SLCU2J0J: Security

Concepts
Lecture 1:
Introduction to Computer Security
Mrs Z.Codabux-Rossan
2
Outline
Introduction
Security Timeline
Computer Security
Security Approaches
Goals of Computer Security
Security Attacks
Popular Threats and Attacks
Types of Attackers
3
Is there a Security Crisis?
Almost every month
High-profile case of computer security failure reported in media.
This gives the impression that security problems are prevalent.
Viruses, worms spread on Internet; Cyber-terrorism (e.g.
Sabotage, Website defacement and denial of service); Industrial
espionage (hacking corporate networks), etc
. . . But the high frequency of security faults and incidents
reported, e.g., on BugTraq and CERT, testify many security
problems in widely deployed systems.
4
Security Attacks 1rends
Source: CERT
S
Computer Security Losses - 2006
CSI/FBI Computer Crime and Security Survey(2006)
6
Computer Security Losses - 2008
CSI/FBI Computer Crime and Security Survey(2008)
Virus 50%
Insider abuse 44%
Laptop theft 42%
Unauthorized access 29%
7
Computer Security Losses - 2009
Financial fraud (19.5%, over 12% in 2008);
Malware infection (64.3% over 50% in 2008);
Denials of service (29.2%, over 21% in 2008),
Password sniffing (17.3%, over 9% in 2008)
Web site defacement (13.5% over 6% in 2008).
Wireless exploits (7.6%, down from 14% in 2008)
Instant messaging abuse (7.6%, down from 21%).
8
Question
Malware (Malicious Software) includes
computer viruses, worms, trojan horses,
spyware, dishonest adware, scareware,
crimeware, most rootkits, and other malicious
and unwanted software or program.
Define underlined key terms.
9
Answer
Scareware comprises several classes of scam software with malicious payloads, or of limited or no
benefit, that are sold to consumers via certain unethical marketing practices. The selling approach
uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed
at an unsuspecting user. Some forms of spyware and adware also use scareware tactics. A tactic
frequently used by criminals involves convincing users that a virus has infected their computer,
then suggesting that they download (and pay for) fake antivirus software to remove it. Usually the
virus is entirely fictional and the software is non-functional or malware itself.
Spyware is software that installs components on a computer for the purpose of recording Web surfing
habits (primarily for marketing purposes). Spyware sends this information to its author or to other
interested parties when the computer is online. Spyware often downloads with items identified as
'free downloads' and does not notify the user of its existence or ask for permission to install the
components.
Adware is software that displays advertising banners on Web browsers such as Internet Explorer and
Mozilla Firefox. Adware programs often create unwanted effects on a system, such as annoying
popup ads and the general degradation in either network connection or system performance.
Crimeware is designed to perpetrate identity theft in order to access a computer user's online
accounts at financial services companies and online retailers for the purpose of taking funds from
those accounts or completing unauthorized transactions that enrich the thief controlling the
crimeware. Crimeware also often has the intent to export confidential or sensitive information from
a network for financial exploitation.
J0
Security 1echnologies Used
CSI/FBI Computer Crime and Security Survey (2008)
JJ
Security 1imeline
Security attacks begin in 1950s and security
mechanisms were designed for operating
systems since the beginning.
Early attackers were near the machines.
Now the Internet allows millions of anonymous
attackers to target any connected system.
J2
Security 1imeline: J960-J970
1960 Memory protection hardware: partitioning, virtual memory.
1962 File access controls in multiple-access systems.
1967 One-way functions to protect passwords.
1968 Multics security kernel (BLP model)
196989 ARPANET Internet; TCP/IP in 1977.
Infamously, ARPANET was built to withstand nuclear attack but
was nearly crippled in 1988 by the Morris Internet Worm.
ARPANET assumed centralised administration which no longer
applies in the Internet: a dramatic example of a change in
environment invalidating security.
J3
Security 1imeline: J970-J990
1975 Unix-Unix copy protocol (UUCP) and mail trapdoors
1976 Public-key cryptography and digital signatures
1978 RSA public-key cryptosystem.
1978 First vulnerability study of passwords (intelligent search).
1978 E-cash protocols invented by David Chaum.
1983 Distributed domain naming system (DNS), vulnerable
to spoofing.
1984 Viruses receive attention of researchers.
1985 Advanced password schemes.
1986 Wily hacker attack (Clifford Stolls Stalking...)
1988 Internet Worm: 6,000 computers (10% of Internet).
1988 Distributed authentication realised in Kerberos.
1989 Pretty Good Privacy (PGP) and Privacy Enhanced Mail
(PEM).
J4
Security 1imeline: J990-2000
1990 Anonymous remailers (protocols prevent tracing)
1993 Packet spoofing; firewalls; network sniffing.
1994 Netscape designs SSL v1.0 (revised 1995).
1996 SYN flooding. Java exploits. Web-site hacking.
1997 DNSSec security extension for DNS proposed.
1998 Script kiddies scanner tools. IPSec proposals.
1999 First DDoS attacks. DVD encryption broken
2000 VBscript worm ILOVEYOU (0.5 8 million
infections). Cult of the Dead Cows Back Orifice 2000
Trojan.
JS
Security 1imeline: 2000 - Date
2001 Code Red, Nimbda worm infects Microsoft IIS.
2002 Palladium; chipped XBox blocked from online play.
2003 W32/Blaster worm. Debian and FSF are cracked.
2004 First mobile phone virus Cabir
2005 Flaws in SHA-1. Sonys rootkit with broken DRM.
2006 RFID cracks. Microsoft Vista released; vulnerabilities
discovered.
2007 Data breaches: TJX Inc (94m), UK HMRC (24m). iPhone
released & cracked.
2008 Kaminsky discovers major DNS flaws. CIA reports power
utility cyber-extortion. Oyster Cards cloned and UK e-passports
faked.
J6
Security 1imeline: 2000 - Date
2009 Conficker virus
iPhone worm
DoS attacks on social networks (Twitter, Facebook)
Numerous data breaches
Hacktivism
TJX Hacker indicted
BT & Phorm
Privacy at Facebook, Google, . . .
Cloud computing
J7
Computer Security
Security is about protecting assets.
Computer Security concerns assets of
computer systems: the information and
services they provide.
Just as real-world physical security systems
vary in their security provision (e.g., a
building may be secure against certain kinds
of attack, but not all), so computer security
systems provide different kinds and amounts
of security.
J8
Computer Security
The protection afforded to an automated
information system in order to attain the
applicable objectives of preserving the
integrity, availability and confidentiality of
information system resources (includes
hardware, software, firmware,
information/data, and telecommunications)
Source: NIST Computer Security Handbook [NIST95]
J9
Security Infrastructure
Policies defines how a company approaches
security, how employees should handle security,
and how certain situations should be addressed.
People weakest link. Most corporate security relies
on the password a user chooses easy to crack.
Technology means to implement the policies
20
Security Approaches
Data security
Data security is the means of ensuring that data is kept safe from
corruption and that access to it is suitably controlled.
Computer Security
The objective of computer security includes protection of
information and property from theft, corruption, or natural
disaster, while allowing the information and property to remain
accessible and productive to its intended users.
Network Security
Protect the network and the network-accessible resources from
unauthorized access, consistent and continuous monitoring and
measurement of its effectiveness
2J
Goals of Security
Prevention
Prevent attackers from violating security policy
Detection
Detect attackers violation of security policy
Recovery
Stop attack, assess and repair damage
Continue to function correctly even if attack
succeeds
22
Components of Computer Security
Confidentiality
Avoidance of the unauthorized disclosure of information.
E.g. using cryptography
Integrity
The property that information has not been altered in an
unauthorized way.
E.g. using digital signature
Availability
Ensuring timely and reliable access to and use of
information
Denial of service attacks are attempts to block availability.
23
Components of Computer Security
Authenticity
The property of being genuine and being able to be
verified and trusted / assurance that communicating
entity is the one claimed
Confidence in the validity of a transmission, a
message, or message originator
Accountability
Ability to track or audit what an individual or entity is
doing on a network/system
Non-Repudiation
Neither sender or receiver of a message be able to
deny the transmission
24
Lxamples of Security Requirements
1. Confidentiality student grades
2. Integrity patient information
3. Availability authentication service
2S
Lxamples of Security Requirements
Confidentiality
Student grade information is an asset whose confidentiality
is considered to be highly important by students. Grade
information should only be available to students, their
parents, and employees that require the information to do
their job.
Student enrollment information may have a moderate
confidentiality rating. This information is seen by more
people on a daily basis, is less likely to be targeted than
grade information, and results in less damage if disclosed.
Directory information, such as lists of students or faculty or
departmental lists, may be assigned a low confidentiality
rating or indeed no rating. This information is typically freely
available to the public and published on a school's Web
site.
26
Lxamples of Security Requirements
Integrity
Consider a hospital patient's allergy information stored in a
database. The doctor should be able to trust that the
information is correct and current. Now suppose that an
employee (e.g., a nurse) who is authorized to view and
update this information deliberately falsifies the data to
cause harm to the hospital. The database needs to be
restored to a trusted basis quickly, and it should be
possible to trace the error back to the person responsible.
Patient allergy information is an example of an asset with a
high requirement for integrity.
Inaccurate information could result in serious harm or death
to a patient and expose the hospital to massive liability.
27
Lxamples of Security Requirements
Availability
The more critical a component or service, the higher is
the level of availability required. Consider a system
that provides authentication services for critical
systems, applications, and devices.
An interruption of service results in the inability for
customers to access computing resources and staff to
access the resources they need to perform critical
tasks.
The loss of the service translates into a large financial
loss in lost employee productivity and potential
customer loss.
28
Aspects of Security
Security attack - Any action that compromises the security of
information owned by an organization.
Security mechanism - A process (or a device incorporating such
a process) that is designed to detect, prevent, or recover from a
security attack.
Security service - A processing or communication service that
enhances the security of the data processing systems and the
information transfers of an organization. The services are
intended to counter security attacks, and they make use of one
or more security mechanisms to provide the service.
29
Aspects of Security
Threat - A potential for violation of security, which exists when
there is a circumstance, capability, action, or event that could
breach security and cause harm. That is, a threat is a possible
danger that might exploit a vulnerability.
Attack - An assault on system security that derives from an
intelligent threat; that is, an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a
system.
Vulnerability inherent weakness in design, configuration,
implementation or management of a network or system that
renders it susceptible to a threat
30
1ypes of Attacks
Interception unauthorized party gain access to an
asset
loss of confidentiality
Fabrication intruder inserts spurious message to a
communication or adds records to a database
absence of proper authentication
Modification unauthorized party gain access and
tampers an asset
loss of message integrity
Interruption asset lost, unavailable or unusable
availability of resources in danger
3J
Passive Attacks
A passive attack attempts to learn or make use of information
from the system but does not affect system resources.
Passive attacks are in the nature of eavesdropping on, or
monitoring of transmissions.
The goal of the opponent is to obtain information that is being
transmitted.
Two types of passive attacks are:
Release of message contents
Traffic analysis - monitor traffic flow to determine location and
identity of communicating hosts and could observe the frequency
and length of messages being exchanged
These attacks are difficult to detect because they do not involve
any alteration of the data.
32
Passive Attacks
33
Active Attacks
Active attacks involve some modification of the data stream or the
creation of a false stream and can be subdivided into four categories:
masquerade of one entity as some other /impersonation
replay previous messages
modify/alter (part of) messages in transit to produce an unauthorized effect
denial of service - prevents or inhibits the normal use or management of
communications facilities
Active attacks present the opposite characteristics of passive attacks.
Whereas passive attacks are difficult to detect, measures are available
to prevent their success.
On the other hand, it is quite difficult to prevent active attacks absolutely,
because of the wide variety of potential physical, software, and network
vulnerabilities.
Instead, the goal is to detect active attacks and to recover from any
disruption or delays caused by them.
34
Active Attacks
3S
Popular 1hreats and Attacks
Eavesdropping: the interception of information intended for
someone else during its transmission over a communication
channel.
Computers could be protected from eavesdropping by using
strong encryption techniques and secure procedures to
communicate with servers like SSL.
A
B
Eavesdropper
36
Popular 1hreats and Attacks
Alteration/Modification: unauthorized
modification of information.
Example: the man-in-the-middle attack, where
a network stream is intercepted, modified, and
retransmitted.
37
Popular 1hreats and Attacks
Denial-of-service: the interruption or degradation of
a data service or information access.
Example: email spam, to the degree that it is meant to
simply fill up a mail queue and slow down an email server.
Methods to launch DoS:
Buffer overflows
SYN attacks
Teardrop attacks
Ping of death attack
Smurf attack
Land attack
38
Question
Distinguish between
Buffer overflows
SYN attacks
Teardrop attacks
Ping of death attack
Smurf attack
Land attack
39
Popular 1hreats and Attacks
Repudiation: the denial of a commitment or
data receipt.
This involves an attempt to back out of a contract
or a protocol that requires the different parties to
provide receipts acknowledging that data has
been received.
40
Popular 1hreats and Attacks
Masquerading/Spoofing: the fabrication of
information that is supposed to be from
someone who is not actually the author.
4J
Popular 1hreats and Attacks
Correlation and traceback: the integration
of multiple data sources and information
flows to determine the source of a particular
data stream or piece of information.
42
Malicious Software
Activated by a trigger
43
Backdoor or 1rapdoor
Secret entry point into a program
Allows those who is aware of it to gain access by
bypassing usual security procedures
Have been commonly used by developers
to debug and test programs
But a threat when left in production programs being
exploited by attackers
Very hard to block in O/S
Requires good s/w development & software update
activities.
44
Logic Bomb
One of oldest types of malicious software
Code embedded in legitimate program
Activated when specified conditions met
eg presence/absence of some file
particular date/time
particular user
When triggered typically damage system
modify/delete files/disks, halt machine, etc
4S
1rojan Horse
Program with hidden side-effects
Which is usually superficially attractive
eg game, utility, s/w upgrade etc
When run performs some additional tasks
allows attacker to indirectly gain access they do
not have directly
Often used to propagate a virus/worm or
install a backdoor
Or simply to destroy data
46
Current 1rends
Trojans currently have largest infection potential
Often exploit browser vulnerabilities
Typically used to download other malware in multi-stage attacks
Source:
Symantec Internet
Security Threat Report,
April 2009
47
Viruses
Piece of software that infects programs
By modifying them to include a copy of the virus
(attaches itself to the program )
so it executes secretly when host program is run
Once a virus is executing, it can perform any
function, such as erasing files and programs.
Specific to operating system and hardware
taking advantage of their details and weaknesses
48
Phases of a virus
Dormant phase: The virus is idle. The virus will eventually be activated by
some event, such as a date, the presence of another program or file, or the
capacity of the disk exceeding some limit. Not all viruses have this stage.
Propagation phase: The virus places an identical copy of itself into other
programs or into certain system areas on the disk. Each infected program will
now contain a clone of the virus, which will itself enter a propagation phase.
Triggering phase: The virus is activated to perform the function for which it was
intended. As with the dormant phase, the triggering phase can be caused by a
variety of system events, including a count of the number of times that this copy
of the virus has made copies of itself.
Execution phase: The function is performed, which may be harmless, e.g. a
message on the screen, or damaging, e.g. the destruction of programs and data
files
49
Worms
Replicating program that propagates over networks
using email, remote exec, remote login
Once active within a system, a network worm can
behave as a computer virus or bacteria, or it could
implant Trojan horse programs or perform any
number of disruptive or destructive actions.
Has phases like a virus:
dormant, propagation, triggering, execution
propagation phase: searches for other systems, connects
to it, copies self to it and runs
May disguise itself as a system process
Fist implemented by Xerox Palo Alto labs in 1980s
S0
Distributed Denial of Service Attacks
(DDoS)
Distributed Denial of Service (DDoS) attacks form a significant
security threat to corporations
Making networked systems unavailable
By flooding with useless traffic so that legitimate users can no
longer gain access to those resources
Using large numbers of zombies (compromised hosts)
Growing sophistication of attacks in recent years
More difficult to trace to the real attackers
Defense technologies struggling to cope
*flooding sending more data/packets to a resource than it can
handle
SJ
Other 1echniques
Vulnerability scanner
A vulnerability scanner is a tool used to quickly check computers on a
network for known weaknesses.
Hackers also commonly use port scanners. These check to see which
ports on a specified computer are "open" or available to access the
computer, and sometimes will detect what program or service is listening
on that port, and its version number.
Password cracking
Password cracking is the process of recovering passwords from data
that has been stored in or transmitted by a computer system. A common
approach is to repeatedly try guesses for the password.
Packet sniffer
A packet sniffer is an application that captures data packets, which can
be used to capture passwords and other data in transit over the network.
S2
Other 1echniques
Spoofing attack
A spoofing attack involves one program, system, or website successfully
masquerading as another by falsifying data and thereby being treated as
a trusted system by a user or another program.
The purpose of this is usually to fool programs, systems, or users into
revealing confidential information, such as user names and passwords,
to the attacker.
Rootkit
A rootkit is designed to conceal the compromise of a computer's
security, and can represent any of a set of programs which work to
subvert control of an operating system from its legitimate operators.
Usually, a rootkit will obscure its installation and attempt to prevent its
removal through a subversion of standard system security. Rootkits may
include replacements for system binaries so that it becomes impossible
for the legitimate user to detect the presence of the intruder on the
system by looking at process tables.
S3
Other 1echniques
Social engineering
Social engineering is the art of getting persons to reveal sensitive
information about a system. This is usually done by impersonating
someone or by convincing people to believe you have permissions to
obtain such information.
Key loggers
A key logger is a tool designed to record ('log') every keystroke on an
affected machine for later retrieval. Its purpose is usually to allow the
user of this tool to gain access to confidential information typed on the
affected machine, such as a user's password or other private data.
Some key loggers uses virus-, trojan-, and rootkit-like methods to remain
active and hidden.
However, some key loggers are used in legitimate ways and sometimes
to even enhance computer security. As an example, a business might
have a key logger on a computer used at a Point of Sale and data
collected by the key logger could be used for catching employee fraud.
S4
Question
What is the difference between a virus, a
worm and a trojan horse?
SS
Answer
A computer virus attaches itself to a program or file enabling it to spread from one computer to another,
leaving infections as it travels. Almost all viruses are attached to an executable file, which means the
virus may exist on your computer but it actually cannot infect your computer unless you run or open the
malicious program. It is important to note that a virus cannot be spread without a human action,
(such as running an infected program) to keep it going. People continue the spread of a computer virus,
mostly unknowingly, by sharing infecting files or sending e-mails with viruses as attachments in the e-
mail.
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from
computer to computer, but unlike a virus, it has the capability to travel without any human action. A
worm takes advantage of file or information transport features on your system, which is what allows it to
travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so
rather than your computer sending out a single worm, it could send out hundreds or thousands of copies
of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to
everyone listed in your e-mail address book.
The Trojan Horse, at first glance will appear to be useful software but will actually do damage once
installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into
opening them because they appear to be receiving legitimate software or files from a legitimate
source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed
to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or
they can cause serious damage by deleting files and destroying information on your system. Trojans are
also known to create a backdoor on your computer that gives malicious users access to your system,
possibly allowing confidential or personal information to be compromised. Unlike viruses and worms,
Trojans do not reproduce by infecting other files nor do they self-replicate.
S6
1ypes of Attackers
Hackers
White hats
Black hats
Gray hats
Blue hats
Script kiddies
Neophyte
Hacktivist
S7
1ypes of Attackers
White hat
A white hat hacker breaks security for non-malicious reasons, for instance testing their
own security system. This classification also includes individuals who perform
penetration tests and vulnerability assessments within a contractual agreement. Often,
this type of 'white hat' hacker is called an ethical hacker.
Black hat
A black hat hacker, sometimes called a cracker, is someone who breaks computer
security without authorization or uses technology (usually a computer, phone system or
network) for malicious reasons such as vandalism, credit card fraud, identity theft,
piracy, or other types of illegal activity.
Grey hat
A grey hat hacker is a combination of a Black Hat and a White Hat Hacker. A Grey Hat
Hacker may surf the internet and hack into a computer system for the sole purpose of
notifying the administrator that their system has been hacked, for example. Then they
may offer to repair their system for a small fee.
Blue hat
A blue hat hacker is someone outside computer security consulting firms who is used
to bug test a system prior to its launch, looking for exploits so they can be closed.
S8
1ypes of Attackers
Script Kiddie
A script kiddie is a non-expert who breaks into computer systems by
using pre-packaged automated tools written by others, usually with little
understanding of the underlying concept
Neophyte
A neophyte, or "newbie" is someone who is new to hacking and has
almost no knowledge or experience of the workings of technology, and
hacking.
Hacktivist
A hacktivist is a hacker who utilizes technology to announce a social,
ideological, religious, or political message. In general, most hacktivism
involves website defacement or denial-of-service attacks. In more
extreme cases, hacktivism is used as tool for cyberterrorism.
S9
Question J
Suppose the author of an online banking
software system has programmed in a secret
feature so that program emails him the
account information for any account whose
balance has just gone over $10,000.
What kind of attack is this and what are some
of its risks?
60
Question 2
1. Enciphering an income tax return will prevent anyone from reading it. If the owner needs to
see the return, it must be deciphered. Only the possessor of the cryptographic key can
enter it into a deciphering program. However, if someone else can read the key when it is
entered into the program, the --------------- of the tax return has been compromised.
2. A newspaper may print information obtained from a leak at the White House but attribute it
to the wrong source. The information is printed as received (preserving ----------------), but
its source is incorrect (corrupting ----------------------).
3. Suppose Anne has compromised a bank's secondary system server, which supplies bank
account balances. When anyone else asks that server for information, Anne can supply
any information she desires. Merchants validate checks by contacting the bank's primary
balance server. If a merchant gets no response, the secondary server will be asked to
supply the data. Anne's colleague prevents merchants from contacting the primary balance
server, so all merchant queries go to the secondary server. Anne will never have a check
turned down, regardless of her actual account balance. Notice that if the bank had only one
server (the primary one), this scheme would not work. The merchant would be unable to
validate the check. - ---------------
What security concept is being compromised in each scenario?