CNS 06
Computer & Network Security
Lecture 1

• Mechanics
• Are we at risk?
• Risk assessment
• Viruses/malware

Are you in the right class?
• Tom Dunigan dunigan@cs.utk.edu
  – Office hours: by appointment or before/after class
  – TA A. J. Wright ajw@utk.edu
• Meet here, each Tuesday 5:05 - 7:45
• Text
  – errata
CNS Lecture 1 - 2




Class mechanics
Prerequisites
• C/make programming
• UNIX familiarity
• Web/email/CS account access
• Postscript/pdf viewer

Grading              CS594    CS494
• Assignments:       50%      40%
• Midterm:           20%      20%
• Final Exam:        30%      20%
• Paper:             n/a      20%

Objectives: book smarts & street smarts
• understand computing vulnerabilities
• understand tools and techniques for developing secure applications and practicing safe computing
method: study
• risks and countermeasures
• common attacks
• cryptography principles
• applied cryptography
method: do
• practice secure computing
• develop secure software
• think like a hacker
(Tom's lectures are like drinking from a fire hose)




TO DO list …
Attacks & Defenses
• Risk assessment
• Viruses
• Unix security
• authentication
• Network security: firewalls, vpn, IPsec, IDS
• Forensics
Cryptography
• Random numbers
• Hash functions: MD5, SHA, RIPEMD
• Classical + stego
• Number theory
• Symmetric key: DES, Rijndael, RC5
• Public key: RSA, DSA, D-H, ECC
Applied crypto
• SSH
• PGP
• S/Mime
• SSL
• Kerberos
• IPsec
• Crypto APIs
• Coding securely

Plan of attack
Lectures (the bottom up approach)
1.  Risk, viruses
2.  UNIX vulnerabilities
3.  Authentication & hashing
4.  Random #s, classical crypto
5.  Block ciphers DES, RC5
6.  AES, stream ciphers RC4, LFSR
7.  MIDTERM
8.  Public key crypto RSA, D-H
9.  ECC, PKCS, ssh/pgp
10. PKI, SSL
11. Network vulnerabilities
12. Network defenses, IDS, firewalls
13. IPsec, VPN, Kerberos, secure OS
14. Secure coding, crypto APIs
15. review
Issues: technical, social, ethical, political, legal, mathematical




Building a crypto toolbox
tools for building secure applications
• fast symmetric key encryption
• hash functions
• random numbers, prime testing
• public key crypto
• Big integer math libraries/methods
• algorithms for message authentication, key exchange, user authentication
We'll find all of these in the OpenSSL library
  emphasis will be C
  some Java examples

Mathematics of cryptography
• mod arithmetic, gcd, CRT (shift cipher, Hill, RSA, D-H, ECC)
• Polynomial arithmetic over GF(2^n) (LFSR, ECC, AES, CRC)
• Testing primes, irreducible polynomials, generators
• Random number generation (keys, IV, blinding, k for DSS)
• BIG integer arithmetic
• Nonlinear Boolean functions (Bent)
• Factoring and discrete logs
• Elliptic curves
Security through mathematics
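The two slides above list the number-theoretic primitives the course will take from OpenSSL. As an added example that is not part of the lecture and not OpenSSL's code, here are 64-bit versions of several of them in C: square-and-multiply modular exponentiation (RSA/D-H), extended Euclid and the modular inverse (the RSA private exponent d = e^-1 mod phi(n)), Miller-Rabin primality testing, CRT recombination, and multiplication in GF(2^8) with the AES polynomial. Everything is uint64_t with every modulus assumed to be below 2^63 (chosen so the double-and-add mulmod cannot overflow); the function names are my own, and real key sizes need a bignum library such as OpenSSL's BN_* routines.

```c
/* Added example (not from the lecture, not OpenSSL): 64-bit versions of the
 * number-theory primitives the slides list.  Assumption: every modulus is
 * below 2^63, so the double-and-add mulmod never overflows a uint64_t.
 * Real keys need a bignum library (OpenSSL BN_*); this is the toolbox at toy size. */
#include <stddef.h>
#include <stdint.h>

/* (a * b) mod m without overflow: add-and-double over the bits of b. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    uint64_t r = 0;
    for (a %= m, b %= m; b; b >>= 1) {
        if (b & 1) r = (r + a) % m;             /* r + a < 2m < 2^64 */
        a = (a + a) % m;
    }
    return r;
}

/* Square-and-multiply: base^exp mod m, the RSA / Diffie-Hellman workhorse. */
uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
    }
    return r;
}

/* Extended Euclid: returns gcd(a, b) and sets *x, *y with a*x + b*y = gcd. */
int64_t ext_gcd(int64_t a, int64_t b, int64_t *x, int64_t *y) {
    int64_t x0 = 1, y0 = 0, x1 = 0, y1 = 1, q, t;
    while (b) {
        q = a / b;
        t = a - q * b;   a = b;   b = t;
        t = x0 - q * x1; x0 = x1; x1 = t;
        t = y0 - q * y1; y0 = y1; y1 = t;
    }
    *x = x0; *y = y0;
    return a;
}

/* a^-1 mod m, or 0 when gcd(a, m) != 1.  RSA key setup: d = e^-1 mod phi(n). */
uint64_t mod_inverse(uint64_t a, uint64_t m) {
    int64_t x, y, mm = (int64_t)m;
    if (ext_gcd((int64_t)a, mm, &x, &y) != 1) return 0;
    return (uint64_t)((x % mm + mm) % mm);
}

/* Miller-Rabin.  With these 12 fixed witnesses the verdict is exact for every
 * n < 2^64 (n < 2^63 here because of mulmod); bignum code uses random bases. */
int is_probable_prime(uint64_t n) {
    static const uint64_t w[] = {2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37};
    const size_t nw = sizeof w / sizeof w[0];
    uint64_t d, x; size_t i; int s, r;
    if (n < 2) return 0;
    for (i = 0; i < nw; i++) {
        if (n == w[i]) return 1;
        if (n % w[i] == 0) return 0;
    }
    for (d = n - 1, s = 0; (d & 1) == 0; d >>= 1) s++;   /* n-1 = 2^s * d */
    for (i = 0; i < nw; i++) {
        x = mod_pow(w[i], d, n);
        if (x == 1 || x == n - 1) continue;
        for (r = 1; r < s; r++) {
            x = mulmod(x, x, n);
            if (x == n - 1) break;
        }
        if (r == s) return 0;                   /* w[i] witnesses compositeness */
    }
    return 1;
}

/* Chinese Remainder Theorem: the x < M = prod(m[i]) with x = r[i] mod m[i],
 * for pairwise coprime m[i] (RSA-CRT decryption is the k = 2 case). */
uint64_t crt(const uint64_t *r, const uint64_t *m, size_t k) {
    uint64_t M = 1, x = 0, Mi, inv;
    size_t i;
    for (i = 0; i < k; i++) M *= m[i];
    for (i = 0; i < k; i++) {
        Mi = M / m[i];
        inv = mod_inverse(Mi % m[i], m[i]);
        x = (x + mulmod(mulmod(r[i] % m[i], Mi, M), inv, M)) % M;
    }
    return x;
}

/* Multiplication in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1 (0x11b);
 * CRC and LFSR arithmetic is the same idea with a different polynomial. */
uint8_t gf256_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0, carry;
    for (; b; b >>= 1) {
        if (b & 1) p ^= a;                      /* addition in GF(2^n) is XOR */
        carry = a & 0x80;
        a <<= 1;                                /* multiply by x */
        if (carry) a ^= 0x1b;                   /* reduce x^8 -> x^4+x^3+x+1 */
    }
    return p;
}
```

Two things worth noticing in the code. The fixed witness set in is_probable_prime makes the test exact for the sizes it accepts, so it is a deterministic primality test in this range; for the 1024-bit and larger candidates real key generation produces, the same loop runs with random bases and a bounded error probability, which is why the slide calls it "testing" primes. And gf256_mul is the field multiplication AES uses in MixColumns: the AES entry, the CRC entry and the LFSR entry on the slide are all polynomial arithmetic over GF(2), differing only in the reduction polynomial.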




Class web resources
• class page
• policy
• resources
• lectures
  – Required reading
• assignments

Computer security
• Protecting assets
• Setting security goals
• Establishing security policy
• Identify threats
• Develop controls/countermeasures
• Have a disaster/recovery plan
Principle: path of least resistance




security
Objective: protect information
• integrity
• privacy
• availability
• non-repudiation (PAIN: privacy, authentication, integrity, non-repudiation)
Provided by:
• having a plan (risk assessment, policy)
• educating users/programmers
• Secure applications and tools -- hashing, signing, encryption
security features ≠ secure features

threats
threats are real – interruption, interception, modification, fabrication
• dependence on info technology
• passive attacks
  – sniffing, wiretaps, TEMPEST
  – social engineering
  – dumpster diving
• active attacks (DoS, worms/viruses, exploits)
• attack tools easily available
Social Engineering – because there's no patch for human stupidity.




Social engineering
misplaced trust
• impersonation
• scam
• email -- who really sent it, phishing
• email -- attachments (viruses)
• web -- rogue applets, plugins
• Download this fix for virusX
  Be suspicious...
419 scam
  "Nigerian uncle has died intestate. Need to transfer $8M to US with your assistance. You will get 10% of funds, need your bank info to initiate the transfer …."

phishing
[user] Hello?
[hacker] Hi, this is Bob from IT Security. We've had a security breach on the system and we need every user to verify their username and password.
[user] What do I need to do?
[hacker] Let's walk through a login, just to make sure everything is fine.
[user] OK
[hacker] OK, go ahead and login. What username are you coming in as?
[user] My username is "smith".
[hacker] Excellent. What password are you using?
[user] I am using the password "drowssap".
[hacker] Do you have a system prompt yet?
[user] Yes, I'm in.
[hacker] OK, there you are. I see you now. Everything is fine. We appreciate your cooperation.
[user] OK, goodnight.
[hacker] Thanks again, goodbye.




Hoaxes and urban legends
• Good intention user forwarding warning
  – Good Times Virus
  – I may have sent you a virus, see if you have vb.exe ....
  – Poisoned chewing gum
  – Travelers having their kidneys stolen
  – 1954 home computer in Popular Mechanics

Point, click, attack
Sophisticated attack tools designed by troubled genius
  – deep understanding of OS (source files)
  – look for known vulnerabilities (overflows)
  – lots of time
  – adaptable, avoids countermeasures
• tools available on the net
• cookbook attacks
• your little brother could do it




alt.2600 faq
How do I reset a BIOS password?
How do I access the password file under Windows NT?
How do I crack Windows NT passwords?
How can I recover a lost Windows NT Administrator Password?
How does the Microsoft Windows 3.1 password encryption work?
How do I change to directories with strange characters in them?
What is this system?
What are some default accounts?
What is a computer virus?
What is a computer worm?
What is TEMPEST?
How do I remove copy protection?
How do I send fake mail?
How do I fake posts and control messages to Usenet?
How can I find security vulnerabilities in source code?
What is an integer overflow?
What is a race condition?
What is a format string vulnerability?
What is a random number vulnerability?
What is an SQL Injection Attack / Vulnerability?
How can I securely erase data?
What is two factor authentication?
How do I crack VMS passwords?
What can be logged on a VMS system?
What privileges are available on a VMS system?
How do I crack Unix passwords?
How do I change a MAC address?
How do I recover the password for a Cisco router?
How do I decrypt Cisco passwords?

Microsoft's 10 immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
Law #3: If a bad guy has unrestricted physical access to your computer [or data], it's not your computer anymore
Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
Law #5: Weak [or weakly protected] passwords trump strong security
Law #6: A computer is only as secure as the administrator is trustworthy [and is aware of threats and countermeasures]
Law #7: Encrypted data is only as secure as the decryption key
Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
Law #9: Absolute anonymity isn't practical, in real life or on the Web
Law #10: Technology is not a panacea




countermeasures
prevention, detection, response
• education
• physical protection
• authentication
• authorization
• auditing (intrusion detection)
• encryption
Threats/countermeasures -- a never ending cycle ... good job security!
The bad guy has it easy, he only has to find one hole.
You have the hard job, you need to defend all the holes!

Security services
From the ISO definition:
• access control
• authentication
• privacy
• integrity
• non-repudiation
provided through applications, protocols, mechanisms, and algorithms
Cryptography
• hash functions (MD5, SHA)
• secret-key encryption (DES, Rijndael)
• public-key cryptography (RSA, DSS)




Are we at risk?
[two image-only slides; no text survives]




Are critical resources at risk?
Assets controlled by computers:
  air defense, nuclear weapons systems, command and control, Taco Bell, banking, electronic funds transfer, power grid, air traffic control, phone system, elevators, traffic signals, trains, corporate email, grades, refinery, stock exchange, SCADA systems, TV/radio, medical records, police records, personnel records, payroll
• Information warfare/cyber terrorism -- fact or fiction?

Under cyber attack?
• After America accidentally bombed the Chinese embassy in Belgrade in 1999, Chinese hackers launched hundreds of attacks on U.S. Web sites and infiltrated at least four government Internet sites.
• War protesters and hackers are assaulting .gov and .mil Websites "in digital retaliation" for the war in Iraq in record numbers, according to the security firm mi2G Ltd. of London.
• One such hacker, interviewed by e-mail for this article, warned that Western governments and businesses should brace themselves for 'suicide cyber attacks' in the event of a war against Iraq. He defined a 'suicide cyber attack' as one in which the hacker sets out to cause maximum damage unhindered by any regard for being detected and caught. The hacker who issued this stark warning belongs to a group calling itself the Iron Guards which has in the past attacked Israeli government and business sites as part of the Arab-Israeli cyberwar.
• Computer hackers broke into 26 government Internet sites on three continents in "one of the largest, most systematic defacements of worldwide government servers on the Web," according to an online security organization.




Cyber attacks/extortion on financial institutions
• Russian police have broken up a hacker ring that extorted money from British bookmakers, inflicting millions in losses on their Web sites in a series of attacks that attracted the British government's attention, officials said Wednesday.
• According to computer security expert Dr Neil Barrett, the credit card trading centre of the world is St Petersburg in Russia. It is the site of a number of secret internet marketplaces where card details are offered in bulk, typically costing $1 a card, sold in batches of 500 through to 5,000.
• 80% unreported

Hacking the infrastructure
• LOS ANGELES, California (CNN) -- As Californians suffered under rolling blackouts last month, computer hackers were trying to breach the computer system at the California Independent System Operator (Cal-ISO), which oversees most of the state's power transmission grid
• Nationwide rolling blackouts could have a devastating impact on the economy, but experts also fear that the stress being placed on the nation's power grid could make it more susceptible to disruptions from hackers.
• After flunking three congressional audits, the Federal Aviation Administration says air traffic control systems are finally safe from hack attack
• Attacks on core Internet routers and DNS servers
• '97 employee alters software in Taco Bell cash register




Recent local activity
[charts: Nasty hosts and subnet; Nasty emails]

In the news …
• Hacker gains access to personal data (SS# etc) of 36,000 students and staff at University of Tennessee
• Cyber scams prey on Katrina victims
• Congress introduces anti-spyware legislation
• Google search can provide access to many "security webcams"
• Hacker gets 3 years for botnet attack using 10,000 PCs
• Two Cal State Northridge students have been accused of hacking into a professor's computer, giving grades to nearly 300 students.
• Plus the usual viruses and buffer overflows ….




The attackers
• amateur
• insider (greed, disgruntled)
• kids
• hackers
• criminals
• spies
• sociopath (terrorist/vandal)

Why?
• money
• retribution
• sport
• political/military
• pathological
easy to do, hard to catch, harder to prosecute
victimless crime? just a prank?




Ancient history
"A long time ago in a galaxy far, far away ..."
• 1900 BC first written cryptography
• 500 BC Hebrew substitution cipher
• 50 BC Caesar cipher
• 1844 telegraph (easily "tapped", civil war)
• 1876 telephone invented
• 1878 first report of teenagers kicked off phone system for pranks
• 1900 radio/wireless (easy intercept)
• 1917 one-time pad
• 1923 Enigma machine
• 1948 Captain Midnight decoder ring (Ovaltine)
• 1950's/60's single user then batch computing

Recent history
• '64 teletype/acoustic coupler (remote users!)
• '67 DEC10 timesharing
• '69 ARPANET (email)
• '70 DEC 11 / UNIX
• '71 Captain Crunch -- 2600
• '74 DES
• '75 crypt for passwd
• '76 public key crypto / Ethernet (First virus? ☺)
• '77 Apple II / uucp/USENET
• '79 VAX / BSD UNIX (free)
• '80 DECnet / MFEnet / SNA / CSnet / BITNET / MS DOS
• '81 Mitnick (17) steals Pac Bell manuals
• '84 ORNL on Internet (ARPAnet/MILNET) 9.6
• '85 Sun workstations (sniffers)
• '86 first virus / LBL cuckoo's egg
• '88 Morris worm (hit ORNL)
• '91 PGP
• '93 Mosaic/www point/click/attack
• '94 ORNL/MSR breakin
• '94 Linux (free) / rootkit
• '95 Mitnick attack SDSC / SATAN / SSL
• '98 smurf attack
• '00 ILOVEYOU, DDOS, Rijndael




happenings
1999
• 512-bit number factored (7 mos, 292 computers/11 sites)
• EFF cracks DES key in 22 hours
• Shamir describes TWINKLE (crack 512-bit RSA in days)
• AES selects 5 finalists (Mars, RC6, Rijndael, Serpent, Twofish)
• Pentium III with hardware RNG (and serial no.)
• script kiddies plaster graffiti on web sites
• Melissa Word macro virus (80-400M)
• PaPa Excel macro virus
• DVD cracked
• version of GSM cracked (cell phone)
• CERT warns of distributed DoS attacks
• Serbian hackers threatened NATO info sites
• two Chinese hackers sentenced to death
the new millennium
• I LOVE YOU virus
• Distributed Denial of Service/botnets
• credit cards stolen (hack and SQL)
• AES selects Rijndael cipher
• Australian net vigilantes (kiddie porn)
• US debates offensive methods
• cyber warfare (pakistan/india, china/taiwan)
• crypto export relaxed ? (myth)
• Broadband/dsl/wireless proliferation
• Al Qaeda using internet ?
• Blaster worm
• Spyware, phishing
• 2004: 50 new malware samples/day
• To date: 100,000 identified malware samples

Trends
• More (vulnerable) things connected to the net




   trends
    • People and enterprises are more security-aware
    • More tools for detecting/preventing malicious software

    • But
         – More security-challenged boxes online 7x24 (DSL, cable modems)
         – More wireless nets (802.11, cellular, bluetooth/PDAs, RFID)
         – Faster machines/connections
         – More sophisticated malicious software
         – More dependence on “the Net”
CNS Lecture 1 - 35

   CERT statistics
   (chart of CERT incident statistics; not recovered from the slide image)
CNS Lecture 1 - 36




   Risk assessment
    • identify assets and value
    • determine vulnerabilities
    • estimate probabilities
    • estimate losses
    • identify controls and their cost
    • estimate savings

    determine an acceptable risk

    Personal safety
    Lock your doors? Multiple locks? Bars on windows? Alarm system? Electric fence? Guards?
    Safe room? Fallout shelter? Seat belt? Walk at night? Concealed weapon?
    Buy “extended warranty”? Buy insurance/deductible?

              Think like a bad guy …
CNS Lecture 1 - 37

   Cost of losses
    • priceless -- trade secrets
    • don't know when digital info is "stolen"
    • dollar value of assets
    • plus cost to replace/fix, time
    • loss of "face" or confidence
    • liability
CNS Lecture 1 - 38




   controls
                                             Principle: Defense in depth
    •   bomb shelter
    •   insurance (actuarial tables)
    •   sprinkler system
    •   UPS
    •   redundancy
    •   backups
    •   alternate site
    •   7x24 maintenance
    •   vaults
    •   encryption
    •   access/audit logs
    •   policy/procedures

    Physical analogues: door/window locks, surveillance cameras, door/window alarms,
    background checks, guards, safe, insurance

    Review: probabilities/costs change, new assets/threats
CNS Lecture 1 - 39

   Industrial strength
    •   formal policy/procedures
    •   automated analysis tools
    •   threat models
    •   forms and sign-off
    •   who is responsible
    •   contingency plans
    •   configuration mgt.
    •   audit and drills
    •   user training
    •   incident response teams
    •   periodic review
    •   punishment
CNS Lecture 1 - 40
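The risk-assessment steps on slides 37 to 39 (assets and value, vulnerabilities, probabilities, losses, controls and their cost, savings) can be worked through numerically. The following is an added example, not lecture material; every asset, rate, loss and control below is a constructed, hypothetical value chosen only to show how the arithmetic ranks controls.

```python
"""Quantitative risk assessment following the lecture's steps.

Added example (not from the lecture). The assets, threat rates, loss
fractions and controls are constructed sample values, not real data.
"""
from dataclasses import dataclass, field


@dataclass
class Threat:
    """Step 2/3/4: a vulnerability, its estimated annual rate, and loss per event."""
    name: str
    probability: float      # expected occurrences per year
    loss_fraction: float    # fraction of the asset's value lost per occurrence


@dataclass
class Asset:
    """Step 1: an asset and its dollar value (replace/fix cost folded in)."""
    name: str
    value: float
    threats: list = field(default_factory=list)

    def annual_loss(self) -> float:
        """Annualised loss expectancy: sum of value * loss_fraction * rate."""
        return sum(self.value * t.loss_fraction * t.probability for t in self.threats)


@dataclass
class Control:
    """Step 5: a control, its yearly cost, and the threat rates it reduces."""
    name: str
    annual_cost: float
    reductions: dict        # threat name -> multiplier applied to its rate


def apply_control(assets, control):
    """Return copies of the assets with the control's rate reductions applied."""
    out = []
    for a in assets:
        threats = [Threat(t.name,
                          t.probability * control.reductions.get(t.name, 1.0),
                          t.loss_fraction) for t in a.threats]
        out.append(Asset(a.name, a.value, threats))
    return out


def evaluate_control(assets, control):
    """Step 6: net annual benefit = loss before - loss after - control cost."""
    before = sum(a.annual_loss() for a in assets)
    after = sum(a.annual_loss() for a in apply_control(assets, control))
    return round(before - after - control.annual_cost, 2)


def rank_controls(assets, controls):
    """Controls with positive net benefit are worth buying; best first."""
    scored = [(c.name, evaluate_control(assets, c)) for c in controls]
    return sorted(scored, key=lambda x: x[1], reverse=True)


# Constructed sample inventory (hypothetical numbers for illustration only).
ASSETS = [
    Asset("file server", 200_000.0, [
        Threat("worm", 0.5, 0.10),          # one worm every two years, 10% of value
        Threat("disk failure", 0.2, 0.50),
    ]),
    Asset("customer database", 1_000_000.0, [
        Threat("worm", 0.5, 0.05),
        Threat("insider theft", 0.05, 0.80),
    ]),
]

CONTROLS = [
    Control("patch management", 20_000.0, {"worm": 0.2}),   # cuts worm rate by 80%
    Control("nightly backups", 5_000.0, {"disk failure": 0.1}),
    Control("fallout shelter", 500_000.0, {}),              # mitigates nothing listed
]

if __name__ == "__main__":
    for name, net in rank_controls(ASSETS, CONTROLS):
        print(f"{name:20s} net annual benefit ${net:,.2f}")
```

The "Review" line on slide 39 maps directly onto re-running `rank_controls` whenever a rate, a value, or the asset list changes.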




   Risk assessment useful?
    problems
    • not precise -- OK, it's a planning tool
    • file and forget -- review
    • unscientific -- not based on statistics

    benefits
    • improve awareness
    • identifies assets, vulnerabilities, controls
    • basis for decisions
    • justification for budget ($)
CNS Lecture 1 - 41

   Enterprise security planning
   how an organization addresses security
    • policy -- security goals
    • current state
    • requirements to meet goals
       – Hardware/software
       – Education/training
       – Audits and testing
    • who is responsible
       – Incident response plan and team
    • schedule for implementation
    • schedule for review
    based on risk assessment

    security is hard -- physical, OS, applications, network, programmers, users
    Security is a process – not something you buy

    Security Policy
    security goals -- integrity, availability, privacy
    • who can access what and how
       - no cleartext logins or POP
       - patched OS
    • mechanisms (fences, authentication, audit, encryption, smart card, firewall, antivirus)
       - password policy
       - unix config guidelines
       - patches
       - access points, authorization
       - ssh/kerberos ssl
       - UT netreg (patches, anti-virus)
    • Policing and punishment -- scans
CNS Lecture 1 - 42




   Malicious programs
    • trap doors
        – War Games
        – sendmail
    • logic bombs
        – ‘blowup’ if you’re fired
    • trojan horse
        – “social engineering”
    • worm
        – Self-propagating
        – Blaster, Sasser, Slammer
    • zombie/bot
        – Internet host used to launch attacks
    • virus
        – Infects other programs

    Cause?
    • Bad design
    • Improper configuration
    • Bad implementation – overflows
    • Intentional/insider
    • stupid
CNS Lecture 1 - 43

   Morris worm ‘88
    • Entry via network (sendmail debug option, or fingerd stack overflow … details later)
    • Executed simple commands to download rest of worm
    • Collected potential target hosts from /etc/hosts .rhosts .forward
    • tried cracking /etc/passwd
    • Attempt to rlogin or use sendmail/fingerd to attack targets
    • Probably hit 10% of Internet hosts in 1988
CNS Lecture 1 - 44




   viruses
    • Anatomy
       – Parasitic – attached to an executable
       – Memory-resident – in the OS
       – Boot-sector
       – Stealth – avoid detection
       – Polymorphic – dynamic signature
    • Threat
       – Damage/nuisance
       – Loss of information/privacy
       – replication
    • propagation
    • detection
    • Prevention
       – Email scanners, download check, OS activity monitor
    • Recovery
       – Removal, registry restore
CNS Lecture 1 - 45

   Virus phases
   (figure: Infected program)
    • Dormant phase
       – Activated by event or time or when infected program is executed
    • Propagation phase
       – Replicate
       – “infection” by disk/CD, email attachments, trojan horses, downloads/plugins
    • Execution phase
       – Nuisance messages
       – Delete files
       – Delayed/triggered execution
CNS Lecture 1 - 46




   viruses
    boot sector
    • replace code in boot sector
    • goes into RAM, alter I/O routines
    • infects hard disk, other floppies

    program
    • append virus code to end of file
    • change first instruction to jump to virus code
    • virus code makes itself resident
    • resume execution of original application
    • scans disk and infects other executables or worse

    macro
    • platform independent
    • document contains macros (VBasic) (extends functions) (WORD or EXCEL)
    • Command macro – e.g., executed each time user clicks FILE SAVE
      or automatically executed when WORD starts – copy itself to other docs
    • spread by email (Melissa, ILOVEYOU)
CNS Lecture 1 - 47

   UNIX viruses?
    UNIX script
    • attached to end of a script you've downloaded
    • search all scripts in the current directory
    • if #virus# not there, attach script to end of target

    download threats
    • postscript
    • Java applets, ActiveX
    • MIME-encoded mail
    • Plugins
    • spyware
    • root and shareware (tar, shar)
CNS Lecture 1 - 48




   threats
    • anything a program can do
    • display a message on a certain date
    • slow performance, alter display
    • backdoor (backorifice, netbus), remote command window access
    • Zombie – lay dormant awaiting command to attack/spam
    • keyboard/net sniffer (collect passwords, SSN, credit card #s)
    • alter files, crash system
    • erase files .....
    • Cost: disk cleanup, lost time ($55 billion/yr 2003)
CNS Lecture 1 - 49

   Popular viruses
    • Stoned boot sector
    • Michelangelo boot sector
    • Pakistani Brain boot sector, marks area of disk as bad
    • Jerusalem .COM and .EXE, memory resident, scrambles disk data
    • Lehigh command processor, destroys data on hard disk
    • Friday the 13th
    • Melissa – virus and worm (emails itself to first 50 in your address book)
    • ILOVEYOU
    • Concept – first WORD macro virus
    • ExploreZip -- worm
        – emails itself to people who have sent you email
        – Copies itself onto local microsoft net startup files
    • Good Times – NOT (hoax)
    See symantec or mcafee

    Virus construction kits
    • Virus Creation Lab
    • many Mutation Engines
    • Metasploit
    • more ……
CNS Lecture 1 - 50




   propagation
    • disk from home
    • shared file system
    • download (ftp/plugin)
    • email (attachments)
       – Propagates through address books, archive email
       – See Symantec simulator
    • vendor (CD, updates, compiler!)
    • Virus propagation requires a person
CNS Lecture 1 - 51

   Symantec simulator
    • Virus/worms
       – Concept – first macro virus (email)
       – Melissa – virus and worm (email address book)
       – exploreZip – worm, spreads on reboot, email address book and recent
         senders, modifies startup script on shared files
    • Two enterprises
       – Corporation 2 has ALL CORPORATION maillist
       – Parameters: email rate, external/internal, workgroup, ALL corp. list,
         % shared drives, reboots/day, # recipients, % attachments
CNS Lecture 1 - 52




   Worm propagation
    Code Red
    • .ida vulnerability in Microsoft IIS servers (buffer overflow)
    • Launched 99 threads and generated random IP addresses to attack
    • Thread 100 defaced web server

    Code Red II -- faster propagation
    • 3/8 choose random address in local class B
    • ½ from local class A
    • 1/8 random from whole internet

    Nimda
    • 5 propagation techniques
       – IIS vulnerability probes
       – Bulk email from address lists
       – Copying to open network shares
       – Exploit code added to server page
       – Scan for Code Red II backdoors
CNS Lecture 1 - 53

   Microsoft blaster worm
    • Exploited a buffer overflow in RPC (port 135)
    • Installed msblast.exe in system folder
       – Modify registry so msblast.exe runs at boot and start msblast.exe
       – Prevent downloading a patch (SYN flood of windowsupdate.com)
       – Reboot the machine every 60 seconds
       – Look for other IP addresses (“nearby” or random) running port 135
       – ‘03, first 5 days, 3 million tech support calls
       – Survey 882 companies
          • Average cost $474k, max $4.2M
          • Entered via laptops, VPNs, then routers
CNS Lecture 1 - 54




   Virus activity at UT
   (charts: volume; who)
CNS Lecture 1 - 55

   symptoms
    When YOU detect the malware
    • file changes: length, date/time
    • slower system operation
    • reduced memory or disk space
    • bad sectors
    • unusual messages/displays
    • failed program execution
    • Blue screen of death

      A fatal exception 0E has occurred at 0157:BF7FF831. The current
      application will be terminated.
          * Press any key to terminate the current application.
          * Press CTRL+ALT+DEL to restart your computer.
      You will lose any unsaved information in all applications.
      Press any key to continue
CNS Lecture 1 - 56




   Detection – anti-virus software
    • signature scan (batch)
       – Locate
       – Identify which virus
       – Remove (anti-virus software may help, or web site instructions, registry)
    • Checksums – see that files have changed (tripwire)
    • email checkers (active)
       – Virus signature
       – Executable attachments
    • self-checking/integrity checking on load (not foolproof)
    • Memory resident abnormal operation detection (detect new ones)
       – Block “abnormal behavior” – format disk, change registry, network apps, executable modifications
    • emulators (IBM's digital immune system)
    • commercial/shareware anti-virus software (updates)
    • caution downloading software (shareware, Java), attachments

    Recovery
    • anti-virus often can remove virus, or see instructions at Symantec/McAfee,
       otherwise restore from backups
                              See symantec example
CNS Lecture 1 - 57

   MSRT – Microsoft malware removal
    • 6 million computers cleaned
    • Top malware: trojan horse (62%)
       – Used for bots (spam, spyware, DoS attack)
CNS Lecture 1 - 58
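Two of the detection methods on slide 57, a tripwire-style checksum baseline and a batch signature scan, are small enough to write out. The script below is an added example, not Tripwire or lecture code: it records the size, modification time and SHA-256 of every file (the "file changes" symptom of slide 56), then looks for a known byte pattern, using the `#virus#` tag that the UNIX script virus on slide 48 leaves in files it has already touched. The directory, scripts and "infection" in `demo()` are constructed; the appended block only echoes a line.

```python
"""Tripwire-style integrity baseline plus a simple signature scan.

Added example, not lecture or Tripwire code. Files are constructed in demo().
"""
import hashlib
import os
import tempfile

# Constructed signature list: byte patterns a scanner ties to known malware.
SIGNATURES = {
    b"#virus#": "demo-script-virus (marker from slide 48)",
}


def fingerprint(path):
    """Baseline record for one file: size, mtime and SHA-256 of its contents."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def baseline(directory):
    """Fingerprint every regular file under `directory` (the tripwire database)."""
    db = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            db[os.path.relpath(path, directory)] = fingerprint(path)
    return db


def integrity_check(directory, db):
    """Compare the tree with the baseline; report changed, new and missing files."""
    now = baseline(directory)
    report = {"changed": [], "new": [], "missing": []}
    for rel, rec in sorted(now.items()):
        if rel not in db:
            report["new"].append(rel)
        elif rec["sha256"] != db[rel]["sha256"]:
            # Size and mtime can be restored by a stealth virus; the hash decides.
            report["changed"].append(rel)
    report["missing"] = sorted(set(db) - set(now))
    return report


def signature_scan(directory):
    """Batch signature scan: map each file containing a known pattern to its label."""
    hits = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as f:
                data = f.read()
            for pattern, label in SIGNATURES.items():
                if pattern in data:
                    hits[os.path.relpath(path, directory)] = label
    return hits


def demo():
    """Baseline a constructed script directory, then simulate an infection."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("backup.sh", "deploy.sh"):
            with open(os.path.join(d, name), "w") as f:
                f.write("#!/bin/sh\necho running %s\n" % name)
        db = baseline(d)
        # Constructed "infection": a tagged block appended to one script and a
        # new tagged file dropped beside it; both only echo text.
        with open(os.path.join(d, "deploy.sh"), "a") as f:
            f.write("#virus#\necho this block was appended\n")
        with open(os.path.join(d, "dropped.sh"), "w") as f:
            f.write("#!/bin/sh\n#virus#\necho dropped\n")
        return integrity_check(d, db), signature_scan(d)


if __name__ == "__main__":
    report, hits = demo()
    print("integrity:", report)
    print("signatures:", hits)
```

The baseline catches any modification, including ones with no known signature, while the signature scan names the culprit; slide 57's "not foolproof" caveat applies to both when the checker itself runs on the compromised host.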




   Malware Microsoft
   (chart not recovered from the slide image)
CNS Lecture 1 - 59

   Digital immune system
   (diagram not recovered from the slide image)
    Don’t need “signature” data base
    This is basically what Symantec/McAfee do at headquarters each day
    Trends: combo attack – virus/worm/spam/DoS, sell botnet
    zero-day exploit: vulnerability discovered on launch day
CNS Lecture 1 - 60




   Trends
    • Combo attacks – virus/worm/spam/DoS
    • Sell botnets for spam – attack for profit $$
    • Zero-day exploit: vulnerability discovered on launch day
    • Attacks more sophisticated, less skill required (point/click/attack)
CNS Lecture 1 - 61

   Your mission
    • Protect cyber space
    • Pass this course
CNS Lecture 1 - 62




   Next time …

      UNIX attacks, using PGP


      Get your CS account!
      Do assignment 1 and begin assignment 2




CNS Lecture 1 - 63



