Slide 1 - University at Albany

					History of Attacks
  First There were the Phone Phreaks
• Phone Phreaks or “Blue Boxers” were
  individuals who attacked the phone system in
  the late sixties and early seventies
• They exploited the migration from mechanical
  switches (as in the film) to electronic
  switches that could be subverted
         Phone Phreak Attacks
• Telephone switches in that period were
  controlled by acoustic signals, specific
  complex tones sent over the same voice
  channel as the call (in-band signaling)
• Blue Boxers reverse engineered the system,
  discovering what tones were used to control
  the system.
• They then built gear, “Blue Boxes”, that
  created the tones and permitted them to
  control the system
          Goals of Blue Boxers
• Mostly they made free long distance phone
  calls for themselves and friends
• Compromised PBXs (Private Branch
  Exchanges) to obtain access to long-distance lines
    Motivations of Phone Phreaks
• Curiosity
   – What can I do?
• Social
   – I can do this; aren’t you impressed?
   – We can do this, we are a group
• Political
   – AT&T was not much loved back then
   Motivations of Phone Phreaks
• Financial
  – Access to free telephone services
     • In this period, only offered to friends
     • Almost never sold
       Impact of Phone Phreaks
• Little Financial Impact
  – Stolen phone time was actually minimal
  – Although phreaks knew how to exploit, and could
    have damaged, the equipment, their tactics did no damage
• They formed the core of the first generation of
• The tone used to detach AT&T billing
  equipment was 2600 Hz: it signaled an idle
  trunk, so sending it during a call released
  the far end while the trunk stayed seized
• This is why many hacker related websites and
  newsgroups have “2600” in their names, as in
  the newsgroup alt.2600
• 2600 Hz happened to be the frequency
  produced by a whistle given as a prize in boxes
  of Cap’n Crunch cereal
              Early Intrusions
• Phone Phreaks would often scan phone
  exchanges to find tie lines and PBXs (war dialing)
  – They would use a brute force approach trying
    every possible phone number in an exchange
  – An exchange is determined by the first three digits
    of a phone number, for example, in the number
    272-1234, the exchange is 272
              Early Intrusions
• Often, while scanning, they would find
  – This is the tone a modem gives when it answers a
  – This indicated a line that was attached to a
• As many phone phreaks were engineering
  students, this was very interesting to them
              Early Intrusions
• Early Systems had no concept of user ids and
  there were no passwords
  – This means, if you could find the phone line, and
    you had a modem and terminal, you could gain
  – A lot of this went on
              Early Intrusions
• Eventually, user ids and passwords were
  implemented, mid seventies to late seventies
  – This led to the password guessing approaches we
    have previously discussed
  – Since users were naïve, very simple password
    guessing tactics were very effective
   Early Intrusions -- Motivations
• Curiosity
  – Powerful computers were rare
  – Access was limited and hard to obtain
  – Intrusion gave you the ability to see what all the
    fuss was about
• Social
  – A newer better form of Phreaking
     • I break into computers, so my kung fu is better
    Early Intrusions -- Motivation
• Social – cont.
   – “We break into computers”, again tribal
• Political
   – Computers belong to the Man
   – It’s OK to steal from thieves
• Games
   – As long as there have been computers there have
     been games, and people stealing computer time
     to play them
   Early Intrusions -- Motivations
• Financial
  – Looking for data with a market value
  – This was actually rare. The film we saw is one of
    the first confirmed cases of intrusion for profit
       Early Intrusion -- Impact
• Impact was minor
  – Most intrusions were a goal in themselves
     • The hacker wanted to prove to himself and to members
       of the community that he could gain access to the
  – Very little data stored on computers had a market
  – Hackers in this period had very little taste for
 Comparison with Modern intrusions
• Tactics
  – Little has changed
  – Intruders typically gain access with some form of
    password guessing.
  – They typically exploit some flaw in a program to
    gain administrative access
Comparison with Modern Intrusion
• Motivations
  – Motivations have changed
  – Financial motivations have become more common
     • More valuable data is stored on computers
        – Credit Card Data
        – Identity Data
        – Research Data (Industrial)
  – More markets are available
     • Credit card numbers can easily be sold or traded on the
       web, as can identity data
     Final Thoughts on Intrusion
• Note: A well executed intrusion can not be
• Numbers of Intrusions are certainly grossly
  – System managers believe their intrusion detection
    software and policies
  – Most intrusions are well executed
      • It’s easier than managers want to believe
     • Consider “single password, multiple systems”
History of Viruses
               Virus History
• Viruses, though present on early mainframes,
  are mostly correlated with the rise of the
  personal computer
• Virus attacks predate the networking of
       Early Personal Computers
• Apple II
  – Probably the first low cost widely used PC.
  – Original versions had one or two floppy drives
  – Angered many users with first versions of copy
  – Mass marketed in the Mid 80’s
  – Tried for and obtained the Home and Small
    Business Markets
      Early Personal Computers
• Apple Mac
  – Original versions had a single 3.5-inch floppy
    drive, physically smaller than the IBM PC’s
    5.25-inch floppy but holding slightly more data
    (400 KB versus 360 KB)
  – First mass-market graphical user interface on a PC
     • Use of mouse and icons
     • WYSIWYG word processing
  – Aimed at home user, and various types of
    commercial artists
                 Early Attacks
• Elk Cloner for the Apple II
  – 1982
  – First wide scale attack
  – Boot virus
     • Written to the boot sector of the disk
     • Executed when the computer was booted
  – Displayed a poem on every 50th boot
  – Infected other floppy disks when inserted in
                Early Viruses
• Note:
  – The purpose of the virus is mostly to demonstrate
    it is there.
  – It’s like graffiti: it shows that the author
    got somewhere he wasn’t supposed to be and
    left a mark
  – This is common in early viruses
               Early Viruses
• Brain or Pakistani Flu – 1986
  – First IBM PC virus in the wild
  – Boot sector virus
  – Left a message and phone numbers in boot sector
  – Hid its body in 3 kilobytes of the boot disk by
    marking those sectors bad
  – Tied up 7 kilobytes of memory
  – No other real impact
                  Early Viruses
• Note:
  – Again the implementer is primarily concerned
    with leaving a mark, proving what he can do
     • Note: it was two brothers, and the virus came out of
       Lahore, Pakistan; they put their names in the boot sector
                  Early Viruses
• Jerusalem Virus – IBM PC
  – 1987
  – First detected in Jerusalem
  – Attaches itself to all program files it can find
     • Executes when the program executes
  – Beginning in 1988, on any Friday the 13th, deletes
    every program file that is run on that day
                Early Viruses
• Note:
  – We see here the element of Vandalism, which is
    common in Viruses of this period
  – Given there was no way to exploit infected
    computers as there was no network, there is no
    reason not to vandalize the machine
  – This attitude is still found in modern viruses
   Early Viruses – Attack Vectors
• Removable media
  – Most machines in this period either booted from
    floppies or used floppies as their primary
    mechanism for transferring data
  – Machines were often infected by floppies.
  – Once a machine was infected, all floppies created
    or altered on the machine could be infected
  – Often it was not even safe to read a floppy on an
    infected machine
    Early Viruses – Attack Vectors
• Bulletin Board Systems
  – BBSs were machines attached to modems
  – Members of the BBS would dial up the machine
    using their modems
  – This gave them access to
     • Email – primitive but free
     • Forums
     • Files
        – Provided by BBS owner
        – Uploaded by other members
  Early Viruses – Attack Vectors
– Often infected programs were accidentally or
  intentionally uploaded to BBS systems
– Users would download the programs, and infect
  their systems
– Often users would unintentionally spread
  infections by downloading a file from one bulletin
  board, and then uploading it to another
     Early Viruses -- Motivations
• Primary motivations are hard to determine
  – Financial
      • No real financial motive is clear
         – Payloads either did nothing or were indiscriminately
           destructive
   – Social
      • Almost no one ever came forward and claimed credit
        for a virus attack. Apart from Brain, whose authors put
        their names in the boot sector, the authors are unknown
      • Outside of a very small group, one could not claim
        bragging rights
Early Viruses -- Motivations
• Its likely that the motivations were highly personal.
  Simply the knowledge that an attack was possible and
  the satisfaction of successfully implementing it.
     Contrast to Modern Viruses
• Viruses became less important than worms as
  more and more computers were networked.
  – A worm is easier to write
  – Viruses are easier to detect
     • Alter the program they are attached to
        – Virus detection software can detect that the file was modified,
          or that the size of the file has changed.
     • Contain detectable patterns of code or messages that
       virus checking software can detect
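As an added example, not from the slides, here is a small Python model of the two detection approaches listed above: an integrity baseline that notices a program whose size or hash has changed, and a signature scan that looks for a known byte pattern. The sample “program files”, the appending infector, and the signature string are all constructed for the example, and a mutated variant of the virus body stands in for the families of modified viruses the deck discusses later.

```python
import hashlib

# Constructed sample "program files": tiny byte strings standing in for the
# executables a file infector of the period would append itself to.
CLEAN_FILES = {
    "EDIT.COM": b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 40,
    "GAME.EXE": b"MZ" + b"\x00" * 60,
    "DRAW.EXE": b"MZ" + b"\x01" * 60,
}

# Constructed signature: a byte string assumed to occur only in the virus body
# (real scanners kept databases of such strings). VARIANT is the same body
# with a few bytes changed, a new member of the same virus family.
SIGNATURE = b"Hi there, I am the infector"
VARIANT = SIGNATURE.replace(b"Hi there", b"Greetings")

def baseline(files):
    """Record (size, SHA-256) for every file: the known-good state."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}

def infect(data, body=SIGNATURE):
    """Model an appending file infector: the program grows by the virus body."""
    return data + body

def integrity_changes(base, files):
    """Names of baselined files whose size or hash no longer matches
    (the 'file was modified / size changed' check)."""
    changed = []
    for name, data in files.items():
        if name not in base:
            continue  # never baselined; nothing to compare against
        size, digest = base[name]
        if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
            changed.append(name)
    return sorted(changed)

def signature_hits(files, signature=SIGNATURE):
    """Names of files containing the known pattern (the 'detectable pattern
    of code' check)."""
    return sorted(name for name, data in files.items() if signature in data)

def run_scenario():
    """Constructed scenario: one infection by the known strain, one infection
    by the mutated variant, and one legitimate patch. Returns what each check
    flags, to show where the two approaches differ."""
    base = baseline(CLEAN_FILES)
    after = {
        "EDIT.COM": CLEAN_FILES["EDIT.COM"] + b"\x90\x90",   # legitimate update
        "GAME.EXE": infect(CLEAN_FILES["GAME.EXE"]),           # known strain
        "DRAW.EXE": infect(CLEAN_FILES["DRAW.EXE"], VARIANT),  # mutated variant
    }
    return {
        "integrity": integrity_changes(base, after),  # ['DRAW.EXE', 'EDIT.COM', 'GAME.EXE']
        "signature": signature_hits(after),           # ['GAME.EXE']
    }

if __name__ == "__main__":
    for check, names in run_scenario().items():
        print(f"{check:9s} flags: {names}")
```

The integrity check catches the variant the signature misses, but it also flags the legitimate update, so it needs a trusted way to refresh the baseline; the signature check is precise but blind to any change in the pattern it was given. That trade-off is why scanners have long combined both, and why a family of small modifications to an old virus is enough to defeat a signature until it is updated.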
             Modern Viruses
• Viruses are no longer a demonstration of great
  programming skill
  – Virus kits are available
  – Viruses now break down into families: new viruses
    are modifications of old viruses
   Modern Viruses -- Motivations
• Modern viruses can be instances of Vandalism
• More likely
  – Virus used to implant some form of malware that:
     • Creates a zombie
     • Extracts saleable data
      Of Interest to Mac People
• The FIRST OS X virus appeared last year
• It’s still the only one
• It’s a “proof of concept” with no payload
The Morris Worm

The End of Innocence
               Early Worms
• Worms arrived as networking became
• They have grown up with the Network
  – When only mainframes were networked they
    infected mainframes
  – As personal computers came on to the network,
    they became targets
  – As personal computers came to dominate the
    networks, they became primary targets
            The Morris Worm
• The Morris Worm, also known as the Cornell
  Worm, or The Great Worm, is the first real
  worm that was released onto the network
• The Morris Worm was released into the
  version of the Internet we saw in the Stoll Film
            The Morris Worm
• The Worm was written by Robert Morris, a
  graduate student at Cornell University
  – Mr. Morris’s father was a researcher for the
  – Its speculated, but not confirmed that Morris used
    information he obtained from his father in writing
    the worm
            The Morris Worm
• The Worm was released into the wild on
  November 2, 1988
• Morris released it from MIT to disguise the
  fact he was a Cornell Student
        Morris Worm -- Intent
• Mr. Morris’s intent was to create a self
  replicating program that could measure the
  size of the internet
• The worm was designed to infect VAX and Sun
  machines running Unix
• It exploited several holes in common Unix
  programs to travel: the sendmail DEBUG
  command, a buffer overflow in fingerd, and
  trusted-host (rsh/rexec) logins plus password guessing
      The Morris Worm -- Intent
• Once a system was infected, the worm would
  pull the main program over to the infected
  machine and it would begin looking for other
  machines to infect
• Morris assumed that the worm would take
  weeks to infect the entire Internet. He was
  interested in measuring its progress across the
 The Morris Worm – What Happened
• Mr. Morris was not the programmer he
  thought he was
  – The program replicated hundreds of times faster
    than he expected
  – The mechanism he coded to hold down the
    number of copies on an individual machine was
    faulty, so a single machine could be infected
    dozens or hundreds of times
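As an added example, not from the slides, here is a Python model of the faulty copy-limiting check described above, next to the fix a practitioner would use. The model follows the published analyses of the worm’s code: a newcomer that found another copy on the host was supposed to exit, but about one time in seven it kept running anyway. The local TCP port the copies used to find each other and the coin toss between them are left out. The fix shown is an exclusive advisory file lock held for the process lifetime; the lock path, the arrival counts and the seed are assumptions made for the example.

```python
import fcntl
import os
import random
import tempfile

# Simplified model of the worm's copy-limiting check, following the published
# analyses of its code: a newcomer asked whether another copy was already
# running on the host and was supposed to exit if so, but about one time in
# seven it ignored the answer and ran regardless.
MORRIS_STAY_ANYWAY_PROB = 1.0 / 7.0

def simulate_reinfections(attempts, stay_anyway_prob, seed=1988):
    """Count copies left running on one host after `attempts` arrivals
    (an assumed number; real hosts were hit over and over as already
    infected neighbours kept attacking them), when a newcomer that finds
    a copy present still keeps running with probability `stay_anyway_prob`."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    running = 0
    for _ in range(attempts):
        if running == 0 or rng.random() < stay_anyway_prob:
            running += 1   # first copy, or the 1-in-7 case: newcomer stays
        # otherwise the newcomer exits and `running` is unchanged
    return running

def expected_copies(attempts, stay_anyway_prob):
    """Closed form of the same model: the first copy always stays and each
    later arrival stays with probability p, so the copy count grows linearly
    with the number of reinfection attempts instead of staying at one."""
    return 1 + (attempts - 1) * stay_anyway_prob

def try_acquire_instance_lock(lock_path):
    """The fix: an exclusive advisory lock (flock) held for the process
    lifetime. Returns the open descriptor if the caller is the single
    instance, or None if another holder exists. No probability involved,
    and the lock vanishes with its holder, so a crash cannot leave it stuck."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd

def lock_demo():
    """Two 'instances' (two separate opens of the same lock file, which flock
    treats as independent holders) contend for the lock. Returns
    (first_got_it, second_refused, third_got_it_after_first_exited)."""
    path = os.path.join(tempfile.mkdtemp(), "single-instance.lock")  # assumed path
    first = try_acquire_instance_lock(path)
    second = try_acquire_instance_lock(path)
    os.close(first)              # first instance exits; the lock goes with its fd
    third = try_acquire_instance_lock(path)
    if third is not None:
        os.close(third)
    return (first is not None, second is None, third is not None)

if __name__ == "__main__":
    print("copies after 700 arrivals, 1-in-7 rule:",
          simulate_reinfections(700, MORRIS_STAY_ANYWAY_PROB))
    print("expected under that rule:",
          round(expected_copies(700, MORRIS_STAY_ANYWAY_PROB), 1))
    print("copies after 700 arrivals, strict check:", simulate_reinfections(700, 0.0))
    print("exclusive lock gives (True, True, True):", lock_demo())
```

The point of the closed form is that any non-zero “stay anyway” probability turns the limiter into a leak: on a host being reinfected hundreds of times an hour, one exception in seven is a hundred extra copies, each of them attacking the neighbours and feeding the cycle. A lock that is either held or not has no such leak, which is why single-instance checks in real daemons are built on it rather than on a negotiated coin toss.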
 The Morris Worm – What Happened
• Within minutes
  – The attempts of the worm to replicate itself
    caused what amounted to a denial of service
    attack on the entire Internet
  – Individual machines on the net would end up
    running so many copies of the worm that nothing
    else could run, or the machine would crash
The Morris Worm – What Happened
– System Administrators tried to cure their
  machines by rebooting them, but they were
  immediately reinfected
– Communication between System Administrators
  to solve the problem was impossible because
  email, which they had come to depend upon was
  • No one had phone numbers, it turned out
 The Morris Worm – What Happened
• In the end, much of the net was disconnected for
  days while administrators fixed vulnerabilities
  and installed patches
     The Morris Worm -- Impact
• End of Innocence
  – System Administrators finally had to face up to
    how vulnerable their systems were
  – The also had to consider what might have
    happened if the attack had been malicious
   – Formed CERT
      • Computer Emergency Response Team
      • To deal with future problems
      • Still exists
     The Morris Worm -- Impact
• The GAO estimated the damage at 100 thousand
  to 10 million dollars, mostly the time required
  to repair problems and bring the net back up
• Estimates of infected machines vary
  – Most experts feel 90% or more of vulnerable
    machines were infected
  – This is probably 6 to 8 thousand of the 60,000
    machines on the Net at that time.
     The Morris Worm -- Impact
• Mr. Morris
  – Was found guilty of violating the Computer Fraud
    and Abuse Act, passed two years previous
  – Was sentenced to 3 years probation, 400 hours of
    community service and a 10,050 dollar fine
  – Now is an associate professor at MIT
     The Morris Worm -- Impact
• University at Albany
  – Was hit hard that day.
     • Why the agreement you sign to gain access to campus
       computers is so strict
     • Why there are so many restrictions on what you can do.
  Comparison to Modern Worms
• Modern Worms are better written
  – The disruption caused by the Morris worm is a dead
    giveaway that a worm exists
  – Recall we discussed rapid reproduction as a
    problem with the Slammer Worm
• Modern worms often have a financial motive
