BA 28 Chapter 6
Download
Report
Transcript BA 28 Chapter 6
Chapter 6:
Computer and Network Security
Ethics for the Information Age
BA 28
Chapter Overview
Introduction
Viruses, worms, and Trojan horses
Phreaks and hackers
Denial-of-service attacks
Online voting
1-2
6.2 Viruses, Worms, and
Trojan Horses
1-3
Viruses
Virus: piece of self-replicating code
embedded within another program (host)
Viruses associated with program files
Hard disks, floppy disks, CD-ROMS
Email attachments
How viruses spread
1. Diskettes or CDs
2. Email
3. Files downloaded from Internet
1-4
How a Virus
Replicates
1-5
Email Attachment with Possible Virus
1-6
How an Email Virus Spreads
1-7
History of Viruses
Well-known viruses
Brain
Michelangelo
Melissa
Love Bug
Viruses today
Good news: Commercial antivirus software
Bad news: Few people keep up-to-date. It can be
costly for upgrading and time consuming for disk
cleanup.
1-8
Worms
Worm
1.
2.
3.
Self-contained program
Spreads through a computer network
Exploits security holes in networked computers
Famous worms
WANK
Code Red
Sapphire (Slammer)
Blaster
Sasser
1-9
How a Worm Spreads
1-10
Three Kinds of Buffer Overflow Attack
1-11
Conficker (Downadup) Worm
Appeared on Windows computers in
November 2008
Uses a buffer overflow attack to spread to
new computers
Particularly difficult to eradicate
Rate of new infections roughly the same as
rate of eradications
1-12
The Internet Worm
Robert Tappan Morris, Jr.
Effect of worm
Graduate student at Cornell
Released worm onto Internet from MIT computer
Spread to 6,000 Unix computers
Infected computers kept crashing or became unresponsive
Took a day for fixes to be published
Impact on Morris
Suspended from Cornell
3 years’ probation + 400 hours community service
$150,000 in legal fees and fines
1-13
Ethical Evaluation
Kantian evaluation
Social contract theory evaluation
Morris violated property rights of organizations
Utilitarian evaluation
Morris used others by gaining access to their computers
without permission
Benefits: Organizations learned of security flaws
Harms: Time spent by those fighting worm, unavailable
computers, disrupted network traffic, Morris’s punishments
Morris was wrong to have released the Internet worm
1-14
Trojan Horses
Trojan horse: program with benign
capability that masks a sinister purpose
Remote access Trojan: Trojan horse that
gives attack access to victim’s computer
Back Orifice
SubSeven
RAT servers often found within files
downloaded from erotica/porn Usenet sites
1-15
Bot Networks
Bot: A software program that responds to
commands from a program on another computer
Some bots support legitimate activities
Internet Relay Chat
Multiplayer Internet games
Other bots support illegitimate activities
Distributing spam
Collecting person information for ID theft
Distributed denial-of-service attacks
1-16
Defensive Measures
System administrators play key role
Authorization: determining that a user has
permission to perform a particular action
Authentication: determining that people are
who they claim to be
Firewall: a computer monitoring packets
entering and leaving a local area network
1-17
6.3 Phreaks and Hackers
1-18
Hackers (original meaning)
Original meaning of Hackers:
1.
2.
3.
Explorer
Risk-taker
Technical virtuoso
What is the Hacker ethic? (In a nutshell)
1.
2.
3.
4.
5.
Hands-on imperative
Free exchange of information
Mistrust of authority
Value skill above all else
Optimistic view of technology
1-19
Steve Russell Invented First Video
Game, Then Gave It Away
Steve Russell was a
“hacker” in every sense of
the word. He was
considered a “hero” of the
Computer Revolution,
Stewart Nelson was also
considered a “hero hacker”
for his role in modifying the
hardware of the PDP-1. But
were either of these men
ethical in their actions? Did
they start a firestorm?
Computer History Museum
1-20
Hackers (Evolved meaning)
Meaning of “hacker” changed
Movie WarGames
Teenagers accessing corporate or government
computers
Dumpster diving
Social engineering
Malicious acts
Destroying databases
Stealing confidential personal information
1-21
Phone Phreaking
Phone phreak: someone who manipulates
phone system to make free calls
Most popular methods
Steal long-distance telephone access codes
Guess long-distance telephone access codes
Use a “blue box” to get free access to longdistance lines
Access codes posted on “pirate boards”
1-22
U.S. v. Riggs
Riggs and Neidorf arrested
Charged with wire fraud
Interstate transportation of stolen property
valued at $79,449
Computer fraud
Riggs pleaded guilty to wire fraud; went to
federal prison
Neidorf pleaded not guilty
Defense showed similar info being sold for < $25
Prosecution moved to dismiss charges
1-23
Steve Jackson Games
Steve Jackson Games (SJG) published role-playing
games and operated BBS
Loyd Blankenship
Key SJG employee
LOD member
Published E911 document on his own BBS
Secret Service raided SJG and seized computers,
looking for copy of E911 Document
Led to creation of Electronic Frontier Foundation
(EFF)
EFF backed successful SJG lawsuit of Secret
Service
1-24
Retrospective
1.
2.
3.
1.
2.
3.
Parallels between hackers and those who download MP3 files
Establishment overvalues intellectual property
Use of technology as a “joy ride”
Breaking certain laws considered not that big a deal
Parallels between response of Secret Service and response of
RIAA
Cyberspace is real
Those who break the law can be identified
Illegal actions can have severe consequences
1-25
Penalties for Hacking
Examples of illegal activities
1.
Accessing without authorization any Internet computer
2.
Transmitting a virus or worm
3.
Trafficking in computer passwords
4.
Intercepting a telephone conversation, email, or any
other data transmission
5.
Accessing stored email messages without authorization
6.
Adopting another identity to carry out an illegal activity
Maximum penalty: 20 years in prison + $250,000 fine
Question: Is it worth it????
1-26
6.4 Denial-of-Service Attacks
Denial-of-service attack: an intentional action
designed to prevent legitimate users from making
use of a computer service
Goal of attack: disrupt a server’s ability to respond
to its clients
About 4,000 Web sites attacked each week
Asymmetrical attack that may prove popular with
terrorists
1-27
Attacks that Consume Scarce Resources
SYN flood attack
Smurf attack
Fill target computer’s hard disk
1.
2.
3.
Email bombing
Worm
Break-in followed by file copying
1-28
How a SYN Flood Attack Works
1-29
How a Smurf Attack Works
1-30
Defensive Measures
Physical security of server
Benchmarking
Disk quota systems
Disabling unused network services
Turning off routers’ amplifier network
capability
1-31
Distributed Denial-of-Service Attacks
Attacker gains access to thousands of
computers
Launches simultaneous attack on target
servers
Defensive measures
Secure computers to prevent hijackings
Check for forged IP addresses
1-32
The Rise and Fall of Blue Security
Part I: The Rise
Blue Security: An Israeli company selling a spam
deterrence system
Blue Frog bot would automatically respond to each
spam message with an opt-out message
Spammers started receiving hundreds of thousands
of opt-out messages, disrupting their operations
6 of 10 of world’s top spammers agreed to stop
sending spam to users of Blue Frog
1-33
The Rise and Fall of Blue Security
Part II: The Fall
One spammer (PharmaMaster) started sending Blue
Frog users 10-20 times more spam
PharmaMaster then launched DDoS attacks on Blue
Security and its business customers
Blue Security could not protect its customers from
DDoS attacks and virus-laced emails
Blue Security reluctantly terminated its anti-spam
activities
1-34
Fourth of July Attacks
4th of July weekend in 2009: DDoS attack on
governmental agencies and commercial Web
sites in United States and South Korea
Attack may have been launched by North
Korea in retaliation for United Nations
sanctions
1-35
Attacks on Twitter and Other Social
Networking Sites
Massive DDoS attack made Twitter service
unavailable for several hours on August 6, 2009
Three other sites attacked at same time: Facebook,
LiveJournal, and Google
All sites used by a political blogger from the
Republic of Georgia
Attacks occurred on first anniversary of war between
Georgia and Russia over South Ossetia
1-36
SATAN
Security Administrator Tool for Analyzing
Networks (SATAN)
Allows administrators to test their systems
Could be used to probe other computers
Critics worried SATAN would turn unskilled
teenagers into hackers
That never happened
1-37
6.5 Online Voting
1-38
Motivation for Online Voting
2000 U.S. Presidential election closely contested
Florida pivotal state
Most Florida counties used keypunch voting
machines
Two voting irregularities traced to these machines
Hanging chad
“Butterfly ballot” in Palm Beach County
1-39
The Infamous “Butterfly Ballot”
AP/Wideworld Photos
1-40
Benefits of Online Voting
More people would vote
Votes would be counted more quickly
No ambiguity with electronic votes
Cost less money
Eliminate ballot box tampering
Software can prevent accidental over-voting
Software can prevent under-voting
1-41
The following are REAL
issues that surround the online voting debate.
Risks of Online Voting
Gives unfair advantage to those with home computers
More difficult to preserve voter privacy
More opportunities for vote selling
Obvious target for a DDoS attack
Security of election depends on security of home computers
Susceptible to vote-changing virus or RAT
Susceptible to phony vote servers
No paper copies of ballots for auditing or recounts
1-43
Utilitarian Analysis
Suppose online voting replaced traditional voting
Benefit: Time savings
Assume 50% of adults actually vote
Suppose voter saves 1 hour by voting online
Average pay in U.S. is $18.00 / hour
Time savings worth $9 per adult American
Harm of DDoS attack difficult to determine
What is probability of a DDoS attack?
What is the probability an attack would succeed?
What is the probability a successful attack would change
the outcome of the election?
1-44
Kantian Analysis
The will of each voter should be reflected in that
voter’s ballot
The integrity of each ballot is paramount
Ability to do a recount necessary to guarantee
integrity of each ballot
There should be a paper record of every vote
Eliminating paper records to save time and/or
money is wrong
1-45
Conclusions
Existing systems are highly localized
Widespread tainting more possible with online
system
No paper records with online system
Evidence of tampering with online elections
Relying on security of home computers means
system vulnerable to fraud
Strong case for not allowing online voting
1-46