Networks and Security
CS 305
Social, Ethical, and Legal Implications of Computing
Chapter 6: Computer Networks and Security
Herbert G. Mayer, PSU CS
Status 6/25/2011
Slides derived from Prof. Wu-Chang Feng
Syllabus
- Malware
  - Virus
  - Worms
  - Examples
  - Backdoor
  - Trojan Horse
  - Rootkit
  - Botnet
- Hackers and Phreaks
- Enforcement
- In-Class Exercise
Malware
Def: Malware is unwanted software that gives instructions to your computer to do something an attacker wants it to, such as:
- Delete files to render your computer inoperable
- Infect other systems -- worms, viruses
- Monitor activity -- webcams, keystroke loggers
- Gather information on you, your habits, web sites you visit
- Provide unauthorized access -- Trojans, backdoors
- Steal files, store illicit files
- Send spam or attack other systems
- Serve as a stepping stone to launder activity -- frame you for a crime
- Hide activity -- rootkits
Types of Malware
- Viruses
- Worms
- Trojans
- Backdoors
- Rootkits (user & kernel level)
What is a Virus?
Self-replicating piece of code that attaches itself to other programs; usually requires human interaction to propagate
Two Virus Components
- Payload
  - The malicious/anti-social thing that viruses & worms do that makes them highly irritating
  - Examples: wiping your hard drive, deleting files, encrypting files for blackmail purposes
- Propagation mechanism
  - How do viruses spread?
Virus Propagation
- Locally
  - Simplest method
  - Write it to the file system: local files, executables, documents
  - Write it into the boot sector/operating system
- Removable storage
  - Initial viruses propagated through tapes and floppies
  - Rarely target CDs specifically, but:
    » Chernobyl (CIH) on a Yamaha CD-R update CD
    » NIMDA on Visual Studio .NET in Korea
  - Modern media: Compact Flash, SD, USB keys
Virus Propagation
- Network
  - Most common currently
  - Email (ILOVEYOU)
  - Web
  - Newsgroups (Melissa)
  - P2P networks (FastTrack, Gnutella, IRC, Torrent)
    » A 2003 study showed 45% of executable files downloaded from KaZaA had viruses or Trojan horses
    » Beware of warez!
  - NFS, Samba mounts
  - Social networks
Examples
- Benign
  - Brain virus (1986)
    » Determine the level of software piracy in Pakistan
- Malicious
  - Michelangelo (1991)
    » Erased the boot sector on March 6
  - Love Bug (2000)
    » Deleted files
    » Collected passwords and e-mailed them
    » Author was a 23-year-old Filipino CS student
    » No hacking laws in the Philippines, so no prosecution
Worms
A worm is a self-replicating piece of code that spreads via networks; usually does not require human interaction to propagate
Virus vs. Worm
- Similarities
  - Goal is to infect other machines
  - Can contain a payload
- Virus
  - Infects other files (must have executable sections)
  - Transmitted via removable storage or network
  - Requires user interaction for propagation -- e.g. open a file, boot from floppy, launch an executable, click on an e-mail attachment, etc.
- Worm
  - Travels through the network only
  - May infect other files (might be cleared through reboot)
  - Does not require human interaction
  - Targets misconfiguration or flaws/vulnerabilities in systems -- buffer overflows!
Why are Worms Powerful?
- Fast scaling
  - Can take over a vast number of machines, each of which will act as a launch point to infect other machines
- Goal: infect 10,000 machines
- Serial example
  - Suppose an average of 1 hour per machine
  - Includes time to find a vulnerable machine, as well as infecting it
  - 10,000 hours = 416 days > 1 year!
- Worm example
  - Again, suppose an average of 1 hour per machine
  - Infected machines will subsequently take an hour to infect another
    » 1st hour: 1 infection
    » 2nd hour: 3 infections
    » 3rd hour: 7 infections
    » 14th hour: 16,383 infections = 714 times faster than serial
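The serial-versus-worm arithmetic on this slide, carried through in code as an added example (this is not code from the slides or from the course). It reproduces the 1, 3, 7, ... 16,383 sequence and the 714x figure, and goes slightly beyond the slide by taking an arbitrary target size, an arbitrary per-infection time, and an optional finite vulnerable population, which is the assumption that makes the doubling model an upper bound rather than a prediction. The model itself (every infected machine plus the original attacker infects exactly one new machine per round, nobody patches during the outbreak) is a constructed simplification.

```python
from typing import List, Optional, Tuple

# Added example, not from the slides: the serial-vs-worm spread model of the
# "Why are Worms Powerful?" slide, generalised to any target size, any
# per-infection time, and (optionally) a finite vulnerable population.
# Model assumptions (constructed for illustration): in every round each
# already-infected machine, plus the original attacker, infects exactly one
# new machine, and nobody patches or cleans up while the outbreak runs.


def serial_hours(target: int, hours_per_infection: float = 1.0) -> float:
    """Time for a single attacker infecting machines one after another."""
    return target * hours_per_infection


def infected_after(rounds: int) -> int:
    """Cumulative infections after `rounds` rounds with unlimited targets:
    1, 3, 7, 15, ... i.e. 2**rounds - 1 (round 14 gives 16,383)."""
    return 2 ** rounds - 1


def worm_timeline(target: int, hours_per_infection: float = 1.0,
                  vulnerable: Optional[int] = None) -> List[Tuple[float, int]]:
    """Round-by-round (hours elapsed, cumulative infections) until the worm
    has reached `target` machines.  With a finite `vulnerable` population the
    count saturates there instead of doubling forever."""
    if vulnerable is not None and target > vulnerable:
        raise ValueError("target exceeds the vulnerable population")
    timeline: List[Tuple[float, int]] = []
    infected = 0
    rounds = 0
    while infected < target:
        rounds += 1
        # every already-infected host, plus the attacker, adds one new victim
        infected = infected * 2 + 1
        if vulnerable is not None:
            infected = min(infected, vulnerable)
        timeline.append((rounds * hours_per_infection, infected))
    return timeline


def worm_hours(target: int, hours_per_infection: float = 1.0,
               vulnerable: Optional[int] = None) -> float:
    """Hours until the self-propagating spread reaches `target` machines."""
    return worm_timeline(target, hours_per_infection, vulnerable)[-1][0]


def speedup(target: int, hours_per_infection: float = 1.0) -> float:
    """How many times faster the worm reaches `target` than serial infection."""
    return serial_hours(target, hours_per_infection) / worm_hours(target, hours_per_infection)


if __name__ == "__main__":
    for hours, count in worm_timeline(10_000):
        print(f"hour {int(hours):2d}: {count:6,d} infections")
    print(f"serial: {serial_hours(10_000):,.0f} hours; "
          f"worm: {worm_hours(10_000):.0f} hours; "
          f"speedup: {speedup(10_000):.0f}x")
```

Running it prints the slide's table and ends with a speedup of 714 (10,000 hours divided by 14). Passing `vulnerable=100` shows the other half of the story: growth stops at the size of the exposed population, which is why patching before a worm launches (the Code Red lesson later in these slides) shrinks the outbreak rather than merely delaying it.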
Anatomy of a Worm
A worm is composed of:
- Warhead
- Propagation Engine
- Target Selection Algorithm
- Scanning Engine
- Payload
Warhead
Warhead – the mechanism by which a worm gains entry into a system
- This is the part that we protect our systems against. The warhead contains the exploit code
- Buffer overflow, copying into open file shares, password attacks
Propagation Engine
Propagation Engine – how the worm transports a new copy of itself into another machine
- Often, warheads contain the entire worm, but not always
- Warhead code can download the rest of the worm code, e.g. remote root shell exploit followed by an ftp
Target Selection Algorithm
Target Selection Algorithm – how a worm selects its next target
- Want to choose nearby targets. Nearby targets are much faster to infect than far away targets
- IP address proximity, network neighborhood, e-mail address books
Scanning Engine
Scanning Engine – code that probes machines to determine if addresses generated by the targeting algorithm are vulnerable
- Usually pretty simple: send probing packets (TCP SYN) to targets, wait for a response
- If successful in opening a socket, attempt to compromise
Payload
Payload – the malicious code that the worm actually delivers
- Early worms often had no payload; just the mere act of spreading itself around damages the Internet
- Install a backdoor, Trojan, or rootkit
- Alter or destroy files (immediately, timed, on-demand)
- Encrypt your data, delete the originals, hold it for ransom
- Form a botnet (e-mail spam, search engine spam, phishing)
- Launch DoS attacks
Examples
The first few worms were “ethical” worms – worms that tried to perform a useful service
- Creeper
  - First worm, developed for the assistance of air traffic controllers by Bob Thomas in 1971
  - Notified air traffic controllers when the controls of a plane moved from one computer to another
  - Traveled from one computer screen to the other on the network, showing the message "I'm creeper! Catch me if you can!"
  - Did not reproduce itself
Examples
- Xerox PARC worms
  - John Shock and Jon Hepps of Xerox PARC, early eighties
  - Worms as efficient carriers of software
  - "Town crier" worm posted announcements on all computers of the network
  - More complex: activated only at night to consume unused CPU cycles
  - Escaped the laboratory into Xerox’s network
    » One morning the employees returned to find that all the computers had crashed. When they tried to restart the computers, they crashed again
    » One of the worms malfunctioned and had created havoc in the network
    » A "vaccine" had to be created to deactivate the worm
Examples
- The Internet worm (1988)
  - Robert Morris (student at Cornell) discovers multiple security holes in Unix (ftp, sendmail, and fingerd)
  - Wanted to research whether one could create an automated means for exploiting them
  - Goal was to infect quickly, but do no other damage (i.e. files left alone)
  - In the middle of the design, a patch was released for one vulnerability
  - Morris quickly launched the worm before it was completed
  - Released November 2, 1988
  - Brought down the Internet
  - Morris suspended from Cornell and convicted of a felony under the U.S. Computer Fraud and Abuse Act (given probation)
  - Went back to school at Princeton, now a professor at MIT
- Ethics?
  - Malicious or selfish?
Code Red (2001)
- Targeted the indexing service used in the Windows IIS web server
- Spreads as a bad HTTP request (buffer overflow)
- Infected server creates 99 threads to attack random IP addresses
- windowsupdate.microsoft.com was infected too
- Infection rate
  - Over 20,000 infections in less than 10 minutes
  - Over 250,000 infections in less than 9 hours
  - Over 975,000 total infections
- Payload
  - DDoS attack against whitehouse.gov’s IP
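The scanning engine described in the worm anatomy slides, and Code Red's 99 threads hammering random IP addresses on port 80, both leave the same footprint on a network: one source touching many distinct hosts on one port in a short time, with very few handshakes completing because most addresses are not listening or not vulnerable. The following is an added example (not code from the slides or the course) of how a defender would flag that footprint in connection records. The flow-record format, the field names, the TEST-NET addresses and the thresholds are all constructed assumptions; real flow exporters (NetFlow, Zeek conn logs) carry the same information in different shapes, so only the parser would change.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not from the slides: flagging worm-style scanning in a
# connection log from the defender's side.
#
# Constructed record format (an assumption, not any real exporter's):
#   <timestamp_seconds> <src_ip> <dst_ip> <dst_port> <flags>
# where flags is "S" for a SYN that never got a reply and "SA" when the
# TCP handshake completed.

Flow = Tuple[float, str, str, int, str]


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow format into (ts, src, dst, port, flags)."""
    flows: List[Flow] = []
    for line in text.strip().splitlines():
        ts, src, dst, port, flags = line.split()
        flows.append((float(ts), src, dst, int(port), flags))
    return flows


def find_scanners(flows: List[Flow], window: float = 60.0,
                  min_distinct_dsts: int = 20,
                  max_success_ratio: float = 0.2) -> Dict[str, Tuple[int, int, int]]:
    """Return {src_ip: (port, distinct_dsts, completed_handshakes)} for every
    source that, inside some `window`-second span, contacted at least
    `min_distinct_dsts` distinct hosts on one port while completing a
    handshake with at most `max_success_ratio` of them.  Many flows to ONE
    host (a monitor polling a server) are deliberately not flagged."""
    by_src: Dict[str, List[Tuple[float, str, int, str]]] = defaultdict(list)
    for ts, src, dst, port, flags in flows:
        by_src[src].append((ts, dst, port, flags))

    scanners: Dict[str, Tuple[int, int, int]] = {}
    for src, recs in by_src.items():
        recs.sort()  # by timestamp
        for i in range(len(recs)):          # sliding window starting at each record
            t0 = recs[i][0]
            dsts_by_port: Dict[int, set] = defaultdict(set)
            ok_by_port: Dict[int, set] = defaultdict(set)
            for ts, dst, port, flags in recs[i:]:
                if ts - t0 > window:
                    break
                dsts_by_port[port].add(dst)
                if flags == "SA":
                    ok_by_port[port].add(dst)
            for port, dsts in dsts_by_port.items():
                n_ok = len(ok_by_port[port])
                if len(dsts) >= min_distinct_dsts and n_ok / len(dsts) <= max_success_ratio:
                    scanners[src] = (port, len(dsts), n_ok)
                    break
            if src in scanners:
                break
    return scanners


def build_sample_log() -> str:
    """Constructed sample traffic using RFC 5737 TEST-NET addresses."""
    lines = []
    # worm-like host: 40 distinct targets on port 80 within 30 s, 2 handshakes succeed
    for i in range(1, 41):
        flags = "SA" if i in (7, 23) else "S"
        lines.append(f"{i * 0.75:.2f} 192.0.2.10 203.0.113.{i} 80 {flags}")
    # ordinary client: a handful of completed HTTPS connections to three servers
    for i, dst in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.7"] * 2):
        lines.append(f"{5 + i * 3:.2f} 192.0.2.20 {dst} 443 SA")
    # monitoring box polling one web server: many flows, a single destination
    for i in range(50):
        lines.append(f"{i * 1.0:.2f} 192.0.2.30 198.51.100.9 80 SA")
    return "\n".join(lines)


def report(text: str) -> Dict[str, Tuple[int, int, int]]:
    return find_scanners(parse_flows(text))


if __name__ == "__main__":
    for src, (port, n, ok) in report(build_sample_log()).items():
        print(f"{src}: {n} distinct hosts on port {port}, {ok} handshakes completed")
```

On the constructed sample only 192.0.2.10 is reported (40 hosts on port 80, 2 completed). The two thresholds encode the slide's point: target selection by random or nearby address produces a spread of destinations, and the SYN-probe scanning engine produces a low success ratio; a legitimately busy client or monitor fails one or both tests.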
Code Red (2001)
- People don’t patch
  - IIS vulnerability was fixed months before Code Red launched
  - Infected machines observed years later
Santy (2004)
- Attacks PHP Bulletin Board (phpBB) website software
- Exploit
  - URL descrambling error in PHP on input allows arbitrary PHP script to execute
- Novel target selection algorithm
  - How do you find vulnerable phpBB2 software to attack?
    » The same way you do. It Googles for it.
    » 40,000 phpBB2 servers hit
  - Google eventually started blocking/censoring searches to slow down the worm
  - Result: a new variant of Santy used the AOL and Yahoo search engines
- “Ethical” worm developed 1 week later
  - Anti-Santy worm used the same method Google used
  - Defaced webpage: “viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11.”
Ethical Worms
- Suppose you create a worm that…
  - Exploits the vulnerability
  - Patches the system
  - Removes itself
- Should you release it?
  - What if it spreads out of control?
  - What if it doesn’t work?
  - Patching could bring about problems
    » E.g. Critical application depends on vulnerability to work correctly
    » E.g. Application depends on a certain interpretation of the specification
  - Patches have to be tested thoroughly!
- Are ethical worms an oxymoron?
- Perhaps not worth the trouble?
- How would one analyze this using ethical frameworks?
Ethical Disclosure
- Publishing zero-day exploits
  - Zero-day worms are especially dangerous as they target brand new exploits
  - No patch available! (Have to hope that your system/network is adequately hardened)
  - Is it ethical to disclose such vulnerabilities?
  - How long should one wait to disclose them?
- Publishing better ways to design worms
  - Staniford, Paxson, Weaver, “How to 0wn the Internet in Your Own Spare Time”, in Usenix Security 02
  - Warhol worms/flash worms
    » Infect the entire Internet in 15 minutes/30 seconds. (!)
  - Is it ethical to disclose such techniques?
Backdoors
A backdoor is a program that allows attackers to bypass normal security controls on a system, gaining access on the attacker’s own terms
Types of Backdoors
- Local escalation of privileges
  - Allow attackers with an account to gain administrator privileges
- Remote execution of individual commands
  - Remote attackers can send a message to a victim machine that allows them to execute a single command on the victim machine
- Remote command-line access (aka remote shell)
  - Remote attacker can type directly into a command prompt of the victim machine across the network
- Remote control of GUI
  - Remote attacker controls the GUI of the victim machine across the network
Trojan Horse
A Trojan horse is a program which appears to have some useful or benign capability, but conceals some hidden, malicious functionality
Origin of term: the ancient Greeks laying siege to Troy…
Rootkits
Rootkits are Trojan backdoor tools that modify existing operating system software so that the attacker can keep access to and hide on a machine
Botnets
- A bot is a software program that responds to commands sent by a command-and-control program located on an external computer
- Botnets are coordinated collections of bots under a single central control
  - Launch denial-of-service attacks
  - Send spam
  - Host phishing sites
Hackers and Phreaks
- Hackers – two definitions: good and bad
  - Someone highly skilled in programming and use of computer systems (sign of respect in some circles)
  - Someone who breaks into computer systems (sign of bad behavior in public circles)
- Phone phreak – someone who manipulates the telephone system in order to communicate with others without paying
  - Stealing access codes, using outlawed hardware
Early Hacking Incidents
- PDP-11
  - Programmable minicomputer shared by many students at MIT
  - Students forbidden to modify hardware
- Stewart Nelson (1960s)
  - Added a new hardware instruction in the middle of the night to “improve” performance
  - Also did it to demonstrate his skills
- Ethical evaluation
  - Does it depend on the outcome?
  - What good is an ethical framework if you can only tell afterwards if an action is right or wrong?
U.S. Law on Hacking
- Computer Fraud and Abuse Act
  - Transmitting code that causes damage to a computer system
  - Accessing without authorization any computer connected to the Internet
  - Transmitting classified government information
  - Trafficking in computer passwords
  - Computer fraud
  - Computer extortion
  - Maximum penalty – 20 years and $250k fine
- Other acts that can be applied to Internet-based crime
  - Wire Fraud Act
  - National Stolen Property Act
  - Identity Theft and Assumption Deterrence Act
Recent Enforcement
- Ancheta (2005)
  - Created a botnet of hundreds of thousands of machines
  - Some within the DoD
  - Used to spam
  - Arrested and convicted under the Computer Fraud and Abuse Act and the CAN-SPAM Act in May 2005
  - 57 months in prison, $15,000 in restitution to the US government
  - Forfeiture of illegal proceeds and computer equipment
- Gonzalez (2009)
  - With Russian co-conspirators, obtained 130 million credit/debit card numbers
  - Indicted
- Successes of enforcement are few and far between due to stealth measures that are easy to implement
Blue Security
- Fighting bots with bots
  - Users sign up for the Blue Security service
  - Whenever they mark a message as spam, they inform the Blue Security service
  - Blue Security bot automatically sends an opt-out message to the spammer
- Spammers target Blue Security and its users with an enormous volume of spam
- Service discontinued
In-Class Exercise
Oberlin College in Ohio requires that every computer brought to campus by a student be inspected for viruses. System administrators remove all viruses from the students’ computers. Students whose computers subsequently pick up and spread a virus may be fined $25, whether they knew about the virus or not. Is this a morally justifiable policy?
In-Class Exercise
- SATAN hacker toolkit
  - Security Administrator Tool for Analyzing Networks
  - Probes computers for security weaknesses
  - Could be used for good and evil
- Morality of publishing SATAN using ethical frameworks?
In-Class Exercise
- On-line voting
  - Used in many countries to render elections cheap and easily accessible
    » Local elections in the UK (since 2001)
    » U.S. primary elections in Alaska and Arizona (2000)
  - Controversial
- Election goals
  - Tamper-resistance
    » One vote per person
    » Prevent vote trading/selling
    » Audit trail to ensure proper tallying
    » Authenticating both the voter and the election service
  - Privacy
  - Ease of use to avoid voter disenfranchisement (e.g. “Butterfly” ballot of 2000)
- Ethical evaluation?