Computer Security: Hackers and Viruses


Computer Security: Hackers and Viruses
Theory of Computation
Mesfer Alrizq
Naif Alrashidi
Overview
• Introduction
• Viruses
• Hackers
• Protecting
• Conclusion
Computer Security
• Definition
– Computer security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide.
• Computer security measures
– Data encryption
– Passwords
Goals of Computer Security
• Integrity
– Guarantee that the data is what we expect
• Confidentiality
– The information must be accessible only to authorized people
• Reliability
– Computers should work without unexpected problems
• Authentication
– Guarantee that only authorized persons can access the resources
Types of Threats
• Passive Threats
– Interception
• Active Threats
– Interruption
– Modification
– Fabrication
Types of Threats
• Interception
– An unauthorized party gains access to an asset
– Attack on confidentiality
– Wiretapping to capture data in a network
– Illicit copying of files or programs
Types of Threats
• Interruption
– An asset of the system is destroyed or becomes unavailable or unusable
– Attack on availability
– Destruction of hardware
– Cutting of a communication line
– Disabling the file management system
Types of Threats
• Modification
– An unauthorized party not only gains access but tampers
with an asset
– Attack on integrity
– Changing values in a data file
– Altering a program so that it performs differently
– Modifying the content of messages being transmitted in a
network
Types of Threats
• Fabrication
– An unauthorized party inserts counterfeit objects into the
system
– Attack on authenticity
– Insertion of spurious messages in a network
– Addition of records to a file
Computer System Assets
• Hardware
– Threats include accidental and deliberate damage
• Software
– Threats include deletion, alteration, damage
– Backups of the most recent versions can maintain high
availability
Computer System Assets
• Data
– Involves files
– Security concerns for availability, secrecy, and integrity
– Statistical analysis can lead to the determination of individual information, which threatens privacy
Computer System Assets
• Communication Lines and Networks – Passive Attacks
– Release of message contents: a telephone conversation, an electronic mail message, and a transferred file are all subject to this threat
– Traffic analysis
• Encryption masks the contents of what is transferred, so even if it is obtained by someone, they would be unable to extract the information
Computer System Assets
• Communication Lines and Networks – Active Attacks
– Masquerade takes place when one entity pretends to be a
different entity
– Replay involves the passive capture of a data unit and its
subsequent retransmission to produce an unauthorized effect
Computer System Assets
• Communication Lines and Networks – Active Attacks
– Modification of messages means that some portion of a
legitimate message is altered, or that messages are delayed
or reordered, to produce an unauthorized effect
– Denial of service prevents or inhibits the normal use or
management of communications facilities
• Disable network or overload it with messages
Overview
• Introduction
• Viruses
• Hackers
• Protecting
• Conclusion
What is a computer virus?
• A computer virus is a program which damages computer systems and/or destroys or erases data files.
• A virus is a small piece of program that can infect other programs by modifying them to include a copy of itself.
Computer Virus History
• Late 60s, early 70s: "Rabbits" cloned themselves and occupied system resources, slowing down productivity.
• "The Creeper" was capable of entering a network by itself and transferring a copy of itself to the system.
• Early 80s: An increasing number of programs were written by individuals rather than by software companies. Programs caused minor viruses called "Trojan horses".
• 1986: 'Brain' virus, by Amjad and Basit Farooq Alvi
– spread through floppy disks
– infected boot records, not computer hard drives
• Also known as Lahore, Pakistani Brain, Brain-A and UIUC virus
– took over free space on the floppy disk and hid from detection: it "disguised itself by displaying the uninfected boot sector on the disk."
• 1987: Lehigh virus
– the first memory-resident file infector; it attacked executable files and took control when a file was opened
• The Jerusalem virus
– had bugs that re-infected programs that were already infected
Computer Virus History
• 1988: Robert Morris made a worm that invaded ARPANET computers
– disabled 6,000 computers on the network by overflowing their memory banks with copies of itself
• 1991: Norton Anti-Virus software
• 1999: "Melissa" virus
– infected thousands of computers very fast by sending copies of itself to 50 names in the Outlook e-mail address book
– led to an estimated $80 million in damage and record sales of anti-virus products
• 2000: "I Love You" virus
– was sent by e-mail and infected 10% of computers in only one day
– created by a young Filipino computer student who was not punished because the Philippines then had no laws against hacking, which led to the European Union's global Cybercrime Treaty
• 2001: "Nimda" virus
– had 5 ways of infecting systems
Computer Virus History
• 2004:
– MyDoom spreads through e-mails and file-sharing software faster than any previous virus or worm. It allows hackers to access the hard drive of the infected computer.
– An estimated one million computers running Windows are affected by the fast-spreading Sasser computer worm. The worm does not cause irreparable harm to computers or data, but it does slow computers and cause some to quit or reboot without explanation.
• 2006:
– Discovery of the first-ever malware Trojan horse for Mac OS X
• 2008:
– Torpig is a Trojan horse which affects Windows, turning off anti-virus applications. It allows others to access the computer, modifies data, steals confidential information and installs malware on the victim's computer.
• 2009:
– Conficker infects anywhere from 9 to 15 million Microsoft server systems. The French air force, Royal Navy warships and submarines, the Sheffield Hospital network, the UK Ministry of Defence, the German Bundeswehr and the Norwegian Police were all affected.
Total Number of Viruses by Year
Year   Viruses
1985   2
1987   3
1989   6
1990   142
1991   357
1992   1,161
1993   2,482
1994   3,687
1995   5,626
1996   7,764
1997   11,037
1998   16,726
1999   40,850
2000   44,000
2001   48,000
2002   55,000
2003   62,000
Difference between Virus and Worm
The difference between a worm and a virus is that a virus does not have a propagation vector, i.e., it will only affect one host and does not propagate to other hosts. Worms propagate and infect other computers. The majority of threats are actually worms that propagate to other hosts.
Types of Computer Virus
• Time Bomb
• Logical Bomb
• Worm
• Boot Sector Virus
• Macros Virus
• Script Virus
• Trojan Virus
Time Bomb
• Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met.
• A time bomb is a virus program that performs an activity on a particular date.
Logical Bomb
• A logical bomb is a destructive program that performs an activity when a certain action has occurred.
• Put another way, a logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.
• For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.
Worm Virus
• A worm is also a destructive program that fills a computer
system with self-replicating information, clogging the system so
that its operations are slowed down or stopped.
• A computer worm is a standalone malware computer program
that replicates itself in order to spread to other computers.
Often, it uses a computer network to spread itself, relying on
security failures on the target computer to access it.
Boot Sector Virus
• A boot sector virus infects the boot sector of a computer. During system boot, the boot sector virus is loaded into main memory and destroys data stored on the hard disk.
• Boot-sector viruses infect computer systems by copying code either to the boot sector on a floppy disk or to the partition table on a hard disk. During startup, the virus is loaded into memory. Once in memory, the virus will infect any non-infected disks accessed by the system.
Macros Virus
• A macro virus is a virus that is written in a macro language: a programming language which is embedded inside a software application (e.g., word processors and spreadsheet applications).
• A macro virus is a computer virus that "infects" a Microsoft Word or similar application and causes a sequence of actions to be performed automatically when the application is started or something else triggers it. Once triggered, the macro virus is loaded into main memory and destroys the data stored on the hard disk.
Script Virus
• Commonly found script viruses are written using the Visual Basic Scripting Edition (VBS) and JavaScript programming languages.
• A script virus usually comes from web page advertisements and is therefore widespread.
Trojan Virus
• A Trojan horse is a destructive program. It usually masquerades as a computer game or application software. If executed, the computer system will be damaged.
• A Trojan horse usually comes with monitoring tools and key loggers.
• Its actions can include:
– Deleting data
– Blocking data
– Modifying data
– Copying data
Virus Affecting Turing Machines
• Cohen uses a Turing machine model where each virus in a viral set produces an element of the set on some part of the TM tape outside of the original virus specification.
• Formally, a viral set is a pair (M, V) where M is a TM and V is a set of viruses written as strings in the tape alphabet of M: when M (in its start state) reads some v ∈ V, it writes a string v′ ∈ V somewhere else on its tape.
Virus Affecting Turing Machines
The notion of viral infection is associated with the following attributes:
• A Trojan component, since an infected program behaves in an unwanted manner under some conditions;
• A dormancy component, as the infection may conceal itself;
• An infective component, since infected programs are destined to infect other programs.
Virus Affecting Turing Machines
Cohen's undecidability results show that:
• There is no algorithm that can detect all viruses: some uninfected files may be detected as infected (false positives), or no answer may be returned.
• There is no algorithm (TM) that can decide if one virus evolves into another.
• Other results include that there are viruses for which no error-free detection algorithm exists (undetectable computer viruses).
Virus Detection
• Given a known computer virus V, consider the problem of detecting an infection by V.
• The most straightforward approach to solving this problem is just to scan incoming messages for <V>, the text of V.
• But a virus can easily evade this technique by altering its text in ways that have no effect on the computation that V performs.
• For example, source code could be modified to add blanks in meaningless places or to add leading 0's to numbers.
Virus Detection
• Executable code could be modified by adding jump instructions to the next instruction.
• So the practical virus detection problem can be stated as: "Given a known virus V and an input message M, does M contain the text of a program that computes the same thing V computes?"
• We know the equivalence question is undecidable for Turing machines; from this it follows that the equivalence question for arbitrary programs is also undecidable.
Virus Detection
• So, we can't solve the virus problem by making a list of known viruses and comparing new code to them.
• Suppose that, instead of making a list of forbidden operations, we allowed users to define a "white list" of the operations that are allowed to run on their machines.
• Then the job of a virus filter is to compare incoming code to the operations on the white list.
• Any code that is equivalent to some allowed operation can be declared safe. But now we have EXACTLY THE SAME PROBLEM: no test for equivalence exists.
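As an added example (not part of the original slides), the Python below shows in code what the three Virus Detection slides argue: a scanner that looks for the literal text <V> misses a copy of V with extra blanks and leading zeros; a scanner that first normalizes both texts catches those two rewrites, but still misses a program that computes the same thing with different text, and no normalizer can close that gap because program equivalence is undecidable. The "virus text" KNOWN_V is a constructed, harmless two-line program used only as a string to match against; the normalization rules are an assumption chosen to mirror the slide's two examples.

```python
import re

# Constructed stand-in for <V>, the text of a known program V. It is a harmless
# toy program used only as a string to match against; nothing here executes it.
KNOWN_V = "x = 7\nprint(x)\n"

# Constructed variants of <V> that an incoming message might carry instead.
VARIANT_BLANKS = "x   =\t 007\n\nprint( x )\n"   # same computation, blanks and leading zeros added
VARIANT_REWRITE = "x = 3 + 4\nprint(x)\n"         # same computation, genuinely different program


def exact_match(message: str, signature: str = KNOWN_V) -> bool:
    """Naive scanner from the slide: flag a message only if it contains <V> verbatim."""
    return signature in message


def normalize(text: str) -> str:
    """Canonical form that erases the two rewrites named on the slide:
    leading zeros on numbers and blanks in meaningless places."""
    # 007 -> 7 (a word boundary keeps the 0 in "10" untouched)
    text = re.sub(r"\b0+(\d)", r"\1", text)
    # drop every space and tab; newlines stay as statement separators
    text = re.sub(r"[ \t]+", "", text)
    # drop empty lines left behind
    return "\n".join(line for line in text.split("\n") if line)


def normalized_match(message: str, signature: str = KNOWN_V) -> bool:
    """Scanner that compares canonical forms instead of raw text."""
    return normalize(signature) in normalize(message)


def demo() -> dict:
    """Run both scanners over the constructed variants and report what each catches."""
    return {
        "exact_on_original": exact_match(KNOWN_V),             # True: verbatim copy
        "exact_on_blanks": exact_match(VARIANT_BLANKS),         # False: trivial rewrite evades it
        "normalized_on_blanks": normalized_match(VARIANT_BLANKS),   # True: canonical forms agree
        # False: equivalent program, different text. No normalizer fixes this in general,
        # because deciding "computes the same thing" is the undecidable equivalence problem.
        "normalized_on_rewrite": normalized_match(VARIANT_REWRITE),
    }


if __name__ == "__main__":
    for name, caught in demo().items():
        print(f"{name}: {'caught' if caught else 'missed'}")
```

The last entry of `demo()` is the slide's point: every concrete normalizer only handles the rewrites its author thought of, which is why signature scanning stays a heuristic rather than a decision procedure.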
Overview
• Introduction
• Viruses
• Hackers
• Protecting
• Conclusion
Definition
• Hacking is a technical effort to manipulate the normal behavior of network connections and connected systems.
• Originally, "hacking" referred to constructive, clever technical work that was not necessarily related to computer systems.
• Hackers are most commonly associated with malicious programming attacks on the Internet and other networks.
Types of Hackers
• White hat
– Breaks security for non-malicious reasons, perhaps to test their own security system or while working for a security company which makes security software.
• Black hat
– A black hat hacker violates computer security for little reason beyond maliciousness or for personal gain. Black hat hackers break into secure networks to destroy data or make the network unusable for those who are authorized to use it.
Types of Hackers (Cont.)
• Grey hat
– A grey hat hacker is a combination of a black hat and a white hat hacker. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect.
– e.g., they may then offer to correct the defect for a fee
• Script Kiddie
– A script kiddie is someone who sets out to exploit a vulnerability without so much as trying to gain administrative or root access to the system
Types of Hackers (Cont.)
• Underemployed Adult Hackers
– Former script kiddies
• Can't get employment in the field
• Want recognition in the hacker community
• Big in Eastern European countries
• Ideological Hackers
– Hack as a mechanism to promote some political or ideological purpose
– Usually coincide with political events
Types of Hackers (Cont.)
• Crackers
– Are the people aiming to create software tools that make it possible to attack computer systems or crack the copy protection of use-fee software. A crack is therefore an executable program created to modify the original software so as to remove its protection.
• Carders
– Mainly attack chip card systems (particularly bank cards) to understand how they work and to exploit their flaws. The term carding refers to chip card piracy.
Hackers Access Your Internet
• In 1988 a "worm program" written by a college student shut down about 10 percent of computers connected to the Internet. This was the beginning of the era of cyber attacks.
• Today we have about 10,000 reported incidents of cyber attacks, and the number grows.
Hackers Access Your Internet (Cont.)
Once inside, hackers can...
• Modify logs
– To cover their tracks
– To mess with you
• Steal files
– Sometimes destroy after stealing
– A pro would steal and cover their tracks so as to be undetected
• Modify files
– To let you know they were there
– To cause mischief
• Install back doors
– So they can get in again
• Attack other systems
Common Attacks
Spoofing
Definition
An attacker alters his identity so that someone thinks he is someone else
– Email, User ID, IP Address, …
– Attacker exploits the trust relation between user and networked machines to gain access to machines
Types of Spoofing:
1. IP Spoofing
2. Email Spoofing
3. Web Spoofing
Spoofing: IP Spoofing
Definition
Attacker uses the IP address of another computer to acquire information or gain access
How it works
1. Attacker changes his own IP address to the spoofed address
2. Attacker can send messages to a machine masquerading as the spoofed machine
3. Attacker cannot receive messages from that machine
IP Spoofing: Source Routing
Definition
Attacker spoofs the address of another machine and inserts itself between the attacked machine and the spoofed machine to intercept replies
- The path a packet takes may change over time
- To ensure that he stays in the loop, the attacker uses source routing to ensure that the packet passes through certain nodes on the network
Spoofing: Email Spoofing
Definition
Attacker sends messages masquerading as someone else
What can be the repercussions?
Types of Email Spoofing:
1. Create an account with a similar email address
– [email protected]: A message from this account can perplex the students
2. Modify a mail client
– Attacker can put in any return address he wants in the mail he sends
3. Telnet to port 25
– Most mail servers use port 25 for SMTP. Attacker logs on to this port and composes a message for the user
Spoofing: Web Spoofing
• Basic
– Attacker registers a web address matching an entity, e.g. votebush.com, geproducts.com, gesucks.com
• Man-in-the-Middle Attack
– Attacker acts as a proxy between the web server and the client
– Attacker has to compromise the router or a node through which the relevant traffic flows
Spoofing: Web Spoofing (Cont.)
• URL Rewriting
– Attacker redirects web traffic to another site that is controlled by the attacker
– Attacker writes his own web site address before the legitimate link
• Tracking State
– When a user logs on to a site, a persistent authentication is maintained
– This authentication can be stolen for masquerading as the user
Denial of Service (DOS)
Definition
Attack through which a person can render a system unusable or significantly slow down the system for legitimate users by overloading the system so that no one else can use it.
Types:
1. Crashing the system or network
– Send the victim data or packets which will cause the system to crash or reboot.
2. Exhausting the resources by flooding the system or network with information
– Since all resources are exhausted, others are denied access to the resources
3. Distributed DOS attacks are coordinated denial of service attacks involving several people and/or machines to launch attacks
Password Attacks
• A hacker can exploit weak passwords & uncontrolled network modems easily
• Steps
– Hacker gets the phone number of a company
– Hacker runs a war dialer program
• If the original number is 555-5532 he runs all numbers in the 555-55xx range
• When a modem answers he records the phone number of the modem
– Hacker now needs a user id and password to enter the company network
• Companies often have default accounts, e.g. temp, anonymous, with no password
• Often the root account uses the company name as the password
• For strong passwords, password cracking techniques exist
Password Security
[Diagram: Client computes Hash Function(Password, Salt) → Hashed Password; Server compares it with the Stored Password → Allow/Deny Access]
• Password hashed and stored
– Salt added to randomize the password & stored on the system
• Password attacks launched to crack the encrypted password
http://www.albany.edu/~goel/classes/spring2004/msi604/resources.shtml
Password Attacks - Process
• Find a valid user ID
• Create a list of possible passwords
• Rank the passwords from high probability to low
• Type in each password
• If the system allows you in – success!
• If not, try again, being careful not to exceed the password lockout (the number of times you can guess a wrong password before the system shuts down and won't let you try any more)
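The diagram on the Password Security slide and the lockout mentioned in the last step above are shown together in the added Python example below (it is not code from the slides or from the linked course page). It implements the server side: a random salt per user, a salted and iterated hash stored instead of the password, a constant-time comparison on login, and a failure counter that locks the account after LOCKOUT_THRESHOLD wrong guesses. PasswordStore, ITERATIONS and LOCKOUT_THRESHOLD are names and values chosen for this example; the usernames and passwords in it are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000     # PBKDF2 work factor (assumed value, not from the slides)
LOCKOUT_THRESHOLD = 5    # wrong guesses allowed before the account locks (assumed value)
SALT_BYTES = 16


def salted_hash(password: str, salt: bytes) -> bytes:
    """The 'Hash Function' box of the diagram: password + salt -> hashed password.
    The salt makes equal passwords hash differently, so a precomputed table of
    hashes is useless; the iteration count slows down every guess an attacker makes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Server side: keeps salt + hash per user (never the password) and a lockout counter."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(SALT_BYTES)   # fresh random salt for every user
        self._users[username] = {
            "salt": salt,
            "hash": salted_hash(password, salt),   # 'Stored Password' in the diagram
            "failures": 0,
            "locked": False,
        }

    def stored_hash(self, username: str) -> bytes:
        return self._users[username]["hash"]

    def is_locked(self, username: str) -> bool:
        return self._users[username]["locked"]

    def verify(self, username: str, password: str) -> str:
        """The 'Compare' box: returns 'allow', 'deny' or 'locked'."""
        rec = self._users.get(username)
        if rec is None:
            # Unknown user: still compute one hash so the response time does not
            # reveal which user IDs exist (step 1 of the attack process is "find a valid user ID")
            salted_hash(password, b"\x00" * SALT_BYTES)
            return "deny"
        if rec["locked"]:
            return "locked"
        candidate = salted_hash(password, rec["salt"])
        # constant-time comparison: no early exit on the first differing byte
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "allow"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True     # the lockout the attack-process slide warns about
            return "locked"
        return "deny"


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery")   # constructed credentials
    print(store.verify("alice", "correct horse battery"))   # allow
    print(store.verify("alice", "guess"))                   # deny
```

Because the salt is random per user, two users who pick the same password get different stored hashes, which is what defeats the precomputed-table shortcut; the lockout counter is what turns the online guessing loop on the previous slide into a bounded number of attempts.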
Password Attacks - Types
• Dictionary Attack
– Hacker tries all words in a dictionary to crack the password
– 70% of people use dictionary words as passwords
• Brute Force Attack
– Try all permutations of the letters & symbols in the alphabet
• Hybrid Attack
– Words from the dictionary and their variations are used in the attack
• Social Engineering
– People write passwords in different places
– People disclose passwords naively to others
• Shoulder Surfing
– Hackers slyly watch over people's shoulders to steal passwords
• Dumpster Diving
– People dump their trash papers in the garbage, which may contain information to crack passwords
Why do Hackers Attack?
• Financial gain
• Espionage
• Venting anger at a company or organization
• Terrorism
• Because they can!
Ethical Hacking
• Independent computer security professionals breaking into computer systems.
• They neither damage the target systems nor steal information.
• They evaluate the target systems' security and report back to the owners about the vulnerabilities found.
Ethical Hackers: not Criminal Hackers
• Completely trustworthy.
• Strong programming and computer networking skills.
• Learn about the system and try to find its weaknesses.
• Techniques of criminal hackers: detection and prevention.
• Published research papers or released security software.
• No ex-hackers.
Overview
• Introduction
• Viruses
• Hackers
• Protecting
• Conclusion
Security Strategies
Firewall
– allows normal Web browser operations but prevents other
types of communication
– checks incoming data against a list of known sources
– data rejected if it does not fit a preset profile
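As an added illustration (not from the slides), the Python below is a minimal packet-filter policy of the kind the Firewall slide describes: an ordered list of rules forms the "preset profile", the first matching rule decides, and anything that matches no rule is rejected (default deny). The Rule class, the rules in POLICY, and the addresses (taken from the RFC 5737 documentation ranges) are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst_port: Optional[int]  # destination port, None = any port
    proto: str = "tcp"


# Constructed "preset profile" (assumed policy, not from the slides).
# Order matters: the first rule that matches a connection decides its fate.
POLICY: List[Rule] = [
    Rule("deny", "203.0.113.0/24", None),    # a known-bad source, blocked on every port
    Rule("allow", "0.0.0.0/0", 80),          # normal Web browsing from anywhere ...
    Rule("allow", "0.0.0.0/0", 443),         # ... including HTTPS
    Rule("allow", "192.0.2.0/24", 22),       # SSH only from the admin subnet
]


def matches(rule: Rule, src_ip: str, dst_port: int, proto: str) -> bool:
    """Does one rule apply to this connection attempt?"""
    if rule.proto != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port


def decide(src_ip: str, dst_port: int, proto: str = "tcp",
           policy: List[Rule] = POLICY) -> str:
    """Return the action for one incoming connection attempt."""
    for rule in policy:
        if matches(rule, src_ip, dst_port, proto):
            return rule.action
    return "deny"   # nothing in the profile fits: reject (default deny)


def filter_log(entries: List[Tuple[str, int, str]],
               policy: List[Rule] = POLICY) -> List[Tuple[str, int, str]]:
    """Apply the policy to a batch of (src_ip, dst_port, proto) records."""
    return [(ip, port, decide(ip, port, proto, policy)) for ip, port, proto in entries]


if __name__ == "__main__":
    # Constructed sample traffic
    sample = [("198.51.100.7", 80, "tcp"), ("198.51.100.7", 22, "tcp"),
              ("192.0.2.5", 22, "tcp"), ("203.0.113.9", 443, "tcp")]
    for ip, port, action in filter_log(sample):
        print(f"{ip}:{port} -> {action}")
```

The deny rule for the bad source sits first on purpose: if it came after the two "allow from anywhere" rules, Web traffic from that network would be admitted before the block was ever consulted, which is the usual way an allow-list firewall is misconfigured.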
Security Strategies (Cont.)
Network Sniffer
– displays network traffic data
– shows which resources employees use and Web sites they visit
– can be used to troubleshoot network connections and improve
system performance
Security Strategies (Cont.)
Antivirus Software
– detects and deletes known viruses
– the Internet allows antivirus software to update itself to detect newer viruses
– Some popular anti-virus programs:
• McAfee
• Norton Utilities
• Inoculan
• F-Secure
• Internet Guard Dog
• PC-cillin
Security Strategies (Cont.)
Data Backups
Organizations protect critical files by
– keeping a copy of programs and data in a safe place
– keeping more than one backup of important databases and updating them on a set schedule
Security Strategies (Cont.)
Disaster Recovery Plan
A safety system that allows a company to restore its systems after a complete loss of data; elements include:
– data backup procedures
– remotely located backup copies
– redundant systems with a mirrored hard drive that contains the same data as the original hard drive and is updated automatically when the original drive is updated
Security Strategies (Cont.)
Monitoring and Auditing
Employees’ online and offline activities can be monitored at
work by:
– keyboard loggers store keystrokes on hard drive
– Internet traffic trackers record Web sites visited
– webcams provide video surveillance
– auditing reviews monitored data and system logins
for unauthorized access
Security Strategies (Cont.)
Authentication
Proof of identity of a user and of authority to access data; identity
can be confirmed by:
– personal identification numbers (PINs)
– user IDs and passwords
– smart cards
– biometrics
Authentication
© 2011 Pearson Education, Inc. Publishing as Prentice Hall
Password Authentication
• Reusable Passwords
– Strings of characters typed to authenticate the use of a
username (account) on a computer.
– They are used repeatedly and so are called reusable
passwords.
• Benefits
– Ease of use for users (familiar)
– Inexpensive because built into operating systems
Password Authentication
• Often Weak (Easy to Crack)
– Word and name passwords are common.
• spot, mud, helicopter, veterinarian
– They can be cracked quickly with dictionary attacks.
– Word and name passwords are never adequately strong,
regardless of how long they are.
Password Authentication
• Hybrid Dictionary Attacks
– Look for common variations of names and words.
• Capitalizing only the first letter
• Ending with a single digit
• And so on
– Passwords that can be cracked with hybrid dictionary
attacks are never adequately strong, regardless of how
long they are.
Password Authentication
• Passwords Should Be Complex
– Should mix case, digits, and other keyboard characters
($, #, etc.).
– Complex passwords can be cracked only with brute force
attacks (trying all possibilities).
• Passwords Also Should Be Long
– Should have a minimum of eight characters.
– Each added character increases the brute force search
time by a factor of about 70.
Password Authentication
• For each password, how would it be cracked, and is it acceptably strong?
– Mississippi
– 4$5aB
– 34d8%^tdy
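To make the cracking categories on these slides concrete, the added Python below (not from the slides or the Pearson material) classifies a password the way the slides do: a dictionary word falls to a dictionary attack, a dictionary word with changed case or a trailing digit falls to a hybrid attack, and anything else only to brute force, whose search space is charset^length. DICTIONARY is a constructed six-word stand-in for a real word list, the symbol count of 32 and the guess rate are assumptions, and "strong" encodes the slides' two rules (at least eight characters, mixing cases, digits and other characters). It goes slightly beyond the slide by computing the keyspace and the per-character growth factor for any password, not only the three listed above.

```python
# Constructed stand-in for a cracker's word list (a real one has millions of entries).
DICTIONARY = {"mississippi", "spot", "mud", "helicopter", "veterinarian", "password"}

SYMBOLS = 32                    # assumed count of "other keyboard characters" ($, #, ...)
GUESSES_PER_SECOND = 1_000_000  # assumed attacker speed, for illustration only


def hybrid_base(pw: str) -> str:
    """Undo the variations a hybrid attack tries: case changes and a trailing digit."""
    return pw.lower().rstrip("0123456789")


def classify(pw: str) -> str:
    """Which attack from the slides would recover this password first."""
    if pw.lower() in DICTIONARY:
        return "dictionary"
    if hybrid_base(pw) in DICTIONARY:
        return "hybrid"
    return "brute-force"


def alphabet_size(pw: str) -> int:
    """Size of the character set a brute-force attacker must search for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_keyspace(pw: str) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    return alphabet_size(pw) ** len(pw)


def growth_factor(pw: str) -> int:
    """How much one extra character multiplies the search (the slide quotes about 70)."""
    return alphabet_size(pw)


def is_complex(pw: str) -> bool:
    """Slide rule: mixes case, digits and other keyboard characters."""
    return alphabet_size(pw) == 26 + 26 + 10 + SYMBOLS


def assess(pw: str) -> dict:
    method = classify(pw)
    keyspace = brute_force_keyspace(pw)
    return {
        "method": method,
        "alphabet": alphabet_size(pw),
        "keyspace": keyspace,
        "seconds_to_exhaust": keyspace / GUESSES_PER_SECOND,
        # strong only if no shortcut attack exists AND the slides' length and complexity rules hold
        "strong": method == "brute-force" and len(pw) >= 8 and is_complex(pw),
    }


if __name__ == "__main__":
    for candidate in ("Helicopter", "Helicopter1", "x9$Qz", "Tr0ub4dor&3"):   # constructed samples
        print(candidate, assess(candidate))
```

Note that a long dictionary word still comes out "dictionary" with `strong` false: the keyspace number is irrelevant when a shortcut attack exists, which is the slides' point that word and name passwords are never adequately strong regardless of length.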
Password Authentication
• Other Concerns
– If people are forced to use long and complex passwords,
they tend to write them down.
– People should use different passwords for different sites.
• Otherwise, a compromised password will give access
to multiple sites.
– Overall, reusable passwords are too vulnerable
to be used for high security today.
Access Control
• Controlling Access to Resources
– If criminals cannot get access,
they cannot do harm.
• Authentication
– Proving one’s identity
– Cannot see the other party
Helpful Hints to Avoid Viruses
• Obtain software only from trusted sources.
• Use a safe Web browser and e-mail client.
• Scan all newly-obtained disks, programs, and files.
Actions to prevent virus infection
• Always update your anti-virus software at least
weekly.
• Back up your important files and ensure that they can
be restored.
• Change the computer's boot sequence to always start the PC from its hard drive.
Actions to prevent virus infection
• Don't share Drive C: without a password and without
read-only restrictions.
• Empty floppy drives of diskettes before turning on
computers, especially laptops.
Actions to prevent virus infection
• Forget opening unexpected e-mail attachments, even if
they're from friends
• Get trained on your computer's anti-virus software and
use it.
• Have multiple backups of important files. This lowers
the chance that all are infected.
Actions to prevent virus infection
• Install security updates for your operating system and
programs as soon as possible.
• Jump at the chance to learn more about your computer.
This will help you spot viruses.
Overview
• Introduction
• Viruses
• Hackers
• Protecting
• Conclusion
Conclusions
• Computer security is a continuous battle
– As computer security gets tighter, hackers are getting smarter
Questions
• List and define the goals of computer security.
• List and explain the three types of active threats.
• Explain the difference between a virus and a worm.
• List and define the four types of web spoofing.
• Define disaster recovery plan and list its elements.
The End
Any Questions?