Computer Security and Cryptography
Content
Computer Security and Cryptography
Partha Dasgupta, Arizona State University
Not just hype + paranoia
Internet hosts are under constant attack Financial losses are mounting Miscreants are getting smarter
(and so are consumers)
“National Security” risks were stated and then underplayed Data loss threatens normal users, corporations, financial institutions, government and more Questions:
HOW? WHY? and What can we do?
2
Overview
Part 1: Security Basics Part 2: Attacks and Countermeasures Part 3: Cryptography Part 4: Network Security Part 5: System Security
3
Part 1: Security Basics
Computer and Network Security basics Hacking Attacks and Risks Countermeasures Secrets and Authentication Paranoia
4
Computer and Network Security
Keep computers safe from program execution that is not authorized Keep data storage free from corruption Keep data storage free from leaks Keep data transmissions on the network private and untampered with Ensure the authenticity of the transactions (or executions) Ensure that the identification of the human, computer, resources are established
With a high degree of confidence Do not get stolen, misused or misrepresented
5
Hacking or Cracking
Plain old crime Phone Phreaking Credit cards, the old fashioned way Technology Hacks
Design deficiencies and other vulnerabilite ATM, Coke Machines, Credit Cards, Social Engineering Software hacks Second channel attacks RFID issues Cell phone vulnerabilities Grocery cards?
6
Attacks and Risks
“Attacks”
An attack is a method that compromises one or more of: - privacy (or confidentiality) - data integrity - execution integrity
Attacks can originate in many ways
System based attacks Network based attacks “Unintended Consequences”
Risk – a successful attack leads to “compromise”
Data can be stolen, changed or “spoofed” Computer can be used for unauthorized purposes Identity can be stolen RISK can be financial
7
Attack Types
System based attacks
Virus, Trojan, rootkit Adware, spyware, sniffers
A program has potentially infinite power
Can execute, spawn, update, communicate Can mimic a human being Can invade the operating system
Network based attacks
Eavesdropping Packet modifications, packet replay Denial of Service
Network attacks can lead to data loss and system attacks
8
Countermeasures
System Integrity Checks
Virus detectors Intrusion detection systems Software signatures
Network Integrity checks
Encryption Signatures and digital certificates Firewalls Packet integrity, hashes and other cryptographic protocols
Bottom Line:
We have an arsenal for much of the network attacks System security is still not well solved
9
What is at Risk?
Financial Infrastructure Communication Infrastructure Corporate Infrastructure Confidentiality and Privacy at many levels Economy Personal Safety
10
The Shared Secret Fiasco
Our authentication systems (personal, financial, computing, communications) are all based on “shared secrets”
ID numbers, Account numbers, passwords, SS#, DOB
• The Fake ATM attack • The check attack • The extortion attack
When secrets are shared, they are not secrets
They will leak!
Given the ability of computers to disseminate information, all shared secret schemes are at extreme risk
Media reports of stolen data is rampant
11
How do secrets leak?
Malicious reasons Simple mistakes Oversight Bad human trust management Bad computer trust management “Nothing can go wrong”
Please believe in Murphy!
12
Keeping Secrets?
Simple answer, not possible. Encryption is good, but data has to be unencrypted somewhere “Disappearing Ink”? Use paper based documents, not scanned. Public Key Encryption has much promise (PKI systems) Shared secrets need to be eliminated as much as possible Separate out of band communications
Phone, postal mail, person-to-person
13
Authentication
Shared secrets are used for authentication
Username/passwords
Multi-factor authentication
What you know What you have What you are, what you can do.
Most of the authentication methods are quite broken
Designed when networking was not around PKI systems are better, but not deployed Too many false solutions (dangerous, gives a feeling of security)
14
Passwords
The password is known to the host and the client
Under some password schemes the host does not know the password (e.g. Unix)
Passwords can leak from host or from client Same password is used for multiple sites Password managers are not too effective “Good passwords” are not as good as you think Invented for a completely different purpose, using passwords on the web, even with SSL encryption, is a bad idea
15
False Solutions
Biometrics
A digital bit string, or password that cannot be changed Plenty of attacks possible, including framing
RFID identification
Plenty of attacks possible
Multi-Factor authentication
Better, but still not good
Smart cards (the not-so-smart ones)
Again, based on shared secrets, have attacks and limitations
16
Paranoia?
A large number of computers (consumer, business) are compromised or used for fraud
Viral infections, zombies Many web servers are for fraudulent reasons
Spam is an indicator
Unprecedented lying, cheating
Adware, popups, spyware
All attempting to mislead, steer, and victimize
Identity theft, financial theft, cheating
Probably at an all time high
Security Awareness is often coupled with paranoia
It is necessary to be paranoid!
17
What is the point of an attack?
Get your shared secrets for financial gain
Personal Corporate Financial System Identification
Espionage Disruption
18
Computer Security
Software needs to be verifiably untampered and trusted Networks need to be free from tampering/sniffing Data has to be secure from stealing and tampering End user protection A coalescing of software, hardware and cryptography along with human intervention and multi-band communication.
19
Part 2: Attacks and Countermeasures
Vulnerabilities System Attacks
Virus, Trojan, Worm Buffer overflow Rootkit Zombies Web based attacks Eavesdropping Man-in-the-middle Denial of service Authentication attacks Pharming, RATS
Network Attacks
Social Engineering Attacks
20
The Attackers
Script kiddies Hackers Would-be hackers Crackers Industrial espionage Elite Blackhat
A whitehat attacks too, but for the purpose of securing systems
21
Vulnerabilities
Vulnerabilities are weak spots
Hard to spot, hard to predict
Can exist in any complex system Human vulnerabilities:
Greed, friendship, attraction, guilt….. much more
System Infrastructure Vulnerabilities
“process has holes”, “laws have loopholes”
Software Vulnerabilities
Bad code, bad design, unforeseen problems
Hardware Vulnerabilities
Failures, faulty design
22
Vulnerability Origins
Too many to reason about “Bad design” Use of shared secrets Human’s do not comprehend large systems
Permutation is not what we do best
A set of ways to do things + some thinking on the part of a miscreant…..
The Windows Vista Audio Attack
23
Examples
Coke machine hack
http://youtube.com/watch?v=TBgHH8ZmB_s
ATM hack
The video disappeared “security via obscurity”
SQL Injection
http://youtube.com/watch?v=MJNJjh4jORY
WiFi range extender?
http://youtube.com/watch?v=LY8Wi7XRXCA
24
More Problems
Lack of transparency to humans
Windows registry
Feature Creep Lack of adequate “Idiot Proofing”
Counterintuitive?
Ease of use is paramount
Now we know, but its too late.
Lack of end-user understanding of vulnerable operations and situations
25
Malware
“Malware” is just one problem, but a major problem How does it work? How does it get there? What can it do? The OS is supposed to prevent such external attacks
Does not work Not in our lifetimes, will these problems get fixed
26
Virus-Trojans-Worms
“Malware” – software that causes harm
All software is capable of causing harm
Can perform any computations on a computer Can reproduce BUT: How did it get to the host machine Easy Methods:
Social engineering Trojans
Harder methods
Vulnerability exploits Buffer overflows
27
The Ultimate Trojan
“Reflections on Trusting Trust” -- Ken Thompson, Turing
Award Lecture 1984
How to break into Unix? Write custom “login” program Write custom compiler Write even more custom compiler Now the goose is cooked A trojan that lives forever and can never be disabled?
28
Nothing can be trusted
From login programs to compilers to bootstraps – maybe extending to microcode
“The moral is obvious. You can't trust code that you did not totally create yourself…. “No amount of source-level verification or scrutiny will protect you from using untrusted code….. “A well installed microcode bug will be almost impossible to detect….
– KEN THOMPSON
Since 1984, we know “Software cannot be trusted”.
Yet we do!
29
Trusted Software
We have to trust software
No choice
We have to acquire software from “reliable sources”
Insider attacks happen
We have to check the software regularly
Virus detectors are not the answer
All software have “vulnerabilities”
Operating systems, applications, servers, compilers and so on
Vulnerabilities can be exploited by attackers
“Buffer overflow” is the major attack, there are many more
30
Buffer Overflow
Reading input data causes overwriting of some data already on the system
Stack smashing Heap smashing Data changing Calling existing routines with different parameters
Can be installed form network communications or from a data file Result: Easy to install viruses without intervention from the user.
31
Details of Buffer Overflow
foo() Int a[3]; { read n; i = 0; do n times read(a[i]); i++; }
a[0] a[1]
a[2]
Return address
32
What is vulnerable to Buffer Overflow?
Network connections Structured files User inputs Scripts
All software contain vulnerabilities (just have not been discovered yet)
33
After a Buffer Overflow…
Goal is too install a virus Buffer overflow allows:
1. an attacker to introduce malicious code into a process
OR
2. An attacked to call an existing routine in the application process, with doctored arguments
It is a powerful technique to start the compromise a computer process
34
Rootkits, the Grand Finale
Buffer overflows, open the door, the real deal is the “rootkit”. Operating system patch Hides all evidence of the compromise Impossible to detect from within the system
Need external detectors
Can be designed to be very difficult, if not impossible to clean up Reinstall is the only sure way to stop a rootkit
35
What can rootkits do?
Run any software as “root” or administrator Update itself as well as implant newer attacks later “Very Stealthy” Install keyboard sniffers Access any data stored on the computer
If the data is encrypted, the rootkit can find where the key is located
36
Zombies
A virus A process that listens to commands from “home” Can download another programs Can start attacks on other systems Can do spamming without being easily detected Advantage: Upgradeable, reprogrammable!
37
Sniffers
Record keystrokes typed by a user Can see all data entered by a user, including secret data
Passwords, credit card numbers, personal information Can see data that is encrypted (as it can access it before encryption, or after decryption)
Would you use a computer that does not belong you?
38
Web Attacks
A variance of the buffer overflow and virus attack Use web software to attack a browser Utilize vulnerabilities in a browser
Java script vulnerabilities Active X vulnerabilities Install “browser helper objects” Can be hidden in web popups
Often used to install
Adware Spyware
Web-beacons
Single pixel images, that detect a user reading a web page (or email, or any HTML content)
39
Cross Site Scripting
Fun with Javascript and browsers and servers Type 0
Run a script on the users machine when visiting a malicious site. The local script has higher privileges
Type 1
Inject a client side script into a server. A crafted URL followed while logged into a good site can make the good site do what the attacker wants
Type 2
A message board contains crafter URLs that can send cookies to the attacker
Many attacks, including the recent gmail attack were done via XSS
40
Gmail Attack
[from a blog] Haochi Chen discovered what looks like a Gmail XSS (cross-site scripting) security problem. Using a small piece of JavaScript you can put on any server, the user’s contact names & email addresses are revealed (provided you’re logged in to your Google account). I was able to reproduce this using Firefox, and an updated version of the original snippet. With Haochi’s code, a malicious website would be able to grab your contact list and transmit it to their server behind the scenes, storing this data for other purposes – like spamming, or finding out more about you. If you’re worried about this Google vulnerability, the best thing until it’s fixed is to only visit sites you know and trust, or to turn off your browser’s JavaScript, or to log out of Gmail.
41
Password Attacks
Find password by brute force, or by guessing, or by dictionary attacks Hardy ever used any more, even simple passwords are hard to crack!
So many easier ways, why bother!
Phishing is hard? Phishing is easy?
Sniffing too
42
Network Eavesdropping
Ethernet and broadcast networks
“promiscuous mode” Get every packet Password sniffing MAC sniffing WEP cracking
Network eavesdropping can lead to loss of privacy is data is being sent un-encrypted
Not a common attack
43
Man in the Middle
Insert a malicious relay between sender and receiver of a network connection Change data packets, or replay them
Need to sniff and then inject Or need to establish to connections (redirect traffic)
Causes confusion Gain information, use authentication surreptitiously Not effective against modern cryptographic protocols (encryption and digital signatures)
44
Denial of Service
Flood the network with fake traffic Overwhelm servers with large numbers of queries Distributed DoS uses Zombies
Very difficult to contain
Attacking the network stack
Use malformed packets to cause TCP-IP software to block/crash
Does not cause any loss of privacy, or system compromises
45
Authentication Attacks
Steal authentication information
Phishing is the most common method Man in the middle, eavesdropping can do it too
Steal keys and other shared secrets
Physical theft Viruses Brute force (for bad cryptographic algorithms)
46
Pharming
Corrupt a DNS server
Man in the middle System attack
A host translates a DNS name to a attackers IP address
E.g. “mybank.com” leads to a hacker site, set up to look like the mybank.com site
Then a standard phishing attack can be performed on the user-name and password
47
RATS
Remote Access Trojans New! Improved!! More efficient!!!
These new remote-access Trojans are designed specifically to lurk in the background, waiting until the unsuspecting user types the name of a well-known bank into a Web browser. Then, the program springs into action, copying every keystroke. The data is sent back to the criminal, who now can raid the online bank.
48
Social Engineering
Phishing, via spam or web sites Sending pictures or other interesting things, with compelling reasons to “open it” Download interesting programs, with Trojans Giving up personal information using baits of various kinds If we figure out all the tricks, more will be invented
49
Countermeasures
Patches and security fixes Virus Scanners Intrusion Detectors / Firewalls Integrity Checking and Virtual Machines Cryptography
Digital Signatures and PKI systems
Smartcards / RFID Awareness and Education Out of band notifications Simple yet effective (vs. Complex and breakable) Proper administration, configuration
50
Patches and Fixes
Software updates
To fix buffer overflow and such attacks Doublespeak: “attacker can gain complete control over a computer.” Also fixes bugs and other vulnerabilities “Hardens” software
Updates can be dangerous
Introduces more bugs and vulnerabilities Can be fake Target for attackers who distribute malicious patches
51
Password Managers
Stops users from using the same user-id and password Creates strong passwords Sometimes a pain to use Password managers built into browsers – not a good idea Have to transport data between computers, if using multiple computers (or run from USB stick) Master password can be sniffed
52
Virus Scanners
Everyone should have them installed
Even though they are ineffective? Slows down performance
Uses Black Lists Polymorphism and other techniques are used by viruses to avoid detection Can be disabled or tampered with Problem with DLL, browser objects, active X, registry hacks, cookies Adware different from spyware and viruses
Not true
A patch that works for now
53
Firewalls
Software and hardware firewalls “Network Address Translation” Incoming filter is needed Outgoing filter is effective but irritating Software firewalls can be defeated
Hardware firewalls are incoming only
54
Intrusion Detection Systems
A set of layered network-wide service for large computer installations
May just be a firewall
Typical configuration have
DMZ and honeypots Bastion hosts Signature based detection Monitoring and logging
Attacks possible
Polymorphic attacks Noise camouflaged attacks
55
Virtual Private Networks
An authenticated, encrypted tunnel between a client and a host on a secure network Not popular, but effective Reverse attacks are possible
If the host is on an open network, the client does not have firewall protection
Corporate users are required to use VPNs
56
File Integrity Checkers
Scan each “clean” file and store a signature (or hash) Compare files to stored hashes whenever they are used Easy to bypass or to store hash after file corruption occurs Hash storage prone to attack Sometimes irritating to use A virus can fake user input and fool the integrity checker E,g, Tripwire
57
Single Sign on Systems
Sign on to a secure server and your credential will be forwarded to any site you need to sign on to Most implementations are flawed Need too much private information (or shared secrets) to float around Kerberos is probably one of the best, but difficult to administer Microsoft Passport and Liberty Alliance have products that are struggling (or dead) Certificate based systems would be much better
58
Sandboxing
Running applications with limited privileges System calls from sandboxed applications can only acces some “harmless” functions and can cause no damage The above statement is large untrue Sandboxed applications may be able to
Fool the user Send network packets, or spam Run more sandboxed applications Denial of service
59
Virtual Machine Monitors
The ultimate sandbox Multiple copies of the operating system runs on the same machine (guest operating systems) The core of the system is the “Virtual Machine Monitor” Everything is totally separate, each OS has a different file system, different network address Isolation can be perfect, but isolation is not security VMM based integrity checking has much promise
60
Cryptography
Cryptography has a treasure chest of algorithms and protocols for handling security (or computation and data)
(Cryptographically Secure) Random Numbers (One way) Hash functions Symmetric Encryption (e.g. DES, AES, IDEA) Asymmetric Encryption (RSA, Rabin, ECC)
Cryptography, if properly implemented can provide high degrees of data security and reliable authentication
Without using shared secret “IF” keys are kept secret Prone to viral attacks
61
PKI Systems
PKI = Public Key Infrastructure
A set of protocols that use asymmetric encryption and hashing Authentication Systems Digital signatures for non-repudiable transactions Digital Certificates for secure authentication
PKI based authentication stops the phishing problem and password leakage problem Keyboard sniffers are not always effective with PKI systems Microsoft Cardspace seems to be the first “consumer” targeted PKI based identity management system PKI based smartcards are the best implementation
Not yet being deployed
62
Smartcards
Smartcard =
Stored secrets Compute engine Communication path Non tamperable
secrets
processor
Most smartcards are not very smart
Stored value cards, shared secret challenge response cards, GSM SIM cards
PKI based smartcards provide an excellent authentication solution
DoD CAC Belgian ID card
63
RFID cards
More common, less secure Contactless – Accessible via radio waves. Can be read at large distances, with expensive equipment Prone to the tracking vulnerability Many attacks against RFID passport discovered Challenge-response RFID cards are better
The current crop is tainted with bad algorithms Stops cloning, but does not stop stealing Room for improvement
64
Out of band communications
A simple and yet powerful technique Many scenarios possible for example:
Make a web transaction that involves a credit card payment An automated phone call received Confirm PIN using phone keypad Confirm amount Must be resilient against fake phone calls
Very hard for attacker to compromise credit card and cellphone and phone PIN
65
Simple is Effective
Complex is breakable All complicated solutions have vulnerabilities and features that can be exploited
Think of a complex piece of software….
– – – – Web browser Microsoft Office Outlook Many more examples
We need simple solutions
Easy to understand Easy to detect anomalous behavior
66
Awareness and Education
Education is the answer to many problems, but Cannot educate the masses effectively
Computing and network infrastructure has very deep penetration Consumers are getting educated, but more keep coming online
Learn by experience?
Bad idea
Smart people protect themselves
….but the others create problems for everyone
67
Administration and Configuration
Out of the box configurations of systems and gadgets are vulnerable
Default passwords Security features disabled
“Proper Configuration” is of paramount important
e.g. 500 mile email radius How? Very few smart administrators seem to know Obscurity is used to defeat attackers (in a way, bad idea)
• Security policy of your organization • Host system security • Auditing • Router security • Firewalls • Intrusion detection systems • Incident response plan
Checklist for organizational systems
68
Partha Dasgupta, Arizona State University
Not just hype + paranoia
Internet hosts are under constant attack Financial losses are mounting Miscreants are getting smarter
(and so are consumers)
“National Security” risks were stated and then underplayed Data loss threatens normal users, corporations, financial institutions, government and more Questions:
HOW? WHY? and What can we do?
2
Overview
Part 1: Security Basics Part 2: Attacks and Countermeasures Part 3: Cryptography Part 4: Network Security Part 5: System Security
3
Part 1: Security Basics
Computer and Network Security basics Hacking Attacks and Risks Countermeasures Secrets and Authentication Paranoia
4
Computer and Network Security
Keep computers safe from program execution that is not authorized Keep data storage free from corruption Keep data storage free from leaks Keep data transmissions on the network private and untampered with Ensure the authenticity of the transactions (or executions) Ensure that the identification of the human, computer, resources are established
With a high degree of confidence Do not get stolen, misused or misrepresented
5
Hacking or Cracking
Plain old crime Phone Phreaking Credit cards, the old fashioned way Technology Hacks
Design deficiencies and other vulnerabilite ATM, Coke Machines, Credit Cards, Social Engineering Software hacks Second channel attacks RFID issues Cell phone vulnerabilities Grocery cards?
6
Attacks and Risks
“Attacks”
An attack is a method that compromises one or more of: - privacy (or confidentiality) - data integrity - execution integrity
Attacks can originate in many ways
System based attacks Network based attacks “Unintended Consequences”
Risk – a successful attack leads to “compromise”
Data can be stolen, changed or “spoofed” Computer can be used for unauthorized purposes Identity can be stolen RISK can be financial
7
Attack Types
System based attacks
Virus, Trojan, rootkit Adware, spyware, sniffers
A program has potentially infinite power
Can execute, spawn, update, communicate Can mimic a human being Can invade the operating system
Network based attacks
Eavesdropping Packet modifications, packet replay Denial of Service
Network attacks can lead to data loss and system attacks
8
Countermeasures
System Integrity Checks
Virus detectors Intrusion detection systems Software signatures
Network Integrity checks
Encryption Signatures and digital certificates Firewalls Packet integrity, hashes and other cryptographic protocols
Bottom Line:
We have an arsenal for much of the network attacks System security is still not well solved
9
What is at Risk?
Financial Infrastructure Communication Infrastructure Corporate Infrastructure Confidentiality and Privacy at many levels Economy Personal Safety
10
The Shared Secret Fiasco
Our authentication systems (personal, financial, computing, communications) are all based on “shared secrets”
ID numbers, Account numbers, passwords, SS#, DOB
• The Fake ATM attack • The check attack • The extortion attack
When secrets are shared, they are not secrets
They will leak!
Given the ability of computers to disseminate information, all shared secret schemes are at extreme risk
Media reports of stolen data is rampant
11
How do secrets leak?
Malicious reasons Simple mistakes Oversight Bad human trust management Bad computer trust management “Nothing can go wrong”
Please believe in Murphy!
12
Keeping Secrets?
Simple answer, not possible. Encryption is good, but data has to be unencrypted somewhere “Disappearing Ink”? Use paper based documents, not scanned. Public Key Encryption has much promise (PKI systems) Shared secrets need to be eliminated as much as possible Separate out of band communications
Phone, postal mail, person-to-person
13
Authentication
Shared secrets are used for authentication
Username/passwords
Multi-factor authentication
What you know What you have What you are, what you can do.
Most of the authentication methods are quite broken
Designed when networking was not around PKI systems are better, but not deployed Too many false solutions (dangerous, gives a feeling of security)
14
Passwords
The password is known to the host and the client
Under some password schemes the host does not know the password (e.g. Unix)
Passwords can leak from host or from client Same password is used for multiple sites Password managers are not too effective “Good passwords” are not as good as you think Invented for a completely different purpose, using passwords on the web, even with SSL encryption, is a bad idea
15
False Solutions
Biometrics
A digital bit string, or password that cannot be changed Plenty of attacks possible, including framing
RFID identification
Plenty of attacks possible
Multi-Factor authentication
Better, but still not good
Smart cards (the not-so-smart ones)
Again, based on shared secrets, have attacks and limitations
16
Paranoia?
A large number of computers (consumer, business) are compromised or used for fraud
Viral infections, zombies Many web servers are for fraudulent reasons
Spam is an indicator
Unprecedented lying, cheating
Adware, popups, spyware
All attempting to mislead, steer, and victimize
Identity theft, financial theft, cheating
Probably at an all time high
Security Awareness is often coupled with paranoia
It is necessary to be paranoid!
17
What is the point of an attack?
Get your shared secrets for financial gain
Personal Corporate Financial System Identification
Espionage Disruption
18
Computer Security
Software needs to be verifiably untampered and trusted Networks need to be free from tampering/sniffing Data has to be secure from stealing and tampering End user protection A coalescing of software, hardware and cryptography along with human intervention and multi-band communication.
19
Part 2: Attacks and Countermeasures
Vulnerabilities System Attacks
Virus, Trojan, Worm Buffer overflow Rootkit Zombies Web based attacks Eavesdropping Man-in-the-middle Denial of service Authentication attacks Pharming, RATS
Network Attacks
Social Engineering Attacks
20
The Attackers
Script kiddies Hackers Would-be hackers Crackers Industrial espionage Elite Blackhat
A whitehat attacks too, but for the purpose of securing systems
21
Vulnerabilities
Vulnerabilities are weak spots
Hard to spot, hard to predict
Can exist in any complex system Human vulnerabilities:
Greed, friendship, attraction, guilt….. much more
System Infrastructure Vulnerabilities
“process has holes”, “laws have loopholes”
Software Vulnerabilities
Bad code, bad design, unforeseen problems
Hardware Vulnerabilities
Failures, faulty design
22
Vulnerability Origins
Too many to reason about “Bad design” Use of shared secrets Human’s do not comprehend large systems
Permutation is not what we do best
A set of ways to do things + some thinking on the part of a miscreant…..
The Windows Vista Audio Attack
23
Examples
Coke machine hack
http://youtube.com/watch?v=TBgHH8ZmB_s
ATM hack
The video disappeared “security via obscurity”
SQL Injection
http://youtube.com/watch?v=MJNJjh4jORY
WiFi range extender?
http://youtube.com/watch?v=LY8Wi7XRXCA
24
More Problems
Lack of transparency to humans
Windows registry
Feature Creep Lack of adequate “Idiot Proofing”
Counterintuitive?
Ease of use is paramount
Now we know, but its too late.
Lack of end-user understanding of vulnerable operations and situations
25
Malware
“Malware” is just one problem, but a major problem How does it work? How does it get there? What can it do? The OS is supposed to prevent such external attacks
Does not work Not in our lifetimes, will these problems get fixed
26
Virus-Trojans-Worms
“Malware” – software that causes harm
All software is capable of causing harm
Can perform any computations on a computer Can reproduce BUT: How did it get to the host machine Easy Methods:
Social engineering Trojans
Harder methods
Vulnerability exploits Buffer overflows
27
The Ultimate Trojan
“Reflections on Trusting Trust” -- Ken Thompson, Turing
Award Lecture 1984
How to break into Unix? Write custom “login” program Write custom compiler Write even more custom compiler Now the goose is cooked A trojan that lives forever and can never be disabled?
28
Nothing can be trusted
From login programs to compilers to bootstraps – maybe extending to microcode
“The moral is obvious. You can't trust code that you did not totally create yourself…. “No amount of source-level verification or scrutiny will protect you from using untrusted code….. “A well installed microcode bug will be almost impossible to detect….
– KEN THOMPSON
Since 1984, we know “Software cannot be trusted”.
Yet we do!
29
Trusted Software
We have to trust software
No choice
We have to acquire software from “reliable sources”
Insider attacks happen
We have to check the software regularly
Virus detectors are not the answer
All software have “vulnerabilities”
Operating systems, applications, servers, compilers and so on
Vulnerabilities can be exploited by attackers
“Buffer overflow” is the major attack, there are many more
30
Buffer Overflow
Reading input data causes overwriting of some data already on the system
Stack smashing Heap smashing Data changing Calling existing routines with different parameters
Can be installed form network communications or from a data file Result: Easy to install viruses without intervention from the user.
31
Details of Buffer Overflow
foo() Int a[3]; { read n; i = 0; do n times read(a[i]); i++; }
a[0] a[1]
a[2]
Return address
32
What is vulnerable to Buffer Overflow?
Network connections Structured files User inputs Scripts
All software contain vulnerabilities (just have not been discovered yet)
33
After a Buffer Overflow…
Goal is too install a virus Buffer overflow allows:
1. an attacker to introduce malicious code into a process
OR
2. An attacked to call an existing routine in the application process, with doctored arguments
It is a powerful technique to start the compromise a computer process
34
Rootkits, the Grand Finale
Buffer overflows, open the door, the real deal is the “rootkit”. Operating system patch Hides all evidence of the compromise Impossible to detect from within the system
Need external detectors
Can be designed to be very difficult, if not impossible to clean up Reinstall is the only sure way to stop a rootkit
35
What can rootkits do?
Run any software as “root” or administrator Update itself as well as implant newer attacks later “Very Stealthy” Install keyboard sniffers Access any data stored on the computer
If the data is encrypted, the rootkit can find where the key is located
36
Zombies
A virus A process that listens to commands from “home” Can download another programs Can start attacks on other systems Can do spamming without being easily detected Advantage: Upgradeable, reprogrammable!
37
Sniffers
Record keystrokes typed by a user Can see all data entered by a user, including secret data
Passwords, credit card numbers, personal information Can see data that is encrypted (as it can access it before encryption, or after decryption)
Would you use a computer that does not belong you?
38
Web Attacks
A variance of the buffer overflow and virus attack Use web software to attack a browser Utilize vulnerabilities in a browser
Java script vulnerabilities Active X vulnerabilities Install “browser helper objects” Can be hidden in web popups
Often used to install
Adware Spyware
Web-beacons
Single pixel images, that detect a user reading a web page (or email, or any HTML content)
39
Cross Site Scripting
Fun with Javascript and browsers and servers Type 0
Run a script on the users machine when visiting a malicious site. The local script has higher privileges
Type 1
Inject a client side script into a server. A crafted URL followed while logged into a good site can make the good site do what the attacker wants
Type 2
A message board contains crafter URLs that can send cookies to the attacker
Many attacks, including the recent gmail attack were done via XSS
40
Gmail Attack
[from a blog] Haochi Chen discovered what looks like a Gmail XSS (cross-site scripting) security problem. Using a small piece of JavaScript you can put on any server, the user’s contact names & email addresses are revealed (provided you’re logged in to your Google account). I was able to reproduce this using Firefox, and an updated version of the original snippet. With Haochi’s code, a malicious website would be able to grab your contact list and transmit it to their server behind the scenes, storing this data for other purposes – like spamming, or finding out more about you. If you’re worried about this Google vulnerability, the best thing until it’s fixed is to only visit sites you know and trust, or to turn off your browser’s JavaScript, or to log out of Gmail.
41
Password Attacks
Find password by brute force, or by guessing, or by dictionary attacks Hardy ever used any more, even simple passwords are hard to crack!
So many easier ways, why bother!
Phishing is hard? Phishing is easy?
Sniffing too
42
Network Eavesdropping
Ethernet and broadcast networks
“promiscuous mode” Get every packet Password sniffing MAC sniffing WEP cracking
Network eavesdropping can lead to loss of privacy is data is being sent un-encrypted
Not a common attack
43
Man in the Middle
Insert a malicious relay between sender and receiver of a network connection Change data packets, or replay them
Need to sniff and then inject Or need to establish to connections (redirect traffic)
Causes confusion Gain information, use authentication surreptitiously Not effective against modern cryptographic protocols (encryption and digital signatures)
44
Denial of Service
Flood the network with fake traffic Overwhelm servers with large numbers of queries Distributed DoS uses Zombies
Very difficult to contain
Attacking the network stack
Use malformed packets to cause TCP-IP software to block/crash
Does not cause any loss of privacy, or system compromises
45
Authentication Attacks
Steal authentication information
Phishing is the most common method Man in the middle, eavesdropping can do it too
Steal keys and other shared secrets
Physical theft Viruses Brute force (for bad cryptographic algorithms)
46
Pharming
Corrupt a DNS server
Man in the middle System attack
A host translates a DNS name to a attackers IP address
E.g. “mybank.com” leads to a hacker site, set up to look like the mybank.com site
Then a standard phishing attack can be performed on the user-name and password
47
RATS
Remote Access Trojans New! Improved!! More efficient!!!
These new remote-access Trojans are designed specifically to lurk in the background, waiting until the unsuspecting user types the name of a well-known bank into a Web browser. Then, the program springs into action, copying every keystroke. The data is sent back to the criminal, who now can raid the online bank.
48
Social Engineering
Phishing, via spam or web sites Sending pictures or other interesting things, with compelling reasons to “open it” Download interesting programs, with Trojans Giving up personal information using baits of various kinds If we figure out all the tricks, more will be invented
49
Countermeasures
Patches and security fixes Virus Scanners Intrusion Detectors / Firewalls Integrity Checking and Virtual Machines Cryptography
Digital Signatures and PKI systems
Smartcards / RFID Awareness and Education Out of band notifications Simple yet effective (vs. Complex and breakable) Proper administration, configuration
50
Patches and Fixes
Software updates
To fix buffer overflow and such attacks Doublespeak: “attacker can gain complete control over a computer.” Also fixes bugs and other vulnerabilities “Hardens” software
Updates can be dangerous
Introduces more bugs and vulnerabilities Can be fake Target for attackers who distribute malicious patches
51
Password Managers
Stops users from using the same user-id and password Creates strong passwords Sometimes a pain to use Password managers built into browsers – not a good idea Have to transport data between computers, if using multiple computers (or run from USB stick) Master password can be sniffed
52
Virus Scanners
Everyone should have them installed
Even though they are ineffective? Slows down performance
Uses Black Lists Polymorphism and other techniques are used by viruses to avoid detection Can be disabled or tampered with Problem with DLL, browser objects, active X, registry hacks, cookies Adware different from spyware and viruses
Not true
A patch that works for now
53
Firewalls
Software and hardware firewalls “Network Address Translation” Incoming filter is needed Outgoing filter is effective but irritating Software firewalls can be defeated
Hardware firewalls are incoming only
54
Intrusion Detection Systems
A set of layered network-wide service for large computer installations
May just be a firewall
Typical configuration have
DMZ and honeypots Bastion hosts Signature based detection Monitoring and logging
Attacks possible
Polymorphic attacks Noise camouflaged attacks
55
Virtual Private Networks
An authenticated, encrypted tunnel between a client and a host on a secure network Not popular, but effective Reverse attacks are possible
If the host is on an open network, the client does not have firewall protection
Corporate users are required to use VPNs
56
File Integrity Checkers
Scan each “clean” file and store a signature (or hash) Compare files to stored hashes whenever they are used Easy to bypass or to store hash after file corruption occurs Hash storage prone to attack Sometimes irritating to use A virus can fake user input and fool the integrity checker E,g, Tripwire
57
Single Sign on Systems
Sign on to a secure server and your credential will be forwarded to any site you need to sign on to Most implementations are flawed Need too much private information (or shared secrets) to float around Kerberos is probably one of the best, but difficult to administer Microsoft Passport and Liberty Alliance have products that are struggling (or dead) Certificate based systems would be much better
58
Sandboxing
Running applications with limited privileges System calls from sandboxed applications can only acces some “harmless” functions and can cause no damage The above statement is large untrue Sandboxed applications may be able to
Fool the user Send network packets, or spam Run more sandboxed applications Denial of service
59
Virtual Machine Monitors
The ultimate sandbox Multiple copies of the operating system runs on the same machine (guest operating systems) The core of the system is the “Virtual Machine Monitor” Everything is totally separate, each OS has a different file system, different network address Isolation can be perfect, but isolation is not security VMM based integrity checking has much promise
60
Cryptography
Cryptography has a treasure chest of algorithms and protocols for handling security (or computation and data)
(Cryptographically Secure) Random Numbers (One way) Hash functions Symmetric Encryption (e.g. DES, AES, IDEA) Asymmetric Encryption (RSA, Rabin, ECC)
Cryptography, if properly implemented can provide high degrees of data security and reliable authentication
Without using shared secret “IF” keys are kept secret Prone to viral attacks
61
PKI Systems
PKI = Public Key Infrastructure
A set of protocols that use asymmetric encryption and hashing Authentication Systems Digital signatures for non-repudiable transactions Digital Certificates for secure authentication
PKI based authentication stops the phishing problem and password leakage problem Keyboard sniffers are not always effective with PKI systems Microsoft Cardspace seems to be the first “consumer” targeted PKI based identity management system PKI based smartcards are the best implementation
Not yet being deployed
62
Smartcards
Smartcard =
Stored secrets Compute engine Communication path Non tamperable
secrets
processor
Most smartcards are not very smart
Stored value cards, shared secret challenge response cards, GSM SIM cards
PKI based smartcards provide an excellent authentication solution
DoD CAC Belgian ID card
63
RFID cards
More common, less secure Contactless – Accessible via radio waves. Can be read at large distances, with expensive equipment Prone to the tracking vulnerability Many attacks against RFID passport discovered Challenge-response RFID cards are better
The current crop is tainted with bad algorithms Stops cloning, but does not stop stealing Room for improvement
64
Out of band communications
A simple and yet powerful technique Many scenarios possible for example:
Make a web transaction that involves a credit card payment An automated phone call received Confirm PIN using phone keypad Confirm amount Must be resilient against fake phone calls
Very hard for attacker to compromise credit card and cellphone and phone PIN
65
Simple is Effective
Complex is breakable All complicated solutions have vulnerabilities and features that can be exploited
Think of a complex piece of software….
– – – – Web browser Microsoft Office Outlook Many more examples
We need simple solutions
Easy to understand Easy to detect anomalous behavior
66
Awareness and Education
Education is the answer to many problems, but Cannot educate the masses effectively
Computing and network infrastructure has very deep penetration Consumers are getting educated, but more keep coming online
Learn by experience?
Bad idea
Smart people protect themselves
….but the others create problems for everyone
67
Administration and Configuration
Out of the box configurations of systems and gadgets are vulnerable
Default passwords Security features disabled
“Proper Configuration” is of paramount important
e.g. 500 mile email radius How? Very few smart administrators seem to know Obscurity is used to defeat attackers (in a way, bad idea)
• Security policy of your organization • Host system security • Auditing • Router security • Firewalls • Intrusion detection systems • Incident response plan
Checklist for organizational systems
68
