CYBER SECURITY, Part II Malware and Scams. A Quick Review of the basics!

Transcript of CYBER SECURITY, Part II Malware and Scams. A Quick Review of the basics!

Page 1

CYBER SECURITY, Part II Malware and Scams

Page 2

A Quick Review of the basics!

Page 3

The Security Pillars

• Authentication

• Authorization

• Privacy

• Information Integrity

• Non Repudiation

• Availability

Page 4

Viruses, Worms, Trojan Horses and Spybots

aka, Malware

Primarily attacks on Authentication, Data Integrity, System Availability and Privacy

Page 5

Viruses!!

Page 6

Computer Viruses

• In the early 1980s, Fred Cohen did extensive theoretical research at USC, as well as setting up and performing numerous practical experiments, regarding viral type programs.

• Dr. Cohen's definition of a computer virus as "a program that can 'infect' other programs by modifying them to include a ... version of itself" is generally accepted as a standard.

• Aka, an illicit program hidden inside of a legitimate program that propagates through various computer and network media

• Cohen created “research viruses” as part of his thesis

• Today we are concerned with viruses “in the wild”

Page 7

Viruses

• Malicious software code that is usually embedded in executable programs or documents

• File Infector viruses can sit in a system's memory and attach themselves to any programs that the user opens

• Some viruses actually create new copies of existing programs that contain malicious code and substitute them for the original

• A common technique is to infect Word documents that may then be emailed to other systems

• Famous Viruses in the past were called Chernobyl, Career of Evil, Concept

• The worst viruses destroy the file directory or the data on your Disk!

Page 8

How do they propagate?

• Early viruses spread when people exchanged floppy disks that contained programs or data with other users and inserted them into their machines (relatively slow propagation)

• Today, with the speed and global reach of the internet, viruses can spread many times faster attached to emails, and file downloads such as mp3s, images and video files (very fast propagation and attack at a distance)

Page 9

Types of Viruses

• File Infector Viruses

– Some of the oldest types

– Looks like an executable file (.exe, .com, .bin, .sys)

– Hides in system memory and embeds itself in applications that the user opens

– Capable of infecting multiple application files

– Some Infector viruses make a copy of the real application and hide themselves inside the copy. When the user clicks on the file name, the copy runs, not the original.

• Macro Viruses

– Hide in the macro commands that are popular in Windows applications

– These viruses infect any documents that the application opens (Word, Excel, Access, etc.)

Page 10

Types of Viruses

• Boot Sector Viruses

– These viruses infect the boot track of the disk drive when the machine is booted up

– By altering the boot drive, the virus can render the machine inoperable

– Michelangelo was a famous boot sector virus that launches on computers on March 6th and puts the infected machines out of service

– On March 6, 1992 there was almost hysteria about the effect that this virus would have on all the PCs installed worldwide

Page 11

Worms

• Responsible for today’s most widespread attacks and sometimes confused with Viruses

• Unlike viruses, worms are designed to self-replicate and automatically spread themselves from system to system using the network connections

• Worms usually use email as their carrier method since email is such a popular application

• Some worms mail themselves to everyone listed in your address book as an efficient replication mechanism

• The Anna-Kournikova.jpg.vbs worm did over $80 million worth of damage because people couldn’t resist the temptation of seeing a nude photo of her
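The Kournikova worm worked because "Anna-Kournikova.jpg.vbs" reads as a picture while the real (last) extension is a script that Windows executes. The Python below is an added example, not part of the slides, showing the kind of mail-gateway check that catches this pattern; the extension lists are constructed for the example and would be tuned per environment.

```python
import os
from typing import List, Tuple

# Constructed lists for this example: extensions that execute when opened,
# and extensions a user reads as harmless data (the "bait" half of a double extension).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jse", ".wsf", ".hta"}
BENIGN_LOOKING_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt",
                             ".doc", ".pdf", ".mp3", ".avi"}


def attachment_risk(filename: str) -> str:
    """Classify an attachment by its name alone.

    Returns:
      "double-extension" - executable extension hidden behind a benign-looking one
      "executable"       - the real (last) extension runs code when opened
      "ok"               - nothing suspicious about the name itself
    """
    name = filename.strip().lower()
    root, last_ext = os.path.splitext(name)      # "anna-kournikova.jpg", ".vbs"
    if last_ext not in EXECUTABLE_EXTENSIONS:
        return "ok"
    _, inner_ext = os.path.splitext(root)        # ".jpg"
    if inner_ext in BENIGN_LOOKING_EXTENSIONS:
        return "double-extension"
    return "executable"


def flag_attachments(filenames: List[str]) -> List[Tuple[str, str]]:
    """Return (filename, risk) for every attachment that is not plainly ok."""
    flagged = []
    for name in filenames:
        risk = attachment_risk(name)
        if risk != "ok":
            flagged.append((name, risk))
    return flagged


if __name__ == "__main__":
    # Constructed sample attachment names, including the one from the slide.
    for item in flag_attachments(["Anna-Kournikova.jpg.vbs", "holiday.jpg",
                                  "setup.exe", "report.pdf.exe", "archive.tar.gz"]):
        print(item)
```

The name check is deliberately cheap; it only tells you what the user will see. A gateway that actually enforces a policy should also look at the attachment's content (file type from its bytes, not its name), because an attacker chooses the name.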

Page 12

Kournikova worm smashes through the net !!!!

Sophos Anti-Virus, a world leader in corporate anti-virus protection, has warned users to be wary of a new in-the-wild worm that poses as a picture of the popular Russian tennis pin-up, Anna Kournikova. The worm has been widely reported as infecting users around the world. (2001)

Page 13

The Trojan Horse

Page 14

Trojans

• Modeled after the ancient technique of hiding a threat inside of a seemingly benign package

• Trojans are usually attached to emails and contain a program that performs nasty stuff on your computer

• When the user opens the email, the system resets and when it boots up, the Trojan program does its thing very secretly

• Trojans can open up backdoor communications on your system which allows someone to actually see what you are typing on the keyboard (Usernames, Passwords, CC#s, Phone numbers, SS#s)!!!!!!!

• Trojans can also allow someone to effectively hijack your computer and use it to control everything that your machine does without you knowing it (Zombies!)

Page 15

In Summary

• A wide variety of threats

• Viruses, Worms and Trojans are sometimes combined in order to confuse the detection and removal techniques

• The attacks continue and get more sophisticated all the time.

Page 16

How to attempt to protect yourself from Malware

• Install virus protection software

• Subscribe to the update Service and have the updates installed automatically on your machine

• Perform a complete Virus scan of your machine at least once a week

– Automatically while you are asleep!

• Do not put flash memory cards from unknown parties into your machine

• Only accept software downloads from reputable companies (almost 10% of all the files on popular file sharing sites are in fact Malware)

• Install and run Spybot Search and Destroy regularly

• Don’t open any emails promising racy photos or videos of Anna Kournikova, Pamela Anderson, Paris Hilton or Ben Affleck, George Clooney or Brad Pitt! Or anyone else for that matter….

Page 17

RansomWare!

Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.


Page 18

Beware of Bogus Virus Protection! (RansomWare)

• The user gets a very visible warning about infections on their PC from what appears to be a legitimate source (Microsoft, etc)

• They are instructed to click on a button and download software to protect themselves.

• By doing so they download and install a program that incessantly pops up on their screen instructing them to pay for a viral antidote which disrupts everything else they are trying to do

• They then have to go to a website and pay to remove the annoying software that they mistakenly downloaded in the first place!

• VERRRRY ANNOYING!!!! and costly

Page 19

CryptoWall and CryptoLocker

A file-encrypting ransomware program called CryptoWall infected over 600,000 computer systems in the past six months and held 5 billion files hostage, earning its creators more than $1 million, researchers found.

The threat has been spreading since at least November 2013, but until the first quarter of this year it remained mostly overshadowed by CryptoLocker, another ransomware program that infected over half a million systems from September 2013 through May, earning its perpetrators an estimated $3 Million!


Page 20

More Threats and Scams

• Nigerian Letters

• Phishing

• Pharming

• Spoofing

Page 21

Nigerian Letters

• Also known as “Advance Fee Fraud”

• Has been run successfully since the 1980s over mail and over the Internet

• Convinces the target that they will get a huge commission for helping free up money held in an offshore bank account.

• Target is solicited for small “fees” and their personal info to expedite the process

• Of course, no money is forthcoming

• Read all about them here http://home.rmci.net/alphae/419coal/

Page 22

Nigerian Letter Example

Attention. Friend

Its my pleasure to inform you that i have verify from the bank director regarding the transfer of your fund and it was good news because the requested fee was less expessive for you to afford. your consignment containing your fund($800.000.00) i have deposited it with the CAPITAL CITY BANK PLC so that your fund will be wired to your account immediately you contact the bank director with your banking details. However i went to CAPITAL CITY BANK PLC to discuss this with the bank director as its has not been delivered to you However he told me that your fund can be transfered to you via a direct wire transfer(KTT) into your account. He told me to instruct you to contact the bank to apply for a direct wire transfer into your account to avoid loosing your fund due to delay. Therefore you can contact the bank with below information, send to them your banking information.

CAPITAL CITY BANK PLC OF BENIN REPUBLIC
20/22 HOSPITAL ROUTE
COTONOU BENIN REPUBLIC

Page 23

Phishing, Pharming and Spoofing


Who Am I ????

Page 24

Phishing

• Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic transaction.

• Phishing is an example of social engineering techniques used to fool users and exploits the poor usability of current web security technologies.

• Phishing alludes to baits used to "catch" financial information and passwords.

Page 25

Pharming

Pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website

Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software.

Antivirus software and spyware removal software cannot protect against pharming.

Pharming is also known as Page Hijacking
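Because pharming through the local hosts file bypasses DNS entirely, and the slide notes that antivirus tools do not catch it, the practical defence is to inspect that file for static overrides. The Python below is an added example (not from the slides) that parses hosts-file text and flags any non-local hostname mapped to a non-loopback address; the sample content, including the bank entry, is constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed hosts-file content for this example. The first entries are the
# normal loopback lines; the last line is what a pharming change looks like
# (example-bank.com is a placeholder name, 192.0.2.10 a documentation address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example          # ad-blocking style entry, harmless
192.0.2.10      www.example-bank.com # constructed: sends bank traffic elsewhere
"""


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """Turn hosts-file lines into {address, hostname} records, ignoring comments."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]   # one address, one or more names
        for name in names:
            records.append({"address": address, "hostname": name.lower()})
    return records


def suspicious_hosts_entries(text: str) -> List[Dict[str, str]]:
    """Return entries that statically map a real hostname away from DNS.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) targets are the normal
    content of a hosts file; anything else overrides DNS for that name and
    deserves a second look.
    """
    flagged = []
    for rec in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(rec["address"])
        except ValueError:
            flagged.append(dict(rec, reason="unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        if rec["hostname"] in ("localhost", "localhost.localdomain"):
            continue
        flagged.append(dict(rec, reason="hostname statically mapped away from DNS"))
    return flagged


if __name__ == "__main__":
    for entry in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(entry)
```

To run it against a real machine, read the file at `/etc/hosts` (Unix) or `C:\Windows\System32\drivers\etc\hosts` (Windows) and pass the text to `suspicious_hosts_entries`. An entry can still be legitimate (a developer pinning a test server, for instance), so the output is a review list, not a verdict; the DNS-server variant of pharming the slide mentions is not visible in this file at all.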

Page 26

Spoofing

• Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website was created by a different person or organization. “Spoof” is also used simply to mean a fake website. Normally, the website adopts the design of the target website and sometimes has a similar URL

• E-mail spoofing is e-mail activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source. Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge emails. It is usually fraudulent but can be legitimate. It is commonly used in spam and phishing e-mails to hide the origin of the e-mail message.

• Most often used in conjunction with Pharming
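The slide's point that core SMTP provides no authentication means the visible From: line is whatever the sender typed; the envelope sender recorded by the receiving server (Return-Path:) is harder to align with a forged display. The Python below is an added example, not from the slides, that parses a raw message and reports when the two sender domains disagree; both messages are constructed and use placeholder domains.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed raw messages for this example (placeholder domains).
# In the first, the From: header claims a bank while the envelope sender,
# which the receiving mail server writes into Return-Path:, is elsewhere.
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [192.0.2.25])
    by mx.example.org with SMTP; Mon, 01 Jan 2001 09:00:00 +0000
From: "Example Bank Security" <alerts@example-bank.com>
To: victim@example.org
Subject: Your account has been locked

Please verify your account at the link below.
"""

SAMPLE_CLEAN = """\
Return-Path: <alerts@example-bank.com>
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Monthly statement

Your statement is attached.
"""


def sender_domains(raw: str) -> Dict[str, Optional[str]]:
    """Extract the domain part of the From: and Return-Path: addresses."""
    msg = message_from_string(raw)

    def domain_of(header: str) -> Optional[str]:
        value = msg.get(header)
        if value is None:
            return None
        _, addr = parseaddr(value)          # strips display name and angle brackets
        return addr.rsplit("@", 1)[-1].lower() if "@" in addr else None

    return {"from": domain_of("From"), "return_path": domain_of("Return-Path")}


def header_mismatch(raw: str) -> bool:
    """True when the displayed sender domain differs from the envelope sender domain."""
    d = sender_domains(raw)
    return (d["from"] is not None and d["return_path"] is not None
            and d["from"] != d["return_path"])


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, sender_domains(raw), "mismatch" if header_mismatch(raw) else "consistent")
```

A mismatch is a signal, not proof: mailing lists and forwarding services legitimately rewrite the envelope sender, which is the "can be legitimate" case the slide mentions. Production mail filters layer SPF, DKIM and DMARC checks on top of this kind of comparison so that the claimed domain itself can vouch for the message.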

Page 27

Phishing Video

http://www.youtube.com/watch?v=Y4mnIwtIWB4&feature=fvwrel

Page 28

These days, Phishing, Pharming and Spoofing are often all combined in the same attempt to compromise someone’s personal information

Page 29

Looking for Privacy

Encryption and Decryption

“Kryptos logos”

(Hidden Word)

Page 30

Encryption and Data Security (Privacy)

• Cryptography is the art and science of keeping messages secret

• Encryption techniques convert data into a secret code for transmission

• The process of retrieving the original message at the receiver is called decryption

Page 31

Encryption with and without keys

• Earlier, less sophisticated encryption did not involve the use of keys but relied solely on a secret formula or algorithm

• This is very weak encryption since:

– It is now essential to keep the algorithm secret between all authorized parties

– Disseminating the algorithm risks its secrecy

– Once the algorithm is compromised, an entirely new one must be developed and distributed

• The use of keys in conjunction with a public algorithm is much stronger because:

– The algorithm can be published so that everyone knows it

– The keys are secret

– The keys can be changed whenever necessary to preserve their secrecy

Page 32

Encryption Keys

• Keys are essential information -- usually a large numerical parameter(s) -- needed for encryption and/or decryption algorithms

• Encryption keys are used to encode plaintext as encoded ciphertext

• Decryption keys are used to decode ciphertext and recover the original plaintext

• Decryption keys are sometimes discovered by brute force methods employing computers to search large potential key combinations

Page 33

Two Types of Encryption using keys

• Symmetric keys also known as Secret Key Encryption

• Asymmetric keys also known as Public Key Encryption

• Public Key Encryption aka PKI is now the dominant form of Encryption in use in all digital transactions

Page 34

Disadvantages of Secret (Private) Key Ciphers

• Both parties have to keep the secret

– The more parties that have to share a secret, the less chance that the secret will remain secret

• Sending the secret key to the receiving party risks its secrecy

• If the key is compromised then it has to be transmitted to all parties before they can resume communications

Page 35

Asymmetric or Public Key Ciphers

• This involves the use of TWO different keys.

• One key is PUBLIC and published by a Trusted Third Party, known as a Certificate Authority (CA). This key is contained in a Digital Certificate

• One key is PRIVATE and held secret by its owner

• The Private key owner is registered with the CA and has proven their identity to a specific level of certainty

• The Private key owner can now SEND a message encrypted using the private key to anyone they like

• The Receiver of this message cannot read it without decrypting it

• The Receiver goes to the CA (on the web) and requests the Sender’s Public Key

• The Receiver uses the public key to decrypt the Sender’s message

Page 36

Who are the Certificate Authorities?

• CAs are Bonded, Trusted, Third Party Companies that have been authorized to set up Public Key Infrastructures (PKI) on the Web for the purpose of issuing and managing Public and Private keys for their subscribers

• They operate very secure servers on the web that allow two parties to use the Public Key methods to send secure information over the internet

• Subscribers have to pay to belong and must authenticate themselves to the CA periodically to prove who they are. There are different levels of authentication depending upon the nature of your transactions

• You can see a list of Certificate Authorities in your Browser!

Page 37

Asymmetric or Public Key Ciphers

• The first practical public key algorithm was published by Rivest, Shamir, and Adleman in 1976 and is known as RSA (for their last names)

• RSA is still a widely used algorithm which is a testament to its strength and viability

• Public key ciphers employ an algorithm with two keys -- a public key and a private key

• A sender looks up the recipient's public key and uses it to encode a message

• The recipient then decodes the message with his or her private key (this private key is necessary to decode the message)

• This also works in reverse.

Page 38

Asymmetric or Public Key Ciphers Illustrated

Page 39

Secure Socket Layer

• The use of Public Key Infrastructures to secure information exchanges over the web is called the Secure Socket Layer (SSL)

• SSL is the predominant method used to apply RSA and other algorithms for securing email and sensitive electronic transactions

• Recently, security vulnerabilities were discovered in SSL which potentially could allow unauthorized parties to compromise the method.

• http://www.howtogeek.com/182425/5-serious-problems-with-https-and-ssl-security-on-the-web/


Page 40

SSL uses several exchanges to set up the secure link


Page 41

Non-Repudiation using RSA

• If a party is registered with a CA and sends a document or a transaction encrypted with their secret key to another party they effectively create what is known as a DIGITAL SIGNATURE

• Digital Signatures are legally binding in the same way your hand written signature is binding (U.S. Congress and EEC laws)

– It is very difficult to REPUDIATE that transaction since only the sending party knew the secret key in order to create the encrypted message

– The message is read and processed by the receiving party using the Sender’s Public key, which is the ONLY key that will work. If the Receiver can successfully decode the message then it has proof that the message was generated by the specific sender

– Very important principle when applied to legally binding documents and transactions such as:

• Contracts

• Offers

• Affidavits

• Confidential Information

Page 42

Website demo illustrating Digital Certificates and Public Key Encryption

http://www.paypal.com

Page 43

CyberWar!


Page 44

Stuxnet --- Who done it ?????

• Stuxnet is a virus that is widely believed to have been developed by the U.S. and Israeli intelligence communities. Its purpose was to infiltrate programmable control systems used in the process control industries. In particular, this worm was targeted at the controllers that operate the centrifuges used in Iran to process uranium, a key component in the quest for nuclear weapons, or reactors.

• Stuxnet Video:

• http://vimeo.com/25118844


Page 45

Cyberwar - Recent News -WSJ- October 13, 2012

• http://online.wsj.com/article/SB10000872396390444657804578052931555576700.html?

Iran Blamed for Cyberattacks

U.S. Officials Say Iranian Hackers Behind Electronic Assaults on U.S. Banks, Foreign Energy Firms


Page 46

Questions?

Page 47

Symmetric or Secret Key Ciphers

• Secret key ciphers use a single secret key (or set of keys) for both encryption and decryption

• The secret key must be transferred securely in order for secret key methods to be secure

• Data Encryption Standard (DES) is a US government sponsored secret key cipher. DES uses a 56-bit key.

• International Data Encryption Algorithm (IDEA) has replaced DES. It uses a 128-bit key.

• Longer keys make it more difficult for brute force discovery of the secret key

Page 48

Authentication using RSA

• The process used to verify the identity of a respondent is called authentication

• Authentication is very important for electronic commerce and other network transactions

• Authentication exploits the symmetry of public and private keys

• To authenticate that a person is who they say they are:

– send that person a nonsense message and ask them to encode it with their private key and return it to you

– when the message is returned, if the person is who they claim to be, you should be able to recover your nonsense message using their public key which is published by the CA
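Three slides describe the same key pair doing three jobs: encrypting to a recipient (Page 37), signing a document for non-repudiation (Page 41), and answering a "nonsense message" challenge to prove identity (Page 48). The Python below is an added example, not from the slides, that runs all three on textbook RSA with toy parameters. Assumptions: the primes are two small Mersenne primes chosen so the numbers stay readable (real keys use random primes of 1024 bits or more), there is no padding, and the signature covers a SHA-256 digest truncated to fit the modulus rather than the raw document.

```python
import hashlib
import secrets
from typing import NamedTuple, Tuple


class PublicKey(NamedTuple):
    n: int
    e: int


class PrivateKey(NamedTuple):
    n: int
    d: int


# Constructed toy primes (2^31-1 and 2^61-1 are both prime). Far too small for
# real use; they keep the arithmetic visible in plain Python integers.
P = 2**31 - 1
Q = 2**61 - 1


def generate_keypair(p: int = P, q: int = Q, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return PublicKey(n, e), PrivateKey(n, d)


# --- Page 37: sender encodes with the recipient's PUBLIC key -----------------
def encrypt(message: bytes, pub: PublicKey) -> int:
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(ciphertext: int, priv: PrivateKey) -> bytes:
    """Only the PRIVATE key recovers the plaintext."""
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- Page 41: digital signature = "encrypt" the document with the private key -
def _digest_as_int(message: bytes, n: int) -> int:
    # Toy step (assumption): hash the document and keep only enough high bits
    # of the digest to fit under n, so documents of any length can be signed.
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return h >> max(0, h.bit_length() - n.bit_length() + 1)


def sign(message: bytes, priv: PrivateKey) -> int:
    return pow(_digest_as_int(message, priv.n), priv.d, priv.n)


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    """Anyone holding the public key can check; only the private key could have signed."""
    return pow(signature, pub.e, pub.n) == _digest_as_int(message, pub.n)


# --- Page 48: challenge-response authentication ------------------------------
def make_challenge(pub: PublicKey) -> int:
    """The verifier's random 'nonsense message', below the modulus."""
    return secrets.randbelow(pub.n - 1) + 1


def answer_challenge(challenge: int, priv: PrivateKey) -> int:
    """The claimant encodes the challenge with their private key."""
    return pow(challenge, priv.d, priv.n)


def check_response(challenge: int, response: int, pub: PublicKey) -> bool:
    """Decoding with the claimant's published key must give the challenge back."""
    return pow(response, pub.e, pub.n) == challenge


if __name__ == "__main__":
    pub, priv = generate_keypair()
    print("decrypted:", decrypt(encrypt(b"pay $100", pub), priv))
    sig = sign(b"Contract: 100 shoes", priv)
    print("signature verifies:", verify(b"Contract: 100 shoes", sig, pub))
    print("altered document verifies:", verify(b"Contract: 101 shoes", sig, pub))
    c = make_challenge(pub)
    print("challenge answered:", check_response(c, answer_challenge(c, priv), pub))
```

Two caveats a practitioner would add to the slides' description. First, the challenge must be random and fresh each time; a fixed challenge could simply be replayed. Second, a real signature scheme does not "encrypt" the raw document: it hashes it and applies a padding scheme (PKCS#1 v1.5 or PSS for RSA) before the private-key operation, and libraries such as OpenSSL do that for you. The toy above deliberately follows the slides' simpler picture so the three operations can be compared side by side.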

Page 49

Using Encryption to Authenticate in E-Commerce


Certificate Authority Process Flow

[Diagram: Certificate Authority Process Flow. Parties shown: Consumer/Subscriber, Merchant/Relying 3rd Party, Certification Authority. Labels on the flows: ID info and Public Key; Certificate; Merchandise or Service; Order info, Payment info; Obtain or access CRL; Provide CRL or response regarding specific certificate. Side boxes: CA's Key generation and Key management; Consumer's Key generation and Key management. Worked illustration on the diagram: "Mirek, publicKey=1234"; "Verisign, certificate, Verisign's public key"; "Shoes, CC#, certificate"; "Can you vouch?"; "Mirek, OK".]