CS363Week 6 - Friday
Last time
What did we talk about last time? Viruses and other malicious code
Questions?
Project 1
Security Tidbit 1
You guys probably don't use online dating tools much (yet)
Tinder is an app for iOS and Android that uses your Facebook network and geographic location to suggest matches If both matched people "like" the other, the
app allows them to communicate Include Security discovered that it was
possible to use the Tinder API to track the location of any user
The vulnerability was known for months and finally fixed around the beginning of 2014
Follow the story: http://www.net-security.org/secworld.php?
id=16391
Security Tidbit 2
A leaked NSA document viewed by Der Spiegel contained a 50-page catalog of hardware and software exploits made by the ANT division of the NSA for their Tailored Access Operations (TAO) It reads like a product brochure and even has prices! http://www.spiegel.de/international/world/catalog-
reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html
Many of the details date from 2008 There is presumably a newer catalog now Bruce Schneier has been discussing some of the
more interesting items in the catalog
Security Tidbit 2 (continued)
CANDYGRAM is one of the exploits Schneier recently discussed
It's hardware and software that pretends to be a GSM cell tower
When a phone on a target list gets close enough to it, the phone connects to the "tower" and NSA agents receive SMS messages
Of course, the NSA can get data from cell phone providers
But this might be faster when working in the field
Cost: $40,000 More information:
https://www.schneier.com/blog/archives/2014/02/candygram_nsa_e.html
Exam 1 Post-Mortem
Virus Case Studies
The Internet Worm
In 1988 Robert Morris, a Cornell graduate student, wrote an worm that infected a lot of the Internet that existed at that time
Serious connectivity issues happened because of the worm and because people disconnected uninfected system
He claimed the point was the measure the size of the Internet
The worm’s goal:1. Determine where it could spread to2. Spread its infection3. Remain undiscovered
Determining where to spread It tried to find user accounts on the host
machine It tried 432 common passwords and
compared their hash to the list of password hashes
Ideally, this list should not have been visible It tried to exploit a bug in the fingerd
program (using a buffer overflow) and a trapdoor in the sendmail mail program Both were known vulnerabilities that should
have been patched
Spreading infection
Once a target was found, the worm would send a short loader program to the target machine
The program (99 lines of C) would compile and then get the rest of the virus
It would use a one-time password to talk to the host
If the host got the wrong password, it would break connection
This mechanism was to prevent outsiders from gaining access to the worm’s code
Remain undiscovered
Any errors in transmission would cause the loader to delete any code and exit
As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies
It periodically changed its name and process identifier so that it would be harder to spot
What happened
The worm would ask machines if they were already infected
Because of a flaw in the code, it would reinfect machines 1 out of 7 times
Huge numbers of copies of the worm started filling infected machines System and network performance dropped
Estimates of the damage are between $100,000 and $97 million Morris was fined $10,000 and sentenced to 400 hours of
community service The CERT was formed to deal with similar
problems
Code Red
Code Red appeared in 2001 It infected a quarter of a million systems
in 9 hours It is estimated that it infected 1/8 of the
systems that were vulnerable It exploited a vulnerability by
creating a buffer overflow in a DLL in the Microsoft Internet Information Server software
It only worked on systems running an MS web server, but many machines did by default
Versions
The original version of Code Red defaced the website that was being run
Then, it tried to spread to other machines on days 1-19 of a month
Then, it did a distributed denial of service attack on whitehouse.gov on days 20-27
Later versions attacked random IP addresses
It also installed a trap door so that infected systems could be controlled from the outside
Targeted Malicious Code
Trapdoors
A trapdoor is a way to access functionality that is not documented
They are often inserted during development for testing purposes
Sometimes a trapdoor is because of error cases that are not correctly checked or handled
Causes of trapdoors
Intentionally created trapdoors can exist in production code when developers: Forget to remove them Intentionally leave them in for testing Intentionally leave them in for
maintenance Intentionally leave them in as a covert
means of access to the production system
Salami attacks
I have never heard this term before I read this book
This is the Office Space attack Steal tiny amounts of money when a cent is
rounded in financial transactions Or, steal a few cents from millions of
people Steal more if the account hasn’t been used
much The rewards can be huge, and these kinds
of attacks are hard to catch
The Sony XCP rootkit
A rootkit is malicious code that gives an attacker access to a system as root (a privileged user) and hides from detection
Sony put a program on music CDs called XCP (extended copy protection) which allowed users to listen to the CD on Windows but not rip its contents
It installed itself without the user’s knowledge It had to have control over Windows and be hard to
remove It would hide the presence of any program starting
with the name $sys$, but malicious users could take advantage of that
Privilege escalation
Most programs are supposed to execute with some kind of baseline privileges Not the high level privileges needed to change system
data Windows Vista, 7, and 8 ask you if you want to
have privileges escalated Some times you can be tricked Symantec needed high level privileges to run Live
Update Unfortunately, it ran some local programs with high
privileges If a malicious user had replaced those local programs
with his own, ouch
Keystroke logging
It’s possible to install software that logs all the keystrokes a user enters
If designed correctly, these values come from the keyboard drivers, so all data (including passwords) is visible
There are also hardware keystroke loggers Most are around $40 Is your keyboard free from a logger?
Quiz
Upcoming
Next time…
Controls against program threats OS security Omar Mustardo presents
Reminders
Read Sections 4.1 through 4.4Finish Project 1
Due tonight!
Top Related