CS-630: Cyber and Network Security

Lecture # 1: Security Goals, History of

Attack and Underground Economy
Prof. Dr. Sufian Hameed
Department of Computer Science
FAST-NUCES

FAST-NUCES
What is This Class About ?

Learn About Security

Make a Difference

FAST-NUCES
How Can You Make a Difference?

 Be a more security-- aware user

 Make better security decisions
 Be a more security– aware developer
 Design & build more secure systems
 Be a security practitioner & researcher
 Identify security issues
 Propose new security solutions

FAST-NUCES
 Computer Security Today

FAST-NUCES
Why Computer Security ?

Computer systems are ubiquitous in our daily life

 Computers store and process our data and
information
 Computers access and control our resources

Valuable Data Private Data Dangerous Data

FAST-NUCES
The Sony Breach

 An Example: The Playstation Network (PSN)

Attack
 Illegal intrusion into network around April 2011
 Severe consequences for users and companies
 Financial damage of over 24 billion dollars

FAST-NUCES
Top Data Breaches

FAST-NUCES
Further Example
 Stuxnet Worm
 Computer worm detected in January 2010
 Initially spread via MS Windows and
targets Siemens industrial software and
equipment (SCADA)
 Spies on and disrupts industrial systems
 Possible sabotage against uranium
enrichment infrastructure in Iran
 Rustock Botnet
 Network of 1.7 million infected systems (zombies)
 Capability of sending 22 million spam messages per day
 Active from around 2007 to March 2011
 Taken down by Microsoft, U.S. Fed Agents and University of Washington
 On July 18, 2011, Microsoft put a bounty of US$ 250 K on the individual
behind Rustock botnet.
FAST-NUCES
… more trouble ahead

 Cyberspace — a dangerous place

 Omnipresence of computer attacks, viruses and worms
 Persistent underground economy (worth billions of
dollars)
 Soon cyber-terrorism and cyber-warfare?

FAST-NUCES
Who is who ?

Informal terminology of attackers

Various other types of attackers, e.g. crime, military, agencies, ...

FAST-NUCES
Security is fun too!

 Security is different from other disciplines

 Established concepts are put into questions
 Intersection with many areas of computer science
 Often, it’s a game of good and evil players
 Practice and theory of security are often fun
 Monitoring, detection and analysis of real attacks
 Reasoning about limits of attacks and defenses

FAST-NUCES
 Security Goals and Mechanisms

FAST-NUCES
A Formal View

FAST-NUCES
Security Goals

 Security goals (memory hook: “CIA”)

 Confidentiality of information and resources
 Integrity of information and resources
 Availability of information and resources
 Basic definitions
 Threat = potential violation of a protective goal
 Security = protection from intentional threats
 Safety = protection from accidental threats

FAST-NUCES
Confidentiality

Confidentiality
Protection of resources from unauthorized disclosure
Check: Who is authorized to access which resources?
 Security measures
 Encryption of data, resource hiding
 Examples
 An attacker eavesdrop a telephone conversation
 An attacker reads the emails on your computer

FAST-NUCES
Integrity

Integrity
Protection of resources from unauthorized
manipulation
Check: Who has does what on which resources?
 Security measures
 Authorization, checksums, digital fingerprints
 Examples
 An attacker changes the receipt of a bank transaction
 An attacker tampers with files on your computer

FAST-NUCES
Availability

Availability
Protection of resources from unauthorized disruption
Check: When and how are which resources used?
 Security Measures
 Restriction, redundancy, load balancing
 Examples
 An attacker crashes the web server of a company
 An attacker formats the hard disk of your computer

FAST-NUCES
Threats & Attacks

 Basic classes of threats

 Disclosure = unauthorized access to information
 Deception = acceptance of false data (e.g. masquerading)
 Disruption = interruption or prevention of correct
operation
 Usurpation = unauthorized control of resources
 Attack = attempt to violate a security goal (intentional
threat)
 Often combinations of different threat classes

FAST-NUCES
Examples of Attacks

 Snooping = passive eavesdropping of information

→ disclosure
✸ network sniffing, keyboard logging
 Manipulation = active modification of information
→ deception, disruption and usurpation
✸ redirection of control flow, man-in-the-middle attacks
 Spoofing = impersonation of one entity by another
→ deception and usurpation
✸ address spoofing, phishing attacks

FAST-NUCES
Security Mechanisms

 Security policies and mechanisms

 Policy = statement of what is and what is not allowed
 Mechanism = method or tool enforcing a security policy
 Strategies for security mechanisms
 Prevention of attacks
 Detection of attacks
 Recovery from attacks
 Bruce Schneier: Security is a process, not a product!

FAST-NUCES
Prevention
 Prevention of attacks
 Prevention of attacks prior to violation of security goals
 Examples
 Data reduction and separation
Removal or separation of information and resources
 Authentication and encryption
Restriction of access to information and resources
 Limitations
 Inapplicable in many settings, e.g. open services

FAST-NUCES
Detection

 Detection of attacks
 Detection of attacks during violation of security goals
 Examples
 Anti-virus scanners
Detection of malicious code on computers
 Network intrusion detection
Detection of attacks in computer networks
 Limitations
 Ineffective against unknown and “invisible” attacks

FAST-NUCES
Recovery

 Recovery
 Recovery from attacks after violation of security goals
 Examples
 Computer forensics
Investigation and analysis of security incidents
 Malware analysis
Observation and analysis of malicious software
 Limitations
 Severe damage might have already occurred

FAST-NUCES
Further Concepts

 Authenticity = truthfulness of information and

resources
 May be viewed as an aspect of integrity
 Accountability = linking of actions and users
 Realization of non-repudiation in computer systems
 Privacy = Security and control of personal information
 Property of individuals and not of data

FAST-NUCES
 History of Attacks

FAST-NUCES
Brain: Where it all started …..
 Brain released in January 1986, is considered to be the
first computer virus for MS-DOS.
 Infects the boot sector of storage media formatted with
the DOS File Allocation Table (FAT) file system.
 Written by two brothers, Basit Farooq Alvi and Amjad
Farooq Alvi from lahore.

FAST-NUCES
Morris
 The Morris worm (November
2, 1988) was one of the
first computer
worms distributed via
the Internet.
 It was written by a student at
Cornell University, Robert
Tappan Morris.
 The small program disables
roughly 6,000 computers (10%
of the internet) by flooding
their memory banks with
copies of itself.
 He is fined $10,000 and
sentenced to three years'
probation.

FAST-NUCES
Melissa
 Melissa virus, created by David L Smith, was reported
in 1999
 Exploited MS-Word, Outlook
 The virus was attached along with emails which had a
message: “Here is that document you asked for, don’t
show it to anybody else”
 On activation, it sends the same to the top 50 people in
the contacts list
 Caused a heavy damage due to heavy traffic and it lead
to the shutting down of email gateways of companies
like Intel Corp., Alcatel Lucent, Microsoft .etc

FAST-NUCES
ILoveLetter worm
 The "I Love You" virus (5 may 2000) infects millions of
Windows PC overnight
 Started spreading as an email message with the subject line
"ILOVEYOU" and the attachment "LOVE-LETTER-FOR-
YOU.txt.vbs“
 Opening the attachment activated the Visual Basic script
 The worm did damage on the local machine, overwriting image
files, and sent a copy of itself to the first 50 addresses in
the Windows Address Book used by Microsoft Outlook.
 Also sends passwords and usernames stored on infected
computers back to the virus's author.
 Authorities trace the virus to a young Filipino computer student,
but he goes free because the Philippines has no laws against
hacking and spreading computer viruses.

FAST-NUCES
CodeRed

 The Code Red worm, released on 13th July, 2001,

attacked Microsoft’s IIS web servers
 Sneaked through the server via a patch in the indexing
software with IIS
 Used the buffer overflow technique (a long string of
repeated character ‘N’ was used to overflow a buffer)
 A fix was found in a month’s time which limited the
damage to $2.5 billion.
The affected sites were defaced with the message
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

FAST-NUCES
Nimda

 Nimda was a file infector worm released on September

18, 2001,
 Spread through out the world in 22 minutes
 It used different methods for propagation i.e. emails,
open network shares, backdoor left by other viruses
 Nimda spelled backwards is “Admin”
 Damage caused by Nimda : $ 635 million!

FAST-NUCES
SQL Slammer aka Sapphire worm

 SQL Slammer or the worm that ate the internet (January

25, 2003) caused a denial of service on some Internet hosts
and dramatically slowed down general Internet traffic
 Exploits the vulnerability in the Microsoft SQL servers and
uses the buffer overflow bug to slow down the servers
 Slows down the entire Internet.
 Infects hundreds of thousands of computers in less than
three hours
 The fastest-spreading worm ever knocking cash machines
offline and delaying airline flights

FAST-NUCES
SQL Slammer

FAST-NUCES
 Current Trends

FAST-NUCES
Historical hackers (prior to 2000)

 Profile:
 Male
 Between 14 and 34 years of age
 Computer addicted
 No social life

No Commercial Interest !!!

FAST-NUCES Source: Raimund Genes
Historical Hackers
 1990s:
 Phone phreaking, Free calls
 Early 2000s:
 Email worms
 CodeRed, Nimda

FAST-NUCES
Financially Motivated
 Shift in late 2000s
 Spam
 Pharmaceuticals
 Fake products
 Carding/Fraud
 Identify theft, credit fraud

FAST-NUCES
Politically Motivated
 Stuxnet

FAST-NUCES
Politically Motivated

FAST-NUCES
Typical Botherder: 0x80" (pronounced X-eighty)
High school dropout
 “…most of these people infect are so stupid they really ain't got no business being on
the Internet in the first place.“
Working hours: approx. 2 minutes/day to manage Botnet
Monthly earnings: $6,800 on average
Daily Activities:
 Chatting with people while his bots make him money
 Recently paid $800 for an hour alone in a VIP room ….
Job Description:
 Controls 13,000+ computers in more than 20 countries
 Infected Bot PCs download Adware then search for new victim PCs
 Adware displays ads and mines data on victim's online browsing habits.
 Bots collect password, e-mail address, SS#, credit and banking data

Washington Post: Invasion of the Computer Snatchers

FAST-NUCES
Some things in the news

 Nigerian letter (419 Scams) still works:

 Michigan Treasurer Sends 1.2MUSD of State Funds !!!
 Many zero-day attacks
 Google, Excel, Word, Powerpoint, Office …
 Criminal access to important devices
 Numerous lost, stolen laptops, storage media, containing
customer information
 Second-hand computers (hard drives) pose risk
 Vint Cerf estimates ¼ of PCs on Internet are bots

FAST-NUCES
 Texas CISO, Feb 2010
Trends from 2010
 Malware, worms, and Trojan horses
 spread by email, instant messaging, malicious or infected websites
 Botnets and zombies
 improving their encryption capabilities, more difficult to detect
 Scareware – fake/rogue security software
 Attacks on client-side software
 browsers, media players, PDF readers, etc.
 Ransom attacks
 malware encrypts hard drives, or DDOS attack
 Social network attacks
 Users’ trust in online friends makes these networks a prime target.
 Cloud Computing - growing use will make this a prime target for attack.
 Web Applications - developed with inadequate security controls
 Budget cuts - problem for security personnel and a boon to cyber criminals.

FAST-NUCES
Same list in Oklahoma Monthly Security Tips Newsletter
 Monetization of Exploits

FAST-NUCES
Marketplace for Vulnerabilities
Option 1: Bug Bounty Programs
 Google vulnerability reward program: 3K $
 Mozilla big bounty program: 500 $
 Pwn2Own competition: 15K $

Option 2:
 ZDI, iDefense purchases: 2K-10K $
 Zero Day Initiative | 3Com | TippingPoint, a division of
3Com, http://www.zerodayinitiative.com/
 Vulnerability Contributor Program // iDefense Labs,
http://labs.idefense.com/vcp/

FAST-NUCES
Marketplace for Vulnerabilities
 Option 3: Black Market

Source: Charlie Miller (http://securityevaluators.com/files/papers/0daymarket.pdf). This is a

very good read, also discussed the challenges involving legitimate buyers.

FAST-NUCES
 Underground Economy
• Spam service
• Rent-a-bot
• Cash-out

FAST-NUCES
Marketplace for Pay-Per-Install (PPI)

FAST-NUCES
Credit: Zulfikar Ramzan
FAST-NUCES
FAST-NUCES
FAST-NUCES
FAST-NUCES
Recommended reading

 The Underground Economy of the Pay-Per-Install

(PPI) Business by Kevin Stevens
 Measuring Pay-per-Install: The Commoditization of
Malware Distribution by Juan Caballero (Usenix Sec
2011)

FAST-NUCES
Why are there security vulnerabilities?
 Lots of buggy software...
 Why do programmers write insecure code?
 Awareness is the main issue

 Some contributing factors

 Few courses in computer security
 Programming text books do not emphasize security
 Few security audits
 C is an unsafe language
 Programmers have many other things to worry about
 Legacy software (some solutions, e.g. Sandboxing)
 Consumers do not care about security
 Security is expensive and takes time

FAST-NUCES
 If you remember only one thing from this course:

A vulnerability that is “too complicated for anyone to

ever find” will be found !

I hope you remember more than one thing

FAST-NUCES
 Summary

FAST-NUCES
Summary

 Threat landscape is highly dynamic as it is driven by

economic motivation, and especially organized crime
 No “final state of security”
 Prevention not always possible; intelligent response
mechanisms are strongly needed.

FAST-NUCES
Acknowledgements

Material in this lecture are taken from the slides prepared

by:
 Prof. Dr. Konrad Rieck (Uni-Göttingen)

FAST-NUCES