Dan Boneh
The computer security problem
• Lots of buggy software
• Social engineering is very effective
• Money can be made from finding and exploiting vulns.
  1. Marketplace for vulnerabilities
  2. Marketplace for owned machines (PPI)
  3. Many methods to profit from owned machines
(current state of computer security)

Lots of vulnerability disclosures (2015)
[chart omitted] source: www.cvedetails.com/top-50-products.php?year=2015

Mobile malware (Nov. 2013 – Oct. 2014)
[chart omitted; x-axis: date]
The rise of mobile banking Trojans (Kaspersky Security Bulletin 2014)

Why own machines: 1. IP address and bandwidth stealing
Attacker's goal: look like a random Internet user
Use the IP address of infected machine or phone for:
• Spam (e.g. the storm botnet)
  Spamalytics: 1 in 12M pharma spams leads to a purchase
               1 in 260K greeting card spams leads to an infection
• Denial of Service: services: 1 hour ($20), 24 hours ($100)
• Click fraud (e.g. Clickbot.a)

Why own machines: 2. Steal user credentials and inject ads
keylog for banking passwords, web passwords, gaming pwds.
Example: SilentBanker (and many like it)
[diagram: Man-in-the-Browser (MITB)]
  1. User requests login page
  2. Bank sends login page
  3. Malware injects JavaScript ("needed to login")
  4. When user submits information, it is also sent to attacker
Similar mechanism used by Zeus botnet

Lots of financial malware
• size: 3.5KB
• spread via email attachments
• also found on home routers
Source: Kaspersky Security Bulletin 2015

Users attacked: stats
≈300,000 users worldwide. A worldwide problem.
Source: Kaspersky Security Bulletin 2015

Why own machines: 3. Ransomware
CryptoWall (2014-)
• targets Windows
• spread by spam emails
≈200,000 machines in 2015
A worldwide problem.

Why own machines: 4. Spread to isolated systems
Example: Stuxnet
  Windows infection ⇒
  Siemens PCS7 SCADA control software on Windows ⇒
  Siemens device controller on isolated network
More on this later in the course

Server-side attacks
• Financial data theft: often credit card numbers
  – Example: Target attack (2013), ≈140M CC numbers stolen
  – Many similar (smaller) attacks since 2000
• Political motivation:
  – Aurora, Tunisia Facebook (Feb. 2011), GitHub (Mar. 2015)
• Infect visiting users

Example: Mpack
• PHP-based tools installed on compromised websites
  – Embedded as an iframe on infected page
  – Infects browsers that visit site
• Features
  – management console provides stats on infection rates
  – Sold for several $100
  – Customer care can be purchased, one-year support contract
• Impact: 500,000 infected sites (compromised via SQL injection)
  – Several defenses: e.g. Google safe browsing

Insider attacks: example
Hidden trapdoor in Linux (Nov 2003)
  – Allows attacker to take over a computer
  – Practically undetectable change (uncovered via CVS logs)
Inserted line in wait4()
Looks like a standard error check, but…

  if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL;

See: http://lwn.net/Articles/57135/
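The following is an added example, not code from the slides or from the Linux kernel, that isolates why the single "=" in the wait4() line above is a trapdoor rather than an error check. `struct task`, the `WCLONE`/`WALL` bit values, `trapdoor_check` and `honest_check` are constructed stand-ins; the real `current` structure and `__WCLONE`/`__WALL` constants are not reproduced. The point it shows is that an assignment in a condition evaluates to the value assigned (0, i.e. false), so the branch never fires and the caller walks away with uid 0, and that declaring the pointer `const` turns the same one-character change into a compile error.

```c
#include <stdio.h>

/* Constructed stand-in for the kernel's task structure: only the field the
 * trapdoor touches. Not the real Linux definition. */
struct task {
    int uid;            /* 0 means root */
};

/* Illustrative option bits (hypothetical values). What matters is that this
 * combination is one normal callers never pass. */
#define WCLONE 0x80000000u
#define WALL   0x40000000u
#define EINVAL 22

/* The 2003 wait4() line as committed: "=" where "==" belongs.
 * (current->uid = 0) assigns 0 and evaluates to 0, so the "error check"
 * never fires: the function reports success and, as a side effect, the
 * caller's uid is now 0. The extra parentheses around the assignment also
 * silence gcc/clang -Wparentheses, which would otherwise flag it. */
static int trapdoor_check(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the line appears to do: reject that option combination for root and
 * leave uid untouched. With `current` declared const, writing "=" instead
 * of "==" here is a compile error, not a silent privilege change. */
static int honest_check(const struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (WCLONE | WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

int main(void)
{
    struct task a = { .uid = 1000 }, b = { .uid = 1000 };

    int r1 = trapdoor_check(&a, WCLONE | WALL);
    printf("trapdoor: retval=%d, uid after=%d\n", r1, a.uid);  /* retval=0, uid after=0 */

    int r2 = honest_check(&b, WCLONE | WALL);
    printf("honest:   retval=%d, uid after=%d\n", r2, b.uid);  /* retval=0, uid after=1000 */
    return 0;
}
```

Compiling `trapdoor_check` with `-Wall` produces no warning precisely because the assignment is wrapped in its own parentheses, which is the idiom that tells `-Wparentheses` the assignment is intentional; a reviewer reading the diff, a `const`-qualified pointer, or a static analysis rule that flags any assignment inside a condition regardless of parentheses are the checks that would have caught it.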
Many more examples
• Access to SIPRnet and a CD-RW: 260,000 cables ⇒ Wikileaks
• SysAdmin for city of SF government. Changed passwords, locking out city from router access
• Inside logic bomb took down 2000 UBS servers
⋮
Can security technology help?

How companies lose data
Source: California breach notification report, 2015
[chart omitted; categories: lost/stolen laptops, malware/phishing, insider attack, insider error]
How do we have this data?

Marketplace for Vulnerabilities
Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $20K
• Microsoft Bounty Program: up to $100K
• Mozilla Bug Bounty program: $7500
• Pwn2Own competition: $15K
Option 2:
• Zero day initiative (ZDI), iDefense: $2K – $25K

Marketplace for owned machines
Pay-per-install (PPI) services
PPI operation:
  1. Own victim's machine
  2. Download and install client's code
  3. Charge client
[diagram: clients (spambot, keylogger) → PPI service → victims]
Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

Marketplace for owned machines
Cost: US – $100-180 / 1000 machines
      Asia – $7-8 / 1000 machines

This course
Goals:
• Be aware of exploit techniques
• Learn to defend and avoid common exploits
• Learn to architect secure systems

This course
Part 1: basics (architecting for security)
• Securing apps, OS, and legacy code
• Isolation, authentication, and access control
Part 2: Web security (defending against a web attacker)
• Building robust web sites, understand the browser security model
Part 3: network security (defending against a network attacker)
• Monitoring and architecting secure networks.
Part 4: securing mobile applications