CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview


Page 1: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

CSCD 434/539

Lecture 2 Spring 2014

Computer Security Overview

Page 2: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Overview
• History of Computer Security
• Definitions
  – Confidentiality, Integrity, Availability
  – Examples
• Threats to Computer Systems
  – How bad is it?
• Vulnerabilities
  – Defined, Statistics
• Examples

Page 3: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Page 4: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Source: Computer Security (Gollmann), Chapter 1, History of Computer Security:
http://di.ionio.gr/~emagos/security/0/Gollmann%27s%20Chapter%201-%20History%20of%20Computer%20Security.pdf

Computer security can trace its origins back to the 1960s: multi-user systems emerged, needing mechanisms for protecting the system from its users, and the users from each other.

We observe that computer security has passed through the following epochs:
• 1970s: age of the Mainframe
• 1980s: age of the PC
• 1990s: age of the Internet
• 2000s: age of the Web

Page 5: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Age of the Mainframes
• Mainframes were deployed in government departments and in large commercial organizations
• Two applications from public administration are of particular significance
• The defense sector saw potential benefits of using computers, yet classified information would have to be processed securely
• Developed a formal state-machine model for multi-level security policies regulating access to classified data; the Bell–LaPadula model was highly influential on computer security research into the 1980s … more later
• The Multics project developed an operating system that had security as one of its main design objectives

Page 6: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Time out for a Quiz

What popular operating system was developed based on the Multics operating system?

Unix !!!!

Page 7: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Mainframes continued
• Multi-level Security (MLS) dominated security research into the following decade, leading to the development of high-assurance systems whose design had been verified employing formal methods
• However, these high-assurance systems did not solve the problems of the following epochs

Page 8: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

• Military dominated computer security
• Obsessed with (MLS) confidentiality
• Wanted to prove formally that secrets could remain secret in the presence of unclassified people in a multi-user environment
• Concerned with detecting covert channels where spies or insiders would signal each other
– Great collection of early security papers: http://seclab.cs.ucdavis.edu/projects/history/

Page 9: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Multi-level Security in a Nutshell: Bell-LaPadula Model

• There are security classifications or security levels
– Users/principals/subjects have security clearances
– Objects have security classifications
• Example: Top Secret, Secret, Confidential, Unclassified
• Top Secret > Secret > Confidential > Unclassified
• Security goal (confidentiality): ensures that information does not flow to those not cleared for that level
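The slide states the ordering of levels and the confidentiality goal; the following is an added example (not from the lecture or from Gollmann's text) that turns the Bell-LaPadula rules into a small reference monitor over that four-level ordering. The subject clearances, object classifications and file names are constructed sample data, and `copy_permitted` is this example's own helper for showing why the model needs the *-property ("no write down") in addition to "no read up":

```python
# Added example, not from the lecture slides: a minimal Bell-LaPadula
# reference monitor over the four-level ordering the slide lists.
# Subject clearances and object classifications are constructed sample data.
from enum import IntEnum


class Level(IntEnum):
    """Ordered security levels: Top Secret > Secret > Confidential > Unclassified."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed sample subjects (clearances) and objects (classifications).
CLEARANCES = {
    "clerk": Level.UNCLASSIFIED,
    "analyst": Level.SECRET,
    "director": Level.TOP_SECRET,
}
CLASSIFICATIONS = {
    "memo.txt": Level.UNCLASSIFIED,
    "budget.xls": Level.CONFIDENTIAL,
    "plans.doc": Level.TOP_SECRET,
}


def can_read(subject, obj):
    """Simple security property ("no read up"): reading is allowed only when
    the subject's clearance dominates the object's classification."""
    return CLEARANCES[subject] >= CLASSIFICATIONS[obj]


def can_write(subject, obj):
    """*-property ("no write down"): writing is allowed only when the object's
    classification dominates the subject's clearance, so information the
    subject may have read at a high level cannot be copied to a lower one."""
    return CLASSIFICATIONS[obj] >= CLEARANCES[subject]


def allowed(subject, obj, mode):
    """Decision for one access request; unknown modes are rejected."""
    if mode == "read":
        return can_read(subject, obj)
    if mode == "write":
        return can_write(subject, obj)
    raise ValueError("unknown access mode: %r" % mode)


def copy_permitted(subject, src, dst, enforce_star=True):
    """Could `subject` move the contents of `src` into `dst`?  With only the
    no-read-up rule a Top Secret director could copy plans.doc into the
    Unclassified memo.txt; the *-property is what closes that flow."""
    if not can_read(subject, src):
        return False
    return can_write(subject, dst) if enforce_star else True


if __name__ == "__main__":
    for s, o, m in [("analyst", "budget.xls", "read"), ("analyst", "plans.doc", "read"),
                    ("clerk", "plans.doc", "write"), ("director", "memo.txt", "write")]:
        print("%-8s %-5s %-10s -> %s" % (s, m, o, "allow" if allowed(s, o, m) else "deny"))
    print("leak without *-property:", copy_permitted("director", "plans.doc", "memo.txt", enforce_star=False))
    print("leak with *-property:   ", copy_permitted("director", "plans.doc", "memo.txt"))
```

Note that a clerk may write into plans.doc (write up is allowed; the model protects confidentiality, not integrity), which is exactly the limitation the later CIA slides pick up on.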

Page 10: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Age of the PC
• The PC was a single-user machine; its first successful applications were word processors and spreadsheet programs, and users no longer were concerned with classified data
• At a stroke, multi-level security and multi-user security became irrelevant
• The 1980s also saw the first worms and viruses; they were proposed in research papers before they later appeared in the wild

Page 11: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Second Quiz …

Who was the first to use the term “computer worm” in print?

John Brunner's 1975 novel, The Shockwave Rider

Page 12: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Age of the Internet
• The World Wide Web (1991) and graphical web browsers (1993) created a whole new paradigm
• Both developments facilitated a whole new range of applications
• The typical end system was a PC, no longer stand-alone or connected to a LAN, but connected to the Internet
• Connecting a machine to the Internet has two major ramifications: the system owner no longer controls who can send inputs to this machine, and the system owner no longer controls what input is sent to the machine

Page 13: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Age of the Internet
• Thus, malformed packets could be sent to private computers attached to the Internet and result in exploiting vulnerabilities in software
• On-line denial-of-service attacks became a possibility and, towards the end of the 1990s, a fact
• This became greatly expanded into the 2000s with the World Wide Web ...

Page 14: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

Age of the World Wide Web
• Application-level software implementing Web services has become a main target for attacks
• Major attack patterns are SQL injection, cross-site scripting, and attacks against the domain name system
• Application software accounts for an increasing number of reported vulnerabilities and real attacks
• Attacks have stolen contact data from Gmail users; a worm spread to over a million users on MySpace

Page 15: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

History of Computer Security

World Wide Web: the picture of the attacker has changed
• Hackers of the 1990s often matched the stereotype of a male in his teens or twenties with limited social skills
• In rare cases, attacks were made for financial gain
• Today, criminal organizations have moved to the web
• Criminals have no interest in high-profile, fast-spreading worm attacks … for fun !!!
• They place trojans on their victims’ machines to harvest sensitive data, passwords, PINs, or credit cards, or to use the victims’ machines as part of a botnet

Page 16: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Modern State of Computer Security

Page 17: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Modern State of Computer Security

1. Computers are Connected and Interdependent
• This codependency magnifies the effects of any failures
• Slammer worm, 2003: infected 75,000 computers in 11 minutes; continued to scan 55 million computers/sec
• Blaster worm, 2003: infected 138,000 in the first 4 hours; over 1.4 million computers worldwide
• Many others .... http://hardgeek.org/2009/09/10-worst-computer-virus-attacks-in-history/

Page 18: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Modern State of Computer Security

2. Computing today is very Homogeneous
– A single architecture and a handful of OS's dominate
• Linux, Mac OS and Windows
• In biology, homogeneous populations ... terrible idea
– A single disease or virus can wipe them out because they all share the same weakness
– The disease needs one infection method!!
• Computers are the animals ... think cows
• The Internet provides the infection vector ... a virus that sickens cows ... Mad Cow disease

Page 19: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Modern State of Computer Security

3. Adversaries are at all levels and Global
– Range from script kiddies to serious groups such as those that steal defense secrets or conduct industrial espionage
– Global reach, with many in countries where we can't extradite them
• China, Eastern Europe, Russia and S. America

Hacker Timeline: http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history

Page 20: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Computer Security Definitions

Page 21: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Security Defined

• A system is secure if …
– It has these properties:
• Confidentiality
• Integrity
• Availability

C.I.A.

Page 22: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Confidentiality Defined

• Confidentiality
– What does it mean for data to be confidential?
– Data must only be accessed, used, copied, or disclosed by persons who have been authorized to access, use, copy, or disclose that information …
– You ensure information is not accessed by unauthorized users

Page 23: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Confidentiality Example

• Communication between two people should not be compromised

[Figure: two parties exchange the message “We have made an important discovery …” across a network. Threats: eavesdropping, packet sniffing, illegal copying]

Page 24: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Definitions: More on Confidentiality

• How do you prevent confidentiality loss?
• Confidentiality is preventing disclosure of information to unauthorized individuals or systems
• Example: a credit card transaction on the Internet
• The system enforces confidentiality by encrypting the card number during transmission or limiting the places where it might appear
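The second control the slide names, limiting the places where the card number might appear, is usually enforced at the logging layer. The following is an added example (not from the lecture) of a log filter that redacts candidate primary account numbers before a line is written, using a Luhn check so that other long numbers such as order ids are left alone. The log lines are constructed, and the card numbers are the standard-format test numbers rather than real cards:

```python
# Added example, not from the lecture slides: enforce "limit the places where
# the card number might appear" by redacting primary account numbers (PANs)
# from log lines before they are written.  The log lines and card numbers
# below are constructed test data (standard-format test numbers).
import re

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, so plain numbers of similar length (order ids,
    timestamps) are left alone rather than redacted by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the usual form allowed on receipts."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pans(line):
    """Replace each Luhn-valid candidate in a log line with its masked form."""
    def _replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_ok(digits) else raw
    return PAN_RE.sub(_replace, line)


def redact_log(lines):
    """Apply the filter to a whole log, returning the cleaned lines."""
    return [redact_pans(line) for line in lines]


# Constructed sample log lines.
SAMPLE_LOG = [
    "2014-04-01T10:15:02 checkout ok card=4111111111111111 order=20140115123456",
    "2014-04-01T10:15:09 retry card=5500-0000-0000-0004 amount=19.99",
    "2014-04-01T10:16:00 session 8f3a cart=3 items",
]

if __name__ == "__main__":
    for cleaned in redact_log(SAMPLE_LOG):
        print(cleaned)
```

Redaction at the log sink is a mitigation, not a substitute for never putting the number on the line in the first place; the filter exists for the code paths that get it wrong.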

Page 25: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Integrity Defined

• Integrity
– What is data integrity?
– Data must not be
• Created,
• Changed, or
• Deleted without authorization
– Ensuring that information is not altered by unauthorized persons

Page 26: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Integrity Defined
• Messages should be received as originally intended

[Figure: the sender transmits “I love you darling!!” across a network; the attacker intercepts, tampers and re-releases it, so the receiver gets “I don’t want to see you again”. Threats: intercept messages, tamper, release again]

Page 27: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Definitions: More on Integrity

– Integrity means that data cannot be modified without authorization
– Examples of violation; integrity is violated:
• When an employee (accidentally or with malicious intent) deletes important data files
• When a computer virus infects a computer
• When an employee is able to modify his own salary in a payroll database
• When an unauthorized user vandalizes a web site
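The intercept-tamper-release picture on the previous slide is what a message authentication code is designed to catch. The following is an added example (not from the lecture) using HMAC-SHA256 from the Python standard library: the receiver recomputes the tag under the shared key and refuses a message whose tag does not match. The key and the two messages are constructed, and `intercept_and_tamper` is this example's stand-in for the attacker in the figure:

```python
# Added example, not from the lecture slides: a keyed message authentication
# code (HMAC-SHA256) that lets the receiver detect the intercept-tamper-release
# attack in the slide's picture.  The shared key and messages are constructed.
import hashlib
import hmac

# Constructed demo key; in practice it is agreed out of band and kept secret
# from the network attacker, which is what makes the tag unforgeable.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(message, key=SHARED_KEY):
    """Tag = HMAC-SHA256(key, message); anyone without the key cannot
    produce a valid tag for a modified message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(text, key=SHARED_KEY):
    """Sender side: ship the message together with its tag."""
    message = text.encode("utf-8")
    return message, make_tag(message, key)


def verify(message, received_tag, key=SHARED_KEY):
    """Receiver side: recompute and compare in constant time (compare_digest
    avoids leaking how many leading bytes matched)."""
    return hmac.compare_digest(make_tag(message, key), received_tag)


def deliver(message, received_tag, key=SHARED_KEY):
    """Accept only messages whose tag checks out; otherwise refuse rather
    than act on altered content."""
    if not verify(message, received_tag, key):
        raise ValueError("integrity check failed: message altered in transit")
    return message.decode("utf-8")


def intercept_and_tamper(message, tag, new_text):
    """What the attacker in the picture does: swap the text and re-send it
    with the old tag, the only tag available without the key."""
    return new_text.encode("utf-8"), tag


if __name__ == "__main__":
    msg, tag = send("I love you darling!!")
    print("intact:   ", deliver(msg, tag))
    forged_msg, forged_tag = intercept_and_tamper(msg, tag, "I don't want to see you again")
    try:
        deliver(forged_msg, forged_tag)
    except ValueError as err:
        print("tampered: ", err)
```

A MAC protects integrity and origin but not confidentiality (the text still travels in the clear) and not against replay of an old, correctly tagged message; those need encryption and a sequence number or timestamp inside the tagged data.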

Page 28: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Availability Defined

• Availability
– Systems function correctly, and information is provided when it is needed
– The opposite of availability is denial of service (DoS)

Page 29: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Availability Example
• Disrupting communications completely

[Figure: two parties separated by a network whose servers are overwhelmed or crashed. Threats: overwhelm or crash servers, disrupt infrastructure]

Page 30: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Definitions

More on Availability
– Information must be available when it is needed
– The goal of high-availability systems is to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades
– Example of violation?
– Ensuring availability also involves preventing denial-of-service (DoS) attacks
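One of the standard controls behind "preventing DoS attacks" is admission control in front of the service, so that a single source cannot consume all of the capacity. The following is an added example (not from the lecture) of a per-client token-bucket limiter with a small deterministic simulation; the client names, request timestamps and bucket parameters are constructed, and the clock is passed in explicitly rather than read from `time.time()` so that the run is reproducible:

```python
# Added example, not from the lecture slides: a per-client token-bucket
# limiter, one of the standard controls placed in front of a service so
# that a single source cannot exhaust capacity for everyone.  Client
# names and request timestamps are constructed; the clock is passed in
# explicitly to keep the run deterministic.
from collections import defaultdict


class TokenBucket:
    """`capacity` requests may burst at once; afterwards requests are
    admitted at `refill_per_sec` on average."""

    def __init__(self, capacity, refill_per_sec, now):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        elapsed = max(0.0, now - self.last)     # tolerate a clock that steps backwards
        self.last = now
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """Independent bucket per client, so a flooding client drains only its own."""

    def __init__(self, capacity=5, refill_per_sec=1.0):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}

    def allow(self, client, now):
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.allow(now)


def simulate(requests, capacity=5, refill_per_sec=1.0):
    """Run (timestamp, client) pairs through the limiter and return, per
    client, how many requests were served and how many were dropped."""
    limiter = PerClientLimiter(capacity, refill_per_sec)
    served = defaultdict(int)
    dropped = defaultdict(int)
    for now, client in sorted(requests):
        if limiter.allow(client, now):
            served[client] += 1
        else:
            dropped[client] += 1
    return {c: (served[c], dropped[c]) for c in set(served) | set(dropped)}


# Constructed traffic: one client fires 20 requests in 20 ms, another sends
# three requests a second apart.
FLOOD = [(i * 0.001, "flood") for i in range(20)]
NORMAL = [(0.0, "normal"), (1.0, "normal"), (2.0, "normal")]

if __name__ == "__main__":
    for client, (ok, drop) in sorted(simulate(FLOOD + NORMAL).items()):
        print("%-7s served=%2d dropped=%2d" % (client, ok, drop))
```

Keying the bucket on the client identity is what keeps the flooding client from affecting the normal one; a distributed attack from many sources defeats this single control, which is why it is paired with upstream filtering and capacity planning rather than used alone.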

Page 31: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

CIA

• While a good way to measure system security
– DOD environment
• Not sufficient for modern computers
– Today, computers are complex
– Many more layers of applications and uses
– More difficult to both define and measure security

Page 32: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Simple View Computer Security

• You have something you want to protect
• You have someone or something you want to protect it from
• You are willing to expend effort and resources in order to protect it

Page 33: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Question

• Is Computer Security a Process or a State?

Page 34: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Security Defined

• It is a process, not a state
– There is no fundamental point at which a system is secure
• Have risk
• Do assessment
• Manage risk
• Mitigate what can't be managed
• Need to identify what’s “good enough”
• Security is a tradeoff; you can't protect everything

Page 35: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Examples

Page 36: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

ATM Machine Example

• ATM Machine
– User asks for cash, machine spits it out
– Door opens, user takes cash, door closes
– What happens if the user doesn’t take the cash?

Page 37: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

ATM Machine Example

• Assumption: if this happens, a subsequent user shouldn’t get cash that doesn’t belong to him
– For all following transactions, the machine refuses to open the door
– Cash could go to the wrong user
– This creates a DoS for the rest of the users

Page 38: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Security Protocols Difficult

• Hard to get security protocols right
• Designers don’t anticipate everything that could go wrong
– Users or attackers frequently seem to find the flaw
• Even something seemingly simple can have flaws

Page 39: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

US Tax System Example

• Tax refunds, how hard is that?
– Algorithm for processing a form
• Verify the identity of the person who filled out the form
• Verify income and withholding are correct
• If these two steps are OK && amount of withholding > tax owed
• then send the person a refund check
• What could go wrong?

Page 40: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

US Tax System Example

• Except, there is no rule against duplicate checks
– A person could file for multiple refund checks under this system
– And, that happened for a while
– It was eventually caught …
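The following is an added example (not from the lecture) that writes the refund algorithm from the previous slide exactly as stated, beside a version that keeps a record of refunds already issued per taxpayer and tax year. The tax returns are constructed sample data, and the identity and income checks are modelled as flags already produced by the two verification steps, since the slide does not say how those steps are carried out:

```python
# Added example, not from the lecture slides: the slide's refund algorithm
# written as stated, beside a version that remembers which (taxpayer, year)
# refunds have already been issued.  The returns below are constructed
# sample data; the identity and income checks are modelled as flags already
# computed by the two verification steps.
from collections import namedtuple

TaxReturn = namedtuple("TaxReturn", "taxpayer_id tax_year identity_ok income_ok withholding tax_owed")


def refund_due(ret):
    """Steps 1-3 of the slide: both checks pass and withholding exceeds tax owed."""
    if ret.identity_ok and ret.income_ok and ret.withholding > ret.tax_owed:
        return round(ret.withholding - ret.tax_owed, 2)
    return 0.0


class NaiveRefundSystem:
    """The algorithm as written: nothing stops the same return being paid twice."""

    def __init__(self):
        self.checks_sent = []

    def process(self, ret):
        amount = refund_due(ret)
        if amount > 0:
            self.checks_sent.append((ret.taxpayer_id, ret.tax_year, amount))
            return "refund", amount
        return "no_refund", 0.0


class DedupRefundSystem(NaiveRefundSystem):
    """Same algorithm plus a record of refunds already issued; a second filing
    for the same taxpayer and year is held for review instead of being paid."""

    def __init__(self):
        super().__init__()
        self.paid = set()

    def process(self, ret):
        key = (ret.taxpayer_id, ret.tax_year)
        if key in self.paid:
            return "duplicate_held", 0.0
        status, amount = super().process(ret)
        if status == "refund":
            self.paid.add(key)
        return status, amount


def total_paid(system, filings):
    """Feed every filing through `system` and return the sum of checks sent."""
    for ret in filings:
        system.process(ret)
    return round(sum(amount for _, _, amount in system.checks_sent), 2)


# Constructed sample: one legitimate return filed three times.
FILINGS = [TaxReturn("123-45-6789", 2013, True, True, 5200.0, 4100.0)] * 3

if __name__ == "__main__":
    print("naive system paid out: ", total_paid(NaiveRefundSystem(), FILINGS))
    print("dedup system paid out: ", total_paid(DedupRefundSystem(), FILINGS))
```

Each per-form check passes on every filing, so the flaw is invisible to the form-level algorithm; it only shows up as a property across the whole set of filings, which is the point the slide makes about designers not anticipating everything.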

Page 41: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Computer Security Threats

Page 42: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Threats to Computer Security
• So, what are the threats?
• Passive
– Sniffing of data
• Viewing of information – physical
• Over your shoulder, taking pictures of screens
– Dumpster diving
– Social engineering
• Active
– Interception of data, injection of data
– Virus, worm, trojan horse program
– DoS or DDoS

Page 43: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Is Security that Bad?


Page 44: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Is Security that Bad?

Page 45: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

How big is the security problem?

[Chart: CERT vulnerabilities reported per year, 1995–2005; y-axis 0–9000. Source: http://www.cert.org/stats/]

Page 46: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Malware Over Time
• The fact that the number of new malicious programs has remained stable does not automatically imply any stabilization in the number of attacks

http://www.securelist.com/en/analysis/204792161/Kaspersky_Security_Bulletin_Malware_Evolution_2010

Page 47: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Malware 2010
• Data from Kaspersky Labs
• In 2010, the total number of recorded incidents exceeded 1.5 billion for the first time since we began our observations!
• Attacks via browsers accounted for over 30% of these incidents, that’s over 500 million blocked attacks
• Vulnerabilities have really come to the fore in 2010
• Exploiting vulnerabilities has become the prime method for penetrating users’ computers
– Vulnerabilities in Microsoft products are rapidly losing ground to those in Adobe and Apple products such as Safari, QuickTime and iTunes

Page 48: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Malware 2010
• More statistics: increase in the number of attacks via P2P networks
• P2P networks are now a major channel through which malware penetrates users’ computers
• In terms of security incident rates, we estimate this infection vector to be second only to browser attacks
• Practically all types of threats, including file viruses, rogue AVs, backdoors and various worms, spread via P2P networks

Page 49: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Malware Complexity 2010

• Stuxnet worm
– Experts needed 3 months to understand its functionality
– Stuxnet left all previously known malware behind in terms of the number of publications it generated
– Malware author success = major security community attention

Page 50: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Malware in 2010

• Used to be ...
– Users who had jailbroken their iPhones to install third-party applications increased the risk to themselves
– Now ... even those installing native applications downloaded from the Apple Store are also exposing themselves to a degree of threat
– Several incidents involved legitimate Apple applications
• iPhone apps were detected covertly gathering data and sending it to software manufacturers

Page 51: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

DDoS Attack Example

• July 21, 2008: the Web site for the president of Georgia was knocked offline by a distributed denial-of-service (DDoS) attack
• Georgia's presidential Web site was down for a day, starting early Saturday until Sunday
• Network experts said the attack was executed by a botnet

What's a botnet?

Page 52: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Botnet Defined

• A botnet is a large number of compromised computers that are used to generate spam, relay viruses or flood a network or Web server with excessive requests to cause it to fail

• The computer is compromised via a Trojan that often works by opening an Internet Relay Chat (IRC) channel that waits for commands from the person in control of the botnet

• There is a thriving botnet business selling lists of compromised computers to hackers and spammers

Source: http://www.pcmag.com/encyclopedia_term/0,2542,t=botnet&i=38866,00.asp

Page 53: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Another DDoS Attack Example
• February 16th, 2007
• The anti-phishing group CastleCops.com was knocked out by a massive DDoS
– The volunteer-driven site, run by a husband and wife team, had been coping with on-and-off attacks since February 13
– An intense wave that began around 3:45 PM EST completely crippled the server capacity
• CastleCops.com had just celebrated its fifth anniversary as a high-profile anti-malware community
• Comment: this site ceased operation Dec. 2008

Page 54: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Why do threats succeed?

• Vulnerabilities !!!
• Vulnerabilities !!!
• Vulnerabilities !!!
• Vulnerabilities !!!
• Vulnerabilities !!!

Is it because hackers are so smart, or is it just too easy?

Page 55: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Vulnerability Defined

• What is a security vulnerability?

• A vulnerability is an error or weakness in a component that allows it to be attacked

• Typically, something that runs in an OS or other application

• If exploited, each vulnerability can potentially compromise the system or network

Page 56: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Vulnerabilities Explained

• Software vulnerabilities are highly specific
– A classic vulnerability affects a single feature of one release of a software product installed under a specific operating system
• Out of trillions of lines of code running in networked systems,
– A vulnerability may exist in a single line
– Like a unique grain of sand on a mile-long beach ...
– As the number of network components grows every year, so does the number of vulnerabilities

Page 57: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Vulnerability Example
• CVE-2005-3641
– Oracle Databases running on Windows XP with Simple File Sharing enabled allow remote attackers to bypass authentication by supplying a valid username.

Impact
– CVSS Severity: 7.0 (High)
– Range: Remotely exploitable
– Authentication: Not required to exploit
– Impact Type: Provides unauthorized access; allows partial confidentiality, integrity, and availability violation; allows disruption of service

Page 58: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Vulnerabilities

• True or False?
– “Vulnerabilities that lead to system security breaches are a result of sloppy or ignorant programmers producing bad, error-prone code”

Page 59: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Vulnerabilities
• If the previous statement isn’t true,
– What causes vulnerabilities?
• Software is one cause
– Bugs, coding errors or incomplete specifications that didn’t account for security
• Network protocols – bad design
– Incorrect assumptions about protocols and how they would be used … the classic example is TCP/IP
• Human error
– Social engineering and human ignorance
• Physical access
– Insecure premises allowing unauthorized access

Page 60: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Steal cars with a laptop

NEW YORK - Security technology created to protect luxury vehicles may now make it easier for tech-savvy thieves to drive away with them. In April ‘07, high-tech criminals made international headlines when they used a laptop and transmitter to open the locks and start the ignition of an armor-plated BMW X5 belonging to soccer player David Beckham, the second X5 stolen from him using this technology within six months.

How did they do it?

•… Beckham's BMW X5s were stolen by thieves who hacked into the codes for the vehicles' RFID chips …


Page 61: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Disable Cars Over the Internet

• A young man used an Internet service to remotely disable ignitions and set off the car horns of more than 100 cars
– Ramos-Lopez used a former colleague's password to deactivate starters and set off car horns, police said
– Several car owners said they had to call tow trucks and were left stranded at work or home
– The Texas Auto Center dealership in Austin installs GPS devices that can prevent cars from starting
• The system is used to repossess cars when buyers are overdue on payments
• Car horns can be activated when repo agents go to collect vehicles and believe the owners are hiding them

Page 62: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Human Vulnerabilities
• Social Engineering
– Alive and well in spite of lots of publicity
• Email Scams
– Investment schemes in an African economy
• “Nigerian uncle has died intestate. Need to transfer $8M to US with your assistance. You will get 10% of funds, need your bank info to initiate the transfer …”
– Phishing
• They want to get your money!!
• “Your PayPal account needs updating, please enter your username and password …”

Page 63: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Improving Security

• Design it in from the beginning
– Security is typically an afterthought … still
• People are more concerned with performance and nice features than security; they want to sell products
• Microsoft ?? and Linux and Apple too ....
– Security is often seen as something users don’t want – it hinders their use of the system
– Must create security requirements that need to be met along with other requirements

Page 64: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Security is Hard

• Security is hard to define
– Without a good definition, it is almost impossible to achieve
– One way to think of security:
• Consider system states
– Think of the security of a system as its ability to stay in good states
– Be wary of anyone who says they have built a secure system
• How do they know?
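"Stay in good states" and "how do they know?" can be answered for a small enough system by enumerating every reachable state. The following is an added example (not from the lecture) that models the ATM from the earlier slides as a state machine and explores it exhaustively: a state in which the door is open over cash belonging to someone other than the user present is a bad state. The two policy names, "naive" (reopen the door for the next user) and "lockout" (refuse all further transactions, as the slide describes), the event set, and the three-field state encoding are this example's own modelling choices:

```python
# Added example, not from the lecture slides: "security as the ability to
# stay in good states" made checkable.  The ATM from the earlier slides is
# modelled as a small state machine and every reachable state is enumerated;
# a state in which the door is open over cash belonging to someone else is a
# bad state.  The policy names ("naive", "lockout"), the event set and the
# state encoding are this example's own labels for the designs the slides contrast.
from collections import deque

INITIAL = ("closed", None, None)        # (door, owner of cash in tray, user present)
EVENTS = [(kind, who) for who in ("A", "B") for kind in ("arrive", "request", "take", "leave")]
REFUSED = "refused"


def atm_step(state, event, policy):
    """Successor state for one event, REFUSED if the machine declines the
    request, or None if the event makes no sense in this state."""
    door, tray_owner, user = state
    kind, who = event
    if kind == "arrive":
        return (door, tray_owner, who) if user is None else None
    if user != who:
        return None
    if kind == "leave":
        return ("closed", tray_owner, None)     # door closes on timeout; cash may be left behind
    if kind == "request" and door == "closed":
        if tray_owner is None:
            return ("open", who, who)
        if policy == "naive":
            return ("open", tray_owner, who)    # reopens the door over the previous user's cash
        return REFUSED                          # lockout: refuse all transactions until serviced
    if kind == "take" and door == "open":
        return ("closed", None, who)
    return None


def cash_to_wrong_user(state):
    """Bad state: the door is open and the cash inside is not the current user's."""
    door, tray_owner, user = state
    return door == "open" and tray_owner is not None and tray_owner != user


def explore(policy):
    """Breadth-first search over every reachable state.  Returns the bad
    states reached, how many requests were refused, and the state count."""
    seen, queue, bad, refused = {INITIAL}, deque([INITIAL]), [], 0
    while queue:
        state = queue.popleft()
        for event in EVENTS:
            nxt = atm_step(state, event, policy)
            if nxt is REFUSED:
                refused += 1
            elif nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                if cash_to_wrong_user(nxt):
                    bad.append(nxt)
    return bad, refused, len(seen)


if __name__ == "__main__":
    for policy in ("naive", "lockout"):
        bad, refused, count = explore(policy)
        print("%-7s states=%2d refused=%d bad=%s" % (policy, count, refused, bad or "none"))
```

The exploration shows both halves of the ATM slide at once: the naive design reaches a state where user B stands at an open door over A's cash, while the lockout design never does but refuses requests, which is the denial of service the slide accepts as the price. The answer to "how do they know?" is only as good as the model, so the assumptions (door closes when the user leaves, one user at the machine at a time) are listed in the code for review.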

Page 65: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

Class Contributions

• Extra Credit !!! Any topic in class, 5 points
– If you can find relevant actual examples or news - must be current, past year
– Example: if we are talking about Attackers
• Story must be about Attackers, within the last year
– You get to share it with the class!!!

Page 66: CSCD 434/539 Lecture 2 Spring 2014 Computer Security Overview

The End
• Next Time
– We will look at vulnerabilities in TCP/IP and other protocols
– See reading assignment