TRANSCRIPT
CIS 381: Social & Ethical Issues of Computing
Security Dr. David Koop
D. Koop, CIS 381, Spring 2019
Hackers, Past and Present
• Original meaning of hacker: explorer, risk taker, system innovator (e.g., MIT's Tech Model Railroad Club in the 1950s)
• Change in meaning as the focus moved from electronics to computers and networks
• WarGames (1983): hacking a military supercomputer
• Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks
[M. J. Quinn]
Password Advice
• Do not use short passwords
• Do not rely solely on words from the dictionary
• Do not rely on substituting numbers for letters (cracking tools undo these substitutions automatically)
• Do not reuse passwords (a breach at one site then unlocks your accounts elsewhere)
• Give ridiculous answers to security questions (the true answers are often public or guessable)
• Enable two-factor authentication if available
• Have password recoveries sent to a secure email address
[M. J. Quinn]
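As an added illustration of why the second and third rules above matter (example code written for this page, not part of Quinn's text or the course materials): a password cracker does not compare the literal password against its wordlist; it first undoes the usual digit-for-letter substitutions and strips the trailing digits people append, so "P@ssw0rd!23" is looked up as "password". The wordlist and substitution table below are a constructed toy stand-in for a real cracking dictionary.

```python
import itertools
import re

# Constructed toy wordlist standing in for a real cracking dictionary (assumption:
# a real one holds millions of entries, including passwords from past breaches).
WORDLIST = {"password", "welcome", "dragon", "letmein", "monkey", "football"}

# Digit/symbol-for-letter substitutions a cracker undoes before the lookup; one
# character may stand for several letters ("1" is tried as both "l" and "i").
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
        "@": "a", "$": "s", "!": "i"}


def candidates(pw: str, max_forms: int = 256) -> set:
    """Plain-letter forms a cracker would test for pw: lowercase, strip the
    trailing digits/punctuation, then expand every leet substitution."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    choices = [LEET.get(ch, ch) for ch in core]      # each entry: letters to try
    forms = itertools.product(*choices)
    return {"".join(form) for form in itertools.islice(forms, max_forms)}


def weaknesses(pw: str, min_len: int = 12) -> list:
    """Return the advice rules pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"too short ({len(pw)} < {min_len} characters)")
    hits = candidates(pw) & WORDLIST
    if hits:
        problems.append(f"dictionary word after undoing substitutions: {sorted(hits)}")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd!23", "letme1n", "correct-horse-battery-staple-2019"):
        print(pw, "->", weaknesses(pw) or "ok")
```

The check deliberately treats "P@ssw0rd!23" and "password" as the same guess; length and unpredictability, not decoration, are what make the guess space large.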
Case Study: Firesheep
• October 2010: Eric Butler released the Firesheep extension for the Firefox browser
• Firesheep made it possible for ordinary computer users to easily sidejack Web sessions: on a shared network such as open Wi-Fi it captured the session cookies that sites like Facebook and Twitter still sent over unencrypted HTTP after an HTTPS login, and let the user replay them to take over the session
• More than 500,000 downloads in the first week
• Attracted a great deal of media attention
• Early 2011: Facebook and Twitter announced options to use their sites securely (HTTPS for the whole session)
• Evaluate: Was this a good action?
[M. J. Quinn]
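The weakness Firesheep exploited was a session cookie set without the Secure attribute, so the browser kept sending it over plain HTTP where anyone on the same network could copy it. The following is an added example for this page (not Firesheep's code and not from the course materials) of the check a site operator can run against its own Set-Cookie headers; the two sample headers are constructed to represent a site before and after it adopted an HTTPS-only session.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers (assumption): the same session cookie before and
# after the site switched to the HTTPS-only option described on the slide.
BEFORE = "sessionid=abc123; Path=/; Domain=.example.com"
AFTER = "sessionid=abc123; Path=/; Domain=.example.com; Secure; HttpOnly; SameSite=Lax"

# Attributes every session cookie should carry.
REQUIRED = ("secure", "httponly", "samesite")


def audit_set_cookie(header: str) -> dict:
    """Map each cookie in a Set-Cookie header to the attributes it is missing.
    Without Secure the browser also sends the cookie over plain HTTP, where a
    sniffer on the same network can copy it (the Firesheep attack); without
    HttpOnly injected script can read it; SameSite limits cross-site replay."""
    jar = SimpleCookie()
    jar.load(header)
    findings = {}
    for name, morsel in jar.items():
        # Flag attributes are True when present and "" when absent.
        findings[name] = [attr for attr in REQUIRED if not morsel[attr]]
    return findings


def sidejackable(header: str) -> list:
    """Names of cookies exposed to sidejacking: those that lack Secure."""
    return [name for name, missing in audit_set_cookie(header).items()
            if "secure" in missing]


if __name__ == "__main__":
    print("before:", audit_set_cookie(BEFORE), "sidejackable:", sidejackable(BEFORE))
    print("after: ", audit_set_cookie(AFTER), "sidejackable:", sidejackable(AFTER))
```

Marking the cookie Secure only helps if the whole session is served over HTTPS; a site that logs in over HTTPS and then falls back to HTTP for browsing would still have to send the cookie in the clear to keep the user logged in, which is why the fix Facebook and Twitter shipped was a site-wide HTTPS option.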
Viruses
• Virus: piece of self-replicating code embedded within another program (the host)
• Viruses are associated with program files
  - Hard disks, floppy disks, CD-ROMs
  - Email attachments
• How viruses spread
  - Diskettes or CDs
  - Email
  - Files downloaded from the Internet
[M. J. Quinn]
7.3 Malware (textbook excerpt)
Figure 7.4: A worm spreads to other computers by exploiting security holes in computer networks. (figure not reproduced)
punk: Outlaws and Hackers on the Computer Frontier, written by Katie Hafner and John Markoff [25].
BACKGROUND OF ROBERT TAPPAN MORRIS JR.
Robert Tappan Morris Jr. began learning about the Unix operating system when he was still in junior high school. His father was a computer security researcher at Bell Labs, and young Morris was given an account on a Bell Labs computer that he could access from a teletype at home. It didn't take him long to discover security holes in Unix. In a 1982 interview with Gina Kolata, a writer for Smithsonian magazine, Morris admitted he had broken into networked computers and read other people's email. "I never told myself that there was nothing wrong with what I was doing," he said, but he acknowledged that he found breaking into systems challenging and exciting, and he admitted that he continued to do it.
As an undergraduate at Harvard, Morris majored in computer science. He quickly gained a reputation for being the computer lab's Unix expert. After his freshman year, Morris worked at Bell Labs. The result of his work was a technical paper describing a security hole in Berkeley Unix.
While at Harvard, Morris was responsible for several computer pranks. In one of them, he installed a program that required people logging in to answer a question posed by "the Oracle" and then to ask the Oracle another question. (The Oracle program worked by passing questions and answers among people trying to log in.)
Worm
• Worm:
  - Self-contained program (unlike a virus, it needs no host program)
  - Spreads via a computer network
  - Exploits security holes
• Robert Tappan Morris's Internet Worm (1988):
  - Released onto the Internet from an MIT computer
  - Spread to a significant number of Unix computers
  - Infected computers kept crashing or became unresponsive
[M. J. Quinn]
Conficker Worm
• Conficker (a.k.a. Downadup) worm appeared in 2008 on Windows computers
• Particularly difficult to eradicate
• Uses pseudorandom domain names, generated from the current date, to locate servers to download updates from, so defenders cannot simply block one fixed address
• Different variants released (variant E installs additional malware)
• Millions of copies of the worm are circulating
• Purpose of the worm still unknown
[M. J. Quinn]
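Conficker's "pseudorandom domains" come from a domain generation algorithm (DGA). The sketch below is an added example for this page, not Conficker's actual algorithm: it shows the idea that both sides derive the day's rendezvous names from the date, so the bot herder needs to register only one of them, while a defender who has reverse-engineered the algorithm can compute the same list ahead of time and sinkhole, block or pre-register it. The seed, label lengths, TLD pool and names per day are assumptions (real families generate far more names per day).

```python
import hashlib
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info", "biz"]   # assumption: a toy TLD pool
SECRET = b"toy-dga-seed"                       # assumption: constant baked into the bot


def dga(day: date, count: int = 5) -> list:
    """Deterministic list of `count` rendezvous domains for one calendar day.
    The bot and anyone who has reverse-engineered it compute the same list."""
    names = []
    for i in range(count):
        material = SECRET + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                          # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def dga_for(iso_day: str, count: int = 5) -> list:
    """Same as dga() but takes a YYYY-MM-DD string."""
    return dga(date.fromisoformat(iso_day), count)


def blocklist_for(iso_day: str, days_ahead: int = 3, count: int = 5) -> set:
    """Defender's side: precompute the names for the next `days_ahead` days so
    they can be sinkholed, blocked or registered before the bots try them."""
    start = date.fromisoformat(iso_day)
    names = set()
    for offset in range(days_ahead):
        names.update(dga(start + timedelta(days=offset), count))
    return names


if __name__ == "__main__":
    print("bot will try on 2009-04-01:", dga_for("2009-04-01"))
    print("defender blocks this week: ", sorted(blocklist_for("2009-04-01", days_ahead=7)))
```

The asymmetry is what made Conficker hard to eradicate: the herder needs one successful registration per day, while the defenders must cover every name every day, which is why the response was a coordinated effort among registrars rather than a blocklist on individual machines.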
Trojan Horses + Spyware & Adware
• Trojan horse:
  - Program with a benign capability that masks a sinister purpose
  - Performs the expected task but also unknown, sinister actions
• Backdoor Trojan: Trojan horse that gives the attacker remote access to the victim's computer
• Spyware: program that communicates over an Internet connection without the user's knowledge or consent
  - Logs keystrokes or takes snapshots of the computer screen
  - Sends reports back to a host computer
• Adware: type of spyware that displays pop-up advertisements related to the user's activity
[M. J. Quinn]
Term Paper
• Topics have been assigned
• 4-5 people per group
• Term papers are individual
• Topic presentations are done in groups, but each person should speak for 3-4 minutes
• As a group, rank your preferred presentation days
  - April 17, April 19, April 22, April 24, April 29, May 1
• Individual term papers are due May 6 (assigned exam date)
• Need to evaluate issues using ethical frameworks
• Groups can choose to examine different issues related to a topic or examine a similar issue using different frameworks
Assignment 5
• Computer Reliability
• About radiation treatments and their reliance on increasingly complicated software
• Due Monday
Bots
• Bot: a kind of backdoor Trojan that responds to commands sent by a command-and-control program on another computer
• First bots supported legitimate activities
  - Internet Relay Chat
  - Multiplayer Internet games
• Other bots support illegal activities
  - Distributing spam
  - Collecting personal information for ID theft
  - Denial-of-service attacks
[M. J. Quinn]
Botnets and Bot Herders
• Botnet: collection of bot-infected computers controlled by the same command-and-control program
• Bot herder: someone who controls a botnet
• Some botnets have over a million computers in them
[M. J. Quinn]
Defensive Measures
• Security patches: code updates that remove security vulnerabilities (Conficker spread through a Windows hole for which a patch was already available)
• Anti-malware tools: software to scan hard drives, detect files that contain viruses or spyware, and delete or quarantine them
• Firewall: software on a single computer (or a device at a network boundary) that selectively blocks network traffic to and from that computer or network
[M. J. Quinn]
Cyber Crime and Cyber Attacks
• Internet sales over $1 trillion annually
• Organized crime and politically motivated attacks
• Various types of attacks
  - Phishing
  - SQL injection
  - Distributed denial of service (DDoS)
Phishing and Spear-phishing
• Phishing: large-scale effort to gain sensitive information from gullible computer users
  - At least 67,000 phishing attacks globally in the second half of 2010
  - New development: phishing attacks on Chinese e-commerce sites
• Spear-phishing: variant of phishing in which email addresses are chosen selectively to target a particular group of recipients
[M. J. Quinn]
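Spear-phishing mail usually arrives from a domain built to look like one the target already trusts. The following is an added example for this page (written here, not taken from the course materials) of the check a mail gateway can apply: fold visually confusable characters into a "skeleton", then compare it with the trusted list by exact match, one-character edit distance, or trusted-name-used-as-a-prefix. The trusted domains, the confusables table and the sample addresses are constructed assumptions.

```python
import unicodedata

TRUSTED = {"example.com", "paypal.com"}   # assumption: the organisation's own list

# Assumption: a hand-picked subset of the Unicode confusables table.  Two-character
# keys ("rn" looks like "m") are listed first so they are replaced before "1"/"0".
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def skeleton(domain: str) -> str:
    """Canonical look-alike form of a domain: Punycode decoded, NFKC-normalised,
    then every confusable sequence replaced by the Latin letter it imitates."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... labels -> Unicode
    except UnicodeError:
        pass                                             # already Unicode, keep as is
    d = unicodedata.normalize("NFKC", domain.lower())
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """'trusted', 'lookalike' or 'unknown' for the domain part of an address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in TRUSTED:
        return "trusted"
    sk = skeleton(domain)
    for good in TRUSTED:
        if sk == good or sk.startswith(good + ".") or edit_distance(sk, good) <= 1:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: a real one, a digit swap, a Cyrillic "a",
    # the trusted name buried as a subdomain, and an unrelated domain.
    for addr in ("alice@paypal.com", "billing@paypa1.com", "billing@p\u0430ypal.com",
                 "support@paypal.com.secure-login.net", "bob@gmail.com"):
        print(f"{addr:40} {classify_sender(addr)}")
```

The skeleton comparison is deliberately lossy (it also maps the "0" in a legitimate "web20.com" to "o"), which is the right trade-off for a gateway that only needs to decide whether to hold a message for review; it is not a substitute for sender authentication such as SPF or DKIM.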
SQL Injection
• Method of attacking a database-driven Web application that builds its queries by pasting client input into SQL text
• Attack inserts (injects) SQL into a text string sent from the client to the application, so the input is executed as part of the query
• Application may return sensitive information, skip an authentication check, or modify or delete data
• Defense: parameterized queries (placeholders), so client input is always treated as data and never as SQL
[M. J. Quinn]
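The attack and the fix side by side, as an added example for this page (not from the course materials): one login function pastes the client's text into the SQL, the other passes it as a parameter. The in-memory users table is constructed for the demonstration; it stores plaintext passwords only to keep the example short, which a real system must never do.

```python
import sqlite3


def setup() -> sqlite3.Connection:
    """Constructed in-memory users table (assumption) standing in for the
    application's real database.  Plaintext passwords are for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "password TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users (name, password, ssn) VALUES (?, ?, ?)",
                     [("alice", "s3cret", "111-22-3333"),
                      ("bob", "hunter2", "444-55-6666")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    """The flaw on the slide: client text becomes part of the SQL statement.
    Kept deliberately vulnerable so the attack below can be observed."""
    sql = (f"SELECT name, ssn FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    """Parameterized query: the values travel separately from the SQL text, so a
    quote character in the input is just a character inside a string."""
    sql = "SELECT name, ssn FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# Classic payload: closes the quoted name, adds an always-true clause, and
# comments out the password check ("--" starts a comment in SQL).  The
# vulnerable query becomes:
#   SELECT name, ssn FROM users WHERE name = '' OR '1'='1' --' AND password = '...'
PAYLOAD = "' OR '1'='1' --"

if __name__ == "__main__":
    db = setup()
    print("vulnerable:", login_vulnerable(db, PAYLOAD, "anything"))  # every row leaks
    print("safe:      ", login_safe(db, PAYLOAD, "anything"))        # []
```

Escaping quotes by hand is not an adequate substitute for placeholders; the same input can appear inside a numeric comparison or an ORDER BY clause where quoting rules differ, whereas a bound parameter is never parsed as SQL at all.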
DoS and DDoS Attacks
• Denial-of-service (DoS) attack: intentional action designed to prevent legitimate users from making use of a computer service
• Aim of a DoS attack is not to steal information but to disrupt a server's ability to respond to its clients
• Distributed denial-of-service (DDoS) attack: DoS attack launched from many computers, such as a botnet, so that no single source stands out and the traffic cannot be blocked by address
[M. J. Quinn]
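Why "distributed" matters, as an added example for this page (constructed simulation, not from the course materials): a per-source rate limiter, which is the standard defence against a single flooding host, lets a botnet through untouched because every bot individually stays under the limit. The request traces, the limit values and the server capacity are assumptions chosen to make the effect visible.

```python
from collections import defaultdict


class TokenBucket:
    """Per-source rate limiter: `rate` tokens per second refill, `burst` capacity."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def admit(requests: list, rate: float = 1.0, burst: int = 5) -> list:
    """Apply one bucket per source address; return the (time, ip) pairs admitted."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return [(t, ip) for t, ip in requests if buckets[ip].allow(t)]


def single_source_flood(n: int = 1000, duration: float = 1.0) -> list:
    """Constructed trace: one host sends n requests spread over `duration` seconds."""
    return [(i * duration / n, "203.0.113.7") for i in range(n)]


def distributed_flood(n_bots: int = 1000, duration: float = 1.0) -> list:
    """Constructed trace: n_bots distinct hosts (a botnet) each send one request."""
    return [(i * duration / n_bots, f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}")
            for i in range(n_bots)]


def summarize(requests: list, capacity_per_sec: int = 100, duration: float = 1.0,
              rate: float = 1.0, burst: int = 5) -> dict:
    """How a per-source limit fares: admitted requests versus what the server can serve."""
    admitted = admit(requests, rate, burst)
    return {"sources": len({ip for _, ip in requests}),
            "admitted": len(admitted),
            "overloaded": len(admitted) > capacity_per_sec * duration}


if __name__ == "__main__":
    print("single source:", summarize(single_source_flood()))   # a handful admitted
    print("botnet:       ", summarize(distributed_flood()))     # all admitted, overloaded
```

The per-source limiter stops the lone attacker cold (roughly the burst size gets through) and does nothing against the botnet, whose thousand requests all arrive with a full bucket. Surviving a DDoS therefore needs capacity or filtering upstream of the server, which is the position Blue Security found itself unable to buy in the case study that follows.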
Cyber Crime
• Criminal organizations making significant amounts of money from malware
• Jeanson James Ancheta
• Blue Security and PharmaMaster
• Albert Gonzalez
• Avalanche Gang
[M. J. Quinn]
The Rise and Fall of Blue Security
• Blue Security: an Israeli company selling a spam deterrence system
• Its Blue Frog bot would automatically respond to each spam message with an opt-out message
• Spammers started receiving hundreds of thousands of opt-out messages, disrupting their operations
• 6 of the 10 world's top spammers agreed to stop sending spam to users of Blue Frog
[M. J. Quinn]
The Rise and Fall of Blue Security
• One spammer (PharmaMaster) started sending Blue Frog users 10-20 times more spam
• PharmaMaster then launched DDoS attacks on Blue Security and its business customers
• Blue Security could not protect its customers from the DDoS attacks and virus-laced emails
• Blue Security reluctantly terminated its anti-spam activities
[M. J. Quinn]
Politically Motivated Cyber Attacks
• Estonia (2007)
• Georgia (2008)
• Georgia (2009)
• Exiled Tibetan Government (2009)
• United States and South Korea (2009)
• Iran (2009)
• Espionage attributed to the People's Liberation Army
• Anonymous
[M. J. Quinn]
Attacks on Social Networking Sites
• Massive DDoS attack made the Twitter service unavailable for several hours on August 6, 2009
• Three other sites attacked at the same time: Facebook, LiveJournal, and Google
• All sites were used by a political blogger from the Republic of Georgia
• Attacks occurred on the first anniversary of the war between Georgia and Russia over South Ossetia
[M. J. Quinn]
Fourth of July Attacks
• 4th of July weekend in 2009: DDoS attack on governmental agencies and commercial Web sites in the United States and South Korea
• Attack may have been launched by North Korea in retaliation for United Nations sanctions
[M. J. Quinn]
SCADA Systems
• Industrial processes require constant monitoring
• Computers allow automation and centralization of monitoring via Supervisory Control and Data Acquisition (SCADA) systems
• Today, SCADA systems are open systems based on the Internet Protocol
  - Less expensive than proprietary systems
  - Easier to maintain than proprietary systems
  - Allow remote diagnostics
• Allowing remote diagnostics creates a security risk: a control network reachable for diagnostics is reachable for attack as well
[M. J. Quinn]
Stuxnet
• In January 2010 it became apparent that centrifuges at Iran's Natanz nuclear facility were failing at an unusually high rate; the worm responsible, Stuxnet, had been at work for about two years and was publicly identified in June 2010
• Stuxnet targeted the plant's control systems for the centrifuges, causing them to fail at an unusually high rate
  - Attacked SCADA systems running Siemens software
  - Uranium must be processed to increase the concentration of the active isotope, U-235, which is only 0.7% of natural uranium
  - A small difference in weight allows the U-235 isotope to be separated from the predominant U-238 isotope
  - Centrifuges spin at over 60,000 RPM to separate the isotopes and enrich the uranium
[S. Abraham]
Stuxnet
(slide shows an illustration; image not reproduced)
[L-Dopa, IEEE Spectrum]
Stuxnet Aftermath
• First version of the worm caused failures in centrifuges; the second version caused operating systems to repeatedly crash and reboot
  - A Belarusian malware-detection firm was called in to investigate
  - Four zero-day (previously unknown) exploits were used to break into the Microsoft operating system
• In 2012 Chevron became the first US corporation to publicly confirm that Stuxnet had spread to its machines
  - The target's Siemens systems had no direct connection to the Internet, so the worm was first planted at five outside companies believed to be connected with the nuclear program, from which it could be carried inside (for example on removable media)
• Authors of Stuxnet never confirmed, but leaks to the press suggest that the US and Israel worked in collaboration to create it [Sanger, NYTimes]
[S. Abraham]
Stuxnet Differences
• Worm caused physical damage rather than just stealing or modifying information
• Sophistication and layers of attack suggest the worm took around two to three years to author
• Likely a US operation that targeted software created by US corporations
• Connections discovered between Stuxnet and Flame
  - Flame was used for cyber espionage in the Middle East
  - Could exchange data with any Bluetooth-enabled device
  - Entered systems disguised as a legitimate Windows 7 update, signed with a forged Microsoft certificate
[S. Abraham]
Cyber Espionage
• Hundreds of computer security breaches in more than a dozen countries investigated by Mandiant
• Hundreds of terabytes of data stolen
• Mandiant blamed Unit 61398 of the People's Liberation Army
• China's foreign ministry stated that the accusation was groundless and irresponsible
[M. J. Quinn]
Anonymous
• Anonymous: loosely organized international movement of hacktivists (hackers with a social or political cause)
• Various DDoS attacks attributed to Anonymous members
[M. J. Quinn]
Year  Victim                              Reason
2008  Church of Scientology               Attempted suppression of Tom Cruise interview
2009  RIAA, MPAA                          RIAA and MPAA's attempt to take down the Pirate Bay
2010  PayPal, VISA, MasterCard            Financial organizations freezing funds flowing to Julian Assange of WikiLeaks
2012  U.S. Dept. of Justice, RIAA, MPAA   U.S. Dept. of Justice action against Megaupload
2013  Israel                              Protest of Israeli treatment of Palestinians
2014  City of Cleveland                   Protest of the killing of 12-year-old Tamir Rice by a Cleveland police officer
2015  Jihadist groups                     Terrorist attack on the Paris office of Charlie Hebdo magazine
Convictions of Anonymous Members
• Dozens of people around the world have been arrested for participation in Anonymous cyber attacks
• Dmitriy Guzner (Church of Scientology attacks): 366 days in prison and $37,500 in restitution
• Brian Mettenbrink (Church of Scientology attacks): 1 year in prison and $20,000 in restitution
• Jake Davis (Sony Pictures attacks): 2 years in prison
[M. J. Quinn]
Motivation for Online Voting
• 2000 U.S. Presidential election closely contested
• Florida the pivotal state
• Most Florida counties used punch-card voting machines
• Two voting irregularities traced to these machines
  - Hanging chad
  - "Butterfly ballot" in Palm Beach County
[M. J. Quinn]
The Infamous "Butterfly Ballot"
(photo not reproduced)
[AP Photo/Gary I. Rothstein]
Benefits of Online Voting
• More people would vote
• Votes would be counted more quickly
• No ambiguity with electronic votes
• Costs less money
• Eliminates ballot box tampering
• Software can prevent accidental over-voting
• Software can prevent under-voting
[M. J. Quinn]
Risks of Online Voting
• Gives an unfair advantage to those with home computers
• More difficult to preserve voter privacy
• More opportunities for vote selling
• Obvious target for a DDoS attack
• Security of the election depends on the security of home computers
• Susceptible to a vote-changing virus or RAT (remote access Trojan)
• Susceptible to phony vote servers
• No paper copies of ballots for auditing or recounts
[M. J. Quinn]