Viruses, Trojan Horses, and Worms - UMass Amherst (CMPSCI 120, Fall 2010, lecture slides)


Page 1

UNIVERSITY OF MASSACHUSETTS AMHERST •• CMPSCI 120 Fall 2010

Some material adapted from Web 101 Copyright © 2007 Pearson Education, Inc. Publishing as Pearson Addison-Wesley

Viruses, Trojan Horses, and Worms

Some software is a security risk, often all called “viruses”, but there are 3 different classes:

Viruses
- program or code that replicates; i.e., infects another program, boot sector, partition sector, or document that supports macros, by inserting itself or attaching itself to that medium
- most only replicate, but many do a large amount of damage

Worms
- program that makes copies of itself; for example, from one disk drive to another, or by copying itself using email or another transport mechanism, and spreads through a network
- some worms run over several computers; others communicate among themselves over the network
- may do damage and compromise the security of the computer
- may be malicious or may take up system resources, causing a slowdown in performance

Trojan horses
- program that slips into a computer under the guise of another program but neither replicates nor copies itself
- often, someone emails you a Trojan Horse, e.g., a game that when you run it, you also run the Trojan horse
- a Trojan horse does not email itself
- causes damage or compromises the security of the computer, e.g., could record your keystrokes or allow someone to access your computer

see Symantec Security Response Glossary

Page 2


What are the risks?

SANS Top-20 2007 Security Risks

Client-side Vulnerabilities:
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players

Server-side Vulnerabilities:
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software

Security Policy & Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media

Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs

Network Devices:
N1. VoIP Servers and Phones

All systems at risk!!


What actions can be taken?

How do you know your computer is infected?
- there is no particular way
- be aware of any unusual or unexpected behaviors

If your computer gets infected with malicious code, there are steps you can take to recover.
- the fastest and easiest way to detect and remove malicious programs from your computer is to run a virus removal program on a regular schedule
- companies like Symantec, McAfee, and others provide virus removal tools

Page 3


What actions can be taken?

Minimize the damage
- if you have access to an IT department, contact them immediately
- if you are on your home computer or a laptop, disconnect your computer from the internet
  - this prevents access to your computer to perform tasks such as locating personal data, manipulating or deleting files, or using your computer to attack other computers

Remove the malicious code
- use anti-virus software, update the virus definitions (if possible), and perform a manual scan of your entire system
- reinstall your operating system, usually with a system restore disk, and install all of the appropriate patches to fix known vulnerabilities


Take control & secure your computer

Use antivirus software and keep it updated
- scan files on computer, disks, CDs, email and downloaded files
- if you need to work without a virus scanner, you should manually scan each file before opening or executing it

Keep bootable disks out of your drive unless you are actively working with the files on the disk
- some viruses can hide on the boot sector of a disk
- these are triggered when the computer starts up and accesses the disk

Use a firewall on your home computer (especially if you use a broadband connection)

Encrypt all files that contain sensitive information or store them offline on removable media

Page 4


E-Mail Viruses

E-mail is the number one source of computer viruses
- attachments are the most common culprit
- some attachments contain scripts
  - a script is a small program written in a scripting language (e.g. Visual Basic)
- Microsoft Word documents are a popular source of viruses

Mailers that render (html) messages into Web-like displays are susceptible to script attacks
- some messages contain scripts
- if the script is automatically executed, it can cause harm

You can take precautions:
- configure your mailer to not open attachments automatically
- configure your mailer to not display html automatically
- save attachments and scan them first
- don’t open a document that contains a macro


Threats

CERT
- Microsoft - Multiple Vulnerabilities, November 9, 2010
- Oracle Multiple Vulnerabilities, October 14, 2010
- Microsoft - Multiple Vulnerabilities, October 12, 2010
- Adobe Reader and Acrobat Affected by Multiple Vulnerabilities, October 6, 2010
- Adobe Flash Vulnerabilities, September 20, 2010

McAfee
- Global Threat Level = “Elevated”
- Critical Security-related updates have been released by multiple vendors (Microsoft, Adobe, Oracle, VMWare). "Low" malware activity observations around the PWS-Zbot, FakeAlert and Pinkslipbot families. October 18, 2010

Page 5


Threats

Some threats can contain a blend of different types of attacks

W32/Nimda worm (2001)
- spread through a variety of means (via email, open network shares and browsing of compromised web sites), exploiting vulnerabilities in Microsoft Windows and backdoors left by the Code Red II and Sadmind worms

Conficker (2009)
- spreading through low security networks, memory sticks, and PCs without current security updates
- infects nearly 20 million Microsoft server systems running everything from Windows 2000 to Windows Vista and Windows Server 2008; the French air force, Royal Navy warships and submarines, the Sheffield Hospital network, the UK Ministry of Defence and the German Bundeswehr were all affected
- Microsoft has allocated $250,000 to identify its creator


Denial-of-service attack

Denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack)
- an attempt to make a computer resource unavailable to its intended users
- a common method of attack involves saturating the target (victim) machine with external communications requests

Denial-of-service attacks are considered violations of the IAB's Internet Proper Use Policy
- they also commonly constitute violations of the laws of individual nations

Page 6


Summary of Threats

AdWare
- displays commercial advertisements; mostly a nuisance, but can also install tracking software

Spyware
- monitors usage and/or keystrokes and sends data to a remote user; dangerous

Pharming
- redirects valid URLs to bogus sites; dangerous

Phishing, Spear Phishing
- emails requests for personal information; dangerous

Rootkit
- undetectable modifications to the OS that permit remote, surreptitious access to your computer; very dangerous

Spam
- unsolicited e-mail; low risk (unless you open an attachment)

Trojan Horse, Virus, Worm
- dangerous


Security Goals

Computer and Information Security rests on three goals:
- Confidentiality: concealment of information or resources
- Integrity: trustworthiness of data or resources
- Availability: ability to use information or resources

Adapted from COM 260 slides developed by S. Jane Fritz, St. Joseph's College

Page 7


Why do we need security?

Increased reliance on Information Technology: e-mail, e-banking, e-commerce, e-trading, etc.

Supply chains, services architectures

Critical infrastructure
- Finance and markets
- Healthcare
- Research
- Defense
- Entertainment

[Figure: three views of the digital ecosystem - secure walled environments that provide all digital services; a bewilderingly wide array of niche offerings and a Digital Ecosystem dominated by intermediaries; organic grassroots communities as powerhouses of economic value creation]


Security Concerns

Damage to any IT-based system or activity can result in severe disruption of services and losses

Systems connected by networks are more prone to attacks, and also suffer more as a result of the attacks, than stand-alone systems (Reasons?)

Concerns such as the following are common:
- How do I know the party I am talking to on the network is really the one I want to talk to?
- How can I be assured that no one else is listening and learning the data that I send over a network?
- Can I ever stay relaxed that no hacker can enter my network and play havoc?

Adapted from COM 260 slides developed by S. Jane Fritz, St. Joseph's College

Page 8


ISO 7 Layer Model

Layer   Name           Functions
7       Application    How application uses network
6       Presentation   How to represent & display data
5       Session        How to establish communication
4       Transport      How to provide reliable delivery (error checking, sequencing, etc.)
3       Network        How addresses are assigned and packets are forwarded
2       Data Link      How to organize data into frames & transmit
1       Physical       How to transmit “bits”


OSI Network Stack and Attacks

Only as secure as the single weakest layer…

(figure reconstructed as a table)

Layer          Example          Attacks
Application    email, Web, NFS  Sendmail, FTP, NFS bugs, chosen-protocol and version-rollback attacks
Presentation
Session        RPC              RPC worms, portmapper exploits
Transport      TCP              SYN flooding, RIP attacks, sequence number prediction
Network        IP               IP smurfing and other address spoofing attacks
Data Link      802.11           WEP attacks
Physical

Notes from the figure:
- Network port scanning is an information gathering process, and when performed by unknown individuals it is considered a prelude to attack
- A SYN (synchronization) packet is sent to a receiving application, which acknowledges receipt of the packet with a SYN-ACK, to which the sending application responds with an ACK. In a SYN flood attack, the hacker sends a large volume of SYN packets to a victim.
- A smurf program builds a network packet that appears to originate from another address (spoofing) and contains a ping message that is addressed to an IP broadcast address; the echo responses to the ping message are sent back to the "victim" address.
- A key recovery attack on WEP intercepts a number of packets to recover the secret key.

Page 9


Attacks, Services and Mechanisms

Security Attack: Any action that compromises the security of information.

Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.

Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.


Security Attacks

Interruption: This is an attack on availability
- Disrupting traffic
- Physically breaking a communication line

Modification: This is an attack on integrity
- Corrupting transmitted data or tampering with it before it reaches its destination

Interception: This is an attack on confidentiality
- Overhearing, eavesdropping over a communication line

Fabrication: This is an attack on authenticity
- Faking data as if it were created by a legitimate and authentic party

Page 10


Threats and Attacks

Attack - an assault on system security; an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

Threat - a potential for violation of security, or a possible danger that might exploit a vulnerability
- Disclosure – unauthorized access to information
- Deception – acceptance of false data
- Disruption – interruption or prevention of correct operation
- Usurpation – unauthorized control of some part of a system

Examples
- Snooping: intercepting information (“passive” wiretapping)
- Modification or alteration of information by “active” wiretapping
- Masquerading or spoofing
- Repudiation of origin
- Delay or denial of service


Friends and enemies: Alice, Bob, Eve

- well-known in the network security world
- Bob, Alice (lovers!) want to communicate “securely”
- Eve (intruder) may intercept, delete, add messages

[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Eve sits on the channel]

Passive Attacks: Eve reads Alice’s message to Bob or analyzes traffic between Bob & Alice

Active Attacks: Eve masquerades as Alice and sends messages to Bob

Page 11


Authentication

[Figure: two attempts to authenticate Alice to Bob using “Alice’s IP” address as the proof of identity; both are marked “Fails!” (a source IP address can be spoofed, so it does not prove who sent the packet)]


Authentication

1. Alice sends the message, "I am Alice," to Bob.
2. Bob chooses a nonce, R, and sends it to Alice.
3. Alice encrypts the nonce using Alice and Bob's symmetric secret key, K_A-B, and sends the encrypted nonce, K_A-B(R), back to Bob.
   - the fact that Alice knows K_A-B and uses it to encrypt a value lets Bob know that the message he receives was generated by Alice. The nonce is used to ensure that Alice is "live."
4. Bob decrypts the received message. If the decrypted nonce equals the nonce he sent Alice, then Alice is authenticated.
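The four-step exchange above, worked through in code. This is an added example and not code from the slides: HMAC-SHA256 stands in for "encrypting R with K_A-B" (a substitution, because the Python standard library has no block cipher; the property that matters, that only a holder of the key can produce the right value for R, is the same), the key `SHARED_KEY` is a constructed literal, and the function names are this example's own. Besides the honest run it shows why the nonce must be fresh: a response Eve recorded from an earlier session is rejected when Bob issues a new R.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the example: stands in for K_A-B on the slide.
# A real deployment provisions a random key out of band, never a literal.
SHARED_KEY = b"constructed-demo-key-K_A-B"


def bob_issue_nonce() -> bytes:
    """Step 2: Bob picks a fresh, unpredictable nonce R for this run only."""
    return secrets.token_bytes(16)


def alice_respond(key: bytes, nonce: bytes) -> bytes:
    """Step 3: Alice proves she holds the key by transforming R with it.

    The slide encrypts R with K_A-B; here HMAC-SHA256 is the keyed function
    (a substitution for encryption). Only a holder of the key can produce it.
    """
    return hmac.new(key, nonce, hashlib.sha256).digest()


def bob_verify(key: bytes, nonce: bytes, response: bytes) -> bool:
    """Step 4: Bob recomputes the expected value for the nonce *he* sent and
    compares in constant time. A wrong key or a stale nonce both fail."""
    expected = hmac.new(key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def honest_run(key: bytes = SHARED_KEY) -> bool:
    """Whole protocol with the legitimate Alice: 'I am Alice' -> R -> K(R) -> check."""
    nonce = bob_issue_nonce()             # Bob -> Alice
    response = alice_respond(key, nonce)  # Alice -> Bob
    return bob_verify(key, nonce, response)


def replay_run(key: bytes = SHARED_KEY) -> bool:
    """Eve recorded (R1, K(R1)) from an earlier session and replays K(R1).
    Bob issues a new nonce R2 for her session, so the recorded answer does
    not match and authentication fails. This is what 'live' buys."""
    nonce1 = bob_issue_nonce()
    recorded_response = alice_respond(key, nonce1)  # captured by Eve earlier
    nonce2 = bob_issue_nonce()                       # Bob's challenge now
    return bob_verify(key, nonce2, recorded_response)


def wrong_key_run(key: bytes = SHARED_KEY) -> bool:
    """Eve answers the challenge with a key of her own; Bob rejects it."""
    nonce = bob_issue_nonce()
    forged = alice_respond(b"eve-guess", nonce)
    return bob_verify(key, nonce, forged)


if __name__ == "__main__":
    print("honest Alice authenticated:", honest_run())   # True
    print("replayed response accepted:", replay_run())   # False
    print("wrong key accepted:", wrong_key_run())        # False
```

Two details carry the security argument: the nonce comes from `secrets` (unpredictable, never reused), and the comparison uses `hmac.compare_digest` rather than `==` so that verification time does not leak how many bytes of the response were right.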

Page 12


Who might Bob, Alice be?

… well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?


The language of cryptography

[Figure: Alice’s encryption key K_A feeds the encryption algorithm, Bob’s decryption key K_B feeds the decryption algorithm; plaintext → ciphertext → plaintext]

m          plaintext message
K_A(m)     ciphertext, encrypted with key K_A
m = K_B(K_A(m))

Page 13


Types of Cryptography

Crypto often uses keys:
- Algorithm is known to everyone
- Only “keys” are secret

Symmetric key cryptography
- Involves the use of one key

Public key cryptography
- Involves the use of two keys


Symmetric key cryptography

[Figure: Alice and Bob both hold K_S; message m → encryption algorithm → K_S(m) → decryption algorithm → m]

Bob and Alice share the same (symmetric) key: K_S
- e.g., the key is knowing the substitution pattern in a monoalphabetic substitution cipher
- m = K_S(K_S(m))

Q: how do Bob and Alice agree on the key value?
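The monoalphabetic substitution cipher the slide uses as its example of a symmetric key, written out so the "key = the substitution pattern" idea is concrete. This is an added example, not code from the slides: `KS` is a constructed permutation of the alphabet, and the function names are this example's own. Encryption and decryption use the same secret (the forward and inverse table of one key), which is the sense in which the slide writes m = K_S(K_S(m)); `key_space_size` answers the natural follow-up of how many keys there are.

```python
import math
import string

ALPHABET = string.ascii_lowercase

# Constructed key: a permutation of the alphabet. Position i says which letter
# replaces ALPHABET[i]. Alice and Bob must both hold this table and nobody else.
KS = "qwertyuiopasdfghjklzxcvbnm"


def check_key(key: str) -> None:
    """A usable key must be a permutation of a-z: if two plaintext letters
    mapped to the same ciphertext letter, Bob could not invert the mapping."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of a-z")


def encrypt(key: str, plaintext: str) -> str:
    """Apply K_S: replace each letter by its partner in the substitution table.
    Characters outside a-z (spaces, digits) pass through unchanged."""
    check_key(key)
    table = str.maketrans(ALPHABET, key)
    return plaintext.lower().translate(table)


def decrypt(key: str, ciphertext: str) -> str:
    """Apply K_S in reverse: the inverse table built from the same key, so one
    shared secret serves both ends of the channel."""
    check_key(key)
    table = str.maketrans(key, ALPHABET)
    return ciphertext.translate(table)


def key_space_size() -> int:
    """Number of possible keys: every ordering of the 26 letters, i.e. 26!."""
    return math.factorial(len(ALPHABET))


if __name__ == "__main__":
    m = "meet me at noon"
    c = encrypt(KS, m)
    print(c)                 # dttz dt qz fggf  (what Eve sees on the channel)
    print(decrypt(KS, c))    # meet me at noon
    print(key_space_size())  # 403291461126605635584000000
```

The key space (about 4 × 10^26) is far too large to search, yet this cipher is weak: each plaintext letter always maps to the same ciphertext letter, so letter frequencies survive encryption. Key count alone says nothing about strength; the algorithm matters too.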

Page 14


Public key cryptography

[Figure: Alice encrypts plaintext message m with Bob’s public key K_B+ to produce ciphertext K_B+(m); Bob decrypts it with his private key K_B- to recover m]

K_B+    Bob’s public key
K_B-    Bob’s private key
m = K_B-(K_B+(m))
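A toy RSA key pair, added here to make m = K_B-(K_B+(m)) something you can run; it is not code from the slides, and the slides do not name RSA. The primes 61 and 53 and exponent 17 are the usual textbook-sized values chosen so the arithmetic is visible; real keys use primes of roughly 1024 bits or more, which is what makes the public modulus infeasible to factor. Function names are this example's own.

```python
import math


def rsa_keypair(p: int, q: int, e: int):
    """Return (public, private) = ((n, e), (n, d)) built from two primes.
    Toy-sized p and q here; the construction is the same at real sizes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)   # modular inverse: e*d = 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    """K_B+(m): anyone holding Bob's public key (n, e) can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    """K_B-(c): only Bob, holding d, can undo the encryption."""
    n, d = private_key
    return pow(c, d, n)


def demo():
    """Alice -> Bob with the textbook parameters; returns (m, K_B+(m), K_B-(K_B+(m)))."""
    public, private = rsa_keypair(61, 53, 17)   # n = 3233, d = 2753
    m = 65
    c = rsa_encrypt(public, m)                  # 2790
    return m, c, rsa_decrypt(private, c)        # (65, 2790, 65)


if __name__ == "__main__":
    print(demo())
    # Applying the *public* exponent again does not recover m: the two keys
    # are not interchangeable, which is the whole point of having two.
    public, _ = rsa_keypair(61, 53, 17)
    print(rsa_decrypt(public, 2790) == 65)      # False
```

Everything Alice needs (n and e) is public; the private exponent d is derived from phi, which in turn needs the factorisation of n. At toy size anyone can factor 3233 = 61 × 53 and recompute d, so the security of the real scheme rests entirely on the size of the primes.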


Privacy

An important issue today

Individuals feel
- Uncomfortable: ownership of information
- Unsafe: information can be misused (e.g., identity theft)

Enterprises need to
- Keep their customers feeling safe
- Maintain good reputations
- Protect themselves from any legal dispute
- Obey legal regulations

Page 15


Definition

Privacy is the ability of a person to control the availability of information about, and exposure of, him- or herself. It is related to being able to function in society anonymously (including pseudonymous or blind credential identification).

Types of privacy giving rise to special concerns:
- Political privacy
- Consumer privacy
- Medical privacy
- Information technology end-user privacy; also called data privacy
- Private property


Data Privacy

Data privacy problems exist wherever uniquely identifiable data relating to a person or persons are collected and stored, in digital form or otherwise. Improper or non-existent disclosure control can be the root cause of privacy issues.

The most common sources of data that are affected by data privacy issues are:
- Health information
- Criminal justice
- Financial information
- Genetic information

Page 16


Data Privacy

The challenge in data privacy is to share data while protecting the personally identifiable information.
- Consider the example of health data collected from hospitals in a district; it is standard practice to share this only in aggregate form
- The idea of sharing the data in aggregate form is to ensure that only non-identifiable data are shared

The legal protection of the right to privacy in general, and of data privacy in particular, varies greatly around the world.


Data vs Information

Protecting information means protecting not only the data directly representing the information

Information must also be protected against transmission through:
- Covert channels
- Inference
  - typical of database systems
  - refers to the derivation of sensitive information from non-sensitive data

Page 17


Inference - Example

Name    Sex   Program   Units   Grade Ave
Igor    M     MIS       21      70
Homer   M     CS        7       50
Gala    F     MBA       23      68
Flora   F     MIS       16      81
Errol   M     CS        8       66
Don     M     MIS       22      75
Carol   F     CS        16      70
Bill    M     CS        15      58
Alma    F     MBA       8       63


Inference - Example

Assume that there is a policy stating that the average grade of a single student cannot be disclosed; however, statistical summaries can be disclosed.

Suppose that an attacker knows that Carol is a female CS student.

By combining the results of the following legitimate queries:

Q1: SELECT Count(*) FROM Students WHERE Sex = ‘F’ AND Programme = ‘CS’
Q2: SELECT Avg(Grade Ave) FROM Students WHERE Sex = ‘F’ AND Programme = ‘CS’

the attacker learns from Q1 that there is only one female CS student, so the value 70 returned by Q2 is precisely her average grade.
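The inference above, run against the slide's own Students table in an in-memory SQLite database, followed by the simplest countermeasure: a query-set-size control that refuses to return a statistic computed over too few rows. This is an added example, not code from the slides; the rows are copied from the slide's table, the column name `GradeAve` replaces the slide's "Grade Ave" (SQLite identifiers cannot contain a bare space), and the function names and the threshold `min_query_set` are this example's own.

```python
import sqlite3

# Rows copied from the slide's "Inference - Example" table.
STUDENTS = [
    ("Igor",  "M", "MIS", 21, 70),
    ("Homer", "M", "CS",   7, 50),
    ("Gala",  "F", "MBA", 23, 68),
    ("Flora", "F", "MIS", 16, 81),
    ("Errol", "M", "CS",   8, 66),
    ("Don",   "M", "MIS", 22, 75),
    ("Carol", "F", "CS",  16, 70),
    ("Bill",  "M", "CS",  15, 58),
    ("Alma",  "F", "MBA",  8, 63),
]


def make_db() -> sqlite3.Connection:
    """Load the slide's table into a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Students (Name TEXT, Sex TEXT, Programme TEXT, "
        "Units INTEGER, GradeAve INTEGER)"
    )
    conn.executemany("INSERT INTO Students VALUES (?, ?, ?, ?, ?)", STUDENTS)
    return conn


def q1_count(conn, sex, programme) -> int:
    """Q1 on the slide: how many students match the predicate."""
    row = conn.execute(
        "SELECT COUNT(*) FROM Students WHERE Sex = ? AND Programme = ?",
        (sex, programme),
    ).fetchone()
    return row[0]


def q2_average(conn, sex, programme):
    """Q2 on the slide: the average grade over the matching students."""
    row = conn.execute(
        "SELECT AVG(GradeAve) FROM Students WHERE Sex = ? AND Programme = ?",
        (sex, programme),
    ).fetchone()
    return row[0]


def infer_individual_grade(conn, sex, programme):
    """The inference: when the statistical query covers exactly one person,
    its 'aggregate' is that person's own value. Returns None otherwise."""
    if q1_count(conn, sex, programme) == 1:
        return q2_average(conn, sex, programme)
    return None


def guarded_average(conn, sex, programme, min_query_set=3):
    """Query-set-size control: answer statistics only over at least
    min_query_set rows, so a predicate that isolates one student gets nothing."""
    if q1_count(conn, sex, programme) < min_query_set:
        return None
    return q2_average(conn, sex, programme)


if __name__ == "__main__":
    db = make_db()
    print(infer_individual_grade(db, "F", "CS"))   # 70.0  (Carol's grade leaks)
    print(guarded_average(db, "F", "CS"))          # None  (blocked)
    print(guarded_average(db, "M", "CS"))          # 58.0  (three students)
```

A minimum query-set size stops this particular attack but is not sufficient on its own: overlapping legitimate queries (for example, all CS students versus all male CS students) can be subtracted from one another to isolate a single row again. Statistical databases therefore combine it with further controls such as limiting query overlap, adding noise, or releasing only k-anonymised data, which the later "Approaches" slide lists.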

Page 18


Technologies with Privacy Concerns

- Biometrics (DNA, fingerprints, iris) and face recognition
- Video surveillance, ubiquitous networks and sensors
- Cellular phones
- Personal robots
- DNA sequences, genomic data


Approaches

Anonymization Techniques
- Have been investigated in the areas of networks (see the Anonymity Terminology by Andreas Pfitzmann) and databases (see the notion of k-anonymity by L. Sweeney)

Privacy-Preserving Data Mining

P3P policies
- Are tailored to the specification of privacy practices by organizations and to the specification of user privacy preferences

Hippocratic Databases
- Are tailored to support privacy policies

Fine-Grained Access Control Techniques

Private Information Retrieval Techniques

Page 19


Privacy vs Security

Privacy is not just confidentiality and integrity of user data

Privacy includes other requirements:
- Support for user preferences
- Support for obligation execution
- Usability
- Proof of compliance