CS363Week 6 - Friday

Last time

What did we talk about last time? Viruses and other malicious code

Questions?

Project 1

Security Tidbit 1

You guys probably don't use online dating tools much (yet)

Tinder is an app for iOS and Android that uses your Facebook network and geographic location to suggest matches If both matched people "like" the other, the

app allows them to communicate Include Security discovered that it was

possible to use the Tinder API to track the location of any user

The vulnerability was known for months and finally fixed around the beginning of 2014

Follow the story: http://www.net-security.org/secworld.php?

id=16391

Security Tidbit 2

A leaked NSA document viewed by Der Spiegel contained a 50-page catalog of hardware and software exploits made by the ANT division of the NSA for their Tailored Access Operations (TAO) It reads like a product brochure and even has prices! http://www.spiegel.de/international/world/catalog-

reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

Many of the details date from 2008 There is presumably a newer catalog now Bruce Schneier has been discussing some of the

more interesting items in the catalog

Security Tidbit 2 (continued)

CANDYGRAM is one of the exploits Schneier recently discussed

It's hardware and software that pretends to be a GSM cell tower

When a phone on a target list gets close enough to it, the phone connects to the "tower" and NSA agents receive SMS messages

Of course, the NSA can get data from cell phone providers

But this might be faster when working in the field

Cost: $40,000 More information:

https://www.schneier.com/blog/archives/2014/02/candygram_nsa_e.html

Exam 1 Post-Mortem

Virus Case Studies

The Internet Worm

In 1988 Robert Morris, a Cornell graduate student, wrote an worm that infected a lot of the Internet that existed at that time

Serious connectivity issues happened because of the worm and because people disconnected uninfected system

He claimed the point was the measure the size of the Internet

The worm’s goal:1. Determine where it could spread to2. Spread its infection3. Remain undiscovered

Determining where to spread It tried to find user accounts on the host

machine It tried 432 common passwords and

compared their hash to the list of password hashes

Ideally, this list should not have been visible It tried to exploit a bug in the fingerd

program (using a buffer overflow) and a trapdoor in the sendmail mail program Both were known vulnerabilities that should

have been patched

Spreading infection

Once a target was found, the worm would send a short loader program to the target machine

The program (99 lines of C) would compile and then get the rest of the virus

It would use a one-time password to talk to the host

If the host got the wrong password, it would break connection

This mechanism was to prevent outsiders from gaining access to the worm’s code

Remain undiscovered

Any errors in transmission would cause the loader to delete any code and exit

As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies

It periodically changed its name and process identifier so that it would be harder to spot

What happened

The worm would ask machines if they were already infected

Because of a flaw in the code, it would reinfect machines 1 out of 7 times

Huge numbers of copies of the worm started filling infected machines System and network performance dropped

Estimates of the damage are between $100,000 and $97 million Morris was fined $10,000 and sentenced to 400 hours of

community service The CERT was formed to deal with similar

problems

Code Red

Code Red appeared in 2001 It infected a quarter of a million systems

in 9 hours It is estimated that it infected 1/8 of the

systems that were vulnerable It exploited a vulnerability by

creating a buffer overflow in a DLL in the Microsoft Internet Information Server software

It only worked on systems running an MS web server, but many machines did by default

Versions

The original version of Code Red defaced the website that was being run

Then, it tried to spread to other machines on days 1-19 of a month

Then, it did a distributed denial of service attack on whitehouse.gov on days 20-27

Later versions attacked random IP addresses

It also installed a trap door so that infected systems could be controlled from the outside

Targeted Malicious Code

Trapdoors

A trapdoor is a way to access functionality that is not documented

They are often inserted during development for testing purposes

Sometimes a trapdoor is because of error cases that are not correctly checked or handled

Causes of trapdoors

Intentionally created trapdoors can exist in production code when developers: Forget to remove them Intentionally leave them in for testing Intentionally leave them in for

maintenance Intentionally leave them in as a covert

means of access to the production system

Salami attacks

I have never heard this term before I read this book

This is the Office Space attack Steal tiny amounts of money when a cent is

rounded in financial transactions Or, steal a few cents from millions of

people Steal more if the account hasn’t been used

much The rewards can be huge, and these kinds

of attacks are hard to catch

The Sony XCP rootkit

A rootkit is malicious code that gives an attacker access to a system as root (a privileged user) and hides from detection

Sony put a program on music CDs called XCP (extended copy protection) which allowed users to listen to the CD on Windows but not rip its contents

It installed itself without the user’s knowledge It had to have control over Windows and be hard to

remove It would hide the presence of any program starting

with the name $sys$, but malicious users could take advantage of that

Privilege escalation

Most programs are supposed to execute with some kind of baseline privileges Not the high level privileges needed to change system

data Windows Vista, 7, and 8 ask you if you want to

have privileges escalated Some times you can be tricked Symantec needed high level privileges to run Live

Update Unfortunately, it ran some local programs with high

privileges If a malicious user had replaced those local programs

with his own, ouch

Keystroke logging

It’s possible to install software that logs all the keystrokes a user enters

If designed correctly, these values come from the keyboard drivers, so all data (including passwords) is visible

There are also hardware keystroke loggers Most are around $40 Is your keyboard free from a logger?

Quiz

Upcoming

Next time…

Controls against program threats OS security Omar Mustardo presents

Reminders

Read Sections 4.1 through 4.4Finish Project 1

Due tonight!