Essential Computer Security: CSCD 396
Essential Computer Security
Fall 2009
Lecture 2 - Security Overview
Reading: Chapter 1
Overview
Learning Objectives
Become acquainted with the threats
Look at popular statistics reports
Understand why computer security is difficult
Learn basic security definitions
Motivation for Computer Security
Most people have the attitude: why should I care?
So, why should you care?
Motivation for Computer Security
So, why should you care?
Threats are real!
Identity theft, malware, stolen resources for
botnets, credit card theft
Privacy ... corporate and government threats
You need to know your right to protect your privacy!!!
Look at a few statistics to motivate the need for computer security
Symantec Report
Symantec Notes 2008/2009 trends
Web-based attacks continue to be very popular
Popular, trusted sites with a large number of visitors can yield thousands of compromises from a single attack
In 2008, a huge increase in malware available
Symantec: the number of signatures for their anti-malware products increased substantially
Summer 2009
Michael Jackson's death, and Farrah Fawcett's too
Hundreds of spammed-out fake news links resulted in drive-by downloads of malware
Symantec Signatures
1,656,227 signatures is a 165% increase over 2007
More Symantec Stats
Phishing incentive is largely financial
More Symantec Stats
Once attackers have obtained financial information or other personal details
Names, addresses, and government identification numbers
They frequently sell the data on the underground economy
Most popular item for sale ... credit card numbers
Organized groups have figured out ways to use those cards to obtain and use those funds
More Symantec Stats
Some groups in the underground economy specialize in manufacturing blank plastic cards with magnetic stripes
These can be encoded with stolen credit card and bank card data
Requires a highly organized level of sophistication: cards are often produced in one country, imprinted, and then shipped to the countries where the stolen data originated
More Symantec Stats
Popularity of items for sale on underground economy
Trojan Named Gozi
In 2007, the SecureWorks Security Research Group discovered a new Trojan that captured credentials for several Internet banking and e-commerce websites
http://www.secureworks.com/research/threats/gozi/
The Trojan, Gozi, forwarded captured credentials to an online database, where they were being sold to the highest bidder
SecureWorks Security Research Group uncovered a cache of stolen information
Over 10,000 account records containing
Online banking user credentials
Patient healthcare information
Employee login information for confidential government and law enforcement applications
Further investigation found the data offered for sale by Russian hackers for amounts totaling over $2 million
Conficker Worm
In 2009, a new threat, a new worm!
Also known as Downup, Downadup, Conflicker, and Kido
SRI researchers reported in March 2009 that a cumulative census of Conficker.A indicates it affected more than 4.7 million IP addresses, while Conficker.B has affected 6.7 million IP addresses
The exploit used by Conficker has been known since September 2008
Chinese hackers were reportedly the first to produce a commercial package selling this exploit (for $37.80)
Conficker Worm
The exploit causes Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication
Spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers
The worm uses a specially crafted RPC request to execute code on the target computer
Affects systems with firewalls enabled, but which operate with print and file sharing enabled
A patch for this vulnerability was released by Microsoft on October 23, 2008
CSI/FBI Cybercrime survey
Annual CSI Study 2009: the cost of cybercrime is still high
http://www.personal.utulsa.edu/~james-childress/cs5493/CSISurvey/CSISurvey2009.pdf
Interesting in that fewer respondents will answer the losses questions ... data for this past year show a decrease in losses, but still up over two years ago
Average annual losses of $234,000 in the past year, up from the $168,000 they reported two years ago
43% of the overall respondents said that they had suffered a security incident
33% said their organizations had supposedly originated phishing attacks
Financial fraud was the source of the greatest financial loss: > $450,000
AVG Security Software Predictions 2008
1. Web exploits and web-based social engineering attacks
Viruses will continue to be a threat; also expect an explosion of exploits through social engineering and Web 2.0 attacks in 2008
2. Storm Worm on the rise. Orchestrated attacks are expected across multiple platforms.
3. Email-propagated viruses. Many novice users remain unaware of email security issues and continue to open attachments from senders they do not know or click on unsafe hyperlinks.
4. Web exploits targeting trusted web sites
5. With increasing adoption of Microsoft's latest operating system, Vista will become a bigger and thus more tempting target for the bad guys
Return from the Dead: Exploits that come back
Links to exploits that return again and again
Gozi
http://www.trustdefender.com/blog/2010/02/28/gozi-a-perfect-example-of-an-older-trojan-re-inventing-itself/
Storm Worm
http://community.ca.com/blogs/securityadvisor/archive/2010/04/26/the-come-back-of-storm-worm.aspx
Conficker
http://www.zdnet.com/blog/hardware/making-sense-of-the-latest-conficker-update/4131
Difficulty of Computer Security
General Comments
Online security mirrors offline security
Motivation and psychology are the same in the online and offline worlds
Where there is money, there is crime
The difference between online and offline is that it is harder to track, capture and convict online criminals
Plus, several aspects of online attacks magnify their effects
Computer Security is Difficult
Why do you think this is true?
Computer Security is Difficult
Why is this so?
1. Automation of attacks
Tools enable attackers to access thousands of computers quickly
Slammer worm, 2003: infected 75,000 computers in 11 minutes, and continued to scan 55 million computers / sec
Blaster worm, 2003: infected 138,000 computers in the first 4 hours, and over 1.4 million computers in total
Computer Security is Difficult
2. Sophistication of attacks
Convergence of threats through sophisticated tools
MPack and other Trojans exhibit this trait
Once installed, they can be used to view confidential information that can then be used in identity theft or fraud
They can also be used to launch phishing attacks or to host phishing Web sites
Finally, they can be used as spam zombies
Computer Security is Difficult
3. Software vulnerabilities are increasing
Hard for software vendors to keep up with the vulnerabilities discovered: less than 6 days from discovery of a vulnerability to creation of an exploit
CMU/CERT Software Vulnerabilities (http://www.cert.org/stats/)
Year    Vulnerabilities
1995    171
2005    5990
Computer Security is Difficult
4. Zero Day attacks
A vulnerability discovered by the attacker, not the developer, so there is a zero-day grace period: the developer must scramble to find the vulnerability and patch it
Example:
A hacker released attack code that exploited an unpatched vulnerability in Apple's QuickTime a week after the company updated the media player to plug nine other serious vulnerabilities, September 18, 2008
Apple had updated the player five times since the beginning of 2008, and fixed more than 30 flaws!!
Computer Security is Difficult
5. No Borders, No Boundaries
Attackers can be distant from their targets
Instead of worrying about criminals in your home town, worry about all criminals in the world
And, how do you prosecute people across country borders?
Think this is easy?
Computer Security is Difficult
5. No Borders, No Boundaries
Example: In 1995, a 29-year-old hacker from Russia made $12,000,000 breaking into Citibank computers
Most of the money was later recovered, but extraditing the hacker from Russia to stand trial was difficult
He was later apprehended in London and extradited to the US to stand trial
Got three years ... see link at end of lecture
Computer Security is Difficult
6. Technique Propagation
Attacks are published so everyone can use them
Damage can grow exponentially
Only a few skilled people are needed; many use their exploits, and this amplifies the damage of attacks
So, search Google for the string "How to write a virus?"
Comes back with 17,100,000 hits!
Some good advice on writing RFID viruses
Computer Security is Difficult
7. Badly designed security controls: users are required to make security decisions
Most users do not have enough knowledge to make the kind of decisions they are required to make
How many will click Cancel?
Computer Security Defined
Definitions
Information Security
Information security: protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction
The terms information security, computer security and information assurance are frequently used interchangeably
http://en.wikipedia.org/wiki/Information_security
Definitions
Three common attributes of computer security
What are they?
1. Confidentiality
Example?
Confidentiality is preventing disclosure of information to unauthorized individuals or systems
Example: a credit card transaction on the Internet
The system enforces confidentiality by encrypting the card number during transmission or limiting the places where it might appear
Definitions
2. Integrity
Integrity means that data cannot be modified without authorization
Example?
Integrity is violated
When an employee (accidentally or with malicious intent) deletes important data files
When a computer virus infects a computer
When an employee is able to modify his own salary in a payroll database
When an unauthorized user vandalizes a web site
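Added example, not part of the lecture: a small Python program that demonstrates the two mechanisms from the confidentiality and integrity slides above, limiting where a credit card number appears (masking) and detecting an unauthorized salary change in a payroll record with an HMAC. The key, the card number and the payroll record are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real system would load this from a key store,
# never hard-code it in source.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def mask_card_number(pan: str) -> str:
    """Confidentiality: limit the places where the full card number appears.

    Only the last four digits are kept for display (receipts, logs);
    every other digit is replaced, so a leaked copy is of little use."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number has an implausible length")
    return "*" * (len(digits) - 4) + digits[-4:]


def sign_record(record: dict) -> str:
    """Integrity: compute an HMAC-SHA256 tag over a canonical JSON form.

    sort_keys and fixed separators make the encoding deterministic, so the
    same logical record always produces the same tag."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str) -> bool:
    """Return True only if the record is unchanged since it was signed.

    compare_digest avoids leaking the mismatch position via timing."""
    return hmac.compare_digest(sign_record(record), tag)


# Constructed payroll record, like the one in the integrity example above.
PAYROLL = {"employee_id": 1042, "name": "A. Example", "salary": 52000}
PAYROLL_TAG = sign_record(PAYROLL)


def salary_change_detected(new_salary: int) -> bool:
    """Simulate an employee editing their own salary without re-signing;
    the stored tag no longer matches, so the modification is detected."""
    tampered = dict(PAYROLL, salary=new_salary)
    return not verify_record(tampered, PAYROLL_TAG)


if __name__ == "__main__":
    print(mask_card_number("4111 1111 1111 1111"))  # ************1111
    print(verify_record(PAYROLL, PAYROLL_TAG))      # True
    print(salary_change_detected(152000))           # True
```

The HMAC only detects modification by someone without the key, so the key itself must be kept out of reach of the employees whose records it protects.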
Definitions
3. Availability
Information must be available when it is needed
High-availability systems aim to remain available at all times, preventing service disruptions due to power outages, hardware failures, and system upgrades
Example of violation?
Ensuring availability also involves preventing denial-of-service (DoS) attacks
See this in the following slide ...
DDoS Attack Example
July 21, 2008: the Web site for the president of Georgia was knocked offline by a distributed denial-of-service (DDoS) attack
Another in a series of cyberattacks against countries experiencing political friction with Russia
Georgia's presidential Web site was down for about a day, starting early Saturday until Sunday
Network experts said the attack was executed by a botnet
Definition of Botnet
http://www.pcmag.com/encyclopedia_term/0,2542,t=botnet&i=38866,00.asp
Another DDoS Attack Example
February 16th, 2007
The anti-phishing group CastleCops.com was knocked out by a massive DDoS
The volunteer-driven site, run by a husband and wife team, had been coping with on-and-off attacks since February 13
An intense wave that began around 3:45 PM EST completely crippled the server capacity
CastleCops.com had just celebrated its fifth anniversary as a high-profile anti-malware community
Comment: This site ceased operation Dec. 2008
More Definitions
Vulnerability
How would you define it?
A security exposure in an operating system or other system software or application software component
Security firms maintain databases of vulnerabilities based on the version number of the software
If exploited, each vulnerability can potentially compromise the system or network
For a database of common vulnerabilities and exposures, visit http://icat.nist.gov/icat.cfm
More Definitions
Assets
In business and accounting, assets are everything owned by a person or company that can be converted into cash
Personally, anything that has value
Assets typically need to be protected
Part of the problem is
Information is not considered an asset!
More Definitions
Exploit
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability
Its purpose is to cause unintended or unanticipated behavior to occur on computer software or hardware
Gaining control of a computer system, or allowing privilege escalation or a denial-of-service attack
More Definitions
Exploit
Examples of Current Active Exploits
Zeus Trojan: steals your personal data
BackDoor-DTN: Trojan that has rootkit capabilities
Allows the attacker to gain Administrator privileges
This backdoor also has password-stealing capabilities and can log keystrokes on the system
Many others ... see the viruslist.com link in the references
Sum up Definitions
Attackers look for vulnerabilities in systems
Typically in software, but others exist
Once they find a vulnerability, they use an exploit of some kind to gain access to the system
They are looking for assets that have value
Information assets are things like SSNs, credit card information or other information that leads to identity theft
Other assets are the use of computers to create botnets
References
Wiki page on Russian Hacker
http://en.wikipedia.org/wiki/Vladimir_Levin
Symantec Security Threat Report
http://www.symantec.com/business/theme.jsp?themeid=threatreport
Law Firm IT Manager Shows Gozi Video to Backdoor Service
http://lawfirmit.blogspot.com/2009/04/video-gozi-trojan.html
AVG Software Threats 2008
http://www.net-security.org/secworld.php?id=5703
CSI/FBI Annual Computer Security Survey
http://www.gocsi.com/forms/csi_survey.jhtml;jsessionid=WAEOHNS1JTLLTQE1GHPSKH4ATMY32JVN
References Continued
Zeus Trojan: nasty exploit
http://itknowledgeexchange.techtarget.com/security-bytes/zeus-trojan-evades-antivirus-software-trusteer-says/
BackDoor-DTN Trojan
http://www.esecurityplanet.com/alerts/article.php/3808996/36-BackDoor-DTN-Trojan-Exploits-Microsoft-Flaw-to-Give-Attacker-Admin-Privileges.htm
VirusList Site for Listing current infections
http://www.viruslist.com/
Questions for Monday
Next Monday, we will have a discussion during the second part of class
I want you to look up answers to the following questions
Type or write down some answers, including references
You will be turning in this paper!
Be prepared to discuss them in class
Questions for next Monday
Come prepared to discuss
1. What is the most common software vulnerability?
2. Why is this software vulnerability still a problem?
3. Name a known exploit that happened this last year. How extensive was the damage? Who was targeted?
4. Report on a computer security related problem that happened to you or someone else you know
Cite your references!!
The End
Next Time: Attackers
Monday - Book, Chapters 1, 3, 16 (optional 7)
Wed: There is a Lab this week!!!
Read the material in preparation for the lab
See Lab1 under Labs