ELG / CSI / SEG 2911 Professional Practice / Pratique professionnelle

TOPIC 8: Computer Crime and Security

Some of the material in these slides is derived from slides produced by Sara Baase, the author of the "Gift of Fire" textbook, and also from other professors who have taught this course, including Stan Matwin and Liam Peyton.

Criminal Acts Using Computers: Hacking vs. Attacking vs. Other Crimes

Hacking
• Currently the most widely used definition is:
—To gain illegal or unauthorized access to a file, computer, or network
• "Attacking" is often used synonymously

Other computer crimes
• More general than hacking or attacking
• Also includes people with authorized access performing unauthorized actions
—E.g. an employee with access to accounts transferring funds into his or her own bank account

EECS2911 - Lethbridge 2

Hacking

The term "hacking" has changed over time

Phase 1: early 1960s to 1970s
• A mostly positive term
—A creative programmer who wrote elegant or clever code
—A "hack" was an especially clever piece of code
—Some still prefer this terminology today and refer to intruders as "crackers"
—Later in this phase, "hacking" also came to describe code that wasn't designed to be maintainable
- Lack of engineering discipline
- A hack became a quick fix

Hacking (cont.)

Phase 2: 1970s to mid 1990s
• Hacking took on criminal connotations
• Revised consensus definition:
—Breaking into computers for which the hacker does not have authorized access
• Still primarily individuals
• Includes the spreading of computer worms and viruses, and "phone phreaking"
• Companies began using hackers to analyze and improve security

Hacking (cont.)
Phase 3: beginning in the mid 1990s
• The growth of the Web changed hacking
—Viruses and worms could be spread rapidly
• Political hacking (hacktivism) surfaced
• Denial-of-service (DoS) attacks used to shut down Web sites
• Strongly suspected government-supported hacking
• Industrial espionage
• Large-scale theft of personal and financial information

Black Hat vs. White Hat Hackers

Black hat
• Those who hack to commit crimes
White hat
• Work to test defenses
• Break in to see if it is possible, at the request of the target
• One type of security consultant
Script kiddie
• Criminals with little skill who use programs written by others
Grey hat
• Mostly white hat, but engages in or condones some hacktivism

Hacktivism, or Political Hacking

Use of hacking to promote a political cause
Disagreement about
• Whether it is a form of civil disobedience
• How (or whether) it should be punished
Some use the appearance of hacktivism to hide other criminal activities
Discussion question
• How do you determine whether something is legitimate hacktivism or simple vandalism?

DEF CON

The main hacker conference
• http://www.defcon.org/
Lots of discussion of hacking techniques
• Ostensibly for white hats, security companies, etc.
• But everybody knows the black hats come too
• As do law enforcement, software makers, etc.
Typical Attack Methods for Initial Break-in

Vulnerability exploits
• Code that scans for and/or makes use of a known vulnerability, typically to run malicious code
• The programming errors that lead to vulnerabilities are discussed later
Password cracking
• Running programs that guess passwords, or recover them from captured password hashes
Packet sniffing
• Capturing passwords or other data sent unencrypted over the network
Pharming and DNS poisoning
• Getting routers or computers to send people to the wrong place when an Internet address is entered
Social engineering
• Tricking people into revealing passwords, clues to passwords, or information that can be used to establish a false identity
• E.g. phishing (also used without hacking for simple fraud)

Typical Actions by Hackers After Breaking In

Adding a payload
• Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.
Theft of data
• For sale, or for use in fraud or spying
• Emails, credit cards, transaction records, identity records, corporate or military secrets
Vandalism and corruption
• Making a system not appear or behave as it should
• Setting up spoofing
—Redirecting legitimate users to an illegitimate place
• Setting up for other future hacks

Typical Actions by Hackers After Breaking In (continued)

Executing illegitimate transactions
• E.g. transferring funds to the hacker's offshore account
Taking control of a device or system
• E.g. potentially damaging a power plant
Impersonating others
• Acting as if they were a legitimate user
Denial of service
• Overloading network or computational resources so legitimate users can't use the system

Criminal Actions Can Also Be Performed by Legitimate Users Without Hacking

Any of the actions on the previous two slides
• E.g. embezzlement by executing illegitimate transactions
Overstepping authority
• Can be accidental or on purpose
• E.g. authorizing one's own travel expenses
• E.g.
granting oneself a pilot's license

Motivations of Attackers

Financial gain
• E.g. hacking into bank accounts
• E.g. theft of identities that can be sold
Achieving personal objectives
• E.g. granting oneself a pilot's license
• E.g. building a collection of pirated movies
Fun, entertainment, challenge or bragging rights
Revenge / anger / hatred
Political / military
• Private, radical group or state sponsored

Some Thoughts on Attack Frequency

A significant proportion of successful attacks are by "insiders"
• E.g. employees committing fraud
• Physical security can be breached
—Watching password entry over the shoulder, reading written-down passwords, accessing the physical disk or RAM, bypassing the network
Much attacking today is automated: botnets
Attackers may try millions of random attacks until they find a "weak link"
• They will only keep attacking one target if it is extremely valuable

Some Methods of Catching Hackers

Law enforcement agents
• Read hacker newsletters
• Participate in chat rooms, newsgroups, blogs, etc. undercover
—Track a hacker's "handle"
Set up and study "honeypots"
• Fake sites or user IDs that look real and attract hackers
Use computer forensics
• Retrieve evidence from computers
—E.g. logs, caches, old hard disks

Penalties for Hackers

Many young hackers have matured and gone on to productive and responsible careers
Temptation to over- or under-punish
Sentencing depends on intent and damage done
Most young hackers receive probation, community service, and/or fines

Hacking Discussion Questions

Is hacking that does no direct damage or theft a victimless crime?
Do you think hiring former hackers to enhance security is a good idea or a bad idea?
• Why or why not?
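The "Password cracking" method listed above (programs that guess passwords, or recover them from captured hashes) can be made concrete with an offline dictionary attack. The following Python is an added example written for this page, not code from the course or its textbook; the wordlist and the "stolen" account store are constructed for the demonstration, and the PBKDF2 iteration count is set low only so that it runs quickly. It recovers the two dictionary-word passwords from an unsalted MD5 store with one hash per candidate, then runs the same attack against a salted, iterated store to show where the cost goes, and why the random password is only reachable by exhaustive search.

```python
import hashlib
import os

# Constructed wordlist standing in for the multi-million-entry lists attackers
# download; the attack is identical, only the size differs.
WORDLIST = ["password", "letmein", "qwerty", "summer2010", "monkey", "ottawa"]

# Constructed "stolen" account database. dave chose a long random password
# that appears in no wordlist.
ACCOUNTS = {"alice": "letmein", "bob": "summer2010", "dave": "k7#pQw9!zL2mX4vB"}

# Deliberately low so the demo finishes instantly; real deployments use far
# more rounds (assumption for this example, not a figure from the slides).
ITERATIONS = 1000


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2(password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_unsalted_md5(accounts):
    """Weak scheme: one fast, unsalted hash per password."""
    return {user: md5_hex(pw) for user, pw in accounts.items()}


def store_salted_pbkdf2(accounts, iterations=ITERATIONS):
    """Stronger scheme: a random per-user salt and a deliberately slow hash."""
    store = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2(pw, salt, iterations), iterations)
    return store


def crack_unsalted_md5(store, wordlist):
    """Offline dictionary attack. Without salts, each candidate is hashed once
    and compared against every stolen hash at the same time, so the cost is
    len(wordlist) hashes however many accounts leaked."""
    lookup = {md5_hex(w): w for w in wordlist}
    recovered = {user: lookup[h] for user, h in store.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted_pbkdf2(store, wordlist):
    """The same attack against salted, iterated hashes. Every candidate must be
    re-hashed for each user (the salts differ) and each hash costs `iterations`
    rounds, so the work is users * guesses * iterations, and a password that is
    in no wordlist can only be found by exhaustive search."""
    recovered = {}
    work = 0
    for user, (salt, digest, iterations) in store.items():
        for guess in wordlist:
            work += iterations
            if pbkdf2(guess, salt, iterations) == digest:
                recovered[user] = guess
                break
    return recovered, work


def demo():
    weak, weak_work = crack_unsalted_md5(store_unsalted_md5(ACCOUNTS), WORDLIST)
    strong, strong_work = crack_salted_pbkdf2(store_salted_pbkdf2(ACCOUNTS), WORDLIST)
    return weak, weak_work, strong, strong_work


if __name__ == "__main__":
    weak, weak_work, strong, strong_work = demo()
    print("unsalted MD5:  recovered %s with %d hash computations" % (weak, weak_work))
    print("salted PBKDF2: recovered %s with %d hash rounds" % (strong, strong_work))
```

Run it directly to see the recovered accounts and the work counts: the unsalted store falls to six MD5 computations no matter how many accounts leaked, while the salted store costs a full PBKDF2 run per user per guess, and dave's random password survives both.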
Defense Against Attacks: Security

The Internet started with open access as a means of sharing information for research
Attitudes about security were slow to catch up with the risks
Security is often playing catch-up with attackers as new vulnerabilities are discovered and exploited

Responsibility for Security

• Developers
—Responsibility to develop with security as a goal
• Businesses
—Responsibility to use security tools and monitor their systems to prevent attacks from succeeding
• Consumers
—Responsibility to ask questions and educate themselves on the tools that maintain security
- Using personal firewalls, anti-virus and anti-spyware software
- Refraining from visiting questionable sites or downloading questionable content
- Controlling access by children and guests

Developing Secure Systems: A Combination of Factors

Dependability
• The system runs as intended under all circumstances, even when under attack
Trustworthiness
• The system contains no vulnerabilities that can be exploited by an attacker
Survivability
• The system actively protects itself from attacks
• Recovers from attacks that it wasn't able to resist or tolerate, as quickly as possible and with as little damage as possible

Systems Thinking

A system is only as secure as its weakest link
• The weakest link can be the
—Operating system
—Reused components
—Network
—Humans
—Paper records
—Hardware
So analyse every aspect of the system for its impact on security

Techniques and Technologies for Security

We will discuss each of these
• Using knowledge of the attacker's motivation and methods
• Physical security
• Firewalls
• Cryptography
• Passwords
• Biometrics
• Hardware security devices
• Concealing sensitive information
• Monitoring for suspicious activity
• Applying the principle of least privilege
• Making security usable
• Proper retention and disposition policy
• Securing
the IT infrastructure
• Backing up security using multiple methods
• Avoiding certain programming errors

Using Knowledge of Attacker Motivation and Methods

The more "benefit" there is for the attacker, the more capable an attacker to expect
• So invest more in security when the stakes are higher
Increase the expense of attacking
• E.g. ensure it takes more time by using more bits in cryptographic keys

Using Knowledge of Attacker Motivation and Methods (continued)

Increase attacker uncertainty
• Hide and randomize the names and locations of resources
—Obfuscation
• Avoid clear feedback that could give an attacker clues about whether they are succeeding or not
• Use honeypots
—Targets that take work to attack and look as though they hold valuables, but are fake
Isolate from the network if possible, or make invisible on the network

Physical Security

Prevent people from sitting down at or near computers to try attacks
• Keep doors and filing cabinets locked
• Chain computers securely to desks
• Track entry and exit of personnel using ID cards
• Employ security personnel and video surveillance
• Ensure everybody knows each other
• Maintain a clean-desk policy
• Use shields for password/PIN entry
• Be careful about radio-frequency signal interception

Firewalls

Used to monitor and filter out communication from
• Untrusted sites
• Sources that fit a profile of suspicious activity

Cryptography and Passwords

Both require knowledge of a secret to access a system or data
If a password is sent over an unencrypted connection it is as good as public, since anyone on the network path can read it in transit
Major mistake:
• Sending a password in email in plain text

Cryptography

Beware: cryptography is only one tool in security
• Some people assume it is the only or main tool
Private (secret) key cryptography
• Sender and recipient share the same secret key (the algorithm itself is not the secret)
Public key cryptography
• You encrypt
using the public key published by the recipient
• The result can only be decrypted using a mathematically related private key
• For RSA, the most common such system, cracking relies on factoring extraordinarily large numbers
—Infeasible to do quickly for properly sized keys, although small keys have been factored
—The more bits in the key, the more computing power needed

Attacks on Cryptographically- or Password-Protected Systems - 1

On-line
• If the key is derived from a human-chosen, non-random password, then try common password choices
—Dictionary words ("dictionary attacks")
—Passwords the user has used on other systems
Off-line
• Obtaining a copy of the data (e.g. the stored password hashes) and using a dedicated computer to try combinations algorithmically
• For a random password and good algorithms, an attack has to be exhaustive, making it very hard

Attacks on Cryptographically- or Password-Protected Systems - 2

As we discussed: social engineering
Weak password-resetting protocols
• E.g. resetting a password requires only access to an email account, or simple identity information
Man-in-the-middle
• Interposing between the two parties so that each exchanges keys with the attacker, who can then read and relay the traffic
Keystroke logging

Attacks on Cryptographically- or Password-Protected Systems - 3

There are many hacker tools available on the Internet
• E.g.
for doing dictionary attacks
• Try these against your own system to see how secure it will be

Secure Passwords

Note that a password is rarely as secure as the number of bits in a cryptographic key
• Not as long
• Not as random
Nevertheless, encourage / require users to use
• Longer passwords (8 characters as a minimum; longer is better)
• A combination of character types
—Lower/upper case, numbers, special characters
• Minimal duplicate characters
• No numbers at the end
• No password similar to a recently used password
• No dictionary words

Biometrics

Biological characteristics unique to an individual
• Harder to steal than a password, though unlike a password they cannot be changed if they are ever copied
Various types based on recognition of
• Fingerprint
• Iris
• Palm pattern
• Face
• Voice
• Signature
All have some risk of false positives and false negatives
• Should be backed up by other schemes for critical applications

Hardware Devices for Security

Typical devices: smart cards or "USB dongles"
—Physical possession of the device lends credence to authenticity
—But they can be stolen or forged, so they should not be fully relied on
Risks from devices
• E.g.
USB keys or disks that harbor viruses

Concealing Sensitive Information

Use whatever methods possible to avoid exposing data that can be used by hackers
• Do not print a full credit card number and expiration date on receipts
• Use trusted payment services like PayPal that act as a third party
—Allowing a customer to make a purchase without revealing their credit card information to the vendor
Don't reveal genealogical information until 100 years have passed

Monitoring for Suspicious Activity

Incorporate adequate monitoring and logging so attacks can be detected, tracked and forensically analysed
Step up security when certain changes or events occur
• Access from a new network or IP address, or late at night
• Uncharacteristic purchases or amount of money spent
• Repeated failed passwords
• Very quick response to a password prompt (faster than a person could type)
Best to degrade access gradually
• Balance detection against blocking legitimate use
Flag accounts where fraud is suspected or more likely
• E.g.
credit reports where someone has reported a theft

Apply the Principle of Least Privilege

Limit and control the number of legitimate users
Grant only needed privileges to users
• Principle of least privilege
• Information access on a "need to know" basis
• Have unused privileges expire
Ensure users know acceptable and unacceptable practice

Make Security Usable

Balance the benefits of more onerous procedures against the risk that users will bypass them
Increasingly onerous procedures
—Requirement to use "strong" passwords
—Requirement to change passwords frequently
—Requirement to use different passwords on each system
Risk that people will write down passwords

Apply a Proper Retention and Disposition Policy

Automatically dispose of data that is no longer needed
• The more data retained, the greater the loss in case of a breach, and the more attractive the target to attackers
Examples of retention periods
• Personal (non-work) information
—Delete immediately
• Most emails and other communications
—Delete after 1 to 3 years
• Drafts and working documents
—Delete a year after the project is over and the final results confirmed
• Financial transactions and research data needed for audit
—Delete after 7 or 10 years, depending on jurisdiction

Securing the IT Infrastructure

• Require laptops to have on-board data encrypted at all times
• Use "call home" and "remote wipe" tools to deal with stolen computers
• Screen savers that prompt for a password after you leave the computer for a while
• Automatic lockout when a computer isn't where it expects to be or finds itself not connected
• Force maximum use of anti-virus software and firewalls
• For guest use of the wireless network, have time-limited individual accounts on a separate subnet
• Disallow arbitrary software installation
• Disallow attachment of removable media
• Automatically patch all machines
• Power-up password before booting
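The step-up signals on the "Monitoring for Suspicious Activity" slide above can be implemented as a small scoring pass over the login log. The following Python is an added example for this page (not the course's code); the log lines, their field format, the thresholds and the four graded actions are all assumptions made for the demonstration. It walks the log in order, keeps per-user state (addresses seen on admitted logins, current failure streak), scores each attempt on the signals the slide lists, and maps the score to a response that degrades gradually rather than blocking outright.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed login-log sample (not real data): alice has two normal logins,
# then a scripted guessing run hits her account from a new address at night;
# bob is an ordinary first-time login.
SAMPLE_LOG = """\
2011-03-02T09:12:01 user=alice ip=10.0.0.5 result=OK rt_ms=4200
2011-03-02T17:45:33 user=alice ip=10.0.0.5 result=OK rt_ms=3900
2011-03-03T02:14:05 user=alice ip=198.51.100.7 result=FAIL rt_ms=90
2011-03-03T02:14:06 user=alice ip=198.51.100.7 result=FAIL rt_ms=85
2011-03-03T02:14:07 user=alice ip=198.51.100.7 result=FAIL rt_ms=88
2011-03-03T02:14:08 user=alice ip=198.51.100.7 result=OK rt_ms=91
2011-03-03T08:30:00 user=bob ip=10.0.0.9 result=OK rt_ms=5100
"""

LINE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\w+) ip=(?P<ip>[\d.]+) "
    r"result=(?P<result>OK|FAIL) rt_ms=(?P<rt>\d+)$"
)

# Tunable thresholds (assumptions for this example).
QUICK_RESPONSE_MS = 300            # faster than a person can read the prompt and type
NIGHT_HOURS = set(range(0, 6)) | {23}
FAIL_STREAK_LIMIT = 3


def parse_line(line):
    m = LINE.match(line)
    if m is None:
        raise ValueError("unrecognized log line: %r" % line)
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["rt"] = int(e["rt"])
    return e


def action_for(score):
    """Graded response: the higher the score, the more the user is asked for;
    only the strongest combination of signals locks the account outright."""
    if score == 0:
        return "allow"
    if score == 1:
        return "allow+log"
    if score <= 3:
        return "require second factor"
    return "lock account"


def analyze(log):
    """Walk the log in order with per-user state and return a tuple
    (user, result, score, reasons, action) for every attempt."""
    known_ips = defaultdict(set)
    fail_streak = defaultdict(int)
    decisions = []
    for line in log.splitlines():
        e = parse_line(line)
        user = e["user"]
        score, reasons = 0, []
        # A new address only means something once the user has a history.
        if known_ips[user] and e["ip"] not in known_ips[user]:
            score += 1
            reasons.append("new ip")
        if e["ts"].hour in NIGHT_HOURS:
            score += 1
            reasons.append("late night")
        if e["rt"] < QUICK_RESPONSE_MS:
            score += 1
            reasons.append("quick response")
        streak = fail_streak[user] + (1 if e["result"] == "FAIL" else 0)
        if streak >= FAIL_STREAK_LIMIT:
            score += 2
            reasons.append("repeated failures")
        action = action_for(score)
        decisions.append((user, e["result"], score, reasons, action))
        # State update: failures extend the streak; a success only becomes
        # "known" behaviour if it was admitted without a challenge.
        if e["result"] == "FAIL":
            fail_streak[user] = streak
        else:
            fail_streak[user] = 0
            if action in ("allow", "allow+log"):
                known_ips[user].add(e["ip"])
    return decisions


if __name__ == "__main__":
    for user, result, score, reasons, action in analyze(SAMPLE_LOG):
        print("%-5s %-4s score=%d %-45s -> %s" % (user, result, score, reasons, action))
```

Note that the attacker's eventual correct guess (the final OK from 198.51.100.7) is still answered with a lock because the failure streak and the other signals are evaluated before the credential result is trusted; the normal daytime logins are never challenged.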
Securing the IT Infrastructure (continued)

• Close unneeded TCP ports
• Deploy a VPN for access to the network
• Back up vigorously, but secure the backups
• Update cryptographic and other techniques as vulnerabilities are revealed
—E.g. avoid WEP on a wireless network
• Force new systems to have the most secure settings enabled
• Use sandboxes and virtualization to "contain" security breaches
• Securely erase / destroy old systems
• Employ an IT security officer

Backing Up Security Using Multiple Methods

Use of CAPTCHAs
• http://www.captcha.net/
Ability to answer pre-saved questions
• But beware of questions whose answers reveal, or can be found from, personal information
Require use of mail and a particular phone line
• Common for activation of new accounts such as credit cards
—Requires calling from the home phone number
—Checks mailing address, phone number and old card information on record
Emailing you at another account before setting up a new one
Employ services that actually send someone to your door to see your ID documents
• Used by banks to protect against identity theft

Avoid the CWE/SANS Most Dangerous Programming Errors

Reference: http://www.sans.org/top25errors/

CATEGORY: Insecure Interaction Between Components
• Improper Input Validation
—E.g. allowing arbitrary HTML to be entered
—E.g. allowing violation of input constraints
• Improper Encoding or Escaping of Output
—E.g. hackers may be able to get one system to output a command that will be executed by another
• Failure to Preserve SQL Query Structure (aka "SQL Injection")
—E.g. a data string that closes the insert statement, followed by a "delete" statement
• Failure to Preserve Web Page Structure (aka "Cross-site Scripting")
—E.g.
allowing a script from an arbitrary linked site to change the contents of your site

The Most Dangerous Programming Errors 2

• Failure to Preserve OS Command Structure
—"OS Command Injection"
• Cleartext Transmission of Sensitive Information
• Cross-Site Request Forgery (CSRF)
—It looks to a server as if the request is coming from a page it served
• Race Condition
—A timing window, e.g. between a check and the use of its result, that makes the application behave unpredictably and that an attacker can exploit
• Error Message Information Leak

The Most Dangerous Programming Errors 3

CATEGORY: Risky Resource Management
• Failure to Constrain Operations within the Bounds of a Memory Buffer
—AKA "Buffer Overflow Errors"
• External Control of Critical State Data
—E.g. cookies, files, etc. that can be manipulated by a hacker
• External Control of File Name or Path
—E.g. if the hacker gets to choose a file name, he can type "../" to walk up the directory hierarchy
• Untrusted Search Path
—The application goes to a location of the hacker's choosing instead of where intended

The Most Dangerous Programming Errors 4

• Failure to Control Generation of Code
—"Code Injection"
—Many apps generate and execute their own code
• Download of Code Without Integrity Check
—The hacker's code gets downloaded instead
• Improper Resource Shutdown or Release
—E.g. a file is left open, then accessed by a hacker
• Improper Initialization
—A hacker may be able to initialize for you, or see data from a previous use
• Incorrect Calculation
—Hackers take control of inputs used in a numeric calculation, e.g. an integer overflow in a size computation

The Most Dangerous Programming Errors 5

CATEGORY: Porous Defenses
• Improper Access Control (Authorization)
• Use of a Broken or Risky Cryptographic Algorithm
—E.g.
WEP
• Hard-Coded Password
• Insecure Permission Assignment for Critical Resource
• Use of Insufficiently Random Values
• Execution with Unnecessary Privileges
• Client-Side Enforcement of Server-Side Security

Security in the Software Lifecycle

Requirements
• Ensure security needs are identified and quantified
• Threat and risk analysis
• Formal specification of security properties
Design
• Follow proper design practices
Testing and quality assurance
• Rigorously inspect and test all security mechanisms
• Employ people to act as hackers to try to break the system
Deployment
• Ensure safeguards are properly installed and put into use
Evolution
• Adapt as new threats become known

A Useful Web Site on Security

From the US government:
• Build Security In
—https://buildsecurityin.us-cert.gov/daisy/bsi/547BSI.html

Other Computer Crimes: Auctions

Online auction sites are one of the top sources of fraud complaints
• Some sellers do not send items, or send inferior products
• Shill bidding is used to artificially raise prices
• Sellers give themselves or friends glowing reviews to garner consumer trust
Auction sites use various techniques to counter dishonest sellers

Other Computer Crimes

Click fraud
• Repeated clicking on an ad, either to increase a site's revenue or to use up a competitor's advertising budget
Stock fraud
• The most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time
Digital forgery
• New technologies (scanners and high-quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment

Whose Laws Rule the Web?
When digital actions cross borders:
• Laws vary from country to country
• Corporations that do business in multiple countries must comply with the laws of all the countries involved
• Someone whose actions are legal in their own country may face prosecution in another country where those actions are illegal

An International Treaty: The Convention on Cybercrime

International agreement to foster cooperation among the law enforcement agencies of different countries in fighting
• Copyright violations
• Child pornography
• Fraud
• Other computer-related crime
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
Signatories include European countries, the US, Canada and Japan
Sets common standards and ways to resolve international cases
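Two of the errors in the CWE/SANS list above, SQL injection (the "data string that ends an insert, followed by a delete") and external control of a file path (the "../" walk up the directory tree), shown with the vulnerable form beside the hardened one. The following Python is an added example for this page, not code from the course or from SANS; the table, the attacker input and the temporary directory layout are constructed for the demonstration, and the in-memory SQLite database stands in for any SQL backend.

```python
import os
import sqlite3
import tempfile

# Constructed attacker input for the SQL example: closes the INSERT's string
# and statement, then appends the destructive statement the slide describes.
SQL_PAYLOAD = "harmless'); DELETE FROM notes; --"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO notes (body) VALUES ('existing note')")
    conn.commit()
    return conn


def insert_vulnerable(conn, body):
    # Query text assembled by string formatting: the input becomes part of the
    # SQL, so its quotes and semicolons change the statement's structure.
    # executescript() runs several statements in one call, as many database
    # APIs do; sqlite3's execute() would refuse the second statement.
    conn.executescript("INSERT INTO notes (body) VALUES ('%s')" % body)


def insert_parameterized(conn, body):
    # Placeholder binding: the value travels separately from the query text,
    # so the same input is stored literally and never parsed as SQL.
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    conn.commit()


def note_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]


def demo_sql_injection():
    """Returns (rows left after the vulnerable insert, rows after the safe one)."""
    vuln, safe = fresh_db(), fresh_db()
    insert_vulnerable(vuln, SQL_PAYLOAD)
    insert_parameterized(safe, SQL_PAYLOAD)
    return note_bodies(vuln), note_bodies(safe)


def read_file_vulnerable(base_dir, name):
    # The caller-supplied name is joined blindly, so "../" walks out of base_dir.
    with open(os.path.join(base_dir, name)) as f:
        return f.read()


def read_file_safe(base_dir, name):
    # Resolve both paths (realpath also follows symlinks) and refuse anything
    # whose resolved location is not inside base_dir.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes base directory: %r" % name)
    with open(target) as f:
        return f.read()


def demo_path_traversal():
    """Returns (what the vulnerable reader leaked, whether the safe reader
    refused the traversal, what the safe reader returns for a normal name)."""
    # Constructed layout: base/public is the only directory users may read.
    with tempfile.TemporaryDirectory() as base:
        public = os.path.join(base, "public")
        os.mkdir(public)
        with open(os.path.join(public, "hello.txt"), "w") as f:
            f.write("hello")
        with open(os.path.join(base, "secret.txt"), "w") as f:
            f.write("top secret")
        leaked = read_file_vulnerable(public, "../secret.txt")
        try:
            read_file_safe(public, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        normal = read_file_safe(public, "hello.txt")
        return leaked, blocked, normal


if __name__ == "__main__":
    print("SQL injection (vulnerable rows, safe rows):", demo_sql_injection())
    print("path traversal (leaked, blocked, normal):", demo_path_traversal())
```

The vulnerable insert leaves the table empty, because the injected DELETE ran as a second statement; the parameterized insert stores the whole payload as an ordinary string next to the existing row. For the file reader, the check is on the resolved path rather than on the presence of "../" in the name, so encoded or symlinked variants of the same escape are caught too.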