ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived.
ELG / CSI / SEG 2911
Professional Practice
Pratique professionnelle
TOPIC 8
Computer Crime and Security
Some of the material in these slides is derived from slides produced by Sara Baase,
the author of the “Gift of Fire” textbook, and also other professors who have taught
this course including Stan Matwin and Liam Peyton
Criminal acts using Computers:
Hacking vs. Attacking vs. other Crimes
Hacking
• Currently most widely used definition is:
—To gain illegal or unauthorized access to a file,
computer, or network
• Attacking is often used synonymously
Other computer crimes
• More general than hacking or attacking
• Includes also people with authorized access doing
unauthorized actions
—E.g. an employee with access to accounts
transferring funds into his or her bank account
EECS2911 - Lethbridge
2
Hacking
The term ‘Hacking’ has changed over time
Phase 1: early 1960s to 1970s
• A mostly positive term
—A creative programmer who wrote elegant or clever
code
—A "hack" was an especially clever piece of code
—Some still prefer to use this terminology today and
refer to others as ‘crackers’
—Later in this phase, hacking began to relate to code
that wasn’t designed to be maintainable
- Lack of engineering discipline
- A hack became a quick fix
Hacking (cont.)
Phase 2: 1970s to mid 1990s
• Hacking took on criminal connotations
• Revised consensus definition:
—Breaking into computers for which the hacker does
not have authorized access
• Still primarily individuals
• Includes the spreading of computer worms and viruses
and ‘phone phreaking’
• Companies began using hackers to analyze and improve
security
Hacking (cont.)
Phase 3: beginning with the mid 1990s
• The growth of the Web changed hacking
—viruses and worms could be spread rapidly
• Political hacking (Hacktivism) surfaced
• Denial-of-service (DoS) attacks used to shut down Web
sites
• Strongly suspected government-supported hacking
• Industrial espionage
• Large scale theft of personal and financial information
Black Hat vs. White Hat Hackers
Black hat
• Those who hack to commit crimes
White hat
• Work to test defenses
• Break in to see if it is possible, at the request of target
• One type of security consultant
Script kiddie
• Criminals that use programs written by hackers, with little skill
Grey hat
• Mostly white hat, but acknowledges some hacktivism
Hacktivism, or Political Hacking
Use of hacking to promote a political cause
Disagreement about
• Whether it is a form of civil disobedience
• How (whether) it should be punished
Some use the appearance of hacktivism to hide other criminal
activities
Discussion question
• How do you determine whether something is legitimate hacktivism
or simple vandalism?
DEF CON
The main hacker conference
• http://www.defcon.org/
Lots of discussion of hacking techniques
• Ostensibly for white hats, security companies, etc.
• But everybody knows the black hats come too
• As does law enforcement, software makers etc.
Typical Attack Methods
for Initial Break-in
Vulnerability exploits
• Makes use of code that scans for and/or makes use of a known
vulnerability, typically to run malicious code
• Programming errors that lead to vulnerabilities discussed later
Password cracking
• Running programs that try to guess or decrypt passwords
Packet sniffing
• Seeking passwords or other data on the open internet
Pharming and DNS poisoning
• Getting routers or computers to lead people to the wrong place when
an Internet address is specified
Social engineering
• Tricking people to reveal passwords, clues to passwords or
information to establish a false identity
• E.g. phishing (also used without hacking for simple fraud)
Typical Actions By Hackers
After Breaking In
Adding a payload
• Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.
Theft of data
• For sale, use in fraud or spying
• Emails, credit cards, transaction records, identity records, corporate
or military secrets
Vandalism and corruption
• Making a system not appear or behave as it should
• Setting up spoofing
—Redirecting legitimate users to an illegitimate place
• Setting up for other future hacks
Typical Actions By Hackers
After Breaking In (continued)
Executing illegitimate transactions
• E.g. Transferring funds to the hacker’s offshore account
Taking control of a device or system
• E.g. potentially damaging a power plant
Impersonating others
• Acting as if they are a legitimate user
Denial of service
• Overloading network or computational resources so legitimate users
can’t use the system
Criminal Actions can Also Be Performed by
Legitimate Users Without Hacking
Any of the actions on the previous two slides
• Embezzlement by executing illegitimate transactions
Overstepping authority
• Can be accidental or on purpose
• E.g. authorizing one’s own travel expenses
• E.g. granting oneself a pilot’s license
Motivations of Attackers
Financial gain
• E.g. Hacking into bank accounts
• E.g. Theft of identities that can be sold
Achieving personal objectives
• E.g. Granting oneself a pilot’s license
• E.g. Building a collection of pirated movies
Fun, entertainment, challenge or bragging rights
Revenge / anger / hatred
Political / military
• Private, radical group or state sponsored
Some Thoughts on Attack Frequency
A significant proportion of successful attacks are by
‘insiders’
• E.g. employees committing fraud
• Physical security can be breached
—Watching password entry over-the-shoulder, reading
written passwords, accessing the physical disk or
RAM, bypassing the network
Much attacking today is automated: Botnets
Attackers may try millions of random attacks until they
find a ‘weak link’
• They will only keep attacking one target if it is
extremely valuable
Some Methods of Catching Hackers
Law enforcement agents
• Read hacker newsletters
• Participate in chat rooms, newsgroups, blogs etc.
undercover
—Track a hacker’s “handle”
Set up and study ‘honeypots’
• Fake sites or userids that look real and attract hackers
Use computer forensics
• Retrieve evidence from computers
—E.g. logs, caches, old hard disks
Penalties for Hackers
Many young hackers have matured and gone on to
productive and responsible careers
Temptation to over- or under-punish
Sentencing depends on intent and damage done
Most young hackers receive probation, community
service, and/or fines
Hacking
Discussion Questions
Is hacking that does no direct damage or theft a
victimless crime?
Do you think hiring former hackers to enhance security
is a good idea or a bad idea?
• Why or why not?
Defense Against Attacks: Security
Internet started with open access as a means of sharing
information for research
Attitudes about security were slow to catch up with the
risks
Security is often playing catch-up to hackers as new
vulnerabilities are discovered and exploited
Responsibility for Security
Responsibility for Security
• Developers
—Responsibility to develop with security as a goal
• Businesses
—Responsibility to use security tools and monitor their
systems to prevent attacks from succeeding
• Consumers
—Responsibility to ask questions and educate
themselves on the tools to maintain security
- Using personal firewalls, anti-virus and anti-spyware
- Refraining from visiting questionable sites or downloading
questionable content
- Controlling access by children and guests
Developing Secure Systems:
A combination of factors
Dependability
• The system runs as intended under all circumstances,
even when under attack
Trustworthiness
• The system contains no vulnerabilities that can be
exploited by an attacker
Survivability
• The system protects itself from attacks actively
• Recovers from attacks, that it wasn’t able to resist or
tolerate, as quickly as possible and with as little damage
as possible
Systems thinking
A system is only as secure as its weakest link
• Can be the
—Operating system
—Reused components
—Network
—Humans
—Paper records
—Hardware
So analyse every possible aspect of the system for its
impact on security
Techniques and Technologies for Security
We will discuss each of these
• Using knowledge of attacker’s motivation and methods
• Physical security
• Firewalls
• Cryptography
• Passwords
• Biometrics
• Hardware security devices
• Concealing sensitive information
• Monitoring for suspicious activity
• Applying the principle of least privilege
• Making security usable
• Proper retention and disposition policy
• Securing the IT Infrastructure
• Backing up security using multiple methods
• Avoiding certain programming errors
Using Knowledge of Attacker Motivation and
Methods
The greater the ‘benefit’ to the attacker, the more capable
an attacker you should expect
• So invest more in security when the stakes are higher
Increase the expense of attacking
• E.g. ensure it takes more time by using more bits in
cryptographic keys
Using Knowledge of Attacker Motivation and
Methods (continued)
Increase attacker uncertainty
• Hide and randomize names and locations of resources
—Obfuscation
• Avoid clear feedback that could give clues to an attacker
about whether they are succeeding or not
• Use honeypots
—Targets that take work to attack, look as though they
have valuables, but are fake
Isolate from network if possible, or make invisible on
network
Physical Security
Protect people from sitting down at or near computers
to try attacks
• Keep doors and filing cabinets locked
• Chain computers securely to desk
• Track entry and exit of personnel using ID cards
• Employ security personnel and video surveillance
• Ensure everybody knows each other
• Maintain a clean-desk policy
• Use shields for password/pin entry
• Be careful about radio-frequency signal interception
Firewalls
Used to monitor and filter out communication from
• Untrusted sites
• Those that fit a profile of suspicious activity
Cryptography and Passwords
Both require knowledge of a secret to access a system or
data
If a password is not also encrypted, it is useless since
hackers can see the password in transmission
Major mistake:
• Sending a password in email in ‘plain-text’
Cryptography
Beware: cryptography is only one tool in security
• Some people assume it is the only or main tool
Private key cryptography
• Sender and recipient know the secret key and algorithm
Public key cryptography
• You encrypt using the public key published by the recipient
• The result can only be decrypted using a mathematically related
private key
• Cracking relies on factoring extraordinarily large numbers
—Infeasible to do this quickly, although it often can be done
—The more ‘bits’ in the key, the more computer power needed
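As an added illustration of the public-key slide above (example code written for this page, not taken from the slides): a toy RSA round trip using tiny constructed primes, beside the factoring attack the slide alludes to. The trial-division count grows like the square root of the modulus, so every two extra key bits roughly double the work, which is why real keys use thousands of bits.

```python
from math import gcd, isqrt

def keygen(p, q, e=65537):
    """Build a toy RSA key pair from two primes (constructed, far too small for real use)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e mod phi(n)
    return (n, e), (n, d)        # (public key to publish, private key to keep)

def encrypt(pub, m):
    """Anyone holding the published public key can encrypt a message m < n."""
    n, e = pub
    return pow(m, e, n)

def decrypt(priv, c):
    """Only the mathematically related private key recovers the message."""
    n, d = priv
    return pow(c, d, n)

def factor_by_trial_division(n):
    """Factor n = p*q the naive way, counting how many candidates were tried.
    Work is about sqrt(n), i.e. 2**(bits/2): each 2 extra key bits double it."""
    trials = 0
    for cand in range(2, isqrt(n) + 1):
        trials += 1
        if n % cand == 0:
            return cand, n // cand, trials
    raise ValueError("n has no non-trivial factor")

def recover_private_key(pub):
    """The 'cracking' the slide describes: factor n, then rebuild d from the factors."""
    n, e = pub
    p, q, trials = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1))), trials

if __name__ == "__main__":
    pub, priv = keygen(61, 53)
    print("round trip ok:", decrypt(priv, encrypt(pub, 65)) == 65)
    for p, q in [(61, 53), (1009, 1013)]:          # 12-bit vs 20-bit modulus
        pub, _ = keygen(p, q)
        _, t = recover_private_key(pub)
        print(f"{pub[0].bit_length()}-bit modulus: {t} trial divisions to break")
```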
Attacks on cryptographically- or password-protected systems - 1
On-line
• If the key is related to a human-created non-random
password, then try common password choices
—Dictionary words (“dictionary attacks”)
—Passwords the user has used on other systems
Off-line
• Getting a sample of the data and using a dedicated
computer to algorithmically try combinations
• For a random password and good algorithms, an attack
has to be exhaustive, making it very hard
Attacks on cryptographically- or password-protected systems - 2
As we discussed: Social engineering
Weak password-resetting protocols
• E.g. resetting password requires only access to an email
account, or simple identity information
Man-in-the-middle
• Inserting software that will relay cryptographic keys
before they are used
Keystroke logging
Attacks on cryptographically- or password-protected systems - 3
There are many hackers tools available on the Internet
• E.g. for doing dictionary attacks
• Try these against your own system to see how secure it
will be
Secure Passwords
Note that a password is rarely as secure as the number
of bits in a cryptographic key
• Not as long
• Not as random
Nevertheless encourage / require users to use
• Longer passwords (8+ characters)
• Combination of character types
—Lower/upper case, numbers, special characters
• Minimal duplicate characters
• No numbers at the end
• No password similar to a recently used password
• Not containing dictionary words
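The rules on this slide, and the slide's point that a password is rarely worth as many bits as a cryptographic key, as an added worked example (written for this page, not from the slides). The word list, the 75% distinct-character threshold and the 0.8 similarity threshold are assumptions chosen for the example.

```python
import math
import string
from difflib import SequenceMatcher

# Constructed mini word list standing in for a real dictionary.
DICTIONARY = {"password", "secret", "welcome", "letmein", "qwerty", "dragon", "monkey", "admin"}

CLASSES = {
    "lower": set(string.ascii_lowercase),    # 26
    "upper": set(string.ascii_uppercase),    # 26
    "digit": set(string.digits),             # 10
    "special": set(string.punctuation),      # 32
}

def effective_bits(pw):
    """Generous upper bound on brute-force work: len * log2(size of the character
    classes used). Compare with a 128-bit key; even 10 mixed characters give ~65 bits,
    and human-chosen passwords are far less random than that bound assumes."""
    used = [c for c, chars in CLASSES.items() if any(ch in chars for ch in pw)]
    space = sum(len(CLASSES[c]) for c in used)
    return len(pw) * math.log2(space) if space else 0.0

def check_password(pw, recent, min_len=8, min_classes=3, similarity=0.8):
    """Apply the slide's rules. Returns (accepted, problems, effective_bits).
    Numeric thresholds are assumptions for this example, not values from the slides."""
    problems = []
    if len(pw) < min_len:                                   # 8+ characters
        problems.append("too_short")
    classes_used = sum(1 for chars in CLASSES.values() if any(ch in chars for ch in pw))
    if classes_used < min_classes:                          # combination of character types
        problems.append("too_few_character_types")
    if pw and len(set(pw)) < 0.75 * len(pw):                # minimal duplicate characters
        problems.append("too_many_repeated_characters")
    if pw and pw[-1].isdigit():                             # no numbers at the end
        problems.append("ends_with_number")
    low = pw.lower()
    if any(word in low for word in DICTIONARY):             # no dictionary words
        problems.append("contains_dictionary_word")
    for old in recent:                                      # not similar to a recent password
        if SequenceMatcher(None, pw, old).ratio() >= similarity:
            problems.append("similar_to_recent_password")
            break
    return (not problems, problems, effective_bits(pw))

if __name__ == "__main__":
    for candidate in ["Password1", "Xk9#mPqvL!"]:
        ok, why, bits = check_password(candidate, recent=["Xk9#mPqvL?"])
        print(f"{candidate!r}: accepted={ok} problems={why} ~{bits:.1f} bits")
```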
Top Hat Monocle Question
Cryptography
Biometrics
Biological characteristics unique to an individual
• Cannot readily be stolen
Various types based on recognition of
• Fingerprint
• Iris
• Palm pattern
• Face
• Voice
• Signature
All have some risk of false positive and false negative
• Should be backed up by other schemes for critical applications
Hardware Devices for Security
Typical devices: Smart cards or ‘USB Dongles’
—Physical presence of device lends credence to
authenticity
—But they can be stolen or forged, so they should not
be fully relied on
Risks from devices
• E.g. USB keys or disks that harbor viruses
Concealing Sensitive Information
Use whatever methods possible to avoid exposing data
that can be used by hackers
• Do not print a full credit card number and expiration
date on receipts
• Use trusted payment services like PayPal that will act as
a third party
—allowing a customer to make a purchase without
revealing their credit card information to the vendor
Don’t reveal genealogical information until 100 years
has passed
Monitoring for Suspicious Activity
Incorporate adequate monitoring and logging so attacks can be
detected, tracked and forensically analysed
Step up security when certain changes or events occur
• Access from a new network or IP address or late at night
• Uncharacteristic purchases or amount of money spent
• Repeated failed passwords
• Very quick response to password prompt
Best to degrade access slowly
• Balance detection with blocking legitimate use
Flag accounts where fraud is suspected or more likely
• E.g. credit reports where someone has reported a theft
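The signals listed on this slide, run over a few constructed authentication log lines as an added example (written for this page, not from the slides). It also implements the "degrade access slowly" advice: one anomaly is only logged, two trigger step-up verification, three or more place a temporary hold. The log format, the baseline of known addresses and all thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline: addresses each user normally signs in from.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"192.0.2.44"}}

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T02:13:05 user=alice ip=203.0.113.9 event=login_failed rt_ms=150
2024-03-01T02:13:06 user=alice ip=203.0.113.9 event=login_failed rt_ms=140
2024-03-01T02:13:07 user=alice ip=203.0.113.9 event=login_failed rt_ms=160
2024-03-01T02:13:08 user=alice ip=203.0.113.9 event=login_ok rt_ms=155
2024-03-01T09:02:11 user=alice ip=198.51.100.7 event=login_ok rt_ms=4200
2024-03-01T14:20:00 user=bob ip=192.0.2.44 event=login_ok rt_ms=3900
"""

def parse(line):
    """'<timestamp> key=value ...' -> dict with a datetime and an int response time."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["rt_ms"] = int(rec["rt_ms"])
    return rec

def action_for(n_signals):
    """Degrade gradually instead of blocking on the first anomaly."""
    if n_signals == 0:
        return "allow"
    if n_signals == 1:
        return "allow_and_log"
    if n_signals == 2:
        return "step_up_verification"
    return "temporary_hold"

def assess(log_text, known_ips, fail_threshold=3, fast_ms=300, night_end_hour=6):
    """Return {user: {"signals": [...], "action": str}} for every user in the log."""
    failures = defaultdict(int)
    signals = defaultdict(set)
    for line in log_text.splitlines():
        r = parse(line)
        u = r["user"]
        sig = signals[u]                          # creates an entry even with no signals
        if r["ip"] not in known_ips.get(u, set()):
            sig.add("new_ip")                     # access from a new network or address
        if r["ts"].hour < night_end_hour:
            sig.add("late_night")
        if r["rt_ms"] < fast_ms:
            sig.add("fast_response")              # quicker than a human can type
        if r["event"] == "login_failed":
            failures[u] += 1
            if failures[u] >= fail_threshold:
                sig.add("repeated_failed_passwords")
        else:
            failures[u] = 0                       # a success ends the failure streak
    return {u: {"signals": sorted(s), "action": action_for(len(s))}
            for u, s in signals.items()}

if __name__ == "__main__":
    for user, verdict in assess(SAMPLE_LOG, KNOWN_IPS).items():
        print(user, verdict)
```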
Apply the Principle Of Least Privilege
Limit and control the number of legitimate users
Grant only needed privileges to users
• Principle of least privilege
• Information access on ‘need to know’ basis
• Have unused privileges expire
Ensure users know acceptable and unacceptable
practice
Make Security Usable
Balance the benefits of more onerous procedures with
the risk users will bypass them
Increasingly onerous procedures
—Requirement to use ‘strong’ passwords
—Requirement to change passwords frequently
—Requirement to use different passwords on each
system
Risk that people will write down passwords
Apply Proper Retention and Disposition
Policy
Automatically dispose of data that is no longer needed
• The more retained data, the more loss in case of a breach and the
more attractive to attackers
Examples of retention periods
• Personal (non-work) information
—Delete immediately
• Most emails and other communications
—Delete after 1 to 3 years
• Drafts and working documents
—Delete a year after the project is over and final results
confirmed
• Financial transactions and research data needed for audit
—Delete after 7 years or 10 years depending on jurisdiction
Securing the IT Infrastructure
• Require laptops to have data on board encrypted at all times
• Use ‘call home’ and ‘remote-wipe’ tools to deal with stolen
computers
• Screen savers that prompt for password after you leave the computer
for a while
• Automatic lockout when a computer isn’t where it expects to be or
finds itself not connected
• Force maximum use of anti-virus software and firewalls
• For guest use of wireless network, have time-limited individual
accounts on a separate subnet
• Disallow arbitrary software installation
• Disallow attachment of removable media
• Automatically patch all machines
• Power-up password before booting
Securing the IT Infrastructure (continued)
• Close unneeded TCP ports
• Deploy a VPN for access to network
• Back up vigorously, but secure the backups
• Update cryptographic and other techniques as vulnerabilities are
revealed
—E.g. avoid WEP on a wireless network
• Force new systems to have the securest settings enabled
• Use sandboxes and virtualization to ‘contain’ security breaches
• Securely erase / destroy old systems
• Employ an IT security officer
Backing up Security Using
Multiple Methods
Use of CAPTCHAS http://www.captcha.net/
Ability to answer pre-saved questions
• But beware of those that reveal personal information
Require use of mail and a certain phone line
• Common for activation of new accounts such as credit cards
—Requires calling from home phone number
—Checks mailing address, phone number and old card
information on record
Emailing you at another account before setting up a new one
Employ services that actually send someone to your door to see
your ID documents
• Used by banks to protect against identity theft
Avoid the CWE/SANS Most Dangerous
Programming Errors
Reference: http://www.sans.org/top25errors/
CATEGORY: Insecure Interaction Between Components
• Improper Input Validation
—E.g. allowing arbitrary html to be entered
—E.g. allowing violation of input constraints
• Improper Encoding or Escaping of Output
—E.g. hackers may be able to get one system to output a
command that will be executed by another
• Failure to Preserve SQL Query Structure (aka 'SQL Injection')
—E.g. a data string that ends an insert, followed by ‘Delete table’
• Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
—E.g. Allowing a script from an arbitrary linked site to change
contents from your site
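The SQL injection item above, as an added example written for this page (not from the slides): the "data string that ends an insert" failure beside the parameterized form that preserves query structure, run against a constructed in-memory SQLite table. The table, rows and payload are constructed for the example.

```python
import sqlite3

def fresh_db():
    """Constructed sample database: one table with two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    con.commit()
    return con

def insert_vulnerable(con, name):
    """Vulnerable: the input is pasted into the SQL text, so a value that closes
    the quoted string and the INSERT can append a second statement of its own.
    executescript stands in for any driver or stored procedure that runs batches;
    even single-statement injection can still rewrite a WHERE clause."""
    sql = "INSERT INTO users VALUES ('%s')" % name
    con.executescript(sql)

def insert_parameterized(con, name):
    """Hardened: the value travels separately from the SQL, so the driver stores
    it as data no matter what characters it contains. Query structure is fixed."""
    con.execute("INSERT INTO users VALUES (?)", (name,))
    con.commit()

def row_count(con):
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def names(con):
    return [r[0] for r in con.execute("SELECT name FROM users ORDER BY rowid")]

def demo(value):
    """Feed the same value to both versions; return (rows_after_vulnerable,
    rows_after_parameterized)."""
    v = fresh_db()
    insert_vulnerable(v, value)
    p = fresh_db()
    insert_parameterized(p, value)
    return row_count(v), row_count(p)

if __name__ == "__main__":
    print("ordinary name:", demo("carol"))                         # (3, 3)
    hostile = "x'); DELETE FROM users; --"                          # constructed payload
    print("hostile string:", demo(hostile))                        # (0, 3): table emptied vs stored as text
    p = fresh_db()
    insert_parameterized(p, hostile)
    print("stored literally by the parameterized version:", names(p)[-1])
```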
The Most Dangerous Programming Errors 2
• Failure to Preserve OS Command Structure
—'OS Command Injection'
• Cleartext Transmission of Sensitive Information
• Cross-Site Request Forgery (CSRF)
—It looks to a server that the request is coming from a
page it served
• Race Condition
—Applications behave unpredictably, giving hackers
information
• Error Message Information Leak
The Most Dangerous Programming Errors 3
CATEGORY: Risky Resource Management
• Failure to Constrain Operations within the Bounds of a
Memory Buffer
—AKA “Buffer Overflow Errors”
• External Control of Critical State Data
—E.g. cookies, files, etc. that can be manipulated by a
hacker
• External Control of File Name or Path
—E.g. If the hacker gets to choose a file name he can
type “../” to walk up the directory hierarchy
• Untrusted Search Path
—The application goes to a location of the hacker’s
choosing instead of where intended
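The "External Control of File Name or Path" item above, as an added example written for this page (not from the slides): a check that confines a client-supplied file name to a base directory, and a constructed directory layout showing which requests it allows. It goes slightly beyond the slide's "../" case by also catching absolute paths and a symlink that points outside the base. The helper name and the layout are assumptions for the example.

```python
import os
import tempfile

def safe_join(base_dir, requested):
    """Resolve a client-supplied file name inside base_dir.
    Returns the absolute path, or None if it would escape the base
    (via '..' segments, an absolute path, or a symlink pointing outside).
    Hypothetical helper written for this example."""
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so the comparison is made
    # on the path the OS would actually open, not on the text the client sent.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def demo():
    """Constructed layout: <tmp>/uploads/report.txt, <tmp>/secret.txt, and a
    symlink uploads/escape -> <tmp>/secret.txt. Returns which requests pass."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "report.txt"), "w") as f:
        f.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("private")
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(uploads, "escape"))
    requests = {
        "plain": "report.txt",
        "dotdot_inside": "sub/../report.txt",       # stays inside: allowed
        "dotdot_escape": "../secret.txt",           # walks up out of the base
        "absolute": os.path.join(root, "secret.txt"),  # join() discards the base
        "symlink_out": "escape",                    # resolves outside the base
    }
    return {label: safe_join(uploads, r) is not None for label, r in requests.items()}

if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:14s} allowed={allowed}")
```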
The Most Dangerous Programming Errors 4
• Failure to Control Generation of Code
—'Code Injection'
—Many apps generate & execute their own code
• Download of Code Without Integrity Check
—The hacker’s code gets downloaded instead
• Improper Resource Shutdown or Release
—E.g. a file is left open, then accessed by a hacker
• Improper Initialization
—A hacker may be able to initialize for you, or see
data from a previous use
• Incorrect Calculation
—Hackers take control of inputs used in numeric
calculation
The Most Dangerous Programming Errors 5
CATEGORY: Porous Defenses
• Improper Access Control (Authorization)
• Use of a Broken or Risky Cryptographic Algorithm
—E.g. WEP
• Hard-Coded Password
• Insecure Permission Assignment for Critical Resource
• Use of Insufficiently Random Values
• Execution with Unnecessary Privileges
• Client-Side Enforcement of Server-Side Security
Security in the software lifecycle
Requirements
• Ensure security needs are identified and quantified
• Threat and risk analysis
Formal specification of security properties
Design
• Follow proper design practices
Testing and quality assurance
• Rigorously inspect and test all security mechanisms
• Employ people to act as hackers to try to break system
Deployment
• Ensure safeguards are properly installed and put into use
Evolution
• Adapt as new threats become known
A useful web site on security
From the US government:
• Build security in
—https://buildsecurityin.us-cert.gov/daisy/bsi/547BSI.html
Other Computer Crimes: Auctions
Online auction sites are one of the top sources of fraud
complaints
• Some sellers do not send items or send inferior products
• Shill bidding is used to artificially raise prices
• Sellers give themselves or friends glowing reviews to
garner consumer trust
Auction sites use various techniques to counter
dishonest sellers
Other Computer Crimes
Click fraud
• Repeated clicking on an ad to either increase a site’s revenue or to
use up a competitor's advertising budget
Stock fraud
• Most common method is to buy a stock low, send out e-mails urging
others to buy, and then sell when the price goes up, usually only for
a short time
Digital Forgery
• New technologies (scanners and high quality printers) are used to
create fake checks, passports, visas, birth certificates, etc., with little
skill and investment
Whose Laws Rule the Web?
When Digital Actions Cross Borders:
• Laws vary from country to country
• Corporations that do business in multiple countries must
comply with the laws of all the countries involved
• Someone whose actions are legal in their own country
may face prosecution in another country where their
actions are illegal
An International Treaty:
The Convention on Cybercrime
International agreement to foster international cooperation among
law enforcement agencies of different countries in fighting
• Copyright violations
• Pornography
• Fraud
• Other online fraud
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm
Includes Europe, US, Canada, Japan
Sets common standards or ways to resolve international cases