Date post: 30-Mar-2015
Page 1: ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived.

ELG / CSI / SEG 2911 Professional Practice

Pratique professionnelle

TOPIC 8

Computer Crime and Security

Some of the material in these slides is derived from slides produced by Sara Baase, the author of the “Gift of Fire” textbook, and also other professors who have taught this course including Stan Matwin and Liam Peyton

EECS2911 - Lethbridge 2

Criminal acts using Computers: Hacking vs. Attacking vs. other Crimes

Hacking

• Currently most widely used definition is:

—To gain illegal or unauthorized access to a file, computer, or network

• Attacking is often used synonymously

Other computer crimes

• More general than hacking or attacking

• Includes also people with authorized access doing unauthorized actions

—E.g. an employee with access to accounts transferring funds into his or her bank account


Hacking

The term ‘Hacking’ has changed over time

Phase 1: early 1960s to 1970s

• A mostly positive term

—A creative programmer who wrote elegant or clever code

—A "hack" was an especially clever piece of code

—Some still prefer to use this terminology today and refer to others as ‘crackers’

—Later in this phase, hacking began to relate to code that wasn’t designed to be maintainable

- Lack of engineering discipline

- A hack became a quick fix


Hacking (cont.)

Phase 2: 1970s to mid 1990s

• Hacking took on criminal connotations

• Revised consensus definition:

—Breaking into computers for which the hacker does not have authorized access

• Still primarily individuals

• Includes the spreading of computer worms and viruses and ‘phone phreaking’

• Companies began using hackers to analyze and improve security


Hacking (cont.)

Phase 3: beginning with the mid 1990s

• The growth of the Web changed hacking

—viruses and worms could be spread rapidly

• Political hacking (Hacktivism) surfaced

• Denial-of-service (DoS) attacks used to shut down Web sites

• Strongly suspected government-supported hacking

• Industrial espionage

• Large scale theft of personal and financial information


Black Hat vs. White Hat Hackers

Black hat

• Those who hack to commit crimes

White hat

• Work to test defenses

• Break in to see if it is possible, at the request of target

• One type of security consultant

Script kiddie

• Criminals that use programs written by hackers, with little skill

Grey hat

• Mostly white hat, but acknowledges some hacktivism


Hacktivism, or Political Hacking

Use of hacking to promote a political cause

Disagreement about

• Whether it is a form of civil disobedience

• How (whether) it should be punished

Some use the appearance of hacktivism to hide other criminal activities

Discussion question

• How do you determine whether something is legitimate hacktivism or simple vandalism?


DEF CON

The main hacker conference

• http://www.defcon.org/

Lots of discussion of hacking techniques

• Ostensibly for white hats, security companies, etc.

• But everybody knows the black hats come too

• As does law enforcement, software makers etc.


Typical Attack Methods for Initial Break-in

Vulnerability exploits

• Makes use of code that scans for and/or makes use of a known vulnerability, typically to run malicious code

• Programming errors that lead to vulnerabilities discussed later

Password cracking

• Running programs that try to guess or decrypt passwords

Packet sniffing

• Seeking passwords or other data on the open internet

Pharming and DNS poisoning

• Getting routers or computers to lead people to the wrong place when an Internet address is specified

Social engineering

• Tricking people to reveal passwords, clues to passwords or information to establish a false identity

• E.g. phishing (also used without hacking for simple fraud)


Typical Actions By Hackers After Breaking In

Adding a payload

• Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.

Theft of data

• For sale, use in fraud or spying

• Emails, credit cards, transaction records, identity records, corporate or military secrets

Vandalism and corruption

• Making a system not appear or behave as it should

• Setting up spoofing

—Redirecting legitimate users to an illegitimate place

• Setting up for other future hacks


Typical Actions By Hackers After Breaking In (continued)

Executing illegitimate transactions

• E.g. Transferring funds to the hacker’s offshore account

Taking control of a device or system

• E.g. potentially damaging a power plant

Impersonating others

• Acting as if they are a legitimate user

Denial of service

• Overloading network or computational resources so legitimate users can’t use the system


Criminal Actions can Also Be Performed by Legitimate Users Without Hacking

Any of the actions on the previous two slides

• Embezzlement by executing illegitimate transactions

Overstepping authority

• Can be accidental or on purpose

• E.g. authorizing one’s own travel expenses

• E.g. granting oneself a pilot’s license


Motivations of Attackers

Financial gain

• E.g. Hacking into bank accounts

• E.g. Theft of identities that can be sold

Achieving personal objectives

• E.g. Granting oneself a pilot’s license

• E.g. Building a collection of pirated movies

Fun, entertainment, challenge or bragging rights

Revenge / anger / hatred

Political / military

• Private, radical group or state sponsored


Some Thoughts on Attack Frequency

A significant proportion of successful attacks are by ‘insiders’

• E.g. employees committing fraud

• Physical security can be breached

—Watching password entry over-the-shoulder, reading written passwords, accessing the physical disk or RAM, bypassing the network

Much attacking today is automated: Botnets

Attackers may try millions of random attacks until they find a ‘weak link’

• They will only keep attacking one target if it is extremely valuable


Some Methods of Catching Hackers

Law enforcement agents

• Read hacker newsletters

• Participate in chat rooms, newsgroups, blogs etc. undercover

—Track a hacker’s “handle”

Set up and study ‘honeypots’

• Fake sites or userids that look real and attract hackers

Use computer forensics

• Retrieve evidence from computers

—E.g. logs, caches, old hard disks


Penalties for Hackers

Many young hackers have matured and gone on to productive and responsible careers

Temptation to over- or under-punish

Sentencing depends on intent and damage done

Most young hackers receive probation, community service, and/or fines


Hacking: Discussion Questions

Is hacking that does no direct damage or theft a victimless crime?

Do you think hiring former hackers to enhance security is a good idea or a bad idea?

• Why or why not?


Defense Against Attacks: Security

Internet started with open access as a means of sharing information for research

Attitudes about security were slow to catch up with the risks

Security is often playing catch-up to hackers as new vulnerabilities are discovered and exploited


Responsibility for Security

• Developers

—Responsibility to develop with security as a goal

• Businesses

—Responsibility to use security tools and monitor their systems to prevent attacks from succeeding

• Consumers

—Responsibility to ask questions and educate themselves on the tools to maintain security

- Using personal firewalls, anti-virus and anti-spyware

- Refraining from visiting questionable sites or downloading questionable content

- Controlling access by children and guests


Developing Secure Systems: A combination of factors

Dependability

• The system runs as intended under all circumstances, even when under attack

Trustworthiness

• The system contains no vulnerabilities that can be exploited by an attacker

Survivability

• The system protects itself from attacks actively

• Recovers from attacks, that it wasn’t able to resist or tolerate, as quickly as possible and with as little damage as possible


Systems thinking

A system is only as secure as its weakest link

• Can be the

—Operating system

—Reused components

—Network

—Humans

—Paper records

—Hardware

So analyse every possible aspect of the system for its impact on security


Techniques and Technologies for Security

We will discuss each of these

• Using knowledge of attacker’s motivation and methods

• Physical security

• Firewalls

• Cryptography

• Passwords

• Biometrics

• Hardware security devices

• Concealing sensitive information

• Monitoring for suspicious activity

• Applying the principle of least privilege

• Making security usable

• Proper retention and disposition policy

• Securing the IT Infrastructure

• Backing up security using multiple methods

• Avoiding certain programming errors


Using Knowledge of Attacker Motivation and Methods

The more ‘benefit’ there is for the attacker, the more capable an attacker you should expect

• So invest more in security when stakes are higher

Increase the expense of attacking

• E.g. ensure it takes more time by using more bits in cryptographic keys


Using Knowledge of Attacker Motivation and Methods (continued)

Increase attacker uncertainty

• Hide and randomize names and locations of resources

—Obfuscation

• Avoid clear feedback that could give clues to an attacker about whether they are succeeding or not

• Use honeypots

—Targets that take work to attack, look as though they have valuables, but are fake

Isolate from network if possible, or make invisible on network


Physical Security

Protect people from sitting down at or near computers to try attacks

• Keep doors and filing cabinets locked

• Chain computers securely to desk

• Track entry and exit of personnel using ID cards

• Employ security personnel and video surveillance

• Ensure everybody knows each other

• Maintain a clean-desk policy

• Use shields for password/pin entry

• Be careful about radio-frequency signal interception


Firewalls

Used to monitor and filter out communication from

• Untrusted sites

• Those that fit a profile of suspicious activity


Cryptography and Passwords

Both require knowledge of a secret to access a system or data

If a password is not also encrypted, it is useless since hackers can see the password in transmission

Major mistake:

• Sending a password in email in ‘plain-text’


Cryptography

Beware: cryptography is only one tool in security

• Some people assume it is the only or main tool

Private key cryptography

• Sender and recipient know the secret key and algorithm

Public key cryptography

• You encrypt using the public key published by the recipient

• The result can only be decrypted using a mathematically related private key

• Cracking relies on factoring extraordinarily large numbers

—Infeasible to do this quickly, although often can be done

—The more ‘bits’ in the key, the more computer power needed
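The public-key points on this slide, and the earlier one about making attacks cost more by using more key bits, can be seen in a few lines of textbook RSA. This is an added example, not code from the slides or their authors; the primes are constructed and absurdly small so that the "cracking" step (factoring n back into p and q) can actually be run and its cost compared across key sizes.

```python
import math

# Added example (not from the slides): textbook RSA with deliberately tiny
# constructed primes, to show why breaking it reduces to factoring n and why
# longer keys cost an attacker more work.


def generate_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes p and q (assumed prime)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)           # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)         # public key, private key


def encrypt(public_key, message):
    """Anyone with the public key can do this step."""
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(private_key, ciphertext):
    """Only the holder of the mathematically related private key can reverse it."""
    n, d = private_key
    return pow(ciphertext, d, n)


def factor_by_trial_division(n):
    """Recover p and q from n the naive way; also returns how many divisions it took.

    This is the step the slide calls 'cracking': once n is factored, the
    private exponent follows from phi exactly as in generate_keypair.
    """
    divisions = 0
    for candidate in range(2, math.isqrt(n) + 1):
        divisions += 1
        if n % candidate == 0:
            return candidate, n // candidate, divisions
    raise ValueError("n has no non-trivial factor")


def factoring_work(p, q):
    """Bit length of n and divisions needed to factor it, for comparing key sizes."""
    n = p * q
    return n.bit_length(), factor_by_trial_division(n)[2]
```

With p = 61 and q = 53 the modulus is 12 bits and falls to trial division in 52 divisions; with p = 1009 and q = 1013 it is 20 bits and needs 1008. Real keys are 2048 bits or more, which is what turns "often can be done" into "infeasible to do quickly".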


Attacks on cryptographically- or password-protected systems - 1

On-line

• If the key is related to a human-created non-random password, then try common password choices

—Dictionary words (“dictionary attacks”)

—Passwords the user has used on other systems

Off-line

• Getting a sample of the data and using a dedicated computer to algorithmically try combinations

• For a random password and good algorithms, an attack has to be exhaustive, making it very hard


Attacks on cryptographically- or password-protected systems - 2

As we discussed: Social engineering

Weak password-resetting protocols

• E.g. resetting password requires only access to an email account, or simple identity information

Man-in-the-middle

• Inserting software that will relay cryptographic keys before they are used

Keystroke logging


Attacks on cryptographically- or password-protected systems - 3

There are many hacker tools available on the Internet

• E.g. for doing dictionary attacks

• Try these against your own system to see how secure it will be


Secure Passwords

Note that a password is rarely as secure as the number of bits in a cryptographic key

• Not as long

• Not as random

Nevertheless encourage / require users to use

• Longer passwords (8+ characters)

• Combination of character types

—Lower/upper case, numbers, special characters

• Minimal duplicate characters

• No numbers at the end

• No password similar to a recently used password

• Not containing dictionary words
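The rules on this slide are the kind of thing a registration form checks before accepting a new password. The checker below is an added example, not code from the slides or their authors; the word list, the thresholds (three character types, at most a quarter repeated characters, 70% similarity to a recent password) and the rule names are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "ottawa"}

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def contains_dictionary_word(password, min_len=4):
    """Case-insensitive substring check against the word list."""
    low = password.lower()
    return any(w in low for w in DICTIONARY if len(w) >= min_len)


def similarity(a, b):
    """0.0 (nothing in common) to 1.0 (identical), via longest common blocks."""
    return SequenceMatcher(None, a, b).ratio()


def check_password(password, recent_passwords=(), min_length=8, min_classes=3,
                   max_duplicate_fraction=0.25, max_similarity=0.7):
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < min_classes:
        problems.append(f"uses only {classes} character types (need {min_classes})")
    duplicates = len(password) - len(set(password))
    if password and duplicates / len(password) > max_duplicate_fraction:
        problems.append("too many repeated characters")
    if re.search(r"[0-9]+$", password):
        problems.append("ends with digits")
    for old in recent_passwords:
        if similarity(password.lower(), old.lower()) >= max_similarity:
            problems.append("too similar to a recently used password")
            break
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    return problems
```

Comparing against recent passwords requires that the old values (or something comparable to them) still be available at change time, which is itself a design decision; comparing against stored one-way hashes only catches exact reuse, not near-duplicates.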

Top Hat Monocle Question

Cryptography


Biometrics

Biological characteristics unique to an individual

• Cannot readily be stolen

Various types based on recognition of

• Fingerprint

• Iris

• Palm pattern

• Face

• Voice

• Signature

All have some risk of false positive and false negative

• Should be backed up by other schemes for critical applications


Hardware Devices for Security

Typical devices: Smart cards or ‘USB Dongles’

—Physical presence of device lends credence to authenticity

—But they can be stolen or forged, so they should not be fully relied on

Risks from devices

• E.g. USB keys or disks that harbor viruses


Concealing Sensitive Information

Use whatever methods possible to avoid exposing data that can be used by hackers

• Do not print a full credit card number and expiration date on receipts

• Use trusted payment services like PayPal that will act as a third party

—allowing a customer to make a purchase without revealing their credit card information to the vendor

Don’t reveal genealogical information until 100 years has passed


Monitoring for Suspicious Activity

Incorporate adequate monitoring and logging so attacks can be detected, tracked and forensically analysed

Step up security when certain changes or events occur

• Access from a new network or IP address or late at night

• Uncharacteristic purchases or amount of money spent

• Repeated failed passwords

• Very quick response to password prompt

Best to degrade access slowly

• Balance detection with blocking legitimate use

Flag accounts where fraud is suspected or more likely

• E.g. credit reports where someone has reported a theft
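The warning signs and the "degrade access slowly" advice on this slide translate directly into a scoring rule over an authentication log. The code below is an added example, not code from the slides or their authors: the log lines, the users' known addresses, the weights, the failure threshold, the 0.5-second "too fast" limit and the two score cut-offs are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not from any real system).
# Each line: ISO timestamp, user, source IP, outcome, seconds from prompt to answer.
SAMPLE_LOG = """\
2015-03-30T09:02:11 alice 192.0.2.10 ok 3.4
2015-03-30T09:15:40 alice 192.0.2.10 ok 2.9
2015-03-30T02:13:05 alice 198.51.100.7 fail 0.2
2015-03-30T02:13:06 alice 198.51.100.7 fail 0.2
2015-03-30T02:13:07 alice 198.51.100.7 fail 0.1
2015-03-30T02:13:09 alice 198.51.100.7 ok 0.2
2015-03-30T14:20:00 bob 192.0.2.55 ok 4.1
"""

# Addresses each user has logged in from before (assumed prior history).
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.55"}}

# Assumed weights for the slide's warning signs; tune to the environment.
WEIGHTS = {"new_ip": 2, "late_night": 1, "repeated_failures": 3, "too_fast": 2}
FAILURE_THRESHOLD = 3        # consecutive failures that count as "repeated"
FAST_RESPONSE_SECONDS = 0.5  # quicker than a person typing a password


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome, secs = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "ok": outcome == "ok", "secs": float(secs)})
    return events


def score_event(event, consecutive_failures, known_ips):
    """Score one login attempt against the warning signs; returns (score, reasons)."""
    reasons = []
    if event["ip"] not in known_ips.get(event["user"], set()):
        reasons.append("new_ip")
    if event["time"].hour < 6:
        reasons.append("late_night")
    if consecutive_failures >= FAILURE_THRESHOLD:
        reasons.append("repeated_failures")
    if event["secs"] < FAST_RESPONSE_SECONDS:
        reasons.append("too_fast")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Degrade access gradually instead of blocking at the first sign."""
    if score >= 6:
        return "block_and_alert"
    if score >= 3:
        return "require_second_factor"
    return "allow"


def analyse(text, known_ips=KNOWN_IPS):
    """Run a log through the scorer; returns (time, user, score, decision, reasons) per event."""
    failures = defaultdict(int)
    decisions = []
    for ev in parse_log(text):
        if not ev["ok"]:
            failures[ev["user"]] += 1
        score, reasons = score_event(ev, failures[ev["user"]], known_ips)
        decisions.append((ev["time"].isoformat(), ev["user"], score, decide(score), reasons))
        if ev["ok"]:
            failures[ev["user"]] = 0          # a success ends the failure run
    return decisions
```

On the sample log alice's daytime logins from her usual address pass, the 2 a.m. attempts from a new address with sub-second responses are pushed to a second factor, and once three failures have accumulated the run (and the success that follows it) is blocked and alerted on. The successful login after the failures is exactly the event a forensic analyst wants logged with all its reasons, which is why the decision record keeps them.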


Apply the Principle Of Least Privilege

Limit and control the number of legitimate users

Grant only needed privileges to users

• Principle of least privilege

• Information access on ‘need to know’ basis

• Have unused privileges expire

Ensure users know acceptable and unacceptable practice
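"Grant only what is needed" and "have unused privileges expire" are easy to state and easy to get wrong in an authorization layer, so here is a small default-deny store that implements both. It is an added example, not code from the slides or their authors; the 90-day lapse period, the user and privilege names and the demo timeline are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy: a privilege that has not been exercised for 90 days lapses.
UNUSED_EXPIRY = timedelta(days=90)
DEMO_START = datetime(2015, 3, 30)


class PrivilegeStore:
    """Default-deny authorization with explicit grants that expire through non-use."""

    def __init__(self):
        # (user, privilege) -> last time the privilege was granted or used
        self._grants = {}

    def grant(self, user, privilege, now):
        self._grants[(user, privilege)] = now

    def revoke(self, user, privilege):
        self._grants.pop((user, privilege), None)

    def authorize(self, user, privilege, now):
        """Allow only if explicitly granted and not lapsed; using it keeps it alive."""
        last = self._grants.get((user, privilege))
        if last is None:
            return False, "not granted"
        if now - last > UNUSED_EXPIRY:
            del self._grants[(user, privilege)]       # lapse: drop the stale grant
            return False, "expired through non-use"
        self._grants[(user, privilege)] = now
        return True, "ok"

    def active_privileges(self, user, now):
        """What the user can currently do; useful for periodic access reviews."""
        return sorted(p for (u, p), last in self._grants.items()
                      if u == user and now - last <= UNUSED_EXPIRY)


def run_demo(start=DEMO_START):
    """Walk through grant, use, lapse and default deny; returns the outcomes."""
    store = PrivilegeStore()
    store.grant("alice", "read_payroll", start)
    store.grant("alice", "approve_expenses", start)

    def day(n):
        return start + timedelta(days=n)

    return {
        "used_within_window": store.authorize("alice", "read_payroll", day(30)),
        "never_granted": store.authorize("alice", "approve_own_expenses", day(30)),
        "lapsed": store.authorize("alice", "approve_expenses", day(100)),
        "kept_alive_by_use": store.authorize("alice", "read_payroll", day(100)),
        "remaining": store.active_privileges("alice", day(100)),
    }
```

Note the asymmetry: a privilege nobody asked for is denied with "not granted", not by an absent entry in an allow-list somewhere else, and a privilege that was granted but never used disappears on its own rather than waiting for someone to remember to revoke it.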


Make Security Usable

Balance the benefits of more onerous procedures with the risk users will bypass them

Increasingly onerous procedures

—Requirement to use ‘strong’ passwords

—Requirement to change passwords frequently

—Requirement to use different passwords on each system

Risk that people will write down passwords


Apply Proper Retention and Disposition Policy

Automatically dispose of data that is no longer needed

• The more retained data, the more loss in case of a breach and the more attractive to attackers

Examples of retention periods

• Personal (non-work) information

—Delete immediately

• Most emails and other communications

—Delete after between 1-3 years

• Drafts and working documents

—Delete a year after the project is over and final results confirmed

• Financial transactions and research data needed for audit

—Delete after 7 years or 10 years depending on jurisdiction
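The retention table on this slide becomes a disposition policy once each rule is written down as a category and a period, and a scheduled job can then list what is due for deletion. The code below is an added example, not code from the slides or their authors; where the slide gives a range (1-3 years, 7 or 10 years) a concrete value is assumed, and the record inventory is constructed.

```python
from datetime import date, timedelta

# Retention periods from the slide; where it gives a range a concrete value is assumed.
RETENTION_RULES = {
    "personal": timedelta(days=0),                # delete immediately
    "communication": timedelta(days=2 * 365),     # emails etc.: assumed 2 years
    "working_document": timedelta(days=365),      # one year after project close
    "financial_audit": timedelta(days=7 * 365),   # assumed 7-year jurisdiction
}

DEMO_TODAY = date(2015, 3, 30)

# Constructed record inventory; "project_closed" applies to working documents.
SAMPLE_RECORDS = [
    {"id": "r1", "category": "personal", "created": date(2015, 3, 29)},
    {"id": "r2", "category": "communication", "created": date(2012, 1, 10)},
    {"id": "r3", "category": "communication", "created": date(2014, 6, 1)},
    {"id": "r4", "category": "working_document", "created": date(2012, 5, 5),
     "project_closed": date(2014, 9, 1)},
    {"id": "r5", "category": "financial_audit", "created": date(2007, 1, 1)},
    {"id": "r6", "category": "financial_audit", "created": date(2010, 1, 1)},
    {"id": "r7", "category": "unknown", "created": date(2000, 1, 1)},
]


def disposal_date(record):
    """Earliest date the record may be deleted, or None if no rule applies."""
    rule = RETENTION_RULES.get(record["category"])
    if rule is None:
        return None                      # unclassified: keep, but flag for review
    start = record["created"]
    if record["category"] == "working_document":
        start = record["project_closed"]  # the clock starts when the project ends
    return start + rule


def records_to_dispose(records, today=DEMO_TODAY):
    """IDs whose retention period has run out as of today."""
    due = []
    for r in records:
        d = disposal_date(r)
        if d is not None and d <= today:
            due.append(r["id"])
    return due


def records_needing_review(records):
    """Records with no retention rule: these accumulate breach exposure until classified."""
    return [r["id"] for r in records if disposal_date(r) is None]
```

The unclassified record is deliberately not deleted and not retained silently either: it is surfaced, because data that nobody has assigned a retention period to is exactly the data that tends to sit around for a decade.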


Securing the IT Infrastructure

• Require laptops to have data on board encrypted at all times

• Use ‘call home’ and ‘remote-wipe’ tools to deal with stolen computers

• Screen savers that prompt for password after you leave the computer for a while

• Automatic lockout when a computer isn’t where it expects to be or finds itself not connected

• Force maximum use of anti-virus software and firewalls

• For guest use of wireless network, have time-limited individual accounts on a separate subnet

• Disallow arbitrary software installation

• Disallow attachment of removable media

• Automatically patch all machines

• Power-up password before booting


Securing the IT Infrastructure (continued)

• Close unneeded TCP ports

• Deploy a VPN for access to network

• Back up vigorously, but secure the backups

• Update cryptographic and other techniques as vulnerabilities are revealed

—E.g. avoid WEP on a wireless network

• Force new systems to have the securest settings enabled

• Use sandboxes and virtualization to ‘contain’ security breaches

• Securely erase / destroy old systems

• Employ an IT security officer


Backing up Security Using Multiple Methods

Use of CAPTCHAS http://www.captcha.net/

Ability to answer pre-saved questions

• But beware of those that reveal personal information

Require use of mail and a certain phone line

• Common for activation of new accounts such as credit cards

—Requires calling from home phone number

—Checks mailing address, phone number and old card information on record

Emailing you at another account before setting up a new one

Employ services that actually send someone to your door to see your ID documents

• Used by banks to protect against identity theft


Avoid the CWE/SANS Most Dangerous Programming Errors

Reference: http://www.sans.org/top25errors/

CATEGORY: Insecure Interaction Between Components

• Improper Input Validation

—E.g. allowing arbitrary html to be entered

—E.g. allowing violation of input constraints

• Improper Encoding or Escaping of Output

—E.g. hackers may be able to get one system to output a command that will be executed by another

• Failure to Preserve SQL Query Structure (aka 'SQL Injection')

—E.g. a data string that ends an insert, followed by ‘Delete table’

• Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')

—E.g. Allowing a script from an arbitrary linked site to change contents from your site
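"Failure to preserve query structure" and "failure to preserve web page structure" are the same mistake in two settings: data supplied by the user is pasted into text that has a grammar (SQL, HTML) instead of being passed as data. The snippets below show each vulnerable form beside its hardened form. They are an added example, not code from the slides, SANS or the CWE project; the in-memory SQLite table and the user names are constructed.

```python
import html
import sqlite3


def setup_db():
    """Constructed in-memory table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "staff"), ("bob", "admin"), ("carol", "staff")])
    return conn


def find_user_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote in the
    input ends the string literal and the rest is parsed as SQL."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Hardened: the query structure is fixed; the driver binds the input as a value."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]


def render_comment_unsafe(text):
    """Vulnerable: user text becomes part of the page's HTML structure."""
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text):
    """Hardened: escape so that the text is displayed, not parsed as markup."""
    return f'<p class="comment">{html.escape(text)}</p>'
```

With the constructed table, a search for the literal string x' OR '1'='1 returns every row from the unsafe query and nothing from the safe one, because no user is actually called that. The same holds for markup: html.escape turns the angle brackets and quotes into entities, so whatever a commenter typed is shown as text rather than becoming a script element on your page. Note that Python's sqlite3 refuses to run more than one statement per execute() call, which blunts the "ends an insert, followed by Delete table" variant on the slide, but the single-statement form shown here still bypasses the WHERE clause entirely; parameter binding is the fix, not reliance on driver quirks.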


The Most Dangerous Programming Errors 2

• Failure to Preserve OS Command Structure

—'OS Command Injection'

• Cleartext Transmission of Sensitive Information

• Cross-Site Request Forgery (CSRF)

—It looks to a server that the request is coming from a page it served

• Race Condition

—Applications behave unpredictably, giving hackers information

• Error Message Information Leak


The Most Dangerous Programming Errors 3

CATEGORY: Risky Resource Management

• Failure to Constrain Operations within the Bounds of a Memory Buffer

—AKA “Buffer Overflow Errors”

• External Control of Critical State Data

—E.g. cookies, files, etc. that can be manipulated by a hacker

• External Control of File Name or Path

—E.g. If the hacker gets to choose a file name he can type “../” to walk up the directory hierarchy

• Untrusted Search Path

—The application goes to a location of the hacker’s choosing instead of where intended
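The "../" problem on this slide is usually mishandled by trying to strip the dangerous characters out of the name; the robust check is to resolve the full path and confirm it is still under the intended directory. The function below does that. It is an added example, not code from the slides, SANS or the CWE project; the root directory /srv/app/uploads is a constructed assumption and does not need to exist for the check to work.

```python
import os


def resolve_under_root(root, user_supplied_name):
    """Return the absolute path for user_supplied_name inside root, or None if it
    would land outside root (via "..", an absolute path, or a same-prefix sibling)."""
    root_real = os.path.realpath(root)
    # realpath collapses "..", follows symlinks, and, because os.path.join discards
    # root when the second argument is absolute, also exposes "/etc/passwd"-style input
    candidate = os.path.realpath(os.path.join(root_real, user_supplied_name))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def open_upload(root, user_supplied_name):
    """Open a file only after the path check; refusal is an error, not a silent fallback."""
    path = resolve_under_root(root, user_supplied_name)
    if path is None:
        raise PermissionError(f"refusing path outside {root}: {user_supplied_name!r}")
    return open(path, "rb")
```

commonpath is used rather than a string startswith test because "/srv/app/uploads2/x" starts with "/srv/app/uploads" as a string but is not inside it as a path. For the sibling "untrusted search path" item, the same idea applies in reverse: resolve programs and libraries from an explicit directory you control instead of whatever the environment's search path says.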


The Most Dangerous Programming Errors 4

• Failure to Control Generation of Code

—'Code Injection'

—Many apps generate & execute their own code

• Download of Code Without Integrity Check

—The hacker’s code gets downloaded instead

• Improper Resource Shutdown or Release

—E.g. a file is left open, then accessed by a hacker

• Improper Initialization

—A hacker may be able to initialize for you, or see data from a previous use

• Incorrect Calculation

—Hackers take control of inputs used in numeric calculation
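Of the errors on this slide, "download of code without integrity check" has the most mechanical fix: compare a digest of what arrived against a digest obtained from somewhere the attacker cannot also modify, and refuse to run the code otherwise. The code below is an added example, not code from the slides, SANS or the CWE project; the update payload is constructed, and its expected digest is computed in the block only so the example runs offline (in practice it comes from a separately trusted channel such as a signed release page).

```python
import hashlib
import hmac

# Constructed stand-in for a downloadable update. The expected digest must come
# from a trusted source, not from the same place as the file; it is computed here
# purely so the example is self-contained.
GENUINE_UPDATE = b"print('genuine update, version 1.2')\n"
EXPECTED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()


def verify_download(data, expected_hex):
    """True only if the SHA-256 of data matches the published digest."""
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking, through timing, how much of the digest matched
    return hmac.compare_digest(actual, expected_hex)


def install_update(data, expected_hex):
    """Act on the payload only after it verifies; a mismatch is a hard failure."""
    if not verify_download(data, expected_hex):
        raise ValueError("integrity check failed; refusing to run downloaded code")
    return "installed"
```

A digest check proves the bytes are the ones the publisher meant to ship; it does not prove who the publisher is. For that, the digest itself (or the file) needs a signature the client can verify, which is the next step up from this example.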


The Most Dangerous Programming Errors 5

CATEGORY: Porous Defenses

• Improper Access Control (Authorization)

• Use of a Broken or Risky Cryptographic Algorithm

—E.g. WEP

• Hard-Coded Password

• Insecure Permission Assignment for Critical Resource

• Use of Insufficiently Random Values

• Execution with Unnecessary Privileges

• Client-Side Enforcement of Server-Side Security
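Three items on this slide ("hard-coded password", "use of insufficiently random values" and, implicitly, how a secret is compared) can be shown together in a few functions. The block below is an added example, not code from the slides, SANS or the CWE project; the environment variable name APP_API_PASSWORD and the seed value are constructed assumptions.

```python
import hmac
import os
import random
import secrets


def weak_token(seed):
    """Insufficiently random: a general-purpose PRNG seeded with something
    guessable (clock, process id) hands the same token to anyone who guesses the seed."""
    rng = random.Random(seed)
    alphabet = "0123456789abcdef"
    return "".join(rng.choice(alphabet) for _ in range(32))


def strong_token():
    """Unpredictable: 128 bits drawn from the operating system's CSPRNG."""
    return secrets.token_hex(16)


def load_api_password(env=None):
    """Read the secret from configuration at run time rather than the source code,
    so it is not in version control, build artefacts or every developer's checkout."""
    env = os.environ if env is None else env
    value = env.get("APP_API_PASSWORD")
    if not value:
        raise RuntimeError("APP_API_PASSWORD is not set")
    return value


def password_matches(supplied, expected):
    """Constant-time comparison, so response timing does not reveal how many
    leading characters of a guess were correct."""
    return hmac.compare_digest(supplied.encode(), expected.encode())
```

The weak_token function is there to make the point that reproducibility from a seed is a property of the PRNG, not an accident: a session identifier or reset token built this way is only as secret as the seed, whereas secrets.token_hex has no seed to recover.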


Security in the software lifecycle

Requirements

• Ensure security needs are identified and quantified

• Threat and risk analysis

Formal specification of security properties

Design

• Follow proper design practices

Testing and quality assurance

• Rigorously inspect and test all security mechanisms

• Employ people to act as hackers to try to break system

Deployment

• Ensure safeguards are properly installed and put into use

Evolution

• Adapt as new threats become known


A useful web site on security

From the US government:

• Build security in

—https://buildsecurityin.us-cert.gov/daisy/bsi/547-BSI.html


Other Computer Crimes: Auctions

Online auction sites are one of the top sources of fraud complaints

• Some sellers do not send items or send inferior products

• Shill bidding is used to artificially raise prices

• Sellers give themselves or friends glowing reviews to garner consumer trust

Auction sites use various techniques to counter dishonest sellers


Other Computer Crimes

Click fraud

• Repeated clicking on an ad to either increase a site’s revenue or to use up a competitor's advertising budget

Stock fraud

• Most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time

Digital Forgery

• New technologies (scanners and high quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment


Whose Laws Rule the Web?

When Digital Actions Cross Borders:

• Laws vary from country to country

• Corporations that do business in multiple countries must comply with the laws of all the countries involved

• Someone whose actions are legal in their own country may face prosecution in another country where their actions are illegal


An International Treaty: The Convention on Cybercrime

International agreement to foster international cooperation among law enforcement agencies of different countries in fighting

• Copyright violations

• Pornography

• Fraud

• Other online fraud

http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm

Includes Europe, US, Canada, Japan

Sets common standards or ways to resolve international cases
