
Post on 09-Oct-2020



CS 4001: Computing, Society & Professionalism
Munmun De Choudhury | Assistant Professor | School of Interactive Computing

Week 12: Computer and Network Security
March 30, 2017

Chapter Overview

• Introduction

• Hacking

• Malware

• Online voting

• Cybercrime and cyberattacks

7.1 Introduction

• Computers getting faster and less expensive

• Utility of networked computers increasing
  § Shopping and banking
  § Managing personal information
  § Controlling industrial processes

• Increasing use of computers → growing importance of computer security

7.2 Hacking

Hackers, Past and Present

• Original meaning of hacker: explorer, risk taker, system innovator
  § MIT's Tech Model Railroad Club in 1950s

• 1960s-1980s: Focus shifted from electronics to computers and networks
  § 1983 movie WarGames

• Modern meaning of hacker: someone who gains unauthorized access to computers and computer networks

Obtaining Login Names and Passwords

• Brute force methods and dictionary attacks

• Eavesdropping

• Dumpster diving

• Social engineering

Sidejacking

• Sidejacking: hijacking of an open Web session by capturing a user's cookie

• Sidejacking possible on unencrypted wireless networks because many sites send cookies "in the clear"

• Internet security community complained about sidejacking vulnerability for years, but e-commerce sites did not change practices
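The defender's check behind the sidejacking slide, as an added example that is not part of the lecture: a cookie set without the Secure attribute is the one a listener on an open wireless network can copy, so a small auditor over the Set-Cookie headers of a captured response shows which session cookies a site sends in the clear. The sample response and the session-name hint list are constructed assumptions.

```python
# Added example, not from the lecture: audit captured Set-Cookie headers for
# the weakness sidejacking relies on. A session cookie sent without the
# Secure attribute also travels over plain HTTP, where anyone on an open
# wireless network can copy it; HttpOnly keeps page scripts from reading it.

# Constructed sample: a plain-HTTP login response that sets a session cookie
# without Secure, a harmless preference cookie, and a properly flagged token.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Set-Cookie: csrftoken=xyz; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

# Assumption: cookie names containing these fragments identify sessions.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value):
    """Parse one Set-Cookie value ('name=value; Attr; Attr=val') into a dict."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return {
        "name": name,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "session": any(h in name.lower() for h in SESSION_NAME_HINTS),
    }


def audit_response(raw):
    """Return one dict per Set-Cookie header in a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    cookies = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, _, value = line.partition(":")
        if key.strip().lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
    return cookies


def sidejackable_cookies(raw):
    """Names of session cookies that would travel in the clear over HTTP."""
    return [c["name"] for c in audit_response(raw)
            if c["session"] and not c["secure"]]
```

On the sample response only `sessionid` is flagged: `csrftoken` looks like a session value but carries Secure, and `theme` is not a session cookie at all.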

Computer Fraud and Abuse Act

• Criminalizes wide variety of hacker-related activities
  § Transmitting code that damages a computer
  § Accessing any Internet-connected computer without authorization
  § Transmitting classified government information
  § Trafficking in computer passwords
  § Computer fraud
  § Computer extortion

• Maximum penalty: 20 years in prison and $250,000 fine

Other Laws

• Other laws – Electronic Communications Privacy Act (cannot intercept electronic communications or read email without authorization)

• Wire Fraud Act, National Stolen Property Act, Identity Theft and Assumption Deterrence Act

Class Activity 1: Case Study of Firesheep

Firesheep: Act Utilitarian Analysis

• Release of Firesheep led media to focus on security problem

• Benefits were high: a few months later Facebook and Twitter made their sites more secure

• Harms were minimal: no evidence that release of Firesheep caused big increase in identity theft or malicious pranks

• Conclusion: Release of Firesheep was good

Firesheep: Kantian Analysis

• Accessing someone else's user account is an invasion of their privacy and is wrong

• Butler provided a tool that made it much simpler for people to do something that is wrong, so he has some moral accountability for their misdeeds

• Butler was willing to tolerate short-term increase in privacy violations in hope that media pressure would force Web retailers to add security

• He treated victims of Firesheep as a means to his end

• It was wrong for Butler to release Firesheep

Firesheep: Virtue Ethics Analysis

• Butler shared expertise and knowledge to help people and educate them of the privacy risks of using some non-encrypted websites

• Butler exhibited courage by taking personal responsibility for creating Firesheep, and he demonstrated benevolence by making it freely available

• Butler's interest in promoting the common good

7.3 Malware

Viruses

• Virus: Piece of self-replicating code embedded within another program (host)

• Viruses associated with program files
  § Hard disks, floppy disks, CD-ROMs
  § Email attachments

• How viruses spread
  § Diskettes or CDs
  § Email
  § Files downloaded from Internet

How a Virus Replicates

Email Attachment with Possible Virus

How an Email Virus Spreads

Antivirus Software Packages

• Allow computer users to detect and destroy viruses

• Must be kept up-to-date to be most effective

• Many people do not keep their antivirus software packages up-to-date

• Consumers need to beware of fake antivirus applications

Worm

• Self-contained program

• Spreads through a computer network

• Exploits security holes in networked computers

How a Worm Spreads

Cross-site Scripting

• Another way malware may be downloaded without user's knowledge

• Problem appears on Web sites that allow people to read what others have posted

• Attacker injects client-side script into a Web site

• Victim's (the next user's) browser executes script, which may steal cookies, track user's activity, or perform another malicious action
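The flaw on this slide beside its fix, as an added example that is not part of the lecture: a message board that pastes a poster's text straight into the page lets that text become markup the next visitor's browser runs, while escaping on output keeps it as displayed text. The board, its posts and the `ScriptFinder` checker are constructed for this example.

```python
# Added example, not from the lecture: the stored cross-site scripting flaw
# described above beside its fix. A message board that pastes a poster's text
# straight into the page lets that text become markup, so the next visitor's
# browser runs it; escaping on output keeps it as text the browser displays.
from html import escape
from html.parser import HTMLParser

# Constructed sample posts: two ordinary comments and two that carry script,
# one as a <script> element and one as an event-handler attribute.
POSTS = [
    "Great lecture, thanks!",
    '<script>alert("xss")</script>',
    "See you next week",
    '<img src="x" onerror="alert(2)">',
]


def render_unsafe(posts):
    """Vulnerable: poster-controlled text is inserted as raw HTML."""
    return "<ul>" + "".join(f"<li>{p}</li>" for p in posts) + "</ul>"


def render_safe(posts):
    """Fixed: escape &, <, >, and quotes so the text cannot become markup."""
    items = "".join(f"<li>{escape(p, quote=True)}</li>" for p in posts)
    return "<ul>" + items + "</ul>"


class ScriptFinder(HTMLParser):
    """Counts places where rendered HTML would execute script in the browser."""

    def __init__(self):
        super().__init__()
        self.hits = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits += 1
        self.hits += sum(1 for name, _ in attrs if name.startswith("on"))


def executable_script_count(rendered_html):
    """How many script elements or on* handlers a page would execute."""
    finder = ScriptFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.hits
```

Run over the sample posts, the unsafe rendering contains two executable points and the escaped rendering none.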

Drive-by Downloads

• Unintentional downloading of malware caused by visiting a compromised Web site

• Also happens when Web surfer sees pop-up window asking permission to download software and clicks "Okay"

• Google Anti-Malware Team says 1.3 percent of queries to Google's search engine return a malicious URL somewhere on results page

Trojan Horses and Backdoor Trojans

• Trojan horse: Program with benign capability that masks a sinister purpose

• Backdoor Trojan: Trojan horse that gives attacker access to victim's computer
  § May claim to cleanse malware from a user's computer, but in reality it installs spyware

Rootkits

• Rootkit: A set of programs that provides privileged access to a computer

• Activated every time computer is booted

• Uses security privileges to mask its presence

Spyware and Adware

• Spyware: Program that communicates over an Internet connection without user's knowledge or consent
  § Monitor Web surfing
  § Log keystrokes
  § Take snapshots of computer screen
  § Send reports back to host computer

• Adware: Type of spyware that displays pop-up advertisements related to user's activity

• Backdoor Trojans often used to deliver spyware and adware

Bots

• Bot: A kind of backdoor Trojan that responds to commands sent by a command-and-control program on another computer

• First bots supported legitimate activities
  § Internet Relay Chat
  § Multiplayer Internet games

• Other bots support illegal activities
  § Distributing spam
  § Collecting personal information for ID theft
  § Denial-of-service attacks

Botnets and Bot Herders

• Botnet: Collection of bot-infected computers controlled by the same command-and-control program

• Some botnets have over a million computers in them

• Bot herder: Someone who controls a botnet

Class Activity 2: The Internet Worm (Robert Tappan Morris Case Study)

Ethical Evaluation

• Kantian evaluation
  § Morris used others by gaining access to their computers without permission

• Social contract theory evaluation
  § Morris violated property rights of organizations

• Utilitarian evaluation
  § Benefits: Organizations learned of security flaws
  § Harms: Time spent by those fighting worm, unavailable computers, disrupted network traffic, Morris's punishments

• Morris was wrong to have released the Internet worm

Defensive Measures

• Security patches: Code updates to remove security vulnerabilities

• Anti-malware tools: Software to scan hard drives, detect files that contain viruses or spyware, and delete these files

• Firewall: A software application installed on a single computer that can selectively block network traffic to and from that computer

7.5 Online Voting

Motivation for Online Voting

• 2000 U.S. Presidential election closely contested

• Florida pivotal state

• Most Florida counties used keypunch voting machines

• Two voting irregularities traced to these machines
  § Hanging chad
  § "Butterfly ballot" in Palm Beach County

The Infamous “Butterfly Ballot”

AP Photo/Gary I. Rothstein

Group Activity: Ethical Evaluation of Online Voting: 1) Act Utilitarian Perspective; 2) Kantian Perspective

Suppose online voting replaced traditional voting

Utilitarian Analysis

• Benefit: Time savings
  § Assume 50% of adults actually vote
  § Suppose voter saves 1 hour by voting online
  § Average pay in U.S. is $18.00/hour
  § Time savings worth $9 per adult American

• Harm of DDoS attack difficult to determine
  § What is probability of a DDoS attack?
  § What is the probability an attack would succeed?
  § What is the probability a successful attack would change the outcome of the election?

Kantian Analysis

• The will of each voter should be reflected in that voter's ballot

• The integrity of each ballot is paramount

• Ability to do a recount necessary to guarantee integrity of each ballot

• There should be a paper record of every vote

• Eliminating paper records to save time and/or money is wrong

Conclusions

• Existing systems are highly localized

• Widespread tainting more possible with online system

• No paper records with online system

• Evidence of tampering with online elections

• Relying on security of home computers means system vulnerable to fraud

• Strong case for not allowing online voting

Benefits of Online Voting

• More people would vote

• Votes would be counted more quickly

• No ambiguity with electronic votes

• Cost less money

• Eliminate ballot box tampering

• Software can prevent accidental over-voting

• Software can prevent under-voting

Risks of Online Voting

• Gives unfair advantage to those with home computers

• More difficult to preserve voter privacy

• More opportunities for vote selling

• Obvious target for a DDoS attack

• Security of election depends on security of home computers

• Susceptible to vote-changing virus or RAT

• Susceptible to phony vote servers

• No paper copies of ballots for auditing or recounts

7.4 Cyber Crime and Cyber Attacks

Phishing and Spear-phishing

• Phishing: Large-scale effort to gain sensitive information from gullible computer users
  § Phishing emails are sent to users asking them to enter sensitive information on an imposter website
  § At least 67,000 phishing attacks globally in second half of 2010
  § New development: phishing attacks on Chinese e-commerce sites

• Spear-phishing: Variant of phishing in which email addresses chosen selectively to target particular group of recipients

SQL Injection

• Method of attacking a database-driven Web application with improper security

• Attack inserts (injects) SQL query into text string from client to application

• Application returns sensitive information
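The three bullets above carried out against a throwaway in-memory SQLite table, as an added example that is not part of the lecture: the lookup that splices client text into the SQL string returns every row when the text contains a quote, and the same lookup with a bound parameter returns nothing. The table, its rows and both inputs are constructed for this example.

```python
# Added example, not from the lecture: the injection described above run
# against an in-memory SQLite table, beside the parameterized query that
# stops it. The database and its rows are constructed for this example.
import sqlite3


def make_db():
    """Constructed sample data: a small customer table with no real records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice@example.com", "1111"), (2, "bob@example.com", "2222")],
    )
    return conn


def lookup_unsafe(conn, email):
    """Vulnerable: the client's text is spliced into the SQL string, so a
    quote character in it changes the structure of the query."""
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Fixed: the driver binds the value as data; it is never parsed as SQL."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed inputs: a legitimate lookup and the tautology the slide alludes
# to, which turns the WHERE clause into one that matches every row.
LEGIT_EMAIL = "alice@example.com"
INJECTED_EMAIL = "x' OR '1'='1"


def demo():
    """Return (rows leaked by the unsafe query, rows from the safe query)."""
    conn = make_db()
    return lookup_unsafe(conn, INJECTED_EMAIL), lookup_safe(conn, INJECTED_EMAIL)
```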

Denial-of-service and DDOS Attacks

• Denial-of-service attack: Intentional action designed to prevent legitimate users from making use of a computer service

• Aim of a DoS attack is not to steal information but to disrupt a server's ability to respond to its clients

• Distributed denial-of-service attack: DoS attack launched from many computers, such as a botnet

The Rise and Fall of Blue Security Part I: The Rise

• Blue Security: An Israeli company selling a spam deterrence system

• Blue Frog bot would automatically respond to each spam message with an opt-out message

• Spammers started receiving hundreds of thousands of opt-out messages, disrupting their operations

• 6 of 10 of world's top spammers agreed to stop sending spam to users of Blue Frog

The Rise and Fall of Blue Security Part II: The Fall

• One spammer (PharmaMaster) started sending Blue Frog users 10-20 times more spam

• PharmaMaster then launched DDoS attacks on Blue Security and its business customers

• Blue Security could not protect its customers from DDoS attacks and virus-laced emails

• Blue Security reluctantly terminated its anti-spam activities

Attacks on Twitter and Other Social Networking Sites

• Massive DDoS attack made Twitter service unavailable for several hours on August 6, 2009

• Three other sites attacked at same time: Facebook, LiveJournal, and Google

• All sites used by a political blogger from the Republic of Georgia

• Attacks occurred on first anniversary of war between Georgia and Russia over South Ossetia


Anonymous

• Anonymous: loosely organized international movement of hacktivists (hackers with a social or political cause)

• Various DDoS attacks attributed to Anonymous members


Year | Victim                            | Reason
2008 | Church of Scientology             | Attempted suppression of Tom Cruise interview
2009 | RIAA, MPAA                        | RIAA, MPAA's attempt to take down the Pirate Bay
2009 | PayPal, VISA, MasterCard          | Financial organizations freezing funds flowing to Julian Assange of WikiLeaks
2012 | U.S. Dept. of Justice, RIAA, MPAA | U.S. Dept. of Justice action against Megaupload