CSC 2400Computer Systems I

Lecture 10

Security & Ethics

2

Buffer Overflow Security hole: Not checking the max string size

Basis for classic buffer overflow attacks– 1988 Internet worm– Modern attacks on Web servers– AOL/Microsoft IM war

char s[8];int i;

gets(s); /* reads “123456789” from stdin */

Attack of the Giant Worm

On November 2, 1988, a worm began to thread its way through the Internet. Once installed, it multiplied, clogging available space, until computers ground to a halt. The worm exploited UNIX holes in sendmail and fingerd. Around 2500 computers were infected.Within 12 hours, the Computer Systems Research Group at Berkeley developed a way of stopping the spread of this worm.Total Cost? Although no data were destroyed, the time involved in fixing and testing was estimated to be between $1,000,000 and $100,000,000.

3

The Culprit? Robert J. Morris, a

Cornell graduate student in computer science, was convicted on May 4, 1990 to 3-year probation and a $10,000 fine.

“I'm at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in the PDOS group.

4

First National Attack

For the first time, a national attack on the Internet was exposed.

As a result, the Computer Emergency Response Team (CERT), at the Software Engineering Institute of Carnegie Mellon University was developed.

5

Other Examples

Some other examples of destructive computer behavior include:Cuckoo’s Egg: Clifford Stoll spent a year tracking down a hacker in West Germany who had successfully penetrated 30 computers, including the Lawrence Berkeley Labs, and other government computers. (The Cuckoo's Egg: Tracking a Spy through the Maze of Computer Espionage by Clifford Stoll, Doubleday 1989.)

6

Other Examples

HBO: In April of 1986, an HBO channel was taken over by an intruder known as Captain Midnight, who overpowered the HBO uplink transmitter signal with a stronger signal, and sent out his own messages to eight million viewers.

Friday the 13th: A student at Hebrew University in Jerusalem discovered that thousands of university computers were infected with a virus. The virus slowed down processing on certain Fridays the 13th and was scheduled to erase the hard disks of many computers on May 13, 1988.

7

Computer Security• In 1983, Kevin Mitnick did an intrusion on a Pentagon’s computer• In 1994, Vladimir Levin intruded in an American bank computer and

stole 10 millions dollars• Jonathan James “c0mrade”, 16 years old, infiltrated a NASA

computer in 1999 and had access to data worth 1,7 millions dollars• Today (CSI Report, 2007):

– 46% of companies have admitted to suffering financial losses due to security incidences. The reported loss amounted to a total of approximately $66,930,000.

– 39% of companies have been unable (or unwilling) to estimate the cost of their losses.

• Financial Losses, Personal losses, Privacy losses, Data Losses, Computer Malfunction and more…..

8

Computer Security

• Computer and Network security was not at all well known prior to the 1990s or about 2000

• Today, it is something everyone is aware of the need, but not sure what is really means

• Interesting topic of threats, countermeasures, risks, stories, events and paranoia– With some mathematics, algorithms, designs and

software issues mixed in– Yet, not enough people, even security specialists

understand the issues and implications

9

Media Stories

• Consumers are bombarded with media reports narrating dangers of the online world– Identity Theft– Embezzlement and fraud– Credit card

theft– Corporate

Loss

• Just “fear mongering”?

10

Security? What is that?

• Lock the doors and windows and you are secure– NOT

• Call the police when you feel insecure– Really?

• Computers are powerful, programmable machines– Whoever programs them controls them (and not you)

• Networks are ubiquitous– Carries genuine as well as malicious traffic

• End result: Complete computer security is unattainable, it is a cat and mouse game– Similar to crime vs. law enforcement

11

Goals of Computer Security

• Integrity:– Guarantee that the data is what we expect

• Confidentiality– The information must just be accessible to the

authorized people

• Reliability– Computers should work without having unexpected

problems

• Authentication– Guarantee that only authorized persons can access to

the resources

12

Security Basics

• What does it mean to be secure?– “Include protection of information from theft or corruption, or the

preservation of availability, as defined in the security policy.” - The Wikipedia

• Types of Security– Network Security– System and software security– Physical Security

• Very little in computing is inherently secure, you must protect yourself!– Software cannot protect software (maybe hardware can)– Networks can be protected better than software

13

Some Types of Attacks

• What are some common attacks?– Network Attacks

• Packet sniffing, man-in-the-middle, DNS hacking

– Web attacks• Phishing, SQL Injection, Cross Site Scripting

– OS, applications and software attacks• Virus, Trojan, Worms, Rootkits, Buffer Overflow

– Social Engineering• (NOT social networking)

• Not all hackers are evil wrongdoers trying to steal your info– Ethical Hackers, Consultants, Penetration testers,

Researchers

Need to know: Networking,Web Programming,Operating Systems,Programming languages and compilers.

14

Network Attacks

• Packet Sniffing– Internet traffic consists of data “packets”, and these

can be “sniffed”– Leads to other attacks such as

password sniffing, cookie stealing session hijacking, information stealing

• Man in the Middle– Insert a router in the path between client and

server, and change the packets as they pass through

• DNS hijacking– Insert malicious routes into DNS tables to send

traffic for genuine sites to malicious sites

Need to know: Networking protocols, routing, TCP-IP

15

Web Attacks

• Phishing– An evil website pretends to be a trusted website– Example:

• You type, by mistake, “mibank.com” instead of “mybank.com”• mibank.com designs the site to look like mybank.com so the

user types in their info as usual• BAD! Now an evil person has your info!

• SQL Injection– Interesting Video showing an example

• Cross Site Scripting– Writing a complex Javascript program that steals data left

by other sites that you have visited in same browsing session

Need to know: Web Programming,Javascript,SQL

16

• Definition– Piece of code that automatically reproduces itself. It’s

attached to other programs or files, but requires user intervention to propagate.

• Infection (targets/carriers)– Executable files

– Boot sectors

– Documents (macros), scripts (web pages), etc.

• Propagationis made by the user. The mechanisms are storage elements, mails, downloaded files or shared folders

Infection

Propagation

Payload

Virus

Need to know: Computer Architecture, programming 17

Worm

• Definition– Piece of code that automatically reproduces

itself over the network. It doesn’t need the user intervention to propagate (autonomous).

• Infection– Via buffer overflow, file sharing, configuration

errors and other vulnerabilities.

• Target selection algorithm– Email addresses, DNS, IP, network

neighborhood

• Payload– Malicious programs– Backdoor, DDoS agent, etc.

Infection

Propagationengine

Payload

TargetSelectionalgorithm

Scanningengine

18

Backdoor, trojan, rootkits

• Goal– The goal of backdoor, Trojan and rootkits is to take possession of a

machine subsequently through an infection made via a backdoor.

• Backdoor– A backdoor is a program placed by a black-hacker that allows him to

access a system. A backdoor have many functionalities such as keyboard-sniffer, display spying, etc.

• Trojan– A Trojan is a software that seems useful or benign, but is actually hiding a

malicious functionality.

• Rootkits (the ultimate virus)– Rootkits operate like backdoor and Trojan, but also modify existing

programs in the operating system. That allows a black-hacker to control the system without being detected. A rootkit can be in user-mode or in kernel-mode.

19

Social Engineering

*http://bash.org/?244321

20

Social Engineering

• Why is this social engineering?– Manipulating a person or persons into divulging confidential information

• I am not dumb, so does this really apply to me?– YES! Attackers are ALSO not dumb.

– Social Engineers are coming up with much better and much more elaborate schemes to attack users.

– Even corporate executives can be tricked into revealing VERY secret info

• What can I do to protect myself?– NEVER give out your password to ANYBODY.

– Any system administrator should have the ability to change your password without having to know an old password

Need to know: How to win friends (victims) and influence (scam) people (not CS). 21

Password Attacks

• Password Guessing – Ineffective except in targeted cases

• Dictionary Attacks– Password are stored in computers as hashes, and these hashes

can sometimes get exposed– Check all known words with the stored hashes

• Rainbow Tables– Trade off storage and computation – uses a large number of pre-

computed hashes without having a dictionary– Innovative algorithm, that can find passwords fast!

• e.g. 14 character alphanumeric passwords are found in about 4-10 minutes of computing using a 1GB rainbow table

Need to know: Data structures, algorithms, cryptography 22

Computer Security Issues

• Vulnerability is a point where a system is susceptible to attack.

• A threat is a possible danger to the system. The danger might be a person (a system cracker or a spy), a thing (a faulty piece of equipment), or an event (a fire or a flood) that might exploit a vulnerability of the system.

• Countermeasures are techniques for protecting your system

23

Vulnerabilities in Systems

• How do viruses, rootkits enter a system?– Even without the user doing something “stupid”

• There are vulnerabilities in most software systems. – Buffer Overflow is the most dangerous and common one

• How does it work?– All programs run from memory.– Some programs allow access to reserved memory locations

when given incorrect input.– Hackers find out where to place incorrect input and take control. – Easy to abuse by hackers, allows a hacker complete access to

all resources

Need to know: Assembly and machine level programming

24

How can you achieve security?

• Many techniques exist for ensuring computer and network security– Cryptography– Secure networks– Antivirus software– Firewalls

• In addition, users have to practice “safe computing”– Not downloading from unsafe websites– Not opening attachments– Not trusting what you see on websites– Avoiding Scams

25

Cryptography

• Simply – secret codes• Encryption

– Converting data to unreadable codes to prevent anyone form accessing this information

– Need a “key” to find the original data – keys take a few million-trillion years to guess

• Public keys– An ingenious system of proving you know your password without

disclosing your password. Also used for digital signatures– Used heavily in SSL connections

• Hashing– Creating fingerprints of documents

Need to know: Mathematics, number theory, cryptographic protocols

26

Cryptographic Protocols

Symmetric encryption

Authentication

Asymmetric encryption

Public Key Infrastructure

27

Why Care?

• Online banking, trading, purchasing may be insecure– Credit card and identity theft

• Personal files could be corrupted– All school work, music, videos, etc. may be lost

• Computer may become too slow to run– If you aren't part of the solution you are part of the problem

• Pwn2Own contest - 2008– Mac (Leopard) fell first via Safari, Vista took time but was

hacked via Flash Player, Ubuntu stood ground.

• Upon discovery, vulnerabilities can be used against many computers connected to the internet.

28

COMPUTER ETHICS

29

Computer Ethics Computers are involved to some extent

in almost every aspect of our lives

They often perform life-critical tasks

Computer science is not regulated to the extent of medicine, air travel, or construction zoning

Therefore, we need to carefully consider the issues of ethics

30

Ethics

Ethics are standards of moral conduct

Standards of right and wrong behavior

A gauge of personal integrity

The basis of trust and cooperation in relationships with others

31

Ethical Principals

Ethical principals are tools which are used to think through difficult situations.

Three useful ethical principals: An act is ethical if all of society benefits

from the act. An act is ethical if people are treated as an

end and not as a means to an end. An act is ethical if it is fair to all parties

involved. 32

Computer Ethics

Computer ethics are morally acceptable use of computers

i.e. using computers appropriately

Standards or guidelines are important in this industry, because technology changes are outstripping the legal system’s ability to keep up

33

Ethics for Computer Professionals

Computer Professionals: Are experts in their field, Know customers rely on their knowledge, expertise,

and honesty, Understand their products (and related risks) affect

many people, Follow good professional standards and practices, Maintain an expected level of competence and are

up-to-date on current knowledge and technology, and

Educate the non-computer professional

34

Computer Ethics Four primary issues

Privacy – responsibility to protect data about individuals

Accuracy - responsibility of data collectors to authenticate information and ensure its accuracy

Property - who owns information and software and how can they be sold and exchanged

Access - responsibility of data collectors to control access and determine what information a person has the right to obtain about others and how the information can be used 35

Problems with Large Databases

Spreading information without consent Some large companies use medical records

and credit records as a factor in important personnel decisions

Spreading inaccurate information Mistakes in one computer file can easily

migrate to others Inaccurate data may linger for years

36

U.S. Federal Privacy Laws

General Federal Privacy Laws: Freedom Of Information Act, 1968 Privacy Act Of 1974 Electronic Communications Privacy Act Of 1986 Computer Matching And Privacy Protection Act

Of 1988 Computer Security Act Of 1987 Federal Internet Privacy Protection Act Of 1997

37

Privacy Laws Affecting Private Institutions: Fair Credit Reporting Act, 1970 Right To Financial Privacy Act Of 1978 Privacy Protection Act Of 1980 Cable Communications Policy Act Of 1984 Electronic Communications Privacy Act Of 1986 Video Privacy Protection Act Of 1988 Consumer Internet Privacy Protection Act Of 1997 Communications Privacy & Consumer Empowerment Act

Of 1997 Data Privacy Act Of 1997

U.S. Federal Privacy Laws

38

Private Networks Employers may legally monitor electronic

mail In 2001, 63% of companies monitored

employee Internet connections including about two-thirds of the 60 billion electronic messages sent by 40 million e-mail users.

Most online services reserve the right to censor content

These rights lead to contentious issues over property rights versus free speech and privacy

39

The Internet and the Web Most people don’t worry about email privacy

on the Web due to illusion of anonymity Each e-mail you send results in at least 3 or 4

copies being stored on different computers.

Web sites often load files on your computer called cookies to record times and pages visited and other personal information

Spyware - software that tracks your online movements, mines the information stored on your computer, or uses your computer for some task you know nothing about. 40

General Internet Issues

Inflammatory interchange of messages via internet (email, chat rooms, etc.)

Chain mail

Virus warning hoaxes

“Spam” – unsolicited, bulk email

41

E-Mail Netiquette Promptly respond to messages. Delete messages after you read them if you

don’t need to save the information. Don’t send messages you wouldn’t want

others to read. Keep the message short and to the point. Don’t type in all capital letters. Be careful with sarcasm and humor in your

message.

42

Internet Content & Free Speech Issues

Information on internet includes hate, violence, and information that is harmful for children How much of this should be regulated? Do filters solve problems or create

more?

Is web site information used for course work and research reliable?

43

Information OwnershipIssues

Illegal software copying (pirating)

Infringement of copyrights by copying of pictures or text from web pages

Plagiarism by copying text from other sources when original work is expected

44

TermsINTELLECTUAL PROPERTY: Intangible

creations protected by law

TRADE SECRET: Intellectual work or products belonging to a business, not in public domain

COPYRIGHT: Statutory grant protecting intellectual property from copying by others for 28 years

PATENT: Legal document granting owner exclusive monopoly on an invention for 17 years

45

Copyright Laws

Software developers (or the companies they work for) own their programs.

Software buyers only own the right to use the software according to the license agreement.

No copying, reselling, lending, renting, leasing, or distributing is legal without the software owner’s permission.

46

Software Licenses

There are four types of software licenses:

Public Domain

Freeware

Shareware

All Rights Reserved

47

Public Domain License

Public domain software has no owner and is not protected by copyright law.

It was either created with public funds, or the ownership was forfeited by the creator.

Can be copied, sold, and/or modified

Often is of poor quality/unreliable

48

Freeware License

Freeware is copyrighted software that is licensed to be copied and distributed without charge.

Freeware is free, but it’s still under the owner’s control.

Examples: Eudora Light Netscape

49

Shareware License

A shareware software license allows you to use the software for a trial period, but you must pay a registration fee to the owner for permanent use. Some shareware trials expire on a certain

date Payment depends on the honor system

Purchasing (the right to use) the software may also get you a version with more powerful features and published documentation.

50

All Rights Reserved License

May be used by the purchaser according the exact details spelled out in the license agreement.

You can’t legally use it--or even possess it-- without the owner’s permission.

51

Software Piracy SPA (Software Publishers Association) polices software piracy and mainly targets:

Illegal duplication Sale of copyrighted software Companies that purchase single copies and load the software on multiple computers or networks

They rely on whistle-blowers. Penalties (for primary user of PC) may include fines up to $250,000 and/or imprisonment up to 5 years in jail

52

System Quality

Bug-free software is difficult to produce It must be carefully designed, developed,

and tested Mistakes generated by computers can be

far reaching Commenting and documenting software is

required for effective maintenance throughout the life of the program

53

System Quality

ETHICAL ISSUES: When is software, system or service ready for release?

SOCIAL ISSUES: Can people trust quality of software, systems, services, data?

POLITICAL ISSUES: Should congress or industry develop standards for software, hardware, data quality? 54

Computer Crime

Computer criminals -using a computer to commit an illegal act

Who are computer criminals? Employees – disgruntled or dishonest --the

largest category Outside users - customers or suppliers “Hackers” and “crackers” - hackers do it

“for fun” but crackers have malicious intent Organized crime - tracking illegal

enterprises, forgery, counterfeiting55

Types of Computer Crime Damage to computers, programs or files

Viruses - migrate through systems attached to files and programs

Worms - continuously self-replicate Theft

Of hardware, software, data, computer time Software piracy - unauthorized copies of

copyrighted material View/Manipulation

“Unauthorized entry” and “harmless message” still illegal

56

Computer security involves protecting:

information, hardware and software

from unauthorized use and damage and

from sabotage and natural disasters

Computer Security

57

Restricting access both to the hardware locations (physical access) and into the system itself (over the network) using firewalls

Implementing a plan to prevent break-ins Changing passwords frequently Making backup copies Using anti-virus software Encrypting data to frustrate interception Anticipating disasters (disaster recovery plan) Hiring trustworthy employees

Measures to Protect Computer Security

58

Computer Ethics for Computer Professionals

Competence– Professionals keep up with the latest knowledge in their field and perform services only in their area of competence.

Responsibility– Professionals are loyal to their clients or employees, and they won’t disclose confidential information.

Integrity– Professionals express their opinions based on facts, and they are impartial in their judgments. 59

The ACM Code of Conduct According to the Association for Computing

Machinery (ACM) code, a computing professional: Contributes to society and human well-being Avoids harm to others Is honest and trustworthy Is fair and takes action not to discriminate Honors property rights, including copyrights

and patents Gives proper credit when using the

intellectual property of others Respects other individuals’ rights to privacy Honors confidentiality

60

Quality of Life Issues Rapid Change:

Reduced response time to competition Maintaining Boundaries:

Family, work, leisure Dependence And Vulnerability Employment:

Re-engineering job loss Equity & Access:

Increasing gap between haves and have nots Health Issues

61

Ergonomics

Ergonomics:

helps computer users to avoid

physical and mental health risks

and to increase

productivity

62

Physical Health Issues Avoid eyestrain and headache

Take regular breaks every couple of hours

Control ambient light and insure adequate monitor brightness

Avoid back and neck pain

Have adjustable equipment with adequate back support

Keep monitor at, or slightly below eye level 63

Physical Health Issues Avoid effects of electromagnetic fields

(VDT radiation) Possible connection to miscarriages and

cancers, but no statistical support yet Use caution if pregnant

Avoid repetitive strain injury (RSI) Injuries from fast, repetitive work Carpal tunnel syndrome (CTS) - nerve and

tendon damage in hands and wrists64

The Environment Microcomputers are the greatest user of

electricity in the workplace “Green” PCs

System unit and display - minimize unnecessary energy consumption and power down when not in use

Manufacturing - avoids harmful chemicals in production, focus on chlorofluorocarbons (CFC’s) which some blame for ozone layer depletion

65

Personal Responsibility of Users

Conserve Turn computers off at end of work day Use screen savers

Recycle Most of the paper we use is eligible Dispose of old parts via recycling

programs – most computer parts are dangerous in landfills

Educate Know the facts about ecological issues

66