Right Now, At this Very Moment, Your Computer is Infected. November 8 | Froms Bits to RSA Dongles: An Introduction to IT Security

Upload: jonathan-stewart

Post on 14-Dec-2015


TRANSCRIPT

Page 1: Right Now, At this Very Moment, Your Computer is Infected November 8 | Froms Bits to RSA Dongles: An Introduction to IT Security


Page 2: start with bits and bytes

• bit (binary digit): the basic unit of information in computing; the amount of information stored by a digital device in one of two possible distinct states, 0 and 1 (not 1 and 2), off/on
• digital value of 1 = positive voltage, up to 5 volts
• digital value of 0 = 0 volts
• 8 bits = 1 byte, usually, but it depends on the hardware
• byte: the number of bits needed to encode a single character of text in a computer

Page 3: from binary # to letters

Page 4: from binary # to letters

01110000 = p
01101001 = i
01111010 = z
01111010 = z
01100001 = a

Page 5: data and packets

• data: binary files, 01010010010010010 … etc.
• packet: a unit of data
• from binary to text or image
• packet: control information and payload
• control information: data the network needs to deliver the payload, ex. address, error control
• payload: the content of your “digital letter”
• From files to programs and applications

Page 6: OSI model

Page 7: OSI model

Page 8: computer virus

A Windows-based, backdoor Trojan horse

• A program that can replicate itself and spread
• With reproductive ability
• Must attach itself to an existing program
• Will typically corrupt or modify files on the targeted computer
• Malware, a more general term that includes: viruses, computer worms (causing network harm), Trojan horses (appear benign), rootkits, spyware, adware, etc.

Page 9: virus transmission

• Viruses have targeted various types of transmission media or hosts. This list is not exhaustive:
• Binary executable files (such as COM files and EXE files in MS-DOS, Portable Executable files in Microsoft Windows, the Mach-O format in OS X, and ELF files in Linux)
• Volume Boot Records of floppy disks and hard disk partitions
• The master boot record (MBR) of a hard disk
• General-purpose script files (such as batch files in MS-DOS and Microsoft Windows, VBScript files, and shell script files on Unix-like platforms)
• Application-specific script files (such as Telix scripts)
• System-specific autorun script files (such as the Autorun.inf file needed by Windows to automatically run software stored on USB memory storage devices)
• Documents that can contain macros (such as Microsoft Word documents, Microsoft Excel spreadsheets, AmiPro documents, and Microsoft Access database files)
• Cross-site scripting vulnerabilities in web applications (see XSS worm)
• Arbitrary computer files. An exploitable buffer overflow, format string, race condition or other exploitable bug in a program which reads the file could be used to trigger the execution of code hidden within it. Most bugs of this type can be made more difficult to exploit in computer architectures with protection features such as an execute-disable bit and/or address space layout randomization.

Page 10: from binary to decimal

2^16 = 65536

Page 11: from binary to decimal

0 to 65535
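The bits-to-letters table on Page 4, the control-information/payload split on Page 5 and the 16-bit port range on Pages 10 and 11 in working code. This is an added example, not part of the slides: it groups a bit string into bytes, decodes them as ASCII, and splits a small UDP datagram into its header fields and payload. The datagram is constructed for the demonstration (source port 49152, destination port 53, payload "pizza") and its checksum is left at zero, which UDP over IPv4 permits.

```python
# Added example (not from the slides): bits -> bytes -> text, and a parser
# for the control information (header) and payload of a UDP datagram.
import struct


def bits_to_bytes(bits: str) -> bytes:
    """Group a string of 0/1 characters into 8-bit bytes (spaces ignored)."""
    bits = bits.replace(" ", "")
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def bytes_to_bits(data: bytes) -> str:
    """Render bytes as space-separated 8-bit groups, as on the slide."""
    return " ".join(f"{b:08b}" for b in data)


def parse_udp(datagram: bytes) -> dict:
    """Split a UDP datagram into control information and payload.

    The UDP header (RFC 768) is 8 bytes: source port, destination port,
    length and checksum, each a 16-bit big-endian field. A 16-bit field
    holds 2**16 = 65536 values, which is why ports run from 0 to 65535.
    """
    if len(datagram) < 8:
        raise ValueError("too short for a UDP header")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    # The length field covers header plus payload; a mismatch means a
    # truncated or malformed datagram, which a parser must not trust.
    if length != len(datagram):
        raise ValueError(f"length field {length} != actual size {len(datagram)}")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": datagram[8:]}


# Constructed sample: the slide's bits for "pizza" carried as the payload of
# a datagram from an ephemeral client port (49152) to DNS (53).
PIZZA_BITS = "01110000 01101001 01111010 01111010 01100001"
SAMPLE = struct.pack("!HHHH", 49152, 53, 8 + 5, 0) + bits_to_bytes(PIZZA_BITS)

if __name__ == "__main__":
    print(bits_to_bytes(PIZZA_BITS).decode("ascii"))
    fields = parse_udp(SAMPLE)
    print(fields)
    print(bytes_to_bits(SAMPLE[:2]), "=", fields["src_port"])
```

The same header-then-payload layout repeats at every layer of the OSI stack on Pages 6 and 7: the IP header in front of this datagram carries the addresses, and the Ethernet frame in front of that carries the MAC addresses.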

Page 12: ports

• A port is an application-specific or process-specific software construct serving as a communications endpoint in a computer’s host operating system, part of the Internet Protocol suite
• Example: HTTP:80 | SMTP:25 | DHCP:68 (client)
• Ports are numbered from 0 to 65535
• Equivalent to 65536 possible ways into your computer (per transport protocol, TCP and UDP); only the ports with a program listening on them are actually reachable
• Introducing netstat: what your computer is doing with ports
• netstat -a: active connections and listening ports
• netstat -help: switches and the optional [interval] argument

Page 13: common ports

• 21: File Transfer Protocol (FTP)
• 22: Secure Shell (SSH)
• 23: Telnet remote login service
• 25: Simple Mail Transfer Protocol (SMTP)
• 53: Domain Name System (DNS) service
• 80: Hypertext Transfer Protocol (HTTP) World Wide Web
• 110: Post Office Protocol (POP)
• 119: Network News Transfer Protocol (NNTP)
• 143: Internet Message Access Protocol (IMAP)
• 161: Simple Network Management Protocol (SNMP)
• 443: HTTP Secure (HTTPS)
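What the netstat exercise on Page 12 looks like when you do it systematically, using the port table on Page 13. This is an added example, not part of the slides: it parses output in the layout Windows `netstat -an` prints, separates listening sockets from outbound connections, names the ports that appear in the slide's table (plus DHCP client 68 from Page 12) and flags the rest. The sample output is constructed, not captured from a real machine.

```python
# Added example (not from the slides): parse `netstat -an` style output and
# answer "what is my computer doing with ports?"
import re

# Port table from the "common ports" slide, plus DHCP client from Page 12.
COMMON_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                68: "DHCP client", 80: "HTTP", 110: "POP", 119: "NNTP",
                143: "IMAP", 161: "SNMP", 443: "HTTPS"}

# Proto, local addr:port, foreign addr:port, optional state (TCP only).
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?")


def parse_netstat(text: str) -> list:
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "local": laddr, "lport": int(lport),
                     "foreign": faddr,
                     "fport": None if fport == "*" else int(fport),
                     "state": state or ""})
    return rows


def review(rows: list) -> dict:
    """Split sockets into listeners and outbound connections and name each
    port from the table; anything not in the table gets a flag to chase."""
    listening, outbound = [], []
    for r in rows:
        # UDP has no connection state; a socket bound with foreign *:* is a listener.
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*"):
            name = COMMON_PORTS.get(r["lport"], "unknown: check which process owns it")
            listening.append((r["proto"], r["lport"], name))
        elif r["state"] == "ESTABLISHED":
            name = COMMON_PORTS.get(r["fport"], "unusual destination port")
            outbound.append((r["foreign"], r["fport"], name))
    return {"listening": listening, "outbound": outbound}


# Constructed sample in the layout Windows netstat prints (not real output).
# 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49712     198.51.100.7:4444      ESTABLISHED
  UDP    0.0.0.0:68             *:*
"""

if __name__ == "__main__":
    report = review(parse_netstat(SAMPLE))
    for proto, port, name in report["listening"]:
        print(f"listening {proto}/{port}: {name}")
    for host, port, name in report["outbound"]:
        print(f"outbound to {host}:{port}: {name}")
```

On a real machine add the `-o` switch (`netstat -ano`) so each row carries the owning process ID, which is what turns "unknown listener on 445" into a named program; on Linux `ss -tulpn` gives the same view. A port being in the table only says what usually lives there, not what is actually answering, which is why the flagged outbound connection matters more than the named ones.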

Page 14: the “brangelina” of ports

• internet: network of networks, millions of networks
• web: system of interlinked hypertext documents
• port: 80
• Try it: http://www.techcomfort.com:81
• Try it: http://www.techcomfort.com:80

Page 15:

• Port scan your computer using an on-line tool: http://viewdns.info/portscan
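What the on-line scanner on Page 15 is doing, as an added example that is not part of the slides: a TCP connect scan tries to complete a three-way handshake on each port and reports the ones that answer. To keep the script self-contained and offline it starts its own throwaway listener on 127.0.0.1 and scans only this machine; the listener, port selection and helper names are my construction. Scan only hosts you own or are authorised to test.

```python
# Added example (not from the slides): a minimal TCP connect scan against
# localhost, with an in-process listener standing in for an open service.
import socket
import threading


def start_listener() -> socket.socket:
    """Bind a listening socket on a free port of 127.0.0.1 (our 'open' port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)                 # so the accept loop notices close()

    def accept_loop():
        # Accept and drop connections so the scanner's handshakes complete.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:             # socket closed by demo(): stop
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def is_open(host: str, port: int, timeout: float = 0.3) -> bool:
    """True if a TCP three-way handshake to host:port completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0   # 0 = connected, else errno


def scan(host: str, ports) -> list:
    """Connect scan: return the ports on host that accepted a connection."""
    return [p for p in ports if is_open(host, p)]


def free_closed_port() -> int:
    """Bind and immediately release a port, giving one that is known closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo() -> tuple:
    """Start a listener, scan the ports around it, return (open port, findings)."""
    srv = start_listener()
    port = srv.getsockname()[1]
    try:
        found = scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"listener on {port}; open ports found by the scan: {found}")
```

The difference between this and the on-line tool is only the vantage point: run from the Internet, the scan sees what your firewall and NAT (Pages 17 and 18) let through, not what netstat shows from inside.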

Page 16: ports

• Dean Brady has just instructed us via secure e-mail? to construct a device to combat the “port” menace and make GSPP computers safe for policy analysis. What can we do?

Page 17: firewalls

• A device or set of devices designed to permit or deny network transmissions
• Based on a set of rules
• Allowing legitimate communications
• Blocking unauthorized access
• Network address translation (NAT) to hide the real IP address
• Datacenter rules

Page 18: private networks

• Private addresses are commonly used in corporate networks, which for security reasons are not connected directly to the Internet
• Private addresses are seen as enhancing network security for the internal network, since it is difficult for an Internet host to connect directly to an internal system.
• Caveat: this only hinders inbound connections. Malware that connects outward to its controller (the reverse-connect mode described on Page 21) passes through NAT and private addressing like any other outbound traffic, so they are no substitute for firewall rules on what may leave the network.

Page 19: anti-virus software

• A program used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, trojan horses, spyware and adware
• Many viruses have a signature; detection of a virus involves searching for known patterns
• But what about viruses for which no signature currently exists?
• Current anti-virus software is not good enough to stop the bad guys
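Why "searching for known patterns" works on the sample the vendor has seen and fails on the next one, as an added example that is not from the slides. Two signature styles are shown: an exact file hash and an analyst-written byte pattern. The "samples" are constructed byte strings with a fake connect-back string, not real malware, and the XOR "packing" is a stand-in for the obfuscation real malware applies before its strings are decoded at run time.

```python
# Added example (not from the slides): hash and pattern signatures against
# an original sample, a trivially modified variant, and an obfuscated copy.
import hashlib
import re

# Two constructed "known bad" samples the vendor has already analysed.
KNOWN_BAD = [
    b"MZ\x90\x00" + b"connect-back 198.51.100.7:4444" + b"\x00" * 8,
    b"MZ\x90\x00" + b"connect-back 203.0.113.9:4444" + b"\x00" * 8,
]


def hash_signatures(samples) -> set:
    """Exact-match signature: SHA-256 of the whole file."""
    return {hashlib.sha256(s).hexdigest() for s in samples}


# Pattern signature an analyst would write from the known samples: the
# connect-back marker with the address and port left as wildcards.
PATTERN_SIGNATURES = [re.compile(rb"connect-back \d+\.\d+\.\d+\.\d+:\d+")]


def scan(data: bytes, hashes: set, patterns) -> str:
    """Return which signature type, if any, flags the file."""
    if hashlib.sha256(data).hexdigest() in hashes:
        return "hash match"
    if any(p.search(data) for p in patterns):
        return "pattern match"
    return "clean"


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest obfuscation a packer might apply."""
    return bytes(b ^ key for b in data)


def demo() -> dict:
    hashes = hash_signatures(KNOWN_BAD)
    original = KNOWN_BAD[0]
    # One byte changed in the padding: same behaviour, different hash.
    variant = original[:-1] + b"\x01"
    # Same code with everything after the header XOR-encoded, to be decoded
    # only at run time: neither the hash nor the pattern matches any more.
    packed = b"MZ\x90\x00" + xor(original[4:], 0x5A)
    return {
        "original": scan(original, hashes, PATTERN_SIGNATURES),
        "variant": scan(variant, hashes, PATTERN_SIGNATURES),
        "packed": scan(packed, hashes, PATTERN_SIGNATURES),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash catches only the exact file, the pattern survives a cosmetic change, and neither sees the packed copy until someone has analysed it and written a new signature. That lag is the "no signature currently exists" window the slide asks about, and the reason vendors added behaviour-based and run-time checks on top of static patterns.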

Page 20: malware

• Viruses have gone into stealth mode
• Malwarebytes’ Anti-Malware
• Download, install and run
• What do you find?
• Not enough…

Page 21: ex. RSA attacked

• The attacker in this case sent two different phishing emails over a two-day period. The two emails were sent to two small groups of employees; you wouldn’t consider these users particularly high-profile or high-value targets. The email subject line read “2011 Recruitment Plan.”
• The email was crafted well enough to trick one of the employees into retrieving it from their Junk mail folder and opening the attached Excel file. It was a spreadsheet titled “2011 Recruitment plan.xls”.
• The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609).
• The next step in a typical Advanced Persistent Threat (APT) is to install some sort of remote administration tool that allows the attacker to control the machine. In our case the weapon of choice was a Poison Ivy variant set in reverse-connect mode, which makes it more difficult to detect, as the PC reaches out to the command and control rather than the other way around.
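The reverse-connect detail on Page 21 is also the handle a defender has on it: because the infected PC initiates contact with its command and control, an outbound connection log shows the same internal host reaching the same destination over and over at a near-constant interval (a beacon). This is an added example, not from the slides and not a description of the RSA incident's actual traffic: the log lines, addresses and the "every five minutes" interval are constructed, and the detection threshold is my choice.

```python
# Added example (not from the slides): find beaconing in an outbound
# connection log by looking for destinations contacted at regular intervals.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one outbound connection per line. 10.4.7.21 browses a
# web server now and then, and also checks in with 203.0.113.50:443 every
# five minutes, give or take a second.
LOG = """\
2011-03-08 09:00:02 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
2011-03-08 09:00:14 src=10.4.7.21 dst=198.51.100.20 dport=80 proto=tcp
2011-03-08 09:05:02 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
2011-03-08 09:07:40 src=10.4.7.21 dst=198.51.100.20 dport=80 proto=tcp
2011-03-08 09:10:03 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
2011-03-08 09:15:02 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
2011-03-08 09:16:31 src=10.4.7.21 dst=198.51.100.20 dport=80 proto=tcp
2011-03-08 09:20:02 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
2011-03-08 09:25:03 src=10.4.7.21 dst=203.0.113.50 dport=443 proto=tcp
"""


def parse(log: str):
    """Yield (timestamp, src, dst, dport) for each log line."""
    for line in log.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        kv = dict(p.split("=", 1) for p in parts[2:])
        yield ts, kv["src"], kv["dst"], int(kv["dport"])


def find_beacons(log: str, min_hits: int = 5, max_jitter: float = 0.1) -> list:
    """Flag (src, dst, dport) triples seen at least min_hits times whose
    gaps between connections are nearly constant: the standard deviation
    of the gaps divided by their mean is below max_jitter."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        times[(src, dst, dport)].append(ts)
    hits = []
    for (src, dst, dport), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(stamps), "interval_s": round(avg)})
    return hits


if __name__ == "__main__":
    for b in find_beacons(LOG):
        print(f"beacon: {b['src']} -> {b['dst']}:{b['dport']} "
              f"every ~{b['interval_s']}s ({b['count']} hits)")
```

Two things to take from the run. The beacon uses port 443, so by the table on Page 13 it looks like ordinary HTTPS and passes a firewall and NAT (Pages 17 and 18) that only judge by port; the regularity, not the port, gives it away. And real implants add random delay to their check-in interval, so `max_jitter` is a tuning knob against your own traffic rather than a fixed constant.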

Page 22: RSA, not the only ones

• The information suggests that more than 760 other organizations had networks that were compromised with some of the same resources used to hit RSA. Almost 20 percent of the current Fortune 100 companies are on this list.

Page 23: RSA, not the only ones

302-DIRECT-MEDIA-ASN
8e6 Technologies, Inc.
AAPT AAPT Limited
ABBOTT Abbot Labs
ABOVENET-CUSTOMER – Abovenet Communications, Inc
ACCNETWORKS – Advanced Computer Connections
ACEDATACENTERS-AS-1 – Ace Data Centers, Inc.
ACSEAST – ACS Inc.
ACS-INTERNET – Affiliated Computer Services
ACS-INTERNET – Armstrong Cable Services
ADELPHIA-AS – Road Runner HoldCo LLC
Administracion Nacional de Telecomunicaciones
AERO-NET – The Aerospace Corporation
AHP – WYETH-AYERST/AMERICAN HOME PRODUCTS
AIRLOGIC – Digital Magicians, Inc.
AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AIS-WEST – American Internet Services, LLC.
AKADO-STOLITSA-AS _AKADO-Stolitsa_ JSC
ALCANET Corporate ALCANET Access
ALCANET-DE-AS Alcanet International Deutschland GmbH
ALCATEL-NA – Alcanet International NA
ALCHEMYNET – Alchemy Communications, Inc.
Alestra, S. de R.L. de C.V.
ALLIANCE-GATEWAY-AS-AP Alliance Broadband Services Pvt. Ltd., Alliance Gateway AS, Broadband Services Provider, Kolkata, India
ALMAZAYA Almazaya gateway L.L.C
AMAZON-AES – Amazon.com, Inc.
AMERITECH-AS – AT&T Services, Inc.
AMNET-AU-AP Amnet IT Services Pty Ltd
ANITEX-AS Anitex Autonomus System
AOL-ATDN – AOL Transit Data Network
API-DIGITAL – API Digital Communications Group, LLC
APOLLO-AS LATTELEKOM-APOLLO
APOLLO-GROUP-INC – University of Phoenix
APT-AP AS
ARLINGTONVA – Arlington County Government
ARMENTEL Armenia Telephone Company
AS INFONET
AS3215 France Telecom – Orange
AS3602-RTI – Rogers Cable Communications Inc.
AS4196 – Wells Fargo & Company
AS702 Verizon Business EMEA – Commercial IP service provider in Europe
ASATTCA AT&T Global Network Services – AP
ASC-NET – Alabama Supercomputer Network
ASDANIS DANIS SRL
ASGARR GARR Italian academic and research network
ASIAINFO-AS-AP ASIA INFONET Co.,Ltd./ TRUE INTERNET Co.,Ltd.
ASIANDEVBANK – Asian Development Bank
ASN852 – Telus Advanced Communications
AS-NLAYER – nLayer Communications, Inc.
ASTOUND-CABLE – Wave Broadband, LLC
AT&T Global Network Services – EMEA
AT&T US
ATMAN ATMAN Autonomous System
ATOMNET ATOM SA
ATOS-AS ATOS Origin Infogerance Autonomous System
ATT-INTERNET4 – AT&T Services, Inc.
AUGERE-AS-AP Augere Wireless Broadband Bangladesh Limited
AVAYA AVAYA
AVENUE-AS Physical person-businessman Kuprienko Victor Victorovich
AXAUTSYS ARAX I.S.P.
BACOM – Bell Canada
BAHNHOF Bahnhof AB
BALTKOM-AS SIA _Baltkom TV SIA_
BANGLALINK-AS an Orascom Telecom Company, providing GSM service in Bangladesh
BANGLALION-WIMAX-BD Silver Tower (16 & 18th Floor)
BANKINFORM-AS Ukraine
BASEFARM-ASN Basefarm AS. Oslo – Norway
BBIL-AP BHARTI Airtel Ltd.
BBN Bredbaand Nord I/S
BC-CLOUD-SERVICES
BEAMTELE-AS-AP Beam Telecom Pvt Ltd
BEE-AS JSC _VimpelCom_
BELINFONET Belinfonet Autonomus System, Minsk, Belarus
BELLSOUTH-NET-BLK – BellSouth.net Inc.
BELPAK-AS BELPAK
BELWUE Landeshochschulnetz Baden-Wuerttemberg (BelWue)
BENCHMARK-ELECTRONICS – Benchmark Electronics Inc.
BEND-BROADBAND – Bend Cable Communications, LLC
BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbone
BIGNET-AS-ID Elka Prakarsa Utama, PT
BLUEWIN-AS Swisscom (Schweiz) AG
BM-AS-ID PT. Broadband Multimedia, Tbk
BN-AS Business network j.v.
BNSF-AS – Burlington Northern Sante Fe Railway Corp
BNT-NETWORK-ACCESS – Biz Net Technologies
BORNET Boras Energi Nat AB
BREEZE-NETWORK TOV TRK _Briz_
BSC-CORP – Boston Scientific Corporation
BSKYB-BROADBAND-AS BSkyB Broadband
BSNL-NIB National Internet Backbone
BT BT European Backbone
BT-ITALIA BT Italia S.p.A.
BTN-ASN – Beyond The Network America, Inc.
BTTB-AS-AP Telecom Operator & Internet Service Provider as well
BT-UK-AS BTnet UK Regional network
CABLECOM Cablecom GmbH
CABLE-NET-1 – Cablevision Systems Corp.
CABLEONE – CABLE ONE, INC.
CABLEVISION S.A.
CACHEFLOW-AS – Bluecoat Systems, Inc.
CANET-ASN-4 – Bell Aliant Regional Communications, Inc.
CANTV Servicios, Venezuela
CAPEQUILOG – CapEquiLog
CARAVAN CJSC Caravan-Telecom
CARRIER-NET – Carrier Net
CATCHCOM Ventelo
CCCH-3 – Comcast Cable Communications Holdings, Inc
CDAGOVN – Government Telecommunications and Informatics Services
CDS-AS Cifrovye Dispetcherskie Sistemy

Page 24: command and control

Page 25: conclusions

• Google and RSA aren’t safe, and you aren’t either
• But there are lots of targets, so minimize your footprint, make yourself a more difficult target
• Run anti-virus with real-time protection, whatever the vendor
• Run anti-malware
• Use a firewall, or multiple firewalls, hardware and software
• Use network address translation (NAT)
• Make backups, so you can rebuild, if necessary

Page 26: next time: SQL Quiz, IT Security (continued) and Final Projects Planning

• Case Study: Distributed Denial: the Tech of Cyber Attack in the Russo-Georgian Conflict of August 2008