Computer Security & Forensics

Lecture 1 - Adversaries & Attacks

Book Guide:

Computer Security & Forensics
Security in Computing, Chapters 4 & 10.
S&L p45, p23

Topics:

Adversaries
-Individuals
-Hackers
-Lone criminals
-Insiders
-Organizations
-Businesses
-Organised crime
-Terrorists
-Governments (CIA, MI6 etc)

Attacks
-Criminal
-Fraud, Damage, IP Theft, Identity Theft, Data theft
-Privacy - Targeted & Harvesting
-Surveillance, Traffic Analysis
-Adverse Publicity
-DoS (Denial of Service), Blackmail, Web Site Defacement
-Legal
-Discredit a system using the legal process.

Adversaries - Individuals

Individual - Hacker/Cracker

The media frequently use the term "hacker" for a malicious individual with relevant computer skills who aims to sabotage a computer system for personal gain or amusement; 'cracker' is the more appropriate term.

The original motivation is the pursuit of expert knowledge and the power it might bring. Similar older subcultures:
-Ham Radio
-Phone Phreakers
-Computer Geeks

Covers a wide range of skill sets:

Script Kiddies - Download toolkits but no real idea how they work.

Gray / Black Hat Hackers - Skilled career hackers who may or may not turn to cracking. Passionate, highly motivated, skilled. Not necessarily coordinated.

Present and learn new tricks via online communities & conferences, such as defcon:
www.defcon.org

Case Examples:

Kevin Mitnick

Jailed for numerous hacks and social engineering tricks.
Insists his motivation was more curiosity than financial gain.
Now works as a computer security consultant.

Gary McKinnon

Accused of hacking into dozens of US military and NASA computers in 2001 and 2002 and causing $700,000 worth of damage. Accepts that he hacked into many sites but not that he caused any real damage. Was looking for evidence of UFOs.

Used fairly straightforward techniques to gain access, principally weak passwords.

"I found out that the US military use Windows and having realized this, I assumed it would probably be an easy hack if they hadn't secured it properly."

Jon Johansen / DVD Jon

Implicated in the development of DeCSS, a hack that provided a workaround for DVD encryption and content protection.

Prosecuted but not found guilty by Norwegian court in 2003, claimed "the other guys did it."

Still active in developing software hacks for Digital Rights Management (DRM), iTunes, iPhone etc.

Individual - Lone Criminals

Goal is making money. Computer systems provide the environment and the method.

Often less skilled and will happily use available toolkits. Whatever works and provides financial gain. Frequently audacious. Often caught due to lack of knowledge.

Individual - Insiders

A malicious or disgruntled employee can be very destructive, particularly if computer systems are very 'open' or an individual has wide access to systems and data.

The safest option is to operate on a 'need to know' basis, enforced through authorisation levels and authentication - e.g. DB access levels.
Used in military systems (and by some terrorist organisations, which operate in cells).

Can be very restrictive and affect normal operations.
Many security breaches occur because individuals get tired of using the required secure approach.
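As an added example (not from the lecture notes), the following Python shows what a 'need to know' authorisation check looks like in code: every request is denied unless some role the user holds explicitly grants it, and every decision is recorded so an insider's attempts to reach data outside their role leave a trace. The roles, table names and users are constructed for the example.

```python
"""Deny-by-default role-based authorisation (added example).

Roles, permissions, table names and users below are constructed;
they are not part of any real system."""
from dataclasses import dataclass, field

# Permissions granted to each role as (table, action) pairs.
# Anything not listed here is denied: this is the 'need to know' rule.
ROLE_PERMISSIONS = {
    "clerk":   {("customers", "read")},
    "analyst": {("customers", "read"), ("orders", "read")},
    "dba":     {("customers", "read"), ("customers", "write"),
                ("orders", "read"), ("orders", "write"),
                ("payroll", "read")},
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorise(user, table, action):
    """Return a Decision. Unknown roles, tables or actions are denied."""
    for role in sorted(user.roles):
        if (table, action) in ROLE_PERMISSIONS.get(role, set()):
            return Decision(True, f"{user.name}: {action} {table} allowed via role {role}")
    return Decision(False, f"{user.name}: {action} {table} denied (no role grants it)")


AUDIT_LOG = []  # every decision, allowed or not, is appended here


def guarded_query(user, table, action):
    """Check authorisation before touching data; raise on denial."""
    decision = authorise(user, table, action)
    AUDIT_LOG.append(decision.reason)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    return f"{action.upper()} {table}"  # stand-in for actually running the query


def roles_with_access(table, action):
    """Which roles can reach a table: useful when reviewing how 'open' a system is."""
    return sorted(r for r, perms in ROLE_PERMISSIONS.items() if (table, action) in perms)


if __name__ == "__main__":
    alice = User("alice", {"clerk"})
    print(guarded_query(alice, "customers", "read"))
    try:
        guarded_query(alice, "payroll", "read")
    except PermissionError as err:
        print(err)
    print("roles that can read payroll:", roles_with_access("payroll", "read"))
```

The cost the notes mention is visible here too: a clerk who legitimately needs one payroll figure has to ask someone with the `dba` role, and the more often that happens, the greater the temptation to hand out the wider role and defeat the scheme.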

Most destructive effect occurs when malicious insider keeps quiet and works with external individuals to maximise damage.

Adversaries - Groups

Groups - Businesses

Businesses have always strived to gain a competitive advantage over their rivals. They may therefore be interested in looking for security weaknesses in those rivals.

Their intention is usually to gain information of tactical value, e.g. design plans.
Rare that they would actively attack and undermine a competitor.
Normally, this is illegal.

"Regular cybercriminals may be attempting to steal your employees' credit card details, but spyware can also be used for corporate espionage designed to steal your business plans and customer databases." -Graham Cluley, Sophos.

Case Study:

Israeli Modi'in Ezrahi private investigators
-This group installed a trojan horse at businesses targeted by their clients.
-Trojan allowed PI group to collect information on rival businesses.
-Members of PI group ended up in jail or heavily fined.

Groups - Organized Crime

Organised Crime is becoming a key player in international security breaches.

Increasingly, there is more money to be made in online crime, even more so than in drugs!
Organized crime has the resources and motivation to exploit security breaches.
Some organized crime networks are said to have strong links to corrupt government regimes.

One of the more infamous groups is the 'Russian Business Network'
Alleged to provide the infrastructure for the majority of modern e-crime.
Implicated in a significant share of online crime committed in the UK.
Alleged links to Russian mafia and possibly even elements of government.

90% of breaches in 2008 involved organised crime targeting corporate information.
-285 million records stolen in 2008
-230 million between 2004-2007

Credit card data accounts for 32% of goods advertised in the underground economy.

Some market prices for organized crime:

-US based credit card (with CVV), $1-$6
-Identity (SSN, DOB, bank account, credit card, ...), $14-$18
-Online banking account with $9,900 balance, $300
-Compromised computer, $6-$20
-Phishing web site hosting, per site, $3-$5
-Verified PayPal account with balance, $50-$500
-Skype account, $12
-WoW account, $10

Groups - Terrorists

Two significant goals for terrorist groups using security exploits
-Financial Gain to fund activities - similar methods to criminal groups.
-Creating 'terror' through control and destruction of critical infrastructure.

Current focus appears to be on financial gain but the long term danger is when critical systems are attacked.

Power generation is one obvious scenario.
-Modern power stations are networked to provide flexible generation and control of power output. This system is susceptible to attack, and a successful attack could bring a country to a standstill.

-Even software updates on one part of a network have brought the other part down.

Or how about your own city wide train set?
www.theregister.co.uk/2008/01/11/tram_hack

Groups - Governments

When hackers, criminals and insiders team up, you have a problem. If a government forms a similar team, you have a much bigger problem.

Cuckoo's Egg, Cliff Stoll
-One of the first recorded instances of hacking military sites and how it was tracked down.
-Hacking traced to Markus Hess, who was selling information to the Soviet KGB with some involvement from a Hungarian spy.
-Russian intelligence activities have probably improved a bit since then.

Israeli air attack on Syria
-Command and control, radar systems switched off - Aviation week.

Greek telephone hack
-For nearly 7 months, the telephone conversations of senior Greek politicians were monitored by compromising telephone switches and 'tapping' software modules in the switches. Notably, all relevant logging tools were disabled so the hackers could not be traced.

Attacks


Privacy Attacks

Targeted Surveillance
-A small group or even an individual may be singled out due to the potential to exploit them financially or politically.
-Standard techniques are to install a key logger via a Trojan or to eavesdrop on network communications.
-Packet sniffing software is very common and gives easy access to unencrypted data.

Data Harvesting
-More commonly, attackers will listen out on computers and network communications and look for interesting patterns or phrases, e.g. text fields in forms with names like 'password'
-Storage of such data is less of an issue; the bigger concern is analysing the vast amount of data that can be generated.
-Companies already record and analyse user browsing behaviour across many independent web sites. For example, Google and Doubleclick keep track of users moving from one site to another via Javascript and cookies.

Traffic Analysis
-Traffic analysis looks at not just what you say, but who you say it to.
-Often used by military and law enforcement to identify key individuals.
-GCHQ in the UK and ECHELON monitor and analyse network traffic for this purpose.
-Look for certain patterns of communication or tags in data (or even just data that is encrypted) to identify individuals and the computers they use.
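To make the "not what you say, but who you say it to" point concrete, here is an added example (not from the lecture notes) that works purely on connection metadata. It builds a who-talks-to-whom graph from flow records that contain no payload at all and ranks hosts by how many distinct peers they have. A defender runs exactly this analysis over firewall or NetFlow logs to spot a machine that is suddenly talking to far more hosts than its neighbours. The flow records are constructed for the example.

```python
"""Traffic analysis on metadata only (added example).

FLOWS is a constructed list of (source, destination) pairs with no
payload; nothing here needs to decrypt or even see message content."""
from collections import defaultdict

FLOWS = [
    ("10.0.0.5", "10.0.0.1"), ("10.0.0.6", "10.0.0.1"), ("10.0.0.7", "10.0.0.1"),
    ("10.0.0.5", "10.0.0.6"),
    ("10.0.0.9", "10.0.0.1"), ("10.0.0.9", "10.0.0.5"), ("10.0.0.9", "10.0.0.6"),
    ("10.0.0.9", "10.0.0.7"), ("10.0.0.9", "10.0.0.8"), ("10.0.0.9", "203.0.113.10"),
    ("10.0.0.5", "10.0.0.1"),  # a repeated conversation counts as one peer
]


def peer_graph(flows):
    """Undirected adjacency: host -> set of hosts it exchanged traffic with."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph


def peers_of(graph, host):
    """Who a given host talks to, sorted for stable output."""
    return sorted(graph.get(host, set()))


def rank_by_peers(graph):
    """Hosts ordered by number of distinct peers (degree), highest first."""
    return sorted(graph, key=lambda h: (-len(graph[h]), h))


def unusual_hosts(graph, factor=1.5):
    """Hosts whose peer count exceeds `factor` times the median degree.

    The median is the upper middle value for an even-sized population."""
    degrees = sorted(len(peers) for peers in graph.values())
    median = degrees[len(degrees) // 2]
    return [h for h in rank_by_peers(graph) if len(graph[h]) > factor * median]


if __name__ == "__main__":
    g = peer_graph(FLOWS)
    for host in rank_by_peers(g):
        print(f"{host:14} peers={len(g[host])}  {peers_of(g, host)}")
    print("unusual:", unusual_hosts(g))
```

In the constructed data 10.0.0.9 has six peers while the median host has three, so it stands out without a single byte of content being read; the same technique identifies a hub in a real network whether it is a legitimate server, a compromised host scanning its neighbours, or the "key individual" the notes describe.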

Criminal Attacks

The goal for criminal attacks is usually financial gain, either directly or indirectly.

Fraud - 419 Scams

The name '419' comes from the relevant section of the Nigerian Criminal Code.
A social engineering scam that relies on greed: the victim assumes they will receive a large payout for helping transfer cash, but first they must provide money up front to help the process along. Originally a large source of spam email.

Phishing - Creating a false web site / login account to harvest user details.

-More and more prevalent
-Gain access to account name and password for financial gain.
-SS and recent DNS bug make this a dangerous threat.

Virus Laden email attachments purporting to come from legitimate user.
-User opens fraudulent attachment which installs Trojan virus...
-Many different types of attachment are dangerous:
-EXE, PIF, BAT, ZIP
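A mail gateway has to decide what to do with those attachment types before a user ever sees them. The following added example (not from the lecture notes) classifies attachments by file name, handling the usual disguises (mixed case, trailing spaces, double extensions such as `report.pdf.exe`) and looking inside a ZIP to apply the same rule to its members. The extension list extends the lecture's EXE, PIF, BAT and ZIP, and every file name and archive used is constructed.

```python
"""Attachment screening by extension, including ZIP contents (added example).

DANGEROUS extends the lecture's list; all names and archives are constructed."""
import io
import zipfile

DANGEROUS = {"exe", "pif", "bat", "cmd", "com", "scr", "js", "vbs"}
ARCHIVES = {"zip"}


def extensions(filename):
    """All extensions of a name, lower-cased: 'Report.PDF.EXE ' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify(filename):
    """'block', 'allow', 'inspect-archive', or 'quarantine' for names with no extension.

    Only the final extension decides what the OS would execute, so
    'invoice.pdf.exe' is blocked while 'setup.exe.txt' is plain text."""
    exts = extensions(filename)
    if not exts:
        return "quarantine"
    if exts[-1] in DANGEROUS:
        return "block"
    if exts[-1] in ARCHIVES:
        return "inspect-archive"
    return "allow"


def classify_zip(data):
    """Apply classify() to every member name of a ZIP held in memory.

    Nested archives are refused rather than recursed into."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        verdicts = {name: classify(name) for name in zf.namelist()}
    if any(v in ("block", "inspect-archive") for v in verdicts.values()):
        return "block"
    return "allow"


def screen_attachment(filename, data=b""):
    """Gateway decision for one attachment: name check, then archive contents."""
    verdict = classify(filename)
    if verdict == "inspect-archive":
        try:
            return classify_zip(data)
        except zipfile.BadZipFile:
            return "block"  # claims to be a ZIP but is not: treat as suspicious
    return verdict


def make_zip(members):
    """Constructed helper: build a ZIP in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for name in ["report.pdf", "Invoice.PDF.EXE ", "holiday.jpg", "README"]:
        print(f"{name!r:22} -> {classify(name)}")
    print("docs.zip with run.BAT ->",
          screen_attachment("docs.zip", make_zip({"a.txt": b"hi", "run.BAT": b"x"})))
```

The check deliberately works on the raw name rather than how a mail client displays it, so a name padded with spaces or containing a right-to-left override character still ends in `.exe` as far as the filter is concerned. Extension checks are only a first filter: a gateway would normally also inspect file content, since nothing stops an attacker renaming a file.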

Damage

Motivation - Terrorism, Malice, Revenge.

Method

Shutdown of network and attached systems (could include business, defence or utilities).
Deletion of data, user accounts or both.
Allow infiltration of 3rd party who will inflict the real damage.

Intellectual Property (IP) Theft aka Piracy - covers a broad range of topics.

Design Documents
Source Code
Software Applications - 'warez'
-A good way to disseminate Trojans.
-Even the hackers get caught out via back doors in downloaded hacker tools.

Music, videos, games..

Digital media is relatively easy to copy and disseminate - not constrained by duplication resources and copy is usually a perfect replica.

Identity Theft

Stealing a person's identity can be very damaging and cause significant frustration for the affected victim.

For example, if a false credit card is created in your name, you have to prove that you did not buy a given product or transfer funds to a mystery account.
Thieves used to steal identity paperwork (e.g. bills or bank statements) from bins or even houses. Now they can get it all online.
Current authentication techniques are very weak and have not really caught up with the ability of fraudsters to fake or obtain relevant information.

Data Theft

Very common form of attack where goal is to obtain confidential data with the aim of using it for financial gain - e.g. user account details, credit card numbers.

Frequently the aim of attacks on websites, since such information is normally stored there.

Adverse Publicity Attacks

Undermine a service with the goal of either removing it or extorting 'protection' money.

-For example, a DoS may be launched against a website making it unreachable.
-If time critical information is required (e.g. Online Bookies), organizations may pay up in the hope the attacker will go elsewhere.

Web Site Defacement
-This is less subtle and usually aims to undermine the credibility of an organization.
-E.g. defacing supposedly secure systems on a bank's web site or a security company's site.
-Less frequent these days, since hackers are more interested in making money than in showing off.
-Example by 4chan - Operation Titstorm: the Australian government attempted to legalize an anti-pornography filter across the internet, and 4chan tore down their website and covered the prime minister's page in pornography.

Gain Publicity or notoriety
-Sometimes the goal is to gain media attention for some cause or just to get noticed by their peers.

Module Info

Course Makeup:

40% - Assignment
60% - Exam

Cryptography

Topics:

Background
Symmetric & Asymmetric Encryption
Cryptographic Algorithms
Cryptographic Attacks
Creating Encryption Algorithms
Using Encryption
Commercial Encryption
Cryptographic Hash Functions
Public Key Encryption
Digital Signatures
Certificates

Background

"Cryptography is the study and practice of protecting information by data encoding and transformation techniques. It includes means of hiding information (such as encryption) and means of proving information is authentic and has not been altered from its original form (such as digital signatures)"

Cryptography plays a significant role in meeting the security requirements of
-privacy
-authentication
-integrity

Cryptography & Privacy

Encrypted Data is Private Data
-If I wish to send you a private message, I can encrypt it with a method that is only known to you and me.
-An eavesdropper would have to know or work out what the encryption method was and usually which particular "key" is required to read the message.

Cryptography & Authentication

Passwords
-When you log in, your password is encrypted and checked against the encrypted version that was stored when your account was set up.
Certificates
-