Brief History of Malware - Villanova University (mdamian/Past/csc8400fa15/notes/Security.pdf), transcript
Basics of Cryptography, Password and File Security, Brief History of Malware

Security Goal: Confidentiality
• Suppose you are a customer using a credit card to order an item from a website
• Threat:
  - An adversary may eavesdrop on your network communication, reading your messages to obtain your credit card information
• Solution:
  - Encrypt your message to keep the content secret
  - A protocol that does so is said to provide confidentiality
Security Goal: Data Integrity
• Confidentiality is not enough
• Threat:
  - An adversary cannot read the contents of your encrypted message, but is still able to change a few bits in it
  - This may result in a valid order for, say, a completely different item or perhaps 100 units of the item
• Solution:
  - Enable the receiver to detect message tampering
  - A protocol that does so is said to provide data integrity

Security Goal: Authentication
• Another threat to the customer is unknowingly being directed to a false website
• Threat:
  - This can result from a Domain Name System attack, in which false information is entered to locate a server
  - This leads to translating a correct URL into the address of a false website
• Solution:
  - Ensure that you really talk to whom you think you're talking
  - A protocol that does so is said to provide authentication
Cryptographic Building Blocks

Cryptography
• Cryptography
  - The field of study related to encoded information (comes from the Greek for "secret writing")
• Encryption
  - The process of converting plaintext into ciphertext
• Decryption
  - The process of converting ciphertext into plaintext

[Figure: plaintext message (can be read) --Encryption--> ciphertext message (cannot be read) --Decryption--> plaintext message]
Basic Blocks of Cryptography
• Cipher
  - An algorithm used to encrypt and decrypt text
• Key
  - The set of parameters that guide a cipher
• Neither is any good without the other

Examples of Ciphers
• Substitution cipher
  - A cipher that substitutes one character with another
  - Example: Caesar cipher
    - shifts characters a certain number of positions in the alphabet
• Transposition cipher
  - A cipher that rearranges the order of existing characters in a message in a certain way (e.g., a route cipher)
Caesar Cipher

  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
  D E F G H I J K L M N O P Q R S T U V W X Y Z A B C

• Substitute the letters in the second row for the letters in the top row to encrypt a message
• Encrypt(COMPUTER) gives FRPSXWHU
• Substitute the letters in the first row for the letters in the second row to decrypt a message
• Decrypt(Encrypt(COMPUTER)) gives COMPUTER
• The key is _____________________

Transposition Cipher

  T O D A Y
  + I S + M
  O N D A Y

• Write the letters in rows of five, using '+' as a blank. Encrypt by spiraling inward, starting from the top left and moving counter-clockwise
• Encrypt(TODAY IS MONDAY) gives T+ONDAYMYADOIS+
• Decrypt by recreating the grid and reading the letters across the rows
• The key is __________________________
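The two classical ciphers of these slides, written out as an added example (this is not code from the course; the slide values COMPUTER/FRPSXWHU and TODAY IS MONDAY/T+ONDAYMYADOIS+ are used as inputs, and the Caesar shift of 3, the row width of 5 and the '+' blank are taken from the slides). The route cipher works for any grid size, not only the 3-by-5 example, and decryption rebuilds the grid from the same spiral order:

```python
# Added example (not from the course slides): the two classical ciphers
# from the slides, with the slide values used as test inputs.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Substitution cipher: shift every letter `shift` positions (key = 3 on the slide)."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # non-letters pass through unchanged
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decrypt by shifting back; the key is the same number of positions."""
    return caesar_encrypt(ciphertext, -shift)


def spiral_positions(rows: int, cols: int) -> list:
    """Grid cells in the order of an inward spiral that starts at the top-left
    corner and moves counter-clockwise (down the left edge first)."""
    order = []
    top, bottom, left, right = 0, rows - 1, 0, cols - 1
    while top <= bottom and left <= right:
        for r in range(top, bottom + 1):              # down the left column
            order.append((r, left))
        for c in range(left + 1, right + 1):          # right along the bottom row
            order.append((bottom, c))
        if left < right:
            for r in range(bottom - 1, top - 1, -1):  # up the right column
                order.append((r, right))
        if top < bottom:
            for c in range(right - 1, left, -1):      # left along the top row
                order.append((top, c))
        top, bottom, left, right = top + 1, bottom - 1, left + 1, right - 1
    return order


def route_encrypt(plaintext: str, cols: int = 5, blank: str = "+") -> str:
    """Transposition (route) cipher: write the text in rows of `cols`,
    then read it out along the spiral. The key is the row width plus the route."""
    text = plaintext.upper().replace(" ", blank)
    text += blank * (-len(text) % cols)               # pad the last row
    rows = len(text) // cols
    grid = [text[i * cols:(i + 1) * cols] for i in range(rows)]
    return "".join(grid[r][c] for r, c in spiral_positions(rows, cols))


def route_decrypt(ciphertext: str, cols: int = 5, blank: str = "+") -> str:
    """Rebuild the grid by putting each ciphertext letter back at its spiral
    position, then read the rows across (blank -> space)."""
    rows = len(ciphertext) // cols
    grid = [[""] * cols for _ in range(rows)]
    for ch, (r, c) in zip(ciphertext, spiral_positions(rows, cols)):
        grid[r][c] = ch
    return "".join("".join(row) for row in grid).replace(blank, " ").rstrip()


if __name__ == "__main__":
    print(caesar_encrypt("COMPUTER"))                       # FRPSXWHU
    print(route_encrypt("TODAY IS MONDAY"))                 # T+ONDAYMYADOIS+
    print(route_decrypt(route_encrypt("TODAY IS MONDAY")))  # TODAY IS MONDAY
```

Both ciphers show why the slides insist that a cipher is no good without a key: the algorithm (shift letters; spiral through a grid) is public, and the only secrets are the shift amount and the row width.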
Modern Ciphers

[Figure: cipher structure (Data Encryption Standard)]
• The ciphers are complex and operate at the bit level
• The encryption key is a random string of bits
• A single bit change in the input results in a totally independent random output
• Believed to be fairly secure

Modern Ciphers
• Encryption uses encryption key Ke
• Decryption uses decryption key Kd

[Figure: plaintext "The quick brown fox" --encrypt with key Ke (0110111010010001)--> ciphertext 4f60ce544b43c13f1d --decrypt with key Kd (1001001100111010)--> plaintext "The quick brown fox"]

• Encryption and decryption keys are related: Decrypt(Encrypt(plaintext, Ke), Kd) = plaintext
Principles of Ciphers
• Algorithm:
  - should be public (inspires trust that the algorithm works)
• Key:
  - should be long enough to prevent breaking of the encryption
  - should be short enough to keep the algorithm efficient
  - typical key lengths: 56-bit, 128-bit, 256-bit, 512-bit
• Symmetric key ciphers:
  - sender and receiver keys are identical and private
• Public-key ciphers:
  - encryption key public, decryption key secret (private)

Symmetric (Private) Key Ciphers
• The same (symmetric) key is used for encryption and decryption

[Figure: "The quick brown fox" --encrypt with key K (0110111010010001)--> 4f60ce544b43c13f1d --decrypt with the same key K--> "The quick brown fox"]
Asymmetric (Public) Key Ciphers
• Sender and receiver do not share a secret key
• Each uses a pair of related keys (private, public)
• Private decryption key known only to the receiver
• Public encryption key known to all

[Figure: "The quick brown fox" --encrypt with key Kpublic (0110111010010001)--> 4f60ce544b43c13f1d --decrypt with key Kprivate (1001001100111010)--> "The quick brown fox"]

• Any text encrypted with Kpublic can be decrypted with Kprivate
• Any text encrypted with Kprivate can be decrypted with Kpublic
Hash Functions

[Figure: message m --hash function H--> message digest H(m); "The quick brown fox..." -> 85d013f4, "The quick red fox..." -> ad917c7f]

• H is a one-way function that produces a message digest
  - One-way property: can't recover m from H(m)
  - Possible to have H(m1) = H(m2) for m1 ≠ m2
• H(m) has a fixed length, regardless of the length of m
How Do Digital Signatures Work?

Alice to Bob: "Hey, can you send me my banking information? Please sign it so I know someone isn't lying to me!"

What Does Bob Do?

[Figure: Alice's Bank Statement --hash function H--> digest 1011010011010110 --encrypt with bank's private key--> signature 0110110110110101]

Now Bob has two things to send Alice: a message and a digital signature.
A digest encrypted with a private key is called a digital signature.

How Does Alice Verify?

[Figure: Alice's Bank Statement --hash function H--> digest 1011010011010110; signature 0110110110110101 --decrypt with bank's public key--> digest 1011010011010110]

They match! So someone with Bob's secret must have signed the document!

• Issue:
  - what if Bob generates his own (private, public) key pair, then sends the public key to Alice claiming it is the bank's public key?
Authentication of Public Keys
• Algorithms to generate a matched pair of public and private keys are publicly known
• How can Alice guarantee that the public key Bob claims really belongs to Bob?
• Solution is the public key certificate
  - Statement specifying the key and identity
  - Signed by a Certification Authority

Certification Authority (CA)
• Trusted entity that issues public-key certificates
  - A public-key certificate, or simply a certificate, is a signed statement binding a public key to an identity
• Certification Authority
  - Binds a public key to an entity and issues a certificate
  - The CA itself has a well-known public key
  - The CA signs the certificate with its private key
Public Key Infrastructure and Certificates

[Figure: the CA (Verisign) hashes "amazon.com (subject ID) and public key" and signs the hash with Verisign's private key; the certificate is sent to the online customer, who verifies Amazon's certificate using PKverisign. Authenticity of public keys depends on the authenticity of the CA's public key, PKverisign. CAs' certificates are installed by Microsoft, Apple, Firefox, etc.]

• To be able to do business, amazon gets a public key certificate from Verisign
• If Alice wants to shop on amazon, amazon sends its certificate to Alice
• Verisign's public key is already preinstalled in Alice's browser
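The hash-then-sign flow of the digital-signature slides, the "Issue" of Bob presenting his own public key, and the certificate check of the CA/PKI slides, carried through as one added example (not code from the course). It uses textbook RSA on small constructed primes so each step is visible: SHA-256 stands in for the slides' hash function H, the digest is reduced modulo the toy modulus, and the names alices-bank, the key pairs and the statement text are all constructed. The same key pairs also illustrate the asymmetric-cipher slide's rule that anything encrypted with Kprivate decrypts with Kpublic:

```python
# Added example (not from the slides): the hash-then-sign flow of the
# digital-signature slides and the certificate check of the PKI slides,
# using textbook RSA on small primes so every step is visible.
import hashlib


def toy_keypair(p: int, q: int, e: int = 17):
    """Textbook RSA key pair from two small primes (constructed values, for
    illustration only; real keys are thousands of bits and use padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent: e * d = 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)


def digest(message: bytes, n: int) -> int:
    """Message digest H(m): SHA-256, reduced mod n so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'A digest encrypted with a private key is called a digital signature.'"""
    n, d = private_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decrypt the signature with the public key and compare with a fresh digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


def cert_body(subject: str, public_key) -> bytes:
    """The statement a certificate signs: subject identity plus its public key."""
    n, e = public_key
    return f"{subject}|{n}|{e}".encode()


def issue_certificate(subject: str, subject_public_key, ca_private_key) -> dict:
    """The CA binds a public key to an identity by signing the statement."""
    body = cert_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(body, ca_private_key)}


def verify_certificate(cert: dict, expected_subject: str, ca_public_key) -> bool:
    """Alice's check: the pre-installed CA public key must verify the binding,
    and the subject must be the party she meant to talk to."""
    return (cert["subject"] == expected_subject and
            verify(cert_body(cert["subject"], cert["public_key"]),
                   cert["ca_signature"], ca_public_key))


# Constructed key pairs: the bank, the CA Alice trusts, and Bob's own pair.
BANK_PUB, BANK_PRIV = toy_keypair(61, 53)   # n = 3233, e = 17, d = 2753
CA_PUB, CA_PRIV = toy_keypair(83, 89)
BOB_PUB, BOB_PRIV = toy_keypair(67, 71)
STATEMENT = b"Alice's bank statement: balance 100.00"   # constructed message


def scenario_without_certificates() -> bool:
    """The slide's 'Issue': Bob signs with his own key and claims the public
    key is the bank's; a bare signature check cannot tell the difference."""
    sig = sign(STATEMENT, BOB_PRIV)
    return verify(STATEMENT, sig, BOB_PUB)   # True: it passes, which is the problem


def scenario_with_certificates() -> tuple:
    """With a CA, Alice accepts the bank's certificate and rejects Bob's, whose
    certificate is signed with Bob's own key rather than the CA's."""
    bank_cert = issue_certificate("alices-bank", BANK_PUB, CA_PRIV)
    bob_cert = issue_certificate("alices-bank", BOB_PUB, BOB_PRIV)
    return (verify_certificate(bank_cert, "alices-bank", CA_PUB),
            verify_certificate(bob_cert, "alices-bank", CA_PUB))


if __name__ == "__main__":
    print(verify(STATEMENT, sign(STATEMENT, BANK_PRIV), BANK_PUB))  # True
    print(scenario_without_certificates())                          # True (the issue)
    print(scenario_with_certificates())                             # (True, False)
```

The point to take from the two scenarios is that a signature only proves "someone holding the private key matching this public key signed it"; which identity that key belongs to is what the certificate, and therefore the CA's pre-installed key, establishes. Production code uses a signature scheme with proper hashing and padding (for example RSA-PSS or an elliptic-curve scheme) rather than this raw textbook form.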
Guidelines for Passwords
• Easy to remember, hard to guess
• Don't use family or pet names
• Don't make it accessible
• Use a combination of uppercase/lowercase letters, digits and special characters
• Don't leave the computer when logged in
• Don't ever tell anyone
• Don't include in an email
• Don't use the same password in lots of places

Good and Bad Passwords
• Bad passwords
  - frank
  - Fido
  - password
  - 4444
  - Pikachu
  - 102560
  - AustinStamp
• Good passwords?
  - jfIej,43j-EmmL+y
  - 09864376537263
  - P0kem0N
  - FSa7Yago
  - 0nceuP0nAt1m8
  - PokeGCTall150
How to Store Passwords?
• Where are passwords stored?
  - Bad idea to store passwords as plain text in a file
• But need a way to verify passwords
• Cryptographic solution: hash the passwords
  - Store digest = Hash(password)
  - Password file does not reveal the passwords
  - But an attacker with the password file can try to guess passguess and check if the digest is identical to Hash(passguess)
  - If yes, the attacker has found the password!

Dictionary Attack
• Attacker pre-computes Hash(x) for all x in a dictionary of common passwords
• Suppose the attacker gets access to a password file containing hashed passwords
  - Attacker only needs to compare hashes to his pre-computed dictionary
  - Same attack will work each time
• Can we prevent this attack? Or at least make the attacker's job more difficult?
Dictionary Attack vs. Brute-Force Attack
Dictionary attack:
  ✓ Words, phrases, common passwords
  ✓ Further processing, e.g. replacing "hello" with "h3110"
Brute-force attack:
  ✓ Try all possible combinations up to a given length
  ✓ Computationally more expensive

Password Cracking: Do the Math
• Assumptions
  - Passwords are 8 chars, 128 choices per character
  - Then 128^8 = 2^56 possible passwords
• Research presented at Password12 in Norway shows that 8-character passwords are no longer safe
  - a 25-GPU cluster can cycle through 350 billion guesses per second
  - any password can be cracked in just 5.5 hours
Making Password Cracking Harder
• Prepend a random string (salt) to each new password
  - Usually the same size as the output digest
• Compute digest = Hash(salt+password) and store the pair (salt, digest) in the password file
• Note: the salt is not secret
• Easy to verify the password, difficult to crack
• Attacker would have to recompute the dictionary hashes for each user: lots more work!
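An added example (not code from the course) that puts the last three slides side by side: an unsalted and a salted password file, the login check, the cost of the pre-computed dictionary against each file counted in hash computations, and the arithmetic of the "Do the Math" slide. SHA-256 stands in for the slides' generic Hash(); the user names, passwords and the five-word dictionary are constructed, with the weak passwords borrowed from the slides' "bad" list:

```python
# Added example (not from the slides): unsalted vs. salted password storage,
# the pre-computed dictionary check, and the "Do the Math" arithmetic.
# SHA-256 stands in for the slides' Hash(); all sample data is constructed.
import hashlib
import hmac
import os

# Constructed sample data (the weak passwords come from the slides' "bad" list).
USERS = {"alice": "Pikachu", "bob": "FSa7Yago", "carol": "password"}
DICTIONARY = ["password", "123456", "letmein", "Pikachu", "frank"]


def hash_unsalted(password: str) -> str:
    """digest = Hash(password)"""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(salt: bytes, password: str) -> str:
    """digest = Hash(salt + password)"""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_unsalted_file(users: dict) -> dict:
    """Password file that stores only Hash(password) per user."""
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def make_salted_file(users: dict) -> dict:
    """Password file that stores (salt, digest); the salt is random per user,
    the same size as the SHA-256 output (32 bytes), and not secret."""
    pwfile = {}
    for user, pw in users.items():
        salt = os.urandom(32)
        pwfile[user] = (salt, hash_salted(salt, pw))
    return pwfile


def verify_password(entry: tuple, attempt: str) -> bool:
    """Login check against a salted entry; constant-time compare of the digests."""
    salt, stored = entry
    return hmac.compare_digest(stored, hash_salted(salt, attempt))


def dictionary_cost_unsalted(pwfile: dict, dictionary: list) -> tuple:
    """Hash(x) is computed once per dictionary word and reused for every user
    and every stolen file. Returns (matched users, hashes computed)."""
    table = {hash_unsalted(word): word for word in dictionary}
    hits = {user: table[d] for user, d in pwfile.items() if d in table}
    return hits, len(dictionary)


def dictionary_cost_salted(pwfile: dict, dictionary: list) -> tuple:
    """With salts no table can be shared: each user's salt forces the whole
    dictionary to be hashed again. Returns (matched users, hashes computed)."""
    hits, work = {}, 0
    for user, (salt, stored) in pwfile.items():
        for word in dictionary:
            work += 1
            if hash_salted(salt, word) == stored:
                hits[user] = word
    return hits, work


def crack_time_hours(choices: int, length: int, guesses_per_second: float) -> float:
    """Hours needed to try every password of `length` symbols drawn from `choices`."""
    return choices ** length / guesses_per_second / 3600


if __name__ == "__main__":
    plain, salted = make_unsalted_file(USERS), make_salted_file(USERS)
    print(dictionary_cost_unsalted(plain, DICTIONARY))   # two users matched, 5 hashes
    print(dictionary_cost_salted(salted, DICTIONARY))    # two users matched, 15 hashes
    print(verify_password(salted["bob"], "FSa7Yago"))    # True
    print(round(crack_time_hours(128, 8, 350e9), 1))     # 2^56 guesses: about 57.2 hours
    print(round(crack_time_hours(95, 8, 350e9), 1))      # 95 printable ASCII: about 5.3 hours
```

Two things the numbers show. First, the salt multiplies the dictionary work by the number of users (15 hashes instead of 5 here) without making the login check any harder, which is exactly the slide's trade. Second, the slide's 5.5-hour figure does not follow from 128 choices per character (2^56 guesses at 350 billion per second is about 57 hours); it corresponds to the 95 printable ASCII characters of the Password12 result. In practice the other lever is to make Hash() itself slow (PBKDF2, bcrypt, scrypt or Argon2 rather than a single SHA-256), which raises the per-guess cost for the attacker far more than for the login server.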
What is Social Engineering?
• Manipulating a person into divulging confidential information
* Illustration source: http://bash.org/?244321
The Bottom Line
• Password cracking is too easy!
  - Users choose bad passwords
  - Social engineering attacks
  - Password cracking tools available online
• Password crackers
  - Password Portal
  - L0phtCrack and LC4 (Windows)
  - John the Ripper (Unix)
• The bad guy has all of the advantages
• Passwords are a big security problem

File Security
File Permissions
• Files must be protected from unauthorized reading and writing actions
• Data resides in files; protecting files protects data
• File permissions
  - Read, write, and execute privileges
  - In Windows, change permissions on the Security tab of a file's Properties dialog box
  - In Unix, three permission settings: owner; group to which the owner belongs; all other users; each setting consists of rwx (r for reading, w for writing, and x for executing)

Unix File Permissions
• chmod command used to change file permissions
• Example: chmod 644 filename

  owner  group  other
  r w x  r w x  r w x
  1 1 0  1 0 0  1 0 0
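An added example (not from the course) that decodes an octal mode such as the 644 in `chmod 644 filename` into the nine owner/group/other bits shown on the slide, converts between the octal and rwx forms, and applies a mode to a temporary file with the standard library's os.chmod and reads it back with os.stat, so the result can be checked rather than assumed:

```python
# Added example (not from the slides): decoding the octal mode of
# "chmod 644 filename" into the owner/group/other rwx triples of the slide,
# and applying it to a file with the standard library (os.chmod / os.stat).
import os
import stat
import tempfile

CLASSES = ("owner", "group", "other")


def mode_to_bits(mode: int) -> str:
    """The nine permission bits as a string, e.g. 0o644 -> '110100100'."""
    return format(stat.S_IMODE(mode) & 0o777, "09b")


def mode_to_rwx(mode: int) -> str:
    """The same bits as the familiar rwx string, e.g. 0o644 -> 'rw-r--r--'."""
    bits = mode_to_bits(mode)
    return "".join(flag if bit == "1" else "-"
                   for bit, flag in zip(bits, "rwxrwxrwx"))


def explain_mode(mode: int) -> dict:
    """Per-class breakdown: 0o644 -> {'owner': 'rw-', 'group': 'r--', 'other': 'r--'}."""
    rwx = mode_to_rwx(mode)
    return {cls: rwx[3 * i:3 * i + 3] for i, cls in enumerate(CLASSES)}


def rwx_to_mode(rwx: str) -> int:
    """Inverse: 'rw-r--r--' -> 0o644 (one octal digit per class)."""
    if len(rwx) != 9:
        raise ValueError("expected nine characters such as rw-r--r--")
    return int("".join("0" if ch == "-" else "1" for ch in rwx), 2)


def chmod_and_readback(path: str, mode: int) -> int:
    """Apply the mode as `chmod 644 filename` would, then read it back from
    the inode so the caller sees what the kernel actually stored."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo_chmod_644() -> str:
    """Create a temporary file, chmod 644 it, and return the read-back mode as rwx."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        path = tmp.name
    try:
        return mode_to_rwx(chmod_and_readback(path, 0o644))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(mode_to_bits(0o644), mode_to_rwx(0o644), explain_mode(0o644))
    print(demo_chmod_644())   # rw-r--r-- on a Unix file system
```

Reading the mode back after setting it is the habit worth keeping: on a non-Unix file system, or when a later process changes the file, the permissions you believe you set and the ones in effect can differ, and `os.stat` (or `ls -l`) is the only authoritative answer.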
A Brief History of Malware
Viruses, Trojans, Worms and Botnets

1982: The Elk Cloner Virus
• One of the first known viruses
• Written by 15-year-old high school student Rich Skrenta
• Spread by infecting the Apple operating system stored on floppy disks. If a computer booted from an infected floppy disk, a copy of the virus was placed in the computer's memory
• Displayed an awful poem once every 50 boot-up attempts
Background: What is a Virus?
• A virus is a small piece of software that piggybacks on real programs
  - For example, a virus might attach itself to a spreadsheet program
  - Each time the spreadsheet program runs, the virus runs too, and it has the chance to reproduce (by attaching to other programs)
• Often spreads by email attachment or Internet download
  - Disguised as funny images, audio, video, or software
• Reproduces when the infected program is launched
  - The viral code is executed as well
  - Searches for a file to infect
  - Checks if the file is already infected; if not, then infects it
  - Returns control to the host program
• Before it takes any action it reproduces itself

Background: File (Parasitic) Virus
[Figure: three program layouts from Start to End: an uninfected program; a prepended virus (the virus code runs first, then the program); an appended virus (a jump at Start to the virus code at End, which then returns to the program). Legend: virus code vs. program flow]
1988: The Morris Worm
• One of the first known worms
• Written by Robert Morris, graduate student at Cornell University
  - Later sentenced to three years of probation, 400 hours of community service, and $10,050 in fines
• It was created not to cause any disruption but to measure the size of the Internet by propagating itself across the network
• One side effect: it slowed computers (about 10% of the Internet) down to the point of being useless
• One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of the finger daemon:
  - Sent a special input string to the finger daemon
  - Caused it to execute code that created a new worm copy

Background: What is a Worm?
• A worm is a more dangerous evolution of viruses
  - self-propagating piece of malicious software (exploits vulnerabilities)
  - does not rely on user intervention (such as clicking on a link)
• It attacks vulnerable hosts, infects them, then uses them to attack other vulnerable hosts
• Main goal is to disrupt the network and deny access
• Not concerned about detection
Background: Worms vs. Viruses
• Viruses require interaction; worms act on their own
• Viruses use social attacks; worms use technical attacks

1989: The AIDS Trojan
• In 1989, a diskette proclaiming to be a database of AIDS information was mailed to thousands of AIDS researchers
• The diskettes contained Trojan software that rendered the computers useless
• To regain access, users would have to send $189 to PC Cyborg Corporation at a post office box in Panama
• The software was linked to an American doctor and AIDS researcher named Joseph Popp, who successfully invoked the insanity defense
Background: What is a Trojan?
• A Trojan horse is malware disguised as legitimate software
  - Like a virus, it installs itself when users click on a link or an attachment
  - Unlike a virus, a Trojan horse does not replicate
• Named after the wooden horse the Greeks used to infiltrate Troy
• Once installed, the Trojan can be controlled remotely by hackers to extract passwords and other sensitive information
• Can be used as a relay point to forward advertising spam, phishing e-mails and Trojan software to millions of other computers on the Internet

Background: What is Phishing?
• Phishing attempts to trick Internet users into divulging their personal information by masquerading as a trustworthy entity
  - For example, e-mails may contain the snazzy logos and the exact language used on the websites of respected financial institutions or electronic commerce retailers. These emails link to websites that look just like the real thing
• Here's an example of a phishing scam in an email
[Figure: screenshot of a phishing e-mail]
2000: The Web Denied
• The first and one of the biggest denial-of-service attacks to date
• Took down several high-profile Web sites, including Amazon, CNN and Yahoo!
• Carried out by Canadian hacker MafiaBoy (alias of Michael Calce)
• He later wrote a book about his experience that called for greater Internet security, claiming serious vulnerabilities still exist

Background: What is Denial-of-Service?
• Denial-of-Service (DoS) attacks (from a single computer) and Distributed Denial-of-Service (DDoS) attacks (from multiple computers) typically involve flooding a computer with more packets of data than it can process, effectively blocking any legitimate requests to access the system
2007: The Zeus Botnet
• A network of computers compromised via techniques such as phishing (tricking email recipients into clicking on links to software that infects computers)
• Designed to steal money from the owners of affected computers by capturing their keystrokes in order to steal banking information
• An international police investigation has led to the arrest of over 100 people in the US, the UK, and Ukraine
• The network might still be in operation despite the arrests

Background: What is a Botnet?
• A botnet is a large network of bots (compromised computers)
• Today, millions of PCs are under the control of hackers worldwide (25% of the Internet, according to Vint Cerf)
2010: Stuxnet
• 500-Kbyte Internet worm that infects Windows computers
• Looks for software controlling industrial control systems
• Believed to have been created to attack Iran's nuclear facilities
• First attack that allows hackers to manipulate real-world equipment (which makes it very dangerous)
• https://www.youtube.com/watch?v=7g0pi4J8auQ

2012: Flame
• Cyber espionage tool
  - Records audio, keystrokes, screenshots, Skype conversations, etc.
• Can spread via MS Update
  - Used a hash collision to create a fake certificate apparently signed by the Microsoft Certificate Authority
  - Malware digitally signed with the forged certificate
  - Used a man-in-the-middle attack to substitute a Windows patch with malware
Man-in-the-Middle Attack?
[Figure: man-in-the-middle attack diagram]

Trend: Exponential Increase in Threats
[Figure: chart] MOTIVATION: FINANCIAL GAIN FOR PROFESSIONAL DEVELOPERS

Start a Hacker Career (not!)
• https://www.youtube.com/watch?v=zFdxoLyOTLM, 3 mins
  - Buy Zeus crimeware toolkit and establish a website
  - Lure people to go to the site
  - Infect with malware
  - Propagate malware to other computers
  - Establish a botnet: a business for rent
  - Send SPAM by botnet: a business for rent