Introduction to ICT security (intro - oct'17)
© Antonio Lioy - Politecnico di Torino (2005-2017)
Introduction to the security of ICT systems
Antonio Lioy
< lioy @ polito.it >
Politecnico di Torino
Dip. Automatica e Informatica
Agenda
introduction to information security:
evolution of ICT systems and the security problem
problems and vocabulary of ICT security
technological attacks (sniffing, spoofing, …)
non-technological attacks (social engineering)
Why is security “hot” today?
Traditional paradigms
centralised information and processing
access to data from “dumb” terminals
“unicast” communication over dedicated lines
[figure: “dumb” terminals connected through a concentrator to the EDP center]
New paradigms
distributed information and processing
access from distributed intelligent terminals
“broadcast” communication and/or shared lines
new application paradigms (web, SMS, …)
[figure: distributed intelligent terminals connected through LAN and WAN]
Technology as innovation engine
[figure: innovation driven by the communication network and by personal devices (PC, tablet, …), with security alongside]
A definition of ICT security
It is the set of products, services, organization rules and individual behaviours that protect the ICT system of a company.
It has the duty to protect the resources from undesired access, guarantee the privacy of information, ensure the service operation and availability in case of unpredictable events (C.I.A. = Confidentiality, Integrity, Availability).
The objective is to guard the information with the same professionalism and attention as for the jewels and deposit certificates stored in a bank vault.
The ICT system is the safe of our most valuable information; ICT security is the equivalent of the locks, combinations and keys required to protect it.
[figure: risk estimation: events act on the assets of a service (ICT resources, human resources, location, data) through vulnerabilities and threats; the risk estimation combines the probability of an event with its impact]
Terms
ASSET = the set of goods, data and people needed for an IT service
VULNERABILITY = weakness of an asset
e.g. password equal to the login name; susceptible to flooding
THREAT = deliberate action / accidental event that can produce the loss of a security property exploiting a vulnerability
ATTACK = threat occurrence (deliberate action)
(NEGATIVE) EVENT = threat occurrence (accidental event)
Analysis and management of security
[figure: analysis covers asset, vulnerabilities, threats and risks; management covers selecting countermeasures, implementing countermeasures and audit]
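A worked example of the risk estimation and countermeasure selection sketched above, added here and not part of the original slides: the risk of each (asset, threat) pair is taken as probability × impact, and countermeasures are chosen greedily by exposure reduction per unit of cost within a budget. The register, the probabilities, impacts, costs and reduction factors are all constructed values.

```python
"""Risk estimation and countermeasure selection over a small, constructed
risk register (added example; not from the original slides)."""
from dataclasses import dataclass, field

@dataclass
class Risk:
    asset: str          # what can be damaged (data, service, people, ...)
    vulnerability: str  # weakness of the asset
    threat: str         # event that exploits the vulnerability
    probability: float  # estimated probability of the event per year (0..1)
    impact: float       # estimated loss if the event happens (currency units)

    def exposure(self) -> float:
        return self.probability * self.impact

@dataclass
class Countermeasure:
    name: str
    cost: float
    # probability reduction factor for each (asset, threat) pair it covers
    reductions: dict = field(default_factory=dict)

def rank_risks(register):
    """Sort risks by exposure (probability x impact), highest first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)

def residual_exposure(register, chosen):
    """Total exposure after applying the chosen countermeasures;
    several reductions on the same risk compound multiplicatively."""
    total = 0.0
    for r in register:
        p = r.probability
        for cm in chosen:
            p *= 1.0 - cm.reductions.get((r.asset, r.threat), 0.0)
        total += p * r.impact
    return total

def select_countermeasures(register, candidates, budget):
    """Greedy selection: repeatedly pick the countermeasure with the best
    exposure reduction per unit cost that still fits the remaining budget."""
    chosen, remaining, pool = [], budget, list(candidates)
    while pool:
        base = residual_exposure(register, chosen)
        best, best_ratio = None, 0.0
        for cm in pool:
            if cm.cost > remaining:
                continue
            gain = base - residual_exposure(register, chosen + [cm])
            ratio = gain / cm.cost if cm.cost > 0 else float("inf")
            if ratio > best_ratio:
                best, best_ratio = cm, ratio
        if best is None:
            break
        chosen.append(best)
        pool.remove(best)
        remaining -= best.cost
    return chosen

# constructed register and candidate countermeasures
REGISTER = [
    Risk("customer DB", "password equal to login name", "unauthorized access", 0.30, 200_000),
    Risk("web service", "no rate limiting", "flooding", 0.50, 40_000),
    Risk("laptop", "unencrypted disk", "theft", 0.10, 50_000),
]
CANDIDATES = [
    Countermeasure("password policy + MFA", 10_000, {("customer DB", "unauthorized access"): 0.9}),
    Countermeasure("traffic monitoring + oversizing", 15_000, {("web service", "flooding"): 0.6}),
    Countermeasure("full-disk encryption", 2_000, {("laptop", "theft"): 0.95}),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.asset:12} {r.threat:20} exposure={r.exposure():>10,.0f}")
    chosen = select_countermeasures(REGISTER, CANDIDATES, budget=20_000)
    print("chosen:", [c.name for c in chosen])
    print(f"residual exposure: {residual_exposure(REGISTER, chosen):,.0f}")
```

With the constructed numbers the greedy pass picks the MFA measure first (largest reduction per unit cost), then disk encryption; the monitoring measure no longer fits the remaining budget, so the flooding risk stays as the largest residual item, which is exactly what the audit step would then revisit.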
Security in the lifecycle of a system
[figure: security activities mapped onto the system lifecycle: requirements analysis (risk assessment; technical options, identify security products), design (integrate security, design security services), develop / implement (set-up security), test (test security), live system (manage security), with security policy & procedures across all phases]
Relations in the security field
[figure: relations among threats, vulnerabilities, assets, asset values and potential impacts, security risks, security requirements and security controls (exploit, reduce, devalue, underwrite)]
Window of exposure
[figure: risk versus time t, with the phases discovery, publication and protection]
new vulnerability discovered
vulnerability is made public (exploit!)
vendor informed of vulnerability
vendor notifies its customers (sometimes); security tools updated (e.g. IDS signatures)
a patch is published
patch is widely known
patch installed
State of the art: new attacks (malware)
WOE: average value for browser 2008-10
http://www.symantec.com/threatreport/topic.jsp?id=vulnerability_trends&aid=browser_window_of_exposure
WOE: web server (2010)
What is security?
Security is a process, not a product
(Bruce Schneier, Crypto-Gram, May 2005)
Computer Security: Will We Ever Learn?
If we've learned anything from the past couple of years, it’s that computer security flaws are inevitable. Systems break, vulnerabilities are reported in the press, and still many people put their faith in the next product, or the next upgrade, or the next patch. “This time it’s secure,” they say. So far, it hasn’t been.
Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products. The trick is to reduce your risk of exposure regardless of the products or patches.
European Central Bank
ECB Recommendations for the security of Internet payments (31/1/2013)
application to:
payment schemes governance authorities
payment service providers (PSP)
merchants (optional)
main recommendations:
protect the initiation of Internet payments, as well as access to sensitive payment data, by strong customer authentication
(continued)
European Central Bank
limit the number of log-in or authentication attempts, define rules for Internet payment services session “time out” and set time limits for the validity of authentication
establish transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions
implement multiple layers of security defences in order to mitigate identified risks
provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions
(abstract) security properties
authentication (simple / mutual)
peer authentication
data / origin authentication
authorization, access control
integrity
confidentiality, privacy, secrecy
non repudiation
availability
accountability
Peer authentication (single)
Barbara
Hi, I’m Alice
Prove it!
Peer authentication (mutual)
Barbara / Steal & Rob Ltd.
Is that my e-bank?
Sure! How can you doubt?
Hi, I’m Barbara
Hi Barbara, nice to meet you!
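The “Prove it!” exchange written out as challenge-response authentication with a shared secret, as an added example that is not part of the original slides. Each side sends a fresh random challenge and the other answers with an HMAC over the challenge and the two names, so the secret never crosses the wire, and a shadow server (“Steal & Rob Ltd.”) that does not hold the key fails the mutual check. Names, the key and the message layout are constructed for the demo.

```python
"""Challenge-response peer authentication with a shared secret (added example,
not from the slides). Names, key and message layout are constructed."""
import hmac, hashlib, secrets

class Party:
    """A peer holding a shared secret; it proves possession without revealing it."""
    def __init__(self, name, key):
        self.name, self.key = name, key

    def new_challenge(self):
        return secrets.token_bytes(16)   # fresh nonce: an old answer cannot be replayed

    def respond(self, challenge, verifier_name):
        # the answer binds responder name, verifier name and nonce, so an answer
        # computed for one direction cannot be reflected back in the other
        msg = b"|".join([self.name.encode(), verifier_name.encode(), challenge])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, challenge, claimed_name, response):
        msg = b"|".join([claimed_name.encode(), self.name.encode(), challenge])
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def mutual_authentication(client, server):
    """Returns (server trusts client, client trusts server)."""
    c1 = server.new_challenge()                     # server: "Prove it!"
    client_ok = server.verify(c1, client.name, client.respond(c1, server.name))
    c2 = client.new_challenge()                     # client: "Is that my e-bank?"
    server_ok = client.verify(c2, server.name, server.respond(c2, client.name))
    return client_ok, server_ok

KEY = b"constructed-shared-secret"
alice = Party("Alice", KEY)
bank = Party("Bank", KEY)
impostor = Party("Bank", b"constructed-wrong-key")   # shadow server claiming to be the bank

if __name__ == "__main__":
    print("Alice <-> Bank     :", mutual_authentication(alice, bank))
    print("Alice <-> impostor :", mutual_authentication(alice, impostor))
```

Binding both names into the answer is what stops an impostor from bouncing the client's own challenge back at her. It does not stop an impostor that relays challenges to the real bank in real time; that is the connection hijacking / MITM case, which needs the channel itself to be authenticated rather than just the peers.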
Data authentication
Increase by 30% the salary of Prof. Lioy
The Dean
Non repudiation
formal proof – acceptable by a court of justice – that gives undeniable evidence of the data creator
several facets:
(sender/author) authentication
integrity
(sender/author) identification
. . .
Non repudiation - example
let’s consider non-repudiation of an electronic signature:
syntax (is that your signature?)
semantics (did you understand what you were signing?)
will (have you signed voluntarily?)
identification (was really YOU the signer?)
time (when did you sign?)
place (where did you sign?)
Authorization (access control)
Barbara
Gimme Alice’s car!
Did she authorize you to borrow it?
Pyramid of security
[figure: pyramid whose layers are authentication, authorization, privacy, integrity, log, $$$]
Privacy (communication)
Do you know that Laura is NOT a natural blonde?
What a shame!
Laura
Bloody *?%$#”!
Privacy (data, actions, position)
black_money.xls
www.playboy.com
Torino, cell 2455
Integrity (data modification)
[figure: the message “Pay 1,000 Euro to Antonio Lioy” crosses the computer network and is delivered as “Pay 10,000 Euro to Antonio Lioy”]
Integrity (data filtering)
[figure: the messages “Transfer 2500 Euro from Antonio Lioy’s account to the Rolex’s one” and “Pay 1,000 EURO to Antonio Lioy.” are sent through the computer network; one of them is filtered out in transit]
Replay attack
[figure: the message “Pay 1,000 EURO to Antonio Lioy.” is sent once and delivered twice]
Where is the enemy?
outside our organization: boundary / perimeter defence (firewall)
outside our organization, with the exception of our partners: Extranet protection (VPN)
inside our organization: LAN / Intranet protection (?!)
everywhere! application-level protection, data protection
Attack origin (2016)
percentage of external / internal attacks:
internal 20%
external 80%
note: biased statistics due to the type of survey, the CSI/FBI one (last published on 2011) had more internal attacks
(from Verizon Data Breach Investigation Report 2016)
[figure: temporal evolution of the main attacks listed in the annual CSI/FBI survey]
Scoop of a Global Post reporter in the town between Pakistan and Afghanistan
US PCs sold at the Peshàwar market. Computers of the US army with restricted data sold for 650$ along the road where NATO troops are attacked by the Taliban. … Still full of classified information, such as names, sites, and weak points. (corriere.it, 9/2/09)
Stolen laptop / smartphone
not only an economic loss to replace the stolen device …
but also the loss of data that become unavailable (backup?) …
or the spreading of restricted information
Insecurity: the deep roots (I)
“Attack technology is developing in a open-source environment and is evolving rapidly”
“Defensive strategies are reactionary”
“Thousands - perhaps millions - of systems with weak security are connected to the Internet”
“The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrators … has decreased dramatically in the last 5 years”
Insecurity: the deep roots (II)
“Increasingly complex sw is being written by programmers who have no training in writing secure code”
“Attacks and attack tools transcend geography and national boundaries”
“The difficulty of criminal investigation of cybercrime coupled with the complexity of international law means that … prosecution of computer crime is unlikely”
from “Roadmap for defeating DDOS attacks” (Feb. 2000, after the Clinton meeting at the White House); updates on www.sans.org/dosstep/roadmap.php
Basic problems (technological)
the networks are insecure:
(most) communications are made in clear
LANs operate in broadcast
geographical connections are NOT made through end-to-end dedicated lines but:
through shared lines
through third-party routers
weak user authentication (normally password-based)
there is no server authentication
the software contains many bugs!
Some classes of attacks
IP spoofing / shadow server: someone takes the place of a (legitimate) host
packet sniffing: passwords and/or sensitive data are read by (unauthorized) third parties
connection hijacking / data spoofing: data inserted / modified during their transmission
denial-of-service (distributed DoS): the functionality of a service is limited or disrupted (e.g. ping bombing)
IP spoofing (masquerading)
forging the source network address
typically the level 3 (IP) address is forged, but it is equally easy to forge the level 2 address (e.g. ETH, TR, ...)
a better name would be source address spoofing
attacks:
data forging
(unauthorized) access to systems
countermeasures:
NEVER use address-based authentication
Packet sniffing (eavesdropping)
reading the packets addressed to another network node
easy to do in broadcast networks (e.g. LAN) or at the switching nodes (e.g. router, switch)
attacks:
allows to intercept anything (password, data, ...)
countermeasure:
non-broadcast networks (!?)
encryption of packet payload
Denial-of-service (DoS)
keeping a host busy so that it can’t provide its services
examples:
mail / log saturation
ping flooding (“ping bombing”)
SYN attack
attacks:
block the use of a system / service
countermeasures:
none!
monitoring and oversizing can mitigate the effects
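A small detection routine for the “monitoring” countermeasure, added here and not taken from the slides: it parses firewall-style log lines and raises one alert when a source reaches a packet-count threshold inside a sliding time window, which is how a ping flood shows up in traffic logs. The line format, the addresses, the window and the threshold are constructed assumptions.

```python
"""Flood detection over firewall-style log lines (added example, not from
the slides). Log format, addresses, window and threshold are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# constructed line format: "<ISO timestamp> <proto> src=<ip> dst=<ip> ..."
LINE = re.compile(r"^(\S+) (\S+) src=(\S+) dst=(\S+)")

def parse(line):
    """Return (timestamp, proto, src, dst) or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts, proto, src, dst = m.groups()
    return datetime.fromisoformat(ts), proto, src, dst

class FloodDetector:
    """Per-source sliding window: alert when a source reaches `threshold`
    packets within `window_s` seconds (fires once per crossing)."""
    def __init__(self, window_s=5, threshold=20):
        self.window = timedelta(seconds=window_s)
        self.threshold = threshold
        self.recent = defaultdict(deque)   # src -> timestamps still inside the window
        self.alerts = []                   # (src, proto, time of crossing)

    def feed(self, line):
        rec = parse(line)
        if rec is None:
            return
        ts, proto, src, _dst = rec
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that left the window
            q.popleft()
        if len(q) == self.threshold:
            self.alerts.append((src, proto, ts))

def constructed_log():
    """Three pings from a normal host, then a 50-packet ping flood in two seconds."""
    base = datetime(2017, 10, 1, 10, 0, 0)
    lines = []
    for i in range(3):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} ICMP src=192.0.2.7 dst=198.51.100.10 type=echo-request")
    for i in range(50):
        t = base + timedelta(milliseconds=40 * i)
        lines.append(f"{t.isoformat()} ICMP src=203.0.113.5 dst=198.51.100.10 type=echo-request")
    return lines

def run(lines, window_s=5, threshold=20):
    """Feed every line to a detector and return the alerts it raised."""
    det = FloodDetector(window_s, threshold)
    for line in lines:
        det.feed(line)
    return det.alerts

if __name__ == "__main__":
    for src, proto, ts in run(constructed_log()):
        print(f"ALERT {ts.isoformat()} {proto} flood from {src}")
```

The detector only sees what the log sees: with spoofed source addresses (previous slide) each forged source stays under the threshold, so in practice the same window logic is also run per destination or per link, which is where the “oversizing” part of the countermeasure comes in.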
Distributed denial-of-service (DDOS)
software for DoS installed on many nodes (named daemon, zombie or malbot) to create a Botnet
daemons remotely controlled by a master
C&C (command & control) infrastructure
C/S or P2P communications
encrypted or "covert" channels (e.g. UDP over ICMP)
auto-update capability
effect of the base DoS attack multiplied by the number of daemons
DDoS attack
[figure: the attacker controls several masters, each master controls several daemons, and the daemons attack the victim]
DDoS: improving the attack
use a "reflector"
to hide the attacker's tracks
to multiply the attackers (e.g. smurfing, fraggle)
use an amplification factor N:1
depends on the attack protocol used, look for a reflector server with |response| >> |request|
easy with datagram (e.g. ICMP, UDP) but possible also with stream under certain conditions (e.g. self-attack HTTP)
e.g. typical DNS amplification 70:1 but NTP amplification 20-200:1
Feb 8th 2000, 10.30am (PST) @ Yahoo Server Farm
“the initial flood of packets, which we later realized was in excess of 1G bits/sec, took down one of our routers …”
“… after the router recovered we lost all routing to our upstream ISP …”
“… it was somewhat difficult to tell what was going on, but at the very least we noticed lots of ICMP traffic …”
“… at 1.30pm we got basic routing back up and then realized that we were under a DDoS attack”
http://packetstorm.decepticons.org/distributed/yahoo.txt
The lawyer said ...
“There is a distinct probability that if your site has been hijacked for a denial of service attack, then you could be liable for damages. I would definitely advise clients they have grounds to sue.”
Nick Lockett, e-commerce lawyer at Sidley & Austin
“Be Secure or Be Sued”, Silicon.com, 16 Nov 2000
http://www.silicon.com/a40900
DDoS towards "Krebs on security" blog
27 September 2016
665 Gbps
botnet of IoT devices (or claiming to be such)
no use of reflectors or amplification factors, just millions of devices performing perfectly valid requests
blog protected by Akamai, but on 27/9 it gave up (double of its sustainable traffic) and decided to make the blog unreachable
unknown reason for the attack (perhaps connected to Krebs’ analysis of similar attacks against on-line game servers)
Shadow server
host that manages to show itself (to victims) as a service provider without having the right to do so
requires address spoofing and packet sniffing
shadow server must be faster than the real one, or the real one must be unable to respond (due to a failure or because it is under attack, e.g. DoS)
attacks:
issue wrong answers, thus providing a “wrong” service to victims instead of the real one
capture victim’s data provided to the wrong service
countermeasures:
server authentication
Connection hijacking / MITM
also named data spoofing
attacker takes control of a communication channel to insert, delete, or manipulate the traffic
logical or physical MITM (Man In The Middle)
attacks:
reading, insertion of false data, deletion or modification of data exchanged between two parties
countermeasure:
authentication, integrity and serialization of each single network packet
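The countermeasure “authentication, integrity and serialization of each single network packet” applied to the messages of the Integrity and Replay attack slides, as an added example that is not part of the original slides: every message carries a sequence number and an HMAC over number and payload, and the receiver rejects a modified amount (bad MAC), a second copy of a valid message (replay) and a jump in the sequence (a message filtered out in transit). The key and the messages are constructed.

```python
"""Per-message authentication, integrity and serialization (added example,
not from the slides). Key and messages are constructed."""
import hmac, hashlib, json

KEY = b"constructed-demo-key"   # shared by sender and receiver

def protect(seq, payload, key=KEY):
    """Sender side: serialize sequence number + payload and append a MAC over both."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.next_seq = 0       # the only sequence number accepted next
        self.accepted = []      # payloads that passed all checks

    def accept(self, msg):
        """Return None if accepted, otherwise the reason for rejection."""
        expected = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad MAC (modified or forged)"
        data = json.loads(msg["body"])
        if data["seq"] < self.next_seq:
            return "replay (sequence number already used)"
        if data["seq"] > self.next_seq:
            return "gap (a message was deleted or reordered)"
        self.next_seq += 1
        self.accepted.append(data["payload"])
        return None

def demo():
    """Replays the three attacks from the slides against one receiver."""
    rx = Receiver()
    m0 = protect(0, "Pay 1,000 Euro to Antonio Lioy")
    results = [rx.accept(m0)]                       # genuine message: accepted
    results.append(rx.accept(m0))                   # replay attack: valid MAC, old seq
    m1 = protect(1, "Pay 1,000 Euro to Antonio Lioy")
    forged = {"body": m1["body"].replace(b"1,000", b"10,000"), "tag": m1["tag"]}
    results.append(rx.accept(forged))               # data modification: MAC mismatch
    results.append(rx.accept(m1))                   # the untouched message is fine
    protect(2, "Transfer 2,500 Euro from Antonio Lioy's account")   # filtered out in transit
    results.append(rx.accept(protect(3, "Pay 1,000 Euro to Antonio Lioy")))  # gap detected
    return results, rx.accepted

if __name__ == "__main__":
    for r in demo()[0]:
        print("accepted" if r is None else "rejected: " + r)
```

A strict “next sequence number only” policy is what a stream protocol can afford; datagram protocols usually keep a window of recently seen numbers instead, so that reordering is tolerated while a repeat is still rejected. The MAC gives authentication and integrity; the sequence number alone gives neither, since without the MAC an attacker could simply renumber the replayed copy.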
Trojan / MITB
Trojan (horse)
MITB = man-in-the-browser
network channels more protected …
… but user terminals less protected
Smartphone, smart-TV, …
IoT (Internet-of-Things)
"ignorant" users
classic attack tools (e.g. keylogger as part of a game) and modern ones (e.g. browser extension)
Zeus
also known as Zbot
currently a major malware + botnet
discovered (born?) in 2007, sold (?) in 2010
can be used:
directly (e.g. MITB for keylogging or form grabbing)
indirectly, to load other malware (e.g. the CryptoLocker ransomware)
very difficult to discover and remove
hides itself with stealth techniques
about 3.6 M active copies just in the USA
Software bug
even the best software (either off-the-shelf or custom) contains bugs that can be used for various aims
easiest exploit: DoS
example: WinNT server (3.51, 4.0)
telnet to TCP port 135
send 10 random characters, then CR
server unavailable! (CPU load at 100% even though no useful work is done)
solution: install SP3
Some typical application-level problems
buffer overflow
allows the execution of arbitrary code injected through a specially crafted input
store sensitive information in cookies
readable by third parties (in transit or locally on the client)
store passwords in clear in a DB
readable by third parties (e.g. backup operator)
“invent” a protection system
risk of inadequate protection
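The “store passwords in clear in a DB” problem beside its corrected form, as an added example that is not from the slides: a plaintext record versus a per-user random salt with PBKDF2-HMAC-SHA256 from the Python standard library, plus the one-line check for the “password equal to the login name” vulnerability mentioned on the Terms slide. The iteration count and the sample values are constructed choices.

```python
"""Password storage: plaintext vs salted iterated hash (added example, not
from the slides). Iteration count and sample values are constructed."""
import hashlib, hmac, os

ITERATIONS = 200_000   # constructed choice; tune to the server's CPU budget

def store_plaintext(password):
    """The weak setting: the stored record is the secret itself."""
    return {"pwd": password}

def store_hashed(password, iterations=ITERATIONS):
    """The corrected setting: per-user random salt + PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iter": iterations, "hash": digest.hex()}

def verify_hashed(record, password):
    """Recompute with the stored salt and parameters; constant-time compare."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def leaks_password(record):
    """What a backup operator reading the DB learns: is the password itself there?"""
    return "pwd" in record

def weak_choice(login, password):
    """The 'password equal to the login name' vulnerability from the Terms slide."""
    return password.lower() == login.lower()

if __name__ == "__main__":
    rec = store_hashed("correct horse battery")
    print("stored record:", rec)
    print("login ok:", verify_hashed(rec, "correct horse battery"))
    print("wrong pwd:", verify_hashed(rec, "Tr0ub4dor&3"))
    print("weak choice:", weak_choice("lioy", "Lioy"))
```

Because the salt is random per user, two users with the same password get different records, so a stolen table cannot be attacked with one precomputed lookup; the iteration count is what makes each guess expensive for whoever has the backup. Storing the parameters next to the hash is what lets the count be raised later without locking existing users out.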
Virus & Co. (malware)
virus
damages the target and replicates itself
propagated by humans (involuntarily)
worm
damages the target because it replicates itself (resource saturation)
automatic propagation
Trojan (horse) = malware vector
backdoor = unauthorized access point
rootkit = privileged access tools, hidden (modified program, library, driver, kernel module, hypervisor) and stealth
Virus and worm (malware)
requires complicity (may be involuntary) from:
the user (gratis, free, urgent, important, …)
the sys manager (wrong configuration)
the producer (automatic execution, trusted, …)
countermeasures:
user awareness
correct configuration / secure sw
install antivirus (and keep updated!)
Malware food chain
[figure: business opportunity (vulnerability) → malicious code / vulnerability marketplace → malware toolkit market → malware distributors (spam, web, …) → victim; with a “hall of fame” of malware]
Zeus
source: http://en.wikipedia.org/wiki/File:FBI_Fraud_Scheme_Zeus_Trojan.jpg
Ransomware
ransomware = malware oriented to get a ransom
on desktop and laptop (disk content made unreadable) …
… but also for tablet and smartphone (made unusable)
unblocked (not always) after paying a certain amount of money
Ransomware-as-a-service
TOX malware (server in the TOR anonymous network)
ask for the ransom and handles the payment (with a 20% service fee)
the "customer" has only the task to distribute it to the victims
fast growth (1000 customers/week, 100 infections/hour)
Ransomware: not only technology but also procedures and organization
encrypted data? no problem, I have a backup!
how old is the backup?
the case of the TV archive …
off-line or network backup?
the case of the digital dentist …
verified or "trusted" backup?
the silent ransomware …
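A worked version of the “verified backup” question, added here and not part of the slides: a checksum manifest taken at backup time is checked again later, a file whose hash changed and whose byte entropy jumped is reported as possibly encrypted (the silent ransomware case), and a missing file is reported as such. The files are constructed inside a temporary directory.

```python
"""Verified backups with a checksum manifest (added example, not from the
slides). Files are constructed inside a temporary directory."""
import hashlib, math, os, tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def byte_entropy(path):
    """Shannon entropy in bits per byte; encrypted data sits close to 8."""
    data = Path(path).read_bytes()
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def build_manifest(root):
    """Taken at backup time: hash and entropy of every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): {"sha256": sha256_of(p), "entropy": round(byte_entropy(p), 3)}
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root, manifest, entropy_jump=2.0):
    """Return (file, problem) for files missing, changed, or changed with a
    sharp entropy rise (the signature of a silently encrypting ransomware)."""
    root = Path(root)
    problems = []
    for rel, rec in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
        elif sha256_of(p) != rec["sha256"]:
            why = "modified"
            if byte_entropy(p) - rec["entropy"] > entropy_jump:
                why = "modified, high entropy (encrypted?)"
            problems.append((rel, why))
    return problems

def demo():
    """Build a backup, verify it, then damage it the way a silent ransomware would."""
    with tempfile.TemporaryDirectory() as d:
        docs = Path(d) / "docs"
        docs.mkdir()
        (docs / "a.txt").write_text("quarterly report " * 200)
        (docs / "b.txt").write_text("meeting notes " * 200)
        manifest = build_manifest(docs)
        clean = verify_backup(docs, manifest)
        (docs / "a.txt").write_bytes(os.urandom(3400))   # encrypted in place
        (docs / "b.txt").unlink()                        # deleted
        return clean, verify_backup(docs, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest is only worth something if it is kept where the ransomware cannot rewrite it (off-line, or on a medium the backup job can write but not modify), which is the point of the “off-line or network backup?” question above; the entropy test is a heuristic, since legitimately compressed or encrypted files are high-entropy from the start, which is why the manifest records the baseline per file.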
Technology and human beings
http://jklossner.com/computerworld/images/security26.gif
Basic problems (non technological)
low problem understanding (awareness)
mistakes of human beings (especially when overloaded, stressed, …)
human beings have a natural tendency to trust
complex interfaces / architectures can mislead the user and originate erroneous behaviours
performance decrease due to the application of security measures
…
Social engineering
requires the (involuntary) participation of the user in the attack
usually naive users are targeted (e.g. “do change immediately your password with the following one, because your PC is under attack”) ...
… but experienced users are targeted too (e.g. by copying an authentic mail but changing its attachment or URL)
via mail, phone or even paper
Social engineering: examples
phishing (~ fishing):
“dear Internet banking user, please fill in the attached form and return it to us ASAP according to the privacy law 675 …”
psychological pressure:
“help me, otherwise I’ll be in trouble …”
“do it, or I’ll report it to your boss …”
showing acquaintance with the company’s procedures, habits and personnel helps in gaining trust and makes the target lower his defences
Fake mail / IM
it's easy to create false mail messages
… but it's difficult to use the correct tone
… it's better to use the original mail with a different attachment
… but also to create false SMS or IM
false cash withdrawal warning
false kidnapping alarm!
(Repubblica, 30/9/2017)
Mr. Confindustria in Brussels swindled by a hacker: 500 thousand euro lost. Fired.
“Move half a million to this foreign account right away”. But the mail came from a hacker. And the money has vanished. The fake order signed by director Panucci: “Do it and don’t call me, I’m away with the president”.
A mail from CIA …
From: [email protected]
Date: Tue, 22 Nov 2005 17:51:14 UTC
X-Original-Message-ID: <[email protected]>
Subject: You_visit_illegal_websites
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important: Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
the attachment is the SOBER worm!
Phishing
using mail or IM to attract a network service user to a fake server (shadow server) for:
acquiring her authentication credentials or other personal information
persuading her to install a plugin or extension which actually is a virus or a Trojan
specialized variants:
spear phishing (include several personal data to disguise the fake message as a good one, e.g. mail address, name of Dept/Office, phone no.)
whaling (targeted to VIP such as CEO or CIO, e.g. the 20,000 hit on April 08 that then installed a Trojan related to the servers of Piradius)
Pharming
term of controversial use
set of several techniques to re-direct a user towards a shadow server
changing the "hosts" file at the client
changing the nameserver pointers at the client
changing the nameservers at a DHCP server (e.g. an ADSL / wireless router)
poisoning the cache of a nameserver
via:
direct attack (vulnerability or misconfiguration)
indirect attack (virus or worm)
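A defender’s check for the first pharming technique listed above, changing the client’s hosts file, added here and not taken from the slides: it parses hosts-file text and flags entries that override names the organisation expects to resolve only through DNS, or that pin any other non-local name to an address. The hosts content, the watched names and the internal suffix are constructed assumptions.

```python
"""Hosts-file check against pharming (added example, not from the slides).
Hosts text, watched names and the internal suffix are constructed."""
import ipaddress

# public names that must only be resolved through DNS (constructed list)
WATCHED = {"bank.example", "www.bank.example", "mail.example"}
# names a client may legitimately pin (loopback conventions, internal zone)
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback",
               "ip6-allnodes", "ip6-allrouters", "broadcasthost"}
INTERNAL_SUFFIX = ".corp.example"

def parse_hosts(text):
    """Yield (ip_address, name) pairs, skipping comments, blanks and bad lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue          # not an address: malformed line, ignore
        for name in parts[1:]:
            yield ip, name.lower()

def suspicious_entries(text, watched=WATCHED):
    """Return (name, address, reason) for entries that look like pharming."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched:
            findings.append((name, str(ip), "watched name overridden in hosts file"))
        elif name in LOCAL_NAMES or name.endswith(INTERNAL_SUFFIX) or ip.is_loopback:
            continue          # expected local pinning
        else:
            findings.append((name, str(ip), "unexpected name pinned in hosts file"))
    return findings

# constructed hosts file: the last two lines were injected by a pharming attack
HOSTS = """\
127.0.0.1    localhost
::1          localhost ip6-localhost ip6-loopback
10.0.0.5     intranet.corp.example            # legitimate internal name
203.0.113.9  www.bank.example bank.example    # injected: points to a shadow server
198.51.100.3 update.vendor.example            # injected: not a local name
"""

if __name__ == "__main__":
    for name, addr, why in suspicious_entries(HOSTS):
        print(f"{name:24} -> {addr:14} {why}")
```

The same check belongs in an endpoint baseline (run it on every client and compare against a known-good copy), since a pharming change is silent for the user: the browser still shows the right name, only the address behind it differs. The other techniques on the slide (nameserver pointers, DHCP-supplied resolvers, cache poisoning) need the equivalent comparison at the resolver configuration and at the DNS server, not in this file.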
Social engineering techniques
(74%) solicitation / bribery
(44%) pretexting
(16%) counterfeiting / forgery
(11%) *ing
(4%) hoax / scam
(4%) influence tactics
(3%) extortion / blackmail
Note: percentage of use in social engineering attacks according to the Verizon/USSS 2011 survey.
Social engineering channels
(78%) in-person
(14%) documents
(10%) e-mail
(6%) web / Internet
(5%) phone
(4%) SMS / texting
Note:
percentage of use in social engineering attacks according to the Verizon/USSS 2011 survey
new techniques are under development for the future …
Report Verizon DBIR 2014
nine main categories:
POS (point-of-sale) intrusions
web app attacks
insider and privilege misuse
physical theft and loss
miscellaneous errors
crimeware
payment card skimmers
DoS attacks
cyber-espionage
http://www.verizonenterprise.com/DBIR/2014/
Report Verizon DBIR 2014
incident
a security event that compromises the integrity, confidentiality, or availability of an information asset
(data) breach
an incident that results in the disclosure or potential exposure of data
(data) disclosure
a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party
Report Verizon DBIR 2014 (fig.16)
Report Verizon DBIR 2016: DDoS attacks
year   bandwidth (average)   packets (average)
2011   4.7 Gbps              0.4 Mpps
2012   7.0 Gbps              2.6 Mpps
2013   10.0 Gbps             7.8 Mpps
2014   15-59 Gbps            3-15 Mpps
2015   5.5 Gbps              1.9 Mpps
T.J.Maxx attack (2007)
45 M credit/debit card numbers stolen
in a period of 18 months (up to January 2007)
a 10 M USD legal class action started by 300 banks (e.g. Massachusetts Bankers Association, Maine and Connecticut Associated Banks)
attack succeeded due to use of WEP rather than WPA
attack performed by 10 people (3 USA, 3 UKR, 2 CHN, 1 BEL, 1 EST + "Delpiero")
one ex-cracker hired by the US secret service
blog.wired.com/27bstroke6/2008/08/11-charged-in-m.html
www.wired.com/politics/law/news/2007/06/secret_service#
Phishing via Transformers3 (apr 2010)
Andersen Air Force Base (Guam island)
ORE (Operational Readiness Exercise)
phishing message
“the movie Transformers-3 will be filmed on Guam”
“looking for 20 airmen to be part of the movie”
application required disclosing sensitive information
event leaked on the web because one airman disclosed it on a Transformers fans’ blog
journalists called to confirm movie location
www.networkworld.com/news/2010/043010-us-air-force-phishing-test.html
Stuxnet (2010)
prototype of a new kind of attack
worm + virus for Windows
attempt to propagate to other systems
attempt to damage the SCADA systems (of a specific manufacturer) attached to the infected nodes
malware for cyberphysical systems
attack and propagation vectors:
1 known vulnerability (patch available)
1 known vulnerability (no patch)
2 “zero-day” vulnerabilities
Stuxnet: timing and location
17/6/10 first encounter
24/6/10 noted use of a digital signature certificate
revoked on 17/7/10
… then a second certificate appears!
14-15-16/7/10 security advisories by CERT and MS
gradual release of various patches until October’10
self-stopped its propagation on 24/6/2012
geographic location:
52% Iran
17% Indonesia
11% India
Stuxnet: mechanisms
distribution and propagation:
USB key
shared disks (network share)
MS-RPC and MS-spool bugs
likely first infection vector a USB key of a maintenance technician
disguised as a driver
with a digital signature validated by Microsoft!!!
uses two different certificates
access from the infected node to the back-end DB thanks to a shared default pwd on every node
Stuxnet: lessons learnt
systems protected with physical separation (air gap) ... but without other standard protections:
no anti-virus
no patch
no firewall
unnecessary services active:
MS-RPC
shared network print queues
shared network disks
no validation list for the software to be installed
Stuxnet's brothers
same development platform (Tilded)
Duqu (sep'11)
not a worm or virus
gathers and sends system info for attack preparation (reconnaissance & intelligence)
Flame (may'12)
system spyware (may record network traffic, audio, video, keyboard)
spreads via USB or network, no physical damage
backdoor (remote configuration and update)
active for two years before its recognition
Sauron – one malware to rule them all
disclosed on August 2016 but active since 2011
Strider group
Remsec malware = stealthy backdoor + logger
selective targets (e.g. individuals in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium) only 36 infections since 2011
Loader + LUA modules (net loader, host loader, keylogger, net listener, basic/advanced pipe and HTTP back-door)
can also collect data from air-gapped computers and export them to Internet-connected nodes via hidden file system on approved USB keys
The three pillars of security
0. Planning (security policy, …)
1. Avoidance (FW, VPN, PKI, …)
2. Detection (IDS, monitor, …)
3. Investigation (forensic analysis, internal audit, …)
Hacker & C.
wannabe lamer
script kiddie
cracker
hacker
Hacker (I)
hacker: /n./ [originally, someone who makes furniture with an axe]
1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
2. One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming.
3. A person capable of appreciating {hack value}.
4. A person who is good at programming quickly.
Hacker (II)
5. An expert at a particular program, or one who frequently does work using it or on it; as in “a Unix hacker”. (Definitions 1 through 5 are correlated, and people who fit them congregate.)
6. An expert or enthusiast of any kind. One might be an astronomy hacker, for example.
7. One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.
8. [deprecated] A malicious meddler who tries to discover sensitive information by poking around. Hence “password hacker”, “network hacker”. The correct term for this sense is {cracker}.
Cracker
cracker: /n./ One who breaks security on a system. Coined ca. 1985 by hackers in defense against journalistic misuse of {hacker} (q.v., sense 8). An earlier attempt to establish “worm” in this sense around 1981-82 on Usenet was largely a failure.
Kevin Siers, NC, USA (cartoon from the Charlotte Observer)