
ELG / CSI / SEG 2911

Professional Practice
Pratique professionnelle

TOPIC 8
Computer Crime and Security

Some of the material in these slides is derived from slides produced by Sara Baase,
the author of the “Gift of Fire” textbook, and also from other professors who have taught
this course, including Stan Matwin and Liam Peyton
Criminal acts using Computers:
Hacking vs. Attacking vs. other Crimes
Hacking
• Currently most widely used definition is:
—To gain illegal or unauthorized access to a file,
computer, or network
• Attacking is often used synonymously

Other computer crimes

• More general than hacking or attacking
• Includes also people with authorized access doing
unauthorized actions
—E.g. an employee with access to accounts
transferring funds into his or her bank account

EECS2911 - Lethbridge 2
Hacking

The term ‘Hacking’ has changed over time

Phase 1: early 1960s to 1970s

• A mostly positive term
—A creative programmer who wrote elegant or clever
code
—A "hack" was an especially clever piece of code
—Some still prefer to use this terminology today and
refer to others as ‘crackers’
—Later in this phase, hacking began to relate to code
that wasn’t designed to be maintainable
- Lack of engineering discipline
- A hack became a quick fix

Hacking (cont.)

Phase 2: 1970s to mid 1990s

• Hacking took on criminal connotations
• Revised consensus definition:
—Breaking into computers for which the hacker does
not have authorized access
• Still primarily individuals
• Includes the spreading of computer worms and viruses
and ‘phone phreaking’
• Companies began using hackers to analyze and improve
security

Hacking (cont.)

Phase 3: beginning with the mid 1990s

• The growth of the Web changed hacking
—viruses and worms could be spread rapidly
• Political hacking (Hacktivism) surfaced
• Denial-of-service (DoS) attacks used to shut down Web
sites
• Strongly suspected government-supported hacking
• Industrial espionage
• Large scale theft of personal and financial information

Black Hat vs. White Hat Hackers

Black hat
• Those who hack to commit crimes

White hat
• Work to test defenses
• Break in to see if it is possible, at the request of target
• One type of security consultant

Script kiddie
• Criminals that use programs written by hackers, with little skill

Grey hat
• Mostly white hat, but acknowledges some hacktivism

Hacktivism, or Political Hacking
Use of hacking to promote a political cause

Disagreement about
• Whether it is a form of civil disobedience
• How (whether) it should be punished

Some use the appearance of hacktivism to hide other criminal
activities

Discussion question
• How do you determine whether something is legitimate hacktivism
or simple vandalism?

DEF CON

The main hacker conference
• http://www.defcon.org/

Lots of discussion of hacking techniques
• Ostensibly for white hats, security companies, etc.
• But everybody knows the black hats come too
• As does law enforcement, software makers etc.

Typical Attack Methods
for Initial Break-in
Vulnerability exploits
• Makes use of code that scans for and/or makes use of a known
vulnerability, typically to run malicious code
• Programming errors that lead to vulnerabilities discussed later
Password cracking
• Running programs that try to guess or decrypt passwords
Packet sniffing
• Seeking passwords or other data on the open internet
Pharming and DNS poisoning
• Getting routers or computers to lead people to the wrong place when
an Internet address is specified
Social engineering
• Tricking people to reveal passwords, clues to passwords or
information to establish a false identity
• E.g. phishing (also used without hacking for simple fraud)

Typical Actions By Hackers
After Breaking In
Adding a payload
• Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.

Theft of data
• For sale, use in fraud or spying
• Emails, credit cards, transaction records, identity records, corporate
or military secrets

Vandalism and corruption
• Making a system not appear or behave as it should
• Setting up spoofing
—Redirecting legitimate users to an illegitimate place
• Setting up for other future hacks

Typical Actions By Hackers
After Breaking In (continued)
Executing illegitimate transactions
• E.g. Transferring funds to the hacker’s offshore account

Taking control of a device or system
• E.g. potentially damaging a power plant

Impersonating others
• Acting as if they are a legitimate user

Denial of service
• Overloading network or computational resources so legitimate users
can’t use the system

Criminal Actions can Also Be Performed by
Legitimate Users Without Hacking
Any of the actions on the previous two slides
• Embezzlement by executing illegitimate transactions

Overstepping authority
• Can be accidental or on purpose
• E.g. authorizing one’s own travel expenses
• E.g. granting oneself a pilot’s license

Motivations of Attackers
Financial gain
• E.g. Hacking into bank accounts
• E.g. Theft of identities that can be sold

Achieving personal objectives
• E.g. Granting oneself a pilot’s license
• E.g. Building a collection of pirated movies

Fun, entertainment, challenge or bragging rights


Revenge / anger / hatred

Political / military
• Private, radical group or state sponsored

Some Thoughts on Attack Frequency
A significant proportion of successful attacks are by
‘insiders’
• E.g. employees committing fraud
• Physical security can be breached
—Watching password entry over-the-shoulder, reading
written passwords, accessing the physical disk or
RAM, bypassing the network
Much attacking today is automated: Botnets
Attackers may try millions of random attacks until they
find a ‘weak link’
• They will only keep attacking one target if it is
extremely valuable

Some Methods of Catching Hackers

Law enforcement agents
• Read hacker newsletters
• Participate in chat rooms, newsgroups, blogs etc.
undercover
—Track a hacker’s “handle”

Set up and study ‘honeypots’
• Fake sites or userids that look real and attract hackers

Use computer forensics
• Retrieve evidence from computers
—E.g. logs, caches, old hard disks

Penalties for Hackers
Many young hackers have matured and gone on to
productive and responsible careers

Temptation to over- or under-punish

Sentencing depends on intent and damage done

Most young hackers receive probation, community
service, and/or fines

Hacking
Discussion Questions
Is hacking that does no direct damage or theft a
victimless crime?

Do you think hiring former hackers to enhance security
is a good idea or a bad idea?
• Why or why not?

Defense Against Attacks: Security
Internet started with open access as a means of sharing
information for research

Attitudes about security were slow to catch up with the
risks

Security is often playing catch-up to hackers as new
vulnerabilities are discovered and exploited

Responsibility for Security

• Developers
—Responsibility to develop with security as a goal
• Businesses
—Responsibility to use security tools and monitor their
systems to prevent attacks from succeeding
• Consumers
—Responsibility to ask questions and educate
themselves on the tools to maintain security
- Using personal firewalls, anti-virus and anti-spyware
- Refraining from visiting questionable sites or downloading
questionable content
- Controlling access by children and guests

Developing Secure Systems:
A combination of factors
Dependability
• The system runs as intended under all circumstances,
even when under attack

Trustworthiness
• The system contains no vulnerabilities that can be
exploited by an attacker

Survivability
• The system protects itself from attacks actively
• Recovers from attacks, that it wasn’t able to resist or
tolerate, as quickly as possible and with as little damage
as possible
Systems thinking

A system is only as secure as its weakest link
• Can be the
—Operating system
—Reused components
—Network
—Humans
—Paper records
—Hardware

So analyse every possible aspect of the system for its
impact on security

Techniques and Technologies for Security
We will discuss each of these
• Using knowledge of attacker’s motivation and methods
• Physical security
• Firewalls
• Cryptography
• Passwords
• Biometrics
• Hardware security devices
• Concealing sensitive information
• Monitoring for suspicious activity
• Applying the principle of least privilege
• Making security usable
• Proper retention and disposition policy
• Securing the IT Infrastructure
• Backing up security using multiple methods
• Avoiding certain programming errors

Using Knowledge of Attacker Motivation and
Methods
The more ‘benefit’ there is for the attacker, the more capable an
attacker you should expect
• So invest more in security when the stakes are higher

Increase the expense of attacking
• E.g. ensure it takes more time by using more bits in
cryptographic keys

Using Knowledge of Attacker Motivation and
Methods (continued)
Increase attacker uncertainty
• Hide and randomize names and locations of resources
—Obfuscation
• Avoid clear feedback that could give clues to an attacker
about whether they are succeeding or not
• Use honeypots
—Targets that take work to attack, look as though they
have valuables, but are fake

Isolate from network if possible, or make invisible on
network

Physical Security

Protect people from sitting down at or near computers
to try attacks
• Keep doors and filing cabinets locked
• Chain computers securely to desk
• Track entry and exit of personnel using ID cards
• Employ security personnel and video surveillance
• Ensure everybody knows each other
• Maintain a clean-desk policy
• Use shields for password/pin entry
• Be careful about radio-frequency signal interception

Firewalls
Used to monitor and filter out communication from
• Untrusted sites
• Those that fit a profile of suspicious activity

Cryptography and Passwords
Both require knowledge of a secret to access a system or
data

If a password is not also encrypted, it is useless since
hackers can see the password in transmission

Major mistake:
• Sending a password in email in ‘plain-text’

Cryptography
Beware: cryptography is only one tool in security
• Some people assume it is the only or main tool

Private key cryptography
• Sender and recipient know the secret key and algorithm

Public key cryptography
• You encrypt using the public key published by the recipient
• The result can only be decrypted using a mathematically related
private key
• Cracking relies on factoring extraordinarily large numbers
—Infeasible to do this quickly, although it often can be done
—The more ‘bits’ in the key, the more computer power needed

Attacks on cryptographically- or password-protected systems - 1
On-line
• If the key is related to a human-created non-random
password, then try common password choices
—Dictionary words (“dictionary attacks”)
—Passwords the user has used on other systems

Off-line
• Getting a sample of the data and using a dedicated
computer to algorithmically try combinations
• For a random password and good algorithms, an attack
has to be exhaustive, making it very hard
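As an added illustration (not part of the original slides) of why good storage choices push the off-line attacker into exhaustive, per-account work: the Python below, using only the standard library, stores passwords with a random per-user salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256), then contrasts the attacker's cost against unsalted fast hashes. The user names, word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

# PBKDF2 work factor; a constructed value for the example (tune to your hardware in production).
ITERATIONS = 50_000

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'iterations$salt_hex$digest_hex' for storage, with a fresh random salt per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(password, stored):
    """Recompute with the stored salt and cost; constant-time compare avoids a timing side channel."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def unsalted_hash(password):
    """The weak alternative: one fast hash, no salt, so identical passwords hash identically."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Constructed stand-in for an attacker's word list.
DICTIONARY = ["password", "letmein", "qwerty", "hunter2", "welcome1"]

def precomputed_table_hits(stored_hashes):
    """Unsalted storage: one precomputed table (hash -> word) is matched against every account at once."""
    table = {unsalted_hash(word): word for word in DICTIONARY}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}

def per_account_work(stored_records):
    """Salted storage: every guess must be derived again per account, with that account's salt and cost.
    Returns (hits, number_of_derivations) so the cost of the two schemes can be compared."""
    hits, derivations = {}, 0
    for user, stored in stored_records.items():
        for word in DICTIONARY:
            derivations += 1
            if verify_password(word, stored):
                hits[user] = word
                break
    return hits, derivations
```

With the unsalted scheme a single precomputed table of dictionary hashes matches every account at once; with salted PBKDF2 each guess has to be derived separately for every account, and the iteration count sets how expensive each derivation is, which is what makes a truly random password effectively unbreakable off-line.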

Attacks on cryptographically- or password-protected systems - 2
As we discussed: Social engineering

Weak password-resetting protocols
• E.g. resetting password requires only access to an email
account, or simple identity information

Man-in-the-middle
• Inserting software that will relay cryptographic keys
before they are used

Keystroke logging

Attacks on cryptographically- or password-protected systems - 3
There are many hacker tools available on the Internet
• E.g. for doing dictionary attacks
• Try these against your own system to see how secure it
will be

Secure Passwords
Note that a password is rarely as secure as the number of
bits in a cryptographic key
• Not as long
• Not as random

Nevertheless encourage / require users to use
• Longer passwords (8+ characters)
• Combination of character types
—Lower/upper case, numbers, special characters
• Minimal duplicate characters
• No numbers at the end
• No password similar to a recently used password
• Not containing dictionary words
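The rules above, implemented as a checker; this is an added example, not something from the slides. Where the slide is vague the thresholds are assumptions: ‘combination of character types’ is read as at least three of the four classes, ‘minimal duplicate characters’ as no character appearing more than twice, and ‘similar to a recently used password’ as a difflib similarity ratio of 0.8 or more. The word list is a constructed stand-in for a real dictionary.

```python
import difflib
import string

# Constructed mini dictionary; a real deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "summer"}

def check_password(candidate, recent=(), dictionary=DICTIONARY_WORDS):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation for c in candidate),
    ]
    if sum(classes) < 3:   # assumption: 'combination of character types' = three of four classes
        problems.append("needs at least three of: lower case, upper case, digits, special characters")
    counts = {}
    for c in candidate.lower():
        counts[c] = counts.get(c, 0) + 1
    if any(n > 2 for n in counts.values()):   # assumption: 'minimal duplicates' = no char more than twice
        problems.append("a character is repeated more than twice")
    if candidate and candidate[-1].isdigit():
        problems.append("ends with a digit")
    lowered = candidate.lower()
    if any(word in lowered for word in dictionary if len(word) >= 4):
        problems.append("contains a dictionary word")
    for old in recent:
        # assumption: 80% similarity by difflib counts as 'similar to a recently used password'
        if difflib.SequenceMatcher(None, lowered, old.lower()).ratio() >= 0.8:
            problems.append("too similar to a recently used password")
            break
    return problems
```

Returning every violation at once, rather than stopping at the first, lets the user fix the password in one attempt, which is part of keeping a strict policy usable.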

Top Hat Monocle Question

Cryptography

Biometrics
Biological characteristics unique to an individual
• Cannot readily be stolen

Various types based on recognition of
• Fingerprint
• Iris
• Palm pattern
• Face
• Voice
• Signature

All have some risk of false positive and false negative
• Should be backed up by other schemes for critical applications

Hardware Devices for Security

Typical devices: Smart cards or ‘USB Dongles’
—Physical presence of device lends credence to
authenticity
—But they can be stolen or forged, so they should not
be fully relied on

Risks from devices
• E.g. USB keys or disks that harbor viruses

Concealing Sensitive Information

Use whatever methods possible to avoid exposing data
that can be used by hackers
• Do not print a full credit card number and expiration
date on receipts
• Use trusted payment services like PayPal that will act as
a third party
—allowing a customer to make a purchase without
revealing their credit card information to the vendor

Don’t reveal genealogical information until 100 years
has passed

Monitoring for Suspicious Activity
Incorporate adequate monitoring and logging so attacks can be
detected, tracked and forensically analysed

Step up security when certain changes or events occur
• Access from a new network or IP address or late at night
• Uncharacteristic purchases or amount of money spent
• Repeated failed passwords
• Very quick response to password prompt

Best to degrade access slowly
• Balance detection with blocking legitimate use

Flag accounts where fraud is suspected or more likely
• E.g. credit reports where someone has reported a theft
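An added example (not from the slides) of turning the signals above into detection logic: the Python below runs over a few constructed log lines, raises an alert for each of the four listed events, and maps the number of alerts per user to a gradually escalating response instead of an immediate block. The log format, the thresholds and the spending baseline are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source address, event, one extra field.
# rt = seconds between the password prompt and the answer; amount = purchase value.
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice 203.0.113.5 login_ok rt=2.4
2024-03-04T09:40:13 bob 198.51.100.7 login_fail rt=1.9
2024-03-04T09:40:15 bob 198.51.100.7 login_fail rt=0.1
2024-03-04T09:40:16 bob 198.51.100.7 login_fail rt=0.1
2024-03-04T09:40:17 bob 198.51.100.7 login_fail rt=0.1
2024-03-04T09:40:18 bob 198.51.100.7 login_fail rt=0.1
2024-03-04T23:55:02 alice 192.0.2.9 login_ok rt=3.1
2024-03-04T23:56:40 alice 192.0.2.9 purchase amount=4800
"""

FAIL_THRESHOLD = 5               # this many failures inside FAIL_WINDOW raises an alert
FAIL_WINDOW = timedelta(minutes=5)
FAST_RESPONSE = 0.5              # seconds; a human rarely answers a prompt this fast
TYPICAL_SPEND = 300              # constructed per-user baseline for 'uncharacteristic' purchases
NIGHT_START, NIGHT_END = 22, 6   # hours treated as 'late at night'

def parse_line(line):
    ts, user, ip, event, extra = line.split()
    value = float(extra.split("=")[1])
    return datetime.fromisoformat(ts), user, ip, event, value

def analyse(log_text, known_ips=None):
    """Return a list of (timestamp, user, reason) alerts for the signals listed on the slide."""
    seen = defaultdict(set, {u: set(ips) for u, ips in (known_ips or {}).items()})
    failures = defaultdict(deque)   # per-user sliding window of failure timestamps
    alerts = []
    for line in log_text.splitlines():
        ts, user, ip, event, value = parse_line(line)
        if event.startswith("login"):
            if value < FAST_RESPONSE:
                alerts.append((ts, user, "response to password prompt faster than a human"))
            if ip not in seen[user]:
                alerts.append((ts, user, "access from new address %s" % ip))
                seen[user].add(ip)          # challenge once, then treat the address as known
            if ts.hour >= NIGHT_START or ts.hour < NIGHT_END:
                alerts.append((ts, user, "access late at night"))
        if event == "login_fail":
            window = failures[user]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) == FAIL_THRESHOLD:
                alerts.append((ts, user, "%d failed passwords within %s" % (FAIL_THRESHOLD, FAIL_WINDOW)))
        if event == "purchase" and value > 5 * TYPICAL_SPEND:
            alerts.append((ts, user, "uncharacteristic purchase of %.0f" % value))
    return alerts

def step_up_action(alert_count):
    """Degrade access gradually instead of blocking outright, so legitimate users are rarely locked out."""
    if alert_count == 0:
        return "allow"
    if alert_count == 1:
        return "require second factor"
    if alert_count <= 3:
        return "delay and notify user"
    return "lock pending review"

def triage(log_text, known_ips=None):
    """Map each user with alerts to the step-up action their alert count warrants."""
    counts = defaultdict(int)
    for _, user, _ in analyse(log_text, known_ips):
        counts[user] += 1
    return {user: step_up_action(n) for user, n in counts.items()}
```

In the sample, bob's burst of sub-second failures earns both the fast-response and the repeated-failure alerts and ends in a lock for review, while alice's late-night login from a new address followed by a large purchase gets a delay and a notification rather than a block, which is the balance the slide asks for.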

Apply the Principle Of Least Privilege

Limit and control the number of legitimate users

Grant only needed privileges to users
• Principle of least privilege
• Information access on ‘need to know’ basis
• Have unused privileges expire

Ensure users know acceptable and unacceptable
practice
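An added example (not from the slides) of one way to make unused privileges expire: each grant records when it was last exercised, a check that succeeds renews it, and a periodic sweep removes grants that have gone unused for longer than the configured period. The user and privilege names and the 90-day default are constructed for the illustration.

```python
from datetime import datetime, timedelta

class PrivilegeStore:
    """Grants that lapse when unused; every successful use renews the grant."""

    def __init__(self, unused_ttl=timedelta(days=90)):   # 90 days is an assumed default
        self.unused_ttl = unused_ttl
        self._grants = {}   # (user, privilege) -> datetime of last use (or of the grant itself)

    def grant(self, user, privilege, now):
        self._grants[(user, privilege)] = now

    def revoke(self, user, privilege):
        self._grants.pop((user, privilege), None)

    def check(self, user, privilege, now):
        """True if the user holds the privilege and it has not lapsed; a successful use renews it."""
        last = self._grants.get((user, privilege))
        if last is None:
            return False            # never granted: deny by default ('need to know')
        if now - last > self.unused_ttl:
            self.revoke(user, privilege)   # lapsed: drop it so it has to be requested again
            return False
        self._grants[(user, privilege)] = now
        return True

    def expire_unused(self, now):
        """Periodic sweep: remove and return the grants that went unused for longer than the ttl."""
        stale = [key for key, last in self._grants.items() if now - last > self.unused_ttl]
        for key in stale:
            del self._grants[key]
        return stale

    def privileges_of(self, user):
        return sorted(p for (u, p) in self._grants if u == user)
```

Because a lapsed grant is removed rather than merely blocked, the set of live privileges shrinks on its own towards what people actually use, which is the practical effect least privilege is after.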

Make Security Usable

Balance the benefits of more onerous procedures with
the risk users will bypass them

Increasingly onerous procedures
—Requirement to use ‘strong’ passwords
—Requirement to change passwords frequently
—Requirement to use different passwords on each
system

Risk that people will write down passwords

Apply Proper Retention and Disposition
Policy
Automatically dispose of data that is no longer needed
• The more retained data, the more loss in case of a breach and the
more attractive to attackers

Examples of retention periods
• Personal (non-work) information
—Delete immediately
• Most emails and other communications
—Delete after 1-3 years
• Drafts and working documents
—Delete a year after the project is over and final results
confirmed
• Financial transactions and research data needed for audit
—Delete after 7 years or 10 years depending on jurisdiction

Securing the IT Infrastructure
• Require laptops to have data on board encrypted at all times
• Use ‘call home’ and ‘remote-wipe’ tools to deal with stolen
computers
• Screen savers that prompt for password after you leave the
computer for a while
• Automatic lockout when a computer isn’t where it expects to be or
finds itself not connected
• Force maximum use of anti-virus software and firewalls
• For guest use of wireless network, have time-limited individual
accounts on a separate subnet
• Disallow arbitrary software installation
• Disallow attachment of removable media
• Automatically patch all machines
• Power-up password before booting

Securing the IT Infrastructure (continued)
• Close unneeded TCP ports
• Deploy a VPN for access to network
• Back up vigorously, but secure the backups
• Update cryptographic and other techniques as vulnerabilities are
revealed
—E.g. avoid WEP on a wireless network
• Force new systems to have the securest settings enabled
• Use sandboxes and virtualization to ‘contain’ security breaches
• Securely erase / destroy old systems
• Employ an IT security officer

Backing up Security Using
Multiple Methods
Use of CAPTCHAS http://www.captcha.net/

Ability to answer pre-saved questions
• But beware of those that reveal personal information

Require use of mail and a certain phone line
• Common for activation of new accounts such as credit cards
—Requires calling from home phone number
—Checks mailing address, phone number and old card information on
record

Emailing you at another account before setting up a new one

Employ services that actually send someone to your door to see your ID
documents
• Used by banks to protect against identity theft

Avoid the CWE/SANS Most Dangerous
Programming Errors
Reference: http://www.sans.org/top25errors/

CATEGORY: Insecure Interaction Between Components
• Improper Input Validation
—E.g. allowing arbitrary HTML to be entered
—E.g. allowing violation of input constraints
• Improper Encoding or Escaping of Output
—E.g. hackers may be able to get one system to output a
command that will be executed by another
• Failure to Preserve SQL Query Structure (aka 'SQL Injection')
—E.g. a data string that ends an insert, followed by ‘Delete table’
• Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
—E.g. Allowing a script from an arbitrary linked site to change
contents from your site
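An added example (not from the slides) showing the input-validation, SQL-injection and output-escaping points above in Python with the standard library's sqlite3 and html modules: the concatenated query lets a crafted input change the query's structure, the parameterised version does not, an allow-list validator rejects such input outright, and html.escape keeps user text from becoming markup. The table contents and user names are constructed.

```python
import html
import sqlite3

def make_db():
    """Constructed in-memory table with a couple of rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"), ("bob", "bob@example.org")])
    return conn

def find_user_vulnerable(conn, name):
    # The input is spliced into the SQL text, so quotes in it change the query structure
    # (this is the defect the slide describes, kept on purpose for contrast).
    query = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, name):
    # Parameter binding: the query structure is fixed and the input travels as data only.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def validate_name(name):
    # Input validation as a second layer: an allow-list of what a user name may contain.
    if not (1 <= len(name) <= 32) or not name.replace("_", "").isalnum():
        raise ValueError("invalid user name")
    return name

def render_greeting(name):
    # Output escaping: user-controlled text is encoded before it becomes part of a page,
    # so it can never introduce a script element.
    return "<p>Hello, %s!</p>" % html.escape(name)
```

The same input that returns every row through the concatenated query returns nothing through the bound one, and the validator would have refused it before any query ran; escaping at output time is the matching control for the cross-site scripting item.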

The Most Dangerous Programming Errors 2

• Failure to Preserve OS Command Structure
—'OS Command Injection'
• Cleartext Transmission of Sensitive Information
• Cross-Site Request Forgery (CSRF)
—It looks to a server that the request is coming from a
page it served
• Race Condition
—Applications behave unpredictably, giving hackers
information
• Error Message Information Leak
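An added example (not from the slides) of the usual defence against CSRF described above: the server issues a secret token per session, embeds it in the forms it renders, and refuses a state-changing request that does not echo the token back, since a page served by another site cannot read it. The request structure, session ids and site origin are constructed for the example.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"   # constructed origin of the site that serves the forms

class CsrfGuard:
    """One secret token per session; state-changing requests must echo it back."""

    def __init__(self):
        self._tokens = {}   # session id -> token

    def token_for(self, session_id):
        # Created on first use and embedded as a hidden field in every form the server renders.
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def is_valid(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)   # constant-time comparison

def handle_transfer(guard, request):
    """request is a constructed dict: {'session': id, 'origin': Origin header, 'form': fields}."""
    form = request["form"]
    if not guard.is_valid(request["session"], form.get("csrf_token")):
        return 403, "missing or wrong CSRF token"
    if request.get("origin") != SITE_ORIGIN:
        return 403, "request did not originate from this site"   # belt-and-braces origin check
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```

A forged request from another site carries the victim's session cookie, so the session check alone passes; it is the token the other site cannot obtain that makes the server able to tell the two apart.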

The Most Dangerous Programming Errors 3
CATEGORY: Risky Resource Management
• Failure to Constrain Operations within the Bounds of a
Memory Buffer
—AKA “Buffer Overflow Errors”
• External Control of Critical State Data
—E.g. cookies, files, etc. that can be manipulated by a
hacker
• External Control of File Name or Path
—E.g. If the hacker gets to choose a file name he can
type “../” to walk up the directory hierarchy
• Untrusted Search Path
—The application goes to a location of the hacker’s
choosing instead of where intended
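An added example (not from the slides) of guarding against external control of a file name: the user-supplied name is resolved underneath a fixed base directory and rejected if the resolved path escapes it, which covers the ‘../’ walk above as well as absolute paths. The base directory is a constructed path; Path.resolve() also works on paths that do not exist, so the example runs without creating files.

```python
from pathlib import Path

def safe_join(base_dir, user_supplied_name):
    """Resolve user_supplied_name inside base_dir, refusing anything that ends up outside it."""
    base = Path(base_dir).resolve()
    candidate = (base / user_supplied_name).resolve()   # collapses '..' and follows symlinks
    try:
        candidate.relative_to(base)      # raises ValueError if candidate is not under base
    except ValueError:
        raise PermissionError("refusing path outside %s: %r" % (base, user_supplied_name))
    return candidate

def is_allowed(base_dir, user_supplied_name):
    """Boolean form of the same check, convenient for filtering a list of names."""
    try:
        safe_join(base_dir, user_supplied_name)
        return True
    except PermissionError:
        return False
```

Checking the resolved path rather than scanning the string for ‘..’ is deliberate: encodings, repeated separators and a leading slash all end up normalised before the comparison, so there is one decision point instead of a list of patterns to keep up to date.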

The Most Dangerous Programming Errors 4
• Failure to Control Generation of Code
—'Code Injection'
—Many apps generate & execute their own code
• Download of Code Without Integrity Check
—The hacker’s code gets downloaded instead
• Improper Resource Shutdown or Release
—E.g. a file is left open, then accessed by a hacker
• Improper Initialization
—A hacker may be able to initialize for you, or see
data from a previous use
• Incorrect Calculation
—Hackers take control of inputs used in numeric
calculation
The Most Dangerous Programming Errors 5

CATEGORY: Porous Defenses
• Improper Access Control (Authorization)
• Use of a Broken or Risky Cryptographic Algorithm
—E.g. WEP
• Hard-Coded Password
• Insecure Permission Assignment for Critical Resource
• Use of Insufficiently Random Values
• Execution with Unnecessary Privileges
• Client-Side Enforcement of Server-Side Security

Security in the software lifecycle
Requirements
• Ensure security needs are identified and quantified
• Threat and risk analysis
• Formal specification of security properties
Design
• Follow proper design practices
Testing and quality assurance
• Rigorously inspect and test all security mechanisms
• Employ people to act as hackers to try to break system
Deployment
• Ensure safeguards are properly installed and put into use
Evolution
• Adapt as new threats become known

A useful web site on security

From the US government:
• Build security in
—https://buildsecurityin.us-cert.gov/daisy/bsi/547-BSI.html

Other Computer Crimes: Auctions

Online auction sites are one of the top sources of fraud
complaints
• Some sellers do not send items or send inferior products
• Shill bidding is used to artificially raise prices
• Sellers give themselves or friends glowing reviews to
garner consumer trust

Auction sites use various techniques to counter
dishonest sellers

Other Computer Crimes
Click fraud
• Repeated clicking on an ad to either increase a site’s revenue or to
use up a competitor's advertising budget

Stock fraud
• Most common method is to buy a stock low, send out e-mails
urging others to buy, and then sell when the price goes up, usually
only for a short time

Digital Forgery
• New technologies (scanners and high quality printers) are used to
create fake checks, passports, visas, birth certificates, etc., with little
skill and investment

Whose Laws Rule the Web?

When Digital Actions Cross Borders:
• Laws vary from country to country
• Corporations that do business in multiple countries must
comply with the laws of all the countries involved
• Someone whose actions are legal in their own country
may face prosecution in another country where their
actions are illegal

An International Treaty:
The Convention on Cybercrime
International agreement to foster international cooperation among
law enforcement agencies of different countries in fighting
• Copyright violations
• Pornography
• Fraud
• Other online fraud

http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm

Includes Europe, US, Canada, Japan

Sets common standards or ways to resolve international cases
