Professional Practice
TOPIC 8
Computer Crime and Security
Some of the material in these slides is derived from slides produced by Sara Baase,
the author of the “Gift of Fire” textbook, and also from other professors who have taught
this course, including Stan Matwin and Liam Peyton
Criminal acts using Computers:
Hacking vs. Attacking vs. other Crimes
Hacking
• Currently the most widely used definition is:
—To gain illegal or unauthorized access to a file, computer, or network
• ‘Attacking’ is often used synonymously
EECS2911 - Lethbridge 2
Hacking
Hacking (cont.)
Hacking (cont.)
Black Hat vs. White Hat Hackers
Black hat
• Those who hack to commit crimes
White hat
• Work to test defenses
• Break in to see if it is possible, at the request of target
• One type of security consultant
Script kiddie
• Criminals with little skill of their own who use programs written by hackers
Grey hat
• Mostly white hat, but acknowledges some hacktivism
Hacktivism, or Political Hacking
Use of hacking to promote a political cause
Disagreement about
• Whether it is a form of civil disobedience
• How (whether) it should be punished
Discussion question
• How do you determine whether something is legitimate hacktivism
or simple vandalism?
DEF CON
Typical Attack Methods for Initial Break-in
Vulnerability exploits
• Makes use of code that scans for and/or exploits a known vulnerability, typically to run malicious code
• The programming errors that lead to vulnerabilities are discussed later
Password cracking
• Running programs that try to guess or decrypt passwords
Packet sniffing
• Reading passwords or other data out of traffic crossing the open Internet
Pharming and DNS poisoning
• Getting routers or computers to lead people to the wrong place when
an Internet address is specified
Social engineering
• Tricking people to reveal passwords, clues to passwords or
information to establish a false identity
• E.g. phishing (also used without hacking for simple fraud)
Typical Actions By Hackers After Breaking In
Adding a payload
• Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.
Theft of data
• For sale, use in fraud or spying
• Emails, credit cards, transaction records, identity records, corporate
or military secrets
Typical Actions By Hackers After Breaking In (continued)
Executing illegitimate transactions
• E.g. Transferring funds to the hacker’s offshore account
Impersonating others
• Acting as if they are a legitimate user
Denial of service
• Overloading network or computational resources so legitimate users
can’t use the system
Criminal Actions can Also Be Performed by Legitimate Users Without Hacking
Any of the actions on the previous two slides
• Embezzlement by executing illegitimate transactions
Overstepping authority
• Can be accidental or on purpose
• E.g. authorizing one’s own travel expenses
• E.g. granting oneself a pilot’s license
Motivations of Attackers
Financial gain
• E.g. Hacking into bank accounts
• E.g. Theft of identities that can be sold
Political / military
• Private, radical group or state sponsored
Some Thoughts on Attack Frequency
A significant proportion of successful attacks are by ‘insiders’
• E.g. employees committing fraud
• Physical security can be breached
—Watching password entry over-the-shoulder, reading
written passwords, accessing the physical disk or
RAM, bypassing the network
Much attacking today is automated: Botnets
Attackers may try millions of random attacks until they
find a ‘weak link’
• They will only keep attacking one target if it is extremely valuable
Some Methods of Catching Hackers
Penalties for Hackers
Many young hackers have matured and gone on to
productive and responsible careers
Hacking
Discussion Questions
Is hacking that does no direct damage or theft a
victimless crime?
Defense Against Attacks: Security
Internet started with open access as a means of sharing
information for research
Responsibility for Security
Developing Secure Systems: A combination of factors
Dependability
• The system runs as intended under all circumstances,
even when under attack
Trustworthiness
• The system contains no vulnerabilities that can be
exploited by an attacker
Survivability
• The system protects itself from attacks actively
• Recovers as quickly as possible, and with as little damage as possible, from attacks that it was not able to resist or tolerate
Systems thinking
Techniques and Technologies for Security
We will discuss each of these
• Using knowledge of attacker’s motivation and methods
• Physical security
• Firewalls
• Cryptography
• Passwords
• Biometrics
• Hardware security devices
• Concealing sensitive information
• Monitoring for suspicious activity
• Applying the principle of least privilege
• Making security usable
• Proper retention and disposition policy
• Securing the IT Infrastructure
• Backing up security using multiple methods
• Avoiding certain programming errors
Using Knowledge of Attacker Motivation and Methods
The more ‘benefit’ there is for the attacker, the more capable an attacker you should expect
• So invest more in security when the stakes are higher
Using Knowledge of Attacker Motivation and Methods (continued)
Increase attacker uncertainty
• Hide and randomize names and locations of resources
—Obfuscation
• Avoid clear feedback that could give clues to an attacker
about whether they are succeeding or not
• Use honeypots
—Targets that take work to attack, look as though they
have valuables, but are fake
Physical Security
Firewalls
Used to monitor and filter out communication from
• Untrusted sites
• Those that fit a profile of suspicious activity
Cryptography and Passwords
Both require knowledge of a secret to access a system or
data
Major mistake:
• Sending a password in email in ‘plain-text’
Cryptography
Beware: cryptography is only one tool in security
• Some people assume it is the only or main tool
Attacks on cryptographically- or password-protected systems - 1
On-line
• If the key is related to a human-created non-random
password, then try common password choices
—Dictionary words (“dictionary attacks”)
—Passwords the user has used on other systems
Off-line
• Getting a sample of the data and using a dedicated
computer to algorithmically try combinations
• For a random password and good algorithms, an attack
has to be exhaustive, making it very hard
Attacks on cryptographically- or password-protected systems - 2
As we discussed: Social engineering
Man-in-the-middle
• Inserting software that will relay cryptographic keys
before they are used
Keystroke logging
Attacks on cryptographically- or password-protected systems - 3
There are many hacker tools available on the Internet
• E.g. for doing dictionary attacks
• Try these against your own system to see how secure it will be
Secure Passwords
Note that a password is rarely as secure as the number of
bits in a cryptographic key
• Not as long
• Not as random
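To make this slide and the earlier on-line vs. off-line attack slide concrete, the following Python is an added example (not from the course slides): it computes how many bits of guessing work a random password, a dictionary word and a symmetric key represent, and how long an off-line exhaustive search would take at an assumed guess rate. The alphabet sizes, the 100 000-word list and the 10^10 guesses-per-second rate are assumptions.

```python
import math

# Constructed alphabet sizes for the comparison (an assumption, not from the slides).
ALPHABETS = {"digits": 10, "lowercase": 26, "alnum": 62, "printable": 95}
SECONDS_PER_YEAR = 365 * 24 * 3600


def password_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def dictionary_bits(word_count):
    """A password taken from a word list is worth only log2(word_count) bits, however
    long the word is: an off-line attacker tries the list, not every possible string."""
    return math.log2(word_count)


def length_for_key_strength(key_bits, alphabet_size):
    """Shortest random password over this alphabet that matches a key_bits-bit key."""
    return math.ceil(key_bits / math.log2(alphabet_size))


def exhaustive_search_years(bits, guesses_per_second):
    """Years needed to try all 2**bits candidates at a given off-line guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(password_len, alphabet_size, word_count, key_bits=128, rate=1e10):
    """Summarise how a random password, a dictionary word and a key of key_bits
    compare against an attacker guessing `rate` candidates per second."""
    random_bits = password_bits(password_len, alphabet_size)
    word_bits = dictionary_bits(word_count)
    return {
        "random_password_bits": random_bits,
        "dictionary_word_bits": word_bits,
        "key_bits": key_bits,
        "random_password_years": exhaustive_search_years(random_bits, rate),
        "dictionary_word_years": exhaustive_search_years(word_bits, rate),
        "key_years": exhaustive_search_years(key_bits, rate),
        "length_to_match_key": length_for_key_strength(key_bits, alphabet_size),
    }


if __name__ == "__main__":
    # Constructed scenario: 8 random lowercase letters vs. an 8-letter word from a
    # 100 000-word list vs. a 128-bit key, at an assumed 10^10 guesses per second.
    for name, value in compare(8, ALPHABETS["lowercase"], 100_000).items():
        print(f"{name:>24}: {value:.4g}")
```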
Top Hat Monocle Question
Cryptography
Biometrics
Biological characteristics unique to an individual
• Cannot readily be stolen
Hardware Devices for Security
Concealing Sensitive Information
Monitoring for Suspicious Activity
Incorporate adequate monitoring and logging so attacks can be
detected, tracked and forensically analysed
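As an added example (not part of the slides) of what such logging makes possible, the Python below runs simple detection logic over constructed sshd-style log lines: it flags a source that reaches a threshold of failed logins inside a sliding window (the on-line dictionary attack pattern from the earlier slide) and a success that follows such failures. The log format, the threshold of 5 and the 60-second window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style authentication log (sample data, not from any real host).
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51122
2024-03-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.7 port 51123
2024-03-01T10:00:05 sshd[811]: Failed password for invalid user test from 203.0.113.7 port 51124
2024-03-01T10:00:06 sshd[811]: Failed password for root from 203.0.113.7 port 51125
2024-03-01T10:00:08 sshd[811]: Failed password for deploy from 203.0.113.7 port 51126
2024-03-01T10:00:12 sshd[811]: Accepted password for deploy from 203.0.113.7 port 51127
2024-03-01T10:00:20 sshd[812]: Failed password for alice from 198.51.100.9 port 40001
2024-03-01T10:01:30 sshd[812]: Failed password for alice from 198.51.100.9 port 40002
2024-03-01T10:02:00 sshd[813]: Accepted password for bob from 192.0.2.5 port 40100
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    'bruteforce': a source reached `threshold` failed logins within `window_seconds`.
    'success_after_failures': a login succeeded while that source still had recent
    failures, which is the event to investigate first.
    """
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps in window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are skipped, not silently misparsed
        ts = datetime.fromisoformat(m["ts"])
        window = recent_failures[m["ip"]]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop failures that fell out of the sliding window
        if m["result"] == "Failed":
            window.append(ts)
            if len(window) == threshold:
                alerts.append(("bruteforce", m["ip"], m["user"], ts.isoformat()))
        elif window:
            alerts.append(("success_after_failures", m["ip"], m["user"], ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```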
Apply the Principle Of Least Privilege
Make Security Usable
Apply Proper Retention and Disposition Policy
Automatically dispose of data that is no longer needed
• The more retained data, the more loss in case of a breach and the
more attractive to attackers
Securing the IT Infrastructure
• Require laptops to have data on board encrypted at all times
• Use ‘call home’ and ‘remote-wipe’ tools to deal with stolen
computers
• Screen savers that prompt for password after you leave the
computer for a while
• Automatic lockout when a computer isn’t where it expects to be or
finds itself not connected
• Force maximum use of anti-virus software and firewalls
• For guest use of wireless network, have time-limited individual
accounts on a separate subnet
• Disallow arbitrary software installation
• Disallow attachment of removable media
• Automatically patch all machines
• Power-up password before booting
Securing the IT Infrastructure (continued)
• Close unneeded TCP ports
• Deploy a VPN for access to network
• Back up vigorously, but secure the backups
• Update cryptographic and other techniques as vulnerabilities are
revealed
—E.g. avoid WEP on a wireless network
• Force new systems to have the securest settings enabled
• Use sandboxes and virtualization to ‘contain’ security breaches
• Securely erase / destroy old systems
• Employ an IT security officer
Backing up Security Using Multiple Methods
Use of CAPTCHAs (http://www.captcha.net/)
Employ services that actually send someone to your door to see your ID
documents
• Used by banks to protect against identity theft
Avoid the CWE/SANS Most Dangerous Programming Errors
Reference: http://www.sans.org/top25errors/
The Most Dangerous Programming Errors 2
The Most Dangerous Programming Errors 3
CATEGORY: Risky Resource Management
• Failure to Constrain Operations within the Bounds of a
Memory Buffer
—AKA “Buffer Overflow Errors”
• External Control of Critical State Data
—E.g. cookies, files, etc. that can be manipulated by a
hacker
• External Control of File Name or Path
—E.g. if the hacker gets to choose a file name, they can include “../” to walk up the directory hierarchy
• Untrusted Search Path
—The application goes to a location of the hacker’s
choosing instead of where intended
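The “External Control of File Name or Path” entry above is the one most easily shown in code. The Python below is an added example (not from the slides or from CWE/SANS): a safe_join check that resolves a user-supplied name against an assumed base directory /srv/uploads and rejects anything that ends up outside it, which covers the “../” case as well as absolute paths, NUL bytes and symlinks that point elsewhere.

```python
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would resolve outside the allowed directory."""


def safe_join(base_dir, user_supplied):
    """Join user_supplied onto base_dir and refuse any result that escapes base_dir.

    Looking for a literal "../" is not enough: an absolute path, a NUL byte, or a
    symlink inside base_dir can all lead elsewhere, so the check is made on the
    fully resolved path rather than on the string the user typed.
    """
    if "\x00" in user_supplied:
        raise PathTraversalError("NUL byte in path")
    base = Path(base_dir).resolve()
    # Joining discards base_dir entirely when user_supplied is absolute,
    # which is exactly why the containment test below is needed.
    candidate = (base / user_supplied).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError(f"{user_supplied!r} escapes {base}")
    return candidate


def is_safe(base_dir, user_supplied):
    """Boolean form of safe_join, convenient for batch checks."""
    try:
        safe_join(base_dir, user_supplied)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed inputs against an assumed upload directory (need not exist).
    for name in ["reports/q1.txt", "reports/../q1.txt", "../../etc/passwd",
                 "/etc/passwd", "reports/../../../etc/passwd"]:
        verdict = "accepted" if is_safe("/srv/uploads", name) else "rejected"
        print(f"{name!r:>32} -> {verdict}")
```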
The Most Dangerous Programming Errors 4
• Failure to Control Generation of Code
—'Code Injection'
—Many apps generate & execute their own code
• Download of Code Without Integrity Check
—The hacker’s code gets downloaded instead
• Improper Resource Shutdown or Release
—E.g. a file is left open, then accessed by a hacker
• Improper Initialization
—A hacker may be able to initialize for you, or see
data from a previous use
• Incorrect Calculation
—Hackers take control of inputs used in numeric
calculation
The Most Dangerous Programming Errors 5
Security in the software lifecycle
Requirements
• Ensure security needs are identified and quantified
• Threat and risk analysis
Formal specification of security properties
Design
• Follow proper design practices
Testing and quality assurance
• Rigorously inspect and test all security mechanisms
• Employ people to act as hackers to try to break system
Deployment
• Ensure safeguards are properly installed and put into use
Evolution
• Adapt as new threats become known
A useful web site on security
Other Computer Crimes: Auctions
Other Computer Crimes
Click fraud
• Repeated clicking on an ad to either increase a site’s revenue or to
use up a competitor's advertising budget
Stock fraud
• Most common method is to buy a stock low, send out e-mails
urging others to buy, and then sell when the price goes up, usually
only for a short time
Digital Forgery
• New technologies (scanners and high quality printers) are used to
create fake checks, passports, visas, birth certificates, etc., with little
skill and investment
Whose Laws Rule the Web?
An International Treaty: The Convention on Cybercrime
An agreement to foster cooperation among the law enforcement agencies of different countries in fighting
• Copyright violations
• Pornography
• Fraud
• Other online fraud
http://conventions.coe.int/Treaty/EN/Treaties/Html/185.htm