Presentation is loading. Please wait.

Presentation is loading. Please wait.

ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived.

Similar presentations

Presentation on theme: "ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived."— Presentation transcript:

1 ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived from slides produced by Sara Basse, the Author of the Gift of Fire textbook, and also other professors who have taught this course including Stan Matwin and Liam Peyton

2 EECS2911 - Lethbridge2 Criminal acts using Computers: Hacking vs. Attacking vs. other Crimes Hacking Currently most widely used definition is: To gain illegal or unauthorized access to a file, computer, or network Attacking is often used synonymously Other computer crimes More general than hacking or attacking Includes also people with authorized access doing unauthorized actions E.g. an employee with access to accounts transferring funds into his or her bank account

3 EECS2911 - Lethbridge3 Hacking The term Hacking has changed over time Phase 1: early 1960s to 1970s A mostly positive term A creative programmer who wrote elegant or clever code A "hack" was an especially clever piece of code Some still prefer to use this terminology today and refer to others as crackers Later in this phase, hacking began to relate to code that wasn t designed to be maintainable -Lack of engineering discipline -A hack became a quick fix

4 EECS2911 - Lethbridge4 Hacking (cont.) Phase 2: 1970s to mid 1990s Hacking took on criminal connotations Revised consensus definition: Breaking into computers for which the hacker does not have authorized access Still primarily individuals Includes the spreading of computer worms and viruses and phone phreaking Companies began using hackers to analyze and improve security

5 EECS2911 - Lethbridge5 Hacking (cont.) Phase 3: beginning with the mid 1990s The growth of the Web changed hacking viruses and worms could be spread rapidly Political hacking (Hacktivism) surfaced Denial-of-service (DoS) attacks used to shut down Web sites Strongly suspected government-supported hacking Industrial espionage Large scale theft of personal and financial information

6 EECS2911 - Lethbridge6 Black Hat vs. White Hat Hackers Black hat Those who hack to commit crimes White hat Work to test defenses Break in to see if it is possible, at the request of target One type of security consultant Script kiddie Criminals that use programs written by hackers, with little skill Grey hat Mostly white hat, but acknowledges some hacktivism

7 EECS2911 - Lethbridge7 Hacktivism, or Political Hacking Use of hacking to promote a political cause Disagreement about Whether it is a form of civil disobedience How (whether) it should be punished Some use the appearance of hacktivism to hide other criminal activities Discussion question How do you determine whether something is legitimate hacktivism or simple vandalism?

8 EECS2911 - Lethbridge8 DEF CON The main hacker conference Lots of discussion of hacking techniques Ostensibly for white hats, security companies, etc. But everybody knows the black hats come too As does law enforcement, software makers etc.

9 EECS2911 - Lethbridge9 Typical Attack Methods for Initial Break-in Vulnerability exploits Makes use of code that scans for and/or makes use of a known vulnerability, typically to run malicious code Programming errors that lead to vulnerabilities discussed later Password cracking Running programs that try to guess or decrypt passwords Packet sniffing Seeking passwords or other data on the open internet Pharming and DNS poisoning Getting routers or computers to lead people to the wrong place when an Internet address is specified Social engineering Tricking people to reveal passwords, clues to passwords or information to establish a false identity E.g. phishing (also used without hacking for simple fraud)

10 EECS2911 - Lethbridge10 Typical Actions By Hackers After Breaking In Adding a payload Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc. Theft of data For sale, use in fraud or spying Emails, credit cards, transaction records, identity records, corporate or military secrets Vandalism and corruption Making a system not appear or behave as it should Setting up spoofing Redirecting legitimate users to an illegitimate place Setting up for other future hacks

11 EECS2911 - Lethbridge11 Typical Actions By Hackers After Breaking In (continued) Executing illegitimate transactions E.g. Transferring funds to the hacker s offshore account Taking control of a device or system E.g. potentially damaging a power plant Impersonating others Acting as if they are a legitimate user Denial of service Overloading network or computational resources so legitimate users can t use the system

12 EECS2911 - Lethbridge12 Criminal Actions can Also Be Performed by Legitimate Users Without Hacking Any of the actions on the previous two slides Embezzlement by executing illegitimate transactions Overstepping authority Can be accidental or on purpose E.g. authorizing one s own travel expenses E.g. granting oneself a pilot s license

13 EECS2911 - Lethbridge13 Motivations of Attackers Financial gain E.g. Hacking into bank accounts E.g. Theft of identities that can be sold Achieving personal objectives E.g. Granting oneself a pilot s license E.g. Building a collection of pirated movies Fun, entertainment, challenge or bragging rights Revenge / anger / hatred Political / military Private, radical group or state sponsored

14 EECS2911 - Lethbridge14 Some Thoughts on Attack Frequency A significant proportion of successful attacks are by insiders E.g. employees committing fraud Physical security can be breached Watching password entry over-the-shoulder, reading written passwords, accessing the physical disk or RAM, bypassing the network Much attacking today is automated: Botnets Attackers may try millions of random attacks until they find a weak link They will only keep attacking one target if is is extremely valuable

15 EECS2911 - Lethbridge15 Some Methods of Catching Hackers Law enforcement agents Read hacker newsletters Participate in chat rooms, newsgroups, blogs etc. undercover Track a hacker s handle Set up and study honeypots Fake sites or userids that look real and attract hackers Use computer forensics Retrieve evidence from computers E.g. logs, caches, old hard disks

16 EECS2911 - Lethbridge16 Penalties for Hackers Many young hackers have matured and gone on to productive and responsible careers Temptation to over- or under-punish Sentencing depends on intent and damage done Most young hackers receive probation, community service, and/or fines

17 EECS2911 - Lethbridge17 Hacking Discussion Questions Is hacking that does no direct damage or theft a victimless crime? Do you think hiring former hackers to enhance security is a good idea or a bad idea? Why or why not?

18 EECS2911 - Lethbridge18 Defense Against Attacks: Security Internet started with open access as a means of sharing information for research Attitudes about security were slow to catch up with the risks Security is often playing catch-up to hackers as new vulnerabilities are discovered and exploited

19 EECS2911 - Lethbridge19 Responsibility for Security Developers Responsibility to develop with security as a goal Businesses Responsibility to use security tools and monitor their systems to prevent attacks from succeeding Consumers Responsibility to ask questions and educate themselves on the tools to maintain security -Using personal firewalls, anti-virus and anti-spyware -Refraining from visiting questionable sites or downloading questionable content -Controlling access by children and guests

20 EECS2911 - Lethbridge20 Developing Secure Systems: A combination of factors Dependability The system runs as intended under all circumstances, even when under attack Trustworthiness The system contains no vulnerabilities that can be exploited by an attacker Survivability The system protects itself from attacks actively Recovers from attacks, that it wasn t able to resist or tolerate, as quickly as possible and with as little damage as possible

21 EECS2911 - Lethbridge21 Systems thinking A system is only as secure as its weakest link Can be the Operating system Reused components Network Humans Paper records Hardware So analyse every possible aspect of the system for its impact on security

22 EECS2911 - Lethbridge22 Techniques and Technologies for Security We will discuss each of these Using knowledge of attacker s motivation and methods Physical security Firewalls Cryptography Passwords Biometrics Hardware security devices Concealing sensitive information Monitoring for suspicious activity Applying the principle of least privilege Making security usable Proper retention and disposition policy Securing the IT Infrastructure Backing up security using multiple methods Avoiding certain programming errors

23 EECS2911 - Lethbridge23 Using Knowledge of Attacker Motivation and Methods The more benefit for the attacker, the more capable an attacker to expect So invest more in security when stakes are higher Increase the expense of attacking E.g. ensure it take more time by using more bits in cryptographic keys

24 EECS2911 - Lethbridge24 Using Knowledge of Attacker Motivation and Methods (continued) Increase attacker uncertainty Hide and randomize names and locations of resources Obfuscation Avoid clear feedback that could give clues to an attacker about whether they are succeeding or not Use honeypots Targets that take work to attack, look as though they have valuables, but are fake Isolate from network if possible, or make invisible on network

25 EECS2911 - Lethbridge25 Physical Security Protect people from sitting down at or near computers to try attacks Keep doors and filing cabinets locked Chain computers securely to desk Track entry and exit of personnel using ID cards Employ security personnel and video surveillance Ensure everybody knows each other Maintain a clean-desk policy Use shields for password/pin entry Be careful about radio-frequency signal interception

26 EECS2911 - Lethbridge26 Firewalls Used to monitor and filter out communication from Untrusted sites Those that fit a profile of suspicious activity

27 EECS2911 - Lethbridge27 Cryptography and Passwords Both require knowledge of a secret to access a system or data If a password is not also encrypted, it is useless since hackers can see the password in transmission Major mistake: Sending a password in email in plain-text

28 EECS2911 - Lethbridge28 Cryptography Beware: cryptography is only one tool in security Some people assume it is the only or main tool Private key cryptography Sender and recipient know the secret key and algorithm Public key cryptography You encrypt using the public key published by the recipient The result can only be decrypted using a mathematically related private key Cracking relies on factoring extraordinarily large numbers Infeasible to to this quickly, although often can be done The more bits in the key, the more computer power needed

29 EECS2911 - Lethbridge29 Attacks on cryptographically- or password- protected systems - 1 On-line If the key is related to a human-created non-random password, then try common password choices Dictionary words ( dictionary attacks ) Passwords the user has used on other systems Off-line Getting a sample of the data and using a dedicated computer to algorithmically try combinations For a random password and good algorithms, an attack has to be exhaustive, making it very hard

30 EECS2911 - Lethbridge30 Attacks on cryptographically- or password- protected systems - 2 As we discussed: Social engineering Weak password-resetting protocols E.g. resetting password requires only access to an email account, or simple identity information Man-in-the-middle Inserting software that will relay cryptographic keys before they are used Keystroke logging

31 EECS2911 - Lethbridge31 Attacks on cryptographically- or password- protected systems - 3 There are many hackers tools available on the Internet E.g. for doing dictionary attacks Try these against your own system to see how secure it will be

32 EECS2911 - Lethbridge32 Secure Passwords Note that a password is rarely as secure as the number of bits in a cryptographic key Not as long Not as random Nevertheless encourage / require users to use Longer passwords (8+ characters) Combination of character types Lower/upper case, numbers, special characters Minimal duplicate characters No numbers at the end No password similar to a recently used password Not containing dictionary words

33 Top Hat Monocle Question Cryptography EECS2911 - Lethbridge33

34 EECS2911 - Lethbridge34 Biometrics Biological characteristics unique to an individual Cannot readily be stolen Various types based on recognition of Fingerprint Iris Palm pattern Face Voice Signature All have some risk of false positive and false negative Should be backed up by other schemes for critical applications

35 EECS2911 - Lethbridge35 Hardware Devices for Security Typical devices: Smart cards or USB Dongles Physical presence of device lends credence to authenticity But they can be stolen or forged, so they should not be fully relied on Risks from devices E.g. USB keys or disks that harbor viruses

36 EECS2911 - Lethbridge36 Concealing Sensitive Information Use whatever methods possible to avoid exposing data that can be used by hackers Do not print a full credit card number and expiration date on receipts Use trusted payment services like PayPal that will act as a third party allowing a customer to make a purchase without revealing their credit card information to the vendor Don t reveal genealogical information until 100 years has passed

37 EECS2911 - Lethbridge37 Monitoring for Suspicious Activity Incorporate adequate monitoring and logging so attacks can be detected, tracked and forensically analysed Step up security when certain changes or events occur Access from a new network or IP address or late at night Uncharacteristic purchases or amount of money spent Repeated failed passwords Very quick response to password prompt Best to degrade access slowly Balance detection with blocking legitimate use Flag accounts where fraud is suspected or more likely E.g. credit reports where someone has reported a theft

38 EECS2911 - Lethbridge38 Apply the Principle Of Least Privilege Limit and control the number of legitimate users Grant only needed privileges to users Principle of least privilege Information access on need to know basis Have unused privileges expire Ensure users know acceptable and unacceptable practice

39 EECS2911 - Lethbridge39 Make Security Usable Balance the benefits of more onerous procedures with the risk users will bypass them Increasingly onerous procedures Requirement to use strong passwords Requirement to change passwords frequently Requirement to use different passwords on each system Risk that people will write down passwords

40 EECS2911 - Lethbridge40 Apply Proper Retention and Disposition Policy Automatically dispose of data that is no longer needed The more retained data, the more loss in case of a breach and the more attractive to attackers Examples of retention periods Personal (non-work) information Delete immediately Most emails and other communications Delete after between 1-3 years Drafts and working documents Delete a year after the project is over and final results confirmed Financial transactions and research data needed for audit Delete after 7 years or 10 years depending on jurisdiction

41 EECS2911 - Lethbridge41 Securing the IT Infrastructure Require laptops to have data on board encrypted at all times Use call home and remote-wipe tools to deal with stolen computers Screen savers that prompt for password after you leave the computer for a while Automatic lockout when a computer isn t where it expects to be or finds itself not connected Force maximum use of anti-virus software and firewalls For guest use of wireless network, have time-limited individual accounts on a separate subnet Disallow arbitrary software installation Disallow attachment of removable media Automatically patch all machines Power-up password before booting

42 EECS2911 - Lethbridge42 Securing the IT Infrastructure (continued) Close unneeded TCP ports Deploy a VPN for access to network Back up vigorously, but secure the backups Update cryptographic and other techniques as vulnerabilities are revealed E.g. avoid WEP on a wireless network Force new systems to have the securest settings enabled Use sandboxes and virtualization to contain security breaches Securely erase / destroy old systems Employ an IT security officer

43 EECS2911 - Lethbridge43 Backing up Security Using Multiple Methods Use of CAPTCHAS Ability to answer pre-saved questions But beware of those that reveal personal information Require use of mail and a certain phone line Common for ctivation of new accounts such as credit cards Requires calling from home phone number Checks mailing address, phone number and old card information on record Emailing you at another account before setting up a new one Employ services that actually send someone to your door to see your ID documents Used by banks to protect against identity theft

44 EECS2911 - Lethbridge44 Avoid the CWE/SANS Most Dangerous Programming Errors Reference: CATEGORY: Insecure Interaction Between Components Improper Input Validation E.g. allowing arbitrary html to be entered E.g. allowing violation of input constraints Improper Encoding or Escaping of Output E.g. hackers may be able to get one system to output a command that will be executed by another Failure to Preserve SQL Query Structure (aka 'SQL Injection') E.g. a data string that ends an insert, followed by Delete table Failure to Preserve Web Page Structure (aka 'Cross-site Scripting') E.g. Allowing a script from an arbitrary linked site to change contents from your site

45 EECS2911 - Lethbridge45 The Most Dangerous Programming Errors 2 Failure to Preserve OS Command Structure 'OS Command Injection Cleartext Transmission of Sensitive Information Cross-Site Request Forgery (CSRF) It looks to a server that the request is coming from a page it served Race Condition Applications behave unpredictably, giving hackers information Error Message Information Leak

46 EECS2911 - Lethbridge46 The Most Dangerous Programming Errors 3 CATEGORY: Risky Resource Management Failure to Constrain Operations within the Bounds of a Memory Buffer AKA Buffer Overflow Errors External Control of Critical State Data E.g. cookies, files, etc. that can be manipulated by a hacker External Control of File Name or Path E.g. If the hacker gets to choose a file name he can type../ to walk up the directory hierarchy Untrusted Search Path The application goes to a location of the hacker s choosing instead of where intended

47 EECS2911 - Lethbridge47 The Most Dangerous Programming Errors 4 Failure to Control Generation of Code 'Code Injection' Many apps generate & execute their own code Download of Code Without Integrity Check The hacker s code gets downloaded instead Improper Resource Shutdown or Release E.g. a file is left open, then accessed by a hacker Improper Initialization A hacker may be able to initialize for you, or see data from a previous use Incorrect Calculation Hackers take control of inputs used in numeric calculation

48 EECS2911 - Lethbridge48 The Most Dangerous Programming Errors 5 CATEGORY: Porous Defenses Improper Access Control (Authorization) Use of a Broken or Risky Cryptographic Algorithm E.g. WEP Hard-Coded Password Insecure Permission Assignment for Critical Resource Use of Insufficiently Random Values Execution with Unnecessary Privileges Client-Side Enforcement of Server-Side Security

49 EECS2911 - Lethbridge49 Security in the software lifecycle Requirements Ensure security needs are identified and quantified Threat and risk analysis Formal specification of security properties Design Follow proper design practices Testing and quality assurance Rigorously inspect and test all security mechanisms Employ people to act as hackers to try to break system Deployment Ensure safeguards are properly installed and put into use Evolution Adapt as new threats become known

50 EECS2911 - Lethbridge50 A useful web site on security From the US government: Build security in BSI.html BSI.html

51 EECS2911 - Lethbridge51 Other Computer Crimes: Auctions Online auction sites are one of the top sources of fraud complaints Some sellers do not send items or send inferior products Shill bidding is used to artificially raise prices Sellers give themselves or friends glowing reviews to garner consumer trust Auction sites use various techniques to counter dishonest sellers

52 EECS2911 - Lethbridge52 Other Computer Crimes Click fraud Repeated clicking on an ad to either increase a site s revenue or to use up a competitor's advertising budget Stock fraud Most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time Digital Forgery New technologies (scanners and high quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment

53 EECS2911 - Lethbridge53 Whose Laws Rule the Web? When Digital Actions Cross Borders: Laws vary from country to country Corporations that do business in multiple countries must comply with the laws of all the countries involved Someone whose actions are legal in their own country may face prosecution in another country where their actions are illegal

54 EECS2911 - Lethbridge54 An International Treaty: The Convention on Cybercrime International agreement to foster international cooperation among law enforcement agencies of different countries in fighting Copyright violations Pornography Fraud Other online fraud Includes Europe, US, Canada, Japan Sets common standards or ways to resolve international cases

Download ppt "ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle TOPIC 8 Computer Crime and Security Some of the material in these slides is derived."

Similar presentations

Ads by Google