ELG / CSI / SEG 2911 Professional Practice Pratique professionnelle


1 ELG / CSI / SEG 2911 Professional Practice / Pratique professionnelle
TOPIC 8 Computer Crime and Security
Some of the material in these slides is derived from slides produced by Sara Baase, the author of the "Gift of Fire" textbook, and also from other professors who have taught this course, including Stan Matwin and Liam Peyton

2 Criminal Acts Using Computers: Hacking vs. Attacking vs. Other Crimes
Hacking: the most widely used definition currently is "to gain illegal or unauthorized access to a file, computer, or network"
  Attacking is often used synonymously
Other computer crimes
  More general than hacking or attacking
  Also includes people with authorized access doing unauthorized actions
    E.g. an employee with access to accounts transferring funds into his or her own bank account
EECS Lethbridge

3 Hacking
The term 'hacking' has changed over time
Phase 1: early 1960s to 1970s
  A mostly positive term
    A creative programmer who wrote elegant or clever code
    A "hack" was an especially clever piece of code
    Some still prefer this terminology today and refer to the others as 'crackers'
  Later in this phase, hacking began to refer to code that wasn't designed to be maintainable
    Lack of engineering discipline
    A hack became a quick fix

4 Hacking (cont.)
Phase 2: 1970s to mid 1990s
  Hacking took on criminal connotations
  Revised consensus definition: breaking into computers for which the hacker does not have authorized access
  Still primarily individuals
  Includes the spreading of computer worms and viruses, and 'phone phreaking'
  Companies began using hackers to analyze and improve security

5 Hacking (cont.)
Phase 3: beginning with the mid 1990s
  The growth of the Web changed hacking: viruses and worms could be spread rapidly
  Political hacking (hacktivism) surfaced
  Denial-of-service (DoS) attacks used to shut down Web sites
  Strongly suspected government-supported hacking
  Industrial espionage
  Large-scale theft of personal and financial information

6 Black Hat vs. White Hat Hackers
Black hat
  Those who hack to commit crimes
White hat
  Work to test defenses
  Break in to see if it is possible, at the request of the target
  One type of security consultant
Script kiddie
  Criminals with little skill who use programs written by hackers
Grey hat
  Mostly white hat, but acknowledges some hacktivism

7 Hacktivism, or Political Hacking
Use of hacking to promote a political cause
Disagreement about
  Whether it is a form of civil disobedience
  How (or whether) it should be punished
Some use the appearance of hacktivism to hide other criminal activities
Discussion question: How do you determine whether something is legitimate hacktivism or simple vandalism?

8 DEF CON
The main hacker conference: http://www.defcon.org/
Lots of discussion of hacking techniques
Ostensibly for white hats, security companies, etc.
  But everybody knows the black hats come too
  As do law enforcement, software makers, etc.

9 Typical Attack Methods for Initial Break-in
Vulnerability exploits
  Make use of code that scans for and/or exploits a known vulnerability, typically to run malicious code
  Programming errors that lead to vulnerabilities are discussed later
Password cracking
  Running programs that try to guess or decrypt passwords
Packet sniffing
  Seeking passwords or other data on the open Internet
Pharming and DNS poisoning
  Getting routers or computers to lead people to the wrong place when an Internet address is specified
Social engineering
  Tricking people into revealing passwords, clues to passwords, or information to establish a false identity
  E.g. phishing (also used without hacking for simple fraud)

10 Typical Actions By Hackers After Breaking In
Adding a payload
  Inserting viruses, spyware, rootkits, trojans, bots, backdoors, etc.
Theft of data
  For sale, or for use in fraud or spying
  E-mails, credit cards, transaction records, identity records, corporate or military secrets
Vandalism and corruption
  Making a system not appear or behave as it should
Setting up spoofing
  Redirecting legitimate users to an illegitimate place
Setting up for other future hacks

11 Typical Actions By Hackers After Breaking In (continued)
Executing illegitimate transactions
  E.g. transferring funds to the hacker's offshore account
Taking control of a device or system
  E.g. potentially damaging a power plant
Impersonating others
  Acting as if they are a legitimate user
Denial of service
  Overloading network or computational resources so legitimate users can't use the system

12 Criminal Actions Can Also Be Performed by Legitimate Users Without Hacking
Any of the actions on the previous two slides
Embezzlement by executing illegitimate transactions
Overstepping authority
  Can be accidental or on purpose
  E.g. authorizing one's own travel expenses
  E.g. granting oneself a pilot's license

13 Motivations of Attackers
Financial gain
  E.g. hacking into bank accounts
  E.g. theft of identities that can be sold
Achieving personal objectives
  E.g. granting oneself a pilot's license
  E.g. building a collection of pirated movies
Fun, entertainment, challenge or bragging rights
Revenge / anger / hatred
Political / military
  Private, radical group, or state sponsored

14 Some Thoughts on Attack Frequency
A significant proportion of successful attacks are by 'insiders'
  E.g. employees committing fraud
Physical security can be breached
  Watching password entry over the shoulder, reading written-down passwords, accessing the physical disk or RAM, bypassing the network
Much attacking today is automated: botnets
  Attackers may try millions of random attacks until they find a 'weak link'
  They will only keep attacking one target if it is extremely valuable

15 Some Methods of Catching Hackers
Law enforcement agents
  Read hacker newsletters
  Participate undercover in chat rooms, newsgroups, blogs, etc.
  Track a hacker's "handle"
Set up and study 'honeypots'
  Fake sites or user IDs that look real and attract hackers
Use computer forensics
  Retrieve evidence from computers
  E.g. logs, caches, old hard disks

16 Penalties for Hackers
Many young hackers have matured and gone on to productive and responsible careers
Temptation to over- or under-punish
Sentencing depends on intent and damage done
Most young hackers receive probation, community service, and/or fines

17 Hacking Discussion Questions
Is hacking that does no direct damage or theft a victimless crime?
Do you think hiring former hackers to enhance security is a good idea or a bad idea? Why or why not?

18 Defense Against Attacks: Security
The Internet started with open access as a means of sharing information for research
Attitudes about security were slow to catch up with the risks
Security is often playing catch-up to hackers as new vulnerabilities are discovered and exploited

19 Responsibility for Security
Developers
  Responsibility to develop with security as a goal
Businesses
  Responsibility to use security tools and monitor their systems to prevent attacks from succeeding
Consumers
  Responsibility to ask questions and educate themselves on the tools to maintain security
    Using personal firewalls, anti-virus and anti-spyware
    Refraining from visiting questionable sites or downloading questionable content
    Controlling access by children and guests

20 Developing Secure Systems: A Combination of Factors
Dependability
  The system runs as intended under all circumstances, even when under attack
Trustworthiness
  The system contains no vulnerabilities that can be exploited by an attacker
Survivability
  The system actively protects itself from attacks
  Recovers from attacks that it wasn't able to resist or tolerate, as quickly as possible and with as little damage as possible

21 Systems Thinking
A system is only as secure as its weakest link
The weakest link can be the
  Operating system
  Reused components
  Network
  Humans
  Paper records
  Hardware
So analyse every possible aspect of the system for its impact on security

22 Techniques and Technologies for Security
We will discuss each of these:
  Using knowledge of attackers' motivation and methods
  Physical security
  Firewalls
  Cryptography
  Passwords
  Biometrics
  Hardware security devices
  Concealing sensitive information
  Monitoring for suspicious activity
  Applying the principle of least privilege
  Making security usable
  Proper retention and disposition policy
  Securing the IT infrastructure
  Backing up security using multiple methods
  Avoiding certain programming errors

23 Using Knowledge of Attacker Motivation and Methods
The more 'benefit' there is for the attacker, the more capable an attacker to expect
  So invest more in security when the stakes are higher
Increase the expense of attacking
  E.g. ensure it takes more time by using more bits in cryptographic keys

24 Using Knowledge of Attacker Motivation and Methods (continued)
Increase attacker uncertainty
  Hide and randomize names and locations of resources
    Obfuscation
  Avoid clear feedback that could give an attacker clues about whether they are succeeding or not
Use honeypots
  Targets that take work to attack and look as though they hold valuables, but are fake
Isolate from the network if possible, or make invisible on the network

25 Physical Security
Prevent people from sitting down at or near computers to try attacks
Keep doors and filing cabinets locked
Chain computers securely to desks
Track entry and exit of personnel using ID cards
Employ security personnel and video surveillance
Ensure everybody knows each other
Maintain a clean-desk policy
Use shields for password/PIN entry
Be careful about radio-frequency signal interception

26 Firewalls
Used to monitor and filter out communication from
  Untrusted sites
  Those that fit a profile of suspicious activity

27 Cryptography and Passwords
Both require knowledge of a secret to access a system or data
If a password is not also encrypted, it is useless, since hackers can see the password in transmission
Major mistake: sending a password in 'plain text'

28 Cryptography
Beware: cryptography is only one tool in security
  Some people assume it is the only or main tool
Private key cryptography
  Sender and recipient know the secret key and algorithm
Public key cryptography
  You encrypt using the public key published by the recipient
  The result can only be decrypted using a mathematically related private key
  Cracking relies on factoring extraordinarily large numbers
    Infeasible to do this quickly, although it often can be done
    The more 'bits' in the key, the more computer power needed

29 Attacks on Cryptographically- or Password-Protected Systems - 1
On-line
  If the key is related to a human-created, non-random password, then try common password choices
    Dictionary words ("dictionary attacks")
    Passwords the user has used on other systems
Off-line
  Getting a sample of the data and using a dedicated computer to algorithmically try combinations
  For a random password and good algorithms, an attack has to be exhaustive, making it very hard

30 Attacks on Cryptographically- or Password-Protected Systems - 2
As we discussed: social engineering
Weak password-resetting protocols
  E.g. resetting a password requires only access to an account, or simple identity information
Man-in-the-middle
  Inserting software that will relay cryptographic keys before they are used
Keystroke logging

31 Attacks on Cryptographically- or Password-Protected Systems - 3
There are many hacker tools available on the Internet
  E.g. for doing dictionary attacks
Try these against your own system to see how secure it will be

32 Secure Passwords
Note that a password is rarely as secure as the number of bits in a cryptographic key
  Not as long
  Not as random
Nevertheless, encourage / require users to use
  Longer passwords (8+ characters)
  A combination of character types
    Lower/upper case, numbers, special characters
  Minimal duplicate characters
  No numbers at the end
  No password similar to a recently used password
  Nothing containing dictionary words

33 Top Hat Monocle Question
Cryptography

34 Biometrics
Biological characteristics unique to an individual
  Cannot readily be stolen
Various types, based on recognition of
  Fingerprint
  Iris
  Palm pattern
  Face
  Voice
  Signature
All have some risk of false positives and false negatives
  Should be backed up by other schemes for critical applications

35 Hardware Devices for Security
Typical devices: smart cards or 'USB dongles'
  Physical presence of the device lends credence to authenticity
  But they can be stolen or forged, so they should not be fully relied on
Risks from devices
  E.g. USB keys or disks that harbor viruses

36 Concealing Sensitive Information
Use whatever methods possible to avoid exposing data that can be used by hackers
  Do not print a full credit card number and expiration date on receipts
  Use trusted payment services like PayPal that act as a third party, allowing a customer to make a purchase without revealing their credit card information to the vendor
  Don't reveal genealogical information until 100 years have passed

37 Monitoring for Suspicious Activity
Incorporate adequate monitoring and logging so attacks can be detected, tracked and forensically analysed
Step up security when certain changes or events occur
  Access from a new network or IP address, or late at night
  Uncharacteristic purchases or amount of money spent
  Repeated failed passwords
  Very quick response to a password prompt
  Best to degrade access slowly
    Balance detection with blocking legitimate use
Flag accounts where fraud is suspected or more likely
  E.g. credit reports where someone has reported a theft
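The step-up rules on this slide, worked through as an added example that is not from the course: each login attempt in a constructed log is scored for a new IP address, late-night access, a very quick response to the password prompt and repeated failures, and the score is mapped to a graduated response rather than an immediate block. The log format, weights and thresholds are assumptions made for this illustration.

```python
# Added example, not part of the lecture slides: a login-risk scorer for the
# "step up security when certain events occur" idea. Log format, field names,
# weights and thresholds are all assumptions made for this illustration.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP, result, and the seconds
# between the password prompt appearing and the password being submitted.
SAMPLE_LOG = """\
2011-03-01T09:12:04 user=alice ip=192.0.2.10 result=ok prompt_secs=4.1
2011-03-01T09:40:11 user=alice ip=192.0.2.10 result=ok prompt_secs=3.8
2011-03-02T02:17:30 user=alice ip=198.51.100.7 result=fail prompt_secs=0.2
2011-03-02T02:17:31 user=alice ip=198.51.100.7 result=fail prompt_secs=0.1
2011-03-02T02:17:32 user=alice ip=198.51.100.7 result=fail prompt_secs=0.1
2011-03-02T02:17:33 user=alice ip=198.51.100.7 result=ok prompt_secs=0.1
2011-03-02T14:05:00 user=bob ip=203.0.113.5 result=ok prompt_secs=5.0
"""

NIGHT_HOURS = range(0, 6)   # "late at night" = 00:00-05:59 (assumed)
FAST_PROMPT_SECS = 0.5      # faster than a person can type (assumed)
REPEATED_FAILS = 3          # consecutive failures that count as "repeated"

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["prompt_secs"] = float(rec["prompt_secs"])
    return rec

def score_events(log_text):
    """Map (time, user) -> (risk score, reasons) for every login attempt."""
    known_ips = defaultdict(set)     # user -> IPs seen on successful logins
    fails_in_a_row = defaultdict(int)
    results = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        user, ip = rec["user"], rec["ip"]
        score, reasons = 0, []
        if known_ips[user] and ip not in known_ips[user]:
            score, reasons = score + 2, reasons + ["new ip"]
        if rec["time"].hour in NIGHT_HOURS:
            score, reasons = score + 1, reasons + ["late night"]
        if rec["prompt_secs"] < FAST_PROMPT_SECS:
            score, reasons = score + 2, reasons + ["fast response"]
        if fails_in_a_row[user] >= REPEATED_FAILS:
            score, reasons = score + 3, reasons + ["repeated failures"]
        results[(rec["time"], user)] = (score, reasons)
        if rec["result"] == "ok":   # only successes establish a "known" IP
            known_ips[user].add(ip)
            fails_in_a_row[user] = 0
        else:
            fails_in_a_row[user] += 1
    return results

def decide(score):
    """Degrade access gradually instead of blocking on the first signal."""
    if score >= 6:
        return "block-and-alert"
    if score >= 3:
        return "step-up-verification"   # e.g. a second factor or a call-back
    return "log-only" if score else "allow"
```

In the sample, alice's first two logins score 0, the three night-time failures from a new address each score 5 (step-up verification), and the success that follows them scores 8 (block and alert), while bob's ordinary login is allowed.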

38 Apply the Principle of Least Privilege
Limit and control the number of legitimate users
Grant only needed privileges to users
  Principle of least privilege
  Information access on a 'need to know' basis
Have unused privileges expire
Ensure users know acceptable and unacceptable practice

39 Make Security Usable
Balance the benefits of more onerous procedures against the risk that users will bypass them
Increasingly onerous procedures
  Requirement to use 'strong' passwords
  Requirement to change passwords frequently
  Requirement to use different passwords on each system
  Risk that people will write down passwords

40 Apply Proper Retention and Disposition Policy
Automatically dispose of data that is no longer needed
  The more data retained, the more is lost in case of a breach, and the more attractive the target is to attackers
Examples of retention periods
  Personal (non-work) information: delete immediately
  Most e-mails and other communications: delete after between 1-3 years
  Drafts and working documents: delete a year after the project is over and the final results are confirmed
  Financial transactions and research data needed for audit: delete after 7 years or 10 years, depending on jurisdiction

41 Securing the IT Infrastructure
Require laptops to have on-board data encrypted at all times
Use 'call home' and 'remote-wipe' tools to deal with stolen computers
Screen savers that prompt for a password after you leave the computer for a while
Automatic lockout when a computer isn't where it expects to be or finds itself not connected
Force maximum use of anti-virus software and firewalls
For guest use of the wireless network, have time-limited individual accounts on a separate subnet
Disallow arbitrary software installation
Disallow attachment of removable media
Automatically patch all machines
Power-up password before booting

42 Securing the IT Infrastructure (continued)
Close unneeded TCP ports
Deploy a VPN for access to the network
Back up vigorously, but secure the backups
Update cryptographic and other techniques as vulnerabilities are revealed
  E.g. avoid WEP on a wireless network
Force new systems to have the most secure settings enabled
Use sandboxes and virtualization to 'contain' security breaches
Securely erase / destroy old systems
Employ an IT security officer

43 Backing Up Security Using Multiple Methods
Use of CAPTCHAs
Ability to answer pre-saved questions
  But beware of those that reveal personal information
Require use of e-mail and a certain phone line
  Common for activation of new accounts such as credit cards
    Requires calling from the home phone number
    Checks mailing address, phone number and old card information on record
E-mailing you at another account before setting up a new one
Employ services that actually send someone to your door to see your ID documents
  Used by banks to protect against identity theft

44 Avoid the CWE/SANS Most Dangerous Programming Errors
Reference:
CATEGORY: Insecure Interaction Between Components
  Improper Input Validation
    E.g. allowing arbitrary HTML to be entered
    E.g. allowing violation of input constraints
  Improper Encoding or Escaping of Output
    E.g. hackers may be able to get one system to output a command that will be executed by another
  Failure to Preserve SQL Query Structure (aka 'SQL Injection')
    E.g. a data string that ends an insert, followed by 'Delete table'
  Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
    E.g. allowing a script from an arbitrary linked site to change contents from your site
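The "Failure to Preserve SQL Query Structure" entry, as an added example that is not from the course: the same lookup written with string concatenation, where a quote in the input changes the shape of the query, and with placeholder binding, where the input can only ever be data. The users table and its rows are constructed for the illustration; the database is in-memory SQLite.

```python
# Added example, not from the slides: the "Failure to Preserve SQL Query
# Structure" entry, as a vulnerable lookup beside its parameterized fix.
# The users table and its contents are constructed for this illustration.
import sqlite3

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn

def lookup_vulnerable(conn, name):
    # Concatenation: a quote in the input ends the string literal and the rest
    # of the input becomes SQL, so the query's structure is chosen by the caller.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Placeholder binding: the driver passes the value separately from the SQL
    # text, so the query's structure is fixed and the input is only ever data.
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]

def suspicious_input(value):
    # Not a substitute for binding (escaping-based filters are brittle), but a
    # cheap signal worth logging, in the spirit of the monitoring slide.
    return any(tok in value for tok in ("'", ";", "--"))
```

With the input `x' OR '1'='1`, the concatenated query matches every row while the bound query matches none, which is exactly the structural difference the slide is pointing at.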

45 The Most Dangerous Programming Errors 2
  Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  Cleartext Transmission of Sensitive Information
  Cross-Site Request Forgery (CSRF)
    It looks to a server as if the request is coming from a page it served
  Race Condition
    Applications behave unpredictably, giving hackers information
  Error Message Information Leak

46 The Most Dangerous Programming Errors 3
CATEGORY: Risky Resource Management
  Failure to Constrain Operations within the Bounds of a Memory Buffer
    AKA "Buffer Overflow Errors"
  External Control of Critical State Data
    E.g. cookies, files, etc. that can be manipulated by a hacker
  External Control of File Name or Path
    E.g. if the hacker gets to choose a file name, he can type "../" to walk up the directory hierarchy
  Untrusted Search Path
    The application goes to a location of the hacker's choosing instead of where intended
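A containment check for the "External Control of File Name or Path" entry, as an added example that is not from the course: the requested name is resolved to its real location and accepted only if that location is still inside the intended directory, which handles the "../" walk-up on the slide as well as absolute paths and symbolic links. The directory and file names are constructed for the illustration.

```python
# Added example, not from the slides: a containment check for the "External
# Control of File Name or Path" entry. Directory and file names are
# constructed for this illustration.
import os
import tempfile

def resolve_inside(base_dir, requested):
    """Return the real path of `requested` under base_dir, or None when the
    request would leave it (via "..", an absolute path, or a symlink)."""
    base = os.path.realpath(base_dir)
    # join() discards base when `requested` is absolute; realpath() collapses
    # ".." and follows symlinks, so the check sees the final destination.
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so /srv/files2 is not accepted as
    # being inside /srv/files the way a plain startswith() check would allow.
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def demo():
    """Exercise the check against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as root:
        files = os.path.join(root, "files")
        os.mkdir(files)
        with open(os.path.join(files, "report.txt"), "w") as f:
            f.write("public")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("private")
        # a link inside the served directory that points outside it
        os.symlink(os.path.join(root, "secret.txt"),
                   os.path.join(files, "link.txt"))
        return {
            "plain": resolve_inside(files, "report.txt") is not None,
            "nested": resolve_inside(files, "sub/../report.txt") is not None,
            "dotdot": resolve_inside(files, "../secret.txt"),
            "absolute": resolve_inside(files, "/etc/passwd"),
            "symlink": resolve_inside(files, "link.txt"),
        }
```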

47 The Most Dangerous Programming Errors 4
  Failure to Control Generation of Code (aka 'Code Injection')
    Many apps generate and execute their own code
  Download of Code Without Integrity Check
    The hacker's code gets downloaded instead
  Improper Resource Shutdown or Release
    E.g. a file is left open, then accessed by a hacker
  Improper Initialization
    A hacker may be able to initialize for you, or see data from a previous use
  Incorrect Calculation
    Hackers take control of inputs used in numeric calculation

48 The Most Dangerous Programming Errors 5
CATEGORY: Porous Defenses
  Improper Access Control (Authorization)
  Use of a Broken or Risky Cryptographic Algorithm
    E.g. WEP
  Hard-Coded Password
  Insecure Permission Assignment for Critical Resource
  Use of Insufficiently Random Values
  Execution with Unnecessary Privileges
  Client-Side Enforcement of Server-Side Security

49 Security in the Software Lifecycle
Requirements
  Ensure security needs are identified and quantified
  Threat and risk analysis
  Formal specification of security properties
Design
  Follow proper design practices
Testing and quality assurance
  Rigorously inspect and test all security mechanisms
  Employ people to act as hackers to try to break the system
Deployment
  Ensure safeguards are properly installed and put into use
Evolution
  Adapt as new threats become known

50 A Useful Web Site on Security
From the US government: Build Security In
https://buildsecurityin.us-cert.gov/daisy/bsi/547-BSI.html

51 Other Computer Crimes: Auctions
Online auction sites are one of the top sources of fraud complaints
Some sellers do not send items or send inferior products
Shill bidding is used to artificially raise prices
Sellers give themselves or friends glowing reviews to garner consumer trust
Auction sites use various techniques to counter dishonest sellers

52 Other Computer Crimes
Click fraud
  Repeated clicking on an ad to either increase a site's revenue or to use up a competitor's advertising budget
Stock fraud
  Most common method is to buy a stock low, send out e-mails urging others to buy, and then sell when the price goes up, usually only for a short time
Digital forgery
  New technologies (scanners and high-quality printers) are used to create fake checks, passports, visas, birth certificates, etc., with little skill and investment

53 Whose Laws Rule the Web? When Digital Actions Cross Borders
Laws vary from country to country
Corporations that do business in multiple countries must comply with the laws of all the countries involved
Someone whose actions are legal in their own country may face prosecution in another country where their actions are illegal

54 An International Treaty: The Convention on Cybercrime
International agreement to foster cooperation among law enforcement agencies of different countries in fighting
  Copyright violations
  Pornography
  Fraud
  Other online fraud
Includes Europe, US, Canada, Japan
Sets common standards or ways to resolve international cases

