95-752:8-1 Application Security. 95-752:8-2 Malicious Code Vulnerable Software Hacker toolkits Back/Trapdoors Greedy Programs / Logic bombs Salami Attacks.


1 95-752:8-1 Application Security

2 95-752:8-2 Malicious Code
Vulnerable Software
Hacker toolkits
Back/Trapdoors
Greedy Programs / Logic bombs
Salami Attacks
Trapdoors
Worms/Viruses
Bot Networks

3 95-752:8-3 Vulnerable Software
Buffer overflows
Insecure running environment
Insecure temporary files
Insecure program calls
Weak encryption
Poor programming
“If people built buildings the way that programmers write software, the first woodpecker to come along would destroy civilization.”

4 95-752:8-4 Handling Vulnerabilities
Locating
Dealing with vendors
Applying patches
Disabling services
Reconfiguring software/services

5 95-752:8-5 Hacker Toolkits
Programs that automatically scan for security problems on systems
  – Useful for system administrators to find problems for fixing
  – Useful for hackers to find problems for exploitation
Examples:
  – SATAN
  – COPS
  – ISS
Countermeasure: Detection Software

6 95-752:8-6 Back/Trapdoors
Pieces of code written into applications or operating systems to grant programmers easy access
Useful for debugging and monitoring
Too often, not removed
Examples:
  – Dennis Ritchie’s login/compiler hack
  – Sendmail DEBUG mode
Countermeasures
  – Sandboxing
  – Code Reviews

7 95-752:8-7 Logic Bombs
Pieces of code to cause undesired effects when event occurs
Used to enforce licenses (time-outs)
Used for revenge by disgruntled
Can be hard to determine malicious
Examples
  – British accounting firm logic bomb
  – British bank hack
Countermeasures
  – Personnel security

8 95-752:8-8 Viruses
Pieces of code that attach to existing programs
Not distinct program
No beneficial use – VERY destructive
Examples:
  – Michelangelo
  – Love letter
Countermeasures
  – Virus detection/disinfection software

9 95-752:8-9 Structure of a Virus
Marker: determine if a potential carrier program has been previously infected
Infector: Seeks out potential carriers and infects
Trigger check: Establishes if current conditions are sufficient for manipulation
Manipulation: Carry out malicious task

10 95-752:8-10 Types of Viruses
Memory-resident
Hardware
Buffered
Hide-and-seek
Live-and-die
Boot segment
Macro

11 95-752:8-11 Worms
Stand-alone programs that copy themselves from system to system
Some use in network computation
Examples:
  – Dolphin worm (Xerox PARC)
  – Code Red (2001, $12B cost)
  – Morris Worm (1988, $20M cost)
Countermeasures
  – Sandboxing
  – Quick patching: fix holes, stop worm

12 95-752:8-12 Trojan Horses
Programs that have malicious covert purpose
Have been used for license enforcement
Examples:
  – FIX2001
  – AOL4FREE
  – RIDBO
Countermeasures
  – Sandboxing
  – Code reviews

13 95-752:8-13 Greedy Programs
Programs that copy themselves
Core wars
Have been used in destructive web pages, standalone programs
Can be very difficult to show deliberate usage
Countermeasures:
  – CPU quotas on process families
  – Process quotas
  – Review of imported software & web pages
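
The quota countermeasures listed on this slide can be tried with POSIX resource limits. The following is an added example, not part of the original slides; the function names are hypothetical and a Linux or other POSIX system is assumed. Note that RLIMIT_CPU is inherited but counted per process, so a quota shared by a whole process family needs a mechanism such as Linux cgroups instead.

```python
"""Run an untrusted program under resource quotas (POSIX only; added example)."""
import resource
import signal
import subprocess


def _limit_hook(cpu_seconds, max_procs):
    """Build the function that runs in the child between fork() and exec()."""
    def hook():
        # Soft limit delivers SIGXCPU; the hard limit one second later is SIGKILL.
        resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds + 1))
        if max_procs is not None:
            # Process quota: counts all processes of the real UID, not only
            # this family, and is not enforced for privileged users.
            resource.setrlimit(resource.RLIMIT_NPROC, (max_procs, max_procs))
    return hook


def run_with_quota(argv, cpu_seconds=1, max_procs=None, wall_timeout=30):
    """Run argv under the quotas and return (verdict, returncode)."""
    proc = subprocess.Popen(
        argv,
        preexec_fn=_limit_hook(cpu_seconds, max_procs),
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    try:
        rc = proc.wait(timeout=wall_timeout)
    except subprocess.TimeoutExpired:
        # A sleeping process burns no CPU time, so wall-clock time is
        # bounded separately by the supervising parent.
        proc.kill()
        proc.wait()
        return "wall-timeout", proc.returncode
    # A negative return code means the child was terminated by that signal.
    if rc in (-signal.SIGXCPU, -signal.SIGKILL):
        return "cpu-quota-exceeded", rc
    return "exited", rc
```

The verdict only says which limit fired; as the slide notes, it cannot show whether the resource use was deliberate.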

14 95-752:8-14 Bot Networks
Collections of compromised machines
Typically, compromised by scripts
Respond to commands, perhaps encrypted
Examples:
  – Leaves
  – Code Red II
Countermeasures:
  – Vulnerability patching
  – Integrity checks

