CYBER SECURITY, Part II Malware and Scams. A Quick Review of the basics!

Presentation transcript:

CYBER SECURITY, Part II Malware and Scams

A Quick Review of the basics!

The Security Pillars
Authentication
Authorization
Privacy
Information Integrity
Non Repudiation
Availability

Viruses, Worms, Trojan Horses and Spybots, aka Malware
Primarily attack on Authentication, Data Integrity, System Availability and Privacy

Viruses!!

Computer Viruses
In the early 1980s, Fred Cohen did extensive theoretical research at USC, as well as setting up and performing numerous practical experiments, regarding viral type programs.
Dr. Cohen's definition of a computer virus as "a program that can 'infect' other programs by modifying them to include a... version of itself" is generally accepted as a standard.
Aka… an illicit program hidden inside of a legitimate program that propagates through various computer and network media
Cohen created “research viruses” as part of his thesis
Today we are concerned with viruses “in the wild”

Viruses
Malicious software code that is usually embedded in executable programs or documents
File Infector viruses can sit in a system's memory and attach themselves to any programs that the user opens
Some viruses actually create new copies of existing programs that contain malicious code and substitute them for the original
A common technique is to infect Word documents that may then be e-mailed to other systems
Famous viruses in the past were called Chernobyl, Career of Evil, Concept
The worst viruses destroy the file directory or the data on your disk!

How do they propagate?
Early viruses spread when people exchanged floppy disks that contained programs or data with other users and inserted them into their machines (relatively slow propagation)
Today, with the speed and global reach of the internet, viruses can spread many times faster attached to e-mails and file downloads such as mp3s, images and video files (very fast propagation and attack at a distance)

Types of Viruses
File Infector Viruses
– Some of the oldest types
– Looks like an executable file (.exe, .com, .bin, .sys)
– Hides in system memory and embeds itself in applications that the user opens
– Capable of infecting multiple application files
– Some Infector viruses make a copy of the real application and hide themselves inside the copy. When the user clicks on the file name, the copy runs, not the original.
Macro Viruses
– Hide in the macro commands that are popular in Windows applications
– These viruses infect any documents that the application opens (Word, Excel, Access, etc.)

Types of Viruses
Boot Sector Viruses
– These viruses infect the boot track of the disk drive when the machine is booted up
– By altering the boot drive, the virus can render the machine inoperable
– Michelangelo was a famous boot sector virus that launches on computers on March 6th and puts the infected machines out of service
– On March 6, 1992 there was almost hysteria about the effect that this virus would have on all the PCs installed worldwide

Worms
Responsible for today’s most widespread attacks and sometimes confused with viruses
Unlike viruses, worms are designed to self-replicate and automatically spread themselves from system to system using the network connections
Worms usually use e-mail as their carrier method since e-mail is such a popular application
Some worms mail themselves to everyone listed in your address book as an efficient replication mechanism
The Anna-Kournikova.jpg.vbs worm did over $80 million worth of damage because people couldn’t resist the temptation of seeing a nude photo of her

Kournikova worm smashes through the net !!!!
Sophos Anti-Virus, a world leader in corporate anti-virus protection, has warned users to be wary of a new in-the-wild worm that poses as a picture of the popular Russian tennis pin-up, Anna Kournikova. The worm has been widely reported as infecting users around the world.
2001

The Trojan Horse

Trojans
Modeled after the ancient technique of hiding a threat inside of a seemingly benign package
Trojans are usually attached to e-mails and contain a program that performs nasty stuff on your computer
When the user opens the e-mail, the system resets and when it boots up, the Trojan program does its thing very secretly
Trojans can open up backdoor communications on your system which allows someone to actually see what you are typing on the keyboard (Usernames, Passwords, CC#s, Phone numbers, SS#s)!
Trojans can also allow someone to effectively hijack your computer and use it to control everything that your machine does without you knowing it (Zombies!)

In Summary
A wide variety of threats
Viruses, Worms and Trojans are sometimes combined in order to confuse the detection and removal techniques
The attacks continue and get more sophisticated all the time.

How to attempt to protect yourself from Malware
Install virus protection software
Subscribe to the update service and have the updates installed automatically on your machine
Perform a complete virus scan of your machine at least once a week
– Automatically while you are asleep!
Do not put flash memory cards from unknown parties into your machine
Only accept software downloads from reputable companies (almost 10% of all the files on popular file sharing sites are in fact Malware)
Install and run Spybot Search and Destroy regularly
Don’t open any e-mails promising racy photos or videos of Anna Kournikova, Pamela Anderson, Paris Hilton or Ben Affleck, George Clooney or Brad Pitt! Or anyone else for that matter….

RansomWare!
Ransomware is a type of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator(s) of the malware in order for the restriction to be removed.

Beware of Bogus Virus Protection! (RansomWare)
The user gets a very visible warning about infections on their PC from what appears to be a legitimate source (Microsoft, etc.)
They are instructed to click on a button and download software to protect themselves.
By doing so they download and install a program that incessantly pops up on their screen instructing them to pay for a viral antidote, which disrupts everything else they are trying to do
They then have to go to a website and pay to remove the annoying software that they mistakenly downloaded in the first place!
VERRRRY ANNOYING!!!! and costly

CryptoWall and CryptoLocker
A file-encrypting ransomware program called CryptoWall infected over 600,000 computer systems in the past six months and held 5 billion files hostage, earning its creators more than $1 million, researchers found.
The threat has been spreading since at least November 2013, but until the first quarter of this year it remained mostly overshadowed by CryptoLocker, another ransomware program that infected over half a million systems from September 2013 through May, earning its perpetrators an estimated $3 Million!

More Threats and Scams
Nigerian Letters
Phishing
Pharming
Spoofing

Nigerian Letters
Also known as “Advance Fee Fraud”
Been successfully run since the 1980’s over mail and over the Internet
Convinces the target that they will get a huge commission for helping free up money held in an offshore bank account.
Target is solicited for small “fees” and their personal info to expedite the process
Of course, no money is forthcoming
Read all about them here

Nigerian Letter Example Attention.Friend Its my pleasure to inform you that i have verify from the bank director regarding the transfer of your fund and it was good news because the requested fee was less expessive for you to afford. your consignment containing your fund($ ) i have deposited it with the CAPITAL CITY BANK PLC so that your fund will be wired to your account immediately you contact the bank director with your banking details. However i went to CAPITAL CITY BANK PLC to discuss this with the bank director as its has not been delivered to you However he told me that your fund can be transfered to you via a direct wire transfer(KTT) into your account.He told me to instruct you to contact the bank to apply for a direct wire transfer into your account to avoid loosing your fund due to delay. Therefore you can contact the bank with below information, send to them your banking information. CAPITAL CITY BANK PLC OF BENIN REPUBLIC 20/22 HOSPITAL ROUTE COTONOU BENIN REPUBLIC

Phishing, Pharming and Spoofing
Who Am I ????

Phishing
Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic transaction.
Phishing is an example of social engineering techniques used to fool users and exploits the poor usability of current web security technologies.
Phishing alludes to baits used to "catch" financial information and passwords.

Pharming
Pharming is a hacker’s attack aiming to redirect a website’s traffic to another, bogus website
Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software.
Antivirus software and spyware removal software cannot protect against pharming.
Pharming is also known as Page Hijacking

Spoofing
Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organization.
Another meaning for spoof is fake websites. Normally, the website will adopt the design of the target website and sometimes has a similar URL
E-mail spoofing is activity in which the sender address and other parts of the e-mail header are altered to appear as though the e-mail originated from a different source.
Because core SMTP doesn't provide any authentication, it is easy to impersonate and forge e-mails.
It is usually fraudulent but can be legitimate.
It is commonly used in spam and phishing e-mails to hide the origin of the message.
Most often used in conjunction with Pharming
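Because core SMTP does not authenticate the sender, a receiving side has to look at the headers itself. The following added example (not part of the original slides) flags three common signs of a forged sender: a Return-Path or Reply-To domain that differs from the From domain, and a missing or failed DMARC verdict from the recipient's own mail server. Both messages and the server name `mx.recipient.example` are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name our own receiving server writes into
# Authentication-Results. Verdicts from any other name are ignored,
# because a sender can add that header too.
TRUSTED_AUTHSERV = "mx.recipient.example"

# Constructed sample messages.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mailer.invalid; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: helpdesk@other.invalid
To: user@recipient.example
Subject: Verify your account

Body text
"""

LEGIT = """\
Return-Path: <bounce@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
To: user@recipient.example
Subject: Your monthly statement

Body text
"""


def domain_of(header_value):
    """Domain part of the address in a header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """Collect spf/dkim/dmarc verdicts written by the trusted server only."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        if not parts[0] or parts[0].split()[0].lower() != trusted:
            continue
        for part in parts[1:]:
            m = re.match(r"(spf|dkim|dmarc)\s*=\s*(\w+)", part, re.I)
            if m:
                verdicts.setdefault(m.group(1).lower(), m.group(2).lower())
    return verdicts


def spoofing_indicators(raw_message):
    """Return a list of indicator codes; an empty list means none found."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    # Exact-domain comparison is a simplification of DMARC alignment.
    if domain_of(msg["Return-Path"]) not in ("", from_dom):
        findings.append("return-path-mismatch")
    if domain_of(msg["Reply-To"]) not in ("", from_dom):
        findings.append("reply-to-mismatch")
    verdicts = auth_results(msg)
    if not verdicts:
        findings.append("no-trusted-auth-results")
    elif verdicts.get("dmarc") != "pass":
        findings.append("dmarc-" + verdicts.get("dmarc", "missing"))
    return findings


if __name__ == "__main__":
    print("spoofed:", spoofing_indicators(SPOOFED))
    print("legit:  ", spoofing_indicators(LEGIT))
```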

Phishing Video

These days, Phishing, Pharming and Spoofing are often all combined in the same attempt to compromise someone’s personal information

Looking for Privacy Encryption and Decryption “Kryptos logos” (Hidden Word)

Encryption and Data Security (Privacy)
Cryptography is the art and science of keeping messages secret
Encryption techniques convert data into a secret code for transmission
The process of retrieving the original message at the receiver is called decryption

Encryption with and without keys
Earlier, less sophisticated encryption did not involve the use of keys but relied solely on a secret formula or algorithm
This is very weak encryption since:
– It is now essential to keep the algorithm secret between all authorized parties
– Disseminating the algorithm risks its secrecy
– Once the algorithm is compromised, an entirely new one must be developed and distributed
The use of keys in conjunction with a public algorithm is much stronger because:
– The algorithm can be published so that everyone knows it
– The keys are secret
– The keys can be changed whenever necessary to preserve their secrecy

Encryption Keys
Keys are essential information -- usually a large numerical parameter(s) -- needed for encryption and/or decryption algorithms
Encryption keys are used to encode plaintext as encoded ciphertext
Decryption keys are used to decode ciphertext and recover the original plaintext
Decryption keys are sometimes discovered by brute force methods employing computers to search large potential key combinations

Two Types of Encryption using keys
Symmetric keys, also known as Secret Key Encryption
Asymmetric keys, also known as Public Key Encryption
Public Key Encryption aka PKI is now the dominant form of Encryption in use in all digital transactions

Disadvantages of Secret (Private) Key Ciphers
Both parties have to keep the secret
– The more parties that have to share a secret, the less chance that the secret will remain secret
Sending the secret key to the receiving party risks its secrecy
If the key is compromised then it has to be transmitted to all parties before they can resume communications

Asymmetric or Public Key Ciphers
This involves the use of TWO different keys.
One key is PUBLIC and published by a Trusted Third Party, known as a Certificate Authority (CA). This key is contained in a Digital Certificate
One key is PRIVATE and held secret by its owner
The Private key owner is registered with the CA and has proven their identity to a specific level of certainty
The Private key owner can now SEND a message encrypted using the private key to anyone they like
The Receiver of this message cannot read it without decrypting it
The Receiver goes to the CA (on the web) and requests the Sender’s Public Key
The Receiver uses the public key to decrypt the Sender’s message

Who are the Certificate Authorities?
CAs are Bonded, Trusted, Third Party Companies that have been authorized to set up Public Key Infrastructures (PKI) on the Web for the purpose of issuing and managing Public and Private keys for their subscribers
They operate very secure servers on the web that allow two parties to use the Public Key methods to send secure information over the internet
Subscribers have to pay to belong and must authenticate themselves to the CA periodically to prove who they are.
There are different levels of authentication depending upon the nature of your transactions
You can see a list of Certificate Authorities in your Browser!

Asymmetric or Public Key Ciphers
The first practical public key algorithm was published by Rivest, Shamir, and Adleman in 1976 and is known as RSA (for their last names)
RSA is still a widely used algorithm, which is a testament to its strength and viability
Public key ciphers employ an algorithm with two keys -- a public key and a private key
A sender looks up the recipient's public key and uses it to encode a message
The recipient then decodes the message with his or her private key (this private key is necessary to decode the message)
This also works in reverse.

Asymmetric or Public Key Ciphers Illustrated

Secure Socket Layer
The use of Public Key Infrastructures to secure information exchanges over the web is called the Secure Socket Layer (SSL)
SSL is the predominant method used to apply RSA and other algorithms for securing e-mail and sensitive electronic transactions
Recently, security vulnerabilities were discovered in SSL which potentially could allow unauthorized parties to compromise the method.
https-and-ssl-security-on-the-web/

SSL uses several exchanges to set up the secure link

Non-Repudiation using RSA
If a party is registered with a CA and sends a document or a transaction encrypted with their secret key to another party, they effectively create what is known as a DIGITAL SIGNATURE
Digital Signatures are legally binding in the same way your handwritten signature is binding (U.S. Congress and EEC laws)
– It is very difficult to REPUDIATE that transaction since only the sending party knew the secret key in order to create the encrypted message
– The message is read and processed by the receiving party using the Sender’s Public key, which is the ONLY key that will work. If the Receiver can successfully decode the message then it has proof that the message was generated by the specific sender
– Very important principle when applied to legally binding documents and transactions such as: Contracts, Offers, Affidavits, Confidential Information

Website demo illustrating Digital Certificates and Public Key Encryption

CyberWar!

Stuxnet --- Who done it ?????
Stuxnet is a virus that is widely believed to have been developed by the U.S. and Israeli intelligence communities.
Its purpose was to infiltrate programmable control systems used in the process control industries. In particular, this worm was targeted at the controllers that operate the centrifuges used in Iran to process uranium, a key component in the quest for nuclear weapons, or reactors.
Stuxnet Video:

Cyberwar - Recent News - WSJ - October 13
Iran Blamed for Cyberattacks
U.S. Officials Say Iranian Hackers Behind Electronic Assaults on U.S. Banks, Foreign Energy Firms

Questions?

Symmetric or Secret Key Ciphers
Secret key ciphers use a single secret key (or set of keys) for both encryption and decryption
The secret key must be transferred securely in order for secret key methods to be secure
Data Encryption Standard (DES) is a US government sponsored secret key cipher. DES uses a 56-bit key.
International Data Encryption Algorithm (IDEA) has replaced DES. It uses a 128-bit key.
Longer keys make it more difficult for brute force discovery of the secret key

Authentication using RSA
The process used to verify the identity of a respondent is called authentication
Authentication is very important for electronic commerce and other network transactions
Authentication exploits the symmetry of public and private keys
To authenticate that a person is who they say they are:
– send that person a nonsense message and ask them to encode it with their private key and return it to you
– when the message is returned, if the person is who they claim to be, you should be able to recover your nonsense message using their public key which is published by the CA
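The challenge-response check on this slide and the digital signature on the Non-Repudiation slide rest on the same private-key/public-key operation. This added example (not part of the original slides) carries both through with textbook RSA; the two key pairs are constructed from well-known Mersenne primes so the code runs offline, and the names Alice and Mallory are hypothetical. Real systems use randomly generated keys and padded schemes such as RSA-PSS.

```python
import hashlib
import secrets


def make_key(p, q, e=65537):
    """Build (public, private) textbook RSA keys from two primes."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))    # modular inverse, Python 3.8+
    return (n, e), (n, d)


# Constructed toy keys: Mersenne primes are public knowledge, so these
# moduli are trivially factorable. For illustration only.
ALICE_PUB, ALICE_PRIV = make_key(2**127 - 1, 2**521 - 1)
MALLORY_PUB, MALLORY_PRIV = make_key(2**89 - 1, 2**607 - 1)


def private_op(value, priv):
    n, d = priv
    return pow(value, d, n)


def public_op(value, pub):
    n, e = pub
    return pow(value, e, n)


# --- Authentication: the "nonsense message" exchange from the slide ---
def new_challenge(pub):
    """Verifier picks a fresh random number below the claimed owner's modulus."""
    return secrets.randbelow(pub[0] - 2) + 2


def respond(challenge, priv):
    """Claimant encodes the challenge with their private key."""
    return private_op(challenge, priv)


def check_response(challenge, response, pub):
    """Verifier recovers the challenge with the published public key."""
    return public_op(response, pub) == challenge


# --- Non-repudiation: sign the SHA-256 digest of a document ---
def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message, priv):
    return private_op(digest_int(message), priv)


def verify(message, signature, pub):
    return public_op(signature, pub) == digest_int(message)


if __name__ == "__main__":
    c = new_challenge(ALICE_PUB)
    print("Alice passes:  ", check_response(c, respond(c, ALICE_PRIV), ALICE_PUB))
    print("Mallory passes:", check_response(c, respond(c, MALLORY_PRIV), ALICE_PUB))

    contract = b"I agree to the offer dated today."   # constructed document
    sig = sign(contract, ALICE_PRIV)
    print("signature valid:   ", verify(contract, sig, ALICE_PUB))
    print("altered text valid:", verify(contract + b" Not.", sig, ALICE_PUB))
```

Applying a private key directly to a value chosen by someone else, as the slide's exchange does, is unsafe in deployed protocols, which is why real challenge-response schemes sign a hash that includes context and use padding.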

Using Encryption to Authenticate in E-Commerce