System Threats and Risks Niken D Cahyani Gandeva Bayu Satrya Telkom Institute of Technology.



Learning Objectives After completing this chapter you should be able to do the following:
- Describe the different types of software-based attacks
- List types of hardware attacks
- Define virtualization and explain how attackers are targeting virtual systems

1. Software-Based Attacks Malicious software, or malware, is software that enters a computer system without the owner’s knowledge or consent. Malware is a general term that refers to a wide variety of damaging or annoying software. One way to classify malware is by primary objective. The three primary objectives of malware are:
- to infect a computer system,
- to conceal the malware’s malicious actions,
- or to bring profit from the actions that it performs.

1.1. Infecting Malware The two types of malware that have the primary objective of infecting a computer system are viruses and worms. These are also some of the earliest types of malware to impact personal computer systems.

a. Viruses A computer virus is a program that secretly attaches itself to a legitimate “carrier,” such as a document or program, and then executes when that document is opened or program is launched. Like its biological counterpart, a virus requires a carrier to transport it from one system to another; if a virus cannot attach itself to a carrier it cannot spread. Once a virus infects a computer it performs two separate tasks. First, it looks for a means to replicate itself by spreading to other computers. Second, it activates its malicious payload. A virus might do something as simple as display an annoying message

b. Worms The second major type of malware is a worm. A worm is a program designed to take advantage of a vulnerability in an application or an operating system in order to enter a system. Once the worm has exploited the vulnerability on one system, it immediately searches for another computer that has the same vulnerability.

Viruses VS Worms Although often confused with viruses, worms are significantly different. First, a virus must attach itself to a program or document and is spread by traveling with the carrier. A worm, however, can travel by itself. A second difference is that a virus needs the user to perform an action such as starting a program or opening an attachment to start the infection, while a worm does not require any user action to begin its execution. Some early worms were benign and designed simply to spread quickly and not corrupt the systems they infected.

1.2. Concealing Malware Several types of malware have the primary objective of hiding their presence from the user, as opposed to infecting and damaging the system like a virus or worm. Concealing malware includes Trojan horses, rootkits, logic bombs, and privilege escalation.

a. Trojan Horses According to ancient legend, the Greeks won the Trojan War by hiding soldiers in a large hollow wooden horse that was presented as a gift to the city of Troy. Once the horse was wheeled into the fortified city, the soldiers crept out of the horse during the night and attacked the unsuspecting defenders. A computer Trojan horse (or just Trojan) is a program that is advertised as performing one activity but actually does something else (or it may perform both the advertised and malicious activities).

b. Rootkits In late 2005, Sony BMG Music Entertainment shocked the computer world by secretly installing hidden software on any computer that played particular Sony music CDs. The software that Sony installed was intended to prevent the music CDs from being copied. These CDs created a hidden directory and installed their own device driver software on the computer. Other Sony software then rerouted normal functions away from Microsoft Windows to Sony’s own routines. Finally, the Sony software disguised its presence. A rootkit is a set of software tools used by an intruder to break into a computer, obtain special privileges to perform unauthorized functions, and then hide all traces of its existence.

c. Logic Bombs A logic bomb is a computer program or a part of a program that lies dormant until it is triggered by a specific logical event, such as a certain date reached on the system calendar or a person’s rank in an organization dropped below a previous level. Once triggered, the program can perform any number of malicious activities. For example, a logic bomb could be planted in a company’s payroll system by an employee. The program could be designed so that if the employee’s name were removed from the payroll (meaning he quit or was fired)

Famous Logic Bomb

d. Privilege Escalation Operating systems and many applications have the ability to restrict a user’s privileges in accessing its specific functions. Privilege escalation is exploiting a vulnerability in software to gain access to resources that the user would normally be restricted from obtaining. There are two types of privilege escalation.
- The first is when a user with a lower privilege uses privilege escalation to access functions reserved for higher privilege users.
- The second type of privilege escalation is when a user with restricted privileges accesses the different restricted functions of a similar user.

1.3. Malware for Profit A third category of malware is that which is intended to bring profit to the attackers. This includes spam, spyware, and botnets.

a. Spam The amount of spam, or unsolicited e-mail, that goes through the Internet continues to escalate. According to Postini, a communications and security compliance firm, one out of every 12 e-mails is spam. Spam significantly reduces work productivity: more than 11 percent of workers receive 50 spam messages each day and spend more than half an hour deleting them. Nucleus Research reports that spam e-mail, on average, costs U.S. organizations $874 per person annually in lost productivity.

a. Spam [con’t] So many spam messages advertising drugs, cheap mortgage rates, or items for sale are sent because sending spam is a lucrative business. It costs spammers next to nothing to send millions of spam messages. Even if they receive only a very small percentage of responses, the spammers make a tremendous profit. Consider the following costs involved for spamming:
- E-mail addresses
- Equipment and Internet connection

b. Spyware Spyware is a general term used to describe software that violates a user’s personal security. The Anti-Spyware Coalition defines spyware as tracking software that is deployed without adequate notice, consent, or control for the user. This software is implemented in ways that impair a user’s control over:
- The use of system resources, including what programs are installed on their computers
- The collection, use, and distribution of personal or otherwise sensitive information
- Material changes that affect the user experience, privacy, or system security

Effect Spyware

c. Adware Adware is a software program that delivers advertising content in a manner that is unexpected and unwanted by the user. Adware typically displays advertising banners, pop-up ads, or opens new Web browser windows while the user is accessing the Internet. Almost all users resist adware because:
- Adware may display objectionable content, such as gambling sites or pornography.
- Frequent pop-up ads can interfere with a user’s productivity.
- Pop-up ads can slow a computer or even cause crashes and the loss of data.
- Unwanted advertisements can be a nuisance.

d. Keyloggers A keylogger is either a small hardware device or a program that monitors each keystroke a user types on the computer’s keyboard. As the user types, the keystrokes are collected and saved as text. This information can be retrieved later by the attacker or secretly transmitted to a remote location. The attacker then searches for any useful information in the captured text such as passwords, credit card numbers, or personal information. As a hardware device, a keylogger is a small device inserted between the keyboard connector and computer keyboard port.

e. Botnets One of the popular payloads of malware today that is carried by Trojan horses, worms, and viruses is a program that will allow the infected computer to be placed under the remote control of an attacker. This infected “robot” computer is known as a zombie. When hundreds, thousands, or even tens of thousands of zombie computers are under the control of an attacker, this creates a botnet.

e. Botnets Attackers use Internet Relay Chat (IRC) to remotely control the zombies. IRC is an open communication protocol that is used for real-time “chatting” with other IRC users over the Internet. It is mainly designed for group or one-to-many communication in discussion forums called channels. Users access IRC networks by connecting a local IRC client to a remote IRC server, and multiple IRC servers can connect to other IRC servers to create large IRC networks.
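
A defender's view of the IRC control channel described above, as an added example that is not part of the original slides: it parses client-sent lines using the IRC message format and reports internal hosts that complete an IRC registration (NICK and USER) with a server outside an allowlist. The event tuples, addresses, nicknames, channel names and the `allowed_servers` allowlist are constructed or hypothetical.

```python
import re
from collections import defaultdict

# IRC message shape (RFC 1459): [":" prefix SPACE] command [params] [" :" trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<cmd>[A-Za-z]+|\d{3})(?: (?P<rest>.*))?$"
)
STANDARD_PORTS = set(range(6660, 6670))  # ports conventionally used for plaintext IRC

# Constructed sample: (internal host, remote "ip:port", one client-sent line).
# Every address, nickname and channel here is made up for the example.
SAMPLE_EVENTS = [
    ("10.0.0.5", "203.0.113.7:6667", "NICK xk29a"),
    ("10.0.0.5", "203.0.113.7:6667", "USER xk29a 0 * :xk29a"),
    ("10.0.0.5", "203.0.113.7:6667", "JOIN #example-chan"),
    ("10.0.0.9", "198.51.100.4:8080", "NICK pc-4471"),
    ("10.0.0.9", "198.51.100.4:8080", "USER pc-4471 0 * :pc"),
    ("10.0.0.9", "198.51.100.4:8080", "JOIN #chan-a,#chan-b"),
    ("10.0.0.7", "192.0.2.50:6667", "NICK alice"),  # sanctioned server
    ("10.0.0.7", "192.0.2.50:6667", "USER alice 0 * :Alice"),
    ("10.0.0.12", "192.0.2.10:80", "GET /index.html HTTP/1.1"),  # not IRC
    ("10.0.0.20", "192.0.2.30:6667", "NICK tester"),  # never registers
]


def parse_irc(line):
    """Return (prefix, COMMAND, params), or None if the line is not IRC-shaped."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    # A leading space lets one partition handle "a b :trailing" and ":trailing".
    head, sep, trailing = (" " + (m.group("rest") or "")).partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return m.group("prefix"), m.group("cmd").upper(), params


def find_irc_clients(events, allowed_servers=frozenset()):
    """Report hosts that sent both NICK and USER to a server not on the allowlist."""
    sessions = defaultdict(lambda: {"cmds": set(), "channels": set()})
    for src, dst, payload in events:
        parsed = parse_irc(payload)
        if parsed is None:
            continue
        _, cmd, params = parsed
        sessions[(src, dst)]["cmds"].add(cmd)
        if cmd == "JOIN" and params:
            sessions[(src, dst)]["channels"].update(params[0].split(","))
    findings = []
    for (src, dst), seen in sorted(sessions.items()):
        # NICK alone is not enough: registration needs both commands.
        if not {"NICK", "USER"} <= seen["cmds"] or dst in allowed_servers:
            continue
        port = int(dst.rsplit(":", 1)[1])
        findings.append({
            "host": src,
            "server": dst,
            "channels": sorted(seen["channels"]),
            "nonstandard_port": port not in STANDARD_PORTS,
        })
    return findings


if __name__ == "__main__":
    for f in find_irc_clients(SAMPLE_EVENTS, allowed_servers={"192.0.2.50:6667"}):
        print(f)
```

Payload inspection like this only sees unencrypted IRC; TLS-wrapped sessions need flow or endpoint telemetry instead.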

Uses of Botnets


2. Hardware-Based Attacks Just as attacks can be directed at software operating systems and applications through malware, attacks can also be directed to hardware. Hardware that often is the target of attacks includes the BIOS, USB devices, network attached storage, and even cell phones.

2.1. BIOS All personal computers have a chip that contains the Basic Input/Output System (BIOS) which is a coded program embedded on the processor chip that recognizes and controls different devices on the computer system. The BIOS program is executed when the computer system is first turned on and provides low-level access to the hard disk, video, and keyboard. On older computer systems the BIOS was a Read Only Memory (ROM) chip and could not be reprogrammed. Today’s computer systems have a PROM (Programmable Read Only Memory) chip in which the contents can be rewritten to provide new functionality.

2.2. USB Devices “USB devices” is a generic term for a wide variety of external devices that can be attached through the USB (universal serial bus) connector and are small, lightweight, removable, and contain rewritable storage. Two of the most common types of USB removable storage devices, or devices that can store data from a computer and then be disconnected, are USB flash memory and MP3 players. USB devices use flash memory. Flash memory is a type of EEPROM (Electrically Erasable Programmable Read-Only Memory), nonvolatile computer memory that can be electrically erased and rewritten repeatedly.

2.3. Network Attached Storage (NAS) Print and file servers, introduced over 30 years ago, have been the primary means of storing and retrieving data through a local area network. However, as storage needs have dramatically increased, print and file servers have been supplemented with new storage technologies. A Storage Area Network (SAN) is a specialized high-speed network for attaching servers to storage devices. A SAN is sometimes referred to as a “network behind the servers”.

Example NAS

2.4. Cell Phones Cellular telephones (cell phones) are portable communication devices that function in a manner that is unlike wired telephones. There are two keys to cellular telephone networks. The first is that the coverage area is divided into smaller individual sections called cells. In a typical city, the cells, which are hexagon-shaped, measure 10 square miles (26 square kilometers). At the center of each cell is a cell transmitter to which the mobile devices in that cell send and receive radio frequency (RF) signals.

2.4. Cell Phones [con’t] Attackers try to take advantage of these services in order to launch the following attacks:
- Lure users to malicious Web sites
- Infect a cell phone
- Launch attacks on other cell phones
- Access account information
- Abuse the cell phone service


3. Attacks on Virtualized Systems Just as attacks can be software-based or hardware-based, attacks can also target software that is emulating hardware. This type of software, known as virtualization, is becoming one of the prime targets of attackers.

3.1. What Is Virtualization? Virtualization is a means of managing and presenting computer resources by function without regard to their physical layout or location. For example, computer storage devices can be virtualized in that multiple physical storage devices are viewed as a single logical unit. One type of virtualization, in which an entire operating system environment is simulated, is known as operating system virtualization. With operating system virtualization, a virtual machine is simulated as a self-contained software environment by the host system (the native operating system to the hardware) but appears as a guest system (a foreign virtual operating system).

OS Virtualization

3.2. Attacks on Virtual Systems There are several advantages to virtualization. Many data centers are turning to virtualization to consolidate multiple physical servers running different operating systems into one single server, effectively reducing the floor space needed for multiple servers as well as reducing electrical and air-conditioning costs. Virtualization can also be beneficial in providing uninterrupted server access to users. Data centers need to have the ability to schedule planned “downtime” for servers to perform maintenance on the hardware or software. However, with the mobility and almost unlimited access needed for users, it is often difficult to find a time when users will not be inconvenienced by the downtime.

Hypervisor security plug-in