1. 1 Introduction to Email Malcode, DoS Attack, Traceback, RFID Security Cliff C. Zou 03/02/06

2. 2 Email Virus Infection Mechanisms Virus code in email attachment  Require user to click/execute attachment  No vulnerability needed on target computer Exploit email software vulnerability (e.g., outlook)  Infect by simply checking email Contain URL directing to malicious web servers  Trick user to download/execute (e.g., patch)  Could be a mini web server set up on sender

3. 3 Why Users Keep Clicking Virus Attachment? Email protocol (SMTP) has no built-in security  No encryption  Easy to fake the “From: …” field  Appear to come from your friends, admin,… Social engineering tricks  Warning: your computer is infected!  Fun video clip, photos, doc to share from friends

4. 4 Email Virus Spreading Steps Obtain email addresses  Address book, web cache, …  Search “mailto:...” in google, yahoo, etc (MyDoom) Send out virus email  Usually, use its own SMTP engine  The host normally connects to an outgoing email server for sending  Many email viruses avoid certain email domain

5. 5 Other Email-based Malware Spam  Profit-driven  Usually sent from compromised hosts Spyware (trojan) Adware Phishing  Trick user to connect to a fake website  Record user input of account information

6. 6 Distributed Denial of Service (DDoS) Attack Send large amount of traffic to a server so that the server has no resource to serve normal users Attacking format:  Consume target memory/CPU resource  SYN flood (backscatter paper presented before)  Database query…  Congest target Internet connection  Many sources attack traffic overwhelm target link  Very hard to defend

7. 7 Why hard to defined DDoS attack? Internet IP protocol has no built-in security  No authentication of source IP  SYN flood with faked source IP  However, IP is true after connection is setup Servers are supposed to accept unsolicited service requests Lack of collaboration ways among Internet community  How can you ask an ISP in another country to block certain traffic for you?

8. 8 DoS spoofed attack defense: IP traceback Suppose a victim can call ISPs upstream to block certain traffic SYN flood: which traffic to block? IP traceback:  Find out the real attacking host for SYN flood  Based on large amount of attacking packets  Need a little help from routers (packet marking)

9. 9 Worm defense: Worm traceback Find who is the first to be infected  Useful for enterprise network  Find the security breach point afterwards  Based on worm attacking flow

10. 10 RFID Background RFID: radio-frequency identification  Tiny computer chip with an antenna to transmit information to an RFID reader RFID tag in consumer market  Store a unique ID number  “Wireless” bar code Huge market profit in the future  Cheap tags for most consumer products  Different tags for vast applications

11. 11 RFID Background Power issue  Active: battery-powered, long range  E-pass  Passive: no battery, powered by radio signal from RFID reader  Consumer tags (no crypto/authentication, cheap)  ExxonMobil SpeedPass (crypto-enable, expensive) Memory issue  Read-only (cheapest)  Read/Write

12. 12 Current approaches for Privacy Preservation Crypto/authentication:  No resource available on cheap RFID tags  Applicable on high-end RFID (e.g., SpeedPass)  Attackers can use laptop/PDA to decrypt Kill tag (when in consumer’s hands):  Kill all ID, or kill long-range ID  Pro: simple, reliable (understandable to people)  Con: non-reversible, no more service from RFID

13. 13 Current approaches for Privacy Preservation Radio signal shield  Pro: simple/understandable  Con: suitable for a small range of tags  Tags in wallet: credit card, currency Jam radio signal: (e.g., RFID blocker)  Like denial-of-service to ID query from reader  Con: a separate device, hard to configure deny service (intrusive)