Week 6 - Friday

- What did we talk about last time? Viruses and other malicious code
- You guys probably don't use online dating tools much (yet)
- Tinder is an app for iOS and Android that uses your Facebook network and geographic location to suggest matches
- If both matched people "like" the other, the app allows them to communicate
- Include Security discovered that it was possible to use the Tinder API to track the location of any user
- The vulnerability was known for months and was finally fixed around the beginning of 2014
- Follow the story: security.org/secworld.php?id=16391

- A leaked NSA document viewed by Der Spiegel contained a 50-page catalog of hardware and software exploits made by the ANT division of the NSA for their Tailored Access Operations (TAO)
- It reads like a product brochure and even has prices!
- reveals-nsa-has-back-doors-for-numerous-devices-a html
- Many of the details date from 2008
- There is presumably a newer catalog now
- Bruce Schneier has been discussing some of the more interesting items in the catalog

- CANDYGRAM is one of the exploits Schneier recently discussed
- It's hardware and software that pretends to be a GSM cell tower
- When a phone on a target list gets close enough to it, the phone connects to the "tower" and NSA agents receive SMS messages
- Of course, the NSA can get data from cell phone providers
- But this might be faster when working in the field
- Cost: $40,000
- More information: 14/02/candygram_nsa_e.html

- In 1988 Robert Morris, a Cornell graduate student, wrote a worm that infected a large part of the Internet that existed at that time
- Serious connectivity problems resulted, both from the worm itself and from people disconnecting uninfected systems
- He claimed the point was to measure the size of the Internet
- The worm's goals:
  1. Determine where it could spread to
  2. Spread its infection
  3. Remain undiscovered

- It tried to find user accounts on the host machine
- It tried 432 common passwords and compared their hashes to the list of password hashes
  - Ideally, this list should not have been visible
- It tried to exploit a bug in the fingerd program (using a buffer overflow) and a trapdoor in the sendmail mail program
  - Both were known vulnerabilities that should have been patched

- Once a target was found, the worm would send a short loader program to the target machine
- The program (99 lines of C) would compile and then fetch the rest of the worm
- It would use a one-time password to talk to the host
- If the host got the wrong password, it would break the connection
- This mechanism was meant to prevent outsiders from gaining access to the worm's code

- Any error in transmission would cause the loader to delete the code received so far and exit
- As soon as the code was successfully transmitted, the worm would run, encrypt itself, and delete all disk copies
- It periodically changed its name and process identifier so that it would be harder to spot

- The worm would ask machines if they were already infected
- Because of a flaw in the code, it would reinfect an already-infected machine 1 out of 7 times
- Huge numbers of copies of the worm started filling infected machines
- System and network performance dropped
- Estimates of the damage range from $100,000 to $97 million
- Morris was fined $10,000 and sentenced to 400 hours of community service
- CERT was formed to deal with similar problems
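To see why the 1-in-7 reinfection flaw mattered, here is an added simulation (written for these notes, not the worm's code and not from the lecture) of how many copies pile up per host when the "already infected?" check is honoured versus when it is ignored one time in seven; the host count, round count and random seed are constructed parameters.

```python
import random


def simulate_spread(hosts: int, rounds: int, reinfect_prob: float, seed: int = 1) -> list:
    """Return the number of worm copies on each host after `rounds` rounds.

    Every copy picks one random host per round. A clean host is always
    infected. An already-infected host should be skipped, but with
    probability `reinfect_prob` the check is ignored and another copy is
    started anyway (the Morris worm's flaw: roughly 1/7). This is a
    constructed model, not the real worm's timing or network behaviour.
    """
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    copies = [0] * hosts
    copies[0] = 1              # patient zero
    for _ in range(rounds):
        for host in range(hosts):
            for _ in range(copies[host]):
                target = rng.randrange(hosts)
                if copies[target] == 0 or rng.random() < reinfect_prob:
                    copies[target] += 1
    return copies


def summarize(copies: list) -> dict:
    """Infected host count, total running copies, and the worst-loaded host."""
    return {
        "infected_hosts": sum(1 for c in copies if c),
        "total_copies": sum(copies),
        "max_per_host": max(copies),
    }


if __name__ == "__main__":
    # With a correct check each host ends up with at most one copy; with the
    # flaw the total keeps growing by about 1/7 per round even after every
    # host is infected, which is the resource exhaustion the lecture describes.
    print("correct check:", summarize(simulate_spread(20, 40, 0.0)))
    print("1/7 reinfect: ", summarize(simulate_spread(20, 40, 1 / 7)))
```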

- Code Red appeared in 2001
- It infected a quarter of a million systems in 9 hours
- It is estimated that it infected 1/8 of the systems that were vulnerable
- It exploited a buffer overflow vulnerability in a DLL in the Microsoft Internet Information Server software
- It only worked on systems running an MS web server, but many machines did by default

- The original version of Code Red defaced the website that was being served
- It then tried to spread to other machines on days 1-19 of a month
- After that, it did a distributed denial of service attack on whitehouse.gov on days
- Later versions attacked random IP addresses
- It also installed a trapdoor so that infected systems could be controlled from the outside

- A trapdoor is a way to access functionality that is not documented
- They are often inserted during development for testing purposes
- Sometimes a trapdoor arises from error cases that are not correctly checked or handled

- Intentionally created trapdoors can exist in production code when developers:
  - Forget to remove them
  - Intentionally leave them in for testing
  - Intentionally leave them in for maintenance
  - Intentionally leave them in as a covert means of access to the production system
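The unintentional kind of trapdoor, an error case that is not correctly handled, is easy to create with a C-style "0 means success" status code. The following is an added, constructed example for these notes (not from the book or the lecture): `authenticate_fail_open` treats an unknown username as a successful login because the error branch never sets the status, and `authenticate_fail_closed` is the same check written so every path must positively prove success. The user store and passwords are made up.

```python
import hashlib
import hmac

# Constructed user store: username -> SHA-256 hex digest of the password.
# A real system would use a salted, slow password hash; the point here is
# the control flow around the error case, not the hashing scheme.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def authenticate_fail_open(username: str, password: str) -> int:
    """Vulnerable: C-style status where 0 means 'accepted'.

    `status` starts at 0 and only the mismatch branch changes it. The
    KeyError branch is 'handled' but never touches status, so an unknown
    username is reported as a successful login: an accidental trapdoor.
    """
    status = 0
    try:
        stored = USERS[username]
        if not hmac.compare_digest(_digest(password), stored):
            status = 1
    except KeyError:
        pass  # error case not correctly handled: status still says success
    return status


def authenticate_fail_closed(username: str, password: str) -> bool:
    """Hardened: default to denial; only a verified match returns True.

    An unknown user, a missing record, or any other failure falls through
    to False instead of inheriting a 'success' default.
    """
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(_digest(password), stored)
```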

- I had never heard this term before I read this book
- This is the Office Space attack
- Steal tiny amounts of money when a cent is rounded in financial transactions
- Or, steal a few cents from millions of people
- Steal more if the account hasn't been used much
- The rewards can be huge, and these kinds of attacks are hard to catch
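The usual control against the rounding version of this attack is an independent recomputation of every posting. Here is an added example for these notes (not from the book or the lecture) that models one interest run honestly and one with the fractions of a cent diverted to an extra account, then audits both by recomputing each credit from policy; the balances, rate and account names are constructed.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")


def expected_interest(balance: Decimal, rate: Decimal) -> Decimal:
    """What policy says a customer should be credited (round half to even)."""
    return (balance * rate).quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_interest(balances: dict, rate: Decimal) -> dict:
    """Honest posting run: every account gets its expected interest."""
    return {acct: expected_interest(bal, rate) for acct, bal in balances.items()}


def post_interest_skimmed(balances: dict, rate: Decimal, skim_account: str) -> dict:
    """Constructed model of the rounding skim: each customer is credited the
    truncated amount and the dropped fractions of a cent pile up elsewhere."""
    postings, residual = {}, Decimal(0)
    for acct, bal in balances.items():
        exact = bal * rate
        credited = exact.quantize(CENT, rounding=ROUND_DOWN)
        postings[acct] = credited
        residual += exact - credited
    postings[skim_account] = residual.quantize(CENT, rounding=ROUND_DOWN)
    return postings


def audit_postings(balances: dict, rate: Decimal, postings: dict) -> dict:
    """Control: recompute every credit independently. Report any account whose
    credit differs from policy and any credited account with no source balance.
    Returns an empty dict when the run is clean."""
    findings = {}
    for acct, credited in postings.items():
        if acct not in balances:
            findings[acct] = ("no source balance", credited)
            continue
        exp = expected_interest(balances[acct], rate)
        if credited != exp:
            findings[acct] = ("expected", exp, "credited", credited)
    return findings


# Constructed sample balances and a constructed monthly rate
BALANCES = {"A": Decimal("1234.99"), "B": Decimal("987.65"),
            "C": Decimal("4321.09"), "D": Decimal("777.77")}
RATE = Decimal("0.0125")
```

With these numbers the skim account collects only a single cent from four customers, which is exactly why the audit has to compare each posting rather than look for a large total.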

- A rootkit is malicious code that gives an attacker access to a system as root (a privileged user) and hides from detection
- Sony put a program on music CDs called XCP (extended copy protection), which allowed users to listen to the CD on Windows but not rip its contents
  - It installed itself without the user's knowledge
  - It had to have control over Windows and be hard to remove
  - It would hide the presence of any program whose name started with $sys$, which malicious users could take advantage of

- Most programs are supposed to execute with some kind of baseline privileges
  - Not the high-level privileges needed to change system data
- Windows Vista, 7, and 8 ask you if you want to have privileges escalated
  - Sometimes you can be tricked
- Symantec needed high-level privileges to run Live Update
  - Unfortunately, it ran some local programs with high privileges
  - If a malicious user had replaced those local programs with his own, ouch

- It's possible to install software that logs all the keystrokes a user enters
- If designed correctly, these values come from the keyboard drivers, so all data (including passwords) is visible
- There are also hardware keystroke loggers
  - Most are around $40
- Is your keyboard free from a logger?

- Controls against program threats
- OS security
- Omar Mustardo presents

- Read Sections 4.1 through 4.4
- Finish Project 1
  - Due tonight!