Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me!

Published byReynold Hoover Modified over 9 years ago

Similar presentations

Presentation on theme: "Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me!"— Presentation transcript:

1 Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me! http://crypto.stanford.edu/cs155

2 Dan Boneh The computer security problem Two factors: Lots of buggy software (and gullible users) Money can be made from finding and exploiting vulns. 1.Marketplace for vulnerabilities 2.Marketplace for owned machines (PPI) 3.Many methods to profit from owned client machines current state of computer security

3 Dan Boneh MITRE tracks vulnerability disclosures Source: IBM X-Force, Mar 2011 Data: http://cve.mitre.org/ Cumulative DisclosuresPercentage from Web applications 2010

4 Dan Boneh Vulnerable applications being exploited Source: Kaspersky Security Bulletin 2014

5 Dan Boneh Mobile malware (Nov. 2013 – Oct. 2014) date The rise of mobile banking Trojans (Kaspersky Security Bulletin 2014)

6 Dan Boneh Introduction Sample attacks

7 Dan Boneh The computer security problem Two factors: Lots of buggy software (and gullible users) Money can be made from finding and exploiting vulns. 1.Marketplace for vulnerabilities 2.Marketplace for owned machines (PPI) 3.Many methods to profit from owned client machines current state of computer security

8 Dan Boneh Why own machines: 1. IP address and bandwidth stealing Attacker’s goal: look like a random Internet user Use the IP address of infected machine or phone for: Spam (e.g. the storm botnet) Spamalytics: 1:12M pharma spams leads to purchase 1:260K greeting card spams leads to infection Denial of Service: Services: 1 hour (20$), 24 hours (100$) Click fraud (e.g. Clickbot.a)

9 Dan Boneh Why own machines: 2. Steal user credentials and inject ads keylog for banking passwords, web passwords, gaming pwds. Example: SilentBanker (and many like it) Bank Malware injects Javascript Bank sends login page needed to log in When user submits information, also sent to attacker User requests login page Similar mechanism used by Zeus botnet

10 Dan Boneh Why own machines: 3. Spread to isolated systems Example: Stuxtnet Windows infection ⇒ Siemens PCS 7 SCADA control software on Windows ⇒ Siemens device controller on isolated network More on this later in course

11 Dan Boneh Server-side attacks Financial data theft: often credit card numbers – Example: Target attack (2013), ≈ 140M CC numbers stolen – Many similar (smaller) attacks since 2000 Political motivation: – Aurora, Tunisia Facebook (Feb. 2011), GitHub (Mar. 2015) Infect visiting users

12 Dan Boneh Example: Mpack PHP-based tools installed on compromised web sites – Embedded as an iframe on infected page – Infects browsers that visit site Features – management console provides stats on infection rates – Sold for several 100$ – Customer care can be purchased, one-year support contract Impact: 500,000 infected sites (compromised via SQL injection) – Several defenses: e.g. Google safe browsing

13 Dan Boneh Insider attacks: example Hidden trap door in Linux (nov 2003) – Allows attacker to take over a computer – Practically undetectable change (uncovered via CVS logs) Inserted line in wait4() Looks like a standard error check, but … if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) retval = -EINVAL; See: http://lwn.net/Articles/57135/

14 Dan Boneh Many more examples Access to SIPRnet and a CD-RW: 260,000 cables ⇒ Wikileaks SysAdmin for city of SF government. Changed passwords, locking out city from router access Inside logic bomb took down 2000 UBS servers ⋮ Can security technology help?

15 Dan Boneh Introduction The Marketplace for Vulnerabilities

16 Dan Boneh Marketplace for Vulnerabilities Option 1: bug bounty programs (many) Google Vulnerability Reward Program: up to 100K $ Microsoft Bounty Program: up to 100K $ Mozilla Bug Bounty program: 500$ - 3000$ Pwn2Own competition: 15K $ Option 2: ZDI, iDefense: 2K – 25K $

17 Dan Boneh Marketplace for Vulnerabilities Option 3: black market Source: Andy Greenberg (Forbes, 3/23/2012 )

18 Dan Boneh Marketplace for owned machines Pay-per-install (PPI) services PPI operation: 1.Own victim’s machine 2.Download and install client’s code 3.Charge client Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf) spam bot keylogger clients PPI service Victims

19 Dan Boneh Marketplace for owned machines Source: Cabalerro et al. (www.icir.org/vern/papers/ppi-usesec11.pdf) spam bot keylogger clients PPI service Victims Cost: US - 100-180$ / 1000 machines Asia - 7-8$ / 1000 machines

20 Dan Boneh This course Goals: Be aware of exploit techniques Learn to defend and avoid common exploits Learn to architect secure systems

21 Dan Boneh This course Part 1: basics (architecting for security) Securing apps, OS, and legacy code Isolation, authentication, and access control Part 2: Web security (defending against a web attacker) Building robust web sites, understand the browser security model Part 3: network security (defending against a network attacker) Monitoring and architecting secure networks. Part 4: securing mobile applications

22 Dan Boneh Don’t try this at home !

23 Dan Boneh Ken Thompson’s clever Trojan

Download ppt "Dan Boneh CS155 Computer Security Looking for undergrad research? Come see me!"

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.

Tips and tools to keep you and your information safe on-line. We will go over a lot of information today, so it is important to pay attention and follow.
ISRT IS 376 OCTOBER 28, 2014 INTERNET SECURITY THREAT REPORT  2014.

ISRT IS 376 OCTOBER 28, 2014 INTERNET SECURITY THREAT REPORT  2014.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
7 Effective Habits when using the Internet Philip O’Kane 1.

7 Effective Habits when using the Internet Philip O’Kane 1.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”

Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”
Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,

Copyright © 2006 by The McGraw-Hill Companies, Inc. All rights reserved. McGraw-Hill Technology Education Copyright © 2006 by The McGraw-Hill Companies,
#AVeSPresents AVeS Cyber Security Confidence in your Digital Information 2014/09/25 Charl Ueckermann Managing Director AVeS Cyber Security Lex Informatica.

#AVeSPresents AVeS Cyber Security Confidence in your Digital Information 2014/09/25 Charl Ueckermann Managing Director AVeS Cyber Security Lex Informatica.
Security for Internet Every Day Use Standard Security Practices and New Threats.

Security for Internet Every Day Use Standard Security Practices and New Threats.
Computer Security Dan Boneh and David Mazieres CS 155 Spring 2007

Computer Security Dan Boneh and David Mazieres CS 155 Spring 2007
Internet Security Awareness Presenter: Royce Wilkerson.

Internet Security Awareness Presenter: Royce Wilkerson.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services

Cyber Security - Threats James Clement Network Specialist ETS: Communications & Network Services
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.

Viruses, Hacking, and AntiVirus. What is a Virus? A type of Malware – Malware is short for malicious software A virus – a computer program – Can replicate.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Presentation By Deepak Katta

Presentation By Deepak Katta
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.

Similar presentations

Ads by Google