The Melissa Virus - A Disaster Waiting to Happen

Transcription

1 Information and Security Trust No One. - The X-Files Topics The Need for Security Lab 2 : Passwords Domain 1: General Security Concepts Security Horror Story... January Microsoft Launched a $200 million advertising campaign Monday touting reliability of its software. Within 3 days... What Happened Hackers conduct denial of service attacks, blocking people out of Microsoft.com, MSNBC.com and Hotmail.com. In addition, during the recovery phase, there was a 22 hour lock out... By an employee error Your Employees... Case Study Online Gambling Online Gambling Gambling is tightly controlled by various government agencies. It is illegal in many locations The Internet is changing all that Video: 60min Online Gambling What did you think? Software Demo Office Passwords Password Recovery Office allows for passwords on documents How good is it? Office Password Recovery performs brute force recovery tests every combination Let's test it...

2 Chapter 2 The Need for Security Our bad neighbor makes us early stirrers, Which is both healthful and good husbandry. -- William Shakespeare ( ) King Henry, in Henry V, act 4, sc. 1 Business Needs First Information security performs four important functions for an organization Protects ability to function Enables safe operation of applications implemented on its IT systems Protects data the organization collects and uses Safeguards technology assets in use Protecting the Functionality of an Organization Management (general and IT) responsible for implementation Information security is both management issue and people issue Organization should address information security in terms of business impact and cost Enabling the Safe Operation of Applications Protecting Data that Organizations Collect and Use Safeguarding Technology Assets in Organizations Organization need environments that safeguard applications using IT systems Management must continue to oversee infrastructure once in place not defer to IT department Organization, without data, loses its record of transactions and/or ability to deliver value to customers Protecting data in motion and data at rest both critical aspects of information security Organizations must have secure infrastructure services based on size and scope of enterprise Additional security services may be needed as organization expands More robust solutions may be needed to replace security programs the organization has outgrown Threats Threat: an object, person, or other entity that represents a constant danger to an asset Management must be informed of the different threats facing the organization By examining each threat category, management effectively protects information through policy, education, training, and technology controls Threats (continued) The 2004 CSI/FBI survey found: 79 percent of organizations reported cyber security breaches within the last 12 months 54 percent of those organizations reported financial losses totaling over $141 million Threats to Information Security

3 Acts of Human Error or Failure Includes acts performed without malicious intent Causes include: Inexperience Improper training Incorrect assumptions Employees are among the greatest threats to an organization s data Acts of Human Error or Failure (continued) Employee mistakes can easily lead to: Revelation of classified data Entry of erroneous data Accidental data deletion or modification Data storage in unprotected areas Failure to protect information Many of these threats can be prevented with controls Figure 2-1 Acts of Human Error or Failure Compromises to Intellectual Property Intellectual property (IP): ownership of ideas and control over the tangible or virtual representation of those ideas The most common IP breaches involve software piracy Two watchdog organizations investigate software abuse: Software & Information Industry Association (SIIA) Business Software Alliance (BSA) Enforcement of copyright law has been attempted with technical security mechanisms Deliberate Acts of Espionage or Trespass Access of protected information by unauthorized individuals Competitive intelligence (legal) vs. industrial espionage (illegal) Shoulder surfing occurs anywhere a person accesses confidential information Controls let trespassers know they are encroaching on organization s cyberspace Hackers uses skill, guile, or fraud to bypass controls protecting others information Deliberate Acts of Espionage or Trespass (continued) Expert hacker Develops software scripts and program exploits Usually a master of many skills Will often create attack software and share with others Deliberate Acts of Espionage or Trespass (continued) Unskilled hacker Many more unskilled hackers than expert hackers Use expertly written software to exploit a system Do not usually fully understand the systems they hack

4 Deliberate Acts of Espionage or Trespass (continued) Other terms for system rule breakers: Cracker: cracks or removes software protection designed to prevent unauthorized duplication Phreaker: hacks the public telephone network Deliberate Acts of Information Extortion Attacker steals information from computer system and demands compensation for its return or nondisclosure Commonly done in credit card number theft Deliberate Acts of Sabotage or Vandalism Attacks on the face of an organization its Web site Threats can range from petty vandalism to organized sabotage Web site defacing can erode consumer confidence, dropping sales and organization s net worth Threat of hacktivist or cyber-activist operations rising Cyber-terrorism: much more sinister form of hacking Figure Cyber Activists Wanted Deliberate Acts of Theft Illegal taking of another s physical, electronic, or intellectual property Physical theft is controlled relatively easily Electronic theft is more complex problem; evidence of crime not readily apparent Deliberate Software Attacks Malicious software (malware) designed to damage, destroy, or deny service to target systems Includes viruses, worms, Trojan horses, logic bombs, back doors, and denial-of-services attacks Forces of Nature Forces of nature are among the most dangerous threats Disrupt not only individual lives, but also storage, transmission, and use of information Organizations must implement controls to limit damage and prepare contingency plans for continued operations Deviations in Quality of Service Includes situations where products or services not delivered as expected Information system depends on many interdependent support systems Internet service, communications, and power irregularities dramatically affect availability of information and systems

5 Internet Service Issues Internet service provider (ISP) failures can considerably undermine availability of information Outsourced Web hosting provider assumes responsibility for all Internet services as well as hardware and Web site operating system software Communications and Other Service Provider Issues Other utility services affect organizations: telephone, water, wastewater, trash pickup, etc. Loss of these services can affect organization s ability to function Power Irregularities Commonplace Lead to fluctuations such as power excesses, power shortages, and power losses Organizations with inadequately conditioned power are susceptible Controls can be applied to manage power quality Technical Hardware Failures or Errors Occur when manufacturer distributes equipment containing flaws to users Can cause system to perform outside of expected parameters, resulting in unreliable or poor service Some errors are terminal; some are intermittent Technical Software Failures or Errors Purchased software that contains unrevealed faults Combinations of certain software and hardware can reveal new software bugs Entire Web sites dedicated to documenting bugs Technological Obsolescence Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems Proper managerial planning should prevent technology obsolescence; IT plays large role Attacks Act or action that exploits vulnerability (i.e., an identified weakness) in controlled system Accomplished by threat agent which damages or steals organization s information Table Attack Replication Vectors New Table Attacks (continued) Malicious code: includes execution of viruses, worms, Trojan horses, and active Web scripts with intent to destroy or steal information Hoaxes: transmission of a virus hoax with a real virus attached; more devious form of attack Back door: gaining access to system or network using known or previously unknown/newly discovered access mechanism

6 Attacks (continued) Password crack: attempting to reverse calculate a password Brute force: trying every possible combination of options of a password Dictionary: selects specific accounts to attack and uses commonly used passwords (i.e., the dictionary) to guide guesses Attacks (continued) Denial-of-service (DoS): attacker sends large number of connection or information requests to a target Target system cannot handle successfully along with other, legitimate service requests May result in system crash or inability to perform ordinary functions Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously Figure Denial-of-Service Attacks Attacks (continued) Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into network Spam: unsolicited commercial ; more a nuisance than an attack, though is emerging as a vector for some attacks Figure Man-in-the-Middle Attacks (continued) Mail bombing: also a DoS; attacker routes large quantities of to target Sniffers: program or device that monitors data traveling over network; can be used both for legitimate purposes and for stealing information from a network Social engineering: using social skills to convince people to reveal access credentials or other valuable information to attacker Attacks (continued) People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything. Kevin Mitnick Brick attack : best configured firewall in the world can t stand up to a well-placed brick

7 Attacks (continued) Buffer overflow: application error occurring when more data is sent to a buffer than can be handled Timing attack: relatively new; works by exploring contents of a Web browser s cache to create malicious cookie Hands On Security+ Lab 2: Passwords Setting Password Length Log in as administrator Administrative Tools Local Security Policy Account Policies Password Policy Minimum Password Length Set Length to 9 Log Off Administrator Logon on as User1 Change Password What happens? Setting Password Complexity Log in as administrator Administrative Tools Local Security Policy Account Policies Password Policy Passwords must meet complexity reqs Enable Log Off Administrator Logon on as User1 Change Password What happens? Preventing Display of Last Login Log in as administrator Administrative Tools Local Security Policy Security Options Do not display last name in login... Enable Log Off Administrator Ctrl-Alt-Del to login What happens? Account Lockout Policy Log in as administrator Administrative Tools Local Security Policy Account Policies Account Lockout Policy Account Lockout threshold Set to 3 Lockout Duration and Reset Log Off Administrator Use the wrong password for User2 What happens? Run As Command It is best if the administrator uses a normal account, and then use the Run As command to do administration work. Log in as User 2 Try to open Local Security Policy Shift/Right Click on Local Security Policy Select Run As Log in as Administrator Security+ Domain 1: General Security Concepts 1.4 Attacks Active Passive Password Malicious Code Cryptographic

8 DoS/DDos Denial of Service Attack Single / Distributed Prevent access to services Resource Consumption Malformed Packets DDoS Buffer Overflows Very Common Demo: buffer.cpp SYN Attacks Spoofing Faking Return Address Used to prevent trace back Also used in Denial of Service What can be spoofed IP, MAC, User, Date... Anything... URL Spoofs Misspellings aool.com Similar names Mdonalds.com Assumed Names Dole96.org Other Domains nasa.com URL Spoofing Capture another page Point user to Attacker Site DNS poisoning Pump Search Engine Man in the Middle Attacks Others Replay TCP/IP Hijacking Wardialing Wardriving Dumpster Diving

9 1.6 Social Engineering Just Ask Them Kevin Mitnick Pizza Schwan's targets Kraft Need Production Information Posed as reporter, student ,000 pizzas a day 1.7 Vulnerability Scanning Find open ports and services Can use used by System Administrators Secure Systems Attackers Find Weaknesses Sniffing Password Attacks Brute Force Dictionary Based Examples Office Password Recovery 1.5 Malicious Code Malware Virus Trojan Horse Logic Bombs Worms Back Door Viruses Parasitic Bootstrap sector Multi-partite Companion Link Data file (Macro) Some Statistics NCSA: 1 Billion a year $800 per infected computer $10 per computer Every Fortune 500 has reported 1 in 300 s contains virus More Statistics One Report 200+ new viruses a month Costs: $16,000 in lost data and productivity Norton 3 new Viruses a day Viruses Code fragment that attaches to a larger program Is not independent Replicates Destructive Payload Symantec virus spread program

10 Memory Resident File Infection Worms Independent program Duplicates itself Spreads to other systems Trojan Horses Says it does one thing, but really does something else Steal passwords, files, etc Stand alone FLAG.EXE Program to display the US flag and Play the National Anthem On RBBS systems, would look for the Master Password file Copy Password file to FLAG.BAS in the Downloading Area Bombs Code planted deep in system Logic Bomb, Time bomb Typical Dec 31 "Employee # not in Payroll File" Used in commercial programs for copy protection and lease Trap Doors Back door, bypass security Removed before shipment Leaves very big hole in system Typically lead to a supervisor state and bypass normal audit trails Spoofs Tricks users into giving away info Tricks them into thinking their system is under attack Protecting Boot from known floppy Install only licensed software Don't install if package was opened Don't install software from home Install only needed software Be careful with downloads Run against virus scanner before installing Backups

11 Remedies Melissa - MS Word Macro Virus Anti-virus programs Spyware monitors Firewalls Keep them up to date! In Depth The Melissa Macro Virus Melissa - Secondary Effect Friday, March 26, AM Posted to alt.sex message board, allegedly by skyrocket@aol.com. Named 'Melissa,' after comments by 'Kwyjibo' found inside the virus. Anti-virus firms believe Melissa originated in Western Europe. Friday, March 26, PM Infects U.S. companies, swamping systems. National Infrastructure Protection Center notified of Melissa. Anti-virus companies call it the most prolific virus -- ever. Saturday, March 27, AM Researchers discover that the virus includes traceable identification numbers (GUIDs). Phar Lap Software's Richard M. Smith reverse-engineers an IP address from Melissa's GUID. Saturday, March 27, PM FBI warns U.S. organizations to watch out for Melissa on Monday. More U.S. companies hit. Some companies revert to paper, rather than , warnings Monday, March 29, AM Many IT departments stop the virus. An Excel strain of Melissa, nicknamed Papa, surfaces. The FBI launches a manhunt for Melissa's creator.

12 Monday, March 29, PM Traced to SkyRocket on AOL and Source of Kaos, a Web site run by VicodinES, a 'retired' virus writer. Owner of the SkyRocket account says he is not Melissa's creator. Kaos' site hasn't been active Tuesday, March 30, AM Source of Kaos site is unplugged. Many IT workers report that they have contained the virus Tuesday, March 30, PM New variants of Melissa are reported in the wild. The FBI seizes Source of Kaos' Web server in Orlando, Fla. Also talks to Source of Kaos's Roger Sibert -- asking questions about the whereabouts of VicondinES Thursday, April 1, AM AOL is presented with a court order from a state judge in New Jersey requesting information concerning the Melissa virus. Thursday, April 1, PM New Jersey police arrest David L. Smith, 30, of Aberdeen on charges of originating the Melissa virus outbreak. New Jersey's attorney general says Smith was snared with the help of AOL technicians. Friday, April 2, AM David Smith, described as a 'computer guy,' is released on $100,000 bail. Faces 40 years, $480,000 fines Got: $5,000 and 20 months Video: Melissa Final Results How much is your time worth? If you're David Smith, creator of the Melissa virus, it's apparently worth a whopping $4 million a month. Smith was sentenced in a New Jersey courtroom on May 1, 2002, receiving only twenty months in Federal prison and a $5,000 fine for creating and distributing the virus which is estimated to have caused $80 million in damage. Windows vs. Linux October 2004 Steve Balmer talks about Windows and Linux Security. What do you think? Do you think anything has changed over the past 2 years? End of Presentation