CS 457 - Fall 2014

Major Security Threats Today

• Worms/viruses
• DDoS attacks
• Phishing, key-loggers, etc.
• SPAM
• Attacks against infrastructure (electricity, nuclear, financial, etc.)
• Privacy

Worms

• Worms vs. viruses vs. Trojan Horses
• How do worms propagate?
  – Apply an exploit to gain access to a machine (typically a buffer overflow)
  – Scan the network for other vulnerable machines
  – Infect and repeat

Worms are Yesterday’s News

• Code Red I, July 2001
  – Used Microsoft web server vulnerability
  – Randomly generates IP addresses, intrudes machines
  – Set to attack whitehouse.gov
• Code Red II
  – Used same vulnerability
  – Slightly more sophisticated address probing technique
• Nimda (reverse of “admin”)
  – Scanning technique different from Code Red II
• Sapphire/Slammer, Jan 2003
  – Uses small UDP packets, so very fast
  – By contrast, previous worms had larger scanners and used TCP

[Figure slide: NIMDA in NBNL]

Modeling Worm Propagation

• Random Constant Spread (RCS)
• Assumptions
  – Good random generator
  – No infections are cured
  – Compromise rate independent of CPU or network speed
  – Can only be compromised once

RCS Model

  N da = (N a) K (1 − a) dt
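The RCS model worked through as an added example (not from the slides): it integrates N da = (Na) K (1 − a) dt numerically and compares the result with the closed-form solution of da/dt = K a (1 − a), the logistic curve a(t) = e^{K(t−T)} / (1 + e^{K(t−T)}), using the symbols defined in the slide’s parameter list. N = 360,000 and K = 1.8 per hour are assumed, constructed values, not figures from the slides.

```python
import math

# Constructed parameters (an assumption, not from the slides): a population and
# growth rate of roughly the size discussed for Code Red in the RCS literature.
N_VULNERABLE = 360_000   # N: total number of vulnerable servers
K_RATE = 1.8             # K: initial compromise rate (per hour)


def incident_time(a0, K):
    """T: the time that fixes when the incident happens, chosen so that a(0) = a0.
    Since a(T) = 1/2 on the logistic curve, a(0) = a0 gives T = ln((1 - a0)/a0) / K."""
    return math.log((1.0 - a0) / a0) / K


def rcs_fraction(t, K, T):
    """Closed-form solution of N da = (Na) K (1 - a) dt, i.e. da/dt = K a (1 - a):
    a(t) = e^{K(t-T)} / (1 + e^{K(t-T)}), the proportion compromised at time t."""
    return 1.0 / (1.0 + math.exp(-K * (t - T)))


def time_to_fraction(target, K, T):
    """Invert a(t) = target: t = T + ln(target / (1 - target)) / K."""
    return T + math.log(target / (1.0 - target)) / K


def simulate_rcs(N, K, a0, dt=0.01, hours=16.0):
    """Euler integration of da = K a (1 - a) dt from a(0) = a0.
    Returns a list of (t in hours, infected hosts) sampled at every step."""
    a, t, trace = a0, 0.0, []
    for _ in range(int(hours / dt) + 1):
        trace.append((round(t, 6), a * N))
        a += K * a * (1.0 - a) * dt      # no cures, each host compromised once
        t += dt
    return trace


def hours_until(trace, N, fraction):
    """First simulated time at which at least `fraction` of N is infected (None if never)."""
    for t, infected in trace:
        if infected >= fraction * N:
            return t
    return None


if __name__ == "__main__":
    a0 = 1.0 / N_VULNERABLE                 # one initially infected host
    T = incident_time(a0, K_RATE)
    trace = simulate_rcs(N_VULNERABLE, K_RATE, a0)
    print(f"T = {T:.2f} h; closed form reaches 90% at t = {time_to_fraction(0.9, K_RATE, T):.2f} h")
    print(f"Euler simulation reaches 90% at t = {hours_until(trace, N_VULNERABLE, 0.9)} h")
```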

  – N: total number of vulnerable servers
  – K: initial compromise rate
  – T: time which fixes when the incident happens
  – a: proportion of vulnerable machines which have been compromised
  – t: time (in hours)

RCS Model and Measurement

Better Worms

How can hackers improve worm spread?
• Hit-list scanning
• Permutation scanning
• Topologically aware worms

Hit-list scanning

[Animation: the hit list is split in half at each infection: 100, then 50 / 50, then 25 / 25 / 25 / 25]

• Accelerates initial spread
• Must prepare the list in advance
• Flash worms!
• Other options: address permutation scanning
  – Scan inside and outside the local network

Warhol worm

• ‘Hit-list’ + ‘Permutation’
• Can infect most vulnerable targets in order of 10s of mins
• Hit-list
  – Improve initial spread
• Permutation scan
  – Keeps it alive

SLAMMER Worm

• Slammer began to infect hosts slightly before 05:30 UTC on Saturday, 25 January 2003
• Slammer was the fastest worm in history
• It infected more than 90 percent of vulnerable hosts within 10 minutes; it infected at least 75,000 hosts
• Caused network outages and other, unforeseen problems, such as canceled airline flights, interference with elections, and ATM failures

Geographical Distribution

• The geographical spread of Slammer in the 30 minutes after its release
• The diameter of each circle is a function of the logarithm of the number of infected machines

Slammer Characteristics

• Exploited a buffer-overflow vulnerability in Microsoft's SQL Server
• Slammer used a single UDP packet (404 bytes to UDP port 1434) and was therefore bandwidth-limited (i.e., very fast!)
• No malicious payload, but caused considerable harm by overloading networks
• It could have been a lot worse...

Distributed Denial of Service

[Figure: the attacker’s console directs zombies to attack the victim; the DDoS targets the victim’s network or resources]

How to Estimate DDoS Activity?

• Monitor backscatter
• Methodology:
  – Grab a large, allocated but unused IP space
  – Log every packet that arrives
  – Identify backscatter from attacks
  – Extrapolate to the entire IP space

Backscatter in Action

Backscatter Analysis

• Let:
  m = number of packets
  n = number of hosts monitored by us
• P(host receiving unsolicited response) = m / 2³²
• P(observing an attack) = n m / 2³²

• Assuming random source address selection and R’ as the measured average inter-arrival rate of backscatter
• Extrapolated attack rate: R ≥ R’ · 2³² / n

Analysis Limitations
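The backscatter estimate above, as an added example that is not from the slides: it applies the probability and extrapolation formulas, groups backscatter-looking packets seen at an assumed /8 telescope (n = 2²⁴ addresses) by the victim address they come from, and discards bare SYNs so that a random port scan is not misread as backscatter (the last limitation listed below). The packet records and addresses are constructed, not real telescope data.

```python
from collections import defaultdict

IPV4_SPACE = 2 ** 32
TELESCOPE_HOSTS = 2 ** 24   # assumption: a /8 of allocated but unused address space (n)

# Replies a victim emits to spoofed-source attack traffic. A bare TCP SYN is
# deliberately excluded: that is what a port scanner sends, not backscatter.
BACKSCATTER_KINDS = {("tcp", "SA"), ("tcp", "RA"), ("tcp", "R"),
                     ("icmp", "unreach"), ("icmp", "ttl-exceeded")}

def p_observe_attack(m, n=TELESCOPE_HOSTS):
    """P(telescope of n hosts sees an m-packet attack) = n m / 2^32 (n=1 gives the
    per-host probability m / 2^32); capped at 1."""
    return min(1.0, n * m / IPV4_SPACE)

def extrapolate_rate(observed_rate, n=TELESCOPE_HOSTS):
    """R >= R' * 2^32 / n: a lower bound on the attack rate, valid only if sources
    are spoofed uniformly at random and every attack packet draws one reply."""
    return observed_rate * IPV4_SPACE / n

def group_backscatter(packets):
    """packets: (timestamp, src_ip, proto, kind). Backscatter's source is the victim."""
    per_victim = defaultdict(list)
    for ts, src, proto, kind in packets:
        if (proto, kind) in BACKSCATTER_KINDS:
            per_victim[src].append(ts)
    return per_victim

def estimate_attacks(packets, n=TELESCOPE_HOSTS, min_packets=3):
    """victim -> extrapolated attack rate (packets/s), for victims whose backscatter
    allows measuring an arrival rate R' over a non-zero interval."""
    estimates = {}
    for victim, stamps in group_backscatter(packets).items():
        if len(stamps) < min_packets or max(stamps) == min(stamps):
            continue
        r_observed = len(stamps) / (max(stamps) - min(stamps))
        estimates[victim] = extrapolate_rate(r_observed, n)
    return estimates

# Constructed sample (not real telescope data): 203.0.113.5 is a victim whose
# SYN/ACKs land on us; 198.51.100.9 is a scanner probing us with plain SYNs.
SAMPLE_PACKETS = [(0.0, "203.0.113.5", "tcp", "SA"), (1.0, "203.0.113.5", "tcp", "SA"),
                  (2.0, "203.0.113.5", "tcp", "SA"), (3.0, "203.0.113.5", "tcp", "SA"),
                  (4.0, "203.0.113.5", "tcp", "SA"), (0.5, "198.51.100.9", "tcp", "S"),
                  (1.5, "198.51.100.9", "tcp", "S"), (2.5, "198.51.100.9", "tcp", "S")]

if __name__ == "__main__":
    for victim, rate in estimate_attacks(SAMPLE_PACKETS).items():
        print(f"{victim}: observed backscatter implies R >= {rate:.0f} packets/s")
```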

• Address Uniformity
  – Ingress filtering in some ISPs
  – Reflector attacks
• Reliable Delivery
  – Reliable delivery of attack packets?
  – Every attack packet generates a response?
• Backscatter Hypothesis
  – Assumption that unsolicited packets represent backscatter?
  – Misinterpretation of random port scan as backscatter?

Breakdown by Protocol

[Chart: attacks by response protocol]

• 90-94% of the attacks are TCP packets
• 45% of the attacks are ICMP floods

NOTE: These numbers are OLD! No need to remember them, use as an example

Breakdown by Protocol and Attack Rate

• 90% of the attacks use TCP as their protocol of choice
• Next major is ICMP-based attacks
• Fastest attack rate seen is 517,000 packets per second
• Minimum to have an effect is 500 SYN packets per second
• Minimum with special protection is 14,000 per second

Breakdown by Target Port

• 25% of attack programs select random ports above 1024
• Among remaining attacks, the most popular categories are 6667 (IRC), 80 (HTTP), 23 (Telnet), 113 (Authd)

SPAM

• Accounts for a large percentage of email traffic
• Many countermeasures: spam filters with statistical detection, block lists, content hashes, etc.
• Recent developments
  – Spam using images to foil statistical methods
  – Response: OCR
  – Countermeasure: speckled images
  – Response: image fingerprints
  – Countermeasure: alter a few pixels
  – And so on...
• Bottom line: Hackers need your computer so they will try hard to get it

Defenses

• Firewalls
• Intrusion Detection Systems
  – Anomaly-based
  – Signature-based
• None can defend against flooding attacks
• Other options: buy a bigger pipe!

Economic Losses

• Economic losses: labor costs to analyze, repair and cleanse infected systems, loss of user productivity, loss of revenue due to loss or degraded performance of systems, etc.
  – Gartner Survey: 3.6 million people lost money in phishing schemes, resulting in an estimated loss of $3.2 billion in 2007
  – Symantec Security Report: about 130 million credit card numbers were stolen in 2009
  – Cyber Secure Institute: the economic losses due to the Conficker worm could be as high as $9.1 billion

How to Rent a

• Pay-Per-Install service [1]
  – Sell installations on compromised machines
  – PPI install rates vary: $7-$8 for 1,000 installs in the least popular regions, $100-$180 in the most in-demand regions
• Spam-advertised websites [2]
  – Over 100,000 orders placed per month and revenue is around 10 million

[1] Measuring Pay-per-Install: The Commoditization of Malware Distribution (USENIX Security 2011)
[2] Show Me the Money: Characterizing Spam-advertised Revenue (USENIX Security 2011)

Infrastructure Threats

• Increasingly, infrastructure control and the Internet are interconnected
  – Convenience, cost
• But this opens an attack avenue to critical infrastructure!
  – Hackers can turn off electricity, tamper with nuclear plants, wreak havoc with the financial industry
• Example: Stuxnet – virus that targets a specific control system in a nuclear power plant

Stealing Private Information

• Phishing
• Drive-by downloads
• Key loggers

Privacy Issues

• Digital information lives forever!
• Social networks (Facebook, Twitter)
  – What are the right privacy controls?
  – Tension between business models and your privacy
• Web crawlers, continuous Internet archives
  – Can easily store multiple versions of the entire Web
• Attacks on your computer
  – Cookie hijacks (a hacker can hijack your Facebook account)
  – Key loggers, etc.
• Web-cam and digital camera proliferation

What is the Future of our Digital Lives?

• Computers and computer networks are here to stay
• We have been experiencing growing pains in the digital era since 1995 – but what is the impact on our privacy? Does it matter?
• Whose responsibility is it to protect the user?