
Computer Security: The Dark Side of ICT
IWKS 2300
Fall 2019
John Bennett

Why Should You Care about Computer Security?
• Cybercrime costs the global economy around $1.5 trillion a year, more than the illegal drug trade (estimated to be ~$500B)
• 1 in 10 URLs are malicious
• Election-related cybercrime is prevalent worldwide
• ~800 million adult victims globally in 2018
• ~500 million identities exposed in 2018
• Almost three quarters of online adults have been a victim of cybercrime in their lifetime (this figure is 80% for men between 18 and 31 who access the Internet from their mobile phone)
• More than 400 million unique variations of malware
• Three times more adults worldwide have suffered from online crime than from offline crime
• Millennials are the most vulnerable to online crime (~50% have been cybercrime victims; yet ~30% still share passwords)
• 63% would rather go on a bad date than have to deal with customer service after a security breach
Source: Symantec Cybercrime Report 2019

The Dark Side of ICT
• Some Risks
  • Malware
  • Identity Theft
• Some Underlying Technologies
  • Encryption
  • Authentication
• Some Practical Advice for CU Students

Malware: Barbarians at the Gates

Types of Malware

Adware
Programs that secretly gather personal information through the Internet and relay it back to another computer
• Tracks browser usage (e.g., “tracking cookie”)
• Often used for advertising

“Dialers”
Programs that access pay-per-minute sites (without your knowledge)
• Typically to accrue charges

Types of Malware

Hack Tools
Programs used to gain unauthorized access to your computer.
• e.g., keystroke logger (tracks and records individual keystrokes, then sends this information to someone else).
Hoax
Email chain letter
• no file attachment
• no third party validation

Types of Malware

Jokes
Programs that change or interrupt the normal behavior of your computer
• General distraction or nuisance
• Harmless

Remote Access
Programs that allow another computer to attack or alter your computer
• Usually preceded by another form of attack

Types of Malware

Spyware
Stand-alone programs that can secretly monitor system activity
• detects passwords or other confidential information and transmits this information to another computer
• Often in shareware, freeware, email, and IMs

Trojan Horse
A program that causes damage or compromises the security of the computer
• Neither replicates nor copies itself
• Does not email itself

Ransomware
A program that hijacks/locks the computer and demands money to unlock
• Computer is rarely unlocked even if you pay

Types of Malware

Virus
A program that replicates; that is, infects another program, boot sector, partition sector, or document, by inserting itself or attaching itself to that medium
• Most viruses only replicate
• Some do a large amount of damage as well

Worm
A program that makes copies of itself; from one computer/disk drive to another
• Worm may do damage and compromise the security of the computer
• The process of replication may cause “denial of service attack”

Types of Malware

Formjacking
The use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of eCommerce sites

Cryptojacking
Programs installed by coinminers on victims’ devices used to mine cryptocurrencies

Election Interference
Using various kinds of malware to influence the outcome of an election

Identity Theft and Fraud

How hard is it to steal an identity?
• What information do you need?
• Is it easier to steal or create an identity?
• Who are the most vulnerable to identity theft?
(Some) Ways to Steal an Identity
• Garbology (Dumpster Diving)
• Post Mail Theft / False change of address
• Digital Copy Machines
• Electronic Theft of Credit Card Data
• Phishing (phone and email)
• Purchase of “novelty” fake driver's licenses and other ID cards
• “Old-Fashioned” Theft
  • By insiders (employees of companies that have such data)
  • By others
• Credit reports under false pretenses
- US Odds: about 1/100 in your lifetime; about 1/10000 this year
- Identity Theft Twice as Likely in English-Speaking Countries (although non-English language crime is increasing)

Types of Identity Fraud in the US
• Credit Card
  • Opened line of credit
  • Charged to existing card
  • Otherwise abused credit
• Utilities
• Bank Account
• SSN
• DL, Tax Return, or other Govt. ID
• Employment
• Loan
• Other

[Figures: US data, 2013 and 2018; The Top 15 in the US (2013/2018); The Bottom 10 in the US (2013/2018)]

What is at Risk? From Where?
Your personal/business information, no matter where it is stored, is at risk from anywhere in the world!

Where is your information?
• Social Networking sites (Facebook, Twitter, Instagram, etc.)
• Location-Based Social Networking Sites (Foursquare, Loopt, GyPSii, Citysense, Plazes, etc.)
• Search Engines (Look yourself up)
• Resume Websites (Monster, Indeed, CareerBuilder, etc.)
• Official Websites/Medical Systems/School Systems
• Associations/Professional/Hobbies Websites (LinkedIn, Ancestry.com, etc.)
• In Cell Phones, PDAs, Smartphones (GPS coordinates on all JPEGs)
• E-Mail (official and personal), E-mail servers
• Cars (What’s in your glove box?)
• Homes/businesses (Where is your personal/business information, electronic and hard copy, located?)
• Real mail boxes
• Your garbage

Cybersecurity Risk – Mobile Devices
Mobile devices can be hacked; conversations can be heard and recorded even if the mobile device is not “on”.
There are thousands of pieces of malicious Android software.
Android is at the top of the list of the highest targeted mobile platforms at present. Most of these are coming from third-party Android markets.

Facebook
Researchers were able to accurately infer Facebook users’ ethnicity, IQ, sexual preference, substance use, personal wealth and political views using only a record of the subjects and items they had “liked” on Facebook – even if users had chosen not to reveal that information.
http://www.guardian.co.uk/technology/2013/mar/11/facebook-users-reveal-intimate-secrets

Remote Administration Attacks
• A RAT (Remote Administration Tool) is designed to allow system vendors to take control of your computer as a diagnostic tool.
• “RATers” co-opt this software to (among other things) turn on the camera of your computer without your knowledge.
• College-aged women's systems are preferentially targeted for this kind of attack.

Things the RAT Tool DarkComet can do
• Control your computer remotely
• Execute various types of scripts on your system
• Modify/View/Steal your files
• Put files of its own on your system
• Listen to your microphone
• Log your keystrokes
• Scan your network
• View your network shares
• Steal your contacts / Add new contacts
• Steal from your clipboard (things you’ve copied)
• Control your printer
• Lock/Restart/Shutdown your computer
• Watch your webcam
• Use your computer to attack others

Some Underlying Technologies
• Encryption (protecting secrets)
• Authentication (proving I am who I say I am)

Encryption
• Based on science of cryptography
• Symmetric-key encryption
  • secret code that each of the two computers must know
  • For example, code is “Shift alphabet by 2 letters”, e.g. “Attack Now” becomes “Cvvcem Pqy”
• Public-key encryption
  • uses a combination of a private key and a public key
  • private key is known only to your computer, public key is given by your computer to any computer that wants to communicate securely with it.
Single-Key Systems (From Caesar until 1975)
• Sender and receiver agree on a key
• Apply the key to the message (by means of an invertible function called the “key”) to produce “ciphertext”
• Apply the key to the ciphertext and you get the message back

$\{M\}^{K} = C$
$\{C\}^{K} = \{\{M\}^{K}\}^{K} = M$

Public Key Cryptosystems
• Everyone has two keys, public (literally!) and secret
• These keys are inverses of each other
  $\{\{M\}^{P}\}^{S} = M = \{\{M\}^{S}\}^{P}$
• Knowing the public key doesn't help you guess the secret key
• To send you a message, I simply encrypt it using your public key
  $\{M\}^{P(you)} = C$
• Only you can decrypt it, because only you know the inverse -- your secret key
  $\{C\}^{S(you)} = \{\{M\}^{P(you)}\}^{S(you)} = M$

Digital Signatures
• To send you a message that can only have come from me, I encrypt it first with my secret key, and then with your public key:
  $\{\{M\}^{S(me)}\}^{P(you)} = C$
• To decrypt, you first apply your secret key (which only you can do):
  $\{C\}^{S(you)} = \{\{\{M\}^{S(me)}\}^{P(you)}\}^{S(you)} = \{M\}^{S(me)}$
• Then you apply my public key:
  $\{\{M\}^{S(me)}\}^{P(me)} = M$

More on Signatures
• If you save a copy of $\{M\}^{S(me)}$ ...then you can send it to someone else as proof to them that I said what you claim I did -- no one but me could have created that message.
• You can further encrypt it for secrecy on the wire, just as I did when I sent it to you:
  $\{\{M\}^{S(me)}\}^{P(third\ party)}$

How Do We Pick the Keys? [RSA]
(Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman, 1977)
• Your secret key is a pair of big prime numbers**
• Your public key is the even bigger composite number that's the product of these primes**
**The actual encryption/decryption functions are somewhat more complex, involving modular arithmetic, and a bunch of number theory derived from Euler's theorem (a generalization of Fermat's little theorem).

Security of RSA
Everything depends upon our belief that it’s really hard to factor products of large prime numbers**.
• This belief is based upon years of work in number theory and in the theory of computation.
• If you could find the prime factors of the public key, you could break the cipher.
**The security of RSA also depends upon the difficulty associated with finding $e$-th roots modulo a composite number $N$ whose factors are not known (the “RSA problem”)

Security of RSA (cont.)
• RSA keys are typically 1024–2048 bits long
• 1024-bit keys may be breakable
• 4096-bit keys are not likely to be breakable
But…
• In 1994, Peter Shor published an algorithm showing that a quantum computer could in principle perform the factorization needed to break RSA in polynomial time.
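
Added example (not from the original slides): a toy textbook-RSA sketch of the key notation used in the public-key and digital-signature slides, showing that the two keys invert each other, the sign-then-encrypt flow, and why factoring the public modulus breaks the cipher. The primes, exponents, message value 65 and all function names are constructed for illustration; real RSA uses large primes and padding.

```python
# Added example: textbook RSA with tiny constructed primes (no padding, toy sizes only).
from math import gcd, isqrt

def make_keys(p, q, e):
    """Build (public, secret) keys, each an (exponent, modulus) pair, from primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)  # secret exponent: e*d = 1 mod (p-1)(q-1); needs Python 3.8+
    return (e, n), (d, n)

def apply_key(m, key):
    """The slides' {M}^K: raise m to the key's exponent modulo the key's modulus."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def sign_then_encrypt(m, s_me, p_you):
    """{{M}^S(me)}^P(you): only I can create it, only you can open it."""
    return apply_key(apply_key(m, s_me), p_you)

def decrypt_then_verify(c, s_you, p_me):
    """{{C}^S(you)}^P(me): strip the encryption, then undo the signature."""
    return apply_key(apply_key(c, s_you), p_me)

def secret_from_factoring(public):
    """Anyone who can factor the public modulus can rebuild the secret key."""
    e, n = public
    p = next(f for f in range(2, isqrt(n) + 1) if n % f == 0)
    return make_keys(p, n // p, e)[1]

# Constructed toy keys. My modulus (3233) is smaller than yours (8633),
# so my signature always fits inside your modulus.
P_ME, S_ME = make_keys(61, 53, 17)
P_YOU, S_YOU = make_keys(89, 97, 5)

if __name__ == "__main__":
    M = 65  # constructed sample message, encoded as a number
    print("{M}^P(me)          =", apply_key(M, P_ME))
    print("{{M}^P}^S          =", apply_key(apply_key(M, P_ME), S_ME))
    print("{{M}^S}^P          =", apply_key(apply_key(M, S_ME), P_ME))
    C = sign_then_encrypt(M, S_ME, P_YOU)
    print("signed + encrypted =", C)
    print("opened + verified  =", decrypt_then_verify(C, S_YOU, P_ME))
    print("factoring recovers S(me):", secret_from_factoring(P_ME) == S_ME)
```

Trial division finishes instantly here only because the modulus is four digits long; the key sizes on the slide above are what make the same search infeasible.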