Team 14 Main
Contents
Contact information:
Imran 425-736-6490, iali@microsoft.com Osama 425-241-7464, osamam@microsoft.com Asad ??????, asadj@microsoft.com Jared ??????, jaredsmelser@yahoo.com Zaheer 408-250-7872,zaheerm@uclink.berkeley.edu
Assignments
Programming - IMRAN, ASAD, OSAMA
For each of your assigned sections, write 2-3 pages each and post on the wiki. Each section should be complete by MONDAY morning so that we can review it together as soon as possible. Also, we need to start posting our first drafts on the wiki as soon as possible.
http://www.cs.washington.edu/education/courses/csep590/05au/project.html
This attack takes advantage of a programming error introduced by the software programmer. The flaw does not reside in the hardware or the configuration of the system. The programmer’s oversight can cause a user’s action to write meaningless data into computer memory (e.g. cause “corruption”). If a non-malicious user does this he/she will bring the system to an inoperable state (e.g. “system crash”). However, unlike the non-malicious user, the attacker will perform very specific actions so that instead of a system crash the attacker is able to make the computer run his/her program instead of the program that the original programmer had intended.
There are two levels of damage that can be caused by exploiting this vulnerability. In the first level (denoted “level 1” for the purpose of this report), the attacker can bring the computer or software program into a non-operable state. As a result, the system can no longer perform the functionality it was intended for. For example, if a website server is running software that has this vulnerability, the attacker could crash the server so that nobody can access the website. This however, does benefit the attacker unless their only objective was to prevent people from accessing the website.
The second level (denoted “level 2” for the purpose of this report) of damage is much more dangerous. Instead of crashing the computer system, the attacker can make the computer system do his/her bidding. The attacker can write a small program to perform whatever action he/she wants performed on the vulnerable computer and push that into the computer for execution. At this point, the options for attacker are vast. For example, he/she could write a program that opens a back door to the computer system so that he/she can come back later for more malicious activity. The attacker’s malicious program could steal critical data, take down the security safeguards, or use this compromised system as a launch pad to attack other computer systems.
It is important to realize the attacker’s malicious program gains the same rights and access to information as the vulnerable program. For example, if the vulnerable program has no way of accessing a company’s payroll information then the malicious program won’t be able to access that information either. But if program has access to the all the files on the computer (or worse the entire network), the malicious program will also have access to those files.
In the case of the Red Team exercise, we behaved like the attacker and exploited a vulnerability in the Target program. We were given the malicious program that we wanted the compromised system to run. Our job was to inject and make the Target program run the malicious program. Our technique required us to have access to the source code for the Target program. We dissected the program using a Debugger to analyze the exact characteristics of the vulnerability. A Debugger is a well known type of software (e.g. like a word processor, email program, web browser, etc) used by every software developer. Once we figured out how to exploit the vulnerability, we wrote a program that would inject the malicious program onto the Target program for execution. The objective of the malicious program was to change the privilege level of the user to the highest privilege. As a result, the user will have access to the all the information on the system.
The difficulty of exploiting this vulnerability comes from the tedious steps required to perform the exploit. The theory behind the exploit can be taught to any intermediate programmer. In our case we had access to the source code of the Target program which, in most cases, an attacker will not have access to. This makes determining the exact point of vulnerability in the Target program much more difficult. Without access to the source code, the next easiest step is to acquire the product you are trying to break. For example, if someone wanted to learn how to exploit a vulnerability in Oracle Database System they would need to get their hands on a copy of Oracle. They would then setup Oracle and reverse engineer the relevant portions of the Oracle software to determine the exact characteristics of the vulnerability. This step may present a challenge for software systems that are not easily available (e.g. if an organization is running some proprietary software that is not commercially available). If the attacker cannot get his/her hands on the software package, then he/she would have to resort to trial and error where he/she continually probes the target service until the desired outcomes is achieved. In this case it is quite possible that repeated attack attempts would be discovered by security administrators and the attacker would be stopped before he/she became successful.
Of course, the ideal way to defend against this classification of attack is to fix the original source code and fix the programmer’s oversight. This is the most expensive way to address the problem. The flaw type under discussion here has a very well defined pattern. Some software development organizations have tools that can scan the source code and identify faulty source code that is vulnerable. In the cases where the software development company does not have access to such tools, there are other more general defense mechanisms. However, these mechanisms don’t prevent the exploit.
The alternate mechanisms try to reduce the damage an attacker can cause from “Level 2” to “Level 1” (discussed previously). One solution is for the software developer to compile his/her source code with a flag that will cause the program to check for memory corruption at critical points and cause the program to self terminate if memory corruption is detected (known as a dynamic cookie on the stack). This prevents the attacker from getting his/her malicious program executed on the target computer. With the aid of modern software compilers, this is a relatively easy option to implement.
Another solution is available on newer processors (i.e. AMD 64-bit processor and Intel 64-bit processor) that have a slightly different architecture that would cause this program to crash if this type of attack was employed. These new processors separate data and program so that this attack could corrupt the data but not alter the program that the computer executes. This is a very expensive solution as it requires purchasing new hardware and possibly modifying the software to run on the new hardware.
Another solution, which can be enabled on Linux machines, is called Address Space Layout Randomization (ASLR). This causes programs to run with slightly different memory characteristics every time they run. Since this exploit requires the program to run with the same memory characteristics every time it runs, the randomness prevents from the attacker from making the computer execute his/her malicious program. This is the best solution to provide a reasonable level of protection to vulnerable software. It does not require changes to the original software or hardware. The disadvantage is a slightly slower speed of execution of the software, which is a reasonable price to pay.
The impact of a breach can be further mitigated by ensuring that the software is running with the lowest privileges that it needs to perform its function. For example, if a program does not need to access payroll files, then one must ensure that the program does not have the right to access the payroll files. This requires a paradigm shift by the programmer or system administrator to change from a pattern where you deny access to critical files to a pattern where you deny everything and only allow access to necessary files. This reduces the attack surface that has to be protected.
Estimated dollar value - ASAD
[Estimated dollar value of the damage that such an attack could cause 1) to a private home computer, 2) to a corporate computer used for letters and correspondence by Walmart's Corporate VP for Ordering Stuff from China, and 3) to a Charles Schwab computer used to place buy/sell orders on the New York Stock Exchange. Your estimate should consider potential damage to both the computer's owner and third parties.]
Estimated Dollar value of the Damage – Asad Jawahar
The cost of damage that can be caused by this type of attack depends on the assets that are on this machine and that are now compromised. These assets include things like personal or confidential data, Social Security Numbers, network resources that the machine is connected to etc.
Private Home Computer
Assets: A private home computer would usually contain a lot of personal information including Social Security Numbers, Bank account information, Address book, Email, other personal documents, pictures and music. The hacker can cause significant damage if he/she gets their hands on these assets. Here is an estimate of the potential damage:
Damage Estimate: 1. Lost SSN(s), bank account info and personal information can be used for identity theft. The hacker could open new credit accounts in the name of the owner and draw large sums of money. The attacker may be able to draw even larger sums of money in the shape of other loans eg, car loans or even a mortgage which could cost a lot more but these are unlikely to happen since the creditors do more diligence when giving out such loans. The damage in this case is the sum of the loss to the bank and the amount it costs the victim to recover his/her credit history. According to a study conducted by the identify theft resource center (http://www.idtheftcenter.org/idaftermath.pdf), fraudulent charges average more than $90,000 per name user and it takes an average of 600 hours of the victims time to work through it. The average cost associated with lost time was $16,971. This brings average cost to over $100,000. Some people reported upwards of a million dollars in damages.
2. If the user has email, address books, music and pictures on the computer, then the hacker can steal this information and could potentially be used to launch other attacks. For example the address book and email account could be used to lure other victims. The cost of this kind of an attack is hard to determine. The other potential damage that the hacker could cause is destruction of data For example the pictures on the machine could be deleted or even worse the hard drive could be formatted resulting in complete loss of data. If the data is not backed up, then the victim would have to use some specialized software or call data recovery specialists. The cost of disk recovery runs in the thousands of dollars.
Walmart Corporate Computer
Assets: A corporate computer used for letters and correspondence by Walmart’s Corporate VP for ordering stuff from China would contain information about Walmart’s suppliers in China, some information about Walmart’s inventory, ordering information, Walmart’s account information and routing information etc. The corporate computer is most likely also connected to the corporate network which means it can be used to launch an attack on other corporate assets on the network. The estimated potential damage is:
Estimated Damage: 1. The hacker could place false orders on behalf of Walmart causing supplier(s) to produce or even ship the order if the attack goes undetected long enough. This could cause damages worth millions of dollars.
2. The hacker could also cancel some orders resulting in Walmart running out of inventory and losing business to competitors. The supplier will be affected because he may have to store the extra product. The cost of this could also run in millions of dollars.
3. If there is some bidding process going on between Walmart and suppliers in China then the hacker could divulge confidential bidding information resulting in unfair award of contract. This could eventually run into litigation issues costing millions.
4. The hacker could post confidential business data on the net where competitors can see and misuse it for example Walmart’s suppliers, the price quotes they give to Walmart, Walmart’s current orders, etc This information could be used by competitors to identify Walmart’s business strategy like which new products they are bringing into the market etc. Cost to Walmart due to lost business could be in millions of dollars.
5. If the machine is on corporate network then it could be used to launch an attack on other assets on the network including employee information, financial data, customer data, etc which can be used for ID theft. If the hacker can successfully launch attacks on these assets then the damage caused will be very extensive and would probably run in hundreds of millions.
6. Walmart’s image will be tarnished due to this incident resulting in lost business.
7. The hacker could wipe out the hard drive resulting in loss of data if it wasn’t backed up. This could cost a few thousand dollars to recover.
Charles Schwab computer used to place buy/sell orders on NYSE
Assets: A computer used to buy/sell orders will have some sort of trading software installed on it. If the software does not require a login or the user has stored the password then the hacker can perform transactions on behalf of Charles Schwab. Also the computer is probably on the corporate network which means it can be used to launch attacks on other assets on the network. The estimated cost of damage is:
Estimated damage: 1. If the hacker can successfully use the trading software then he/she could cause a lot of damage by placing orders on NYSE. The hacker could buy a certain stock from a ligitimate account and then place larger orders on behalf of Charles Schwab using the hacked computer to drive up the cost. This would also affect a lot of other traders on the stock market. The hacker could also short or bulk sell a certain stock causing it’s value to tumble in the market causing a lot of loss to Charles Schwab, the company whose stock got hit and other traders. The cost of this will be in hundreds of millions of dollars.
2. The hacker could mount an attack on other assets on the network and if successful could retrieve employee and customer information and use it for ID theft. The cost would run in hundreds of millions of dollars.
3. The incident will tarnish Charles Schwab image and they will lose customers and business costing millions.
4. The SEC may impose some fines on Charles Schwab for inaccurate order execution. In the past companies have been fined in millions.
Feasibility and Strategic value - IMRAN
[Estimated feasibility and strategic value of the attack technique to a terrorist organization. Teams should consider, at a minimum, 1) scalability of techniques, 2) feasibility of acquiring the required technical and financial resources, and 3) potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5.]
Summary The buffer overrun attack technique is a feasible technique for a terrorist organization to meet some of their aims. The strategic value of such an attack would be less than a ‘typical’ terrorist attack as it would lack the drama and media attention of a physical attack on a material object such as a nuclear power plant. However, the actual feasibility of such an attack could be diminished due to current advances in operating system security features and a greater public awareness of security problems such as phishing and virus attacks.
1)Scalability of technique An attack using buffer overruns could be used to attack multiple clients, i.e. who run applications with this vulnerability. For example, a terrorist organization could find a vulnerability on a web control on a frequently used website such as http://www.cnn.com. The organization could then infiltrate the company or the website and have this code placed in the website. Another attack could use phishing so that users are fooled into using a website spelled very close to the same, such as www.cnnn.com which would not have the same audience, but could still be an effective attack technique. Since this is code, it is generally not difficult to distribute and is therefore easy to spread the attack. Another way to deliver such an attack would be to use a trojan horse via some sort of email message with an attachment that causes damage or which takes advantage of a buffer overrun to gain root access to a user’s system. If a terrorist organization would like to hit a wide range of people, the above techniques would be scalable given the high rate of Internet connectivity in the US. Even if the organization, would like to hit a targeted number of government machines or businesses, this technique is still feasible, especially given the fact that many IT orgs (including the government) have machines running operating systems with known security vulnerabilities. On the other hand, recent releases of operating systems have built-in mechanisms against buffer overrun. For example managed code does not allow this to happen and it is almost impossible to use this technique unless calls to unmanaged code are made. I would argue that the scalability would only be slightly diminished especially given the fact that there are still components of the OS that still contain vulnerabilities to this. For example, the Sasser worm exploited a vulnerability in a core component of the Windows operating system.
2)Feasibility of acquiring the required technical and financial resources The required resources lean more towards being more technical rather than financial in nature. In order to engineer an exploit, generally anyone with a Computer Science degree could do this, once taught the underlying techniques and given the tools. Websites such as www.phrack.com already give detailed information on known vulnerabilities which could guide a determined engineer. On a global level, there is definitely not a shortage of qualified people who could accomplish this. As for financial resources, all that is needed is a PC with internet access is what is mostly needed, plus any money to pay for doing this. These are not usually activities for mercenaries, instead, members of a terrorist organization could easily have this technical knowledge or recruit members who are fresh graduates from university. According to an article in the Washington Post, (http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26) , groups such as Al-Qaeda are already recruiting members with advanced technical capabilities, such as recent university graduates. Rather than developing their own computer skills, terrorist groups might also try to hire or trick unaffiliated hackers into helping. There are also many highly skilled and underpaid computer specialists from the former Soviet Union. Hackers who dislike America might also decide to perpetrate an attack independently. Following the April 2001 collision of a U.S. Navy spy plane and a Chinese fighter jet, Chinese hackers launched denial of service attacks against American Web sites. A terrorist organization could contact these hackers and convince them to join them in their particular cause. In general, it is becoming increasingly easy for terrorist organizations to acquire resources to attack vulnerable targets, mostly due to the fact that there is a global supply of highly skilled engineers who may be tricked or persuaded into helping an organization given the right financial or ideological incentives. This is indeed confirmed by both government and private sector reports indicating that recent attacks have grown in both sophistication and volume.
3) Potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5 Given the feasibility and relatively low cost of conducting cyberattacks, I would argue that a terrorist organization would gain more ‘return on their investment’ as opposed to a risky physical attack on a government facility for example. An organization would also require fewer people and coordination to conduct such as an attack. Given the fact that most terrorist organizations usually choose the easiest and well known path to conduct their attacks, they would find a buffer overrun attack easier, especially given the fact that these sort of attacks have been used for some time. A typical terrorist organization usually aims to disseminate their beliefs or cause and this type of attack would help serve this aim. For example a group that believes that a group of people have conflicting beliefs, could attack a website representing or publicizing their views. A buffer overrun attack could also target an enemy government servers that is used to control something vital, such as a city’s drinking supply. Once control is achieved and the damage is done, public opinion could be swayed to help persuade the government to stop action against this terrorist organization. On the other hand, this technique could backfire and cause the government to further strengthen its action against the organization. The economic value of this cyberattack should also be understood. As mentioned in a previous lecture, there are ‘cybergangs’ that actively charge website owners money for not attacking them using techniques such as Denial of Service attacks. A terrorist organization could use this technique to generate revenue in order to finance other attacks. A cyberattack could be used to derail the economy of an enemy government. The organization could target, for example, a stock exchange’s central server by using a buffer overrun and gaining access to key information. The losses incurred by the stock exchange could potentially be very high and cause a substantial loss of income in lost trade to the government. Such attacks are generally meant to sow discord in the public, business and government, which is usually the primary objective of a terrorist organization.
Conclusion In general, a buffer overrun attack has a lot of potential value in achieving the aims of a terrorist organization. Given the global reach of the Internet and the increasing dependency of government and business on networks, there is now a dramatic increase in the number of vulnerable targets as compared to ten years ago. Even though there is a lot of progress being made in the cybersecurity field, I would argue that it will be difficult to keep up with hackers and the terrorist organizations that employ such techniques. Therefore, this is a field that more terrorist organizations will consider given the low cost and the strategic value such attacks would have.
Feasibility and cost of defending against such attacks - JARED/ZAHEER
[Feasibility and cost of defending against such attacks. For each class of target (home, corporate, financial), teams should 1) identify existing financial and non-financial incentives for installing defenses, 2) evaluate the adequacy of these incentives, 3) discuss whether additional protection would be cost-effective, 4) identify the lowest cost provider for upgrading protection (e.g., Microsoft, Norton, AOL, Corporate IT networks, computer owners), and 5) list and evaluate possible policy levers for government intervention (e.g., tax incentives, legal liability, insurance). ]
The best way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that helps prevent buffer overflow, such as C or C++. http://www-128.ibm.com/developerworks/linux/library/l-sp4.html
Financial incentives for upgrading protection include protecting sensitive information that can be used against the company
In terms of software upgrades, most providers offer free downloads. the lowest cost provider is Microsoft. With the Service Pack 2 that comes with Windows, the customer can choose Executable Space Protection solutions designed to prevent overwriting of data. There are also various "patch managers," the least expensive of which is Symantec Livestate Patch Manager, priced at $17.90. The NX, or "no execute" feature is available on a variety of processors including the AMD-64 Athlon 64 X-2 Dual-Core processor ranging from $354-$902 and the AMD Athlon 64 Processor, from $122-$375.
The President’s Commission on Critical Infrastructure Protection was set up to help companies protect their computers from attacks funded by foreign countries -Among their changes are tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center -http://www.washingtontechnology.com/news/12_12/news/12388-1.html
dissregard zaheer's work above it has been incerted into the paper below in italics
To understand the incentives of installing defenses for buffer overload attacks, one must first determine the target of the attack. To better understand the field of targets, we will categorize them into three groups: attacks on governmental agencies, attacks on corporate entities and finally, attacks on private personal computers. Each group has both common and dissimilar reasons for preventing Buffer Overload Attacks and because of this, the incentives for these groups vary in size and need. The most common incentive however, for all three is that of financial motivations. Often when a computer or server is attacked the most costly problem is the loss of control to the user. This loss of control manifests itself in varying forms such as an inability to use the targeted computer or server; this problem is most damaging to corporate entities to whom the losses involved in a disruption in service can reach up to millions of dollars depending on the severity of the attack as well as the time in which the company in question takes to purge the infected data and return on line.
Another loss of control concern to all three groups is the ability of the attacker to obtain sensitive material. The FDIC recently wrote, “Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers.”(http://www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html) These types of attacks are common to both the private and corporate users. For the private user, his or her personal information can be taken and used fraudulently after the theft resulting in thousands of dollars of loss in time and money. While this loss is often profound to the individual victim, the loss to the corporate user is twofold. This type of security breach can result in the theft of not just one individual’s information but thousands of individuals. The secondary damage to the corporation then becomes a loss in reputation, resulting in a lack of confidence in the transaction between the consumer and the vendor. For governmental agencies the ability of an attacker to obtain sensitive data can be costly both in financial and non-financial terms. The lesser, but still costly issue, with attacks is the damage to infrastructure (i.e. flight control, police emergency numbers, etc.). The greater threat is that of stolen data (i.e. intellectual property, national defense, and state secrets). It is here that the incentives for installing software to defend against attacks is vitally important, the sensitivity of the stolen information is causational to the scope of the security breach. When analyzing the benefit verses cost for defending against attacks in both financial and non-financial terms, it is the scope of the breach which will determine scope of need for response.
Many of the issues involved in these types of attacks and their subsequent harm to these three groups can be seen as types of market failures; once an individual or agency establishes the criteria for market failure (i.e. disruption of service and or stolen data), the incentives for corrective measures become adequate and the market compensates for these types of attacks. Currently, many software and hardware manufactures are creating protection against Buffer Overload Attacks.
The strongest way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that helps prevent buffer overflow, such as C or C++. (http://www-128.ibm.com/developerworks/linux/library/l-sp4.html) In terms of software upgrades, most providers offer free downloads, for example, the lowest cost provider is Microsoft. With the Service Pack 2 that comes with Windows, the customer can choose Executable Space Protection solutions designed to prevent overwriting of data. There are also various "patch managers," the least expensive of which is Symantec Livestate Patch Manager, priced at $17.90. The NX, or "no execute" feature is available on a variety of processors including the AMD-64 Athlon 64 X-2 Dual-Core processor ranging from $354-$902 and the AMD Athlon 64 Processor, from $122-$375.
In response to threats to national security, the President’s Commission on Critical Infrastructure Protection was set up to help companies protect their systems from attacks funded by foreign countries. Their implementations include tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center. http://www.washingtontechnology.com/news/12_12/news/12388-1.html
While these forms of protection can be cost effective for the private user and some small businesses, the potential cost to multi-million dollar companies and governmental agencies is too great to rely on these forms of protection alone. In addition to software and hardware solutions, it would be prudent for large companies and governmental agencies to finance additional forms of protection. Both should invest in a highly trained and qualified workforce dedicated to the prevention and management of attacks. In conjunction with a larger and more qualified staff, firewall investment, load-balancing, traffic-shaping technology and extra bandwidth (for DoS attacks) should be considered.
As discussed prior, many of these problems can be seen as market failures; at times the market can not correct itself in a meaningful way when outside forces (hackers and terrorists) are affecting it in a detrimental manner. In this case, it is often up to the government to intercede and create a favorable and safe marketplace conducive to free trade. One option is to determine the market failures and create policy to solve the problems in question. A market failure in which the government could intercede with little market intervention is in the failure of information asymmetry. Information asymmetry is when one party knows more than the other and capitalizes on it to the disadvantage of the other. In this case, it is a lack of understanding by the common private user, unaware that by not safeguarding his or her computer they are not only susceptible to attack themselves, but are also used by hackers to infect other individuals. Correcting this asymmetry by informing computer users how to be responsible net citizens, the government could obstruct many attacks before they gain momentum. As well, the government and vested private industry could create market incentives for the common user to install better protection. These incentives would take the form of lower consumer prices from industry and tax incentives from the government, the cost of which would be offset by gains to revenue as well as tax gains from recuperated revenue. While the government is creating new task forces and redirecting existing agencies to fight this problem the money invested in this fight is a drop in the bucket compared to the losses reported and unreported by these three groups; not until this problem is given the attention it needs, Buffer Overload Attacks and other cyber crimes will continue occur.
