Team 12 Main

From CyberSecurity
Revision as of 03:31, 23 October 2005 by Chris DuPuis (talk | contribs)

Jump to: navigation, search

Edit this outline as necessary, adding in details where they fit.

I. Information about the attack. 

   A. Report from each engineering member on techniques used, difficulty of attack, feasibility of automating attacks.
      1. Simple buffer overflow attack, as described in the readings.  Ended up needing a hard-coded address to stick in the return address portion of the stack.  This leads to less effective mechanism for a remote attack.  A more dynamic method for determining the address of the buffer that contains the exploit code is required to be feasible, especially for automating the attacks.
      Interestingly, availability of the source code of the target program allowed a much quicker exploit.  Thus, obfuscation does indeed have value, but should obviously not be the primary form of defense.

--Dennis Galvin 20:27, 21 October 2005 (PDT)

The attack was based on methods gleaned from information freely available on the internet. Although specific links to the material were provided in our assignment, a Google search will easily locate the information required to mount such an attack. The aleph one article (http://www.phrack.org/phrack/49/P49-14) was particularly instrumental in mounting a successful attack. In this paper from 1996, Elias Levy (alias Aleph One (http://en.wikipedia.org/wiki/Elias_Levy)) provides an excellent tutorial for individuals with a small amount of background to successfully exploit buffer overflows. Levy advocates strongly for full disclosure of security vulnerabilities, and moderated the BugTraq mailing list (which encourages vendors to fix their software by fully disclosing vulnerabilities), and has been active in computer security endeavors (see Wikipedia article and links from there).

We were provided accounts on two separate machines at UC San Diego. On each of the machines was a copy of the vulnerable program. One of the machines had the program installed in a way which allowed a successful buffer overflow exploit to gain 'root' (administrative) privelege even though the user executing the exploit did not have that privelege.

The initial approach was to read the Aleph One paper, trying various experiments as I followed the progression of the tutorial. Estimated time for completion of the tutorial was approximately 4 hours. At the end of the tutorial, I attempted the final exploit in the paper 'exploit4.c' by copying and pasting the code from the article into a source file, compiling the file using tools on one of the target computers. Following directions in the article, I then ran the program using increasing size of command line argument (which contained the exploit code). This program set up a command shell which had the exploit code in an environment variable. For each size of buffer I used, I then attempted to run the vulnerable program. The progression of sizes tried was 64 bytes (the size of the exploitable buffer in the target program), 80 bytes, 96 bytes. Aleph One suggested that a size of 100 bytes greater than the exploitable buffer size was adequate, but clearly less was required, as both the 80 and 96 byte attempts succeeded in generating a shell prompt with non-administrative privelege. At this point, I logged onto the machine where the target program was installed to be run with administrative (root) priveleges. The success was instant.

--Chris DuPuis 21:42, 21 October 2005 (PDT) Technical note on the attack: the value of stack pointer is influenced by the size of the environment, the current working directory, and the filename passed to execl(). (I used fork() and execl() instead of system().) A hard-coded value for the stack pointer can be used if you clear out the environ with a call to clearenv(), set the cwd with a call to chdir("/"), and hard code the filename.

--Cmckenzie 11:39, 21 October 2005 (PDT) I'm concerned about our ability to describe this effectively in 'plain english'. I don't think a cut and paste from the readings will do the trick.

II. Potential financial damages 

   A. Home computer
      1. Credit card fraud - This can be exploited several different ways, but in the end, the consumer's liability is limited to $50.00.  Thus, it is a more significant risk for the financial institutions than for the consumer.

--Cmckenzie 11:39, 21 October 2005 (PDT)We still need to assess the risk, whoever is ultimately legally liable for the loss. There is a useful statistic on the average cost of an incident of internet credit card fraud which places the value in the US at around $2K (I misplaced the stat but I'll find it again). Losses are potentially very great if this vulnerability allows the implementation of an automated system for credit card fraud - $2K every how many seconds? Also worth thinking about the different implications for high/low net worth individuals. 

      2. Identity theft - This can have much more serious financial consequences for the individual and can take several years to sort out.

--Cmckenzie 11:39, 21 October 2005 (PDT)There's a stat somewhere on this too, I'll try to find it if noone else does. 

      3. Botnet/DDOS applications

--Cmckenzie 11:39, 21 October 2005 (PDT)Cost is entirely borne by others. The incremental increase in cost of having a single computer added to a DOS is, I would guess, very low, so the cost here depends on scalability. 

      4. Reporting incorrect information.

--Cmckenzie 11:39, 21 October 2005 (PDT)5. Ability to execute/enter financial transactions (online trading, loan apps, etc) outside the authority of the normal user. 

   B. Walmart ordering computer

      1. All of the home computer items, and...

--Cmckenzie 11:39, 21 October 2005 (PDT)Probably not identity theft or cc fraud, if Walmart have 1/10th of no concept of security. Perhaps low level staff would be allowed to use their computers for personal business, but it would pay to not allow this if a computer had large ordering authority. 

      2. Ordering things inappropriately.

--Cmckenzie 11:39, 21 October 2005 (PDT)Potential cost - if ordering is done with no further communication, potentially write-off entire value of order. Potential loss = ordering authority of computer. 

      3. Failing to order things when requested.

--Cmckenzie 11:39, 21 October 2005 (PDT)Probably not as bad. Potential loss = loss on profit per item rather than write off of entire cost. 

      4. Business strategy advantage for either supplier, competitor of supplier, or competitor of Walmart (depending on who compromises the computer)

   C. Trading computer

      1. Making trades inappropriately.

--Cmckenzie 11:39, 21 October 2005 (PDT)[Maybe interesting to think about, but disregard this comment to some extent - reread the question and it is specifically about computer used to trade stocks on NYSE] The cost of this is going to depend on what can be traded. For example, making inappropriate futures contracts would probably allow an incredibly large loss to be made, though there would be a strong argument that such contracts wouldn't be legally binding, meaning the outcome was only a small loss of efficiency within the market. If contracts can be made and (4) is done too, then, maybe, bigger trouble. That said, trades happen at two endpoints and are centrally recorded on exchanges, so it may be difficult to kill off the records. Also, if the attacker can cover their steps sufficiently well, the institution may be unable to prove that the trades were executed without authorisation. 

      2. Failing to make trades when requested

--Chris DuPuis 21:32, 21 October 2005 (PDT) One possible motivation for failing to make trades would be to undermine investors' confidence in the trading house. If the Schwab computers reported errors whenever a particular large customer tried to make large trades, that customer would be unlikely to remain with Schwab for long.

Also, a program that introduces delays into transactions (which would be easily hidden in the background of unpredictable delays inherent in Internet processing) could be written. Such a program could delay particularly significant transactions for a few seconds, and signal a remote program that the transaction was about to take place. With the knowledge thata major trade was immanent, this remote program could buy (or sell) stock to profit from the inside information. (The signal could be something as untraceable as buying an unusual number of shares of some unpopular stock.) 

      3. Reporting incorrect information.

      4. Failing to store records of trades

--Cmckenzie 11:39, 21 October 2005 (PDT)This is an interesting idea. Managing to undermine property rights within a trading system would be potentially very destructive. Interestingly, I have a contact with a risk management guy at a large scale funds management and consulting group, who told me that they keep more paper records than you would guess despite automatization, to fight this very problem.

III. Applications of value to terrorists (Brian's written up some of this in e-mail - please paste it in Brian)


--brianmcg 18:40, 21 October 2005 (PDT)

Attack Scalability, Feasibility and Value

The scalability, feasibility and potential value of a buffer overflow attack varies with the type and age of the attack used and the target of the attack. The overflow exploit itself grants access to a system, but the real damage is determined by the quality of the attack carried out after the system is controlled. In general, as the value of the attack increases, the scalability and feasibility of the attack decreases. This is due to the increased difficulty in exploiting more valued targets due to better security, requiring additional technical and financial resources be used by the attackers. 


      A. Scalability

--brianmcg 18:40, 21 October 2005 (PDT) The scalability of the attack is determined by how easily the attack could be expanded form a single exploit to something that could either be use against multiple targets or by multiple groups of attackers for greater effect. A widespread and quickly carried out attack would be required to do maximum damage before it is identified and systems are secured against it. Highly scalable attacks would require fewer, smaller teams (since the more and larger the teams the more difficult the coordination would be) with less technical capabilities (since highly technical people are harder to find). The most scalable attack would be one that required a single person and was designed to self propagating quickly over a network, exploiting and then searching for hosts to infect. Less scalable attacks might require multiple steps, wouldn’t propagate on their own or require a human for any stage of the attack.

Attacks can be placed into one of two categories – general and targeted. General attacks are against any system publicly accessible from the Internet using an exploit against flawed service accepting connections on publicly accessible ports. Targeted attacks are against systems that are not directly accessible from the internet as they are protected by a firewall or run on a separate network infrastructure. These targets are presumable more valuable because they are better secured, but would require a more complicated strategy to attack, decreasing the scalability and likelihood of such an attack.

In the case where a buffer overflow attack is against a system that is directly accessible over the Internet and exposes a flaw that is part of a network service, the attack is inherently scalable. The attackers would only be limited by the speed with which they could scan systems for the flaw and exploit them. The rate of scanning systems for the flaw would be determined by the number of systems the attackers have at their disposal to carry out the search. If the exploit includes changing the exploited system into one of the attacking systems, then the attack can propagate very quickly, which is why worms of this type are the most likely to make the news and cause major disruptions to the Internet.

For a buffer overflow attack against a system that isn’t directly accessible over the internet or against software accessible only after logging in to the targeted computer, the difficulty in penetrating the security to reach the flawed program causes the attack to be far less scalable. Breaking through a DMZ to access a computer on an internal company or government network would require more specialized skill sets and exploratory attacks as the defenses are not known until they are reached. For this reason attacks that target systems or software that are not directly accessible over the internet are not as scalable.

--Chris DuPuis 21:51, 21 October 2005 (PDT) Note: While local exploits are less dangerous as targets for outside attackers, they provide a huge hole that can be exploited by insider hackers, which (according to this article account for 70% of all malicious attacks. So in some sense, local root exploits scale to the space of all companies that have disgruntled employees.

--Chris DuPuis 20:31, 22 October 2005 (PDT) (Note that this was 70% in 2000. Outside attacks have certainly gone up since then. Have inside attacks also gone up? An insider would have a foot up in knowing which systems to target, which attacks would be least defended against, and how best to take advantage of the exploit. 

      B. Feasibility of acquiring the technical and financial resources

--brianmcg 18:40, 21 October 2005 (PDT) The feasibility of the attack is determined by the likelihood of a flaw in software, the difficulty inherent in carrying it out, and affected by the technical and financial resources needed to execute the attack. Buffer overflow flaws in software are fairly common, and are routinely discovered and patched. There are almost certainly flaws remaining in software running on Windows and *nix systems, and new software (with new flaws) is being written all of the time. As we saw in this exercise, exploiting flawed software with a buffer overflow attack is not difficult for a programmer who has time to research the system that will be attacked. However, the targets we exploited were much easier to understand than actual software running on most systems. The technical feasibility is determined by how easy it is to find or otherwise procure an exploit that is not widely protected against.

Technical Feasibility

Assuming that shortly after an exploit is publicly known, most computers are upgraded to be secured from the attack, one of two things would be needed to carry out a new attack on a large scale. Either the terrorist organization would need to have skilled members who are actively researching systems for previously unknown exploits, or they would need to have members who have achieved enough trust or credibility in a cracker community such that they have access to online resources where zero day (that is, knowledge of an attack as it is discovered and before security companies are aware of it) attack information is posted by those who have done the primary research and first identified the exploit. The assumption that most attacks are only useful shortly after an exploit is identified is likely correct for valuable targets, since the more valuable a system, the more likely it will be patched, upgraded and protected from older attacks. While some systems are not kept up to date with security patches, they are likely less valuable, though they can be used to propagate other new attacks. This yields the requirements that skilled technical resources are needed for an attack against a valuable target.

Less technical resources would be needed to carry out attacks using known exploits since by the time an attack is commonly known, usually a kit has been put together for carrying it out. The user of a rootkit (a user friendly tool used to gain root access to a system) need not understand the software being exploited or the security flaw, but simply needs to understand how to use the tools provided. Waiting for an exploit to be available in this format would reduce the technical requirements of the attack but also significantly reduces the value of the attack as more potential targets are secured against it, making it more feasible, but likely less valuable.

A terrorist group that wants to research its own attacks would require skilled individuals being supported while they research potential targets. The terrorist organization would not be able to guarantee any amount of output of new exploits since the frequency and quality of the new exploits would be completely dependant on the skill of the their members. People with these skills would not have to be university trained, but would need a significant education in programming. Technical people with these skills are readily available in many countries and would not be difficult to identify. However, building a team of such members is likely not very feasible unless they fund placing its own members through training to become programmers. Because of limited resources such research by a terrorist group is not very likely.

As an alternative, a terrorist group could rely on others for the exploit research. This requires less technical skill, since they need only understand the exploit, not discover it, making it more feasible for them to have the technical resources since the more complicated work is done for them by others. This however would be more difficult from as social perspective since gaining access to 0day information requires an established presence in a community that may not be easy for many terrorist organizations to acquire. So the technical feasibility is greater, but other barriers would arise.

For better secured, more valuable systems that are not directly reachable over the internet, it would be significantly harder for the terrorist group to find technical resources required for such an attack. Buffer overflow attacks could be used to gain root access to such a system, but multiple exploits would likely be needed to carry out the complete attack. In addition the quality of the attack would need to be significantly higher because the attack takes more time. The longer and more complicated the attack, the more likely that the attack will be discovered before it is completed, requiring that the attackers take additional precautions to avoid leaving a trail (only storing in memory, hiding processes and effects of the early stages of the attack or exploration).

Financial Feasibility

The financial resources required depend on the method of acquiring and implementing the exploit. The resources needed for the terrorist organization to generate their own exploits would be significant as the organization would need to employ, train or recruit technical personnel who would otherwise be able to have legitimate jobs that pay well. The likelihood of discovering an exploit is completely dependant on the skill of the engineer, and it is likely that more money would be needed to entice better technical members to join or work for the organization. If the group has a member with access to information about newly discovered exploits, far less financing would be required for this type of attack as anyone with enough charisma and enough technical knowledge to pass could potentially gain access to information about newly discovered exploits. It might be possible to buy 0day exploits from those who have access to them (not necessarily the person who first discovered the exploit). The cost would likely be far less than funding the research on its own, but more than the cost if the group has a member that has connections among those researching 0day exploits. 

      C. Potential value of cyberattack as a tool for accomplishing the aims of terrorists (David C would like to work on this section)

--brianmcg 18:40, 21 October 2005 (PDT) Value

The value of an attack would be judged based on the amount of disruption caused, the notoriety of the attack and/or the amount of money or information it would yield the terrorist organization.

A buffer overflow attack carried out against systems that can be exploited over a network connection would likely impact the largest number of systems, causing the most disruption to the average user. The impact would likely be to inconvenience people temporarily until a fix is provided depending on the effect of the code propagated by the exploit. Because a large number of people would be affected, it is likely that the attack would gain significant publicity for the terrorist organization, though it would be up to the group to claim responsibility for the attack if they wished. The financial impacts of the attack would include a temporary stop in commerce for effected users, the sum total of which might be significant, but the impact would be spread out over so many people that no one organization might be heavily impacted.

A significant amount of money could be made by the terrorist organization if the once the host is compromised by the buffer overflow, the system is scanned for credit card, bank information, passwords, etc. If this information is relayed back to the terrorist organization and resold or used quickly, a large amount of revenue could be generated. The terrorist organization might choose to target a specific target for political or other reasons. Law enforcement agencies that might be attempting to track the group would have information useful to the terrorists including potential spies, locations under surveillance and other intelligence gathering methods. 


         1. Successfully attacking the financial markets, possibly through means such as causing trading computers to fail to store the records of transactions, could seriously damage both domestic and international confidence in the U.S. financial markets.  That could have signicant economic consequences as the economy runs on more or less of a confidence and trust basis.  (Summarization - not all I have to say!)

IV. Defenses 


      A. Home Computer

         1. Anti-Virus software
  
         2. Anti-Spyware software

         3. Firewalls

         4. High quality software (implying few intrinsic vulnerabilities)

         5. Easily configured for high-security settings

         6. Defaults to secure

         7. Effective patching / updating mechanism

--Dennis Galvin 15:05, 22 October 2005 (PDT) All of the above are definitely an asset. These with the exception of "High Quality Software" are technologically approachable. High Quality Software is a moving target, because as bugs are discovered and exploits published, the old software is no longer considered high quality. There is also the ripple effect where a change in the operating system software can render third party software non-secure. Of the seven suggested means above, six and one-half are in software (some people consider firewalls "hardware" though the hardware is running software (firmware) internally.

A policy based defense: ISP's serving the home market could disallow servers by default. Only turning it on for credible reasons and a port by port basis by application of the customer. [Surely there must be some other policy angles that can be worked in here]

One of the biggest impediments to securing the home computer use sector is that home computer users are not very computer literate. In the medium to large size business sector the actual end users are also not literate. The difference is the businesses generally provide internal technical support. 


      B. Walmart Ordering Computer

         1. All of the above

         2. Intrusion detection tools

         3. Auditing tools

         4. Managed software deployment and maintenance tools.

--Dennis Galvin 15:05, 22 October 2005 (PDT) Walmart is clearly a huge business. As a corporation, they need to set an IT policy, and take responsibility for insuring the integrity of their computing mesh. The above measures are partially the means of implementing that policy. Some components of an effective policy to defend against attacks may include: 1) defining access rights (for instance only IT folk are allowed sign on as administrators); 2) testing of patches before rollout; 3) Testing of software before it is installed; 4) Acceptable use policy; 5) Strong password policy and enforcement; 6) Containment policy when intrusions are detected. The chosen policy must be clearly articulated and understood at the level required by all levels (upper management to greeters) in the firm.

--Chris DuPuis 20:24, 22 October 2005 (PDT) Another aspect of a security policy is to define the services that each class of network user requires, and to put up obstacles (such as firewall rules and enforced corporate policies) to any other network service. By making strict enough policies, the majority of workstations, which have no need to be connected to by other computers, and only need to connect to other computers for web and mail service, can be protected from the kind of remote exploit that we are considering here. This allows the administrator to concentrate on the more difficult task of keeping the servers that provide services on the Internet secure. 


      C. Trading Computer
Retrieved from "http://cubist.cs.washington.edu/CyberSecurity/index.php?title=Team_12_Main&oldid=2081"