Team 12 Main

From CyberSecurity
Revision as of 05:14, 24 October 2005 by Chris DuPuis (talk | contribs)


Edit this outline as necessary, adding in details where they fit.


I. Information about the attack

   A. Report from each engineering member on techniques used, difficulty of attack, feasibility of automating attacks.

Team_12_Exploit_Code

      1. Simple buffer overflow attack, as described in the readings.  Ended up needing a hard-coded address to stick in the return address portion of the stack.  This leads to a less effective mechanism for a remote attack.  A more dynamic method for determining the address of the buffer that contains the exploit code is required to be feasible, especially for automating the attacks.
      Interestingly, availability of the source code of the target program allowed a much quicker exploit.  Thus, obfuscation does indeed have value, but should obviously not be the primary form of defense. 

--Dennis Galvin 20:27, 21 October 2005 (PDT)

The attack was based on methods gleaned from information freely available on the internet. Although specific links to the material were provided in our assignment, a Google search will easily locate the information required to mount such an attack. The Aleph One article (http://www.phrack.org/phrack/49/P49-14) was particularly instrumental in mounting a successful attack. In this paper from 1996, Elias Levy (alias Aleph One (http://en.wikipedia.org/wiki/Elias_Levy)) provides an excellent tutorial for individuals with a small amount of background to successfully exploit buffer overflows. Levy advocates strongly for full disclosure of security vulnerabilities, and moderated the BugTraq mailing list (which encourages vendors to fix their software by fully disclosing vulnerabilities), and has been active in computer security endeavors (see Wikipedia article and links from there).

We were provided accounts on two separate machines at UC San Diego. On each of the machines was a copy of the vulnerable program. One of the machines had the program installed in a way which allowed a successful buffer overflow exploit to gain 'root' (administrative) privilege even though the user executing the exploit did not have that privilege.

The initial approach was to read the Aleph One paper, trying various experiments as I followed the progression of the tutorial. Estimated time for completion of the tutorial was approximately 4 hours. At the end of the tutorial, I attempted the final exploit in the paper 'exploit4.c' by copying and pasting the code from the article into a source file, compiling the file using tools on one of the target computers. Following directions in the article, I then ran the program using increasing size of command line argument (which contained the exploit code). This program set up a command shell which had the exploit code in an environment variable. For each size of buffer I used, I then attempted to run the vulnerable program. The progression of sizes tried was 64 bytes (the size of the exploitable buffer in the target program), 80 bytes, 96 bytes. Aleph One suggested that a size of 100 bytes greater than the exploitable buffer size was adequate, but clearly less was required, as both the 80 and 96 byte attempts succeeded in generating a shell prompt with non-administrative privilege. At this point, I logged onto the machine where the target program was installed to be run with administrative (root) privileges. The success was instant.

--Chris DuPuis 21:42, 21 October 2005 (PDT) Technical note on the attack: the value of stack pointer is influenced by the size of the environment, the current working directory, and the filename passed to execl(). (I used fork() and execl() instead of system().) A hard-coded value for the stack pointer can be used if you clear out the environ with a call to clearenv(), set the cwd with a call to chdir("/"), and hard code the filename.

--Cmckenzie 11:39, 21 October 2005 (PDT) I'm concerned about our ability to describe this effectively in 'plain english'. I don't think a cut and paste from the readings will do the trick.

--Chris DuPuis 14:04, 23 October 2005 (PDT) Here is a bit of explanatory material about the exploit. It needs some work, but it should be easy enough to understand. (It's just not really a complete description.)

The flaw that was exploited is called a "stack overflow". In basic terms, it may be described as follows:

A computer program is composed of a sequence of simple computer instructions (such as "add two numbers" and "store a value in memory") and complex procedures that do more complicated tasks (such as "prompt the user for a password" or "send a document via email"). These complex procedures go by many names--functions, subroutines, methods, and procedures--but we will call them "procedures" here. A program makes a "call" to a procedure, which causes the procedure to do its particular task. The procedure then "returns" to the program, at the point immediately after the call that activated it. The procedure knows where this point is because it has a "pointer", something like a bookmark, that indicates where the next instruction may be found.

When a program is started, the computer reads the first instruction in the program, and does what the instruction says to do. Then it moves on to the second instruction, and does what that says to do, and so forth. When the next instruction is a call to a procedure, the computer stores the current location in the program and jumps to the procedure (think of it as putting a bookmark in a book, and flipping to the back to read an endnote). Under normal conditions, when the procedure is finished, the computer reads this stored location, and jumps back to where it was interrupted. (Just as a reader would go back to the passage following the reference to the endnote.)

Our exploit takes advantage of a flaw in the program to modify this pointer (the current location in the program), so that the procedure returns to the wrong location when it finishes. In fact, we make the procedure return to some instructions that we provided as input to the program.

--Cmckenzie 16:18, 23 October 2005 (PDT) This is a very clean explanation, thanks. I'm not sure if you need to put it in the assignment, but for my own interest, is there a plain english way to describe how you modify the pointer?

--Chris DuPuis 20:12, 23 October 2005 (PDT) Sure. The target program is very simple. The program takes one argument. (Arguments are all of the stuff on the command line after the name of the program. For example, when you enter "mail john_doe@example.com", the program "mail" (a very simple Unix email program) is started, and the one argument to the mail program is "john_doe@example.com". (In the case of the mail program, this is interpreted to mean "compose a new mail message to john_doe@example.com", but other programs use arguments differently.))

So, our program lets the user enter one argument. It copies the value of that argument to an empty place in memory (usually called a "buffer"), much like a student might copy a question from a textbook onto his homework paper.

However, the program doesn't check that there is enough space before it starts copying, and it doesn't stop copying until it gets to the end of the argument. This becomes a problem if the argument is larger than the buffer. Picture a student copying out of a textbook, filling up his paper, and continuing to write all over the surface of the desk, on the floor, the walls, the TA, etc.

This copying of the argument into places where it shouldn't be copied is how the pointer gets overwritten.
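The unchecked copy described above, as an added example that is neither Team 12's exploit code nor the target program's source: the flawed pattern beside a bounded replacement that rejects any argument that does not fit. The 64-byte buffer and the 64/80/96-byte argument sizes come from this discussion; the function names and the generated strings of 'A' are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* size of the exploitable buffer named in the discussion */

/* The flawed pattern: argv[1] is copied into a fixed-size buffer with no
 * length check. strcpy() keeps writing until it reaches the argument's
 * terminating NUL, so an argument longer than BUF_SIZE overwrites whatever
 * follows the buffer on the stack, including the saved return address.
 * Shown only to make the defect concrete; nothing below calls it. */
void unchecked_copy(char *buf, const char *arg)
{
    strcpy(buf, arg);
}

/* Length of s, scanning at most limit bytes (avoids depending on strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Check only, without copying: 1 if arg (plus its NUL) fits in dst_size bytes. */
int argument_fits(const char *arg, size_t dst_size)
{
    return arg != NULL && dst_size > 0 && bounded_len(arg, dst_size) < dst_size;
}

/* Bounded replacement: refuse the argument outright if it does not fit.
 * Returns 0 on success and -1 on rejection; on rejection dst is left
 * untouched, so no partial or truncated copy is ever produced. */
int copy_argument(char *dst, size_t dst_size, const char *arg)
{
    size_t len;

    if (dst == NULL || arg == NULL || dst_size == 0)
        return -1;
    len = bounded_len(arg, dst_size);
    if (len >= dst_size)
        return -1;                 /* no room for the argument and its NUL */
    memcpy(dst, arg, len + 1);     /* exactly len bytes plus the terminator */
    return 0;
}

/* Test helper with a constructed argument of n 'A' bytes (not real input):
 * returns 0 if the copy succeeded and matches, -1 if it was rejected and the
 * destination was left untouched, -2 if either outcome is inconsistent. */
int try_length(size_t n)
{
    char arg[256];
    char dst[BUF_SIZE];
    int rc;

    if (n >= sizeof arg)
        return -2;
    memset(arg, 'A', n);
    arg[n] = '\0';
    memset(dst, 'x', sizeof dst);  /* sentinel so we can detect any write */
    rc = copy_argument(dst, sizeof dst, arg);
    if (rc == 0)
        return strcmp(dst, arg) == 0 ? 0 : -2;
    for (size_t i = 0; i < sizeof dst; i++)
        if (dst[i] != 'x')
            return -2;             /* rejection must not modify dst */
    return -1;
}

int main(int argc, char **argv)
{
    char buf[BUF_SIZE];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (copy_argument(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument rejected: longer than %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("stored %zu bytes safely: %s\n", strlen(buf), buf);
    return 0;
}
```

Run with an 80- or 96-byte argument and the bounded version rejects it where the original program's copy would have run past the buffer.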

II. Estimated dollar value of damage caused by an attack

--Cmckenzie 19:24, 23 October 2005 (PDT)

Methodology The potential dollar value of an attack is difficult to quantify as many/most things that can be targeted by the attack fall into two categories which defy easy economic assessment. Firstly, targets may have no clearly established market value. This category includes private business information, non-financial personal information, etc, the value of which depends on private judgements or specific conditions of business that are not generalisable. Secondly, there are things that are inherently incapable of valuation under most economic schema, though they affect economic relationships. This category includes intangibles like trust, relationships, emotional affects. Some of these intangibles may be capable of rough valuation ex post. For example, by assessing the fall-off in the dollar value of a business relationship after an attack due to a lack of trust or sense of security. However, such assessments are case specific and not capable of ex ante estimation or extension to the general case.

This report will provide dollar value estimates for reasonable upper and lower bounds for damage as well as expected values where discernible. Discussion will also highlight areas where dollar value estimates are difficult or impossible due to either inherently or practically unquantifiable variables. Finally, discussion will extend to the likely allocation of cost amongst different institutions.

1.Home Computer

Direct financial fraud E(x)=$1,289.50 Although not enormously complicated, significant technical expertise over and above implementing the buffer overflow exploit is required to install keystroke monitors and screen capture devices that collect credit card or bank account information and enable this kind of fraud.

Users who employ internet banking or make purchases with credit/debit cards are far more vulnerable to direct financial loss. Currently 44% of internet users bank online[1] and 34% shop online[2]. One would expect that there is a significant overlap between these groups, though this was not looked at in the research cited – I will thus make the assumption that 50% of internet users engage in at least one of these activities. The average value of an incident of internet based financial fraud is $2,579 for January-June 2005[3]. Given that approximately 50% of US based internet users are vulnerable, the expected value of a single attack on a single terminal for the purpose of financial gain is $1289.50 (the probability of a successful attack multiplied by the average value thereof - 0.5 X $2,579). Clearly, the ability to automate and scale up such attacks significantly increases the potential gain linearly in proportion to the number of terminals that may be attacked. The minimum value of a single incident is $0 for users who do not bank or shop online, and the maximum is the total sum value of any credit lines and bank accounts which the user employs online.

Intangibles may contribute further to losses – the effect of a single case is small but if many incidents occur merchant and consumer confidence may be undermined and the efficiency of e-commerce could be jeopardised.

In this case the loss may be borne in a number of different ways, depending on the specifics. Legislation sets the limit of user liability for credit card fraud at $50[4]. However a massive loss can be borne by the merchant. If they have shipped or sold a fraudulently purchased item, they lose the entire value as the credit card issuer will 'chargeback' the fraudulent charge and the merchant has no recourse[5]. The position is similar in the case of debit cards, as most major financial institutions have voluntarily committed to a $50 limit for consumer liability in cases of fraud, but this may be shirked by smaller and less reputable institutions and the obligation to report theft is stronger – consumer losses up to $500 may occur if notification of the card's issuing institution does not occur within 48 hours of the consumer gaining knowledge of the theft, or the whole value of the checking account if the consumer does not notify within 60 days. As with credit cards, chargebacks mean the loss falls almost exclusively on merchants.

Identity Theft

Using similar technology to that employed in direct financial fraud, identity theft can often lead to substantially larger losses. Attacks targeting identity theft have a smaller chance of success as more information is needed than for a credit card or bank account fraud, but if an incident does occur it can lead to great losses. A 2003 study found that the average incident of identity theft led to $92,893 in fraudulent charges[6] – often from opening lines of credit in the victim's name. The loss is normally borne by the financial institution, but it can take huge efforts on the part of the victim to overcome poor credit ratings and to deal with creditors. Consequently the ultimate economic impact is substantially greater than the amount of money stolen.

Botnet/DDOS

Beyond direct financial fraud, the installation of malware can also facilitate denial of service (DDOS) attacks on networks secondary to the computer that has been attacked. These techniques involve the co-opting of many computers which all simultaneously request information from the same server, essentially congesting the network and preventing it from functioning. It is worth noting that significant further work would be required to use buffer overflow techniques to successfully set up DDOS schemes, as the time and labour intensive technique we used will only allow small numbers of computers to be captured. The marginal benefit (to the DDOS attack) of gaining control of any one machine is very small, so automation would be essential to gain sufficient scale to effectively carry out an attack. Such attacks could be carried out by a terrorist group to engage in protection rackets for fundraising purposes, to inflict a financial loss on an ideological enemy, or to disrupt any internet based service. The damages inflicted are largely dependent on the goal of the attack and the nature of the target. Of particular concern is that terrorists could coordinate a physical and web based attack to disrupt emergency services and other coordination heavy post-disaster essential services, or to prevent technology based aggregation and dissemination of important information. As such a DDOS attack involves much more than a buffer overflow exploit on a single computer, its impact will be considered only in general terms. The impact on the co-opted computer is negligible.

(i)Protection racket/fundraising The economic impact is proportional to the rate at which the disrupted service earns money and the length of time for which the attack is sustained before the deployment of effective countermeasures. The cost of countermeasures also needs to be taken into account.

(ii)Infliction of financial harm for ideological/non-financial reasons As above, the economic impact is proportional to the rate at which the disrupted service earns money, the length of time for which the attack is sustained before the deployment of effective countermeasures and the cost of countermeasures.

(iii)Disruption of internet based services There is now significant coordination of government, non-profit and business activity via the internet. Disruption via DDOS could have drastic consequences, especially if it was coordinated with the aftermath of a physical terrorist attack in a large population center.


2.Walmart VP Computer

The use of a buffer overflow to gain control of a Walmart computer could have many of the same consequences as an attack on a personal computer. It is likely Walmart would disallow the use of their computers for personal shopping and banking, making fraud and identity theft less likely, but the Walmart computer could definitely be exploited for use in a DDOS attack. Obviously the larger and fundamentally different concern is that, given the VP's responsibility and authority with respect to ordering from China, the computer could be used to inflict a large cost on Walmart or its suppliers by placing false orders, cancelling orders or otherwise maliciously manipulating the supply chain. Walmart is a sufficiently large entity that large scale malfeasance in the supply chain could have serious flow-on costs to the whole US economy. Clearly, ordering unnecessary product will cost Walmart the difference between what they paid and the price at which they are ultimately able to sell the product combined with the opportunity cost of not ordering something more profitable with the money. The precise cost will vary across different markets according to consumer demand, the durability of the good, the lucrativeness of the missed opportunities, etc.

Several factors concerning the corporate structure and legal architecture of the supply chain protect against too substantial a loss being inflicted. Firstly, it is legally necessary for a supplier to know they are dealing with someone with authority to bind a corporation in contract. Secondly, it is likely that a supplier would be inclined to question an abnormal transaction – in fact, even without human intervention, software to filter for this sort of incident is likely to be installed already and may give rise to an alert. Whilst Walmart's conduct in honouring orders from the computer before may go some way to giving the supplier the right to assume such orders will be honoured, if a particularly large or abnormal order comes through, it is likely that the supplier will make further inquiries, both to ensure that the order is binding on Walmart due to the corporate authority of the orderer and also out of normal business courtesy. Walmart can also limit their potential losses by conferring corporate authority on the VP to make orders only up to a certain necessary amount, so that abnormal orders are non-binding.

It is likely that, given the protections built into the corporate mechanism where limited authority is given to any one VP and where abnormal transactions are likely to be both non-binding and to give rise to human intervention, the damage caused by a buffer overflow exploit on the VP's computer is likely to be primarily nuisance - lost work hours for the VP and colleagues and for the supplier in China. The economic impact will be measurable, though it is contingent on too many factors to estimate. Nonetheless, it is unlikely to be significant in the scale of Walmart's day to day operations.


   A. Home computer
      1. Credit card fraud - This can be exploited several different ways, but in the end, the consumer's liability is limited to $50.00.  Thus, it is a more significant risk for the financial institutions than for the consumer.

--Cmckenzie 11:39, 21 October 2005 (PDT) We still need to assess the risk, whoever is ultimately legally liable for the loss. There is a useful statistic on the average cost of an incident of internet credit card fraud which places the value in the US at around $2K (I misplaced the stat but I'll find it again). Losses are potentially very great if this vulnerability allows the implementation of an automated system for credit card fraud - $2K every how many seconds? Also worth thinking about the different implications for high/low net worth individuals.

      2. Identity theft - This can have much more serious financial consequences for the individual and can take several years to sort out.

--Cmckenzie 11:39, 21 October 2005 (PDT) There's a stat somewhere on this too, I'll try to find it if no one else does.

      3. Botnet/DDOS applications

--Cmckenzie 11:39, 21 October 2005 (PDT) Cost is entirely borne by others. The incremental increase in cost of having a single computer added to a DOS is, I would guess, very low, so the cost here depends on scalability.

      4. Reporting incorrect information.

--Cmckenzie 11:39, 21 October 2005 (PDT) 5. Ability to execute/enter financial transactions (online trading, loan apps, etc) outside the authority of the normal user.

   B. Walmart ordering computer
      1. All of the home computer items, and...

--Cmckenzie 11:39, 21 October 2005 (PDT) Probably not identity theft or cc fraud, if Walmart have 1/10th of no concept of security. Perhaps low level staff would be allowed to use their computers for personal business, but it would pay to not allow this if a computer had large ordering authority.

      2. Ordering things inappropriately.

--Cmckenzie 11:39, 21 October 2005 (PDT) Potential cost - if ordering is done with no further communication, potentially write-off entire value of order. Potential loss = ordering authority of computer.

      3. Failing to order things when requested.

--Cmckenzie 11:39, 21 October 2005 (PDT) Probably not as bad. Potential loss = loss on profit per item rather than write off of entire cost.

      4. Business strategy advantage for either supplier, competitor of supplier, or competitor of Walmart (depending on who compromises the computer)
   C. Trading computer
      1. Making trades inappropriately.

--Cmckenzie 11:39, 21 October 2005 (PDT) [Maybe interesting to think about, but disregard this comment to some extent - reread the question and it is specifically about computer used to trade stocks on NYSE] The cost of this is going to depend on what can be traded. For example, making inappropriate futures contracts would probably allow an incredibly large loss to be made, though there would be a strong argument that such contracts wouldn't be legally binding, meaning the outcome was only a small loss of efficiency within the market. If contracts can be made and (4) is done too, then, maybe, bigger trouble. That said, trades happen at two endpoints and are centrally recorded on exchanges, so it may be difficult to kill off the records. Also, if the attacker can cover their steps sufficiently well, the institution may be unable to prove that the trades were executed without authorisation.

      2. Failing to make trades when requested

--Chris DuPuis 21:32, 21 October 2005 (PDT) One possible motivation for failing to make trades would be to undermine investors' confidence in the trading house. If the Schwab computers reported errors whenever a particular large customer tried to make large trades, that customer would be unlikely to remain with Schwab for long.

Also, a program that introduces delays into transactions (which would be easily hidden in the background of unpredictable delays inherent in Internet processing) could be written. Such a program could delay particularly significant transactions for a few seconds, and signal a remote program that the transaction was about to take place. With the knowledge that a major trade was imminent, this remote program could buy (or sell) stock to profit from the inside information. (The signal could be something as untraceable as buying an unusual number of shares of some unpopular stock.)

      3. Reporting incorrect information.
      4. Failing to store records of trades

--Cmckenzie 11:39, 21 October 2005 (PDT) This is an interesting idea. Managing to undermine property rights within a trading system would be potentially very destructive. Interestingly, I have a contact with a risk management guy at a large scale funds management and consulting group, who told me that they keep more paper records than you would guess despite automatization, to fight this very problem.

III. Applications of value to terrorists

(Brian's written up some of this in e-mail - please paste it in Brian)

--brianmcg 18:40, 21 October 2005 (PDT)

Attack Scalability, Feasibility and Value

The scalability, feasibility and potential value of a buffer overflow attack varies with the type and age of the attack used and the target of the attack. The overflow exploit itself grants access to a system, but the real damage is determined by the quality of the attack carried out after the system is controlled. In general, as the value of the attack increases, the scalability and feasibility of the attack decreases. This is due to the increased difficulty in exploiting more valued targets due to better security, requiring additional technical and financial resources be used by the attackers.


      A. Scalability

--brianmcg 18:40, 21 October 2005 (PDT) The scalability of the attack is determined by how easily the attack could be expanded from a single exploit to something that could either be used against multiple targets or by multiple groups of attackers for greater effect. A widespread and quickly carried out attack would be required to do maximum damage before it is identified and systems are secured against it. Highly scalable attacks would require fewer, smaller teams (since the more and larger the teams the more difficult the coordination would be) with less technical capabilities (since highly technical people are harder to find). The most scalable attack would be one that required a single person and was designed to self-propagate quickly over a network, exploiting and then searching for hosts to infect. Less scalable attacks might require multiple steps, wouldn’t propagate on their own or require a human for any stage of the attack.

Attacks can be placed into one of two categories – general and targeted. General attacks are against any system publicly accessible from the Internet using an exploit against a flawed service accepting connections on publicly accessible ports. Targeted attacks are against systems that are not directly accessible from the internet as they are protected by a firewall or run on a separate network infrastructure. These targets are presumably more valuable because they are better secured, but would require a more complicated strategy to attack, decreasing the scalability and likelihood of such an attack.

In the case where a buffer overflow attack is against a system that is directly accessible over the Internet and exposes a flaw that is part of a network service, the attack is inherently scalable. The attackers would only be limited by the speed with which they could scan systems for the flaw and exploit them. The rate of scanning systems for the flaw would be determined by the number of systems the attackers have at their disposal to carry out the search. If the exploit includes changing the exploited system into one of the attacking systems, then the attack can propagate very quickly, which is why worms of this type are the most likely to make the news and cause major disruptions to the Internet.

For a buffer overflow attack against a system that isn’t directly accessible over the internet or against software accessible only after logging in to the targeted computer, the difficulty in penetrating the security to reach the flawed program causes the attack to be far less scalable. Breaking through a DMZ to access a computer on an internal company or government network would require more specialized skill sets and exploratory attacks as the defenses are not known until they are reached. For this reason attacks that target systems or software that are not directly accessible over the internet are not as scalable.

--Chris DuPuis 21:51, 21 October 2005 (PDT) Note: While local exploits are less dangerous as targets for outside attackers, they provide a huge hole that can be exploited by insider hackers, which (according to this article) account for 70% of all malicious attacks. So in some sense, local root exploits scale to the space of all companies that have disgruntled employees.

--Chris DuPuis 20:31, 22 October 2005 (PDT) (Note that this was 70% in 2000. Outside attacks have certainly gone up since then. Have inside attacks also gone up? An insider would have a foot up in knowing which systems to target, which attacks would be least defended against, and how best to take advantage of the exploit.)

      B. Feasibility of acquiring the technical and financial resources

--brianmcg 18:40, 21 October 2005 (PDT) The feasibility of the attack is determined by the likelihood of a flaw in software, the difficulty inherent in carrying it out, and affected by the technical and financial resources needed to execute the attack. Buffer overflow flaws in software are fairly common, and are routinely discovered and patched. There are almost certainly flaws remaining in software running on Windows and *nix systems, and new software (with new flaws) is being written all of the time. As we saw in this exercise, exploiting flawed software with a buffer overflow attack is not difficult for a programmer who has time to research the system that will be attacked. However, the targets we exploited were much easier to understand than actual software running on most systems. The technical feasibility is determined by how easy it is to find or otherwise procure an exploit that is not widely protected against.

Technical Feasibility

Assuming that shortly after an exploit is publicly known, most computers are upgraded to be secured from the attack, one of two things would be needed to carry out a new attack on a large scale. Either the terrorist organization would need to have skilled members who are actively researching systems for previously unknown exploits, or they would need to have members who have achieved enough trust or credibility in a cracker community such that they have access to online resources where zero day (that is, knowledge of an attack as it is discovered and before security companies are aware of it) attack information is posted by those who have done the primary research and first identified the exploit. The assumption that most attacks are only useful shortly after an exploit is identified is likely correct for valuable targets, since the more valuable a system, the more likely it will be patched, upgraded and protected from older attacks. While some systems are not kept up to date with security patches, they are likely less valuable, though they can be used to propagate other new attacks. This yields the requirement that skilled technical resources are needed for an attack against a valuable target.

Less technical resources would be needed to carry out attacks using known exploits since by the time an attack is commonly known, usually a kit has been put together for carrying it out. The user of a rootkit (a user friendly tool used to gain root access to a system) need not understand the software being exploited or the security flaw, but simply needs to understand how to use the tools provided. Waiting for an exploit to be available in this format would reduce the technical requirements of the attack but also significantly reduces the value of the attack as more potential targets are secured against it, making it more feasible, but likely less valuable.

A terrorist group that wants to research its own attacks would require skilled individuals being supported while they research potential targets. The terrorist organization would not be able to guarantee any amount of output of new exploits since the frequency and quality of the new exploits would be completely dependent on the skill of their members. People with these skills would not have to be university trained, but would need a significant education in programming. Technical people with these skills are readily available in many countries and would not be difficult to identify. However, building a team of such members is likely not very feasible unless the group funds putting its own members through training to become programmers. Because of limited resources such research by a terrorist group is not very likely.

As an alternative, a terrorist group could rely on others for the exploit research. This requires less technical skill, since they need only understand the exploit, not discover it, making it more feasible for them to have the technical resources since the more complicated work is done for them by others. This however would be more difficult from a social perspective since gaining access to 0day information requires an established presence in a community that may not be easy for many terrorist organizations to acquire. So the technical feasibility is greater, but other barriers would arise.

For better secured, more valuable systems that are not directly reachable over the internet, it would be significantly harder for the terrorist group to find technical resources required for such an attack. Buffer overflow attacks could be used to gain root access to such a system, but multiple exploits would likely be needed to carry out the complete attack. In addition the quality of the attack would need to be significantly higher because the attack takes more time. The longer and more complicated the attack, the more likely that the attack will be discovered before it is completed, requiring that the attackers take additional precautions to avoid leaving a trail (only storing in memory, hiding processes and effects of the early stages of the attack or exploration).

Financial Feasibility

The financial resources required depend on how the exploit is acquired and implemented. The resources needed for the terrorist organization to generate its own exploits would be significant, as the organization would need to employ, train or recruit technical personnel who could otherwise hold legitimate, well-paying jobs. The likelihood of discovering an exploit is completely dependent on the skill of the engineer, and more money would likely be needed to entice better technical members to join or work for the organization. If the group has a member with access to information about newly discovered exploits, far less financing would be required, since anyone with enough charisma and enough technical knowledge to pass could potentially gain access to such information. It might also be possible to buy 0day exploits from those who have access to them (not necessarily the person who first discovered the exploit). The cost would likely be far less than funding the research itself, but more than if the group had a member with connections among those researching 0day exploits.

      C. Potential value of cyberattack as a tool for accomplishing the aims of terrorists (David C would like to work on this section)

--brianmcg 18:40, 21 October 2005 (PDT) Value

The value of an attack would be judged based on the amount of disruption caused, the notoriety of the attack and/or the amount of money or information it would yield the terrorist organization.

A buffer overflow attack carried out against systems that can be exploited over a network connection would likely impact the largest number of systems, causing the most disruption to the average user. The impact would likely be to inconvenience people temporarily until a fix is provided depending on the effect of the code propagated by the exploit. Because a large number of people would be affected, it is likely that the attack would gain significant publicity for the terrorist organization, though it would be up to the group to claim responsibility for the attack if they wished. The financial impacts of the attack would include a temporary stop in commerce for affected users, the sum total of which might be significant, but the impact would be spread out over so many people that no one organization might be heavily impacted.

A significant amount of money could be made by the terrorist organization if, once the host is compromised by the buffer overflow, the system is scanned for credit card, bank information, passwords, etc. If this information is relayed back to the terrorist organization and resold or used quickly, a large amount of revenue could be generated. The terrorist organization might choose to target a specific target for political or other reasons. Law enforcement agencies that might be attempting to track the group would have information useful to the terrorists including potential spies, locations under surveillance and other intelligence gathering methods.


         1. Successfully attacking the financial markets, possibly through means such as causing trading computers to fail to store the records of transactions, could seriously damage both domestic and international confidence in the U.S. financial markets.  That could have significant economic consequences as the economy runs on more or less of a confidence and trust basis.  (Summarization - not all I have to say!) 


IV. Defenses

Home Computer scenario

--Dennis Galvin 16:25, 23 October 2005 (PDT)

We first identified a number of potential defenses which might have some applicability to attacks against and through home computers.

  • Anti-Virus and Anti-Spyware software: There are both shrink-wrap (commercial) and freeware/open source products available in this category. The commercially available products typically have a low initial cost and renewable subscription to virus signatures. A significant portion of users do not renew their subscriptions, however, leading to vulnerable computers which can be compromised.
  • Firewalls: These can be software or hardware. The hardware firewalls can be purchased for home use. The more fully featured and fully configurable hardware firewalls found in businesses are generally not required for home use. Software firewalls are available as both add-on purchases and Microsoft has now integrated a firewall into the Windows XP operating system.
  • High quality software: Software by its nature has flaws. Software developers and publishers strive to develop less vulnerable products, and repair (patch) vulnerabilities in already released products. The computer operating system software needs to be as flaw free as possible.
  • Operating systems and security products default to most secure settings, and easily configured for high security: The Windows family of operating systems has moved in this direction, but there is far to go. Linux is notoriously difficult to configure securely, although it is becoming easier and there are now some more secure distributions and utilities for locking down a Linux box (e.g. Bastille). Mac is Unix now, so somebody please say something about Macs if you can. Windows needs to refuse to install unsigned drivers and codecs (this will begin to force accountability in third party software).
  • Effective patching/updating mechanisms: Windows and some Linux distributions have moved in the direction of making it easy to update systems (Windows Update and Synaptic respectively). Many users still do not patch regularly or in the case of Windows have turned off automatic updates.
  • ISP default port blocking policy: Prevent home users from operating exposed servers unless separate application is made for credible reasons. Exposed servers can be attacked and compromised. Providers can be more proactive as attacks are mounted by aggressively blocking inbound traffic on ports affected by the attacks. ISPs need to very aggressively block outbound attack traffic from their networks and shut off access to / from attack sources (many do, but others – especially in non-US countries – do not).
  • Redesign the internet communications protocol to be more secure, preventing address spoofing. This is a massive, costly undertaking, but will need to be done eventually anyway (PITAC report).
  • User education: What good is all of the above if users will defeat all security just so they can have a cool screen saver somebody sent them in an e-mail? This is very tough to do, as owners have different motivations for purchasing computers, some computers are used entirely by children, and there is no licensing requirement to operate a computer.

Identify existing financial and non-financial incentives for installing defenses

  • Financial incentives: For the home computer scenario, there are few extant financial incentives, and a couple of significant disincentives for the owner. Installing defenses can be one component of protection from identity theft, and disclosure of personal information to a wider audience. Both of these types of breaches can have significant financial effects on the computer owners. Additionally, restoring a compromised system to working order may require additional expertise and software which comes at a cost to the computer owner. The cost (disincentive) of implementation of these security measures is borne entirely by the computer user, and many home computer users do not possess the skills required to put these measures in place. Home computers are along for the ride when the internet communications protocols are eventually reworked.
  • Non-Financial incentives: Not installing defenses can lead to time when the computer and its resources are unavailable for entertainment, educational pursuits, communication, news gathering, etc. Restated: Installing defenses is one component of maximizing the reliability and availability of the computer. For ISPs, aggressive port blocking should improve their user experience, which might contribute to more word of mouth referrals.

Evaluate the adequacy of these incentives

  • Unfortunately the incentives are largely non-existent in the major areas of user education and redesigning the internet protocols.

Discuss whether additional protection would be cost-effective

  • It is only cost-effective if the vast majority of computer owners opt for buying in, as most of the costs for defenses would be passed on to the owners.

Identify lowest cost provider for upgrading protection (e.g. Microsoft, Norton, AOL, Corporate IT networks, computer owners)

  • The lowest cost provider for upgrading defenses is going to vary depending on which defenses are implemented. Clearly the lowest cost provider of the more secure operating system software with more secure defaults and intuitive security features is going to be the OS publisher (e.g. Microsoft, Apple, etc.). The lowest cost provider for creating the innovations to the infrastructure commonly used by all will be government funding of basic research.

List and evaluate possible policy levers for government intervention (e.g. tax incentives, legal liability, insurance)

  • Require OS vendors to provide a minimum amount of anti-virus, anti-spyware, firewall software in the operating systems.
  • Increase regulatory penalties for ISPs whose customer base is the source of attacks.


Team_12_Corporate_Defenses

      B. Walmart Ordering Computer
         1. All of the above
         2. Intrusion detection tools
         3. Auditing tools
         4. Managed software deployment and maintenance tools.

--Dennis Galvin 15:05, 22 October 2005 (PDT) Walmart is clearly a huge business. As a corporation, they need to set an IT policy, and take responsibility for ensuring the integrity of their computing mesh. The above measures are partially the means of implementing that policy. Some components of an effective policy to defend against attacks may include: 1) defining access rights (for instance only IT folk are allowed to sign on as administrators); 2) testing of patches before rollout; 3) testing of software before it is installed; 4) acceptable use policy; 5) strong password policy and enforcement; 6) containment policy when intrusions are detected. The chosen policy must be clearly articulated and understood at the level required by all levels (upper management to greeters) in the firm.

--Chris DuPuis 20:24, 22 October 2005 (PDT) Another aspect of a security policy is to define the services that each class of network user requires, and to put up obstacles (such as firewall rules and enforced corporate policies) to any other network service. By making strict enough policies, the majority of workstations, which have no need to be connected to by other computers, and only need to connect to other computers for web and mail service, can be protected from the kind of remote exploit that we are considering here. This allows the administrator to concentrate on the more difficult task of keeping the servers that provide services on the Internet secure.
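The following is an added illustration, not code from the original page or from any team member. It models the per-class-of-user service policy described in the comment above (workstations get outbound web and mail only, servers get only the services they publish, everything else is refused) and the ISP default port-blocking policy from the home computer defenses list, as a default-deny rule table. The class names, port lists, sample flow records and the iptables rendering are all assumptions of this example; the iptables command syntax itself is standard, but the ordering and the stateful reply rule are choices made here.

```python
"""Default-deny network policy per host class, with an iptables rendering.

Added example for this wiki page. Host classes, permitted services and the
sample flows below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host_class: str   # e.g. "workstation", "web_server", "home_user" (assumed names)
    direction: str    # "in" = connection made TO the host, "out" = made FROM it
    proto: str        # "tcp" or "udp"
    port: int         # destination port of the connection


# Policy table: for each class, the set of (direction, proto, port) that is
# permitted. Anything not listed is refused, which is the "obstacle to any
# other network service" argued for above. The lists are assumptions.
POLICY = {
    # Workstations: outbound web, mail and DNS only; nothing may connect in.
    "workstation": {
        ("out", "tcp", 80), ("out", "tcp", 443),
        ("out", "tcp", 25), ("out", "tcp", 110), ("out", "tcp", 143),
        ("out", "udp", 53),
    },
    # Internet-facing web server: inbound HTTP/HTTPS and admin SSH, outbound DNS.
    "web_server": {
        ("in", "tcp", 80), ("in", "tcp", 443), ("in", "tcp", 22),
        ("out", "udp", 53),
    },
    # Home user behind an ISP default-block policy: no exposed servers at all.
    "home_user": {
        ("out", "tcp", 80), ("out", "tcp", 443),
        ("out", "tcp", 25), ("out", "tcp", 110), ("out", "tcp", 143),
        ("out", "udp", 53),
    },
}


def is_allowed(flow: Flow) -> bool:
    """Default deny: an unknown class or an unlisted service is refused."""
    return (flow.direction, flow.proto, flow.port) in POLICY.get(flow.host_class, set())


def evaluate(flows):
    """Split a list of flows into (allowed, denied) according to POLICY."""
    allowed, denied = [], []
    for f in flows:
        (allowed if is_allowed(f) else denied).append(f)
    return allowed, denied


def render_rules(host_class: str):
    """Render the policy for one class as iptables commands.

    Default policies are DROP on every chain; loopback and replies to
    already-permitted connections are accepted (a stateful firewall needs
    this so that an allowed outbound web request can receive its response),
    then one ACCEPT per permitted service. Ordering is this example's choice.
    """
    chain = {"in": "INPUT", "out": "OUTPUT"}
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for direction, proto, port in sorted(POLICY.get(host_class, set())):
        rules.append(f"iptables -A {chain[direction]} -p {proto} --dport {port} -j ACCEPT")
    return rules


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("workstation", "out", "tcp", 443),   # browsing: allowed
    Flow("workstation", "in",  "tcp", 445),   # inbound file sharing: denied (remote exploit path)
    Flow("workstation", "out", "tcp", 6667),  # outbound IRC: denied
    Flow("web_server",  "in",  "tcp", 80),    # serving web: allowed
    Flow("web_server",  "in",  "tcp", 3306),  # database port open to the internet: denied
    Flow("home_user",   "in",  "tcp", 80),    # home user running an exposed server: denied by ISP policy
    Flow("printer",     "in",  "tcp", 9100),  # unclassified host: denied until someone classifies it
]

if __name__ == "__main__":
    allowed, denied = evaluate(SAMPLE_FLOWS)
    for f in allowed:
        print("ALLOW", f)
    for f in denied:
        print("DENY ", f)
    print()
    print("\n".join(render_rules("workstation")))
```

The point of the unclassified "printer" host is that default deny also covers the machines nobody thought about: a host that is not in the policy gets no services at all, which is the safe failure for the remote-exploit scenario this page considers.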


      C. Trading Computer