Difference between revisions of "Team 14 Main"

From CyberSecurity

Revision as of 21:37, 23 October 2005

Contact information:

Imran 425-736-6490, iali@microsoft.com
Osama 425-241-7464, osamam@microsoft.com
Asad ??????, asadj@microsoft.com
Jared ??????, jaredsmelser@yahoo.com
Zaheer 408-250-7872, zaheerm@uclink.berkeley.edu

Assignments

Programming - IMRAN, ASAD, OSAMA

For each of your assigned sections, write 2-3 pages each and post on the wiki. Each section should be complete by MONDAY morning so that we can review it together as soon as possible. Also, we need to start posting our first drafts on the wiki as soon as possible.

http://www.cs.washington.edu/education/courses/csep590/05au/project.html


Description of attacks - OSAMA

[Team members should treat each attack as a controlled experiment, recording such variables as time-to-break-in, techniques attempted, success rate, hypothetical defenses, and the feasibility of automating successful attacks. Each engineering member is encouraged to mount his/her own attack separately in order to gain maximum experience with the target. A plain English, no jargon description of attack techniques attempted, vulnerabilities exposed, estimated difficulty, and the estimated cost/feasibility of defending against other, similar attacks in the future. (We encourage the policy members of the team to write this section of the report -- it will ensure that the technical members of the team have helped teach them the technical basics.)]


Estimated dollar value - ASAD

[Estimated dollar value of the damage that such an attack could cause 1) to a private home computer, 2) to a corporate computer used for letters and correspondence by Walmart's Corporate VP for Ordering Stuff from China, and 3) to a Charles Schwab computer used to place buy/sell orders on the New York Stock Exchange. Your estimate should consider potential damage to both the computer's owner and third parties.]


Feasibility and Strategic value - IMRAN

[Estimated feasibility and strategic value of the attack technique to a terrorist organization. Teams should consider, at a minimum, 1) scalability of techniques, 2) feasibility of acquiring the required technical and financial resources, and 3) potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5.]

Summary

The buffer overrun attack technique is a feasible way for a terrorist organization to meet some of its aims. The strategic value of such an attack would be less than that of a ‘typical’ terrorist attack, as it would lack the drama and media attention of a physical attack on a material object such as a nuclear power plant. However, the actual feasibility of such an attack could be diminished by current advances in operating system security features and by greater public awareness of security problems such as phishing and virus attacks.

1) Scalability of technique

An attack using buffer overruns could be used against multiple clients, i.e. all those who run applications with the vulnerability. For example, a terrorist organization could find a vulnerability in a web control on a frequently used website such as http://www.cnn.com. The organization could then infiltrate the company or the website and have this code placed on the website. Another attack could use phishing, so that users are fooled into visiting a website with a very similar spelling, such as www.cnnn.com, which would not have the same audience but could still be an effective attack technique. Since the attack is code, it is generally not difficult to distribute, and the attack is therefore easy to spread. Another way to deliver such an attack would be a trojan horse: an email message with an attachment that causes damage or that takes advantage of a buffer overrun to gain root access to the user’s system. If a terrorist organization wanted to hit a wide range of people, the above techniques would be scalable given the high rate of Internet connectivity in the US. Even if the organization wanted to hit a targeted number of government machines or businesses, this technique is still feasible, especially given that many IT organizations (including the government) have machines running operating systems with known security vulnerabilities.

On the other hand, recent releases of operating systems have built-in mechanisms against buffer overruns. For example, managed code does not allow this to happen, and it is almost impossible to use this technique unless calls to unmanaged code are made. I would argue that the scalability would only be slightly diminished, especially given that there are still components of the OS that contain such vulnerabilities. For example, the Sasser worm exploited a vulnerability in a core component of the Windows operating system.

2) Feasibility of acquiring the required technical and financial resources

The required resources are more technical than financial in nature. In order to engineer an exploit, generally anyone with a Computer Science degree could do this once taught the underlying techniques and given the tools. Websites such as www.phrack.com already give detailed information on known vulnerabilities, which could guide a determined engineer. On a global level, there is definitely no shortage of qualified people who could accomplish this.

As for financial resources, all that is mostly needed is a PC with Internet access, plus whatever money is paid for doing this. These are not usually activities for mercenaries; instead, members of a terrorist organization could easily have this technical knowledge, or recruit members who are fresh graduates from university. According to an article in the Washington Post (http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26), groups such as Al-Qaeda are already recruiting members with advanced technical capabilities, such as recent university graduates. Rather than developing their own computer skills, terrorist groups might also try to hire or trick unaffiliated hackers into helping. There are also many highly skilled and underpaid computer specialists from the former Soviet Union. Hackers who dislike America might also decide to perpetrate an attack independently. Following the April 2001 collision of a U.S. Navy spy plane and a Chinese fighter jet, Chinese hackers launched denial of service attacks against American Web sites. A terrorist organization could contact such hackers and convince them to join its particular cause.

In general, it is becoming increasingly easy for terrorist organizations to acquire resources to attack vulnerable targets, mostly because there is a global supply of highly skilled engineers who may be tricked or persuaded into helping an organization given the right financial or ideological incentives. This is confirmed by both government and private sector reports indicating that recent attacks have grown in both sophistication and volume.

3) Potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5

Given the feasibility and relatively low cost of conducting cyberattacks, I would argue that a terrorist organization would gain more ‘return on its investment’ than from a risky physical attack on, for example, a government facility. An organization would also require fewer people and less coordination to conduct such an attack. Given that most terrorist organizations usually choose the easiest and best-known path to conduct their attacks, they would find a buffer overrun attack easier, especially since these sorts of attacks have been in use for some time.

A typical terrorist organization usually aims to disseminate its beliefs or cause, and this type of attack would help serve this aim. For example, a group that believes another group of people holds conflicting beliefs could attack a website representing or publicizing those views. A buffer overrun attack could also target an enemy government’s servers that are used to control something vital, such as a city’s drinking water supply. Once control is achieved and the damage is done, public opinion could be swayed to help persuade the government to stop action against the terrorist organization. On the other hand, this technique could backfire and cause the government to further strengthen its action against the organization.

The economic value of this cyberattack should also be understood. As mentioned in a previous lecture, there are ‘cybergangs’ that actively charge website owners money for not attacking them with techniques such as Denial of Service attacks. A terrorist organization could use this technique to generate revenue in order to finance other attacks. A cyberattack could also be used to derail the economy of an enemy government. The organization could target, for example, a stock exchange’s central server by using a buffer overrun and gaining access to key information. The losses incurred by the stock exchange could potentially be very high and cause a substantial loss of income in lost trade to the government. Such attacks are generally meant to sow discord among the public, business and government, which is usually the primary objective of a terrorist organization.

Conclusion

In general, a buffer overrun attack has a lot of potential value in achieving the aims of a terrorist organization. Given the global reach of the Internet and the increasing dependency of government and business on networks, there is now a dramatic increase in the number of vulnerable targets compared to ten years ago. Even though a lot of progress is being made in the cybersecurity field, I would argue that it will be difficult to keep up with hackers and the terrorist organizations that employ such techniques. Therefore, this is a field that more terrorist organizations will consider, given the low cost and the strategic value such attacks would have.


Feasibility and cost of defending against such attacks - JARED/ZAHEER

[Feasibility and cost of defending against such attacks. For each class of target (home, corporate, financial), teams should 1) identify existing financial and non-financial incentives for installing defenses, 2) evaluate the adequacy of these incentives, 3) discuss whether additional protection would be cost-effective, 4) identify the lowest cost provider for upgrading protection (e.g., Microsoft, Norton, AOL, Corporate IT networks, computer owners), and 5) list and evaluate possible policy levers for government intervention (e.g., tax incentives, legal liability, insurance). ]


Zaheer/Jared

-The best way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that prevents buffer overflow, such as C or C++. http://www-128.ibm.com/developerworks/linux/library/l-sp4.html
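An added illustration of what "secure programming" against a buffer overrun looks like in practice; this is not code from the team's notes or from the linked IBM article. It is written in C, where nothing in the language enforces the size of a destination buffer, so the programmer has to enforce it. The unchecked strcpy pattern is shown beside two hardened forms: one that refuses input that would not fit, and one that truncates it to fit. The field size NAME_LEN, the function names and the sample strings are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size field for this example. */
#define NAME_LEN 16

/* Vulnerable pattern: strcpy copies until it finds a NUL byte and never
 * looks at the size of dst, so a src longer than NAME_LEN - 1 characters
 * writes past the end of the buffer. Shown for contrast only; this
 * example never calls it with oversized input. */
void unsafe_set_name(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form 1: measure src without reading more than NAME_LEN bytes,
 * and refuse anything that would not fit together with its terminator.
 * Returns 0 on success, -1 when src is too long (dst is left untouched). */
int safe_set_name(char dst[NAME_LEN], const char *src)
{
    size_t n = 0;
    while (n < NAME_LEN && src[n] != '\0')
        n++;
    if (n == NAME_LEN)          /* no NUL within the first NAME_LEN bytes */
        return -1;
    memcpy(dst, src, n + 1);    /* n + 1 <= NAME_LEN, includes the NUL */
    return 0;
}

/* Hardened form 2: accept any input but truncate it to fit. snprintf writes
 * at most NAME_LEN bytes and always NUL-terminates; its return value is the
 * length src would have needed, so a value >= NAME_LEN means truncation.
 * Returns 1 if the value was truncated, 0 otherwise. */
int truncating_set_name(char dst[NAME_LEN], const char *src)
{
    return snprintf(dst, NAME_LEN, "%s", src) >= NAME_LEN;
}

int main(void)
{
    char name[NAME_LEN];
    const char *ok = "alice";                                   /* constructed sample */
    const char *too_long = "a-name-that-is-longer-than-sixteen-bytes"; /* constructed sample */
    int rc;

    rc = safe_set_name(name, ok);
    printf("safe_set_name(\"%s\") -> %d, name = \"%s\"\n", ok, rc, name);

    rc = safe_set_name(name, too_long);
    printf("safe_set_name(<%zu bytes>) -> %d, name still \"%s\"\n",
           strlen(too_long), rc, name);

    rc = truncating_set_name(name, too_long);
    printf("truncating_set_name(<%zu bytes>) -> %d, name now \"%s\"\n",
           strlen(too_long), rc, name);
    return 0;
}
```

The refusing form is the one to prefer where the value is security-relevant (a username, a path, a command), because silent truncation can turn one valid input into a different valid input; the truncating form is acceptable for display strings. Either way the cost the note mentions is a length check per copy, which is negligible next to the cost of an overrun.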

-Financial incentives for upgrading protection include protecting sensitive information that can be used against the company.

-The President’s Commission on Critical Infrastructure Protection was set up to help companies protect their computers from attacks funded by foreign countries.
-Among their changes are tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center.
-http://www.washingtontechnology.com/news/12_12/news/12388-1.html

-BufferShield 1.01g for Windows
-AMD NoExecute
-hp-ux 11i
-Gateway Teros-100 APS (at $25,000, described as “a little steep”)
-CheckPoint VPN-1