Difference between revisions of "Team 14 Main"

From CyberSecurity

Revision as of 22:56, 24 October 2005

Contact information:

Imran 425-736-6490, iali@microsoft.com
Osama 425-241-7464, osamam@microsoft.com
Asad ??????, asadj@microsoft.com
Jared ??????, jaredsmelser@yahoo.com
Zaheer 408-250-7872, zaheerm@uclink.berkeley.edu

Assignments

Programming - IMRAN, ASAD, OSAMA

For each of your assigned sections, write 2-3 pages each and post on the wiki. Each section should be complete by MONDAY morning so that we can review it together as soon as possible. Also, we need to start posting our first drafts on the wiki as soon as possible.

http://www.cs.washington.edu/education/courses/csep590/05au/project.html


Description of attacks - OSAMA

[Team members should treat each attack as a controlled experiment, recording such variables as time-to-break-in, techniques attempted, success rate, hypothetical defenses, and the feasibility of automating successful attacks. Each engineering member is encouraged to mount his/her own attack separately in order to gain maximum experience with the target. A plain English, no jargon description of attack techniques attempted, vulnerabilities exposed, estimated difficulty, and the estimated cost/feasibility of defending against other, similar attacks in the future. (We encourage the policy members of the team to write this section of the report -- it will ensure that the technical members of the team have helped teach them the technical basics.)]


Estimated dollar value - ASAD

[Estimated dollar value of the damage that such an attack could cause 1) to a private home computer, 2) to a corporate computer used for letters and correspondence by Walmart's Corporate VP for Ordering Stuff from China, and 3) to a Charles Schwab computer used to place buy/sell orders on the New York Stock Exchange. Your estimate should consider potential damage to both the computer's owner and third parties.]


Estimated Dollar value of the Damage – Asad Jawahar

The cost of damage that can be caused by this type of attack depends on the assets that are on this machine and that are now compromised. These assets include things like personal or confidential data, Social Security Numbers, network resources that the machine is connected to etc.

Private Home Computer

Assets: A private home computer would usually contain a lot of personal information including Social Security Numbers, Bank account information, Address book, Email, other personal documents, pictures and music. The hacker can cause significant damage if he/she gets their hands on these assets. Here is an estimate of the potential damage:

1. Lost SSN(s), bank account info and personal information can be used for identity theft. The hacker could open new credit accounts in the name of the owner and draw large sums of money. The attacker may be able to draw even larger sums of money in the shape of other loans, e.g. car loans or even a mortgage, which could cost a lot more, but these are unlikely to happen since creditors do more diligence when giving out such loans. The damage is the sum of the loss to the bank and the amount it costs the victim to recover his/her credit history. According to a study conducted by the Identity Theft Resource Center (http://www.idtheftcenter.org/idaftermath.pdf), fraudulent charges average more than $90,000 per name user and it takes an average of 600 hours of the victim's time to work through it. The average cost associated with lost time was $16,971. This brings the average cost to over $100,000. Some people reported upwards of a million dollars in damages.

2. If the user has email, address books, music and pictures on the computer, then the hacker can steal this information, and it could potentially be used to launch other attacks. For example, the address book and email account could be used to lure other victims. The cost of this kind of attack is hard to determine. The other potential damage that the hacker could cause is destruction of data. For example, the pictures on the machine could be deleted or, even worse, the hard drive could be formatted, resulting in complete loss of data. If the data is not backed up, then the victim would have to use some specialized software or call specialists. The cost of disk recovery runs in the thousands of dollars.

Walmart Corporate Computer

Assets: A corporate computer used for letters and correspondence by Walmart’s Corporate VP for ordering stuff from China would contain information about Walmart’s suppliers in China, some information about Walmart’s inventory, ordering information, Walmart’s account information and routing information etc. The corporate computer is most likely also connected to the corporate network which means it can be used to launch an attack on other corporate assets on the network. The estimated potential damage is:

1. The hacker could place false orders on behalf of Walmart, causing the supplier to produce or even ship the order if the attack goes undetected long enough. This could cause damages worth millions of dollars.

2. The hacker could also cancel some orders resulting in Walmart running out of inventory and losing business to competitors. The supplier will be affected because he may have to store the extra product. The cost of this would also run in millions of dollars.

3. If there is some bidding process going on between Walmart and suppliers in China then the hacker could divulge confidential bidding information resulting in unfair award of contract. This could eventually run into litigation issues costing millions.

4. The hacker could post confidential business data on the net where competitors can see and misuse it, for example Walmart’s suppliers, the price quotes they give to Walmart, Walmart’s current orders, etc. This information could be used by competitors to identify Walmart’s business strategy, like which new products they are bringing into the market. Cost to Walmart due to lost business could be in millions of dollars.

5. If the machine is on the corporate network then it could be used to launch an attack on other assets on the network, including employee information, financial data, customer data, etc. If the hacker can successfully launch attacks on these assets then the damage caused will be very extensive and would probably run in hundreds of millions.

6. Walmart’s image will be tarnished due to this incident resulting in lost business.

7. The hacker could wipe out the hard drive, resulting in loss of data if it wasn’t backed up. This could cost a few thousand dollars to recover.

Charles Schwab computer used to place buy/sell orders on NYSE

Assets: A computer used to place buy/sell orders will have some sort of trading software installed on it. If the software does not require a login or the user has stored the password then the hacker can perform transactions on behalf of Charles Schwab. Also, the computer is probably on the corporate network, which means it can be used to launch attacks on other assets on the network. The estimated cost of damage is:

1. If the hacker can successfully use the trading software then he/she could cause a lot of damage by placing orders on NYSE. The hacker could buy a certain stock and then place larger orders on behalf of Charles Schwab to drive up the cost. This would also affect a lot of other traders on the stock market. The hacker could also short or bulk sell a certain stock, causing its value to tumble in the market and causing a lot of loss to Charles Schwab, the company whose stock got hit and other traders. The cost of this will be in hundreds of millions of dollars.

2. The hacker could mount an attack on other assets on the network and if successful could retrieve employee and customer information and use it for ID theft. The cost would run in hundreds of millions of dollars.

3. The incident will tarnish Charles Schwab's image and they will lose customers and business, costing millions.

4. The SEC may impose some fines on Charles Schwab for inaccurate order execution. In the past companies have been fined in millions.

Feasibility and Strategic value - IMRAN

[Estimated feasibility and strategic value of the attack technique to a terrorist organization. Teams should consider, at a minimum, 1) scalability of techniques, 2) feasibility of acquiring the required technical and financial resources, and 3) potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5.]

Summary

The buffer overrun attack technique is a feasible technique for a terrorist organization to meet some of their aims. The strategic value of such an attack would be less than a ‘typical’ terrorist attack as it would lack the drama and media attention of a physical attack on a material object such as a nuclear power plant. However, the actual feasibility of such an attack could be diminished due to current advances in operating system security features and a greater public awareness of security problems such as phishing and virus attacks.

1) Scalability of technique

An attack using buffer overruns could be used to attack multiple clients, i.e. clients who run applications with this vulnerability. For example, a terrorist organization could find a vulnerability in a web control on a frequently used website such as http://www.cnn.com. The organization could then infiltrate the company or the website and have this code placed in the website. Another attack could use phishing so that users are fooled into using a website spelled very close to the same, such as www.cnnn.com, which would not have the same audience but could still be an effective attack technique. Since this is code, it is generally not difficult to distribute and it is therefore easy to spread the attack. Another way to deliver such an attack would be to use a trojan horse via some sort of email message with an attachment that causes damage or which takes advantage of a buffer overrun to gain root access to a user’s system. If a terrorist organization would like to hit a wide range of people, the above techniques would be scalable given the high rate of Internet connectivity in the US. Even if the organization would like to hit a targeted number of government machines or businesses, this technique is still feasible, especially given the fact that many IT orgs (including the government) have machines running operating systems with known security vulnerabilities. On the other hand, recent releases of operating systems have built-in mechanisms against buffer overruns. For example, managed code does not allow this to happen and it is almost impossible to use this technique unless calls to unmanaged code are made. I would argue that the scalability would only be slightly diminished, especially given the fact that there are still components of the OS that contain vulnerabilities to this. For example, the Sasser worm exploited a vulnerability in a core component of the Windows operating system.

2) Feasibility of acquiring the required technical and financial resources

The required resources lean more towards being technical rather than financial in nature. In order to engineer an exploit, generally anyone with a Computer Science degree could do this, once taught the underlying techniques and given the tools. Websites such as www.phrack.com already give detailed information on known vulnerabilities which could guide a determined engineer. On a global level, there is definitely not a shortage of qualified people who could accomplish this. As for financial resources, all that is mostly needed is a PC with Internet access, plus any money to pay for doing this. These are not usually activities for mercenaries; instead, members of a terrorist organization could easily have this technical knowledge or recruit members who are fresh graduates from university. According to an article in the Washington Post (http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26), groups such as Al-Qaeda are already recruiting members with advanced technical capabilities, such as recent university graduates. Rather than developing their own computer skills, terrorist groups might also try to hire or trick unaffiliated hackers into helping. There are also many highly skilled and underpaid computer specialists from the former Soviet Union. Hackers who dislike America might also decide to perpetrate an attack independently. Following the April 2001 collision of a U.S. Navy spy plane and a Chinese fighter jet, Chinese hackers launched denial of service attacks against American Web sites. A terrorist organization could contact these hackers and convince them to join them in their particular cause.
In general, it is becoming increasingly easy for terrorist organizations to acquire resources to attack vulnerable targets, mostly due to the fact that there is a global supply of highly skilled engineers who may be tricked or persuaded into helping an organization given the right financial or ideological incentives. This is indeed confirmed by both government and private sector reports indicating that recent attacks have grown in both sophistication and volume.

3) Potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5

Given the feasibility and relatively low cost of conducting cyberattacks, I would argue that a terrorist organization would gain more ‘return on their investment’ as opposed to a risky physical attack on a government facility, for example. An organization would also require fewer people and less coordination to conduct such an attack. Given the fact that most terrorist organizations usually choose the easiest and best known path to conduct their attacks, they would find a buffer overrun attack easier, especially given the fact that these sorts of attacks have been used for some time. A typical terrorist organization usually aims to disseminate their beliefs or cause, and this type of attack would help serve this aim. For example, a group that believes that another group of people have conflicting beliefs could attack a website representing or publicizing their views. A buffer overrun attack could also target an enemy government server that is used to control something vital, such as a city’s drinking water supply. Once control is achieved and the damage is done, public opinion could be swayed to help persuade the government to stop action against this terrorist organization. On the other hand, this technique could backfire and cause the government to further strengthen its action against the organization. The economic value of this cyberattack should also be understood. As mentioned in a previous lecture, there are ‘cybergangs’ that actively charge website owners money for not attacking them using techniques such as Denial of Service attacks. A terrorist organization could use this technique to generate revenue in order to finance other attacks. A cyberattack could also be used to derail the economy of an enemy government.
The organization could target, for example, a stock exchange’s central server by using a buffer overrun and gaining access to key information. The losses incurred by the stock exchange could potentially be very high and cause a substantial loss of income in lost trade to the government. Such attacks are generally meant to sow discord among the public, business and government, which is usually the primary objective of a terrorist organization.

Conclusion

In general, a buffer overrun attack has a lot of potential value in achieving the aims of a terrorist organization. Given the global reach of the Internet and the increasing dependency of government and business on networks, there is now a dramatic increase in the number of vulnerable targets as compared to ten years ago. Even though there is a lot of progress being made in the cybersecurity field, I would argue that it will be difficult to keep up with hackers and the terrorist organizations that employ such techniques. Therefore, this is a field that more terrorist organizations will consider given the low cost and the strategic value such attacks would have.


Feasibility and cost of defending against such attacks - JARED/ZAHEER

[Feasibility and cost of defending against such attacks. For each class of target (home, corporate, financial), teams should 1) identify existing financial and non-financial incentives for installing defenses, 2) evaluate the adequacy of these incentives, 3) discuss whether additional protection would be cost-effective, 4) identify the lowest cost provider for upgrading protection (e.g., Microsoft, Norton, AOL, Corporate IT networks, computer owners), and 5) list and evaluate possible policy levers for government intervention (e.g., tax incentives, legal liability, insurance). ]


Zaheer/Jared

The best way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that helps prevent buffer overflow, such as C or C++ (http://www-128.ibm.com/developerworks/linux/library/l-sp4.html).

Financial incentives for upgrading protection include protecting sensitive information that can be used against the company.

In terms of software upgrades, the lowest cost provider is Microsoft. With the Service Pack 2 that comes with Windows, the customer can choose Executable Space Protection solutions designed to prevent overwriting of data. There are also various "patch managers," the least expensive of which is Symantec Livestate Patch Manager, priced at $17.90. The NX, or "no execute" feature is available on a variety of processors including the AMD-64 Athlon 64 X-2 Dual-Core processor ranging from $354-$902 and the AMD Athlon 64 Processor, from $122-$375.

The President’s Commission on Critical Infrastructure Protection was set up to help companies protect their computers from attacks funded by foreign countries. Among their changes are tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center (http://www.washingtontechnology.com/news/12_12/news/12388-1.html).