Team 14 Main

From CyberSecurity
Revision as of 04:53, 25 October 2005 by Asadj (talk | contribs) (Estimated dollar value - ASAD)


Contact information:

Imran 425-736-6490, iali@microsoft.com
Osama 425-241-7464, osamam@microsoft.com
Asad ??????, asadj@microsoft.com
Jared ??????, jaredsmelser@yahoo.com
Zaheer 408-250-7872, zaheerm@uclink.berkeley.edu

Assignments

Programming - IMRAN, ASAD, OSAMA

For each of your assigned sections, write 2-3 pages each and post on the wiki. Each section should be complete by MONDAY morning so that we can review it together as soon as possible. Also, we need to start posting our first drafts on the wiki as soon as possible.

http://www.cs.washington.edu/education/courses/csep590/05au/project.html


Description of attacks - OSAMA

[Team members should treat each attack as a controlled experiment, recording such variables as time-to-break-in, techniques attempted, success rate, hypothetical defenses, and the feasibility of automating successful attacks. Each engineering member is encouraged to mount his/her own attack separately in order to gain maximum experience with the target. A plain English, no jargon description of attack techniques attempted, vulnerabilities exposed, estimated difficulty, and the estimated cost/feasibility of defending against other, similar attacks in the future. (We encourage the policy members of the team to write this section of the report -- it will ensure that the technical members of the team have helped teach them the technical basics.)]


Estimated dollar value - ASAD

[Estimated dollar value of the damage that such an attack could cause 1) to a private home computer, 2) to a corporate computer used for letters and correspondence by Walmart's Corporate VP for Ordering Stuff from China, and 3) to a Charles Schwab computer used to place buy/sell orders on the New York Stock Exchange. Your estimate should consider potential damage to both the computer's owner and third parties.]


Estimated Dollar value of the Damage – Asad Jawahar

The cost of damage that can be caused by this type of attack depends on the assets that are on this machine and that are now compromised. These assets include things like personal or confidential data, Social Security Numbers, network resources that the machine is connected to etc.

Private Home Computer

Assets: A private home computer would usually contain a lot of personal information including Social Security Numbers, Bank account information, Address book, Email, other personal documents, pictures and music. The hacker can cause significant damage if he/she gets their hands on these assets. Here is an estimate of the potential damage:

Damage Estimate: 1. Lost SSN(s), bank account info and personal information can be used for identity theft. The hacker could open new credit accounts in the name of the owner and draw large sums of money. The attacker may be able to draw even larger sums in the shape of other loans, e.g. car loans or even a mortgage, which could cost a lot more, but these are unlikely to happen since creditors do more diligence when giving out such loans. The damage in this case is the sum of the loss to the bank and the amount it costs the victim to recover his/her credit history. According to a study conducted by the Identity Theft Resource Center (http://www.idtheftcenter.org/idaftermath.pdf), fraudulent charges average more than $90,000 per name user and it takes an average of 600 hours of the victim's time to work through it. The average cost associated with lost time was $16,971. This brings the average cost to over $100,000. Some people reported upwards of a million dollars in damages.

2. If the user has email, address books, music and pictures on the computer, then the hacker can steal this information, which could potentially be used to launch other attacks. For example, the address book and email account could be used to lure other victims. The cost of this kind of attack is hard to determine. The other potential damage the hacker could cause is destruction of data. For example, the pictures on the machine could be deleted or, even worse, the hard drive could be formatted, resulting in complete loss of data. If the data is not backed up, then the victim would have to use some specialized software or call data recovery specialists. The cost of disk recovery runs in the thousands of dollars.

Walmart Corporate Computer

Assets: A corporate computer used for letters and correspondence by Walmart’s Corporate VP for ordering stuff from China would contain information about Walmart’s suppliers in China, some information about Walmart’s inventory, ordering information, Walmart’s account information and routing information etc. The corporate computer is most likely also connected to the corporate network which means it can be used to launch an attack on other corporate assets on the network. The estimated potential damage is:

Estimated Damage: 1. The hacker could place false orders on behalf of Walmart causing supplier(s) to produce or even ship the order if the attack goes undetected long enough. This could cause damages worth millions of dollars.

2. The hacker could also cancel some orders resulting in Walmart running out of inventory and losing business to competitors. The supplier will be affected because he may have to store the extra product. The cost of this could also run in millions of dollars.

3. If there is some bidding process going on between Walmart and suppliers in China then the hacker could divulge confidential bidding information resulting in unfair award of contract. This could eventually run into litigation issues costing millions.

4. The hacker could post confidential business data on the net where competitors can see and misuse it, for example Walmart’s suppliers, the price quotes they give to Walmart, Walmart’s current orders, etc. This information could be used by competitors to identify Walmart’s business strategy, like which new products they are bringing into the market. Cost to Walmart due to lost business could be in millions of dollars.

5. If the machine is on the corporate network then it could be used to launch an attack on other assets on the network, including employee information, financial data, customer data, etc., which can be used for ID theft. If the hacker can successfully launch attacks on these assets then the damage caused will be very extensive and would probably run in hundreds of millions.

6. Walmart’s image will be tarnished due to this incident resulting in lost business.

7. The hacker could wipe out the hard drive resulting in loss of data if it wasn’t backed up. This could cost a few thousand dollars to recover.

Charles Schwab computer used to place buy/sell orders on NYSE

Assets: A computer used to place buy/sell orders will have some sort of trading software installed on it. If the software does not require a login or the user has stored the password, then the hacker can perform transactions on behalf of Charles Schwab. Also, the computer is probably on the corporate network, which means it can be used to launch attacks on other assets on the network. The estimated cost of damage is:

Estimated damage: 1. If the hacker can successfully use the trading software then he/she could cause a lot of damage by placing orders on NYSE. The hacker could buy a certain stock from a legitimate account and then place larger orders on behalf of Charles Schwab using the hacked computer to drive up the price. This would also affect a lot of other traders on the stock market. The hacker could also short or bulk sell a certain stock, causing its value to tumble in the market and causing a lot of loss to Charles Schwab, the company whose stock got hit and other traders. The cost of this will be in hundreds of millions of dollars.

2. The hacker could mount an attack on other assets on the network and if successful could retrieve employee and customer information and use it for ID theft. The cost would run in hundreds of millions of dollars.

3. The incident will tarnish Charles Schwab's image and they will lose customers and business, costing millions.

4. The SEC may impose some fines on Charles Schwab for inaccurate order execution. In the past companies have been fined in millions.

Feasibility and Strategic value - IMRAN

[Estimated feasibility and strategic value of the attack technique to a terrorist organization. Teams should consider, at a minimum, 1) scalability of techniques, 2) feasibility of acquiring the required technical and financial resources, and 3) potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5.]

Summary

The buffer overrun attack technique is a feasible technique for a terrorist organization to meet some of their aims. The strategic value of such an attack would be less than a ‘typical’ terrorist attack as it would lack the drama and media attention of a physical attack on a material object such as a nuclear power plant. However, the actual feasibility of such an attack could be diminished due to current advances in operating system security features and a greater public awareness of security problems such as phishing and virus attacks.

1) Scalability of technique

An attack using buffer overruns could be used to attack multiple clients, i.e. users who run applications with this vulnerability. For example, a terrorist organization could find a vulnerability in a web control on a frequently used website such as http://www.cnn.com. The organization could then infiltrate the company or the website and have this code placed on the website. Another attack could use phishing so that users are fooled into using a website spelled very close to the same, such as www.cnnn.com, which would not have the same audience but could still be an effective attack technique. Since this is code, it is generally not difficult to distribute and it is therefore easy to spread the attack. Another way to deliver such an attack would be to use a trojan horse via some sort of email message with an attachment that causes damage or that takes advantage of a buffer overrun to gain root access to a user’s system. If a terrorist organization would like to hit a wide range of people, the above techniques would be scalable given the high rate of Internet connectivity in the US. Even if the organization would like to hit a targeted number of government machines or businesses, this technique is still feasible, especially given the fact that many IT orgs (including the government) have machines running operating systems with known security vulnerabilities. On the other hand, recent releases of operating systems have built-in mechanisms against buffer overrun. For example, managed code does not allow this to happen and it is almost impossible to use this technique unless calls to unmanaged code are made. I would argue that the scalability would only be slightly diminished, especially given the fact that there are still components of the OS that contain vulnerabilities to this. For example, the Sasser worm exploited a vulnerability in a core component of the Windows operating system.

2) Feasibility of acquiring the required technical and financial resources

The required resources lean more towards being technical rather than financial in nature. In order to engineer an exploit, generally anyone with a Computer Science degree could do this, once taught the underlying techniques and given the tools. Websites such as www.phrack.com already give detailed information on known vulnerabilities which could guide a determined engineer. On a global level, there is definitely not a shortage of qualified people who could accomplish this. As for financial resources, little more than a PC with Internet access is needed, plus whatever money is paid for doing this. These are not usually activities for mercenaries; instead, members of a terrorist organization could easily have this technical knowledge or recruit members who are fresh graduates from university. According to an article in the Washington Post (http://www.washingtonpost.com/ac2/wp-dyn/A50765-2002Jun26), groups such as Al-Qaeda are already recruiting members with advanced technical capabilities, such as recent university graduates. Rather than developing their own computer skills, terrorist groups might also try to hire or trick unaffiliated hackers into helping. There are also many highly skilled and underpaid computer specialists from the former Soviet Union. Hackers who dislike America might also decide to perpetrate an attack independently. Following the April 2001 collision of a U.S. Navy spy plane and a Chinese fighter jet, Chinese hackers launched denial of service attacks against American Web sites. A terrorist organization could contact these hackers and convince them to join it in its particular cause.
In general, it is becoming increasingly easy for terrorist organizations to acquire resources to attack vulnerable targets, mostly due to the fact that there is a global supply of highly skilled engineers who may be tricked or persuaded into helping an organization given the right financial or ideological incentives. This is indeed confirmed by both government and private sector reports indicating that recent attacks have grown in both sophistication and volume.

3) Potential value of cyberattack as a tool for achieving the various terrorist aims identified in lectures 1, 2, 3, and/or 5

Given the feasibility and relatively low cost of conducting cyberattacks, I would argue that a terrorist organization would gain more ‘return on their investment’ as opposed to a risky physical attack on a government facility, for example. An organization would also require fewer people and less coordination to conduct such an attack. Given the fact that most terrorist organizations usually choose the easiest and best known path to conduct their attacks, they would find a buffer overrun attack easier, especially given the fact that these sorts of attacks have been used for some time. A typical terrorist organization usually aims to disseminate their beliefs or cause, and this type of attack would help serve this aim. For example, a group that believes that another group of people have conflicting beliefs could attack a website representing or publicizing their views. A buffer overrun attack could also target an enemy government's server that is used to control something vital, such as a city’s drinking water supply. Once control is achieved and the damage is done, public opinion could be swayed to help persuade the government to stop action against this terrorist organization. On the other hand, this technique could backfire and cause the government to further strengthen its action against the organization. The economic value of this cyberattack should also be understood. As mentioned in a previous lecture, there are ‘cybergangs’ that actively charge website owners money for not attacking them using techniques such as Denial of Service attacks. A terrorist organization could use this technique to generate revenue in order to finance other attacks. A cyberattack could be used to derail the economy of an enemy government.
The organization could target, for example, a stock exchange’s central server by using a buffer overrun and gaining access to key information. The losses incurred by the stock exchange could potentially be very high and cause a substantial loss of income in lost trade to the government. Such attacks are generally meant to sow discord in the public, business and government, which is usually the primary objective of a terrorist organization.

Conclusion

In general, a buffer overrun attack has a lot of potential value in achieving the aims of a terrorist organization. Given the global reach of the Internet and the increasing dependency of government and business on networks, there is now a dramatic increase in the number of vulnerable targets as compared to ten years ago. Even though there is a lot of progress being made in the cybersecurity field, I would argue that it will be difficult to keep up with hackers and the terrorist organizations that employ such techniques. Therefore, this is a field that more terrorist organizations will consider given the low cost and the strategic value such attacks would have.


Feasibility and cost of defending against such attacks - JARED/ZAHEER

[Feasibility and cost of defending against such attacks. For each class of target (home, corporate, financial), teams should 1) identify existing financial and non-financial incentives for installing defenses, 2) evaluate the adequacy of these incentives, 3) discuss whether additional protection would be cost-effective, 4) identify the lowest cost provider for upgrading protection (e.g., Microsoft, Norton, AOL, Corporate IT networks, computer owners), and 5) list and evaluate possible policy levers for government intervention (e.g., tax incentives, legal liability, insurance). ]


The best way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that helps prevent buffer overflow, such as C or C++. http://www-128.ibm.com/developerworks/linux/library/l-sp4.html

Financial incentives for upgrading protection include protecting sensitive information that can be used against the company.

In terms of software upgrades, most providers offer free downloads; the lowest cost provider is Microsoft. With the Service Pack 2 that comes with Windows, the customer can choose Executable Space Protection solutions designed to prevent overwriting of data. There are also various "patch managers," the least expensive of which is Symantec Livestate Patch Manager, priced at $17.90. The NX, or "no execute," feature is available on a variety of processors including the AMD-64 Athlon 64 X-2 Dual-Core processor, ranging from $354-$902, and the AMD Athlon 64 Processor, from $122-$375.

The President’s Commission on Critical Infrastructure Protection was set up to help companies protect their computers from attacks funded by foreign countries. Among their changes are tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center (http://www.washingtontechnology.com/news/12_12/news/12388-1.html).



Disregard Zaheer's work above; it has been inserted into the paper below in italics.

To understand the incentives for installing defenses against buffer overflow attacks, one must first determine the target of the attack. To better understand the field of targets, we will categorize them into three groups: attacks on governmental agencies, attacks on corporate entities and finally, attacks on private personal computers. Each group has both common and dissimilar reasons for preventing buffer overflow attacks, and because of this, the incentives for these groups vary in size and need. The most common incentive, however, for all three is that of financial motivation. Often when a computer or server is attacked the most costly problem is the loss of control to the user. This loss of control manifests itself in varying forms such as an inability to use the targeted computer or server; this problem is most damaging to corporate entities, for whom the losses involved in a disruption of service can reach up to millions of dollars depending on the severity of the attack as well as the time the company in question takes to purge the infected data and return online.

Another loss of control concern to all three groups is the ability of the attacker to obtain sensitive material. The FDIC recently wrote, “Identity theft in general and account hijacking in particular continue to be significant problems for the financial services industry and consumers.” (http://www.fdic.gov/consumers/consumer/idtheftstudysupp/index.html) These types of attacks are common to both the private and corporate users. For the private user, his or her personal information can be taken and used fraudulently after the theft, resulting in thousands of dollars of loss in time and money. While this loss is often profound to the individual victim, the loss to the corporate user is twofold. This type of security breach can result in the theft of not just one individual’s information but that of thousands of individuals. The secondary damage to the corporation then becomes a loss in reputation, resulting in a lack of confidence in the transaction between the consumer and the vendor. For governmental agencies, the ability of an attacker to obtain sensitive data can be costly in both financial and non-financial terms. The lesser, but still costly, issue with attacks is the damage to infrastructure (i.e. flight control, police emergency numbers, etc.). The greater threat is that of stolen data (i.e. intellectual property, national defense, and state secrets). It is here that the incentives for installing software to defend against attacks are vitally important: the sensitivity of the stolen information determines the scope of the security breach. When analyzing the benefit versus cost of defending against attacks in both financial and non-financial terms, it is the scope of the breach which will determine the scope of the needed response.

Many of the issues involved in these types of attacks and their subsequent harm to these three groups can be seen as types of market failures; once an individual or agency establishes the criteria for market failure (i.e. disruption of service and/or stolen data), the incentives for corrective measures become adequate and the market compensates for these types of attacks. Currently, many software and hardware manufacturers are creating protection against buffer overflow attacks.

The strongest way to protect against buffer overflow is secure programming, even at the cost of inefficient programming, or using a language that helps prevent buffer overflow, such as C or C++. (http://www-128.ibm.com/developerworks/linux/library/l-sp4.html) In terms of software upgrades, most providers offer free downloads; the lowest cost provider, for example, is Microsoft. With the Service Pack 2 that comes with Windows, the customer can choose Executable Space Protection solutions designed to prevent overwriting of data. There are also various "patch managers," the least expensive of which is Symantec Livestate Patch Manager, priced at $17.90. The NX, or "no execute," feature is available on a variety of processors including the AMD-64 Athlon 64 X-2 Dual-Core processor, ranging from $354-$902, and the AMD Athlon 64 Processor, from $122-$375.
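The "secure programming" that this paragraph (and Zaheer's earlier draft of it) recommends as the first line of defense comes down to one habit: check the length of attacker-controlled input before it is written into a fixed-size buffer. The following is an added example written for this page; it is not code from the team's report or from the IBM article cited above. It is in C, where bounds checking is left entirely to the programmer, so the protection has to come from the code itself. The buffer size NAME_MAX, the function names and the sample inputs are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed buffer size for the example: room for 15 characters plus the
 * terminating NUL. Any input of 16 or more characters must be refused. */
#define NAME_MAX 16

/* The pattern the paragraph warns against: strcpy() keeps copying until it
 * finds the NUL in src, so input of NAME_MAX bytes or more writes past the
 * end of dst. Shown for contrast only and never called with unchecked input. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: measure the input first, refuse anything that cannot fit
 * together with its terminating NUL, and only then copy.
 * Returns 0 on success and -1 when the input was rejected; on rejection dst
 * is left holding a valid empty string rather than stale bytes. */
int copy_name_safe(char dst[NAME_MAX], const char *src)
{
    size_t len = 0;

    /* Look at no more than NAME_MAX bytes of src, however long it really is,
     * so the length check itself cannot be pushed past the buffer. */
    while (len < NAME_MAX && src[len] != '\0')
        len++;

    if (len == NAME_MAX) {        /* no NUL within NAME_MAX bytes: too long */
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, src, len + 1);    /* len + 1 copies the terminating NUL too */
    return 0;
}

/* Helper for the demo and the checks below: 1 if src is accepted and stored
 * intact in a NAME_MAX buffer, 0 if it is rejected. */
int name_fits(const char *src)
{
    char buf[NAME_MAX];
    return copy_name_safe(buf, src) == 0 && strcmp(buf, src) == 0;
}

int main(void)
{
    /* Constructed inputs: well under the limit, exactly at the limit (15
     * characters fit), and one character too many (16 characters). */
    const char *inputs[] = { "alice", "exactly15chars!", "sixteencharacter" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-18s %s\n", inputs[i],
               name_fits(inputs[i]) ? "accepted" : "rejected");
    return 0;
}
```

The interesting case is the boundary: a 15-character name is the longest that fits, because the sixteenth byte is reserved for the NUL terminator; an off-by-one here (testing `len > NAME_MAX` instead of `len == NAME_MAX`) would let a 16-character input overwrite whatever sits after the buffer. Rejecting over-long input outright, rather than silently truncating it, also keeps the program from acting on a name that is not the one the caller supplied.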

In response to threats to national security, the President’s Commission on Critical Infrastructure Protection was set up to help companies protect their systems from attacks funded by foreign countries. Their implementations include tax deductions for purchases of computer security technology, longer jail terms for hackers, a $250 million per year government investment in security technology, and a government-industry security center. http://www.washingtontechnology.com/news/12_12/news/12388-1.html

While these forms of protection can be cost effective for the private user and some small businesses, the potential cost to multi-million dollar companies and governmental agencies is too great to rely on these forms of protection alone. In addition to software and hardware solutions, it would be prudent for large companies and governmental agencies to finance additional forms of protection. Both should invest in a highly trained and qualified workforce dedicated to the prevention and management of attacks. In conjunction with a larger and more qualified staff, firewall investment, load-balancing, traffic-shaping technology and extra bandwidth (for DoS attacks) should be considered.

As discussed prior, many of these problems can be seen as market failures; at times the market cannot correct itself in a meaningful way when outside forces (hackers and terrorists) are affecting it in a detrimental manner. In this case, it is often up to the government to intercede and create a favorable and safe marketplace conducive to free trade. One option is to determine the market failures and create policy to solve the problems in question. A market failure in which the government could intercede with little market intervention is the failure of information asymmetry. Information asymmetry is when one party knows more than the other and capitalizes on it to the disadvantage of the other. In this case, it is a lack of understanding by the common private user, unaware that by not safeguarding his or her computer they are not only susceptible to attack themselves, but are also used by hackers to infect other individuals. By correcting this asymmetry and informing computer users how to be responsible net citizens, the government could obstruct many attacks before they gain momentum. As well, the government and vested private industry could create market incentives for the common user to install better protection. These incentives would take the form of lower consumer prices from industry and tax incentives from the government, the cost of which would be offset by gains to revenue as well as tax gains from recuperated revenue. While the government is creating new task forces and redirecting existing agencies to fight this problem, the money invested in this fight is a drop in the bucket compared to the losses reported and unreported by these three groups; until this problem is given the attention it needs, buffer overflow attacks and other cyber crimes will continue to occur.