The Security Economy
James Hamilton
Microsoft SQL Server Architect
http://research.microsoft.com/~JamesRH
JamesRH@Microsoft.com
2004.06.17
Agenda
• Threat environment is worsening rapidly
• Capitalism in play
  • Personal/financial advantage drives innovation
• The security economy
  • 1st Gen: Fun and fame
  • 2nd Gen: Revenue models emerge
  • 3rd Gen: Resources for hire
• What can be done?
Threat: Cracking is not a new phenomenon
• 1981: Kevin Mitnick (Condor) cracks LA School System & PacBell
  • Steals passwords
• 1992: 414 Gang cracks Los Alamos & cancer center
• 1983: Mitnick (Condor) cracks Pentagon computers
• 1984: Kevin Poulsen (Dark Dante) cracks into ARPAnet
• 1986: Pakistani Brain virus – 1st malicious virus
• 1996: Chaos Computer Club hacks LBL
• 1987: Jerusalem virus – 1st to infect files
• 1988: Robert Morris releases 1st Internet worm
  • Sendmail buffer overrun -- over 6,000 systems infected
• 1988: Mitnick cracks MCI DECnet
  • Steals VMS source code
• 1989: Fry Guy cracks McDonalds
  • Credit cards and $6,000 in cash and product
• 1991: Michelangelo virus
• 1991: Justin Petersen (Agent Steal) cracks bank computer & transfers funds
• 1992: Morty Rosenfeld (Storm Shadow) cracks TRW
  • Credit card reports and numbers
• 1994: Richard Pryce (DataStream Cowboy) cracks USAF Rome Lab, …
• 1994: Vladimir Levin cracks Citibank network
Source: Bill Wall, Harris Computer Corp
Incidents Reported Industry-wide
• CERT/CC incident statistics 1988 through 2003
• Incident: a single security issue, grouping together all impacts of that issue
• Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
Source: http://www.cert.org/stats/cert_stats.html
1st Gen: Fun and fame
• A new frontier for experimentation & learning
  • Many of the same folks who phone phreaked when in-band signaling was still employed
  • Mostly non-destructive experimentation
• Community learning & sharing
  • Trade ideas & methods at security focused conferences
    • e.g. Blackhat http://www.blackhat.com/
  • Building on the ideas of others
    • Phrack ezine: http://www.phrack.org/show.php?p=49&a=14
    • 29A: http://29a.host.sk/
  • Not all work from first principles
    • Baseless loaders
    • Encryption & morphing engines
• Fun but clearly not a viable business
DB Attack: Data Thief
• Author: Cesar Cerrudo
• Originally produced as an SQL injection demonstration
• UI driven:
  • Uses a local database to store stolen data
  • You select the target web page
  • Displays a menu of all tables available in the database
  • Transfers contents of selected tables to the local database
• No programming or IQ required
• Download: http://www.appsecinc.com/resources/freetools/
2nd Gen: Revenue models emerge
• Selling bugs
  • Vendor provided bounties: Qmail http://cr.yp.to/qmail/guarantee.html
  • Third party: iDefense http://idefense.com/poi/teams/vcp.jsp?flashstatus=true
• Professional services feedback loop
  • Problem exists, so opportunity for security services
  • When not billing time, crack products
    • Establishes both the problem & credibility
  • More spent on patch application & more concern about security
    • More opportunity for security services
• New opportunity for 1st gen fun and fame folks
  • Get known & join a security services shop
• Separation of virus creation from distribution
  • Posted to web sites (research & freedom of speech defense)
3rd Gen: Resources for hire
• Systems lying dormant waiting to be needed
  • No indication they are infected
• Theft of assets:
  • AOL PW, PayPal PW, credit card numbers, game and S/W keys, etc.
• Zombies / bot-nets:
  • Spam distribution http://news.com.com/Mounties+charge+teenage+virus+suspect/2100-7349_3-5221785.html?tag=cd.top
  • Copyrighted or illegal media distribution
  • DDoS attacks
  • Anonymous or difficult to track actions
• Zombie systems for sale http://www.theregister.co.uk/2004/04/30/spam_biz
  • 20 cents each: $500/10,000 http://www.theregister.com/2004/05/12/phatbot_zombie_trade/
3rd Gen: Resources for hire (cont…)
• Mega-virus/worms most dangerous new trend
  • Aggregate large number of already found attacks into a single virus/worm
  • Polymorphic
    • Attempt to evade signature searching
  • Disable anti-virus
    • Could even simulate AV running (no known examples)
    • Consolidation in AV market would make this easier
  • Disable competition for resources & control
    • Remove other viruses, worms & bots
  • P2P command & control
    • Phatbot first to go P2P rather than IRC
    • WASTE provides an (optionally) encrypted P2P channel http://waste.sourceforge.net/
    • Phatbot uses Gnutella as directory service
• Infected systems can be efficiently found & controlled and therefore have value
Phatbot Feature List
• Polymorph on install to evade antivirus signatures as it spreads from system to system
• Checks to see if it is allowed to send mail to AOL, for spamming purposes
• Can steal Windows Product Keys
• Can run an IDENT server on demand
• Starts an FTP server to deliver the trojan binary to exploited hosts
• Can run a socks, HTTP or HTTPS proxy on demand
• Can start a redirection service for GRE or TCP protocols
• Can scan for and use the following exploits to spread itself to new victims:
  • DCOM, DCOM2, MyDoom backdoor, DameWare, Locator Service, weak pw Shares, WebDav
  • WKS - Windows Workstation Service
• Newer versions of Agobot and Phatbot have added scanner modules for:
  • Bagle virus backdoor, CPanel resetpass vulnerability, UPnP vulnerability, Weak SQL admin PW
• Attempts to kill instances of MSBlast, Welchia and Sobig.F
• Sniffs IRC network traffic looking for logins to other botnets & IRC operator passwords
• Can sniff FTP network traffic for usernames and passwords
• Can sniff HTTP network traffic for Paypal cookies
• Contains a list of nearly 600 processes to kill if found on an infected system
  • Antivirus software, others are competing viruses/trojans
• Tests available bandwidth by posting large amounts of data to the following websites:
  • www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.stanford.edu, www.xo.net, …
• Can steal AOL account logins and passwords
• Can steal CD Keys for several popular games
• Can harvest emails from the web for spam purposes
• Can harvest emails from the local system for spam purposes
Source: http://www.lurhq.com/phatbot.html
Phatbot Command Set
• bot.command: runs a command with system()
• bot.unsecure: enable shares / enable dcom
• bot.secure: delete shares / disable dcom
• bot.flushdns: flushes the bots dns cache
• bot.quit: quits the bot
• bot.longuptime: If uptime > 7 days then bot will respond
• bot.sysinfo: displays the system info
• bot.status: gives status
• bot.rndnick: makes the bot generate a new random nick
• bot.removeallbut: removes the bot if id does not match
• bot.remove: removes the bot
• bot.open: opens a file (whatever)
• bot.nick: changes the nickname of the bot
• bot.id: displays the id of the current code
• bot.execute: makes the bot execute a .exe
• bot.dns: resolves ip/hostname by dns
• bot.die: terminates the bot
• bot.about: displays the info the author wants you to see
• shell.disable: Disable shell handler
• shell.enable: Enable shell handler
• shell.handler: FallBack handler for shell
• commands.list: Lists all available commands
• plugin.unload: unloads a plugin (not supported yet)
• plugin.load: loads a plugin
• cvar.saveconfig: saves config to a file
• cvar.loadconfig: loads config from a file
• cvar.set: sets the content of a cvar
• cvar.get: gets the content of a cvar
• cvar.list: prints a list of all cvars
• inst.svcdel: deletes a service from scm
• inst.svcadd: adds a service to scm
• inst.asdel: deletes an autostart entry
• inst.asadd: adds an autostart entry
• logic.ifuptime: exec command if uptime is bigger than X
• mac.login: logs the user in
• mac.logout: logs the user out
• ftp.update: executes a file from a ftp url
• ftp.execute: updates the bot from a ftp url
• ftp.download: downloads a file from ftp
• http.visit: visits an url with a specified referrer
• http.update: executes a file from a http url
• http.execute: updates the bot from a http url
• http.download: downloads a file from http
• rsl.logoff: logs the user off
• rsl.shutdown: shuts the computer down
• rsl.reboot: reboots the computer
• pctrl.kill: kills a process
• pctrl.list: lists all processes
• scan.stop: signal stop to child threads
• scan.start: signal start to child threads
• scan.disable: disables a scanner module
• scan.enable: enables a scanner module
• scan.clearnetranges: clears all netranges registered
• scan.resetnetranges: resets netranges to the localhost
• scan.listnetranges: lists all netranges registered
• scan.delnetrange: deletes a netrange from the scanner
• scan.addnetrange: adds a netrange to the scanner
• ddos.phatwonk: starts phatwonk flood
• ddos.phaticmp: starts phaticmp flood
• ddos.phatsyn: starts phatsyn flood
• ddos.stop: stops all floods
• ddos.httpflood: starts a HTTP flood
• ddos.synflood: starts an SYN flood
• ddos.udpflood: starts a UDP flood
• redirect.stop: stops all redirects running
• redirect.socks: starts a socks4 proxy
• redirect.https: starts a https proxy
• redirect.http: starts a http proxy
• redirect.gre: starts a gre redirect
• redirect.tcp: starts a tcp port redirect
• harvest.aol: makes the bot get aol stuff
• harvest.cdkeys: makes the bot get a list of cdkeys
• harvest.emailshttp: makes the bot get a list of emails via http
• harvest.emails: makes the bot get a list of emails
• waste.server: changes the server the bot connects to
• waste.reconnect: reconnects to the server
• waste.raw: sends a raw message to the waste server
• waste.quit: disconnect waste
• waste.privmsg: sends a privmsg
• waste.part: makes the bot part a channel
• waste.netinfo: prints netinfo
• waste.mode: lets the bot perform a mode change
• waste.join: makes the bot join a channel
• waste.gethost: prints netinfo when host matches
• waste.getedu: prints netinfo when the bot is .edu
• waste.action: lets the bot perform an action
• waste.disconnect: disconnects the bot from waste
Source: http://www.lurhq.com/phatbot.html
What can be done?
• No single defense is effective
• Secure by default:
  • Default features secure
  • If less than 80% use, then off-by-default
• Security focused design & development process
  • Simple security features
  • Threat models, targeted testing, attack teams, accountable code reviews, security audit, …
• Fundamental architectural change:
  • More redundancy, many layers of defense, rigidly enforced fault containment domains, restartable components, low trust between components, limited communications allowed between components, limited communications external to components, …
• Innovative security focused tools
  • /GS, /SAFESEH, NX (no execute), …
  • Static analysis with source annotations & more constrained programming languages
• Statistical attack detection with auto defense
  • Tight feedback loop
  • Customer system state sent “home” (with approval)
  • Auto-patching & configuration checkers
  • Black hat forums & other sources constantly monitored
• Security communications:
  • Customer education
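The "statistical attack detection with auto defense" item above, applied to the scanner modules listed on the Phatbot slide, as an added example that is not part of the original deck: a sliding-window detector over constructed flow records flags a host sweeping many addresses on the service ports those modules probe, and turns each hit into a containment decision. The port-to-module mapping, the thresholds and the sample flows are assumptions made for this demonstration.

```python
# Added example (not from the slides): rate-based scan detection with an
# automatic containment decision. The port mapping, the thresholds and the
# sample flow records below are assumptions constructed for the demonstration.
from collections import defaultdict
from datetime import datetime, timedelta

# Service ports the scanner modules on the Phatbot slide would probe (assumed).
SCAN_PORTS = {135: "DCOM/RPC", 445: "SMB shares", 1433: "MS SQL"}

def build_sample_log():
    """Constructed 'timestamp src dst dport' records: one bot sweeping a /24."""
    base, lines = datetime(2004, 6, 17, 10, 0, 0), []
    for i in range(1, 31):  # bot: 30 distinct hosts on port 135 in 30 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.1.{i} 135")
    for i in range(5):  # workstation: one file server on 445, a few web sites
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.0.7 10.0.2.9 445")
        lines.append(f"{(base + timedelta(seconds=10 * i + 3)).isoformat()} 10.0.0.7 10.0.3.{i} 80")
    return "\n".join(lines)

def parse_flows(text):
    """Parse the records into (timestamp, src, dst, dport) tuples."""
    return [(datetime.fromisoformat(t), s, d, int(p))
            for t, s, d, p in (line.split() for line in text.splitlines())]

def detect_scanners(flows, window_s=60, min_targets=20):
    """Flag sources that contact at least min_targets distinct hosts on one scan
    port inside a window_s-second window; repeated use of one server never trips it."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport in SCAN_PORTS:
            per_src[src].append((ts, dst, dport))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            targets = defaultdict(set)
            for ts, dst, dport in events[i:]:
                if (ts - t0).total_seconds() > window_s:
                    break
                targets[dport].add(dst)
            hits = {p: len(d) for p, d in targets.items() if len(d) >= min_targets}
            if hits:
                alerts[src] = hits  # {port: distinct targets seen in the window}
                break
    return alerts

def containment_rules(alerts, window_s=60):
    """Auto-defense action a perimeter or host agent would apply per alert."""
    return [f"quarantine {src}: {n} hosts on {port}/tcp ({SCAN_PORTS[port]}) within {window_s}s"
            for src, hits in alerts.items() for port, n in hits.items()]
```

Tune min_targets against the busiest legitimate hosts (backup servers, vulnerability scanners) before letting the containment rule fire automatically.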