ebook img

Elements of computer security PDF

350 Pages·2010·3.224 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Elements of computer security

David Salomon Elements of Computer Security 123 Prof.DavidSalomon(emeritus) ComputerScienceDept. CaliforniaStateUniversity,Northridge Northridge,CA91330-8281 USA [email protected] Serieseditor IanMackie Advisoryboard SamsonAbramsky,UniversityofOxford,UK ChrisHankin,ImperialCollegeLondon,UK DexterKozen,CornellUniversity,USA AndrewPitts,UniversityofCambridge,UK HanneRiisNielson,TechnicalUniversityofDenmark,Denmark StevenSkiena,StonyBrookUniversity,USA IainStewart,UniversityofDurham,UK DavidZhang,TheHongKongPolytechnicUniversity,HongKong ISBN978-0-85729-005-2 e-ISBN978-0-85729-006-9 DOI10.1007/978-0-85729-006-9 SpringerLondonDordrechtHeidelbergNewYork BritishLibraryCataloguinginPublicationData AcataloguerecordforthisbookisavailablefromtheBritishLibrary LibraryofCongressControlNumber:2010933120 (cid:2)c Springer-VerlagLondonLimited2010 Apartfromanyfairdealingforthepurposesofresearchorprivatestudy,orcriticismorreview,as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced,storedortransmitted,inanyformorbyanymeans,withthepriorpermissioninwriting of the publishers, or in the case of reprographic reproduction in accordance with the terms of licenses issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside thosetermsshouldbesenttothepublishers. The use of registered names, trademarks, etc., in this publication does not imply, even in the absenceofaspecificstatement,thatsuchnamesareexemptfromtherelevantlawsandregulations andthereforefreeforgeneraluse. Thepublishermakesnorepresentation,expressorimplied,withregardtotheaccuracyoftheinfor- mationcontainedinthisbookandcannotacceptanylegalresponsibilityorliabilityforanyerrorsor omissionsthatmaybemade. Printedonacid-freepaper. SpringerispartofSpringerScience+BusinessMedia(www.springer.com) Contents 1 Physical Security 17 1.1 Side-Channel Attacks 17 1.2 Physical Threats 22 1.3 Laptop Security 29 1.4 Disaster Recovery Planning 32 1.5 Privacy Protection 33 2 Viruses 37 2.1 Operating Systems 38 2.2 Computer Viruses 40 2.3 Virus Writers 45 2.4 Virus Propagation 49 2.5 Virus Classification 51 2.6 Boot Sector Viruses 54 2.7 File Infector Viruses 57 2.8 Companion Viruses 61 2.9 Multipartite Viruses 62 2.10 Macro and Script Viruses 63 2.11 Infected Images 65 2.12 Virus Life Cycle 69 2.13 Viruses and UNIX 71 2.14 Viruses and the Macintosh 72 2.15 Virus Replication 72 2.16 Virus Payload 73 2.17 Virus Organization 81 2.18 Virus Naming 82 2.19 Virus Hiding Methods 83 2.20 Polymorphism 88 2.21 Virus Stealth Techniques 90 2.22 Interrupts and Viruses 92 2.23 Trapdoors 96 3 Worms 99 3.1 Code Red I 101 3.2 Worming Techniques 103 3.3 Proposing a CCDC 114 3.4 The Internet Worm 117 3.5 iPhone Worms 120 4 Trojan Horses 123 4.1 Applications of Trojans 124 4.2 Installing a Trojan 126 4.3 Rigging a Compiler 129 5 Examples of Malware 137 5.1 The Lehigh Virus 137 5.2 The Brain Virus 138 5.3 The Michaelangelo Virus 139 5.4 The SirCAM Virus 140 5.5 The Melissa Virus 141 5.6 Scores Virus 142 5.7 Swiss Amiga Virus 143 5.8 Christmas Card Virus 144 5.9 VBS.KAK Worm 145 5.10 The Cruncher Virus 145 5.11 Opener Virus 146 5.12 MTX Worm/Virus 148 6 Prevention and Defense 151 6.1 Understanding Vulnerabilities 151 6.2 Defenses Against Malware 156 6.3 Anti-Virus Software 157 6.4 Backups and Such 168 6.5 Botnets, Zombies, and Remote Control 173 6.6 Hoaxes 175 7 Network Security 179 7.1 Internet Vulnerabilities 179 7.2 Port Scanning 180 7.3 Spoofs 181 7.4 Spam 186 7.5 Denial of Service 199 7.6 Firewall Basics 202 7.7 Other Threats 205 8 Authentication 209 8.1 Local Authentication 210 8.2 Biometric Techniques 210 8.3 Passwords 216 9 Spyware 233 9.1 Introduction and Definition 234 9.2 RIAA and Spyware 238 9.3 Terrorism and Spyware 239 9.4 Political Contributions 241 9.5 Distribution of Spyware 242 9.6 Remote Reporting 245 9.7 Adware 248 9.8 Spyware? 249 10 Identity Theft 255 10.1 Introduction 256 10.2 Shredding 261 10.3 Internet Cookies 263 10.4 Phishing 264 10.5 The Homograph Threat 270 11 Privacy and Trust 273 11.1 Privacy Issues 274 11.2 Online Privacy 277 11.3 Children’s Privacy 279 11.4 Digital Forensics 285 11.5 Trust 286 A The Hacker 291 B l33t Speak 299 C Virus Timeline 303 Concluding Remarks 325 Glossary 331 Bibliography 347 Index 1 Physical Security What normally comes to mind, when hearing about or discussing computer security, is eithervirusesor someof themany security issuesthathave to do withnetworks,suchaslossofprivacy,identitytheft,orhowtosecuresensitive datasentonanetwork. Computersecurity,however,isavastdisciplinethat also includes mundane topics such as how to physically protect computer equipment and secure it against fire, theft, or flood. This chapter is a short discussion of various topics that have to do with physical security. 1.1 Side-Channel Attacks In order to whet the reader’s appetite we start with a new, exotic area of physical threats termed side-channel attacks. Today it is easy to locate the many references for this area, so we only mention three. Reference [SDat- tacks 10] maintains a listing of side-channel attack related publications and patents, [Bar-El 10] is a summary of the field, and [Shamir and Tromer 04] discuss several aspects of this topic. A sensitive, secret computer installation may be made very secure. It maybesurroundedbyhighelectrifiedfences,employasmallarmyofguards, be protected by powerful firewalls complemented by watchful system pro- grammersworkingthreeshifts,andrunvirusdetectionsoftwarecontinuously. Yet,itispossibletospyonsuchaninstallation“fromtheside”bycapturing and listening to information that is continuously and unintentionally leaked byelectronicdevicesinside. Thebasisofthisapproachisthewell-knownfact that people are nosy and machines are noisy. First, a bit of history. One of the earliest side-channel attacks took place in 1956 when Britain’s military intelligence (MI5) executed operation D. Salomon, Elements of Computer Security, Undergraduate Topics in Computer Science, DOI 10.1007/978-0-85729-006-9_1, © Springer-Verlag London Limited 2010 18 1 Physical Security ENGULF that tapped (perhaps among others) the telephone of the Egyp- tian embassy in London to record the sound from its Hagelin cipher ma- chines. The sound was used to determine the settings on the Hagelin ma- chines [Wright 89]. A better-known side-channel attack was published by WimVanEck[vanEck85]in1985,thatshowedhowtoeavesdroponaCRT by detecting its electromagnetic emission. The following story (heard by this author back in the 1970s) illustrates the power of a side-channel attack. In the early days of computing, punched cards were the main way to input data into a computer, and printers were the main output. Then came terminalswithkeyboardsandprinters,followedbyterminalswithkeyboards and monitor screens. A CRT monitor works like a television tube. An elec- tronbeam is directedto a glass plate (the screen)that’scoatedwitha phos- phor compound. When the electrons hit the screen, their kinetic energy is converted to light, and a small dot flashes momentarily on the glass. The beamisthenmovedtoanotherpointonthescreen,andtheprocesscontinues until all the required information is displayed on the screen. The process is then repeated in order to refresh the glow on the screen. An anonymous electronics engineer had an idea. He knew that an ac- celerated (and also decelerated) electric charge radiates, so he decided to try to detect and receive the radiation from a monitor screen with a small antenna and use it to reconstruct the information displayed on the screen. He drove a van full of his equipment next to an office building where workers were hunched attheircomputersandmanymonitorsglowed, and within half an hour, a monitor screen in the van showed the data displayed on one of the screens in the building. This was a clas- sic example of advanced electronic eavesdrop- ping applied in industrial spying. For further discussion of this threat, see [Zalewski 05] and [Backes 10]. Modern monitors use LCDs or plasma screens that presumably don’t radiate, but in the past, the only countermeasures to side-channel attacks were to either surround a computer room with a conductive material, to block any electromagnetic radiation from escaping, or to have a guarded, empty area around the entire building and move the parking lots away from the building. The information that emanates naturally from a computer consists of electromagneticradiation,sound,lightfromdisplays,andvariationsinpower consumption. ItisintuitivelyclearthatanidleCPU(i.e.,aCPUthathasexecutedan HLT instruction) requires less power than a busy CPU. Thus, measuring the powerconsumptionofaCPUcantellaspywhethertheCPUisbusyoridle. Even more, power consumption depends on the instruction being executed, so while the CPU executes a loop it consumes a certain amount of power, and when it comes out of the loop its power consumption may change. 1.1 Side-Channel Attacks 19 Our computers are electronic. They work by moving electrons between the various parts of the computer. A working CPU therefore emits electro- magnetic radiation that can be detected outside the computer, outside the computer room, and even outside the computer building. A spy who knows thetypeofCPUbeingspiedoncanexecutemanyprogramsonthesametype of CPU, measure the radiation emitted, and thus associate certain patterns of radiation with certain types of computer operations, such as loops, idle, or input/output. Oncesuch an associationhasbeenestablished,thespy can train a computer program to analyze radiation emitted by a spied computer and draw useful conclusions about the activity of the spied CPU at various times. A CPU is an integrated circuit (IC, or a chip) enclosed in a ceramic or plastic container and has no moving parts. Yet, inside the container there are several parts (a cavity for the CPU chip, the chip itself, wires, and printed connections) and they vibrate, thereby generating sound. This type of acoustic emanation can be detected by a sensitive microphone and analyzed, similar to electromagnetic radiation, to provide clues on the state oftheCPU.Experiments suggestthateach type of CPUoperationproduces a characteristic sound—a typical acoustic signature. Thus, listening to the sound produced by a CPU that’s busy all day encrypting secret messages may yield the encryption key (or keys) used by the operator; a significant achievement. A CPU is normally part of a larger enclosure that has many other elec- tronic parts and fans. These also emit sound waves and the computer room may also be noisy. This background noise complicates the analysis of sound waves emitted by the CPU, but it has been discovered that the latter sound is mostly above 10 kHz, whereas other sounds generated in and out of a computer are of much lower frequencies. ThesoundcreatedbyaCPUdependsontheCPUtype, onthetemper- ature inside the computer box, and on other environmental factors such as humidity. This fact complicates the analysis of sound waves from the CPU, but experiments conducted in various environments indicate that it is still possibletoobtainusefulinformationaboutthestatusofaCPUbyanalyzing what can be termed its audio output. It is possible to absorb the sound emanated by a CPU by enclosing the computer box with a sound dampening material. An alternative is to generate artificial high-frequency sound outside the computer, to mask the sound that the spy is trying to capture and record. A more sophisticated technique is to absorb the sound emanated by the CPU and have another CPU running a different program to generate sound to foil any spy who maybelisteningoutside. Theseconsiderationsapplyalsotoelectromagnetic radiation emitted by the CPU. A hard disk also generates sound because its head assembly moves in a radial direction to seek various cylinders. However, there is only a loose associationbetweenCPUinput/outputoperationsandthemovementsofthe head, because of the use of cache memories and the fact that many CPUs work on several programs simultaneously (multitasking). 20 1 Physical Security Researchersinthisfieldfeelthatacousticemanationsareimportantand should be studied and fully understood, because it is harder to stop sound thantoabsorbelectromagneticwaves. Acommoncold-warspyingtechnique was to listen to a conversation in a closed room by directing a laser beam at a window and measuring its reflection from the glass pane that vibrates because of the sound waves inside. Animportantclassofside-channelattacksistheso-calledtimingattacks. Atimingattackusesthefactthatmanyimportantcomputationalprocedures take an amount of time that depends on the input. Thus, by measuring the time it takes to complete a procedure, a spy can learn something about the input to the procedure. An important example is the RSA encryption algorithm (see document on cryptography in the book’s Web site). Part of thisalgorithmcomputesanexpressionoftheformabwherebistheencryption key. Asimplemethodtocomputeanexponentiationistomultiplyabyitself b 1 times, so measuring the time it takes to compute ab may give a spy − an idea of the size of b and thus help in breaking a code. For a reference on timing attacks, see [Boneh and Brumley 04]. The idea of a side-channel attack is not limited to emanations from the CPU.Thenextsectiondiscussesanapplicationtokeystrokes,andtherehave also been attempts to exploit the sounds made by certain types of printers to reconstructthe informationbeing printed. For a reference, see [Kuhn04]. Ithaslongbeenadreamofcryptographerstoconstructaperfectmachine... The development in the last twenty years of electronic machines that ac- cumulate data, or “remember” sequences of numbers or letters, may mean thatthisdreamhasalreadybeenfulfilled. Ifso, itwillbethenightmareto end all nightmares for the world’s cryptanalysts. In fact, the people who liveinthevicinityoftheNationalSecurityAgencythinkthattherealready are too many cipher and decoding machines in existence. The electronic equipment plays havoc with their television reception. —From [Moore and Waller 65]. 1.1.1 Acoustic Keyboard Eavesdropping Chapter 9 mentions keystroke loggers (or keystroke recorders) among other examples of spyware. A keystroke logger is a program that records every keystroketheusermakes,andstoresthisdataortransmitsittoitsowner(the spy). Asimilarconceptisascreencapture,aprogramthatperiodicallytakes a snapshot of the monitor screen and saves it or transmits it outside. There areprogramsthatidentifyanddeletespyware,butspyingonacomputercan also be done physically. A crude idea is to try to spy on a computer user by looking behind their shoulder, but a more practical, more sophisticated technique is to install a miniature radio transmitter inside a keyboard, to transmitkeystrokestoanearbyspy(seeExerciseIntro.3). Suchatransmitter is a physical threat and cannot be detected by spyware-removal software. An even more sophisticated spying technique records keystrokes by lis- tening to the sounds that individual keys make when pressed. Old timers in the computing field may remember that pressing a key on an old keyboard 1.1 Side-Channel Attacks 21 oftenresultedintwoormorecopiesofthekeyreadfromthekeyboarddueto bouncingof the keys. In a modern keyboard, the keys are placedon top of a plasticsheetanddifferentareasofthissheetvibratedifferently(andtherefore create different air vibrations, sounds) when a key is pressed. Thus, striking different keys generates different sounds (also the timing of keys varies, an A may take the keyboardslightlylongertoproducethanaB). Theearisnotsensitiveenoughtohearthedif- ferencesbetweensoundsgeneratedbydifferent keys, but a good quality microphone is. The idea of acoustic keyboard eavesdropping is for a spy to hide a mi- crophoneascloseaspossibletoakeyboard,torecordthesoundmadebythe keys when pressed, to digitize the sound, and to send the audio samples to a computer program controlled by the spy. Experiments have demonstrated that a sensitive parabolic microphone can record keyboard sounds reliably from distances of up to 50 feet (about 17 meters) from the keyboard even in the presence of background noise. Once the program learns to distinguish the individual sounds, it has to be trained so it can tell which key produces a given sound. In principle, the spy has to use another method, such as a keystroke logger, to capture many keystrokes, then feed the (ASCII codes of the) keys and the corresponding sounds to the program. In practice, however, it has been discovered that keyboards of the same make and model produce very similar sounds. Once the spy knows the kind of keyboard used by the victim, he may train his program on a keyboard of the same type, then feed it the sounds created by the poor victim’s keyboard. If the program can recognize, say, 80% of the keystrokes of that keyboard, the spy can use his intelligence to guess the remaining keystrokes and employ this information to train the program further. Exercise 1.1: Is it enough for a spy to detect 80% of a password? ¶ Currently, such spying is exotic and (we hope) rare, but it is a danger- ous development in the field of computer security because it is a physical threatandit cannotbe recognizedandblocked by software. Futuredevelop- ments may bring this type of spying to the attention (and the price range) of many would-be eavesdroppers, with unforeseen (and perhaps disastrous) consequences. A spy can often get to within 50 feet of his target’s house by parking a car in the street, renting a room in a nearby house or adjacent apartment, or planting the microphone in a plant in the backyard. (Many front-andbackyardshavelow-voltagelinestolighttheperimeterofthehouse at night, and this electricity may be tapped into to power the microphone.) Inaplaceofworkitmaybeeasytoinstallamicrophoneinadesknexttothe victim’s desk or in an office adjacent to the victim’s office, and such spying may be extremely difficult to detect. At present it seems that computer hackers and criminals are not aware of this threat and continue to break into computers by means of viruses and by breaking firewalls. Admittedly, someone who wants to control a vast

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.