CS 40 - Lecture 14

Cover page image

Lecture 13 Recap

Morris

November 2, 1988 (!)
Program attacked most of the several thousand (!) machines on the internet
Exploited “buffer overflow” problem in finger daemon
Attacked trusted neighboring computers
Due to programming error, consumed most of computers' resources
Released by a Cornell University student, Robert Morris...
...who was sentenced to 3 years probation, 400 hours community service and a $10,500 fine

buffer overflow cartoon

Program code and data are all contained in memory
Any memory block (called “buffer”) must have some maximum size
What happens if the buffer is filled with data that is longer than the buffer?
Java: An error occurs
C/C++: If no explicit check, the memory beyond the buffer is overwritten
Exploit: Send excessively long data block over network, overwrite part of the program

You are the attacker. Suppose you can fill locations 80, 81, etc., and there is no overflow check. Fill them so that the password check will succeed.

What do you fill them with? ActiveLecture.org

Attacker's problem: How to run code on your computer
Pathways:
- Make network connection to your computer and send data that exploits software vulnerability (such as buffer overruns)
- Trick you into launching an application
- Cause malicious script to run on your computer

Script = program in a simple language, usually tied to an application
Examples: VBScript (Microsoft Office), JavaScript (web browser)
Purpose: Automation of repetitive task (Office macros)
Easy to carry out powerful tasks (erase file, send email)
Runs automatically upon certain events that are not usually perceived as dangerous:
- Visiting a web page
- Opening an email message or attachment

May 2000: Internet was flooded with email messages with subject line “I LOVE YOU”
When opened in Microsoft email reader, script ran immediately (without asking)
Script opened address book and sent I LOVE YOU messages to everyone
No damage (except having to explain that you didn't actually love all those people)
Authored by Onel de Guzman, as part of his computer science master's thesis. (He didn't graduate.)

Scripts in browser run automatically (JavaScript, Java applets)
In theory, they are safe, but subtle browser bugs can make them unsafe
October 2005: Samy “cross-scripting attack” added a million MySpace users to the author's friend list. You were added if you viewed the page of one of the “friends”
Samy Kamkar sentenced to 3 years probation, 90 days community service

Network connections:
- Use Firewall
- Install OS patches
User action:
- Use anti-virus software and pay for updates
- Think before you click
- Read those security warnings
Script:
- Use Firefox, not IE
- Install patches
- Consider NoScript extension

Read this article: http://www.eweek.com/article2/0,1895,1940747,00.asp. How did the malware get to the user's computer?

ActiveLecture.org

Graffiti artists—bragging, no theft or vandalism
Thieves—look for account numbers, interfere with financial transactions
Zombie masters—use your computer for their own purposes (usually sending email spam)
Spammers—display ads on your computer, watch your browsing/shopping
Spies—invade your privacy, spy on your email, communication, etc.
Vandals—destroy your data

Network of infected computers
Remotely controlled by criminals
Usually used for sending spam email
Users are blissfully unaware
Estimate: about 25% of all computers are infected (http://news.bbc.co.uk/1/hi/business/6298641.stm)

Infected computer monitors keystrokes, web pages
Looks for credit card numbers, CVV codes, bank account numbers, addresses, social security numbers
Botnet operators sell data to criminals: http://www.cio.com/article/135500/
Data used to pump/dump stocks, purchase goods, clean out bank accounts
Who pays? With credit cards (but not debit cards), you are protected. With electronic funds transfer, you are not: http://www.iht.com/articles/2005/02/15/business/netbank.php