CS155 Computer Security Overview

Questions and Answers

What is a primary motivation for attackers compromising end user machines?

  • To steal user credentials (correct)
  • To enhance system performance
  • To improve user experience
  • To install software updates

What type of malware is known to inject JavaScript into bank login pages?

  • SilentBanker (correct)
  • Virus
  • Trojans
  • Ransomware

How does FinSpy primarily collect data on mobile devices?

  • Through phishing emails only
  • Via web browser vulnerabilities
  • By physical access and malware links (correct)
  • From app store updates

Which vulnerability was exploited by the WannaCry ransomware?

    EternalBlue

    What mechanism do attackers use to maintain access to a compromised PC?

    Keylogger capabilities

    What characteristic of ransomware makes it a worldwide problem?

    Disruption of essential services

    What is a common method for distributing financial malware?

    Spam emails

    In what way did the WannaCry worm exploit the EternalBlue vulnerability?

    By exploiting port 445 in SMB

    What is a primary goal of this computer security course?

    Understanding exploit techniques and learning to defend against them

    Which of the following is NOT listed as a security tool in the course overview?

    Malware analysis

    In the context of secure system architecture, what does 'sandboxing' primarily refer to?

    Running applications in isolation to prevent them from affecting other processes

    Which programming concept is primarily focused on securing web applications against attacks in this course?

    Robust web design principles

    What is one of the key strategies for network security discussed in the course?

    Monitoring network traffic for suspicious activity

    Which of the following products had the highest number of vulnerabilities reported in 2023?

    Microsoft Server

    What is the primary focus of the first part of the course?

    Architecting for security and securing legacy code

    Which of the following best describes the distribution of exploits used in attacks?

    Most exploits focus primarily on web browsers

    What is one of the most damaging results of server-side attacks mentioned in the content?

    Infecting visiting users

    What is a common step in the typical process of a server-side attack?

    Lateral movement

    Which attack was notably carried out against the Democratic National Committee (DNC)?

    Election interference

    What was the primary method used by attackers in the SolarWinds Orion case?

    Corrupting the software update process

    What is an example of security tools that can stop various stages of a server-side attack?

    Active monitoring tools

    What was exploited in the Equifax data breach that impacted approximately 143 million users?

    Known vulnerabilities in a web framework

    During which phase of a cyber attack might attackers gather information about the target environment?

    Reconnaissance

    Study Notes

    Course Overview

    • Course name: CS155 Computer Security
    • Course website: https://cs155.Stanford.edu
    • Instructors: Dan Boneh and Zakir Durumeric
    • Course materials: Three programming projects (pairs) and two written homeworks
    • Project #1: Posted Wednesday. Attend the first section.
    • Tools: EdDiscussions and Gradescope
    • Extensions: Automatic 72-hour extension

    The Computer Security Problem

    • Lots of buggy software
    • Finding and exploiting vulnerabilities generates income
    • Vulnerabilities monetized: Exploitation marketplaces (initial foothold), Malware marketplaces (post-compromise)
    • Motivations: Significant economic and political incentives driving the use of vulnerabilities

    Top 10 Products by Vulnerabilities (2023)

    • Data from CVEdetails.com, 2023

    | Product name | Vendor | # vulnerabilities |
    |---|---|---|
    | Android | Google | 1422 |
    | Microsoft Server | Microsoft | 2059 |
    | Fedora | Fedora Project | 540 |
    | Windows 11 | Microsoft | 1004 |
    | Debian Linux | Debian | 487 |
    | MacOS | Apple | 418 |
    | Chrome | Google | 296 |
    | iPhone OS | Apple | 269 |

    Distribution of Exploits Used in Attacks (2021)

    • Data from Kaspersky Security Bulletin 2021
    • Exploits categorized by target.
    • Office: 49.75%
    • Browser: 32.23%
    • Android: 7.58%
    • Java: 4.38%
    • Others: < 4%

    Top 10 Countries Attacked (2021)

    • Data from Kaspersky Security Bulletin 2021
    • Ranked by percentage of attacked users.

    | Country | %* |
    |---|---|
    | Ecuador | 9.01 |
    | France | 8.04 |
    | Spain | 7.30 |
    | Vietnam | 6.89 |
    | Canada | 6.81 |
    | India | 6.45 |
    | Italy | 6.27 |
    | Turkey | 6.19 |
    | United States | 5.91 |
    | Mexico | 5.60 |

    Goals for the Course

    • Understand exploit techniques
    • Learn to defend against common exploits
    • Understand available security tools
    • Learn to architect secure systems

    Course Structure

    • Part 1: Basics (architecting for security)
      • Securing applications, operating systems, and legacy code (sandboxing, access control, security testing)
    • Part 2: Web security (defending against web attackers)
      • Building robust websites and understanding the browser security model
    • Part 3: Network security (defending against network attackers)
      • Monitoring and architecting secure networks
    • Part 4: Securing mobile and cloud applications, hardware features

    Compromising End User Machines

    • Goal: Stealing user credentials (e.g., keyloggers for banking passwords, corporate passwords, gaming accounts)
    • SilentBanker malware is an example
    • Adversary-in-the-browser (AITB) techniques

    Financial Malware

    • Variety of financial malware (Zbot, CryptoShuffler, SpyEye, Trickster, RTM, Nimnul, Danabot, Cridex, Nymaim, Neurevt)
    • Methods: Keyloggers to steal passwords, spread via spam or hacked websites

    Mobile Device Attacks

    • Similar attacks like FinSpy are used on iOS and Android (and Windows)
    • Methods: Collecting contacts, call history, location info
    • Installation methods: Links in SMS or email pre-2017; physical access post-2017

    Ransomware

    • Data from Kaspersky Security Bulletin 2021
      • Ranked by percentage of attacked users.

      | Name | % of attacked users** |
      |---|---|
      | WannaCry | 7.71 |
      | Locky | 6.70 |
      | Cerber | 5.89 |
      | Jaff | 2.58 |
      | ... | ... |
    • Worm spreads via SMB vulnerability (port 445)
    • EternalBlue vulnerability exploited, released by ShadowBrokers
    • May 12, 2017: Detection and initial exploitation

    Bitcoin Mining Trojans

    • Data from Kaspersky Security Bulletin 2021
    • Data on # affected users, by date
    • Examples: Trojan.Win32.Miner.bbb, Trojan.Win32.Miner.ays, Trojan.JS.Miner.m, Trojan.Win32.Miner.gen

    Server-Side Attacks

    • (1) Data theft (credit card numbers, intellectual property) - Equifax (July 2017): Exploited known vulnerability in Apache Struts (RCE). Many more similar attacks.
    • (2) Political motivation - DNC (2015), Ukraine attacks (2014, 2015, 2016, power grid, 2017: NotPetya,...)
    • (3) Infecting visiting users

    Attack Steps

    • Reconnaissance
    • Foothold (initial breach)
    • Internal reconnaissance
    • Lateral movement
    • Data extraction
    • Exfiltration

    Case Study 1: SolarWinds Orion (2020)

    • Orion: Monitoring tools
    • Attack: Attacker corrupted the SolarWinds update process.
    • Malware: Sunburst
    • Result: Large-scale infections. Detected in December 2020.

    Sunspot: Malware Injection

    • How attackers corrupted the SolarWinds build process:
    • Taskhostsvc.exe monitored MsBuild.exe (Visual Studio) processes.
    • If an Orion build process was found, it replaced the file InventoryManager.cs with a malware version, while keeping the original version (InventoryManager.bk).
    • How can organizations detect or prevent this? Prevention techniques.

    The Fallout

    • Large number of organizations and government systems exposed.
    • More generally: A supply chain attack (vendor compromise leads to multiple customer compromises)

    Case Study 2: Typo Squatting

    • Pip: Python package installer.
    • The Python Package Index (PyPI) hosts many projects.
    • Security risk: Malware disguised as legitimate packages.
      • Example: Malware package urllib3 instead of urllib3

    Security Considerations

    • Every package installed creates a dependency.
    • Package maintainer can inject code.
    • Supply chain attacks are possible (attacking the package maintainer can compromise dependent projects).
    • Recent example: xz Utils (malicious install script)

    Security Considerations: Typo-Squatting

    • Malware package with a similar name to a popular package
    • Unsuspecting developers install the wrong package
      • Examples: urllib3 (URLs), python-nmap (network scanning)

    Case Study 3: Large Language Models (LLMs)

    • Prompt injection attacks: Attacking LLMs through adversarial inputs.
    • Example: Image-based prompt injection attack

    The Marketplace for Exploits

    • Option 1: Bug bounty programs (e.g., Google, Microsoft, Apple, Stanford, Pwn2Own)

      • Google: up to $31,337
    • Option 2: Zerodium (high-paying, focused zero-day exploits)

    Zerodium Payouts

    • Data on payouts for various exploits (RCE, LPE, SBX) targeting different platforms (Windows, macOS, Linux, etc.).

    What to do?

    • Inspect compiler source code
    • Recompile the compiler
    • Problem: The C compiler is written in C and compiles itself.
      • What if the compiler binary has a backdoor?

    Thompson's Clever Backdoor

    • Attack step 1: Modify the compiler source to insert a backdoor when it encounters the login program and the compiler program (handled as different entries).
    • Attack step 2: Compile the modified compiler, creating a corrupt compiler binary.

    What Can We Trust?

    • Trust in laptop components, applications, OS, BIOS/UEFI, motherboard, software updates
    • Solution: Reinstate OS and applications
    • Method for reinstating: Boot Tails from a USB drive (Debian)
    • Trusted Computing Base (TCB): The minimal trusted part, which is assumed not to be compromised; a secure environment is built on top of it

    Next Lecture

    • Control hijacking vulnerabilities


    Description

    Explore the course details of CS155 Computer Security, including programming projects, written assignments, and insights into vulnerability exploitation. This quiz covers the implications of buggy software and the economic motivations behind vulnerabilities in the tech industry.
