CS155 Computer Security Overview

Questions and Answers

What is a primary motivation for attackers compromising end user machines?

• To steal user credentials (correct)
• To enhance system performance
• To improve user experience
• To install software updates

What type of malware is known to inject JavaScript into bank login pages?

• SilentBanker (correct)
• Virus
• Trojans
• Ransomware

How does FinSpy primarily collect data on mobile devices?

• Through phishing emails only
• Via web browser vulnerabilities
• By physical access and malware links (correct)
• From app store updates

Which vulnerability was exploited by the WannaCry ransomware?

Eternalblue (B)

What mechanism do attackers use to maintain access to a compromised PC?

Keylogger capabilities (C)

What characteristic of ransomware makes it a worldwide problem?

Disruption of essential services (B)

What is a common method for distributing financial malware?

Spam emails (B)

In what way did the WannaCry worm exploit the Eternalblue vulnerability?

By exploiting port 445 in SMB (A)

What is a primary goal of this computer security course?

Understanding exploit techniques and learning to defend against them (D)

Which of the following is NOT listed as a security tool in the course overview?

Malware analysis (A)

In the context of secure system architecture, what does 'sandboxing' primarily refer to?

Running applications in isolation to prevent them from affecting other processes (A)

Which programming concept is primarily focused on securing web applications against attacks in this course?

Robust web design principles (D)

What is one of the key strategies for network security discussed in the course?

Monitoring network traffic for suspicious activity (A)

Which of the following products had the highest number of vulnerabilities reported in 2023?

Microsoft Server (D)

What is the primary focus of the first part of the course?

Architecting for security and securing legacy code (B)

Which of the following best describes the distribution of exploits used in attacks?

Most exploits focus primarily on web browsers (B)

What is one of the most damaging results of server-side attacks mentioned in the content?

Infecting visiting users (B)

What is a common step in the typical process of a server-side attack?

Lateral movement (B)

Which attack was notably carried out against the Democratic National Committee (DNC)?

Election interference (B)

What was the primary method used by attackers in the SolarWinds Orion case?

Corrupting the software update process (B)

What is an example of security tools that can stop various stages of a server-side attack?

Active monitoring tools (C)

What was exploited in the Equifax data breach that impacted approximately 143 million users?

Known vulnerabilities in a web framework (D)

During which phase of a cyber attack might attackers gather information about the target environment?

Reconnaissance (C)

Flashcards

SilentBanker

Malware that steals user credentials by injecting JavaScript code into bank login pages.

Adversary-in-the-Browser (AITB)

A technique where attackers inject malicious code into webpages.

Financial Malware

Software designed to steal financial information from users.

FinSpy

Malware that collects user data from mobile devices.

Ransomware

Malware that encrypts user data and demands payment for its release.

EternalBlue Vulnerability

A security vulnerability in SMB protocol that was weaponized to spread ransomware.

WannaCry Ransomware

A specific ransomware attack that used the EternalBlue vulnerability.

Motivation for Attackers

Motivations of attackers include financial gain, data extortion, and political objectives.

Security Problem

Software bugs can be exploited by attackers to gain unauthorized access and cause harm.

Exploit Marketplace

A market where attackers buy and sell tools and techniques to exploit vulnerabilities.

Malware Marketplace

A market where attackers buy and sell malicious software designed to steal data or disrupt systems.

Android Vulnerability

Most vulnerable product with over 1400 security flaws in 2023, according to CVE Details.

Exploits in Attacks

Java, Android, Browsers, and Office applications are frequently targeted by attackers.

Global Security Problem

Cyberattacks affect users worldwide, with some countries facing a higher risk.

Course Goals

The course aims to teach students techniques to understand and prevent common exploits, use security tools, and architect secure systems.

Course Structure

The course is divided into three parts covering security basics, web security, and network security.

Server-side Attacks

Attacks that target a server's software or infrastructure, aiming to compromise the server itself.

Data Theft

A type of server-side attack where attackers steal sensitive information stored on the server, such as credit card details or intellectual property.

Political Motivation

Attacks carried out for political reasons, often targeting government systems, political parties, or critical infrastructure.

Infect Visiting Users

A server-side attack where the goal is to infect users who visit the compromised server with malware.

Reconnaissance

The initial phase of an attack where attackers gather information about their target, including vulnerabilities and potential entry points.

Foothold

The first successful breach into a target system, granting the attackers access to the target.

Lateral Movement

The attacker's attempt to move from the initial foothold to other systems within the network, expanding their control.

Sunspot

The malware used in the SolarWinds attack that injected malicious code into the Orion software update process.

Study Notes

Course Overview

• Course name: CS155 Computer Security
• Course website: https://cs155.Stanford.edu
• Instructors: Dan Boneh and Zakir Durumeric
• Course materials: Three programming projects (pairs) and two written homeworks
• Project #1: Posted Wednesday. Attend the first section.
• Tools: EdDiscussions and Gradescope
• Extensions: Automatic 72-hour extension

The Computer Security Problem

• Lots of buggy software
• Finding and exploiting vulnerabilities generates income
• Vulnerabilities monetized: Exploitation marketplaces (initial foothold), Malware marketplaces (post-compromise)
• Motivations: Significant economic and political incentives driving the use of vulnerabilities

Top 10 Products by Vulnerabilities (2023)

• Data from CVEdetails.com, 2023 | Product name | Vendor | # vulnerabilities | |---|---|---| | Android | Google | 1422 | | Microsoft Server | Microsoft | 2059 | | Fedora | Fedora Project | 540 | | Windows 11 | Microsoft | 1004 | | Debian Linux | Debian | 487 | | MacOS | Apple | 418 | | Chrome | Google | 296 | | iPhone OS | Apple | 269 |

Distribution of Exploits Used in Attacks (2021)

• Data from Kaspersky Security Bulletin 2021
• Exploits categorized by target.
• Office: 49.75%
• Browser: 32.23%
• Android: 7.58%
• Java: 4.38%
• Others: < 4%

Top 10 Countries Attacked (2021)

• Data from Kaspersky Security Bulletin 2021
• Ranked by percentage of attacked users. | Country | %* | |---|---| | Ecuador | 9.01 | | France | 8.04 | | Spain | 7.30 | | Vietnam | 6.89 | | Canada | 6.81 | | India | 6.45 | | Italy | 6.27 | | Turkey | 6.19 | | United States | 5.91 | | Mexico | 5.60 |

Goals for the Course

• Understand exploit techniques
• Learn to defend against common exploits
• Understand available security tools
• Learn to architect secure systems

Course Structure

• Part 1: Basics (architecting for security)
  • Securing applications, operating systems, and legacy code (sandboxing, access control, security testing)
• Part 2: Web security (defending against web attackers)
  • Building robust websites and understanding the browser security model
• Part 3: Network security (defending against network attackers)
  • Monitoring and architecting secure networks
• Part 4: Securing mobile and cloud applications, hardware features

Compromising End User Machines

• Goal: Stealing user credentials (e.g., keyloggers for banking passwords, corporate passwords, gaming accounts)
• SilentBanker malware is an example
• Adversary-in-the-browser (AITB) techniques

Financial Malware

• Variety of financial malware (Zbot, CryptoShuffler, SpyEye, Trickster, RTM, Nimnul, Danabot, Cridex, Nymaim, Neurevt)
• Methods: Keyloggers to steal passwords, spread via spam or hacked websites

Mobile Device Attacks

• Similar attacks like FinSpy are used on iOS and Android (and Windows)
• Methods: Collecting contacts, call history, location info
• Installation methods: Links in SMS or email pre-2017; physical access post-2017

Ransomware

• Data from Kaspersky Security Bulletin 2021
  • Ranked by percentage of attacked users. | Name | % of attacked users** | |---|---| | WannaCry | 7.71 | | Locky | 6.70 | | Cerber | 5.89 | | Jaff | 2.58 | | . . . | . . . |
• Worm spreads via SMB vulnerability (port 445)
• EternalBlue vulnerability exploited, released by ShadowBrokers
• May 12, 2017: Detection and initial exploitation

Bitcoin Mining Trojans

• Data from Kaspersky Security Bulletin 2021
• Data on # affected users, by date
• Examples: Trojan.Win32.Miner.bbb, Trojan.Win32.Miner.ays, Trojan.JS.Miner.m, Trojan.Win32.Miner.gen

Server-Side Attacks

• (1) Data theft (credit card numbers, intellectual property) - Equifax (July 2017): Exploited known vulnerability in Apache Struts (RCE). Many more similar attacks.
• (2) Political motivation - DNC (2015), Ukraine attacks (2014, 2015, 2016, power grid, 2017: NotPetya,...)
• (3) Infecting visiting users

Attack Steps

• Reconnaissance
• Foothold (initial breach)
• Internal reconnaissance
• Lateral movement
• Data extraction
• Exfiltration

Case Study 1: SolarWinds Orion (2020)

• Orion: Monitoring tools
• Attack: Attacker corrupted the SolarWinds update process.
• Malware: Sunburst
• Result: Large-scale infections. Detected in Decem 2020

Sunspot: Malware Injection

• How attackers corrupted the SolarWinds build process:
• Taskhostsvc.exe monitored MsBuild.exe (visual Studio) processes.
• If an Orion building process was found, replace a file Inventory Manager.cs with malware version, while keeping original version (InventoryManager.bk).
• How organizations detect/prevent this? Prevention techniques.

The Fallout

• Large number of organizations and government systems exposed.
• More generally: A supply chain attack (vendor compromise leads to multiple customer compromises)

Case Study 2: Typo Squatting

• Pip: Python package installer.
• The Python Package Index (PyPI) hosts many projects.
• Security risk: Malware disguised as legitimate packages.
  • Example: Malware package urllib3 instead of urllib3

Security Considerations

• Every package installed creates a dependency.
• Package maintainer can inject code.
• Supply chain attacks are possible (attacking the package maintainer can compromise dependent projects).
• Recent example: xz Utils (malicious install script)

Security Considerations: Typo-Squatting

• Malware package with a similar name to a popular package
• Unsuspecting developers install the wrong package
  • Examples: urllib3 (URLs), python-nmap (network scanning)

Case Study 3: Large Language Models (LLMs)

• Prompt injection attacks: Attacking LLMs through adversarial inputs.
• Example: Image-based prompt injection attack

The Marketplace for Exploits

• Option 1: Bug bounty programs (e.g., Google, Microsoft, Apple, Stanford, Pwn2Own)

  • Google: up to $31,337

• Option 2: Zerodium (high-paying, focused zero-day exploits)

Zerodium Payouts

• Data on payouts for various exploits (RCE, LPE, SBX) targeting different platforms (Windows, macOS, Linux, etc.).

What to do?

• Inspect compiler source code
• Recompile the compiler
• Problem: C compiler is written with C, compiling itself.
  • What if the compiler binary has a backdoor?

Thompson's Clever Backdoor

• Attack step 1: Modifying compiler source to include a backdoor when it encounters login-program and compiler-program (different entries).
• Attack step 2: Compiling the modified compiler creating a corrupt compiler binary.

What Can We Trust?

• Trust in laptop components, applications, OS, BIOS/UEFI, motherboard, software updates
• Solution: Reinstate OS and applications
• Method for reinstating; Boot Tails from a USB drive (Debian)
• Trusted Computing Base (TCB): Minimally trusted part that is assumed to be not compromised and building a secure environment on top of that

Next Lecture

• Control hijacking vulnerabilities