Computer Security Lecture Notes PDF

Summary

These lecture notes cover various aspects of computer security from a technical point of view. Topics like viruses, worms, and denial-of-service attacks are discussed. The document also touches upon different security aspects such as detection mechanisms and security measures.

Full Transcript

Quine -- self-replicating/reproducing/copying/modifying

Self-modifying codes -- used by programs that do not want to reveal
their presence. Used in certain attacks, such as buff overflows

Interpreted languages -- edit the source code

Mobile Malcode -- malicious programs which spread from machine to
machine without the consent of the owners/operators/users

Trapdoors (Back doors) -- secret entry point into a program. Allows
those who know access bypassing usual security procedures

Logic bomb -- one of the oldest types of malicious software

Trojan horse -- programs that appear to have one function but actually
perform another

Modern trojan horse -- resemble a program that the user wishes to run

Zombie -- program which secretly takes over another networked computer

Virus -- is a piece of code that inserts into a host, including
operating systems, to propagate.

Dormant -- waiting on trigger event

Propagation -- replicating to programs/disks

Triggering -- by event to execute payload

Propagation -- method by which the virus spreads itself.

Macros -- usually executable files:.com,.exe,.bat

System sector viruses -- infect control sectors on a disk

Partition (MBR) sectors -- system sectors viruses spread easily via
floppy disk infections

Companion viruses -- create a.com files for each.exe files

Cluster viruses -- change the DOS directory info so that directory
entries point to the virus code instead of the real program

Polymorphic viruses -- change with each infection

Control flow permutations -- attempt to defeat scanners

Virus writing tool kit -- have been created to simplify creation of new
viruses

Scanning -- depend on prior knowledge of a virus

Integrity checking -- read entire disk and record integrity data that
acts as a signature for the files and system sectors

Integrity checking -- use cryptographic computation technique instead of
simple checksum

Interception -- monitoring for system-level routines that perform
destructive acts. Good for detecting logic bombs and trojan horse

Pakistani Brain Virus -- first PC Virus

Pakistani Brain virus -- written by pakistani brothers to protect their
copyright

Chernobyl -- destructive virus

Chernobyl -- designed to inflict harm

Flash BIOs -- would cause permanent hardware damage to vulnerable
motherboards

Melissa -- Early macro virus

Worms -- autonomous, active code that can replicate to remote hosts
without any triggering

Metaserver -- a server for information about other servers

Game metaserver -- use to attack a small population

Topological information -- look for local information to find new
targets

Passive worms -- wait for information about other targets

Self-carried -- transmit itself as part of the infection process

Human activation -- needs social engineering, especially for email worms

None/nonfunctional -- most common, still can have significant effects
through traffic and machine load

Internet remote control -- code red II open backdoor on victim machines:
anyone with a web browser can execute arbitrary code

Morris -- first major autonomous worm. Attack multiple vulnerabilities

Code Red -- First recent "fast" worm, 2^nd^ wave infected 360, 000
servers in 14 hrs

CRClean -- unreleased anti code red worm

Nimda -- local subnet scanning.

Scalper -- released 10 days after vulnerability revealed

Slammer -- spread worldwide in 10 minutes

Stuxnet -- a sophisticated computer worm discovered in 2010

SCADA Systems -- specifically designed to target Siemens Step 7 software

Fred Cohen -- first documented work with viruses

Leo Adelman -- coined the term "virus"

Virus -- a program that can infect other programs by modifying them to
include a version of itself

Early mail virus -- one of the earliest viruses that propagated
automatically when an infected attachment is executed

Morris worm -- best known classic worm

Robert Morris -- released morris worm

Quishing -- a cybersecurity threat in which attackers use QR codes to
redirect victims to malicious websites or prompt them to download
harmful content.

Quishing -- the goal of this attack is to steal sensitive information,
such as passwords, financial data, or personally identifiable
information and use that information for other purposes, such as
identity theft, financial fraud, or ransomware

Denial of Service Attacks -- point-to-point network denial service

Smurf -- distributed denial of service attacks

Denial of Service attack -- an explicit attempt by attackers to prevent
legitimate users of a service from using that service

Threat model -- taxonomy from CERT

Slashdot Effect -- occurs when a popular website links to a smaller
website, causing a massive increase in traffic.

Status -- DoS attacks increasing in frequency, severity and
sophistication

DNS Query attacks -- were responsible for the vast majority of overall
DDoS attacks.

Software and Computer Services -- was the most attacked industry in 2023
comprising 36% of all attacks.

Flooding Attacks -- point-to-point attacks

Distributed attacks -- hierarchical structures

Corruption attacks -- application/service specific

Attack using Trin00 -- scan for known vulnerabilities, then attack with
UDP traffic

Spoofed Source Address -- random source addresses in attack packets

Subnet Spoofed Source address -- random address from address space
assigned to the agent machine's subnet

En route spoofed source address -- address spoofed en route from agent
machine to victim

Valid Source Address -- used when attack strategy requires several
request/reply exchanges between an agent and the victim machine

Attack rate dynamics -- agent machine sends a stream of packets to the
victim

Constant rate -- attack packets generated at constant rate, usually as
many as resources allow

Variable rate -- delay or avoid detection and response

Increasing rate -- gradually increasing rate causes a slow exhaustion of
victim's resources

Fluctuating rate -- occasionally relieving the effect. Victim can
experience period service disruptions

SyN Flooding attack -- takes advantage of three way handshake. Server
start "half-open" connections. These build up.. until queue is full and
all additional request are blocked

Point-to-point -- one sender, one receiver

Reliable, in-order byte steam -- no "message boundaries"

Pipelined -- TCP congestion and flow control set window size

Full duplex data -- bi-directional data flow in same connection

Connection-oriented -- handshaking (exchange of control msg) init's
sender, receiver state before data exchange

Flow controlled -- sender will not overwhelm receiver

Passive RST -- transmitted upon arrival of a packet at a closed port
(usually by servers)

Active RST -- initiated by the client to abort a TCP connection

Intrusion -- a set of actions aimed to compromise the security goals

Intrusion detection -- the process of identifying and responding to
intrusion activities

Intrusion Prevention -- extension of ID with exercises of access control
to protect computers from exploitation

Features -- capture intrusion evidences

Models -- piece evidences together

Misuse detection - (AKA signature based)

Anomaly detection -- (AKA Statistical based)

Hos-Based IDSs -- using OS auditing mechanisms

Network IDSs -- deploying sensors at strategic locations

Firewall -- active filtering

Network IDS -- passive monitoring

Adaptive -- detect new intrusions

Scenario-based -- correlate (multiple sources of) audit data and attack
information

Cost-sensitive -- model cost factors related to intrusion detection

Uses of Quines

- Hide code to prevent reverse engineering

- Evade detection by virus/spyware scanning software

Self-modifying codes

- Interpreted languages -- edit the source code

- Compiled languages -- binary edit the compiled code

Virus phases

- Dormant

- Propagation

- Triggering

- Execution

- Exploiting features/weaknesses

Two primary components (Anatomy of a virus)

- Propagation mechanism

- Payload

Virus Detection

- Scanning

- Integrity Checking

- Interception

- Combination of all three

Major Worms

- Morris

- Code red

- CRClean

- Nimda

- Scalper

- Slammer

Passive Worms

- CRClean

- Anti-Code Red II worms