Introduction to Email Malcode, DoS Attack, Traceback

Slide 1: Introduction to Email Malcode, DoS Attack, Traceback, RFID Security
Cliff C. Zou, 03/02/06
Slide 2: Email Virus Infection Mechanisms
- Virus code in email attachment
  - Require user to click/execute attachment
    - No vulnerability needed on target computer
  - Exploit email software vulnerability (e.g., Outlook)
    - Infect by simply checking email
- Contain URL directing to malicious web servers
  - Trick user to download/execute (e.g., a "patch")
  - Could be a mini web server set up on sender

Slide 3: Why Do Users Keep Clicking Virus Attachments?
- Email protocol (SMTP) has no built-in security
  - No encryption
  - Easy to fake the "From: ..." field
    - Appear to come from your friends, admin, ...
- Social engineering tricks
  - "Warning: your computer is infected!"
  - Fun video clip, photos, doc to share from friends

Slide 4: Email Virus Spreading Steps
- Obtain email addresses
  - Address book, web cache, ...
  - Search "mailto:..." in Google, Yahoo, etc. (MyDoom)
- Send out virus email
  - Usually, use its own SMTP engine
    - The host normally connects to an outgoing email server for sending
  - Many email viruses avoid certain email domains

Slide 5: Other Email-based Malware
- Spam
  - Profit-driven
  - Usually sent from compromised hosts
- Spyware (trojan)
- Adware
- Phishing
  - Trick user to connect to a fake website
  - Record user input of account information
Slide 6: Distributed Denial of Service (DDoS) Attack
- Send a large amount of traffic to a server so that the server has no resources left to serve normal users
- Attacking format:
  - Consume target memory/CPU resource
    - SYN flood (backscatter paper presented before)
    - Database query...
  - Congest target Internet connection
    - Attack traffic from many sources overwhelms the target link
    - Very hard to defend

Slide 7: Why is it hard to defend against DDoS attack?
- Internet IP protocol has no built-in security
  - No authentication of source IP
    - SYN flood with faked source IP
    - However, the IP is true after a connection is set up
- Servers are supposed to accept unsolicited service requests
- Lack of collaboration ways among the Internet community
  - How can you ask an ISP in another country to block certain traffic for you?

Slide 8: DoS spoofed attack defense: IP traceback
- Suppose a victim can call ISPs upstream to block certain traffic
- SYN flood: which traffic to block?
- IP traceback: find out the real attacking host for a SYN flood
  - Based on the large amount of attacking packets
  - Needs a little help from routers (packet marking)
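The router help the slide refers to is probabilistic packet marking. The added example below (not part of the original slides) simulates the node-sampling variant from Savage et al.: each router overwrites one mark field with its own address with probability p, and the victim, who cannot trust the spoofed source IPs, orders the marks by frequency to recover the path. The router names and path are constructed.

```python
import random
from collections import Counter

# Constructed attack path, attacker side first, victim side last.
# Source IPs in a SYN flood are spoofed, so only router marks are trusted.
PATH = ["R1", "R2", "R3", "R4", "R5"]
MARK_PROB = 0.5


def node_sample_mark(path, p, rng):
    """Forward one packet along `path`; each router overwrites the
    single mark field with its own address with probability p.
    Returns the mark the victim sees (None if no router marked)."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = router
    return mark


def collect_marks(path, p, n_packets, seed=7):
    """Victim side: tally the mark field over n_packets flood packets.
    Expected share of the router at distance d from the victim is
    p * (1 - p) ** (d - 1), so the flood volume itself drives accuracy."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_packets):
        mark = node_sample_mark(path, p, rng)
        if mark is not None:
            counts[mark] += 1
    return counts


def reconstruct_path(counts):
    """The router adjacent to the victim is never overwritten, so it marks
    most often; farther routers mark geometrically less. Descending count
    order is victim-first, so reverse it to get attacker-first order."""
    victim_first = [router for router, _ in counts.most_common()]
    return list(reversed(victim_first))


def ambiguous(counts, min_ratio=1.3):
    """Flag a reconstruction whose neighbouring counts are too close to
    order reliably (too few packets seen for the path length)."""
    ordered = [c for _, c in counts.most_common()]
    return any(a < min_ratio * b for a, b in zip(ordered, ordered[1:]))


if __name__ == "__main__":
    marks = collect_marks(PATH, MARK_PROB, 20000)
    print(reconstruct_path(marks), "ambiguous:", ambiguous(marks))
```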
Slide 9: Worm defense: Worm traceback
- Find who was the first to be infected
  - Useful for an enterprise network
  - Find the security breach point afterwards
  - Based on the worm attacking flow

Slide 10: RFID Background
- RFID: radio-frequency identification
  - Tiny computer chip with an antenna to transmit information to an RFID reader
- RFID tag in consumer market
  - Stores a unique ID number
  - "Wireless" bar code
- Huge market profit in the future
  - Cheap tags for most consumer products
  - Different tags for vast applications

Slide 11: RFID Background
- Power issue
  - Active: battery-powered, long range
    - E-pass
  - Passive: no battery, powered by the radio signal from the RFID reader
    - Consumer tags (no crypto/authentication, cheap)
    - ExxonMobil SpeedPass (crypto-enabled, expensive)
- Memory issue
  - Read-only (cheapest)
  - Read/Write

Slide 12: Current approaches for Privacy Preservation
- Crypto/authentication:
  - No resources available on cheap RFID tags
    - Applicable on high-end RFID (e.g., SpeedPass)
  - Attackers can use a laptop/PDA to decrypt
- Kill tag (when in consumer's hands): kill all ID, or kill long-range ID
  - Pro: simple, reliable (understandable to people)
  - Con: non-reversible, no more service from RFID

Slide 13: Current approaches for Privacy Preservation
- Radio signal shield
  - Pro: simple/understandable
  - Con: suitable only for a small range of tags
    - Tags in wallet: credit card, currency
- Jam radio signal (e.g., RFID blocker)
  - Like denial-of-service to the ID query from the reader
  - Con: a separate device, hard to configure, denies service (intrusive)
- Slides: 13