 Cool, can everyone see the screen? Yes, all right. Awesome. Well, let's get started. We're at the finish line, everyone. You're so close to the end. You can almost taste that sweet, sweet burn of summer on your skin. And so the last thing we're gonna talk about now is I wanna do kind of a last two weeks on cyber crime and malware. So you've learned a lot in this course so far. I really hope so. Or at least we've given you the opportunity to learn a lot in this course so far. And you've learned about how to think like an attacker, how to evaluate risks, how to threat model and understand the threats to a situation. We talked about authentication, authorization, access control, network security, application security, cryptography. And now I kinda wanna go over some of the more common what we think of as cyber crime. So what do criminals do with this information, right? Because we kind of, if you recall, way back when we started this class, we talked about how to break into a house, right? And those are very kind of academic ideas and things that we can think about. And they definitely are things that we want to consider. But the actual goal when you think about things like crime is the attacker has some goal that they're trying to go after, right? And that was important to threat modeling. If we had, let's say, we had different threats depending on what the goal of the attacker was. And that would then have us come up with new kinds of mitigations, new kinds of policies and mechanisms to try to prevent those. So we're gonna go over kind of the current landscape of cyber crime in a similar way to see what are the things that attackers are motivated by. And yeah, so feel free, ask a lot of questions on this section. We're gonna be covering some really cool stuff here. And so the first thing I wanna talk about is malware. So malware is this general term for, you can think of it as malicious software put together, right? 
And it's basically any kind of malicious, like software that has essentially bad intentions. So what does that actually mean? So if you are, like what are some examples maybe you've heard of or seen in relation to malware, or maybe experienced? Yeah, ransomware, that's a good one from the chat. The ILOVEYOU virus, ooh, keyloggers, that's a good one. That's one I didn't include, but we can talk about that. Yeah, so some kind of viruses. Yeah, so you can think of any kind of malicious software. And actually the, so you're installing, let's say Zoom on your system and running Zoom now. Is Zoom malware? Hopefully not, how do you know? What would make something malware? Yeah, so chat's talking about if it's not something you want on your machine, it could be if they steal personal data, maybe it's malware, malicious intent. So that's a really good one. And yeah, that's kind of the notion here, right? And it's really interesting. We often don't think about software as having intent, right? But it's about the people developing that malware or that piece of software that can be a normal piece of software that just works that you use versus something malicious. And the other thing to think about is software could be normal. Like we can use Zoom as an example, right? Now, if somebody hacks into Zoom's system and changes the update to include some bit of malicious code to, let's say, wipe everybody's machine at a certain point in time. Now that update gets pushed out to everyone that's running Zoom, it updates, and then at a certain point in time, everyone's machine gets wiped. So the behavior and intentions of a piece of software can actually change through time, right? It's not limited to, okay, Zoom is good, it's always good, it's always gonna be good. And that's because of things that can update. So Dean has a good point. You can have accidentally made malware if there's a bug. So there's a big difference. 
So and then the distinction does get a little fine, but when we think of, so the reason actually why I bring up Zoom is there's a contest called Pwn2Own. It's "pwn to own." And it's a big contest where it used to be, actually the funny story here is what they would do is give contestants a laptop that's the state of the art, let's say a Windows laptop or a Mac laptop. And if you have an exploit that will completely compromise that system, they would give you that laptop and you'd get to keep it. So that was the Pwn2Own contest. The funny thing is the price, the level of what these exploits and these vulnerabilities are worth, has actually significantly outpaced the cost of a laptop. So now it's on the order of $100,000 or $200,000 that people earn by proving that they can exploit these systems. And actually one of the targets this year was Zoom. So somebody found a, if you're connected to a Zoom meeting, I think you had to be in the same organization. I didn't get all the details, but you could take over other people's Zoom that's running on their systems, right? So that's a key distinction where the intention of Zoom itself is not to be malware, right? There's no malicious intention, but it's just vulnerable, it has a vulnerability that allows an attacker to take it over. And then at that point it can act malicious and usually it will download something that is actually malware to do something that an attacker wants. So that's a good distinction that we need to make between malware versus vulnerable software. Now, where this gets fuzzy is what if I intentionally put a vulnerability in my software that I know is incredibly simple, that I can take over and do whatever I want, right? Is that malware? It's like it's intentionally vulnerable so that people can take it over. So you could say that that is malware, but this is where we're trying to apply this kind of categorization to this very diverse ecosystem. 
Yeah, similar to a backdoor, the actual way that you could think about this, and this has been attempted before, is, so everyone knows that Linux is run on a lot of systems and servers, right? So what if you spent years becoming a kernel developer for Linux, you push code to the Linux kernel and you push code that intentionally has a vulnerability, you introduce code there that has a vulnerability that you can then either sell that vulnerability to somebody else or, yeah, and PHP got backdoored, I think they hacked directly into their Git servers or something. It's not clear exactly what happened, but yeah, so it would be, the difference is rather than putting malicious functionality directly, hack into their systems and, or not hack into their systems, but convince a developer to accept your change, your request that actually has a known vulnerability that you know about. So you're intentionally making the software vulnerable, something you know about. Cool. And so why do people wanna do this? So that's kind of the malware component. So now we kind of know we have this malware component and the whole goal of these criminals is to make money. So at least that's now, and I'll talk briefly on the history, but the interesting history about kind of malicious software is originally it was done for, like literally, the lulz or just for cred. So if people knew that you developed some malicious software, you would get reputation in the underground community as somebody who was able to do really cool stuff, but now it's all about money. So people realize the potential of exploiting these systems to make money. So in all of these cases we're gonna talk about, I want you to think how do people make money off of these kinds of criminal activities? And the case I really like talking about is you could go read this article, it's from Rolling Stone Magazine, they did an exposé of this thing called, I love this, the title is "The Fast Times and Hard Fall of the Green Hat Gang." 
And then the subtitle is how three teenage friends fueled by sex, drugs and illegal code pulled off the biggest cyber crime of all time. And so A, I like this because you can see these aren't your, what the media likes to portray as like basement dwelling nerds. And there's crazy stories of them super high on, I don't even remember what the drug was. And they were like, one of them was so high he couldn't actually type and he was telling the other ones what to do to exploit some SQL injection or to get access to some system that they got kicked out of. But what they did was break into credit card processors and then steal credit card numbers while they were being processed and then sell those credit card numbers. They were responsible for hundreds of millions of credit card thefts and got hundreds of millions of dollars. Yes, you can see here on the lower right, it says Albert Gonzalez, who's the guy at the bottom. No, no, that's not right. It's the guy at the top here. He was the mastermind behind this group and they stole at least 170 million credit card numbers. Yeah, it's crazy. I mean, they made millions of dollars selling these credit card numbers. So this is just one little taste of kind of what these criminal enterprises entail and that there is a lot of money to be made in cyber crime. Of course, as we talked about ethics, super important. So, I would hate it if one of you ended up in an article like this. Yes, they are definitely all, I think they're either all in jail or out of jail right now. But yes, they got caught, they got arrested. The core part of every crime is that, like, all it takes is one mistake and that's kind of what unraveled their whole thing, was one mistake. And so you don't want to make that mistake. And when you do, you go to jail. So don't do that. That's why we talked and stressed about ethics and it's super important to conduct yourself ethically. 
Even if you have the skills to do something like that or think you do, A, you probably don't and B, if you get caught, the consequences are totally not worth it. Okay, so we're gonna start off with viruses. So you can see there's actually a lot of parallels between biology and computer programs. And in some sense these metaphors do make sense. So specifically, and this is where we get into kind of a little nitty gritty about talking about these different. So a virus is a type of malware. So it's a malicious piece of software. And the goal is it's a program that replicates itself, usually on one system. So you would either, it used to be, you'd plug a USB drive into a machine and there was code on that USB drive that would get automatically executed. And what it would do is it would copy itself to every other program on your system so that when you ran that it got executed, or it would update your master boot record so that as soon as your computer booted up it actually would execute this malicious piece of code. So, when you think about viruses, and the funny thing is it's always when you start, when you understand this stuff and then you start to watch TV shows that talk about cyber security or cyber crime or these kinds of things, like you can see that they gravitate towards certain terms like "virus" even though it definitely doesn't necessarily make sense. And these are some of the earliest forms of malware. Just a second. Okay, so yeah, so in chat somebody's talking about getting something. So yeah, this is kind of what I'm talking about. 
Virus has been a catch all term that most people think about when they think about malware but something that blocks you from using the internet and redirects you to a page to buy their specific antivirus to get it off is probably, is definitely a piece of malware but it isn't like the traditional classic definition of a virus because it's not usually propagating itself to multiple things on your system but definitely is not good. And these have been around really since the dawn of computing which is why it's so fascinating. Here's an example of a, it's called MacMag. This is from 1988 is when this is from. And there's a picture of it that would infect your Macintosh overwrite it so that you'd see this and we talk about, now it's about crime and wanting to get more, get money but this person just wanted a universal message of peace and even has their name. So you can see part of that human goal to get credit, right? They, and yeah, you have the written by so you have the credits here. So I think this is fascinating of like the super early stage where it's like it's not even, it's clearly unwanted. You don't want somebody to install something on your computer that does this but at least there is a click to continue at the bottom here that you could just click through and this would go away I guess but still unwanted. Another virus that's super interesting was the Melissa. So what you would get is an email. Actually this is more like a worm. This is where the examples break down I should probably move this over a little bit but you could, it propagated through emails so it actually was through a Word document. 
So it used vulnerabilities I believe early Word documents have and even modern ones do a scripting language that they call macros and it can have visual basic or something like that but they used to be enabled by default so you'd open up any random Word document and it would automatically execute these macros and what it would do is go through the top 50 contacts in your Outlook and email them this email so it was propagating itself that way. And yeah, the distinction here is this virus required user input you had to actually double click this doc and then once you executed that doc you were now executing malicious code that would then propagate to other machines. So yes, like your Facebook friends trying to sell you Ray-Bans exactly and it's this exact same technique and you can even try to parse and look at the message and try to understand, okay, what kind of psychological tricks are they trying to get you to use to do this? So here's the document you asked for, maybe this is somebody from a work context so you are expecting them and if you're not, so what if you're not expecting a document from them and somebody says, hey, here's this document you asked for would that increase your willingness to click on it or decrease? Yeah, specifically now you're curious, it's like, well, what the heck are they talking about? What if it's something important? What if it should be something? Of course, you'd probably just leave it now because you understand that but if you put yourself in the mindset of somebody from the late 90s and 1999 or early 2000s, you wouldn't necessarily, that wouldn't bring up alarm bells. And then there's this other, so here is the kind of hook to get you interested in it and then there's this, don't show anyone else. And then an old school emoticon, I don't know if you guys actually know what these are, you just all use emojis now, but, right? So, next chat, right? 
So specifically now this "don't show anyone else" is then further designed to psychologically get you to click on that, right? Because it's like, oh, this is a document that I'm not supposed to show anyone. Yeah, exactly. Don't click the red button, thank you. Chat proving that they do understand emoticons, so I appreciate that. And yeah, so, yeah, that's, you can see how these, and these are kind of part of, so what makes these so fascinating is that it's part technical, right? So the technical part here is the macros in this Word document, realizing that, okay, if I have the capability to, from a Word document, execute different kinds of instructions and those instructions can send a Word document to somebody else, including those same instructions, right? Those are the super cool technical parts, but there's a really important gap here with the human, right? Because we have to trick the human to double click on that Word, on that document. And this gets into the concept of social engineering, where we try to trick people to do something we want. DEF CON actually has a social engineering CTF, where they set up a target and they'll do all kinds of crazy stuff. So if you look up online for YouTube videos of like DEF CON social engineering, there's a case where a journalist meets with a really good social engineer and they say, okay, try to get, reset my password to my phone, my phone. So they're able to call like AT&T or whoever it is and they get AT&T to change the password of this user's account, literally while the user's on the other side. So they've gotten permission, they're not doing this maliciously and they use all kinds of human psychology tricks. I remember one that was a, that it was, I think a woman doing this where she had a sound of a baby in the background. Yeah, the baby in the background, exactly. 
So they play the sound of the baby in the background and then their whole story was like, oh my God, my husband set this up, he's not home right now, we need to pay our bill. I'm locked out of this account and then the baby, they make the baby cry sound and then they purposely like move the phone away and be like, oh, blah, blah, blah. And then like come back and be like, okay, I'm sorry, I'm dealing with this baby, I just really don't. And then they play on the human emotions of the customer service agent to change the password without any of the additional information that they need. It's great. So yeah, so you can see that there has to be kind of these human social engineering. So you can think of it as the technical parts are taking advantage of technical vulnerabilities in the system, whereas the social engineering parts are taking advantage of human elements. Yeah, so that's why I like the Melissa example. And the difference between a virus and a worm is that a worm self-propagates. So it infects one machine, it scans the network and infects another machine and then scans the network and infects other machines. So, and so for that to happen, right? So now we have to take our understanding that we have now of the technical knowledge of things that we've learned. So you have one machine here. So let's say I infect this, so this is worm one. Now it's gonna, what does that mean about what kind of vulnerabilities have to exist on my machine in order to be infected by a self-propagating worm? Yeah, it has to be some kind of network, right? So it has to be accessible on the network. So it's like we talked about, either to be running a vulnerable service or it has to be in the operating system itself and it has to be accessible from the network and it has to give me code execution. I have to control the system. So that can be with what we talked about in application security, buffer overflows, any kind of things. 
And the kind of term for this is RCE or remote code execution. And so one machine gets infected, it scans all the other machines, it finds machine two, propagates the worm over there, it scans machines, propagates over here. And what's so dangerous? And so the difference in the chat, so something somebody said, right, the key difference is a worm propagates without any user interaction whereas a virus usually needs some kind of human interaction. Yeah, so in the previous Melissa example, exactly, the user had to double click that Word document, it wasn't just self propagating everywhere. So spreading through USB is not a worm behavior, exactly. It would be a virus basically because you need a human carrier, which actually does have a lot of, there's a lot of parallels with biology where a pathogen may need a carrier. So if you think of malaria, malaria is passed to humans through what? That's called a vector, maybe an infection vector. Yeah, mosquitoes, thank you. So yeah, it's mosquitoes that pass it. So the malaria doesn't do anything to the mosquitoes itself as far as I know. And of course I'm very much out of my depth here. So take everything I say about biology skeptically, but I believe it doesn't do anything to the mosquitoes itself but it's the vector that transmits it to humans. Just like when you're holding a USB drive with a computer virus on it, it's not doing anything to you, but it's when you take that and plug it into another system, now you've transmitted that there. Okay, great. We talked about, oh yeah, worms. So what's the kind of infection rate gonna be like for a worm? So let's say it's something that is on the internet, let's say like a Linux, so there's a Linux remote network, remote code execution. Yeah, there's a very specific term. Michael just dropped it into chat that we should all be very familiar with now. And that's exponential growth, right? 
Because you first have one machine infected and let's say that machine infects two other machines. So now you have three machines infected. Those, each of them infect two machines and so on and so forth. So what you get is this crazy exponential growth that we've seen in these numbers of infections. And actually, and so luckily today worms aren't super prevalent, but the very first internet worm actually happened again in 1988. I guess it was a good time for computer security. So funny story. So hey, and the, if you're interested in this kind of hacker history, I highly recommend reading the blog post at the bottom. It's, it was a fascinating story. So RTM at the time, I believe was a student, either MIT or Princeton, I actually can't remember. And he created this worm and there's a lot of controversy surrounding what actually happened and what was his intention. His story was he was trying to develop this just as a proof of concept in his lab, but it essentially got out. And it seems kind of crazy because this is 1988. This is actually before the web. So there's no web browser, no nothing to browse the web, but there was an internet. So and basically it would, it actually had multiple infection vectors and infection techniques, but the interesting thing is so it would infect a system and what it would do, of course. So like a, you know, if I, so I had my example right of W1, I infect W2. Now W2 is running essentially the same code. So what stops W2 from infecting W1 again? And is that what you want? Right. So worm one scans and scans and scans a bunch of machines trying to infect them. Worm two scanning, scanning, scanning a bunch of machines. It finds a machine, worm one. It infects it. So let's say I have W. It's called W, is the name of the worm. This is now running W and W2 in the process is scanning. So it infects both W2 and W1 and W4 scans. It infects everyone. Yeah. 
So in some way, so you can see that if you just actually just let this go, you'll be running so many copies of the worm on your system that your system is, it will be unusable because you're running so many systems. And it's not just their parent, right? W2 has no direct relation to W4 because W3 infected W4, it's not its parent, but it can still infect W2 nonetheless because the vulnerability still exists on that machine. So it can take over that vulnerability and drop anything. So basically what you want, the very first thing you want your worm to do is something like, if worm running, then exit, right? And this way, if you infect it, it looks, it sees, aha, there's another copy of this worm running, I'm going to shut off. And so this is what's super cool is even in 1988, RTM realized this and wrote this functionality into his program, but there was a bug in it where it didn't work correctly. And so what would happen is so many machines are being infected. And remember, each copy of W is itself scanning not the web, the internet for other IP addresses and hosts that it could target. This RTM worm had really cool logic. It would scan the system, look for basically what we think of now as like the SSH config and SSH hosts, it would look at /etc/hosts, see what hosts were known, scan those, it would look for trust relationships, all kinds of crazy stuff to identify targets before it would randomly search. And so apparently there were so many machines infected that were looking for other machines to infect that when you turned on a machine, it would immediately get infected with a bunch of worms and slow the machine down so much that you had to just turn it off. And so they had to actually shut down the whole internet. So at the time, this was in 1988, so what they had to do was they had to, they must have had to transfer the patch or whatever. Oh, that's what they did. So yeah, they shut it down. 
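As an added illustration (this is not code from the lecture; the network, the scan rate and the host addresses are all made up for it), here is a small Python simulation of the point above: copies of a worm scanning a set of vulnerable hosts, once with a working "if worm running, then exit" check and once with that check simply not working, which is how the bug in the 1988 worm is modelled here.

```python
"""Toy simulation of worm propagation with and without the 'if worm running, then exit'
check. Added illustration; the network, scan rate and host names are all constructed."""
import random
from collections import Counter

# Constructed network: 64 hosts, every one of them running the same hypothetical
# remotely exploitable service, so any scan that lands on a host can drop a copy.
HOSTS = [f"10.0.0.{i}" for i in range(1, 65)]
SCANS_PER_COPY = 3  # each running copy probes this many random hosts per round


def already_running(host, copies, pending):
    """The single-instance check. A real worm would test for a lock file, a named
    mutex or a bound port; here it just asks whether a copy is (or is about to be)
    running on the host."""
    return copies[host] + pending[host] > 0


def spread(rounds, use_check, seed=1):
    """Run the worm for `rounds` rounds and return copies-per-host as a Counter.
    With use_check=False the check is 'buggy' and every successful exploit starts
    another copy, even on hosts that are already infected."""
    rng = random.Random(seed)
    copies = Counter({HOSTS[0]: 1})  # patient zero runs a single copy
    for _ in range(rounds):
        pending = Counter()  # copies dropped this round, started at the end of it
        for host, n in list(copies.items()):
            for _ in range(n):  # every copy scans independently, siblings included
                for target in rng.sample(HOSTS, SCANS_PER_COPY):
                    if use_check and already_running(target, copies, pending):
                        continue  # correct behaviour: see a copy, exit quietly
                    pending[target] += 1  # exploit the RCE and start one more copy
        copies.update(pending)
    return copies


def infected_hosts(copies):
    return sorted(h for h, n in copies.items() if n > 0)


def total_copies(copies):
    return sum(copies.values())


def growth_curve(rounds, use_check, seed=1):
    """Number of infected hosts after each round: exponential at first, then it
    saturates at the size of the network."""
    return [len(spread(r, use_check, seed)) for r in range(rounds + 1)]


if __name__ == "__main__":
    print("infected hosts per round (with check):   ", growth_curve(8, True))
    print("infected hosts per round (without check):", growth_curve(6, False))
    ok, buggy = spread(8, True), spread(6, False)
    print(f"with check: {total_copies(ok)} copies on {len(infected_hosts(ok))} hosts")
    print(f"without:    {total_copies(buggy)} copies on {len(infected_hosts(buggy))} hosts")
```

Without the check every copy spawns three more per round, so after six rounds there are 4**6 copies crammed onto 64 hosts, which is the kind of load that made machines unusable in 1988. With the check the number of infected hosts still climbs exponentially until the network is saturated, but the number of running copies can never exceed the number of hosts.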
So they turned off all computers on the internet or disconnected them from the internet, cleaned up all the copies of the worm, hopefully patched the, I think people released the patch. So they patched the vulnerabilities and then turned it back on. So think about how crazy that is. It completely shut down the whole thing, the whole internet, and the damages were estimated on the order of several hundreds of thousands of dollars in time, effort, all this kind of stuff. So RTM was actually sentenced to three years probation and a $10,000 fine. He's pretty lucky he didn't get more. Although another interesting tidbit is RTM's dad was, I believe, high up in the NSA. I think he was the chief scientist of the NSA or something like that. So let's say, and the other thing, are you all familiar with the company Y Combinator? I think that's the logo. Yeah, he was one of the founding members. Y Combinator is a, it's a startup incubator that was created by a bunch of people that created a company in the early web called Viaweb, which was a way for companies to make their own portals, think like Squarespace, but way, way back in the day, for companies to make their own e-commerce websites. And their company was bought by Yahoo for a bunch of money and then they created this startup incubator called Y Combinator. And anyways, RTM is one of the three or four people that were involved in Viaweb and Y Combinator. And I think he's a professor at, I wanna say MIT right now. So super interesting history. And at CERT, so, oh yeah. So what the US realized is like, and just what you're realizing in chat, somebody said, imagine that happening today. Yeah, imagine that happening today, that would be horrible. And so the US government realized this and created this agency called CERT. So CERT is the Computer Emergency Response Team, who's responsible for monitoring these types of internet threats. 
It could be new vulnerabilities, new types of things, and trying to coordinate responses so that we can get things fixed in time. So yeah, this is really fascinating stuff here. I highly recommend looking into this if you are interested in this. And, but it doesn't just end. So there were a number of various web vulnerabilities. Actually the early 2000s was a prime time for that. There were Code Red, Slammer. I think it was SQL Slammer was the name of that one. Where at the time Microsoft was so popular, basically like 90% of the computers ran some version of Windows and people would find remotely exploitable, like these remote code execution vulnerabilities over the network in Microsoft. And this actually caused Microsoft's culture to get more serious about security because of this. And everyone kind of pointed the finger at Microsoft even though in some sense, they were just the current most popular piece of software and that's why people would target it. But what I love is of course this concept of a worm, something that propagates throughout a system, is actually not inherently limited to just networks and remote code execution. And this is why I like this example. This is about wormable web vulnerabilities. So we're not gonna touch on web vulnerabilities in this class, but I can give you some flavor of them through this example. So there was what's known as a stored cross-site scripting vulnerability. So if there exists some kind of stored cross-site scripting vulnerability, it's essentially a vulnerability where user input is kept and it's shown to the user and it's executed as JavaScript. So essentially attackers can execute JavaScript on a webpage when you browse that page. And you can turn this into some self-propagating worm and social networks are particularly susceptible. So the case I'm gonna talk about is this case called "Samy is my hero" from 2005 on Myspace. 
But this happens kind of relatively frequently, or every so often, in social networks like Facebook. Facebook has been around a long time, but Twitter will have this. There was TweetDeck, where basically somebody found a vulnerability in TweetDeck where you could make a tweet. And then anytime you saw that tweet, you would then tweet a tweet just like that. And when somebody else saw that tweet, it would tweet a tweet just like that. And it's because of this, because an attacker could control this JavaScript. So this JavaScript would cause tweets to be issued on your behalf. And so let's look at this Myspace example. So this is a write-up from the time. And I just love the nostalgia here. I won't do anything horrible and ask like how many of you actually used Myspace, but you can think of it as an early Facebook where all profiles were public. And so you can see this Google search here for the phrase "Samy is my hero." And you can see it pop up in a lot of different places. And the idea was, if I remember correctly, in a Myspace profile, there were various different parts of your profile that you could edit. And the craze, it seems crazy now, but you could like completely customize. Yeah, some of these people are talking about it in chat. You could completely customize using HTML what your Myspace page looked like. And so somebody found a vulnerability. Actually, Samy is the one who found this vulnerability. And yeah, here's another, an MSN search. So this is how old this is, of almost 4,000 results contained in the domain Myspace.com that have the phrase "Samy is my hero." So it's not that everyone suddenly really liked this person, Samy. What happened was, and okay, yeah, this is what, so this is a write up from Samy. So what happened was this person, the security researcher, found this vulnerability and basically had it where he could change his profile such that when somebody viewed his profile, his JavaScript code would execute. 
So he's on his system here. He writes his JavaScript code, saves it to Myspace. And then when you visit his profile page, you're executing that JavaScript code that Samy wrote. And what Samy did was he would up, that JavaScript code would update your own profile. So propagate itself there, add the phrase "Samy is my hero" and also send a friend request to Samy. So you can see the impact here. This is almost a million friend requests on Samy's page. So these are all the people that saw this. So you could think it again, starts really slowly, you visit one person and then they visit your page and then they post on their profile and people that visit their profile get this same thing included in their profile. And so it spreads through the social network like a virus or a worm. So yeah, I really like this example. He has a good write up. If you just look up "Samy is my hero," you'll find this. Anyways, yeah, I think it was a really cool example to show that like the concept of worms is not dead. And the other thing we'll talk about is the Trojan horse. So hopefully, is anyone not familiar with the ancient, I don't even know what's a myth. Is it a story of the Trojan horse and the Trojan War? Yeah, the Brad Pitt movie, you can look at that. You can watch that movie and then say you're doing research for class to understand. Yeah, I guess I just don't know if it's true or a myth or what in there. But anyways, the basic idea is the, was it the Trojans? Anyways, the point is these people were having a war. They had some city they wanted to get into. And what they said was basically like, okay, we're gonna have peace. We're gonna make you a present. They built this giant wooden horse on wheels to say, hey, we're all good, everything's fine. And so the city saw that and was like, yes, everything's fine, like this is a peace offering, it's great. And so they brought this horse into their city. 
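Coming back to the Samy worm for a moment, here is an added Python example (not from the lecture and not from Samy's write-up) that shows the two halves of it: a profile renderer that pastes user-supplied HTML straight into the page, as Myspace did, the same renderer with output encoding, and a replay of a few page views in which any script the "browser" finds on a page acts on the viewer's own profile. The payload, the profiles and the sequence of page views are constructed for the example, and a tiny HTMLParser subclass stands in for the browser.

```python
"""Stored XSS as a worm: a Myspace-style profile page rendered unsafely and safely.
Added illustration; the payload, profiles and page views are all constructed."""
from html import escape
from html.parser import HTMLParser

# Constructed stand-in for Samy's script. In the real worm the script fetched the
# viewer's profile, appended itself plus "samy is my hero", and sent a friend request.
PAYLOAD = "<script>/* copy me into the viewer's profile; friend samy */</script>"


class ScriptFinder(HTMLParser):
    """Minimal stand-in for the browser: collects the <script> bodies it would run."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False


def scripts_in(page):
    parser = ScriptFinder()
    parser.feed(page)
    return parser.scripts


def render_unsafe(profile):
    # Vulnerable: user-controlled text goes straight into the page, so any <script>
    # somebody stored in their 'about' field runs in every viewer's browser.
    return f"<h1>{profile['name']}</h1><div class='about'>{profile['about']}</div>"


def render_safe(profile):
    # Hardened: encode user input for the HTML text context before interpolating it.
    return (f"<h1>{escape(profile['name'])}</h1>"
            f"<div class='about'>{escape(profile['about'])}</div>")


def make_profiles():
    """Constructed profiles; only samy's carries the payload to begin with."""
    return {
        "samy": {"name": "samy", "about": "but most of all, " + PAYLOAD},
        "alice": {"name": "alice", "about": "I like cats"},
        "bob": {"name": "bob", "about": "band: the <b>loud</b> ones"},
        "carol": {"name": "carol", "about": "hello world"},
    }


# Constructed sequence of (viewer, profile viewed) page views.
VIEWS = [("alice", "samy"), ("bob", "alice"), ("carol", "bob"), ("samy", "carol")]


def simulate(profiles, views, render):
    """Replay the page views with the given renderer. The template contains no scripts
    of its own, so any script the browser finds came from user content: treat it as
    the worm running, acting on the viewer's own profile.
    Returns (names of newly infected profiles, friend requests sent)."""
    infected, friend_requests = set(), 0
    for viewer, viewed in views:
        if scripts_in(render(profiles[viewed])):
            friend_requests += 1
            if PAYLOAD not in profiles[viewer]["about"]:
                profiles[viewer]["about"] += " " + PAYLOAD
                infected.add(viewer)
    return infected, friend_requests


if __name__ == "__main__":
    print("unsafe renderer:", simulate(make_profiles(), VIEWS, render_unsafe))
    print("safe renderer:  ", simulate(make_profiles(), VIEWS, render_safe))
```

With the unsafe renderer each viewer in turn picks up the payload and passes it to the next, exactly the chain the lecture describes; with output encoding the stored `<script>` arrives in the page as `&lt;script&gt;`, the browser sees text rather than a tag, and nothing propagates. The fix is not to hunt for the string "script" in user input; it is to encode for the context the data is written into.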
And then at night, what they didn't realize is there was a bunch of soldiers hiding inside the horse that in the middle of the night were able to get out of the horse, I don't know, murder everybody, open the gates, do everything, right? Yeah, so the Greeks gave the horse to the Trojans. Yeah, thank you. I'm trying to figure out that exact. But then why is it a Trojan horse? Isn't it, shouldn't it be a Greek horse? Anyways, that part's not super important, but I did a gift to them, so it's theirs. No takesies backsies, even though it's a terrible gift. Okay. Just like we call it the French Eiffel Tower, or not, we do call it that, or the French Statue of Liberty is what I was thinking of. But anyways, so the point is there's an analogy to computer programs where you download some software that's supposed to be benign, but it actually turns out to be malware. So for instance, it could be a video game crack system that actually does crack the video game, but does other malicious things. Yeah, people are, any type of illegal type of software, like people are talking about LimeWire or BonziBuddy or Kazaa or any of these other early things would often contain functionality that you really didn't want. So the same kind of concept applies here. And okay, so we think that, and kind of the difference here is a Trojan horse is very different from a virus where it doesn't, it doesn't really have, it doesn't have any propagation mechanism on its own. It relies basically on social engineering and tricking users to download a program and execute it, right? So this is kind of that key technical difference and distinction here. And so, okay, we'll talk briefly about defenses. So one of the ways in which, so we actually have this interesting problem of how do we then detect and prevent malware from entering our systems? Like clearly it's bad, well, maybe not clearly, but I think we could all agree we don't want this malware on our systems, correct? 
Yeah, somebody in the chat said don't click random links. I think that's not, I think that's not feasible. I don't think you can actually not click random links. I think I could get you to click any link I wanted. Yeah, so we have this problem. And why this is such a problem is comes down to the nature. So again, what did we say was the difference in nature between benign software and malware? Intent, right? And what do we have? Well, we basically have a binary full of ones and zeros and we have to analyze that piece of software, that binary to say, what's your intent? Are you benign or malicious? And this intent is a very difficult thing to, from a technical perspective, understand, right? And so we may say, well, it's really easy. So we know, let's say a virus tries to propagate itself. So we can look for code that propagates itself. But it turns out it's actually really easy for attackers to obfuscate and change their logic. So it looks really benign, but is actually malicious when you execute it. And so trying to understand the intent of software is one of these core ideas of protection. And so antivirus is not really trying to do that. What they basically have is a bunch of signatures that say, okay, this sequence, whatever, this sequence is malware. So if you ever see this sequence, then it's malicious software. And they scan all files on their system. So they may have a combination of some kind of allow list where they say, this is software that I know is good or a block list that I know is bad. And essentially this is all kind of human driven where when an antivirus company gets a new potential malware sample, they manually analyze it, create the signature, and then push the signatures out to everyone that has that system that is running that system. It'll update its signature list. And when it scans your system, it'll identify this new signature. So does this actually prevent people from executing malicious software? All malicious software? 
I guess another way to phrase it is has malicious software gone away since antivirus is a thing? Yeah, why not? Yeah, it only helps after it's discovered. So I like to think of the notion of, you've seen maybe, I think I'm pretty sure it's penguins, right? You've seen penguins by a cliff, right? They all kind of like huddle up by a cliff. This is when they're gonna go hunting. So like, obviously they need to go into the water to catch fish and eat fish. But part of the problem is there's like sea lions and stuff that will actually eat the penguins. And so they kind of all huddle to the cliff until one falls over and that penguin like swims around. And then when that penguin's not eaten, then the rest of them jump in. So they like wait to see what happens with one of them. I should check if that's correct. I know it's some animal. I've always believed it's penguins, but anyways, maybe I'll double check. Yeah, that sounds correct. So listen to me, I'm a doctor and it sounds correct. So yeah, anyways, so the similar notion applies here where a new malicious piece of software is developed, somebody's gonna get infected and then it's when we notice then that antivirus gets pushed out. So people ask a lot, should we run antivirus? And it's kind of like, well, yeah, you wanna be protected against things that we know are bad, right? But that are out there, but it's not a 100% foolproof never going to get infected. The other thing to remember is, so there's a site called VirusTotal, oops, which is actually used by security practitioners. So if you ever have some sample that you think may be malicious, you can upload it there. It'll run it across, I think 16 or 20 different antivirus systems that are all up to date and it will tell you which ones trigger an alert. 
But the bad guys actually have a similar version of, and the reason why this website exists is if there's something suspicious that they see that they don't flag, they report these results to the antivirus companies. So you can see have an early feed of what's out there. But bad guys have the same thing, but without the reporting. So this is why they're almost guaranteed to infect people because again, you can change the ones and zeros and make multiple different versions. And in fact, we didn't talk about it, but a polymorphic virus or worm is something that changes itself, the binary every time it propagates. So it always looks different and there's cool programming tricks of how you can do this. And so what they do is they start with their malicious binary or their malicious application. They run it against criminal owned and run the same thing as VirusTotal. So they run it against every antivirus in existence. If any of them alert, then it change it. They change it. And then if that alerts, they change it until they finally get one that bypasses all known antivirus. Yeah, it's like, it is like a virus evolving into different strains in real life, which is super cool. But the super interesting difference is that it's like human driven often. So the humans are either writing the algorithms to do it or they're actually making the changes themselves. So anyway, so this is a kind of a good refresher and understanding of now you kind of understand the technical reasons why antivirus works the way it does. Cool, okay. Now we're gonna get into phishing. So all of what we talked about so far is basically malicious types of software and I've taken a historical perspective a little bit. So the really cool thing is we're gonna have somebody from one of my PhD students who graduated who's now working at PayPal. He's gonna come give a talk on Thursday about phishing. 
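The antivirus discussion above describes three ingredients: an allow list of known-good software, a block list of signatures, and scanning every file against them. The scanner below is an added example written for this write-up, not code from the lecture or from any antivirus product; every sample, hash and byte pattern in it is constructed. It shows why a signature that is just the hash of the analyzed sample only catches that exact file, while a signature on a characteristic byte sequence survives small edits, and why "no signature matched" is never the same as "known good".

```python
"""Minimal allow-list / block-list file classifier (added, constructed example)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "known bad" sample, standing in for a worm an analyst has already
# examined. Two signatures are derived from it: the whole-file hash, and a byte
# sequence from its self-propagation routine.
KNOWN_SAMPLE = b"MZ\x90\x00CONSTRUCTED-SAMPLE:copy-self-to-all-shares;v1"
SIGNATURES = {
    "hash": {sha256_hex(KNOWN_SAMPLE): "Worm.Constructed.A (exact sample)"},
    "bytes": {b"copy-self-to-all-shares": "Worm.Constructed.gen (byte pattern)"},
}

# Constructed "known good" sample, standing in for a vendor-signed tool whose
# hash has been placed on the allow list.
KNOWN_GOOD = b"MZ\x90\x00CONSTRUCTED-BENIGN-TOOL"
ALLOWLIST = {sha256_hex(KNOWN_GOOD)}


def scan(sample: bytes) -> list[str]:
    """Return the names of every block-list signature the sample matches."""
    hits = []
    digest = sha256_hex(sample)
    if digest in SIGNATURES["hash"]:
        hits.append(SIGNATURES["hash"][digest])
    for pattern, name in SIGNATURES["bytes"].items():
        if pattern in sample:
            hits.append(name)
    return hits


def classify(sample: bytes) -> tuple[str, str]:
    """Allow list first, then block list; anything else is merely unknown."""
    if sha256_hex(sample) in ALLOWLIST:
        return ("allow", "hash on allow list")
    hits = scan(sample)
    if hits:
        return ("block", hits[0])
    return ("unknown", "no signature matched; this is not evidence of safety")


if __name__ == "__main__":
    # A variant with a one-byte version change: the hash signature no longer
    # fires, the byte-pattern signature still does. This is the gap the lecture
    # describes between "discovered" and "every variant covered".
    variant = KNOWN_SAMPLE.replace(b"v1", b"v2")
    for label, data in [("original", KNOWN_SAMPLE), ("variant", variant),
                        ("allowlisted", KNOWN_GOOD), ("never seen", b"MZ\x90\x00UNSEEN")]:
        print(f"{label:12s} -> {classify(data)}")
```

The order in `classify` matters: a sample on the allow list is never scanned, which is exactly why an allow list is only as trustworthy as the process that adds hashes to it.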
And the really cool thing is he will have a question on the final CTF that's going to be about phishing. So that'll be really fun and it'll be based on his talk. So you will see that. Okay, yes, phishing. Okay, so where this kind of story comes from. So we're gonna go get into phishing but I first want to give you the history of phishing. So the super interesting thing is I don't know if anybody's old enough to have seen one of these CDs of free AOL. So back in the early days of the internet and the web, not everyone had cable internet to their house. The only communication mechanism into most houses was the phone line. And so companies like AOL would provide internet access over the phone lines and over modems and you'd have to like actually dial in. So this was a, you would literally like your modem would dial into AOL numbers and you would get online. And one of the things that was in there was chat rooms. So this is kind of an older concept. Although I guess really you're all reinventing these with things like Discord and we have the CSC 365 chat room with a lot of different channels some of which I avoid like the plague. But so you can get, when you get on AOL, your first thing you hear you get into these chat room listings. And so there were people who wanted to get access to AOL but didn't want to pay for it because it was actually really expensive. It was something like $2 or $3 an hour which was like $5 or $6 an hour for internet access. So just think right now of how long you spend on the internet and then think about if you had to pay $6 an hour or so to get on the internet and use the internet. It's kind of crazy. And so there were a group of basically criminals kind of this criminal underground that came up that wanted to defraud people and steal their AOL usernames and passwords that they could log in as them and essentially charge them. 
And there's this really fascinating report that was written in this, it's called Early Fishing and you can just Google for that or this person's name where he was one of those early people that were trying to defraud and steal AOL usernames and passwords from people. So what they'd first do was get an anonymous account so get a free AOL account that you could have that wasn't tied to you. Create an official looking screen name. So your screen name would be like AOL security or something like that. Create some kind of bait message. So create a message that says, hey everyone, just wanted to check the security of your system. Please send me a message with your username passwords so we can verify the security of your system, right? That common bait that we talked about that uses social engineering and human psychology in order to trick people. And then they would find a new member room. So these were those chat rooms that were dedicated to new members. And so this is literally, think about this. It's maybe hard to remember, but think about it. You've never used the internet before in your entire life. You find out about this new fangled AOL thing. You sign on. The first thing you see is that screen with like, hey, here's some chat rooms you may like. Hey, here's a new member room. You're like, great, I can get on this room. I've heard about chat rooms. You get in there, you see a message from somebody claiming to be AOL security that, uh-oh, there's a problem with your account. You say, oh, that's scary. I better respond to this. I don't wanna lose access to this cool new internet. So they said literally you could get scammed out of your AOL username and password within like five minutes of connecting to the service. And they would deliberately target these new members. And so you'd send this bait message to every person in this new member room and you'd keep doing that until you were disconnected by AOL. 
And you'd get disconnected by AOL because oftentimes AOL employees would be in these new member rooms to help people. And so you'd accidentally send your spam message, your phishing message to those people. And so this person actually then, but this was a very tedious and manual process. So they created software to help them. So this was software, it's called AOL. And it was designed to help people fish and steal usernames and passwords. So what did it do? And this is actually where the, where, and this person claims they came up with the actual word phishing, the phishing. So just like phishing for fish in the ocean, here you're phishing for either usernames or usernames and passwords or credit card numbers. So here you can configure it to say, hey, you're gonna fish for passwords, fish for credit cards, what you're gonna say, here's your phrase, right? And here it's exactly what we just said. I didn't even like memorize this slide, but it's like, hey, I'm with the American online billing department. Due to a problem we are experiencing with our records, we have lost vital information concerning your account. Please send us a username password, I'm sure is the next thing. And so here was the actual status page, right? So here you can see the phishing for passwords where we can see it actually use this phishing thing. And so this has basically all the components of a modern phishing campaign of what's necessary. You need a list of targets. So in this case, it's the list of people in the room. In email-based phishing, it's usually a list of emails. Then here's what we call the lure. So L-U-R-E is lure. So again, there's a lot of phishing metaphors. So lure is the thing you use with the hook or whatever to get fish to bite. And so this is exactly the same thing with people. You're trying to trick people into responding to your message and doing what you want, right? So this is that social engineering component. 
As anyone ever clicked on, let's say Elon Musk's tweet, tweets. And you can see the replies to there. What's usually one of the first ones that's on there? Yeah, a free Bitcoin link or something like that or a Bitcoin scam, right? And it's people who created fake Elon Musk accounts looking like Elon Musk, just like this, right? It's they were creating fake AOL looking accounts. They make fake Elon Musk accounts and then put their lure of trying to trick people to send them Bitcoin, right? They're people pretending to be him. And they have an automated system, probably not the same software, right? But an automated system like this that looks anytime he posts, they reply to it and then they must have a network of other accounts or something that they all like that tweet that reply. So it bubbles up to the top there. It's actually kind of fascinating that Twitter hasn't shut down stuff like this. Like it's incredibly clear when you see any of these things that these are all scams. Anyways, you can see all these components, right? So you need targets, you need a lure and you need a scams, right? So this is, oh yeah, here we have. We need you to hit the respond button and reply back with your current password. So we may verify this information and correct the problem as soon as possible to avoid unneeded cancellation of your account. So think about this. This is actually a crazy thing. They're not saying, hey, reply back with your current password. They're saying, we need you to hit the respond button and reply back with your current password. Why do they do that? Why is this line in here? The users are that new exactly. The users literally just logged on to AOL. They've maybe never got an instant message before. They've never got a private message. So they're including instructions of how to use AOL inside the scam, the phishing lure itself, right? So then we can get the thing. 
And then what we do is the software would mark down, okay, mark doh 101 password infinity and we'd use that later to see if that's legitimate. This is reminding you of the scams from assignment three. Yeah, that's good. Right? And you can see that the effective ones use, took psychology into effect. And you have to think about what people know about and what they don't know about, right? Whereas like the scams that were very obviously like a fake profile picture on the Discord. What was the name of that? Was it Donna or something? That fake one? Diana, there we go, yeah, thanks. Yeah, that was clearly a fake account, right? I don't know who created that, but it was very clearly fake. Now there is some interesting psychology, at least with email spam with like the Nigerian prince scams where people hypothesize that they actually intentionally make it look like a scam so that anyone who falls victim to that is really gonna fall victim to it, right? If they're sophisticated scams, if they're so sophisticated at a certain point in time you'll drop off and stop responding. And the other thing about this, right? So going back to this example, yeah. So some of the, I don't know if I saw it in this class but in previous classes that assignment three, the web of trust assignment, the biggest scammers were people that would help people. So they would, you know, they'd talk to people and then they would teach them how to do the assignment and how to sign GPG keys and they would teach them correctly how to do it but not correctly how to verify keys. And so they'd make them sign their adversarial key. So anyway, so these are the, this is kind of, so it's crazy, this thing that existed and this is probably like 94, 95. So you think about that's almost what? Almost 30 years of phishing attacks and they still exist. So on the left is a lure for American Express. So this is saying that, hey, we have an important notification on your card. 
Your access has been temporarily restricted because of suspicious activity. So you have to think human psychology does American Express care about suspicious activity on my card? Yes, absolutely yes. They will sometimes block your card until you verify that you actually have control of it. And so you can click this sign onto the security center link. You're taken to a webpage here on the right that looks exactly like the American Express login page. And so you type in your username, password, add password, click login and then you do that. And now what happens? Yeah, now my username and password goes not to American Express but goes to a criminal and the attacker may actually at that point then redirect me to real American Express. And it may say, and so what do you think happens when you click that and then you get redirected to the same page? What do you think people do? Yeah, you don't even know. You maybe think it's something messed up, you fill it in again. Maybe you think that it's a, you can actually do this really clever sometimes where it'll say a wrong or invalid username, password. If you can send that for them and that way they're actually, it seems like you just mistyped your username, password. And so you think you're fine, you go about your day and now criminals have your username, password of your credit card, which is not good. And the really interesting thing is, oh, I didn't talk about it but one of the interesting things of in like mid-2000s, like 2005 to 2013 or something like that, one of the big problems was drive by downloads attacks. So this was the web browser that you'd use to visit the website has some bug in it. This is my little bug. And when you visit a webpage, the webpage would exploit that bug and then start executing JavaScript code on your system. So this was like a drive by download attack where basically this was a, if I got you to click a link, I could take over your whole machine. 
And this is basically the blue line here is malicious sites. So these are like web-based malware over time from 2007 to 2019. And this is from Google. And what they found is basically that these used to be, ah, yeah, I did on my timeframe, right? Like mid-2007 to mid-2011 was kind of this peak of web-based malware. But as browser security got better and better and it became much more difficult to exploit browsers like Chrome and whatever, phishing has actually gone up. So phishing is now one of the most significant ways that people get exploited on the internet. And yeah, and this is kind of the other one is like looking at total malicious sites that exist. You can see this huge rise in phishing sites compared to other types of malware sites. And it's just fascinating to watch this. And I think Adamost will talk about this more in detail. So I won't gonna get two details, but yeah. What's the big spike in 2016? Probably the election would be my guess. Anything around an election year is there's a lot more malicious activity. And we'll actually talk about that right now. So spear phishing. So again, taking the phishing metaphor, phishing is a very broad activity, right? You have to have that target list of people you're trying to send a lure to. You send a bunch of lures. Whereas spear phishing is, and you may get something from there, but spear phishing would be phishing and targeting one individual or one group and trying to get them specifically. So in December 29th of 2016, the Department of Homeland Security and the FBI released a report entitled Grizzly, is it steep? Is that how you pronounce that, step? Russian malicious cyber activity. And I really like this. Cyber operations attributed toward to Russian civilian and military intelligence services to compromise and exploit networks and end points associated with the US election, as well as a range of US government, political and private sector entities. Step, okay, thank you everyone. 
Yeah, it made more sense when I said that. And there were two major spear phishing attacks. So in summer of 2015, a malicious link was sent to 1,000 recipients using legitimate domains to host malware and send spear phishing emails. And the summer of 2016 sent targeted spear phishing and tricking recipients into sending into changing their password. So here's the, here's an example. So this is the, an example from the Podesta email hack, which I all should hopefully remember that right. This was, and these were a bunch of emails that were released right before the 2016 election. And they came from this hack basically. And so you can look at this. So this is the email that came in. It says, hi, John, someone used your password to try to sign into your Google account. Here are the details, location, Ukraine, that seems bad. Google stopped this sign-in attempt. You should change your password immediately. And one of the fascinating things about this case is you think like, oh, what an idiot, this person fell victim to this clear scam. A, this is the exact email that Google will send if there is a problem with your account. I believe it'll be something very similar to this. The sec, and it may probably doesn't have this change password button, but if you look it up, John Podesta sent this email to his IT staff or his IT team. It was like, hey, is this legit? And they, I can't remember the exact phrasing, but the person sent back basically like, yes, do it instead of like, no, don't do it. And so that's why Podesta went and changed his password because he thought his IT people said it was fine. It may have been like a no versus now thing or something. Anyways, there was like a typo where the person was like, well, no, I meant not to do it, but I accidentally typed to do it. Yeah, they left out the word not or something. Thank you. Yeah, I think that's what it was. And so when you click this link and you can check out this article here, this is talks about it. 
And so you click the change the password and that change the password was a, and this is what's crazy. So it was a Bitly link. So that one was a Bitly link that that Bitly link and Bitly is a redirection service would send them to this web address of myaccount.google.com-securitysettingspage.tk slash security slash signs options password, blah, blah, blah. So here's the Bitly link, crazy. Two total clicks in March of 2016. So this is why somebody was actually able to do forensics on this. And I believe the super interesting thing if I remember this correctly is they actually found this phishing email in the email dump itself. And that's how they were able to reverse engineer this so and do the forensics on this. So they found this email in the email dump that was released. And then found this Bitly link, found that it's only clicked twice in March of 2016, probably once from the scammers to verify that it worked and the second one from the victim. And then when you visit the site, it looks exactly like this, right? This is the Google sign-in page, right? And so what are some other things that you can see that they did here to make this look more legitimate? Profile picture, yeah. Sign in with a different account. All the icons had all the information about this person, right? This is why we can say this is a spear phishing attack because you can't make a general page like this, right? So they had picture, the name, everything. This is a custom design thing just for this one person. Then we look at the URL, right? You look up, it says myaccount.google.com and you may be don't really look that closely at the rest of it. One interesting fact that you can look at here is it's not using HTTPS. So there's no lock icon here, but nowadays we're actually seeing malware, like phishing sites that do use HTTPS. So it's not a wholesale blocker. It's actually incredibly easy now to get an SSL certificate. So that they very easily could have had HTTPS on this. 
Yeah, so this is fascinating, right? So you can see it's a pretty sophisticated spear phishing attack just to get one person. Okay, cool. We'll keep going a little bit more. And okay, other types of, now we get into a little bit more of a gray area of different types of software. So spyware, excuse me, spyware is a term for software that runs on your computer, doesn't do anything necessarily malicious. It's not like it's infecting your machine. It doesn't spread itself anywhere else, but it watches what you do and reports it to advertisers and other types of entities. And so you could think of maybe other types of things compromise the, so in the CIA triad, right? Other types of things maybe confident can compromise integrity. And here we're thinking confidentiality or even maybe a different way of putting that was privacy. Yeah, so people are talking about the respondents. Yeah, I think this is a tricky thing to categorize. I mean, to be perfectly honest, this is why in this class Tiffy and I aren't having exams and why we're having CTFs because I do feel that those pieces of software are overstepping their bounds and are basically spying into like, I mean, it is literally like this, right? Where it's like there's somebody watching you take the exam. Yeah, or another way to think about it, it'd be like, so somebody in the chat said it'd be, I mean, would you like a bird in your home that doesn't hurt you, but just watches you, right? Or you can think about this actually does happen. People go through the trash of other people, right? If you go through somebody's trash, you can actually learn a lot about them maybe, and sometimes they can even steal like social security numbers and other information that way. Cool, another interesting type of modern problem is what's known as business email compromise. So the idea is it can, how to get there is pretty interesting. 
It could be phishing or other types of things, but the idea is a cybercriminal poses as somebody high up in the company. So some kind of executive like the CEO, maybe they fish the CEO with a spear phishing attack to get their username passwords. Then they trick finance and they say, hey, I just had a meeting with a company. We need to send them a $10,000 invoice to close this deal and send the wire the money here. They send that to finance, finance approves it because that's their job and that money actually goes to a cybercriminal and not anyone else. So this is kind of a high, this is a low volume, maybe I guess $4 signs on a Yelp scale. Okay, another modern type of malware, kind of what people realize is basically with a virus, it's hard to make money from that, although there are ways to do that. And ransomware is a new, it's newly popular and we'll talk about why, but it actually, there's been forms of ransomware that existed where basically the idea is you either a virus infection computer or you download this Trojan horse or whatever, or maybe it's a self-propagating thing, but something executes on your computer, some piece of malware, and it encrypts with using cryptography all of the files on your system. And if they're smart, of course, that they encrypt everything, nothing will work. And so documents, photos, videos, databases and other files, right? And literally holding those ransom until you pay money. And this is what's crazy, they're not just doing it as a, right, if they just encrypted it and threw away the key, it'd be the same as deleting it and it'd be basically like a denial of service attack. But here, we guarantee that you can recover all your files safety and easily. You can decry, look at this, they're even, it's like a proof of life. They're saying that you can decrypt some of your files for free. Try now by clicking decrypt. But if you wanna decrypt all your files, you need to pay. You have only three days to submit the payment. 
After that, the price will be doubled. Also, if you don't pay in seven days, you won't be able to recover your files forever. Yeah, it is a hostage situation. I mean, they're literally holding your data hostage, like for ransom, right? We will, this is crazy. I can't believe this is true, but we will have free events for users who are so poor that they couldn't pay in six months. I don't think that's true. Now, of course, then how do you pay, right? Well, here's the major thing that actually incentivized this campaign is Bitcoin. So you'd actually pay through Bitcoin. No, at this point, they're already all encrypted, right? And so actually somebody's saying if they keep the Bitcoin, then this was genius, but actually that's bad because then once people realize and words spread that if you get infected with WannaCry, that this or ransomware, even if you pay, they won't give you your files back, then nobody will pay. So they actually have to operate like a business and have this actually work so that when you do pay, you get your files back. Yes, okay, great question. What I don't get is that people who are likely to fall off his attack would have no idea how to pay in Bitcoin. Here's where this gets fascinating. So just like if you remember that AOL example, where we saw how they would tell people how to use AOL's own software, I think it's changed now. This is, when did WannaCry happen? Can somebody Google this? Is this from like 2014, 2015, something like that? So it was 2017. Yeah, so at the time, I mean, it's still kind of difficult. Basically, the funny thing was this documentation for how to buy and transfer Bitcoins were some of the best documentations out there on the internet because the criminals actually had an incentive to teach people how to do this. So yeah, it's fascinating that they had some of the best documentation of how to buy Bitcoin, how to exchange Bitcoin, how to send it to an address, all this kinds of stuff. 
So yeah, once you do this, these links here would teach you all you needed to know. And remember, it's in the criminals' financial incentive to have this be the best documentation ever, otherwise they're not gonna get paid. And there's a, you've probably heard about the economic term, the tragedy of the commons, right? If nobody paid these ransoms, they would go away, right? But of course, people don't have backups. They actually need the data, so they pay it. So there's a tragedy of the commons in that if nobody paid, then everyone's data would be available. These would go away and a few people would suffer from not having their data back. But because enough people pay and incentivize it that it keeps happening. So anyways, all right, we'll have Atomos on Thursday to talk about phishing and his PayPal perspective and then we'll get into different kinds of stuff on Tuesday.