Network Security Threats to the E-Learner

Steven Furnell, Network Research Group, University of Plymouth, United Kingdom

Page 1:

Network Security Threats to the E-Learner

Steven Furnell
Network Research Group
University of Plymouth
United Kingdom

Page 2:

Overview

- Introduction
- Threats facing e-learners
- What e-learners need to know
- Addressing the problems
- Conclusions

Page 3:

Introduction

- The Internet has always had a reputation for being unsafe
- Increasing range of threats and scams that specifically target the end-user community
  - affects both domestic and workplace contexts
- Users can represent attractive targets
  - lack of technical knowledge, and occasional gullibility, can make them vulnerable
  - attackers hunt the easy prey!

Page 4:

Introduction

- Many threats not only affect online users, but specifically target them
- Represents a clear concern
  - for users themselves, who do not wish to become victims
  - for institutions, if their users should unwittingly cause or facilitate a security breach
- Important to ensure that users do not undermine the attempts to protect them

Page 5:

Threats facing e-learners

Page 6:

yoursystem@risk

- Virus
- Spam
- Hacking
- Denial of Service
- Phishing
- Identity Theft
- Worms
- Spyware
- Trojan Horses

Page 7:

Spam

- Junk email that is, at the least, an annoyance
- Can also lead to other problems:
  - can cause embarrassment and offence as a result of their frequently dubious subject matter
  - users can waste time looking at it or be tricked into scams
- Can easily receive several hundred kilobytes of spam per day
  - costly if downloading on a slow link and/or paying by the byte

Page 8:

Spam

- Over 66% of email traffic in the last month (MessageLabs)

Page 9:

Spam examples

Many messages give themselves away as being unlikely to be legitimate simply from the titles:

- Don't Buy Vi-gra
- you can't beat our RX
- She wants a better sex? All you need's here!
- Put your property on the front page
- St0ck Market Standout?
- Horny pills - low price
- I am really happy I got this nice thing on-line!
- The Ultimate pharmacy
- 仛弌夛偄偺婫愡両仛

Page 10:

Spam examples

Others, however, could be mistaken for something legitimate . . .

- FYI
- You computer are INFECTED
- Urgent and confidential
- Dear Sir
- Re [5]:

Some users may still get suspicious because of unknown sender, but others may be fooled
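The contrast between the two "Spam examples" slides can be shown with a title-only check. This is an added example, not part of the original presentation: the subject lines are the ones quoted on the slides, while the keyword list, the digit-swap table and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Illustrative keyword list: an assumption for this example, not a real filter's ruleset.
KEYWORDS = ("viagra", "pharmacy", "pills", "rx", "sex")
# Digit-for-letter swaps used to slip past exact keyword matching.
LEET = str.maketrans("01345", "oieas")

# Titles quoted on the two "Spam examples" slides.
OBVIOUS = [
    "Don't Buy Vi-gra",
    "you can't beat our RX",
    "She wants a better sex? All you need's here!",
    "Put your property on the front page",
    "St0ck Market Standout?",
    "Horny pills - low price",
    "I am really happy I got this nice thing on-line!",
    "The Ultimate pharmacy",
]
PLAUSIBLE = ["FYI", "You computer are INFECTED", "Urgent and confidential",
             "Dear Sir", "Re [5]:"]


def words(subject):
    """Lower-case a subject, undo simple obfuscation, and split it into words."""
    text = subject.lower()
    # "st0ck" -> "stock": only digits sandwiched between letters are swapped.
    text = re.sub(r"(?<=[a-z])[01345](?=[a-z])",
                  lambda m: m.group().translate(LEET), text)
    # "vi-gra" -> "vigra": drop hyphens that split a word.
    text = re.sub(r"(?<=[a-z])-(?=[a-z])", "", text)
    return re.findall(r"[a-z]+", text)


def title_flags(subject):
    """Return the reasons a subject line looks like spam (empty list = none)."""
    flags = []
    if re.search(r"[a-z][01345][a-z]", subject.lower()):
        flags.append("digit-inside-word")
    for word in words(subject):
        for keyword in KEYWORDS:
            # Near matches catch dropped or altered letters in longer words.
            near = (len(word) >= 5 and
                    SequenceMatcher(None, word, keyword).ratio() >= 0.85)
            if word == keyword or near:
                flags.append("keyword:" + keyword)
    return flags


def caught(subjects):
    """Subjects that a title-only check would flag."""
    return [s for s in subjects if title_flags(s)]


if __name__ == "__main__":
    for s in OBVIOUS + PLAUSIBLE:
        print(f"{s!r:55} {title_flags(s) or 'no title signal'}")
```

None of the second slide's titles produces a signal, so a check that looks only at the subject line leaves those messages to sender reputation, content analysis and the user's own caution.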

Page 11:

Bogus Qualifications

- Trust in the e-learning provider is vital for both e-learners and prospective employers
- Bogus qualifications can already be obtained via the Internet
  - may lead to suspicion and adverse publicity
  - undermine the credibility of legitimate e-learning courses / providers
- Consider the following, received via email . . .

Page 12:

Bogus Qualifications

Page 13:

Phishing

- Another threat typically initiated via email
- Attempts to dupe users into divulging sensitive information
- Current attacks have tended to target personal data relating to the user
  - e.g. bank account and credit card details
- However, similar techniques could target information to compromise an institution
  - e.g. passwords and institutional details

Page 14:

Going phishing

A bogus email message . . .

Page 15:

Going phishing

. . . and a bogus website

- 55,643 new sites in April 2007
- 11,121 in April 2006

(Anti-Phishing Working Group)

Page 16:

Spyware

- Parasitic software that invades users’ privacy
- Can divulge details of browsing habits and other sensitive details from target system
  - captured information can be transmitted to a 3rd party
  - puts both personal and corporate data at risk of abuse
- One of the most prominent threats in recent years
- 6 out of 10 home PCs are infected (AOL/NCSA 2005)

Page 17:

Spyware

- One of the most prominent threats in recent years
- Market for anti-spyware products predicted to grow from $12M in 2003 to $305M by 2008 (source: IDC)

Page 18:

Malware

- Viruses, worms and Trojan horses
- Over 231,540 known strains
  - over 8,830 in Mar 2007
- Commonly targets end-users
  - bogus email attachments
  - infected web pages
  - peer-to-peer file sharing
- Once run, the malware may then target the user in other ways
  - e.g. stealing their data or hijacking their system

Page 19:

Malware Evolution

- Many early viruses were more of a nuisance than actually harmful
- The Ambulance virus (1990)

Page 20:

Less reliance upon users

- Early 1990s: Relied upon people to exchange disks between systems, to spread boot sector and file viruses
- Mid 1990s: A move towards macro viruses, which enabled the malware to be embedded in files that users were more likely to exchange with each other
- Late 1990s: The appearance of automated mass mailing functionality, removing the reliance upon users to manually send infected files
- Today: Avoiding the need to dupe the user into opening an infected email attachment, by exploiting vulnerabilities that enable infection without user intervention

Page 21:

Chances of avoiding malware

[Chart: proportion of infected emails (1 in x), 2000 to 2006. Annotated points: 1 in 790 messages infected; 1 in 68 messages infected.]

Page 22:

Slammer / Sapphire Worm

- Fastest spreading worm
- Exploited a known vulnerability in the software (patch already released by Microsoft in July 2002)
- Not destructive – its only aim was to spread
- Infected systems doubled every 8.5 seconds
- 90% of vulnerable systems got infected in just 10 minutes

Page 23:

The Spread of a Worm: Sapphire / Slammer 2003

25 Jan 2003 - 05:29:00 / 0 victims

Page 24:

The Spread of a Worm: 31 Minutes Later

25 Jan 2003 - 06:00:00 / 74,855 victims

Page 25:

Slammer: The end result

- Ultimately infected over 120,000 systems
- Volume of Slammer traffic affected many people:
  - Brought down the entire telecommunications service in South Korea
  - Disrupted over 13,000 Bank of America cash machines
  - Degraded performance by up to 30% in the Asia-Pacific region and by 10% in the US
- Disruptive effects estimated to have cost up to $1.2bn

Page 26:

Hacking

- Hackers may target an end-user system for various reasons:
  - a soft option for some mischief
  - a convenient file repository
  - a platform for attacking other systems
- Users can also be targeted as sources of sensitive information
  - social engineering

Page 27:

Hacking

- Hackers may enter by many means
  - may use one of the other threats as an entry mechanism
  - e.g. phishing for a password, using malware to open a backdoor
- May achieve unlimited control over the compromised system
  - exposing the user to a full range of confidentiality, integrity and availability impacts

Page 28:

Examples of what hackers do: Website Defacement – December 1996

One of 20 defacements recorded that year

Page 29:

Examples of what hackers do: Website Defacement – June 2003

One of 1000s of defacements recorded that month

Page 30:

Impacts and ease of avoidance

- The threats are not of equal magnitude
  - differing potential to trouble end-users
- Likelihood of avoiding the impact is often different to avoiding the threat
  - e.g. Spam
    - extremely prevalent but generally easy to prevent it becoming a real problem to users
  - avoiding the impact will be related to security safeguards and user awareness

Page 31:

Impacts and ease of avoidance

[Chart: Spam, Phishing, Spyware, Malware and Hacking plotted on two axes, "Potential impact" and "Impact avoidance". Scale labels: +, -, Hard, Med, Easy.]

Page 32:

Impacts and ease of avoidance

- Spyware
  - Easier to avoid than malware
    - often installed from an explicit user action (e.g. installing free software of dubious origin)
  - Often harder to eradicate once installed
- Malware
  - Harder to avoid – more attack vectors
  - Greater range of potential impacts

Page 33:

What e-learners need to know

Page 34:

What e-learners need to know

- Why the threats might affect them, and what the impacts could be
- Possible contexts in which each threat can be encountered
- Capabilities of any technological safeguards in use (i.e. the level of protection provided)

Page 35:

Understanding the threat

- Need to appreciate how a threat could harm them
  - what could spyware determine from their activities?
  - what could malware damage or steal?
- Also need to appreciate why they would be targeted
  - may otherwise assume that there is no reason for it to happen (e.g. little to offer compared to bigger targets)
- Choice of target depends upon the attacker’s motives
  - a vulnerable end-user system may be much more convenient than a hardened corporate server
  - e.g. many botnet participants are compromised user systems

Page 36:

Understanding the attack vectors

- Email is still the main (visible) route
- BUT other avenues are also vulnerable and getting used
  - e.g. Instant Messaging is now a viable option for both malware infection and phishing attempts
  - however, without advice to the contrary, users may feel they are safe as long as they are not using email
- Threats are becoming more complex in terms of the tricks they use to dupe users
  - heightens the need for awareness amongst the possible victims

Page 37:

Understanding the protection

- Users are presented with a potentially confusing array of technologies
  - anti-virus, anti-spyware, anti-spam, personal firewall, etc.
- Need to understand how they relate to the threats
- In some cases, aspects are clear from the names, but not always . . .

Page 38:

Understanding the protection

- Malware protection is provided by software conventionally referred to as anti-virus
  - Some users may wonder if additional software is needed for worms and Trojan horses
  - Others may over-estimate protection and assume that AV will handle all malicious code, such as spyware

Page 39:

Understanding the protection

- The name of the technology does not always indicate the threats it deals with
- Users’ own perception may be inaccurate
  - A firewall “blocks suspicious Internet traffic”
  - But it doesn’t block spam or phishing messages, which most users would consider suspicious

Page 40:

Addressing the problems

Page 41:

What we need to protect us . . .

- Anti-virus
- Anti-Spam
- Passwords
- Intrusion Detection
- Anti-Phishing
- Anti-Spyware
- Personal Firewall
- Backup
- Auto Updates

Page 42:

Use security technologies

- Essential to deploy and maintain appropriate protection on end-user systems
- Potentially troublesome for domestic users
  - knowing what it is supposed to do
  - problems configuring and using it
- Users must feel like the beneficiaries of the technologies rather than the victims
  - explain and train

Page 43:

Increase awareness

- Problems relating to users’ understanding can be addressed via awareness-raising
- Potential unwillingness to devote resources
  - e.g. impacts of phishing affect the individual rather than the institution
- However, any security awareness is good
  - making users more threat-aware could increase their caution in other contexts
- Some threats are harder to educate against
  - malware cannot be defeated by awareness alone . . .
  - . . . but a clear understanding of infection vectors can still help

Page 44:

Evidencing the problem

- Presenting specific evidence can help to persuade and convince
- Security administrators could assess users’ reactions to the threats:
  - would they freely reply to an email that requests sensitive information?
  - would they open unsolicited email attachments from an unknown source?
- Preferable to find out under controlled conditions than via a genuine breach
- Findings could be presented back to the users

Page 45:

Conclusions

Page 46:

Conclusions

- E-learners can clearly find themselves on the receiving end of a number of targeted threats
- New threats are likely to emerge in the future, alongside new end-user Internet services
- No single solution
  - appropriate technologies and suitable awareness initiatives are required
  - combined approaches will help to prevent users from being such easy prey

Page 47:

Related books . . .

Page 48:

Prof. Steven Furnell

Network Research Group
www.network-research-group.org