UW CSEP 590 - Software Process

This preview shows page 1-2-3-4-5-6 out of 18 pages.


Software Process

Eric Leonard, University of Washington
Chad Parry, University of Washington
Daryl Sterling Jr., UC San Diego
Charistel Ticong, UC Berkeley

It could be said that one of the reasons cybersecurity is such an important topic is that the software products currently in the marketplace are so flawed. This could be an overstatement, but it is certain that existing software processes could be improved. Enterprises have long been concerned with developing the most feature-rich applications to give them a competitive advantage in the marketplace. This approach has created vulnerable code that falls prey to the threats of cyberterrorism, hacking and the financial risk posed by privacy legislation and litigation. Development processes must change to improve the security and privacy of software. Recommendations for public policy as well as software practices will be introduced.

Factors Driving the Need for Changes to Modern Software Practices

New Opportunities

In the beginning, there was no internet. There were not 350 million hosts all sharing data and information at blazing speeds. There’s no way the four hosts connected to ARPAnet, the first internet, could have thought that what they started could change applications and human life forever. The original hosts on ARPAnet simply shared resources among research facilities and a few University of California schools, so every other connected host could be trusted and held accountable for anything that went wrong [ARPA]. Today, however, is a much different story.

With new opportunities come new challenges. The internet not only makes it easier to communicate with people around the globe for the betterment of humankind, it also makes it easier to engage in activities of questionable ethics. The anonymity of the internet may be of great amusement in a chatroom, but it can be a nightmare when trying to assign accountability when a crime has taken place. Forensic techniques can only take you so far if your “witnesses” all say they didn’t see anything; but this situation is all too common when trying to track down instances of fraud on the internet.

As if anonymity were not enough, speed is another not-so-hidden danger. Not only can a potential attacker have worldwide connectivity, one can also execute attacks at increasing speeds [0wn]. Broadband connections, from cable to T-1, are being installed in homes and entire apartment complexes, making high-speed internet connections more common.

Malicious Code

Different types of programs have been made to do a variety of different things, such as attack entire networks or hijack personal computers. Even though the pieces of software and the techniques are different, most of them share a common thread: they force their way onto a user’s machine. They can do this in a variety of ways. One way is to send information that is too big for what a program is designed to handle. Since the program must store the data somewhere, the “extra” data that it was sent usually overwrites something already on the user’s machine. The “extra” information often provides a means for an attacker to have a “way into” the machine. This type of attack is called a buffer overflow exploit.

Once in, the software usually “phones home” and downloads the most current version of itself so it can continue carrying out its intended purpose. Once it establishes a firm hold on the machine and has updated itself, it can lie in wait for a future coordinated event involving other compromised computers, or start spreading copies of itself right away.

Not all malicious code forces its way onto a user’s machine. In many cases, the user allows it either blindly or knowingly. Some malicious software, or software that is designed to present advertisements to a user (adware), comes bundled with software that the user wants. With the rise of peer-to-peer file sharing programs, many developers have chosen to bundle their adware with the desired programs. And since, for the most part, users cannot be bothered with reading how a software package is going to be installed, they either opt for the “express install”, which can install just about anything, or blindly click “Yes” to any and all questions asked of them, just so they can use the software.

In addition to software packages, users are also bombarded with advertisements while surfing the web. While they browse, advertisements, which by nature are designed to attract attention, lure users into clicking anywhere within the advertisement’s window. Once clicked, a variety of software can be downloaded and installed on the user’s machine when they visit the resulting website.

For Fame and Fortune

People with the technical know-how create tools to do their bidding, but sometimes there is no harm intended at all and a curious user tries the tool for fun. On another level, people use and develop hacking tools for bragging rights or to build a reputation in the hacking community. On the highest level, entire criminal organizations develop their own custom tools to deliver attacks, or set up a means to deliver an attack, in order to extort money from a company that does not want its web services shut down for a period of time. In many cases, paying the crime organization is far more beneficial to the company, since having its web services stop would put it out much more money.

Pharming & Phishing

Gaining information about people on the internet is a key factor in the realm of identity theft and making false accounts for fraudulent purchases. One direct way, which plagues online services such as America Online, is to simply ask the user for usernames and passwords. Even though services such as AOL explicitly tell their users never to give away their account information, this technique of asking masses of users for their personal information, called phishing, has been very successful. Another technique, called pharming, is one where raw data is “harvested” from many users by making them believe they are

