Internet Security: Are You at Risk? Dan Massey Colorado State University November 10, 2004


Some Motivation

The asking price for use of a network of 20,000 zombie PCs: $2,000 to $3,000. Such networks typically are used to broadcast spam and phishing scams and to spread e-mail viruses designed mainly to create yet more zombies.

Vulnerabilities and Counter Measures

• Vulnerabilities: Why Should You Care
  • You Receive The Resulting Spam Email
    • An annoyance if you simply filter or delete the email
    • A real problem if you believe it and reveal private data.
  • You May Be The Owner of a Zombie PC
    • Essentially a PC where attackers have gained access.
    • Thriving market exists for compromised network PCs
  • You Rely on Network Based Services
    • Bank ATMs, airlines, utilities, etc. all make use of networks
    • Compromised PCs can be used to disrupt networks or conceal the identity of attackers.
• Counter Measures: What features help protect you?

Historical Development

• Internet Originally a Small Research Project
  • Few computers at research centers
  • Connected via slow (by today’s standard) links
  • All users are experts on the system
  • First real “killer application”: email
• Planned for Some “Security” Concerns
  • The main “threat” was that computers or network links might stop working.

Early “Security” Problems

• Rare Cases of Malfunctioning Computers
  • Computer at MIT malfunctioned and most east coast computers could no longer reach the west coast.
  • Solution: user community teamed up to find and fix the problem.
• Rare Cases of Application Misuse
  • Someone sent an email message announcing a new product that was for sale.
  • Solution: community instructed the sender to never again send “spam” email and the sender apologized

Spam Email Today

From: [email protected]

We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling to Brasil, the unusual login attempts may have been initiated by you.

…<visit some website that will ask for account data>…

If you choose to ignore our request, you leave us no choice but to temporally suspend your account.

Countering This Attack

• Solution 1: Block Email Before It Enters the Network
  • Great Deal of Ad Hoc Work In This Area
  • But hard to control all access points
    • and often block valid email as collateral damage.
• Solution 2: Drop Email Before It Reaches Receiver
  • Hard to determine valid vs. invalid senders
• Solution 3: Drop or Ignore the Message at Receiver
  • The only defense that will save me in this case.
  • But fortunately we have a solid solution…

Cryptographic Counter Measures

• The Solution: Cryptographic Magic Happens
  • Citibank establishes a key pair
    • Private key is known only by Citibank
    • Public key is published and known by all
  • Enables Secure Communication with Citibank
    • I encrypt my account number using the Citibank public key.
    • Send encrypted data to the requestor
    • Only someone with the private key can decrypt.
• Result: Attacker just gets an encrypted mess
  • No need for you or Citibank to worry about this email.

Does This Work in Practice?

• Do You Encrypt Confidential Data Using Public Key Cryptography?

From My Bank’s Website:

At (BigBank), ensuring the security of your online information is important to us, and that's why you can rest assured that no one but Wells Fargo has access to your information.

Signing on to view your accounts from the (BigBank) Home Page is safe. The moment you click the Sign On button, your username and password are encrypted using Secure Sockets Layer (SSL) technology, keeping your information secure.

Your Role in the System

• In theory, we have fixed the problem….
• The Problem: Cryptographic Magic Happens
• Several Important Assumptions About You
  • You will only send data over encrypted channels.
  • You will obtain the correct Public Key for Citibank
  • You will encrypt data with the correct key.
    • No point encrypting your data with the attacker’s key!
• In practice, the system really relies on you ignoring the email message.
  • Otherwise Citibank and you share the damages.
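The key-pair idea from the "Cryptographic Counter Measures" slide and the correct-key assumption above, as an added example that is not part of the original slides. It uses textbook RSA over fixed Mersenne primes, which is insecure and for illustration only; the function names, the account number and the fingerprint check are assumptions of this sketch.

```python
import hashlib

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public, private) key tuples."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # d = e^-1 mod phi (Python 3.8+)

def fingerprint(public):
    """SHA-256 over the public key, the value you would verify out of band."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(private, c):
    n, d = private
    return pow(c, d, n)

def send_account_number(account, offered_key, pinned_fp):
    """Encrypt only when the offered key matches the pinned fingerprint."""
    if fingerprint(offered_key) != pinned_fp:
        return None                       # wrong key: send nothing at all
    return encrypt(offered_key, account)

# Constructed sample data: Mersenne primes stand in for real key material.
BANK_PUB, BANK_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**31 - 1, 2**107 - 1)
ACCOUNT = 4000123412345678                # constructed account number
PINNED = fingerprint(BANK_PUB)            # learned out of band, not from the email

if __name__ == "__main__":
    c = encrypt(BANK_PUB, ACCOUNT)
    print("bank recovers account:       ", decrypt(BANK_PRIV, c) == ACCOUNT)
    print("attacker reads bank-keyed:   ", decrypt(ATTACKER_PRIV, c) == ACCOUNT)
    c_bad = encrypt(ATTACKER_PUB, ACCOUNT)  # user trusted the key in the email
    print("attacker reads wrongly keyed:", decrypt(ATTACKER_PRIV, c_bad) == ACCOUNT)
    blocked = send_account_number(ACCOUNT, ATTACKER_PUB, PINNED) is None
    print("pin check blocks bad key:    ", blocked)
```

The encryption is equally sound in both cases; the only difference is which public key the sender trusted, which is the assumption the slide places on the user.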

Internet Risks So Far

• Attackers Seek Your Private Data
  • Your job is to protect this information
• Defense 1: I’m smart enough to ignore spam email
  • Ideally because you know the attacker doesn’t have the right X.509 certificate.
• Defense 2: I pick hard to crack passwords and change them.
• Defense 3: I’m a student and my bank account is already empty.
  • You are probably more valuable as a Zombie!

Compromised PCs

• Network PCs are a valuable commodity
  • Provides attackers with resources (cpu, disk)
  • Makes tracking attackers difficult
  • Enable Distributed Denial of Service Attacks
• Real and Thriving Market in Hacked PCs
  • Network Security Discussion from NANOG:
    One problem hackers face: “Botnets (compromised PC collections) contain too many government computers”

How Can this Happen

• From “Secrets and Lies” by Schneier (all old issues so don’t try them!)
  • Under certain conditions, a malformed clip art file can let arbitrary code execute on the user’s computer.
  • MS Explorer 5.0 allows an attacker to set up a Web page giving him the ability to execute any program on a visitor’s machine.
• Vulnerabilities in complex software are unavoidable.
  • System Relies on You to Install Updates

Impact of Compromised PCs

A visit from the FBI
By Scott Granneman, SecurityFocus
Posted: 28/01/2004 at 13:02 GMT

A favorite trick is to surreptitiously turn on the Webcam of an owned computer in order to watch the dupe at work, or watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from impounded machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself any longer, and starts to insult or mock or screw with the duped owner.

<snip> A man was working a crossword puzzle online when the hacker helpfully suggested a word for 14 Down

Impact of Compromised PCs

• More Serious (non-webcam) Consequences
  • Attacker has access to your files
  • Logs your keystrokes
  • Gains data about you
• Real Goal is Likely Something Larger
  • Your PC provides the attacker a hiding place
  • Provides resources
  • Provides bandwidth

Distributed Denial of Service

• Attackers Control Massive Resources
  • Networks of 100,000+ compromised PCs
  • Each PC can send thousands of messages/sec
  • What if one directs all messages at a single site?
• Example: attacker selects www.colostate.edu as target
  • Direct all zombies to send data to target as fast as possible
  • Consumes all available resources at target
    • No bandwidth, no CPU, etc. to handle valid requests.
• How Do You Defend Against This?
  • Answer today: largely ad hoc filtering

DDoS Remains a Real Threat

Akamai DDoS Attack Whacks Web Traffic, Sites

By Chris Gonsalves June 15, 2004

An apparent DDoS (distributed denial of service) attack on the DNS run by Akamai Technologies Inc. slowed traffic across the Internet early Tuesday and brought the sites of the firm's major customers to a screeching halt for roughly two hours.

Slammer Worm After 30 Minutes

(graph by CAIDA)

Worms and Network Design

• Assumed there is some important purpose for the communication
  • Ex: data and resources used in calculations to find a cure for cancer.
• Resource Identification Success
  • Found and made use of 75K computers on 6 continents
  • Located 90% of available resources in 10 minutes
• Routing and Transport Success
  • UDP transport provided successful simple best effort delivery
  • Network routing delivered packets from one end of globe to another
• Of Course Some Challenges Still Remain….
  • Unforeseen interactions resulted in canceled airline flights, ATM failures…

to exploit a known Microsoft security hole

these 75K did not want to provide resources!

Network Security Today

• Designed a Robust Network That Finds a Way to Deliver Data
  • Now recognize some data shouldn’t be delivered.
• Strong Theoretical Models To Block Attacks
  • But typically assume expert configuration and informed users.
• Open Research Challenge:
  • Build Robust and Secure Networks That Survive Both Failures and Attacks

Challenges To You

• Network Security Depends On You
  • Use security models when possible
  • Update and patch your PC
• Help Us Build the Necessary Systems
  • Need approaches that apply state of the art mathematics and computer science.
  • But must also assume human errors and lack of expertise.
  • Many open challenges…