Title: Vulnerabilities of Contemporary Information and Communication Technologies and Impact on Societies. Dr. Klaus Brunnstein, Professor for Application of Informatics, University Hamburg. World Summit on Information Societies, Geneva, December 11, 2003.
- 1. Perspectives: Industrial versus Information Society
- 2. Risks inherent in contemporary ICTs
- 3. Impacts: Towards a Risk Society?
1. Perspectives: Industrial versus Information Society

1.1 From Industrial to Information Societies

| | Physical Goods: Sector A (Resources) | Sector B (Products) | Sector C (Services) | Virtual Goods: Sector D (Resources) | Sector E (Products) |
|---|---|---|---|---|---|
| Pre-Industrial | Agriculture | Manufacture | Transport, Organisation | KnowHow | Books, Media |
| Industrial | Agriculture | Industry | Transport, Management | KnowHow, Public Info | IPR, Media |
| I-Economy / I-Society | Agriculture | Industry | Transport, Virtual Transport, Virtual Organisation | I-Bases, I-Access | I-Production / I-Commerce |
1.2 Trends: Schumpeter/Kondratieff Cycles

- Schumpeter/Kondratieff model for industrial development (international competition), for the last two phases of the Industrial Society (supply side of markets)
- Model applied to generic technology and extended backward to the preceding phases (1-2)
  - Phase 1 (1760): vapour-driven stationary engine
  - Phase 2 (1810): vapour-driven mobile engine
  - Phase 3 (1860): oil-driven engines
  - Phase 4 (1910): electricity-driven engines, networks; precondition for computing/networking!
- Duration of cycles about 40-50 (45) years
1.3 Cycle Theory of Information Economies

- Assumption: history repeats, though differently
- Adaptation of the Schumpeter/Kondratieff model
  - Phase 1 (1940): Computer: mainframe .. PC .. chips; stationary, local code/control; computer companies support economic development
  - Phase 2 (1985): LAN ... WAN, mobile code/agents, data searching/mining, value-added services; network companies lead development
  - Phase 3 (2030): ??? (nano miniaturization, quantum/optical computing) ???
  - Phase 4 (2075): ???
1.4 Trends: Changing Relations (e-Relations)

- Diagram: e-relations between Government, Business, Organisations, Citizen/Customer, User and Patient, labelled G2B, B2B, B2G, G2G, B2O, G2C, O2C, H2B, B2H, B2C, C2G and H2H
- Application areas shown: E-Commerce, E-Banking, E-Voting, E-TaxDeclaration, Electronic AGORA, daily-life applications, HealthCare/E-Care, E-Fun/E-Gaming, E-Learning/Leisure, I-Search for Science, Education and Libraries
1.5 2005: 100 million servers, 1000 million clients, 10,000 smart devices

- Diagram: secure clients and semi/insecure clients attached to Local Area Networks (secure LANs) and to the TCP/IP-based Wide Area Network (WAN); next generation ubiquitous computing (U.C.) with M-devices, wearware, ...; PDA (Personal Digital Assistant) and ePDA (enhanced PDA with communication, agents, ...); car management system
1.6 Trends: Daily life with smart devices

- Scenario: a daily-life application?
- After a hard day of meetings, you are heading home, where you have invited several friends for a party. While you are activating your Car Management System (CMS) and starting your car, your Personal Electronic Transactor (PET?), which is included in your watch, connects to your Household Management System (HMS) to analyse whether all your stored preferred resources (red wine, cheese, sausage) are readily available. As an update of the red wine bottles is needed, HMS informs CMS to show the route to your winehouse, including a deviation due to a current traffic jam; PET will display the itinerary and requirements to you ......
- More examples? Nomadic distributed computing
2. Risks inherent in contemporary ICTs

2.1 Risk Classes

- Risk Class 1: IT paradigms
  - System complexity: WYSIWYG and WYRIWIR do not apply
  - Interoperability of incompatible systems: risky scripts
- Risk Class 2: Basic IT concepts
  - e.g. Internet Protocol (IP) considered harmful
- Risk Class 3: Implementation (software techniques, languages)
  - No assurance of functions/features
  - Language dominates the perception of programmers (Java, script kiddies)
  - Language weaknesses: malware is easy to write
- Risk Class 4: Installation and administration
  - Difficult to audit, dependency upon experts
- Risk Class 5: User-induced risks
  - Users canNOT understand what is going on in complex systems
  - Ill-guided minds find easy ways to gain control over other systems and the content of other users!
2.2 Complex systems cannot be controlled

- Survey of the architecture of contemporary systems (with the order of magnitude of code per layer):
  - Presentation layer: WYSIWYG (What You See Is What You Get), O(100 MB)
  - Application layer: O(GB-TB)
  - System layer: organisation of resources (storage, processor, devices), problem solving (deadlocks etc.), security services, process support; O(1 GB)
  - Firmware, drivers
  - Hardware layer: processor, storage, bus connections to devices (Bus) and network (Net)
- The WYSIWYG principle does NOT hold (even for experts)
2.3A Software Bugs: CERT/CC reports 11/2002..03/2003

- CERT Summary CS-2003-01, March 21, 2003
- Source: CERT/CC Current Activity, http://www.cert.org/current/current_activity.html
  - 1. Buffer Overflow Vulnerability in Core Windows DLL
  - 2. Remote Buffer Overflow in Sendmail
  - 3. Increased Activity Targeting Windows Shares
  - 4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code
  - 5. MS-SQL Server Worm
  - 6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)
  - 7. Multiple Vulnerabilities in SSH Implementations
  - 8. Buffer Overflow in Microsoft Windows Shell
  - 9. Double-Free Bug in CVS Server
  - 10. Buffer Overflow in Windows Locator Service
- Colour code: vulnerabilities related to Microsoft / other software manufacturers
2.3B Software Bugs: CERT/CC reports 04/2003..06/2003

- CERT Summary CS-2003-02, June 3, 2003
  - 1. Integer Overflow in Sun RPC XDR Library Routines
  - 2. Multiple Vulnerabilities in Lotus Notes and Domino
  - 3. Buffer Overflow in Sendmail
  - 4. Multiple Vulnerabilities in Snort Preprocessors
2.3C Software Bugs: CERT/CC reports 07/2003..09/2003

- CERT Summary CS-2003-03, September 8, 2003
  - 1. W32/Sobig.F Worm
  - 2. Exploitation of Vulnerabilities in Microsoft RPC Interface
    - a. W32/Blaster Worm
    - b. W32/Welchia
  - 3. Cisco IOS Interface Blocked by IPv4 Packet
  - 4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
    - a. Buffer Overflow in Microsoft Windows HTML Conversion Library
    - b. Integer Overflows in Microsoft Windows DirectX MIDI Library
    - c. Multiple Vulnerabilities in Microsoft Internet Explorer
  - 5. Malicious Code Propagation and Antivirus Software Updates
- Colour code: vulnerabilities related to Microsoft-related application software
2.3D Software Bugs: CERT/CC reports 10/2003..11/2003

- CERT Summary CS-2003-04, November 24, 2003
  - 1. W32/Mimail Variants (added plus Paylap variants)
  - 2. Buffer Overflow in Windows Workstation Service
  - 3. Multiple Vulnerabilities in Microsoft Windows and Exchange
  - 4. Multiple Vulnerabilities in SSL/TLS Implementations
  - 5. Exploitation of Internet Explorer Vulnerability
  - 6. W32/Swen.A Worm
  - 7. Buffer Overflow in Sendmail
  - 8. Buffer Management Vulnerability in OpenSSH
  - 9. RPCSS Vulnerabilities in Microsoft Windows
2.4 Distributed Denial-of-Service Attacks (DDoS)

- Experienced DDoS attacks of February 2000; known victims: Amazon, eBay, Yahoo, ...
- Diagram: the attacker deploys TRINOO and triggers the attack; zombie code (attack programs waiting for the signal to attack) sits on servers in business LANs
- Mafiaboy (15 yr), Canada, using TRINOO
2.5 Attacks on Internet Root DNS

- Diagram: a Domain Name Server maps names to addresses (bank1.com -> IP address1, Govt2.org -> IP address2, User3.edu -> IP address3, ...); the InterNIC DNS root server A serves the top-level domains (com, org, edu, ... ch, de, tv, ...); the root servers A to M are distributed over USA East, USA West, Europe and Asia; intranets such as Bank1.com and Bank2.ch depend on them
- Attack of Oct. 21, 2002 (23:00, duration 1 hour) from 6000 attack sites
2.6 Pandora's Box: Viruses, Worms, Trojans, Spyware

- Diagram of threats per layer:
  - Application programs processing valuable information / valuable information assets: Trojan horses, ...
  - Supporting systems (operating/database systems, script-language interpretation, language processing): Trojan horses, backdoors, traps (via local access)
  - NetOS, webmail etc.: spoofing, sniffing, data hijacking, DDoS, ...; viruses; worms
3. Impacts: Towards a Risk Society?

3.1 Options for handling risks

- Option 1: Deliberate decision: Don't use!
- Option 2: Don't care! Enjoy!
  - Preferred mode of young users
- Option 3: Educated user: learn to understand the risks, try to reduce them and act in cases of emergency.
- Option 4: Try to anticipate and avoid risks!
  - Presently NOT POSSIBLE!
3.2 Impact of Insecurity under "Don't Care!"

- Impact of insecure systems: towards a risk society
  - Loss of control
  - Loss of productivity (e-jobs), connectivity
  - Loss of trust
  - Loss of confidentiality
  - Loss of privacy
3.3 Educated users and ICT risks

- Learning to understand the threats of contemporary ICTs, and how to protect against such threats:
  - 3A) Software bugs: critical software updates (patching)
  - 3B) Integrity threats (computer viruses, worms, Trojan horses, spyware): countermeasure anti-malware
  - 3C) (Hacker) attacks from networks: filtering addresses and services (ports), firewalls
  - 3D) Loss of authenticity (spoofing, man-in-the-middle attacks): protection of authenticity, passwords vs. biometrics
  - 3E) Loss of confidentiality: protection through encryption (symmetric, asymmetric)
  - 3F) Loss of function in networks (Denial-of-Service attacks): solution through redundant architecture
  - 3G) Distinguish between useful and useless (SPAM) email