Vulnerabilities of Contemporary Information and Communication Technologies and Impact on Societies. Dr. Klaus Brunnstein, Professor for Application of Informatics, University Hamburg. World Summit on Information Societies, Geneva, December 11, 2003 (transcript of slides)


1
Vulnerabilities of Contemporary Information and Communication Technologies and Impact on Societies
Dr. Klaus Brunnstein, Professor for Application of Informatics, University Hamburg
World Summit on Information Societies, Geneva, December 11, 2003
  • 1. Perspectives: Industrial versus Information Society
  • 2. Risks inherent in contemporary ICTs
  • 3. Impacts: Towards a Risk Society?

2
1. Perspectives: Industrial versus Information Society
1.1 From Industrial to Information Societies
[Table, flattened in the transcript: rows Pre-Industrial, Industrial, I-Economy/I-Society; columns Physical Goods (Sector A Resources, Sector B Products, Sector C Services) and Virtual Goods (Sector D Resources, Sector E Products). Cell entries include Agriculture, Manufacture, Industry, Transport, Organisation, Management, KnowHow, Books, Media, PublicInfo, IPR, I-Bases, I-Production/I-Commerce, Virtual Transport, Virtual Organisation, I-Access.]
3
1. Perspectives: Industrial versus Information Society
1.2 Trends: Schumpeter/Kondratieff Cycles
  • Schumpeter/Kondratieff model of industrial development (international competition), formulated for the last two phases of the Industrial Society (supply side of markets)
  • Model applied to generic technology and extended backward to the preceding phases (1-2)
  • Phase 1 (1760): steam-driven stationary engine
  • Phase 2 (1810): steam-driven mobile engine
  • Phase 3 (1860): oil-driven engines
  • Phase 4 (1910): electricity-driven engines, networks; the precondition for computing/networking!
  • Duration of cycles about 40-50 (45) years

4
1. Perspectives: Industrial versus Information Society
1.3 Cycle Theory: Information Economies
  • Assumption: history repeats, though differently
  • Adaptation of the Schumpeter/Kondratieff model
  • Phase 1 (1940): Computer: Mainframe .. PC .. Chips; stationary, local code/control; computer companies support economic development
  • Phase 2 (1985): LAN ... WAN, mobile code/agents, data searching/mining, value-added services; network companies lead development
  • Phase 3 (2030): ??? (Nano miniaturization, Quantum/Optical Computing) ???
  • Phase 4 (2075): ???

5
1. Perspectives: Industrial versus Information Society
1.4 Trends: Changing Relations (e-Relations)
[Diagram, flattened in the transcript: actors Business, Government, Organisations, Citizen/Customer/User/Patient and the relations between them (G2B, B2G, G2G, B2B, B2O, O2C, B2C, C2G, G2C, H2B, B2H, H2H), with example applications: E-Commerce, E-Banking, E-Voting, E-TaxDeclaration, Electronic AGORA, daily-life applications, HealthCare/E-Care, E-Fun/E-Gaming, E-Learning, Leisure, I-Search, Science, Education, Libraries.]
6
1. Perspectives: Industrial versus Information Society
1.5 Forecast for 2005: 100 mio servers, 1000 mio clients, 10,000 smart devices
[Diagram, flattened in the transcript: Wide Area Network (WAN, TCP/IP-based) connecting secure LANs, secure clients, semi-/insecure clients, PDAs and ePDAs (enhanced PDAs with communication, agents, ...), car management systems, and next-generation ubiquitous computing (M-devices, wearware, ...).]
7
1. Perspectives: Industrial versus Information Society
1.6 Trends: Daily life with smart devices
  • Scenario: a daily-life application?
  • After a hard day of meetings, you are heading home, where you have invited several friends for a party. While you are activating your Car Management System (CMS) and starting your car, your Personal Electronic Transactor (PET ?), which is built into your watch, connects to your Household Management System (HMS) to check whether all your stored preferred resources (red wine, cheese, sausage) are readily available. As the stock of red wine needs replenishing, HMS tells CMS to show the route to your wine merchant, including a detour around a current traffic jam, and PET displays the itinerary and requirements to you ......
  • More examples? Nomadic distributed computing

8
2. Risks inherent in contemporary ICTs
2.1 Risk Classes
  • Risk Class 1: IT paradigms. System complexity: WYSIWYG and WYRIWIR do not apply; interoperability of incompatible systems: risky scripts
  • Risk Class 2: Basic IT concepts, e.g. the Internet Protocol (IP) considered harmful
  • Risk Class 3: Implementation (software techniques, languages). No assurance of functions and features; the language dominates the perception of programmers (Java, script kiddies); language weaknesses make malware easy to write
  • Risk Class 4: Installation and administration. Difficult to audit, dependency upon experts
  • Risk Class 5: User-induced risks. Users canNOT understand what is going on in complex systems; ill-guided minds find easy ways to gain control over other systems and the content of other users!

9
2. Risks inherent in contemporary ICTs
2.2 Complex systems cannot be controlled
  • Survey of the architecture of contemporary systems (top to bottom):
  • Presentation layer: WYSIWYG (What You See Is What You Get), O(100 MB)
  • Application layer, O(GB-TB)
  • System layer: organisation of resources (storage, processor, devices), problem solving (deadlocks etc.), security services, process support, O(1 GB)
  • Firmware, drivers, bus
  • Hardware layer: processor, storage, bus, connections to devices and network
  • The WYSIWYG principle does NOT hold (even for experts)
10
2. Risks inherent in contemporary ICTs
2.3A Software Bugs: CERT/CC reports 11/2002..03/2003
  • CERT Summary CS-2003-01, March 21, 2003
  • Source: CERT/CC Current Activity, http://www.cert.org/current/current_activity.html
  • 1. Buffer Overflow Vulnerability in Core Windows DLL
  • 2. Remote Buffer Overflow in Sendmail
  • 3. Increased Activity Targeting Windows Shares
  • 4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code
  • 5. MS-SQL Server Worm
  • 6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)
  • 7. Multiple Vulnerabilities in SSH Implementations
  • 8. Buffer Overflow in Microsoft Windows Shell
  • 9. Double-Free Bug in CVS Server
  • 10. Buffer Overflow in Windows Locator Service
  • (On the slide, colour distinguishes vulnerabilities in Microsoft software from those of other software manufacturers.)

11
2. Risks inherent in contemporary ICTs
2.3B Software Bugs: CERT/CC reports 04/2003..06/2003
  • CERT Summary CS-2003-02, June 3, 2003
  • 1. Integer Overflow in Sun RPC XDR Library Routines
  • 2. Multiple Vulnerabilities in Lotus Notes and Domino
  • 3. Buffer Overflow in Sendmail
  • 4. Multiple Vulnerabilities in Snort Preprocessors

12
2. Risks inherent in contemporary ICTs
2.3C Software Bugs: CERT/CC reports 07/2003..09/2003
  • CERT Summary CS-2003-03, September 8, 2003
  • 1. W32/Sobig.F Worm
  • 2. Exploitation of Vulnerabilities in Microsoft RPC Interface: a. W32/Blaster Worm, b. W32/Welchia
  • 3. Cisco IOS Interface Blocked by IPv4 Packet
  • 4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer: a. Buffer Overflow in Microsoft Windows HTML Conversion Library, b. Integer Overflows in Microsoft Windows DirectX MIDI Library, c. Multiple Vulnerabilities in Microsoft Internet Explorer
  • 5. Malicious Code Propagation and Antivirus Software Updates
  • (On the slide, colour distinguishes vulnerabilities in Microsoft-related application software.)

13
2. Risks inherent in contemporary ICTs
2.3D Software Bugs: CERT/CC reports 10/2003..11/2003
  • CERT Summary CS-2003-04, November 24, 2003
  • 1. W32/Mimail Variants (added plus Paylap variants)
  • 2. Buffer Overflow in Windows Workstation Service
  • 3. Multiple Vulnerabilities in Microsoft Windows and Exchange
  • 4. Multiple Vulnerabilities in SSL/TLS Implementations
  • 5. Exploitation of Internet Explorer Vulnerability
  • 6. W32/Swen.A Worm
  • 7. Buffer Overflow in Sendmail
  • 8. Buffer Management Vulnerability in OpenSSH
  • 9. RPCSS Vulnerabilities in Microsoft Windows
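Two bug classes recur through the four CERT/CC summaries above (2.3A to 2.3D): the buffer overflow, where a length taken from the sender is copied into a fixed-size buffer, and the integer overflow in allocation arithmetic, as in the Sun RPC XDR library routines. The following C is an added illustration written for this transcript, not code from the presentation or from any of the affected products: each class is shown as a vulnerable decoder next to its hardened form. The record layouts (a one-byte length followed by a name; a four-byte big-endian count followed by that many 32-bit values) are hypothetical, and the vulnerable functions are only ever called on well-formed input, since calling them on the malformed records is undefined behaviour.

```c
/* Added example, not from Prof. Brunnstein's slides or from any vendor code.
 * Two bug classes from the CERT/CC summaries, each beside a hardened variant.
 * Both record formats are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer for the name */

/* Hypothetical record: [len: 1 byte][name: len bytes] */

/* VULNERABLE: the sender's length byte is trusted. A len of up to 255 is
 * copied into a 16-byte buffer, overwriting whatever follows it. */
int parse_name_unsafe(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    if (rec_len < 1 || rec_len < 1 + (size_t)rec[0]) return -1;
    size_t len = rec[0];
    memcpy(out, rec + 1, len);          /* no check against NAME_MAX */
    out[len] = '\0';
    return (int)len;
}

/* HARDENED: the copy is bounded by the destination size, not by the sender.
 * Returns -2 for an oversize name rather than silently truncating it. */
int parse_name_safe(const uint8_t *rec, size_t rec_len, char out[NAME_MAX])
{
    if (rec_len < 1 || rec_len < 1 + (size_t)rec[0]) return -1;
    size_t len = rec[0];
    if (len >= NAME_MAX) return -2;     /* leave room for the terminator */
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical XDR-like array: [count: 4 bytes BE][count * 4 bytes] */

/* VULNERABLE: count * 4 is computed in 32 bits and wraps. count = 0x40000001
 * gives nbytes = 4, so a 4-byte heap block is allocated and the decode loop
 * then writes 0x40000001 elements past it (and reads far past the input). */
uint32_t *decode_array_unsafe(const uint8_t *buf, size_t buf_len, uint32_t *count_out)
{
    if (buf_len < 4) return NULL;
    uint32_t count = be32(buf);
    uint32_t nbytes = count * 4;                    /* wraps */
    uint32_t *arr = malloc(nbytes ? nbytes : 4);
    if (!arr) return NULL;
    for (uint32_t i = 0; i < count; i++)            /* heap overflow */
        arr[i] = be32(buf + 4 + 4 * (size_t)i);
    *count_out = count;
    return arr;
}

/* Does a count pass both hardened checks for an input of buf_len bytes?
 * 1. the multiplication must not wrap in the type it is computed in;
 * 2. the declared payload must fit inside the bytes actually received. */
int array_count_ok(uint32_t count, size_t buf_len)
{
    if (buf_len < 4) return 0;
    if (count > UINT32_MAX / 4) return 0;            /* would wrap */
    return (size_t)count * 4 <= buf_len - 4;         /* exceeds input? */
}

/* HARDENED: validate before allocating; on failure return NULL, count 0. */
uint32_t *decode_array_safe(const uint8_t *buf, size_t buf_len, uint32_t *count_out)
{
    *count_out = 0;
    if (!array_count_ok(be32(buf), buf_len)) return NULL;
    uint32_t count = be32(buf);
    uint32_t *arr = malloc(count ? (size_t)count * 4 : 4);
    if (!arr) return NULL;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = be32(buf + 4 + 4 * (size_t)i);
    *count_out = count;
    return arr;
}

int main(void)
{
    /* Constructed sample records, one benign and one hostile. */
    static const uint8_t ok[] = {5, 'a', 'l', 'i', 'c', 'e'};
    uint8_t bad[41] = {40};              /* length byte says 40, buffer holds 16 */
    memset(bad + 1, 'A', 40);
    char name[NAME_MAX];
    printf("safe, good record: %d\n", parse_name_safe(ok, sizeof ok, name));
    printf("safe, oversize record: %d\n", parse_name_safe(bad, sizeof bad, name));
    printf("count 0x40000001 with 8-byte input accepted? %d\n",
           array_count_ok(0x40000001u, 8));
    return 0;
}
```

The two checks in array_count_ok are deliberately separate: the first guards the arithmetic in the width it is actually performed in, the second ties the declared count to the bytes on the wire. Either alone leaves a hole, which is why decoders that only "fixed" one of them reappear in later advisories.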

14
2. Risks inherent in contemporary ICTs
2.4 Distributed Denial-of-Service Attacks (DDoS)
  • Experienced DDoS attacks of February 2000
  • Known victims: Amazon, eBay, Yahoo, ...
  • Attacker: "Mafiaboy" (15 years old, Canada) using TRINOO
  • [Diagram: the attacker deploys TRINOO zombie code (attack programs waiting for a signal to attack) on compromised hosts, then triggers the attack against the victim's business LAN and server.]
15
2. Risks inherent in contemporary ICTs
2.5 Attacks on Internet Root DNS
[Diagram, flattened in the transcript: a domain name server maps names (bank1.com, Govt2.org, User3.edu, ...) to IP addresses; the InterNIC DNS root server A and the root servers B to M (USA East, USA West, Europe, Asia) serve the top-level domains (com, org, edu, ... ch, de, tv, ...); intranets such as Bank1.com and Bank2.ch depend on them. Attack of Oct. 21, 2002, 2300, lasting about 1 hour, from some 6000 attack sites.]
16
2. Risks inherent in contemporary ICTs
2.6 Pandora's Box: Viruses, Worms, Trojans, Spyware
[Diagram, flattened in the transcript: valuable information assets sit inside application programs processing valuable information, which rest on supporting systems (operating/database systems, script-language interpretation, language processing, NetOS). Threats enter through local access (Trojan horses, backdoors, traps), through the network (spoofing, sniffing, data hijacking, DDoS, ...) and through webmail etc. (viruses, worms).]
17
3. Impacts: Towards a Risk Society?
3.1 Options for handling risks
  • Option 1: Deliberate decision: Don't use!
  • Option 2: Don't care! Enjoy! (preferred mode of young users)
  • Option 3: Educated user: learn to understand the risks, try to reduce them and act in cases of emergency
  • Option 4: Try to anticipate and avoid risks! Presently NOT POSSIBLE!

18
3. Impacts: Towards a Risk Society?
3.2 Impact of Insecurity under "Don't Care!"
  • Impact of insecure systems: towards a risk society
  • Loss of control
  • Loss of productivity (e-jobs), connectivity
  • Loss of trust
  • Loss of confidentiality
  • Loss of privacy

19
3. Impacts: Towards a Risk Society?
3.3 Educated users and ICT risks
  • Learning to understand the threats of contemporary ICTs, and how to protect against such threats:
  • 3A) Software bugs: critical software updates (patching)
  • 3B) Integrity threats: computer viruses, worms, trojan horses, spyware; countermeasure: anti-malware
  • 3C) (Hacker) attacks from networks: filtering addresses and services (ports) with firewalls
  • 3D) Loss of authenticity: spoofing, man-in-the-middle attacks; protection of authenticity: passwords vs. biometrics
  • 3E) Loss of confidentiality: protection through encryption (symmetric, asymmetric)
  • 3F) Loss of function in networks: Denial-of-Service attacks; solution through redundant architecture
  • 3G) Distinguishing between useful and useless (SPAM) email
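Points 3D and 3E above are linked: asymmetric key agreement gives confidentiality against a passive listener, but without some proof of authenticity an active attacker in the middle simply runs two exchanges, one with each side, and reads everything. The C program below is an added illustration for this transcript, not code from the presentation, and it uses a toy Diffie-Hellman exchange (a 32-bit prime modulus and small exponents, giving no real security) to show three runs: a direct exchange, one relayed through a man-in-the-middle, and one in which Alice checks the public value she receives against a copy of Bob's value obtained out of band, the fingerprint-pinning idea used by SSH known_hosts. The party names, exponents and the pinning rule are all assumptions made for the example.

```c
/* Added example, not from Prof. Brunnstein's slides. Toy Diffie-Hellman with
 * and without an active man-in-the-middle, then with the peer's public value
 * pinned. P and G are toy parameters chosen so that a*b never exceeds 64 bits;
 * they provide no security. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define P 4294967291ULL   /* 2^32 - 5, prime; operands < 2^32 so a*b fits uint64 */
#define G 5ULL

static uint64_t mulmod(uint64_t a, uint64_t b) { return (a * b) % P; }

/* base^exp mod P by square-and-multiply. */
uint64_t powmod(uint64_t base, uint64_t exp)
{
    uint64_t r = 1;
    base %= P;
    while (exp) {
        if (exp & 1) r = mulmod(r, base);
        base = mulmod(base, base);
        exp >>= 1;
    }
    return r;
}

struct dh_result {
    bool     aborted;     /* Alice refused to continue */
    uint64_t key_alice;   /* secret Alice derives */
    uint64_t key_bob;     /* secret Bob derives */
    uint64_t mitm_key_a;  /* Mallory's secret shared with Alice (0 if no MITM) */
    uint64_t mitm_key_b;  /* Mallory's secret shared with Bob   (0 if no MITM) */
};

/* a, b: private exponents of Alice and Bob. m: Mallory's exponent, 0 for no
 * attacker. pin_bob: Alice compares the value she receives "from Bob" with
 * Bob's real public value, which she is assumed to know out of band. */
struct dh_result run_dh(uint64_t a, uint64_t b, uint64_t m, bool pin_bob)
{
    struct dh_result r = {0};
    uint64_t A = powmod(G, a);          /* Alice sends g^a */
    uint64_t B = powmod(G, b);          /* Bob sends g^b   */
    uint64_t pinned_B = B;              /* Alice's out-of-band copy (assumption) */

    uint64_t A_seen_by_bob = A, B_seen_by_alice = B;
    if (m) {
        uint64_t M = powmod(G, m);      /* Mallory replaces both values with g^m */
        A_seen_by_bob = M;
        B_seen_by_alice = M;
        r.mitm_key_a = powmod(A, m);    /* g^(am): what Alice will compute */
        r.mitm_key_b = powmod(B, m);    /* g^(bm): what Bob will compute   */
    }
    if (pin_bob && B_seen_by_alice != pinned_B) {
        r.aborted = true;               /* authenticity check failed: stop */
        return r;
    }
    r.key_alice = powmod(B_seen_by_alice, a);
    r.key_bob   = powmod(A_seen_by_bob, b);
    return r;
}

/* Did the honest parties end up with one shared secret? */
bool dh_keys_agree(struct dh_result r)
{
    return !r.aborted && r.key_alice == r.key_bob;
}

/* Can Mallory decrypt traffic in both directions? */
bool dh_mitm_reads_both(struct dh_result r)
{
    return !r.aborted && r.key_alice == r.mitm_key_a && r.key_bob == r.mitm_key_b;
}

int main(void)
{
    struct dh_result direct = run_dh(123456, 654321, 0, false);
    struct dh_result mitm   = run_dh(123456, 654321, 777, false);
    struct dh_result pinned = run_dh(123456, 654321, 777, true);
    printf("direct: keys agree = %d\n", dh_keys_agree(direct));
    printf("mitm:   keys agree = %d, Mallory reads both = %d\n",
           dh_keys_agree(mitm), dh_mitm_reads_both(mitm));
    printf("pinned: aborted = %d\n", pinned.aborted);
    return 0;
}
```

In the relayed run neither honest party sees an error: each computes a perfectly good key, just not the same one, and Mallory holds both. Only the pinned run fails, and it fails before any key is derived. Pinning stands in here for whatever the slide's "protection of authenticity" is in practice (a certificate, a signature, a fingerprint confirmed over another channel); the point is that confidentiality (3E) buys nothing against an active attacker until authenticity (3D) is established.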