Internet Security: Are You at Risk



1
Internet Security: Are You at Risk?
  • Dan Massey
  • Colorado State University
  • November 10, 2004

2
Some Motivation
The asking price for use of a network of 20,000
zombie PCs 2,000 to 3,000. Such networks
typically are used to broadcast spam and
phishing scams and to spread e-mail viruses
designed mainly to create yet more zombies.
3
Vulnerabilities and Counter Measures
  • Vulnerabilities: Why Should You Care
  • You Receive The Resulting Spam Email
  • An annoyance if you simply filter or delete the
    email
  • A real problem if you believe it and reveal
    private data.
  • You May Be The Owner of a Zombie PC
  • Essentially a PC where attackers have gained
    access.
  • Thriving market exists for compromised network
    PCs
  • You Rely on Network Based Services
  • Bank ATMs, airlines, utilities, etc. all make use
    of networks
  • Compromised PCs can be used to disrupt networks
  • or conceal the identity of attackers.
  • Counter Measures: What features help protect
    you?

4
Historical Development
  • Internet Originally a Small Research Project
  • Few computers at research centers
  • Connected via slow (by today's standard) links
  • All users are experts on the system
  • First real killer application: email
  • Planned for Some Security Concerns
  • The main threat was that computers or network
    links might stop working.

5
Early Security Problems
  • Rare Cases of Malfunctioning Computers
  • Computer at MIT malfunctioned and most east coast
    computers could no longer reach the west coast.
  • Solution: user community teamed up to find and
    fix the problem.
  • Rare Cases of Application Misuse
  • Someone sent an email message announcing a new
    product that was for sale.
  • Solution: community instructed the sender to
    never again send spam email and the sender
    apologized

6
Spam Email Today
  • From: PowerSafe_at_citibank.com
  • We recently noticed one or more attempts to
    log in to your Citibank account from a foreign IP
    address and we have reasons to believe that your
    account was used by a third party without your
    authorization. If you recently accessed your
    account while traveling to Brasil, the unusual
    login attempts may have been initiated by you.
  • <visit some website that will ask for
    account data>
  • If you choose to ignore our request, you
    leave us no choice but to temporally suspend your
    account.

7
Countering This Attack
  • Solution 1: Block Email Before It Enters the
    Network
  • Great Deal of Ad Hoc Work In This Area
  • But hard to control all access points
  • and often block valid email as collateral damage.
  • Solution 2: Drop Email Before It Reaches
    Receiver
  • Hard to determine valid vs. invalid senders
  • Solution 3: Drop or Ignore the Message at
    Receiver
  • The only defense that will save me in this case.
  • But fortunately we have a solid solution

8
Cryptographic Counter Measures
  • The Solution: Cryptographic Magic Happens
  • Citibank establishes a key pair
  • Private key is known only by Citibank
  • Public key is published and known by all
  • Enables Secure Communication with Citibank
  • I encrypt my account number using the Citibank
    public key.
  • Send encrypted data to the requestor
  • Only someone with the private key can decrypt.
  • Result: Attacker just gets an encrypted mess
  • No need for you or Citibank to worry about this
    email.

9
Does This Work in Practice?
  • Do You Encrypt Confidential Data Using Public Key
    Cryptography?

From My Bank's Website: "At (BigBank), ensuring
the security of your online information is
important to us, and that's why you can rest
assured that no one but Wells Fargo has access
to your information. Signing on to view your
accounts from the (BigBank) Home Page is safe.
The moment you click the Sign On button, your
username and password are encrypted using Secure
Sockets Layer (SSL) technology, keeping your
information secure."
10
Your Role in the System
  • In theory, we have fixed the problem.
  • The Problem: Cryptographic Magic Happens
  • Several Important Assumptions About You
  • You will only send data over encrypted channels.
  • You will obtain the correct Public Key for
    Citibank
  • You will encrypt data with the correct key.
  • No point encrypting your data with the attacker's
    key!
  • In practice, the system really relies on you
    ignoring the email message.
  • Otherwise Citibank and you share the damages.
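
The assumptions on this slide and the key-pair idea on slide 8, as an added example that is not part of the original presentation: textbook RSA in Python shows that data encrypted under an attacker's public key is readable by the attacker, and that checking the offered key against a fingerprint obtained out of band stops it. All function names, key values and the account number are constructed for illustration.

```python
import hashlib
import hmac

def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def encrypt(m, public):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)

def decrypt(c, private):
    n, d = private
    return pow(c, d, n)

def fingerprint(public):
    """SHA-256 over the public key, the value you would check out of band."""
    n, e = public
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

def encrypt_for_bank(m, offered_key, trusted_fingerprint):
    """Encrypt only if the offered key is the one the bank really published."""
    if not hmac.compare_digest(fingerprint(offered_key), trusted_fingerprint):
        raise ValueError("offered public key does not match the bank's key")
    return encrypt(m, offered_key)

# Constructed toy keys from Mersenne primes: too small for real use, no padding.
BANK_PUB, BANK_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
ACCOUNT = 123456789  # constructed account number
TRUSTED_FP = fingerprint(BANK_PUB)  # assumed to be obtained out of band

def demo():
    # Slide 8: only the bank's private key recovers the account number.
    to_bank = encrypt(ACCOUNT, BANK_PUB)
    # Slide 10: encrypting with the key the email supplied protects nothing.
    to_attacker = encrypt(ACCOUNT, ATTACKER_PUB)
    try:
        encrypt_for_bank(ACCOUNT, ATTACKER_PUB, TRUSTED_FP)
        blocked = False
    except ValueError:
        blocked = True
    return (decrypt(to_bank, BANK_PRIV) == ACCOUNT,
            decrypt(to_attacker, ATTACKER_PRIV) == ACCOUNT, blocked)

print(demo())
```

The three results are: the bank can read its ciphertext, the attacker can read data encrypted under the attacker's key, and the fingerprint check refuses the attacker's key.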

11
Internet Risks So Far
  • Attackers Seek Your Private Data
  • Your job is to protect this information
  • Defense 1: I'm smart enough to ignore spam email
  • Ideally because you know the attacker doesn't
    have the right x509 certificate.
  • Defense 2: I pick hard to crack passwords and
    change them.
  • Defense 3: I'm a student and my bank account is
    already empty.
  • You are probably more valuable as a Zombie!

12
Compromised PCs
  • Network PCs are a valuable commodity
  • Provides attackers with resources (cpu, disk)
  • Makes tracking attackers difficult
  • Enable Distributed Denial of Service Attacks
  • Real and Thriving Market in Hacked PCs
  • Network Security Discussion from NANOG: One
    problem hackers face: Botnets (compromised PC
    collections) contain too many government
    computers

13
How Can this Happen
  • From Secrets and Lies by Schneier (all old
    issues so don't try them!)
  • Under certain conditions, a malformed clip art
    file can let arbitrary code execute on the user's
    computer.
  • MS Explorer 5.0 allows an attacker to set up a Web
    page giving him the ability to execute any
    program on a visitor's machine.
  • Vulnerabilities in complex software are
    unavoidable.
  • System Relies on You to Install Updates

14
Impact of Compromised PCs
A visit from the FBI
By Scott Granneman, SecurityFocus
Posted 28/01/2004 at 13:02 GMT
A favorite trick is to surreptitiously turn on the
Webcam of an owned computer in order to watch
the dupe at work, or watch what he's typing on
screen. This part isn't surprising. But Dave had
countless screenshots, captured from impounded
machines or acquired online from hacker
hangouts, where the script kiddie, after
watching for a while, just can't help himself any
longer, and starts to insult or mock or screw
with the duped owner. <snip> A man was working
a crossword puzzle online when the hacker
helpfully suggested a word for 14 Down
15
Impact of Compromised PCs
  • More Serious (non-webcam) Consequences
  • Attacker has access to your files
  • Logs your keystrokes
  • Gains data about you
  • Real Goal is Likely Something Larger
  • Your PC provides the attacker a hiding place
  • Provides resources
  • Provides bandwidth

16
Distributed Denial of Service
  • Attackers Control Massive Resources
  • Networks of 100,000 compromised PCs
  • Each PC can send thousands of messages/sec
  • What if one directs all messages at a single site?
  • Example
  • attacker selects www.colostate.edu as target
  • Direct all zombies to send data to target as fast
    as possible
  • Consumes all available resources at target
  • No bandwidth, no CPU, etc. to handle valid
    requests.
  • How Do You Defend Against This?
  • Answer today: largely ad hoc filtering

17
DDoS Remains a Real Threat
Akamai DDoS Attack Whacks Web Traffic, Sites
By Chris Gonsalves, June 15, 2004
An apparent DDoS (distributed denial of service)
attack on the DNS run by Akamai Technologies
Inc. slowed traffic across the Internet early
Tuesday and brought the sites of the firm's
major customers to a screeching halt for roughly
two hours.
18
Slammer Worm After 30 Minutes (graph by CAIDA)
19
Worms and Network Design
  • Assumed there is some important purpose for the
    communication
  • Ex: data and resources used in calculations to
    find a cure for cancer.
  • Resource Identification Success
  • Found and made use of 75K computers on 6
    continents
  • Located 90% of available resources in 10 minutes
  • Routing and Transport Success
  • UDP transport provided successful simple best
    effort delivery
  • Network routing delivered packets from one end of
    globe to another
  • Of Course Some Challenges Still Remain.
  • Unforeseen interactions resulted in canceled
    airline flights, ATM failures

to exploit a known Microsoft security hole
these 75K did not want to provide resources!
20
Network Security Today
  • Designed a Robust Network That Finds a Way to
    Deliver Data
  • Now recognize some data shouldn't be delivered.
  • Strong Theoretical Models To Block Attacks
  • But typically assume expert configuration and
    informed users.
  • Open Research Challenge: Build Robust and Secure
    Networks That Survive Both Failures and Attacks

21
Challenges To You
  • Network Security Depends On You
  • Use security models when possible
  • Update and patch your PC
  • Help Us Build the Necessary Systems
  • Need approaches that apply state of the art
    mathematics and computer science.
  • But must also assume human errors and lack of
    expertise.
  • Many open challenges