Internet Security

1
Internet Security

• Mark Baker

University of Portsmouth, UK Mark.Baker_at_Computer.o
rg Southampton, December 20012 http//dsg.port.ac
.uk/mab/Talks/UoS02/
2
Overview

• Setting the scene A look backwards!
• Incidents
• Types of Attack
• Actors and Threats
• Trends and The Future.

3
Looking Back 30 Years Ago

• Early 70s
• No significant networks.
• Mainframe computing
• Batch, not interactive
• Computer security was physical security.
• Users in the 10s of thousands.

4
Looking Back 20 Years Ago

• Early 80s
• First Intel-based PCs
• Apple II, Commodore Pet, others already out.
• ARPAnet had 231 nodes
• Usenet created.
• First computer virus about to appear
• Apple II virus in an academic setting.
• 100s of thousands of users.

5
Looking Back 15 Years Ago

• Mid 80s
• First Intel/MS computer virus (Brain)
• Copied itself onto the floppy disk, changing the
  disk volume label to "(c) Brain and leaving the
  authors names/addresses on the floppy boot
  sector.
• Usenet had 105 nodes.
• ARPAnet NSFnet.
• 414-gang hits the newspapers hacked into NY
  cancer hospital, deleted file!
• Cuckoos Egg incident occurring see Clifford
  Stoll bookThe Cuckoo's Egg Tracking a Spy
  Through the Maze of Computer Espionage.
• Millions of users.

6
Looking Back 10 Years Ago

• Early 90s.
• 100s of computer viruses worms.
• Web protocols invented.
• TCP/IP (Internet) has 106 nodes.
• First security scanner (COPS).
• First general logging software (Tripwire).
• Many at large incidents

7
Looking Back 5 Years Ago

• Mid 1990s
• Commercial use of the network allowed.
• Initial DNS gold rush .com explosion!
• First Word macro viruses (concept).
• 10,000 viruses threshold reached.
• First major Denial-of-Service (DOS) attack.
• 107 Internet users.

8
The Internet Today

• Millions of systems on all 7 continents.
• In excess of 400 million users have access.
• 220 countries around the world have registered
  for access.
• Internet population doubling in approximately 10
  months last 11 years!
• Volume of traffic doubling approximately every 90
  days.

9
Future Environments

• World-wide.
• High speed networking.
• Cheap (free?), ubiquitous computing.
• Widely-deployed encryption.
• Truly mobile computing.
• Many embedded systems connected.
• Billions of users.

10
State of Security Poor

• Examples abound
• DoD reports 22,000 attacks on Pentagon systems in
  2000 (over 250,000 through all DoD).
• 3 incidents at Microsoft, Oct 2000, Jan 2001.
• Feb 2000, Denial of Service against eBay, Yahoo,
  Amazon.
• China/US Cyber-skirmish.
• Code Red worms, SirCam virus in fall 2001.
• CSI/FBI figures
• Fewer than 20 sites report no unauthorized use.
• Average loss of 1 million per year.

11
Real losses

• Melissa, March 99 - http//www.melissavirus.com/
• MS Word 97 2000,
• 300 million in damages,
• Approximately 4 days,150,000 systems.
• I LOVE YOU, May 2000
• MS Outlook,
• As much as 10 billion in damages,
• Approximately 24 hours, gt 500,000 systems,
• Code Red I
• MS IIS flaws, with fixes published months
  earlier,
• 360,000 systems in 14 hours, several billion in
  damages.
• Brain took 5 years to do 50 million.

12
Growth of Viruses In the Wild
13
Security Attacks
http//wtc.trendmicro.com/wtc/
14
Security Attacks
http//wtc.trendmicro.com/wtc/
15
More Data

• CERT/CC fielded 21,756 incidents in 2000.
• Growth from
• 3734 in 1998,
• 9859 in 1999.
• On-going probes
• 50-60 incidents per day on Internet.
• 10-12 incidents per day on DSL.
• 5-6 incidents per day on dial-up.

16
Magnitude of the Problem

• There is no perfect code.
• Assume a conservative rate for serious faults
• 1 error per 1K LoC in unaudited code (20 pages)
• 1 error per 5K LoC in examined code (100 pages)

• Kernels
• OpenBSD 2.6
• 1874K lines, implying
• 375 faults
• HP/UX
• 2341K lines, implying
• 470 faults
• Linux 2.2.121
• 1500K lines, implying
• 1500 faults
• Windows 2000
• gt30 million lines, implying
• gt 6,000 faults

17
OS Vulnerabilities

• About 30 are buffer overflows or unchecked
  data.
• Over 90 are coding/design flaws.
• - Securityfocus.com

18
Typical user

• Less than 1 year online.
• No background in computing.
• Has major OS, 1 GHz machine, but uses only 3
  applications.
• Does not make backups.
• On-line constantly.
• In other words, a target!

19
The World in 2004 (at this rate)

• 100,000 computer viruses
• 99 for one vendors software
• New viruses _at_ more than 1 per hour.
• Most common desktop system
• Almost 100 million Lines Of Code, 1GHz
• 1 security patch announced per day.
• Attacks over network exceed 10 per hour.
• Losses to business and government will exceed
  100 billion per year.

20
Actors
21
Defences

• Virus prevention
• Largely pattern based, need updates.
• Firewalls
• Because we cannot control users.
• Largely pattern based, need updates.
• Virtual Private Networks (VPNs).
• Security scanners
• Look for known flaws and misconfiguration.
• Encryption
• Scramble data so information cannot be read.

22
But

• Virus prevention
• Patterns need to be updated continuously.
• Firewalls
• Cannot handle terabit pipes, wireless networks,
  VPNS.
• VPNs
• How will these work in mobile networks?
• Security scanners
• Too intrusive, need almost hourly updates to run
• Encryption
• Key length and exchange, certification

23
A Comment on Patches

• Fixes for flaws that require an expert to install
  are not a good fix!
• Fixes that break something else are not a good
  fix!
• Frequent fixes may be ignored.
• Goal should be good design, not continual
  patching.

24
Case Study Securing a Web site
25
An insecure Web Server

• Destination Source Size Interpretation
• 146.84.96.2 69.200.33.157 718 TCP S1401 D1080
  SEQ66300
• GET/html/checkoutnormal.cgi?idGAiWIK.l2CvCNg
• emailsomebody_at_aol.com
• card_number4128000066664606
• expiration_month02expiration_year00
• cardholder_nameJerryCurl
• bill_street_13039Nowherebill_street_2
• bill_citySunnyvillebill_stateNC
• bill_zip27410bill_phone3362995454
• gift_cert_id HTTP/1.0
• ..Referer http//www.911gifts.com/html/checkout-n
  ormal.cgi?idGAiWIK.l,vCNg..
• ConnectionKeep-Alive..User-Agent Mozilla/4.6
  en
• (WinNT U)..Host www.911gifts.com..Accept
  image/gif,image/x-xbitmap,
• image/jpeg, image/pjpeg, image/png,
  /..Accept-Encoding gzip..Accept-Language
• en..Accept-Charset iso-8859-1,,utf-8..Cookie
  user_IDbLL19yvnaak....aE..

26
A Secure Web Server

• Destination Source Size Interpretation
• 146.84.96.2 69.200.33.157 984 TCP S1097 D1080
  SEQ62734 ACK997241013
• WIN7970
• ASCII Interpretation
• ....0..P..z...E....._at_....aE.!..T..I.8....p..P.."
  4........5.Qr0y)_.Ft...yg.4.h...m..lg..
• ....K..r....Y.d...U...D.1.i.Y.lt.!..........c..
  g.Y.P/.l.X.u.\..D.c.N..I...f-vt.gt.I..
• .....j.....h....o./..........9.Ru..ldF..Lj..C6./
  ...Q...............\U....G.....x.....
• ...H......Wb..h...-J..NN.iY5....v....cH..oW..
  .d........V.gVsXv.K..e.............0H.
• .j../.\13.j.pK..J.j.../....9Ghn....H.a.........
  ...oX.Y........h....r..G..b.lt.....!..
• d....5........B....9.7(........?.C..
  Ye.....C...k9.....CUM9..K./......4..g....N...
  .
• .C....3Dgt.wT.............W2.,......-..A..
  ..!...t..H....S......q/o.6...........z...
• B.gV.D...(.V...e...7.m...A...hq.G..g....Z..)7").
  !.',..3.Oa......G...0ji....fl.....
• ...T-K.I....D...g...v.M.2...
  ..?O..Zb..J....H.........Y'G.T.....wk..E..t.y...B
  ....Y.c
• .lt.l.nmk...R....q.W....w?......a....F.9."c...
  .....8.g..g...cH...!j.....kZ..H....
• ....K..(.xb .gv.lt.....y.F..T......J........?...
  ..o..j...,O7sX....L_.....m.........
• ..J.(c....?.

27
What Do We Want to Protect?

• Customer base - Who is visiting your site?
• Customer personal information - Credit cards,
  email accounts, addresses, etc.
• Site specific information (software, hardware).
• Use patterns - hide web usage from monitoring
  (e.g. disguise usage from employees to bosses).

28
Why Protect this Data?

• If we do not protect the customer base,
  competitors can steal a valuable resource, our
  customers.
• Customers do not want to shop at sites that do
  not ensure the security of their personal
  information.
• Site specific information can be used in denial
  of service attacks.

29
How Do Hackers Attack?

• Sniffing monitoring network traffic.
• Man-in-the-middle attacker pretends to be the
  other party in a communication.
• Unauthorized Access break into a machine and
  steal the data.
• Denial of service consume resources thus
  blocking commerce activity.

30
How Do We Protect Our Site?

• Encryption is used to ensure privacy.
• Authentication is used to guarantee the identity
  of the other party.
• Intrusion detection, attack signatures (methods
  of known attacks), and firewalls are used to
  protect against denial of service.
• Intermediate routing (proxies) are used to
  provide anonymity.

31
Encryption 101

• Encryption - the process of transforming
  cleartext into ciphertext
• Cleartext (plaintext) - data in its original
  unencrypted form.
• Cipher - encryption algorithm key.
• Ciphertext - Encrypted output from a cipher.

32
Private Key Algorithms DES

• This algorithm uses a single key to encode and
  decode messages.
• DES is a so-called private key cipher - here data
  is encrypted and decrypted with the same key.
• Both sender and receiver must keep the key a
  secret from others.
• Because the DES algorithm itself is publicly
  know, learning the encryption key would allow an
  encrypted message to be read by anyone.

33
Private Key Algorithms DES
34
Public Key Algorithms RSA

• An example of a public key algorithm is the RSA
  algorithm by Ronald, Shamir and Adleman.
• The RSA algorithm is a very powerful public key
  algorithm that has resisted efforts at
  penetration.
• Typically, private key algorithms like DES cannot
  protect against fraud by the sender or the
  receiver of a message.
• The RSA algorithm, on the other hand, provides
  authentication, as well as encryption.

35
Public Key Algorithms RSA

• RSA uses two keys a private key and a public
  key.
• With RSA, there is no distinction between the
  function of a users public and private keys.
• A key can be used as either the public or the
  private key.
• The keys for the RSA algorithm are generated
  mathematically - in part, by combining prime
  numbers.
• The security of the RSA algorithm, and other like
  it, depends on the use of very large numbers (RSA
  uses 154 bit or 512 bit keys).

36
Public Key Confidentially
37
Public Key Authentication
38
Public Key Confidentiality Authentication.
39
But We Still have Key Management!

• How can we generate strong keys?
• How can we store keys securely?
• How can we get accurate key information?
• Usually the weak point in practice
• Rely on random keys.
• Rely on host OS to store keys.
• Rely on word of mouth for key information.
• Not mentioned matters such as Digital Signatures
  or Certifying Authorities

40
The Nature of New Threats

• Only a few result from new technology
• Faster machines
• Wireless technology
• Faster communications.
• Increasing computerisation and connectivity.
• Poor quality in COTS.
• User attitude and education.
• Lack of experts and expertise.

41
New technology WirelessNetworking

• Enhances eavesdropping.
• Insertion of malicious code.
• Denial of service.
• Theft of devicesand thus, theft of identity.
• Loss and damage become bigger concerns.
• Encourages work in unsafe environments.

42
New technology Fastermachines and communications

• Stronger encryption required.
• Automated defences required.
• More aggregation of data, and associated
  problems.
• Greater reach from far away.

43
Poor quality in COTS

• Increasing pressure to use standard, homogenous
  solutions.
• Consumers push for features, BUT not security.
• Little awareness or training at vendors.
• Compatibility breeds more problems.
• No incentive for quality!

44
Using the Wrong Requirements

• Ensuring Successful Implementation of Commercial
  Items in Air Force Systems, USAF Scientific
  Advisory Board, April 2000
• COTS software is not secure. It is strongly
  recommended that COTS products, particularly
  software, not be used for critical applications.
• GCN, Sept 11, 2000
• The US Navys next-generation aircraft carrier
  will use Microsoft Windows 2000 to run its
  communications systems, aircraft and weapons
  launchers, and other ship electronicsWindows
  should reduce lifecycle crewing and maintenance
  costs, as well as procurement costs

45
User Attitude

• Most users want features, not security.
• Thin client computing not popular.
• User-installed software a threat.
• Dynamic update a threat Windows 2K/XP!
• Issue of home vs. workplace computing.
• Users do not want controls, and management often
  will not enforce them!

46
Psychological acceptability

• Want security infrastructure
• Easy to use
• Not generate false alarms.
• Not require frequent changes or updates.
• Should not require great expertise to get,
  correct or use.
• Current situationdoes not match user
  population!

47
Shortage of Experts

• Only a few university programmes of note
• Require resources, infrastructure, faculty.
• Hyper-competitive market.
• Too many managers mistake criminal experience for
  expertise.
• All heard the stories of hackers working for the
  bank they hacked!
• Shortage of real government understanding or
  commitment.
• Problem will get worse before it gets better.

48
How About the law?

• In the US
• Uniform Computer Information Transaction Act
  (UCITA), a proposed law designed to standardise
  the licensing of software and all other forms of
  digital information.
• UCITA is a complex law that will adversely affect
  everyone using software or any kind of digital
  information.
• AFFECT, Americans for Fair Electronic Commerce
  Transactions - see http//www.4cite.org
• Then there are international issues.
• Law enforcement handicapped
• Basic issues need to be debated
• Lack of resources and personnel
• Turf wars.

49
What can we do?

• Need assurance, not features
• Do a few things welland safely!
• Stop using the standardisation mantra -
  diversity of systems is a good thing, but
• Build in security from the start.
• Understand policy differences.
• Think about the use of technology
• Do not simply ask Can we do it? but also ask
  Should we do it?

50
Users need to be betterconsumers

• 28-30 million lines of code for an operating
  system!?
• Consumers need to start demanding quality and
  security instead of new features.
• Security Quality Assurance needs to be the
  explicit part of every design and measured for
  the consumer.
• Hacking into systems is not security
  penetrate and patch is not a design.

51
Closing thought

• There is more to life than increasing its
  speed. Ghandi

52

• Thanks to Eugene H. Spafford, Professor
  Director, Center for Education and Research in
  Information Assurance and Security (CERIAS),
  Purdue University, USA.

53

• Questions?