Internet Security: An Optimist Gropes For Hope - PowerPoint PPT Presentation

Provided by: billch
Slides: 104
Transcript and Presenter's Notes

1
Internet Security: An Optimist Gropes For Hope
  • Bill Cheswick, Chief Scientist
  • Lumeta Corp
  • ches_at_lumeta.com

2
(No Transcript)
3
Most common question from the press
  • Is Internet security getting better or worse?

4
Universal Answer
  • It is getting worse.

5
Why?
6
Aug. 1993
  • Writing FWAIS first edition
  • Most people use the Internet for email
  • The web was in the future
  • Most attacks were still theoretical

7
In August 1993
  • Morris sequence number hijack documented in the
    80s, but not seen in the wild
  • Wholesale password sniffing hadn't been seen
  • No DoS attacks
  • Windows had no standard TCP stack, so it wasn't a
    player
  • After Morris worm, but worms were scarce
  • Sendmail had been patched and all was well in the
    world (not)

8
CERT advisories, 1994
  • first advisory, released February 3, was a
    response to a dramatic increase in network
    monitoring by intruders, who were capturing
    passwords and installing "back doors" for future
    access to systems
  • attacks increased in a single week from a few
    isolated reports to indications that tens of
    thousands of systems may have been compromised
  • Unlike most security incidents, this one received
    extensive attention from the media
  • the CERT team notified an archive site that their
    software being readied for distribution had been
    modified

9
CERT advisories, 1994
  • CA-94:01 Ongoing Network Monitoring Attacks
  • CA-94:02 Revised Patch for SunOS
    /usr/etc/rpc.mountd Vulnerability
  • CA-94:03 AIX Performance Tools Vulnerabilities
  • CA-94:04 SunOS /usr/ucb/rdist Vulnerability
  • CA-94:05 MD5 Checksums for SunOS files
  • CA-94:06 Writable /etc/utmp Vulnerability - SunOS
    4.1.X
  • CA-94:07 wuarchive ftpd Trojan Horse
  • CA-94:08 ftpd Vulnerabilities - wuarchive and BSDI
    ftpd

10
CERT advisories, 1994 (cont.)
  • CA-94:09 /bin/login Vulnerability
  • CA-94:10 IBM AIX bsh Vulnerability
  • CA-94:11 Majordomo Vulnerabilities
  • CA-94:12 Sendmail Vulnerabilities
  • CA-94:13 SGI IRIX Help Vulnerability
  • CA-94:14 Trojan Horse in IRC Client for UNIX
  • CA-94:15 NFS Vulnerabilities

11
Many attacks were theoretical
  • SYN packet flooding
  • Mail flooding and similar application overflows
  • TCP hijacking
  • Hadn't seen a worm in years
  • Unix viruses were research topics
  • Attacks on the TCP/IP stacks
  • Packet amplification

12
...and then they happened
  • Massive sniffing (1994)
  • SYN packet DoS attacks (1996)
  • TCP hijacking (1996)
  • Ping-of-death (1996?)
  • Son of crashme
  • SMURF (1997?)
  • Massive worm and viral outbreaks
  • Melissa, Code Red, etc. etc.

13
There are a lot more players, and on average they
are a lot less secure
14
When I started at the Labs (Dec 1987)
  • Most of the hosts on the Internet were listed in
    a single file named hosts.txt
  • Most of the systems were various flavors of Unix
    or VMS
  • Most systems had some sort of professional system
    administration, at least sometimes
  • Win98 was ten years away
  • There wasn't much at stake, perhaps even on
    MILNET
  • MILNET was easy to disconnect, and sometimes was
  • Well, maybe.
  • Numerous attacks were theoretical

15
Now, everyone is on the Internet
  • Grandma has ruined it for all of us
  • The Internet subway goes to all the bad
    neighborhoods
  • Vast, dangerous software packages with dangerous
    capabilities run nearly everywhere
  • Most of the theoretical attacks are now
    implemented and used regularly.

16
We've been losing ground for decades
  • Bad guys are figuring out attacks that we have
    been waiting for over the years
  • Very few surprises
  • Arms races are proceeding on many fronts
  • Defense has improved slowly, even on systems
    where it ought to be easy to improve
  • System administration is a nightmare
  • Open research problem

17
Life cycle of a security bug, roughly
  • It is first discovered
  • It is first exploited, usually manually
  • It is announced
  • A patch is made available
  • Some people patch the hole
  • A worm or virus exploits the hole
  • More people patch it
  • Eventually the software goes away

18
Yeahbuttal
19
Cost vs. Benefits
  • If you look at just one of these, you are doing
    half the job

20
OTOH, tools we didn't have in 1994
  • Available, working, distributable crypto
  • No ssh
  • Firewalls: build it yourself
  • Stateful inspection had been pondered, but not
    available
  • Want to hack a kernel?
  • IDS, honey pots, and lots of other tools available

21
Bright spots, now
  • The crypto export war appears to be over
  • There are better tools available for some
    situations
  • Ssh
  • IPsec
  • Better Linux and Unix systems
  • Microsoft security initiative
  • Honeyd and other tools
  • Unix/Linux/GNU is freely available, and a
    reasonable solution

22
I am optimistic. Good security is possible
  • One can engineer reliable systems out of
    unreliable parts
  • We have the home-field advantage: we can choose
    to set the rules on our hosts
  • World-class encryption is now available and cheap
  • The Bad Guys are giving us lots of practice

23
There are a lot of benefits
  • Some successful web business models
  • Fedex: package progress
  • Amazon: access to the 100,000th book on the best
    seller list
  • Access to vast educational resources
  • College courses
  • Research papers in most disciplines
  • Access to raw data
  • Better access to government (still spotty at the
    local level.)

24
Financial business models are working
  • On-line banking and brokerage access
  • Paypal (bismuth)
  • Internet access is so widely available and used
    that the states are starting to tax it
  • Insurance companies are still reluctant to write
    hacking insurance
  • What does hurricane Andrew look like?

25
And Microsoft
26
What does good security feel like?
  • Confidence without hubris

27
The Morris worm, Nov. 1988
  • I was running the Bell Labs firewall
  • Heard about the worm on the radio upon awakening
  • What was my first reaction?
  • This is what good security is about

28
Some facts to keep in mind: economics
  • Security is never perfect; economic concerns are
    always present
  • What is the value of what we are trying to
    protect, and what is our adversary willing to
    spend?
  • Miscomputation of this balance is the underlying
    cause of security breaches
  • We are always aiming for good enough, though
    good enough has to be good enough

29
Some things we can't fix
  • We have to engineer around them

30
Social Engineering
"Hello, this is Dennis Ritchie calling. I'm in
Israel now and I have forgotten my password."
"Hello, <admin-name>, I've just started work here.
<Boss-name> said I should have an account on
<target-host>."
31
I need to manage expectations here
  • The Internet will never be 100% secure. Such
    security is not possible
  • Some problems are over-constrained
  • Security is always about economics
  • Good enough is good enough
  • For many, the Internet is already good enough
  • Amazon, ebay, fedex, etc. etc.
  • Viruses, worms, spam aren't that bad

32
Software will always have bugs
  • Perhaps DEK would be interested in working on
    inetd, and a web server. A kernel. Heck, the
    works
  • Marcus Ranum couldn't get inetd right in 60 lines
  • Perhaps formal methods will work some day
  • Must produce widely-useful morsels of software
  • Start with the likes of ASN.1 and openssl

33
People pick lousy passwords
  • Best solution: don't let them
  • Computer-generated keys are held in smart keys,
    USB dongles, etc.
  • Don't allow dictionary attacks on passwords,
    password-derived keys, PINs
  • This means that on-line authentication servers
    are needed; if you can crack something offline, it
    becomes a game of sniff-and-crack

34
Some facts to keep in mind: users are not
security experts
  • Computer systems are fantastically complex; even
    the experts do not understand all the
    interactions
  • People pick lousy passwords

35
Social Engineering (cont.)
Click here to infect your computer.
36
Another problem with strange programs
37
Managing expectations: Denial-of-Service
  • It is here to stay
  • Any public service can be abused by the public
  • There are mitigations, but I don't see full
    solutions
  • Best solution: throw hardware at the problem

38
Wireless passwords

G1zmoniq! kkB5cKkn0 pf-itAot?78 Mhr370Chiz YuzTmKm
dugod123 tr.fbgi!
These are mostly POP3 (email) passwords
39
Experts cut corners, too
  • Fred Grampp's password was easily found with a
    dictionary attack
  • Ssh hijacking at conferences
  • Temporary holes are forgotten

40
I cheated on my authentication test
41
I cheated on my authentication test (cont.)

42
Some principles and tools
  • Security 101, the slow part of the talk

43
Security strategies
  • Stay out of the game, if you can
  • Defense in depth if you have to be in the game
  • Always, always make it as simple as possible
  • Design security in from the start; it is an
    attribute of the infrastructure, not a feature to
    be added later

44
Staying out of the game
  • Best block is not be there (Karate Kid 1)
  • Users' password and PIN choices are less
    important if dictionary attacks are not possible
  • Melissa at Lucent
  • The Unix V7 mailer
  • Avoiding the monoculture

45
Defense in depth
  • If you are dealing with imperfect systems,
    engineer redundancies to improve the reliability

46
(No Transcript)
47
Secure defaults are important
  • If you use 10% of the features 90% of the time,
    the other features can be disabled
  • This has long been a problem with Unix systems
  • Default network services include many dangerous
    ones
  • Most systems still need field-stripping
  • New Microsoft security initiatives include a
    close examination of defaults

48
Security doesn't need to be inconvenient
  • Modern hotel room keys
  • Modern car keys

49
Some solutions: Hardware tokens
  • SecurID
  • time-based
  • S/Key
  • software or printout solution
  • Many others
  • usually proprietary server software
  • New USB dongles are just the ticket!

Digital Pathways SNK-004
50
One-time Passwords
RISC/os (inet) Authentication Server.
Id? ches
Enter response code for 70202 04432234
Destination? cetus
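The challenge/response exchange on this slide is the S/Key style of one-time password listed on the previous slide. As an added example (not code from the talk), here is the hash chain behind it, with a server that stores no passphrase and rejects a replayed response, which is the slide 33 point about sniffing. The hash (SHA-256 cut to 64 bits) and the user, seed and passphrase values are assumptions; real S/Key used MD4/MD5 and a six-word encoding.

```python
import hashlib
from typing import Dict, Tuple

# Added example, not from the talk: a minimal S/Key-style one-time-password
# scheme (a Lamport hash chain). Hash choice and all sample values are assumed.


def otp_hash(value: bytes) -> bytes:
    """One link of the chain, truncated to 64 bits as S/Key does."""
    return hashlib.sha256(value).digest()[:8]


def chain_value(passphrase: str, seed: str, n: int) -> bytes:
    """Client side: hash (passphrase + seed) n times; this is the response for sequence n."""
    v = (passphrase + seed).encode()
    for _ in range(n):
        v = otp_hash(v)
    return v


class OTPServer:
    """Keeps, per user, only the seed, the sequence number and the last accepted value."""

    def __init__(self) -> None:
        self.db: Dict[str, dict] = {}

    def enroll(self, user: str, seed: str, sequence: int, initial: bytes) -> None:
        # `initial` is chain_value(passphrase, seed, sequence), computed on the client;
        # the passphrase itself never reaches the server.
        self.db[user] = {"seed": seed, "seq": sequence, "last": initial}

    def challenge(self, user: str) -> Tuple[int, str]:
        """What the prompt 'Enter response code for ...' carries: next sequence number and seed."""
        rec = self.db[user]
        if rec["seq"] <= 1:
            raise RuntimeError("chain exhausted: re-enroll with a fresh seed")
        return rec["seq"] - 1, rec["seed"]

    def verify(self, user: str, response: bytes) -> bool:
        """Accept only the pre-image of the last accepted value, then advance the chain."""
        rec = self.db[user]
        if otp_hash(response) != rec["last"]:
            return False
        rec["seq"] -= 1
        rec["last"] = response
        return True


def demo() -> Tuple[bool, bool, bool, bool, int]:
    """Constructed session: a login, a replay of the sniffed response, a wrong passphrase, a second login."""
    passphrase, seed = "correct horse battery", "ch12345"   # constructed values
    srv = OTPServer()
    srv.enroll("ches", seed, 100, chain_value(passphrase, seed, 100))
    seq, s = srv.challenge("ches")                               # sequence 99
    sniffed = chain_value(passphrase, s, seq)
    first = srv.verify("ches", sniffed)                          # True
    replay = srv.verify("ches", sniffed)                         # False: chain already moved on
    seq, s = srv.challenge("ches")                               # sequence 98
    wrong = srv.verify("ches", chain_value("guess", s, seq))     # False, chain not advanced
    second = srv.verify("ches", chain_value(passphrase, s, seq)) # True
    return first, replay, wrong, second, srv.db["ches"]["seq"]
```

The caveat that matches slide 33: a sniffed seed, sequence number and response still let an attacker test passphrase guesses offline, which is why the talk points at hardware tokens for the secret itself.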
51
Authentication
  • or use a USB or PCCard key
  • You need them for your hotel room and rental car,
    and you don't complain about that

52
Principles and tools: encryption
  • Moore's law fixed this
  • We won the crypto wars

53
Encryption is necessary, but not sufficient
  • Many (most?) attacks aren't associated with
    wiretaps
  • IPsec is well-defined, and could be ubiquitous
  • Microsoft ought to make it the default for their
    clients
  • End-to-end encryption makes the wireless and
    Ethernet sniffing problem go away

54
Tools: Trusted Computing Base
  • This is hard, but there are usable solutions out
    there
  • It's debatable whether Microsoft has produced
    software yet that deserves to be trusted
  • Their new security thrust is real, but it is a
    huge job

55
Default services: SGI workstation
ftp     stream tcp nowait root     /v/gate/ftpd
telnet  stream tcp nowait root     /usr/etc/telnetd
shell   stream tcp nowait root     /usr/etc/rshd
login   stream tcp nowait root     /usr/etc/rlogind
exec    stream tcp nowait root     /usr/etc/rexecd
finger  stream tcp nowait guest    /usr/etc/fingerd
bootp   dgram  udp wait   root     /usr/etc/bootp
tftp    dgram  udp wait   guest    /usr/etc/tftpd
ntalk   dgram  udp wait   root     /usr/etc/talkd
tcpmux  stream tcp nowait root     internal
echo    stream tcp nowait root     internal
discard stream tcp nowait root     internal
chargen stream tcp nowait root     internal
daytime stream tcp nowait root     internal
time    stream tcp nowait root     internal
echo    dgram  udp wait   root     internal
discard dgram  udp wait   root     internal
chargen dgram  udp wait   root     internal
daytime dgram  udp wait   root     internal
time    dgram  udp wait   root     internal
sgi-dgl stream tcp nowait root/rcv dgld
uucp    stream tcp nowait root     /usr/lib/uucp/uucpd
56
More default services
mountd/1           stream rpc/tcp wait/lc root rpc.mountd
mountd/1           dgram  rpc/udp wait/lc root rpc.mountd
sgi_mountd/1       stream rpc/tcp wait/lc root rpc.mountd
sgi_mountd/1       dgram  rpc/udp wait/lc root rpc.mountd
rstatd/1-3         dgram  rpc/udp wait    root rpc.rstatd
walld/1            dgram  rpc/udp wait    root rpc.rwalld
rusersd/1          dgram  rpc/udp wait    root rpc.rusersd
rquotad/1          dgram  rpc/udp wait    root rpc.rquotad
sprayd/1           dgram  rpc/udp wait    root rpc.sprayd
bootparam/1        dgram  rpc/udp wait    root rpc.bootparamd
sgi_videod/1       stream rpc/tcp wait    root ?videod
sgi_fam/1          stream rpc/tcp wait    root ?fam
sgi_snoopd/1       stream rpc/tcp wait    root ?rpc.snoopd
sgi_pcsd/1         dgram  rpc/udp wait    root ?cvpcsd
sgi_pod/1          stream rpc/tcp wait    root ?podd
tcpmux/sgi_scanner stream tcp     nowait  root ?scan/net/scannerd
tcpmux/sgi_printer stream tcp     nowait  root ?print/printerd
9fs                stream tcp     nowait  root /v/bin/u9fs u9fs
webproxy           stream tcp     nowait  root /usr/local/etc/webserv
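The two slides above are the raw material for the field-stripping of slide 47 and the "way too many root network services" point of slides 73 and 80. As an added example (not the talk's own code), the auditor below parses entries in the format shown, including IRIX's wait/lc, root/rcv and ?server spellings, reports which entries hand a socket to a root process running a separate server, and writes out a minimized config. The sample entries are constructed from the slide; the allow list is an assumption.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not from the talk. Sample config constructed from the SGI slide.
SAMPLE_INETD_CONF = """\
ftp       stream tcp     nowait  root     /v/gate/ftpd ftpd -l
telnet    stream tcp     nowait  root     /usr/etc/telnetd
shell     stream tcp     nowait  root     /usr/etc/rshd
finger    stream tcp     nowait  guest    /usr/etc/fingerd
tftp      dgram  udp     wait    guest    /usr/etc/tftpd
echo      stream tcp     nowait  root     internal
chargen   dgram  udp     wait    root     internal
sgi-dgl   stream tcp     nowait  root/rcv dgld
mountd/1  dgram  rpc/udp wait/lc root     rpc.mountd
sgi_fam/1 stream rpc/tcp wait    root     ?fam
# comments and blank lines are ignored

"""


@dataclass
class Service:
    name: str        # may carry an RPC version ("mountd/1") or a tcpmux subname
    socktype: str    # stream / dgram
    proto: str       # tcp, udp, rpc/tcp, rpc/udp
    wait: str        # wait, nowait, or IRIX's wait/lc
    user: str
    group: Optional[str]
    server: str      # path, bare program name, or the literal "internal"
    args: List[str] = field(default_factory=list)

    @property
    def runs_as_root(self) -> bool:
        return self.user == "root"

    @property
    def internal(self) -> bool:
        return self.server == "internal"

    @property
    def rpc(self) -> bool:
        return self.proto.startswith("rpc/")


def parse_inetd(text: str) -> List[Service]:
    """Split each entry into its seven fields; malformed lines raise rather than being skipped."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"malformed inetd entry: {raw!r}")
        user, _, group = f[4].partition("/")       # IRIX allows user/group
        services.append(Service(f[0], f[1], f[2], f[3], user, group or None,
                                f[5].lstrip("?"), f[6:]))  # leading '?' marks an optional server
    return services


def root_external(services: List[Service]) -> List[Service]:
    """Entries that hand a fresh network socket to a root process running a separate binary."""
    return [s for s in services if s.runs_as_root and not s.internal]


def minimize(text: str, keep) -> str:
    """Comment out every entry whose service name is not in `keep`; comments pass through untouched."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and line.split()[0] not in keep:
            out.append("# disabled: " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```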
57
If You Don't Have a Trusted Computing Base
58
Firewalls: Perimeter defenses
59
Firewalls have their uses
  • Medium-grade security
  • Personal firewalls are useful
  • Firewalls in cheap network equipment do a good
    job for simple, useful security policies

60
Firewalls: Not a panacea
  • Backdoors usually diminish the effectiveness
  • Commercial firewalls are probably OK
  • May give community a false sense of security
  • The firewall is often the only secure part of a
    configuration
  • People go around them
  • People go through the bad ones
  • No protection from insiders

61
Anything large enough to be called an intranet
is probably out of control
62
(No Transcript)
63
This was Supposed To be a VPN
64
Some intranet statistics from Lumeta clients
65
Perimeter defenses don't work if the perimeter is
too big
  • Small enclaves are much safer
  • Implemented with
  • routing restrictions
  • Intranet firewalls
  • Encryption
  • Most of my family is in an enclave, and that is
    about as large as I'd like it to be

66
Example: Life Without a Firewall
  • Trusting Your Computing Base, or Skinny-dipping
    on the Internet

67
It can be done
68
Life without a firewall
  • It's like skinny-dipping
  • For a security person, it keeps one focused
  • Extra layers of security built into network
    services
  • Belt-and-suspenders
  • net-rot (route-rot?) can be fatal
  • Confidence in the face of wide-spread network
    mayhem

69
We need to be able to trust our hosts
  • Secure software with good system management
  • Microsoft doesn't hack it, yet.
  • Long history of putting features over security
  • A huge software base to fix
  • Customers are used to dangerous services: "Honey,
    I'll be home at six" can have a virus!

70
Secure host technology
  • Goes way back: Multics, Burroughs
  • Current efforts in BSD systems (especially
    NetBSD) and Linux
  • Jailing servers, clients(!)
  • Chroot technologies have a lot of promise
  • Need solutions over several Unixoid operating
    systems
  • Microsoft's security initiative appears to be real

71
Secure host technology
  • Digital Rights Management/Palladium can help us
  • Load and run only approved software; that's not
    all bad

72
Routes to root
start
73
Root network services
  • In general, there are way too many of them

74
Setuid-root programs
  • Waaaaaay too many of these

75
Root: the gateway to privilege
find / -perm -4000 -user root -print | wc -l
76
Setuid-root
System                     Count  Notes
AIX 4.2                      242  a staggering number
BSD/OS 3.0                    78
FreeBSD 4.3                   42  someone's guard machine
FreeBSD 4.3                   47  2 appear to be third-party
FreeBSD 4.5                   43  see text for closer analysis
HPUX A.09.07                 227  about half may be special for this host
Linux (Mandrake 8.1)          39  3 appear to be third-party
Linux (Red Hat 2.4.2-2)       39  2 third-party programs
Linux (Red Hat 2.4.7-10)      31  2 third-party programs
Linux (Red Hat 5.0)           59
Linux (Red Hat 6.0)           38  2--4 third-party
Linux 2.0.36                  26  approved distribution for one university
Linux 2.2.16-3                47
Linux 7.2                     42
NCR Intel 4.0v3.0            113  34 may be special to this host
NetBSD 1.6                    35
SGI Irix 5.3                  83
SGI Irix 5.3                 102
Sinux 5.42c1002               60  2 third-party programs
Sun Solaris 5.4               52  6 third-party programs
Sun Solaris 5.6               74  11 third-party programs
Sun Solaris 5.8               70  6 third-party programs
Sun Solaris 5.8               82  6 third-party programs
Tru64 4.0r878                 72
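The counts above come from the find | wc pipeline on the previous slide. As an added example (not from the talk), the inventory below does the same walk in Python, lists each setuid file rather than only counting, and flags anything outside the vendor directories as a likely third-party addition, the distinction the table's notes make by hand. The vendor prefix list is an assumption; demo() builds a constructed tree owned by the current user standing in for root.

```python
import os
import stat
import tempfile
from typing import List, Tuple

# Added example, not from the talk. Equivalent of:
#   find / -perm -4000 -user root -print | wc -l
# The prefix list below is an assumption, not anything the talk states.
VENDOR_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                   "/usr/lib/", "/usr/libexec/", "/usr/etc/")


def is_setuid_owned_by(mode: int, uid: int, owner: int) -> bool:
    """Regular file, setuid bit set, owned by `owner`: the three tests in the find line."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == owner


def find_setuid(root: str, owner: int = 0) -> List[Tuple[str, int]]:
    """Walk `root` without following symlinks; return sorted (path, permission bits)."""
    found = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink's own bits never count
            except OSError:
                continue                     # vanished or unreadable; find would warn here
            if is_setuid_owned_by(st.st_mode, st.st_uid, owner):
                found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def classify(path: str, tree_root: str = "") -> str:
    """Heuristic: anything outside the vendor prefixes deserves a 'third-party?' look."""
    rel = "/" + os.path.relpath(path, tree_root) if tree_root else path
    return "vendor" if rel.startswith(VENDOR_PREFIXES) else "third-party?"


def demo() -> List[Tuple[str, str, str]]:
    """Constructed tree: two setuid files (one vendor, one third-party) and one plain file."""
    me = os.getuid()
    layout = (("usr/bin/passwd", 0o4755),         # vendor-style setuid
              ("usr/local/bin/vendorx", 0o4755),  # third-party-style setuid
              ("usr/bin/ls", 0o755))              # not setuid: must not be reported
    with tempfile.TemporaryDirectory() as top:
        for rel, mode in layout:
            path = os.path.join(top, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"#!/bin/sh\n")          # stand-in for a binary
            os.chmod(path, mode)
        return [(classify(p, top), os.path.relpath(p, top), oct(m))
                for p, m in find_setuid(top, owner=me)]
```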
77
So, don't have network services.
  • In general, there are way too many of them

78
So, don't have users
  • In general, there are way too many of them

79
Get rid of setuid programs if you do have users
  • In general, there are way too many of them

80
Minimize root network services
  • Use non-root services if at all possible

81
Three layers of defense we might have
  • Properly-programmed and configured server
    software, i.e. security bug-free
  • Operating system user name and file permissions
    providing some protection
  • Chroot and various jailing technologies
  • FreeBSD jail(1)
  • Various system call monitors
  • Alas, chroot is the only standard

82
Chroot
  • In V7 Unix. Maybe earlier
  • Restricts file system access only
  • User root may^H^H^Hcan escape from chroot
  • Non-root users cannot invoke chroot
  • Many other attacks possible from chroot
  • Net access, cpu/file/swap exhaustion, system call
    probes

83
Awful stuff you have to do to jail a program
  • Make a static binary or
  • Include all the shared libraries in the chroot
    directory
  • Build a whole file system (a la jail(1)) or
  • Copy each file into the jail
  • /etc/hosts, /dev/null, /dev/zero, /etc/passwd,
    etc
  • Debug the startup
  • Put the logs somewhere

84
Example: a web server highly resistant to
defacement
85
Goal
  • A web server that cannot be defaced
  • Read-only content
  • Provisioned by ssh from trusted client
  • No active content
  • Limited capacity (20 queries/second)

86
Implementation
  • Inetd entry calls chroot for every HTTP query
  • Chroot jails apache web server
  • Server runs non-root, has write access only to
    logs and tmp directory
  • Therefore, compromised server can only serve bad
    pages to the attacker
  • Chroot doesn't limit everything, of course
  • Net access
  • Swap, disk, CPU exhaustion
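The implementation above hinges on the order of operations in the wrapper inetd invokes: chroot while still root, then give root up before exec, and confirm it is really gone (slide 82: root can escape a chroot). As an added example (not the talk's own code), here is such a wrapper in Python; the jail path, uid/gid and the verification step are assumptions, and the talk's note that chroot limits only file system access still applies.

```python
import os
import sys
from typing import Callable, List, Tuple

# Added example, not from the talk: a per-connection jail wrapper that an inetd
# entry would run in place of the server. All paths, ids and names are assumed.


def jail_steps(jail_dir: str, uid: int, gid: int) -> List[Tuple[str, Callable[[], None]]]:
    """The confinement sequence, in the only order that works."""
    return [
        # 1. chroot needs root, so it comes first; chdir("/") afterwards so the
        #    working directory is not left outside the new root.
        ("chroot", lambda: os.chroot(jail_dir)),
        ("chdir", lambda: os.chdir("/")),
        # 2. Supplementary groups survive setuid/setgid; drop them explicitly.
        ("setgroups", lambda: os.setgroups([])),
        # 3. gid before uid: once the uid is unprivileged, setgid is refused.
        ("setgid", lambda: os.setgid(gid)),
        ("setuid", lambda: os.setuid(uid)),
    ]


def can_regain_root() -> bool:
    """True if setuid(0) still succeeds, i.e. the privilege drop did not take."""
    try:
        os.setuid(0)
    except OSError:
        return False
    return True


def enter_jail(jail_dir: str, uid: int, gid: int) -> str:
    """Confine the current process. Returns "ok" or "failed: <step>: <reason>"."""
    for name, action in jail_steps(jail_dir, uid, gid):
        try:
            action()
        except OSError as e:
            return f"failed: {name}: {e.strerror}"
    if uid != 0 and can_regain_root():
        return "failed: verify: still able to setuid(0)"
    return "ok"


def main(argv: List[str]) -> int:
    if len(argv) < 5:
        sys.stderr.write("usage: jailwrap JAILDIR UID GID PROGRAM [ARGS...]\n")
        return 2
    status = enter_jail(argv[1], int(argv[2]), int(argv[3]))
    if status != "ok":
        sys.stderr.write(status + "\n")       # refuse to serve unconfined
        return 1
    os.execv(argv[4], argv[4:])               # PROGRAM is a path inside the jail
    return 1                                  # only reached if execv failed


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A matching inetd entry would name this wrapper as the server with the jail directory, uid, gid and the real server binary as arguments, so each HTTP connection gets a freshly confined, non-root process.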

87
Other software I have jailed
  • POP3 (simple email)
  • May lose email if compromised
  • Samba (windows SMB file system server)
  • May lose files if compromised
  • HTTPS (SSL for the web server)
  • May lose the private key if compromised
  • Simple services for web active content

88
FOR THE FINAL APPROVAL IS THE FUND TO COMMENCE
THIS TRANSACTION WHILE 80 WOULD BE INVESTED AND
YOU HAVE ABSOLUTE CONTROL OVER THIS IS WHAT IS
CALLED TOPPING(ADDITION/LOADING OF EXTRA
QUANTITIES/BARRELS ON TO THE SON OF THE FUND FROM
HIS ACCOUNT UNLESS SOMEONE APPLIES FOR CLAIM AS
THE NEXT OF KIN. I AM OPEN TO ADVICE. PLAESE DO
GET BACK TO ME AS SOON AS BE REST ASSURED THAT
THERE IS ABSOLUTELY NO RISK INVOLVED IN ANY
FINANCIAL TRANSACTION WHATSOEVER, THE NETHERLANDS
WHO WILL ASSIST ME IN THE NETHERLANDS PROHIBIT A
REFUGEE (ASSYLUM SEEKER) TO OPEN ACCOUNT OR TO BE
AGREED UPON WHEN WE COME DOWN OVER THERE BECAUSE
WE CANNOT RELEASE THE TOTAL SUM 15.5 MILLION USD
IN A PLACE OF YOUR INTEREST BY A RETURN E-MAIL
AND ENCLOSE YOUR PRIVATE CONTACT TELEPHONE NUMBER
FAX NUMBER FULL NAME AND ADDRESS OR YOUR COMPANY
NAME ADDRESS AND ENDEAVOUR TO FURNISH ME WITH
YOUR FULL THIS TRANSACTION AND CLAIM THE BOXES
FROM THE DESK OF MR IBE OKONDU ECO BANK PLC
LAGOS-NIGERIA 234012902565
89
Generic Viagra is a trademark of the receipt of
your country, who used to work with you based on
trust as the funds you will remain honest to me
till the end of the Petroleum Resources (NNPC) by
a foreigncontracting firm, which we wish to enter
into a safe foreigners account abroad before the
rest.But I don't know any foreigner,I am only
contacting you because the management is ready to
give you reasonable share of the Nigerian
National Petroleum Corporation. On completion of
our present situation I cannot do it all by It is
from the company. For onward sfer to your home
within 14 working days of commencement after
receipt of the funds .You know my father I happen
to be used in settling taxation and all local and
foreign exchange departments. At the conclusion
of this letter using the above e-mail address. I
will give to you I await your response. Yours
sincerely Taofeek Savimbi. Please click here
90
Some jail themselves, or should
  • DNS/bind
  • Maybe apache someday
  • NTP should, and needs least-privilege time
    setting permissions. Write permission on
    /dev/time?
  • PAM service?

91
Example: Amazon, Fedex,
92
Things are getting better: we have business models
  • We know a bit about hacking and loss rates
  • Insurance companies are starting to write hacking
    insurance
  • Question: what does hurricane Andrew look like on
    the Internet?

93
Example: Spook networks
94
Talk to spooks: they have security experience
  • Don't try to get their secrets, get their
    security advice
  • A number of secret networks appear to be well-run
  • Slammer-free
  • Rare virus sightings
  • They do all the stuff we all know about, and
  • Management uses a big hammer for compliance
  • Bigger problem than spies: morons

95
Spooks
  • Use enclaves
  • Run their own compilers
  • Buy off-the-shelf hardware
  • Restrict client software
  • Spend a lot of money testing things like openssl
  • The public could use this research

96
Spooks
  • Watch their networks closely
  • Make IP addresses useful
  • No RFC 1918, they need accountability

97
Chess wish list
  • (incomplete)

98
Chess wish list
  • More work on chroot/jail
  • Implement on BSD and Linux, or the job's not
    done
  • Plan 9 has some nice ideas to check out
  • Better user file system access model than
    NFS-based solutions
  • Revisit the DFS wars of the mid-80s
  • More tiny, tested servers with limited
    capabilities
  • Operating system security enhancements, and
    installation scripts that make them useful
  • Sandboxes and similar technologies in Windows

99
More wishes
  • Rigorous formal cryptographic protocol design and
    verification
  • Rigorous TCB in modern kernels, compilers, etc
  • If this were easy, it would have been done by now
  • Of course, it has been done
  • Hardware support for non-executable stack, etc.
  • Dreams of Burroughs machines?

100
Chess wish list
  • Sandboxes for browsers!
  • I want to be able to run Java and Javascript and
    even plug-ins without fear
  • Why is this hard? Operating systems have done
    stuff like this for decades?
  • Better firmware in routers

101
Still theoretical
  • Major BGP hijacking
  • Successful root DNS DoS
  • Dual-boot infections
  • Major router/IOS worm
  • Attacks that damage actual hardware

102
Conclusion
  • I think things can get better
  • But it is going to take work and diligence

103
Questions
  • http://research.lumeta.com/ches/
  • ches_at_lumeta.com
  • Yes, I'd love to sign your book