080806 dfwcug the internet threat horizon

© 2006 Cisco Systems, Inc. All rights reserved. dloi
The Internet Threat Horizon

Upload: sumit-kumar

Posted on 13-May-2017

Category: Documents

TRANSCRIPT

The Internet Threat Horizon

“We cannot solve problems by using the same kind of thinking we used when we created them.”

- Albert Einstein

“I used to be with it, but then they changed what it was. Now what I'm with isn't it, and what's it seems weird and scary to me... and it'll happen to you!”

- Abe Simpson

Cell Phone

Flat screen

Call Waiting

High Speed Access

Security Evolution: Threats and Countermeasures through 2008

Evolution of Threats and Exploits

[Figure: timeline chart plotting "Sophistication of Tools" (rising over time) against "Technical Knowledge Required" of the attacker (falling from High to Low). Milestones shown: Password Guessing, Self-Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sniffers, Scanners, Stealth Diagnostics, DDoS, Blended Threats, Root Kits, Botnets.]

Threat Evolution: Acceleration Towards Day Zero
Example: SQL Slammer (an oldie, but a goodie)

• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in first 11 minutes
• At peak, scanned 55 million hosts per second
• Caused network outages that caused
  .... cancellations of airline flights
  .... closing of retail outlets at a large consumer electronics chain
  .... transactional service delivery loss at commercial ATMs

The Miscreant Economy is Forever

[Figure: network diagram of a Satellite Network, Home Control Network, Cable Network and Mobile Network reaching the Internet through a Broadband Network Provider.]

Cycles in the Miscreant Economy

[Figure: incidents plotted against time as a business cycle (Expansion, Peak, Recession, Trough). The cycle runs: Lots of Problems & Attacks -> Community Mitigation -> Miscreant & Criminal R&D -> New Criminal Revenue Opportunities. Cisco's Value Add, annotated at each stage: Resolve the Problem, Drive the Post Mortem, Drive the Preparation, Survive the Next Attack.]

Threat Economy: Today

[Figure: $$$ Flow of Money $$$ runs from Writers through First Stage Abusers and Middle Men to Second Stage Abusers and End Value.]

Writers
• Tool and Toolkit Writers
• Malware Writers: Worms, Viruses, Trojans, Spyware

First Stage Abusers
• Hacker/Direct Attack
• Machine Harvesting
• Information Harvesting
• Internal Theft: Abuse of Privilege

Middle Men
• Bot-Net Creation
• Bot-Net Management: For Rent, for Lease, for Sale
• Personal Information
• Electronic IP Leakage
• Information Brokerage
• Compromised Host and Application

Second Stage Abusers
• Spammer
• Phisher
• Extortionist/DDoS-for-Hire
• Pharmer/DNS Poisoning
• Identity Theft

End Value
• Financial Fraud
• Commercial Sales
• Fraudulent Sales
• Click-Through Revenue
• Espionage (Corporate/Government)
• Criminal Competition
• Extorted Pay-Offs
• Theft

Enduring Financial Opportunities

Enduring criminal financial opportunities:
• DDoS
• Extortion
• Advertising click-through fraud
• Fraudulent sales
• Identity theft and financial fraud (phishing, stealing info from PCs, etc.)
• Theft of goods/services
• Espionage/theft of information
• Spam-based stock-market manipulation

Postulate: Strong, Enduring Criminal Financial Opportunities Will Motivate Participants in the Threat Economy to Innovate to Overcome New Technology Barriers Placed in Their Way

Botnets - The #1 Online Security Threat

Botnets are the prime enablers of all these activities:
• DDoS
• Extortion
• Advertising click-through fraud
• Fraudulent sales
• Identity theft and financial fraud (phishing, stealing info from PCs, etc.)
• Theft of goods/services
• Espionage/theft of information
• Spam-based stock-market manipulation

Wikipedia on Botnets: ... a collection of compromised computers (called zombie computers) [or bots] running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.

Botnet-enabled DDoS

• DDoS, both inbound and outbound - DDoS for hire is big business!
• Multi-path DDoS attacks (miscreants learning about route servers, distributed botnets helping).
• Multi-vector DDoS attacks - SYN-floods combined w/ fragmented UDP, port 80 & port 22 (ssh), DNS reflection attacks (25 Gb/sec & higher!)
• DDoS/spam zombies being installed by Web- and email-delivered exploits
• Increased use of non-TCP/non-UDP protocols (IGMP, protocol 0, protocol 255) to bypass basic ACLs; miscreants learning about ToS bits, perform application-layer DDoS after prior reconnaissance of Web sites
• Spoofing used in a small fraction of attacks, but some of the more sophisticated/effective attacks are spoofed (Cisco Guard helps with this)
• Increased multi-path DDoS against network infrastructure devices (attempt to disrupt routing)
• Spammers launch DDoS attacks against anti-spam RBLs
• DDoS extortion commonplace, no longer against fringe businesses, but against online trading houses, banks, etc.
• It's only a matter of time before we see DDoS-enabled stock-market manipulation.
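Two of the patterns above (floods carried over IP protocols other than TCP/UDP, and DNS reflection) are easy to miss in tooling that only keys on TCP and UDP ports. The following is an added example, not part of the deck and not Cisco tooling: a small flow-record triage over constructed NetFlow-style records (documentation address ranges only). The thresholds are illustrative assumptions; real values depend on the link and the baseline.

```python
"""Flow-record triage for two of the DDoS patterns in the slide above:
floods over non-TCP/non-UDP IP protocols (IGMP, protocol 0, protocol 255)
and DNS reflection.  Added example; the records and thresholds are
constructed and illustrative, not Cisco tooling or real traffic."""
from collections import defaultdict
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 2 = IGMP, 0/255 = reserved
    sport: int
    dport: int
    packets: int
    octets: int


# Constructed sample: a multi-protocol flood and a DNS reflection flood against
# 192.0.2.10, plus ordinary web, DNS and IGMP traffic that must not be flagged.
SAMPLE_FLOWS = [
    Flow("198.51.100.5", "192.0.2.10", 2,   0,     0,     40000, 2560000),
    Flow("198.51.100.6", "192.0.2.10", 255, 0,     0,     35000, 2240000),
    Flow("198.51.100.7", "192.0.2.10", 0,   0,     0,     30000, 1920000),
    Flow("203.0.113.53", "192.0.2.10", 17,  53,    33000, 9000,  9000000),
    Flow("203.0.113.54", "192.0.2.10", 17,  53,    33000, 8000,  8000000),
    Flow("203.0.113.55", "192.0.2.10", 17,  53,    33000, 7000,  7000000),
    Flow("203.0.113.56", "192.0.2.10", 17,  53,    33000, 6000,  6000000),
    Flow("192.0.2.77",   "192.0.2.10", 6,   51000, 80,    20,    3000),     # normal web hit
    Flow("203.0.113.53", "192.0.2.77", 17,  53,    40123, 1,     120),      # normal DNS reply
    Flow("198.51.100.9", "192.0.2.20", 2,   0,     0,     10,    640),      # benign IGMP
]

PROTO_FLOOD_PACKETS = 10_000        # packets per (dst, proto) before it is a flood
REFLECT_MIN_SOURCES = 3             # distinct reflectors answering one victim
REFLECT_MIN_PACKETS = 5_000
REFLECT_MIN_BYTES_PER_PACKET = 512  # amplified answers are large; ordinary ones are not


def triage(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """Return (finding, victim, detail) tuples, protocol floods first."""
    per_dst_proto = defaultdict(int)          # (dst, proto) -> packets
    dns_answers = defaultdict(list)           # dst -> flows sourced from UDP/53
    for f in flows:
        if f.proto not in (6, 17):
            per_dst_proto[(f.dst, f.proto)] += f.packets
        elif f.proto == 17 and f.sport == 53:
            dns_answers[f.dst].append(f)

    findings = []
    for (dst, proto), pkts in sorted(per_dst_proto.items()):
        if pkts >= PROTO_FLOOD_PACKETS:
            findings.append(("non-tcp-udp-flood", dst, f"proto={proto} packets={pkts}"))
    for dst, answers in sorted(dns_answers.items()):
        pkts = sum(f.packets for f in answers)
        octets = sum(f.octets for f in answers)
        reflectors = {f.src for f in answers}
        if (len(reflectors) >= REFLECT_MIN_SOURCES and pkts >= REFLECT_MIN_PACKETS
                and octets / pkts >= REFLECT_MIN_BYTES_PER_PACKET):
            findings.append(("dns-reflection", dst,
                             f"reflectors={len(reflectors)} bytes/packet={octets // pkts}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_FLOWS):
        print(*finding)
```

The protocol-number bucket is the point: an ACL or rate-limit policy written only in terms of `tcp` and `udp` never sees the IGMP/protocol 0/protocol 255 buckets, which is exactly why the slide says these floods bypass basic ACLs. The reflection check keys on source port 53 plus bytes-per-packet, since a legitimate answer to a client's own query is small and comes from a single resolver.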

Worms/Self-propagating Malware to Recruit More Bots

• Worms with network side-effects before, worms without network side-effects now
  SQL Slammer was intended to compromise Microsoft SQL Server, not DoS the network!
  Blaster and successors also intended to compromise Windows boxes - they succeeded!
  Nachi was a twisted/misguided attempt to clean up and patch; 'cure' was worse than the disease, in many cases.
  Nachi ICMP & HTTP caused many outages, was a problem until Nachi self-destructed (tried tracerouting to/through the Internet from Windows, since 2003?)
  Many vulnerabilities over TCP/80, TCP/445, etc. - cannot filter with extended ACLs or the Windows network breaks
• Remember, the goal is to compromise hosts and turn them into bots; miscreants have learned to be quiet on the network, no longer cause DoS via the propagation vector
• Web-, document-, image-, email-, video-delivered malware via application-layer exploits are the new way to compromise hosts and turn them into bots
• Feasibility of AJAX/Web 2.0 botnets already demonstrated
• Mobile, MANET-enabled botnets coming - modern mobile phones are computers

Subverting the Network Infrastructure

• More emphasis on subverting the network itself (no longer just 'black boxes').
  Cisco, Juniper, Huawei, Alcatel, etc. all of interest to the miscreants - routers can be used to launch DDoS, to act as VPN gateways for SPAM, to hijack traffic and perform MITM attacks
  As always, default/lame passwords like 'cisco' or 'c1sc0' lead to router compromise (many businesses and government agencies don't use AAA).
  Miscreants love routers! They're great DoS-generators! They're great for tunneling miscreant traffic! They love switches for MITM! They love firewalls so that they can sniff traffic!
  There are hundreds of thousands of compromised network devices, from cable modems to 12000s, on the Internet today - mainly not due to inherent security flaws (although we see this with some consumer-level devices), but because of poor administrative practices.
• DNS/name resolution a very popular target for DDoS, as a DDoS-enabler (open recursive name servers as DDoS reflectors), to poison naming resolution in order to enable MITM attacks
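The slide puts most device compromises down to administrative practice rather than product flaws: default or lame passwords and no AAA. The following is an added example, not from the deck and not a Cisco tool, of auditing an IOS-style configuration for exactly those weaknesses. Both config excerpts are constructed, the `$1$...` strings in the hardened one are placeholders rather than real hashes, and the default-password list and finding names are this example's own choices.

```python
"""Audit an IOS-style running-config for the administrative weaknesses the
slide above blames for most router compromises: default or lame passwords,
cleartext or reversibly encoded passwords, no AAA, and Telnet management.
Added example: the config excerpts are constructed, the hash strings in them
are placeholders rather than real digests, and the default-password list and
finding names are this example's own choices."""
import re
from typing import List, Tuple

DEFAULT_PASSWORDS = {"cisco", "c1sc0", "admin", "password"}   # illustrative; extend locally

_ENABLE_PW = re.compile(r"^enable password(?: (\d))? (\S+)$")
_USER_PW = re.compile(r"^username (\S+) password(?: (\d))? (\S+)$")
_LINE_PW = re.compile(r"^password(?: (\d))? (\S+)$")

Finding = Tuple[str, str]

# Constructed: the kind of config the slide describes.
WEAK_CONFIG = """\
hostname edge-rtr1
enable password cisco
username admin password 0 c1sc0
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# Constructed: the same device with AAA, one-way secrets and SSH-only management.
HARDENED_CONFIG = """\
hostname edge-rtr1
service password-encryption
aaa new-model
aaa authentication login default group tacacs+ local
enable secret 5 $1$placeholder$notARealHash
username admin secret 5 $1$placeholder$notARealHash
line vty 0 4
 login authentication default
 transport input ssh
"""


def _check_password(findings: List[Finding], where: str, enc_type, value: str) -> None:
    if enc_type in (None, "0"):                      # type 0 / no type: cleartext
        findings.append(("cleartext-password", where))
        if value.lower() in DEFAULT_PASSWORDS:
            findings.append(("default-password", f"{where} is {value!r}"))
    elif enc_type == "7":                            # type 7 is trivially reversible
        findings.append(("type7-password", where))
    # any other type (e.g. 5) is a one-way hash: nothing to flag here


def audit_ios_config(text: str) -> List[Finding]:
    findings: List[Finding] = []
    lines = text.splitlines()
    if "aaa new-model" not in {l.strip() for l in lines}:
        findings.append(("no-aaa", "'aaa new-model' absent: local passwords are the only control"))
    stanza = "global"
    for raw in lines:
        s = raw.strip()
        if raw and not raw.startswith(" "):          # top-level line starts a new stanza
            stanza = s if s.startswith("line ") else "global"
        if m := _ENABLE_PW.match(s):
            _check_password(findings, "enable password", m.group(1), m.group(2))
        elif m := _USER_PW.match(s):
            _check_password(findings, f"username {m.group(1)}", m.group(2), m.group(3))
        elif stanza != "global" and (m := _LINE_PW.match(s)):
            _check_password(findings, f"{stanza} password", m.group(1), m.group(2))
        elif stanza != "global" and s.startswith("transport input") and "telnet" in s.split():
            findings.append(("telnet-enabled", stanza))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_ios_config(WEAK_CONFIG):
        print(f"{kind:20} {detail}")
    print("hardened config findings:", audit_ios_config(HARDENED_CONFIG))
```

Run against the weak excerpt it reports the missing `aaa new-model`, three cleartext passwords (all of them on the default list), and Telnet on the vty lines; the hardened excerpt produces nothing. `service password-encryption` alone would not clear the findings, since type 7 is reversible and is reported separately.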

Bot-Enabled Espionage, Theft, and Extortion

• More targeted information-gathering/espionage activities.
  Recent well-publicized university, bank, insurance-provider, government information compromises.
  Miscreants use this information for identity-theft - obtain credit cards, drain bank accounts, etc.
  Increasingly, DDoS/spam bots include form loggers/keyloggers, suss around for files to send back 'home', and so forth. They search documents and email for keywords (bank account info, credit card numbers, governmental ID numbers, etc.).
  'Spear-phishing' on the rise - targeted SPAM with the aim of socially engineering specific enterprise employees to run malware, give up information, pay extortion money (customized death threats against employees and their families, anonymous email blackmail, bogus 'subpoena' service, etc.)
  There are 'bots in the walls'

Background noise

• Rise in 'background noise' (portscans, low-level DDoS, leftover Slammer traffic and Nachi ICMP etc.) makes detection more difficult
• Botnets have ordinarily used IRC over standard or non-standard ports as C&C - this is changing. We saw P2P-enabled botnets with encrypted C&C emerge in 2003 - now, we see well-formed HTTP/HTTPS being used as decentralized, P2P botnet C&C, very hard to pick out from normal Web traffic. Makes botnets far more resilient!
• AJAX and Web 2.0-type technologies offer many possibilities for layer-7 C&C, an emerging threat as 'software as a service' becomes more popular.
• DNS also leveraged for C&C - DNS TXT records used to store botnet commands, bots query predefined TXT records periodically for instruction; bots coded to look up nonsense-sounding domains which have not yet been registered, and when the miscreant wants to activate the botnet, he registers the domain and sets up a C&C Web server to issue commands. Very sneaky!
• DNS 'fast-flux' used for agile botnet C&C
• Sometimes it's hard to properly classify application-layer DDoS - can look like a legitimate 'flash crowd'.
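Each of the three DNS tricks above leaves a distinct trace in resolver logs: a scheduled TXT poll has almost no jitter, polling of not-yet-registered nonsense names shows up as a burst of NXDOMAIN answers for vowel-free labels from one client, and fast-flux shows one name answered with many addresses at short TTLs. The following is an added example, not from the deck: three detections over a constructed, pipe-delimited resolver log (the format, the log lines, the thresholds and the "gibberish" heuristic are all this example's own assumptions; names and addresses use reserved ranges).

```python
"""Three detections for the DNS-based C&C tricks in the slide above: periodic
TXT lookups for commands, polling of not-yet-registered nonsense domains
(seen as NXDOMAIN bursts), and fast-flux (one name, many short-TTL addresses).
Added example: the log format and log lines are constructed, the thresholds
are illustrative assumptions, and the names/addresses use reserved ranges."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed resolver log: ts|client|qname|qtype|rcode|ttl|answer
SAMPLE_DNS_LOG = """\
1156000000|10.0.0.5|cmd.example.net|TXT|NOERROR|60|"v=1 sleep 600"
1156000600|10.0.0.5|cmd.example.net|TXT|NOERROR|60|"v=1 sleep 600"
1156001200|10.0.0.5|cmd.example.net|TXT|NOERROR|60|"v=1 sleep 600"
1156001800|10.0.0.5|cmd.example.net|TXT|NOERROR|60|"v=1 sleep 600"
1156002400|10.0.0.5|cmd.example.net|TXT|NOERROR|60|"v=1 flood 192.0.2.10"
1156000010|10.0.0.7|xkqzvbtrwp.example|A|NXDOMAIN|0|-
1156000011|10.0.0.7|pqwzxvtrkb.example|A|NXDOMAIN|0|-
1156000012|10.0.0.7|ztrvqkxwbp.example|A|NXDOMAIN|0|-
1156000013|10.0.0.7|vkxwqzbtrp.example|A|NXDOMAIN|0|-
1156000014|10.0.0.7|bxqztkvrwp.example|A|NXDOMAIN|0|-
1156000100|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.11
1156000400|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.12
1156000700|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.13
1156001000|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.14
1156001300|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.15
1156001600|10.0.0.9|login.example.org|A|NOERROR|300|198.51.100.16
1156000050|10.0.0.3|www.example.com|A|NOERROR|3600|192.0.2.80
1156003650|10.0.0.3|www.example.com|A|NOERROR|3600|192.0.2.80
1156000060|10.0.0.3|mail.example.com|MX|NOERROR|3600|mx.example.com
"""

Record = Dict[str, object]


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype, rcode, ttl, answer = line.split("|")
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "qtype": qtype, "rcode": rcode, "ttl": int(ttl), "answer": answer})
    return records


def detect_txt_beacons(records, min_queries=4, max_cv=0.2):
    """Same client asking for the same TXT record at near-constant intervals."""
    stamps = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            stamps[(r["client"], r["qname"])].append(r["ts"])
    hits = []
    for (client, qname), times in sorted(stamps.items()):
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:   # low jitter => scheduled poll
            hits.append(("txt-beacon", client, qname, int(avg)))
    return hits


def looks_like_gibberish(label: str, min_len=8, max_vowel_ratio=0.2) -> bool:
    """Crude 'nonsense-sounding' test: a long label with almost no vowels."""
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiouy" for ch in label)
    return vowels / len(label) <= max_vowel_ratio


def detect_unregistered_polling(records, min_names=5):
    """One client probing many nonsense names that do not (yet) resolve."""
    names = defaultdict(set)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and looks_like_gibberish(r["qname"].split(".")[0]):
            names[r["client"]].add(r["qname"])
    return [("nxdomain-gibberish", c, len(n)) for c, n in sorted(names.items())
            if len(n) >= min_names]


def detect_fast_flux(records, max_ttl=300, min_addrs=5):
    """One name answered with many different addresses, all with short TTLs."""
    addrs, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r["qtype"] == "A" and r["rcode"] == "NOERROR":
            addrs[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return [("fast-flux", q, len(a)) for q, a in sorted(addrs.items())
            if len(a) >= min_addrs and max(ttls[q]) <= max_ttl]


def detect_all(text: str) -> List[Tuple]:
    recs = parse_log(text)
    return (detect_txt_beacons(recs) + detect_unregistered_polling(recs)
            + detect_fast_flux(recs))


if __name__ == "__main__":
    for hit in detect_all(SAMPLE_DNS_LOG):
        print(*hit)
```

The vowel-ratio test is deliberately crude and will miss word-list-based generated names; in practice it is a first filter before per-client NXDOMAIN volume, which is the more robust signal. The beacon detector uses the coefficient of variation of the gaps rather than a fixed period, so it catches any interval the bot author picked.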

What is 'Web 2.0'?

Loosely speaking, the term 'Web 2.0' refers to various types of hosted applications which facilitate social networking, information interchange, content syndication, and which in many cases are substitutes/replacements for traditional desktop applications.

This model is very attractive to enterprises - leverages Web browser as a 'universal client', reduces amount of admin overhead (no client upgrade cycles), leverages economies of scale with blade servers, virtualization technologies.

Examples of Web 2.0 Applications

• TypePad, LiveJournal, Blogger - hosted weblogging
• Backpack, Campfire, Writeboard - hosted storage/chat/collaboration
• Google Sites, SocialText - hosted wikis
• YouTube - user-generated video content
• Flickr - photos, tagging
• MySpace, FaceBook, Tribe.net - social networking
• Windows Live!, Google Write, etc. - hosted business software
• Second Life, MMORPGs - virtual worlds with virtual economies = real-world money!

What is the problem?

To date, the 'Web 2.0' and online application communities have not generally been closely engaged with the traditional computer security community nor the network operational security community.

This lack of engagement can have negative consequences for those who depend upon these applications - increasingly, this means enterprises.

Blue Security vs. TypePad

• During a large DDoS, BlueSecurity.com changed the DNS A record for their domain so that it pointed to their hosted TypePad weblog
• Much excitement, significant (6-hour-plus) outage for all TypePad customers, including enterprises who use weblogs for customer communication, support, PR, etc.
• Significant DDoS traffic for multiple SPs
• Significant outages for literally millions of SOHO, small business, large enterprise customers worldwide
• For hours, customers did not know what was happening or how to stop it - siloed communications channels.

Samy vs. MySpace

• Samy wants to be a 'hero' to users on MySpace - after careful reflection, he determines that exploiting an XSS vulnerability on MySpace to create a browser-based 'XSS worm' is a good way to accomplish this goal.
• Within 5 hours, Samy has 1,000,000+ friend requests from MySpace users - about 1/35th of the total userbase
• Within 6 hours, MySpace is unreachable for most users
• Approximately 2.5 hour outage, some capabilities removed from user profiles (embedded music, movies, etc.).
• Anecdotal reports of excessive traffic on broadband access networks, help-desk calls (it's kind of hard to call MySpace), etc.
• Businesses use MySpace for PR, advertising - not just for teenagers!

Second Life, WoW 'Virtual Worms'

• Various exploits in Second Life, WoW used to create self-replicating code objects on multiple occasions - your avatar touches the object (like a floating gold ring), your PC is then leveraged to reproduce the viral objects!
• First ones were stupid, simple 'virtual DDoS' - cost Linden Labs, Blizzard, their customers real-world time, effort, money!
• Later PoC 'virtual worms' copied/stole virtual world intellectual property and currency - custom-designed avatars a big business, now the work is stolen! Online gold, weapons, etc. a big business in WoW, 'virtual worms' steal these from users!
• Second Life is becoming a very important communications medium for PR, support, etc.; WoW is a game, but a big business in Asia (think 'gold-farming'; people play WoW for a living, then sell characters, in-game gold, weapons, etc. to players).

The Web 2.0 Universal Browser Botnet

<*IMG SRC="http://www.example.com/">

(The asterisk after '<' is a deliberate defang so the tag is not rendered; the real tag has none.)

• Cross-Site Request Forgery (CSRF), the same broad class of browser & site vulnerability as Cross-Site Scripting (XSS).
• Stick a few links like the above in popular Web forums, social networking sites.
• Millions of uncompromised machines become the 'botnet', launching ongoing layer-7 DDoS, unbeknownst to their users.
• Rinse, repeat.

The Web 2.0 Universal Browser Botnet (continued)

• Insert 10-15 instances of the HTML code per page, you get 10-15 connections/browser.
• Get an application-layer amplification factor by abusing the victim's search form - <*IMG SRC="http://www.example.com/search?q=TERM1+AND+TERM2+AND+TERM3">
• Chew up the victim's bandwidth by grabbing large files - <*IMG SRC="http://www.example.com/bigimage.jpg">
• How does the victim defend against this? How does the SP defend the victim against this?
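One answer to the victim-side half of the question above: the IMG-triggered requests arrive with the forum page as their Referer (and, in current browsers, a Sec-Fetch-Dest of image), and they all hit the expensive endpoints, so the site can refuse them with a cheap 403 before the search backend is touched, and cap what any single client may spend on those endpoints when the origin cannot be determined. The following is an added example, not from the deck: a request-filter sketch run over constructed traffic. The hostnames, paths, budget and window are this example's own assumptions, and the Sec-Fetch-Dest header is a browser feature newer than the deck. The SP-side half of the question is not addressed here.

```python
"""Victim-side filter for the browser-botnet pattern in the slides above:
cross-site requests to expensive endpoints are refused cheaply, and
requests whose origin cannot be determined are held to a per-client budget.
Added example; hosts, paths and limits are constructed assumptions."""
from collections import defaultdict, deque
from typing import Dict, List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

SITE_HOST = "www.example.com"                        # the victim site from the slide
EXPENSIVE_PREFIXES = ("/search", "/bigimage.jpg")    # endpoints the IMG tags target
RATE_LIMIT = 5                                       # expensive requests per client per window
WINDOW_SECONDS = 60


class Request(NamedTuple):
    ts: int                 # arrival time in seconds
    client: str             # client IP
    path: str
    headers: Dict[str, str]


def cross_site(req: Request) -> Optional[bool]:
    """True if the request was triggered from a page on another host, False if
    same-site, None if the browser sent neither Origin nor Referer."""
    # Fetch Metadata (newer than the deck): an <img> fetching a search page is never ours.
    if req.headers.get("Sec-Fetch-Dest") == "image" and req.path.startswith("/search"):
        return True
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if src is None:
        return None
    return (urlparse(src).hostname or "").lower() != SITE_HOST


class EdgeFilter:
    def __init__(self) -> None:
        self.recent = defaultdict(deque)   # client -> timestamps of expensive hits

    def decide(self, req: Request) -> Tuple[str, str]:
        if not req.path.startswith(EXPENSIVE_PREFIXES):
            return ("allow", "cheap path")
        if cross_site(req):
            return ("reject", "cross-site request to expensive path")
        window = self.recent[req.client]
        while window and req.ts - window[0] >= WINDOW_SECONDS:
            window.popleft()                      # slide the window forward
        if len(window) >= RATE_LIMIT:
            return ("reject", "per-client budget for expensive paths exhausted")
        window.append(req.ts)
        return ("allow", "same-site or unknown origin, within budget")


def run_sample() -> List[str]:
    """Constructed traffic: a forum page carrying the IMG tags, one same-site
    user, one modern browser, and a client that strips Referer.  Returns the
    decision for each request in order."""
    forum = {"Referer": "http://forum.example.net/thread/42"}
    onsite = {"Referer": "http://www.example.com/"}
    f = EdgeFilter()
    reqs = [
        Request(0, "203.0.113.8", "/search?q=TERM1+AND+TERM2+AND+TERM3", forum),
        Request(0, "203.0.113.8", "/bigimage.jpg", forum),
        Request(1, "203.0.113.8", "/", forum),
        Request(2, "198.51.100.4", "/search?q=router", onsite),
        Request(3, "198.51.100.4", "/search?q=router", {"Sec-Fetch-Dest": "image", **onsite}),
    ]
    reqs += [Request(10 + i, "192.0.2.9", "/search?q=x", {}) for i in range(7)]
    return [f.decide(r)[0] for r in reqs]


if __name__ == "__main__":
    print(run_sample())
```

In the sample the two forum-triggered fetches are rejected, the forum visitor's ordinary page load is allowed, the same-site search is allowed, the image-destined search is rejected, and the Referer-less client gets five searches in the window before being cut off. Rate limiting by source address is a blunt tool (a NAT'd office shares one budget), which is why the cheap cross-site rejection does most of the work and the budget is only the fallback for requests with no usable origin.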

Emerging Voice Security Threats

Evolution of Voice Security Threats

• 1969 - John Draper meets Dennie and Jemmie, who can obtain practically-free long-distance phone-calls by making creative use of the plastic whistle included in a box of Cap'n Crunch cereal. The whistle emits the same 2600 Hz tone used by the telephone network to signify end-of-charges - after hearing the tone, the billing system no longer bills for call minutes even if the call is still active.
  Draper was arrested in 1972 and again in 1975 for abusing the telephone network and for wire fraud, respectively.

Evolution of Voice Security Threats

• 1971 - Al Gilbertson invents the 'blue box', is profiled in Esquire. The 'blue box' electronically mimics the 12 master tones which are used for control by the telephone switching network - generating various tones in sequence allows phreakers to make free phone calls, loop up local circuits, initiate party-line calls, etc.
  Two early phreakers with the handles Berkeley Blue and Oak Toebark (they both share the same actual first name) were quite interested in 'blue boxes', too....

Evolution of Voice Security Threats

• 1980 - Kevin Mitnick is remotely accessing landline and later early cellphone switching equipment. He impersonates telephone company personnel, Bellcore security managers, etc. and physically enters COs and other telco facilities to pilfer information about the telephone network. By the time he's eventually caught (1987), he has combined early computer network hacking with telco hacking and has manipulated phone switches in order to tap into the phone conversations of Secret Service agents and telco security personnel who are chasing him.
• 1990 - Kevin Poulsen manipulates phone switches for fun and profit, rerouting callers to a KIIS Los Angeles call-in contest so that he can call in and 'win' a $40K Porsche.

Evolution of Voice Security Threats

• 1990 - On January 15th, 114 nodes of AT&T's long-distance network are down for 9 hours due to a bug in newly-uploaded SS7 failure-recovery code. A misplaced break command caused nodes to crash themselves upon receipt of an out-of-service message and then propagate the crash by sending out-of-service messages to adjacent nodes.
  Inadequate testing of the error-recovery path led to the faulty code being uploaded - at the time, the incident was investigated as a possible deliberate attack on the telephone system, and it was widely acknowledged by telco and law enforcement that such an attack was in fact feasible.

Evolution of Voice Security Threats

• From the 1980s onwards, key systems and PBXes have been prime targets for phone phreakers - outdials to commit toll-fraud, hacking voicemail systems accessible via WATS lines in order to build a 'free' message service, silent conferencing in order to eavesdrop, etc.
  This has been a key enabler of both state-sponsored and corporate espionage.

Evolution of Voice Security Threats

What's changed with TCP/IP?

• Ubiquity
• Interconnectivity
• Mobility
• Empowerment

What's changed with TCP/IP?

• Security Capabilities
  There are far more effective security mechanisms available in the TCP/IP world than in the closed world of proprietary systems. The challenge we face is incorporating them effectively into architectures and toolkits we can use in order to design, deploy, and operate systems.

Pervasive Security

• Security is the heart of internetworking's future; we have moved from an Internet of implicit trust to an Internet of pervasive distrust
• Network design = security, security = network design
• We can no longer differentiate network from security, they must be intertwined
  What is security vs. network? QoS? Routing? Voice?
• No packet can be trusted; all packets must earn that trust through a network device's ability to inspect and enforce policy

Your next-generation handsets

• Will come from a variety of sources, running a variety of OSes
• Will have multiple modes of operation - CDMA, GSM, WiFi, etc. They will cross/eliminate perimeters.
• Will have multiple forms of personal network/mesh technologies, a la Bluetooth, etc.
• Will have VPN capabilities
• Will not necessarily be under the direct control of carriers or IT departments (increasingly, these are personal devices)
• Will be general-purpose computing devices, with all that entails

The shape of things to come

• We will be faced with multivector penetration/subversion threats to the voice infrastructure - this is already happening with softphones, it will become the norm for hardware phones, as well.
• Softphone-aware malware is around the corner. Skype, Vonage, and the like will probably be the first targets, others will follow. Will be spread via phishing, worms, email, and potentially VoIP traffic itself.
• Toll fraud, SPIT, eavesdropping/wiretapping, voicemail forgery, real-time MitM two-way call interception/corruption, access to phone-integrated directories...
• Application-layer resource-exhaustion attacks against the voice infrastructure (Communication Manager, cell nodes, WiFi Apps, switches, routers), power-exhaustion attacks against handsets...
• Only a matter of time until we see compromised mobiles show up in botnets.

Convergence is a huge concern of large SPs

• For the first time, traditional router-jocks actually care about the applications - “The voice service must stay up, no matter what!” This is a huge sea-change in the mindset of network operators
• What happens to voice when it's on the same network as DDoS attacks, and is potentially subject to them? What level of automation, scaling, clustering, virtualization is required to protect voice services in such an environment? How do we extend the 'Clean Pipes' paradigm to voice services?


New Attacks

• Identity Attacks
• Power Drain Attacks
• Instant Messenger
• Bluejacking
• Bluesnarfing
• Bluebugging


Identity Attacks: Voice Evolution

[Diagram: the evolution of voice transport from the PSTN, via the Internet, to the IP Network]


Identity Attacks: Where?

• Local Device Access
• Network Access
• Remote Device Access
• Device to Device
• User to Device
• User to Application
• Call Integrity (control data)
• Call Integrity (audio data)

Identity (like security) must be addressed in layers.


Identity Attacks: Example Credentials

• None
• Tones
• Unique Static ID
• IP Address
• PIN
• Username/Password
• Certificates
• Biometrics


Identity Attacks: Examples

Attackers will attempt to creatively manipulate all credentials:

• Duplicating cell phone unique ID (other rogue phones)
• Impersonating police
• Manipulating Caller ID
• Valid device (but compromised)
• Credit card theft scam
• Keyloggers
• Spyware
• Worms/viruses
• Collision attacks (MD5 & SHA1)


New Attacks: Power Drain Attacks

Definition: Power drain attacks involve devices being put into a constant high-power consumption mode. Such an attack is effective against wireless devices that rely on battery power. The high-power consumption state causes the device to quickly lose battery power and become useless until the battery is recharged.


Power Drain Attacks: Effectiveness?

• Just as easy to jam wireless signal
• Could be used to discredit enterprise, SP (reputation, SLAs, etc.)

• They've been seen in the wild!


Instant Messenger Attacks: Accessibility and Identity

• Adds listening service - makes the devices a continuous target while instant messenger or other presence application is active
• Indicates when system is active
• Very prone to phishing/social engineering attacks
• SPIM
• Session hijacking and impersonation


Instant Messenger Attacks: Functionality and Coding Issues

• More devices (such as phones, PDAs) built on more robust underlying OSes
• Device complexity prone to more significant coding problems
• More malware paths (potentially less virus scanning)
• Trojan delivery, botted endpoints


Instant Messenger Attacks: Blurring Network Boundaries

• Multi-function devices mean attacks can bridge network boundaries in new ways
• Much larger number of potential zombies/bots


Bluejacking

• Despite the scary name, 'bluejacking' is merely the sending of unsolicited text messages from one Bluetooth-enabled device to another.

• The first person known to do this used the handle 'ajack' on esato.com . . . he was in a bank, used his phone to detect a visible Nokia phone owned by another patron and sent it a message, 'Buy Ericsson'. The name stuck.

• Bluetooth devices have a 'visible' and a 'hidden' mode. Visible mode is similar to a WiFi broadcast SSID; this is the default setting for many Bluetooth devices.

• Implementation deficiencies can make it trivial to detect devices running in hidden mode . . .

• Due to vulnerabilities in device OSes (not just phones - PDAs, laptops, etc.), this is a vector for worms and other forms of self-propagating malware.


Bluesnarfing

• More insidious - bluesnarfing entails the use of tools to grab the phonebook, addressbook, and in some cases the entire memory contents of a Bluetooth-enabled device.

• While the focus has been on phones, PDAs and general-purpose computers - i.e., laptops - may be vulnerable, as well.

• What do people store in these devices - passwords, confidential information, access codes? What can be deduced from grabbing the entire memory contents of a device running an active VPN session?

• This begs the question - if you can read, can you also potentially write?

• In too many cases, the answer is "Yes!"


Bluebugging

• Bluebugging is the term used to describe '0wn1ng' another Bluetooth-enabled device, particularly (but not limited to) a mobile phone.

• The miscreants can send and receive SMS messages, place calls, receive calls, eavesdrop on calls, forward calls to other numbers, read and write addressbook and other information, gather files accessible via the device in question (VPN + SMB shares, anyone?), and potentially execute code of the attacker's choice.

• So far, this has been limited to mobile phones, but PDAs and general-purpose computers may also be vulnerable.

• The implications are obvious . . . mobile botnets, anyone?


Not just Bluetooth

• Buffer overflows, DoS vulnerabilities, weak IP stacks, etc. are issues on WiFi and wired interfaces.

• All these attacks, and more, are of concern via other methods.

• Even though Bluetooth has an ostensible range of 10 meters, exploits using various types of antennas and amplifiers have been demonstrated at distances of over one mile (1.6 km).

• Again, the implications are obvious . . .


This isn't speculation . . .

"The risk has arrived." -- Ted Seely, SprintLink


Are We Doomed?

• No! 80% of the security risks associated with VoIP are common to all forms of IP traffic . . . we have architectures, features, and solutions which apply. Enterprise networking, security and voice teams need to learn, understand, and put this innovation into practice, as well as proactively collaborating, moving forward.


The most important tools we have: Architecture, Cross-functional Teamwork & Open Communications Across the Organization.

Security is not a product. Security is not a box which can be bolted onto the network. Security must be designed into the architecture at all 7 layers. There are no 'silver bullets'; defense-in-depth is required.

Every security professional must be a competent voice professional and networking engineer, and know a great deal about layer-7. Every voice professional must be a competent security professional and networking engineer, and know a great deal about layer-7. Every layer-7 professional must be a competent networking engineer, and know a great deal about voice, as well.

Voice and security and layer-7 professionals must interact on an ongoing basis in the normal course of their day-to-day duties, including planning, development, and operations.


Moving forward together into the 1960s!


Q & A
