81 slides
Thinking about security…
3 of 8140 Years of Internet Arms Races
Talk outline
• Intro
• Some thoughts on thinking bad thoughts
• Various races
• Predictions– You got that with the 40 years, right?
• Wishes–My dad’s computer, and Windows OK–Windows SP2
4 of 8140 Years of Internet Arms Races
Since some of you asked…
• Chief Scientist at Lumeta, a Bell Labs spin-off– Founded in 2000. 45 people in the
company
• We map large corporate and government networks, and find leaks in the network perimeter
• I am still figuring out what a chief scientist does
• Second edition of the firewalls book came out last year: Cheswick, Bellovin, Rubin
5 of 8140 Years of Internet Arms Races
6 of 8140 Years of Internet Arms Races
Before the whining and predicting, something useful
• Lost friends web page
• Cheap research web pages
• Please give me feedback if I get something wrong– I do get out much from my little Internet
startup (Lumeta)– You folks keep me honest.
81 slides
Security People are Paid to Think Bad
Thoughts
-Bob Morris
81 slides
Fred Cohen and me
9 of 8140 Years of Internet Arms Races
What do you do with bad thoughts?
• The world is full of threats
• One can get a bit pessimistic
• CIA asked a number of us for some of our bad thoughts
• Watch your ethics! Are you battling the forces of darkness?
10 of 8140 Years of Internet Arms Races
Questions about an evil idea
• Has it already been done? How would you detect it?
• If not, why hasn’t it happened yet?
• What are the strategic preparations needed?
• What are the tactical preparations needed just before the attack?
• Can we detect strategic preparations?
• Can we detect tactical preparations?
11 of 8140 Years of Internet Arms Races
Minor example: Internet mapping
12 of 8140 Years of Internet Arms Races
Minor example: Internet Mapping Project
• Hal Burch and me, since 1998
• AUCERT has corresponded (complained) to us a number of times
• Basic technology: 250,000 traceroutes/day
• Question: who else is doing this?
13 of 8140 Years of Internet Arms Races
10:45:42 udp 5 uma1.co.umatilla.or.us11:28:12 udp 1 64.d9b7d1.client.atlantech.net10:57:05 udp 43101:24@0+ omval.tednet.nl10:57:05 udp 43101:1456@24+ omval.tednet.nl10:57:05 udp 43101:625@1480 omval.tednet.nl11:30:59 udp 7 ns1.yamato.ibm.com
14 of 8140 Years of Internet Arms Races
Minor example: Internet Mapping Project
• Andrew Gross and rstatd
15 of 8140 Years of Internet Arms Races
Some thoughts on computing safety
• Morris worm at Bell Labs (1988)
• “Best block is not be there”– Karate Kid I
• “You got to get out of the game”– Fred Grampp
• I’ve never detected a virus or worm on one of my important systems.
16 of 8140 Years of Internet Arms Races
Don’t let opposition practice on you during an arms race
• Dictionary attacks on passwords
• Crashme tests on programs, protocols, and operating systems–Weakness using COTS!
17 of 8140 Years of Internet Arms Races
18 of 8140 Years of Internet Arms Races
The Internet security arms race
• Defenders can control the battlefield
• An uneasy truce may be good enough, if the business case can make usable predictions
19 of 8140 Years of Internet Arms Races
The Internet is a fine place to practice attacks
• Automated
• Anonymous
• Many “volunteers”
• Don’t give them a dictionary, “oracle”, or “cribs” to try automated attacks on
• Monoculture of software in hosts and routers
20 of 8140 Years of Internet Arms Races
The Internet is a fine place to practice defenses
• MILnet has been under attack since the mid-1980s
• That makes the threats much clearer
• It gives the defenders a chance to get good at their job
81 slides
Arms Races:Eavesdropping
22 of 8140 Years of Internet Arms Races
Arms race:Eavesdropping
• Ethernet, ftp, and telnet were poor starts
• WEP, POP3, IMAP, AIM added to the confusion– POP3 passwords are the most common I
sniff over the air at conferences like this
• Crypto wars of the mid-1990s tied our hands
• This race should be over, victory to the defenders
23 of 8140 Years of Internet Arms Races
Eavesdropping victories
• SSL ends direct credit card sniffing
• Ssh lets me access secure machines from anywhere
• IP/SEC is a bit of a pain to deploy, but that should get better– VPN products are very useful
• CPUs have plenty of spare power now.
• Check your work with dsniff
24 of 8140 Years of Internet Arms Races
Eavesdropping problems
• Casual web access and DNS queries still mostly in the clear.
• Most ISPs still offer or insist on POP3 and IMAP, not SSL versions of these
• Widespread use of client certificates could limit access to these possibly dangerous network services
25 of 8140 Years of Internet Arms Races
Eavesdropping arms races
• Attack patterns vs. snort
• Tcpdump/libpcap vs. killer packets
81 slides
Arms Race: Battle for control of the
computer and data
27 of 8140 Years of Internet Arms Races
The battle for control of the computer
• Who owns the software in your computer? Who should be allowed to add and run programs?– Microsoft has assumed this since DOS
• Viruses and worms
• Pop-overs and pop-unders
• Spyware
• Automatic update systems
• Same battle over data in computers controlling your car– Thermostat? Front door lock? Toaster?
28 of 8140 Years of Internet Arms Races
Goals for this extraware
• Zombie nets to assist with malfeasance, including forwarding of spam
• Collect marketing data
• Display advertisements
• Enforce licensing restrictions
29 of 8140 Years of Internet Arms Races
Solution: operating system only executes known programs
• Virus problem goes away
• Unix/Linux systems mostly do this already
• OS updates and auxiliary program installs a problem
• This feature not available on Microsoft operating systems (see below)
30 of 8140 Years of Internet Arms Races
Extraware problems
• Some business practices assume this ability is available
• Some web page writers assume that I am willing to use possibly dangerous features in my browser (or a particular browser)
31 of 8140 Years of Internet Arms Races
Virus arms race
• Early on, detectors used viral signatures
• Virus encryption and recompilation (!) has thwarted this
• Virus detectors now simulate the code, looking for signature actions
• Virus writers now detect emulation and behave differently
• Virus emulators are slowing down, even with Moore’s Law.
32 of 8140 Years of Internet Arms Races
Virus arms race
• I suspect that virus writers are going to win the detection battle, if they haven’t already– Emulation may become too slow– Even though we have the home-field advantage– Will we know if an undetectable virus is released?
• Best defense is to get out of the game.– Don’t run portable programs, or– Improve our sandbox technology
• People who really care about this worry about Ken Thompson’s attack– Read and understand “On Trusting Trust”
33 of 8140 Years of Internet Arms Races
The emulation arms race
• Vmware versus the real thing– 4tphi
• Honeypots vs. bulkers– http://www.sendsafe.com/honeypot-hunter
.php
81 slides
Arms Race:Authentication and
identification
35 of 8140 Years of Internet Arms Races
Password cracking
• Works 3% to 60% of the time using offline dictionary attacks–More, if the hashing is misdesigned
• This will never get better, so…
• We have to get out of the game
36 of 8140 Years of Internet Arms Races
Passwords sniffed at this conference
37 of 8140 Years of Internet Arms Races
Authentication/Identification Arms races
• Password/PIN selection vs. cracking
• Human-chosen passwords and PINs can be ok if guessing is limited, and obvious choices are suppressed
• Password cracking is getting better, thanks to Moore’s Law and perhaps even botnets
38 of 8140 Years of Internet Arms Races
Colossus(ver 2.0)
TonySale
39 of 8140 Years of Internet Arms Races
We don’t know how to leave the user in charge of security decisions, safely.
40 of 8140 Years of Internet Arms Races
Authentication solutions:two factor authentication
• In my laptop: ssh key unlocked by long passphrase
• Better: USB “key” unlocked by PIN. Five bad PINS, and it is gone.–We already carry a bunch of keys, so why
not one more
41 of 8140 Years of Internet Arms Races
Hardware tokens
• These need to be open source drivable, and cheap
• The business model has never been one for global adoption
• Challenge/response form factor is the safest, but not acceptable if humans are in the loop
42 of 8140 Years of Internet Arms Races
Authentication arms race:predictions
• We’ve already won this, from a business model standpoint–Web SSL plus password is good enough
for banking
• USA needs two factor authentication for social security number. (Something better than MMN or birth date.)
• I don’t see this improving much, but a global USB dongle would do it
• Don’t wait for world-wide PKI.
81 slides
Arms race (sort of):destructible hardware
44 of 8140 Years of Internet Arms Races
Arms race (sort of)hardware destruction
• IBM monochrome monitor
• Some more recent monitors– Current ones?
• Hard drives? Beat the heads up?
• EEPROM write limits– Viral attack on .cn and .kr PC
motherboards–Other equipment
• Anything that requires a hardware on-site service call
45 of 8140 Years of Internet Arms Races
Arms race (sort of)hardware destruction
• Rendering the firmware useless– This can be fixed (mostly) with a secure
trusted computing base.
46 of 8140 Years of Internet Arms Races
Software upgrade race: literally a race
• Patches are analyzed to determine the weakness
• Patch-to-exploit time is now down below 10 hours– NB: spammers have incentive to do this
work
• Now the good guys are trying to obfuscate code!
• Future difficult to say: dark side obscures everything.
47 of 8140 Years of Internet Arms Races
Arms Races:firewalls
• IP blocking
• Ip aware (stateful)–More dangerous– Permits firewalking
• Ultimately, firewalls are a hack, and should go away
81 slides
Arms Races:deception
49 of 8140 Years of Internet Arms Races
West coralSnake
Scarlet king snake
81 slides
(the west coral snake is venomous)
51 of 8140 Years of Internet Arms Races
Arms Races: deception
• Jails– Cliff Stoll and SDInet
• Honeypots– Honeynet– honeyd
• The deception toolkit---Fred Cohen
52 of 8140 Years of Internet Arms Races
Bulkers vs honeypots
• http://www.send-safe.com/honeypothunter.php
53 of 8140 Years of Internet Arms Races
User education vs. user deception
• We will continue losing this one
• Even experts sometimes don’t understand the ramifications of choices they are offered
54 of 8140 Years of Internet Arms Races
Historic Arms races
• SYN packet attacks
• TCP sequence number guessing
81 slides
My Dad’s computer
Skinny-dipping with Microsoft
56 of 8140 Years of Internet Arms Races
Case study:My Dad’s computer
• Windows XP, plenty of horsepower, two screens
• Applications:– Email (Outlook)– “Bridge:” a fancy stock market monitoring
system– AIM
• Cable access, dynamic IP address, no NAT, no firewall, outdated virus software, no spyware checker
57 of 8140 Years of Internet Arms Races
This computer was a software toxic waste dump
• It was burning a liter of oil every 500 km
• The popups seemed darned distracting to me
• But he thought it was fine–Got his work done– Didn’t want a system administrator to
break his user interface somehow
81 slides
A proposal:Windows OK
59 of 8140 Years of Internet Arms Races
Windows OK
• Thin client implemented with Windows
• It would be fine for maybe half the Windows users– Students, consumers, many corporate
and government users
• It would be reasonable to skinny dip with this client–Without firewall or virus checking
software
60 of 8140 Years of Internet Arms Races
Windows OK
• No network listeners– None of those services are needed, except
admin access for centrally-administered hosts
• Default security settings
• All security controls in one or two places
• Security settings can be locked
61 of 8140 Years of Internet Arms Races
Windows OK (cont)
• There should be nothing you can click on, in email or a web page, that can hurt your computer– No portable programs are executed ever,
except…
• ActiveX from approved parties–MSFT and one or two others. List is
lockable
62 of 8140 Years of Internet Arms Races
Windows OK
• Reduce privileges in servers and all programs
• Sandbox programs– Belt and suspenders
63 of 8140 Years of Internet Arms Races
Office OK
• No macros in Word or PowerPoint. No executable code in PowerPoint files
• The only macros allowed in Excel perform arithmetic. They cannot create files, etc.
64 of 8140 Years of Internet Arms Races
Vulnerabilities in OK
• Buffer overflows in processing of data (not from the network)
• Stop adding new features and focus on bug fixes
• Programmers can clean up bugs, if they don’t have a moving target– It converges, to some extent
81 slides
Microsoft client security
It has been getting worse: can they skinny-dip safely?
66 of 8140 Years of Internet Arms Races
Windows MEActive Connections - Win ME
Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*
67 of 8140 Years of Internet Arms Races
Windows 2000
Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*
68 of 8140 Years of Internet Arms Races
Windows XP, this laptop Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*
69 of 8140 Years of Internet Arms Races
FreeBSD partition, this laptop
Active Internet connections (including servers)Proto Recv-Q Send-Q Local Address Foreign Address (state)tcp4 0 0 *.22 *.* LISTENtcp6 0 0 *.22 *.* LISTEN
81 slides
XP SP2
Bill Gets It
71 of 8140 Years of Internet Arms Races
Microsoft’s Augean Stables:a task for Hercules
• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows
• It’s been getting worse since Windows 95
72 of 8140 Years of Internet Arms Races
XP SP2: Bill gets it
• “a feature you don’t use should not be a security problem for you.”
• “Security by design”– Too late for that, its all retrofitting now
• “Security by default”– No network services on by default
• Security control panel– Many things missing from it– Speaker could not find ActiveX security settings
• There are a lot of details that remain to be seen.
73 of 8140 Years of Internet Arms Races
Microsoft really means it about improving their security
• Their security commitment appears to be real
• It is a huge job
• Opposing forces are unclear to me
• It’s been a long time coming, and frustrating
74 of 8140 Years of Internet Arms Races
Microsoft secure client arms race
• We are likely to win, but it is going to be a while
75 of 8140 Years of Internet Arms Races
Ches’s wish list
• browsersandbox.org– Uses a .conf file, supplied with browser– Same .conf file for any major OS– Sandbox is impenetrable, no matter what
• I know people have offered solutions for ten years
• I need portability: Linux, FreeBSD, maybe even MSFT, which needs sand boxing in their OS.
76 of 8140 Years of Internet Arms Races
Ches’s wish list(cont.)
• Self-jailing samba
• Self-jailing apache
77 of 8140 Years of Internet Arms Races
Ches’s wish list(cont.)
• USB “key” for every computer
• No big investment for centralized servers
• Open source interface
• Business model: the dongle hardware, not the servers and software– Atalla had this in 1988!
• Different key for system administrator
• Software that doesn’t abuse admin permission– I.e. least privilege
78 of 8140 Years of Internet Arms Races
Conclusions
• Computers are still like my Olds ’88
• They ought to stay that way, to foster creativity and alternatives
• I think we will be getting better, over all