internet security experiences · internet security experiences 1985-2000 and beyond karst koymans...
TRANSCRIPT
.
......
Internet security experiences1985-2000 and beyond
Karst Koymans
Informatics InstituteUniversity of Amsterdam
(version 16.1, 2016/09/05 09:26:35)
Friday, September 9, 2016
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 1 / 52
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 2 / 52
Context and background
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 3 / 52
Context and background
Origins
A personal view on security
Originally presented atSAFE-NLJune 14, 2002
But much of it still applies
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 4 / 52
Context and background
Contents
Some stories. . .
Some thoughts. . .
Some ideas. . .
Some warnings. . .
. . . out of my personal experience
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 5 / 52
General principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 6 / 52
General principles
Security is more than keeping (cr|h)ackers out
Malicious (internal) actions
Unintentional errors
Pure stupidity
NuisancesSPAM, UCE
. . . and much more
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 7 / 52
General principles
Security is strongly related to
Structure
Privacy
Identity
Robustness
Information
Trust
Usability
Anonymity
Laziness
Safety
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 8 / 52
General principles
Important frameworks
AAAWho? (Authentication, Identification)What? (Authorization)When? (Auditing, Accounting)
PKIPublic Key InfrastructureEncryption and privacyHoly grail, difficult to realise
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 9 / 52
Some real life examples
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 10 / 52
Some real life examples
Early days example (1985)
Netbooting on a class B broadcast network
Client machine named “pluto” asks for bootparameters
Talking to server machine named “plato”
Answer came from “outer space” without sensible content
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 11 / 52
Some real life examples
Users of all times (1985-today)
Passwords should satisfyIs at least six characters longContains non-alphanumeric character(s)Is not simple to guess
Choice made by user“John” (in fact it was “Joop”)
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 12 / 52
Some real life examples
Conclusions about users
An easy, but probably wrong, conclusionUsers are stupid
A probably better conclusionUsers have other priorities
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 13 / 52
Some real life examples
Admins of all times (1988-today)
nVIR: early Macintosh virus
Admin comes to check for viruses. . .
Admin collects viruses for a hobby. . .
Before visit. . .
virus-free
After visit. . .
chaos
Source: http://xkcd.com/694/
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 14 / 52
Some real life examples
Xkcd illustration. . .
Source: http://xkcd.com/350/
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 15 / 52
Some real life examples
Conclusions about admins
An easy, but probably wrong, conclusionAdmins are stupid
A probably better conclusionAdmins also make mistakes
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 16 / 52
Some real life examples
Physical security (1992)
Separate servers from clients
Thieves can be very brutal
The case of the PC user. . .. . . behind a Sun workstation
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 17 / 52
Principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 18 / 52
Principles
Postel’s Law
.Definition (Postel’s Law or Robustness Principle)........Be liberal in what you accept, and conservative in what you send.
The exact wording is from RFC 1122 (October 1989)
It is already mentioned in other words in IEN1 111 (August 1979)
Can you see the problems with this principle?
1Internet Experiment NoteKarst Koymans (UvA) Internet security experiences Friday, September 9, 2016 19 / 52
Principles
Correctness principle
.Definition (Correctness principle or Strictness principle)........Be strict in what you accept, and strict in what you send.
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 20 / 52
Principles
The problem with software
Software is made by trial and error
C supports buffer overflows
Viruses, Worms, Trojan Horses
Community reactionsCERT/CC advisories (1988)BugTraq (1993)
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 21 / 52
Insanity. . .
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 22 / 52
Insanity. . .
CERT/CC insanity (1)
CA-1988-01ftpd Vulnerability
also about sendmail and the Morris wormand about passwordless alternative root accounts (uid == 0)and also about bad password choices
. . . (alarming but “innocent”)
CA-1995-01IP spoofing Attacks2 and Hijacked Terminal Connections
2BCP 38 is dated May 2000Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 23 / 52
Insanity. . .
CERT/CC insanity (2)
CA-1995-04NCSA HTTP Daemon for UNIX Vulnerability
Buffer overflow
CA-1995-18Widespread Attacks on Internet sites
NFS, NIS, RPC, Trojans, IP spoofing, . . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 24 / 52
Insanity. . .
CERT/CC insanity (3)
CA-1996-07Weaknesses in Java Bytecode Verifier
CA-1996-11Interpreters in CGI bin Directories
CA-1996-26Denial-of-Service Attack via ping (of death)
Oversized ICMP echo request packetNo length check before reassembly of fragmented packets
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 25 / 52
Insanity. . .
CERT/CC insanity (4)
CA-1997-08Vulnerabilities in INND
Incomplete user input checking
CA-1997-09Vulnerabilities in IMAP and POP
Buffer overflow
CA-1997-20Javascript Vulnerability
Observing the URLs of visited documentsObserving data filled into HTML forms (including passwords)Observing the values of cookies
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 26 / 52
Insanity. . .
CERT/CC insanity (5)
CA-1997-28IP Denial-of-Service Attacks
Teardrop (overlapping IP fragments)Land (spoofed source == destination)
CA-1998-01Smurf IP Denial-of-Service Attacks
Using spoofed ICMP echo requests
CA-1998-08Buffer overflows in some POP servers
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 27 / 52
Insanity. . .
CERT/CC insanity (6)
CA-etc-etcBuffer overflows, Format string vulnerabilitiesTrojans, Misconfigurations, . . .
I just gave up. . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 28 / 52
Insanity. . .
A partial solution
Minimalisation of accessStart with the empty set of servicesOnly add the services you really needNo blacklists, only whitelists
Protect your coreMain serversNetwork equipment
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 29 / 52
Insanity. . .
But the world keeps spinning. . .
CA-1999-02Trojan Horses
CA-1999-04Melissa Macro Virus
CA-1999-07IIS Buffer Overflow
CA-2000-04Love Letter Worm
CA-2002-16Multiple Vulnerabilities in Yahoo! Messenger
CA-. . . -. . .. . . . . . . . . . . . . . . . . . . . . . . .Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 30 / 52
The SNE era
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 31 / 52
The SNE era
The SNE era — an arbitrary example from 2003
CA-2003-26Multiple Vulnerabilities in SSL/TLS Implementations
OpenSSL ASN.1 parser insecure memory deallocationOpenSSL contains integer overflow handling ASN.1 tagsOpenSSL accepts unsolicited client certificate messages
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 32 / 52
The SNE era
The SNE era — an arbitrary example from 2004
CERT advisories become part of Technical Cyber Security Alertshttps://www.us-cert.gov/ncas/alerts/
Technical Cyber Security Alert TA04-293AMicrosoft Internet Explorer contains a buffer overflow in CSS parsingMicrosoft Internet Explorer Install Enginecontains a buffer overflow vulnerability
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 33 / 52
The SNE era
The SNE era — an arbitrary example from 2005
Technical Cyber Security Alert TA05-292AOracle Products Contain Multiple Vulnerabilities
Various Oracle products and components are affectedby multiple vulnerabilitiesThe impacts of these vulnerabilities include unauthenticated,remote code execution, information disclosure, and denial of service
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 34 / 52
The SNE era
The SNE era — an arbitrary example from 2006
Technical Cyber Security Alert TA06-256AApple QuickTime Vulnerabilities
Apple QuickTime movie buffer overflow vulnerabilityApple QuickTime fails to properly handle FLC moviesApple QuickTime Player H.264 Codec contains an integer overflow
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 35 / 52
The SNE era
The SNE era — an arbitrary example from 2007
Technical Cyber Security Alert TA07-355AAdobe Updates for Multiple Vulnerabilities
Adobe Flash Player asfunction protocol may enable cross-site scriptingAdobe Flash Player may load arbitrary,malformed cross-domain policy filesFlash authoring tools create Flash files that containcross-site scripting vulnerabilities
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 36 / 52
The SNE era
The SNE era — an arbitrary example from 2008
Technical Cyber Security Alert TA08-190BMultiple DNS implementations vulnerable to cache poisoning
Insufficient transaction ID spaceMultiple outstanding requestsFixed source port for generating queries
Also known as the (Dan) Kaminsky attack
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 37 / 52
The SNE era
The SNE era — an arbitrary example from 2009
Technical Cyber Security Alert TA09-088AConficker Worm Targets Microsoft Windows Systems
Widespread infection of the Conficker/Downadup wormA remote, unauthenticated attacker could executearbitrary code on a vulnerable system.
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 38 / 52
The SNE era
The SNE era — an arbitrary example from 2010
Technical Cyber Security Alert TA10-348AMicrosoft Updates for Multiple VulnerabilitiesThere are multiple vulnerabilities in
Microsoft WindowsInternet ExplorerOfficeSharepointExchange
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 39 / 52
The SNE era
The SNE era — an arbitrary example from 2011
Technical Cyber Security Alert TA11-200ASecurity Recommendations to Prevent Cyber Intrusions
Almost infinite enumeration of how to eliminate bad habits
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 40 / 52
The SNE era
The SNE era — an arbitrary example from 2012
Technical Cyber Security Alert TA12-024A“Anonymous” DDoS Activity
Low Orbit Ion Cannon (LOIC) DoS-attackActivism
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 41 / 52
The SNE era
The SNE era — an arbitrary example from 2013
Technical Cyber Security Alert TA13-088ADNS Amplification Attacks
Open Recursive Nameserver problem
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 42 / 52
The SNE era
The SNE era — an arbitrary example from 2014
Technical Cyber Security Alert TA14-098AOpenSSL ’Heartbleed’ vulnerability
Bounds/input checking problem: private memory leakageOn servers, but also on clients!
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 43 / 52
The SNE era
The SNE era — an arbitrary example from 2015
Technical Cyber Security Alert TA15-120ASecuring End-to-End Communications
TLS/SSL issuesPOODLE attackAlso applicable to RC4 attack, FREAK, Logjam, . . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 44 / 52
The SNE era
The SNE era — an arbitrary example from 2016
Ransomware and Recent Variants TA16-091ADestructiveFound in healthcare systems and hospitalsLocky
Spreads through spam and Office documents or attachments
Samas
Spreads through vulnerable web servers
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 45 / 52
Conclusions
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 46 / 52
Conclusions
Some misconceptions
Open source is bad for securityNo!. . .. . . proprietary software creates much bigger problems
Security through obscurity is badYes, but not always. . .. . . “parameter obscurity” can be good
Performance is importantOnly hardly ever true. . .. . . structure, modularisation and correctness proofsare much more important
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 47 / 52
Conclusions
Some advice
Avoid complicated, monolithic SWsendmail −→ postfix
Avoid legacyStart over now and then: ruu.nl −→ uu.nlIt is really time for a clean slate approach? It is!
Centralise at the right levelBut make sure that the central resources are at leastas good and knowledgeable as decentralised ones
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 48 / 52
Conclusions
A new era?
Improvements?IPsec, DNSSECSSL, SSHVPNTTP/CA
But alsoNSA, SnowdenGCHQ???
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 49 / 52
Conclusions
Fighting legacy example
IPv6No addressing problems
But some routing challenges
End to end computing
No NATs
Autoconfiguration
Plug and play (+/-)
Integrated IPsec
Security from the start
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 50 / 52
Conclusions
But what happens?
Cisco introduces IPv6 in its routers without initial IPsec support. . .
Why?Because there is no user demand for it. . .. . . SIGH!
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 51 / 52
Conclusions
Fighting legacy
Our biggest problem
No easy solutionsNot in everybody’s interestNeeds revolution, not evolutionScientific, non-commercial effort
Real clean slateBuild new system in parallelIncompatible on purpose
without planned transition mechanisms
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 52 / 52