Vulnerabilities of Contemporary Information and Communication Technologies
Vulnerabilities of Contemporary Information and Communication Technologies and Impact on Societies. Dr. Klaus Brunnstein, Professor for Application of Informatics, University Hamburg. World Summit on Information Societies, Geneva, December 11, 2003.

Outline:

  1. Perspectives: Industrial versus Information Society
  2. Risks inherent in contemporary ICTs
  3. Impacts: Towards a „Risk Society“?


Perspectives: Industrial versus Information Society
1.1 From Industrial to Information Societies:

Table (slide graphic): sectors of physical goods (A: Resources, B: Products, C: Services) and virtual goods (D: Resources, E: Products), rated by importance from + to +++ across three stages:

  • Pre-Industrial: physical: Agriculture +++, Manufacture ++, Transport ++, Organisation +; virtual: KnowHow +, Books +, Media +

  • Industrial: physical: Industry +++, Agriculture ++, Transport ++, Management ++; virtual: KnowHow ++, IPR +, Public Info +, Media +

  • I-Economy / I-Society: physical: Industry ++, Agriculture +, Transport ++; virtual: I-Production / I-Commerce +++, I-Access +++, I-Bases +++, Virtual Transport +++, and Virtual Organisation (arrow across the sectors on the slide)


Perspectives: Industrial versus Information Society
1.2 Trends: Schumpeter/Kondratieff Cycles

  • Schumpeter/Kondratieff model for industrial development (international competition), covering the last two phases of the Industrial Society (supply side of markets)

  • Model applied to generic technology and extended „backward“ to the preceding phases (1-2):

    • Phase 1 (1760+): Steam-driven stationary engine

    • Phase 2 (1810+): Steam-driven mobile engine

    • Phase 3 (1860+): Oil-driven engines

    • Phase 4 (1910+): Electricity-driven engines, networks = precondition for computing/networking!

    • Duration of cycles: about 40-50 (~45) years


Perspectives: Industrial versus Information Society
1.3 Cycle Theory & Information Economies

Assumption: „History repeats, though differently“

Adaptation of the Schumpeter/Kondratieff model:

  • Phase 1 (1940+): Computer: Mainframe .. PC .. Chips; stationary, local code/control; computer companies support economic development

  • Phase 2 (1985+): LAN ... WAN, mobile code/agents, data searching & mining, value-added services; network companies lead development

  • Phase 3 (2030+): ??? (Nano miniaturization: Quantum/Optical Computing) ???

  • Phase 4 (2075+): ???


Perspectives: Industrial versus Information Society
1.4 Trends: Changing Relations: „e-Relations“

Diagram (slide graphic): the actors Government, Business, Organisations and Citizen (as Customer, User, Patient) are linked by the e-relations G2B, B2G, G2G, B2B, B2O, O2C, G2C, C2G, B2C, H2B, B2H and H2H. Example applications: E-Commerce, E-Banking, E-Voting, E-TaxDeclaration, Electronic AGORA, HealthCare/E-Care, E-Fun/E-Gaming, E-Learning, I-Search; daily-life application areas: Leisure, Science, Education, Libraries.


Perspectives: Industrial versus Information Society
1.5) 2005: 100 Mio servers, 1000 mio clients, 10,000 smart devices

Diagram (slide graphic): a TCP/IP-based Wide Area Network (WAN) connecting Local Area Networks (LAN), secure LANs and secure clients with semi-/insecure clients and next-generation ubiquitous computing (U.C.) devices: M-devices, wearware, ePDA, car management system, ... PDA = Personal Digital Assistant; ePDA = enhanced PDA (communication, agents, ...).


Perspectives: Industrial versus Information Society
1.6 Trends: Daily life with smart devices

Scenario: a daily-life application:

„After a hard day of meetings, you are heading home, where you have invited several friends for a party. While you are activating your Car Management System (CMS) and starting your car, your Personal Electronic Transactor (PET), which is built into your watch, connects to your Household Management System (HMS) to analyse whether all your stored preferred resources (red wine, cheese & sausage) are readily available. As the stock of red wine bottles needs replenishing, HMS instructs CMS to show the route to your wine shop, including a detour around a current traffic jam, and PET will display the itinerary and requirements to you ......“

{ More examples: „nomadic distributed computing“ }


Risks inherent in contemporary ICTs
2.1 Risk Classes

Risk Class 1: IT Paradigms

  • System complexity: WYSIWYG and WYRIWIR don't apply

  • Interoperability of incompatible systems: risky scripts

Risk Class 2: Basic IT concepts

  • e.g. Internet Protocol: „IP considered harmful“

Risk Class 3: Implementation (SW techniques, languages)

  • No assurance of functions & features

  • Language dominates the perception of programmers (Java, script kiddies)

  • Language weaknesses: malware easy to write

Risk Class 4: Installation and Administration

  • Difficult to audit, dependency upon experts

Risk Class 5: User-induced risks

  • Users canNOT understand what is going on in complex systems

  • Ill-guided minds find easy ways to gain control over other systems and the content of other users!


Risks inherent in contemporary ICTs
2.2 Complex Systems cannot be controlled

Survey of the architecture of contemporary systems (slide diagram, top to bottom, with the order of magnitude of code at each layer):

  • Presentation layer: WYSIWYG (What You See Is What You Get), O(100 MB)

  • Application layer, O(GB-TB)

  • System layer: organisation of resources (storage, processor, devices); problem solving (deadlocks etc.); security services; process support, O(1 GB)

  • Firmware, drivers

  • Hardware layer: processor, storage, bus; connections to devices (bus) and network (net)

WYSIWYG principle does NOT hold (even for experts)



Risks inherent in contemporary ICTs
2.3A Software Bugs: CERT/CC reports 11/2002..03/2003

CERT Summary CS-2003-01

March 21, 2003

Source: CERT/CC Current Activity

http://www.cert.org/current/current_activity.html

1. Buffer Overflow Vulnerability in Core Windows DLL

2. Remote Buffer Overflow in Sendmail

3. Increased Activity Targeting Windows Shares

4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code

5. MS-SQL Server Worm

6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)

7. Multiple Vulnerabilities in SSH Implementations

8. Buffer Overflow in Microsoft Windows Shell

9. Double-Free Bug in CVS Server

10. Buffer Overflow in Windows Locator Service

Colour code (on the slide): vulnerabilities related to Microsoft / to other software manufacturers; vulnerabilities with serious impact (enterprises ...)



Risks inherent in contemporary ICTs
2.3B Software Bugs: CERT/CC reports 04/2003..06/2003

CERT Summary CS-2003-02

June 3, 2003

1. Integer overflow in Sun RPC XDR library routines

2. Multiple Vulnerabilities in Lotus Notes and Domino

3. Buffer Overflow in Sendmail

4. Multiple Vulnerabilities in Snort Preprocessors



Risks inherent in contemporary ICTs
2.3C Software Bugs: CERT/CC reports 07/2003..09/2003

CERT Summary CS-2003-03

September 8, 2003

1. W32/Sobig.F Worm

2. Exploitation of Vulnerabilities in Microsoft RPC Interface

a. W32/Blaster Worm

b. W32/Welchia

3. Cisco IOS Interface Blocked by IPv4 Packet

4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer

a. Buffer Overflow in Microsoft Windows HTML Conversion Library

b. Integer Overflows in Microsoft Windows DirectX MIDI Library

c. Multiple Vulnerabilities in Microsoft Internet Explorer

5. Malicious Code Propagation and Antivirus Software Updates

Colour code (on the slide): vulnerabilities related to Microsoft / to related application software



Risks inherent in contemporary ICTs
2.3D Software Bugs: CERT/CC reports 10/2003..11/2003

CERT Summary CS-2003-04

November 24, 2003

1. W32/Mimail Variants (added: plus Paylap variants)

2. Buffer Overflow in Windows Workstation Service

3. Multiple Vulnerabilities in Microsoft Windows and Exchange

4. Multiple Vulnerabilities in SSL/TLS Implementations

5. Exploitation of Internet Explorer Vulnerability

6. W32/Swen.A Worm

7. Buffer Overflow in Sendmail

8. Buffer Management Vulnerability in OpenSSH

9. RPCSS Vulnerabilities in Microsoft Windows


Risks inherent in contemporary ICTs
2.4 Distributed Denial-of-Service Attacks (DDoS)

Experienced DDoS attacks of February 2000. Known victims: Amazon, eBay, Yahoo, ...

Diagram (slide graphic): the attacker deploys „zombie“ code (attack programs waiting for a signal to attack) on servers in business LANs, then triggers the attack against the victims. Attacker: Mafiaboy (15 yr), Canada, using TRINOO; the attacker deploys TRINOO and triggers the attack.


Risks inherent in contemporary ICTs
2.5 Attacks on Internet: RootDNS Attacks

Diagram (slide graphic): Domain Name Servers map names to addresses (bank1.com = IP address1, Govt2.org = IP address2, User3.edu = IP address3, ...). The Top Level Domains (com, org, edu ...; ch, de, tv, ...) are served by the InterNIC DNS root servers A to M, distributed over USA East, USA West, Europe and Asia; intranets such as Bank1.com or Bank2.ch depend on them. Attack: Oct. 21, 2002, 23:00, for 1 hour, from ~6000 attack sites.
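The resolution chain in the diagram, as an added simulation (constructed here, not material from the presentation): resolution keeps working as long as any one of the 13 root servers still answers, and once none does, only names already in the resolver's cache resolve. Server names, zone contents and addresses are made up.

```python
# Constructed simulation (not the presentation's code): iterative DNS
# resolution over a redundant root-server set. All names, zone contents
# and addresses are made up (RFC 5737 documentation addresses).

ROOT_SERVERS = list("ABCDEFGHIJKLM")   # the 13 root servers A..M

ZONES = {
    # root zone refers each TLD to its TLD server
    "root": {"com": "tld-com", "org": "tld-org", "edu": "tld-edu", "ch": "tld-ch"},
    # TLD zones refer each domain to its authoritative server
    "tld-com": {"bank1.com": "ns.bank1.com"},
    "tld-org": {"govt2.org": "ns.govt2.org"},
    "tld-edu": {"user3.edu": "ns.user3.edu"},
    "tld-ch": {"bank2.ch": "ns.bank2.ch"},
    # authoritative zones hold the final answer
    "ns.bank1.com": {"bank1.com": "192.0.2.1"},
    "ns.govt2.org": {"govt2.org": "192.0.2.2"},
    "ns.user3.edu": {"user3.edu": "192.0.2.3"},
    "ns.bank2.ch": {"bank2.ch": "198.51.100.2"},
}

def resolve(name, unreachable=frozenset(), cache=None, log=None):
    """Resolve `name` like a recursive resolver: root -> TLD -> authoritative.
    `unreachable`: servers that do not answer (e.g. flooded by a DDoS);
    `cache`: the resolver's cache; `log`: collects every server queried.
    Returns the address, or None when resolution fails."""
    log = log if log is not None else []
    if cache is not None and name in cache:
        log.append("cache")
        return cache[name]              # cached answer needs no root at all
    # Step 1: try the roots in turn; any single surviving root suffices.
    tld_server = None
    for root in ROOT_SERVERS:
        log.append(root)
        if root not in unreachable:
            tld_server = ZONES["root"].get(name.rsplit(".", 1)[-1])
            break
    if tld_server is None or tld_server in unreachable:
        return None                     # no root answered, or unknown TLD
    log.append(tld_server)
    # Step 2: the TLD server refers us to the authoritative server.
    auth_server = ZONES[tld_server].get(name)
    if auth_server is None or auth_server in unreachable:
        return None
    log.append(auth_server)
    # Step 3: the authoritative server answers; remember it in the cache.
    address = ZONES[auth_server].get(name)
    if address is not None and cache is not None:
        cache[name] = address
    return address
```

Passing `unreachable=frozenset(ROOT_SERVERS)` models the case where every root is silent, and the `log` list shows how many servers a single lookup had to try.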


Risks inherent in contemporary ICTs
2.6 Pandora Box: Viruses, Worms, Trojans, Spyware

Diagram (slide graphic): application programs processing valuable information assets run on supporting systems (operating/database systems, script-language interpretation, language processing) over a network OS. Threats by access path: local access: Trojan horses, backdoors, traps; network access: spoofing, sniffing, data hijacking, DDoS ...; viruses and worms arriving via webmail etc.


Impacts: Towards a „Risk Society“?
3.1 Options for handling risks

Option 1: Deliberate decision: Don't use!

Option 2: Don't care! Enjoy! (Preferred mode of young users)

Option 3: „Educated user“: Learn to understand the risks, try to reduce them and act in cases of emergency.

Option 4: Try to anticipate and avoid risks! (Presently NOT POSSIBLE!)


Impacts: Towards a „Risk Society“?
3.2 Impact of Insecurity under „Don't Care!“

Impact of insecure systems: towards a „risk society“

  • Loss of Control

  • Loss of Productivity (e-jobs) & Connectivity

  • Loss of Trust

  • Loss of Confidentiality

  • Loss of Privacy


Impacts: Towards a „Risk Society“?
3.3 Educated users and ICT risks:

Learning to understand the threats of contemporary ICTs, and how to protect against them:

3A) Software bugs: critical software updates („patching“)

3B) Integrity threats: computer viruses, worms; trojan horses, spyware; countermeasure: anti-malware

3C) (Hacker) attacks from networks: filtering addresses and services (ports): firewalls

3D) Loss of authenticity: spoofing, man-in-the-middle attacks; protection of authenticity: passwords vs. biometrics

3E) Loss of confidentiality: protection through encryption (symmetric, asymmetric)

3F) Loss of function in networks: Denial-of-Service attacks; solution through redundant architecture

3G) Distinguish between useful and useless (SPAM) email

