Internet Security: Are You at Risk? Dan Massey, Colorado State University, November 10, 2004
Some Motivation The asking price for use of a network of 20,000 zombie PCs: $2,000 to $3,000. Such networks typically are used to broadcast spam and phishing scams and to spread e-mail viruses designed mainly to create yet more zombies.
Vulnerabilities and Counter Measures • Vulnerabilities: Why Should You Care • You Receive The Resulting Spam Email • An annoyance if you simply filter or delete the email • A real problem if you believe it and reveal private data. • You May Be The Owner of a Zombie PC • Essentially a PC where attackers have gained access. • Thriving market exists for compromised network PCs • You Rely on Network Based Services • Bank ATMs, airlines, utilities, etc. all make use of networks • Compromised PCs can be used to disrupt networks • or conceal the identity of attackers. • Counter Measures: What features help protect you?
Historical Development • Internet Originally a Small Research Project • Few computers at research centers • Connected via slow (by today’s standard) links • All users are experts on the system • First real “killer application”: email • Planned for Some “Security” Concerns • The main “threat” was that computers or network links might stop working.
Early “Security” Problems • Rare Cases of Malfunctioning Computers • Computer at MIT malfunctioned and most east coast computers could no longer reach the west coast. • Solution: user community teamed up to find and fix the problem. • Rare Cases of Application Misuse • Someone sent an email message announcing a new product that was for sale. • Solution: community instructed the sender to never again send “spam” email and the sender apologized
Spam Email Today From: PowerSafe@citibank.com We recently noticed one or more attempts to log in to your Citibank account from a foreign IP address and we have reasons to believe that your account was used by a third party without your authorization. If you recently accessed your account while traveling to Brasil, the unusual login attempts may have been initiated by you. …<visit some website that will ask for account data>… If you choose to ignore our request, you leave us no choice but to temporally suspend your account.
Countering This Attack • Solution 1: Block Email Before It Enters the Network • Great Deal of Ad Hoc Work In This Area • But hard to control all access points • and often block valid email as collateral damage. • Solution 2: Drop Email Before It Reaches Receiver • Hard to determine valid vs. invalid senders • Solution 3: Drop or Ignore the Message at Receiver • The only defense that will save me in this case. • But fortunately we have a solid solution…
Cryptographic Counter Measures • The Solution: Cryptographic Magic Happens • Citibank establishes a key pair • Private key is known only to Citibank • Public key is published and known by all • Enables Secure Communication with Citibank • I encrypt my account number using the Citibank public key. • Send the encrypted data to the requestor • Only someone with the private key can decrypt. • Result: Attacker just gets an encrypted mess • No need for you or Citibank to worry about this email.
Does This Work in Practice? • Do You Encrypt Confidential Data Using Public Key Cryptography? From My Bank’s Website: At (BigBank), ensuring the security of your online information is important to us, and that's why you can rest assured that no one but Wells Fargo has access to your information. Signing on to view your accounts from the (BigBank) Home Page is safe. The moment you click the Sign On button, your username and password are encrypted using Secure Sockets Layer (SSL) technology, keeping your information secure.
Your Role in the System • In theory, we have fixed the problem… • The Problem: Cryptographic Magic Happens • Several Important Assumptions About You • You will only send data over encrypted channels. • You will obtain the correct Public Key for Citibank • You will encrypt data with the correct key. • No point encrypting your data with the attacker’s key! • In practice, the system really relies on you ignoring the email message. • Otherwise Citibank and you share the damages.
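The two slides above make one argument: public-key encryption protects the account number only if it is encrypted under the key that really belongs to Citibank. The following is an added example (not from the talk) that plays both paths with textbook RSA. The primes, key sizes, account number and the names Citibank/attacker are constructed for illustration; tiny unpadded RSA like this is for showing the key-ownership point only and is not secure for real use.

```python
"""Toy RSA: who can read an account number depends on whose public key was used.

Added illustration, not code from the talk. Textbook RSA with small primes
and no padding: fine for the argument, unusable as real cryptography.
"""
from math import gcd

ACCOUNT = 123456789  # constructed "account number" the user wants to send


def keygen(p, q, e=65537):
    """Return (public, private) RSA keys from two primes p, q (constructed inputs)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m):
    """RSA encryption: c = m^e mod n. The plaintext must be smaller than n."""
    n, e = public
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private, c):
    """RSA decryption: m = c^d mod n. Only the holder of d can do this."""
    n, d = private
    return pow(c, d, n)


# Two independent key pairs: the bank's, and one the attacker generated.
CITIBANK_PUB, CITIBANK_PRIV = keygen(1000003, 1000033)
ATTACKER_PUB, ATTACKER_PRIV = keygen(999983, 1000039)


def scenario(user_trusts_attacker_key):
    """Encrypt ACCOUNT with whichever public key the user was led to trust.

    Returns which party can recover the account number. With the genuine
    key only Citibank can; with a phished key only the attacker can.
    """
    key_used = ATTACKER_PUB if user_trusts_attacker_key else CITIBANK_PUB
    c = encrypt(key_used, ACCOUNT)
    return {
        "citibank_reads": decrypt(CITIBANK_PRIV, c) == ACCOUNT,
        "attacker_reads": decrypt(ATTACKER_PRIV, c) == ACCOUNT,
    }


if __name__ == "__main__":
    print("correct key: ", scenario(user_trusts_attacker_key=False))
    print("phished key: ", scenario(user_trusts_attacker_key=True))
```

The math is the same in both runs; what differs is the human step of obtaining the right key. In a browser that step is the X.509 certificate check the later slide alludes to, which is why a phishing page with its own (or no) certificate must be refused before any "cryptographic magic" happens.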
Internet Risks So Far • Attackers Seek Your Private Data • Your job is to protect this information • Defense 1: I’m smart enough to ignore spam email • Ideally because you know the attacker doesn’t have the right X.509 certificate. • Defense 2: I pick hard-to-crack passwords and change them. • Defense 3: I’m a student and my bank account is already empty. • You are probably more valuable as a Zombie!
Compromised PCs • Network PCs are a valuable commodity • Provides attackers with resources (CPU, disk) • Makes tracking attackers difficult • Enables Distributed Denial of Service Attacks • Real and Thriving Market in Hacked PCs • Network Security Discussion from NANOG: One problem hackers face: “Botnets (compromised PC collections) contain too many government computers”
How Can This Happen • From “Secrets and Lies” by Schneier (all old issues, so don’t try them!) • Under certain conditions, a malformed clip art file can let arbitrary code execute on the user’s computer. • MS Explorer 5.0 allows an attacker to set up a Web page giving him the ability to execute any program on a visitor’s machine. • Vulnerabilities in complex software are unavoidable. The System Relies on You to Install Updates
Impact of Compromised PCs A visit from the FBI By Scott Granneman, SecurityFocus Posted: 28/01/2004 at 13:02 GMT A favorite trick is to surreptitiously turn on the Webcam of an owned computer in order to watch the dupe at work, or watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from impounded machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself any longer, and starts to insult or mock or screw with the duped owner. <snip> A man was working a crossword puzzle online when the hacker helpfully suggested a word for 14 Down
Impact of Compromised PCs • More Serious (non-webcam) Consequences • Attacker has access to your files • Logs your keystrokes • Gains data about you • Real Goal is Likely Something Larger • Your PC provides the attacker a hiding place • Provides resources • Provides bandwidth
Distributed Denial of Service • Attackers Control Massive Resources • Networks of 100,000+ compromised PCs • Each PC can send thousands of messages/sec • What if one directs all messages at a single site? • Example: • attacker selects www.colostate.edu as target • Directs all zombies to send data to the target as fast as possible • Consumes all available resources at the target • No bandwidth, no CPU, etc. to handle valid requests. • How Do You Defend Against This? • Answer today: largely ad hoc filtering
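The slide's closing point, that the defense today is ad hoc filtering, is easiest to see by running such a filter over traffic. The following is an added example (not from the talk) with a constructed request log and a constructed per-source rate rule: the same filter that stops one flooding host does nothing against a botnet in which every zombie stays under the per-source threshold, because the damage comes from the aggregate. The capacity figure, thresholds, IP ranges and request rates are all made-up values chosen to show the shape of the problem.

```python
"""Per-source rate filtering against a single flooder vs. a botnet.

Added illustration, not code from the talk. All traffic below is
constructed; a request is the pair (second, source_ip).
"""
from collections import Counter

TARGET_CAPACITY = 5000      # constructed: requests/sec the site can serve
PER_SOURCE_LIMIT = 50       # constructed ad hoc rule: drop sources above this rate


def traffic(sources, per_source_rate, seconds=1):
    """Constructed log: every source sends per_source_rate requests each second."""
    return [(t, s) for t in range(seconds) for s in sources for _ in range(per_source_rate)]


def per_source_filter(requests, limit=PER_SOURCE_LIMIT):
    """Keep only requests from sources sending at most `limit` per second.

    This is the kind of ad hoc rule a site can deploy on its own: it needs
    no knowledge of who the attacker is, only of how loud each source is.
    """
    rate = Counter(requests)  # (second, src) -> requests in that second
    return [r for r in requests if rate[r] <= limit]


def peak_load(requests):
    """Highest per-second request count that reaches the server after filtering."""
    survivors = per_source_filter(requests)
    per_second = Counter(t for t, _ in survivors)
    return max(per_second.values(), default=0)


def legit_traffic():
    """100 ordinary users, one request each (constructed)."""
    return traffic([f"198.51.100.{i}" for i in range(100)], per_source_rate=1)


def single_flooder():
    """One host sending 100,000 requests/sec on top of legitimate traffic."""
    return legit_traffic() + traffic(["203.0.113.7"], per_source_rate=100_000)


def botnet_flood():
    """10,000 zombies at 10 requests/sec each: same 100,000 req/s, spread thin."""
    zombies = [f"10.0.{i // 256}.{i % 256}" for i in range(10_000)]
    return legit_traffic() + traffic(zombies, per_source_rate=10)


def overwhelmed(requests):
    """True when the load surviving the filter exceeds what the target can handle."""
    return peak_load(requests) > TARGET_CAPACITY


if __name__ == "__main__":
    for name, log in (("single flooder", single_flooder()), ("botnet", botnet_flood())):
        print(f"{name}: {peak_load(log)} req/s reach the server, overwhelmed={overwhelmed(log)}")
```

Tightening the per-source limit below the zombies' rate would also drop the legitimate users, which is the "collateral damage" tradeoff the spam slides already noted; distinguishing 10,000 quiet zombies from 10,000 real visitors is what makes the defense ad hoc.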
DDoS Remains a Real Threat Akamai DDoS Attack Whacks Web Traffic, Sites By Chris Gonsalves June 15, 2004 An apparent DDoS (distributed denial of service) attack on the DNS run by Akamai Technologies Inc. slowed traffic across the Internet early Tuesday and brought the sites of the firm's major customers to a screeching halt for roughly two hours.
Worms and Network Design • Assumed there is some important purpose for the communication • Ex: data and resources used in calculations to find a cure for cancer. • Resource Identification Success • Found and made use of 75K computers on 6 continents • Located 90% of available resources in 10 minutes • Routing and Transport Success • UDP transport provided successful, simple best-effort delivery • Network routing delivered packets from one end of the globe to the other • Of Course Some Challenges Still Remain… • Unforeseen interactions resulted in canceled airline flights, ATM failures… • The actual purpose: to exploit a known Microsoft security hole. These 75K computers did not want to provide resources!
Network Security Today • Designed a Robust Network That Finds a Way to Deliver Data • Now recognize some data shouldn’t be delivered. • Strong Theoretical Models To Block Attacks • But typically assume expert configuration and informed users. • Open Research Challenge: Build Robust and Secure Networks That Survive Both Failures and Attacks
Challenges To You • Network Security Depends On You • Use security models when possible • Update and patch your PC • Help Us Build the Necessary Systems • Need approaches that apply state-of-the-art mathematics and computer science. • But must also assume human errors and lack of expertise. • Many open challenges…