Security
Networked Society, Networked Science
Erik Poll, Digital Security, Radboud University Nijmegen
Overview • Security problems in our networked digital society • Root causes and drivers of security problems • Mechanics • how do security attacks work? • how does internet design fail to prevent this? • Privacy • in the face of the data explosion
Computers • PC/laptops • mobile phones • smartcards: SIM, credit card, ov-chip, passport • car navigation systems • cars, trains, planes • embedded systems • control of industrial systems, power grid, ...
The digital era Three stages • mainframes and PCs in companies • PCs & laptops everywhere – at home and the office – connected to internet forming one virtual digital world • mobile computers (smartphones, tablets, …) everywhere, merging physical and virtual worlds to one cyber-physical reality
Power of computer networks • Computer networks – and the internet as prime example – offer huge possibilities • but also: • huge possibilities for abuse • our increasing reliance on it can make us vulnerable • and make abuse more interesting for the bad guys
North east blackout August 14, 2003
Two root causes of security problems • Software Computer programs are the most complicated artefacts produced by humans. We do not know how to build large computer programs without bugs. • Networks Problems can be exploited remotely and can spread quickly
Software & security problems To get an impression of the scale of the problem, look at these websites for recent software security flaws http://www.us-cert.gov/cas/bulletins http://www.securitytracker.com/ http://www.securityfocus.com/vulnerabilities
Software & security problems Computers are digital, discrete systems and not analogue, continuous systems • Paradox: the absence of error margins and tolerances does not make digital systems easier to analyse: if analogue car brakes work at 40 km/h, they work at 20 km/h and any value in between, but a digital brake could fail at – and only at – 32.767 km/h • The butterfly effect can cause chaotic behaviour in analogue systems over time, but a single bit change can cause chaos in digital systems straight away
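An added illustration of the digital brake paradox (not from the original slides). It assumes a hypothetical controller that keeps speed in metres per hour in a signed 16-bit register, so its range tops out at 32.767 km/h; the function names and the braking formula are invented for the example.

```python
import ctypes

def to_int16(x):
    """Wrap an integer the way a signed 16-bit register would."""
    return ctypes.c_int16(x).value

def brake_force_buggy(speed_mh):
    """Hypothetical controller: braking force is half the speed, rounded up.
    The intermediate speed_mh + 1 lives in a signed 16-bit register."""
    rounded = to_int16(speed_mh + 1)   # 32767 + 1 wraps to -32768
    return max(0, rounded // 2)        # negative force is clamped to "no braking"

def brake_force_fixed(speed_mh):
    """Same formula, but the intermediate is computed at full width."""
    return max(0, (speed_mh + 1) // 2)

def failing_speeds(controller, speeds):
    """Return the speeds (metres per hour) at which no braking force is applied."""
    return [s for s in speeds if controller(s) == 0]

# Spot checks at 10, 20 and 30 km/h find nothing ...
SPOT_CHECKS = [10_000, 20_000, 30_000]
# ... only a sweep over every representable non-zero speed finds the one bad value.
ALL_SPEEDS = range(1, 32_768)

if __name__ == "__main__":
    print(failing_speeds(brake_force_buggy, SPOT_CHECKS))
    print(failing_speeds(brake_force_buggy, ALL_SPEEDS))
    print(failing_speeds(brake_force_fixed, ALL_SPEEDS))
```

Testing at a few speeds and interpolating, which is sound for an analogue brake, says nothing here: the single failing input is found only by checking every discrete value.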
Network problems: Slammer Worm (5:29 am, Jan 25, 2003) Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver
Network problems: Slammer Worm (6:00 am, 25 Jan, 2003) Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver
A third cause of security problems: humans • Humans make lousy security decisions, have a hard time assessing online risks, fall for silly scams, choose predictable and short passwords ... • eg. phishing, scareware A root cause: on the internet we lack the context that we use in the physical world to make security decisions
Nigerian 419 scams • predates internet and email • named after article 419 of the Nigerian criminal code • recent variant: email from a friend on holiday abroad whose email account has been hijacked in an internet cafe
Phishing Variant: spear-phishing aka whaling: targeted phishing attack on one person (with personalised email) who is very rich (a whale)
Scareware of course, the “free scan” will install malware
Malware Some security attacks only need a gullible human user... • eg the phishing, scareware, etc Some security problems involve malware (malicious software) • worms, viruses, trojans, ...
How does malware spread? • worm: malware that spreads autonomously • virus: malware in a file (pdf, word document, jpg, ...) that needs to be opened by a program to do damage; spreading requires human interaction • even if it is just opening an attachment or visiting a webpage • Trojan horse: malware that is part of an apparently benign program that the user will willingly download & install, but with hidden malicious functionality • eg. free version of a game with a backdoor for remote login
What does malware do? • send out spam NB the vast majority of all email (> 80 - 90%) is spam • carry out Denial of Service (DoS) attacks • steal usernames with passwords, intercept internet banking, ... • rootkit hides deep in the operating system and waits for instructions as part of a botnet • eg to steal information, carry out Distributed Denial of Service (DDoS) attacks,...
botnet example: Pobelka • Pobelka was an instance of the Citadel botnet • Citadel is software to create botnets, that you can buy or download • This botnet infected around 200,000 computers, mainly in the Netherlands and Germany • It was taken down early 2013 • The command-and-control server collected 750 Gbyte of data stolen from infected machines • including from Radboud University and UMC
Who does this? • hobbyists and script kiddies • hacktivists • criminals • nation states
Internet banking fraud in the Netherlands by infected computers, fake websites or by phone NB this is a serious branch of organised crime, not done by clever teenagers Cyber crime is highly organised and specialised, with different people selling different products & services: producing malware, selling or renting infected machines, selling credit card numbers, ... [Source: NVB]
Security goals Confidentiality, Integrity, Availability = CIA • Confidentiality • who can access which data? • a special case for personal data: privacy • Integrity • is the data genuine? • who can add or modify data? • Availability • is data or are services available?
Conflicts • There is no clear and fixed meaning of what “secure” means • There can be trade-offs between CIA objectives • for instance, cloud services • using gmail for your mail rather than storing it locally on your computer • using flickr.com for your holiday photos can be good for availability, but may be bad for confidentiality
Security goal: Authentication Authentication = ensuring that some entity is who they say they are This pre-supposes some notion of identity (name, IP address,...) Authentication can be done using • passwords • cryptography • biometry: recognising physical characteristics, such as face, voice, fingerprints
How does the internet work? • Security was not a design goal for the internet • surprising, as the origins of the internet are networks for military applications • resilience was a design goal
Fundamental problems on the internet • who are you? • who is this website you talk to? [Diagram labels: internet, internet bank]
IP basics • Home PC and website identified by IP address: unique address of individual computer • Web browser requests webpage, web server returns webpage • IP packet with source and destination IP address • IP packet as reply back to source IP address [Diagram: home PC, IP address 18.104.22.168; web site (web server), IP address 22.214.171.124]
Third party content • A web page returned by a website will usually contain content from other websites, which the browser will immediately fetch • www.nu.nl/pagina.html contains images from youtube.com, facebook like button, ... • lots of other requests to other websites [Diagram: home PC, IP address 126.96.36.199; web site (web server), IP address 188.8.131.52]
(Lack of) anonymity in normal internet use • any website you visit knows your IP address • as do all websites that provide third-party content to this website • ISPs and telcos report which person uses which IP address & telephone number to a central point for law enforcement In the Netherlands: Centraal Informatiepunt Onderzoek Telecommunicatie (CIOT); consulted 2.9 million times/year in 2009 [Source: Bits of Freedom, bof.nl]
reality myth Welcome user29. (IP address: 184.108.40.206) RU Nijmegen, NL; male german shepherd, 4 yrs old, neutered, interests: dogfood cats [Peter Steiner,1993]
Cookies Cookies are installed by a website in the browser to • maintain a session after the user logs in • after logging in to gmail or facebook, a cookie is stored on your machine to authenticate you, so that you don’t have to log in for the next N hours • record user preferences • eg information in English or Dutch • track a user across many websites • eg for targeted aka behavioural advertising
Cookies After the first visit to facebook.com to log in, you receive a cookie • IP packet to log in to facebook.com • IP packet as reply, including cookie • home PC will store the facebook cookie [Diagram: home PC; web site facebook.com]
Cookies • Cookie is sent along with every subsequent IP request to facebook.com. • Also when you visit any page with a facebook like button • Viewing one website can mean getting & sending cookies from/to many others! • IP packet with cookie for facebook.com • IP packet as reply [Diagram: home PC with cookies stored on it; web site facebook.com]
IP address spoofing • IP addresses are not trustworthy and can be spoofed: a computer with IP address X can send IP packets giving spoofed IP address Z as source instead of X • This can be abused in DDoS attacks • to hide the real origin • to amplify the attack
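An added simulation of the cookie mechanism on the last three slides (not part of the original slides): a toy browser keeps one cookie per host and sends it with every request to that host, including requests for embedded third-party content. The class names, the cookie format and the site shop.example are assumptions made for the example.

```python
import itertools
from urllib.parse import urlsplit

class Site:
    """Toy web server: issues an ID cookie on first contact, logs every request."""
    def __init__(self, host, embeds=()):
        self.host, self.embeds = host, list(embeds)
        self.log = []                          # (cookie value, referring page)
        self._ids = itertools.count(1)

    def handle(self, cookie, referer):
        if cookie is None:                     # no cookie yet: set one
            cookie = f"{self.host}-user{next(self._ids)}"
        self.log.append((cookie, referer))
        return cookie, self.embeds             # cookie + hosts of embedded content

class Browser:
    def __init__(self, web):
        self.web, self.jar = web, {}           # jar: host -> cookie value

    def _request(self, host, referer):
        cookie, embeds = self.web[host].handle(self.jar.get(host), referer)
        self.jar[host] = cookie                # stored, then sent on later requests
        return embeds

    def visit(self, url):
        host = urlsplit(url).hostname
        for embed_host in self._request(host, referer=None):
            self._request(embed_host, referer=url)   # fetched automatically

def pages_seen_by(site, cookie):
    """Pages on other sites that `site` can link to one cookie."""
    return [ref for c, ref in site.log if c == cookie and ref]

def demo():
    # Constructed web: two pages embed a facebook like button.
    web = {s.host: s for s in (
        Site("facebook.com"), Site("youtube.com"),
        Site("www.nu.nl", embeds=["facebook.com", "youtube.com"]),
        Site("shop.example", embeds=["facebook.com"]))}
    browser = Browser(web)
    for url in ("https://facebook.com/", "https://www.nu.nl/pagina.html",
                "https://shop.example/cart"):
        browser.visit(url)
    return {h: pages_seen_by(web[h], browser.jar[h])
            for h in ("facebook.com", "youtube.com")}

if __name__ == "__main__":
    print(demo())
```

The user typed facebook.com only once, yet the same cookie arrives at facebook.com from both other sites, which is what lets a third party reconstruct a browsing history.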
Abusing IP basics for DDoS: hiding origin • many IP requests with spoofed source address to hide identity of the bots [Diagram: botnet command and control centre; bots (ie infected computers); DDoS target xxx.yyy.zzz.ww]
Abusing IP basics for DDoS: amplification • small IP requests with target address as the spoofed source address • larger IP responses sent to target [Diagram labels: A, B; botnet command and control centre; bots (ie infected computers); DDoS target xxx.yyy.zzz.ww]
Big data • What does Google know about you? • What does your internet provider know about you? • What does your telephone company know about you?
“Big data” • “Big data”: huge quantities of data kept by companies • NB ‘free’ services (gmail, facebook, ..) are paid for with ads and by collecting personal information for marketing: if you are not paying for it, then you are the product being sold
Anonymity? • Even without IP addresses and cookies, your browser configuration may uniquely identify you, eg. • browser version • various settings in browsers • plugins installed • fonts installed • ... Try it at http://panopticlick.eff.org
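An added defender-side sketch for the amplification slide (not part of the original slides): seen from the target, the attack shows up as responses it never asked for. The flow-record format, the addresses (documentation ranges) and the function name are constructed for the example.

```python
from collections import Counter, defaultdict

MY_HOST = "192.0.2.10"   # constructed address of the host being protected

# Constructed flow records at the target's border: (source, destination, bytes, kind)
FLOWS = [
    (MY_HOST,         "198.51.100.53", 60,   "request"),
    ("198.51.100.53", MY_HOST,         120,  "response"),   # answers our request
    ("203.0.113.7",   MY_HOST,         3000, "response"),   # we never asked
    ("203.0.113.7",   MY_HOST,         3000, "response"),
    ("203.0.113.9",   MY_HOST,         2800, "response"),
    ("198.51.100.53", MY_HOST,         3000, "response"),   # second reply to one request
]

def unsolicited_responses(flows, host):
    """Bytes of responses per sender that match no outstanding request from `host`.

    A request carrying the target's address as spoofed source makes the reply
    go to the target, so the target sees a response without a request.
    """
    outstanding = Counter()            # peer -> requests still awaiting a reply
    unsolicited = defaultdict(int)     # peer -> bytes of unmatched responses
    for src, dst, size, kind in flows:
        if kind == "request" and src == host:
            outstanding[dst] += 1
        elif kind == "response" and dst == host:
            if outstanding[src] > 0:
                outstanding[src] -= 1  # each request accounts for one response
            else:
                unsolicited[src] += size
    return dict(unsolicited)

if __name__ == "__main__":
    for peer, size in sorted(unsolicited_responses(FLOWS, MY_HOST).items()):
        print(f"{peer}: {size} bytes of unsolicited responses")
```

The senders flagged here are the machines that answered the spoofed requests, not the bots: the true origin stays hidden, as the previous slide describes.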
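An added worked example of why a browser configuration can identify a user (not part of the original slides, and not the Panopticlick code): each attribute alone is shared with many other browsers, but the combination shrinks the anonymity set quickly. The eight-browser population and the attribute values are constructed.

```python
import math

ATTRS = ("version", "language", "plugins", "fonts")

# Constructed population of eight browser configurations (not measured data).
_ROWS = [
    ("Firefox 24", "nl", "Flash",      "Arial,Times"),
    ("Firefox 24", "en", "Flash",      "Arial,Times"),
    ("Firefox 24", "nl", "Flash,Java", "Arial,Times"),
    ("Chrome 30",  "nl", "Flash",      "Arial,Times"),
    ("Chrome 30",  "en", "Flash",      "Arial,Times,Comic Sans"),
    ("Chrome 30",  "en", "Flash,Java", "Arial,Times"),
    ("Firefox 24", "en", "Flash,Java", "Arial,Times,Comic Sans"),
    ("Chrome 30",  "nl", "Flash,Java", "Arial,Times,Comic Sans"),
]
POPULATION = [dict(zip(ATTRS, row)) for row in _ROWS]

def anonymity_set(population, browser, attrs):
    """Number of browsers indistinguishable from `browser` when a website
    can observe only the attributes named in `attrs`."""
    return sum(all(other[a] == browser[a] for a in attrs) for other in population)

def identifying_bits(population, browser, attrs):
    """Surprisal in bits: log2(population size / anonymity set size)."""
    return math.log2(len(population) / anonymity_set(population, browser, attrs))

def shrinking_sets(population, browser):
    """Anonymity set size as the attributes are combined one by one."""
    return [anonymity_set(population, browser, ATTRS[:n])
            for n in range(1, len(ATTRS) + 1)]

if __name__ == "__main__":
    me = POPULATION[0]
    print(shrinking_sets(POPULATION, me))
    print(identifying_bits(POPULATION, me, ATTRS), "bits")
```

In this population three bits single out one browser in eight; every further independent attribute a site can read adds bits in the same way.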