the more things change n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
The More Things Change... PowerPoint Presentation
Download Presentation
The More Things Change...

Loading in 2 Seconds...

play fullscreen
1 / 48

The More Things Change... - PowerPoint PPT Presentation


  • 133 Views
  • Uploaded on

The More Things Change. Steve Romig The Ohio State University July, 2004. Game Plan. I want to walk through a rough chronology of security events from the last 20 years What have we learned? What have we failed to learn?. Me.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'The More Things Change...' - varuna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the more things change
The More Things Change...
  • Steve Romig
  • The Ohio State University
  • July, 2004
game plan
Game Plan
  • I want to walk through a rough chronology of security events from the last 20 years
  • What have we learned?
  • What have we failed to learn?
slide3
Me
  • Graduated from Carnegie Mellon University, BS in Math, CS track in 1982
  • First job: an internship at CompuServe (1981-1982)
  • Started at OSU in January, 1983
  • Learned security “the old fashioned way”
1985 tcp ip issues
1985 -TCP/IP Issues
  • "A Weakness in the 4.2BSD UNIX TCP/IP Software", AT&T Bell Laboratories, by Robert Morris
  • Describes TCP sequence number prediction
  • Could be used to spoof trusted hosts
  • More on this later...
in 1988
In 1988...
  • One new virus/month reported
  • Viruses are just a PC thing
  • Internet has 60,000 hosts
1988 11 02 morris worm
1988-11-02 - Morris Worm
  • Early response - patch binaries with adb!
  • Much FUD
  • Contained by November 5
  • 3000-6000 hosts infected (5-10%)
1988 11 02 morris worm aftermath
1988-11-02 - Morris Worm, Aftermath
  • Spafford's "Phage" list started
  • CERT created
the blame game
The Blame Game
  • The miscreants
  • The vendors
  • The programmers
  • The users
the name game
The Name Game
  • Then: virus, worm, trojan horse
  • Now: malware, rootkit, botnet
homogeneity on the internet
Homogeneity on the Internet
  • Then: 85% Unix
  • Now: 96% Windows (desktops)
  • Geer et al, 2003-09 - warnings about the monoculture
vulnerabilities
Vulnerabilities
  • Buffer overflow in fingerd
  • "Overlooked" debug option in sendmail
  • Fingerd runs as root
  • Password guessing
  • Trusted hosts
1989 tcp ip
1989 - TCP/IP
  • “Security Problems in the TCP/IP Protocol Suite”
  • Steve Bellovin expands on the issues Morris brought up in 1985
  • I read it, it seemed fairly obscure and "technical"
1989 security workshops
1989 - Security Workshops
  • Computer Security Incident Handling Workshops start in Pittsburgh
  • Eventually leads (at least indirectly) to the formation of FIRST
  • Many incident response teams form over the years
1989ish mailing lists galore
1989ish - Mailing Lists Galore
  • Full disclosure debates abound
  • alt.security and comp.security created
  • 1989-1991 - Zardoz "Security Digest"
  • 1990-1991 - core mailing list
  • 1990 - vsuite mailing list
1989 1990
1989-1990
  • 1989: Cliff Stoll publishes “The Cuckoo’s Egg”
  • 1990: Sun security-alert mailing list begins
1990 bugs
1990 bugs
  • Various “LAN services”:
    • ypserv, portmap, NFS (file handles, device files, general configuration issues)
  • Available to the world
  • Insecure default configuration
  • Ring any bells?
1992 rbone neptune
1992 - Rbone, Neptune
  • TCP/IP sequence guessing attacks
  • Neptune (1994) has a nice user interface and error checking!
  • This is the attack that I thought was too technical
  • Writing the code (once) makes the technique widely available to the masses
1995 nfs shell
1995 - "NFS" Shell
  • I mention this because we’re seeing this in use again in 2004
  • There are still plenty of insecure NFS servers around
1995ish program level rootkits
1995ish - Program Level Rootkits
  • Replaces ls, du, find, ps...
  • Pinsh/ponsh backdoor
  • Finger daemon backdoor
  • Primitive library rootkit components
1995 much password cracking sniffing
1995 - Much Password Cracking & Sniffing
  • 2004 - we see the same now
  • Talked about 2-factor authentication then, talking about it again now
  • Recognized need to get away from reusable passwords then (and now)
  • Hubs, switches, ssh, ipsec, ssh trojans...
1995 01 25 osu secwog starts
1995-01-25 - OSU SECWOG starts
  • Monthly security awareness and training
  • Instrumental in building a community that supports security initiatives at OSU
1995 04 03 satan
1995-04-03 - SATAN
  • Dan Farmer releases SATAN
  • *Huge* furor over the release
  • Dan loses his job at SGI over it
1996 osu s local miscreants
1996 - OSU’s Local Miscreants
  • They sniff passwords in our labs
  • Use our dialup pool for free access
  • Break into military and government sites
  • No major dialup activity since then (apart from "usual" spam, viruses...)
  • The OSU "review" software
1997 osu starts scanning
1997 - OSU Starts Scanning
  • Started with SATAN
  • Purchased ISS Internet Scanner in 1997
  • Distributed to departments
  • Run centrally
slide25
1998
  • Netbus, backorifice
  • First primitive DDOS tools
1999 07 04 ddos attacks at osu
1999-07-04 - DDOS Attacks at OSU
  • 250? Unix hosts compromised
  • Incoming DOS takes us out for 6-8 hours
  • 50 of the 250 used for outbound DOS, 6 more hours of downtime
  • We start blocking hosts that are compromised
1999 malware
1999 - Malware
  • TFN, Trinoo, Stacheldraht...
  • Dsniff
1990 s security tools
1990's Security Tools
  • tripwire
  • cops
  • ssh
  • satan
  • iss
slide29
2000
  • OSU firewall project starts
  • ILoveYou hits
slide30
2001
  • Code Red
  • NetStumbler
  • War Driving
2003 01 slammer
2003-01 - Slammer
  • Patching becomes a "big deal"
  • 10 minutes to infect most hosts
  • 34 OSU computers infected
  • Infection rates: 1.4m/hr inbound, 26.6m/hr outbound
2003 01 slammer1
2003-01 - Slammer
  • We used ISS' scanslam to ID vulnerable computers
  • We used Cisco netflow logs to ID infected computers
  • Infected, vulnerable computers are blocked automatically
2003 06 adware and spyware
2003-06 - Adware and Spyware
  • Largely ignored (by us) until then
  • Finally receiving attention now
    • Commercial products
    • Media attention
2003 08 blaster
2003-08 - Blaster
  • Hard on the heels of password guessing attacks
  • Many systems had been tightened down already
  • More blocking of vulnerable, infected computers
  • More incentive to patch things
2004 02 bagle mydoom netsky
2004-02 - Bagle, MyDoom, Netsky
  • Lots of email!
  • Many, many variants
  • Bounce email is almost as bad as the virus email
2004 full circle
2004 - Full Circle
  • Intruders sniffing, cracking passwords
  • Local exploits to gain root, set up shop
  • By hand - little/no automation
things that haven t changed
Things That Haven't Changed
  • Bugs, design flaws in software
  • The full-disclosure debate
  • Default installs are insecure
things that are better
Things That Are Better
  • More incident response teams, abuse contacts
  • Vendors seem responsive, sort of, after the fact
increasing amounts

1994

2

1995

11

1996

102

1997

308

1998

348

...

...

2002

1145

2003

786/4039

Increasing Amounts
increased automation
Increased Automation
  • Easy for them to infect 100's of thousands of hosts
  • 200,000 hosts picking up agobot from OSU in 3 days...
  • On the other hand, we’re more automated also
increasing sophistication
Increasing Sophistication
  • Better rootkits (HackerDefender)
  • Encryption
  • Agobot
increasing variations
Increasing Variations
  • Agobot - hard to analyze them all
increased economic incentives
Increased Economic Incentives
  • Botnets for spam
  • Industrial espionage
  • Identity theft
  • Extortion
stakes are higher
Stakes Are Higher
  • Internet isn't just a "cool toy" any more
  • Our y2k survival plan: use paper
  • In 2004, the paper doesn't exist
challenges
Challenges
  • 10,000+ user-owned machines
    • Network registration, vetting, self-remediation
  • Remote access and reusable passwords
some key tools
Some Key Tools
  • SCORE - our host information database
  • SITAR - incident tracking
  • IDB - intrusion detection
  • Cisco NetFlow logs, flow-tools software
  • Nmap, ISS, other scanners
  • Snort
references
References
  • http://securitydigest.org
  • http://www.net.ohio-state.edu/security/talks.shtml