40 Years of Internet Arms Races

About This Presentation

Title:

40 Years of Internet Arms Races

Description:

Some thoughts on thinking bad thoughts. Various races. Predictions ... Toaster? 28 of 81. 40 Years of Internet Arms Races. Goals for this extraware ... – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 80

Provided by: billch

Category:

more less

Transcript and Presenter's Notes

Title: 40 Years of Internet Arms Races

1
40 Years of Internet Arms Races

Bill Cheswick
ches_at_lumeta.com
http//www.lumeta.com

2
Thinking about security
3
Talk outline

Intro
Some thoughts on thinking bad thoughts
Various races
Predictions
You got that with the 40 years, right?
Wishes
My dads computer, and Windows OK
Windows SP2

4
Since some of you asked

Chief Scientist at Lumeta, a Bell Labs spin-off
Founded in 2000. 45 people in the company
We map large corporate and government networks,
and find leaks in the network perimeter
I am still figuring out what a chief scientist
does
Second edition of the firewalls book came out
last year Cheswick, Bellovin, Rubin

5
(No Transcript)
6
Before the whining and predicting, something
useful

Lost friends web page
Cheap research web pages
Please give me feedback if I get something wrong
I do get out much from my little Internet startup
(Lumeta)
You folks keep me honest.

7
Security People are Paid to Think Bad Thoughts

-Bob Morris

8
Fred Cohen and me
9
What do you do with bad thoughts?

The world is full of threats
One can get a bit pessimistic
CIA asked a number of us for some of our bad
thoughts
Watch your ethics! Are you battling the forces
of darkness?

10
Questions about an evil idea

Has it already been done? How would you detect
it?
If not, why hasnt it happened yet?
What are the strategic preparations needed?
What are the tactical preparations needed just
before the attack?
Can we detect strategic preparations?
Can we detect tactical preparations?

11
Minor example Internet mapping
12
Minor example Internet Mapping Project

Hal Burch and me, since 1998
AUCERT has corresponded (complained) to us a
number of times
Basic technology 250,000 traceroutes/day
Question who else is doing this?

13
104542 udp 5 uma1.co.umatilla.or.us 112812
udp 1 64.d9b7d1.client.atlantech.net 105705
udp 4310124_at_0 omval.tednet.nl 105705
udp 431011456_at_24 omval.tednet.nl 105705
udp 43101625_at_1480 omval.tednet.nl 113059
udp 7 ns1.yamato.ibm.com
14
Minor example Internet Mapping Project

Andrew Gross and rstatd

15
Some thoughts on computing safety

Morris worm at Bell Labs (1988)
Best block is not be there
Karate Kid I
You got to get out of the game
Fred Grampp
Ive never detected a virus or worm on one of my
important systems.

16
Dont let opposition practice on you during an
arms race

Dictionary attacks on passwords
Crashme tests on programs, protocols, and
operating systems
Weakness using COTS!

17
(No Transcript)
18
The Internet security arms race

Defenders can control the battlefield
An uneasy truce may be good enough, if the
business case can make usable predictions

19
The Internet is a fine place to practice attacks

Automated
Anonymous
Many volunteers
Dont give them a dictionary, oracle, or
cribs to try automated attacks on
Monoculture of software in hosts and routers

20
The Internet is a fine place to practice defenses

MILnet has been under attack since the mid-1980s
That makes the threats much clearer
It gives the defenders a chance to get good at
their job

21
Arms RacesEavesdropping
22
Arms raceEavesdropping

Ethernet, ftp, and telnet were poor starts
WEP, POP3, IMAP, AIM added to the confusion
POP3 passwords are the most common I sniff over
the air at conferences like this
Crypto wars of the mid-1990s tied our hands
This race should be over, victory to the defenders

23
Eavesdropping victories

SSL ends direct credit card sniffing
Ssh lets me access secure machines from anywhere
IP/SEC is a bit of a pain to deploy, but that
should get better
VPN products are very useful
CPUs have plenty of spare power now.
Check your work with dsniff

24
Eavesdropping problems

Casual web access and DNS queries still mostly in
the clear.
Most ISPs still offer or insist on POP3 and IMAP,
not SSL versions of these
Widespread use of client certificates could limit
access to these possibly dangerous network
services

25
Eavesdropping arms races

Attack patterns vs. snort
Tcpdump/libpcap vs. killer packets

26
Arms Race Battle for control of the computer and
data
27
The battle for control of the computer

Who owns the software in your computer? Who
should be allowed to add and run programs?
Microsoft has assumed this since DOS
Viruses and worms
Pop-overs and pop-unders
Spyware
Automatic update systems
Same battle over data in computers controlling
your car
Thermostat? Front door lock? Toaster?

28
Goals for this extraware

Zombie nets to assist with malfeasance, including
forwarding of spam
Collect marketing data
Display advertisements
Enforce licensing restrictions

29
Solution operating system only executes known
programs

Virus problem goes away
Unix/Linux systems mostly do this already
OS updates and auxiliary program installs a
problem
This feature not available on Microsoft operating
systems (see below)

30
Extraware problems

Some business practices assume this ability is
available
Some web page writers assume that I am willing to
use possibly dangerous features in my browser (or
a particular browser)

31
Virus arms race

Early on, detectors used viral signatures
Virus encryption and recompilation (!) has
thwarted this
Virus detectors now simulate the code, looking
for signature actions
Virus writers now detect emulation and behave
differently
Virus emulators are slowing down, even with
Moores Law.

32
Virus arms race

I suspect that virus writers are going to win the
detection battle, if they havent already
Emulation may become too slow
Even though we have the home-field advantage
Will we know if an undetectable virus is
released?
Best defense is to get out of the game.
Dont run portable programs, or
Improve our sandbox technology
People who really care about this worry about Ken
Thompsons attack
Read and understand On Trusting Trust

33
The emulation arms race

Vmware versus the real thing
4tphi
Honeypots vs. bulkers
http//www.sendsafe.com/honeypot-hunter.php

34
Arms RaceAuthentication and identification
35
Password cracking

Works 3 to 60 of the time using offline
dictionary attacks
More, if the hashing is misdesigned
This will never get better, so
We have to get out of the game

36
Passwords sniffed at this conference
37
Authentication/Identification Arms races

Password/PIN selection vs. cracking
Human-chosen passwords and PINs can be ok if
guessing is limited, and obvious choices are
suppressed
Password cracking is getting better, thanks to
Moores Law and perhaps even botnets

38
Tony Sale
Colossus (ver 2.0)
39
We dont know how to leave the user in charge of
security decisions, safely.
40
Authentication solutionstwo factor
authentication

In my laptop ssh key unlocked by long passphrase
Better USB key unlocked by PIN. Five bad
PINS, and it is gone.
We already carry a bunch of keys, so why not one
more

41
Hardware tokens

These need to be open source drivable, and cheap
The business model has never been one for global
adoption
Challenge/response form factor is the safest, but
not acceptable if humans are in the loop

42
Authentication arms racepredictions

Weve already won this, from a business model
standpoint
Web SSL plus password is good enough for banking
USA needs two factor authentication for social
security number. (Something better than MMN or
birth date.)
I dont see this improving much, but a global USB
dongle would do it
Dont wait for world-wide PKI.

43
Arms race (sort of)destructible hardware
44
Arms race (sort of)hardware destruction

IBM monochrome monitor
Some more recent monitors
Current ones?
Hard drives? Beat the heads up?
EEPROM write limits
Viral attack on .cn and .kr PC motherboards
Other equipment
Anything that requires a hardware on-site service
call

45
Arms race (sort of)hardware destruction

Rendering the firmware useless
This can be fixed (mostly) with a secure trusted
computing base.

46
Software upgrade race literally a race

Patches are analyzed to determine the weakness
Patch-to-exploit time is now down below 10 hours
NB spammers have incentive to do this work
Now the good guys are trying to obfuscate code!
Future difficult to say dark side obscures
everything.

47
Arms Racesfirewalls

IP blocking
Ip aware (stateful)
More dangerous
Permits firewalking
Ultimately, firewalls are a hack, and should go
away

48
Arms Racesdeception
49
Scarlet king snake
West coral Snake
50
(the west coral snake is venomous)
51
Arms Races deception

Jails
Cliff Stoll and SDInet
Honeypots
Honeynet
honeyd
The deception toolkit---Fred Cohen

52
Bulkers vs honeypots

http//www.send-safe.com/honeypothunter.php

53
User education vs. user deception

We will continue losing this one
Even experts sometimes dont understand the
ramifications of choices they are offered

54
Historic Arms races

SYN packet attacks
TCP sequence number guessing

55
My Dads computer

Skinny-dipping with Microsoft

56
Case studyMy Dads computer

Windows XP, plenty of horsepower, two screens
Applications
Email (Outlook)
Bridge a fancy stock market monitoring system
AIM
Cable access, dynamic IP address, no NAT, no
firewall, outdated virus software, no spyware
checker

57
This computer was a software toxic waste dump

It was burning a liter of oil every 500 km
The popups seemed darned distracting to me
But he thought it was fine
Got his work done
Didnt want a system administrator to break his
user interface somehow

58
A proposalWindows OK
59
Windows OK

Thin client implemented with Windows
It would be fine for maybe half the Windows users
Students, consumers, many corporate and
government users
It would be reasonable to skinny dip with this
client
Without firewall or virus checking software

60
Windows OK

No network listeners
None of those services are needed, except admin
access for centrally-administered hosts
Default security settings
All security controls in one or two places
Security settings can be locked

61
Windows OK (cont)

There should be nothing you can click on, in
email or a web page, that can hurt your computer
No portable programs are executed ever, except
ActiveX from approved parties
MSFT and one or two others. List is lockable

62
Windows OK

Reduce privileges in servers and all programs
Sandbox programs
Belt and suspenders

63
Office OK

No macros in Word or PowerPoint. No executable
code in PowerPoint files
The only macros allowed in Excel perform
arithmetic. They cannot create files, etc.

64
Vulnerabilities in OK

Buffer overflows in processing of data (not from
the network)
Stop adding new features and focus on bug fixes
Programmers can clean up bugs, if they dont have
a moving target
It converges, to some extent

65
Microsoft client security

It has been getting worse can they skinny-dip
safely?

66
Windows ME
Active Connections - Win ME Proto Local
Address Foreign Address State
TCP 127.0.0.11032 0.0.0.00
LISTENING TCP 223.223.223.10139
0.0.0.00 LISTENING UDP
0.0.0.01025
UDP 0.0.0.01026
UDP 0.0.0.031337
UDP 0.0.0.0162
UDP 223.223.223.10137
UDP
223.223.223.10138
67
Windows 2000
Proto Local Address Foreign Address
State TCP 0.0.0.0135
0.0.0.00 LISTENING TCP
0.0.0.0445 0.0.0.00
LISTENING TCP 0.0.0.01029
0.0.0.00 LISTENING TCP
0.0.0.01036 0.0.0.00
LISTENING TCP 0.0.0.01078
0.0.0.00 LISTENING TCP
0.0.0.01080 0.0.0.00
LISTENING TCP 0.0.0.01086
0.0.0.00 LISTENING TCP
0.0.0.06515 0.0.0.00
LISTENING TCP 127.0.0.1139
0.0.0.00 LISTENING UDP
0.0.0.0445
UDP 0.0.0.01038
UDP 0.0.0.06514
UDP 0.0.0.06515
UDP 127.0.0.11108
UDP
223.223.223.96500
UDP 223.223.223.964500

68
Windows XP, this laptop
Proto Local Address Foreign Address
State TCP ches-pcepmap
ches-pc0 LISTENING TCP
ches-pcmicrosoft-ds ches-pc0
LISTENING TCP ches-pc1025
ches-pc0 LISTENING TCP
ches-pc1036 ches-pc0
LISTENING TCP ches-pc3115
ches-pc0 LISTENING TCP
ches-pc3118 ches-pc0
LISTENING TCP ches-pc3470
ches-pc0 LISTENING TCP
ches-pc3477 ches-pc0
LISTENING TCP ches-pc5000
ches-pc0 LISTENING TCP
ches-pc6515 ches-pc0
LISTENING TCP ches-pcnetbios-ssn
ches-pc0 LISTENING TCP
ches-pc3001 ches-pc0
LISTENING TCP ches-pc3002
ches-pc0 LISTENING TCP
ches-pc3003 ches-pc0
LISTENING TCP ches-pc5180
ches-pc0 LISTENING UDP
ches-pcmicrosoft-ds
UDP ches-pcisakmp
UDP ches-pc1027
UDP ches-pc3008
UDP ches-pc3473
UDP ches-pc6514
UDP
ches-pc6515
UDP ches-pcnetbios-ns
UDP ches-pcnetbios-dgm
UDP ches-pc1900
UDP ches-pcntp
UDP ches-pc1900
UDP
ches-pc3471
69
FreeBSD partition, this laptop
Active Internet connections (including
servers) Proto Recv-Q Send-Q Local Address
Foreign Address (state) tcp4 0
0 .22 .
LISTEN tcp6 0 0 .22
. LISTEN
70
XP SP2

Bill Gets It

71
Microsofts Augean Stablesa task for Hercules

3000 oxen, 30 years, thats roughly one oxen-day
per line of code in Windows
Its been getting worse since Windows 95

72
XP SP2 Bill gets it

a feature you dont use should not be a security
problem for you.
Security by design
Too late for that, its all retrofitting now
Security by default
No network services on by default
Security control panel
Many things missing from it
Speaker could not find ActiveX security settings
There are a lot of details that remain to be seen.

73
Microsoft really means it about improving their
security

Their security commitment appears to be real
It is a huge job
Opposing forces are unclear to me
Its been a long time coming, and frustrating

74
Microsoft secure client arms race

We are likely to win, but it is going to be a
while

75
Chess wish list

browsersandbox.org
Uses a .conf file, supplied with browser
Same .conf file for any major OS
Sandbox is impenetrable, no matter what
I know people have offered solutions for ten
years
I need portability Linux, FreeBSD, maybe even
MSFT, which needs sand boxing in their OS.

76
Chess wish list(cont.)