Speculating about Tomorrow’s Threats
Simson L. Garfinkel
MIT CSAIL

What’s the worst case scenario?

Worst Case Scenarios…
• Turn off the electricity
  – Kills the computers
• Turn off the water
  – Kills the people
• Shut down websites/routers/countries/Internet
• Make the Democrats win an election
  – (to effect US foreign policy…)
• Surely we can do better…

Computer Virus Jumps to Humans!
• “A quickly spreading computer virus is somehow jumping from PCs to their human computer users --- and killing them!”

How would a computer make a human virus?
• Nanometer-scale assemblers… ?
Source: NASA
Source: John Milanski

Mail Order Polio
First Synthetic Virus Created: July 11, 2002
• Researchers @ Stony Brook
• Polio Virus sequence downloaded from Internet
• DNA sequence sent to a “mail-order supplier”
• Transcribed to RNA in lab
• Injected into mice.
• “The animals were paralyzed and died.”
http://www.sciencenews.org/20020713/fob8.asp

MWG RNA & siRNA synthesis
How to order
• Log in
• Enter Ship to, Bill to, and PO
• Enter oligos in large quantities by pasting in columns of name and sequence pairs from Excel
• Display sequence
• Enter comments
• Check out
(877) MWG-BTEC

Making this threat credible…
• Distribution of “dangerous” information that could be easily misused.
• Computer viruses that become human viruses…
• Hacking biological systems that makes products more dangerous than people suspect…

Take Home Point #1
Biology and IT are becoming the same thing.
Viruses are information.
… gives a whole new meaning to “blended threats…”

Can what’s on this disk kill you?

PGP was on that disk…
• Back in the 1990s, the FBI said that encryption could kill us!
• Encryption in the hands of:
  – Drug dealers
  – Terrorists
  – Pedophiles
  – Organized crime
(The real threat was encryption in the hands of spammers…)

What if the disk just has an essay … or an article?

“The Riddle of the Universe and Its Solution”
Professor Dizzard works on artificial intelligence software.
Dizzard is found staring deep into his screen at the end of an Easter vacation.
Some of Dizzard’s students follow his unfinished work….
The students pass into the coma.
An epidemic begins to spread….
At a university, a whole class goes off into the “Riddle Coma.”
The coma is caused by: “The Gödel-sentence for the human Turing-machine – it causes the mind to jam.”
“There is no way to solve the Riddle coma… but we can decrease further coma outbreaks.”

Today’s Dangerous Ideas
Distributed by networks; motivating people to violence
“Leaderless Resistance”
  – Political violence without organization
  – Originated in America by Louis Beam for fight against US Government
  – Adopted by radical left.
Abortion Doctor Killers
  – Nuremberg Files Website.
SHAC (Stop Huntingdon Animal Cruelty)
  – Practically bankrupt Huntingdon Life Sciences.
ELF (Earth Liberation Front)
  – arson training manual
ELF Attacks:
  – August 1st - $20M fire in San Diego
  – August 22nd – Attacks against SUVs
  – July 2nd - $700,000 against two new homes.

“If you build it --- we will burn it”

… we don’t believe in censorship …
• Unless it is “hate speech” and you are on a college campus
• Unless it is “copyrighted music” (or samples of copyrighted music) and you are the RIAA
• Unless it is “source code” and you are Diebold Election Systems
Increasingly, the United States does believe in Censorship, and the Internet is making censorship harder… for many Americans, this is a worst case scenario!

DMCA & Friends
Making Computers Less Secure
• Outlawing computer security research?
• Criminalizing disclosure of vulnerabilities?
• The Future: Mandating Computer Systems With Back Doors for the RIAA!

Back to Computers…

Computer Worms and Viruses
• Strengths of Today’s Worms and Viruses:
  – Clog email systems
  – Send spam
  – Plant backdoors
  – Fast spreading
• Weaknesses:
  – Buggy
  – Poorly Designed
Bellovin: No Network is safe!

PC Viruses for Spamming
• Wake up at 2am
• Get a HotMail account
• Send 10,000 messages to Yahoo / AOL
• Go back to sleep
OLD SLIDE!
• Yahoo and HotMail now using Reverse Turing Tests to prevent automated sign-up
• Spammers now manipulating BGP announcements…
Manual today… Could be automated tomorrow

Viruses that Destroy Hardware
CIH/Chernobyl Virus
  – “Erase entire hard drive and overwrite the system BIOS.”
  – BIOS chip or motherboard must be replaced
April 26, 1999
  – One million computers destroyed.
  – Korea: $300M
  – China: $291M
May be an easy attack today with web-based BIOS upgrades.

Computers can start fires!
• HCF instruction joke
• HP OfficeJet Printer fax copiers
  – March 1995
  – 10,000 machines recalled
  – “generate internal temperatures high enough to burn a wayward human hand and … even start a fire”
• Video Monitors?
• SCADA systems have failsafes, but consumer equipment may not.

Shut down the 911 System!
ICMP Echo Request: “+++ATH0;M0;DT911”
attacker … ping 100,000 AOL or EarthLink subscribers
(Diagram labels: attacker, Clueless Users, 911)

Shut down the Internet
• Most of the Internet is run by Cisco Routers
• Lots of equipment is in inaccessible locations
  – Equipment closets in unattended locations
  – Co-location facilities that are effectively unattended (“warm hands” are over-rated).

Cisco: Realistic Risk?
Vulnerabilities and remote exploits have been found in Cisco’s operating system.
Bellovin said that the source code is available — but does it matter?

Cisco Router Virus: Design
• Phase 1: Penetrate
• Phase 2:
  – Set up a large-scale distributed hash table using Chord or similar technology.
  – Distributed scanning for vulnerable machines.
  – Coordinate penetration and propagation of new machines.
• Phase 3:
  – Simultaneously all infected routers stop routing packets.
  – Erase router configuration.
  – Flood all network interfaces with broadcast requests.

VoIP makes Router Attacks Better!
When the Internet breaks, we call other people using the phone system.
When the phone system breaks, we send email!
With VoIP, the Internet is the phone system!!!
… bad idea.

VoIP
• Advantages:
  – A single wire for data & voice
  – Cuts cost of telecom
• Disadvantages:
  – A single wire for data & voice (no redundancy)
  – Cuts cost of telecom (so security stands out more)
• VoIP is growing fast:
  – Many home users are giving up on POTS
  – Increasingly, you may be using VoIP without knowing it!
• The “Phone System” is not a higher-priced alternative internet. It is increasingly the same Internet, just at a higher price

How fast can a virus propagate?
• Code Red propagation statistics
  – Most hosts infected within 12 hours
  – Source: CAIDA (Cooperative Association for Internet Data Analysis)

Sapphire / Slammer
• Doubled every 8.5 seconds
• Infected 90% of vulnerable hosts in 30 minutes.
  – 74,855 hosts
  – Reasons:
    • 1 packet infection
    • UDP, not TCP

Theoretical Minimum: 30 seconds?
• Flash Worm Paper
  – “Flash Worms: Thirty Seconds to Infect the Internet”
  – Stuart Staniford, Gary Grim, Roelof Jonkman
  – http://www.silicondefense.com/flash/
  – August 16, 2001
• Warhol Worms
  – “How to 0wn the Internet in your Spare Time”
  – Stuart Staniford, Vern Paxson, Nicholas Weaver
  – http://www.cs.berkeley.edu/~nweaver/cdc.web/
  – August 2002

Need for virus education!
• Virus-writers are not reading the academic literature.
• Perhaps that new “how to write a computer virus” course will help.

Perhaps “low and slow” is better
• Much less likely to be detected
• Less likely to attract media attention
• The real reason that most worms have been caught is that their scanning and propagation functions overwhelm our networks.
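
The detection side of the “low and slow” point, as an added example that is not part of the original slides: a distinct-destination fan-out check over flow records catches a noisy scanner in a short window but only sees a slow one when the window is stretched to a day. The record format, thresholds and addresses are assumptions made up for the illustration.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records: (timestamp_seconds, source, destination)."""
    flows = []
    # Noisy scanner: 200 distinct destinations in about 20 seconds.
    for i in range(200):
        flows.append((i * 0.1, "10.0.0.5", f"192.0.2.{i}"))
    # Low-and-slow scanner: one new destination every 10 minutes for a day.
    for i in range(144):
        flows.append((i * 600, "10.0.0.9", f"198.51.100.{i}"))
    # Ordinary host: many connections, but only to the same 5 servers.
    for i in range(500):
        flows.append((i * 170, "10.0.0.7", f"203.0.113.{i % 5}"))
    return flows


def fanout_alerts(flows, window, threshold):
    """Return the sources that contacted at least `threshold` distinct
    destinations inside any single tumbling window of `window` seconds."""
    seen = defaultdict(set)  # (source, window index) -> destinations seen
    for ts, src, dst in flows:
        seen[(src, int(ts // window))].add(dst)
    return sorted({src for (src, _), dsts in seen.items()
                   if len(dsts) >= threshold})


def compare_windows(flows):
    """Run the same check with a one-minute and a one-day window."""
    return {
        "per_minute": fanout_alerts(flows, window=60, threshold=50),
        "per_day": fanout_alerts(flows, window=86400, threshold=100),
    }


if __name__ == "__main__":
    for name, sources in compare_windows(build_sample_flows()).items():
        print(name, sources)
```

The ordinary host makes more connections than either scanner yet never alerts, because the check counts distinct destinations rather than traffic volume.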

“Netgear Attack”
• Netgear hard-coded the address of WISC’s NTP server into its home router.
• NTP implementation flawed:
  – instead of backing off on no answer, it pinged harder!
• WISC’s initial contacts to Netgear ignored.
• http://www.cs.wisc.edu/~plonka/netgear-sntp/

Take Home Point #2
Computer/Network viruses can be far faster and more destructive than they are today
Attacks might not even be intentional!

New Virus Platform #1: Cell phones?
• Previous SMS viruses were pathetic
  – Fake ring tone?
  – Fake Java game?
• Nokia has recalled vulnerable handsets

SMS Virus
• A “really good” SMS Virus would:
  – Receive as an SMS message.
  – Sends self to
    • last 20 people who called phone
    • everybody in phone address book
  – Lock phone with new PIN.
  – After 4 hours, floods cell phone network with repeated phone calls and SMS message (DDOS)
• Results:
  – Everybody needs a new cell phone
  – Cell phone network rendered inoperable.

What’s Needed for that SMS Virus?
• Way to execute code on cell phone:
  – Open programming environment, or someone with inside knowledge.
  – Bug in incoming SMS message handler
  – Longer SMS messages, or way to string SMS messages together, or way to download code from a website
  – Perhaps you could do it today with a Palm or Windows “smart phone” … but not enough market penetration.
  – Java phones!!!
• Serious network vulnerability … when? 2004? 2007?

Cell Phone Virus Alternative
Instead of distributing from cell phones, distribute using a PC-based virus.
Serious network vulnerability: today.

New Virus Platform #2: Car Computers (telematics)
Radio-based:
  – Location monitoring
  – Position reporting
Remote control:
  – Door lock/unlock
  – Ignition Kill
Next-generation system:
  – Two-way communication
  – Integration with entertainment system
Questions:
  – Security?
  – Authentication?
  – Encryption?
#1 Danger: companies deploying these systems have little experience with network security.

OnStar: Security?
“All communications between the vehicle and OnStar call center are through the analog wireless network at this time.”
“OnStar uses a proprietary and confidential communication protocol (Air Interface) for transmitting and receiving data between the call center and the vehicle.”
“OnStar uses an authentication process similar to those used by the cellular industry to prevent unauthorized access to the OnStar system in the vehicle.”

OnStar: Security?
• 300-baud analog modem with analog cell phone
• PPP with CHAP authentication
• No encryption
• Real question: authenticating the caller!
  – (but that probably isn’t an automated attack.)

Take Home Point #3
• New Platforms are opening up for attackers
• Many opportunities for cross-platform attacks
• Companies deploying new platforms have little experience with security issues.

Defending Against Tomorrow’s Threats…
• Spyware…

Solution: Automatic Update…
1. Go to the Internet
2. Download code
3. Run it
Keeps everybody’s operating system patched and up-to-date!
Great for:
1. Updating buggy software
2. Adding bugs to reliable software
3. Taking over millions of machines simultaneously

But what’s the problem?
• People don’t install patches?
• Operating systems are buggy and overly complex?
• Need for a continued revenue stream?
• Need to find and destroy pirate copies?

Subvert Automatic Update!
• Update from DNS name…
  – He who controls the DNS, controls the Internet!
• Fortunately, most systems protected with digitally signed updates
• Unfortunately, certificate authorities can be hacked…

Certificates that come with IE6

Solution: Notify People of Security Problems!
Seems like a good idea…
…Until you get 3,000 alerts in one day!

From MAILER-DAEMON Wed Sep 10 16:37:13 2003
Date: Wed, 10 Sep 2003 16:36:50 -0400
From: "MailScanner" <postmaster@solucorp.qc.ca>
To: simsong@acm.org
Subject: Warning: E-mail viruses detected

Our virus detector has just been triggered by a message you sent:
To: jack@localhost
Subject: Re: Thank you!
Date: Wed Sep 10 16:36:49 2003

One or more of the attachments (your_document.pif) are on the list of unacceptable attachments for this site and will not have been delivered.
Consider renaming the files or putting them into a "zip" file to avoid this constraint.

The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (your_document.pif)

-MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support

Solution: Just Secure the Stuff That Matters…
• Do you secure:
  – HTML rendering code?
  – JPEG display routines?
  – Keyboard drivers?
  – Macro engine?
  – File Load & Save routines?
  – XML parser?
• What software does not need to be secured?

Solution: Diversity and Redundancy

Diversity is hard! (and expensive)
• SNMP Vulnerability
• OpenSSL Vulnerability
• Sendmail vulnerabilities
• In all of these cases:
  – Common implementation affected many platforms

Redundancy is hard! (and expensive)
We expect reliability, but we don’t want to pay for it….
Do you have a backup: laptop? car? spouse? California Power Grid?
Should you build 1 data center or 2?
(Even if the big companies learned from 9/11, many others didn’t.)
Alternative: have just one, but take care of it.
Does the future hold more redundancy, or less?

“Genetic Diversity”
• The big take-home from yesterday was that Genetic Diversity is good!
• But that’s just because we don’t have it today!
  – “The grass is always greener…”
• Back in the 1980s, we had genetic diversity!
  – The reason that we standardized is that people couldn’t properly administer a diverse system!

Take Home Point #4:
4.1 We don’t know if diversity or uniformity promotes a more secure computing environment
4.2 We don’t know how to build true diversity.
(5 operating systems is not genetic diversity.)

Four “Next Generation” attacks:
• Spam
• Wi-Fi
• RFID
• MTM

Spam
• The big problem.
• How do we limit the use of a free resource?
  – Willingness to receive email?
  – Network bandwidth?
  – People’s attention?
• Spammers are becoming exquisite attackers
• Two kinds of solution:
  – Payment-based
  – Content analysis

Is this spam?
To: simsong@mit.edu
From: XXXXXX <XXXXXXXX@aol.com>
Subject: Hi old friend!

Dear Simson,
We were best-friends back in fourth grade. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html. Take a look!

Is this spam?
To: simsong@mit.edu
From: CCCCCCCC <XXXXXXXX@yyyyyyyyyyyyy.com>
Subject: Windowless Room

In your O'Reilly "history article, you wrote:
> Many schools found that buying a few Apples and putting them
> on a table in a windowless storage room was a cheap way to
> add "computing" to their curriculum
I remember that room! :)
XXXXXXXXXXXXXXXXXX
XXXXXXXX@yyyyyyyyyy.com
http://www.yyyyyyyy.com/~XXXXXXXXXXw

To: simsong@mit.edu
From: XXXXXX <XXXXXXXX@aol.com>
Subject: Hi old friend!

Dear Simson,
We were best-friends back in fourth grade at Haverford Friends. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html. Take a look!
“Windowless Room”

Wi-Fi (802.11)
• Key issues to date have been:
  – Eavesdropping
  – User authentication
• New issue:
  – Access Point authentication

This attack is
  - Hard (impossible) to detect
  - Easy to implement
  - Portable

Monday Night, 8:34pm

Network Forensics
• Does “default” at 68.86.222.205 know what I was sending across their Internet Connection?
• Would it make sense for them to capture it?
  – 1/2 of a 60GB hard drive will hold 30 days of traffic for a typical cable modem…
• Would it make sense for them to avoid capturing it?

RFID
• Radio tags…

RFID
Smaller than your fingernail…
http://www.namazu.org/~satoru/playstand/

RFID Everywhere…

RFID “Doomsday Scenario”
• Link all objects with identity
• Track everything everywhere
• How do you tell legitimate readers?
• How do you tell legitimate tags?
• The “privacy” problem is really a security problem.

MTM: The “Ultimate” attack…

Mind-to-Machine
http://bnb.spiritshigh.com/characters/traits/4831.html

Other approaches to M2M
“Neural Interfaces”
  – Electrooculogram (EOG) (skin interface)
  – Electromyogram (EMG) (muscle movement)
  – Electroencephalogram (EEG) (brainwaves)
  – Electrocardiogram (EKG) (heart)
  – Neural electrode (directly from brain)
(source: betterhumans.com)

(source: DARPA)

M2M Applications
“Reverend Ray Kurzweil”
• Mind Uploading & Backup
  – Staggering copyright issues
• Mind downloading
  – Keep the body; change the person
  – Better than the death penalty!
• Mind wiretapping
  – Do you need a warrant under PATRIOT?
• Do you need a firewall for your brain?
  – Merri does

These attacks are all “spoofing attacks”
• Spam
• Wi-Fi
• RFID
• MTM
• Use computers to attack people.

Take Home Point #5:
Spoofing attacks the human mind.
We don’t know how to make humans more secure.

5 Ways to Build A More Secure Network.
• Restrict the flow of dangerous code and information to prevent its misuse. (Polio Virus)
• Stop Researching how to make “better viruses.”
• Limit the extension and reach of computer technology: keep computers in their place.
• Standardize on one computing platform and make sure it is secure.
• Teach people how to recognize and avoid spoofing attacks.
?
• Celebrate the flow of dangerous information; actively research better defenses.
• Teach virus-writing and virus-cracking.
• Aggressively put advanced computer technology everywhere: the benefits outweigh the risks.
• Deploy many different architectures and operating systems.
• Automate decision making to eliminate the reliance on the human element.

Remember
• Napoleon didn’t want good generals, he wanted lucky generals