Understanding the Risks: Is Safe Computing Possible?
Bob Cowles, bob.cowles@slac.stanford.edu
TERENA Conference 2005 – Poznań, Poland
Work supported by U.S. Department of Energy contract DE-AC03-76SF00515

Final Thoughts (Spring 2004)
- Attacks coming faster; attackers getting smarter
- Complex attacks using multiple vulnerabilities
- No simple solution works
  - Patching helps
  - Firewalls help
  - AV & attachment removal help
  - Encrypted passwords/tunnels help
- You can’t be “secure”; only “more secure”
- We must share information better
7 June 2005 TNC 2005 2

Passwords Captured on WiFi
- YM%lsd.512
- severine
- n0mad
- cris1964
- cms2wa97
- luciole
- n0811a
- xxxx8769 & xxxx0255

Public Access: Insecure Protocols
- Cleartext protocols
  - http – sometimes difficult to tell
  - smtp – visible emails as they are sent/received
  - pop – visible email and possible passwords
  - imap – visible email and possible passwords
  - ftp & telnet – visible sessions and passwords
- Network file systems
- Faked service providers

Public Access: Insecure Protocols (cont.)
- Instant messaging
  - aim
  - yahoo messenger
  - ICQ
  - jabber
- Kiosks
- Vulnerable to worms on “local network”
  - Blaster vulnerability discovered by local LSD group
- Passwords for coffee
  http://www.theregister.co.uk/2005/05/06/verisign_password_survey/
- Lists of recent compromises
  http://www.emergentchaos.com/archives/cat_breaches.html

ssh and Other Compromises
- Attacker installs trojaned ssh w/ keylogger
- Later suspected tactics:
  - Scan for open X sessions (xhost +)
  - Windows compromises
    - hacker defender rootkit installed
    - session hijacking
  http://www.cnn.com/2005/TECH/05/10/govt.computer.hacker/
  http://www.sfgate.com/cgibin/article.cgi?file=/c/a/2005/05/10/MNGSCCMIJ21.DTL
- Replaced by ssh weak password scanning
  http://www.frsirt.com/exploits/08202004.brutessh2.c.php

On the Increase
- Phishing
  http://www.techworld.com/news/index.cfm?RSS&NewsID=3638
- 419 – now job ads
  http://www.theregister.co.uk/2005/05/09/419_job_ads/
- Pharming
  http://www.channelregister.co.uk/2005/04/08/dns_attacks_attempt_to_mislead_consumers/
- Spyware (p2p)
  http://en.wikipedia.org/wiki/Spyware
- Google hacking
  http://johnny.ihackstuff.com/index.php?module=prodreviews

[Slide 8: no text extracted]

Where It Really Goes …
- http://scgi.ebay.com/verify_id=ebay &fraud alert id code=00937614
- <http://210.95.98.124:81/aw-cgi/SignIn.php?mail=osgint@opensciencegrid.org>

Postbank Phishing (04 June)
Courtesy of Vincent 'rastakid' van Scherpenseel
http://www.syn-ack.org/papers/postbank.html
- Where it appears to go:
  http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3
- Where it goes:
  href="http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/"
- Where it REALLY goes:
  http://hkschfo.da.RU/
- Login popup in front of real Postbank page

[Slide 11: no text extracted]

New Technologies
- bluetooth
  - I 0wn your Lexus
    http://www.cryptonomicon.net (site being rebuilt)
  - Hacking “secure” bluetooth devices
    http://www.newscientist.com/article.ns?id=dn7461
- RFID
  http://www.rfidbuzz.com/news/2004/rfdump.html
- VoIP
  http://www.pcworld.com/resource/article/0,aid,120668,pg,1,RSS,RSS,00.asp
- 0wned by iPod
  http://md.hudora.de/presentations/firewire/PacSec2004.pdf

Collaborative Environments
- Organizations of resource consumers cross multiple resource providers
- Resource consumer organization manages the user base; users are not registered in advance with providers
- Authorization assertion from the organization identifies valid users
- Many security implications
  - Incident response
  - Credential theft
  - Adequacy / usability of audit information
  - Maintenance of persistent resource (e.g. storage) ownership

UN on Fighting Cybercrime
- Create culture of cybersecurity
- Prevention & prosecution of cybercrime
- Address needs of developing countries too
- Coordinated efforts to facilitate practical research
- Global approaches to avert & mitigate impact on
  - Critical infrastructure
  - Sustainable development
  - Privacy protection
  - eCommerce, banking and trade
http://www.crime-research.org/news/05.12.2005/1225/

Late Breaking News
- Numerous versions of Mytob (125 in 3 mos)
  - Turns off anti-virus
  - Opens backdoor for further compromise
- 00 June 2005 – Apple Quicktime allows information theft
  - Invisible – while playing a Quicktime movie
  - Download version 7.0.1. (Macs only. Profile info only)
- 01 June 2005 – Coordinated malware attack
  - Gleider – eight variants; opens backdoor
  - Fantibag – disables antivirus & Windows Update
  - Mitglieder – opens backdoor for control
- 06 June 2005 – Spybot worm variant
  - Spreads through network shares or unpatched systems
  - Opens backdoors for further compromise

Final Thoughts (June 2005)
- All operating systems are vulnerable
  http://www.theregister.co.uk/2005/05/05/apple_mega_patch/
- All browsers are vulnerable (firefox vulnerability)
  http://www.theregister.co.uk/2005/05/09/firefox_0day_exploit/
- No simple solution – security still too complex
  - Patching helps
  - Firewalls help
  - AV & attachment removal & spam filters help
  - Encrypted passwords/tunnels help – if used!!
- You can’t be “secure”; only “more secure”
- We must share information (100 best security web sites)
  http://www.uribe100.com/index100.htm
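Returning to the two phishing-link slides above (eBay and Postbank): the following is an added example, not code from the slides or from Bob Cowles, that traces a link through open-redirect wrappers and percent-encoding to the host it really lands on, which is the check a help desk or mail gateway needs before trusting what a link displays. It assumes, as the Postbank slide's stated destination implies, that the victim's browser dropped the %09 tab characters and stray '%' signs (current browsers still strip tabs and newlines from URLs), and it reads the bracketed address on the eBay slide as that link's real href.

```python
"""Added example (not from the slides): trace an obfuscated phishing link
to its real host, as in the eBay and Postbank slides.

Assumption: like the 2005-era browser the Postbank slide implies, the
decoder drops tab (%09) characters and stray '%' signs once the %XX
escapes are resolved."""
import re
from urllib.parse import urlsplit

# Query parameters that open redirectors commonly use to carry the next hop
REDIRECT_PARAMS = ("q", "target", "url", "redirect", "goto")

# The Postbank link as shown to the victim and its href from the slide
# (line-break spaces removed); the eBay pair is that slide's shown text + href.
POSTBANK_SHOWN = "http://www.postbank.nl/gRK6QnraG6FTLfFmTNNbX68U7rj8Q22oyqyIKv8qBXCeGv0TJYa0w9g6c6wih2g3"
POSTBANK_HREF = ("http://www.google.es/url?q=http://go.msn.com/HML/1/5.asp"
                 "?target=http://%68k%73chf%09%6f%2E%64%%09a%2ER%%09U/")
EBAY_SHOWN = "http://scgi.ebay.com/verify_id=ebay"
EBAY_HREF = "http://210.95.98.124:81/aw-cgi/SignIn.php?mail=osgint@opensciencegrid.org"

def lenient_decode(text: str) -> str:
    """Resolve %XX escapes once, then drop tabs/newlines and stray '%'."""
    decoded = re.sub(r"%([0-9A-Fa-f]{2})",
                     lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"[\t\r\n%]", "", decoded)

def next_hop(url: str):
    """Return the URL a redirect parameter points at, or None."""
    for pair in urlsplit(url).query.split("&"):  # simplification: '&' inside a nested URL is not handled
        name, _, value = pair.partition("=")
        if name.lower() in REDIRECT_PARAMS and value.lower().startswith(("http://", "https://")):
            return lenient_decode(value)
    return None

def trace(url: str, max_hops: int = 10) -> list:
    """Follow redirect parameters offline (no network); returns the chain of URLs."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = next_hop(chain[-1])
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
    return chain

def final_host(url: str) -> str:
    """Lower-cased host of the last URL in the redirect chain."""
    return urlsplit(trace(url)[-1]).hostname or ""

def host_mismatch(shown: str, href: str) -> bool:
    """True when the link lands on a host other than the one it displays."""
    return (urlsplit(shown).hostname or "") != final_host(href)

if __name__ == "__main__":
    for shown, href in ((EBAY_SHOWN, EBAY_HREF), (POSTBANK_SHOWN, POSTBANK_HREF)):
        print(" -> ".join(trace(href)), "| mismatch:", host_mismatch(shown, href))
```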