1 of 111 Cybersecurity Summit 2004 Some Thoughts on Network and Computer Security in an Academic...

1 of 111Cybersecurity Summit 2004

Some Thoughts on Network and Computer Security in an

Academic Environment

Bill CheswickLumeta Corp.

ches@lumeta.comhttp://www.cheswick.com/

• Some thoughts that might be relevant

• How do you secure things when you absolutely have to. (Intellink)

• Some (best?) practices I’ve seen or tried

• Suggest some research projects and directions that might help in the longer run

• Perhaps some keynote thoughts relevant for the panels

This is possibly the hardest problem in computer security

• Academic environment means free and open access

• Security generally engineers lack the clout to enforce security policies

• Clients access the major resources from client hosts around the world

• Some assembly required

72 slides 4 of 112Cybersecurity Summit 2004

What does it mean to win?

Threat models

What does it mean to win?

• Keeping the hacker out of critical systems?– What are your critical systems, anyway?

• Catching him/them?

• Nobody notices that everything is working?

• No mention on the front pages of major newspapers?

• No angry probing calls from your funding agency?

Threat models at supercomputer centers

• Embarrass system administrators

• Establish base for attacking other sites?

• Maximize downtime

• Attacks on science: corruption of data or programs– Scientists used to share ideas, now they

share programs– The dirty word nebula in the Virgo cluster

• Attack by a patient Luddite

Case studies

• Me– Limited user base– Highly compliant users– Low admin/machine ratio

• Intellink

This talk is mostly about *nix systems, except as noted

• Most big iron runs some *nix OS, proprietary or not

• Microsoft has their own problems…

Microsoft’s Augean Stables:a task for Hercules

• 3000 oxen, 30 years, that’s roughly one oxen-day per line of code in Windows

• It’s been getting worse since Windows 95

Network and Host security as I see it

Traditional view of host software

Kernel

User programs

This traditional view of host software is wrong

Kernel

User programs

User-level programs use the kernel to interface with the outside world

Kernel

User programs

Example: SYN packet attacks

Kernel

UserprogramsAttacking packets are never

seen at user level….

Example: SYN packet attacks

Kernel

UserprogramsAttacking packets are never

seen at user level….

…although user mode enablesthe kernel listener.

Direct attacks on the kernel are fairly rare

Kernel

Userprograms

TCP/IP

Direct attacks on the kernel are fairly rare

• Though the software is complex and hard to test, it’s hard to do more than break the kernel

• Used mostly for DOS attacks

• Ping ‘o death

• Random IP options game (crashme)

Kernel

Userprograms

TCP/IP

Some ways to break into a host:

1) subvert a privileged network daemon

Subvert a privileged network daemon

Kernel

Userprograms

TCP/IP

Networkdaemon

Rate a computer’s network security?

netstat –an | wc -l

Windows MEActive Connections - Win ME

Proto Local Address Foreign Address State TCP 127.0.0.1:1032 0.0.0.0:0 LISTENING TCP 223.223.223.10:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:1025 *:* UDP 0.0.0.0:1026 *:* UDP 0.0.0.0:31337 *:* UDP 0.0.0.0:162 *:* UDP 223.223.223.10:137 *:* UDP 223.223.223.10:138 *:*

Windows 2000

Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING TCP 0.0.0.0:1036 0.0.0.0:0 LISTENING TCP 0.0.0.0:1078 0.0.0.0:0 LISTENING TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING TCP 0.0.0.0:1086 0.0.0.0:0 LISTENING TCP 0.0.0.0:6515 0.0.0.0:0 LISTENING TCP 127.0.0.1:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:* UDP 0.0.0.0:1038 *:* UDP 0.0.0.0:6514 *:* UDP 0.0.0.0:6515 *:* UDP 127.0.0.1:1108 *:* UDP 223.223.223.96:500 *:* UDP 223.223.223.96:4500 *:*

Windows XP: this laptop, pre-SP2 Proto Local Address Foreign Address State TCP ches-pc:epmap ches-pc:0 LISTENING TCP ches-pc:microsoft-ds ches-pc:0 LISTENING TCP ches-pc:1025 ches-pc:0 LISTENING TCP ches-pc:1036 ches-pc:0 LISTENING TCP ches-pc:3115 ches-pc:0 LISTENING TCP ches-pc:3118 ches-pc:0 LISTENING TCP ches-pc:3470 ches-pc:0 LISTENING TCP ches-pc:3477 ches-pc:0 LISTENING TCP ches-pc:5000 ches-pc:0 LISTENING TCP ches-pc:6515 ches-pc:0 LISTENING TCP ches-pc:netbios-ssn ches-pc:0 LISTENING TCP ches-pc:3001 ches-pc:0 LISTENING TCP ches-pc:3002 ches-pc:0 LISTENING TCP ches-pc:3003 ches-pc:0 LISTENING TCP ches-pc:5180 ches-pc:0 LISTENING UDP ches-pc:microsoft-ds *:* UDP ches-pc:isakmp *:* UDP ches-pc:1027 *:* UDP ches-pc:3008 *:* UDP ches-pc:3473 *:* UDP ches-pc:6514 *:* UDP ches-pc:6515 *:* UDP ches-pc:netbios-ns *:* UDP ches-pc:netbios-dgm *:* UDP ches-pc:1900 *:* UDP ches-pc:ntp *:* UDP ches-pc:1900 *:* UDP ches-pc:3471 *:*

It is easy to dump on Microsoft, but many others have made the

same mistakes before

ftp stream tcp nowait root /v/gate/ftpdtelnet stream tcp nowait root /usr/etc/telnetdshell stream tcp nowait root /usr/etc/rshdlogin stream tcp nowait root /usr/etc/rlogind exec stream tcp nowait root /usr/etc/rexecd finger stream tcp nowait guest /usr/etc/fingerd bootp dgram udp wait root /usr/etc/bootp tftp dgram udp wait guest /usr/etc/tftpd ntalk dgram udp wait root /usr/etc/talkd tcpmux stream tcp nowait root internalecho stream tcp nowait root internaldiscard stream tcp nowait root internalchargen stream tcp nowait root internaldaytime stream tcp nowait root internaltime stream tcp nowait root internalecho dgram udp wait root internaldiscard dgram udp wait root internalchargen dgram udp wait root internaldaytime dgram udp wait root internaltime dgram udp wait root internalsgi-dgl stream tcp nowait root/rcv dglduucp stream tcp nowait root /usr/lib/uucp/uucpd

Default servicesSGI workstation: mid 1990s

More default services

mountd/1 stream rpc/tcp wait/lc root rpc.mountdmountd/1 dgram rpc/udp wait/lc root rpc.mountdsgi_mountd/1 stream rpc/tcp wait/lc root rpc.mountdsgi_mountd/1 dgram rpc/udp wait/lc root rpc.mountdrstatd/1-3 dgram rpc/udp wait root rpc.rstatd walld/1 dgram rpc/udp wait root rpc.rwalld rusersd/1 dgram rpc/udp wait root rpc.rusersd rquotad/1 dgram rpc/udp wait root rpc.rquotad sprayd/1 dgram rpc/udp wait root rpc.sprayd bootparam/1 dgram rpc/udp wait root rpc.bootparamdsgi_videod/1 stream rpc/tcp wait root ?videod sgi_fam/1 stream rpc/tcp wait root ?fam sgi_snoopd/1 stream rpc/tcp wait root ?rpc.snoopd sgi_pcsd/1 dgram rpc/udp wait root ?cvpcsd sgi_pod/1 stream rpc/tcp wait root ?podd tcpmux/sgi_scanner stream tcp nowait root ?scan/net/scannerdtcpmux/sgi_printer stream tcp nowait root ?print/printerd webproxy stream tcp nowait root /usr/local/etc/webserv

FreeBSD partition, this laptop(getting out of the game)

Active Internet connections (including servers)Proto Recv-Q Send-Q Local Address tcp4 0 0 *.22 tcp6 0 0 *.22

“Best block is not be there”

- Mr. Miyagi (Pat Morita)

Karate Kid

Secure network services for *nix

• Postfix

• Openssh– But if the call comes…

Properties of these services

• The authors cared very much about security from the first moment of design

• The code has a low rate of “improvements,” which gives the code a chance to stabilize

• The security record for these is excellent, though not perfect

• Careful efforts by a few have benefited us all

Some popular network services I don’t like

• NFS– Not Unix file system semantics– RPC implementation is complicated and

dangerous

• Still sniffable– POP3– SNMP– Instant messaging

Research/project/funding suggestion

• Rewrite or audit the software we rely on the most– This has been done to some extent…see

below– Libc, ASN.1 compiler, C compiler, kernel

calls (“Setuid demystified”)

• Perhaps Knuth would write a new inetd…

The Pretty GoodWall of China

Perimeter defenses don’t work…

• If the perimeter is too big, or

• If you have to let the barbarians in

2) subvert a user account and break into root or admin using setuid

programs

Subvert a user account and break into root or admin

Kernel

TCP/IP

Setuidprogram

“Unix is an administrative nightmare.”

-- Dennis Ritchie

“GUIs are not the answer to Unix’s administrative

nightmare.”

Rate a Unix systems host security?

find / -perm -4000 -user root -print | wc -l

/bin/rcp/sbin/ping/sbin/ping6/sbin/shutdown/usr/X11R6/bin/Xwrapper/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/keyinfo/usr/bin/keyinit/usr/bin/lock/usr/bin/crontab/usr/bin/opieinfo/usr/bin/opiepasswd/usr/bin/rlogin/usr/bin/quota/usr/bin/rsh/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/chpass/usr/bin/login

/usr/bin/passwd/usr/bin/at/usr/bin/ypchsh/usr/bin/ypchfn/usr/bin/ypchpass/usr/bin/chsh/usr/bin/chfn/usr/bin/yppasswd/usr/bin/batch/usr/bin/atrm/usr/bin/atq/usr/local/bin/screen/usr/local/bin/sudo/usr/local/bin/lppasswd/usr/sbin/mrinfo/usr/sbin/mtrace/usr/sbin/ppp/usr/sbin/pppd/usr/sbin/sliplogin/usr/sbin/timedc/usr/sbin/traceroute/usr/sbin/traceroute6

Remove the ones I never use

You should never be vulnerable to the weaknesses of a feature you do not use.

-- Microsoft security goal

/bin/rcp/sbin/ping/sbin/ping6/sbin/shutdown/usr/X11R6/bin/Xwrapper/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/keyinfo/usr/bin/keyinit/usr/bin/lock/usr/bin/crontab/usr/bin/opieinfo/usr/bin/opiepasswd/usr/bin/rlogin/usr/bin/quota/usr/bin/rsh/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/chpass/usr/bin/login

/usr/bin/passwd/usr/bin/at/usr/bin/ypchsh/usr/bin/ypchfn/usr/bin/ypchpass/usr/bin/chsh/usr/bin/chfn/usr/bin/yppasswd/usr/bin/batch/usr/bin/atrm/usr/bin/atq/usr/local/bin/screen/usr/local/bin/sudo/usr/local/bin/lppasswd/usr/sbin/mrinfo/usr/sbin/mtrace/usr/sbin/ppp/usr/sbin/pppd/usr/sbin/sliplogin/usr/sbin/timedc/usr/sbin/traceroute/usr/sbin/traceroute6

/sbin/ping/sbin/ping6/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/crontab/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/login/usr/bin/passwd/usr/bin/at/usr/bin/chsh/usr/bin/atrm/usr/bin/atq/usr/local/bin/sudo/usr/sbin/traceroute/usr/sbin/traceroute6

Some should not need root, or shouldn’t be

setuidLeast privilege

/sbin/ping/sbin/ping6/usr/X11R6/bin/xterm/usr/X11R6/bin/Xwrapper-4/usr/bin/crontab/usr/bin/su/usr/bin/lpq/usr/bin/lpr/usr/bin/lprm/usr/bin/login/usr/bin/passwd/usr/bin/at/usr/bin/chsh/usr/bin/atrm/usr/bin/atq/usr/local/bin/sudo/usr/sbin/traceroute/usr/sbin/traceroute6

/usr/X11R6/bin/Xwrapper-4/usr/bin/su/usr/bin/passwd/usr/bin/chsh/usr/local/bin/sudo

• Re-engineer these programs to lower their privilege requirements– (you’ve been complaining about this in

Microsoft software!)• (and justifiably so)

• Extra funding for reducing the size of the programs

• Must be done on many *nix distributions, not just your favorite one

AIX 4.2 & 242 & a staggering number \\BSD/OS 3.0 & 78 \\FreeBSD 4.3 & 42 & someone's guard machine\\FreeBSD 4.3 & 47 & 2 appear to be third-party\\FreeBSD 4.5 & 43 & see text for closer analysis \\HPUX A.09.07 & 227 & about half may be special for this host \\Linux (Mandrake 8.1) & 39 & 3 appear to be third-party \\Linux (Red Hat 2.4.2-2) & 39 & 2 third-party programs \\Linux (Red Hat 2.4.7-10) & 31 & 2 third-party programs\\Linux (Red Hat 5.0) & 59 \\Linux (Red Hat 6.0) & 38 & 2--4 third-party \\Linux 2.0.36 & 26 & approved distribution for one university \\Linux 2.2.16-3 & 47 \\Linux 7.2 & 42 \\NCR Intel 4.0v3.0 & 113 & 34 may be special to this host \\NetBSD 1.6 & 35 \\SGI Irix 5.3 & 83 \\SGI Irix 5.3 & 102 \\Sinux 5.42c1002 & 60 & 2 third-party programs\\ Sun Solaris 5.4 & 52 & 6 third-party programs\\Sun Solaris 5.6 & 74 & 11 third-party programs\\Sun Solaris 5.8 & 70 & 6 third-party programs\\Sun Solaris 5.8 & 82 & 6 third-party programs\\Tru64 4.0r878 & 72 & \\

Setuid-root

3) Fool a user (system administrator?) into executing your code while privileged

Modified versions of ssh client in user’s /bin directory

• Why was this ever executed. Did the bad guys change the PATH data

• Stuff like this can be checked regularly with an updated version of something like COPS.

• User’s are going to get this wrong (i.e. not notice it), and we are going to have to live with it

If the bad guys get a user account on your Unix system, they can

root the machine.

Game over.

Network security

Engineering secure systems from insecure parts?

Some assembly required

Secure computing requirements

• Secure client

• Secure communications

• Secure server

Client host(in Molvania)

Secure client

• You don’t have that

• You probably can’t have that

• It would be expensive and inconvenient if you do have it

Secure communications

• Got it! We won the crypto wars

• In June 2003, NSA said that a properly implemented and vetted version of AES is suitable for Type 1 cryptography!

• Ssh is not perfect, but it is holding up pretty well

• Formal methods for protocol design and verification

• This has been on some lists for a long time

• It is hard

Secure servers

• That’s your job

• Potentially doable

• You must mistrust all clients, even with strong authentication!

Review of security checkpoints

Front end

Big Iron

Front end

Big Iron

File server/File backup

Front end

Big Iron

Hacker

Front end

Big Iron

Hacker

Front end

Big Iron

Hacker

Front end

Big Iron

Hacker

It is poor engineering to rely on the security savvy of the user base

Users are not going to pick passwords that are resistant to dictionary attacks. Period.

• Either don’t let them pick passwords– Inconvenient for the users– Not a panacea (see below)

• Or don’t give the bad guys a chance to run dictionary attacks---get out of the game– That means passwords are validated on

the server, not the client– Ssh agent keys get this wrong– Bank ATM cards get this right

Don’t let users pick passwords

• Machine can choose them. Then they get written down and/or forgotten. Not good, though post-it passwords don’t involve the usual threat models. Bad idea.– Password aging is a bad idea. Good

passwords are hard to think up and remember

• Use multifactor authentication, i.e. hardware tokens or one-time passwords

Hardware tokens

• It would be nice if the server end is open source

• The business model has never been one for global adoption

• Challenge/response form factor is the safest, but not accepted

OTPs are not a cure-all perfect

• I installed these at Bell Labs in the early 1990s

• “We never had an undetected break-in” – me

• “Yes, you did.” – Steve Branigan

Front end

Big Iron

Hacker

Case Study

My little home network

User base

• Me

• My family– (family members are like employees, from

a security standpoint)

• Easy experimentation on the Internet– No firewall for secure clients and servers

• Support for family computing– Shared file system– 140GB of family photos– Digital house support

• Experimentation with strong host security– Is it too hard to trade off convenience for

security? Skinny-dipping on the Internet

• Protect family databases

Threats

• Loss of data

• Loss of Saturdays

• Loss of face

• Very few network services

• Moderately-well understood OS (FreeBSD)

• Unsafe network services in chroot jails– Belt and suspenders

• End-to-end encryption, always– No kiosks for reading mail…– WAP and sniffed Ethernets not a problem

• Two factor authentication

More tools

• Network and host monitors for alien packets and changes to important files

• Lots of disk space (>1TB at home)– Onsite and offsite backups with rsync

over ssh

My home network

Family web serverShared files

File backup

Access rules

• Ssh only for non-web access

• Other services tunneled through ssh– With Unix or MSFT client

• Backup hosts unreachable from the outside, and from the server host

• I win if the backed up machines remain unhacked, and the file contents remain intact

Results

• Almost ten-year old experiment– No viruses, no break-ins– Was a mail relay for a few weeks

• Working quite well

• Daughter away at school has to follow same rules for home access– My email service for her was substandard

• Still need a good POP3S service for me Treo

• Cooperative user population makes all the difference

Case Study

Intellink

Caveat

• I have no current clearance

• I have received no briefings on Intellink

Intellink

• Described in James Banford’s Body of Secrets

• Imagine a distribution system for top secret information using search engines and Internet technology

• Given the known security “successes” of the Internet, how the hell would you implement such a thing with a reasonable expectation of security?!!

Some of my list

• Sealed client hardware– Client required to access the secrets– On-board crypto, that zeroizes when the

box is opened, or movement or light is detected inside the box

– No software updates or changes available in the field

– Virtual machines for different levels of classification. Linux implementation?

• Probably external hardware crypto as well

Client software

• Pick a browser, and spend a lot of money…– Ripping out unneeded features– Vetting the SSL implementation– Vetting the C compiler and libraries used

Server hosts

• Every server is registered

• Only registered servers allowed

• Network is scanned constantly for alien hosts and servers

Very strong user authentication

• Also, PKI and protected databases of who is authorized for what– Database is distributed among the

servers, no central repository

• Revocation lists, tight policies with employment office to kill dead accounts

Access only from within the intranet

• Perimeter security, tightly patrolled

• Firewalls (“guards”) to other networks, intensely engineered and constantly watched

• Intranet is wired with packet sniffers, IDS, etc.– Every anomaly is chased down– There is enough funding to do that

• If a virus appears, there is enough instrumentation to find out where it came from, and how far it got

Policy support

• A big mallet to use on non-compliant users– Spooks are generally little better than

normal users

• Mallet (which exists, for classified data) includes:– Official reprimand– Disconnection from the network– Dismissal– Criminal charges

• Accountability story at the NSA web site

I’ve talked to some spooks

• Obviously, this is an incomplete list

• Not all safeguards are implemented as well as I might hope

• These guesses, and others, are pretty close to the mark– They’ve spent hundreds of thousands of

dollars vetting software….Hmmm

Linux SE

• Mods came from the NSA

• Quickly implemented in public Linux systems

• This is a nice model, could we have more, please?

• See if some of the vetted software can be declassified and distributed

• Win-win funding situation for the public and the spooks

• Open source means you can trust the NSA!

How I Would Fix This*

* Given some money and a lot of clout

Secure servers and big iron, and

• Only allow connections from special client hardware

• Yes, I know this is probably not going to fly, but it is the only solution that would greatly improve the situation

A custom client computer is required

• Turnkey system

• No shell prompts, no root access, no network services

• USB key fob with PIN to login– Requires reinsertion now and then if

terminal is idle

• Tamper-resistant key/chip zeroizes if case is opened– Contact || light || motion detected

1 of 111 Cybersecurity Summit 2004 Some Thoughts on Network and Computer Security in an Academic...

Documents

Firewall - mybogi.files.wordpress.com · Firewalls History Third generation - application layer Publications by Gene Spafford of Purdue University, Bill Cheswick at AT&T Laboratories

72 slides1 of 104 My Dad's Computer My Dad’s Computer, Microsoft, and the Future of Internet Security Bill Cheswick ches@lumeta.com

Slide 1 of 172 Internet Attacks: The Gory Details Bill Cheswick ches@lumeta.com

4.4 Shortest Paths - Computer Science Department at ... Shortest outgoing routes on the Internet from Lumeta headquarters map by Lumeta Corporation, March 8, 2006 Lumeta mapping host

Lumeta IPsonar Aligned to ITIL v3

Cheswick Village Welcome - Amazon S3 · 2016. 9. 21. · March 2013 1 Welcome Welcome to existing and new residents of Cheswick Village. Cheswick is a new development with approximately

72 slides TBA Emergency Holographic Speaker. 72 slides My Dad’s Computer, Microsoft, and the Future of Internet Security Bill Cheswick ches@lumeta.com

1 of 137Internet Mapping, Columbia. 137 slides Clear and Present Dangers Bill Cheswick Lumeta Corp. ches@lumeta.comhes@lumeta.com

100 slides Pondering and Patrolling Network Perimeters Bill Cheswick ches@lumeta.com

105 slides Identifying and Patrolling your True Network Perimeter Bill Cheswick ches@lumeta.com

Mining Billion-node Graphs: Patterns and Toolschristos/TALKS/11-Facebook/FOILS/...CMU SCS C. Faloutsos (CMU) 5 Graphs - why should we care? Internet Map [lumeta.com] Food Web [Martinez

Development Layout - OnTheMarket...Th eE ar ls wod2 bm ung B romf dL ivng Bl orH mes Development Layout Cheswick Place Tanworth Lane, Cheswick Green, Shirley, Solihull, BF= AJE > Exchange

CONTACT INFORMATIONgasp-pgh.org/wp-content/uploads/NRG-Cheswick-tvopr.… · · 2017-12-18Bituminous Coal; Synfuel N/A Ash Handling, Processing, and Storage Fabric Filters; Wet

William Cheswick Presentation - CSO Perspectives Roadshow 2015

The Wired World and Cyber Security Steven Branigan & Bill Cheswick June 21, 2001

News Bulletin from the Neighbourhood Management Team ...€¦ · Web viewPolice have been patrolling and speaking to parents after a Cheswick Green school girl was reportedly offered

110 slides Defending Your Network: Identifying and Patrolling Your True Network Perimeter Bill Cheswick Chief Scientist, Lumeta Corp

Product Book - Stover & Co. · product book 1101 russellton road p.o. box 188 cheswick, ... chvlbn van leer bel noir - (30#) 30 54% cacao semi-sweet wafers chvud van leer ultimate

Deception Defence 101...October 2016. • Bill Cheswick. An Evening with Berferd In Which a Cracker is Lured, Endured, and Studied. 1991. • Greg Hoglund et. al. Rootkits: Subverting

IEEE TRANSACTIONS ON NETWORK AND SERVICE …€¦ · Algosec Firewall Analyzer is a commercial closed-source tool that is based on Lumeta and Fang engines. It allows administration