Embed Size (px)
Citation preview
.
......
Internet security experiences1985-2000 and beyond
Karst Koymans
Informatics InstituteUniversity of Amsterdam
(version 4.5, 2014/09/04 11:11:24)
Friday, September 5, 2014
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 1 / 50
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 2 / 50
Context and background
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 3 / 50
Context and background
Origins
A personal view on security
Originally presented atSAFE-NLJune 14, 2002
But much of it still applies
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 4 / 50
Context and background
Contents
Some stories. . .
Some thoughts. . .
Some ideas. . .
Some warnings. . .
. . . out of my personal experience
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 5 / 50
General principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 6 / 50
General principles
Security is more than keeping (cr|h)ackers out
Malicious (internal) actions
Unintentional errors
Pure stupidity
NuisancesSPAM, UCE
. . . and much more
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 7 / 50
General principles
Security is strongly related to
Structure
Privacy
Identity
Robustness
Information
Trust
Usability
Anonymity
Laziness
Safety
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 8 / 50
General principles
Important frameworks
AAAWho? (Authentication, Identification)What? (Authorization)When? (Auditing, Accounting)
PKIPublic Key InfrastructureEncryption and privacyHoly grail, difficult to realise
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 9 / 50
Some real life examples
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 10 / 50
Some real life examples
Early days example (1985)
Netbooting on a class B broadcast network
Client machine named “pluto” asks for bootparameters
Talking to server machine named “plato”
Answer came from “outer space” without sensible content
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 11 / 50
Some real life examples
Users of all times (1985-today)
Passwords should satisfyIs at least six characters longContains non-alphanumeric character(s)Is not simple to guess
Choice made by user“John” (in fact it was “Joop”)
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 12 / 50
Some real life examples
Conclusions about users
An easy, but probably wrong, conclusionUsers are stupid
A probably better conclusionUsers have other priorities
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 13 / 50
Some real life examples
Admins of all times (1988-today)
nVIR: early Macintosh virus
Admin comes to check for viruses. . .
Admin collects viruses for a hobby. . .
Before visit. . .
virus-free
After visit. . .
chaos
Source: http://xkcd.com/694/
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 14 / 50
Some real life examples
Xkcd illustration. . .
Source: http://xkcd.com/350/
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 15 / 50
Some real life examples
Conclusions about admins
An easy, but probably wrong, conclusionAdmins are stupid
A probably better conclusionAdmins also make mistakes
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 16 / 50
Some real life examples
Physical security (1992)
Separate servers from clients
Thieves can be very brutal
The case of the PC user. . .. . . behind a Sun workstation
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 17 / 50
Principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 18 / 50
Principles
Postel’s Law
.Definition (Postel’s Law or Robustness Principle)........Be liberal in what you accept, and conservative in what you send.
The exact wording is from RFC 1122 (October 1989)
It is already mentioned in other words in IEN1 111(August 1979)
Can you see the problems with this principle?
1Internet Experiment NoteKarst Koymans (UvA) Internet security experiences Friday, September 5, 2014 19 / 50
Principles
Correctness principle
.Definition (Correctness principle or Strictness principle)........Be strict in what you accept, and strict in what you send.
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 20 / 50
Principles
The problem with software
Software is made by trial and error
C supports buffer overflows
Viruses, Worms, Trojan Horses
Community reactionsCERT/CC advisories (1988)BugTraq (1993)
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 21 / 50
Insanity. . .
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 22 / 50
Insanity. . .
CERT/CC insanity (1)
CA-1988-01ftpd Vulnerability
. . . (alarming but “innocent”)
CA-1995-01IP spoofing Attacks and Hijacked Terminal Connections
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 23 / 50
Insanity. . .
CERT/CC insanity (2)
CA-1995-04NCSA HTTP Daemon for UNIX Vulnerability
CA-1995-18Widespread Attacks on Internet sites
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 24 / 50
Insanity. . .
CERT/CC insanity (3)
CA-1996-07Weaknesses in Java Bytecode Verifier
CA-1996-11Interpreters in CGI bin Directories
CA-1996-26Denial-of-Service Attack via ping (of death)
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 25 / 50
Insanity. . .
CERT/CC insanity (4)
CA-1997-08Vulnerabilities in INND
CA-1997-09Vulnerabilities in IMAP and POP
CA-1997-20Javascript Vulnerability
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 26 / 50
Insanity. . .
CERT/CC insanity (5)
CA-1997-28IP Denial-of-Service Attacks
CA-1998-01Smurf IP Denial-of-Service Attacks
CA-1998-08Buffer overflows in some POP servers
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 27 / 50
Insanity. . .
CERT/CC insanity (6)
CA-etc-etcBuffer overflows, Format string vulnerabilitiesTrojans, Misconfigurations, . . .
I just gave up. . .
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 28 / 50
Insanity. . .
A partial solution
Minimalisation of accessStart with the empty set of servicesOnly add the services you really needNo blacklists, only whitelists
Protect your coreMain serversNetwork equipment
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 29 / 50
Insanity. . .
But the world keeps spinning. . .
CA-1999-02Trojan Horses
CA-1999-04Melissa Macro Virus
CA-1999-07IIS Buffer Overflow
CA-2000-04Love Letter Worm
CA-2002-16Multiple Vulnerabilities in Yahoo! Messenger
CA-. . . -. . .. . . . . . . . . . . . . . . . . . . . . . . .Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 30 / 50
The SNE era
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 31 / 50
The SNE era
The SNE era — an arbitrary example from 2003
CA-2003-26Multiple Vulnerabilities in SSL/TLS Implementations
OpenSSL ASN.1 parser insecure memory deallocationOpenSSL contains integer overflow handling ASN.1 tagsOpenSSL accepts unsolicited client certificate messages
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 32 / 50
The SNE era
The SNE era — an arbitrary example from 2004
CERT advisories become part of Technical Cyber Security Alertshttps://www.us-cert.gov/ncas/alerts/
Technical Cyber Security Alert TA04-293AMicrosoft Internet Explorer contains a buffer overflow in CSS parsingMicrosoft Internet Explorer Install Enginecontains a buffer overflow vulnerability
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 33 / 50
The SNE era
The SNE era — an arbitrary example from 2005
Technical Cyber Security Alert TA05-292AOracle Products Contain Multiple Vulnerabilities
Various Oracle products and components are affectedby multiple vulnerabilitiesThe impacts of these vulnerabilities include unauthenticated,remote code execution, information disclosure, and denial of service
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 34 / 50
The SNE era
The SNE era — an arbitrary example from 2006
Technical Cyber Security Alert TA06-256AApple QuickTime Vulnerabilities
Apple QuickTime movie buffer overflow vulnerabilityApple QuickTime fails to properly handle FLC moviesApple QuickTime Player H.264 Codec contains an integer overflow
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 35 / 50
The SNE era
The SNE era — an arbitrary example from 2007
Technical Cyber Security Alert TA07-355AAdobe Updates for Multiple Vulnerabilities
Adobe Flash Player asfunction protocol may enable cross-site scriptingAdobe Flash Player may load arbitrary,malformed cross-domain policy filesFlash authoring tools create Flash files that containcross-site scripting vulnerabilities
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 36 / 50
The SNE era
The SNE era — an arbitrary example from 2008
Technical Cyber Security Alert TA08-190BMultiple DNS implementations vulnerable to cache poisoning
Insufficient transaction ID spaceMultiple outstanding requestsFixed source port for generating queries
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 37 / 50
The SNE era
The SNE era — an arbitrary example from 2009
Technical Cyber Security Alert TA09-088AConficker Worm Targets Microsoft Windows Systems
Widespread infection of the Conficker/Downadup wormA remote, unauthenticated attacker could executearbitrary code on a vulnerable system.
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 38 / 50
The SNE era
The SNE era — an arbitrary example from 2010
Technical Cyber Security Alert TA10-348AMicrosoft Updates for Multiple VulnerabilitiesThere are multiple vulnerabilities in
Microsoft Windows,Internet Explorer,Office,Sharepoint,and Exchange.
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 39 / 50
The SNE era
The SNE era — an arbitrary example from 2011
Technical Cyber Security Alert TA11-200ASecurity Recommendations to Prevent Cyber Intrusions
Almost infinite enumeration of how to eliminate bad habits
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 40 / 50
The SNE era
The SNE era — an arbitrary example from 2012
Technical Cyber Security Alert TA12-024A“Anonymous” DDoS Activity
Low Orbit Ion Cannon (LOIC) DoS-attackActivism
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 41 / 50
The SNE era
The SNE era — an arbitrary example from 2013
Technical Cyber Security Alert TA13-088ADNS Amplification Attacks
Open Recursive Nameserver problem
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 42 / 50
The SNE era
The SNE era — an arbitrary example from 2014
Technical Cyber Security Alert TA14-098AOpenSSL ’Heartbleed’ vulnerability
Bounds/input checking problem: private memory leakageOn servers, but also on clients!
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 43 / 50
Conclusions
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 44 / 50
Conclusions
Some misconceptions
Open source is bad for securityNo!. . .. . . proprietary software creates much bigger problems
Security through obscurity is badNot always. . .. . . “parameter obscurity” can be good
Performance is importantHardly ever true. . .. . . structure, modularisation and correctness proofsare much more important
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 45 / 50
Conclusions
Some advice
Avoid complicated, monolithic SWSendmail −→ postfix
Avoid legacyStart over now and then: ruu.nl −→ uu.nlIt is really time for a clean slate approach? It is!
Centralise at the right levelBut make sure that the central resources are at leastas good and knowledgeable as decentralised ones
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 46 / 50
Conclusions
A new era?
Improvements?IPsec, DNSSECSSL, SSHVPNTTP/CA
But alsoNSA, SnowdenGCHQ???
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 47 / 50
Conclusions
Fighting legacy
IPv6No addressing problems
But some routing challenges
End to end computing
No NATs
Autoconfiguration
Plug and play (+/-)
Integrated IPsec
Security from the start
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 48 / 50
Conclusions
But what happens?
Cisco introduces IPv6 in its routers without initial IPsec support. . .
Why?Because there is no user demand for it. . .. . . SIGH!
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 49 / 50
Conclusions
Legacy
Our biggest problem
No easy solutionsNot in everybody’s interestNeeds revolution, not evolutionScientific, non-commercial effort
Real clean slateBuild new system in parallelWithout transition mechanisms
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 50 / 50
