Security Problems with Intermittently Connected Clients
(PowerPoint presentation)

Jesper M. Johansson, Microsoft Corporation
Matthew A. Bishop, University of California, Davis
What are Intermittently Connected Clients?

An intermittently connected client (ICC) is a device that connects to the network for periods of time, after which it disconnects. Notebook and handheld computers, palmtops, PDAs, and cellular telephones are common examples of ICCs. We also include computers that are not typically designed for portability but that are intermittently connected to a network, such as employee home computers connecting to the corporate network over a modem or VPN.
Examples of ICCs
- Notebooks – the traditional example
- PDAs
  – Risk somewhat dependent on functionality
  – Palm v. Windows CE
- Employee home computers
- Kiosks
- Conference computing center
- Cellular phones
Organizational Security Measures
- Authentication
  – Passwords
  – Pass phrases
  – Smartcards
- Access control
- Firewalls
- Virtual Private Networks (VPN)
Purpose of ICCs
- Use organizational information away from the organizational network
  – Download information and leave network
  – Connect into network from the outside
- Enabling mobile work
- Enabling world-wide connectivity
Types of Information Used on ICCs
- Contacts
- Calendars
- E-mail
- Documents
- Databases
- Organizational credentials
- Connectivity information
  – Phone numbers
  – VPN server locations
Types of Security Exposure in ICCs
- Hardware compromise
- Data tampering
- Data theft
- Aggregation
- Software tampering
- Vectoring
Hardware Compromise
- Someone steals the device
- Most thieves are interested in hardware, not data
- Opportunistic criminals
Data Tampering
- Modification or destruction of data on the client
- Modification may be more damaging than destruction
  – Modification may become vectoring
- Important point: even if an attacker cannot read data, it may be possible to modify or destroy it
Data Theft
- Extreme end of data tampering
- Attacker need not destroy data in a data theft attack
- May be difficult to detect
- Typically perpetrated by more sophisticated attackers than hardware theft
  – Hence more serious than hardware theft
Examples of Data Theft
- RF interception
  – Tempest
- Shoulder surfing
  – New TFTs inhibit viewing from angles
- Browser frame domain verification
  – Update your browser
  – Apply security settings and be careful
- 802.11b
  – Poorly implemented security algorithms
  – Improvements on the way in standard
  – Use 802.1x
- Assume the network is hostile
Aggregation
- Combine useless data from two or more sources to make valuable information
- Separation of privilege is critical
- Be careful about using code names
- ICCs are more susceptible to this type of attack because they lie outside the protection of the corporate network
Software Tampering
- The software integrity is compromised
- Viruses are the most well-known form of software tampering
- You have SERIOUS problems!
  – Many ICCs have no concept of users, privileges, and process isolation
  – The machine can be much more easily compromised while disconnected
  – Eventually, it will be reconnected…
Vectoring
- Using the device to attack more valuable organizational assets
  – Gain access to the organizational network
  – Elevate privileges on the organizational network
  – Read/modify/destroy data on the organizational network
- As the devices get more powerful, the opportunities for vectoring increase
  – You can now run industrial strength database systems on PDAs
  – Many home computers can route Internet traffic via the VPN connection
Networking Capabilities Increase Potential for Vectoring
- VPNs are additional entry points into organization
- Many ICCs have no firewalls, or the firewalls are limited
- Many ICCs can be used for Internet connection sharing (ICS)
  – Is your VPN client using ICS?
- Read your e-mail on a PDA or cell phone
- Rogue modems
- Peer-to-peer networking
- What is the organizational network boundary?
  – Are your employees' kids' home computers clients on your network?
Protecting ICCs
- There is no complete answer
- Better authentication
- More security awareness on the ICC platforms
  – Authentication
  – Access control
- Better authentication control at entry points
  – Smart cards for dial-in
  – Use war-dialers to detect rogue entry points
  – Control direct Internet taps
Hardware Compromise Protection
- Locking devices
- Tracking devices
- Disguise
  – Put a high-end notebook in a beat-up backpack, not an expensive leather attaché
- Vigilance
  – Do not leave devices unattended
  – Do not send your notebook through the X-ray until you are ready to go through
  – Once your notebook is traveling through, do not let anyone crowd before you
Conventional Protection
- Traditional security controls
  – Access control lists
  – Personal firewalls
  – Physical security
- Authentication
  – Industrial strength user identification in more powerful systems (Windows and Unix notebooks)
  – Weak password protection in PDAs (Palm and Windows CE)
  – Pass codes in cellular phones
Value of Information
- Consider stock quotes
  – The quote for MSFT stock on March 29, 2002 would be really useful to have today
  – On April 1, it is not all that interesting any more
- Can we introduce this kind of decay on data?
Data Decay
- Protect data by introducing decay
- "The value of information diminishes with time or use"
- Key to protecting data on ICCs is extrinsic decay
  – Introduced on the data by a controlling authority
- SQL Server could define that when this data is downloaded to a client it can be used for n days, or read x times
How Do We Operationalize Decay?
- Data must be available and usable to the ICC only through a well-defined channel
- Channel encrypts data with a symmetric key (DEK) as it is replicated onto the device
- A public key is used to encrypt the DEK, and the encrypted DEK and the private key (PK) are stored on the device
- Data owner specifies acceptable use policy

How Do We Operationalize Decay? (continued)
- When the user accesses data on the device, the data access mechanism decrypts the DEK and checks whether the data is still accessible
- If the data is no longer accessible, the PK is deleted
- ICC must reconnect to the server to renew the lease on the data
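The following is an added toy model of the channel just described; it is not the authors' code or a Microsoft implementation. Two stand-ins are assumed: the symmetric "DEK" cipher is an HMAC-SHA256 keystream in counter mode plus an HMAC tag (a real channel would use an AEAD such as AES-GCM), and the public-key wrap of the DEK is textbook RSA over two fixed Mersenne primes with no padding, fit only for showing the key flow. The names `Device`, `replicate`, `access`, `seal`, `unseal` and `toy_keypair` are invented here, and the policy is expressed as "usable for n seconds, or read x times" with an injected clock so the lease checks can be exercised without waiting days.

```python
"""Toy model of the data-decay channel: DEK encrypts the data, a public key
wraps the DEK, the device holds encrypted data + wrapped DEK + private key (PK)
+ the owner's policy, and the access mechanism deletes the PK once the lease
is over. Added example; cipher and RSA parts are educational stand-ins."""
import hashlib
import hmac
import os

DEK_LEN = 16  # 128-bit data encryption key

# --- symmetric channel encryption (stand-in for an AEAD such as AES-GCM) ----
def _subkey(dek: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + dek).digest()  # separate enc/mac keys from one DEK

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(dek: bytes, plaintext: bytes, policy: bytes) -> dict:
    """Encrypt under the DEK; the tag also binds the use policy so it cannot be edited on the device."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(dek, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(dek, b"mac"), nonce + ct + policy, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def unseal(dek: bytes, blob: dict, policy: bytes) -> bytes:
    expected = hmac.new(_subkey(dek, b"mac"), blob["nonce"] + blob["ct"] + policy, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("encrypted data or policy was tampered with")
    ks = _keystream(_subkey(dek, b"enc"), blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))

# --- public-key wrap of the DEK (textbook RSA with constructed toy primes) ---
_P, _Q, _E = (1 << 127) - 1, (1 << 107) - 1, 65537  # Mersenne primes; toy, fixed key

def toy_keypair():
    n, phi = _P * _Q, (_P - 1) * (_Q - 1)
    return (n, _E), (n, pow(_E, -1, phi))  # (public, private)

def wrap_dek(public, dek: bytes) -> int:
    n, e = public
    return pow(int.from_bytes(dek, "big"), e, n)  # 128-bit DEK < n (~2^234)

def unwrap_dek(private, wrapped: int) -> bytes:
    n, d = private
    return pow(wrapped, d, n).to_bytes(DEK_LEN, "big")

# --- the channel (server side) and the device-side access mechanism ---------
class Device:
    """What the ICC holds: encrypted data, wrapped DEK, PK, policy, read counter."""
    def __init__(self):
        self.store, self.reads = None, 0

def replicate(device: Device, plaintext: bytes, max_reads: int, ttl_seconds: int, now: int) -> None:
    """Server side: fresh DEK per replication, wrapped with the public key, shipped with the owner's policy."""
    dek, (public, private) = os.urandom(DEK_LEN), toy_keypair()
    policy = f"{now + ttl_seconds}:{max_reads}".encode()  # "usable until T, or read x times"
    device.store = {"blob": seal(dek, plaintext, policy), "wrapped_dek": wrap_dek(public, dek),
                    "pk": private, "policy": policy}
    device.reads = 0

def access(device: Device, now: int) -> bytes:
    """Device side: check the lease, delete the PK when it is over, otherwise unwrap the DEK and decrypt."""
    s = device.store
    if s is None or s["pk"] is None:
        raise PermissionError("lease expired: reconnect to the server to renew")
    expires_at, max_reads = (int(x) for x in s["policy"].decode().split(":"))
    if now >= expires_at or device.reads >= max_reads:
        s["pk"] = None  # without the PK the wrapped DEK, and so the data, is unusable on this device
        raise PermissionError("lease expired: reconnect to the server to renew")
    dek = unwrap_dek(s["pk"], s["wrapped_dek"])
    device.reads += 1
    return unseal(dek, s["blob"], s["policy"])

def _raises(exc, fn, *args) -> bool:
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo() -> dict:
    dev, t0, secret = Device(), 1_000_000, b"Q3 forecast (constructed sample data)"
    replicate(dev, secret, max_reads=2, ttl_seconds=3600, now=t0)
    r1, r2 = access(dev, t0 + 10), access(dev, t0 + 20)
    read_limit_hit = _raises(PermissionError, access, dev, t0 + 30)  # third read: lease over
    pk_deleted = dev.store["pk"] is None
    replicate(dev, secret, max_reads=5, ttl_seconds=60, now=t0 + 30)  # reconnect renews the lease
    r3 = access(dev, t0 + 40)
    good_policy = dev.store["policy"]
    dev.store["policy"] = b"9999999999:999"  # policy edited on the device: tag no longer verifies
    tamper_detected = _raises(ValueError, access, dev, t0 + 45)
    dev.store["policy"] = good_policy
    time_limit_hit = _raises(PermissionError, access, dev, t0 + 95)  # past t0+90 expiry
    return {"reads_ok": r1 == secret and r2 == secret and r3 == secret, "read_limit_hit": read_limit_hit,
            "pk_deleted": pk_deleted, "tamper_detected": tamper_detected, "time_limit_hit": time_limit_hit}

if __name__ == "__main__":
    print(demo())
```

Binding the policy into the tag means an edited expiry or read count on the device is caught at decryption time rather than trusted. The read counter and the private key are still device-held state, so a user who controls the platform (no process isolation, as the earlier slides note) can reset the counter or copy the PK before it is deleted; that is the limit the slides acknowledge when they say there is no complete answer, and it is why the lease must be renewed through the server rather than extended locally.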
Operationalizing Data Decay
[Diagram; labels: DEK, Public Key, PK, Encrypted Data, Encrypted DEK]
Conclusion
- Intermittently Connected Clients present a new and serious security problem
- Mobile computing is not going away
- We need to develop tools to protect our organizational assets from compromise from and through these devices
- We have outlined one mechanism to afford some additional protection to data replicated onto ICCs