Security Problems with Intermittently Connected Clients

Jesper M. Johansson, Microsoft Corporation
Matthew A. Bishop, University of California, Davis

PowerPoint presentation, 24 slides

Page 1: Security Problems with Intermittently Connected Clients

Security Problems with Intermittently Connected Clients

Jesper M. Johansson, Microsoft Corporation

Matthew A. Bishop, University of California, Davis

Page 2: Security Problems with Intermittently Connected Clients

What are Intermittently Connected Clients?

An intermittently connected client (ICC) is a device that connects to the network for periods of time, after which it disconnects. Notebook and handheld computers, palmtops, PDAs, and cellular telephones are common examples of ICCs. We also include computers that are not typically designed for portability but that are intermittently connected to a network, such as employee home computers connecting to the corporate network over a modem or VPN.

Page 3: Security Problems with Intermittently Connected Clients

Examples of ICCs

- Notebooks, the traditional example
- PDAs
  – Risk somewhat dependent on functionality
  – Palm v. Windows CE
- Employee home computers
- Kiosks
- Conference computing center
- Cellular phones

Page 4: Security Problems with Intermittently Connected Clients

Organizational Security Measures

- Authentication
  – Passwords
  – Pass phrases
  – Smartcards
- Access control
- Firewalls
- Virtual Private Networks (VPN)

Page 5: Security Problems with Intermittently Connected Clients

Purpose of ICCs

- Use organizational information away from the organizational network
  – Download information and leave the network
  – Connect into the network from the outside
- Enabling mobile work
- Enabling world-wide connectivity

Page 6: Security Problems with Intermittently Connected Clients

Types of Information Used on ICCs

- Contacts
- Calendars
- E-mail
- Documents
- Databases
- Organizational credentials
- Connectivity information
  – Phone numbers
  – VPN server locations

Page 7: Security Problems with Intermittently Connected Clients

Types of Security Exposure in ICCs

- Hardware compromise
- Data tampering
- Data theft
- Aggregation
- Software tampering
- Vectoring

Page 8: Security Problems with Intermittently Connected Clients

Hardware Compromise

- Someone steals the device
- Most thieves are interested in the hardware, not the data
- Opportunistic criminals

Page 9: Security Problems with Intermittently Connected Clients

Data Tampering

- Modification or destruction of data on the client
- Modification may be more damaging than destruction
  – Modification may become vectoring
- Important point: even if an attacker cannot read the data, it may still be possible to modify or destroy it

Page 10: Security Problems with Intermittently Connected Clients

Data Theft

- The extreme end of data tampering
- The attacker need not destroy data in a data theft attack
- May be difficult to detect
- Typically perpetrated by more sophisticated attackers than hardware theft
  – Hence more serious than hardware theft

Page 11: Security Problems with Intermittently Connected Clients

Examples of Data Theft

- RF interception
  – Tempest
- Shoulder surfing
  – New TFTs inhibit viewing from angles
- Browser frame domain verification
  – Update your browser
  – Apply security settings and be careful
- 802.11b
  – Poorly implemented security algorithms (WEP)
  – Improvements on the way in the standard
  – Use 802.1x
- Assume the network is hostile

Page 12: Security Problems with Intermittently Connected Clients

Aggregation

- Combine useless data from two or more sources to make valuable information
- Separation of privilege is critical
- Be careful about using code names
- ICCs are more susceptible to this type of attack because they lie outside the protection of the corporate network

Page 13: Security Problems with Intermittently Connected Clients

Software Tampering

- The integrity of the software is compromised
- Viruses are the most well-known form of software tampering
- You have SERIOUS problems!
  – Many ICCs have no concept of users, privileges, or process isolation
  – The machine can be much more easily compromised while disconnected
  – Eventually, it will be reconnected…

Page 14: Security Problems with Intermittently Connected Clients

Vectoring

- Using the device to attack more valuable organizational assets
  – Gain access to the organizational network
  – Elevate privileges on the organizational network
  – Read/modify/destroy data on the organizational network
- As the devices get more powerful, the opportunities for vectoring increase
  – You can now run industrial-strength database systems on PDAs
  – Many home computers can route Internet traffic via the VPN connection

Page 15: Security Problems with Intermittently Connected Clients

Networking Capabilities Increase Potential for Vectoring

- VPNs are additional entry points into the organization
- Many ICCs have no firewalls, or the firewalls are limited
- Many ICCs can be used for Internet Connection Sharing (ICS)
  – Is your VPN client using ICS?
- Read your e-mail on a PDA or cell phone
- Rogue modems
- Peer-to-peer networking
- What is the organizational network boundary?
  – Are your employees' kids' home computers clients on your network?

Page 16: Security Problems with Intermittently Connected Clients

Protecting ICCs

- There is no complete answer
- Better authentication
- More security awareness on the ICC platforms
  – Authentication
  – Access control
- Better authentication control at entry points
  – Smart cards for dial-in
  – Use war-dialers to detect rogue entry points
  – Control direct Internet taps

Page 17: Security Problems with Intermittently Connected Clients

Hardware Compromise Protection

- Locking devices
- Tracking devices
- Disguise
  – Put a high-end notebook in a beat-up backpack, not an expensive leather attaché
- Vigilance
  – Do not leave devices unattended
  – Do not send your notebook through the X-ray until you are ready to go through
  – Once your notebook is traveling through, do not let anyone crowd in before you

Page 18: Security Problems with Intermittently Connected Clients

Conventional Protection

- Traditional security controls
  – Access control lists
  – Personal firewalls
  – Physical security
- Authentication
  – Industrial-strength user identification in more powerful systems (Windows and Unix notebooks)
  – Weak password protection in PDAs (Palm and Windows CE)
  – Pass codes in cellular phones

Page 19: Security Problems with Intermittently Connected Clients

Value of Information

- Consider stock quotes
  – The quote for MSFT stock on March 29, 2002 would be really useful to have today
  – On April 1, it is not all that interesting any more
- Can we introduce this kind of decay on data?

Page 20: Security Problems with Intermittently Connected Clients

Data Decay

- Protect data by introducing decay
- "The value of information diminishes with time or use"
- The key to protecting data on ICCs is extrinsic decay
  – Introduced on the data by a controlling authority
- SQL Server could define that when this data is downloaded to a client it can be used for n days, or read x times

Page 21: Security Problems with Intermittently Connected Clients

How Do We Operationalize Decay?

- Data must be available and usable to the ICC only through a well-defined channel
- The channel encrypts the data with a symmetric key (DEK) as it is replicated onto the device
- A public key is used to encrypt the DEK; the encrypted DEK and the private key (PK) are stored on the device
- The data owner specifies an acceptable-use policy

Page 22: Security Problems with Intermittently Connected Clients

How Do We Operationalize Decay?

- When the user accesses data on the device, the data access mechanism decrypts the DEK and checks whether the data is still accessible
- If the data is no longer accessible, the PK is deleted
- The ICC must reconnect to the server to renew the lease on the data
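The channel described on these two slides, written out as an added example in Go (standard library only); this is not code from the talk, from Microsoft or from UC Davis. The slides do not name the algorithms or say where the key pair comes from, so the following are my assumptions: AES-256-GCM as the symmetric cipher, RSA-OAEP to wrap the DEK, the policy bound to the ciphertext as GCM associated data so it cannot be edited on the device, and the server generating the device key pair and shipping the private key with the replica. The names Policy, Replica, Replicate, Open and NewDeviceKey are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Policy is the owner's acceptable-use policy: the talk's "n days or x reads" lease.
type Policy struct {
	Expires  time.Time
	MaxReads int
}

// bytes serialises the policy so it can be bound to the ciphertext as AEAD
// associated data; a policy edited on the device then fails to decrypt.
func (p Policy) bytes() []byte { return []byte(fmt.Sprintf("exp=%d;reads=%d", p.Expires.Unix(), p.MaxReads)) }

// ErrLeaseExpired means the private key is gone; the ICC must reconnect to renew.
var ErrLeaseExpired = errors.New("lease exhausted: private key destroyed, reconnect to renew")

// Replica is what the channel places on the ICC: data under the DEK, the DEK
// wrapped under the public key, and the private key ("PK") needed to unwrap it.
type Replica struct {
	Ciphertext, Nonce, WrappedDEK []byte
	PrivateKey                    *rsa.PrivateKey // nil once the lease has run out
	Policy                        Policy
	Reads                         int
}

// NewDeviceKey generates the device key pair (assumption: made on the server side).
func NewDeviceKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// aeadFor builds AES-256-GCM for a 32-byte DEK; neither call can fail for a valid key.
func aeadFor(dek []byte) cipher.AEAD {
	block, err := aes.NewCipher(dek)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Replicate is the server side of the channel: fresh DEK, AES-GCM over the data
// with the policy as associated data, DEK wrapped with RSA-OAEP. Assumption (the
// talk does not say): the server holds the device key pair and ships the private key.
func Replicate(data []byte, pol Policy, priv *rsa.PrivateKey) (*Replica, error) {
	dek := randBytes(32)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, dek, nil)
	if err != nil {
		return nil, err
	}
	gcm := aeadFor(dek)
	nonce := randBytes(gcm.NonceSize())
	ct := gcm.Seal(nil, nonce, data, pol.bytes())
	return &Replica{Ciphertext: ct, Nonce: nonce, WrappedDEK: wrapped, PrivateKey: priv, Policy: pol}, nil
}

// Open is the device-side data access mechanism: the lease is checked before
// any key is used, and an exhausted lease destroys the private key so the
// wrapped DEK, and with it the data, is unrecoverable on the device.
func (r *Replica) Open(now time.Time) ([]byte, error) {
	if r.PrivateKey == nil || now.After(r.Policy.Expires) || r.Reads >= r.Policy.MaxReads {
		r.PrivateKey = nil // production code would also overwrite the key material
		return nil, ErrLeaseExpired
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), nil, r.PrivateKey, r.WrappedDEK, nil)
	if err != nil {
		return nil, err
	}
	pt, err := aeadFor(dek).Open(nil, r.Nonce, r.Ciphertext, r.Policy.bytes())
	if err != nil {
		return nil, err // ciphertext or policy was altered on the device
	}
	r.Reads++
	return pt, nil
}

func main() {
	priv, _ := NewDeviceKey()
	pol := Policy{Expires: time.Now().Add(24 * time.Hour), MaxReads: 2}
	r, _ := Replicate([]byte("constructed sample record"), pol, priv)
	for i := 1; i <= 3; i++ { // the third read trips the lease
		pt, err := r.Open(time.Now())
		fmt.Printf("read %d: %q err=%v\n", i, pt, err)
	}
}
```

Renewal after reconnecting is modelled simply as a fresh Replicate call from the server. Two caveats a practitioner should weigh before building on this: the private key and the read counter both live on the device, so the scheme only binds an honest data access mechanism, and an attacker who images the disk before the lease runs out keeps a usable PK; binding the policy as associated data stops the lease terms from being edited, but not the counter from being reset. For the "PK is deleted" step to mean anything against a stolen device, the private key has to sit somewhere the user-mode software cannot copy, such as a smart card or other hardware token, and a time- or count-based lease is only as good as the clock and counter that the hardware enforces.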

Page 23: Security Problems with Intermittently Connected Clients

Operationalizing Data Decay

[Figure: diagram of the scheme. Labels: DEK, Public Key, PK, Encrypted Data, Encrypted DEK]

Page 24: Security Problems with Intermittently Connected Clients

Conclusion

- Intermittently Connected Clients present a new and serious security problem
- Mobile computing is not going away
- We need to develop tools to protect our organizational assets from compromise from and through these devices
- We have outlined one mechanism to afford some additional protection to data replicated onto ICCs