Transcript The Rapid Evolution of Information Security: A Game of Spy

The Rapid Evolution of the
Internet – and Related Dangers
KOCSEA 13th Annual Technical Symposium
Dec. 15, 2012 – Atlanta, GA.
John A. Copeland
Electrical and Computer Engineering
Georgia Institute of Technology
Updated 1/9/2015
1960's -Computers come into widespread use in
government and companies.
Attacks
The "Logic Bomb" - program installed by computer
technician that would wipe out memory after a time
period (if not reset).
This may be retaliation for a firing. In one case the
culprit called the company and said he heard about
their disaster, and said that fortunately he had
backup tapes at home that he would sell (he went to
prison).
Defenses
Better off-site data backup systems.
2
1970's -Computers became accessible from remote
terminals.
Attacks (Insiders only, or Burglars)
Guess other user's passwords, or write "Trojan Horse"
programs for others to use which would write
passwords and other information into the hacker's file.
Defense
Better passwords (educate users - still an ongoing
battle today).
Trojan Horse programs are still a problem today. Only
install programs from trusted sources. Government
"Trusted” computers" check permissions on every read
and write.
3
1980's -Computers became accessible
from telephone voice lines by using a
modem.
"Bulletin Board" servers downloaded files,
mostly text files for printout.
Attacks
Demon Dialers - rapidly dialed telephone
numbers in sequence to find lines with a
modem. Then password guessing, if a
password was even needed.
1983 Movie, Teen
hacks into US Air
Defense Command
computer WOPR,
and almost starts
World War 3 .
Defenses
Better passwords and challenge-response
authentication. [RSA, Inc. dongles provide one-time
passwords, but their basic code was temporarily stolen by
hackers in 2010].
4
Thanks to the movies, computer hacking
(breaking in) becomes a sport for highschool age males. They can find "exploit"
programs on the Internet from "hacker"
Bulletin Boards, and instructions on how
to use them.
Many of these young men claim they are
doing good by exposing weak security in
corporate and government computers.
They did damage, even without meaning
too, by deleting files and crashing
mainframes.
1982, Computer
innards portrayed
as a virtual world
where protagonists
compete.
Who writes the exploit programs? Could it be professional
hackers who want the network noise to cover their own
tracks?
5
In the mid 1980’s, private data networks joined with the
NSFNET (nee ARPAnet) to form the Internet, joining
government organizations, universities, and
corporations. Internet Service Providers began
connecting individuals to file download sites such as
America on Line.
1990's - The World Wide Web is born.
Web servers, which work with Web Browsers using the
HTTP protocol and HTML formatted pages, download all
manner of files: email, images, articles, music.
Attacks
Email messages encouraged people to download
executable files, that would install root kits and back
doors. "Viruses" (computer programs that replicate and
spread) have different payloads.
Defenses: “Do not ‘click’ on attachments.” Anti-virus
software. Software and operating system updates were
continually coming more often and becoming larger.
7
The Dawn of the Worm.
In Nov. 1988, the Morris "Worm" (a Virus that
spreads through network connections) spread
through email servers. Not intended to be
malicious, it infected servers multiple times,
crashing the Internet email service.
In 2001, the "Anna Kournikova" spreads as an
email attachment ("click here"). "Code Red"
attacks 360,000 PC's over the Internet. The
infected number doubled every 37 minutes. The
Sapphire worm later spread 100 times faster,
infecting almost every computer that was susceptible
worldwide within 10 minutes.
Code Red
spread
In 2004, the "Witty" worm is targeted at certain network
security products: ISS "Black Ice" and "Real Secure." Every
available system worldwide was infected within 45 minutes.
8
A “worm” is a malicious program that spreads through network
connections.
Computer “viruses” were spread by content in floppy-disk files. Later
they were spread mainly by email. The line between a virus and a
worm blurred.
Spread of
Sapphire
virus, after
38 minutes.
Late 2000's - The Worm Evolves into the
"Bot" (for Robot).
A Botnet is a sparse network of compromised
computers. They communicate with only a
few other members to hide the "Command
and Control" points. These could be Web
servers whose URL belongs to the Bot
Master. The Bot Master can provide services
such as Spam mailing, phishing email, Denial
of Service flooding attacks (for extortion or
damage to competitors). Botnets are
sometimes controlled by criminal
organizations (e.g., Russian Mafia).
In Nov. 2008, the "Conficker" bot infected
over 10 million computers. It could send over
10 billion spam and phishing emails a day.
10
2010's - Wireless Networks are Everywhere
Cell phones will become the primary
access to the Internet (shopping and
banking), and a way to access shortrange networks like point-of-sale
payment systems and auto access.
Wireless Networks have a checkered
history. Early AMPS cell phones were
cloned. WiFi cryptographic methods WEP
and WPA were broken very quickly.
Attacks - All previous, and spoofing.
Defense - Using network characteristics
to "fingerprint" wireless nodes to detect
intruders. Use “challenge authentication.”
Ref. 3
11
The “Advanced Persistent Treat” APT
In a Nov. 28, 2007, a confidential report
from Homeland Security's U.S. CERT
obtained by BusinessWeek:
"Cyber Incidents Suspected of
Impacting Private Sector Networks,"
the federal cyber watchdog warned U.S.
corporate information technology staff to
update security software to block Internet
traffic from a dozen Web addresses after
spear-phishing attacks. "The level of
sophistication and scope of these cyber
security incidents indicates they are
coordinated and targeted at private-sector
systems," says the report.
March 21, 2008
Spear Phishing – the Most Common Attack
"Phishing," one technique used in many attacks,
allows cyber spies to steal information by posing
as a trustworthy entity in an online
communication. The term was coined in the mid1990s when hackers began "fishing" for
information (and tweaked the spelling).
The e-mail attacks on government agencies and
defense contractors are called "spear-phishing"
because they target specific individuals. They are
the Web version of laser-guided missiles. Spearphish creators gather information about people's
jobs and social networks, often from publicly
available information and data stolen from other
infected computers, and then trick them into
opening an e-mail [which the installs a “root kit” or
“bot”].
BusinessWeek, March 21,2008
Kimi Werner, 2008 Women’s National
Spearfishing Champion
Denial of Service
Flood Attack – Overwhelms victim’s connection to Internet.
Used for extortion, and political statements.
Year
Strength
(Gbps)
2003
1
2005
10
2007
24
2009
46
2011
60
2013
309
2014
329
Stuxnet - The first computer worm aimed at destroying
specific physical facilities (Iran's uranium-purifying
centrifuges). The attack by the U.S. and Israel started in
2007 and may have slowed the Iranian program by as
much as two years [2].
Stuxnet spread around the world by accident in 2010,
and was detected. It did no harm except to a specific
combination of Siemens controllers and P-1
centrifuges found only in Iranian uranium processors.
It contained five previously unknown (Day-0)
vulnerabilities in Windows worth $250,000 each on the
hacker market.
Defense against new bots with Day-0 exploits: none.
Air-gap did not work.
15
Cyber Warfare – Attacking Physical Infrastructure
2008 – Oil Pipeline in Turkey exploded by cyber attack.
2012 – Attack on Saudi Aramco that wiped out 30,000 of the
oil company’s computers (Iran ?)
“China and "one or two" other countries are capable of
mounting cyber attacks that would shut down the electric
grid and other critical systems in parts of the U.S.” -Adm.
Michael Rogers, head of NSA and U.S. Cyber Command.
11/20/14
Cyber War
The commercial Internet in Estonia
was disrupted for several days by
Russian hackers unhappy because a
WW2 monument was moved.
Thousands of computers in South
Korea were destroyed in what was
thought to be a test by North Korea.
The U.S. government has developed
thresholds for a Cyber Attack that
would warrant a counter Cyber-War
attack, or a conventional military
response.
BW, July 25, 2011
Defense: None, not even MAD*.
* Mutually Assured Destruction
17
Current Defensive Strategies – 1
Identifying Known Enemies
“Honey Pots” are computers that have unpatched
operating systems or applications and appear ripe for
compromising. They are used to capture the attacker’s
“exploit” software.
Exploit software is analyzed to discover what
vulnerabilities being used, particularly “day zero”
vulnerabilities. Also to try to attribute responsibility for
the malicious activity.
Signatures are developed when possible, to allow future
detection. Clearing houses for collecting and codifying
elements of attack code have been set up, to update
email-server filters and analysis of Web-server
downloads.
18
Current Defensive Strategies - 2
Identifying Abnormal Behavior
When a computer is compromised, a root kit can hide
indications of the problem from users – but network
activity is necessary (other than for a “logic bomb”).
A network Intrusion Detection System can look for:
Signatures - known patterns of behavior or bit patterns,
or
Abnormal Network Behavior (e.g., StealthWatch),
or
New devices on the network, detected by timing or
protocol variations*.
*”GTID: A Technique for Physical Device and Device Type Fingerprinting,”
Raheem Beyah, this afternoon at this conference.
19
Current Defensive Strategies - 3
Monitoring infrastructure Control Systems
Everything’s
OK
Faster,
Faster,
Controller
Computer
Supervisor’s
Computer
ALARM !
Passive
Monitor
20
What Does the Future Hold?
There is no doubt that the Internet has become critical to
our economy, and our way of life. >75% of the world’s
population is connected. It carries >90% of e-information.
There was an effort in 2012 to get congress to pass a law
requiring privately-owned critical infrastructure companies
to meet network security standards. The power industry
successfully lobbied to keep self-regulation.
Will losses reach the point that all users and all servers
will be required to have “Certificates,” like those used by
the large e-commerce servers today? This would require
a trustworthy “Certificate Authority,” perhaps better than
those built into browser software today, and governed by
global regulations.
21
References
[1] Joseph Menn, “Fatal System Error: The Hunt for the New Crime
Lords Who Are Bringing Down the Internet,” Public Affairs, 2010.
[2] David E. Sanger, “Confront and Conceal,” Crown, New York,
2012.
[3] "Cyberwar: Countdown to Day Zero: Stuxnet and the Launch of
the World's First Digital Weapon," Kim Zetter, (Nov. 2014).
Author Contact Information
John A. Copeland, Weitnauer Prof, GRA Eminent Scholar
Georgia Tech, Elec. & Computer Eng. – 0765
Atlanta, GA 30332-0765
office 404 894-5177, cell 404 786-5804
Home Page: http://www.csc.gatech.edu/copeland/
PGP Public Key: http://www.csc.gatech.edu/copeland/jac/PGP_Key.html
Dir., Communications Systems Center,
Home page: http://www.csc.gatech.edu/
22