Security Lessons from All Over - PowerPoint PPT Presentation

Slides: 155
Provided by: billch
Learn more at: http://www.cheswick.com

Transcript and Presenter's Notes

1
Security Lessons from All Over
  • Bill Cheswick
  • Lumeta Corp
  • ches@lumeta.com
  • http://www.cheswick.com/

2
or "Security People are Paid to Think Bad
Thoughts" - Robert Morris
3
It's all the same stuff!
4
Caveats
  • A lot of the science in this talk is brand new
  • Experts do not fully understand, nor necessarily
    agree with these opinions
  • I am not an expert
  • just a science guy from Bell Labs

5
Perimeter Defenses
6
The Pretty Good Wall of China
7
The Great Wall
  • Built to keep out the barbarians of the north
  • and their economy
  • Formed from shorter segments
  • Genghis Khan walked past the wall, unopposed, and
    into Beijing
  • A wall is a single layer

10
Incremental implementation
  • The Great Wall was built in segments, and
    eventually unified
  • They wouldn't have spent the energy if the
    prototype segments hadn't been useful

17
Walls
  • Chinese palaces have many doors and walls
  • So do the temples
  • Many opportunities for defense. Also for
    charging further admission.
  • Trip walls for the spirits
  • pretty stupid spirits
  • stupid defenses will usually keep out only stupid
    attackers

18
Perimeter Defense of the US Capitol Building
19
Flower pots
23
Security doesn't have to be ugly
25
Delta barriers
27
Parliament entrance
28
Parliament exit
29
Scotland Yard
30
Perimeter defenses usually have leaks
  • postern n.
  • A small rear gate, especially one in a fort or
    castle.

31
The Crummy Wall of Lucent
  • firewalls: > 5
  • IP addresses answering: 266,000
  • extranets: 200
  • needs balkanization

32
This is typical of most large company networks
33
Leaky intranet walls
  • I've heard many private confessions from people
    who run modest to large intranets that viruses
    like Code Red managed to get into their networks
  • Code Red propagation modes are supposed to be
    blocked, according to most people's security
    policies

34
Thermopylae
  • 300 Spartans defended a narrow pass
  • A goat trail through the mountains gave the
    Persians a backdoor
  • The Spartans took a great toll, and delayed the
    advance of Xerxes' armies
  • History actually records three instances of the
    same action

36
A cell's plasma membrane is very much a wall
  • Lipid layer provides a safe environment for cell
    chemistry
  • Even protons can't get through the membrane
    itself
  • Membrane blocks out external threats
  • poisons
  • attackers
  • It has numerous firewalls

37
Firewalls in the plasma membrane
  • Packet level pumps
  • water, arsenic, sodium out
  • iron, molybdenum, selenium, etc., in
  • Application gateways
  • lets the signal, not the messenger, in
  • hormone signals, etc.
  • Invaders need special siege machines to breach
    the membrane

38
Edinburgh Castle
  • fell to siege in three years in 16th century
  • ran out of food and water
  • Unsuccessful attack by Bonnie Prince Charlie in
    1745
  • Devastated in 1544 by the Earl of Hertford

39
Edinburgh Castle Robert the Bruce
  • Taken from the English in March 1313
  • insider knowledge
  • security and convenience are usually at odds
  • climb the crag, and a short ladder
  • defenders were complacent

40
Backdoors in programs
  • Joshua
  • Sendmail's DEBUG command
  • Fred Grampp and the rm(1) dual

41
The biological world has much to teach us
  • It's all the same stuff, mostly

43
Questions that need answering
  • How does it attack?
  • How does it spread?
  • How bad is it?
  • How can we treat a diseased host?
  • How can we immunize hosts?
  • Where did it come from?
  • Usually, this is the hardest to answer

44
Layered defenses: Defense-in-depth
45
Defense should have layers
  • Belt-and-suspenders is safer
  • It's harder to get through
  • It takes longer to get through
  • The attackers may hit a layer they cant handle
  • Once they have passed the first layer, they
    should have had to show intent

46
Warsaw old city, layer 1
47
Warsaw old city, layer 2
49
Lorton Prison
50
Heidelberg Castle started in the 1300s
51
Heidelberg Castle
60
Heidelberg Castle failure modes
  • 1622 Tilly captured the castle after a two-month
    siege
  • 1689 Captured by 30,000 French in a few hours
  • insufficient number of defenders

61
You need to hire enough defenders
64
A plant's layered defense: it can't dodge an
attack
  • A plant can't dodge an attack
  • No claws or teeth
  • Can't run away from bugs, animals, fungi
  • Uses a nasty chemical soup for defense.
  • Every plant has 50--100 chemicals for defense
  • A mixture is harder to process (acquire immunity)
  • Single defenses tend to get exploited
  • e.g. eucalyptus oil is an insecticide

65
Some of the chemicals found in cabbage
  • isothiocyanates
  • allocyanates
  • phenolics (widespread)
  • cyanide
  • you eat about 1.5 grams of natural pesticides a
    day
  • organic farmers pick cultivars that are high in
    natural pesticides

66
Young oak leaves
  • First shoots of the season are relatively
    undefended
  • time-to-market is a factor in security
  • startups have limited resources

67
Oak leaves: More defenses later
  • Older plants - more resources
  • Version 2 of leaves
  • be sure to deliver version 2!
  • More poisons
  • when under attack (stressed)
  • when neighbors are under attack
  • (do you keep up on CERT advisories? AUSCERT?)

68
Intimidation is a layer
69
Intimidation is a Layer
  • The best defense is never attacked at all
  • But how much do you over-design a defense?
  • Fort Knox

70
Often, your dignity and good name are your most
valuable assets
71
clark.research.att.com
  • Invaded before Thanksgiving one year by Internet
    Liberation Front
  • Somewhat secured, but
  • old Ultrix host
  • wasn't watched
  • ran NFS

72
while true
do
        mail root@cert.org < lib.msg
        sleep 1
        mail root@wired.com < lib.msg
        sleep 1
        mail root@newsday.com < lib.msg
        sleep 1
        mail dateline@news.nbc.com < lib.msg
        sleep 1
        mail root@apnews.com < lib.msg
        sleep 1
done
73
/usr/lib/sendmail: Permission denied
/usr/lib/sendmail: Permission denied
/usr/lib/sendmail: Permission denied
/usr/lib/sendmail: Permission denied
/usr/lib/sendmail: Permission denied

$ ls -l /usr/lib/sendmail
-rwSr--r--  1 root  266240 Mar 19  1991 /usr/lib/sendmail
(the capital S: setuid bit set but the owner execute bit cleared, so the
mail-bombing script could not run sendmail at all)
74
Obscurity is a layer
  • Often weak, and the only layer
  • An important reason for continuing classification
    of some DOE secrets
  • A password is (usually weak) obscurity
  • A random key is the essence of good obscurity

75
Access Hacking
Force attackers to show intent
76
Commitment is a layer
  • My old network attack sensors
  • 6 evil, 40 unknown per week
  • Force the attacker to show intent!
  • Forced entry needed for home insurance payment
  • Double fences with motion detectors
  • Mission Impossible and Quantico

77
Where not to get your security lessons from
  • TV and the movies

78
Security in entertainment
  • TV
  • Worf and Tasha Yar (Star Trek) were awful
    security officers
  • Garibaldi (Babylon 5) is the best
  • Movies
  • Security lapses are often the main plot twist
  • Most Hollywood cops are dumb or corrupt
  • In Arlington Hill, the delta barrier to the FBI
    was installed backwards!

79
Security choices always involve economics
80
Economic questions
  • How much is the attacker willing to spend in
    terms of money, time, and risk?
  • What level of defense will make attack not
    worthwhile?
  • KGB is cheap
  • $3,000 for the KH-11 operations manual!
  • It is harder to bribe someone with more to lose
  • bank officers have limits on check amounts they
    may sign

81
Tony Sale
Colossus (ver 2.0)
82
Enigma
  • The Germans correctly computed the complexity of
    the enigma machines
  • They did not believe it was economically feasible
    to break it
  • The Tunny cipher was considered so secure,
    Hitler was allowed to use it
  • Colossus found correlations twice as fast as an
    early Pentium can

83
There is no such thing as perfect security
  • Abscam - congressmen can be bought
  • Robert Morris can afford one (so can I).
  • Human immune system isn't perfect, it's good
    enough
  • Attacker with similar key can hide
  • maybe precipitate an autoimmune attack
  • Frequent password changes can protect a
    biological invader: malaria, HIV, etc.

84
Tradeoff security vs. cost
  • Fast CPUs make strong encryption unnoticeable,
    and free

85
Security is usually at odds with convenience, but
good engineering can help
86
Convenience depends on user expectations
87
Modern authentication tokens that work
  • Car keys and hotel keys have become very good
  • Auto theft is by tow-truck now; the teenagers are
    out of the loop
  • Replacement is expensive
  • Hotel keys are great: you don't need to turn
    yours in, and the hotel can monitor the door
  • Replacement is easy

88
Hardware tokens
  • SecurID
  • time-based
  • S/Key
  • software or printout solution
  • Many others
  • usually proprietary server software

Digital Pathways SNK-004
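The two token families on this slide, worked through in code. This is an added example and not code from the talk: the S/Key part is a simplified Lamport hash chain (real S/Key uses MD4 folded to 64 bits and prints six short words; SHA-256 is used here), and because SecurID's own algorithm is proprietary the time-based part uses the open HOTP/TOTP algorithms of RFC 4226 and RFC 6238, checked against the RFC test secret. The secret, seed and chain length are made up for the example.

```python
import hashlib
import hmac
import struct
from typing import List


# ---- S/Key-style one-time passwords: a Lamport hash chain ----
# Assumption: SHA-256 stands in for S/Key's folded MD4; the shape is the same.

def skey_chain(secret: bytes, seed: bytes, n: int) -> List[bytes]:
    """chain[i] = H^i(seed || secret); the user keeps (or recomputes) this."""
    chain = [hashlib.sha256(seed + secret).digest()]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class SkeyServer:
    """Holds only the last accepted value, never the secret or the chain."""

    def __init__(self, last: bytes, remaining: int) -> None:
        self.last = last
        self.remaining = remaining

    def login(self, otp: bytes) -> bool:
        if self.remaining <= 0:
            return False                      # chain exhausted: re-enrol
        if not hmac.compare_digest(hashlib.sha256(otp).digest(), self.last):
            return False                      # wrong value, or a replay
        self.last = otp                       # step one link down the chain
        self.remaining -= 1
        return True


# ---- Time-based tokens: HOTP (RFC 4226) and TOTP (RFC 6238) ----

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """The counter is the number of `step`-second windows since the epoch."""
    return hotp(key, at // step, digits)


def totp_verify(key: bytes, code: str, at: int, step: int = 30,
                skew: int = 1) -> bool:
    """Accept the current window and `skew` windows either side (clock drift)."""
    return any(hmac.compare_digest(totp(key, at + w * step, step), code)
               for w in range(-skew, skew + 1))


if __name__ == "__main__":
    chain = skey_chain(b"correct horse", b"ex42", 100)   # constructed inputs
    server = SkeyServer(last=chain[100], remaining=100)
    # first use succeeds, the replay fails, the next link succeeds
    print(server.login(chain[99]), server.login(chain[99]), server.login(chain[98]))
    key = b"12345678901234567890"                        # RFC 6238 test secret
    print(totp(key, 59), totp_verify(key, totp(key, 59), 59 + 20))
```

The server-side property that matters is in `SkeyServer.login`: a captured one-time password is useless because the server now stores it, and the next acceptable value is its preimage, which a sniffer cannot compute. The TOTP side shows why the server needs a clock-skew window and why "usually proprietary server software" is no longer a requirement.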
89
Cheap defensive measures can frustrate
sophisticated attacks
90
Bob Morris said
  • A $40 item found in a hardware store can
    frustrate a $100,000,000 intelligence device

91
A gram of prevention
  • Remove network services you don't absolutely need
  • Turn off other services you don't absolutely need
  • Java, JavaScript, plug-ins, Internet connectivity

93
The Alamo failure
  • 189 defenders
  • some snuck in during the siege
  • Two week siege and periodic bombardment
  • Santa Anna and 2,000 attackers stormed the
    fortified mission

94
A good defense magnifies the cost of successful
attack
  • Final losses: 189 Texans and about 1,600
    Mexicans; 16 women and children were spared

95
Insiders are a major source of security problems
96
You don't go through security, you go around it
97
Going around security
  • Cryptographers will tell you this
  • It's the cryptology that counts, often more than
    the cryptography
  • Most CERT advisories over the past 15 years would
    not be fixed with crypto
  • Morris's three B's
  • Blackmail
  • Bribery
  • Burglary

98
Berwick Castle
99
Berwick Castle Failure Modes
  • Edward I "Hammer of the Scots" led the English
  • Castle was ready for a long siege; the Scots
    jeered the English
  • People in the nearby town were ruthlessly
    slaughtered
  • People in the castle surrendered
  • Grim social engineering

100
Mongols' choice
  • Let our hordes into your city, or
  • We will come in anyway and kill every man,
    woman, child, cat, dog, goldfish, goat, ...

101
Castle failure modes
  • Sieges
  • The ultimate Denial-of-service attacks!
  • Overwhelming force
  • Back doors are a major source of security failures

102
Users are easily deceived
103
Scarlet king snake
West coral Snake
104
(the west coral snake is venomous)
105
Click here to infect your computer.
107
Make programs with security choices default to
the strongest setting. Computer users lack the
time and information needed to make reasoned
choices.
108
Arms races are ubiquitous
109
Arms races
  • Pick any from military history
  • Submarine vs. destroyers
  • Sonar/stealth
  • Leigh lights
  • Radar/stealth
  • Bullets/vests

110
Arms races: computer viruses
  • At first, simple string matches could detect
    known viruses
  • Now detectors have to simulate the code
  • Virus writers try to frustrate emulation
  • Simulation will take longer
  • It is theoretically infeasible to tell what a
    program is doing (the halting problem)
  • Prediction: virus writers are going to win
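The three rounds of this arms race, played out on a toy. This is an added example, not code from the talk, and nothing in it is a real virus: the "signature" is a constructed marker string, and the "decryptor" is a made-up header plus a byte-wise add that a real polymorphic stub would replace with machine code. The emulator's step budget stands in for the practical answer to the halting problem: a scanner cannot decide what the decoder will do, so it runs it for a while and gives up.

```python
from typing import Optional

# Constructed stand-in for a known virus byte string (no real malware here).
SIGNATURE = b"EVIL-MARKER-1"


def signature_scan(sample: bytes) -> bool:
    """Generation 1: a plain substring match."""
    return SIGNATURE in sample


def armor(payload: bytes, key: int, rounds: int) -> bytes:
    """Toy polymorphic wrapper (assumption: stands in for a real decryptor stub).
    Header byte 0xAA, then (rounds, key), then the payload with `key` added
    `rounds` times mod 256.  Different (key, rounds) give different bytes, so
    no fixed substring survives for the generation-1 scanner to match."""
    body = bytes((b + key * rounds) & 0xFF for b in payload)
    return b"\xAA" + bytes([rounds, key]) + body


def emulate(sample: bytes, budget: int) -> Optional[bytes]:
    """Generation 2: run the decoder instead of matching it.  Returns the
    decoded bytes, or None if decoding exceeds `budget` steps."""
    if len(sample) < 3 or sample[0] != 0xAA:
        return sample                 # no decoder stub: scan bytes as they are
    rounds, key = sample[1], sample[2]
    body = bytearray(sample[3:])
    steps = 0
    for _ in range(rounds):           # generation 3: the attacker raises rounds
        for i in range(len(body)):    # so that honest emulation costs too much
            body[i] = (body[i] - key) & 0xFF
            steps += 1
            if steps > budget:
                return None
    return bytes(body)


def emulating_scan(sample: bytes, budget: int = 10_000) -> str:
    decoded = emulate(sample, budget)
    if decoded is None:
        return "undecided"            # attacker ran the emulator out of budget
    return "malicious" if SIGNATURE in decoded else "clean"


if __name__ == "__main__":
    plain = b"just some file bytes " + SIGNATURE + b" tail"
    print(signature_scan(plain), signature_scan(armor(plain, 0x5A, 3)))
    print(emulating_scan(armor(plain, 0x5A, 3)))
    print(emulating_scan(armor(plain, 0x5A, 200), budget=1_000))
```

The "undecided" result is the one to watch: a scanner that treats it as "clean" has handed the attacker a guaranteed evasion, and one that treats it as "malicious" flags every legitimately packed program. Either way the defender pays, which is the slide's prediction.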

111
When viruses can be detected
  • Cryptographically-signed programs
  • Better network hygiene, which we should have done
    in the first place

112
The Internet security arms race
  • Currently we are behind
  • We can control the battlefield
  • An uneasy truce may be good enough, if the
    business case can make usable predictions
  • Things will get worse
  • sniffing
  • spoofing
  • TCP hijacking
  • denial-of-service
  • routing infrastructure attacks
  • Virus definitions
  • See Bugtraq for the latest round

113
The Antibiotics Arms Race
  • Penicillin
  • Vancomycin
  • Single defenses v. multiple defenses
  • Starting in with antiviral agents
  • Acyclovir
  • Some new ones

114
We are behind in the arms race against bacteria
  • Antibiotic research is down worldwide
  • The business case was not there
  • Vancomycin-resistant bugs are showing up
  • What is our next weapon?

115
Antibiotics and public policy
  • Low levels of antibiotics, including vancomycin,
    are being added to animal feed!
  • Increases yield by 10% or so
  • The bugs learn resistance here, and in hospitals
  • Policy proposal: do not permit the sale or
    importation of meat that is grown using
    antibiotics
  • This is much more serious than hormones, GM,
    pesticides, etc.

116
The bad guys share their tricks
  • Bacteria trade plasmids
  • for defense
  • for infectivity
  • even trade with other species
  • Phrack, 2600, FAQs

117
Chemotherapy - the arms race against errant
cancer cells
  • Same resistance problems as antibiotics
  • Recent finding: the same compound for resistance
    as in bacteria
  • pumps evil chemicals out of the cell
  • Aggressive chemotherapy may deny the cells a
    chance to learn defenses
  • Cocktails of drugs are used to fight HIV

118
Don't let the enemy practice on you
119
Don't give the opposition a chance to practice
during an arms race
  • Dictionary attacks on passwords
  • Crashme tests on programs, protocols, and
    operating systems
  • Weakness using COTS!
  • Vancomycin in animal feed

120
The Internet is a fine place to practice attacks
  • Automated
  • Anonymous
  • Many volunteers
  • Don't give them a dictionary, oracle, or
    cribs to try automated attacks on
  • Monoculture of software in hosts and routers

121
The Internet is a fine place to practice defenses
  • MILnet has been under attack since the mid-1980s
  • That makes the threats much clearer
  • It gives the defenders a chance to get good at
    their job
  • Andrew Gross and rstatd

122
Given the opportunity, at least a small number of
individuals in a large population will misbehave
123
Monocultures are dangerous
  • monoculture   n.
  • The cultivation of a single crop on a farm or in
    a region or country.
  • A single, homogeneous culture without diversity
    or dissension.

124
Monocultures
  • Vast number of targets with the same properties
  • Strains of wheat
  • Roots for vineyards
  • Operating system and applications
  • Experience shows that exponential attacks
    (disease) spread quickly through a monoculture
  • A Common Off The Shelf (COTS) product is
    another description of a monoculture

125
Some popular computer and networking monocultures
  • Operating systems (Microsoft, linux, Mac)
  • Word processors (Word)
  • Mail readers (Outlook)
  • Web servers (IIS, Apache)
  • DNS servers (bind)
  • Time servers (ntp)
  • Browsers (IE, Netscape)
  • Etc.

126
Policy suggestion
  • Make vaccines available to the public, for
    charge, on a voluntary basis.
  • Reduces the monoculture threat
  • Less susceptible population
  • Concerned citizens become a willing and informed
    testing ground
  • Risk and price borne by those who accept a
    variation on the official cost/benefit analysis
  • Increases freedom

127
The Power of Exponential Growth
128
Exponential growth
129
Exponential growth
  • It's all about the vat
  • The curve always looks the same
  • Human population
  • Hosts on the Internet, 1982-1999
  • Cisco's corporate earnings (1990-1999)
  • Growth is actually quite slow at the beginning

130
Exponential growth
  • Is a major tool of biological systems
  • Your body has 50-100 trillion (million million)
    cells
  • Trial-and-error on a grand scale
  • Bacterial resistance
  • Teaching the acquired immune system
  • These are disposable nano-machines

131
http://www.caida.org/dynamic/analysis/security/code-red/
132
Can you control exponential growth with
exponential defenses?
  • The biological world says yes

133
Fighting exponential attacks with exponential
defenses
  • It is essential to our personal survival
  • Bugs vs. the immune system
  • Constant battles in seawater between bacteria and
    viruses

134
Exponential growth is very hard to control
135
Telomeres
136
The Hayflick limit: the cellular TTL field
  • human cells limited to about 50 divisions
  • Human telomeres shorten in replication
  • cells at the limit become senescent
  • senescent cells show up in some aging problems
  • telomerase extends telomeres
  • found in 90% of all cancers
  • other telomerase activity uncertain
  • germ cells, stem cells
  • how long are Dolly's telomeres?

137
Controlling exponential growth: Apoptosis
  • Controlled cell death
  • Important in development and cancer mitigation
  • takes a cell apart without leaving an unsightly
    and alarming mess
  • sync sync sync
  • Maybe not a bad idea for computer systems under
    attack to shut themselves off
  • But anthrax (and many others) induce apoptosis!

138
Cancer is exponential growth
  • Cancer needs long telomeres
  • Most cancers activate telomerase
  • P53 controls cell fate, based on the state of the
    cell's software
  • Cell division delay until the DNA is fixed
  • Apoptosis if things are getting out of hand
  • Extra, strong P53 suppresses cancers, but makes
    cells senile earlier

139
Replicating programs face the TTL problem
  • early Internet packets
  • broadcast storms
  • Morris worm
  • Telescript
  • the teleclick problem
  • Any user agent idea
  • Morris worm got it wrong

140
General Magic Telescript
  • Mail messages were programs
  • Executing programs deliver mail and return
    receipts
  • To prevent exponential growth, teleclicks were
    added
  • All the processors must be trusted
  • How many teleclicks are enough?

141
Controlling exponential growth is a hard
programming problem
  • Morris worm tried to limit growth rate, but had
    bugs
  • Many PC viruses have bugs
  • Tempting remedy for Code Red et al.
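A small simulation of the growth-control problem on the last three slides, added here and not part of the talk. It models one thing the Morris worm is documented to have done: it checked whether the target already ran a copy, but one time in seven it went ahead anyway, to defeat fake "already infected" replies. The `hops` budget is the Telescript teleclick / packet-TTL idea: each copy carries a budget that every spawn consumes, so a seed with budget t can produce at most 2^t copies in total no matter what the reinfection rule is. Host counts, tick counts and the random seed are made up.

```python
import random
from collections import Counter
from typing import Dict, Optional


def simulate(n_hosts: int, ticks: int, reinfect_prob: float,
             hops: Optional[int] = None, seed: int = 1) -> Dict[int, int]:
    """Worm copies per host after `ticks` rounds.

    Each tick every running copy picks a random host and tries to start a
    copy there.  `reinfect_prob` is the chance it does so even when that
    host already runs one (the Morris worm: 1 in 7).  `hops`, if given, is
    a per-copy budget: each spawn attempt costs the parent one hop, the
    child gets one less, and a copy with no hops left stops replicating."""
    rng = random.Random(seed)
    procs = [[0, hops]]                     # [host, hops_left]; patient zero
    infected = {0}
    for _ in range(ticks):
        spawned = []
        for proc in procs:
            host, left = proc
            if left == 0:
                continue                    # budget spent: this copy is quiet
            target = rng.randrange(n_hosts)
            child_hops = None if left is None else left - 1
            if left is not None:
                proc[1] = left - 1          # the attempt itself costs a hop
            if target not in infected or rng.random() < reinfect_prob:
                infected.add(target)
                spawned.append([target, child_hops])
        procs.extend(spawned)
    return Counter(host for host, _ in procs)


def load(counts: Dict[int, int]) -> int:
    """Total running copies: the load the network actually feels."""
    return sum(counts.values())


if __name__ == "__main__":
    polite = simulate(50, 30, 0.0)          # never reinfect: one copy per host
    morris = simulate(50, 30, 1 / 7)        # reinfect 1 in 7: load keeps growing
    capped = simulate(50, 30, 1.0, hops=3)  # budget 3: at most 2**3 copies
    print(load(polite), max(polite.values()))
    print(load(morris), max(morris.values()))
    print(load(capped))
```

The polite rule saturates at one copy per host; the one-in-seven rule keeps growing by a factor of about 8/7 per tick after every host is infected, which is the load that brought down the 1988 hosts. The hop budget bounds the total but also bounds how far the program can usefully go, which is the "how many teleclicks are enough?" question.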

142
Sentries and response
143
The cellular intrusion detection system
  • Chunks of disassembled proteins are escorted and
    displayed on the cell surface, to passing
    macrophages
  • Passing killer cells will destroy the cell if the
    wrong protein pieces are shown
  • For most cells, drug testing is mandatory

144
Macrophages are sentries
  • Sprawling web of cells throughout the skin
  • Sensitive for bacterial presence
  • This web is not well-understood
  • When bad stuff is detected, they call for help
  • Helps attack with histamines, hydrogen peroxide,
    bleach

145
Sentries: CDC
  • Highly capable
  • Alarming diseases are reportable
  • Malaria, polio, syphilis, etc.
  • flu-like symptoms are not reportable
  • The radio announcer has my cold!
  • We need to report most diseases
  • We need to implement cheap, thorough disease
    recognition technology

146
Sentries: NEST
  • Nuclear Emergency Search Team
  • I am not cleared to know enough information to
    guess if we have reasonable, layered defense
    against these threats
  • The physics would suggest that you can do a good
    job on this

147
Public health needs much better sentries
  • CDC and WHO only track a couple dozen diseases
    regularly
  • New diseases, natural or induced, need early
    detection
  • Research needed: better, fast, wideband, cheap
    diagnostics, like the strep test x 16,000

148
Should we automate counterattacks?
  • Can be misused: DoS attacks on systems that
    shut down automatically, intentionally or
    otherwise
  • Anthrax and many other organisms use apoptosis to
    kill the cell and create food

149
It is useful to rate security, but it is very
hard (impossible?) with complex systems
150
Rating security
  • Safes are measured by time and equipment needed
    to break into them
  • Nuclear weapons have similar designs and ratings
  • (This is very hard to do with computer systems
    and networks they are too complex)
  • You need to respond to the attack within the
    rated time

151
Network Intrusion Detection Systems
  • Vital part of defense-in-depth
  • Need to be watched and responded to
  • Bruce Schneier's example of the rating of safes
  • Not a panacea
  • False positives cry wolf too much
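A worked base-rate calculation, added here and not part of the talk, puts a number on "cry wolf". Take the talk's own figure of 6 real attacks a week as $A$; the other values are assumptions for illustration: $N = 10^{6}$ sessions inspected per week, a detection rate $d = 0.9$, and a false-positive rate $f = 10^{-4}$ per benign session.

$$P(\text{attack}\mid\text{alert}) = \frac{d\,A}{d\,A + f\,(N-A)} = \frac{0.9 \cdot 6}{0.9 \cdot 6 + 10^{-4}\,(10^{6}-6)} \approx \frac{5.4}{5.4 + 100} \approx 0.05$$

About 19 alerts in 20 are false alarms even at a one-in-ten-thousand false-positive rate, because benign traffic outnumbers attacks so heavily. Cutting $f$ buys more than raising $d$ here, and someone still has to look at every alert.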

152
Old viruses seldom die
  • Old PC viruses are still around
  • We have only conquered two viral diseases
  • smallpox and (soon) polio
  • smallpox in a mummy?
  • we thought we had consumption licked
  • Our DNA has the remains of many old retroviruses
  • This might be a good thing

153
Transitive closure: attacking through an
intermediate
  • This is common in attacking computer systems
  • Attacks are laundered through intermediates
  • The Influenza virus often does this
  • Ducks transport the flu
  • Swine get it from ducks
  • It mutates to infect people
  • H5N1
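The computer-side version of this slide, worked through as an added example that is not part of the talk. The trust graph is constructed: an edge (a, b) means that from host a you can log in to b without further credentials (b's .rhosts entry, or an unprotected key for b kept on a). Warshall's algorithm gives the transitive closure, which is the set of hosts an attacker on a given machine can eventually reach by laundering through intermediates; a breadth-first search then shows the actual chain.

```python
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed trust graph (assumption): (a, b) means "from a you can get into b".
EDGES = [
    ("lab-pc", "web1"),
    ("web1", "admin"),
    ("web1", "printer"),
    ("admin", "web1"),
    ("admin", "payroll"),
    ("backup", "payroll"),
    ("payroll", "backup"),
]


def transitive_closure(edges) -> Dict[str, Set[str]]:
    """Warshall's algorithm: reach[a] = every host reachable from a through
    any chain of trust, not only the hosts a trusts directly."""
    nodes = sorted({n for e in edges for n in e})
    reach = {a: {b for (x, b) in edges if x == a} for a in nodes}
    for k in nodes:                     # allow k as an intermediate
        for i in nodes:
            if k in reach[i]:
                reach[i] |= reach[k]
    return reach


def direct_trust(edges, target: str) -> Set[str]:
    """What the target's own configuration says: who it trusts directly."""
    return {a for a, b in edges if b == target}


def exposure(edges, target: str) -> Set[str]:
    """What is actually true: every host whose compromise reaches the target."""
    return {a for a, r in transitive_closure(edges).items() if target in r}


def attack_path(edges, src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of intermediates from src to dst (BFS), or None."""
    adj: Dict[str, List[str]] = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path: List[str] = []
    cur: Optional[str] = dst
    while cur is not None:
        path.append(cur)
        cur = prev[cur]
    return path[::-1]


if __name__ == "__main__":
    print(sorted(direct_trust(EDGES, "payroll")))   # what payroll's admin sees
    print(sorted(exposure(EDGES, "payroll")))       # what the attacker sees
    print(attack_path(EDGES, "lab-pc", "payroll"))
```

The gap between `direct_trust` and `exposure` is the point: payroll's administrator configured two trusted hosts, but a lab PC nobody thinks about is in the closure, and the path through web1 and admin is exactly the laundering described above. Run the closure over the real trust relationships (rhosts files, shared keys, firewall allow rules) before deciding that a host is "only" reachable from trusted machines.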

154
Conclusions: security engineering
  • The same lessons apply in most places
  • Clearly, we are amateurs compared to the
    biological world
  • There isn't much new in security, just different
    implementation.

155
Security Lessons from All Over
  • Bill Cheswick
  • Lumeta Corp
  • ches@lumeta.com
  • http://www.cheswick.com/