April 18, 2002

What do we mean by cyber-security?

- The PCCIP report would seem to say we mean everything: "Security is dependent on electrical energy, communications & computers."
- A listing of what I&S people thought were nightmares:
  - "Super-virus" worse than LoveBug, which can turn your computer into useless plastic.
  - European Parliament's "Appraisal of Technologies of Political Control" (camera technologies, surveillance technologies, etc.)
  - Cyberstalking/threats
  - Storing & distributing hardcore porn on a Lawrence Livermore Lab server
  - Attempts to compromise defense computers, etc.
  - AOL security breach
- From these samples, people don't seem to be quaking in fear, & if we are fearful, what should we do about it?
- Martin Lindner, CERT Coordination Center, which is the thin silicon line, is here to answer our questions.
- He works for Carnegie Mellon & handles responses from all over the world in the emergency response team, 24 hours a day. He monitors threats to individual computers & is responsible for thinking about the global integrity of the Internet (the bucket brigade: having no one overseer of security has made the Internet flexible, but has also made it not so secure).

Martin Lindner

- CERT Overview
  - Besides research & operations there's:
    - Vulnerability group, which is supposed to track vulnerabilities & notify vendors; they give the vendor 45 days to fix the problem. After 45 days CERT decides whether to let the public know about the problem (they haven't done this yet).
    - Incident handling group: when there's been an incident, they say how to defend ourselves. Now the serious threat is the zero-day threat, when no one knows what's causing it. People can capture the virus but don't know what it's doing.
    - Malicious code group: analyzes code to determine whether it's related to something else or is a zero-day threat.
- Facts & Figures:
  - 52,658 incidents were handled last year (2x the year before); 24,000 vulnerabilities; & about 37 CERT Advisories issued (serious things that have happened which we need to let the world know about).
  - Major event response times are declining. He noted the difference between viruses (need human intervention to propagate, e.g. an email attachment that needs to be opened) & worms (Code Red; doesn't require any human intervention). Response to Melissa was 10 days -> with Code Red the response was a matter of minutes.
  - Example of a threat with SNMP, which was a big deal because the vulnerability was embedded in the protocol.
- Changing Threats
  - Complexity of the Internet, protocols, etc. is increasing along with our reliance on them.
  - The Internet is a critical infrastructure of the US (major infrastructure issues are dependent upon it, predominantly the financial market).
- Who are the attackers?
  - Script kiddies (teenagers): the Internet is their playground, but they don't want to destroy it, just cause havoc for others.
  - Industrial spies: trying to get info about other companies.
  - Foreign governments: the nation state is who we worry about wanting to take the Internet down completely.
  - Criminals
  - Insiders: a disgruntled employee doing bad stuff the day he's fired.
  - The intruders are prepared & organized (they share info about vulnerable sites, etc.; they unite at conferences like DEF CON & in publications like 2600).
  - CERT estimates that if people could pay attention to advisories, patches, etc., 95% of the intrusions could be prevented.
  - Sophistication of attacks is going up while the knowledge needed to carry them out is rapidly decreasing. Anyone can access the needed tools.
- Recent Attacks & How They Work
  - Find a vulnerability -> development of crude tools to take advantage of it -> automated scanning/exploit tools developed -> widespread use of automated scanning (just before this point CERT tries to get their advisory out).
  - Vulnerabilities eventually start overlapping & will sometimes have a resurgence after McAfee has determined that it's OK.
  - Attacks are more sophisticated & are coordinated to take advantage of multiple vulnerabilities.
  - The number of people with security knowledge is increasing, but not as fast as the number of Internet users.
  - The number of security tools available is increasing, but not at the rate of users' knowledge, & may not be able to keep up with increasingly complex software.
  - Increasing targeting of home computers.
  - CERT is now tracking about 16 bot networks, which may have 16,000 computers on them & may even be controlled by more than one person.
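The response-time point above (Melissa: 10 days; Code Red: minutes) and the "crude tools -> automated scanning" lifecycle both come down to one quantity: how fast the thing spreads relative to how fast defenders can act. The following toy susceptible/infected model is an added example, not part of the notes or of CERT's material; the population size and the hourly spread rates for a "virus" and a "worm" are assumed values chosen for illustration, and the only defender action it models is "spread stops at the response time" (advisory out, patches or upstream filtering in place).

```python
# Added example (not from the lecture notes): a toy discrete-time
# susceptible/infected spread model, one step per hour. It makes the notes'
# point concrete: a worm that spreads without human help saturates a
# population long before a response measured in days can matter.
# All parameter values are assumptions chosen for illustration.


def step_infected(infected, total, rate):
    """Advance one hour.

    Each infected host makes `rate` successful infection attempts per hour
    against random hosts; only the still-vulnerable fraction
    (total - infected) / total of those attempts lands on a fresh host.
    """
    new = rate * infected * (total - infected) / total
    return min(float(total), infected + new)


def simulate(total, rate, response_hours, max_hours):
    """Infected count at hours 0..max_hours, starting from one host.

    Spread is assumed to stop after `response_hours` (advisory published,
    patches or filtering in place); that is the only defender action modelled.
    """
    series = [1.0]
    for hour in range(1, max_hours + 1):
        current = series[-1]
        if hour <= response_hours:
            current = step_infected(current, total, rate)
        series.append(current)
    return series


def hours_to_fraction(total, rate, fraction, limit=100_000):
    """Hours until `fraction` of hosts are infected with no response at all."""
    infected, hour = 1.0, 0
    while infected < fraction * total:
        infected = step_infected(infected, total, rate)
        hour += 1
        if hour >= limit:
            return None
    return hour


def hosts_spared(total, rate, response_hours, max_hours=24 * 30):
    """Hosts still clean once spread has been stopped at `response_hours`."""
    series = simulate(total, rate, response_hours, max_hours)
    return total - series[-1]


if __name__ == "__main__":
    N = 100_000            # assumed vulnerable population
    VIRUS, WORM = 0.05, 2.0  # assumed hourly spread rates (illustrative)
    for name, rate in (("virus (human-propagated)", VIRUS),
                       ("worm (automated)", WORM)):
        half = hours_to_fraction(N, rate, 0.5)
        print(f"{name}: 50% of hosts infected after {half} hours")
        for resp in (1, 24, 240):   # response after 1 hour, 1 day, 10 days
            spared = hosts_spared(N, rate, resp)
            print(f"  response after {resp:>3} h spares {spared:,.0f} hosts")
```

Run stand-alone, it prints how many hosts each response time saves for each spread rate; with the assumed rates a 10-day response still protects a large share of hosts against the slow, human-propagated case and essentially none against the automated one, which is the reason the notes record response times dropping from days to minutes.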
- What do you think about Kazaa, which makes it possible to use computing cycles while you're downloading music?
  - ML: this is a serious, scary problem & you need to educate the public.
  - CERT hasn't yet given an advisory about it & there's debate about it. It's something they're concerned with, but how to say something so that the average home user.
  - It's like if you go buy appliances & put them in the kitchen, that's the end of the maintenance cycle; but most people don't know what the maintenance cycle should be on a home computer. -> JZ: isn't this all about a fundamental problem with how the Internet works & the appliances connected to it?
  - We can start building software that has a security component to it; that will help improve anything. -> But what else can we do? Does Congress need to pass some new law, etc.?
  - It's a global problem & legislation will only help the machines that live in the United States (suppose MS is required by law to make completely secure SW; then MS may incorporate in another country, or the price becomes so high, etc. Fine line between reasonable security & the law). Companies are learning that it's cheaper to build more secure SW from the beginning than to deal with the customer service.
- Are things basically OK, or will they be?
  - The Internet won't crash tomorrow. Though it's technically possible, there are enough people watching for it that they can disconnect the problem areas. You can take it out of service with very little effort if you know a few things (get a couple of backhoes & dig it up from under the RR tracks!).
  - What's your worst security nightmare? A zero-day threat from a nation state which tries to take down the Internet -> question of whether we can reboot the Internet. Half of ISPs think that after a massive power failure you could reboot it. We want the Internet to be segmented when things get bad... When the 2nd part of Code Red hit, it was an attack on the White House (4MB of data coming from 40,000 computers, but a list of calls to big ISPs to drop all emails to this address).

Did we answer our question of how scared we should be & if we are scared what should we do about it?

- We didn't really discuss attacks.
- Taxonomy of threats: propagation of a virus/worm that trashes data; attacks on specific servers (CD Universe example); DDoS attacks using the network to send traffic that was initially welcomed but en masse annoys -> huge slowdown; embedded elements of the Internet itself, i.e. attacking the routers themselves (telephone companies have discovered that they don't want the channel of control to be the same as the channel of communication, but the Internet uses the same channel, which creates an opportunity to do bad).
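The DDoS entry in the taxonomy (and the Code Red second phase above, where 40,000 hosts each sent a little traffic to one address) describes the detection problem from the defender's side: every source looks like an ordinary client, so a per-source limit sees nothing, and only aggregating by destination reveals the flood. The following is an added example, not from the notes; the one-line flow-log format, the sample addresses (documentation ranges) and the byte thresholds are all constructed for illustration.

```python
# Added example (not from the lecture notes): distinguishing a single loud
# client from a distributed flood by aggregating per destination and window.
# The flow-log format below is invented for this example:
#   "<unix_ts> <src_ip> -> <dst_ip> <bytes>"
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+) (\d+)$")


def parse_line(line):
    """Return (ts, src, dst, bytes) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, nbytes = m.groups()
    return int(ts), src, dst, int(nbytes)


def aggregate(lines, window=60):
    """Per (dst, window_start): total bytes and bytes broken down by source."""
    stats = defaultdict(lambda: {"bytes": 0, "by_src": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the monitor
        ts, src, dst, nbytes = rec
        key = (dst, ts - ts % window)
        stats[key]["bytes"] += nbytes
        stats[key]["by_src"][src] += nbytes
    return stats


def per_source_only(stats, src_bytes_limit):
    """What a per-source rate limit alone would flag (the naive approach)."""
    flagged = set()
    for s in stats.values():
        for src, b in s["by_src"].items():
            if b > src_bytes_limit:
                flagged.add(src)
    return flagged


def classify(stats, dst_bytes_limit, src_bytes_limit, min_sources):
    """Alert on windows where a destination exceeds its byte budget.

    A 'single-source' alert means one client is over the per-source limit
    (a per-source control would have caught it). A 'distributed' alert means
    no single client is loud, yet many clients together overwhelm the
    destination, which is the case the per-source check misses.
    """
    alerts = []
    for (dst, start), s in sorted(stats.items()):
        if s["bytes"] <= dst_bytes_limit:
            continue
        loud = sorted(src for src, b in s["by_src"].items() if b > src_bytes_limit)
        if loud:
            alerts.append(("single-source", dst, start, loud))
        elif len(s["by_src"]) >= min_sources:
            alerts.append(("distributed", dst, start, len(s["by_src"])))
    return alerts


def build_sample_log():
    """Constructed sample: quiet baseline, one loud client, then a flood
    from many clients that each stay under the per-source limit."""
    lines = []
    for i in range(5):  # window 0: five ordinary clients, 4 KB each
        lines.append(f"{10 + i} 192.0.2.{i + 1} -> 198.51.100.10 4000")
    lines.append("75 192.0.2.9 -> 198.51.100.10 90000")  # window 60: one loud client
    for i in range(150):  # window 120: 150 clients, 2 KB each = 300 KB
        lines.append(f"{125 + i % 50} 203.0.113.{i + 1} -> 198.51.100.10 2000")
    return lines


if __name__ == "__main__":
    stats = aggregate(build_sample_log())
    print("per-source limit alone flags:", per_source_only(stats, 20_000))
    for alert in classify(stats, 50_000, 20_000, 20):
        print("alert:", alert)
```

On the constructed log the per-source check flags only the one loud client, while the per-destination view also raises a "distributed" alert for the window in which 150 quiet clients together exceed the destination's budget. The same aggregation is what lets an operator decide to filter traffic to one destination upstream, which is the kind of call to the big ISPs the notes describe.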
Microsoft antitrust case

- 1994-1995: Consent decree & allocution with Judge Stanley Sporkin, which was rejected by the DC Circuit and sent to J. Jackson to rubber stamp it.
- 1997-1998: the contempt case (MS violating the consent decree by forcing OEMs to include IE if they wanted Windows 95 on the computer. This was deemed to be against the contract in the same way as forcing OEMs to take DOS was.) (This was in front of Jackson.)
- 1998: the contempt, contempt case: (MS letter to OEMs about the "legal issue" saying they can keep bundling if they want, & if they don't do it they need to delete certain files, which effectively makes the computer not work. J. Jackson hit the roof when he saw the letter & felt they'd questioned the judicial power of the US.) This all led to an argument of fact about how closely IE was tied to the computer & not.
- The current case: J. Jackson was reversed by the DC Circuit, which said this may be an integrated product & vacated his holding that they violated the contract, which means your order is out too. The DC Circuit even went so far as to basically say the government may just want to give it up. After that the government dropped the contract case & filed the current case. Forget the contract. Now just filing an action under the Sherman Anti-Trust Act: is requiring IE with Windows violative of the act?
  - Vertical leverage: the original case was about tying to get a monopoly over browsers, but now they're arguing this is monopoly maintenance to keep the Windows monopoly going. It ends up being all about Java.
  - J. Jackson agreed with all this & says you lose, break up, etc. MS appeals & they toss it back but take Jackson off the case, & now it's with a new DC District Judge. Govt decides to settle & so do most of the states.
- Why should we care about this at all?
  - Market reasons: monopolists overcharge.
  - Ripples in the architecture of cyberspace: there's such a benefit to compatibility that the next OS might be better, but if no one has it then it's really hard to change (QWERTY theory). It's the rut of path dependence. Anything that enhances this problem through bullying behavior is especially distrusted because it's already so hard to level the playing field.