7/31/2019 Dynamics of Insecurity TUM for Print
1/62
TuM, January 11, 2011
The Dynamics of Internet (In)Security
Prof. Dr. Bernhard Plattner, ETH Zürich, Switzerland
Acknowledgements: Dr. Stefan Frei, Secunia, Denmark; Gunter Ollmann, Damballa Inc., USA
-
NSHS08H8353226
Bernhard Plattner, Stefan Frei TuM, January 11, 2011 2
Motivation
Today, information technology has become a backbone of our industry and everyday life.
Still, security incidents threatening network operation, services or users happen every day.
-
The role of botnets
Botnet: a collection of hacked home or office computers, arranged into a controlled infrastructure
# of members: 10s to 100000s
Remotely controlled by its new owners: stealth command and control channels
Offered for rent to cybercriminals
Shared infrastructure: economies of scale
Service-based: scalable and elastic
Metered and paid according to usage
Embedded in the Internet
= Cloud computing for and by organized crime
-
How to become a botnet member: a multi-level process
(figure: stages from incoming attack to botnet membership, labelled from "anonymous" to "personal")
Incoming attack: "You're hacked!"
Attack support: external attacks, peer attacks, ID theft, local attacks
ID theft: starting point for all ID theft crimes; direct loss through illicit credit-card and bank transactions
Peer attacks: misuse of the social network to attack new targets (target population leverage)
Local attacks: misuse of physical proximity to attack new targets
Attack execution engine: direct use of resources to conduct attacks (SPAM, DoS, injection, virus spread, ...)
Malicious infrastructure: active part in support of infrastructure, hosting malware, proxying, ...
"You're a botnet member!"
-
Vulnerabilities
Vulnerability definition: refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity or availability of the system or the data and applications it hosts. (Many similar definitions exist.)
The vendor's position may be: "It's a feature, not a vulnerability! If you tell the public, we'll sue you!"
The security landscape is defined by vulnerabilities: they are the door-openers for attackers.
-
30000+ disclosures (CVEs) since 1996
(figure: vulnerability count per year)
http://cve.mitre.org/
-
Vendor - Vulnerabilities Distribution
Few vendors account for most vulnerabilities (figure: share of the Top-N vendors' vulnerabilities)
-
Top 10 Most Vulnerable Vendors
Well-known vendors of business-critical software consistently occupy the Top-10 group
In 2008 these vendors account for ~20% of the total vulnerabilities disclosed per year
Thus: everyone is affected, you can't hide!
-
Lifecycle of a Vulnerability
Method to measure the dynamics of (in)security; the exact sequence of events varies between vulnerabilities
-
Lifecycle Times
Lifecycle event   Remarks
Discovery         by whom? the good, the bad, the ugly (radical full disclosure)
Disclosure        by whom? coordinated disclosure? vendor/public taken by surprise?
Exploitation      through the bad
Patching          by vendor (originator); when is a patch available? when is it installed?
-
Risk Exposure
Pre-Disclosure Risk (exogenous): time from discovery to disclosure. Only a closed group is aware of the vulnerability; this group could be anyone from hackers and organized crime to responsible security researchers/vendors.
Post-Disclosure Risk (exogenous): time from disclosure to patch. The user waits for the vendor to issue a patch; the public is aware of this risk but has not yet received remediation from the vendor.
Post-Patch Risk (endogenous): the time from patch availability to patch installation.
-
Security Information Providers (SIP)
CERT (Computer Emergency Response Team, USA), www.cert.org, started before 1996
Secunia (Secunia, Denmark), www.secunia.com, since 2002
FrSirt (French Security Incident Response Team, France), www.frsirt.com, since 2004
IBM X-Force (IBM Internet Security Systems, USA), www.iss.net, since 1996
Securityfocus (Symantec, USA), www.securityfocus.com, since 1996
Our database comprises data about some 30000 vulnerabilities disclosed between 2000 and 2008
-
TuM, January 11, 2011
The Dynamics of Insecurity
-
From Discovery to Disclosure
Measure for pre-disclosure risk: 20% of vulns known to insiders 60 or more days before disclosure (less-than-zero-day).
(figure: cumulative share of vulnerabilities by discovery-to-disclosure time, with marks at 100%, 77% and 20%)
-
From Disclosure to Exploit
High dynamics at the disclosure date (zero-day): exploit availability jumps from 15% to 78% at disclosure. New exploits are readily assessed by advisory providers.
-
From Disclosure to Patch
Measure for post-disclosure risk: at disclosure, only ~45% of vulns have a patch; a month after disclosure, still 30% unpatched vulns.
-
Dynamics of (In)security
The difference between the exploit (red) and patch (green) curves shows a consistent imbalance in favor of insecurity.
The bad are consistently faster than the good.
Demonstrated need for security information (to manage risk until a patch is available).
-
Exploit and Patch Availability: Global Trends 2003-2007
Availability of exploits (after disclosure) increased steadily over the last few years: good for cybercriminals, bad for CIOs!
Availability of patches also increased, but exploit availability trumps patch availability.
-
How can we use such measurements?
Assess the performance of the industry developing commodity software (# of vulnerabilities, rate and timeliness of patches): of the industry as a whole, and of individual vendors
Assess the performance of organized crime (# of exploits)
Absolute values may not be so relevant, but yearly trends are of importance
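The lifecycle measurements of slides 17 to 26 (the three risk windows, the exploit and patch curves over days after disclosure, and the per-vendor indicators derived from them), written out as an added example; this is not code from the talk or from the Frei/Plattner study. The `Vuln` record, the `SAMPLE` rows and the observation date `AS_OF` are constructed placeholders, and the function names (`risk_windows`, `availability_at`, `insecurity_gap`, `zero_day_patch_share`, `unpatched_count`) are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

# Constructed sample records (hypothetical, NOT data from the study): one row per
# vulnerability with the lifecycle events the deck defines. None means the event has
# not happened yet (no exploit seen, no patch, patch not installed).
@dataclass(frozen=True)
class Vuln:
    vid: str
    vendor: str
    discovered: date
    disclosed: date
    exploit_available: Optional[date] = None
    patch_available: Optional[date] = None
    patch_installed: Optional[date] = None

AS_OF = date(2008, 12, 31)  # observation date used to close still-open windows

SAMPLE = [
    Vuln("V-001", "VendorA", date(2008, 1, 1), date(2008, 3, 10),
         date(2008, 3, 10), date(2008, 3, 10), date(2008, 4, 1)),
    Vuln("V-002", "VendorA", date(2008, 2, 5), date(2008, 2, 20),
         date(2008, 2, 25), date(2008, 3, 30), None),
    Vuln("V-003", "VendorB", date(2008, 4, 1), date(2008, 4, 2),
         None, date(2008, 5, 15), date(2008, 6, 1)),
    Vuln("V-004", "VendorB", date(2008, 1, 15), date(2008, 5, 1),
         date(2008, 5, 1), None, None),
    Vuln("V-005", "VendorA", date(2008, 6, 1), date(2008, 6, 1),
         date(2008, 6, 3), date(2008, 6, 1), date(2008, 6, 20)),
]


def risk_windows(v: Vuln, as_of: date = AS_OF) -> dict:
    """Length in days of the three exposure windows of the Risk Exposure slide.

    pre_disclosure  (exogenous):  discovery -> disclosure
    post_disclosure (exogenous):  disclosure -> patch available (or `as_of` if no patch yet)
    post_patch      (endogenous): patch available -> patch installed (or `as_of`)
    A window that cannot have started yet (no patch at all) has length 0.
    """
    pre = (v.disclosed - v.discovered).days
    post_disclosure = ((v.patch_available or as_of) - v.disclosed).days
    if v.patch_available is None:
        post_patch = 0
    else:
        post_patch = ((v.patch_installed or as_of) - v.patch_available).days
    return {
        "pre_disclosure": pre,
        "post_disclosure": post_disclosure,
        "post_patch": post_patch,
        # the deck's "less-than-zero-day": insiders knew 60 or more days before disclosure
        "less_than_zero_day": pre >= 60,
    }


def availability_at(vulns: Iterable[Vuln], event: str, days_after_disclosure: int) -> float:
    """Share of vulnerabilities for which `event` ("exploit" or "patch") was available no
    later than `days_after_disclosure` days after disclosure. Evaluated over a range of
    days this gives the exploit (red) and patch (green) curves; day 0 is the zero-day value.
    """
    field = {"exploit": "exploit_available", "patch": "patch_available"}[event]
    vulns = list(vulns)
    if not vulns:
        return 0.0
    cutoff = timedelta(days=days_after_disclosure)
    hits = sum(1 for v in vulns
               if getattr(v, field) is not None and getattr(v, field) <= v.disclosed + cutoff)
    return hits / len(vulns)


def insecurity_gap(vulns: Iterable[Vuln], days_after_disclosure: int) -> float:
    """Exploit curve minus patch curve: positive means the bad are faster than the good."""
    vulns = list(vulns)
    return (availability_at(vulns, "exploit", days_after_disclosure)
            - availability_at(vulns, "patch", days_after_disclosure))


def zero_day_patch_share(vulns: Iterable[Vuln], vendor: str) -> float:
    """Per-vendor QA indicator: share of the vendor's vulns patched on the disclosure day."""
    return availability_at([v for v in vulns if v.vendor == vendor], "patch", 0)


def unpatched_count(vulns: Iterable[Vuln], vendor: str, as_of: date = AS_OF) -> int:
    """Number of the vendor's disclosed vulnerabilities still without a patch on `as_of`."""
    return sum(1 for v in vulns
               if v.vendor == vendor and v.disclosed <= as_of
               and (v.patch_available is None or v.patch_available > as_of))


if __name__ == "__main__":
    for day in (0, 7, 30, 90):
        print(f"day {day:>3}: exploit {availability_at(SAMPLE, 'exploit', day):.0%}, "
              f"patch {availability_at(SAMPLE, 'patch', day):.0%}, "
              f"gap {insecurity_gap(SAMPLE, day):+.0%}")
    for vendor in ("VendorA", "VendorB"):
        print(vendor, f"0-day patch share {zero_day_patch_share(SAMPLE, vendor):.0%},",
              f"unpatched on {AS_OF}: {unpatched_count(SAMPLE, vendor)}")
```

Running the block prints the two curves at a few sample days and the two vendor indicators; with real advisory data the same functions, called for every day in a year, reproduce the curve pair and the yearly trend comparison the deck argues is the relevant quantity. Note that the post-patch window is the only one a user organisation controls, which is why the deck calls it endogenous.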
-
TuM, January 11, 2011
Can we assess the security-related QA processes of a software vendor?
-
Microsoft vs. Apple
0-day patch share between 40-80% (MS) and 0-70% (Apple); considerable variation within 5 years; correlation with the development of a new OS or service pack
-
0-Day Patch: Microsoft
(figure: 0-day patch share over time, series for 0 day / 30 days / 90 days / 180 days, with release markers:)
WinXP SP1 (2002-09-09)
WinSrv 2003 (2003-04-24)
WinXP SP2 (2004-08-06)
WinSrv 2003 SP1 (2005-03-30)
WinSrv 2003 R2 (2005-12-05)
Win Vista (2007-01-30)
WinSrv 2003 SP2 (2007-03-13)
-
0-Day Patch: Apple
(figure: 0-day patch share over time, series for 0 day / 30 days / 90 days / 180 days, with release markers:)
OS X 10.2 Jaguar (2002-08-02)
OS X 10.3 Panther (2003-10-24)
OS X 10.4 Tiger (2005-04-29)
iPhone (2007-06-29)
OS X 10.5 Leopard (2007-10-26)
-
# Unpatched Vulnerabilities: Apple vs. Microsoft
(figure: number of unpatched vulnerabilities over time, one panel each for Apple and Microsoft)
Trend: Apple increasing, Microsoft stable
-
What does this mean?
Microsoft seems to have a better security QA process in place than Apple
Patch development takes time (weeks to months)
To be able to produce a 0-day patch, a company needs advance notice about vulnerabilities
Good cooperation with the security community helps a lot!
What does it not mean?
Apple software is less secure than Microsoft software
-
Applying patches
Availability of patches at the 0-day is a good thing, but when are patches applied by users?
Difficult to find out: with user queries? Can we find out remotely?
Idea: mine the patch levels of web browsers, as seen in the net! Analyze server logs of highly frequented web servers.
-
Applying patches
Mining the logs of popular web servers may yield a lot of information about browser patch levels
-
Are web browsers security-critical?
Yes: increasingly targets of attacks
Complex programs lead to vulnerabilities
Extension mechanisms (plug-ins) embed functionality beyond the control of the browser manufacturer
Browsers are Internet-connected by design: possibility of remote exploitation of vulnerabilities
Lure user to visit a malicious server (spam, create a hot site)
Indirect infection with drive-by download via a compromised, highly frequented web server
-
Trustworthy web sites may infect users' browsers: 10s of thousands of unsuspecting users may be affected!
-
Browser vulnerabilities
Present in popular browser code
Present in extensions and plug-ins
Periodically fixed by patches and new versions
-
Research questions
Can we quantify the proportion of vulnerable browsers, where vulnerabilities are due to vulnerabilities in the browser code? Yes. Due to vulnerabilities in plug-ins? Not so far.
Are there differences between the various browsers used in the field (IE, Firefox, Opera, Safari)?
Can we give recommendations about how to make browsers more secure, considering the patch behavior of users?
-
Methodology
We mine the USER-AGENT strings logged by Google's search and application servers, each day between Jan 2007 and June 2008
We saw 75% of all worldwide users: unique global scope and significance
Only non-personally identifiable data used
The HTTP USER-AGENT header field identifies the browser version:
-
Methodology (cont'd)
Each browser counted once per host per day (Google cookie used as id tag)
Week-day statistics (week-end statistics differ)
Dynamics of major and minor version numbers
Correlation with Secunia's Personal Software Inspector data
-
Estimated # of daily users by browser type (in millions)
(figure: daily users per browser type)
Total: 1408 million
-
Upgrade dynamics: major versions
(figure: share of users on the latest major version over time; release dates marked: 2007-10-26, June 2006, Oct. 2006, Oct. 2006)
~832 million users use the latest major version
-
What is the most secure browser version available?
IE: the USER-AGENT string does not identify the patch level; differentiation only by major version (IE6 / IE7); IE6 not considered most secure
# of IE7 users with the latest patch installed extrapolated from Secunia data
Firefox, Safari, Opera: can be identified by patch level in the U-A string.
Only a browser with the latest patch installed is considered most secure
-
Estimated # of users not using the most secure browser version
(figure, in million users)
-
Share of the most secure browser version
(figure)
-
Results: The Insecurity Iceberg
-
What can be done?
One-click, fast, browser-internal auto-update (example: Firefox)
Perimeter URL filtering: all web requests from a company go through a managed proxy; URLs pointing to servers known as malicious are blocked; major vendors offer URL filtering information
"Best before" date: not just for yoghurt, but also for Internet applications; Internet services may warn or even block users of non-up-to-date applications
-
What can be done?
(figure: browser warns the user that it is outdated)
-
What can be done?
(figure: web service will not serve outdated browsers)
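The measurement method of the Methodology slides (parse the User-Agent string, count each browser once per host per day, classify it against the most secure version, with IE judged by major version only) and the "best before date" check that the "What can be done?" slides propose share the same parser, so both are shown in one added example. This is not code from the study or from Google; the `LATEST` and `FLOOR` tables, the User-Agent strings and the `LOG` records are constructed placeholders, and the function names (`parse_user_agent`, `daily_counts`, `insecure_share`, `serving_policy`) are hypothetical.

```python
import re
from collections import defaultdict

# Constructed "most secure" (latest patch level) table: PLACEHOLDER values, not the 2008
# figures of the study. In practice it is maintained from vendor release data. IE's UA
# string carries only the major version, so IE can only be judged by major version
# (IE7 yes, IE6 no); the share of fully patched IE7 users must come from other data,
# as the deck does with Secunia PSI data.
LATEST = {"Firefox": "2.0.0.14", "Safari": "3.1.1", "Opera": "9.27", "MSIE": "7"}

# Hard floor below which a service applying the "best before date" idea refuses to
# serve the browser (constructed values); between FLOOR and LATEST it only warns.
FLOOR = {"Firefox": "2.0", "Safari": "3.0", "Opera": "9.0", "MSIE": "7"}

# Order matters: Opera in compatibility mode also says "MSIE", and Safari's version
# sits in the "Version/x.y.z" token, not behind "Safari/".
PATTERNS = [
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Opera",   re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Safari",  re.compile(r"Version/(\d+(?:\.\d+)*).*\bSafari/")),
    ("MSIE",    re.compile(r"MSIE (\d+)")),
]

# Constructed User-Agent strings in the 2008-era format (sample input, not logged data).
FIREFOX_OLD = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"
FIREFOX_NEW = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14"
IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
IE7 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"
SAFARI_NEW = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18.1 "
              "(KHTML, like Gecko) Version/3.1.1 Safari/525.20")
OPERA_OLD = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.25"

# Constructed log records: (day, cookie id used as the host tag, User-Agent).
LOG = [
    ("2008-06-02", "c1", FIREFOX_OLD),
    ("2008-06-02", "c1", FIREFOX_OLD),    # same host, same day: counted once
    ("2008-06-02", "c2", FIREFOX_NEW),
    ("2008-06-02", "c3", IE6),
    ("2008-06-02", "c4", IE7),
    ("2008-06-02", "c5", SAFARI_NEW),
    ("2008-06-02", "c6", OPERA_OLD),
    ("2008-06-02", "c7", "curl/7.18.0"),  # untracked client: ignored
    ("2008-06-03", "c1", FIREFOX_NEW),    # host c1 upgraded: counted again on the new day
]


def parse_user_agent(ua):
    """Return (family, version) for the four tracked browsers, or None for anything else."""
    for family, pattern in PATTERNS:
        m = pattern.search(ua)
        if m:
            return family, m.group(1)
    return None


def version_key(version):
    """Dotted version string -> tuple of ints, so that 2.0.0.9 < 2.0.0.14."""
    return tuple(int(part) for part in version.split("."))


def is_most_secure(family, version):
    return version_key(version) >= version_key(LATEST[family])


def daily_counts(log):
    """{day: {family: {"secure": n, "insecure": n}}}, each browser counted once per host per day."""
    seen = set()
    counts = defaultdict(lambda: defaultdict(lambda: {"secure": 0, "insecure": 0}))
    for day, host, ua in log:
        parsed = parse_user_agent(ua)
        if parsed is None:
            continue
        family, version = parsed
        if (day, host, family) in seen:
            continue
        seen.add((day, host, family))
        bucket = "secure" if is_most_secure(family, version) else "insecure"
        counts[day][family][bucket] += 1
    return counts


def insecure_share(counts, day):
    """Share of tracked browsers on `day` not running the most secure version (the visible tip of the iceberg)."""
    secure = sum(b["secure"] for b in counts[day].values())
    insecure = sum(b["insecure"] for b in counts[day].values())
    total = secure + insecure
    return insecure / total if total else 0.0


def serving_policy(ua):
    """'Best before date' decision of a web service: serve, warn, or block.
    Unknown clients are served, because their patch level cannot be judged."""
    parsed = parse_user_agent(ua)
    if parsed is None:
        return "serve"
    family, version = parsed
    if version_key(version) < version_key(FLOOR[family]):
        return "block"
    if not is_most_secure(family, version):
        return "warn"
    return "serve"


if __name__ == "__main__":
    counts = daily_counts(LOG)
    for day in sorted(counts):
        print(day, dict(counts[day]), f"insecure share {insecure_share(counts, day):.0%}")
    for ua in (FIREFOX_OLD, IE6, SAFARI_NEW, "curl/7.18.0"):
        print(serving_policy(ua), "<-", ua[:40])
```

The per-(day, host, browser) deduplication is what turns request logs into user counts, and it is also why the study needs a cookie rather than an IP address as host tag: a proxy would otherwise collapse thousands of hosts into one. The same parser that measures the insecure share is what a service would run to warn or refuse; a client whose User-Agent gives no version information has to be served, since the check can only be as precise as the string, exactly the limitation the deck notes for IE.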
-
Conclusions
Browser-related security problems are a serious threat, now quantified: many compromised servers (drive-by downloads); more than 600 million vulnerable browser instances (tip of the iceberg, visible)
A problem-conscious industry could counter this threat by better software and update process design, by rendering the user aware of the problem, and by auxiliary measures (URL filtering)
Vulnerabilities due to extensions and plug-ins are below the water line, not visible, their effect not quantified
-
Cybercrime
Cybercrime landscape: professional, well organized; operates internationally, with a sophisticated division of labor; its operation results in huge collateral damages
Botnets are the cybercriminals' primary infrastructure
Cybercriminals are in constant need of new vulnerabilities, and ready to pay for them!
Web browsers are vulnerable and are the main entrance door for attackers. One vulnerability is enough to build a botnet!
-
Cyberwarfare: the world's next top threat
Attack on Estonia's IT infrastructure (2007)
-
Cyberwarfare: the world's next top threat
Stuxnet has the potential of attacking critical infrastructures, even if their control systems are not connected to the Internet
-
Cyberwarfare: the world's next top threat
Wikileaks: Operation Payback
-
Cyberwarfare: the world's next top threat
Download your own high-tech weapon (figure)
-
Cyberwarfare: the world's next top threat
... and the handbook (figure)
-
From a bird's eye view
Innovation lifecycle: we're still in a very early stage of adopting Internet technologies
Processes are still evolving; we're learning from each other, as a society, as an industry, and as customers
(figure: timeline from the invention of cars, with marks at +40 years and +100 years: seat belts, airbags, crumple zones, ABS, insurance, traffic management, certification, driver's license; "high tech by then")
-
TuM, January 11, 2011
To probe further
Detailed white paper available at www.techzoom.net/risk; related publication in ACM CCR
Newest white paper compares Firefox, Chrome, Safari, Opera
-
Thank you for your attention!