dynamics of insecurity tum for print

Upload: dannilosilva

Post on 05-Apr-2018


  • 7/31/2019 Dynamics of Insecurity TUM for Print

    1/62

    TuM, January 11, 2011

    The Dynamics of Internet (In)Security

    Prof. Dr. Bernhard Plattner, ETH Zürich, Switzerland

    Acknowledgements: Dr. Stefan Frei, Secunia, Denmark; Gunter Ollmann, Damballa Inc., USA

    2/62

    NSHS08H8353226

    Bernhard Plattner, Stefan Frei TuM, January 11, 2011 2

    Motivation

    Today, information technology has become a backbone of our industry and everyday life
    Still, security incidents threatening network operation, services or users happen every day

    8/62

    The role of botnets

    Botnet: a collection of hacked home or office computers, arranged into a controlled infrastructure
    # of members: 10s to 100,000s
    Remotely controlled by its new owners: stealth command and control channels
    Offered for rent to cybercriminals
    Shared infrastructure: economies of scale
    Service-based: scalable and elastic
    Metered and paid according to usage
    Embedded in the Internet

    Cloud computing for and by organized crime

    9/62

    How to become a botnet member: a multi-level process

    (Diagram.) An incoming attack reaches the victim along one of three paths (diagram axis labelled anonymous .. personal): external attacks, peer attacks, local attacks. "You're hacked!" The compromised machine is then used in four roles:

    ID theft: starting point for all ID theft crimes; direct loss through illicit credit-card and bank transactions
    Attack support: misuse of the social network to attack new targets (target population leverage); misuse of physical proximity to attack new targets
    Attack execution engine: direct use of resources to conduct attacks (spam, DoS, injection, virus spread, ..)
    Malicious infrastructure: active part in support of infrastructure, hosting malware, proxying, ..

    "You're a botnet member!"

    11/62

    Vulnerabilities

    Vulnerability definition: refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity or availability of the system or of the data and applications it hosts. Many similar definitions exist.
    The vendor's position may be: "It's a feature, not a vulnerability!" or "If you tell the public, we'll sue you!"
    The security landscape is defined by vulnerabilities: they are the door-openers for attackers

    12/62

    30000+ disclosures (CVEs) since 1996 ..
    Vulnerability count .. (chart)
    http://cve.mitre.org/
    13/62

    Vendor - Vulnerabilities Distribution

    Few vendors account for most vulnerabilities (chart: share of Top-N vendors' vulnerabilities)

    14/62

    Top 10 Most Vulnerable Vendors

    Well-known vendors of business-critical software consistently occupy the Top-10 group
    In 2008 these vendors account for ~20% of the total vulnerabilities disclosed per year
    Thus: everyone is affected, you can't hide!

    15/62

    Lifecycle of a Vulnerability

    Method to measure the dynamics of (in)security; the exact sequence of events varies between vulnerabilities

    16/62

    Lifecycle Times

    Lifecycle event   Remarks
    Discovery         by whom? the good, the bad, the ugly (radical full disclosure)
    Disclosure        by whom? coordinated disclosure? vendor/public taken by surprise?
    Exploitation      through the bad
    Patching          by vendor (originator): when is a patch available? when is it installed?

    17/62

    Risk Exposure

    Pre-Disclosure Risk (exogenous): time from discovery to disclosure. Only a closed group is aware of the vulnerability; this group could be anyone from hackers and organized crime to responsible security researchers/vendors.
    Post-Disclosure Risk (exogenous): time from disclosure to patch. The user waits for the vendor to issue a patch; the public is aware of this risk but has not yet received remediation from the vendor.
    Post-Patch Risk (endogenous): the time from patch availability to patch installation.

    19/62

    Security Information Providers (SIP)

    CERT (Computer Emergency Response Team, USA), www.cert.org, started before 1996
    Secunia (Secunia, Denmark), www.secunia.com, since 2002
    FrSirt (French Security Incident Response Team, France), www.frsirt.com, since 2004
    IBM X-Force (IBM Internet Security Systems, USA), www.iss.net, since 1996
    Securityfocus (Symantec, USA), www.securityfocus.com, since 1996

    Our database comprises data about some 30000 vulnerabilities disclosed between 2000 and 2008
    20/62

    TuM, January 11, 2011

    The Dynamics of Insecurity

    21/62

    From Discovery to Disclosure

    Measure for pre-disclosure risk: 20% of vulns known to insiders 60 or more days before disclosure (less-than-zero-day).
    (Chart; marks at 100%, 77% and 20%.)

    22/62

    From Disclosure to Exploit

    High dynamics at the disclosure date (zero-day)
    Exploit availability jumps from 15% to 78% at disclosure
    New exploits are readily assessed by advisory providers

    23/62

    From Disclosure to Patch

    Measure for post-disclosure risk
    At disclosure, only ~45% of vulns have a patch
    A month after disclosure, still 30% unpatched vulns

    24/62

    Dynamics of (In)security

    Difference between the exploit (red) and patch (green) curves shows a consistent imbalance in favor of insecurity
    The bad are consistently faster than the good
    Demonstrated need for security information (to manage risk until a patch is available)

    25/62

    Exploit and Patch availability: Global Trends 2003-2007

    Availability of exploits (after disclosure) increased steadily over the last few years: good for cybercriminals, bad for CIOs!
    Availability of patches also increased, but exploit availability trumps patch availability

    26/62

    How can we use such measurements?

    Assess the performance of the industry developing commodity software (# of vulnerabilities, rate and timeliness of patches)
      of the industry as a whole
      of individual vendors
    Assess the performance of organized crime (# of exploits)
    Absolute values may not be so relevant, but yearly trends are of importance
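    As an added illustration of the lifecycle measurements on the preceding slides (this is not the authors' code or data; the vulnerability records are constructed and the ids are not CVEs), the following computes the pre-disclosure lead, the exploit and patch availability curves around the disclosure date, the three risk-exposure windows, and the per-vendor 0-day patch share that underlies the vendor comparison which follows:

```python
"""Vulnerability lifecycle metrics of the kind reported in the talk.

Added example, not code from the talk or from the Secunia/ETH database.
The records below are constructed (the ids are not CVEs); the functions
compute the quantities the slides describe: pre-disclosure lead time,
exploit and patch availability relative to disclosure, the three
risk-exposure windows and the per-vendor 0-day patch share.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    vid: str                    # constructed identifier, not a CVE id
    vendor: str
    discovered: Optional[date]  # first known to anyone; None = unknown
    disclosed: date             # public disclosure, the "0-day" of the slides
    exploit: Optional[date]     # first exploit seen; None = none known
    patch: Optional[date]       # vendor patch available; None = unpatched


# Constructed sample, chosen to cover each case (2008 is a leap year).
SAMPLE = [
    Vuln("V-1", "VendorA", date(2008, 1, 1),  date(2008, 3, 15), date(2008, 3, 15), date(2008, 3, 15)),
    Vuln("V-2", "VendorA", None,              date(2008, 4, 2),  date(2008, 4, 20), date(2008, 5, 30)),
    Vuln("V-3", "VendorA", date(2008, 5, 1),  date(2008, 5, 10), None,              date(2008, 5, 10)),
    Vuln("V-4", "VendorB", date(2007, 11, 1), date(2008, 2, 1),  date(2008, 1, 20), None),
    Vuln("V-5", "VendorB", date(2008, 6, 1),  date(2008, 6, 3),  date(2008, 6, 3),  date(2008, 7, 20)),
    Vuln("V-6", "VendorB", None,              date(2008, 8, 8),  date(2008, 8, 30), date(2008, 8, 8)),
]


def days_after_disclosure(v, event):
    """Position of `event` on the lifecycle axis: 0 = disclosure, negative = before."""
    return None if event is None else (event - v.disclosed).days


def less_than_zero_day_share(vulns, lead_days=60):
    """Pre-disclosure risk: share of vulns (with a known discovery date) that
    insiders knew at least `lead_days` before disclosure."""
    known = [v for v in vulns if v.discovered is not None]
    early = [v for v in known if (v.disclosed - v.discovered).days >= lead_days]
    return len(early) / len(known) if known else 0.0


def availability_at(vulns, event, day):
    """Fraction of vulns whose `event` ('exploit' or 'patch') has happened by
    disclosure + `day` days; day=0 is the disclosure date itself."""
    hits = 0
    for v in vulns:
        d = days_after_disclosure(v, getattr(v, event))
        if d is not None and d <= day:
            hits += 1
    return hits / len(vulns) if vulns else 0.0


def curve(vulns, event, days=(-30, 0, 7, 30, 90)):
    """Points of the exploit or patch availability curve shown on the slides."""
    return {d: availability_at(vulns, event, d) for d in days}


def exposure_windows(v, installed=None):
    """The three intervals of the 'Risk Exposure' slide, in days; None where
    the closing event is unknown or has not happened."""
    pre = None if v.discovered is None else (v.disclosed - v.discovered).days
    post_disc = None if v.patch is None else max(0, (v.patch - v.disclosed).days)
    post_patch = (None if v.patch is None or installed is None
                  else (installed - v.patch).days)
    return {"pre_disclosure": pre, "post_disclosure": post_disc, "post_patch": post_patch}


def zero_day_patch_share_by_vendor(vulns):
    """Share of each vendor's vulns that had a patch on the disclosure date:
    the per-vendor measure behind the Microsoft vs. Apple comparison."""
    return {
        vendor: availability_at([v for v in vulns if v.vendor == vendor], "patch", 0)
        for vendor in sorted({v.vendor for v in vulns})
    }


if __name__ == "__main__":
    print("known >=60 days before disclosure:", less_than_zero_day_share(SAMPLE))
    print("exploit curve:", curve(SAMPLE, "exploit"))
    print("patch curve:  ", curve(SAMPLE, "patch"))
    print("0-day patch share by vendor:", zero_day_patch_share_by_vendor(SAMPLE))
    print("V-2 windows:", exposure_windows(SAMPLE[1], installed=date(2008, 6, 15)))
```

    On the constructed sample the exploit curve already sits at 50% on the disclosure day (one exploit circulated before disclosure), while the patch curve stays at 50% for a month; the gap between the two curves is exactly the imbalance the slides describe. The post-patch window is the only one the user controls, which is why the second half of the talk measures it.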

    27/62

    TuM, January 11, 2011

    Can we assess the security-related QA processes of a software vendor?

    29/62

    Microsoft vs. Apple

    0-day patch share between 40-80% (MS) and 0-70% (Apple)
    Considerable variation within 5 years
    Correlation with development of new OS or service pack

    30/62

    0-Day Patch: Microsoft

    (Chart of patch timing over time; patch-delay bands 0 day, 30 days, 90 days, 180 days; release markers: WinXP SP1 (2002-09-09), WinSrv 2003 (2003-04-24), WinXP SP2 (2004-08-06), WinSrv 2003 SP1 (2005-03-30), WinSrv 2003 R2 (2005-12-05), Win Vista (2007-01-30), WinSrv 2003 SP2 (2007-03-13).)

    31/62

    0-Day Patch: Apple

    (Chart of patch timing over time; patch-delay bands 0 day, 30 days, 90 days, 180 days; release markers: OS X 10.2 Jaguar (2002-08-02), OS X 10.3 Panther (2003-10-24), OS X 10.4 Tiger (2005-04-29), iPhone (2007-06-29), OS X 10.5 Leopard (2007-10-26).)

    32/62

    #Unpatched Vulnerabilities: Apple vs. Microsoft

    (Chart: number of unpatched vulnerabilities over time, Apple vs. Microsoft.)
    Trend: Apple increasing, Microsoft stable

    33/62

    What does this mean?

    Microsoft seems to have a better security QA process in place than Apple
    Patch development takes time (weeks-months)
    To be able to produce a 0-day patch, a company needs advance notice about vulnerabilities
    Good cooperation with the security community helps a lot!

    What does it not mean?

    Apple software is less secure than Microsoft software

    34/62

    Applying patches

    Availability of patches at the 0-day is a good thing, but when are patches applied by users?
    Difficult to find out. With user queries?
    Can we find out remotely?
    Idea: mine the patch levels of web browsers, as seen in the net! Analyze server logs of highly frequented web servers

    35/62

    Applying patches

    Mining the logs of popular webservers may yield a lot of information about browser patch levels

    36/62

    Are web browsers security-critical?

    Yes: increasingly targets of attacks
    Complex programs lead to vulnerabilities
    Extension mechanisms (plug-ins) embed functionality beyond control of the browser manufacturer
    Browsers are Internet-connected by design
    Possibility of remote exploitation of vulnerabilities
      Lure user to visit a malicious server (spam, create a hot site)
      Indirect infection with drive-by download via compromised highly frequented web server

    37/62

    Trustworthy web sites may infect users' browsers: 10s of thousands of unsuspecting users may be affected!

    38/62

    Browser vulnerabilities

    Present in popular browser code

    Present in extensions and plug-ins

    Periodically fixed by patches and new versions

    39/62

    Research questions

    Can we quantify the proportion of vulnerable browsers, where vulnerabilities are
      due to vulnerabilities in the browser code? Yes.
      due to vulnerabilities in plug-ins? Not so far.
    Are there differences between the various browsers used in the field (IE, Firefox, Opera, Safari)?
    Can we give recommendations about how to make browsers more secure, considering the patch behavior of users?

    40/62

    Methodology

    We mine the USER-AGENT strings logged by Google's search and application servers, each day between Jan 2007 and June 2008
    We saw 75% of all worldwide users: unique global scope and significance
    Only non-personally identifiable data used
    The HTTP USER-AGENT header field identifies the browser version:

    42/62

    Methodology cont'd

    Each browser counted once per host per day (Google cookie used as id tag)
    Week-day statistics (week-end statistics differ)
    Dynamics of major and minor version numbers
    Correlation with Secunia's Personal Software Inspector data

    43/62

    Estimated # of daily users by browser type (in millions)

    (Chart.) Total: 1408 million

    44/62

    Upgrade dynamics: major versions

    (Chart of major-version shares over time; release dates of the latest major versions marked: 2007-10-26, June 2006, Oct. 2006, Oct. 2006.)
    ~832 million users use the latest major version

    45/62

    What is the most secure browser version available?

    IE: the USER-AGENT string does not identify the patch level; differentiation only by major version (IE6 / IE7). IE6 not considered most secure.
      # of IE7 users with latest patch installed extrapolated from Secunia data
    Firefox, Safari, Opera: can be identified by patch level in the U-A string.
    Only a browser with the latest patch installed is considered most secure

    46/62

    Estimated # of users not using the most secure browser version [million users]

    (Chart.)

    47/62

    Share of the most secure browser version

    (Chart.)

    48/62

    Results: The Insecurity Iceberg

    49/62

    What can be done?

    One-click, fast, browser-internal auto-update (example: Firefox)
    Perimeter URL filtering: all web requests from a company go through a managed proxy; URLs pointing to servers known as malicious are blocked; major vendors offer URL filtering information
    "Best before" date: not just for yoghurt, but also for Internet applications; Internet services may warn or even block users of non-up-to-date applications

    50/62

    What can be done?

    51/62

    What can be done?

    Browser warns user that it is outdated

    52/62

    What can be done?

    Web service will not serve outdated browsers (screenshot)
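    The log-mining method of the Methodology slides and the "warn or block outdated browsers" countermeasure of the last slides, as one added example (this is not the study's code or Google's log pipeline; the log lines, cookie ids and the LATEST table of "most secure" versions are constructed assumptions). It shows why Firefox, Opera and Safari can be classified down to the patch level from the User-Agent while IE cannot, applies the once-per-host-per-day counting rule, and goes one step beyond the slides by handling Opera's IE-compatible User-Agent, which would otherwise be counted as Internet Explorer:

```python
"""Browser patch levels from HTTP User-Agent strings, plus an outdated-browser gate.

Added example, not the study's code or Google's log pipeline: the log lines,
cookie ids and the LATEST table are constructed assumptions.
"""
import re
from collections import Counter

# Assumed "most secure version" per browser at the time of the sample.
# For IE only the major version is visible in the User-Agent.
LATEST = {"Firefox": "2.0.0.14", "Opera": "9.27", "Safari": "3.1.1", "MSIE": "7"}

# Opera is checked first: in its IE-compatible mode its UA also contains
# "MSIE x.y" and would otherwise be misclassified as Internet Explorer.
PATTERNS = [
    ("Opera",   re.compile(r"Opera[/ ](\d+\.\d+)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari",  re.compile(r"Version/(\d+(?:\.\d+)*) Safari/")),
    ("MSIE",    re.compile(r"MSIE (\d+)\.\d+")),  # major version only
]


def vtuple(version):
    """'2.0.0.14' -> (2, 0, 0, 14), so versions compare numerically."""
    return tuple(int(x) for x in version.split("."))


def classify(ua):
    """Return (browser, version, status), status in {'latest', 'outdated',
    'unknown'}. An IE of the latest major version is 'unknown', not 'latest':
    its UA does not say whether the latest patch is installed."""
    for name, rx in PATTERNS:
        m = rx.search(ua)
        if not m:
            continue
        ver = m.group(1)
        if name == "MSIE":
            status = "outdated" if vtuple(ver) < vtuple(LATEST[name]) else "unknown"
        else:
            status = "latest" if vtuple(ver) >= vtuple(LATEST[name]) else "outdated"
        return name, ver, status
    return "other", "", "unknown"


# Constructed log excerpt: day <TAB> cookie id <TAB> User-Agent.
LOG = """\
2008-06-02\tc1\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
2008-06-02\tc1\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
2008-06-02\tc2\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12
2008-06-02\tc3\tMozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
2008-06-02\tc4\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
2008-06-02\tc5\tOpera/9.27 (Windows NT 5.1; U; en)
2008-06-02\tc6\tMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.25
2008-06-02\tc7\tMozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18.1 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
2008-06-03\tc1\tMozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
"""


def daily_status_counts(log_text):
    """Count each (cookie, day) pair once, the study's 'once per host per
    day' rule; repeated requests from one host do not inflate the counts."""
    seen, counts = set(), Counter()
    for line in log_text.splitlines():
        day, cookie, ua = line.split("\t", 2)
        if (cookie, day) in seen:
            continue
        seen.add((cookie, day))
        browser, _, status = classify(ua)
        counts[(browser, status)] += 1
    return counts


def insecure_share(counts):
    """Outdated share among browsers whose patch level is visible in the UA.
    'unknown' (IE7) is left out; the study filled that gap with Secunia data."""
    outdated = sum(n for (_, s), n in counts.items() if s == "outdated")
    latest = sum(n for (_, s), n in counts.items() if s == "latest")
    return outdated / (outdated + latest) if outdated + latest else 0.0


def gate(ua):
    """Server-side policy: 'serve' the latest version, 'warn' on an outdated
    patch level, 'block' an outdated major version; a UA that hides the patch
    level cannot be judged and is served."""
    browser, ver, status = classify(ua)
    if status != "outdated":
        return "serve"
    return "block" if vtuple(ver)[0] < vtuple(LATEST[browser])[0] else "warn"


if __name__ == "__main__":
    counts = daily_status_counts(LOG)
    for (browser, status), n in sorted(counts.items()):
        print(f"{browser:8s} {status:9s} {n}")
    print("insecure share:", round(insecure_share(counts), 3))
    print(gate("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"))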

    53/62

    Conclusions

    Browser-related security problems are a serious threat, now quantified
      Many compromised servers, drive-by downloads
      More than 600 million vulnerable browser instances: tip of the iceberg, visible
    A problem-conscious industry could counter this threat by
      better software and update process design
      rendering the user aware of the problem
      auxiliary measures (URL filtering)
    Vulnerabilities due to extensions and plug-ins are below the water line, not visible, their effect not quantified

    54/62

    Cybercrime

    Cybercrime landscape: professional, well organized
      operates internationally, with sophisticated division of labor
      operations result in huge collateral damages
    Botnets .. are the cybercriminals' primary infrastructure
    Cybercriminals are in constant need of new vulnerabilities - and ready to pay for them!
    Web browsers are vulnerable and are the main entrance door for attackers. One vulnerability is enough to build a botnet!

    55/62

    Cyberwarfare: the world's next top threat

    Attack on Estonia's IT infrastructure (2007)

    56/62

    Cyberwarfare: the world's next top threat

    Stuxnet has the potential of attacking critical infrastructures, even if their control systems are not connected to the Internet

    57/62

    Cyberwarfare: the world's next top threat

    Wikileaks: Operation payback

    58/62

    Cyberwarfare: the world's next top threat

    Download your own high-tech weapon

    59/62

    Cyberwarfare: the world's next top threat

    .. and the handbook

    60/62

    From a bird's eye view

    Innovation lifecycle: we're still in a very early stage of adopting Internet technologies
    Processes are still evolving; we're learning from each other, as a society, industry, and as customers

    (Timeline: invention of cars, then +40 years and +100 years later; "high tech by then": seat belts, airbags, crumple zones, ABS, insurance, traffic management, certification, driver's license.)

    61/62

    TuM, January 11, 2011

    To probe further

    Detailed White Paper is available atwww.techzoom.net/risk, related pub in ACM-CCR

    Newest white paper compares Firefox, Chrome, Safari,Opera

    http://www.techzoom.net/riskhttp://www.techzoom.net/risk
    62/62

    Thank you for your attention!