TRANSCRIPT
Security Basics Seminar Agenda
Start Time  Title                                             Presenter
8:30 AM     Introduction                                      Hugh Thompson
8:45 AM     Security Industry and Trends                      Hugh Thompson
9:30 AM     Viruses, Malware and Threats                      Uri Rivner
10:15 AM    Break
10:30 AM    Governance, Risk and Compliance                   Justin Peavey
11:15 AM    Application Security                              Jason Rouse
12:00 PM    Break
1:15 PM     Crypto 101/Encryption Basics, SSL & Certificates  Ben Jun
2:00 PM     Mobile and Network Security                       Paul Youn, Marc Blanchou
2:45 PM     Break
3:00 PM     Authentication Technologies                       Bill Duane
3:45 PM     Firewalls and Perimeter Protection                Bill Cheswick
4:30 PM     Seminar Adjourns
Session ID: SEM-001
Session Classification: Introductory
Introduction and a look at Security Trends
Hugh Thompson, Ph.D., Program Committee Chairman, RSA Conference. Twitter: @DrHughThompson
Agenda
Intro to Information Security
Security Trends
Business of Information Security
www.plateaueffect.com
Background
Intro to Information Security
Hacking a soda machine…
             Bahamas 10¢     US 25¢
Value        US $0.10        US $0.25
Size         23.5 mm         24.26 mm
Weight       5.7 g           5.67 g
Composition  Nickel          Cupro-Nickel
The Shifting IT Environment (…or why security has become so important)
► The business has to adhere to regulations, guidelines, standards, …
► SAS 112 and SOX (U.S.) – have upped the ante on financial audits (and supporting IT systems)
► PCI DSS – requirements on companies that process payment cards
► HIPAA, GLBA, BASEL II, …, many more
► Audits are changing the economics of risk and create an “impending event”: hackers may attack you, but auditors will show up
► Disclosure laws mean that the consequences of failure have increased
► Waves of disclosure legislation
Shift: Compliance and Consequences
• System communication is fundamentally changing – many transactions occur over the web
• Network defenses are covering a shrinking portion of the attack surface
• Cloud is changing our notion of a perimeter
• Worker mobility is redefining the IT landscape
• The security model has changed from good people vs. bad people to enabling partial trust
  – There are more “levels” of access: Extranets, partner access, customer access, identity management, …
Shift: Technology
► Cyber criminals are becoming organized and profit-driven
► An entire underground economy exists to support cybercrime
► Attackers are shifting their methods to exploit both technical and human weaknesses
► Attackers are after much more than traditional monetizable data (PII, etc.)
► Hacktivism
► State-sponsored attacks
► IP attacks/breaches
Shift: Attackers
► Customers, especially businesses, are starting to use security as a discriminator
► In many ways security has become a non-negotiable expectation of businesses
► Banks, photocopiers, pens, etc. are being sold based on security…
► Security being woven into service level agreements (SLAs)
Shift: Customer expectations
► How do you communicate the value of security to the enterprise (and management)?
► How do you measure security?
► How do you rank risks?
► How do you reconcile security and compliance?
► How can you be proactive and not reactive?
► What does “security” mean? Where does our job begin and end?
► What about big issues in the news like APTs, hacktivism, leaks, DDoS attacks, …? How should/can we adapt what we do based on them?
Big Questions
The Economics of Security
Hackernomics (noun)
A social science concerned chiefly with description and analysis of attacker motivations, economics, and business risk. Characterized by 5 fundamental immutable laws and 4 corollaries.
Law 1
Most attackers aren’t evil or insane; they just want something
Corollary 1.a.:
We don’t have the budget to protect against evil people but we can protect against people that will look for weaker targets
Law 2
Security isn’t about security. It’s about mitigating risk at some cost.
Corollary 2.a.:
In the absence of metrics, we tend to over focus on risks that are either familiar or recent.
Law 3
Most costly breaches come from simple failures, not from attacker ingenuity
Corollary 3.a.:
Bad guys can, however, be VERY creative if properly incentivized.
Law 4
In the absence of security education or experience, people (employees, users, customers, …) naturally make poor security decisions with technology
Corollary 4.a.: Systems need to be easy to use securely and difficult to use insecurely
Law 5
Attackers usually don’t get in by cracking some impenetrable security control; they look for weak points like trusting employees
A Visual Journey of Security Trends
[Image slides covering 2008, 2009, 2010, 2011, 2012 and 2013]
Enjoy the rest of the conference!!
Session ID: SEM-001
Session Classification: General Interest
Uri Rivner | Head of Cyber Strategy, BioCatch
Advanced Cyber Threats
Join the Dark Economy
[Diagram: Fraud ecosystem] Actors: harvesting fraudster and cash-out fraudster. Communication: fraud forum / chat room, user account. Technical infrastructure: tools, hosting, delivery. Operational infrastructure: mules, drops, monetizing.
Gaining Credibility
Crimeware you can Afford
Sinowal (proprietary), launched 2006
Your Online Banking Password… And then some more.
Drive By Download still strong
Social Network Infection
Infection Services Are Your Friends
2.3 Cents per Hijacked PC
Seeing is Believing
ZeusiLeaks
Zeus 2.0: Most popular Trojan Kit ($3,000)
Zeus 2.0 features: Polymorphism, HTML injections, MITB (man-in-the-browser) capability, Documentation, Customer support
Trojan Infrastructure
Infection / Update, Drop Zone, Command & Control
Personal/Work Mix
The Executive Assistant
Foreign space agency
Particle Accelerator
The Treasurer
Laser Focused Trojans
Lost your Carbon? NimKey Trojan
Nimkey Command & Control
€23,000,000
€18,700,000 €7,000,000
Humans can’t be Patched
Advanced Persistent Threats: See anything in common?
Attack        Targets                                                                             Entry Vector    Going After
Ghostnet      Ministries, Embassies, Office of Dalai Lama                                         Spear phishing  Sensitive documents
Aurora        34 companies: Google, Adobe, defense, internet, financial, critical infrastructure  Spear phishing  Intellectual property
Night Dragon  Critical infrastructure                                                             Spear phishing  Intellectual property
94% of attacks undetected by target
Advanced Persistent Threats: What’s New here?
1980‐2010
2010‐2020
New Defense Doctrine
Fighting Advanced Threats: Key Requirements
Resistance, Detection, Investigation, Intelligence
Q&A
Got any questions? Send me a LinkedIn invitation (Uri Rivner)
Session ID: SEM-001
Governance, Risk, and Compliance
Justin S. Peavey, Omgeo
Introductions
Justin Peavey, SVP, Information Systems & Security, CISO, Omgeo, LLC, [email protected]
Agenda
What is GRC?
How to Get Started
Recommendations
What is GRC?
GRC Defined
Risk
Compliance
Governance
Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.
Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
What is driving GRC
Drivers of GRC: Security Standards; Regulatory Requirements; Risk Management Practices; Ethical and Financial Standards; New Technologies; Transparency and Accountability Demands; Demonstration of Controls
Views of GRC
• GRC has traditionally been viewed as the structure and actions in place to avoid negative consequences:
  – Regulatory fines
  – Costs/reputation loss due to security breach
  – Costs associated with inefficiencies in operations
  – Ethical or Financial Scandals
• Increasingly, GRC is being viewed as fundamental to complex business operations
  – Complex, multi-national legal and regulatory landscape
  – Major highly-impactful events increasing the consequences
Tangent: Why Regulation?
• Regulation is “controlling human or societal behavior by rules or restrictions”1
  – Regulation attempts to produce outcomes or prevent outcomes which otherwise might not occur in the desired manner.
• Schneier on Regulation2: “[it] is all about economics”
  – In a capitalist system, companies make decisions in their own self-interest. Normally this is a good thing, but some effects of the decisions, externalities, are not borne by the companies.
  – Regulation and liability force the externalities to be part of the self-interest of the company and become included factors in the decision making.
• Principle-based vs. Rules-based Regulation
  – Principle-based is less prescriptive and generally weathers time better. It also generally leaves more room for interpretation by both you and the regulators.
  – Rules-based is more prescriptive and therefore generally more straightforward to ‘pass’, but the rules can quickly be dated as new approaches emerge and the goal of the regulation can easily be lost sight of.
• Key: Regulation is all about achieving a specific set of goals; understand what that goal is and demonstrate to the regulator how your program achieves that goal.
1. Bert-Jaap Koops et al., Starting Points for ICT Regulations, Deconstructing Prevalent Policy One-liners, Cambridge University Press, Cambridge: 2006, p. 81
2. Bruce Schneier, Do Federal Security Regulations Help?
How to Get Started?
Getting Started (from within your security program)
• Acknowledge that Information Security is a Risk Management Discipline
• Acknowledge that fundamentally, you and auditors are trying to achieve similar goals
• If you don’t already, begin integrating Risk Management processes into security operations
Information Security Risk Management
Image available at: www.ossie-group.org
Developing a GRC Corporate Strategy: The Strategy Roadmap
ANALYZE: Identify Process Dependencies, Complexity and Priority
DISCOVER: Conduct Interviews and Document GRC Processes
PLAN: Determine the Project Vision, Goals, Scope and Stakeholders
ARCHITECT: Define a GRC Solution Architecture Based on Process Analysis
PUBLISH: Deliver the Strategy Roadmap Document and Application
SCHEDULE: Define the Project Approach, Timeline and Resources
GRC Roadmap (yikes!)
[Roadmap diagram: Phase 1 through Phase 5]
Recommendations
Recommendations
• Identify areas, high sensitivity areas and assets to start with (examples):
  – Information Security: Applications, Sites, Key Functions
  – Vendor Management: High Dependency, High Risk, High Cost
  – Regulatory & Legal Compliance
  – Finance/Ethics
• Establish a baseline of expected activities/controls to measure from and assess risk
• Refine your assessment models from real data; focus on qualitative, not quantitative, analysis. The goal should be to prioritize the most significant risks and most valuable actions.
• Identify actionable or indicative information. Establish metrics/dashboards and a vehicle for getting them reviewed
• As your process stabilizes, look at eGRC options that may map well to your company’s needs.
Session ID: SEM-001
Session Classification: Beginner
Jason Rouse, Bloomberg LP
INTRODUCTION TO SOFTWARE SECURITY
► INTRODUCTION
► WHO CARES
► WAYS AHEAD
► APPLYING YOUR KNOWLEDGE
AGENDA
INTRODUCTION
► What do wireless devices, cell phones, PDAs, browsers, routers, operating systems, servers, personal computers, public key infrastructure systems, smart meters, watches, televisions, stereos, and firewalls have in common?
QUICK QUESTION
Software
QUICK QUESTION #2
“Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions: unregulated gambling, undetectable authentication, anonymous cash, safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’
It’s just not true. Cryptography can’t do any of that.”
--Bruce Schneier
MAGIC CRYPTO FAIRY DUST
SECURITY = NON-FUNCTIONAL GOALS
► Prevention
► Traceability and auditing
► Monitoring
► Privacy and confidentiality
► Multi-level security
► Anonymity
► Authentication
► Integrity
► A very good basic book is Schneier’s “Secrets and Lies”
SOFTWARE SECURITY IS HARD
► Complexity never, ever goes down
libraries, languages, compilers, interpreters, scripts, hacks
SOFTWARE SECURITY IS HARD
► Users must not be involved in hard choices
SOFTWARE SECURITY IS HARD
►Who truly envisioned this?
►Organic Growth, Interdependence
WHO HAS ONE OF THESE?
MODERN SECURITY IS RISK
[Chart: cost ($) against security level from 0% to 100%. The cost of mitigation rises with the security level while the cost of breaches falls; the total cost curve has its minimum at the optimal security level at minimum cost]
► There is no such thing as 100% secure
► Must make tradeoffs
► Should be BUSINESS DECISIONS
► Proactive security is about building things right
► Security is not a “function”
► It’s all about SOFTWARE
► Most security problems are caused by software bugs and flaws
► We MUST build secure software
Who Cares?
WE CARE BECAUSE…
$59.5 billion – security flaws, bugs and software – National Institute of Standards and Technology, 2004
$100M - $200M cost of product recall – Wireless Device Providers
Hundreds of thousands of mobile users infected with malware – Fortune 100, 2012
Software is business-critical and causes significant impact when it fails …
$500M in lost market value – Fortune 500 Entertainment Company
75% of all attacks occur at the application layer – Gartner
World-wide denial of service to cellular telephones – Mobile Network Operator
Defects at Each Stage of Software Development
[Bar chart: percentage of defects introduced at each stage (Requirements, Design, Testing, Coding, Maintenance); y-axis 0 to 60%. Source: TRW]
Cost of Fixing Defects at Each Stage of Software Development
[Bar chart: cost per defect at each stage (Requirements, Design, Testing, Coding, Maintenance); y-axis $0 to $15,000. Source: TRW]
WHERE DOES SECURITY GO?
Er… Castles…
► Perimeter security protects the LAN
  ► Network firewalls
  ► Intrusion detection
  ► Reactive
► Host security protects the machine
  ► Patching (operating systems and applications)
  ► Operational
► Software security protects ALL software
  ► (S)SDLC – think about what this means for your organization!
  ► Constructive
► Data security protects digital assets
  ► Data security requires understanding of data AT REST, IN MOTION, and IN USE
NEVER FORGET THE INSIDE
Ways Ahead
EVERYBODY, EVERYWHERE
A Wee Demonstration…
Examining The Problem
(The “Uh-Oh” Part)
EXAMINING the PROBLEM: PROGRAM INPUT
EXAMINING the PROBLEM: ERRORS and LOGGING
EXAMINING the PROBLEM: Auth & Auth
Applying Your Knowledge
Keep these things in mind at all times!
INPUT VALIDATION IN THEORY
► Determine your output context
► Identify control characters
► Ensure output conforms to proper format
OUTPUT ENCODING
ACTIONS: BOTTOM-UP
► A few relatively simple things can make a tangible difference and can help you get started with software security
► Within the next 3 months, you should:
  ► Begin to develop a resource set (e.g., portal)
  ► Start small with simple architecture risk analyses
  ► Target high-risk or high-profile applications
  ► Develop and socialize business-case justifications
  ► Make friends in low places!
  ► Leverage, if applicable, code scanning tools (where available)
  ► Never underestimate the power of simple tools
ACTIONS: TOP-DOWN
Aim for a 6-12 month journey:
► Chart out a strategic course of action to get where you want to be
► Get help: have a gap analysis performed
► Make achievable, realistic milestones
► Think about measurements & metrics for success
► Use outside help as you need it
► Document, share, and learn from your experience!
Thank You!
Session ID: SEM-001
Benjamin Jun, VP and CTO, Cryptography Research Inc.
Crypto 101/Encryption, SSL & Certificates
Slides adapted from: Ivan Ristic, Qualys (RSAC 2011)
Agenda
CRYPTOGRAPHY
VULNERABILITIES
SSL / TLS
CERTIFICATES
CRYPTOGRAPHY
What is Cryptography?
Cryptology
  Cryptography
    Symmetric encryption
      Stream ciphers
      Block ciphers
    Asymmetric encryption
    Hash functions
    Digital signatures
    Protocols
  Cryptanalysis
Cryptography is the art and science of keeping messages secure.
What Does Secure Mean?
Always required:
► Confidentiality
► Integrity
► Authentication
► Non-repudiation
Other criteria:
► Interoperability
► Performance
Good guys:
► Alice, Bob
Bad guys:
► Eve (passive, eavesdropper)
► Mallory, Oscar, Trudy (active, man in the middle)
Meet Alice and Bob
► Obfuscation that is fast when you know the secrets, but impossible or slow when you don’t.
► Computational security means that something cannot be broken with available resources, either now or in the future.
► Aspects of complexity:
  ► Amount of data
  ► Processing power
  ► Memory capacity
How Does Encryption Work?
Convenient and fast:
► Common algorithms: RC4, 3DES, AES
► Secret key must be agreed on in advance
► Group communication requires secure key distribution
► No authentication
Symmetric Encryption
Asymmetric encryption uses two keys; one private and one public. The keys are related.
► RSA, Elliptic Curve, Diffie-Hellman key exchange, Elgamal encryption, and DSA. Also ECDH and ECDSA.
► Enables authentication and secure key exchange.
► Significantly slower than symmetric encryption.
Asymmetric Encryption
Well-known algorithms:
► RSA
  ► Textbook approach – signing involves “encrypting” w/private key
  ► In practice, use a standard digest and padding method
► DSA, ECDSA
Digital Signatures
► Random numbers are at the heart of cryptography.
  ► Used for key generation
  ► Weak keys equal weak encryption
► Types of random number generators:
  ► True random number generators (TRNG) – truly random
  ► Pseudorandom number generators (PRNG) – look random
  ► Cryptographically secure pseudorandom number generators (CSPRNG) – look random and are unpredictable
Random Number Generation
► Hash functions are lossy one-way transformations that output fixed-length data fingerprints. Usually used for:
  ► Digital signatures
  ► Integrity validation
  ► Tokenization (e.g., storing passwords)
► Desirable qualities of hash functions:
  ► Preimage resistance (one-wayness)
  ► Weak collision resistance (2nd preimage resistance)
  ► Strong collision resistance (and the Birthday attack)
Hash Functions
► Communicating securely requires more effort than just putting the primitives together
Protocols
[Diagram: hybrid protocol for sending a message from Alice to Bob]
► Alice computes a digest of the message and signs it with Alice’s private key, producing the signature.
► The message, Alice’s certificate and the signature are encrypted with a session key.
► The session key is encrypted with Bob’s public key.
► Bob receives the encrypted message, certificate, and signature together with the encrypted session key.
VULNERABILITIES
Attacks on Cryptography
Cryptanalysis
Classical cryptanalysis
Mathematical analysis
Brute-force attacks
Implementation attacks
Social engineering
Example: Brute Force (Cryptanalysis)
DES Keysearch Machine, 1998 (Cryptography Research, AWT, EFF). Tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key.
US Navy Bombe, 1943. Contains 16 four-rotor Enigma equivalents to perform exhaustive key search.
Simple EM attack with a radio: usable signals even at 10 feet away
[Diagram: devices → antennas (near field, far field) → receiver ($350) → digitizer, GNU Radio ($1000) → signal processing (demodulation, filtering) → DPAWS™ side-channel analysis software]
Example: Side channel (Implementation)
► Focus on the M^dp mod p calculation (M^dq mod q is similar)
Example: Side channel (Implementation)
For each bit i of secret dp:
    perform “Square”
    if (bit i == 1):
        perform “Multiply”
    endif
endfor
SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S
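To make the leak concrete, here is an added Python model (my code, not from the slides) of the square-and-multiply loop above: the same secret-dependent branch produces the S/SM pattern, the pattern alone gives back every bit of dp, and a square-and-always-multiply variant shows the key-independent pattern a balanced implementation produces instead. The trace string is copied from the slide; the prime, exponent and message are constructed toy values.

```python
# Added example: model of the square-and-multiply leak on the slide.
# Values used in demo() are constructed toy numbers, not real RSA parameters.
from typing import List, Tuple

# Operation trace exactly as printed on the slide (spaces separate loop iterations).
SLIDE_TRACE = "SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S"


def square_and_multiply(base: int, exp: int, mod: int) -> Tuple[int, List[str]]:
    """Textbook base^exp mod `mod`, processing exponent bits MSB first.

    Returns the result and the sequence of modular operations performed,
    which is what a power or EM trace of the device reveals.
    """
    result = 1
    trace: List[str] = []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":                      # secret-dependent branch: the leak
            result = (result * base) % mod
            trace.append("M")
    return result, trace


def exponent_from_trace(trace: str) -> int:
    """Read the exponent back from an S/SM operation trace.

    Every 'S' opens a new bit with value 0; an 'M' directly after it sets
    that bit to 1. Characters other than S/M (such as spaces) are ignored.
    """
    bits: List[str] = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M":
            if not bits:
                raise ValueError("multiply before any square: not a valid trace")
            bits[-1] = "1"
    if not bits:
        raise ValueError("empty trace")
    return int("".join(bits), 2)


def square_and_always_multiply(base: int, exp: int, mod: int) -> Tuple[int, List[str]]:
    """Same result, but a dummy multiply on 0-bits makes the S/M pattern
    independent of the key: every bit shows up as 'SM'.

    The result selection below is still a Python branch, so this balances
    only the operation sequence; a production implementation also needs
    constant-time selection and normally exponent or message blinding.
    """
    result = 1
    trace: List[str] = []
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        candidate = (result * base) % mod   # always performed
        trace.append("M")
        result = candidate if bit == "1" else result
    return result, trace


def demo() -> Tuple[int, bool, bool]:
    """Constructed toy CRT half: p = 1019 (prime), dp = 0b1011 = 11, M = 123.

    Returns (exponent recovered from the leaky trace,
             both variants agree with pow(),
             balanced trace is 'SM' per bit regardless of the key).
    """
    p, d_p, m = 1019, 11, 123
    leaky_result, leaky_trace = square_and_multiply(m, d_p, p)
    balanced_result, balanced_trace = square_and_always_multiply(m, d_p, p)
    recovered = exponent_from_trace("".join(leaky_trace))
    pattern_independent = balanced_trace == ["S", "M"] * d_p.bit_length()
    return recovered, leaky_result == balanced_result == pow(m, d_p, p), pattern_independent


if __name__ == "__main__":
    print("bits of dp read from the slide's trace:", bin(exponent_from_trace(SLIDE_TRACE)))
    print(demo())
```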
SSL/TLS
► SSL is a hybrid protocol designed to turn an insecure communication channel (regardless of protocol) into a secure one
► Designed by Netscape in 1994, standardized in 1999 as TLS, which is now at version 1.2 (2008, 2011)
► Protocol versions so far:
  ► SSL v2 - insecure
  ► SSL v3 - still secure
  ► TLS v1 - widely used, but not best
  ► TLS v1.1, v1.2 - not widely used
Introduction to SSL
[Chart: SSL v2 support among surveyed servers] SSL v2: 49.85%; SSL v2 with no suites: 11.93%; No support: 38.22%
► The SSL standard packages our knowledge of security protocols for reuse
► Key services: ► Discovery and authentication
► Session key(s) generation
► Communication integrity
► Interoperability
► Extensibility
► Performance
SSL Goals
► SSL cipher suites are a higher-level cryptographic construct, consisting of:
  ► Key exchange and authentication
  ► Symmetric session cipher
  ► Message integrity algorithm
► Examples:
  ► TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  ► TLS_RSA_WITH_AES_128_CBC_SHA
  ► TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  ► TLS_RSA_WITH_RC4_128_SHA
SSL Cipher Suites
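To show how the suite names above decompose into the three components the slide lists, here is an added Python parser and reviewer check (my code, not from the slides). The list of weaknesses it flags is my own summary of well-known issues with these suites, not something the slides state.

```python
# Added example: split a TLS cipher suite name into key exchange, authentication,
# session cipher and integrity algorithm, then flag legacy choices.
from typing import Dict, List

# Suites named on the slide.
SLIDE_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
]


def parse_suite(name: str) -> Dict[str, str]:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<mac> into its parts.

    When a single token precedes WITH (e.g. TLS_RSA_...), RSA is both the
    key-exchange and the authentication method. For AEAD suites the final
    token names the PRF hash rather than a separate MAC.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS cipher suite name: {name}")
    kx_auth, cipher_mac = name[len("TLS_"):].split("_WITH_", 1)
    kx_tokens = kx_auth.split("_")
    cm_tokens = cipher_mac.split("_")
    if len(cm_tokens) < 2:
        raise ValueError(f"missing cipher or MAC: {name}")
    return {
        "key_exchange": kx_tokens[0],
        "authentication": kx_tokens[1] if len(kx_tokens) > 1 else kx_tokens[0],
        "cipher": "_".join(cm_tokens[:-1]),
        "mac": cm_tokens[-1],
    }


def assess(name: str) -> List[str]:
    """Return the weaknesses a reviewer would flag for this suite (empty = none)."""
    parts = parse_suite(name)
    findings: List[str] = []
    if not parts["key_exchange"].endswith("DHE"):
        findings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    if parts["authentication"] == "anon":
        findings.append("anonymous key exchange: no server authentication")
    if parts["cipher"].startswith("RC4"):
        findings.append("RC4 keystream has statistical biases; do not use")
    if parts["cipher"].startswith("3DES"):
        findings.append("3DES has a 64-bit block; long sessions risk block collisions")
    if parts["cipher"] == "NULL":
        findings.append("NULL cipher: no confidentiality at all")
    return findings


def rank(names: List[str]) -> List[str]:
    """Order suites from fewest to most findings, keeping input order on ties."""
    return sorted(names, key=lambda n: len(assess(n)))


if __name__ == "__main__":
    for suite in rank(SLIDE_SUITES):
        print(suite, parse_suite(suite), assess(suite))
```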
► The situation is good, overall
► But there are several issues:
  ► Problems with certificate authorities
  ► Browsers talk to sites with broken certificates
  ► We’re not good at keeping up with protocol evolution: SSL v2 still widely supported; TLS v1.1 and TLS v1.2 virtually not supported
  ► Too many plain-text (HTTP) web sites
  ► Issues related to mixed content (HTTP/HTTPS)
State of SSL
CERTIFICATES
► Digital identity often includes a public/private keypair
  ► Usually exchanged at start of a session
► It is necessary to authenticate the keypair when faced with an active man-in-the-middle attack
► We need third parties to help establish identity – generally a certificate authority (CA)
► Digital certificates contain a public key, some identifying information (e.g., name, address, etc.) and a signature
Digital Certificates
Certificate Contents
Certificate Chaining
Certificate Authorities
► Estimated ~650 certificate authorities (EFF)
► Most browsers trust a small(ish) number of root certs, but the overall number grows through chaining
► Any CA can issue a certificate for any site
► Strong desire to keep certificates in DNS (now that we are starting to implement DNSSEC)
The EFF SSL Observatory https://www.eff.org/observatory
CONCLUSIONS
Resources
Understanding Cryptography Christof Paar and Jan Pelzl (Springer, 2009)
Applied Cryptography, 2ed Bruce Schneier (Wiley, 1996)
SSL and TLS Eric Rescorla (Addison Wesley, 2001)
SSL Labs www.ssllabs.com Qualys
► In the first three months, you should:
  ► Identify where cryptography is used in your organization
  ► Identify infrastructure required for cryptographic implementations (key management, certificates)
► Within six months, you should:
  ► Know what crypto can do. Explain the different security properties.
  ► Know what crypto can’t do. Gain basic knowledge of implementation security issues.
Applying What You Have Learned
QUESTIONS?
Session ID: SEM-001
Mobile Security Introduction
Paul Youn, iSEC Partners
Marc Blanchou, iSEC Partners
► Totally unnecessary introduction
► Threats
► Users have it hard
► Vendors have it hard
► Solution (attempts)
► Conclusion
Agenda
You’re on your phone right now
Mobile Platforms
Data from IDC Press Release
[Chart: millions of smartphones shipped, Q3 2011 vs. Q3 2012 (scale 0 to 1000), a 32% increase]
Attack Surface
► Mobile applications are here to stay
► More Line of Business apps will go mobile
► Modern phones are complex
► Complexity & attack surface are often related
► Can’t stop Employee Liable Devices
Mobile Trend Takeaways
What could possibly go wrong?
► Application Attack Vectors
  ► App-to-App
  ► App-to-OS
► App Installation Vectors
  ► Poorly policed markets
  ► 3rd party markets (Amazon, etc.)
  ► SMS/Email
  ► Exploits
  ► Sideloading
Malicious Applications
► Plankton malware appeared:
► What did “Angry Birds Rio Unlock” do?
  ► Steal your browser history
  ► Have the ability to install and add shortcuts
Plankton
► OS vulns are valuable
  ► iOS: 100-200k
  ► Android: 30-60k
► Jailbreak research (jailbreakme)
► Zero days are out there
Mobile is a target
► Software-defined radio
► Text messages, voice, data are always readable by an active attacker
► Text, voice most likely readable by a passive attacker
  ► Requires a more complicated RF stage
Cellular interception for all!
► SSL Observatory Project
  ► Jesse Burns (iSEC), Peter Eckersley (EFF)
  ► Data set available on BitTorrent
► Number of Trusted CAs
  ► Mozilla: 124 trust roots (~60 organizations)
  ► Microsoft: lists only 19 trust roots in Windows 7
    ► Silent on-demand updating! Can make this 300+ certs
  ► iOS and Android are close to the Mozilla list
► They signed…. 1,482 CAs!
Certificate Trust
► Early 2011 (Comodo):
► DigiNotar:
► Late 2012/early 2013 (TurkTrust):
Oops
Users Hate You (don’t feel bad)
► Phone
► Corporate email
► 2nd factor auth
► Payment data
► Angry Birds
One password to rule them all
f # 2 M * p 4 a Z & k 1 %
Poor Keyboards
Limited Screen Size
*From RHanson
Details?
► Disabled SSL Certificate Validation
Case Study: Incorrect cert validation
Users will always surprise you
► 500k – 1M installs
► Permissions: run at startup, read/write bookmarks and history, modify contents of your SD card, full network access
What permissions?
► Still available
► Wall of text terms of service
► Served ads and modified browser behavior
► Could steal your history
Invasive adware (legal Plankton)
► Physical security is a real problem
► Devices will be lost or stolen
The Airline Pocket
Sync Data Leakage
• Images
• Application Data
• E-Mail
• Contacts
• Etc…
► Multiple Apps Affected
► 6 of 7 Stored Data Locally
► Significant Reputation Risk
Case Study – Local Data Storage
Hard to get it right
► Mobile applications are still on the Internet: accept both PC and phone connections
► Common Real World Result:
  ► Primary website secured
  ► Mobile site unprotected
  ► Same credentials
► Issues can have worse results than on the desktop
Mobile Web Attack Surface
► It’s packaged software!
► Indirect Customer Relationship
► Long update lag:
  ► Users choose not to install patches
  ► Carrier testing requirements
App. Distribution Challenges
► Inconsistent versions
  ► On older iOS devices
  ► More than half of Android devices contain vulnerabilities
► Vendor specific OS and Software
OS and Software Versions
What to do?
► Claim to:
  ► Improve manageability
  ► Attempt to provide data segregation
  ► Encrypt sensitive data (emails, contacts, attachments)
  ► Usually protected by a PIN (separate from main PIN)
  ► Enforce strong policies on all compatible devices
  ► Isolate and improve application security
  ► Remote Lock and remote Wipe
  ► Jailbreak detection
MDM / Secure Container Products?
► Full Disk Encryption? Not enough
► Tamper resistant chip?
  ► iOS: Data Protection API
  ► Android: Difficult to do right
Can the data be secured?
► Certificate pinning means you only accept a hardcoded certificate for SSL/TLS
► Can be configured in iOS and Android
► Implement testing
Pin certificates
Remote lock and remote wipe?
► Jailbreak/root detection
  ► Easily circumvented
► Malware protection
  ► Application whitelisting on iOS
► Is isolating applications in a ‘Container’ a good idea?
The limits of safety
Don’t throw away your phone
► There are limits to security on a mobile device
► The more attack vectors the harder something is to secure
► Your phone has a very large threat surface compared to most other devices
Be careful with your sensitive data!
► Turn off unnecessary attack surfaces (such as Bluetooth)
► Update and patch your applications
► Use MDM products, just don’t over-rely on them
► Make it easy for users:
  ► Don’t store sensitive data on the device (or limit what you cache, such as only recent email)
  ► Consider using different mobile credentials for your apps
  ► Use strong credentials
Protect yourself
► Paul Youn, Technical Director at iSEC Partners, [email protected]
► Marc Blanchou, Senior Security Engineer at iSEC Partners, [email protected]
► Thanks to: Alex Stamos, Mike Warner
Thank You
Session ID: SEM-001
Bill Duane, RSA Security, Office of the CTO
Security Basics Seminar: Authentication Technologies
Why Authentication?
► That is the eternal question…
► It has been in existence as long as people have existed.
► It is often followed by:
  ► “Have we met before?”
  ► “What is a beautiful person like you doing in a place like this?”
  ► And “Would you like to come up to my place to see my collection of strong authentication devices???”
► It also happens to be a foundation question for security.
Who Are You?
How do you know??
► There has been a veritable explosion in consumer-facing Internet crime
  ► Phishing and Malware continue to grow at an alarming rate
  ► Fraud Attacks are also growing rapidly
  ► Pranksters and script kiddies have been replaced by professional criminals, organized crime, and even governments
► In many cases the legal, ethical, and societal implications have not kept pace with the crimes
  ► Well established concepts like jurisdiction, liability, and privacy begin to crack when the crimes occur across the globe and traverse many countries, political relationships, legal relationships and so on.
Phishing and Fraud
Growth of Phishing Attacks
The number of unique phishing attacks rose to a peak of 40K in August 2009, and has now been hovering around 24-25K per month.
We clearly are at an inflection point where Phishing is starting to decline, and trojans are increasing.
Ref: http://www.antiphishing.org/
There was a roughly 20% increase in trojans as a percentage of malware between H2 2010 and H1 2011; the latest split is shown.
• Crimeware steals financial info
• Data stealing/Trojans for system control
• Other is the rest, including auto-replicating worms, telephone dialer scams, …
► There is increasing concern about APTs in the industry, especially among defense contractors, the intelligence community, and governments
  ► Low and slow; targeting specific people/organizations
  ► Often government sponsored
  ► APT = Advanced Persistent Threat
► These situations show the organization and sophistication of the modern attacker
  ► Military in style
  ► Well funded
  ► Specific objectives/targeted
Growth of Attacks and Attack Methods
► During a visit, the Secret Service mentioned that attacking 10 million email addresses costs the Phisher only $160, and yields the attacker $124,840 profit
  ► This assumes 50% of the emails bounce, and that only .001% of the remaining people are duped
► If www.antiphishing.org is correct, and there are about 25,000 new phishing attacks per month…
► Multiplied together you get a whopping possible phishing profit of $3,121,000,000 per month worldwide!!!
  ► Even if the numbers are off by an entire order of magnitude (unlikely) it is still a whopping $312 million per month worldwide!
The Economics of Phishing
Strong authentication could help with many of these problems, except for…:
► The continued widespread use of passwords as authenticators
► The fact that advanced authentication technologies have not reached the price points needed to become ubiquitous on the Internet
► The fact that advanced authentication technologies have not reached an ease of use level where a child or my 90 year old grandmother can use them
► The fact that credit cards are static one-factor devices
► The fact that databases containing credit cards and personal information are not encrypted
How does authentication factor in??
10
► Without knowing with a high level of certainty who you are dealing with:
  ► it is not possible to properly assign access control and other rights
  ► it is not possible to trust a digital signature
  ► in many cases it makes no sense to encrypt data if you don't know who you are dealing with
► The basis for all security is authentication
The Need for Authentication
► Strong Authentication typically binds an individual to a secret
► The system you are attempting to access has some mechanism to validate that you have the secret
  ► Sometimes the system knows the actual secret
  ► Sometimes the system knows something derived from the secret
► The secret can take many forms
  ► Passwords
  ► Symmetric cryptographic secrets
  ► Asymmetric cryptographic secrets
► The trick is, some secrets are more secret than others…
Authentication
Passwords
Authentication with password (diagram): the Accessing System sends the clear-text password to the Accessed System, which runs it through a cryptographic hash to produce a digest and compares that digest with the stored digest; a match authenticates the user.
Passwords using parallel cryptography (diagram):
1. The Accessed System generates a random number and sends it to the Accessing System as a challenge.
2. The Accessing System hashes the clear-text password to produce a digest, then combines the challenge and the digest and hashes them to produce the response.
3. The Accessed System runs the same computation on the server using its copy of the digest to produce Response', and compares Response' with the received response; a match authenticates the user.
► Test 1 (London)
  ► >70% revealed their computer password for a bar of chocolate
  ► 34% volunteered their password when asked, without even needing to be bribed
  ► 79% unwittingly gave away information that could be used to steal their identity when questioned
  ► 33% share passwords
  ► On average, people have to remember 4 passwords
► Test 3 (London)
  ► 81% revealed personal information for a chance to win Easter chocolate
  ► 90% were willing to give personal info in 2005 for the chance to get theater tix
  ► People offered up identity info like birth date, mother's maiden name, first school
  ► 86% gave up pet's name
  ► 90% gave up home phone number
  ► After 2 minutes, enough info was typically gathered to allow an identity attack
► Test 1 (San Francisco)
  ► 67% turned over their passwords for $3 coffee coupons
  ► 70% of those who said "no way" gave up significant hints (wife's name, anniversary date, pet's name)
  ► 79% said they use the same password for multiple Web sites
  ► Nearly 60% have >=4 passwords
  ► One executive, too busy to stop, sent his secretary back with his password so he could get the free coffee (she gave up hers, too)
The Problem with Passwords …People!!!
The Problem with Passwords …
Source: www.unitedmedia.com/comics/dilbert
A more resistant password:
1. Pick a passphrase
2. Select the first letters of every word
3. Add non-alphanumerics
4. Surround with special characters:
"At 1, Bill presented an Awesome talk on authentication"
A1BpaAtoa
^#A1BpaAtoa#^
µ^#A1BpaAtoa#^µ
I'm sure my grandma will comply…
Where are my yellow stickies?
The Fundamental Problem (chart: Computer Power and Brain Power plotted over time, from the Dawn of Computing, through Reality TV and Now, into the Future)
► Passwords have their good points:
  ► They are easy to use
  ► They are easy to remember
  ► They do not require external devices to operate
  ► They are platform-independent
  ► They have no acquisition cost
  ► Minimal end-user training
The Benefits of Passwords
► They are '1 static factor' devices: it's only something you 'know'
  ► yellow stickies on your monitor, notes under your keyboard
  ► replay attacks are common
► Can be compromised without knowing
  ► Social attacks
► Inconsistent formats between applications (provisioning, synchronization necessary)
► Passwords are actually quite expensive (operating costs)
  ► Password reset and admin is frequently over 40% of what help desks do!
The Problems with Passwords
► Most passwords are poorly chosen
  ► Your dog's name, your significant other's pet name, the word 'password'
  ► Most passwords are vulnerable to the widely available password cracking programs
► Poorly chosen passwords significantly reduce the search space for an attacker
► We are entering an age where passwords must be very carefully used, and should not be used for controlling access to critical accounts
The Problems with Passwords
One Time Passcodes
► Authentication tokens are small devices which generate a new "password" (tokencode) for every authentication
► They contain a secret key (seed) which is shared with an authentication server
  ► Tokens usually have an LCD display, a small microprocessor, and a battery. Tokens may have a keypad and a real-time clock
► Tokens do require that the user carry them around, but provide authentication without desktop software
One Time Passcode (OTP) Tokens
► Tokens are currently the most cost effective and easiest to use strong authentication solution
  ► They are common in the enterprise marketplace
  ► They are a proven technology
  ► They are easy to use
  ► There are a number of different types of token:
    ► Time-based
    ► Challenge-Response
    ► Counter-based
► Two of the biggest issues for the use of tokens in the consumer Internet space are cost and multi-site token re-use
OTP Tokens
Challenge-Response OTP Tokens (diagram): the Authentication Server generates a random number and presents it as the challenge. The user inputs the challenge on the token keypad; the token combines its internal seed with the challenge, hashes the result, and truncates it as needed to produce a response of the correct length. The user reads the response on the LCD and enters it at the logon prompt. The server runs the same hash computation using its copy of the seed, truncates the result to produce Response', and compares Response' with the received response; a match authenticates the user.
Counter-Based OTP Tokens (diagram): the token has an internal counter, incremented by button presses. It combines the current counter value with its internal seed, 'hashes' it, and truncates the result as needed to produce a passcode of the correct length. The server's counter increments for each authentication; the server runs the same 'hash' using its counter and its copy of the seed, truncates the result to produce Passcode', and compares Passcode' with the received passcode; a match authenticates the user.
Time-Based OTP Tokens (diagram): the token has its own internal clock. It combines the current time with its internal seed, 'hashes' it, and truncates the result as needed to produce a passcode of the correct length. The server's clock runs independently from the token's internal clock; the server runs the same 'hash' using the time and its copy of the seed, truncates the result to produce Passcode', and compares Passcode' with the received passcode; a match authenticates the user.
► As we have seen, there are a variety of OTP tokens available
  ► In addition to the hardware tokens discussed, software versions are available which run on PCs, notebooks, and other mobile computers such as tablets and smart phones
► OTP tokens continue to be one of the most common strong authentication methods, especially in the enterprise
OTP Tokens
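The "parallel cryptography" password exchange and the three token types (challenge-response, counter-based, time-based) as one added Python example. This is editor-supplied code, not the presenter's or any token vendor's: where the slides say only "hash and truncate", it assumes HMAC-SHA1 with the RFC 4226/RFC 6238 truncation for the counter- and time-based codes, a SHA-256 digest and HMAC-SHA256 for the password/challenge scheme, and illustrative look-ahead and clock-skew windows. The server class adds the two checks the diagrams leave out: refusing a code that has already been accepted, and resynchronising with a token whose counter or clock has drifted.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based OTP as standardised in RFC 4226: HMAC-SHA1 over the
    8-byte big-endian counter, dynamically truncated to 31 bits, then
    reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of
    `step`-second intervals since the Unix epoch."""
    return hotp(seed, now // step, digits)


def password_digest(password: bytes) -> bytes:
    """What the accessed system stores instead of the clear-text password.
    For the challenge-response scheme below the digest is password-equivalent:
    whoever steals the stored copy can answer every future challenge."""
    return hashlib.sha256(password).digest()


def challenge_response(secret: bytes, challenge: bytes, digits: int = 6) -> str:
    """Keyed hash of the server's random challenge, truncated to a typeable
    code. `secret` is a token seed or a stored password digest."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    code = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_challenge_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute Response' from its copy of the secret and
    compare in constant time."""
    return hmac.compare_digest(challenge_response(secret, challenge), response)


class OtpServer:
    """Holds the copy of the seed plus the state needed to refuse replays and
    to resynchronise with a token whose counter or clock has drifted."""

    def __init__(self, seed: bytes, look_ahead: int = 3, skew: int = 1, step: int = 30):
        self.seed = seed
        self.step = step
        self.look_ahead = look_ahead    # counter-based: how far ahead the token may be
        self.skew = skew                # time-based: +/- steps of clock drift tolerated
        self.next_counter = 0           # lowest counter value still acceptable
        self.last_time_step = -1        # highest time step already consumed

    def verify_hotp(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.next_counter = c + 1   # resync; every counter <= c is now burned
                return True
        return False

    def verify_totp(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.skew, current + self.skew + 1):
            if t <= self.last_time_step:
                continue                    # already used: a replay inside the skew window
            if hmac.compare_digest(hotp(self.seed, t), code):
                self.last_time_step = t
                return True
        return False
```

The `hotp` function reproduces the published RFC 4226 test vectors for the ASCII seed `12345678901234567890` (counter 0 gives 755224), so it can be checked against any standards-conforming token. Note that accepting a code anywhere in the window without recording it would let the same passcode be replayed until the window moves on; that is why both verifiers advance their state on success.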
Public-Private Key Authentication
Public-Private Key Authentication (diagram): the Server generates a random number and sends it to the Client protected with the Client's Public Key; the Client recovers it with its Private Key and returns the random number; the Server compares the returned Random #' with the number it generated, and a match shows the Client holds the matching Private Key.
► If you have a certain Public Key, as shown it can be used to verify that the other system has the matching Private Key
► To complete the process of PPK Authentication:
  ► You need to trust that the Public Key is the right one for an individual
  ► You need to secure the storage of the Private Key
PPK Authentication
Trusting the Public Key
X.509 Digital Certificate: "I officially notarize the association between this particular User, and this particular Public Key"
  Serial Number: xxxxx
  Validity: Nov.08,2003 - 08,2005
  User / Organization: CA - Ref.,LIAB.LTD(c)96 / Organizational Unit = Digital ID Class 2 - Chelmsford
  Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
  Signed By: RSA Security
  Status:
It's all about Trust (diagram): the certificate below is signed with the Certificate Authority's Private Key and is verified with the Certificate Authority's Public Key.
  Serial Number: xxxxx
  Validity: Nov.08,1997 - Nov.08,1998
  User / Organization: CA - Ref.,LIAB.LTD(c)96 / Organizational Unit = Digital ID Class 2 - Chelmsford
  Status:
  Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
  Signed By: VeriSign, Inc.
► The private key must be securely stored
  ► Smart Cards are ideal
  ► Token protected storage is also very good
  ► Password protected storage is less ideal
► The whole trust of PPK systems comes down to the trust of Certificates and Private Key Storage
  ► And how you verify that the correct person is the owner of the private key!
Trusting the Private Key
Biometrics
► Alternative to passwords and smartcards
  ► Determine your identity by measuring your personal characteristics
► User friendly
  ► Nothing to remember, nothing to enter
► Hard to mess up
  ► No token to drop or give away
  ► No password to forget, write down or tell a friend
► They can be 2 or 3 factor authenticators
  ► Something you are plus something you have or know
► They are cool
Biometrics
► A large number have been proposed
  ► Fingerprints
  ► Retina scan, iris scan
  ► Facial Recognition
  ► Hand shape
  ► Blood vessels
  ► Voice
  ► Body Odor
  ► DNA (no commercial systems)
► Different characteristics
  ► Cost, convenience, stability, security, spoofing
Different biometrics
► Advantages
  ► Some types support cheap sensors
  ► Non-intrusive
  ► Small form factor
  ► Simple to use
► Disadvantages
  ► Identification is not unique
    ► The best have an error rate of 1:100 000 (that's only about 17 bits)
  ► Does not work in all environments
    ► Gloves, worn down fingertips
  ► Can be stolen without direct contact with the user
Example: Fingerprints
► Over the last couple of years there have been some interesting biometric developments
  ► Biometrics have entered the consumer market in a reasonably large way
  ► Large numbers of notebooks now contain a biometric fingerprint sensor
  ► Match-on-device functionality is becoming technically reasonable
Biometrics Update
► Where do you store the biometric patterns, and how is that protected?
  ► You use the same fingerprint everywhere
  ► You leave your fingerprint everywhere
► How much 'training' is required to get a good template?
► There is some part of the population where the biometric does not work, for example:
  ► Masonry and other construction workers who have worn down their fingerprints
  ► The fingerprints of senior citizens cannot be read in many cases
  ► Master criminals or spies who etched their fingerprints off with acids
The issues with Biometrics
► For me, perhaps the biggest problem with biometrics is theft of identity, and the related problem of revocation:
  ► Unlike other security credentials, a biometric is you!
  ► If some evil-doer gets your biometric template, they can impersonate you personally
► How do you deal with the theft of your template?
  ► Lopping off digits hardly seems appropriate
  ► You only have one voice, two eyes, one body odor, … so invalidating the compromised biometric is of limited use
The issues with Biometrics
Revocable Biometric Templates
The original image is not used as a template. It is first morphed with a master 'key', and the resulting horrific morphed image becomes the master template. In all subsequent authentications, the raw image is morphed using the same master key before the biometric authentication is performed.
If the morphed template is ever compromised, the original image is not revealed. The master key can then be destroyed and a new one used.
RFID
► In many cases RFID is identification, not authentication
  ► The RFID tag asserts its identity by broadcasting a unique identifier, but does not perform a cryptographic operation to prove that it is the authentic tag
► However, sophisticated tags exist, and more are being developed, and as a result, I can see a time where tags will assert identity, then be able to perform something like a challenge-response validation of a symmetric or asymmetric key.
► As a result, they are worth talking about in the context of authentication…
Is RFID Authentication??
► Since RFID tags transmit their identity, they can leak privacy information, even when their intended use is over.
► Steamboat Mountain & hospitals are well thought out RFID apps
  ► Benefits thoroughly explained in advance / opt-in
► Some RFID privacy advancements are happening
  ► Kill tags/blocker tags
► The RFID devices must be built on strong cryptography
  ► Data must be encrypted, and should not be static
  ► Algorithms should be peer reviewed
  ► TI/Speedpass: cracked/cloned by RSA Labs and Johns Hopkins
  ► ISO 14443/EMV (encrypted/dynamic)
► New RFID technologies to watch:
  ► Near-Field Comms
  ► RuBee (Long Wave ID - LWID)
RFID and Privacy
► 2006 World Cup Football (Soccer) in Germany
  ► RFID based admission tickets
  ► China Olympics RFID based tickets
► NIST publishes a report warning about the dangers of RFID
  ► Report recommends careful application
► Growth in food tracking area: meat and poultry in Norway; Thai rice; Malaysia livestock; Spanish meat
  ► Amish farmers resist RFID tagging of livestock on religious grounds
  ► Some religious groups resist biometrics as the 'mark of the beast'
► Viagra bottles will now have RFID tags to prevent counterfeiting!
► Publicized attacks on MiFare based transit cards
Some Noteworthy Recent RFID Events
► Saguaro National Park in Tucson, AZ to tag cacti with RFID tags to thwart thieves (a cactus is about $2k each, the tags are $4); following a similar program in Las Vegas.
► Jonathan Oxer, Melbourne, Australia: "Australia's geekiest geek!"
  ► RFID tag implanted in his left arm
  ► Used to unlock his car and home
  ► Cool but possibly dangerous…
A few of my favorite RFID news items
Composite Authentication
How do humans authenticate? (diagram)
Looks like John
He's at John's house
John has a dog which hates to be washed
John likes short hair
John has a son
That's John's wife
It is John!
► We authenticate by combining a set of lower confidence authentications into an aggregate authentication
► The process is not mathematically exact
  ► There is error and low confidence in many of the individual pieces of data
► However, taken in total, our confidence in the authentication is increased to a level above which we have confidence in the authentication
Human Authentication
► This technique is emerging as the new model for electronic authentication
► Composite authentications first started to emerge in the area of on-line banking
► Composite authentications combine a number of weak authentications into a stronger authentication
► While it may be possible to intercept or replay some of the composite parts, it is very difficult to simulate all the parts of a well designed composite
Composite Authentications
Composite Authentications (diagram)
Is it really Sally?
She knew Sally's password
She is connecting via Sally's ISP
She is using the same browser Sally uses
This is the same computer which Sally used before
She is connected at the same time Sally typically connects
She is doing the same operations which Sally typically does
She interacts with the computer like Sally
It's Sally!!
► Typically these authentications perform a risk scoring based upon all the data
  ► If the score is too low, the authentication fails
  ► If the score is above a threshold, then the authentication succeeds
  ► If the score is between the two:
    ► The end user may be prompted for more information
      ► Mother's maiden name, color of first car, …
    ► Or the user may be contacted through some other out-of-band method
      ► Calling the end user's cell phone
► By their nature, it is difficult to compute an effective bit strength for composite authentications
  ► And this would miss some of their inherent strengths
Composite Authentications
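The three-band risk scoring described on this slide, as an added Python illustration (editor's example, not the presenter's or any vendor's product logic). The signals, their penalties and the two thresholds are assumptions chosen to make the point; "Sally" and the four login attempts are constructed data. It runs the same scoring over Sally at home, Sally travelling, a phisher who copied her browser string, and a phisher who also replayed her device cookie, to show that the cheap-to-copy signals alone cannot buy a pass.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Profile:
    """What the site has learned about the legitimate user from past logins."""
    isp: str
    browser: str
    device_id: str
    usual_hours: Tuple[int, int]   # local hours (start, end) when she normally connects
    usual_actions: frozenset
    cadence: str                   # coarse fingerprint of how she interacts with the site


@dataclass(frozen=True)
class Attempt:
    """One login attempt as the server sees it."""
    password_ok: bool
    isp: str
    browser: str
    device_id: str
    hour: int
    action: str
    cadence: str


# (signal name, does the attempt agree with the profile?, penalty when it does not).
# Signals an attacker can copy cheaply (a User-Agent string) cost little;
# ones that take real effort to fake (device, behaviour) cost a lot.
SIGNALS: List[Tuple[str, Callable[[Profile, Attempt], bool], int]] = [
    ("isp",     lambda p, a: a.isp == p.isp,                                15),
    ("browser", lambda p, a: a.browser == p.browser,                         5),
    ("device",  lambda p, a: a.device_id == p.device_id,                    25),
    ("time",    lambda p, a: p.usual_hours[0] <= a.hour < p.usual_hours[1], 10),
    ("action",  lambda p, a: a.action in p.usual_actions,                   20),
    ("cadence", lambda p, a: a.cadence == p.cadence,                        25),
]


def confidence(profile: Profile, attempt: Attempt) -> Tuple[int, List[str]]:
    """Start from full confidence and subtract a penalty for every signal that
    disagrees with the profile. Returns (score, names of disagreeing signals)."""
    score, mismatches = 100, []
    for name, agrees, penalty in SIGNALS:
        if not agrees(profile, attempt):
            score -= penalty
            mismatches.append(name)
    return score, mismatches


def decide(profile: Profile, attempt: Attempt, pass_at: int = 80, fail_below: int = 40) -> str:
    """Three-way outcome. The password is a gate, not a signal: a wrong password
    fails outright no matter how familiar everything else looks."""
    if not attempt.password_ok:
        return "fail"
    score, _ = confidence(profile, attempt)
    if score < fail_below:
        return "fail"
    if score >= pass_at:
        return "pass"
    return "step-up"   # ask a life question, or call the registered phone


# Constructed sample data: "Sally" and four attempts to log in as her.
SALLY = Profile(isp="isp-home", browser="Firefox/19", device_id="dev-4f2a",
                usual_hours=(18, 23), usual_actions=frozenset({"view_balance", "pay_bill"}),
                cadence="cadence-A")
SALLY_AT_HOME = Attempt(True, "isp-home", "Firefox/19", "dev-4f2a", 20, "pay_bill", "cadence-A")
# Sally on a work trip: different ISP, unusual hour, everything else is hers.
SALLY_TRAVELLING = Attempt(True, "isp-hotel", "Firefox/19", "dev-4f2a", 9, "view_balance", "cadence-A")
# Phisher with her password who also copied her User-Agent string.
PHISHER = Attempt(True, "isp-unknown", "Firefox/19", "dev-9c01", 3, "add_payee", "cadence-Z")
# Phisher who additionally tunnels through her ISP and replays her device cookie.
PHISHER_WITH_COOKIE = Attempt(True, "isp-home", "Firefox/19", "dev-4f2a", 3, "add_payee", "cadence-Z")
```

The mismatch list returned by `confidence` is what drives the step-up prompt: it tells the system which part of the composite looked wrong, without telling the user. The weights here are static; the slide's point that a good composite "changes over time" means the signal set and weights would be rotated in a real deployment.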
► I think this is one of the most interesting evolutions in authentication technology to have occurred over the last few years
► The composite mix must be kept fresh, or the attackers will compromise enough of the composite to make it weak
  ► A good composite is diverse, and changes over time
► Watch to see composite authentication branch into the enterprise and other non-banking consumer settings.
► Various frameworks for comparing authentication methods (such as NIST 800-63) have not caught up with this trend yet, so be careful.
Composite Authentications
A couple of Authentication related topics…
► Publicly, I expressed dismay with the RFID passport proposals
  ► Lack of privacy, lack of encryption, …
► Some progress has been made
  ► Shielded passport cases
  ► Data is encrypted
  ► Auth via open passport data
► There still are problems:
  ► The RFID chips have been cloned
  ► The encryption appears to have been cracked
► Some sites have discussed putting your new passport in a microwave to disable the RFID chip
  ► I don't recommend that!
Electronic Passports
► A US form of government ID is emerging with Real ID
  ► Federal standard for drivers licenses
  ► Digimarc is the leader in this effort
  ► Mandates validation of person before issuance
  ► Cryptographic security features
  ► Biometric quality image
  ► Scan of database done for facial match during issuance
  ► Can be used for Real-Time
  ► Other features such as ghost image and micro-fine art; holograms; …
► Enhanced versions (RFID) of this card act as the Western Hemisphere Travel Initiative PASS card
► Some groups are against Real ID on privacy grounds
  ► Tracking individuals, keeping copies of produced documents, centralized database
► It is moving forward; currently 25+ states have passed legislation to adopt Real ID
► Current plans are that by 2014 most people will be required to have a Real ID document, most likely a drivers license
Real ID
► Many of the same ideas we have talked about apply to credit cards
  ► Like passwords, credit cards are static authenticators
  ► In many ways, credit card numbers are *worse* than passwords:
    ► Their lifetime is extremely long
    ► Credit card information is often stored in the clear on merchant systems
      ► Unlike all modern password systems, which do not store clear passwords
► The frustrating part is that many security and authentication technologies could be applied to credit cards today
  ► OTCC: One Time Credit Card
  ► Encryption of merchant databases
  ► Dynamic second factors (like CCV codes)
► Unfortunately these changes will come about slowly
  ► EMV and some of the new Mastercard and Visa initiatives are very good starts
  ► Canada and Mexico are going to EMV
    ► Will this push fraud into the US??
  ► In the US, real-time authorization with RBA
Credit Card Fraud
Wrapping it up….
How do they compare? (chart: Relative Security on the vertical axis against Cost of Authenticator on the horizontal axis)
Type                      Is Key Secret?  Strength          Portability  Ease of use  Cost
Password                  Maybe           Weak              High         Easy         Very High
OTP                       Yes             Strong            High         Medium       Medium
Smart Card & Certificate  Yes             Strong            Low          Medium       High
Biometric                 No              Weak - static     Low          Very Easy    Medium
RFID                      No              Weak - static     Low          Very Easy    Low
Composite                 Typically not   Hard to quantify  Low          Easy         Low
Credit Card               No              Weak - static     High         Easy         Low
How do they compare?
Authentication Factors: Something You …
  Know: Text PIN, Visual PIN, Text Password, Life Questions
  Have: IP Address, Browser Type, Cookie, Certificate, Toolbar / Agent; Scratch-off / Bingo Card, Phone / PDA w/OTP, OTP Token, USB Device, Proximity / Smart Card
  Are: Fingerprint, Hand Geometry, Face Recognition, Iris Scan, Retina Scan
  Do: Keystroke Dynamics, Voice Print, Access Pattern
Authentication Tiers: likely combinations of factors, low end to high
  #1: Composite + Password
  #2: Soft Token + Password
  #3: Soft Token + Biometric
  #4: Hard Token + PIN
  #5: Hard Token + Biometric
Authentication Tiers
There are a few recommendations I can give:
► Static passwords must not be used to protect anything with value
► OTP will continue to be strong in the enterprise, but new technologies like RFID and biometrics are making inroads
  ► That said, there have been recent significant attacks on the core algorithms which underlie some OTP tokens; choose wisely.
  ► The first active MITM attacks have appeared
► The emergence of composite authentications, especially when combined with other forms of authentication, represents an important new branch on the tree of authentication methods.
► Most importantly, do not standardize on one technique or algorithm!
  ► This is a dynamic environment, and you will need diversity and flexibility to choose the best authentication solution to meet your needs.
Flexibility and Diversity
Thank You…
Questions?
FIREWALLS AND PERIMETER DEFENSES
William Cheswick
cheswick.com
http://www.cheswick.com/ches
Sunday, February 24, 13
Perimeter Defenses allow one to focus defensive expertise and efforts on a small area
Where do you put them?
How many do you need?
How do you get through them?
How do you test them?
Perimeter defenses
• 1622: Tilly captured the castle after a two-month siege
• 1689: Captured by 30,000 French in a few hours
  – insufficient number of defenders
Heidelberg Castle: failure modes
Scotland Yard
Edinburgh castle
Flower Pots!
Security Doesn't Have To Be Ugly.
Does it have to be inconvenient?
No.
Delta barriers
A firewall against demons
We Use Layers to Achieve Higher Security
Warsaw old city, layer 2
Intimidation is a layer
Perimeter Defenses don’t scale
The Pretty Good Wall of China
Built to keep out the barbarians of the north and their economy
Formed from shorter segments
Genghis Khan walked past the wall, unopposed, and into Beijing
A wall is a single layer
The Great Wall
Parliament: entrance
Parliament: exit
Intranets
(Diagram: the Lucent intranet, "Lucent - 130,000, 266K IP addresses, 3000 nets ann.": sites at Allentown, Murray Hill, Columbus and Holmdel; links over SLIP, PPP, ISDN, X.25, cable, …; connections to the Internet, ~200 business partners and thousands of telecommuters)
Anything large enough to be called an intranet is probably out of control
“All of [the gateway’s] protection has, by design, left the internal AT&T machines untested---a sort of crunchy shell around a soft, chewy center.”
The Design of a Secure Internet Gateway, W. Cheswick, Proc. of Winter Usenix, Anaheim, 1990
A simile for the ages?
The largest is probably NIPRNET, ~2 million hosts
A high tech company has about two active IP addresses per employee
Low tech is around one per employee
Small ones are enclaves.
Fun intranet facts
For wusses with hosts that can't hack it on the real Internet
A gateway fascist decides which traffic is good and bad
Cheaper than deploying firewalls in every host
But we do that, too
Perimeter Defenses
They are hard to do
They look easy to do
They provide a false sense of security
They don't scale
Everybody scales them
Problems with PDs
Dangerous services are attacked from the outside
We import trouble, like Buffy's vampires
  email
  USB sticks
  alien devices
How Does Trouble Arrive?
Network services may have exploitable security holes
Best answer: remove services
PD answer: get out of the game
Attack from the outside
"Best block is not be there" -- Mr. Miyagi, Karate Kid
Firewalls block the bad stuff, and let in the good stuff
Routing and addressing tricks also get you out of the game
  RFC 1918 addresses
  IPv6 FD address range
Getting out of the game
(Diagram: "inside" hosts on 192.168.0.0/16 behind a router, with the outside hosts and the link to the Internet on the other side of it)
Indirectly-connected hosts can be scanned by intermediaries
  if they are compromised, or
  if spoofed packets are possible
Important: block spoofed packets
Key Points to hiding networks
Internet Firewalls
Original firewall
"inside" and "outside"
The weakest part: thinking of "the inside" as being secure. It mostly isn't.
Firewalls tend to be directional
Standard servers are too dangerous to expose to outside access
TCP/IP packets are too dangerous
  No IP connectivity to outside
Behind firewalls
My (Safer!) Firewall
▶ Presenter Logo
▶ Slide ▶ of 76
Referee’s suggestion
57
Sunday, February 24, 13
Avoids Denial of Service (DoS) attacks on important hosts
  This is a network-level, not host-level problem
Walled garden makes intruders easy to spot, by definition
They keep a lot of the chaff out
Two benefits
▶ Presenter Logo
▶ Slide ▶ of 77
Slide 59: Firewalls
• Generally centralized defense against attacks
• Cheaper to focus your smarts in one location
• Host-based firewalls blend into host-based security
Slide 60: Levels of firewalls
• Packet: usually “packet filter”
• Circuit: c.f. SOCKS
• Application level
• “Deep packet inspection” (DPI): packet-level analysis of deeper data
Slide 61: Packet filters
• Generally fast and cheap
• Generally stupid: use tricks to enhance
• Stateful: keep track of sessions
Slide 62: Circuit level
• “Computer acting as a wire”
• SOCKS
• Specific TCP connections copied by a relay program
• Not used much any more, but can be a convenient tool
Slide 63: Application level
• Understands the service it is filtering
• E.g. a mailer receives and scans email before forwarding
Slide 64: Benefits of DPI
• Relatively cheap and easy to do
• Can be done at network speeds
• Note: not new technology
Slide 65: Problems with DPI
• It is impossible to do correctly, so good enough has to be good enough
• Why? Doing it right requires packet normalization.
Slide 66: Packet Normalization Problems
• Fragmented packets
• TCP overlap interpretation
• Packet distance hacks
• See Vern Paxson’s work for gory details
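What “TCP overlap interpretation” means for an inspector, as an added example that is not part of the slides: the same overlapping segments reassemble to two different streams under two plausible receiver policies, and a normalizer in the style of Handley, Paxson and Kreibich rewrites retransmitted bytes to the values first seen so that every policy agrees. The segment offsets and contents are constructed; IP fragment overlap has the same shape with fragment offsets in place of sequence numbers.

```python
# Added illustration of the "TCP overlap interpretation" problem; not code
# from the slides. Segment offsets and contents are constructed.

def reassemble(segments, policy="first"):
    """Rebuild a byte stream from (seq, data) segments that may overlap.
    policy="first": the first-arrived byte for an offset wins (BSD-style).
    policy="last":  later data overwrites earlier data (Windows-style).
    An inspector that guesses the wrong policy sees a different stream
    than the receiving host does."""
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    return bytes(stream[k] for k in sorted(stream))


def normalize(segments):
    """Normalizer (after Handley, Paxson and Kreibich): make overlapping
    bytes consistent so every reassembly policy yields the same stream.
    Bytes that retransmit an already-seen offset are rewritten to the
    value first seen. Returns (rewritten segments, number of bytes fixed);
    a non-zero count is worth alerting on, since honest retransmissions
    carry identical data."""
    seen, out, fixed = {}, [], 0
    for seq, data in segments:
        buf = bytearray(data)
        for i in range(len(buf)):
            off = seq + i
            if off in seen:
                if seen[off] != buf[i]:
                    buf[i] = seen[off]
                    fixed += 1
            else:
                seen[off] = buf[i]
        out.append((seq, bytes(buf)))
    return out, fixed


# Constructed segments: the second one retransmits offsets 5-9 with
# different bytes, so the two policies disagree on what was requested.
SEGMENTS = [(0, b"GET /index.html"), (5, b"login")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    clean, fixed = normalize(SEGMENTS)
    print("normalized:", reassemble(clean, "last"), "bytes fixed:", fixed)
```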
Slide 67: General Filtering Rules
• Block everything by default
• Allow safe stuff through
• Outgoing is generally okay
• UDP is generally not okay, but what about DNS, voice?
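The anti-spoofing rule from slide 51, the stateful session tracking from slide 61 and the default-deny rules on this slide, combined in one constructed model of a border packet filter. This is an added example written for this summary, not Cheswick's code; the Packet fields, the StatefulFilter class and all addresses are assumptions (outside addresses use the RFC 5737 documentation ranges), and it shows how tracking outgoing sessions answers the “what about DNS?” question without opening inbound UDP.

```python
import ipaddress
from dataclasses import dataclass

# Added model of a default-deny, stateful border filter; not code from the
# slides. Packet fields, the StatefulFilter class and all addresses are
# constructed (outside addresses use the RFC 5737 documentation ranges).

INSIDE = [ipaddress.ip_network(n)
          for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "in": arrived on the outside interface; "out": leaving


def is_inside(addr: str) -> bool:
    """True if addr falls in an RFC 1918 range (our "inside")."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INSIDE)


class StatefulFilter:
    def __init__(self):
        # Sessions opened from inside: (in_ip, in_port, out_ip, out_port, proto)
        self.sessions = set()

    def decide(self, p: Packet) -> str:
        # Slide 51: block spoofed packets. An "inside" source arriving from
        # outside, or a non-inside source leaving, is forged.
        if p.direction == "in" and is_inside(p.src):
            return "drop: spoofed"
        if p.direction == "out" and not is_inside(p.src):
            return "drop: spoofed"
        # Outgoing is generally okay; remember it so the reply can return.
        if p.direction == "out":
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow: outgoing"
        # Inbound is allowed only as the reply to a session we opened, which
        # is how a stateful filter lets DNS answers in while unsolicited UDP
        # still hits the default deny.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "allow: reply"
        return "drop: default deny"
```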
Slide 68: NAT is a close match for these
• RFC 1918 addressing inside
• Outgoing stuff only
• Cheap from Costco, etc.
• You can patch your Windows system in relative safety
Slide 69: Invited Attacks
• Much harder to filter with firewalls
• Sandboxing seems to be the most promising technology
• It is getting harder to cruise the web safely, even at “safe” sites. (Thank advertising)
Slide 70: Internet Skinny Dipping
• Alternative to Firewalls and Perimeter Defenses
Slide 71: Strong Host Security
• It can be done
• Many services are too dangerous to run
• Requires some user forbearance
• Can defend nicely against insider attacks
Slide 72: Inviting trouble in
• Browsers, etc. are full-featured
• Full-featured is a technical term for “full of security bugs”
• This is an open security problem: better OSes, sandboxing, VMs, etc.
• iPhone might be leading this!
Slide 73: Summary - perimeters
• Does not scale
• Medium-level defense at best
• No protection from insider attacks
Slide 74: Summary - firewalls
• Useful medium-level defense
• Little protection from invited trouble
• One of many tools
Slide 75: Many Bad Things are Out There
• We are losing the virus detection war
• Supply chain attacks are coming
• The bad guys only have to find one weakness
• Patch analysis reveals weaknesses
Slide 76: Firewalls and Perimeter Defenses
Session ID: SEM-0001
Session Classification: xxxxxxxxxxxx
William Cheswick, cheswick.com, http://www.cheswick.com/ches