Download presentation: Speculating about Tomorrow's Threats, Simson L. Garfinkel, MIT

a2015aaba2faf8ce6957bb5bdfc689fb.ppt

  • Number of slides: 82

Speculating about Tomorrow’s Threats
Simson L. Garfinkel, MIT CSAIL

What’s the worst case scenario?

Worst Case Scenarios…
• Turn off the electricity – kills the computers
• Turn off the water – kills the people
• Shut down websites/routers/countries/Internet
• Make the Democrats win an election – (to affect US foreign policy…)
• Surely we can do better…

Computer Virus Jumps to Humans!
• “A quickly spreading computer virus is somehow jumping from PCs to their human computer users --- and killing them!”

How would a computer make a human virus?
• Nanometer-scale assemblers… ?
(Sources: NASA; John Milanski)

Mail Order Polio: First Synthetic Virus Created, July 11, 2002
• Researchers @ Stony Brook
• Polio virus sequence downloaded from the Internet
• DNA sequence sent to a “mail-order supplier”
• Transcribed to RNA in the lab
• Injected into mice.
• “The animals were paralyzed and died.”
http://www.sciencenews.org/20020713/fob8.asp

MWG RNA & siRNA synthesis: How to order
• Log in
• Enter Ship to, Bill to, and PO
• “Enter oligos in large quantities by pasting in columns of name and sequence pairs from Excel”
• Display sequence
• Enter comments
• Check out: (877) MWG-BTEC


Making this threat credible…
• Distribution of “dangerous” information that could be easily misused.
• Computer viruses that become human viruses…
• Hacking biological systems that makes products more dangerous than people suspect…

Take Home Point #1: Biology and IT are becoming the same thing. Viruses are information.
… gives a whole new meaning to “blended threats…”

Can what’s on this disk kill you?

PGP was on that disk…
• Back in the 1990s, the FBI said that encryption could kill us!
• Encryption in the hands of:
  – Drug dealers
  – Terrorists
  – Pedophiles
  – Organized crime
(The real threat was encryption in the hands of spammers…)

What if the disk just has an essay … or an article?

“The Riddle of the Universe and Its Solution”
Professor Dizzard works on artificial intelligence software. Dizzard is found staring deep into his screen at the end of an Easter vacation. Some of Dizzard’s students follow his unfinished work…. The students pass into the coma. An epidemic begins to spread…. At a university, a whole class goes off into the “Riddle Coma.”
The coma is caused by: “The Gödel-sentence for the human Turing-machine – it causes the mind to jam.”
“There is no way to solve the Riddle coma… but we can decrease further coma outbreaks.”

Today’s Dangerous Ideas: distributed by networks; motivating people to violence
“Leaderless Resistance”
  – Political violence without organization
  – Originated in America by Louis Beam for the fight against the US Government
  – Adopted by the radical left.
Abortion Doctor Killers
  – Nuremberg Files website.
SHAC (Stop Huntingdon Animal Cruelty)
  – Practically bankrupted Huntingdon Life Sciences.
ELF (Earth Liberation Front)
  – Arson training manual
ELF Attacks:
  – August 1st – $20M fire in San Diego
  – August 22nd – Attacks against SUVs
  – July 2nd – $700,000 against two new homes.

“If you build it --- we will burn it”

… we don’t believe in censorship …
• Unless it is “hate speech” and you are on a college campus
• Unless it is “copyrighted music” (or samples of copyrighted music) and you are the RIAA
• Unless it is “source code” and you are Diebold Election Systems
Increasingly, the United States does believe in censorship, and the Internet is making censorship harder… for many Americans, this is a worst case scenario!

DMCA & Friends: Making Computers Less Secure
• Outlawing computer security research?
• Criminalizing disclosure of vulnerabilities?
• The Future: Mandating computer systems with back doors for the RIAA!

Back to Computers…

Computer Worms and Viruses
• Strengths of today’s worms and viruses:
  – Clog email systems
  – Send spam
  – Plant backdoors
  – Fast spreading
• Weaknesses:
  – Buggy
  – Poorly designed
Bellovin: No network is safe!

PC Viruses for Spamming
• Wake up at 2 am
• Get a HotMail account
• Send 10,000 messages to Yahoo / AOL
• Go back to sleep
OLD SLIDE!
• Yahoo and HotMail now using Reverse Turing Tests to prevent automated sign-up
• Spammers now manipulating BGP announcements… Manual today… could be automated tomorrow

Viruses that Destroy Hardware
CIH/Chernobyl Virus
  – “Erase entire hard drive and overwrite the system BIOS.”
  – BIOS chip or motherboard must be replaced
April 26, 1999
  – One million computers destroyed.
  – Korea: $300M
  – China: $291M
May be an easy attack today with web-based BIOS upgrades.

Computers can start fires!
• HCF instruction joke
• HP OfficeJet printer/fax/copiers
  – March 1995
  – 10,000 machines recalled
  – “generate internal temperatures high enough to burn a wayward human hand … even start a fire”
• Video monitors?
• SCADA systems have failsafes, but consumer equipment may not.

Shut down the 911 System!
ICMP Echo Request carrying the modem string “+++ATH0;M0;DT911”
attacker … ping 100,000 AOL or EarthLink subscribers (clueless users)

Shut down the Internet
• Most of the Internet is run by Cisco routers
• Lots of equipment is in inaccessible locations
  – Equipment closets in unattended locations
  – Co-location facilities that are effectively unattended (“warm hands” are over-rated).

Cisco: Realistic Risk?
Vulnerabilities and remote exploits have been found in Cisco’s operating system.
Bellovin said that the source code is available — but does it matter?

Cisco Router Virus: Design
• Phase 1: Penetrate
• Phase 2:
  – Set up a large-scale distributed hash table using Chord or similar technology.
  – Distributed scanning for vulnerable machines.
  – Coordinate penetration and propagation of new machines.
• Phase 3:
  – Simultaneously all infected routers stop routing packets.
  – Erase router configuration.
  – Flood all network interfaces with broadcast requests.

VoIP makes Router Attacks Better!
When the Internet breaks, we call other people using the phone system.
When the phone system breaks, we send email!
With VoIP, the Internet is the phone system!!! … bad idea.

VoIP
• Advantages:
  – A single wire for data & voice
  – Cuts cost of telecom
• Disadvantages:
  – A single wire for data & voice (no redundancy)
  – Cuts cost of telecom (so security stands out more)
• VoIP is growing fast:
  – Many home users are giving up on POTS
  – Increasingly, you may be using VoIP without knowing it!
• The “Phone System” is not a higher-priced alternative Internet. It is increasingly the same Internet, just at a higher price.

How fast can a virus propagate?
• Code Red propagation statistics
  – Most hosts infected within 12 hours
  – Source: CAIDA (Cooperative Association for Internet Data Analysis)

Sapphire / Slammer
• Doubled every 8.5 seconds
• Infected 90% of vulnerable hosts in 30 minutes.
  – 74,855 hosts
  – Reasons:
    • 1-packet infection
    • UDP, not TCP

Theoretical Minimum: 30 seconds?
• Flash Worm Paper
  – “Flash Worms: Thirty Seconds to Infect the Internet”
  – Stuart Staniford, Gary Grim, Roelof Jonkman
  – http://www.silicondefense.com/flash/
  – August 16, 2001
• Warhol Worms
  – “How to 0wn the Internet in your Spare Time”
  – Stuart Staniford, Vern Paxson, Nicholas Weaver
  – http://www.cs.berkeley.edu/~nweaver/cdc.web/
  – August 2002
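Added example, not code from the talk or from the papers it cites: the "random constant spread" logistic model that Staniford, Paxson and Weaver use for worms that probe random addresses, da/dt = K a (1 - a), where a is the fraction of vulnerable hosts infected and K the early-phase growth rate. Applied to the Slammer figures on the previous slide (doubling every 8.5 s, 74,855 vulnerable hosts), it shows what a defender actually has to plan for: how much of the population is already infected by the time anyone can react. The unconstrained model reaches 90% in well under the 30 minutes the slide reports, because it ignores the network bandwidth saturation that throttled the real worm. The slow-worm doubling time, the 30-minute response budget and the 1,000 probes/s scan rate are constructed assumptions.

```python
"""Logistic ("random constant spread") model of a random-scanning worm.

Added example. The only figures taken from the slides are Slammer's 8.5 s
doubling time and 74,855 vulnerable hosts; every other number is constructed.
"""
import math


def growth_rate_from_doubling(doubling_s):
    """K (per second) implied by an observed early-phase doubling time."""
    return math.log(2) / doubling_s


def growth_rate_from_scanning(scans_per_sec, vulnerable_hosts, address_space=2 ** 32):
    """K for a worm probing uniformly random addresses: early on, each probe hits a
    vulnerable, not-yet-infected host with probability about N / 2^32."""
    return scans_per_sec * vulnerable_hosts / address_space


def infected_fraction(t_s, k, vulnerable_hosts, initial_infected=1):
    """Closed-form solution of da/dt = K a (1 - a) at time t_s (seconds)."""
    a0 = initial_infected / vulnerable_hosts
    return 1.0 / (1.0 + (1.0 / a0 - 1.0) * math.exp(-k * t_s))


def time_to_fraction(fraction, k, vulnerable_hosts, initial_infected=1):
    """Seconds until the infected fraction reaches `fraction` (0 < fraction < 1)."""
    a0 = initial_infected / vulnerable_hosts
    return math.log((fraction / (1.0 - fraction)) * (1.0 / a0 - 1.0)) / k


def infected_at_response(k, vulnerable_hosts, response_s):
    """Fraction already infected when a defender can act (push a filter, block a port)."""
    return infected_fraction(response_s, k, vulnerable_hosts)


if __name__ == "__main__":
    N = 74_855                                   # vulnerable hosts (slide)
    k_slammer = growth_rate_from_doubling(8.5)   # doubling every 8.5 s (slide)
    t90 = time_to_fraction(0.9, k_slammer, N)
    print(f"Slammer-like worm: 90% infected after {t90:.0f} s if growth never slowed")
    # Constructed comparison: a worm doubling every 10 minutes versus a defender
    # who needs 30 minutes to deploy a block.
    k_slow = growth_rate_from_doubling(600)
    for name, k in (("slammer-like", k_slammer), ("slow", k_slow)):
        print(f"{name}: {100 * infected_at_response(k, N, 1800):.4f}% infected at 30 min")
    # Doubling time for a constructed scan rate of 1,000 probes/s per infected host
    k_scan = growth_rate_from_scanning(1000, N)
    print(f"doubling time at 1,000 probes/s/host: {math.log(2) / k_scan:.1f} s")
```

The defender-side reading is the `infected_at_response` line: for the Slammer-like parameters the population is effectively saturated long before a 30-minute human response, while the slow worm has touched a small fraction of hosts; this is why the "low and slow" slide later observes that fast scanning is what gets worms caught.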

Need for virus education!
• Virus-writers are not reading the academic literature.
• Perhaps that new “how to write a computer virus” course will help.

Perhaps “low and slow” is better
• Much less likely to be detected
• Less likely to attract media attention
• The real reason that most worms have been caught is that their scanning and propagation functions overwhelm our networks.

“Netgear Attack”
• Netgear hard-coded the address of WISC’s NTP server into its home router.
• NTP implementation flawed:
  – instead of backing off on no answer, it pinged harder!
• WISC’s initial contacts to Netgear ignored.
• http://www.cs.wisc.edu/~plonka/netgear-sntp/
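Added example, not Netgear's firmware or the WISC analysis: a small simulation of how many requests one SNTP-style client sends to a server that has stopped answering, under the retry behaviour the slide describes (retrying harder on no answer), under a fixed interval, and under exponential backoff that doubles the wait after each timeout, caps it, and resets only when a reply arrives. The 64 s starting interval, the 1 s floor, the 3600 s cap, the one-day window and the fleet size are constructed assumptions.

```python
"""Retry policies for a time-sync client whose server goes silent (added example)."""


class RetryHarderPolicy:
    """The flawed behaviour: halve the wait after every unanswered request, down to a floor."""

    def __init__(self, start_s, floor_s):
        self.start_s, self.floor_s = start_s, floor_s
        self.delay_s = start_s

    def next_delay(self):
        return self.delay_s

    def on_timeout(self):
        self.delay_s = max(self.delay_s / 2, self.floor_s)

    def on_reply(self):
        self.delay_s = self.start_s


class FixedIntervalPolicy:
    """Retry every `interval_s` regardless of whether the server answers."""

    def __init__(self, interval_s):
        self.interval_s = interval_s

    def next_delay(self):
        return self.interval_s

    def on_timeout(self):
        pass

    def on_reply(self):
        pass


class ExponentialBackoffPolicy:
    """Double the wait after each timeout up to `cap_s`; reset to `base_s` on a reply."""

    def __init__(self, base_s, cap_s, factor=2.0):
        self.base_s, self.cap_s, self.factor = base_s, cap_s, factor
        self.delay_s = base_s

    def next_delay(self):
        return self.delay_s

    def on_timeout(self):
        self.delay_s = min(self.delay_s * self.factor, self.cap_s)

    def on_reply(self):
        self.delay_s = self.base_s


def requests_sent(policy, window_s, server_answers):
    """Simulate one client for `window_s` seconds. `server_answers(t)` says whether the
    request sent at time t is answered. Returns how many requests the client sent."""
    t, sent = 0.0, 0
    while t < window_s:
        sent += 1
        answered = server_answers(t)
        t += policy.next_delay()          # wait out the current interval...
        if answered:
            policy.on_reply()             # ...then adapt it to what happened
        else:
            policy.on_timeout()
    return sent


if __name__ == "__main__":
    DAY = 86_400
    DEVICES = 100_000                     # constructed fleet size
    silent = lambda t: False              # server never answers (it is down or filtering)
    for name, policy in (
        ("retry harder (flawed)", RetryHarderPolicy(64, 1)),
        ("fixed 64 s interval", FixedIntervalPolicy(64)),
        ("exponential backoff", ExponentialBackoffPolicy(64, 3600)),
    ):
        per_client = requests_sent(policy, DAY, silent)
        print(f"{name:24s}: {per_client:6d} requests/client/day, "
              f"{per_client * DEVICES / DAY:10.1f} requests/s from the fleet")
```

Run against a silent server, the retry-harder client converges to one request per second, so a fleet of hard-coded clients hammers the server precisely when it is least able to cope; the backoff client settles at one request per cap interval and springs back to its normal rate as soon as a reply arrives.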

Take Home Point #2: Computer/network viruses can be far faster and more destructive than they are today.
Attacks might not even be intentional!

New Virus Platform #1: Cell phones?
• Previous SMS viruses were pathetic
  – Fake ring tone?
  – Fake Java game?
• Nokia has recalled vulnerable handsets

SMS Virus
• A “really good” SMS virus would:
  – Receive as an SMS message.
  – Send itself to
    • the last 20 people who called the phone
    • everybody in the phone address book
  – Lock the phone with a new PIN.
  – After 4 hours, flood the cell phone network with repeated phone calls and SMS messages (DDoS)
• Results:
  – Everybody needs a new cell phone
  – Cell phone network rendered inoperable.

What’s Needed for that SMS Virus?
• Way to execute code on the cell phone:
  – Open programming environment, or someone with inside knowledge.
  – Bug in incoming SMS message handler
  – Longer SMS messages, or a way to string SMS messages together, or a way to download code from a website
  – Perhaps you could do it today with a Palm or Windows “smart phone” … but not enough market penetration.
  – Java phones!!!
• Serious network vulnerability … when? 2004? 2007?

Cell Phone Virus Alternative
Instead of distributing from cell phones, distribute using a PC-based virus.
Serious network vulnerability: today.

New Virus Platform #2: Car Computers (telematics)
Radio-based:
  – Location monitoring
  – Position reporting
Remote control:
  – Door lock/unlock
  – Ignition kill
Next-generation system:
  – Two-way communication
  – Integration with entertainment system
Questions:
  – Security?
  – Authentication?
  – Encryption?
#1 Danger: companies deploying these systems have little experience with network security.

OnStar: Security?
“All communications between the vehicle and OnStar call center are through the analog wireless network at this time.”
“OnStar uses a proprietary and confidential communication protocol (Air Interface) for transmitting and receiving data between the call center and the vehicle.”
“OnStar uses an authentication process similar to those used by the cellular industry to prevent unauthorized access to the OnStar system in the vehicle.”

OnStar: Security?
• 300-baud analog modem with analog cell phone
• PPP with CHAP authentication
• No encryption
• Real question: authenticating the caller!
  – (but that probably isn’t an automated attack.)

Take Home Point #3
• New platforms are opening up for attackers
• Many opportunities for cross-platform attacks
• Companies deploying new platforms have little experience with security issues.

Defending Against Tomorrow’s Threats…
• Spyware…

Solution: Automatic Update…
1. Go to the Internet
2. Download code
3. Run it
⇒ Keeps everybody’s operating system patched and up-to-date!
Great for:
1. Updating buggy software
2. Adding bugs to reliable software
3. Taking over millions of machines simultaneously

But what’s the problem?
• People don’t install patches?
• Operating systems are buggy and overly complex?
• Need for a continued revenue stream?
• Need to find and destroy pirate copies?

Subvert Automatic Update!
• Update from DNS name…
  – He who controls the DNS, controls the Internet!
• Fortunately, most systems are protected with digitally signed updates
• Unfortunately, certificate authorities can be hacked…

Certificates that come with IE 6 … (Just buy yourself a certificate authority)
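Added example, not any vendor's updater: what the client side of an update mechanism has to check so that neither the DNS name it downloaded from nor a certificate authority is part of the trust decision. The verification key is pinned in the client (shipped with it, never fetched), the manifest is verified before anything is executed, a version check refuses rollback or replay of an old signed update, and the payload is checked against the digest in the manifest. Python's standard library has no public-key signatures, so an HMAC over the manifest stands in for the vendor's digital signature; the structure is what matters, and a real client would verify a signature with a pinned public key instead. Keys, versions and payloads are constructed.

```python
"""Update verification against a pinned trust anchor (added example)."""
import hashlib
import hmac
import json

PINNED_VERIFICATION_KEY = b"constructed-vendor-key"   # shipped inside the client
INSTALLED_VERSION = 41                                # constructed current version


class UpdateRejected(Exception):
    """Raised on any verification failure; the payload must then never be executed."""


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Authenticate the manifest over a canonical encoding (HMAC stands in for a signature)."""
    data = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_update(payload: bytes, version: int, key: bytes = PINNED_VERIFICATION_KEY):
    """Vendor side: manifest binds a version number to the payload's digest."""
    manifest = {"version": version, "sha256": hashlib.sha256(payload).hexdigest()}
    return manifest, sign_manifest(manifest, key)


def verify_update(manifest: dict, signature: str, payload: bytes,
                  key: bytes = PINNED_VERIFICATION_KEY,
                  installed_version: int = INSTALLED_VERSION) -> dict:
    """Client side. Order matters: authenticate the manifest first, then reason about its
    contents, then compare the payload. Returns the manifest only when everything checks."""
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        raise UpdateRejected("manifest does not verify against the pinned key")
    if not isinstance(manifest.get("version"), int) or manifest["version"] <= installed_version:
        raise UpdateRejected("rollback or replay: version is not newer than installed")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest.get("sha256", "")):
        raise UpdateRejected("payload does not match the digest in the manifest")
    return manifest   # only now may the caller install or run the payload


def accepts(manifest: dict, signature: str, payload: bytes, **kw) -> bool:
    """Convenience wrapper: True if the update would be installed, False otherwise."""
    try:
        verify_update(manifest, signature, payload, **kw)
        return True
    except UpdateRejected:
        return False


if __name__ == "__main__":
    payload = b"constructed update payload, version 42"
    manifest, sig = build_update(payload, 42)
    print("genuine update accepted:", accepts(manifest, sig, payload))
    print("substituted payload accepted:", accepts(manifest, sig, b"something served by a hijacked name"))
    old_manifest, old_sig = build_update(b"old but genuinely signed payload", 41)
    print("replayed old update accepted:", accepts(old_manifest, old_sig, b"old but genuinely signed payload"))
```

Because the key is pinned, controlling the DNS name the client resolves (or holding a certificate for it from any CA) only lets an attacker serve bytes; it does not let them produce a manifest the client will accept.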

Solution: Notify People of Security Problems!
Seems like a good idea… …until you get 3,000 alerts in one day!

From MAILER-DAEMON Wed Sep 10 16:37:13 2003
Date: Wed, 10 Sep 2003 16:36:50 -0400
From: "MailScanner"
To: [email protected] org
Subject: Warning: E-mail viruses detected

Our virus detector has just been triggered by a message you sent:
  To: [email protected]
  Subject: Re: Thank you!
  Date: Wed Sep 10 16:36:49 2003
One or more of the attachments (your_document.pif) are on the list of unacceptable attachments for this site and will not have been delivered.
Consider renaming the files or putting them into a "zip" file to avoid this constraint.
The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (your_document.pif)
-- MailScanner Email Virus Scanner www.mailscanner.info
MailScanner thanks transtec Computers for their support
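Added example, not MailScanner's code: one way to keep a notification scheme like the one on the slide useful during an outbreak. Alerts are grouped per recipient; anyone below a threshold gets them individually, anyone at or above it gets a single digest with counts per attachment name instead of thousands of near-identical messages. The alert records, addresses and the threshold are constructed.

```python
"""Collapsing a flood of per-message virus notices into digests (added example)."""
from collections import Counter, defaultdict


def sample_alerts():
    """Constructed notices shaped like the one on the slide: 12 to one address
    during an outbreak, 1 to another."""
    alerts = []
    for i in range(9):
        alerts.append({"to": "alice@example.org", "attachment": "your_document.pif",
                       "report": "Shortcuts to MS-Dos programs are very dangerous in email",
                       "time": f"2003-09-10T16:{36 + i % 20:02d}:00"})
    for i in range(3):
        alerts.append({"to": "alice@example.org", "attachment": "thank_you.pif",
                       "report": "Shortcuts to MS-Dos programs are very dangerous in email",
                       "time": f"2003-09-10T17:{i:02d}:00"})
    alerts.append({"to": "bob@example.org", "attachment": "report.exe",
                   "report": "Executable attachments are blocked at this site",
                   "time": "2003-09-10T18:00:00"})
    return alerts


def digest_alerts(alerts, threshold=10):
    """Return the notifications to actually send.

    Recipients with fewer than `threshold` alerts get each one as-is; recipients at or
    above it get one digest summarising how many notices there were and for which
    attachment names, so the volume no longer scales with the worm's output."""
    by_recipient = defaultdict(list)
    for alert in alerts:
        by_recipient[alert["to"]].append(alert)
    notifications = []
    for to, items in by_recipient.items():
        if len(items) < threshold:
            notifications.extend({"kind": "alert", "to": to,
                                  "attachment": a["attachment"], "report": a["report"]}
                                 for a in items)
        else:
            counts = Counter(a["attachment"] for a in items)
            notifications.append({"kind": "digest", "to": to, "total": len(items),
                                  "attachments": dict(counts),
                                  "first": min(a["time"] for a in items),
                                  "last": max(a["time"] for a in items)})
    return notifications


if __name__ == "__main__":
    for n in digest_alerts(sample_alerts(), threshold=10):
        print(n)
```

The threshold should be chosen so that a normal day never trips it; once it does, the digest is also a usable signal in itself, since a sudden jump in notices to one address is itself evidence of an outbreak (or of a worm forging that address as its sender).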

Solution: Just Secure the Stuff That Matters…
• Do you secure:
  – HTML rendering code?
  – JPEG display routines?
  – Keyboard drivers?
  – Macro engine?
  – File load & save routines?
  – XML parser?
• What software does not need to be secured?

Solution: Diversity and Redundancy

Diversity is hard! (and expensive)
• SNMP vulnerability
• OpenSSL vulnerability
• Sendmail vulnerabilities
• In all of these cases:
  – A common implementation affected many platforms

Redundancy is hard! (and expensive)
We expect reliability, but we don’t want to pay for it….
Do you have a backup: laptop? car? spouse? California power grid?
Should you build 1 data center or 2? (Even if the big companies learned from 9/11, many others didn’t.)
Alternative: have just one, but take care of it.
Does the future hold more redundancy, or less?

“Genetic Diversity”
• The big take-home from yesterday was that genetic diversity is good!
• But that’s just because we don’t have it today!
  – “The grass is always greener…”
• Back in the 1980s, we had genetic diversity!
  – The reason that we standardized is that people couldn’t properly administer a diverse system!

Take Home Point #4:
4.1 We don’t know if diversity or uniformity promotes a more secure computing environment.
4.2 We don’t know how to build true diversity. (5 operating systems is not genetic diversity.)

Four “Next Generation” attacks:
• Spam
• Wi-Fi
• RFID
• MTM

Spam
• The big problem.
• How do we limit the use of a free resource?
  – Willingness to receive email?
  – Network bandwidth?
  – People’s attention?
• Spammers are becoming exquisite attackers
• Two kinds of solution:
  – Payment-based
  – Content analysis

Is this spam?
To: simsong@mit.edu
From: XXXXXX <XXXX@aol.com>
Subject: Hi old friend!

Dear Simson,
We were best friends back in fourth grade. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded them to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html. Take a look!

Is this spam?
To: simsong@mit.edu
From: CCCC <XXXX@yyyyyyy.com>
Subject: Windowless Room

In your O'Reilly "history article, you wrote:
> Many schools found that buying a few Apples and putting them
> on a table in a windowless storage room was a cheap way to
> add "computing" to their curriculum
I remember that room! :)
[email protected]
http://www.yyyy.com/~XXXXXw


(Same message again, annotated: the pieces that make it convincing are labeled “MAPS” and “Windowless Room”.)
To: simsong@mit.edu
From: XXXXXX <XXXX@aol.com>
Subject: Hi old friend!

Dear Simson,
We were best friends back in fourth grade at Haverford Friends. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded them to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html. Take a look!
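Added example, not from the talk: a minimal multinomial naive Bayes text classifier, the basic form of the "content analysis" the spam slide lists as one of the two kinds of solution. The training corpus is constructed from phrases resembling the two messages above and is far too small for real use; it shows the mechanism (per-class word likelihoods with Laplace smoothing, combined in log space) and, when fed a message that borrows the recipient's own words, why a spam written to read like a personal note is hard to separate from one.

```python
"""Multinomial naive Bayes over a constructed two-message corpus (added example)."""
import math
import re
from collections import Counter


def tokenize(text):
    """Lower-case word tokens; punctuation and URLs are dropped."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    def __init__(self):
        self.word_counts = {}       # label -> Counter of tokens seen in that class
        self.doc_counts = Counter() # label -> number of training documents
        self.vocab = set()

    def train(self, text, label):
        tokens = tokenize(text)
        self.word_counts.setdefault(label, Counter()).update(tokens)
        self.doc_counts[label] += 1
        self.vocab.update(tokens)

    def log_posteriors(self, text):
        """log P(label) + sum over tokens of log P(token | label), Laplace-smoothed so a
        word never seen in one class does not zero that class out."""
        tokens = tokenize(text)
        total_docs = sum(self.doc_counts.values())
        scores = {}
        for label, counts in self.word_counts.items():
            logp = math.log(self.doc_counts[label] / total_docs)
            total = sum(counts.values())
            for tok in tokens:
                logp += math.log((counts[tok] + 1) / (total + len(self.vocab)))
            scores[label] = logp
        return scores

    def classify(self, text):
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)


def build_sample_model():
    """Constructed training data loosely based on the two messages on the slides."""
    model = NaiveBayes()
    model.train("found some photos of you uploaded to my web site take a look", "spam")
    model.train("hot photos uploaded take a look at my site", "spam")
    model.train("i remember that windowless room with the apples from your article", "ham")
    model.train("your article about the storage room was great", "ham")
    return model


if __name__ == "__main__":
    model = build_sample_model()
    for msg in ("photos uploaded to my web site take a look",
                "i remember that room from your article",
                # the hybrid: the recipient's own words wrapped around the spam payload
                "i remember that windowless room photos uploaded to my web site take a look"):
        print(f"{model.classify(msg):5s} {model.log_posteriors(msg)}  <- {msg!r}")
```

The third message in the demo is the point of the annotated slide: the more of the recipient's own past the sender quotes, the closer the two log-posteriors get, which is why the slides treat spam as a spoofing attack on people rather than a purely statistical problem.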

Wi-Fi (802.11)
• Key issues to date have been:
  – Eavesdropping
  – User authentication
• New issue:
  – Access point authentication


This attack is
  – Hard (impossible) to detect
  – Easy to implement
  – Portable

Monday Night, 8:34 pm


Network Forensics
• Does “default” at 68.86.222.205 know what I was sending across their Internet connection?
• Would it make sense for them to capture it?
  – 1/2 of a 60 GB hard drive will hold 30 days of traffic for a typical cable modem…
• Would it make sense for them to avoid capturing it?

RFID
• Radio tags…

RFID: Smaller than your fingernail…
http://www.namazu.org/~satoru/playstand/

RFID Everywhere…

RFID “Doomsday Scenario”
• Link all objects with identity
• Track everything everywhere
• How do you tell legitimate readers?
• How do you tell legitimate tags?
• The “privacy” problem is really a security problem.

MTM: The “Ultimate” attack…

Mind-to-Machine
http://bnb.spiritshigh.com/characters/traits/4831.html


Other approaches to M2M: “Neural Interfaces”
  – Electrooculogram (EOG) (skin interface)
  – Electromyogram (EMG) (muscle movement)
  – Electroencephalogram (EEG) (brainwaves)
  – Electrocardiogram (EKG) (heart)
  – Neural electrode (directly from brain)
(source: betterhumans.com)

(image; source: DARPA)

M2M Applications: “Reverend Ray Kurzweil”
• Mind uploading & backup
  – Staggering copyright issues
• Mind downloading
  – Keep the body; change the person
  – Better than the death penalty!
• Mind wiretapping
  – Do you need a warrant under PATRIOT?
• Do you need a firewall for your brain?
  – Merri does

These attacks are all “spoofing attacks”
• Spam
• Wi-Fi
• RFID
• MTM
• Use computers to attack people.

Take Home Point #5: Spoofing attacks the human mind. We don’t know how to make humans more secure.

5 Ways to Build a More Secure Network … ??
Option A?
• Restrict the flow of dangerous code and information to prevent its misuse. (Polio virus)
• Stop researching how to make “better viruses.”
• Limit the extension and reach of computer technology: keep computers in their place.
• Standardize on one computing platform and make sure it is secure.
• Teach people how to recognize and avoid spoofing attacks.
Option B?
• Celebrate the flow of dangerous information; actively research better defenses.
• Teach virus-writing and virus-cracking.
• Aggressively put advanced computer technology everywhere: the benefits outweigh the risks.
• Deploy many different architectures and operating systems.
• Automate decision making to eliminate the reliance on the human element.

Remember
• Napoleon didn’t want good generals, he wanted lucky generals