The Internet is Insecure and Will Likely Remain So - What now?

Henning Schulzrinne, FCC & Columbia University. Georgia Tech, November 2012.


Slide1

The Internet is Insecure and Will Likely Remain So - What now?

Henning SchulzrinneFCC & Columbia University

Georgia Tech, November 2012

Slide2

Who am I talking to?

2

Slide3

Overview

- Security fallacies
- Stop blaming (and “educating”) users
- Reduce the value of targets
- Avoid “small mistake, huge cost”
- Secure key identifiers
- Make it hard to scale attacks
- Make it easy to detect loss
- Design fraud-resistant systems
- Worry about DOS attacks on humans
- Robo-calling and caller ID spoofing

3

Slide4

Security approach: blame the victim

4

Run 10 anti-virus systems!

Pay cash!

Choose passwords you can’t remember!

Choose another operating system!

Don’t click on that link!

Slide5

Nobody cares about you!

- Unless you have access to high-value information
  - sometimes for individualized identity theft
- You are only valuable as
  - a credit card number that can be resold in bulk ($2-$8)
  - a machine usable for …
    - DOS attacks
    - email spam (88% of spam sent by botnets)
  - a machine usable for advertising click fraud
    - watch highlighted links!
    - $0.002-0.003/click → $0.50-$2 CPM

5

Slide6

You are (mostly) on your own

- Credit card
  - liability limited to $50
  - US: mag stripe vs. chip & PIN
- Debit card
  - two days → $50, otherwise $500
- Checks
  - no, your bank does not check your signature (or your address)
- Consumer bank account → Regulation E
  - no liability if reported within 60 days
- Small business account
  - No protection, no loss bound
  - ACH fraud common

6

Slide7

Example: ZeroAccess

The ZeroAccess botnet infected 2.2 million home networks worldwide during Q3 [2012], making it the most active botnet for the year thus far, said a malware report from security analysis firm Kindsight. The Alcatel-Lucent subsidiary's Security Labs team found ZeroAccess infected one in 125 home networks during the quarter. “Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud,” Kindsight Security Labs security architect Kevin McNamee said Tuesday in a news release. “With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud.” The botnet may be costing advertisers $900,000 per day in ad-click fraud, Kindsight said. About 13 percent of home networks in North America were infected in Q3, with 6.5 percent of all home networks having high-level threats like bots and banking Trojans, Kindsight said (http://xrl.us/bnww7h).

7

Slide8

Identity theft is often analog

http://www.wired.com/threatlevel/2009/02/stolen-wallets/

8

Slide9

Authentication

9

Slide10

Traditional authentication

10

Slide11

Password policies gone amuck

Contradictory policies:

- Strong passwords don’t work everywhere
- Password expiration, and can’t use old one
- Don’t re-use password across sites

NY Times, 11/07/2012

11

Slide12

Password advice

- Unless you’re the CIA director, writing down passwords is safe
  - you’ll pick safer ones if you do
- Stop blaming users → web sites need to tell us what they do
  - bad: plain text, silly rules
  - not much better: hashed
  - good: salted hash, single sign-on
- Impacts password recovery
  - bad: your dog’s name
  - not great: send password to email
  - ok: time-limited reset link

12

Slide13

More password issues

- With rainbow tables, only length matters
  - 12+ characters likely safe
- Always next year: single sign on

13
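As an added illustration of the storage and recovery advice on the previous two slides (example code, not part of the talk), the following Python shows the “salted hash” option beside the “time-limited reset link” option. PBKDF2 as the slow hash, the iteration count, the 15-minute validity and the reset URL are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# "not much better: hashed": an unsalted hash is precomputable (rainbow tables).
# "good: salted hash": random per-user salt plus a deliberately slow KDF
# (PBKDF2-HMAC-SHA256 from the standard library).
ITERATIONS = 200_000  # assumption: tune so one check costs ~0.1 s on your servers

def store_password(password: str) -> dict:
    """Return the record a site should keep: salt, iteration count, hash. Never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iter": ITERATIONS, "hash": digest.hex()}

def check_password(record: dict, attempt: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    # constant-time comparison so response timing does not leak matching prefixes
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

# "ok: time-limited reset link": the link carries a random token; the server
# stores only a hash of the token with an expiry, and honours it exactly once.
RESET_TTL = 15 * 60         # assumption: links expire after 15 minutes
_pending_resets: dict = {}  # sha256(token) -> (username, expiry timestamp)

def issue_reset_link(username: str, now=None) -> str:
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    _pending_resets[key] = (username, (now or time.time()) + RESET_TTL)
    return f"https://example.com/reset?token={token}"  # hypothetical reset URL

def redeem_reset_token(token: str, now=None):
    """Return the username if the token is known, unexpired and unused; else None."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _pending_resets.pop(key, None)  # pop: a link can be used only once
    if entry is None:
        return None
    username, expiry = entry
    return username if (now or time.time()) <= expiry else None
```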

Slide14

Reduce value of goods

- Particularly single-factor goods
  - if you can’t tell that they are gone

14

Slide15

What about non-passwords?

- Replacements have been suggested:
  - Swipe pattern (Android)
  - Voice pattern
  - Fingerprints
  - Keyboard typing or swiping
  - Face recognition
- Problems:
  - not generalizable
    - only works on some devices
  - not precisely representable
    - doomed if you have a cold or are in a noisy airport
  - hard to have different ones → bad if clonable
- Useful as supplement for high-value transactions

15

Slide16

The convergence to “what you have”

- Two-factor authentication
- Advantages:
  - easy to recognize when lost
  - hard to scale theft (but: see RSA)
  - separate data path
    - voice path vs. data path
    - postal mail
  - related: host recognition (e.g., via cookies)

16

Slide17

Provide physical validation services

- Goals:
  - make scaling hard for bad guy
  - increase risk of arrest
  - make geography matter
- But generally not integrated with digital processes!

17

Slide18

Securing the Internet

18

Slide19

We must make the Internet secure!

19

Slide20

Securing the Internet – once and for all!

- Dream of a security layer that lets everybody else do nothing
- Suggested: “Internet passport”
  - no more unauthenticated packets!
  - what about compromised machines?
- Possible:
  - “don’t talk to me unless I talked to you” permission-based sending
    - most useful for small-group DOS attacks
    - but most are now trickle attacks
  - keep out packets at coarse level
    - “not interested in packets from Elbonia”
    - but easily spoofed

20

Slide21

Cause of death for the next big thing

21

Candidates (diagram): QoS, multicast, mobile IP, active networks, IPsec, IPv6

Causes of death:

- not manageable across competing domains
- not configurable by normal users (or apps writers)
- no business model for ISPs
- no initial gain
- 80% solution in existing system (NAT)
- increase system vulnerability

Slide22

Secure key identifiers

Security by:

- return routability
- cryptographic proof of ownership
- keeping them secret (SSN)

| Identifier | Proof of ownership | Spoofable | Critical for |
| --- | --- | --- | --- |
| IP address | RR, RPKI (?) | egress filtering (RFC 3013) | everything… |
| AS number | RPKI? | yes (BGP) | routing |
| domain name | TLS | TLS failures → DANE | web sites |
| email address | RR | mostly | password recovery |
| phone number | RR | caller-ID spoofing | 2-factor authentication |
| location | ? | yes | authentication |

22

Slide23

Avoid single-failure = catastrophic failure

- Download the wrong application → bank account gone
- Attacker advantage: one flaw, hundreds of thousands of victims
- Make it hard to scale attacks
  - require access to physical world
  - multiple paths that are unpredictable to far-away third party
  - Honey pots (e.g., trap spam senders)
- System design:
  - separate systems for high-value transactions
    - separate web browser
    - separate VM
    - single-purpose computer
  - second independent path: SMS

23

Slide24

Securing end systems

24

Slide25

The old attack model

25

Attacks arrive from the Internet at listening ports (diagram):

- port 135 (DCE)
- port 1433, 1434 (MS SQL)
- port 137, 139 (NetBIOS)

Slide26

… and now

26

downloaded documents

Slide27

Vulnerabilities 2011

27

dubious metric?

Slide28

What can be done?

- Harden key libraries
  - protocols (HTTP, IMAP, SIP, …)
  - file type parsing → fuzzing
- Separate parsing & system access via pipe
  - e.g., Google Chrome
- Separate VM for enterprise applications
- Restrict privileges
  - Android: each app has separate user ID
  - Permission restriction
- App store, rather than browser, for installing software
  - No need to store files in system areas
  - Limited system permissions
  - harder with HTML5, WebRTC, SVG, …

28

Slide29

Design pattern: process separation

29
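An added example (not from the talk) of the pipe-separated parsing pattern from the previous two slides: the parser runs in a forked child with lowered resource limits and hands back only a small JSON result over a pipe, so malformed input or a parser crash never takes down the process that has system access. The key=value parser, the bomb=1 crash marker and the chosen limits are assumptions; it relies on os.fork and the resource module, i.e., Linux/Unix.

```python
import json
import os
import resource

def risky_parse(blob: bytes) -> dict:
    """Stand-in for a file-format parser (constructed example): key=value lines.
    Malformed input raises; the marker line bomb=1 simulates a parser crash."""
    fields = dict(line.split("=", 1) for line in blob.decode("utf-8").splitlines() if "=" in line)
    if fields.get("bomb") == "1":
        os.abort()  # SIGABRT, as a memory-corruption bug in a real parser might do
    return fields

def _cap(limit, value):
    """Lower a resource limit to value, never above the existing hard limit."""
    _, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))

def parse_isolated(blob: bytes, cpu_seconds: int = 2) -> dict:
    """Run risky_parse in a forked child that only sees the bytes and a pipe."""
    rd, wr = os.pipe()
    pid = os.fork()
    if pid == 0:                        # child: the parser side of the pipe
        os.close(rd)
        _cap(resource.RLIMIT_CPU, cpu_seconds)   # runaway parsing gets killed
        _cap(resource.RLIMIT_FSIZE, 0)           # cannot write files (system areas)
        _cap(resource.RLIMIT_NPROC, 0)           # cannot spawn further processes
        try:
            out = {"ok": True, "fields": risky_parse(blob)}
        except Exception as exc:        # malformed input is reported, not fatal
            out = {"ok": False, "error": type(exc).__name__}
        os.write(wr, json.dumps(out).encode())
        os._exit(0)
    os.close(wr)                        # parent: the system-access side
    chunks = []
    while chunk := os.read(rd, 4096):   # EOF once the child exits or dies
        chunks.append(chunk)
    os.close(rd)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):          # parser died: parent survives and reports it
        return {"ok": False, "error": f"parser killed by signal {os.WTERMSIG(status)}"}
    if not chunks:
        return {"ok": False, "error": "parser produced no result"}
    return json.loads(b"".join(chunks))
```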

Slide30

App permissions are not sufficient

30

Slide31

Infrastructure security

31

Slide32

Improving network infrastructure security

- FCC + industry for six months → three critical threats to the Internet:
  - Domain Name System security
  - Routing security
  - Botnets
- Specific voluntary recommendations approved by CSRIC in March 2011 to advance deployment of DNSSEC, BGPSEC, and a domestic ISP Code of Conduct to fight botnets.
- Nine of the largest ISPs, representing nearly 90% of the domestic user base, publicly announced their intent to deploy the recommendations.
- Next step: measure deployment & impact → Measuring Broadband America

32

Slide33

Anti-botnet ecosystem

33

Slide34

Security beyond viruses and Phishing: Fraud & Human DOS attacks

34

Slide35

Fraud in TRS (text relay service)

35

+1 201 555 1234

Slide36

DOS attacks on humans: 9-1-1

36

Slide37

Robocalls & Caller-ID spoofing

37

Slide38

The Telemarketing Sales Rule: Three Protections

38

FTC (Will Maxson, 2012)

Slide39

What calls are not covered?

- Most business-to-business telemarketing
- Debt collection calls
- Customer service or customer satisfaction calls
- Market research/survey calls (only if no sales pitch)
- Polling/political calls (get out the vote, contribution requests)
- Calls made by companies subject to special federal/state regulation (banks, phone companies, insurance companies)
- Robocalls delivering a healthcare message made by or for a covered entity, as defined by the HIPAA Privacy Rule

39

FTC (Will Maxson, 2012)

Slide40

How do robocalls work?

40

FTC 2012

Slide41

The geography of robo-calling

41

FTC 2012

Slide42

Robocall eco system

42

FTC 2012

Slide43

What you can do when robo-called

43

Slide44

The enablers

44

Slide45

Law enforcement vs. robocallers

Robocallers:

- Agile numbering
- Automated customer acquisition
- Transnational

Law enforcement:

- One faxed subpoena at a time
- Manual trace-back
- Largely domestic

45

Slide46

What has changed?

Before: customer ↔ local exchange carrier, one assigned number

Now: can’t tell end user from provider → can use any number

46

Slide47

Caller ID spoofing

Caller ID Act of 2009: Prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.

47

Slide48

Caller ID spoofing:

- enhances theft and sale of customer information through pretexting
- harasses and intimidates (bomb threats, disconnecting services)
- enables identity theft and theft of services
- compromises and can give access to voice mail boxes
- can result in free calls over toll-free dial-around services
- facilitates identification of the name (CNAM) for unlisted numbers
- activates stolen credit cards
- causes incorrect billing because the jurisdiction is incorrect
- impairs assistance to law enforcement in criminal and anti-terrorist investigations

48

A. Panagia, AT&T

Slide49

VoIP spoofing (diagram)

Diagram elements: SPOOFER, VoIP Application (IP side); PSTN side: Switch A, STP, CNAM, Switch B; SPOOFEE

A. Panagia, AT&T

49

Slide50

Why not use email spam filtering techniques?

| | Email | Phone calls |
| --- | --- | --- |
| Name space | infinite | relatively small |
| Content inspection | common | not possible |
| Addresses | IP address – non-spoofable for TCP; email address – easily spoofable | phone number – spoofable |
| Delivery | filtered by provider: block lists (e.g., Spamhaus), SPF, DKIM | interconnection and delivery obligations |
| Delivery trace | Received-by headers | Via headers – only for end-to-end VoIP calls |
| Limited-use address | easy (e.g., web mail) | not feasible |
| Consent-based | CAPTCHA systems (not common) | likely too annoying |

see also RFC 5039

50

Slide51

Future, part 1: trustable phone numbers

previous contact

51

Slide52

IP-based PSTN: build in security!

Via: SIP/2.0/TLS client.biloxi.example.com:5061;branch=z9hG4bKnashds7;received=192.0.2.201

- trace call route
- automatically route subpoena

VoIP provider A, VoIP provider B (diagram)

52

Slide53

Caller identification

Diagram scenarios:

- bank, credit card office → name unimportant
- known caller: previous calls, sent her emails
- “can you recommend student X?” → name unimportant; IEEE ✔, known university ✔
- “what’s your SSN?”

53

Slide54

Attribute validation

- For unknown callers, care about attributes, not name
- SIP address-of-record (AOR) → attributes
  - employment (bank, registered 501c3)
  - membership (professional)
  - age (e.g., for mail order of restricted items)
  - geographic location
- Privacy → selective disclosure
  - no need to disclose identity

54

Slide55

Attribute Validation Service (diagram)

Parties:

- Attribute Validation Server (AVS): Issuer, e.g., members.ieee.org; holds {Alice’s username, credentials, user ID, role}
- Caller: Principal, Alice, student member in ieee.org, tel:+12345678
- Callee: Relying Party, Bob, sips:bob@example.com; accepts calls from members in ieee.org; does not know Alice’s phone number

Steps:

1. Alice requests an ARID (Attribute Reference ID) from the AVS, selecting attributes to disclose (HTTP over TLS), e.g., https://members.ieee.org/arid/4163c78e9b8d1ad58eb3f4b5344a4c0d5a35a023
2. Alice makes a call to Bob with the ARID and part of the access code (SIP over TLS)
3. Bob establishes the validity of the ARID with the AVS using the access code and retrieves selected attributes, e.g., Alice’s role (HTTP over TLS)

55
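The three steps above, as an added Python simulation that is not part of the talk: an in-memory issuer standing in for members.ieee.org hands Alice an ARID bound to the attributes she chose, and Bob can redeem it for those attributes only with the access code, once, and before it expires. The five-minute validity, the single-use rule, the invite field names and passing the whole access code (rather than the slide’s “part of”) are assumptions.

```python
import hmac
import secrets
import time

NEVER_DISCLOSED = {"credentials"}  # the issuer's own secrets never leave the issuer

class AttributeValidationServer:
    """Issuer (assumed in-memory stand-in for members.ieee.org)."""
    def __init__(self, base_url: str, users: dict, ttl: int = 300):
        self.base_url, self.users, self.ttl = base_url, users, ttl  # ttl: assumed 5-minute validity
        self._issued = {}  # reference -> {user, disclose, code, expires, used}

    def issue_arid(self, username: str, disclose: set, now=None):
        """Step 1: the principal picks which attributes the ARID may reveal."""
        record = self.users[username]
        if not disclose <= (record.keys() - NEVER_DISCLOSED):
            raise ValueError("attribute not disclosable")
        ref, code = secrets.token_hex(20), secrets.token_hex(16)
        self._issued[ref] = {"user": username, "disclose": set(disclose), "code": code,
                             "expires": (now or time.time()) + self.ttl, "used": False}
        return f"{self.base_url}/arid/{ref}", code

    def validate(self, arid: str, code: str, now=None):
        """Step 3: the relying party redeems ARID + access code for the selected attributes only."""
        entry = self._issued.get(arid.rsplit("/", 1)[-1])
        if entry is None or entry["used"] or (now or time.time()) > entry["expires"]:
            return None
        if not hmac.compare_digest(entry["code"], code):
            return None
        entry["used"] = True  # assumption: single use, so a captured ARID cannot be replayed
        record = self.users[entry["user"]]
        return {k: record[k] for k in entry["disclose"]}

def caller_invite(avs, username: str, disclose: set, now=None) -> dict:
    """Steps 1-2 on Alice's side: obtain an ARID, then carry it in the call (constructed INVITE fields)."""
    arid, code = avs.issue_arid(username, disclose, now)
    return {"From": "tel:+12345678", "To": "sips:bob@example.com", "ARID": arid, "Access-Code": code}

def callee_screen(avs, invite: dict, required: dict, now=None):
    """Bob's policy: accept the call only if the validated attributes match `required`."""
    attrs = avs.validate(invite["ARID"], invite["Access-Code"], now)
    if attrs is None:
        return False, None
    return all(attrs.get(k) == v for k, v in required.items()), attrs

# constructed issuer records: Bob never learns credentials, user ID or phone number
USERS = {"alice": {"username": "alice", "credentials": "pw-hash-placeholder",
                   "user_id": 4711, "role": "student member"}}
```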

Slide56

Conclusion

- Internet security is a systems problem, not (primarily) a crypto or protocol problem
- Treat security as system failures → redundancy, time-to-repair
- Don’t wait for the Internet to be secure
- Global optimization:
  - change processes
  - encourage transparency and informed consumer choice

56
