The Internet is Insecure and Will Likely Remain So - What now?
Henning Schulzrinne
FCC & Columbia University
Georgia Tech, November 2012
Who am I talking to?
Security fallacies
Stop blaming (and “educating”) users
Reduce the value of targets
Avoid “small mistake, huge cost”
Secure key identifiers
Make it hard to scale attacks
Make it easy to detect loss
Design fraud-resistant systems
Worry about DOS attacks on humans
Robo-calling and caller ID spoofing
Security approach: blame the victim
Run 10 anti-virus systems!
Choose passwords you can’t remember!
Choose another operating system!
Don’t click on that link!
Nobody cares about you!
Unless you have access to high-value information
  sometimes for individualized identity theft
You are only valuable as
  a credit card number that can be resold in bulk ($2-$8)
  a machine usable for …
    DOS attacks
    email spam
      88% of spam sent by botnet
  a machine usable for advertising click fraud
    watch highlighted links!
    $0.002-0.003/click $0.50-$2 CPM
You are (mostly) on your own
Credit card
  liability limited to $50
  US: mag stripe vs. chip & PIN
Debit card
  two days $50, otherwise $500
Checks
  no, your bank does not check your signature (or your address)
Consumer bank account Regulation E
  no liability if reported within 60 days
Small business account
  No protection, no loss bound
  ACH fraud common
The ZeroAccess botnet infected 2.2 million home networks worldwide during Q3, making it the most active botnet for the year thus far, said a malware report from security analysis firm Kindsight. The Alcatel-Lucent subsidiary's Security Labs team found ZeroAccess infected one in 125 home networks during the quarter. “Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud,” Kindsight Security Labs security architect Kevin McNamee said Tuesday in a news release. “With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud.” The botnet may be costing advertisers $900,000 per day in ad-click fraud, Kindsight said. About 13 percent of home networks in North America were infected in Q3, with 6.5 percent of all home networks having high-level threats like bots and banking Trojans, Kindsight said (http://xrl.us/bnww7h).
Identity theft is often analog
Password policies gone amuck
Strong passwords don’t work everywhere
Password expiration
  and can’t use old one
Don’t re-use password across sites
Unless you’re the CIA director, writing down passwords is safe
  you’ll pick safer ones if you do
Stop blaming users web sites need to tell us what they do
  bad: plain text, silly rules
  not much better: hashed
  good: salted hash, single sign-on
Impacts password recovery
  bad: your dog’s name
  not great: send password to email
  ok: time-limited reset link
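The storage tiers above ("not much better: hashed" vs. "good: salted hash"), as an added example that is not part of the original slides. The choice of PBKDF2, the round count, the user names and the word list are assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

def store_unsalted(password):
    """'Not much better': one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None, rounds=200_000):
    """'Good': per-user random salt plus a deliberately slow KDF (assumed: PBKDF2)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest

def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, rounds, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def precomputed_lookup(leaked_hashes, wordlist):
    """Why unsalted hashes fail: each guess is hashed once and matched against every user."""
    table = {store_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}

def demo():
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    salted = {u: store_salted(p) for u, p in USERS.items()}
    wordlist = ["123456", "letmein", "correct horse"]  # constructed guesses
    return {
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"][2] == salted["bob"][2],
        "recovered_from_unsalted": precomputed_lookup(unsalted, wordlist),
        "login_ok": verify_salted("correct horse", salted["alice"]),
        "login_bad": verify_salted("wrong", salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With a per-user salt, the same precomputed table cannot be reused across accounts, so each stored record has to be attacked separately.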
More password issues
With rainbow tables, only length matters
  12+ characters likely safe
Always next year: single sign on
Reduce value of goods
Particularly single-factor goods
  if you can’t tell that they are gone
What about non-passwords?
Replacements have been suggested:
  Swipe pattern (Android)
  Voice pattern
  Fingerprints
  Keyboard typing or swiping
  Face recognition
Problems:
  not generalizable
    only works on some devices
  not precisely representable
    doomed if you have a cold or are in a noisy airport
  hard to have different ones
  bad if clonable
Useful as supplement for high-value transactions
The convergence to “what you have”
Two-factor authentication
Advantages:
  easy to recognize when lost
  hard to scale theft (but: see RSA)
  separate data path
    voice path vs. data path
    postal mail
  related: host recognition (e.g., via cookies)
Provide physical validation services
Goals:
  make scaling hard for bad guy
  increase risk of arrest
  make geography matter
But generally not integrated with digital processes!
Securing the Internet
We must make the Internet secure!
Securing the Internet – once and for all!
Dream of a security layer that lets everybody else do nothing
Suggested: “Internet passport”
  no more unauthenticated packets!
  what about compromised machines?
Possible:
  “don’t talk to me unless I talked to you”
    permission-based sending
    most useful for small-group DOS attacks
    but most are now trickle attacks
  keep out packets at coarse level
    “not interested in packets from Elbonia”
    but easily spoofed
Cause of death for the next big thing
not manageable across competing domains
not configurable by normal users (or apps writers)
no business model for ISPs
no initial gain
80% solution in existing system
increase system vulnerability
Secure key identifiers
Security by:
  return routability
  cryptographic proof of ownership
  keeping them secret (SSN)
Download the wrong application bank account gone
Attacker advantage: one flaw, hundreds of thousands of victims
Make it hard to scale attacks
  require access to physical world
  multiple paths that are unpredictable to far-away third party
Honey pots (e.g., trap spam senders)
System design:
  separate systems for high-value transactions
    separate web browser
    separate VM
    single-purpose computer
  second independent path: SMS
Securing end systems
The old attack model
port 1433, 1434
port 137, 139
… and now
What can be done?
Harden key libraries
  protocols (HTTP, IMAP, SIP, …)
  file type parsing fuzzing
Separate parsing & system access via pipe
  e.g., Google Chrome
Separate VM for enterprise applications
Restrict privileges
  Android: each app has separate user ID
Permission restriction
  App store, rather than browser, for installing software
  No need to store files in system areas
  Limited system permissions
  harder with HTML5, WebRTC, SVG, …
Design pattern: process separation
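A sketch of "separate parsing & system access via pipe", added here as an example and not taken from the slides. The toy key=value format, the allowed field names and the resource limits are assumptions; a production design would also put the child under an OS sandbox (separate user ID, syscall filter), which is not shown.

```python
import json, resource, subprocess, sys

# Child parser source. Toy "key=value" format (an assumption for this example).
PARSER_SRC = r'''
import sys, json
fields = {}
for line in sys.stdin.buffer.read().decode("utf-8", "replace").splitlines():
    key, sep, value = line.partition("=")
    if not sep:
        raise SystemExit(2)   # malformed input ends only the child
    fields[key.strip()] = value.strip()
json.dump(fields, sys.stdout)
'''

def _limit_child():
    # Runs in the child before exec: cap CPU seconds, forbid growing any file.
    _, hard = resource.getrlimit(resource.RLIMIT_CPU)
    cpu = 2 if hard == resource.RLIM_INFINITY else min(2, hard)
    resource.setrlimit(resource.RLIMIT_CPU, (cpu, hard))
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))

def parse_untrusted(data, allowed=("title", "author")):
    """Parent keeps system access; only a validated dict crosses the pipe."""
    try:
        proc = subprocess.run(
            [sys.executable, "-I", "-c", PARSER_SRC],
            input=data, capture_output=True, timeout=10,
            env={}, preexec_fn=_limit_child)
    except (subprocess.SubprocessError, OSError):
        return None
    if proc.returncode != 0 or len(proc.stdout) > 4096:
        return None
    try:
        result = json.loads(proc.stdout)
    except ValueError:
        return None
    # The child's answer is untrusted as well: fixed keys, string values only.
    if not isinstance(result, dict) or not set(result) <= set(allowed):
        return None
    if not all(isinstance(v, str) for v in result.values()):
        return None
    return result

if __name__ == "__main__":
    print(parse_untrusted(b"title=Report\nauthor=Alice\n"))   # constructed input
    print(parse_untrusted(b"title=Report\n\x00garbage"))      # rejected -> None
```

The parent never parses the raw bytes itself; a parser crash or compromise is contained in a short-lived process whose only channel back is a small, schema-checked message.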
App permissions are not sufficient
Improving network infrastructure security
FCC + industry for six months three critical threats to the Internet:
  Domain Name System security
  Routing security
  Botnets
Specific voluntary recommendations approved by CSRIC in March 2011 to advance deployment of DNSSEC, BGPSEC, and a domestic ISP Code of Conduct to fight botnets.
Nine of the largest ISPs, representing nearly 90% of the domestic user base, publicly announced their intent to deploy the recommendations.
Next step: measure deployment & impact Measuring Broadband America
Security beyond viruses and Phishing: Fraud & Human DOS attacks
Fraud in TRS (text relay service)
+1 201 555 1234
DOS attacks on humans: 9-1-1
Robocalls & Caller-ID spoofing
The Telemarketing Sales Rule: Three Protections
What calls are not covered?
Most business to businesses telemarketing
Debt collection calls
Customer service or customer satisfaction calls
Market research/survey calls (only if no sales pitch)
Polling/political calls (get out the vote, contribution requests)
Calls made by companies subject to special federal/state regulation (banks, phone companies, insurance companies)
Robocalls delivering a healthcare message made by or for a covered entity, as defined by the HIPAA Privacy Rule
How do robocalls work?
The geography of robo-calling
Robocall eco system
What you can do when robo-called
Law enforcement vs. robocallers
Automated customer acquisition
One faxed subpoena at a time
Manual trace-back
Largely domestic
What has changed?
local exchange carrier
can’t tell end user from provider
can use any number
Caller ID Act of 2009: Prohibit any person or entity from transmitting misleading or inaccurate caller ID information with the intent to defraud, cause harm, or wrongfully obtain anything of value.
Caller ID spoofing
enhances theft and sale of customer information through pretexting
harass and intimidate (bomb threats, disconnecting services)
enables identity theft and theft of services
compromises and can give access to voice mail boxes
can result in free calls over toll free dial-around services
facilitates identification of the name (CNAM) for unlisted numbers
activate stolen credit cards
causes incorrect billing because the jurisdiction is incorrect
impairs assistance to law enforcement in criminal and anti-terrorist investigations
Caller ID spoofing
Why not use email spam filtering techniques?
| | Email | Phone calls |
|---|---|---|
| Name space | infinite | relatively small |
| Content inspection | common | not possible |
| Addresses | IP address – non-spoofable for TCP; Email address – easily spoofable | Phone number – spoofable |
| Delivery | filtered by provider: block lists (e.g., Spamhaus), SPF, DKIM | interconnection and delivery obligations |
| Delivery trace | Received-by headers | Via headers – only for end-to-end VoIP calls |
| Limited-use address | easy (e.g., web mail) | not feasible |
| Consent-based | CAPTCHA systems (not common) | likely too annoying |

For unknown callers, care about attributes, not name
SIP address-of-record (AOR) attributes
  employment (bank, registered 501c3)
  membership (professional)
  age (e.g., for mail order of restricted items)
  geographic location
Privacy selective disclosure
  no need to disclose identity
Attribute Validation Service
Attribute Validation Server (AVS): Issuer
Student member in ieee.org
Callee: Relying Party
Bob
Accepts calls from members in ieee.org; does not know Alice’s phone number
sips:email@example.com
Internet security is a systems problem, not (primarily) a crypto or protocol problem
Treat security as system failures redundancy, time-to-repair
Don’t wait for the Internet to be secure
Global optimization:
  change processes
  encourage transparency and informed consumer choice