Roger’s Bio
– CPA, CISSP, CEH, SSPP, CISA, TICSA, yada, yada
– 22-year Windows security consultant, instructor, and author
– Microsoft ACE Infosec Security Architect
– Author or co-author of eight books on computer security, including:
  • Network Security: The Complete Reference (McGraw-Hill, co-author of chapters on Computer Defenses and IDSs)
  • Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007, co-author)
  • Professional Windows Desktop and Server Hardening (Dec. 2005)
  • Windows Server 2008 Security Resource Kit (contributing author)
  • Honeypots for Windows (Apress, December 2004)
– Author of over 200 national magazine articles on computer security
– Runs 8 honeypots tracking hacker and malware behavior
– InfoWorld security columnist and blogger
Roger’s Books
Disclaimer
The views expressed here are only my own, and are not the views of my employer or Mark Minasi
Problem: On the Bright Side...
Not everyone is hacked every day
Fix the Internets
This presentation is based on my previous work: the Fixing the Internet whitepaper and articles
http://weblog.infoworld.com/securityadviser/archives/Fixing_the_Internet_Final.pdf
http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html
http://weblog.infoworld.com/securityadviser/archives/2008/05/defending_fixin.html
http://www.infoworld.com/d/security-central/internet-fix-no-pipe-dream-452
Problem: How Bad Is It?
Each year, over 1-in-3 US adults get their identity information stolen over the Internet
1-in-9 have their identity stolen multiple times a year
1-in-9 have their stolen identity used in a given year
Problem: How Bad Is It?
An average hacker can break into any Internet-connected company relatively easily
There is little you can do to stop hackers
Break-ins are so common that even when tens of millions of identities are stolen or millions of dollars are taken, it often doesn’t make the news cycle anymore
Problem: Crimeware
99% of all malware exists to steal your money
The big criminal gangs make hundreds of millions of dollars each year
McColo, Rockphish, Russian Business Network
Not a single person from any of the major criminal gangs has been arrested or prosecuted
Problem: Every Internet Browser Has Many Exploits
CanSecWest: 3 top browsers exploited in an hour
Every “secure” browser is lucky to last a day after release before it is exploited
Problem: How Bad Is It?
Firewalls don’t work
Antivirus software doesn’t work
Fully patching your software doesn’t work
Spam and phishing are as bad as ever
Spam is 70-90% of all email traffic
10% or more of all Internet traffic is malicious
Why do we keep doing the same things and expecting different results??
Problem: How Bad Is It?
Malware more sophisticated than ever
Not one attack vector, but 20+
It hides now, doesn’t try to be cute
Fast-fluxing
Rootkit loading
USB infecting
Roving “mothership” web servers
Problem: Big Holes Still Being Found in the Internet
Kaminsky DNS exploit
Huge MPS/BGP exploit being announced at the next BlackHat
Kinda kills the “many eyes” concept that supposedly makes our software secure
Even DJBDNS’s software got hacked twice in a year
Problem: Can’t Be Perfect Even If You’re Perfect
Even if all the software becomes free of security vulnerabilities, it won’t stop hacking
Today, 99.999% of malicious hacking occurs because an end-user is tricked into installing trojan malware
Antivirus 2008, anyone??
Problem: How Bad Is It?
After everything every vendor has tried, pushed, and promoted, computer security has only gotten substantially worse over the last 10 years...and even worse over the last 3 years
Nothing any vendor is doing appears likely to significantly improve computer security over the next 10 years
Problem: Problems with Current Solutions
Whack-a-mole solutions
Point-specific defenses (which hackers just move around to the next weak link)
Security defenses develop slower than malware
No one is trying to solve the underlying systemic security problems
No single group dedicated to fixing Internet security
Problem: Why Does It Matter?
Can’t we just live with the current state of things?
I mean, we have survived so far without a major disruption to our global Internet society
Problem: Why Does It Matter?
Because the Internet is becoming more and more mission critical for real life
It isn’t just for email and ASCII porn anymore
Global society is becoming more reliant on the Internet for basic and mission critical services
Problem: Why Does It Matter?
SQL Slammer (2003) showed us that most of the world’s most important, mission-critical networks are on the Internet
Most major banks went down for multiple days
Foreign hackers are routinely breaking into our most sensitive, secure, gov’t networks
Problem: Why Does It Matter?
Where do you buy your airplane tickets?
How did you buy your last concert tickets?
I use web sites to make stock trades, schedule bulky garbage pick-ups, plan trips, pay college tuition for my daughters, call via Skype, etc.
My InfoWorld column is only online
How do you think the electronic funds transfer for your paycheck is transmitted?
Problem: Why Does It Matter?
What was yesterday’s “nice-to-have” web site becomes today’s “use it or pay more” for a regular human
Crackberries...anyone...
The ILOVEYOU worm shut down phone networks and delayed the delivery of newspapers
Problem: Why Does It Matter?
The guy in charge of running the White House is bragging about using Gmail and Google Docs
Your healthcare records are going online
Stuff that should never be on the Internet (e.g. nuclear power plants, electrical grids, 911 systems) is on the Internet!!
Problem: Why Does It Matter?
Even the mission-critical stuff that all the experts assure us isn’t on the Internet...is on the Internet
Even if it isn’t “on the Internet”, it usually shares the same physical telecom lines with the Internet...so if the Internet implodes, so too does the non-Internet stuff
Problem: Why Does It Matter?
Somewhere, there is a tipping point event waiting to happen
The Overall Problem: So How Is the Internet Broken?
Ask yourself, “Why do malicious hackers hack?”
The Overall Problem: So How Is the Internet Broken?
Answer: Because we can’t catch them
It’s low cost, low risk, and high return
Rob a bank, get $5,000 (maybe), and 10 years in jail
Rob off the Internet, make hundreds of millions, and never even get close to being caught
The Overall Problem: So How Is the Internet Broken?
Answer: Because we can’t catch them
I can’t think of a single Internet problem that doesn’t boil down to problems of identity and integrity
The Overall Problem: So How Is the Internet Broken?
There is pervasive anonymity
You really have no idea I am who I say I am
There is a lack of accountability
We can’t find the hackers to arrest them
We have a hard time prosecuting all the companies that knowingly help criminals
There is no way to tell the good companies from the bad
How to Fix the Internet: Summary
We have to rebuild all software and hardware connected to the Internet to fix it
Replace pervasive anonymity with pervasive identity
Hold people and companies accountable for bad things and continued poor practices
How to Fix the Internet: Summary
Dream Team of Security Experts
Rebuild the Internet and everything connected to it
New Internet-wide security services available to everyone (think DNS, but for security)
How to Fix the Internet: Summary
Come up with a global, open group to provide solutions
Will probably have to be gov’t sponsored
Companies are motivated by greed
There is no money in fixing the commons
Most companies are very risk averse
It will take a “man-on-the-moon” project
How to Fix the Internet: Dream Team
[Org chart: an Executive Committee (strategic decisions) made up of vendor/member directors; under it, component tactical leads; under them, component technical team members (the technical teams); a public/end-user shared committee participates alongside.]
How to Fix the Internet: Dream Team (2 year max.)
Made up of global vendors, gov’t, independent security experts, and the public
No single entity controls the outcome
One vote per member
Open meetings, open discussions
Any solutions are completely voluntary in nature
Try to use more “carrot” and less “stick”
How to Fix the Internet: Dream Team
What can be agreed upon is tabled, but majority rules
Global participation
Solutions are standards and protocols, not products
Solutions are 100% open source, although vendors are welcome to develop commercial products and implementations
How to Fix the Internet: Dream Team - Challenges
Global, but also decisive (the UN problem)
How to convince vendors that participating is in their own self-interest?
How to make a global committee responsive?
How to avoid balkanization and standard splits?
How to Fix the Internet: Possible Internet Security Solutions
Global Security Service
End-to-End Trust
Using Existing Web Standards
How to Fix the Internet: Global Security Service
Build a global Internet infrastructure service to provide coordination, advertising, and publication of the various global security initiatives
[Diagram: the Internet Security Service composed of DNS-like, UDDI-like, and IF-MAP-like pieces]
How to Fix the Internet: Global Security Service
DNS-like: fault-tolerant, distributed “root” servers dedicated to directing querying clients to the appropriate security service server(s).
UDDI-like: each participating global sub-root server would serve up the IP addresses of the corresponding security services (and advertise and publish such services).
IF-MAP-like: the sub-root servers would allow participating members to report and respond in a global, holistic, multi-service manner.
How to Fix the Internet: Global Security Service
IF-MAP Standard
If you are not familiar with IF-MAP, in a nutshell, the Trusted Computing Group’s (www.trustedcomputingroup.org) IF-MAP standard (https://www.trustedcomputinggroup.org/specs/TNC/IFMAP_FAQ_april_28.pdf) allows participating devices to report security events and receive notifications from other security devices to be able to respond in a coordinated fashion.
How to Fix the Internet: Global Security Service
IF-MAP Example:
Your firewall detects an outbound email originating from a regular end-user workstation that does not typically use port 25 outbound
Firewall notifies antivirus software to scan the machine
If the antivirus software is unable to clean the computer, or unable to find anything, it tells the NAC/NAP client to shut down, and the 802.1X switch kills the network port link
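The hand-off on this slide (firewall detects, antivirus scans, NAC/802.1X isolates) can be sketched as a small publish/subscribe metadata server. The Python below is an added illustration, not code from the presentation or from the TCG IF-MAP specification; the event names, the firewall log and the antivirus verdicts are constructed for the example. Note the branch the slide glosses over: a scan that finds nothing is treated the same as one that cannot clean, because the anomaly is still unexplained.

```python
"""IF-MAP-style coordinated response, sketched in Python.

Added illustration, not code from the presentation or from the TCG IF-MAP
specification.  The metadata server, the event names, the firewall log and
the antivirus verdicts are constructed for this example.
"""
from collections import defaultdict

# Constructed firewall observations: (source host, destination port,
# is this within the host's normal traffic profile?).  ws-17 is an ordinary
# workstation that never sends mail directly; mail-gw is the real relay.
FW_LOG = [
    ("ws-17", 443, True),
    ("mail-gw", 25, True),
    ("ws-17", 25, False),     # the anomaly the firewall should report
]


class MapServer:
    """Minimal metadata access point: publishers post typed metadata, and
    every subscriber for that type is notified in order."""

    def __init__(self):
        self._subs = defaultdict(list)
        self.log = []             # every published event, for audit
        self.quarantined = set()  # hosts whose switch port was shut

    def subscribe(self, event, handler):
        self._subs[event].append(handler)

    def publish(self, event, **meta):
        self.log.append((event, dict(meta)))
        for handler in list(self._subs[event]):
            handler(self, **meta)


def firewall_detect(mapsrv, fw_log):
    """Firewall role: report outbound SMTP from hosts that never use it."""
    for host, port, baseline in fw_log:
        if port == 25 and not baseline:
            mapsrv.publish("unexpected-smtp", host=host, port=port)


def make_av(scan_verdicts):
    """Antivirus role; scan_verdicts stands in for the real scan engine."""
    def av_handler(mapsrv, host, port):
        verdict = scan_verdicts.get(host, "not-found")
        if verdict == "cleaned":
            mapsrv.publish("host-clean", host=host)
        else:  # could not clean, or found nothing despite the anomaly
            mapsrv.publish("av-failed", host=host, verdict=verdict)
    return av_handler


def nac_handler(mapsrv, host, verdict):
    """NAC/NAP role: ask the 802.1X switch to drop the host's link."""
    mapsrv.quarantined.add(host)
    mapsrv.publish("port-disabled", host=host, reason=verdict)


def run_scenario(scan_verdicts):
    """Wire the three roles together and replay the constructed log."""
    mapsrv = MapServer()
    mapsrv.subscribe("unexpected-smtp", make_av(scan_verdicts))
    mapsrv.subscribe("av-failed", nac_handler)
    firewall_detect(mapsrv, FW_LOG)
    return mapsrv


if __name__ == "__main__":
    for event, meta in run_scenario({"ws-17": "not-found"}).log:
        print(event, meta)
```

Run it with `{"ws-17": "cleaned"}` instead and the chain stops after the antivirus step; the mail relay, whose port 25 traffic is baseline, is never touched.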
How to Fix the Internet: Global Security Service
New Security Service:
Be like a local IF-MAP solution, but provide the information globally
How to Fix the Internet: Global Security Service
[Diagram: two network security boundaries, each with regulated endpoints, security defenses, and a local IF-MAP service, connect through the Internet/network cloud to the Global Internet Security Infrastructure Service, which fronts protocol/application-specific global servers.]
How to Fix the Internet: Global Security Service
Examples:
Your network or web server comes under DDoS attack. Your local IF-MAP security device could connect to a root Internet security server and get directed to one or more services that allow an efficient response and defense. Your network could be subscribed on-the-fly to an anti-DDoS service, fire up additional availability resources on new IP space, or lead all the other participating networks into shunting off the offending bot-infected computers.
How to Fix the Internet: Global Security Service
Examples:
Your company participates in a global whitelist/blacklist of IP addresses. Your company’s whitelist/blacklist servers/service could contact the global root servers to get instantaneous updates of the Russian Business Network’s changing IP address space.
How to Fix the Internet: Global Security Service
Examples:
Your anti-spam device or anti-phishing filter can learn instantly when a massive new spam or phishing attack occurs, instead of waiting for a vendor update or relying on only the already-existing global email providers to learn about the attack.
How to Fix the Internet: Global Security Service
Examples:
Suppose a MySQL-based, Slammer-type zero-day worm gets launched that succeeds against every existing, reachable MySQL server on the Internet. Your firewall could be notified of the zero-day attack and shut down the port until a better remedy is provided.
SQL Slammer infected most SQL servers on the Internet in under 10 minutes. It went off at 1 AM EST. By the time sysadmins were alerted, it was over.
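As an added example (not part of the deck), here is how a member firewall might walk the DNS-like root and the UDDI-like sub-root described earlier, fetch a zero-day advisory from the early-warning service, and turn it into a port-blocking rule. The directory records, server names, advisory contents and the HMAC shared-key signature (a stand-in for the certificate-based signing the deck's standards list points at) are all assumptions. The check a practitioner would insist on is the signature: a feed that can tell every firewall on the Internet to close a port is itself a denial-of-service weapon if forged advisories are accepted.

```python
"""Global early-warning lookup and signed advisory handling.

Added example, not the presentation's design or code.  Directory records,
server names, the advisory and the HMAC shared-key signature (a stand-in for
certificate-based signing) are all constructed assumptions.
"""
import hashlib
import hmac
import json

# DNS-like root: which sub-root is authoritative for a given security service.
ROOT = {"early-warning": "subroot-na.example"}
# UDDI-like sub-root: which servers currently provide that service, in order.
SUBROOT = {"subroot-na.example": {"early-warning": ["ew1.example", "ew2.example"]}}

# Assumption: members hold a key the early-warning service signs with.
SERVICE_KEY = b"constructed-shared-key"


def canonical(advisory):
    """Stable byte encoding so signer and verifier hash the same thing."""
    return json.dumps(advisory, sort_keys=True, separators=(",", ":")).encode()


def sign(advisory, key):
    return hmac.new(key, canonical(advisory), hashlib.sha256).hexdigest()


def verify(advisory, signature, key):
    return hmac.compare_digest(sign(advisory, key), signature)


# Constructed advisory: a worm against a database port, published by the service.
ADVISORY = {
    "id": "ew-0001",
    "proto": "tcp",
    "port": 3306,
    "action": "block-inbound",
    "reason": "zero-day worm against exposed MySQL",
}
# ew1 is unreachable in this scenario; ew2 serves the feed.
FEED = {"ew2.example": [(ADVISORY, sign(ADVISORY, SERVICE_KEY))]}


def resolve(service):
    """Root first, then sub-root, as a DNS/UDDI-style client would."""
    subroot = ROOT.get(service)
    if subroot is None:
        raise LookupError(f"no sub-root advertised for {service}")
    return SUBROOT[subroot][service]


def fetch_advisories(service):
    """Try each advertised server in turn; the first that answers wins."""
    for server in resolve(service):
        if server in FEED:
            return FEED[server]
    return []


def advisory_to_rule(advisory):
    """Render one advisory as a firewall deny rule (constructed syntax)."""
    return (f"deny {advisory['proto']} any -> any port {advisory['port']}"
            f" ; {advisory['id']}: {advisory['reason']}")


def apply_early_warning(key=SERVICE_KEY):
    """Return (rules to install, advisory ids rejected for bad signatures)."""
    rules, rejected = [], []
    for advisory, signature in fetch_advisories("early-warning"):
        if verify(advisory, signature, key):
            rules.append(advisory_to_rule(advisory))
        else:
            rejected.append(advisory["id"])
    return rules, rejected


if __name__ == "__main__":
    print(apply_early_warning())
</```

Calling `apply_early_warning(key=b"wrong-key")` rejects the advisory instead of installing a rule, which is the behaviour you want when the feed, the sub-root, or the path to it is compromised.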
How to Fix the Internet: Global Security Service
[Diagram: the Global Internet Security Infrastructure Service, fed by the Internet, private entities, etc., distributes a global early warning system, global anti-malware signatures, a global blacklist, a global phish list, a global security server, etc.]
How to Fix the Internet: End-to-End Trust Solution
Trust Components
Hardware
OS Boot Process and Loading
Device and User Identity
Network Stack and Protocols
Applications
Network Transmission Devices and Packets
Communication Sessions
How to Fix the Internet: End-to-End Trust Solution
Not Microsoft’s End-to-End Trust
Based originally on Trusted Computing Group’s work
How to Fix the Internet: End-to-End Trust
Make each Internet egress network responsible and accountable for the security and trust of the endpoints in its network.
This applies to corporate environments as well as to ISPs, which would be responsible (to a variable degree) for the security of their end-user clients.
Each egress network access point would be known as a “trust network”, with its management and technical teams responsible and accountable for implementing improved security and trust mechanisms (e.g. egress filtering, two-factor authentication, anti-malware, secure coding practices, etc.).
How to Fix the Internet: End-to-End Trust
A world-wide community consortium of computer security experts would transparently decide what levels of trust are assigned to the various trust components and how various trust networks earn increasing levels of trust.
Egress points with poorly demonstrated levels of security will be given a low trust rating, and that rating known to all participants (e.g. world-wide trust rating list).
This should encourage trust networks to improve their security to be rated higher, and at the same time hold accountable questionable networks (e.g. Russian Business Network’s malicious IP space).
How to Fix the Internet: End-to-End Trust
Trust Assurance Levels
Various trust assurance level values are assigned to each trust component in the trust pathway
Authentication + Infrastructure Trust + Identity Assurance =
Aggregate Trust Assurance Level
How to Fix the Internet: End-to-End Trust
Trust Assurance Levels

Authentication Type                    | Trust Assurance Level Assignment
---------------------------------------|---------------------------------
Simple user name and password          | Low
Username, PIN, and biometric / token   | Medium
Smartcard, biometric and PIN           | High
How to Fix the Internet: End-to-End Trust
Trust Assurance Levels

Infrastructure Example Scenarios                                                                  | Trust Assurance Level Assignment
--------------------------------------------------------------------------------------------------|---------------------------------
Logon session originating from a known malicious IP address space                                 | Low
Logon session originating from a trusted, classified government network                           | High
Smart card using “short” 1024-bit public key                                                      | Medium
Questionable service provider who has been “warned” about continued past illegal activities       | Low
Network packet with “too many” hops, indicating excessive routing                                 | Low
Logon session originating from a shared wireless network open to the public or an Internet cafe   | Low
Logon session originating from a static, unchanging IP address                                    | Medium
How to Fix the Internet: End-to-End Trust
Trust Assurance Levels

Aggregated Trust Level Example Scenarios                                                                        | Aggregated Trust Assurance Level Assignment
----------------------------------------------------------------------------------------------------------------|--------------------------------------------
Anonymous identity, password only, coming from an untrusted service provider                                    | Lowest
True identity with compromised biometrics coming from a trusted service provider                                | Low
Anonymous identity with 3rd-party attestation, using a password on a trusted origination point                  | Medium
True identity of long-term, outstanding character, on a highly trusted service provider, using smartcard + PIN  | High
How to Fix the Internet: End-to-End Trust
Trust Assurance Levels (at the packet level)
[Diagram: two example packets, each with a header carrying crypto info and per-layer trust rankings, followed by a signed and encrypted data payload.]
Packet 1: Physical Trust Ranking = 3, Network Trust Ranking = 3, Session Trust Ranking = 4, Identity Trust Ranking = 5, Overall Trust Ranking = 4
Packet 2: Physical Trust Ranking = 4, Network Trust Ranking = 2, Session Trust Ranking = 3, Identity Trust Ranking = 2, Overall Trust Ranking = 3
How to Fix the Internet: End-to-End Trust
These global trust ratings would be sharable and available to each communicating trust network.
Each receiving trust network can decide how to treat incoming traffic based on the originator’s trust rating; and even provide custom trust ratings to trusted private trading partners (regardless of the packet’s tagged trust).
Traffic with higher ratings of trust should be inspected less and be delivered faster to end-points.
How to Fix the Internet: End-to-End Trust
Trust Gateways
Each trusted network should implement a trust gateway device (which can be a separate component or integrated into other egress/ingress point devices and software).
The trust gateway device is responsible for tagging egress traffic with a community-decided trust rating, and for appropriately handling (and handing off) incoming traffic based upon the trust rating with which it is marked.
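The following Python is an added example of a trust gateway, not the presentation's own code. It maps the qualitative levels in the tables above onto the 1 to 5 per-layer rankings shown in the packet illustration, aggregates them, tags outbound traffic, and lets the receiving gateway pick an inspection depth or apply a private-partner override. The deck never states how per-layer rankings combine into the overall ranking; a rounded mean is assumed here because it reproduces both example packets (3, 3, 4, 5 gives 4 and 4, 2, 3, 2 gives 3). The numeric scale, the downgrade thresholds and the sample sessions are constructed.

```python
"""Trust gateway: rank a session per layer, aggregate, tag, and decide how
to treat what arrives.

Added example, not the presentation's code.  The 1..5 numeric scale, the
mapping of the deck's Low/Medium/High onto it, the rounded-mean aggregation
and the sample sessions are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Deck's infrastructure scenarios, mapped onto the packet-level 1..5 scale
# (assumption: Lowest=1, Low=2, Medium=3, High=4, 5 reserved for the best).
NETWORK_RANK = {
    "malicious-ip": 2,      # known malicious address space -> Low
    "warned-provider": 2,   # provider warned about illegal activity -> Low
    "public-wifi": 2,       # open wireless / Internet cafe -> Low
    "static-ip": 3,         # static, unchanging address -> Medium
    "trusted-gov": 4,       # trusted, classified government network -> High
}
# Deck's authentication-type table.
SESSION_RANK = {
    "password": 2,
    "pin+token": 3,
    "pin+biometric": 3,
    "smartcard+biometric+pin": 4,
}
# Identity assurance, drawn from the deck's aggregated scenarios.
IDENTITY_RANK = {
    "anonymous": 1,
    "anonymous+attested": 3,     # 3rd-party attestation
    "true": 4,
    "true+long-standing": 5,     # long-term, outstanding character
}
MAX_HOPS = 20                    # "too many hops" threshold (assumed)
MIN_KEY_BITS = 2048              # below this a smart card key is "short"


@dataclass
class Session:
    physical: int          # hardware/boot attestation rank, supplied by the endpoint
    origin: str            # key into NETWORK_RANK
    auth: str              # key into SESSION_RANK
    identity: str          # key into IDENTITY_RANK
    hops: int = 10
    key_bits: int = 2048
    compromised: bool = False   # e.g. biometrics known to be compromised


def rank_layers(s):
    """Per-layer rankings, with the deck's downgrade cases applied."""
    network = NETWORK_RANK[s.origin]
    if s.hops > MAX_HOPS:                       # excessive routing -> Low
        network = min(network, 2)
    session = SESSION_RANK[s.auth]
    if s.auth.startswith("smartcard") and s.key_bits < MIN_KEY_BITS:
        session = min(session, 3)               # short key -> Medium
    identity = IDENTITY_RANK[s.identity]
    if s.compromised:                           # compromised credential -> Low
        identity = min(identity, 2)
    return {"physical": s.physical, "network": network,
            "session": session, "identity": identity}


def aggregate(layers):
    """Rounded mean of the per-layer rankings (assumed rule; it matches the
    deck's two packet illustrations)."""
    return int(sum(layers.values()) / len(layers) + 0.5)


def tag(s):
    """What the egress trust gateway stamps into the packet header."""
    header = rank_layers(s)
    header["overall"] = aggregate(header)
    return header


def receive(header, origin_network, partner_ratings=None):
    """Ingress decision: trusted partners get a custom rating regardless of
    the tag; otherwise higher trust means less inspection."""
    overall = (partner_ratings or {}).get(origin_network, header["overall"])
    if overall >= 4:
        return "fast-path"
    if overall == 3:
        return "inspect"
    return "deep-inspect"


if __name__ == "__main__":
    good = Session(3, "static-ip", "smartcard+biometric+pin", "true+long-standing")
    print(tag(good), receive(tag(good), "net-a"))
```

Because the ingress side consults its own partner table before the tag, a network can keep fast-pathing a trading partner it knows well (or deep-inspecting one it does not) regardless of what the packet claims, which is the custom-rating behaviour the next slide describes.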
How to Fix the Internet: End-to-End Trust
[Diagram: two network trust boundaries, each with regulated endpoints, security defenses, and a trust gateway, exchange traffic across the Internet/network cloud; community trust rating servers, coordinated by the Global Internet Security Infrastructure Service, supply the ratings.]
How to Fix the Internet: End-to-End Trust - In Conclusion
Thus, a roving malware network, with constantly changing IP addresses could be tracked and identified by the global trust servers. No longer could malware writers hide behind fast-fluxing IP and DNS domain name changes.
How to Fix the Internet: End-to-End Trust - In Conclusion
Another example, could be a previously highly trusted network or web site becomes infiltrated by malware. During the active attack, the compromised network or host could be assigned a lower trust rating, and that lower trust rating communicated to all participating parties.
Once the malware was cleaned up and the network or host running clean again, its trust rating could be improved, maybe slowly at first. But certainly after a set period of time, it could regain its original trust rating, or actually improve it beyond the original if newer, more secure practices were used.
How to Fix the Internet: End-to-End Trust - In Conclusion
Currently, there is no way for the Internet community, globally, to be aware that a particular, popular host or network is compromised.
With more and more legitimate sites being used to host malware, we need some sort of warning system.
How to Fix the Internet: Use Existing Web Standards
The Best Part??
All of the previously mentioned stuff can be implemented using web service standards that exist today!
We need only agree upon a solution
How to Fix the Internet: Use Existing Web Standards
IPv6
DNSSEC
X.500 directories
X.509 digital certificates
Trusted Network Connect
Trusted Platform Module (TPM) chip
Network Access Control (e.g. NAP, etc.)
How to Fix the Internet: Use Existing Web Standards
WS-* (Web Service Extensions): WS-Security, WS-Federation, WS-Trust
OpenID
RADIUS
SAML 2.0
How to Fix the Internet: Use Existing Web Standards
Basic Components
Authentication Providers (AP)
Cloud Services
End-User
Content Provider website
How to Fix the Internet: Use Existing Web Standards
You, your company, your client...can be all three components at some point
How to Fix the Internet: Basic Layers
[Diagram: three layers, an AP layer of authentication providers, a CP layer of content providers, and an end-user layer, with auditors spanning all three.]
How to Fix the Internet: Use Existing Web Standards
Your company can provide the authentication service
You can run an authentication/trust gateway device
Or you can buy into an authentication service that does all the heavy lifting
How to Fix the Internet: Basic Layers
[Diagram: an authentication gateway service/server sits in the AP layer in front of a legacy password system and a non-compliant authentication system, presenting them to the content providers and end-users like any other authentication provider.]
How to Fix the Internet: Not a Pipe Dream
Many national/regional infrastructures are already headed down this path:
Singapore’s National Authentication Framework
Italian Inter-Regional Identity Federation (ICAR-INF3)
European STORK project (http://www.eid-stork.eu)
United States Federal Bridge Certification Authority (http://www.cio.gov/fpkia)
* But none is global in focus, and none focuses purely on security and how to “fix” the Internet
How to Fix the Internet: Likelihood For Internet Fix To Happen?
Not likely until a tipping point event happens
Then we’ll collectively run around with our heads in the sand and wonder how we could have let this happen (see global financial crisis, 9-11, etc.)
We are not very good at proactive defenses until the big damage has occurred
Fixing the Internet
It’s just that easy.
Or if you don’t like my plan, how would you fix it?
Questions?
The End