The Security Economy. James Hamilton, Microsoft SQL Server Architect (presentation transcript)
Slide 1: The Security Economy
James Hamilton, Microsoft SQL Server Architect
http://research.microsoft.com/~JamesRH
JamesRH@Microsoft.com
2004.06.17

Slide 2: Agenda
- Threat environment is worsening rapidly
- Capitalism in play
  - Personal/financial advantage drives innovation
- The security economy
  - 1st Gen: Fun and fame
  - 2nd Gen: Revenue models emerge
  - 3rd Gen: Resources for hire
- What can be done?

Slide 3: Threat: Cracking is not a new phenomenon
- 1981: Kevin Mitnick (Condor) cracks LA School System & PacBell
  - Steals passwords
- 1992: 414 Gang cracks Los Alamos & cancer center
- 1983: Mitnick (Condor) cracks Pentagon computers
- 1984: Kevin Poulsen (Dark Dante) cracks into ARPAnet
- 1986: Pakistani Brain virus: 1st malicious virus
- 1996: Chaos Computing Club hacks LBL
- 1987: Jerusalem virus: 1st to infect files
- 1988: Robert Morris releases 1st internet worm
  - Sendmail buffer overrun; over 6,000 systems infected
- 1988: Mitnick cracks MCI DECnet
  - Steals VMS source code
- 1989: Fry Guy cracks McDonalds
  - Credit cards and $6,000 in cash and product
- 1991: Michelangelo virus
- 1991: Justin Petersen (Agent Steal) cracks bank computer & transfers funds
- 1992: Morty Rosenfeld (Storm Shadow) cracks TRW
  - Credit card reports and numbers
- 1994: Richard Pryce (DataStream Cowboy) cracks USAF Rome Lab, ...
- 1994: Vladimir Levin cracks Citibank network
Source: Bill Wall, Harris Computer Corp

Slide 4: Incidents reported industry-wide
- CERT/CC incident statistics, 1988 through 2003
- Incident: a single security issue, grouping together all impacts of that issue
- Issue: disruption, DoS, loss of data, misuse, damage, loss of confidentiality
Source: http://www.cert.org/stats/cert_stats.html

Slide 5: 1st Gen: Fun and fame
- A new frontier for experimentation & learning
  - Many of the same folks who phone phreaked when in-band signaling was still employed
- Mostly non-destructive experimentation
- Community learning & sharing
  - Trade ideas & methods at security-focused conferences
    - e.g. Blackhat http://www.blackhat.com/
  - Building on the ideas of others
    - Phrack ezine: http://www.phrack.org/show.php?p=49&a=14
    - 29A: http://29a.host.sk/
  - Not all work from first principles
    - Baseless loaders
    - Encryption & morphing engines
- Fun, but clearly not a viable business

Slide 6: DB attack: Data Thief
- Author: Cesar Cerrudo
- Originally produced as an SQL injection demonstration
- UI driven:
  - Uses a local database to store stolen data
  - You select the target web page
  - Displays a menu of all tables available in the database in the UI
  - Transfers the contents of selected tables to the local database
- No programming or IQ required
- Download: http://www.appsecinc.com/resources/freetools/
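The slide's point is that a tool like Data Thief only works because the target web page splices user input straight into a SQL statement. The following is an added example (not code from the presentation or from the Data Thief tool) that shows the defect and its fix side by side against a constructed in-memory SQLite table: the same tautology input returns every row through the string-concatenated query and nothing through the parameterized one. The table, rows and function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory schema and rows for the demonstration; not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "1234"), (2, "bob", "5678"), (3, "carol", "9012")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The user-controlled value is spliced into the SQL text, so the database
    # parser treats whatever the caller typed as part of the statement.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The value travels to the engine as a bound parameter and is never parsed
    # as SQL, whatever quote or comment characters it contains.
    return conn.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()


def demo():
    """Run both lookups with a benign name and with the textbook tautology input."""
    conn = make_db()
    benign = "alice"
    # Closes the quoted literal, adds an always-true condition, and comments
    # out the rest of the statement (constructed input for the demonstration).
    tautology = "' OR 1=1 --"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "param_benign": lookup_parameterized(conn, benign),
        "param_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized form is the fix the slide implies; pairing it with a low-privilege application login (one that cannot enumerate or read tables the page never needs) limits what a tool of this kind can pull even if one concatenated query slips through review.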

Slide 7: 2nd Gen: Revenue models emerge
- Selling bugs
  - Vendor-provided bounties: Qmail http://cr.yp.to/qmail/guarantee.html
  - Third party: iDefense http://idefense.com/poi/teams/vcp.jsp?flashstatus=true
- Professional services feedback loop
  - Problem exists, so there is opportunity for security services
  - When not billing time, crack products
    - Establishes both the problem & credibility
  - More spent on patch application & more concern about security
    - More opportunity for security services
- New opportunity for 1st gen fun-and-fame folks
  - Get known & join a security services shop
- Separation of virus creation from distribution
  - Posted to web sites (research & freedom-of-speech defense)

Slide 8: 3rd Gen: Resources for hire
- Systems lying dormant, waiting to be needed
  - No indication they are infected
- Theft of assets:
  - AOL PW, PayPal PW, credit card numbers, game and S/W keys, etc.
- Zombie bot-nets:
  - Spam distribution http://news.com.com/Mounties+charge+teenage+virus+suspect/2100-7349_3-5221785.html?tag=cd.top
  - Copyright-infringing or illegal media distribution
  - DDoS attacks
  - Anonymous or difficult-to-track actions
- Zombie systems for sale
  - http://www.theregister.co.uk/2004/04/30/spam_biz
  - 20 cents each: $500/10,000 http://www.theregister.com/2004/05/12/phatbot_zombie_trade/

Slide 9: 3rd Gen: Resources for hire (cont.)
- Mega-virus/worms are the most dangerous new trend
  - Aggregate a large number of already-found attacks into a single virus/worm
- Polymorphic
  - Attempt to evade signature searching
- Disable anti-virus
  - Could even simulate AV running (no known examples)
  - Consolidation in the AV market would make this easier
- Disable competition for resources & control
  - Remove other viruses, worms & bots
- P2P command & control
  - Phatbot first to go P2P rather than IRC
  - WASTE provides an (optionally) encrypted P2P channel http://waste.sourceforge.net/
  - Phatbot uses Gnutella as a directory service
- Infected systems can be efficiently found & controlled and therefore have value

Slide 10: Phatbot feature list
- Polymorphs on install to evade antivirus signatures as it spreads from system to system
- Checks to see if it is allowed to send mail to AOL, for spamming purposes
- Can steal Windows Product Keys
- Can run an IDENT server on demand
- Starts an FTP server to deliver the trojan binary to exploited hosts
- Can run a SOCKS, HTTP or HTTPS proxy on demand
- Can start a redirection service for GRE or TCP protocols
- Can scan for and use the following exploits to spread itself to new victims:
  - DCOM, DCOM2, MyDoom backdoor, DameWare, Locator Service, weak-password shares, WebDAV
  - WKS: Windows Workstation Service
- Newer versions of Agobot and Phatbot have added scanner modules for:
  - Bagle virus backdoor, CPanel resetpass vulnerability, UPnP vulnerability, weak SQL admin PW
- Attempts to kill instances of MSBlast, Welchia and Sobig.F
- Sniffs IRC network traffic looking for logins to other botnets & IRC operator passwords
- Can sniff FTP network traffic for usernames and passwords
- Can sniff HTTP network traffic for PayPal cookies
- Contains a list of nearly 600 processes to kill if found on an infected system
  - Antivirus software; others are competing viruses/trojans
- Tests available bandwidth by posting large amounts of data to the following websites:
  - www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.stanford.edu, www.xo.net, ...
- Can steal AOL account logins and passwords
- Can steal CD keys for several popular games
- Can harvest emails from the web for spam purposes
- Can harvest emails from the local system for spam purposes
Source: http://www.lurhq.com/phatbot.html

Slide 11: Phatbot command set
- bot.command: runs a command with system()
- bot.unsecure: enable shares / enable DCOM
- bot.secure: delete shares / disable DCOM
- bot.flushdns: flushes the bot's DNS cache
- bot.quit: quits the bot
- bot.longuptime: if uptime > 7 days then the bot will respond
- bot.sysinfo: displays the system info
- bot.status: gives status
- bot.rndnick: makes the bot generate a new random nick
- bot.removeallbut: removes the bot if the id does not match
- bot.remove: removes the bot
- bot.open: opens a file (whatever)
- bot.nick: changes the nickname of the bot
- bot.id: displays the id of the current code
- bot.execute: makes the bot execute a .exe
- bot.dns: resolves ip/hostname by DNS
- bot.die: terminates the bot
- bot.about: displays the info the author wants you to see
- shell.disable: disable shell handler
- shell.enable: enable shell handler
- shell.handler: fallback handler for shell
- commands.list: lists all available commands
- plugin.unload: unloads a plugin (not supported yet)
- plugin.load: loads a plugin
- cvar.saveconfig: saves config to a file
- cvar.loadconfig: loads config from a file
- cvar.set: sets the content of a cvar
- cvar.get: gets the content of a cvar
- cvar.list: prints a list of all cvars
- inst.svcdel: deletes a service from the SCM
- inst.svcadd: adds a service to the SCM
- inst.asdel: deletes an autostart entry
- inst.asadd: adds an autostart entry
- logic.ifuptime: exec command if uptime is bigger than X
- mac.login: logs the user in
- mac.logout: logs the user out
- ftp.update: executes a file from an ftp url
- ftp.execute: updates the bot from an ftp url
- ftp.download: downloads a file from ftp
- http.visit: visits a url with a specified referrer
- http.update: executes a file from an http url
- http.execute: updates the bot from an http url
- http.download: downloads a file from http
- rsl.logoff: logs the user off
- rsl.shutdown: shuts the computer down
- rsl.reboot: reboots the computer
- pctrl.kill: kills a process
- pctrl.list: lists all processes
- scan.stop: signal stop to child threads
- scan.start: signal start to child threads
- scan.disable: disables a scanner module
- scan.enable: enables a scanner module
- scan.clearnetranges: clears all netranges registered
- scan.resetnetranges: resets netranges to the localhost
- scan.listnetranges: lists all netranges registered
- scan.delnetrange: deletes a netrange from the scanner
- scan.addnetrange: adds a netrange to the scanner
- ddos.phatwonk: starts phatwonk flood
- ddos.phaticmp: starts phaticmp flood
- ddos.phatsyn: starts phatsyn flood
- ddos.stop: stops all floods
- ddos.httpflood: starts an HTTP flood
- ddos.synflood: starts a SYN flood
- ddos.udpflood: starts a UDP flood
- redirect.stop: stops all redirects running
- redirect.socks: starts a socks4 proxy
- redirect.https: starts an https proxy
- redirect.http: starts an http proxy
- redirect.gre: starts a GRE redirect
- redirect.tcp: starts a TCP port redirect
- harvest.aol: makes the bot get AOL stuff
- harvest.cdkeys: makes the bot get a list of CD keys
- harvest.emailshttp: makes the bot get a list of emails via http
- harvest.emails: makes the bot get a list of emails
- waste.server: changes the server the bot connects to
- waste.reconnect: reconnects to the server
- waste.raw: sends a raw message to the WASTE server
- waste.quit: disconnect WASTE
- waste.privmsg: sends a privmsg
- waste.part: makes the bot part a channel
- waste.netinfo: prints netinfo
- waste.mode: lets the bot perform a mode change
- waste.join: makes the bot join a channel
- waste.gethost: prints netinfo when host matches
- waste.getedu: prints netinfo when the bot is .edu
- waste.action: lets the bot perform an action
- waste.disconnect: disconnects the bot from WASTE
Source: http://www.lurhq.com/phatbot.html

Slide 12: What can be done?
- No single defense is effective
- Secure by default:
  - Default features secure
  - If less than 80% use a feature, then it is off by default
- Security-focused design & development process
  - Simple security features
  - Threat models, targeted testing, attack teams, accountable code reviews, security audit, ...
- Fundamental architectural change:
  - More redundancy, many layers of defense, rigidly enforced fault containment domains, restartable components, low trust between components, limited communications allowed between components, limited communications external to components, ...
- Innovative security-focused tools
  - /GS, /SafeSEH, NX (no execute), ...
  - Static analysis with source annotations & more constrained programming languages
  - Statistical attack detection with auto defense
- Tight feedback loop
  - Customer system state sent home (with approval)
  - Auto-patching & configuration checkers
  - Black hat forums & other sources constantly monitored
- Security communications:
  - Customer education
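"Statistical attack detection with auto defense" is listed above as a one-line bullet. The following is an added example (not code from the presentation) of what that bullet means in practice: a detector that counts failed logins per source over a batch of sshd-style log lines, derives a baseline from the population of sources using a robust statistic (median plus a multiple of the median absolute deviation, so one noisy source does not inflate its own threshold), and turns any outlier into a time-limited block action. The log lines, the k=5 multiplier, the floor of 10 failures and the 600-second block are all constructed for the demonstration.

```python
import re
import statistics
from collections import Counter

# Matches the failure line format used by the constructed sample below.
FAILED_RE = re.compile(r"Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def build_sample_log():
    """Constructed sshd-style lines: one noisy source and four quiet ones (not real data)."""
    per_source = {"10.0.0.5": 20, "10.0.0.6": 2, "10.0.0.7": 1, "10.0.0.8": 3, "10.0.0.9": 2}
    lines = []
    for ip, n in per_source.items():
        for i in range(n):
            lines.append(
                f"Jun 17 10:00:{i:02d} host sshd[101]: Failed password for admin "
                f"from {ip} port {40000 + i} ssh2"
            )
    # A successful login must not be counted as a failure.
    lines.append("Jun 17 10:01:00 host sshd[102]: Accepted password for alice from 10.0.0.6 port 40100 ssh2")
    return lines


def failures_per_source(lines):
    """Count failed-login lines per source address."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def threshold(counts, k=5.0, floor=10):
    """Robust baseline: median + k * MAD over all sources, never below `floor`.

    The floor matters because MAD collapses to 0 when most sources look alike,
    which would otherwise flag any source one failure above the median.
    """
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return max(floor, med + k * mad)


def detect(lines, k=5.0, floor=10):
    """Return the source addresses whose failure count exceeds the baseline."""
    counts = failures_per_source(lines)
    if not counts:
        return []
    limit = threshold(counts, k, floor)
    return sorted(ip for ip, n in counts.items() if n > limit)


def auto_defense(lines, block_seconds=600):
    """Translate detections into expiring block actions (constructed action format)."""
    return [{"action": "block", "source": ip, "expires_in_s": block_seconds}
            for ip in detect(lines)]


if __name__ == "__main__":
    sample = build_sample_log()
    print("failures per source:", dict(failures_per_source(sample)))
    print("threshold:", threshold(failures_per_source(sample)))
    print("actions:", auto_defense(sample))
```

The expiry on each block action is the "auto" part of auto defense done safely: a detector with a fixed window and a time-limited response cannot lock out a legitimate address forever after one bad estimate, and the floor keeps a quiet network from generating blocks on noise.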

Slide 13: Microsoft