Presentation on theme: "Security - Network Security"— Presentation transcript:
Slide 1: Security - Network Security
CS3517 Distributed Systems and Security, Lecture 22

Slide 2: Content
- Security issues in distributed systems
- Network attack and defence
- Reading: Anderson, chapters 6 and 21; Viega, J. (2009). The Myths of Security: What the Computer Security Industry Doesn't Want You to Know. O'Reilly.
Slide 3: Distributed Systems Issues
- Concurrency, distributed updates: how do we inform everyone of a stolen credit card number?
- Fault tolerance: what do we do if a credit card PIN cannot be verified due to a network failure?
- Naming / identity problems, e.g. how do we know that is really Amazon and not a spam website?

Slide 4: Attack: Concurrency
- When the same data is used worldwide and simultaneously, how can we keep it consistent?
  - Propagate changes (in the right order)
  - Avoid deadlocks
- This is a classic distribution problem
- It is much worse when malicious attackers attempt to exploit this need for data replication / synchronisation and information exchange

Slide 5: Example: Stolen Credit Card
- A person reports a stolen credit card
- The bank must inform the credit card company
- The credit card company must inform all merchants
- This process takes time
  - What if the network is down?
  - What if there are bureaucratic errors at the credit card company or the bank?
- Until all these information updates are distributed, a malicious person can use the stolen credit card (how small is the window of opportunity for the attacker?)

Slide 6: Defence
- Insist on verifying the credit card against a database. Therefore:
  - This is acceptable for a few large transactions
  - It is unacceptable for many small transactions – too much network traffic
  - Also: the so-called "insult cost" (annoyance to the customer) is high when a network is down or a server times out
- Therefore:
  - Propagate key data quickly
  - Accept some losses
- Always a trade-off between security and operational ease
Slide 7: Problems with Time in Networks
- If the time on the local computer is not set correctly, an attacker can fake time:
  - Extend a "30-day trial" forever
  - Take down your firewall by convincing it that the licence has expired (Cinderella attack)
- Defence: get accurate time from the network using the Network Time Protocol (NTP)

Slide 8: Fault Tolerance
- What happens when the network or a resource (computer, database) becomes unavailable?
  - E.g. local caching of key information in credit card information systems
- What happens if a person is wrongly accused of credit card fraud?
  - See the example in Anderson's book: a person was arrested for allegedly using a forged credit card. The card was genuine; the problem was a mechanical fault in the card reader
- Fault tolerance is also called graceful degradation

Slide 9: Fault Tolerance
- Suppose an e-prescription system crashes
- What should a chemist do when a person demands the sale of a prescription drug (maybe a "life or death" situation)?
- An attacker can deliberately crash the network so that the e-prescription system is unavailable
- If the prescription is dispensed and the customer was lying, who pays for the mistake – chemist, NHS, insurance?

Slide 10: Defence: Redundancy
- Safeguarding services locally: redundant arrays of storage media – duplication of data (RAID)
- Process group redundancy: replication of services; multiple copies of the system run on multiple servers
- Backup: store snapshots of data at regular intervals
- All these measures replicate data, which makes confidentiality much harder to maintain

Slide 11: Defence: Fail-Stop Processors
- Process error-correction information along with the data
- Stop processing when an inconsistency is detected
- Vulnerable to denial-of-service attacks
Slide 12: Naming
- How can we trust and verify a particular name or URL?
- Do URL, DNS and certificate providers vet applications?
- Can anyone get an ID as "Microsoft" just by filling in a form and paying 100 pounds?

Slide 13: Distributed System Security
- Solution: careful design, good practice, policy
- Concurrency, fault tolerance and naming are all generic distributed system issues
- Use established technology and models (best practice)
- Backup security
- Vet DNS / certificate applications
- Take into account not only fraudulent users, but also faulty equipment (see the wrongful arrest in the credit card case)
Slide 14: Network Security
- Security concerns arise because:
  - Many people have access to your computer; some of them are thieves or hackers
  - You have access to many computers worldwide; some / many of them are infected or otherwise dangerous

Slide 15: Importance of Network Security
- Public standards: intruders know more about the protocols, and weaknesses are realised quickly
- Pervasive: no need for specialist equipment for an attack
- Web servers are extensible: they can be connected to other software systems and make them vulnerable to attack
- Web clients are extensible: plug-ins can have security flaws
- Dependence on many interconnected elements: no way to perform a 'binding analysis'

Slide 16: Fundamental Threats
- Threats can be classified as:
  - Deliberate (e.g. hacker intrusion)
  - Passive (e.g. wire-tapping)
  - Active (e.g. changing the value of a transaction)
  - Accidental (e.g. a secret message sent to the wrong address)
- No universally agreed classification, but:
  - Denial of service – legitimate access to a resource is deliberately impeded
  - Information leakage – information is disclosed to unauthorised parties
  - Integrity violation – data consistency is compromised
  - Illegitimate use – a resource is used by an unauthorised person in an unauthorised way

Slide 17: Example Threats
- Packet sniffing: harvest personal data (e.g. username / password)
- Denial of service: attempt to make a computer resource unavailable to other users
- Spam: send out unwanted traffic to users
- Phishing and pharming: attempt to steal personal data
- Trojans, viruses, worms, root kits: malicious code
- We'll have a look at these in the coming slides.
Slide 18: Be aware of Attacks!
- Mapping: attackers try to find out what services are implemented before an attack
  - Use ping to identify hosts
  - Use a port scanner to establish TCP connections
  - Probe for known weaknesses – e.g. very long passwords crash some FTP servers
- Tools: nmap (nmap.org) mapper: "network exploration and security auditing"
  - Legitimate use by sys admins for network management
- In system security design, port control is given particular attention. Checkpoint Endpoint.

Slide 19: Be aware of Attacks! Mapping: Protection
- Record traffic entering the network
- Look for suspicious activity:
  - IP addresses being pinged
  - Ports being scanned sequentially
- Many firewalls detect mapping activities
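Added example, not from the lecture: a small detector for the "ports being scanned sequentially" pattern on slide 19, run over a constructed connection log. The log layout (`src dst port` per line) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of a connection log in the form "src_ip dst_ip dst_port";
# the layout is an assumption, not something the lecture specifies.
SAMPLE_CONNECTIONS = """\
203.0.113.5 192.0.2.10 21
203.0.113.5 192.0.2.10 22
203.0.113.5 192.0.2.10 23
203.0.113.5 192.0.2.10 24
203.0.113.5 192.0.2.10 25
203.0.113.5 192.0.2.10 26
198.51.100.7 192.0.2.10 80
198.51.100.7 192.0.2.10 443
198.51.100.7 192.0.2.10 80
"""


def parse_connections(text):
    """Return (src, dst, port) tuples; malformed lines are skipped so the detector keeps running."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        events.append((parts[0], parts[1], int(parts[2])))
    return events


def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers (e.g. 21, 22, 23 -> 3)."""
    longest = current = 0
    previous = None
    for port in sorted(set(ports)):
        current = current + 1 if previous is not None and port == previous + 1 else 1
        longest = max(longest, current)
        previous = port
    return longest


def find_port_scans(events, min_distinct_ports=5, min_sequential_run=4):
    """Flag (src, dst) pairs that touched many distinct ports or a run of consecutive ports.

    The thresholds are assumptions; in practice they are tuned to the site's normal traffic.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, port in events:
        ports_by_pair[(src, dst)].add(port)
    alerts = []
    for (src, dst), ports in sorted(ports_by_pair.items()):
        run = longest_sequential_run(ports)
        if len(ports) >= min_distinct_ports or run >= min_sequential_run:
            alerts.append({"src": src, "dst": dst,
                           "distinct_ports": len(ports), "sequential_run": run})
    return alerts


if __name__ == "__main__":
    for alert in find_port_scans(parse_connections(SAMPLE_CONNECTIONS)):
        print("possible port scan:", alert)
```

The repeated visits to ports 80 and 443 from the second host are normal web traffic and are not flagged.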
Slide 20: Be aware of Attacks! Packet Sniffing
- Used by sys admins to detect bottlenecks and other problems in a network
- Sniffers work by catching particular sequences of data transmitted over the network
- Could be used to siphon off sensitive data, e.g. detecting logins
- Example: host B sniffs B's packets
- [Diagram: hosts A, B, C on a shared link; packet src:B dest:A payload]

Slide 21: Sniffers: Protection
- All hosts in the organisation run software that periodically checks whether the host interface is in "promiscuous mode"
- How can we protect ourselves?
  - SSH, not Telnet (but only if the sys admin implements this service)
  - HTTP over SSL (https)
  - SFTP, not FTP
  - Unless you really don't care about the password or data
- Promiscuous mode causes the interface controller to pass all traffic it receives to the CPU, rather than passing only the frames that the controller is intended to receive.

Slide 22: Denial of Service
- Designed to prevent or degrade a host's quality of service
- Is done by:
  - Sending TCP packets larger than bytes (maximum) to crash a host – "Ping of Death"
  - Producing packets with contradictory TCP header information, which crash the host attempting to reassemble them ("Teardrop")
  - SYN flooding
  - SMURF
  - Distributed attacks
- SYN flooding, SMURF, distributed attacks – see hidden slides!
Slide 23: Denial of Service: SYN flooding
- Send a lot of SYN (synchronisation) packets with bogus source IP addresses
- The server responds with SYN / ACK and keeps state about the TCP half-open connection
- An ACK is expected back to establish the full connection, but it is never received (bogus source IP)
- The server becomes almost completely busy with the hostile client

Slide 24: Denial of Service: SMURF
- Provoke pings and responses from unsuspecting sources to a particular server
- A packet from the perpetrator contains an Internet Control Message Protocol (ICMP) ping message that appears to come from the victim / target server, and is sent to the IP broadcast address
- [Diagram: Perpetrator → Internet: ICMP echo (spoofed source address of victim) sent to IP broadcast address; ICMP echo replies → Victim]
- Enough pings & responses can flood the network

Slide 25: Distributed Denial of Service
- Same techniques as regular DoS, but on a much larger scale
- Use a known vulnerability to infect a large number of machines with a "zombie"
- The zombie logs into an IRC channel and awaits commands
- IRC bot command: "!p "
- Results in: "ping.exe –I –n 10000k ping packets sent to host

Slide 26: DDoS example: Code Red
- July 19th, 2001: over computers infected with Code Red in less than 14 hours
- Used a buffer exploit in MS IIS
- Damages estimated in excess of $2.6 billion
- Code Red launched a DDoS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
- Spent the rest of its time infecting other hosts

Slide 27: Denial of Service: Protection
- SYN: use "SYN cookies": in response to a SYN, create a special "cookie" for the connection, and forget everything else
  - The forgotten information can then be recreated when the ACK comes in from a legitimate connection
- More general:
  - Filter out flooded packets (e.g. SYN) before they reach a host: throws out good with bad
  - Trace back to the source of the floods (most likely an innocent, compromised machine)
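The SYN-cookie idea on slide 27, as an added example that is not part of the lecture: the server's SYN/ACK sequence number is an HMAC over the connection details plus a time counter, so nothing is stored for half-open connections and the ACK alone proves the client saw the SYN/ACK. The cookie layout (8-bit time counter, 24-bit tag), the secret and the addresses are constructed assumptions; real implementations also encode the MSS.

```python
import hashlib
import hmac
import struct

# Constructed server secret (assumption): a real implementation generates this
# at boot and rotates it.
SERVER_SECRET = b"constructed-example-secret"


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, minute, secret=SERVER_SECRET):
    """Initial sequence number the server puts in its SYN/ACK instead of keeping state.

    Top 8 bits: a coarse time counter. Low 24 bits: HMAC over the connection
    4-tuple, the client's ISN and that counter. Nothing else is remembered.
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{minute}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).digest()[:4]
    low24 = struct.unpack(">I", tag)[0] & 0x00FFFFFF
    return ((minute & 0xFF) << 24) | low24


def verify_syn_cookie_ack(src_ip, src_port, dst_ip, dst_port, client_isn, ack_number,
                          now_minute, secret=SERVER_SECRET, max_age=2):
    """Check the third handshake packet using only fields carried in that packet.

    The ACK acknowledges our ISN + 1, so the cookie is ack_number - 1. The client's
    ISN is recoverable too: the ACK's own sequence number is client_isn + 1.
    """
    cookie = (ack_number - 1) & 0xFFFFFFFF
    for age in range(max_age + 1):            # accept cookies up to max_age minutes old
        candidate_minute = now_minute - age
        if (candidate_minute & 0xFF) != (cookie >> 24):
            continue
        expected = make_syn_cookie(src_ip, src_port, dst_ip, dst_port,
                                   client_isn, candidate_minute, secret)
        if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", cookie)):
            return True
    return False


def handshake_demo():
    """One legitimate handshake, one guessed ACK and one stale ACK; returns the three verdicts."""
    client = ("198.51.100.7", 40000)
    server = ("192.0.2.10", 80)
    client_isn, minute = 123456, 500
    # SYN arrives; the server answers SYN/ACK with seq = cookie and keeps no half-open state.
    cookie = make_syn_cookie(*client, *server, client_isn, minute)
    # A real client answers with ack = cookie + 1 within the time window.
    genuine = verify_syn_cookie_ack(*client, *server, client_isn,
                                    (cookie + 1) & 0xFFFFFFFF, minute + 1)
    # A flooder using a bogus source never sees the SYN/ACK, so any ACK it sends is a guess.
    guessed = verify_syn_cookie_ack(*client, *server, client_isn,
                                    (cookie + 7) & 0xFFFFFFFF, minute + 1)
    # An ACK arriving after the window has passed is rejected as well.
    stale = verify_syn_cookie_ack(*client, *server, client_isn,
                                  (cookie + 1) & 0xFFFFFFFF, minute + 5)
    return genuine, guessed, stale


if __name__ == "__main__":
    print("genuine, guessed, stale =", handshake_demo())
```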
Slide 28: Denial of Service: Protection
- Ingress filtering: network ingress filtering is a packet filtering technique used by many Internet service providers to try to block network packets with a spoofed sender IP
  - All connected networks are known, and therefore also the range of possible source IP addresses
  - If the source IP of a packet is outside this range, drop it
- Stay on top of CERT advisories and the latest security patches
  - E.g. a fix for the Microsoft IIS buffer overflow was released 16 days before Code Red!
- The CERT Coordination Center (CERT/CC) is the coordination centre of the Computer Emergency Response Team (CERT) for Internet security incidents.
- IIS – Internet Information Services, a set of Internet-based services for servers using Microsoft Windows
- Code Red – a computer worm observed on the Internet on July 13. It attacked computers running Microsoft's IIS web server.

Slide 29: Spoofing
- IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system
- The intruder uses a computer to masquerade as another trusted host – e.g. the computer pretends to have the IP address of that host
- Example: C pretends to be B
- [Diagram: hosts A, B, C; packet src:B dest:A payload]

Slide 30: Spoofing
- IP spoofing is most frequently used in denial-of-service attacks
  - In such attacks the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks.
- IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses
  - Users can log in without a username or password provided they are connecting from another machine on an internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machines without authentication
- See hidden slides for more info on how spoofing works.
- DoS is common because it's easier just to break something than to do something more clever with it!

Slide 31: Spoofing: How it works
- Defence against IP spoofing attacks: for example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection
- Since the attacker normally can't see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted

Slide 32: Spoofing: How it works
- Put the trusted host out of action – e.g. through a denial-of-service attack
- Obtain the IP address of the trusted host
- Establish a connection to the server it wishes to attack through the standard IP handshake
- Attempt to infer the sequence numbers used by the trusted host and server during a validated dialogue – e.g. through trial and error
  - This is the most difficult part of this type of attack – the administrator will be alerted to the attack if the reply sequences from the intruder are not correct

Slide 33: Spoofing: Protection
- Ingress filtering: blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine.
- Egress filtering: blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network from launching IP spoofing attacks against external machines
  - Routers should not forward outgoing packets with invalid source addresses, e.g. a datagram source address not in the router's network
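The ingress and egress rules from slides 28 and 33, written out as an added example (not the lecture's own code) over a constructed set of packets at a border router. The internal prefix 192.0.2.0/24 and the packet list are assumptions; it also drops loopback, multicast and unspecified sources as "invalid source addresses".

```python
import ipaddress

# Assumed address plan: the organisation's routers own this prefix.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed packets seen at the border router: (direction, src, dst).
SAMPLE_PACKETS = [
    ("in",  "198.51.100.7", "192.0.2.10"),    # ordinary inbound traffic
    ("in",  "192.0.2.55",   "192.0.2.10"),    # outsider claiming an inside address
    ("out", "192.0.2.10",   "198.51.100.7"),  # ordinary outbound traffic
    ("out", "203.0.113.9",  "198.51.100.7"),  # insider forging an outside address
    ("out", "127.0.0.1",    "198.51.100.7"),  # invalid source, never routable
    ("in",  "not-an-ip",    "192.0.2.10"),    # malformed header
]


def is_internal(addr, nets=INTERNAL_NETS):
    """True if the address lies in one of our own prefixes."""
    return any(addr in net for net in nets)


def filter_packet(direction, src, dst, nets=INTERNAL_NETS):
    """Return (verdict, reason) for one packet crossing the organisation's border.

    Ingress rule: a packet arriving from outside must not carry an inside source.
    Egress rule: a packet leaving must carry one of our own addresses.
    """
    try:
        src_addr = ipaddress.ip_address(src)
    except ValueError:
        return ("drop", "malformed source address")
    if src_addr.is_loopback or src_addr.is_multicast or src_addr.is_unspecified:
        return ("drop", "invalid source address")
    inside = is_internal(src_addr, nets)
    if direction == "in" and inside:
        return ("drop", "ingress: outside packet spoofs an internal source")
    if direction == "out" and not inside:
        return ("drop", "egress: source is not in our network")
    return ("forward", "")


def apply_filter(packets, nets=INTERNAL_NETS):
    """Run the rules over a packet list; returns [(src, dst, verdict), ...]."""
    return [(src, dst, filter_packet(direction, src, dst, nets)[0])
            for direction, src, dst in packets]


if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        verdict, reason = filter_packet(direction, src, dst)
        print(f"{direction:>3} {src:>14} -> {dst:<14} {verdict:8} {reason}")
```

Note that the egress rule is what stops the SMURF and SYN-flood sources on the earlier slides from forging a victim's address from inside your own network.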
Slide 34: Intrusion Detection / Prevention
- Put a computer on the network that looks at all traffic
  - An IDS tells you that the network is being attacked
  - An IPS drops packets from the attacker automatically
- Not just ingress filtering: can detect problems from compromised hosts within the network
- Examples:
  - More than three failed logons from the same IP address
  - A phone call longer than six hours
  - Credit card expenditure of more than twice the moving average of the last three months
- IDS – Intrusion Detection System; IPS – Intrusion Prevention System

Slide 35: Detection Techniques
- Look for likely behaviour (signature) of an intruder
  - Maximum ATM withdrawal for several days
  - Sudden use of sophisticated tools by naive users
- Look for anomalous patterns of behaviour (data mining, machine learning)
  - Detects attacks not previously recognised and catalogued
  - Legal problems if this ends up discriminating against people, especially if you can't explain what your system is looking for (neural nets)
- An off-the-shelf IDS typically gives ~1000 alerts per day
  - Not just lots of false positives
  - Any server with an authentication service will see many failed login attempts per day from those attempting to access the system by guessing passwords
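Two of the rules on slides 34 and 35 as an added example (not code from the lecture): a signature rule over constructed sshd-style log lines ("more than three failed logons from the same IP") and an anomaly rule over constructed monthly card totals ("more than twice the moving average of the last three months"). The log format, the thresholds and the sample data are assumptions.

```python
from collections import Counter, deque

# Constructed authentication log lines; the sshd-like wording is an assumption.
SAMPLE_AUTH_LOG = """\
2011-03-01T09:00:01 sshd: Failed password for admin from 203.0.113.5
2011-03-01T09:00:03 sshd: Failed password for root from 203.0.113.5
2011-03-01T09:00:05 sshd: Failed password for guest from 203.0.113.5
2011-03-01T09:00:07 sshd: Failed password for admin from 203.0.113.5
2011-03-01T09:10:00 sshd: Accepted password for alice from 198.51.100.7
2011-03-01T09:12:00 sshd: Failed password for alice from 198.51.100.7
"""

# Constructed monthly card spend for one customer: (month, total).
SAMPLE_SPEND = [("2010-10", 400), ("2010-11", 500), ("2010-12", 600),
                ("2011-01", 550), ("2011-02", 1500)]


def failed_logon_alerts(log_text, threshold=3):
    """Signature rule: source IPs with more than `threshold` failed logons."""
    failures = Counter()
    for line in log_text.splitlines():
        if "Failed password" in line and " from " in line:
            failures[line.rsplit(" from ", 1)[1].strip()] += 1
    return sorted(ip for ip, count in failures.items() if count > threshold)


def spending_alerts(monthly_totals, window=3, factor=2.0):
    """Anomaly rule: flag a month whose spend exceeds `factor` times the moving
    average of the previous `window` months. Returns (month, amount, average)."""
    alerts = []
    history = deque(maxlen=window)
    for month, amount in monthly_totals:
        if len(history) == window:           # need a full baseline first
            average = sum(history) / window
            if amount > factor * average:
                alerts.append((month, amount, average))
        history.append(amount)               # flagged months still enter the baseline
    return alerts


if __name__ == "__main__":
    print("brute-force sources:", failed_logon_alerts(SAMPLE_AUTH_LOG))
    print("unusual spend:", spending_alerts(SAMPLE_SPEND))
```

The single failure from 198.51.100.7 stays below the threshold, which is the tuning problem of slide 36 in miniature: on an Internet-facing server a threshold of three fires constantly, so the number has to be raised or the rule scoped before the alert volume is useful.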
Slide 36: Intrusion Detection / Prevention
- Need up-front "tuning" of the IDS/IPS to bring alerts down to reasonable levels (say ~30)
- Say each message takes 5 mins to investigate
  - Could cost the company 20k per year of trained IT staff time to deal with alerts
- Does not account for clean-up costs; the IDS just brings problems to attention faster
- Is it cost-effective? Maybe if your company has 40k employees; normally it is best to outsource

Slide 37: Worms and Viruses
- Worm: self-propagating "malware", can run itself
- Virus: worm that replicates by attaching itself to other programs
- Data virus – e.g. a Word macro virus, which can affect the way the program operates and copy itself to new documents
- Viruses may use popular clients (e.g. MS) to propagate through the use of address books

Slide 38: Trojan Horses
- A seemingly innocent application can hide a Trojan horse
- The application is supposed to perform a useful function – e.g. a file compression / decompression utility
- It actually does nasty things when installed – e.g. deletes essential operating system files
- More likely not to be so obvious – e.g. installs a root kit to provide remote access to the machine

Slide 39: Root Kit
- Malware (spyware, Trojans) that hides its presence from spyware blockers, antivirus and system management utilities
- "Root kit": comes from "root" (the administrator account under Unix) and "kit" (a set of software tools)
- Attackers try to get "root" access to a system in order to install a root kit; with that they get full control of the system
- Root kit: a set of admin tools replaced by malicious versions; continues to operate in a hidden fashion
- History:
  - 1986: first documented virus to operate in a cloaked fashion under DOS, redirection of the boot sector
  - 1990: root kit for SunOS
  - 1999: Windows NT
  - 2009: OSX
- Example of commercial use: 2005: Sony BMG copy protection root kit scandal: published CDs with copy protection – on the CD was a music player that installed a root kit to control the user's access to the CD

Slide 40: Anti-Virus
- Designed to detect all kinds of malware: spyware, adware, botnet software, worms, etc.
- Consists of a generic engine that operates with DATs (data files)
  - DATs contain signatures of binary files known to be malware
- Detects suspected malware through fast pattern matching
- DAT, as in .dat

Slide 41: Problems with Antivirus
- Malware mutates, so the problem is to develop DATs that are sufficiently generic to detect many variants without false positives
- High frequency of updates; at best 24-48 hrs before a DAT is distributed for new malware
  - In reality, more likely to be 1-3 weeks, e.g. in 2007 McAfee needed 10 days to react to the Hearse root kit, Symantec 13 days

Slide 42: Problems with Antivirus
- Time to serve the data to the antivirus tool
  - E.g. a drive can read 125Mb / sec and there is 40GB of data to be scanned
  - The machine takes ~5 min to serve the data to the antivirus tool
- Time to process DATs for each file served
  - Around 10,000 new pieces of malware are created each day, so over 3.5m per year
  - E.g. if it takes one millionth of a second to process each – just over 3.5 sec for each file
- Can be made quicker (e.g. more generic DATs), but there are inherent scaling problems with the technology
Slide 43: Pharming
- Attackers hijack or poison DNS servers
- Users are redirected to the attacker's website
- The user thinks he is at but he is actually at the attackers' web site
- Attackers steal user personal data (e.g. bank details)

Slide 44: Spam
- Named after a Monty Python sketch: something that is repeated and repeated to great annoyance: "Spam spam spam spam ... Wonderful spam!"
- A scam used to "help" the annual US green card lottery in 1994 led to the wide use of the term "spam"
- Other notorious scams: "advance fee fraud" (e.g. the "419" Nigerian scam) – typically conducted by "spam gangs" throughout the world
- Most spam is "direct marketing", with ~80% being pharmacy-related
- 419 Eater turned the tables!

Slide 45: Spam
- Around 88-92% of all messages in the first half of 2010 were spam
- Some spam is blank – the "automatic failure to deliver" is used to distinguish real from non-existent addresses
- Feb/Mar 2011: all UK universities received "Freedom of Information" requests to disclose all addresses of staff
  - This came from a source known to be associated with spam-based direct marketing
  - Some institutions complied, some challenged this (some successfully, some unsuccessfully – the Information Commissioner works on a case-by-case basis, and it also depends on the form of the challenge)
- Lists of confirmed "live" addresses are valuable; spammers pay good money for them

Slide 46: Phishing
- Definition: attempting to steal passwords or other sensitive information by posing as a trustworthy website
- Around 2.3% of spam relates to phishing attacks
- Probably the biggest concern for the security industry today
- Banks are typical targets
- Phishing is analogous to fishing
- C. Herley and D. Florencio (2008). A profitless endeavour: Phishing as tragedy of the commons. In Proceedings of the 2008 Workshop on New Security Paradigms
- Why such a big concern? It circumvents technological security measures and targets the users / customers themselves
- See hidden slides for more details, and an example attack

Slide 47: Phishing: Attack and Defence
- The number of phishing victims does not grow very fast
- Once people have been phished, not many will be phished again (hopefully!)
  - To compare it to "fishing" – they are not "thrown back into the pond"
- In order to get more phishing results, more attempts have to be made, and each such attempt will make less money on average
- At the same time, more sophisticated defences are developed

Slide 48: Phishing: Attack and Defence
- Phishers will expect to make less and less money
- Successful phishers will be those who come up with new techniques
- Example from Viega (2009, chapter 15):
  - Amazon.com / co.uk customers get lots of marketing
  - No obvious way to authenticate such s
  - Amazon is not known for phishing attempts
  - Amazon does force you to type in your password frequently, so this would not be suspicious
- How would a phisher exploit this?

Slide 49: Example: Phishing Attack
- The attacker obtains a domain name with "amazon" in it
- The attacker sends out that looks like it comes from amazon.co.uk – just an advert
- When the victim clicks on a link in the message, the attacker sends a page that looks like the Amazon login page
- Once the user types in username / password, the attacker tries to log them into amazon.co.uk (the password is now known)
- The attacker now acts as a "man-in-the-middle" and forwards all requests of the user to Amazon and all replies (web pages) from Amazon to the user

Slide 50: Example: Phishing Attack
- The attacker may log everything, e.g. the user's credit card details
- The attacker can also log into Amazon and look for recently placed orders of this user
  - Can be used to send the user a bogus
  - If an order has just been placed, Amazon needs time to process the order, so it is unlikely to contact the user with
- The attacker can send a bogus to the user telling them that the credit card was rejected
  - Provide a link to the attacker's own web site with input fields, where the unsuspecting user can enter credit card details again
Slide 51: Routers and Internet Security
- Organisations are keen to use the Internet – how can they protect themselves from such attacks?
- Routers, being gateways, play a central role in Internet security
  - Gates can be locked and guarded
- A router can be configured to allow specific connection requests to pass, while blocking all others
  - Such a router is configured as a firewall

Slide 52: Firewalls
- Capabilities are to allow / block:
  - Connections via specific ports
  - The use of specific protocols
  - Connections from specific domains (white listing)
- Example: organisations commonly employ firewalls to allow HTTP access on port 80, but block telnet access on port 23
- Companies such as 3Com and Cisco market Internet technology to organisations, emphasising security features

Slide 53: Intranet
- The term intranet refers to internal protected organisation-wide internets
- Protected from the public Internet by firewalls, or not connected at all
- Many large organisations use them (e.g. to screen against virus attacks)
- [Diagram: Public Internet – Firewall Gateway – Private Intranet]

Slide 54: Extranets
- Companies wish to create secure Internet links with partner companies – suppliers & customers – essentially to connect their intranets and allow secure electronic data interchange (EDI)
- This leads to a new marketing term: extranet – an "internet of intranets", with the key feature that specific EDI, transaction and security standards are used

Slide 55: Web Services
- Recent development: XML-based standards for electronic data interchange within extranets have emerged
  - E.g. a company sells car parts to an automobile manufacturer and uses an XML schema or OWL to represent an ontology for the specification of those parts
- Web Services allow Remote Method Invocation (RMI) over HTTP
  - Use SOAP messaging and WSDL specs for describing remote methods
  - Usually port 80 is open on firewalls – web service calls use the HTTP protocol
- RMI – Java Remote Method Invocation (Java RMI) enables the programmer to create distributed Java technology-based to Java technology-based applications, in which the methods of remote Java objects can be invoked from other Java virtual machines, possibly on different hosts.
- SOAP – Simple Object Access Protocol, a protocol specification for exchanging structured information in the implementation of Web Services in computer networks.
- WSDL – The Web Services Description Language is an XML-based interface description language used for describing the functionality offered by a web service.

Slide 56: Cloud Computing
- Outsourcing of the intranet / extranet
- Local management overhead (with coordination and establishment of exchange protocols) can be managed by a third-party provider
- Has led to the use of cloud computing to provide various services:
  - Software: , document sharing, word processing
  - Infrastructure: workflow among companies
  - Platforms: develop infrastructure / software for others
- SaaS, PaaS, IaaS – Software, Platform, Infrastructure as a Service

Slide 57: Infrastructure
- With outsourcing, there is a decreasing need for complex infrastructures to be developed / maintained in-house
- But do you trust your service provider?
- [Diagram: Internet traffic → External Gateway → FTP Server / Mail Server / Web Server → Internal Gateway → Intranet ("safe traffic")]
Slide 58: Information Privacy
- Regardless of what you need, you need to think about the security of information:
  - Customer credit card details
  - Patient records
  - Seismic / drilling data
  - Theft of intellectual property

Slide 59: Theft
- Insiders are the biggest threat
  - Defence: good access control
- Most organisations do not properly vet staff
  - Defence: good access control (access to computing systems, physical access)
  - Defence: properly vet staff!
- Security policies for staff: are they enforceable?
  - E.g. encrypted laptops / USB drives
  - Wikileaks information was smuggled out on a rewritable CD

Slide 60: Loss of Sensitive Data
- Credit card numbers, patient information, etc.
- Contractual implications: the credit card company may refuse you unless you use specific protocols
- Legal risks (getting sued)
- Legal defence: due diligence
  - Use of best practice within the organisation
  - Checking on best practice of service providers
  - Public disclosure of policies

Slide 62: Other Procedures
- Internal procedures help to mitigate risks and cost to the retailer
- Credit card security checks consider:
  - Addresses that don't work
  - Orders placed in the middle of the night
  - Unusual purchase patterns
- Some can be checked with software
- E-commerce transactions are 20 times more likely to be disputed than high-street face-to-face purchases

Slide 63: Defence Strategy
- For the sys admin, these are things to consider:
  - Management: keep your systems up to date and configured in ways that will minimise the attack surface
  - Understanding: understand your systems (e.g. use mapping software); understand your users (e.g. is there a need for remote logins?)
  - Training: train staff (technical / non-technical) on how not to expose systems or their personal information
  - Filtering: use appropriately configured firewalls, NAT (Network Address Translation) routers, and other such devices
  - Intrusion detection: monitor your networks for signs of suspicious behaviour (but consider whether / how this is viable)
  - Encryption: require the use of protocols such as SSH and SFTP (and turn off telnet and ftp)

Slide 64: Configuration Management
- Install security patches
- Know what is in configuration files
- Disable default passwords
- Disable unneeded features – apply a clampdown
- Auditing and logging
- Properly set up firewalls, virus checkers, etc.
- Use vulnerability checking tools

Slide 65: Learn about Vulnerabilities
- Monitor websites: US-CERT advisories (us-cert.gov), McAfee, etc.
- Operating system updates (often automated): Microsoft, Apple, Linux
- Don't let hackers find out about vulnerabilities and develop exploits before you have mitigated the risks!

Slide 66: Defence in Depth
- A combination of layers is much more effective than a single layer
  - The attacker has to penetrate all of them
- Relying on a single layer (e.g. a firewall) is exceedingly dangerous
  - Especially since you know it will have some weaknesses!
- Tend to use dissimilar firewalls in your (tightly secured) system design, so that an attacker has to defeat two separate pieces of technology to successfully bypass, for example, an Internet-facing server.

Slide 67: Defence in Depth
- First layer: filtering traffic using a firewall
- Second layer: good sys admin
  - Only enable / install what is needed
  - Avoid being too restrictive – people will find ways around an unreasonably constrained environment
- Third layer: good access control
  - Minimise damage if a hacker gets in
- Fourth layer: secure applications
  - Secure programming: well designed, well tested, worst-case scenarios, etc.
- Fifth layer: intrusion detection
  - Who decides what 'good' means? Standards compliance would help.
- Remember – how much security is enough?