Security - Network Security


Security - Network Security
CS3517 Distributed Systems and Security, Lecture 22

Content
- Security issues in distributed systems
- Network attack and defence
- Reading: Anderson, chapters 6 and 21; Viega, J. (2009), The Myths of Security: What the Computer Security Industry Doesn't Want You to Know, O'Reilly

Distributed Systems Issues
- Concurrency, distributed updates: how do we inform everyone of a stolen credit card number?
- Fault tolerance: what do we do if a credit card PIN cannot be verified because of a network failure?
- Naming / identity problems, e.g. how do we know that www.amazon.com is really Amazon and not a spam website?

Attack: Concurrency
- When the same data is used worldwide and simultaneously, how can we keep it consistent?
  - Propagate changes (in the right order)
  - Avoid deadlocks
- This is a classic distribution problem
- It is much worse when malicious attackers attempt to exploit this need for data replication / synchronisation and information exchange

Example: Stolen Credit Card
- A person reports a stolen credit card
- The bank must inform the credit card company
- The credit card company must inform all merchants
- This process takes time
  - What if the network is down?
  - What if there are bureaucratic errors at the credit card company or the bank?
- Until all these information updates have been distributed, a malicious person can use the stolen credit card (how small is the attacker's window of opportunity?)

Defence
- Insist on verifying the credit card against a database. Therefore:
  - This is acceptable for a few large transactions
  - It is unacceptable for many small transactions: too much network traffic
  - Also: the so-called "insult cost" (annoyance to the customer) is high when the network is down or a server time-out occurs
- Therefore:
  - Propagate key data quickly
  - Accept some losses
- Always a trade-off between security and operational ease

Problems with Time in Networks
- If the time on the local computer is not set correctly, an attacker can fake the time:
  - Extend a "30-day trial" forever
  - Take down your firewall by convincing it that the license has expired ("Cinderella attack")
- Defence: get accurate time from the network using the Network Time Protocol (NTP)

Fault Tolerance
- What happens when the network or a resource (computer, database) becomes unavailable? E.g. local caching of key information in credit card information systems
- What happens if a person is wrongly accused of credit card fraud? See the example in Anderson's book: a person was arrested for allegedly using a forged credit card. The card was genuine; the problem was a mechanical fault in the card reader
- Fault tolerance is also called graceful degradation

Fault Tolerance
- Suppose an e-prescription system crashes
- What should a chemist do when a person demands the sale of a prescription drug (maybe a "life or death" situation)?
- An attacker can deliberately crash the network so that the e-prescription system is unavailable
- If the prescription is dispensed and the customer was lying, who pays for the mistake: chemist, NHS, insurance?

Defence: Redundancy
- Safeguarding services locally:
  - Redundant arrays of storage media: duplication of data (RAID)
  - Process group redundancy: replication of services; multiple copies of the system run on multiple servers
  - Backup: store snapshots of data at regular intervals
- All these measures replicate data, which makes confidentiality much harder to maintain

Defence: Fail-Stop Processors
- Process error-correction information along with the data
- Stop processing when an inconsistency is detected
- Vulnerable to denial-of-service attacks
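As an added example (not part of the lecture slides) of the fail-stop idea: each record carries a keyed integrity tag, processing halts at the first record whose tag does not verify, and the function reports where it stopped. The key and the records are constructed for the example. It also shows the slide's last point: one corrupted record stops everything behind it, which is what makes fail-stop processing a denial-of-service exposure.

```python
import hashlib
import hmac

# Constructed key for the example; a real deployment manages this key separately.
INTEGRITY_KEY = b"constructed-integrity-key"

def tag(record: bytes) -> bytes:
    """Error-detection information carried along with each record (a truncated HMAC)."""
    return hmac.new(INTEGRITY_KEY, record, hashlib.sha256).digest()[:8]

def make_stream(records):
    """Attach a tag to every record, as the producing side would."""
    return [(r, tag(r)) for r in records]

def fail_stop_process(stream):
    """Consume records in order and stop at the first inconsistency.

    Returns (accepted_records, stop_index): stop_index is None when every tag verified,
    otherwise the position of the record that failed. Nothing after it is processed."""
    accepted = []
    for i, (record, t) in enumerate(stream):
        if not hmac.compare_digest(t, tag(record)):
            return accepted, i
        accepted.append(record)
    return accepted, None

if __name__ == "__main__":
    stream = make_stream([b"credit 10", b"debit 5", b"credit 7"])
    print(fail_stop_process(stream))
    stream[1] = (b"debit 500", stream[1][1])   # tamper with a record, keep its old tag
    print(fail_stop_process(stream))            # halts at index 1, later records unprocessed
```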

Naming
- How can we trust and verify a particular name or URL?
  - www.pcworld.com vs. www.pcworld.co.uk
  - www.pcworld.com vs. www.pcwor1d.com
- Do URL, DNS and certificate providers vet applications?
- Can anyone get an ID as "Microsoft" just by filling in a form and paying 100 pounds?
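One defensive check for the look-alike problem on this slide, written as an added example rather than anything from the lecture: hostnames are reduced to a "skeleton" in which digits and non-Latin letters that read like Latin letters are mapped to those letters, and the skeleton is compared against a vetted list. The confusable table is a small illustrative subset, and the trusted list is constructed from the slide's own examples; the example goes slightly beyond the slide by also catching Cyrillic look-alikes and the "rn" for "m" trick.

```python
import unicodedata

# Illustrative confusable-character table constructed for this example (not a complete
# list of look-alike characters): keys are what might be registered, values the Latin
# letter a reader would take them for.
CONFUSABLES = {
    "1": "l", "|": "l", "0": "o", "5": "s", "3": "e",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}
# Two-character sequences that read as a single letter
DIGRAPHS = {"rn": "m", "vv": "w"}

# Hostnames the organisation has vetted (constructed list using the slide's examples).
TRUSTED = {"www.pcworld.com", "www.pcworld.co.uk", "www.amazon.com", "www.amazon.co.uk"}

def skeleton(hostname: str) -> str:
    """Reduce a hostname to what it looks like: lower case, diacritics removed, confusables mapped."""
    host = unicodedata.normalize("NFKD", hostname.lower())
    host = "".join(ch for ch in host if not unicodedata.combining(ch))
    for pair, letter in DIGRAPHS.items():
        host = host.replace(pair, letter)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

TRUSTED_SKELETONS = {skeleton(h): h for h in TRUSTED}

def classify(hostname: str):
    """Return ("trusted", name), ("lookalike", name it imitates) or ("unknown", None)."""
    name = hostname.lower()
    if name in TRUSTED:
        return ("trusted", name)
    imitated = TRUSTED_SKELETONS.get(skeleton(name))
    if imitated is not None:
        return ("lookalike", imitated)
    return ("unknown", None)

if __name__ == "__main__":
    for h in ("www.pcworld.co.uk", "www.pcwor1d.com", "www.arnazon.com", "www.example.com"):
        print(h, classify(h))
```

Note that the two pcworld hosts on the slide are both trusted here: different registries, different owners, same look, which is exactly why a vetted list rather than visual inspection has to decide.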

Distributed System Security
- Solution: careful design, good practice, policy
- Concurrency, fault tolerance and naming are all generic distributed system issues
- Use established technology and models (best practice)
- Backup security
- Vet DNS / certificate applications
- Take into account not only fraudulent users, but also faulty equipment (see the wrongful arrest in the credit card case)

Network Security
Security concerns arise because:
- Many people have access to your computer; some of them are thieves or hackers
- You have access to many computers worldwide; some / many of them are infected or otherwise dangerous

Importance of Network Security
- Public standards: intruders know more about the protocols; weaknesses are realised quickly
- Pervasive: no need for specialist equipment for an attack
- Web servers are extensible: can be connected to other software systems and make them vulnerable to attack
- Web clients are extensible: plug-ins can have security flaws
- Dependence on many interconnected elements: no way to perform a "binding analysis"

Fundamental Threats
- Threats can be classified as:
  - Deliberate (e.g. hacker intrusion)
  - Passive (e.g. wire-tapping)
  - Active (e.g. changing the value of a transaction)
  - Accidental (e.g. a secret message sent to the wrong address)
- No universally agreed classification, but:
  - Denial of service: legitimate access to a resource is deliberately impeded
  - Information leakage: information is disclosed to unauthorised parties
  - Integrity violation: data consistency is compromised
  - Illegitimate use: a resource is used by an unauthorised person in an unauthorised way

Example Threats
- Packet sniffing: harvest personal data (e.g. username / password)
- Denial of service: attempt to make a computer resource unavailable for other users
- Spam: send out unwanted traffic to users
- Phishing and pharming: attempt to steal personal data
- Trojans, viruses, worms, root kits: malicious code
We'll have a look at these in the coming slides.

Be aware of Attacks! Mapping
- Attackers try to find out what services are implemented before an attack:
  - Use ping to identify hosts
  - Use a port scanner to establish TCP connections
  - Probe for known weaknesses, e.g. very long passwords crash some FTP servers
- Tools: nmap (nmap.org), a mapper for "network exploration and security auditing"; legitimate use by sys admins for network management
- In system security design, port control is given particular attention (e.g. Checkpoint Endpoint)

Be aware of Attacks! Mapping: Protection
- Record traffic entering the network
- Look for suspicious activity:
  - IP addresses being pinged
  - Ports being scanned sequentially
- Many firewalls detect mapping activities
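The two indicators on this slide, many ports of one host touched by one source and many hosts pinged by one source, as detection logic run over a constructed connection log. This is an added example, not code from the lecture; the log format (timestamp, source, destination, protocol, destination port), the addresses and the thresholds are all assumptions, and traffic is grouped into fixed one-minute buckets for simplicity rather than a true sliding window.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines (not real traffic): timestamp src dst proto dport.
SAMPLE_LOG = """\
2011-03-01T10:00:01 203.0.113.7 192.0.2.10 tcp 21
2011-03-01T10:00:01 203.0.113.7 192.0.2.10 tcp 22
2011-03-01T10:00:02 203.0.113.7 192.0.2.10 tcp 23
2011-03-01T10:00:02 203.0.113.7 192.0.2.10 tcp 24
2011-03-01T10:00:03 203.0.113.7 192.0.2.10 tcp 25
2011-03-01T10:00:03 203.0.113.7 192.0.2.10 tcp 26
2011-03-01T10:00:05 198.51.100.4 192.0.2.10 tcp 80
2011-03-01T10:00:09 198.51.100.4 192.0.2.10 tcp 80
2011-03-01T10:01:00 203.0.113.9 192.0.2.1 icmp 0
2011-03-01T10:01:00 203.0.113.9 192.0.2.2 icmp 0
2011-03-01T10:01:01 203.0.113.9 192.0.2.3 icmp 0
2011-03-01T10:01:01 203.0.113.9 192.0.2.4 icmp 0
2011-03-01T10:01:02 203.0.113.9 192.0.2.5 icmp 0
"""

def parse(lines):
    """Turn log text into (timestamp, src, dst, proto, dport) tuples."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return events

def longest_sequential_run(ports):
    """Length of the longest run of consecutive port numbers (sequential scans score high)."""
    ports = sorted(set(ports))
    best = run = 1
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best

def detect_mapping(lines, window_s=60, scan_ports=5, sweep_hosts=4):
    """Flag port scans (one src touching >= scan_ports ports on one dst within a bucket)
    and ping sweeps (one src sending ICMP echo to >= sweep_hosts hosts within a bucket)."""
    tcp_ports = defaultdict(set)   # (bucket, src, dst) -> distinct destination ports
    icmp_hosts = defaultdict(set)  # (bucket, src) -> distinct pinged hosts
    for ts, src, dst, proto, dport in parse(lines):
        bucket = int(ts.timestamp() // window_s)
        if proto == "tcp":
            tcp_ports[(bucket, src, dst)].add(dport)
        elif proto == "icmp":
            icmp_hosts[(bucket, src)].add(dst)
    alerts = []
    for (_, src, dst), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst,
                           "ports": len(ports), "sequential_run": longest_sequential_run(ports)})
    for (_, src), hosts in icmp_hosts.items():
        if len(hosts) >= sweep_hosts:
            alerts.append({"type": "ping_sweep", "src": src, "hosts": len(hosts)})
    return alerts

if __name__ == "__main__":
    for alert in detect_mapping(SAMPLE_LOG):
        print(alert)
```

The legitimate client 198.51.100.4 that connects twice to port 80 produces no alert; thresholds like these are the "tuning" the later IDS slides talk about.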

Be aware of Attacks! Packet Sniffing
- Used by sys admins to detect bottlenecks and other problems in a network
- Sniffers work by catching particular sequences of data transmitted over the network
- Could be used to siphon off sensitive data, e.g. detecting logins
- Example: host C sniffs B's packets
  [Diagram: hosts A, B and C on the same network; packet src:B dest:A payload]

Sniffers: Protection
- All hosts in the organisation run software that checks periodically whether the host interface is in "promiscuous mode"
- How can we protect ourselves?
  - SSH, not Telnet (but only if the sys admin implements this service)
  - HTTP over SSL (https)
  - SFTP, not FTP
  - Unless you really don't care about the password or data
- Promiscuous mode causes the interface controller to pass all traffic it receives to the CPU, rather than only the frames the controller is intended to receive

Denial of Service
- Designed to prevent or degrade a host's quality of service
- Done by:
  - Sending TCP packets larger than 65536 bytes (the maximum) to crash a host ("Ping of Death")
  - Producing packets with contradictory TCP header information, which crash the host attempting to reassemble them ("Teardrop")
  - SYN flooding, SMURF, distributed attacks: see hidden slides!

Denial of Service: SYN flooding
- Send a lot of SYN (synchronisation) packets with bogus source IP addresses
- The server responds with SYN / ACK and keeps state about the TCP half-open connection
- An ACK is expected back to establish the full connection, but it is never received (bogus source IP)
- The server becomes almost completely busy with the hostile client

Denial of Service: SMURF
- Provoke pings and responses from unsuspecting sources to a particular server
- A packet from the perpetrator contains an Internet Control Message Protocol (ICMP) ping message that appears to come from the victim / target server, and is sent to the IP broadcast address
  [Diagram: the perpetrator sends an ICMP echo with the spoofed source address of the victim to an IP broadcast address across the Internet; the ICMP echo replies go to the victim]
- Enough pings and responses can flood the network

Distributed Denial of Service
- Same techniques as regular DoS, but on a much larger scale
- Use a known vulnerability to infect a large number of machines with a "zombie"
- The zombie logs into an IRC channel and awaits commands
- IRC bot command: "!p4 207.71.92.193"
- Results in: "ping.exe 207.71.92.193 –I 65500 –n 10000", i.e. 10000 64k ping packets sent to the host

DDoS example: Code Red
- July 19th, 2001: over 359000 computers infected with Code Red in less than 14 hours
- Used a buffer exploit in MS IIS
- Damages estimated in excess of $2.6 billion
- Code Red launched a DDoS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
- Spent the rest of its time infecting other hosts

Denial of Service: Protection
- SYN: use "SYN cookies": in response to a SYN, create a special "cookie" for the connection, and forget everything else
  - Then the forgotten information can be recreated when the ACK comes in from a legitimate connection
- More general: filter out flooded packets (e.g. SYN) before they reach a host; this throws out good with bad
- Trace back to the source of floods (most likely an innocent, compromised machine)
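The SYN cookie defence against the SYN flood described two slides earlier, as an added example that is not from the lecture. The server answers every SYN with an initial sequence number computed from a keyed hash of the connection tuple, a coarse time counter and the client's own ISN, and stores nothing; when an ACK arrives, the server recomputes the hash and, only if it matches, rebuilds the connection state (here just the MSS). The bit layout, the secret, the MSS table and the one-minute acceptance window are assumptions chosen for the example; real implementations differ in detail but work the same way.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed server secret; a real implementation generates it randomly and rotates it.
SECRET = b"constructed-syn-cookie-secret"
# MSS values the 3-bit field can encode (a small table, as real implementations use).
MSS_TABLE = [536, 1300, 1440, 1460]

def _mac(src_ip, dst_ip, src_port, dst_port, counter, mss_idx, client_isn):
    """24-bit keyed hash binding the cookie to the tuple, time slot, MSS index and client ISN."""
    msg = struct.pack("!4s4sHHBBI",
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed,
                      src_port, dst_port, counter, mss_idx, client_isn)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, mss, now):
    """Server ISN to send in the SYN/ACK; no half-open connection state is kept.
    Layout (assumed for this example): 5 bits minute counter | 3 bits MSS index | 24 bits MAC."""
    counter = (now // 60) & 0x1F
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fitting[-1] if fitting else 0          # largest table entry the client accepts
    mac = _mac(src_ip, dst_ip, src_port, dst_port, counter, mss_idx, client_isn & 0xFFFFFFFF)
    return (counter << 27) | (mss_idx << 24) | mac

def check_cookie(src_ip, dst_ip, src_port, dst_port, client_seq, ack_num, now):
    """Validate the final ACK of the handshake and rebuild the forgotten state.
    client_seq is the ACK's sequence number (client ISN + 1); ack_num its acknowledgement
    number (server ISN + 1). Returns the MSS to use, or None if the ACK is bogus or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    current = (now // 60) & 0x1F
    # Accept the current minute and the previous one; anything older is stale.
    if counter not in (current, (current - 1) % 32):
        return None
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    expected = _mac(src_ip, dst_ip, src_port, dst_port, counter, mss_idx, client_isn)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    now = 1700000000
    isn = make_cookie("203.0.113.7", "192.0.2.10", 40000, 80, client_isn=12345, mss=1460, now=now)
    print("legitimate ACK ->", check_cookie("203.0.113.7", "192.0.2.10", 40000, 80, 12346, isn + 1, now))
    print("forged ACK     ->", check_cookie("203.0.113.7", "192.0.2.10", 40000, 80, 12346, isn + 7, now))
```

Because the cookie is a keyed hash rather than a counter, this also addresses the sequence-number predictability discussed on the spoofing slides: a host that cannot see the SYN/ACK cannot produce an acceptable ACK.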

Denial of Service: Protection
- Ingress filtering: network ingress filtering is a packet filtering technique used by many Internet service providers to try to block network packets with a spoofed sender IP
  - All connected networks are known, and therefore also the range of possible source IP addresses
  - If the source IP of a packet is outside this range, drop it
- Stay on top of CERT advisories and the latest security patches
  - E.g. a fix for the Microsoft IIS buffer overflow was released 16 days before Code Red!
Notes: The CERT Coordination Center (CERT/CC) is the coordination center of the Computer Emergency Response Team (CERT) for Internet security incidents. IIS (Internet Information Services) is a set of Internet-based services for servers using Microsoft Windows. Code Red was a computer worm observed on the Internet on July 13, 2001; it attacked computers running Microsoft's IIS web server.

Spoofing
- IP address spoofing (IP spoofing) refers to the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system
- The intruder uses a computer to masquerade as another trusted host, e.g. the computer pretends to have the IP address of the host
- Example: C pretends to be B
  [Diagram: hosts A, B and C; packet src:B dest:A payload, sent by C]

Spoofing
- IP spoofing is most frequently used in denial-of-service attacks. In such attacks the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks.
- IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. With such authentication, users can log in without a username or password provided they are connecting from another machine on an internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machines without authentication.
- See hidden slides for more info on how spoofing works.
- DoS is common because it's easier just to break something than to do something more clever with it!

Spoofing: How it works
- Defence against IP spoofing attacks: for example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection
- Since the attacker normally can't see any reply packets, the sequence number must be guessed in order to hijack the connection
- The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted

Spoofing: How it works
- Put the trusted host out of action, e.g. through a denial of service attack
- Obtain the IP address of the trusted host
- Establish a connection to the server it wishes to attack through the standard IP handshake
- Attempt to infer the sequence numbers used by the trusted host and server during a validated dialogue, e.g. through trial and error
  - This is the most difficult part of this type of attack: the administrator will be alerted to the attack if the reply sequences from the intruder are not correct

Spoofing: Protection
- Ingress filtering: blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine.
- Egress filtering: blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network from launching IP spoofing attacks against external machines.
- Routers should not forward outgoing packets with invalid source addresses, e.g. a datagram source address not in the router's network

Intrusion Detection / Prevention
- Put a computer on the network that looks at all traffic
  - IDS tells you that the network is being attacked
  - IPS drops packets from the attacker automatically
- Not just ingress filtering: can detect problems from compromised hosts within the network
- Examples:
  - More than three failed logons from the same IP address
  - A phone call longer than six hours
  - Credit card expenditure of more than twice the moving average of the last three months
- IDS: Intrusion Detection System; IPS: Intrusion Prevention System

Detection Techniques
- Look for the likely behaviour (signature) of an intruder
  - Maximum ATM withdrawal for several days
  - Sudden use of sophisticated tools by naive users
- Look for anomalous patterns of behaviour (data mining, machine learning)
  - Detects attacks not previously recognised and catalogued
  - Legal problems if this ends up discriminating against people, especially if you can't explain what your system is looking for (neural nets)
- Off-the-shelf IDS typically gives ~1000 alerts per day
  - Not just lots of false positives: any server with an authentication service will see many failed login attempts per day from those attempting to access the system by guessing passwords
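The two kinds of rule on the last two slides, a signature rule ("more than three failed logons from the same IP address") and an anomaly rule ("expenditure of more than twice the moving average of the last three months"), run over constructed syslog-style lines and constructed spending figures. This is an added example and not code from the lecture; the log format, the thresholds and the figures are assumptions.

```python
import re
from collections import Counter

# Constructed auth-log lines in a syslog-like format (not from a real system).
AUTH_LOG = """\
Mar  1 10:00:01 srv sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 srv sshd[102]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 srv sshd[103]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:07 srv sshd[104]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:02:11 srv sshd[105]: Failed password for alice from 198.51.100.9 port 50001 ssh2
Mar  1 10:02:40 srv sshd[106]: Accepted password for alice from 198.51.100.9 port 50002 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def failed_logon_alerts(log, threshold=3):
    """Signature rule: report every source IP with more than `threshold` failed logons.
    Returns [(ip, count), ...] in first-seen order."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return [(ip, n) for ip, n in counts.items() if n > threshold]

def expenditure_anomalous(monthly_totals, current, factor=2.0, months=3):
    """Anomaly rule: is `current` more than `factor` times the moving average of the
    last `months` months? Returns None when there is not enough history to judge."""
    if len(monthly_totals) < months:
        return None
    average = sum(monthly_totals[-months:]) / months
    return current > factor * average

if __name__ == "__main__":
    print(failed_logon_alerts(AUTH_LOG))             # the guessing source, not alice's one typo
    print(expenditure_anomalous([400, 500, 600], 1300))
```

Alice's single failed attempt followed by a success is exactly the everyday noise the slide mentions; a threshold of zero would report her too, which is where the ~1000 alerts a day come from.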

Intrusion Detection / Prevention
- Need up-front "tuning" of the IDS/IPS to bring alerts down to reasonable levels (say ~30)
- Say each message takes 5 minutes to investigate
- Could cost the company 20k per year of trained IT staff time to deal with alerts
- Does not account for clean-up costs; an IDS just brings problems to attention faster
- Is it cost-effective? Maybe if your company has 40k employees; normally best to outsource

Worms and Viruses
- Worm: self-propagating "malware"; can run itself
- Virus: worm that replicates by attaching itself to other programs
- Data virus, e.g. a Word macro virus, which can affect the way the program operates and copy itself to new documents
- Email viruses may use popular clients (e.g. MS) to propagate through the use of address books

Trojan Horses
- A seemingly innocent application can hide a Trojan horse
- The application is supposed to perform a useful function, e.g. a file compression / decompression utility
- It actually does nasty things when installed, e.g. deletes essential operating system files
- More likely not to be so obvious, e.g. installs a root kit to provide remote access to the machine

Root Kit
- Malware (spyware, Trojans) that hides its presence from spyware blockers, antivirus and system management utilities
- "Root kit" comes from "root" (the administrator account under Unix) and "kit" (a set of software tools)
- Attackers try to get "root" access to a system in order to install a root kit, with which they get full control of the system
- Root kit: set of admin tools replaced by malicious versions; continues to operate in a hidden fashion
- History:
  - 1986: first documented virus to operate in a cloaked fashion under DOS, redirection of the boot sector
  - 1990: root kit for SunOS
  - 1999: Windows NT
  - 2009: OSX
- Example of commercial use, 2005: Sony BMG copy protection root kit scandal: published CDs with copy protection; on the CD was a music player that installed a root kit to control the user's access to the CD

Anti-Virus
- Designed to detect all kinds of malware: spyware, adware, bot net software, worms, etc.
- Consists of a generic engine that operates with DATs (data files, as in .dat)
- DATs contain signatures of binary files known to be malware
- Detects suspected malware through fast pattern matching

Problems with Antivirus
- Malware mutates, so the problem is to develop DATs that are sufficiently generic to detect many variants without false positives
- High frequency of updates: at best 24-48 hrs before a DAT is distributed for new malware
- In reality, more likely to be 1-3 weeks, e.g. in 2007 McAfee needed 10 days to react to the Hearse root kit, Symantec 13 days
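The engine-plus-DAT model of the previous slide and the generic-versus-false-positive trade-off of this one, as an added example that is not from the lecture. The "DAT" holds three kinds of signature (a whole-file hash, an exact byte string, and a wildcard pattern written to cover a family whose version bytes vary); every pattern and every sample file below is constructed for the example and matches no real malware.

```python
import hashlib
import re

# Constructed "DAT" entries: hash of a whole file, an exact byte string, a generic pattern.
HASH_SIGNATURES = {
    hashlib.sha256(b"CONSTRUCTED TROJAN SAMPLE").hexdigest(): "Example.Trojan.B",
}
EXACT_SIGNATURES = {
    "Example.Worm.A": bytes.fromhex("deadbeef0102"),   # byte string unique to one variant
}
# Generic signature: tolerates the two version bytes changing between variants.
GENERIC_SIGNATURES = {
    "Example.Worm.gen": re.compile(rb"EXMPL\x00[\x01-\x09]{2}\x00PAYLOAD"),
}
# A signature that is too generic: it fires on any file containing the word PAYLOAD.
TOO_GENERIC = {"Example.Overbroad": re.compile(rb"PAYLOAD")}

def scan(data: bytes, generic=GENERIC_SIGNATURES):
    """Run the engine over one file's bytes; returns the names of all signatures that match."""
    hits = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    for name, needle in EXACT_SIGNATURES.items():
        if needle in data:
            hits.append(name)
    for name, pattern in generic.items():
        if pattern.search(data):
            hits.append(name)
    return hits

# Constructed sample files.
VARIANT_A = b"\x00" * 5 + b"EXMPL\x00\x01\x02\x00PAYLOAD" + bytes.fromhex("deadbeef0102")
VARIANT_B = b"EXMPL\x00\x03\x04\x00PAYLOAD" + b"\x00" * 3   # mutated: the exact signature no longer matches
BENIGN = b"a benign document that mentions the word PAYLOAD"

if __name__ == "__main__":
    for label, sample in (("A", VARIANT_A), ("B", VARIANT_B), ("benign", BENIGN)):
        print(label, scan(sample), "overbroad:", scan(sample, generic=TOO_GENERIC))
```

Variant B is caught only by the generic signature, which is why vendors write them; the over-broad pattern shows the cost of going too far, a benign document flagged as malware.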

Problems with Antivirus
- Time to serve the data to the antivirus tool
  - E.g. the drive can read 125Mb / sec and there is 40GB of data to be scanned: the machine takes ~5 min to serve the data to the antivirus tool
- Time to process the DATs for each file served
  - Around 10,000 new pieces of malware are created each day, so over 3.5m per year
  - E.g. if it takes one millionth of a second to process each, that is just over 3.5 sec for each file
- Can be made quicker (e.g. more generic DATs), but there are inherent scaling problems with the technology

Pharming
- Attackers hijack or poison DNS servers
- Users are redirected to the attacker's website: the user thinks he is at www.lloydstsb.com, but he is actually at the attackers' web site
- Attackers steal user personal data (e.g. bank details)

Spam
- Named after a Monty Python sketch: something that is repeated and repeated to great annoyance: "Spam spam spam spam ... Wonderful spam!"
- A scam used to "help" the annual US green card lottery in 1994 led to the wide use of the term "spam"
- Other notorious scams: "advance fee fraud" (e.g. the "419" Nigerian scam), typically conducted by "spam gangs" throughout the world
- Most email spam is "direct marketing", with ~80% being pharmacy-related
- 419 Eater turned the tables!

Spam
- Around 88-92% of all email messages in the first half of 2010 were spam
- Some spam is blank: the "automatic failure to deliver" is used to distinguish real from non-existent addresses
- Feb/Mar 2011: all UK universities received "Freedom of Information" requests to disclose all email addresses of staff
  - This came from a source known to be associated with spam-based direct marketing
  - Some institutions complied, some challenged this (some successfully, some unsuccessfully; the information commissioner works on a case-by-case basis, and it also depends on the form of the challenge)
- Lists of confirmed "live" email addresses are valuable; spammers pay good money for them

Phishing
- Definition: attempting to steal passwords or other sensitive information by posing as a trustworthy website
- Around 2.3% of spam relates to phishing attacks
- Probably the biggest concern for the security industry today; banks are typical targets
- Phishing is analogous to fishing: C. Herley and D. Florencio (2008). A profitless endeavour: Phishing as tragedy of the commons. In Proceedings of the 2008 Workshop on New Security Paradigms
- Why such a big concern? It circumvents technological security measures and targets the users / customers themselves
- See hidden slides for more details and an example attack

Phishing: Attack and Defence
- The number of phishing victims does not grow very fast
- Once people have been phished, not many will be phished again (hopefully!); to compare it to "fishing", they are not "thrown back into the pond"
- In order to get more phishing results, more attempts have to be made, and each such attempt will make less money on average
- At the same time, more sophisticated defences are developed

Phishing: Attack and Defence
- Phishers will expect to make less and less money
- Successful phishers will be those who come up with new techniques
- Example from Viega (2009, chapter 15):
  - Amazon.com / .co.uk customers get lots of marketing email
  - No obvious way to authenticate such emails
  - Amazon not known for phishing attempts
  - Amazon does force you to type in your password frequently, so this would not be suspicious
- How would a phisher exploit this?

Example: Phishing Attack
- The attacker obtains a domain name with "amazon" in it
- The attacker sends out an email that looks like it comes from amazon.co.uk, just an advert
- When the victim clicks on a link in the message, the attacker sends a page that looks like the Amazon login page
- Once the user types in username / password, the attacker tries to log them into amazon.co.uk (the password is now known)
- The attacker now acts as a "man-in-the-middle" and forwards all requests of the user to Amazon and all replies (web pages) from Amazon to the user

Example: Phishing Attack
- The attacker may log everything, e.g. the user's credit card details
- The attacker can also log into Amazon and look for recently placed orders of this user
  - Can be used to send the user a bogus email if an order has just been placed: Amazon needs time to process the order and is unlikely to contact the user by email
  - The attacker can send a bogus email to the user telling them that the credit card was rejected, providing a link to the attacker's own web site with input fields where the unsuspecting user can enter credit card details again

Routers and Internet Security
- Organisations are keen to use the Internet: how can they protect themselves from such attacks?
- Routers, being gateways, play a central role in internet security: gates can be locked and guarded
- A router can be configured to allow specific connection requests to pass while blocking all others
- Such a router is configured as a firewall

Firewalls
- Capabilities are to allow / block, for example:
  - Connections via specific ports
  - The use of specific protocols
  - Connections from specific domains (white listing)
- Example: organisations commonly employ firewalls to allow HTTP access on port 80, but block telnet access on port 23
- Companies such as 3Com and Cisco market internet technology to organisations, emphasising security features
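The firewall behaviour on this slide (allow port 80, block port 23, white-list a source network) together with the ingress and egress filtering from the spoofing protection slides, as one added example that is not code from the lecture. Packets are modelled as simple records with the interface they arrived on; the anti-spoofing check runs first, then an ordered first-match rule list with a default deny. The address ranges, rule set and interface names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: the organisation's internal prefix and a partner network.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
PARTNER_NET = ipaddress.ip_network("198.51.100.0/24")

@dataclass
class Packet:
    iface: str   # "outside" (arrived from the Internet) or "inside" (arrived from the intranet)
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int

def spoof_check(pkt):
    """Ingress/egress filtering: a reason to drop the packet, or None if its source is plausible."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "outside" and src in INTERNAL_NET:
        return "ingress: packet from outside claims an internal source address"
    if pkt.iface == "inside" and src not in INTERNAL_NET:
        return "egress: packet from inside carries a non-internal source address"
    return None

# Inbound policy: ordered, first match wins, default deny. Entries are
# (action, protocol, destination port, allowed source network or None for any).
RULES = [
    ("deny",  "tcp", 23,  None),         # telnet is never accepted
    ("allow", "tcp", 80,  None),         # public web
    ("allow", "tcp", 443, None),
    ("allow", "tcp", 22,  PARTNER_NET),  # SSH only from the white-listed partner network
]

def filter_packet(pkt, rules=RULES):
    """Decide what the firewall does with one packet: (action, reason)."""
    reason = spoof_check(pkt)
    if reason:
        return ("drop", reason)
    if pkt.iface == "inside":
        return ("allow", "outbound from a valid internal source")
    src = ipaddress.ip_address(pkt.src)
    for action, proto, dport, src_net in rules:
        if pkt.proto == proto and pkt.dport == dport and (src_net is None or src in src_net):
            return (action, f"rule {proto}/{dport}")
    return ("deny", "default deny")

if __name__ == "__main__":
    samples = [
        Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 80),
        Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 23),
        Packet("outside", "192.0.2.77", "192.0.2.10", "tcp", 80),    # spoofed internal source
        Packet("inside", "203.0.113.7", "198.51.100.1", "tcp", 80),  # spoofed external source
        Packet("outside", "198.51.100.5", "192.0.2.10", "tcp", 22),
        Packet("outside", "203.0.113.7", "192.0.2.10", "tcp", 22),
    ]
    for p in samples:
        print(p.iface, p.src, f"{p.proto}/{p.dport}", "->", filter_packet(p))
```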

Intranet
- The term intranet refers to internal, protected, organisation-wide internets
- Protected from the public internet by firewalls, or not connected at all
- Many large organisations use them (e.g. to screen against email virus attacks)
  [Diagram: public Internet, firewall gateway, private intranet]

Extranets
- Companies wish to create secure internet links with partner companies (suppliers and customers), essentially to connect their intranets and allow secure electronic data interchange (EDI)
- This leads to a new marketing term: extranet, an "internet of intranets", with the key feature that specific EDI, transaction and security standards are used

Web Services
- Recent development: XML-based standards for electronic data interchange within extranets have emerged
  - E.g. a company sells car parts to an automobile manufacturer and uses an XML schema or OWL to represent an ontology for the specification of those parts
- Web Services allow Remote Method Invocation (RMI) over HTTP
  - Use SOAP messaging and WSDL specs for describing remote methods
  - Usually port 80 is open on firewalls, and web service calls use the HTTP protocol
Notes: RMI: Java Remote Method Invocation (Java RMI) enables the programmer to create distributed Java technology-based to Java technology-based applications, in which the methods of remote Java objects can be invoked from other Java virtual machines, possibly on different hosts. SOAP: Simple Object Access Protocol, a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. WSDL: the Web Services Description Language is an XML-based interface description language used for describing the functionality offered by a web service.

Cloud Computing
- Outsourcing of the intranet / extranet
- Local management overhead (with coordination and establishment of exchange protocols) can be managed by a third-party provider
- Has led to the use of cloud computing to provide various services:
  - Software: email, document sharing, word processing
  - Infrastructure: workflow among companies
  - Platforms: develop infrastructure / software for others
- SaaS, PaaS, IaaS: Software, Platform, Infrastructure as a Service

Infrastructure
- With outsourcing, there is a decreasing need for complex infrastructures to be developed / maintained in-house
- But do you trust your service provider?
  [Diagram: Internet traffic from the Internet passes an external gateway to the FTP server, mail server and web server; only safe traffic passes the internal gateway to the intranet]

Information Privacy
- Regardless of what you need, you need to think about the security of information:
  - Customer credit card details
  - Patient records
  - Seismic / drilling data
  - Theft of intellectual property

Theft
- Insiders are the biggest threat. Defence: good access control
  - Access to computing systems
  - Physical access
- Most organisations do not properly vet staff. Defence: properly vet staff!
- Security policies for staff: are they enforceable? E.g. encrypted laptops / USB drives
- Wikileaks information smuggled out on a rewritable CD

Loss of Sensitive Data
- Credit card numbers, patient information, etc.
- Contractual implications: the credit card company may refuse you unless you use specific protocols
- Legal risks (getting sued)
- Legal defence: due diligence
  - Use of best practice within the organisation
  - Checking on the best practice of service providers
  - Public disclosure of policies

Example: Credit Card Check Procedure

Other Procedures
- Internal procedures help to mitigate risks and cost to the retailer
- Credit card security checks consider:
  - Email addresses that don't work
  - Orders placed in the middle of the night
  - Unusual purchase patterns
- Some can be checked with software
- E-commerce transactions are 20 times more likely to be disputed than high-street face-to-face purchases

Defence Strategy
For sys admins, these are things to consider:
- Management: keep your systems up-to-date and configured in ways that minimise the attack surface
- Understanding: understand your systems (e.g. use mapping software); understand your users (e.g. is there a need for remote logins?)
- Training: train staff (technical / non-technical) on how not to expose systems or their personal information
- Filtering: use appropriately configured firewalls, NAT (Network Address Translation) routers and other such devices
- Intrusion detection: monitor your networks for signs of suspicious behaviour (but consider whether / how this is viable)
- Encryption: require the use of protocols such as SSH and SFTP (and turn off telnet and ftp)

Configuration Management
- Install security patches
- Know what is in configuration files
- Disable default passwords
- Disable unneeded features: apply a clampdown
- Auditing and logging
- Properly set up firewalls, virus checkers, etc.
- Use vulnerability checking tools

Learn about Vulnerabilities
- Monitor websites: US-CERT advisories (us-cert.gov), McAfee, etc.
- Operating system updates (often automated): Microsoft, Apple, Linux
- Don't let hackers find out about vulnerabilities and develop exploits before you have mitigated the risks!

Defence in Depth
- A combination of layers is much more effective than a single layer: the attacker has to penetrate all of them
- Relying on a single layer (e.g. a firewall) is exceedingly dangerous, especially since you know it will have some weaknesses!
- Tend to use dissimilar firewalls in your (tightly secure) system design, so that an attacker has to defeat two separate pieces of technology to bypass, for example, an internet-facing server

Defence in Depth
- First layer: filtering traffic using a firewall
- Second layer: good sys admin
  - Only enable / install what is needed
  - Avoid being too restrictive: people will find ways around an unreasonably constrained environment
- Third layer: good access control: minimise damage if a hacker gets in
- Fourth layer: secure applications: secure programming (well designed, well tested, worst-case scenarios, etc.)
- Fifth layer: intrusion detection
- Who decides what "good" means? Standards compliance would help.
- Remember: how much security is enough?