1. Security - Network Security
CS3517 Distributed Systems and Security
Lecture 22

2. Content Security issues in distributed systems
Network attack and defence
Reading:
Anderson, chapters 6 and 21
Viega, J. (2009). The myths of security: What the computer security industry doesn’t want you to know, O’Reilly

3. Distributed Systems Issues
Concurrency, distributed updates
How to inform everyone of stolen credit card number?
Fault tolerance
What do we do if a credit card PIN cannot be verified due to network failure
Naming / identity problems
E.g.: how do we know that is really Amazon and not a spam website?

4. Attack: Concurrency
When the same data is used worldwide and simultaneously, how can we keep it consistent?
Propagate changes (in the right order)
Avoid deadlocks
This is a classic distribution problem
It is much worse when malicious attackers attempt to exploit this need for data replication / synchronisation and information exchange

5. Example: Stolen Credit Card
A person reports a stolen credit card
The bank must inform the credit card company
The credit card company must inform all merchants
This process takes time
What if the network is down?
What if there are bureaucratic errors at the credit card company or the bank?
Until all these information updates are distributed, a malicious person can use this stolen credit card (how small is the window of opportunity for the attacker?)

6. Defence Insist on verifying credit card against a database Therefore
This is acceptable for few large transactions
It is unacceptable for many small transactions – too much network traffic
Also: the so-called “insult-cost” (annoyance to customer) is high because a network is down or a server time out occurs
Therefore
Propagate key data quickly
Accept some losses
Always a trade off with security and operational ease

7. Problems with Time in Networks
If time on local computer is not set correctly
Attacker can fake time
Extend a “30-day trial” forever
Take down your firewall by convincing it that the license has expired (Cinderella attack)
Defence
Get accurate time from the network using the network time protocol (NTP)

8. Fault Tolerance
What happens when the network or a resource (computer, database) becomes unavailable?
E.g.: local caching of key information in credit card information systems
What happens if a person is wrongly accused of credit card fraud?
See example in book by Anderson: a person was arrested for allegedly using a forged credit card. The credit card was genuine, the problem was a mechanical fault in the card reader
Fault-tolerance is also called graceful degradation.

9. Fault Tolerance Suppose an e-prescription system crashes
What should a chemist do when a person demands the sale of a prescription drug (maybe a “life or death” situation?)
An attacker can deliberately crash the network so that e-prescription system is unavailable
If the prescription is dispensed and the customer was lying, who pays for the mistake – chemist, NHS, insurance?

10. Defence: Redundancy Safeguarding services locally:
Redundant arrays of storage media – duplication of data (RAID)
Process group redundancy:
Replication of services
Multiple copies of the system run on multiple servers
Backup:
Store snapshots of data at regular intervals
All these measures replicate data, which makes confidentiality much harder to maintain

11. Defence: Fail-Stop Processors
Process error-correction information along with data
Stop processing information, when an inconsistency is detected
Vulnerable to Denial-of-Service attacks

12. Naming How can we trust and verify a particular name or URL?
vs.
vs.
Do URL, DNS, certificate providers vet applications?
Can anyone get an ID as “Microsoft” just by filling in a form and paying 100 Pounds?

13. Distributed System Security
Solution: careful design, good practice, policy
Concurrency, fault tolerance, naming are all generic distributed system issues
Use established technology, models (best practice)
Backup security
Vet DNS / cert applications
Take into account not only fraudulent users, but also faulty equipment (see wrong arrest in credit card case)

14. Network Security Security concerns arise because
Many people have access to your computer
Some of them are thieves or hackers
You have access to many computers world wide
Some / many of them are infected or otherwise dangerous

15. Importance of Network Security
Public standards
Intruders know more about the protocols, weaknesses are realised quickly
Pervasive
No need for specialist equipment for an attack
Web servers are extensible
Can be connected to other software systems and make them vulnerable to attack
Web clients are extensible
Plug-ins can have security flaws
Dependence of many interconnected elements
No way to perform a ‘binding analysis’.

16. Fundamental Threats Threats can be classified as
Deliberate (e.g. Hacker intrusion)
Passive (e.g. Wire-tapping)
Active (e.g. changing value of a transaction)
Accidental (e.g. secret message sent to wrong address)
No universally agreed classification, but:
Denial of service – the legitimate access to a resource is deliberately impeded
Information leakage – information disclosed to unauthorised parties
Integrity violation – data consistency is compromised
Illegitimate use – a resource is used by an unauthorised person in an unauthorised way

17. Example Threats Packet Sniffing Denial of Service Spam
Harvest personal data (e.g. username / password)
Denial of Service
Attempt to make a computer resource unavailable for other users
Spam
Send out unwanted traffic to users
Phishing and Pharming
Attempt to steal personal data
Trojans, viruses, worms, root kits
Malicious code
We’ll have a look at these in the coming slides.

18. Be aware of Attacks!
Mapping: attackers try to find out what services are implemented before an attack
Use ping to identify hosts
Use port scanner
to establish TCP connections
Probe for known weaknesses – e.g. very long passwords crash some FTP servers
Tools: nmap (nmap.org) mapper: “network exploration and security auditing”
Legitimate use by sys admins for network management
In system security design – port control is given particular attention. Checkpoint Endpoint.

19. Be aware of Attacks! Mapping: Protection
Record traffic entering network
Look for suspicious activity
IP addresses being pinged
Ports being scanned sequentially
Many firewalls detect mapping activities

20. Be aware of Attacks! Packet Sniffing
Used by sys admin to detect bottlenecks and other problems in a network
They work by catching particular sequences of data transmitted over the network
Could be used to siphon off sensitive data, e.g. detecting logins
Example: host B sniffs B’s packets A B C
src:B dest:A payload

21. Sniffers: Protection
All hosts in organisation run software that checks periodically if host interface in “promiscuous mode”
How can we protect ourselves?
SSH, not Telnet (but only if sys admin implements this service)
HTTP over SSL (https)
SFTP, not FTP
Unless, you really don’t care about the password or data
Promiscuous mode causes the interface controller to pass all traffic it receives to the CPU, rather than passing only the frames that the controller is intended to receive.

22. Denial of Service
Designed to prevent or degrade a host’s quality of a service
Is done by
Sending TCP packets larger than bytes (maximum) to crash a host – “Ping of Death”
Produce packets with contradictory TCP header information, which crash the host attempting to reassemble them (“Teardrop”)
SYN flooding
SMURF
Distributed attacks
SYN flooding, SMURF, Distributed attacks – see hidden slides!

23. Denial of Service: SYN flooding
Send a lot of SYN (synchronisation) packets with bogus source IP address
Server responds with SYN / ACK and keeps state about TCP half-open connection
An ACK is expected back to establish the full connection, but never received (bogus source IP)
The server becomes almost completely busy with the hostile client

24. Denial of Service: SMURF
Provoke pings and responses from unsuspecting sources to a particular server
A packet from a perpetrator contains an Internet Control Message Protocol (ICMP) ping message that appears to come from victim / target server, and is sent to the IP broadcast address
Internet
Perpetrator
Victim
ICMP echo (spoofed source address of victim) sent to IP broadcast address
ICMP echo reply
Enough pings & responses can flood the network

25. Distributed Denial of Service
Same techniques as regular DoS, but on a much larger scale
Use known vulnerability to infect a large number of machines with a “zombie”
Zombie logs into an IRC channel and awaits commands
IRC bot command: “!p ”
Results in: “ping.exe –I –n 10000
k ping packets sent to host

26. DDoS example: Code Red
July 19th, 2001: over computers infected with Code Red in less than 14 hours
Used a buffer exploit in MS IIS
Damages estimated in excess of $2.6 Billion
Code Red launched a DDoS attack against www1.whitehouse.gov from the 20th to the 28th of every month!
Spent the rest of its time infecting other hosts

27. Denial of Service: Protection
SYN:
Use “SYN cookies”: in response to a SYN, create a special “cookie” for the connection, and forget everything else
Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
More general:
Filter out flooded packets (e.g. SYN) before reaching a host: throw out good with bad
Trace back to source of floods (most likely an innocent, compromised machine)

28. Denial of Service: Protection
Ingress filtering
Network ingress filtering is a packet filtering technique used by many Internet service providers to try to block network packets with spoofed sender IP
All connected networks are known, therefore also the range of possible source IP addresses
If the source IP of a packet is outside this range, then drop it
Stay on top of CERT advisories and the latest security patches
E.g. A fix for the Microsoft IIS buffer overflow was released 16 days before Code Red!
The CERT Coordination Center (CERT/CC) is the coordination center of the Computer Emergency Response Team (CERT) for Internet security incidents.
IIS - Internet Information Services, a set of Internet-based services for servers using Microsoft Windows
Code Red - Code Red was a computer worm observed on the Internet on July 13, It attacked computers running Microsoft's IIS web server.

29. Spoofing
IP address spoofing or IP spoofing refers to the creation of Internet Protocol (IP) packets with a forged source IP address, called spoofing, with the purpose of concealing the identity of the sender or impersonating another computing system
Intruder uses a computer to masquerade as another trusted host – e.g. the computer pretends to have the IP address of the host
Example:
C pretends to be B A B C
src:B dest:A payload

30. Spoofing
IP spoofing is most frequently used in denial-of-service attacks
In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks.
IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses.
users can log in without a username or password provided they are connecting from another machine on an internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machines without an authentication
See hidden slides for more info on how spoofing works.
DoS is common, because it’s easier just to break something then to do something more clever with it!

31. Spoofing: How it works Defense against IP spoofing attacks:
For example, TCP uses sequence numbers negotiated with the remote machine to ensure that arriving packets are part of an established connection
Since the attacker normally can't see any reply packets, the sequence number must be guessed in order to hijack the connection. The poor implementation in many older operating systems and network devices, however, means that TCP sequence numbers can be predicted

32. Spoofing: How it works
Put the trusted host out of action – e.g. through denial of service attack
Obtain the IP address of the trusted host
Establish a connection to the server it wishes to attack through the standard IP handshake
Attempt to infer the sequence numbers that are used by the trusted host and server during a validated dialogue – e.g. through trial and error
This is the most difficult part of this type of attack – the administrator will be alerted to the attack if the reply sequences from the intruder are not correct

33. Spoofing: Protection Ingress filtering: Egress filtering:
blocking of packets from outside the network with a source address inside the network. This prevents an outside attacker spoofing the address of an internal machine.
Egress filtering:
blocking of packets from inside the network with a source address that is not inside. This prevents an attacker within the network from launching IP spoofing attacks against external machines
routers should not forward outgoing packets with invalid source addresses
E.g. Datagram source address not in router’s network

34. Intrusion Detection / Prevention
Put a computer on the network that looks at all traffic
IDS tells you that the network is being attacked
IPS drops packets from attacker automatically
Not just ingress filtering that can detect problems from compromised hosts within network
Examples:
More than three failed logons from same IP address
A longer than six hour phone call
Credit card expenditure of more than twice the moving average of the last three months
IDS - Intrusion Detection System
IPS - Intrusion Prevention System

35. Detection Techniques
Look for likely behaviour (signature) of an intruder
Maximum ATM withdrawal for several days
Sudden use of sophisticated tools by naive users
Look for anomalous patterns of behaviour (data mining, machine learning)
Detects attacks not previously recognised and catalogued
Legal problems if this ends up discriminating against people especially if you can’t explain what your system is looking for (neural nets)
Off-the-shelf IDS typically gives ~1000 alerts per day
Not just lots of false positives
Any server with an authentication service will see many failed login attempts per day from those attempting to access the system by guessing passwords

36. Intrusion Detection / Prevention
Need up-front “tuning” of IDS/IPS to bring alerts down to reasonable levels (say ~30)
Say each message takes 5mins to investigate
Could cost company 20k per year of trained IT staff time to deal with alerts
Does not account for cleanup costs; IDS just brings problems to attention faster
Is it cost-effective? Maybe if your company has 40k employees, normally best to outsource

37. Worms and Viruses Worm: self-propagating “malware”, can run itself
Virus: worm that replicates by attaching itself to other programs
Data virus – e.g. a Word macro virus, which can affect the way the program operates and copy itself to new documents
viruses may use popular clients (e.g. MS) to propagate through the use of address books

38. Trojan Horses A seemingly innocent application can hide a Trojan horse
The application is supposed to perform a useful function – e.g. a file compression / decompression utility
It actually does nasty things when installed – e.g. deletes essential Operating System files
More likely not to be so obvious – e.g. installs a root kit to provide remote access to machine

39. Root Kit
Malware (spyware, Trojans) that hides its presence from spyware blockers, antivirus and system management utilities
“Root Kit”: comes from “root” (the administrator account under Unix) and “kit” (a set of software tools)
Attackers try to get “root” access to a system in order to install a root kit, with that it gets full control of a system
Root kit: set of admin tools replaced by malicious versions
Continues to operate in a hidden fashion
History
1986: First documented virus to operate in a cloaked fashion under DOS, redirection of the boot sector
1990: root kit for SunOS
1999: Windows NT
2009: OSX
Example of commercial use:
2005: Sony BMG copy protection root kit scandal: published CD’s with a copy protection – on the CD was a music player that installed a root kit to control the user’s access to a CD

40. Anti-Virus Designed to detect all kinds of malware
Spyware, adware, bot net software, worms, etc.
Consists of a generic engine that operates with DATs (data files)
DATs contain signatures of binary files known to be malware
Detects suspected malware through fast pattern matching
DAT, as in .dat

41. Problems with Antivirus
Malware mutates, so the problem is to develop DATs that are sufficiently generic to detect may variants without false positives
High frequency of updates, best 24-48hrs before DAT distributed for new malware
In reality, more likely to be 1-3 weeks, e.g. In 2007 McAfee needed 10 days to react to the Hearse root kit, Symantec 13 days

42. Problems with Antivirus
Time to serve the data to the Antivirus tool
E.g.: drive can read 125Mb / sec, there is 40GB of data to be scanned
Machine takes ~5min to serve data to the Antivirus tool
Time to process DATs for each file served
Around 10,000 new pieces of malware are created each day, so over 3.5m per year
E.g.: if it takes 1 millionth of a second to process each – just over 3.5sec for each file
Can be made quicker (e.g. More generic DATs), but there are inherent scaling problems with the technology

43. Pharming Attackers hijack or poison DNS servers
Users are redirected to the attacker’s website
User thinks he is at but he is actually at the attackers’ web site
Attackers steal user personal data (e.g. bank details)

44. Spam Named after a Monty Python sketch
Something that is repeated and repeated to great annoyance: “Spam spam spam spam ... Wonderful spam!”
A scam used to “help” the annual US green card lottery in 1994 led to the wide use of the term “spam”
Other notorious scams
“Advance fee fraud” (e.g. “419” Nigerian scam) – typically conducted by “spam gangs” throughout the world
Most spam is “direct marketing” with ~80% being pharmacy-related
419 Eater turned the tables!

45. Spam
Around 88-92% of all messages in first half of 2010 was spam
Some spam is blank – “automatic failure to deliver”, used to distinguish real from non-existent addresses
Feb/Mar 2011 all UK Universities received “Freedom of Information” requests to disclose all addresses of staff
This came from a source known to be associated with spam-based direct marketing
Some institutions complied, some challenged this (some successfully, some unsuccessfully – information commissioner works on a case-by-case basis, also depends on the form of the challenge)
List of confirmed “live” addresses are valuable, spammers pay good money for them

46. Phishing
Definition: attempting to steal passwords or other sensitive information by posing as a trustworthy website
Around 2.3% of spam relates to phishing attacks
Probably the biggest concern for security industry today
Banks are typical targets
Phishing analogous to fishing
C. Herley and D. Florencio. (2008). A profitless endeavour: Phishing as tragedy of the commons. In Proceedings of the 2008 Workshop on new security paradigms
Why such a big concern? Circumvents technological security measures and targets the users / customers themselves
See hidden slides for more details, and an example attack

47. Phishing: Attack and Defence
The number of phishing victims does not grow very fast
Once people have been phished, not many will be phished again (hopefully!)
to compare it to “fishing” – they are not “thrown back into the pond”
In order to get more phishing results, more attempts have to be made, each such attempt will make less money on average
At the same time, more sophisticated defences are developed

48. Phishing: Attack and Defence
Phishers will expect to make less and less money
Successful phishers will be those who come up with new techniques
Example from Viega (2009, chapter 15):
Amazon.com / co.uk customer get lots of marketing
No obvious way to authenticate such s
Amazon not known for phishing attempts
Amazon does force you to type in your password frequently, so this would not be suspicious
How would a Phisher exploit this?

49. Example: Phishing Attack
Attacker obtains a domain name with “amazon” in it
Attacker sends out that looks like it comes for amazon.co.uk – just an advert
When victim clicks on a link in the message, attacker sends a page that looks like the Amazon login page
Once user types in username / password, attacker tries to log them into amazon.co.uk (password is now known)
Attacker acts now as a “man-in-the-middle” and forwards all requests of user to Amazon and all replies (web pages) from Amazon to user

50. Example: Phishing Attack
Attacker may log everything, e.g. Credit card details of user
Attacker can also log into Amazon and look for recently placed orders of this user
Can be used to send user a bogus
if order has just been placed, Amazon needs time to process order, unlikely to contact user with
Attacker can send bogus to user telling them that credit card was rejected
Provide a link to attacker’s own web site with input fields, where the unsuspecting user can enter credit card details again

51. Routers and Internet Security
Organisations are keen to use the Internet – how can they protect themselves from such attacks?
Routers, being gateways, play a central role in internet security
Gates can be locked and guarded
A router can be configured to allow specific connection requests to pass, while blocking all others
Such a router is configured as a firewall

52. Firewalls Capabilities are to allow / block Example:
connections via specific ports
The use of specific protocols
Connections from specific domains
Example:
Organisations commonly employ firewalls to allow HTTP access on port 80, but block telnet access on port 23
Companies such as 3Com and Cisco market internet technology to organisations, emphasising security features
Connections from specific domains – white listing.

53. Intranet
The term intranet refers to internal protected organisation-wide internets
Protected from the public internet by firewalls, or not connected at all
Many large organisations use them (e.g. to screen against virus attacks)
Firewall Gateway
Public
Internet
Private
Intranet

54. Extranets
Companies wish to create secure internet links with partner companies – suppliers & customers – essentially to connect their intranets and allow secure electronic data interchange (EDI)
This leads to a new marketing term: extranet – an “internet of intranets” with the key feature that specific EDI, transaction and security standards are used

55. Web Services
Recent Development: XML-based standards for electronic data interchange within extranets have emerged
E.g.: company sells car parts to automobile manufacture, uses XML schema or OWL to represent ontology for the specification of those parts
Web Services allow Remote Method Invocation (RMI) over HTTP
Use SOAP messaging, WSDL specs for describing remote methods
Usually port 80 is open on firewalls – web service calls use HTTP protocol
RMI - Java Remote Method Invocation (Java RMI) enables the programmer to create distributed Java technology-based to Java technology-based applications, in which the methods of remote Java objects can be invoked from other Java virtual machines, possibly on different hosts.
SOAP - Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks.
WSDL - The Web Services Description Language is an XML-based interface description language that is used for describing the functionality offered by a web service.

56. Cloud Computing Outsourcing of the Intranet / Extranet
Local management overhead (with coordination and establishment of exchange protocols) can be managed by a third-party provider
Has led to the use of Cloud Computing to provide various services:
Software: , document sharing, word processing
Infrastructure: workflow among companies
Platforms: develop infrastructure / software for others
SaaS, PaaS, IaaS – Software, Platform, Infrastructure as a Service.

57. Infrastructure
With outsourcing, there is decreasing need for complex infrastructures to be developed / maintained in-house
But do you trust your service provider ?
FTP
Server
Internet
Traffic
Safe
Traffic
External
Gateway
Mail
Server
Internal
Gateway
Web
Server
Internet
Intranet

58. Information Privacy
Regardless of what you need, you need to think about the security of information
Customer credit card details
Patient records
Seismic / drilling data
Theft of intellectual property

59. Theft Insiders are the biggest threat Defence: good access control
Most organisations do not properly vet staff
Defence: good access control
Access to computing systems
Physical access
Defence: properly vet staff!
Security policies for staff: are they enforceable?
E.g.: encrypted laptops / USB drives
Wikileaks information smuggled out on a rewrite-able CD

60. Loss of Sensitive Data Credit card numbers, patient information, etc.
Contractual implications
Credit card company may refuse you unless you use specific protocols
Legal risks (getting sued)
Legal defence: due diligence
Use of best practice within organisation
Checking on best practice of service providers
Public disclosure of policies

61. Example: Credit Card Check Procedure

62. Other Procedures
Internal procedures help to mitigate risks and cost to retailer
Credit card security checks consider
addresses that don’t work
Orders placed in middle of night
Unusual purchase patterns
Some can be checked with software
Ecommerce transactions 20 times more likely to be disputed than high-street face-to-face purchases

63. Defence Strategy For sys admin, these are things to consider
Management: keep your systems up-to-date and configured in ways that will minimise the attack surface
Understanding: understand your systems (e.g. use mapping software); understand your users (e.g. need for remote logins?)
Training: train staff (technical / non-technical) on how not to expose systems or their personal information
Filtering: use appropriately configured firewalls, NAT (Network Address Translation) routers, and other such devices
Intrusion detection: monitoring your networks for signs of suspicious behaviour (but consider whether / how this is viable)
Encryption: require the use of protocols such as SSH, SFTP (and turn off telnet, ftp)

64. Configuration Management
Install security patches
Know what is in configuration files
Disable default passwords
Disable unneeded features
Auditing and logging
Properly set up firewalls, virus checkers, etc
Use vulnerability checking tools
Disable unneeded features – apply a clampdown

65. Learn about Vulnerabilities
Monitor websites
US-CERT advisory (us-cert.gov), McAfee, etc.
Operating system updates (often automated)
Microsoft, Apple, Linux
Don’t let hackers find out about vulnerabilities and develop exploits before you have mitigated the risks!

66. Defence in Depth
A combination of layers is much more effective than single layer
Attacker has to penetrate all of them
Relying on a single layer (e.g. Firewall) exceedingly dangerous
Especially since you know it will have some weaknesses!
Tend to use dissimilar firewalls in your (tightly secure) system design such that an attacker has to defeat two separate pieces of technology to successfully bypass, for example, an internet-facing server.

67. Defence in Depth First layer: filtering traffic using firewall
Second layer: good sys admin
Only enable / install what is needed
Avoid to be too restrictive – people will find ways around unreasonably constrained environment
Third layer: good access control
Minimise damage if hacker gets in
Fourth layer: secure applications
Secure programming: well designed, well tested, worse-case scenarios, etc.
Fifth layer: intrusion detection
Who decides what ‘good’ means? Standards compliance would help.
Remember – how much security is enough?