Vulnerabilities of Contemporary Information and Communication Technologies and Impact on Societies
Dr. Klaus Brunnstein, Professor for Application of Informatics, University Hamburg
World Summit on Information Societies, Geneva, December 11, 2003
Outline
1. Perspectives: Industrial versus Information Society
2. Risks inherent in contemporary ICTs
3. Impacts: Towards a „Risk Society“?
Perspectives: Industrial versus Information Society
1.1 From Industrial to Information Societies
[Table: Sectors A to E of physical goods (resources, products, services) and virtual goods (resources, products) across the pre-industrial, industrial and information (I-Economy / I-Society) stages, rating agriculture, manufacture/industry, transport, know-how, books/media, organisation/management, IPR, public information, I-production/I-commerce, I-access, I-bases and virtual transport from + to +++; the information stage is marked as a virtual organisation.]
Perspectives: Industrial versus Information Society
1.2 Trends: Schumpeter/Kondratieff Cycles
• Schumpeter/Kondratieff model for industrial development (international competition), covering the last two phases of the Industrial Society (supply side of markets)
• Model applied to generic technology and extended „backward“ to the preceding phases (1-2):
• Phase 1 (1760+): Vapor-driven stationary engine
• Phase 2 (1810+): Vapor-driven mobile engine
• Phase 3 (1860+): Oil-driven engines
• Phase 4 (1910+): Electricity-driven engines, networks = precondition for computing/networking!
• Duration of cycles: about 40-50 (~45) years
Perspectives: Industrial versus Information Society
1.3 Cycle Theory & Information Economies
Assumption: „History repeats, though differently“. Adaptation of the Schumpeter/Kondratieff model:
• Phase 1 (1940+): Computer: mainframe .. PC .. chips; stationary, local code/control; computer companies support economic development
• Phase 2 (1985+): LAN ... WAN, mobile code/agents, data searching & mining, value-added services; network companies lead development
• Phase 3 (2030+): ??? (nano miniaturization: quantum/optical computing) ???
• Phase 4 (2075+): ???
Perspectives: Industrial versus Information Society
1.4 Trends: Changing Relations: „e-Relations“
[Diagram: relations between Government, Business, Organisations, Citizen/Customer/User/Patient and Household (G2B, B2G, G2G, B2B, B2O, O2C, G2C, C2G, B2C, H2B, B2H, H2H), with example applications: e-commerce, e-banking, e-voting, e-tax declaration, electronic agora, daily-life applications, health care / e-care, e-fun / e-gaming, e-learning, leisure, I-search, science, education, libraries.]
Perspectives: Industrial versus Information Society
1.5 2005: 100 million servers, 1,000 million clients, 10,000 smart devices
[Diagram: a TCP/IP-based Wide Area Network (WAN) connecting secure LANs, secure and semi-/insecure clients, ePDAs, car management systems and next-generation ubiquitous computing (M-devices, wearware, ...). PDA = Personal Digital Assistant; ePDA = enhanced PDA (communication, agents, ...).]
Perspectives: Industrial versus Information Society
1.6 Trends: Daily life with smart devices
Scenario: a daily-life application: „After a hard day of meetings, you are heading home, where you have invited several friends for a party. While you are activating your Car Management System (CMS) and starting your car, your Personal Electronic Transactor (PET), which is included in your watch, connects to your Household Management System (HMS) to analyse whether all your stored preferred resources (red wine, cheese and sausage) are readily available. As the stock of red wine bottles needs replenishing, HMS informs CMS to show the route to your wine shop, including a deviation due to an actual traffic jam; PET will display the itinerary and requirements to you ......“ { More examples: „nomadic distributed computing“ }
Risks inherent in contemporary ICTs
2.1 Risk Classes
Risk Class 1: IT paradigms
• System complexity: WYSIWYG and WYRIWIR don't apply
• Interoperability of incompatible systems: risky scripts
Risk Class 2: Basic IT concepts
• e.g. Internet Protocol: „IP considered harmful“
Risk Class 3: Implementation (SW techniques, languages)
• No assurance of functions & features
• Language dominates perception of programmers (Java, script kiddies)
• Language weaknesses: malware easy to write
Risk Class 4: Installation and administration
• Difficult to audit, dependency upon experts
Risk Class 5: User-induced risks
• Users canNOT understand what is going on in complex systems
• Ill-guided minds find easy ways to gain control over other systems and the content of other users!
Risks inherent in contemporary ICTs
2.2 Complex Systems cannot be controlled
Survey of the architecture of contemporary systems:
• Presentation layer: WYSIWYG (What You See Is What You Get), O(100 MB)
• Application layer: O(GB-TB)
• System layer: organisation of resources (storage, processor, devices); problem solving (deadlocks etc.); security services; process support; O(1 GB)
• Firmware, drivers, bus
• Hardware layer: processor, storage, bus; connections to devices and network
The WYSIWYG principle does NOT hold (even for experts).
Risks inherent in contemporary ICTs
2.3A Software Bugs: CERT/CC reports 11/2002..03/2003
CERT Summary CS-2003-01, March 21, 2003. Source: CERT/CC Current Activity, http://www.cert.org/current/current_activity.html
1. Buffer Overflow Vulnerability in Core Windows DLL
2. Remote Buffer Overflow in Sendmail
3. Increased Activity Targeting Windows Shares
4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code
5. MS-SQL Server Worm
6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)
7. Multiple Vulnerabilities in SSH Implementations
8. Buffer Overflow in Microsoft Windows Shell
9. Double-Free Bug in CVS Server
10. Buffer Overflow in Windows Locator Service
Colour code (on the original slide): vulnerabilities related to Microsoft / other software manufacturers; vulnerabilities with serious impact (enterprises ...)
Risks inherent in contemporary ICTs
2.3B Software Bugs: CERT/CC reports 04/2003..06/2003
CERT Summary CS-2003-02, June 3, 2003
1. Integer Overflow in Sun RPC XDR Library Routines
2. Multiple Vulnerabilities in Lotus Notes and Domino
3. Buffer Overflow in Sendmail
4. Multiple Vulnerabilities in Snort Preprocessors
Risks inherent in contemporary ICTs
2.3C Software Bugs: CERT/CC reports 07/2003..09/2003
CERT Summary CS-2003-03, September 8, 2003
1. W32/Sobig.F Worm
2. Exploitation of Vulnerabilities in Microsoft RPC Interface
   a. W32/Blaster Worm
   b. W32/Welchia
3. Cisco IOS Interface Blocked by IPv4 Packet
4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
   a. Buffer Overflow in Microsoft Windows HTML Conversion Library
   b. Integer Overflows in Microsoft Windows DirectX MIDI Library
   c. Multiple Vulnerabilities in Microsoft Internet Explorer
5. Malicious Code Propagation and Antivirus Software Updates
Colour code (on the original slide): vulnerabilities related to Microsoft; related application software
Risks inherent in contemporary ICTs
2.3D Software Bugs: CERT/CC reports 10/2003..11/2003
CERT Summary CS-2003-04, November 24, 2003
1. W32/Mimail Variants (added: plus Paylap variants)
2. Buffer Overflow in Windows Workstation Service
3. Multiple Vulnerabilities in Microsoft Windows and Exchange
4. Multiple Vulnerabilities in SSL/TLS Implementations
5. Exploitation of Internet Explorer Vulnerability
6. W32/Swen.A Worm
7. Buffer Overflow in Sendmail
8. Buffer Management Vulnerability in OpenSSH
9. RPCSS Vulnerabilities in Microsoft Windows
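The four CERT summaries above are dominated by buffer and integer overflows (Risk Class 3: no assurance of functions, language weaknesses). As an added illustration that is not from the talk, the following shows how an integer overflow in a length computation lets an oversized request slip past a size check, beside the checked form; the function names, the MAX_BYTES limit and the inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Added example (not from the talk). An element count taken from untrusted
 * input is multiplied by the element size; if the 32-bit product wraps, the
 * size check passes but the buffer requested is far smaller than the data
 * that will later be copied into it. Helper names and limit are hypothetical. */

#define MAX_BYTES 4096u   /* constructed upper bound for one allocation */

/* Unchecked form: the multiplication may wrap modulo 2^32, so a huge count
 * can yield a tiny "total" that satisfies the bound. Returns 0 on rejection. */
size_t alloc_size_unchecked(uint32_t count, uint32_t elem_size)
{
    uint32_t total = count * elem_size;   /* wraps silently for large count */
    if (total > MAX_BYTES)
        return 0;                         /* bounds check, defeated by wrap */
    return total;                         /* undersized when wrapped */
}

/* Checked form: refuse before multiplying if count * elem_size cannot be
 * represented, then apply the same bound. Returns 0 on rejection. */
size_t alloc_size_checked(uint32_t count, uint32_t elem_size)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return 0;                         /* product would overflow */
    uint32_t total = count * elem_size;   /* now guaranteed not to wrap */
    if (total > MAX_BYTES)
        return 0;
    return total;
}

/* The byte count the later copy would actually need, computed without wrap;
 * comparing it with the unchecked result shows the size of the mismatch. */
uint64_t bytes_needed(uint32_t count, uint32_t elem_size)
{
    return (uint64_t)count * elem_size;
}
```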
Risks inherent in contemporary ICTs
2.4 Distributed Denial-of-Service Attacks (DDoS)
Experienced DDoS attacks of February 2000; known victims: Amazon, eBay, Yahoo, ...
[Diagram: attacker, business LAN, server; „zombie“ code: attack programs waiting for a signal to attack.]
Attacker: Mafiaboy (15 yr), Canada, using TRINOO; deploys TRINOO, triggers attack.
Risks inherent in contemporary ICTs
2.5 Attacks on Internet: Root DNS Attacks
[Diagram: Domain Name Server maps names to addresses (bank1.com = IP address 1, Govt2.org = IP address 2, User3.edu = IP address 3, ...); top-level domains: com, org, edu, ... ch, de, tv, ...; the InterNIC DNS root servers A to M, located in USA East, USA West, Europe and Asia; intranets such as Bank1.com and Bank2.ch.]
Attack: Oct. 21, 2002, 23:00, for about 1 hour, from ~6000 attack sites.
Risks inherent in contemporary ICTs
2.6 Pandora's Box: Viruses, Worms, Trojans, Spyware
[Diagram: application programs processing valuable information assets, on supporting systems (operating/database systems, script-language interpretation, language processing, network OS); threats via local access: Trojan horses, backdoors, traps; threats from the network: spoofing, sniffing, data hijacking, DDoS; viruses and worms via webmail etc.]
Impacts: Towards a „Risk Society“?
3.1 Options for handling risks
• Option 1: Deliberate decision: Don't use!
• Option 2: Don't care! Enjoy! (preferred mode of young users)
• Option 3: „Educated user“: learn to understand the risks, try to reduce them and act in cases of emergency.
• Option 4: Try to anticipate and avoid risks! Presently NOT POSSIBLE!
Impacts: Towards a „Risk Society“?
3.2 Impact of Insecurity under „Don't Care!“
Impact of insecure systems: towards a „risk society“
• Loss of control
• Loss of productivity (e-jobs) & connectivity
• Loss of trust
• Loss of confidentiality
• Loss of privacy
Impacts: Towards a „Risk Society“?
3.3 Educated users and ICT risks
Learning to understand threats of contemporary ICTs, and how to protect against such threats:
3A) Software bugs: critical software updates („patching“)
3B) Integrity threats: computer viruses, worms, trojan horses, spyware; countermeasures: anti-malware
3C) (Hacker) attacks from networks: filtering addresses and services (ports): firewalls
3D) Loss of authenticity: spoofing, man-in-the-middle attacks; protection of authenticity: passwords vs. biometrics
3E) Loss of confidentiality: protection through encryption (symmetric, asymmetric)
3F) Loss of function in networks: denial-of-service attacks; solution through redundant architecture
3G) Distinguish between useful and useless (SPAM) email