1 / 48

The More Things Change...

The More Things Change. Steve Romig The Ohio State University July, 2004. Game Plan. I want to walk through a rough chronology of security events from the last 20 years What have we learned? What have we failed to learn?. Me.

varuna
Download Presentation

The More Things Change...

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The More Things Change... • Steve Romig • The Ohio State University • July, 2004

  2. Game Plan • I want to walk through a rough chronology of security events from the last 20 years • What have we learned? • What have we failed to learn?

  3. Me • Graduated from Carnegie Mellon University, BS in Math, CS track in 1982 • First job: an internship at CompuServe (1981-1982) • Started at OSU in January, 1983 • Learned security “the old fashioned way”

  4. 1985 -TCP/IP Issues • "A Weakness in the 4.2BSD UNIX TCP/IP Software", AT&T Bell Laboratories, by Robert Morris • Describes TCP sequence number prediction • Could be used to spoof trusted hosts • More on this later...

  5. In 1988... • One new virus/month reported • Viruses are just a PC thing • Internet has 60,000 hosts

  6. 1988-11-02 - Morris Worm • Early response - patch binaries with adb! • Much FUD • Contained by November 5 • 3000-6000 hosts infected (5-10%)

  7. 1988-11-02 - Morris Worm, Aftermath • Spafford's "Phage" list started • CERT created

  8. The Blame Game • The miscreants • The vendors • The programmers • The users

  9. The Name Game • Then: virus, worm, trojan horse • Now: malware, rootkit, botnet

  10. Homogeneity on the Internet • Then: 85% Unix • Now: 96% Windows (desktops) • Geer et al, 2003-09 - warnings about the monoculture

  11. Vulnerabilities • Buffer overflow in fingerd • "Overlooked" debug option in sendmail • Fingerd runs as root • Password guessing • Trusted hosts

  12. 1989 - TCP/IP • “Security Problems in the TCP/IP Protocol Suite” • Steve Bellovin expands on the issues Morris brought up in 1985 • I read it, it seemed fairly obscure and "technical"

  13. 1989 - Security Workshops • Computer Security Incident Handling Workshops start in Pittsburgh • Eventually leads (at least indirectly) to the formation of FIRST • Many incident response teams form over the years

  14. 1989ish - Mailing Lists Galore • Full disclosure debates abound • alt.security and comp.security created • 1989-1991 - Zardoz "Security Digest" • 1990-1991 - core mailing list • 1990 - vsuite mailing list

  15. 1989-1990 • 1989: Cliff Stoll publishes “The Cuckoo’s Egg” • 1990: Sun security-alert mailing list begins

  16. 1990 bugs • Various “LAN services”: • ypserv, portmap, NFS (file handles, device files, general configuration issues) • Available to the world • Insecure default configuration • Ring any bells?

  17. 1992 - Rbone, Neptune • TCP/IP sequence guessing attacks • Neptune (1994) has a nice user interface and error checking! • This is the attack that I thought was too technical • Writing the code (once) makes the technique widely available to the masses

  18. 1995 - "NFS" Shell • I mention this because we’re seeing this in use again in 2004 • There are still plenty of insecure NFS servers around

  19. 1995ish - Program Level Rootkits • Replaces ls, du, find, ps... • Pinsh/ponsh backdoor • Finger daemon backdoor • Primitive library rootkit components

  20. 1995 - Much Password Cracking & Sniffing • 2004 - we see the same now • Talked about 2-factor authentication then, talking about it again now • Recognized need to get away from reusable passwords then (and now) • Hubs, switches, ssh, ipsec, ssh trojans...

  21. 1995-01-25 - OSU SECWOG starts • Monthly security awareness and training • Instrumental in building a community that supports security initiatives at OSU

  22. 1995-04-03 - SATAN • Dan Farmer releases SATAN • *Huge* furor over the release • Dan loses his job at SGI over it

  23. 1996 - OSU’s Local Miscreants • They sniff passwords in our labs • Use our dialup pool for free access • Break into military and government sites • No major dialup activity since then (apart from "usual" spam, viruses...) • The OSU "review" software

  24. 1997 - OSU Starts Scanning • Started with SATAN • Purchased ISS Internet Scanner in 1997 • Distributed to departments • Run centrally

  25. 1998 • Netbus, backorifice • First primitive DDOS tools

  26. 1999-07-04 - DDOS Attacks at OSU • 250? Unix hosts compromised • Incoming DOS takes us out for 6-8 hours • 50 of the 250 used for outbound DOS, 6 more hours of downtime • We start blocking hosts that are compromised

  27. 1999 - Malware • TFN, Trinoo, Stacheldraht... • Dsniff

  28. 1990's Security Tools • tripwire • cops • ssh • satan • iss

  29. 2000 • OSU firewall project starts • ILoveYou hits

  30. 2001 • Code Red • NetStumbler • War Driving

  31. 2003-01 - Slammer • Patching becomes a "big deal" • 10 minutes to infect most hosts • 34 OSU computers infected • Infection rates: 1.4m/hr inbound, 26.6m/hr outbound

  32. 2003-01 - Slammer • We used ISS' scanslam to ID vulnerable computers • We used Cisco netflow logs to ID infected computers • Infected, vulnerable computers are blocked automatically

  33. 2003-06 - Adware and Spyware • Largely ignored (by us) until then • Finally receiving attention now • Commercial products • Media attention

  34. 2003-08 - Blaster • Hard on the heels of password guessing attacks • Many systems had been tightened down already • More blocking of vulnerable, infected computers • More incentive to patch things

  35. 2004-02 - Bagle, MyDoom, Netsky • Lots of email! • Many, many variants • Bounce email is almost as bad as the virus email

  36. 2004 - Full Circle • Intruders sniffing, cracking passwords • Local exploits to gain root, set up shop • By hand - little/no automation

  37. Things That Haven't Changed • Bugs, design flaws in software • The full-disclosure debate • Default installs are insecure

  38. Things That Are Better • More incident response teams, abuse contacts • Vendors seem responsive, sort of, after the fact

  39. Things That Are Worse

  40. 1994 2 1995 11 1996 102 1997 308 1998 348 ... ... 2002 1145 2003 786/4039 Increasing Amounts

  41. Increased Automation • Easy for them to infect 100's of thousands of hosts • 200,000 hosts picking up agobot from OSU in 3 days... • On the other hand, we’re more automated also

  42. Increasing Sophistication • Better rootkits (HackerDefender) • Encryption • Agobot

  43. Increasing Variations • Agobot - hard to analyze them all

  44. Increased Economic Incentives • Botnets for spam • Industrial espionage • Identity theft • Extortion

  45. Stakes Are Higher • Internet isn't just a "cool toy" any more • Our y2k survival plan: use paper • In 2004, the paper doesn't exist

  46. Challenges • 10,000+ user-owned machines • Network registration, vetting, self-remediation • Remote access and reusable passwords

  47. Some Key Tools • SCORE - our host information database • SITAR - incident tracking • IDB - intrusion detection • Cisco NetFlow logs, flow-tools software • Nmap, ISS, other scanners • Snort

  48. References • http://securitydigest.org • http://www.net.ohio-state.edu/security/talks.shtml

More Related