NANOG 69: Security Track
Embedded devices (aka IoT) as a community problem
Moderator: Krassimir Tzvetanov
Disclaimer
• In order to foster an open discussion all of the presenters are going to share their personal opinion, which may not be the one of their current employer
• This is not a Mirai talk
Agenda
● Ongoing issues with embedded devices - CPE, IoT, etc.
● Numbers of infected devices? Potential for new infections? Mutations?
● What are the security vendors doing to improve the situation? Do we see discrepancy in the response between different vendors?
● What are the service providers doing?
● What should be the government/regulator's involvement?
Vendors
● Ongoing issues with embedded devices - CPE, IoT, etc.
● Why do we keep on seeing the lack of best practices?
● Why do we keep on seeing poor vendor response or no response?
● What are the CPE/IoT vendors doing to improve the situation?
● Do we see discrepancy in the response between different vendors?
Service providers
● What are the service providers doing?
● Methods of mitigation of active attacks?
● Proactive approaches?
● Working with the vendors?
Regulators and government
● What should be the government/regulator's involvement?
● Can this be resolved through regulatory means? If yes, why? If not, why?
Presenters
● Tim April
● Ron Winward
● Paul Ebersman
● Allan Friedman
● Christian Dawson
● Jesse Sowell
Tim April
● Sr. Security Architect @ Akamai
● Researches and responds to threats against Akamai and the Internet
The S in IoT is for Security. [1]
1: https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/?comments=1&post=32754617
Nothing new
● BASHLITE (Gafgyt, Lizkebab, Torlus and LizardStresser) [1]
● Internet Census of 2012 [2]
● Linksys 2009 (CVE-2010-1573, default user/password)
● Many others
FTC Takes D-Link to Court – Jan 5, 2017
• “D-Link failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras.”
• D-Link promoted security: “Easy to secure” & “Advance network Security”
• D-Link did not address well-known security flaws:
  – Hard-coded credentials (guest/guest)
  – Command injection software flaw
  – Mishandling of private key to sign D-Link software
    • Key left openly available on public website for 6 months
  – D-Link mobile app leaves users’ login credentials unsecured in clear, readable text on the device
IoT Manufacturer Security Recommendations
Need for a rearchitected, purpose-built embedded IoT software platform with:
• Robust and easy OTA (Over The Air) updates
• Require (at least allow) user to change default admin username & pass
• Disable unnecessary services by default (telnet, SSH, smb, FTP)
• Do not run webserver as root, run it chrooted
• Do not keep hidden backdoors – they will be discovered!
• Avoid UPnP-IGD (Internet Gateway Device) Protocol
• Enforce strong passwords and use strong cryptographic hashes to store them
• Hardening of OS and all communications stacks (IP, Bluetooth)
Create a vulnerability disclosure program, consider bug bounty program
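Two of the recommendations above (require a change of the default admin credentials; store passwords only as strong cryptographic hashes) as an added Python example, not code from the slides or from any vendor. The factory default guest/guest, the scrypt cost and the 12-character policy are constructed assumptions.

```python
"""Device admin credential handling: salted scrypt at rest, factory defaults
flagged must_change so a default login can only be used to replace itself."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)  # assumption: cost sized for a small CPE CPU
FACTORY_DEFAULTS = {"guest": "guest"}       # constructed: the kind of default the FTC cited


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt, stored as 'scrypt$<salt hex>$<key hex>'; nothing reversible is kept."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(key.hex(), key_hex)  # constant-time compare


def password_acceptable(user: str, password: str) -> bool:
    """Policy (assumption): 12+ characters, not the user name, not any factory default."""
    return (len(password) >= 12 and password.lower() != user.lower()
            and password not in FACTORY_DEFAULTS.values())


class DeviceCredentials:
    """Admin accounts as (hash, must_change); every factory default starts as must_change."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Tuple[str, bool]] = {
            u: (hash_password(p), True) for u, p in FACTORY_DEFAULTS.items()}

    def login(self, user: str, password: str) -> str:
        """'denied', 'must_change' (default still in place) or 'ok'."""
        stored = self.accounts.get(user)
        if stored is None or not verify_password(password, stored[0]):
            return "denied"
        return "must_change" if stored[1] else "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        """The only action a must_change account may take; clears the flag on success."""
        if self.login(user, old) == "denied" or not password_acceptable(user, new):
            return False
        self.accounts[user] = (hash_password(new), False)
        return True
```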
Challenges
• ISPs can’t mandate
• Lowest price wins
• Simple over secure
• Lousy default configs and passwords
• Not auto-update
Issues with IoT devices
• Bugs (time-b.netgear.com anyone?)
• ID’ing w/NAT: Who’s got the penny?
• Malware/infection
• Amplification attacks
• Can’t ACL against yourself
• Can’t upgrade or patch
What can ISPs do?
• BCP 38/84, DOCSIS SAV on customer links/peering points
• Filter customer ports ala: https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/
• Clean up DNS, SNMP, NTP, etc. reflectors
• Beat on vendors
• Name and shame?
• Discounts for vetted gear?
• 1st Tier and customer education
• UUCP? ☺
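The BCP 38/84 source address validation item above, as an added Python model (not from the NANOG 69 deck): strict and loose ingress checks run over constructed sample packets, including a query whose source is forged to an off-net victim, the pattern behind the amplification attacks mentioned earlier. Port names, prefixes and addresses are constructed.

```python
"""Source address validation (BCP 38 / BCP 84) on customer-facing ports."""
import ipaddress
from typing import Dict, List, NamedTuple

# Constructed: prefixes the ISP has assigned to each customer-facing port.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-eth1": [ipaddress.ip_network("203.0.113.0/28")],
    "cust-eth2": [ipaddress.ip_network("203.0.113.16/28"),
                  ipaddress.ip_network("198.51.100.0/24")],
}


class Packet(NamedTuple):
    port: str   # ingress port the packet arrived on
    src: str
    dst: str
    dport: int


def sav_strict(port: str, src: str) -> bool:
    """Strict mode: the source must fall inside a prefix assigned to the ingress port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))


def sav_loose(src: str) -> bool:
    """Loose mode: the source must belong to some customer prefix on any port.
    Catches forged off-net sources, but not one customer using another's address."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for nets in CUSTOMER_PREFIXES.values() for net in nets)


def apply_sav(packets: List[Packet], strict: bool = True) -> Dict[str, List[Packet]]:
    """Split packets into 'forward' and 'drop' under the chosen mode."""
    result: Dict[str, List[Packet]] = {"forward": [], "drop": []}
    for p in packets:
        ok = sav_strict(p.port, p.src) if strict else sav_loose(p.src)
        result["forward" if ok else "drop"].append(p)
    return result


# Constructed traffic: a genuine DNS query; a query whose source is forged to an
# off-net victim (reflection pattern); a customer on eth2 using an eth1 address.
SAMPLE = [
    Packet("cust-eth1", "203.0.113.5", "198.51.100.53", 53),
    Packet("cust-eth1", "192.0.2.10", "198.51.100.53", 53),
    Packet("cust-eth2", "203.0.113.5", "198.51.100.53", 53),
]

if __name__ == "__main__":
    for mode in (True, False):
        r = apply_sav(SAMPLE, strict=mode)
        print("strict" if mode else "loose", "drops:", [p.src for p in r["drop"]])
```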
Allan Friedman
• National Telecommunications & Information Administration (Dept. of Commerce)
• Failed cryptographer, failed economist, failed professor, current technocrat.
How can we use voluntary, industry-led practices to address botnets and network-based risks?
Building on Existing Work
• The vast majority of security work has been industry-led.
• Government can play some role:
  – 2012 Industry Botnet Group, led by the White House
  – NTIA’s Multistakeholder work
• Government as the catalyst, bridging across sectors
• Vulnerability Research Disclosure
• IoT Patching Transparency
• Is there further work we can do to bring different parts of the ecosystem
Christian Dawson
• Executive Director, Internet Infrastructure Coalition (i2Coalition)
• Former President of web hosting company ServInt, which operates three data centers
How important is it to be part of the discussion of how governments set network cybersecurity requirements?
Today’s Cybersecurity Standards…
• have mostly been derived from partnership with industry.
• are based on voluntary adherence to policy frameworks, notably the NIST Cybersecurity Framework (NIST CSF).
• are based on existing standards, guidelines, and practices.
• require regular interaction with legislative officials to maintain, and to steer clear of disruptive alternatives.
Jesse Sowell
Organization affiliations:
– Postdoctoral Cybersecurity Fellow, Stanford University Center for International Security and Cooperation
– Senior Advisor, M3AAWG
Problem:
– Like Internet security, IoT security requires both technical and coordination (governance) mechanisms to effectively incent changes in the market for not only functional, but secure, devices
– Who can contribute to creating these incentives?
IoT Security and Governance
Emerging state of IoT manufacturing
– high clockspeed industry + commodity components + low margin
– market failure for IoT security features
Easy to blame IoT manufacturers, but responsibility is distributed
– collective action problem, notoriously difficult in any context
– who are the broader market participants?
– components, assembly, distribution, wholesale, resale, deployment
Questions (for the panel and audience):
Where along this value network can we incent better security features?
Who in the broader market can create economic pressure on which points in the value network?
Open discussion
1. Approach a microphone
2. State your name
3. If you are representing an organization, please announce its name as well