Roger Grimes How I Fixed The Internets

Roger A. Grimes, e: [email protected]. How I Fixed the Internets. Mark Minasi Conference 2009.


Transcript of Roger Grimes How I Fixed The Internets

Page 1: Roger Grimes   How I Fixed The Internets

Roger A. Grimes, e: [email protected]

How I Fixed the Internets

Mark Minasi Conference 2009

Page 2: Roger's BIO

- CPA, CISSP, CEH, SSPP, CISA, TICSA, yada, yada
- 22-year Windows security consultant, instructor, and author
- Microsoft ACE Infosec Security Architect
- Author or co-author of eight books on computer security, including:
  - Network Security: The Complete Reference (McGraw-Hill, co-author of chapters on Computer Defenses and IDSs)
  - Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007, co-author)
  - Professional Windows Desktop and Server Hardening (Dec. 2005)
  - Windows Server 2008 Security Resource Kit (contributing author)
  - Honeypots for Windows (Apress, December 2004)
- Author of over 200 national magazine articles on computer security
- Runs 8 honeypots tracking hacker and malware behavior
- InfoWorld security columnist and blogger

Page 3: Roger's Books

Page 4: Disclaimer

The views expressed here are only my own, and are not the views of my employer or Mark Minasi.

Page 5: Problem - On the Bright Side...

Not everyone is hacked every day.

Page 6: Fix the Internets

This presentation is based on my previous work: the Fixing the Internet whitepaper and articles.

- http://weblog.infoworld.com/securityadviser/archives/Fixing_the_Internet_Final.pdf
- http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html
- http://weblog.infoworld.com/securityadviser/archives/2008/05/defending_fixin.html
- http://www.infoworld.com/d/security-central/internet-fix-no-pipe-dream-452

Page 7: Problem - How Bad Is It?

- Each year, over 1-in-3 US adults gets their identity information stolen over the Internet
- 1-in-9 have their identity stolen multiple times a year
- 1-in-9 have their stolen identity used in a given year

Page 8: Problem - How Bad Is It?

- An average hacker can break into any Internet-connected company relatively easily
- There is little you can do to stop hackers
- Break-ins are so common that even when tens of millions of identities are stolen or millions of dollars are taken, it often doesn't make the news cycle anymore

Page 9: Problem - Crimeware

- 99% of all malware exists to steal your money
- The big criminal gangs make hundreds of millions of dollars each year (McColo, Rockphish, Russian Business Network)
- Not a single person from any of the major criminal gangs has been arrested or prosecuted

Page 10: Problem - Every Internet Browser Has Many Exploits

- CanSecWest: 3 top browsers exploited in an hour
- Every "secure" browser is lucky to last a day after it is released before it is exploited

Page 11: Problem - How Bad Is It?

- Firewalls don't work
- Antivirus software doesn't work
- Fully patching your software doesn't work
- Spam and phishing as bad as ever
  - Spam is 70-90% of all email traffic
  - 10% or more of all Internet traffic is malicious
- Why do we keep doing the same things and expecting different results??

Page 12: Problem - How Bad Is It? Malware more sophisticated than ever

- Not one attack vector, but 20+
- It hides now, doesn't try to be cute
- Fast-fluxing
- Root-kit loading
- USB infecting
- Roving "mothership" web servers

Page 13: Problem - Big Holes Still Being Found in the Internet

- Kaminsky DNS exploit
- Huge MPS/BGP exploit being announced at the next BlackHat
- Kinda kills the "many eyes" concept that supposedly makes our software secure
- Even DJBDNS's software got hacked twice in a year

Page 14: Problem - Can't Be Perfect Even If You're Perfect

- Even if all the software goes security-vulnerability free, it won't stop hacking
- Today, 99.999% of malicious hacking occurs because an end-user is tricked into installing trojan malware
- Antivirus 2008 anyone??

Page 15: Problem - How Bad Is It?

- After everything every vendor has tried, pushed, and promoted, computer security has only gotten substantially worse over the last 10 years... and even worse over the last 3 years
- Nothing any vendor is doing appears likely to significantly improve computer security over the next 10 years

Page 16: Problem - Problems with Current Solutions

- Whack-a-mole solutions
- Point-specific defenses (which hackers just move around to the next weak link)
- Security defenses develop slower than malware
- No one is trying to solve the underlying systematic security problems
- No single group dedicated to fixing Internet security

Page 17: Problem - Why Does It Matter?

Can't we just live with the current state of things?

I mean, we have survived so far without a major disruption to our global Internet society.

Page 18: Problem - Why Does It Matter?

- Because the Internet is becoming more and more mission critical for real life
- It isn't just for email and ASCII porn anymore
- Global society is becoming more reliant on the Internet for basic and mission-critical services

Page 19: Problem - Why Does It Matter?

- SQL Slammer (2003) showed us that most of the world's most important, mission-critical networks are on the Internet
- Most major banks went down for multiple days
- Foreign hackers are routinely breaking into our most sensitive, secure, gov't networks

Page 20: Problem - Why Does It Matter?

- Where do you buy your airplane tickets?
- How did you buy your last concert tickets?
- I use web sites to make stock trades, schedule bulky garbage pick-ups, trip plans, pay college tuition for my daughters, Skype to call, etc.
- My InfoWorld column is only online
- How do you think your electronic funds transfer for your paycheck is transmitted?

Page 21: Problem - Why Does It Matter?

- What was yesterday's "nice-to-have" web site becomes today's "use it or pay more" for a regular human
- Crackberries... anyone...
- The ILOVEYOU worm shut down phone networks and delayed the delivery of newspapers

Page 22: Problem - Why Does It Matter?

- The guy in charge of running the White House is bragging about using Gmail and Google Docs
- Your healthcare records are going online
- Stuff that should never be on the Internet (e.g. nuclear power plants, electrical grids, 911 systems) is on the Internet!!

Page 23: Problem - Why Does It Matter?

- Even the mission-critical stuff that all the experts assure us isn't on the Internet... is on the Internet
- Even if it isn't "on the Internet", it usually shares the same physical telecom lines with the Internet... so if the Internet implodes, so too does the non-Internet stuff

Page 24: Problem - Why Does It Matter?

Somewhere, there is a tipping point event waiting to happen.

Page 25: The Overall Problem - So How Is the Internet Broken?

Ask yourself, "Why do malicious hackers hack?"

Page 26: The Overall Problem - So How Is the Internet Broken?

Answer: Because we can't catch them

- It's low cost, low risk, and high return
- Rob a bank, get $5,000 (maybe), and 10 years in jail
- Rob off the Internet, make hundreds of millions, and never even get close to being caught

Page 27: The Overall Problem - So How Is the Internet Broken?

Answer: Because we can't catch them

I can't think of a single Internet problem that doesn't boil down to problems of identity and integrity.

Page 28: The Overall Problem - So How Is the Internet Broken?

- There is pervasive anonymity
  - You really have no idea I am who I say I am
- There is a lack of accountability
  - We can't find the hackers to arrest them
  - We have a hard time prosecuting all the companies that knowingly help criminals
  - There is no way to tell the good companies from the bad

Page 29: How to Fix the Internet - Summary

- We have to rebuild all software and hardware connected to the Internet to fix it
- Replace pervasive anonymity with pervasive identity
- Hold people and companies accountable for bad things and continued poor practices

Page 30: How to Fix the Internet - Summary

- Dream Team of Security Experts
- Rebuild the Internet and everything connected to it
- New Internet-wide security services available to everyone (think DNS, but for security)

Page 31: How to Fix the Internet - Summary

- Come up with a global, open group to provide solutions
- Will probably have to be gov't sponsored
  - Companies are motivated by greed
  - There is no money in fixing the commons
  - Most companies are very risk averse
  - It will take a "man-on-the-moon" project

Page 32: How to Fix the Internet - Dream Team

[Org chart: an Executive Committee (strategic decisions) made up of one Director per vendor/member; beneath it, Component Tactical Leads, one per component; beneath those, Component Technical Teams and their members; alongside, a Public/End-User Shared Committee for participation.]

Page 33: How to Fix the Internet - Dream Team (2 year max.)

- Made up of global vendors, gov't, independent security experts, and public
- No single entity controls outcome
- One vote per member
- Open meetings, open discussions
- Any solutions are completely voluntary in nature
- Try to use more "carrot" and less "stick"

Page 34: How to Fix the Internet - Dream Team

- What can be agreed upon is tabled, but majority rules
- Global participation
- Solutions are standards and protocols, not products
- Solutions are 100% open source, although vendors are welcome to develop commercial products and implementations

Page 35: How to Fix the Internet - Dream Team - Challenges

- Global, but also decisive (the UN problem)
- How to convince vendors that it is in their own self-interest to participate?
- How to make a global committee responsive?
- How to avoid balkanization, standard splits?

Page 36: How to Fix the Internet - Possible Internet Security Solutions

- Global Security Service
- End-to-End Trust
- Using Existing Web Standards

Page 37: How to Fix the Internet - Global Security Service

Build a global Internet infrastructure service to provide coordination, advertising, and publication of the various global security initiatives.

[Diagram: DNS, UDDI and IF-MAP shown as the three models combined into the Internet Security Service]

Page 38: How to Fix the Internet - Global Security Service

- DNS-like: fault-tolerant, distributed "root" servers dedicated to directing querying clients to the appropriate security service server(s).
- UDDI-like: each participating global sub-root server would serve up the IP addresses of the corresponding needed security services (and advertise and publish such services).
- IF-MAP-like: the existing sub-root servers would allow participating members to report and respond in a global, holistic, multi-service manner.

Page 39: How to Fix the Internet - Global Security Service - IF-MAP Standard

If you are not familiar with IF-MAP, in a nutshell: the Trusted Computing Group's (www.trustedcomputingroup.org) IF-MAP standard (https://www.trustedcomputinggroup.org/specs/TNC/IFMAP_FAQ_april_28.pdf) allows participating devices to report security events and receive notifications from other security devices, so that they can respond in a coordinated fashion.

Page 40: How to Fix the Internet - Global Security Service - IF-MAP Example

1. Your firewall detects outbound email originating from a regular end-user workstation that does not typically use port 25 outbound
2. The firewall notifies the antivirus software to scan the machine
3. The antivirus software, unable to clean the computer or unable to find anything, tells the NAC/NAP client to shut down, and the 802.1X switch kills the network port link
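The three-step IF-MAP exchange above, modelled as an added Python example (not code from the slides or from any IF-MAP implementation): a tiny publish/subscribe broker stands in for the MAP server, and the firewall, antivirus, NAC client and switch react to each other's published metadata. The 10.1.x.x workstation range, the per-host scan outcomes and the rule that only a confirmed "cleaned" verdict keeps the port up are constructed assumptions.

```python
from collections import defaultdict

class MapServer:
    """Tiny publish/subscribe broker standing in for an IF-MAP metadata access point (MAP)."""
    def __init__(self):
        self.subscribers = defaultdict(list)
        self.log = []  # every published (topic, metadata) pair, kept for audit

    def subscribe(self, topic, handler):
        self.subscribers[topic].append(handler)

    def publish(self, topic, metadata):
        self.log.append((topic, dict(metadata)))
        for handler in list(self.subscribers[topic]):
            handler(metadata)

class Firewall:
    """Step 1: publishes an event when a workstation (not a mail server) sends on TCP/25."""
    WORKSTATION_PREFIX = "10.1."  # constructed: the end-user LAN

    def __init__(self, mapd):
        self.mapd = mapd

    def observe(self, src_ip, dst_port):
        if src_ip.startswith(self.WORKSTATION_PREFIX) and dst_port == 25:
            self.mapd.publish("suspicious-flow",
                              {"host": src_ip, "reason": "unexpected outbound SMTP"})

class Antivirus:
    """Step 2: scans the reported host and publishes the verdict."""
    def __init__(self, mapd, scan_results):
        self.mapd, self.scan_results = mapd, scan_results  # constructed verdict per host
        mapd.subscribe("suspicious-flow", self.on_flow)

    def on_flow(self, md):
        verdict = self.scan_results.get(md["host"], "nothing-found")
        self.mapd.publish("scan-result", {"host": md["host"], "verdict": verdict})

class Switch:
    """802.1X-capable access switch; ports start up and can be administratively disabled."""
    def __init__(self):
        self.disabled = set()

    def disable_port(self, host):
        self.disabled.add(host)

    def port_state(self, host):
        return "down" if host in self.disabled else "up"

class NacClient:
    """Step 3: anything short of a confirmed clean-up gets the host's port killed."""
    def __init__(self, mapd, switch):
        self.switch = switch
        mapd.subscribe("scan-result", self.on_result)

    def on_result(self, md):
        if md["verdict"] != "cleaned":
            self.switch.disable_port(md["host"])

def run_scenario(scan_results, flows):
    """Wire the devices to one MAP, replay the flows, return port states and the MAP log."""
    mapd, switch = MapServer(), Switch()
    fw = Firewall(mapd)
    Antivirus(mapd, scan_results)
    NacClient(mapd, switch)
    for src_ip, dst_port in flows:
        fw.observe(src_ip, dst_port)
    hosts = sorted({src for src, _ in flows})
    return {h: switch.port_state(h) for h in hosts}, mapd.log

# Constructed sample: three workstations and one mail server (10.2.0.1) talking on port 25.
SAMPLE_RESULTS = {"10.1.0.5": "unable-to-clean", "10.1.0.7": "cleaned"}
SAMPLE_FLOWS = [("10.1.0.5", 25), ("10.1.0.7", 25), ("10.1.0.9", 25),
                ("10.2.0.1", 25), ("10.1.0.5", 443)]

if __name__ == "__main__":
    states, log = run_scenario(SAMPLE_RESULTS, SAMPLE_FLOWS)
    for host, state in states.items():
        print(f"{host}: port {state}")
```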

Page 41: How to Fix the Internet - Global Security Service - New Security Service

Be like a local IF-MAP solution, but provide information globally.

Page 42: How to Fix the Internet - Global Security Service

[Diagram: two networks, each with a Network Security Boundary around its regulated endpoints, its security defenses and a local IF-MAP service, connected through the Internet/Network Cloud to the Global Internet Security Infrastructure Service, which in turn points to protocol/application-specific global servers.]

Page 43: How to Fix the Internet - Global Security Service - Examples

Your network or web server comes under a DDoS attack. Your local IF-MAP security device could connect to a root Internet security server and get directed to one or more services that allow an efficient response and defense to the attack. Your network could get subscribed on-the-fly to an anti-DDoS service, fire up additional availability resources on new IP space, or lead all the other participating networks into shunting off the offending bot-infected computers.

Page 44: How to Fix the Internet - Global Security Service - Examples

Your company participates in a global whitelist/blacklist of IP addresses. Your company's whitelist/blacklist servers/service could contact the global root servers to get instantaneous updates of the Russian Business Network's changing IP address space.

Page 45: How to Fix the Internet - Global Security Service - Examples

Your anti-spam device or anti-phishing filter can learn instantly when a massive new spam or phishing attack occurs, instead of waiting for a vendor update or allowing only the already existing global email services to learn about the attack.

Page 46: How to Fix the Internet - Global Security Service - Examples

Suppose a MySQL-based, Slammer-type, zero-day worm gets launched that can succeed against all existing, contactable MySQL servers on the Internet. Your firewall could be notified of the zero-day attack and shut down the port until a better remedy is provided.

SQL Slammer infected most SQL servers on the Internet in under 10 minutes. It went off at 1 AM EST. By the time sysadmins were alerted, it was over.

Page 47: How to Fix the Internet - Global Security Service

[Diagram: the Global Internet Security Infrastructure Service feeding a Global Early Warning System, global anti-malware signatures, a global black-list, a global phish list, global security servers, etc., consumed by the Internet, private entities, etc.]

Page 48: How to Fix the Internet - End to End Trust Solution - Trust Components

- Hardware
- OS Boot Process and Loading
- Device and User Identity
- Network Stack and Protocols
- Applications
- Network Transmission Devices and Packets
- Communication Sessions

Page 49: How to Fix the Internet - End to End Trust Solution

- Not Microsoft's End-to-End Trust
- Based originally on the Trusted Computing Group's work

Page 50: How to Fix the Internet - End-to-End Trust

Make each Internet egress network responsible and accountable for the security and trust of the endpoints in its network.

This applies to corporate environments, as well as to ISPs being responsible for the security of their end-user clients (to a variable degree).

Each egress network access point would be known as a "trust network", with its management and technical teams responsible and accountable for implementing improved security trust mechanisms (e.g. egress filtering, two-factor authentication, anti-malware, secure coding practices, etc.).

Page 51: How to Fix the Internet - End-to-End Trust

A world-wide community consortium of computer security experts would transparently decide what levels of trust are assigned to the various trust components and how various trust networks earn increasing levels of trust.

Egress points with poorly demonstrated levels of security will be given a low trust rating, and that rating made known to all participants (e.g. a world-wide trust rating list).

This should encourage trust networks to improve their security to be rated higher, and at the same time hold questionable networks accountable (e.g. the Russian Business Network's malicious IP space).

Page 52: How to Fix the Internet - End-to-End Trust - Trust Assurance Levels

Various trust assurance level values are assigned to each trust component in the trust pathway:

Authentication + Infrastructure Trust + Identity Assurance = Aggregate Trust Assurance Level

Page 53: How to Fix the Internet - End-to-End Trust - Trust Assurance Levels

Authentication Type                      | Trust Assurance Level Assignment
-----------------------------------------|---------------------------------
Simple user name and password            | Low
Username, PIN, and Biometric / Token     | Medium
Smartcard, Biometric and PIN             | High

Page 54: How to Fix the Internet - End-to-End Trust - Trust Assurance Levels

Infrastructure Example Scenarios                                                       | Trust Assurance Level Assignment
---------------------------------------------------------------------------------------|---------------------------------
Logon session originating from a known malicious IP address space                      | Low
Logon session originating from a trusted, classified government network                | High
Smart card using "short" 1024-bit public key                                           | Medium
Questionable service provider who has been "warned" about continued, past illegal activities | Low
Network packet with "too many" hops, indicating excessive routing                      | Low
Logon session originating from a shared wireless network available to the public or an Internet cafe | Low
Logon session originating from a static, unchanging IP address                         | Medium

Page 55: How to Fix the Internet - End-to-End Trust - Trust Assurance Levels

Aggregated Trust Level Example Scenarios                                                          | Aggregated Trust Assurance Level Assignment
--------------------------------------------------------------------------------------------------|-------------------------------------------
Anonymous identity, password only, coming from an untrusted service provider                      | Lowest
True identity with compromised biometrics coming from a trusted service provider                  | Low
Anonymous identity with 3rd-party attestation, using a password on a trusted origination point    | Medium
True identity of long-term, outstanding character, on a highly trusted service provider, using Smartcard + PIN | High

Page 56: How to Fix the Internet - End-to-End Trust - Trust Assurance Levels (at the packet level)

[Diagram: two tagged packets, each a header including crypto info followed by a signed and encrypted data payload]

Packet 1 header: Physical Trust Ranking = 3, Network Trust Ranking = 3, Session Trust Ranking = 4, Identity Trust Ranking = 5; Overall Trust Ranking = 4

Packet 2 header: Physical Trust Ranking = 4, Network Trust Ranking = 2, Session Trust Ranking = 3, Identity Trust Ranking = 2; Overall Trust Ranking = 3

Page 57: How to Fix the Internet - End-to-End Trust

These global trust ratings would be sharable and available to each communicating trust network.

Each receiving trust network can decide how to treat incoming traffic based on the originator's trust rating, and can even apply custom trust ratings to trusted private trading partners (regardless of the packet's tagged trust).

Traffic with higher ratings of trust should be inspected less and be delivered faster to end-points.

Page 58: How to Fix the Internet - End-to-End Trust - Trust Gateways

Each trusted network should implement a trust gateway device (which can be a separate component or integrated into other egress/ingress point devices and software).

The trust gateway device is responsible for tagging egress traffic with a community-decided trust rating, and for appropriately handling (and handing off) incoming traffic based upon the trust rating with which it is marked.
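An added Python example (not code from the slides) tying together the Trust Assurance Levels tables, the packet-level rankings and the trust gateway: the authentication and infrastructure tables become lookups, the overall ranking of the two packet examples is computed as a rounded mean (an assumption chosen because it reproduces both slide values, 4 and 3), and a gateway tags egress packets and picks an inspection depth for ingress traffic, with per-partner overrides as described for trusted trading partners. The 1-5 scale, the "worst observation wins" rule for infrastructure, and the inspection thresholds are assumptions.

```python
from math import floor
from statistics import mean

# Trust rankings as on the packet-level slide: 1 = lowest .. 5 = highest (assumed scale).
RANK = {"lowest": 1, "low": 2, "medium": 3, "high": 4, "highest": 5}

# Authentication Type -> Trust Assurance Level (the slide's table).
AUTH_LEVEL = {
    frozenset({"password"}): "low",
    frozenset({"username", "pin", "biometric"}): "medium",
    frozenset({"username", "pin", "token"}): "medium",
    frozenset({"smartcard", "biometric", "pin"}): "high",
}

# Infrastructure scenario -> Trust Assurance Level (the slide's table).
INFRA_LEVEL = {
    "known_malicious_ip_space": "low",
    "trusted_classified_gov_network": "high",
    "smartcard_1024bit_key": "medium",
    "warned_service_provider": "low",
    "too_many_hops": "low",
    "public_wireless": "low",
    "static_ip": "medium",
}

def authentication_level(factors):
    """Factors presented at logon -> level; unknown combinations count as 'low' (assumption)."""
    return AUTH_LEVEL.get(frozenset(f.lower() for f in factors), "low")

def infrastructure_level(observations):
    """Worst observed scenario wins (assumption): one bad signal caps infrastructure trust."""
    levels = [INFRA_LEVEL[o] for o in observations]
    return min(levels, key=RANK.__getitem__) if levels else "low"

def aggregate_rank(component_ranks):
    """Overall ranking = mean of the component rankings, rounded half-up (assumption)."""
    return floor(mean(component_ranks) + 0.5)

class TrustGateway:
    """Egress/ingress device: tags outgoing packets, chooses inspection depth for incoming ones."""
    def __init__(self, partner_overrides=None):
        # Custom ratings for trusted private trading partners override the packet's own tag.
        self.partner_overrides = dict(partner_overrides or {})

    def tag_egress(self, packet, physical, network, session, identity):
        packet["header"]["trust"] = aggregate_rank([physical, network, session, identity])
        return packet

    def effective_rank(self, packet, peer):
        return self.partner_overrides.get(peer, packet["header"]["trust"])

    def inspection(self, packet, peer):
        """Higher trust -> less inspection; the thresholds are assumptions, not from the slides."""
        rank = self.effective_rank(packet, peer)
        if rank >= 4:
            return "light"
        if rank == 3:
            return "standard"
        return "deep"

def demo():
    """Re-create the two packets from the packet-level slide and route them through a gateway."""
    gw = TrustGateway(partner_overrides={"partner.example": 5})  # constructed partner name
    p1 = gw.tag_egress({"header": {}, "payload": b"signed+encrypted"}, 3, 3, 4, 5)
    p2 = gw.tag_egress({"header": {}, "payload": b"signed+encrypted"}, 4, 2, 3, 2)
    return (p1["header"]["trust"], p2["header"]["trust"],
            gw.inspection(p2, "unknown.example"), gw.inspection(p2, "partner.example"))

if __name__ == "__main__":
    print(demo())
```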

Page 59: How to Fix the Internet - End-to-End Trust

[Diagram: two networks, each with a Network Trust Boundary around its regulated endpoints and security defenses, fronted by a Trust Gateway, connected through the Internet/Network Cloud; Community Trust Rating Servers and the Global Internet Security Infrastructure Service sit in the cloud between them.]

Page 60: How to Fix the Internet - End-to-End Trust - In Conclusion

Thus, a roving malware network with constantly changing IP addresses could be tracked and identified by the global trust servers. No longer could malware writers hide behind fast-fluxing IP and DNS domain name changes.

Page 61: How to Fix the Internet - End-to-End Trust - In Conclusion

Another example: a previously highly trusted network or web site becomes infiltrated by malware. During the active attack, the compromised network or host could be assigned a lower trust rating, and that lower trust rating communicated to all participating parties.

Once the malware was cleaned up and the network or host was running clean again, its trust rating could be improved, maybe slowly at first. But certainly after a set period of time it could regain its original trust rating, or actually improve it beyond the original if newer, more secure practices were used.

Page 62: How to Fix the Internet - End-to-End Trust - In Conclusion

Currently, there is no way for the Internet community, globally, to be aware that a particular popular host or network is compromised.

With more and more legitimate sites being used to host malware, we need some sort of warning system.

Page 63: How to Fix the Internet - Use Existing Web Standards

The Best Part??

All of the previously mentioned stuff can be implemented using web service standards that exist today!

We need only agree upon a solution.

Page 64: How to Fix the Internet - Use Existing Web Standards

- IPv6
- DNSSEC
- X.500 directories
- X.509 digital certificates
- Trusted Network Connect
- Trusted Platform Module (TPM) chip
- Network Access Control (e.g. NAP, etc.)

Page 65: How to Fix the Internet - Use Existing Web Standards

- WS-* (Web Service Extensions)
  - WS-Security
  - WS-Federation
  - WS-Trust
- OpenID
- RADIUS
- SAML 2.0

Page 66: How to Fix the Internet - Use Existing Web Standards - Basic Components

[Diagram: Authentication Providers (AP), Cloud Services, the End-User, and the Content Provider website]

Page 67: How to Fix the Internet - Use Existing Web Standards

You, your company, your client... can be all three components at some point.

Page 68: How to Fix the Internet - Basic Layers

[Diagram: three layers, the AP Layer (Authentication Providers), the CP Layer (Content Providers) and the End-User Layer, with Auditors alongside all three]

Page 69: How to Fix the Internet - Use Existing Web Standards

- Your company can provide the authentication service
- You can run an authentication/trust gateway device
- Or you can buy into an authentication service that does all the heavy lifting

Page 70: How to Fix the Internet - Basic Layers

[Diagram: the AP Layer (Authentication Providers) and CP Layer (Content Providers) above the End-User, with an Authentication Gateway Service/Server in the AP Layer fronting a Legacy Password System and a Non-Compliant Authentication System]

Page 71: How to Fix the Internet - Not a Pipe Dream

Many national/regional infrastructures are already headed down this path/model:

- Singapore's National Authentication Framework
- Italian Inter-Regional Identity Federation (ICAR-INF3)
- European STORK project (http://www.eid-stork.eu)
- United States Federal Bridge Certification Authority (http://www.cio.gov/fpkia)

* But none is focused globally, and none is focusing purely on security and how to "fix" the Internet

Page 72: How to Fix the Internet - Likelihood For Internet Fix To Happen?

- Not likely until a tipping point event happens
- Then we'll collectively run around with our heads in the sand and wonder how we could have let this happen (see global financial crisis, 9-11, etc.)
- We are not very good at proactive defenses until the big damage has occurred

Page 73: Fixing the Internet

It's just that easy.

Or if you don't like my plan, how would you fix it?

Questions?

The End