The More Things Change...
Steve Romig, The Ohio State University
July 2004
Game Plan
• I want to walk through a rough chronology of security events from the last 20 years
• What have we learned?
• What have we failed to learn?
Me
• Graduated from Carnegie Mellon University, BS in Math (CS track), in 1982
• First job: an internship at CompuServe (1981-1982)
• Started at OSU in January 1983
• Learned security “the old fashioned way”
1985 - TCP/IP Issues
• "A Weakness in the 4.2BSD UNIX TCP/IP Software", AT&T Bell Laboratories, by Robert Morris
• Describes TCP sequence number prediction
• Could be used to spoof trusted hosts
• More on this later...
In 1988...
• One new virus/month reported
• Viruses are just a PC thing
• Internet has 60,000 hosts
1988-11-02 - Morris Worm
• Early response - patch binaries with adb!
• Much FUD
• Contained by November 5
• 3000-6000 hosts infected (5-10%)
1988-11-02 - Morris Worm, Aftermath
• Spafford's "Phage" list started
• CERT created
The Blame Game
• The miscreants
• The vendors
• The programmers
• The users
The Name Game
• Then: virus, worm, trojan horse
• Now: malware, rootkit, botnet
Homogeneity on the Internet
• Then: 85% Unix
• Now: 96% Windows (desktops)
• Geer et al., 2003-09 - warnings about the monoculture
Vulnerabilities
• Buffer overflow in fingerd
• "Overlooked" debug option in sendmail
• Fingerd runs as root
• Password guessing
• Trusted hosts
1989 - TCP/IP
• “Security Problems in the TCP/IP Protocol Suite”
• Steve Bellovin expands on the issues Morris brought up in 1985
• I read it; it seemed fairly obscure and "technical"
1989 - Security Workshops
• Computer Security Incident Handling Workshops start in Pittsburgh
• Eventually leads (at least indirectly) to the formation of FIRST
• Many incident response teams form over the years
1989ish - Mailing Lists Galore
• Full disclosure debates abound
• alt.security and comp.security created
• 1989-1991 - Zardoz "Security Digest"
• 1990-1991 - core mailing list
• 1990 - vsuite mailing list
1989-1990
• 1989: Cliff Stoll publishes “The Cuckoo’s Egg”
• 1990: Sun security-alert mailing list begins
1990 Bugs
• Various “LAN services”:
  • ypserv, portmap, NFS (file handles, device files, general configuration issues)
• Available to the world
• Insecure default configuration
• Ring any bells?
1992 - Rbone, Neptune
• TCP/IP sequence guessing attacks
• Neptune (1994) has a nice user interface and error checking!
• This is the attack that I thought was too technical
• Writing the code (once) makes the technique widely available to the masses
1995 - "NFS" Shell
• I mention this because we’re seeing this in use again in 2004
• There are still plenty of insecure NFS servers around
1995ish - Program Level Rootkits
• Replaces ls, du, find, ps...
• Pinsh/ponsh backdoor
• Finger daemon backdoor
• Primitive library rootkit components
1995 - Much Password Cracking & Sniffing
• 2004 - we see the same now
• Talked about 2-factor authentication then, talking about it again now
• Recognized need to get away from reusable passwords then (and now)
• Hubs, switches, ssh, ipsec, ssh trojans...
1995-01-25 - OSU SECWOG Starts
• Monthly security awareness and training
• Instrumental in building a community that supports security initiatives at OSU
1995-04-03 - SATAN
• Dan Farmer releases SATAN
• *Huge* furor over the release
• Dan loses his job at SGI over it
1996 - OSU’s Local Miscreants
• They sniff passwords in our labs
• Use our dialup pool for free access
• Break into military and government sites
• No major dialup activity since then (apart from "usual" spam, viruses...)
• The OSU "review" software
1997 - OSU Starts Scanning
• Started with SATAN
• Purchased ISS Internet Scanner in 1997
• Distributed to departments
• Run centrally
1998
• Netbus, backorifice
• First primitive DDOS tools
1999-07-04 - DDOS Attacks at OSU
• Roughly 250 Unix hosts compromised
• Incoming DOS takes us out for 6-8 hours
• 50 of the 250 used for outbound DOS, 6 more hours of downtime
• We start blocking hosts that are compromised
1999 - Malware
• TFN, Trinoo, Stacheldraht...
• Dsniff
1990s Security Tools
• tripwire
• cops
• ssh
• satan
• iss
2000
• OSU firewall project starts
• ILoveYou hits
2001
• Code Red
• NetStumbler
• War Driving
2003-01 - Slammer
• Patching becomes a "big deal"
• 10 minutes to infect most hosts
• 34 OSU computers infected
• Infection rates: 1.4m/hr inbound, 26.6m/hr outbound
2003-01 - Slammer
• We used ISS' scanslam to ID vulnerable computers
• We used Cisco netflow logs to ID infected computers
• Infected, vulnerable computers are blocked automatically
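As an added illustration of the netflow-based identification step described above (example code written here, not code from the talk or from OSU's tools), the following flags sources that spray UDP/1434 at many distinct destinations and hands them to the blocking step. The record layout, the threshold and the sample flows are constructed assumptions, not flow-tools' real output.

```python
"""Slammer-style scanner detection over NetFlow-like records.

Slammer spread as one UDP datagram to port 1434 (MS SQL Server resolution
service) sprayed at pseudo-random addresses, so an infected host shows up
in flow data as a source sending UDP/1434 to many distinct destinations.
Record layout below is a constructed stand-in, not flow-tools' format.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

SLAMMER_PORT = 1434          # UDP port Slammer targeted
PROTO_UDP = 17
DISTINCT_DST_THRESHOLD = 20  # assumed tuning value; real clients hit a few servers

def parse_flow(line: str) -> dict:
    """Constructed layout: srcaddr dstaddr proto srcport dstport packets."""
    src, dst, proto, sport, dport, pkts = line.split()
    return {"src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport), "pkts": int(pkts)}

def slammer_suspects(lines: Iterable[str],
                     threshold: int = DISTINCT_DST_THRESHOLD) -> Dict[str, int]:
    """Map each source hitting >= threshold distinct hosts on UDP/1434 to that count."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f["proto"] == PROTO_UDP and f["dport"] == SLAMMER_PORT:
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def block_list(lines: Iterable[str],
               threshold: int = DISTINCT_DST_THRESHOLD) -> List[str]:
    """Sorted source addresses to hand to the automatic blocking step."""
    return sorted(slammer_suspects(lines, threshold))

# Constructed sample: 10.1.2.3 sprays UDP/1434 at 25 addresses (infected);
# 10.1.2.9 queries two SQL servers and 10.1.2.5 uses TCP/1433 (both normal).
SAMPLE_FLOWS = [f"10.1.2.3 172.16.0.{i} 17 1029 1434 1" for i in range(25)]
SAMPLE_FLOWS += ["10.1.2.9 10.2.0.10 17 1200 1434 2",
                 "10.1.2.9 10.2.0.11 17 1201 1434 2",
                 "10.1.2.5 10.2.0.10 6 1300 1433 40"]

if __name__ == "__main__":
    for host in block_list(SAMPLE_FLOWS):
        print("block", host)
```

The distinct-destination count, rather than raw packet volume, is what separates a scanning host from a busy but legitimate SQL client.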
2003-06 - Adware and Spyware
• Largely ignored (by us) until then
• Finally receiving attention now
• Commercial products
• Media attention
2003-08 - Blaster
• Hard on the heels of password guessing attacks
• Many systems had been tightened down already
• More blocking of vulnerable, infected computers
• More incentive to patch things
2004-02 - Bagle, MyDoom, Netsky
• Lots of email!
• Many, many variants
• Bounce email is almost as bad as the virus email
2004 - Full Circle
• Intruders sniffing, cracking passwords
• Local exploits to gain root, set up shop
• By hand - little/no automation
Things That Haven't Changed
• Bugs, design flaws in software
• The full-disclosure debate
• Default installs are insecure
Things That Are Better
• More incident response teams, abuse contacts
• Vendors seem responsive, sort of, after the fact
Things That Are Worse
Increasing Amounts
• 1994: 2
• 1995: 11
• 1996: 102
• 1997: 308
• 1998: 348
• ...
• 2002: 1145
• 2003: 786/4039
Increased Automation
• Easy for them to infect hundreds of thousands of hosts
• 200,000 hosts picking up agobot from OSU in 3 days...
• On the other hand, we’re more automated also
Increasing Sophistication
• Better rootkits (HackerDefender)
• Encryption
• Agobot
Increasing Variations
• Agobot - hard to analyze them all
Increased Economic Incentives
• Botnets for spam
• Industrial espionage
• Identity theft
• Extortion
Stakes Are Higher
• Internet isn't just a "cool toy" any more
• Our y2k survival plan: use paper
• In 2004, the paper doesn't exist
Challenges
• 10,000+ user-owned machines
• Network registration, vetting, self-remediation
• Remote access and reusable passwords
Some Key Tools
• SCORE - our host information database
• SITAR - incident tracking
• IDB - intrusion detection
• Cisco NetFlow logs, flow-tools software
• Nmap, ISS, other scanners
• Snort
References
• http://securitydigest.org
• http://www.net.ohio-state.edu/security/talks.shtml