The Internet Threat Horizon - mirror.die.net · 2012-11-07 · The Internet Threat Horizon Roland...
The Internet Threat Horizon
Roland Dobbins <[email protected]> Solutions Architect +66-83-266-6344 BKK mobile +65-8396-3230 SIN mobile Arbor Public
“We cannot solve problems by using the same kind of thinking we used when we created them.”
- Albert Einstein
Page 3 - Arbor Public
Security Evolution Threats and Countermeasures through 2012
Evolution of Threats and Exploits
[Chart: Sophistication of Tools plotted against Technical Knowledge Required (High to Low). Tools shown: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Hijacking Sessions, Sniffers, Scanners, Stealth Diagnostics, DDoS, Root Kits, Blended Threats, Botnets.]
Threat Evolution: Acceleration Towards Day Zero
Example: SQL Slammer (an oldie, but a goodie)
• Infections doubled every 8.5 seconds
• Infected 75,000 hosts in first 11 minutes
• At peak, scanned 55 million hosts per second
• Caused network outages that caused
– cancellations of airline flights
– closing of retail outlets at a large consumer electronics chain
– transactional service delivery loss at commercial ATMs
The Miscreant Economy is Forever
[Diagram: the networks that feed the miscreant economy: Satellite Network, Home Control Network, Cable Network, Mobile Network, Broadband Network Provider, Internet]
Threat Economy: Today
[Diagram: $$$ Flow of Money $$$ running left to right across five columns; also labelled: Compromised Host and Application]
§ Writers: Tool and Toolkit Writers; Malware Writers (Worms, Viruses, Trojans, Spyware)
§ First Stage Abusers: Machine Harvesting, Information Harvesting, Hacker/Direct Attack, Internal Theft: Abuse of Privilege
§ Middle Men: Bot-Net Creation; Bot-Net Management: For Rent, for Lease, for Sale; Personal Information; Electronic IP Leakage; Information Brokerage
§ Second Stage Abusers: Spammer, Phisher, Extortionist/DDoS-for-Hire, Pharmer/DNS Poisoning, Identity Theft
§ End Value: Financial Fraud, Commercial Sales, Fraudulent Sales, Click-Through Revenue, Espionage (Corporate/Government), Criminal Competition, Extorted Pay-Offs, Theft
Enduring Financial Opportunities
Enduring criminal financial opportunities:
§ DDoS
§ Extortion
§ Advertising click-through fraud
§ Fraudulent sales
§ Identity theft and financial fraud (phishing, stealing info from PCs, etc.)
§ Theft of goods/services
§ Espionage/theft of information
§ Spam-based stock-market manipulation
Postulate:
Strong, Enduring Criminal Financial Opportunities Will Motivate Participants in the Threat Economy to Innovate to Overcome New Technology Barriers Placed in Their Way
Botnets - The #1 Online Security Threat
Botnets are the prime enablers of all these activities:
§ DDoS
§ Extortion
§ Advertising click-through fraud
§ Fraudulent sales
§ Identity theft and financial fraud (phishing, stealing info from PCs, etc.)
§ Theft of goods/services
§ Espionage/theft of information
§ Spam-based stock-market manipulation
Wikipedia on Botnets: “. . . a collection of compromised computers (called zombie computers) [or bots] running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure.”
DDoS Background
What is a Distributed Denial of Service attack?
• An attempt to consume finite resources, exploit weaknesses in software design or implementation, or exploit lack of infrastructure capacity
• Targets the availability and utility of computing and network resources
• Attacks are almost always distributed for even more significant effect – i.e., DDoS
• The collateral damage caused by an attack can be as bad, if not worse, than the attack itself
• DDoS attacks are attacks against capacity and/or state
• DDoS attacks affect availability! No availability, no applications/services/data/Internet! No revenue!
Three Security Characteristics
[Diagram: Confidentiality, Integrity, Availability]
§ The goal of security is to maintain these three characteristics
Three Security Characteristics
§ Primary goal of DDoS defense is maintaining availability
[Diagram: Confidentiality, Integrity, Availability]
Firewalls and IDS/’IPS’ don’t help!
§ It’s time to put the firewall and IDS/’IPS’ myth to rest!
– Firewalls are policy-enforcement devices – they can’t help with DDoS, and in most cases the policies applied to the firewalls have been devised with no visibility into network traffic, so the firewall rules bear little relation to what should actually be permitted and denied.
– IDS/’IPS’ are by definition always behind the attackers – in order to have a signature for something, you must have seen it before.
– IDS/’IPS’ have proven to be totally ineffective at dealing with application-layer compromises, which is how most hosts are botted and used for DDoS, spam, corporate espionage, identity theft, theft of intellectual property, etc.
– Firewalls & IDS/’IPS’ output reams of syslog which lacks context, and which nobody analyzes. It is almost impossible to relate this syslog output to network behaviors.
– End-customers subscribe to traditional managed security services based on firewalls and IDS/’IPS’, and still get compromised!
– Firewall & IDS/’IPS’ deployments cause performance & usability problems and don’t scale; they shouldn’t be deployed in front of servers!
Failure of Firewall and IPS in the IDC
§ Nearly half of all 2010 & 2011 WISR respondents have experienced a failure of their firewalls or IPS due to DDoS attack!
Botnet-enabled DDoS
§ DDoS, both inbound and outbound - DDoS for hire is big business!
– Multi-path DDoS attacks (miscreants learning about routeservers, distributed botnets helping).
– Multi-vector DDoS attacks - SYN-floods combined w/fragmented UDP, port 80 & port 22 (ssh), DNS reflection attacks (100 Gb/sec & higher!)
– DDoS/spam zombies being installed by Web- and email-delivered exploits
– Increased use of non-TCP/non-UDP protocols (IGMP, protocol 0, protocol 255) to bypass basic ACLs; miscreants learning about ToS bits, perform application-layer DDoS after prior reconnaissance of Web sites
– Spoofing used in a small fraction of attacks, but some of the more sophisticated/effective attacks are spoofed (Arbor TMS helps with this)
– Increased multi-path DDoS against network infrastructure devices (attempt to disrupt routing)
– Spammers launch DDoS attacks against anti-spam RBLs
– DDoS extortion commonplace, no longer against fringe businesses, but against online trading houses, banks, etc.
– Ideologically-motivated DDoS becoming more common, higher-profile.
– DDoS-enabled stock-market manipulation a reality – HKG Stock Exchange.
Worms/Self-propagating Malware to Recruit More Bots
§ Worms with network side-effects before, worms without network side-effects now
– SQL Slammer was intended to compromise Microsoft SQL Server, not DoS the network!
– Blaster and successors also intended to compromise Windows boxes - they succeeded!
– Nachi was a twisted/misguided attempt to clean up and patch; the ‘cure’ was worse than the disease, in many cases. Nachi ICMP & HTTP caused many outages, was a problem until Nachi self-destructed (tried tracerouting to/through the Internet from Windows, since 2003?)
– Many vulnerabilities over TCP/80, TCP/445, etc. - cannot filter with extended ACLs or the Windows network breaks
– Remember, the goal is to compromise hosts and turn them into bots; miscreants have learned to be quiet on the network, no longer cause DoS via the propagation vector
– Web-, document-, image-, email-, video-delivered malware via application-layer exploits are the new way to compromise hosts and turn them into bots
– AJAX/Web 2.0/Twitter/DNS botnets in the wild.
– Mobile, MANET-enabled botnets now here for Android – modern mobile phones are computers!
Subverting the Network Infrastructure
§ More emphasis on subverting the network itself (no longer just ‘black boxes’).
– Cisco, Juniper, Huawei, Alcatel, etc. all of interest to the miscreants - routers can be used to launch DDoS, to act as VPN gateways for SPAM, to hijack traffic and perform MITM attacks
– As always, default/lame passwords like ‘cisco’ or ‘c1sc0’ lead to router compromise (many businesses and government agencies don’t use AAA).
– Miscreants love routers! They’re great DoS-generators! They’re great for tunneling miscreant traffic! They love switches for MITM! They love firewalls so that they can sniff traffic!
– There are hundreds of thousands of compromised network devices, from cablemodems to 12000s, on the Internet today - mainly not due to inherent security flaws (although we see this with some consumer-level devices), but because of poor administrative practices.
– DNS/name resolution a very popular target for DDoS, as a DDoS-enabler (open recursive nameservers as DDoS reflectors), and to poison name resolution in order to enable MITM attacks
Bot-Enabled Espionage, Theft, and Extortion
§ More targeted information-gathering/espionage activities.
– Recent well-publicized university, bank, insurance-provider, government information compromises. Miscreants use this information for identity theft - obtain credit cards, drain bank accounts, etc.
– Increasingly, DDoS/spam bots include formloggers/keyloggers, suss around for files to send back ‘home’, and so forth. They search documents and email for keywords (bank account info, credit card numbers, governmental ID numbers, etc.).
– ‘Spear-phishing’ on the rise - targeted SPAM with the aim of socially engineering specific enterprise employees to run malware, give up information, pay extortion money (customized death threats against employees and their families, anonymous email blackmail, bogus ‘subpoena’ service, etc.)
– There are ‘bots in the walls’
GPRS/EDGE/3G/LTE/WiMAX Bots Here Now!
§ Botted hosts on a wireless network can wreak havoc!
– Outbound DDoS from botted hosts with wireless modems consumes scarce radio spectrum, site backhaul capacity, backbone capacity
– DNS-based DDoS and/or aggressive DNS lookups related to C&C/other attack vectors can cause collateral damage to non-scaled mobile DNS infrastructure
– NAT, firewalls, ‘IPS’, other stateful devices in the network greatly increase DDoS impact – net loss of security posture!
– Scanning behaviors of botted mobile hosts can knock over fragile IP stacks on RAN, SGSN, GGSN – many mobile networks have grown organically, not architecturally hardened, BCPs not implemented.
– Scanning behaviors ‘wake up’ radios in handsets, cause battery drain – help-desk calls, RMAs!
Background noise
§ Rise in ‘background noise’ (portscans, low-level DDoS, leftover Slammer traffic and Nachi ICMP, etc.) makes detection more difficult
– Botnets have ordinarily used IRC over standard or non-standard ports as C&C - this is changing. We saw P2P-enabled botnets with encrypted C&C emerge in 2003 - now, we see well-formed HTTP/HTTPS being used as decentralized, P2P botnet C&C, very hard to pick out from normal Web traffic. Makes botnets far more resilient!
– AJAX and Web 2.0-type technologies offer many possibilities for layer-7 C&C, an emerging threat as ‘software as a service’ becomes more popular – see Twitter botnet discovered by Arbor (http://asert.arbornetworks.com/2009/08/twitter-based-botnet-command-channel/)
– DNS also leveraged for C&C - DNS TXT records used to store botnet commands; bots query predefined TXT records periodically for instructions. Bots are coded to look up nonsense-sounding domains which have not yet been registered; when the miscreant wants to activate the botnet, he registers the domain and sets up a C&C Web server to issue commands. Very sneaky!
– DNS ‘fast-flux’ used for agile botnet C&C
– Sometimes it’s hard to properly classify application-layer DDoS - can look like a legitimate ‘flash crowd’.
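As an added example (not from the deck), a small Python triage script over a constructed DNS query log that picks out the two DNS C&C patterns described above: clients repeatedly polling TXT records, and clients resolving high-entropy names that are not registered (NXDOMAIN). The log records, thresholds and the .test domains are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log as (client, qname, qtype, rcode) tuples.
# Made up for this example; .test is a reserved TLD, nothing here is real traffic.
SAMPLE_QUERIES = [
    # 10.0.0.5: ordinary workstation traffic, including one legitimate TXT lookup
    ("10.0.0.5", "www.example.com", "A", "NOERROR"),
    ("10.0.0.5", "example.com", "MX", "NOERROR"),
    ("10.0.0.5", "_dmarc.example.com", "TXT", "NOERROR"),
    ("10.0.0.5", "cdn.example.com", "A", "NOERROR"),
    # 10.0.0.7: bot polling predefined TXT records for instructions
    ("10.0.0.7", "cmd1.c2-placeholder.test", "TXT", "NOERROR"),
    ("10.0.0.7", "cmd2.c2-placeholder.test", "TXT", "NOERROR"),
    ("10.0.0.7", "cmd3.c2-placeholder.test", "TXT", "NOERROR"),
    ("10.0.0.7", "cmd4.c2-placeholder.test", "TXT", "NOERROR"),
    # 10.0.0.9: bot looking up nonsense-sounding names nobody has registered yet
    ("10.0.0.9", "kq7x2vz9mlp4.test", "A", "NXDOMAIN"),
    ("10.0.0.9", "8fj3lqz0xv2w.test", "A", "NXDOMAIN"),
    ("10.0.0.9", "zr5tq1mx8vn0.test", "A", "NXDOMAIN"),
    ("10.0.0.9", "www.example.com", "A", "NOERROR"),
]


def label_entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """The label just left of the TLD: 'example' for www.example.com."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_suspicious_clients(queries, txt_threshold=3, nx_threshold=3,
                            entropy_threshold=3.0):
    """Return {client: [reasons]} for clients matching either C&C pattern.

    Entropy alone is noisy (long legitimate names score high too), so the
    random-name rule also requires NXDOMAIN, i.e. the name is unregistered.
    """
    txt_names = defaultdict(set)   # distinct TXT names per client
    nx_random = defaultdict(set)   # distinct high-entropy NXDOMAIN names per client
    for client, qname, qtype, rcode in queries:
        if qtype == "TXT":
            txt_names[client].add(qname)
        if (rcode == "NXDOMAIN"
                and label_entropy(registrable_label(qname)) >= entropy_threshold):
            nx_random[client].add(qname)

    findings = {}
    for client in set(txt_names) | set(nx_random):
        reasons = []
        if len(txt_names[client]) >= txt_threshold:
            reasons.append("txt_record_polling")
        if len(nx_random[client]) >= nx_threshold:
            reasons.append("unregistered_random_domains")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in sorted(find_suspicious_clients(SAMPLE_QUERIES).items()):
        print(client, ", ".join(reasons))
```

Both rules are per-client counts over a window, so on a real resolver log they should be run per hour or per day and tuned against known-good TXT users (mail servers doing SPF/DMARC lookups will trip the first rule).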
What is ‘Web 2.0’?
Loosely speaking, the term ‘Web 2.0’ refers to various types of hosted applications which facilitate social networking, information interchange, content syndication, and which in many cases are substitutes/replacements for traditional desktop applications. This model is very attractive to enterprises - leverages Web browser as a ‘universal client’, reduces amount of admin overhead (no client upgrade cycles), leverages economies of scale with blade servers, virtualization technologies.
Examples of Web 2.0 Applications
• TypePad, LiveJournal, Blogger - hosted weblogging
• Backpack, Campfire, Writeboard - hosted storage/chat/collaboration
• JotSpot, SocialText - hosted wikis
• YouTube - user-generated video content
• Flickr - photos, tagging
• MySpace, FaceBook, QQ - social networking
• Windows Live!, Google Write, etc. - hosted business software
• Second Life, MMORPGs - virtual worlds with virtual economies = real-world money!
• Twitter – real-time status updates/’micro-blogging’
What is the problem?
To date, the ‘Web 2.0’ and online application communities have not generally been closely engaged with the traditional computer security community nor the network operational security community. This lack of engagement can have negative consequences for those who depend upon these applications - increasingly, this means enterprise users, not just consumers.
Blue Security vs. TypePad
During a large DDoS, BlueSecurity.com changed the DNS A record for their domain so that it pointed to their hosted TypePad weblog
Much excitement, significant (6-hour-plus) outage for all TypePad customers, including enterprises who use weblogs for customer communication, support, PR, etc.
Significant DDoS traffic for multiple SPs
Significant outages for literally millions of SOHO, small business, large enterprise customers worldwide
For hours, customers did not know what was happening or how to react - siloed communications channels.
Samy vs. MySpace
• Samy wants to be a ‘hero’ to users on MySpace - after careful reflection, he determines that exploiting an XSS vulnerability on MySpace to create a browser-based ‘XSS worm’ is a good way to accomplish this goal.
• Within 5 hours, Samy has 1,000,000+ friend requests from MySpace users - about 1/35th of the total userbase
• Within 6 hours, MySpace is unreachable for most users
• Approximately 2.5 hour outage, some capabilities removed from user profiles (embedded music movies, etc.).
• Anecdotal reports of excessive traffic on broadband access networks, help-desk calls (it’s kind of hard to call MySpace), etc.
• Businesses use MySpace for PR, advertising - not just for teenagers!
Second Life, WoW ‘Virtual Worms’
• Various exploits in Second Life, WoW used to create self-replicating code objects on multiple occasions - your avatar touches the object (like a floating gold ring), your PC is then leveraged to reproduce the viral objects!
• First ones were stupid, simple ‘virtual DDoS’ - cost Linden Labs, Blizzard, their customers real-world time, effort, money!
• Later PoC ‘virtual worms’ copied/stole virtual world intellectual property and currency - custom-designed avatars are a big business, now the work is stolen! Online gold, weapons, etc. are a big business in WoW; ‘virtual worms’ steal these from users!
• Second Life is becoming a very important communications medium for PR, support, etc.; WoW is a game, but a big business in Asia (think ‘gold-farming’; people play WoW for a living, then sell characters, in-game gold, weapons, etc. to players).
Twitter/LiveJournal/Facebook DDoS Attacks
• Apparently ideologically-motivated attacks (Russia/Abkhazia/Georgia) launched against weblogger recounting Russian/Georgian conflict on its one-year anniversary.
• Facebook, Twitter, LiveJournal affected – LiveJournal now owned by TypePad, they gained experience from the Blue Security incident and were able to work with the opsec community quickly. Facebook recovered relatively quickly; Twitter weren’t ‘hooked up’ and it took some time to establish operational contacts, implement BCPs in the middle of an attack.
• Twitter is a very popular mobile application! Handsets with Twitter clients doing lots of HTTP GETs, DNS queries, etc. trying to get to Twitter. Increased traffic, help-desk calls, etc.
• Twitter is increasingly at the center of various ideological conflicts in the physical world, used to organize political activity, etc. – any service used this way is a target (i.e., most Web 2.0/social nets).
China Cascading DNS DDoS – May 2009
• Frustrated game developer hires botmaster to DDoS rival – botmaster chooses to attack DNS (DNS is often the weakest link!)
• DNS for target hosted by registrar without scalable DNS, no BCPs, no defense – hosts DNS for thousands of domains, including popular video-sharing application.
• DNS for target, for video-sharing application, and thousands of other domains goes down
• Video-sharing application written poorly – retries DNS queries at a high rate if no response received
• DNS infrastructure of multiple SPs, enterprises throughout China DDoSed by over-active DNS queries from video-sharing application which can’t resolve video-sharing directory DNS due to original attack
• No scalability, no BCPs, no defenses for broadband/enterprise DNS lead to widespread DNS outages across China!
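The video-sharing client’s tight DNS retry loop is the amplifier in this incident. As an added example (not from the deck), the Python below contrasts that loop with capped exponential backoff, counts what one client and a fleet of clients send to a resolver that is down for a minute, and shows a retry wrapper that gives up instead of hammering. The fleet size, FlakyLookup stand-in and the answer 203.0.113.10 are constructed.

```python
import random
import time


class Timeout(Exception):
    """Raised by a lookup function when the resolver does not answer in time."""


def tight_retry_delays(interval=0.25, max_attempts=None):
    """The failure mode from the incident: re-ask at a fixed high rate, forever."""
    n = 0
    while max_attempts is None or n < max_attempts - 1:
        yield interval
        n += 1


def backoff_delays(base=1.0, cap=30.0, max_attempts=6, jitter=None):
    """Capped exponential backoff: base*2**n seconds, never above cap.

    jitter, if given, is a callable returning a factor (e.g. 0.5..1.0) that
    spreads retries out so a fleet does not re-query in lockstep.
    """
    for n in range(max_attempts - 1):
        delay = min(cap, base * (2 ** n))
        if jitter is not None:
            delay *= jitter()
        yield delay


def resolve_with_retry(lookup, name, delays, sleep=time.sleep):
    """Call lookup(name) until it answers or the delay schedule is exhausted.

    Returns (answer, attempts). When retries run out the Timeout propagates,
    so the caller fails visibly instead of hammering the resolver.
    """
    attempts = 1
    while True:
        try:
            return lookup(name), attempts
        except Timeout:
            wait = next(delays, None)
            if wait is None:
                raise
            sleep(wait)
            attempts += 1


def queries_in_window(delays, window_seconds):
    """Queries one client sends while the resolver stays down for window_seconds."""
    t, count = 0.0, 1          # the first query goes out at t = 0
    for d in delays:
        t += d
        if t > window_seconds:
            break
        count += 1
    return count


class FlakyLookup:
    """Constructed stand-in for a resolver that times out `failures` times, then answers."""

    def __init__(self, failures, answer="203.0.113.10"):
        self.failures, self.answer, self.calls = failures, answer, 0

    def __call__(self, name):
        self.calls += 1
        if self.calls <= self.failures:
            raise Timeout(name)
        return self.answer


if __name__ == "__main__":
    clients, outage = 100_000, 60          # constructed fleet size and outage length
    tight = queries_in_window(tight_retry_delays(), outage)
    polite = queries_in_window(backoff_delays(max_attempts=10), outage)
    print(f"per client during a {outage}s outage: tight={tight}, backoff={polite}")
    print(f"fleet of {clients}: tight={clients * tight:,}, backoff={clients * polite:,}")
    slept = []
    answer, attempts = resolve_with_retry(
        FlakyLookup(failures=2), "video.example.test",
        backoff_delays(jitter=lambda: random.uniform(0.5, 1.0)), sleep=slept.append)
    print(f"answered {answer} after {attempts} attempts, waited {slept}")
```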
The Web 2.0 Universal Browser Botnet
<* IMG SRC="http://www.example.com/" >
§ Cross-Site Request Forgery (CSRF), same class of browser & site vulnerability as Cross-Site Scripting (XSS).
§ Stick a few links like the above in popular Web forums, social networking sites.
§ Millions of uncompromised machines become the ‘botnet’, launching ongoing layer-7 DDoS, unbeknownst to their users.
§ Rinse, repeat.
The Web 2.0 Universal Browser Botnet (continued)
§ Insert 10-15 instances of the HTML code per page, you get 10-15 connections/browser.
§ Get an application-layer amplification factor by abusing the victim’s search form - <* IMG SRC="http://www.example.com/search?q=TERM1+AND+TERM2+AND+TERM3" >
§ Chew up the victim’s bandwidth by grabbing large files - <* IMG SRC="http://www.example.com/bigimage.jpg" >
§ How does the victim defend against this? How does the SP defend the victim against this?
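One partial answer to the slide’s closing question, as an added example (not from the deck): scan the victim’s access log for requests a browser made as an image subresource (Accept header starting with image/) while the Referer points off-site, then rank the referring hosts by how many distinct clients they drove at us. The log format, hostnames, thresholds and every log line are constructed; current browsers also send Sec-Fetch-Dest: image on such fetches, which is a stronger signal than Accept.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format plus one extra quoted field holding the request's Accept
# header. The format and every line below are constructed for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<accept>[^"]*)"$'
)

SAMPLE_LOG = """\
203.0.113.10 - - [07/Nov/2012:10:00:01 +0000] "GET /search?q=shoes HTTP/1.1" 200 9120 "http://www.example.com/" "Mozilla/5.0" "text/html,application/xhtml+xml"
203.0.113.11 - - [07/Nov/2012:10:00:02 +0000] "GET /logo.png HTTP/1.1" 200 3020 "http://www.example.com/" "Mozilla/5.0" "image/webp,*/*"
198.51.100.20 - - [07/Nov/2012:10:00:03 +0000] "GET /search?q=TERM1+AND+TERM2+AND+TERM3 HTTP/1.1" 200 48213 "http://forum.example.net/thread/42" "Mozilla/5.0" "image/webp,*/*"
198.51.100.21 - - [07/Nov/2012:10:00:03 +0000] "GET /search?q=TERM1+AND+TERM2+AND+TERM3 HTTP/1.1" 200 48213 "http://forum.example.net/thread/42" "Mozilla/5.0" "image/avif,image/webp,*/*"
198.51.100.22 - - [07/Nov/2012:10:00:04 +0000] "GET /bigimage.jpg HTTP/1.1" 200 8388608 "http://forum.example.net/thread/42" "Mozilla/5.0" "image/webp,*/*"
198.51.100.23 - - [07/Nov/2012:10:00:04 +0000] "GET /search?q=TERM1+AND+TERM2+AND+TERM3 HTTP/1.1" 200 48213 "http://forum.example.net/thread/42" "Mozilla/5.0" "image/webp,*/*"
192.0.2.5 - - [07/Nov/2012:10:00:05 +0000] "GET /logo.png HTTP/1.1" 200 3020 "http://blog.example.org/post/1" "Mozilla/5.0" "image/webp,*/*"
"""

OUR_HOSTS = {"www.example.com", "example.com"}          # the victim's own hostnames
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".ico")


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_image_context(entry):
    """True when the browser fetched the URL as an image subresource (an <img>)."""
    return entry["accept"].startswith("image/")


def referer_host(entry):
    return urlsplit(entry["referer"]).hostname or ""


def classify(entry, our_hosts=OUR_HOSTS):
    """Tags for one request: off-site embedding, and non-image URL fetched as image."""
    tags = set()
    if not is_image_context(entry):
        return tags
    host = referer_host(entry)
    if host and host not in our_hosts:
        tags.add("offsite_embed")
    path = entry["path"].split("?", 1)[0]
    if not path.lower().endswith(IMAGE_EXTENSIONS):
        tags.add("dynamic_path_as_image")    # e.g. the search form pulled by an <img>
    return tags


def suspicious_referers(lines, our_hosts=OUR_HOSTS, min_clients=3):
    """Off-site referer hosts whose pages embed our URLs as images across many clients."""
    clients, paths, dynamic = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry, our_hosts)
        if "offsite_embed" not in tags:
            continue
        host = referer_host(entry)
        clients[host].add(entry["ip"])
        paths[host].add(entry["path"].split("?", 1)[0])
        if "dynamic_path_as_image" in tags:
            dynamic[host] += 1
    return {
        host: {"clients": len(ips), "paths": sorted(paths[host]), "dynamic_hits": dynamic[host]}
        for host, ips in clients.items() if len(ips) >= min_clients
    }


if __name__ == "__main__":
    for host, info in suspicious_referers(SAMPLE_LOG.splitlines()).items():
        print(host, info)
```

Once a referring host is identified, the victim can refuse image-context requests to dynamic endpoints such as the search form (serve a tiny static response instead of running the query) and apply ordinary Referer-based hotlink rules to the large files; the SP sees only volume, which is why the slide asks what the SP can do.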
Emerging Voice Security Threats
Evolution of Voice Security Threats
§ 1957 – Joe Engressia (aka ‘Joybubbles’) realizes that whistling at 2600Hz allows him to send end-of-billing control signals to the telephone network.
§ 1969 - John Draper meets Dennie and Jemmie, who can obtain practically-free long-distance phone-calls by making creative use of the plastic whistle included in a box of Cap’n Crunch cereal. The whistle emits the same 2600Hz tone discovered by Joybubbles - after hearing the tone, the billing system no longer bills for call minutes even if the call is still active.
Draper was arrested in 1972 and again in 1975 for abusing the telephone network and for wire fraud, respectively.
Evolution of Voice Security Threats
§ 1971 - Al Gilbertson invents the ‘blue box’, is profiled in Esquire. The ‘blue box’ electronically mimics the 12 master tones which are used for control by the telephone switching network - generating various tones in sequence allows phreakers to make free phone calls, loop up local circuits, initiate party-line calls, etc.
Two early phreakers with the handles Berkeley Blue and Oaf Tobark (they both share the same actual first name) were quite interested in ‘blue boxes’, too . . . .
Evolution of Voice Security Threats
§ 1980 - Kevin Mitnick is remotely accessing landline and later early cellphone switching equipment. He impersonates telephone company personnel, Bellcore security managers, etc. and physically enters COs and other telco facilities to pilfer information about the telephone network. By the time he’s eventually caught (1987), he has combined early computer network hacking with telco hacking and has manipulated phone switches in order to tap into the phone conversations of Secret Service agents and telco security personnel who are chasing him.
§ 1990 - Kevin Poulsen manipulates phone switches for fun and profit, rerouting callers to a KIIS - Los Angeles call-in contest so that he can call in and ‘win’ a $40K Porsche.
Evolution of Voice Security Threats
§ 1990 - On January 15th, 114 nodes of AT&T’s long-distance network are down for 9 hours due to a bug in newly-uploaded SS7 failure-recovery code. A misplaced break command caused nodes to crash themselves upon receipt of an out-of-service message and then propagate the crash by sending out-of-service messages to adjacent nodes.
Inadequate testing of the error-recovery path led to the faulty code being uploaded - at the time, the incident was investigated as a possible deliberate attack on the telephone system, and it was widely acknowledged by telco and law enforcement that such an attack was in fact feasible.
Evolution of Voice Security Threats
§ From the 1980s onwards, key systems and PBXes have been prime targets for phone phreakers - outdials to commit toll-fraud, hacking voicemail systems accessible via WATS lines in order to build a ‘free’ message service, silent conferencing in order to eavesdrop, etc.
This has been a key enabler of both state-sponsored and corporate espionage.
Evolution of Voice Security Threats
What’s changed with TCP/IP?
§ Ubiquity
§ Interconnectivity
§ Mobility
§ Empowerment
What’s changed with TCP/IP?
§ Security Capabilities
There are far more effective security mechanisms available in the TCP/IP world than in the closed world of proprietary systems. The challenge we face is incorporating them effectively into architectures and toolkits we can use in order to design, deploy, and operate systems.
Pervasive Security
§ Security is the heart of internetworking’s future; we have moved from an Internet of implicit trust to an Internet of pervasive distrust
§ Network design = security, security = network design
§ We can no longer differentiate network from security, they must be intertwined
What is security vs. network? QoS? Routing? Voice?
§ No packet can be trusted; all packets must earn that trust through a network device’s ability to inspect and enforce policy
Your next-generation handsets
§ Will come from a variety of sources, running a variety of OSes
§ Will have multiple modes of operation - CDMA, GSM, LTE, WiMAX, WiFi, etc. They will cross/eliminate perimeters.
§ Will have multiple forms of personal network/mesh technologies, a la Bluetooth, etc.
§ Will have VPN capabilities
§ Will not necessarily be under the direct control of carriers or IT departments (increasingly, these are personal devices)
§ Will be general-purpose computing devices, with all that entails
The shape of things to come
§ We are faced with multivector penetration/subversion threats to the voice infrastructure - this is already happening with softphones, it will become the norm for hardware phones, as well.
§ Mobile-/softphone-aware malware is here. Mobile operators, SIP, Skype, Vonage, and the like are all targets, others will follow. Spread via phishing, worms, email, and potentially VoIP traffic itself.
§ Toll fraud, SPIT, eavesdropping/wiretapping, voicemail forgery, real-time MitM two-way call interception/corruption, access to phone-integrated directories . . .
§ Application-layer resource-exhaustion attacks against the voice infrastructure (SBCs, cell nodes, WiFi APs, switches, routers), power-exhaustion attacks against handsets . . .
§ Only a matter of time until we see compromised mobiles show up in botnets.
Convergence is a huge concern for SPs
§ For the first time, traditional router-jocks actually care about the applications - “The voice service must stay up, no matter what!” This is a huge sea-change in the mindset of network operators
§ What happens to voice when it’s on the same network as DDoS attacks, and is potentially subject to them? What level of automation, scaling, clustering, virtualization is required to protect voice services in such an environment? How do we extend the ‘Clean Pipes’ paradigm to voice services?
New Attacks
§ Identity Attacks
§ Power Drain Attacks
§ Instant Messenger
§ Bluejacking
§ Bluesnarfing
§ Bluebugging
§ NFC
Identity Attacks
Voice Evolution
[Diagram: PSTN, Internet, IP Network]
Identity Attacks
Where?
§ Local Device Access
§ Network Access
§ Remote Device Access
§ Device to Device
§ User to Device
§ User to Application
§ Call Integrity (control data)
§ Call Integrity (Audio Data)
Identity (like security) must be addressed in layers
Identity Attacks
Example Credentials
§ None
§ Tones
§ Unique Static ID
§ IP Address
§ PIN
§ Username/Password
§ Certificates
§ Biometrics
Identity Attacks
Examples
§ Duplicating Cell Phone Unique ID (other rogue phones)
§ Impersonating Police
§ Manipulating Caller ID
§ Valid Device (but compromised)
§ Credit Card Theft Scam
§ Keyloggers
§ Spyware
§ Worms/Viruses
§ Collision attacks (MD5 & SHA1)
Attackers will attempt to creatively manipulate all credentials
New Attacks
Power Drain Attacks
Definition
Power drain attacks involve devices being put into a constant high-power consumption mode. This attack is effective against wireless devices that rely on battery power: the high-power consumption state causes the device to quickly lose battery power and become useless until the battery is recharged.
Power Drain Attacks
Effectiveness?
§ Just as easy to jam the wireless signal
§ Could be used to discredit an enterprise or mobile SP (reputation, SLAs, etc.), or to enhance a physical attack.
§ We’ve seen these in the wild!
Instant Messenger Attacks
Accessibility and Identity
§ Adds a listening service - makes the device a continuous target while the instant messenger or other presence application is active
§ Indicates when the system is active
§ Very prone to phishing/social engineering attacks
§ SPIM
§ Session hijacking and impersonation
Instant Messenger Attacks
Functionality and Coding Issues
§ More devices (such as phones, PDAs) built on more robust underlying OSes
§ Device complexity prone to more significant coding problems
§ More malware paths (potentially less virus scanning) - Trojan delivery, botted endpoints
Instant Messenger Attacks
Blurring Network Boundaries
§ Multi-function devices mean attacks can bridge network boundaries in new ways
§ Much larger number of potential zombies/bots
Bluejacking
§ Despite the scary name, ‘bluejacking’ is merely the sending of unsolicited text messages from one Bluetooth-enabled device to another
§ The first person known to do this used the handle ‘ajack’ on esato.com . . . he was in a bank, used his phone to detect a visible Nokia phone owned by another patron and sent it a message, ‘Buy Ericsson’. The name stuck.
§ Bluetooth devices have a ‘visible’ and a ‘hidden’ mode. Visible mode is similar to a WiFi broadcast SSID; this is the default setting for most Bluetooth devices.
§ Implementation deficiencies make it trivial to detect devices running in hidden mode . . .
§ Due to vulnerabilities in device OSes (not just phones - PDAs, laptops, etc.), this is a vector for worms and other forms of self-propagating malware.
Bluesnarfing
§ More insidious - bluesnarfing entails the use of tools to grab the phonebook, addressbook, and in some cases the entire memory contents of a Bluetooth-enabled device.
§ While the focus has been on phones, PDAs and general-purpose computers -i.e., laptops - may be vulnerable, as well.
§ What do people store in these devices - passwords, confidential information, access codes? What can be deduced from grabbing the entire memory contents of a device running an active VPN session?
§ This begs the question - if you can read, can you also potentially write?
§ In too many cases, the answer is “Yes!”
Bluebugging
§ Bluebugging is the term used to describe ‘0wn1ng’ another Bluetooth-enabled device, particularly (but not limited to) a mobile phone.
§ The miscreants can send and receive SMS messages, place calls, receive calls, eavesdrop on calls, forward calls to other numbers, read and write address book and other information, gather files accessible via the device in question (VPN + SMB shares, anyone?), and potentially execute code of the attacker’s choice.
§ So far, this has been limited to mobile phones, but PDAs and general-purpose computers may also be vulnerable.
§ The implications are obvious . . . mobile botnets, anyone?
Not just Bluetooth
§ Buffer overflows, DoS vulnerabilities, weak IP stacks, etc. are issues on WiFi, wired interfaces.
§ All these attacks, and more, are of concern via other methods
§ Even though Bluetooth has an ostensible range of 10 meters, exploits using various types of antennas and amplifiers have been demonstrated at distances of over one mile (1.6km).
§ Again, the implications are obvious . . .
This isn’t speculation . . .
“The risk has arrived.” -- Ted Seely, SprintLink
Are We Doomed?
§ No! 80% of the security risks associated with VoIP are common to all forms of IP traffic . . . we have architectures, features, solutions, and BCP which apply. SP networking, security and voice teams need to learn, understand, and put this innovation into practice, as well as proactively collaborating, moving forward.
Architecture
Current Security Posture
GPRS/EDGE, WiMAX, 3G, LTE
Risks of Current Security Posture
Risks of Current Security Posture (cont.)
Network Visibility Can Help Improve the User Experience
The Right Tools for the Right Job
What’s Required to Do All This?
§ Dedicated headcount - OPEX to form an OPSEC team. Hire more good people ($$$) required; send existing personnel to training (Arbor offers courses on building SOCs). Cannot get around these requirements.
§ CAPEX commitment (not high for initial stages, leverage F/OSS tools, mainly).
§ Commitment from management to support and empower the OPSEC team and make it a viable career choice within the organization.
§ Goals for measurable improvement (SLAs, outages, ATLAS, etc.) within the first six months.
§ Hard work – i.e., ‘elbow-grease’.
The Right People for the Right Job
OPSEC Team Skill Requirements
§ The OPSEC Team needs to know ….
– Everything a Backbone Engineer knows
– Everything a Network Management Engineer knows
– Everything a Hosting/Content Engineer knows
– Everything an email postmaster knows
– Everything a DNS/DHCP/Addressing Engineer knows
– Everything a CERT Engineer knows
– Everything an Enterprise Infosec specialist knows
§ In essence – you are looking for super-engineers who are hybrid Backbone/Security Engineers!
Tips on Hiring OPSEC Team Talent
§ Hire experienced, certified people
§ Document and verify processes
§ Maintain latest infrastructure information
§ Establish SLAs with customers and peers
§ Test the continuity of operations regularly
§ Maintain vendor support contracts
§ Leverage analysis tools
§ Create incentives for analyst development
§ Plan and prepare for incident response
§ Evaluate and measure for process improvement
Page 75 - Arbor Public
Six Phases of Incident Response
PREPARATION – Prep the network; create tools; test tools; prep procedures; train the team; practice.
IDENTIFICATION – How do you know about the attack? What tools can you use? What’s your process for communication?
CLASSIFICATION – What kind of attack is it?
TRACEBACK – Where is the attack coming from? Where and how is it affecting the network?
REACTION – What options do you have to remedy it? Which option is the best under the circumstances?
POST MORTEM – What was done? Can anything be done to prevent it? How can it be less painful in the future?
Page 76 - Arbor Public
Goals You Can Achieve - Today!
§ Increase Network-Wide Visibility
– Pulling data from a variety of sources
– Aggregation of data for further analysis & baselining/trending
§ Expedited Correlation Capabilities
– Ability to respond quickly; relatively real-time
– Device and system coverage
– Forensic capabilities
§ Enabling of Timely Reaction
– Reduction of incident impact on customers and business
– Resulting improvement to service availability/assurance
Page 77 - Arbor Public
How to Achieve These Goals:
§ Perform real-time management and monitoring of network infrastructure with historical trending/baselining and real-time alerting
§ Enhance your information security posture through continuous monitoring and management, expert analysis of network telemetry and immediate response to potential security threats
§ Provide rapid resolution of security problems
§ Offer a real-time view of your security posture
§ Ensure optimal protection of mission-critical assets by providing the analysis and commentary needed to adjust defenses against emerging attacks
§ Protect your customers, infrastructure, and technology/resource investments
Page 78 - Arbor Public
Must-Have Deliverables
§ Security monitoring for risk management
§ Security posture risk analysis
§ Secure role-based portal access
– Real-time monitoring and status of incidents/tickets
§ Reports
– Security policy reports
– Security incident reports: real-time on a per-incident basis as well as weekly/monthly
– Information required to prepare a compliance-related audit
– Service Level Agreement reports
– Monitoring for AUP compliance
– Trends of security incidents and events
– Service-compliance reports for customers and management
Page 79 - Arbor Public
Security Operations Center (SOC)
[Diagram: SOC functional overview. Inputs: Business Assets; Complexity of Security Solutions. Core functions: Security Monitoring for Risk Management (compliance audits, risk mitigation, improvement analysis); Analysis and Correlations; Security Experts; Management of Incident, Problem, Change; Process and tools (security policy, plan for risk management, establish SLA, build baseline, assess security posture, incident handling); Monitoring SLA; periodic reports. Security Deliverables: Visibility; Risk Mitigation; Vulnerability Assessments; Reports, real-time and periodic (incident, compliance, SLA); Portal with secure access.]
Page 80 - Arbor Public
The Ability to Answer These Types of Questions Equates to Success:
§ Are these traffic patterns normal for our network?
§ What is using up all of our bandwidth?
§ Angry customers are calling - what happened?
§ Why can’t we reach that server, network or AS?
§ Has someone hijacked our routes?
§ Are we peered with the right SPs?
§ Should we change these BGP attributes or policies?
§ What’s the average packet size on our network?
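Two of the questions above (is this traffic normal, and has our route been hijacked) can be answered from telemetry the deck says an OPSEC team should already be collecting. The following is an added example, not code from the deck or from Arbor's products: it baselines per-minute byte volume and average packet size from constructed flow records, flags intervals that deviate, and compares observed BGP origin ASes against an expected table. The record layout, thresholds, prefixes (RFC 5737 documentation ranges) and AS numbers are all assumptions.

```python
"""Added example (not from the deck or Arbor's tooling): baseline-and-alert over
constructed flow records, plus a route-origin check. All data/thresholds are assumed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (minute, src_ip, dst_ip, packets, bytes).
# Minutes 0-4 are normal traffic; minute 5 adds a flood of tiny packets.
FLOWS = [
    (0, "198.51.100.10", "192.0.2.20", 1000, 800000), (0, "198.51.100.11", "192.0.2.20", 250, 200000),
    (1, "198.51.100.10", "192.0.2.20", 1100, 880000), (1, "198.51.100.11", "192.0.2.20", 200, 160000),
    (2, "198.51.100.10", "192.0.2.20", 900, 720000), (2, "198.51.100.11", "192.0.2.20", 300, 240000),
    (3, "198.51.100.10", "192.0.2.20", 1000, 800000), (3, "198.51.100.11", "192.0.2.20", 250, 200000),
    (4, "198.51.100.10", "192.0.2.20", 1050, 840000), (4, "198.51.100.11", "192.0.2.20", 200, 160000),
    (5, "198.51.100.10", "192.0.2.20", 1000, 800000), (5, "203.0.113.7", "192.0.2.20", 40000, 2560000),
]

def per_interval_stats(flows):
    """Aggregate bytes/packets per minute and derive the average packet size."""
    agg = defaultdict(lambda: [0, 0])
    for minute, _src, _dst, pkts, nbytes in flows:
        agg[minute][0] += pkts
        agg[minute][1] += nbytes
    return {m: {"bytes": b, "avg_pkt": (b / p if p else 0.0)}
            for m, (p, b) in sorted(agg.items())}

def flag_anomalies(stats, baseline_minutes, k=3.0, pkt_ratio=0.5):
    """Flag minutes whose bytes exceed baseline mean + k*stddev, or whose average
    packet size falls below pkt_ratio of baseline (typical of packet floods)."""
    base_bytes = [stats[m]["bytes"] for m in baseline_minutes]
    base_pkt = mean(stats[m]["avg_pkt"] for m in baseline_minutes)
    limit = mean(base_bytes) + k * pstdev(base_bytes)
    alerts = []
    for m, s in stats.items():
        reasons = []
        if s["bytes"] > limit:
            reasons.append("bandwidth above baseline")
        if s["avg_pkt"] < pkt_ratio * base_pkt:
            reasons.append("average packet size collapsed")
        if reasons:
            alerts.append((m, reasons))
    return alerts

def check_route_origins(expected, observed):
    """Return (prefix, seen_origin, expected_origin) for announcements that disagree."""
    return [(p, asn, expected[p]) for p, asn in observed
            if p in expected and asn != expected[p]]

if __name__ == "__main__":
    print(flag_anomalies(per_interval_stats(FLOWS), range(5)))
    print(check_route_origins({"192.0.2.0/24": 64500}, [("192.0.2.0/24", 64666)]))
```

In production the baseline would be a rolling window per interface or customer rather than a fixed five minutes, and the expected-origin table would come from your own IRR/RPKI data.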
Page 81 - Arbor Public
The most important tools you have.
Architecture, Cross-functional Teamwork & Open Communications Across the Organization.
Security is not a product. Security is not a box which can be bolted onto the network. Security must be designed into the architecture at all 7 layers. There are no ‘silver bullets’; defense-in-depth is required. Every security professional must be a competent voice professional and networking engineer, and know a great deal about layer 7. Every voice professional must be a competent security professional and networking engineer, and know a great deal about layer 7. Every layer-7 professional must be a competent networking engineer, and know a great deal about voice as well. Voice, security and layer-7 professionals must interact on an ongoing basis in the normal course of their day-to-day duties, including planning, development, and operations.
Page 82 - Arbor Public
Moving forward together into the 1960s!
Page 83 - Arbor Public
Q&A
Thank You!
Roland Dobbins <[email protected]> Solutions Architect +66-83-266-6344 BKK mobile +65-8396-3230 SIN mobile