1 / 58

Security Networked Society, Networked Science

Erik Poll Digital Security Radboud University Nijmegen. Security Networked Society, Networked Science. Overview. Security problems in our networked digital society Root causes and drivers of security problems Mechanics how do security attacks work?

tovi
Download Presentation

Security Networked Society, Networked Science

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Erik Poll Digital Security Radboud University Nijmegen SecurityNetworked Society, Networked Science

  2. Overview • Security problems in our networked digital society • Root causes and drivers of security problems • Mechanics • how do security attacks work? • how does internet design fail to prevent this? • Privacy • in the face of the data explosion

  3. Computers • PC/laptops • mobile phones • smartcards: SIM, credit card, ov-chip, passport • car navigation systems • cars, trains, planes • embedded systems • control of industrial systems, power grid, ...

  4. The digital era Three stages • mainframes and PCs in companies • PCs & laptops everywhere – at home and the office – connected to internet forming one virtual digital world • mobile computers (smartphones, tablets, …) everywhere, merging physical and virtual worlds to one cyber-physical reality

  5. Power of computer networks • Computer networks – and the internet as prime example – offer huge possibilities • but also: • huge possibilities for abuse • our increasing reliance on it can make us vulnerable • and make abuse more interesting for the bad guys

  6. Security problems...

  7. Security problems to come?

  8. North east blackout August 14, 2003

  9. Two root causes of security problems • Software Computer programs are the most complicated artefacts produced by humans. We do not know how to build large computer programs without bugs. • Networks Problems can be exploited remotely and can spread quickly

  10. Software & security problems To get an impression of the scale of the problem, look at these websites for recent software security flaws http://www.us-cert.gov/cas/bulletins http://www.securitytracker.com/ http://www.securityfocus.com/vulnerabilities

  11. Software & security problems Computers are digital, discrete systems and not analogue, continuous systems • Paradox: absence of error margins and tolerances do not make digital systems easier to analyse if analogue car brakes work at 40 km/h, they work at 20 km/h and any value in between, but a digital brake could fail at – and only at - 32.767 km/h • The butterfly effect can cause chaotic behaviour in analogue systems over time, but a single bit change can cause chaos in digital systems straight away

  12. Network problems: Slammer Worm (5:29 am, Jan 25, 2003) Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  13. Network problems: Slammer Worm (6:00 am, 25 Jan, 2003) Pictures taken from The Spread of the Sapphire/Slammer Worm, by David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, Nicholas Weaver

  14. A third cause of security problems: humans • Humans make lousy security decisions, have a hard time assessing online risks, fall for silly scams, choose predictable and short passwords ... • eg. phishing, scareware A root cause: on the internet we lack the context that we use in the physical world to make security decisions

  15. Nigerian 419 scams • predates internet and email • named after article 419 of Nigerian criminal code • recent variant: email from friend on holiday abroad whose email account has been hijacked in internet cafe

  16. Phishing Variant: spear-phishing aka whaling: targeted phishing attack on one person (with personalised email) that is very rich (a whale)

  17. Scareware

  18. Scareware

  19. Scareware of course, the “free scan” will install malware

  20. Malware Some security attacks only need a gullible human user... • eg the phishing, scareware, etc Some security problems involve malware (malicious software) • worms, viruses, trojans, ...

  21. How does malware spread? • worm malware that spreads autonomously • virus malware in a file (pdf, word document, jpg, ...) that needs to be opened by a program to do damage; spreading requires human interaction • even if it is just opening attachment or visiting webpage • Trojan horse malware part of an apparently benign program that user will willingly download & install but with hidden malicious functionality • eg. free version of a game with a backdoor for remote login

  22. Malware growth 1986-2007

  23. What does malware do? • send out spam NB the vast majority of all email (> 80 - 90%) is spam • carry out Denial of Service (DoS) attacks • steal usernames with passwords, intercept internet banking, ... • rootkit hides deep in the operating system en waits for instructions as part of a botnet • eg to steal information, carry out Distributed Denial of Service (DDoS) attacks,...

  24. botnet example: Pobelka • Pobelka was an instance of the Citadel botnet • Citadel is software to create botnets, that you can buy or download • This botnet infected around 200,000 computers, mainly in Netherlands and Germany • It was taken down early 2013 • The command-and-control server collected 750Gbyte of data stolen from infected machines • including from Radboud University and UMC

  25. Who does this? • hobbyists and script kiddies • hacktivists • criminals • nation states

  26. Internetbanking fraud in the Netherlands by infected computers, fake websites of by phone NB this is serious branch of organised crime, not done by clever teenagers Cyber crime is highly organised and specialised, with different people selling different products & services: producing malware, selling or renting infected machines, selling credit card numbers, ... [Source: NVB]

  27. Security concepts

  28. Security goals Confidentiality, Integrity, Availability = CIA • Confidentiality • who can access which data? • a special case for personal data: privacy • Integrity • is the data genuine? • who can add or modify data? • Availability • is data or are services available?

  29. Conflicts • There is no clear and fixed meaning of what “secure” means • There can be trade-offs between CIA objectives • for instance, cloud services • using gmail for your mail rather than storing it locally on your computer • using flickr.com for you holiday photos can be good for availability, but may be bad for confidentiality

  30. Security goal: Authentication Authentication = ensuring that some entity is who they say they are This pre-supposes some notion of identity (name, IP address,...) Authentication can be done using • passwords • cryptography • biometry: recognising physical characteristics, such as face, voice, fingerprints

  31. Internet mechanics:how does this allow or facilitate problems?

  32. How does internet work? • Security was not a design goal for the internet • surprising, as origin of internet are networks for military applications • resilience was a design goal

  33. Fundamental problems on the internet • who are you ? • who is this website you talk to? internet internet bank

  34. IP basics Home PC and website identified by IP address: unique address of individual computer Web browers requests webpage, web server returns webpage IP packet with source and destination IP address IP packet as reply back to source ID address home PC IP address 123.123.123.45 web site (web server) IP address 234.234.234.56

  35. Third party content A web page returned by a website will usually contain content from other website, which the browser will immediately fetch www.nu.nl/pagina.html contains images from youtube.com, facebook like button, ... lots of other requests to other websites home PC IP address 123.123.123.45 web site (web server) IP address 234.234.234.56

  36. (Lack of) anonymity in normal internet use • any website you visits knows your IP address • as do all websites that provide third-party content to this website • ISPs and telcos report which person uses which IP address & telephone number to a central point for law enforcement In Netherlands: Centraal Informatiepunt Onderzoek Telecommunicatie (CIOT); consulted 2.9 million times/year in 2009 [Source: Bits of Freedom, bof.nl]

  37. reality myth Welcome user29. (IP address: 131.174.16.131) RU Nijmegen, NL; male german shepherd, 4 yrs old, neutered, interests: dogfood cats [Peter Steiner,1993]

  38. Cookies Cookies installed by website in browser to • maintain a session after the user logs in • after logging in to gmail or facebook, a cookie stored on your machine to authenticate you, so that you don’t have to login for the next N hours • record user preferences • eg information in English or Dutch • track a user across many websites • eg for targetted aka behavourial advertising

  39. Cookies After first visit to facebook.com to login you receive a cookie IP packet to login to facebook.com IP packet as reply, including cookie home PC will store the facebook cookie web site facebook.com

  40. Cookies • Cookie is sent along to every subsequent IP request to facebook.com. • Also when you visit any page with a facebook like button • Viewing one website can mean getting & sending cookies from/to • many others! IP packet with cookie for facebook.com IP packet as reply home PC with cookies stored on it web site facebook.com

  41. Cookies vs IP addresses Why use cookies instead of IP addresses to track users? • Cookies allow sites to track users across different IP addresses • connecting to different Wifi points with your smartphone or laptop will result in different IP addresses • Legally, an IP address is personal information, and there are legal restrictions on what you can do with this • personal information = information that can be related to one human individual

  42. Faking it...

  43. IP address spoofing • IP addresses are not trustworthy and can be spoofed: computer with IP address X can sent IP packets giving spoofed IP address Z as source instead of X • This can be abused in DDoS attacks • to hide the real origin • to amplify the attack

  44. Abusing IP basics for DDoS: hiding origin many IP requests with spoofed source address to hide identity of the bots . . . botnet command and control centre DDoS target xxx.yyy.zzz.ww bots (ie infected computer)

  45. Abusing IP basics for DDoS: amplification larger IP responses sent to target A small IP requests with target address as the spoofed source address . . . botnet command and control centre B DDoS target xxx.yyy.zzz.ww bots (ie infected computer)

  46. The information explosion

  47. Big data • What does Google know about you? • What does your internet provide know about you? • What does your telephone company know about you?

  48. “Big data” • “Big data” : huge quantities of data kept by companies • NB ‘’free’ services diensten (gmail, facebook, ..) are paid with ads and collecting personal information for marketing if you are not paying for it, then you are the product being sold

  49. Anonimity? • Even without IP adresses and cookies, your browser configuration may uniquely identify you, eg. • browser version • various settings in browsers • plugins installed • fonts installed • ...) Try it at http://panopticlick.eff.org

More Related