CSCI 1800 Cybersecurity and Internaonal Relaonscs.brown.edu/courses/csci1800/static/files/lectures/Lect08... · CSCI 1800 Cybersecurity and Internaonal Relaons ... The Onion Router

CSCI1800CybersecurityandInterna4onalRela4ons

A9ribu4onandPrivacyJohnE.Savage

BrownUniversity

Outline•  Reviewoftypesofcybera9acks•  A9ribu4onproblem•  Methodstoavoida9ribu4on•  Detec4nga9ribu4on•  Alterna4vestoa9ribu4on•  IntrotodeterrenceontheInternet•  Theimpersona4onproblem•  Basedon

–  UntanglingA9ribu4on,ClarkandLandau,Procs.WorkshoponDeterringCybera9acks,Na4onalResearchCouncil,2010.

–  ASurveyofChallengesinA9ribu4on,Boebert,Procs.WorkshoponDeterringCybera9acks,Na4onalResearchCouncil,2010.

Lect082/21/2018 ©JESavage 2

TypesofInternet-BasedA9acks

•  Distributeddenialofservice(DDoS)–botnetbased– Goal:Overwhelmmachines/networkswithdata.

•  Penetra4ona9acks–usesmaliciousfunc4onality– Goal:Controlthemachinethatisa9acked.

•  Exploita4ona9acks–apenetra4ona9ack– Goal:Penetratetoextractvaluableinforma4on

•  Destruc4vea9acks–apenetra4ona9ack– Goal:Destroy/disruptvaluablesystemcomponentora9achedresource,eithertemporarilyorpermanently.



“OntheInternet,nobodyknowsthatyou’readog.”

TheA9ribu4onProblem

TheA9ribu4onProblem

•  A9ribu4onimportantindeterringa9acks.–  Ifa9ribu4onofa9ackerwereknowntobeeasy,a9ackersmaybedeterredbythreatofretribu4on.

•  A9ribu4onisknowntobehard.Whyisit?–  Technicala9ribu4on

•  Whoownsthea9ackingmachine?•  Whereisthemachinelocated?•  Isthea9ackerusingaproxy?

– Humana9ribu4on•  Whoactuallylaunchedthea9ack?


CopingwithA9acks

•  DistributedDenialofService(DDoS)a9acks– Difficulttostop.A9ribu4onnotveryhelpfulgiventhatitmustbestoppedASAP.

– Retribu4onacerthefactnotagooddeterrent.A9ackerishardtofind.

•  A9acksoncri4calinfrastructuresrequiresignificantreconnaissanceeffort.– Adiligentdefendermightcatchthea9ackerintheactand,possibly,stopthea9ack.


BarrierstoTechnicalA9ribu4on•  Botnets–thousandstomillionsofnodes.

–  UsedforDDoS,spam,phishing,passworda9acks•  Proxy

–  Hostprovidesservices,e.g.filtering,authen4ca4on,etc.•  Anonymousproxy

–  Hidessource,e.g.NetworkAddressTranslators(NATs)•  FastFlux–quickchangeinIPaddresses•  Anonymousrou4ng–TheOnionRouter(Tor*)&Freegate**

–  Defendagainstnetworksurveillance.•  Covertcommunica4ons

–  E.g.Steganography:messagehiddeninsideanothermessage


*ForTorseeh9ps://www.torproject.org/

**ForFreegateseeh9ps://en.wikipedia.org/wiki/Freegate

TheOnionRouter(TOR)

•  GoalistohideInternetcommunica4ons.

•  Alicepicks3proxynodes.Messages&des4na4onsencrypted.Evecannotdeterminetheproxiesused.

•  PKIused.Public/secretkeysPiandSiusedbyMi.•  TordevelopedbyUSNavalResearchLabsforUSG.Lect082/21/2018 ©JESavage 8

OnionRou4ng•  Alice’smessagegoesfromP1,toP2,toP3,toD.•  Messageanddes4na4onsencryptedinsideout.


MessageM Dest.D

EncryptwithkeyofP3 M3

Dest.P3 Dest.P2



OnionRou4ng•  AlicesendsmessageM1toproxyP1.•  ProxyP1decryptsM1,sendsresulttoP2whodecryptsM2,andsendsittoP3

Finally,P3decryptsM3(torevealMandD)andsendsresulttoD.•  Generalizestomorethanthreeproxies.


MessageM Dest.D Dest.P3

EncryptwithkeyofP3

EncryptwithkeyofP2

Dest.P2


M3

M2

Iden4tyontheInternet

•  Securerealiden44esandpseudonymsarepossibleandneededontheInternet.

•  Iden4tycanbeassuredviapublic-keyencryp4on– Messagescanbeencryptedwithone,decryptedwithother–  Onlyusercandecryptwithprivatekey,whichassuresiden4ty

•  Iden4tydefinedbysocialmediaaccountsisnotsecure•  Securepseudonymsacquiredviatrustedthirdpar4es.–  Personneedingpseudonymacquiresonefromathirdparty.–  Ifpseudonymprovidersarefederated,thetrustboundaryextendstoallwhoacquireiden44esfromthefedera4on.


Iden4tyThec

•  USBureauofJus4ceSta4s4cssays15.4millionAmericanshadiden44esstolenin2016.

•  Manytechniquesareusedtostealiden44es.•  2017worstyeareverforcyberincidents*•  In2017Equifaxlostpersonalrecords,includingSSNs,driverslicenses,addresses,etc.,on145.5millionAmericans,thatis,mostadults.


*Seeh9ps://www.iii.org/fact-sta4s4c/facts-sta4s4cs-iden4ty-thec-and-cybercrime

Star4ngPointsforTechnicalA9ribu4on

•  Indicatorsofcompromise(IOCs)– Anomalousbehavior,unusualac4vityrecords–  KnownIPaddresses,malware– Hashoflargepiecesofdata

•  Tools– A9ackersdon’tchangetheirtoolsveryocen

•  Behavior– Humansarecreaturesofhabit,sameworkinghours

•  Language–  Commentsinsocwarereflectna4onallanguage


Detec4ngA9ribu4on

•  SourceIPaddresseshelppoliceiden4fya9acker–  Iden4fiesjurisdic4on,canleadtosearchwarrant.

•  IPaddressescanbeusedforgeo-loca4on*– CanlocateIPaddresstowithinapostalcode

•  Mul4stagea9acks–manyhoppointsbetweena9acker&vic4m.Hardtopeelbackbutdoable.

•  Onionrouterscanobscurehopping,aswesaw– Buttrafficanalysismayrevealroutes


*Seehttp://www.maxmind.com/

TheWillieSu9onPrinciple

•  WillieSu9onwasanotoriousbankrobber– Whenaskedwhyherobbedbanks,heis(falsely)reportedtohavesaid“That’swherethemoneyis!”

•  Su9on’sRuleistaughtinmedicalschools– Treattheobviousillnessfirst!

•  Tofindcybercriminals,followthemoney!– Clientsofcriminalservicesmustpayforthem!– E.g.,fakedrugsfirmsmustprocesscreditcards


A9ribu4onIsAlsoaPoli4calProblem

•  In2004anITUofficialproposedthat–  IPv6addressblocksbeallocatedbystates–  Itwould“harden”thelinkagebetweenIPaddressesandotherinforma4on.

•  Whatareadvantagesanddisadvantages?–  Itwouldbeeasierforstatestoiden4fyandpunishci4zensforac4vitythattheydeclareillegal.

–  Itwouldclearlyiden4fystateswithmaliciousac4vityandprovideotherstateswithalevertorequestac4on.

•  Whatotherimplica4onsmightfollow?


NatureoftheA9ribu4onProblem

•  ClarkandLandau:–  Itisprimarilyapolicyproblem,notatechnicalone.– A9ribu4onofforensicqualityinUSnotpossible.– Applica4onlevela9ribu4onviacryptographicmeansmaybepossible–breakthecypher

– Fine-graineda9ribu4oncanbethreattoprivacy– Mul4-stage(mult-hop)a9acksarehardesttosolve– Deterrencebestachievedthroughdiploma4cac4on,suchasnormsandtrea4es.


DeterrenceAlterna4ves

•  Hack-back*–a9ackthea9acker(viahistoolkit?)– AppearstobeillegalunderUSlaw.

•  Mountcovertpreemp4vea9ackagainstsitessuspectedtobeplanningana9ack.

•  Toiden4fyhumans,itmaybeusefultorecordandreplayintruderac4onstoiden4fyhim/herviakeystrokeanalysis,venue,4meofday,observanceofholidays,language,etc.


*Seehttp://www.theregister.co.uk/2010/06/17/exploiting_online_attackers/

DeterrenceinGeneral•  Individualsdeterredfromaggressiveac4onby–  Likelihoodandseverityofretribu4on–  Frustra4on

•  Butac4onshaveunintendedconsequences–  “blow-back”onfriendsandself

•  Cybera9acksgenerallydonothavekine4ceffect– Anobstacletoa9ackislackofcertaintyofeffect

•  Note:Responsetoa9ackneednotbeimmediate•  USGovernmenthasusedsanc4onseffec4velyagainstimportantRussianoligarch,Chinesemilitary


TheImpersona4onProblem

•  NYThasreportedthat“followers”arebeingsoldonTwi9er,FacebookandLinkedIn*– Devumi(USbased)sellsthemtothoseseekingfame!– Crea4ngfolloweraccountsisprofitable!

•  Afollowerisanimpersona4on,anearlyiden4calreplicaofarealperson– Millionsofimpersona4onsarecircula4ngonweb– Theyusedtoamplifyreal&fakenews


*h9ps://www.ny4mes.com/interac4ve/2018/01/27/technology/social-media-bots.html

TheImpersona4onProblem

•  Impersona4onsarecausinggrieftorealpeople†– Dozensofcomplaintshavefailedtoeliminatethem

•  Apersoniseasilyconfusedwithimpersona4on– Reputa4onsarebeingdamaged

•  Socialmediacompanieshavepoliciesagainstthis– Buttheydon’tenforcethem.– Theydorequireproofofiden4tytoshutthemdown

•  Governmentsmayintervene– CompanieshavebecomeIDvalidators!


†h9ps://www.ny4mes.com/2018/02/20/technology/social-media-impostor-accounts.html

ClickerQues4ons

•  WillieSu9onwasacrimeinves4gatorA.  YesB.  No


Review

•  Reviewoftypesofcybera9acks•  A9ribu4onproblem•  Methodstoavoida9ribu4on•  Detec4nga9ribu4on•  Alterna4vestoa9ribu4on•  IntrotodeterrenceontheInternet•  Theimpersona4onproblem


Documents

CSCI 1800 Cybersecurity and Internaonal Relaonscs.brown.edu/courses/csci1800/static/files/lectures/Lect08... · CSCI 1800 Cybersecurity and Internaonal Relaons ... The Onion Router