Page 1: The More Things Change...

Steve Romig
The Ohio State University

July, 2004

Page 2: Game Plan

• I want to walk through a rough chronology of security events from the last 20 years
• What have we learned?
• What have we failed to learn?

Page 3: Me

• Graduated from Carnegie Mellon University, BS in Math, CS track in 1982
• First job: an internship at CompuServe (1981-1982)
• Started at OSU in January, 1983
• Learned security “the old fashioned way”

Page 4: 1985 - TCP/IP Issues

• "A Weakness in the 4.2BSD UNIX TCP/IP Software", AT&T Bell Laboratories, by Robert Morris
• Describes TCP sequence number prediction
• Could be used to spoof trusted hosts
• More on this later...

Page 5: In 1988...

• One new virus/month reported
• Viruses are just a PC thing
• Internet has 60,000 hosts

Page 6: 1988-11-02 - Morris Worm

• Early response - patch binaries with adb!
• Much FUD
• Contained by November 5
• 3000-6000 hosts infected (5-10%)

Page 7: 1988-11-02 - Morris Worm, Aftermath

• Spafford's "Phage" list started
• CERT created

Page 8: The Blame Game

• The miscreants
• The vendors
• The programmers
• The users

Page 9: The Name Game

• Then: virus, worm, trojan horse
• Now: malware, rootkit, botnet

Page 10: Homogeneity on the Internet

• Then: 85% Unix
• Now: 96% Windows (desktops)
• Geer et al, 2003-09 - warnings about the monoculture

Page 11: Vulnerabilities

• Buffer overflow in fingerd
• "Overlooked" debug option in sendmail
• Fingerd runs as root
• Password guessing
• Trusted hosts

Page 12: 1989 - TCP/IP

• “Security Problems in the TCP/IP Protocol Suite”
• Steve Bellovin expands on the issues Morris brought up in 1985
• I read it, it seemed fairly obscure and "technical"

Page 13: 1989 - Security Workshops

• Computer Security Incident Handling Workshops start in Pittsburgh
• Eventually leads (at least indirectly) to the formation of FIRST
• Many incident response teams form over the years

Page 14: 1989ish - Mailing Lists Galore

• Full disclosure debates abound
• alt.security and comp.security created
• 1989-1991 - Zardoz "Security Digest"
• 1990-1991 - core mailing list
• 1990 - vsuite mailing list

Page 15: 1989-1990

• 1989: Cliff Stoll publishes “The Cuckoo’s Egg”
• 1990: Sun security-alert mailing list begins

Page 16: 1990 bugs

• Various “LAN services”:
  • ypserv, portmap, NFS (file handles, device files, general configuration issues)
• Available to the world
• Insecure default configuration
• Ring any bells?

Page 17: 1992 - Rbone, Neptune

• TCP/IP sequence guessing attacks
• Neptune (1994) has a nice user interface and error checking!
• This is the attack that I thought was too technical
• Writing the code (once) makes the technique widely available to the masses
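
Slides 4, 12 and 17 all turn on TCP initial sequence numbers (ISNs) being predictable enough to spoof a trusted host. The following is an added example, not code from the talk or from OSU: it contrasts a 4.2BSD-style global counter with the keyed-hash generator that RFC 1948 (and later RFC 6528) recommended as the fix, and includes the kind of predictability check a vulnerability scanner reports. The step sizes (128 per second, 64 per connection), the 4 µs clock granularity, the addresses and the key are illustrative assumptions.

```python
import hashlib
import hmac
from typing import List


class CounterISN:
    """4.2BSD-style ISN source: one global 32-bit counter advanced by a fixed
    step per second and per new connection. Step sizes are illustrative."""
    PER_SECOND = 128
    PER_CONNECTION = 64

    def __init__(self, start: int = 0) -> None:
        self.counter = start & 0xFFFFFFFF

    def tick(self, seconds: int = 1) -> None:
        self.counter = (self.counter + self.PER_SECOND * seconds) & 0xFFFFFFFF

    def next_isn(self, src: str, sport: int, dst: str, dport: int) -> int:
        isn = self.counter
        self.counter = (self.counter + self.PER_CONNECTION) & 0xFFFFFFFF
        return isn


class HashedISN:
    """RFC 1948/6528-style source: clock + keyed hash of the connection 4-tuple,
    so ISNs seen on one connection say nothing about another connection's."""

    def __init__(self, key: bytes) -> None:
        self.key = key          # secret, per-boot random key in a real stack
        self.clock = 0

    def tick(self, seconds: int = 1) -> None:
        self.clock = (self.clock + 250_000 * seconds) & 0xFFFFFFFF  # 4 us units (assumed)

    def next_isn(self, src: str, sport: int, dst: str, dport: int) -> int:
        ident = f"{src}:{sport}->{dst}:{dport}".encode()
        digest = hmac.new(self.key, ident, hashlib.sha256).digest()
        return (self.clock + int.from_bytes(digest[:4], "big")) & 0xFFFFFFFF


def observe(gen, n: int) -> List[int]:
    """Assessment run: open n connections from one client, one second apart,
    and record the server's ISN for each (addresses are constructed)."""
    isns = []
    for i in range(n):
        isns.append(gen.next_isn("10.0.0.1", 40000 + i, "10.0.0.2", 22))
        gen.tick(1)
    return isns


def isn_deltas(isns: List[int]) -> List[int]:
    return [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]


def isn_spread(isns: List[int]) -> int:
    """0 means every connection's ISN differed by the same amount."""
    deltas = isn_deltas(isns)
    return max(deltas) - min(deltas)


def is_predictable(isns: List[int]) -> bool:
    """The check a scanner reports as a 'trivial' ISN: does a linear guess
    made from the first three observations hit every later ISN exactly?"""
    step = isn_deltas(isns[:3])[-1]
    return all(((isns[i - 1] + step) & 0xFFFFFFFF) == isns[i]
               for i in range(3, len(isns)))


if __name__ == "__main__":
    for name, gen in (("counter", CounterISN()), ("hashed", HashedISN(b"k" * 16))):
        seen = observe(gen, 10)
        print(name, "spread:", isn_spread(seen), "predictable:", is_predictable(seen))
```

The counter generator yields the same delta on every connection, so a host that has opened a few connections can be predicted exactly; the hashed generator still advances with the clock but the per-connection offset is unknowable without the key. Randomised ISNs remove the trick, but the underlying mistake on slide 11 is trusting a source address at all (rhosts-style trust), and that is what ssh replaced.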

Page 18: 1995 - "NFS" Shell

• I mention this because we’re seeing this in use again in 2004
• There are still plenty of insecure NFS servers around
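
Slides 16 and 18 are about the same thing nine years apart: NFS and its neighbours exported to the world with insecure defaults. As an added example (not the talk's or OSU's code), here is a small auditor for Linux-syntax /etc/exports files that flags wildcard clients, no_root_squash, insecure ports and world-writable exports, run over a constructed weak file and its corrected form. The sample paths, hosts and the 10.1.0.0/24 client range are made up; treating a bare path with no client list as exported to everyone is this checker's assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple


@dataclass
class Finding:
    path: str
    client: str
    reason: str


# Constructed samples: the weak export list beside its corrected form.
WEAK_EXPORTS = """
# /etc/exports (constructed example)
/home         (rw,no_root_squash)
/export/data  *(rw)
/srv/scratch
"""

HARDENED_EXPORTS = """
/home         10.1.0.0/24(rw,sync,root_squash)
/export/data  fs-client.example.edu(rw,sync,root_squash)
/srv/scratch  10.1.0.0/24(ro,sync)
"""

CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text: str) -> Iterator[Tuple[str, List[Tuple[str, List[str]]]]]:
    """Yield (path, [(client, options), ...]) per export line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        entries = []
        for spec in clients:
            m = CLIENT_RE.fullmatch(spec)
            if m is None:                      # malformed spec: keep it visible as a host
                entries.append((spec, []))
                continue
            host = m.group(1) or "*"           # "(rw)" with no host in front means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((host, opts))
        if not entries:                        # bare path: assumed exported to all hosts
            entries.append(("*", []))
        yield path, entries


def audit_exports(text: str) -> List[Finding]:
    findings = []
    for path, entries in parse_exports(text):
        for host, opts in entries:
            world = "*" in host
            if world:
                findings.append(Finding(path, host, "wildcard client: any host can mount it"))
            if "no_root_squash" in opts:
                findings.append(Finding(path, host, "no_root_squash: remote root stays root on the server"))
            if "insecure" in opts:
                findings.append(Finding(path, host, "insecure: accepts requests from unprivileged source ports"))
            if world and "rw" in opts:
                findings.append(Finding(path, host, "writable by any host"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(label)
        for f in audit_exports(text):
            print(f"  {f.path} [{f.client}]: {f.reason}")
```

The first weak line shows the classic footgun the Linux exports(5) manual warns about: a space between the host and the parenthesised options makes the options apply to every host, so "/home client (rw)" is not a restriction at all. The checker reads it the same way exportfs does.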

Page 19: 1995ish - Program Level Rootkits

• Replaces ls, du, find, ps...
• Pinsh/ponsh backdoor
• Finger daemon backdoor
• Primitive library rootkit components

Page 20: 1995 - Much Password Cracking & Sniffing

• 2004 - we see the same now
• Talked about 2-factor authentication then, talking about it again now
• Recognized need to get away from reusable passwords then (and now)
• Hubs, switches, ssh, ipsec, ssh trojans...
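
Slide 20's point is that a sniffed reusable password is good forever, while a one-time password is good once. As an added example (not from the talk), here is the HOTP counter-based one-time-password algorithm that RFC 4226 standardised a year after this talk, with a server-side verifier that allows a small look-ahead window but never accepts a counter value twice. The shared secret is the RFC 4226 test-vector key; the look-ahead of 5 and the "sniffed then replayed" session are constructed.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side: tracks the next expected counter, tolerates a token that
    was pressed a few times without logging in (look-ahead window), and never
    accepts a counter value twice, so a code captured in transit cannot be
    replayed."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # burn this counter and any skipped ones
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"   # the RFC's published test key


def replay_demo() -> dict:
    """Constructed session: the first code is captured on the wire and reused."""
    v = HotpVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    return {
        "first_login": v.verify(first),                    # accepted
        "replay": v.verify(first),                         # refused: counter 0 is spent
        "later_code": v.verify(hotp(RFC4226_SECRET, 3)),   # accepted: inside the window
        "stale_code": v.verify(hotp(RFC4226_SECRET, 1)),   # refused: behind the window
        "next_counter": v.next_counter,
    }


if __name__ == "__main__":
    print(hotp(RFC4226_SECRET, 0))   # RFC 4226 test vector for counter 0
    print(replay_demo())
```

Contrast this with the reusable password case the slide describes: a password sniffed on a hub stays valid until someone changes it, whereas the captured HOTP code is rejected the second time it is presented. The verifier must persist next_counter durably, since resetting it would re-open every earlier code.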

Page 21: 1995-01-25 - OSU SECWOG starts

• Monthly security awareness and training
• Instrumental in building a community that supports security initiatives at OSU

Page 22: 1995-04-03 - SATAN

• Dan Farmer releases SATAN
• *Huge* furor over the release
• Dan loses his job at SGI over it

Page 23: 1996 - OSU’s Local Miscreants

• They sniff passwords in our labs
• Use our dialup pool for free access
• Break into military and government sites
• No major dialup activity since then (apart from "usual" spam, viruses...)
• The OSU "review" software

Page 24: 1997 - OSU Starts Scanning

• Started with SATAN
• Purchased ISS Internet Scanner in 1997
• Distributed to departments
• Run centrally

Page 25: 1998

• Netbus, backorifice
• First primitive DDOS tools

Page 26: 1999-07-04 - DDOS Attacks at OSU

• 250? Unix hosts compromised
• Incoming DOS takes us out for 6-8 hours
• 50 of the 250 used for outbound DOS, 6 more hours of downtime
• We start blocking hosts that are compromised

Page 27: 1999 - Malware

• TFN, Trinoo, Stacheldraht...
• Dsniff

Page 28: 1990's Security Tools

• tripwire
• cops
• ssh
• satan
• iss

Page 29: 2000

• OSU firewall project starts
• ILoveYou hits

Page 30: 2001

• Code Red
• NetStumbler
• War Driving

Page 31: 2003-01 - Slammer

• Patching becomes a "big deal"
• 10 minutes to infect most hosts
• 34 OSU computers infected
• Infection rates: 1.4m/hr inbound, 26.6m/hr outbound

Page 32: 2003-01 - Slammer

• We used ISS' scanslam to ID vulnerable computers
• We used Cisco netflow logs to ID infected computers
• Infected, vulnerable computers are blocked automatically
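
Slide 26 (blocking compromised hosts that were flooding outbound) and slide 32 (using NetFlow to identify Slammer-infected computers and block them automatically) describe the same loop: flow records in, block list out. The following is an added example, not OSU's SCORE or IDB code and not flow-tools output: it parses a constructed whitespace-delimited flow export (src, sport, dst, dport, proto, packets, octets), flags hosts that send UDP/1434 probes to many distinct destinations and hosts that pour many flows at a single destination, and turns the internal ones into a block list. The 10/8 campus prefix, the thresholds, and every address are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    octets: int


def constructed_sample() -> str:
    """Constructed flow export, not real OSU data: one internal worm-style
    scanner, one ordinary web client, one outbound flooder, one outside scanner."""
    lines = ["# src sport dst dport proto packets octets"]
    for i in range(40):   # 10.1.2.3 sends one UDP/1434 packet to 40 different hosts
        lines.append(f"10.1.2.3 {1025 + i} 192.0.2.{i + 1} 1434 17 1 404")
    for i in range(5):    # 10.1.2.4 just browses the web
        lines.append(f"10.1.2.4 {40000 + i} 198.51.100.1 80 6 12 5400")
    for i in range(60):   # 10.9.9.9 aims 60 flows at one victim
        lines.append(f"10.9.9.9 {5000 + i} 203.0.113.5 53 17 200 100000")
    for i in range(25):   # an outside host probes our address space for 1434
        lines.append(f"198.51.100.7 {2000 + i} 10.1.3.{i + 1} 1434 17 1 404")
    return "\n".join(lines)


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, octs = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), int(proto), int(pkts), int(octs)))
    return flows


def find_slammer_scanners(flows: List[Flow], min_targets: int = 20) -> List[str]:
    """Sources that hit UDP/1434 on at least min_targets distinct destinations.
    A worm sprays single packets at many hosts; a real SQL client talks to a few."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == 17 and f.dport == 1434:
            targets[f.src].add(f.dst)
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def find_flooders(flows: List[Flow], min_flows: int = 50) -> List[str]:
    """Sources with at least min_flows flows to one destination (outbound DoS)."""
    per_pair: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        per_pair[(f.src, f.dst)] += 1
    return sorted({src for (src, _dst), n in per_pair.items() if n >= min_flows})


def build_block_list(flows: List[Flow], campus_prefix: str = "10.") -> List[str]:
    """Internal hosts to cut off; outside sources are the border filter's problem."""
    suspects = set(find_slammer_scanners(flows)) | set(find_flooders(flows))
    return sorted(h for h in suspects if h.startswith(campus_prefix))


if __name__ == "__main__":
    flows = parse_flows(constructed_sample())
    print("1434 scanners:", find_slammer_scanners(flows))
    print("flooders:     ", find_flooders(flows))
    print("block list:   ", build_block_list(flows))
```

The distinct-destination count is what separates an infected host from a busy one: the web client on 10.1.2.4 opens many flows but to one server, and a legitimate SQL Server client would show the same shape. Pairing this with the vulnerability scan on slide 32 ("infected, vulnerable") keeps the automatic block from firing on a flow artefact alone.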

Page 33: 2003-06 - Adware and Spyware

• Largely ignored (by us) until then
• Finally receiving attention now
• Commercial products
• Media attention

Page 34: 2003-08 - Blaster

• Hard on the heels of password guessing attacks
• Many systems had been tightened down already
• More blocking of vulnerable, infected computers
• More incentive to patch things

Page 35: 2004-02 - Bagle, MyDoom, Netsky

• Lots of email!
• Many, many variants
• Bounce email is almost as bad as the virus email

Page 36: 2004 - Full Circle

• Intruders sniffing, cracking passwords
• Local exploits to gain root, set up shop
• By hand - little/no automation

Page 37: Things That Haven't Changed

• Bugs, design flaws in software
• The full-disclosure debate
• Default installs are insecure

Page 38: Things That Are Better

• More incident response teams, abuse contacts
• Vendors seem responsive, sort of, after the fact

Page 39: Things That Are Worse

Page 40: Increasing Amounts

Year    Amount
1994         2
1995        11
1996       102
1997       308
1998       348
...        ...
2002      1145
2003  786/4039

Page 41: Increased Automation

• Easy for them to infect 100's of thousands of hosts
• 200,000 hosts picking up agobot from OSU in 3 days...
• On the other hand, we’re more automated also

Page 42: Increasing Sophistication

• Better rootkits (HackerDefender)
• Encryption
• Agobot

Page 43: Increasing Variations

• Agobot - hard to analyze them all

Page 44: Increased Economic Incentives

• Botnets for spam
• Industrial espionage
• Identity theft
• Extortion

Page 45: Stakes Are Higher

• Internet isn't just a "cool toy" any more
• Our y2k survival plan: use paper
• In 2004, the paper doesn't exist

Page 46: Challenges

• 10,000+ user-owned machines
• Network registration, vetting, self-remediation
• Remote access and reusable passwords

Page 47: Some Key Tools

• SCORE - our host information database
• SITAR - incident tracking
• IDB - intrusion detection
• Cisco NetFlow logs, flow-tools software
• Nmap, ISS, other scanners
• Snort

Page 48: References

• http://securitydigest.org
• http://www.net.ohio-state.edu/security/talks.shtml