0
The Security Economy James Hamilton Microsoft SQL Server Architect http://research.microsoft.com/~JamesRH [email_address] ...
Agenda <ul><li>Threat environment is worsening rapidly </li></ul><ul><li>Capitalism in play </li></ul><ul><ul><li>Personal...
Threat: Cracking not new Phenomena <ul><li>1981: Kevin Mitnick (Condor) cracks LA School System & PacBell </li></ul><ul><u...
Incidents Reported Industry-wide <ul><li>CERT/CC incident statistics 1988 through 2003 </li></ul><ul><li>Incident : single...
1 st  Gen: Fun and fame <ul><li>A new frontier for experimentation & learning </li></ul><ul><li>Many of the same folks who...
DB Attack: Data Thief  <ul><li>Cesar Cerrudo author </li></ul><ul><li>Originally produced as an SQL Injection Demonstratio...
2 nd  Gen: Revenue models emerge <ul><li>Selling bugs </li></ul><ul><ul><li>Vender provided bounties: Qmail  http:// cr.yp...
3 rd  Gen: Resources for hire <ul><li>Systems lying dormant waiting to be needed </li></ul><ul><ul><li>No indication they ...
3 rd  Gen: Resources for hire  (cont…) <ul><li>Mega-virus/worms most dangerous new trend </li></ul><ul><ul><li>Aggregate l...
Phatbot Feature List <ul><li>Polymorph on install to evade antivirus signatures as it spreads from system to system  </li>...
Phatbot Command Set <ul><li>bot.command   runs a command with system() </li></ul><ul><li>bot.unsecure  enable shares / ena...
What can be done? <ul><li>No single defense effective </li></ul><ul><li>Secure by default: </li></ul><ul><ul><li>Default f...
Microsoft
Upcoming SlideShare
Loading in...5
×

.ppt

2,140

Published on

1 Comment
0 Likes
Statistics
Notes
  • Try http://midphasehosting.blogspot.com for a good hosting
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Be the first to like this

No Downloads
Views
Total Views
2,140
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
1
Likes
0
Embeds 0
No embeds

No notes for slide
  • Year ‘88 &apos;89 &apos;90 &apos;91 &apos;92 &apos;93 &apos;94 &apos;95 &apos;96 &apos;97 &apos;98 &apos;99 &apos;00 ‘01 &apos;02 ’03 (Q1 and Q2) Incidents 6 132 252 406 773 1334 2340 2412 2573 2134 3734 9859 21756 52658 82094 76404 A vulnerability is a weakness that a person can exploit to accomplish something that is not authorized or intended as legitimate use of a network or system. When a vulnerability is exploited to compromise the security of systems or information on those systems, the result is a security incident. Vulnerabilities may be caused by engineering or design errors, or faulty implementation. In 1988, the ARPANET had its first automated network security incident, usually referred to as &amp;quot;the Morris worm&amp;quot;. A student at Cornell University (Ithaca, NY), Robert T. Morris, wrote a program that would connect to another computer, find and use one of several vulnerabilities to copy itself to that second computer, and begin to run the copy of itself at the new location. Both the original code and the copy would then repeat these actions in an infinite loop to other computers on the ARPANET. The Morris worm prompted the Defense Advanced Research Projects Agency (DARPA, the new name for ARPA) to fund a computer emergency response team , now the CERT® Coordination Center, to give experts a central point for coordinating responses to network emergencies Incident: activity that violates an explicit or implicit security policy
  • Transcript of ".ppt"

    1. 1. The Security Economy James Hamilton Microsoft SQL Server Architect http://research.microsoft.com/~JamesRH [email_address] 2004.06.17
    2. 2. Agenda <ul><li>Threat environment is worsening rapidly </li></ul><ul><li>Capitalism in play </li></ul><ul><ul><li>Personal/Financial advantage drives innovation </li></ul></ul><ul><li>The security Economy </li></ul><ul><ul><li>1 st Gen: Fun and fame </li></ul></ul><ul><ul><li>2 nd Gen: Revenue models emerge </li></ul></ul><ul><ul><li>3 rd Gen: Resources for hire </li></ul></ul><ul><li>What can be done? </li></ul>
    3. 3. Threat: Cracking not new Phenomena <ul><li>1981: Kevin Mitnick (Condor) cracks LA School System & PacBell </li></ul><ul><ul><li>steals passwords </li></ul></ul><ul><li>1992: 414 Gang cracks Los Alamos & cancer center </li></ul><ul><li>1983: Mitnick (Condor) cracks Pentagon Computers </li></ul><ul><li>1984: Kevin Poulsen (Dark Dante) cracks into ARPAnet </li></ul><ul><li>1986: Pakistani Brain virus – 1 st malicious virus </li></ul><ul><li>1996: Chaos Computing Club hacks LBL </li></ul><ul><li>1987: Jerusalem Virus – 1 st infecting files </li></ul><ul><li>1988: Robert Morris releases 1 st internet worm </li></ul><ul><ul><li>Sendmail buffer overrun -- over 6,000 systems infected </li></ul></ul><ul><li>1988: Mitnick cracks MCI DECnet </li></ul><ul><ul><li>Steals VMS source code </li></ul></ul><ul><li>1989: Fry Guy cracks McDonalds </li></ul><ul><ul><li>Credit cards and $6,000 in cash and product </li></ul></ul><ul><li>1991: Michelangelo virus </li></ul><ul><li>1991: Justin Petersen (Agent Steal) cracks bank computer & transfers funds </li></ul><ul><li>1992: Morty Rosenfeld (Storm Shadow) cracks TRW </li></ul><ul><ul><li>Credit card reports and numbers </li></ul></ul><ul><li>1994 Richard Pryce (DataStream Cowbow) cracks USAF Rome Lab,… </li></ul><ul><li>1994: Vladimir Levin cracks CitBank network </li></ul><ul><li>Source: Bill Wall, Harris computer Corp </li></ul>
    4. 4. Incidents Reported Industry-wide <ul><li>CERT/CC incident statistics 1988 through 2003 </li></ul><ul><li>Incident : single security issue grouping together all impacts of that that issue </li></ul><ul><li>Issue : disruption, DOS, loss of data, misuse, damage, loss of confidentiality </li></ul>Source: http://www.cert.org/stats/cert_stats.html
    5. 5. 1 st Gen: Fun and fame <ul><li>A new frontier for experimentation & learning </li></ul><ul><li>Many of the same folks who phone phreaked when inband signaling was still employed </li></ul><ul><li>Mostly non-destructive experimentation </li></ul><ul><li>Community learning & sharing </li></ul><ul><ul><li>Trade ideas & methods at security focused conferences </li></ul></ul><ul><ul><ul><li>e.g. Blackhat http:// www.blackhat.com / </li></ul></ul></ul><ul><ul><li>Building on the ideas of others </li></ul></ul><ul><ul><ul><li>Phrack ezine: http:// www.phrack.org/show.php?p =49&a=14 </li></ul></ul></ul><ul><ul><ul><li>29A: http://29a.host.sk/ </li></ul></ul></ul><ul><ul><li>Not all work from first principles </li></ul></ul><ul><ul><ul><li>Baseless loaders </li></ul></ul></ul><ul><ul><ul><li>Encryption & morphing engines </li></ul></ul></ul><ul><li>Fun but clearly not a viable business </li></ul>
    6. 6. DB Attack: Data Thief <ul><li>Cesar Cerrudo author </li></ul><ul><li>Originally produced as an SQL Injection Demonstration </li></ul><ul><li>UI driven: </li></ul><ul><ul><li>use local database to store stolen data </li></ul></ul><ul><ul><li>You select target web page </li></ul></ul><ul><li>Displays a menu of all tables available in database in UI </li></ul><ul><li>Transfers contents of selected tables to local database </li></ul><ul><li>No programming or IQ required </li></ul><ul><li>Download: http://www.appsecinc.com/resources/freetools/ </li></ul>
    7. 7. 2 nd Gen: Revenue models emerge <ul><li>Selling bugs </li></ul><ul><ul><li>Vender provided bounties: Qmail http:// cr.yp.to/qmail/guarantee.html </li></ul></ul><ul><ul><li>Third Party: IDefense http:// idefense.com/poi/teams/vcp.jsp?flashstatus =true </li></ul></ul><ul><li>Professional services feedback loop </li></ul><ul><ul><ul><li>Problem exists so opportunity for security services </li></ul></ul></ul><ul><ul><ul><li>When not billing time, crack products </li></ul></ul></ul><ul><ul><ul><li>Establish both the problem & credibility </li></ul></ul></ul><ul><ul><ul><li>More spent in patch application & more concern about security </li></ul></ul></ul><ul><ul><ul><li>More opportunity for security services </li></ul></ul></ul><ul><li>New opportunity for 1 st gen fun and fame folks </li></ul><ul><ul><li>Get known & join security services shop </li></ul></ul><ul><li>Separation of virus creation from distribution </li></ul><ul><ul><li>Posted to web sites (research & freedom of speech defense) </li></ul></ul>
    8. 8. 3 rd Gen: Resources for hire <ul><li>Systems lying dormant waiting to be needed </li></ul><ul><ul><li>No indication they are infected </li></ul></ul><ul><li>Theft of assets: </li></ul><ul><ul><li>AOL PW, Paypal PW, credit card numbers, game and S/W keys, etc. </li></ul></ul><ul><li>Zombies bot-nets: </li></ul><ul><ul><li>Spam distribution </li></ul></ul><ul><ul><ul><li>http://news.com.com/Mounties+charge+teenage+virus+suspect/2100-7349_3-5221785.html?tag= cd.top </li></ul></ul></ul><ul><ul><li>Copywrite or illegal media distribution </li></ul></ul><ul><ul><li>DDos attacks </li></ul></ul><ul><ul><li>Anonymous or difficult to track actions </li></ul></ul><ul><ul><li>Zombie systems for sale </li></ul></ul><ul><ul><ul><li>http://www.theregister.co.uk/2004/04/30/spam_biz </li></ul></ul></ul><ul><ul><ul><li>20 cents each: $500/10,000 http://www.theregister.com/2004/05/12/phatbot_zombie_trade/ </li></ul></ul></ul>
    9. 9. 3 rd Gen: Resources for hire (cont…) <ul><li>Mega-virus/worms most dangerous new trend </li></ul><ul><ul><li>Aggregate large number of already found attacks into a single virus/worm </li></ul></ul><ul><li>Polymorphic </li></ul><ul><ul><li>Attempt to evade signature searching </li></ul></ul><ul><li>Disable anti-virus </li></ul><ul><ul><li>Could even simulate AV running (no known examples) </li></ul></ul><ul><ul><li>Consolidation in AV market would make this easier </li></ul></ul><ul><li>Disable competition for resources & control </li></ul><ul><ul><li>Remove other viruses, worms & bots </li></ul></ul><ul><li>P2P command & control </li></ul><ul><ul><li>Phatbot first to go P2P rather than IRC </li></ul></ul><ul><ul><ul><li>WASTE provides an (optionally) encrypted P2P channel http://waste.sourceforge.net/ </li></ul></ul></ul><ul><ul><li>Phatbot uses Gnutella as directory service </li></ul></ul><ul><li>Infected systems can be efficiently found & controlled and therefore have value </li></ul>
    10. 10. Phatbot Feature List <ul><li>Polymorph on install to evade antivirus signatures as it spreads from system to system </li></ul><ul><li>Checks to see if it is allowed to send mail to AOL, for spamming purposes </li></ul><ul><li>Can steal Windows Product Keys </li></ul><ul><li>Can run an IDENT server on demand </li></ul><ul><li>Starts an FTP server to deliver the trojan binary to exploited hosts </li></ul><ul><li>Can run a socks, HTTP or HTTPS proxy on demand </li></ul><ul><li>Can start a redirection service for GRE or TCP protocols </li></ul><ul><li>Can scan for and use the following exploits to spread itself to new victims: </li></ul><ul><ul><li>DCOM, DCOM2, MyDoom backdoor, DameWare, Locator Service, weak pw Shares, WebDav </li></ul></ul><ul><li>WKS - Windows Workstation Service </li></ul><ul><li>Newer versions of Agobot and Phatbot have added scanner modules for: </li></ul><ul><ul><li>Bagle virus backdoor, CPanel resetpass vulnerability, UPnP vulnerability, Weak SQL admin PW </li></ul></ul><ul><li>Attempts to kill instances of MSBlast, Welchia and Sobig.F </li></ul><ul><li>Sniffs IRC network traffic looking for logins to other botnets & IRC operator passwords </li></ul><ul><li>Can sniff FTP network traffic for usernames and passwords </li></ul><ul><li>Can sniff HTTP network traffic for Paypal cookies </li></ul><ul><li>Contains a list of nearly 600 processes to kill if found on an infected system. </li></ul><ul><ul><li>Antivirus software, others are competing viruses/trojans </li></ul></ul><ul><li>Tests available bandwidth by posting large amounts of data to the following websites: </li></ul><ul><ul><li>www.st.lib.keio.ac.jp , www.lib.nthu.edu.tw , www.stanford.edu , www.xo.net , …. </li></ul></ul><ul><li>Can steal AOL account logins and passwords </li></ul><ul><li>Can steal CD Keys for several popular games </li></ul><ul><li>Can harvest emails from the web for spam purposes </li></ul><ul><li>Can harvest emails from the local system for spam purposes </li></ul>Source: http://www.lurhq.com/phatbot.html
    11. 11. Phatbot Command Set <ul><li>bot.command runs a command with system() </li></ul><ul><li>bot.unsecure enable shares / enable dcom </li></ul><ul><li>bot.secure delete shares / disable dcom </li></ul><ul><li>bot.flushdns flushes the bots dns cache </li></ul><ul><li>bot.quit quits the bot </li></ul><ul><li>bot.longuptime If uptime > 7 days then bot will respond </li></ul><ul><li>bot.sysinfo displays the system info </li></ul><ul><li>bot.status gives status </li></ul><ul><li>bot.rndnick makes the bot generate a new random nick </li></ul><ul><li>bot.removeallbut removes the bot if id does not match </li></ul><ul><li>bot.remove removes the bot </li></ul><ul><li>bot.open opens a file (whatever) </li></ul><ul><li>bot.nick changes the nickname of the bot </li></ul><ul><li>bot.id displays the id of the current code </li></ul><ul><li>bot.execute makes the bot execute a .exe </li></ul><ul><li>bot.dns resolves ip/hostname by dns </li></ul><ul><li>bot.die terminates the bot </li></ul><ul><li>bot.about displays the info the author wants you to see </li></ul><ul><li>shell.disable Disable shell handler </li></ul><ul><li>shell.enable Enable shell handler </li></ul><ul><li>shell.handler FallBack handler for shell </li></ul><ul><li>commands.list Lists all available commands </li></ul><ul><li>plugin.unload unloads a plugin (not supported yet) </li></ul><ul><li>plugin.load loads a plugin </li></ul><ul><li>cvar.saveconfig saves config to a file </li></ul><ul><li>cvar.loadconfig loads config from a file </li></ul><ul><li>cvar.set sets the content of a cvar </li></ul><ul><li>cvar.get gets the content of a cvar </li></ul><ul><li>cvar.list prints a list of all cvars </li></ul><ul><li>inst.svcdel deletes a service from scm </li></ul><ul><li>inst.svcadd adds a service to scm </li></ul><ul><li>inst.asdel deletes an autostart entry </li></ul><ul><li>inst.asadd adds an autostart entry </li></ul><ul><li>logic.ifuptime exec command if uptime is bigger than X </li></ul><ul><li>mac.login logs the user in </li></ul><ul><li>mac.logout logs the user out </li></ul><ul><li>ftp.update executes a file from a ftp url </li></ul><ul><li>ftp.execute updates the bot from a ftp url </li></ul><ul><li>ftp.download downloads a file from ftp </li></ul><ul><li>http.visit visits an url with a specified referrer </li></ul><ul><li>http.update executes a file from a http url </li></ul><ul><li>http.execute updates the bot from a http url </li></ul><ul><li>http.download downloads a file from http </li></ul><ul><li>rsl.logoff logs the user off </li></ul><ul><li>rsl.shutdown shuts the computer down </li></ul><ul><li>rsl.reboot reboots the computer </li></ul><ul><li>pctrl.kill kills a process </li></ul><ul><li>pctrl.list lists all processes </li></ul><ul><li>scan.stop signal stop to child threads </li></ul><ul><li>scan.start signal start to child threads </li></ul><ul><li>scan.disable disables a scanner module </li></ul><ul><li>scan.enable enables a scanner module </li></ul><ul><li>scan.clearnetranges clears all netranges registered </li></ul><ul><li>scan.resetnetranges resets netranges to the localhost </li></ul><ul><li>scan.listnetranges lists all netranges registered </li></ul><ul><li>scan.delnetrange deletes a netrange from the scanner </li></ul><ul><li>scan.addnetrange adds a netrange to the scanner </li></ul><ul><li>ddos.phatwonk starts phatwonk flood </li></ul><ul><li>ddos.phaticmp starts phaticmp flood </li></ul><ul><li>ddos.phatsyn starts phatsyn flood </li></ul><ul><li>ddos.stop stops all floods </li></ul><ul><li>ddos.httpflood starts a HTTP flood </li></ul><ul><li>ddos.synflood starts an SYN flood </li></ul><ul><li>ddos.udpflood starts a UDP flood </li></ul><ul><li>redirect.stop stops all redirects running </li></ul><ul><li>redirect.socks starts a socks4 proxy </li></ul><ul><li>redirect.https starts a https proxy </li></ul><ul><li>redirect.http starts a http proxy </li></ul><ul><li>redirect.gre starts a gre redirect </li></ul><ul><li>redirect.tcp starts a tcp port redirect </li></ul><ul><li>harvest.aol makes the bot get aol stuff </li></ul><ul><li>harvest.cdkeys makes the bot get a list of cdkeys </li></ul><ul><li>harvest.emailshttp makes the bot get a list of emails via http </li></ul><ul><li>harvest.emails makes the bot get a list of emails </li></ul><ul><li>waste.server changes the server the bot connects to </li></ul><ul><li>waste.reconnect reconnects to the server </li></ul><ul><li>waste.raw sends a raw message to the waste server </li></ul><ul><li>waste.quit disconnect waste </li></ul><ul><li>waste.privmsg sends a privmsg </li></ul><ul><li>waste.part makes the bot part a channel </li></ul><ul><li>waste.netinfo prints netinfo </li></ul><ul><li>waste.mode lets the bot perform a mode change </li></ul><ul><li>waste.join makes the bot join a channel </li></ul><ul><li>waste.gethost prints netinfo when host matches </li></ul><ul><li>waste.getedu prints netinfo when the bot is .edu </li></ul><ul><li>waste.action lets the bot perform an action </li></ul><ul><li>waste.disconnect disconnects the bot from waste </li></ul>Source: http://www.lurhq.com/phatbot.html
    12. 12. What can be done? <ul><li>No single defense effective </li></ul><ul><li>Secure by default: </li></ul><ul><ul><li>Default features secure </li></ul></ul><ul><ul><li>If less than 80% use, then off-by-default </li></ul></ul><ul><li>Security focused design & development process </li></ul><ul><ul><li>Simple security features </li></ul></ul><ul><ul><li>Threat models, targeted testing, attack teams, accountable code reviews, security audit, … </li></ul></ul><ul><li>Fundamental architectural change: </li></ul><ul><ul><li>More redundancy, many layers of defense, rigidly enforced fault containment domains, restartable components, low trust between components, limited communications allowed between components, limited communications external to components… </li></ul></ul><ul><li>Innovative security focused tools </li></ul><ul><ul><li>/GS, /SafeEH, NX (no execute), .. </li></ul></ul><ul><ul><li>Static analysis with source annotations & more constrained prog langs </li></ul></ul><ul><ul><li>Statistical attack detection with auto defense </li></ul></ul><ul><li>Tight feedback loop </li></ul><ul><ul><li>Customers system state sent “home” (with approval) </li></ul></ul><ul><ul><li>Auto-patching & configuration checkers </li></ul></ul><ul><ul><li>Black hat forums & other sources constantly monitored </li></ul></ul><ul><li>Security Communications: </li></ul><ul><ul><li>Customer education </li></ul></ul>
    13. 13. Microsoft
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×