Security Basics Seminar Agenda
Start Time – Title – Presenter
8:30 AM – Introduction – Hugh Thompson
8:45 AM – Security Industry and Trends – Hugh Thompson
9:30 AM – Viruses, Malware and Threats – Uri Rivner
10:15 AM – Break
10:30 AM – Governance, Risk and Compliance – Justin Peavey
11:15 AM – Application Security – Jason Rouse
12:00 PM – Break
1:15 PM – Crypto 101/Encryption Basics, SSL & Certificates – Ben Jun
2:00 PM – Mobile and Network Security – Paul Youn, Marc Blanchou
2:45 PM – Break
3:00 PM – Authentication Technologies – Bill Duane
3:45 PM – Firewalls and Perimeter Protection – Bill Cheswick
4:30 PM – Seminar Adjourns
Session ID: SEM-001
Session Classification: Introductory
Introduction and a Look at Security Trends
Hugh Thompson, Ph.D.
Program Committee Chairman, RSA Conference
Twitter: @DrHughThompson
Agenda
Intro to Information Security
Security Trends
Business of Information Security
www.plateaueffect.com
Background
Intro to Information Security
Hacking a soda machine… (coin comparison from the slide: Bahamas 10¢ vs US 25¢)
Value: US $0.10 vs US $0.25
Size: 23.5 mm vs 24.26 mm
Weight: 5.7 g vs 5.67 g
Composition: Nickel vs Cupro-Nickel
The Shifting IT Environment (…or why security has become so important)
Shift: Compliance and Consequences
► The business has to adhere to regulations, guidelines, standards, …
► SAS 112 and SOX (U.S.) – have upped the ante on financial audits (and supporting IT systems)
► PCI DSS – requirements on companies that process payment cards
► HIPAA, GLBA, BASEL II, …, many more
► Audits are changing the economics of risk and create an “impending event”
Hackers may attack you but auditors will show up
► Disclosure laws mean that the consequences of failure have increased
► Waves of disclosure legislation
Shift: Technology
• System communication is fundamentally changing – many transactions occur over the web
• Network defenses are covering a shrinking portion of the attack surface
• Cloud is changing our notion of a perimeter
• Worker mobility is redefining the IT landscape
• The security model has changed from good people vs. bad people to enabling partial trust
– There are more “levels” of access: extranets, partner access, customer access, identity management, …
► Cyber criminals are becoming organized and profit-driven
► An entire underground economy exists to support cybercrime
► Attackers are shifting their methods to exploit both technical and human weaknesses
► Attackers are after much more than traditional monetizable data (PII, etc.)
► Hacktivism
► State-sponsored attacks
► IP attacks/breaches
Shift: Attackers
Shift: Customer expectations
► Customers, especially businesses, are starting to use security as a discriminator
► In many ways security has become a non-negotiable expectation of businesses
► Banks, photocopiers, pens, etc. are being sold based on security…
► Security is being woven into service level agreements (SLAs)
Big Questions
► How do you communicate the value of security to the enterprise (and management)?
► How do you measure security?
► How do you rank risks?
► How do you reconcile security and compliance?
► How can you be proactive and not reactive?
► What does “security” mean? Where does our job begin and end?
► What about big issues in the news like APTs, hacktivism, leaks, DDoS attacks, …? How should/can we adapt what we do based on them?
The Economics of Security
Hackernomics (noun)
A social science concerned chiefly with description and analysis of attacker motivations, economics, and business risk.
Characterized by 5 fundamental immutable laws and 4 corollaries
Law 1
Most attackers aren’t evil or insane; they just want something
Corollary 1.a.: We don’t have the budget to protect against evil people, but we can protect against people that will look for weaker targets
Law 2
Security isn’t about security. It’s about mitigating risk at some cost.
Corollary 2.a.: In the absence of metrics, we tend to over-focus on risks that are either familiar or recent.
Law 3
Most costly breaches come from simple failures, not from attacker ingenuity
Corollary 3.a.: Bad guys can, however, be VERY creative if properly incentivized.
Law 4
In the absence of security education or experience, people (employees, users, customers, …) naturally make poor security decisions with technology
Corollary 4.a.: Systems need to be easy to use securely and difficult to use insecurely
Law 5
Attackers usually don’t get in by cracking some impenetrable security control; they look for weak points like trusting employees
A Visual Journey of Security Trends (image slides for 2008, 2009, 2010, 2011, 2012 and 2013)
Enjoy the rest of the conference!!
Session ID: SEM-001
Session Classification: General Interest
Uri Rivner | Head of Cyber Strategy, BioCatch
Advanced Cyber Threats
Join the Dark Economy
Fraud Eco System (diagram)
Harvesting fraudster – technical infrastructure: tools, hosting, delivery
Cash-out fraudster – operational infrastructure: mules, drops, monetizing
Communication between them: fraud forum / chat room, user account, gaining credibility
Crimeware you can Afford
Sinowal (proprietary) – launched 2006
Your Online Banking Password… And then some more.
Drive By Download still strong
Social Network Infection
Infection Services Are Your Friends
2.3 Cents per Hijacked PC
Seeing is Believing
ZeusiLeaks
Zeus 2.0 – most popular Trojan kit ($3,000)
Zeus 2.0 features: polymorphism, HTML injections, MITB (man-in-the-browser) capability, documentation, customer support
Trojan Infrastructure: infection / update server, drop zone, command & control
Personal/Work Mix
The Executive Assistant
Foreign space agency
Particle Accelerator
The Treasurer
Laser Focused Trojans
Lost your Carbon? NimKey Trojan
Nimkey Command & Control
Amounts shown on the slides: €23,000,000, €18,700,000, €7,000,000
Humans can’t be Patched
Advanced Persistent Threats
See anything in common?
Attack | Targets | Entry vector | Going after
Ghostnet | Ministries, embassies, Office of the Dalai Lama | Spear phishing | Sensitive documents
Aurora | 34 companies: Google, Adobe, defense, internet, financial, critical infrastructure | Spear phishing | Intellectual property
Night Dragon | Critical infrastructure | Spear phishing | Intellectual property
94% of attacks undetected by target
Advanced Persistent Threats
What’s New here?
1980‐2010
2010‐2020
New Defense Doctrine
Fighting Advanced Threats: Key Requirements – Resistance, Detection, Investigation, Intelligence
Q&A
Got any questions? Send me a LinkedIn invitation (Uri Rivner)
Session ID: SEM-001
Governance, Risk, and Compliance
Justin S. Peavey, Omgeo
Introductions
Justin Peavey
SVP, Information Systems & Security, CISO
Omgeo, LLC
justin.peavey@omgeo.com
Agenda
What is GRC?
How to Get Started
Recommendations
What is GRC?
GRC Defined (Governance, Risk, Compliance)
Governance is the culture, policies,
processes, laws, and institutions that
define the structure by which
companies are directed and managed.
Compliance is the act of adhering to,
and demonstrating adherence to,
external laws and regulations as well
as corporate policies and
procedures.
Risk is the effect of uncertainty on
business objectives; risk management
is the coordinated activities to direct
and control an organization to realize
opportunities while managing
negative events.
What is driving GRC (diagram): security standards, regulatory requirements, risk management practices, ethical and financial standards, new technologies, transparency and accountability demands, demonstration of controls
Views of GRC
• GRC has traditionally been viewed as the structure and actions in place to avoid negative consequences:
– Regulatory fines
– Costs/reputation loss due to security breach
– Costs associated with inefficiencies in operations
– Ethical or financial scandals
• Increasingly, GRC is being viewed as fundamental to complex business operations
– Complex, multi-national legal and regulatory landscape
– Major highly-impactful events increasing the consequences
Tangent: Why Regulation?
• Regulation is “controlling human or societal behavior by rules or restrictions”1
– Regulation attempts to produce outcomes, or prevent outcomes, which otherwise might not occur in the desired manner.
• Schneier on Regulation2: “[it] is all about economics”
– In a capitalist system, companies make decisions in their own self-interest. Normally this is a good thing, but some effects of those decisions, externalities, are not borne by the companies.
– Regulation and liability force the externalities to be part of the self-interest of the company and become included factors in the decision making.
• Principle-based vs. rules-based regulation
– Principle-based is less prescriptive and generally weathers time better. It also generally leaves more room for interpretation by both you and the regulators.
– Rules-based is more prescriptive and therefore generally more straightforward to ‘pass’, but the rules can quickly become dated as new approaches emerge and the goal of the regulation can easily be lost sight of.
• Key: Regulation is all about achieving a specific set of goals; understand what that goal is and demonstrate to the regulator how your program achieves it.
1. Bert-Jaap Koops et al., Starting Points for ICT Regulations: Deconstructing Prevalent Policy One-liners, Cambridge University Press, Cambridge, 2006, p. 81
2. Bruce Schneier, “Do Federal Security Regulations Help?”
How to Get Started?
Getting Started (from within your security program)
• Acknowledge that Information Security is a Risk Management discipline
• Acknowledge that fundamentally, you and auditors are trying to achieve similar goals
• If you don’t already, begin integrating Risk Management processes into security operations
Information Security Risk Management (image available at: www.ossie-group.org)
Developing a GRC Corporate Strategy: The Strategy Roadmap
ANALYZE – Identify process dependencies, complexity and priority
DISCOVER – Conduct interviews and document GRC processes
PLAN – Determine the project vision, goals, scope and stakeholders
ARCHITECT – Define a GRC solution architecture based on process analysis
PUBLISH – Deliver the strategy roadmap document and application
SCHEDULE – Define the project approach, timeline and resources
GRC Roadmap (yikes!) (diagram: Phases 1 through 5)
Recommendations
• Identify areas, high-sensitivity areas and assets to start with (examples):
– Information Security: applications, sites, key functions
– Vendor Management: high dependency, high risk, high cost
– Regulatory & Legal Compliance
– Finance/Ethics
• Establish a baseline of expected activities/controls to measure from and assess risk
• Refine your assessment models from real data; focus on qualitative, not quantitative, analysis. The goal should be to prioritize the most significant risks and the most valuable actions.
• Identify actionable or indicative information. Establish metrics/dashboards and a vehicle for getting them reviewed
• As your process stabilizes, look at eGRC options that may map well to your company’s needs.
Session ID: SEM-001
Session Classification: Beginner
Jason Rouse, Bloomberg LP
INTRODUCTION TO SOFTWARE SECURITY
AGENDA
► INTRODUCTION
► WHO CARES
► WAYS AHEAD
► APPLYING YOUR KNOWLEDGE
INTRODUCTION
QUICK QUESTION
► What do wireless devices, cell phones, PDAs, browsers, routers, operating systems, servers, personal computers, public key infrastructure systems, smart meters, watches, televisions, stereos, and firewalls have in common?
Software
QUICK QUESTION #2
MAGIC CRYPTO FAIRY DUST
“Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions (unregulated gambling, undetectable authentication, anonymous cash) safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’
It’s just not true. Cryptography can’t do any of that.”
-- Bruce Schneier
SECURITY = NON-FUNCTIONAL GOALS
► Prevention
► Traceability and auditing
► Monitoring
► Privacy and confidentiality
► Multi-level security
► Anonymity
► Authentication
► Integrity
► A very good basic book is Schneier’s “Secrets and Lies”
SOFTWARE SECURITY IS HARD
► Complexity never, ever goes down: libraries, languages, compilers, interpreters, scripts, hacks
► Users must not be involved in hard choices
► Who truly envisioned this? Organic growth, interdependence
WHO HAS ONE OF THESE?
MODERN SECURITY IS RISK
(chart: as the security level goes from 0% to 100%, the cost of mitigation rises and the cost of breaches falls; total cost is lowest at an optimal security level between the two extremes)
► There is no such thing as 100% secure
► Must make tradeoffs
► Should be BUSINESS DECISIONS
► Proactive security is about building things right
► Security is not a “function”
► It’s all about SOFTWARE
► Most security problems are caused by software bugs and flaws
► We MUST build secure software
Who Cares?
WE CARE BECAUSE…
Software is business-critical and causes significant impact when it fails …
$59.5 billion – cost of software flaws and bugs – National Institute of Standards and Technology, 2004
$100M – $200M – cost of a product recall – wireless device providers
Hundreds of thousands of mobile users infected with malware – Fortune 100, 2012
$500M in lost market value – Fortune 500 entertainment company
75% of all attacks occur at the application layer – Gartner
World-wide denial of service to cellular telephones – mobile network operator
Defects at Each Stage of Software Development (chart: percentage of defects introduced at requirements, design, coding, testing and maintenance; source: TRW)
Cost of Fixing Defects at Each Stage of Software Development (chart: cost per defect, $0 to $15,000, by the same stages; source: TRW)
WHERE DOES SECURITY GO?
Er… Castles…
► Perimeter security protects the LAN: network firewalls, intrusion detection (reactive)
► Host security protects the machine: patching (operating systems and applications) (operational)
► Software security protects ALL software: (S)SDLC – think about what this means for your organization! (constructive)
► Data security protects digital assets; it requires understanding of data AT REST, IN MOTION, and IN USE
NEVER FORGET THE INSIDE
Ways Ahead
EVERYBODY, EVERYWHERE
A Wee Demonstration…
Examining The Problem (The “Uh-Oh” Part)
EXAMINING the PROBLEM: PROGRAM INPUT
EXAMINING the PROBLEM: ERRORS and LOGGING
EXAMINING the PROBLEM: Auth & Auth (authentication and authorization)
Applying Your Knowledge
Keep these things in mind at all times!
INPUT VALIDATION IN THEORY
OUTPUT ENCODING
► Determine your output context
► Identify control characters
► Ensure output conforms to the proper format
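The three steps above, worked through in Python as an added example (this is not code from the seminar; the encoder names, the render_profile page fragment and the sample strings are constructed for illustration). Each encoder knows the control characters of one output context; the fragment shows why one "escape" function is not enough.

```python
"""Context-aware output encoding.  Added example, not code from the seminar.

The same untrusted string has to be encoded differently depending on where
it is written: HTML text, an HTML attribute value, a JavaScript string
literal, or a URL query parameter.  Each encoder neutralises the control
characters of its own context; render_profile (a constructed page fragment)
picks the encoder by context.
"""
import html
import json
import urllib.parse


def encode_html_text(value: str) -> str:
    """Text between tags: '<', '>', '&' and both quote characters become entities."""
    return html.escape(value, quote=True)


def encode_html_attribute(value: str) -> str:
    """Value of a double-quoted attribute; the template must supply the quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """A JavaScript string literal inside a <script> element.

    json.dumps escapes quotes, backslashes and control characters, but leaves
    '<' and '>' alone, so the HTML parser would still see "</script>" and end
    the element.  Those (and '&') are rewritten as \\uXXXX escapes, which the
    JS engine decodes and the HTML parser ignores.  U+2028/U+2029 are legal in
    JSON but line terminators in older JS engines, so they are escaped too.
    """
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026")
            .replace("\u2028", "\\u2028")
            .replace("\u2029", "\\u2029"))


def encode_url_param(value: str) -> str:
    """One query-string value: percent-encode everything except unreserved characters."""
    return urllib.parse.quote(value, safe="")


def render_profile(display_name: str, search_term: str) -> str:
    """Constructed page fragment that writes untrusted input into all four contexts."""
    return (
        f"<h1>{encode_html_text(display_name)}</h1>\n"
        f'<a href="/search?q={encode_url_param(search_term)}" '
        f'title="{encode_html_attribute(search_term)}">search again</a>\n'
        f"<script>var lastSearch = {encode_js_string(search_term)};</script>"
    )


if __name__ == "__main__":
    print(render_profile("Alice", "</script><script>alert(1)</script>"))
```

The important design point is that the encoder is chosen by where the value lands, not by where it came from: the same search term is percent-encoded in the href, entity-encoded in the title attribute and \u-escaped in the script block.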
ACTIONS: BOTTOM-UP
► A few relatively simple things can make a tangible difference and can help you get started with software security
► Within the next 3 months, you should:
► Begin to develop a resource set (e.g., portal)
► Start small with simple architecture risk analyses
► Target high-risk or high-profile applications
► Develop and socialize business-case justifications
► Make friends in low places!
► Leverage, if applicable, code scanning tools (where available)
► Never underestimate the power of simple tools
ACTIONS: TOP-DOWN
Aim for a 6-12 month journey:
► Chart out a strategic course of action to get where you want to be;
► Get help: have a gap analysis performed
► Make achievable, realistic milestones
► Think about measurements & metrics for success
► Use outside help as you need it
► Document, share, and learn from your experience!
Thank You!
Session ID: SEM-001
Benjamin Jun, VP and CTO, Cryptography Research Inc.
Crypto 101 / Encryption, SSL & Certificates
Slides adapted from: Ivan Ristic, Qualys (RSAC 2011)
Agenda
CRYPTOGRAPHY
VULNERABILITIES
SSL / TLS
CERTIFICATES
CRYPTOGRAPHY
What is Cryptography?
Cryptology splits into cryptography and cryptanalysis. Cryptography covers symmetric encryption (stream ciphers, block ciphers), asymmetric encryption, hash functions, digital signatures, and protocols.
Cryptography is the art and science of keeping messages secure.
What Does Secure Mean?
Always required:
► Confidentiality
► Integrity
► Authentication
► Non-repudiation
Other criteria:
► Interoperability
► Performance
Meet Alice and Bob
Good guys:
► Alice, Bob
Bad guys:
► Eve (passive, eavesdropper)
► Mallory, Oscar, Trudy (active, man in the middle)
How Does Encryption Work?
► Obfuscation that is fast when you know the secrets, but impossible or slow when you don’t.
► Computational security means that something cannot be broken with available resources, either now or in the future.
► Aspects of complexity: amount of data, processing power, memory capacity
Symmetric Encryption
Convenient and fast:
► Common algorithms: RC4, 3DES, AES
► Secret key must be agreed on in advance
► Group communication requires secure key distribution
► No authentication
Asymmetric Encryption
Asymmetric encryption uses two keys, one private and one public. The keys are related.
► RSA, Elliptic Curve, Diffie-Hellman key exchange, ElGamal encryption, and DSA. Also ECDH and ECDSA.
► Enables authentication and secure key exchange.
► Significantly slower than symmetric encryption.
Digital Signatures
Well-known algorithms:
► RSA
► Textbook approach – signing involves “encrypting” with the private key
► In practice, use a standard digest and padding method
► DSA, ECDSA
Random Number Generation
► Random numbers are at the heart of cryptography.
► Used for key generation
► Weak keys equal weak encryption
► Types of random number generators:
► True random number generators (TRNG) – truly random
► Pseudorandom number generators (PRNG) – look random
► Cryptographically secure pseudorandom number generators (CSPRNG) – look random and are unpredictable
Hash Functions
► Hash functions are lossy one-way transformations that output fixed-length data fingerprints. Usually used for:
► Digital signatures
► Integrity validation
► Tokenization (e.g., storing passwords)
► Desirable qualities of hash functions:
► Preimage resistance (one-wayness)
► Weak collision resistance (2nd preimage resistance)
► Strong collision resistance and the Birthday attack
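The cost gap between these three properties, as an added Python example (not from the seminar slides). SHA-256 truncated to a handful of bits stands in for a small ideal hash so that both searches finish in seconds; the message format and the 24-bit size are constructed for the demo.

```python
"""Hash-function properties by cost.  Added example, not code from the seminar.

SHA-256 truncated to a few bits stands in for a small ideal hash so the
searches finish in seconds.  The point is the cost gap: a second preimage
costs about 2**n tries for an n-bit hash, but any collision only about
sqrt(2**n) (the birthday bound), which is why a hash needs twice the bits
of the collision-resistance level you want.  Message format and the 24-bit
size are constructed for the demo.
"""
import hashlib
import math


def truncated_sha256(data: bytes, bits: int) -> int:
    """SHA-256 keeping only the top `bits` bits (a toy hash, not for real use)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def expected_tries(bits: int) -> dict:
    """Average work for each attack against an ideal hash of `bits` bits."""
    space = 2 ** bits
    return {
        "preimage": space,                            # hit one given output
        "second_preimage": space,                     # hit a given input's output
        "collision": math.sqrt(math.pi * space / 2),  # birthday bound
    }


def second_preimage_search(target: bytes, bits: int, limit: int):
    """Look for m != target with the same truncated hash; give up after `limit`.
    Returns (message or None, tries)."""
    want = truncated_sha256(target, bits)
    for i in range(limit):
        m = b"candidate-%d" % i
        if m != target and truncated_sha256(m, bits) == want:
            return m, i + 1
    return None, limit


def birthday_collision_search(bits: int):
    """Hash distinct messages until any two collide.  Returns (m1, m2, tries).
    The dictionary is the memory the birthday attack trades for time."""
    seen = {}
    i = 0
    while True:
        m = b"candidate-%d" % i
        h = truncated_sha256(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1


if __name__ == "__main__":
    bits = 24
    print("expected tries:", expected_tries(bits))
    m1, m2, tries = birthday_collision_search(bits)
    print(f"collision after {tries} tries: {m1!r} and {m2!r}")
    found, tries = second_preimage_search(b"candidate-0", bits, limit=2 ** 16)
    print(f"second preimage of candidate-0 after {tries} tries: {found!r}")
```

With 24 bits the collision search typically ends after a few thousand hashes, while the second-preimage search with the same budget almost always comes back empty: the attacker who can choose both messages (a collision) has a far easier job than one who must match a message that is already fixed.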
Protocols
► Communicating securely requires more effort than just putting the primitives together
(diagram: Alice computes a digest of the message and signs it with her private key; she encrypts the message, her certificate and the signature with a session key; she encrypts the session key with Bob’s public key; the encrypted session key and the encrypted message, certificate and signature are sent together)
VULNERABILITIES
Attacks on Cryptography
Cryptanalysis: classical cryptanalysis, mathematical analysis, brute-force attacks
Implementation attacks
Social engineering
Example: Brute Force (Cryptanalysis)
DES Keysearch Machine, 1998 (Cryptography Research, AWT, EFF): tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key.
US Navy Bombe, 1943: contains 16 four-rotor Enigma equivalents to perform exhaustive key search.
Example: Side channel (Implementation)
► Simple EM attack with a radio
► Usable signals even at 10 feet away
(setup: devices, near-field and far-field antennas, receiver ($350), digitizer running GNU Radio ($1000), signal processing (demodulation, filtering), DPAWS™ side-channel analysis software)
► Focus on the M^dp mod p calculation (the RSA-CRT half; M^dq mod q is similar)
Square-and-multiply exponentiation as implemented on the target:
For each bit i of secret dp (most significant first)
    perform “Square”
    if (bit i == 1)
        perform “Multiply”
    endif
endfor
Observed operation sequence (S = square, M = multiply):
SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S
Each S that is followed by an M is a 1-bit of dp and an S on its own is a 0-bit, so the trace reads out the secret exponent directly.
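What that trace gives away, as an added Python example (not code from the seminar): the slide's loop is implemented with a trace, the printed S/M sequence is decoded back into exponent bits, and a Montgomery ladder shows an exponentiation whose operation sequence does not depend on the key. The base, the small modulus and the use of the slide's trace as the secret are constructed for illustration.

```python
"""Why the S/M trace leaks the key.  Added example, not code from the seminar.

The numbers below are small constructed values; a real RSA-CRT exponent d_p
has hundreds of bits, but the leak is the same at any size.
"""


def square_and_multiply(base: int, exponent: int, modulus: int):
    """Left-to-right binary exponentiation, the loop from the slide.

    Returns (base**exponent mod modulus, trace).  The trace holds one 'S'
    per exponent bit and an 'M' only for 1-bits, so the operation sequence,
    which a power or EM side channel makes visible, is the exponent in binary.
    """
    result = 1
    trace = []
    for bit in bin(exponent)[2:]:                 # most significant bit first
        result = (result * result) % modulus      # "Square"
        trace.append("S")
        if bit == "1":
            result = (result * base) % modulus    # "Multiply"
            trace.append("M")
    return result, "".join(trace)


def recover_exponent_from_trace(trace: str) -> int:
    """The attacker's step: each 'S' starts a new bit (0) and an 'M' right
    after it turns that bit into a 1."""
    bits = []
    for op in trace:
        if op == "S":
            bits.append("0")
        elif op == "M":
            bits[-1] = "1"
        else:
            raise ValueError(f"unexpected operation {op!r}")
    return int("".join(bits), 2)


def montgomery_ladder(base: int, exponent: int, modulus: int, nbits: int):
    """Same result with one multiply and one square for every bit, whatever its
    value, so the operation sequence carries no information about the exponent.

    Real constant-time code also has to remove the data-dependent branch and
    the key-dependent memory accesses below; this shows only the uniform trace.
    """
    r0, r1 = 1, base % modulus                    # invariant: r1 == r0 * base
    trace = []
    for i in range(nbits - 1, -1, -1):
        if ((exponent >> i) & 1) == 0:
            r1 = (r0 * r1) % modulus
            r0 = (r0 * r0) % modulus
        else:
            r0 = (r0 * r1) % modulus
            r1 = (r1 * r1) % modulus
        trace.append("MS")
    return r0, "".join(trace)


# The operation sequence printed on the slide, spaces removed.
SLIDE_TRACE = "SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S".replace(" ", "")

if __name__ == "__main__":
    d_p = recover_exponent_from_trace(SLIDE_TRACE)
    print(f"slide trace decodes to d_p = {d_p} = {bin(d_p)}")
    modulus = 1000003                             # constructed small prime
    _, leaky = square_and_multiply(3, d_p, modulus)
    _, uniform = montgomery_ladder(3, d_p, modulus, d_p.bit_length())
    print("square-and-multiply:", leaky)
    print("montgomery ladder:  ", uniform)
```

The ladder is the standard first countermeasure: the attacker still sees every operation, but the sequence is "MS" for every bit, so the trace no longer distinguishes one exponent from another. It does not, by itself, hide which register is read or written, which is why production implementations go further.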
SSL/TLS
Introduction to SSL
► SSL is a hybrid protocol designed to turn an insecure communication channel (regardless of the application protocol) into a secure one
► Designed by Netscape in 1994, standardized in 1999 as TLS, which is now at version 1.2 (2008; updated 2011)
► Protocol versions so far:
► SSL v2 – insecure
► SSL v3 – still secure at the time of this seminar (it has since been deprecated)
► TLS v1.0 – widely used, but not best
► TLS v1.1, v1.2 – not widely used
(chart: SSL v2 support among surveyed sites: 49.85% support SSL v2, 11.93% advertise SSL v2 but offer no cipher suites, 38.22% no support)
SSL Goals
► The SSL standard packages our knowledge of security protocols for reuse
► Key services: discovery and authentication, session key(s) generation, communication integrity
► Interoperability
► Extensibility
► Performance
SSL Cipher Suites
► SSL cipher suites are a higher-level cryptographic construct, consisting of:
► Key exchange and authentication
► Symmetric session cipher
► Message integrity algorithm
► Examples:
► TLS_DHE_RSA_WITH_AES_256_CBC_SHA
► TLS_RSA_WITH_AES_128_CBC_SHA
► TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
► TLS_RSA_WITH_RC4_128_SHA
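A small parser for names in this format, as an added Python example (not from the seminar slides). It splits each suite into the three parts listed above and flags the choices a practitioner would question; the weakness list, the helper names and the audit function are constructed for illustration.

```python
"""Split a TLS cipher-suite name into its parts and flag weak choices.
Added example, not code from the seminar.

IANA names follow TLS_<key exchange>[_<auth>]_WITH_<cipher>_<MAC or PRF hash>.
The weakness list is deliberately short and conservative.
"""
import re

_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA256|SHA384|SHA|MD5)$"
)

FORWARD_SECRET_KX = {"DHE", "ECDHE"}

# cipher prefix -> reason reported to the reader
WEAK_CIPHERS = {
    "RC4": "RC4 is prohibited for TLS (RFC 7465)",
    "3DES": "3DES has a 64-bit block and 112-bit effective strength",
    "DES": "single DES has a 56-bit key",
    "NULL": "NULL cipher provides no confidentiality",
}


def parse_cipher_suite(name: str) -> dict:
    """Return key exchange, authentication, cipher and MAC for one suite name,
    plus the warnings a reviewer would raise.  ValueError for unknown formats."""
    m = _SUITE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher-suite name: {name}")
    kx_parts = m.group("kx").split("_")
    export = "EXPORT" in kx_parts
    kx_parts = [p for p in kx_parts if p != "EXPORT"]
    if len(kx_parts) == 1:
        # TLS_RSA_...: the server's RSA key both authenticates and transports the key
        key_exchange = auth = kx_parts[0]
    else:
        # e.g. DHE_RSA, ECDHE_ECDSA: ephemeral exchange, signed by the named key type
        key_exchange, auth = kx_parts[0], "_".join(kx_parts[1:])
    cipher, mac = m.group("cipher"), m.group("mac")
    aead = cipher.endswith("_GCM") or cipher.endswith("_CCM")

    warnings = []
    if key_exchange not in FORWARD_SECRET_KX:
        warnings.append("no forward secrecy: a leaked server key decrypts recorded sessions")
    for weak, reason in WEAK_CIPHERS.items():
        if cipher == weak or cipher.startswith(weak + "_"):
            warnings.append(reason)
    if export:
        warnings.append("export-grade key sizes")
    if mac == "MD5":
        warnings.append("MD5-based MAC")
    return {
        "name": name,
        "key_exchange": key_exchange,
        "auth": auth,
        "cipher": cipher,
        "mac": mac,
        "aead": aead,  # for AEAD suites the trailing hash names the PRF, not an HMAC
        "forward_secrecy": key_exchange in FORWARD_SECRET_KX,
        "warnings": warnings,
    }


def audit(names):
    """Map each suite name to its warnings; an empty list means nothing flagged."""
    return {n: parse_cipher_suite(n)["warnings"] for n in names}


if __name__ == "__main__":
    # The four example suites from the slide.
    for name, issues in audit([
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA",
    ]).items():
        print(name, "->", issues or "ok")
```

Run against the four suites on the slide, only the first comes back clean: the two TLS_RSA suites use static RSA key transport and so have no forward secrecy, and the RC4 and 3DES suites are flagged for their ciphers as well.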
State of SSL
► The situation is good, overall
► But there are several issues:
► Problems with certificate authorities
► Browsers talk to sites with broken certificates
► We’re not good at keeping up with protocol evolution: SSLv2 still widely supported; TLS v1.1 and TLS v1.2 virtually not supported
► Too many plain-text (HTTP) web sites
► Issues related to mixed content (HTTP/HTTPS)
CERTIFICATES
Digital Certificates
► A digital identity often includes a public/private keypair
► Usually exchanged at the start of a session
► It is necessary to authenticate the keypair when faced with an active man-in-the-middle attack
► We need third parties to help establish identity – generally a certificate authority (CA)
► Digital certificates contain a public key, some identifying information (e.g., name, address, etc.) and a signature
Certificate Contents
Certificate Chaining
Certificate Authorities
► Estimated ~650 certificate authorities (EFF)
► Most browsers trust a small(ish) number of root certs, but the overall number grows through chaining
► Any CA can issue a certificate for any site
► Strong desire to keep certificates in DNS (now that we are starting to implement DNSSEC)
The EFF SSL Observatory: https://www.eff.org/observatory
CONCLUSIONS
Resources
Understanding Cryptography – Christof Paar and Jan Pelzl (Springer, 2009)
Applied Cryptography, 2nd ed. – Bruce Schneier (Wiley, 1996)
SSL and TLS – Eric Rescorla (Addison Wesley, 2001)
SSL Labs – www.ssllabs.com (Qualys)
Applying What You Have Learned
► In the first three months, you should:
► Identify where cryptography is used in your organization
► Identify infrastructure required for cryptographic implementations (key management, certificates)
► Within six months, you should:
► Know what crypto can do. Explain the different security properties.
► Know what crypto can’t do. Gain basic knowledge of implementation security issues
QUESTIONS?
Session ID: SEM-001
Mobile Security Introduction
Paul Youn, iSEC Partners
Marc Blanchou, iSEC Partners
Agenda
► Totally unnecessary introduction
► Threats
► Users have it hard
► Vendors have it hard
► Solution (attempts)
► Conclusion
You’re on your phone right now
Mobile Platforms (chart, data from an IDC press release: millions of smartphones shipped, Q3 2011 vs Q3 2012, up 32%)
Attack Surface
Mobile Trend Takeaways
► Mobile applications are here to stay
► More line-of-business apps will go mobile
► Modern phones are complex
► Complexity & attack surface are often related
► Can’t stop employee-liable devices
What could possibly go wrong?
Malicious Applications
► Application attack vectors: app-to-app, app-to-OS
► App installation vectors: poorly policed markets, 3rd-party markets (Amazon, etc.), SMS/email, exploits, sideloading
Plankton
► Plankton malware appeared: what did “Angry Birds Rio Unlock” do?
► Steal your browser history
► Have the ability to install and add shortcuts
Mobile is a target
► OS vulns are valuable
► iOS: 100-200k
► Android: 30-60k
► Jailbreak research (jailbreakme)
► Zero days are out there
Cellular interception for all!
► Software-defined radio
► Text messages, voice and data are always readable by an active attacker
► Text and voice are most likely readable by a passive attacker (requires a more complicated RF stage)
Certificate Trust
► SSL Observatory Project
► Jesse Burns (iSEC), Peter Eckersley (EFF)
► Data set available on BitTorrent
► Number of trusted CAs
► Mozilla: 124 trust roots (~60 organizations)
► Microsoft: lists only 19 trust roots in Windows 7
► Silent on-demand updating! Can make this 300+ certs
► iOS and Android are close to the Mozilla list
► They signed… 1,482 CAs!
Oops
► Early 2011 (Comodo):
► DigiNotar:
► Late 2012/early 2013 (TurkTrust):
Users Hate You (don’t feel bad)
One password to rule them all: phone, corporate email, 2nd-factor auth, payment data, Angry Birds
f#2M*p4aZ&k1%
Poor keyboards
Limited screen size
*From RHanson
Case Study: Incorrect cert validation
Details?
► Disabled SSL certificate validation
Users will always surprise you
What permissions?
► 500k – 1M installs
► Permissions: run at startup, read/write bookmarks and history, modify contents of your SD card, full network access
Invasive adware (legal Plankton)
► Still available
► Wall-of-text terms of service
► Served ads and modified browser behavior
► Could steal your history
The Airline Pocket
► Physical security is a real problem
► Devices will be lost or stolen
Sync Data Leakage
• Images
• Application data
• E-mail
• Contacts
• Etc.
Case Study – Local Data Storage
► Multiple apps affected
► 6 of 7 stored data locally
► Significant reputation risk
Hard to get it right
Mobile Web Attack Surface
► Mobile applications are still on the Internet: they accept both PC and phone connections
► Common real-world result:
► Primary website secured
► Mobile site unprotected
► Same credentials
► Issues can have worse results than on the desktop
App Distribution Challenges
► It’s packaged software!
► Indirect customer relationship
► Long update lag:
► Users choose not to install patches
► Carrier testing requirements
OS and Software Versions
► Inconsistent versions
► On older iOS devices
► More than half of Android devices contain vulnerabilities
► Vendor-specific OS and software
What to do?
MDM / Secure Container Products?
► Claim to:
► Improve manageability
► Attempt to provide data segregation
► Encrypt sensitive data (emails, contacts, attachments)
► Usually protected by a PIN (separate from the main PIN)
► Enforce strong policies on all compatible devices
► Isolate and improve application security
► Remote lock and remote wipe
► Jailbreak detection
Can the data be secured?
► Full disk encryption? Not enough
► Tamper-resistant chip?
► iOS: Data Protection API
► Android: difficult to do right
Pin certificates
► Certificate pinning means you only accept a hardcoded certificate for SSL/TLS
► Can be configured in iOS and Android
► Implement testing
The limits of safety
► Remote lock and remote wipe?
► Jailbreak/root detection: easily circumvented
► Malware protection
► Application whitelisting on iOS
► Is isolating applications in a ‘Container’ a good idea?
Don’t throw away your phone
Be careful with your sensitive data!
► There are limits to security on a mobile device
► The more attack vectors, the harder something is to secure
► Your phone has a very large threat surface compared to most other devices
Protect yourself
► Turn off unnecessary attack surfaces (such as Bluetooth)
► Update and patch your applications
► Use MDM products, just don’t over-rely on them
► Make it easy for users:
► Don’t store sensitive data on the device (or limit what you cache, such as only recent email)
► Consider using different mobile credentials for your apps
► Use strong credentials
Thank You
► Paul Youn, Technical Director at iSEC Partners – paul@isecpartners.com
► Marc Blanchou, Senior Security Engineer at iSEC Partners – marc@isecpartners.com
► Thanks to: Alex Stamos, Mike Warner
Session ID: SEM-001
Bill Duane, RSA Security, Office of the CTO
Security Basics Seminar: Authentication Technologies
Why Authentication?
Who Are You?
► That is the eternal question…
► It has been in existence as long as people have existed.
► It is often followed by:
► “Have we met before?”
► “What is a beautiful person like you doing in a place like this?”
► And “Would you like to come up to my place to see my collection of strong authentication devices???”
► It also happens to be a foundation question for security.
How do you know??
Phishing and Fraud
► There has been a veritable explosion in consumer-facing Internet crime
► Phishing and malware continue to grow at an alarming rate
► Fraud attacks are also growing rapidly
► Pranksters and script kiddies have been replaced by professional criminals, organized crime, and even governments
► In many cases the legal, ethical, and societal implications have not kept pace with the crimes
► Well-established concepts like jurisdiction, liability, and privacy begin to crack when the crimes occur across the globe and traverse many countries, political relationships, legal relationships and so on.
Growth of Phishing Attacks
The number of unique phishing attacks rose to a peak of 40K in August 2009, and has since been hovering around 24-25K per month. We clearly are at an inflection point where phishing is starting to decline and trojans are increasing. Ref: http://www.antiphishing.org/
There was a roughly 20% increase in trojans as a percentage of malware between H2 2010 and H1 2011; the latest split is shown (chart).
• Crimeware steals financial info
• Data stealing/trojans for system control
• Other is the rest, including auto-replicating worms, telephone dialer scams, …
Growth of Attacks and Attack Methods
► There is increasing concern about APTs in the industry, especially among defense contractors, the intelligence community, and governments
► Low and slow; targeting specific people/organizations
► Often government sponsored
► APT = Advanced Persistent Threat
► These situations show the organization and sophistication of the modern attacker
► Military in style
► Well funded
► Specific objectives/targeted
The Economics of Phishing
► During a visit, the Secret Service mentioned that attacking 10 million email addresses costs the phisher only $160 and yields the attacker $124,840 in profit
► This assumes 50% of the emails bounce, and that only .001% of the remaining people are duped
► If www.antiphishing.org is correct, and there are about 25,000 new phishing attacks per month…
► Multiplied together you get a whopping possible phishing profit of $3,121,000,000 per month worldwide!!!
► Even if the numbers are off by an entire order of magnitude (unlikely) it is still a whopping $312 million per month worldwide!
How does authentication factor in??
Strong authentication could help with many of these problems, except for:
► The continued widespread use of passwords as authenticators
► The fact that advanced authentication technologies have not reached the price points needed to become ubiquitous on the Internet
► The fact that advanced authentication technologies have not reached an ease-of-use level where a child or my 90-year-old grandmother can use them
► The fact that credit cards are static one-factor devices
► The fact that databases containing credit cards and personal information are not encrypted
► Without knowing with a high level of certainty who
you are dealing with:
► it is not possible to properly assign access control and
other rights
► it is not possible to trust a digital signature
► in many cases it makes no sense to encrypt data if you
don’t know who you are dealing with
► The basis for all security is authentication
The Need for Authentication
11
► Strong Authentication typically binds an individual to a
secret
► The system you are attempting to access has some
mechanism to validate that you have the secret
► Sometimes the system knows the actual secret
► Sometimes the system knows something derived from the secret
► The secret can take many forms
► Passwords
► Symmetric cryptographic secrets
► Asymmetric cryptographic secrets
► The trick is, some secrets are more secret than others…
Authentication
12
Passwords
12
13
Authentication with password (diagram): the Accessing System sends the Clear-Text Password to the Accessed System. The Accessed System runs it through a Cryptographic Hash to produce a Digest, and checks that for a Match against the Digest it has stored.
14
Passwords using parallel cryptography (diagram): the Accessed System generates a Random Number and sends it to the Accessing System as the Challenge. The Accessing System runs the Clear-Text Password through a Cryptographic Hash to get the Digest, combines the Challenge and the Digest to produce the Response, and sends the Response. The Accessed System runs the same computation using its Copy of the Digest to produce Response', and checks Response' against the received Response for a Match.
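The two flows in the password diagrams above (a clear-text password checked against a stored digest, and the challenge/response variant in which both sides hold the digest), as an added worked example; this is not code from the seminar. It assumes PBKDF2-HMAC-SHA256 as the slides' generic "cryptographic hash" and HMAC-SHA256 as the "combine the challenge and the digest" step; the function names are this example's own.

```python
"""Password authentication: hashed storage (the first diagram) and a
digest-based challenge/response (the second). Constructed example, not code
from the seminar; PBKDF2-HMAC-SHA256 stands in for the slides' generic
'cryptographic hash' and the function names are this example's own."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; tune for the accessed system's hardware


def enroll(password: str) -> dict:
    """Accessed System: store a salted, iterated digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def verify_cleartext(record: dict, password: str) -> bool:
    """First diagram: the clear-text password arrives, the Accessed System
    recomputes the digest and compares it (constant time) with the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def make_challenge() -> bytes:
    """Accessed System: a fresh random number per attempt, so a captured
    response is useless against the next challenge."""
    return os.urandom(32)


def client_response(password: str, salt: bytes, iterations: int, challenge: bytes) -> bytes:
    """Accessing System (second diagram): derive the digest locally, then
    combine it with the challenge. Only the response crosses the wire."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.new(digest, challenge, hashlib.sha256).digest()


def server_check(record: dict, challenge: bytes, response: bytes) -> bool:
    """Accessed System: run the same computation with its copy of the digest
    and compare Response' with the received response."""
    expected = hmac.new(record["digest"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple[bool, bool, bool]:
    """Walk both flows once; returns (clear-text ok, challenge ok, replay rejected)."""
    record = enroll("correct horse battery staple")
    ok_clear = verify_cleartext(record, "correct horse battery staple")
    challenge = make_challenge()
    response = client_response("correct horse battery staple", record["salt"],
                               record["iterations"], challenge)
    ok_cr = server_check(record, challenge, response)
    # An eavesdropper replaying the captured response against a new challenge fails.
    replay_rejected = not server_check(record, make_challenge(), response)
    return ok_clear, ok_cr, replay_rejected
```

In the challenge/response variant the password never crosses the wire and the fresh challenge defeats replay, but the stored digest has become password-equivalent: whoever copies the Accessed System's database can compute valid responses without ever learning the password. That is the point of "some secrets are more secret than others", and why that database needs the same protection as the password itself.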
15
► Test 1 (London)
► >70% revealed their
computer password for a
bar of chocolate
► 34% volunteered their
password when asked
without even needing to
be bribed
► 79% unwittingly gave
away information that
could be used to steal their
identity when questioned
► 33% share passwords
► On average, people have
to remember 4 passwords
The Problem with Passwords …
People!!!
► Test 3 (London)
► 81% revealed personal
information for chance to
win Easter chocolate
► 90% were willing to
give personal info in
2005 for the chance to
get theater tix
► People offered up identity
info like birth date, mothers
maiden name, first school
► 86% gave up pet’s name
► 90% gave up home phone
number
► After 2 minutes, enough info
was typically gathered to
allow an identity attack
► Test 1 (San Francisco)
► 67% turned over their
passwords for $3 coffee
coupons
► 70% of those who said “no way” gave up significant hints (wife’s name,
hints (wife’s name,
anniversary date, pet’s
name)
► 79% said they use the same
password for multiple Web
sites
► Nearly 60% have >=4
passwords
► One executive, too busy
to stop, sent his secretary
back with his password so
he could get the free
coffee (she gave up hers,
too)
16
The Problem with Passwords …
Source: www.unitedmedia.com/comics/dilbert
A more resistant password:
1. Pick a passphrase
2. Select the first letters of every word
3. Add non-alphanumerics
4. Surround with special characters:
“At 1, Bill presented an
Awesome talk on
authentication”
A1BpaAtoa
^#A1BpaAtoa#^
µ^#A1BpaAtoa#^µ
I’m sure my grandma
will comply…
Where are my yellow
stickies?
17
The Fundamental Problem (chart): Computer Power versus Brain Power, over a timeline running from the Dawn of Computing, through Reality TV, to Now and the Future.
18
► Passwords have their good points:
► They are easy to use
► They are easy to remember
► They do not require external devices to operate
► They are Platform- independent
► They have no acquisition cost
► Minimal end-user training
The Benefits of Passwords
19
► They are ‘1 static factor’ devices - it’s only something you ‘know’
► yellow stickies on your monitor, notes under your keyboard
► replay attacks are common
► Can be compromised, without knowing
► Social attacks
► Inconsistent formats between applications (Provisioning,
synchronization necessary)
► Passwords are actually quite expensive (Operating costs)
► Password reset and admin is frequently over 40% of what help desks
do!
The Problems with Passwords
20
► Most passwords are poorly chosen
► Your dog’s name, your significant other’s pet name, the word
‘password’
► Most passwords are vulnerable to the widely available password
cracking programs
► Poorly chosen passwords significantly reduce the search
space for an attacker
► We are entering an age where passwords must be very
carefully used, and should not be used for controlling access
to critical accounts
The Problems with Passwords
21
One Time Passcodes
21
22
► Authentication tokens are small devices which generate a
new“password”(tokencode) for every authentication.
► They contain a secret key (seed) which is shared by an
authentication server
► Tokens usually have an LCD display, a small microprocessor, and a
battery. Tokens may have a keypad, and a real-time clock
► Tokens do require that the user carry them around, but
provide authentication without desktop software
One Time Passcode (OTP) Tokens
23
► Tokens are currently the most cost effective, and easiest to
use strong authentication solution
► They are common in the enterprise marketplace
► They are a proven technology
► They are easy to use
► There are a number of different types of token:
► Time-based
► Challenge-Response
► Counter-based
► Two of the biggest issues for the use of tokens in the
consumer Internet space include cost, and multi-site token
re-use
OTP Tokens
24
Challenge-Response OTP Tokens (diagram): the Authentication Server generates a Random Number and presents it as the Challenge. The user inputs the Challenge on the Token Keypad; the Challenge-Response Token combines its Internal Seed and the Challenge, then hashes it, and truncates the result as needed to produce the correct length Response. The user reads the Response on the LCD and enters it at the logon prompt. The server runs the same hash computation using its Copy of the Seed, truncates the result to produce Response', and compares Response' and the received Response for a Match.
25
Counter-Based OTP Tokens (diagram): the Counter-Based Token has an internal counter incremented by button presses. It combines the current counter value and its Internal Seed, then ‘hashes’ it, and truncates the result as needed to produce the correct length Passcode. The Authentication Server’s counter increments for each authentication; the server runs the same ‘hash’ using its counter and its Copy of the Seed, truncates the result to produce Passcode', and compares Passcode' and the received Passcode for a Match.
26
Time-Based OTP Tokens (diagram): the Time-Based Token has its own internal clock. It combines the current time and its Internal Seed, then ‘hashes’ it, and truncates the result as needed to produce the correct length Passcode. The Authentication Server’s clock runs independently from the token’s internal clock; the server runs the same ‘hash’ using the time and its Copy of the Seed, truncates the result to produce Passcode', and compares Passcode' and the received Passcode for a Match.
27
► As we have seen, there are a variety of OTP tokens available
► In addition to the hardware tokens discussed, software
versions are available which run on PCs, notebooks, and
other mobile computers such as tablets and smart phones
► OTP tokens continue to be one of the most common strong
authentication methods, especially in the enterprise
OTP Tokens
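The three token diagrams above (challenge-response, counter-based and time-based) share one shape: hash the seed together with a second input, then truncate. The following is an added example, not the seminar's or any token vendor's code, implementing all three plus the server-side checks the diagrams leave implicit. The counter- and time-based functions follow RFC 4226 (HOTP) and RFC 6238 (TOTP), and the seed is the RFCs' published test secret, not a real token's; the challenge-response variant and the look-ahead and drift windows are this example's own construction.

```python
"""One-time passcodes as in the three token diagrams: seed + second input,
HMAC-SHA1, truncate to six digits. Counter- and time-based variants follow
RFC 4226 / RFC 6238 and use the RFCs' test secret (constructed data, not a
real token seed); the challenge-response variant and the server windows
are this example's own, not a particular vendor's algorithm."""
import hashlib
import hmac
import struct

RFC_TEST_SEED = b"12345678901234567890"  # RFC 4226 Appendix D secret


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation: take 31 bits at an offset chosen by the last nibble
    of the hash, then keep the low `digits` decimal digits, zero-padded."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based token: combine seed and counter, hash, truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based token: the 'counter' is the number of 30-second steps so far."""
    return hotp(seed, int(unix_time) // step, digits)


def challenge_response(seed: bytes, challenge: bytes, digits: int = 6) -> str:
    """Challenge-response token: combine seed and the server's random
    challenge, hash, truncate. Same shape, different second input."""
    mac = hmac.new(seed, challenge, hashlib.sha1).digest()
    return _truncate(mac, digits)


def verify_hotp(seed: bytes, server_counter: int, code: str, look_ahead: int = 10):
    """Server side. The token's counter advances on every button press, the
    server's only on successful logins, so the server searches a small window
    ahead of its own counter. Returns the new server counter, or None.
    Never searching backwards is what blocks replay of an old passcode."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(seed, c), code):
            return c + 1
    return None


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30, drift: int = 1) -> bool:
    """Server side. Token and server clocks run independently, so accept codes
    from `drift` steps either side of the server's current step."""
    now_step = int(unix_time) // step
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(seed, now_step + delta), code):
            return True
    return False
```

The server-side windows are where token deployments get hurt in practice: the counter window must stay small and never move backwards, and an accepted time-based code should be recorded as used so it cannot be presented a second time inside the same 30-second step. The seed is a symmetric secret shared with the server, so the server's copy is worth exactly as much as the token in the user's pocket.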
28
Public-Private Key Authentication
29
Public-Private Key Authentication (diagram): the Server generates a Random Number, applies the Client’s Public Key to it, and sends the result to the Client. The Client applies the Client’s Private Key and returns Random #'. The Server checks Random #' against the original Random # for a Match.
30
► If you have a certain Public Key, as shown it
can be used to verify that the other system
has the matching Private Key
► To complete the process of PPK
Authentication:
► You need to trust that the Public Key is the right
one for an individual
► You need to secure the storage of the Private Key
PPK Authentication
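The PPK exchange in the diagram above as an added example (not the seminar's code): the server issues a random number, the client answers with its private key, and the server checks the answer with the client's public key. It assumes the third-party Python `cryptography` package is installed and uses Ed25519 signatures as a stand-in for the diagram's generic private-key operation; the function names are this example's own.

```python
"""Public-private key authentication as challenge/response. Constructed
example, not the seminar's code. Assumes the third-party `cryptography`
package; an Ed25519 signature plays the role of the diagram's private-key
step (the client proves possession without acting as a decryption oracle)."""
import os

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric import ed25519


def generate_client_keypair():
    """Client: the private key is created here and never leaves the client."""
    private_key = ed25519.Ed25519PrivateKey.generate()
    return private_key, private_key.public_key()


def server_challenge() -> bytes:
    """Server: generate a random number, fresh for every attempt."""
    return os.urandom(32)


def client_respond(private_key, challenge: bytes) -> bytes:
    """Client: apply the private key to the server's random number."""
    return private_key.sign(challenge)


def server_verify(public_key, challenge: bytes, response: bytes) -> bool:
    """Server: the public key it trusts for this client must match the response."""
    try:
        public_key.verify(response, challenge)
        return True
    except InvalidSignature:
        return False


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine client accepted, replayed response rejected against a
    new challenge, holder of a different private key rejected)."""
    priv, pub = generate_client_keypair()
    challenge = server_challenge()
    response = client_respond(priv, challenge)
    genuine = server_verify(pub, challenge, response)
    replay = server_verify(pub, server_challenge(), response)
    other_priv, _ = generate_client_keypair()
    impostor = server_verify(pub, challenge, client_respond(other_priv, challenge))
    return genuine, not replay, not impostor
```

Exactly the two gaps the slide lists remain: nothing here establishes that the public key really belongs to the client (that is the certificate's job, covered next), and nothing protects the private key at rest.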
31
Trusting the Public Key (diagram): an X.509 Digital Certificate, which says in effect “I officially notarize the association between this particular User, and this particular Public Key”. Fields shown:
Serial Number: xxxxx
Validity: Nov.08,2003 - 08,2005
User
Organization
CA - Ref.,LIAB.LTD(c)96
Organizational Unit = Digital ID Class 2 - Chelmsford
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: RSA Security
Status:
32
It’s all about Trust (diagram): the certificate below is signed with the Certificate Authority’s Private Key, and anyone holding the Certificate Authority’s Public Key can check that signature.
Serial Number: xxxxx
Validity: Nov.08,1997 - Nov.08,1998
User
Organization
CA - Ref.,LIAB.LTD(c)96
Organizational Unit = Digital ID Class 2 - Chelmsford
Status:
Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl
Signed By: VeriSign, Inc.
33
► The private key must be securely stored
► Smart Cards are ideal
► Token protected storage is also very good
► Password protected storage is less ideal
► The whole trust of PPK systems comes down
to the trust of Certificates and Private Key
Storage
► And how you verify that the correct person is the
owner of the private key!
Trusting the Private Key
34
Biometrics
34
35
► Alternative to passwords and smartcards
► Determine your identity by measuring your personal characteristics
► User friendly
► Nothing to remember, nothing to enter
► Hard to mess up
► No token to drop or give away
► No password to forget, write down or tell a friend
► They can be 2 or 3 factor authenticators
► Something you are plus something you have or know
► They are cool
Biometrics
36
► A large number have been proposed
► Fingerprints
► Retina scan, iris scan
► Facial Recognition
► Hand shape
► Blood vessels
► Voice
► Body Odor
► DNA (no commercial systems)
► Different characteristics
► Cost, convenience, stability, security, spoofing
Different biometrics
37
► Advantages
► Some types support cheap sensors
► Non-intrusive
► Small form factor
► Simple to use
► Disadvantages
► Identification is not unique
► Best have an error of 1:100 000 (that’s only 17 bits)
► Does not work in all environments
► Gloves, worn down fingertips
► Can be stolen without direct contact with user
Example: Fingerprints
38
► Over the last couple of years
there have been some
interesting biometric
developments
► Biometrics have entered the
consumer market in a
reasonably large way
► Large numbers of
notebooks
now contain a biometric
fingerprint sensor
► Match on device
functionality is becoming
technically reasonable
Biometrics Update
39
► Where do you store the Biometric patterns, and how is that
protected?
► You use the same fingerprint everywhere
► You leave your fingerprint everywhere
► How much ‘training’ is required to get a good template?
► There is some part of the population where the Biometric
does not work, for example:
► Masonry and other construction workers who have worn down their
fingerprints
► The fingerprint of senior citizens cannot be read in many cases
► Master criminals or spies who etched their fingerprints off with acids
The issues with Biometrics
40
► For me, perhaps the biggest problem with
biometrics is theft of identity, and the related
problem of revocation:
► Unlike other security credentials, a biometric is you!
► If some evil-doer gets your biometric template, they can
impersonate you personally
► How do you deal with the theft of your template?
► Lopping off digits hardly seems appropriate
► You only have one voice, two eyes, one body odor, … so
invalidating the compromised biometric is of limited use
The issues with Biometrics
41
Revocable Biometric Templates
The original image
is not used as a template
It is first morphed with
a master ‘key’
The resulting horrific
morphed image becomes
the master template
In all subsequent authentications, the raw image is morphed using
the same master key before the biometric authentication is performed
If the morphed template is ever compromised, the original image is not revealed.
The master key can then be destroyed and a new one used.
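The revocable template idea above as an added example, not the seminar's or any vendor's scheme. It assumes the "image" is a 256-bit feature vector and uses a key-derived bit permutation plus a key-derived XOR mask as the "morph", chosen because it leaves the Hamming distance between two readings unchanged, so matching works in the morphed domain. The sensor readings are constructed and the 40-bit match threshold is an assumption.

```python
"""Revocable (cancelable) biometric templates. Constructed example, not the
seminar's or a vendor's scheme: the 'image' is a 256-bit feature vector, the
morph is a key-derived permutation plus a key-derived XOR mask, and the
readings below are made up."""
import hashlib
import hmac
import random

FEATURE_BITS = 256
MATCH_THRESHOLD = 40  # max Hamming distance accepted as the same person (assumed)


def morph(raw_bits: list[int], master_key: bytes) -> list[int]:
    """Permute the bit positions and flip bits under a mask, both derived from
    the master key. Hamming distance between two readings is preserved, so a
    comparison in the morphed domain gives the same answer as on raw bits."""
    n = len(raw_bits)
    rng = random.Random(hashlib.sha256(b"perm|" + master_key).digest())
    perm = list(range(n))
    rng.shuffle(perm)
    mask_bytes = b""
    counter = 0
    while len(mask_bytes) * 8 < n:
        mask_bytes += hmac.new(master_key, b"mask|%d" % counter, hashlib.sha256).digest()
        counter += 1
    mask = [(mask_bytes[i // 8] >> (i % 8)) & 1 for i in range(n)]
    return [raw_bits[perm[i]] ^ mask[i] for i in range(n)]


def hamming(a: list[int], b: list[int]) -> int:
    return sum(x != y for x, y in zip(a, b))


def enroll(raw_bits: list[int], master_key: bytes) -> list[int]:
    """Only the morphed template is stored; the raw reading is discarded."""
    return morph(raw_bits, master_key)


def matches(template: list[int], probe_raw_bits: list[int], master_key: bytes,
            threshold: int = MATCH_THRESHOLD) -> bool:
    """Every later authentication morphs the fresh raw reading with the same
    master key and compares in the morphed domain."""
    return hamming(template, morph(probe_raw_bits, master_key)) <= threshold


def sample_reading(person_seed: int, noise_bits: int = 0) -> list[int]:
    """Constructed 'sensor reading': a fixed per-person bit pattern with some
    positions flipped to imitate sensor noise between readings."""
    rng = random.Random(person_seed)
    bits = [rng.randint(0, 1) for _ in range(FEATURE_BITS)]
    for pos in rng.sample(range(FEATURE_BITS), noise_bits):
        bits[pos] ^= 1
    return bits
```

If the morphed template leaks, the raw bits stay hidden as long as the master key is stored elsewhere (key and template together do reveal the reading, so they must not sit in the same database). Revocation is a new key and a re-enrolment; the old template stops matching anything.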
42
RFID
42
43
► In many cases RFID is Identification, not Authentication
► The RFID tag asserts its identity by broadcasting a unique identifier,
but does not perform a cryptographic operation to prove that it is
the authentic tag
► However, sophisticated tags exist, and more are being
developed, and as a result, I can see a time where tags will
assert identity, then be able to perform something like a
challenge-response validation of a symmetric or asymmetric
key.
► As a result, they are worth talking about in the context of
authentication…
Is RFID Authentication??
44
► Since RFID tags transmit their identity, they can leak privacy
information; even when their intended use is over.
► Steamboat Mountain & hospitals are well thought out RFID apps
► Benefits thoroughly explained in advance / opt-in
► Some RFID privacy advancements are happening
► Kill tags/blocker tags
► The RFID devices must be built on
strong cryptography
► Data must be encrypted, and should not
be static
► Algorithms should be peer reviewed
► TI/Speedpass – Cracked/cloned by RSA Labs and Johns Hopkins
► ISO14443/EMV (encrypted/dynamic)
► New RFID technologies to watch:
► Near-Field Comms
► RuBee (Long Wave ID- LWID)
RFID and Privacy
45
► 2006 World Cup Football (Soccer) in Germany
► RFID based admission tickets
► China Olympics RFID based tickets
► NIST publishes a report warning about the dangers of RFID
► Report recommends careful application
► Growth in food tracking area: meat and poultry in Norway;
Thai rice; Malaysia livestock; Spanish meat;
► Amish farmers resist RFID tagging of livestock
on religious grounds
► Some religious groups resist biometrics
as the ‘mark of the beast’
► Viagra bottles will now have RFID tags to prevent
counterfeiting!
► Publicized attacks on MiFare based transit cards
Some Noteworthy Recent RFID Events
46
► Saguaro National Park in Tucson, AZ to tag cacti with RFID tags to thwart thieves (a cactus is about $2k each, the tags are $4); following a similar program in Las Vegas.
A few of my favorite RFID news items
Johnathan Oxer
Melbourne, Australia
“Australia’s geekiest geek!”
RFID tag was implanted in his left arm
Used to unlock his car and home
Cool but possibly dangerous…
47
Composite Authentication
47
48
How do humans authenticate?
Looks like John
He’s at John’s House
John has a dog which
hates to be washed
John likes short hair
John has a son
That’s John’s wife
It is John!
49
► We authenticate by combining a set of lower confidence
authentications into an aggregate authentication
► The process is not mathematically exact
► There is error and low confidence in many of the individual pieces of
data
► However, taken in total, our confidence in the authentication
is increased to a level above which we have confidence in
the authentication
Human Authentication
50
► This technique is emerging as the new model for electronic
authentication
► Composite authentications first started to emerge in the
area of on-line banking
► Composite authentications combine a number of weak
authentications into a stronger authentication
► While it may be possible to intercept or replay some of the
composite parts, it is very difficult to simulate all the parts of
a well designed composite
Composite Authentications
51
Composite Authentications
Is it really Sally?
► She knew Sally’s password
► She is connecting via Sally’s ISP
► She is using the same browser Sally uses
► This is the same computer which Sally used before
► She is connected at the same time Sally typically connects
► She is doing the same operations which Sally typically does
► She interacts with the computer like Sally
It’s Sally!!
52
► Typically these authentications perform a risk scoring based
upon all the data
► If the score is too low, the authentication fails
► If the score is above a threshold, then the authentication succeeds
► If the score between the two:
► The end user may be prompted for more information
► Mother’s maiden name, color of first car, …
► Or the user may be contacted through some other out of band method
► Calling the end user cell phone
► By their nature, composite authentications make it difficult to compute an effective bit strength mathematically
► And such a figure would miss some of their inherent strengths
Composite Authentications
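The "Is it really Sally?" scoring described above as an added example, not a product's risk engine and not code from the seminar. The profile, the login attempts, the signal weights and the two thresholds are all constructed assumptions.

```python
"""Composite (risk-based) authentication after the 'Is it really Sally?'
slide. Constructed example: profile, attempts, weights and thresholds are
assumptions, not a product's scoring model."""
import hmac

# Weight each signal carries when it matches the user's past behaviour (assumed).
WEIGHTS = {"isp": 2.0, "browser": 1.0, "device": 3.0, "hour": 1.0, "operation": 2.0}
DENY_BELOW = 3.0   # total below this: authentication fails
ALLOW_AT = 7.0     # total at or above this: authentication succeeds
DENY, STEP_UP, ALLOW = "deny", "step_up", "allow"

# Constructed profile, as it would be learned from Sally's earlier sessions.
SALLY = {
    "password": "hunter2",
    "isp": "AS-EXAMPLE-CABLE",
    "browsers": {"Firefox/18"},
    "devices": {"dev-1a2b"},
    "usual_hours": range(7, 23),
    "usual_operations": {"view_balance", "pay_bill"},
}

# Constructed login attempt that looks exactly like Sally.
USUAL = {"password": "hunter2", "isp": "AS-EXAMPLE-CABLE", "browser": "Firefox/18",
         "device": "dev-1a2b", "hour": 20, "operation": "pay_bill"}


def score(profile: dict, attempt: dict) -> float:
    """Add up the weights of the weak signals that agree with the profile."""
    total = 0.0
    if attempt["isp"] == profile["isp"]:
        total += WEIGHTS["isp"]
    if attempt["browser"] in profile["browsers"]:
        total += WEIGHTS["browser"]
    if attempt["device"] in profile["devices"]:
        total += WEIGHTS["device"]
    if attempt["hour"] in profile["usual_hours"]:
        total += WEIGHTS["hour"]
    if attempt["operation"] in profile["usual_operations"]:
        total += WEIGHTS["operation"]
    return total


def decide(profile: dict, attempt: dict) -> str:
    """Password first (necessary, not sufficient), then the composite score:
    too low fails, high enough succeeds, in between asks for more
    (a life question or an out-of-band call to the user's phone)."""
    if not hmac.compare_digest(attempt["password"], profile["password"]):
        return DENY
    total = score(profile, attempt)
    if total < DENY_BEL0W if False else total < DENY_BELOW:
        return DENY
    if total >= ALLOW_AT:
        return ALLOW
    return STEP_UP


def demo() -> dict:
    """Three attempts: Sally as usual, someone holding only the password, and
    someone who also matches the ISP and browser."""
    stranger = {**USUAL, "isp": "AS-OTHER", "browser": "Chrome/24",
                "device": "dev-ffff", "hour": 3, "operation": "add_payee"}
    partial = {**stranger, "isp": USUAL["isp"], "browser": USUAL["browser"]}
    return {"usual": decide(SALLY, USUAL), "stranger": decide(SALLY, stranger),
            "partial": decide(SALLY, partial)}
```

Keeping the composite fresh, as the next slide says, means revisiting the weights and adding signals over time: a mix that never changes is one that can eventually be learned and satisfied.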
53
► I think this is one of the most interesting evolutions in
authentication technology to have occurred over the last
few years
► The composite mix must be kept fresh, or the attackers will
compromise enough of the composite to make it weak
► A good composite is diverse, and changes over time
► Watch to see composite authentication branch into the
enterprise and other non-banking consumer settings.
► Various frameworks for comparing authentication methods
(such as NIST 800-63) have not caught up with this trend yet,
so be careful.
Composite Authentications
54
A couple of Authentication related
topics…
55
► Publicly, I expressed dismay with the RFID passport proposals
► Lack of privacy, lack of encryption, …
► Some progress has been made
► Shielded passport cases
► Data is encrypted
► Auth via open passport data
► There still are problems:
► The RFID chips have been cloned
► The encryption appears to have been cracked
► Some sites have discussed putting your new passport in a microwave to disable
the RFID chip
► I don’t recommend that!
Electronic Passports
56
► A US form of government ID is emerging with Real ID
► Federal standard for drivers licenses
► Digimarc is the leader in this effort
► Mandates validation of person
before issuance
► Cryptographic security features
► Biometric quality image
► Scan of database done for
facial match during issuance
► Can be used for Real-Time
► Other features such as ghost image
and micro-fine art; holograms; …
► Enhanced versions (RFID) of this card act as the Western Hemisphere Travel Initiative PASS card
► Some groups are against Real ID on privacy grounds
► Tracking individuals, keeping copies of produced documents, centralized database
► It is moving forward; currently 25+ states have passed legislation to adopt Real ID
► Current plans are that by 2014 most people will be required to have a Real ID document – most
likely a drivers license
Real ID
57
► Many of the same ideas we have talked about apply to credit cards
► Like passwords, credit cards are static authenticators
► In many ways, credit card numbers are *worse* than passwords:
► Their lifetime is extremely long
► Credit Card information is often stored in the clear on merchant systems
► Unlike all modern password systems which do not store clear passwords
► The frustrating part is that many security and authentication technologies could be applied to
credit cards today
► OTCC – One Time Credit Card
► Encryption of merchant databases
► Dynamic second factors (like CCV codes)
► Unfortunately these changes will come
about slowly
► EMV and some of the new Mastercard and
Visa initiatives are very good starts
► Canada and Mexico are going to EMV
► Will this push fraud into the US??
► In the US, real-time authorization with RBA
Credit Card Fraud
58
Wrapping it up….
58
59
How do they compare? (chart): Relative Security plotted against Cost of Authenticator.
60
Type                     | Is Key Secret? | Strength         | Portability | Ease of use | Cost
Password                 | Maybe          | Weak             | High        | Easy        | Very High
OTP                      | Yes            | Strong           | High        | Medium      | Medium
Smart Card & Certificate | Yes            | Strong           | Low         | Medium      | High
Biometric                | No             | Weak - static    | Low         | Very Easy   | Medium
RFID                     | No             | Weak - static    | Low         | Very Easy   | Low
Composite                | Typically not  | Hard to quantify | Low         | Easy        | Low
Credit Card              | No             | Weak - static    | High        | Easy        | Low
How do they compare?
61
Authentication Factors: Something You _____
Know           | Have                                    | Are              | Do
Text PIN       | IP Address; Scratch-off / Bingo Card    | Fingerprint      | Keystroke Dynamics
Visual PIN     | Browser Type; Phone / PDA w/OTP         | Hand Geometry    | Voice Print
Text Password  | Cookie; OTP Token                       | Face Recognition | Access Pattern
Life Questions | Certificate; USB Device                 | Iris Scan        |
               | Toolbar / Agent; Proximity / Smart Card | Retina Scan      |
Authentication Tiers: likely combinations of factors, low end to high
#1: Composite + Password
#2: Soft Token + Password
#3: Soft Token + Biometric
#4: Hard Token + PIN
#5: Hard Token + Biometric
62
There are a few recommendations I can give:
► Static Passwords must not be used to protect anything with value
► OTP will continue to be strong in the enterprise, but new technologies
like RFID and Biometrics are making inroads
► That said, there have been recent significant attacks on the core
algorithms which underlie some OTP tokens – choose wisely.
► The first active MITM attacks have appeared
► The emergence of composite authentications, especially when
combined with other forms of authentication represent an important
new branch on the tree of authentication methods.
► Most importantly, do not standardize on one technique or algorithm!
► This is a dynamic environment, and you will need diversity and flexibility to choose the
best authentication solution to meet your needs.
Flexibility and Diversity
63
Thank You…
Questions?
FIREWALLS AND PERIMETER
DEFENSES
William Cheswick
cheswick.com
http://www.cheswick.com/ches
Sunday, February 24, 13
Perimeter Defenses allow one to focus defensive expertise and efforts on a small area
Where do you put them?
How many do you need?
How do you get through them?
How do you test them?
Perimeter defenses
• 1622: Tilly captured the castle after a two-month siege
• 1689: Captured by 30,000 French in a few hours
– insufficient number of defenders
Heidelberg Castle: failure modes
Scotland Yard (photo)
Edinburgh castle (photo)
Flower Pots!
Security Doesn’t Have To Be Ugly. Does it have to be inconvenient? No.
Delta barriers
A firewall against demons
We Use Layers to Achieve Higher Security
Warsaw old city, layer 2
Intimidation is a layer
Perimeter Defenses don’t scale
The Pretty Good Wall of China (photo)
Built to keep out the barbarians of the north and their economy
Formed from shorter segments
Genghis Khan walked past the wall, unopposed, and into Beijing
A wall is a single layer
The Great Wall
Parliament: entrance (photo)
Parliament: exit (photo)
Intranets
(diagram) Lucent intranet: sites at Allentown, Murray Hill, Columbus and Holmdel; remote access via SLIP, PPP, ISDN, X.25, cable, ...; Lucent - 130,000, 266K IP addresses, 3000 nets ann.; connections to The Internet, ~200 business partners and thousands of telecommuters.
Anything large enough to be called an intranet is probably out of control
“All of [the gateway’s] protection has, by design, left the internal AT&T machines untested---a sort of crunchy shell around a soft, chewy center.”
The Design of a Secure Internet Gateway, W. Cheswick, Proc. of Winter Usenix, Anaheim, 1990
A simile for the ages?
The largest is probably NIPRNET, ~2 million hosts
A high tech company has about two active IP addresses per employee
Low tech is around one per employee
Small ones are enclaves.
Fun intranet facts
For wusses with hosts that can’t hack it on the real Internet
A gateway fascist decides which traffic is good and bad
Cheaper than deploying firewalls in every host
But we do that, too
Perimeter Defenses
They are hard to do
They look easy to do
They provide a false sense of security
They don’t scale
Everybody scales them
Problems with PDs
Dangerous services are attacked from the outside
We import trouble, like Buffy’s vampires: email, USB sticks, alien devices
How Does Trouble Arrive?
Network services may have exploitable security holes
Best answer: remove services
PD answer: get out of the game
Attack from the outside
“Best block is not be there” -- Mr. Miyagi, Karate Kid
Firewalls block the bad stuff, and let in the good stuff
Routing and addressing tricks also get you out of the game: RFC 1918 addresses, IPv6 FD address range
Getting out of the game
(diagram) A router connects the “inside” hosts (192.168.0.0/16) to the Internet; the outside hosts sit on the far side of the router.
Indirectly-connected hosts can be scanned by intermediaries if they are compromised or if spoofed packets are possible
Important: block spoofed packets
Key Points to hiding networks
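The anti-spoofing rules the last two slides call for, as an added example (not the seminar's configuration): an ingress check on the Internet-facing interface and an egress check on the inside interface, using Python's ipaddress module. The interface names, the inside prefixes and the sample packets are constructed assumptions.

```python
"""Anti-spoofing for a hidden (RFC 1918 / IPv6 ULA) network. Constructed
example; interface names, inside prefixes and packets are assumptions, not
the seminar's configuration."""
import ipaddress

# Our own hidden address space (assumed): RFC 1918 IPv4 plus an IPv6 ULA prefix.
INSIDE_PREFIXES = [ipaddress.ip_network("192.168.0.0/16"),
                   ipaddress.ip_network("fd00:1234::/48")]

# Sources that have no business arriving from the Internet: private and
# unique-local space, loopback, link-local and the unspecified address.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128", "::/128")]


def _in_any(addr, networks) -> bool:
    # ip_network membership is False for an address of the other IP version
    return any(addr in net for net in networks)


def verdict(interface: str, src: str, dst: str) -> str:
    """Decide one packet given the interface it arrived on. Only 'pass'
    forwards; every other return value is a drop with its reason."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if interface == "outside":
        # Ingress: a packet from the Internet claiming a bogon or inside source
        # is spoofed. Dropping it keeps the indirectly-connected hosts from being
        # reached by packets that merely pretend to be local.
        if _in_any(src_ip, BOGON_SOURCES + INSIDE_PREFIXES):
            return "drop: spoofed inside/bogon source on outside interface"
        # The hidden prefixes are not routable from outside, so a packet addressed
        # to them from the Internet is a leak or an attack either way.
        if _in_any(dst_ip, BOGON_SOURCES):
            return "drop: unroutable destination on outside interface"
        return "pass"
    if interface == "inside":
        # Egress (BCP 38): inside hosts may only send with inside sources, so a
        # compromised internal host cannot spoof on someone else's behalf.
        if not _in_any(src_ip, INSIDE_PREFIXES):
            return "drop: inside host using a foreign source address"
        return "pass"
    return "drop: unknown interface"


# Constructed sample packets: (interface, source, destination).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7", "198.51.100.1"),
    ("outside", "192.168.5.5", "198.51.100.1"),
    ("outside", "10.1.2.3", "198.51.100.1"),
    ("outside", "2001:db8::1", "2001:db8::2"),
    ("outside", "fd00:1234::9", "2001:db8::2"),
    ("inside", "192.168.1.10", "203.0.113.7"),
    ("inside", "203.0.113.9", "203.0.113.7"),
]


def audit(packets=SAMPLE_PACKETS) -> list[str]:
    """Run every sample packet through the filter and return the verdicts."""
    return [verdict(*p) for p in packets]
```

The inside check is the one people forget: the slide's "intermediaries ... if they are compromised" is exactly the host that the egress rule stops from borrowing another network's address.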
Internet Firewalls
Original firewall (diagram)
“inside” and “outside”
The weakest part: thinking of “the inside” as being secure. It mostly isn’t.
Firewalls tend to be directional
Standard servers are too dangerous to expose to outside access
TCP/IP packets are too dangerous
No IP connectivity to outside
Behind firewalls
My (Safer!) Firewall (diagram)
Referee’s suggestion (diagram)
▶ Presenter
Logo
▶ Slide▶ of 77
Two benefits
Avoids denial of service (DoS) attacks on important hosts. This is a network-level, not host-level, problem.
Walled garden makes intruders easy to spot, by definition. They keep a lot of the chaff out.
Firewalls
Generally centralized defense against attacks
Cheaper to focus your smarts in one location
Host-based firewalls blend into host-based security
Levels of firewalls
Packet: usually “packet filter”
Circuit: cf. SOCKS
Application level
“Deep packet inspection” (DPI): packet-level analysis of deeper data
Packet filters
Generally fast and cheap
Generally stupid: use tricks to enhance
Stateful: keep track of sessions
Circuit level
“Computer acting as a wire”
SOCKS
Specific TCP connections copied by a relay program
Not used much any more, but can be a convenient tool
Application level
Understands the service it is filtering
E.g. a mailer receives and scans email before forwarding
Benefits of DPI
Relatively cheap and easy to do
Can be done at network speeds
Note: not new technology
Problems with DPI
It is impossible to do correctly, so good enough has to be good enough
Why? Doing it right requires packet normalization.
Packet Normalization Problems
Fragmented packets
TCP overlap interpretation
Packet distance hacks (e.g. TTLs chosen so a packet reaches the monitor but expires before the host)
See Vern Paxson's work for gory details
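Added example, not from Cheswick's slides: the TCP overlap problem from the list above in code. The two reassembly policies, "first" (the copy of a byte that arrived first wins) and "last" (a later overlapping segment overwrites), are labels for this example rather than a claim about any particular operating system; the stream, the signature and the normalizer are constructed here. A monitor that reassembles with one policy while the destination host uses the other never sees the request the host acts on, which is the insertion/evasion problem described by Ptacek and Newsham (1998) and by Handley, Paxson and Kreibich (USENIX Security 2001). The normalizer at the end is the fix the previous slide alludes to: refuse inconsistent overlaps, so that every policy downstream yields the same stream.

```python
"""Overlapping TCP segments versus a DPI engine (added example, not from the slides).
The stream, the two reassembly policies and the signature are constructed here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int     # sequence number of the first byte, relative to the initial one
    data: bytes


# Constructed attacker stream: the second segment overlaps bytes 5..13 of the
# first with different content, so the stream has two plausible readings.
OVERLAP_STREAM = [
    Segment(0, b"GET /safe.html"),
    Segment(5, b"evil.html"),
    Segment(14, b" HTTP/1.0\r\n"),
]


def reassemble(segments, policy):
    """Rebuild the byte stream under one overlap policy.  "first": the bytes
    that arrived first are kept; "last": a later overlapping segment overwrites
    them.  Real stacks apply such policies per offset and differ from each
    other, which is why a monitor cannot safely guess."""
    buf, filled = bytearray(), bytearray()   # filled[i] == 1 once buf[i] holds data
    for seg in segments:
        end = seg.seq + len(seg.data)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
            filled.extend(bytes(end - len(filled)))
        for i, byte in enumerate(seg.data):
            pos = seg.seq + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = 1
    return bytes(buf)


def dpi_alert(segments, policy, signature=b"evil"):
    """What a signature engine sees depends entirely on the policy it assumed."""
    return signature in reassemble(segments, policy)


def normalize(segments):
    """Traffic normalizer in the spirit of Handley, Paxson and Kreibich: forward a
    segment only if every byte it overlaps with already-forwarded data is
    identical, and drop it otherwise.  Downstream, every policy then yields the
    same stream, so the host and the monitor can no longer disagree."""
    seen, forwarded = {}, []                  # seen: stream offset -> byte value
    for seg in segments:
        if all(seen.get(seg.seq + i, b) == b for i, b in enumerate(seg.data)):
            forwarded.append(seg)
            seen.update((seg.seq + i, b) for i, b in enumerate(seg.data))
    return forwarded


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(OVERLAP_STREAM, policy), "alert:", dpi_alert(OVERLAP_STREAM, policy))
    print("normalized", reassemble(normalize(OVERLAP_STREAM), "last"))
```

With the "first" policy the engine sees `GET /safe.html` and raises no alert; a host that honours the later segment executes `GET /evil.html`. After the normalizer drops the inconsistent second segment, both policies produce `GET /safe.html`, which is the point of normalizing before inspecting rather than guessing the host's behaviour. Fragment overlap at the IP layer has the same shape, with fragment offsets in place of sequence numbers.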
General Filtering Rules
Block everything by default
Allow safe stuff through
Outgoing is generally okay
UDP is generally not okay, but what about DNS, voice?
NAT is a close match for these
RFC 1918 addressing inside
Outgoing stuff only
Cheap from Costco, etc.
You can patch your Windows system in relative safety
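Added example (example code, not the slides' own): a toy stateful filter with source NAT that implements the rules from the "Key Points to hiding networks", "Packet filters", "General Filtering Rules" and "NAT" slides together: block everything by default, let state be created only by outgoing packets, admit a reply only when it matches that state, restrict UDP to DNS against one resolver, and drop spoofed RFC 1918 sources and non-local destinations on the outside interface. The public address 203.0.113.7, the Internet-side hosts in 198.51.100.0/24, the resolver, the interface names, the NAT port pool starting at 40000 and the packets themselves are all constructed for the example.

```python
"""Toy stateful packet filter with source NAT (added example, not from the slides).
Addresses, interface names and the NAT port pool are constructed for illustration."""
from dataclasses import dataclass
import ipaddress

# RFC 1918 space, the "hidden" addressing from the slides
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INSIDE_NET = ipaddress.ip_network("192.168.0.0/16")   # our inside, as on the diagram slide
PUBLIC_IP = "203.0.113.7"                              # assumed public address of the NAT box
RESOLVER = "198.51.100.53"                             # assumed upstream DNS resolver


@dataclass(frozen=True)
class Packet:
    iface: str   # "inside" or "outside": the interface the packet arrived on
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Block everything by default; outgoing traffic creates state, and only
    replies matching that state are let back in and un-NATed."""

    def __init__(self):
        self.sessions = {}      # (proto, nat_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.nat_port_of = {}   # (proto, inside_ip, inside_port, remote_ip, remote_port) -> nat_port
        self.next_port = 40000  # assumed start of the NAT port pool

    def handle(self, pkt):
        """Return (verdict, forwarded_packet_or_None, reason)."""
        return self._outbound(pkt) if pkt.iface == "inside" else self._inbound(pkt)

    def _outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in INSIDE_NET:
            return "DROP", None, "source is not an inside address (spoofed or misrouted)"
        if pkt.proto == "udp" and not (pkt.dst == RESOLVER and pkt.dport == 53):
            return "DROP", None, "UDP is only allowed to the resolver on port 53"
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.nat_port_of:               # first packet of a new session
            self.nat_port_of[key] = self.next_port
            self.sessions[(pkt.proto, self.next_port)] = key[1:]
            self.next_port += 1
        out = Packet("outside", pkt.proto, PUBLIC_IP, self.nat_port_of[key], pkt.dst, pkt.dport)
        return "ACCEPT", out, "outgoing: source NATed, session tracked"

    def _inbound(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in RFC1918):
            return "DROP", None, "RFC 1918 source arriving from outside: spoofed"
        if pkt.dst != PUBLIC_IP:
            return "DROP", None, "destination is not our public address: nothing routes inside"
        sess = self.sessions.get((pkt.proto, pkt.dport))
        if sess is None:
            return "DROP", None, "no session for this port: default deny"
        inside_ip, inside_port, remote_ip, remote_port = sess
        if (pkt.src, pkt.sport) != (remote_ip, remote_port):
            return "DROP", None, "port is in use but the peer does not match the session"
        back = Packet("inside", pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)
        return "ACCEPT", back, "reply to a tracked session, destination un-NATed"


def run_scenario():
    """Constructed traffic exercising each rule; returns the list of verdicts."""
    fw = NatFirewall()
    traffic = [
        Packet("inside", "tcp", "192.168.1.10", 51000, "198.51.100.80", 80),  # web request out
        Packet("outside", "tcp", "198.51.100.80", 80, PUBLIC_IP, 40000),       # its reply
        Packet("outside", "tcp", "198.51.100.99", 4444, PUBLIC_IP, 22),        # unsolicited SSH
        Packet("outside", "tcp", "192.168.1.1", 80, PUBLIC_IP, 40000),         # spoofed inside source
        Packet("inside", "udp", "192.168.1.10", 5060, "198.51.100.5", 5060),   # voice: UDP elsewhere
        Packet("inside", "udp", "192.168.1.10", 5353, RESOLVER, 53),           # DNS query
        Packet("outside", "udp", RESOLVER, 53, PUBLIC_IP, 40001),              # DNS answer
        Packet("outside", "udp", "198.51.100.66", 53, PUBLIC_IP, 40001),       # answer from wrong server
    ]
    return [fw.handle(p)[0] for p in traffic]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario returns ACCEPT for the outgoing web request and its reply, DROP for the unsolicited SSH attempt and the packet claiming an inside source, DROP for the UDP voice packet (the slide's open question), and ACCEPT for the DNS query and the answer from the configured resolver while an answer to the same NAT port from a different server is dropped. The "outgoing stuff only" property of a NAT box falls out of the state table: with no entry, an inbound packet has nowhere to be translated to.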
Invited Attacks
Much harder to filter with firewalls
Sandboxing seems to be the most promising technology
It is getting harder to cruise the web safely, even at “safe” sites. (Thank advertising)
Internet Skinny Dipping
Alternative to Firewalls and Perimeter Defenses
Strong Host Security
It can be done
Many services are too dangerous to run
Requires some user forbearance
Can defend nicely against insider attacks
Inviting trouble in
Browsers, etc. are full-featured
“Full-featured” is a technical term for “full of security bugs”
This is an open security problem: better OSes, sandboxing, VMs, etc.
iPhone might be leading this!
Summary - perimeters
Does not scale
Medium-level defense at best
No protection from insider attacks
Summary - firewalls
Useful medium-level defense
Little protection from invited trouble
One of many tools
Many Bad Things are Out There
We are losing the virus detection war
Supply chain attacks are coming
The bad guys only have to find one weakness
Patch analysis reveals weaknesses
FIREWALLS AND PERIMETER DEFENSES
William Cheswick
cheswick.com
http://www.cheswick.com/ches
Session ID: SEM-0001
Session Classification: xxxxxxxxxxxx
Contenu connexe

Tendances

Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesJohn Rapa
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...EC-Council
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The BoardPaul Melson
 
How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...PECB
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governancenooralmousa
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsAndrew S. Baker (ASB)
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesHinne Hettema
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)Sarah Jarvis
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?CBIZ, Inc.
 
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...Booz Allen Hamilton
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftCBIZ, Inc.
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...PECB
 
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...Citrin Cooperman
 
Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Bloxx
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
The Insider's Guide to the Insider Threat
The Insider's Guide to the Insider ThreatThe Insider's Guide to the Insider Threat
The Insider's Guide to the Insider ThreatImperva
 
Assets Protection Course_I_BR_1109
Assets Protection Course_I_BR_1109Assets Protection Course_I_BR_1109
Assets Protection Course_I_BR_1109Shannon Gregg, MBA
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...IBM Security
 

Tendances (20)

Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
Global CCISO Forum 2018 | Anthony Dupree "Evolving Role of the CISO: Reshapin...
 
Cybersecurity and The Board
Cybersecurity and The BoardCybersecurity and The Board
Cybersecurity and The Board
 
How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...How an Integrated Management system helps you comply with new Cyber Laws and ...
How an Integrated Management system helps you comply with new Cyber Laws and ...
 
Fadi Mutlak - Information security governance
Fadi Mutlak - Information security governanceFadi Mutlak - Information security governance
Fadi Mutlak - Information security governance
 
IT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and ToolsIT Security Management -- People, Procedures and Tools
IT Security Management -- People, Procedures and Tools
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
SYMANTEC_DELOITTE_PARTNERSHIP-UK (3)
 
Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?Hacking the Human - How Secure Is Your Organization?
Hacking the Human - How Secure Is Your Organization?
 
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" TheftWhat Not-for-Profits Can Do To Prevent "Uninspired" Theft
What Not-for-Profits Can Do To Prevent "Uninspired" Theft
 
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
Advanced Cybersecurity Risk Management: How to successfully address your Cybe...
 
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
 
Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges Cyber Security Landscape: Changes, Threats and Challenges
Cyber Security Landscape: Changes, Threats and Challenges
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
The Insider's Guide to the Insider Threat
The Insider's Guide to the Insider ThreatThe Insider's Guide to the Insider Threat
The Insider's Guide to the Insider Threat
 
Assets Protection Course_I_BR_1109
Assets Protection Course_I_BR_1109Assets Protection Course_I_BR_1109
Assets Protection Course_I_BR_1109
 
True Cost of Data Breaches
True Cost of Data BreachesTrue Cost of Data Breaches
True Cost of Data Breaches
 
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
Understanding the Impact of Today's Security Breaches: The 2017 Ponemon Cost ...
 

Similaire à Sem 001 sem-001

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-levelDonald Tabone
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionIvanti
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfAnil
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...NRBsanv
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael Priyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security PolicyRobot Mode
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach riskLivingstone Advisory
 
News letter June 11
News letter June 11News letter June 11
News letter June 11captsbtyagi
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptxrabeetkashif
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantClio - Cloud-Based Legal Technology
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAbdullahKanash
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"OCTF Industry Engagement
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research CSSaunders
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)Wail Hassan
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditorsmdagrossa
 

Similaire à Sem 001 sem-001 (20)

Selling security to the C-level
Selling security to the C-levelSelling security to the C-level
Selling security to the C-level
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdfCyber-Security-Whitepaper.pdf
Cyber-Security-Whitepaper.pdf
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
The Role of Information Security Policy
The Role of Information Security PolicyThe Role of Information Security Policy
The Role of Information Security Policy
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach risk
 
News letter June 11
News letter June 11News letter June 11
News letter June 11
 
Presentation 1.pptx
Presentation 1.pptxPresentation 1.pptx
Presentation 1.pptx
 
Law Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay CompliantLaw Firm Security: How to Protect Your Client Data and Stay Compliant
Law Firm Security: How to Protect Your Client Data and Stay Compliant
 
Awareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdfAwareness Security Session 2023 v1.0.pptx.pdf
Awareness Security Session 2023 v1.0.pptx.pdf
 
CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"CRI Extract from "Cyber Lessons from the Front lines"
CRI Extract from "Cyber Lessons from the Front lines"
 
Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research Professor Martin Gill, Director, Perpetuity Research
Professor Martin Gill, Director, Perpetuity Research
 
Module 1 (legality)
Module 1 (legality)Module 1 (legality)
Module 1 (legality)
 
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal AuditorsION-E Defense In Depth Presentation for The Institiute of Internal Auditors
ION-E Defense In Depth Presentation for The Institiute of Internal Auditors
 
Security, Audit and Compliance: course overview
Security, Audit and Compliance: course overviewSecurity, Audit and Compliance: course overview
Security, Audit and Compliance: course overview
 

Plus de SelectedPresentations

Длительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решенияДлительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решенияSelectedPresentations
 
Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.SelectedPresentations
 
Варианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройстваВарианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройстваSelectedPresentations
 
Новые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решенийНовые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решенийSelectedPresentations
 
Управление безопасностью мобильных устройств
Управление безопасностью мобильных устройствУправление безопасностью мобильных устройств
Управление безопасностью мобильных устройствSelectedPresentations
 
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...SelectedPresentations
 
Кадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасностиКадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасностиSelectedPresentations
 
Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...SelectedPresentations
 
Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...SelectedPresentations
 
Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...SelectedPresentations
 
Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...SelectedPresentations
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...SelectedPresentations
 
Запись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхЗапись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхSelectedPresentations
 
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...SelectedPresentations
 
Обеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИСОбеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИСSelectedPresentations
 
Документ, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБДокумент, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБSelectedPresentations
 
Чего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложенийЧего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложенийSelectedPresentations
 
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...SelectedPresentations
 
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...SelectedPresentations
 
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИОб угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИSelectedPresentations
 

Plus de SelectedPresentations (20)

Длительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решенияДлительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решения
 
Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.
 
Варианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройстваВарианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройства
 
Новые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решенийНовые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решений
 
Управление безопасностью мобильных устройств
Управление безопасностью мобильных устройствУправление безопасностью мобильных устройств
Управление безопасностью мобильных устройств
 
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
 
Кадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасностиКадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасности
 
Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...
 
Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...
 
Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...
 
Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
 
Запись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхЗапись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данных
 

Sem 001 sem-001

  • 1. Security Basics Seminar Agenda Start Time Title Presenter 8:30 AM Introduction Hugh Thompson 8:45 AM Security Industry and Trends Hugh Thompson 9:30 AM Viruses, Malware and Threats Uri Rivner 10:15 AM Break 10:30 AM Governance, Risk and Compliance Justin Peavey 11:15 AM Application Security Jason Rouse 12:00 PM Break 1:15 PM Crypto 101/Encryption Basics, SSL & Certificates Ben Jun 2:00 PM Mobile and Network Security Paul Youn Marc Blanchou 2:45 PM Break 3:00 PM Authentication Technologies Bill Duane 3:45 PM Firewalls and Perimeter Protection Bill Cheswick 4:30 PM Seminar Adjourns
  • 2. Session ID: SEM-001 Session Classification: Introductory Introduction and a look at Security Trends Hugh Thompson, Ph.D. Program Committee Chairman, RSA Conference Twitter: @DrHughThompson
  • 3. Agenda Intro to Information Security Security Trends Business of Information Security
  • 6. Hacking a soda machine… Bahamas 10¢ vs. US 25¢: Value US $0.10 vs. US $0.25; Size 23.5mm vs. 24.26mm; Weight 5.7 g vs. 5.67 g; Composition Nickel vs. Cupro-Nickel
  • 7. The Shifting IT Environment (…or why security has become so important)
  • 8. Shift: Compliance and Consequences ► The business has to adhere to regulations, guidelines, standards,… ► SAS 112 and SOX (U.S.) – have upped the ante on financial audits (and supporting IT systems) ► PCI DSS – requirements on companies that process payment cards ► HIPAA, GLBA, BASEL II, …, many more ► Audits are changing the economics of risk and create an “impending event”: hackers may attack you, but auditors will show up ► Disclosure laws mean that the consequences of failure have increased ► Waves of disclosure legislation
  • 9. Shift: Technology • System communication is fundamentally changing – many transactions occur over the web • Network defenses are covering a shrinking portion of the attack surface • Cloud is changing our notion of a perimeter • Worker mobility is redefining the IT landscape • The security model has changed from good people vs. bad people to enabling partial trust – There are more “levels” of access: extranets, partner access, customer access, identity management, …
  • 10. Shift: Attackers ► Cyber criminals are becoming organized and profit-driven ► An entire underground economy exists to support cybercrime ► Attackers are shifting their methods to exploit both technical and human weaknesses ► Attackers are after much more than traditional monetizable data (PII, etc.) ► Hacktivism ► State-sponsored attacks ► IP attacks/breaches
  • 11. Shift: Customer expectations ► Customers, especially businesses, are starting to use security as a discriminator ► In many ways security has become a non-negotiable expectation of businesses ► Banks, photocopiers, pens, etc. are being sold based on security… ► Security is being woven into service level agreements (SLAs)
  • 12. Big Questions ► How do you communicate the value of security to the enterprise (and management)? ► How do you measure security? ► How do you rank risks? ► How do you reconcile security and compliance? ► How can you be proactive and not reactive? ► What does “security” mean? Where does our job begin and end? ► What about big issues in the news like APTs, hacktivism, leaks, DDoS attacks, …? How should/can we adapt what we do based on them?
  • 14. Hackernomics (noun) A social science concerned chiefly with description and analysis of attacker motivations, economics, and business risk. Characterized by 5 fundamental immutable laws and 4 corollaries
  • 15. Law 1 Most attackers aren’t evil or insane; they just want something Corollary 1.a.: We don’t have the budget to protect against evil people but we can protect against people that will look for weaker targets
  • 16. Law 2 Security isn’t about security. It’s about mitigating risk at some cost. Corollary 2.a.: In the absence of metrics, we tend to over-focus on risks that are either familiar or recent.
  • 17. Law 3 Most costly breaches come from simple failures, not from attacker ingenuity Corollary 3.a.: Bad guys can, however, be VERY creative if properly incentivized.
  • 20. Law 4 In the absence of security education or experience, people (employees, users, customers, …) naturally make poor security decisions with technology Corollary 4.a.: Systems need to be easy to use securely and difficult to use insecurely
  • 21. Law 5 Attackers usually don’t get in by cracking some impenetrable security control, they look for weak points like trusting employees
  • 22. A Visual Journey of Security Trends
  • 23. 2008
  • 24. 2009
  • 25. 2010
  • 26. 2011
  • 27. 2012
  • 28. 2013
  • 29. Enjoy the rest of the conference!!
  • 30. Session ID: SEM-001 Session Classification: General Interest Advanced Cyber Threats Uri Rivner | Head of Cyber Strategy, BioCatch
  • 31. Join the Dark Economy
  • 37. Drive By Download still strong
  • 43. Zeus 2.0 – most popular Trojan kit ($3,000). Features of Zeus 2.0: Polymorphism, HTML Injections, MITB (man-in-the-browser) capability, Documentation, Customer Support
  • 52. Lost your Carbon? NimKey Trojan Nimkey Command & Control €23,000,000
  • 53. Lost your Carbon? NimKey Trojan €18,700,000 €7,000,000
  • 56. Humans can’t be Patched
  • 57. Advanced Persistent Threats – see anything in common? Ghostnet: targets Ministries, Embassies, Office of the Dalai Lama; entry vector Spear Phishing; going after sensitive documents. Aurora: targets 34 companies (Google, Adobe, defense, internet, financial, critical infrastructure); entry vector Spear Phishing; going after intellectual property. Night Dragon: targets critical infrastructure; entry vector Spear Phishing; going after intellectual property. 94% of attacks undetected by target
  • 61. Q&A Got any questions? Send me a LinkedIn invitation (Uri Rivner)
  • 62. Session ID: Session Classification: Governance, Risk, and Compliance Justin S. Peavey Omgeo
  • 63. Introductions Justin Peavey SVP, Information Systems & Security, CISO Omgeo, LLC justin.peavey@omgeo.com
  • 64. Agenda: What is GRC? How to Get Started Recommendations
  • 66. GRC Defined (Governance, Risk, Compliance): Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed. Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures. Risk is the effect of uncertainty on business objectives; risk management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
  • 67. What is driving GRC: Security Standards, Regulatory Requirements, Risk Management Practices, Ethical and Financial Standards, New Technologies, Transparency and Accountability Demands, Demonstration of Controls
  • 68. Views of GRC • GRC has traditionally been viewed as the structure and actions in place to avoid negative consequences: – Regulatory fines – Costs/reputation loss due to security breach – Costs associated with inefficiencies in operations – Ethical or Financial Scandals • Increasingly, GRC is being viewed as fundamental to complex business operations – Complex, multi-national legal and regulatory landscape – Major highly-impactful events increasing the consequences
  • 69. Tangent: Why Regulation? • Regulation is “controlling human or societal behavior by rules or restrictions” [1] – Regulation attempts to produce outcomes or prevent outcomes which otherwise might not occur in the desired manner. • Schneier on Regulation [2]: “[it] is all about economics” – In a capitalist system, companies make decisions in their own self-interest. Normally this is a good thing, but some effects of the decisions, externalities, are not borne by the companies. – Regulation and liability force the externalities to be part of the self-interest of the company and become included factors in the decision making. • Principle-based vs. Rules-based Regulation – Principle-based is less prescriptive and generally weathers time better. It also generally leaves more room for interpretation by both you and the regulators. – Rules-based is more prescriptive and therefore generally more straightforward to ‘pass’, but the rules can quickly be dated as new approaches emerge and the goal of the regulation can easily be lost sight of. • Key: Regulation is all about achieving a specific set of goals; understand what that goal is and demonstrate to the regulator how your program achieves that goal. References: 1. Bert-Jaap Koops et al., Starting Points for ICT Regulations: Deconstructing Prevalent Policy One-liners, Cambridge University Press, Cambridge, 2006, p. 81. 2. Bruce Schneier, Do Federal Security Regulations Help?
  • 70. How to Get Started?
  • 71. Getting Started (from within your security program) • Acknowledge that Information Security is a Risk Management Discipline • Acknowledge that fundamentally, you and auditors are trying to achieve similar goals • If you don’t already, begin integrating Risk Management processes into security operations
  • 72. Information Security Risk Management [Image available at: www.ossie-group.org]
  • 73. Developing a GRC Corporate Strategy: The Strategy Roadmap – ANALYZE: identify process dependencies, complexity and priority; DISCOVER: conduct interviews and document GRC processes; PLAN: determine the project vision, goals, scope and stakeholders; ARCHITECT: define a GRC solution architecture based on process analysis; PUBLISH: deliver the strategy roadmap document and application; SCHEDULE: define the project approach, timeline and resources
  • 74. GRC Roadmap (yikes!) [Diagram: Phase 1 through Phase 5]
  • 76. Recommendations • Identify areas and high sensitivity areas and assets to start with (examples): – Information Security • Applications, Sites, Key Functions – Vendor Management • High Dependency, High Risk, High Cost – Regulatory & Legal Compliance – Finance/Ethics • Establish a baseline of expected activities/controls to measure from and assess risk • Refine your assessment models from real data; focus on qualitative, not quantitative analysis. The goal should be to prioritize the most significant risks and most valuable actions. • Identify actionable or indicative information. Establish metrics/dashboards and a vehicle for getting them reviewed • As your process stabilizes, look at eGRC options that may map well to your company’s needs.
  • 77. Session ID: SEM-001 Session Classification: BEGINNER Jason Rouse Bloomberg LP INTRODUCTION TO SOFTWARE SECURITY
  • 78. ► INTRODUCTION ► WHO CARES ► WAYS AHEAD ► APPLYING YOUR KNOWLEDGE AGENDA
  • 80. ► What do wireless devices, cell phones, PDAs, browsers, routers, operating systems, servers, personal computers, public key infrastructure systems, smart meters, watches, televisions, stereos, and firewalls have in common? QUICK QUESTION Software
  • 82. MAGIC CRYPTO FAIRY DUST “Seven years ago I wrote another book: Applied Cryptography. In it I described a mathematical utopia: algorithms that would keep your deepest secrets safe for millennia, protocols that could perform the most fantastical electronic interactions – unregulated gambling, undetectable authentication, anonymous cash – safely and securely. In my vision cryptography was the great technological equalizer; anyone with a cheap (and getting cheaper every year) computer could have the same security as the largest government. In the second edition of the same book, written two years later, I went so far as to write: ‘It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.’ It’s just not true. Cryptography can’t do any of that.” – Bruce Schneier
  • 83. SECURITY = NON-FUNCTIONAL GOALS ► Prevention ► Traceability and auditing ► Monitoring ► Privacy and confidentiality ► Multi-level security ► Anonymity ► Authentication ► Integrity ► A very good basic book is Schneier’s “Secrets and Lies”
  • 84. SOFTWARE SECURITY IS HARD ► Complexity never, ever goes down: libraries → languages → compilers → interpreters → scripts → hacks
  • 85. SOFTWARE SECURITY IS HARD ►Users must not be involved in hard choices
  • 86. SOFTWARE SECURITY IS HARD ►Who truly envisioned this? ►Organic Growth, Interdependence
  • 87. WHO HAS ONE OF THESE?
  • 88. MODERN SECURITY IS RISK [Chart: cost ($) against security level (0% to 100%); the cost of mitigation rises, the cost of breaches falls, and the total cost curve has a minimum – optimal security at minimum cost] ► There is no such thing as 100% secure ► Must make tradeoffs ► Should be BUSINESS DECISIONS ► Proactive security is about building things right ► Security is not a “function” ► It’s all about SOFTWARE ► Most security problems are caused by software bugs and flaws ► We MUST build secure software
  • 90. WE CARE BECAUSE… Software is business-critical and causes significant impact when it fails: $59.5 billion – security flaws, bugs and software – National Institute of Standards and Technology, 2004; $100M–$200M cost of product recall – wireless device providers; hundreds of thousands of mobile users infected with malware – Fortune 100, 2012; $500M in lost market value – Fortune 500 entertainment company; 75% of all attacks occur at the application layer – Gartner; world-wide denial of service to cellular telephones – mobile network operator
  • 91. Defects at Each Stage of Software Development [Chart: percentage of defects (0–60%) by stage – Requirements, Design, Coding, Testing, Maintenance. Source: TRW]
  • 92. Cost of Fixing Defects at Each Stage of Software Development [Chart: cost per defect ($0–$15,000) by stage – Requirements, Design, Coding, Testing, Maintenance. Source: TRW]
  • 97. NEVER FORGET THE INSIDE ► Perimeter security protects the LAN ► Network firewalls ► Intrusion detection ► Reactive ► Host security protects the machine ► Patching (operating systems and applications) ► Operational ► Software security protects ALL software ► (S)SDLC – think about what this means for your organization! ► Constructive ► Data security protects digital assets ► Data security requires understanding of data AT REST, IN MOTION, and IN USE
  • 102. EXAMINING the PROBLEM: PROGRAM INPUT
  • 103. EXAMINING the PROBLEM: ERRORS and LOGGING
  • 104. EXAMINING the PROBLEM: Auth & Auth
  • 106. Keep these things in mind at all times!
  • 108. ► Determine your output context ► Identify control characters ► Ensure output conforms to proper format OUTPUT ENCODING
  • 109. ACTIONS: BOTTOM-UP ► A few relatively simple things can make a tangible difference and can help you get started with software security ► Within the next 3 months, you should: ► Begin to develop a resource set (e.g., portal) ► Start small with simple architecture risk analyses ► Target high-risk or high-profile applications ► Develop and socialize business-case justifications ► Make friends in low places! ► Leverage, if applicable, code scanning tools (where available) ► Never underestimate the power of simple tools
  • 110. ACTIONS: TOP-DOWN Aim for a 6-12 month journey: ► Chart out a strategic course of action to get where you want to be; ► Get help: have a gap analysis performed ► Make achievable, realistic milestones ► Think about measurements & metrics for success ► Use outside help as you need it ► Document, share, and learn from your experience!
  • 112. Session ID: SEM-001 Benjamin Jun, VP and CTO, Cryptography Research Inc. Crypto 101/Encryption, SSL & Certificates Slides adapted from: Ivan Ristic, Qualys (RSAC 2011)
  • 115. What is Cryptography? Cryptology divides into cryptography – symmetric encryption (stream ciphers, block ciphers), asymmetric encryption, hash functions, digital signatures, protocols – and cryptanalysis. Cryptography is the art and science of keeping messages secure.
  • 116. What Does Secure Mean? Always required: ► Confidentiality ► Integrity ► Authentication ► Non-repudiation Other criteria: ► Interoperability ► Performance
  • 117. Good guys: ► Alice, Bob Bad guys: ► Eve (passive, eavesdropper) ► Mallory, Oscar, Trudy (active, man in the middle) Meet Alice and Bob
  • 118. How Does Encryption Work? ► Obfuscation that is fast when you know the secrets, but impossible or slow when you don’t. ► Computational security means that something cannot be broken with available resources, either now or in the future. ► Aspects of complexity: ► Amount of data ► Processing power ► Memory capacity
  • 119. Convenient and fast: ► Common algorithms: RC4, 3DES, AES ► Secret key must be agreed on in advance ► Group communication requires secure key distribution ► No authentication Symmetric Encryption
  • 120. Asymmetric encryption uses two keys; one private and one public. The keys are related. ► RSA, Elliptic Curve, Diffie-Hellman key exchange, Elgamal encryption, and DSA. Also ECDH and ECDSA. ► Enables authentication and secure key exchange. ► Significantly slower than symmetric encryption. Asymmetric Encryption
  • 121. Digital Signatures – well-known algorithms: ► RSA ► Textbook approach – signing involves “encrypting” with the private key ► In practice, use a standard digest and padding method ► DSA, ECDSA
  • 122. ► Random numbers are at the heart of cryptography. ► Used for key generation ► Weak keys equal weak encryption ► Types of random number generators: ► True random number generators (TRNG) – truly random ► Pseudorandom number generators (PRNG) – look random ► Cryptographically secure pseudorandom number generators (CSPRNG) – look random and are unpredictable Random Number Generation
  • 123. ► Hash functions are lossy one-way transformations that output fixed-length data fingerprints. Usually used for: ► Digital signatures ► Integrity validation ► Tokenization (e.g., storing passwords) ► Desirable qualities of hash functions: ► Preimage resistance (one-wayness) ► Weak collision resistance (2nd preimage resistance) ► Strong collision resistance and the Birthday attack Hash Functions
  • 124. Protocols ► Communicating securely requires more effort than just putting the primitives together. Example flow (Alice to Bob): compute the message digest; sign it with Alice’s private key to produce the signature; encrypt the message, Alice’s certificate and the signature with a session key; encrypt the session key with Bob’s public key; send the encrypted message, certificate and signature together with the encrypted session key.
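The sign-then-encrypt flow on that slide, as an added example that is not part of the original deck: Go standard library only, RSA-PSS for the signature, AES-256-GCM under a fresh session key for the message and signature, RSA-OAEP to wrap the session key for Bob. Alice's certificate is reduced to her bare public key (an assumption made here; a real deployment validates a CA chain), and the function and type names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what Alice sends to Bob: message and signature under a fresh
// session key, and that session key under Bob's public key.
type Envelope struct {
	EncryptedKey []byte // session key, RSA-OAEP to Bob
	Nonce        []byte // AES-GCM nonce
	Ciphertext   []byte // AES-GCM over (signature || message)
}

// GenerateKey returns a 2048-bit RSA key (helper for the demo and tests).
func GenerateKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal follows the slide: digest, sign with Alice's private key, encrypt the
// message and signature with a session key, encrypt the session key with
// Bob's public key. Alice's certificate is reduced to her bare public key
// (assumption: no CA chain in this example).
func Seal(msg []byte, alicePriv *rsa.PrivateKey, bobPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, alicePriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // AES-256, fresh for every message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := aeadFor(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bobPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// A PSS signature is exactly alicePriv.Size() bytes, so Bob can split
	// signature and message without a length prefix.
	plaintext := append(append([]byte{}, sig...), msg...)
	return &Envelope{encKey, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Open reverses Seal on Bob's side; the message is returned only if both the
// GCM tag and Alice's signature verify.
func Open(env *Envelope, bobPriv *rsa.PrivateKey, alicePub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bobPriv, env.EncryptedKey, nil)
	if err != nil {
		return nil, err // not encrypted to Bob
	}
	gcm, err := aeadFor(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, err // tampered ciphertext or wrong session key
	}
	n := alicePub.Size()
	if len(plaintext) < n {
		return nil, errors.New("envelope too short to hold a signature")
	}
	sig, msg := plaintext[:n], plaintext[n:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(alicePub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, err // not signed by Alice
	}
	return msg, nil
}

// aeadFor builds AES-GCM for a session key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Because the signature sits inside the GCM envelope, a third party learns neither the message nor who signed it, and Bob rejects anything that is not both intact and signed by Alice.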
  • 127. Example: Brute Force (Cryptanalysis) DES Keysearch Machine, 1998 (Cryptography Research, AWT, EFF): tests over 90 billion keys per second, taking an average of less than 5 days to discover a DES key. US Navy Bombe, 1943: contains 16 four-rotor Enigma equivalents to perform exhaustive key search.
  • 128. Example: Side channel (Implementation) ► Simple EM attack with a radio ► Usable signals even at 10 feet away [Diagram: devices → antennas (near field, far field) → receiver ($350) → digitizer, GNU Radio ($1000) → signal processing (demodulation, filtering) → DPAWS(TM) side-channel analysis software]
  • 129. Example: Side channel (Implementation) ► Focus on the M^dp mod p calculation (M^dq mod q is similar). For each bit i of secret dp: perform “Square”; if (bit i == 1) perform “Multiply”. Observed operation sequence: SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S
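To make that leak concrete, here is an added example (not code from the original deck) that runs the slide's square-and-multiply loop over math/big while recording the operation sequence, shows that the sequence read back is literally the bits of dp, and contrasts it with a Montgomery ladder whose operation sequence is the same for every exponent. The small prime p and base m are constructed stand-ins for the RSA-CRT values; the trace string is the one printed on the slide.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// ModExpTraced is the slide's loop: left-to-right square-and-multiply,
// squaring on every bit and multiplying only when the bit is 1. It returns
// the result and the sequence of operations an observer of the power or EM
// emissions would see ("S" or "SM" per bit).
func ModExpTraced(m, d, p *big.Int) (*big.Int, string) {
	result := big.NewInt(1)
	var ops []string
	for i := d.BitLen() - 1; i >= 0; i-- {
		result.Mul(result, result).Mod(result, p) // Square
		op := "S"
		if d.Bit(i) == 1 {
			result.Mul(result, m).Mod(result, p) // Multiply
			op = "SM"
		}
		ops = append(ops, op)
	}
	return result, strings.Join(ops, " ")
}

// ExponentFromTrace shows why the trace is a leak: read left to right, "SM"
// is a 1 bit and "S" is a 0 bit, so the trace *is* the exponent.
func ExponentFromTrace(trace string) *big.Int {
	d := new(big.Int)
	for _, op := range strings.Fields(trace) {
		d.Lsh(d, 1)
		if op == "SM" {
			d.SetBit(d, 0, 1)
		}
	}
	return d
}

// ModExpLadder is a Montgomery ladder: every bit costs exactly one multiply
// and one square whichever value it has, so the operation sequence carries
// no information about d. This removes the leak the slide shows; production
// RSA code additionally needs constant-time arithmetic and blinding.
func ModExpLadder(m, d, p *big.Int) (*big.Int, string) {
	r0 := big.NewInt(1)
	r1 := new(big.Int).Mod(m, p)
	var ops []string
	for i := d.BitLen() - 1; i >= 0; i-- {
		if d.Bit(i) == 0 {
			r1.Mul(r0, r1).Mod(r1, p) // invariant: r1 == r0 * m
			r0.Mul(r0, r0).Mod(r0, p)
		} else {
			r0.Mul(r0, r1).Mod(r0, p)
			r1.Mul(r1, r1).Mod(r1, p)
		}
		ops = append(ops, "SM") // same shape for a 0 bit and a 1 bit
	}
	return r0, strings.Join(ops, " ")
}

// SlideTrace is the operation sequence printed on the slide.
const SlideTrace = "SM S S S S S S S SM S SM SM S S S SM SM S S S S S S S S S"

func main() {
	p := big.NewInt(1000003) // constructed small prime standing in for the CRT prime p
	m := big.NewInt(12345)   // constructed base
	d := ExponentFromTrace(SlideTrace)
	fmt.Println("bits of dp read off the slide's trace:", d.Text(2))
	_, trace := ModExpTraced(m, d, p)
	fmt.Println("re-executing with those bits reproduces the slide:", trace == SlideTrace)
	_, ladder := ModExpLadder(m, d, p)
	fmt.Println("ladder trace:", ladder)
}
```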
  • 131. Introduction to SSL ► SSL is a hybrid protocol designed to turn an insecure communication channel (regardless of protocol) into a secure one ► Designed by Netscape in 1994, standardized in 1999 as TLS, which is now at version 1.2 (2008, 2011) ► Protocol versions so far: ► SSL v2 - insecure ► SSL v3 - still secure ► TLS v1 - widely used, but not best ► TLS v1.1, v1.2 - not widely used [Chart: server support for SSL v2 – SSL v2 49.85%, SSL v2 with no suites 11.93%, no support 38.22%]
  • 132. ► The SSL standard packages our knowledge of security protocols for reuse ► Key services: ► Discovery and authentication ► Session key(s) generation ► Communication integrity ► Interoperability ► Extensibility ► Performance SSL Goals
  • 133. ► SSL cipher suites are a higher-level cryptographic construct, consisting of: ► Key exchange and authentication ► Symmetric session cipher ► Message integrity algorithm ► Examples: ► TLS_DHE_RSA_WITH_AES_256_CBC_SHA ► TLS_RSA_WITH_AES_128_CBC_SHA ► TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA ► TLS_RSA_WITH_RC4_128_SHA SSL Cipher Suites
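An added example, not from the original deck, that splits the four suite names on this slide into the three parts the slide describes (key exchange and authentication, symmetric cipher, integrity) and notes which parts would be flagged under current guidance; the parser and the Concerns list are this example's own, not part of any TLS library.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CipherSuite is the three-part structure the slide describes, split out of
// an IANA-style suite name.
type CipherSuite struct {
	KeyExchange    string // DHE, ECDHE, or RSA (static RSA key transport)
	Auth           string // RSA, ECDSA, ...; for plain RSA transport the same key does both
	Cipher         string // AES_256_CBC, 3DES_EDE_CBC, RC4_128, ...
	Integrity      string // HMAC hash (SHA, SHA256) or "AEAD" when the cipher authenticates itself
	ForwardSecrecy bool   // ephemeral (EC)DH: a later key compromise does not expose old sessions
}

// ParseCipherSuite splits "TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>".
func ParseCipherSuite(name string) (CipherSuite, error) {
	var cs CipherSuite
	if !strings.HasPrefix(name, "TLS_") {
		return cs, errors.New("not a TLS cipher suite name: " + name)
	}
	kxPart, rest, ok := strings.Cut(name[len("TLS_"):], "_WITH_")
	if !ok || kxPart == "" || rest == "" {
		return cs, errors.New("missing _WITH_ separator: " + name)
	}
	if kx, auth, ok := strings.Cut(kxPart, "_"); ok {
		cs.KeyExchange, cs.Auth = kx, auth
	} else {
		// Bare "RSA": the server's RSA key both transports the session key
		// and authenticates the server.
		cs.KeyExchange, cs.Auth = kxPart, kxPart
	}
	i := strings.LastIndex(rest, "_")
	if i <= 0 || i == len(rest)-1 {
		return cs, errors.New("missing cipher or hash: " + name)
	}
	cs.Cipher, cs.Integrity = rest[:i], rest[i+1:]
	if strings.Contains(cs.Cipher, "_GCM") || strings.Contains(cs.Cipher, "_CCM") {
		// AEAD suites carry their own tag; the trailing hash names the PRF.
		cs.Integrity = "AEAD"
	}
	cs.ForwardSecrecy = cs.KeyExchange == "DHE" || cs.KeyExchange == "ECDHE"
	return cs, nil
}

// Concerns lists why a suite is flagged by current guidance: RC4 is
// prohibited by RFC 7465, 3DES has a 64-bit block (Sweet32), CBC-with-HMAC
// suites have a padding-oracle history, and static RSA has no forward secrecy.
func Concerns(cs CipherSuite) []string {
	var out []string
	if strings.HasPrefix(cs.Cipher, "RC4") {
		out = append(out, "RC4 stream cipher (prohibited by RFC 7465)")
	}
	if strings.HasPrefix(cs.Cipher, "3DES") {
		out = append(out, "3DES: 64-bit block size (Sweet32)")
	}
	if strings.HasSuffix(cs.Cipher, "_CBC") {
		out = append(out, "CBC mode with HMAC (padding-oracle history)")
	}
	if !cs.ForwardSecrecy {
		out = append(out, "no forward secrecy")
	}
	return out
}

func main() {
	for _, n := range []string{
		"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_WITH_RC4_128_SHA",
	} {
		cs, err := ParseCipherSuite(n)
		fmt.Printf("%s -> %+v err=%v concerns=%v\n", n, cs, err, Concerns(cs))
	}
}
```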
  • 134. ► The situation is good, overall ► But there are several issues: ► Problems with certificate authorities ► Browsers talk to the sites with broken certificates ► We’re not good at keeping up with protocol evolution: SSLv2 still widely supported; TLS v1.1 and TLS v1.2 virtually not supported. ► Too many plain-text (HTTP) web sites ► Issues related to mixed content (HTTP/HTTPS) State of SSL
  • 136. Digital Certificates ► A digital identity often includes a public/private keypair ► Usually exchanged at the start of a session ► It is necessary to authenticate the keypair when faced with an active man-in-the-middle attack ► We need third parties to help establish identity – generally a certificate authority (CA) ► Digital certificates contain a public key, some identifying information (e.g., name, address, etc.) and a signature
  • 139. Certificate Authorities ► Estimated ~650 certificate authorities (EFF) ► Most browsers trust a small(ish) number of root certs, but the overall number grows through chaining ► Any CA can issue certificate for any site ► Strong desire to keep certificates in DNS (now that we are starting to implement DNSSEC) The EFF SSL Observatory https://www.eff.org/observatory
  • 141. Resources Understanding Cryptography Christof Paar and Jan Pelzl (Springer, 2009) Applied Cryptography, 2ed Bruce Schneier (Wiley, 1996) SSL and TLS Eric Rescorla (Addison Wesley, 2001) SSL Labs www.ssllabs.com Qualys
  • 142. Applying What You Have Learned ► In the first three months, you should: ► Identify where cryptography is used in your organization ► Identify infrastructure required for cryptographic implementations (key management, certificates) ► Within six months, you should: ► Know what crypto can do. Explain the different security properties. ► Know what crypto can’t do. Gain basic knowledge of implementation security issues
  • 144. Session ID: SEM-001 Mobile Security Introduction Paul Youn, iSEC Partners; Marc Blanchou, iSEC Partners
  • 145. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion Agenda
  • 146. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion You’re on your phone right now
  • 147. Mobile Platforms [Chart: millions of smartphones (0–1000 scale), Q3 2011 vs. Q3 2012, labelled 32%. Data from IDC press release]
  • 150. Mobile Trend Takeaways ► Mobile applications are here to stay ► More Line of Business apps will go mobile ► Modern phones are complex ► Complexity & attack surface are often related ► Can’t stop Employee Liable Devices
  • 151. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Q&A What could possibly go wrong?
  • 152. ► Application Attack Vectors ► App – to – App ► App – to – OS ► App Installation Vectors ► Poorly policed markets ► 3rd party markets (Amazon, etc) ► SMS/Email ► Exploits ► Sideloading Malicious Applications
  • 154. Plankton ► Plankton malware appeared: ► What did “Angry Birds Rio Unlock” do? ► Steal your browser history ► Have the ability to install and add shortcuts
  • 155. ►OS vulns are valuable ►iOS: 100-200k ►Android: 30-60k ►Jailbreak research (jailbreakme) ►Zero days are out there Mobile is a target
  • 156. Cellular interception for all! ► Software-defined radio ► Text messages, voice and data are always readable by an active attacker ► Text and voice are most likely readable by a passive attacker ► Requires a more complicated RF stage
  • 157. Certificate Trust ► SSL Observatory Project ► Jesse Burns (iSEC), Peter Eckersley (EFF) ► Data set available on BitTorrent ► Number of Trusted CAs ► Mozilla: 124 trust roots (~60 organizations) ► Microsoft: lists only 19 trust roots in Windows 7 ► Silent on-demand updating! ► Can make this 300+ certs ► iOS and Android are close to the Mozilla list ► They signed…. 1,482 CAs!
  • 158. ► Early 2011 (Comodo): ► DigiNotar: ► Late 2012/early 2013 (TurkTrust): Oops
  • 159. Users Hate You (don’t feel bad) ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion
  • 160. ►Phone ►Corporate email ►2nd factor auth ►Payment data ►Angry birds One password to rule them all
  • 164. Case Study: Incorrect cert validation ► Disabled SSL Certificate Validation
  • 165. Users will always surprise you
  • 166. ►500k – 1M installs ►Permissions: run at startup, read/write bookmarks and history, modify contents of your SD card, full network access What permissions?
  • 167. ►Still available ► Wall of text terms of service ►Served ads and modified browser behavior ►Could steal your history Invasive adware (legal Plankton)
  • 168. ► Physical security is a real problem ► Devices will be lost or stolen The Airline Pocket
  • 169. Sync Data Leakage • Images • Application Data • E-Mail • Contacts • ETC…
  • 170. ► Multiple Apps Affected ► 6 of 7 Stored Data Locally ► Significant Reputation Risk Case Study – Local Data Storage
  • 171. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion Hard to get it right
  • 172. Mobile Web Attack Surface ► Mobile applications are still on the Internet: accept both PC and phone connections ► Common Real World Result: ► Primary website secured ► Mobile site unprotected ► Same credentials ► Issues can have worse results than on the desktop
  • 173. ►It’s packaged software! ►Indirect Customer Relationship ►Long update lag: ►Users choose not to install patches ►Carrier testing requirements App. Distribution Challenges
  • 174. OS and Software Versions ► Inconsistent versions ► On older iOS devices ► More than half of Android devices contain vulnerabilities ► Vendor specific OS and Software
  • 176. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion What to do?
  • 177. MDM / Secure Container Products? ► Claim to ► Improve manageability ► Attempt to provide data segregation ► Encrypt sensitive data (emails, contacts, attachments) ► Usually protected by a PIN (separate from main PIN) ► Enforce strong policies on all compatible devices ► Isolate and improve application security ► Remote Lock and remote Wipe ► Jailbreak detection
  • 178. ► Full Disk Encryption? ► Not enough ► Tamper resistant chip? ► iOS ► Data Protection API ► Android ► Difficult to do right Can the data be secured?
  • 179. ► Certificate pinning means you only accept a hardcoded certificate for SSL/TLS ► Can be configured in iOS and Android ► Implement testing Pin certificates
  • 180. Remote lock and remote wipe?
  • 181. The limits of safety ► Jailbreak/root detection ► Easily circumvented ► Malware protection ► Application whitelisting on iOS ► Is isolating applications in a ‘Container’ a good idea?
  • 182. ► Totally unnecessary introduction ► Threats ► Users have it hard ► Vendors have it hard ► Solution (attempts) ► Conclusion Don’t throw away your phone
  • 183. ► There are limits to security on a mobile device ► The more attack vectors the harder something is to secure ► Your phone has a very large threat surface compared to most other devices Be careful with your sensitive data!
  • 184. Protect yourself ► Turn off unnecessary attack surfaces (such as Bluetooth) ► Update and patch your applications ► Use MDM products, just don’t over-rely on them ► Make it easy for users: ► Don’t store sensitive data on the device (or limit what you cache, such as only recent email) ► Consider using different mobile credentials for your apps ► Use strong credentials
  • 185. Thank You ► Paul Youn ► Technical Director at iSEC Partners ► paul@isecpartners.com ► Marc Blanchou ► Senior Security Engineer at iSEC Partners ► marc@isecpartners.com ► Thanks to: ► Alex Stamos ► Mike Warner
  • 186. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland
  • 187. Session ID: SEM-001 Bill Duane, RSA Security, Office of the CTO – Security Basics Seminar: Authentication Technologies
  • 189. Who Are You? ► That is the eternal question… ► It has been in existence as long as people have existed. ► It is often followed by: ► “Have we met before?” ► “What is a beautiful person like you doing in a place like this?” ► And “Would you like to come up to my place to see my collection of strong authentication devices???” ► It also happens to be a foundation question for security.
  • 190. How do you know??
  • 191. Phishing and Fraud ► There has been a veritable explosion in consumer facing Internet crime ► Phishing and Malware continue to grow at an alarming rate ► Fraud Attacks are also growing rapidly ► Pranksters and script kiddies have been replaced by professional criminals, organized crime, and even governments ► In many cases the legal, ethical, and societal implications have not kept pace with the crimes ► Well established concepts like jurisdiction, liability, and privacy begin to crack when the crimes occur across the globe and traverse many countries, political relationships, legal relationships and so on.
  • 192. Growth of Phishing Attacks: the number of unique phishing attacks rose to a peak of 40K in August 2009 and has now been hovering around 24–25K per month. We clearly are at an inflection point where phishing is starting to decline and trojans are increasing. Ref: http://www.antiphishing.org/ There was a roughly 20% increase in trojans as a percentage of malware between H2 2010 and H1 2011; the latest split is shown: • Crimeware steals financial info • Data stealing/trojans for system control • Other is the rest, including auto-replicating worms, telephone dialer scams, …
  • 193. Growth of Attacks and Attack Methods ► There is increasing concern about APTs in the industry, especially among defense contractors, the intelligence community, and governments ► Low and slow; targeting specific people/organizations ► Often government sponsored ► APT = Advanced Persistent Threat ► These situations show the organization and sophistication of the modern attacker ► Military in style ► Well funded ► Specific objectives/targeted
  • 194. The Economics of Phishing ► During a visit, the Secret Service mentioned that attacking 10 million email addresses costs the phisher only $160, and yields the attacker $124,840 profit ► This assumes 50% of the emails bounce, and that only .001% of the remaining people are duped ► If www.antiphishing.org is correct, and there are about 25,000 new phishing attacks per month… ► Multiplied together you get a whopping possible phishing profit of $3,121,000,000 per month worldwide!!! ► Even if the numbers are off by an entire order of magnitude (unlikely) it is still a whopping $312 million per month worldwide!
  • 195. How does authentication factor in?? Strong authentication could help with many of these problems, except for…: ► The continued widespread use of passwords as authenticators ► The fact that advanced authentication technologies have not reached the price points needed to become ubiquitous on the Internet ► The fact that advanced authentication technologies have not reached an ease of use level where a child or my 90 year old grandmother can use them ► The fact that credit cards are static one-factor devices ► The fact that databases containing credit cards and personal information are not encrypted
  • 196. The Need for Authentication ► Without knowing with a high level of certainty who you are dealing with: ► it is not possible to properly assign access control and other rights ► it is not possible to trust a digital signature ► in many cases it makes no sense to encrypt data if you don’t know who you are dealing with ► The basis for all security is authentication
  • 197. Authentication ► Strong Authentication typically binds an individual to a secret ► The system you are attempting to access has some mechanism to validate that you have the secret ► Sometimes the system knows the actual secret ► Sometimes the system knows something derived from the secret ► The secret can take many forms ► Passwords ► Symmetric cryptographic secrets ► Asymmetric cryptographic secrets ► The trick is, some secrets are more secret than others…
• 200. 14 Passwords using parallel cryptography (diagram) ► Accessing system: runs the clear-text password through a cryptographic hash to produce a digest ► Accessed system: holds a copy of the digest; generates a random number as the challenge and sends it ► Accessing system: combines the challenge and the digest, hashes the result, and sends that as the response ► Accessed system: runs the same computation using its copy of the digest to produce Response', and compares it with the received Response ► Match; the clear-text password itself never crosses the wire
• 201. 15 The Problem with Passwords … People!!! ► Test 1 (London) ► >70% revealed their computer password for a bar of chocolate ► 34% volunteered their password when asked, without even needing to be bribed ► 79% unwittingly gave away information that could be used to steal their identity when questioned ► 33% share passwords ► On average, people have to remember 4 passwords ► Test 3 (London) ► 81% revealed personal information for a chance to win Easter chocolate ► 90% were willing to give personal info in 2005 for the chance to get theater tix ► People offered up identity info like birth date, mother's maiden name, first school ► 86% gave up pet's name ► 90% gave up home phone number ► After 2 minutes, enough info was typically gathered to allow an identity attack ► Test 1 (San Francisco) ► 67% turned over their passwords for $3 coffee coupons ► 70% of those who said "no way" gave up significant hints (wife's name, anniversary date, pet's name) ► 79% said they use the same password for multiple Web sites ► Nearly 60% have >=4 passwords ► One executive, too busy to stop, sent his secretary back with his password so he could get the free coffee (she gave up hers, too)
• 202. 16 The Problem with Passwords … Source: www.unitedmedia.com/comics/dilbert ► A more resistant password: 1. Pick a passphrase 2. Select the first letter of every word 3. Add non-alphanumerics 4. Surround with special characters: "At 1, Bill presented an Awesome talk on authentication" → A1BpaAtoa → ^#A1BpaAtoa#^ → µ^#A1BpaAtoa#^µ ► I'm sure my grandma will comply… Where are my yellow stickies?
• 203. 17 The Fundamental Problem (chart: Computer Power and Brain Power plotted over time, from the dawn of computing through reality TV, now and the future)
• 204. 18 ► Passwords have their good points: ► They are easy to use ► They are easy to remember ► They do not require external devices to operate ► They are platform-independent ► They have no acquisition cost ► Minimal end-user training The Benefits of Passwords
• 205. 19 ► They are '1 static factor' devices - it's only something you 'know' ► yellow stickies on your monitor, notes under your keyboard ► replay attacks are common ► Can be compromised without knowing ► Social attacks ► Inconsistent formats between applications (provisioning, synchronization necessary) ► Passwords are actually quite expensive (operating costs) ► Password reset and admin is frequently over 40% of what help desks do! The Problems with Passwords
  • 206. 20 ► Most passwords are poorly chosen ► Your dog’s name, your significant other’s pet name, the word ‘password’ ► Most passwords are vulnerable to the widely available password cracking programs ► Poorly chosen passwords significantly reduce the search space for an attacker ► We are entering an age where passwords must be very carefully used, and should not be used for controlling access to critical accounts The Problems with Passwords
• 208. 22 ► Authentication tokens are small devices which generate a new "password" (tokencode) for every authentication ► They contain a secret key (seed) which is shared with an authentication server ► Tokens usually have an LCD display, a small microprocessor, and a battery. Tokens may have a keypad, and a real-time clock ► Tokens do require that the user carry them around, but provide authentication without desktop software One-Time Passcode (OTP) Tokens
• 209. 23 ► Tokens are currently the most cost effective, and easiest to use strong authentication solution ► They are common in the enterprise marketplace ► They are a proven technology ► They are easy to use ► There are a number of different types of token: ► Time-based ► Challenge-Response ► Counter-based ► Two of the biggest issues for the use of tokens in the consumer Internet space include cost, and multi-site token re-use OTP Tokens
• 210. 24 Challenge-Response OTP Tokens (diagram) ► Authentication server: holds a copy of the seed; generates a random number as the challenge and presents it to the user ► Token: holds the internal seed; the user inputs the challenge on the token keypad; the token combines the seed and challenge, hashes them, and truncates the result as needed to produce the correct length response ► User reads the response on the LCD, and enters it at the logon prompt ► Server: runs the same hash computation using the copy of the seed, truncates the result, and compares Response' with the received Response ► Match
• 211. 25 Counter-Based OTP Tokens (diagram) ► Token: holds the internal seed and an internal counter incremented by button presses; combines the current counter value and the seed, then 'hashes' it, and truncates the result as needed to produce the correct length passcode ► Authentication server: holds a copy of the seed and its own counter, which increments for each authentication; runs the same 'hash' using its counter and the copy of the seed, truncates the result, and compares Passcode' with the received Passcode ► Match
• 212. 26 Time-Based OTP Tokens (diagram) ► Token: holds the internal seed and its own internal clock; combines the current time and the seed, then 'hashes' it, and truncates the result as needed to produce the correct length passcode ► Authentication server: holds a copy of the seed; its clock runs independently from the token's internal clock; runs the same 'hash' using the time and the copy of the seed, truncates the result, and compares Passcode' with the received Passcode ► Match
• 213. 27 ► As we have seen, there are a variety of OTP tokens available ► In addition to the hardware tokens discussed, software versions are available which run on PCs, notebooks, and other mobile computers such as tablets and smart phones ► OTP tokens continue to be one of the most common strong authentication methods, especially in the enterprise OTP Tokens
• 215. 29 Public-Private Key Authentication (diagram) ► Server: holds the client's public key and generates a random number ► Client: holds the client's private key and uses it to prove possession by transforming the random number ► Server: checks the returned value (Random #') against the random number it generated, using the client's public key ► Match
  • 216. 30 ► If you have a certain Public Key, as shown it can be used to verify that the other system has the matching Private Key ► To complete the process of PPK Authentication: ► You need to trust that the Public Key is the right one for an individual ► You need to secure the storage of the Private Key PPK Authentication
• 217. 31 Trusting the Public Key: X.509 Digital Certificate ("I officially notarize the association between this particular User, and this particular Public Key") ► Serial Number: xxxxx ► Validity: Nov.08,2003 - Nov.08,2005 ► User ► Organization: CA - Ref.,LIAB.LTD(c)96 ► Organizational Unit = Digital ID Class 2 - Chelmsford ► Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl ► Signed By: RSA Security ► Status:
• 218. 32 It's all about Trust (diagram) ► Certificate: Serial Number: xxxxx ► Validity: Nov.08,1997 - Nov.08,1998 ► User ► Organization: CA - Ref.,LIAB.LTD(c)96 ► Organizational Unit = Digital ID Class 2 - Chelmsford ► Status: ► Public Key: ie86502hhd009dkias736ed55ewfgk98dszbcvcqm85k309nviidywtoofkkr2834kl ► Signed By: VeriSign, Inc. ► The Certificate Authority (VeriSign, Inc.) signs the certificate with its Private Key; anyone relying on the certificate checks that signature with the Certificate Authority's Public Key, so trust in the user's key rests on trust in the CA's key
  • 219. 33 ► The private key must be securely stored ► Smart Cards are ideal ► Token protected storage is also very good ► Password protected storage is less ideal ► The whole trust of PPK systems comes down to the trust of Certificates and Private Key Storage ► And how you verify that the correct person is the owner of the private key! Trusting the Private Key
  • 221. 35 ► Alternative to passwords and smartcards ► Determine your identity by measuring your personal characteristics ► User friendly ► Nothing to remember, nothing to enter ► Hard to mess up ► No token to drop or give away ► No password to forget, write down or tell a friend ► They can be 2 or 3 factor authenticators ► Something you are plus something you have or know ► They are cool Biometrics
  • 222. 36 ► A large number have been proposed ► Fingerprints ► Retina scan, iris scan ► Facial Recognition ► Hand shape ► Blood vessels ► Voice ► Body Odor ► DNA (no commercial systems) ► Different characteristics ► Cost, convenience, stability, security, spoofing Different biometrics
  • 223. 37 ► Advantages ► Some types support cheap sensors ► Non-intrusive ► Small form factor ► Simple to use ► Disadvantages ► Identification is not unique ► Best have an error of 1:100 000 (that’s only 17 bits) ► Does not work in all environments ► Gloves, worn down fingertips ► Can be stolen without direct contact with user Example: Fingerprints
  • 224. 38 ► Over the last couple of years there have been some interesting biometric developments ► Biometrics have entered the consumer market in a reasonably large way ► Large numbers of notebooks now contain a biometric fingerprint sensor ► Match on device functionality is becoming technically reasonable Biometrics Update
• 225. 39 ► Where do you store the biometric patterns, and how is that protected? ► You use the same fingerprint everywhere ► You leave your fingerprint everywhere ► How much 'training' is required to get a good template? ► There is some part of the population where the biometric does not work, for example: ► Masonry and other construction workers who have worn down their fingerprints ► The fingerprints of senior citizens cannot be read in many cases ► Master criminals or spies who etched their fingerprints off with acids The issues with Biometrics
• 226. 40 ► For me, perhaps the biggest problem with biometrics is theft of identity, and the related problem of revocation: ► Unlike other security credentials, a biometric is you! ► If some evil-doer gets your biometric template, they can impersonate you personally ► How do you deal with the theft of your template? ► Lopping off digits hardly seems appropriate ► You only have one voice, two eyes, one body odor, … so invalidating the compromised biometric is of limited use The issues with Biometrics
  • 227. 41 Revocable BiometricTemplates The original image is not used as a template It is first morphed with a master ‘key’ The resulting horrific morphed image becomes the master template In all subsequent authentications, the raw image is morphed using the same master key before the biometric authentication is performed If the morphed template is ever compromised, the original image is not revealed. The master key can then be destroyed and a new one used.
• 229. 43 ► In many cases RFID is identification, not authentication ► The RFID tag asserts its identity by broadcasting a unique identifier, but does not perform a cryptographic operation to prove that it is the authentic tag ► However, sophisticated tags exist, and more are being developed, and as a result, I can see a time where tags will assert identity, then be able to perform something like a challenge-response validation of a symmetric or asymmetric key. ► As a result, they are worth talking about in the context of authentication… Is RFID Authentication??
• 230. 44 ► Since RFID tags transmit their identity, they can leak privacy information; even when their intended use is over. ► Steamboat Mountain & hospitals are well thought out RFID apps ► Benefits thoroughly explained in advance / opt-in ► Some RFID privacy advancements are happening ► Kill tags / blocker tags ► The RFID devices must be built on strong cryptography ► Data must be encrypted, and should not be static ► Algorithms should be peer reviewed ► TI/Speedpass – cracked/cloned by RSA Labs and Johns Hopkins ► ISO14443/EMV (encrypted/dynamic) ► New RFID technologies to watch: ► Near-Field Comms ► RuBee (Long Wave ID - LWID) RFID and Privacy
  • 231. 45 ► 2006 World Cup Football (Soccer) in Germany ► RFID based admission tickets ► China Olympics RFID based tickets ► NIST publishes a report warning about the dangers of RFID ► Report recommends careful application ► Growth in food tracking area: meat and poultry in Norway; Thai rice; Malaysia livestock; Spanish meat; ► Amish farmers resist RFID tagging of livestock on religious grounds ► Some religious groups resist biometrics as the‘mark of the beast’ ► Viagra bottles will now have RFID tags to prevent counterfeiting! ► Publicized attacks on MiFare based transit cards Some Noteworthy Recent RFID Events
• 232. 46 ► Saguaro National Park in Tucson, AZ to tag cacti with RFID tags to thwart thieves (a cactus is about $2k each, the tags are $4); following a similar program in Las Vegas. A few of my favorite RFID news items ► Jonathan Oxer, Melbourne, Australia, "Australia's geekiest geek!" ► RFID tag implanted in his left arm ► Used to unlock his car and home ► Cool but possibly dangerous…
  • 234. 48 How do humans authenticate? Looks like John He’s at John’s House John has a dog which hates to be washed John likes short hair John has a son That’s John’s wife It is John!
  • 235. 49 ► We authenticate by combining a set of lower confidence authentications into an aggregate authentication ► The process is not mathematically exact ► There is error and low confidence in many of the individual pieces of data ► However, taken in total, our confidence in the authentication is increased to a level above which we have confidence in the authentication Human Authentication
  • 236. 50 ► This technique is emerging as the new model for electronic authentication ► Composite authentications first started to emerge in the area of on-line banking ► Composite authentications combine a number of weak authentications into a stronger authentication ► While it may be possible to intercept or replay some of the composite parts, it is very difficult to simulate all the parts of a well designed composite Composite Authentications
  • 237. 51 Composite Authentications Is it really Sally? She knew Sally’s password She is connecting via Sally’s ISP She is using the same browser Sally uses This is the same computer which Sally used before She is connected at the same time Sally typically connects She is doing the same operations which Sally typically does It’s Sally!! She interacts with the computer like Sally
  • 238. 52 ► Typically these authentications perform a risk scoring based upon all the data ► If the score is too low, the authentication fails ► If the score is above a threshold, then the authentication succeeds ► If the score between the two: ► The end user may be prompted for more information ► Mother’s maiden name, color of first car, … ► Or the user may be contacted through some other out of band method ► Calling the end user cell phone ► By their nature, composite authentications are difficult to mathematically compute an effective bit strength for ► And this would miss some of their inherent strengths Composite Authentications
  • 239. 53 ► I think this is one of the most interesting evolutions in authentication technology to have occurred over the last few years ► The composite mix must be kept fresh, or the attackers will compromise enough of the composite to make it weak ► A good composite is diverse, and changes over time ► Watch to see composite authentication branch into the enterprise and other non-banking consumer settings. ► Various frameworks for comparing authentication methods (such as NIST 800-63) have not caught up with this trend yet, so be careful. Composite Authentications
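Slides 236 to 239 describe composite authentication as a risk score over several weak signals with three outcomes: fail below one threshold, pass above another, and step-up (a life question or an out-of-band call) in between. The block below is an added example written for this page, not code from the seminar or from any banking product, of that decision logic. The signals are the ones on the "Is it really Sally?" slide; the weights, the two thresholds, the sample profile and the keystroke-dynamics verdict (assumed to come from some other component) are all constructed for illustration. One design choice worth noting: the password is a gate, not just a weighted signal, so a composite can raise confidence in a correct password but never substitute for it, and the matched-signal list is returned so every decision is explainable even though, as the slides say, no single bit-strength figure exists for it.

```python
"""Risk-scored composite authentication: allow / step_up / deny. Added example;
weights, thresholds and the sample profile are constructed, not from a product."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Profile:
    """What has been observed for the account on previous successful logins."""
    user: str
    isps: Set[str]
    browsers: Set[str]
    devices: Set[str]
    usual_hours: range      # local hours at which the user normally connects
    usual_ops: Set[str]


@dataclass
class Attempt:
    user: str
    password_ok: bool
    isp: str
    browser: str
    device_id: str
    hour: int
    operation: str
    typing_like_user: bool  # keystroke-dynamics verdict from another component (assumed)


# Each signal is weak alone; the weight reflects how hard it is to intercept or
# simulate (a device fingerprint is harder to fake than an ISP or a browser string).
WEIGHTS = {"password": 40, "device": 20, "isp": 10, "browser": 5,
           "hour": 5, "operation": 10, "typing": 10}
DENY_BELOW = 55   # below this the attempt fails outright
ALLOW_FROM = 85   # at or above this it succeeds; in between, ask for more


def score(profile: Profile, a: Attempt) -> Tuple[int, List[str]]:
    """Return (total, names of the signals that matched) for auditability."""
    checks = {
        "password": a.password_ok,
        "device": a.device_id in profile.devices,
        "isp": a.isp in profile.isps,
        "browser": a.browser in profile.browsers,
        "hour": a.hour in profile.usual_hours,
        "operation": a.operation in profile.usual_ops,
        "typing": a.typing_like_user,
    }
    matched = [name for name, ok in checks.items() if ok]
    return sum(WEIGHTS[n] for n in matched), matched


def decide(profile: Profile, a: Attempt) -> str:
    """'allow', 'step_up' or 'deny'. A wrong password is a hard stop: the
    composite raises confidence in a known password, it does not replace it."""
    if a.user != profile.user or not a.password_ok:
        return "deny"
    total, _ = score(profile, a)
    if total < DENY_BELOW:
        return "deny"
    if total >= ALLOW_FROM:
        return "allow"
    return "step_up"


def learn(profile: Profile, a: Attempt) -> None:
    """After an allowed login, fold the new observations into the profile so the
    composite stays fresh; a composite that never changes is one attackers learn."""
    profile.isps.add(a.isp)
    profile.browsers.add(a.browser)
    profile.devices.add(a.device_id)
    profile.usual_ops.add(a.operation)


# Constructed sample profile for "sally".
SALLY = Profile(user="sally", isps={"isp-a"}, browsers={"firefox"}, devices={"dev-1"},
                usual_hours=range(8, 19), usual_ops={"view_balance", "pay_bill"})


def sally_attempt(**overrides) -> Attempt:
    """A fully matching attempt; override fields to simulate travel or an attacker."""
    base = dict(user="sally", password_ok=True, isp="isp-a", browser="firefox",
                device_id="dev-1", hour=10, operation="view_balance", typing_like_user=True)
    base.update(overrides)
    return Attempt(**base)
```

With these weights a phisher who holds Sally's password but arrives from a new ISP on an unknown device, asks for a wire transfer and types differently scores 50 and is denied; Sally on holiday (new ISP, late hour) scores 85 and is allowed; Sally on a new laptop at a late hour scores 75 and gets a step-up prompt.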
  • 240. 54 A couple of Authentication related topics…
• 241. 55 ► Publicly, I expressed dismay with the RFID passport proposals ► Lack of privacy, lack of encryption, … ► Some progress has been made ► Shielded passport cases ► Data is encrypted ► Auth via open passport data ► There still are problems: ► The RFID chips have been cloned ► The encryption appears to have been cracked ► Some sites have discussed putting your new passport in a microwave to disable the RFID chip ► I don't recommend that! Electronic Passports
• 242. 56 ► A US form of government ID is emerging with Real ID ► Federal standard for drivers licenses ► Digimarc is the leader in this effort ► Mandates validation of person before issuance ► Cryptographic security features ► Biometric quality image ► Scan of database done for facial match during issuance ► Can be used for Real-Time ► Other features such as ghost image and micro-fine art; holograms; … ► Enhanced versions (RFID) of this card act as the Western Hemisphere Travel Initiative PASS card ► Some groups are against Real ID on privacy grounds ► Tracking individuals, keeping copies of produced documents, centralized database ► It is moving forward, currently 25+ states have passed legislation to adopt Real ID ► Current plans are that by 2014 most people will be required to have a Real ID document – most likely a drivers license Real ID
• 243. 57 ► Many of the same ideas we have talked about apply to credit cards ► Like passwords, credit cards are static authenticators ► In many ways, credit card numbers are *worse* than passwords: ► Their lifetime is extremely long ► Credit card information is often stored in the clear on merchant systems ► Unlike all modern password systems, which do not store clear passwords ► The frustrating part is that many security and authentication technologies could be applied to credit cards today ► OTCC – One Time Credit Card ► Encryption of merchant databases ► Dynamic second factors (like CVV codes) ► Unfortunately these changes will come about slowly ► EMV and some of the new Mastercard and Visa initiatives are very good starts ► Canada and Mexico are going to EMV ► Will this push fraud into the US?? ► In the US, real-time authorization with RBA Credit Card Fraud
• 245. 59 How do they compare? (chart: relative security of each authenticator plotted against cost of authenticator)
• 246. 60 How do they compare?
Type | Is Key Secret? | Strength | Portability | Ease of use | Cost
Password | Maybe | Weak | High | Easy | Very High
OTP | Yes | Strong | High | Medium | Medium
Smart Card & Certificate | Yes | Strong | Low | Medium | High
Biometric | No | Weak - static | Low | Very Easy | Medium
RFID | No | Weak - static | Low | Very Easy | Low
Composite | Typically not | Hard to quantify | Low | Easy | Low
Credit Card | No | Weak - static | High | Easy | Low
• 247. 61 Authentication Factors: Something You _____
Know: Text PIN; Visual PIN; Text Password; Life Questions
Have: IP Address; Scratch-off / Bingo Card; Browser Type; Phone / PDA w/OTP; Cookie; OTP Token; Certificate; USB Device; Toolbar / Agent; Proximity / Smart Card
Are: Fingerprint; Hand Geometry; Face Recognition; Iris Scan; Retina Scan
Do: Keystroke Dynamics; Voice Print; Access Pattern
Authentication Tiers: likely combinations of factors, low end to high: #1 Composite + Password; #2 Soft Token + Password; #3 Soft Token + Biometric; #4 Hard Token + PIN; #5 Hard Token + Biometric
  • 248. 62 There are a few recommendations I can give: ► Static Passwords must not be used to protect anything with value ► OTP will continue to be strong in the enterprise, but new technologies like RFID and Biometrics are making inroads ► That said, there have been recent significant attacks on the core algorithms which underlie some OTP tokens – choose wisely. ► The first active MITM attacks have appeared ► The emergence of composite authentications, especially when combined with other forms of authentication represent an important new branch on the tree of authentication methods. ► Most importantly, do not standardize on one technique or algorithm! ► This is a dynamic environment, and you will need diversity and flexibility to choose the best authentication solution to meet your needs. Flexibility and Diversity
  • 250. Session ID: Session Classification: ▶ Slide▶ of 77 SEM-0001 xxxxxxxxxxxx FIREWALLS AND PERIMETER DEFENSES William Cheswick cheswick.com http://www.cheswick.com/ches 1 Sunday, February 24, 13
• 251. Perimeter defenses allow one to focus defensive expertise and efforts on a small area
• 252. Perimeter defenses: Where do you put them? How many do you need? How do you get through them? How do you test them?
• 256. Heidelberg Castle: failure modes. 1622: Tilly captured the castle after a two-month siege. 1689: captured by 30,000 French in a few hours; insufficient number of defenders
• 257. (photo) Scotland Yard
• 258. (photo) Edinburgh castle
• 260. Flower pots!
• 264. Security doesn't have to be ugly. Does it have to be inconvenient? No.
• 266. Delta barriers
• 269. A firewall against demons
• 270. We use layers to achieve higher security
• 273. (photo) Warsaw old city, layer 2
• 274. (photo) Intimidation is a layer
• 275. Perimeter defenses don't scale
• 276. (photo) The Pretty Good Wall of China
• 277. The Great Wall: built to keep out the barbarians of the north and their economy; formed from shorter segments; Genghis Khan walked past the wall, unopposed, and into Beijing; a wall is a single layer
• 281. (photo) Parliament: entrance
• 282. (photo) Parliament: exit
• 283. Intranets
• 285. (diagram) The Lucent intranet: sites at Allentown, Murray Hill, Columbus and Holmdel; SLIP, PPP, ISDN, X.25, cable, ... access; Lucent - 130,000, 266K IP addresses, 3000 nets ann.; Murray Hill connects to the Internet, ~200 business partners and thousands of telecommuters
• 289. Anything large enough to be called an intranet is probably out of control
• 290. A simile for the ages? "All of [the gateway's] protection has, by design, left the internal AT&T machines untested---a sort of crunchy shell around a soft, chewy center." The Design of a Secure Internet Gateway, W. Cheswick, Proc. of Winter Usenix, Anaheim, 1990
• 291. Fun intranet facts: The largest is probably NIPRNET, ~2 million hosts. A high tech company has about two active IP addresses per employee; low tech is around one per employee. Small ones are enclaves.
• 292. Perimeter defenses: For wusses with hosts that can't hack it on the real Internet. A gateway fascist decides which traffic is good and bad. Cheaper than deploying firewalls in every host, but we do that, too
• 293. Problems with PDs: They are hard to do. They look easy to do. They provide a false sense of security. They don't scale. Everybody scales them
• 294. How does trouble arrive? Dangerous services are attacked from the outside. We import trouble, like Buffy's vampires: email, USB sticks, alien devices
• 295. Attack from the outside: Network services may have exploitable security holes. Best answer: remove services. PD answer: get out of the game
• 297. "Best block is not be there" -- Mr. Miyagi, Karate Kid
• 298. Getting out of the game: Firewalls block the bad stuff, and let in the good stuff. Routing and addressing tricks also get you out of the game: RFC 1918 addresses; the IPv6 FD address range (unique local addresses)
• 299. (diagram) A router between the "inside" hosts (192.168.0.0/16) and the outside hosts on the Internet
• 300. Key points to hiding networks: Indirectly-connected hosts can be scanned by intermediaries if they are compromised or if spoofed packets are possible. Important: block spoofed packets
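Slides 298 to 300 make the point that hiding a network behind RFC 1918 addresses only gets you out of the game if spoofed packets are blocked, because a packet from outside claiming an inside source address is how an attacker reaches hosts that have no route to him. The block below is an added example, not code from the talk or from any router vendor, of the check a router can apply: strict reverse-path filtering, where a packet is dropped if the route back to its source address would leave by a different interface than the one it arrived on, plus a short bogon list for sources no route could explain. The routing table, interface names and addresses are constructed for illustration.

```python
"""Strict reverse-path (anti-spoofing) check for a router hiding an RFC 1918
network. Added example; routing table, interface names and packets are constructed."""
import ipaddress
from typing import Optional, Tuple

# Constructed routing table: destination prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("192.168.0.0/16"): "inside",
    ipaddress.ip_network("10.9.0.0/24"): "dmz",
    ipaddress.ip_network("0.0.0.0/0"): "outside",
}

# Source addresses that never legitimately appear on the wire as a sender.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def egress_for(addr) -> Optional[str]:
    """Longest-prefix match: the interface the router would use to reach addr."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in ROUTES.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def should_drop(src: str, ingress: str) -> Tuple[bool, str]:
    """Strict uRPF: drop when the return path to src is not the ingress interface.
    Returns (drop?, reason) so the decision can be logged."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_SOURCES):
        return True, "bogon source"
    back = egress_for(addr)
    if back is None:
        return True, "no route back to source"  # e.g. an IPv6 source on a v4-only table
    if back != ingress:
        return True, "source %s belongs behind %s, arrived on %s" % (src, back, ingress)
    return False, "ok"
```

The check runs in both directions: a packet with an inside source arriving from the Internet is the classic spoof, but an inside host sending with an outside source (a compromised machine joining a reflection attack) is dropped by the same rule. Strict mode assumes symmetric routing; on a multihomed site where replies legitimately return over another link, it has to be relaxed to a loose check (any route to the source exists) or applied per interface.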
  • 301. ▶ Slide▶ of 76 Internet Firewalls 52 Sunday, February 24, 13
  • 302. ▶ Presenter Logo ▶ Slide▶ of 76 Original firewall 53 Sunday, February 24, 13
  • 303. ▶ Presenter Logo ▶ Slide▶ of 77 “inside” and “outside” the weakest part: thinking of “the inside” as being secure. It mostly isn’t. 54 Firewalls tend to be directional Sunday, February 24, 13
  • 304. ▶ Presenter Logo ▶ Slide▶ of 77 Standard servers are too dangerous to expose to outside access TCP/IP packets are too dangerous No IP connectivity to outside 55 Behind firewalls Sunday, February 24, 13
  • 305. ▶ Presenter Logo ▶ Slide▶ of 76 My (Safer!) Firewall 56 Sunday, February 24, 13
  • 306. ▶ Presenter Logo ▶ Slide▶ of 76 Referee’s suggestion 57 Sunday, February 24, 13
  • 307. ▶ Presenter Logo ▶ Slide▶ of 77 Avoids Denial of Service Attacks (DOS) attacks on important hosts This is a network-level, not host-level problem Walled garden makes intruders easy to spot, by definition They keep a lot of the chaff out 58 Two benefits Sunday, February 24, 13
  • 308. ▶ Presenter Logo ▶ Slide▶ of 77 Generally centralized defense against attacks Cheaper to focus your smarts in one location Host-based firewalls blend into host-based security 59 Firewalls Sunday, February 24, 13
  • 309. ▶ Presenter Logo ▶ Slide▶ of 77 Packet: usually “packet filter” Circuit: c.f. socks Application level “Deep packet inspection” (DPI): packet-level analysis of deeper data 60 Levels of firewalls Sunday, February 24, 13
  • 310. ▶ Presenter Logo ▶ Slide▶ of 77 Generally fast and cheap Generally stupid: use tricks to enhance stateful: keep track of sessions 61 Packet filters Sunday, February 24, 13
  • 311. ▶ Presenter Logo ▶ Slide▶ of 77 “Computer acting as a wire” SOCKS Specific TCP connections copied by a relay program Not used much any more, but can be a convenient tool 62 Circuit level Sunday, February 24, 13
  • 312. ▶ Presenter Logo ▶ Slide▶ of 77 Understands the service it is filtering E.g. mailer receives and scans email before forwarding 63 Application level Sunday, February 24, 13
  • 313. ▶ Presenter Logo ▶ Slide▶ of 77 Relatively cheap and easy to do Can be done at network speeds Note: not new technology 64 Benefits of DPI Sunday, February 24, 13
  • 314. ▶ Presenter Logo ▶ Slide▶ of 77 It is impossible to do correctly, so good enough has to be good enough Why? Doing it right requires packet normalization. 65 Problems with DPI Sunday, February 24, 13
  • 315. ▶ Presenter Logo ▶ Slide▶ of 77 Fragmented packets TCP overlap interpretation Packet distance hacks See Vern Paxson’s work for gory details 66 Packet Normalization Problems Sunday, February 24, 13
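The TCP overlap problem from slides 314 and 315, as an added worked example (not code from the slides or from Cheswick): two stacks that resolve an overlapping retransmission differently ("first copy wins" vs. "last copy wins") rebuild different byte streams from the same segments, so a DPI engine can inspect one stream while the end host receives another. The normalizer shown is the defender's answer: drop any segment whose bytes contradict data already accepted, after which every reassembly policy agrees. The segment list is constructed for the example; overlapping IP fragments present the same ambiguity.

```python
# Constructed example: TCP segments as (sequence offset, payload bytes), in
# arrival order. The second segment overlaps the first with DIFFERENT bytes;
# the third is an honest retransmission whose bytes agree with what was seen.
SEGMENTS = [
    (0, b"HELLO WORLD"),
    (6, b"THERE"),   # conflicting overlap of offsets 6..10
    (0, b"HELLO"),   # consistent retransmission of offsets 0..4
]


def reassemble(segments, policy):
    """Rebuild the byte stream; on overlap either the first or the last copy wins.

    Different TCP stacks make different choices here, which is exactly what
    lets an inspector and the end host disagree about the stream contents.
    """
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if off in stream and policy == "first":
                continue            # keep the copy that arrived first
            stream[off] = byte      # "last": later copy overwrites
    if stream and set(stream) != set(range(max(stream) + 1)):
        raise ValueError("gap in stream; cannot reassemble")
    return bytes(stream[i] for i in range(len(stream)))


def normalize(segments):
    """Normalizer: drop any segment whose bytes contradict bytes already accepted.

    After this pass every overlap is consistent, so every reassembly policy
    yields the same stream and the inspector sees what the host sees.
    """
    seen = {}
    accepted, dropped = [], []
    for seq, data in segments:
        conflict = any(seen.get(seq + i, byte) != byte
                       for i, byte in enumerate(data))
        if conflict:
            dropped.append((seq, data))
            continue
        for i, byte in enumerate(data):
            seen[seq + i] = byte
        accepted.append((seq, data))
    return accepted, dropped


def demo():
    """Streams as seen before and after normalization, plus the dropped segments."""
    before = {p: reassemble(SEGMENTS, p) for p in ("first", "last")}
    accepted, dropped = normalize(SEGMENTS)
    after = {p: reassemble(accepted, p) for p in ("first", "last")}
    return before, after, dropped


if __name__ == "__main__":
    before, after, dropped = demo()
    print("without normalizer:", before)   # the two policies disagree
    print("with normalizer:   ", after)    # the two policies agree
    print("dropped:", dropped)
```

Note what the normalizer does not do: it makes no judgement about which copy is "right", it only refuses to forward data that would be interpreted two ways. That is the sense in which the slide says doing DPI correctly requires normalization rather than cleverer pattern matching.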
  • 316. General Filtering Rules: Block everything by default. Allow safe stuff through. Outgoing is generally okay. UDP is generally not okay, but what about DNS, voice?
  • 317. NAT is a close match for these: RFC 1918 addressing inside. Outgoing stuff only. Cheap from Costco, etc. You can patch your Windows system in relative safety.
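The filtering rules of slides 300, 310, 316 and 317 put together in one model, as an added example (not from the slides or from Cheswick): a default-deny stateful packet filter that blocks spoofed RFC 1918 sources arriving from the Internet, lets the 192.168.0.0/16 inside network out, admits only replies to sessions the inside opened (which is how a DNS answer over UDP gets back in), and drops unsolicited inbound connections. The `Packet` type, the address ranges and the packet sequence are constructed for the example; a real filter keys on the same 5-tuple.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the "inside" network from the slides is 192.168.0.0/16;
# PRIVATE_RANGES are the RFC 1918 blocks that must never arrive from outside.
INSIDE = ipaddress.ip_network("192.168.0.0/16")
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    direction: str      # "out" = inside -> Internet, "in" = Internet -> inside
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


def session_key(pkt):
    """Canonical 5-tuple keyed from the inside host's point of view."""
    if pkt.direction == "out":
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)


class StatefulFilter:
    """Default-deny filter: anti-spoofing, outgoing allowed, replies tracked."""

    def __init__(self):
        self.sessions = set()   # sessions opened from the inside
        self.log = []           # (action, reason, packet) for later review

    def _verdict(self, pkt, action, reason):
        self.log.append((action, reason, pkt))
        return action

    def decide(self, pkt):
        src = ipaddress.ip_address(pkt.src)
        # Ingress anti-spoofing: a private source cannot legitimately come from
        # the Internet; it is someone trying to reach the hidden hosts.
        if pkt.direction == "in" and any(src in net for net in PRIVATE_RANGES):
            return self._verdict(pkt, "DROP", "spoofed private source from outside")
        # Egress anti-spoofing: only our own addresses may leave.
        if pkt.direction == "out" and src not in INSIDE:
            return self._verdict(pkt, "DROP", "outbound packet with foreign source")
        key = session_key(pkt)
        if pkt.direction == "out":
            self.sessions.add(key)          # remember it so the reply can return
            return self._verdict(pkt, "ACCEPT", "outgoing is generally okay")
        if key in self.sessions:
            return self._verdict(pkt, "ACCEPT", "reply to a session we opened")
        if pkt.proto == "tcp" and pkt.syn:
            return self._verdict(pkt, "DROP", "unsolicited inbound connection")
        return self._verdict(pkt, "DROP", "default deny")


def run_demo():
    """Feed a constructed packet sequence through the filter; returns the verdicts."""
    fw = StatefulFilter()
    packets = [
        Packet("out", "tcp", "192.168.1.10", 40000, "203.0.113.5", 443, syn=True),  # browse out
        Packet("in",  "tcp", "203.0.113.5", 443, "192.168.1.10", 40000),             # reply
        Packet("in",  "tcp", "203.0.113.9", 5555, "192.168.1.10", 22, syn=True),     # unsolicited
        Packet("out", "udp", "192.168.1.10", 51000, "198.51.100.53", 53),            # DNS query
        Packet("in",  "udp", "198.51.100.53", 53, "192.168.1.10", 51000),            # DNS answer
        Packet("in",  "udp", "198.51.100.7", 4444, "192.168.1.10", 51000),           # random UDP
        Packet("in",  "tcp", "10.0.0.5", 1234, "192.168.1.10", 80, syn=True),        # spoofed
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```

The DNS answer is admitted only because the matching query went out first; the random UDP datagram to the same inside port is dropped because no such session exists. That is the stateful "trick" of slide 310 and the answer to slide 316's "what about DNS?": UDP stays blocked as a class, and replies are let back in per session.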
  • 318. Invited Attacks: Much harder to filter with firewalls. Sandboxing seems to be the most promising technology. It is getting harder to cruise the web safely, even at “safe” sites. (Thank advertising.)
  • 319. Internet Skinny Dipping: Alternative to firewalls and perimeter defenses.
  • 320. Strong Host Security: It can be done. Many services are too dangerous to run. Requires some user forbearance. Can defend nicely against insider attacks.
  • 321. Inviting trouble in: Browsers, etc. are full-featured; full-featured is a technical term for “full of security bugs”. This is an open security problem: better OSes, sandboxing, VMs, etc. iPhone might be leading this!
  • 322. Summary - perimeters: Does not scale. Medium-level defense at best. No protection from insider attacks.
  • 323. Summary - firewalls: Useful medium-level defense. Little protection from invited trouble. One of many tools.
  • 324. Many Bad Things are Out There: We are losing the virus detection war. Supply chain attacks are coming. The bad guys only have to find one weakness. Patch analysis reveals weaknesses.
  • 325. Session ID: SEM-0001. Session Classification: xxxxxxxxxxxx. FIREWALLS AND PERIMETER DEFENSES. William Cheswick, cheswick.com, http://www.cheswick.com/ches