Network Security slides are modified from Dave Hollinger.


CPE 401/601 Lecture 17: Network Security
by Peter Steiner, New York, July 5, 1993

Early Hacking – Phreaking
- In 1957, a blind seven-year-old, Joe Engressia Joybubbles, discovered a whistling tone that resets trunk lines
  - Blow into receiver – free phone calls
- Cap’n Crunch cereal prize: giveaway whistle produces 2600 MHz tone

The Seventies
- John Draper
  - a.k.a. Captain Crunch
  - “If I do what I do, it is only to explore a system”
- In 1971, built Bluebox
- Pranksters, free calls
  - Mark Bernay and Al Bernay
  - Steve Jobs and Steve Wozniak

The Eighties
- Robert Morris worm
  - Developed to measure the size of the Internet
    - However, a computer could be infected multiple times
  - Brought down a large fraction of the Internet
    - ~ 6K computers
  - Academic interest in network security

The Nineties
- Kevin Mitnick
  - First hacker on FBI’s Most Wanted list
  - Hacked into many networks including FBI
  - Stole intellectual property including 20K credit card numbers
  - In 1995, caught 2nd time
    - served five years in prison

Code-Red Worm
- On July 19, 2001, more than 359,000 computers connected to the Internet were infected in less than 14 hours
[Figure: Spread]

Sapphire Worm
- was the fastest computer worm in history
  - doubled in size every 8.5 seconds
  - infected more than 90 percent of vulnerable hosts within 10 minutes.

DoS attack on SCO
- On Dec 11, 2003
  - Attack on web and FTP servers of SCO
    - a software company focusing on UNIX systems
  - SYN flood of 50K packets per second
  - SCO responded to more than 700 million attack packets over 32 hours

Witty Worm
- 25 March 2004
  - reached its peak activity after approximately 45 minutes
  - at which point the majority of vulnerable hosts had been infected
[Figures: World; USA]

Nyxem Virus
- Jan 15, 2006: infected about 1M computers within two weeks
  - At least 45K of the infected computers were also compromised by other forms of spyware or botware
[Figure: Spread]

Security Trends (Computer Emergency Readiness Team)

Top Security Threats (Computing Technology Industry Association, 2009 survey)

Changes on the technology landscape affecting security

Concern for Security
- Explosive growth of desktops started in ’80s
  - No emphasis on security
    - Who wants military security, I just want to run my spreadsheet!
- Internet was originally designed for a group of mutually trusting users
  - By definition, no need for security
  - Users can send a packet to any other user
  - Identity (source IP address) taken by default to be true
- Explosive growth of Internet in mid ’90s
  - Security was not a priority until recently
    - Only a research network, who will attack it?

Friends and enemies: Alice, Bob, Trudy
- well-known in network security world
- Bob, Alice want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender), Bob (secure receiver), channel carrying data and control messages, Trudy]

Who might Bob, Alice be?
- … well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: A lot!
- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)

Alice’s Online Bank
- Alice opens Alice’s Online Bank (AOB)
- What are Alice’s security concerns?
- If Bob is a customer of AOB, what are his security concerns?
- How are Alice’s and Bob’s concerns similar? How are they different?
- How does Trudy view the situation?

Alice’s Online Bank
- AOB must prevent Trudy from learning Bob’s balance
  - Confidentiality (prevent unauthorized reading of information)
- Trudy must not be able to change Bob’s balance
- Bob must not be able to improperly change his own account balance
  - Integrity (prevent unauthorized writing of information)
- AOB’s info must be available when needed
  - Availability (data is available in a timely manner when needed)

Alice’s Online Bank
- How does Bob’s computer know that “Bob” is really Bob and not Trudy?
- When Bob logs into AOB, how does AOB know that “Bob” is really Bob?
  - Authentication (assurance that other party is the claimed one)
- Bob can’t view someone else’s account info
- Bob can’t install new software, etc.
  - Authorization (allowing access only to permitted resources)

Think Like Trudy
- Good guys must think like bad guys!
- A police detective
  - Must study and understand criminals
- In network security
  - We must try to think like Trudy
  - We must study Trudy’s methods
  - We can admire Trudy’s cleverness
  - Often, we can’t help but laugh at Alice and Bob’s carelessness
  - But, we cannot act like Trudy

Aspects of Security
- Security Services
  - Enhance the security of data processing systems and information transfers of an organization.
  - Counter security attacks.
- Security Attack
  - Action that compromises the security of information owned by an organization.
- Security Mechanisms
  - Designed to prevent, detect or recover from a security attack.

Security Services
- Enhance security of data processing systems and information transfers
- Authentication
  - Assurance that the communicating entity is the one claimed
- Authorization
  - Prevention of the unauthorized use of a resource
- Availability
  - Data is available in a timely manner when needed

Security Services
- Confidentiality
  - Protection of data from unauthorized disclosure
- Integrity
  - Assurance that data received is as sent by an authorized entity
- Non-Repudiation
  - Protection against denial by one of the parties in a communication

Security Attacks
[Figure: Normal flow from information source to information destination]

Security Attacks
- Interruption: attack on availability (ability to use desired information or resources)
[Figure: information source, information destination]

Denial of Service
- Smurf Attack
  - ICMP echo (spoofed source address of victim), sent to IP broadcast address
  - ICMP echo reply
  - Innocent reflector sites
  - ICMP = Internet Control Message Protocol
- 1 SYN, 10,000 SYN/ACKs – Victim is dead
[Figure: Perpetrator, Internet, innocent reflector sites, Victim]
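
The Smurf pattern on this slide leaves two traces a defender can look for; the sketch below is an added example, not part of the original slides. The record layout `(source, destination, ICMP type)`, the function names, the reflector threshold and all addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type numbers

def broadcast_echo_requests(records, local_net):
    """Reflector-side check: echo requests addressed to our subnet's broadcast address."""
    net = ipaddress.ip_network(local_net)
    return [r for r in records
            if r[2] == ECHO_REQUEST
            and ipaddress.ip_address(r[1]) == net.broadcast_address]

def unsolicited_replies(records):
    """Victim-side check: echo replies that answer no request the host sent.

    Returns {destination: set of reply sources}.
    """
    outstanding = set()               # (requester, target) pairs awaiting a reply
    unsolicited = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type == ECHO_REQUEST:
            outstanding.add((src, dst))
        elif icmp_type == ECHO_REPLY:
            if (dst, src) in outstanding:
                outstanding.discard((dst, src))
            else:
                unsolicited[dst].add(src)
    return unsolicited

def likely_smurf_victims(records, min_reflectors=3):
    """Hosts receiving unsolicited replies from at least min_reflectors distinct sources."""
    hits = unsolicited_replies(records)
    return sorted(dst for dst, srcs in hits.items() if len(srcs) >= min_reflectors)

# Constructed sample records (documentation address ranges only).
SAMPLE = [
    ("192.0.2.10", "198.51.100.7", ECHO_REQUEST),   # ordinary ping ...
    ("198.51.100.7", "192.0.2.10", ECHO_REPLY),     # ... and its reply
    ("203.0.113.5", "192.0.2.255", ECHO_REQUEST),   # request to our broadcast address
    ("198.51.100.21", "192.0.2.10", ECHO_REPLY),    # replies nobody asked for
    ("198.51.100.22", "192.0.2.10", ECHO_REPLY),
    ("198.51.100.23", "192.0.2.10", ECHO_REPLY),
]

if __name__ == "__main__":
    print("broadcast requests:", broadcast_echo_requests(SAMPLE, "192.0.2.0/24"))
    print("likely victims:", likely_smurf_victims(SAMPLE))
```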

Security Attacks
- Interception: attack on confidentiality (concealment of information)
[Figure: information source, information destination]

Packet Sniffing
- Every network interface card has a unique 48-bit Media Access Control (MAC) address, e.g. 00:0D:84:F6:3A:10
  - 24 bits assigned by IEEE; 24 by card vendor
- Network Interface Card allows only packets for this MAC address
- Packet sniffer sets his card to promiscuous mode to allow all packets
[Figure: Client, Server, Packet Sniffer]

Security Attacks
- Fabrication: attack on authenticity (identification and assurance of origin of information)
[Figure: information source, information destination]

IP Address Spoofing
- IP addresses are filled in by the originating host
- Using source address for authentication
  - r-utilities (rlogin, rsh, rhosts etc.)
- Can A claim it is B to the server S?
  - ARP Spoofing
- Can C claim it is B to the server S?
  - Source Routing
[Figure: hosts A, B, C and server S; Internet]

Security Attacks
- Modification: attack on integrity (prevention of unauthorized changes)
[Figure: information source, information destination]

TCP Session Hijack
- When is a TCP packet valid?
  - Address / Port / Sequence Number in window
- How to get sequence number?
  - Sniff traffic
  - Guess it
    - Many earlier systems had predictable Initial Sequence Number
- Inject arbitrary data to the connection
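
The validity rule on this slide, written out as an added example (not from the original slides): the receiver-side sequence acceptance test from the TCP specification (RFC 793), with wrap-around arithmetic, plus a check for a constant step in observed initial sequence numbers. The connection dictionary layout, the function names and every sample value are assumptions constructed for illustration.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd

def segment_acceptable(seg_seq, seg_len, rcv_nxt, rcv_wnd):
    """Sequence-number acceptance test applied by the receiver (RFC 793)."""
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_window(seg_seq, rcv_nxt, rcv_wnd)
    if rcv_wnd == 0:
        return False  # a closed window accepts no data
    last = (seg_seq + seg_len - 1) % MOD
    # Acceptable if the first or the last byte of the segment lies in the window.
    return in_window(seg_seq, rcv_nxt, rcv_wnd) or in_window(last, rcv_nxt, rcv_wnd)

def packet_valid(conn, pkt):
    """Address / port match plus sequence number in window, as on the slide."""
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    return (flow == conn["peer"] + conn["local"]
            and segment_acceptable(pkt["seq"], pkt["len"], conn["rcv_nxt"], conn["rcv_wnd"]))

def blind_guess_probability(rcv_wnd):
    """Chance that one uniformly random sequence number lands in the window."""
    return rcv_wnd / MOD

def isn_deltas(isns):
    """Differences between successive initial sequence numbers, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def looks_predictable(isns):
    """Flag a host whose observed ISNs advance by one constant step."""
    return len(isns) >= 3 and len(set(isn_deltas(isns))) == 1

# Constructed sample: a receive window that straddles the 2**32 wrap point.
CONN = {"local": ("192.0.2.1", 443), "peer": ("198.51.100.9", 51000),
        "rcv_nxt": 0xFFFFFF00, "rcv_wnd": 512}
IN_WINDOW = {"src": "198.51.100.9", "sport": 51000, "dst": "192.0.2.1",
             "dport": 443, "seq": 0x10, "len": 100}
OUT_OF_WINDOW = dict(IN_WINDOW, seq=0x100)
WRONG_PORT = dict(IN_WINDOW, sport=51001)
CONSTANT_STEP_ISNS = [MOD - 1000, 63000, 127000, 191000]   # constructed
VARIED_ISNS = [0x1A2B3C4D, 0x9F000001, 0x00C0FFEE]         # constructed

if __name__ == "__main__":
    for name, pkt in [("in window", IN_WINDOW), ("out of window", OUT_OF_WINDOW),
                      ("wrong port", WRONG_PORT)]:
        print(name, packet_valid(CONN, pkt))
    print("constant-step ISNs predictable:", looks_predictable(CONSTANT_STEP_ISNS))
```

The window size sets the odds for a blind guess, which is why an unpredictable initial sequence number matters for any connection an attacker cannot sniff.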

Security Attacks
- Passive attacks: eavesdropping, monitoring transmissions
  - Message interception
  - Traffic analysis
- Active attacks: some modification of the data stream
  - Masquerade
  - Denial of service
  - Replay
  - Modification of message contents

Model for Network Security

Security Mechanism
- Feature designed to
  - Prevent attackers from violating security policy
  - Detect attackers’ violation of security policy
  - Recover, continue to function correctly even if attack succeeds.
- No single mechanism that will support all services
  - Authentication, authorization, availability, confidentiality, integrity, non-repudiation

What is network security about?
- It is about secure communication
  - Everything is connected by the Internet
- There are eavesdroppers that can listen on the communication channels
- Information is forwarded through packet switches which can be reprogrammed to listen to or modify data in transit
- Tradeoff between security and performance