Hello, My Name is Host Name

Endgrain, Dan Kaminsky, Tiffany Rad


Post on 15-Jun-2015


DESCRIPTION

DEFCON 2009 Presentation by Endgrain, Tiffany Rad, Dan Kaminsky

TRANSCRIPT

Page 1: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Hello, My Name is Host Name

Endgrain

Dan Kaminsky

Tiffany Rad

Page 2: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Presenters

- Endgrain: Computer science student, University of Southern Maine, Portland, Maine.
- Dan Kaminsky: Director of Pen Testing, IOActive
- Tiffany Strauchs Rad: President, ELCnetworks, LLC; Part-time Adjunct Professor, University of Southern Maine, Portland, Maine.

Page 3: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Discovery

- First connected to USM network in spring of 2008 via the wireless network on campus
  - Connected to IRC
  - Magically, people began to address me with my full name
- Quickly discovered that...
  - DHCP server leases Internet routable IP addresses
  - Domain names take the form of firstname-lastname.wireless.usm.maine.edu

Page 4: Hello, My Name Is Host Name Endgrain Rad Kaminsky

- Confirmed same network configuration from dormitory (fall 2008) and similar configuration for IT staff (summer 2009)
  - end-grain.dorm.usm.maine.edu
  - jcdoe.acs.usm.maine.edu
- What does this mean?
  - Sensitive information is now unnecessarily public
  - Can be obtained with a simple reverse DNS lookup

Page 5: Hello, My Name Is Host Name Endgrain Rad Kaminsky

What information does a domain name divulge?

- The user is attending a Maine university
- The user is attending the University of Southern Maine in specific
- How the user is connected to the network
  - Wireless
  - Wired (from dorms)
- Approximate physical location
- The user's FULL NAME!

Bottom line: The domain name configuration used by USM reveals the user's physical location and full name, and is clearly a huge violation of the user's implicit right to privacy.
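A defender-side check for the exposure described above, added here as an example and not part of the original slides: it audits a reverse-zone export against the device-registration records for PTR names that embed a person's name, and shows one possible replacement label derived from a keyed hash of the MAC. The IP addresses, MAC addresses, the `jane-doe` and `dev-...` hosts, the registration records and the function names are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed reverse-zone export (documentation IP range). "jane-doe" and the
# "dev-..." host are invented; the other two names are the examples on the slides.
PTR_EXPORT = """\
192.0.2.10 jane-doe.wireless.usm.maine.edu.
192.0.2.11 end-grain.dorm.usm.maine.edu.
192.0.2.12 jcdoe.acs.usm.maine.edu.
192.0.2.13 dev-5d41402abc4b.wireless.usm.maine.edu.
"""

# Hypothetical slice of the device-registration database: MAC -> (first, middle, last).
REGISTRATIONS = {
    "00:00:5e:00:53:01": ("jane", "", "doe"),
    "00:00:5e:00:53:02": ("end", "", "grain"),
    "00:00:5e:00:53:03": ("jay", "c", "doe"),
}

# Second label of the host name -> what it says about the connection (from the slides).
SEGMENTS = {"wireless": "wireless", "dorm": "wired (dorm)", "acs": "IT staff"}

def name_forms(first, middle, last):
    """Host labels a name-derived naming scheme could produce for one person."""
    forms = {f"{first}-{last}", f"{first}{last}", f"{first[0]}{last}"}
    if middle:
        forms.add(f"{first[0]}{middle[0]}{last}")
    return forms

def audit(ptr_export, registrations):
    """Return (ip, fqdn, connection) for PTR names that embed a registered name."""
    known = set()
    for first, middle, last in registrations.values():
        known |= name_forms(first, middle, last)
    findings = []
    for line in ptr_export.splitlines():
        if not line.strip():
            continue
        ip, fqdn = line.split()
        label, segment = fqdn.rstrip(".").lower().split(".")[:2]
        if label in known:
            findings.append((ip, fqdn, SEGMENTS.get(segment, "unknown")))
    return findings

def opaque_label(mac, key):
    """Stable per-device label with no personal data: keyed hash of the MAC."""
    digest = hmac.new(key, mac.lower().encode(), hashlib.sha256).hexdigest()
    return "dev-" + digest[:12]
```

The key passed to `opaque_label` has to stay secret on the DHCP/DNS side; with an unkeyed hash, anyone who knows a device's MAC could recompute its label.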

Page 6: Hello, My Name Is Host Name Endgrain Rad Kaminsky

The Vulnerability

- Decided to further research USM network security and privacy as an educational project for Tiffany's computer ethics class (spring 2009).
- Access Control
  - First time use – Authentication
    - Login with USM account
    - MAC address of connecting device is paired with account in database
    - Also paired with semi-static PUBLIC IP address
  - Subsequent access to the network with same device does not require authentication
- Network-wide “device registration” database that interfaces with DHCP server

Page 7: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Weaknesses

- Complete trust is placed in MAC addresses as a unique identifier
  - Can be spoofed! (old news right?)
  - Part of protocols, can't really be fixed
- Global IP addresses
  - Why???
  - Puts users at unnecessary risk
- No port based security on switched LAN
  - Impossible at a college due to the mobile nature of most devices

Page 8: Hello, My Name Is Host Name Endgrain Rad Kaminsky

What if...

- Potential for abuse
  - Impersonation by spoofing MAC address
    - View questionable web content
    - File sharing
    - Any other suspicious network activity all under the cover of another user
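Because the registration scheme treats the MAC address as the user's identity, the network side can at least look for signs that one registered MAC is being presented by two different devices. The following detection sketch is an added example, not part of the original slides; the event tuples, access point names, DHCP option 55 parameter lists and the `MIN_TRAVEL_SECONDS` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed DHCP events: (epoch seconds, MAC, access point, option-55 parameter list).
EVENTS = [
    (1000, "00:00:5e:00:53:01", "ap-library", "1,3,6,15,119,252"),
    (1600, "00:00:5e:00:53:01", "ap-library", "1,3,6,15,119,252"),
    (1650, "00:00:5e:00:53:01", "ap-dorm-3", "1,28,2,3,15,6,12"),
    (2000, "00:00:5e:00:53:02", "ap-dorm-3", "1,3,6,15,31,33"),
    (9000, "00:00:5e:00:53:02", "ap-library", "1,3,6,15,31,33"),
]

# Assumed shortest plausible time for one device to move between two access points.
MIN_TRAVEL_SECONDS = 300

def find_suspect_macs(events):
    """Return {mac: [reasons]} for MACs whose behaviour suggests two devices."""
    last_seen = {}
    suspects = defaultdict(list)
    for ts, mac, ap, fingerprint in sorted(events):
        prev = last_seen.get(mac)
        if prev:
            p_ts, p_ap, p_fp = prev
            # A different DHCP request fingerprint usually means a different OS stack.
            if fingerprint != p_fp:
                suspects[mac].append(f"fingerprint changed at {ts}")
            # The same MAC on two access points faster than a person can walk.
            if ap != p_ap and ts - p_ts < MIN_TRAVEL_SECONDS:
                suspects[mac].append(f"moved {p_ap} -> {ap} in {ts - p_ts}s")
        last_seen[mac] = (ts, ap, fingerprint)
    return dict(suspects)
```

A dual-boot machine or an operating system upgrade also changes the fingerprint, so a hit is a prompt for re-authentication or review rather than proof of impersonation.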

Page 9: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Unanswered questions

- How do the DHCP servers build user domain names?
  - Is the full-name-as-host-name feature part of a DHCP package or did the university create the system themselves?
  - Pulling information from student database
- Why is each device on the network given an Internet routable IP address?
- Most importantly – why does my host name contain my full name?

Page 10: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Network Analysis Tool

- Logs MAC addresses and domain names
- ARP scans network and lists offline hosts
- http://endgrain.ath.cx/

Page 11: Hello, My Name Is Host Name Endgrain Rad Kaminsky

How Host Names are Used at Many Universities

- Some schools offer a procedure to change host name by filling out FERPA privacy form
- More than 60 Higher Educational Institutions Use Real Name = Host Name

Page 12: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Legal Issues: Privacy, Personal and Online Security

- Big Question: Why do some educational institutions use real names as host names?
  - Not a good idea for privacy and security concerns
- Secondary Questions: Why would they want to use real names as host names?

Page 13: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Pressure from Anti-Piracy Counter-measures?

- Facilitates DMCA take-down notices and cease and desist RIAA legal threats
- Do patterns of RIAA lawsuits surround college campuses because of this built-in ability to easily retrieve legal names?

Page 14: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Privacy and Personal Safety Concerns

- Privacy
  - Broadcasting real names on IRC and other online forums creates privacy and personal safety issues.
  - What rights you have to protect your Internet searches—differences between society at large and on college campuses.
  - When students use IRC or visit websites, search the web, privacy FAIL

Page 15: Hello, My Name Is Host Name Endgrain Rad Kaminsky

DMCA and RIAA Influences?

- RIAA
  - Driven a lot of need for ease of identifying users
  - Attempted to pass legislation in 2007 requiring educational institutions to install filters on their networks if the RIAA deemed that school to have many infringers.

Page 16: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Digital Millennium Copyright Act

- DMCA
  - Take-down notices under Section 512
    - Requires ISPs or college networks to take down allegedly infringing materials or they lose their “safe harbor” protections
    - Strict wording in the statute and steep penalties for loss of safe harbor protections encourage less analysis of legitimate take-down notices and result in little or no analysis of legitimacy of claims.
    - Vitiates Fair Use

Page 17: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Privacy of Personally Identifying Information

- FERPA protects student information
- If school has a form to allegedly change host name that's connected with a FERPA form, they have knowledge that current IT practice of assigning host name may violate FERPA
- Why isn't it opt in instead of opt out if PII?

Page 18: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Have the RIAA Legal Threats Encouraged These Security and Privacy Vulnerabilities?

- Statistical Analysis
  - Found 60 schools through Westlaw and news article searches and put together a list of most schools (students) targeted by the RIAA
  - Dan's team did reverse DNS look-ups on those schools to determine if real name = host name
  - Correlation?

Page 19: Hello, My Name Is Host Name Endgrain Rad Kaminsky

Contact

[email protected]@gmail.com
[email protected]@doxpara.com
[email protected]@elcnetworks.com