
The More Things Change...

Steve Romig
The Ohio State University

July, 2004

Game Plan

• I want to walk through a rough chronology of security events from the last 20 years

• What have we learned?

• What have we failed to learn?

Me

• Graduated from Carnegie Mellon University, BS in Math, CS track in 1982

• First job: an internship at CompuServe (1981-1982)

• Started at OSU in January, 1983

• Learned security “the old fashioned way”

1985 - TCP/IP Issues

• "A Weakness in the 4.2BSD UNIX TCP/IP Software", AT&T Bell Laboratories, by Robert Morris

• Describes TCP sequence number prediction

• Could be used to spoof trusted hosts

• More on this later...

In 1988...

• One new virus/month reported

• Viruses are just a PC thing

• Internet has 60,000 hosts

1988-11-02 - Morris Worm

• Early response - patch binaries with adb!

• Much FUD

• Contained by November 5

• 3000-6000 hosts infected (5-10%)

1988-11-02 - Morris Worm, Aftermath

• Spafford's "Phage" list started

• CERT created

The Blame Game

• The miscreants

• The vendors

• The programmers

• The users

The Name Game

• Then: virus, worm, trojan horse

• Now: malware, rootkit, botnet

Homogeneity on the Internet

• Then: 85% Unix

• Now: 96% Windows (desktops)

• Geer et al, 2003-09 - warnings about the monoculture

Vulnerabilities

• Buffer overflow in fingerd

• "Overlooked" debug option in sendmail

• Fingerd runs as root

• Password guessing

• Trusted hosts

1989 - TCP/IP

• “Security Problems in the TCP/IP Protocol Suite”

• Steve Bellovin expands on the issues Morris brought up in 1985

• I read it, it seemed fairly obscure and "technical"

1989 - Security Workshops

• Computer Security Incident Handling Workshops start in Pittsburgh

• Eventually leads (at least indirectly) to the formation of FIRST

• Many incident response teams form over the years

1989ish - Mailing Lists Galore

• Full disclosure debates abound

• alt.security and comp.security created

• 1989-1991 - Zardoz "Security Digest"

• 1990-1991 - core mailing list

• 1990 - vsuite mailing list

1989-1990

• 1989: Cliff Stoll publishes “The Cuckoo’s Egg”

• 1990: Sun security-alert mailing list begins

1990 bugs

• Various “LAN services”:

• ypserv, portmap, NFS (file handles, device files, general configuration issues)

• Available to the world

• Insecure default configuration

• Ring any bells?

1992 - Rbone, Neptune

• TCP/IP sequence guessing attacks

• Neptune (1994) has a nice user interface and error checking!

• This is the attack that I thought was too technical

• Writing the code (once) makes the technique widely available to the masses
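The sequence-number weakness behind the 1985 Morris paper and the Rbone/Neptune slide, modelled in an added Python example (not code from the talk): a 4.2BSD-style fixed-step counter beside an RFC 1948/6528-style keyed generator, with a function that measures how often the next ISN can be guessed from one observed connection. The step size, the secret and all addresses are constructed, and the model leaves out the per-second clock bump.

```python
"""Model of the TCP initial sequence number (ISN) weakness described by
Morris (1985) and Bellovin (1989), beside the keyed generator that fixed it.
Simplified illustration, not any real kernel's code."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class LinearIsn:
    """4.2BSD-style: one global counter bumped by a fixed step per new
    connection. Anyone who has seen one ISN can compute the next."""

    def __init__(self, seed, step=64):          # constructed seed/step
        self.counter, self.step = seed & MASK32, step

    def next_isn(self, four_tuple):              # 4-tuple is ignored here
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class KeyedIsn:
    """RFC 1948 / RFC 6528 style: counter plus a keyed hash of the connection
    4-tuple, so the gap between two connections depends on a secret."""

    def __init__(self, secret, step=64):
        self.counter, self.step, self.secret = 0, step, secret

    def next_isn(self, four_tuple):
        self.counter = (self.counter + self.step) & MASK32
        mac = hmac.new(self.secret, repr(four_tuple).encode(), hashlib.sha256).digest()
        return (self.counter + int.from_bytes(mac[:4], "big")) & MASK32


def prediction_hit_rate(gen, trials=200):
    """An observer opens its own legitimate connection, learns that ISN, and
    guesses that the following connection (from a different client) will
    receive ISN + step. Returns the fraction of guesses that are right."""
    hits = 0
    for i in range(trials):
        probe = ("10.0.0.5", 40000 + i, "192.0.2.10", 23)    # constructed
        other = ("192.0.2.77", 51000 + i, "192.0.2.10", 23)  # constructed
        observed = gen.next_isn(probe)
        guess = (observed + gen.step) & MASK32
        hits += guess == gen.next_isn(other)
    return hits / trials


if __name__ == "__main__":
    print("linear counter:", prediction_hit_rate(LinearIsn(seed=0x1234)))
    print("keyed (RFC 6528 style):", prediction_hit_rate(KeyedIsn(b"constructed-demo-secret")))
```

With the linear counter every guess is right; with the keyed generator the guess only succeeds if two different 4-tuples happen to hash to the same 32-bit offset.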

1995 - "NFS" Shell

• I mention this because we’re seeing this in use again in 2004

• There are still plenty of insecure NFS servers around

1995ish - Program Level Rootkits

• Replaces ls, du, find, ps...

• Pinsh/ponsh backdoor

• Finger daemon backdoor

• Primitive library rootkit components

1995 - Much Password Cracking & Sniffing

• 2004 - we see the same now

• Talked about 2-factor authentication then, talking about it again now

• Recognized need to get away from reusable passwords then (and now)

• Hubs, switches, ssh, ipsec, ssh trojans...

1995-01-25 - OSU SECWOG starts

• Monthly security awareness and training

• Instrumental in building a community that supports security initiatives at OSU

1995-04-03 - SATAN

• Dan Farmer releases SATAN

• *Huge* furor over the release

• Dan loses his job at SGI over it

1996 - OSU’s Local Miscreants

• They sniff passwords in our labs

• Use our dialup pool for free access

• Break into military and government sites

• No major dialup activity since then (apart from "usual" spam, viruses...)

• The OSU "review" software

1997 - OSU Starts Scanning

• Started with SATAN

• Purchased ISS Internet Scanner in 1997

• Distributed to departments

• Run centrally

1998

• Netbus, backorifice

• First primitive DDOS tools

1999-07-04 - DDOS Attacks at OSU

• 250? Unix hosts compromised

• Incoming DOS takes us out for 6-8 hours

• 50 of the 250 used for outbound DOS, 6 more hours of downtime

• We start blocking hosts that are compromised

1999 - Malware

• TFN, Trinoo, Stacheldraht...

• Dsniff

1990's Security Tools

• tripwire

• cops

• ssh

• satan

• iss

2000

• OSU firewall project starts

• ILoveYou hits

2001

• Code Red

• NetStumbler

• War Driving

2003-01 - Slammer

• Patching becomes a "big deal"

• 10 minutes to infect most hosts

• 34 OSU computers infected

• Infection rates: 1.4m/hr inbound, 26.6m/hr outbound

2003-01 - Slammer

• We used ISS' scanslam to ID vulnerable computers

• We used Cisco netflow logs to ID infected computers

• Infected, vulnerable computers are blocked automatically
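An added Python illustration of the NetFlow-based identification and automatic blocking the slide describes (example code, not OSU's tooling or flow-tools output): an infected host sprays one UDP/1434 datagram at many distinct destinations, while a legitimate SQL client talks to a few servers. The record layout, the 10.0.0.0/8 campus range, every address and the three-destination threshold are constructed assumptions.

```python
"""Flag Slammer-style UDP/1434 scanners from flow records and emit block rules.
The record layout and all addresses are constructed for this example."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow export: src dst proto sport dport packets bytes
FLOWS = """\
10.1.2.3 198.51.100.7 17 1434 1434 1 404
10.1.2.3 203.0.113.9 17 1434 1434 1 404
10.1.2.3 192.0.2.44 17 1434 1434 1 404
10.1.2.3 198.51.100.200 17 1434 1434 1 404
10.1.2.3 203.0.113.251 17 1434 1434 1 404
10.1.9.9 10.1.9.20 17 51234 1434 1 404
10.1.9.9 10.1.9.20 6 51235 1433 40 8192
10.1.7.7 198.51.100.7 6 49152 80 12 3400
"""

INTERNAL = ip_network("10.0.0.0/8")   # constructed campus address range
UDP, SLAMMER_PORT = 17, 1434          # Slammer spread over UDP to SQL Server resolution port 1434


def parse_flows(text):
    """Yield one dict per non-empty line of the constructed export format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, byts = line.split()
        yield {"src": src, "dst": dst, "proto": int(proto), "sport": int(sport),
               "dport": int(dport), "packets": int(pkts), "bytes": int(byts)}


def find_scanners(flows, min_targets=3):
    """Map internal source -> number of distinct UDP/1434 destinations, keeping
    only sources at or above min_targets. A worm fans out to many hosts; a real
    client reaches a handful of servers, so destination fan-out separates them."""
    targets = defaultdict(set)
    for f in flows:
        if (f["proto"] == UDP and f["dport"] == SLAMMER_PORT
                and ip_address(f["src"]) in INTERNAL):
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def block_rules(scanners):
    """Render one deny rule per flagged host (IOS-style extended ACL syntax,
    used here only as an illustration of automatic blocking)."""
    return [f"access-list 101 deny ip host {host} any" for host in sorted(scanners)]


if __name__ == "__main__":
    flagged = find_scanners(parse_flows(FLOWS))
    print(flagged)                      # {'10.1.2.3': 5}
    print("\n".join(block_rules(flagged)))
```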

2003-06 - Adware and Spyware

• Largely ignored (by us) until then

• Finally receiving attention now

• Commercial products

• Media attention

2003-08 - Blaster

• Hard on the heels of password guessing attacks

• Many systems had been tightened down already

• More blocking of vulnerable, infected computers

• More incentive to patch things

2004-02 - Bagle, MyDoom, Netsky

• Lots of email!

• Many, many variants

• Bounce email is almost as bad as the virus email

2004 - Full Circle

• Intruders sniffing, cracking passwords

• Local exploits to gain root, set up shop

• By hand - little/no automation

Things That Haven't Changed

• Bugs, design flaws in software

• The full-disclosure debate

• Default installs are insecure

Things That Are Better

• More incident response teams, abuse contacts

• Vendors seem responsive, sort of, after the fact

Things That Are Worse

Increasing Amounts

1994 2
1995 11
1996 102
1997 308
1998 348
... ...
2002 1145
2003 786/4039

Increased Automation

• Easy for them to infect 100's of thousands of hosts

• 200,000 hosts picking up agobot from OSU in 3 days...

• On the other hand, we’re more automated also

Increasing Sophistication

• Better rootkits (HackerDefender)

• Encryption

• Agobot

Increasing Variations

• Agobot - hard to analyze them all

Increased Economic Incentives

• Botnets for spam

• Industrial espionage

• Identity theft

• Extortion

Stakes Are Higher

• Internet isn't just a "cool toy" any more

• Our y2k survival plan: use paper

• In 2004, the paper doesn't exist

Challenges

• 10,000+ user-owned machines

• Network registration, vetting, self-remediation

• Remote access and reusable passwords

Some Key Tools

• SCORE - our host information database

• SITAR - incident tracking

• IDB - intrusion detection

• Cisco NetFlow logs, flow-tools software

• Nmap, ISS, other scanners

• Snort

References

• http://securitydigest.org

• http://www.net.ohio-state.edu/security/talks.shtml