A 10,000 Foot View of Internet Security in Zakir Durumeric

Transcription

1 A 10,000 Foot View of Internet Security in 2017 Zakir Durumeric

2 Who am I? I am joining the Stanford CS Department in Fall 2018 My research primarily focuses on empirical security, particularly improving network security through large-scale measurement This includes building systems to perform large-scale data collection, uncovering vulnerabilities in how systems have been deployed in practice, designing more secure protocols and systems

3 Worsening Distributed Denial of Service (DSoS) Attacks

4 Devastating DDoS Attacks In October 2016, DDoS attacks took DNS provider Dyn offline Source: Dyn Largest denial of service attack on public record (>600gbps)

5 Mirai: IoT Devices to Blame Understanding the Mirai Botnet, USENIX Security 17

6 Mirai: IoT Devices to Blame 700, , , , ,000 Steady State: 2-300K Peak: 600K+ Infected Devices Total Mirai Scans TCP/23231 TCP/22 TCP/2222 TCP/37777 TCP/443 TCP/5555 TCP/6789 TCP/8080 TCP/80 TCP/23 TCP/2323 TCP/ , , /01/16 09/01/16 10/01/16 11/01/16 12/01/16 01/01/17 02/01/17 Date Understanding the Mirai Botnet, USENIX Security 17

7 What Happened? It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by hacktivists. Or a foreign power that wanted to remind the United States of its vulnerability. Understanding the Mirai Botnet, USENIX Security 17

8 Embarrassingly Bad Security Mirai was possible because hundreds of thousands of devices used default logins and had trivial vulnerabilities Targeted IP rdns Passive DNS ns1.p05.dynect.net ns00.playstation.net ns2.p05.dynect.net ns01.playstation.net ns3.p05.dynect.net ns02.playstation.net ns4.p05.dynect.net ns03.playstation.net Nearly every aspect of Mirai was poorly orchestrated Used no modern malware techniques service.playstation.net ns05.playstation.net service.playstation.net ns06.playstation.net Dyn was taken offline by a handful of miscreants trying to attack a Playstation Game Server Understanding the Mirai Botnet, USENIX Security 17

9 Embarrassingly Bad Security Understanding the Mirai Botnet, USENIX Security 17

10 dmim.ir bklan.ru angoshtarkhatam.ir youporn.wf dibamovie.biz dibamovie.site ip eu xex-pass.com diamondhax.com piratetorrents.net anabolika.bz elektro-engel.de strongconnection.cc moreoverus.com namlimxanh.net.vn kleverfood.vn tamthat.com amgauto.vn ngot.net dacsanthitchua.com herokids.vn santasbigcandycane.cx irisstudio.vn joomlavision.com alexander-block.ru lr-top.ru infonta.ru avtotyn.ru sert-cgb.ru igm-shop.ru osinniki-tatu.ru food-syst.ru taylor-lautner.ru upfarm.ru dardiwaterjet.ru general-city.ru titata.ru video-girle.ru hotelkhiva.ru firstclaz-shop.ru pornopokrovitel.ru sl22.ru childrens-health.ru poliklinikasp.ru videostrannik.ru domisto.ru pavelsigal.ru russianpotatoes.ru wwrf.ru sims-4.ru daf-razbor.ru tomlive.ru stt-spb.ru mp3impulse.ru securityupdates.us kia-moskva.ru kiditema.ru avtoatelie-at.ru dom-italia39.ru shokwave.ru vkladpodprocenti.ru ru hyrokumata.com polycracks.com absentvodka.com mufoscam.org analianus.com rutrax.ru voxility.org voxility.com voxility.ro voxility.net voxility.mobi investor-review.com xf0.pw gramtu.pl q5f2k0evy7go2rax9m4g.ru bebux.net ip eu 69speak.eu apkmarket.mobi steamcoin24.ru keycoins.ru keygolds.ru skincoin.ru walletzone.ru playerstore.ru skinplat.ru skincoin24.ru keyzet.ru muplay.ru tradewallet24.ru gamewallet.ru keydealer.ru steamon.ru gowars.ru boatnetswootnet.xyz tradewallet.ru teamcoin.ru gameshoper.ru gamegolds.ru sillycatmouth.us kernelorg.download disabled.racing lateto.work occurelay.net dopegame.su sipa.be bitcoinstats.com bluematt.me bitnodes.io elyricsworld.com emp3world.com boost-factory.com infoyarsk.ru aodxhb.ru qlrzb.ru zogrm.ru zosjoupf.ru txocxs.ru nrzkobn.ru mehinso.ru fastgg.net alexandramoore.co.uk infobusiness-eto-prosto.ru timeserver.host party-bar66.ru aaliya.ru jealousyworld.ru sony-s.ru agrohim33.ru wapud.ru kinosibay.ru gam-mon.ru svoibuhgalter.ru udalenievmiatin.ru kopernick.ru 5d-xsite-cinema.ru bocciatime.ru kvartplata1.ru receptprigotovlenia.ru kunathemes.com chiviti.com intervideo.top intervideo.online smsall.pk dyndn-web.com checkforupdates.online myfootbalgamestoday.xyz srrys.pw tr069.online novotele.online soplya.com tr069.support kciap.pw kedbuffigfjs.online mziep.pw binpt.pw jgop.org xpknpxmywqsrhe.online zugzwang.me nuvomarine.com gettwrrnty.us rippr.club netwxrk.org servdiscount-customer.com layerjet.com proht.us middlechildink.com zeldalife.com playkenogamesonline.com brendasaviationplans.xyz thcrcz.top stbenedictschoolbx.org hexacooperation.com e3ybt.top grotekleinekerkstraat.nl critical-damage.org zvezdogram.com com ipeb.biz blockquadrat.de my2016mobileapplications.tech nerafashion.com centurystyleantiques.com madlamhockeyleague.com realsaunasuit.com cloudtechaz.net dumpsterrentalwestpalmbeachfl... ok6666.net happy-hack.ru germanfernandez.cl kcgraphics.co.uk thqaf.com addsow.top semazen.com.tr doki.co kentalmanis.info rencontreadopoursitedetours.xyz nextorrent.net 2ws.com.br geroncioribeiro.com gideonneto.com drogamedic.com.br pontobreventos.com.br expertscompany.com woodpallet.com.br pontobreventos.com acessando.com.br 2world.com.br escolavitoria.com.br controluz.com.br sistematitanium.com bigdealsfinder.online megadealsdiscounter.online superpriceshopper.online bestpricecastle.online bestsavingfinder.online starpricediscounted.online greatdealninja.online megadealsfinder.online topdealdiscounted.online superpriceshopping.online eduk-central.net hightechcrime.club cheapkittensspecial.win yellowpuppyspecial.pw cheapestdogspecial.pw 33catspecials.pw finddogdeal.win yellowcatdeal.win cheapestdoggyspecial.pw findcatspecial.win 33puppiesspecials.win yellowpetsspecials.pw greendoggyspecial.pw 33catsdeal.pw cheapestdogspecials.win 33kittensspecials.pw bluepuppiesdeals.pw greenbirdsspecials.win greenkittensdeal.pw bluepuppyspecial.pw findbirdsspecials.pw nfoservers.com icmp.online xn----7sbhguokj.xn--p1ai transfer.club admin-vk.ru favy.club xn--b1acdqjrfck3b7e.xn--p1ai xn--80aac5cct.xn--80aswg ta-bao.com dopegame.ru dolgoprud.top ocalhost.host alcvid.com ousquadrant.com protopal.club tr069.pw 6969max.com serverhost.name as62454.net spevat.net mwcluster.com edhelppro.bid secure-limited-accounts.com mediaforetak.com lottobooker.ru postrader.eu robositer.com postrader.it siterhunter.com postrader.org secure-payment.online secure-support.services ssldomainerrordisp2003.com clearsignal.com ip eu avac.io ip eu Cluster 2 Cluster 6 Cluster 23 Cluster 7 Cluster 1 Cluster 0 Moving Forward Mirai hasn t gone away fractured control could easily return It will return unless there s significant change Understanding the Mirai Botnet, USENIX Security 17

11 IoT Security Beyond Mirai Mirai is one example of poor security in a worrisome trend Second Example: Hundreds of thousands of embedded devices serve user data to the public over anonymous FTP Data ranges from clinical medical records to HR and financial data are publicly available Typically due to poor user interfaces, default credentials, and easy-to-find vulnerabilities FTP: The Forgotten Cloud, DSN 16

12 Malware, Infection, and Ransomware

13 A Thriving Underground Economy Pay Per Install : Compromised machines are a purchasable commodity Allows multi-tenancy of machines for denial of service attacks, malicious hosting, spam, PII theft, ad fraud Fill out web form with the number of machines you need and payment, then upload your malware binary: U.S./Western Europe Installs: $ Less Popular Installs (mostly Asia): $7-8 Large providers see abusive traffic from tens of millions of abusive IPs on a daily basis Source: The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

14 DDoS For Hire: Booter/Stresser Services DDoS has been commoditized: Enables non-sophisticated subscribers to extort, harass, and censor First major Mirai attack was taking down Brian Kreb s blog Popular services carry out of 100Ks of attacks from 1Ks of subscribers Accept PayPal, Bitcoin. $ based on duration/intensity Primarily amplification attacks that use misconfigured NTP, DNS, SIP Source: Understanding and Undermining the Business of DDoS Services

15 The Rise of Ransomware Ransomware has become extremely popular dwarfs other types of malware attacks Little change in distribution: Phishing s, social media scams Largest 2017 Family (Cerber): ~7M USD - Expansive affiliate program Source: Unmasking the Ransomware Kingpins

16 Data Breaches and Mismanagement

17 Data Breaches Constantly hearing about data breaches Equifax, Anthem, ebay, Home Depot, Target, Adobe, Sony, Adult Friend Finder, OMB, Hard to detect root cause, but a few major problems: - Network mismanagement - Phishing - Out of date software - 20% of Flash installs are vulnerable - 25% of browsers out of date Source: Duo Trusted Access Report

18 Patching Behavior Vulnerable Percentage of HTTPS Hosts Alexa Top 1 Million Sites Public IPv4 Address Space 04/12 04/19 04/26 05/03 05/10 05/17 05/24 Heartbleed OpenSSL vulnerability allowed remote attackers to dump memory Massive publicity likely best case patching scenario Patching plateaued with 30% of IPv4 hosts remaining vulnerable Today, 100K+ hosts remain vulnerable. Most are IoT devices Date The Matter of Heartbleed, IMC 14

19 Increased Data Collection Many of the headlines are about financial data leaks - Primary worry: Identity theft Hospitals, insurance providers are also commonly. Earlier this year, Uber. Worrisome trend of collecting and store all data - IoT devices will continue to have access to more sensitive information

20 Encrypting Data in Transit

21 Increasing HTTPS Deployment For the first time, 50% of Chrome and Firefox page loads use HTTPS Chrome more restrictive on loading HTTP content Firefox only releasing new features for HTTPS connections Percent of page loads over HTTPS in Google Chrome [Source: Google Chrome Team]

22 TLS 1.3 Nearing Completion We ve seen quite a few TLS 1.2 protocol vulnerabilities the last few years: POODLE, FREAK, Logjam + Weak Diffie-Hellman Keys, DROWN, [ ] TLS 1.3: A simpler protocol built on lessons from the last few years: - Simpler construction with formal analysis before finalization - Removes many insecure options - Increased Performance Current Impediment: Poorly constructed middle boxes are holding back deployment

23 Trustworthy PKI <2011: Little visibility into the certificate authorities that support HTTPS : Uncovered rampant abuse through Internet-Wide Scanning : Web browsers taking more proactive role policing CAs 2018: Browsers requiring trusted certificates to be in public logs (CT) 2018: Proactive, programmatic detection of authority mismanagement Analysis of the HTTPS Certificate Ecosystem, IMC 13 Tracking Certificate Misissuance in the Wild, S&P 18

24 Delivery Security Gmail Messages Delivered over TLS Inbound Outbound 90% 68% 45% 23% 0% security has historically lagged behind HTTPS November 2017: ~90% of is encrypted in transit 230% increase in the last four years IETF is finalizing Strict Transport Security to protect against attacks uncovered in 2014 Details: An Empirical Analysis of Delivery Security, IMC 15

25 A 10,000 Foot View of Internet Security in 2017 Zakir Durumeric Stanford University