Connecting Safely to the Internet

Originally presented at the NetExpo/Internet Business Conferences, San Diego CA on January 25, 1995
Additional presentations: to be announced

Tom Perrine, Manager, Workstation Services, San Diego Supercomputer Center

[the comments in '[]' are keys to the viewgraphs used during the presentation]

The indented comments in italics are background information that was not part of the presentation, but provides additional context

This transcript is still being annotated, expect a full html version in the next few weeks.
$Id: perrine.html,v 1.4 1995/08/22 21:16:23 tep Exp $

[TITLE SLIDE]

Good afternoon, I guess we will get started now, we are running about five minutes late. My name is Tom Perrine and I thought that I would have the session that would have five people in it. And then this funny thing happened... the first rule of computer security: if you are going to be on the front page of the New York Times, make sure your boss knows about it before he reads that Times on Monday morning. I don't know if any of you noticed the San Diego Supercomputer Center was mentioned several times in the New York Times in the last three days dealing with the security of the Internet. I have spent a large part of a lot of my weekends since Christmas addressing some of these issues. What I want to talk about today is how you can safely connect to the Internet. I'm not going to try to convince you that it is a good thing because hopefully you already believe that or you wouldn't be here. I'm not going to talk about all the benefits of connecting to the Internet. I'm going to talk about issues that you have to think about before you connect, the kinds of services that you might want to offer or make use of, risks and some strategies for taking care of those risks.

[Issues]

Here are some of the issues that you have to deal with if you are going to connect to the Internet.

You have to worry about protection of your company's information: information is becoming more valuable and more people are connecting really good stuff. If your entire corporate network is connected to the Internet, people are beginning to notice that nice confidential data. That data might give someone else a competitive edge that they might pay for.

Protection of your computing environment: if somebody gets in they can take down the entire network. How many people who have a business that depends on computers would really like to spend three or four days rebuilding that environment (or a week or a month). Can your business function without its computing resources?

Another thing you need to consider is privacy: you have to protect your users and your customers. For example, you need to protect your users from abuse, having their information stolen... having their information damaged. And your customers must be protected, because if you are providing a service, whether you like it or not, you probably have a legal obligation to do "due diligence" to ensure the protection of your customers. You may be selling them a service, in which case you are responsible for that service and if there is harm to it, well, I'm not a lawyer but you all know how that can go. The other thing is privacy. Even if you do not have what you would consider confidential information on a computer anywhere, you may have information on that computer that is covered by the Electronic Communications Privacy Act (ECPA): electronic mail, benefits records, employee records. A lot of that stuff is covered by law and it is your responsibility to make sure that it is secure, not available to just anyone.

[service model]

Okay, this is a typical model for a company or an organization that wants to hook itself up to the Internet and why.

Maybe they just want to have a presence on the Net. I know that I would not be comfortable dealing with a company that is going to sell me networking services and products if I can not reach them through the Internet. I would not be willing to buy software from a company that claims to give me Internet access or make the Internet easy to use if I could not get to them over the Internet. Or at least get some information about their products. This presence might be something like a World Wide Web (WWW) page. Or e-mail.

You might want to reach a customer via electronic mail if you are in a support role, or if you have a software product out there you might want to be able to send information and updates to your current customers. Or you might even like doing something really exotic like EDI (electronic data interchange), although the Internet is certainly not a good place for that - at least not this year. For example I get information from Sun Microsystems, Silicon Graphics and Hewlett Packard. Every other day I get a dump of their latest press releases and lots of technical information. I like that because I know what is going on with the people that I have to deal with.

You might want to make your software available through FTP. Did you know that if you deliver your software electronically there is no state sales tax? It is also a very convenient way to get software updates into the hands of your customers. It is much easier to put up an Internet site with an appropriately protected FTP area to allow your customers to download that latest upgrade when they want to. And you can update that in a very timely fashion instead of having to generate 3 or 4 thousand CD-ROMs or 10 or 20 thousand floppy disks. Those are all services you might want to make available.

The other side of the coin is that you might want to allow your company and your employees to use the services of the Internet. Contact your customers. Contact your vendors. Find out the latest thing on Microsoft. You can get a Clarinet news feed which is the AP and UP wire delivered to you electronically. Things that can give your business an advantage.

[services offered]

Okay, services that you can offer... I talked about this a little bit earlier.

Information by request: a World Wide Web (WWW) page or server. One way to do this is to bring up your own computer on the 'Net, your own information server, and then administer it yourself, worrying about all the data that's on it and worrying about someone breaking into it. Something else you might want to think about doing is that you can now go to your Internet service providers and they will put up a web page for you. And they will make it look like it comes from your "company name.com", and when a person references the World Wide Web service looking for your company it takes them to a home page on one of the machines that the Internet provider worries about.

You don't have to worry about it, which is very nice because now you can give your service provider a tape with the data, you don't even have to connect to the Internet. You just have to give them the information and pay them the appropriate amount of money and they will put up a very nice world wide web page for you. Your customers or potential customers still get information about you by accessing your world wide web page even if your company is completely disconnected from the Internet.

If you are doing customer support with electronic mail and FTP you can do the same thing. In any case, if you don't want to bring up your own server and manage it and deal with it and worry about it being compromised, you can talk to one of the providers to do this for you. You can also offer electronic-mail-only accounts where the only access you have to the Internet is electronic mail. Or you can put your information in their anonymous FTP area. Again, it can be as close as you give them the information over the network and they will put it up, or you can give them the information on a tape and that way you are not connected to the net at all and you have zero risk as far as the net is concerned.

But if you really want to make use of external resources, if you want the employees in your company to make use of the Internet, you are going to have to have some more "direct" connection to the net. And that is where things get more dangerous.

[Risks]

I don't want anyone to get the idea that the Internet is too dangerous a place to be, but it's changed in the last few years.

[Internet Demographics have changed]

The Internet demographics have really changed. My parents grew up in a small town in West Virginia, population 800. I don't even know if they had locks on the doors. That is the way the ARPANET was when I got on it the first time, when I was in high school. There were about 40 or 50 computers, everybody knew everybody else, you could always log into any computer as a "guest" without a password, because it was a very small community and everyone trusted each other, everyone who was connected. The demographics have changed. Now it takes a computer or a terminal and a modem and $20 a month and anybody can be on the 'Net. There is a much wider audience. When you get a wider audience you have a larger number of people who might try to take advantage of you or the situation.

[Increasing Value of Information]

Consider the value of information that people used to have on the Internet. All that was there was research information; it had almost no commercial value at all. Why steal something that has no value? Why go to the effort? Of course some people took it as an intellectual challenge and did it anyway. But if they stole it, big deal, it was being given away free - they were stealing information that was already being given away.

That is not happening any more. You should think about how your business might function without information. It can't. That information is valuable to you. Information about your company is valuable to you. It could be valuable to your competitors.

Along with this increase in value of information, people are connecting this information to the Internet whether they know it or not. Let's say you have a nice large network inside your company and somebody in some department that you have never heard of connects their department to the Internet. You may not even know it. Your central MIS staff doesn't know it. If you are large organization you might find out about it by happenstance. Whether people know it or not they are connecting valuable information to the Internet.

[Attack Methods]

Attack methods have changed dramatically in the last three years. We used to see lots of real low-level stuff, but very little sophisticated stuff. Remember Disneyland, "you must be this tall to ride"? Well, you must be this tall to crack the Internet. You had to be able to write a program, compile it, do some really technical stuff. Then people started giving away the source code to these cracking tools. Now instead of having to be this tall (48") you must be this tall (36"). You must be able to figure out how to compile the source code that somebody gave you. Then you must be this tall (24") because somebody made a self-installing package of the cracking tools. And now you don't even need to compile it; you can be this tall (12") and still crack the Internet because so many people who are writing this software are essentially turning it into shrink-wrap products and exchanging it for money, information, passwords. The level of sophistication of the attacks is constantly increasing and the people who can take advantage of those attack methods are a larger population, because you don't have to be as smart and you don't have to know as much about the Internet to use this really "nice" cracking software. We are also seeing more professionals. It used to be "joy riders", just like cars. Twenty, thirty years ago if a car was stolen it was kids out for joy riding. Nowadays 70 or 80% of the cars that are stolen are parts before they are even reported. We have seen a couple of instances on the Internet, especially in the last two years, where someone was hired to find a specific piece of information.

Sophisticates are getting better. They are like me or a little bit younger; they grew up on the 'Net and so it is very natural to them. Now they are giving these cracking tools away, to the "wannabees". We are seeing this because the sophisticates say "look what I've got, look what I've done. Isn't this amazing, I can even give you the tool that does it. I'm so smart, I've turned it into a program so that it's not even a manual process anymore". Or maybe someone has broken into something and has collected some passwords. Some sophisticate might say, "well I don't really have time to crack those but why don't you give me the passwords and I'll give you my tools for cracking it". And they are sharing with the wannabes.

Information is becoming more valuable; it's real information, it's information that your business depends on, and it is attached to the Internet. And more people realize that that information is there. These are some of the things that we are seeing for attack methods.

The absolute lowest tech is human engineering. Does anyone know what human engineering is? There is this guy named Kevin Mitnick who claims to be the master of human engineering. This is when someone calls you up and says, "I'm so and so. I'm your boss's boss's boss's boss and I forgot my password and I need to get this data because I'm in New York and I have to present it to the board of directors tomorrow. You need to reset my password..." And if they call an operator at three in the morning who does not know them, does not know the sound of their voice, they can be bullied into doing this.... "If you don't give me the password you're going to be fired when I get back on Monday." Going after company phone books, sending for literature, posing as someone, maybe a vendor who's going to sell to you, or posing as a customer trying to convince you that you should give them some information.

Password crackers: this is a technique where you acquire the password file from the Unix system (in the Unix system the user ID and the password are stored in a file and it's readable by anyone). But the password is encrypted using a modification of the Data Encryption Standard (DES). It is known to be not possible to run this algorithm backwards in any finite amount of time. But what if you take all the words in a dictionary and just start encrypting them until they match? If my password is "cat" and if you start encrypting words from a dictionary, starting with aardvark, eventually you will encrypt the word "cat" and it will match the encrypted version that you stole from my system. There is a tool out there on the Internet called Crack. It was written by a systems administrator because "black hats" already had the tools and they were giving them away, and he said why should the systems administrators have to go and do this on their own. He wrote a really nice DES implementation and it literally goes through and exhaustively checks all the possible passwords till it gets a match. Anything that is a dictionary word, dictionary words together, dictionary words separated by a digit or a special character like a dash... It tries just literally billions of combinations. That is a password cracker.

Another issue: bugs and misconfigurations. This is a case where the crackers actually exploit software bugs, or the mistakes of a system administrator. The Internet worm from a few years ago exploited a bug in the UNIX sendmail program and it affected almost every machine connected to the Internet that was running Unix. That was either a bug or misconfiguration depending on who you believe. There have still been bugs on Sendmail as late as three months ago. There have been bugs in password authentication, bugs in remote procedure calls and errors in Internet protocols. This is where they actually attack the network interface and the network software of your computer. And they know a lot of tricks.

Trojan horses, this is a real good one. We had Trojan Horses long before we ever had viruses. A Trojan Horse is exactly what it sounds like. It is the classic Trojan horse attack where you give someone something that claims to be something useful but when they use it it actually mounts an attack on their system or opens the gates. There was a software company that discovered that someone was sending out free disks to media, government, and educational sites and some businesses that claimed to be the next version of their software. What it really turned out to be was the existing version of the software with a Trojan horse attached so that if you installed this software on your system and your system was connected to the Internet it opened the back door so they could come in later and break into the system - actually they didn't even have to break in they just had to type the magic password. Trojan Horse, it looks valuable, it looks like something that is useful, it looks like something you recognize and trust, but it isn't.

Now let's talk about network sniffers. When logging into a system you have to present the user ID, which identifies you, and the password, which authenticates you. Now, let's say that I'm here in San Diego and I want to log into a machine over the Internet. I fire up my telnet or rlogin program and connect to the remote machine. The remote machine prints some kind of login prompt and then asks for my password. I type my password... What happened to my password? It just went shooting across the Internet as clear text. If there was a person who planted a network analyzer or some sniffer software on a computer that they had broken into, they can watch the beginnings of network connections. They grab the first 1K or 2K bytes of the connection and they will get the user ID and the password. In the last two years every single attack we have seen has either begun or ended or both with the black hats using some kind of password sniffing software. Once they break in, a common goal is to put a sniffer on a network backbone and then they will collect user IDs and passwords. Thousands upon thousands of passwords, depending on how long that sniffer is in place. By the way, once a password is compromised, the crackers can just walk into your computer system; as far as the system is concerned, they *are* that valid user.

[Connection Strategies]

Strategies: these are some ways to reduce your risk. Make your presence on the Internet with someone else. Electriciti and CTSnet and CERFNet and lots of other Internet Service Providers (ISPs) will give or sell you space on their computer to hold your information. Then they can put up a web page for your company even though your company has no connection to the Internet at all. This is about as safe as it gets. It appears that you are on the Internet, people can get information about your company and find out about you and contact you, and yet your internal network or your internal computers are not connected to the Net at all. Somebody else has to deal with the risk, and besides, you don't put anything out there that you're not trying to give away, right? Customer support: if you are supporting your customers via electronic mail it is hard to steal things from your site. It can be done but it is hard. You might also do customer support via E-mail and anonymous FTP and some other services. In that area it is a coin toss as to whether or not your presence is on someone else's computer or on your own. And then if you want to use external resources, depending on what resources you want to use, it depends on what kind of access: it might be E-mail only, it might be PPP at 14,400 bits per second, or it might be a full-blown T3 (155 Mbps) Internet connection with every machine in your organization connected.

Another possibility that a lot of people don't think about is full time versus on demand. A full-time connection is up 24 hours a day, 7 days a week whether anybody is using it or not. This kind of connection is real popular with people who have high bandwidth needs. Now the only problem with a dedicated connection is that when you're not there, and nobody else is there at three in the morning, you are still connected to the Internet. An on-demand connection connects us to the Internet only when we choose to be connected; only when we are using the services are we actually connected, and that's the only time we are at risk. For example, my home machine has an on-demand connection to the Internet. The only time my modem actually dials into the Supercomputer Center and establishes an IP connection is when I'm trying to send mail or I'm using Mosaic or I'm searching the Internet. When I'm not using it the phone connection is dropped so no one has access to it, unless I'm using the computer and I'm there to watch it.

(Someone asked a question here that could not be heard on the recorder) Sure, there are a couple of ways to examine the network traffic. You can use a network analyzer; that is a real low-level techie idea. You can seal up every incoming network port on your computer or your gateway with some free software called TCP wrappers. The TCP wrappers monitor and log every incoming connection to your computer. This is what I do at home. There are other tools that are available; most of these tools are free but may require a fair amount of sophistication to set them up and use them correctly.

[Protection Strategies]

Some protection strategies.

Essential services only. For example, my home machine does electronic mail and telnet only from my desktop machine at work. It rejects and logs any and all other connection attempts. I allow no incoming remote procedure calls, no NFS file systems, no incoming email, no incoming Web. I just turned off everything except the services that I use. That is a real good strategy in conjunction with all the others.

Protecting your electronic mail requires another completely different strategy. When you send electronic mail over the Internet it is completely in the clear. For one thing that means that anybody that can sniff any network that your E-mail traverses can read your electronic mail. I have never sent a credit card number over the Internet, although there are some tools coming that will make that quite useful. So your electronic mail is at risk of being read. The other part is that, due to the design of the Internet protocols, there is no 100% guaranteed authentication of who really sent the message. So there are some packages out there that use "public-key" encryption. One of the real good ones is PGP, which stands for Pretty Good Privacy. O'Reilly and Associates has a good book and Stallings has a book on PGP. These books are available at Bookstar and just about everywhere else. The software is free.

Kerberos - remember we talked about how if I log into a machine at MIT my password goes across the network in clear text, meaning it's unencrypted and anyone can sniff it? Kerberos removes that clear text password from all networks. You and the Kerberos server exchange cryptographic information in such a way that someone who monitors the traffic has no way to see what your password really is. That comes out of MIT Project Athena. They have about a decade of experience and they have never had an intrusion that was due to the failure of the Kerberos protocols. I know some of the people who have worked on it and it's good.

Question: What is it called, and where can I get it?

Answer: Kerberos. It's available from MIT as free software. It's available from some software vendors; they ship it as part of Unix. It may also be called DCE. One of the DCE protocols for encryption in the next version of DCE will be Kerberos. Kerberos version 4 has been deployed for about five or six years. Version 5 is in beta test right now, also from MIT. I have some pointers to information also on the net. Configuration management, ah, another question?

Question: If I use Kerberos, can I still talk to a machine that doesn't use Kerberos?

Answer: Yes. You can always open untrusted connections to each other. If you want the features of Kerberos you both have to use it. Some people run Kerberos for their internal network but they let people in from the outside that aren't using Kerberos in a very limited fashion. Everybody has to use Kerberos to use all the features of Kerberos. Configuration management.... (question I can not hear?) You can tailor the level of protection against the risks and the value of information involved.

Configuration management: we have 120 workstations and servers. If we believe that one of our machines has been broken into, how do we prove that none of the other machines have been broken into? You can answer this question by having every single machine from the same vendor run exactly the same operating system. We then compute cryptographic checksums of every file on that system before we install it, and if we ever believe that we have been broken into we can go back and compare what is on the disk now to what was on the disk before it was ever connected to the network. That gives us a level of assurance that a machine has not been compromised.

[Protection Strategies]

And now on to firewalls, which are a way to build a gap between you and the network. This is a simple firewall [diagram]. There are two really good books that I recommend and I saw both of them on the book-seller's table out there. One is Internet Firewalls, or it is often called the Cheswick and Bellovin book. It's white with blue letters. If you want to know about firewalls that is the book; those are the guys that did the one for Bell Research. They describe how to build and configure a firewall. [Simple Firewall]

This is sort of a halfway step between having every machine in your inside network on the net and having this sort of external service provider. The way the firewall router works is that the only thing an external person can connect to is the gateway. This is where you put your World Wide Web and your external electronic mail and all kinds of things like this. This router will not let anyone come in anywhere except to here. This internal router over here is the connection between your internal nets and the intermediate net. This is what we call a DMZ (demilitarized zone). You don't really trust anything that is out here. And here is your internal router over here and it connects to all of the inside nets of your company. And it will only allow things from within the company to connect to the gateway. So people from outside can come in and connect to the gateway, and people from the inside can come out and connect to the gateway, but nothing will flow from the internal router to the firewall router.

The way you would use this is you would have a special telnet client inside, and if a person wanted to access something outside the company they would telnet to the gateway, log in and authenticate themselves there, and then from there they could telnet or FTP out into the real world. If somebody wants to come in they have to come in and do the same thing. They can't open a direct connection to anything which you consider within your security perimeter (inside the fence). You have to go through this check point called a gateway first. This is not a home project. Most of the companies that sell firewall software only sell it in conjunction with their systems and support, because it really is very important that you get that thing configured properly; if the firewall is not configured properly it might as well not be there. All it would do is give you a false sense of security. ANS-CORE has a firewall, IBM has a firewall, DEC has one, Internet Products here in San Diego has a firewall product. There is a firewall tool kit from Trusted Information Systems. And most of these companies really want to sell you the service of setting it up and configuring it so that you are safe.

Question: How does the filtering work?

Answer: Every network has a network number, and the address of a machine on that network contains that network number. This firewall router is configured to do filtering. Every packet that goes across the net has a source (where it came from) address and a destination (where it is going) address.

What this firewall router does is, first of all, any packet that comes in from the outside that has a return (source) address of an inside network you know has to be a lie. O.K., so that is the first way you guard against it. The second one is it takes a look at every destination address and if the destination address is not this gateway it throws it away. What this router [firewall router] does is, it says you may only send packets through me and go to the gateway. The internal router is doing the same thing: you may only send packets through me that are either from the inside to the gateway or from the gateway to the inside.

And these two routers watch every packet that goes through this entire network and they filter out anything that is not going to or coming from the right place. And then the gateway as a host can actually do authentication with a password or Kerberos or S/key or hand held token or anything like that.

Remember, networks don't do authentication, hosts do. So that is why you put this host in the middle to do some authentication. You can even allow some trusted subset of your people to have an account on the gateway and only those people who can log into the gateway can get out of your company. It is really nice to keep somebody who is a temp or someone who is a disgruntled employee from using FTP and cranking it up and sending your entire computer contents out over the Internet. If they don't have a level of trust so that they have an account on the gateway, then they are not going to be able to push anything out either. Yeah?

Question: What about Clipper?

Answer: Clipper has almost nothing to do with Internet security, it was intended for telephone and other limited forms of security. For those of you who don't know, Clipper is the government's "escrowed" encryption standard. It is built on top of something that looks a lot like public encryption with the added hook that you must escrow (give) the key with two organizations which are both part of the government - how interesting. Other than that it has almost no relationship to this at all and I believe at this point that Clipper is a dead issue.

PGP is now a licensed implementation of the RSA public encryption which is available from Public Key Partners and RSA Associates. It does not have any key escrow, there is no central authority that holds all the keys. I can give you my public key you can give me your public key and we can talk to each other and we have not extended trust to anyone else. With Clipper as soon as we start using it we are extending trust to the government or anyone who can afford to buy a key. Yeah?

Question: Who is pushing Clipper?

Answer: I have been following computer privacy since I was in high school. There have been two people who have been proponents of Clipper. One is Dorothy Denning, and she is a very fine lady and I respect her very much, but she has more confidence in our government and less belief in personal privacy than I do. And there is someone else on the Internet whose name I don't even remember who is saying law enforcement is the overriding concern. There is nothing magical about encryption, and we are getting into politics and personal beliefs, but it appears to be a non-issue at this point. Are we out of time?

[Case Studies]

Four quick cases: an East Coast university. They had no centralized control of their networks or computers. They had 4000-5000 computers and they were being overrun so badly that the crackers were fighting over subnets of computers. They kept turning everything off, reloading software from CD-ROMs and rebuilding every machine on campus, but the cracker would get back in through the as-yet un-rebuilt machines.

Password sniffer at a conference: we had a person who visited a user group conference and he logged into his desktop machine from the conference public terminal area to read his mail. Before he even got back to San Diego somebody was logged into his desktop from the Netherlands. They had put a sniffer on the conference network and grabbed his userid and password.

Sniffer on a network access point - last year on the Milnet. There was a network access point on the Milnet and somebody had a sniffer running there for (supposedly) eight months. There were more than a million log-in sessions that went over that network backbone during the time that the sniffer was active.

Looking for commercial information. We have seen two cases in the last four months, one was human engineering and one was a flat out break-in. In this case, we believe somebody was paid to find a specific item of commercial information and then went after it in a very sophisticated way. So it is beginning to happen.

The spoof attack was an attack on Tsutomu Shimomura and others that was mentioned in the New York Times.

[Costs]

Yes, there is some cost involved in securing your hosts and networks, but you must ask, "how much is your business worth?"

[Resources]

How can you find out more about computer and network security? Who do you call when you've had a break-in? Here are some organizations, books, articles, etc. that you should look into.

[Organizations]

CERT - this is a good one to know if you've been broken into. Call CERT and they will try to put you in touch with the right people. USENIX and the System Administrator's Guild (SAGE) are people that can help you find consultants who are qualified to do this kind of work.

[Books]

All of these should be readily available in any large book store, such as Bookstar or Barnes and Noble. The New Hacker's Dictionary, well, you might need to order that.

[Articles]

Here is a sample set of recent articles; the last one at the bottom is Data Network Found Open to New Threat, which describes the network spoofing attack I mentioned before. One of our researchers' home machines was broken into and we were the first people to discover this new technique that the crackers are using.

And since we are out of time I guess there is no time for questions but I will be around for the rest of the day. Feel free to ask me about security. Thank you very much.
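The packet-filtering rules of the firewall router and the internal router from the [Simple Firewall] section, simulated in Python as an added example that was not part of the presentation. The inside network (10.0.0.0/8), DMZ network (192.0.2.0/24) and gateway address (192.0.2.10) are constructed, and the rule that only the gateway may send replies back out through the firewall router is an interpretation the talk does not spell out.

```python
"""Simulation of the two-router DMZ filtering described in the talk.

Constructed example, not code from the presentation. Assumed addresses:
  inside networks: 10.0.0.0/8
  DMZ network:     192.0.2.0/24
  gateway host:    192.0.2.10
"""
import ipaddress
from dataclasses import dataclass

INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # assumption
GATEWAY = ipaddress.ip_address("192.0.2.10")          # assumption


@dataclass(frozen=True)
class Packet:
    src: str    # source address as dotted quad
    dst: str    # destination address as dotted quad
    iface: str  # interface the packet arrived on: "outside", "dmz" or "inside"


def is_inside(addr):
    """True if addr belongs to one of the company's inside networks."""
    return any(addr in net for net in INSIDE_NETS)


def firewall_router(pkt):
    """External (firewall) router. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Rule 1 from the talk: an outside packet with an inside source is a lie.
        if is_inside(src):
            return ("drop", "spoofed inside source address arriving from outside")
        # Rule 2: anything from outside that is not addressed to the gateway is thrown away.
        if dst != GATEWAY:
            return ("drop", "destination is not the gateway")
        return ("accept", "outside -> gateway")
    if pkt.iface == "dmz":
        # Return path (interpretation): only the gateway may talk to the outside,
        # and never to inside or DMZ addresses through this router.
        if src != GATEWAY:
            return ("drop", "only the gateway may send to the outside")
        if is_inside(dst) or dst in DMZ_NET:
            return ("drop", "gateway traffic to inside/DMZ does not transit this router")
        return ("accept", "gateway -> outside")
    return ("drop", "packet arrived on an unexpected interface")


def internal_router(pkt):
    """Internal router: only inside -> gateway or gateway -> inside. Returns (verdict, reason)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "inside":
        if not is_inside(src):
            return ("drop", "non-inside source address arriving from inside")
        if dst != GATEWAY:
            return ("drop", "inside hosts may only reach the gateway")
        return ("accept", "inside -> gateway")
    if pkt.iface == "dmz":
        if src != GATEWAY:
            return ("drop", "only the gateway may send toward the inside")
        if not is_inside(dst):
            return ("drop", "gateway may only send to inside addresses here")
        return ("accept", "gateway -> inside")
    return ("drop", "packet arrived on an unexpected interface")


def run_sample():
    """Constructed packets covering the spoof, gateway-only and return-path cases."""
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "outside"),  # legitimate outside -> gateway
        Packet("10.1.2.3", "192.0.2.10", "outside"),     # spoofed inside source
        Packet("203.0.113.5", "10.1.2.3", "outside"),    # outside trying to reach inside directly
        Packet("192.0.2.10", "203.0.113.5", "dmz"),      # gateway replying to the outside
        Packet("10.1.2.3", "192.0.2.10", "inside"),      # inside user reaching the gateway
        Packet("10.1.2.3", "203.0.113.5", "inside"),     # inside user trying to bypass the gateway
        Packet("192.0.2.77", "10.1.2.3", "dmz"),         # some other DMZ host probing inside
    ]
    results = []
    for pkt in samples:
        router = internal_router if pkt.iface == "inside" else firewall_router
        if pkt.iface == "dmz" and is_inside(ipaddress.ip_address(pkt.dst)):
            router = internal_router
        results.append((pkt, router(pkt)))
    return results


if __name__ == "__main__":
    for pkt, (verdict, reason) in run_sample():
        print(f"{pkt.iface:>7} {pkt.src:>13} -> {pkt.dst:<13} {verdict:<6} {reason}")
```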

© copyright 1995 Tom Perrine. All rights reserved.