<<  The hearing aid is great, now what about my cell phone 7   >>
Internet2 Security Update: Some Excerpts From the 2nd Data Driven
Internet2 Security Update: Some Excerpts From the 2nd Data Driven
Introduction: Were All Busy, But
Introduction: Were All Busy, But
We Need To Look For Leverage Opportunities
We Need To Look For Leverage Opportunities
The 2nd Internet2 Data Driven Collaborative Security Workshop
The 2nd Internet2 Data Driven Collaborative Security Workshop
Three Topics From DDCSW2
Three Topics From DDCSW2
1. Updates for PC Software OTHER THAN Windows Itself, Office, Internet
1. Updates for PC Software OTHER THAN Windows Itself, Office, Internet
The Proof Of The Pudding Is In The Eating
The Proof Of The Pudding Is In The Eating
Consider PDF Attacks Last Year
Consider PDF Attacks Last Year
Or Consider Java Today
Or Consider Java Today
Stefan Frei from Secunia at DDCSW2
Stefan Frei from Secunia at DDCSW2
Sample Secunia PSI Run Output
Sample Secunia PSI Run Output
Drilling Down on One of Those Programs
Drilling Down on One of Those Programs
Interested in Using PSI/CSI At Your Site
Interested in Using PSI/CSI At Your Site
BTW, Change Is Coming for Some 3rd Party Apps
BTW, Change Is Coming for Some 3rd Party Apps
2. Another Excerpt From DDCSW2: RPZ
2. Another Excerpt From DDCSW2: RPZ
Some RPZ Pragmatic Details
Some RPZ Pragmatic Details
3. The Dragon Research Group and DRG Pods (Including the DRG ssh
3. The Dragon Research Group and DRG Pods (Including the DRG ssh
DRG Pods
DRG Pods
The DRG ssh Project
The DRG ssh Project
Part of a Recent DRG ssh Password Auth Report
Part of a Recent DRG ssh Password Auth Report
DRG ssh Username/Password Tag Clouds
DRG ssh Username/Password Tag Clouds
An Aside on Ssh Scanning Tools
An Aside on Ssh Scanning Tools
DRG Will Be Doing More Cool Projects
DRG Will Be Doing More Cool Projects
Should We Continue Having DDCSW Meetings
Should We Continue Having DDCSW Meetings
Thats It For Our Brief Taste of DDCSW and Overview of A Few
Thats It For Our Brief Taste of DDCSW and Overview of A Few
Three Strategic Security Topics
Three Strategic Security Topics
4. IPv4 Runout and IPv6: IPv4 Runout Is Nigh
4. IPv4 Runout and IPv6: IPv4 Runout Is Nigh
Preparing for Imminent IPv4 Runout
Preparing for Imminent IPv4 Runout
Most Universities Have NOT Deployed IPv6
Most Universities Have NOT Deployed IPv6
30
30
Weve Intentionally Decided to NOT Do IPv6
Weve Intentionally Decided to NOT Do IPv6
Large Scale Network Address Translation
Large Scale Network Address Translation
Incident Handling in a Large Scale NAT World
Incident Handling in a Large Scale NAT World
Loss of Transparency (and Loss of Innovation, and Loss of Throughput,
Loss of Transparency (and Loss of Innovation, and Loss of Throughput,
There Are A Million Different Really Good Reasons Why We Just Cant
There Are A Million Different Really Good Reasons Why We Just Cant
5. Security of the Domain Name System (DNS) and DNSSEC
5. Security of the Domain Name System (DNS) and DNSSEC
Two DNSSEC Tasks: Signing and Checking
Two DNSSEC Tasks: Signing and Checking
Nonetheless, Deployment IS Beginning To Happen
Nonetheless, Deployment IS Beginning To Happen
2nd Level
2nd Level
Some Universities Are Now Validating DNSSEC Signatures, Too
Some Universities Are Now Validating DNSSEC Signatures, Too
For Example
For Example
Verifying DNSSEC Signatures Is Not Completely Without Risk
Verifying DNSSEC Signatures Is Not Completely Without Risk
Not Ready to Jump In
Not Ready to Jump In
6. Security of Mobile Internet Devices
6. Security of Mobile Internet Devices
Mobile Internet Devices Raise LOTS of Questions
Mobile Internet Devices Raise LOTS of Questions
A Few Mobile Internet Device Security Questions
A Few Mobile Internet Device Security Questions
Are We Seeing a Recapitulation Of the Old Managed vs
Are We Seeing a Recapitulation Of the Old Managed vs
An Example of One Simple Mobile Internet Device Policy Question:
An Example of One Simple Mobile Internet Device Policy Question:
Other Potential Local iPhone Policies Include
Other Potential Local iPhone Policies Include
Scalably Pushing Policies to the iPhone
Scalably Pushing Policies to the iPhone
Whats The Big Deal About Bad Config Files
Whats The Big Deal About Bad Config Files
We Need to Encourage Healthy Paranoia
We Need to Encourage Healthy Paranoia
What About Hardware Encryption
What About Hardware Encryption
Remotely Zapping Compromised Mobile Devices
Remotely Zapping Compromised Mobile Devices
Terminating Mobile Device-Equipped Workers
Terminating Mobile Device-Equipped Workers
Malware and A/V on the Non-Jailbroken iPhone
Malware and A/V on the Non-Jailbroken iPhone
And If Theres NOT A/V For Mobile Devices
And If Theres NOT A/V For Mobile Devices
What About Jailbroken iPhones
What About Jailbroken iPhones
Jailbroken iPhones and Upgrades
Jailbroken iPhones and Upgrades
Your Should Be Talking About These Issues
Your Should Be Talking About These Issues

: Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About. : joe st sauver. : Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About.ppt. zip-: 880 .

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About.ppt
1 Internet2 Security Update: Some Excerpts From the 2nd Data Driven

Internet2 Security Update: Some Excerpts From the 2nd Data Driven

Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About

Joe St Sauver, Ph.D. Internet2 Nationwide Security Programs Manager (joe@uoregon.edu or joe@internet2.edu) Internet2 Fall Members Meeting, Atlanta GA Thursday, November 4th, 2010 10:30-11:45AM Grand Ballroom III/IV http://pages.uoregon.edu/joe/sec-update-fall2010-mm/

1

2 Introduction: Were All Busy, But

Introduction: Were All Busy, But

Many of us may all be preoccupied with major broadband stimulus-related infrastructure projects, but security issues continue to demand the communitys attention: -- Unpatched or incompletely patched systems and applications continue to get cracked, potentially resulting in breaches of personally identifiable information (PII), -- Malware continues to outpace signature-based antivirus software, resulting in a steady supply of botted hosts -- Satisfying increasingly demanding compliance-related security requirements can also be daunting and time consuming. Given those pressures, it is pretty easy to fall into reactive mode, spending all our security related cycles just fighting fires and trying to satisfy the auditors.

2

3 We Need To Look For Leverage Opportunities

We Need To Look For Leverage Opportunities

The only way we can scale up to those day-to-day challenges is by looking for leverage opportunities. Think of leverage opportunities as times when we might be able to use technology to simultaneously fight the fires that break out (because we must continue to do that), while ALSO making substantive progress against vulnerabilities that are being actively targeted for exploitation. Doing this requires Data, Analysis, Collaboration and Action, the touchstones of the Data Driven Collaborative Security approach that weve been highlighting in the last couple Internet2 Data Driven Collaborative Security Workshops for High Performance Networks (DDCSW and DDCSW2).

3

4 The 2nd Internet2 Data Driven Collaborative Security Workshop

The 2nd Internet2 Data Driven Collaborative Security Workshop

Speaking of DDCSW2, we held the 2nd invitational Internet2 Data Driven Collaborative Security Workshop (DDCSW2) this summer from August 17th-18th, 2010 at the Knight Executive Education and Conference Center on the Washington University in St Louis campus. Thank you for sharing that facility with us! As was the case for the first DDCSW held at the University of Maryland Baltimore County, DDCSW2 included a mix of academic, corporate, non-profit and law-enforcement / government folks. Even if you did attend DDCSW2, unlike many closed cyber security meetings, you can check out some excellent presentations from that meeting online at security.internet2.edu/ddcsw2/

4

5 Three Topics From DDCSW2

Three Topics From DDCSW2

As a bit of a teaser to get you interested in learning more about DDCSW2, I wanted to highlight three immediately relevant tactical cyber security issues which were raised during that meeting, before covering some strategic cyber security issues. Three tactical cyber security issues from DDCSW2 included: 1) Updates for PC Software OTHER THAN MS Windows, MS Office, Internet Explorer, etc. 2) RPZ: DNS Response Policy Zones, and 3) Dragon Research Group and DRG Pods (including the DRG ssh project)

5

6 1. Updates for PC Software OTHER THAN Windows Itself, Office, Internet

1. Updates for PC Software OTHER THAN Windows Itself, Office, Internet

Explorer, etc.

Microsoft has done a great job of improving their softwares code quality and helping users to keep Microsofts own software (MS Windows, MS Office, Internet Explorer, etc) up-to-date. However, thats not the only software youve got on your PC. Most people also have third party applications installed such as: -- Acrobat or Acrobat Reader -- Flash Player -- Third party browsers such as Firefox or Opera -- Media helper applications such as QuickTime -- Music players such as iTunes -- Java -- etc. Unfortunately you and your users may not be keeping up when it comes to keeping all those other applications patched up-to-date.

6

7 The Proof Of The Pudding Is In The Eating

The Proof Of The Pudding Is In The Eating

If you have a personally-owned Windows PC, try an experiment. Download Secunia PSI (free for personal use) from http://secunia.com/products/ and run it on your personally owned system. (Secunia CSI is the institutional analogue of Secunia PSI) When you run PSI I would be extremely surprised if that tool doesnt find at least one third party application that is either end-of-life or less than fully patched on any given system you may happen to check. The problem of unpatched third party applications is endemic, and it IS getting noticed (and targeted!) by cyber attackers.

7

8 Consider PDF Attacks Last Year

Consider PDF Attacks Last Year

8

9 Or Consider Java Today

Or Consider Java Today

9

10 Stefan Frei from Secunia at DDCSW2

Stefan Frei from Secunia at DDCSW2

Given the timeliness of this issue, we were delighted when Stefan Frei, Research Analyst Director at Secunia, was able to come to DDCSW2 to talk about their experience with Secunia PSI on 2.6 million PCs. See security.internet2.edu/ddcsw2/docs/sfrei.pdf Some highlights: -- half of all users have >66 programs from >22 vendors (dang!) -- The top-50 most common programs include 26 from Microsoft, plus 24 3rd party programs from 14 different vendors (with 14 different update mechanisms!) -- Eight programs from three vendors all have a > 80% user share -- All programs in the top-50 portfolio have a ? 24% user share -- In the 1st half of 2010, 3rd party programs in the top-50 portfolio had 275 vulnerabilities, 4.4X more than MS programs -- One exploitable vulnerability is all you need to 0wn a PC

10

11 Sample Secunia PSI Run Output

Sample Secunia PSI Run Output

11

12 Drilling Down on One of Those Programs

Drilling Down on One of Those Programs

IMPORTANT: Dont forget to check and fix ALL RED TABS!

12

13 Interested in Using PSI/CSI At Your Site

Interested in Using PSI/CSI At Your Site

13

14 BTW, Change Is Coming for Some 3rd Party Apps

BTW, Change Is Coming for Some 3rd Party Apps

I think were at something of a cusp when it comes to some third party software, at least when it comes to some vendors. For example, as of Mac OS X 10.6 update 3, the version of Java that is ported by Apple and ships with OS X will be deprecated. (see http://tinyurl.com/java-deprecated ). While it may be possible for a fully open source version of Java to be developed for OS X, it may be tricky to get the same seamless integration that the vendor supported version of Java currently provides. Apps using Java are also reportedly going to be rejected by the Apple iPhone App Store. Finally, it also appears that Apple will no longer be pre-installing Adobe Flash Player on Macs (although users can still download and install it themselves). Quoting Bob Dylan, You better start swimmin / Or youll sink like a stone / For the times, they are a-changin.

14

15 2. Another Excerpt From DDCSW2: RPZ

2. Another Excerpt From DDCSW2: RPZ

RPZ stands for DNS Response Policy Zones and Eric Ziegast of ISC was good enough to come to DDCSW2 and do two talk for us, with one of them covering RPZ. See http://security.internet2.edu/ddcsw2/docs/Ziegast-rpz.pdf RPZ stems from a seminal July 30th, 2010 article by Paul Vixie of ISC in CircleID entitled, Taking Back the DNS, see http://www.circleid.com/posts/20100728_taking_back_the_dns/ In a nutshell, Vixies insight was that its crazy for sites like ours to help the bad guys to commit their cyber crimes by providing trustworthy and reliable DNS service for evil purposes. For example, our name servers should NOT be docilely and dutifully resolving domain names known to lead to malware, thereby helping the bad guys to efficiently infect our systems. Think of RPZ as new real time block listing for DNS.

15

16 Some RPZ Pragmatic Details

Some RPZ Pragmatic Details

RPZ is currently available as a patch for BIND (see the links from Vixies CircleID article). ISC is NOT providing a data feed for RPZ, just the protocol spec and a reference implementation (patch) for BIND. You could build your own RPZ zone, or select one supplied by a third party. If you do implement RPZ for typical users, you may want to also make sure you offer an unfiltered recursive resolver for any campus malware researchers or security researchers (or at least do not block their ability to run their own unfiltered recursive resolver, or their ability to reach Googles intentionally open recursive resolvers at 8.8.8.8 and 8.8.4.4). Because of the dismal status of malware protection right now, I think that well be hearing a lot about RPZ in the future.

16

17 3. The Dragon Research Group and DRG Pods (Including the DRG ssh

3. The Dragon Research Group and DRG Pods (Including the DRG ssh

Project)

Many of you will already be familiar with Team Cymru (see http://www.team-cymru.org/ ) and the excellent work that Rob Thomas and his team do in furthering Internet security. You may not be as familiar with Dragon Research Group, the international all-volunteer research group offshoot of Team Cymru (even though they are available as a link from the top bar on the primary Team Cymru web site). We were fortunate to have Paul Tatarsky, Seth Hall and John Kristoff provide a briefing on the DRG for DDCSW2, see http://security.internet2.edu/ddcsw2/docs/tatarsky.pdf For todays update, well just highlight two things related to the that talk: volunteering to run a DRG pod, and an example of one project enabled by DRG pod data, the DRG ssh project.

17

18 DRG Pods

DRG Pods

Dragon Research Group makes available a customized Linux Live CD distribution that securely converts a system (or virtual machine) into a DRG data collection endpoint (or pod). A full description of the distribution and how you can sign up to participate is at www.dragonresearchgroup.org/drg-distro.html Because network activity policies vary from site to site, the DRG distribution intentionally provides substantial flexibility. Thus, for example, if your site will only permit passive measurement activities, the pod can be configured to carefully support that policy, while if your site allows active measurements, that more liberal framework can also be accommodated. All DRG pod locations are confidential. A nice example of the sort of work that the DRG pods can enable is the DRG ssh project, which well describe next.

18

19 The DRG ssh Project

The DRG ssh Project

ssh (secure shell, e.g., an encrypted version of telnet) is the preferred way that most security-conscious individuals remotely login to Unix boxes and other systems. On many hardened systems, sshd may be the only network service thats accessible. Because sshd may be the only service thats open, it gets a lot of attention from cyber criminals who scan the Internet looking for vulnerable hosts. Anyone running sshd is all too familiar with failed ssh login attempts from random sources in their syslogs. Wouldnt it be nice if you could see a list of all the IP addresses that have recently been seen ssh scanning? Wouldnt it be particularly nice to know if one of those actively scanning hosts is actually a (likely compromised) system on your campus? You can read more about the DRG ssh project at http://www.dragonresearchgroup.org/insight/

19

20 Part of a Recent DRG ssh Password Auth Report

Part of a Recent DRG ssh Password Auth Report

20

21 DRG ssh Username/Password Tag Clouds

DRG ssh Username/Password Tag Clouds

21

22 An Aside on Ssh Scanning Tools

An Aside on Ssh Scanning Tools

At least some of the hosts that are engaged in ssh scanning/brute forcing are likely infested with the dd_ssh brute forcing script. For more information about this attack tool, see: http://isc.sans.edu/diary.html?storyid=9370 Metasploit Framework 3.4.0 (released May 18th, 2010) also now includes strong support for brute forcing network protocols, including support for brute forcing ssh, see http://blog.metasploit.com/2010_05_01_archive.html These sort of brute forcing tools mean that brute forcing attacks are likely here to stay Many sites may want to consider deploying anti-brute forcing scripts as part of their system configuration. One such tool is fail2ban, see http://www.fail2ban.org/wiki/index.php/Main_Page however there are many others you might also try.

22

23 DRG Will Be Doing More Cool Projects

DRG Will Be Doing More Cool Projects

So as cool as the preceding ssh analyses are, they are really just an example, the tip of the proverbial iceberg, if you will. With your help, many further interesting projects may become possible. Wed encourage you to consider participating in the DRGs activities by hosting a pod at your site. If nothing else, youll at least want to keep an eye on their ssh scanner/ssh brute forcer report to make sure your ASN or ASNs used by your colleagues, dont show up as a source of abusive ssh brute force traffic!

23

24 Should We Continue Having DDCSW Meetings

Should We Continue Having DDCSW Meetings

So now you know a little about three of the great security-related presentations that were shared at the last DDCSW. An open question to those of you in the Internet2 community: Should we have further DDCSW events in the future? We think the quality of the material presented at both DDCSWs was outstanding, but we recognize that everyone in the security community is very busy. Some might go so far as to say that the biggest gift we could give the security community would be to REFRAIN from offering yet another security meeting competing for limited time and travel resources. So should we consider merging DDCSW with another meeting? Which one? Should we drop DDCSW entirely? Wed appreciate your feedback! (please send it to joe@internet2.edu) If we do decide to hold another DDCSW, would you be interested in attending and presenting at it? Or maybe hosting it?

24

25 Thats It For Our Brief Taste of DDCSW and Overview of A Few

Thats It For Our Brief Taste of DDCSW and Overview of A Few

Tactical Security Topics

Now lets move on and talk a little about some timely big picture or strategic security topics.

25

26 Three Strategic Security Topics

Three Strategic Security Topics

While there are many important strategic security topics we could talk about today, there are three strategic security challenges which have largely received short shrift at most of our sites: 4) IPv4 Exhaustion and IPv6 Deployment 5) Security of the Doman Name System and DNSSEC, and 6) The Security of Mobile Internet Devices Lets briefly talk about each of those topics.

26

27 4. IPv4 Runout and IPv6: IPv4 Runout Is Nigh

4. IPv4 Runout and IPv6: IPv4 Runout Is Nigh

Only 5% of global IPv4 address space remains unallocated. The last large unallocated IPv4 netblocks (/8s, each 1/256 of the total IPv4 address space) will be allocated by IANA on or about 4 June 2011. The regional Internet registries (such as ARIN) will begin to exhaust their last IPv4 allocations on or about 27 January 2012. Neither of those dates are very far from now: 4 Nov 2010 --> 4 Jun 2011: 212 days 4 Nov 2010 --> 27 Jan 2012: 1 year, 2 months, 23 days

27

28 Preparing for Imminent IPv4 Runout

Preparing for Imminent IPv4 Runout

Between now and then, you should be doing three things: 1) If you have legacy IPv4 address space, review your records documenting that allocation (if you have any and if you can find them) and decide if youre going to sign the ARIN Legacy Registration Services Agreement. (See https://www.arin.net/resources/legacy/ ) 2) If you have a legitimate need for additional IPv4 address space for any pending projects, request that space NOW. If you wait six months to make that request, it may be too late. (Note: I am NOT suggesting that you request space you dont legitimately need PLEASE be reasonable and responsible) 3) Everyone should be proceeding with deployment of IPv6 on the networks and systems they operate.

28

29 Most Universities Have NOT Deployed IPv6

Most Universities Have NOT Deployed IPv6

Only a few universities have deployed IPv6 both throughout their infrastructure AND on all their public-facing servers. See IPv6 Status Survey, http://www.mrp.net/IPv6_Survey.html If your site isnt listed, you can check it using the form thats at: http://www.mrp.net/cgi-bin/ipv6-status.cgi Note: this test only checks public services for IPv6-accessibility. You should also check to see if your institution has enabled IPv6 throughout your local area network for use by end user workstations.

29

30 30

30

31 Weve Intentionally Decided to NOT Do IPv6

Weve Intentionally Decided to NOT Do IPv6

Some universities may be aware of IPv4 runout, AND may have made an intentional decision to NOT deploy native IPv6 for their users. You may even be from one of those universities. If so, I would urge you to reconsider that decision. If you do NOT deploy native IPv6, your users will (intentionally or inadvertently) end up transparently accessing IPv6 content via a variety of non-native transition mechanisms such as Teredo, 6to4, ad hoc manually configured tunnels, etc., whether you support native IPv6 or not. This will ultimately be a mess, and far less secure than just biting the bullet and doing native IPv6. See IPv6 and the Security of Your Network and Systems, pages.uoregon.edu/joe/i2mm-spring2009/i2mm-spring2009.pdf

31

32 Large Scale Network Address Translation

Large Scale Network Address Translation

If you do find yourself talking to those who arent planning to add IPv6, and you ask them How will you scale IPv4 addressing post-IPv4 runout? the most common answer youll hear is that they plan to do large scale NAT (you may also hear this called carrier grade NAT, although most large scale NAT solutions are not really carrier grade). Sites that try large scale NAT will be sharing a single public IPv4 address across dozens or sometimes even hundreds of users. Large scale NAT will pose many challenges, and after you think about them a little, we hope that you will reconsider your decision to go down that road. For example

32

33 Incident Handling in a Large Scale NAT World

Incident Handling in a Large Scale NAT World

Incident handlers and security staff know that abuse complaints involving dynamic addresses need both the address of the problematic host, AND the timestamp/time zone when the incident was observed in order to be actionable. As large scale NAT becomes more widely deployed, actionable abuse reports will now need to have THREE items: the address of the problematic host, the timestamp/time zone when the incident was observed, AND the source port number. Unfortunately, many abuse records do not currently include source port info. For example, if you look at Received: headers in mail messages, you will NOT see source port information listed. Many other sources of backtracking information are similarly bereft.

33

34 Loss of Transparency (and Loss of Innovation, and Loss of Throughput,

Loss of Transparency (and Loss of Innovation, and Loss of Throughput,

and)

Large scale NAT may work adequately well for users with simple mainstream needs (such as browsing the web, or sending email via a third party web email service), but those sort of applications should NOT be the epitome of advanced applications or high performance applications in our community! Innovative advanced applications and high performance data transfers almost always work better when Internet connected hosts have globally routed unique IP addresses. For that matter, even some pretty basic applications, such as video conferencing, often ONLY work if you have a public address.

34

35 There Are A Million Different Really Good Reasons Why We Just Cant

There Are A Million Different Really Good Reasons Why We Just Cant

Deploy IPv6!

There may be. Unfortunately, you really dont have any good alternative (as Iljitsch van Beijnum wrote in Ars Technica a month or so ago, There is No Plan B: Why The IPv4-to-IPv6 Transition Will Be Ugly, see arstechnica.com/business/news/2010/09/ there-is-no-plan-b-why-the-ipv4-to-ipv6-transition-will-be-ugly.ars ) The time has come to get IPv6 deployed on your campus, and on your servers, and on your regional networks.

35

36 5. Security of the Domain Name System (DNS) and DNSSEC

5. Security of the Domain Name System (DNS) and DNSSEC

Pretty much everything on the Internet relies on the ability of users to safely refer to sites by symbolic names (such as www.internet2.edu) rather than IP addresses (such as 207.75.165.151), trusting DNS to do that translation for them. If that translation process is untrustworthy, instead of going where you wanted to go, you might end up being taken to a site that will drop malware on your system, or you might be diverted from your bank or brokerage to a fake financial site run by some offshore cracker/hacker. It is absolutely critical that DNS be trustworthy. DNSSEC, a system of cryptographic signatures that can help insure that DNS results havent been tampered with, can help secure DNS results -- IF it gets used.

36

37 Two DNSSEC Tasks: Signing and Checking

Two DNSSEC Tasks: Signing and Checking

For DNSSEC to work, two things need to happen: -- sites need to cryptographically sign their own DNS records -- other sites need to check, or verify, that the DNSSEC-signed results they receive are valid Many sites have held off signing their sites DNS records because for a long time the DNS root (dot) and the EDU top level domain werent signed. Thats no longer a problem: both have now been signed. At the same time, many recursive resolvers havent bothered to check DNSSEC signatures because no one has bothered to sign their zones. DNSSEC thus formerly epitomized the classic Internet chicken and egg deployment problem.

37

38 Nonetheless, Deployment IS Beginning To Happen

Nonetheless, Deployment IS Beginning To Happen

38

39 2nd Level

2nd Level

edus Which ARE Signed (10/12/10)

merit.edu monmouth.edu penn.edu psc.edu suu.edu ucaid.edu upenn.edu weber.edu What about YOUR school??? Data from: http://secspider.cs.ucla.edu/

berkeley.edu cmu.edu desales.edu example.edu fhsu.edu indiana.edu internet2.edu iu.edu iub.edu iupui.edu k-state.edu ksu.edu lsu.edu

39

40 Some Universities Are Now Validating DNSSEC Signatures, Too

Some Universities Are Now Validating DNSSEC Signatures, Too

For example, the University of Oregon is now verifying DNSSEC signatures on its production recursive resolvers, and this has generally been going just fine. If you need a simple test to see whether your current recursive resolvers are verifying DNSSEC signatures, try the (somewhat irreverent but quite straightforward) thumbs up/eyes down DNSSEC validation tester thats available at: http://test.dnssec-or-not.org/

40

41 For Example

For Example

41

42 Verifying DNSSEC Signatures Is Not Completely Without Risk

Verifying DNSSEC Signatures Is Not Completely Without Risk

In many ways, the most serious risk you face when validating DNSSEC signatures is that DNSSEC will work as advertised. That is, a domain may accidentally end up with invalid DNSSEC signatures for a variety of reasons, and once theyve done that, their site will then (correctly) become inaccessible to those of us who are verifying DNSSEC signatures. Paradoxically, when that happens, the site will continue to work just fine for everyone who is NOT doing DNSSEC, and the DNSSEC problem may thus go unnoticed by the site. This may be an irritating experience for your users if a critical site ends up being inaccessible. http://dnsviz.net is a great resource for visualizing and debugging these sort of issues when they arise. If you want an intentionally broker domain to try testing, try using dnssec-failed.org

42

43 Not Ready to Jump In

Not Ready to Jump In

Try Taking Baby Steps

Maybe you can at least either: -- sign your own domain or at least -- begin to validate the signatures that others have added? You dont need to immediately do both simultaneously! Maybe you can sign just part of your domain (such as your cs or engineering subdomains), or you can just try signing a couple of less-important institutional test domains Maybe you can create additional opt-in validating resolvers, even if you dont enable DNSSEC by default on your production recursive resolvers?

43

44 6. Security of Mobile Internet Devices

6. Security of Mobile Internet Devices

Theres a huge temptation to just focus on traditional networks, servers, desktop workstations and laptops, but theres been a real revolution quietly going on: were entering an age where mobile Internet devices are becoming virtually ubiquitous. For example, the 2009 ECAR Study of Undergraduate Students and Information Technology (http://www.educause.edu/ers0906 ) reported that 51.2% of respondents owned an Internet capable handheld device, and another 11.8% indicated that they planned to purchase one in the next 12 months What about faculty/staff? While mobile Internet devices and cell phones have formerly been treated as listed property by the IRS, Section 2043 of H.R. 5297 (the Small Business Jobs Act of 2010) was signed into law Sept 27, 2010, fixing that. Because of that recent change, expect to see a lot more institutionally owned faculty/staff mobile Internet devices soon

44

45 Mobile Internet Devices Raise LOTS of Questions

Mobile Internet Devices Raise LOTS of Questions

Ive got a full 110 slide presentation discussing the security of mobile Internet devices that I recently gave as the closing session for the Northwest Academic Computing Consortium (NWACC) 2010 Network Security Workshop in Portland (see http://pages.uoregon.edu/joe/nwacc-mobile-security/ (PDF or PPT formats)). Given our limited time together today, Im obviously not going to be able to cover all that material. Recognizing how common mobile Internet devices have become, however, I do want to at least alert you to some of the security issues that you face from mobile devices, leaving you to see the full presentation for details and additional issues. To keep this simple, well largely focus on the Apple iPhone for the rest of this quick discussion.

45

46 A Few Mobile Internet Device Security Questions

A Few Mobile Internet Device Security Questions

What type(s) of mobile Internet devices should we support? Blackberries? iPhones? Android devices? Does it matter? Is cellular wireless connectivity secure enough to protect PCI-DSS or HIPAA or FERPA data that may be transmitted? Should we centrally manage our mobile devices? If so, how? Is there PII on our users mobile Internet devices? Do those devices have hardware whole device encryption to protect that data? What if one of these mobile devices get lost or stolen? Can we send the device a remote wipe or kill code? Do we need antivirus protection for mobile devices? What if users want to jailbreak their device? Is that okay? And there are many more security questions, but few people are talking about these issues in our community. Why?

46

47 Are We Seeing a Recapitulation Of the Old Managed vs

Are We Seeing a Recapitulation Of the Old Managed vs

Unmanaged PC Wars?

For a long time, way back in the bad old days, traditional IT management simply pretended that PCs didnt exist. While they were in denial, people bought whatever PCs they wanted and administered them themselves. Sometimes that worked well, other times chaos reigned. Today's more closely managed enterprise model was the result of that anarchy. At some sites, standardized PC configurations are purchased and tightly locked down and are then centrally administered. While Im not a fan of this paradigm, I recognize that it is increasingly common. Are we re-experiencing that same evolutionary process for mobile Internet devices? What might we be able to do if we did use a managed model?

47

48 An Example of One Simple Mobile Internet Device Policy Question:

An Example of One Simple Mobile Internet Device Policy Question:

Device Passwords

If a mobile Internet device is lost or stolen, a primary technical control preventing access to/use of the device is the devices password. Users hate passwords, but left to their own devices (so to speak), if they use one at all, they might just use a short (and easily overcome) one such as 1234 You and your school might prefer that users use a longer and more complex password, particularly if that mobile Internet device has sensitive PII on it. You might even require the device to wipe itself if it detects that it is the target of an in-person password brute force attack. If the device is managed, you can require these things but are your mobile Internet devices managed? Many arent.

48

49 Other Potential Local iPhone Policies Include

Other Potential Local iPhone Policies Include

Adding or removing root certs Configuring WiFi including trusted SSIDs, passwords, etc. Configuring VPN settings and usage Blocking installation of additional apps from the AppStore Blocking Safari (e.g., blocking general web browsing) Blocking use of the iPhones camera Blocking screen captures Blocking use of the iTunes Music Store Blocking use of YouTube Blocking explicit content Some of these settings may be less applicable or less important to higher ed folks than to corp/gov users.

49

50 Scalably Pushing Policies to the iPhone

Scalably Pushing Policies to the iPhone

To configure policies such as those just mentioned on the iPhone, you can use configuration profiles created via the iPhone Configuration Utility (downloadable from http://www.apple.com/support/iphone/enterprise/ ) Those configuration files can be downloaded directly to an iPhone which is physically connected to a PC or Mac running iTunes -- but that's not a particularly scalable approach. The configuration files can also be emailed to your users iPhones, or downloaded from the web per chapter two of the Apple Enterprise Deployment Guide. While those configuration files need to be signed (and can be encrypted), there have been reports of flaws with the security of this process; see iPhone PKI handling flaws at cryptopath.wordpress.com/2010/01/

50

51 Whats The Big Deal About Bad Config Files

Whats The Big Deal About Bad Config Files

If I can feed an iPhone user a bad config file and convince that user to actually install it, I can: -- change their name servers (and if I can change their name servers, I can totally control where they go) -- add my own root certs (allowing me to MITM their supposedly secure connections) -- change email, WiFi or VPN settings, thereby allowing me to sniff their connections and credentials -- conduct denial of service attacks against the user, including blocking their access to email or the web These config files also can be made non-removable (except through wiping and restoring the device).

51

52 We Need to Encourage Healthy Paranoia

We Need to Encourage Healthy Paranoia

Because of the risks associated with bad config files, and because the config files be set up with attributes which increase the likelihood that users may accept and load a malicious configuration file, iPhone users should be told to NEVER, EVER under any circumstances install a config file received by email or from a web site. Of course, this sort of absolute prohibition potentially reduces your ability to scalably and securely push mobile Internet device security configurations to iPhones, but This issue also underscores the importance of users routinely syncing/backing up their mobile devices so that if they have to wipe their device and restore it from scratch, they can do so without losing critical content.

52

53 What About Hardware Encryption

What About Hardware Encryption

Another example of a common security control designed to protect PII from unauthorized access is hardware encryption. Many sites require whole disk encryption on all institutional devices containing PII. Some mobile Internet devices (such as earlier versions of the iPhone) didnt offer hardware encryption; 3GS and 4G iPhones now do. However, folks have demonstrated that at least for the 3Gs (and at least for some versions of iOS) was less-than-completely bullet proof; see for example Mr NerveGas (aka Jonathan Zdziarskis) demo Removing iPhone 3G[s] Passcode and Encryption, www.youtube.com/watch?v=5wS3AMbXRLs This may be a consideration if you are planning to use certain types of iPhones for PII or other sensitive data.

53

54 Remotely Zapping Compromised Mobile Devices

Remotely Zapping Compromised Mobile Devices

Strong device passwords and hardware encryption are primary protections against PII getting compromised, but another potentially important option is being able to remotely wipe the hardware with a magic kill code. Both iPhones and BlackBerry devices support this option. Important notes: -- If a device is taken off the air (e.g., the SIM card has been removed, or the device has been put into a electromagnetic isolation bag), a device kill code may not be able to be received and processed. -- Some devices (including BlackBerries) acknowledge receipt and execution of the kill code, others may not. -- Pre-3GS versions of the iPhone may take an hour per 8GB of storage to wipe (3GSs wipe instantaneously).

54

55 Terminating Mobile Device-Equipped Workers

Terminating Mobile Device-Equipped Workers

A reviewer who looked at an earlier draft of some of these slides pointed out an interesting corner case for remote zapping: -- Zap codes are usually transmitted via Exchange Active Sync when the mobile device connects to the sites Exchange Server, and the users device authenticates -- HR departments in many high tech companies will routinely kill network access and email accounts when an employee is being discharged to prevent incidents -- If HR gets network access and email access killed before the zap code gets collected, the device may not be able to login (and get zapped), leaving the now ex-employee with the complete contents of the device See: http://tinyurl.com/zap-then-fire Of course, complete user level device backups may also exist

55

56 Malware and A/V on the Non-Jailbroken iPhone

Malware and A/V on the Non-Jailbroken iPhone

Because earlier versions of the iPhone disallowed applications running in the background, it was difficult for traditional antivirus products to be successfully ported to the iPhone. To the best of my knowledge, your options for antivirus software on the iPhone are still quite limited, with no offering from traditional market leaders such as Symantec and McAfee at that time. On the other hand, since the iPhone used/uses a sandbox-and-cryptographically "signed app" model, it was hard for the iPhone to get infected. Will you allow users to jail break that security model?

56

57 And If Theres NOT A/V For Mobile Devices

And If Theres NOT A/V For Mobile Devices

Some sites may accidentally adopt an overly broad policy when it comes to deploying antivirus, perhaps decreeing that If it cant run antivirus, it cant run. As you might expect, I believe this is a mistake when there are compensating controls (such as use of a signed-app model in the case of the iPhone), or cases where the demand for A/V on a platform is so minimal theres not even a commercial A/V product available. There are ways to avoid malware besides just running antivirus software! Remember compensating controls!

57

58 What About Jailbroken iPhones

What About Jailbroken iPhones

Normally only Apple-approved applications run on the iPhone. However, some users have developed hacks (NOT blessed by Apple!) that will allow users to break out of that jail and run whatever applications they want. Jailbreaking your iPhone violates the license agreement and voids its warranty, but it is estimated that 5-10% of all iPhone users have done so. Q: Is jailbreaking my iPhone legal? A: I am not a lawyer and this is not legal advice, but see: EFF Wins New Legal Protections for Video Artists, Cell Phone Jailbreakers, and Unlockers, July 26, 2010, http://www.eff.org/press/archives/2010/07/26

58

59 Jailbroken iPhones and Upgrades

Jailbroken iPhones and Upgrades

When a jail broken iPhones gets an OS upgrade, the jailbreak gets reversed and would typically need to be redone. This may cause some users of jail broken iPhones to be reluctant to apply upgrades (even upgrades with critical security patches!), until the newly released version of iOS also gets jailbroken. Thats obviously a security issue and cause for concern. If you do successfully jailbreak your iPhone, your exposure to malware will increase.

59

60 Your Should Be Talking About These Issues

Your Should Be Talking About These Issues

If your user support and security staff arent talking about these sort of issues at your site, youre likely not ready to address the security issues that will arise in conjunction with mobile devices. Id urge you to review the full talk about mobile Internet device security that I mentioned on slide 45, and to initiate local conversations about mobile Internet device security as soon as you can reasonably do so. Thats all Ive got for you for you today for my part of the security update session. I assume well hold questions till the end of the session. Thanks!

60

Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About
http://900igr.net/prezentacija/anglijskij-jazyk/internet2-securiy-update-some-excerpts-from-the-2nd-data-driven-collaborative-security-workshop-and-some-timely-strategic-security-area-you-should-be-thinking-about-218232.html
c

11

29
900igr.net > > > Internet2 Securiy Update: Some Excerpts From the 2nd Data Driven Collaborative Security Workshop and Some Timely Strategic Security Area You Should Be Thinking About