1. How I Fixed the Internets
Mark Minasi Conference 2009
Roger A. Grimes
e: roger@banneretcs.com
2. Roger’s BIO
– CPA, CISSP, CEH, SSPP, CISA, TICSA, yada, yada
– 22-year Windows security consultant, instructor, and author
– Microsoft ACE Infosec Security Architect
– Author or co-author of eight books on computer security,
including:
• Network Security: The Complete Reference (McGraw-Hill, co-author of
chapters on Computer Defenses and IDSs)
• Windows Vista Security: Securing Vista Against Malicious Attacks
(Wiley, 2007, co-author)
• Professional Windows Desktop and Server Hardening (Dec. 2005)
• Windows Server 2008 Security Resource Kit (contributing author)
• Honeypots for Windows (Apress, December 2004)
– Author of over 200 national magazine articles on computer
security
– Runs 8 honeypots tracking hacker and malware behavior
– InfoWorld security columnist and Blogger
4. The views expressed here are only my own,
and are not the views of my employer or
Mark Minasi
5. On the Bright Side...
Not everyone is hacked everyday
6. This presentation is based on my previous
work...
Fixing the Internet whitepaper and articles
http://weblog.infoworld.com/securityadviser/archives/Fixing_the_Internet_Final.pdf
http://weblog.infoworld.com/securityadviser/archives/2008/05/fixing_the_inte.html
http://weblog.infoworld.com/securityadviser/archives/2008/05/defending_fixin.html
http://www.infoworld.com/d/security-central/internet-fix-no-pipe-dream-452
7. How Bad Is It?
Each year, over 1-in-3 US adults have their
identity information stolen over the Internet
1-in-9 have their identity stolen multiple
times a year
1-in-9 have their stolen identity used in a
given year
8. How Bad Is It?
An average hacker can break into any Internet-
connected company relatively easily
There is little you can do to stop hackers
Break-ins are so common that even when
tens of millions of identities are stolen or
millions of dollars are taken, it often doesn’t
make the news cycle anymore
9. Crimeware
99% of all malware exists to steal your money
The big criminal gangs make hundreds of
millions of dollars each year
McColo, Rockphish, Russian Business Network
Not a single person from any of the major
criminal gangs has been arrested or
prosecuted
10. Every Internet Browser Has Many Exploits
CanSecWest
3 top browsers exploited in an hour
Every newly released “secure” browser is lucky
to last a day before it is exploited
11. How Bad Is It?
Firewalls don’t work
Antivirus software doesn’t work
Fully patching your software doesn’t work
Spam and phishing as bad as ever
Spam is 70-90% of all email traffic
10% or more of all Internet traffic is malicious
Why do we keep doing the same things and
expecting different results??
12. How Bad Is It?
Malware more sophisticated than ever
Not one attack vector, but 20 +
It hides now, doesn’t try to be cute
Fast-fluxing
Rootkit loading
USB infecting
Roving “mothership” web servers
13. Big Holes Still Being Found in the Internet
Kaminsky DNS exploit
Huge MPS/BGP exploit being announced at
the next BlackHat
Kinda kills the “many eyes” concept that
supposedly makes our software secure
Even DJBDNS’s software got hacked twice in a
year
14. Can’t Be Perfect Even If You’re Perfect
Even if all the software goes security
vulnerability free, it won’t stop hacking
Today, 99.999% of malicious hacking occurs
because an end-user is tricked into installing
trojan malware
Antivirus 2008 anyone??
15. How Bad Is It?
After everything every vendor has tried,
pushed, and promoted, computer security
has only gotten substantially worse over the
last 10 years...and even worse over the last 3
years
Nothing any vendor is doing appears likely to
significantly improve computer security over
the next 10 years
16. Problems with Current Solutions
Whack-a-mole solutions
Point-specific defenses (which hackers just
move around to the next weak link)
Security defenses develop slower than
malware
No one is trying to solve the underlying
systemic security problems
No single group dedicated to fixing Internet
security
17. Why Does It Matter?
Can’t we just live with the current state of
things?
I mean, we have survived so far without a
major disruption to our global Internet
society
18. Why Does It Matter?
Because the Internet is becoming more and
more mission critical for real-life
It isn’t just for email and ASCII porn anymore
Global society is becoming more reliant on
the Internet for basic and mission critical
services
19. Why Does It Matter?
SQL Slammer (2003) showed us that most of
the world’s most important, mission-critical
networks are on the Internet
Most major banks went down for multiple days
Foreign hackers are routinely breaking into
our most sensitive, secure, gov’t networks
20. Why Does It Matter?
Where do you buy your airplane tickets?
How did you buy your last concert tickets?
I use web sites to make stock trades, schedule
bulky garbage pick-ups, trip plans, pay college
tuition for my daughters, Skype to call, etc.
My InfoWorld column is only online
How do you think your electronic funds
transfer for your paycheck is transmitted?
21. Why Does It Matter?
What was yesterday’s “nice-to-have” web site
becomes today’s “use it or pay more” for a
regular human
Crackberries...anyone...
The ILOVEYOU worm shut down phone
networks and delayed the delivery of
newspapers
22. Why Does It Matter?
The guy in charge of running the White House
is bragging about using Gmail and Google Docs
Your healthcare records are going online
Stuff that should never be on the Internet
(e.g. nuclear power plants, electrical grids,
911 systems) is on the Internet!!
23. Why Does It Matter?
Even the mission critical stuff that all the
experts assure us isn’t on the Internet...is on
the Internet
Even if it isn’t “on the Internet”, it usually
shares the same physical telecom lines with
the Internet...so if the Internet implodes, so
too, does the non-Internet stuff
24. Why Does It Matter?
Somewhere, there is a tipping point event waiting to happen
25. So How Is the Internet Broken?
Ask yourself, “Why do malicious hackers
hack?”
26. So How Is the Internet Broken?
Answer: Because we can’t catch them
It’s low cost, low risk, and high return
Rob a bank, get $5,000 (maybe), and 10 years in
jail
Rob off the Internet, make hundreds of millions,
and never even get close to being caught
27. So How Is the Internet Broken?
Answer: Because we can’t catch them
I can’t think of a single Internet problem that
doesn’t boil down to problems of identity and
integrity
28. So How Is the Internet Broken?
There is pervasive anonymity
You really have no idea I am who I say I am
There is a lack of accountability
We can’t find the hackers to arrest them
We have a hard time prosecuting all the
companies that knowingly help criminals
There is no way to tell the good companies
from the bad
29. Summary
We have to rebuild all software and hardware
connected to the Internet to fix it
Replace pervasive anonymity with pervasive
identity
Hold people and companies accountable for
bad things and continued poor practices
30. Summary
Dream Team of Security Experts
Rebuild the Internet and everything
connected to it
New Internet-wide security services available
to everyone (think DNS, but for security)
31. Summary
Come up with a global, open group to provide
solutions
Will probably have to be gov’t sponsored
Companies are motivated by greed
There is no money in fixing the commons
Most companies are very risk averse
It will take a “man-on-the-moon” project
32. Dream Team
[Org chart]
Executive Committee (strategic decisions): vendor member directors
Component Tactical Leads: one tactical lead per component
Component Technical Teams: technical team members per component
Public / End-User shared committee participation alongside every level
33. Dream Team (2 year max.)
Made up of global vendors, gov’t,
independent security experts, and public
No single entity controls outcome
One vote per member
Open meetings, open discussions
Any solutions are completely voluntary in
nature
Try to use more “carrot” and less “stick”
34. Dream Team
What can be agreed upon is tabled, but
majority rules
Global participation
Solutions are standards and protocols, not
products
Solutions are 100% open source, although
vendors are welcome to develop commercial
products and implementations
35. Dream Team - Challenges
Global, but also decisive (the UN problem)
How to convince vendors in their own self-
interests to participate?
How to make a global committee responsive?
How to avoid balkanization, standard splits?
36. Possible Internet Security Solutions
Global Security Service
End-to-End Trust
Using Existing Web Standards
37. Global Security Service
Build a global Internet infrastructure service
to provide coordination, advertising, and
publication of the various global security
initiatives
[Diagram: Internet Security Service built from DNS-like, UDDI-like, and IF-MAP-like pieces]
38. Global Security Service
DNS-like - fault-tolerant, distributed “root” servers
dedicated to directing querying clients to the
appropriate security service server(s).
UDDI-like - each participating global sub-root server
would serve up the IP addresses of the corresponding
needed security services (and advertise and publish
such services).
IF-MAP-like - in that the existing sub-root servers
would allow participating members to report and
respond in a global, holistic, multi-service manner.
39. Global Security Service
IF-MAP Standard
If you are not familiar with IF-MAP, in a nutshell, the
Trusted Computing Group’s
(www.trustedcomputingroup.org) IF-MAP standard
(https://www.trustedcomputinggroup.org/specs/TNC
/IFMAP_FAQ_april_28.pdf) allows participating
devices to report security events and receive
notifications from other security devices to be able to
respond in a coordinated fashion.
40. Global Security Service
IF-MAP Example:
Your firewall detects an outbound email originating
from a regular end-user workstation that does not
typically use port 25 outbound
Firewall notifies antivirus software to scan the machine
If the antivirus software is unable to clean the computer,
or unable to find anything, it tells the NAC/NAP client to
shut down and the 802.1X switch kills the network port link
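The coordinated response in this slide, as an added example that is not code from the talk and not the TCG's IF-MAP implementation: a small in-process Python stand-in for a MAP server (metadata attached to identifiers, subscribers told on every publish) with a firewall, an antivirus scanner and a NAC/802.1X enforcer wired to it. The event names, the RFC 1918 addresses, the mail-relay address and the scan outcome handed to Antivirus are constructed for the example; real IF-MAP runs SOAP over TLS with a defined metadata schema, none of which is modelled here.

```python
"""IF-MAP-style coordinated response, simulated in-process.

Added example, not code from the talk or from the TCG IF-MAP specification.
It keeps the shape of IF-MAP (metadata attached to identifiers, subscribers
told on every publish) but uses a plain Python event bus instead of SOAP;
event names, addresses and scan outcomes are constructed for the demo.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Set

Metadata = Dict[str, str]
Subscriber = Callable[[str, Metadata], None]


class MapServer:
    """Stand-in for an IF-MAP server: metadata keyed by identifier (here the
    endpoint's IP address); every publish is pushed to all subscribers."""

    def __init__(self) -> None:
        self.store: Dict[str, List[Metadata]] = defaultdict(list)
        self.subscribers: List[Subscriber] = []

    def publish(self, identifier: str, metadata: Metadata) -> None:
        self.store[identifier].append(dict(metadata))
        for callback in list(self.subscribers):   # copy: callbacks may publish
            callback(identifier, metadata)

    def subscribe(self, callback: Subscriber) -> None:
        self.subscribers.append(callback)

    def search(self, identifier: str, kind: str) -> List[Metadata]:
        return [m for m in self.store[identifier] if m["type"] == kind]


class Firewall:
    """Publishes an event when a host that is not a known mail sender opens
    an outbound TCP/25 connection (the slide's trigger)."""

    def __init__(self, server: MapServer, mail_senders: Set[str]) -> None:
        self.server, self.mail_senders = server, mail_senders

    def observe(self, src_ip: str, dst_port: int) -> None:
        if dst_port == 25 and src_ip not in self.mail_senders:
            self.server.publish(src_ip, {"type": "event",
                                         "name": "unexpected-outbound-smtp"})


class Antivirus:
    """Scans the flagged host and publishes whether it could clean it.
    scan_outcomes is a constructed table standing in for a real scan."""

    def __init__(self, server: MapServer, scan_outcomes: Dict[str, bool]) -> None:
        self.server, self.scan_outcomes = server, scan_outcomes
        server.subscribe(self.on_publish)

    def on_publish(self, identifier: str, metadata: Metadata) -> None:
        if metadata.get("name") != "unexpected-outbound-smtp":
            return
        cleaned = self.scan_outcomes.get(identifier, False)  # unknown host: not cleaned
        self.server.publish(identifier, {"type": "av-result",
                                         "cleaned": "yes" if cleaned else "no"})


class NacEnforcer:
    """NAC/NAP client plus 802.1X switch: a host the AV could not clean (or
    found nothing on) loses its port, and the enforcement is published."""

    def __init__(self, server: MapServer) -> None:
        self.server = server
        self.disabled_ports: Set[str] = set()
        server.subscribe(self.on_publish)

    def on_publish(self, identifier: str, metadata: Metadata) -> None:
        if metadata.get("type") == "av-result" and metadata["cleaned"] == "no":
            self.disabled_ports.add(identifier)
            self.server.publish(identifier, {"type": "enforcement",
                                             "action": "port-disabled"})


def run_scenario(src_ip: str, av_can_clean: bool) -> Dict[str, object]:
    """Wire the three devices to one server and replay a single connection."""
    server = MapServer()
    Antivirus(server, {src_ip: av_can_clean})
    nac = NacEnforcer(server)
    firewall = Firewall(server, mail_senders={"10.0.0.5"})   # the site's mail relay
    firewall.observe(src_ip, 25)
    return {"quarantined": src_ip in nac.disabled_ports,
            "trail": [m["type"] for m in server.store[src_ip]]}


if __name__ == "__main__":
    print(run_scenario("10.0.0.15", av_can_clean=False))   # workstation, AV fails
    print(run_scenario("10.0.0.15", av_can_clean=True))    # workstation, AV cleans
    print(run_scenario("10.0.0.5", av_can_clean=False))    # mail relay: no event
```

The trail recorded on the server is the audit record the slide's coordination needs afterwards: who raised the event, what the scanner concluded, and who pulled the port. Note that the enforcer acts on the scanner's verdict alone; in a real deployment a publish from an unauthenticated client would let anyone on the network quarantine any host, so the MAP server's client authentication is the security boundary, not the event logic.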
41. Global Security Service
New Security Service:
Be like local IF-MAP solution, but provide information
globally
42. Global Security Service
[Diagram: a Global Internet Security Infrastructure Service at the top, made up of protocol/application-specific global servers. Below it, across each network security boundary, the Internet/cloud and the locally regulated endpoints, each behind a local IF-MAP service that coordinates that network's security defenses.]
43. Global Security Service
Examples:
Your network or web server comes under attack by a
DDoS attack. Your local IF-MAP security device could
connect to a root Internet security server and get
directed to one or more services to allow an efficient
response and defense to the attack. Your network
could get subscribed on-the-fly to an anti-DDoS
service, fire up additional availability resources on
new IP spaces, or lead all the other participating
networks into shunting off the offending bot-infected
computers.
44. Global Security Service
Examples:
Your company participates in a global
whitelist/blacklist of IP addresses. Your company’s
whitelist/blacklist servers/service could contact the
global root servers to get instantaneous updates of
the Russian Business Networks’ changing IP address
space.
45. Global Security Service
Examples:
Your anti-spam device or anti-phishing filter can learn
instantly when a massive new spam or phishing attack
occurs instead of waiting for a vendor update or
allowing only the already existing global email
servicers to learn about the attack.
46. Global Security Service
Examples:
Suppose a MySQL-based, Slammer-type zero-day worm
gets launched that can succeed against every
reachable MySQL server on the Internet.
Your firewall could be notified of the zero-day attack
and shut down the port until a better remedy is
provided.
SQL Slammer infected most vulnerable SQL Server hosts on
the Internet in under 10 minutes. It went off at 1AM EST. By
the time sysadmins were alerted, it was over
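The four scenarios above all assume a subscriber can trust what the root servers hand it, which makes the feed itself a high-value target: a forged update could unblock a criminal network's address space, and a replayed one could reinstate a rule the service had withdrawn. The following Python is an added example, not code from the talk or from any global security service; it shows the checks a consumer of such a feed would want before acting on an update (authenticity, freshness, and a monotonic sequence number against replay) and then applies the result to a firewall-style block set. The update format, the shared HMAC key, and the prefixes (RFC 5737 documentation ranges) are assumptions constructed for the example; a deployed service would sign updates with a public key so that subscribers hold no signing secret.

```python
"""Consumer of a signed global block-list feed (added example).

Not code from the talk or any real service. Update format, key and
prefixes are constructed for the demo; HMAC is used only because it is in
the standard library, a real feed would use public-key signatures.
"""
import hashlib
import hmac
import ipaddress
import json
from typing import Dict, Optional, Set

FEED_KEY = b"constructed-demo-key"   # shared secret, demo only
MAX_AGE_SECONDS = 300                # reject updates older than this


def canonical(body: dict) -> bytes:
    """Deterministic JSON so publisher and consumer sign the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(update: dict, key: bytes = FEED_KEY) -> dict:
    """Publisher side: attach an HMAC-SHA256 over the canonical body."""
    body = {k: v for k, v in update.items() if k != "sig"}
    sig = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


class BlocklistConsumer:
    def __init__(self, key: bytes = FEED_KEY) -> None:
        self.key = key
        self.last_seq = 0
        self.blocked: Set[ipaddress.IPv4Network] = set()

    def apply(self, update: dict, now: int) -> Optional[str]:
        """Return None when the update was applied, else the rejection reason.
        Order matters: verify the signature before trusting any field."""
        body = {k: v for k, v in update.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(update.get("sig", ""))):
            return "bad signature"
        if body.get("seq", 0) <= self.last_seq:
            return "replayed or out-of-order sequence"
        if abs(now - body.get("issued", 0)) > MAX_AGE_SECONDS:
            return "stale update"
        try:
            add = {ipaddress.IPv4Network(p) for p in body.get("add", [])}
            remove = {ipaddress.IPv4Network(p) for p in body.get("remove", [])}
        except ValueError:
            return "malformed prefix"
        self.blocked = (self.blocked - remove) | add
        self.last_seq = body["seq"]
        return None

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.blocked)


def demo() -> Dict[str, object]:
    """Genuine, replayed, tampered and stale updates against one consumer."""
    now = 1_700_000_000                       # constructed clock value
    consumer = BlocklistConsumer()
    u1 = sign_update({"seq": 1, "issued": now, "add": ["203.0.113.0/24"]})
    u2 = sign_update({"seq": 2, "issued": now + 60, "add": ["198.51.100.0/24"]})
    forged = dict(u2, remove=["203.0.113.0/24"])   # body edited after signing
    stale = sign_update({"seq": 3, "issued": now - 3600, "add": []})
    return {
        "first": consumer.apply(u1, now),
        "second": consumer.apply(u2, now + 60),
        "replay": consumer.apply(u1, now + 60),
        "forged": consumer.apply(forged, now + 60),
        "stale": consumer.apply(stale, now + 60),
        "blocked": consumer.is_blocked("203.0.113.7"),
        "not_blocked": consumer.is_blocked("192.0.2.1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The sequence counter is what turns "the root servers said so" into "the root servers said so, after everything I have already applied": without it an attacker who captured yesterday's signed update could re-send it to undo today's removal, and the signature alone would not catch that.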
47. Global Security Service
[Diagram: a Global Internet Security Infrastructure Service, fed by the Internet, private entities, etc., fronting component services such as a global black-list, global anti-malware signatures, a global early warning system, and a global phish-list server.]
48. End to End Trust Solution
Trust Components
Hardware
OS Boot Process and Loading
Device and User Identity
Network Stack and Protocols
Applications
Network Transmission Devices and Packets
Communication Sessions
49. End to End Trust Solution
Not Microsoft’s End-to-End Trust
Based originally on Trusted Computing Group’s work
50. End-to-End Trust
Make each Internet egress network responsible and
accountable for the security and trust of the endpoints in their
network.
This applies to corporate environments as well as to ISPs being
responsible for the security of their end-user clients (to a
variable degree).
Each egress network access point would be known as a “trust
network”, and the management and technical teams
responsible and accountable for implementing improved
security trust mechanisms (e.g. egress filtering, two-factor
authentication, anti-malware, secure coding practices, etc.).
51. End-to-End Trust
A world-wide community consortium of computer security
experts would transparently decide what levels of trust are
assigned to the various trust components and how various
trust networks earn increasing levels of trust.
Egress points with poorly demonstrated levels of security will
be given a low trust rating, and that rating known to all
participants (e.g. world-wide trust rating list).
This should encourage trust networks to improve their security
to be rated higher, and at the same time hold accountable
questionable networks (e.g. Russian Business Network’s
malicious IP space).
52. End-to-End Trust
Trust Assurance Levels
Various trust assurance level values are
assigned to each trust component in the trust
pathway
Authentication + Infrastructure Trust + Identity Assurance = Aggregate Trust Assurance Level
53. End-to-End Trust
Trust Assurance Levels
Authentication Type                        | Trust Assurance Level Assignment
Simple user name and password              | Low
Username, PIN, and Biometric / Token       | Medium
Smartcard, Biometric and PIN               | High
54. End-to-End Trust
Trust Assurance Levels
Infrastructure Example Scenario                                               | Trust Assurance Level Assignment
Logon session originating from a known malicious IP address space             | Low
Logon session originating from a trusted, classified government network       | High
Smart card using “short” 1024-bit public key                                  | Medium
Questionable service provider who has been “warned” about continued, past illegal activities | Low
Network packet with “too many” hops, indicating excessive routing             | Low
Logon session originating from a shared wireless network available to the public or an Internet cafe | Low
Logon session originating from a static, unchanging IP address                | Medium
55. End-to-End Trust
Trust Assurance Levels
Aggregated Trust Level Example Scenario                                                      | Aggregated Trust Assurance Level Assignment
Anonymous identity, password only, coming from an untrusted service provider                 | Lowest
True identity with compromised biometrics coming from a trusted service provider             | Low
Anonymous identity with 3rd-party attestation, using a password on a trusted origination point | Medium
True identity of long-term, outstanding character, on a highly trusted service provider, using Smartcard + PIN | High
56. End-to-End Trust
Trust Assurance Levels (at the packet level)
[Diagram: two packets side by side, each with a header including crypto info, per-layer trust rankings, and a signed and encrypted data payload.
Packet A: Network Trust Ranking = 3, Session Trust Ranking = 4, Identity Trust Ranking = 5, Physical Trust Ranking = 3; Overall Trust Ranking = 4.
Packet B: Network Trust Ranking = 2, Session Trust Ranking = 3, Identity Trust Ranking = 2, Physical Trust Ranking = 4; Overall Trust Ranking = 3.]
57. End-to-End Trust
These global trust ratings would be sharable and
available to each communicating trust network.
Each receiving trust network can decide how to treat
incoming traffic based on the originator’s trust rating;
and even provide custom trust ratings to trusted
private trading partners (regardless of the packet’s
tagged trust).
Traffic with higher ratings of trust should be inspected
less and be delivered faster to end-points.
58. End-to-End Trust
Trust Gateways
Each trusted network should implement a trust
gateway device (which can be a separate component
or integrated into other egress/ingress point devices
and software
The trust gateway device is responsible for tagging
egress traffic with a community decided upon trust
rating, and appropriately handling (and handing off)
incoming traffic based upon the trust rating with
which it is marked.
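Added example in Python (not the talk's or any product's implementation) showing two things slides 52 through 58 leave open: how the component ratings combine into an aggregate level, and what a receiving trust gateway does with the tag on an incoming packet. Rankings run 1 (lowest) to 5 (highest) as in the packet diagram; the mapping of Low/Medium/High onto 1/3/5, the component names, the community rating table, the partner override and the network names are all assumptions constructed here. The aggregate is computed both by averaging (the additive formula on slide 52) and by weakest link; the rows of slide 55 give different answers under the two rules, so the community would have to fix the rule before ratings from different networks are comparable. On ingress the tag is capped by the community rating of the origin network, so a network cannot rate its own traffic above what the community has given it; this assumes the tag arrives authenticated (the signed header in the diagram), since an unsigned tag is nothing more than a request to be inspected less.

```python
"""Trust assurance aggregation and trust-gateway ingress handling.

Added example, not from the talk or any product. Rankings are 1..5 as in
the packet diagram; Low/Medium/High are mapped onto 1/3/5 here as an
assumption, and all names and ratings below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, Optional

LOW, MEDIUM, HIGH = 1, 3, 5   # assumed mapping of the slide labels onto 1..5


@dataclass(frozen=True)
class TrustComponents:
    authentication: int   # credential strength: password=LOW ... smartcard+PIN=HIGH
    infrastructure: int   # rating of the origin network / service provider
    identity: int         # identity assurance: anonymous=LOW ... vetted true identity=HIGH

    def by_average(self) -> int:
        """Additive scheme (slide 52): a strong factor can mask a weak one."""
        return round((self.authentication + self.infrastructure + self.identity) / 3)

    def by_weakest_link(self) -> int:
        """Conservative scheme: the pathway is only as trustworthy as its worst link."""
        return min(self.authentication, self.infrastructure, self.identity)


def label(rank: int) -> str:
    """Collapse a 1..5 ranking back onto the slide's Low / Medium / High labels."""
    return "Low" if rank <= 2 else "Medium" if rank <= 4 else "High"


class TrustGateway:
    """Ingress side of a trust gateway (slide 58). The tag a packet carries is
    capped by the community rating of the network that sent it, unless a
    private partner override applies, and the result picks an inspection tier."""

    def __init__(self, community_ratings: Dict[str, int],
                 partner_overrides: Optional[Dict[str, int]] = None) -> None:
        self.community_ratings = community_ratings
        self.partner_overrides = partner_overrides or {}

    def effective_trust(self, origin_network: str, tagged_trust: int) -> int:
        if origin_network in self.partner_overrides:      # slide 57: custom rating
            return self.partner_overrides[origin_network]
        # Unknown networks get the lowest rating; a tag can never raise traffic
        # above what the community has rated its origin network.
        community = self.community_ratings.get(origin_network, 1)
        return min(tagged_trust, community)

    def inspection_tier(self, origin_network: str, tagged_trust: int) -> str:
        trust = self.effective_trust(origin_network, tagged_trust)
        if trust >= 5:
            return "fast-path: signature check only"
        if trust >= 3:
            return "standard inspection"
        return "full inspection and rate limit"


def demo() -> Dict[str, object]:
    """Slide-55 rows under both rules, then four ingress cases at one gateway."""
    compromised_biometric = TrustComponents(LOW, HIGH, HIGH)    # slide 55, row 2
    attested_anonymous = TrustComponents(LOW, HIGH, MEDIUM)     # slide 55, row 3
    gateway = TrustGateway(
        community_ratings={"as64496.example": 5, "as64511.example": 1},  # constructed
        partner_overrides={"partner.example": 4},                        # constructed
    )
    return {
        "biometric_avg": label(compromised_biometric.by_average()),
        "biometric_min": label(compromised_biometric.by_weakest_link()),
        "attested_avg": label(attested_anonymous.by_average()),
        "attested_min": label(attested_anonymous.by_weakest_link()),
        "trusted_origin": gateway.inspection_tier("as64496.example", 5),
        "self_rated_tag": gateway.inspection_tier("as64511.example", 5),
        "unknown_origin": gateway.inspection_tier("nowhere.example", 5),
        "partner": gateway.inspection_tier("partner.example", 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "compromised biometrics" row comes out Medium by averaging and Low by weakest link; the slide assigns Low, while the "attested anonymous" row only reaches the slide's Medium by averaging. Whichever rule the community picks, the cap in effective_trust is the part that matters to a defender: a low-rated network tagging its own traffic 5 gains nothing, which is exactly the accountability the previous slides ask for.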
59. End-to-End Trust
[Diagram: a Global Internet Security Infrastructure Service holding community trust rating servers. Each trust network sits behind a trust gateway at its network security boundary; the Internet/cloud and the regulated endpoints exchange traffic through these gateways, which consult the community trust rating servers.]
60. End-to-End Trust - In Conclusion
Thus, a roving malware network, with constantly
changing IP addresses could be tracked and identified
by the global trust servers. No longer could malware
writers hide behind fast-fluxing IP and DNS domain
name changes.
61. End-to-End Trust - In Conclusion
Another example, could be a previously highly trusted
network or web site becomes infiltrated by malware.
During the active attack, the compromised network or
host could be assigned a lower trust rating, and that lower
trust rating communicated to all participating parties.
Once the malware was cleaned up and the network or
host running clean again, its trust rating could be
improved, maybe slowly at first. But certainly after a set
period of time, it could regain its original trust rating, or
actually improve it beyond the original if newer, more
secure practices were used.
62. End-to-End Trust - In Conclusion
Currently, there is no way for the Internet community,
globally, to be aware that a particular, popular host or
network is compromised.
With more and more legitimate sites being used to
host malware, we need some sort of warning system.
63. Use Existing Web Standards
The Best Part??
All of the previously mentioned stuff can be
implemented using web service standards
that exist today!
We need only agree upon a solution
64. Use Existing Web Standards
IPv6
DNSSEC
X.500 directories
X.509 digital certificates
Trusted Network Connect
Trusted Platform Module (TPM) chip
Network Access Control (e.g. NAP, etc.)
65. Use Existing Web Standards
WS-* (Web Service Extensions)
WS-Security
WS-Federation
WS-Trust
OpenID
RADIUS
SAML 2.0
66. Use Existing Web Standards
Basic Components
[Diagram: Content Provider (website), Authentication Providers (AP), Cloud Services, and the End-User]
67. Use Existing Web Standards
You, your company, your client...can be all
three components at some point
69. Use Existing Web Standards
Your company can provide the authentication
service
You can run an authentication/trust gateway
device
Or you can buy into an authentication service
that does all the heavy lifting
70. Basic Layers
[Diagram, top to bottom:]
AP Layer: Authentication Provider; Authentication Provider; Legacy Password System behind an Authentication Gateway Service; Non-Compliant Authentication System behind an Authentication Gateway Server
Content Provider Layer: Content Provider; Content Provider; Content Provider; CP
End-User
71. Not a Pipe Dream
Many national/regional infrastructures are already
headed down this path
Singapore’s National Authentication Framework
Italian Inter-Regional Identity Federation (ICAR-INF3)
European STORK project (http://www.eid-stork.eu)
United States Federal Bridge Certification Authority
(http://www.cio.gov/fpkia)
* But none is global in scope, and none focuses purely on
security and how to “fix” the Internet
72. Likelihood For Internet Fix To Happen?
Not likely until a tipping point event happens
Then we’ll collectively run around with our heads in
the sand and wonder how we could have let this
happen
(See global financial crisis, 9-11, etc.)
We are not very good at proactive defenses until the
big damage has occurred
73. The End
Fixing the Internet
It’s just that easy.
Or if you don’t like my plan, how would you fix it?
Questions?