1 Speculating about Tomorrow’s Threats Simson L. Garfinkel MIT CSAIL.


Speculating about Tomorrow’s Threats

Simson L. Garfinkel

MIT CSAIL


What’s the worst case scenario?


Worst Case Scenarios…

• Turn off the electricity
  – Kills the computers

• Turn off the water
  – Kills the people

• Shut down websites/routers/countries/Internet

• Make the Democrats win an election
  – (to affect US foreign policy…)

• Surely we can do better…


Computer Virus Jumps to Humans!

• “A quickly spreading computer virus is somehow jumping from PCs to their human computer users --- and killing them!”


How would a computer make a human virus?

• Nanometer-scale assemblers… ?

Source: NASA

Source: John Milanski


Mail Order Polio

First Synthetic Virus Created: July 11, 2002

• Researchers @ Stony Brook

• Polio Virus sequence downloaded from Internet

• DNA sequence sent to a “mail-order supplier”

• Transcribed to RNA in lab

• Injected into mice.

• “The animals were paralyzed and died.”

http://www.sciencenews.org/20020713/fob8.asp


MWG RNA & siRNA synthesis

How to order

• Log in

• Enter Ship to, Bill to, and PO

• Enter oligos in large quantities by pasting in columns of name and sequence pairs from Excel

• Display sequence

• Enter comments

• Check out

(877) MWG-BTEC


Making this threat credible…

• Distribution of “dangerous” information that could be easily misused.

• Computer viruses that become human viruses…

• Hacking biological systems that makes products more dangerous than people suspect…


Take Home Point #1

Biology and IT are becoming the same thing.

Viruses are information.

… gives a whole new meaning to “blended threats…”


Can what’s on this disk kill you?


PGP was on that disk…

• Back in the 1990s, the FBI said that encryption could kill us!

• Encryption in the hands of:
  – Drug dealers
  – Terrorists
  – Pedophiles
  – Organized crime

(The real threat was encryption in the hands of spammers…)


What if the disk just has an essay … or an article?


“The Riddle of the Universe and Its Solution”

Professor Dizzard works on artificial intelligence software.

Dizzard is found staring deep into his screen at the end of an Easter vacation.

Some of Dizzard’s students follow his unfinished work…. The students pass into the coma.

An epidemic begins to spread…. At a university, a whole class goes off into the “Riddle Coma.”

The coma is caused by: “The Gödel-sentence for the human Turing-machine – it causes the mind to jam.”

“There is no way to solve the Riddle coma… but we can decrease further coma outbreaks.”


Today’s Dangerous Ideas

Distributed by networks; motivating people to violence

“Leaderless Resistance”
  – Political violence without organization
  – Originated in America by Louis Beam for fight against US Government
  – Adopted by radical left.

Abortion Doctor Killers
  – Nuremberg Files Website.

SHAC (Stop Huntingdon Animal Cruelty)
  – Practically bankrupt Huntingdon Life Sciences.

ELF (Earth Liberation Front)
  – arson training manual

ELF Attacks:
  – August 1st - $20M fire in San Diego
  – August 22nd – Attacks against SUVs
  – July 2nd - $700,000 against two new homes.


“If you build it --- we will burn it”


… we don’t believe in censorship …

• Unless it is “hate speech” and you are on a college campus

• Unless it is “copyrighted music” (or samples of copyrighted music) and you are the RIAA

• Unless it is “source code” and you are Diebold Election Systems

Increasingly, the United States does believe in Censorship, and the Internet is making censorship harder… for many Americans, this is a worst case scenario!


DMCA & Friends Making Computers Less Secure

• Outlawing computer security research?

• Criminalizing disclosure of vulnerabilities?

• The Future: Mandating Computer Systems With Back Doors for the RIAA!


Back to Computers…


Computer Worms and Viruses

• Strengths of Today’s Worms and Viruses:
  – Clog email systems
  – Send spam
  – Plant backdoors
  – Fast spreading

• Weaknesses:
  – Buggy
  – Poorly Designed

Bellovin: No Network is safe!


PC Viruses for Spamming

• Wake up at 2am

• Get a HotMail account

• Send 10,000 messages to Yahoo / AOL

• Go back to sleep

OLD SLIDE!

• Yahoo and HotMail now using Reverse Turing Tests to prevent automated sign-up

• Spammers now manipulating BGP announcements…

Manual today… Could be automated tomorrow


Viruses that Destroy Hardware

CIH/Chernobyl Virus
  – “Erase entire hard drive and overwrite the system BIOS.”
  – BIOS chip or motherboard must be replaced

April 26, 1999
  – One million computers destroyed.
  – Korea: $300M
  – China: $291M

May be an easy attack today with web-based BIOS upgrades.


Computers can start fires!

• HCF instruction joke

• HP OfficeJet Printer fax copiers
  – March 1995
  – 10,000 machines recalled
  – “generate internal temperatures high enough to burn a wayward human hand and … even start a fire”

• Video Monitors?

• SCADA systems have failsafes, but consumer equipment may not.


Shut down the 911 System!

ICMP Echo Request: “+++ATH0;M0;DT911”

… ping 100,000 AOL or EarthLink subscribers

[Diagram labels: attacker, Clueless Users, 911]


Shut down the Internet

• Most of the Internet is run by Cisco Routers

• Lots of equipment is in inaccessible locations
  – Equipment closets in unattended locations
  – Co-location facilities that are effectively unattended (“warm hands” are over-rated).


Cisco: Realistic Risk?

Vulnerabilities and remote exploits have been found in Cisco’s operating system.

Bellovin said that the source code is available — but does it matter?


Cisco Router Virus: Design

• Phase 1: Penetrate

• Phase 2:
  – Set up a large-scale distributed hash table using Chord or similar technology.
  – Distributed scanning for vulnerable machines.
  – Coordinate penetration and propagation of new machines.

• Phase 3:
  – Simultaneously all infected routers stop routing packets.
  – Erase router configuration.
  – Flood all network interfaces with broadcast requests.


VoIP makes Router Attacks Better!

When the Internet breaks, we call other people using the phone system.

When the phone system breaks, we send email!

With VoIP, the Internet is the phone system!!!

… bad idea.


VoIP

• Advantages:
  – A single wire for data & voice
  – Cuts cost of telecom

• Disadvantages:
  – A single wire for data & voice (no redundancy)
  – Cuts cost of telecom (so security stands out more)

• VoIP is growing fast:
  – Many home users are giving up on POTS
  – Increasingly, you may be using VoIP without knowing it!

• The “Phone System” is not a higher-priced alternative internet. It is increasingly the same Internet, just at a higher price.


How fast can a virus propagate?

• Code Red propagation statistics
  – Most hosts infected within 12 hours
  – Source: CAIDA (Cooperative Association for Internet Data Analysis)


Sapphire / Slammer

• Doubled every 8.5 seconds

• Infected 90% of vulnerable hosts in 30 minutes.
  – 74,855 hosts
  – Reasons:
    • 1 packet infection
    • UDP, not TCP


Theoretical Minimum: 30 seconds?

• Flash Worm Paper
  – “Flash Worms: Thirty Seconds to Infect the Internet”
  – Stuart Staniford, Gary Grim, Roelof Jonkman
  – http://www.silicondefense.com/flash/
  – August 16, 2001

• Warhol Worms
  – “How to 0wn the Internet in your Spare Time”
  – Stuart Staniford, Vern Paxson, Nicholas Weaver
  – http://www.cs.berkeley.edu/~nweaver/cdc.web/
  – August 2002


Need for virus education!

• Virus-writers are not reading the academic literature.

• Perhaps that new “how to write a computer virus” course will help.


Perhaps “low and slow” is better

• Much less likely to be detected

• Less likely to attract media attention

• The real reason that most worms have been caught is that their scanning and propagation functions overwhelm our networks.


“Netgear Attack”

• Netgear hard-coded the address of WISC’s NTP server into its home router.

• NTP implementation flawed:
  – instead of backing off on no answer, it pinged harder!

• WISC’s initial contacts to Netgear ignored.

• http://www.cs.wisc.edu/~plonka/netgear-sntp/
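
The back-off failure described on this slide, as an added simulation that is not from the original slides or from Netgear's firmware. The polling interval, the one-second retry and the back-off parameters are all assumed values chosen for illustration.

```python
import random

POLL_INTERVAL = 3600   # assumed normal polling interval, seconds
FLAWED_RETRY = 1       # assumed: flawed client retries every second on no answer
BACKOFF_BASE = 64      # assumed first retry delay for the well-behaved client
BACKOFF_CAP = 3600     # assumed ceiling on the retry delay, seconds


def flawed_times(start, window):
    """Send times for a client that keeps retrying at a fixed short interval."""
    return list(range(start, window, FLAWED_RETRY))


def backoff_times(start, window, rng):
    """Send times for a client using capped exponential back-off with jitter."""
    times, t, delay = [], float(start), BACKOFF_BASE
    while t < window:
        times.append(t)
        # Wait between delay/2 and delay so clients drift apart, then double.
        t += rng.uniform(delay / 2, delay)
        delay = min(delay * 2, BACKOFF_CAP)
    return times


def fleet_load(policy, clients, window, seed=1):
    """Simulate a server that never answers.

    Returns (total queries sent, peak queries in any one second).
    """
    rng = random.Random(seed)
    per_second = [0] * window
    for _ in range(clients):
        # Each client notices the outage at its next scheduled poll.
        start = rng.randrange(POLL_INTERVAL)
        if policy == "flawed":
            times = flawed_times(start, window)
        else:
            times = backoff_times(start, window, rng)
        for t in times:
            per_second[int(t)] += 1
    return sum(per_second), max(per_second)


def compare(clients=1000, window=2 * POLL_INTERVAL):
    """Load on the silent server under each retry policy."""
    return {
        "flawed": fleet_load("flawed", clients, window),
        "backoff": fleet_load("backoff", clients, window),
    }


if __name__ == "__main__":
    for name, (total, peak) in compare().items():
        print(f"{name:8s} total={total:>9d} peak/s={peak}")
```

With the flawed policy the peak rate equals the number of deployed devices, so the load on the server scales with units sold rather than with anything the server operator controls.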


Take Home Point #2

Computer/Network viruses can be far faster and more destructive than they are today

Attacks might not even be intentional!


New Virus Platform #1: Cell phones?

• Previous SMS viruses were pathetic
  – Fake ring tone?
  – Fake Java game?

• Nokia has recalled vulnerable handsets


SMS Virus

• A “really good” SMS Virus would:

  – Receive as an SMS message.
  – Sends self to
    • last 20 people who called phone
    • everybody in phone address book
  – Lock phone with new PIN.
  – After 4 hours, floods cell phone network with repeated phone calls and SMS message (DDOS)

• Results:
  – Everybody needs a new cell phone
  – Cell phone network rendered inoperable.


What’s Needed for that SMS Virus?

• Way to execute code on cell phone:
  – Open programming environment, or someone with inside knowledge.
  – Bug in incoming SMS message handler
  – Longer SMS messages, or way to string SMS messages together, or way to download code from a website
  – Perhaps you could do it today with a Palm or Windows “smart phone” … but not enough market penetration.
  – Java phones!!!

• Serious network vulnerability … when? 2004? 2007?


Cell Phone Virus Alternative

Instead of distributing from cell phones, distribute using a PC-based virus.

Serious network vulnerability: today.


New Virus Platform #2: Car Computers (telematics)

Radio-based:
  – Location monitoring
  – Position reporting

Remote control:
  – Door lock/unlock
  – Ignition Kill

Next-generation system:
  – Two-way communication
  – Integration with entertainment system

Questions:
  – Security?
  – Authentication?
  – Encryption?

#1 Danger: companies deploying these systems have little experience with network security.


OnStar: Security?

“All communications between the vehicle and OnStar call center are through the analog wireless network at this time.” 

“OnStar uses a proprietary and confidential communication protocol (Air Interface) for transmitting and receiving data between the call center and the vehicle.”

“OnStar uses an authentication process similar to those used by the cellular industry to prevent unauthorized access to the OnStar system in the vehicle.”


OnStar: Security?

• 300-baud analog modem with analog cell phone

• PPP with CHAP authentication

• No encryption

• Real question: authenticating the caller!
  – (but that probably isn’t an automated attack.)


Take Home Point #3

• New Platforms are opening up for attackers

• Many opportunities for cross-platform attacks

• Companies deploying new platforms have little experience with security issues.


Defending Against Tomorrow’s Threats…

• Spyware…


Solution: Automatic Update…

1. Go to the Internet
2. Download code
3. Run it

Keeps everybody’s operating system patched and up-to-date!

Great for:
1. Updating buggy software
2. Adding bugs to reliable software
3. Taking over millions of machines simultaneously


But what’s the problem?

• People don’t install patches?

• Operating systems are buggy and overly complex?

• Need for a continued revenue stream?

• Need to find and destroy pirate copies?


Subvert Automatic Update!

• Update from DNS name…

– He who controls the DNS, controls the Internet!

• Fortunately, most systems protected with digitally signed updates

• Unfortunately, certificate authorities can be hacked…


Certificates that come with IE6

Just buy yourself a certificate authority…


Solution: Notify People of Security Problems!

Seems like a good idea…

…Until you get 3,000 alerts in one day!

From MAILER-DAEMON Wed Sep 10 16:37:13 2003
Date: Wed, 10 Sep 2003 16:36:50 -0400
From: "MailScanner" <[email protected]>
To: [email protected]
Subject: Warning: E-mail viruses detected

Our virus detector has just been triggered by a message you sent:-
  To: jack@localhost
  Subject: Re: Thank you!
  Date: Wed Sep 10 16:36:49 2003

One or more of the attachments (your_document.pif) are on
the list of unacceptable attachments for this site and will not have
been delivered.

Consider renaming the files or putting them into a "zip" file to avoid
this constraint.

The virus detector said this about the message:
Report: Shortcuts to MS-Dos programs are very dangerous in email (your_document.pif)

--
MailScanner
Email Virus Scanner
www.mailscanner.info
Mailscanner thanks transtec Computers for their support


Solution: Just Secure the Stuff That Matters…

• Do you secure:
  – HTML rendering code?
  – JPEG display routines?
  – Keyboard drivers?
  – Macro engine?
  – File Load & Save routines?
  – XML parser?

• What software does not need to be secured?


Diversity is hard! (and expensive)

• SNMP Vulnerability

• OpenSSL Vulnerability

• Sendmail vulnerabilities

• In all of these cases:
  – Common implementation affected many platforms


Redundancy is hard! (and expensive)

We expect reliability, but we don’t want to pay for it….

Do you have a backup:
  – laptop?
  – car?
  – spouse?
  – California Power Grid?

Should you build 1 data center or 2?

(Even if the big companies learned from 9/11, many others didn’t.)

Alternative: have just one, but take care of it.

Does the future hold more redundancy, or less?


“Genetic Diversity”

• The big take-home from yesterday was that Genetic Diversity is good!

• But that’s just because we don’t have it today!– “The grass is always greener…”

• Back in the 1980s, we had genetic diversity!
  – The reason that we standardized is that people couldn’t properly administer a diverse system!


Take Home Point #4:

4.1 We don’t know if diversity or uniformity promotes a more secure computing environment

4.2 We don’t know how to build true diversity. (5 operating systems is not genetic diversity.)


Four “Next Generation” attacks:

• Spam

• Wi-Fi

• RFID

• MTM


Spam

• The big problem.

• How do we limit the use of a free resource?
  – Willingness to receive email?
  – Network bandwidth?
  – People’s attention?

• Spammers are becoming exquisite attackers

• Two kinds of solution:
  – Payment-based
  – Content analysis


Is this spam?

To: [email protected]
From: XXXXXX <[email protected]>
Subject: Hi old friend!

Dear Simson,

We were best-friends back in fourth grade. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html.

Take a look!


Is this spam?

To: [email protected]
From: CCCCCCCC <[email protected]>
Subject: Windowless Room

In your O'Reilly "history article, you wrote:

 > Many schools found that buying a few Apples and putting them
 > on a table in a windowless storage room was a cheap way to
 > add "computing" to their curriculum

I remember that room!    :)

[email protected]
http://www.yyyyyyyy.com/~XXXXXXXXXXw


To: [email protected]
From: XXXXXX <[email protected]>
Subject: Hi old friend!

Dear Simson,

We were best-friends back in fourth grade at Haverford Friends. I saw your name the other day and remembered how we used to hang out together. Anyway, I hope that it’s okay for me to send you this email. I found some photos of you and uploaded to my web site at http://www.iphoto.com/XXXXXXX/for_simson.html.

Take a look!

SPAM

“Windowless Room”


Wi-Fi (802.11)

• Key issues to date have been:

  – Eavesdropping
  – User authentication

• New issue:
  – Access Point authentication


This attack is:

- Hard (impossible) to detect

- Easy to implement

- Portable


Monday Night, 8:34pm


Network Forensics

• Does “default” at 68.86.222.205 know what I was sending across their Internet Connection?

• Would it make sense for them to capture it?
  – 1/2 of a 60GB hard drive will hold 30 days of traffic for a typical cable modem…

• Would it make sense for them to avoid capturing it?


RFID

• Radio tags…


RFID

http://www.namazu.org/~satoru/playstand/

Smaller than your fingernail…


RFID Everywhere…


RFID “Doomsday Scenario”

• Link all objects with identity

• Track everything everywhere

• How do you tell legitimate readers?

• How do you tell legitimate tags?

• The “privacy” problem is really a security problem.


MTM: The “Ultimate” attack…


Mind-to-Machine

http://bnb.spiritshigh.com/characters/traits/4831.html


Other approaches to M2M

“Neural Interfaces”

– Electrooculogram (EOG) (skin interface)

– Electromyogram (EMG) (muscle movement)

– Electroencephalogram (EEG) (brainwaves)

– Electrocardiogram (EKG) (heart)

– Neural electrode (directly from brain)

(source: betterhumans.com)


(source: DARPA)


M2M Applications

“Reverend Ray Kurzweil”

• Mind Uploading & Backup
  – Staggering copyright issues

• Mind downloading
  – Keep the body; change the person
  – Better than the death penalty!

• Mind wiretapping
  – Do you need a warrant under PATRIOT?

• Do you need a firewall for your brain?
  – Merri does


These attacks are all “spoofing attacks”

• Spam

• Wi-Fi

• RFID

• MTM

• Use computers to attack people.


Take Home Point #5:

Spoofing attacks the human mind.

We don’t know how to make humans more secure.


5 Ways to Build A More Secure Network.

• Restrict the flow of dangerous code and information to prevent its misuse. (Polio Virus)

• Stop Researching how to make “better viruses.”

• Limit the extension and reach of computer technology: keep computers in their place.

• Standardize on one computing platform and make sure it is secure.

• Teach people how to recognize and avoid spoofing attacks.

• Celebrate the flow of dangerous information; actively research better defenses.

• Teach virus-writing and virus-cracking.

• Aggressively put advanced computer technology everywhere: the benefits outweigh the risks.

• Deploy many different architectures and operating systems.

• Automate decision making to eliminate the reliance on the human element.


Remember

• Napoleon didn’t want good generals, he wanted lucky generals