Internet security experiences 1985-2000 and beyond
(transcript of the slide deck history_security.pdf, courses/cia, 2014-2015)
Karst Koymans
Informatics Institute, University of Amsterdam
(version 4.5, 2014/09/04 11:11:24)
Friday, September 5, 2014
Karst Koymans (UvA) Internet security experiences Friday, September 5, 2014 1 / 50

Outline
1 Context and background
2 General principles
3 Some real life examples
4 Principles
5 Insanity...
6 The SNE era
7 Conclusions

Context and background

Origins
A personal view on security
Originally presented at SAFE-NL, June 14, 2002
But much of it still applies

Contents
Some stories...
Some thoughts...
Some ideas...
Some warnings...
... out of my personal experience

General principles

Security is more than keeping (cr|h)ackers out
Malicious (internal) actions
Unintentional errors
Pure stupidity
Nuisances: SPAM, UCE (unsolicited commercial e-mail)
... and much more

Security is strongly related to
Structure
Privacy
Identity
Robustness
Information
Trust
Usability
Anonymity
Laziness
Safety

Important frameworks
AAA
  Who? (Authentication, Identification)
  What? (Authorization)
  When? (Auditing, Accounting)
PKI
  Public Key Infrastructure
  Encryption and privacy
  Holy grail, difficult to realise

Some real life examples

Early days example (1985)
Netbooting on a class B broadcast network
Client machine named “pluto” asks for boot parameters
Talking to server machine named “plato”
Answer came from “outer space” without sensible content

Users of all times (1985-today)
Passwords should satisfy:
  Is at least six characters long
  Contains non-alphanumeric character(s)
  Is not simple to guess
Choice made by user: “John” (in fact it was “Joop”)
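The three rules on this slide worked into a checker, as an added example that is not part of the original slides. The first two rules are mechanical; the third ("is not simple to guess") only means something if the checker compares against what an attacker tries first, so the example also rejects the account name and a tiny constructed list of common choices. The user name `joop`, the function `check_password` and the five-entry list are this example's own; a real deployment would use a proper wordlist.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): the slide's three password rules,
 * with "not simple to guess" made concrete as "not the account name and
 * not a common choice, with or without decoration appended". */

#define MIN_LEN 6

/* Constructed sample, not a real wordlist. */
static const char *const common_guesses[] = {
    "password", "123456", "qwerty", "welcome", "letmein", NULL
};

enum pw_result {
    PW_OK = 0,
    PW_TOO_SHORT,       /* rule 1: at least six characters */
    PW_NO_SPECIAL,      /* rule 2: at least one non-alphanumeric character */
    PW_IS_NAME,         /* rule 3: the user name, possibly decorated */
    PW_COMMON           /* rule 3: a common choice, possibly decorated */
};

/* Case-insensitive "s begins with prefix"; an empty prefix never matches. */
static int starts_with_ci(const char *s, const char *prefix)
{
    if (*prefix == '\0')
        return 0;
    for (; *prefix; s++, prefix++) {
        if (*s == '\0' ||
            tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

enum pw_result check_password(const char *user, const char *pw)
{
    size_t len = strlen(pw);
    int has_special = 0;

    if (len < MIN_LEN)
        return PW_TOO_SHORT;

    for (size_t i = 0; i < len; i++) {
        if (!isalnum((unsigned char)pw[i])) {
            has_special = 1;
            break;
        }
    }
    if (!has_special)
        return PW_NO_SPECIAL;

    /* "Joop!!" satisfies both rules above and is still the first thing
     * anyone who knows the account would type. */
    if (starts_with_ci(pw, user))
        return PW_IS_NAME;
    for (int i = 0; common_guesses[i] != NULL; i++) {
        if (starts_with_ci(pw, common_guesses[i]))
            return PW_COMMON;
    }
    return PW_OK;
}

int main(void)
{
    /* Constructed attempts for a user called "joop". */
    const char *attempts[] = { "Joop", "Joop12", "Joop!!", "password1!", "correct-horse" };
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("%-14s -> %d\n", attempts[i], (int)check_password("joop", attempts[i]));
    return 0;
}
```

The point of the last two checks is that composition rules alone are satisfied by "Joop!!", which is exactly the choice a user with other priorities makes; a checker that stops at the two mechanical rules accepts it.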

Conclusions about users
An easy, but probably wrong, conclusion: Users are stupid
A probably better conclusion: Users have other priorities

Admins of all times (1988-today)
nVIR: early Macintosh virus
Admin comes to check for viruses...
Admin collects viruses for a hobby...
Before visit... virus-free
After visit... chaos
Source: http://xkcd.com/694/

Xkcd illustration...
Source: http://xkcd.com/350/

Conclusions about admins
An easy, but probably wrong, conclusion: Admins are stupid
A probably better conclusion: Admins also make mistakes

Physical security (1992)
Separate servers from clients
Thieves can be very brutal
The case of the PC user... behind a Sun workstation

Principles

Postel’s Law
Definition (Postel’s Law or Robustness Principle): Be liberal in what you accept, and conservative in what you send.
The exact wording is from RFC 1122 (October 1989)
It is already mentioned in other words in IEN 111 (Internet Experiment Note, August 1979)
Can you see the problems with this principle?

Correctness principle
Definition (Correctness principle or Strictness principle): Be strict in what you accept, and strict in what you send.
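The two definitions side by side in code, as an added example that is not from the slides: three readers for a numeric length field in a text protocol (think of an HTTP Content-Length value). `length_liberal_atoi` and `length_liberal_strtol` are both "liberal" in Postel's sense and both are ordinary C idioms; `length_strict` follows the strictness principle. The function names and the inputs in main() are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the slides: two liberal readers and one strict
 * reader for a length field. The liberal readers each accept the same
 * messages, yet disagree about what the same bytes mean; the strict reader
 * accepts canonical unsigned decimal only, so every strict peer sees the
 * same number or the same error. */

/* Liberal reader 1, atoi style: skips leading white space, accepts a sign,
 * stops silently at the first non-digit and turns garbage into 0. */
long length_liberal_atoi(const char *field)
{
    return atoi(field);
}

/* Liberal reader 2, strtol with base 0: everything atoi accepts, plus
 * "0x.." as hexadecimal and a leading "0" as octal. */
long length_liberal_strtol(const char *field)
{
    return strtol(field, NULL, 0);
}

/* Strict reader: one to nine ASCII digits, no sign, no white space, no
 * leading zero (except "0" itself), nothing trailing. Returns the value,
 * or -1 if the field is not in that form. */
long length_strict(const char *field)
{
    size_t n = strlen(field);
    long v = 0;

    if (n == 0 || n > 9)                 /* 9 digits fit in any C long */
        return -1;
    if (field[0] == '0' && n > 1)        /* "010" is ambiguous: reject */
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (field[i] < '0' || field[i] > '9')
            return -1;
        v = v * 10 + (field[i] - '0');
    }
    return v;
}

int main(void)
{
    /* Constructed fields; every one is "accepted" by both liberal readers. */
    const char *inputs[] = { "16", "010", "0x10", " +16", "16abc", "" };

    printf("%-8s %6s %6s %8s\n", "field", "atoi", "strtol", "strict");
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long strict = length_strict(inputs[i]);
        printf("%-8s %6ld %6ld ", inputs[i],
               length_liberal_atoi(inputs[i]), length_liberal_strtol(inputs[i]));
        if (strict < 0)
            printf("%8s\n", "rejected");
        else
            printf("%8ld\n", strict);
    }
    return 0;
}
```

For the field "010" the two liberal readers answer 10 and 8, for "0x10" they answer 0 and 16: two peers that both accepted the message now disagree about where it ends. That is the problem with the principle: "liberal" is not one behaviour but a different one per implementation, and the gap between any two of them is what desynchronisation and smuggling attacks steer into. The strict reader rejects all four odd forms, so there is no gap to exploit.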

The problem with software
Software is made by trial and error
C supports buffer overflows
Viruses, Worms, Trojan Horses
Community reactions:
  CERT/CC advisories (1988)
  BugTraq (1993)

Insanity...

CERT/CC insanity (1)
CA-1988-01: ftpd Vulnerability
... (alarming but “innocent”)
CA-1995-01: IP Spoofing Attacks and Hijacked Terminal Connections

CERT/CC insanity (2)
CA-1995-04: NCSA HTTP Daemon for UNIX Vulnerability
CA-1995-18: Widespread Attacks on Internet Sites

CERT/CC insanity (3)
CA-1996-07: Weaknesses in Java Bytecode Verifier
CA-1996-11: Interpreters in CGI bin Directories
CA-1996-26: Denial-of-Service Attack via ping (of death)

CERT/CC insanity (4)
CA-1997-08: Vulnerabilities in INND
CA-1997-09: Vulnerabilities in IMAP and POP
CA-1997-20: JavaScript Vulnerability

CERT/CC insanity (5)
CA-1997-28: IP Denial-of-Service Attacks
CA-1998-01: Smurf IP Denial-of-Service Attacks
CA-1998-08: Buffer Overflows in Some POP Servers

CERT/CC insanity (6)
CA-etc-etc: Buffer overflows, format string vulnerabilities, Trojans, misconfigurations, ...
I just gave up...

A partial solution
Minimalisation of access:
  Start with the empty set of services
  Only add the services you really need
  No blacklists, only whitelists
Protect your core:
  Main servers
  Network equipment

But the world keeps spinning...
CA-1999-02: Trojan Horses
CA-1999-04: Melissa Macro Virus
CA-1999-07: IIS Buffer Overflow
CA-2000-04: Love Letter Worm
CA-2002-16: Multiple Vulnerabilities in Yahoo! Messenger
CA-...-...: ...

The SNE era

The SNE era — an arbitrary example from 2003
CA-2003-26: Multiple Vulnerabilities in SSL/TLS Implementations
  OpenSSL ASN.1 parser insecure memory deallocation
  OpenSSL contains integer overflow handling ASN.1 tags
  OpenSSL accepts unsolicited client certificate messages

The SNE era — an arbitrary example from 2004
CERT advisories become part of Technical Cyber Security Alerts: https://www.us-cert.gov/ncas/alerts/
Technical Cyber Security Alert TA04-293A
  Microsoft Internet Explorer contains a buffer overflow in CSS parsing
  Microsoft Internet Explorer Install Engine contains a buffer overflow vulnerability

The SNE era — an arbitrary example from 2005
Technical Cyber Security Alert TA05-292A: Oracle Products Contain Multiple Vulnerabilities
  Various Oracle products and components are affected by multiple vulnerabilities
  The impacts of these vulnerabilities include unauthenticated remote code execution, information disclosure, and denial of service

The SNE era — an arbitrary example from 2006
Technical Cyber Security Alert TA06-256A: Apple QuickTime Vulnerabilities
  Apple QuickTime movie buffer overflow vulnerability
  Apple QuickTime fails to properly handle FLC movies
  Apple QuickTime Player H.264 Codec contains an integer overflow

The SNE era — an arbitrary example from 2007
Technical Cyber Security Alert TA07-355A: Adobe Updates for Multiple Vulnerabilities
  Adobe Flash Player asfunction protocol may enable cross-site scripting
  Adobe Flash Player may load arbitrary, malformed cross-domain policy files
  Flash authoring tools create Flash files that contain cross-site scripting vulnerabilities

The SNE era — an arbitrary example from 2008
Technical Cyber Security Alert TA08-190B: Multiple DNS Implementations Vulnerable to Cache Poisoning
  Insufficient transaction ID space
  Multiple outstanding requests
  Fixed source port for generating queries
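The three bullets above in code, as an added example that is not from the slides or the alert: the acceptance check a resolver runs on an incoming answer, and the arithmetic behind the bullets. A blind spoofer must guess every field it cannot observe; with a fixed source port that was only the 16-bit transaction ID. The structures, the function names and the sample query and replies are this example's own; real resolvers also check the answering server's IP address and the full question section, which are left out here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: resolver-side reply matching and the
 * spoofing odds for TA08-190B's three weaknesses. All values constructed. */

struct dns_query {
    uint16_t txid;
    uint16_t src_port;      /* resolver's UDP source port for this query */
    uint16_t server_port;   /* port we sent to, 53 */
    const char *qname;
};

struct dns_reply {
    uint16_t txid;
    uint16_t dst_port;      /* port the reply arrived on */
    uint16_t src_port;      /* port it claims to come from */
    const char *qname;
};

/* Every field the spoofer cannot see must match; dst_port only helps
 * when the resolver picks it at random per query. */
int reply_matches(const struct dns_query *q, const struct dns_reply *r)
{
    return r->txid == q->txid
        && r->dst_port == q->src_port
        && r->src_port == q->server_port
        && strcmp(r->qname, q->qname) == 0;
}

/* Chance that one spoofed packet is accepted when `outstanding` identical
 * queries are in flight ("multiple outstanding requests": each packet gets
 * one chance per query) and the unobservable space is id_bits + port_bits
 * wide (assumes id_bits + port_bits <= 63). */
double spoof_chance_per_packet(unsigned id_bits, unsigned port_bits, unsigned outstanding)
{
    double space = (double)(1ULL << (id_bits + port_bits));
    double p = (double)outstanding / space;
    return p > 1.0 ? 1.0 : p;
}

/* Chance that at least one of `packets` spoofed replies is accepted. */
double spoof_chance_after(unsigned id_bits, unsigned port_bits,
                          unsigned outstanding, unsigned long packets)
{
    double miss = 1.0 - spoof_chance_per_packet(id_bits, port_bits, outstanding);
    double all_miss = 1.0;
    /* (1 - p)^packets by square-and-multiply, so no libm is needed */
    for (double base = miss; packets; packets >>= 1, base *= base)
        if (packets & 1)
            all_miss *= base;
    return 1.0 - all_miss;
}

/* Constructed sample: one query from a random port, the genuine answer, and
 * a blind guess that got the ID right but aimed at port 53 (the old fixed
 * source port). */
static const struct dns_query sample_query  = { 0x1a2b, 40123, 53, "example.com" };
static const struct dns_reply genuine_reply = { 0x1a2b, 40123, 53, "example.com" };
static const struct dns_reply spoofed_reply = { 0x1a2b, 53,    53, "example.com" };

int main(void)
{
    printf("genuine accepted: %d, spoof to port 53 accepted: %d\n",
           reply_matches(&sample_query, &genuine_reply),
           reply_matches(&sample_query, &spoofed_reply));
    printf("fixed port, 1 outstanding,   50000 packets: %.3f\n",
           spoof_chance_after(16, 0, 1, 50000));
    printf("fixed port, 200 outstanding, 50000 packets: %.3f\n",
           spoof_chance_after(16, 0, 200, 50000));
    printf("random port, 200 outstanding, 50000 packets: %.6f\n",
           spoof_chance_after(16, 16, 200, 50000));
    return 0;
}
```

Letting 200 identical queries stay outstanding turns a 1-in-65536 guess into 1-in-328 per packet, which is why the 2008 attack worked against 16-bit IDs; adding up to 16 bits of source-port randomness pushes the same 50000-packet flood back to well under one percent.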

The SNE era — an arbitrary example from 2009
Technical Cyber Security Alert TA09-088A: Conficker Worm Targets Microsoft Windows Systems
  Widespread infection of the Conficker/Downadup worm
  A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system

The SNE era — an arbitrary example from 2010
Technical Cyber Security Alert TA10-348A: Microsoft Updates for Multiple Vulnerabilities
  There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Office, SharePoint, and Exchange

The SNE era — an arbitrary example from 2011
Technical Cyber Security Alert TA11-200A: Security Recommendations to Prevent Cyber Intrusions
  Almost infinite enumeration of how to eliminate bad habits

The SNE era — an arbitrary example from 2012
Technical Cyber Security Alert TA12-024A: “Anonymous” DDoS Activity
  Low Orbit Ion Cannon (LOIC) DoS attack
  Activism

The SNE era — an arbitrary example from 2013
Technical Cyber Security Alert TA13-088A: DNS Amplification Attacks
  Open recursive nameserver problem
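The open-recursion problem above and the "start with the empty set, only add what you need, no blacklists" rule of the earlier "A partial solution" slide share one fix: a default-deny client check. Here it is as an added example, not from the slides: recursion is answered only for clients inside an explicit list of prefixes, a malformed client address or a malformed list entry denies, and an entry with host bits set is rejected instead of silently widened. IPv4 only; the two list entries, the client addresses and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides: default-deny recursion check for a
 * nameserver. Allow-list entries and client addresses are constructed. */

struct prefix { uint32_t net; uint32_t mask; };

/* Strict dotted quad: four runs of 1-3 digits, each <= 255, single dots,
 * nothing else. Returns 0 on success, -1 otherwise. */
int parse_ipv4(const char *s, uint32_t *out)
{
    uint32_t v = 0;
    for (int octet = 0; octet < 4; octet++) {
        unsigned n = 0;
        int digits = 0;
        while (*s >= '0' && *s <= '9') {
            n = n * 10 + (unsigned)(*s++ - '0');
            if (++digits > 3 || n > 255)
                return -1;
        }
        if (digits == 0)
            return -1;
        v = (v << 8) | n;
        if (octet < 3 && *s++ != '.')
            return -1;
    }
    if (*s != '\0')
        return -1;
    *out = v;
    return 0;
}

/* "a.b.c.d/len", len 0..32. Host bits set ("192.0.2.1/24") are an error. */
int parse_prefix(const char *s, struct prefix *p)
{
    char addr[16];
    const char *slash = strchr(s, '/');
    if (slash == NULL || (size_t)(slash - s) >= sizeof addr)
        return -1;
    memcpy(addr, s, (size_t)(slash - s));
    addr[slash - s] = '\0';

    uint32_t net;
    if (parse_ipv4(addr, &net) != 0)
        return -1;

    unsigned len = 0;
    int digits = 0;
    for (const char *t = slash + 1; *t; t++) {
        if (*t < '0' || *t > '9' || ++digits > 2)
            return -1;
        len = len * 10 + (unsigned)(*t - '0');
    }
    if (digits == 0 || len > 32)
        return -1;

    uint32_t mask = len == 0 ? 0 : 0xFFFFFFFFu << (32 - len);  /* no shift by 32 */
    if (net & ~mask)
        return -1;
    p->net = net;
    p->mask = mask;
    return 0;
}

/* The allow-list: the empty set plus exactly the networks we serve. */
static const char *const allow_cfg[] = {
    "192.0.2.0/24",        /* campus (constructed) */
    "198.51.100.7/32",     /* one monitoring host (constructed) */
};

/* Default deny: 1 only if the client parses and lies inside some entry.
 * A bad entry denies everything: broken configuration fails closed. */
int recursion_allowed(const char *client)
{
    uint32_t ip;
    if (parse_ipv4(client, &ip) != 0)
        return 0;
    for (size_t i = 0; i < sizeof allow_cfg / sizeof allow_cfg[0]; i++) {
        struct prefix p;
        if (parse_prefix(allow_cfg[i], &p) != 0)
            return 0;
        if ((ip & p.mask) == p.net)
            return 1;
    }
    return 0;
}

/* 1 if `s` is a well-formed entry; run this over the list at start-up. */
int prefix_is_valid(const char *s)
{
    struct prefix p;
    return parse_prefix(s, &p) == 0;
}

int main(void)
{
    const char *clients[] = { "192.0.2.77", "198.51.100.7", "198.51.100.8",
                              "203.0.113.5", "192.0.2.77 ", "999.1.1.1" };
    for (size_t i = 0; i < sizeof clients / sizeof clients[0]; i++)
        printf("%-14s recursion %s\n", clients[i],
               recursion_allowed(clients[i]) ? "allowed" : "denied");
    return 0;
}
```

Everything not listed, including the whole Internet that an amplification attack spoofs from, gets the same answer as a malformed address: denied. That is the whitelist rule applied to one service.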

The SNE era — an arbitrary example from 2014
Technical Cyber Security Alert TA14-098A: OpenSSL ’Heartbleed’ Vulnerability
  Bounds/input checking problem: private memory leakage
  On servers, but also on clients!
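The bounds-checking problem in code, as an added example that is neither OpenSSL's code nor from the slides; it also stands in for the earlier "C supports buffer overflows" point of the "problem with software" slide. A toy heartbeat record in the RFC 6520 layout is placed at the start of a byte arena, with a constructed "secret" right after it playing the role of whatever else the process holds in memory. The vulnerable handler copies as many bytes as the peer claims; the fixed one checks the claim against what actually arrived. Record, secret, arena size and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code and not from the slides: a length
 * carried inside the message is trusted instead of checked against how
 * many bytes arrived. Record layout after RFC 6520:
 *   type(1) | payload_length(2, big endian) | payload | padding (>= 16)
 * Record and secret share one array so the over-read stays within
 * defined C behaviour while showing exactly what leaks. */

#define ARENA_SIZE   64
#define MIN_PADDING  16

/* 23-byte record as it really arrived: type 1, 4 payload bytes, 16 padding. */
static const unsigned char sample_record[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
static const char sample_secret[] = "PRIVATE-KEY-BYTES-FOLLOW";   /* constructed */
#define SECRET_LEN (sizeof sample_secret - 1)

/* Vulnerable: echoes as many bytes as the peer *claims*. The only bound is
 * on our own output buffer, never on the input. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                      /* the bug: never used */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > resp_cap)
        return 0;
    memcpy(resp, rec + 3, claimed);                     /* reads past the record */
    return claimed;
}

/* Fixed: header + claimed payload + minimum padding must fit in what was
 * received; otherwise discard silently, as RFC 6520 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 3)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > resp_cap || 3 + claimed + MIN_PADDING > rec_len)
        return 0;
    memcpy(resp, rec + 3, claimed);
    return claimed;
}

/* One heartbeat whose length field is rewritten to `claimed`, handled by
 * code that is told the true received length (23 bytes). Returns bytes
 * echoed; copies them to `resp` when it is not NULL. */
size_t heartbeat_echo_len(int use_fixed, uint16_t claimed, unsigned char *resp)
{
    unsigned char arena[ARENA_SIZE];
    unsigned char out[ARENA_SIZE];
    memset(arena, 0, sizeof arena);
    memcpy(arena, sample_record, sizeof sample_record);
    memcpy(arena + sizeof sample_record, sample_secret, SECRET_LEN);
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)(claimed & 0xff);
    if (claimed > ARENA_SIZE - 3)          /* keep the toy over-read inside the arena */
        return 0;
    size_t n = use_fixed
        ? heartbeat_fixed(arena, sizeof sample_record, out, sizeof out)
        : heartbeat_vulnerable(arena, sizeof sample_record, out, sizeof out);
    if (resp != NULL)
        memcpy(resp, out, n);
    return n;
}

/* 1 if the echoed bytes contain the secret. */
int heartbeat_leaks(int use_fixed, uint16_t claimed)
{
    unsigned char resp[ARENA_SIZE];
    size_t n = heartbeat_echo_len(use_fixed, claimed, resp);
    for (size_t i = 0; i + SECRET_LEN <= n; i++)
        if (memcmp(resp + i, sample_secret, SECRET_LEN) == 0)
            return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claimed 48: echoed %zu bytes, leaks secret: %d\n",
           heartbeat_echo_len(0, 48, NULL), heartbeat_leaks(0, 48));
    printf("fixed, claimed 48:      echoed %zu bytes, leaks secret: %d\n",
           heartbeat_echo_len(1, 48, NULL), heartbeat_leaks(1, 48));
    printf("fixed, honest 4:        echoed %zu bytes\n", heartbeat_echo_len(1, 4, NULL));
    return 0;
}
```

The real bug allowed a claim of up to 64 KiB per heartbeat against a record that could be a handful of bytes; the arena here is capped at 64 bytes only so the demonstration stays in defined territory. The shape of the check that was missing is the single comparison in `heartbeat_fixed`, and it applies to any client that answers heartbeats as much as to servers.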

Conclusions

Some misconceptions
Open source is bad for security: No! ... proprietary software creates much bigger problems
Security through obscurity is bad: Not always... “parameter obscurity” can be good
Performance is important: Hardly ever true... structure, modularisation and correctness proofs are much more important

Some advice
Avoid complicated, monolithic SW: Sendmail −→ postfix
Avoid legacy: Start over now and then: ruu.nl −→ uu.nl
  Is it really time for a clean slate approach? It is!
Centralise at the right level, but make sure that the central resources are at least as good and knowledgeable as decentralised ones

A new era?
Improvements? IPsec, DNSSEC, SSL, SSH, VPN, TTP/CA
But also: NSA, Snowden, GCHQ, ???

Fighting legacy
IPv6
  No addressing problems
    But some routing challenges
  End to end computing
    No NATs
  Autoconfiguration
    Plug and play (+/-)
  Integrated IPsec
    Security from the start

But what happens?
Cisco introduces IPv6 in its routers without initial IPsec support...
Why? Because there is no user demand for it... SIGH!

Legacy
Our biggest problem
No easy solutions:
  Not in everybody’s interest
  Needs revolution, not evolution
  Scientific, non-commercial effort
Real clean slate:
  Build new system in parallel
  Without transition mechanisms