Keynote: CODE BLUE in the ICU! by Jeff Moss

Code Blue in the ICU! Thinking about network safety in a public health light © Jeff Moss – [email protected]

Description

Thinking about network safety in a public health light. (Explaining network safety through the analogy of public health.)

Transcript of Keynote: CODE BLUE in the ICU! by Jeff Moss

Page 1: Keynote : CODE BLUE in the ICU! by Jeff Moss

Code Blue in the ICU! Thinking about network safety in a public health light

© Jeff Moss – [email protected]

Page 11:

http://chrisharrison.net/
Pages 14-18:

1. Nation States want SECRETS
2. Organized Criminals want MONEY
3. Protesters want ATTENTION
4. Hackers & researchers want KNOWLEDGE

That's you guys!

Pages 19-20:

Hackers & Researchers point the way!

- Discover new classes of vulnerabilities
- Expose poor product security
- Spur public debate

Criminals and Governments don't do this. It's not in their interests.

Page 21:

All these groups need the net to work

Page 22:

Q: What if there is a 5th group that doesn't?

Page 23:

Denial of service is increasing

[Chart: DDoS in Gigabits per second (Gbps flow); y-axis 0 to 700; x-axis 2010, 2011, Mar-12, Oct-12, Apr-13, Feb-14, Sept-14 ?; labelled points "DNS RAMP SpamHaus" and "NTP RAMP CloudFlare"]

Pages 24-25:

When investing:

Specialize for larger risk / returns

Diversify to reduce risk / returns

Page 26:

We now have clouds of complexity

Page 27:

We have virtual clouds of complexity

Page 28:

The failure modes of complcomplex systems are impossible to predict

Page 31:

I like the Code Blue press release

"Code Blue is a hospital emergency code that indicates a patient in need of immediate medical attention, or that calls for relevant teams to respond immediately. We named the conference after the code because we hope to save the world by combining people's knowledge"

http://japandailypress.com/white-hat-hackers-to-gather-at-code-blue-cybersecurity-conference-in-tokyo-1043926/

Pages 32-33:

Public health analogy

• No one thinks they are going to cure cancer
  - No administrator thinks they can ever be perfectly secure
• Diseases are "managed", very few are ever eliminated
  - Very few classes of vulnerabilities are ever eliminated
• It is possible to be re-infected
  - A new variant of an old vulnerability can re-infect your systems

Page 34:

This is a healthy way of thinking

Page 36:

Perimeter security

Involves: Security department, IT department, Application teams

Page 38:

German artist Babis Cloud has made 'hedonIsM(y) trojaner', an installation of the ancient Greek Trojan horse from computer keyboard buttons.

Page 39:

They are already inside your perimeter

Involves: Security department, Legal department, IT department, Communications, Application teams, Risk Management, Public Relations, Finance, R&D

Page 40:

The year is 2014

• You still can't send secure email easily
• You can't have a secure mobile phone call
• Web browsing securely is essentially impossible
• Name resolution is insecure, but getting better

Why? What has failed us?

Pages 41-46:

We are running out of options

1990s
• Consumer Selection
  Consumers can't make informed security product decisions

2000s
• Insurance Pressure
  Lack of data prevents the creation of actuarial tables

2010s
• Regulations
  Governments are reluctant to regulate the fast moving internet

Page 47:

That leaves us

We must provide leadership and direction where and when we can

We need to help companies do the right thing through education and configuration

Pages 48-49:

"First, Do No Harm" - Auguste François Chomel, 1847

Primum non nocere: "Sometimes it may be better to not do something, or even better to do nothing, than to risk causing more harm than good."

To me this can be applied to information security when thought of as a public safety issue:

• Do no harm to the trust of users – be open about your policies
• Be honest about the risks of using technology
• Do not let wishful thinking influence your decisions

Page 50:

Community Immunity (Also known as Herd Immunity Theory)

"A form of immunity that occurs when the vaccination of a significant portion of a population provides a measure of protection for individuals who have not developed immunity."

Pages 51-53:

Three Modes of Immunity

Page 54:

Community Immunity only applies to diseases that are contagious

Disease     Transmission        Immunity threshold
Mumps       Airborne droplet    75 - 86%
Pertussis   Airborne droplet    92 - 94%
Rubella     Airborne droplet    80 - 85%
Smallpox    Social contact      83 - 85%

Pages 55-59:

Three Modes of Immunity

1. No one is immunized – Contagious disease spreads through the population
   Networks and systems are not maintained – Malware spreads through networks without notice and with little to stop it

2. Some of the population gets immunized – Contagious disease spreads through some of the population
   Some networks and systems are not maintained – Malware is sometimes noticed and removed, and spreads through some of the population

3. Most of the population is immunized – Spread of contagious disease is contained
   Almost all networks and systems are maintained – Malware is noticed most of the time and removed, and actions are taken to protect other systems besides your own.

Page 60:

Firewall as Vaccination?

Page 61:

Vaccinate yourself and others

Can protecting your network and systems with a firewall or router act as a "virtual vaccine"?

Can your network peers get a conferred benefit?

Pages 62-63:

Do Nothing or "Not Immunized"

Don't do anything additional on your network
Don't go out of your way to monitor your systems
Don't stay up to date on patches or application updates

PRO:
• Least expensive option, no training or changes necessary
• Requires no network or application modifications

CON:
• You are part of the problem and possibly causing harm
• There might be legal consequences

Pages 64-66:

Protect only yourself or "Partially Immunized"

Protect your systems and applications, but not those of others

Examples:
• Secure your systems by patching, updating, selecting good software
• Filter spoofed inbound traffic to your network, but not outbound
• Enable DNSSEC validation on your DNS, but do not sign your zones
• Limit spam by checking for SPF records and using DNS blackholes, but not publishing your own SPF records

PRO:
• Lower cost than being fully immunized
• You are better protecting your systems against misuse by others

CON:
• You only take actions that protect your systems – not those of others
• Higher management and configuration overhead

Pages 67-69:

Protect yourself and others or "Fully Immunized"

Same as "Partially Immunized" but you take additional actions to protect those around you.

Examples:
• Prevent source address spoofing from leaving your network
• DNSSEC sign your zone files so others can rely on the data
• Disable recursion on your name servers to limit AMP attacks
• Publish an SPF record to reduce spam by telling other networks about your mail server

PRO:
• You are "conferring an immunity" to some degree to others
• Most beneficial to all users of the internet
• Best security stance for yourself and those around you

CON:
• Most expensive to maintain due to configuration maintenance
• You need better trained staff to stay current on best practices
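The spoof-filtering contrast drawn on the "Partially Immunized" and "Fully Immunized" slides (filter spoofed inbound traffic only, versus also preventing spoofed source addresses from leaving your network), as an added worked example that is not part of the keynote or any of the speaker's material. It models a single-homed site border in Python with the standard ipaddress module. The site's prefixes, the sample packets and their annotations are constructed from RFC 5737 / RFC 3849 documentation ranges, and the function names `is_spoofed` and `filter_packets` are the example's own; the "full" mode is the BCP 38 style egress filter the slide describes.

```python
# Added example, not from the keynote: modelling the "none", "partial" and
# "full" immunization border filters from the Three Modes of Immunity slides.
# Assumptions: a single-homed site owning the constructed documentation
# prefixes below; packets are simplified to (direction, src, dst, note).
import ipaddress
from typing import NamedTuple

# Prefixes this network is allocated. Documentation ranges, constructed for
# the example; a real site would list its actual allocations.
OWN_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


class Packet(NamedTuple):
    direction: str  # "in" (arriving from the internet) or "out" (leaving)
    src: str
    dst: str
    note: str


def _in_own_space(addr, prefixes):
    """True if addr falls inside one of our own prefixes (same IP version)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in prefixes)


def is_spoofed(pkt, prefixes=OWN_PREFIXES):
    """Anti-spoofing rule for a single-homed border:
    - inbound packets must NOT claim a source inside our prefixes
      (the ingress filter that protects only ourselves);
    - outbound packets MUST carry a source inside our prefixes
      (the BCP 38 egress filter that protects everyone else)."""
    inside = _in_own_space(pkt.src, prefixes)
    if pkt.direction == "in":
        return inside
    if pkt.direction == "out":
        return not inside
    raise ValueError(f"unknown direction {pkt.direction!r}")


def filter_packets(packets, mode):
    """Return (forwarded, dropped) for one immunization mode:
    "none"    : no filtering at all          (Not Immunized)
    "partial" : drop inbound spoofs only     (Partially Immunized)
    "full"    : drop inbound + outbound spoofs (Fully Immunized)"""
    forwarded, dropped = [], []
    for pkt in packets:
        drop = False
        if mode == "partial":
            drop = pkt.direction == "in" and is_spoofed(pkt)
        elif mode == "full":
            drop = is_spoofed(pkt)
        elif mode != "none":
            raise ValueError(f"unknown mode {mode!r}")
        (dropped if drop else forwarded).append(pkt)
    return forwarded, dropped


# Constructed sample traffic (documentation addresses only).
SAMPLE = [
    Packet("in", "198.51.100.7", "203.0.113.10", "legitimate inbound"),
    Packet("in", "203.0.113.5", "203.0.113.10", "inbound claiming our own address (spoofed)"),
    Packet("out", "203.0.113.10", "198.51.100.7", "legitimate outbound"),
    Packet("out", "198.51.100.99", "192.0.2.53",
           "outbound DNS query forged with a victim's source (amplification attack)"),
    Packet("out", "2001:db8:1::10", "2001:db8:2::1", "legitimate outbound v6"),
    Packet("out", "2001:db8:9::1", "2001:db8:2::1", "outbound spoofed v6"),
]

if __name__ == "__main__":
    for mode in ("none", "partial", "full"):
        fwd, drop = filter_packets(SAMPLE, mode)
        print(f"{mode:8s} forwarded={len(fwd)} dropped={len(drop)}")
        for p in drop:
            print(f"         dropped {p.direction:3s} {p.src} -> {p.dst}: {p.note}")
```

Running it shows the difference the slides describe: the inbound packet pretending to be one of our own hosts is dropped in both "partial" and "full" mode, but the outbound packets forged with someone else's address, the kind that feeds a DNS or NTP amplification attack against that someone else, are only stopped in "full" mode. That outbound rule costs us nothing in protection for our own hosts; its whole benefit is conferred on other networks, which is what the slides mean by immunizing others.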

Page 70:

DNSSEC is available to the majority of internet users

https://www.dnssec-deployment.org/

Page 71:

What if you don't own or operate a network?

Pages 72-75:

Donate resources

http://folding.stanford.edu/

Page 76:

Different communities

Companies, Governments, Individuals

Page 78:

Think of the Future

Next Generation technologies are starting to be deployed

Can we use them to help protect ourselves and others?

DNSSEC = You can trust the answers from DNS
DANE = Risk of rogue SSL CAs virtually eliminated
IPv6 = IPSEC support, less NAT, better attribution, future growth

Page 79:

Has thinking about network health in a public safety light helped?