CSCI 1800 Cybersecurity and International Relations
Attribution and Privacy
John E. Savage
Brown University
Outline
• Review of types of cyberattacks
• Attribution problem
• Methods to avoid attribution
• Detecting attribution
• Alternatives to attribution
• Intro to deterrence on the Internet
• The impersonation problem
• Based on
  – Untangling Attribution, Clark and Landau, Procs. Workshop on Deterring Cyberattacks, National Research Council, 2010.
  – A Survey of Challenges in Attribution, Boebert, Procs. Workshop on Deterring Cyberattacks, National Research Council, 2010.
Lect 08 2/21/2018 © JE Savage 2
Types of Internet-Based Attacks
• Distributed denial of service (DDoS) – botnet based
  – Goal: Overwhelm machines/networks with data.
• Penetration attacks – use malicious functionality
  – Goal: Control the machine that is attacked.
• Exploitation attacks – a penetration attack
  – Goal: Penetrate to extract valuable information.
• Destructive attacks – a penetration attack
  – Goal: Destroy/disrupt a valuable system component or attached resource, either temporarily or permanently.
The Attribution Problem
“On the Internet, nobody knows that you’re a dog.”
The Attribution Problem
• Attribution is important in deterring attacks.
  – If attribution of the attacker were known to be easy, attackers may be deterred by the threat of retribution.
• Attribution is known to be hard. Why is it?
  – Technical attribution
    • Who owns the attacking machine?
    • Where is the machine located?
    • Is the attacker using a proxy?
  – Human attribution
    • Who actually launched the attack?
Coping with Attacks
• Distributed Denial of Service (DDoS) attacks
  – Difficult to stop. Attribution is not very helpful given that the attack must be stopped ASAP.
  – Retribution after the fact is not a good deterrent. The attacker is hard to find.
• Attacks on critical infrastructures require significant reconnaissance effort.
  – A diligent defender might catch the attacker in the act and, possibly, stop the attack.
Barriers to Technical Attribution
• Botnets – thousands to millions of nodes.
  – Used for DDoS, spam, phishing, password attacks
• Proxy
  – Host provides services, e.g. filtering, authentication, etc.
• Anonymous proxy
  – Hides source, e.g. Network Address Translators (NATs)
• Fast Flux – quick change in IP addresses
• Anonymous routing – The Onion Router (Tor*) & Freegate**
  – Defend against network surveillance.
• Covert communications
  – E.g. Steganography: message hidden inside another message
* For Tor see https://www.torproject.org/
** For Freegate see https://en.wikipedia.org/wiki/Freegate
The Onion Router (TOR)
• Goal is to hide Internet communications.
• Alice picks 3 proxy nodes. Messages & destinations are encrypted. Eve cannot determine the proxies used.
• PKI used. Public/secret keys Pi and Si used by Mi.
• Tor developed by US Naval Research Labs for USG.
Onion Routing
• Alice’s message goes from P1, to P2, to P3, to D.
• Message and destinations encrypted inside out.
[Figure: layered encryption of message M for destination D]
  M3 = Encrypt with key of P3 (Message M, Dest. D)
  M2 = Encrypt with key of P2 (Dest. P3, M3)
  M1 = Encrypt with key of P1 (Dest. P2, M2)
Onion Routing
• Alice sends message M1 to proxy P1.
• Proxy P1 decrypts M1, sends the result to P2, who decrypts M2 and sends it to P3.
• Finally, P3 decrypts M3 (to reveal M and D) and sends the result to D.
• Generalizes to more than three proxies.
[Figure: same layering as above, M1 containing M2 containing M3, peeled one layer per proxy]
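The layered construction on the two Onion Routing slides, as an added example that is not part of the lecture: Alice wraps the message inside out, each proxy strips one layer and learns only the next hop, and the final proxy recovers M and D. The per-proxy secret keys and the HMAC-based stream cipher are constructed stand-ins for the slide's public/secret key pairs Pi, Si (not Tor's real protocol), and the code generalizes to more than three proxies as the slide notes.

```python
import hashlib
import hmac
import os
# Constructed stand-in for the lecture's PKI: each proxy Pi holds a random
# 32-byte secret instead of a public/secret key pair. Not the Tor protocol.
HOP_LEN = 8  # fixed-width next-hop field, so layer size does not reveal depth

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream-cipher keystream."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Enc_Pi stand-in: fresh nonce || plaintext XOR keystream (unauthenticated)."""
    nonce = os.urandom(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of encrypt: the nonce is the first 16 bytes."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def build_onion(message: bytes, dest: str, route: list) -> bytes:
    """Alice builds M1 inside out: M_n = Enc_Pn(D || M), M_i = Enc_Pi(P_{i+1} || M_{i+1})."""
    onion = encrypt(route[-1][1], dest.encode().ljust(HOP_LEN) + message)
    for (_, key), (next_hop, _) in zip(reversed(route[:-1]), reversed(route[1:])):
        onion = encrypt(key, next_hop.encode().ljust(HOP_LEN) + onion)
    return onion

def peel(key: bytes, onion: bytes):
    """One proxy's work: strip its layer and learn only the next hop."""
    plain = decrypt(key, onion)
    return plain[:HOP_LEN].decode().strip(), plain[HOP_LEN:]

def route_onion(onion: bytes, route: list):
    """Simulate P1..Pn each peeling a layer; return the hop trace and what D gets."""
    trace = []
    for name, key in route:
        next_hop, onion = peel(key, onion)
        trace.append((name, next_hop))
    return trace, onion

ROUTE = [(name, os.urandom(32)) for name in ("P1", "P2", "P3")]  # constructed sample
M1 = build_onion(b"meet at noon", "D", ROUTE)
TRACE, DELIVERED = route_onion(M1, ROUTE)   # TRACE ends with ("P3", "D")
```

Each layer adds a nonce and a next-hop field, so a proxy that only holds its own key cannot read past its layer, which is what hides the full route from any single proxy.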
Identity on the Internet
• Secure real identities and pseudonyms are possible and needed on the Internet.
• Identity can be assured via public-key encryption
  – Messages can be encrypted with one key, decrypted with the other
  – Only the user can decrypt with the private key, which assures identity
• Identity defined by social media accounts is not secure
• Secure pseudonyms acquired via trusted third parties.
  – Person needing a pseudonym acquires one from a third party.
  – If pseudonym providers are federated, the trust boundary extends to all who acquire identities from the federation.
Identity Theft
• US Bureau of Justice Statistics says 15.4 million Americans had identities stolen in 2016.
• Many techniques are used to steal identities.
• 2017 worst year ever for cyber incidents*
• In 2017 Equifax lost personal records, including SSNs, drivers licenses, addresses, etc., on 145.5 million Americans, that is, most adults.
* See https://www.iii.org/fact-statistic/facts-statistics-identity-theft-and-cybercrime
Starting Points for Technical Attribution
• Indicators of compromise (IOCs)
  – Anomalous behavior, unusual activity records
  – Known IP addresses, malware
  – Hash of large pieces of data
• Tools
  – Attackers don’t change their tools very often
• Behavior
  – Humans are creatures of habit, same working hours
• Language
  – Comments in software reflect national language
Detecting Attribution
• Source IP addresses help police identify the attacker
  – Identifies jurisdiction, can lead to a search warrant.
• IP addresses can be used for geo-location*
  – Can locate an IP address to within a postal code
• Multistage attacks – many hop points between attacker & victim. Hard to peel back but doable.
• Onion routers can obscure hopping, as we saw
  – But traffic analysis may reveal routes
* See http://www.maxmind.com/
The Willie Sutton Principle
• Willie Sutton was a notorious bank robber
  – When asked why he robbed banks, he is (falsely) reported to have said “That’s where the money is!”
• Sutton’s Rule is taught in medical schools
  – Treat the obvious illness first!
• To find cybercriminals, follow the money!
  – Clients of criminal services must pay for them!
  – E.g., fake drug firms must process credit cards
Attribution Is Also a Political Problem
• In 2004 an ITU official proposed that
  – IPv6 address blocks be allocated by states
  – It would “harden” the linkage between IP addresses and other information.
• What are the advantages and disadvantages?
  – It would be easier for states to identify and punish citizens for activity that they declare illegal.
  – It would clearly identify states with malicious activity and provide other states with a lever to request action.
• What other implications might follow?
Nature of the Attribution Problem
• Clark and Landau:
  – It is primarily a policy problem, not a technical one.
  – Attribution of forensic quality in the US is not possible.
  – Application-level attribution via cryptographic means may be possible – break the cypher
  – Fine-grained attribution can be a threat to privacy
  – Multi-stage (multi-hop) attacks are the hardest to solve
  – Deterrence is best achieved through diplomatic action, such as norms and treaties.
Deterrence Alternatives
• Hack-back* – attack the attacker (via his toolkit?)
  – Appears to be illegal under US law.
• Mount a covert preemptive attack against sites suspected to be planning an attack.
• To identify humans, it may be useful to record and replay intruder actions to identify him/her via keystroke analysis, venue, time of day, observance of holidays, language, etc.
* See http://www.theregister.co.uk/2010/06/17/exploiting_online_attackers/
Deterrence in General
• Individuals are deterred from aggressive action by
  – Likelihood and severity of retribution
  – Frustration
• But actions have unintended consequences
  – “blow-back” on friends and self
• Cyberattacks generally do not have a kinetic effect
  – An obstacle to attack is lack of certainty of effect
• Note: Response to an attack need not be immediate
• US Government has used sanctions effectively against an important Russian oligarch, Chinese military
The Impersonation Problem
• NYT has reported that “followers” are being sold on Twitter, Facebook and LinkedIn*
  – Devumi (US based) sells them to those seeking fame!
  – Creating follower accounts is profitable!
• A follower is an impersonation, a nearly identical replica of a real person
  – Millions of impersonations are circulating on the web
  – They are used to amplify real & fake news
* https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html
The Impersonation Problem
• Impersonations are causing grief to real people†
  – Dozens of complaints have failed to eliminate them
• A person is easily confused with an impersonation
  – Reputations are being damaged
• Social media companies have policies against this
  – But they don’t enforce them.
  – They do require proof of identity to shut them down
• Governments may intervene
  – Companies have become ID validators!
† https://www.nytimes.com/2018/02/20/technology/social-media-impostor-accounts.html
Clicker Questions
• Willie Sutton was a crime investigator
  A. Yes
  B. No
Review
• Review of types of cyberattacks
• Attribution problem
• Methods to avoid attribution
• Detecting attribution
• Alternatives to attribution
• Intro to deterrence on the Internet
• The impersonation problem