internet security experiences · internet security experiences 1985-2000 and beyond karst koymans...
TRANSCRIPT
![Page 1: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/1.jpg)
.
......
Internet security experiences1985-2000 and beyond
Karst Koymans
Informatics InstituteUniversity of Amsterdam
(version 16.1, 2016/09/05 09:26:35)
Friday, September 9, 2016
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 1 / 52
![Page 2: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/2.jpg)
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 2 / 52
![Page 3: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/3.jpg)
Context and background
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 3 / 52
![Page 4: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/4.jpg)
Context and background
Origins
A personal view on security
Originally presented atSAFE-NLJune 14, 2002
But much of it still applies
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 4 / 52
![Page 5: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/5.jpg)
Context and background
Contents
Some stories. . .
Some thoughts. . .
Some ideas. . .
Some warnings. . .
. . . out of my personal experience
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 5 / 52
![Page 6: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/6.jpg)
General principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 6 / 52
![Page 7: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/7.jpg)
General principles
Security is more than keeping (cr|h)ackers out
Malicious (internal) actions
Unintentional errors
Pure stupidity
NuisancesSPAM, UCE
. . . and much more
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 7 / 52
![Page 8: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/8.jpg)
General principles
Security is strongly related to
Structure
Privacy
Identity
Robustness
Information
Trust
Usability
Anonymity
Laziness
Safety
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 8 / 52
![Page 9: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/9.jpg)
General principles
Important frameworks
AAAWho? (Authentication, Identification)What? (Authorization)When? (Auditing, Accounting)
PKIPublic Key InfrastructureEncryption and privacyHoly grail, difficult to realise
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 9 / 52
![Page 10: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/10.jpg)
Some real life examples
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 10 / 52
![Page 11: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/11.jpg)
Some real life examples
Early days example (1985)
Netbooting on a class B broadcast network
Client machine named “pluto” asks for bootparameters
Talking to server machine named “plato”
Answer came from “outer space” without sensible content
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 11 / 52
![Page 12: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/12.jpg)
Some real life examples
Users of all times (1985-today)
Passwords should satisfyIs at least six characters longContains non-alphanumeric character(s)Is not simple to guess
Choice made by user“John” (in fact it was “Joop”)
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 12 / 52
![Page 13: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/13.jpg)
Some real life examples
Conclusions about users
An easy, but probably wrong, conclusionUsers are stupid
A probably better conclusionUsers have other priorities
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 13 / 52
![Page 14: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/14.jpg)
Some real life examples
Admins of all times (1988-today)
nVIR: early Macintosh virus
Admin comes to check for viruses. . .
Admin collects viruses for a hobby. . .
Before visit. . .
virus-free
After visit. . .
chaos
Source: http://xkcd.com/694/
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 14 / 52
![Page 15: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/15.jpg)
Some real life examples
Xkcd illustration. . .
Source: http://xkcd.com/350/
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 15 / 52
![Page 16: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/16.jpg)
Some real life examples
Conclusions about admins
An easy, but probably wrong, conclusionAdmins are stupid
A probably better conclusionAdmins also make mistakes
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 16 / 52
![Page 17: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/17.jpg)
Some real life examples
Physical security (1992)
Separate servers from clients
Thieves can be very brutal
The case of the PC user. . .. . . behind a Sun workstation
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 17 / 52
![Page 18: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/18.jpg)
Principles
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 18 / 52
![Page 19: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/19.jpg)
Principles
Postel’s Law
.Definition (Postel’s Law or Robustness Principle)........Be liberal in what you accept, and conservative in what you send.
The exact wording is from RFC 1122 (October 1989)
It is already mentioned in other words in IEN1 111 (August 1979)
Can you see the problems with this principle?
1Internet Experiment NoteKarst Koymans (UvA) Internet security experiences Friday, September 9, 2016 19 / 52
![Page 20: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/20.jpg)
Principles
Correctness principle
.Definition (Correctness principle or Strictness principle)........Be strict in what you accept, and strict in what you send.
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 20 / 52
![Page 21: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/21.jpg)
Principles
The problem with software
Software is made by trial and error
C supports buffer overflows
Viruses, Worms, Trojan Horses
Community reactionsCERT/CC advisories (1988)BugTraq (1993)
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 21 / 52
![Page 22: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/22.jpg)
Insanity. . .
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 22 / 52
![Page 23: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/23.jpg)
Insanity. . .
CERT/CC insanity (1)
CA-1988-01ftpd Vulnerability
also about sendmail and the Morris wormand about passwordless alternative root accounts (uid == 0)and also about bad password choices
. . . (alarming but “innocent”)
CA-1995-01IP spoofing Attacks2 and Hijacked Terminal Connections
2BCP 38 is dated May 2000Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 23 / 52
![Page 24: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/24.jpg)
Insanity. . .
CERT/CC insanity (2)
CA-1995-04NCSA HTTP Daemon for UNIX Vulnerability
Buffer overflow
CA-1995-18Widespread Attacks on Internet sites
NFS, NIS, RPC, Trojans, IP spoofing, . . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 24 / 52
![Page 25: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/25.jpg)
Insanity. . .
CERT/CC insanity (3)
CA-1996-07Weaknesses in Java Bytecode Verifier
CA-1996-11Interpreters in CGI bin Directories
CA-1996-26Denial-of-Service Attack via ping (of death)
Oversized ICMP echo request packetNo length check before reassembly of fragmented packets
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 25 / 52
![Page 26: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/26.jpg)
Insanity. . .
CERT/CC insanity (4)
CA-1997-08Vulnerabilities in INND
Incomplete user input checking
CA-1997-09Vulnerabilities in IMAP and POP
Buffer overflow
CA-1997-20Javascript Vulnerability
Observing the URLs of visited documentsObserving data filled into HTML forms (including passwords)Observing the values of cookies
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 26 / 52
![Page 27: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/27.jpg)
Insanity. . .
CERT/CC insanity (5)
CA-1997-28IP Denial-of-Service Attacks
Teardrop (overlapping IP fragments)Land (spoofed source == destination)
CA-1998-01Smurf IP Denial-of-Service Attacks
Using spoofed ICMP echo requests
CA-1998-08Buffer overflows in some POP servers
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 27 / 52
![Page 28: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/28.jpg)
Insanity. . .
CERT/CC insanity (6)
CA-etc-etcBuffer overflows, Format string vulnerabilitiesTrojans, Misconfigurations, . . .
I just gave up. . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 28 / 52
![Page 29: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/29.jpg)
Insanity. . .
A partial solution
Minimalisation of accessStart with the empty set of servicesOnly add the services you really needNo blacklists, only whitelists
Protect your coreMain serversNetwork equipment
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 29 / 52
![Page 30: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/30.jpg)
Insanity. . .
But the world keeps spinning. . .
CA-1999-02Trojan Horses
CA-1999-04Melissa Macro Virus
CA-1999-07IIS Buffer Overflow
CA-2000-04Love Letter Worm
CA-2002-16Multiple Vulnerabilities in Yahoo! Messenger
CA-. . . -. . .. . . . . . . . . . . . . . . . . . . . . . . .Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 30 / 52
![Page 31: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/31.jpg)
The SNE era
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 31 / 52
![Page 32: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/32.jpg)
The SNE era
The SNE era — an arbitrary example from 2003
CA-2003-26Multiple Vulnerabilities in SSL/TLS Implementations
OpenSSL ASN.1 parser insecure memory deallocationOpenSSL contains integer overflow handling ASN.1 tagsOpenSSL accepts unsolicited client certificate messages
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 32 / 52
![Page 33: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/33.jpg)
The SNE era
The SNE era — an arbitrary example from 2004
CERT advisories become part of Technical Cyber Security Alertshttps://www.us-cert.gov/ncas/alerts/
Technical Cyber Security Alert TA04-293AMicrosoft Internet Explorer contains a buffer overflow in CSS parsingMicrosoft Internet Explorer Install Enginecontains a buffer overflow vulnerability
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 33 / 52
![Page 34: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/34.jpg)
The SNE era
The SNE era — an arbitrary example from 2005
Technical Cyber Security Alert TA05-292AOracle Products Contain Multiple Vulnerabilities
Various Oracle products and components are affectedby multiple vulnerabilitiesThe impacts of these vulnerabilities include unauthenticated,remote code execution, information disclosure, and denial of service
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 34 / 52
![Page 35: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/35.jpg)
The SNE era
The SNE era — an arbitrary example from 2006
Technical Cyber Security Alert TA06-256AApple QuickTime Vulnerabilities
Apple QuickTime movie buffer overflow vulnerabilityApple QuickTime fails to properly handle FLC moviesApple QuickTime Player H.264 Codec contains an integer overflow
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 35 / 52
![Page 36: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/36.jpg)
The SNE era
The SNE era — an arbitrary example from 2007
Technical Cyber Security Alert TA07-355AAdobe Updates for Multiple Vulnerabilities
Adobe Flash Player asfunction protocol may enable cross-site scriptingAdobe Flash Player may load arbitrary,malformed cross-domain policy filesFlash authoring tools create Flash files that containcross-site scripting vulnerabilities
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 36 / 52
![Page 37: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/37.jpg)
The SNE era
The SNE era — an arbitrary example from 2008
Technical Cyber Security Alert TA08-190BMultiple DNS implementations vulnerable to cache poisoning
Insufficient transaction ID spaceMultiple outstanding requestsFixed source port for generating queries
Also known as the (Dan) Kaminsky attack
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 37 / 52
![Page 38: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/38.jpg)
The SNE era
The SNE era — an arbitrary example from 2009
Technical Cyber Security Alert TA09-088AConficker Worm Targets Microsoft Windows Systems
Widespread infection of the Conficker/Downadup wormA remote, unauthenticated attacker could executearbitrary code on a vulnerable system.
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 38 / 52
![Page 39: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/39.jpg)
The SNE era
The SNE era — an arbitrary example from 2010
Technical Cyber Security Alert TA10-348AMicrosoft Updates for Multiple VulnerabilitiesThere are multiple vulnerabilities in
Microsoft WindowsInternet ExplorerOfficeSharepointExchange
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 39 / 52
![Page 40: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/40.jpg)
The SNE era
The SNE era — an arbitrary example from 2011
Technical Cyber Security Alert TA11-200ASecurity Recommendations to Prevent Cyber Intrusions
Almost infinite enumeration of how to eliminate bad habits
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 40 / 52
![Page 41: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/41.jpg)
The SNE era
The SNE era — an arbitrary example from 2012
Technical Cyber Security Alert TA12-024A“Anonymous” DDoS Activity
Low Orbit Ion Cannon (LOIC) DoS-attackActivism
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 41 / 52
![Page 42: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/42.jpg)
The SNE era
The SNE era — an arbitrary example from 2013
Technical Cyber Security Alert TA13-088ADNS Amplification Attacks
Open Recursive Nameserver problem
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 42 / 52
![Page 43: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/43.jpg)
The SNE era
The SNE era — an arbitrary example from 2014
Technical Cyber Security Alert TA14-098AOpenSSL ’Heartbleed’ vulnerability
Bounds/input checking problem: private memory leakageOn servers, but also on clients!
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 43 / 52
![Page 44: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/44.jpg)
The SNE era
The SNE era — an arbitrary example from 2015
Technical Cyber Security Alert TA15-120ASecuring End-to-End Communications
TLS/SSL issuesPOODLE attackAlso applicable to RC4 attack, FREAK, Logjam, . . .
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 44 / 52
![Page 45: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/45.jpg)
The SNE era
The SNE era — an arbitrary example from 2016
Ransomware and Recent Variants TA16-091ADestructiveFound in healthcare systems and hospitalsLocky
Spreads through spam and Office documents or attachments
Samas
Spreads through vulnerable web servers
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 45 / 52
![Page 46: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/46.jpg)
Conclusions
Outline
...1 Context and background
...2 General principles
...3 Some real life examples
...4 Principles
...5 Insanity. . .
...6 The SNE era
...7 Conclusions
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 46 / 52
![Page 47: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/47.jpg)
Conclusions
Some misconceptions
Open source is bad for securityNo!. . .. . . proprietary software creates much bigger problems
Security through obscurity is badYes, but not always. . .. . . “parameter obscurity” can be good
Performance is importantOnly hardly ever true. . .. . . structure, modularisation and correctness proofsare much more important
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 47 / 52
![Page 48: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/48.jpg)
Conclusions
Some advice
Avoid complicated, monolithic SWsendmail −→ postfix
Avoid legacyStart over now and then: ruu.nl −→ uu.nlIt is really time for a clean slate approach? It is!
Centralise at the right levelBut make sure that the central resources are at leastas good and knowledgeable as decentralised ones
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 48 / 52
![Page 49: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/49.jpg)
Conclusions
A new era?
Improvements?IPsec, DNSSECSSL, SSHVPNTTP/CA
But alsoNSA, SnowdenGCHQ???
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 49 / 52
![Page 50: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/50.jpg)
Conclusions
Fighting legacy example
IPv6No addressing problems
But some routing challenges
End to end computing
No NATs
Autoconfiguration
Plug and play (+/-)
Integrated IPsec
Security from the start
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 50 / 52
![Page 51: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/51.jpg)
Conclusions
But what happens?
Cisco introduces IPv6 in its routers without initial IPsec support. . .
Why?Because there is no user demand for it. . .. . . SIGH!
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 51 / 52
![Page 52: Internet security experiences · Internet security experiences 1985-2000 and beyond Karst Koymans Informatics Institute University of Amsterdam (version 16.1, 2016/09/05 09:26:35)](https://reader034.vdocuments.us/reader034/viewer/2022042406/5f20409458986113316c593a/html5/thumbnails/52.jpg)
Conclusions
Fighting legacy
Our biggest problem
No easy solutionsNot in everybody’s interestNeeds revolution, not evolutionScientific, non-commercial effort
Real clean slateBuild new system in parallelIncompatible on purpose
without planned transition mechanisms
Karst Koymans (UvA) Internet security experiences Friday, September 9, 2016 52 / 52