ALMA MATER STUDIORUM – UNIVERSITA’ DI BOLOGNA
Security
Prof. Ozalp Babaoglu
© Babaoglu 2001-2011 Sicurezza 2
Objectives
■ Present theories, methods, techniques and tools for making a computer system more secure
■ Acquire the technical knowledge needed to make informed decisions
■ Acquire the intuition needed to use relevant concepts and evaluate relevant technologies
■ Acquire technological skepticism
Administrative Information
■ Attendance:
● Strongly recommended
■ Grading:
● Final exam (30% of the grade)
● Laboratory/Exercises (50% of the grade)
● Quizzes (two out of three) during the course (20% of the grade)
Laboratory arrangements and activities will be defined on the web pages
Administrative Information
■ Course home page
● http://www.cs.unibo.it/babaoglu/courses/security
■ Instructor's home page
● http://www.cs.unibo.it/babaoglu
■ Lectures: Tuesday, Wednesday, Thursday 11.30-13.30 (Ercolani E2)
■ Office hours: Tuesday 13.30-15.30 (Mura Anteo Zamboni 7)
■ Tutor: Andrea Nuzzolese
● [email protected]
Textbook
■ Introduction to Computer Security, Matt Bishop, Addison-Wesley, 2005
Security Incidents Reported to CERT
[Figure: charts of security incidents reported to CERT by year; the axis labels show the years 1988-1990 and 2001-2003]
Some Numbers
■ Economic impact of viruses, worms and Trojan horses $17.1 billion in 2000 ($8.75 billion due to the “I Love You” virus alone)
■ In 2009, the cost of a data breach for companies has risen to $202 per lost record, up from $197 in 2007. For the 47 companies audited, those costs added up to $6.6 million per incident (Forbes.com, 2 February 2009)
■ In a 2009 study, 92% of 700 billion email messages examined were spam, 0.07% were infected
■ 4,501 documented software vulnerabilities were discovered in 2009, many of them in web-based programs
Internet Domain Survey Host Count
[Figure: Internet host count over time, from 8/1981 to 7/2011; vertical axis from 0M to 850M hosts]
Source: Internet Systems Consortium (www.isc.org/solutions/survey)
(Lack Of) Security in the Media
■ “Computer Intruder Is Put on Probation And Fined $10,000”, NYT May 5, 1990
● On November 2, 1988, Robert Morris had released the first computer worm on the Internet infecting 6,000 Unix machines causing $10M-100M of damage
■ “Computer Hacker Invades Web Site of the Justice Department”, NYT, 18 August 1996
■ “Hacker Group Commandeers The New York Times Web Site”, NYT, 14 September 1998
■ “Yahoo Blames a Hacker Attack for a Lengthy Service Failure”, NYT, 8 February 2000
■ “Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal”, NYT, 17 January 2002
(Lack Of) Security in the Media
■ And countless other incidents that are not publicized for fear of embarrassment
■ Yet when a public incident occurs, security experts and antivirus software vendors tend to exaggerate its costs
■ In 2002, US companies spent more than $4.3 billion on antivirus software products alone
Changing Face of Attackers
■ Shift from large, multipurpose attacks on the network perimeter towards smaller, more targeted attacks to desktop computers
■ Shift from malicious “hacking” to criminal attacks with economic or political motives
● Identity theft
● Phishing
● Denial-of-service
● Cyberextortion
● Cyberwarfare
● Hactivism
Identity Theft
■ In August 2004, an intrusion had compromised 1.4 million records of personal information at UC Berkeley
■ In April 2005, an intrusion into the Seisint database of LexisNexis compromised personal information of about 310,000 persons
■ In August 2007, identity thieves who compromised Monster.com's database also made off with the personal information of 146,000 people who use USAJobs
Identity Theft
The laptop contained personal information of some 98,369 individuals
Phishing
http://dmc.ajou.ac.kr/~qpid/zboard/fineco.it.html
Phishing
■ During the first half of 2005 the volume of phishing e-mails grew from an average of about 3 million a day to about 5.7 million
■ One out of every 125 email messages is a phishing attempt
■ 1% of US households were victims of successful phishing attacks in 2004
Cyberextortion
■ During the first half of 2005 Denial-of-Service (DoS) attacks increased from an average of 119 a day to 927
■ 17% of US businesses surveyed report having received shut-down threats by DoS attacks
■ One company refusing to pay extortion spends $100,000 annually to defend against DoS attacks
“Botnets” and “Zombies”
■ SecurityFocus, 23 January 2006
● In October 2005, Dutch authorities arrested three men in the Netherlands who allegedly controlled a network of more than 1.5 million compromised computers
■ International Herald Tribune, 10 November 2007
● A computer security consultant accused of installing malicious software to create an army of up to 250,000 “zombie” computers so he could steal identities and access bank accounts will plead guilty to four federal charges
Underground Economy
■ Symantec Report on the Underground Economy, July 2007 - June 2008
Update
■ New York Times, 25 September 2006
● ChoicePoint, CardSystems Solutions, Time Warner and dozens of universities have collectively revealed 93,754,333 private records
■ USA Today, 23 January 2009
● Heartland Payment Systems disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants
■ Wired.com, 26 April 2011
● Sony said it believes hackers have access to over 70 million PlayStation Network customers’ vital information including names, birth dates, physical and email addresses, passwords and logins
Update
■ Increasing use of social networks to send spam, distribute malicious code, run identity fraud
● New York Times, 2 May 2010. “log-in data for 1.5 million Facebook accounts for sale on several online criminal marketplaces”
● PCWorld, 7 August 2009. “The distributed denial of service attack that targeted Twitter, Facebook, LiveJournal, and several Google sites may have been politically motivated”
■ 18 July 2011
● The Defense Department has revealed that 24,000 files containing Pentagon data were stolen by a foreign government from a defense industry computer network in a single intrusion
Cyberwarfare
■ In 2009, US Defense Secretary Robert Gates declared cyberspace to be the “fifth domain” of military operations, alongside land, sea, air and space
■ USCybercom went fully operational in October 2010 headed by General Keith Alexander
■ General Alexander: “Pentagon’s computer systems are probed 250,000 times an hour, up to six million times per day”, and that among those attempting to break in were “more than 140 foreign spy organizations trying to infiltrate US networks”
Cyberwarfare
■ New York Times, 25 September 2010
● “Iran Fights Malware Attacking Computers” The Iranian government agency that runs the country’s nuclear facilities, including those the West suspects are part of a weapons program, has reported that its engineers are trying to protect their facilities from a sophisticated computer worm that has infected industrial plants across Iran
● Stuxnet is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites
Hactivism
■ 2011 has seen a huge rise in cyber activity that has come to be known as “hactivism” — political, social activism through hacking
■ Groups like LulzSec and Anonymous have targeted governments and corporations through highly publicized attacks directed at
● United States Senate
● CIA
● Citibank
● MasterCard
● PayPal
● Sony Corporation
Hactivism
Security in Context
■ Security has to be custom tailored to individual needs, much like a suit or a dental prosthesis
■ There is no “one-size-fits-all” solution
■ Security is a complex and extensive area that permeates all levels of computing systems including their physical environment
■ Hardware-OS-Application-Network-Operator
■ And like security in any other context, computer security is as strong as its weakest link
Security in Context
■ We will study the technical issues related to security in a non-technical context
● “If you work with computer and network security long enough, you realize that the biggest problem is people: the people who design the software, the people who deploy it, the people who use the systems, the people who abuse the systems, and sometimes the people who guard the systems. There are certainly many technological challenges to be met, but the biggest problems still come back to people.” Gene Spafford
Network Information Systems
We will cast our study of security in the context of Network Information Systems
■ Networked Information Systems (NIS) integrate
● computers,
● communications, and
● people (as users and as operators)
Network Information Systems
These systems are increasingly pervasive in everyday life
■ Mobile and land-line telephone systems
■ Electrical power grid
■ Internet
■ Banking and finance
■ E-Business
■ Ballistic missile defense
Yet they are not trustworthy
Network Information Systems: Software Characteristics
■ Substantial legacy content
● Documentation missing or incomplete
● Difficult to modify or port
■ Grows by accretion and agglomeration
● No master plan or architect
● Nobody understands how/why the system works
■ Uses commercial off the shelf (COTS) components and COTS middleware
Trustworthiness
■ NIS is trustworthy when it works correctly despite
● Malicious/hostile attacks
● Design and implementation errors (bugs)
● Human user and operator errors
● Environmental disruptions
(in increasing order of frequency)
■ Holistic and multidimensional problem
● Property of system, not just components
● Involves many interacting sub-properties
Trustworthiness
■ Trustworthiness is an example of a nonfunctional requirement
■ Functional requirements specify what a system is supposed to do: inputs produce correct outputs
■ Nonfunctional requirements define how a system is supposed to be. Often called qualities of a system
● Scalability
● Performance
● Efficiency
● Operability
● Interoperability
● Testability
Trustworthiness
■ By their nature, attacks/errors/bugs are unpredictable and cannot be formalized; to do so would rule out possible scenarios, and thus would be incorrect
■ Trustworthiness cannot be added to an existing system as an afterthought
Real World Security
■ Security in the real world is based on
● Value
● Locks
● Punishment
■ Bad guys who break in are caught and punished often enough to make crime unattractive
■ Ability to punish implies existence of a “police” force and a judiciary
■ Locks must add minimum interference to life
Real World Security
■ All locks are not the same
● Different keys
● Different strengths
● Environment dependent
■ Individual security needs based on perception
■ Pay for what you believe you need
■ Locks do not provide absolute security but prevent casual intrusion by raising the threshold for a break-in
Real World Security
■ Perfect defense against theft: put all of your personal belongings in a safe deposit box
■ Problem: expensive and inconvenient
■ Practical security balances cost of protection and risk of loss (cost of recovery times probability of loss)
■ If cost of protection is higher than the risk of loss, it is better to accept it as “cost of doing business” (Auto insurance, Banks, credit card companies do this all the time)
NIS Security
■ With computers, security is mainly about software, which is cheap to manufacture, never wears out, cannot be attacked with drills or explosives
■ Computer security ≡ Cryptography
■ Since cryptography can be nearly perfect, so can computer security
■ This reasoning is flawed for several reasons
Why Trustworthy NIS do not Exist?
■ Most security problems due to buggy code
● Cryptography won’t help this at all
● Reported bugs are in cryptographic modules
■ Security is complex and difficult to get right and set up correctly
■ Security is a pain and gets in the way of doing things
■ Since the danger is small, people prefer to buy features over security
■ Software and system market dominated by commercial off-the-shelf (COTS) components
● Leverage huge economies of scale, interoperability, reduced time-to-market but inherit lack of trustworthiness
Why Trustworthy NIS do not Exist?
■ Patent restrictions
■ Government regulations (restrictions on export of cryptography technologies)
■ Reliance on existing communication infrastructures (Internet)
■ Everything is interconnected
● Telephone and power companies use Internet technology
● Their operational systems are linked to their corporate systems, which are linked to the Internet
● And the Internet requires power, and is largely built on top of Telephone circuits
Overview of NIS Security
Like any system, we can study security with respect to
■ Specification: What is it supposed to do?
■ Implementation: How does it do it?
■ Correctness: Does it really work?
In security, these are called
■ Policy (Specification)
■ Mechanism (Implementation)
■ Assurance (Correctness)
Definitions
■ Vulnerability: A weakness that can be exploited to cause damage
■ Attack: A method of exploiting a vulnerability
■ Threat: A motivated, capable adversary that mounts an attack
Strategies:
■ Identify and fix each vulnerability (bug)
■ Identify threats and eliminate those vulnerabilities that those threats exploit
Shrinking Vulnerability-to-Attack Time
Source: Network Computing (www.nwc.com), April 2004
Shrinking Vulnerability-to-Attack Time
■ In 2005, the mean time between the disclosure of a vulnerability and the release of associated exploit code is 6.0 days
■ In 2005, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor — vulnerability window
■ Zero-day attack: an attack that occurs during the vulnerability window
Knowledge vs Damage
Severity of a threat is related to the resources available for the attack
■ Knowledge is a resource
■ Money can buy anything, including knowledge
■ Easy access to “packaged” knowledge (e.g., SATAN for Unix systems) results in a discontinuity between the technical expertise of a particular threat and the severity of the damage
Knowledge vs Damage
[Figure: Amount of Damage versus Level of Knowledge, comparing Today with the 1980’s]
Google Hacking
■ International Herald Tribune, 28 September 2006. “Hacking made easy: 'Secret' data just a Google search away”:
● One widespread vulnerability can be exploited through a practice that has come to be known as Google hacking. These hacks require no special tools and little skill. All that is needed is a Web-connected PC and a few keywords to look for, like "filetype:sqlpassword" or "index.of.password."
Security Policies
NIS security needs typically worry about
■ Secrecy (confidentiality): controlling who gets to read information
■ Integrity: controlling how information changes or resources are used
■ Availability: providing prompt access to information and resources
■ Accountability: knowing who has had access to information or resources
Security Policies
What do locks, keys, values and the police have to do with computer security?
■ Locks: authorization, access control mechanisms
■ Keys: authentication required to open a lock. Can be something the user knows, has or is
■ Police: same as the real world. Since attacks can be launched remotely, equivalents of video cameras are needed for convicting offenders
Gold Standard of Security
Any system claiming to be secure must contain mechanisms for
■ Authentication
■ Authorization
■ Auditing
Assurance vs Functionality
■ Assurance is the ability to convince ourselves that a system is trustworthy
■ Increased functionality implies increased complexity and complexity is the worst enemy of security
[Figure: Assurance versus Functionality]
Assurance vs Functionality
Two general principles to promote higher assurance
■ Economy of Mechanism: small and simple mechanisms whenever possible
■ Open Design: security of a mechanism should not depend on attacker’s ignorance of how the mechanism works or is built
● No “security through obscurity”
● Makes security harder but is necessary for increased assurance