|
1
|
- Ron Nelson, Productive Online
- ron.nelson@productiveonline.com
- http://productiveonline.com/
|
|
2
|
- Excellent tutorial sessions
- Very security oriented networking opportunities.
- Most research papers are academic; the invited talks covered practical…
- http://www.usenix.org/events/sec03/
- Any errors in this presentation are probably due to my weak
transcription ability. Check out the actual proceedings!
|
|
3
|
- Longitudinal study of administrator response
- In response to an announced vulnerability
- OpenSSL buffer overflows of July 2002
- Main findings
- Many people don’t deploy fixes
- Most fixing happens almost immediately
- With a second round after the worm was released
- Some weak predictors
- HSPs are more responsive
- Current software version
|
|
4
|
|
|
5
|
- Widely believed that users don’t upgrade
- Anecdotal evidence
- A lot of malware exploits “fixed” bugs
- Lots of old versions of IE floating around
- Netcraft: Many Apache users haven’t upgraded
- Little hard data
- Bellovin, Provos -- measured version number
- Moore -- measured response to Code Red
|
|
6
|
- Policy Implications
- The window of vulnerability is really long
- But the marginal window is short
- Don’t delay full disclosure by > 1 month
- Everyone who is going to upgrade already has
- Full disclosure before fixes is bad
- Marginal cost to attentive admins is very high
- How can we get people to upgrade?
|
|
7
|
- Conclusions
- The situation is not good
- A lot of machines are vulnerable
- Response to security bugs is bimodal
- About a third of admins upgrade after the advisory
- Another third after a worm is released
- The rest not at all
- We need more research on why people do or do not fix
- And how to motivate them to do so
|
|
8
|
- Timing attacks are usually used to attack weak computing devices such as
smartcards.
- They show that timing attacks apply to general software systems.
- They showed that they could extract private keys from an OpenSSL-based
web server running on a machine in the local network.
- The results demonstrate that timing attacks against network servers are
practical
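The talk summarised above (Brumley and Boneh's "Remote Timing Attacks are Practical", USENIX Security 2003) recovered an OpenSSL server's RSA private key by measuring how long the private-key operation took on attacker-chosen ciphertexts. The standard countermeasure, which OpenSSL enabled by default in response, is RSA blinding: randomise the value that is exponentiated so its running time no longer correlates with the ciphertext the attacker supplied. The code below is an added illustration of that countermeasure, not code from the paper, the talk, or OpenSSL; the key material is a constructed textbook toy (small primes, no padding) chosen so the arithmetic is readable.

```python
"""RSA blinding: the standard countermeasure to remote timing attacks on RSA.

Constructed example for illustration only; not code from the talk or from
OpenSSL. The key is a textbook toy so the arithmetic is easy to follow.
Real deployments use 2048-bit or larger moduli and a padding scheme.
"""
import math
import secrets

# Constructed toy key material (NOT secure: the primes are far too small).
P = 1_000_003
Q = 1_000_033
N = P * Q
E = 65_537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def rsa_encrypt(m: int) -> int:
    """Textbook RSA encryption with the public key (E, N)."""
    return pow(m, E, N)


def rsa_decrypt_unblinded(c: int) -> int:
    """Plain private-key operation, as the vulnerable server performed it.

    The cost of the modular exponentiation depends on the value of c, and c
    is chosen by the remote party, so the time taken leaks information about
    the private key. This is the operation the timing attack measures.
    """
    return pow(c, D, N)


def pick_blinding_factor() -> int:
    """Fresh random r in [2, N) with gcd(r, N) == 1, chosen per operation."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            return r


def rsa_decrypt_blinded(c: int, r=None) -> int:
    """Private-key operation with RSA blinding.

    The exponentiation runs on c * r^E mod N, which is uniformly random from
    the attacker's point of view, so its running time carries no usable
    information about the ciphertext they supplied. The mask is removed
    afterwards using (c * r^E)^D = m * r mod N, i.e. multiply by r^-1.
    An explicit r is accepted only so the result can be checked in a test.
    """
    if r is None:
        r = pick_blinding_factor()
    c_blind = (c * pow(r, E, N)) % N
    m_blind = pow(c_blind, D, N)
    return (m_blind * pow(r, -1, N)) % N


if __name__ == "__main__":
    message = 2003
    c = rsa_encrypt(message)
    print("unblinded:", rsa_decrypt_unblinded(c))
    print("blinded:  ", rsa_decrypt_blinded(c))
```

Blinding costs one extra modular multiplication and one inversion per operation; the inversion can be amortised by updating r and r^-1 by squaring between operations, which is what production implementations do. It does not change the output, only the relationship between the attacker's input and the server's timing.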
|
|
9
|
- Andy Ellis, Akamai
- The problem with the traditional 3-tier architecture (firewalls with IDS
between the tiers) is that it does not scale and is usually not redundant
(especially the database)
- They run with 30 systems administrators for 6 operating systems, 100
applications and 2400 locations.
Mostly Debian (moved from Red Hat) on 1U and 2U Intel hardware
|
|
10
|
- System Protection
- Software Installation: configure once, deploy often. Network-deploy the OS
and apps. When in doubt, reinstall.
- Troubleshooting: how to give sysadmins the rights to do their job without
risk. Access management is similar to the implementation described in the
O'Reilly SSH book. Tier 1 access is similar, but executes commands via SSL
- Event Management: collect data, then analyse, then display. Each of these
is a separate problem with its own solution.
|
|
11
|
- Internet protection
- Mapping: identify normal topology and behavior (BGP feed). Akamai breaks
down the Internet into 10,000 economic entities and 50,000 core points
- Mitigation: avoid problems by using their own network rather than BGP
routes (can reduce intercontinental transit time by 40%)
- Monitoring: the "Wall of Data" is for engineers and architects,
not NOC staff. Watch bandwidth and link failures
|
|
12
|
- Lessons
- Plan for link and server failure
- Automate, and minimize problem diagnosis (reload or replace the server).
Mitigation rather than resolution
- Make decisions in advance
|
|
13
|
- Bill Cheswick, Lumeta
- http://www.usenix.org/events/sec03/tech/cheswick/
- Bill reviews the current security landscape, lessons and strategies, and
his wish list.
|
|
14
|
- Most common question from the press:
- “Is Internet security getting better or worse?”
- Universal Answer
- Many attacks were theoretical…
- SYN packet flooding; mail flooding and similar application overflows;
TCP hijacking; hadn’t seen a worm in years; Unix viruses were research
topics; attacks on the TCP/IP stacks; packet amplification
- …and then they happened…
- Massive sniffing (1994), SYN packet DOS attacks (1996), TCP hijacking
(1996), Ping-of-death (1996?), SMURF (1997?), massive worm and viral
outbreaks (Melissa, Code Red, etc.)
|
|
15
|
- Bright spots (Since 1994)
- The crypto export war appears to be over
- There are better tools available for some situations
- SSH
- IPsec
- Better Linux and Unix systems
- Microsoft security initiative
- Honeyd and other tools
- Un*x/Linux/GNU is freely available, and a reasonable solution
|
|
16
|
- Ches is optimistic: good security is possible
- One can engineer reliable systems out of unreliable parts
- We have the home-field advantage: we can choose to set the rules on our
hosts
- World-class encryption is now available and cheap
- The Bad Guys are giving us lots of practice
|
|
17
|
- Talk to spooks: they have security experience
- Don’t try to get their secrets, get their security advice
- A number of secret networks appear to be well-run
- Slammer-free
- Rare virus sightings
- They do all the stuff we all know about, and
- Management uses a big hammer for compliance
- Bigger problem than spies: morons
|
|
18
|
- Spooks
- Use enclaves
- Run their own compilers
- Buy off-the-shelf hardware
- Restrict client software
- Watch their networks closely
- Make IP addresses useful
- No RFC 1918, they need accountability
|
|
19
|
- Skim the papers for yourself
- Proceedings from the last year are available for USENIX members. (Though authors may post copies on
their own site.)
- Proceedings from all USENIX conferences over one year old are available
for all.
- http://www.usenix.org/publications/library/proceedings/
|