Dorothy E.
Denning
Georgetown University
March 5, 1996
� Copyright 1996 by Dorothy E. Denning.
This paper gives a brief overview of information system security vulnerabilities and countermeasures. It outlines why systems are vulnerable to intrusion, common methods of attack, and tools the attacker can draw upon. It summarizes information security technologies, including a new authentication technology based on geodetic location, and international efforts to address the societal conflict raised by powerful encryption programs. The paper is based on a talk given at the conference on National Security in the Information Age at the US Air Force Academy, Colorado Springs, February 28 - March 1, 1996.
Attacks and Vulnerabilities
The Automated Systems Security Incident Support Team (ASSIST) of the Defense Information Systems Agency (DISA) tested the vulnerability of 12,000 DoD host computers in the unclassified domain. They found that 1-3% of the systems had exploitable front doors and that 88% could be penetrated by network trust relationships. Only 4% of the penetrations were detected and, of those, only 5% reported. The 3rd Annual Information Week/Ernst &Young security survey found that one in five of the 1,290 companies responding reported network break-ins. Two-thirds said they were hit by a virus.
Why Systems are Vulnerable. There are many reasons why systems are vulnerable to attack:
Security is hard and expensive. It is not easy to design systems that resist penetration, particularly in today's world where they are connected to open networks. It requires considerable skill and investment of resources, often involving dozens of engineers and scientists and years of work. Consequently, many systems have vulnerabilities which allow an intruder to bypass the security controls. In many cases, the security controls themselves introduce weaknesses.
Security is a bottomless pit. It is often said that the only way to make a system secure is to pull the plug. It is not practical, and usually impossible, to achieve 100% security. Not only is it too expensive, it is unachievable because not all weaknesses and attacks can be anticipated. Vulnerabilities can be found in even carefully designed products.[1] New methods of attack are continually being discovered.[2] Thus, one settles for something less than perfect, say a 90% solution aimed at preventing the simplest and most common attacks. However, this brings me to the next observation:
Security is complex and fuzzy. We speak about information security as though it were well-defined and quantifiable. In fact, it is neither of these. Security policies are often complex, imprecise, sometimes conflicting, and subject to human judgement.[3]
Organizations are willing to take risks. Organizations generally do not demand perfect security for their systems and information. They are willing to take risks, as they do with other assets and technologies, in order to save time and money, to enjoy the benefits of the Internet and new services, to boost productivity, and to ensure that their employees and customers are not denied legitimate access. Many organizations connect to the Internet knowing fully well that they may be vulnerable to attack. Access to people, organizations, and information world-wide is considered well worth the risk. Security is about risk management, not absolute prevention.
Developers and users have limited resources. System developers have limited resources to spend on product development, and those resources have competing demands, including functionality, performance, and customer support. Decisions are based on factors such as marketability and profitability. Similarly, organizations have limited resources. Funds for security management, products, and training are balanced with other needs of the organization. In many organizations, the senior management do not view security as very important.[4]
New technology is constantly emerging. New technologies, for example, to support World Wide Web applications, bring forth new forms of vulnerabilities. In the rush to bring products to market and increase connectivity, the security implications are not always thoroughly researched and understood. Weaknesses are not discovered until after the products have been on the market. Security engineering lags behind the product development curve.
Security involves humans. Human beings are responsible for designing, configuring, and using systems with security features. They make mistakes in judgement and in implementation. They take shortcuts. They do not anticipate all possible failures. They can be conned by those wishing to intrude.
Lack of cryptographic infrastructure. In order to realize the full potential of cryptography for information security, a global public-key infrastructure must be developed. The infrastructure must offer high assurance that public keys are bound to particular individuals and organizations. It must provide services in support of confidentiality and authentication.
Export controls. Inadequate security is often blamed on export controls over strong encryption technology. The argument is that if there were no controls, strong encryption would be integrated into applications and networks, thereby making them secure. However, the situation is not so simple as security involves much more than unbreakable encryption algorithms. Thus, while export controls may have inhibited the integration of strong encryption into systems, the preceding factors seem much more significant. Moreover, cryptographic methods of authentication, which are largely exempt from export restrictions, play a larger role in preventing intrusions than methods of confidentiality protection.
Hackers often justify their cracking activities with the argument that systems should be secure; they are merely exposing flaws that never should have appeared in the first place and should be fixed. This argument falls apart, however, in the context of the preceding analysis. Networked systems will always have vulnerabilities, just as our streets, homes, and other public infrastructures do. Breaking into a computer system, without authorization to do so, is no more ethical than breaking into a house to demonstrate its physical vulnerabilities.
Methods of Attack. The following are some common methods of attack:
Insider misuse. Some of the most serious breaches of security are performed by insiders misusing their access authorizations. This is another reason why total security is unachievable. Although a user's access rights can be contained, they can never be so constrained as to preclude any misuse.
Social engineering. The attacker uses lies and deception to con the victim into providing information (e.g., passwords) that facilitates an attack. Strong technical safeguards can be useless against this form of attack.
Password cracking. Many passwords are easily guessed or vulnerable to systematic attack. These attacks are typically launched with the aid of a dictionary and password cracking program. First the attacker acquires a file of encrypted passwords. Then the cracking program is used to encrypt all of the words in the dictionary along with commonly chosen passwords until a match is found in the encrypted password file.
Key cracking. If encryption keys are not sufficiently long, they can be systematically broken by trying all possible keys until the correct one is found. Even keys that are long enough to withstand a brute force attack can be cracked if the random number generator used to create keys is not sufficiently good or if the cryptosystem has protocol failures or other weaknesses. In some cases, keys have been broken within a few minutes.[5]
Sniffers. "Sniffer" programs, installed on network nodes, intercept packets traversing the network and ferret out login IDs and passwords, credit card numbers, or messages containing certain keywords.[6] This information is stored in a file, where it can be read by or transmitted back to the owner of the program.
IP Spoofing. This involves forging the Internet Protocol (IP) address of a trusted host in order to establish a connection with a victim machine. One method floods the trusted host with connection requests and then, while the host is recovering, sends packets that forge the node's IP address. The forged packets may contain data that allow the attacker to gain privileged access on the victim machine.
Injecting viruses, Trojan horses, time bombs, and other malicious code. Malicious code is injected into a target system through a disk or computer network. The code could alter or destroy data or cause other types of mischief.
Exploiting weaknesses in operating systems, network protocols, and applications. In general, any system vulnerability can be exploited to form an attack.[7] Depending on the weaknesses, such attacks may effectively circumvent access controls and encryption, allowing access to plaintext data without the need to crack passwords or encryption keys. An intruder may be able to download tens of thousands of credit or calling card numbers at a time. Weaknesses are often found in configuration settings and parameter checking.
The Attacker's Toolkit. The attacker has many tools to draw upon. These include:
Programs and scripts. A variety of programs and scripts are available to locate system vulnerabilities and launch attacks. These include password crackers, key crackers, cryptanalytic tools, vendor utility and diagnostic programs, Trojan horse system utilities, special hacker tools (e.g, RootKit [8]), and graphical network sweepers (e.g., SATAN). A Trojan horse system utility is a program which resembles a real utility to the unsuspecting user but performs some subversive function. The attacker replaces the real utility with the Trojan horse, which is then executed whenever the utility is invoked. Network sweepers are programs that check the nodes on a network for poor configuration settings and other vulnerabilities. Many programs and scripts that are developed to aid the system administrator check for weaknesses are also useful to the attacker and vice-versa. As these tools become more powerful and user friendly, the job of the attacker becomes easier. Sophisticated attacks can be launched by persons with only modest technical expertise.
Delivery mechanisms. Malicious code can be injected into a target system through a variety of delivery mechanisms, including floppy disks, network protocols, electronic mail, and web browsers. It can be concealed in the low order bits of images or in macros attached to documents, and then activated when the image or document is opened and processed. A web browser or other Internet application may download and execute software without the user's knowledge.
Publications and forum. Information and software tools that facilitate attacks are exchanged and distributed through a variety of media including electronic bulletin boards, Internet web pages and news groups, Internet chat services, electronic and paper magazines, conferences and meetings, and e-mail distribution lists. The Internet has greatly facilitated the spread of knowledge about vulnerabilities and the distribution of tools, both to the attackers and to those who are responsible for defending against intrusion.
Massive computing resources. This includes powerful workstations and supercomputers, but also the Internet as a massive distributed computing system. The Internet lends itself particularly well to any task that can be broken into independent pieces, for example, breaking encryption keys.[9]
Anonymity and invisibility. Attackers use a variety of mechanisms to hide their identity, activities, and location. These include masquerading as legitimate users (after first acquiring their passwords) and hosts (IP spoofing), disabling audit programs, looping, sending messages through anonymous remailers, and encrypting electronic mail and files. Looping involves logging into a target system via a lengthy path that goes through many intermediate systems, using multiple carriers and passing through multiple jurisdictions. The objective is to make it extremely difficult to trace the connection back to the attacker. Anonymous remailers allow an attacker to send e-mail or post messages that cannot be traced to the source.
Technologies of Defense
Information security is about risk management, not absolute security, and involves application of both technical and non-technical countermeasures. Non-technical defenses include formulating a security policy for the organization and educating users about that policy.
The following gives a brief description of the main technologies of defense and some of their potential vulnerabilities. In describing vulnerabilities, I do not mean to suggest that the technologies are riddled with holes or useless, only that they may not be foolproof. Particular attention is given to two recent technologies, location-based authentication and key escrow encryption.
Authentication. These technologies are used to determine the authenticity of users, network nodes, and documents. They are typically based on knowledge of secret information such as a password, PIN, or cryptographic key; possession of a device such as an access token or crypto card; and biometrics such as a thumb print or iris pattern. While all of these methods are valuable, they also have limitations. Secret information may be vulnerable to guessing and cracking, hardware tokens to theft, and biometrics to false positives, false negatives, and replay. In addition, authentication controls are potentially vulnerable to subversion or by-pass.
Location-based authentication. International Series Research, Inc. of Boulder, Colorado, has developed a new technology for authentication, called CyberLocatorTM, which uses space geodetic methods to authenticate the physical locations of users, network nodes, and documents.[10] This is accomplished through a location signature sensor, which uses signals from the Global Positioning System's worldwide satellite constellation to create a location signature that is unique to every location on Earth at every instant in time. This signature is used to verify and certify geodetic location to within a few meters or better. Because the GPS observations at any given site are unpredictable in advance (at the required accuracy level), constantly changing, and everywhere unique, it is virtually impossible to spoof the signature.
The CyberLocator technology is not vulnerable to many of the techniques in the attacker's toolkit, in part, because it does not rely on any secret information and it is not readily forged. In addition, it counters one of the attacker's most powerful tools, anonymity. Because the exact location of the intruder is revealed, it defeats looping and masquerading. It would be a strong deterrent to many potential intruders, who would be unwilling to make their locations known.
Location-based authentication would normally be used in combination with another method of authentication. Its value added is a high level of assurance against intrusion from any unapproved location regardless of whether the other methods have been compromised. In critical environments, for example, military command and control, nuclear materials handling, telephone switching, air traffic control, and large financial transactions, this extra assurance could be extremely valuable. Location-based authentication also has applications besides access control, for example, implementation of an electronic notary function or enforcement of transborder data flows (e.g., export controls).
Cryptography. Various cryptographic techniques provide confidentiality protection (encryption) and authentication, which includes data integrity; user, host, and message authentication; and digital signatures. They are used to protect both communications transmitted over open networks and data stored in computer files. Cryptographic systems can be implemented as stand-alone products or they can be integrated into applications and network services, where they may be transparent to the user. They are potentially vulnerable to weaknesses in algorithms, protocols, key generation, and key management.
The encryption conflict. Encryption is essential for protecting classified national security information, unclassified but sensitive business and government information, and individual privacy. At the same time, in the hands of foreign adversaries, it interferes with signals intelligence. Terrorists, drug dealers, and computer intruders can use it to conceal their activities and stored records. Law enforcement agencies are concerned that as encryption proliferates worldwide, it could seriously imperil their ability to counter domestic and international organized crime and terrorism. It could cut off valuable sources of foreign intelligence. Even within an organization, encryption can cause problems. If keys are lost or damaged, valuable data may become inaccessible.
Because of its significance to national security, encryption is classified as a munitions and subject to export controls. These controls have come into conflict with the need for strong encryption on the global information infrastructure to support secure international communications and the desire of industry to compete in the global encryption market.[11]
While it is beyond the scope of this paper to discuss the encryption conflict in any depth [12], I shall briefly summarize international efforts aimed at accommodating the different interests. The Organization for Economic Cooperation Development (OECD) is addressing the issues through its Committee for Information, Computer, and Communications Policy (ICCP). An ad-hoc group of experts on cryptography policy held an initial meeting in December 1995, and is expected to meet again in spring 1996 after being officially established by the ICCP. The December meeting was immediately followed by a Business-Government Forum on Global Cryptography Policy sponsored by the OECD, the International Chamber of Commerce, and the Business and Industry Advisory Committee to the OECD. At that meeting, representatives from the international business community and member governments agreed to work together to develop encryption policy guidelines based on agreed upon principles that accommodate their mutual interests. Statements of principles were issued by the INFOSEC Business Advisory Group (IBAG), an association of associations representing the information security interests of users, and a quadripartite group consisting of EUROBIT (European Association of Manufacturers of Business Machines and Information Technology Industry), ITAC (Information Technology industry Association of Canada), ITI (Information Technology Industry Council, U.S.), and JEIDA (Japan Electronic Industry Development Association), which accounts for more than 90% of the worldwide revenue in information technology.[13] In addition to the above OECD-related efforts, the International Cryptography Institute, sponsored by the National Intellectual Property Law Institute and chaired by myself, brought together people from all over the world to address the encryption conflict at its meetings in September 1994 and 1995.[14]
One approach that has received considerable attention uses trusted parties as key holders.
The keys held by these parties are not normally the same as the ones used for data encryption, but they allow access to the data encryption keys. This approach, sometimes called key escrow or emergency data recovery, can accommodate access by the owners of data who have lost their keys as well as by government officials operating under a court order or other lawful authorization [15]. Many existing encryption products have data recovery capabilities to accommodate user needs; some have integrated it into their key management services. Data recovery could be a service provided by an international network of trusted parties accredited to offer services that support digital signatures, notarization, confidentiality, and data integrity. This effectively puts key escrow in the public-key infrastructure. The European Commission is proposing a project to establish such a European-wide network. X/Open is drawing up plans for a public-key infrastructure project that would create specifications and possibly operating manuals for use in conformance testing and site accreditation. The U.S. government plans to finalize criteria for exporting software encryption with key escrow in early 1996 [16].
The objectives of business regarding encryption with trusted parties are articulated in the IBAG principles. Businesses and individuals would lodge keys with accredited trusted parties, which could be independent entities or entities within a company. The trusted parties would be liable for any loss or damage resulting from compromise or misuse of keys. Keys would be available to businesses and individuals on proof of ownership and to governments under due process of law. The principles call for industry to develop open voluntary, consensus, international standards and for governments, businesses, and individuals to work together to define the requirements for those standards. The standards would allow choices about key holder(s), algorithm, mode of operation, key length, and implementation in hardware or software. Products conforming to the standards would not be subject to restrictions on import or use and would be generally exportable.
Access controls. These technologies are used to control access to networks, computers, applications, transactions, and information according to a security policy. Policies can be based on individual users, groups, or roles and on time of day or location. Access controls rely on authentication mechanisms to confirm the identity of users attempting access. They are typically integrated into both applications and systems software. Access controls are potentially vulnerable to bypass, failure to correctly implement the security policy, and ill-defined policies.
Firewalls. A firewall is a trusted computer system that monitors all traffic into and out of a protected network. It is frequently placed between an organization's internal network and the Internet with the objective of keeping intruders out and proprietary or sensitive data in. The firewall examines each incoming or outgoing message to determine whether it should be allowed to pass. Decisions can be based on protocol, source or destination address or port number, and message contents. Firewalls are potentially vulnerable to subversion, to malicious code that enters the firewall in a seemingly legitimate message, and to ill-defined or incomplete policies.
Audit. Audit logs record security relevant activity, for example, successful and unsuccessful logins, execution of system commands and applications, and access to files and database records. Auditing can be performed at both the system level and the application level. Audit mechanisms are potentially vulnerable to being disabled or bypassed; audit records to tampering or deletion.
Intrusion detection/monitoring. Intrusion detection systems actively monitor a system for intrusions and unauthorized activity. They typically inspect audit records, either after the fact or in real-time. They can look for particular events or event sequences, or for behavior that is abnormal. They are normally run under the direction of a security officer who specifies the events of interest and evaluates the results. Monitoring is analogous to the use of guards to keep watch over the physical premises of a protected site, either through direct surveillance or through video cameras. It is potentially vulnerable to false positives and false negatives, to being disabled, and to incomplete or false knowledge about misuse scenarios.
Anti-viral tools. These include scanners, which look for specified patterns; disinfectants, which remove viruses; and integrity checkers, which check for modifications to files and code. Potential vulnerabilities include failure to detect unknown viruses or to adequately protect checksums.
Vulnerability assessment tools. These are the same tools described earlier under the attacker's toolkit. They are potentially vulnerable to failure to detect a weakness or to misuse.
Trusted systems design. Good engineering, based on sound security models, is the bedrock for all trusted systems (complete systems or components). It can increase assurance that the systems meet their specifications and do not have certain weaknesses. It is integral to the development of high assurance systems. Trusted system development does not, however, guarantee perfect security. It is limited by the underlying models, which do not capture the full complexity of systems or their operating environments; by the fuzzy nature of information security; and by the human beings who do the work.
Conclusions
The encryption conflict is an instance of a broader conflict between the defensive use of information security technologies and offensive operations against foreign adversaries, criminals, and terrorists. To the extent that the systems and communications of our adversaries are secure, they preclude penetration or signals intelligence. The central question facing us is how best to accommodate the need for government access. Should national policy promote or require approaches that ensure access by the government? This will be the topic of much debate for at least the near future.
Notes and References
1. As an example, in February 1996, the COAST (Computer Operations,
Audit, and Security Technology) Laboratory at Purdue University reported an
unexpected weakness in version 4 of Kerberos, a system that provides
authentication and encryption services for distributed systems. Kerberos was
developed in the mid-1980's at MIT and had been regarded as very secure.
2. For example, Paul Kocher recently demonstrated a new method of
cryptanalysis based on timing estimates. See Paul Kocher, "Cryptanalysis of
Diffie-Hellman, RSA, DSS, and Other Systems Using Timing Attacks," Dec. 7, 1995.
3. See Hilary Hosmer, "Security is Fuzzy: Applying Fuzzy Logic to
the Multipolicy Paradigm," Computer Security Journal, Vol. XI, No. 2,
Fall 1995, pp. 15-24.
4. The 3rd Annual Information Week/Ernst & Young survey
found that only 24% of information security managers reported that senior
management perceives security as extremely important. 32% reported it as
somewhat important, 39% as important, and 5% as unimportant.
5. The Kerberos vulnerability involved a poor random number
generator that allowed session keys to be cracked in just a few minutes. A
similar weakness was found (and corrected) in Netscape. See Steven Levy,
"Wisecrackers," Wired, Mar. 1996, pp. 128+.
6. Many security papers and books discuss these attacks. For an
award-winning paper on this topic, see E. Eugene Schultz and Thomas A.
Longstaff, "Internet Sniffer Attacks," Proc. 18th National Information
Systems Security Conf., Oct. 1995, pp. 534-542.
7. See William R. Cheswick and Steven M. Bellovin, Firewalls and
Internet Security, Addison-Wesley, 1994, for a good discussion of system
vulnerabilities and countermeasures.
8. RootKit includes a network sniffer, a backdoor login which
disables auditing, Trojan horse system utilities, and an installation tool to
match checksums to originals.
9. For example, the Internet was used to help break a 129-digit
secret RSA key between September 1993 and October 1994. The attack, which
required factoring a 129-digit public key, was carried out with the assistance
of 1,600 machines that sent partial results to a computer at MIT. See Steven
Levy, "Wisecrackers," Wired, Mar. 1996, pp. 128+.
10. See Dorothy E. Denning and Peter F. MacDoran, "Location-based system delivers
user authentication breakthrough," Computer Security Alert, No. 154,
Jan. 1996, pp 1+.
11. See the Computer Systems Policy Project report, "Perspectives
on Security in the Information Age," Jan. 1996 for the views and recommendations
of representatives of the U.S. computer systems industry regarding export
controls.
12. For a balanced discussion of the issues, see Susan Landau et.
al, Codes, Keys,
and Conflicts: Issues in U.S. Crypto Policy, ACM, June 1994. For my
personal perspective, see Dorothy E. Denning, "The Future of
Cryptography," presented at the joint Australian-OECD Conference on
Security, Privacy, and Intellectual Property Protection, Canberra, Feb. 7-8,
1996.
13. The IBAG and EUROBIT-ITAC-ITI-JEIDA statements are available
at http://www.cs.georgetown.edu/~denning/crypto.
14. Information about the ICI is available at http://www.cs.georgetown.edu/~denning/crypto.
15. For a general description of key escrow and the U.S.
government's proposal for exporting software encryption with key escrow, see
Dorothy E. Denning and William E. Baugh, Jr., "Decoding Encryption Policy,"
Security Management, Feb. 1996, pp. 59-63. For a more detailed
description of key escrow systems, see Dorothy E. Denning and Dennis K.
Branstad, "A Taxonomy
for Key Escrow Encryption Systems," Communications of the ACM, Vol.
39, No. 3, Mar. 1996.
16. Draft Software Key Escrow Encryption Export Criteria (11/95
version) and Key Escrow Agent Criteria," draft, Dec. 1, 1995. Available through
http://csrc.ncsl.nist.gov/keyescrow.