12/11/2010
Cyber War
Monday, December 6, 2010
CS342 Wellesley
Tyler Moore
Motivation
• ‘Cyber’ security has grabbed the attention of policymakers
– Lots of hype
– Lots of legitimate threats
– Lots of misinformed parties
– Fortunately, you are all now computer security experts
• Today we’ll try to make sense of the threats, what distinguishes ‘cyber war’ from the traditional variety, and the choices policymakers now face
Cyber attacks in Estonia April 2007
Russia‐Georgia War of 2008
How “the most significant breach of US military computers ever” happened
Brazil 2005-2007 Power Outages
Except it wasn’t actually cyber war…
How Stuxnet works
Diagram based on the paper describing the operation by Falliere, Murchu, & Chien: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
Stuxnet
• Four zero-day exploits used to spread the worm, plus exploits aimed at specialist software
– The point of the exploits is to reach “air-gapped” machines that load code onto PLCs, the devices that operate industrial control systems
– Apparent purpose of the custom PLC code: wreck nuclear centrifuges (http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html)
• Originator of attack still unknown
– Speculated to be a nation-state due to the resources required (several exploits, intricate knowledge of Siemens control systems, access to Iranian facilities for initial infection)
– US, Israel have been discussed as prime candidates
• Target presumed to be Iran
Why does Iran appear to be the target?
Source: Falliere, Murchu, & Chien, W32.Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
Why does Stuxnet appear to only target process control systems?
Source: Falliere, Murchu, & Chien, W32.Stuxnet Dossier: http://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
Cyber espionage
• Not quite cyber war, but nonetheless state-directed attacks that worry governments
– Straightforward to implement (look at e‐crime)
– Theft of information difficult to detect
– Using technology for intelligence gathering
– Comes in industrial and political varieties
Ghostnet: political espionage
How Ghostnet spread
• A few monks who worked as administrators for the Tibetan government-in-exile also posted on forums
– Attackers sent spear-phishing emails with malware
• Once compromised, their address books were raided and more spear phishing commenced
– Email bodies were copied and re-sent with malicious files attached
• The malware installed keyloggers that transmitted files to servers in China
• Chinese government denied any involvement
State Dept.: China used similar tactics during climate change negotiations
Cyber war trends
• Now that we’ve seen lots of examples of “cyber war”, let’s take a step back and look for some trends
– Critical infrastructures are often owned and operated by the private sector, yet government seems more worried about their security
– Differences between attack and defense
– Attributing acts of war to perpetrators is surprisingly difficult
Public vs. private control of critical infrastructures
• Most critical infrastructures are privately owned and operated
– Internet backbone
– Power grid
– Chemical refineries
• Governments are worried by attacks targeting these infrastructures
– Attacks often led by other nations
– Private operators don’t always perceive the threat to be as important as the government does
– Lack of control leads governments/militaries to fear the worst‐case scenario and propose oversight mechanisms
S. 3480: Protecting Cyberspace as a National Asset Act of 2010
• Among other things, sets the groundwork for the president to call a ‘national cyber emergency’
– Requires cooperation between government and critical infrastructures
– Proposes a so‐called Internet “kill switch” to shut off Internet access either entirely or to attacking countries.
Some reasons why an Internet kill switch is a bad idea
• The Internet does not have well-defined national borders
– No simple instruction to “block all packets from China”
• Distributed nature of Internet means implementing a single kill switch instruction would be very complicated and expensive
• Lots of unintended consequences that only reveal themselves when Internet connectivity is actually shut off
• Why couldn’t an attacker use the kill switch on us?
• For more, see: http://www.schneier.com/blog/archives/2010/07/internet_kill_s.html
How cyber attack differs from defense
• Some nations have more to lose from cyber-attack
– US: highly dependent on IT infrastructure
– North Korea: a little less so…
• Most nations can afford to develop effective offensive capability
– Spear phishing and malware-writing isn’t so hard
– Widespread vulnerability means there are plenty of available targets
Why the defender’s job is so hard (1)
• Overall system security is often determined by the weakest link
– Vulnerability discovery: many bugs, any one that grants root will do
– Spear phishing: compromising one insider’s credentials can yield a treasure trove
• By contrast, the defender must stop every attack, and successfully stopping all attacks is impossible
Why the defender’s job is so hard (2)
• Control of cyber infrastructure is distributed across many different actors
– Internet is highly distributed
– Any solution that requires everyone’s cooperation is likely to fail
– Collecting accurate information on attacker behavior is made harder when the defender doesn’t control all aspects of the infrastructure
Why the defender’s job is so hard (3)
• Detecting that you have been attacked is hard when information has been stolen
• Determining who has attacked you is also hard
– In military circles: the “attribution problem”
– Attackers tunnel through compromised computers to launch attacks & take steps to hide their tracks
– The sources of nearly all the attacks described earlier remain in dispute
Mutually Assured Destruction (MAD) & Theories of Deterrence
Why poor attribution scares the military
• In the cold war, the credible threat of nuclear attack created a stable outcome where neither the US nor the USSR attacked
– But a nuclear bomb is highly observable
– Identifying who launched the bomb was also easy
• Because these conditions do not hold in the cyber context, those who use a nuclear-cyber analogy fear that we are doomed to attack each other because deterrence isn’t credible
– Call for the adoption of an “accountable” Internet
How attribution works today
• Machine-level attribution: IP addresses identify a machine at a point in time
– Indirectly linked to a person (e.g., South Korea, RIAA)
– Roughly map to ISPs and countries
– Spoofable in principle, but rarely spoofed in practice (a forged source address cannot complete a TCP handshake, so spoofing shows up mainly in flooding attacks)
• Human-level attribution: some web applications associate a session with an identity
– Online banking
– E‐commerce
– Digital signatures
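The two machine-level mechanisms above (mapping an IP address to an ISP and country, and tying it to a particular machine at a point in time), together with the earlier kill-switch point that there is no simple instruction to “block all packets from China”, can be made concrete with a small script. The following is an added example written for this page, not code from the lecture or from the Stuxnet or Ghostnet reports. The prefix table, the DHCP lease records and the firewall log lines are constructed for the demonstration: the addresses come from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), the AS numbers are from the private range, and the host names and country labels are assigned arbitrarily.

```python
"""Machine-level attribution from a firewall log: an added worked example.

Two lookups are performed for each source address:
  1. longest-prefix match against a (constructed) routing table, which is
     the basis of every IP-to-ISP / IP-to-country mapping;
  2. a (constructed) DHCP lease log, which says which host actually held
     the address at the instant the log line was written.
Nothing here is real allocation or lease data.
"""
import ipaddress
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed prefix table: network -> (ASN, country). The /25 is a
# more-specific route inside the /24 that belongs to a different ASN.
PREFIX_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("AS64500", "KR")),
    (ipaddress.ip_network("198.51.100.0/24"), ("AS64501", "US")),
    (ipaddress.ip_network("198.51.100.128/25"), ("AS64502", "CN")),
]

# Constructed DHCP lease log: (lease start, lease end, address, host).
# The same address is handed to two different machines on the same day.
LEASES = [
    (datetime(2010, 12, 6, 8, 0), datetime(2010, 12, 6, 12, 0), "203.0.113.7", "monk-laptop-1"),
    (datetime(2010, 12, 6, 12, 0), datetime(2010, 12, 6, 18, 0), "203.0.113.7", "visitor-phone"),
]

# Constructed firewall log lines: "<ISO timestamp> src=<ip> dst=<ip> action=<verdict>".
LOG_LINES = [
    "2010-12-06T09:15:00 src=203.0.113.7 dst=192.0.2.10 action=allow",
    "2010-12-06T13:40:00 src=203.0.113.7 dst=192.0.2.10 action=allow",
    "2010-12-06T10:05:00 src=198.51.100.200 dst=192.0.2.10 action=deny",
    "2010-12-06T10:06:00 src=198.51.100.20 dst=192.0.2.10 action=deny",
    "2010-12-06T10:07:00 src=192.0.2.99 dst=192.0.2.10 action=deny",
]


def lookup_network(ip: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: the most specific covering route wins, as in a router."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in PREFIX_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best is not None else None


def lookup_host(ip: str, when: datetime) -> Optional[str]:
    """Which host held `ip` at instant `when`? Lease intervals are half-open [start, end)."""
    for start, end, lease_ip, host in LEASES:
        if lease_ip == ip and start <= when < end:
            return host
    return None


def parse_log_line(line: str) -> Tuple[datetime, str]:
    """Extract the timestamp and source address from one constructed log line."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return datetime.fromisoformat(ts), kv["src"]


def attribute(line: str) -> Dict[str, Optional[str]]:
    """Combine both lookups for one log line. Assumes the source address is not
    spoofed and that the firewall clock agrees with the DHCP server clock."""
    when, src = parse_log_line(line)
    net = lookup_network(src)
    return {
        "src": src,
        "asn": net[0] if net else None,
        "country": net[1] if net else None,
        "host": lookup_host(src, when),
    }


if __name__ == "__main__":
    for entry in LOG_LINES:
        print(attribute(entry))
```

Two things the output makes visible. The same address 203.0.113.7 resolves to monk-laptop-1 at 09:15 and to visitor-phone at 13:40, so the “machine at a point in time” qualifier is doing real work: attribution is only as good as the lease log and the clock synchronisation between it and the firewall. And the longest-prefix match sends 198.51.100.200 and 198.51.100.20 to different countries even though they sit in the same /24, which is why a country-level block is only as precise as the routing data behind it. The script also stops at the logged source; if that address is an intermediate compromised host of the kind described under the attribution problem, the lookup identifies the hop, not the attacker.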
What an “accountable” Internet might look like
• Some call for a stronger association between an IP address and an identity
– Right now, only ISPs can reveal it, but what if the ISP is in a hostile country?
– Including some form of identifying information with each packet could allow a third party to associate with ID
• But would this really solve the attribution problem for cyber war?
– Multi-stage attacks
– Weakest-link jurisdictions
Priorities of US DoD in Cyberspace
• A national strategy of “maintaining a robust defense of cyberspace while exploiting adversary cyberspace vulnerabilities”
‐‐‐National Military Strategy for Cyberspace Operations (2006)
Cyber Command
Cyber Command is a political and institutional compromise to integrate DoD strategy with NSA technical capabilities
Stated control over .mil networks.
What happens when the attacker is also the defender?
• How can a cybersecurity organization tasked with both offense and defense balance this tradeoff?
• Example: vulnerability disclosure
– NSA identifies Windows 0‐day exploit. Should it:
• Pass along the information to Microsoft, protecting US citizens against cyber crime and other attacks
• Keep the exploit hidden, stockpiling it for later use in an offensive operation
• For more, see http://people.seas.harvard.edu/~tmoore/nspw10.pdf
Concluding remarks
• Congratulations on completing a course in computer security, you are now more of an expert than many cyber-war experts
• Use your knowledge for good!
– Improve system security for our nation’s critical infrastructures
– Join the policy debate on how to meaningfully improve Internet security