A 10,000 Foot View of Internet Security in 2017

Zakir Durumeric

Who am I?

I am joining the Stanford CS Department in Fall 2018

My research primarily focuses on empirical security, particularly improving network security through large-scale measurement

This includes building systems to perform large-scale data collection, uncovering vulnerabilities in how systems have been deployed in practice, and designing more secure protocols and systems

Worsening Distributed Denial of Service (DDoS) Attacks

Devastating DDoS Attacks

In October 2016, DDoS attacks took the DNS provider Dyn offline

Largest denial of service attack on public record (>600 Gbps)

Source: Dyn

Mirai: IoT Devices to Blame

Understanding the Mirai Botnet, USENIX Security ‘17

Mirai: IoT Devices to Blame

[Chart: total Mirai scans observed by a network telescope, 08/01/16 to 02/01/17, broken down by scanned port (TCP/23, TCP/2323, TCP/22, TCP/2222, TCP/80, TCP/443, TCP/8080, TCP/5555, TCP/6789, TCP/7547, TCP/23231, TCP/37777); y-axis 0 to 700,000 scans]

Peak: 600K+ infected devices

Steady state: 200-300K infected devices

Understanding the Mirai Botnet, USENIX Security ‘17

What Happened?

“It is possible, investigators say, that the attack on Dyn was conducted by a criminal group that wanted to extort the company. Or it could have been done by “hacktivists.” Or a foreign power that wanted to remind the United States of its vulnerability.”

Understanding the Mirai Botnet, USENIX Security ‘17

Embarrassingly Bad Security

Mirai was possible because hundreds of thousands of devices used default logins and had trivial vulnerabilities

Nearly every aspect of Mirai was poorly orchestrated

Used no modern techniques

Dyn was taken offline by a handful of miscreants trying to attack a PlayStation game server

Targeted IP       rDNS                      Passive DNS
208.78.70.5       ns1.p05.dynect.net        ns00.playstation.net
204.13.250.5      ns2.p05.dynect.net        ns01.playstation.net
208.78.71.5       ns3.p05.dynect.net        ns02.playstation.net
204.13.251.5      ns4.p05.dynect.net        ns03.playstation.net
198.107.156.219   service.playstation.net   ns05.playstation.net
216.115.91.57     service.playstation.net   ns06.playstation.net

Understanding the Mirai Botnet, USENIX Security ‘17

Embarrassingly Bad Security

[Figure: domains associated with Mirai, grouped into clusters (Cluster 0, 1, 2, 6, 7, 23, …)]

Understanding the Mirai Botnet, USENIX Security ‘17

Moving Forward

Mirai hasn’t gone away—fractured control—could easily return

It will return unless there’s significant change

Understanding the Mirai Botnet, USENIX Security ‘17

IoT Security Beyond Mirai

Mirai is one example of poor security in a worrisome trend

Second Example: Hundreds of thousands of embedded devices serve user data to the public over FTP

Data ranging from clinical medical records to HR and financial data is publicly available

Typically due to poor user interfaces, default credentials, and easy-to-find vulnerabilities

FTP: The Forgotten Cloud, DSN’16

Malware, Infection, and A Thriving Underground Economy

“Pay Per Install”: Compromised machines are a purchasable commodity

Allows multi-tenancy of machines for denial of service attacks, malicious hosting, spam, PII theft, ad fraud

Fill out web form with the number of machines you need and payment, then upload your malware binary:

- 1000 U.S./Western Europe Installs: $100-180
- 1000 Less Popular Installs (mostly Asia): $7-8

Large providers see abusive traffic from tens of millions of abusive IPs on a daily basis

Source: The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

DDoS For Hire: Booter/Stresser Services

DDoS has been commoditized:

• Enables non-sophisticated subscribers to extort, harass, and censor

• First major Mirai attack was taking down Brian Krebs’s blog

Popular services carry out 100Ks of attacks for 1Ks of subscribers

Accept PayPal, … $10-500 based on duration/intensity

Primarily amplification attacks that use misconfigured NTP, DNS, SIP
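As an added example (not from the talk): detection logic a victim-side network could run over its own flow records to spot a reflected amplification flood, i.e. many NTP/DNS/SIP servers "answering" requests the victim never sent. The service-to-port mapping, the alert threshold and the flow records are constructed assumptions.

```python
"""Victim-side detection of reflected amplification floods (example added here;
not from the talk). Reflectors (misconfigured NTP, DNS, SIP servers) answer a
small spoofed request with a large reply sent to the victim, so the victim sees
many servers 'answering' requests it never sent. The flows are constructed."""
from collections import defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 5060: "SIP"}  # UDP services named in the talk
MIN_DISTINCT_SOURCES = 3  # assumption: alert threshold, tune per network

# Constructed flow records: (direction, src_ip, src_port, dst_ip, dst_port, bytes).
# direction is "out" for traffic leaving our network and "in" for traffic entering it.
FLOWS = [
    ("out", "203.0.113.10", 40001, "198.51.100.53", 53, 60),    # our own DNS query
    ("in", "198.51.100.53", 53, "203.0.113.10", 40001, 512),    # its legitimate answer
    ("in", "198.51.100.1", 123, "203.0.113.10", 80, 4400),      # NTP replies we never asked for
    ("in", "198.51.100.2", 123, "203.0.113.10", 80, 4400),
    ("in", "198.51.100.3", 123, "203.0.113.10", 80, 4400),
    ("in", "198.51.100.4", 123, "203.0.113.10", 80, 4400),
    ("in", "198.51.100.9", 5060, "203.0.113.10", 80, 900),      # one stray SIP reply: noise
]

def find_reflection_floods(flows, min_sources=MIN_DISTINCT_SOURCES):
    """Return {(victim_ip, service): (distinct_reflectors, total_bytes)} for inbound
    replies from reflector ports that no outbound request from the victim explains."""
    solicited = {(d_ip, d_port, s_ip)
                 for dirn, s_ip, _sp, d_ip, d_port, _b in flows if dirn == "out"}
    stats = defaultdict(lambda: [set(), 0])
    for dirn, s_ip, s_port, d_ip, _dp, nbytes in flows:
        if dirn != "in" or s_port not in REFLECTOR_PORTS:
            continue
        if (s_ip, s_port, d_ip) in solicited:
            continue  # the victim asked; this is a normal reply
        entry = stats[(d_ip, REFLECTOR_PORTS[s_port])]
        entry[0].add(s_ip)
        entry[1] += nbytes
    return {key: (len(srcs), total)
            for key, (srcs, total) in stats.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for (victim, service), (n, total) in find_reflection_floods(FLOWS).items():
        print(f"{victim}: {n} unsolicited {service} sources, {total} bytes")
```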

Source: Understanding and Undermining the Business of DDoS Services

The Rise of Ransomware

Ransomware has become extremely popular—dwarfs other types of malware attacks

Little change in distribution: Phishing emails, social media scams

Largest 2017 Family (Cerber): ~7M USD

- Expansive affiliate program

Source: Unmasking the Ransomware Kingpins

Data Breaches and Mismanagement

Data Breaches

Constantly hearing about data breaches—Equifax, Anthem, eBay, Home Depot, Target, Adobe, Sony, Adult Friend Finder, OMB, …

Hard to detect root cause, but a few major problems:

- Network mismanagement
- Phishing
- Out of date software
  - 20% of Flash installs are vulnerable
  - 25% of browsers out of date

Source: Duo Trusted Access Report

Patching Behavior

[Chart: vulnerable percentage of HTTPS hosts over time, Alexa Top 1 Million Sites vs. Public IPv4 Address Space, 04/12 to 05/24; y-axis 0 to 12%]

OpenSSL vulnerability allowed remote attackers to dump memory

Massive publicity—likely best case patching scenario

Patching plateaued with 30% of IPv4 hosts remaining vulnerable

Today, 100K+ hosts remain vulnerable. Most are IoT devices

The Matter of Heartbleed, IMC’14

Increased Data Collection

Many of the headlines are about financial data leaks

- Primary worry: Identity theft

Hospitals, insurance providers are also commonly. Earlier this year, Uber.

Worrisome trend of collecting and storing all data

- IoT devices will continue to have access to more sensitive information

Encrypting Data in Transit

Increasing HTTPS Deployment

For the first time, 50% of Chrome and Firefox page loads use HTTPS

Chrome more restrictive on loading HTTP content

Firefox only releasing new features for HTTPS connections

[Chart: Percent of page loads over HTTPS in Google Chrome. Source: Google Chrome Team]

TLS 1.3 Nearing Completion

We’ve seen quite a few TLS 1.2 protocol vulnerabilities the last few years: POODLE, FREAK, Logjam + Weak Diffie-Hellman Keys, DROWN, […]

TLS 1.3: A simpler protocol built on lessons from the last few years:

- Simpler construction with formal analysis before finalization
- Removes many insecure options
- Increased performance

Current impediment: Poorly constructed middleboxes are holding back deployment

Trustworthy PKI

<2011: Little visibility into the certificate authorities that support HTTPS

2013-7: Uncovered rampant abuse through Internet-Wide Scanning

2015-7: Web browsers taking more proactive role policing CAs

2018: Browsers requiring trusted certificates to be in public logs (CT)

2018: Proactive, programmatic detection of authority mismanagement

Analysis of the HTTPS Certificate Ecosystem, IMC’13 | Tracking Certificate Misissuance in the Wild, S&P’18

Email Delivery Security

[Chart: Gmail messages delivered over TLS, inbound email vs. outbound email, 2013 to 2017; y-axis 0% to 90%]

Email security has historically lagged behind HTTPS

November 2017: ~90% of email is encrypted in transit

230% increase in the last four years

IETF is finalizing Strict Transport Security to protect against email attacks uncovered in 2014
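An added example, not from the talk or the cited paper: the Strict Transport Security mechanism for email the IETF was finalizing was published as SMTP MTA-STS (RFC 8461). The block parses an MTA-STS policy and shows the sending side's decision: in enforce mode, delivery is refused when STARTTLS with a valid certificate cannot be negotiated or when the MX is not on the policy's list, which is what defeats a plaintext downgrade. The policy text and host names are constructed.

```python
"""MTA-STS policy enforcement sketch (example added here; not from the talk).
In 'enforce' mode the sending server refuses delivery when STARTTLS with a valid
certificate cannot be negotiated or when the MX is not one the policy lists."""

# Constructed sample policy for a hypothetical domain.
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example.com
max_age: 604800
"""

def parse_policy(text):
    """Parse the key: value policy body; the 'mx' key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid policy mode")
    return policy

def mx_matches(pattern, host):
    """'*.' matches exactly one leftmost label; anything else must match exactly."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup-mx.example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return label != "" and "." not in label
    return host == pattern

def delivery_decision(policy, mx_host, tls_ok):
    """Return 'deliver' or 'refuse'. tls_ok means STARTTLS succeeded and the
    certificate validated for mx_host. Outside 'enforce' mode, failures are
    only reported, never enforced."""
    trusted = tls_ok and any(mx_matches(p, mx_host) for p in policy["mx"])
    if trusted or policy["mode"] != "enforce":
        return "deliver"
    return "refuse"
```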

Details: An Empirical Analysis of Email Delivery Security, IMC’15

A 10,000 Foot View of Internet Security in 2017

Zakir Durumeric, Stanford University, [email protected]