3/4/2010
Two major cyber-security stories have just broken in the national media, and some leading experts at the University of Illinois are weighing in with their perspectives.
Then, on February 18, the real-life existence of a massive, now 18-month-old botnet attack became public. The attack, which has not yet been halted or traced to its perpetrators, has stolen massive amounts of valuable personal and corporate data. At least tens of thousands of machines, belonging to over 2,400 companies in almost 200 countries, have been infiltrated.
Professor David M. Nicol of the Department of Electrical and Computer Engineering (ECE) and the Information Trust Institute (ITI) has offered his thoughts on the events of recent days.
“Worms that were of interest to us back in the early portion of this decade were loud, fast, and noisy; the people who were doing them were doing them for bragging rights,” Nicol explained. “They caused damage but they weren’t trying to steal anything; for the most part they weren’t trying to wipe disks or anything like that. It was more like, who can capture the most machines the fastest?”
Times have changed, and today’s botnets are often geared towards criminal activities like stealing information. However, the attacks to date have been nowhere near as bad as they could be, in terms of the technological opportunities now available to attackers.
“This latest one, you know, people are talking about this great big botnet that’s got 25,000 or 30,000 owned hosts; but just a year ago, Conficker passed through, and that had millions,” Nicol added. “Now, Conficker turned out mostly to be used to spam. Although it had the capability to be loaded to go after sensitive information, it mostly wasn’t being used that way. What’s scary about this new one is that it is doing that. It’s going after the sensitive stuff. You can imagine if you had something that is like Conficker in size, doing the sorts of things that this present one is doing! You know, we’d go back to using gold coins instead of credit cards!”
Nicol played a major role in a previous Department of Homeland Security cyberattack exercise similar to this week’s “Cyber ShockWave,” and he explained that there are a variety of kinds of cyberattack exercises. In so-called “tabletop exercises,” of which “Cyber ShockWave” is an example, “they’re trying to get the decision-makers to be presented with problems and find out what decisions they have to make, and find out where their policies need to be clarified so they can deal with something like this. I think ‘Cyber ShockWave’ did exactly what it was set out to do, and that was to push those people. There was really no technology involved in it.”
Other kinds of cyberattack simulations are much more technical in nature, and involve operators of networks, Internet service providers, and other technical personnel. In those exercises, simulations and more realistic technology come into play. “And frankly,” added Nicol, “we come off looking just as bad in those as we do in ‘Cyber ShockWave.’”
The University of Illinois boasts a large number of leading cyber-security experts, some of whom are pursuing research directly relevant to the problems of defending against botnets.
Nicol himself, for example, has built a simulator for use in training exercises such as those described above. It became the basis for the simulator currently used in ITI’s $26.3 million Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center, where it is used for simulating attacks, including worm and botnet attacks, and evaluating the effectiveness of defenses against those attacks. In addition, his student Kurt Thomas is currently pursuing a botnet that is spreading through Twitter and Facebook by means of messages from infected members to their friends. Thomas has infiltrated this botnet so that he is now talking to the software that controls the botnet in such a way that it thinks he’s part of the botnet. In that way, Nicol explains, “he can learn more about what’s happening and how things work inside this botnet. And the information that we learn about how this and other ones work will give us the data so that we can create high-fidelity models of the way these things propagate.”
In addition, collaborating with Professor William Sanders, programmer Mouna Seri, and student Sankalp Singh, Nicol has developed the Access Policy Tool (APT), which helps defend against botnets by specifying the kinds of traffic that are and are not allowed in communication channels, particularly in process control systems. This approach takes advantage of the fact that a botnet must have an open communication path between an owned machine and the botnet’s owner, or else the owner has no way to use the captured machine. By limiting traffic to only the traffic that is explicitly needed for the appropriate use of the system, and denying everything else by default, APT closes many possible avenues of botnet communication.
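The principle behind this approach, default deny with an explicit allow-list of required flows, can be illustrated with a small checker. The following Python is an added example written for this page; it is not APT’s code, and the network addresses, the three policy entries, the sample flows and the firewall rules are all constructed for illustration. It does two things: it audits observed flows against the allow-list (anything not covered is a denial, including a plausible command-and-control beacon from an HMI host), and it flags firewall rules that permit more than any single policy entry covers.

```python
"""Default-deny communication policy check (illustrative; not the Access Policy Tool)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


@dataclass(frozen=True)
class Allow:
    """One explicitly permitted communication path."""
    src_net: str
    dst_net: str
    proto: str
    dports: Tuple[int, int]     # inclusive destination-port range
    purpose: str

    def matches(self, f: Flow) -> bool:
        lo, hi = self.dports
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and f.proto == self.proto
                and lo <= f.dport <= hi)

    def covers_rule(self, r: "Rule") -> bool:
        """True if every flow the rule permits is inside this policy entry."""
        lo, hi = self.dports
        return (ip_network(r.src_net).subnet_of(ip_network(self.src_net))
                and ip_network(r.dst_net).subnet_of(ip_network(self.dst_net))
                and r.proto == self.proto
                and lo <= r.dports[0] and r.dports[1] <= hi)


@dataclass(frozen=True)
class Rule:
    """A firewall rule as a device might have it configured."""
    action: str     # "allow" or "deny"
    src_net: str
    dst_net: str
    proto: str
    dports: Tuple[int, int]


# Hypothetical control-network policy (constructed for this example).
POLICY: List[Allow] = [
    Allow("10.10.1.0/24", "10.10.2.0/24", "tcp", (502, 502), "HMI segment -> PLC segment, Modbus/TCP"),
    Allow("10.10.1.0/24", "10.10.3.10/32", "tcp", (1433, 1433), "HMI segment -> historian DB"),
    Allow("10.10.0.0/16", "10.10.3.53/32", "udp", (53, 53), "internal DNS"),
]


def is_permitted(flow: Flow, policy: List[Allow] = POLICY) -> bool:
    """Default deny: a flow is allowed only if some policy entry explicitly matches it."""
    return any(a.matches(flow) for a in policy)


def audit_flows(flows: List[Flow], policy: List[Allow] = POLICY) -> List[Flow]:
    """Return the flows that no allow entry covers."""
    return [f for f in flows if not is_permitted(f, policy)]


def rules_exceeding_policy(rules: List[Rule], policy: List[Allow] = POLICY) -> List[Rule]:
    """Return allow rules not wholly contained in a single policy entry.

    Conservative: a rule covered only by the union of several entries is also
    flagged, which is the safe direction for a default-deny review.
    """
    return [r for r in rules if r.action == "allow"
            and not any(a.covers_rule(r) for a in policy)]


# Constructed sample flows; one is a plausible C2 beacon from an HMI host.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.17", "tcp", 502),       # Modbus poll: allowed
    Flow("10.10.1.5", "10.10.3.10", "tcp", 1433),      # historian write: allowed
    Flow("10.10.1.5", "10.10.3.53", "udp", 53),        # DNS: allowed
    Flow("10.10.1.5", "198.51.100.23", "tcp", 443),    # HMI -> Internet (TEST-NET-2): not in policy
    Flow("10.10.2.17", "10.10.1.5", "tcp", 3389),      # PLC segment initiating RDP: not in policy
]

# Constructed sample firewall rules; the second is broader than any policy entry.
SAMPLE_RULES = [
    Rule("allow", "10.10.1.0/24", "10.10.2.0/24", "tcp", (502, 502)),
    Rule("allow", "10.10.1.0/24", "0.0.0.0/0", "tcp", (443, 443)),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "tcp", (0, 65535)),
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"DENY  {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for r in rules_exceeding_policy(SAMPLE_RULES):
        print(f"OVERLY BROAD RULE  {r.src_net} -> {r.dst_net} {r.proto}/{r.dports}")
```

Run as a script, the audit reports the two flows outside the policy and the one rule that lets the HMI segment reach any destination on 443, which is exactly the kind of opening a botnet’s command channel needs. The rule check is deliberately strict about single-entry containment; a real policy tool would do set arithmetic across entries, but the default-deny reasoning is the same.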
In other botnet-related work at Illinois, assistant professor Nikita Borisov (ECE) and Matthew Caesar, an assistant professor of computer science, both of whom are also members of ITI, are collaborating on techniques to identify peer-to-peer (P2P) botnets on the Internet. P2P botnets use a decentralized command-and-control structure, making them resilient to individual node failures and difficult to detect through normal means. Borisov and Caesar’s research focuses on combining data across Internet service providers and identifying connection patterns that create an efficient communication structure. This work will allow the identification of previously unknown botnets, and also detect the botnet “partners” of hosts known to be compromised. It is particularly effective against extremely large-scale botnets, such as Conficker.
Sam King, an assistant professor in computer science and ITI researcher, faults the underlying architecture of current web browsers for many of the security breaches that we see today, including the recent hacking attempt on Google’s China operations that exploited a bug in Internet Explorer and many of the botnet attacks that appear in the news.
“From a security perspective, browsers are completely broken,” King said. “The problem with traditional browsers is that the way people use the Web has changed. Instead of just looking up information on static pages coded with HTML, or HyperText Markup Language, people are using the browser to run Web versions of applications that used to reside on a PC, such as email, social networking, and online banking.”
To address these deficiencies, King is working to create a redesigned web browser, one that has security in mind from the ground up. His Opus Palladianum (OP) browser borrows concepts typically seen in operating systems to securely manage web applications and data access.
“With our approach, your browser is the last line of defense, instead of the gate that lets the attackers in,” King explained. King is further turning the security model on its head with his efforts to close the increasingly common security vulnerabilities in hardware. He and his team are working on methods to identify potentially risky sections of hardware, by using software to enforce the behavior of the hardware.
“The complexity in creating hardware is every bit the same as it is for software--but as of now, people generally only think about security issues in software. We’re taking a look at implementing the same kind of security measures for hardware as we currently do for software,” King said.
Other Illinois security researchers are pursuing a broad range of approaches, addressing today’s computing security challenges from every angle.
• Carl Gunter, a computer science professor and ITI researcher, is developing improved theoretical models for DoS to inspire and analyze new types of DoS countermeasures.
“Denial of Service (DoS) attacks deplete the resources of target systems to deny service to legitimate users. Preventing such attacks is quite difficult because of fundamental design decisions in the Internet and in wireless systems,” Gunter stated. Additionally, Gunter is developing theory, architectures, and applications for communication and information systems based on automated use and management of attributes to improve the privacy and efficiency of messaging and the management of access permissions to enterprise data resources.
• Matt Caesar, in addition to the botnet work described above, is devising network management approaches, protocols, and systems that bootstrap, configure, and troubleshoot network problems with only minimal manual intervention.
“Forcing humans to configure and manage networks increases reaction time to faults, introduces the potential for misconfiguration, and substantially increases operating costs,” Caesar remarked. “What is lacking today is a principled look at how to make systems manage themselves. We need a fresh approach to designing networks and protocols with self-management in mind.”
• Roy Campbell, a computer science professor and ITI researcher, is seeking new solutions for the security assessment of SCADA networks, and operating system dependability and security.
• Marianne Winslett, a computer science professor and ITI researcher, and director of the Advanced Digital Sciences Center, is creating a new approach to access control and authentication in open computing environments. She is participating in the TrustBuilder project to develop automated trust negotiation.
__________________
Writers/Contacts: Jenny Applequist, senior program manager, Information Trust Institute, 217/244-8920.
Jennifer LaMontagne, associate director of communications, Department of Computer Science, 217/333-4049.
If you have any questions about the College of Engineering, or other story ideas, contact Rick Kubetz, editor, Engineering Communications Office, 217/244-7716.