MIT course "Computer Systems Security". Lecture 22: MIT Information Security, Part 1
Original speakers: Mark Silis, David LaPorte (MIT Information Systems & Technology, IS&T)
Massachusetts Institute of Technology. Lecture course 6.858, "Computer Systems Security". Nickolai Zeldovich, James Mickens. 2014
Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.
Lecture 1: “Introduction: threat models” Part 1 / Part 2 / Part 3
Lecture 2: “Control of hacker attacks” Part 1 / Part 2 / Part 3
Lecture 3: “Buffer overflow: exploits and protection” Part 1 / Part 2 / Part 3
Lecture 4: “Privilege Separation” Part 1 / Part 2 / Part 3
Lecture 5: “Where Security System Errors Come From” Part 1 / Part 2
Lecture 6: “Capabilities” Part 1 / Part 2 / Part 3
Lecture 7: “Native Client Sandbox” Part 1 / Part 2 / Part 3
Lecture 8: “Network Security Model” Part 1 / Part 2 / Part 3
Lecture 9: “Web Application Security” Part 1 / Part 2 / Part 3
Lecture 10: “Symbolic execution” Part 1 / Part 2 / Part 3
Lecture 11: “Ur / Web programming language” Part 1 / Part 2 / Part 3
Lecture 12: “Network security” Part 1 / Part 2 / Part 3
Lecture 13: “Network Protocols” Part 1 / Part 2 / Part 3
Lecture 14: “SSL and HTTPS” Part 1 / Part 2 / Part 3
Lecture 15: “Medical Software” Part 1 / Part 2 / Part 3
Lecture 16: “Attacks through a side channel” Part 1 / Part 2 / Part 3
Lecture 17: “User authentication” Part 1 / Part 2 / Part 3
Lecture 18: “Private Internet viewing” Part 1 / Part 2 / Part 3
Lecture 19: “Anonymous Networks” Part 1 / Part 2 / Part 3
Lecture 20: “Mobile Phone Security” Part 1 / Part 2 / Part 3
Lecture 21: “Data Tracking” Part 1 / Part 2 / Part 3
Lecture 22: “MIT information security” Part 1 / Part 2 / Part 3
Mark Silis: Thanks to Nickolai for the invitation; we were very pleased to come here today to talk with all of you. I brought along one of my senior managers, who oversees Internet and network security, Dave LaPorte, to tell you about some of the technical details of what we do. I'm going to cover the more general questions.
Feel free to ask questions at any time, ask about anything that interests you, don't hesitate to jump into the fray. I think I was sitting exactly where you guys are sitting almost 20 years ago. Really, Nickolai? Nickolai and I were much younger then. And I was probably much thinner, and I had a little more hair.
So, when you watch over the MIT infrastructure and the zones we control, you see all sorts of interesting things. Some of what we will talk about, and a lot of what we do, concerns interesting problems. As you know, there are plenty of such problems at our institute.
I think it's great that we run an open network, but there are good and bad sides to this. We do not have a campus firewall with any meaningful degree of coverage, so almost everything is open. If you want to run a computer in your dorm room, or right here in the lecture hall, or anywhere else on campus, you have almost unlimited access to the Internet, which is rather unusual compared to other universities. True, you know that you should not be online while sitting here in a lecture, but that is not the norm. From a security point of view, such free access to the Internet brings a number of problems.
Of course, it is good that we are open to the whole world, to anyone, anywhere, from any country and any part of the planet. But if someone out there wants to reach your device while you are sitting here in this room, whether it is the phone in your pocket or the laptop you are typing on, they can do it. Nothing will stop them, right?
This is a bit scary. A couple of years ago, we conducted an experiment: we took a new Apple laptop straight out of the box and connected it to the network. It registered through DHCP and stayed online for 24 hours. We ran tcpdump so that we could take an inventory of what came into the computer over that 24-hour period, just to find out what we would see. Then we took the resulting IP addresses and plotted them in Google Earth using a GeoIP viewer to see how it looks on the map.
We found that during that single 24-hour period, the laptop of one carefree owner who had simply put it on the public Internet received incoming connections from computers in every country in the world except two. Only 24 hours, one owner, every country in the world except two. That's striking, isn't it? Does anyone want to guess which two countries did not try to connect to this laptop?
Audience: North Korea?
Mark Silis: Right, one of those countries was North Korea. China? No, China is very active in these connections. Perhaps it was some kind of military department, I don't know, but it was very actively trying to contact our computer.
Mark Silis: Quite right, Antarctica. For that answer you get a gold star today. Excellent.
So over a single 24-hour period, we exposed ourselves to a variety of threats, potential attacks, and malware. And all of it fell on one computer user. There are approximately 150,000 different devices located across the MIT campus, and all of them can be compromised. This happens every day, all day long, and it's pretty scary.
Want to get scared even more? A few months ago, Dave and I attended a meeting about emergency shutdowns. Do any of you remember the power outage a year or a year and a half ago? It was an exciting event, right?
I was here during a big power outage about 20 years ago, when the entire city of Cambridge was left without power. So, it was really great. Except that it was about 100 degrees (38 °C), but it was a suitable excuse to go to Boston and watch a movie in a theater.
But one thing that came out of this was of interest to us. After the meeting, the guys from the facilities department came to us and said that because of this blackout, they had to spend the last four or five months reprogramming all their devices throughout the campus. You know, they use SCADA systems connected to air conditioning, lighting and heating in rooms, door locks and so on. This is understandable, because we are a technological institute, and there have to be a lot of such systems. I am sure they assumed they were completely safe, but they had problems with devices constantly dropping off the network, with connectivity to the Internet, and so on. Talking with them, we peeled the onion layer by layer, constantly revealing more and more new details.
We asked what they had in mind when they talked about connecting equipment to the network. Well, they answered, all our devices communicate via the Internet. We said that in that case they should have systems that guarantee the stable operation of the equipment during various outages, a separate control system, an isolated network, and so on.
They looked at us with blank eyes and replied: "Oh, so that's what that is! So that's what the equipment vendor was telling us about!"
This touches on one of the interesting problems of the "Internet of things," the era we are entering deeper and deeper. When I was younger, people using the Internet knew what they were doing; they had to understand specific things about networking. Today, everyone can use the Internet without thinking about how it works. People have outgrown the old standards. It's like when you go back to the rocket ride on a merry-go-round and notice that it has become much smaller, when in reality it is just you who grew up.
So, talking with these guys further, we learned that they had almost everything you could think of connected to the Internet. Everything that was needed.
Interestingly, the Massachusetts Institute of Technology launched the Energy Initiative five to seven years ago, when Susan Hockfield was president. One of the requirements for the facilities department was to deploy a real "Internet of things" on campus to create dynamic management of the buildings' life support systems. For example, if a lecture hall is not in use, the lights go out, the heating temperature goes down, and so on. And this technology works across the campus.
They deployed a giant management network, just a giant one. It is several times larger than our institute's own local network. I think they control about 400,000 different points, from which they monitor the entire campus; that is 75,000 to 100,000 objects.
And so Dave, with wide eyes, asks them: "How do you protect all this, guys?" They say something like: "Well, we called you guys in to check it all together." And they start checking: they request an IP address via a web form, connect to it and say: "Well, you see, everything works!"
We look at it and say: "But this is all connected to the open Internet, how is the network secured here?" And we get an answer from which our blood pressure rises a bit: "Well, it's safe because you guys take care of that!" That is, in their opinion, it is safe because someone is taking care of it.
Here the expression on our faces changes again and we ask what they mean by security. "Well, we have a corporate firewall! We've already dealt with it and realized that everything is completely safe!"
My next question was: "Can you show me where this firewall is? Because I don't know of it!" The answer was: "Well, because everyone is doing it!"
So, going back to what I said earlier, I will repeat: we work in a fairly open environment. And we have always believed, and this is the MIT philosophy, in defense and security "through the stack." We do not want the security implementation to depend on any one part of the infrastructure; security must be provided at every level. You do not just do it in the infrastructure, you provide security in the application, you do it in different places. This is not at all how the "Internet of things" is built from the SCADA point of view. And it is a little scary.
This is one of the things we deal with, in addition to dealing with people like you who come up with technically sophisticated mischief, which is why Dave and I have to jump out of bed in the middle of the night. You know, the Internet is becoming a kind of utility that is used for everything that happens on campus. And it has really changed the things we have to worry about in terms of threats, security issues and everything else.
Now you know that when the Internet goes away or a network problem occurs, this causes inconvenience to you as students, because the air conditioners stop working or the heating disappears. So the threats have really changed.
Therefore, we deal with a wide range of things: we act as the network provider for a campus that provides services to people like you, and we also provide outsourced services. If you combine this with our open network philosophy, you will understand why this approach creates threats that we constantly have to worry about.
People are used to relying on the Internet and expect it to work without interruption. When the power outage happened, the first question was: why did the Internet stop working? We answered: "because there is no electricity." But some students said: since the network can run off the battery in the phone, what does the electricity in the outlet have to do with it? I had to explain that this is not the case; that is analog telephone technology. "So what, what's the difference?" Well, guys, you really know a lot!
So people expect that all the problems at the level of security, resiliency and everything else will be addressed by the service provider. I like people who are completely confident that all problems can be solved at the provider level, but, unfortunately, this confidence is far from the real state of affairs.
Therefore, we spend most of our time trying to preserve the availability and maximum security of the institute's Internet environment. Dave will talk about this in a bit more detail and cite some interesting stories about the things we deal with. But we have a really interesting job, and I think the problems are becoming more and more difficult. The fact is that the Internet is expanding.
For example, the "Internet of things" is a very fashionable phrase. How many of you had heard of it before today? Go to Cisco's site or a similar one where they try to sell you expensive equipment with this phrase. There is a phenomenon where almost everything is connected to the Internet or has an IP address. Unfortunately, many of the people who write these systems are not as diligent as the people who studied at the Massachusetts Institute of Technology, so they create all sorts of interesting problems.
The real problem is that when you look at security at the system level, you see a mosaic of thousands of small pieces, and this is very hard. Even we have to deal with external Internet service providers, we have to deal with our own clients, we have to do business with application providers. This is a huge system of problems to worry about in order to ensure complete security, and at times it is a very difficult task.
Now I will ask Dave to talk a bit about the things we face in our work. Do you have any questions for me?
Audience: Have you seen any APT campaigns attacking MIT directly?
Mark Silis: Yes, we have seen this. It's interesting, and Dave will talk about it, that the most difficult thing in our work is to see the attack. If I tell you the story about a single laptop, and we have 100 or 150 thousand devices that have IP addresses in the institute's /8 network, then it is as hard as finding a needle in a haystack. Therefore, it is very difficult to detect a targeted APT attack in all of this broad traffic flow.
Now we have advanced tools that can help solve the problem; we will talk about it in a minute. We also see a willingness to help us from law enforcement agencies and the federal system, which provide us with useful guidance regarding countering certain types of threats. One of the things that helps us look confidently into the future is the research carried out in this area by our institute. This is one of our main tasks. The federal funding sources that provide for such research do not set strict rules on how we should do this.
When you come across research grants, whether private or government grants, NSF, NIH, you will see that their requirements are rather vague. For example, one of the requirements for receiving a grant is the obligation to comply with a data policy under which all the results of your research should be retained. MIT does just that: we say, "fine, we will, and we will take care of that," and sign the document. How we retain the data is our sole concern. How do grantors check compliance with this requirement? If the government comes to you one day and says, "hey, where is the research data?", just point at the professor and say: "Talk to him!"
We see that the government in some cases says: "Look, we are investing a lot of money in this research because we don't want that research to be done in another country." Representatives of federal agencies or funding organizations come to us and say that since they have a whole industry, they need to create additional security departments, while at the same time MIT acts as an incubator for an incredible number of brilliant people.
For the administration as a whole, we serve as a kind of hosting company, right? We enable this activity. We provide them with laboratory facilities, or an Internet connection, or all sorts of things for research. However, this is basically a federated environment in which people work autonomously, so we have different requirements for securing activities of the most diverse nature happening within the walls of our institute. And therein lies the complexity of our work.
Returning to the APT problem, I will say that a huge amount of intellectual capital is concentrated in our institute. There is a huge number of interesting things here that are very interesting to people outside our country.
Which country do you think is responsible for stealing more intellectual property than any other country in the world? Does anyone want to guess?
Audience: That's a dangerous proposition.
Mark Silis: No, no, I ask quite seriously. This shocked me, because the answer is very unexpected. And this does not mean that they do it here at our institute. Anyone want to guess?
Mark Silis: No, it is not China.
Mark Silis: No, it is not Russia.
Audience: Is it Canada?
Mark Silis: No, but you are close to the answer; it is a European country.
Professor: France. That's right, it is France. You did not expect that, did you? But I have a lot of acquaintances who work in industry, in the commercial sector, in the field of security. Some of their companies are located in France, where theft of intellectual property is one of the biggest security threats. You would think it would be Iran. You can imagine that this happens in other places, but no, it does not. Quite unexpected, isn't it? This does not mean that the United States does not do this, let's be honest, okay? We just do it better, so we can hope they won't catch us. But needless to say, this is one of the most interesting things. Are there any other questions?
Audience: What kinds of things do you log on the IP side?
Mark Silis: Please turn off the camera! (laughs) We log quite interesting things, so I will try to answer this question honestly. We log authentication requests: when you log in through Kerberos, through Active Directory, or through Touchstone, our SAML IdP, all of this is logged. We have detailed log retention policies, which we are happy to share with you; they are published. If you access a web page or log in to read your email, one of the problems we solve is correlating all the login information. It is drawn from many different sources; Dave will talk about that later. But this is a significant part of our work. Our retention period is about 30 days.
Audience: MIT has its own CA, right? There is an MIT root certificate with a private key. Where do you keep that private key? (audience laughter)
Mark Silis: Yes, go ahead.
Audience: Do you have tamper-resistant hardware, or something like that? Or do you just store the keys somewhere on a computer running Linux?
Mark Silis: This is probably the best question of the day. Yes, we have run our own certificate authority since the late 1990s. MIT was ahead in this area, because while the rest of the world was authenticating users over the Internet via SSL with a login and password, our institute was already using PKI-based authentication. You guys are much younger, but back in 1998 I was told that PKI was about to be introduced, it would be next year, and we were talking about that about 20 years ago.
Regarding key storage: I like your idea of using tamper-resistant hardware, hardware protected from deliberate damage. But we do not do that.
Audience: How do you issue CA certificates?
Mark Silis: A CA usually does this using USB keys or other tokens that are write-only, in the sense that you can send something to be signed but cannot get the key out.
To be honest, the CA server we are using now was created before all these existing certificate authorities appeared. Therefore, we used, I would say, the typical creative spirit of MIT. We have everything stored in the file system, and it is stored in such a way that it is difficult to recover. And it is saved in several ways and encrypted with several keys. The various systems have quite specific parameters; I am not going to list them all in detail.
Audience: So, is this security through obscurity?
Mark Silis: Yes, it is. So if you know the specific locations, which may not even be files, and you know how many keys are needed for them, and how many bytes you need to read, then maybe you can find out. But to be honest, if you really are going to keep it all on one computer, consider the game over at that point.
You know, I am very skeptical that you can compromise the machine and not compromise the key. So we try to be safe, but in any case, it is not perfect.
Audience: What percentage of MIT accounts are compromised at any point in time?
Mark Silis: Good question. I think everyone knows what phishing is? I can't tell you how many conversations I have had with people who look at me and ask: "But that's not how it was in Seattle?" But this is a slightly more mature audience. I am amazed every time one of these phishing emails comes around, and there are not too few of them.
You study at one of the "smartest" institutions in the world, and I, as its graduate, am very proud of it. I can't tell you how many people respond to these phishing emails. It always amazes me when users send us emails with the following content: "Dear customer support, here is my username and password." It just shocks me! And some of them are faculty. And they call customer support and say: "Hey, I answered your quota message. Why didn't my quota grow? And by the way, it seems my mailbox is full! What happened to it?"
It turns out they received 200,000 bounce messages in their inbox, because their account was used for sending mass spam.
So I will try to be honest and say that we see 10, 15, 20, up to 30 compromised accounts per month, and during the peak of phishing attacks, even more. And I think the really interesting cases of account compromise are the ones we don't know about.
A couple of years ago, people from the government came to us and said that they would not go into details, but there is a market where you can buy MIT logins and passwords to access the resources of our library. On the black market, they are in demand. If you want access to all the MIT materials stored in the libraries or other campus resources, you can be sold one of these accounts that they compromised on the Internet. The feds asked if we knew about it. No, we knew nothing about it. But there are a huge number of such cases. The success rate of social vectors aimed at obtaining someone else's confidential information is incredibly high, especially against the users in our sector; Dave will talk a little about this and how we try to mitigate the consequences of such unwelcome interest. And it is a little scary.
Audience: Considering what you said, is there some way or website to see all the places where you logged in through the Touchstone authentication service or something similar?
Mark Silis: Yes, I have already said that we collect various information about user authentication; the only thing we are not doing very well so far is correlating it. In our case, there are 30 different technological systems involved in some of these things, with different formats and different ways of generating keys. We are working to make this process as simple as possible. We hope to provide the user community with something like a GeoIP view, where they will be able to see their activity, say, for the past 30 days or a week, or for the whole retention period, to inform people about when, where and from where they were authenticated and logged in to the system.
Dave wants to go even further. He wants you to choose a circle of a certain radius around where you are located, within which logins will be allowed based on those geographic parameters. If you try to log in outside this circle, you are not allowed in, or a message is sent to your phone so that you know that something out of the ordinary has happened. I think Dave is going in the right direction. So we are working on it, but today we have nothing of the kind.
Audience: You said that there was malicious traffic on the MIT network? Where did it come from? Was the source of the malicious traffic located outside the institute's network or inside it?
Mark Silis: You know, I would love to say that it was entirely external traffic, but unfortunately, we also have such traffic going out from the inside. We have huge bandwidth and a large number of connections. Later we will talk about repelling UDP attacks, for example, but when you have such wide pipes, this is a good resource for harming other people. But I would say that we mainly observe incoming malicious traffic, as in the previously mentioned case with the laptop.
Audience: How many people connect to the MIT network every day?
Mark Silis: I don't know for sure; anywhere from 100 to 120 thousand different devices. I would say an average of 2.5 devices per person, so 35 to 40 thousand people use the network every day.
Audience: Do we have a policy on running Tor nodes on the MIT network?
Mark Silis: A policy? Are you kidding? Of course not!
Audience: Are there good reasons for not having one?
Mark Silis: You know that MIT is a very open place, and one of its greatest advantages is being able to experiment. I dreamed of such an opportunity while I was still a student. It is normal to build something, it is normal to learn about different things, develop them, invent new things. This is one of the unique features of MIT. You do not need to go to a policy department to say: "Hey, I want to run an exit node today, or I want to invent a new anonymity protocol," or something like that. This is a truly unique thing about working here and studying here. Whether it is a good idea or a bad one depends on what you want to do.
If you do this as part of anonymity research, then some privacy is normal. If you do this for the black market, then it is not a good idea. MIT policies are quite flexible. We really try to balance them, but you'd agree that the institution is obliged to behave responsibly, right? Let's just be honest. As an institution, we must do this. But we try not to limit innovation as much as possible, and for the most part, it works quite well. I would say that MIT has been a fairly successful institution over the past 125 years.
But I think that we should immediately pay attention to anything capable of threatening the collective security of the institution. At the moment, MIT hosts a number of Tor exit nodes: there is an exit node at SIPB, some at CSAIL. They show up on Dave's list of abuse complaints, but we turn a blind eye to this. However, in most other educational institutions this would not be possible.
If there are no more questions, I present to you my distinguished colleague Dave LaPorte. He has worked on Harvard University's networks and may even tell you a little about the specifics of an art school's network if you catch him after the lecture. In addition, he teaches at Northeastern, which is very cool. Dave will tell you about the specific cases that make us jump out of bed in the middle of the night.
David LaPorte: Hi there, my name is Dave LaPorte. I have a very verbose title, manager of infrastructure and security operations. In a nutshell, this means that I am responsible for the maintenance, operation and security of the mit.net network, which keeps me busy all day.
Today I am going to tell you a lot and leave time at the end for your questions so that you get the most out of our conversation. If something is unclear, just interrupt me by raising your hand; I do not mind.
We begin our conversation with a description of the work of the Security Operations Team, the central authority involved in MIT network security. Then we will talk about some of the events that happened in the recent past, and what we have done to mitigate their consequences and preserve the existing security posture of mit.net.
We will talk about the current state of things, about what we are facing now, and as Mark said, this is more of a social area. And we will talk about some future trends, which are rather vague, so only a small number of slides are devoted to them.
In this slide, you can see a diagram of the Security Operations Team. It is headed by Mark, to whom I report directly. Under me is the Security Group, led by team leader Harry Hoffman. Three people report to him.
Analyst Andrew Munchbach oversees the system, sends notifications to users and responds to complaints from outside the institute. Mike Khosl is involved in engineering and computer forensics. Monique Buchanan is responsible for most of the correspondence and communication with the institute community. Harry himself deals with almost all of these issues.