How to protect you and your company from the latest Internet security threats
Hari Veladanda, Director, Engineer (Symantec Corporation)

Agenda
1 Major Internet security threats
2 Why this many threats?
3 Is the TLS protocol safe?
4 Best practices to protect you and your company
5 Future of Internet web security

MAJOR INTERNET WEB SECURITY THREATS…
ShellShock {bashbug}
Logjam
SSL/TLS Vulnerability

TLS HISTORY
• Multiple versions in use by both clients and servers
‒ Clients start with the strongest version and then fall back based on server support…
• Broad range of support
SSLv1 (1994) Netscape, unreleased
SSLv2 (1994) Netscape, 1st release
SSLv3 (1995) Netscape
TLS 1.0 (1999) IETF
TLS 1.1 (2006) IETF
TLS 1.2 (2008) IETF

MAJOR INTERNET SECURITY THREATS - 2014
Heartbleed, April 2014
Vulnerability description: Allows an attacker to retrieve private keys and decrypt encrypted traffic, steal user passwords, personally identifiable information (PII), etc…
Impact: Half a million widely trusted websites vulnerable* (as reported by Netcraft)
Root Cause: Missing bounds check in the handling of the TLS heartbeat extension, allowing attackers to read up to 64 kilobytes of the affected server's memory
Fix: Upgrade the OpenSSL library to 1.0.1g
"Not a vulnerability with the SSL/TLS protocol but with the implementation" …a programming mistake in the popular OpenSSL library that provides cryptographic services such as SSL/TLS to applications and services
Hao Yeli – Deputy Director Innovation

MAJOR INTERNET SECURITY THREATS - 2014
Shellshock, September 2014
Vulnerability description: An attacker can run critical shell commands…allowing the attacker to gain control over a targeted computer
Impact: HIGH. Potentially affects most versions of the Linux and Unix operating systems. Has been in the wild for a long time. Allows control over the target machine and affects a broader range of devices
Root Cause: The shell was designed long before common use of the Internet…security was not a prime concern in its design
Fix: Apply the patch for the specific distribution of Linux or Unix
"Unix Bash shell vulnerability, bug in the web server operating system"
ShellShock {bashbug}

HEARTBLEED AND SHELLSHOCK ATTACKS
• Targeted attackers feast on zero days before they are discovered
• The Heartbleed vulnerability was exploited less than 4 hours after becoming public
• Others jump in once they become public

MAJOR INTERNET SECURITY THREATS - 2014
POODLE, October 2014 (Padding Oracle On Downgraded Legacy Encryption)
Vulnerability description: An attacker can potentially interfere with the handshake process, which verifies which protocol the server can use, and force it to use SSL 3.0 even if a newer protocol version is supported
Impact: SSL 3.0 was supported by nearly every web browser and a large number of web servers. Because the attacker needs to have access to the network, this issue is not as severe as Heartbleed. Public Wi-Fi hotspots are potential avenues for this attack.
Root Cause: Faulty logic for negotiating the SSL/TLS version
Fix: Disable the SSL 3.0 protocol in the client or in the server (or both)
"18 years old, insecure, obsolete protocol, still widely supported!"

MAJOR INTERNET SECURITY THREATS - 2014
FREAK, March 2015
Vulnerability description: Forces clients and servers to use weak encryption
Impact: 26% of HTTPS servers, 9.6% of Alexa Top 1 million web sites* (as reported by freakattack.com)
Root Cause: Implementation defect; clients and servers neglected to remove support for obsolete cipher suites
Fix: Web server: disable support for TLS export cipher suites; browsers: upgrade to the latest versions
"Not a vulnerability with the SSL/TLS protocol but with the implementation"
SSL/TLS Vulnerability

MAJOR INTERNET SECURITY THREATS - 2014
Logjam, June 2015
Vulnerability description: Allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography
Impact: 8.4% of the Top 1 Million domains were vulnerable* (as reported by https://weakdh.org)
Root Cause: Implementation defect; clients and servers neglected to remove support for obsolete cipher suites
Fix: Disable support for the export-grade (DHE_EXPORT) cipher suites
"Insecure, obsolete cipher suites, still widely supported!"
Logjam

MITM
What is MITM…
"attack vector involves the attacker placing himself–or his malicious tools–between the victim and a valuable resource, such as a banking W
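The Heartbleed slide above names the root cause as a missing bounds check in the heartbeat handler: the declared payload length was trusted instead of being compared with the length of the record that actually arrived. The following is an added example, not code from the slides or from OpenSSL, showing what that check looks like on a parser for the heartbeat message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding). The check in parse_heartbeat mirrors the one the OpenSSL 1.0.1g fix introduced; the message-building helpers and sample bytes are constructed for the example.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # the heartbeat extension requires at least 16 bytes of padding


def parse_heartbeat(record: bytes) -> bytes:
    """Return the payload of one heartbeat message or raise ValueError.

    `record` is the plaintext body of a TLS record of content type heartbeat.
    The declared payload_length is validated against the record length that
    was actually received before any bytes are copied; the absence of exactly
    this comparison is what let Heartbleed read past the end of the message.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        raise ValueError("record too short to hold a heartbeat message")
    msg_type, payload_len = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {msg_type}")
    # Bounds check: type + length field + declared payload + minimum padding
    # must all fit inside the record we really have.
    if 1 + 2 + payload_len + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload of {payload_len} bytes exceeds record of {len(record)} bytes"
        )
    return record[3:3 + payload_len]


def is_well_formed(record: bytes) -> bool:
    """True if parse_heartbeat accepts the record, False if it is rejected."""
    try:
        parse_heartbeat(record)
        return True
    except ValueError:
        return False


def build_heartbeat(msg_type: int, payload: bytes, padding_len: int = MIN_PADDING) -> bytes:
    """Construct a heartbeat message whose length field matches its payload."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + b"\x00" * padding_len


def heartbeat_response(request: bytes) -> bytes:
    """Echo the request payload back, but only after the bounds check passed."""
    payload = parse_heartbeat(request)
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


if __name__ == "__main__":
    # Constructed samples: a consistent request, and one whose length field
    # claims far more payload than the record contains.
    good = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
    bad = bytes([HEARTBEAT_REQUEST, 0xFF, 0xFF]) + b"x" + b"\x00" * MIN_PADDING
    print("good request accepted:", is_well_formed(good))
    print("oversized length rejected:", not is_well_formed(bad))
```

Because Python slicing cannot read beyond a bytes object, the example cannot reproduce the memory disclosure itself; what it shows is the validation step a record parser must perform before acting on a length field supplied by the peer.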
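The POODLE, FREAK and Logjam slides above all end with the same kind of fix: stop offering SSL 3.0 and the export-grade cipher suites that clients and servers "neglected to remove". The following is an added example, not code from the slides or from Symantec, that turns those three fixes into a policy check over a server's advertised protocols and cipher suites. The two server descriptions are constructed, not scan results; the 2048-bit Diffie-Hellman threshold is an assumption chosen for the example rather than a figure from the slides.

```python
from dataclasses import dataclass

# Settings the slides tell us to remove: SSL 3.0 (POODLE) and the older SSLv2,
# and any export-grade suite (FREAK for RSA_EXPORT, Logjam for DHE_EXPORT).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
MIN_DH_BITS = 2048  # assumed policy threshold for this example, not from the slides


@dataclass(frozen=True)
class Finding:
    issue: str   # which threat from the slides the setting maps to
    detail: str  # the offending setting
    fix: str     # the remediation the slides recommend


def check_tls_config(protocols, cipher_suites, dh_bits=None):
    """Return a list of Findings for every weak setting a server still advertises."""
    findings = []
    for proto in protocols:
        if proto in OBSOLETE_PROTOCOLS:
            issue = "POODLE" if proto == "SSLv3" else "obsolete protocol"
            findings.append(Finding(issue, f"protocol {proto} enabled",
                                    f"disable {proto} on the server"))
    for suite in cipher_suites:
        if "_EXPORT" not in suite:
            continue
        if "DHE_EXPORT" in suite or "DH_EXPORT" in suite:
            findings.append(Finding("Logjam", f"export suite {suite} enabled",
                                    "disable the DHE_EXPORT cipher suites"))
        else:
            findings.append(Finding("FREAK", f"export suite {suite} enabled",
                                    "disable TLS export cipher suites"))
    if dh_bits is not None and dh_bits < MIN_DH_BITS:
        findings.append(Finding("weak DH", f"Diffie-Hellman group of {dh_bits} bits",
                                f"use a group of at least {MIN_DH_BITS} bits"))
    return findings


def is_compliant(protocols, cipher_suites, dh_bits=None) -> bool:
    return not check_tls_config(protocols, cipher_suites, dh_bits)


# Constructed sample servers (illustrative, not real scan data).
LEGACY_SERVER = dict(
    protocols=["SSLv3", "TLSv1", "TLSv1.2"],
    cipher_suites=[
        "TLS_RSA_EXPORT_WITH_RC4_40_MD5",          # 40-bit export suite -> FREAK
        "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   # export DHE suite -> Logjam
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    ],
    dh_bits=512,
)
HARDENED_SERVER = dict(
    protocols=["TLSv1.2"],
    cipher_suites=[
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    ],
    dh_bits=2048,
)

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_SERVER), ("hardened", HARDENED_SERVER)):
        print(f"{name}: {'compliant' if is_compliant(**cfg) else 'weak settings found'}")
        for f in check_tls_config(**cfg):
            print(f"  [{f.issue}] {f.detail} -> {f.fix}")
```

In practice the protocol list, cipher suites and DH group size would come from a TLS scan of the server rather than from hand-written dictionaries; the check is the same either way, and running it after every configuration change is what keeps an "18 years old, insecure, obsolete protocol" from quietly staying enabled.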
2015 - "From Heartbleed to POODLE: How to Defend Against All Kinds of Emerging Threats - Hari"