Independent Submission                                      D. Lazanski
Internet Draft                                         Last Press Label
Intended status: Informational                            March 8, 2020
Expires: September 9, 2020



                   A User-Focused Internet Threat Model
                  draft-lazanski-users-threat-model-t-00

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 9, 2020.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.




Lazanski              Expires September 9, 2020                [Page 1]


   Internet-Draft A User-Focused Internet Threat Model      March 2020

Abstract

   RFC 3552 introduces a threat model that does not include endpoint
   security. RFC 3552 is 15 years old, and in those 15 years the threat
   landscape has changed. Security issues and cyber attacks have
   increased, and there are more devices, users, and applications on the
   endpoint than ever. This draft proposes a new approach to the
   Internet threat model which will include endpoint security, focus on
   users and provide an update to the threat model in RFC 3552.

Table of Contents


   1. Introduction...................................................2
   2. A History of Data Breaches.....................................3
   3. Botnets........................................................5
   4. Emerging Threats...............................................6
   5. Impacts........................................................7
   6. Guidelines.....................................................7
   7. A New Internet Threat Model....................................7
   8. Way Forward....................................................8
   9. Security Considerations........................................9
   10. IANA Considerations...........................................9
   11. Conclusions...................................................9
   12. References....................................................9
      12.1. Informative References...................................9
   13. Acknowledgments..............................................11

1. Introduction

   Data breaches are on the rise: personal data is stolen and often
   leaked or sold on a never-before-seen scale. Malware and ransomware
   attacks impact the most vulnerable in our global societies today.
   Better security results in better privacy through prevention of
   these breaches. However, even though the IETF is privacy-focused,
   policy and design decisions taken by the IETF have radically changed
   the architecture of the Internet, arguably without due consideration
   to cyber defence implications or outcomes.

   In recent years, this has obsoleted many systems, technologies and
   programmes which use Internet protocols for prevention, detection
   and mitigation of cyber attacks. RFC 7258 established that
   "Pervasive Monitoring" is an attack on privacy that needs to be
   mitigated where possible. Furthermore, RFC 3552 assumes that the
   endpoints involved in a communications exchange have not been
   compromised, but that the attacker has near complete control over
   the network between the endpoints rather than the endpoints
   themselves.  These assumptions have led to a focus on communications
   security and the development of protocols that place this kind of
   security above all else. Ironically - or coincidentally - as the
   development of these protocols have taken place over the last
   several decades, there has been and continues to be a sharp rise in
   cyber attacks. The Internet threat model in RFC 3552 does not even
   mention that the greatest threat to the Internet is the growing
   scale and variety of cyber attacks against all types of endpoints
   that is resulting in significant data breaches. This now needs to
   change.

2. A History of Data Breaches

   A data breach is an incident where data is inadvertently exposed in
   a vulnerable system, usually due to insufficient access controls or
   security weaknesses in the software.[1] In the first six months of
   2018 alone, Gemalto reported that there were 945 data breaches
   resulting in 4.5 billion records being compromised.[2] This section
   describes some recent cyber attacks on the Internet that led to data
   breaches.

   In October 2013, Adobe announced that hackers had stolen nearly 3
   million encrypted customer credit card details and the IDs and
   encrypted passwords of 35 million customers.[3]

   In December 2013, the retailer Target announced that 40 million
   credit card records and personal details for a further 70 million
   customers had been compromised. A report from Verizon indicated that
   after one week, 86 percent of passwords used by Target had been
   cracked and Verizon's security consultants were able to move about
   with complete freedom on Target's internal network.[4]

   In May 2014, eBay notified 145 million users to change their
   passwords following a cyber attack that compromised encrypted
   passwords, customer names, email addresses, mailing addresses, phone
   numbers and dates of birth.[5]

   In July 2015, a commercial website that enabled extramarital affairs
   (called Ashley Madison) was breached; a month later, more than 25GB
   of company data, including user details, was leaked. The ethics and
   impact on human rights of this breach are particularly notable, as
   it resulted in at least one confirmed suicide.[6]

   In 2016, Uber was breached, giving hackers access to the names,
   email addresses and phone numbers of 57 million riders and drivers.
   600,000 US drivers had their names and license plate numbers stolen.
   The current assessment is that other personal data, including trip
   location history, credit card details, social security numbers and
   dates of birth were not downloaded. [7] Also, in August of 2016,
   Dropbox was hacked, releasing over 68 million user email addresses
   and passwords onto the Internet.[8]

   In March 2018, as part of a coding review, Google uncovered a coding
   glitch that potentially exposed the personal data of up to 500,000
   Google Plus users, including their names, email addresses,
   occupations, genders and ages.[9] Google could not confirm which
   users were affected by the security flaw as they keep API log data
   for only two weeks (and, presumably, log data analysis was lacking
   or insufficient to detect the breach as it was happening).

   In May 2018, Twitter advised all 330 million of its users to change
   their passwords after a software bug exposed them in plaintext.[10]
   Additionally, in September 2018, British Airways announced that
   personal and financial details of up to 380,000 customers who had
   booked flights over a 16-day period had been stolen. This breach was
   traced to a rogue script that had been installed on the third-party
   payment supplier used by British Airways.[11]

   Also in September 2018, Facebook suffered its worst security breach
   ever; the exploitation of several simultaneous software bugs gave
   login access to as many as 50 million accounts.[12] In April 2019, a
   146GB data set containing over 540 million Facebook records was
   found exposed on AWS servers, as two third-party companies had
   collected Facebook data on their own servers.[13] In November 2018,
   500 million Marriott International customers had their details
   stolen in a breach that had been ongoing since 2014. Approximately
   327 million hotel guests had a combination of name, address, phone
   number, email address, passport number, date of birth, gender and
   arrival/departure information stolen.[14]

   In January 2019, the personal data of more than 3500 people living
   with HIV in Singapore was leaked, allegedly by an insider with
   access to sensitive records.[15] In February 2019, a file containing
   2.2 billion compromised usernames and passwords was found on the
   dark web. This 600GB file was a collation of previous data breaches,
   truly demonstrating the scale and severity of the data breach and
   cyber defence problem in totality.[16]

   And these are only a handful of the breaches that have been made
   public; many more go unreported. Data breaches are one of the most
   important issues in cybersecurity today. IBM's 13th "Cost of a Data
   Breach" study found that the global average cost of a data breach in
   2018 was $3.86 million.[17] That is the average cost of one - not
   many - data breaches.

   It is unthinkable and unrealistic that any revised Internet threat
   model does not highlight the large and ongoing threat from data
   breaches, whatever their cause. Threat actors are making full use of
   the Internet technology that allows them to hide on endpoints and
   perform such large data hacks that mostly go undetected.

   Internet security researchers and developers must accept the reality
   of all the security issues in the Internet ecosystem. Decisions
   being made in the name of privacy are sometimes leading to larger
   inadvertent security and privacy losses.

3. Botnets

   A botnet is a string of connected computers used, in this case, to
   perform a malicious function against an end user, organisation or
   series of users.[18] Computers working together to increase
   computing power for a function do not constitute a botnet in
   themselves (this is often done in data centres for chat rooms or
   email services, for example); botnets are specifically used for
   malicious intent. There have been a number of recent, high-profile
   botnet attacks, and only a few will be described here as examples.

   In 2000, EarthLink Spammer sent 1.25 million phishing emails over a
   year and made $3 million in profits by using fake websites and
   domain names to accomplish this. Subsequently the spammer was
   convicted and Earthlink won $25 million in damages.[19]

   Created in 2007, Cutwail was the biggest botnet on the Internet by
   2009 by number of infected computers or hosts sending email. It was
   sending 51 million emails every minute.[20] By 2010, however, it
   started a DDoS attack to nearly 300 major sites including PayPal and
   US federal agencies. By 2013 it was the botnet to use for sending
   spam, but over time its use declined through targeted attempts to
   take it offline as well as the expiration of email addresses. Though
   not as popular and sending far less than it once did, Cutwail still
   sends spam to this day.[21]

   A more recent botnet was at the centre of one of the biggest outages
   of the Internet. The Mirai botnet was first identified in 2016.
   Mirai and its variants infect Internet of Things (IoT) devices, and
   those infected devices scan the Internet for the IP addresses of
   other IoT devices, thus multiplying the number of infected IoT
   devices. Though the bot still exists in various forms, the most
   serious attack took place on 21 October 2016 when the Domain Name
   System (DNS) provider Dyn was hit by a DDoS attack from a coordinated
   system of infected IoT devices. Much of the Internet was unreachable
   after three attacks occurred during the day. Though eventually
   resolved on that day, the sheer size and scale of the attack is
   still viewed as one of the biggest attacks on the Internet to this
   day.[22]

   According to Kaspersky Labs, there were just over 15,000 botnet
   attacks in 2018.[23] Worryingly, of those attacks, approximately 40
   percent were new in both type and target. Again, as IoT devices
   increase and as networks expand coverage and the ability to handle
   even more devices and data, it is likely that botnet attacks will
   continue to be seen on such a scale.

4. Emerging Threats

   Older methods of cyber attacks are still happening and causing
   breaches, as endpoint security remains incomplete and not up to
   date. Servers remain unpatched and vulnerable and client devices
   become legacy or unsupported, to name just a few issues. In
   parallel, new categories of attacks are emerging.

   Software updates are a new attack vector. In March 2019, Kaspersky
   uncovered the ShadowHammer supply-chain attack, which injected
   malicious code into the ASUS Live Update Utility. This attack
   involved signing malicious code using stolen certificates and was
   estimated to have affected half a million users.[24] As a result of
   the ShadowHammer attack, public focus turned to how and where the
   point of infection could be. Some suggested that the IP addresses
   could have been the point of origin of the attack, while others
   suggested that the malware itself was dormant and inactive until a
   certain update triggered it.

   In July 2019, Godlua became the first publicly known malware to use
   DNS-over-HTTPS (DoH) to avoid DNS-based malware protection
   systems.[25] The malware uses DoH requests to determine where the
   active URL originates and where it will connect, and uses this
   information to initiate DDoS attacks. The malware attacks both
   Windows and Linux systems and takes advantage of a backdoor
   exploit.[26]
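   As an added illustration of the evasion described in this paragraph
   (this is not part of the draft and not Godlua's code), the Python
   below builds a DNS query in wire format, shows that a UDP/53
   blocklist sees the queried name in the clear, then wraps the same
   query in an RFC 8484 DoH GET URL, which a port-53 filter never sees.
   A constructed egress-proxy log is then classified so that DoH
   traffic is at least flagged and, where the proxy terminates TLS and
   can see the URL, the queried name is recovered and checked against
   the same blocklist. The resolver hostname, blocklist entries and log
   format are placeholders chosen for the example.

```python
"""Constructed example: the DNS-filter blind spot created by DoH, and an
egress-log heuristic that narrows it. Names below are placeholders."""
import base64
import struct

# Placeholder blocklist and resolver list; an operator fills these from
# their own threat intelligence and from the DoH endpoints seen on the network.
BLOCKED_DOMAINS = {"c2.malicious.example"}
WATCHED_DOH_RESOLVERS = {"doh.resolver.example"}


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a minimal DNS query (one question, class IN, RD set) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Decode the first question name from a DNS wire-format message."""
    pos, labels = 12, []
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a query's question
            raise ValueError("compressed name in question section")
        pos += 1
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def port53_filter(packet: bytes) -> str:
    """What a DNS-layer blocklist sees: the cleartext query on UDP/53."""
    return "BLOCK" if parse_qname(packet) in BLOCKED_DOMAINS else "ALLOW"


def doh_get_url(resolver: str, query: bytes) -> str:
    """RFC 8484 GET form: the query as unpadded base64url in the 'dns' parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def classify_egress(log_line: str) -> str:
    """Classify a constructed proxy log line: 'src dst_host dst_port content_type url'.

    Returns OTHER for non-DoH traffic, DOH-OPAQUE when DoH is seen but the
    query is not visible (POST body or no TLS termination), and
    DOH-BLOCKED-NAME / DOH-ALLOWED-NAME when the name could be recovered.
    """
    src, host, port, ctype, url = log_line.split(" ", 4)
    if port != "443":
        return "OTHER"
    looks_like_doh = (
        ctype == "application/dns-message"
        or host in WATCHED_DOH_RESOLVERS
        or "/dns-query" in url
    )
    if not looks_like_doh:
        return "OTHER"
    marker = "dns="
    if marker in url:
        b64 = url.split(marker, 1)[1].split("&", 1)[0]
        padded = b64 + "=" * (-len(b64) % 4)
        qname = parse_qname(base64.urlsafe_b64decode(padded))
        return "DOH-BLOCKED-NAME" if qname in BLOCKED_DOMAINS else "DOH-ALLOWED-NAME"
    return "DOH-OPAQUE"


# Constructed sample traffic: one host looking up the blocked name over DoH,
# ordinary web traffic, and a DoH POST where only the resolver is visible.
QUERY = build_dns_query("c2.malicious.example")
SAMPLE_LOG = [
    "10.0.0.5 doh.resolver.example 443 application/dns-message "
    + doh_get_url("doh.resolver.example", QUERY),
    "10.0.0.5 www.example 443 text/html https://www.example/",
    "10.0.0.7 doh.resolver.example 443 application/dns-message "
    "https://doh.resolver.example/dns-query",
]


if __name__ == "__main__":
    print("UDP/53 view of the same query:", port53_filter(QUERY))
    for line in SAMPLE_LOG:
        print(classify_egress(line), "<-", line[:70])
```

   The DOH-OPAQUE case is the important caveat: without TLS termination
   the proxy sees only the resolver endpoint, so the practical
   mitigation is to pin endpoints to an organisation-controlled
   resolver and treat connections to other DoH endpoints as a policy
   violation to be logged and reviewed.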

   Attacks on individual consumers have dropped by nearly 40 percent,
   due to the fact that attacking one person is largely not financially
   viable, but attacks on business organisations have increased year on
   year.[27] Ransomware is on the rise, motivated by economic gain and
   the weaknesses in endpoints. Malware is freely available and the
   vulnerable attack point of an endpoint can be found. Botnets are
   increasing in size and scale as well as ease of use.

   There are other emerging threats that require more research to
   collate fully and this section is a starting point.


5. Impacts

   As noted in draft-arkko-farrell-arch-model-t-02, there is a
   difference between user interaction endpoints and system endpoints.
   Acknowledging that the end-to-end model supports permissionless
   innovation, it is imperative to ensure that the open and innovative
   nature of the Internet continues. However, a taxonomy of endpoints
   and agreement on those which have had the most security impact in
   the last 15 years is necessary to continue this work.

   Work is underway to catalogue the most well-known threats and the
   considerations protocol designers should take in light of these
   threats. This is a taxonomy of a sort, along with basic guidelines
   and information.

6. Guidelines

   TODO: insert list of guidelines for protocol designers.

7. A New Internet Threat Model

   Many endpoints are vulnerable; CLESS begins a much needed research
   programme to demonstrate what capabilities and what limitations can
   be expected at the endpoint and from a variety of types of
   endpoints.[28] Endpoints have changed over the last 10 years, but
   assumptions about endpoints in the IETF haven't changed in that time.

   draft-iab-for-the-users-03 discusses how end users are the
   beneficiaries of IETF standards. End users use endpoints which face
   new and emerging threats. The user is often not in full control of
   what happens on their endpoint or of what security protections apply
   to their own data; a model where the Internet is user-centric would
   give more control to the user. The user is both the home Internet
   citizen and the organisation administrator seeking to protect
   against data breaches; both need the power to control where their
   data goes and to choose their security protections. So while
   endpoints are the focus now, does the Internet need to be
   user-centric in the future? Won't that give users even more assured
   privacy?

   ATTACK versions of methods, when categorised by type, show that
   endpoint methods of compromise are increasing faster than network
   attacks.[29][30] This may be due to more variety in endpoints,
   substandard security in many endpoints or the difficulty of
   attacking a network compared to an endpoint. Whatever the reason,
   the logical conclusion is that the current Internet design is not
   stopping cyber attacks. Perhaps a fresh approach is required.

   As more power and control has shifted to endpoints - and even to
   only a select few applications on endpoints - network defences can
   protect fewer and fewer endpoints; concurrently, attacks have
   increased. The diagram above shows the proliferation of attacks on
   endpoints increasing over a three-and-a-half year timescale while
   network and physical attacks remain largely unchanged. Whether this
   is correlation or causation requires thorough research, which is
   essential to changing the existing threat model from its current
   approach.

   The existing Internet Threat Model of RFC 3552 makes the general
   assumption that end-systems have not been compromised and that,
   while end-systems are difficult to protect against compromise,
   protocol design can help minimise the damage.[31] Revisiting this
   general assumption in the light of the magnitude of the increase in
   data breaches and their subsequent negative results is a good
   starting point for a new Threat Model which can result in protocol
   design that helps mitigate end-system compromise.

8. Way Forward

   Additional Internet drafts on the same topic have been published,
   including this one and draft-arkko-farrell-arch-model-t-02. The
   logical way forward would be to combine this draft with the other
   two concurrent drafts.

   RFC 3552 will need to be revised in light of the development of the
   threat landscape that has changed and grown in the 15 years since
   RFC 3552 was published. This draft highlights a selection of attacks
   and data breaches over the last decade and a half. A revision to RFC
   3552 would need to include all known and potential attack surfaces,
   taking into account mobile network development, new and emerging
   devices which are connected to the Internet and the proliferation of
   users, devices and applications on and over the Internet, as
   mentioned above.

   Next steps would be to identify the threat landscape and the attack
   vectors that have appeared in the 15 years and are well known since
   RFC 3552. Though threats have focused on the network side of the
   security landscape, a combined Internet draft should include an
   identification of different threats, definitions and
   classifications, examples, assumptions about the endpoints and an
   update to this Internet draft and RFC 3552 as well. Such a combined
   draft would supersede RFC 3552 and be more representative of the
   current state of play of the threat landscape.

9. Security Considerations

   This document proposes a new way of thinking about developing
   Internet security protocols and does not create, extend or modify
   any protocols. The intent is to continue discussion and bring in a
   cyber defence viewpoint.

10. IANA Considerations

   Upon publication this document has no required actions for IANA.

11. Conclusions

   The Threat Model indeed needs revisiting and changing, because cyber
   defence threats and attacks are increasing, yet the responsibility
   to help mitigate these threats and attacks is largely unrecognised
   in the IETF community.  These threats and attacks should be given
   the attention they deserve and a way forward is proposed.

   Further, it is imperative that new conclusions and recommendations
   from a revisited threat model are backed up by research, case
   studies and experience, rather than bold assertions. Research and
   evidence are important to achieve effective security; unsubstantiated
   guesswork is not.

   This draft continues to highlight the importance that any threat
   model must be based in evidence about data breaches. This draft
   continues the discussion which focuses on the user, identifies the
   current threats and proposes mitigation of those threats.

12. References

12.1. Informative References

   [1] https://haveibeenpwned.com/FAQs/

   [2] https://www.cbronline.com/news/global-data-breaches-2018

   [3] https://krebsonsecurity.com/2013/10/adobe-to-announce-source-
   code-customer-data-breach/

   [4] https://krebsonsecurity.com/2015/09/inside-target-corp-days-
   after-2013-breach/

   [5] https://www.businessinsider.com/cyber-thieves-took-data-on-145-
   million-ebay-customers-by-hacking-3-corporate-employees-2014-5

   [6] See https://digitalguardian.com/blog/timeline-ashley-madison-
   hack for a timeline of the breach.

   [7] https://us.norton.com/internetsecurity-emerging-threats-uber-
   breach-57-million.html

   [8] https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-
   passwords-68m-data-breach

   [9] https://www.experian.com/blogs/ask-experian/google-data-breach-
   what-you-need-to-know/

   [10] https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-
   security-flaw-exposed-change-now

   [11] https://medium.com/asecuritysite-when-bob-met-alice/the-
   british-airways-hack-javascript-weakness-pin-pointed-through-time-
   lining-dd0c2dbc7b50

   [12] https://www.nytimes.com/2018/09/28/technology/facebook-hack-
   data-breach.html

   [13] https://www.databreachtoday.co.uk/millions-facebook-records-
   found-unsecured-on-aws-a-12337

   [14] https://www.bbc.co.uk/news/technology-46401890

   [15] https://www.straitstimes.com/singapore/2400-singaporeans-
   affected-by-data-leak-contacted-by-moh

   [16] https://mobilesyrup.com/2019/01/31/collection-2-data-breach-
   600gb-leaked-emails-passwords/

   [17] https://securitytoday.com/articles/2018/07/17/the-average-cost-
   of-a-data-breach.aspx

   [18] https://us.norton.com/internetsecurity-malware-what-is-a-
   botnet.html

   [19] https://www.bizjournals.com/atlanta/stories/2002/07/22/story4.ht
   ml

   [20] https://www.whiteops.com/blog/9-of-the-most-notable-botnets

   [21] https://www.wired.co.uk/article/infoporn-rise-and-fall-of-uks-
   biggest-spammer

   [22] https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-
   attack-cause-outage-status-explained

   [23] https://securelist.com/bots-and-botnets-in-2018/90091/

   [24] https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-
   software-updates-to-install-backdoors-on-thousands-of-computers

13. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

   A previous version of this draft was posted in July 2019 with a name
   of draft-lazanski-users-internet-model-t-00 - this version is
   intended to update that document with further information.

Authors' Addresses

   Dominique Lazanski
   Last Press Label
   London
   United Kingdom

   Email: dml@lastpresslabel.com
