Independent Submission                                      D. Lazanski
Internet Draft                                         Last Press Label
Intended status: Informational                                July 2019
Expires: January 8, 2020


                      An Internet for Users Again
                draft-lazanski-smart-users-internet-00.txt


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, and it may not be
   published except as an Internet-Draft.

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79. This document may not be modified,
   and derivative works of it may not be created, except to publish it
   as an RFC and to translate it into languages other than English.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008. The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time. It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on January 8, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.

Abstract

   RFC 3552 introduces a threat model that does not include endpoint
   security. In the fifteen years since RFC 3552, security issues and
   cyber attacks have increased, especially on the endpoint. This
   document proposes a new approach to Internet cyber security protocol
   development that focuses on the user of the Internet, namely those
   who use the endpoint and are the most vulnerable to attacks.

Table of Contents

   1. Introduction
   2. A History of Data Breaches
   3. Botnets
   4. Emerging Threats
   5. An Internet For Users Again
   6. Security Considerations
   7. IANA Considerations
   8. Conclusions
   9. References
      9.1. Normative References
      9.2. Informative References
   10. Acknowledgments

1. Introduction

   Data breaches are on the rise: personal data is stolen and often
   leaked or sold on a never-before-seen scale. The truth is that
   malware and ransomware attacks impact the most vulnerable in our
   global societies today. But the key to better privacy is better
   security and cyber defence. And better cybersecurity, ultimately,
   results in even better privacy. However, even though IETF attendees
   are privacy-focused, policy and design decisions taken by the IETF
   have radically changed the architecture of the Internet, arguably
   without due consideration to cyber defence implications or outcomes.
   In recent years, this has obsoleted many systems, technologies and
   programmes which use Internet protocols for prevention, detection
   and mitigation of cyber attacks. RFC 7258 established that
   "Pervasive Monitoring" is an attack on privacy that needs to be
   mitigated where possible. Furthermore, RFC 3552 assumes that the
   endpoints involved in a communications exchange have not been
   compromised, but that the attacker has near complete control over
   the network between the endpoints rather than the endpoints
   themselves. These assumptions have led to a focus on communications
   security and the development of protocols that place this kind of
   security above all else. Ironically - or coincidentally - as the
   development of these protocols has taken place over the last
   several decades, there has been and continues to be a sharp rise in
   cyber attacks. The Internet threat model in RFC 3552 does not even
   mention that the greatest threat to the Internet is the growing
   scale and variety of cyber attacks against all types of endpoints,
   which is resulting in significant data breaches. This now needs to
   change.

2. A History of Data Breaches

   A data breach is an incident where data is inadvertently exposed in
   a vulnerable system, usually due to insufficient access controls or
   security weaknesses in the software.[1] In the first six months of
   2018 alone, Gemalto reported that there were 945 data breaches
   resulting in 4.5 billion records being compromised.[2] This section
   describes some recent cyber attacks on the Internet which led to
   data breaches.

   In October 2013, Adobe announced that hackers had stolen nearly 3
   million encrypted customer credit card details and the IDs and
   encrypted passwords of 35 million customers.[3]

   In December of 2013, the retailer Target announced that 40 million
   credit card records and personal details for a further 70 million
   customers had been compromised. A report from Verizon indicated that
   after one week, 86% of passwords used by Target had been cracked and
   Verizon's security consultants were able to move about with complete
   freedom on Target's internal network.[4]

   In May 2014, eBay notified 145 million users to change their
   passwords following a cyber attack that compromised encrypted
   passwords, customer names, email addresses, mailing addresses, phone
   numbers and dates of birth.[5]

   In July 2015, a commercial website that enabled extramarital affairs
   (called Ashley Madison) was breached; a month later, more than 25GB
   of company data, including user details, was leaked. The ethics and
   impact on human rights of this breach are particularly notable, as
   it resulted in at least one confirmed suicide.[6]

   In 2016, Uber was breached, giving hackers access to the names,
   email addresses and phone numbers of 57 million riders and drivers.
   600,000 US drivers had their names and license plate numbers stolen.
   The current assessment is that other personal data, including trip
   location history, credit card details, social security numbers and
   dates of birth, was not downloaded.[7]

   Also, in August of 2016, Dropbox was hacked, releasing over 68
   million user email addresses and passwords onto the Internet.[8]

   In March 2018, as part of a coding review, Google uncovered a coding
   glitch that potentially exposed the personal data of up to 500,000
   Google Plus users, including their names, email addresses,
   occupations, genders and ages.[9] Google could not confirm which
   users were affected by the security flaw as they keep API log data
   for only two weeks (and, presumably, log data analysis was lacking
   or insufficient to detect the breach as it was happening).

   In May 2018, Twitter advised all 330 million of its users to change
   their passwords after a software bug exposed them in plaintext.[10]

   Additionally, in September 2018, British Airways announced that
   personal and financial details of up to 380,000 customers who had
   booked flights over a 16-day period had been stolen. This breach was
   traced to a rogue script that had been installed on the third-party
   payment supplier used by British Airways.[11]

   Also in September 2018, Facebook suffered its worst security breach
   ever; the exploitation of several simultaneous software bugs gave
   login access to as many as 50 million accounts.[12] In April 2019, a
   146GB data set containing over 540 million Facebook records was
   found exposed on AWS servers, as two third-party companies had
   collected Facebook data on their own servers.[13]

   In November 2018, 500 million Marriott International customers had
   their details stolen in a breach that had been ongoing since 2014.
   Approximately 327 million hotel guests had a combination of name,
   address, phone number, email address, passport number, date of
   birth, gender and arrival/departure information stolen.[14]

   In January 2019, the personal data of more than 3500 people living
   with HIV in Singapore was leaked, allegedly by an insider with
   access to sensitive records.[15]

   In February 2019, a file containing 2.2 billion compromised
   usernames and passwords was found on the dark web. This 600GB file
   was a collation of previous data breaches, truly demonstrating the
   scale and severity of the data breach and cyber defence problem in
   totality.[16]

   And these are only a handful of the breaches that have been made
   public. Many more go unreported. Data breaches are one of the single
   most important issues in cybersecurity today. IBM's 13th "Cost of a
   Data Breach" study found that the global average cost of a data
   breach in 2018 was $3.86 million.[17] That is the average cost of
   one data breach, not many.

   It is unthinkable and unrealistic that any revised Internet threat
   model does not highlight the large and ongoing threat from data
   breaches, whatever their cause. Threat actors are making full use of
   the Internet technology that allows them to hide on endpoints and
   perform such large data hacks that mostly go undetected.

   Internet security research and technical development must accept the
   reality of all the security issues in the Internet ecosystem.
   Decisions being made in the name of privacy are sometimes leading to
   larger inadvertent security and privacy losses.

3. Botnets

   A botnet is a string of connected computers used, in this case, to
   perform a malicious function against an end user, organisation or
   series of users.[18] Though computers working together to increase
   computing power for functions do not constitute a botnet in
   themselves (and this is used often in data centres for chat rooms or
   email services, for example), botnets are specifically used for
   malicious intent.

   There have been a number of recent, high profile botnet attacks and
   only a few will be described here as examples.

   In 2000, EarthLink Spammer sent 1.25 million phishing emails over a
   year and made $3 million in profits by using fake websites and
   domain names to accomplish this. Subsequently the spammer was
   convicted and EarthLink won $25 million in damages.[19]

   Created in 2007, Cutwail was the biggest botnet on the Internet by
   2009 by number of infected computers or hosts sending email. It was
   sending 51 million emails every minute.[20] By 2010, however, it
   started a DDoS attack against nearly 300 major sites including
   PayPal and US federal agencies. By 2013 it was the botnet to use for
   sending spam, but over time its use declined through targeted
   attempts to take it offline as well as the expiration of email
   addresses. Though not as popular and sending far less than it once
   did, Cutwail still sends spam to this day.[21]

   A more recent botnet was the centre of one of the biggest outages of
   the Internet. The Mirai botnet was first identified in 2016. The
   Mirai botnet as well as its variants infect Internet of Things
   devices, and those infected devices scan the Internet for IP
   addresses of other Internet of Things devices, thus multiplying the
   number of infected IoT devices. Though the bot still exists in
   various forms, the most serious attack took place on 21 October 2016
   when the Domain Name System (DNS) provider Dyn was attacked by DDoS
   using a coordinated system of infected IoT devices. Much of the
   Internet was unreachable after three attacks occurred during the
   day. Though eventually resolved on that day, the sheer size and
   scale of the attack is still viewed as one of the biggest attacks on
   the Internet to this day.[22]

   According to Kaspersky Labs, there were just over 15,000 botnet
   attacks in 2018.[23] Worryingly, of those attacks, approximately 40
   percent were new in both type and target. Again, as IoT devices
   increase and as networks expand coverage and ability to handle even
   more devices and data, it is likely that botnet attacks will
   continue to be seen on such a scale.

4. Emerging Threats

   Older methods of cyber attacks are still happening and causing
   breaches, as endpoint security remains incomplete and not up to
   date. Servers remain unpatched and vulnerable and client devices
   become legacy or unsupported, to name just a few issues. In
   parallel, new categories of attacks are emerging.

   Software updates are a new attack vector. In March 2019, Kaspersky
   uncovered the ShadowHammer supply-chain attack which injected
   malicious code into the ASUS Live Update Utility. This attack
   involved signing malicious code using stolen certificates and was
   estimated to have affected half a million users.[24] As a result of
   the ShadowHammer attack, public focus turned to how and what could
   be the point of infection. Suggestions were that the IP addresses
   could have been the point of origin of the attack, while others
   suggested that the malware itself was dormant and inactive until a
   certain update triggered it.

   In July 2019, Godlua became the first publicly known malware to use
   DNS-over-HTTPS to avoid DNS-based malware protection security
   systems.[25]

   Attacks on individual consumers have dropped by nearly 40 percent,
   because attacking one person is largely not financially viable, but
   attacks on business organisations have increased year on year.[26]
   Ransomware is on the rise, motivated by economic gain and the ever
   increasing weaknesses in endpoints. Malware is freely available and
   a vulnerable attack point on an endpoint can be found. Botnets are
   increasing in size and scale as well as ease of use.

   There are other emerging threats that require more research to
   collate fully; this section is a starting point.

5. An Internet For Users Again

   Many endpoints are vulnerable; CLESS begins a much needed research
   programme to demonstrate what capabilities and what limitations can
   be expected at the endpoint and from a variety of types of
   endpoints.[27] Endpoints have changed over the last 10 years, but
   assumptions about endpoints in the IETF have not changed in that
   time.

   Even the user is not in full control of what happens on their
   endpoint much of the time, nor of what security protections apply to
   their own data; a model where the Internet is user-centric would
   give more control to the user. The user is both the home Internet
   citizen and the organisation administrator seeking to protect
   against data breaches; both need the power to control where their
   data goes and to choose their security protections. So while
   endpoints are the focus now, does the Internet need to be
   user-centric in the future? Won't that give users even more assured
   privacy?

   ATT&CK versions of methods, when categorised by type, show that
   endpoint methods of compromise are increasing faster than network
   attacks.[28][29] This may be due to more variety in endpoints,
   substandard security in many endpoints or the difficulty of
   attacking a network compared to an endpoint. Whatever the reason,
   the logical conclusion is that the current Internet design is not
   stopping cyber attacks. Perhaps a fresh approach is required.

   As more power and control has shifted to endpoints - and even to
   only a select few applications on endpoints - fewer and fewer
   network-based security solutions have been effective and attacks
   have increased. The diagram above shows the proliferation of attacks
   on endpoints increasing over a three-and-a-half-year timescale while
   network and physical attacks remain largely unchanged. Whether this
   is correlation or causation requires thorough research, which is
   essential to changing the existing threat model approach.

   The existing Internet Threat Model of RFC 3552 makes the general
   assumption that end-systems have not been compromised and that,
   while end-systems are difficult to protect against compromise,
   protocol design can help minimise the damage.[30] Revisiting this
   general assumption in the light of the magnitude of the increase in
   data breaches and their subsequent negative results is a good
   starting point for a new Threat Model which can result in protocol
   design that helps mitigate end-system compromise.

6. Security Considerations

   This document proposes a new way of thinking about developing
   Internet security protocols and does not create, extend or modify
   any protocols. The intent is to initiate discussion.

7. IANA Considerations

   Upon publication this document has no required IANA considerations.

8. Conclusions

   The Threat Model indeed needs revisiting and changing, because cyber
   defence threats and attacks are increasing, yet the responsibility
   to help mitigate these threats and attacks is, as yet, largely
   unrecognised in the IETF community. These threats and attacks should
   be given the seriousness they deserve.

   Further, it is imperative that new conclusions and recommendations
   from a revisited threat model are backed up by research, case
   studies and experience - rather than bold assertions. Research and
   evidence are important to achieve effective security; unsubstantiated
   guesswork is not.

   While this draft does not claim to hold all the answers or all of
   the research questions, it highlights the importance that any threat
   model must be based in evidence about data breaches. This draft
   initiates a much needed discussion: as mentioned, it is time to
   think about, discuss and research what a new Threat Model - with all
   security issues of note - should include.

   At this stage, we merely insist that the possibility of an Internet
   for users - for the user to be in control of mitigations against a
   new and more substantive threat model - is not blatantly
   disregarded. An endpoint without user control doesn't work; user
   control must be permitted in future threat models. For most users
   and current as well as future deployments, it will be the best way
   to protect personal data and ensure privacy.

9. References

9.1. Normative References

   No normative references.

9.2. Informative References

   [1]  https://haveibeenpwned.com/FAQs/

   [2]  https://www.cbronline.com/news/global-data-breaches-2018

   [3]  https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

   [4]  https://krebsonsecurity.com/2015/09/inside-target-corp-days-after-2013-breach/

   [5]  https://www.businessinsider.com/cyber-thieves-took-data-on-145-million-ebay-customers-by-hacking-3-corporate-employees-2014-5

   [6]  See https://digitalguardian.com/blog/timeline-ashley-madison-hack
        for a timeline of the breach.

   [7]  https://us.norton.com/internetsecurity-emerging-threats-uber-breach-57-million.html

   [8]  https://www.theguardian.com/technology/2016/aug/31/dropbox-hack-passwords-68m-data-breach

   [9]  https://www.experian.com/blogs/ask-experian/google-data-breach-what-you-need-to-know/

   [10] https://www.theverge.com/2018/5/3/17316684/twitter-password-bug-security-flaw-exposed-change-now

   [11] https://medium.com/asecuritysite-when-bob-met-alice/the-british-airways-hack-javascript-weakness-pin-pointed-through-time-lining-dd0c2dbc7b50

   [12] https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

   [13] https://www.databreachtoday.co.uk/millions-facebook-records-found-unsecured-on-aws-a-12337

   [14] https://www.bbc.co.uk/news/technology-46401890

   [15] https://www.straitstimes.com/singapore/2400-singaporeans-affected-by-data-leak-contacted-by-moh

   [16] https://mobilesyrup.com/2019/01/31/collection-2-data-breach-600gb-leaked-emails-passwords/

   [17] https://securitytoday.com/articles/2018/07/17/the-average-cost-of-a-data-breach.aspx

   [18] https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html

   [19] https://www.bizjournals.com/atlanta/stories/2002/07/22/story4.html

   [20] https://www.whiteops.com/blog/9-of-the-most-notable-botnets

   [21] https://www.wired.co.uk/article/infoporn-rise-and-fall-of-uks-biggest-spammer

   [22] https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained

   [23] https://securelist.com/bots-and-botnets-in-2018/90091/

   [24] https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers

   [25] https://www.techspot.com/news/80791-meet-godlua-first-known-malware-leverages-dns-over.html

   [26] https://blog.malwarebytes.com/cybercrime/2019/04/labs-cybercrime-tactics-and-techniques-report-finds-businesses-hit-with-235-percent-more-threats-in-q1/

   [27] https://datatracker.ietf.org/doc/draft-taddei-smart-cless-introduction/

   [28] Pastor, Antonio. "Applying AI to Protect 5G Control Traffic",
        ETSI Security Week, 19 June 2019, ETSI, Sophia Antipolis,
        France.

   [29] https://info.vectra.ai/hubfs/no_index/compliance/cb_mitre_082318.pdf

   [30] RFC 3552, 2004, Section 3, Internet Threat Model: "In general,
        we assume that the end-systems engaging in a protocol exchange
        have not themselves been compromised. It is, however, possible
        to design protocols which minimize the extent of the damage
        done under these circumstances."

10. Acknowledgments

   This document was prepared using 2-Word-v2.0.template.dot.

Authors' Addresses

   Dominique Lazanski
   Last Press Label
   London, UK

   Phone: +447783431555
   Email: dml@lastpresslabel.com