The following content is provided under a Creative Commons license. Your support will help MIT OpenCourseWare continue to offer high quality educational resources for free. To make a donation or to view additional materials from hundreds of MIT courses, visit MIT OpenCourseWare at ocw.mit.edu.

PROFESSOR: How you guys doing? I don't know. As Nickolai said, thanks for inviting us. It's a real pleasure to come here and have a chance to talk to everybody today. I brought one of my senior managers who oversees the network and security areas, Dave LaPorte, who's going to talk about some of the more tactical details of what we do. I'm going to talk about the high level. Feel free to ask questions at any time. So really, it's your opportunity to ask anything you're curious about. So there's no decorum in terms of what you guys may ask; at any time, feel free to engage.

And so I think I was sitting where you guys are sitting-- I don't know-- it's almost 20 years ago now?

PROFESSOR: Yeah.

PROFESSOR: [CHUCKLES] So Nickolai and I were a lot younger then.
And I was probably a lot thinner then and had a little bit more hair. You know, one of the nice things about overseeing MIT's infrastructure and operations areas, you can see all sorts of interesting things. And some of the things we'll talk about-- a lot of what we do is dealing with interesting problems. And you know, there's no shortage of things in an environment like MIT's.

I think what's really remarkable is we run an open network, which is a little bit of a good thing and a bad thing. We don't have a broad campus firewall, for the most part. And everything's pretty much open. If you guys want to run a computer in your dorm, right here in the lecture hall, or anything else, you have pretty much unfettered access to the internet, which is, compared to other schools, actually fairly unusual. You know, you may not realize that as you sit here, but that's not the norm. And that brings with it a whole slew of challenges in terms of keeping things secure. So pretty much, we're wide open to the world. And that means anybody, anywhere, from whatever country, from whatever part of the planet.
If they want to reach out and touch your device sitting here in this room, as you're sitting here today, whether it's your phone in your pocket or your laptop that you're typing on when you're sitting here, they can do that. There's nothing to prevent them from doing that, right? And that's kind of scary, right?

So we did an experiment a couple of years ago. And we just took a device out of the box, brand new, a brand new Apple laptop, and just plugged it in. Registered it for DHCP and just left it sitting there for 24 hours. And we left tcpdump running to just take an inventory of what was coming into the machine for a 24-hour period, just to see what we would see. And then we combined that with, hey, let's go and graph all the various IPs, using GeoIP lookup, and graphed them, put them on Google Earth, and see what that looks like. And for one 24-hour period, for an inauspicious or irrelevant host which is just publicly registered for the internet, it received connections from every country on the earth, except for two. In one 24-hour period, one host, every country, except for two. That's pretty startling, right?
Does anybody want to take a guess what the two countries that were not trying to connect to this machine were?

AUDIENCE: [INAUDIBLE].

AUDIENCE: North Korea.

PROFESSOR: Anyone? North Korea is one. Good. Nope. China was very actively represented.

[LAUGHTER]

So it might have been the military part, I don't know, but it certainly was very actively represented.

AUDIENCE: Antarctica.

PROFESSOR: That's right. Antarctica. Very good. So you get the gold star for today. It's excellent. Yeah. Yeah.

And so, for one 24-hour period, you're seeing yourself subjected to potential attacks, threats, malware, anything else, everywhere. For one host. And the entire MIT campus right now comprises about, I'd say, 150,000 different devices. And so, if you do the math-- you can do that outright. You're good at math here at MIT-- that's a lot of threats, right? And you know that happens all day, every day. Right?
And that's pretty scary. And you want to combine that with something else to make you a little bit more scared? So Dave and I were sitting in a meeting a couple of months ago. This is kind of a follow-up to a power outage that happened. Any of you here for the big power outage a year ago or a year and a half ago? It was an exciting time, right?

[CHUCKLES FROM AUDIENCE]

I was here for the big power outage about 20 years ago, when the entire city of Cambridge was out. Now, that was cool. Except it was about 100 degrees, so it was a good time to go over to Boston and see a movie in a movie theater. But one thing that came out of it that was really interesting to us-- I don't know, let's talk about it for a second-- but the Facilities department comes to us and says, you know, this has been really bad, this power outage. We've really had to spend the last four or five months going across the campus and reprogramming all these devices. OK.
Well, they must have some SCADA systems that are connected to their air conditioning, or to the lights in the room, the doors, things like that, right? You would think they do. It's MIT. Makes sense. So sure, you imagine they're secure. Talk about that in a second.

And so we figured that was pretty straightforward. And they said one of the things they had a problem with was their devices keep getting knocked off the net, have these issues. And the more you start talking to them, you peel back layers of the onion. You're like, what do you mean your devices are on the net? They say, well, yeah, our devices are on the net. Oh. You must have some secure, proprietary control system, a control network. And they kind of looked at us with a blank look and were like, uh, I think that's what it is. That's what the vendor told us.

And this brings up one of the interesting things of the internet of things, or the era we're moving into, is, for the most part, when I was younger, people using the internet had to be fairly specific, right?
You had to fairly know something that you were doing. Today, everybody's using it. And the bar to use it used to be, when you ride the roller coaster, thou shalt be this tall if you're going to ride this rocket. It's gotten a lot lower, all right?

And so through the conversation with them, we find out that they have pretty much everything you could think of connected to the internet. Everything. One of the things that was interesting: MIT launched an energy initiative, I don't know, five, seven years ago, when Susan Hockfield was here as president. And one of the things Facilities did was really grow the internet of things on campus to create these dynamically managed buildings. So when a classroom isn't in use, lights will go off, heating will change. It's new. They're doing things like that across the campus. They deployed a gigantic control network. Gigantic. It's actually bigger than our own campus internet is, somewhat. So their control comprises, I think, 400,000 different points that they're monitoring across the campus.
Over 75,000 to 100,000 places. And so the next question you ask yourself-- Dave asks, with the big, bright, wide eyes-- is, how are you guys securing that? They're like, well, we called you guys up, and we were going to check. And they put it in. And they got an IP address by going through a web form and requesting an IP. Requested IP, it's working. And you know we're sitting there going, yeah, this whole open internet thing-- how are you guys securing that? And the question, of course, which is, you know, when your blood pressure goes up a little bit, was, well, it's secure, because you guys take care of that. So the security's already taken care of. And you know the look on our face is a little bit-- what do you mean by secure? Well, we have corporate firewalls. It's dealt with. And everything's cool.

[AUDIENCE CHUCKLES]

And you know my next question was, can you show me where that is? I don't know. And you know, of course, the response was, well, everybody does.
And of course, we're a little different, going back to the point I made earlier; we operate a fairly open environment. And we've always believed, and it's MIT's philosophy, that we believe in defense and security across the stack. You don't want to depend on any one part of the infrastructure to implement security. It's something you have to do at every layer, right? You don't just do it at the infrastructure, you do it at the application. You do it all sorts of places. That's not how these systems-- you know, the internet of things on the SCADA side-- get built. You know, that's kind of scary.

And so one of the things we're seeing here that we deal with, so in addition to dealing with folks like yourself who are doing all sorts of creative and inventive things that keep people like Dave and me up at night. You know, the internet's becoming this utility that's used for all sorts of things across the campus. And it's really changed the dynamics that we have to worry about, in terms of threats, security issues, all sorts of things.
So now, you know, when the internet used to go down or have an issue when we were students, it was an inconvenience. Right? It was annoying. In these most recent types of events, when the internet goes out, people's air conditioning stops working. Your heat goes out, you know? So the threats have really changed. And so for us, we deal with this whole broad spectrum of things where we operate as a service provider for the campus, providing services to folks like yourself. We also provide services to all sorts of things. And if you combine that with our open network philosophy, it creates a lot of interesting use cases and threats that we have to worry about on a pretty persistent basis.

And people's expectation of how the internet is going to work-- and one of the things that's also been eye-opening is these systems kind of grow. When the power outage happened, one of the first questions they had was, why did the network stop working? Our response was, well, there was no power. And they said, well, that comes from the batteries on the phone system, right?
It's all taken care of. Like, no, it doesn't. That's analog phone technology. Like, well, what's the difference? Well, you guys know a lot. But there's this expectation that these things operate with the utility service, whether it's at the security level, resiliency level, or everything else. And I love the folks that have so much confidence that these things are being dealt with at that level. But that's a big gap from where we are right now.

And so we spend a majority of our time trying to keep the campus environment running, keep everything as secure as we can. Dave will talk about that in a little bit more detail. He'll give you some interesting stories about the kinds of things we deal with. But it's an interesting job, right? And we see all sorts of interesting things. And I think the problems just get harder and harder. And I think the thing is, the internet kind of expands. And the internet of things is a big buzzword. How many of you have heard of that before today? You guys have gone to a Cisco website or something. Trying to sell you expensive equipment.
But this whole phenomenon where everything is internet- or IP-enabled, that's here. And unfortunately, a lot of the people writing these systems are not as studious as people who went to MIT. They create all sorts of interesting problems. So I think, for us, the real challenge is, when you look at security from a systemic level, it's just there's a thousand little bitty pieces. And it's really, really hard. And even for us, we have to deal with service providers on the external side. We have to deal with our own customers. We have to deal with application providers. It's this very broad ecosystem of issues you have to worry about to provide security holistically. And the challenge is pretty bumpy at times.

And so from that point, I guess I'll have Dave talk a little bit about a couple of things we've seen. You guys have any questions before Dave gets set up that you'd like to ask on anything in particular? Anything? Come on up, Dave.

PROFESSOR: Oh, you've got a question now.

PROFESSOR: Yeah?

AUDIENCE: Have you seen any APT campaigns attacking MIT directly?
PROFESSOR: Yes. Yes. I think what's interesting is one of the things we're seeing more of is-- you know, one of the things Dave will talk about now that's really hard is visibility. If I told you the story about the one laptop, and we have 100,000 or 150,000 devices, and also, if you think of the number of IP addresses MIT has just having a /8 network, finding the needle in the haystack is really hard. So these APTs-- which we do have-- finding that noise or that activity going on within this broad stream of traffic is very difficult. One of the things we've had help with is some of the tools we have now are a little bit more advanced. And we'll talk about that in a minute. But one of the things we also see now is law enforcement's help from the Federal side or from other parts, where they reach out to you to give you guidance in some of these things where they see things like that, which is very helpful. But you know, operating an open environment, we've had a few of these where I've been really surprised that they were going on, but they do.
And I think one of the other things we're going to see in the future is-- today, we do a lot of research activity here at MIT. It's one of our primary missions. The Federal funding sources that provide for that research don't really have a lot of rules about how you do it. As you'll find out, as you go into your grad student lives and other things and you get Federal grants for research, whether it's private or primarily from the government, whether it's the NSF, NIH, their requirements are pretty vague. One of the things we're dealing with lately is they'll say, we have a data requirement in the grant that says, you should have a data policy that all the data you generate from your grant is going to be preserved. All right? And the way MIT does that is it says to the PI, that's great. We have this requirement. Are you going to take care of it? They say, sure. I'll take care of it. Sign the document, right? Compliance with that? What they did with it? It's left to the discretion of the primary investigator.
So if the government was ever to come to us and say, hey, where's the data? Just point to a faculty member and say, hey, talk to him. But one of the things we're also seeing is the government saying, hey, look. We're investing a lot of money in doing this research. We don't want to spend all the money and give the research to another country-- in some cases, right? So what we've seen on the legislative side or some of the Federal funding agencies' side is a lot of them are coming to us and saying, as an industry, I think we need some more security departments for this. And I think what's hard for us is MIT is very much an incubator. We have an incredible number of brilliant people. And for the administration at large, we serve as sort of a hosting company, right? We incubate that activity. We provide them lab spaces, or internet connectivity, or all sorts of things. But for the most part, it's a fairly federated environment. People have a level of autonomy. And so, as you have more requirements coming up, applying those across the institution is very hard.
To go back to the APT thing, there's a tremendous amount of intellectual capital here. Tremendous amount of interesting things going on here that folks outside this country are very interested in. And I don't know if you guys know this. What country do you think is responsible for more intellectual property theft than most any place in the world? Anyone want to take a guess?

AUDIENCE: That's a dangerous proposition.

PROFESSOR: No, no, no. But I'm serious. I mean, one of the ones that-- it was really shocking to me, because I never expected it. And that's not to say they're doing that here. But anyone want to take a hint? Come on, somebody. Anybody.

AUDIENCE: China?

PROFESSOR: Who? It's not China.

AUDIENCE: Russia?

PROFESSOR: Nope. Wasn't Russia. No.

AUDIENCE: Is it Canada?

PROFESSOR: Nope.

[LAUGHTER]

You're getting close, though, but it's in Europe.

AUDIENCE: France?

PROFESSOR: France. France.
That's right.

AUDIENCE: What was it?

PROFESSOR: France. Yeah. So yeah, you wouldn't expect that, right? But I have a bunch of folks who work in the industry side, commercial sector, in the security area. And one of the things they have to worry about is companies, some of them located in this geography-- that's one of their biggest threats, which is kind of surprising. You would think it's Iran. You would think it's all sorts of other places. No. And so, it's interesting, right? You wouldn't expect that. And that's not to say the US isn't doing it too. Let's be honest, right? We're just doing it better. We're not getting caught, probably. But needless to say, it's one of the more interesting things. Another question? You ready, Dave?

PROFESSOR: Sure.

PROFESSOR: Yeah?

AUDIENCE: What sorts of things do you log on an IP sector?

[LAUGHTER]

PROFESSOR: Turn the camera off now. We log some fairly interesting things.
461 00:16:51,530 --> 00:16:53,760 I'd say, for the most part, I'll be honest with you, 462 00:16:53,760 --> 00:16:55,440 authentication requests, we log. 463 00:16:55,440 --> 00:16:57,071 So when you log-in through Kerberos, 464 00:16:57,071 --> 00:16:58,570 you log-in through Active Directory, 465 00:16:58,570 --> 00:17:01,900 you log-in through Touchstone, through our SAML IdP, 466 00:17:01,900 --> 00:17:03,850 those things get logged. 467 00:17:03,850 --> 00:17:05,936 We have very detailed retention policies, which 468 00:17:05,936 --> 00:17:07,186 we're happy to share with you. 469 00:17:07,186 --> 00:17:09,079 It's published. 470 00:17:09,079 --> 00:17:13,780 If you access a web page, if you check in to read your email, 471 00:17:13,780 --> 00:17:15,530 things like that, then one of the problems 472 00:17:15,530 --> 00:17:17,321 we have is correlating all that information 473 00:17:17,321 --> 00:17:18,265 would be fairly hard. 474 00:17:18,265 --> 00:17:19,981 That's a lot of different sources. 475 00:17:19,981 --> 00:17:21,730 Dave will talk about that in a little bit. 476 00:17:21,730 --> 00:17:23,146 But that's pretty much what we do. 477 00:17:23,146 --> 00:17:25,569 We try to keep our retention period, usually, 478 00:17:25,569 --> 00:17:27,717 within 30 days. 479 00:17:27,717 --> 00:17:31,021 AUDIENCE: So MIT runs its own CA, right? 480 00:17:31,021 --> 00:17:32,920 There's a root MIT certificate. 481 00:17:32,920 --> 00:17:36,470 Private key [INAUDIBLE] Where do you guys keep that private key? 482 00:17:36,470 --> 00:17:41,970 [LAUGHTER] 483 00:17:41,970 --> 00:17:42,960 PROFESSOR: OK. 484 00:17:42,960 --> 00:17:43,950 AUDIENCE: Could you use tamper-resistant hardware, 485 00:17:43,950 --> 00:17:44,908 or something like that? 486 00:17:44,908 --> 00:17:46,920 Or do you just put it on a computer somewhere 487 00:17:46,920 --> 00:17:49,900 running Linux [INAUDIBLE]? 488 00:17:49,900 --> 00:17:51,690 PROFESSOR: Well, wow. 
489 00:17:51,690 --> 00:17:52,572 Good question. 490 00:17:52,572 --> 00:17:53,530 Yes, we run our own CA. 491 00:17:53,530 --> 00:17:57,860 We've been running our own CA since the late 1990s. 492 00:17:57,860 --> 00:18:01,240 So in a whole world where the web was doing authentication 493 00:18:01,240 --> 00:18:03,600 using username, password over SSL, 494 00:18:03,600 --> 00:18:06,910 I think MIT was fairly progressive there, doing PKI. 495 00:18:06,910 --> 00:18:07,780 Now, I don't know. 496 00:18:07,780 --> 00:18:11,107 You guys are a little bit younger, but back in 1998, 497 00:18:11,107 --> 00:18:13,440 they were telling me the year of PKI is just about here. 498 00:18:13,440 --> 00:18:14,569 It's going to be next year. 499 00:18:14,569 --> 00:18:16,485 And we've been saying that for about 20 years. 500 00:18:16,485 --> 00:18:17,879 So hopefully, soon. 501 00:18:17,879 --> 00:18:19,170 So in terms of how it's stored? 502 00:18:21,699 --> 00:18:23,615 Tamper-resistant hardware, that's a nice idea. 503 00:18:23,615 --> 00:18:25,370 I like that. 504 00:18:25,370 --> 00:18:27,090 That would be great. 505 00:18:27,090 --> 00:18:28,731 That's not how we're doing it. 506 00:18:28,731 --> 00:18:30,230 AUDIENCE: Is that how the CAs do it? 507 00:18:30,230 --> 00:18:34,930 PROFESSOR: So the CAs usually do it through using USB keys 508 00:18:34,930 --> 00:18:38,151 or other tokens that have fairly involved protocols where 509 00:18:38,151 --> 00:18:39,770 you can only access information off 510 00:18:39,770 --> 00:18:41,426 once it's been written, in terms of you 511 00:18:41,426 --> 00:18:43,050 could send something out for signature, 512 00:18:43,050 --> 00:18:45,410 but you can't actually get the key off. 513 00:18:45,410 --> 00:18:47,940 So they have a whole way of doing that. 514 00:18:47,940 --> 00:18:49,800 To be honest, the CA server we're using now 515 00:18:49,800 --> 00:18:52,640 was written before any of those markets existed. 
516 00:18:52,640 --> 00:18:56,210 And so we've used, I'd say, a typical MIT spirit 517 00:18:56,210 --> 00:18:58,540 of being a little bit creative. 518 00:18:58,540 --> 00:19:03,450 And so it is stored on the file system. 519 00:19:03,450 --> 00:19:06,005 It's stored in such a way to make it difficult to recover. 520 00:19:06,005 --> 00:19:07,380 And it's stored in multiple ways. 521 00:19:07,380 --> 00:19:09,100 And it's encrypted with multiple keys. 522 00:19:09,100 --> 00:19:11,610 And there's a variety of system-specific parameters, 523 00:19:11,610 --> 00:19:14,749 which I will not get into every one of them here. 524 00:19:14,749 --> 00:19:16,790 AUDIENCE: So it's more of a security by obscurity. 525 00:19:16,790 --> 00:19:18,160 PROFESSOR: Yes. 526 00:19:18,160 --> 00:19:18,690 Yes. 527 00:19:18,690 --> 00:19:22,570 So if you know the specific locations, 528 00:19:22,570 --> 00:19:24,190 which may not even be files-- 529 00:19:24,190 --> 00:19:26,579 I'll give you a hint to look-- 530 00:19:26,579 --> 00:19:28,120 and you know how many keys are needed 531 00:19:28,120 --> 00:19:29,705 and you know how many bytes to read, 532 00:19:29,705 --> 00:19:31,431 you might be able to figure it out. 533 00:19:31,431 --> 00:19:32,930 But to be honest with you, if you're 534 00:19:32,930 --> 00:19:35,462 able to actually get on the machine, it's game over, right? 535 00:19:35,462 --> 00:19:37,977 If you're able to get on the machine, it's game over. 536 00:19:37,977 --> 00:19:40,018 You know, people who tell you that they can still 537 00:19:40,018 --> 00:19:41,726 break into the machine and not compromise 538 00:19:41,726 --> 00:19:43,960 the key for some ETA, nah. 539 00:19:43,960 --> 00:19:45,670 I'd be very skeptical about that. 540 00:19:45,670 --> 00:19:48,040 So we try to be fairly secure, but-- 541 00:19:48,040 --> 00:19:51,684 anyway, it's not perfect. 542 00:19:51,684 --> 00:19:52,350 Other questions? 
543 00:19:55,230 --> 00:19:56,920 AUDIENCE: Typically, what percent 544 00:19:56,920 --> 00:19:59,260 would you say of MIT accounts are 545 00:19:59,260 --> 00:20:01,059 compromised at a given time? 546 00:20:01,059 --> 00:20:02,100 PROFESSOR: Good question. 547 00:20:02,100 --> 00:20:04,420 Not yours, right? 548 00:20:04,420 --> 00:20:06,160 I think I'm amazed-- 549 00:20:06,160 --> 00:20:07,960 so does everyone know what phishing is? 550 00:20:07,960 --> 00:20:08,430 AUDIENCE: Mm-hm. 551 00:20:08,430 --> 00:20:08,700 PROFESSOR: OK. 552 00:20:08,700 --> 00:20:09,105 Good. 553 00:20:09,105 --> 00:20:11,688 I can't tell you how many talks I go to where they look at you 554 00:20:11,688 --> 00:20:14,690 and they say, isn't that like Seattle? 555 00:20:14,690 --> 00:20:17,691 But that's a little bit of an older audience. 556 00:20:17,691 --> 00:20:19,690 Every time one of these phishing things happens-- 557 00:20:19,690 --> 00:20:21,981 and they happen quite a bit where these emails go out-- 558 00:20:21,981 --> 00:20:23,870 I will tell you, it amazes me. 559 00:20:23,870 --> 00:20:27,280 You're the world's smartest institution, all right? 560 00:20:27,280 --> 00:20:29,832 As an alum, I'm pretty proud to believe that. 561 00:20:29,832 --> 00:20:31,290 You know, we're the world's leading 562 00:20:31,290 --> 00:20:34,452 technological institution in the world, right? 563 00:20:34,452 --> 00:20:36,660 I cannot tell you how many people will reply to those 564 00:20:36,660 --> 00:20:37,130 things. 565 00:20:37,130 --> 00:20:38,440 It just always amazes me how many 566 00:20:38,440 --> 00:20:39,815 of them reply to "Dear Help Desk, 567 00:20:39,815 --> 00:20:42,570 here's my user name and password." 568 00:20:42,570 --> 00:20:44,090 It shocks me, right? 569 00:20:44,090 --> 00:20:47,250 And some of them are faculty. 570 00:20:47,250 --> 00:20:49,252 And they call the help desk and go, hey, 571 00:20:49,252 --> 00:20:50,710 I wrote back to your quota message. 
572 00:20:50,710 --> 00:20:52,910 How come my quota hasn't gone up? 573 00:20:52,910 --> 00:20:55,330 And oh, by the way, like my inbox is full now. 574 00:20:55,330 --> 00:20:56,630 So what happened? 575 00:20:56,630 --> 00:20:59,865 Well, they got 200,000 bounced messages to be in their inbox 576 00:20:59,865 --> 00:21:02,387 because it's being used to send mass emails. 577 00:21:02,387 --> 00:21:03,220 So I'm being honest. 578 00:21:03,220 --> 00:21:07,800 I'd say we see 10, 15, 20 to 30 a month. 579 00:21:07,800 --> 00:21:10,090 During one of these phishing spikes, even larger. 580 00:21:10,090 --> 00:21:12,420 And I think the ones that have been really interesting 581 00:21:12,420 --> 00:21:15,550 are the ones we don't know about, OK? 582 00:21:15,550 --> 00:21:19,020 And the government came to us, I don't know, about a year or two 583 00:21:19,020 --> 00:21:23,500 ago and said, hey, we won't get into specifics, 584 00:21:23,500 --> 00:21:25,730 but there's a marketplace where you 585 00:21:25,730 --> 00:21:27,650 can buy MIT usernames and passwords so you 586 00:21:27,650 --> 00:21:29,640 can access library resources. 587 00:21:29,640 --> 00:21:33,497 And so they're bidding on them online on these black markets. 588 00:21:33,497 --> 00:21:35,372 If you'd like to access all the materials MIT 589 00:21:35,372 --> 00:21:37,667 has in their libraries or on campus, 590 00:21:37,667 --> 00:21:39,500 you can simply auction one of these accounts 591 00:21:39,500 --> 00:21:41,860 that they've compromised off the web page. 592 00:21:41,860 --> 00:21:44,486 And they said, oh, by the way, do you know about this? 593 00:21:44,486 --> 00:21:45,841 No. 594 00:21:45,841 --> 00:21:46,340 No. 595 00:21:46,340 --> 00:21:49,890 And so we see a tremendous number of those. 
596 00:21:49,890 --> 00:21:51,820 The success of the social vectors 597 00:21:51,820 --> 00:21:54,160 for getting people's credentials is 598 00:21:54,160 --> 00:21:56,414 incredibly high, in particular, across our industry-- 599 00:21:56,414 --> 00:21:58,580 Dave will talk about it in a little bit, how you try 600 00:21:58,580 --> 00:22:01,170 and mitigate those things-- is very high. 601 00:22:01,170 --> 00:22:02,970 And it's a little bit scary. 602 00:22:02,970 --> 00:22:05,310 Yeah? 603 00:22:05,310 --> 00:22:08,140 AUDIENCE: Dealing on that, is there a way or some web site 604 00:22:08,140 --> 00:22:11,650 to see all the places you've logged-in 605 00:22:11,650 --> 00:22:14,470 with Touchstone or something? 606 00:22:14,470 --> 00:22:15,410 PROFESSOR: Yeah. 607 00:22:15,410 --> 00:22:18,990 So we're working on-- one of the things I talked about in answer 608 00:22:18,990 --> 00:22:22,070 to the log question was what do you guys collect? 609 00:22:22,070 --> 00:22:23,570 We collect a variety of information. 610 00:22:23,570 --> 00:22:25,880 One of the things we don't have the ability to do today 611 00:22:25,880 --> 00:22:27,640 is to correlate. 612 00:22:27,640 --> 00:22:30,317 So in our case, there's 30 different technology systems 613 00:22:30,317 --> 00:22:32,650 involved in some of these things, and different formats, 614 00:22:32,650 --> 00:22:35,509 and all sorts of different ways to generate it. 615 00:22:35,509 --> 00:22:37,300 We are working to try and make that easier. 
616 00:22:37,300 --> 00:22:39,960 And our hope is to give the user community something where, 617 00:22:39,960 --> 00:22:41,470 from a GeoIP or other standpoint, 618 00:22:41,470 --> 00:22:43,220 they can see where their activity is maybe 619 00:22:43,220 --> 00:22:45,357 over the last 30 days, or seven days, 620 00:22:45,357 --> 00:22:47,045 or whatever their retention period is, 621 00:22:47,045 --> 00:22:48,420 to help inform people about where 622 00:22:48,420 --> 00:22:49,544 these things are happening. 623 00:22:49,544 --> 00:22:51,311 Dave wants to go a step further. 624 00:22:51,311 --> 00:22:53,310 He wants to have you can pick a circle of radius 625 00:22:53,310 --> 00:22:55,730 where you're allowed to log-in from geographically. 626 00:22:55,730 --> 00:22:57,569 And if you log-in from outside that range, 627 00:22:57,569 --> 00:22:59,360 it either shouldn't allow it, or it'll just 628 00:22:59,360 --> 00:23:00,752 send a text to your phone to let you know that something 629 00:23:00,752 --> 00:23:03,870 happened, which I think is a step in the right direction. 630 00:23:03,870 --> 00:23:06,330 But so yes, we're working on that, 631 00:23:06,330 --> 00:23:09,266 but we don't have it today. 632 00:23:09,266 --> 00:23:11,736 AUDIENCE: You said there was malicious traffic on the MIT 633 00:23:11,736 --> 00:23:12,724 network? 634 00:23:12,724 --> 00:23:14,210 PROFESSOR: Yes. 635 00:23:14,210 --> 00:23:15,086 In terms of-- 636 00:23:15,086 --> 00:23:16,586 AUDIENCE: What's the primary source? 637 00:23:16,586 --> 00:23:18,195 Is it from outside going in? 638 00:23:18,195 --> 00:23:22,384 Or is there malicious traffic from the inside going out? 639 00:23:22,384 --> 00:23:24,550 PROFESSOR: You know, I'd love to say it's completely 640 00:23:24,550 --> 00:23:26,040 from the outside coming in. 641 00:23:26,040 --> 00:23:29,466 I'd say there's a fair bit of it from the inside going out. 
642 00:23:29,466 --> 00:23:32,090 I think, realistically, we have a tremendous amount of internet 643 00:23:32,090 --> 00:23:34,170 bandwidth and connectivity. 644 00:23:34,170 --> 00:23:36,650 We'll talk about some of these more recent UDP reflection 645 00:23:36,650 --> 00:23:38,730 attacks, which is a great example. 646 00:23:38,730 --> 00:23:40,184 But when you have big pipes, it's 647 00:23:40,184 --> 00:23:42,047 a good resource to use to hurt other folks. 648 00:23:42,047 --> 00:23:43,880 And so we see a lot of that, I'd say more so 649 00:23:43,880 --> 00:23:44,755 than stuff coming in. 650 00:23:44,755 --> 00:23:46,255 Stuff coming in, you see a fair bit, 651 00:23:46,255 --> 00:23:47,920 like I talked about with the laptop. 652 00:23:47,920 --> 00:23:50,625 But I'd say, in terms of actual volume of traffic, 653 00:23:50,625 --> 00:23:52,250 the bigger stuff you see is in and out, 654 00:23:52,250 --> 00:23:56,466 in terms of just sheer throughput. 655 00:23:56,466 --> 00:23:59,220 AUDIENCE: How many people connect to the MIT 656 00:23:59,220 --> 00:24:01,640 Network on a given day? 657 00:24:01,640 --> 00:24:04,320 PROFESSOR: On a given day, I'd say like, I don't know, 658 00:24:04,320 --> 00:24:07,190 100,000, 120,000 different kinds of devices. 659 00:24:07,190 --> 00:24:10,320 I'd say, people-wise, if you figure people average 2-1/2 660 00:24:10,320 --> 00:24:14,174 devices, probably 35,000 folks, 40,000 folks on a given day. 661 00:24:14,174 --> 00:24:16,590 I think what's more surprising is our visitor population's 662 00:24:16,590 --> 00:24:17,589 fairly large in a month. 663 00:24:20,050 --> 00:24:22,133 AUDIENCE: What's the policy for running a TOR exit 664 00:24:22,133 --> 00:24:23,461 node on the MIT network? 665 00:24:23,461 --> 00:24:24,210 PROFESSOR: Policy? 666 00:24:24,210 --> 00:24:24,672 What? 667 00:24:24,672 --> 00:24:25,171 No. 
668 00:24:25,171 --> 00:24:26,520 [LAUGHTER] 669 00:24:26,520 --> 00:24:28,830 AUDIENCE: Is there a good reason not to? 670 00:24:28,830 --> 00:24:31,492 PROFESSOR: So you know, MIT's a very open place, all right? 671 00:24:31,492 --> 00:24:33,700 And I think that's one of the great beauties of being 672 00:24:33,700 --> 00:24:35,700 a student here and one of the things I've always 673 00:24:35,700 --> 00:24:38,120 cherished about being here is we're a place where 674 00:24:38,120 --> 00:24:39,565 it's OK to experiment. 675 00:24:39,565 --> 00:24:40,440 It's OK to do things. 676 00:24:40,440 --> 00:24:41,590 It's OK to learn about things. 677 00:24:41,590 --> 00:24:42,510 It's OK to develop new things. 678 00:24:42,510 --> 00:24:44,650 That's one of the great things about being at MIT 679 00:24:44,650 --> 00:24:47,430 and it's what's special about being here too, right? 680 00:24:47,430 --> 00:24:48,629 That's what's pretty unique. 681 00:24:48,629 --> 00:24:50,670 You don't need to go to the policy office to say, 682 00:24:50,670 --> 00:24:53,625 hey, I want to run a Tor exit node today, 683 00:24:53,625 --> 00:24:55,500 or I want to invent a new anonymous protocol, 684 00:24:55,500 --> 00:24:56,560 or something like that. 685 00:24:56,560 --> 00:24:59,060 That's one of the things that's really unique about working 686 00:24:59,060 --> 00:25:00,480 here and going to school here. 687 00:25:00,480 --> 00:25:04,800 And I think, for us, is it a good idea or is it a bad idea, 688 00:25:04,800 --> 00:25:06,760 depends how you're trying to do it, right? 689 00:25:06,760 --> 00:25:09,087 If you're doing it as part of some thesis research 690 00:25:09,087 --> 00:25:11,045 into an anonymization technique, some privacy, 691 00:25:11,045 --> 00:25:12,604 it's probably fine. 
692 00:25:12,604 --> 00:25:14,020 If you're doing it for the purpose 693 00:25:14,020 --> 00:25:17,461 of running some kind of black market ring or something 694 00:25:17,461 --> 00:25:17,960 like that-- 695 00:25:17,960 --> 00:25:20,210 I mean it's probably not a good idea. 696 00:25:20,210 --> 00:25:23,010 But from a policy standpoint, MIT's fairly flexible. 697 00:25:23,010 --> 00:25:27,635 We really try to balance the need for-- 698 00:25:27,635 --> 00:25:29,135 the institution has a responsibility 699 00:25:29,135 --> 00:25:30,662 to behave responsibly, right? 700 00:25:30,662 --> 00:25:31,554 Let's just be honest. 701 00:25:31,554 --> 00:25:33,350 As an institution, we have to do that. 702 00:25:33,350 --> 00:25:35,480 But we try as much as possible not to encumber 703 00:25:35,480 --> 00:25:37,320 the activity of innovation. 704 00:25:37,320 --> 00:25:40,090 And so, for the most part, that's worked out pretty well. 705 00:25:40,090 --> 00:25:42,780 I'd say MIT's been fairly successful over the last 125 706 00:25:42,780 --> 00:25:44,720 years. 707 00:25:44,720 --> 00:25:47,020 But you know, I think it's one of those areas where 708 00:25:47,020 --> 00:25:48,850 if one of those activities was to place 709 00:25:48,850 --> 00:25:51,595 the institution collectively in jeopardy, then 710 00:25:51,595 --> 00:25:53,180 we have to look at that. 711 00:25:53,180 --> 00:25:55,140 But MIT does run a variety of Tor exit nodes. 712 00:25:55,140 --> 00:25:56,650 SIPB has some. 713 00:25:56,650 --> 00:25:57,930 CSAIL has a few. 714 00:25:57,930 --> 00:26:00,770 They show up on Dave's naughty list like a plague, 715 00:26:00,770 --> 00:26:03,740 but we do that. 716 00:26:03,740 --> 00:26:06,210 You can't run that at most schools. 717 00:26:06,210 --> 00:26:06,710 Questions? 718 00:26:13,660 --> 00:26:15,880 My esteemed colleague, Dave LaPorte. 719 00:26:15,880 --> 00:26:20,867 He used to work in the Harvard University network. 
720 00:26:20,867 --> 00:26:22,700 And he'll talk a little bit about networking 721 00:26:22,700 --> 00:26:25,682 at a liberal arts school, if you get him outside of the office. 722 00:26:25,682 --> 00:26:29,578 And he's also a teacher himself at Northeastern, 723 00:26:29,578 --> 00:26:31,526 which is great. 724 00:26:31,526 --> 00:26:33,660 So Dave will talk to you a little bit 725 00:26:33,660 --> 00:26:35,839 about some specific examples of the kinds of things 726 00:26:35,839 --> 00:26:36,880 that keep us up at night. 727 00:27:01,207 --> 00:27:02,040 PROFESSOR: Oh, wait. 728 00:27:02,040 --> 00:27:02,290 Wait. 729 00:27:02,290 --> 00:27:03,140 I think I got it. 730 00:27:03,140 --> 00:27:03,848 Loose connection. 731 00:27:10,835 --> 00:27:11,335 OK. 732 00:27:17,192 --> 00:27:17,692 [INAUDIBLE] 733 00:27:22,350 --> 00:27:22,850 All right. 734 00:27:22,850 --> 00:27:23,690 Hello, everybody. 735 00:27:23,690 --> 00:27:24,690 My name is Dave LaPorte. 736 00:27:27,050 --> 00:27:29,950 As this very verbose title claims, 737 00:27:29,950 --> 00:27:33,272 I am Manager of Infrastructure and Security Operations, 738 00:27:33,272 --> 00:27:34,730 which basically in a nutshell means 739 00:27:34,730 --> 00:27:38,970 I'm responsible for maintaining and operating and securing 740 00:27:38,970 --> 00:27:44,190 mit.net, which is definitely a full-time job. 741 00:27:44,190 --> 00:27:47,212 Today, I've got a lot of content to cover. 742 00:27:47,212 --> 00:27:49,670 I'm going to cruise through it, to leave room for questions 743 00:27:49,670 --> 00:27:51,878 at the end, because I think that's probably where you 744 00:27:51,878 --> 00:27:53,070 guys get the most out of it. 745 00:27:53,070 --> 00:27:54,990 If anything's not clear, just stop me. 746 00:27:54,990 --> 00:27:55,220 Raise your hand. 747 00:27:55,220 --> 00:27:56,511 I don't mind being interrupted. 
748 00:27:58,930 --> 00:28:02,170 But yeah, with that, we'll start talking with the Security 749 00:28:02,170 --> 00:28:05,800 Operations Team, which is really the one central body that 750 00:28:05,800 --> 00:28:08,432 does security as a full-time job here at MIT. 751 00:28:08,432 --> 00:28:09,890 We'll talk about some of the events 752 00:28:09,890 --> 00:28:12,530 that we've had in the recent past here 753 00:28:12,530 --> 00:28:14,610 and what we've done to mitigate them 754 00:28:14,610 --> 00:28:18,970 and to leave the current state of security at mit.net. 755 00:28:18,970 --> 00:28:20,910 We'll talk about the current landscape, what 756 00:28:20,910 --> 00:28:23,210 we're facing a lot of now, which-- as Mark alluded to-- 757 00:28:23,210 --> 00:28:26,600 is to a large degree, social. 758 00:28:26,600 --> 00:28:29,150 And we'll talk about some future trends, 759 00:28:29,150 --> 00:28:35,340 which are nebulous by nature, so the slides are kind of sparse. 760 00:28:35,340 --> 00:28:38,520 So the team there, as you can see is Mark. 761 00:28:38,520 --> 00:28:40,090 I report directly to Mark. 762 00:28:40,090 --> 00:28:42,530 Under me, there's a Security Operations Team 763 00:28:42,530 --> 00:28:44,440 led by our team lead, Harry Hoffman. 764 00:28:44,440 --> 00:28:49,325 He has three people under him, Andrew Munchbach, 765 00:28:49,325 --> 00:28:51,080 who basically is the analyst who does 766 00:28:51,080 --> 00:28:52,880 a lot of the washing of the systems, 767 00:28:52,880 --> 00:28:55,190 does a lot of the notifications to users, 768 00:28:55,190 --> 00:28:57,461 responds to complaints from the outside world. 769 00:28:57,461 --> 00:29:00,086 Then Mike Hossle, who does a lot of the engineering activities, 770 00:29:00,086 --> 00:29:01,910 a lot of the forensics. 771 00:29:01,910 --> 00:29:03,600 And you have Monique Buchanan, who 772 00:29:03,600 --> 00:29:05,840 handles a lot of the correspondence and community 773 00:29:05,840 --> 00:29:07,370 outreach. 
774 00:29:07,370 --> 00:29:09,765 Harry himself is also extremely hands-on. 775 00:29:09,765 --> 00:29:11,515 So I just want to preface this whole thing 776 00:29:11,515 --> 00:29:14,045 with we have a team of four in a very large institution 777 00:29:14,045 --> 00:29:15,650 with tons of devices. 778 00:29:15,650 --> 00:29:17,530 So the federation that Mark talked about 779 00:29:17,530 --> 00:29:19,900 is really a necessity, in order to even try 780 00:29:19,900 --> 00:29:22,579 to secure a network of this size. 781 00:29:22,579 --> 00:29:24,620 So now, the portfolio services we have and what-- 782 00:29:24,620 --> 00:29:26,730 we're going to blast through this stuff fast-- 783 00:29:26,730 --> 00:29:30,750 consulting, we talk with people and help them on campus. 784 00:29:30,750 --> 00:29:34,280 Services, we provide some services to the community. 785 00:29:34,280 --> 00:29:37,620 And the tool set that we use. 786 00:29:37,620 --> 00:29:41,520 The services we provide are pretty varied. 787 00:29:41,520 --> 00:29:43,230 We do abuse reporting. 788 00:29:43,230 --> 00:29:44,790 So this is response to complaints 789 00:29:44,790 --> 00:29:46,391 from the outside world, typically, 790 00:29:46,391 --> 00:29:50,000 the vast majority of which are Tor exit node-related. 791 00:29:50,000 --> 00:29:50,700 [LAUGHTER] 792 00:29:50,700 --> 00:29:52,076 They just are. 793 00:29:52,076 --> 00:29:53,584 PROFESSOR: They just are. 794 00:29:53,584 --> 00:29:55,250 PROFESSOR: Endpoint protection, so there 795 00:29:55,250 --> 00:29:57,250 are some tools and products out there 796 00:29:57,250 --> 00:30:00,800 that we install on both the community at large machines-- 797 00:30:00,800 --> 00:30:02,680 you opt-in if you prefer. 798 00:30:02,680 --> 00:30:05,115 If you're part of the MIT domain, which is typically 799 00:30:05,115 --> 00:30:08,602 administrative staff, some might be auto-installed for you. 
800 00:30:08,602 --> 00:30:10,810 Network protection, these are tool sets that we have, 801 00:30:10,810 --> 00:30:13,260 either at the border or throughout mit.net 802 00:30:13,260 --> 00:30:19,570 that detect anomalies or capture flow data for analysis. 803 00:30:19,570 --> 00:30:22,071 Data analytics helps us correlate, put all this stuff 804 00:30:22,071 --> 00:30:24,404 together and try to get some actionable intelligence out 805 00:30:24,404 --> 00:30:26,100 of it. 806 00:30:26,100 --> 00:30:30,300 Forensics are-- well, we'll talk about those in a second. 807 00:30:30,300 --> 00:30:33,830 Risk identification, basically probing and assessment tools, 808 00:30:33,830 --> 00:30:37,750 basically Nessus and things that look for PII, 809 00:30:37,750 --> 00:30:40,010 Personally Identifiable Information, 810 00:30:40,010 --> 00:30:44,210 which, being in Massachusetts, we need to comply with 201 CMR 811 00:30:44,210 --> 00:30:47,470 17.00, which is a Mass. regulation that requires us 812 00:30:47,470 --> 00:30:51,650 to be able to identify where all the PII on our network lives. 813 00:30:51,650 --> 00:30:54,520 Outreach, awareness and training, just what it says. 814 00:30:54,520 --> 00:30:58,590 Compliance needs, this is, in large part, PCI DSS. 815 00:30:58,590 --> 00:31:01,160 So PCI, being the Payment Card Industry, 816 00:31:01,160 --> 00:31:04,302 has DSS, which is the Data Security Standard. 817 00:31:04,302 --> 00:31:06,760 Believe it or not, MIT-- well, you'll probably believe it-- 818 00:31:06,760 --> 00:31:08,570 MIT is a credit card merchant. 819 00:31:08,570 --> 00:31:11,140 We have multiple vendors on campus, 820 00:31:11,140 --> 00:31:12,750 and we need to be able to make sure 821 00:31:12,750 --> 00:31:15,620 that that infrastructure is compliant with PCI DSS. 822 00:31:15,620 --> 00:31:19,700 So Security is a part of the team that basically manages 823 00:31:19,700 --> 00:31:21,820 and ensures that compliance. 
824 00:31:21,820 --> 00:31:27,230 PCI 3.0, which is the sixth major update to the standard, 825 00:31:27,230 --> 00:31:28,820 goes live on January 1. 826 00:31:28,820 --> 00:31:30,800 So we're kind of in the process right now 827 00:31:30,800 --> 00:31:33,460 of ensuring compliance of all of our infrastructure. 828 00:31:33,460 --> 00:31:39,520 And providing reporting alerting metrics on the work we do. 829 00:31:39,520 --> 00:31:43,440 So here's some of the end point protection products we use. 830 00:31:43,440 --> 00:31:46,100 This eagle-- I think it's an eagle there-- 831 00:31:46,100 --> 00:31:49,890 is a tool called CrowdStrike, which is currently 832 00:31:49,890 --> 00:31:53,595 being tested within IS&T. Basically, it's 833 00:31:53,595 --> 00:31:56,990 a tool that watches for anomalous behavior 834 00:31:56,990 --> 00:31:59,350 from a system call perspective. 835 00:31:59,350 --> 00:32:00,977 If you're using Word, and Word suddenly 836 00:32:00,977 --> 00:32:02,810 starts doing something that it shouldn't do, 837 00:32:02,810 --> 00:32:05,320 like maybe trying to read the account database off 838 00:32:05,320 --> 00:32:07,430 of the system and a bunch of passwords, 839 00:32:07,430 --> 00:32:10,220 it alerts and throws a flag. 840 00:32:10,220 --> 00:32:13,430 It's a cloud-based tool, which we'll talk more about later. 841 00:32:13,430 --> 00:32:16,120 So all this data gets sent to a central console. 842 00:32:16,120 --> 00:32:18,890 And should machines start doing things untoward 843 00:32:18,890 --> 00:32:21,430 from a heuristic or behavioral perspective, 844 00:32:21,430 --> 00:32:24,040 they get red flagged. 845 00:32:24,040 --> 00:32:26,410 GPO here, these are just Group Policy Objects, 846 00:32:26,410 --> 00:32:28,950 so managed systems which push down policy. 847 00:32:28,950 --> 00:32:30,790 The S is Sophos. 
848 00:32:30,790 --> 00:32:33,320 It's anti-xrays, anti-malware, anti-spam-- 849 00:32:33,320 --> 00:32:35,130 oh, not anti-spam-- but anti-malware, 850 00:32:35,130 --> 00:32:37,210 anti-virus, all of the typical stuff 851 00:32:37,210 --> 00:32:41,750 that we expect when we buy an endpoint protection product. 852 00:32:41,750 --> 00:32:48,480 PGP does hard drive encryption for select systems on campus 853 00:32:48,480 --> 00:32:50,650 that have sensitive data. 854 00:32:50,650 --> 00:32:53,070 Some of these tools are in flux. 855 00:32:53,070 --> 00:32:55,180 The industry seems to be going more towards a more 856 00:32:55,180 --> 00:32:58,540 vendor-neutral solution, if you want 857 00:32:58,540 --> 00:33:02,420 to call it that, so BitLocker on Windows, FileVault on the Mac. 858 00:33:02,420 --> 00:33:04,720 So we're exploring those options as well. 859 00:33:04,720 --> 00:33:10,070 And Casper is a way to manage, mostly Macs, to enforce policy 860 00:33:10,070 --> 00:33:12,980 on managed Macs. 861 00:33:12,980 --> 00:33:15,760 On the network protection side-- 862 00:33:15,760 --> 00:33:17,770 I'll just start down here. 863 00:33:17,770 --> 00:33:20,280 Akamai is a company that came out of MIT, 864 00:33:20,280 --> 00:33:21,780 has a lot of MIT alums. 865 00:33:21,780 --> 00:33:24,220 They also have extremely good services, 866 00:33:24,220 --> 00:33:28,410 so we have partnered with them on a lot of their services. 867 00:33:28,410 --> 00:33:31,390 And we'll talk about them fairly extensively. 868 00:33:31,390 --> 00:33:35,900 TippingPoint is an IDS vendor, an intrusion detection system. 869 00:33:35,900 --> 00:33:38,197 As I said, some of these tools are in flux. 870 00:33:38,197 --> 00:33:39,280 That might be one of them. 871 00:33:39,280 --> 00:33:42,740 But we basically have an intrusion prevention system 872 00:33:42,740 --> 00:33:43,750 at our border. 873 00:33:43,750 --> 00:33:45,970 We don't actually prevent, we just detect. 
874 00:33:45,970 --> 00:33:49,600 So we don't actually block anything on the MIT border, 875 00:33:49,600 --> 00:33:52,370 except for some very basic anti-spoofing 876 00:33:52,370 --> 00:33:55,300 and standard rules you'd find anywhere. 877 00:33:55,300 --> 00:33:58,610 StealthWatch is a tool that generates NetFlow data-- 878 00:33:58,610 --> 00:34:00,870 or I should say collects NetFlow data. 879 00:34:00,870 --> 00:34:05,140 So we use Cisco devices, but all network devices 880 00:34:05,140 --> 00:34:07,924 will output details, meta information 881 00:34:07,924 --> 00:34:09,679 about the flows that they're sending, 882 00:34:09,679 --> 00:34:12,415 source port, dest port, source IP, dest IP, protocol, 883 00:34:12,415 --> 00:34:14,380 et cetera. 884 00:34:14,380 --> 00:34:18,520 StealthWatch collects this, does some basic security analysis 885 00:34:18,520 --> 00:34:20,650 on it, and also provides APIs that we 886 00:34:20,650 --> 00:34:22,310 can interface our tools with to do 887 00:34:22,310 --> 00:34:25,949 some more intelligent things. 888 00:34:25,949 --> 00:34:28,580 And RSA Security Analytics, this is another tool. 889 00:34:28,580 --> 00:34:30,570 [BANG] Oops. 890 00:34:30,570 --> 00:34:34,710 It's, in a lot of ways, like an IDS on steroids. 891 00:34:34,710 --> 00:34:36,800 It does full packet capture, so you can actually 892 00:34:36,800 --> 00:34:38,864 see some content if things get red flagged. 893 00:34:42,310 --> 00:34:44,090 On the risk identification front, 894 00:34:44,090 --> 00:34:50,290 Nessus, kind of the de facto vulnerability assessment tool. 895 00:34:50,290 --> 00:34:52,350 So we typically use this on-demand. 896 00:34:52,350 --> 00:34:55,420 We don't unleash this on 18/8 at large. 897 00:34:55,420 --> 00:34:59,240 But if we get an on campus DLC that 898 00:34:59,240 --> 00:35:03,360 would like us to come in and perform some basic assessment 899 00:35:03,360 --> 00:35:05,750 for them, we can use Nessus. 
900 00:35:05,750 --> 00:35:08,810 Shodan is a computer-- they call it a computer search engine. 901 00:35:08,810 --> 00:35:11,430 Basically, they scan the internet at large 902 00:35:11,430 --> 00:35:13,334 and have lots of, lots of good security data. 903 00:35:13,334 --> 00:35:14,750 We have a subscription, so that we 904 00:35:14,750 --> 00:35:16,940 can leverage that intelligence. 905 00:35:16,940 --> 00:35:19,790 And Identity Finder, that's a tool 906 00:35:19,790 --> 00:35:22,930 that we use in locations where there's PII, 907 00:35:22,930 --> 00:35:24,480 Personally Identifiable Information, 908 00:35:24,480 --> 00:35:26,652 in order to comply with Mass. regs 909 00:35:26,652 --> 00:35:28,985 and just to make sure we know where critical data lives. 910 00:35:31,920 --> 00:35:42,163 Forensics is a business that is-- 911 00:35:42,163 --> 00:35:43,430 periodic? 912 00:35:43,430 --> 00:35:44,950 I'm looking for the right word. 913 00:35:44,950 --> 00:35:47,250 This isn't something we do, until we do a lot of it 914 00:35:47,250 --> 00:35:48,010 for a long time. 915 00:35:48,010 --> 00:35:49,410 And then we don't do a lot of it. 916 00:35:49,410 --> 00:35:52,430 Basically, when cases surface, we have the tool sets. 917 00:35:52,430 --> 00:35:54,510 EnCase is a tool that allows us to image drives 918 00:35:54,510 --> 00:35:56,450 and go through them looking for content. 919 00:35:56,450 --> 00:35:59,575 FTK, the Forensic Toolkit, and the Sleuth Kit are other tools. 920 00:36:02,090 --> 00:36:06,160 We often get called in for cases where we have to image drives 921 00:36:06,160 --> 00:36:10,300 for intellectual property cases or whatever cases the OGC, 922 00:36:10,300 --> 00:36:11,900 the Office of the General Counsel, 923 00:36:11,900 --> 00:36:15,910 needs to have computers imaged for. 924 00:36:15,910 --> 00:36:18,520 So we have all the tools that are necessary to do that. 925 00:36:18,520 --> 00:36:20,050 But frankly, it's not our day job. 
926 00:36:20,050 --> 00:36:22,154 It's something that comes up occasionally. 927 00:36:22,154 --> 00:36:23,820 So how do we put all this data together? 928 00:36:23,820 --> 00:36:26,690 Mark alluded to correlation. 929 00:36:26,690 --> 00:36:30,165 We have operating system logs for managed systems. 930 00:36:30,165 --> 00:36:31,540 You can see that we have NetFlow. 931 00:36:31,540 --> 00:36:35,940 We have some DHCP logs, IDS logs, Touchstone logs. 932 00:36:35,940 --> 00:36:41,440 Splunk is a tool that does a lot of this correlation 933 00:36:41,440 --> 00:36:44,842 work and takes data that's not necessarily normalized 934 00:36:44,842 --> 00:36:46,740 and normalizes it and allows us to correlate 935 00:36:46,740 --> 00:36:49,690 across different sources to get more intelligence. 936 00:36:49,690 --> 00:36:52,117 So when you were talking about-- 937 00:36:52,117 --> 00:36:53,700 whomever out there asked about, maybe, 938 00:36:53,700 --> 00:36:56,720 a log-in page that could show where you last logged 939 00:36:56,720 --> 00:37:00,280 in, et cetera, Splunk would probably 940 00:37:00,280 --> 00:37:01,915 be the enabling technology for that, 941 00:37:01,915 --> 00:37:03,540 because we can put everything together, 942 00:37:03,540 --> 00:37:07,340 we can do GeoIP lookups, and really build something 943 00:37:07,340 --> 00:37:11,080 on top of the raw data, pull some actual wisdom 944 00:37:11,080 --> 00:37:13,605 out of that data, so that we could present it to you in a page. 945 00:37:16,540 --> 00:37:17,040 OK. 946 00:37:17,040 --> 00:37:21,055 So now, we'll talk about attacks and things 947 00:37:21,055 --> 00:37:23,274 that you might find more interesting. 948 00:37:23,274 --> 00:37:25,440 We'll talk first about Distributed Denial of Service 949 00:37:25,440 --> 00:37:26,940 attacks, which we've really received 950 00:37:26,940 --> 00:37:29,290 a lot of in the past few years. 
951 00:37:29,290 --> 00:37:31,040 We'll also talk specifically about attacks 952 00:37:31,040 --> 00:37:34,160 that resulted from the Aaron Swartz tragedy of a few years 953 00:37:34,160 --> 00:37:38,730 ago, which ties in to the Distributed Denial of Service 954 00:37:38,730 --> 00:37:40,850 attacks. 955 00:37:40,850 --> 00:37:41,350 OK. 956 00:37:41,350 --> 00:37:44,230 So just a primer on Distributed Denial of Service. 957 00:37:44,230 --> 00:37:47,110 I apologize if this is remedial. 958 00:37:47,110 --> 00:37:48,980 So a Denial of Service attack really 959 00:37:48,980 --> 00:37:51,110 attacks the A of the CIA triad. 960 00:37:51,110 --> 00:37:53,110 The CIA triad's the foundation of computer security. 961 00:37:53,110 --> 00:37:55,955 It's Confidentiality, Integrity, and Availability. 962 00:37:55,955 --> 00:37:57,830 So we're going after the availability, right? 963 00:37:57,830 --> 00:38:01,260 We want to take a resource down so that legitimate users can't 964 00:38:01,260 --> 00:38:03,092 use it. 965 00:38:03,092 --> 00:38:04,550 That could be defacement of a page. 966 00:38:04,550 --> 00:38:05,530 Very simple, right? 967 00:38:05,530 --> 00:38:08,362 Digital graffiti, just ruin the page so nobody could see it. 968 00:38:08,362 --> 00:38:09,820 Could be resource consumption where 969 00:38:09,820 --> 00:38:12,510 you eat up all the computation on a system, 970 00:38:12,510 --> 00:38:14,700 all the bandwidth on a network. 971 00:38:14,700 --> 00:38:16,219 Could be a single attacker. 972 00:38:16,219 --> 00:38:17,760 But much more likely nowadays, you're 973 00:38:17,760 --> 00:38:19,384 going to invite your friends and you're 974 00:38:19,384 --> 00:38:20,957 going to have a party and a DDoS, 975 00:38:20,957 --> 00:38:22,290 a Distributed Denial of Service. 976 00:38:27,330 --> 00:38:29,340 OK, these are recent trends in the industry. 
977 00:38:29,340 --> 00:38:31,580 These are pulled from the Arbor Networks 978 00:38:31,580 --> 00:38:35,010 State of the Internet report. 979 00:38:35,010 --> 00:38:39,370 Hacktivism is the most common motivation. 980 00:38:39,370 --> 00:38:43,690 According to them, it's 40% of all claimed-- 981 00:38:43,690 --> 00:38:46,240 actually, those attacks that are attributed, 40% of them 982 00:38:46,240 --> 00:38:48,090 are attributed to hacktivism. 983 00:38:48,090 --> 00:38:50,030 The next one is 39% unknown. 984 00:38:50,030 --> 00:38:56,380 So it's dominating the top of the heap. 985 00:38:56,380 --> 00:38:59,750 Last year-- and these numbers, I believe, are from 2013-- 986 00:38:59,750 --> 00:39:03,320 there were multiple 100Gbps attacks. 987 00:39:03,320 --> 00:39:04,850 So the year before that made news 988 00:39:04,850 --> 00:39:07,885 because I think there was an attack on Spamhaus that 989 00:39:07,885 --> 00:39:09,990 was 300Gbps. 990 00:39:09,990 --> 00:39:12,244 This following year, that's kind of-- 991 00:39:12,244 --> 00:39:13,660 I wouldn't say the norm, but we're 992 00:39:13,660 --> 00:39:16,280 seeing a lot more of that. 993 00:39:16,280 --> 00:39:19,570 Longer-lasting attack, this operation here, 994 00:39:19,570 --> 00:39:22,850 Ababil, was a multi-month attack against the US 995 00:39:22,850 --> 00:39:25,370 financial sector. 996 00:39:25,370 --> 00:39:26,720 It went on for months. 997 00:39:26,720 --> 00:39:29,579 It was 65Gbps sustained at times. 998 00:39:29,579 --> 00:39:31,870 I've heard stories about this-- but you can Google more 999 00:39:31,870 --> 00:39:32,700 online-- 1000 00:39:32,700 --> 00:39:35,130 where it was just relentless. 1001 00:39:35,130 --> 00:39:36,600 They just couldn't stop it. 1002 00:39:36,600 --> 00:39:39,170 And we'll talk about the way that they ended up doing it. 1003 00:39:39,170 --> 00:39:42,919 But frankly, at 65Gbps or at 100Gbps, 1004 00:39:42,919 --> 00:39:44,710 you're at the mercy of the attacker, right? 
1005 00:39:44,710 --> 00:39:47,200 There's very few organizations on the planet 1006 00:39:47,200 --> 00:39:49,390 that can sustain an attack-- 1007 00:39:49,390 --> 00:39:54,260 can sustain-- can survive a sustained attack 1008 00:39:54,260 --> 00:39:55,622 of that magnitude. 1009 00:39:55,622 --> 00:39:58,350 You just can't do it. 1010 00:39:58,350 --> 00:40:01,400 And we're seeing a shift towards reflection and amplification 1011 00:40:01,400 --> 00:40:02,310 attacks. 1012 00:40:02,310 --> 00:40:07,080 So this is where you take a small input 1013 00:40:07,080 --> 00:40:08,720 and generate a large output. 1014 00:40:08,720 --> 00:40:09,640 This is nothing new. 1015 00:40:09,640 --> 00:40:12,610 This goes way back to-- 1016 00:40:12,610 --> 00:40:17,070 let's go ahead a sec, all right, I left that slide out-- 1017 00:40:17,070 --> 00:40:22,880 but this goes way back to the ICMP Smurf attack 1018 00:40:22,880 --> 00:40:25,645 where you would ping a broadcast address of a network, 1019 00:40:25,645 --> 00:40:27,020 and every machine on that network 1020 00:40:27,020 --> 00:40:30,326 would respond to the supposed originator 1021 00:40:30,326 --> 00:40:32,700 of the packet, which, of course, would be spoofed, right? 1022 00:40:32,700 --> 00:40:35,090 So I would masquerade as Mark. 1023 00:40:35,090 --> 00:40:37,580 I would send a packet to this class's broadcast address. 1024 00:40:37,580 --> 00:40:40,960 And you would all respond with packets to Mark, 1025 00:40:40,960 --> 00:40:42,240 thinking that he sent it. 1026 00:40:42,240 --> 00:40:44,410 Meanwhile, I sit in the corner and laugh. 1027 00:40:44,410 --> 00:40:45,770 So this is nothing new. 1028 00:40:45,770 --> 00:40:48,050 This goes back-- I mean, when I was in high school, 1029 00:40:48,050 --> 00:40:51,011 I was reading about this stuff. 
1030 00:40:51,011 --> 00:40:53,170 [LAUGHTER] 1031 00:40:53,170 --> 00:40:57,370 So UDP and ICMP, but UDP is a fire and forget protocol, 1032 00:40:57,370 --> 00:40:57,870 right? 1033 00:40:57,870 --> 00:40:58,746 It's not TCP. 1034 00:40:58,746 --> 00:40:59,495 It's not reliable. 1035 00:40:59,495 --> 00:41:01,220 It's not connection-oriented. 1036 00:41:01,220 --> 00:41:04,740 So fire and forget, it's easily spoofable. 1037 00:41:04,740 --> 00:41:06,780 And over the past year, what we've seen 1038 00:41:06,780 --> 00:41:12,560 are exploits of amplifiable features of these three 1039 00:41:12,560 --> 00:41:14,720 protocols, in particular. 1040 00:41:14,720 --> 00:41:17,844 So DNS-- this isn't working. 1041 00:41:17,844 --> 00:41:20,150 It works with a clicker. 1042 00:41:20,150 --> 00:41:24,280 DNS, port 53, UDP, right? 1043 00:41:24,280 --> 00:41:27,770 Basically, if you send a 64-byte ANY query 1044 00:41:27,770 --> 00:41:30,000 to a misconfigured server, it would respond 1045 00:41:30,000 --> 00:41:32,740 with a 512-byte response. 1046 00:41:32,740 --> 00:41:36,070 So that's an 8X amplification factor there. 1047 00:41:36,070 --> 00:41:38,400 Not bad. 1048 00:41:38,400 --> 00:41:40,860 What we found personally here on mit.net was, 1049 00:41:40,860 --> 00:41:44,022 when this whole trend started, like most things-- 1050 00:41:44,022 --> 00:41:46,230 EDUs and particularly here-- we were at the forefront 1051 00:41:46,230 --> 00:41:47,210 of this trend. 1052 00:41:47,210 --> 00:41:49,640 We were seeing this before it really took off 1053 00:41:49,640 --> 00:41:52,190 against commercial victims. 1054 00:41:52,190 --> 00:41:56,890 But we saw a 12-gig DNS amplification attack here, 1055 00:41:56,890 --> 00:42:00,500 which substantially impacted our outbound bandwidth. 1056 00:42:00,500 --> 00:42:03,190 We have sufficient bandwidth. 
1057 00:42:03,190 --> 00:42:06,550 But at those rates, if you add that to legitimate traffic, 1058 00:42:06,550 --> 00:42:07,810 we started to notice issues. 1059 00:42:07,810 --> 00:42:10,150 And Mark and I had to come in and resolve that. 1060 00:42:13,270 --> 00:42:18,710 SNMP, which is UDP port 161, very useful management 1061 00:42:18,710 --> 00:42:19,750 protocol. 1062 00:42:19,750 --> 00:42:24,820 But if you send a GetBulkRequest of 64 bytes to a device 1063 00:42:24,820 --> 00:42:30,330 that's improperly configured, it will respond with up to 1,000X 1064 00:42:30,330 --> 00:42:31,560 amplification. 1065 00:42:31,560 --> 00:42:33,100 So that's even better, right? 1066 00:42:33,100 --> 00:42:35,308 If you're an attacker, you're going to target things. 1067 00:42:35,308 --> 00:42:38,950 And we saw huge attacks against printers on campus. 1068 00:42:38,950 --> 00:42:42,290 So they would have a printer with an open SNMP agent. 1069 00:42:42,290 --> 00:42:44,280 They would send packets to it. 1070 00:42:44,280 --> 00:42:50,360 And we would send back 1,000 of them and pollute the internet. 1071 00:42:50,360 --> 00:42:54,720 NTP, Network Time Protocol. 1072 00:42:54,720 --> 00:42:56,220 In this case, a misconfigured server 1073 00:42:56,220 --> 00:42:59,514 would respond to MONLIST command, which would-- 1074 00:42:59,514 --> 00:43:01,180 I'm not sure of the amplification factor 1075 00:43:01,180 --> 00:43:01,680 on that one. 1076 00:43:01,680 --> 00:43:03,680 But that one's really, really popular. 1077 00:43:03,680 --> 00:43:06,970 So we got hit pretty hard with the NTP MONLIST 1078 00:43:06,970 --> 00:43:08,530 misconfiguration. 1079 00:43:08,530 --> 00:43:10,150 And we ended up doing a few things 1080 00:43:10,150 --> 00:43:12,450 to mitigate all these attacks. 
1081 00:43:12,450 --> 00:43:14,590 So on the NTP side, we disabled MONLIST 1082 00:43:14,590 --> 00:43:16,950 on the NTP servers we could, which kind of 1083 00:43:16,950 --> 00:43:19,080 kills the attack in its tracks. 1084 00:43:19,080 --> 00:43:21,960 But this being a federated institution where we don't have 1085 00:43:21,960 --> 00:43:23,924 power over nearly anything-- 1086 00:43:23,924 --> 00:43:24,840 I shouldn't say that-- 1087 00:43:24,840 --> 00:43:26,420 nearly everything, there's just a lot 1088 00:43:26,420 --> 00:43:29,370 of things we just don't have the reach to touch or the authority 1089 00:43:29,370 --> 00:43:30,024 to touch. 1090 00:43:30,024 --> 00:43:31,440 So what we ended up doing was just 1091 00:43:31,440 --> 00:43:33,530 rate-limiting NTP at the border. 1092 00:43:33,530 --> 00:43:36,940 And that's been in place now for almost a year? 1093 00:43:36,940 --> 00:43:40,180 Almost a year with almost no negative impact. 1094 00:43:40,180 --> 00:43:44,140 So we rate-limited down to, let's say, a few megabits, 1095 00:43:44,140 --> 00:43:46,640 which was certainly better than the gigs we were sending out 1096 00:43:46,640 --> 00:43:47,890 to the internet previously. 1097 00:43:47,890 --> 00:43:49,990 So that's kind of a solved problem. 1098 00:43:49,990 --> 00:43:56,380 DNS is a bit harder, was a bit harder to take care of. 1099 00:43:56,380 --> 00:43:58,390 What we ended up doing was started to leverage 1100 00:43:58,390 --> 00:44:00,860 an Akamai service called eDNS. 1101 00:44:00,860 --> 00:44:02,720 So Akamai has this service where you could 1102 00:44:02,720 --> 00:44:04,900 host your zones with them. 1103 00:44:04,900 --> 00:44:06,150 They're one of many providers. 1104 00:44:06,150 --> 00:44:07,852 But we had an existing relationship 1105 00:44:07,852 --> 00:44:09,810 with Akamai, which I'll talk about in a minute. 
1106 00:44:09,810 --> 00:44:14,240 So we leveraged their eDNS, bifurcated our DNS, our domain 1107 00:44:14,240 --> 00:44:16,270 name system space. 1108 00:44:16,270 --> 00:44:18,720 We put an external view on Akamai. 1109 00:44:18,720 --> 00:44:23,070 We put an internal on the servers that always served MIT. 1110 00:44:23,070 --> 00:44:25,410 And then we ACL'd off the internal view, 1111 00:44:25,410 --> 00:44:28,220 so only MIT clients could hit our internal servers. 1112 00:44:28,220 --> 00:44:31,290 And the rest of the world hits Akamai. 1113 00:44:31,290 --> 00:44:34,380 The benefit of Akamai eDNS is it's hosted in a content 1114 00:44:34,380 --> 00:44:35,690 distribution network. 1115 00:44:35,690 --> 00:44:36,960 It's all over the world. 1116 00:44:36,960 --> 00:44:41,170 It's being served out of Asia, Europe, North America 1117 00:44:41,170 --> 00:44:42,510 East, West. 1118 00:44:42,510 --> 00:44:45,472 It's all over the place. 1119 00:44:45,472 --> 00:44:46,930 Most people can't take down Akamai, 1120 00:44:46,930 --> 00:44:49,532 so we don't have to worry about our DNS going down any more. 1121 00:44:49,532 --> 00:44:51,490 So that's kind of how we resolved that problem. 1122 00:44:54,950 --> 00:44:55,450 OK. 1123 00:44:55,450 --> 00:45:00,350 So these are details of the attacks themselves. 1124 00:45:00,350 --> 00:45:03,080 Source obfuscation, this is probably remedial. 1125 00:45:03,080 --> 00:45:05,163 Why you do it, to avoid detection and prosecution. 1126 00:45:07,770 --> 00:45:10,070 I'll skip that one. 1127 00:45:10,070 --> 00:45:10,570 OK. 1128 00:45:10,570 --> 00:45:12,480 So maybe you don't want to hide your address 1129 00:45:12,480 --> 00:45:14,460 or spoof your address, you just want 1130 00:45:14,460 --> 00:45:17,420 to destroy a target with bots. 1131 00:45:17,420 --> 00:45:20,632 So botnets are huge right now. 
1132 00:45:20,632 --> 00:45:23,820 The "it's OK, no problem, bro" was 1133 00:45:23,820 --> 00:45:27,510 used in that operation Ababil, which really targeted the US 1134 00:45:27,510 --> 00:45:29,390 financial sector. 1135 00:45:29,390 --> 00:45:31,140 So in this case, rather than just spoofing 1136 00:45:31,140 --> 00:45:33,330 a bunch of packets from one host, 1137 00:45:33,330 --> 00:45:37,170 we're using a botnet of legitimate systems 1138 00:45:37,170 --> 00:45:40,340 that don't necessarily need to just spoof. 1139 00:45:40,340 --> 00:45:41,810 Since these are legitimate systems 1140 00:45:41,810 --> 00:45:45,040 and they'll respond to, say, a TCP SYN-ACK, 1141 00:45:45,040 --> 00:45:46,920 we can actually do more higher level attacks, 1142 00:45:46,920 --> 00:45:49,967 like attack an HTTP server and do GET and POST floods. 1143 00:45:53,630 --> 00:45:55,180 They might hire stressers. 1144 00:45:55,180 --> 00:45:57,880 Stressers are basically botnets for hire 1145 00:45:57,880 --> 00:46:02,170 where you hire them to do load testing, 1146 00:46:02,170 --> 00:46:06,440 and they go and load test someone else for you. 1147 00:46:06,440 --> 00:46:09,980 There's, no doubt, probably legitimate ones out there. 1148 00:46:09,980 --> 00:46:13,334 But there are others that aren't and are basically 1149 00:46:13,334 --> 00:46:14,500 denial of services for hire. 1150 00:46:18,140 --> 00:46:19,770 OK, so the mitigation strategies. 1151 00:46:19,770 --> 00:46:22,800 We talked about one, which is DNS. 1152 00:46:22,800 --> 00:46:25,500 We can use DNS to mitigate these attacks. 1153 00:46:25,500 --> 00:46:28,620 So we have used Akamai to do that. 1154 00:46:28,620 --> 00:46:32,150 In this graphic here-- which is probably too small for you 1155 00:46:32,150 --> 00:46:33,810 to see-- 1156 00:46:33,810 --> 00:46:41,170 but basically, this slide is way too far ahead 1157 00:46:41,170 --> 00:46:42,030 of where it should be. 
1158 00:46:42,030 --> 00:46:44,770 So OK, we had an attack against our web server, 1159 00:46:44,770 --> 00:46:46,300 so I'll just brief you real quick. 1160 00:46:46,300 --> 00:46:48,730 One of the attacks that followed the Swartz tragedy 1161 00:46:48,730 --> 00:46:51,050 was an attack against web.mit. 1162 00:46:51,050 --> 00:46:52,840 They took down our web server. 1163 00:46:52,840 --> 00:46:56,880 The way we solved that was we used our bifurcated DNS 1164 00:46:56,880 --> 00:47:00,520 to point internal clients to web.mit internally. 1165 00:47:00,520 --> 00:47:03,240 And then we use the Akamai content distribution network 1166 00:47:03,240 --> 00:47:05,710 to basically mirror web.mit. 1167 00:47:05,710 --> 00:47:07,450 And then we used the external view 1168 00:47:07,450 --> 00:47:11,020 of our DNS to point external clients to Akamai. 1169 00:47:11,020 --> 00:47:14,560 So when a user out on the internet-- 1170 00:47:14,560 --> 00:47:16,200 which we'll say is over here-- 1171 00:47:16,200 --> 00:47:18,620 wants to go to web.mit, they actually 1172 00:47:18,620 --> 00:47:22,180 go to the Akamai CDN, which serves up the content. 1173 00:47:22,180 --> 00:47:23,790 If it's content that, for some reason, 1174 00:47:23,790 --> 00:47:25,580 they can't directly serve out cache, 1175 00:47:25,580 --> 00:47:31,050 it's dynamic or whatever, the origin server, which is still 1176 00:47:31,050 --> 00:47:35,910 web.mit, and Akamai will go and fetch the necessary content, 1177 00:47:35,910 --> 00:47:38,370 send it to the user, and then potentially cache it 1178 00:47:38,370 --> 00:47:40,050 for some interval. 1179 00:47:40,050 --> 00:47:43,350 So short story here is that the attack-- 1180 00:47:43,350 --> 00:47:44,840 I'll talk about it in a minute-- 1181 00:47:44,840 --> 00:47:47,520 but the way we solved it was we put the actual web server 1182 00:47:47,520 --> 00:47:50,462 on the content distribution network of Akamai. 
1183 00:47:53,870 --> 00:47:56,380 The other attacks that we'll talk 1184 00:47:56,380 --> 00:47:57,950 about-- this is how we mitigated. 1185 00:47:57,950 --> 00:48:01,982 These two slides are out of order. 1186 00:48:01,982 --> 00:48:03,190 So I mentioned a few attacks. 1187 00:48:03,190 --> 00:48:06,090 I mentioned the NTP attack. 1188 00:48:06,090 --> 00:48:08,050 I'm going to mention a couple of others. 1189 00:48:08,050 --> 00:48:09,610 But basically, these are attacks that 1190 00:48:09,610 --> 00:48:12,130 are just brute force, trying to overwhelm our bandwidth. 1191 00:48:12,130 --> 00:48:14,140 And I mentioned, when you get up into the tens 1192 00:48:14,140 --> 00:48:19,830 of gigabits range, a lot of internet end users, 1193 00:48:19,830 --> 00:48:20,849 such as MIT-- 1194 00:48:20,849 --> 00:48:23,140 you can name another service provider, but a very large 1195 00:48:23,140 --> 00:48:25,170 user-- even we would have trouble handling 1196 00:48:25,170 --> 00:48:28,077 tens of gigabits of traffic. 1197 00:48:28,077 --> 00:48:30,410 So in that case, your options are really limited, right? 1198 00:48:30,410 --> 00:48:31,868 If it's spoofed traffic, how do you 1199 00:48:31,868 --> 00:48:35,260 put a filter at your border to block this traffic? 1200 00:48:35,260 --> 00:48:37,702 And even so, once it's got to your border 1201 00:48:37,702 --> 00:48:39,910 where you filter it, it's already flooded your pipes. 1202 00:48:39,910 --> 00:48:41,047 So how do you do this? 1203 00:48:41,047 --> 00:48:43,630 You have to push it back up into the cloud, into the internet, 1204 00:48:43,630 --> 00:48:45,200 and block it there. 1205 00:48:45,200 --> 00:48:47,305 And the way that many people are choosing to do it 1206 00:48:47,305 --> 00:48:51,719 and the way we've done it here is through BGP mitigation. 
1207 00:48:51,719 --> 00:48:54,010 So if you're familiar with BGP, which is Border Gateway 1208 00:48:54,010 --> 00:48:57,250 Protocol, it's the protocol that runs routing on the internet. 1209 00:48:57,250 --> 00:48:59,680 And it's a path vector protocol that 1210 00:48:59,680 --> 00:49:04,630 uses ASNs, so autonomous system numbers. 1211 00:49:04,630 --> 00:49:07,840 So every multi-homed organization on the internet 1212 00:49:07,840 --> 00:49:11,180 has an ASN, an autonomous system number. 1213 00:49:11,180 --> 00:49:16,410 And BGP uses that number to build paths 1214 00:49:16,410 --> 00:49:19,120 through the internet so that you can have multiple paths to get 1215 00:49:19,120 --> 00:49:22,090 to a particular ASN. 1216 00:49:22,090 --> 00:49:24,225 In this case, I'm using example 123, 1217 00:49:24,225 --> 00:49:27,230 because I created this for another organization. 1218 00:49:27,230 --> 00:49:31,530 We're three, because we're awesome like that. 1219 00:49:31,530 --> 00:49:35,020 Harvard was 11, so they're a little slower to the punch. 1220 00:49:35,020 --> 00:49:37,930 But in this case, we've got a path. 1221 00:49:37,930 --> 00:49:41,990 So we've got the beginning of the path is ASN123. 1222 00:49:41,990 --> 00:49:44,160 The end of the path is 789. 1223 00:49:44,160 --> 00:49:47,990 And there's some sequence of ASes, autonomous systems, 1224 00:49:47,990 --> 00:49:50,320 that this packet has to pass through. 1225 00:49:50,320 --> 00:49:54,160 So what we're going to do with BGP mitigation 1226 00:49:54,160 --> 00:49:57,050 is just inject another ASN into the mix. 1227 00:49:57,050 --> 00:49:59,100 And that ASN has the capabilities 1228 00:49:59,100 --> 00:50:02,000 to handle this traffic on our. 1229 00:50:02,000 --> 00:50:06,020 So in this case, we have ASN456. 1230 00:50:06,020 --> 00:50:08,210 And they are going to be kind of a sanctioned man 1231 00:50:08,210 --> 00:50:09,460 in the middle for us. 
1232 00:50:09,460 --> 00:50:13,290 We're going to allow them to advertise our prefixes so that, 1233 00:50:13,290 --> 00:50:20,480 when we come under attack, if 18.1.2.3.0/24, 1234 00:50:20,480 --> 00:50:25,070 a small slice of 255 addresses at MIT comes under attack, 1235 00:50:25,070 --> 00:50:31,980 we allow this AS456 to advertise that prefix on our behalf. 1236 00:50:31,980 --> 00:50:34,620 Once that change propagates across the internet, 1237 00:50:34,620 --> 00:50:37,480 all of the traffic starts going into that AS. 1238 00:50:37,480 --> 00:50:40,119 And in this case, for us, that AS is Akamai. 1239 00:50:40,119 --> 00:50:42,410 And they have lots of scrubbers and can handle the high 1240 00:50:42,410 --> 00:50:44,240 bandwidth that we can't. 1241 00:50:44,240 --> 00:50:46,970 So on the back end of that connection 1242 00:50:46,970 --> 00:50:48,940 is a private connection we have into Akamai 1243 00:50:48,940 --> 00:50:50,640 where they send the post-scrubbed, 1244 00:50:50,640 --> 00:50:53,110 the clean traffic out to us. 1245 00:50:53,110 --> 00:50:56,310 And that way, we can avoid these sorts 1246 00:50:56,310 --> 00:50:58,195 of potentially deadly attacks that 1247 00:50:58,195 --> 00:50:59,550 could just take us offline. 1248 00:50:59,550 --> 00:51:01,460 If you're getting hit with that much traffic, 1249 00:51:01,460 --> 00:51:02,793 there's just nothing you can do. 1250 00:51:07,664 --> 00:51:09,080 So actually, before we keep going, 1251 00:51:09,080 --> 00:51:13,400 any questions on what we've covered so far? 1252 00:51:13,400 --> 00:51:14,692 Yes? 1253 00:51:14,692 --> 00:51:16,900 AUDIENCE: This is just more of a networking question. 1254 00:51:16,900 --> 00:51:17,983 You mentioned the borders. 1255 00:51:17,983 --> 00:51:18,900 PROFESSOR: Yes. 1256 00:51:18,900 --> 00:51:21,400 AUDIENCE: And [INAUDIBLE]. 
1257 00:51:25,400 --> 00:51:29,730 So I'm trying to understand the structure of the micro-network 1258 00:51:29,730 --> 00:51:32,830 and just what a border actually is. 1259 00:51:32,830 --> 00:51:34,194 PROFESSOR: Let's see. 1260 00:51:34,194 --> 00:51:36,787 Let me see if I can pull up a quick diagram for you. 1261 00:51:36,787 --> 00:51:37,745 PROFESSOR: [INAUDIBLE]. 1262 00:51:39,944 --> 00:51:41,110 PROFESSOR: Oh, that's right. 1263 00:51:41,110 --> 00:51:41,610 Yeah. 1264 00:51:41,610 --> 00:51:43,780 It's a video camera, it's not-- 1265 00:51:43,780 --> 00:51:58,680 So MIT really has three border routers, external 1, 1266 00:51:58,680 --> 00:52:01,820 external 2, and another router. 1267 00:52:01,820 --> 00:52:04,380 Let's just call it external 3. 1268 00:52:04,380 --> 00:52:05,380 So these are our-- 1269 00:52:14,610 --> 00:52:18,300 so basically, the actual mit.net is pretty much a standard hub 1270 00:52:18,300 --> 00:52:19,340 and spoke topology. 1271 00:52:19,340 --> 00:52:23,170 We have core switches connected out to a distribution layer. 1272 00:52:23,170 --> 00:52:25,930 And then they go out to access layers, 1273 00:52:25,930 --> 00:52:27,600 which are basically buildings. 1274 00:52:27,600 --> 00:52:29,645 At the border, we have these three borders here. 1275 00:52:32,420 --> 00:52:33,470 This is incredibly vague. 1276 00:52:33,470 --> 00:52:34,170 I apologize. 1277 00:52:34,170 --> 00:52:37,600 But we have multiple providers. 1278 00:52:37,600 --> 00:52:40,550 So for instance, our commercial providers 1279 00:52:40,550 --> 00:52:43,320 will soon be dual-homed to both of our border routers. 1280 00:52:43,320 --> 00:52:44,990 This external router 3 here-- 1281 00:52:47,820 --> 00:52:50,660 which is not its real name-- but this external router here 1282 00:52:50,660 --> 00:52:53,440 is basically for research peering. 
1283 00:52:53,440 --> 00:52:56,820 So we kind of have a delineation between commodity 1284 00:52:56,820 --> 00:53:00,070 and commercial peering and research peering. 1285 00:53:00,070 --> 00:53:03,170 So all of the BGP we're talking about 1286 00:53:03,170 --> 00:53:06,700 happens between the external border and our providers 1287 00:53:06,700 --> 00:53:08,900 and back up into the internet itself. 1288 00:53:11,820 --> 00:53:14,680 Oh, and these are just choke point routers 1289 00:53:14,680 --> 00:53:17,120 that we have between our border and our core. 1290 00:53:21,690 --> 00:53:22,190 OK. 1291 00:53:22,190 --> 00:53:27,910 So in response to the Swartz tragedy of-- 1292 00:53:27,910 --> 00:53:32,260 I believe it was two years ago, I had just started here-- 1293 00:53:32,260 --> 00:53:34,010 certain hacktivists took it upon themselves 1294 00:53:34,010 --> 00:53:35,560 to attack MIT as an institution. 1295 00:53:35,560 --> 00:53:37,387 So we experienced three attacks. 1296 00:53:37,387 --> 00:53:38,970 And I'm going to go through all three, 1297 00:53:38,970 --> 00:53:42,466 because there were three separate and distinct types 1298 00:53:42,466 --> 00:53:42,965 of attacks. 1299 00:53:45,940 --> 00:53:49,460 So the first attack was against our infrastructure itself. 1300 00:53:49,460 --> 00:53:55,810 So at the time, MIT did and does and will support openness. 1301 00:53:55,810 --> 00:53:59,240 And we have a very open network, especially in comparison 1302 00:53:59,240 --> 00:54:04,690 to other dot edus, having come from another one. 1303 00:54:04,690 --> 00:54:07,269 That can be a blessing and a curse from a security 1304 00:54:07,269 --> 00:54:08,060 perspective, right? 1305 00:54:08,060 --> 00:54:10,070 So we're open to the world. 
1306 00:54:10,070 --> 00:54:12,970 In this case, our border routers, these guys here 1307 00:54:12,970 --> 00:54:16,470 that we just drew, were running an older version of software 1308 00:54:16,470 --> 00:54:20,770 that was vulnerable to a particular denial of service 1309 00:54:20,770 --> 00:54:22,000 attack. 1310 00:54:22,000 --> 00:54:25,100 So the attackers in this case sent a very low bandwidth 1311 00:54:25,100 --> 00:54:25,800 stream. 1312 00:54:25,800 --> 00:54:27,470 I mean, it was really low. 1313 00:54:27,470 --> 00:54:28,610 It was less than 100k. 1314 00:54:28,610 --> 00:54:30,890 It would have been totally non-noticeable, 1315 00:54:30,890 --> 00:54:33,200 without actually going on the device and debugging. 1316 00:54:33,200 --> 00:54:36,010 They sent it to the management interface of those devices. 1317 00:54:36,010 --> 00:54:38,860 And those devices promptly just keeled over, right? 1318 00:54:38,860 --> 00:54:40,470 They didn't die, but the CPU spiked. 1319 00:54:40,470 --> 00:54:41,840 They weren't routing packets. 1320 00:54:41,840 --> 00:54:45,920 mit.net, at that point, was offline. 1321 00:54:45,920 --> 00:54:49,680 So in this case, this was the first attack we experienced. 1322 00:54:49,680 --> 00:54:52,532 I think it was during the Patriots playoff game. 1323 00:54:52,532 --> 00:54:53,990 Sometimes, I think these things are 1324 00:54:53,990 --> 00:54:57,610 planned to find it when staff is not paying attention. 1325 00:54:57,610 --> 00:55:01,130 So it was during that playoff game. 1326 00:55:01,130 --> 00:55:02,720 What we ended up doing was immediately 1327 00:55:02,720 --> 00:55:04,845 upgrading the software to a patched version, right? 1328 00:55:04,845 --> 00:55:07,550 That was a quick triage fix. 1329 00:55:07,550 --> 00:55:10,824 The longer term fix was that-- 1330 00:55:10,824 --> 00:55:12,240 outsiders on the internet probably 1331 00:55:12,240 --> 00:55:14,680 don't need to access our management interfaces, right? 
1332 00:55:14,680 --> 00:55:18,860 A very select few need to access those interfaces. 1333 00:55:18,860 --> 00:55:22,400 So we ended up implementing, basically, 1334 00:55:22,400 --> 00:55:24,420 least privilege, so that only the IP 1335 00:55:24,420 --> 00:55:28,010 addresses of our staff on VPN could access them. 1336 00:55:28,010 --> 00:55:33,190 And we stopped using cleartext management protocols. 1337 00:55:33,190 --> 00:55:36,330 So that one was fixed. 1338 00:55:36,330 --> 00:55:37,836 Then attack two came in. 1339 00:55:37,836 --> 00:55:39,502 PROFESSOR: There's a question over here. 1340 00:55:39,502 --> 00:55:39,886 PROFESSOR: Oh, a question. 1341 00:55:39,886 --> 00:55:40,468 Sorry. 1342 00:55:40,468 --> 00:55:44,010 AUDIENCE: So is it not correct that this was a zero-day attack 1343 00:55:44,010 --> 00:55:45,300 against the service provider? 1344 00:55:45,300 --> 00:55:46,540 PROFESSOR: I think it would be fair to say 1345 00:55:46,540 --> 00:55:47,770 it was not a zero-day attack. 1346 00:55:50,960 --> 00:55:53,700 The second attack was against web.mit.edu itself. 1347 00:55:53,700 --> 00:55:59,206 And this was what I alluded to on the DNS mitigation slide 1348 00:55:59,206 --> 00:56:00,910 that I got ahead of myself on. 1349 00:56:00,910 --> 00:56:05,850 So web.mit was in our data center, 1350 00:56:05,850 --> 00:56:07,010 protected by a firewall. 1351 00:56:07,010 --> 00:56:08,570 So it was behind a firewall. 1352 00:56:08,570 --> 00:56:11,300 What ended up happening was that the attacker 1353 00:56:11,300 --> 00:56:14,820 sent a flood of HTTP traffic. 1354 00:56:14,820 --> 00:56:16,540 It was a GET and POST flood. 1355 00:56:16,540 --> 00:56:19,800 I'm not sure which one it was. 1356 00:56:19,800 --> 00:56:21,795 But basically, they didn't kill the web server, 1357 00:56:21,795 --> 00:56:23,580 they killed the firewall.
1358 00:56:23,580 --> 00:56:27,060 The firewall keeled over because firewalls too are 1359 00:56:27,060 --> 00:56:28,710 a blessing and a curse, right? 1360 00:56:28,710 --> 00:56:33,465 A stateless router access list is very simple, very fast, 1361 00:56:33,465 --> 00:56:35,215 but you also lose a lot of the granularity 1362 00:56:35,215 --> 00:56:36,700 in what you can filter. 1363 00:56:36,700 --> 00:56:38,325 Because it's doing it packet by packet, 1364 00:56:38,325 --> 00:56:41,150 you can only use the criteria in each packet, ports, and IP 1365 00:56:41,150 --> 00:56:43,250 addresses, mostly. 1366 00:56:43,250 --> 00:56:47,220 We hid behind a firewall, which worked well when it worked. 1367 00:56:47,220 --> 00:56:49,310 But when it came under load, the state 1368 00:56:49,310 --> 00:56:50,515 required of the firewall-- 1369 00:56:50,515 --> 00:56:52,973 because the firewall is tracking every state, in addition to 1370 00:56:52,973 --> 00:56:54,115 the packets-- 1371 00:56:54,115 --> 00:56:55,920 it died. 1372 00:56:55,920 --> 00:56:59,310 So the triage fix for this attack 1373 00:56:59,310 --> 00:57:02,090 was that we moved it to a routed network. 1374 00:57:02,090 --> 00:57:04,840 And that's something we would have preferred not to do, 1375 00:57:04,840 --> 00:57:08,080 but you really had to, due to the attack that was ongoing. 1376 00:57:08,080 --> 00:57:10,410 The longer term mitigation that we performed 1377 00:57:10,410 --> 00:57:13,420 was that we moved into the Akamai CDN. 1378 00:57:13,420 --> 00:57:15,860 So you may notice, if you go outside of MIT, 1379 00:57:15,860 --> 00:57:21,110 as you go to web.mit now, it doesn't resolve to 18.09.22 1380 00:57:21,110 --> 00:57:21,610 anymore. 1381 00:57:21,610 --> 00:57:25,060 It resolves to a CNAME, which in turn resolves 1382 00:57:25,060 --> 00:57:26,856 to an Akamai IP address.
1383 00:57:30,670 --> 00:57:34,630 And attack number three, this one actually 1384 00:57:34,630 --> 00:57:38,180 wasn't on the side of mit.net. 1385 00:57:38,180 --> 00:57:40,180 This was on the side of our registrar. 1386 00:57:40,180 --> 00:57:44,760 So we found the homepage of MIT-- 1387 00:57:44,760 --> 00:57:48,350 www.mit and web.mit replaced with this page here. 1388 00:57:48,350 --> 00:57:51,660 And we quickly did some diagnostics on the web server. 1389 00:57:51,660 --> 00:57:53,010 Everything looked fine. 1390 00:57:53,010 --> 00:57:54,660 The server was not compromised. 1391 00:57:54,660 --> 00:57:57,130 It was not defaced like this. 1392 00:57:57,130 --> 00:58:00,180 And what we did end up finding was 1393 00:58:00,180 --> 00:58:05,380 that our WHOIS information for our name and our actual DNS 1394 00:58:05,380 --> 00:58:07,590 delegations weren't working. 1395 00:58:07,590 --> 00:58:11,000 So in this case, you can see the administrative contact, 1396 00:58:11,000 --> 00:58:12,550 "I got owned." 1397 00:58:12,550 --> 00:58:17,710 And then our address, "Owned network operations, Destroyed, 1398 00:58:17,710 --> 00:58:19,060 Massachusetts." 1399 00:58:19,060 --> 00:58:22,466 They were clearly just trying to poke at us. 1400 00:58:22,466 --> 00:58:24,340 But it was delegated out to these two servers 1401 00:58:24,340 --> 00:58:26,778 at CloudFlare, which is a cloud-based hosting provider. 1402 00:58:30,770 --> 00:58:33,220 So this is what I call the troll. 1403 00:58:33,220 --> 00:58:34,570 This was on Gizmodo. 1404 00:58:34,570 --> 00:58:38,700 This was a bit of indirection on the part of the attackers, 1405 00:58:38,700 --> 00:58:40,792 however many there were. 1406 00:58:40,792 --> 00:58:42,000 The hack went down like this. 1407 00:58:42,000 --> 00:58:43,510 So this is what he told the world 1408 00:58:43,510 --> 00:58:45,210 very soon after this happened.
1409 00:58:45,210 --> 00:58:48,080 So once we realize that it wasn't 1410 00:58:48,080 --> 00:58:51,030 MIT or anything on mit.net that was hacked, 1411 00:58:51,030 --> 00:58:53,270 it was actually our registrar, we got in contact 1412 00:58:53,270 --> 00:58:53,805 with our registrar. 1413 00:58:53,805 --> 00:58:54,929 We got our records changed. 1414 00:58:54,929 --> 00:58:56,690 We got everything locked down. 1415 00:58:56,690 --> 00:59:00,250 But of course, in DNS, there's time to live values involved. 1416 00:59:00,250 --> 00:59:01,570 Some of them are hours. 1417 00:59:01,570 --> 00:59:04,410 So after this attack was resolved, 1418 00:59:04,410 --> 00:59:06,660 there were still some flux afterwards. 1419 00:59:06,660 --> 00:59:09,790 And during that time, we're trying to clean everything up, 1420 00:59:09,790 --> 00:59:12,080 he posts on Gizmodo in the comments 1421 00:59:12,080 --> 00:59:14,630 on an article about this. 1422 00:59:14,630 --> 00:59:17,760 "Own the MIT NOC guy with a browser exploit." 1423 00:59:17,760 --> 00:59:20,220 That guy. 1424 00:59:20,220 --> 00:59:23,570 "Get their Educause logins, which were blah." 1425 00:59:23,570 --> 00:59:27,560 So he goes through the whole scenario. 1426 00:59:27,560 --> 00:59:32,120 But the vector here was the MIT NOC guy. 1427 00:59:32,120 --> 00:59:34,037 So Mark is swearing at the time, up and down-- 1428 00:59:34,037 --> 00:59:35,536 not actually swearing-- but swearing 1429 00:59:35,536 --> 00:59:36,890 up and down that it's not him. 1430 00:59:36,890 --> 00:59:39,660 He's not compromised. 1431 00:59:39,660 --> 00:59:44,050 So what we did end up finding out after the fact was this 1432 00:59:44,050 --> 00:59:46,331 was published well after the incident. 1433 00:59:46,331 --> 00:59:48,580 That link is still live, if you want to read about it. 1434 00:59:48,580 --> 00:59:51,050 This was indirection. 1435 00:59:51,050 --> 00:59:52,260 It wasn't true. 
1436 00:59:52,260 --> 00:59:55,640 The actual vector was that our entire registrar was owned. 1437 00:59:55,640 --> 00:59:59,160 Our registrar, being .edu, is run by an organization called 1438 00:59:59,160 --> 01:00:01,180 Educause. 1439 01:00:01,180 --> 01:00:04,520 Turns out that every DNS registration 1440 01:00:04,520 --> 01:00:05,970 account had been compromised. 1441 01:00:05,970 --> 01:00:08,040 The attacker had this for I don't know how long, 1442 01:00:08,040 --> 01:00:11,590 but they just decided to show their hand with the MIT hack 1443 01:00:11,590 --> 01:00:14,600 here and actually use their power to expose themselves, 1444 01:00:14,600 --> 01:00:17,630 but to also hack our DNS. 1445 01:00:17,630 --> 01:00:20,220 So this one wasn't actually anybody 1446 01:00:20,220 --> 01:00:23,780 at MIT's fault, it was on the part of our registrar, 1447 01:00:23,780 --> 01:00:25,860 which they soon acknowledged. 1448 01:00:25,860 --> 01:00:28,810 This was in February of 2013. 1449 01:00:28,810 --> 01:00:31,275 They mentioned that they were in fact breached. 1450 01:00:31,275 --> 01:00:32,900 And we all had to change our passwords. 1451 01:00:32,900 --> 01:00:34,400 And do we have two-factor now? 1452 01:00:34,400 --> 01:00:35,400 PROFESSOR: No. 1453 01:00:35,400 --> 01:00:38,400 PROFESSOR: OK. 1454 01:00:38,400 --> 01:00:40,740 But we ended up locking down our domain account so 1455 01:00:40,740 --> 01:00:41,580 that it couldn't be changed. 1456 01:00:41,580 --> 01:00:43,996 But you know, it turns out, if the entire system is owned, 1457 01:00:43,996 --> 01:00:45,660 if you check a box that says, "locked," 1458 01:00:45,660 --> 01:00:47,300 which prevents people from updating it, 1459 01:00:47,300 --> 01:00:49,530 it doesn't do much good. 1460 01:00:49,530 --> 01:00:51,880 In any case, they've fixed their system. 
1461 01:00:51,880 --> 01:00:53,910 And this one wasn't our fault, but it 1462 01:00:53,910 --> 01:00:55,910 was kind of an interesting one because it really 1463 01:00:55,910 --> 01:00:58,090 subverted some of the core protocols of the internet 1464 01:00:58,090 --> 01:01:00,849 in order to do this. 1465 01:01:00,849 --> 01:01:03,687 OK, so the current threat landscape. 1466 01:01:03,687 --> 01:01:04,633 No, no, no. 1467 01:01:04,633 --> 01:01:06,052 [INAUDIBLE] 1468 01:01:06,052 --> 01:01:07,950 Ah. 1469 01:01:07,950 --> 01:01:11,920 So if you can't exploit the silicon, exploit the carbon. 1470 01:01:11,920 --> 01:01:13,990 Exploit the user at the keyboard. 1471 01:01:13,990 --> 01:01:18,091 And this is what we're seeing a lot of now. 1472 01:01:18,091 --> 01:01:19,590 I mean, from my personal experience, 1473 01:01:19,590 --> 01:01:22,530 having been in this for almost 20 years, 1474 01:01:22,530 --> 01:01:25,477 the network-based vector-- 1475 01:01:25,477 --> 01:01:27,060 with the exception of this year, which 1476 01:01:27,060 --> 01:01:29,120 I'll talk about in a minute-- but the network-based vector, 1477 01:01:29,120 --> 01:01:30,661 attacks that originate on the network 1478 01:01:30,661 --> 01:01:33,180 and remotely exploit hosts, that isn't 1479 01:01:33,180 --> 01:01:35,620 a lot of what we see anymore. 1480 01:01:35,620 --> 01:01:38,700 Computer systems actually do seem to be getting more secure, 1481 01:01:38,700 --> 01:01:40,185 from the outside at least. 1482 01:01:40,185 --> 01:01:43,510 You know, Windows, and Solaris, and Linux, in the old days, 1483 01:01:43,510 --> 01:01:46,190 maybe a decade ago, they used to ship with all their services 1484 01:01:46,190 --> 01:01:46,782 enabled. 1485 01:01:46,782 --> 01:01:48,490 I called it lit up like a Christmas tree.
1486 01:01:48,490 --> 01:01:53,520 Everything would be on, because on the convenience and security 1487 01:01:53,520 --> 01:01:54,090 continuum-- 1488 01:01:54,090 --> 01:01:56,965 if we agree that one exists, some people don't-- but they 1489 01:01:56,965 --> 01:01:58,530 were way on the convenient side. 1490 01:01:58,530 --> 01:02:01,160 They wanted everything to work out of the box. 1491 01:02:01,160 --> 01:02:03,170 Whereas, I think we found a sensible medium 1492 01:02:03,170 --> 01:02:06,050 where, when you install a fresh operating system, 1493 01:02:06,050 --> 01:02:09,350 there is a host-based firewall running. 1494 01:02:09,350 --> 01:02:13,170 And there aren't world accessible services 1495 01:02:13,170 --> 01:02:14,340 running on a system. 1496 01:02:14,340 --> 01:02:17,320 We've also got things like Windows Update and Apple Update 1497 01:02:17,320 --> 01:02:20,070 and package managers in all the Linux distros, 1498 01:02:20,070 --> 01:02:23,280 so that a box that gets online, pretty quickly, 1499 01:02:23,280 --> 01:02:24,552 will get itself up to date. 1500 01:02:24,552 --> 01:02:27,010 So you don't have these ancient boxes with ancient services 1501 01:02:27,010 --> 01:02:28,660 open to the world. 1502 01:02:28,660 --> 01:02:29,160 OK. 1503 01:02:29,160 --> 01:02:32,090 So where I was going with that is they've 1504 01:02:32,090 --> 01:02:34,312 moved up the stack now, right? 1505 01:02:34,312 --> 01:02:36,020 Maybe they're at level eight or nine now. 1506 01:02:36,020 --> 01:02:37,186 They're dealing with people. 1507 01:02:37,186 --> 01:02:41,680 And they're trying to exploit human failings or frailties, 1508 01:02:41,680 --> 01:02:45,950 like fear, or greed, or trust, or familiarity, to kind 1509 01:02:45,950 --> 01:02:49,220 of leverage credentials, so that they can exploit application 1510 01:02:49,220 --> 01:02:50,720 access or privileged access. 
1511 01:02:50,720 --> 01:02:52,640 Rather than exploiting hosts themselves, 1512 01:02:52,640 --> 01:02:56,410 they're exploiting people. 1513 01:02:56,410 --> 01:03:01,190 A few things we've seen on campus in the very recent past. 1514 01:03:01,190 --> 01:03:02,780 This one here-- oh, I should say, 1515 01:03:02,780 --> 01:03:04,800 we have not experienced this one on campus. 1516 01:03:04,800 --> 01:03:06,660 I don't want to scare anybody. 1517 01:03:06,660 --> 01:03:09,550 This has been seen, though, across the nation in different 1518 01:03:09,550 --> 01:03:10,174 .edus. 1519 01:03:10,174 --> 01:03:11,840 And it's a very serious threat, so we're 1520 01:03:11,840 --> 01:03:13,270 moving quickly to address it. 1521 01:03:13,270 --> 01:03:15,490 However, we have not actually seen it here. 1522 01:03:15,490 --> 01:03:18,089 So this threat is spear phishing. 1523 01:03:18,089 --> 01:03:20,130 And this is probably remedial, but spear phishing 1524 01:03:20,130 --> 01:03:22,650 targets a particular community with a plausible message. 1525 01:03:22,650 --> 01:03:26,620 So if you just get spam messages or phishing messages, 1526 01:03:26,620 --> 01:03:30,420 they're just casting a wide net and catching 1527 01:03:30,420 --> 01:03:34,940 people who, for some bizarre reason, might respond to that. 1528 01:03:34,940 --> 01:03:37,765 However, in a spear phishing attack, 1529 01:03:37,765 --> 01:03:40,610 if they're able to narrow it and find a community of interest, 1530 01:03:40,610 --> 01:03:43,690 that they can actually say something that sounds mildly 1531 01:03:43,690 --> 01:03:45,640 plausible, Bank of America customers, 1532 01:03:45,640 --> 01:03:47,420 or MIT students, staff, and faculty. 1533 01:03:50,420 --> 01:03:53,140 In this case, they were able to choose communities 1534 01:03:53,140 --> 01:03:55,012 of different institutions. 1535 01:03:55,012 --> 01:03:56,970 I'm not singling anybody out, but it is public. 
1536 01:03:56,970 --> 01:03:59,760 And Boston University was one of them. 1537 01:03:59,760 --> 01:04:04,950 They targeted the community with bogus email messages pointing 1538 01:04:04,950 --> 01:04:06,870 to a bogus authentication site. 1539 01:04:06,870 --> 01:04:09,179 Some percentage of the users actually clicked through 1540 01:04:09,179 --> 01:04:11,220 and logged in, which of course, gave the attacker 1541 01:04:11,220 --> 01:04:12,480 the credentials. 1542 01:04:12,480 --> 01:04:15,800 The attacker then went to the legitimate site 1543 01:04:15,800 --> 01:04:17,645 and redirected those users' direct deposits 1544 01:04:17,645 --> 01:04:19,790 to an account under their control 1545 01:04:19,790 --> 01:04:22,660 and emptied that account. 1546 01:04:22,660 --> 01:04:26,080 I'm not sure the dollars affected there are public, 1547 01:04:26,080 --> 01:04:30,140 but it was probably a large amount. 1548 01:04:30,140 --> 01:04:31,970 So in response to this-- 1549 01:04:31,970 --> 01:04:33,510 I mean, how do you combat that? 1550 01:04:33,510 --> 01:04:37,110 To a large extent, it's a user education issue, so 1551 01:04:37,110 --> 01:04:38,150 community awareness. 1552 01:04:38,150 --> 01:04:41,180 Just let people know you can't trust email. 1553 01:04:41,180 --> 01:04:44,720 You just have to verify things, before you click on them. 1554 01:04:44,720 --> 01:04:49,681 But from experience and just knowing human nature, 1555 01:04:49,681 --> 01:04:51,180 that's only going to get you so far. 1556 01:04:51,180 --> 01:04:52,490 There's always going to be some percentage of people 1557 01:04:52,490 --> 01:04:53,540 who click on it. 1558 01:04:53,540 --> 01:04:55,530 And I'm amazed. 1559 01:04:55,530 --> 01:04:57,670 As you can imagine-- you all probably are as well-- 1560 01:04:57,670 --> 01:04:59,544 I'm a repository of all the phishing messages 1561 01:04:59,544 --> 01:05:00,590 my family receives.
1562 01:05:00,590 --> 01:05:03,880 So I'm getting stuff from my father, my sister, like, 1563 01:05:03,880 --> 01:05:04,730 is this legit? 1564 01:05:04,730 --> 01:05:06,695 And it's getting increasingly hard to tell. 1565 01:05:06,695 --> 01:05:08,570 So you've got to actually go into the headers 1566 01:05:08,570 --> 01:05:09,861 and see where it's coming from. 1567 01:05:12,470 --> 01:05:13,940 And a lot of mail clients now, they 1568 01:05:13,940 --> 01:05:15,606 don't actually like to show you the link 1569 01:05:15,606 --> 01:05:18,690 that it points to, which gets really annoying. 1570 01:05:18,690 --> 01:05:19,800 So it's getting harder. 1571 01:05:19,800 --> 01:05:24,800 So some of it is just user error, 1572 01:05:24,800 --> 01:05:25,940 for lack of a better word. 1573 01:05:25,940 --> 01:05:28,690 And some of it is it's just increasingly difficult to tell. 1574 01:05:28,690 --> 01:05:31,630 So at the root of the problem, in my opinion, 1575 01:05:31,630 --> 01:05:34,526 is that passwords are just a dead technology, right? 1576 01:05:34,526 --> 01:05:37,025 In terms of the factors, it's something you know, a password, 1577 01:05:37,025 --> 01:05:39,240 it's something you are, maybe a biometric, 1578 01:05:39,240 --> 01:05:42,840 or something you have, a token. 1579 01:05:42,840 --> 01:05:46,120 So what we're doing to try to mitigate this here-- 1580 01:05:46,120 --> 01:05:48,650 because basically, these man-in-the-middle attacks are 1581 01:05:48,650 --> 01:05:50,330 just stealing something you know. 1582 01:05:50,330 --> 01:05:51,780 They're stealing your password. 1583 01:05:51,780 --> 01:05:55,084 Well, if we can also add something that you have, 1584 01:05:55,084 --> 01:05:57,000 that attack is only going to get them halfway. 1585 01:05:57,000 --> 01:06:00,150 They're not going to be able to compromise your identity. 1586 01:06:00,150 --> 01:06:02,430 AUDIENCE: [INAUDIBLE] number?
1587 01:06:02,430 --> 01:06:04,648 PROFESSOR: You won't be able to compromise-- 1588 01:06:04,648 --> 01:06:06,314 the attacker won't be able to compromise 1589 01:06:06,314 --> 01:06:07,910 the identity of the user. 1590 01:06:07,910 --> 01:06:11,720 So we are rolling out a second authentication factor 1591 01:06:11,720 --> 01:06:18,380 in the near term that will be tied into our Touchstone IdP. 1592 01:06:18,380 --> 01:06:20,150 We can release that to these guys, right? 1593 01:06:20,150 --> 01:06:22,440 So early release, if you're interested. 1594 01:06:22,440 --> 01:06:28,217 If you go to duo.mit.edu, we're using a vendor 1595 01:06:28,217 --> 01:06:29,050 called Duo Security. 1596 01:06:29,050 --> 01:06:32,640 It's a cloud-based two-factor authentication system that's 1597 01:06:32,640 --> 01:06:34,330 being used in a lot of .edus. 1598 01:06:34,330 --> 01:06:37,750 But basically, you'll register your phone as a second factor 1599 01:06:37,750 --> 01:06:39,530 and you run a little smartphone app. 1600 01:06:39,530 --> 01:06:41,960 If you don't have a smartphone, I'm sorry. 1601 01:06:41,960 --> 01:06:47,980 But if you don't have one, you can also do it via SMS. 1602 01:06:47,980 --> 01:06:51,090 It will actually call you and tell you a number. 1603 01:06:51,090 --> 01:06:58,930 And you can also generate one-time passwords, 1604 01:06:58,930 --> 01:07:01,240 a list of 10 passwords that you can use. 1605 01:07:01,240 --> 01:07:03,150 So this is coming soon to the community. 1606 01:07:03,150 --> 01:07:06,020 It is completely active at this point, it's just not announced. 1607 01:07:06,020 --> 01:07:08,640 If you want to go to duo.mit, you can opt your phone in. 1608 01:07:08,640 --> 01:07:10,870 You can actually turn on Touchstone. 1609 01:07:10,870 --> 01:07:15,690 I'll give you a quick demo, to show you how it integrates.
1610 01:07:15,690 --> 01:07:19,870 The beauty of using standards and federated systems, 1611 01:07:19,870 --> 01:07:23,260 like SAML and Shibboleth, which underlie Touchstone, 1612 01:07:23,260 --> 01:07:28,020 is that we can easily lay on additional factors. 1613 01:07:28,020 --> 01:07:33,240 So in this case, I'm going to just go to a tool that I use, 1614 01:07:33,240 --> 01:07:37,010 which is transparently going to authenticate me using 1615 01:07:37,010 --> 01:07:38,390 Touchstone with my certificate. 1616 01:07:38,390 --> 01:07:39,980 But I should now get prompted for-- 1617 01:07:44,625 --> 01:07:45,250 too fast there. 1618 01:07:52,881 --> 01:07:53,631 Who runs this now? 1619 01:07:56,589 --> 01:07:58,054 PROFESSOR: Don't know that guy. 1620 01:07:58,054 --> 01:07:59,054 PROFESSOR: I don't know. 1621 01:07:59,054 --> 01:07:59,554 [LAUGHTER] 1622 01:07:59,554 --> 01:08:00,554 PROFESSOR: He got owned. 1623 01:08:00,554 --> 01:08:01,519 [LAUGHTER] 1624 01:08:01,519 --> 01:08:02,185 AUDIENCE: Yeah. 1625 01:08:02,185 --> 01:08:03,560 PROFESSOR: Give me a site to hit. 1626 01:08:03,560 --> 01:08:05,020 I'm just drawing a blank, because I'm 1627 01:08:05,020 --> 01:08:05,560 in front of a crowd. 1628 01:08:05,560 --> 01:08:06,310 PROFESSOR: Splunk? 1629 01:08:06,310 --> 01:08:07,290 PROFESSOR: Splunk. 1630 01:08:07,290 --> 01:08:08,760 No, not Splunk. 1631 01:08:08,760 --> 01:08:12,060 Because that's not a native Touchstone integration. 1632 01:08:12,060 --> 01:08:12,780 Atlas. 1633 01:08:12,780 --> 01:08:13,738 PROFESSOR: Atlas, yeah. 1634 01:08:25,956 --> 01:08:27,033 [LAUGHTER] 1635 01:08:27,033 --> 01:08:27,908 PROFESSOR: All right. 1636 01:08:27,908 --> 01:08:28,408 All right. 1637 01:08:28,408 --> 01:08:30,533 PROFESSOR: Well, he's very secure, at least, right? 1638 01:08:30,533 --> 01:08:31,460 [LAUGHTER] 1639 01:08:31,460 --> 01:08:33,585 The only real security is to stay off the internet. 1640 01:08:36,904 --> 01:08:37,779 PROFESSOR: All right.
1641 01:08:37,779 --> 01:08:43,349 If this doesn't work in 20 seconds, I will move on. 1642 01:08:43,349 --> 01:08:45,890 PROFESSOR: Do you have another browser, maybe, that's cached? 1643 01:08:45,890 --> 01:08:46,598 PROFESSOR: Maybe. 1644 01:08:53,580 --> 01:08:54,130 There we go. 1645 01:08:54,130 --> 01:08:54,630 Oh, weird. 1646 01:08:54,630 --> 01:08:57,065 OK, so here's my typical Touchstone login. 1647 01:09:00,120 --> 01:09:02,055 Now, you're going to just get one more prompt. 1648 01:09:05,700 --> 01:09:08,566 PROFESSOR: You're actually off the Wi-Fi, it looks like. 1649 01:09:08,566 --> 01:09:09,399 PROFESSOR: Oh, yeah. 1650 01:09:09,399 --> 01:09:09,899 I did. 1651 01:09:17,166 --> 01:09:17,666 All right. 1652 01:09:17,666 --> 01:09:19,499 Well, let's leave that demo for after class, 1653 01:09:19,499 --> 01:09:21,870 and let's edit that out. 1654 01:09:21,870 --> 01:09:23,490 [LAUGHTER] 1655 01:09:23,490 --> 01:09:24,990 PROFESSOR: In fact, now I tried it-- 1656 01:09:24,990 --> 01:09:25,080 PROFESSOR: All right. 1657 01:09:25,080 --> 01:09:27,204 I did not rehearse that demo, so that's what I get. 1658 01:09:27,204 --> 01:09:28,790 But trust me, it works. 1659 01:09:28,790 --> 01:09:31,850 If you go to Duo, you can register yourself. 1660 01:09:31,850 --> 01:09:34,924 And all of your two-factor interactions-- or I'm sorry, 1661 01:09:34,924 --> 01:09:37,340 your Touchstone interactions will all be two-factored now. 1662 01:09:37,340 --> 01:09:39,270 And you'll be super secure. 1663 01:09:39,270 --> 01:09:41,450 It really does work well. 1664 01:09:41,450 --> 01:09:47,120 Another threat we've experienced in the past few months is-- 1665 01:09:47,120 --> 01:09:49,850 this, again, is something that's targeting not just .edus, 1666 01:09:49,850 --> 01:09:52,630 but organizations across the country. 1667 01:09:52,630 --> 01:09:55,040 But we've been getting police caller ID spoofing.
1668 01:09:55,040 --> 01:09:57,850 And this kind of transcends the digital world, 1669 01:09:57,850 --> 01:09:59,474 for the most part. 1670 01:09:59,474 --> 01:10:01,140 Members of the MIT community are getting 1671 01:10:01,140 --> 01:10:03,720 calls from local police departments 1672 01:10:03,720 --> 01:10:05,284 near their hometown. 1673 01:10:05,284 --> 01:10:05,950 PROFESSOR: Yeah. 1674 01:10:05,950 --> 01:10:07,110 It appears to be a call. 1675 01:10:07,110 --> 01:10:08,280 PROFESSOR: Yes. 1676 01:10:08,280 --> 01:10:12,205 So these police departments are telling them bad news, right? 1677 01:10:12,205 --> 01:10:13,830 They're telling them you're about to be 1678 01:10:13,830 --> 01:10:14,890 charged with a crime. 1679 01:10:14,890 --> 01:10:16,900 I think some of them are tax fraud. 1680 01:10:16,900 --> 01:10:19,160 Your family member's been in an accident. 1681 01:10:19,160 --> 01:10:21,740 Of course, it's not real. 1682 01:10:21,740 --> 01:10:23,600 The call's coming from an attacker who's 1683 01:10:23,600 --> 01:10:26,573 using ANI, which is automated-- 1684 01:10:26,573 --> 01:10:28,545 PROFESSOR: They're using SIP, basically, 1685 01:10:28,545 --> 01:10:31,037 to forge the From field in their voice call, right? 1686 01:10:31,037 --> 01:10:31,620 PROFESSOR: OK. 1687 01:10:31,620 --> 01:10:32,746 Which feeds into caller ID. 1688 01:10:32,746 --> 01:10:34,286 PROFESSOR: Which then gets translated 1689 01:10:34,286 --> 01:10:36,850 by a bridge that trusts the From field of a SIP message to be 1690 01:10:36,850 --> 01:10:38,141 whatever number's placed in it. 1691 01:10:38,141 --> 01:10:38,770 PROFESSOR: OK. 1692 01:10:38,770 --> 01:10:41,617 PROFESSOR: And so the attacker's like, all right, so I sign up 1693 01:10:41,617 --> 01:10:42,700 for a cheapie SIP service. 1694 01:10:42,700 --> 01:10:45,170 And I'll set my From field to be the police department's 1695 01:10:45,170 --> 01:10:46,590 number in Lexington.
1696 01:10:46,590 --> 01:10:47,480 And I'll send it. 1697 01:10:47,480 --> 01:10:49,560 And once it gets to the transcoding gateway that 1698 01:10:49,560 --> 01:10:51,780 turns it back into traditional telephony, it says, all right. 1699 01:10:51,780 --> 01:10:53,196 Well, that's the number it's from. 1700 01:10:53,196 --> 01:10:55,235 We'll just show it to the user when it shows up. 1701 01:10:55,235 --> 01:10:56,860 PROFESSOR: So you end up getting a call 1702 01:10:56,860 --> 01:10:59,235 from what you think is a police department with extremely 1703 01:10:59,235 --> 01:11:00,300 bad news. 1704 01:11:00,300 --> 01:11:02,390 Again, they're exploiting human frailty here. 1705 01:11:02,390 --> 01:11:04,210 In this case, it's probably fear. 1706 01:11:04,210 --> 01:11:06,540 Maybe it's a little anger, but it's the case-- 1707 01:11:06,540 --> 01:11:07,410 PROFESSOR: Or guilt. 1708 01:11:07,410 --> 01:11:08,060 PROFESSOR: What's that? 1709 01:11:08,060 --> 01:11:08,480 PROFESSOR: Or guilt. 1710 01:11:08,480 --> 01:11:09,146 PROFESSOR: Yeah. 1711 01:11:09,146 --> 01:11:10,010 Yeah, I suppose. 1712 01:11:10,010 --> 01:11:12,680 [LAUGHS] If it's legit. 1713 01:11:12,680 --> 01:11:15,730 But in any case, these calls all come to the same point, which 1714 01:11:15,730 --> 01:11:21,242 is you need to pay a fee for something, which, on its face, 1715 01:11:21,242 --> 01:11:21,950 is kind of bogus. 1716 01:11:21,950 --> 01:11:23,180 But once they've told you this-- 1717 01:11:23,180 --> 01:11:25,260 I mean, if they told me that my wife was in a car accident, 1718 01:11:25,260 --> 01:11:27,010 I would not be in the right state of mind. 1719 01:11:27,010 --> 01:11:28,630 And I might believe some craziness 1720 01:11:28,630 --> 01:11:30,400 that they tell me after the fact.
1721 01:11:30,400 --> 01:11:35,930 So we've had people on campus who-- 1722 01:11:35,930 --> 01:11:38,420 I don't think anyone's actually paid, 1723 01:11:38,420 --> 01:11:40,940 but we have had multiple targets of this attack. 1724 01:11:40,940 --> 01:11:42,569 And again, this isn't just here. 1725 01:11:42,569 --> 01:11:44,360 If you Google it, you'll find reports of it 1726 01:11:44,360 --> 01:11:47,637 in Pittsburgh newspapers and all over the country. 1727 01:11:47,637 --> 01:11:49,720 But again, this is a spear phishing attack, right? 1728 01:11:49,720 --> 01:11:51,510 They figure out where you live. 1729 01:11:51,510 --> 01:11:53,520 And they can do this by just Googling your name 1730 01:11:53,520 --> 01:11:56,920 or just looking at MIT and checking the directory 1731 01:11:56,920 --> 01:11:59,080 and finding out some details about you. 1732 01:11:59,080 --> 01:12:00,940 And they just need enough to be plausible. 1733 01:12:00,940 --> 01:12:03,740 And then they proceed to call you and scare you and try 1734 01:12:03,740 --> 01:12:05,890 to extort you. 1735 01:12:05,890 --> 01:12:07,969 The mitigation here is difficult, 1736 01:12:07,969 --> 01:12:09,510 because it involves the phone system. 1737 01:12:09,510 --> 01:12:11,992 It involves multiple bridges. 1738 01:12:11,992 --> 01:12:13,450 Frankly, I'm not a phone guy, so it 1739 01:12:13,450 --> 01:12:16,700 involves lots of stuff I'm just going to wave my hands about. 1740 01:12:16,700 --> 01:12:19,432 But law enforcement needs to be involved here. 1741 01:12:19,432 --> 01:12:22,015 You have to go to your providers and work with law enforcement 1742 01:12:22,015 --> 01:12:23,090 to get that traced back. 1743 01:12:25,842 --> 01:12:26,800 Actually moved forward? 1744 01:12:26,800 --> 01:12:33,067 And one more along the spear phishing email side of things.
1745 01:12:33,067 --> 01:12:34,650 There's another thing that some people 1746 01:12:34,650 --> 01:12:36,720 call whaling, which is the intentional targeting 1747 01:12:36,720 --> 01:12:38,344 of high level staff at an organization. 1748 01:12:41,280 --> 01:12:42,790 We have experienced this-- 1749 01:12:42,790 --> 01:12:45,373 I've experienced it elsewhere, but we've also experienced this 1750 01:12:45,373 --> 01:12:48,110 here where they will send extremely targeted messages 1751 01:12:48,110 --> 01:12:51,620 at high level staff, using org charts, 1752 01:12:51,620 --> 01:12:54,420 using directories to find plausible reporting 1753 01:12:54,420 --> 01:12:59,830 relationships, and write some really believable messages 1754 01:12:59,830 --> 01:13:02,107 that, if you're not careful when you click reply, 1755 01:13:02,107 --> 01:13:03,690 that wire transfer number that they're 1756 01:13:03,690 --> 01:13:05,790 asking for isn't going to the person that you think 1757 01:13:05,790 --> 01:13:06,498 sent the message. 1758 01:13:06,498 --> 01:13:09,660 It's going to somewhere on the other side of the world 1759 01:13:09,660 --> 01:13:11,470 or the other side of the country. 1760 01:13:11,470 --> 01:13:13,544 So we've been experiencing this as well. 1761 01:13:13,544 --> 01:13:16,210 The short of it is-- in your own security class, you know this-- 1762 01:13:16,210 --> 01:13:18,090 SMTP is not a reliable protocol. 1763 01:13:18,090 --> 01:13:19,960 You can't believe pretty much anything 1764 01:13:19,960 --> 01:13:23,150 in there, which just runs completely counter 1765 01:13:23,150 --> 01:13:23,900 to human nature. 1766 01:13:23,900 --> 01:13:27,302 So take everything with a grain of salt. 1767 01:13:27,302 --> 01:13:28,926 PROFESSOR: You going to tell the story? 1768 01:13:28,926 --> 01:13:29,884 PROFESSOR: No, you can. 1769 01:13:29,884 --> 01:13:31,782 PROFESSOR: Yeah. 1770 01:13:31,782 --> 01:13:32,740 Yeah. 1771 01:13:32,740 --> 01:13:34,320 So you could tell it. 
1772 01:13:34,320 --> 01:13:35,810 Basically, we had one recently. 1773 01:13:35,810 --> 01:13:38,360 And I won't go into the details or the names. 1774 01:13:38,360 --> 01:13:39,577 Keep anonymity. 1775 01:13:39,577 --> 01:13:44,040 But a senior member of the administration 1776 01:13:44,040 --> 01:13:49,180 reaches out and says, hey, I got this email. 1777 01:13:49,180 --> 01:13:51,800 This is from someone and says, I need 1778 01:13:51,800 --> 01:13:55,270 help-- a very senior executive-- with a wire transfer. 1779 01:13:55,270 --> 01:13:56,640 And so he sent me this email. 1780 01:13:56,640 --> 01:13:57,450 And I replied. 1781 01:13:57,450 --> 01:14:00,820 And he said he didn't know what I was talking about. 1782 01:14:00,820 --> 01:14:01,990 And so how did that happen? 1783 01:14:01,990 --> 01:14:03,180 Is my email account hacked? 1784 01:14:03,180 --> 01:14:06,410 It says I sent this email, but I didn't. 1785 01:14:06,410 --> 01:14:10,140 And to Dave's point, the whole possibility that email itself 1786 01:14:10,140 --> 01:14:12,794 could somehow be spoofed, without your account itself 1787 01:14:12,794 --> 01:14:14,960 being compromised, is very foreign to people, right? 1788 01:14:14,960 --> 01:14:16,270 It's a trust relationship. 1789 01:14:16,270 --> 01:14:17,970 So it turns out, I guess, it was someone 1790 01:14:17,970 --> 01:14:22,485 at an internet cafe in Nigeria or something like that, 1791 01:14:22,485 --> 01:14:23,610 which we were joking about. 1792 01:14:23,610 --> 01:14:25,735 But yeah, they basically went to the MIT org chart, 1793 01:14:25,735 --> 01:14:27,520 found a senior executive, found someone 1794 01:14:27,520 --> 01:14:29,770 in the Vice President of Finance office and said, hey, 1795 01:14:29,770 --> 01:14:31,894 I need you to help me with this wire transfer call. 1796 01:14:31,894 --> 01:14:32,760 Here's the number. 1797 01:14:32,760 --> 01:14:36,510 And these are the kinds of things that happen every day. 
1798 01:14:36,510 --> 01:14:38,450 They didn't transfer the money, obviously. 1799 01:14:38,450 --> 01:14:39,520 PROFESSOR: The email was totally believable? 1800 01:14:39,520 --> 01:14:39,780 PROFESSOR: Yeah. 1801 01:14:39,780 --> 01:14:40,980 PROFESSOR: I've seen it. 1802 01:14:40,980 --> 01:14:41,830 PROFESSOR: Even the tone and everything 1803 01:14:41,830 --> 01:14:42,810 seemed very plausible. 1804 01:14:42,810 --> 01:14:42,845 PROFESSOR: Yep. 1805 01:14:42,845 --> 01:14:44,678 PROFESSOR: They actually used email messages 1806 01:14:44,678 --> 01:14:46,590 this senior executive had written 1807 01:14:46,590 --> 01:14:48,174 that were posted on public websites, 1808 01:14:48,174 --> 01:14:49,840 because they send memos to the community 1809 01:14:49,840 --> 01:14:53,760 and things like that that used the exact same style, 1810 01:14:53,760 --> 01:14:56,200 introduction, the way they closed the message. 1811 01:14:56,200 --> 01:14:59,055 Even the language and terms they used was identical. 1812 01:14:59,055 --> 01:15:01,214 This is stuff they had used in other ways. 1813 01:15:01,214 --> 01:15:02,630 So it was actually kind of creepy, 1814 01:15:02,630 --> 01:15:04,046 because even when I first read it, 1815 01:15:04,046 --> 01:15:07,060 if you didn't know what it was, it was semi-plausible. 1816 01:15:07,060 --> 01:15:09,310 And thankfully, the staff member that it was requested 1817 01:15:09,310 --> 01:15:11,910 of-- like this was kind of an out of the ordinary request, 1818 01:15:11,910 --> 01:15:14,180 it got flagged, even though it looked legitimate. 1819 01:15:14,180 --> 01:15:19,530 And he or she responded directly to the sender, 1820 01:15:19,530 --> 01:15:21,300 removing the Reply-To address and actually 1821 01:15:21,300 --> 01:15:25,170 putting in a known good one from his address book or her address 1822 01:15:25,170 --> 01:15:29,377 book, and responded and asked and kind of unveiled 1823 01:15:29,377 --> 01:15:30,270 the whole scheme.
1824 01:15:30,270 --> 01:15:34,620 But it could have gone south really quickly. 1825 01:15:34,620 --> 01:15:36,620 OK, so I mentioned that the network-based vector 1826 01:15:36,620 --> 01:15:39,310 in my experience isn't as prevalent as it used to be. 1827 01:15:39,310 --> 01:15:43,900 And I'll kind of belie that here, or make a lie of it here. 1828 01:15:43,900 --> 01:15:47,390 This year has been a year of major exploits. 1829 01:15:47,390 --> 01:15:50,320 Every single major SSL implementation 1830 01:15:50,320 --> 01:15:51,630 has been targeted. 1831 01:15:51,630 --> 01:15:55,120 There was Schannel on the Microsoft side. 1832 01:15:55,120 --> 01:15:59,190 There was the Apple implementation, OpenSSL. 1833 01:15:59,190 --> 01:16:00,640 There was POODLE with SSLv3. 1834 01:16:04,179 --> 01:16:04,970 This is SSL, right? 1835 01:16:04,970 --> 01:16:06,220 This is a security service. 1836 01:16:06,220 --> 01:16:09,770 So when you put a service up facing the world, 1837 01:16:09,770 --> 01:16:11,240 you're going to run SSL. 1838 01:16:11,240 --> 01:16:13,360 So we had a lot of world-facing services 1839 01:16:13,360 --> 01:16:16,220 out there that were vulnerable to some of these things. 1840 01:16:16,220 --> 01:16:19,990 Shellshock was one that affected the Bash shell where you could 1841 01:16:19,990 --> 01:16:21,680 remotely exploit a system. 1842 01:16:21,680 --> 01:16:24,730 So these are all kind of the gold standard 1843 01:16:24,730 --> 01:16:26,644 of a network-based exploit. 1844 01:16:26,644 --> 01:16:28,560 They were remotely exploitable, and they could 1845 01:16:28,560 --> 01:16:31,330 get administrative privileges. 1846 01:16:31,330 --> 01:16:34,400 So it's been a kind of a nasty year, in terms of that. 1847 01:16:34,400 --> 01:16:37,560 So it's, in my opinion, a bit of an outlier. 1848 01:16:37,560 --> 01:16:38,970 But how do we deal with this? 1849 01:16:38,970 --> 01:16:40,780 Because these services are public.
1850 01:16:40,780 --> 01:16:41,840 They need to be public. 1851 01:16:41,840 --> 01:16:43,800 We can't just fence them off, because they're 1852 01:16:43,800 --> 01:16:46,040 vulnerable to something. 1853 01:16:46,040 --> 01:16:49,640 The first thing is automatic patching. 1854 01:16:49,640 --> 01:16:52,875 In the old days, the latency between a zero day coming out 1855 01:16:52,875 --> 01:16:54,500 and a patch coming out was fairly long. 1856 01:16:54,500 --> 01:16:56,583 That's shortening, and shortening, and shortening, 1857 01:16:56,583 --> 01:16:58,572 so we're down to literally hours. 1858 01:16:58,572 --> 01:17:00,030 So when these things surface, we're 1859 01:17:00,030 --> 01:17:02,029 able to push out updates to at least the systems 1860 01:17:02,029 --> 01:17:03,370 that we maintain. 1861 01:17:03,370 --> 01:17:05,455 The systems we don't maintain, we're 1862 01:17:05,455 --> 01:17:09,500 able to use our communication folks, like the communications 1863 01:17:09,500 --> 01:17:11,770 office and Monique on the security team, 1864 01:17:11,770 --> 01:17:14,410 to craft messages to go out to the community to at least alert 1865 01:17:14,410 --> 01:17:16,460 them to the fact that you really need the patch, 1866 01:17:16,460 --> 01:17:20,030 because this is dangerous and it's out there. 1867 01:17:20,030 --> 01:17:23,800 On the more active front, we can detect these scans. 1868 01:17:23,800 --> 01:17:26,990 So the StealthWatch tool, I mentioned way back, 1869 01:17:26,990 --> 01:17:28,920 is a tool that pulls NetFlow data off 1870 01:17:28,920 --> 01:17:30,507 of our network devices. 1871 01:17:30,507 --> 01:17:32,340 And we can do some basic heuristics on that. 1872 01:17:32,340 --> 01:17:34,570 And if we see an outside IP address 1873 01:17:34,570 --> 01:17:37,370 talking to several hundred MIT systems, 1874 01:17:37,370 --> 01:17:40,780 that's probably not good. 1875 01:17:40,780 --> 01:17:41,620 It could be good. 
1876 01:17:41,620 --> 01:17:43,814 And if it's good, we will totally white list it. 1877 01:17:43,814 --> 01:17:46,230 And we've done that many, many times for research projects 1878 01:17:46,230 --> 01:17:48,500 and just things that are legitimate. 1879 01:17:48,500 --> 01:17:50,440 But it's probably not a bad posture 1880 01:17:50,440 --> 01:17:52,980 to say, OK, if we see that, it's probably bad. 1881 01:17:52,980 --> 01:17:54,560 Let's block it. 1882 01:17:54,560 --> 01:17:57,230 So we actually have some automated BGP null-routing 1883 01:17:57,230 --> 01:17:59,640 going on where we're actually watching the flows. 1884 01:17:59,640 --> 01:18:01,470 And if we see an anomalous behavior, 1885 01:18:01,470 --> 01:18:03,410 we null-route on-the-fly. 1886 01:18:03,410 --> 01:18:04,710 That runs every five minutes. 1887 01:18:04,710 --> 01:18:10,330 So as soon as a scan starts, we cut it off at the knees. 1888 01:18:10,330 --> 01:18:15,100 On a more proactive front even than that is 1889 01:18:15,100 --> 01:18:16,630 we will proactively scan. 1890 01:18:16,630 --> 01:18:20,900 So in the case of Shellshock and some of the earlier SSL 1891 01:18:20,900 --> 01:18:23,350 vulnerabilities that were really deadly, 1892 01:18:23,350 --> 01:18:24,980 we actually scanned the community 1893 01:18:24,980 --> 01:18:26,950 and sent out lists to those we had 1894 01:18:26,950 --> 01:18:28,890 contact info for to let them know, hey, 1895 01:18:28,890 --> 01:18:30,480 this IP address is running a service. 1896 01:18:30,480 --> 01:18:31,605 This is a known vulnerable. 1897 01:18:31,605 --> 01:18:32,352 Please patch it. 1898 01:18:32,352 --> 01:18:34,435 It's really just about getting the information out 1899 01:18:34,435 --> 01:18:36,910 to the community as quickly as we can. 1900 01:18:36,910 --> 01:18:39,950 OK future trends, because we're running short on time, 1901 01:18:39,950 --> 01:18:43,500 consumerization of IT. 
1902 01:18:43,500 --> 01:18:47,720 I call them future trends, but the future is now here at MIT 1903 01:18:47,720 --> 01:18:49,410 and pretty much at any .edu. 1904 01:18:49,410 --> 01:18:51,870 These are old things that we've been dealing with. 1905 01:18:51,870 --> 01:18:53,050 Bring your own device-- 1906 01:18:53,050 --> 01:18:54,740 I mean, I've owned my own phone here 1907 01:18:54,740 --> 01:18:58,880 and at other institutions in the edu space forever. 1908 01:18:58,880 --> 01:19:00,866 It makes policy enforcement really difficult, 1909 01:19:00,866 --> 01:19:02,740 because how do you enforce policy on a device 1910 01:19:02,740 --> 01:19:04,725 that you didn't pay for that you don't manage? 1911 01:19:07,260 --> 01:19:10,417 Consumerization of services, here at MIT, 1912 01:19:10,417 --> 01:19:12,250 we have an enterprise agreement with Dropbox 1913 01:19:12,250 --> 01:19:14,760 now, so that you can store data up on Dropbox. 1914 01:19:14,760 --> 01:19:15,510 Unlimited storage. 1915 01:19:15,510 --> 01:19:17,140 That's open to students, right? 1916 01:19:17,140 --> 01:19:21,660 So yes, unlimited storage on Dropbox, which is great. 1917 01:19:21,660 --> 01:19:23,340 The problems that come along with that 1918 01:19:23,340 --> 01:19:24,780 are maybe data custody. 1919 01:19:24,780 --> 01:19:26,320 Where is that data going to live? 1920 01:19:26,320 --> 01:19:28,910 In our case, we've made sure that jurisdiction will always 1921 01:19:28,910 --> 01:19:30,050 be in the United States. 1922 01:19:30,050 --> 01:19:32,500 But what happens if you're dealing with a provider that 1923 01:19:32,500 --> 01:19:35,640 crosses national boundaries into areas where they 1924 01:19:35,640 --> 01:19:37,450 have different regulations? 1925 01:19:37,450 --> 01:19:41,845 What do you do if a person puts sensitive information up 1926 01:19:41,845 --> 01:19:44,400 on that Dropbox and it gets synced up to the cloud. 
1927 01:19:44,400 --> 01:19:46,880 And they think it just lives in the cloud, 1928 01:19:46,880 --> 01:19:49,330 but we know that Dropbox syncs to the local system. 1929 01:19:49,330 --> 01:19:54,670 There's a lot of issues involved with the consumerization of IT, 1930 01:19:54,670 --> 01:19:56,520 because the IT department doesn't 1931 01:19:56,520 --> 01:19:57,710 control the service anymore. 1932 01:19:57,710 --> 01:20:00,251 They're really just brokering the service between the service 1933 01:20:00,251 --> 01:20:02,570 provider and the consumer. 1934 01:20:02,570 --> 01:20:04,640 Third-party email providers, kind of same thing. 1935 01:20:04,640 --> 01:20:06,180 You might send sensitive information 1936 01:20:06,180 --> 01:20:08,390 through an email system that's not totally internal. 1937 01:20:08,390 --> 01:20:10,660 So sensitive data might leave the institution. 1938 01:20:13,240 --> 01:20:16,390 Cloud-based resources kind of ties into that as well. 1939 01:20:16,390 --> 01:20:18,600 MIT never really had a perimeter. 1940 01:20:18,600 --> 01:20:21,400 Neither does the rest of the world now, right? 1941 01:20:21,400 --> 01:20:23,150 If you're a small startup-- 1942 01:20:23,150 --> 01:20:26,530 and I'm sure you all have many friends at startups, 1943 01:20:26,530 --> 01:20:27,530 I do as well-- 1944 01:20:27,530 --> 01:20:29,660 none of them have local resources anymore, right? 1945 01:20:29,660 --> 01:20:32,540 They're using stuff that's entirely in the cloud. 1946 01:20:32,540 --> 01:20:34,570 How do you draw a line or put a moat 1947 01:20:34,570 --> 01:20:37,000 around those resources when they're living in Amazon Web 1948 01:20:37,000 --> 01:20:40,310 Services, and at Salesforce.com, and as Google Apps, 1949 01:20:40,310 --> 01:20:42,180 and as Dropbox? 1950 01:20:42,180 --> 01:20:44,390 We need to find different ways to handle that. 
1951 01:20:44,390 --> 01:20:46,120 We have the same data custody issues 1952 01:20:46,120 --> 01:20:47,990 as to where that data might live. 1953 01:20:47,990 --> 01:20:51,110 We've also got authentication and authorization issues. 1954 01:20:51,110 --> 01:20:53,520 How do you make sure that just your users 1955 01:20:53,520 --> 01:20:55,065 are accessing those services? 1956 01:20:55,065 --> 01:20:56,440 And that's where things like SAML 1957 01:20:56,440 --> 01:21:00,380 come in, which I think MIT is really well-positioned, 1958 01:21:00,380 --> 01:21:03,510 because we have this really robust SAML architecture. 1959 01:21:03,510 --> 01:21:05,100 When we wanted to add Dropbox, it 1960 01:21:05,100 --> 01:21:07,141 was easy enough to add them as a service provider 1961 01:21:07,141 --> 01:21:09,580 to our Touchstone infrastructure. 1962 01:21:09,580 --> 01:21:11,170 And it just worked. 1963 01:21:11,170 --> 01:21:13,030 I'm sure I'm glazing over some things, 1964 01:21:13,030 --> 01:21:15,060 but you know, in the grand scheme, 1965 01:21:15,060 --> 01:21:16,680 standards-based and federated systems, 1966 01:21:16,680 --> 01:21:19,810 like SAML and Shibboleth are really 1967 01:21:19,810 --> 01:21:23,070 life savers in a cloud-based world. 1968 01:21:23,070 --> 01:21:25,150 The internet of things, what does that mean? 1969 01:21:25,150 --> 01:21:28,310 It seems to be the new buzzword du jour. 1970 01:21:28,310 --> 01:21:30,450 But in terms of our experience so far, 1971 01:21:30,450 --> 01:21:33,030 the internet of things at mit.net, 1972 01:21:33,030 --> 01:21:36,042 we have building management systems all over, right? 1973 01:21:36,042 --> 01:21:37,500 These are computer systems that are 1974 01:21:37,500 --> 01:21:39,010 built by the fine folks that built 1975 01:21:39,010 --> 01:21:40,590 air conditioners last year. 1976 01:21:40,590 --> 01:21:44,706 So they're not all that secure, for the most part. 
1977 01:21:44,706 --> 01:21:46,330 Mark had the story about they were just 1978 01:21:46,330 --> 01:21:47,830 living on public mit.net. 1979 01:21:47,830 --> 01:21:49,864 They could be probed by anyone in the world. 1980 01:21:49,864 --> 01:21:51,530 What we've started to do-- and actually, 1981 01:21:51,530 --> 01:21:53,821 we're almost entirely done with our building management 1982 01:21:53,821 --> 01:21:54,930 systems-- 1983 01:21:54,930 --> 01:21:57,120 is move them onto a different VRF, which 1984 01:21:57,120 --> 01:21:59,100 is a Virtual Routing and Forwarding instance, 1985 01:21:59,100 --> 01:22:01,980 so that they have a completely different forwarding path. 1986 01:22:01,980 --> 01:22:03,550 And we front-end it with a firewall. 1987 01:22:03,550 --> 01:22:04,740 It's all access controlled. 1988 01:22:04,740 --> 01:22:08,260 It lives on separate physical infrastructure in closets. 1989 01:22:08,260 --> 01:22:10,100 The closets are secured. 1990 01:22:10,100 --> 01:22:12,570 But when we move into an internet of things world, 1991 01:22:12,570 --> 01:22:14,260 this problem is just going to multiply. 1992 01:22:14,260 --> 01:22:15,968 What happens when the light switches have 1993 01:22:15,968 --> 01:22:19,690 IP addresses and, who knows, my shoes have IP addresses? 1994 01:22:19,690 --> 01:22:21,544 And it's going to get crazy. 1995 01:22:21,544 --> 01:22:22,710 So how do we deal with that? 1996 01:22:22,710 --> 01:22:25,320 And frankly, I don't have an answer quite yet. 1997 01:22:25,320 --> 01:22:26,520 Many companies say they do. 1998 01:22:26,520 --> 01:22:29,040 And they'll make you spend a lot of money on solutions. 1999 01:22:29,040 --> 01:22:31,560 But one of them I can think of is maybe we map access policy 2000 01:22:31,560 --> 01:22:33,750 down to devices, based on 802.1X.
2001 01:22:33,750 --> 01:22:36,620 So when I authenticate or my device authenticates, 2002 01:22:36,620 --> 01:22:39,059 it pulls down the thermostat policy, 2003 01:22:39,059 --> 01:22:40,850 so that it can coexist on the same network, 2004 01:22:40,850 --> 01:22:44,840 and yet not be wide open to the world as, say, my laptop is. 2005 01:22:47,207 --> 01:22:49,290 So with that, I realized we're over, but are there 2006 01:22:49,290 --> 01:22:49,873 any questions? 2007 01:22:52,485 --> 01:22:53,359 Yes. 2008 01:22:53,359 --> 01:22:55,359 AUDIENCE: So there was one page you skipped over 2009 01:22:55,359 --> 01:22:56,317 a couple of slides ago. 2010 01:22:56,317 --> 01:22:57,637 PROFESSOR: Oh, sure. 2011 01:22:57,637 --> 01:22:58,720 AUDIENCE: Campus firewall. 2012 01:22:58,720 --> 01:22:59,835 PROFESSOR: Oh, I'm sorry. 2013 01:22:59,835 --> 01:23:00,460 Where was this? 2014 01:23:00,460 --> 01:23:02,190 AUDIENCE: I'm curious about it. 2015 01:23:02,190 --> 01:23:03,520 PROFESSOR: [INAUDIBLE]. 2016 01:23:03,520 --> 01:23:05,270 PROFESSOR: I swear, it wasn't intentional. 2017 01:23:05,270 --> 01:23:06,320 Oh, yeah. 2018 01:23:06,320 --> 01:23:07,120 Coming soon. 2019 01:23:07,120 --> 01:23:09,520 So this is-- do you want to talk about it, or shall I? 2020 01:23:09,520 --> 01:23:10,186 PROFESSOR: Yeah. 2021 01:23:10,186 --> 01:23:11,182 So I'll talk about it. 2022 01:23:11,182 --> 01:23:13,390 I mean, one of the things we realized, as David said, 2023 01:23:13,390 --> 01:23:18,240 is that your default posture for things, you get it with an Xbox 2024 01:23:18,240 --> 01:23:19,610 you install it today. 2025 01:23:19,610 --> 01:23:22,080 You have iptables by default. Install Windows machine, 2026 01:23:22,080 --> 01:23:24,000 you have Windows host firewall.
2027 01:23:24,000 --> 01:23:25,410 One of the things we look at is-- 2028 01:23:25,410 --> 01:23:27,159 you know, you have this internet of things 2029 01:23:27,159 --> 01:23:29,596 and this vast variety of devices on mit.net 2030 01:23:29,596 --> 01:23:32,170 is having a more secure posture by default, 2031 01:23:32,170 --> 01:23:34,930 so that devices, by default, may not necessarily 2032 01:23:34,930 --> 01:23:37,620 be exposed to the entire public network. 2033 01:23:37,620 --> 01:23:39,377 And there are legitimate reasons people 2034 01:23:39,377 --> 01:23:41,210 want to have a device on the public network. 2035 01:23:41,210 --> 01:23:41,876 And that's fine. 2036 01:23:41,876 --> 01:23:44,480 You know, one of the things that's great about MIT is, 2037 01:23:44,480 --> 01:23:47,180 if people want to do that, you allow them to do that. 2038 01:23:47,180 --> 01:23:48,770 They can do that in an automated way. 2039 01:23:48,770 --> 01:23:49,910 They can do that by themselves. 2040 01:23:49,910 --> 01:23:51,430 They don't need to ask a policy person. 2041 01:23:51,430 --> 01:23:53,190 They don't need to do anything like that. 2042 01:23:53,190 --> 01:23:54,690 So what we're trying to move towards 2043 01:23:54,690 --> 01:23:58,210 is really a network topology where, by default, people 2044 01:23:58,210 --> 01:24:00,490 will be behind some layer of protection. 2045 01:24:00,490 --> 01:24:02,960 If they want to go to a web page and enroll themselves 2046 01:24:02,960 --> 01:24:04,645 in the public internet level of access, 2047 01:24:04,645 --> 01:24:06,436 they can do that without talking to anyone. 2048 01:24:06,436 --> 01:24:07,690 And it's automated. 2049 01:24:07,690 --> 01:24:11,154 And it just happens within a minute or two. 2050 01:24:11,154 --> 01:24:13,070 And so I think what we're trying to do is just 2051 01:24:13,070 --> 01:24:14,986 move the default security posture to something 2052 01:24:14,986 --> 01:24:17,980 a little bit more secure, by default. 
But at the same time, 2053 01:24:17,980 --> 01:24:20,262 we recognize that our goal here is 2054 01:24:20,262 --> 01:24:22,220 to not really disrupt the innovative activities 2055 01:24:22,220 --> 01:24:23,190 that happen here. 2056 01:24:23,190 --> 01:24:25,440 And so if people want to do that, students or faculty, 2057 01:24:25,440 --> 01:24:28,956 on an opt-in basis and go to the web page, that's up to them. 2058 01:24:31,790 --> 01:24:33,661 Any other questions? 2059 01:24:33,661 --> 01:24:34,494 AUDIENCE: I had one. 2060 01:24:34,494 --> 01:24:36,374 PROFESSOR: Sure. 2061 01:24:36,374 --> 01:24:39,750 AUDIENCE: What's the traffic like now on the MIT network? 2062 01:24:39,750 --> 01:24:42,180 It's like, what kind of traffic do you see the most of? 2063 01:24:42,180 --> 01:24:42,500 PROFESSOR: Yeah. 2064 01:24:42,500 --> 01:24:43,990 So I mean, looking at StealthWatch, 2065 01:24:43,990 --> 01:24:46,930 I'd say like 80% of our traffic, if you look at it by protocol, 2066 01:24:46,930 --> 01:24:48,930 is like HTTP, you know, [INAUDIBLE]. 2067 01:24:48,930 --> 01:24:51,210 PROFESSOR: Which would include HTTP-streamed media. 2068 01:24:51,210 --> 01:24:52,300 PROFESSOR: Movies, media. 2069 01:24:52,300 --> 01:24:54,180 Now, I think the interesting question you could ask 2070 01:24:54,180 --> 01:24:56,300 is how much of it is legitimate research activity. 2071 01:24:56,300 --> 01:24:57,670 [LAUGHTER] 2072 01:24:57,670 --> 01:24:59,730 I know you guys are all studying hard. 2073 01:24:59,730 --> 01:25:01,730 I know I was, that's why I'm still working here. 2074 01:25:01,730 --> 01:25:02,230 No. 2075 01:25:02,230 --> 01:25:04,590 But yeah, it's interesting breakdown. 
2076 01:25:04,590 --> 01:25:06,950 I think the one thing we do philosophically, 2077 01:25:06,950 --> 01:25:08,735 as a provider, is-- 2078 01:25:08,735 --> 01:25:10,110 you know, a lot of schools, there 2079 01:25:10,110 --> 01:25:11,485 was a time where they were trying 2080 01:25:11,485 --> 01:25:14,450 to make judgments about what kinds of traffic 2081 01:25:14,450 --> 01:25:16,730 and how much were going across their campus networks. 2082 01:25:16,730 --> 01:25:17,990 MIT does not do that. 2083 01:25:17,990 --> 01:25:21,210 One thing we believe very strongly in is not me 2084 01:25:21,210 --> 01:25:23,080 nor anybody else in the administration 2085 01:25:23,080 --> 01:25:26,310 is in a position to pass value judgment over someone's 2086 01:25:26,310 --> 01:25:27,520 internet activity. 2087 01:25:27,520 --> 01:25:28,540 PROFESSOR: Because people live here. 2088 01:25:28,540 --> 01:25:29,250 PROFESSOR: You live here, right? 2089 01:25:29,250 --> 01:25:30,430 PROFESSOR: It's not just your work. 2090 01:25:30,430 --> 01:25:32,800 I mean, people are doing a lot of research on Netflix, 2091 01:25:32,800 --> 01:25:34,340 because we have a Netflix cache. 2092 01:25:34,340 --> 01:25:35,840 And we have a lot of traffic going there. 2093 01:25:35,840 --> 01:25:39,780 But we also have thousands of students and staff living here. 2094 01:25:39,780 --> 01:25:42,900 So that's them at night powering up their Netflix box 2095 01:25:42,900 --> 01:25:43,750 and streaming. 2096 01:25:43,750 --> 01:25:44,720 PROFESSOR: Or whatever it may be. 2097 01:25:44,720 --> 01:25:46,510 So we've always been in the position of like, you know, we 2098 01:25:46,510 --> 01:25:48,718 have some very detailed information about what it is. 2099 01:25:48,718 --> 01:25:51,200 But I'd say that most of it is, I'd say, 2100 01:25:51,200 --> 01:25:53,290 even nowadays, is kind of scary.
2101 01:25:53,290 --> 01:25:56,550 I'd say, at night, half of it's video stream, which is-- 2102 01:25:56,550 --> 01:25:58,780 AUDIENCE: Would you allow torrent traffic? 2103 01:25:58,780 --> 01:25:58,910 PROFESSOR: Porn? 2104 01:25:58,910 --> 01:25:59,620 PROFESSOR: We don't. 2105 01:25:59,620 --> 01:26:00,210 No. 2106 01:26:00,210 --> 01:26:00,595 AUDIENCE: Torrents. 2107 01:26:00,595 --> 01:26:00,980 [INAUDIBLE] 2108 01:26:00,980 --> 01:26:01,563 PROFESSOR: Oh. 2109 01:26:01,563 --> 01:26:02,910 You know what's interesting? 2110 01:26:02,910 --> 01:26:06,370 So porn and torrents are pretty similar, so yeah. 2111 01:26:06,370 --> 01:26:07,027 [LAUGHTER] 2112 01:26:07,027 --> 01:26:09,360 Not that that's what went through my head Freudian-wise. 2113 01:26:09,360 --> 01:26:10,845 I'm sorry. 2114 01:26:10,845 --> 01:26:11,970 You know, it's interesting. 2115 01:26:11,970 --> 01:26:14,245 Torrent traffic has actually gone down. 2116 01:26:14,245 --> 01:26:15,870 I think that's what's been interesting. 2117 01:26:15,870 --> 01:26:18,180 I'd say it's actually gone down over the years. 2118 01:26:18,180 --> 01:26:21,966 I think, on the plus side, most things are getting so easy 2119 01:26:21,966 --> 01:26:24,090 for people to get through something like a Netflix, 2120 01:26:24,090 --> 01:26:25,800 or an Amazon Prime, or whatever it 2121 01:26:25,800 --> 01:26:28,940 is, where you can subscribe for $4 a month, 2122 01:26:28,940 --> 01:26:30,550 where people are generally doing it. 2123 01:26:30,550 --> 01:26:32,200 We have a Comcast video TV service 2124 01:26:32,200 --> 01:26:34,222 we offer for free to the students. 2125 01:26:34,222 --> 01:26:36,680 If you want to do IPTV, you can just do it on your computer 2126 01:26:36,680 --> 01:26:37,319 now. 2127 01:26:37,319 --> 01:26:39,610 But for the most part, I've seen torrents have actually 2128 01:26:39,610 --> 01:26:40,448 gone down. 2129 01:26:40,448 --> 01:26:42,614 I would just be honest, which is kind of a surprise. 
2130 01:26:44,785 --> 01:26:45,660 PROFESSOR: All right. 2131 01:26:45,660 --> 01:26:46,820 Well, let's thank Dave and Mark. 2132 01:26:46,820 --> 01:26:47,420 PROFESSOR: Thank you, guys. 2133 01:26:47,420 --> 01:26:48,295 PROFESSOR: Thank you. 2134 01:26:48,295 --> 01:26:49,570 [APPLAUSE]