Dr. Dan Plante is a very persuasive guy.
Plante serves as professor of Computer Science at Central Florida’s Stetson University. In 2008, to promote collaboration between his students and the university and enhance computer security on campus, he convinced the university to allow him to develop a unique computer and networking class that uses the university’s own computer network to test for security vulnerabilities.
In short, Plante’s students spend a semester figuring out how to attack and exploit vulnerabilities in the university’s computer network. The idea being that if you know how to attack, you’ll know how to defend and, just maybe, uncover new and undiscovered security vulnerabilities in the meantime.
And that’s just what happened.
Stetson’s Slow Loris Goes Mobile
Plante’s innovative approach to teaching security helped two of his students discover a potentially unknown, pervasive TCP vulnerability impacting all TCP listening services running on industry hardware, like servers. Through a contact of Bob Huth, Stetson’s Executive VP and CFO, the security vulnerability was brought to the attention of Microsoft by Plante and his students. It was then mitigated using The Industry Consortium for Advancement of Security on the Internet’s (ICASI) Unified Security Incident Response Plan (USIRP) process. Microsoft is a member of ICASI.
As students in the class are encouraged to more deeply understand and implement vulnerabilities discovered during class, Stetson University students, Sebastian Florez* and Richard Roe**, were experimenting with a common Slow Loris attack which some of Stetson’s servers were found to be vulnerable to. They wrote code for an application that allowed them to attack a server with a mobile device and control the attack with the push of a button. When they experimented in Plante’s class on the university’s network the students discovered something that, in Plante’s words was, potentially “. . . very substantial. The vulnerability did not seem to target one particular piece of hardware. It very well could be pervasive across all products.” Florez and Roe found that in fact, all TCP listening services as well as TLS secure connections were vulnerable to what amounted to a new and highly efficient denial of service (DoS) attack.
The Unified Security Incident Response Plan (USIRP) Implemented
The TCP vulnerability uncovered by Florez and Roe was potentially pervasive, so their contacts at Microsoft suggested involving ICASI. ICASI is how the industry collaborates on incident response to complex, multi-vendor security challenges. After all, ICASI’s members include the hardware and software vendors responsible for the Internet’s backbone.
The security threat brought to ICASI’s attention by Stetson University triggered the implementation of a USIRP triage. USIRP is one of the primary means by which ICASI fulfills its mission of enhancing the global security landscape through multi-stakeholder collaboration. Comprising a deep-trust forum and supporting processes, procedures, and tools, the USIRP enables Security Incident Response Teams (SIRTs) from ICASI member companies to collaborate quickly and effectively to resolve complex, Internet security issues that could have a significant impact on customers.
Once triggered, the USIRP has three phases:
“Triage” is when the initial security vulnerability information is shared and analyzed. “Resolve” is where the solution is collaborated on and coordinated among all members and involved affinity groups. The final step is “Close” when the solution is implemented.
In the case of the TCP vulnerability discovered by Florez and Roe under Plante’s guidance, ICASI’s USURIP process was followed. They shared the code Florez and Roe wrote and had two conference calls with ICASI members to exchange information and collaborate on a solution. The eventual solution ICASI recommended implementing based on the information and research provided by Stetson University and their own testing was to mitigate the solution by using a large load-balancing front-end. This would spread out the possible denial of service attack against servers rendering the attack almost negligible.
In conclusion, Plante’s class at Stetson University takes hands-on learning to a new level allowing students to uncover possible security vulnerabilities that could impact people and businesses far beyond the walls of academia.
# # #
*Florez has since graduated from Stetson with a degree in Computer Science and is working as a software developer.
**Roe will be a senior at Stetson University this year in Computer Information Systems. He spent the summer as an application security engineering intern at Apple.