
Page 1: 從監聽門事件看資通訊安全演進 Evolution of ICT Security: A Perspective From Wiretapping

Evolution of ICT Security: A Perspective From Wiretapping (the evolution of ICT security as seen from the "wiretapping-gate" incident)

林盈達 Ying-Dar Lin, IEEE Fellow, IEEE ComSoC Distinguished Lecturer
Department of Computer Science, National Chiao Tung University (交通大學資訊工程系)
[email protected]
11-28-2013

Page 2: 林盈達 Ying-Dar Lin

Areas of research interests:
• Deep Packet Inspection: attack, virus, spam, pornography, P2P; software, algorithm, hardware, SoC; real traffic, beta site, botnet
• Internet security and QoS
• Wireless communications
• Test technologies of switch, router, WLAN, security, VoIP, 4G/LTE and smartphones

Publications:
• International journal: 95; international conference: 51; IETF Internet Draft: 1; industrial articles: 153
• Textbooks: 3 (Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011)
• Patents: 30; tech transfers: 8
• Well-cited paper: Multihop Cellular: A New Architecture for Wireless Communications, INFOCOM 2000, YD Lin and YC Hsu; #citations: 600; standardized into IEEE 802.11s, Bluetooth, WiMAX, and LTE

Biography:
• B.S., NTU-CSIE, 1988; Ph.D., UCLA-CS, 1993
• Professor (1999~) / Associate Professor (1993~1999), NCTU-CS; IEEE Fellow (2013); IEEE ComSoC Distinguished Lecturer (2014 & 2015)
• Founder and Director, III-NCTU Embedded Benchmarking Lab (EBL; www.ebl.org.tw), 2011~
• Founder and Director, NCTU Network Benchmarking Lab (NBL; www.nbl.org.tw), 2002~
• Editorial Boards: IEEE Wireless Comm. (2013~), IEEE Transactions on Computers (2011~), IEEE Computer (2012~), IEEE Network (2011~), IEEE Communications Magazine – Network Testing Series (2010~), IEEE Communications Letters (2010~), Computer Communications (2010~), Computer Networks (2010~), IEEE Communications Surveys and Tutorials (2008~), IEICE Transactions on Information and Systems (11/2011~)
• Guest Editor of Special Issues: Open Source for Networking, IEEE Network, Mar 2014; Mobile Application Security, IEEE Computer, Mar 2014; Multi-Hop Cellular, IEEE Wireless Communications, Oct 2014; Deep Packet Inspection, IEEE JSAC, Q4 2014; Traffic Forensics, IEEE Systems Journal, early 2015
• CEO, Telecom Technology Center (www.ttc.org.tw), 7/2010~5/2011
• Director, Computer and Network Center, NCTU, 2007~2010
• Consultant, ICL/ITRI, 2002~2010
• Visiting Scholar, Cisco, San Jose, 7/2007~7/2008
• Director, Institute of Network Engineering, NCTU, 2005~2007
• Co-Founder, L7 Networks Inc. (www.L7.com.tw), 2002

Page 3: Computer Networks: An Open Source Approach

Computer Networks: An Open Source Approach treats why a protocol is designed a specific way as more important than how the protocol works. Key concepts and underlying principles are conveyed while explaining protocol behaviors. To further bridge the long-existing gap between design and implementation, it illustrates where and how protocol designs are implemented in Linux-based systems. A comprehensive set of fifty-six live open source implementations spanning hardware (8B/10B, OFDM, CRC32, CSMA/CD, and crypto), driver (Ethernet and PPP), kernel (longest prefix matching, checksum, NAT, TCP traffic control, socket, shaper, scheduler, firewall, and VPN), and daemon (RIP/OSPF/BGP, DNS, FTP, SMTP/POP3/IMAP4, HTTP, SNMP, SIP, streaming, and P2P) is interleaved with the text.

Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011. www.mhhe.com/lin; available now at amazon.com. Facebook Q&A Community: www.facebook.com/CNFBs. ISBN: 0-07-337624-8 / 978-007-337624-0

Page 4: Outline

1. The ins and outs of the wiretapping-gate incident (20 mins)
2. Possible ways of tapping telephones and networks (20 mins)
3. The evolution of network communication security (20 mins)
4. The latest network hacker attack methods and countermeasure technologies (40 mins)
5. Q&A (20 mins)

Page 5: The wiretapping-gate incident

• Can a 0972 toll-saving phone line be tapped?
  – Three government agencies (Investigation Bureau, Criminal Investigation Bureau, NCC), three answers: no (if it is not known in advance to be a toll-saving line), yes, don't know!
  – The difference between a subscriber-side line and a central-office-side line
  – 0972630235 vs. (02)2358-5858
• From the telecom equipment room to the interception room
  – RFC 3924-compliant interception equipment
• Referee vs. player: the court and the interception room vs. the investigating agencies

Page 6: Centrex + PBX architecture

[Figure: CHT Centrex switching (Chunghwa Telecom virtual PBX) connected to the NEC PBX (the Legislative Yuan switchboard). The Centrex number block is 2358-XXXX; the PBX extensions are 1000, 1001, 1002, 1003; an E1 toll-saving leased line (0972-630231~37) runs between the PBX and CHT.]

• When a subscriber dials 2358-XXXX, Centrex passes the destination code to the PBX, which uses the last four digits to decide which extension to ring.
• When an extension dials out, the PBX sends 2358 (the office code) plus the extension number.
• When an extension dials "0", the NEC PBX seizes the E1 toll-saving line and carries the call over the E1 line to the CHT switch. Although the outgoing call is configured as "no caller ID display", the system still records the outgoing number as 0972-630231~37, and the call is billed at the "toll-saving" rate.
• When an extension dials "*0", the NEC PBX seizes a Centrex line and routes the call to the CHT switch over the normal path; the number carried is the Centrex number, and the call is billed at the "normal rate".

Page 7: 0972630235 vs. (02)2358-5858

• Three combinations:
  – Extension inside the Legislative Yuan to outside: the control signalling carries 0972630235
    • Subject to tapping and recording!
  – Outside to (02)2358-5858 to an extension inside the Legislative Yuan
    • No tapping or recording
  – Outside to 0972630235 to an extension inside the Legislative Yuan
    • Subject to tapping and recording!
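The routing rules of the previous slide and the three combinations above can be checked with a small model. This is an added illustration, not code from the talk: the phone numbers and extensions are the slide's own examples, while the choice of which E1 channel the PBX seizes, the digit normalisation and the outside number are assumptions made here.

```python
"""Model of the Centrex + NEC PBX routing and of which call legs an intercept
provisioned on a 0972 toll-saving number sees. Added illustration; numbers are
the slide's examples, the channel choice and outside number are constructed."""
import re

CENTREX_CODE = "2358"                                   # (02)2358-XXXX Centrex block
E1_LINES = [f"0972-63023{i}" for i in range(1, 8)]      # 0972-630231~37 E1 channels
EXTENSIONS = {"1000", "1001", "1002", "1003"}


def digits(number):
    """Normalise a number to its digits so '(02)2358-5858' compares as '0223585858'."""
    return re.sub(r"\D", "", number)


def call_leg(direction, dialed, extension=None, e1_channel=5):
    """Return the (calling, called) identities carried in signalling to the CHT switch.

    direction == "out": PBX extension `extension` dials `dialed`.
        '*0' prefix -> a Centrex line is seized; calling identity is 2358 + extension.
        '0'  prefix -> an E1 toll-saving channel is seized; calling identity is that
                       channel's 0972 number even though caller-ID display is off.
    direction == "in": an outside caller dials `dialed`; the called identity is the
        number dialed (a 0972 E1 number or a (02)2358 Centrex number).
    e1_channel: which of the seven channels the PBX grabs (assumption: channel 5)."""
    if direction == "out":
        if extension not in EXTENSIONS:
            raise ValueError(f"unknown extension {extension}")
        if dialed.startswith("*0"):
            return (f"(02){CENTREX_CODE}-{extension}", dialed[2:])
        if dialed.startswith("0"):
            return (E1_LINES[e1_channel - 1], dialed[1:])
        raise ValueError("dial prefix not modelled")
    if direction == "in":
        return ("outside-caller", dialed)
    raise ValueError("direction must be 'in' or 'out'")


def intercepted(target, leg):
    """An intercept provisioned on `target` captures a leg whose signalling carries
    the target as the calling or the called identity."""
    calling, called = leg
    return digits(target) in (digits(calling), digits(called))


def classify_slide_cases(target="0972630235"):
    """The combinations from the slide (plus the '*0' case), evaluated by the model."""
    outside = "0911000000"        # constructed outside party number
    cases = {
        "extension -> outside via '0' (E1)": call_leg("out", "0" + outside, "1003"),
        "extension -> outside via '*0' (Centrex)": call_leg("out", "*0" + outside, "1003"),
        "outside -> (02)2358-5858 -> extension": call_leg("in", "(02)2358-5858"),
        "outside -> 0972630235 -> extension": call_leg("in", "0972630235"),
    }
    return {name: intercepted(target, leg) for name, leg in cases.items()}


if __name__ == "__main__":
    for name, hit in classify_slide_cases().items():
        print(f"{name}: {'tapped' if hit else 'not tapped'}")
```

The model makes the slide's point explicit: an intercept keyed on the 0972 number catches every leg whose signalling carries that number, which is exactly the outbound "0"-prefixed calls and inbound calls to the toll-saving number, while calls that traverse the Centrex number never show the target to the interception equipment.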

Page 8: Telephone tapping methods

• Without a remote interception system:
  – The intercepting agency brings the interception warrant to the equipment room and clips onto the line directly at the MDF (main distribution frame) or at the test desk.
• With a remote interception system:
  – All Type I telecom carriers (fixed-line and mobile operators) and the newer Special Type II operators (toll-saving companies) already have interfaces to the remote interception systems of the Investigation Bureau or the Criminal Investigation Bureau, but the equipment for operating, managing, storing and processing the intercepted content is all built at the intelligence and security agencies.
  – Type I carriers: tapping is generally handled by the Investigation Bureau.
  – Special Type II (toll-saving companies): tapping is generally handled by the Criminal Investigation Bureau.

Page 9: Lawful Intercept Architecture Reference Model

[Figure: the reference model of IETF RFC 3924 / ETSI ES 201 671. Functional blocks: Law Enforcement Agency (LEA); Lawful Intercept Administration Function; Mediation Device (MD); Intercept Related Information (IRI) Intercept Access Point (IAP); Content Intercept Access Point (IAP), which sits in the path of the user content; Service Provider Functions. Interfaces: HI1 (a) between the LEA and the administration function; MD provisioning interface (b) from the administration function to the MD; (c) from the MD to the IRI IAP; intercept request (d) from the MD to the content IAP; IRI (e) from the IRI IAP to the MD; intercepted content (f) from the content IAP to the MD; HI2 (g) and HI3 (h) from the MD to the LEA.]

IETF RFC 3924 / ETSI ES 201 671

Page 10: Where the intercept sits

[Figure: the Legislative Yuan call path with the intercept placement: NEC PBX (labelled A100 0 AX) – E1 leased line – CHT Centrex virtual PBX – C7 signalling. The intercept access equipment is built at the fixed-line or mobile carrier's equipment room; the mediation, operation and storage equipment is built at the intelligence and security agencies.]

Page 11: Is only the telephone tapped, and not the network?

• The network is tapped too
  – RFC 3924 also covers data services
  – Most application protocols are not encrypted
  – Packet identification of common application protocols is no problem
  – The traffic can be recorded or replayed live in sync
  – Packet identification and decoding of P2P applications have higher false-positive and false-negative rates

Page 12: Referee vs. player: the court and the interception room vs. the investigating agencies

• How many people are on telephone and network taps?
  – Thirty thousand... at any time!
• If each person is tapped for six months on average, there should be sixty thousand interception warrants a year!! But the actual number of warrants is far below this!
• Why??
  – One warrant per prosecutor used as an all-you-can-eat pass (wild card)
    • Unrelated persons are added to the tap
    • Dereliction of duty by the courts!
  – Player and referee at the same time
    • Players: the prosecution system, the Investigation Bureau, the Criminal Investigation Bureau
    • Referees: the courts, the Investigation Bureau, the Criminal Investigation Bureau
    • Case officers of the Investigation Bureau and the Criminal Investigation Bureau <-> administrators of those same bureaus' interception rooms
    • Intelligence tapping for which no warrant can be applied
    • The interception rooms should be handed over to a third party!

Page 13: Possible "illegal" ways of tapping telephones and networks

• RFC 3924 standard interception room
  – In cooperation with the Investigation Bureau's room
  – Or by pulling a line directly from the Investigation Bureau to a self-built room
• Direct cooperation with telecom carriers or web site operators
  – Government of country A requests data from a country-B operator doing business in A: depends on the size of A's market
  – Government of country A requests data from a country-A operator doing business in B: easiest
  – Government of country A requests data from a country-C operator doing business in B: only the United States can do this
• Wireless and wired interception
  – Cable interception
  – Wireless interception
    • IMSI catcher: Rohde & Schwarz patent of 2003, declared invalid by a UK court in 2012
    • Femtocatch: femtocell
    • Bluejacking: Bluetooth, Wi-Fi, GPS, etc.
• Backdoor programs
  – Manual: installing software (phone spy, call interception), copying the SIM card
  – Automatic: malware

Page 14: Direct cooperation with telecom carriers or web site operators

• Sold out by the carrier or the web site?
  – Carriers are already covered by RFC 3924
  – Are US or Japanese web sites and communities less likely to sell you out?
    • Using an operator from your own country: you will certainly be sold out
    • Using an operator from a hostile country: you will definitely be sold out
    • Using an operator from a third country: relatively less likely
  – Is using Skype and Line absolutely safe?
    • Yes... if it does not sell you out
  – Then just use Bitmessage!
    • Decentralized P2P
    • Cannot be sold out!

Page 15: US tapping in other countries

• According to the material Edward Snowden gave to the British media
  – Cooperation with local governments' interception rooms
  – Cooperation with operators' equipment rooms and with web sites
• Wired and wireless interception?
• Backdoor programs?

Page 16: Wireless interception: IMSI catcher

• IMSI (International Mobile Subscriber Identity)
• A false mobile tower: a man-in-the-middle attack
• Identify the IMSI number and intercept through protocol hacking: solicit / associate / configure / tap
  – Masquerade as a base station and log the IMSI numbers of nearby handsets
  – No authentication of the base station by the handset
  – Downgrade to GSM
  – Disable encryption (A5/0 mode)
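Because the handset cannot authenticate the base station, the defensive side of this slide is to notice the symptoms it lists: a forced downgrade to GSM, ciphering switched off (A5/0) and an unexpected cell. The following detector is an added example, not material from the talk; the observation records, the baseline of known cells and the rule that two distinct indicator kinds together count as a likely catcher are all constructed here.

```python
"""Indicator-based detection of IMSI-catcher symptoms from a trace of serving-cell
observations. Added example; trace, known-cell baseline and thresholds are constructed."""
from dataclasses import dataclass


@dataclass
class Observation:
    t: int              # seconds into the trace (constructed)
    rat: str            # radio access technology the handset is camped on: "LTE" or "GSM"
    cipher: str         # GSM ciphering algorithm in use ("A5/1", "A5/3", "A5/0" = none); "" on LTE
    lac: int            # location area code of the serving cell
    cell_id: int        # cell identity of the serving cell
    lte_visible: bool   # LTE cells were still measurable with usable signal at this moment


def indicators(trace, known_cells):
    """Return a list of (t, kind, detail) for every suspicious event in the trace."""
    alerts = []
    prev = None
    for obs in trace:
        # Symptom 1: encryption disabled (A5/0) while on GSM
        if obs.rat == "GSM" and obs.cipher == "A5/0":
            alerts.append((obs.t, "no-ciphering", "GSM cipher mode A5/0"))
        # Symptom 2: dropped from LTE to GSM although LTE coverage did not go away
        if prev is not None and prev.rat == "LTE" and obs.rat == "GSM" and obs.lte_visible:
            alerts.append((obs.t, "downgrade", "LTE -> GSM while LTE still visible"))
        # Symptom 3: a cell that is not in the baseline for this location
        if (obs.lac, obs.cell_id) not in known_cells:
            alerts.append((obs.t, "unknown-cell", f"LAC={obs.lac} CID={obs.cell_id}"))
        prev = obs
    return alerts


def verdict(alerts):
    """Two or more distinct indicator kinds at once is treated as a likely catcher
    (threshold is an assumption of this example)."""
    kinds = {kind for _, kind, _ in alerts}
    return "likely IMSI catcher" if len(kinds) >= 2 else "no strong indication"


# Constructed baseline of cells normally seen at this location: (LAC, cell id)
KNOWN_CELLS = {(4660, 1001), (4660, 1002), (4661, 2001)}

# Constructed trace: normal LTE, then a sudden GSM cell with no ciphering, then back
TRACE = [
    Observation(0, "LTE", "", 4660, 1001, True),
    Observation(30, "LTE", "", 4660, 1002, True),
    Observation(60, "GSM", "A5/0", 9999, 7, True),
    Observation(90, "GSM", "A5/0", 9999, 7, True),
    Observation(120, "LTE", "", 4660, 1001, True),
]

# Constructed benign trace: a real edge-of-coverage fallback to a known GSM cell with A5/3
BENIGN_TRACE = [
    Observation(0, "LTE", "", 4660, 1001, True),
    Observation(30, "GSM", "A5/3", 4661, 2001, False),
]

if __name__ == "__main__":
    for t, kind, detail in indicators(TRACE, KNOWN_CELLS):
        print(f"t={t:>4}s  {kind:<13} {detail}")
    print(verdict(indicators(TRACE, KNOWN_CELLS)))
```

Most stock handsets do not expose the ciphering indicator to applications, so a trace with these fields needs baseband diagnostic access or a dedicated monitoring probe; the value of the example is the logic, which separates a genuine coverage fallback (known cell, ciphering on, LTE gone) from the combination of symptoms the slide describes.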

Page 17: Defcon: Hacker shows how he can intercept cell phone calls with $1,500 device

• Chris Paget at Defcon in Las Vegas, 7-31-2010
• Demo video at http://venturebeat.com/2010/07/31/hacker-shows-how-he-can-intercept-cell-phone-calls-for-1500/

Page 18: Black Hat: Intercepting Calls and Cloning Phones with Femtocells

• Ritter and DePerry at Black Hat in Las Vegas on 8-1-2013
• CDMA femtocell
• Femtocatch: 2.5-way call

Page 19: Backdoor programs

• Installed software
  – StealthGenie
  – Wireflex
  – Call Interceptor
  – Spyera
• Copying the SIM card
  – Phone cloning
  – Reading the crypto key with a SIM reader
  – Installing spyware on the target phone
• Malware
  – Repackaged applications
  – Repackaged documents

Page 20: StealthGenie (feature list as advertised)

• Spy on their calls
• Spy on their SMS messages
• Track their GPS location
• Read their emails
• Spy on their instant messengers
• View their multimedia files
• Monitor their Internet activities
• View their contacts and calendar activities
• Bug their phone
• Instant alerts and notifications
• Remotely control their phone

Page 21: The evolution of network communication security

• From servers to clients
• From active attack to passive propagation
• From desktops and laptops to mobile phones
• From program propagation to document-borne payloads

Page 22: General Security Issues

• Data security: protecting private data on the public Internet
  – Encryption & authentication: Virtual Private Network (VPN)
• Access security: deciding who can access what
  – TCP/IP firewall or application firewall
• System security: protecting system resources from hackers
  – Intrusion detection and prevention
  – Malware detection and prevention

Page 23: Vulnerability Exploiting on "Servers"

• Buffer overflow attack
  – Put more data into the specified buffer than it holds, causing a buffer overflow
  – The overwritten return address then points to the cracked file, which gets executed

[Figure: two stack layouts. Before: stack pointer, return address, buffer (200 bytes). After the overflow: stack pointer, cracked file address in place of the return address, buffer (200 bytes). Caption: putting more data into the buffer than it holds causes a buffer overflow and points the return address at the cracked file address.]

    void called() {
        . . .
        char buffer[200];   /* fixed-size stack buffer; writing past 200 bytes reaches the saved return address */
        . . .
    }

Page 24: Some Server Vulnerabilities

Vulnerability | Application | Version | Reason
phf Remote Command Execution Vulnerability | Apache Group Apache | 1.0.3 | Input Validation Error
Multiple Vendor BIND (NXT Overflow) Vulnerabilities | ISC BIND | 8.2.1 | Buffer Overflow
MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability | Microsoft IIS | 4.0 | Buffer Overflow
University of Washington imapd Buffer Overflow Vulnerability | imapd | 12.264 | Buffer Overflow
ProFTPD Remote Buffer Overflow | Professional FTP proftpd | 1.2pre5 | Buffer Overflow
Sendmail Daemon Mode Vulnerability | Eric Allman Sendmail | 8.8.2 | Input Validation Error
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability | RedHat Linux | 6.2 | Configuration Error
Wu-Ftpd Remote Format String Stack Overwrite Vulnerability | wu-ftpd | 2.6 | Input Validation Error

Page 25: Open Source Implementation 8.7: Snort

Three modes:
• Sniffer: read and decode network packets
• Packet logger: log packets to disk
• Intrusion detection system: analyze traffic based on pre-defined rules and perform actions based upon what it sees

Page 26: Writing Snort Rules

• Rule header: alert tcp any any -> 10.1.1.0/24 80
  – action (alert), protocol (tcp), source address and port number (any any), direction (->), destination address and port number (10.1.1.0/24 80)
• Rule option: (content:"/cgi-bin/phf"; msg:"PHF probe!";)
  – the inspected part (content) and the alert message (msg)
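To show which fields of the header and options decide a match, here is a minimal parser and matcher for exactly the rule on the slide. This is an added example and not Snort's code: it handles the header fields plus the `content` and `msg` options only, and the packets it runs over are constructed here.

```python
"""Minimal Snort-style rule parser and matcher for the header/option split shown
on the slide. Added example, not Snort code; sample packets are constructed."""
import ipaddress
import re

# The slide's rule, with sid/rev omitted as on the slide (real Snort requires them)
RULE = 'alert tcp any any -> 10.1.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)'


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:"v"; ...)' into a dict."""
    header, _, opts = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only the '->' direction is handled in this example")
    options = dict(re.findall(r'(\w+)\s*:\s*"([^"]*)"\s*;', opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def _addr_ok(spec, ip):
    """'any' or a CIDR block such as 10.1.1.0/24."""
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_ok(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a bytes payload."""
    if pkt["proto"] != rule["proto"]:
        return False
    if not (_addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])):
        return False
    if not (_addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")      # the inspected part
    return content is None or content.encode() in pkt["payload"]


def run(rule_text, packets):
    """Return (packet index, action, msg) for each packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [(i, rule["action"], rule["options"].get("msg"))
            for i, pkt in enumerate(packets) if matches(rule, pkt)]


# Constructed packets: only the first satisfies every field of the rule
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40001, "dst": "10.1.1.5", "dport": 80,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40002, "dst": "10.1.2.5", "dport": 80,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n"},        # destination outside 10.1.1.0/24
    {"proto": "tcp", "src": "192.0.2.10", "sport": 40003, "dst": "10.1.1.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},         # content not present
    {"proto": "udp", "src": "192.0.2.10", "sport": 40004, "dst": "10.1.1.5", "dport": 80,
     "payload": b"/cgi-bin/phf"},                           # wrong protocol
]

if __name__ == "__main__":
    for index, action, msg in run(RULE, PACKETS):
        print(f"packet {index}: {action} -> {msg}")
```

Real Snort rules also carry `sid`/`rev` and richer options (`flow`, `pcre`, `nocase`, offset/depth modifiers, and the byte_jump shown on the performance slide); the example keeps to the two parts the slide names so the header/option division stays visible.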

Page 27: Open Source Implementation 8.6: ClamAV

• Introduction
  – Open-source package for virus scanning
  – Has detected over 570,000 malicious codes (viruses, worms, trojans, etc.) as of the release of version 0.95.2
  – Types of signatures
    • MD5 of a certain PE section (part of an executable file)
    • Basic signatures of fixed strings (scanned over the entire file)
    • Extended signatures (a simplified form of regular expressions containing multiple parts)
    • Logical signatures (multiple signatures combined with logical operators)
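The four signature types above can be exercised with a toy engine. This is an added example modelled on the slide's list, not ClamAV's code: the signature database and the two samples are constructed here, a "section" stands for an (offset, size) byte range in place of a real PE section, and the extended-signature syntax is reduced to `??` (any byte) and `*` (any run).

```python
"""Toy signature engine covering the four ClamAV signature types on the slide:
section hash, fixed string, extended wildcard string, logical combination.
Added example, not ClamAV code; database and samples are constructed."""
import hashlib
import re

# Constructed samples: a marker byte sequence and a command string vs. harmless text
MALICIOUS = b"MZ" + b"\x00" * 10 + b"\xde\xad\x01\xbe\xef" + b"CMD.EXE /c" + b"\x00" * 5
BENIGN = b"MZ" + b"\x00" * 10 + b"\x11\x22\x33\x44\x55" + b"hello world"


def hex_to_regex(sig):
    """Compile 'dead??beef' style hex into a bytes regex: '??' = any byte, '*' = any run."""
    out = b""
    i = 0
    while i < len(sig):
        if sig[i] == "*":
            out += b".*"
            i += 1
        elif sig[i:i + 2] == "??":
            out += b"."
            i += 2
        else:
            out += re.escape(bytes.fromhex(sig[i:i + 2]))
            i += 2
    return re.compile(out, re.DOTALL)


def eval_logical(expr, hits):
    """Evaluate '0&1' or '(0|1)&2' over sub-signature hit flags. The expression is
    whitelisted to digits, &, |, parentheses and spaces before translation."""
    if not re.fullmatch(r"[\d&|() ]+", expr):
        raise ValueError("bad logical expression")
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    py = py.replace("&", " and ").replace("|", " or ")
    return bool(eval(py, {"__builtins__": {}}, {}))


# Constructed database, one entry per signature type on the slide
DB = [
    {"name": "Test.SectionHash", "type": "hash", "offset": 12, "size": 5,
     "md5": hashlib.md5(MALICIOUS[12:17]).hexdigest()},      # hash of the marker region
    {"name": "Test.Basic", "type": "basic", "hex": "434d442e455845"},   # "CMD.EXE"
    {"name": "Test.Extended", "type": "ndb", "hex": "4d5a*dead??beef"},
    {"name": "Test.Logical", "type": "ldb", "expr": "0&1",
     "subsigs": ["dead??beef", "434d44"]},                   # marker AND "CMD"
]


def match_one(sig, data):
    if sig["type"] == "hash":
        region = data[sig["offset"]:sig["offset"] + sig["size"]]
        return len(region) == sig["size"] and hashlib.md5(region).hexdigest() == sig["md5"]
    if sig["type"] == "basic":
        return bytes.fromhex(sig["hex"]) in data
    if sig["type"] == "ndb":
        return hex_to_regex(sig["hex"]).search(data) is not None
    if sig["type"] == "ldb":
        hits = [hex_to_regex(s).search(data) is not None for s in sig["subsigs"]]
        return eval_logical(sig["expr"], hits)
    raise ValueError(f"unknown signature type {sig['type']}")


def scan(data, db=DB):
    """Return the names of all signatures that match `data`."""
    return [sig["name"] for sig in db if match_one(sig, data)]


if __name__ == "__main__":
    print("malicious:", scan(MALICIOUS))
    print("benign:   ", scan(BENIGN))
```

The section hash is the cheapest check but the most brittle (one changed byte in the region defeats it); the wildcard and logical forms are what let one entry cover a family of variants, which is why the matching functions on the block diagram (Aho-Corasick and Boyer-Moore buffer scanners) dominate ClamAV's cost.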

Page 28: Block Diagrams of ClamAV

[Block diagram of the call chains. For signature loading: cl_load → cli_load → cli_cvdload → cli_loaddb, which dispatches to cli_loadmd5, cli_loadndb, cli_loadldb, cli_loadwdb and cli_loadpdb, each of which calls cli_parseadd. For signature matching: cli_scanfile → cli_magic_scandesc → cli_scandesc (with format handlers such as cli_scanrar and cli_unzip, ...) → cli_ac_scanbuff (Aho-Corasick) and cli_bm_scanbuff (Boyer-Moore).]

Page 29: Performance Matters: Comparing Intrusion Detection, Antivirus, Anti-Spam, Content Filtering, and P2P Classification

Package | Percentage of time spent in string matching | Inspection depth
Snort | 62% | Byte jump
DansGuardian | 86% | HTTP request / response
ClamAV | 57% | All attachment content
SpamAssassin | 31% | Mail header / body
L7-filter | 70% | First 10 packets

Page 30: Distribution of Captured Malware: Active Collection vs. Passive Collection

(a) Distribution of captured malware for Honey-Inspector (active collection): Trojan 59%, Others 21%, Bot 12%, Worm 8%
(b) Distribution of captured malware for the passive honeypot system: Bot 79%, Others 13%, Trojan 5%, Worm 3%

• Active collection and passive collection are quite disjoint.

Page 31: Architecture of a Botnet

[Figure: the attacker (1) injects bot code into victim hosts, which become bots; the bots keep a (2) C&C channel to the C&C server; on command they (3) attack the victim.]

Page 32: Distribution of Malware's Capture Time

[Figure: cumulative percentage of capture time (%, 0 to 90) against the number of days the malware signature had existed, for Honey-Inspector and for the passive honeypot system.]

• More zero-day malware can be collected "actively".

Ying-Dar Lin, Chia-Yin Lee, Yu-Sung Wu, Pei-Hsiu Ho, Fu-Yu Wang, Yi-Lang Tsai, "How Different Are Malware Collected Actively and Passively?," IEEE Computer, to appear in 2014.

Page 33: Behaviors by GFI Sandbox

[Figure: frequency of each behavior (%, 0 to 100) among benign programs vs. malware, for the behaviors reported by GFI Sandbox:]
• Alters Windows Firewall
• Checks For Debugger
• Copies to Windows
• Could Not Load
• Creates DLL in System
• Creates EXE in System
• Creates Hidden File
• Creates Mutex
• Creates Service
• Deletes File in System
• Deletes Original Sample
• Hooks Keyboard
• Injected Code
• Makes Network Connection
• Modifies File in System
• Modifies Local DNS
• More than 5 Processes
• Opens Physical Memory
• Starts EXE in Documents
• Starts EXE in Recycle
• Starts EXE in System
• Windows/Run Registry Key Set

• Some behaviors are potentially more malicious than others.

Page 34: Top 20 Requested Permissions by Android Malware

[Figure: the top 20 permissions requested by Android malware.]

• Again, some permissions are potentially more malicious than others.

Page 35: Malicious Behaviors

[Figure: behaviors are divided into benign behaviors, suspicious behaviors, malicious network behaviors (intrusive behaviors) and malicious behaviors (non-intrusive behaviors).]

• Host behaviors: non-intrusive behaviors
• Network behaviors: intrusive behaviors

Page 36: Comparison of PC and Android behavior, propagation and detection methods

Aspect | PC | Android
Behavior | Client side: data file destruction, privacy theft, disruption of system processes, consumption of large amounts of computer resources. Network side: network congestion | Data destruction, privacy theft, financial and commercial actions
Propagation | Hyperlinks, e-mail attachments, P2P software, USB / floppy / optical disc | APK files
Detection method | Behavior-based detection & signature-based detection | Signature-based detection

Page 37: APK file structure

APK file structure | Description
META-INF (directory) | Signature metadata
  Manifest.mf | Manifest file
  Cert.rsa | Application certificate
  Cert.sf | List of resources / SHA-1
Res (directory) | Resources used by the APK (png/xml)
Resources.arsc | List of resource locations
AndroidManifest.xml | Android binary XML containing name, version, permissions
Classes.dex | Compiled source code
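The META-INF bookkeeping in this table is what lets a defender tell a repackaged application (the propagation method on the earlier slides) from the original: MANIFEST.MF records a SHA-1 digest for every file in the archive. The following is an added example, not Android's verifier: it builds two APK-shaped zips in memory, an original and a copy whose classes.dex was altered without regenerating META-INF, and reports which entries no longer match. CERT.SF and CERT.RSA are placeholders here; the rest of the chain (CERT.SF over MANIFEST.MF, CERT.RSA over CERT.SF, comparison of the signer certificate) is not implemented.

```python
"""Check MANIFEST.MF digests of an APK-shaped zip to spot a repackaged entry.
Added example, not the Android verifier; both archives are constructed in memory."""
import base64
import hashlib
import io
import zipfile


def sha1_b64(data):
    """JAR-style digest: base64 of the raw SHA-1 of the entry's bytes."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_manifest(files):
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():          # real manifests wrap lines at 72 bytes; names here are short
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    return "\r\n".join(lines).encode()


def build_apk(files, cert_placeholder=b"constructed-cert-placeholder"):
    """Write the APK layout from the table: entries, then META-INF/MANIFEST.MF, CERT.SF, CERT.RSA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
        manifest = build_manifest(files)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF",
                   b"Signature-Version: 1.0\r\nSHA1-Digest-Manifest: " + sha1_b64(manifest).encode() + b"\r\n")
        z.writestr("META-INF/CERT.RSA", cert_placeholder)   # stands in for the PKCS#7 signature block
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: recorded SHA1-Digest}."""
    digests, name = {}, None
    for line in text.decode().splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name is not None:
            digests[name], name = line[13:], None
    return digests


def check_apk(apk_bytes):
    """Return {entry: 'ok' | 'digest mismatch' | 'not in manifest'} for every non-META-INF entry."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF"))
        for info in z.infolist():
            if info.filename.startswith("META-INF/"):
                continue
            data = z.read(info.filename)
            if info.filename not in digests:
                report[info.filename] = "not in manifest"
            elif digests[info.filename] != sha1_b64(data):
                report[info.filename] = "digest mismatch"
            else:
                report[info.filename] = "ok"
    return report


def repackage(apk_bytes, replacements):
    """Simulate a repackager that swaps entries but leaves META-INF untouched."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            dst.writestr(info.filename, replacements.get(info.filename, src.read(info.filename)))
    return out.getvalue()


# Constructed file contents standing in for the real binary formats
ORIGINAL_FILES = {
    "AndroidManifest.xml": b"<binary-xml placeholder: name, version, permissions>",
    "classes.dex": b"dex\n035\0original compiled code",
    "resources.arsc": b"resource table placeholder",
    "res/drawable/icon.png": b"\x89PNG placeholder",
}
ORIGINAL_APK = build_apk(ORIGINAL_FILES)
REPACKAGED_APK = repackage(ORIGINAL_APK, {"classes.dex": b"dex\n035\0original compiled code + injected"})

if __name__ == "__main__":
    print("original:  ", check_apk(ORIGINAL_APK))
    print("repackaged:", check_apk(REPACKAGED_APK))
```

A repackager who re-signs the archive with a new key will pass this digest check, so in practice the check is paired with a comparison of CERT.RSA against the developer's known signing certificate; the digest mismatch above is only the lazy case, but it is the one the slide's "repackaged application" category most often shows.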

Page 38: Android malware behaviors and types

Types: Trojan, Rootkit, Spyware, Adware, PuA, Backdoor

[Figure: malware families placed under these types: Geinimi, PJApps, ADRD, DroidDream, DroidKungFu, SMS.FakeInst, GGTracker, J.SMSHider, DroidDreamLight, BgServ, RogueSPPush, NickySpy, Toolbar.MywebSearch, Ropin.]

• Trojan (malicious actions on the user's data), Rootkit (changes of privileges), Spyware (monitoring the user's private data), Adware (pushing meaningless advertisements to the user), PuA (malicious use of the user's phone resources), Backdoor (using a backdoor in the program to steal data while the user runs it)

Page 39: APT attacks vs. traditional attacks

Property | APT Attacks | Traditional Attacks
Persistent | Yes | No
Targeted | Yes | No
Planned | Yes | No
Custom exploits | Yes | No
Hidden | Yes | No
Motivation | Collect valuable information and exfiltrate it | Variable

Page 40: The latest network hacker attack methods and countermeasure technologies

• Latest attack methods
  – Botnets
  – Repackaged apps
  – Advanced Persistent Threats (APT)
• Countermeasure technologies
  – Signature matching
  – Behavior analysis
  – Reverse engineering

Page 41: Malware detection methods

Three methodologies for malware detection: static analysis, behavior analysis, reverse engineering.

Method | Executes the file | Fast/Slow | Information | Overhead | Example tools
Static analysis | No | Fast | General | Low | ClamAV
Behavior analysis | Yes | Slow | General | High | ViCheck.ca, Joe Sandbox
Reverse engineering | Partial | Slow | Detailed | High | Xecure

Page 42: Sample collection: 300 APT samples

CVE Number | File Type | # Samples | Product | Vulnerability
CVE-2010-0188 | PDF | 48 | Acrobat Reader | Adobe Reader PDF LibTiff Integer Overflow
CVE-2010-2883 | PDF | 24 | Acrobat & Acrobat Reader | Adobe CoolType SING Table Stack Buffer Overflow
CVE-2010-3333 | RTF | 52 | Microsoft Office | MS Office 2010 RTF Header Stack Overflow
CVE-2011-2462 | PDF | 25 | Acrobat & Acrobat Reader | Adobe Reader U3D Memory Corruption
CVE-2012-0158 | RTF | 131 | Microsoft Office | Stack Buffer Overflow in MSCOMCTL.OCX
CVE-2013-0640 | PDF | 20 | Acrobat & Acrobat Reader | Adobe Reader Unspecified Buffer Overflow

Page 43: Heap spraying

[Figure: two heap layouts from 0 MB to 300 MB with a legend of used memory, free memory and shellcode. Normal heap layout: used and free regions interspersed. After heap spraying: the free regions are occupied by copies of the shellcode.]

Page 44: Experiment 1: reverse engineering: classifying samples by malware region (CVE-2010-3333)

Sample breakdown:
• benign 13%, error 2%
• malicious, one region: pFragments 42%; outside structure 7%
• malicious, two regions: pFragments + outside structure 18%; datastore + outside structure 2%; pFragments + datastore 2%; pFragments + objdata 1%
• malicious, three regions: pFragments + datastore + outside structure 10%

Page 45: Experiment 2: reverse engineering: classifying samples by malware region (CVE-2012-0158)

Sample breakdown:
• benign 3.3%
• malicious, one region: themedata 21%; outside structure 19.6%; objdata 7.3%; pFragments 0.6%
• malicious, two regions: objdata + outside structure 39.6%; themedata + objdata 5.6%; themedata + outside structure 1%; pFragments + outside structure 0.3%; datastore + objdata 0.3%; datastore + outside structure 0.3%

Page 46: Experiment 3: forward engineering: embedding malware into a normal RTF

• After embedding:
  1. the malware is detected
  2. the context does not change

[Figure: a malicious RTF sample (context + shellcode) and a normal RTF file; the embedded malicious code is transplanted into the normal file, giving an RTF that keeps the original context and now also carries the shellcode.]

Page 47: APT summary

• Characteristics of APT: customized samples, stealth
• Detection methods: static, dynamic, reverse engineering
• Stuffing malware into RTF documents
  – Adding shellcode
  – Where: pFragments, OBJDATA, Themedata, Datastore, outside structures
  – Different malware uses different regions
  – Malware for the same CVE also uses different regions
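The region list above, and the classification by region in Experiments 1 and 2, can be reproduced with a scanner that locates hex-encoded payloads and reports which RTF destination they sit in. This is an added example, not the speaker's tool: it brace-matches the `{\*\pFragments ...}`, `{\*\objdata ...}`, `{\*\themedata ...}` and `{\*\datastore ...}` groups, extracts the hex runs, decodes them and reports region, size and byte entropy; the two documents it scans, the 32-byte minimum run length and the entropy measure are constructed here.

```python
"""Locate hex-encoded blobs in an RTF file and name the region they occupy
(pFragments, objdata, themedata, datastore, or outside any of these).
Added example, not the speaker's tool; sample documents are constructed."""
import math
import re

REGIONS = ("pFragments", "objdata", "themedata", "datastore")
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}\s*){32,}")     # at least 32 hex bytes (threshold assumed)
GROUP_START = re.compile(r"\{\\\*\\(" + "|".join(REGIONS) + r")\b")


def entropy(data):
    """Shannon entropy in bits per byte; 0 for a constant blob, up to 8 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def find_groups(rtf):
    """Yield (region, start, end) for each {\\*\\<region> ...} group, by brace matching."""
    for m in GROUP_START.finditer(rtf):
        depth = 0
        for i in range(m.start(), len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), m.start(), i + 1
                    break


def classify(rtf):
    """Return one dict per hex run: which region holds it, decoded size, entropy."""
    groups = list(find_groups(rtf))
    findings = []
    for run in HEX_RUN.finditer(rtf):
        region = "outside structure"
        for name, start, end in groups:
            if start <= run.start() < end:
                region = name
                break
        blob = bytes.fromhex(re.sub(r"\s", "", run.group()))
        findings.append({"region": region, "size": len(blob), "entropy": round(entropy(blob), 2)})
    return findings


# Constructed documents. The "payloads" are plain byte ramps and zeros, not code.
MALICIOUS_RTF = (
    r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}"
    r"{\*\pFragments 2 0 " + bytes(range(64)).hex() + "}"
    r"{\object\objemb{\*\objdata " + (b"\x00" * 40).hex() + "}}"
    r"\par Quarterly report text.\par "
    + bytes(range(32)).hex() +
    r"}"
)
BENIGN_RTF = r"{\rtf1\ansi{\fonttbl{\f0 Arial;}}\par Quarterly report text.\par}"

if __name__ == "__main__":
    for f in classify(MALICIOUS_RTF):
        print(f"{f['region']:<18} {f['size']:>5} bytes  entropy {f['entropy']}")
    print("benign:", classify(BENIGN_RTF))
```

A region name alone does not make a document malicious (objdata legitimately holds embedded OLE objects), which is why the scanner also reports size and entropy: a large, high-entropy blob in pFragments or outside any recognised structure is the pattern the experiments above associate with the exploit samples, and a per-region tally over a corpus reproduces the percentages on the two classification slides.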

Page 48: Conclusions

• Telephone and network tapping is rampant
  – Regulation must separate the players from the referees
  – The technical methods are diverse: RFC 3924, requests to operators, interception, backdoors
  – Products on both the offensive and the defensive side have market potential
• ICT security at a higher level
  – From servers to clients
  – From active attack to passive propagation
  – From desktops and laptops to mobile phones
  – From program propagation to document-borne payloads
• How can individuals protect themselves?

Page 49: Q&A

• Q1: Extensions behind a 0972 toll-saving line cannot be tapped by an RFC 3924 interception room.
• Q2: Telecom carriers do not know who is being tapped by the RFC 3924 interception room.
• Q3: Encrypted mobile phone calls cannot be intercepted over the air.
• Q4: Communication network equipment that has passed security testing can still have a backdoor implanted through a firmware update.
• Q5: Among recent network attack patterns, the proportion of active attacks is higher than that of passive ones.
• Q6: Antivirus software often fails to catch APTs because: (1) no sample of the virus was obtained, (2) the virus mutates so that signature matching fails, (3) the macro program inside the document file was not executed dynamically, (4) all of the above are possible.
• Q7: The characteristics of honeypot malware collection are: (1) active collection of actively propagated malware, (2) active collection of passively propagated malware, (3) passive collection of actively propagated malware, (4) passive collection of passively propagated malware.
• Q8: The most common propagation method of mobile phone viruses today is: (1) actively propagated programs, (2) actively propagated documents, (3) passively propagated programs, (4) passively propagated documents.
• Q9: Among signature matching, behavior analysis and reverse engineering, which execute the virus program: (1) signature matching, (2) behavior analysis, (3) reverse engineering, (4) behavior analysis and reverse engineering, (5) signature matching and behavior analysis, (6) signature matching and reverse engineering.
• Q10: Which ICT product usage habits are highly dangerous (multiple answers): (1) the phone's Bluetooth is on by default, (2) lending the phone to friends, (3) other people can see who your Facebook friends are, (4) using Line or Skype for communication, (5) using WeChat for communication, (6) looking for programs, music and games on P2P networks.