Evolution of ICT Security: A Perspective From Wiretapping (從監聽門事件看資通訊安全演進), slide transcript
1
Evolution of ICT Security: A Perspective From Wiretapping (從監聽門事件看資通訊安全演進)
Ying-Dar Lin (林盈達), IEEE Fellow, IEEE ComSoC Distinguished Lecturer
Department of Computer Science, National Chiao Tung University (NCTU)
[email protected]
11-28-2013
2
Areas of research interests
• Deep Packet Inspection: attack, virus, spam, porno, P2P; software, algorithm, hardware, SoC; real traffic, beta site, botnet
• Internet security and QoS
• Wireless communications
• Test technologies of switch, router, WLAN, security, VoIP, 4G/LTE and smartphones
Publications
• International journal: 95; International conference: 51; IETF Internet Draft: 1; Industrial articles: 153
• Textbooks: 3 (Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011)
• Patents: 30; Tech transfers: 8
• Well-cited paper: Multihop Cellular: A New Architecture for Wireless Communications, INFOCOM 2000, YD Lin and YC Hsu; #citations: 600; standardized into IEEE 802.11s, Bluetooth, WiMAX, and LTE
Ying-Dar Lin (林盈達)
• B.S., NTU-CSIE, 1988; Ph.D., UCLA-CS, 1993
• Professor (1999~) / Associate Professor (1993~1999), NCTU-CS; IEEE Fellow (2013); IEEE ComSoC Distinguished Lecturer (2014&2015)
• Founder and Director, III-NCTU Embedded Benchmarking Lab (EBL; www.ebl.org.tw), 2011~
• Founder and Director, NCTU Network Benchmarking Lab (NBL; www.nbl.org.tw), 2002~
• Editorial Boards: IEEE Wireless Comm. (2013~), IEEE Transactions on Computers (2011~), IEEE Computer (2012~), IEEE Network (2011~), IEEE Communications Magazine – Network Testing Series (2010~), IEEE Communications Letters (2010~), Computer Communications (2010~), Computer Networks (2010~), IEEE Communications Surveys and Tutorials (2008~), IEICE Transactions on Information and Systems (11/2011~)
• Guest Editors of Special Issues: Open Source for Networking, IEEE Network, Mar 2014; Mobile Application Security, IEEE Computer, Mar 2014; Multi-Hop Cellular, IEEE Wireless Communications, Oct 2014; Deep Packet Inspection, IEEE JSAC, Q4 2014; Traffic Forensics, IEEE Systems Journal, early 2015.
• CEO, Telecom Technology Center (www.ttc.org.tw), 7/2010~5/2011
• Director, Computer and Network Center, NCTU, 2007~2010
• Consultant, ICL/ITRI, 2002~2010
• Visiting Scholar, Cisco, San Jose, 7/2007-7/2008
• Director, Institute of Network Engineering, NCTU, 2005~2007
• Co-Founder, L7 Networks Inc. (www.L7.com.tw), 2002
3
Computer Networks: An Open Source Approach considers why a protocol, designed a specific way, is more important than how a protocol works. Key concepts and underlying principles are conveyed while explaining protocol behaviors. To further bridge the long-existing gap between design and implementation, it illustrates where and how protocol designs are implemented in Linux-based systems. A comprehensive set of fifty-six live open source implementations spanning across hardware (8B/10B, OFDM, CRC32, CSMA/CD, and crypto), driver (Ethernet and PPP), kernel (longest prefix matching, checksum, NAT, TCP traffic control, socket, shaper, scheduler, firewall, and VPN), and daemon (RIP/OSPF/BGP, DNS, FTP, SMTP/POP3/IMAP4, HTTP, SNMP, SIP, streaming, and P2P) are interleaved with the text.
Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011. www.mhhe.com/lin; available now at amazon.com. Facebook Q&A Community: www.facebook.com/CNFBs. ISBN: 0-07-337624-8 / 978-007-337624-0
4
Outline
1. The story of the wiretapping scandal (20 mins)
2. Possible ways of wiretapping phones and networks (20 mins)
3. The evolution of network and communication security (20 mins)
4. The latest network attack methods and countermeasures (40 mins)
5. Q&A (20 mins)
5
The story of the wiretapping scandal
• Can a 0972 toll-saving (節費) phone line be wiretapped?
– Three government agencies (the Investigation Bureau, the Criminal Investigation Bureau, and the NCC), three answers: no (if one does not know in advance that it is a toll-saving line), yes, and don't know!
– The difference between a subscriber-side line and a central-office-side line: 0972630235 vs. (02)2358-5858
• From the telecom switching room to the interception room: interception equipment conforming to RFC 3924
• Referee vs. player: the court / the interception room vs. the investigating agencies
6
Centrex + PBX architecture
[Figure: CHT Centrex switching (Chunghwa Telecom virtual PBX) connected to the NEC PBX (Legislative Yuan switchboard) over the 2358-XXXX Centrex lines and over the E1 toll-saving trunk (0972-630231~37); extensions 1000, 1001, 1002 and 1003 hang off the PBX.]
• When a user dials 2358-XXXX, Centrex forwards the destination code to the PBX, which uses the last four digits to decide which extension to ring.
• When an extension dials out, the PBX sends 2358 (the exchange code) plus the extension number.
• When an extension dials "0", the NEC PBX seizes the E1 toll-saving trunk and routes the call over the E1 line to the CHT switch. Although the outgoing call is configured as "no caller ID", the system still records the outgoing number as 0972-630231~37, and the call is billed at the "toll-saving" rate.
• When an extension dials "*0", the NEC PBX seizes a Centrex line and routes the call to the CHT switch over the normal path; the number presented is the Centrex number, and the call is billed at the "normal" rate.
7
0972630235 vs. (02)2358-5858
• Three combinations:
– Legislative Yuan extension to the outside: the control signalling carries 0972630235 • to be wiretapped and recorded!
– Outside to a Legislative Yuan extension via (02)2358-5858 • not wiretapped or recorded
– Outside to a Legislative Yuan extension via 0972630235 • to be wiretapped and recorded!
8
Telephone wiretapping methods
• Without a remote interception system:
– The intercepting agency takes the warrant directly into the switching room and taps the line at the MDF (main distribution frame) or at the test desk.
• With a remote interception system:
– All Type I telecom carriers (fixed-line and mobile operators) and the new Special Type II operators (toll-saving companies) already have remote interception systems interconnected for the Investigation Bureau or the Criminal Investigation Bureau, but the equipment for operating and managing the taps and for storing and processing the intercepted content is all built at the intelligence/security agencies.
– Type I carriers: interception is generally handled by the Investigation Bureau.
– Special Type II (toll-saving companies): interception is generally handled by the Criminal Investigation Bureau.
9
Lawful Intercept Architecture Reference Model
[Figure (IETF RFC 3924 / ETSI ES 201671): the Law Enforcement Agency (LEA) talks to a Lawful Intercept Administration Function and a Mediation Device (MD); the Intercept Related Information (IRI) IAP and the Content Intercept Access Point (IAP) sit inside the Service Provider Functions. Labelled interfaces: HI1 (a), MD Provisioning Interface (b), Intercept Request (c, d), IRI (e), Intercepted Content (f), HI2 (g), HI3 (h); user content flows through the content IAP.]
10
[Figure: the Centrex/PBX setup mapped onto the lawful-intercept model: the CHT Centrex virtual PBX, the E1 trunk to the NEC PBX, and the C7 signalling link; the intercept access side is built in the fixed-line or mobile operator's switching room, and the monitoring side is built at the intelligence/security agency.]
11
Is only the telephone tapped, not the network?
• The network is tapped too
– RFC 3924 also covers data services
– Most application protocols are not encrypted
– Packet identification for common application protocols is no problem
– Traffic can be recorded or replayed in real time
– Packet identification and decoding of P2P applications have higher false-positive and false-negative rates
12
Referee vs. player: the court / the interception room vs. the investigating agencies
• How many people have their phones and network connections tapped?
– Thirty thousand... at any time!
• If each person is tapped for six months on average, there should be sixty thousand warrants a year!! But the actual number of warrants is far below that!
• Why??
– A prosecutor uses one warrant as an all-you-can-eat wild card
• Unrelated people are added to the tap
• The court is failing in its duty!
– Players doubling as referees
• Players: the prosecution system, the Investigation Bureau, the Criminal Investigation Bureau
• Referees: the court, the Investigation Bureau, the Criminal Investigation Bureau
• Case officers of the Investigation Bureau and the Criminal Investigation Bureau <-> staff managing the interception rooms of those same bureaus
• Intelligence interception for which no warrant can be requested
• The interception rooms should be handed over to a third party!
13
Possible ways of "illegal" telephone and network interception
• An RFC 3924 standard interception room
– Cooperate with the Investigation Bureau's room
– Have the Investigation Bureau run a line directly to a self-built room
• Cooperate directly with telecom operators or web sites
– The government of country A requesting data from a country-B operator doing business in A: depends on the size of A's market
– The government of country A requesting data from a country-A operator doing business in B: the easiest
– The government of country A requesting data from a country-C operator doing business in B: only the US can do that
• Wireless and wired interception
– Cable interception
– Wireless interception
• IMSI catcher: Rohde & Schwarz patent of 2003, declared invalid by a UK court in 2012
• Femtocatch: femtocell
• Bluejacking: Bluetooth, Wi-Fi, GPS, etc.
• Backdoor programs
– Manual: install software (phone spy, call interception), copy the SIM card
– Automatic: malware
14
Cooperating directly with telecom operators or web sites
• Sold out by your carrier or web site?
– Carriers are already covered by RFC 3924
– Are US or Japanese web sites and communities less likely to sell you out?
• Using a domestic operator: you will certainly be sold out
• Using an operator from a hostile country: you will definitely be sold out
• Using one from a third country: relatively less likely
– Are Skype and Line absolutely safe?
• Yes... if they don't sell you out
– Just use Bitmessage!
• Decentralized P2P
• Cannot sell you out!
15
US interception in other countries
• According to the material Edward Snowden gave to the British media
– Cooperating with the local governments' interception rooms
– Cooperating with operators' switching rooms and with web sites
• Wired and wireless interception?
• Backdoor programs?
16
Wireless interception: IMSI Catcher
• IMSI (International Mobile Subscriber Identity)
• A false mobile tower: man-in-the-middle attack
• Identify the IMSI number and intercept through protocol hacking: solicit/associate/configure/tap
– Masquerade as a base station and log the IMSI numbers of nearby handsets
– No authentication of the base station by the handset
– Downgrade to GSM
– Disable encryption (A5/0 mode)
17
Defcon: Hacker shows how he can intercept cell phone calls with $1,500 device
• Chris Paget at Defcon in Las Vegas, 7-31-2010
• Demo video at http://venturebeat.com/2010/07/31/hacker-shows-how-he-can-intercept-cell-phone-calls-for-1500/
18
Black Hat: Intercepting Calls and Cloning Phones with Femtocells
• Ritter and DePerry at Black Hat in Las Vegas on 8-1-2013
• CDMA femtocell
• Femtocatch: 2.5-way call
19
Backdoor programs
• Installed software
– StealthGenie
– Wireflex
– Call Interceptor
– Spyera
• SIM card copying
– Phone cloning
– Read the crypto key with a SIM reader
– Install spyware on the target phone
• Malware
– Repackaged applications
– Repackaged documents
20
StealthGenie
• Spy on their Calls
• Spy on their SMS Messages
• Track their GPS Location
• Read their Emails
• Spy on their Instant Messengers
• View their Multimedia Files
• Monitor their Internet Activities
• View their Contacts and Calendar Activities
• Bug their Phone
• Instant Alerts and Notifications
• Remotely Control their Phone
21
The evolution of network and communication security
• From servers to clients
• From active attack to passive propagation
• From desktops and laptops to mobile phones
• From program propagation to document carriers
General Security Issues
• Data security: protecting private data on the public Internet
– Encryption & authentication: Virtual Private Network (VPN)
• Access security: deciding who can access what
– TCP/IP firewall or application firewall
• System security: protecting system resources from hackers
– Intrusion detection and prevention
– Malware detection and prevention
22
Vulnerability Exploiting on "Servers"
• Buffer overflow attack
– Put more data into the specified buffer than it can hold, causing a buffer overflow
– The overwritten return address then points to the cracked file, which gets executed
23
[Figure: stack layout before and after the overflow. Before: stack pointer, return address, buffer (200 bytes). After: stack pointer, the cracked file address in place of the return address, buffer (200 bytes). Caption: put more data into the buffer than it holds to cause a buffer overflow and point the return address at the cracked file address.]

```c
void called() {
    /* ... */
    char buffer[200];   /* 200-byte stack buffer that the overflow overruns */
    /* ... */
}
```
Some Server Vulnerabilities
24
| Vulnerability | Application | Version | Reason |
|---|---|---|---|
| phf Remote Command Execution Vulnerability | Apache Group Apache | 1.0.3 | Input Validation Error |
| Multiple Vendor BIND (NXT Overflow) Vulnerabilities | ISC BIND | 8.2.1 | Buffer Overflow |
| MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability | Microsoft IIS | 4.0 | Buffer Overflow |
| Univ. Of imapd Buffer Overflow Vulnerability | imapd | 12.264 | Buffer Overflow |
| ProFTPD Remote Buffer Overflow | Professional FTP proftpd | 1.2pre5 | Buffer Overflow |
| Sendmail Daemon Mode Vulnerability | Eric Allman Sendmail | 8.8.2 | Input Validation Error |
| RedHat Piranha Virtual Server Package Default Account and Password Vulnerability | RedHat Linux | 6.2 | Configuration Error |
| Wu-Ftpd Remote Format String Stack Overwrite Vulnerability | wu-ftpd | 2.6 | Input Validation Error |
Open Source Implementation 8.7: Snort
25
Three modes
• Sniffer: read and decode network packets
• Packet logger: log packets to disk
• Intrusion detection system: analyze traffic based on pre-defined rules and perform actions based upon what it sees
26
Writing Snort Rules
• Rule header: alert tcp any any -> 10.1.1.0/24 80
– action, protocol, source address and port number, destination address and port number
• Rule option: (content: "/cgi-bin/phf"; msg: "PHF probe!";)
– inspective part (content), alert message (msg)
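As an added example (not from the slides and not Snort's own code), a small Python matcher that splits the rule above into the header fields and options the slide labels and applies it to constructed packets: the phf probe into 10.1.1.0/24 fires the alert, while the same probe into another network and an ordinary request into the protected network do not.

```python
import ipaddress
import re
# Added illustration, not Snort's own code: parse the slide's rule and apply it to packets.
RULE = 'alert tcp any any -> 10.1.1.0/24 80 (content:"/cgi-bin/phf"; msg:"PHF probe!";)'

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+)\s*:\s*"([^"]*)"\s*;')

def parse_rule(text):
    """Split a rule into header fields (action, protocol, src/dst address and port) and options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": dict(OPTION_RE.findall(opts))}

def addr_matches(spec, ip):
    # spec is 'any' or a CIDR block such as 10.1.1.0/24
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def match(rule, pkt):
    """Return the rule's msg if header and content both match, else None."""
    header_ok = (pkt["proto"] == rule["proto"]
                 and addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
                 and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if not header_ok:
        return None
    content = rule["options"].get("content")
    if content is not None and content.encode() not in pkt["payload"]:
        return None  # header matched but the inspective part (content) did not
    return rule["options"].get("msg", "")

# Constructed packets: a phf probe into the protected /24, the same probe to another network,
# and an ordinary request into the protected /24.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40001, "dst": "10.1.1.20", "dport": 80,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40002, "dst": "10.1.2.20", "dport": 80,
     "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "192.0.2.7", "sport": 40003, "dst": "10.1.1.20", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]

def run(rule_text=RULE, packets=PACKETS):
    rule = parse_rule(rule_text)
    return [match(rule, p) for p in packets]  # ['PHF probe!', None, None]
```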
Open Source Implementation 8.6: ClamAV
• Introduction
– open-source package for virus scanning
– had detected over 570,000 malicious codes (viruses, worms, trojans, etc.) as of the 0.95.2 release
– Types of signatures
• MD5 for a certain PE section (part of an executable file)
• basic signatures of fixed strings (to be scanned in the entire file)
• extended signatures (in a simplified form of regular expressions containing multiple parts)
• logical signatures (multiple signatures combined with logical operators)
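An added toy scanner (not ClamAV's code or database format; signatures and samples are constructed) showing how the four signature types above behave: a basic fixed-byte signature, an extended signature with ?? and * wildcards, an MD5 signature (taken here over the whole constructed sample rather than one PE section), and a logical signature combining sub-signatures.

```python
import hashlib
import re

# Constructed toy scanner (added illustration, not ClamAV's code or database format).
# Hex signatures use ClamAV-like wildcards: "??" = any single byte, "*" = any run of bytes.

def hex_sig_to_regex(sig):
    """Translate a hex signature with ?? and * wildcards into a compiled bytes regex."""
    parts = []
    for tok in re.findall(r"\*|\?\?|[0-9a-fA-F]{2}", sig):
        if tok == "*":
            parts.append(b".*?")
        elif tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)

SIGNATURES = {
    # basic signature: a fixed byte string scanned over the entire file
    "Test.Basic": ("hex", "4d5a9000deadbeef"),
    # extended signature: fixed fragments joined by wildcards (a simplified regular expression)
    "Test.Extended": ("hex", "e8??????00*5e8b06*c3"),
    # md5 signature: here over the whole constructed sample (ClamAV hashes a PE section)
    "Test.MD5": ("md5", hashlib.md5(b"constructed-sample-bytes").hexdigest()),
}
# logical signature: sub-signatures combined with logical operators, here 0 & (1 | 2)
LOGICAL = {
    "Test.Logical": (["e8??????00", "5e8b06", "c3"], lambda h: h[0] and (h[1] or h[2])),
}

def scan(data):
    """Return the names of every signature that matches the given file contents."""
    found = []
    for name, (kind, body) in SIGNATURES.items():
        if kind == "md5" and hashlib.md5(data).hexdigest() == body:
            found.append(name)
        elif kind == "hex" and hex_sig_to_regex(body).search(data):
            found.append(name)
    for name, (subs, expr) in LOGICAL.items():
        hits = [hex_sig_to_regex(s).search(data) is not None for s in subs]
        if expr(hits):
            found.append(name)
    return found

# Constructed samples, not real malware
SAMPLE_BASIC = b"MZ\x90\x00\xde\xad\xbe\xef" + b"-- rest of file --"
SAMPLE_EXTENDED = b"\xe8\x10\x20\x30\x00junk\x5e\x8b\x06xx\xc3"
```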
27
Block Diagrams of ClamAV
28
[Figure: call graph. For signature loading: cl_load, cli_load, cli_cvdload, cli_loaddb, and the per-format loaders cli_loadmd5, cli_loadndb, cli_loadldb, cli_loadwdb, cli_loadpdb, ending in cli_parseadd. For signature matching: cli_scanfile, cli_magic_scandesc, cli_scandesc, unpackers such as cli_scanrar and cli_unzip (...), and the matchers cli_ac_scanbuff and cli_bm_scanbuff.]
Performance Matters: Comparing Intrusion Detection, Antivirus, Anti-Spam, Content Filtering, and P2P Classification
29
| | Snort | DansGuardian | ClamAV | SpamAssassin | L7-filter |
|---|---|---|---|---|---|
| Percentage of string matching | 62% | 86% | 57% | 31% | 70% |
| Inspection depth | Byte jump | HTTP request / response | All attachment content | Mail header / body | First 10 packets |
30
Distribution of Captured Malware: Active Collection vs. Passive Collection
[Figure (a), the distribution of captured malware for Honey-Inspector: Trojan 59%, Others 21%, Bot 12%, Worm 8%. Figure (b), the distribution of captured malware for the passive honeypot system: Bot 79%, Others 13%, Trojan 5%, Worm 3%.]
• Active collection and passive collection are quite disjoint.
31
Architecture of a Botnet
[Figure: attacker, C&C server, bots and victim, with (1) injection of the bot into hosts, (2) the C&C channel between the C&C server and the bots, and (3) the attack launched by the bots against the victim.]
32
Distribution of Malware’s Capture Time
[Figure: percentage of capture time (%) against the number of days the malware signature had existed (day), for Honey-Inspector and the passive honeypot system.]
• More zero-day malware can be collected “actively”.
Ying-Dar Lin, Chia-Yin Lee, Yu-Sung Wu, Pei-Hsiu Ho, Fu-Yu Wang, Yi-Lang Tsai, "How Different Are Malware Collected Actively and Passively?," IEEE Computer, to appear in 2014.
33
[Figure: frequency of behaviors (%) reported by GFI Sandbox for benign programs vs. malware. Behaviors: Alters Windows Firewall, Checks For Debugger, Copies to Windows, Could Not Load, Creates DLL in System, Creates EXE in System, Creates Hidden File, Creates Mutex, Creates Service, Deletes File in System, Deletes Original Sample, Hooks Keyboard, Injected Code, Makes Network Connection, Modifies File in System, Modifies Local DNS, More than 5 Processes, Opens Physical Memory, Starts EXE in Documents, Starts EXE in Recycle, Starts EXE in System, Windows/Run Registry Key Set.]
• Some permissions are potentially more malicious than the others.
34
Top 20 Requested Permissions by Android Malware
• Again, some permissions are potentially more malicious than the others.
35
Malicious Behaviors
[Figure: behaviors grouped into benign, suspicious and malicious; malicious behaviors are split into malicious network behaviors (intrusive) and malicious host behaviors (non-intrusive).]
• Host behaviors: non-intrusive behaviors
• Network behaviors: intrusive behaviors
36
Comparison of behaviors, propagation and detection methods: PC vs. Android
| | PC | Android |
|---|---|---|
| Behaviors | Client-side: data file destruction, privacy theft, disrupted system processes, heavy consumption of computer resources; network-side: network congestion | Data destruction, privacy theft, financial and commercial behaviors |
| Propagation | Hyperlinks, e-mail attachments, P2P software, USB / floppy / optical disc | APK files |
| Detection method | Behavior-based detection & signature-based detection | Signature-based detection |
37
APK file structure
| APK file structure | Description |
|---|---|
| META-INF (directory) | |
| Manifest.mf | Manifest file |
| Cert.rsa | Application certificate |
| Cert.sf | List of resources / SHA-1 |
| Res (directory) | Resources used by the APK (png/xml) |
| Resources.arsc | List of resource locations |
| AndroidManifest.xml | Android binary containing name, version, permissions |
| Classes.dex | Compiled source code |
38
Android malware behaviors and families
Categories: Trojan, Rootkit, Spyware, Adware, PuA, Backdoor
Families: Geinimi, PJApps, ADRD, DroidDream, droidKungFu, SMS.FakeInst, GGTracker, J.SMSHider, DroidDreamLight, BgServ, RogueSPPush, NickySpy, Toolbar.MywebSearch, Ropin
Trojan (malicious actions on the user's data), Rootkit (changing privileges), Spyware (eavesdropping on the user's privacy), Adware (pushing meaningless advertisements to the user), PuA (malicious use of the user's phone resources), Backdoor (using a backdoor in the program to steal data while the user runs it)
39
APT attacks vs. traditional attacks
| | APT Attacks | Traditional Attacks |
|---|---|---|
| Persistent | Yes | No |
| Targeted | Yes | No |
| Planned | Yes | No |
| Custom exploits | Yes | No |
| Hidden | Yes | No |
| Motivation | Collect beneficial information and exfiltrate it | Variable |
40
The latest network attack methods and countermeasures
• Latest attack methods
– Botnets
– Repackaged apps
– Advanced Persistent Threats (APT)
• Countermeasures
– Signature matching
– Behavior analysis
– Reverse engineering
41
Malware detection methods
Three methodologies for malware detection: static analysis, behavior analysis, reverse engineering
| Method | Executes file | Fast/Slow | Information | Overhead | Example tools |
|---|---|---|---|---|---|
| Static analysis | No | Fast | General | Low | ClamAV |
| Behavior analysis | Yes | Slow | General | High | ViCheck.ca, Joe Sandbox |
| Reverse engineering | Partial | Slow | Detailed | High | Xecure |
42
Sample collection: 300 APT samples
| CVE Number | File Type | # Samples | Product | Vulnerability |
|---|---|---|---|---|
| CVE-2010-0188 | PDF | 48 | Acrobat Reader | Adobe Reader PDF LibTiff Integer Overflow |
| CVE-2010-2883 | PDF | 24 | Acrobat & Acrobat Reader | Adobe CoolType SING Table Stack Buffer Overflow |
| CVE-2010-3333 | RTF | 52 | Microsoft Office | MS Office 2010 RTF Header Stack Overflow |
| CVE-2011-2462 | PDF | 25 | Acrobat & Acrobat Reader | Adobe Reader U3D Memory Corruption |
| CVE-2012-0158 | RTF | 131 | Microsoft Office | Stack Buffer Overflow in MSCOMCTL.OCX |
| CVE-2013-0640 | PDF | 20 | Acrobat & Acrobat Reader | Adobe Reader Unspecified Buffer Overflow |
43
Heap spraying
[Figure: the normal heap layout compared with the layout after heap spraying, each on a 0 MB to 300 MB scale; legend: used memory, free memory, shellcode.]
Experiment 1: reverse engineering, classifying samples by malware region (CVE-2010-3333)
[Figure: breakdown of the samples. Malicious, single region: pFragments 42%, outside structure 7%; 2 regions: pFragments + outside structure 18%, pFragments + Datastore 2%, Datastore + outside structure 2%, pFragments + Objdata 1%; 3 regions: pFragments + Datastore + outside structure 10%. Benign 13%; error 2%.]
44
Experiment 2: reverse engineering, classifying samples by malware region
45
[Figure: breakdown of the CVE-2012-0158 samples. Benign 3.3%. Malicious, single region: Objdata + outside structure is the largest group at 39.6%, followed by Themedata 21%, outside structure 19.6%, Objdata 7.3%, pFragments 0.6%; 2 regions: Themedata + Objdata 5.6%, Themedata + outside structure 1%, pFragments + outside structure 0.3%, Datastore + Objdata 0.3%, Datastore + outside structure 0.3%.]
CVE-2012-0158
Experiment 3: forward engineering, embedding malware into a normal RTF
• After embedding:
1. the malware is detected
2. the document context does not change
46
[Figure: the shellcode of a malicious RTF sample is embedded into a normal RTF file; the resulting RTF keeps the original context and carries the embedded malicious code (shellcode).]
47
APT summary
• Characteristics of APT: customized samples, stealth
• Detection methods: static, dynamic, reverse engineering
• Stuffing malware into RTF documents
– Adding shellcode
– Where: pFragments, OBJDATA, Themedata, Datastore, outside structures
– Different malware uses different regions
– Malware for the same CVE also uses different regions
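An added Python heuristic (not the tool behind Experiments 1 and 2; the region markers, threshold and samples are constructed) that takes the defender's view of the classification used above: it reports which of the named RTF regions, or "outside structure", carries a long hex blob.

```python
import re

# Constructed heuristic (added illustration, not the tool used in the slides): report which
# RTF regions carry long hex blobs, using the region names the slides use for classification.
REGION_MARKERS = {
    "pFragments": r"\{\\sn pFragments\}\{\\sv ",
    "Objdata": r"\\objdata",
    "Themedata": r"\\themedata",
    "Datastore": r"\\datastore",
}
MIN_HEX = 64  # constructed threshold in hex digits; small legitimate objects stay below it

def group_body(text, start):
    """Return the text from start up to the '}' that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            if depth == 0:
                return text[start:i]
            depth -= 1
    return text[start:]

def hex_blob(text):
    """True if text (ignoring whitespace) contains a hex run of at least MIN_HEX digits."""
    return re.search(r"[0-9a-fA-F]{%d,}" % MIN_HEX, re.sub(r"\s", "", text)) is not None

def classify(rtf):
    """Return the sorted list of regions in which a suspiciously large hex blob was found."""
    regions, covered = set(), []
    for name, marker in REGION_MARKERS.items():
        for m in re.finditer(marker, rtf):
            body = group_body(rtf, m.end())
            covered.append((m.end(), m.end() + len(body)))
            if hex_blob(body):
                regions.add(name)
    # a long hex run that belongs to none of the known regions is "outside structure"
    for m in re.finditer(r"[0-9a-fA-F]{%d,}" % MIN_HEX, rtf):
        if not any(a <= m.start() < b for a, b in covered):
            regions.add("outside structure")
    return sorted(regions)

# Constructed samples: a blob inside pFragments next to a small benign objdata,
# and a blob dropped into plain document text.
SAMPLE_PFRAG = (r"{\rtf1\ansi{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;1;" + "41" * 40
                + r"}}}}{\*\objdata 0105000002000000}\par Hello world\par}")
SAMPLE_OUTSIDE = r"{\rtf1\ansi\par " + "41" * 40 + r"\par}"
```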
48
Conclusions
• Telephone and network wiretapping is rampant
– Regulations must separate the players from the referees
– The technical methods are diverse: RFC 3924, requests to operators, interception, backdoors
– Related offensive and defensive products have market potential
• Higher-level ICT security
– From servers to clients
– From active attack to passive propagation
– From desktops and laptops to mobile phones
– From program propagation to document carriers
• How can individuals protect themselves?
49
Q&A
• Q1: Extensions behind a 0972 toll-saving line cannot be tapped by an RFC 3924 interception room.
• Q2: The telecom operator does not know whom the RFC 3924 interception room is tapping.
• Q3: Encrypted mobile phone calls cannot be intercepted wirelessly.
• Q4: After passing security testing, network communication equipment can still have a backdoor implanted via a firmware update.
• Q5: In recent years' network attack patterns, the proportion of active attacks is higher than that of passive ones.
• Q6: Antivirus software often fails to catch APTs because: (1) it never obtained the malware sample, (2) the malware mutates so the signature does not match, (3) it does not dynamically execute the macro code in the document file, (4) all of the above are possible.
• Q7: The characteristics of malware collected by honeypots: (1) collected actively, propagated actively, (2) collected actively, propagated passively, (3) collected passively, propagated actively, (4) collected passively, propagated passively.
• Q8: The most common propagation method of mobile phone malware today is: (1) actively propagated programs, (2) actively propagated documents, (3) passively propagated programs, (4) passively propagated documents.
• Q9: Which of signature matching, behavior analysis and reverse engineering executes the malware: (1) signature matching, (2) behavior analysis, (3) reverse engineering, (4) behavior analysis and reverse engineering, (5) signature matching and behavior analysis, (6) signature matching and reverse engineering.
• Q10: Which ICT product usage habits are highly dangerous (multiple answers): (1) the phone's Bluetooth is on by default, (2) lending the phone to friends, (3) others can see who your Facebook friends are, (4) communicating with Line or Skype, (5) communicating with WeChat, (6) looking for programs, music and games on P2P networks.