
Upload: barrie-summers

Post on 30-Dec-2015


TRANSCRIPT

Page 1: Internet Security Threat Trends S.C. Leung ( 梁兆昌 ) Senior Consultant CISSP CISA CBCP scleung@hkcert.org Hong Kong Computer Emergency Response Coordination Centre (HKCERT)

Internet Security Threat Trends

S.C. Leung ( 梁兆昌 ), Senior Consultant, CISSP CISA CBCP

scleung@hkcert.org, Hong Kong Computer Emergency Response Coordination Centre (HKCERT)

Page 2

About HKCERT

Services:
- Computer security alert monitoring and early warning
- Security incident reporting and response
- Publishing information security guidelines and information
- Raising information security awareness

Computer Emergency Response Team

Established in 2001 by the Government of the Hong Kong Special Administrative Region; operated by the Hong Kong Productivity Council

Page 3

Collaboration (external coordination and cooperation)

HKCERT works with:
- Local enterprises and Internet users
- CERT teams in Asia Pacific (APCERT)
- CERT teams around the world (FIRST)
- Law enforcement
- ISPs (Internet service providers)
- Universities
- Software vendors
- Virus and security research centres

Page 4

HKCERT observation

Traditional attacks: untargeted (virus/worm) attacks
- Symptoms: rise in incident reports to security service providers, CERTs and police; rise in distributed security probe statistics; honeypot-collected samples

Attackers: kiddies/hobbyists --> criminals --> spies

Targeted attacks
- A few emails sent to selected organizations
- PPT, Word and Excel attachments
- Email impersonates your friends or colleagues, written in your local language

Page 5

Attraction of “bots” to hackers

Bot: a compromised, hacker-controlled machine. Bots are more welcome than worms:
- Worms are too widespread and too noticeable --> owners soon patch the security hole and remove the malware
- Attackers' motive has turned to $$$: keep bots under control, keep bots unnoticed, run it as a business
- Stealing email addresses and passwords to on-line banks, eBay + PayPal, stock brokers
- Targeted attack: industrial espionage

Page 6

Botnet: network of bots. FBI “Operation Bot Roast”
- Identified 1M+ bots (Jun 2007)
- Arrested 3 persons:
  - Robert Soloway: the spam king http://seattlepi.nwsource.com/local/317795_soloway31.html
  - James Brewer: operating a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delayed
  - Jason Downey: linked with DDoS attacks by the Agobot worm

Page 7

Malware complexity

It can be simple:
- Just a postcard email, with a simple social engineering technique to hide itself --> an unpacker can be used to get the binary
- http://isc.sans.org/diary.html?storyid=2022

It can be complex:
- Decryption, a debugger and reverse engineering are needed to analyse it
- http://isc.sans.org/diary.html?storyid=2223
- Storm worm, or Trojan.Peacomm (Jan-2007)

Page 8

Sophistication of malware
- Use a virus/worm to infect many machines
- Once it infects a machine, it installs a Downloader
- The Downloader then downloads the malware component(s) from a dynamic web site: Bot0 or Bot, plus AutoUpdater
- Bot0 generates and installs the Bot
- The Bot installs itself on the machine and reports for duty to the controller, which disseminates the hacker's commands
- If the Bot is removed, Bot0 activates and generates another copy of the Bot
- AutoUpdater keeps Bot0 and Bot updated

(Diagram: Virus/Worm --> Downloader --> Bot0 --> Bot; optional terminator & signature; optional rootkit)

Page 9

Watch your web server
- 10,000+ legitimate Italian web servers hacked
- The sites had the hacker kit MPack installed
- Author has $$$ motivation
- Professionally written, with a management console, to be hosted on web servers with PHP and database support
- Comes with a collection of exploit modules for different platforms and browsers

Page 10

Watch your web server

Steps attacking a web server:
1. Hack into a popular web server
2. Add IFRAME snippets to the web pages of the compromised web server
3. Spam out emails carrying the IFRAME code

Steps attacking a user:
1. User browses the compromised web server
2. User's browser executes the IFRAME code, which redirects it to the MPack server
3. At the MPack server, the HTTP headers are analysed; according to platform and browser, the exploits designed for that user are served

MPack has a management console (screenshot: MPack management console)
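As an added illustration of the defensive side of this slide (this is not code from the presentation), the Python script below scans a page's HTML for iframes sized or styled to be invisible, which is the form the injected redirect snippets described here take. The sample HTML and the host name mpack-server.example are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a normal page with one visible embed and one injected,
# invisible iframe (the host name is a placeholder, not a real kit server).
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://mpack-server.example/in.cgi?3" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True if a width/height attribute is 0 or 1 pixel (with or without 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return bool(m) and int(m.group(1)) <= 1


def is_hidden_iframe(attrs):
    """An iframe is suspicious when it is sized to a pixel or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_suspicious_iframes(html):
    """Return the src of every iframe that is sized or styled to be invisible."""
    parser = IframeCollector()
    parser.feed(html)
    return [a.get("src", "") for a in parser.iframes if is_hidden_iframe(a)]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

Run it over a site's served pages (not its files on disk) so that content rewritten at request time is also checked.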

Page 11

Watch your web server
- Should you use your web server to browse and install software there?
- Firewall: block unnecessary incoming traffic; block outgoing traffic except for troubleshooting
- Patching, patching, patching
- Vulnerability scanning (for techies): Nessus, Nikto http://www.cirt.net/code/nikto.shtml

Page 12

Rock phishing using domain names

Phishers use ways to save space and time: “One single site with multiple DNS names now holds a multitude of phishing pages, covering a broad range of different banks.”

www.volksbank.de.vr-web.www.ioio3.hk/volksbank/ 85.114.xxx.53
www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/ 85.114.xxx.53
www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/ 85.114.xxx.53

Likely responsible for 50%+ of current phishing attacks

Source: Malware Review Dec-2006 http://www.security.iia.net.au/news/220.html

Page 13

Phishers' business continuity
- Malware reborn after clean-up
- Use rock phishing
- Use domain names, not IP addresses
- Use Dynamic DNS to create very many URLs, e.g. www.usbank.com.[random 092304124].domain.com/usbank/ and www.pay.com.[random 06382124].domain.com/paypal/
- We must involve domain registrars and ISPs

Resist detection
- Time-zone dependent behaviour
- Blocking investigators' evidence collection
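An added example (not from the presentation) covering this slide and the previous one: it flags rock-phish URLs whose host carries a brand's domain as a subdomain prefix of some other registered domain, and groups the hits by that registered domain so that one report to the registrar or ISP covers every URL on it. The brand list and the usbank sample URL are constructed, and the two-label registrable-domain rule is a simplification.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed watch list, based on the brands named on the slides.
WATCHED_BRANDS = ["volksbank.de", "paypal.de", "usbank.com", "pay.com"]

# Constructed samples in the shape the slides show; the last one is the genuine site.
SAMPLE_URLS = [
    "http://www.volksbank.de.vr-web.www.ioio3.hk/volksbank/",
    "http://www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/",
    "http://www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/",
    "http://www.usbank.com.092304124.domain.com/usbank/",
    "https://www.volksbank.de/",
]


def registrable_domain(host):
    """Last two labels of the host. Simplification: a real deployment would use the
    Public Suffix List so that suffixes such as '.com.hk' are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brands(url, brands=WATCHED_BRANDS):
    """Brand domains that appear as labels inside the host while the host itself is
    not under that brand's domain: the rock-phish 'brand.tld.<junk>.other.tld' shape."""
    host = (urlsplit(url).hostname or "").lower()
    hits = []
    for brand in brands:
        b = brand.lower()
        inside = ("." + b + ".") in ("." + host + ".")
        under_brand = host == b or host.endswith("." + b)
        if inside and not under_brand:
            hits.append(brand)
    return hits


def group_by_registrable_domain(urls):
    """Map each registrable domain to the flagged URLs it hosts, so one takedown
    request to the registrar or ISP covers every rock-phish URL on that domain."""
    groups = defaultdict(list)
    for url in urls:
        if impersonated_brands(url):
            groups[registrable_domain(urlsplit(url).hostname or "")].append(url)
    return dict(groups)


if __name__ == "__main__":
    for domain, urls in group_by_registrable_domain(SAMPLE_URLS).items():
        print(domain, "->", urls)
```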

Page 14

Data leakage risks: intruder gets access to a database
- TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had its system accessed by an intruder for over 1 year before discovery. 47M customers' personal information exposed; unknown transactions made.
- UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSN, birth dates, addresses and contact information.

Backup tape loss
- Johns Hopkins U. 2006: containing sensitive personal data of 52,000 employees
- Bank of America 2005: containing personal information (SSN, account information) of 1.2M federal employees, including U.S. senators.

Page 15

Data leakage risks

Laptop loss/theft
- Boeing 2006: names, salary information, SSN, addresses, phone numbers and birth dates of 382,000 current/former employees exposed
- U.S. Department of Veterans Affairs 2006: data of 26.5M veterans and 2.1M service members exposed

On-line data leakage
- IPCC 2006: a subcontractor exposed the personal data of police complaint cases and related information by putting them on-line
- Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSN of 1.7M borrowers
- A local recruitment agency leaked personal data on the Internet

Page 16

Data leakage risks: abuse in data collection
- FBI audit finds widespread abuse in data collection: telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect
- Google aims to net teenagers 'for life': it provides an email network to schools. Privacy International: Google collects information about people's tastes, interests and beliefs that could be used by advertisers. Google: we do not reveal email content nor personal details

Page 17

Data leakage risks: use of proxy servers (operated by whom?)
- Web access control
- Performance enhancement
- Anonymity
- Access to game servers in Korea which allow local access only
- Bypassing censorship control

Page 18

Security management

Security policy / security risk assessment
- What are our critical data and systems?
- What are the risks to them?
- What measures are required to protect the data assets?

Security management practice
- Procedures, guidelines
- Standard compliance and certification
- Awareness

Security personnel
- Training
- Certification

(Diagram: Assessment; Security management certification; Professional certification)

Page 19

Security management

(Figure: four steps of security management, published by OGCIO)

Page 20

Prevention
- Install malware protection tools: antivirus and antispyware, keeping both the program and its signatures up to date
- Install a firewall
- System hardening: patch your system; Linux: run Bastille, SELinux; Windows: use Vista security

Page 21

Some free security software

Antivirus software
- AVG Free Edition http://free.grisoft.com/doc/1

Antispyware software
- Microsoft Defender Beta 2 (for Win2000-SP4 or above) http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en
- Ad-aware SE Personal (for Win98 or above) http://www.lavasoft.de/software/adaware/

Personal firewall
- Windows XP built-in firewall (FAQ) http://thesource.ofallevil.com/taiwan/security/protect/firewall.asp
- ZoneAlarm (for Win98 or above) http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp?dc=12bms&ctry=AU&lang=en

Data encryption
- TrueCrypt http://www.truecrypt.org/

Note: Free security software may have limited features compared with commercial software. Furthermore, there may be restrictions limiting it to personal and non-commercial use.

Page 22

Working with the browser
- Use browsers with added anti-phishing features: IE 7.0, Firefox
- Use as few browser add-ons as possible
- SSL: use SSL 3.0 and TLS 1.0, not SSL 2.0
- Check the SSL certificate of on-line transaction web sites
- Do not save passwords in the browser

Page 23

Browser protection
- A browser add-on may be a source of attack
- A browser add-on can introduce vulnerabilities
- GreaseMonkey (Firefox add-on): user scripts loaded into the browser; some scripts bypass security (allow password remembering, auto-login); basically the user has no knowledge of what the developer put into the code

Page 24

Browser History

Page 25

Detection
- SysInternals http://www.microsoft.com/technet/sysinternals/securityutilities.mspx
  - Autoruns
  - Process Explorer
  - PsTools suite: includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more
  - RootkitRevealer
- PEiD: detects packers, cryptors and compilers of PE files

Page 26

Recovery

Back up your data periodically so that you have a way to restore it

Test the backup periodically

For more critical systems, you may need to have redundant server or backup site.

Page 27

Adopt good practices
- Use only a standard user account in daily operation
- Do not share user accounts (even at home)
- Use good passwords
- Do not use public kiosks for sensitive surfing
- Read the user license agreement before installing software
- Educate children and colleagues

Page 28

Conclusion
- We have seen hackers developing better tools and skills. They are more professional and are turning into organized crime.
- When we look into the mirror, we have a lot to improve in security protection.
- Data protection is another problem area. We need to seriously improve our security through management and technology.

THANK YOU

82056060

scleung@hkcert.org