1 / 28

Internet Security Threat Trends

Internet Security Threat Trends. S.C. Leung ( 梁兆昌 ) Senior Consultant CISSP CISA CBCP scleung@hkcert.org. 香港電腦保安事故協調中心. HKCERT 簡介. 2001 年由香港特別行政區政府成立,香港生產力促進局運作. C omputer ( 計算機 ) E mergency ( 緊急 ) R esponse ( 回應 ) T eam ( 小組 ). CERT. 服務 電腦保安警報監測及預警 保安事故報告及應變 出版資訊保安指引和資訊

lethia
Télécharger la présentation

Internet Security Threat Trends

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Internet Security Threat Trends S.C. Leung (梁兆昌) Senior Consultant CISSP CISA CBCP scleung@hkcert.org 香港電腦保安事故協調中心

  2. HKCERT 簡介 2001年由香港特別行政區政府成立,香港生產力促進局運作 Computer (計算機) Emergency(緊急) Response (回應) Team (小組) CERT • 服務 • 電腦保安警報監測及預警 • 保安事故報告及應變 • 出版資訊保安指引和資訊 • 提高資訊保安意識

  3. Collaboration 對外協調合作 CERT Teams in Asia Pacific 亞太區其他協調中心 CERT Teams around the World 全球其他協調中心 CERT CERT CERT CERT CERT CERT CERT FIRST APCERT CERT CERT Virus & Security Research Centre 電腦病毒及保安研究中心 Software Vendor 軟件供應商 Universities 大學 ISP 互聯網供應商 Law Enforcement 執法機關 Local Enterprise & Internet Users 本地企業及互聯網用戶

  4. HKCERT observation Traditional attacks - Untargeted (Virus/worm) attack symptoms: rise of incident reports to security SPs, CERT, police rise in distributed security probe statistics Honeypot collected samples Attackers Kiddies/Hobbyist --> Criminals --> Spies • Targeted attacks • Several emails to some organizations • PPT, Word & Excel • Email impersonate your friend / colleagues using your local language

  5. Attraction of “Bots” to hackers Bot: compromised & hacker controlled machines Bots more welcomed Worms too widespread, too noticeable --> owners soon patch the security hole and remove the malware Motive of attackers turn to $$$ Keep bots under control Keep bots un-noticed Business Stealing email addresses, password to on-line bank, eBay+Paypal, stock brokers Targeted attack: industrial espionage

  6. Botnet: Network of Bots FBI “Operation Bot Roast” Identified 1M+ bots (Jun 2007) Arrested 3 persons: Robert Soloway: the spam king http://seattlepi.nwsource.com/local/317795_soloway31.html James Brewer: operating a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delay Jason Downey: linked with DDoS attack by the Agobot worm

  7. Malware Complexity It can be simple Just a postcard email, with simple social engineering technique to hide itself --> can use unpacker to get the binary http://isc.sans.org/diary.html?storyid=2022 It can be complex Have to use decryption, debugger and reverse engineering to analyse http://isc.sans.org/diary.html?storyid=2223 Storm worm, or Trojan.Peacomm (Jan-2007)

  8. Sophistication of Malware Use Virus/Worm to infect many machines Once infects a machine, installs a Downloader. Downloader then download from dynamic web site the malware component(s) Bot0 or Bot AutoUpdater The Bot0 generate and install the bot The Bot install itself on the machine and report duty to the controller which disseminate hacker’s commands If bot is removed, Bot0 activates and generate another copy of bot AutoUpdater keeps Bot0 and Bot updated Virus /Worm Downloader • (optional) terminator & signature • (optional) rootkit Bot0 Bot

  9. Watch your web server 10000+ Italian legitimate web servers hacked The sites were installed the Hacker Kit: MPack Author has $$$ motivation Professionally written, with management console to be hosted on web servers with PHP and database support come with collection of exploit modules for different platform and browsers

  10. Watch your web server Steps Attacking Web server attacking: hack into popular web server add iframe snippets to web page of compromised web servers spam out emails with IFRAME code Steps Attacking a User user browse compromise web server user's browser execute IFRAME code, causing it redirected to Mpack server At Mpack server, analyse HTTP header according to platform and browser, serve many exploits designed for user Mpack has a management console Mpack Management console

  11. Watch your web server Should you use your web server to browse and install software there? Firewall block unnecessary incoming traffics block outgoing traffic except for troubleshooting Patching, Patching, Patching Vulnerability scanning (for techcies) Nessus Nikto for techcies http://www.cirt.net/code/nikto.shtml

  12. Rock Phishing using domain names Phishers use ways to save space and time One single site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks.” www.volksbank.de.vr-web.www.ioio3.hk/volksbank/ 85.114.xxx.53 www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/ 85.114.xxx.53 www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/ 85.114.xxx.53 likely responsible for 50%+ of current phishing attacks Malware Review Dec-2006 http://www.security.iia.net.au/news/220.html

  13. Phishers' business continuity Malware reborn after clean up Use Rock Phishing Use domain name, not IP addresses Use Dynamic DNS to create so many URLs www.usbank.com.[random 092304124].domain.com/usbank/ www.pay.com.[random 06382124].domain.com/paypal/ We must involve domain registrar and ISPs Resist Detection Time-zone dependent behaviour Blocking investigators evidence collection

  14. Data Leakage Risks Intruder get access to database TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had the system accessed by intruder for over 1 year before discovery. 47M customer personal information exposed, unknown transactions made. UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSN, birth dates, addresses and contact information. Backup Tape loss Johns Hopkins U. 2006: containing sensitive personal data of 52000 employees Bank of America 2005: containing personal information (SSN, account information) of 1.2M federal employees, including U.S. senators.

  15. Data Leakage Risks Laptop loss/theft Boeing 2006: names, salary information, SSN, addresses, phone numbers and birth dates of 382,000 current/former employees exposed U.S. Department of Veterans Affairs 2006: Data from 26.5M veterans and 2.1M service members exposed. On-line Data Leakage IPCC 2006: a subcontractor exposed the personal data of police complaint cases related information by putting them on-line Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSN of 1.7M borrowers. A local recruitment agency leaks personal data on the Internet

  16. Data Leakage Risks Abuse in data collection FBI audit finds widespread abuse in data collection telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect Google aims to net teenagers 'for life’ Provide email network to schools Privacy International: Google collect info about people tastes, interests and beliefs that could be used by advertiser. Google: we do not reveal email content nor personal details

  17. Data Leakage Risks Use of Proxy Servers (operated by whom?) Web access control Performance Enhancement Anonymity Access game servers in Korea which allows local access only Bypass censorship control

  18. Security Management Security Policy Security Risk Assessment What are our critical data and systems? What are the risks of them? What measures are required to protect the data assets? Security Management Practice Procedure, Guideline Standard Compliance and Certification Awareness Security personnel Training Certification Assessment Security Management Certification Professional Certification

  19. Security Management Four steps of Security Management printed by OGCIO

  20. Prevention Prevention: Install protection tool of malware Antivirus and Antispyware keeping program & signature up to date Install Firewall System Hardening Patching your system Linux: run Bastille, SELinux Windows: use Vista security

  21. Some free security software Antivirus software AVG Free Edition http://free.grisoft.com/doc/1 Antispyware software Microsoft Defender Beta 2(or Win2000-SP4 or above) http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en Ad-aware SE Personal(or Win98 or above) http://www.lavasoft.de/software/adaware/ Personal Firewall Windows XP built-in firewall (FAQ) http://thesource.ofallevil.com/taiwan/security/protect/firewall.asp ZoneAlarm(for Win98 or above) http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp?dc=12bms&ctry=AU&lang=en Data Encryption TrueCrypt http://www.truecrypt.org/ Note: Free security software may have limited features, compared with commercial software. Furthermore, there may be restriction on personal and non-commercial use.

  22. Working with the browser Use browsers with added anti-phishing features IE 7.0, Firefox Use as few browser add-ons as possible SSL Use SSL 3.0 and TLS 1.0, not SSL 2.0 Check SSL certificate of on-line transaction web sites Do not save passwords on browser

  23. Browsers protection Browser addon may be a source of attack Browser addon introduce vulnerability GreaseMonkey – Firefox addon User scripts loaded on to the browser Some scripts bypass security Allow password remembering Autologin Basically user has no knowledge what the develop put into the code

  24. Browser History

  25. Detection • SysInternalshttp://www.microsoft.com/technet/sysinternals/securityutilities.mspx • AutoRun • Process Explorer • PsTools suite • includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more. • Rootkit Revealer • PeiD • Detect Packers, Cryptors and compilers of PE files

  26. Recovery Backup your data periodically so that you have a way to restore it Test the backup periodically For more critical systems, you may need to have redundant server or backup site.

  27. Adopt Good Practices Use only user account in daily operation Do not share user accounts (even at home) Use good password Do not use public kiosk for sensitive surfing Read User License Agreement before installing software Educate children and colleagues

  28. Conclusion We have seen hackers developing better tools and skills. They are more professional and are becoming organized crimes. When we looked into the mirror, we have a lot to improve in security protection. Data protection is another area of problems. We need to seriously improve our security by management and technology. THANK YOU 82056060 hkcert@hkcert.org

More Related