1 / 49

從監聽門事件看資通訊安全 演進 Evolution of ICT Security: A Perspective From Wiretapping

從監聽門事件看資通訊安全 演進 Evolution of ICT Security: A Perspective From Wiretapping. 林盈達 IEEE Fellow, IEEE ComSoC Distinguished Lecturer 交通大學資訊工程 系 ydlin@cs.nctu.edu.tw 11-28-2013. 林盈達 Ying-Dar Lin. B.S., NTU-CSIE, 1988; Ph.D ., UCLA-CS, 1993

jamal
Download Presentation

從監聽門事件看資通訊安全 演進 Evolution of ICT Security: A Perspective From Wiretapping

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 從監聽門事件看資通訊安全演進Evolution of ICT Security: A Perspective From Wiretapping 林盈達 IEEE Fellow, IEEEComSoC Distinguished Lecturer 交通大學資訊工程系 ydlin@cs.nctu.edu.tw 11-28-2013

  2. 林盈達 Ying-Dar Lin • B.S., NTU-CSIE, 1988; Ph.D., UCLA-CS, 1993 • Professor (1999~)/Associate Professor (1993~1999), NCTU-CS; IEEE Fellow (2013); IEEEComSoC Distinguished Lecturer (2014&2015) • Founder and Director, III-NCTU Embedded Benchmarking Lab (EBL; www.ebl.org.tw), 2011~ • Founder and Director, NCTU Network Benchmarking Lab (NBL; www.nbl.org.tw), 2002~ • Editorial Boards: IEEE Wireless Comm. (2013~), IEEE Transactions on Computers (2011~), IEEE Computer (2012~), IEEE Network (2011~), IEEE Communications Magazine – Network Testing Series (2010~), IEEE Communications Letters (2010~), Computer Communications (2010~), Computer Networks (2010~) , IEEE Communications Surveys and Tutorials (2008~), IEICE Transactions on Information and Systems (11/2011~) • Guest Editors of Special Issues: Open Source for Networking, IEEE Network, Mar 2014; Mobile Application Security, IEEE Computer, Mar 2014; Multi-Hop Cellular, IEEE Wireless Communications, Oct 2014; Deep Packet Inspection, IEEE JSAC, Q4 2014; Traffic Forensics, IEEE Systems Journal, early 2015. • CEO, Telecom Technology Center (www.ttc.org.tw), 7/2010~5/2011 • Director, Computer and Network Center, NCTU, 2007~2010 • Consultant, ICL/ITRI, 2002~2010 • Visiting Scholar, Cisco, San Jose, 7/2007-7/2008 • Director, Institute of Network Engineering, NCTU, 2005~2007 • Co-Founder, L7Networks Inc. (www.L7.com.tw), 2002 • Areas of research interests • Deep Packet Inspection • Attack, virus, spam, porno, P2P • Software, algorithm, hardware, SoC • Real traffic, beta site, botnet • Internet security and QoS • Wireless communications • Test technologies of switch, router, WLAN, security, VoIP, 4G/LTE and smartphones • Publications • International journal: 95 • International conference: 51 • IETF Internet Draft: 1 • Industrial articles: 153 • Textbooks: 3 (Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011) • Patents: 30 • Tech transfers: 8 • Well-cited paper: Multihop Cellular: A New Architecture for Wireless Communications, INFOCOM 2000, YD Lin and YC Hsu; #citations: 600; standardized into IEEE 802.11s, Bluetooth, WiMAX, and LTE

  3. Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011. www.mhhe.com/lin; available now at amazon.com Facebook Q&A Communit: www.facebook.com/CNFBs ISBN: 0-07-337624-8 / 978-007-337624-0 Computer Networks: An Open Source Approach considers why a protocol, designed a specific way, is more important than how a protocol works. Key concepts and underlying principles are conveyed while explaining protocol behaviors. To further bridge the long-existing gap between design and implementation, it illustrates where and how protocol designs are implemented in Linux-based systems. A comprehensive set of fifty-six live open source implementations spanning across hardware (8B/10B, OFDM, CRC32, CSMA/CD, and crypto), driver (Ethernet and PPP), kernel (longest prefix matching, checksum, NAT, TCP traffic control, socket, shaper, scheduler, firewall, and VPN), and daemon (RIP/OSPF/BGP, DNS, FTP, SMTP/POP3/IMAP4, HTTP, SNMP, SIP, streaming, and P2P) are interleaved with the text. 3

  4. 大綱 • 監聽門的來龍去脈 20 mins • 電話與網路監聽的可能方式 20 mins • 網路通訊安全的演進歷程 20 mins • 最新網路駭客攻擊方式與解決技術40 mins • Q&A 20 min

  5. 監聽門的來龍去脈 • 0972節費電話能否監聽? • 三個政府單位(調查局, 刑事警察局, NCC)三個答案: no(如果不事先知道是節費電話), yes, don‘t know! • 用戶端線路與局端線路之差異 • 0972630235 vs. (02)2358-5858 • 從電信機房到監聽機房 • 符合RFC3924之監聽設備 • 裁判vs.球員: 法院/監聽機房 vs. 調查單位

  6. Centrex + PBX架構 分機 CHT Centrex Switching 中華電信 虛擬總機 1000 NEC PBX 立法院 交換總機 2358-XXXX 1001 1002 E1節費專線 (0972-630231~37) 1003 • 用戶撥2358-XXXX,Centrex會將目的碼送給交換機,交換機會根據後四碼判斷 • 是要響鈴哪一隻分機。 • 分機撥出時,交換機會將2358(局碼)加上分機碼送出。 • 分機撥”0”時,NEC交換機會去抓E1節費專線,經由E1專線將通話送至CHT交換機,撥出之電話雖設定為”沒有來話顯示“,但系統仍會紀錄為0972-630231~37的撥出號碼,計價為”節費電話“之費率。 • 分機撥”*0”時,NEC交換機會去抓Centrex線,按平常的通信路由,將通話送至CHT交換機,此時帶出的號碼會顯示Centrex的號碼,計價為“一般費率”。

  7. 0972630235 vs. (02)2358-5858 • 三種組合: • 立法院內各分機立法院外:控制訊息攜帶0972630235 • 要監聽與側錄! • 立法院外(02)2358-5858立法院內各分機 • 無監聽與側錄 • 立法院外0972630235立法院內各分機 • 要監聽與側錄!

  8. 電話監聽方式 • 無遠端監聽系統: • 監聽單位直接拿監聽票進機房於MDF(配線架)或在測量台上直接掛線監聽。 • 遠端監聽系統: • 所有一類電信公司(固網及手機運營商)及新的特二類業者(節費公司)均已有供調查局或刑事警察局之遠端監聽系統介接,但操作、管理、監聽內容儲存、處理之設備均建置於情治單位。 • 一類電信運營商:一般由調查局負責監聽。 • 特二類(節費公司):一般由 刑事警察局負責監聽。

  9. Intercept Related Information (IRI) IAP Mediation Device (MD) Content Intercept Access Point (IAP) User Content User Content IETF RFC 3924 / ETSI ES 201671 Lawful Intercept Architecture Reference Model Law Intercept Administration Function Law Enforcement Agency (LEA) HI1(a) MD Provisioning Interface b HI2(g) c HI3(h) e IRI (e) f d Intercept Request (d) Intercepted Content ( f) Service Provider Functions

  10. A100 0 AX 建置於情治單位 建置於固網或手機運營商機房 NEC PBX E1 專線 CHT Centrex 虛擬總機 C7

  11. 監聽只有電話不含網路? • 網路也被掛線 • RFC3924也包含Data Services • 大部分應用協定都沒加密 • 常見應用協定之封包辨識沒問題 • 可以錄製或即時同步播放 • P2P應用之封包辨識與解譯之誤判與漏判較高

  12. 裁判vs.球員: 法院/監聽機房 vs. 調查單位 • 電話與網路掛線人數? • 三萬… anytime! • 若每人被掛線平均六個月, 一年應該有六萬張監聽票!! 但實際監聽票遠低於此數! • 原因?? • 檢察官一張監聽票吃到飽 (wild card) • 加掛不相干人等 • 法院失職! • 球員兼裁判 • 球員: 檢察體系、調查局、刑事警察局 • 裁判: 法院、調查局、刑事警察局 • 調查局與刑事局辦案人員 <-> 調查局與刑事局監聽機房管理人員 • 不能申請監聽票的情治監聽 • 機房應交給第三者管理!

  13. "非法"電話與網路監聽的可能方式 • RFC3924標準監聽機房 • 與調查局機房合作 • 直接由調查局拉線到自建機房 • 直接與電信業者或網站業者合作 • A國政府向在A國經營的B國業者索取: 看A國市場大小 • A國政府向在B國經營的A國業者索取: 最容易 • A國政府向在B國經營的C國業者索取: 美國才作得到 • 無線與有線攔截 • 電纜攔截 • 無線攔截 • IMSI Catcher: Rohde & Schwartz 2003年專利, 2012年英國法院宣告失效 • Femtocatch: femtocell • Bluejacking: Bluetooth, Wi-Fi, GPS, etc. • 後門程式 • 手動: 安裝軟體(phone spy, call interception), 拷貝SIM卡 • 自動: 惡意程式 (malware)

  14. 直接與電信業者或網站業者合作 • 被電信業者或網站出賣? • 電信業者已被RFC3924 • 用美國或日本的網站與社群較不會被出賣? • 用當地國的業者一定被出賣 • 用敵對國的業者鐵定被出賣 • 用第三國的相對較不會 • 用Skype及Line絕對安全? • 是的…. 如果它沒出賣你 • 乾脆用Bitmessage! • Decentralized P2P • 不會被出賣!

  15. 美國在各國之監聽 • 根據史諾登(Edward Snowden)給英國媒體的資料 • 與當地政府監聽機房合作 • 與業者機房與網站合作 • 有線與無線攔截? • 後門程式?

  16. 無線攔截IMSI Catcher • IMSI (International Mobile Subscriber Identity) • Afalse mobile tower – man-in-the-middle attack • Identify IMSI number and intercept through protocol hacking – solicit/associate/configure/tap • Masquerade as a base station and log IMSI numbers of nearby handsets • No authentication of base station by handset • Downgrade to GSM • Disable encryption (A5/0 mode)

  17. Defcon: Hacker shows how he can intercept cell phone calls with $1,500 device • Chris Paget at Defcon in Las Vegas, 7-31-2010 • Demo video at http://venturebeat.com/2010/07/31/hacker-shows-how-he-can-intercept-cell-phone-calls-for-1500/

  18. Black Hat: Intercepting Calls and Cloning Phones with Femtocells • Ritter and DePerry at Black Hat in Las Vegas on 8-1-2013 • CDMA femtocell • Femtocatch: 2.5-way call

  19. 後門程式 • 安裝軟體 • StealthGenie • Wireflex • Call Interceptor • Spyera • 拷貝SIM卡 • Phone cloning • Read crypto key by SIM reader • Install spyware on the target phone • 惡意程式 • Repackaged applications • Repackaged documents

  20. StealthGenie • Spy on their Calls • Spy on their SMS Messages • Track their GPS Location • Read their Emails • Spy on their Instant Messengers • View their Multimedia Files • Monitor their Internet Activities • View their Contacts and Calendar Activities • Bug their phone • Instant Alerts and Notifications • Remotely Control their Phone

  21. 網路通訊安全的演進歷程 • 從伺服器到用戶端 • 從主動攻擊到被動傳播 • 從桌機與筆電到手機 • 從程式散播到文件搭載

  22. General Security Issues • Data security: protecting private data on the public Internet • Encryption & authentication  Virtual Private Network (VPN) • Access security: deciding who can access what • TCP/IP firewall or application firewall • System security: protecting system resources from hackers • Intrusion detection and prevention • Malware detection and prevention

  23. Vulnerability Exploiting on “Servers” • Buffer overflow attack • Put more data to the specified buffer to cause buffer overflow • Return address pointing to the cracked file to execute

  24. Some Server Vulnerabilities

  25. Open Source Implementation 8.7: Snort • Three modes • Sniffer • Read and decode network packets • Packet logger • Log packets to disk • Intrusion detection system • Analyze traffic based on pre-defined rules • Perform actions based upon what it sees

  26. Writing Snort Rules • Rule headeralert tcp any any - > 10.1.1.0/24 80 • Rule option(content: “/cgi-bin/phf”; msg: “PHF probe!”;) action protocol Source address and port number destination address and port number alert message inspective part

  27. Open Source Implementation 8.6: ClamAV • Introduction • open-source package for virus scanning • have detected over 570,000 malicious codes (viruses, worms and trojans, etc.) with the release of 0.95.2 version • Types of signatures • MD5 for a certain PE section (part of an executable file) • basic signatures of fixed strings (to be scanned in the entire file) • extended signatures (in a simplified form of regular expressions containing multiple parts • logical signatures (multiple signatures combined with logical operators) • logical signatures (multiple signatures combined with logical operators)

  28. Block Diagrams of ClamAV for signature loading for signature matching

  29. Performance Matters: Comparing Intrusion Detection, Antivirus, Anti-Spam, Content Filtering, and P2P Classification

  30. Distribution of Captured Malware: Active Collection vs. Passive Collection • Active collection and passive collection are quite disjoint.

  31. Architecture of a Botnet

  32. Distribution of Malware’s Capture Time • More zero-day malware can be collected “actively”. Ying-Dar Lin, Chia-Yin Lee, Yu-Sung Wu, Pei-Hsiu Ho, Fu-Yu Wang, Yi-Lang Tsai, "How Different Are Malware Collected Actively and Passively?," IEEE Computer, to appear in 2014.

  33. Behaviors by GFI Sandbox • Some permissions are potentially more malicious than the others. 1 2 3 4 5 6 7 8 9 10 11 12

  34. Top 20 Requested Permissions by Android Malware • Again, some permissions are potentially more malicious than the others.

  35. Malicious Behaviors • Host behaviors • Non-intrusive behaviors • Network behaviors • Intrusive behaviors Benign behaviors Suspicious behaviors Malicious behaviors (non-intrusive behaviors) Malicious network behaviors (intrusive behaviors)

  36. PC與Android行為、傳播、偵測方式比較

  37. APK檔案架構

  38. Android惡意程式行為及種類 Trojan(對使用者的資料,做惡意的行為)、Rootkit(權限的更動)、Spyware(監聽使用者隱私)、Adware(對使用者散播無意義廣告)、PuA(對使用者的手機資源惡意使用)、Backdoor(利用程式中的後門,在使用者執行程式時竊取資料)

  39. APT攻擊 vs. 傳統攻擊

  40. 最新網路駭客攻擊方式與解決技術 • 最新攻擊方式 • 殭屍電腦網路(botnet) • 重新打包之應用程式(repackaged app) • 進階持續性威脅(APT, Advanced Persistent Threat) • 解決技術 • 特徵碼比對(signature matching) • 行為分析(behavior analysis) • 逆向工程(reverse engineering)

  41. 惡意程式偵測方法 • Three methodologies for malware detection • Static Analysis • Behavior Analysis • Reverse Engineering

  42. 樣本收集 • 300 APT samples

  43. Heap spraying Normal heap layout After heap spraying 300 MB 300 MB 200 MB 200 MB 100 MB 100 MB 0 MB 0 MB Used memory : Used memory : Free memory : Free memory : Shellcode :

  44. Experiment 1: 逆向工程Classifying samples by malware region CVE-2010-3333

  45. Experiment 2: 逆向工程Classifying samples by malware region CVE-2012-0158

  46. Experiment 3: 正向工程Embedding malware into normal RTF • After embedding: • malware is detected • context does not change context context Normal RTF file shellcode Embedded malicious code RTF shellcode Malicious RTF Sample

  47. APT總結 • APT的特點: 客製化樣本、匿蹤 • 偵測方法: 靜態、動態、逆向工程 • 在RTF文件塞惡意程式 • 加shellcode • Where: pFragments, OBJDATA, Themedata, Datastore, Outside structures • 不同惡意程式用不同區塊 • 相同CVE的惡意程式也會用不同區塊

  48. 結論 • 電話與網路監聽氾濫 • 法規要將球員與裁判釐清 • 技術方法多元: RFC3924, 索取, 攔截, 後門 • 相關正反向產品有市場潛力 • 更高層次之資通訊安全 • 從伺服器到用戶端 • 從主動攻擊到被動傳播 • 從桌機與筆電到手機 • 從程式散播到文件搭載 • 個人自保之道?

  49. Q&A • Q1: 0972節費電話之分機不能被RFC3924監聽機房監聽。 • Q2: 電信業者不知道RFC3924監聽機房所監聽之對象為何。 • Q3: 加密過的行動電話之通話無法被無線攔截監聽。 • Q4: 通訊網路設備在通過安全檢測之後仍可經過韌體更新將後門程式植入。 • Q5: 近年來的網路攻擊模式中主動的比率較被動高。 • Q6: 防毒軟體常常抓不到APT是因為: (1)沒有取得病毒樣本、(2)病毒會變形以至於病毒碼比對不到、(3)沒有去動態執行文件檔中的macro程式、(4)以上都可能。 • Q7: Honeypot收集惡意程式的特性: (1)主動收集主動傳播、(2)主動收集被動傳播、(3)被動收集主動傳播、(4)被動收集被動傳播。 • Q8: 手機病毒目前最常見的傳播方式為: (1)主動傳播之程式、(2)主動傳播之文件、(3)被動傳播之程式、(4)被動傳播之文件。 • Q9: 特徵碼比對、行為分析與逆向工程三者中何者有執行病毒程式: (1)特徵碼比對、(2)行為分析、(3)逆向工程、(4)行為分析與逆向工程、(5)特徵碼比對與行為分析、(6)特徵碼比對與逆向工程。 • Q10: 哪些資通訊產品使用習慣是高度危險的 (複選): (1)手機之Bluetooth的default設定是打開、(2)手機借朋友、(3)別人可以看到你Facebook的好友有哪些、(4)使用Line或Skype通訊、(5)使用WeChat通訊、(6)在P2P網路尋找程式、音樂與遊戲。

More Related