Internet security threat trends
S.C. Leung (梁兆昌)

Senior Consultant, CISSP CISA CBCP

[email protected]

Hong Kong Computer Emergency Response Coordination Centre (HKCERT)


About HKCERT

Established in 2001 by the Government of the Hong Kong SAR; operated by the Hong Kong Productivity Council.

CERT = Computer Emergency Response Team

  • Services

    • Security alert monitoring and early warning

    • Security incident reporting and response

    • Publishing information security guidelines and information

    • Raising information security awareness


Collaboration: external coordination and cooperation

  • CERT teams in Asia Pacific (other coordination centres in the region, via APCERT)

  • CERT teams around the world (other coordination centres worldwide, via FIRST)

  • Virus & Security Research Centre

  • Software vendors

  • Universities

  • ISPs

  • Law enforcement

  • Local enterprises & Internet users


HKCERT Observation

Traditional attacks: untargeted (virus/worm) attacks

  • Symptoms:

    • Rise in incident reports to security service providers, CERTs and police

    • Rise in distributed security probe statistics

    • Honeypot-collected samples

Attackers: kiddies/hobbyists --> criminals --> spies

  • Targeted attacks

    • Several emails sent to some organizations

    • PPT, Word & Excel attachments

    • Emails impersonate your friends / colleagues, using your local language


Attraction of “Bots” to Hackers

Bot: a compromised, hacker-controlled machine

Why bots are preferred:

  • Worms are too widespread and too noticeable --> owners soon patch the security hole and remove the malware

  • Attackers' motive has turned to $$$

    • Keep bots under control

    • Keep bots unnoticed

Business:

  • Stealing email addresses and passwords to on-line banks, eBay + PayPal, stock brokers

  • Targeted attack: industrial espionage


Botnet: Network of Bots

FBI “Operation Bot Roast”

  • Identified 1M+ bots (Jun 2007)

  • Arrested 3 persons:

    • Robert Soloway: the spam king (http://seattlepi.nwsource.com/local/317795_soloway31.html)

    • James Brewer: operated a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delayed

    • Jason Downey: linked with DDoS attacks by the Agobot worm


Malware Complexity

It can be simple

  • Just a postcard email with a simple social engineering technique to hide itself --> an unpacker can recover the binary

  • http://isc.sans.org/diary.html?storyid=2022

It can be complex

  • Decryption, a debugger and reverse engineering are needed to analyse it

  • http://isc.sans.org/diary.html?storyid=2223

  • Storm worm, or Trojan.Peacomm (Jan-2007)


Sophistication of Malware

  • Use a virus/worm to infect many machines

  • Once it infects a machine, it installs a Downloader

  • The Downloader then downloads the malware component(s) from a dynamic web site:

    • Bot0 or Bot

    • AutoUpdater

  • Bot0 generates and installs the Bot

  • The Bot installs itself on the machine and reports for duty to the controller, which disseminates the hacker’s commands

  • If the Bot is removed, Bot0 activates and generates another copy of the Bot

  • AutoUpdater keeps Bot0 and Bot updated

Component chain (diagram): Virus/Worm --> Downloader --> (optional) terminator & signature, (optional) rootkit --> Bot0 --> Bot


Watch Your Web Server

10,000+ legitimate Italian web servers hacked

  • The sites had the hacker kit MPack installed

  • Author has $$$ motivation

  • Professionally written, with a management console

  • Hosted on web servers with PHP and database support

  • Comes with a collection of exploit modules for different platforms and browsers


Watch Your Web Server

Steps attacking a web server:

  • Hack into a popular web server

  • Add IFRAME snippets to the web pages of the compromised web server

  • Spam out emails containing the IFRAME code

Steps attacking a user:

  • User browses the compromised web server

  • User's browser executes the IFRAME code, redirecting it to the MPack server

  • At the MPack server:

    • Analyse the HTTP headers

    • According to platform and browser, serve the exploits designed for that user

MPack has a management console (screenshot)
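A defender-side check for the injection step described above, as an added example that is not part of the presentation: it scans HTML served by your own web server for hidden IFRAMEs (zero size or display:none) that point at a host other than the site's own, which is the footprint the compromised Italian servers carried. The sample page, the attacker hostname and "www.example.com" as the site being checked are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class IframeCollector(HTMLParser):
    # Collect the attribute dict of every <iframe> in the page.
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    # Injected frames are made invisible: 0/1 pixel size or CSS hiding.
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return tiny or "display:none" in style or "visibility:hidden" in style

def suspicious_iframes(html, own_host):
    # Return the src of every hidden iframe whose host is not own_host.
    p = IframeCollector()
    p.feed(html)
    hits = []
    for f in p.iframes:
        src = f.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        external = bool(host) and host != own_host.lower()
        if external and is_hidden(f):
            hits.append(src)
    return hits

# Constructed sample page: one legitimate same-site frame, two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/help" width="600" height="400"></iframe>
<iframe src="http://attacker.invalid/landing" width="0" height="0"></iframe>
<iframe src="http://attacker.invalid/x" style="display: none"></iframe>
</body></html>"""
```

Run it over the files in your document root (or over pages fetched from your own server) and alert on any non-empty result; legitimate same-site frames are ignored.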


Watch Your Web Server

Should you use your web server to browse the Internet and install software there?

Firewall

  • Block unnecessary incoming traffic

  • Block outgoing traffic except for troubleshooting

Patching, Patching, Patching

Vulnerability scanning (for techies)

  • Nessus

  • Nikto: http://www.cirt.net/code/nikto.shtml


Rock Phishing Using Domain Names

Phishers use ways to save space and time

“One single site with multiple DNS names now holds a multitude of phishing pages, covering a broad range of different banks.”

  • www.volksbank.de.vr-web.www.ioio3.hk/volksbank/  85.114.xxx.53

  • www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/  85.114.xxx.53

  • www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/  85.114.xxx.53

Likely responsible for 50%+ of current phishing attacks

Malware Review Dec-2006: http://www.security.iia.net.au/news/220.html


Phishers' Business Continuity

Malware reborn after clean-up

  • Use rock phishing

  • Use domain names, not IP addresses

  • Use dynamic DNS to create very many URLs

    • www.usbank.com.[random 092304124].domain.com/usbank/

    • www.pay.com.[random 06382124].domain.com/paypal/

  • We must involve domain registrars and ISPs

Resist detection

  • Time-zone dependent behaviour

  • Blocking investigators' evidence collection
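A detection heuristic for the rock-phish hostnames shown on this slide and the previous one, as an added example that is not part of the presentation: a genuine bank domain appearing as a run of labels under some other registered domain is flagged, and flagged hosts are grouped by resolved IP, since one IP serving several brands is the "single site, many DNS names" hallmark. The brand list, the documentation-range IPs (the slide redacts its own) and example.com standing in for the slide's [random].domain.com are constructed; the "last two labels" registered-domain rule is a simplification that ignores public-suffix rules such as .com.hk.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed brand list: the genuine domains the phishing hosts imitate.
BRAND_DOMAINS = {"volksbank.de", "paypal.de", "usbank.com"}

def registered_domain(host):
    # Assumption: naive "last two labels" rule, no public-suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def embedded_brand(host):
    # Return a brand domain that occurs as a run of labels inside host.
    labels = host.lower().strip(".").split(".")
    for start in range(len(labels)):
        for end in range(start + 2, len(labels) + 1):
            cand = ".".join(labels[start:end])
            if cand in BRAND_DOMAINS:
                return cand
    return None

def classify(url):
    # A brand domain buried under a different registered domain is the
    # rock-phish pattern; the brand's own domain is "ok".
    host = urlsplit(url).hostname or ""
    brand = embedded_brand(host)
    reg = registered_domain(host)
    verdict = "suspicious" if brand and brand != reg else "ok"
    return verdict, brand, reg

def cluster_by_ip(records):
    # records: (url, resolved_ip). Map each IP to the brands it hosts.
    brands = defaultdict(set)
    for url, ip in records:
        verdict, brand, _ = classify(url)
        if verdict == "suspicious":
            brands[ip].add(brand)
    return {ip: sorted(b) for ip, b in brands.items()}

# Constructed sample: 192.0.2.x replaces the slide's redacted 85.114.xxx.53,
# and the fourth entry mimics the dynamic-DNS random-label pattern.
SAMPLE = [
    ("http://www.volksbank.de.vr-web.www.ioio3.hk/volksbank/", "192.0.2.53"),
    ("http://www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/", "192.0.2.53"),
    ("http://www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/", "192.0.2.53"),
    ("http://www.usbank.com.092304124.example.com/usbank/", "192.0.2.54"),
    ("https://www.volksbank.de/", "192.0.2.10"),
]
```

Feeding cluster_by_ip() URLs from spam traps together with their DNS answers gives the registrar and ISP contacts a single IP and domain list to act on, which is what the slide's "involve domain registrars and ISPs" point requires.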


Data Leakage Risks

Intruder gets access to a database

  • TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had its system accessed by an intruder for over 1 year before discovery. 47M customers' personal information exposed; unknown transactions made.

  • UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSNs, birth dates, addresses and contact information.

Backup tape loss

  • Johns Hopkins U. 2006: containing sensitive personal data of 52,000 employees

  • Bank of America 2005: containing personal information (SSN, account information) of 1.2M federal employees, including U.S. senators.


Data Leakage Risks

Laptop loss/theft

  • Boeing 2006: names, salary information, SSNs, addresses, phone numbers and birth dates of 382,000 current/former employees exposed

  • U.S. Department of Veterans Affairs 2006: data on 26.5M veterans and 2.1M service members exposed.

On-line data leakage

  • IPCC 2006: a subcontractor exposed personal data relating to police complaint cases by putting it on-line

  • Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSNs of 1.7M borrowers.

  • A local recruitment agency leaked personal data on the Internet


Data Leakage Risks

Abuse in data collection

  • FBI audit finds widespread abuse in data collection: telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect

  • Google aims to net teenagers 'for life’

    • Provides an email network to schools

    • Privacy International: Google collects information about people's tastes, interests and beliefs that could be used by advertisers.

    • Google: we do not reveal email content or personal details


Data Leakage Risks

Use of proxy servers (operated by whom?)

  • Web access control

  • Performance enhancement

  • Anonymity

  • Access to game servers in Korea that allow local access only

  • Bypassing censorship controls


Security Management

Security policy

Security risk assessment

  • What are our critical data and systems?

  • What are the risks to them?

  • What measures are required to protect the data assets?

Security management practice

  • Procedures, guidelines

  • Standards compliance and certification

  • Awareness

Security personnel

  • Training

  • Certification

  • Assessment

(Diagram: Security Management, Certification, Professional Certification)


Security Management

Four steps of security management (figure printed by OGCIO)


Prevention

  • Install protection tools against malware

    • Antivirus and antispyware

    • Keep the program & signatures up to date

  • Install a firewall

  • System hardening

    • Patch your system

    • Linux: run Bastille, SELinux

    • Windows: use Vista security


Some Free Security Software

Antivirus software

  • AVG Free Edition: http://free.grisoft.com/doc/1

Antispyware software

  • Microsoft Defender Beta 2 (for Win2000-SP4 or above): http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en

  • Ad-aware SE Personal (for Win98 or above): http://www.lavasoft.de/software/adaware/

Personal firewall

  • Windows XP built-in firewall (FAQ): http://thesource.ofallevil.com/taiwan/security/protect/firewall.asp

  • ZoneAlarm (for Win98 or above): http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.jsp?dc=12bms&ctry=AU&lang=en

Data encryption

  • TrueCrypt: http://www.truecrypt.org/

Note: free security software may have limited features compared with commercial software. Furthermore, there may be restrictions to personal and non-commercial use.


Working with the Browser

  • Use browsers with added anti-phishing features: IE 7.0, Firefox

  • Use as few browser add-ons as possible

  • SSL

    • Use SSL 3.0 and TLS 1.0, not SSL 2.0

    • Check the SSL certificate of on-line transaction web sites

  • Do not save passwords in the browser


Browser Protection

Browser add-ons may be a source of attack

  • Browser add-ons introduce vulnerabilities

  • GreaseMonkey – Firefox add-on

    • User scripts loaded into the browser

    • Some scripts bypass security:

      • Allow password remembering

      • Autologin

    • Basically the user has no knowledge of what the developer put into the code


Browser History (screenshot)


Detection

  • Sysinternals: http://www.microsoft.com/technet/sysinternals/securityutilities.mspx

    • Autoruns

    • Process Explorer

    • PsTools suite: includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

    • RootkitRevealer

  • PEiD

    • Detects packers, cryptors and compilers of PE files


Recovery

  • Back up your data periodically so that you have a way to restore it

  • Test the backup periodically

  • For more critical systems, you may need a redundant server or backup site.


Adopt Good Practices

  • Use only a normal user account in daily operation

  • Do not share user accounts (even at home)

  • Use good passwords

  • Do not use public kiosks for sensitive surfing

  • Read the User License Agreement before installing software

  • Educate children and colleagues


Conclusion

  • We have seen hackers developing better tools and skills. They are more professional and are becoming organized crime.

  • When we look into the mirror, we have a lot to improve in security protection.

  • Data protection is another problem area.

  • We need to seriously improve our security through management and technology.

THANK YOU

82056060

[email protected]

