Internet Security Threat Trends
S.C. Leung (梁兆昌), Senior Consultant, CISSP CISA CBCP, [email protected]
Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)
About HKCERT
Established in 2001 by the Government of the Hong Kong Special Administrative Region; operated by the Hong Kong Productivity Council.
CERT: Computer Emergency Response Team
Services: computer security alert monitoring and early warning; security incident reporting and response; publishing information security guidelines and information.
CERT Teams in Asia Pacific
CERT Teams around the World
Virus & Security
Local Enterprise &
Traditional attacks - Untargeted (Virus/worm) attack
rise of incident reports to security SPs, CERT, police
rise in distributed security probe statistics
Honeypot collected samples
Kiddies/Hobbyist --> Criminals --> Spies
Bot: compromised & hacker controlled machines
Bots are more welcome to attackers
Worms are too widespread and too noticeable --> owners soon patch the security hole and remove the malware
Attackers' motive turns to money ($$$)
Keep bots under control
Keep bots un-noticed
Stealing email addresses, password to on-line bank, eBay+Paypal, stock brokers
Targeted attack: industrial espionage
FBI “Operation Bot Roast”
Identified 1M+ bots (Jun 2007)
Arrested 3 persons:
Robert Soloway: the spam king
James Brewer: operating a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delayed
Jason Downey: linked with DDoS attack by the Agobot worm
It can be simple
Just a postcard email, with a simple social engineering technique to hide itself --> an unpacker can be used to get the binary
It can be complex
Have to use decryption, a debugger and reverse engineering to analyse
Storm worm, or Trojan.Peacomm (Jan-2007)
Use a virus/worm to infect many machines
Once it infects a machine, it installs a Downloader.
The Downloader then downloads the malware component(s) from a dynamic web site
Bot0 or Bot
Bot0 generates and installs the Bot
The Bot installs itself on the machine and reports for duty to the controller, which disseminates the hacker's commands
If the Bot is removed, Bot0 activates and generates another copy of the Bot
AutoUpdater keeps Bot0 and Bot updated
10,000+ legitimate Italian web servers hacked
The hacker kit MPack was installed on the sites
Author has $$$ motivation
Professionally written, with management console
to be hosted on web servers with PHP and database support
comes with a collection of exploit modules for different platforms and browsers
Steps: attacking a web server
hack into a popular web server
add IFRAME snippets to the web pages of the compromised web servers
spam out emails with IFRAME code
Steps: attacking a user
user browses the compromised web server
user's browser executes the IFRAME code, redirecting it to the MPack server
At the MPack server,
analyse the HTTP headers
according to platform and browser, serve the exploits designed for that user
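The MPack chain above starts with a hidden IFRAME planted in an otherwise legitimate page. A site owner can look for that indicator directly: frames that are invisible (display:none, or a width or height of 0 or 1 pixel) or that pull content from a host other than the page's own. The scanner below is an added example for this page, not HKCERT's code and not part of any MPack analysis; the HTML, the hostnames and the IP (from the 203.0.113.0/24 documentation range) are constructed samples.

```python
"""Scan a web page for IFRAMEs of the kind MPack injects: hidden or zero-size frames
that pull content from a foreign host.  Example code added to this page; the sample
page, hostnames and IP below are constructed, not taken from any real incident."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dictionary of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is invisible: display:none, visibility:hidden,
    or a width/height of 1 pixel or less (as an attribute or in inline style)."""
    style = attrs.get("style", "").lower()
    if re.search(r"display\s*:\s*none", style) or re.search(r"visibility\s*:\s*hidden", style):
        return True
    for dim in ("width", "height"):
        # the attribute value plus any 'width: 0px' style declaration (not 'min-width')
        candidates = [attrs.get(dim, "")] + re.findall(r"(?<![-\w])" + dim + r"\s*:\s*(\d+)\s*(?:px)?", style)
        for value in candidates:
            m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
            if m and int(m.group(1)) <= 1:
                return True
    return False


def find_suspicious_iframes(html, page_host):
    """Return (src, reasons) for every frame that is hidden or points off-site.
    A visible on-site frame is normal; a hidden frame fetching from another host
    is the pattern described above and should be treated as a compromise indicator."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        frame_host = (urlparse(src).hostname or page_host).lower()  # relative src stays on-site
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden/zero-size")
        if frame_host != page_host.lower():
            reasons.append("external host " + frame_host)
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate frame and two injected ones.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/news/latest.html" width="600" height="400"></iframe>
<iframe src="http://203.0.113.10/in.cgi?id=7" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://exploit-host.invalid/c/" style="display:none;border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

Run it over the pages served by your own web server (for example from a nightly crawl of the document root) and compare against the previous run; a frame that appears without a corresponding content change is worth an investigation. Visible frames to an external host are reported too, since an injected frame need not be hidden, but they are the lower-priority finding.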
MPack has a management console
MPack management console
Should you use your web server to browse and install software there?
block unnecessary incoming traffic
block outgoing traffic except for troubleshooting
Patching, Patching, Patching
Vulnerability scanning (for techies)
Nikto for techies
Phishers use ways to save space and time
“One single site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks.”
likely responsible for 50%+ of current phishing attacks
Malware Review Dec-2006 http://www.security.iia.net.au/news/220.html
Malware reborn after clean-up
Use Rock Phishing
Use domain names, not IP addresses
Use Dynamic DNS to create many URLs
We must involve domain registrars and ISPs
Time-zone dependent behaviour
Blocking investigators' evidence collection
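The rock-phish point above is that the many reported URLs are one server behind many DNS names, so handling them one URL at a time is wasted effort while a single request to the hosting ISP and the registrars covers every brand at once. The example below, added for this page and not HKCERT's code, groups phishing reports by the IP each hostname resolved to and flags IPs that serve several brands under several names. All URLs, brand names and IPs (192.0.2.0/24 and 198.51.100.0/24 documentation ranges, `.invalid` domains) are constructed samples.

```python
"""Cluster phishing reports by the IP their hostnames resolved to, to surface a single
'rock phish' server serving many banks under many DNS names.  Example code added to this
page, not HKCERT's; all URLs, brands and IPs are constructed samples."""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed reports: (phishing URL, brand it imitates, IP the hostname resolved to).
SAMPLE_REPORTS = [
    ("http://secure.bank-a-online.invalid/r1/bank-a/login.htm", "Bank A", "198.51.100.7"),
    ("http://login.bank-b-verify.invalid/r1/bank-b/login.htm", "Bank B", "198.51.100.7"),
    ("http://bank-c.update-account.invalid/r1/bank-c/login.htm", "Bank C", "198.51.100.7"),
    ("http://www.bank-a-online.invalid/r1/bank-a/login.htm", "Bank A", "198.51.100.7"),
    ("http://homebanking.bank-d.invalid/signon.php", "Bank D", "192.0.2.44"),
]


def cluster_by_ip(reports):
    """Group reports by resolved IP, recording the hostnames, brands and URL paths seen."""
    clusters = defaultdict(lambda: {"hostnames": set(), "brands": set(), "paths": set()})
    for url, brand, ip in reports:
        parsed = urlparse(url)
        clusters[ip]["hostnames"].add(parsed.hostname)
        clusters[ip]["brands"].add(brand)
        clusters[ip]["paths"].add(parsed.path)
    return clusters


def rock_phish_candidates(reports, min_brands=2, min_hostnames=2):
    """IPs that host pages for several brands under several hostnames: one server,
    many names.  Takedown is most effective at this layer (the hosting ISP and the
    registrars of the domains) rather than one URL at a time."""
    return {ip: c for ip, c in cluster_by_ip(reports).items()
            if len(c["brands"]) >= min_brands and len(c["hostnames"]) >= min_hostnames}


def registrable_domains(cluster):
    """Rough registered-domain view (last two labels) of a cluster's hostnames, to see
    which registrars a takedown request must go to.  Ignores multi-label public suffixes
    such as co.uk; a production tool would use the public suffix list."""
    return sorted({".".join(h.split(".")[-2:]) for h in cluster["hostnames"]})


if __name__ == "__main__":
    for ip, c in rock_phish_candidates(SAMPLE_REPORTS).items():
        print(ip, len(c["hostnames"]), "hostnames", sorted(c["brands"]), registrable_domains(c))
```

The resolved IP has to be recorded at report time: with dynamic DNS the names move, and a re-resolution a day later may point somewhere else or nowhere, which is exactly the evidence-collection problem the slide raises.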
Intruder gets access to database
TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had its system accessed by an intruder for over 1 year before discovery. Personal information of 47M customers exposed; unknown transactions made.
UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSN, birth dates, addresses and contact information.
Backup Tape loss
Johns Hopkins U. 2006: containing sensitive personal data of 52000 employees
Bank of America 2005: containing personal information (SSN, account information) of 1.2M federal employees, including U.S. senators.
Boeing 2006: names, salary information, SSN, addresses, phone numbers and birth dates of 382,000 current/former employees exposed
U.S. Department of Veterans Affairs 2006: Data from 26.5M veterans and 2.1M service members exposed.
On-line Data Leakage
IPCC 2006: a subcontractor exposed the personal data of police complaint cases related information by putting them on-line
Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSN of 1.7M borrowers.
A local recruitment agency leaks personal data on the Internet
Abuse in data collection
FBI audit finds widespread abuse in data collection
telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect
Google aims to net teenagers ‘for life’
Provide email network to schools
Privacy International: Google collects information about people's tastes, interests and beliefs that could be used by advertisers.
Google: we do not reveal email content nor personal details
Use of Proxy Servers (operated by whom?)
Web access control
Access game servers in Korea which allow local access only
Bypass censorship control
Security Risk Assessment
What are our critical data and systems?
What are the risks to them?
What measures are required to protect the data assets?
Security Management Practice
Standard Compliance and Certification
Four steps of Security Management
printed by OGCIO
Install malware protection tools
Antivirus and Antispyware
keeping program & signature up to date
Patching your system
Linux: run Bastille, SELinux
Windows: use Vista security
AVG Free Edition
Microsoft Defender Beta 2 (for Win2000 SP4 or above)
Ad-aware SE Personal (for Win98 or above)
Windows XP built-in firewall
ZoneAlarm (for Win98 or above)
Free security software may have limited features compared with commercial software. Furthermore, its use may be restricted to personal and non-commercial purposes.
Use browsers with added anti-phishing features
IE 7.0, Firefox
Use as few browser add-ons as possible
Use SSL 3.0 and TLS 1.0, not SSL 2.0
Check SSL certificate of on-line transaction web sites
Do not save passwords on browser
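"Check the SSL certificate" in the list above means three things the browser does before showing the lock icon: a name in the certificate must match the host in the URL, the current time must fall inside the validity period, and the issuer must be in the trust store. A look-alike phishing host fails the first test even when it copies the bank's name into its own self-signed certificate. The code below, an added example for this page and not HKCERT's, carries those checks out on constructed certificate records (plain dictionaries, not the output of any real TLS library); the bank and phishing hostnames are invented.

```python
"""The checks a browser performs on a site's SSL/TLS certificate before trusting it:
does a certificate name match the host in the URL, is it within its validity period,
is the issuer trusted.  Example code added to this page, not HKCERT's; the certificate
records below are constructed dictionaries, not output of any real library."""
from datetime import datetime, timezone


def utc(year, month, day):
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(cert_name, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard as the
    whole leftmost label covering exactly one label ('*.example.com' matches
    'www.example.com' but not 'example.com' or 'a.b.example.com')."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    if not cert_name.startswith("*.") or "*" in cert_name[2:]:
        return False  # partial or multiple wildcards are rejected
    host_labels = hostname.split(".")
    # at least two labels must remain under the wildcard, so '*.com' never matches 'foo.com'
    return len(host_labels) >= 3 and ".".join(host_labels[1:]) == cert_name[2:]


def check_certificate(cert, hostname, now):
    """Return the list of problems a browser would warn about; an empty list means accept."""
    problems = []
    names = cert.get("san_dns") or [cert["subject_cn"]]  # SAN entries take precedence over CN
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("name mismatch: certificate is for " + ", ".join(names))
    if now < cert["not_before"]:
        problems.append("not yet valid")
    if now > cert["not_after"]:
        problems.append("expired")
    if not cert["issuer_trusted"]:
        problems.append("issuer not in the trust store")
    return problems


# Constructed certificate record for the genuine banking site.
BANK_CERT = {
    "subject_cn": "www.bank-example.com",
    "san_dns": ["www.bank-example.com", "*.online.bank-example.com"],
    "not_before": utc(2007, 1, 1),
    "not_after": utc(2008, 1, 1),
    "issuer_trusted": True,
}
# Constructed self-signed certificate presented by a look-alike phishing host.
PHISH_CERT = {
    "subject_cn": "www.bank-example.com",
    "san_dns": [],
    "not_before": utc(2007, 3, 1),
    "not_after": utc(2007, 3, 31),
    "issuer_trusted": False,
}

if __name__ == "__main__":
    now = utc(2007, 6, 1)
    print(check_certificate(BANK_CERT, "www.bank-example.com", now))
    print(check_certificate(PHISH_CERT, "www.bank-example.com.login-check.invalid", now))
```

The second call is the situation the slide warns about: the certificate says "www.bank-example.com", but the URL's host is a longer name under an unrelated domain, so the name check fails regardless of what the page looks like. Real browsers add further rules (for example refusing wildcards that span a public suffix, and checking revocation), which this example leaves out.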
Browser add-ons may be a source of attack
Browser add-ons introduce vulnerabilities
GreaseMonkey – Firefox add-on
User scripts loaded into the browser
Some scripts bypass security
Allow password remembering
Basically the user has no knowledge of what the developer put into the code
Backup your data periodically so that you have a way to restore it
Test the backup periodically
For more critical systems, you may need to have redundant server or backup site.
Use only a (non-administrator) user account in daily operation
Do not share user accounts (even at home)
Use good passwords
Do not use public kiosks for sensitive surfing
Read the User License Agreement before installing software
Educate children and colleagues
We have seen hackers developing better tools and skills. They are more professional and are becoming organized crime.
When we look into the mirror, we have a lot to improve in security protection.
Data protection is another problem area.
We need to seriously improve our security through management and technology.