1 / 17

GRNET CERT 2012

GRNET CERT 2012. by Alex Zaharis. Website: http://cert.grnet.gr Email: cert@grnet.gr Team: GRNET-CERT Phone: +30 210 7475718. Overview. GRNET-CERT I nfo & Deliverables GRNET-CERT Services Workload Statistics Case 1: Phishing Attack Case 2: SQL Injection Attack

kishi
Download Presentation

GRNET CERT 2012

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GRNET CERT 2012 by Alex Zaharis Website: http://cert.grnet.gr Email: cert@grnet.gr Team: GRNET-CERT Phone: +30 210 7475718

  2. Overview • GRNET-CERT Info & Deliverables • GRNET-CERT Services • Workload Statistics • Case 1: Phishing Attack • Case 2: SQL Injection Attack • Case 3: Malware Analysis • Case 4: Anon • Tools of the Trade Τίτλος παρουσίασης

  3. GNET-CERT AT A GLANCE • Created in 2002. • National Point of contact for all Educational & Research Institutes. • Protecting the Greek Critical Internet Infrastructure. • Participating on National Cyber Defense Committee Other Greek CERTs: GR-NCERT FORTHCERT AUTH-CERT GRNET-CERT

  4. GRNET-CERT Deliverables • Create an Overview of the risks the use of Internet poses in GREECE. • Through Communication with other CERTs create a CYBER DEFENCE Coordination Team that can handle any kind of Cyber / Electronic attack. • Participated/Co-ordinated the National Cyber Defense Exercise 2011. • TF–CERT members GRNET-CERT

  5. CERT Cooperation Plan incidents incidents incidents incidents Y CERT GRNET CERT X CERT incidents CERT Law Enforcement CERT Knowledge Pool National Cyber Defense Committee National Cyber Space Foreign Cyber Space 22/5/2012 GRNET-CERT 5

  6. GRNET-CERT SERVICES 1. Security Announcements 2. Technology Watch 3. Security Audits & Assessments 4. Development of Security Tools 5. Intrusion Detection Services 1. Issue Alerts & Warnings 2. Incident Handling -Incident Analysis -Incident Response Coordination 3. Vulnerability Handling -Vulnerability Analysis 4. Artifact Handling -Artifact Analysis 5. Forensics Proactive Services Reactive Services GRNET-CERT

  7. Τίτλος παρουσίασης

  8. Τίτλος παρουσίασης

  9. Some Statistics • For 2012 (5 months) -900+ Various Abuse Reports Mitigated -500+ Infringement Notices Handled -397 Network Scans -22 DOS Attacks -20 DDOS Attacks -Over 20 Cases of Phishing / Defacing etc. -2 Malware Analysis (Trojan, Scareware) -1 Anonymous Attack -Vulnerability (SQLi,XSS) Warning issued for: http://eclass.aspete.gr • For 2011 (last 3 months) -600+ Abuse Reports Mitigated -350+ Infringement Notices Handled -Vulnerability (SQLi,XSS) Warning issued for: http://labs.opengov.gr http://www.presidency.gr/ GRNET -CERT

  10. Website Τίτλος παρουσίασης

  11. Cases Τίτλος παρουσίασης

  12. ΙΚΑ Phishing Type Of Attack:Phishing • Scam email Received. • Attack Site detected & scanned. • Original Phishing Forms along with contact info recovered. (emails used by attackers) • Police Authorities Informed. GRNET-CERT

  13. High Profile Warning issued Type Of Attack:SQLi • Labs.opengov.gr SQLi on facebookmodule GRNET -CERT

  14. Malware Analysis Type Of Attack:Scareware \ Malware CONTACTING IP:91.232.29.95 (Ukraine) http://91.232.29.95/?0bbccd2979886358e559cd8ebc45985d Τίτλος παρουσίασης

  15. Anonymous Attack Type Of Attack:Reflective Amplified DNS Spoofing Attack • DNS requests (ANY) για το isc.org • Source IP = SpoofedIPs.,PORT80 • DestinationIps = Ipsτου φοιτητικού DSL,PORT53 (UDP). • Φοιτητικά DSL modems με ανοιχτό recursivenameserver (dnsmasq) και forwarders αυτούς που έλαβαν από το PPP, δηλ. τους rns0.grnet.gr & rns1.grnet.gr • Προωθούν το ίδιο query στους rns μας. Οι rns μας απαντούν στα modems, και κατόπιν οι dnsmasq των modems απαντούν στον αρχικό (spoofed) προορισμό. • Η ιδιαιτερότητα εδώ είναι ότι το isc.org είναι από τις πρώτες DNSSEC-signed ζώνες, που σημαίνει πως η απάντηση στο αρχικό DNS query είναι μεγάλη (> 512 bytes), οπότε σύμφωνα με το πρωτόκολλο, κάνει upgrade σε EDNS, που είναι TCP. Αποτέλεσμα είναι, ότι όλες αυτές οι χιλιάδες διευθύνσεις του φοιτητικού, ανοίγουν TCP connection στην port 80 (HTTP) στα targetedhosts (δηλ. στις spoofed αυτές διευθύνσεις) και κατά συνέπεια κάνουν DoS GRNET -CERT

  16. Tools • Websites: • https://apps.db.ripe.net/search/query.html#resultsAnchor • http://cqcounter.com/whois/ • http://projecthoneypot.org/ • http://www.phishtank.com/ • http://www.exploit-db.com/ • https://www.virustotal.com/ • http://anubis.iseclab.org • http://www.iptrackeronline.com/header.php • http://www.liveipmap.com/ • Tools: • Netsparker, Acunetix, Metasploit • Wireshark, Burp Suite • Nmap, Zenmap • BackTrack (Various Tools) • Sqlmap, Havij • Vmware Workstation • Sysintelnals • FTK GRNET -CERT

  17. Questions? Personal Info: Name: Alex Zaharis Email: azaharis@admin.grnet.gr Team: GRNET-CERT Phone: +30 210 7475718 GRNET-CERT

More Related