Internet Security Threat Trends

S.C. Leung (梁兆昌)

Senior Consultant, CISSP CISA CBCP

Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT, 香港電腦保安事故協調中心)

About HKCERT

Established in 2001 by the Government of the Hong Kong Special Administrative Region; operated by the Hong Kong Productivity Council.

CERT = Computer Emergency Response Team

  • Services

    • Computer security alert monitoring and early warning

    • Security incident reporting and response

    • Publishing information security guidelines and information

    • Raising information security awareness

Collaboration (對外協調合作: external coordination and cooperation)

Parties HKCERT coordinates with (from the slide diagram):

  • CERT Teams in Asia Pacific

  • CERT Teams around the World

  • Virus & Security Research Centres

  • Software Vendors

  • Law Enforcement

  • Local Enterprises & Internet Users
HKCERT Observation

Traditional attacks: untargeted (virus/worm) attacks

  • rise of incident reports to security service providers, CERTs and police

  • rise in distributed security probe statistics

  • samples collected by honeypots

Kiddies/Hobbyists --> Criminals --> Spies

  • Targeted attacks

    • Several emails to some organizations

    • PPT, Word & Excel attachments

    • Emails impersonate your friends / colleagues and use your local language

Attraction of “Bots” to Hackers

Bot: a compromised machine under the hacker's control

Why bots are now preferred:

  • Worms are too widespread and too noticeable --> owners soon patch the security hole and remove the malware

  • The attackers' motive has turned to $$$

    • Keep bots under control

    • Keep bots unnoticed

What bots are used for:

  • Stealing email addresses and passwords to on-line banks, eBay/PayPal, stock brokers

  • Targeted attack: industrial espionage

Botnet: Network of Bots

FBI “Operation Bot Roast”

  • Identified 1M+ bots (Jun 2007)

  • Arrested 3 persons:

    • Robert Soloway: the “spam king”

    • James Brewer: operated a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delayed

    • Jason Downey: linked with DDoS attacks by the Agobot worm

Malware Complexity

It can be simple

  • Just a postcard email, with a simple social engineering technique to hide itself --> an unpacker can recover the binary

It can be complex

  • Decryption, a debugger and reverse engineering are needed to analyse it

  • Example: Storm worm, or Trojan.Peacomm (Jan 2007)

Sophistication of Malware

  • Use a virus/worm to infect many machines

  • Once it infects a machine, it installs a Downloader

  • The Downloader then downloads the malware component(s) from a dynamic web site

  • Bot0 / Bot

    • Bot0 generates and installs the Bot

    • The Bot installs itself on the machine and reports for duty to the controller, which disseminates the hacker's commands

    • If the Bot is removed, Bot0 activates and generates another copy of the Bot

  • AutoUpdater keeps Bot0 and Bot updated

  • (optional) terminator & signature

  • (optional) rootkit
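
A defender-side illustration of the Bot0 / Bot regeneration described above (added example, not code from the HKCERT deck). It replays a constructed event timeline in a toy shape, not any real EDR or Sysmon log format, and flags a file that is re-created by a different process shortly after an antivirus deleted it; the process doing the re-creating is the guardian component that also has to be removed. Paths and process names are placeholders.

```python
from dataclasses import dataclass

@dataclass
class Event:
    """One host event in a constructed, toy log shape (not a real EDR format)."""
    ts: float      # seconds since start of the capture
    action: str    # "create" or "delete"
    path: str      # file affected
    proc: str      # process that performed the action

# Constructed sample timeline; paths and process names are placeholders.
SAMPLE_EVENTS = [
    Event(0.0,  "create", r"C:\Windows\Temp\bot.exe",   "bot0.exe"),
    Event(60.0, "delete", r"C:\Windows\Temp\bot.exe",   "antivirus.exe"),
    Event(62.5, "create", r"C:\Windows\Temp\bot.exe",   "bot0.exe"),      # respawn
    Event(70.0, "delete", r"C:\Users\me\report.docx",  "winword.exe"),
    Event(75.0, "create", r"C:\Users\me\report.docx",  "winword.exe"),    # normal save
]

def find_respawns(events, window=30.0):
    """Return (path, deleter, recreator, delay_seconds) for each suspicious respawn.

    Suspicious = a path is re-created within `window` seconds of its deletion by
    a process other than the one that deleted it. A program re-saving its own
    file (same process on both sides) is not reported.
    """
    findings = []
    last_delete = {}  # path -> (timestamp, deleting process)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "delete":
            last_delete[ev.path] = (ev.ts, ev.proc)
        elif ev.action == "create" and ev.path in last_delete:
            del_ts, del_proc = last_delete.pop(ev.path)
            delay = ev.ts - del_ts
            if delay <= window and ev.proc != del_proc:
                findings.append((ev.path, del_proc, ev.proc, delay))
    return findings

if __name__ == "__main__":
    for path, deleter, recreator, delay in find_respawns(SAMPLE_EVENTS):
        print(f"{path}: removed by {deleter}, re-created by {recreator} "
              f"after {delay:.1f}s -> also investigate {recreator}")
```

The point of reporting the re-creating process is that cleaning only the visible Bot leaves Bot0 in place; the finding names the component the clean-up missed.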



Watch your web server

10,000+ legitimate Italian web servers hacked

The sites had the hacker kit MPack installed on them

  • Its author has a $$$ motivation

  • Professionally written, with a management console

  • Hosted on web servers with PHP and database support

  • Comes with a collection of exploit modules for different platforms and browsers

Watch your web server

Steps attacking the web server:

  • hack into a popular web server

  • add IFRAME snippets to the web pages of the compromised web servers

  • spam out emails carrying the IFRAME code

Steps attacking a user:

  • the user browses the compromised web server

  • the user's browser executes the IFRAME code, which redirects it to the MPack server

  • at the MPack server:

    • analyse the HTTP headers

    • according to platform and browser, serve the exploits designed for that user

MPack has a management console (screenshot: MPack management console)
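
The first defensive check that follows from this attack chain is looking for injected IFRAMEs in your own pages. The scanner below is an added example (not part of the deck and unrelated to MPack's own code); it uses only the Python standard library and a constructed sample page with placeholder hostnames. It flags IFRAMEs that are both hidden (zero/one-pixel size or display:none) and point to a host other than the site's own, which is the shape of the injection described in the steps above.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []   # list of attribute dicts

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for width/height values such as "0", "1" or "0px" used to hide a frame."""
    m = re.match(r"^\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1

def _is_hidden(attrs):
    """Hidden by size or by inline CSS; a missing dimension counts as visible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        _is_tiny(attrs.get("width", "99")) or _is_tiny(attrs.get("height", "99"))
        or "display:none" in style or "visibility:hidden" in style
    )

def find_suspicious_iframes(html, site_host):
    """Return the src URLs of iframes that are hidden AND point off-site."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host != site_host.lower() and _is_hidden(attrs):
            hits.append(src)
    return hits

# Constructed sample page; all hostnames are placeholders.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://malicious.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other.invalid/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"):
        print("suspicious iframe:", src)
```

Run it over the files under the document root (or over fetched copies of the live pages) on a schedule and alert on any new hit; a visible, on-site embed such as the first frame in the sample is deliberately not reported.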

Watch your web server

Should you use your web server to browse the web and install software there?

  • block unnecessary incoming traffic

  • block outgoing traffic except for troubleshooting

  • Patching, Patching, Patching

  • Vulnerability scanning (for techies), e.g. with Nikto

Rock Phishing using domain names

Phishers use ways to save space and time:

“One single site with multiple DNS names now holds a multitude of phishing pages, covering a broad range of different banks.”

Likely responsible for 50%+ of current phishing attacks

Source: Malware Review, Dec 2006

Phishers' business continuity

Malware reborn after clean-up

  • Use Rock Phishing

  • Use domain names, not IP addresses

  • Use Dynamic DNS to create very many URLs: [random 092304124][random 06382124]

  • We must involve domain registrars and ISPs

Resist detection

  • Time-zone dependent behaviour

  • Blocking investigators' evidence collection
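
Both the rock-phishing slide and the business-continuity slide describe the same hosting pattern: one server, many bank-branded hostnames built from random-looking labels. The added example below (not from the deck) clusters a constructed table of DNS answers, placeholder hostnames and IPs, by resolved address and reports servers hosting several such names, which is what lets a take-down request go to the registrar and ISP responsible for one server instead of chasing each URL.

```python
from collections import defaultdict

# Constructed resolver answers (hostname -> IPv4); names and addresses are placeholders.
RESOLVED = {
    "www.examplebank.com": "192.0.2.10",
    "examplebank.com.092304124.phish.example": "203.0.113.5",
    "secure.firstbank.example.06382124.phish.example": "203.0.113.5",
    "login.paycorp.example.55120093.phish.example": "203.0.113.5",
    "mail.smallbiz.example": "198.51.100.7",
}
# Brand names a bank or CERT would watch for (placeholders)
BRANDS = ("examplebank", "firstbank", "paycorp")

def random_label(label, min_len=6, digit_share=0.6):
    """Heuristic for the [random 092304124]-style labels on the slide: a label
    at least `min_len` long in which most characters are digits."""
    if len(label) < min_len:
        return False
    digits = sum(c.isdigit() for c in label)
    return digits / len(label) >= digit_share

def impersonated_brands(hostname, brands):
    """Brands whose name appears anywhere in the hostname; the random-label
    test in rock_phish_clusters keeps a brand's own domain out of the results."""
    return {b for b in brands if b in hostname.lower()}

def rock_phish_clusters(resolved, brands, min_hosts=2):
    """Group hostnames by resolved IP and return the IPs hosting at least
    `min_hosts` brand-impersonating names that contain a random-looking label.
    Each value lists the hostnames and the set of brands they impersonate."""
    by_ip = defaultdict(list)
    for host, ip in resolved.items():
        if impersonated_brands(host, brands) and any(random_label(l) for l in host.split(".")):
            by_ip[ip].append(host)
    return {
        ip: {"hosts": sorted(hosts),
             "brands": sorted(set().union(*(impersonated_brands(h, brands) for h in hosts)))}
        for ip, hosts in by_ip.items() if len(hosts) >= min_hosts
    }

if __name__ == "__main__":
    for ip, info in rock_phish_clusters(RESOLVED, BRANDS).items():
        print(f"{ip}: {len(info['hosts'])} phishing hostnames impersonating {info['brands']}")
```

In practice the resolver table comes from your own DNS logs or from resolving reported phishing URLs; the thresholds are starting points to tune against what you see.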

Data Leakage Risks

Intruders get access to the database

  • TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had its systems accessed by an intruder for over 1 year before discovery. 47M customers' personal information was exposed, and unknown transactions were made.

  • UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSNs, birth dates, addresses and contact information.

Backup tape loss

  • Johns Hopkins U. 2006: tapes containing sensitive personal data of 52,000 employees

  • Bank of America 2005: tapes containing personal information (SSNs, account information) of 1.2M federal employees, including U.S. senators.

Data Leakage Risks

Laptop loss/theft

  • Boeing 2006: names, salary information, SSNs, addresses, phone numbers and birth dates of 382,000 current/former employees exposed

  • U.S. Department of Veterans Affairs 2006: data on 26.5M veterans and 2.1M service members exposed.

On-line data leakage

  • IPCC 2006: a subcontractor exposed personal data relating to police complaint cases by putting it on-line

  • Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSNs of 1.7M borrowers.

  • A local recruitment agency leaked personal data on the Internet

Data Leakage Risks

Abuse in data collection

  • FBI audit finds widespread abuse in data collection: telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect

  • Google aims to net teenagers ‘for life’: provides an email network to schools

    • Privacy International: Google collects information about people's tastes, interests and beliefs that could be used by advertisers.

    • Google: we do not reveal email content or personal details

Data Leakage Risks

Use of proxy servers (operated by whom?)

  • Web access control

  • Performance enhancement

  • Access to game servers in Korea which allow local access only

  • Bypassing censorship controls

Security Management

  • Security Policy

  • Security Risk Assessment

    • What are our critical data and systems?

    • What are the risks to them?

    • What measures are required to protect the data assets?

  • Security Management Practice

    • Procedures, Guidelines

    • Standards Compliance and Certification

  • Security Personnel

    • Security Management

    • Professional Certification

Security Management

Four steps of Security Management (printed by OGCIO)

  • Install malware protection tools

    • Antivirus and Antispyware

    • keep the program & signatures up to date

  • Install a Firewall

  • System Hardening

  • Patch your system

  • Linux: run Bastille, SELinux

  • Windows: use Vista security features

Some free security software

Antivirus software

  • AVG Free Edition

Antispyware software

  • Microsoft Defender Beta 2 (for Win2000 SP4 or above)

  • Ad-aware SE Personal (for Win98 or above)

Personal Firewall

  • Windows XP built-in firewall

  • ZoneAlarm (for Win98 or above)

Data Encryption

Free security software may have limited features compared with commercial software. Furthermore, it may be restricted to personal and non-commercial use.

Working with the browser

  • Use browsers with added anti-phishing features: IE 7.0, Firefox

  • Use as few browser add-ons as possible

  • Use SSL 3.0 and TLS 1.0, not SSL 2.0

  • Check the SSL certificate of on-line transaction web sites

  • Do not save passwords in the browser
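
What "check the SSL certificate" amounts to, in code: the name on the certificate must match the site being visited and the validity period must include the current time. Added example, not from the deck; it works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, and the certificate used here is constructed with placeholder names so nothing is fetched from the network.

```python
import ssl
import time

# Constructed certificate in getpeercert() format; names are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.examplebank.com"),),),
    "subjectAltName": (("DNS", "www.examplebank.com"), ("DNS", "*.examplebank.com")),
    "notBefore": "Jan  1 00:00:00 2007 GMT",
    "notAfter": "Dec 31 23:59:59 2008 GMT",
}

def _name_matches(pattern, hostname):
    """RFC 6125-style comparison: at most one wildcard, only as the leftmost
    label, matching exactly one label (so *.bank.com does not cover a.b.bank.com)."""
    p, n = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(n):
        return False
    if p[0] == "*":
        return p[1:] == n[1:] and n[0] != ""
    return p == n

def hostname_matches(cert, hostname):
    """Prefer subjectAltName DNS entries; fall back to the CN only when no SAN exists."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_matches(name, hostname) for name in names)

def cert_valid_at(cert, now):
    """True when `now` (seconds since the epoch) lies inside the validity period."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end

def check_site_cert(cert, hostname, now=None):
    """Return a list of problems; an empty list means both checks passed."""
    now = time.time() if now is None else now
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch")
    if not cert_valid_at(cert, now):
        problems.append("expired or not yet valid")
    return problems

if __name__ == "__main__":
    # 2007-04-11 UTC, inside the constructed validity period
    print(check_site_cert(SAMPLE_CERT, "login.examplebank.com", now=1176249600))
```

Chain validation (is the issuer trusted?) is the third check a browser performs; Python's ssl.create_default_context() does that part, and the two checks above are the ones a user can also read off the browser's certificate dialog.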

Browser protection

Browser add-ons may be a source of attack: add-ons introduce vulnerabilities

  • GreaseMonkey – Firefox add-on

    • User scripts are loaded into the browser

    • Some scripts bypass security, e.g. allow password remembering

  • Basically the user has no knowledge of what the developer put into the code

  • SysInternals

    • Autoruns

    • Process Explorer

    • PsTools suite: includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more.

    • RootkitRevealer

  • PEiD

    • Detects packers, cryptors and compilers of PE files
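
The Malware Complexity slide's "use an unpacker to get the binary" and PEiD's packer detection both rest on the same observation: a packed executable's code section no longer looks like code. The added example below (not PEiD's code and not from the deck) parses the PE section table and flags sections with known packer names or near-random (high-entropy) contents; the PE image it inspects is constructed in memory with a minimal header so it runs offline. Pass `open(path, "rb").read()` to `packer_indicators` for a real file.

```python
import math
import random
import struct

# Section names left behind by common packers (lower-cased)
KNOWN_PACKER_SECTIONS = {".upx0", ".upx1", ".upx2", ".aspack", ".adata",
                         ".petite", ".nsp0", ".nsp1", ".themida"}

def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 .. 8.0; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(blob):
    """Yield (name, raw_bytes) for each section in a PE image (PE32 or PE32+)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]        # offset of "PE\0\0"
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                         # COFF file header
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table start
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob, entropy_threshold=7.0, min_size=256):
    """Return human-readable indicators; an empty list means nothing looked packed."""
    hits = []
    for name, data in pe_sections(blob):
        if name.lower() in KNOWN_PACKER_SECTIONS:
            hits.append(f"{name}: known packer section name")
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= entropy_threshold:
            hits.append(f"{name}: entropy {ent:.2f} bits/byte")
    return hits

def build_sample_pe(sections):
    """Construct a minimal PE image from [(name, bytes)] for demonstration only.
    It has no optional header, so it is parseable but not loadable."""
    n = len(sections)
    e_lfanew = 0x40
    data_ptr = e_lfanew + 4 + 20 + 40 * n                       # first section's data
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x102)  # i386, exe, 32-bit
    headers, body = b"", b""
    for name, data in sections:
        headers += struct.pack("<8sIIII", name.encode("ascii").ljust(8, b"\0"),
                               len(data), 0x1000, len(data), data_ptr) + b"\0" * 16
        body += data
        data_ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + body

# Constructed sample: a repetitive "code" section and a pseudo-random "packed" one
_rng = random.Random(1)                                         # fixed seed, deterministic
PLAIN_CODE = b"\x90" * 300 + bytes(range(64)) * 4
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(1024))
SAMPLE_PE = build_sample_pe([(".text", PLAIN_CODE), (".UPX1", PACKED_BLOB)])

if __name__ == "__main__":
    for line in packer_indicators(SAMPLE_PE):
        print(line)
```

Entropy alone also fires on legitimately compressed resources, so treat a hit as "needs unpacking before static analysis", not as a malware verdict; that is the same distinction the slide draws between simple and complex samples.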


Back up your data periodically so that you have a way to restore it

Test the backups periodically

For more critical systems, you may need a redundant server or a backup site.

Adopt Good Practices

  • Use only an ordinary user account in daily operation

  • Do not share user accounts (even at home)

  • Use good passwords

  • Do not use public kiosks for sensitive surfing

  • Read the User License Agreement before installing software

  • Educate children and colleagues

We have seen hackers developing better tools and skills. They are more professional and are becoming organized crime.

When we look into the mirror, we have a lot to improve in security protection.

Data protection is another problem area.

We need to seriously improve our security through management and technology.