Security Threats to Internet and Data Protection
Download
Report
Transcript Security Threats to Internet and Data Protection
Internet Security
Threat Trends
S.C. Leung (梁兆昌)
Senior Consultant
CISSP CISA CBCP
[email protected]
香港電腦保安事故協調中心
HKCERT 簡介
2001年由香港特別行政區政府成立,香港生產力促進局運作
Computer
Emergency
Response
Team
服務
電腦保安警報監測及預警
保安事故報告及應變
出版資訊保安指引和資訊
提高資訊保安意識
(計算機)
(緊急)
(回應)
(小組)
Collaboration 對外協調合作
CERT Teams in Asia Pacific
亞太區其他協調中心
CERT
CERT
CERT Teams around the World
全球其他協調中心
CERT
CERT
CERT
CERT
CERT
CERT
APCERT
FIRST
CERT
Virus & Security
Research Centre
電腦病毒及保安研究中心
Software Vendor
軟件供應商
Universities
大學
Local Enterprise &
Internet Users
本地企業及互聯網用戶
ISP
互聯網供應商
Law Enforcement
執法機關
HKCERT observation
Traditional attacks - Untargeted (Virus/worm) attack
symptoms:
rise of incident reports to security SPs, CERT, police
rise in distributed security probe statistics
Honeypot collected samples
Targeted attacks
Several emails to some organizations
PPT, Word & Excel
Email impersonate your friend /
colleagues using your local language
Attackers
Kiddies/Hobbyist --> Criminals --> Spies
Attraction of “Bots” to hackers
Bot: compromised & hacker controlled
machines
Bots more welcomed
Worms too widespread, too
noticeable --> owners soon patch the
security hole and remove the
malware
Motive of attackers turn to $$$
Keep bots under control
Keep bots un-noticed
Business
Stealing email addresses, password
to on-line bank, eBay+Paypal, stock
brokers
Targeted attack: industrial espionage
Botnet: Network of Bots
FBI “Operation Bot Roast”
Identified 1M+ bots (Jun 2007)
Arrested 3 persons:
Robert Soloway: the spam king
http://seattlepi.nwsource.com/local/317795_sol
oway31.html
James Brewer: operating a botnet
of over 10,000 PCs, infecting PCs
in Chicago hospitals, whose
services were significantly delay
Jason Downey: linked with DDoS
attack by the Agobot worm
Malware Complexity
It can be simple
Just a postcard email, with
simple social engineering
technique to hide itself --> can
use unpacker to get the binary
http://isc.sans.org/diary.html
?storyid=2022
It can be complex
Have to use decryption, debugger
and reverse engineering to analyse
http://isc.sans.org/diary.html?st
oryid=2223
Storm worm, or Trojan.Peacomm
(Jan-2007)
Sophistication of Malware
Use Virus/Worm to infect many machines
Once infects a machine, installs a Downloader.
Downloader then download from dynamic web site the
malware component(s)
Bot0 or Bot
AutoUpdater
(optional) terminator & signature
(optional) rootkit
The Bot0 generate and install the bot
The Bot install itself on the machine and report duty to
the controller which disseminate hacker’s commands
If bot is removed, Bot0 activates and generate another
copy of bot
AutoUpdater keeps Bot0 and Bot updated
Virus
/Worm
Downloader
Bot0
Bot
Watch your web server
10000+ Italian legitimate web servers hacked
The sites were installed the Hacker Kit: MPack
Author has $$$ motivation
Professionally written, with management console
to be hosted on web servers with PHP and database support
come with collection of exploit modules for different platform
and browsers
Watch your web server
Steps Attacking Web server attacking:
hack into popular web server
add iframe snippets to web page of
compromised web servers
spam out emails with IFRAME code
Steps Attacking a User
user browse compromise web server
user's browser execute IFRAME code,
causing it redirected to Mpack server
At Mpack server,
analyse HTTP header
according to platform and
browser, serve many exploits
designed for user
Mpack has a management console
Mpack Management console
Watch your web server
Should you use your web server to browse
and install software there?
Firewall
block unnecessary incoming traffics
block outgoing traffic except for troubleshooting
Patching, Patching, Patching
Vulnerability scanning (for techcies)
Nessus
Nikto for techcies
http://www.cirt.net/code/nikto.shtml
Rock Phishing using domain names
Phishers use ways to save space and
time
One single site with multiple DNS names
now holds a multitude of Phishing pages,
covering a broad range of different banks.”
www.volksbank.de.vr-web.www.ioio3.hk/volksbank/
85.114.xxx.53
www.volksbank.de.vr-web.yydonhb.gksh.hk/volksbank/
85.114.xxx.53
www.paypal.de.vr-web.www26zroh.jordi.hk/paypal/
85.114.xxx.53
likely responsible for 50%+ of current
phishing attacks
Malware Review Dec-2006
http://www.security.iia.net.au/news/220.html
Phishers' business continuity
Malware reborn after clean up
Use Rock Phishing
Use domain name, not IP addresses
Use Dynamic DNS to create so many
URLs
www.usbank.com.[random 092304124].domain.com/usbank/
www.pay.com.[random 06382124].domain.com/paypal/
We must involve domain registrar and ISPs
Resist Detection
Time-zone dependent behaviour
Blocking investigators evidence collection
Data Leakage Risks
Intruder get access to database
TJX: the retailer, which operates T.J. Maxx, Marshalls,
etc., had the system accessed by intruder for over 1
year before discovery. 47M customer personal
information exposed, unknown transactions made.
UCLA: the personal information of 800,000 current and
former students, staff, parents and applicants, including SSN,
birth dates, addresses and contact information.
Backup Tape loss
Johns Hopkins U. 2006: containing sensitive personal
data of 52000 employees
Bank of America 2005: containing personal
information (SSN, account information) of 1.2M
federal employees, including U.S. senators.
Data Leakage Risks
Laptop loss/theft
Boeing 2006: names, salary information, SSN, addresses,
phone numbers and birth dates of 382,000 current/former
employees exposed
U.S. Department of Veterans Affairs 2006: Data from
26.5M veterans and 2.1M service members exposed.
On-line Data Leakage
IPCC 2006: a subcontractor exposed the personal
data of police complaint cases related information by
putting them on-line
Texas Guaranteed Student Loan Corp. 2006: a
subcontractor lost equipment containing the names
and SSN of 1.7M borrowers.
A local recruitment agency leaks personal data on the
Internet
Data Leakage Risks
Abuse in data collection
FBI audit finds widespread abuse in data
collection
telephone companies and Internet providers gave
agents phone and e-mail records the agents did not
request and were not authorized to collect
Google aims to net teenagers 'for life’
Provide email network to schools
Privacy International: Google collect info about
people tastes, interests and beliefs that could be used
by advertiser.
Google: we do not reveal email content nor personal
details
Data Leakage Risks
Use of Proxy Servers (operated by whom?)
Web access control
Performance Enhancement
Anonymity
Access game servers in Korea which allows local access
only
Bypass censorship control
Security Management
Security Policy
Security Risk Assessment
Assessment
What are our critical data and systems?
What are the risks of them?
What measures are required to protect the data assets?
Security Management Practice
Procedure, Guideline
Standard Compliance and Certification
Awareness
Security
Management
Certification
Security personnel
Training
Certification
Professional
Certification
Security Management
Four steps of Security
Management
printed by OGCIO
Prevention
Prevention:
Install protection tool of malware
Antivirus and Antispyware
keeping program & signature up to date
Install Firewall
System Hardening
Patching your system
Linux: run Bastille, SELinux
Windows: use Vista security
Some free security software
Antivirus software
AVG Free Edition
Antispyware software
Microsoft Defender Beta 2 (or Win2000-SP4 or above)
http://www.lavasoft.de/software/adaware/
Personal Firewall
Windows XP built-in firewall
(FAQ) http://thesource.ofallevil.com/taiwan/security/protect/firewall.asp
ZoneAlarm (for Win98 or above)
http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6aafa4-f7f14e605a0d&displaylang=en
Ad-aware SE Personal (or Win98 or above)
http://free.grisoft.com/doc/1
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload2.js
p?dc=12bms&ctry=AU&lang=en
Data Encryption
TrueCrypt
http://www.truecrypt.org/
Note:
Free security software may have limited
features, compared with commercial software.
Furthermore, there may be restriction on
personal and non-commercial use.
Working with the browser
Use browsers with added anti-phishing
features
IE 7.0, Firefox
Use as few browser add-ons as possible
SSL
Use SSL 3.0 and TLS 1.0, not SSL 2.0
Check SSL certificate of on-line transaction web
sites
Do not save passwords on browser
Browsers protection
Browser addon may be a
source of attack
Browser addon introduce
vulnerability
GreaseMonkey – Firefox addon
User scripts loaded on to the
browser
Some scripts bypass security
Allow password remembering
Autologin
Basically user has no knowledge
what the develop put into the code
Browser History
Detection
SysInternalshttp://www.microsoft.com/tech
net/sysinternals/securityutilities.mspx
AutoRun
Process Explorer
PsTools suite
includes command-line utilities for listing the
processes running on local or remote
computers, running processes remotely,
rebooting computers, dumping event logs, and
more.
Rootkit Revealer
PeiD
Detect Packers, Cryptors and
compilers of PE files
Recovery
Backup your data periodically so that you
have a way to restore it
Test the backup periodically
For more critical systems, you may need to
have redundant server or backup site.
Adopt Good Practices
Use only user account in daily operation
Do not share user accounts (even at home)
Use good password
Do not use public kiosk for sensitive surfing
Read User License Agreement before installing software
Educate children and colleagues
Conclusion
We have seen hackers developing better tools and skills.
They are more professional and are becoming organized
crimes.
When we looked into the mirror, we have a lot to
improve in security protection.
Data protection is another area of problems.
We need to seriously improve our security by
management and technology.
THANK YOU
82056060
[email protected]