Information Security Threat Trends

(1)

Information Security Threat Trends

Mr. S.C. Leung (梁兆昌)
Senior Consultant
CISSP CISA CBCP M@PISA

(2)

Introducing HKCERT

Computer Emergency Response Team

- History
  - Established in February 2001 by the HKSAR Government
  - Operated by the Hong Kong Productivity Council
- Missions
  - as the centre for coordination of computer security incident

(3)

Collaboration

[Diagram: HKCERT at the centre, linked to local enterprises and Internet users, ISPs, universities, software vendors and the Virus & Security Research Centre; to other CERT teams in Asia Pacific through APCERT; and to CERT teams around the world through FIRST.]

(4)

Our Services

- Alert Monitoring & Early Warning
- Incident Report and Response
- Publication of Security Guidelines and Information
- Promotion of Information Security Awareness

FREE ALERTS: EMAIL & SMS
FREE HOTLINE: 8105-6060

(5)

Security Vulnerabilities are Rising

Vulnerabilities reported per year (chart data):

  Year       Count
  1995         171
  1996         345
  1997         311
  1998         262
  1999         417
  2000        1090
  2001        2437
  2002        4229
  2003        3784
  2004        3780
  2005-Q2     2874

(6)

Zero-day Attack is Nearer

Time between vulnerability disclosure and worm attack (chart data):

  Worm                       No. of days
  2001 (Nimda)                       337
  2003 Q1 (SQL Slammer)              185
  2003 Q3 (Blaster)                   28
  2004 (Sasser)                       18

(7)

Change of Security Incidents

Ref: APCERT presentation in OECD-APEC Joint Workshop, APEC TEL32 meeting, 5-Sep-2005, Seoul, South Korea

Previous
- Motivation: for fun / fame / recognition
- Large-scale, highly visible attacks
- Source: script kiddies
- Format: worm, DoS, defacement

Now
- Motivation: theft of identity, personal information, money
- Pinpoint incidents using powerful tools; low profile
- Source: professionals, criminals

(8)

A Cool Hello from a Hacker in the Past

[Image]

(9)

Incident Report by Hackers

- Zone-H.org

(10)

Change of Motivation Leads to a Change of Attack Strategies

- Maintain a longer influence on a machine
  - Stay quiet after compromise
  - Disable AV software, personal firewall and anti-spyware
  - Stealthing (hiding) techniques: rootkit
  - Worms: release more variants, each existing for a shorter period of time
- Stay in control by the commander
  - Install a Remote Access Trojan (backdoor) after compromise
  - Phone home: use IRC to communicate with the master server

(11)

Zombie Army (Botnet)

[Diagram: the mastermind sends control data streams to several controllers; each controller directs a group of agents (zombies), which attack the victim.]

(12)

Zombie Army (Botnet)

- Hackers are assembling big "networks of zombies" (bot networks) that they can then turn into profit-making machines:
  - to steal confidential information;
  - to be used as a spam relay
    - e.g. Bagle- and MyDoom-infected machines serve as open mail relays for spamming
  - to host phishing web sites;
  - to launch DDoS attacks: an army hired to attack business rivals
    - e.g. in March 2005, a 16-year-old hacker and a businessman
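Slides 10 to 12 describe the botnet "phone home" pattern: many infected hosts (agents) open outbound IRC connections to one external host (the controller). That fan-in is something a firewall log can show. The following Python is an added example written for this page, not code from the slides or from HKCERT: it parses a constructed firewall log, keeps outbound IRC connections from the internal range, and reports external endpoints contacted by several distinct internal hosts. The log format, the 10.0.0.0/8 internal range, the addresses and the threshold are all assumptions for the example.

```python
"""Added example (not from the HKCERT slides): detect botnet IRC beaconing,
i.e. many internal hosts opening outbound connections to the same external
IRC endpoint. Log format, address ranges and log lines are constructed."""
import ipaddress
import re
from collections import defaultdict

# IRC ports in common use; botnet controllers of the period typically sat on one of these.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Address space treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed log format: <timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>
LOG_LINE = re.compile(
    r"(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample: four internal hosts beacon to 203.0.113.9:6667, one host
# talks IRC to a different server, and there is ordinary web traffic.
SAMPLE_LOG = """\
2005-06-01T08:00:01 ALLOW TCP 10.1.2.15:1034 -> 203.0.113.9:6667
2005-06-01T08:00:03 ALLOW TCP 10.1.2.22:1051 -> 203.0.113.9:6667
2005-06-01T08:00:04 ALLOW TCP 10.1.2.40:1102 -> 198.51.100.77:80
2005-06-01T08:00:09 ALLOW TCP 10.1.3.8:1201 -> 203.0.113.9:6667
2005-06-01T08:00:15 ALLOW TCP 10.1.2.15:1035 -> 198.51.100.77:443
2005-06-01T08:00:21 ALLOW TCP 10.1.4.77:1320 -> 203.0.113.9:6667
2005-06-01T08:00:30 ALLOW TCP 10.1.2.99:1400 -> 192.0.2.50:6667
2005-06-01T08:00:35 DENY  TCP 10.1.2.22:1052 -> 203.0.113.9:6667
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal networks.
    Explicit ranges are used rather than ip_address().is_private, which also
    flags the documentation ranges used for the external hosts here."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def irc_controllers(text: str, min_hosts: int = 3) -> dict[str, list[str]]:
    """Map each external IRC endpoint to the sorted internal hosts contacting it,
    keeping only endpoints reached by at least `min_hosts` distinct hosts.
    Denied attempts count too: a blocked beacon still marks an infected host."""
    fan_in: dict[str, set[str]] = defaultdict(set)
    for rec in parse_log(text):
        if rec["dport"] in IRC_PORTS and is_internal(rec["src"]) and not is_internal(rec["dst"]):
            fan_in[rec["dst"]].add(rec["src"])
    return {dst: sorted(hosts) for dst, hosts in fan_in.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for controller, zombies in irc_controllers(SAMPLE_LOG).items():
        print(f"suspected controller {controller}: {len(zombies)} zombies -> {', '.join(zombies)}")
```

The threshold matters: a single user on an IRC network is normal, a dozen workstations quietly connecting to the same unknown server on port 6667 is the controller-agent structure drawn on slide 11. Lowering `min_hosts` to 1 turns the same function into a plain inventory of outbound IRC use.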

(13)

Incident Reports (HKCERT)

Reports received per year (chart data):

  Year          Virus attack   Security attack
  2001                   481               217
  2002                  2616               240
  2003                  3211               461
  2004                   450               936
  2005 (Jun)             150               817

Are we safer this year?

(14)

Breakdown for Security Incident Report

- Statistics indicate spyware is becoming a major source of security attacks
- The hibernating (dormant) nature of spyware causes a lower report rate

                                            2003    2004    2005 Q2
  Security incidents reported (other)        461     783     82 (10%)
  Phishing incidents reported                  -      73     61 (7%)
  Spam incidents reported                      -      80     41 (5%)
  Spyware incidents reported                   -       -    633 (77%)
  ALL security incidents reported            461     936    817 (100%)

(15)

What is Spyware?

- A category of malicious programs that are installed on the computer without the user's knowledge or consent, with a threat of information leakage

(16)

Comparing Two Classes of Malware

Virus / Worm
- No user wants it
- Infection
- Immediate damage
- Underground author, active anonymously in forums
- Illegal: criminal damage
- Control of PC, crash PC

Spyware
- User wants something out of it
- "No" infection
- Silent operation
- Author does business with it, has their own web site
- Legal gray area

(17)

Case Study

- Marketscore
  - MKSC hit many US universities in Dec-2004
  - Some banks in HK issued notification letters to customers

(18)

What is Installed?

Root Cert 1: Marketscore Inc
Root Cert 2: Netsetter

A user with administrator permission is prompted to click OK to install MKSC.

(19)

Threat 1: Web Traffic Proxied

- http/https traffic is routed through the Marketscore proxy server
  - The Windows TCP/IP network driver is replaced during installation

(20)

Threat 2: SSL Encryption Broken

A fake server certificate signed by Marketscore verifies OK against the Marketscore public key, because the Marketscore root certificate is now in the trust store.

(21)

Man-in-the-Middle Attack

[Diagram: web browser <-> Marketscore proxy server <-> web server. Towards the browser the proxy acts as a pseudo server presenting the MKSC cert. (encrypted leg); in the middle it sees plain text and logs it to Marketscore.com for "research"; towards the web server it acts as a pseudo client using the real cert. (encrypted leg).]

- The user sees encrypted traffic using the Marketscore certificate.
- The Marketscore proxy server decrypts client traffic using its own server SSL key, takes some "statistics", and re-encrypts the traffic with the bank web server's SSL key before sending it to the bank web site.
- The proxy server requests an SSL session to the bank web site on the user's behalf.
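Slides 18 to 21 describe one mechanism: a root certificate added to the local trust store makes the proxy's forged server certificate pass ordinary chain validation. The following Python is an added example written for this page, not code from the slides, from HKCERT or from Marketscore. It models three checks a practitioner would want to see side by side: browser-style path validation (which the forged chain passes once the root is installed), a trust-store audit against a known-good baseline (which exposes the added root), and public-key pinning recorded before the installation (which still rejects the forgery). Certificates are plain dataclass stand-ins with made-up key bytes; there is no real X.509 parsing or signature verification. The names "Public CA" and "www.examplebank.test" are assumptions; only "Marketscore Inc" comes from slide 18.

```python
"""Added example (not from the HKCERT slides): how an installed root CA lets an
interception proxy pass chain validation, and what still catches it.
Certificates are constructed stand-ins, not real X.509 objects."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: bytes  # stand-in for SubjectPublicKeyInfo (constructed bytes)


def spki_fingerprint(cert: Cert) -> str:
    """SHA-256 over the public key: the value a pin set stores."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_validates(chain: list[Cert], trust_store: set[Cert]) -> bool:
    """Browser-style path validation, simplified: each certificate names the next
    one as its issuer, and the last one is a self-signed root present in the local
    trust store. Signature checks are elided; in the real attack they pass,
    because the proxy holds the private key of the root it installed."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and root in trust_store


def unexpected_roots(store: set[Cert], baseline: set[Cert]) -> list[str]:
    """Trust-store audit: self-signed certificates present now but absent from a
    known-good baseline. This is the check that surfaces the two roots slide 18
    shows being installed."""
    return sorted(c.subject for c in store - baseline if c.issuer == c.subject)


def pin_validates(chain: list[Cert], pins: set[str]) -> bool:
    """Pinning: some certificate in the chain must carry a pinned key.
    Adding a root changes the trust store, not the pin set."""
    return any(spki_fingerprint(c) in pins for c in chain)


# --- constructed actors (names other than "Marketscore Inc" are assumptions) ---
PUBLIC_CA = Cert("Public CA", "Public CA", b"public-ca-key-0001")
BANK = Cert("www.examplebank.test", "Public CA", b"bank-key-7f3a")
GENUINE_CHAIN = [BANK, PUBLIC_CA]

MKSC_ROOT = Cert("Marketscore Inc", "Marketscore Inc", b"mksc-root-key-9c1d")
# Forged leaf the proxy presents to the browser: same subject name, proxy's own key.
FORGED_BANK = Cert("www.examplebank.test", "Marketscore Inc", b"proxy-key-4e2b")
FORGED_CHAIN = [FORGED_BANK, MKSC_ROOT]

CLEAN_STORE = {PUBLIC_CA}
INFECTED_STORE = {PUBLIC_CA, MKSC_ROOT}

# Pin recorded on a clean machine, before the spyware was installed.
BANK_PINS = {spki_fingerprint(BANK)}


def verdicts() -> dict[str, bool]:
    """Outcome of each check for the genuine and the forged chain."""
    return {
        "genuine/clean store": chain_validates(GENUINE_CHAIN, CLEAN_STORE),
        "forged/clean store": chain_validates(FORGED_CHAIN, CLEAN_STORE),
        "forged/infected store": chain_validates(FORGED_CHAIN, INFECTED_STORE),
        "genuine/pinned": pin_validates(GENUINE_CHAIN, BANK_PINS),
        "forged/pinned": pin_validates(FORGED_CHAIN, BANK_PINS),
    }


if __name__ == "__main__":
    for check, ok in verdicts().items():
        print(f"{check:24s} {'accepted' if ok else 'REJECTED'}")
    print("roots added to store:", unexpected_roots(INFECTED_STORE, CLEAN_STORE))
```

The forged chain is rejected on the clean machine and accepted on the infected one, which is exactly the "verified OK" of slide 20: the browser's padlock is telling the truth about the trust store, and the trust store has been changed. Only a check whose reference point lives outside the machine's store (a pin recorded earlier, or a baseline to audit against) notices.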

(22)

Defense Approaches: Technical

- Clean Your PC 1-2-3 (www.infosec.gov.hk)
  - Antivirus
  - Firewall
  - Patch your system
  - Remember anti-spyware too!
    - Anti-spyware is still too green (immature) now.
- Minimum privilege
  - Log in as a common (non-administrator) user
- Secure remote access
  - Use an IPSec VPN
  - Use SSH (Linux & Windows). Tunnel the GUI.
  - Use certificates, which are stronger than passwords

(23)

Defense Approaches: Non-Technical

- Policy
  - A clear Acceptable Use Policy (AUP) can help
- Education about spyware
  - Users know viruses and worms but not spyware. They think AV software can guard against spyware.
  - Users have a tendency to download trialware and NOT

(24)

Information Security Myths of Schools

- Myth
  - Our school data has no value to hackers.
- Reality
  - Hackers prey on schools as a springboard for other attacks.
- Myth
  - Our school is neither famous nor infamous. Only a few people are likely to attack us.
- Reality
  - Hackers can find you easily.

(25)

Information Security Myths of Schools

- Myth
  - Our school students are not hackers.
- Reality
  - They might not intend to, but they can make mistakes. They can be a dangerous source of threat. So can your colleagues.
- Dilemma
  - Our school has no resources to secure the system.
- Reality
  - If you do not secure your network, the resulting incident causes you more hassle and hazard.

(26)

Conclusion

- "Security on the Internet is a community effort." - CERT/CC 2000
- HKCERT
  - Hotline: 8105-6060
  - Email: [email protected]
  - URL: http://www.hkcert.org

FREE ALERTS: EMAIL & SMS
FREE HOTLINE: 8105-6060