Network Security & Network Virtualization

Transcription

1 Network Security & Network Virtualization Akihiro Nakao Applied Computer Science Course Graduate School of Interdisciplinary Information Studies 2012/5/24 1

2 SPAM: The Most Annoying Problem of Today Source: APWG 3

3 Spam Coupons coupon is more attractive word than discount (kaspersky lab) 4

4 Sources of Spam in March 2012 (TOP 20) (kaspersky lab) 5

5 Spam Category Fraud Dominates in Spams (34%) (kaspersky lab) 6

6 Phishing 1. Forged Address 2. Forged Company Logo 3. Fake company site to steal your identity / privacy info 7

7 Phishing in March 2012 Finance/E-Commerce Dominate (24.6%+18.3%) SNS follows (22.85%) (kaspersky lab) 8

8 Threat of Bot/BotNets 9

9 Bot/BotNets Actions Send nuisance s (spams) Launch DDoS attacks Network infection Network scanning Spying / Eavesdropping Offered in black markets 10

10 Top-10 Spamming BotNets 11

11 Mobile Botnet Android phones are exploited as of 2012 (10k-30k devices) RootSmart backdoor (remotely controlling Android phones) Number of malware modifications for Android OS 12

12 Mac BotNets Flashback infected 700k macs in march

13 BotNets Reloaded Botnets are one of the primary technologies utilized by cyber-criminals cyber-criminals were relatively silent In Q1 2012, cyber-criminals created a botnet using an invisible bot, a fileless bot for the first time. 14

14 Slices (accommodate(diverse(nws( Network(Virtualiza/on(Infrastructure 15

15 16

16 In-Network DPI Best Spot 17

17 18

18 19

19 20

20 Processing Detail Cluster 0 Cluster1 Mails Cluster2 Cluster3 Cluster

21 BotNets on Sale! DDoS attacks typically use large botnets that rent bots on the black market for $0.03 per week PAXSON, V. private communication, December million zombie computers currently exist, and spammers can rent botnets for $.05 to 0.10 per minute. Above the Clouds: A Berkeley View of Cloud Computing February 10, $5,000 per day for a botnet of 50,000 to 70,000 PCs The New Front Line, Michael Lesk, Martin R. Stytz, Roland L. Trope 22

22 Where can I buy a BotNet? Black Market is the source of all the troubles... J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 23

23 IRC Internet Relay Chat (IRC): standard protocol for real-time message exchange over the Internet public (one-to-many) and private (one-to-one) authenticated by nickname and password 24

24 Data Collection 2.4GB of IRC logs archived over 7 month (2006) 13 M messages from 100 K nicknames timestamp, IRC server, source id, channel, message CAVEATS: Market Visibility (no private message) Assertions vs. Intentions (intention not known) Monitored Individuals Biasing Analysis J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 25

25 Market Activity Advertisements J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 26

26 Market Activity Sensitive Data Identity Information Banking Information J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 27

27 Sensitive Data Distribution J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 28

28 Luhn Algorithm X (X: Check Digit) X=3 Double every other digit Multiply by 9 (603) Compute the sum of the digits (67) Take the last digit (3) as check digit The sum with the check digit should be module

29 Luhn Check in Ruby def luhn(cc) cc = cc.gsub(/d/,'').split(//).collect{ d d.to_i } parity = cc.length % 2 sum = 0 cc.each_with_index do d,i d = d * 2 if i%2==parity d = d - 9 if d > 9 sum = sum + d end return (sum%10)==0 end 30

30 Credit Card Arrival 402 valid cards / day (17 cards / hour) 88 invalid cards / day J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 31

31 Hacking Related Ads Bank Login Sales Ads (5%) Hacked Host Sales Ads (3%) Bank Login Demand (2%) Hacked Host Demand (1%) Mailer Sales Ads (3.5%) List Sales Ads (2.5%) J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 32

32 Compromised Host Demand About 100 unique, over 1000 total demands per day J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 33

33 Compromised Host Sales About 200 unique, over 2000 total supply per day J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 34

34 Distribution of Ads of Services Cashier: a miscreant who converts financial accounts to cash Confirmer: a miscreant who helps verification for money transfer DoS, Phishing, Carder (Purchasing Goods with Others Cards J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 35

35 Prices for Compromised Hosts Extract a $ sign and non-zero digits Use SVM classifier to identify sales Ads Important to know the prices to combat attackes J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 36

36 Efficient Countermeasures Sybil Attack (1) Sybil Generation - Join channels (multiple times) (2) Achieving Verified Status - Use disjoint markets and relay sensitive data to increase status (3) Deceptive Sales - Utilize verified status Sybils to rip - Decrease buyer and seller confidence in verification system - Buyers cannot distinguish between honest and dishonest sellers - Create Lemon Market J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 37

37 Efficient Countermeasures Slander Attack - Similar to Sybil attack - Uses false defamation to reduce the status of honest sellers - Current verification uses chat transcripts as evidence J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 38

38 Is Spam Efficient? Spam is inefficient! 350 M spam messages result in 28 sales* botnets used with other form of crimes at the same time (e.g., phishing, online scam) *C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the Conference on Computer and Communications Security (CCS), Alexandria, VA, October

39 Cyber Clean Center ( ) 40

40 One-Click Fraud One-Click Fraud is a very successful online confident fraud in Japan Significant loss of 26B JPY ($260M) / year New laws being passed and special help desk Only 657 arrests and 2859 solved cases /year Ministry of Justice, Japan. Act on special provisions to the civil code concerning electronic consumer contracts and electronic acceptance notice. Japanese Information Technology Promotion Agency. Virus detection reports, October

41 OneClick Fraud Statistics Japanese Information Technology Promotion Agency. Virus detection reports, October

42 Data Collection 2 Channel BBS: The largest bulletin board in Japan, which provides discussion threads on various topics ranging from Japanese anime to sports. Several ongoing threads are dedicated to denouncing One Click Frauds. Koguma-neko Teikoku: Privately owned website providing help to solve consumer problems related with online activities. A section of the site is devoted to describing One Click Frauds, including informatio about scam incidents. Wan-Cli Zukan: Privately owned website solely devoted to exposing websites partaking in One Click Frauds. Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security43

43 Extracted Incidents Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security44

44 2 Channel Thread 45

45 Financial Damages Caused by One-Click Frauds Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security46

46 Amout of Money Requested Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security47

47 Correlation with Other Incidents One-Click site domain involves other illicit activities Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security48

48 Popular Registrar for One Click Fraud Market Share Fraudulent Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security49

49 maido3.com Top 8 Domain Resellers That Miscreants Prefer Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security50

50 DNS Changer 51

51 Literature Underground Cyber Markets DeepSight Analyst Team. Online Fraud Communities and Tools. Technical report, Symantec, January Rob Thomas and Jerry Martin. the underground economy: priceless. USENIX ;login:, 31(6), December 2006 J. Franklin et al., An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants ACM CCS 07 Economics Approach Ross Anderson. Why Information Security is Hard - An Economic Perspective. In 17th Annual Computer Security Applications Conference, J. Aspnes, J. Feigenbaum, M. Mitzenmacher, and D. Parkes. Towards better definitions and measures of internet security. In Workshop on Large-Scale Network Security and Deployment Obstacles,

52 Literature Bot-nets and spams C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the Conference on Computer and Communications Security (CCS), Alexandria, VA, October B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of ACM CCS 09, Chicago, IL, October G. Wondracek, T. Holz, C. Platzer, E. Kirda, and C. Kruegel. Is the internet for porn? An insight into the onlineadult industry. In Proceedings (online) of the 9th Workshop on Economics of Information Security, Cambridge, MA, June

53 Literature One Click Fraud Nicolas Christin, Sally S. Yanagihara, Keisuke Kamataki,"Dissecting one click frauds", Proceeding CCS '10 Proceedings of the 17th ACM conference on Computer and communications security Japanese Information Technology Promotion Agency. Virus detection reports, October

54 Conclusion Cyber-crimes are advancing not only in the technical viewpoint but in economics Financial incentives back up the evolution of cybercrimes, especially accelerated by black markets Legislating laws and arresting cyber-criminals may not be effective for resolving cyber-crime issues Economics approach and/or game changes necessary to combat cybercrimes 55