1 CERT Polska operates within the framework of the Research and Academic Computer Network CERT POLSKA REPORT AN ANALYSIS OF NETWORK SECURITY INCIDENTS FIRST HALF OF 2011
2 2 Contents How to read this document? 3 The most important observations summing up the report 3 Information about CERT Polska 5 Introduction 6 Amount of information in all categories 6 Traditional phishing 7 Sites associated with malware 9 From a sandbox to Polish networks: addresses visited by malware 10 Spam from Polish networks 11 Scanning 12 Most scanned services 12 Most infected Polish networks 13 Bots 14 Command & Control servers 18 DDoS attacks, fast flux and other submissions 19
3 3 Summary How to read this document? / The most important observations summing up the report How to read this document? This report presents selected statistics on security incident data handled by CERT Polska in the first half of 2011 along with discussion and conclusions. It is our first semiannual report and our first report translated into English up till now we have published only annual reports in Polish. As a result of this report, we hope that our readers can obtain a relatively up to date view of the Internet threat landscape as seen by our team. This report covers threats observed in networks allocated to Poland and the.pl domain. It is based on data received from different entities engaged in monitoring and responding to threats. As the report takes into account data concerning all the Polish providers, it gives a wide overview of what goes on in the Polish Internet. We compare our observations with those made in the report for the year 2010 as well as compare - when possible Poland to the rest of the world. The most important observations summing up the report Despite the increasing number of automated information sources, we received less than half of submissions concerning Poland than we expected. In February a new version of Zeus appeared that targeted Polish users. It was unique, as it attacked not only computers but also cell phones. An attacker could read and modify information provided in an SMS, including transaction authorization codes. It was the second, fully documented case of such an incident in the world. In April, a large scale attack targeting Polish Internet users took place. A fake invoice in PDF format was sent in a mass mailing. After opening the attached invoice, the trojan SpyEye was downloaded and took control over a user s computer. Subsequently, all confidential information entered by user on websites (including e-banking sites) could be captured. During the period between the end of April and June 2011 there were many serious leaks of customer data worldwide. The most serious data theft concerned Sony. Hackers took data of 100 million user accounts, and probably also about 10 million credit cards from the PSN and SEN services databases. User data leaked also from Nintendo, Codemasters, pornographic site pron.com and Citibank (200 thousand accounts). Some attacks are ascribed to Anonymous and LulzSec groups. These cases also affected Polish users. Although hosting providers in Poland are far more affected by phishing than Internet access providers, they are much more effective at reacting to such threats. More than every fifth (21%) domain in Poland involved in a phishing case, belonged to an e-commerce site. Polish networks accounted for about 2% of malicious webpage cases worldwide. This was a percentage-wise increase compared to last year (1.4% for all of last year). è
4 4 Summary The most important observations summing up the report Surprisingly, we discovered that a large majority of malicious websites were located on hosts belonging to Internet service provider networks, not hosting providers as was the case last year. We identified 1,033,681 unique incidents of spam originating in Poland. More than half (573,721) originated from the Netia network. We noted only 151,502 incidents of spam from Polish Telecom network. This observation is not surprising this has been the case since the end of 2009 when Polish Telecom introduced filtering of port 25/TCP. An overwhelming majority of scans hit port 445/TCP. These can be mostly attributed to attempts to exploit a vulnerability connected with an error in the handling of RPC requests described in Microsoft bulletin number MS The Top 10 list of infected networks in Poland largely reflects the size of the operators with respect to number of users. In the first half of 2011, we observed over 1 million bots in Polish networks. The most common bots reported to us were Torpig and Rustock. Their number was at least three times larger than that of other bots. Most bots were observed in AS 5617 belonging to Polish Telecom (almost 560 thousand). A large number of bots but a small amount of spam from Polish Telecom clearly indicates the effectiveness of blocking port 25/TCP - we would therefore a recommend a similar measure for other ISPs. The increase of sandbox related information is attributed to Sality trojan activity, which used Interia domains as C&C. We did not receive any APT (Advanced Persistent Threat) reports regarding entities in Poland for the first half of The United States and Canada dominated as a source of phishing cases. This dominance was even greater than in Together they accounted for 60% of submissions. There was an increase in China s share in the statistics of countries in which malware URLs are located. In percentage terms, the United States has less malware URLs than last year. However, it is still remains the lead location. Over 50% of malicious websites reported to us were located in the two countries mentioned above. 50% of C&C servers worldwide reported to us were located in the United States and Germany.
5 5 Information about CERT Polska CERT Polska (Computer Emergency Response Team Poland - is a security incident handling team operating in the framework of the Research and Academic Computer Network Research Institute (http://www.nask.pl/). CERT Polska was established in 1996 and since 1997 has been a member of FIRST (Forum of Incidents Response and Security Teams - an organization that associates response and security teams from all over the world. Since 2000 it has also been a member of TERENA TF-CSIRT (http://www.terena.nl/tech/task-forces/tf-csirt/) that brings together European response teams and Trusted Introducer (www.trusted-introducer.org), an initiative in the framework of the TERENA TF-CSIRT 1. Within these organizations CERT Polska cooperates with similar teams around the world - at an operational level and through research and development projects. The main tasks of CERT Polska include: registering and handling network security incidents for Poland and the.pl domain name space; providing watch & warning services to Internet users in Poland; conducting analyses of advanced Internet threats; cooperation with other incident response teams, including those operating in the framework of FIRST and TERENA TF-CSIRT; conducting informational and educational activities aimed at raising awareness about IT security, maintaining a blog at social networking accounts, and organizing an annual conference on IT security aimed at Polish users (SECURE conference conducting research and preparing reports on security of the Polish Internet resources; independent testing of IT security products and solutions; work on creating standards of registration and handling of incidents; taking part in national and international projects in the area of IT security aimed in particular at developing tools to support intrusion detection and incident handling ; 1 In 2001 CERT Polska Team was awarded the highest trust certification under TERENA s Trusted Introducer. è
6 6 Introduction This report is our first semi-annual report. It is also our first report made fully available in the English language. We decided to opt for a half year report as we believe in the importance of providing as up to date view as possible on threats in the Internet. We also believe in the necessity of sharing threat analysis information with the wider CERT and security community in general. Starting several years ago, we observed an important shift in the way incident information is submitted to our team. We receive a larger and larger volume of incident data from external automated data feeds, making manual incident handling an impossible task. This has forced us to prioritize, handling just the more serious cases, with the rest forwarded to entities directly responsible for security in their networks, such as Polish Internet providers. In this case CERT Polska acts as a coordinator. This is an optimal solution both for data providers, who do not have to seek contacts to individual abuse teams, and for Internet providers, who can get information, originating from many sources merged into one. Taking into consideration the enormous amount of data shared with CERT Polska within the framework of coordination, we made an effort to standardize them and illustrate what actually happens on the Polish Internet. The formula is similar to our report for the year Such an approach allows us to make comparisons and detect trends in attacks. In this report, as opposed to our annual reports, we focus mostly on the automated submissions. Incidents handled manually will be summarized in the full year report for Amount of information in all categories In the first half of 2011, we received 3,906,411 submissions from external automated data feeds attributed to Polish networks. Most of them concerned spam and other botnet related activities. The chart on the following page illustrates the distribution of the categories that we selected in the report (note the logarithmic scale!) The data comes from various sources. These sources, in turn, use different methods for data collection even for the same types of incidents and often present them in different ways. This makes comparison difficult. Therefore, we distinguish only broad categories of submissions. Just like in 2010, submissions are divided into 10 categories that describe their common features in what we view as the most appropriate way: spam, botnets, scanning, malware URLs, C&C servers, data derived from sandboxes, phishing, fast flux, DDoS and others. These categories are discussed in more detail below. Comparing these data with those from 2010, a decline in the number of events may be observed, even though we have an increasing amount of information sources. The most considerable decline can be seen in the botnet category - based on data from 2010 we would expect at least twice as many incidents. We also received almost 50% less submissions than we had expected in the following categories: spam, phishing, malware URLs, fast flux and C&C servers. We received more in the sandbox, DDoS and scanning
7 7 SPAM BOTNET SCANNERS MAL_URL 3648 SANDBOX 1199 PHISHING 879 FASTFLUX 757 DDOS 14 C&C 9 OTHERS Chart 1. Number of the automated submissions in the categories categories. Traditional phishing In this category of incidents there were no significant changes in relation to the year The position of Poland compared to other countries is almost unchanged. This is despite the fact that the absolute numbers are lower than expected. In the first half of 2011, we had 879 phishing cases in Poland compared to 2,222 throughout all of last year. Thanks to the fact that we also often receive data for other countries, we can compare Poland to the rest of the world. From our observations, the United States and Canada dominate among the countries where phishing cases were found. Together they generated 60% of our submissions. Last year this percentage was 53%. The chart 2. illustrates the number of reported phishing incidents in Poland in comparison to other countries (from January to June). 1 US ,1% 2 CA ,6% 3 DE ,1% 4 GB ,8% 5 CL ,9% 6 RU ,6% 7 HK ,6% 8 FR ,4% 9 CZ ,2% 10 NL ,8% 20 PL 879 0,5% Chart 2. Number of reported phishing cases in relation to geographical location è
8 8 There was no change in the distribution of operators in whose networks phishing cases were detected. As in 2010, mostly hosting providers faced this problem. The numbers shown above illustrate the number of phishing incident reports. They concern 507 unique URLs. We investigated more closely how many incidents involved the same URLs. Average number of submissions / URL Number of URLs ASN 2, (TKP) 2, (GTS) 2, (IWACOM) 2, (CONNECTED) 2, (VECTRA) 2, (MULTIMEDIA) 2, (TP) 1, (KEI) 1, (LEASEWEB) 1, (CROWLEY DATA POLAND) 1, (NETART) 1, (NETWORK COMMUNICATION) 1, (IQ PL) 1, (HOME.PL) 1, (INOTEL) 1, (SUPERHOST.PL) (NETART) (HOME.PL) (TP) (CONNECTED) (KEI) Chart 3. Number of phishing cases in Poland per autonomous system The fact that most often the same sources report a given URL periodically until it is cleaned can be used as an indicator of how long a phishing site is hosted before being removed. On average, we received 1.72 submissions per URL. In the worst cases 6 submissions concerned a single URL. We made a comparison of this ratio among operators where more than 5 URLs were identified to contain a phishing webpage in a six month timeframe. The chart 4. with traditional ISPs coming out on top seems to illustrate that although hosting providers are more often used for phishing, they are more efficient at taking it down. The reported phishing sites were located in 346 different domains. The vast majority of sites are a result of a website compromise. This method was used for 228 (65.9%) domains. However, 55 (15.9%) domains were registered through sites offering free subdomains, for example More than every fifth (21%) domain where phishing case was observed, belonged to an e-commerce site. Among the sites that are faked most often, PayPal (85 URLs) still dominates, but we also noted the presence of Western Union (9 URLs) and Amazon (6 URLs). Banks appeared in a total of 24 cases. 1, (INTERIA) 1, (SUPERMEDIA) Chart 4. Number of traditional phishing cases in Poland grouped by autonomous systems
9 9 Sites associated with malware This category describes incident reports obtained from external data feeds that involve cases of hosting malicious files in Polish operators networks. These include: malicious code that compromises a browser or one of its plugins or extensions, malicious executables (including ones downloaded as a result of execution of code mentioned above), configuration files used to control malicious software The submissions do not concern phishing which is discussed in another category. In this half-year, we had fewer incidents concerning malware sites than we expected (counted as a unique combination of date of submission, IP address and the URL). Based on statistics from last year, we expected at least twice as many submissions. We are unable to explain why we received fewer reports. In the first half of 2011, we received 3,648 incidents concerning Poland (in the whole of last year we had 12,917 incidents). This was about 2% of submissions worldwide that we received. This is a percentage increase in relation to data from 2010 (when Poland was responsible for 1.4% of submissions worldwide). Interestingly, even though the United States remain the predominant location of malware, there was a significant decrease of their percentage share: (34% percent vs. 48,2%), mainly due to a significant increase of China (last year also ranked second, but only with 11.9% share as opposed to the 20% first half of this year). Note the high position of China, Russia and Ukraine. When we confront the malware chart with the chart for phishing cases, it can be seen that the positions of these countries (in particular China) are significantly higher in the category EU GB CZ NL IT PL FR BR CA UA RU DE KR CN INNE US Diagram 1. Countries where malware sites were found the most often (by number of submissions) Number of submissions Country Number of submissions Number of Url/ IP 1 US % 2 CN % 3 KR % 4 DE % 5 RU % 6 UA % 7 CA % 8 BR % 9 FR % 10 PL % 11 EU % 12 GB % 13 CZ % 14 NL % 15 IT % Chart 5. Number of incidents of malware software on WWW sites by geographical location è
10 10 of malicious software. This may imply that the malicious files in these countries do not appear solely as a result of blind hacking attacks (in this case we would expect the distribution to be similar to phishing cases) but that the countries are chosen on purpose. On the one hand, many Chinese and Russian hosting providers have a reputation for bulletproof hosting because of the difficulty in convincing them to remove malicious resources. On the other hand, there was intense speculation that cyber criminals act in China, Russia or Ukraine with the tacit consent of local influential circles. Of course, both theories are not mutually exclusive and are not the only possible explanations of the high position of these countries in these statistics. When we analyzed the results for Poland, they turned out to be quite surprising. The biggest perpetrators are the largest ISPs such as Polish Telecom, Netia and ATM. We expected something different a ranking similar to the last year s which was dominated by the largest hosting providers HOME.PL, Netart or KEI. The average number of URLs per single address also decreased. Number of submissions Autonomous system Operator Number of URL/IP TP 3, ATOM 6, NETIA 5, HOME.PL 2, ATMAN 2,9 Chart 6. Number of malware cases on the Polish WWW sites grouped by autonomous systems It is not clear to us why there were changes in the ranking of operators whether they are a result of the way in which data concerning malicious sites is collected by our sources or whether the reason is that the hosting providers introduced better security policy which in turn resulted in the changing of the strategy of the cybercriminal underground. From a sandbox to Polish networks: addresses visited by malware This category of information is in many ways an extension of the previous one. It concerns addresses that were visited by malware installed for observation inside sandboxes - that is a specially prepared environment in which untrusted software can be safely run. In total, 1,302 unique files attempted to connect to 1,199 unique WWW and FTP addresses (2,752 in the whole 2010). Approximately 25% of them (32% in 2010) were recognized by antivirus programs as malware (on the basis of Cymru Malware Hash Registry Most connections were observed to a server with an IP address of We observed 275 unique requests. They were generated by a Trojan horse that, when installed on the victim s system, attempted to connect to its command center. Interestingly, this Trojan was never assigned a name by the antivirus vendors. Another very interesting situation relates to addresses in the interia.pl domain: pelcpawel.fm.interia.pl, radson_master.fm.interia.pl, aanna74.eu.interia.pl and mattfoll.eu.interia.pl. In all these cases, the culprit was a trojan horse named Sality. Again, as in the example described above, it attempted to connect to its command centers. In the case of appmsg.gadu-gadu.pl, as last year, we dealt with software initiating connections to gadu-gadu network. 23% of connecting files were identified as malware. Unfortunately, we were unable to determine exactly why the rest of addresses were visited.
11 pelcpawel.fm.interia.pl 85 3 radson_master.fm.interia.pl 50 4 webpark.pl 46 5 footballteam.pl 38 6 aanna74.eu.interia.pl 30 7 appmsg.gadu-gadu.pl s1.footballteam.pl hit.stat24.com ftp.webpark.pl uaneskeylogger.hdo01.pdg.pl mattfoll.eu.interia.pl kluczewsko.gmina.pl Chart 7. Number of malware cases on the Polish WWW sites grouped by autonomous systems Spam from Polish networks In the first half of 2011, we received 2,151,415 incident reports about hosts sending spam from Polish networks. When we take into account all submissions concerning a single IP address, between which there was a break not longer than 3 days we can distinguish 1,033,681 incidents. More than half of these (573,721) related to the Netia network. By comparison, Polish Telecom which introduced filtering of port 25/TCP for its clients at the end of 2009, had only 151,502 incidents, almost the same as Plus network (138,591 incidents). In the first quarter of 2011 we noticed an increase of spam cases originating in Poland. At the turn of April and May, the number dropped to similar levels as in the middle of Since then we have observed a slight decrease Diagram 2. Number of events concerning hosts sending spam from the Polish networks è
12 12 Scanning As in previous years one of the main categories of submissions is scanning. Scanning is usually related to botnet or worm activity, sometimes to network mapping tools. Over the years, scanning has become background noise on the Internet often ignored by many users and even dedicated security teams. Nowadays, many organizations detect and analyze information on scanning in a fully automated way, without manual intervention. If an incident is analyzed carefully it can be associated with the activity of a particular botnet and worm. If not, it remains classified as scanning and is reported to us as such. We analyzed the most often scanned TCP/UDP ports and the most common sources of scanning from Poland. We examined scanning incidents first counting the unique source IP addresses that were registered by reporting systems in the first half of 2011 (globally or per destination port), and also counting unique combination of IP/ destination port scans seen per day. The first category allows for estimation of the number of infected computers, second one illustrates the aggressiveness of the scanning activity. Most scanned services As in the whole of 2010, the first half of 2011 saw a clearly dominant port 445 TCP as the most often attacked port. This is not surprising a large amount of wormable serious vulnerabilities affecting Microsoft software can be found in applications listening on this port (MS in particular). Lp. Number of unique IP seen Destination port/protocol Probable leading mechanism of attacks /TCP Buffer overflow attacks on Windows RPC service /TCP Attacks related to file sharing/windows printers /TCP Dictionary attacks on MS SQL /TCP Attacks on Microsoft Endpoint Mapper service /TCP Attacks related to web applications /TCP Possible spamming attempts /TCP Attacks on a remote control application, radmin /TCP Attacks on VNC /TCP Dictionary attacks on telnet service /TCP Part of an attack sequence (loading of a worm) Chart 8. TOP 10 of destination ports by number of unique scanning sources In comparison to 2010, we observed fewer hosts scanning 22/TCP port (SSH service on which dictionary attacks are often carried out). Port 5060/TCP (SIP protocol) also dropped out of the TOP 10 list. However, port 135/TCP (Microsoft RPC Endpoint Mapper) and port 25/TCP related to STMP service ( ) made a reappearance.
13 13 Most infected Polish networks The distribution of infected unique IP addresses amongst Polish operators is shown below. It sheds some light on the scale of malware infections in Poland. Lp. Number of unique IP Autonomous system number Operator TP NETIA DIALOG PTK CENTERTEL PLUSNET MULTIMEDIA ASK-NET VECTRA ATOM PTC Chart 9. TOP 10 of operators in Poland grouped by the number of scanning source IP Like last year, we believe that the ranking reflects the size of operators user-wise thus the top position of Polish Telecom is not surprising. We also investigated the top operators with respect to frequency of observed scans for this purpose we added up source IPs reported to us daily (effectively IPs that are reported to us most often). Sum of all reported IP/day Autonomous system number Operator TP DIALOG NETIA VECTRA MULTIMEDIA PTK CENTERTEL PLUSNET ASK-NET ASTA-NET LEASEWEB Chart 10. Ranking of operators in respect to frequency of observed scans è
14 14 Bots This category includes computers in Polish networks that are part of botnets and are not included in other categories. Botnets have become the Swiss Army Knife in the miscreant toolset, used for purposes such as theft of user credentials, ad fraud, spam, DDoS or simply as an additional layer of anonymity. In the first half of 2011, we observed over 1 million bots in Polish networks. Torpig and Rustock dominated. Their number was at least three times larger than the other bots. We observed almost 380 thousand machines infected by Torpig and almost 350 thousand machines infected by Rustock. Other dominant bots included IRC bots, mebroot and Conficker. In the case of IRC bots there were many varieties with an IRC management channel as the common characteristic feature. Special attention should be devoted to mebroot that was used to steal confidential data from financial institutions Torpig Rustock irc Mebroot Conficker Ponmocup Artro Diagram 3. Number of bots by types In the first half of 2011, the daily distribution of bots was between two and four thousand machines. In the middle of March it increased to about 12 thousand. This was related to Rustock submissions that we started receiving from the 16th of March (see diagram 5.). At the turn of April and May, there was another important incident resulting in 14 thousand received submissions. This was the result of activities of security researchers from the University of California in Santa Barbara who took over the Torpig botnet. This allowed for more precise registrations of victims that connected to C&C servers. This peak can be observed on the diagram 6. showing the number of computers infected by Torpig.
15 Diagram 4. Daily distribution of bots in the first half of Diagram 5. Daily distribution of Rustock in the first half of 2011 è
16 Diagram 6. Daily distribution of Torpig in the first half of 2011 In the case of IRC bots we registered 800 infected machines per day on average. When it comes to mebroot (diagram 7.), most of the time the number of infected machines fluctuated between a few hundred and 1,500 machines per day. However, two events are exceptions here. The first one took place between the 15th and 20th of April (over 8,500 computers), and the second one on the 31st of May (over 6,500 computers). We speculate that this might be due to an attack aimed at Polish users of financial institutions. Most bots were observed in AS 5617 belonging to Polish Telecom (diagram 8.). It was a number close to 560 thousand and up to four times larger than the number of bots in AS belonging to Netia (about 140 thousand). In the networks of other operators there were less than 50 thousand infected computers. There is no doubt that most bots are located in the networks of the operators that provide Internet for individual users. These are large telecommunication companies like Polish Telecom or Netia, Internet providers in cable networks Multimedia and Vectra and also mobile Internet providers T-Mobile and Polkomtel. More than half of all bots (about 55%) were in the Polish Telecom network, while 15% were in the Netia network.
17 Diagram 7. Daily distribution of mebroot in the first half of TP Netia Multimedia Vectra T-Mobile Diagram 8. Distribution of bots grouped by autonomous systems Polkomtel TK Telekom UPC ATOM P4 è
18 18 18 Command & Control servers In the first half of 2011, we received 1,565 submissions from external automated data feeds that concerned unique Command & Control servers used to manage botnets. They were located in 68 countries. Most of these were in the United States 32.1%. Together with Germany, the USA hosts almost 50% of C&C controllers. Like last year, the leaders in this category are the countries of Western Europe such as Great Britain, the Netherlands and France. China occupies a relatively low position the 10th on the list. Based on this data Poland appears to be rarely used for C&C purposes it is on the 30th position with 9 controllers, even lower than last year, when Poland was the 25th on the list. Item Country Number of C&C Chart 12. C&C servers by geographical location Percentage share 1 US ,1 2 DE ,4 3 GB 86 5,5 4 RU 78 5,0 5 NL 57 3,6 6 FR 57 3,6 7 CA 41 2,6 8 TR 37 2,4 9 CL 34 2,2 10 CN 29 1,9 11 CY 28 1,8 12 UA 25 1,6 13 LU 25 1,6 14 SG 22 1,4 15 KR 21 1, PL 9 0,6 Number of C&C AS Chart 11. Number of C&C servers in Poland GB DE Operator NETIA TP LEASEWEB VECTRA LODMAN Most of the submissions from Poland related to IRC servers. In comparison to last year, the most affected provider is NETIA, not Polish Telecom. However, because of the small number of submissions it is difficult to draw any reasonable conclusions. It is interesting that controllers appeared in Leaseweb, a Dutch operator, whose some networks are registered in the RIPE database as being in Poland. TR CL CN CA INNE FR NL RU US Diagram 9. Countries where C&C servers were located the most often
19 19 DDoS attacks, fast flux and other submissions In this section of the report we present a brief overview of other types of submissions from which we distinguished two important categories: DDoS and fastflux. In the first half of 2011, we received 14 automated submissions on DDoS attacks on hosts located in Polish networks. These were incidents of issuing a command to attack, registered on surveilled C&C servers. Four of the attacks were targeting online game servers. According to our analysis, other attacks were targeting individual users. The number of the attacks is higher than in 2010 when we received 11 incidents, however still less in comparison with other categories. In the first half of 2011, we received 757 submissions (each with a different IP number) on usage of Polish computers for fast flux purposes by 17 domains. Like last year, the incidents mostly concerned networks with large number of individual users almost half of the IP addresses belonged to Polish Telecom. However, the number of incidents is lower than in In our opinion the reason is that this technique is becoming less popular. Other reported submissions concerned open DNS resolvers and brute force attacks. These incidents will be analyzed in the report at the end of this year.
Overview Common Internet Threats Tom Chothia Computer Security, Lecture 19 Phishing Sites Trojans, Worms, Viruses, Drive-bydownloads Net Fast Flux Domain Flux Infiltration of a Net Underground economy.
Microsoft Security Intelligence Report volume 7 (January through June 2009) Key Findings Summary Volume 7 of the Microsoft Security Intelligence Report provides an in-depth perspective on malicious and
LASTLINE WHITEPAPER Using Passive DNS Analysis to Automatically Detect Malicious Domains Abstract The domain name service (DNS) plays an important role in the operation of the Internet, providing a two-way
New Staff Members Common Internet Threats Tom Chothia Computer Security, Lecture 16 Osama is leaving the School Joe Gardiner will be a new lab demonstrator Ian Batten will be a new tutor. Overview Phishing
Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...
2012 Bit9 Cyber Security Research Report Table of Contents Executive Summary Survey Participants Conclusion Appendix 3 4 10 11 Executive Summary According to the results of a recent survey conducted by
Security Incidents And Trends In Croatia Domagoj Klasić firstname.lastname@example.org Croatian National CERT About us Founded in 2008. in accordance with the Information Security Act We are a department of the Croatian
About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology
Indian Computer Emergency Response Team (CERT-In) Annual Report (2010) Indian Computer Emergency Response Team (CERT-In) Department of Information Technology Ministry of Communications & Information Technology
Phishing Activity Trends Report, 26 Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account
Phishing Activity Trends Report for the Month of, 27 Summarization of Report Findings The number of phishing reports received by the (APWG) came to 23,61 in, a drop of over 6, from January s previous record
Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...
Commercial Banking Customers Securing Your Business s Bank Account Trusteer Rapport Resource Guide For Business Banking January 2014 Table of Contents 1. Introduction 3 Who is Trusteer? 3 2. What is Trusteer
Botnets come in many flavors. As one might expect, these flavors all taste different. A lot of Internet users have had their taste of IRC, P2P and HTTP based botnets as their computers were infected with
Section III - Cyber-Attacks Evolution and Cybercrime Trends Report on Cyber Security Alerts Processed by CERT-RO in 2014 Romanian National Computer Security Incident Response Team email@example.com The
Security Challenges and Solutions for Higher Education May 2011 Discussion Topics Security Threats and Challenges Education Risks and Trends ACH and Wire Fraud Malware and Phishing Techniques Prevention
Internet Security Threat Report Volume XII B-Security(1) Internet Security Threat Report XII Important Facts Data Sources Symantec Global Intelligence Network 40,000 registered sensors in 180 countries.
CERT-GOV-GE Activities & International Partnerships Zurich, Switzerland 2014 CERT-GOV-GE Manager David Kvatadze www.dea.gov.ge CERT-GOV-GE - Structural unit was formed within the Information Security and
STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration
Unknown threats in Sweden Study publication August 27, 2014 Executive summary To many international organisations today, cyber attacks are no longer a matter of if but when. Recent cyber breaches at large
The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,
Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from
FINANCIAL FRAUD: THE IMPACT ON CORPORATE SPEND IT SECURITY RISKS SPECIAL REPORT SERIES Kaspersky Lab 2 Corporate IT Security Risks Survey details: More than 5,500 companies in 26 countries around the world
Phishing Activity Trends Report for the Month of December, 2007 Summarization of December Report Findings The total number of unique phishing reports submitted to APWG in December 2007 was 25,683, a decrease
THE HOME LOAN SAVINGS BANK Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This presentation is
QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent
Beyond Aurora s Veil: A Vulnerable Tale Derek Manky Cyber Security & Threat Research FortiGuard Labs October 26th, 2010: SecTor 2010 Toronto, CA Conficker: April Doomsday.. Meanwhile JBIG2 Zero Day PDF/SWF
Spyware Michael Glenn Technology Management Michael.Glenn@Qwest.com Agenda Security Fundamentals Current Issues Spyware Definitions Overlaps of Threats Best Practices What Service Providers are Doing References
Countermeasures against Bots Are you sure your computer is not infected with Bot? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Bot? Bot is a computer
2014 Crucial Cloud Hosting Crucial Research [WEB HOSTING SECURITY 2014] Security is a growing threat for hyper-connected and Internet-dependent businesses whose activities increasingly rely on web hosting
Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000
1 st Half 2009 Committed to Wiping Out Internet Scams and Fraud January June 2009 Phishing Report Scope The quarterly APWG analyzes phishing attacks reported to the APWG by its member companies, its Global
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
DDoS Basics Introduction Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol 1 (IP) address. This paper will explain,
Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used
LASTLINE WHITEPAPER Large-Scale Detection of Malicious Web Pages Abstract Malicious web pages that host drive-by-download exploits have become a popular means for compromising hosts on the Internet and,
Corporate Account Takeover & Information Security Awareness Customer Training No computer system can provide absolute security under all conditions. NO SECURITY MEASURE OR LIST OF SECURITY MEASURES CAN
Botnets: The Advanced Malware Threat in Kenya's Cyberspace AfricaHackon 28 th February 2014 Who we Are! Paula Musuva-Kigen Research Associate Director, Centre for Informatics Research and Innovation (CIRI)
Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia firstname.lastname@example.org email@example.com Framework
TRAINING FOR AMERICAN MOMENTUM BANK CLIENTS Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This
Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals
Security workshop Belnet Aris Adamantiadis Brussels 18 th April 2013 Agenda What is a botnet? Symptoms How does it work? Life cycle How to fight against botnets? Proactive and reactive NIDS 2 What is a
INFORMATION SECURITY REVIEW 14.10.2008 CERT-FI Information Security Review 3/2008 In the summer, information about a vulnerability in the internet domain name service (DNS) was released. If left unpatched,
Malicious Network Traffic Analysis Uncover system intrusions by identifying malicious network activity. There are a tremendous amount of network based attacks to be aware of on the internet today and the
NSP Integration DNS Sinkhole with URL Sandboxing Botnets are a complex and pervasive form of cyber attack that has been used by attackers, for over a decade, to compromise millions of endpoints in order
The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic
EMERGING THREATS & STRATEGIES FOR DEFENSE Stephen Coty Chief Security Evangelist @StephenCoty Industry Analysis 2014 Data Breaches - Ponemon Ponemon 2014 Data Breach Report *Statistics from 2013 Verizon
DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...
Data Centers Protection from DoS attacks. Trends and solutions Michael Soukonnik, Radware Ltd firstname.lastname@example.org Riga. Baltic IT&T. 21.04.2010 Cybercrime Trends Page 2 Types of DoS attacks and classical
21. Botnets ENEE 757 CMSC 818V Prof. Tudor Dumitraș Assistant Professor, ECE University of Maryland, College Park http://ter.ps/757 https://www.facebook.com/sdsatumd Today s Lecture Where we ve been AuthenDcaDon
The Impact of Cybercrime on Business Studies of IT practitioners in the United States, United Kingdom, Germany, Hong Kong and Brazil Sponsored by Check Point Software Technologies Independently conducted
January 2011 Report #49 Spam made up 81.69% of all messages in December, compared with 84.31% in November. The consistent drop in spam made us wonder, did spammers take a holiday break? Global spam volume
Emerging Security Technological Threats Jamie Gillespie Training and Education Team Leader, AusCERT About AusCERT Australia s national CERT Collect, monitor, advise on threats and vulnerabilities Incident
Phishing Trends Report Analysis of Online Financial Fraud Threats Second Quarter, 2009 For more information, please contact: email@example.com 888.239.6932 www.internetidentity.com Internet Identity
Tespok Kenya icsirt: Enterprise Cyber Threat Attack Targets Report About this Report This report was compiled and published by the Tespok icsirt in partnership with the Serianu Cyber Threat Intelligence
Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working
Course: Malicious Network Traffic Analysis Duration: 5 Day Hands-On Lab & Lecture Course Price: $ 3,495.00 Description: There are a tremendous amount of network based attacks to be aware of on the internet
CERT-GOV-GE Activities & Services Tbilisi, Georgia 2014 CERT-GOV-GE Manager David Kvatadze www.dea.gov.ge CERT-GOV-GE - Structural unit was formed within the Information Security and Policy division of
- 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online
Corporate Account Takeover & Corporate Account Takeover & Information Security Awareness The information contained in this session may contain privileged and confidential information. This presentation
Challenges and Best Practices in Fighting Financial Fraud in Brazil Cristine Hoepers firstname.lastname@example.org CERT.br Computer Emergency Response Team Brazil NIC.br - Network Information Center Brazil CGI.br -
Cyber Security and Critical Information Infrastructure Dr. Gulshan Rai Director General Indian Computer Emergency Response Team (CERT- In) grai [at] cert-in.org.in The Complexity of Today s Network Changes
BOTNETS Douwe Leguit, Manager Knowledge Center GOVCERT.NL Agenda Bots: what is it What is its habitat How does it spread What are its habits Dutch cases Ongoing developments Visibility of malware vs malicious
Cybercrime Metrics and Threat Data: Warsaw - Poland What are the Current Trends? Who? Why? and Where? Jart Armin HostExploit CyberDefcon - CyberROAD Jart Armin NGO - Research group for Cyber threat analysis
The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security
Symantec enterprise security Symantec Internet Security Threat Report April 00 Regional Data Sheet Latin America An important note about these statistics The statistics discussed in this document are based
Data Center security trends Tomislav Tucibat Major accounts Manager, Adriatic Copyright Fortinet Inc. All rights reserved. IT Security evolution How did threat market change over the recent years? Problem:
Course Content: Session 1 Ethics & Hacking Hacking history : How it all begin Why is security needed? What is ethical hacking? Ethical Hacker Vs Malicious hacker Types of Hackers Building an approach for
ES ET DE LA VIE PRIVÉE E 29 th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISS The Internet Threat Landscape Symantec TM Dean Turner Director Global Intelligence Network Symantec Security
Practical guide for secure Christmas shopping Navid 1 CONTENTS 1. Introduction 3 2. Internet risks: Threats to secure transactions 3 3. What criteria should a secure e-commerce page meet?...4 4. What security
Lab Exercises Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Review Questions 1) In class, we made the distinction between a front-door attack and
Symantec Cyber Threat Analysis Program Symantec Cyber Threat Analysis Program Team White Paper: Symantec Security Intelligence Services Symantec Cyber Threat Analysis Program Contents Overview...............................................................................................
Mobile Malware Network View Kevin McNamee : Alcatel-Lucent Agenda Introduction How the data is collected Lies, Damn Lies and Statistics Windows PC Malware Android Malware Network Impact Examples of malware
The McAfee SECURE TM Standard December 2008 What is the McAfee SECURE Standard? McAfee SECURE Comparison Evaluating Website s Security Status Websites Not In Compliance with McAfee SECURE Standard Benefits
Malicious software About ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the internal market. ENISA is a centre of excellence for