Information Security Threat Trends

Transcription

1 Microsoft Security Day Sep 2005 Information Security Threat Trends Mr. S.C. Leung 梁 兆 昌 Senior Consultant 高 級 顧 問 CISSP CISA CBCP M@PISA scleung@hkcert.org 香 港 電 腦 保 安 事 故 協 調 中 心

2 Introducing HKCERT History Computer ( 計 算 機 ) Emergency ( 緊 急 ) Response ( 回 應 ) Team ( 小 組 ) Established in February 2001 by HKSAR Government Operated by Hong Kong Productivity Council Missions as the centre for coordination of computer security incident response for local enterprises and individuals 2 Hong Kong Computer Emergency Response Team

3 Collaboration CERT Teams in Asia Pacific 亞 太 區 其 他 協 調 中 心 CERT Teams around the World 全 球 其 他 協 調 中 心 CERT CERT CERT CERT CERT CERT CERT CERT APCERT FIRST CERT Virus & Security Research Centre 電 腦 病 毒 及 保 安 研 究 中 心 Software Vendorr 軟 件 供 應 商 Local Enterprise & Internet Users 本 地 企 業 及 互 聯 網 用 戶 Universities 大 學 ISP 互 聯 網 供 應 商 Law Enforcement 執 法 機 關 3 Hong Kong Computer Emergency Response Team

4 Our Services Alert Monitoring & Early Warning 電 腦 保 安 警 報 監 測 及 預 警 Incident Report and Response 保 安 事 故 報 告 及 應 變 FREE ALERTS & SMS FREE HOTLINE Publication of Security Guidelines and Information 出 版 資 訊 保 安 指 引 和 資 訊 Promotion of Information Security Awareness 提 高 資 訊 保 安 意 識 4 Hong Kong Computer Emergency Response Team

5 Security Vulnerabilities is Rising Q2 Source : CERT/CC, USA 5 Hong Kong Computer Emergency Response Team

6 Zero-day Attack is nearer Time between Vuln. Disclosure & Worm Attack No. of Days (Nimda ) 2003 Q1 (SQL Slammer) 2003 Q3 (Blaster) 2004 (Sasser) Worms 6 Hong Kong Computer Emergency Response Team

7 Change of Security Incidents Ref: APCERT presentation in OECD-APEC Joint Workshop, APELTEL32 meeting 5-Sep-2005, Seoul, South Korea Previous Motivation: For fun / fame / recognition Large scale, highly visible attacks Source: script kiddies Format Worm, DOS, Defacement Now For theft of ID, personal information, $$$ Pin point incidents using powerful tools; low profile Professional, criminals Phishing, Spyware, Trojan 7 Hong Kong Computer Emergency Response Team

8 A Cool Hello from Hacker in the past New hackers might not inform you compromised 8 Hong Kong Computer Emergency Response Team

9 Incident Report by Hackers Zone-H.org 9 Hong Kong Computer Emergency Response Team

10 Change of Motivation lead to.. Change of Attack Strategies Maintain longer influence on a machine Stay quiet after compromise Disable AV software, personal firewall and anti-spyware Stealthing (hiding) techniques: rootkit Worms: releases more variants that exist for shorter period of time Stay in control by the commander Install Remote Access Trojan (backdoor) after compromise Phone home: use IRC to communicate with master server to get command and upload stolen information 10 Hong Kong Computer Emergency Response Team

11 Zombie Army (Botnet) Mastermind Controller Controller Controller Agent Agent Agent Agent Agent Agent Agent Zombies Victim Control data streams Attack data streams 11 Hong Kong Computer Emergency Response Team

12 Zombie Army (Botnet) Hackers are assembling big network of zombies (or bot networks) that they can then turn into profit-making machines to steal confidential information; to be used as spam relay e.g. Bagle and MyDoom infected machines serve as open mail relay for spamming to host phishing web site; to launch DDoS attack army hired to attacking business rivals e.g. in March 2005, a 16-year-old hacker and a businessman were arrested in New Jersey 12 Hong Kong Computer Emergency Response Team

13 Incident Reports (HKCERT) Virus attack Security attack 2616 Are we more safe this year? (Jun) Source : HKCERT 13 Hong Kong Computer Emergency Response Team

14 Breakdown for Security Incident Report Statistics indicating spyware becoming a major source of security attack Hibernating nature of spyware causes a lower report rate Q2 Security Incidents Reported (10%) Phishing Incidents Reported (7%) Spam Incidents Reported (5%) Spyware Incidents Reported 633 (77%) ALL Security Incidents Reported (100%) Source : HKCERT 14 Hong Kong Computer Emergency Response Team

15 What is Spyware? a category of malicious programs that are installed on the computer without user s knowledge or consent, with a threat to information leakage 15 Hong Kong Computer Emergency Response Team

16 Comparing Two Classes of Malware Virus / Worm No user wants it Infection Immediate Damage Underground Author, active anonymity in forums Illegal criminal damage Control of PC, crash PC Spyware User wants sth. out of it No infection Silent operation Author do business with it, have their own web site Legal gray area Information theft 16 Hong Kong Computer Emergency Response Team

17 Case Study Marketscore MKSC hit many US Universities in Dec-2004 Some banks in HK issued notification letter to customers of suspected installation of the software in April Hong Kong Computer Emergency Response Team

18 What is installed? A user with administrator premission is prompted to click OK to install MKSC. Root Cert 1: Marketscore Inc Root Cert 2: Netsetter 18 Hong Kong Computer Emergency Response Team

19 Threat 1 : Web traffic proxied http/https traffics route through Marketscore proxy server Windows TCPIP network driver replaced in installation C> Netstat -a 19 Hong Kong Computer Emergency Response Team

20 Threat 2 : SSL encryption broken Fake Server certificate signed by Marketscore, verified OK with Marketscore public key in its Root certificate 20 Hong Kong Computer Emergency Response Team

21 Man-in in-the-middle attack web browser Marketscore proxy server plain text web server End User Encrypted MKSC cert. pseudo server Log pseudo client Encrypted Real cert. Marketscore.com Research User sees encrypted traffic using Marketscore certificate. The Marketscore proxy server decrypted client traffic using her server SSL key, taking some statistics, and encrypted the traffic with the bank web server SSL key to sent to the bank web site. The proxy server requested an SSL session to bank web site on behalf and the bank build such session using the Bank s certificate. 21 Hong Kong Computer Emergency Response Team

22 Defense Approaches: Technical Clean Your PC ( Antivirus Firewall Patch your system Remember Anti-spyware too! Anti-spyware is too still green now. Minimum Privilege login as common user Secure Remote Access Use IPSec VPN Use SSH (Linux & Win). Tunnel the GUI. Use Certificate which is stronger than password Ref: 22 Hong Kong Computer Emergency Response Team

23 Defense Approaches: Non-Technical Policy A clear Acceptable Use Policy (AUP) can help Education about Spyware Users know virus and worms but not spyware. They think AV software can guard spyware. Users have a tendency to download trialware and NOT knowing what they had agreed to 23 Hong Kong Computer Emergency Response Team

24 Information Security Myths of Schools Myth Our school data has no value to hackers. Reality Hackers prey on schools as Springbroad of other attack Myth Our school is neither famous nor infamous. Only few people are likely to attack us. Reality Hackers can find you easily. HKCERT frequently receive incident reports from schools 24 Hong Kong Computer Emergency Response Team

25 Information Security Myths of Schools Myth Our school students are not hackers. Reality They might not intend to, but can make mistake. They can be dangerous source of threat. So do your colleagues. Dilemma Our school has no resources to secure the system. Reality If you do not secure your network, the resulting incident causes you more hassle and hazard. 25 Hong Kong Computer Emergency Response Team

26 Conclusion Security on Internet is a community effort. - CERT/CC 2000 FREE ALERTS & SMS FREE HOTLINE HKCERT hotline: hkcert@hkcert.org URL : 26 Hong Kong Computer Emergency Response Team