Cyber Security and Internet Governance

Transcription

1 Cyber Security and Internet Governance SC Leung CISSP CISA CBCP

2 Who am I? Director, Internet Society Hong Kong SC Leung Work: Information Security ISP Banking Telecom Software Distributor School Teacher

3

4 Working Groups Internet Accessibility Internet technology, e.g. IPv6, DNSSEC Internet Security & Privacy Copyright and Creativity Startup Activities Seminar, conference, campaign (IPv6 in Action) and workshops, startup award, policy paper

5 What can be hacked?

6 Do you buy this argument? Everything has a computer in it. Every computer can be hacked. Source: Apple Daily July

7 Students faked GPS signals to Hijack $80M yacht Source: Networkworld July 29, 2013

8 Can this be hacked? Which has more attack surfaces?

9 Can this be hacked?

10 What is Cyber Security Risks? TERMS Attacks Explicit action to damage Threats Dangers, Motives to attack Vulnerabilities Security Holes Impacts The damage done to the victim Risks -- Probability of damage/loss/negative effects

11 Hong Kong s Internet Profile

12 Internet and Economy of Hong Kong Internet s contribution to HK economy (2009): USD12.4B (5.9% GDP) 1/3 consumption 1/3 govt. /private investment in Internet-related goods/ services 1/3 net exports of e-commerce and hardware Projected 7% per year Source: Study by Boston Group, commissioned by Google

13 Hong Kong Communication Statistics Internet Services (2015 Jan, CenStatD) Internet penetration rate 73% (5.75M) Household broadband penetration rate 83.2% Public Wi-Fi access points 30,297 Mobile Services (2014 Nov, CenStatD) Mobile subscribers 17.5M Mobile penetration rate (Nov 2014) 241.7% Smartphone users accessing Internet daily 96% Facebook Users (2014 Jan, TNS) 4.4M

14 Internet Speed and Attack Economies with fastest Internet speed Hong Kong 1 st : 84.6Mbps Singapore 2 nd : 83Mbps South Korea 3 rd : 74.2Mbps Japan 4 th : 65.1Mbps Economies with highest portion of attack traffics Source: Akamai 2014-Q3 Internet Report

15 The Attackers The Threat

16 Traditional Attackers Script Kiddies Genius Hackers Disgruntled Workers Business Rivals

17 Modern Attackers Cyber Criminal Hacktivist Nation State Image credits: Infographics of WatchGuard

18 Modern Attackers Cyber Criminal Motive: $$$ Underground economy Crime-as-a-Service Botnet infrastructure Advanced (banking) Trojan Moving to mobile and cloud Image credits: Infographics of WatchGuard

19 Cybercriminal Underground Economy Sales ranking on underground economy Source: Symantec

20 Modern Attackers Hacktivist } Motive: Ideological } High profile } Crowdsourcing } Data leakage à DDoS Image credits: Infographics of WatchGuard

21 Anonymous Hacktivist Group

22 Modern Attackers Motive: Political/Military Nation State Targeted critical infrastructure Advanced malware / attacks Low profile Espionage Image credits: Infographics of WatchGuard

23 Critical infrastructure at Risk Stuxnet botnet (2010) Designed to overcome the network gap Targeted programmable logic controllers in the Natanz nuclear facilities in Iran Supervisory Control and Data Acquisition (SCADA) Water and sewage system Hospital Telecommunication Transport Critical infrastructure

24 Targeted Attack on Critical Infrastructure of Trust Stolen digital certificates by Stuxnet (Jan 2011) and Duqu (Oct 2011) RSA SecurID hacked (Mar 2011) Cause a global replacement of tokens in years Certificate Authorities attacks Comodo (Mar 2011), DigiNotar (Aug 2011), DigiCert Malaysia (Nov 2011) More Dutch CAs: Getronic KPN CA (Nov 2011) GenNet (Dec 2011) Consequence Root certificate of these CAs are distrusted or removed from the browsers/os Some out of business after attack Attack down to the root of trust of the Internet

25 Impacts of the new chemistry Nation X Nation Y Lower hurdle to access sophisticated attack technologies collateral damages Provide attack services to hacktivists Image credits: Infographics of WatchGuard

26 Vulnerabilities Image credit:

27 Software Vulnerabilities Source: Security bulletins in

28 Mac OS Security Vulnerabilities Some people think We don t need anti-virus for Mac OS Is this true? Flashback Trojan for OS X Appear in Sep 2011, pretended to be Adobe Flash installer Evolved to target Java runtime vulnerability of MAC computers in 2012 Said to have infected 500,000 Mac computers. JAVA vulnerability targeted by Flashback Oracle announce in Nov 2011 Apple not patched till Apr Conclusion Do not believe in this myth Apple does not need antivirus

29 Who are you really talking to? Social Engineering uses a lot of identity theft

30 Spoofing

31 Threats, Vulnerabilities, Risks and Risk Mitigations Threats (Disasters, Attackers) Threats (Disasters, Attackers Risks Attacks Attacks Risks Vulnerabilities (System / Human) Risk Mitigations (Technology / Awareness) Compromised Your System / System Data / Data Your System / Data

32 Attacks

33 Malware Propagation channels Executables Document Malware Website Fake security software Fake video player codec

34 Malware Propagation channels Executables Document Malware Embedded malware in PDF or Office files Botnet served PDF malware Website Image by Websense

35 Malware Propagation channels Executables Document Malware Website Legitimate and trusted websites compromised Web admin incapable to detect and mitigate the risks

36 Multi-stage infection (drive-by download) Web server (injected) Exploit server Malware Hosting Web request Browser p p Exploits imported from other servers via iframes, redirects When compromised, dropper download and install the actual bot malware

37 Threat: Botnet (robot Network Command & Control Centre Bot Herder Services Manage Update Survive the adverse C&C Bots bot bot bot attacks Your computers! victim victim

38 Reflective DDoS using Open DNS resolvers (2) A spoofs a DNS query by Server B domain.com TYPE = ANY Packet size = 20 bytes Attacker A Misconfigured DNS open resolvers C (1) A wants to attack B without being identified Server B under attack (3) Reply to query of unauthorized domain; Amplified DNS Reply Packet size = 1,200 bytes

39 Reflective DDoS using Open DNS resolvers Misconfigured DNS open resolvers Bots Server under attack

40 Hong Kong Security Profile

41 Critical Attacks in Hong Kong Recent Cases 第 一 亞 洲 商 人 金 銀 業 有 限 公 司 (Feb-2012) HK Stock Exchange 披 露 易 (Aug-2011)

42 Civil e-voting Campaigns targeted Attack bandwidth up to 400Gbps (source: CloudFlare)

43 Territory-wide attack no longer a myth Hong Kong came across a territory-wide attack in October the Operation Hong Kong campaign initiated by a hacktivist group Many websites targeted, both government and nongovernment In form web defacement, DDoS attacks and intrusion of information system Also brought about collateral damages to other users in neighbouring networks.

44 Security Incident Reports Handled in the past 10 years 3,443 2, % 1,605 1,797 1,255 1,304 1, ,189 1, % of incident reports in 2014 were referred by external parties

45 Incident Reports Breakdown in 年 保 安 事 故 報 告 的 分 佈 Total 總 數 : 3,443 l Botnet ( 殭 屍 網 絡 ): 1,973 (57%) l Phishing ( 釣 魚 網 站 ): 594 (17%) l Malware ( 惡 意 軟 件 ): 298 (9%) l Defacement ( 網 頁 塗 改 ) : 146 (4%) l Distributed Denial-of-Service (DDoS) ( 分 散 式 阻 斷 服 務 攻 擊 ): 125 (4%) 9% 4% 9% 4% 17% 57% Botnet 殭 屍 網 絡 Phishing 釣 魚 網 站 Malware 惡 意 軟 件 Web Defacement 網 頁 塗 改

46 Prediction

47 Mobile Malware China statistics 2012, 95 % of mobile malware targeting Android (NQ Mobile) Infected 32.8M smartphones 28% collect personal data for $$ Mostly from unofficial app store Package malware into normal apps and put on app store

48 Mobile banking is it secure? Two factor authentication using SMS? Some banks start to use as the client tool Loss of out-of-band communication when using SMS as soft token à token device is recommended Unauthenticated mobile Apps Hackers ported Zeus botnet to mobile Zeus: botnet targeting financial institutions Man in the Mobile attack (Mitmo)

49 More ios malware Wirelurker infected JB & non-jb devices Infections via synchronization with desktop Host Mac malware on piracy app store 麥 芽 地 Mac malware monitor USB connection, and sync with ios device to infect it with WireLurker Use Enterprise provision profile to install malware not published on Apple app store

50 Security Implications of Internet of Things

51 IoT Security Outlook l Hackers now control Internet devices to steal data, or use them to launch attacks IP Camera leaking personal privacy Broadband routers launch DDoS TV Box compromised by preloaded malware l Potential threats for Internet of Things ( 物 聯 網 ) Smart Home, Smart Watch or Industrial Control System (ICS) connected to the Internet

52 Smart Home Remote Control Mobile Devices Personal Cloud Managed Service Home Gateway Home Devices Reference: Amdocs_Connected_Home-SmartCity-2012-June.pdf

53 Smart Home Google Nest thermostat hacked University of Central Florida) Can boot via USB to bypass verification and install any code Can read log file that contains local Wifi credentials in plaintext Can block sending log back to server

54 Smart Car security BMW Issues Security Patch for ConnectedDrive after Unlocking Hack Discovered (Feb 2015) Hack: use fake cellphone base to intercept mobile network traffic to send forged command to BMW server to open the car window

55 CyberSecurity Freedom and Privacy

56 The Internet 911? Cybersecurity A national defense strategy Countries want more control Internet Freedom and Privacy Human Rights

57 Edward Snowden on digital surveillance General Surveillance justified for National Security? Data Privacy concerns Data in transmission Data in storage Snowden said strong encryption helps Data sovereignty issue Brazil regulating cloud firms to open local data centre for Brazil citizens (Nov 2013)

58 Risks to Privacy Big Data Lenovo SuperFish Adware Preinstalled adware leaking personal data GreyFish Disk Firmware leaking personal data Xiaomi phone update data to cloud

59 Some trend worth to note Internet had contributed greatly to Globalization Lack of Trust à Localization is emerging? Use our digital products Train our own professional Do our own research and not sharing Mandate code review of foreign products Fragmented Internet Filtering content

60 Arab Spring 2010 and afterwards Most popular Twitter hashtags in the Arab region: Egypt, Jan25, Libya, Bahrain and protest in 2010, Million Arab Users on Facebook Arab Social Media Report 2011 March 9 in 10 Egyptians and Tunisians used Facebook to organise protests or spread awareness Image credit:

61 Internet Governance becomes hot debate Internet Governance: currently a distributed model ITU World Conference on International Telecom (WCIT) December 2012 Debate on the new International Telecomm Regulation (ITR) to include regulation of the Internet

62 WCIT 2012 Dubai The Dubai meeting became a hotspot -- some member states tabled very controversial proposals, including: Extending ITU s regulatory authority from telecommunication to include the Internet. Some African member states even proposed to expand further to anything relating ICT. Requiring the member states to address cyber security and anti-spam issues Permitting member states to impose restrictions on the routing of Internet traffic and collect subscriber identity information

63 Cold War in the Dubai Meeting One camp proposed to regulate the Internet -- included Russia, China, some Arab and African countries. Another insisted to maintain a multi-stakeholder governance model for open and free Internet. camp including United States, Canada, EU countries and their allies The two camps stalled in a tug-of-war. Finally, The Chairman then announced the new regulations with effect on January 1, 2015.

64 Signature of the Final Acts 89 signed, 55 not signed

65 After the Dubai Meeting Internet Society published the report of Global Internet User Survey % agreed or agreed strongly that access to the Internet should be considered a basic human right. 89% agreed or agreed strongly that Internet access allows freedom of expression on all subjects, and 86% agreed or agreed strongly that freedom of expression should be guaranteed. The European Union published the Cyber Security Strategy in February 2013 Human rignts being a fundamental of cybersecurity

66 Internet Governance ICANN: a distributed governance model with inputs from multiple stakeholders: governments, public organizations and the netizens.

67 Governments, Public Organizations, Business, Common People

68 Thank You