Information Security Threat Trends

Talk @ Microsoft Security Day, Sep 2005
Information Security Threat Trends
Mr. S.C. Leung 梁兆昌, Senior Consultant, CISSP CISA CBCP, M@PISA
Email: scleung@hkcert.org
Hong Kong Computer Emergency Response Team (HKCERT)

Introducing HKCERT
- History: Hong Kong Computer Emergency Response Team, established in February 2001 by the HKSAR Government and operated by the Hong Kong Productivity Council
- Mission: to act as the centre for coordination of computer security incident response for local enterprises and individuals

Collaboration
HKCERT works with:
- CERT teams in Asia Pacific (APCERT) and CERT teams around the world (FIRST)
- Virus & Security Research Centre
- Software vendors
- Local enterprises and Internet users
- Universities
- ISPs
- Law enforcement

Our Services
- Alert monitoring & early warning: free alerts by email & SMS
- Incident report and response: free hotline 8105-6060
- Publication of security guidelines and information
- Promotion of information security awareness

Security Vulnerabilities are Rising
Vulnerabilities reported per year (Source: CERT/CC, USA):

Year      Vulnerabilities
1995      171
1996      345
1997      311
1998      262
1999      417
2000      1090
2001      2437
2002      4229
2003      3784
2004      3780
2005-Q2   2874

Zero-day Attack is Nearer
Time between vulnerability disclosure and worm attack (number of days):

Worm          Period    Days
Nimda         2001      337
SQL Slammer   2003 Q1   185
Blaster       2003 Q3   28
Sasser        2004      18

Change of Security Incidents
Ref: APCERT presentation at the OECD-APEC Joint Workshop, APECTEL32 meeting, 5-Sep-2005, Seoul, South Korea

              Previous                                 Now
Motivation:   For fun / fame / recognition             For theft of ID, personal information, $$$
Scale:        Large scale, highly visible attacks      Pin-point incidents using powerful tools; low profile
Source:       Script kiddies                           Professionals, criminals
Format:       Worm, DoS, defacement                    Phishing, spyware, Trojan

A "cool hello" from a hacker in the past: the defacement itself announced the compromise. New hackers might not inform you that you have been compromised.

Incident Report by Hackers: Zone-H.org defacement archive, filtered to .hk domains
http://www.zone-h.org/en/defacements/filter/filter_domain=.hk/

Change of Motivation Leads to Change of Attack Strategies
Maintain longer influence on a machine:
- Stay quiet after compromise
- Disable AV software, personal firewall and anti-spyware
- Stealthing (hiding) techniques: rootkits
- Worms: release more variants, each of which exists for a shorter period of time
Stay in control by the commander:
- Install a Remote Access Trojan (backdoor) after compromise
- Phone home: use IRC to communicate with the master server to get commands and upload stolen information

Zombie Army (Botnet)
[Diagram: Mastermind -> Controllers -> Agents (zombies) -> Victim. Control data streams flow from the mastermind through the controllers to the agents; attack data streams flow from the agents to the victim.]

Zombie Army (Botnet)
Hackers are assembling big networks of zombies (bot networks) that they can then turn into profit-making machines:
- to steal confidential information
- to be used as spam relays, e.g. Bagle- and MyDoom-infected machines serve as open mail relays for spamming
- to host phishing web sites
- to launch DDoS attacks: the army is hired to attack business rivals, e.g. in March 2005 a 16-year-old hacker and a businessman were arrested in New Jersey
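The "phone home" behaviour described above (zombies reaching an IRC master server) is what a defender can look for in outbound connection logs. The following is an added example, not code from the HKCERT slides; it scans a constructed firewall log and flags any destination that several internal hosts contact on an IRC port.

```python
"""Spot possible bot "phone home" traffic in outbound connection logs.

Added example, not from the HKCERT slides. The slides describe zombies
using IRC to reach a master server; this scans a constructed set of
firewall log lines for internal hosts connecting out to IRC ports and
flags a destination that several hosts converge on.
"""
from collections import defaultdict

IRC_PORTS = {6667, 6668, 6669, 6697}  # common IRC and IRC-over-TLS ports

# Constructed sample log (not real data). Fields:
# timestamp src_ip src_port dst_ip dst_port action
SAMPLE_LOG = """\
2005-09-01T10:00:01 192.0.2.10 51222 198.51.100.7 6667 ALLOW
2005-09-01T10:00:03 192.0.2.11 51890 198.51.100.7 6667 ALLOW
2005-09-01T10:00:05 192.0.2.12 52001 198.51.100.7 6667 ALLOW
2005-09-01T10:00:09 192.0.2.13 40210 203.0.113.5 443 ALLOW
2005-09-01T10:00:12 192.0.2.14 40555 203.0.113.9 6697 ALLOW
2005-09-01T10:00:15 192.0.2.10 51223 203.0.113.5 80 ALLOW
"""

def parse_line(line):
    """Split one log line into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, action = parts
    try:
        return {"ts": ts, "src": src, "dst": dst,
                "dport": int(dport), "action": action}
    except ValueError:
        return None

def suspected_controllers(log_text, min_hosts=3):
    """Map dst_ip -> sorted internal hosts for destinations reached on an
    IRC port by at least min_hosts distinct machines: many hosts
    converging on one IRC server is the pattern of zombies reporting in."""
    hosts_by_dst = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in IRC_PORTS:
            hosts_by_dst[rec["dst"]].add(rec["src"])
    return {dst: sorted(hosts) for dst, hosts in hosts_by_dst.items()
            if len(hosts) >= min_hosts}

if __name__ == "__main__":
    for dst, hosts in suspected_controllers(SAMPLE_LOG).items():
        print(f"possible IRC controller {dst} contacted by {hosts}")
```

Lowering min_hosts trades fewer missed controllers for more noise from legitimate IRC use; tune it against your own baseline.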

Incident Reports (HKCERT)
Are we safer this year?

Year         Virus attack   Security attack
2001         481            150
2002         217            240
2003         3211           461
2004         2616           936
2005 (Jun)   450            817
Source: HKCERT

Breakdown of Security Incident Reports
Statistics indicate that spyware is becoming a major source of security attacks. The hibernating nature of spyware causes a lower report rate.

                                   2003   2004   2005 Q2
Security incidents reported        461    783    82 (10%)
Phishing incidents reported        -      73     61 (7%)
Spam incidents reported            -      80     41 (5%)
Spyware incidents reported         -      -      633 (77%)
ALL security incidents reported    461    936    817 (100%)
Source: HKCERT

What is Spyware? A category of malicious programs that are installed on the computer without the user's knowledge or consent, posing a threat of information leakage.

Comparing Two Classes of Malware

                 Virus / Worm                                  Spyware
User attitude:   No user wants it                              User wants something out of it
Installation:    Infection                                     No infection
Behaviour:       Immediate damage                              Silent operation
Author:          Underground, active anonymously in forums     Does business with it, has its own web site
Legal status:    Illegal (criminal damage)                     Legal gray area
Effect:          Control of PC, crash PC                       Information theft

Case Study: Marketscore (MKSC)
- Hit many US universities in Dec 2004
- Some banks in HK issued notification letters to customers in April 2005 about suspected installation of the software

What is installed? A user with administrator permission is prompted to click OK to install MKSC, which adds two root certificates:
- Root Cert 1: Marketscore Inc
- Root Cert 2: Netsetter

Threat 1: Web traffic proxied. All http/https traffic is routed through the Marketscore proxy server; the Windows TCP/IP network driver is replaced during installation. The redirected connections can be seen with:
C> netstat -a

Threat 2: SSL encryption broken. A fake server certificate signed by Marketscore verifies OK against the Marketscore public key in the installed Marketscore root certificate.

Man-in-the-middle attack
[Diagram: end user's web browser <-- encrypted with MKSC cert --> Marketscore proxy server (pseudo server | plain text log | pseudo client) <-- encrypted with real cert --> web server; the plain text is logged at Marketscore.com for "research".]
The user sees encrypted traffic using the Marketscore certificate. The Marketscore proxy server decrypts the client traffic using its own server SSL key, takes some statistics, and re-encrypts the traffic with the bank web server's SSL key to send to the bank web site. The proxy server requests an SSL session to the bank web site on the user's behalf and the bank builds that session using the bank's certificate.
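Because the whole attack on Threat 2 rests on the two extra root certificates MKSC installs, a practical defensive check is to audit the trusted root store against a known-good allowlist. The following is an added example, not code from the HKCERT slides; the allowlist entries and the sample certificate records are constructed placeholders.

```python
"""Audit the trusted root store for unexpected CAs.

Added example, not from the HKCERT slides. Marketscore installed two root
certificates ("Marketscore Inc" and "Netsetter") so its proxy could
re-sign bank certificates; this check flags any trusted root whose
organization is not on an administrator-maintained allowlist.
"""
import ssl

# Hypothetical allowlist of organizations expected as trusted roots;
# a real deployment derives it from a known-good baseline export.
EXPECTED_ROOT_ORGS = {
    "Example Public CA Ltd",     # constructed placeholder
    "Example Corp Internal CA",  # constructed placeholder
}


def subject_org(cert):
    """organizationName from a cert dict in the shape returned by
    ssl.SSLContext.get_ca_certs(): subject is a tuple of RDN tuples."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def unexpected_roots(ca_certs, expected_orgs=EXPECTED_ROOT_ORGS):
    """Return (organization, serialNumber) for each root that is not on
    the allowlist or is not self-signed (a genuine root signs itself)."""
    findings = []
    for cert in ca_certs:
        org = subject_org(cert)
        self_signed = cert.get("subject") == cert.get("issuer")
        if org not in expected_orgs or not self_signed:
            findings.append((org, cert.get("serialNumber")))
    return findings


def audit_local_store(expected_orgs=EXPECTED_ROOT_ORGS):
    """Report unexpected roots among the CAs this Python install trusts."""
    return unexpected_roots(ssl.create_default_context().get_ca_certs(),
                            expected_orgs)


if __name__ == "__main__":
    for org, serial in audit_local_store():
        print(f"unexpected trusted root: org={org!r} serial={serial}")
```

Run against a clean machine first and copy its organizations into the allowlist; on a machine with MKSC installed the two Marketscore roots then show up as findings.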

Defense Approaches: Technical
- Clean Your PC 1-2-3 (www.infosec.gov.hk): antivirus, firewall, patch your system
- Remember anti-spyware too! Anti-spyware is still green (immature) now.
- Minimum privilege: log in as a common user
- Secure remote access: use an IPSec VPN; use SSH (Linux & Windows) and tunnel the GUI through it; use certificates, which are stronger than passwords. Ref: http://www.engr.wisc.edu/computing/best/rdesktop-putty.html

Defense Approaches: Non-Technical
- Policy: a clear Acceptable Use Policy (AUP) can help
- Education about spyware: users know viruses and worms but not spyware. They think AV software can guard against spyware. Users have a tendency to download trialware without knowing what they have agreed to.

Information Security Myths of Schools
- Myth: Our school data has no value to hackers.
  Reality: Hackers prey on schools as a springboard for other attacks.
- Myth: Our school is neither famous nor infamous. Only a few people are likely to attack us.
  Reality: Hackers can find you easily. HKCERT frequently receives incident reports from schools.

Information Security Myths of Schools
- Myth: Our school students are not hackers.
  Reality: They might not intend to, but they can make mistakes. They can be a dangerous source of threat. So can your colleagues.
- Dilemma: Our school has no resources to secure the system.
  Reality: If you do not secure your network, the resulting incident causes you more hassle and hazard.

Conclusion
"Security on the Internet is a community effort." - CERT/CC 2000
FREE ALERTS by EMAIL & SMS; FREE HOTLINE 8105-6060
HKCERT hotline: 8105-6060
Email: hkcert@hkcert.org
URL: http://www.hkcert.org