Internet Security Threat Trends S.C. Leung ( 梁兆昌 ) Senior Consultant CISSP CISA CBCP 香港電腦保安事故協調中心

HKCERT 簡介 服務  電腦保安警報監測及預警  保安事故報告及應變  出版資訊保安指引和資訊  提高資訊保安意識 Computer ( 計算機 ) Emergency( 緊急 ) Response( 回應 ) Team( 小組 ) 2001 年由香港特別行政區政府成立，香港生產力促進局運作

Collaboration 對外協調合作 Local Enterprise & Internet Users 本地企業及互聯網用戶 CERT APCERT FIRST CERT Teams in Asia Pacific 亞太區其他協調中心 CERT Teams around the World 全球其他協調中心 Law Enforcement 執法機關 ISP 互聯網供應商 Universities 大學 Software Vendor 軟件供應商 Virus & Security Research Centre 電腦病毒及保安研究中心

HKCERT observation  Traditional attacks - Untargeted (Virus/worm) attack symptoms:  rise of incident reports to security SPs, CERT, police  rise in distributed security probe statistics  Honeypot collected samples  Attackers Kiddies/Hobbyist --> Criminals --> Spies  Targeted attacks Several s to some organizations PPT, Word & Excel impersonate your friend / colleagues using your local language

Attraction of “Bots” to hackers  Bot: compromised & hacker controlled machines Bots more welcomed  Worms too widespread, too noticeable --> owners soon patch the security hole and remove the malware  Motive of attackers turn to $$$ Keep bots under control Keep bots un-noticed Business  Stealing addresses, password to on-line bank, eBay+Paypal, stock brokers  Targeted attack: industrial espionage

Botnet: Network of Bots  FBI “Operation Bot Roast” Identified 1M+ bots (Jun 2007) Arrested 3 persons:  Robert Soloway: the spam king  oway31.html  James Brewer: operating a botnet of over 10,000 PCs, infecting PCs in Chicago hospitals, whose services were significantly delay  Jason Downey: linked with DDoS attack by the Agobot worm

Malware Complexity  It can be simple Just a postcard , with simple social engineering technique to hide itself --> can use unpacker to get the binary  ?storyid= ?storyid=2022  It can be complex Have to use decryption, debugger and reverse engineering to analyse  oryid= oryid=2223 Storm worm, or Trojan.Peacomm (Jan-2007)

Sophistication of Malware  Use Virus/Worm to infect many machines  Once infects a machine, installs a Downloader.  Downloader then download from dynamic web site the malware component(s) Bot0 or Bot AutoUpdater  The Bot0 generate and install the bot  The Bot install itself on the machine and report duty to the controller which disseminate hacker’s commands  If bot is removed, Bot0 activates and generate another copy of bot  AutoUpdater keeps Bot0 and Bot updated Virus /Worm Downloader Bot Bot0  (optional) terminator & signature  (optional) rootkit

Watch your web server  Italian legitimate web servers hacked  The sites were installed the Hacker Kit: MPack Author has $$$ motivation Professionally written, with management console to be hosted on web servers with PHP and database support come with collection of exploit modules for different platform and browsers

Watch your web server  Steps Attacking Web server attacking: hack into popular web server add iframe snippets to web page of compromised web servers spam out s with IFRAME code  Steps Attacking a User user browse compromise web server user's browser execute IFRAME code, causing it redirected to Mpack server At Mpack server,  analyse HTTP header  according to platform and browser, serve many exploits designed for user  Mpack has a management console Mpack Management console

Watch your web server  Should you use your web server to browse and install software there?  Firewall block unnecessary incoming traffics block outgoing traffic except for troubleshooting  Patching, Patching, Patching  Vulnerability scanning (for techcies) Nessus Nikto for techcies 

Rock Phishing using domain names Phishers use ways to save space and time  One single site with multiple DNS names now holds a multitude of Phishing pages, covering a broad range of different banks.”  xxx.53  xxx.53  xxx.53 likely responsible for 50%+ of current phishing attacks  Malware Review Dec

Phishers' business continuity  Malware reborn after clean up  Use Rock Phishing  Use domain name, not IP addresses  Use Dynamic DNS to create so many URLs ].domain.com/usbank/ ].domain.com/paypal/ We must involve domain registrar and ISPs  Resist Detection Time-zone dependent behaviour Blocking investigators evidence collection

Data Leakage Risks Intruder get access to database  TJX: the retailer, which operates T.J. Maxx, Marshalls, etc., had the system accessed by intruder for over 1 year before discovery. 47M customer personal information exposed, unknown transactions made.  UCLA: the personal information of 800,000 current and former students, staff, parents and applicants, including SSN, birth dates, addresses and contact information. Backup Tape loss  Johns Hopkins U. 2006: containing sensitive personal data of employees  Bank of America 2005: containing personal information (SSN, account information) of 1.2M federal employees, including U.S. senators.

Data Leakage Risks Laptop loss/theft  Boeing 2006: names, salary information, SSN, addresses, phone numbers and birth dates of 382,000 current/former employees exposed  U.S. Department of Veterans Affairs 2006: Data from 26.5M veterans and 2.1M service members exposed. On-line Data Leakage  IPCC 2006: a subcontractor exposed the personal data of police complaint cases related information by putting them on-line  Texas Guaranteed Student Loan Corp. 2006: a subcontractor lost equipment containing the names and SSN of 1.7M borrowers.  A local recruitment agency leaks personal data on the Internet

Data Leakage Risks  Abuse in data collection FBI audit finds widespread abuse in data collection  telephone companies and Internet providers gave agents phone and records the agents did not request and were not authorized to collect Google aims to net teenagers 'for life’  Provide network to schools  Privacy International: Google collect info about people tastes, interests and beliefs that could be used by advertiser.  Google: we do not reveal content nor personal details

Data Leakage Risks  Use of Proxy Servers (operated by whom?)  Web access control  Performance Enhancement  Anonymity  Access game servers in Korea which allows local access only  Bypass censorship control

Security Management  Security Policy  Security Risk Assessment  What are our critical data and systems?  What are the risks of them?  What measures are required to protect the data assets?  Security Management Practice  Procedure, Guideline  Standard Compliance and Certification  Awareness  Security personnel  Training  Certification Assessment Security Management Certification Professional Certification

Security Management  Four steps of Security Management printed by OGCIO

Prevention  Prevention: Install protection tool of malware  Antivirus and Antispyware  keeping program & signature up to date Install Firewall System Hardening  Patching your system  Linux: run Bastille, SELinux  Windows: use Vista security

Some free security software Antivirus software  AVG Free Edition Antispyware software  Microsoft Defender Beta 2 (or Win2000-SP4 or above) afa4-f7f14e605a0d&displaylang=en afa4-f7f14e605a0d&displaylang=en  Ad-aware SE Personal (or Win98 or above) Personal Firewall  Windows XP built-in firewall (FAQ)  ZoneAlarm (for Win98 or above) p?dc=12bms&ctry=AU&lang=en p?dc=12bms&ctry=AU&lang=en Data Encryption  TrueCrypt Note: Free security software may have limited features, compared with commercial software. Furthermore, there may be restriction on personal and non-commercial use.

Working with the browser  Use browsers with added anti-phishing features IE 7.0, Firefox  Use as few browser add-ons as possible  SSL Use SSL 3.0 and TLS 1.0, not SSL 2.0 Check SSL certificate of on-line transaction web sites Do not save passwords on browser

Browsers protection  Browser addon may be a source of attack Browser addon introduce vulnerability GreaseMonkey – Firefox addon  User scripts loaded on to the browser  Some scripts bypass security  Allow password remembering  Autologin  Basically user has no knowledge what the develop put into the code

Browser History

Detection  SysInternals net/sysinternals/securityutilities.mspx net/sysinternals/securityutilities.mspx AutoRun Process Explorer PsTools suite  includes command-line utilities for listing the processes running on local or remote computers, running processes remotely, rebooting computers, dumping event logs, and more. Rootkit Revealer  PeiD Detect Packers, Cryptors and compilers of PE files

Recovery  Backup your data periodically so that you have a way to restore it  Test the backup periodically  For more critical systems, you may need to have redundant server or backup site.

Adopt Good Practices  Use only user account in daily operation  Do not share user accounts (even at home)  Use good password  Do not use public kiosk for sensitive surfing  Read User License Agreement before installing software  Educate children and colleagues

Conclusion  We have seen hackers developing better tools and skills. They are more professional and are becoming organized crimes.  When we looked into the mirror, we have a lot to improve in security protection.  Data protection is another area of problems.  We need to seriously improve our security by management and technology. THANK YOU