2012-03 security outlook
TRANSCRIPT
Security Outlook 2012
S.C. Leung, CISSP, CISA, CBCP
Page 2
Who are we?
HKCERT
– Established in 2001. Operated by the HK Productivity Council
– Provides services to Internet users and SMEs (free of charge)
– Scope of services
  • Security monitoring and early warning
  • Incident report handling
  • Publication of guidelines
  • Public awareness
– www.hkcert.org
– Free subscription to alert information via email and mobile (we pay for the SMS charges)
Page 3
HKCERT
[Diagram: HKCERT's collaboration network – Local Enterprise & Internet Users; CERT Teams in Asia Pacific (APCERT); CERT Teams around the World (FIRST); Law Enforcement; Internet Infrastructure; Universities; Software Vendors; Security Research Centres]
Page 4
HKCERT Statistics – Incident Reports
[Bar chart: incident reports per year, 2001–2011, split into "Malware attack" and "Security attack"; y-axis 0–3500; individual bar values are not recoverable from the extracted text]
Source locality of reports (2010 vs 2011):
Local parties 360 (26.3%) 400 (34.3%)
Overseas parties 554 (40.6%) 405 (34.7%)
Proactive discovery 452 (33.1%) 360 (30.9%)
Page 5
HKCERT Statistics – Security Bulletins published
Number of published security bulletins per year, 2001–2011
[Bar chart: y-axis 0–400; individual bar values are not recoverable from the extracted text]
Page 6
New Motives of Cyber Attacks
Hacktivism: ideology
– Anonymous, LulzSec groups
State sponsored: political, military
– Civilian monitoring
  • Doubts on the R2D2 Trojan in Germany
– Attacks on state critical infrastructure or military
  • Stuxnet – 2010
  • USA drone malware – 2011
Cybercriminals: money
– Theft of information
– Extortion
– Control of machines for other purposes
Unfriendly parties: others
– Disgruntled employees
– Business competitors
Kiddies and early hackers: fame
Page 7
Hacktivism
Anonymous
– Exposed FBI & Scotland Yard 15-min conference call (Mar 2012)
– Defaced Greek Justice Ministry website
– Operation Payback (DDoS) vs VISA, MC, PayPal, who blocked $$ to Wikileaks (Jan 2011)
– FBI investigator Eric Storm (Mar 2012): "Anonymous members arrested but enterprises pay insufficient attention to this group"
LulzSec
– Steal and leak any classified government and high-profile institution data
– Targeted Sony, Sega, CIA, U.K.-based Serious Organized Crime Agency
– "Sabu", the leader, was arrested. Anonymous hacked the PandaLabs website in revenge for their "brothers"
Page 8
Anonymous – an analysis
The Anatomy of Anonymous Attack (by Imperva, 2012)
– Observed a proactive attack vs. a client through the client's web application firewall log. Imperva also analyzed the social media communication
"Anonymous" hacking group
– Two groups of volunteers
  • skilled hackers : laymen (1:10)
– Steal data first, and if that fails, attempt a DDoS attack
– Crowd-sourcing hacking model
  • Public recruitment, not private – use of SNS
  • Use inexpensive and off-the-shelf tools
  • No reliance on malware, no phishing or spear phishing
  • Seldom use botnets (avoid rental cost)
Page 9
Hacktivism campaign – a case study
D1-18: Recruitment & Communication
– Attract attention to a cause via Facebook, Twitter, YouTube …
– Declare dates and targets, and recruit protesters and hackers
D19-22: Reconnaissance & App Attack
– Skilled hackers hide behind TOR
– Scan the target for web vulnerabilities, then attack
  • SQL injection, XSS, directory traversal
– Scan for DDoS-relevant pages – use search words that overload the server, and change them to avoid use of the cache
D24-25: DDoS after failure to steal data
– LOIC
  • Low Orbit Ion Cannon
– Mobile LOIC
  • a webpage with JavaScript that loops rendering of an image from the target web server with some random attribute
Source: The Anatomy of Anonymous Attack (by Imperva, 2012)
Page 10
Anonymous
Operation Global Blackout
– Target: root DNS servers
– D-Day: 31-Mar-2012
– Root servers installed in Hong Kong
HKCERT working with HKIX and ISC
Ref: No, #Anonymous can't DDoS the root DNS servers
– http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.html
Page 11
Defense vs Hacktivist Attack
Patch web server and web applications
Scan web server for vulnerabilities
– Acunetix
  • checks for vulnerabilities such as SQL injection, cross-site scripting, remote file inclusion, etc.
– Nikto
  • tests for dangerous files/CGIs, outdated server software
Web application code review
Web application firewall
– Blocks web attacks
– Log analysis: attack count surge
Monitor social media for campaigns
– High-profile organizations can be a target
Page 12
DDoS Attack Surge
Cases
– 第一亞洲商人金銀業有限公司 (Feb-2012)
  • extortion
– HK Stock Exchange 披露易 (Aug-2011)
Worldwide Infrastructure Security Report 2011 (Arbor Networks)
– DDoS increases
– Main motive: ideology (hacktivism)
– Flooding attack: average bandwidth 10Gbps, largest 60Gbps
  • 74% of respondents: the target is the customers
– L7 (application layer) DDoS more common
  • HTTP > DNS > SMTP > HTTPS
– HTTP GET flood, HTTP POST flood
Page 13
Network attack trends
Hard to detect security attacks in mobile and fixed wireless networks
Firewall, IPS and load balancer are not a sufficient defense against DDoS attacks
Top 3 security concerns for the next 12 months
– DDoS towards your customers
– DDoS towards your infrastructure
– DDoS towards your service
Page 14
DDoS Attack Defense
Deploy application firewall to block L7 DDoS
– Drop traffic not conforming to the protocol standard
Prepare for bandwidth adequacy with ISP
Provision web service on cloud (bandwidth $$$)
Subscribe to web security managed service on cloud (web attack and small-volume DDoS attack)
Subscribe to DDoS scrubbing service (more costly)
Reference: "DDoS Attack and Defense" @ HKCERT seminar 2011-10-21
– https://www.hkcert.org/my_url/zh/event/11102101
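The log-analysis item on the hacktivist-defense slide ("attack count surge") and the HTTP GET/POST flood and cache-busting behaviour described on the campaign and DDoS slides (changing search words, Mobile LOIC's random image attribute) can both be checked from an ordinary web-server access log. The Python below is an added example written for this transcript, not HKCERT's, Imperva's or Arbor's tooling; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format; referer and user-agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("url").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def analyse(lines, window_s=10, surge_threshold=20, cache_bust_ratio=0.8):
    """Bucket requests into fixed windows and report every (method, path) whose
    count in one window reaches surge_threshold.  A reported pair is also marked
    cache_busting when almost every request carried a different query string,
    the trace left by floods that randomise a parameter to defeat the cache."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    if not records:
        return []
    t0 = min(r["ts"] for r in records)
    buckets = defaultdict(list)
    for r in records:
        win = int((r["ts"] - t0).total_seconds()) // window_s
        buckets[(win, r["method"], r["path"])].append(r)
    findings = []
    for (win, method, path), reqs in sorted(buckets.items()):
        n = len(reqs)
        if n < surge_threshold:
            continue
        distinct_q = len({r["query"] for r in reqs})
        findings.append({
            "window": win,
            "method": method,
            "path": path,
            "requests": n,
            "sources": len({r["ip"] for r in reqs}),
            "distinct_queries": distinct_q,
            "cache_busting": distinct_q / n >= cache_bust_ratio,
        })
    return findings


def build_sample():
    """Constructed log: a little normal traffic, a GET flood with a different
    query string on every request, and a POST flood against a login page."""
    base = datetime(2012, 3, 31, 10, 0, 0, tzinfo=timezone(timedelta(hours=8)))

    def line(ip, sec, method, url):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {url} HTTP/1.1" 200 512'

    lines = [line(f"198.51.100.{i}", i, "GET", p)
             for i, p in enumerate(["/", "/news", "/about", "/contact", "/news"])]
    lines += [line(f"203.0.113.{i % 5 + 1}", i % 10, "GET", f"/search?q=w{i}")
              for i in range(25)]
    lines += [line(f"203.0.113.{i % 3 + 10}", i % 10, "POST", "/login")
              for i in range(22)]
    return lines


SAMPLE_LOG = build_sample()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the GET flood against /search is reported with 25 distinct query strings out of 25 requests (cache-busting), while the POST flood against /login is reported as a surge with a single, repeated request shape; the five lines of normal traffic produce nothing. In production the thresholds should be set from a baseline of the site's own traffic, and the same bucketing can be keyed by source IP to feed WAF or rate-limit rules.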
Page 15
IPv6 Network Attacks
Source: Worldwide Infrastructure Security Report 2011 (Arbor Networks)
Page 16
IPv6 Security Awareness
World IPv6 Launch, June 6, 2012
– Google, Facebook, Yahoo!, Akamai, Cisco … will turn on IPv6 permanently
– As IPv6 deployments increase, attacks will increase
Preparedness
– Is your staff equipped with IPv6 knowledge?
– Does your purchasing policy mandate IPv6 as a prerequisite for new purchases?
– Is your current infrastructure upgradable to IPv6?
Network visibility
– Can your network / security devices inspect IPv6 traffic?
  • How about deep packet inspection?
– Can the firewall / router enable / block IPv6 traffic?
– Can your log management handle IPv6 traffic?
Network manageability
– Is your IPv4 traffic managed, but the IPv6 traffic always passed through, or tunneled through?
– Ref: http://blog.fortinet.com/security-challenges-emerge-with-ipv6-launch/
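The visibility and manageability questions above (is IPv6 inspected, or is it tunneled straight past an IPv4-only policy?) can be answered from flow records. The Python below is an added example for this transcript, not code from HKCERT or Fortinet; the flow records and the managed prefix list are constructed. It recognises the usual ways IPv6 slips past IPv4-only policy: protocol-41 encapsulation (6in4, 6to4, ISATAP), Teredo over UDP port 3544, and native IPv6 that uses 6to4 (2002::/16) or Teredo (2001::/32) addresses, and it separately flags native IPv6 that falls outside every prefix the firewall policy covers.

```python
import ipaddress
from collections import Counter

IPPROTO_IPV6 = 41        # IPv6 carried directly inside IPv4 (6in4, 6to4, ISATAP)
IPPROTO_UDP = 17
TEREDO_UDP_PORT = 3544   # Teredo carries IPv6 inside UDP/IPv4
SIXTO4_PREFIX = ipaddress.ip_network("2002::/16")  # 6to4-derived IPv6 addresses
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo-derived IPv6 addresses


def classify_flow(flow, managed_prefixes):
    """Return (category, reason) for one flow record.
    ipv4      - native IPv4, covered by the existing policy
    tunnel    - IPv6 smuggled inside IPv4, or a tunnel-derived IPv6 address
    managed   - native IPv6 inside a prefix the firewall policy covers
    unmanaged - native IPv6 that no policy prefix covers at all"""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src.version == 4:
        if flow["proto"] == IPPROTO_IPV6:
            return "tunnel", "IPv6-in-IPv4 (IP protocol 41)"
        if flow["proto"] == IPPROTO_UDP and TEREDO_UDP_PORT in (flow.get("sport"), flow.get("dport")):
            return "tunnel", "Teredo (UDP port 3544)"
        return "ipv4", "native IPv4"
    for addr in (src, dst):
        if addr in SIXTO4_PREFIX:
            return "tunnel", f"6to4 address {addr}"
        if addr in TEREDO_PREFIX:
            return "tunnel", f"Teredo address {addr}"
    if any(src in p or dst in p for p in managed_prefixes):
        return "managed", "native IPv6 within a managed prefix"
    return "unmanaged", "native IPv6 outside every managed prefix"


def summarise(flows, managed_prefixes):
    """Count flows per category and collect the tunnel/unmanaged ones for review."""
    nets = [ipaddress.ip_network(p) for p in managed_prefixes]
    counts = Counter()
    review = []
    for flow in flows:
        category, reason = classify_flow(flow, nets)
        counts[category] += 1
        if category in ("tunnel", "unmanaged"):
            review.append((flow["src"], flow["dst"], reason))
    return counts, review


# Constructed: the IPv6 prefix the firewall policy actually knows about.
MANAGED_PREFIXES = ["2001:db8:1::/48"]

# Constructed flow records (src, dst, IP protocol, ports) in documentation ranges.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.1", "proto": 6, "sport": 50000, "dport": 443},
    {"src": "192.0.2.11", "dst": "192.88.99.1", "proto": IPPROTO_IPV6},
    {"src": "192.0.2.12", "dst": "203.0.113.7", "proto": IPPROTO_UDP, "sport": 54321, "dport": 3544},
    {"src": "2001:db8:1::10", "dst": "2001:db8:2::1", "proto": 6, "sport": 50001, "dport": 80},
    {"src": "2001:db8:1::11", "dst": "2002:c000:204::1", "proto": 6, "sport": 50002, "dport": 80},
    {"src": "fd12:3456:789a::5", "dst": "2001:db8:2::1", "proto": 6, "sport": 50003, "dport": 443},
    {"src": "2001:0:53aa:64c:0:fefe:b0e6:d9bc", "dst": "2001:db8:2::1", "proto": 6, "sport": 50004, "dport": 443},
]

if __name__ == "__main__":
    counts, review = summarise(SAMPLE_FLOWS, MANAGED_PREFIXES)
    print(dict(counts))
    for item in review:
        print(*item)
```

Four of the seven constructed flows come out as tunnels and one as unmanaged native IPv6 (a ULA source the policy never mentions); only the flow inside 2001:db8:1::/48 is "managed". Run against real NetFlow/IPFIX export, anything in the review list is traffic the IPv4 rule set is not seeing.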
Page 17
Targeted Attacks
Global Risks Report 2012 (World Economic Forum)
– High-impact attacks, likelihood:
  • cyber attacks (3.8)
  • massive incident of data fraud/theft (3.4)
  • critical system failure (2.9)
Businesses are increasingly worried about targeted attacks which aim to sabotage or steal data from their systems.
Targeted Attack and APT
Page 18
Targeted Attack on SCADA
Supervisory Control and Data Acquisition (SCADA) Systems
Stuxnet targeted nuclear plants in Iran (2010)
– Refer to the talk on "Targeted Attacks and Trend of Security Threats"
  • https://www.hkcert.org/my_url/en/event/11031801
Duqu in 2011 – variant of Stuxnet
– Refer to "Duqu Q&A"
  • http://www.f-secure.com/weblog/archives/00002264.html
Some attack cases in 2011 Q4
  • Disabled the automated response system of St. John ambulance communication centres (New Zealand, Nov 2011)
  • Attacker Pr0f released screenshots showing a UI used to monitor and control equipment at the Water and Sewer Department (Texas, USA, Nov 2011)
  • Malware forced a hospital system to declare "total diversion" status and shut its doors (Georgia, USA, Dec 2011)
Page 19
Targeted Attack on Critical Infrastructure of Trust
Stolen digital certificates used by the Stuxnet (Jan 2011) and Duqu (Oct 2011) Trojans
RSA SecurID hacked (Mar 2011)
– Caused a global replacement of tokens over years
Certificate Authority attacks
– Comodo (Mar 2011), DigiNotar (Aug 2011), DigiCert Malaysia (Nov 2011)
– More Dutch CAs: Getronics KPN CA (Nov 2011), Gemnet (Dec 2011)
Consequence
– Root certificates of these CAs are distrusted or removed from browsers/OS
– Some went out of business after the attack
– Attacks go down to the root of trust of the Internet
Page 20
What happened to gov.nl?
DigiNotar root certificate no longer trusted; the digital certificates it issued are no longer trusted
– DigiNotar provided certificate services to the Netherlands government (gov.nl) at that time!
– What happened to gov.nl?
BTW, gov.nl is now redirected to community.e-overheidvoorburgers.nl.
Try government.nl now
Page 21
Advanced Persistent Threats (APT)
Advanced – skilled, well-funded
Persistent – targeted, repeated
– Different techniques targeting the same organization (critical infrastructure, government)
Typical advanced attack goes unnoticed for more than a year
– only 6% of victim organizations discovered the attacks on their own. Most found out from external sources, e.g. law enforcement
Malware only tells half of the story
– Uses malware to gain an initial foothold within an organization, then shifts to using legitimate credentials to move laterally
Persistence mechanisms
– traditional reverse backdoors for remote access: their routine outgoing traffic is detectable
– new backdoor mechanisms: passive backdoors such as miniport drivers & web shells are harder to detect
Financially motivated attackers are increasingly persistent
Ref: Mandiant Annual Threat Report on Advanced Targeted Attacks
– http://www.mandiant.com/news_events/article/mandiant_releases_annual_threat_report_on_advanced_targeted_attacks
Page 22
Malware
Hong Kong status
– 3rd in hosting of malware, after Korea and China (McAfee Threat Report 2011 Q4)
Botnet
– Global botnet takedowns in 2011
  • Rustock, Coreflood, DNS Changer and Kelihos
– DNS Changer botnet
  • Taken down in Nov 2011. Court order allowed temporary DNS servers up till Mar 8
  • HKCERT informed ISPs of over 3000 victim machines
  • Detection
    – DNS Changer Working Group Eyechart: http://dns-ok.us
  • Note: court order extended to July 9
Page 23
Financial Trojans
Outlook: PC bot + mobile bot integration will continue
ZitMo (Sep-2010) and SpyEye (Apr-2011) go mobile
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile infection:
  • Infected PC visits bank website
  • Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and the IMEI # (and phone model)
  • Hacker sends a new "digital certificate" to the phone
  • User installs the Zeus mobile component
– Sniffs the SMS messages when woken up by a special SMS
  • Steals one-time passwords (OTP) sent via SMS
Cridex Trojan targets 137 financial organizations in one go
– takes control of the victim's machine and allows it to collect information and potentially make fraudulent transactions by manipulating the bank web pages
– has a "WORLD BANKER CENTER" plug-in which includes a database of 137 banks
Page 24
Multi-stage infection (drive-by download)
[Diagram: Browser → web request → Web server (injected) → serves exploit page → redirected to exploit server → Exploit server → redirected to malware server → Malware hosting → download malware]
Exploits are imported from other web servers via iframes and redirects
When compromised, the dropper downloads and installs the actual bot malware
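One way to catch the first stage of the chain above on your own site, the injection into the legitimate web server, is to scan the HTML you actually serve for the artefacts it leaves: hidden or third-party iframes, scripts pulled from hosts you do not use, and meta-refresh redirects off-site. The Python below is an added example for this transcript, not HKCERT's code; the page markup and the hostnames shop.example, cdn.example and malicious.example are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flags markup typical of a drive-by injection: hidden or third-party
    iframes, scripts loaded from hosts outside an allow-list, and meta-refresh
    redirects to another site."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {self.site_host, *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def _host(self, url):
        # A relative URL has no host and therefore belongs to the site itself.
        host = urlparse(url).hostname
        return host.lower() if host else self.site_host

    def _external(self, url):
        return self._host(url) not in self.allowed

    def _report(self, kind, url):
        self.findings.append({"kind": kind, "host": self._host(url), "url": url})

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "iframe":
            src = a.get("src", "")
            style = "".join(a.get("style", "").lower().split())
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self._report("hidden_iframe", src)
            elif self._external(src):
                self._report("external_iframe", src)
        elif tag == "script":
            src = a.get("src", "")
            if src and self._external(src):
                self._report("external_script", src)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            idx = content.lower().find("url=")
            if idx >= 0:
                target = content[idx + 4:].strip().strip("'\"")
                if self._external(target):
                    self._report("meta_refresh", target)


def scan(html, site_host, allowed_hosts=()):
    """Scan one served page; returns a list of finding dicts (empty when clean)."""
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: a legitimate iframe and CDN script plus three injected tags.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="https://cdn.example/jquery.js"></script>
<meta http-equiv="refresh" content="0;url=http://malicious.example/go">
</head><body>
<h1>Welcome</h1>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0" style="display: none"></iframe>
<script src="http://malicious.example/stat.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML, "shop.example", ["cdn.example"]):
        print(finding)
```

Against the constructed page the scanner reports the meta refresh, the zero-size iframe and the third-party script, and stays silent on the site's own FAQ iframe and the allow-listed CDN. Run it from a monitoring host that fetches the live pages, so that it sees what visitors see rather than what sits in the deployment repository; a diff between the two is exactly the injected content.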
Page 25
HKCERT Guidelines
Malware Defense Guideline (new)
– https://www.hkcert.org/my_url/en/guideline/12022902
Document Malware Defense Guideline (new)
– https://www.hkcert.org/my_url/en/guideline/12022801
SQL Injection Defense Guideline
– https://www.hkcert.org/my_url/en/guideline/08081101
Page 26
Mobile Malware
Mobile malware overtaking PC malware (McAfee Threat Report Q3, Q4 2011)
Android malware risk factor going high
– Unregulated Android Market
– Rooting app available – install and click a button
– Attackers repackaging those same root exploits with malware
Massive infection: 5M machines (Jan 2012)
– "Android.Counterclank" Trojan packed in 13 Android apps
  • Collects information including bookmarks, handset model
  • Modifies the browser's home page, pushes unwanted ads
Android malware
– Mostly for-profit SMS-sending Trojans
– Collect personal data for phishing or ID theft
– Used in hacktivism in Tunisia
[Figure: mobile malware samples]
Page 27
Mobile Malware
Android Malware Vulnerability Database (PolyU research)
– http://www4.comp.polyu.edu.hk/~appsec/
Mobile malware analysis website
– http://mobile-sandbox.com
Page 28
Android Market security enhancement
Bouncer: new security system for the Android Market
  • Released in Q4 2011 to make sure there are no malware apps in the Market
– Analyzes new applications, applications already in the Android Market, and developer accounts
– Analyzes uploaded apps for known malware, spyware and trojans
– Looks for suspicious behaviours
Need to see its effectiveness in the coming year
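The mobile-malware slides describe for-profit SMS-sending Trojans, Counterclank's collection of bookmarks and handset data, ZitMo's sniffing of SMS one-time passwords, and Bouncer's look at uploaded apps for suspicious behaviour. A first, static version of such a check reads the app's manifest. The Python below is an added example for this transcript, not Google's Bouncer or an HKCERT tool: it parses an AndroidManifest.xml, applies a few permission-combination rules (the rule names and the combinations are this example's own heuristics), and flags broadcast receivers registered for incoming SMS at elevated priority, the way an app gets to read a message before the default SMS application. Both manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Heuristic rules (this example's own): a rule fires when the manifest requests
# every permission in the set.  Real triage would weigh them against the app's
# stated purpose; a messaging app legitimately needs SMS permissions.
COMBO_RULES = {
    "premium_sms_trojan": {"android.permission.SEND_SMS",
                           "android.permission.RECEIVE_SMS"},
    "otp_sms_sniffer": {"android.permission.RECEIVE_SMS",
                        "android.permission.INTERNET"},
    "info_harvester": {"android.permission.READ_PHONE_STATE",
                       "android.permission.INTERNET",
                       "com.android.browser.permission.READ_HISTORY_BOOKMARKS"},
}


def analyse_manifest(xml_text):
    """Return package name, requested permissions and the heuristic findings."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    findings = [rule for rule, needed in COMBO_RULES.items() if needed <= perms]
    # A receiver for SMS_RECEIVED with a positive priority is delivered the
    # broadcast ahead of lower-priority receivers, including the stock SMS app.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(PRIORITY, "0"))
                findings.append("sms_receiver_high_priority" if priority > 0
                                else "sms_receiver")
    return {"package": root.get("package"),
            "permissions": sorted(perms),
            "findings": findings}


# Constructed manifest of a fake "bank token" app that asks for SMS send and
# receive plus device identity, and hooks incoming SMS at high priority.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebanktoken">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Bank Token">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary network-using app.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="News"/>
</manifest>
"""

if __name__ == "__main__":
    print(analyse_manifest(SUSPICIOUS_MANIFEST))
    print(analyse_manifest(BENIGN_MANIFEST))
```

The suspicious manifest trips the premium-SMS and OTP-sniffer rules and the high-priority SMS receiver check; the news reader trips nothing. Manifest analysis is only the static half of what a Market-side scanner needs, since a repackaged app can request innocuous permissions and load its payload later, which is why the slide's "suspicious behaviours" also have to be observed at run time.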
Page 29
Cloud Computing Security
Crime in the cloud
– Password cracking
– Hosting phishing sites, malware
– Botnets in the cloud, launching DDoS
Attackers will exploit cloud vulnerabilities
– Vulnerability in Amazon Web Services allowed hackers to take control of the systems
– Vulnerability in Dropbox security allowed Dropbox user data to be accessible to all users
Outlook
– More use of cloud by everyone
– Federated identity management for cloud services emerges
– Problem in reporting security incidents to local CSPs
– Pressure on cloud service providers for better security
  • Establish CSP CERT for incident handling
  • Provide forensics tools and assistance to law enforcement
Page 30
Social Network Security
We have a presentation from PISA today and I am not going to cover much
SNS has become part of our life. Privacy is a key concern.
– UK consumer survey revealed many are far more careful with their social network login credentials than with passwords that grant access to corporate systems.
  • 34% of 2,000 people admitted sharing their work passwords
  • 80% of the same group were unwilling to reveal their Facebook login details
Most recent concern areas in SNS
– Google Privacy Policy
– Facebook Timeline and Social Path
Page 31
Trendy Technologies
DNSSEC – Domain Name System Security Extensions
– ".hk" DNSSEC deployment at the end of 2012
– A change of infrastructure like IPv6
HTML5
– Next generation web technology standard (more on 2014)
– Provides multimedia, desktop experience, geo-location, local cache support, performance and security
– But also has security issues, e.g. websockets scan, privacy
NFC (Near Field Communication)
– Non-contact, near-distance wireless communication technology for transactions
– Visa approves smartphones for NFC payments (Jan 2012)
– Google Wallet NFC exploited (Jan 2012)
– PayPal abandoned NFC after trial and adopts its own technology (Feb 2012)
– Issues: financial liability in case of device theft, security
Q & A
Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]