Can we survive
the Next Information Security Attacks
S. C. Leung
CISSP CISA CBCP
IEE Technical Conference on IT Security and Cyber Crime 2005
Disclaimer
• This material is NOT intended to be adopted in the course of
attacking any computing system, nor does it encourage such
an act.
• PISA takes no liability for any act of the user or damage
caused in making use of this report.
• The points made here are deliberately kept concise for the
purpose of presentation. If you require technical details
please refer to other technical references.
Can We Survive the Next Security Attack?
Copyright
• The copyright of this material belongs to the Professional
Information Security Association (PISA).
• A third party could use this material for non-commercial
purpose, given that no change in the meaning or
interpretation of the content was made and reference is
made to PISA. All rights are reserved by PISA.
Agenda
• The Nature of In-Security
• Vulnerabilities & Threats
• Development of Security Vulnerabilities
• Development of Security Attacks
• What can we do?
The Nature of Insecurity of the
Ubiquitous Information Society
• Internet = untrusted, unregulated (or distributively regulated)
• Virtual World
– No physical attribute for TRUST building
– Anonymity is much easier
• Easy to collect information & resources for doing a
constructive job (or an attack)
• Any device is becoming a network service node
Trust - a barrier to online shopping
[Bar chart: Reasons for not buying over the Internet in EU countries (individuals with Internet access), 2003. Categories: Not interested in buying anything on the Internet; Do not trust the Internet; Buying over the Internet is too complicated; Don't have credit cards; Using Internet is too expensive; Don't understand the language well enough; Other reasons; Don't know. The tallest bar is labelled 25%.]
Source: European Commission, Special Eurobarometer survey on European Union public opinion on issues relating to business to consumer e-commerce, March 2004.
Security Vulnerability and Threats
RISK = Vulnerability x Threat
• Vulnerabilities (漏洞)
– Weak policy / enforcement
– Weak infrastructure
– Security holes of software
– Human Vulnerabilities
• Threats (威胁)
– Hackers 骇客 / 黑客
– Script Kiddies 腳本程式小子
– Virus & Worm 病毒和蠕虫
– Cyber-criminals
– Cyber-terrorists
Profile of Security Vulnerabilities
Security Vulnerabilities Trend (number of vulnerabilities reported per year; bar chart rebuilt as a table)
1995: 171
1996: 345
1997: 311
1998: 262
1999: 417
2000: 1090
2001: 2437
2002: 4229
2003: 3784
2004: 3780
2005 Q2: 2874
Source : CERT/CC, USA
Weak Infrastructure
• DNS - the Achilles’ heel
– Security researcher Dan Kaminsky: in a scan of 2.5M Domain
Name System machines, 9.2% were potentially vulnerable to
DNS cache poisoning
• http://news.com.com/DNS+servers-an+Internet+Achilles+heel/2100-7349_3-5816061.html?tag=alert
• Mobile Devices
– Mobile devices have networking function; connected directly to
PC or internal network
– Devices have no security by default
• Web Services
– Application of tomorrow, using HTTP (TCP port 80) only, so it
can bypass all packet-filtering firewalls.
Weak Policy or Enforcement
• CardSystems server hacked → 40M credit card numbers lost (June 2005)
– MasterCard, VISA, AE and more … outsourced their operation
– Risk escalated because CardSystems stored more customer data than it
should on the server!
• CS had failed to comply with the card issuer security standard
• But CS passed the audit in June 2004!
• Citigroup lost credit records of 3.9M customers (June 2005)
– United Parcel Service lost a box of backup tapes. Citigroup said they
encrypt the data from that point onwards.
• Many other examples available at the “Hall of the Shame”
• http://www.baselinemag.com/article2/0,1397,1834526,00.asp?kc=BARSS02129TX1K0000533
Human Vulnerability
• Insecure passwords
• Giving too powerful a tool to kids who cannot handle it safely
• Giving out trust on some occasions
– After hurricane Katrina, Internet frauds followed quickly …
Vulnerability Exploitation is Becoming Easier and Easier
Vulnerability no more obscure
• Google Hack
– Use Google for effective search, and how to query vulnerable sites or
servers using Google’s advanced syntaxes
– Ref: “Demystifying Google Hacks” written by Debasis Mohanty;
http://johnny.ihackstuff.com
– Santy.A (Dec-2004) targeted a phpBB vulnerability. It used Google to
locate a typical phpBB file “viewtopic.php” → 8M sites found!
– W32.MyDoom.O worm (Aug 2004) searched for “@<domain_names>” to
harvest valid email addresses
Other examples of Google Hack
• Privacy Exposure via Web Cam
0-day Attack is nearer
Time between vulnerability disclosure & worm attack (number of days; bar chart rebuilt as a table)
2001 (Nimda): 337
2003 Q1 (SQL Slammer): 185
2003 Q3 (Blaster): 28
2004 (Sasser): 18
Rapid Exploit Development
• Metasploit Framework
– a MODULAR platform for developing and applying exploits more efficiently. It is a
neutral platform, used by penetration testers and security researchers.
– Concept: Recycling of Code
– Payload = independent of the vulnerability; dependent on the platform and service
– Exploit = varies with the vulnerability
• Underground exploit frameworks designed for bad guys can be more
harmful
Rapid Exploit Development
Today’s Set Menu (Choose only 1 from each) – Metasploit Framework
1. Soup of the Day (Payload)
• Windows Bind DLL Inject
• Windows Add User
• Mac OS X PPC Bind Shell
• Solaris SPARC Reverse Shell
2. Main Course (Exploit)
• Microsoft RPC DCOM MS03-026
• IIS 5.0 Printer Buffer Overflow
• CA BrightStor Universal Agent Overflow
3. Dessert (Propagation → worm)
• Scan random IP
• File share
• Mass mailing
Profile of Security Attacks
What is the next big thing?
• 2000: Mass Mailing Worm
• 2001: Hacking Worm (IIS)
• 2002: Wireless LAN In-security
• 2003: Hacking Worm (RPC), Spam
• 2004: Phishing, Browser security holes
• 2005: Spyware
• 2006: ??
APCERT: Change of incidents
• Previous: Large scale, widespread attack; highly visible
Now: Pin point incidents using powerful tools; low profile
• Previous: Script kiddies, maniacs
Now: Professional, criminals
• Motivation
– Previous: For fun / fame / recognition
– Now: For theft of ID, personal information, $$$
• Format
– Previous: Worm, DOS, Defacement
– Now: Phishing, Spyware, Trojan
Ref: APCERT presentation on OECD-APEC Joint Workshop, APELTEL32 meeting
5-Sep-2005, Seoul, South Korea
A Cool Hello from Hacker
• New hackers might not inform you that you have been compromised
“Incident Report” by Hackers …
• Zone-H.org
– http://www.zone-h.org/en/defacements/filter/filter_domain=.hk/
Change of Motivation leads to …
… Change of Attack Strategies
• Maintain longer influence on a machine
– Stay quiet after compromise
– Disable AV software, personal firewall and anti-spyware
– Hiding techniques: rootkit
– Worms: release more variants, each existing for a shorter period
of time
• Stay in control by the commander
– Install Remote Access Trojan (backdoor) after compromise
– Phone home: use IRC to communicate with the master server to
get commands and upload stolen information
Some recent statistics …
• Earthlink, the Atlanta-based ISP (April 2004)
– In 1.6M computers studied, 370,000 (37%) found to have
Trojan horses and system monitors installed.
• Gartner Group (June 2004)
– online bank accounts had been looted of US$2.4 Bn in the
previous 12 months. Around 1.98M adults had suffered
losses.
– Much of the problem was traced to “Phishing” malicious programs that surreptitiously collect passwords
and other confidential data.
• Privacy, Identity Theft are becoming great concerns.
– Note the cover story of Newsweek 4-Sep-2005 issue.
Spyware threat is rising
• What is Spyware?
– a category of malicious programs that are installed on the computer
without sufficient notice to users or obtaining their consent, with a
threat of information leakage
• Many users are not aware they are infected
– National Cyber Security Alliance Survey 2004
• 80% of home PCs in US infected with Adware and Spyware
• 88% of infected users were not aware
Reference:
http://www.staysafeonline.info/news/NCSA-AOLIn-HomeStudyRelease.pdf
• There was difficulty in defining spyware and the
appropriate law to regulate it.
– OECD-APEC Joint Workshop, APECTEL32 Meeting Seoul, Sep-5
2005.
Case Study
Marketscore (MKSC) software
– MKSC hit many US Universities in Dec-2004
– Some banks in HK issued notification letters to customers
in 2005, warning of suspected installation of the
software
• MKSC packaged as
– an Internet accelerator using a proxy server
– a mail filter for viruses
• In exchange for
– user personal information on web browsing activities
What is installed?
[Screenshot: the user had admin rights and was prompted to click OK to
install MKSC. Two root certificates are added to the certificate store:
Root Cert 1: Marketscore Inc; Root Cert 2: Netsetter.]
Threat 1 : Web traffic proxied
• All traffic is routed through the Marketscore proxy server
Threat 2 : SSL encryption broken
• A fake server certificate signed by Marketscore verifies OK
against the Marketscore public key in its root certificate
Man-in-the-middle attack
[Diagram: web browser (End User) ⇄ Marketscore proxy server ⇄ web server.
Browser-to-proxy leg: encrypted under the MKSC certificate; the proxy acts
as a pseudo server, decrypts to plain text and logs it to Marketscore.com
Research. Proxy-to-server leg: the proxy acts as a pseudo client, encrypted
under the real certificate.]
– User sees encrypted traffic using the Marketscore certificate.
– The Marketscore proxy server decrypted client traffic using its own server SSL key,
took some “statistics”, and re-encrypted the traffic with the bank web server SSL
key to send to the bank web site.
– The proxy server requested an SSL session to the bank web site on the user’s behalf, and the
bank built that session using the Bank’s certificate.
Zombie Army
[Diagram: Attacker → Handlers → Agents (zombies) → Victim. Control data
streams flow from the attacker through the handlers to the agents; attack
data streams flow from the agents to the victim.]
Zombie Army
• Hackers are assembling big “networks of zombies”
(or bot networks) that they can then turn into
profit-making machines
– to steal confidential information;
– to be used as spam relays
• e.g. Bagle and MyDoom infected machines serve as open mail relays
for spamming
– to host phishing web sites;
– to launch DDoS attacks – armies hired to attack business
rivals
• e.g. in March 2005, a 16-year-old hacker and a businessman were
arrested in New Jersey
Theft of Server Identity
• Fake domain name similar to the real one, OR use IP
address in URL
– Easy to resist by manually entering the URL
• DNS poisoning
– Spoofs the web site even if the user types in the URL manually
– Methodology
• Modifying the HOSTS file - by malicious software
– HOSTS file overrides DNS resolution
– Reference: http://www.vnunet.com/news/1159171
• Pharming
Pharming
By poisoning the victim’s DNS server, the attacker can redirect the
traffic of a legitimate site to the attacker’s server, where the attacker
can sniff password information even in the HTTPS connection.
[Diagram: Victim PC ⇄ Attacker server ⇄ Legitimate web server. The victim
thinks he is talking to the legitimate site; actually the victim is talking
to the attacker server, which sniffs the password information and proxies
the HTTPS traffic between the victim and the legitimate web server.]
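The HOSTS-file override described on the previous slide is simple to audit from the defender's side. The following Python check, added here and not part of the original deck, parses a HOSTS file and flags every entry that redirects a hostname away from loopback; the HOSTS content, the site names and the addresses are constructed for the demonstration.

```python
"""Flag HOSTS-file overrides that could send a user to a pharming server.

Added example for this deck, not code from the slides. The HOSTS content
and the list of sites to watch are constructed for the demonstration.
"""
import ipaddress

# Constructed HOSTS file: the usual loopback lines, a benign ad-blocking
# entry, and the kind of lines malware drops to redirect bank logins.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocked on purpose
203.0.113.45    www.examplebank.com.hk examplebank.com.hk
203.0.113.45    login.example-cards.com
192.0.2.10      update.example-av.com
"""

# Assumed allowlist of sites whose resolution must never be pinned locally.
WATCHED = {"www.examplebank.com.hk", "examplebank.com.hk", "update.example-av.com"}


def parse_hosts(text):
    """Return [(ip_address, hostname), ...]; comments and junk are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not an address, ignore line
        for name in fields[1:]:
            entries.append((addr, name.lower()))
    return entries


def classify(addr, name, watched=WATCHED):
    """None for harmless entries, else 'high' (watched site) or 'medium'."""
    if addr.is_loopback or addr.is_unspecified:
        return None   # 127.0.0.1 / ::1 / 0.0.0.0 block or localise, they do not redirect
    return "high" if name in watched else "medium"


def find_overrides(text, watched=WATCHED):
    """List of (hostname, address, severity) for entries that redirect traffic."""
    findings = []
    for addr, name in parse_hosts(text):
        sev = classify(addr, name, watched)
        if sev:
            findings.append((name, str(addr), sev))
    return findings


if __name__ == "__main__":
    for name, addr, sev in find_overrides(SAMPLE_HOSTS):
        print(f"[{sev.upper()}] {name} -> {addr}")
```

On a real machine the same function can be run over the contents of the system HOSTS file, with the allowlist populated from the organisation's own domains.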
Move towards Organized Cyber Crime
Fraud Ring invaded Choicepoint
• Choicepoint fraud (publicized Feb 2005)
– A fraud ring has stolen the personal and financial
information of an estimated 100,000 consumers from
computer databases maintained by ChoicePoint, Inc.
– The ring established at least 50 fake client accounts with
ChoicePoint, giving them access to the company's vast data
banks with records on millions of people.
– The individuals allegedly used the information to divert the
mail of more than 700 people to false addresses, and then
stole the identities of many of those people and made
purchases in their names
Online Trade of Credit Card
-------------www.carderportal.org
To: [email protected]
domain closed down recently
Subject: My LoVe - www.carderportal.org
From: "Ramon Thorpe" <[email protected]>
Date: Sat, 31 Jan 2004 21:39:48 +0100
Message-id: <[email protected]>
Old-return-path: <[email protected]>
-------------Hello, Thank you for registration on our board - http://www.carderportal.org
Welcome to our underground Site! http://www.carderportal.org
In our site you will find:
Spam Hosting - from 20$ per mounth.
Fraud Hosting - from 30$ per mounth.
Stoln Credit Cards, Fake ID, DL's.
Spam For free only from 1.02.2004 to 5.02.2004.
Welcome - http://www.carderportal.org and http://forum.carderportal.org
-------
Site openly advertises service for fraud
• HangUp Team (Russia), http://rat.net.ru/index.php
– advertises its programming services to custom design Remote Access
Trojan (RAT) to defraud the bank or credit card company of your choice
[Screenshot translated with the Altavista Russian-to-English Translator,
http://world.altavista.com/babelfish/tr]
• Zombie network
• Identity Theft
• Spyware
• Pharming Attack
What are we going to do with this?
Identify the Major Battlefields
• Identity Theft of Users and Websites for Money
• Users tempted to download & install malware
• Silent agent, only phones home periodically
• How to respond to unknown attacks?
• Man-in-the-middle (MITM) Attack
• Evasion (hiding)
• Remote Controlled Zombies
• Legal grey area, hurdles of cross-border law enforcement
Defense Strategies
• Legislation
• Incident Response and Collaboration
• Automated Response
• Stronger Policy and Enforcement
• Stronger Trust Mechanism
• User Education
• System Secure Design to Minimize User Risk
• Detection
• Prevention
Legislation
– Legislation Area
• Local legislation fine tuning
• Harmonize the international framework of cybercrime
legislation to minimize discrepancies
– e.g. Cybercrime Convention of EU
– Cross-border collaboration and enforcement,
• e.g. bilateral MOU signed by Asia Pacific countries on
anti-spam strategy
– Digital Divide
• Helping Developing Countries
Incident Response & Collaboration
• CERTs around the world are developing close collaboration
in information exchange and in pinning down bogus websites.
– FIRST: Forum of Incident Response and Security Teams
– APCERT
– CERT – Computer Emergency Response Team
[Map of CSIRTs worldwide: http://www.cert.org/csirts/images/map-full.gif]
Stronger Policy Compliance
• External Party Security Enforcement
– BS7799:2005 includes outsourcing controls
• PISA and others encourage the Govt to promote
Information Security Management Standards like
BS7799 and CoBit to commerce
[Bar chart. Proposition: The standards for IT governance and IS (such
as COBIT and ISO17799) are well-deployed. Responses for the two series
(public sector, private sector): Disagree or Strongly Disagree 64% and 62%;
No idea 26% and 26%; Agree or Strongly Agree 12% and 10%.]
User Education
• Security Hygiene: baseline security for
everyone
– My Security depends on Your Security, and vice versa
– Clean Your PC 1-2-3 (www.infosec.gov.hk)
• Antivirus
• Personal Firewall
• Patch your system
Plus
– Don’t forget Anti-spyware now!
– Care when handling software
• Safe downloading (do not trust public utility download
sites)
Building Trust (Client)
• Secure Client
– Two-factor authentication
• Mandatory for “high risk transactions” at Internet banks
in Hong Kong
• It can resist a Replay Attack when the hacker has got the user’s PIN.
But it cannot resist a MITM attack.
– Browser empowerment
• Detect and prevent malicious URLs and content
– e.g. Deepnet Explorer
• Protect the certificate store!!
– Insufficient protection NOW!
Building Trust (Provider)
• Service Providers (Servers) also need to
authenticate themselves to the users!
– Brand management
– Good practice in the consistent use of domain
names
• Banks are exploring technologies to display a
personalized image and greeting to the user to
authenticate the online banking web site.
– Can resist pharming and phishing to some extent
Walkthrough of emerging security
technologies
Reforming the Perimeter
• Network Admission Control: no one is to be believed
– Security Baseline Met?
– Qualify or Quarantine
[Diagram: Connection request → Client Qualification Process (checked
against Rules) → Qualified → Internal Network; Not Qualified → Quarantine.]
– Next Generation network switches may have this as default
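The qualification step in the diagram above can be made concrete as a small rule evaluation. This Python example is added here and is not code from the deck or from any NAC product; its baseline rules follow the "Clean Your PC 1-2-3" list (antivirus, personal firewall, patches) plus anti-spyware, and the signature-age threshold and the quarantine destinations are assumptions.

```python
"""Qualify-or-quarantine decision for a network admission control (NAC) step.

Added example for this deck, not code from the slides or any NAC product.
The baseline rules follow the deck's "Clean Your PC 1-2-3" list (antivirus,
personal firewall, patches) plus anti-spyware; thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Posture:
    """What the client reports about itself at connection time."""
    antivirus_installed: bool
    signature_age_days: int        # age of the antivirus signature set
    firewall_enabled: bool
    missing_critical_patches: int
    antispyware_installed: bool


# (rule name, check, remediation hint); order is the reporting order.
RULES = [
    ("antivirus installed", lambda p: p.antivirus_installed,
     "install antivirus"),
    ("signatures at most 7 days old", lambda p: p.signature_age_days <= 7,
     "update antivirus signatures"),
    ("personal firewall enabled", lambda p: p.firewall_enabled,
     "enable the personal firewall"),
    ("no missing critical patches", lambda p: p.missing_critical_patches == 0,
     "apply critical patches"),
    ("anti-spyware installed", lambda p: p.antispyware_installed,
     "install anti-spyware"),
]

# Assumed quarantine reachability: remediation servers only (placeholder names).
QUARANTINE_ALLOWED = ("patch.corp.example", "av-update.corp.example")


def evaluate(posture, rules=RULES):
    """Return (verdict, failed_rule_names, remediation_hints).

    verdict is 'qualified' (admit to the internal network) or 'quarantine'
    (remediation network only); every rule must pass to be qualified.
    """
    failed = [(name, fix) for name, check, fix in rules if not check(posture)]
    if not failed:
        return "qualified", [], []
    return "quarantine", [n for n, _ in failed], [f for _, f in failed]


def allowed_destinations(verdict):
    """Destinations the switch permits for the client after the decision."""
    return ("*",) if verdict == "qualified" else QUARANTINE_ALLOWED


if __name__ == "__main__":
    clean = Posture(True, 2, True, 0, True)
    stale = Posture(True, 30, False, 3, False)
    for p in (clean, stale):
        verdict, failed, fixes = evaluate(p)
        print(verdict, failed, fixes, allowed_destinations(verdict))
```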
Stronger Infrastructure
• Secure DNS protocol (DNSSEC)
– Can greatly improve security, but cannot solve all
problems
• Ref: http://www.linuxsecurity.com/content/view/113965/65/
– Restricting zone transfer permissions can greatly help
• Trusted Computing Base (or Next Generation Secure
Computing Base of Microsoft)
– Requires changes in operating system and hardware
• sealed storage to store keys, secure I/O
– We have heard about it for 5 years
• Cost to business and Govt. adoption are the issues
Incident Response to the Unknown Attack
• Detection
– Network Monitoring System
• Ref:
– Internet Storm Centre http://isc.sans.org/
– European CSIRT http://www.ecsirt.net/
– Detect Suspicious Traffic and Track Sources
– Some Asia Pacific CERT teams are building theirs:
KR, CN, JP, SG, Brunei …
Incident Response to the Unknown Attack
• Active Detection
– Automated Web Patrol with Strider HoneyMonkeys
http://www.usenix.org/events/sec05/wips.html
http://research.microsoft.com/HoneyMonkey/
http://www.ieee-security.org/TC/SP2005/oakland05-5minutes.html
Incident Response to the Unknown Attack
• Response
– Can we automate signature generation for malicious
software?
• Still an R&D topic. Can easily be bypassed with scripts/variants
– Ref: Collaborative Internet Worm Containment (Min Cai et al 2005) IEEE
Security and Privacy May-June 2005 Vol 3 No 3 pp25-33
– Can we use heuristics (dynamic – intelligent signatures)
over signatures?
• Greatly improves detection against unknown attacks
• But problems come when packers/encryptors appear
• Research to find the entry points of the packer/encryptor programs
– Ref: Anti-virus Heuristics by Drew Copley at XCON Aug-2005
http://xcon.xfocus.org/archives/2005/Xcon2005_Drew_Copley.pdf
Hiding and Anti-hiding
an eternal battle between cat and mouse
• Maintain longer influence on a
machine - hide the tracks
• Rootkits can wrap existing Trojans and
hide them
• Rootkit knowledge publicly
available
– “Rootkits : Subverting the
Windows Kernel” July 2005
by Greg Hoglund, Jamie Butler
– Once installed, the rootkit tries to fool
the virus scanner, task manager ...
• Rootkit Detection becomes popular
– e.g. Microsoft Malicious Software
Removal Tool, F-Secure Blacklight
– Strider GhostBuster Rootkit
Detection
• http://research.microsoft.com/rootkit/
Minimum Privilege
• Why should we use Administrator privilege?
– Windows:
• I need to install program;
• My Nero CD burn program cannot work under user account
• Workaround in Windows: “RunAs” administrator
• Linux defaults today
– No remote root login. Use normal account, then “su”
– User can run administrative task (e.g. install programs) by
entering root password
Security Usability
• Security is often easier said than done
• Online Survey in August 2005 showed that many users do not
understand security options in IE, OE and Word. If they
cannot use the features, they will remain unprotected.
• Need good default settings (e.g. WinXP SP2), but users still
need the option to change things
• Need to cater for users at all levels
– Ref: Online survey conducted in August 2005 by Steven Furnell,
Network Research Group, University of Plymouth, United Kingdom
Design and Write Secure Applications
• Many existing problems arise from problems of
software – design or coding.
• Software Architects and Developers play a
vital role.
• I will leave it to the next speakers, who will deliver
a good talk on this. :-P
Conclusion
• Multi-party Collaboration
– Governments
– Standards Bodies
– Corporations
– Product Vendors
– Application Developers
– Researchers
– Users
• Multi-Layer Defense
– Legislation and Cross-border
collaboration
– Technology
– Management Policy
– Process and Practices
– Incident Response
– Education is more and more
important
Creativity
Determination
Sharing & Collaboration
Putting Security in Best Practice
Can we survive
the Next Information Security Attacks?
Yes / NO