HKCERT Trend
Transcript

  • 1. Internet Attack Trend and Defense (SC Leung, Senior Consultant)
  • 2. Agenda
    • Trend of the information security threat
    • How we become victims …
    • Most economical way to mitigate risks
  • 3. Security Threat Landscape
  • 4. Attacks targeting our Vulnerabilities
    System and Applications:
    • Insecure configuration defaults: AutoRun on USB, CD-ROM …
    • All software has security holes
      • Opportunity window between discovery of a security hole and availability of a patch
    Human:
    • People can be cheated
      • “Social Engineering” techniques
      • How you gain trust from others == how a hacker gains trust from you
  • 5. New Phishing Tactic Targets Tabs
    • http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (proof of concept included)
    • http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
  • 6. Botnet (roBot Network) is the major threat
    (Diagram: Bot Herder → C&C (Command & Control Centre) → bots → attacks on your computers; victims become bots)
  • 7. Maturity of the Underground Economy (increasing sophistication)
    Commercialization:
    • Sell products (credentials, malware and tools)
    • Hosting: spam or phishing hosting
    • CaaS (cybercrime as a service): hired gun
    Professionalization:
    • Manageability of infrastructure → botnets
    • Specialization, outsourcing, and globalization of HR
    • Chained exploits
    Risk Management:
    • Invisibility
    • Security
        • authentication, encryption
    • Survivability
        • e.g. Conficker
  • 8. Malware 2.0: Evade Detection, Command & Control
    • Propagation
    • Forming a botnet
    • Manage
    • Update
    • Survive the adverse
    Malware today makes the victim PC part of a botnet
  • 9. Malware 2.0
    • Encryption or obfuscation
    • Morphing
    • Uses search engines to evade detection
        • Malware URL is visible only when the visitor is referred by a search engine
        • Done by configuring the “.htaccess” file of the web server
    (Figure: sample content of a “.htaccess” file under the hacker’s control)
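The referer-dependent cloaking described on this slide is hard to spot from a web admin's own browser, because a direct visit receives the clean page. The check below is an added example, not part of the original presentation: it requests the same URL once with no Referer and once per search-engine Referer and flags any response whose content differs. The simulated site `_constructed_cloaked_site` and the `.invalid` hostnames are constructed for offline demonstration; `http_fetch` is the real-network variant for running the check against a site you administer.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Optional

# Search-engine referers to compare against a plain (no-Referer) request.
# The query strings are placeholders; only the referring host matters to the check.
SEARCH_REFERERS = {
    "google": "https://www.google.com/search?q=example",
    "bing": "https://www.bing.com/search?q=example",
    "yahoo": "https://search.yahoo.com/search?p=example",
}

# A fetcher takes (url, referer-or-None) and returns the response body.
Fetcher = Callable[[str, Optional[str]], bytes]


def http_fetch(url: str, referer: Optional[str]) -> bytes:
    """Real-network fetcher (standard library only) for checking your own site."""
    req = urllib.request.Request(url, headers={"User-Agent": "cloak-check/1.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def detect_referer_cloaking(url: str, fetch: Fetcher,
                            referers: Dict[str, str] = SEARCH_REFERERS) -> Dict[str, bool]:
    """Return {referer_name: True} for every Referer that yields a different page
    than the baseline no-Referer request; True means the site serves
    referer-dependent content and deserves a closer look at its .htaccess."""
    baseline = hashlib.sha256(fetch(url, None)).hexdigest()
    verdict = {}
    for name, referer in referers.items():
        body = fetch(url, referer)
        verdict[name] = hashlib.sha256(body).hexdigest() != baseline
    return verdict


def _constructed_cloaked_site(url: str, referer: Optional[str]) -> bytes:
    """Constructed stand-in for a compromised host: the page only changes when
    the visitor appears to arrive from Google or Bing (assumed behaviour)."""
    if referer and any(engine in referer for engine in ("google.", "bing.")):
        return b"<html><body><iframe src='http://redirect.invalid/' width=0 height=0></iframe></body></html>"
    return b"<html><body>Welcome to our blog</body></html>"


if __name__ == "__main__":
    # Offline demonstration against the constructed site.
    print(detect_referer_cloaking("http://site.invalid/", _constructed_cloaked_site))
```

On a real site, content that legitimately varies between requests (timestamps, rotating banners, session tokens) will also produce a mismatch, so strip such regions or repeat the baseline fetch twice before treating a difference as cloaking. The hash comparison is deliberately exact; a site that only differs for search-engine referers is the signature this slide describes.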
  • 10. Malware Propagation channels (Executables, Document Malware, Website)
  • 11. Malware Propagation channels: Executables
    • Fake security software
    • Fake video player codec
  • 12. Malware Propagation channels: Document Malware
    • Embedded malware in PDF or Office files
    • Zeus botnet served PDF malware (Apr 2010)
    (Image by Websense)
  • 13. Malware Propagation channels: Website
    • Legitimate and trusted websites compromised
    • Used to redirect users to malicious websites (via injected invisible iframes)
    • Most significant channel
    • Web admins are often unable to detect and mitigate the risk
  • 14. Malware Propagation via websites
    • Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
      • Caused by insecure web application configuration
  • 15. PHPNuke.org web site hacked in May 2010
    • PHPNuke.org web site hacked (7 May 2010)
      • Serving several exploits
  • 16. Malware Propagation channels: Social Engineering & Black Hat SEO
    • Hackers exploit Social Network Services to convince victims
    • Hackers use Search Engine Optimization techniques to raise the ranking of malicious websites in search results
  • 17. Malware Propagation channels: Targeted Attacks
    • Targeted, crafted email to corporations and government
  • 18. Attacks Following Money
    Phishing:
    • Targeting traditional online banking and online games
    • Obtaining credentials for later use or for sale
    • via keyloggers
    Banking Trojans:
    • Targeting new online banking services, esp. two-factor authentication
    • Performing the transaction on the spot
    • via advanced banking trojans, using man-in-the-browser techniques
  • 19. Data Leakage
    P2P File Sharing:
    • Insecure default settings
    • Malware embedded in P2P software
      • e.g. Foxy software
    Social Networking Services:
    • Insecure default privacy settings
    • Leakage of personal information by friends
    • Lack of control over 3rd-party apps on SNS
    • Malware on SNS
  • 20. Social network: ID Theft, Data Leakage, Social Engineering
  • 21. Client Side attacks via Social Network Sites
    • Surge in Facebook malware
    • TRUST:
      • Uses a social engineering trick: spoofs the user’s friend and sends a message with a URL purporting to be a movie
      • The URL brings the user to a fake YouTube site
  • 22. Client Side attacks via Social Network Sites
    • Suggests installing a codec in order to view the movie
    (Screenshot: “Install the codec to view the movie”)
  • 23. Submitting the malware to VirusTotal.com: only a small portion of scanners identify the malware
  • 24. Redirection of attacks to a central exploit server
    • Malicious servers redirect victims to the Exploit Server, which serves as a central delivery point
    Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
  • 25. Mobile Computing
    • Attacks exist for different mobile platforms
    • 2009-11: attack on jailbroken iPhones’ SSH backdoor
    • MobileSpy logs GPS location, call logs and SMS logs; versions available for Android, BlackBerry, iPhone, Windows Mobile, Symbian
    • Devices store personal & sensitive data
    • Some banks (UK Lloyds TSB) start to use them as the client tool
    • Next-generation data/voice integration
    • Insecure habits
      • Short URLs are common
      • Clicking links in email is common
      • Saved passwords are common
    • Security protection is less mature than on PCs
  • 26. Targeted Attacks continue
    • Chained exploits
    • Advanced Persistent Threats
      • Governments, critical infrastructure, private companies
  • 27. Consequence of Attack
  • 28. Consequences of Security Exposure
    • Machines fall under the control of hackers
    • Theft of credentials → financial loss
    • Hackers launch local attacks on the whole network
    • Bandwidth and performance degradation
    • Legal liability → liable for hacking activities within your premises
  • 29. Mitigation Strategies Revisited
  • 30. What do we do?
    International Collaboration
      • Good example: Conficker Working Group
    Cyber Drill Exercise
    Proactive Discovery of Incidents
      • finding compromised web sites and malware hosting
    Intelligence and Research
      • collecting information on hacker behaviour
  • 31. Awareness, Education and Training
    Public:
    • Awareness
      • Social Engineering
      • Emerging attacks like SNS, mobile
    • Social Engineering drill exercise
    • Publish guidelines
    ISPs:
    • Training of staff
    • Local cyber response drills
      • Cyber Response Drill – some teams do hold it annually
    • Form an ISAC (Information Sharing and Advisory Centre)
  • 32. Proactivity in Incident Handling at HKCERT
    • Incident report statistics (3 Apr to 30 Sep 2009)
    • Traditional reports vs Proactive Discovery (searching for incidents that are not reported)
      • Traditional reports: 493 (60%); Proactive Discovery: 330 (40%)
    • Among traditional reports (493 cases)
      • Direct phone-in: 244 (49.5%), Referral: 170 (34.5%), Direct email: 79 (16%)
      • Reported by local parties: 329 (67%), reported by overseas parties: 164 (33%)
    • Conclusion:
      • Proactive Discovery is becoming a key source of incident reports
      • Overseas and referral reports make up a significant portion
      • We are aware that more resources are required for handling external communication and for developing automated search capability
  • 33. What can you do – infrastructure?
    Personal:
    • Install antivirus
    • Install a personal firewall
    • Close all security holes
      • Patch systems
    • Set strong passwords
    • Close insecure default settings: Autorun, …
    Company:
    • Install antivirus
    • Install a firewall; block all incoming traffic except known services
    • Separate SAMS, ITED and public servers into zones
    • Set up a security policy
      • Ban unauthorized servers in your network
  • 34. HKCERT Guidelines
    • "Autorun virus" Removal Procedure
    • SQL Injection Defense Guideline
    • Data Protection Guideline
    • Guideline for Safety Using Wireless LA
    • SME Information Security Guideline
    • Guideline for Prevention of Spyware and other Potentially Unwanted Software
    • http://www.hkcert.org/english/sguide_faq/home.html
  • 35. Point of Contact
    • Phone: +852 8105 6060
    • Fax: +852 8105 9760
    • Email: hkcert@hkcert.org
    • URL: http://www.hkcert.org/