Transcript of "3 Hkcert Trend"

1. Internet Attack Trend and Defense
   SC Leung, Senior Consultant

2. Agenda
   - Trend of the information security threat
   - How we become victims …
   - Most economical way to mitigate risks

3. Security Threat Landscape

4. Attacks Targeting Our Vulnerabilities
   System and applications:
   - Insecure configuration defaults: AutoRun on USB, CD-ROM …
   - All software has security holes
     - Opportunity window between the discovery of a security hole and the availability of a patch
   Human:
   - People can be cheated
     - "Social engineering" techniques
     - How can you gain trust from others == how can a hacker gain trust from you

5. New Phishing Tactic Targets Tabs
   - http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (proof of concept included)
   - http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/

6. Botnet (roBot Network) Is the Major Threat
   [Diagram: bot herder -> C&C (Command & Control Centre) -> bots -> attacks on victims ("Your computers!")]

7. Maturity of the Underground Economy (axis on the slide: increasing sophistication)
   Commercialization:
   - Sell products (credentials, malware and tools)
   - Hosting: spam or phishing hosting
   - CaaS (cybercrime as a service): hired gun
   Professionalization:
   - Manageability of infrastructure: botnets
   - Specialization, outsourcing and globalization of HR
   - Chained exploits
   Risk management:
   - Invisibility
   - Security: authentication, encryption
   - Survivability, e.g. Conficker

8. Malware 2.0
   Malware today causes the victim PC to become part of a botnet. Stages (slide labels: Evade Detection; Command & Control):
   - Propagation
   - Forming a botnet
   - Manage
   - Update
   - Survive the adverse

9. Malware 2.0
   - Encryption or obfuscation
   - Morphing
   - Uses search engines to evade detection
     - Malware URL visible only when referred by a search engine
     - Done by configuring the ".htaccess" file of the web server
   [Image: sample content of a ".htaccess" file under the hacker's control]
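The referer-gated cloaking described on slide 9 can be audited from the server side. The following is an added example (not code from the slides or from HKCERT) that scans .htaccess content for RewriteRule directives gated by a RewriteCond on HTTP_REFERER naming a search engine; the sample .htaccess is constructed, and example.invalid is a placeholder host.

```python
import re

# Constructed sample (not from the slides): a normal WordPress block followed
# by an injected rule that only redirects visitors arriving from a search engine.
# example.invalid is a placeholder host.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn)\. [NC,OR]
RewriteCond %{HTTP_REFERER} ask\.com [NC]
RewriteRule .* http://example.invalid/go.php?id=42 [R=302,L]
"""

# Search-engine names an injected cloaking rule typically keys on (heuristic).
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|ask\b|aol|baidu", re.I)


def find_referer_cloaking(htaccess_text):
    """Return (line_number, target) for every RewriteRule whose preceding
    RewriteCond directives test HTTP_REFERER against a search-engine name.
    Such a rule makes a URL behave differently for search-engine visitors
    than for an administrator who types the URL in directly."""
    findings = []
    pending = []  # RewriteCond lines waiting for their RewriteRule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("RewriteCond"):
            pending.append(stripped)
        elif stripped.startswith("RewriteRule"):
            parts = stripped.split()
            target = parts[2] if len(parts) > 2 else ""
            gated = any("%{HTTP_REFERER}" in c and SEARCH_ENGINES.search(c)
                        for c in pending)
            if gated:
                findings.append((lineno, target))
            pending = []  # Apache applies RewriteCond only to the next RewriteRule
    return findings


def main():
    for lineno, target in find_referer_cloaking(SAMPLE_HTACCESS):
        print(f"line {lineno}: search-engine-referer gated rewrite to {target}")


if __name__ == "__main__":
    main()
```

Legitimate sites occasionally gate on referers too, so treat a hit as something to review against your own change history rather than as proof of compromise.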
10. Malware Propagation Channels
    [Diagram: Executables, Document Malware, Website]

11. Malware Propagation Channels: Executables
    - Fake security software
    - Fake video player codec

12. Malware Propagation Channels: Document Malware
    - Embedded malware in PDF or Office files
    - Zeus botnet served PDF malware (Apr 2010)
    [Image by Websense]

13. Malware Propagation Channels: Website
    - Legitimate and trusted websites compromised
    - Used to redirect users to malicious websites (via injected invisible iframes)
    - Most significant channel
    - Web admins unable to detect and mitigate the risks
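The injected invisible iframes of slide 13 can be found by scanning your own pages. The following added example (not code from the slides or from HKCERT) walks an HTML document with the standard-library parser and flags iframes that are zero-sized, styled invisible, or nested inside an element styled invisible; the sample page is constructed, and example.invalid is a placeholder host.

```python
from html.parser import HTMLParser
import re

# Constructed sample page (not from the slides): one normal embed plus three
# iframes hidden the way injected ones on compromised sites commonly are.
SAMPLE_HTML = """<html><body><h1>Welcome</h1><br>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://example.invalid/in.cgi?3" width="0" height="0"></iframe>
<div style="display:none"><p>x<br></p><iframe src="http://example.invalid/x.php"></iframe></div>
<iframe src="http://example.invalid/y.php" style="position:absolute;left:-9999px"></iframe>
</body></html>"""

ZERO_SIZE = re.compile(r"^\s*0+(px)?\s*$", re.I)
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class HiddenIframeFinder(HTMLParser):
    """Flags <iframe> elements that are zero-sized, styled invisible, or
    nested inside an element styled invisible."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hidden?) for each open element
        self.findings = []   # (src, reason)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_style = bool(HIDING_CSS.search(a.get("style") or ""))
        if tag == "iframe":
            reasons = []
            if hidden_style:
                reasons.append("hidden by style")
            if any(hidden for _, hidden in self.stack):
                reasons.append("inside hidden ancestor")
            if any(ZERO_SIZE.match(a.get(k) or "x") for k in ("width", "height")):
                reasons.append("zero size")
            if reasons:
                self.findings.append((a.get("src", ""), "; ".join(reasons)))
        self.stack.append((tag, hidden_style))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; unclosed void tags (br, img) fall away too.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run it over a saved copy of each page and compare against a known-good crawl; hits pointing at hosts you do not recognise are the ones to investigate.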
14. Malware Propagation via Websites
    - Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
      - Insecure web application configuration

15. PHPNuke.org Web Site Hacked in May 2010
    - PHPNuke.org web site hacked (7 May 2010)
      - Serving several exploits

16. Malware Propagation Channels: Social Engineering & Black Hat SEO
    - Hackers exploit social network services to convince victims
    - Hackers use search engine optimization techniques to push malicious websites up the search result rankings

17. Malware Propagation Channels: Targeted Attacks
    - Targeted, crafted email to corporations and government

18. Attacks Following Money
    Phishing:
    - Targeting traditional online banking, online games
    - Obtaining credentials for later use or for sale
    - Via keyloggers
    Banking Trojans:
    - Targeting new online banking services, esp. two-factor authentication
    - Performing the transaction on the spot
    - Via advanced banking trojans, using man-in-the-browser techniques

19. Data Leakage
    P2P file sharing:
    - Insecure default settings
    - Malware embedded in P2P software
      - e.g. Foxy software
    Social networking services:
    - Insecure default privacy settings
    - Leaking of personal information by friends
    - Lack of control over 3rd-party apps on SNS
    - Malware on SNS

20. Social Network: ID Theft, Data Leakage, Social Engineering

21. Client-Side Attacks via Social Network Sites
    - Surge in Facebook malware
    - TRUST:
      - Uses a social engineering trick: spoofing the user's friend and sending a message with a URL purporting to be a movie
      - URL brings the user to a fake YouTube site

22. Client-Side Attacks via Social Network Sites
    - Suggesting to install a codec in order to view the movie
    [Screenshot: "Install the codec to view the movie"]

23. Submitting the Malware to VirusTotal.com
    Only a small portion of scanners can identify the malware.

24. Redirection of Attacks to a Central Exploit Server
    - Malicious servers redirect victims to the exploit server, which serves as a central delivery point
    Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm

25. Mobile Computing
    - Attacks exist for different mobile platforms
    - 2009-11: attack on jailbroken iPhones via the SSH backdoor
    - MobileSpy logs GPS location, call logs, SMS logs. Versions available for Android, BlackBerry, iPhone, Windows Mobile, Symbian
    - Stores personal and sensitive data
    - Some banks (Lloyds TSB, UK) are starting to use it as the client tool
    - Next-gen data/voice integration
    - Insecure habits
      - Short URLs are common
      - Clicking links in email is common
      - Saved passwords are common
    - Security protection less mature than on PCs

26. Targeted Attacks Continue
    - Chained exploits
    - Advanced Persistent Threats
      - Governments, critical infrastructure, private companies

27. Consequence of Attack

28. Consequences of Security Exposure
    - Machines fall under the control of hackers
    - Theft of credentials, leading to financial loss
    - Hackers launch local attacks on the whole network
    - Bandwidth and performance downgrade
    - Legal liability: liable for hacking activities within your premises

29. Mitigation Strategies Revisited

30. What Do We Do?
    International collaboration:
    - Good example: the Conficker Working Group
    Intelligence and research:
    - Collecting information on hacker behaviour
    Proactive discovery of incidents:
    - Finding compromised web sites and malware hosting
    Cyber drill exercises

31. Awareness, Education and Training (audiences on the slide: Public, ISPs)
    - Awareness
      - Social engineering
      - Emerging attacks, e.g. SNS, mobile
    - Social engineering drill exercise
    - Publish guidelines
    - Training of staff
    - Local cyber response drills
      - Cyber response drill: some teams hold it annually
    - Form an ISAC (Information Sharing and Advisory Centre)

32. Proactivity in Incident Handling at HKCERT
    - Incident report statistics (3 Apr to 30 Sep 2009)
    - Traditional reports vs proactive discovery (searching for incidents that are not reported)
      - Traditional reports: 493 (60%); proactive discovery: 330 (40%)
    - Among traditional reports (493 cases)
      - Direct phone-in: 244 (49.5%), referral: 170 (34.5%), direct email: 79 (16%)
      - Reported by local parties: 329 (67%), reported by overseas parties: 164 (33%)
    - Conclusion:
      - Proactive discovery is becoming a key source of incident reports
      - Overseas and referral reports make up a significant portion
      - We are aware that more resources are required for handling external communication and for developing automated searching capability

33. What Can You Do: Infrastructure?
    Personal:
    - Install antivirus
    - Install a personal firewall
    - Close all security holes
      - Patch systems
    - Set strong passwords
    - Close insecure default settings: Autorun, …
    Company:
    - Install antivirus
    - Install a firewall; block all incoming traffic except known services
    - Separate SAMS, ITED and public servers into zones
    - Set up a security policy
      - Ban unauthorized servers in your network

34. HKCERT Guidelines
    - "Autorun virus" Removal Procedure
    - SQL Injection Defense Guideline
    - Data Protection Guideline
    - Guideline for Safety Using Wireless LAN
    - SME Information Security Guideline
    - Guideline for Prevention of Spyware and other Potentially Unwanted Software
    - http://www.hkcert.org/english/sguide_faq/home.html

35. Point of Contact
    - Phone: +852 8105 6060
    - Fax: +852 8105 9760
    - Email: hkcert@hkcert.org
    - URL: http://www.hkcert.org/