1. Evolution of ICT Security: A Perspective From Wiretapping
Ying-Dar Lin (林盈達)
IEEE Fellow, IEEE ComSoC Distinguished Lecturer
Department of Computer Science, National Chiao Tung University
ydlin@cs.nctu.edu.tw
11-28-2013
2. Speaker: Ying-Dar Lin (林盈達)
Areas of research interests
• Deep Packet Inspection
– Attack, virus, spam, porno, P2P
– Software, algorithm, hardware, SoC
– Real traffic, beta site, botnet
• Internet security and QoS
• Wireless communications
• Test technologies of switch, router, WLAN, security, VoIP, 4G/LTE and smartphones
Publications
• International journal: 95
• International conference: 51
• IETF Internet Draft: 1
• Industrial articles: 153
• Textbooks: 3 (Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011)
• Patents: 30
• Tech transfers: 8
• Well-cited paper: Multihop Cellular: A New Architecture for Wireless Communications, INFOCOM 2000, YD Lin and YC Hsu; #citations: 600; standardized into IEEE 802.11s, Bluetooth, WiMAX, and LTE
Biography
• B.S., NTU-CSIE, 1988; Ph.D., UCLA-CS, 1993
• Professor (1999~)/Associate Professor (1993~1999), NCTU-CS; IEEE Fellow (2013); IEEE ComSoC Distinguished Lecturer (2014&2015)
• Founder and Director, III-NCTU Embedded Benchmarking Lab (EBL; www.ebl.org.tw), 2011~
• Founder and Director, NCTU Network Benchmarking Lab (NBL; www.nbl.org.tw), 2002~
• Editorial Boards: IEEE Wireless Comm. (2013~), IEEE Transactions on Computers (2011~), IEEE Computer (2012~), IEEE Network (2011~), IEEE Communications Magazine – Network Testing Series (2010~), IEEE Communications Letters (2010~), Computer Communications (2010~), Computer Networks (2010~), IEEE Communications Surveys and Tutorials (2008~), IEICE Transactions on Information and Systems (11/2011~)
• Guest Editor of Special Issues: Open Source for Networking, IEEE Network, Mar 2014; Mobile Application Security, IEEE Computer, Mar 2014; Multi-Hop Cellular, IEEE Wireless Communications, Oct 2014; Deep Packet Inspection, IEEE JSAC, Q4 2014; Traffic Forensics, IEEE Systems Journal, early 2015
• CEO, Telecom Technology Center (www.ttc.org.tw), 7/2010~5/2011
• Director, Computer and Network Center, NCTU, 2007~2010
• Consultant, ICL/ITRI, 2002~2010
• Visiting Scholar, Cisco, San Jose, 7/2007~7/2008
• Director, Institute of Network Engineering, NCTU, 2005~2007
• Co-Founder, L7 Networks Inc. (www.L7.com.tw), 2002
3. Computer Networks: An Open Source Approach
The book takes the view that why a protocol is designed a specific way matters more than how the protocol works. Key concepts and underlying principles are conveyed while explaining protocol behaviors. To further bridge the long-existing gap between design and implementation, it illustrates where and how protocol designs are implemented in Linux-based systems. A comprehensive set of fifty-six live open source implementations spanning hardware (8B/10B, OFDM, CRC32, CSMA/CD, and crypto), driver (Ethernet and PPP), kernel (longest prefix matching, checksum, NAT, TCP traffic control, socket, shaper, scheduler, firewall, and VPN), and daemon (RIP/OSPF/BGP, DNS, FTP, SMTP/POP3/IMAP4, HTTP, SNMP, SIP, streaming, and P2P) are interleaved with the text.
Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011.
www.mhhe.com/lin; available now at amazon.com
Facebook Q&A Community: www.facebook.com/CNFBs
ISBN: 0-07-337624-8 / 978-007-337624-0
4. Outline
1. How the wiretapping scandal unfolded (20 mins)
2. Possible ways of intercepting telephone and network traffic (20 mins)
3. The evolution of network communication security (20 mins)
4. The latest network hacking attacks and countermeasure technologies (40 mins)
5. Q&A (20 mins)
9. Lawful Intercept Architecture Reference Model
[Figure: lawful intercept reference model from IETF RFC 3924 / ETSI ES 201 671. Functional blocks: Law Enforcement Agency (LEA); Lawful Intercept Administration Function; Intercept Related Information (IRI) Intercept Access Point (IAP); Content Intercept Access Point (IAP); Mediation Device (MD); Service Provider Functions. Interfaces: HI1 (a) between the LEA and the administration function; MD provisioning interface (b); intercept requests (c, d) from the MD to the IRI IAP and the content IAP; IRI (e) and intercepted content (f) returned to the MD; HI2 (g) carries IRI and HI3 (h) carries intercepted content to the LEA; user content flows through the content IAP.]
16. Wireless Interception
IMSI Catcher
• IMSI (International Mobile Subscriber Identity)
• A false mobile tower: a man-in-the-middle attack
• Identifies IMSI numbers and intercepts traffic through protocol hacking: solicit/associate/configure/tap
– Masquerades as a base station and logs the IMSI numbers of nearby handsets
– Works because the handset does not authenticate the base station
– Downgrades the connection to GSM
– Disables encryption (A5/0 mode)
17. Defcon: Hacker shows how he can intercept cell phone calls with $1,500 device
• Chris Paget at Defcon in Las Vegas, 7-31-2010
• Demo video at http://venturebeat.com/2010/07/31/hacker-shows-how-he-can-intercept-cell-phone-calls-for-1500/
18. Black Hat: Intercepting Calls and Cloning Phones with Femtocells
• Ritter and DePerry at Black Hat in Las Vegas on 8-1-2013
• CDMA femtocell
• Femtocatch: 2.5-way call
20. StealthGenie
• Spy on their Calls
• Spy on their SMS Messages
• Track their GPS Location
• Read their Emails
• Spy on their Instant Messengers
• View their Multimedia Files
• Monitor their Internet Activities
• View their Contacts and Calendar Activities
• Bug their phone
• Instant Alerts and Notifications
• Remotely Control their Phone
22. General Security Issues
• Data security: protecting private data on the public Internet
– Encryption & authentication: Virtual Private Network (VPN)
• Access security: deciding who can access what
– TCP/IP firewall or application firewall
• System security: protecting system resources from hackers
– Intrusion detection and prevention
– Malware detection and prevention
23. Vulnerability Exploiting on “Servers”
• Buffer overflow attack
– Put more data into the buffer than it can hold, causing the buffer to overflow
– The overwritten return address then points to the cracked file, which gets executed
[Figure: stack layout before and after the overflow. Normal layout: stack pointer, return address, buffer (200 bytes). After more data is put into the buffer than fits, the overflow overwrites the return address so that it points to the cracked file address.]
void called()
{
    . . .
    char buffer[200];
    . . .
}
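As an added example, not code from the slides, the slide's 200-byte `called()` written out twice in C: the unchecked copy that the diagram describes, kept only to show the defect, beside a bounded version that checks the length before copying and refuses over-long input. The function names and the `probe` helper are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200   /* the 200-byte stack buffer from the slide's called() */

/* The pattern the slide diagrams: nothing compares the input length with the
 * buffer, so an input longer than 200 bytes runs past the buffer and overwrites
 * what sits above it on the stack, including the saved return address. Kept
 * here only to show the defect; it is never called with untrusted input. */
void called_unchecked(const char *input)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, input);   /* unbounded: writes strlen(input) + 1 bytes */
    printf("%s\n", buffer);
}

/* Hardened form: the length is checked before any byte is copied, over-long
 * input is rejected rather than silently truncated, and the copy uses an
 * explicit byte count. Returns the number of bytes stored, or -1 on refusal. */
int called_checked(const char *input, size_t input_len)
{
    char buffer[BUF_SIZE];

    if (input == NULL || input_len >= sizeof buffer)   /* leave room for '\0' */
        return -1;
    memcpy(buffer, input, input_len);
    buffer[input_len] = '\0';
    return (int)strlen(buffer);
}

/* Feeds a constructed input of n 'A' bytes to the checked copy and returns its
 * verdict, so the boundary (199 accepted, 200 refused) can be exercised. */
int probe(size_t n)
{
    char input[1024];

    if (n >= sizeof input)
        return -2;
    memset(input, 'A', n);
    input[n] = '\0';
    return called_checked(input, n);
}

int main(void)
{
    printf("199 bytes -> %d, 200 bytes -> %d\n", probe(199), probe(200));
    return 0;
}
```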
24. Some Server Vulnerabilities
Vulnerability | Application | Version | Reason
phf Remote Command Execution Vulnerability | Apache Group Apache | 1.0.3 | Input Validation Error
Multiple Vendor BIND (NXT Overflow) Vulnerabilities | ISC BIND | 8.2.1 | Buffer Overflow
MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability | Microsoft IIS | 4.0 | Buffer Overflow
imapd Buffer Overflow Vulnerability | Univ. Of imapd | 12.264 | Buffer Overflow
ProFTPD Remote Buffer Overflow | Professional FTP proftpd | 1.2pre5 | Buffer Overflow
Sendmail Daemon Mode Vulnerability | Eric Allman Sendmail | 8.8.2 | Input Validation Error
RedHat Piranha Virtual Server Package Default Account and Password Vulnerability | RedHat Linux | 6.2 | Configuration Error
Wu-Ftpd Remote Format String Stack Overwrite Vulnerability | wu-ftpd | 2.6 | Input Validation Error
25. Open Source Implementation 8.7: Snort
Three modes
• Sniffer
– Read and decode network packets
• Packet logger
– Log packets to disk
• Intrusion detection system
– Analyze traffic based on pre-defined rules
– Perform actions based upon what it sees
26. Writing Snort Rules
• Rule header
alert tcp any any -> 10.1.1.0/24 80
– action (alert), protocol (tcp), source address and port number (any any), destination address and port number (10.1.1.0/24 80)
• Rule option
(content:"/cgi-bin/phf"; msg:"PHF probe!";)
– inspective part (content) and alert message (msg)
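An added example, not part of the deck and not Snort's own code: the slide's PHF rule evaluated in C against a constructed TCP segment, checking the header fields (protocol, destination network in CIDR form, destination port) before the content option. The struct names, `ip4`, `rule_matches` and `check_phf` are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's rule as a struct: alert tcp any any -> 10.1.1.0/24 80
 * (content:"/cgi-bin/phf"; msg:"PHF probe!";). Source side is "any", so only
 * the destination network/port, the content and the message are stored. */
typedef struct {
    const char *action, *proto;
    uint32_t dst_net; int dst_prefix, dst_port;   /* 10.1.1.0/24, 80 (-1 = any) */
    const char *content, *msg;                    /* inspective part, alert message */
} rule_t;
/* Decoded fields of one TCP segment that the rule inspects. */
typedef struct {
    const char *proto; uint32_t dst_ip; int dst_port;
    const unsigned char *payload; size_t len;
} pkt_t;

/* Dotted quad to host-order 32-bit value; returns 0 for malformed input. */
uint32_t ip4(const char *s)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}
/* CIDR test: the top `prefix` bits of ip must equal those of net. */
static int in_net(uint32_t ip, uint32_t net, int prefix)
{
    uint32_t mask = prefix <= 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* Header first, then option; content search is byte-wise (memcmp), so NUL bytes are fine. */
int rule_matches(const rule_t *r, const pkt_t *p)
{
    size_t n = strlen(r->content);
    if (strcmp(r->proto, p->proto) != 0) return 0;
    if (!in_net(p->dst_ip, r->dst_net, r->dst_prefix)) return 0;
    if (r->dst_port != -1 && r->dst_port != p->dst_port) return 0;
    for (size_t i = 0; i + n <= p->len; i++)
        if (memcmp(p->payload + i, r->content, n) == 0) return 1;
    return 0;
}
/* Runs the PHF rule against one constructed request sent to dst:port. */
int check_phf(const char *dst, int port, const char *payload)
{
    rule_t phf = { "alert", "tcp", ip4("10.1.1.0"), 24, 80, "/cgi-bin/phf", "PHF probe!" };
    pkt_t p = { "tcp", ip4(dst), port, (const unsigned char *)payload, strlen(payload) };
    return rule_matches(&phf, &p);
}
```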
27. Open Source Implementation 8.6: ClamAV
• Introduction
– open-source package for virus scanning
– detects over 570,000 malicious codes (viruses, worms, trojans, etc.) as of the 0.95.2 release
– Types of signatures
• MD5 for a certain PE section (part of an executable file)
• basic signatures of fixed strings (to be scanned in the entire file)
• extended signatures (in a simplified form of regular expressions containing multiple parts)
• logical signatures (multiple signatures combined with logical operators)
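An added example, not ClamAV's own code: three of the four signature kinds listed above (fixed string, extended hex with `??` wildcards, and logical combination) implemented as small matchers in C over a constructed sample buffer; the MD5-of-PE-section kind is omitted because it needs a hash implementation. The function and type names, the hex syntax and the `all_of` flag are simplifications assumed here, not ClamAV's real formats.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample "file": an MZ header followed by a marker string and some
 * filler; it stands in for the executable that ClamAV would scan. */
const unsigned char SAMPLE[] = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00, 'E', 'V', 'I', 'L',
                                 '-', 'D', 'R', 'O', 'P', 0x00, 0xFF, 0xEE };
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Basic signature: a fixed string scanned over the entire file (binary-safe). */
int match_string(const unsigned char *buf, size_t len, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, s, n) == 0) return 1;
    return 0;
}

/* Extended signature in a simplified hex form: two hex digits per byte, and
 * "??" matching any single byte (e.g. "4d5a??00"). Returns 1 on a hit, 0 on
 * no hit, -1 when the signature text is malformed where it is examined. */
int match_hex(const unsigned char *buf, size_t len, const char *sig)
{
    size_t n = strlen(sig) / 2, k;
    for (size_t i = 0; i + n <= len; i++) {
        for (k = 0; k < n; k++) {
            const char *h = sig + 2 * k;
            unsigned v;
            if (h[0] == '?' && h[1] == '?') continue;       /* wildcard byte */
            if (sscanf(h, "%2x", &v) != 1) return -1;
            if (buf[i + k] != (unsigned char)v) break;
        }
        if (k == n) return 1;
    }
    return 0;
}

/* Logical signature: several hex subsignatures joined by one operator. all_of=1
 * means AND (every part must hit), all_of=0 means OR. Real ClamAV allows richer
 * expressions; this keeps the idea of combining parts with logical operators. */
typedef struct { const char *subs[3]; int nsub, all_of; } logical_sig_t;

int match_logical(const unsigned char *buf, size_t len, const logical_sig_t *ls)
{
    int hits = 0;
    for (int i = 0; i < ls->nsub; i++)
        if (match_hex(buf, len, ls->subs[i]) == 1) hits++;
    return ls->all_of ? hits == ls->nsub : hits > 0;
}
```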
29. Performance Matters: Comparing Intrusion Detection, Antivirus, Anti-Spam, Content Filtering, and P2P Classification
Tool | Snort | DansGuardian | ClamAV | SpamAssassin | L7-filter
Percentage of string matching | 62% | 86% | 57% | 31% | 70%
Inspection depth | Byte jump | HTTP request / response | All attachment content | Mail header / body | First 10 packets
30. Distribution of Captured Malware: Active Collection vs. Passive Collection
[Figure: (a) distribution of captured malware for Honey-Inspector: Trojan 59%, Others 21%, Bot 12%, Worm 8%. (b) distribution of captured malware for the passive honeypot system: Bot 79%, Others 13%, Trojan 5%, Worm 3%.]
• Active collection and passive collection are quite disjoint.
32. Distribution of Malware’s Capture Time
[Figure: percentage of captured time (%) against the days that the malware signature existed (day), for Honey-Inspector and the passive honeypot system.]
• More zero-day malware can be collected “actively”.
Ying-Dar Lin, Chia-Yin Lee, Yu-Sung Wu, Pei-Hsiu Ho, Fu-Yu Wang, Yi-Lang Tsai, "How Different Are Malware Collected Actively and Passively?," IEEE Computer, to appear in 2014.
33. Behaviors by GFI Sandbox
[Figure: frequency of behaviors (%) observed by GFI Sandbox for benign programs versus malware. Behaviors plotted: Alters Windows Firewall, Checks For Debugger, Copies to Windows, Could Not Load, Creates DLL in System, Creates EXE in System, Creates Hidden File, Creates Mutex, Creates Service, Deletes File in System, Deletes Original Sample, Hooks Keyboard, Injected Code, Makes Network Connection, Modifies File in System, Modifies Local DNS, More than 5 Processes, Opens Physical Memory, Starts EXE in Documents, Starts EXE in Recycle, Starts EXE in System, Windows/Run Registry Key Set.]
• Some permissions are potentially more malicious than others.
34. Top 20 Requested Permissions by Android Malware
[Figure: the top 20 permissions requested by Android malware.]
• Again, some permissions are potentially more malicious than others.
39. APT Attacks vs. Traditional Attacks
Attribute | APT Attacks | Traditional Attacks
Persistent | Yes | No
Targeted | Yes | No
Planned | Yes | No
Custom exploits | Yes | No
Hidden | Yes | No
Motivation | Collect valuable information and exfiltrate it | Variable
41. Malware Detection Methods
Method | Execute File | Fast/Slow | Information | Overhead | Example tools
Static Analysis | No | Fast | General | Low | ClamAV
Behavior Analysis | Yes | Slow | General | High | ViCheck.ca, Joe Sandbox
Reverse Engineering | Partial | Slow | Detailed | High | Xecure
Three methodologies for malware detection: static analysis, behavior analysis, and reverse engineering.
42. Sample Collection
– 300 APT samples
CVE Number | File Type | # Samples | Product | Vulnerability
CVE-2010-0188 | PDF | 48 | Acrobat Reader | Adobe Reader PDF LibTiff Integer Overflow
CVE-2010-2883 | PDF | 24 | Acrobat & Acrobat Reader | Adobe CoolType SING Table Stack Buffer Overflow
CVE-2010-3333 | RTF | 52 | Microsoft Office | MS Office 2010 RTF Header Stack Overflow
CVE-2011-2462 | PDF | 25 | Acrobat & Acrobat Reader | Adobe Reader U3D Memory Corruption
CVE-2012-0158 | RTF | 131 | Microsoft Office | Stack Buffer Overflow in MSCOMCTL.OCX
CVE-2013-0640 | PDF | 20 | Acrobat & Acrobat Reader | Adobe Reader Unspecified Buffer Overflow
43. Heap spraying
[Figure: heap layout from 0 MB to 300 MB, normal layout versus after heap spraying; legend: used memory, free memory, shellcode.]