Transcript of: Internet Attack Trend and Defense (index-of.co.uk/Various/20100528_05.pdf, 2010/05/28)
Internet Attack Trend and Defense
SC Leung, Senior Consultant
Page 2
Agenda
Trend of the information security threat …
How we become victims …
How to mitigate risks …
Security Threat Landscape
Page 4
Attacks Targeting Our Vulnerabilities
System and Applications
– Insecure configuration defaults, e.g. AutoRun on USB, CD-ROM …
– Default passwords or settings
– All software has security holes: an opportunity window exists between the discovery of a security hole and the availability of a patch
Human
– People can be cheated: “Social Engineering” techniques
– How can you gain trust from others == How can a hacker gain trust from you
Page 5
Botnet (roBot Network) is the major threat
Bot Herder → C&C (Command & Control Centre) → Bots (bot, bot, bot …) → attacks → victims
Bots: your computers!
Page 6
Maturity of the Underground Economy
Commercialization
• Sell products (credentials, malware and tools)
• Hosting: spam or phishing hosting
• CaaS (cybercrime as a service): hired gun
Professionalization
• Manageability of infrastructure: botnets
• Specialization, outsourcing, and globalization of HR
• Chained exploits
Risk Management
• Invisibility
• Security: authentication, encryption
• Survivability, e.g. Conficker
(axis: sophistication)
Page 7
Malware 2.0
Evade Detection · Command & Control · Propagation · Forming a Botnet · Manage · Update · Survive the adverse
Malware today causes the victim PC to become part of a botnet
Page 8
Malware 2.0
Encryption or Obfuscation
Morphing
Uses Search Engine to evade detection
• Malware URL visible only when referred by a search engine
• Done by configuring the “.htaccess” file of the web server
[Figure: sample content of a “.htaccess” file under the hacker’s control]
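As an added example (not part of the original slides), here is a small Python check a web administrator can run over their own `.htaccess` files to surface the referrer-conditional rewrite the slide describes: rules that fire only when `HTTP_REFERER` names a search engine. The sample `.htaccess` text and the `redirect.invalid` host are constructed for the demonstration and are not taken from any real server.

```python
"""Flag .htaccess rewrite blocks that change behaviour depending on whether
the visitor arrived from a search engine (search-engine referrer cloaking)."""
import re

# Constructed sample of the kind of block described on the slide.
# The destination host is a placeholder (.invalid TLD), not a real indicator.
SAMPLE_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://redirect.invalid/ [R=302,L]
ErrorDocument 404 http://redirect.invalid/
"""

# Names that commonly appear in cloaking conditions; extend as needed.
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "ask", "aol", "baidu")

COND_RE = re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)


def find_referer_cloaking(htaccess_text):
    """Return one finding per RewriteRule that is guarded by at least one
    RewriteCond testing HTTP_REFERER against a search-engine name.

    Each finding is {"conditions": [(line_no, line), ...],
                     "rule": (line_no, line)}.
    """
    findings = []
    pending = []  # suspicious RewriteCond lines seen since the last RewriteRule
    for n, raw in enumerate(htaccess_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = COND_RE.match(line)
        if m:
            pattern = m.group(1).lower()
            if any(engine in pattern for engine in SEARCH_ENGINES):
                pending.append((n, line))
            continue
        if line.lower().startswith("rewriterule"):
            # A RewriteRule consumes every RewriteCond that precedes it.
            if pending:
                findings.append({"conditions": pending, "rule": (n, line)})
            pending = []
    return findings


if __name__ == "__main__":
    for f in find_referer_cloaking(SAMPLE_HTACCESS):
        print("search-engine referrer cloaking at line %d: %s" % f["rule"])
        for n, cond in f["conditions"]:
            print("  guarded by line %d: %s" % (n, cond))
```

The check deliberately ignores referrer conditions that do not mention a search engine, so ordinary hot-link protection (a `RewriteCond` comparing the referrer against your own domain) is not reported. A positive hit on a file you did not write is a strong sign the web server has been tampered with and the site should be taken offline for investigation.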
Page 9
Malware Propagation channels
Executables · Document Malware · Website
Page 10
Malware Propagation channels
Executables
– Fake security software
– Fake video player codec
(Executables · Document Malware · Website)
Page 11
Malware Propagation channels
Document Malware
– Embedded malware in PDF or Office files
– Zeus botnet served PDF malware (Apr-2010)
(Executables · Document Malware · Website)
Page 12
Malware Propagation channels
Website
– Legitimate and trusted websites compromised
– Used to redirect users to malicious websites (via injected invisible iframes)
– Most significant: web admins are incapable of detecting and mitigating the risks
(Executables · Document Malware · Website)
Page 13
Malware Propagation via websites
Mass infection of WordPress blogs hosted by Network Solutions (Apr 2010)
– Insecure web application configuration was used
Page 14
Malware Propagation via websites
PHPNuke.org web site hacked (7 May 2010)
– Serving several exploits
Page 15
Malware Propagation Channels
Social Engineering & Black Hat SEO
– Hackers exploit Social Network Services to convince victims
– Hackers use Search Engine Optimization techniques to escalate the malicious website’s ranking in search results
(Executables · Document Malware · Website · Social Engineering & Black Hat SEO)
Page 16
Targeted Attacks
– Targeted, crafted email to corporations and government
(Executables · Document Malware · Website · Social Engineering & Black Hat SEO · Targeted Attacks)
Page 17
Social network
Id Theft · Data Leakage · Social Engineering
Page 18
Targeted Attack continues
Chained exploit
Advanced Persistent Threats
– Governments, critical infrastructure, private companies
Page 19
Chained Exploit Case Study: Client Side attacks via Social Network Sites
Surge in Facebook Malware
TRUST:
– Uses a social engineering trick, spoofing the user’s friend and sending a message with a URL purporting to be a movie
– The URL brings the user to a fake YouTube site
Page 20
Chained Exploit Case Study: Client Side attacks via Social Network Sites
– The fake site suggests installing a codec in order to view the movie
– The user installs the “codec” to view the movie
Page 21
Malicious servers redirect victims to the Exploit Server, which serves as a central delivery point
Redirection of attacks to a central exploit server
Source: http://www.honeynet.org/papers/mws/KYE-Malicious_Web_Servers.htm
Page 22
Low Detection Rate: submitting the malware to VirusTotal.com
Only a small portion of the scanners can identify the malware
Page 23
Attacks Following Money
Phishing
– Targeting traditional online banking, online games
– Obtaining credentials for later use or for sale
– via keyloggers
Banking Trojans
– Targeting new online banking services, esp. two-factor authentication
– Performing the transaction on the spot
– via advanced banking trojans, using man-in-the-browser techniques
Page 24
Data Leakage
P2P File Sharing
– Insecure default settings
– Malware embedded in P2P software, e.g. Foxy software
Social Networking Services
– Insecure default privacy settings
– Leak of personal information by friends
– Lack of control over 3rd party apps on SNS
– Malware on SNS
Page 25
Mobile Computing
Attacks exist for different mobile platforms
– 2009-11: attack on jailbroken iPhones’ SSH backdoor
– MobileSpy logs GPS location, call logs, SMS log; versions available for Android, Blackberry, iPhone, Windows Mobile, Symbian
Store personal & sensitive data
– Some banks (UK Lloyds TSB) start to use the mobile as the client tool
– NextGen data/voice integration
Insecure habits
– Short URLs are common
– Clicking links in email is common
– Saved passwords are common
Security protection is less mature than on the PC
Consequence of Attack
Page 27
Consequences of Security Exposure
– Machines fall under the control of hackers
– Theft of credentials: financial loss
– Hackers launch local attacks against the whole network
– Bandwidth and performance degradation
– Legal liability: liable for hacking activities within your premises
Mitigation Strategies Revisited
Page 29
What do we do?
International Collaboration
– Good example of Conficker Working Group
Cyber Drill Exercise
Proactive Discovery of Incidents
– finding compromised web sites and malware hosting
Intelligence and Research
– collecting information on hacker behaviour
Page 30
What can you do – infrastructure?
Personal
– Install antivirus & update it
– Install a personal firewall
– Close all security holes: close insecure default settings (Autorun, …); patch software
– Set strong passwords
– Scan your system periodically
Company: additional measures
– At the firewall, block all incoming traffic to servers except known services
– Separate SAMS, ITED and public servers in zones
– Set up a security policy: ban unauthorized servers in your network
Page 31
Awareness Education and Training
Awareness
– Understand emerging attacks like SNS, mobile
– Beware of Social Engineering
Follow Guidelines
Train your staff
Set up an Incident Response Procedure
Page 32
HKCERT Guidelines
– "Autorun virus" Removal Procedure
– SQL Injection Defense Guideline
– Data Protection Guideline
– Guideline for Safety Using Wireless LAN
– SME Information Security Guideline
– Guideline for Prevention of Spyware and other Potentially Unwanted Software
http://www.hkcert.org/english/sguide_faq/home.html
Point of Contact
Phone : +852 8105 6060
Fax : +852 8105 9760
Email : [email protected]
URL : http://www.hkcert.org/