2012-03 security outlook

Security Outlook 2012 S.C. Leung CISSP CISA CBCP


Page 1: 2012-03 Security Outlook

Security Outlook 2012

S.C. Leung, CISSP CISA CBCP

Page 2: 2012-03 Security Outlook

Who are we?

HKCERT
– Established in 2001. Operated by HK Productivity Council
– Provides services to Internet users and SMEs (free-of-charge)
– Scope of services
  • Security monitoring and early warning
  • Incident report handling
  • Publication of guidelines
  • Public awareness
– www.hkcert.org
– Free subscription to alert information via email and mobile (we pay for the SMS charges)

Page 3: 2012-03 Security Outlook

HKCERT collaboration network (diagram)

HKCERT works with:
– Local enterprises & Internet users
– APCERT: CERT teams in Asia Pacific
– FIRST: CERT teams around the world
– Law enforcement
– Internet infrastructure organisations
– Universities
– Software vendors
– Security research centres

Page 4: 2012-03 Security Outlook

HKCERT Statistics – Incident Reports

(Bar chart, 2001–2011, two series: "Malware attack" and "Security attack"; the per-year counts are not recoverable from the transcript.)

Source locality of reports   2010           2011
Local parties                360 (26.3%)    400 (34.3%)
Overseas parties             554 (40.6%)    405 (34.7%)
Proactive discovery          452 (33.1%)    360 (30.9%)

Page 5: 2012-03 Security Outlook

HKCERT Statistics – Security Bulletins published

Number of Published Security Bulletins per year (bar chart, 2001–2011; the values shown on the chart are 156, 116, 178, 242, 234, 220, 308, 343, 136, 106 and 125, but their assignment to years is not recoverable from the transcript)

Page 6: 2012-03 Security Outlook

New Motives of Cyber Attacks

Hacktivism: ideology
– Anonymous, LulzSec groups
State sponsored: political, military
– Civilian monitoring
  • Doubts on R2D2 Trojan in Germany
– Attacks on state critical infrastructure or military
  • Stuxnet – 2010
  • USA drone malware – 2011
Cybercriminals: money
– Theft of information
– Extortion
– Control of machines for other purposes
Unfriendly parties: others
– Disgruntled employees
– Business competitors
Kiddies and early hackers: fame

Page 7: 2012-03 Security Outlook

Hacktivism

Anonymous
– Exposed FBI & Scotland Yard 15-min conference call (Mar 2012)
– Defaced Greek Justice Ministry website
– Operation Payback (DDoS) vs VISA, MC, PayPal, who blocked $$ to Wikileaks (Jan 2011)
– FBI investigator Eric Storm (Mar 2012): "Anonymous members arrested but enterprises pay insufficient attention to this group"
LulzSec
– Steals and leaks anything classified from government and high-profile institutions
– Targeted Sony, Sega, CIA, U.K.-based Serious Organised Crime Agency
– "Sabu", the leader, was arrested. Anonymous hacked the PandaLabs website in revenge for their "brothers"

Page 8: 2012-03 Security Outlook

Anonymous – an analysis

The Anatomy of Anonymous Attack (by Imperva, 2012)
– Observed a proactive attack vs. a client through the client's web application firewall log. Imperva also analysed the social media communication
"Anonymous" hacking group
– Two groups of volunteers
  • Skilled hackers : laymen (1:10)
– Steal data first, and if that fails, attempt a DDoS attack
– Crowd-sourcing hacking model
  • Public recruitment, not private – use of SNS
  • Use inexpensive and off-the-shelf tools
  • No reliance on malware, no phishing or spear phishing
  • Seldom use botnets (avoid rental cost)

Page 9: 2012-03 Security Outlook

Hacktivism campaign – a case study

D1-18: Recruitment & Communication
– Attract attention to a cause via Facebook, Twitter, YouTube …
– Declare dates and targets, and recruit protesters and hackers
D19-22: Reconnaissance & App Attack
– Skilled hackers hide behind TOR
– Scan target for web vulnerabilities, then attack
  • SQL injection, XSS, directory traversal
– Scan for DDoS-relevant pages – use search words that overload the server, and change them to avoid use of the cache
D24-25: DDoS after failure to steal data
– LOIC
  • Low Orbit Ion Cannon
– Mobile LOIC
  • A webpage with JavaScript that loops rendering of an image from the target web server with some random attribute

Source: The Anatomy of Anonymous Attack (by Imperva, 2012)

Page 10: 2012-03 Security Outlook

Anonymous

Operation Global Blackout
– Target: root DNS servers
– D-Day: 31-Mar-2012
– Root servers installed in Hong Kong
HKCERT working with HKIX and ISC

Ref: No, #Anonymous can't DDoS the root DNS servers – http://erratasec.blogspot.com/2012/02/no-anonymous-cant-ddos-root-dns-servers.html

Page 11: 2012-03 Security Outlook

Defense vs Hacktivist Attack

Patch web server and web applications
Scan web server for vulnerabilities
– Acunetix
  • checks for vulnerabilities such as SQL injection, cross-site scripting, remote file inclusion, etc.
– Nikto
  • tests for dangerous files/CGIs, outdated server software
Web application code review
Web application firewall
– Blocks web attacks
– Log analysis: attack count surge
Monitor social media for campaigns
– High-profile organisations can be a target

Page 12: 2012-03 Security Outlook

DDoS Attack Surge

Cases
– 第一亞洲商人金銀業有限公司 (Feb-2012)
  • extortion
– HK Stock Exchange 披露易 (Aug-2011)
Worldwide Infrastructure Security Report 2011 (Arbor Networks)
– DDoS increases
– Main motive: ideology (hacktivism)
– Flooding attack: average bandwidth 10Gbps, largest 60Gbps
  • 74% of respondents: the target is the customers
– L7 (application layer) DDoS more common
  • HTTP > DNS > SMTP > HTTPS
  • HTTP GET flood, HTTP POST flood

Page 13: 2012-03 Security Outlook

Network attack trends

Hard to detect security attacks in mobile and fixed wireless networks
Firewall, IPS and load balancer are not a sufficient defense against DDoS attacks
Top 3 security concerns for the next 12 months
– DDoS towards your customers
– DDoS towards your infrastructure
– DDoS towards your service

Page 14: 2012-03 Security Outlook

DDoS Attack Defense

Deploy an application firewall to block L7 DDoS
– Drop traffic not conforming to the protocol standard
Prepare for bandwidth adequacy with your ISP
Provision web service on the cloud (bandwidth $$$)
Subscribe to a web security managed service on the cloud (web attacks and small-volume DDoS attacks)
Subscribe to a DDoS scrubbing service (more costly)

Reference: "DDoS Attack and Defense" @HKCERT seminar 2011-10-21 – https://www.hkcert.org/my_url/zh/event/11102101
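The log-analysis defenses on the hacktivism and DDoS slides (attack-count surge in the WAF log, spotting an HTTP GET flood, and the cache-busting request loop of the "Mobile LOIC" page) can all be run over ordinary access logs. The following is an added example written for this transcript, not code from HKCERT or from any of the cited reports; the log format is Apache/nginx combined, the signature list, thresholds and every log line are constructed for the example.

```python
"""Web log triage for the defenses on the preceding slides (added example).

Reads combined-format access log lines and reports what a WAF or log pipeline
would alert on: a surge of attack-signature hits (SQL injection, XSS, directory
traversal patterns) against a running baseline, sources whose request rate
looks like an HTTP GET/POST flood, and one path requested with many distinct
query strings from one source (the cache-defeating loop described for the
"Mobile LOIC" page). All log lines are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Deliberately small signature list; a real WAF rule set is far larger.
ATTACK_SIGNATURES = {
    "sqli": re.compile(r"union\s+select|'\s*or\s+1\s*=\s*1", re.I),
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "traversal": re.compile(r"\.\./|%2e%2e%2f", re.I),
}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def classify(rec):
    """Names of the attack signatures matching the URL-decoded request target."""
    target = unquote(rec["target"])
    return [name for name, rx in ATTACK_SIGNATURES.items() if rx.search(target)]


def window_key(rec, seconds):
    """Bucket a record's timestamp into a fixed window of `seconds` length."""
    epoch = int(rec["ts"].timestamp())
    return epoch - epoch % seconds


def attack_surge(records, window=60, factor=3.0, min_hits=5):
    """Windows whose attack-signature count is at least `min_hits` and exceeds
    `factor` times the mean of all earlier windows (the running baseline)."""
    hits, windows = Counter(), set()
    for rec in records:
        key = window_key(rec, window)
        windows.add(key)
        if classify(rec):
            hits[key] += 1
    surges, history = [], []
    for key in sorted(windows):
        count = hits[key]
        baseline = sum(history) / len(history) if history else 0.0
        if history and count >= min_hits and count > factor * baseline:
            surges.append((key, count, baseline))
        history.append(count)
    return surges


def flood_sources(records, window=10, threshold=50):
    """Sources whose request count in any single window reaches `threshold`."""
    per = Counter((rec["src"], window_key(rec, window)) for rec in records)
    return sorted({src for (src, _), n in per.items() if n >= threshold})


def cache_busters(records, min_variants=20):
    """(source, path) pairs requested with at least `min_variants` distinct
    query strings: the signature of a cache-defeating request loop."""
    variants = defaultdict(set)
    for rec in records:
        if rec["query"]:
            variants[(rec["src"], rec["path"])].add(rec["query"])
    return sorted(k for k, q in variants.items() if len(q) >= min_variants)


def _line(src, ts, method, target, status="200"):
    return f'{src} - - [{ts:%d/%b/%Y:%H:%M:%S +0800}] "{method} {target} HTTP/1.1" {status} 512'


def constructed_log():
    """Constructed access log: two quiet minutes, then a scanner, then a flood."""
    base = datetime(2012, 3, 15, 10, 0, 0, tzinfo=timezone(timedelta(hours=8)))
    lines = [_line(f"10.0.0.{i % 5 + 1}", base + timedelta(seconds=i), "GET", "/index.html")
             for i in range(120)]
    lines.append(_line("10.0.0.9", base + timedelta(seconds=30), "GET", "/search?q=../etc/passwd", "404"))
    lines += [_line("203.0.113.7", base + timedelta(seconds=120 + 2 * i), "GET",
                    f"/item?id={i}%20UNION%20SELECT%201", "500") for i in range(15)]
    lines += [_line("198.51.100.5", base + timedelta(seconds=180 + i // 10), "GET",
                    f"/banner.png?{i:08x}") for i in range(80)]
    return lines


def triage(lines):
    records = [r for r in map(parse_line, lines) if r]
    return {"surges": attack_surge(records), "floods": flood_sources(records),
            "cache_busters": cache_busters(records)}


if __name__ == "__main__":
    for kind, result in triage(constructed_log()).items():
        print(kind, result)
```

The three checks are independent on purpose: a scanner trips the signature surge without ever reaching flood rates, while a flood of harmless image requests carries no attack signature at all and is only visible as volume and as a path with hundreds of distinct query strings. The running-baseline comparison is what turns "attack count" into "attack count surge"; a fixed threshold alone fires constantly on a site that always sees a trickle of probes.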

Page 15: 2012-03 Security Outlook

IPv6 Network Attacks (chart)

Source: Worldwide Infrastructure Security Report 2011 (Arbor Networks)

Page 16: 2012-03 Security Outlook

IPv6 Security Awareness

World IPv6 Launch, June 6, 2012
– Google, Facebook, Yahoo!, Akamai, Cisco … will turn on IPv6 permanently
– As IPv6 deployments increase, attacks will increase
Preparedness
– Are your staff equipped with IPv6 knowledge?
– Does your purchasing policy mandate IPv6 as a prerequisite for new purchases?
– Is your current infrastructure upgradable to IPv6?
Network visibility
– Can your network / security devices inspect IPv6 traffic?
  • How about deep packet inspection?
– Can the firewall / router enable / block IPv6 traffic?
– Can your log management handle IPv6 traffic?
Network manageability
– Is your IPv4 traffic managed, while IPv6 traffic always passes through, or is tunneled through?
– Ref: http://blog.fortinet.com/security-challenges-emerge-with-ipv6-launch/
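Two of the questions above, whether log management handles IPv6 and whether IPv6 passes through while only IPv4 is managed, can be answered mechanically from data an organisation already holds. The following added example (not from the presentation or the referenced Fortinet post) contrasts an IPv4-only log parser with one that accepts both families, then audits an access-control list to count the traffic no rule covers. The log lines, the ACL and the SRC=/DST= record layout are constructed for the example.

```python
"""IPv6 readiness checks for a log pipeline and an access-control list (added example).

Contrasts an IPv4-only log parser with one that accepts both address families,
then audits a constructed ACL for traffic that falls through unmatched.
Log lines and ACL rules are constructed for the example.
"""
import ipaddress
import re

# Constructed firewall log records with SRC= / DST= fields.
SAMPLE_LOG = [
    "Mar 15 10:00:01 fw kernel: ACCEPT SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=443",
    "Mar 15 10:00:02 fw kernel: ACCEPT SRC=2001:db8:1::10 DST=2001:db8:2::1 PROTO=TCP DPT=443",
    "Mar 15 10:00:03 fw kernel: DROP SRC=203.0.113.5 DST=198.51.100.1 PROTO=TCP DPT=22",
    "Mar 15 10:00:04 fw kernel: ACCEPT SRC=2001:db8:bad::1 DST=2001:db8:2::1 PROTO=TCP DPT=22",
    "Mar 15 10:00:05 fw kernel: ACCEPT SRC=::ffff:203.0.113.5 DST=2001:db8:2::1 PROTO=TCP DPT=22",
]

IPV4_ONLY = re.compile(r"SRC=(\d{1,3}(?:\.\d{1,3}){3})")
ANY_FAMILY = re.compile(r"SRC=([0-9A-Fa-f:.]+)")


def sources_ipv4_only(lines):
    """The common mistake: a dotted-quad regex. IPv6 records are not rejected,
    they are silently missing from the result, so nothing downstream alerts."""
    return [m.group(1) for line in lines if (m := IPV4_ONLY.search(line))]


def sources_any_family(lines):
    """Parse with ipaddress so both families are validated and normalised.
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped to IPv4 so the
    IPv4 rules written for that host still apply to them."""
    out = []
    for line in lines:
        m = ANY_FAMILY.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        out.append(addr)
    return out


# Constructed ACL: the IPv4 rules were thought through, the IPv6 rules never written.
ACL_IPV4_ONLY = [("deny", "203.0.113.0/24"), ("allow", "192.0.2.0/24")]
# The same ACL with the IPv6 counterpart rules added.
ACL_BOTH = ACL_IPV4_ONLY + [("deny", "2001:db8:bad::/48"), ("allow", "2001:db8::/32")]


def acl_decision(addr, acl):
    """First matching rule wins; None means no rule of that family applied."""
    for action, net in acl:
        network = ipaddress.ip_network(net)
        if addr.version == network.version and addr in network:
            return action
    return None


def uncovered_by_family(lines, acl):
    """How many log sources, per IP family, fall through the ACL unmatched."""
    counts = {4: 0, 6: 0}
    for addr in sources_any_family(lines):
        if acl_decision(addr, acl) is None:
            counts[addr.version] += 1
    return counts


def acl_families(acl):
    """Which IP families the ACL says anything about at all."""
    return {ipaddress.ip_network(net).version for _, net in acl}


if __name__ == "__main__":
    print("IPv4-only parser saw:", sources_ipv4_only(SAMPLE_LOG))
    print("both-family parser saw:", [str(a) for a in sources_any_family(SAMPLE_LOG)])
    for name, acl in (("IPv4-only ACL", ACL_IPV4_ONLY), ("ACL with IPv6 rules", ACL_BOTH)):
        print(name, "covers families", acl_families(acl),
              "uncovered sources:", uncovered_by_family(SAMPLE_LOG, acl))
```

Two details matter in practice: the IPv4-only parser never raises an error, which is exactly why the gap goes unnoticed, and the IPv4-mapped form `::ffff:203.0.113.5` reaches dual-stack sockets for an address the IPv4 rules already deny, so a parser that does not unwrap it reports a new IPv6 source instead of a known blocked IPv4 one.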

Page 17: 2012-03 Security Outlook

Targeted Attacks

Global Risks Report 2012 (World Economic Forum)
– High-impact attacks, likelihood:
  • cyber attacks (3.8)
  • massive incident of data fraud/theft (3.4)
  • critical system failure (2.9)
Businesses increasingly worried about targeted attacks which aim to sabotage or steal data from their systems.

Targeted Attack and APT

Page 18: 2012-03 Security Outlook

Targeted Attack on SCADA

Supervisory Control and Data Acquisition (SCADA) Systems
Stuxnet targeted nuclear plants in Iran (2010)
– Refer to talk on "Targeted Attacks and Trend of Security Threats"
  • https://www.hkcert.org/my_url/en/event/11031801
Duqu in 2011 – variant of Stuxnet
– Refer to "Duqu Q&A"
  • http://www.f-secure.com/weblog/archives/00002264.html
Some attack cases in 2011 Q4
• Disabled the automated response system of St. John ambulance communication centres (New Zealand, Nov 2011)
• Attacker Pr0f released screenshots showing a UI used to monitor and control equipment at the Water and Sewer Department (Texas, USA, Nov 2011)
• Malware forced a hospital system to declare "total diversion" status and shut its doors (Georgia, USA, Dec 2011)

Page 19: 2012-03 Security Outlook

Targeted Attack on Critical Infrastructure of Trust

Stolen digital certificates used by the Stuxnet (Jan 2011) and Duqu (Oct 2011) Trojans
RSA SecurID hacked (Mar 2011)
– Caused a global replacement of tokens over years
Certificate Authority attacks
– Comodo (Mar 2011), DigiNotar (Aug 2011), DigiCert Malaysia (Nov 2011)
– More Dutch CAs: Getronics KPN CA (Nov 2011), Gemnet (Dec 2011)
Consequence
– Root certificates of these CAs are distrusted or removed from browsers/OS
– Some went out of business after the attack
– The attacks go down to the root of trust of the Internet

Page 20: 2012-03 Security Outlook

What happened to gov.nl?

DigiNotar root certificate no longer trusted, so the digital certificates it issued are no longer trusted
– DigiNotar provided certificate services to the Netherlands government (gov.nl) at that time!
– What happened to gov.nl?
BTW, gov.nl now redirects to community.e-overheidvoorburgers.nl.
Try government.nl now

Page 21: 2012-03 Security Outlook

Advanced Persistent Threats (APT)

Advanced – skilled, well-funded
Persistent – targeted, repeated
– Different techniques targeting the same organisation (critical infrastructure, government)
Typical advanced attack goes unnoticed for more than a year
– Only 6% of victim organisations discovered the attacks on their own. Most found out from external sources, e.g. law enforcement
Malware only tells half of the story
– Uses malware to gain an initial foothold within an organisation, then shifts to using legitimate credentials to move laterally
Persistence mechanisms
– Traditional reverse backdoors for remote access: the routine outgoing traffic is detectable
– New backdoor mechanisms: passive backdoors such as miniport drivers & web shells are harder to detect
Financially motivated attackers are increasingly persistent

Ref: Mandiant Annual Threat Report on Advanced Targeted Attacks – http://www.mandiant.com/news_events/article/mandiant_releases_annual_threat_report_on_advanced_targeted_attacks

Page 22: 2012-03 Security Outlook

Malware

Hong Kong status
– 3rd in hosting of malware, after Korea and China (McAfee Threat Report 2011 Q4)
Botnet
– Global botnet takedowns in 2011
  • Rustock, Coreflood, DNS Changer and Kelihos
– DNS Changer botnet
  • Taken down in Nov 2011. Court order allowed temporary DNS servers to stay up until Mar 8
  • HKCERT informed ISPs of over 3000 victim machines
  • Detection
    – DNS Changer Working Group Eyechart http://dns-ok.us
  • Note: court order extended to July 9
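The Eyechart tested a browser by resolving a name through whatever DNS servers the machine was using. The offline, host-side equivalent is to read the configured resolvers and compare them with the rogue-resolver ranges and with the resolvers the organisation actually runs. The following is an added example, not DCWG or HKCERT code: the rogue ranges and the approved-resolver list are constructed placeholders from the documentation address space (the slide does not reproduce the published rogue ranges), and the resolv.conf content is a constructed sample.

```python
"""Resolver hygiene check in the spirit of the DNS Changer Eyechart (added example).

Reads resolv.conf-style text, classifies every configured resolver, and flags
any that falls inside a known-rogue range. The rogue ranges and approved
resolvers below are constructed placeholders, not the published DCWG list.
"""
import ipaddress

# Placeholder ranges standing in for the published rogue-resolver list.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.64/26")]
# Constructed list of resolvers the organisation expects its hosts to use.
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("192.0.2.53", "2001:db8::53")}


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text; comments and malformed
    entries are skipped rather than treated as errors."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def classify_resolver(addr):
    """Verdict precedence: rogue, then approved, then local, else unexpected."""
    if any(addr in net for net in ROGUE_RESOLVER_RANGES if net.version == addr.version):
        return "rogue"
    if addr in APPROVED_RESOLVERS:
        return "approved"
    if addr.is_loopback or addr.is_private:
        # A stub resolver or a DHCP-assigned LAN resolver: not rogue by itself,
        # but its forwarders (e.g. on a home router) need the same check.
        return "local"
    return "unexpected"


def check(text):
    """List of (address, verdict) for every resolver found in `text`."""
    return [(str(a), classify_resolver(a)) for a in parse_resolv_conf(text)]


def has_rogue_resolver(text):
    return any(verdict == "rogue" for _, verdict in check(text))


CONSTRUCTED_RESOLV_CONF = """\
# constructed sample host, not a real system
search corp.example
nameserver 192.0.2.53
nameserver 203.0.113.77    # not set by the administrator
nameserver 127.0.0.53
nameserver 2001:db8::53
nameserver 8.8.8.8
nameserver not-an-address
"""

if __name__ == "__main__":
    for address, verdict in check(CONSTRUCTED_RESOLV_CONF):
        print(f"{address:20} {verdict}")
    print("rogue resolver present:", has_rogue_resolver(CONSTRUCTED_RESOLV_CONF))
```

The verdict order is deliberate: a rogue match wins even over a range that would otherwise count as local, because DNS Changer's value to its operators was precisely that the rogue resolver answered normally for most names and so looked like a working local setting. The same `classify_resolver` can be applied to addresses pulled from `ipconfig /all` output on Windows hosts, which the botnet mainly targeted, or from a router's DHCP configuration.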

Page 23: 2012-03 Security Outlook

Financial Trojans

Outlook: PC bot + mobile bot integration will continue
ZitMo (Sep-2010) and SpyEye (Apr-2011) go mobile
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile infection:
  • Infected PC visits bank website
  • Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and the IMEI # (and phone model)
  • Hacker sends a new "digital certificate" to the phone
  • User installs the Zeus mobile component
– Sniffs the SMS messages when woken up by a special SMS
  • Steals one-time passwords (OTP) sent via SMS
Cridex Trojan targets 137 financial organisations in one go
– Takes control of the victim's machine and allows it to collect information and potentially make fraudulent transactions by manipulating the bank web pages
– Has a "WORLD BANKER CENTER" plug-in which includes a database of 137 banks

Page 24: 2012-03 Security Outlook

Multi-stage infection (drive-by download)

Diagram: Browser → Web server (injected) → Exploit server → Malware hosting
• Browser sends a web request to the (injected) web server
• Redirected to the exploit server
• Exploit server serves the exploit page
• Redirected to the malware server
• Malware downloaded from the malware hosting
– Exploits imported from other web servers via iframes, redirects
– When compromised, the dropper downloads and installs the actual bot malware
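The chain starts on a legitimate page that has been modified to pull content from another host, typically a hidden iframe, an injected script source or a meta-refresh redirect. A site owner can check the HTML they actually serve for exactly those elements. The following is an added example for this transcript, not HKCERT code: it uses the standard library `html.parser`, the allow-list of the site's own hostnames is an assumed input, and the HTML sample and all hosts in it are constructed.

```python
"""Injected-iframe and off-site redirect check for a site owner (added example).

Scans served HTML for iframes, scripts, embeds or objects that reference hosts
outside the site's own allow-list, iframes styled to be invisible, and
meta-refresh redirects to other hosts. The sample page, the hosts in it and
the allow-list are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"www.example.org", "static.example.org"}   # constructed allow-list
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\" ]+)", re.I)
REMOTE_TAGS = ("iframe", "frame", "script", "embed", "object")


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []   # (tag, reason, url)

    def _offsite(self, url):
        # Relative URLs have no host and stay on-site; protocol-relative
        # ("//host/x") and absolute URLs are compared against the allow-list.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed

    @staticmethod
    def _is_hidden(attrs):
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            return True
        dims = [attrs.get(k) for k in ("width", "height")]
        try:
            return all(d is not None and float(d.rstrip("px")) <= 1 for d in dims)
        except ValueError:
            return False

    def handle_starttag(self, tag, attrs):
        # HTMLParser routes self-closing tags here as well via handle_startendtag.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag in REMOTE_TAGS:
            src = a.get("src") or a.get("data")
            if src and self._offsite(src):
                self.findings.append((tag, "offsite-src", src))
        if tag in ("iframe", "frame") and self._is_hidden(a):
            self.findings.append((tag, "hidden", a.get("src", "")))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m and self._offsite(m.group(1)):
                self.findings.append(("meta", "offsite-refresh", m.group(1)))


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of suspicious elements found in `html`."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


CONSTRUCTED_PAGE = """<html><head>
<script src="https://static.example.org/app.js"></script>
<meta http-equiv="refresh" content="0; url=http://203.0.113.9/go.php">
</head><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/embed" width="600" height="400"></iframe>
<iframe src="http://198.51.100.23/ad.php" width="0" height="0" style="display:none"></iframe>
<script src="http://203.0.113.9/c.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, reason, url in scan_html(CONSTRUCTED_PAGE):
        print(f"<{tag}> {reason}: {url}")
```

The allow-list is the important input: a page that legitimately loads from a CDN will reference an external host, so the check is "hosts this site does not use", not "any external host". Injected iframes are reported twice when they are both off-site and hidden, which is the combination a site owner should treat as a compromise until proven otherwise; the same scan run against a page fetched through a proxy that strips nothing gives a quick answer to "was our server modified" after an alert.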

Page 25: 2012-03 Security Outlook

HKCERT Guidelines

Malware Defense Guideline (new) – https://www.hkcert.org/my_url/en/guideline/12022902
Document Malware Defense Guideline (new) – https://www.hkcert.org/my_url/en/guideline/12022801
SQL Injection Defense Guideline – https://www.hkcert.org/my_url/en/guideline/08081101

Page 26: 2012-03 Security Outlook

Mobile Malware

Mobile malware overtaking PC malware (McAfee Threat Report Q3, Q4 2011)
Android malware risk factor going high
– Unregulated Android Market
– Rooting app available – install and click a button
– Attackers repackaging those same root exploits with malware
Massive infection of 5M machines (Jan 2012)
– "Android.Counterclank" Trojan packed in 13 Android apps
  • Collects information including bookmarks, handset model
  • Modifies the browser's home page, pushes unwanted ads
Android malware
– Mostly for-profit SMS-sending Trojans
– Collect personal data for phishing or ID theft
– Used in hacktivism in Tunisia

Mobile malware samples (figure)

Page 27: 2012-03 Security Outlook

Mobile Malware

Android Malware Vulnerability Database (PolyU research) – http://www4.comp.polyu.edu.hk/~appsec/
Mobile malware analysis website – http://mobile-sandbox.com

Page 28: 2012-03 Security Outlook

Android Market security enhancement

Bouncer: new security system for the Android Market
• Released in Q4 2011 to make sure no malware apps are in the Market
– Analyses new applications, applications already in the Android Market, and developer accounts
– Analyses uploaded apps for known malware, spyware and trojans
– Looks for suspicious behaviours
Need to see its effectiveness in the coming year

Page 29: 2012-03 Security Outlook

Cloud Computing Security

Crime in the cloud
– Password cracking
– Hosting phishing sites, malware
– Botnets in the cloud, launching DDoS
Attackers will exploit cloud vulnerabilities
– Vulnerability in Amazon Web Services allowed hackers to take control of the systems
– Vulnerability in Dropbox security made Dropbox user data accessible to all users
Outlook
– More use of the cloud by everyone
– Federated identity management for cloud services emerges
– Problem in reporting security incidents to local CSPs
– Pressure on cloud service providers for better security
  • Establish a CSP CERT for incident handling
  • Provide forensics tools and assistance to law enforcement

Page 30: 2012-03 Security Outlook

Social Network Security

We have a presentation from PISA today and I am not going to cover much
SNS becomes part of our life. Privacy is a key concern.
– UK consumer survey revealed many are far more careful with their social network login credentials than with passwords that grant access to corporate systems.
  • 34% of 2,000 people admitted sharing their work passwords
  • 80% of the same group were unwilling to reveal their Facebook login details
Most recent concern areas in SNS
– Google Privacy Policy
– Facebook Timeline and Social Path

Page 31: 2012-03 Security Outlook

Trendy Technologies

DNSSEC – Domain Name System Security Extensions
– ".hk" DNSSEC deployment at the end of 2012
– A change of infrastructure, like IPv6
HTML5
– Next generation web technology standard (more on 2014)
– Provides multimedia, desktop experience, geo-location, local cache support, performance and security
– But also has security issues, e.g. websockets scan, privacy
NFC (Near Field Communication)
– Non-contact, near-distance wireless communication technology used in transactions
– Visa approves smartphones for NFC payments (Jan 2012)
– Google Wallet NFC exploited (Jan 2012)
– PayPal abandoned NFC after trial and adopts its own technology (Feb 2012)
– Issues: financial liability in case of device theft, security

Page 32: 2012-03 Security Outlook

Q & A

Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]