Online threats and trends and the role of a CERT
PacINET 2008
Kathryn Kerr, AusCERT
Copyright © 2008 AusCERT
Outline
• Introduction
• Online threats and trends
  – What’s at risk
  – Attack trends
• What does AusCERT do?
  – Role of the national CERT
• Ideas for building capability
What’s at risk? Confidentiality
Health records via the web
• At risk – integrity and confidentiality
• For example, NSW government Health-e-link
  – http://www.healthelink.nsw.gov.au/additional_resources/?a=53559#7
• Single factor authentication over web based SSL
• Adheres to privacy principles and has measures to protect the security of the Health-e-link servers and database
• But none of these counter-measures protects against commonplace attacks directed at client PCs – which may capture online transactions, including form data sent or received via SSL sessions
What’s at risk? Availability
• Access to your country’s online systems and services
• Example - Estonia is a small country but highly dependent on its online systems
  – 100% use e-government
  – 99% use online banking
  – 86% online taxes
• Estonian DDOS attacks lasted for 3 weeks (May 2007)
  – targeted government and commercial systems
  – Attacks politically motivated but with financial and social impacts
• CERT-Estonia played a significant role coordinating response to defend and mitigate these attacks
  – Sought assistance from experts around the world (including ISPs, CERT communities, network and infosec communities)
  – Developing lessons-learned reports
The threat and motivation
• Since 2003 – cybercrime economy started with phishing
• Criminals are actively targeting e-commerce and e-government services
• Motivation is money – illicit financial gain
• Many types of cybercrime
  – identity theft features prominently
• Returns are high – risk is low
• Common attacks directed at:
  – Client PCs (home and work)
  – Web applications/servers
Evolution of the threat
• Botnets are the criminals’ “killer app” (swiss army knife)
  – Hosting malware sites
  – Hosting phishing sites
  – Advertisement click fraud
  – Sending out spam
  – For rent/sale
  – DDOS attacks
• Fast flux domains (using fraudulently registered domains)
• Complex and resilient communication structures
• Self defending, eg Storm P2P botnet
Fast Flux domains
Sophisticated malware functionality
• Ability to defeat various forms of two factor authentication
  – Ability to initiate transactions in the background after the legitimate user has authenticated, during the authenticated session
• Ability to defeat SSL digital certificates by using HTML injection and retaining the connection to the legitimate site with its legitimate digital certificate
• Ability to modify browser stored root certificates
• Ability to access all information on the computer including protected store data (passwords), including soft certificates and protected store
• Ability to hide itself (rootkits) and disable or bypass security counter-measures
• Ability of attacker to control hundreds of thousands of computers simultaneously, via the malware
Trojans
Logging behaviour
[Chart: Tsunami Trojan: infections and logging. X axis: Date / time, 19/11/2004 to 19/12/2004 in 5-day steps; Y axis: Logging site hits, 0 to 12000. Series: Data logged; Trojan infections.]
Captured credentials and web sessions
[Diagram: SPAM → user clicks on the link → visits legitimate website with username & password]
Spam lures shown:
“Your order #[number] has been accepted for the amount 865.00 AUD”
“Act of terrorism at The Opening Ceremony of the ATHENS 2004 Olympic Games”
"Current Australia's Prime Minister survived a near attack"
“Osama Found Hanged”
“George Bush sniper-rifle shot!”
“Huge ocean wave!” - http://www.tsunamidanger.com
“I sent Sent You an E-Card From AOL E-Cards powered by BlueMountainCards.com.au”
“SENSATION! It's happened again! White house orgie!”
E-government security challenges
• Security of e-government transactions depends on the security of the entire channel
  – Channel includes the remote client PCs that connect to those systems
  – For all personal information accessed or submitted online
• In event of remote system compromise, technology exists to protect integrity of financial transactions (eg, online banking)
  – Eg transaction signing off untrusted device
• For compromised remote client systems there is no way to protect the confidentiality of those transactions.
  – For e-government services confidentiality is the paramount security goal
• Assume remote client PC is compromised when developing your risk management strategy
ID theft malware 1
https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:16
form=theform;type=text; UserId1=xxxxxxxx
form=theform;type=password; Password=txxxxxxxxle
URL=https://online.NatLloyds.co.uk/logon.ibc
To log on enter your User ID and Password.
………...
Please enter characters 1, 2 and 6 from your Memorable Information
1 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
2 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
6 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
Forgotten your Memorable Information?
<!>https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:27
form=theForm;type=select-one; ResponseValue0=g
form=theForm;type=select-one; ResponseValue1=a
form=theForm;type=select-one; ResponseValue2=r
ID theft malware 3
URL=https://www.ir_online.gov.uk/irsa2/RenderEngine?eForms_timestamp=1104501920101
This site is compatible with assistive technology. Skip to the top menu including help, save and close. Skip to the menu on the left. Skip to the first paragraph or entry box on this page.
Online Tax Return - Self Assessment
Mr XXXX XXXXXXXX Tax Return: 2003/2004
Main Form (SA100)
Welcome
My Details | Form(s) Selection | Employment | Self-employment | Partnership | Land & Property | Main Form
ID theft malware 4
Message 14 of 2898
From: XXXXXXX
To: XXXXXX
Subject: RE: VPN Connections
Sent Date: XXXXXXX
Received Date: XXXXXXX
No Problem XXXXX. If you do have any troubles please don't hesitate to call.
Best wishes,
XXX
-----Original Message-----
From: XXXXX
Sent: XXXX
To: XXXX
Subject: Re: VPN Connections
XXX, after having no luck for some days - I've just got through..... Sorry for wasting your time, XXXX
ID theft malware 5
Mail | Directory | Return To Portal | Preferences | Logout | Help
Copyright © 1998, 2004, XXXXX. All rights reserved.
[1]<>https://www.XXXX.com/
frame=1 form=Logon i_1=XXXXXXX
[pwd] frame=1 form=Logon i_2=XXXXX
URL=https://www.XXXX.com/
Employee Guide | XXX Homepage | XXXXX Opportunities | XXXCar | XXXUser | Career Management | Internal Training
Welcome to your personal view and data on XXXX's HR database. Logon here to view your Select Flexible Benefits system or access your Personal Documents.
[1]< >https://www.xxxx.com/
12/31/2004 11:29:41 AM
frame=1 form=Logon i_1=xxxxxx
[pwd] frame=1 form=Logon i_2=xxxxxxxxx
Web app vulnerabilities
• Many cyber attacks are hosted on compromised web sites
• Use a variety of attack mechanisms to compromise the web site and serve malware to visitors to the site
• No need for spam to direct visitors to the site
• Rather than scanning, specific vulnerabilities are searched for (eg using Google) then exploited
  – Attacks often automated – bulk compromises
Overt web defacement - before
Now – covert compromise
Locating vulnerable web pages
SQL injection using ASProx malware
• Active Server Pages (ASP) is Microsoft’s implementation of server-side scripting
• ASProx conducts automated Google searches for .asp web pages and launches SQL injection attacks
• If successful, it includes a malicious script tag which attempts to install malware
• AusCERT is monitoring .au domains compromised by ASProx
• Between 24 June 2008 – 17 July 2008, 98 .au domains compromised
• Purpose: to create bots
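A check of the kind the monitoring bullet above implies, as an added example rather than AusCERT's own tooling: it parses a page as served by a site and lists the hosts it loads scripts from other than the site's own host (or an allow-list), which is how an injected script tag shows up from the outside. The page contents and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag; html.parser accepts the
    unquoted attribute form (src=http://...) as well as quoted ones."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())

def foreign_script_hosts(html, page_url, allowed_hosts=()):
    """Return the distinct external hosts the page pulls scripts from,
    excluding the page's own host and any allow-listed hosts (e.g. a CDN).
    On a site that should only serve its own scripts, a non-empty result is
    the symptom an injected script tag leaves behind. Relative src values
    (no host) belong to the site itself and are ignored."""
    own_host = (urlparse(page_url).hostname or "").lower()
    allowed = {own_host} | {h.lower() for h in allowed_hosts}
    collector = ScriptSrcCollector()
    collector.feed(html)
    foreign = []
    for src in collector.srcs:
        # protocol-relative "//host/x.js" only yields a host once given a scheme
        parsed = urlparse("https:" + src if src.startswith("//") else src)
        host = (parsed.hostname or "").lower()
        if host and host not in allowed and host not in foreign:
            foreign.append(host)
    return foreign

# Constructed sample: a page whose database-backed text fields came back with
# an injected script tag (placeholder host), repeated in several fields.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script></head>
<body><h1>News<script src=http://injected-host.invalid/x.js></script></h1>
<p>Story text<script src=http://injected-host.invalid/x.js></script></p>
<script src="//cdn.example.net/lib.js"></script></body></html>"""

if __name__ == "__main__":
    hosts = foreign_script_hosts(SAMPLE_PAGE, "http://www.example.com.au/news.asp",
                                 allowed_hosts=["cdn.example.net"])
    print("Unexpected script hosts:", hosts)   # ['injected-host.invalid']
```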
ASProx SQL injection
About AusCERT
• Australia’s national CERT
  – Constituency - all Australian Internet users
  – 15 years of operation
• Independent and impartial
  – University-based, non-government
  – Self-funded and not-for-profit
• Primary point of contact for incidents affecting Australian networks
  – Analysis and advice about computer network threats and vulnerabilities
  – Incident response, coordination and mitigation
What is AusCERT doing?
– Monitoring and providing advice about threats and vulnerabilities and security management
– Incident response and mitigation assistance for current attacks
– Analysing malware to understand the nature of the threat and how to prevent and recover from the attack
– Building and maintaining links with national and international stakeholders vital for effective incident response.
Attack detection and mitigation
• Detecting and providing advice about, eg
  – vulnerable DNS servers
  – vulnerable web servers
  – ASProx web compromises
  – compromised PII and credentials (log data)
• Compromised PII and credentials:
  – Sort and separate by domain
  – Then redistribute to affected parties in Australia and around the world
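The sort-and-separate step above, as an added example (not AusCERT's tooling): it parses captured form-field records in the layout the "ID theft malware" slides show, groups them by destination domain and masks the secret values, so each affected party can be notified without the credentials being re-exposed. The log lines are constructed; the URL= and <!> prefixes are taken from the slides.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the layout of the keylogger output on the "ID theft
# malware" slides: a URL line, a timestamp, then form=...;type=...; field=value.
SAMPLE_LOG = """\
https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:16
form=theform;type=text; UserId1=user0001
form=theform;type=password; Password=hunter2
https://hr.example.com/
12/31/2004 11:29:41 AM
form=Logon;type=text; i_1=employee42
form=Logon;type=password; i_2=Summer04
<!>https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:27
form=theForm;type=select-one; ResponseValue0=g
"""
URL_RE = re.compile(r"^(?:<!>|URL=)?(https?://\S+)$")
FIELD_RE = re.compile(r"^form=([^;]*);type=([^;]*);\s*([^=]+)=(.*)$")
SECRET_TYPES = {"password", "select-one"}   # select-one: memorable-info picks

def split_by_domain(log_text):
    """Group captured submissions by destination domain, masking secret values
    with same-length asterisks. URL lines with no field lines yield no record."""
    by_domain = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = URL_RE.match(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "unknown").lower()
            current = {"domain": host, "url": m.group(1), "timestamp": None, "fields": {}}
            continue
        if current is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            _form, ftype, name, value = f.groups()
            if not current["fields"]:          # first field: the record is real
                by_domain[current["domain"]].append(current)
            current["fields"][name] = "*" * len(value) if ftype in SECRET_TYPES else value
        elif line and current["timestamp"] is None:
            current["timestamp"] = line        # first non-field line after the URL
    return dict(by_domain)

if __name__ == "__main__":
    for domain, records in sorted(split_by_domain(SAMPLE_LOG).items()):
        print(f"{domain}: {len(records)} captured submission(s)")
```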
What are the solutions?
• National e-security plans and arrangements, which include:
  – National or regional CERT capability
  – Capability for monitoring, analysing and reporting on cyber threats and vulnerabilities
  – Plans for dealing with DDOS attacks against critical online systems/services
  – Best practice domain name registry policies
  – Adherence to effective Acceptable Use Policies by ISPs
  – Education and awareness raising program for government, business and end-users and incentives for applying good security
  – Recognise risks to e-government systems - channel
What are the solutions?
• Internationally
  – Coordinated and cohesive cyber response capabilities
    • Among like sectors, law enforcement, CERTs, domain name registries, ISPs, ICT regulators, anti-virus vendors, product vendors
  – Current priorities require focus on:
    • Detecting and cleaning bots/botnets
    • Secure web programming to prevent legitimate sites being used to serve malware
    • Malware detection and analysis
    • Procedures to prevent and remove fraudulent domains
    • Building trusted (trustworthy) (more secure) software
Model for national and international cooperation
[Diagram nodes: Domain Registries, Finance Sector (FS), Law Enforcement (LE), National CERT, ISPs]
Further information
• E-government risks
  – Managing risk associated with online ID theft for government and providers of e-government services, 2005, www.auscert.org.au
• Cybercrime and malware
  – OECD, Malicious software (malware) – a security threat to the internet economy, Ministerial Background Report, June 2008, available online
  – House of Lords, Personal Internet Security, Science and Technology Committee Report, Volume 1, 2007, available online
  – CERT/CC, Botnets as a vehicle for online crime, 2005, http://www.cert.org/archive/pdf/Botnets.pdf
Thank you.
Questions?