Secure Internet, 2004. 2 : KIM, WooHan, Head of KISC (whkim@kisa.or.kr), Korea Information Security Agency (slide transcript, 23 slides)


  • 1

    Secure Internet

    2004. 2

    KIM, WooHan

    Head of KISC

    whkim@kisa.or.kr

    Korea Information Security Agency

  • 2

    Positive Sides of Internet (Global) (Source: Peacockmaps, IANA)

    No. of Host Computers on the Internet

    Year       No. of Hosts
    1981.8              213
    1982.5              235
    1984.10           1,024
    1986.10           1,961
    1987.12          28,174
    1988.10          56,000
    1991.10         617,000
    1994.10       3,864,000
    1997.7       26,053,000
    2000.7       93,047,785
    2003.1      171,638,297

    Korea Information Security Agency

  • 3

    Negative Sides of Internet (Global) (Source: dshield.org)

    No. of Hacking incidents per year

    Country    1998    1999    2000    2001    2002
    USA        3734    9859   21756   52658   73359
    UK         1594    1712    4783   40274   99940
    Japan       923     788    2232    2853     996

    Korea Information Security Agency

  • 4

    Positive Sides of Internet (Korea) (Source: KRNIC)

    No. of IP addresses in Korea

    Year    No. of IP Addresses
    1993              3,324,416
    1994              3,848,704
    1995              4,766,208
    1996              6,208,000
    1997              7,256,576
    1998              8,174,080
    1999             10,402,304
    2000             18,921,984
    2001             22,985,216
    2002             27,179,520
    2003             30,980,608

    Korea Information Security Agency

  • 5

    Negative Sides of Internet (Korea)

    [Chart: Number of Intrusion events reported to KISA, Jan. to Sep. 2003 (except Slammer Worm), monthly, scale 0 to 25,000, broken down by Virus, Worm, Trojan Horse, Hoax, Joke, etc. Source : KISA (2003)]

    Korea Information Security Agency

  • 6

    Evolution of Virus & Worm…

    [Chart: attack evolution over time; axis label: Intruder’s Knowledge]

    Korea Information Security Agency

  • 7

    Threat from evolving worm…

    1980s, First Gen (spreads in weeks): Boot viruses; CIH
    1990-2000, Second Gen (spreads in days): Macro viruses; Denial of service; CodeRed, Nimda
    Today, Third Gen (spreads in hours/minutes): Distributed denial of service; Blended threats; Slammer, MSblast
    Future, Next Gen (spreads in minutes/seconds): Flash threats; Massive worm-driven DDoS; Damaging payload worms; Slammer + Welchia + SoBig.X; ?????

    Scope of impact axis: PC/Server, LAN, ISP, Mul. ISPs, Global, Day Zero

    Korea Information Security Agency

  • 8

    Announcement : Top 20 Vulnerabilities List (Source: Symantec)

    Vulnerabilities on the Rise : New Vulnerabilities per Week

    Year        New vulnerabilities per week
    '99                  10
    '00                  25
    '01                  30
    '02                  50
    '03 proj.            70

    Korea Information Security Agency

  • 9

    Announcement : Top 20 Vulnerabilities List (Source: isc.incidents.org)

    Unix
    • BIND (Berkeley Internet Name Domain)/DNS
    • Remote Procedure Call (RPC)
    • Apache Web Server
    • General UNIX Authentication
    • Clear Text Services
    • Sendmail
    • Simple Network Management Protocol (SNMP)
    • Secure Shell (SSH)
    • Misconfiguration of Enterprise Services (NFS/NIS)
    • Open Secure Sockets Layer

    Windows
    • Internet Information Server (IIS)
    • Microsoft SQL Server
    • Windows Authentication
    • Internet Explorer
    • Windows Remote Access Services
    • Microsoft Data Access Components (MDAC)
    • Windows Scripting Host (WSH)
    • Microsoft Outlook / Outlook Express
    • Windows Peer to Peer File Sharing (P2P)
    • Simple Network Management Protocol (SNMP)

    Korea Information Security Agency

  • 10

    Network & Vulnerabilities…

    [Diagram 1: Korean national high-speed network topology. Labels (translated from Korean): ATM switching network; Boranet; educational institutions; Video; base station; HDSL-CO; HDSL-RT; digital library; ONU; CATV Head End; DACS; leased line (L/L); 4W; subscriber premises; national high-speed network Internet gateway; L2-IX; domestic Internet traffic; DREAMLINE; EDUNET; Channel i; Netsgo; UNITEL; KRNET; GigaPOP; overseas Internet traffic; cable modem; National Computerization Agency; BGP4; DNS; Web Hosting; News; Mail; FTP; home customers; splitter; cable modem; D/U modem; switching hub; national network Internet server (using national network investment); PSTN; servers; Chollian; Web Mailing (dedicated to the Ministry of Education). Note on the diagram: the subscriber network from a national network node to each school can use relay cable networks, B-WLL, leased lines, etc.]

    [Diagram 2: generic ISP network with the same structure. Labels: ISP; VideoRP; DSLAM; xDSL Modem; WLL; ONU; CATV Head End; Router; L/L; 2W; 4W; Customer Site; ISP Network Gateway; L2-IX; ISP1 to ISP5, ISP N; GigaPOP; International Internet; CM; Foreign ISP; BGP4; DNS; DBMS; Web; Mail; FTP; Home; Splitter; Cable Modem; D/U Modem; Server Farm; Dial-Up; Web Mail. Vulnerability callouts placed on the diagram: BIND, RPC, SendMail, Apache/IIS, SQL, Explorer, Mis_Config, IOS/JuNOS, MS: Patch !!]

    Korea Information Security Agency

  • 11

    Doomsday …. (’03.1.25)

    Slammer’s Geographical Distribution : infection ratio in the first 30 min. among 74,856 distinct IP addresses.

    Country         % of Victims
    USA                   42.87
    KOREA                 11.82
    Unknown                6.96
    China                  3.98
    Taiwan                 2.88
    Canada                 2.38
    Australia              2.02
    U.K.                   2.02
    Japan                  1.72
    Netherlands            1.53

    SQL Slammer worm infected more than 90 percent of vulnerable computers within 10 minutes, opening a new era of fast-spreading viruses on the Internet.

    Korea Information Security Agency

  • 12

    Another Worm in Aug., ’03 : MSBlast (2003.8.12) (Source: McAfee)

    Infected Systems : 200,000 or more
    Spread Speed : a couple of hours
    DDoS against windowsupdate.com

    Vulnerability : RPC-DCOM
    -. RPC was fine : it just receives data and passes it to DCOM
    -. DCOM was the problem : the file name was limited to 544 Bytes, with no checking of the file name length. Large file name -> Stack O/F -> Arbitrary code can be executed.

    Korea Information Security Agency
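The defect pattern the slide describes (a fixed 544-byte name buffer filled from network data without a length check) beside the bounds-checked form a defender would want, as an added C illustration that is not the DCOM implementation. The handler names, the UNC-style sample name and the 2000-byte oversize input are constructed assumptions; only the 544-byte limit comes from the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative code, not the DCOM implementation: the slide reports a
 * fixed 544-byte file-name limit with no length check, modelled below. */
#define MAX_NAME 544

/* Unchecked handler, the defect pattern from the slide: the length sent by
 * the remote peer is trusted, so memcpy writes past the 544-byte stack
 * buffer whenever len > MAX_NAME. Kept only for contrast; never call it
 * with oversized input. */
size_t handle_name_unchecked(const uint8_t *data, size_t len) {
    uint8_t buf[MAX_NAME];
    memcpy(buf, data, len);            /* no bounds check: stack overflow */
    return len;
}

/* Hardened handler: validate the wire length against the buffer before any
 * copy, NUL-terminate, and report the accepted length.
 * Returns 0 on success, -1 when the input is rejected. */
int handle_name_checked(const uint8_t *data, size_t len, size_t *name_len) {
    uint8_t buf[MAX_NAME];
    if (data == NULL || name_len == NULL)
        return -1;
    if (len > MAX_NAME - 1)            /* keep one byte for the terminator */
        return -1;
    memcpy(buf, data, len);
    buf[len] = '\0';
    *name_len = strlen((const char *)buf);
    return 0;
}

/* Constructed sample: a normal UNC-style name (26 bytes) is accepted.
 * Returns 1 when the handler behaves as expected. */
int accepts_short_name(void) {
    static const uint8_t name[] = "\\\\fileserver\\share\\doc.txt";
    size_t n = 0;
    return handle_name_checked(name, sizeof name - 1, &n) == 0
        && n == sizeof name - 1;
}

/* Constructed sample: a 2000-byte name and an exactly-544-byte name are
 * rejected, while 543 bytes (the largest that fits) is accepted.
 * Returns 1 when the handler behaves as expected. */
int rejects_long_name(void) {
    uint8_t big[2000];
    size_t n = 0;
    memset(big, 'A', sizeof big);
    return handle_name_checked(big, sizeof big, &n) == -1
        && handle_name_checked(big, MAX_NAME, &n) == -1
        && handle_name_checked(big, MAX_NAME - 1, &n) == 0
        && n == MAX_NAME - 1;
}
```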

  • 13

    Another Worm in Aug., ’03 : Welchia (2003.8.15) (Source: McAfee)

    Traffic flooding to LAN and ISP Network
    Removes MSBlaster.exe
    Scheduled to stop on Jan. 1st, 2004

    MSBlaster Clone : same vulnerability as MSBlaster. ICMP packet increment : traffic flooding to the ISP network. Ping Request -(Answer)-> RPC 135 Scan -> DNS Query for MS Patch (MS 02-029) to wipe out MSBlast. Recursive attack to find other victims.

    Korea Information Security Agency

  • 14

    Another Worm in Aug., ’03 : SoBig.F (2003. 8.19) (Source: McAfee)

    6th version of the SoBig series in 2003
    -. Launched via UseNet
    -. Attached file (80KB) sending -> traffic flooding to ISP and mail servers
    -. 20 master servers: 2 servers in Korea

    Massive Mailing Worm ( Release / Closing Date )
    -. SoBig.A ( 2003. 1. 9 / )
    -. SoBig.B ( 2003. 5.18 / 2003. 5.31 )
    -. SoBig.C ( 2003. 5.31 / 2003. 6. 8 )
    -. SoBig.D ( 2003. 6.18 / 2003. 7. 2 )
    -. SoBig.E ( 2003. 6.25 / 2003. 7.14 )
    -. SoBig.F ( 2003. 8.18 / 2003. 9.10 )

    Korea Information Security Agency

  • 15

    New Movement from Microsoft (Source : Microsoft)

    SD3 + Communications
    • Secure by Design
    • Secure by Default
    • Secure in Deployment
    • Communications

    [Pie chart: OS share] Windows 95/98 33.5%; Windows NT/XP/2000 62.6%; Linux 3.7%; Solaris 0.2%; etc 0.1%

    Windows 98 : fade out by 2006
    Longhorn : 2005 ?
    Security Enhancement : competing with vaccine companies; fighting with Linux Consortium ?

    Korea Information Security Agency

  • 16

    Microsoft has changed, “ Open Policy, no more Almighty…” (Source : Microsoft)

    TwC Partnerships: Enterprise, Academic and Government

    Shared Source Initiatives
    • Enterprise Source Licensing Program
    • Academic Source Licensing Program
    • Windows CE Licensing Programs

    Government Security Program
    • Allows national governments and international organizations to confirm the quality of the platform
    • Helps governments build a secure infrastructure
    • Includes opportunities for security training

    Over 60 governments eligible for GSP, current signatories include NATO, United Kingdom, Russia, China, Chinese-Taipei, Australia, New Zealand, etc.

    Korea Information Security Agency

  • 17

    Movement from Cisco (Source: Cisco)

    [Chart: operational capability (vertical axis) vs. applications to services and complexity of network security (horizontal axis)]
    • 1985, Block and hide : manual, crypto solves all
    • 1995, Detection of threats : reactive point products, some automation
    • Today, Protection from threats : comprehensive, integrated solutions
    • Future, Adaptive networks : self-managing, self-healing, security-aware networks

    Korea Information Security Agency

  • 18

    So, Cisco wants to do…. (Source: Cisco)

    1st : Team_Up   2nd : Network Admission Control

    [Diagram: Policy Servers decide per endpoint before it reaches the internet. Compliant Endpoint: Admit! Noncompliant Endpoint: Deny!]

    What does that mean?
    . . To protect innocent & clean network user and system. (?)
    . . To protect IP network (LAN, WAN, Global) (?)
    . . To protect Cisco’s IP products from competitors (?)
    . . To protect selected US friends in IT industry (?)

    Conclusion : “Security is the last business model to be survived.”

    Korea Information Security Agency

  • 19

    All Round Counter Measures…

    Source: www.caida.org ( World Wide BGP Connection ). Harmonization required !

    Gov. : Policy, Education
    Corp : Investment, Mind
    ISV : Secure S/W coding
    User : Patch, Vaccine, PC-F/W
    ISP : Secure Network, Collaboration

    Korea Information Security Agency

    http://www.caida.org/

  • 20

    Reaction from MIC after 1/25/’03 (MIC : Ministry of Information and Communication)

    Regulations for a more secure internet ( 12/29/’03 )
    -. E-Secure Korea from internet intrusion attack ( Hacking and Virus/Worm )
    -. E-Clean Korea from SPAM mail and pornography
    -. E-Privacy Korea protecting personal private information (SSN etc.)

    Stimulation of Internet security investment by ISPs & Corp.
    -. 30 B KW planned before 1/25/’03
    -. 100 B KW invested within Year 2003 after 1/25/’03

    Monitoring and Protection Center opening (12/17/’03)
    -. KISA/KISC ( Korea Internet Security Center )

    Promotion of Cyber Security Awareness
    -. Netizen : Training and Education
    -. ISP : Security guideline for the ISP and IDC

    Secure Core Router Development
    -. Long term R&D project for a more secure router

    Korea Information Security Agency

  • 21

    KISC’s Task & Job Flow…

    [Diagram] Inputs to KISC: Major ISPs; Sec. Co (security companies); RTSD Agent; Notice Mail; IDS/Firewall; User; S/W, H/W; AV/Vaccine; ISP/ESM; Vul.; Worm; Detc.; Foreign Info.

    KISC functions: Detect, Analysis, Propagation, Recovery

    Notification channels: Mail, Web, SMS, Messenger, FAX, TRS

    Propagation targets: Private Sectors; Home Users; Press & TV/Radio; ISP & Hot Liners

    Korea Information Security Agency

  • 22

    KISC’s Today & To_Be_Model…

    [Diagram, labels translated from Korean where needed] KISC at the center, linked to: Int’l Relations; Netizen; Company; Security Co.; Other Institutes; Network Vul.; S/W Vul.; vaccine (anti-virus); security patches; virus samples / attack types; ISPs / IDCs / SOs; overseas trends, joint incident response; Vul. R&D Center; Internet; B/U-Site; ISP; Cyber Vac.; Other ISACs; Telecom ISAC; KISC’s Expert Sys.; Other ISVs; Other AVs; Global R&D Cooperation; US-CERT, CN-CERT, JP-CERT; international cooperation framework.

    Korea Information Security Agency

  • 23

    We are the partnersWe are the partners……

    Thanks !

    For the Secure Internet !!!

    Korea Information Security Agency
