香港電腦保安事故協調中心 (Hong Kong Computer Emergency Response Team Coordination Centre)

Computer Incident Trend and How HKCERT Tackles Them
Roy Ko, Centre Manager, Hong Kong Computer Emergency Response Team Coordination Centre
City University of Hong Kong, 3 November 2011

Agenda
- Background
- Incident Trend
  - Up to 2005
  - From 2005
  - From 2006
  - 2008 onwards
- What is Next
- Conclusion

What is CERT?
- Computer Emergency Response Team
- "An organization that studies computer and network INFOSEC in order to provide incident response services to victims of attacks, publish alerts concerning vulnerabilities and threats, and offer other information to help improve computer and network security." - RFC 2828 (Internet Security Glossary)

History of CERT
- CERT/CC - Computer Emergency Response Team Coordination Centre, USA
- Founded in December 1988 at Carnegie Mellon University, Software Engineering Institute, to respond to a number of network incidents
- Funded by the Defense Advanced Research Projects Agency (DARPA)

HKCERT
- In operation since February 2001
- Funded by the HKSAR Government
- Operated by the Hong Kong Productivity Council

Objectives
- To handle computer and network security related incidents
- To promote information security awareness in the community
- To carry out studies and research to plan for improving security in the future

Our Services (1)
- Security Alert Monitoring and Early Warning
  - Monitor security vulnerabilities and the development of viruses and worms
  - Issue alerts to the public to mitigate the impact of these threats
- Incident Report and Response
  - Hotline services for incident reporting and handling
  - Cross-border coordination
  - Proactive discovery

Our Services (2)
- Publication of Security Guidelines and Information
  - Security alerts and advisories
  - Security news
  - Security guidelines
  - Monthly newsletter
- Promotion of Information Security Awareness
  - Organize security seminars and briefings
  - Attend security events
- Local and Overseas Coordination

HKCERT Web site: http://www.hkcert.org/

HKCERT Coordination
(Diagram: HKCERT at the centre, coordinating with the following parties)
- Overseas: organizations, banks, e-commerce sites, CERT teams (FIRST, APCERT, CNCERT/CC), cross-border connections (police, government)
- Local: Internet users and SMEs in Hong Kong, ISPs, HKDNR, critical businesses, vendors

FIRST
- Forum of Incident Response and Security Teams (FIRST)
- Over 200 CERT organizations registered as members of FIRST
- Cooperation on prevention, detection, and recovery from computer security incidents
- Means for the communication of alert and advisory information on potential threats and emerging incident situations
- Sharing of security-related information, tools, and techniques

APCERT
- Encourage and support regional and international cooperation on information security in the Asia Pacific region
- Jointly develop measures to deal with large-scale or regional network security incidents
- Facilitate information sharing and technology exchange, including information security, computer virus and malicious code, among its members
- Promote collaborative research and development on subjects of interest to its members
- Assist other CSIRTs in the region to conduct efficient and effective computer emergency response capability
- Provide inputs and/or recommendations to help address legal issues related to information security and emergency response across regional boundaries
- Organize an annual conference to raise awareness on computer security incident responses and trends
(Diagram: Network Security Cooperation, Emergency Response, Computer Security Awareness. Copyright © 2008 APCERT)

APCERT Member Teams
- 27 teams / 18 economies as of September 2011 (started from 15 teams / 12 economies)
- Full Members (19): AusCERT (Australia), BKIS (Vietnam), BruCERT (Negara Brunei Darussalam), CCERT (People's Republic of China), CERT-In (India), CNCERT/CC (People's Republic of China), HKCERT/CC (Hong Kong, China), IDCERT (Indonesia), ID-SIRTII (Indonesia), JPCERT/CC (Japan), KrCERT/CC (Korea), MyCERT (Malaysia), PHCERT (Philippines), SingCERT (Singapore), SLCERT (Sri Lanka), ThaiCERT (Thailand), TWCERT/CC (Chinese Taipei), TWNCERT (Chinese Taipei), VNCERT (Vietnam)
- General Members (8): BDCERT (Bangladesh), BP DSIRT (Singapore), CERT Australia (Australia), GCSIRT (Philippines), MOCERT (Macau), MonCIRT (Mongolia), NUSCERT (Singapore), TechCERT (Sri Lanka)

HKCERT Statistics: Incidents Reported
(Chart: incidents reported per year, 2001 to 2011 (Jan-Sep); series: Security, Virus)

HKCERT Statistics: Alerts Published
(Chart: alerts published per year, 2001 to 2011 (Jan-Sep); series: Security, Virus)

HKCERT Incidents 2010
(Chart: incidents by type in 2010, total = 1,153; categories: Spamming, Code Injection, Spyware, Defacement, Virus, Phishing, Hacking, Others. Source: HKCERT)

In 2001 ...
- Hacking War (HK Econ Times, May 3, 2001)
- Computer Virus
- Code Red Worm (HK Econ Times, July 26, 2001)
- Nimda Worm
- Slammer Worm (Hong Kong Economic Times, February 17, 2003; Ming Pao and Oriental Daily, January 28, 2003)
- Blaster Worm

Summary
- The Age of the Computer Virus
- Handled major virus outbreaks
- Awareness and education
- Knowledgebase
- Detection and cleaning tools/instructions

From 2005 ...

HKCERT Statistics: Phishing/Spyware Incidents
(Chart: phishing and spyware incidents per year, 2004 to 2011 (Jan-Sep); series: Phishing, Spyware)
News clippings: Oriental Daily, March 17, 2005; Economic Times, April 1, 2005; Ming Pao, March 13, 2006

Summary
- From Virus to Malware
- Communication with industry
  - Security vendors
  - Victims: warning and education
- Clean PC Day

From 2006 ...
News clipping: HK Econ Journal, 14 March 2006

Information Leakage
News clippings: Ming Pao, 14 May 2007; Oriental Daily, 7 May 2008; Ming Pao, 4 July 2008; Ming Pao, 31 March 2007
TJX Incident (Aug 08): Ming Pao, 7 August 2008

Summary
- Information Leakage
  - Personal data privacy
  - People issue
  - Technology advancement
- Active Hacking

From 2008 ...
News clipping: Apple Daily, 13 May 2007

Summary
- Proactive Discovery
  - Web defacement
  - Code injection
- Malware detection and analysis
- Cyber criminals

Recently
- Web Application Security (Ming Pao 16 December 2008; Econ Times 14 August 2008)
- Malware & Botnet (Ming Pao 15 October 2010; Ming Pao 02 October 2010)

Malware & Botnet
- Malware
  - Targeted attacks
  - Variants, keep changing
  - Infection through drive-by download (phishing websites); links in email, instant message and social media messages
- Botnet
  - 5 million different botnets globally

Social Network
News clippings: Apple Daily 27 August 2010; Ming Pao 8 November 2010; Econ Times 30 July 2010; Apple Daily 8 October 2009; Econ Times 30 September 2009; Econ Times Daily 18 July 2009; Ming Pao 25 Oct 2007; Ming Pao 16 May 2009

Social Networks
- Personal privacy protection: what information is kept in your profile
- Application vulnerabilities and security settings
- Malicious apps
- Facebook
  - A popular platform (worldwide over 500 million users)
  - A lot of personal information kept
  - An obvious attack target

Smartphone Security
News clippings: Ming Pao 1 January 2011; Apple Daily 2 January 2011

Smartphone Security: Data Theft/Leakage
News clippings: Econ Times 14 August 2010; Ming Pao 28 July 2010; Ming Pao 2 October 2010

Smartphone Threats
- SMS spam/phishing
- Malicious apps
- Vulnerabilities
- Malware
- Botnets on smartphones
- Data theft/leakage

Wikileaks
News clippings: Econ Times 14 December 2010; Ming Pao 10 December 2010; Econ Journal 10 December 2010

Wikileaks
- November 28 - Over 250,000 U.S. diplomatic documents released; Wikileaks site down
- November 29 - Wikileaks moves to Amazon Web Services
- December 1 - Amazon stops hosting WikiLeaks
- December 3 - Sympathizers mobilize to replicate its data
- December 4 - PayPal no longer handles Wikileaks donations; later MasterCard, Visa, etc.
- December 8 - Anonymous launches DDoS attacks and invites others to download software to attack
- December 9 - A Dutch teenager arrested; later another 2 arrested
- December 13 - Anonymous encourages sympathizers to send faxes

Wikileaks
- Cyber activists launched DDoS attacks
- Common mission
- A new trend in future attacks: the voluntary cyber army
- Risks for participants
  - Is it legal?
  - Is it anonymous?
  - Is it genuine software?
  - Who are we attacking?

Stuxnet and Infrastructure Attacks
News clippings: Ming Pao 1 October 2010; EFY Times 23 December 2010; SCMP 30 September 2010

Stuxnet and Infrastructure Attacks
- Stuxnet in existence since late 2009
- Makes use of MS Windows vulnerabilities
- Propagates through removable media (USB disk) and Windows file shares
- Targets Siemens SIMATIC WinCC and Step 7
- Reads/writes process and production data on the device

Stuxnet and Infrastructure Attacks
- Reported to have infected Iran's nuclear plants
- High level of knowledge of Siemens systems: "A large, well-funded team is responsible for its creation .."
- CyberWar
  - Possible infection targets
  - Stuxnet variants

Attacks at National Level
- May 2007 - Estonia: denial-of-service attack; government online services disrupted; online banking stopped
- August 2008 - Georgia: computer network and government websites hacked; some websites compromised/defaced
- July 2009 - South Korea, United States: government websites disrupted; services not available for a few days
- June 2011 - Malaysia

Other Attacks
- 2010: Amazon, PayPal, MasterCard, Visa, New York Stock Exchange, London Stock Exchange ...
- 2011: Bank of America, Fox News, FBI, CIA, Sony, NATO, SEGA, Citibank, IMF, NASDAQ ...

Botnet/Infrastructure Takedown
- Jun 08 - FBI "Operation Bot Roast"
- Oct 08 - Atrivo/Intercage unplugged
- Nov 08 - McColo unplugged
- Nov 08 - EstDomains "de-accredited"
- Jun 09 - Crime-friendly ISP 3FN
- Nov 09 - Mega-D, Ozdok botnet
- Feb 10 - Waledac botnet (by Microsoft)
- Oct 10 - Bredolab
- Mar 11 - Rustock
- Apr 11 - Coreflood

Future Trends

Trends of Attack
- Phishing and social engineering
- Botnets: compromised machines
- Cyber criminals and financial incentives
- Smartphones and social networking
- Critical and Internet infrastructure
- Cyber conflicts and cyber war

Malware & Botnet Will Continue to Grow
News clipping: Ming Pao 10 February 2011

Smartphone Security
- According to Gartner, by 2013 mobile phones will overtake PCs as the most common Web access device worldwide
- Mobile applications will increase exponentially
  - Over 320,000 apps in the Apple store
  - Over 200,000 apps in the Android Market
  - Over 20 billion downloads in 2010
  - Apps in banking, shopping, media, games, etc.

Why Smartphones are Targets of Attack
- Popularity: increasing number of users
- "Open" environment: SDK available for all major platforms
- Security awareness is low
- Available defenses are limited
News clipping: Ming Pao 5 March 2011

Social Network (Facebook)
- The number of attacks/incidents on social networks (Facebook) will increase
- More apps to collect and analyze personal information
- Malicious apps
- Trojans to monitor social network activities
News clippings: Econ. Times 8 August 2009; Ming Pao 8 August 2009; Ming Pao 22 September 2009

Active Hacking
News clipping: Econ. Times 07 September 2009

Our Defense Advice
- Awareness
  - Personal information protection: what is kept, the impact if it is "stolen", and the security measures in place
- Use appropriate technology
- Human firewall against social engineering: are you dealing with a legitimate person?
- Keep updated

Mobile Devices
- What data are kept
- Impact if lost
- Password and encryption
- Security tools

Social Networking
- What will be kept in your profile?
- Who will it be shared with?
- Do I need this app?
- Use appropriate security features

Keeping Current
- Subscribe to email security news
  - HKCERT
  - Other security news
- Newspapers and media
- Newsgroups
- Vendor security bulletins

Useful Resources
- HKCERT: http://www.hkcert.org/
- Government InfoSec Website: http://www.infosec.gov.hk/

Conclusion
- It is everybody's business
- Be aware of:
  - Information leakage
  - Botnets and malware (phishing)
  - Mobile devices
  - Social networking
- Prevention is better than cure
- People are the weakest link
- Keep updated
- Know where to get assistance
News clipping: Economic Times 3 November 2011

Thank You (royko@hkcert.org)
Reporting Incidents:
- Hotline: (852) 8105 6060
- Fax: (852) 8105 9760
- Email: hkcert@hkcert.org
- Web Site: http://www.hkcert.org/