2002. 5. 21
Yang, Kunwon (yangkw@npa.go.kr)
Superintendent, Korea National Police Agency, Cyber Terror Response Center

Cyber Terror Response Center, Korean National Police Agency

Table of Contents
- Introduction
- Present Status and Analysis of Cyber Terrorism in Korea
- Domestic Cyber Terrorism Cases
- Countermeasures against Cyber-Terrorism

Introduction

Increasing threats of cyber terrorism
- Critical infrastructure's increasing dependence on IT: administration, finance, communication, transportation, etc.
- Integration of information such as personal data
- Wide use of the Internet

Increase of damages from attacks such as system destruction (intrusion)
- Huge damages are expected when the systems of social infrastructures are attacked
- Outflow, counterfeiting, or forgery of national or industrial secrets and personal data

Use of cyber terrorism as a means of committing other crimes
- Connection with organized crime such as the Russian Mafia
- Hacktivism

Possibility of developing into cyber war among countries
- For example, the hacker war between China and Japan

What is Cyber-Terrorism?

Necessity of conceptualization
- Cyber-terrorism has unique characteristics that distinguish it from other cyber crimes and delinquencies
- Special policy and legislation are needed

Opinions
- Dorothy E. Denning: "Unlawful attacks and threats of attack against computers, networks, and the information stored therein when done to intimidate or coerce a government or its people in furtherance of political or social objectives"
- Stanford University CISAC: "Intentional use or threat of use, without legally recognized authority, of violence, disruption or interference against cyber systems"
- National Counter-terrorism Activity Guideline: manipulation of information and destruction of networks
- Information Communication Infrastructure Protection Act: infringement of critical information communication infrastructures

Cyber-terrorism from the viewpoint of the Korean Police
- Distinguished from ordinary cyber crime: attacks such as hacking and viruses against the information communication network itself, which cause national or social disorder or unease
- The Korean National Police classify cyber-terrorism as a "cyber-terrorism type" crime in formal statistics
- Generally, cyber-terrorism is used as a wide concept meaning aggressive activities against the information communication network, including cyber stalking
- Methods: hacking, circulation of viruses, DoS, etc.
Methods of Cyber Terrorism
Figure: methods of cyber terrorism: hacking (intruder), DoS attack, mail bomb, malicious code, computer virus.

Present Status of Cyber-Terrorism in Korea

Statistics: arrests for hacking and virus crimes

Total number of hacking and virus arrests
  '98: 18 | '99: 23 | 2000: 278 | 2001: 7,595
☞ Hacking against PC and network game systems: 2000: 192, 2001: 6,122

Number of cyber terror cases arrested
  '98: 18 | '99: 23 | 2000: 86 | 2001: 1,473
☞ A 17-fold increase in 2001 compared with the previous year

Recent Major Case

Summary: In April 2002, while detecting international hackers who were compromising systems all over the world using W company's server as a route, CTRC investigators traced them and found that they had compromised 11,222 systems in 95 countries from Aug. 2001 to March 2002.

Damage analysis summary (number of servers)
  Total: 11,222
  Identified: 6,387 (100%)
    Korea: 2,497 (39%)
    Other countries: 3,890 (61%)
  Unidentified: 4,835
☞ If 39% of all victim systems belong to Korea, the number of compromised Korean systems is about 4,300.

Damage analysis by country (identified servers)
  Country          Servers   Percentage
  Total            6,387     100%
  Korea            2,497     39.0%
  USA                801     12.5%
  China              413      6.5%
  Taiwan             322      5.0%
  Romania            285      4.5%
  India              242      3.8%
  Japan              196      3.1%
  Brazil             160      2.5%
  Canada             115      1.8%
  Hong Kong          107      1.7%
  Italy               91      1.4%
  Other countries  1,158     18.1%
☞ Contrary to the announcement by Predictive Co. of the USA, the percentages in the table show that Korea is the victim country of hacking rather than the hacker country.
☞ It was found that, generally, victim systems are abused as routes.
☞ This is a side effect of Korea's rapid growth in information communication infrastructure (Internet users: 1.6 M in '97 to 22 M in 2002).

Analysis of hackers' nationalities
  Total: 22 (Romania 18, Australia 1, Brazil 1, Germany 1, Russia 1)

Characteristics
☞ Theft of critical data including credit card information
☞ Used an automatic worm-style toolkit: scan, intrusion, root compromise, sniffing, hiding processes, second attack, etc.
☞ Made firewalls and IDS useless (30% of victim systems were equipped with security systems)
  For security, management is more important than technology.

Trends of Cyber-Terrorism in Korea

Rapid quantitative increase of damages as information communication infrastructures grow
- International hackers abuse Korean servers as routes rather than as direct targets
  - Hackers usually use Korean servers, which are relatively easy to attack and have good network connectivity, as routes to hide their crimes
- Many active domestic hacker communities and script kiddies

Increase in attacks against critical infrastructures such as e-commerce networks
- Huge, highly integrated attacks against personal data
- Gathering personal data through web services
- Abusing bugs in various web services such as CGI, PHP, and ASP
- International, organized hackers

The advent of new attack technologies that cannot be responded to effectively with traditional security systems
- New intrusion techniques against security systems
- Many intrusions resulted from improper management and administration of security systems
- Techniques for avoiding tracing

Increase of vandalism against domestic and overseas government agencies and NGOs
- Vandalism such as repeatedly pressing IE's refresh (F5) key to cause overloads
- Many communities on portal sites and game sites lead those activities
- Difficult to regulate legally or technically
- Not committed by computer experts

Increase of attacks against PCs and use of PCs as routes
- IDCs, super-high-speed Internet, PCs

Increase of property crimes using identity theft
- Fraud using personal data stolen from Internet banking, online shopping malls, and game servers
- Fraud through online P2P business
- Internet PC rooms, ubiquitous all over the country, make
it more difficult to trace the perpetrators
- Intimidation after identity theft has increased

Major Cases in Korea

Attack against a financial network
Figure: (1) a member store requests approval/settlement of an Internet credit card transaction via PSTN, COLAN, or the Internet; (2) the web server, which sits inside the firewall, receives the request; (3) the transaction approval server and the DB server process the settlement approval data; (4) the bank network and credit card network are reached over an exclusive line; (5) the hacker steals credit card information.

Analysis
☞ Arrested in April 2001
☞ Attacks were concentrated on systems that manage high-value information
☞ Locating the web server inside the firewall rather than on a separate network consequently exposed the whole network to the attacks
☞ In spite of a security monitoring service, they were attacked because the network IDS cannot detect attacks carried through web services

Large-scale identity theft
Figure: the hacker's first attack establishes a bridgehead (the web server); the second attack reaches the DB server, which manages 7 M people's personal data, and the data flow out.

Analysis
☞ Arrested in April 2001
☞ Exploited the inevitable connection between the web server outside the firewall and the DB system inside the firewall
☞ Abused the many security problems of CGI, PHP, and ASP, which have recently come into wide use: the web server was attacked first and then the DB server was compromised

Miscellaneous
☞ 2000. 12: arrested a suspect who stole 6.5 million personal data records from an alumni association site

International Attack Case

International hacking group WHP
☞ Arrested in April 2001
The international hacking group WHP (one of whose members was a US Army serviceman stationed in Korea) compromised 113 domestic systems indiscriminately, and the US serviceman was arrested on the hacking charge.

Organized Attack Case

Organized hacking by researchers of a computer security company
☞ 9 were arrested in Dec. 2000
A domestic computer security company's researchers (Tiger Team) were arrested on hacking charges. They compromised about 80 business sites, including banks, and stole information in order to win security consulting orders from the victim companies.

DDoS Attack: Stacheldraht attack attempt
Figure: attacker -> master (mserv) -> daemons (td, t0rntd). One daemon group of 127 (domestic 13, overseas 114) and one of 198 (domestic 13, overseas 185); 325 daemons found in total (domestic 26, overseas 299). Master: 00 Music Broadcasting (2x1.x6.2xx.103); target: 00 Internet. Other hosts in the figure, with identifiers partly masked: 209.xxx.44.35, xxfoobar..com, 211.x2.xx1.130, 00 Network, 00 Computer, 21x.48.xx4.6x, 에00성회, 040.xx.rcsis.com, 2xx.x8.25x.66, 00 Football Club, Mxxod.com, 2xx.4x.1x.81, 00 Elementary School, .... The network was mapped by analyzing the ICMP packets exchanged between the master and the agents.

DDoS Attack: Trinoo attack attempt
☞ Found a master inside a Linux server in an Internet PC room located in Gangrung
☞ A file containing a list of 250 IP addresses used as agents was found; after checking the 250 IPs, we found that 97 servers had been compromised and Trinoo daemons were installed on 30 of them
☞ An automated rootkit was installed: synscan, master, agent, wipe, and a kernel-based rootkit

Creating Computer Viruses

Arrest of a virus-creating group
☞ 7 members of CVC (Corean Virus Club) were arrested in Feb. '98 and in Jan. '99
Korea's biggest virus-creating group. Since 1996 they had adopted the techniques of Phalcon/Skism (USA), NuKE (international), and the 29A virus group (Spain), and created and spread various computer viruses.

Arrest of a worm virus creator
☞ Arrested the creator of the White virus in Jan. 2000
☞ Spread using MS Outlook Express
☞ While the Melissa virus uses the Outlook address book, the White virus reads the inbox, sends infected messages every 15 minutes, and destroys the system on the 31st, the author's birthday

Countermeasures against Cyber-Terrorism

Factors to consider

Object of protection
☞ Many vulnerable systems are abused before the direct attack on a critical information communication network
☞ Case-by-case countermeasures are needed

Techniques to evade tracing
☞ In addition to substantive legal countermeasures, separate procedural laws are necessary to respond to cyber-terrorism
  (kernel-based rootkit, web-based attack, back door, proxy, anonymous web browsing, IP spoofing, PC room, free telnet account)

International cooperation
☞ Legal countermeasures in accordance with the international legal order
☞ A cooperation system that comprehensively considers legal rights, tracing (pursuit), and quick response

Information sharing
☞ Information sharing and cooperation with law enforcement agencies, ISPs, ISACs, CERTs, etc.

International cooperation paradigm

Paradigm
- The Internet and cybercrime are global
- Countermeasures of law enforcement also need a global paradigm
- The Korean Police establish policies based on that global paradigm
Factors: laws, technologies, procedures, existing cooperation systems regarding criminal matters
Dimensions: standardization, securing legal validity, guaranteeing practical effect
Organization: work force, equipment, technology, operation
Obstructions: globalization; the matters of privacy and human rights
International discussion: a new cooperation system for responding to cyber crime

Organization

Response agencies
☞ NPA (Interpol NCB, Cyber Terror Response Center), MIC, NIS
☞ KISA, ETRI

Police force dedicated to cyber crime: 651 persons
- KNPA (HQ): CTRC (69 persons), with Interpol Korea within the NPA; supervising local agencies, establishing policies, 24/7 response system, H/V unit, professional investigators, technology development, analysis lab
- Metropolitan/provincial police agencies: Cyber Crime Investigation Squads (14 agencies, 87 persons); responsible for local cyber crime and the investigation of major crimes, combining computer-expert investigators and professional investigators
- Police stations: cyber crime investigators (232 stations, 495 persons)

Legal Countermeasures

☞ Penal codes: Information Communication Infrastructure Protection Act; Act on Promotion of Utilization of Information and Communications Network and Information Protection. Legislation regulating cyber crime was enacted in time, considering international trends.
☞ Countermeasures in criminal procedural law: procedural provisions are not sufficient, especially for cyber terrorism; the same provisions as general criminal procedural law apply
☞ Alternative: legal countermeasures corresponding to international standards (quickness, mobility, ease of destroying evidence)
  - Meeting of the Justice and Interior Ministers of The Eight, Dec. 9-10, 1997: "Principles to Combat High-Tech Crime"
  - On November 23, 2001, in Budapest, Hungary, the United States and 29 other countries signed the Council of Europe Cybercrime Convention

Countermeasures in criminal procedural law (supplementary)
☞ Preservation of data saved on computer systems (G8 meeting)
☞ Method of acquiring data in transmission (G8 meeting)
☞ Real-time collection of traffic data (G8 meeting, Convention on Cybercrime)

International cooperation system
☞ International cooperation is one of the law enforcement activities
  - KNPA has a 24/7 cooperation system with Interpol and 9 countries of Asia (hosting the 5th International Conference on Computer Crime in Oct. 2002)
  - Need to establish cooperation with the private sector
☞ The Council of Europe Convention on Cybercrime puts emphasis on quick international cooperation
  - Minimize the possibility of rapid international movement of criminal evidence through close cooperation among member countries

International Cooperation

Special regulations on international cooperation
☞ The Council of Europe Convention on Cybercrime provides special mechanisms concerning electronic evidence:
  - Expedited preservation of stored computer data
  - Expedited disclosure of preserved traffic data to the requesting party
  - Mutual assistance regarding access to stored computer data
  - Trans-border access to stored computer data, formally or with consent
  - Mutual assistance in the real-time collection of traffic data
  - Establishment of a 24/7 network
☞ The Korean police follow the international paradigm from the viewpoint of reciprocity, regardless of the compelling power of international law
☞ However, European countries, Canada, the USA, and Japan are participating in the convention, so it is expected to become an international standard. Therefore, Korea has to hurry to prepare legislation in accordance with this convention.

Thank you!