Chapter 12 Reporting Security Problems

Upload: calvin-ohsey

Post on 04-Apr-2018


TRANSCRIPT

  • 7/30/2019 Chapter 12 Reporting Security Problems

    1/26

    Chapter 12: Reporting Security Problems


    How do you know you have been hacked or compromised?

    Unrecognized IP addresses

    Suspicious traffic

    Unknown users

    Abnormal traffic or login patterns

    Unexpected or offensive words or pictures on the web page (defacement)

    Unstable network / server / system
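    The indicators above are easier to act on when they are checked mechanically rather than by eye. The following is an added example, not code from the original slides: it runs a few of those checks over constructed sshd-style log lines (successful logins by accounts outside an expected user set, logins from addresses outside an assumed allowlist, and bursts of failed logins from one source) and compares a web page against a known-good SHA-256 baseline to catch defacement. The log format, the known users, the address prefixes and the failure threshold are all assumptions for the example.

```python
import hashlib
import re
from collections import Counter

# Constructed sshd-style sample lines for this example (not real data).
SAMPLE_LOG = """\
Jul 30 02:11:01 web1 sshd[1001]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul 30 02:13:45 web1 sshd[1002]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jul 30 02:13:47 web1 sshd[1003]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jul 30 02:13:49 web1 sshd[1004]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Jul 30 02:13:51 web1 sshd[1005]: Failed password for invalid user admin from 203.0.113.9 port 40004 ssh2
Jul 30 02:13:53 web1 sshd[1006]: Failed password for invalid user admin from 203.0.113.9 port 40005 ssh2
Jul 30 02:14:02 web1 sshd[1007]: Accepted password for backup from 203.0.113.9 port 40006 ssh2
Jul 30 03:40:10 web1 sshd[1010]: Accepted publickey for bob from 10.0.0.7 port 51100 ssh2
"""

# Assumed baselines: the accounts and source networks expected on this host.
KNOWN_USERS = {"alice", "bob"}
KNOWN_PREFIXES = ("10.0.0.",)      # crude prefix allowlist; use ipaddress for real CIDRs
FAILED_LOGIN_THRESHOLD = 5         # failures from one address before it is flagged

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s\w+\sfor\s(?:invalid\suser\s)?"
    r"(?P<user>\S+)\sfrom\s(?P<ip>\S+)"
)


def parse_line(line):
    """Return the fields of one sshd login line, or None for any other line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Flag logins by unknown users, logins from unrecognized addresses and
    bursts of failed logins from one source.
    Returns a list of (indicator, user, ip, detail) tuples."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            continue
        # A successful login: check both who logged in and from where.
        if ev["user"] not in KNOWN_USERS:
            findings.append(("unknown-user", ev["user"], ev["ip"], ev["ts"]))
        if not ev["ip"].startswith(KNOWN_PREFIXES):
            findings.append(("unrecognized-ip", ev["user"], ev["ip"], ev["ts"]))
    for ip, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("login-burst", None, ip, f"{n} failed logins"))
    return findings


def page_defaced(page_bytes, baseline_sha256):
    """True when the served page no longer matches its known-good SHA-256."""
    return hashlib.sha256(page_bytes).hexdigest() != baseline_sha256


# Known-good page and its baseline digest (constructed for the example).
GOOD_PAGE = b"<html><body><h1>Welcome</h1></body></html>"
BASELINE_SHA256 = hashlib.sha256(GOOD_PAGE).hexdigest()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    served = b"<html><body><h1>0wned</h1></body></html>"
    print("defaced:", page_defaced(served, BASELINE_SHA256))
```

    On the sample above the account "backup" logging in from 203.0.113.9 is reported twice (unknown user and unrecognized address), and the same address is reported once more for its five failed logins; the altered page is reported as defaced. A real baseline for the page check should be stored away from the web server so an intruder who can change the page cannot also change the hash.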


    Introduction

    If you find a security problem, you must decide whether to fix your own systems and move on, or to report your findings to the vendor, the computer security community, the public, or the press.

    Whom to inform first?

    When to inform?

    How much information to report?


    Whom to report security problems to?

    Deciding whom to contact depends on the number of people affected by the security problem, its severity, and whether you can supply a workaround yourself or the vendor must produce a patch.

    So you need to determine what group of people, and how many of them, are affected by the security problem.


    Whom to report security problems to?

    If the problem affects only a small group of people, there is no need to inform the public. Example: you find a vulnerable web site, so you only need to inform the webmaster and the site's forum.

    If the web site is widely used, such as Yahoo, you need to inform the webmaster and the public.

    If the problem affects a large group of people, you should inform the product or service vendor, and also the public.

    In either case, inform the webmaster or vendor first, and hold back the details that would let others exploit the problem until they have had a reasonable chance to fix it.


    Whom to report security problems to?

    Figure 1: Whom to contact about security problems? (Axes: least to most people affected, least to most severe. Contacts shown, from the narrowest to the widest audience: the vendor, forums, security organizations, the media.)


    Reporting Security Problems to the Vendor

    When reporting security problems to a vendor, include as much information as possible:

    1) the platform you run
    2) your hardware configuration
    3) the date and time you found the problem
    4) other software you have installed
    5) what you were doing when you found the problem
    6) version numbers
    7) a way for the vendor to contact you


    Reporting Security Problems to the Vendor

    Make sure you have not found an already known security problem by checking the vendor's knowledge base, bug reporting system and security advisories, and the freely available vulnerability databases, such as Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org, and the SecurityFocus Vulnerability Database: www.securityfocus.com/bid.

    Don't set your expectations too high regarding how long it will take a vendor to produce a fix. The larger the company, the slower it can be.

    Reporting Security Problems to a Forum

    You can send your report to the Bugtraq mailing list at [email protected].

    The purpose of Bugtraq is the distribution and discussion of computer security problems on any platform or application.

    CERT is an organization that collects security incident information and puts out security advisories that are read by a large number of Internet users. You can also email CERT at [email protected].

    Reporting Security Problems to a Security Organization

    Example of a security organization: the MyCERT Forensic Team.

    There are 5 ways to report an incident to MyCERT: online reporting, fax, email, SMS, and phone (603-89926969).

    When you report an incident, provide adequate information on the nature of the incident and a timestamp that includes your local time zone. This is important to avoid unnecessary delay.


    Reporting Security Problems to a Security Organization

    Print and fax it to MyCERT at 603-89453442.

    General Information
    1 Incident number (to be assigned by MyCERT):
    2 Reporting site information
      2.1 Name of Organization:
      2.2 Name of Domain (e.g., mycert.mimos.my):

    Contact Information
    1 Your contact information
      1.1 Name:
      1.2 E-mail address:
      1.3 Telephone number:
      1.4 FAX number:

    Incident Categories
    1 Please indicate the incident categories
      1.1 Network Abuse
        1.1.1 Intrusion:
        1.1.2 Destruction:
        1.1.3 Denial of service attack:
        1.1.4 Hack Threat:
        1.1.5 Probe/Scan:
        1.1.6 Spoofing:
      1.2 Email Abuse (please provide the full header)
        1.2.1 Mailbomb:
        1.2.2 Virus:
        1.2.3 Email Forgery:
        1.2.4 Harassment:
        1.2.5 Spamming:
        1.2.6 Others (please specify):

    Detailed description of the incident
    1 Please complete in as much detail as possible
      1.1 Suspected date and time of attack:
      1.2 Suspected method of intrusion (e.g., name of virus, name of exploit script, etc.):
      1.3 How you discovered the incident:
      1.4 The source of the attack (if known):
      1.5 Steps taken to address the incident (e.g., binaries reinstalled, patches applied):
      1.6 Planned steps to address the incident (if any):
    2 Please append any log information or directory listings, and time zone information relative to GMT, to the end of this document:

    Other information
    1 What assistance would you like from MyCERT:
    2 Would you allow MyCERT to reveal your contact info:
    3 Any additional information:

    Source: http://www.niser.org.my/reports.html

    Report by Fax: http://www.niser.org.my/reports/printed_fax.html
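    Both the vendor checklist earlier in the chapter and the MyCERT form above ask for the same kind of information: the platform and versions, when the problem was found (with the time zone relative to GMT), and any attached logs. The following added example, not part of the original slides or of MyCERT's own tooling, assembles those fields into one structure. It records the discovery time both in the reporter's local zone and in UTC, so the recipient can line it up with their own logs without guessing the offset, and stores a SHA-256 digest of each attachment so the recipient can confirm the evidence was not altered on the way. The field names, the sample log line, the version numbers and the contact details are assumptions for the example.

```python
import hashlib
import json
import platform
import sys
from datetime import datetime, timedelta, timezone


def timestamp_fields(when):
    """Express one instant in the reporter's local zone (with its UTC offset)
    and in UTC. A naive datetime is rejected: without a zone the recipient
    cannot tell which instant is meant."""
    if when.tzinfo is None or when.utcoffset() is None:
        raise ValueError("timestamp must carry a time zone")
    return {
        "local": when.isoformat(),
        "utc": when.astimezone(timezone.utc).isoformat(),
        "utc_offset": when.strftime("%z"),
    }


def evidence_fields(attachments):
    """Record a SHA-256 digest and size for each attached log or listing,
    in a stable (sorted) order so two copies of the report compare equal."""
    return [
        {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "bytes": len(data)}
        for name, data in sorted(attachments.items())
    ]


def host_fields():
    """The platform facts from the checklist, read from the host that runs this."""
    return {
        "system": platform.system(),
        "release": platform.release(),
        "machine": platform.machine(),
        "python": sys.version.split()[0],
    }


def build_report(discovered_at, activity, versions, attachments, contact):
    """Assemble the report as a dict that can be serialised to JSON or copied
    into the vendor's or MyCERT's form."""
    return {
        "host": host_fields(),
        "discovered_at": timestamp_fields(discovered_at),
        "activity_when_found": activity,
        "versions": versions,
        "evidence": evidence_fields(attachments),
        "contact": contact,
    }


if __name__ == "__main__":
    # Constructed sample input: a discovery time in Malaysia (UTC+8), one
    # access-log excerpt and hypothetical version and contact details.
    found = datetime(2019, 7, 30, 9, 15, tzinfo=timezone(timedelta(hours=8)))
    report = build_report(
        discovered_at=found,
        activity="Reviewing the web server log after a user reported a defaced front page",
        versions={"nginx": "1.14.0", "php": "7.2.10"},
        attachments={
            "access.log": b'203.0.113.9 - - [30/Jul/2019:01:02:03 +0800] "POST /upload.php HTTP/1.1" 200 512\n',
        },
        contact={"name": "Reporter Name", "email": "reporter@example.com"},
    )
    print(json.dumps(report, indent=2))
```

    Send the digests in the report body and the attachments separately; if the two do not agree when they arrive, the recipient knows to ask for the evidence again rather than analyse a corrupted or tampered copy.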

    LAW

    Citing Sources

    If you incorporate somebody else's materials or ideas in your own research, you must acknowledge the original author or creator. Failing to cite the source material is an unethical practice called plagiarism.


    LAW

    Full citations must be provided for all types of sources, including books, articles, government documents, interviews, Internet sources, software and other nonprint material (videos, graphics, sound recordings, etc.).


    LAW

    Citing Web and Other Electronic Information

    Information taken from the Web must also be acknowledged. A Web citation should include the author (if available), the title of the Web page, the title of the complete work (if applicable), the date created (if available), the complete URL, and the date visited.


    Cybercrime in Malaysia

    The following are some examples of common news items concerning cybercrime that appeared in Malaysian newspapers:

    Hackers targeted government web sites: the Social Security Organization (Socso) site at http://www.perkeso.gov.my was defaced with an image of a covered skull (26th June 2001).

    Sixty government web sites were hacked between February 1, 1999 and April 3 this year, with a total of 89 actual hacking incidents taking place.

    Dec 29, 2001: A hacker intrusion on the Malaysian Parliament's web site reportedly drew criticism from some officials, who claim the government has taken a slapdash approach to Internet security.

    22nd August 2000: A hacker is believed to have tried to dupe Internet users into giving away their private financial information by posing as an online executive at Maybank Bhd.

    http://www2.unescobkk.org/elib/publications/ethic_in_asia_pacific/239_325ETHICS.PDF


    Cyberlaw in Malaysia

    The Malaysian government, in cooperation with the private sector, has introduced many security measures to strengthen the ethical culture among ICT users.

    Below are some of the laws and policies Malaysia has adopted to prevent malicious activities:


    Cyberlaw in Malaysia

    The Malaysian Government has already approved and passed its own set of cyberlaws:

    Digital Signature Act 1997

    Computer Crimes Act 1997

    Telemedicine Act 1997

    Communications and Multimedia Act 1998


    Cyberlaw in Malaysia

    Communications and Multimedia Act 1998 (CMA)

    Under the CMA, the Commission is entrusted with ensuring information security and the reliability and integrity of the network.

    MCMC is a statutory body established under the Malaysian Communications and Multimedia Commission Act 1998 to regulate and nurture the communications and multimedia industry in Malaysia in accordance with the national policy objectives set out in the Communications and Multimedia Act 1998 (CMA).

    MCMC is also the Controller of Certification Authorities under the Digital Signature Act 1997.


    Cyberlaw in Malaysia

    Computer Crimes Act 1997 (CCA)

    This Act makes misuse of computers an offence. The Computer Crimes Act 1997 addresses unauthorized access to computer material, unauthorized access with intent to commit or facilitate the commission of a further offence, unauthorized modification of the contents of any computer, wrongful communication, abetment and presumption.

    The Computer Crimes Act was brought into force on 1 June 2000.


    Law in Malaysia

    Part II of the Computer Crimes Act 1997 defines the offence of unauthorised access to computer material. A person is guilty of the offence if he causes a computer to perform any function with intent to secure access to any program or data held in any computer, the access he intends to secure is unauthorised, and he knows at the time when he causes the computer to perform the function that this is the case. All three conditions must hold.

    The intent a person has to have to commit an offence under this section need not be directed at any particular program or data, a program or data of any particular kind, or a program or data held in any particular computer.

    A person guilty of an offence under this section shall on conviction be liable to a fine not exceeding RM50,000 or to imprisonment not exceeding five years or both.

    Source: http://www.niser.org.my/news/2004_11_22_01.html


    Cyberlaw in Malaysia

    Digital Signature Act 1997

    Transactions conducted via the Internet are increasing. As identities in cyberspace can be falsified and messages tampered with, transacting parties need to ascertain each other's identity and the integrity of their messages, removing doubt and the possibility of fraud or unethical conduct when transacting online.

    The Act mainly provides for the licensing and regulation of Certification Authorities (CAs). A CA certifies the identity (within certain limits) of a signer by issuing a certificate that binds the signer's identity to the public key used to verify that signer's digital signatures.

    The Act also makes a digital signature as legally valid and enforceable as a traditional signature. The Digital Signature Act was brought into force on 1 October 1998.


    Cyberlaw in Malaysia: The Copyright (Amendment) Act 1997

    Copyright serves to protect the expression of thoughts and ideas from unauthorized copying and/or alteration.

    With the convergence of Information and Communication Technologies (ICT), creative expression is now being captured and communicated in new forms (for example multimedia products, and broadcast of movies over the Internet and cable TV).

    The Copyright (Amendment) Act 1997 was brought into force on 1 April 1999.


    Cyberlaw in Malaysia: The Telemedicine Act 1997

    Healthcare systems and providers around the world are becoming interconnected.

    People and local healthcare providers can gain access to quality healthcare advice and consultation from specialists around the world, independent of geographical location.

    The Act serves to regulate the practice of teleconsultation in the medical profession. The Act provides that any registered doctor may practise telemedicine, but other healthcare providers (such as a medical assistant, nurse or midwife) must first obtain a licence to do so. Patients' consent and the applicable regulations must be handled in an ethical manner.


    Cyberlaw in Malaysia: Malaysian Administrative Modernization and Management Planning Unit (MAMPU)

    Security issues in the public sector are administered by MAMPU (Malaysian Administrative Modernization and Management Planning Unit).

    MAMPU launched the Malaysian Public Sector Management of Information and Communications Technology Security Handbook (MyMIS).

    The handbook is a set of guidelines concerning compliance and adherence to best practices and measures leading to information and network security.


    Cyberlaw in Malaysia

    The National IT Council (NITC) and National ICT Security and Emergency Response Centre (NISER)

    The National Information Technology Council of Malaysia (NITC Malaysia) functions as the primary advisor and consultant to the Government on matters pertaining to IT in Malaysia's national development. Its main objectives are to:

    Promote the sustainable growth of IT development and application via R&D planning and technology acquisition strategies;

    Ensure the smooth integration of new technologies into social and economic development;

    Determine the likely impact of IT on the economy and society; and

    Explain and promote the potential of IT in transforming societies in their entire dimension.

    NISER's responsibility is to address the nation's e-security issues and to act as Malaysia's CERT (MyCERT).

    NISER also offers research services in vulnerability detection, intrusion detection and forensic technology.