Security Incident Handling
How can we work together to provide confidence for Internet users?
Suguru Yamaguchi, Ph.D., JPCERT/CC (WIDE Project/NAIST)
APNIC OPM - August 2001
Overview
"Security Incidents" in the Internet
– Security incidents are widespread in the Internet and the number observed keeps increasing. Because Internet applications now reach into many areas of activity, security incidents can have serious impacts on our society.
Fighting against these security incidents
– Technical approaches
• Network operations, software development (OS, applications)
– Non-technical approaches
• Law enforcement
• Regulation and law
• Insurance
Current Situation
Def. Security Incidents
Any kind of activity that directly interferes with our communication infrastructure
– Intentional / malicious
• Intrusion from outside, information leakage, password theft, malicious code implanted from the outside, denial of service attack, ....
– Non-intentional
• Misuse by customers, system down, power failure, ....
Network operators have to handle both kinds and protect their systems from any trouble.
Security Incidents observed recently
Port scanning & probing
– This happens every day in any environment.
– Recognized as a prologue to more significant incidents.
Intrusion, break-in
– Using weak and/or cracked passwords to log in directly to the system.
• But this is quite rare these days because of the widespread use of one-time password systems (challenge-response type).
– Using a "buffer overflow" security hole to implant and execute "shell-code" on the targeted system.
• Almost all attack tools use this method.
Amplifiers and open relays
– SPAM, packet smurfing, ...
Denial of Service (DoS)
– Generating excessive load on the targeted system
– Distributed DoS
– Targeting major WWW and IRC servers, and other services
Statistics@JPCERT/CC (1)
[Chart: number of reports received by JPCERT/CC per quarter, 96Q4 to 01Q2; y-axis 0 to 1200.]
Statistics@JPCERT/CC (2)
[Chart: number of reports per year, 1996Q4 to 2001; y-axis 0 to 4,000; the 2001 figure is an estimate.]
Statistics@CERT/CC
[Chart: number of reports to CERT/CC per year, 1988 to 2001; y-axis 0 to 35,000; the 2001 figure is an estimate based on 2Q.]
Common Scenario
① Scan ports to learn which ports are open for remote access.
② Find application servers that have buffer overflow security holes (sendmail, INN, phf, imap, pop, statd, named, ...).
③ Try to implant "shell-code" and invoke a shell or another program on the target. If this succeeds, the intruder(s) have a way to break into the system without any evidence logged by the system.
④ Once in, the intruder(s) can take /etc/passwd for password cracking, and other configuration files to learn more about the setup.
⑤ Sometimes they try to obtain more privileges, especially "root" access, by means of "Trojan horses" and other exploit code.
⑥ Modify system log files to erase their "footprints", and replace some programs on the system to hide their malicious activities, e.g. ps, ls, who, ....
⑦ It is quite likely that they install a packet monitoring program to wire-tap passwords exchanged in plain text over the local network.
⑧ Try to spread their activities to other systems.
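Steps ⑥ and ⑦ above (trojaned ps, ls, who; a sniffer dropped on the host) are what a file-integrity baseline is meant to catch. The script below is an added example, not JPCERT/CC tooling or anything shown on the slides: it records a SHA-256 digest of every regular file under a directory while the system is known-good, re-walks the tree later and reports what was modified, removed or added. The bin-like tree, the replaced "ps" and the "sniffer" file are constructed in a temporary directory so the example runs offline.

```python
"""File-integrity baseline check (added example, not from the slides).

Records a SHA-256 digest of every regular file under a directory while the
system is known-good, then re-walks the tree and reports what changed.
The sample tree, the replaced "ps" and the dropped "sniffer" are
constructed in a temporary directory for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need little memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest.
    Symbolic links are skipped: hashing their targets would let an intruder
    point a link at an unchanged file to mask a replacement."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def verify(root, baseline):
    """Compare the current tree against a stored baseline.
    Returns sorted lists of modified, missing and added paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario: baseline a clean bin-like tree, then simulate
    step 6 (ps replaced by a wrapper that hides the sniffer process) and
    step 7 (a sniffer dropped on the host), and verify against the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ps", "ls", "who"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        baseline = build_baseline(root)

        # Intruder replaces ps with a wrapper that filters out their process...
        with open(os.path.join(root, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ps.orig \"$@\" | grep -v sniffer\n")
        # ...and drops a packet sniffer next to it.
        with open(os.path.join(root, "sniffer"), "wb") as f:
            f.write(b"#!/bin/sh\necho capturing\n")

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the scenario: an intruder with root can rewrite the baseline as easily as the binaries, so the baseline must live off the host or on read-only media; and the check must be run with a trusted interpreter and hash tool (booted from clean media, or copied in), because step ⑥ replaces exactly the programs an operator would otherwise rely on.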
Sophisticated Port Scan
More sophisticated "port scanning" techniques appear now that IDS (Intrusion Detection Systems) are widely installed.
Random access to the system
– Attackers have to access a specific port several times to know whether that port can be used for their break-in. The fundamental idea of an IDS is to catch this pattern.
– Random access is a great help for attackers
• Because an IDS does not have enough memory to record every event it senses.
• So it is hard for the IDS to sense the port scan.
– A "slow scan" can masquerade malicious accesses to the system as a series of "mistakes"
• It is also hard for an IDS to decide whether scans are intentional or non-intentional.
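The slide's point is the trade-off between detection window and memory: a detector that only remembers the last minute of traffic cannot see a scanner that probes one port every half hour. The script below is an added example, not from the slides or from JPCERT/CC: it keeps, per source address, the set of distinct destination ports seen inside a sliding time window and flags a source once that set reaches a threshold, then runs the same detector with a one-minute and a six-hour window over constructed firewall deny lines. The log format (timestamp, DENY, src, dst, dport) and the three sources are assumptions made for the example, not a real firewall's syntax or real traffic.

```python
"""Slow-scan detection over firewall deny logs (added example, not from the slides).

Keeps, per source address, the distinct destination ports seen inside a
sliding time window and flags a source once that set reaches a threshold.
Running the detector with a short and a long window shows which scans each
configuration catches. Log lines are constructed below; the line format is
an assumption for this example, not a real firewall's syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=\S+ dport=(\d+)$")


def parse(lines):
    """Turn log lines into (timestamp, source, port) tuples; skip malformed lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events


def scanners(events, window, min_ports):
    """Return the sources that touched at least min_ports distinct ports within
    any interval of length `window`. State per source is a sliding window over
    that source's hits, so memory grows with window length times sources,
    which is the cost the slide refers to."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))

    flagged = set()
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)  # port -> number of hits inside the window
        start = 0
        for ts, port in hits:
            in_window[port] += 1
            # Drop hits that fell out of the window ending at `ts`.
            while ts - hits[start][0] > window:
                old_port = hits[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) >= min_ports:
                flagged.add(src)
                break
    return flagged


def constructed_log():
    """Constructed DENY lines for three sources (not real traffic)."""
    base = datetime(2001, 8, 20, 9, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%S} DENY src={src} dst=203.0.113.5 dport={port}"
    probe_ports = (21, 22, 23, 25, 80, 110, 111, 143)
    lines = []
    # Noisy scan: eight ports in eight seconds.
    for i, port in enumerate(probe_ports):
        lines.append(fmt.format(ts=base + timedelta(seconds=i), src="192.0.2.10", port=port))
    # Slow scan: the same eight ports, one probe every 30 minutes.
    for i, port in enumerate(probe_ports):
        lines.append(fmt.format(ts=base + timedelta(minutes=30 * i), src="192.0.2.20", port=port))
    # Misconfigured mail relay retrying one blocked port: many hits, one port, not a scan.
    for i in range(10):
        lines.append(fmt.format(ts=base + timedelta(minutes=i), src="198.51.100.5", port=25))
    return lines


def short_window_detection(lines):
    """Typical per-minute threshold: flags the noisy scan only."""
    return scanners(parse(lines), timedelta(minutes=1), min_ports=5)


def long_window_detection(lines):
    """Six-hour window: also flags the slow scan, still not the retrying relay."""
    return scanners(parse(lines), timedelta(hours=6), min_ports=5)


if __name__ == "__main__":
    log = constructed_log()
    print("1-minute window:", sorted(short_window_detection(log)))
    print("6-hour window:  ", sorted(long_window_detection(log)))
```

Counting distinct ports rather than raw hits is what keeps the retrying mail relay out of the result, which is the "intentional or non-intentional" question the slide raises. The remaining gap is the one the slide hints at with "random access": a scan spread across many source addresses never accumulates enough state under any single source, and catching it requires keying the window on the destination instead.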
Last 3 months
Buffer overflows are the main route to break-in.
Microsoft IIS is causing major trouble.
– HUC attacks in 2001Q1 and Q2
– CodeRed and CodeRed II
– Since Windows NT / 2000 Professional / 2000 Advanced Server are installed on a huge number of systems, it is fairly easy for attacks to become "pandemic".
Dedicated Internet circuits cause more trouble
– xDSL and FTTH services are getting more popular in many countries.
– At home or in small offices there are many "non-protected" systems.
– Attackers are now using them as DoS handlers.
– Scanning ports 137, 139.
– Promoting the usage of "personal firewalls" is required, but ....
Worms on UNIX
– A very classic break-in method, e.g. the RTM worm in 1988.
– Ramen, Lion (and, on Windows IIS, CodeRed)
– The break-in method uses "buffer overflow".
Sadmind: traversing various operating systems
[Diagram: the worm moves between Solaris and Windows hosts.]
① Using a "buffer overflow" security hole in sadmind on Solaris, implant the worm program on the system.
② Scan for IIS on the local networks, then send special code to the IIS servers to replace their WWW pages and crash them.
③ Copy itself to other systems on which sadmind on Solaris is running. This is the worm behaviour.
DDoS (1)
Distributed DoS Attack
– Prepare multiple DoS handlers (agents) in the Internet, then generate traffic from all of them simultaneously.
– Even if each DoS handler generates only a small amount of traffic, the aggregated traffic can be 100 Mbps or more in many cases.
– Automatic DDoS tools are now widely available on the Internet
• Trinoo, TFN, TFN2K
Making serious impact on commercial Web sites
– Yahoo!, CNN, eBay, Amazon, etc. were attacked by this method in Feb. 2000.
– Many governments recognized DDoS as a "top priority" threat we have to consider.
There is no major solution for this attack....
DDoS (2)
[Diagram: Attacker → Agents → Target, whose services stop.]
1. Implant DoS code into the agents from outside
2. The agents receive a trigger and start generating traffic
Protect Your System
Set up your "security policy" and operational rules for all the people involved in the network / system operations
– Continuously apply security patches provided by software vendors
– Audit and update systems in a proper manner
– It is quite rare to face attacks by an unknown method.
Make it "business as usual"
– Clearly defined procedures for all of us.
Use technology
– IDS, firewall, audit tools, ....
CSIRT: Computer Security Incident Response Team
Background
Problem solving requires working together with
– various organizations (universities, industries, government, law enforcement [detectives], ....)
– technical analysis, which is always required
– organizations / persons in other countries, because security incidents may be caused by someone in another country.
An information switchboard is a good idea
– For smooth communication and collaboration
– For wide-range analysis of information
– As an information repository
CSIRT
Computer Security Incident Response Team
– An organization focused on computer security incidents
– Technical professionals for analysis, assistance in problem solving, and accelerating information exchange among the organizations involved in a specific security incident
– CERT/CC in the US, 1988
• Funded by DoD, but not fully involved with law enforcement
– Currently, many countries have their own IRT as a national contact point
• Sometimes a government subsidiary, an independent group, a university, ....
• "There is" is much better than "there isn't"
• A stable contact point is the key idea
Ex. Activities in JPCERT/CC
Incident Response
– Gathering reports from users on the Internet
– Analyzing attack methods observed in our constituency
– Exchanging information with other IRTs in the world
– Urging vendors to develop countermeasures against attacks
Promoting development and deployment of security technologies
– Gathering information on Internet technologies
– Publishing warnings and security alerts
– Organizing symposiums, workshops, and conferences on security technologies and engineering
– Providing information on the Internet through WWW and e-mail lists
Coordination (1)
[Diagram: JPCERT/CC analyzes attacks and coordinates among the involved sites, advisors and vendors (technical cooperation).]
Providing help on problem solutions
– Information
– Coordination
– Confidentiality
Coordination (2)
[Diagram: analysis to know the current situation; information flows out to the constituency.]
Providing information
– Technical information
– Warnings
– Periodical circulation
Function of National IRT
[Diagram: JPCERT/CC as an information repository for everybody. Users send reports and requests for help; industries receive technology transfer, human resource development, gathered information and mutual benefits. JPCERT/CC itself: neutral, compact, focused on analysis.]
FIRST
Forum of Incident Response and Security Teams
– International forum of CSIRTs
– Membership based
• Mutual trust infrastructure for exchanging information among CSIRTs in the world
• Membership requires an annual fee, but it is not too much
– Annual conference
• In Hawaii in 2002
– Technical Colloquia
– http://www.first.org/
Teams in AP region
Australia: AusCERT, www.auscert.org.au
China: CERCERT, www.edu.cn
Indonesia: ID-CERT, www.paume.itb.ac.id/rahard/id-cert
Japan: JPCERT/CC, www.jpcert.or.jp
Korea: CERTCC-KR, www.certcc.or.kr
Malaysia: MyCERT, www.mycert.mimos.my
Philippines: PH-CERT, www.phcert.org.ph
Singapore: SingCERT, www.singcert.org.sg
Taiwan: TWCERT, www.cert.org.tw
These teams are considered the national IRT contacts. You may have other contacts for incident response, such as the security team in your organization or law enforcement, depending on your situation.
If you know of other IRTs not listed here, please send me information on them. Thanks!
APSIRC
Asia-Pacific Security Incident Response Centers
Virtual forum for exchanging information / ideas
– Mailing list managed by the APNG group
• Major persons working in this area are registered.
• Mail to [email protected] if you want to subscribe.
• There is little traffic on the list.
– Promoting the establishment of IRTs in countries where there is no national contact.
• An organization or persons acting as a stable contact point is highly required.
• The IRT does not have to be funded by government.
IRT requires various information
Information we need...
– Address allocation and domain allocation
– Contact points for vendors, ISPs, victims, suspects, ....
• To ask about the situation
• To ask for collaboration and cooperation to solve the specific incident
• Address spoofing in smurf attacks is our headache
– Reliable WHOIS database
• Special access permission to the WHOIS database
• At national and international level
– Contact point to law enforcement
• Causing security incidents is illegal in many countries.
• Sometimes contacting law enforcement is mandatory.
APNIC has quite an important role in maintaining the databases that help IRTs in the AP region.
Government Activities (1)
Inter-governmental network for law enforcement teams
– 24/7
– ICPO, G8 Lyon Group
Interaction between industries and governments is still under discussion
– G8 subgroup on high-tech crime / professional workshop
• Held in Oct. 2000 in Berlin and May 2001 in Tokyo
Government Activities (2)
European treaty for the fight against high-tech crime
– Discussed since 2000, public comment requested in March 2001, finalized in July 2001.
– Will take effect through the ratification process in each country.
– This treaty requires a country to maintain / create / modify laws so that action against high-tech crime is consistent.
• E.g. all countries that ratify should have a law banning computer virus development as well as circulation.
Government Activities (3)
CSIRTs have to work with the government in some cases
– Dialogue with government is very important, because we should not be isolated from government.
– Law enforcement is now the major group working on computer / network security issues in many countries.
– Collaborations ....
Summary
Security Incidents: growing rapidly
CSIRT: always busy
APNIC and country registries: please work with the CSIRT in each member state to provide reliable information on who is using which addresses and domains.
Countries that do not have a CSIRT: make one!