Presentation on theme: "Security Incident Handlings How can we work together to provide confidence for Internet users? Suguru Yamaguchi, Ph.D. JPCERT/CC (WIDE Project/NAIST)"— Presentation transcript:
Security Incident Handlings How can we work together to provide confidence for Internet users? Suguru Yamaguchi, Ph.D. JPCERT/CC (WIDE Project/NAIST)
APNIC OPM - August 20012 Overview "Security Incidents" in the Internet –Security Incidents have been widely spread in the Internet, and increasing its number observed. Because of its expansion of applications to various areas of activities, security incidents may cause serious impacts on our society. Fighting against these security incidents –Technical approaches Network operations, software development (OS, application) –Non-Technical approaches Law-enforcement Regulations and Law Incurrence
APNIC OPM - August 20014 Def. Security Incidents Any kinds of activities that directly interferer our communication infrastructure –Intentional / malicious Intrusion from outside, information leakage, password theft, malicious code implanted from the outside, denial of service attack,.... –Non-intentional Misuse by customers, system down, power failure,.... Network operators have to handle both activities and protect their system from any troubles.
APNIC OPM - August 20015 Security Incidents observed recently Port Scanning & Probe –This happen everyday in any environment. –Recognized as a prologue to more significant incidents Intrusion, break-in –Using weak and/or cracked password to login directly to the system. But, it is quite rare in these days because of widely spread of usage of One Time Password system (challenge-response type). –Using Buffer Overflow security hole to implant and execute shell- code on the targeted system. Almost all of the attack tools are using this method. Amplifier and Open relay –SPAM, packet smurfing, … Denial of Services (DoS) –Generate excessive load on the targeted system –Distributed DoS –Targeting major WWW, IRC server, and other services
APNIC OPM - August 20016 Statistics@JPCERT/CC (1)
APNIC OPM - August 20017 Statistics@JPCERT/CC (2)
9 Common Scenario Scanning ports to know which port is open for remote access. Finding out application servers that have buffer overflow security holes. (sendmail, INN, phf, imap, pop, statd, named...) Try to implant shell-code and invoke shell program or other program on the target. If succeeded, the intruder(s) can obtain the way to break-in to the system, without any evidence logged by the system. Once break-in to the system, the intruder(s) can get /etc/passwd for password cracking and other configuration files on the system to know more details of its setup. Sometimes, they try to obtain more access privilege, especially root access, by means of Trojan horse and other exploit codes. Modify system log files to erase their footprint, and replace some programs on the system to protect their malicious activities, e.g. ps, ls, who, …. Its quite likely to install packet monitoring program to conduct wire- tapping to get passwords in plain-text exchanged over the local networks. Try to spread their activities to other systems.
APNIC OPM - August 200110 Sophisticated Port Scan More sophisticated Port Scanning technique –IDS (Intrusion Detection System) is widely installed Random Access to the system –Attackers have to access the specific port in multiple times to know if that port can be utilized for their break-in. The fundamental idea of IDS is to catch this phenomena. –Random Access is a great help for attackers Because IDS does not have enough memory space to record all the event they sense. Its hard for IDS to sense the port scanning. –Slow scan can masquerade malicious accesses to the system as a series of mistakes Its also hard for IDS to determine intentional or non-intentional scans.
APNIC OPM - August 200111 Last 3 months Using buffer overflow is the main course to break-in. Microsoft IIS is causing major troubles. –HUC attacks in 2001Q1 and Q2 –CodeRed and CodeRed II –Since Windows NT/2kp/2k-as are installed on huge number of systems, its fairly easy for attacks to make attacks as pandemic. Dedicated Internet circuit causes more troubles –xDSL, FTTH services are getting more popular in many countries. –At home or small office, there are many non-protected system –Attackers are now using them as DoS handlers –Scanning port 137, 139 –Promoting usage of personal firewall is required, but …. Worm on UNIX –Very classic break-in method, e.g., RTM worm in 1988 –Ramen, Lion, CodeRed –The break-in method uses buffer overflow
APNIC OPM - August 200112 Sadmind: traversing various operating systems Windows Solaris using buffer overflow security hole in sadmind on Solaris OS, then implant Worm program on the system Scan IIS on the local networks, and then put special code into the IIS in order to replace WWW pages and crash them making their own copy to the other system on which sadimind on Solaris OS is working. This is an activities as Worm
APNIC OPM - August 200113 DDoS (1) Distributed DoS Attack –Preparing multiple DoS handler (agent) in the Internet, then simultaneously generating traffic from them. –Even each DoS handler can generate small amount of traffic, but the aggregated traffic can be 100Mbps or more in many cases –Automatic DDoS tools are now widely available on the Internet Trinoo, TFM, TFM2K Making serious impact on commercial Web sites –Yahoo!, CNN, eBay, Amazon, and etc. were attacked by this method in Feb. 2000. –Many government recognized that DDoS is top priority threat we have to consider. There is no major solution for this attack….
APNIC OPM - August 200114 DDoS (2) Attacker Target Stop services Agent 1. Implant DoS code from outside 2. Get trigger to start generating the traffic
APNIC OPM - August 200115 Protect Your System Setting up your security policy and operational rules for all the people involved to the network / system operations –Continuously applying security patches submitted by software vendors –Auditing and system updating in proper manner –Its quite rare to face attacks by unknown method. Making it as business as usual –Clearly defined procedures for all of us. Using technology –IDS, Firewall, audit tools, ….
CSIRT: Computer Security Incident Response Team
APNIC OPM - August 200117 Background Problem solution requires to work together with – various organizations (universities, industries, government, law enforcement [detectives], ….) –Technical analysis is always required –Organizations / Persons in other countries, because security incidents may be caused by someone in other countries. Information Switchboard is good idea –For smooth communication and collaboration –For wide-range analysis on information –As information repository
APNIC OPM - August 200118 CSIRT Computer Security Incident Response Team –Organization focused on computer security incidents –Technical professionals for analysis, assistance on problem solution, and accelerating information exchange among organization involved to the specific security incident –CERT/CC in US, 1988 Funded by DoD, but not fully involved to law enforcement –Currently, many country has its own IRT as national contact point Sometimes government subsidiary, independent group, university, …. There is is much better than there isnt Stable contact point is key idea
APNIC OPM - August 200119 Ex. Activities in JPCERT/CC Incident Response –Gathering reports from users on the Internet –Analyze attack methods observed in our constituency –Exchange information with other IRTs in the world –Promote vendors to develop counter measures for attacks. Promoting development and deployment of security technologies –Gathering information on Internet technologies –Publish Warning and Security alerts –Organize symposiums, workshops, and conferences on security technologies and engineering –Provide information on the Internet through WWW and E- mail list
APNIC OPM - August 200120 Analysis on Attacks Involved sites Technical Corporation Involved sites Advisors Vendors Coordination (1) Providing help on problem solutions –Information –Coordination –confidentiality
APNIC OPM - August 200121 Analysis to know current situation Coordination (2) Providing Information –Technical Information –Warnings –Periodical Circulation … information
APNIC OPM - August 200122 Function of National IRT Information Repository for Everybody Industries JPCERT/CC Neutral Compact Focused on Analysis Technology Transfer Human Resource Development Gathering information Mutual benefits Reports Request for help Users Info. Repository
APNIC OPM - August 200123 FIRST Forum of Incident Response and Security Teams –International forum of CSIRTs –Membership based Mutual trust infrastructure for exchanging information among CSIRT in the world Membership requires annual fee, but its not too much –Annual conference In Hawaii in 2002 –Technical Colloquia –http://www.first.org/
APNIC OPM - August 200124 Teams in AP region AustraliaAusCERTwww.auscert.org.au ChinaCERCERT www.edu.cn IndonesiaID-CERTwww.paume.itb.ac.id/rahard/id-cert JapanJPCERT/CCwww.jpcert.or.jp KoreaCERTCC-KRwww.certcc.or.kr MalaysiaMyCERTwww.mycert.mimos.my PhilippinePH-CERTwww.phcert.org.ph SingaporeSingCERTwww.singcert.org.sg TaiwanTWCERTwww.cert.org.tw These teams are considered as national contact of IRT. You may have other contacts for incident response, such as security team in your organization, law enforcement, depends on your situation. If you know other IRT not listed here, please give me information on it. Thanks!
APNIC OPM - August 200125 APSIRC Asia-Pacific Security Incident Response Centers Virtual forum for exchanging information / ideas –Mailing list managed by APNG group Major persons working in this area are registered. Mail to firstname.lastname@example.org, if you want to subscribe There is few traffic on the list –Promoting establishment of IRT in the countries where there is no national contact. Org. or persons as stable contact point is highly required. The IRT does not have to be funded by government.
APNIC OPM - August 200126 IRT requires various information Information we need… –Address allocation and domain allocation –Contact point to venders, ISPs, victims, suspects, …. Ask situation Ask collaboration and corporation to solve the specific incident Address smurf is our headake –reliable WHOIS database special access permission to WHOIS database National and International level –Contact point to the law enforcement Security incident is banned in many countries. Sometimes, contacting law enforcement is mandatory APNIC has quite important role on maintaining databases for helping IRTS in AP region
APNIC OPM - August 200127 Government Activities (1) Inter-governmental Network for Law Enforcement teams –24/7 –ICPO, G8 Lyon Group Interaction between industries and governments are still under discussion –G8 subgroup on high-tech crime / professional workshop Held in Oct. 2000 in Berlin and May 2001 in Tokyo
APNIC OPM - August 200128 Government Activities (2) European Treaty for fight against High-Tech Crimes –Discussed since 2000, public comment request in March 2001, finalize in July 2001. –Will be effective through ratification process in each countries –This treaty requires a country to maintain / create / modify laws to prepare consistent action against high-tech crimes E.g. all the countries ratified should have law to ban computer virus development as well as circulation.
APNIC OPM - August 200129 Government Activities (3) CSIRT have to work with the government in some cases –Dialogue with government is very important, because we does not have to be isolated from government. –Law enforcement is now major group who are working on computer / network security issues in many countries –Collaborations ….
APNIC OPM - August 200130 Summary Security Incidents: growing rapidly CSIRT: always busy APNIC and country registries: please work with CSIRT in each member states for providing reliable information on who is using the address and domain. Country who does not have CSIRT: make it!