Computer Security Trend 2008 from Japan. SQL Injection, DNS cache poisoning, Phishing, Key logger Malware and Targeted Attacks

Transcription

1 Computer Security Trend 2008 from Japan SQL Injection, DNS cache poisoning, Phishing, Key logger Malware and Targeted Attacks JPCERT Coordination Center, Japan Manager of Watch and Warning Group Keisuke Kamata

2 Agendas SQL Injection incidents DNS Cache poisoning vulnerability Phishing incidents Key logger malware Targeted Attacks 1

3 JPCERT/CC activities to SQL Injection 1SQL Injection Attack 4Malware installation Attacker 2Use of web Malicious site 3Deliver Vulnerable websites Damage End user Take down ISP or Sys admins Notification Public alert Overseas CSIRT Coordination

4 SQL Injection incident JPCERT/CC told us about the web defacement. But we have no knowledge and budget... SQL Injection Victim Notify to SQL Injection incident victims about defacement of website. There is no person to handle security incident... There is no one who can do this. How to handle?? JPCERT/CC Even many kinds of of media was pick this incidents, there was no no knowledge about SQL Injection incidents in in this organization. They did not have security check for for their web server. They did not monitor, they did not know happening incident. 3

5 Summary of SQL injection incident Where is the problem? Not in web server s OS Not in web server program IN Web application vulnerability Why it happens? Insecure coding of web applications Need to have a secure coding of web applications Need to handle input data rightly. Who will become a victim? Users of your website! 4

6 DNS cache poisoning vulnerability

7 Overview of DNS cache poisoning vulnerability What is DNS cache poisoning? Mr A s DNS cache server DNS contents server of jpcert.or.jp Mr. A 6

8 Overview of DNS cache poisoning vulnerability What is DNS cache poisoning Mr.A s DNS cache server 1 Mofidy cache data of the cache server, by using cache poisoning vulnerability Attacker Mr. A Malicious site 7

9 Threats and mitigations for this vulnerability These people are victims with the situation of DNS cache server X is poisoned. DNS cache server X DNS contents server of company A LAN of Company A External user DNS cache server is needed to take action 8

10 JPCERT/CC activities for DNS cache poisoning vulnerability Vulnearble organization JPCERT/CC We have a list of vulnerable DNS cache servers. Notify for each system administrators about the vulnerability. We can not assign any budget about this... Have to wait until next year... Because this vulnerability is is difficult issue, some organization could not understand about this issue clearly. External system integrator refuse the request to to solve the problem. 9

11 Conclusion of DNS cache poisoning vulnerability At first, apply patch for the DNS cache server To reduce risk, how much can you use your resource? This problem is little complex and need to have good understanding for the right mitigations There are many other problems like this, that affect to basic specifications of Internet technology Protocol level issues has many specification problems, as you know 10

12 Phishing

13 Phishing Phishing Try to obtain ID/Password of users Internet banking, online game, and so on Those ID/PW are sold under the black markert What is Phighins site? Imitation of some actual website Ask users to input privacy information like ID and password It is very easy to make copy of some website 12

14 Black market is existing 13

15 Credit card numbers are 14

16 Bird view of Phishing incident Attacker Intrude Detection System admin of victim site JPCERT Bank Phishing site JPCERT Bank Real site ID/PW input Lose of customer End user 15

17 Summary Japanese cases Bank, ISP, contents provider Some cases got almost 1million USD of damage Japanese organization phishing site In overseas vulnerable web servers 件数 フィッシング年度別報告件数 2004 年度 2005 年度 2006 年度 2007 年度 Overseas organization phishing site In Japanese vulnerable web servers JPCERT/CC is working to take down those phishing sites 16

18 Key logger malware

19 Key logger malware incident overview Private information might be leaked through key logger malware Malicious person DB of Key logger data 18

20 Key logger malware incident Key logger incident cooridnation Japanese Orgs Japan Malicious Person JPCERT/CC Other country National CSIRT of Country A National CSIRT 19

21 Key logger malware incident Org B Org A How to handle this data? Who is suitable Point of Contacts for OrgA and OrgB? JPCERT/CC Handle customers private information come from JPCERT/CC Org B has no no Point of of Contact for for receiving and handling information security related incidents Some organizations took 1 or or 2 months to to start handling this incident. Long journey to to escalate this issue to to management level. 20

22 Targeted Attacks

23 Targeted attack Send malware, which is created only for Mr. B in Company A Company A Attacker Mr. B As a target 22

24 Mitigations for Targeted Attacks Technical Software level Check From: header Inside address should not come from outside of intranet SPF record, DKIM, sender domain authentication Monitor outbound traffic (not only inbound) Monitor intranet traffic Sign it!! (pgp or s/mime) Educational Seminar, Training, Alert, Documentation and so on. Inoculation = Social Engineering Drill JPCERT/CC Survey result Even security professional can not avoid! Other ways 23

25 Summary Targeted attack s are happens Government agencies are tend to become a target. Attached files are PDF MS Office Other office applications In some cases, Anti-virus software can not detect the attached malware 24

26 As you know, attacker s purpose is changed Attack range : Wide -> Narrow targeted attack Objectives : Fun -> Getting money Need to have cyber law to catch criminals 25

27 Incident Response overview 26

28 To Handle computer security Incident Effectively CERT/CSIRT: as an international operational cooperation As a national CERT/CSIRT in each country As a company organizational internal CERT/CSIRT Considering to cooperation in each different layer Government Legal party Law Enforcement Vendors ISPs CERT/CSIRT Technical Incident Handling Operation 27

29 Thank you for your attention. JPCERT Coordination Center Tel: Vulnerability Information : Incident Report info@jpcert.or.jp PGP Fingerprint: BA F4 D9 FA B8 FB F EE 3C 2B 13 F0 48 B8 28