Presentation Transcript

Slide1: 

Internet Security Activities in Korea
Wan-keun Jeon, Korea Internet Security Center
2005.11.17

Contents: 

Contents
I. Internet Status in Korea
II. Internet Threat Status
III. Responding Malicious Codes
IV. Responding Web Hacking Incidents
V. Further Works

I. Internet Status in Korea (1/2): 

I. Internet Status in Korea (1/2)
Internet Infrastructure:
- 12M Broadband Subscribers
- 87,000 Leased Line Subscribers (Enterprises/Organizations)
- 70+ ISPs
- 28M PCs
- 1.4M Home Pages
Source: NIDA (KrNIC)

I. Internet Status in Korea (2/2): 

I. Internet Status in Korea (2/2)
Transition of Internet Usage: evolving into a Broadband Convergence Network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB)
[Figure: Internet + Mobile + Voice + Broadcasting converging into one network; attacks shown against the Internet, Voice, Broadcasting and Mobile segments, with a Secure Zone]

II. Internet Threat Status (1/3): 

II. Internet Threat Status (1/3)
[Charts: Worm/Virus Incidents; Web Page Defacements; Phishing cases; PC Survival Time]
Source: KISA KISC Monthly Report

II. Internet Threat Status (2/3): 

II. Internet Threat Status (2/3)
[Figure: threat severity timeline, 2000 to 2006]
- Viruses: CIH ('97)
- Worms: Code-Red; Slammer Worm ('03.1.25); Blaster/Welchia
- DoS attacks: Amazon/eBay DDoS attack; Root DNS DDoS attack
- Attackers: BOT, financial motives, bot bases, mutants
- Trojans: Agobot, Peep
- Game ID theft/Phishing; AD/Spy-ware
- Platform milestones on the timeline: Windows XP/SP2, Windows Vista (Longhorn)

II. Internet Threat Status (3/3): 

II. Internet Threat Status (3/3)
Focusing Areas:
- BOTNet (Zombies) -> Responding Malicious Codes
- Web Hacking Vulnerability -> Responding Web Hacking
Example: Sasser Worm
- Vulnerability patch: '04.4.13
- Worm outbreak: '04.5.1
- "Only 20% of Windows users are up-to-date with patches" ('04.1.27)

III. Responding Malicious Codes: 

III. Responding Malicious Codes
- Botnets are one of the biggest threats to the Internet
- Too many PCs in Korea get infected by bots
- Abused for spamming, phishing, etc.
Src: http://en.wikipedia.org/wiki/Botnet

III. Responding Malicious Codes: 

III. Responding Malicious Codes
Working with ISPs/NSPs:
- Nuking botnet C&C (Command & Control) activity (Korea only)
- Cooperation with Dynamic DNS providers to terminate botnet C&C DNS RRs
- Cooperation with foreign CERTs/ISPs/NSPs to block and take down IP addresses used as botnet C&C servers

III. Responding Malicious Codes: 

III. Responding Malicious Codes
- Filtering botnet C&C IPs
- Terminating botnet C&C DNS RRs
- Collecting bot samples and sharing them with AV vendors
- Using ISP DNS for a DNS sinkhole: so far 4,691 botnet DNS RR entries, applied to the major KR ISP DNS servers
- Forcing users to patch Windows vulnerabilities with help from major portal and on-line game sites
[Figures: <Botnet sinkhole activity>; <BOT-infected Korean PCs worldwide>]
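The sinkhole described above does two jobs: it stops infected PCs from reaching the C&C name, and the resolver's query log then shows which subscribers asked for it. The following is an added example, not KISC code and not from the presentation, showing the second half: matching resolver query-log lines against a sinkhole list on label boundaries (so a subdomain of a C&C name is caught but a name that merely ends with the same characters is not). The log format approximates BIND's query log; the hostnames, addresses and log lines are constructed for the example.

```python
"""Added example (not from the KISC presentation): turning a DNS sinkhole
into a bot-detection feed.

A resolver-level sinkhole answers queries for known botnet C&C hostnames
with a local address, so the infected PC never reaches the real C&C.  The
resolver's query log then lists every client that asked for a sinkholed
name, which is how an ISP can identify infected subscribers.  The log
format (approximating BIND's "query:" lines), domain names and IP
addresses below are constructed for the example and are not KISC data.
"""
import re
from collections import defaultdict

# Constructed sinkhole list: C&C names as an ISP would load into its resolver.
SINKHOLED_NAMES = {
    "cnc.botnet-example.net",
    "irc.dyn-botnet-example.org",
}

# Constructed resolver log lines, in the shape of BIND's query log:
#   <timestamp> client <ip>#<port>: query: <qname> IN <qtype> <flags> (<server>)
QUERY_LOG = """\
17-Nov-2005 10:12:01.123 client 203.0.113.5#51234: query: cnc.botnet-example.net IN A + (198.51.100.1)
17-Nov-2005 10:12:02.456 client 203.0.113.5#51240: query: www.example.com IN A + (198.51.100.1)
17-Nov-2005 10:12:03.789 client 203.0.113.77#1025: query: IRC.Dyn-Botnet-Example.ORG. IN A + (198.51.100.1)
17-Nov-2005 10:12:04.000 client 203.0.113.9#3200: query: update.cnc.botnet-example.net IN A + (198.51.100.1)
17-Nov-2005 10:12:05.000 client 203.0.113.9#3201: query: notcnc.botnet-example.net IN A + (198.51.100.1)
17-Nov-2005 10:12:06.000 client 203.0.113.42#2000: query: mail.example.com IN MX + (198.51.100.1)
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'Cnc.Example.' equals 'cnc.example'."""
    return name.rstrip(".").lower()


def is_sinkholed(qname: str, sinkholed=SINKHOLED_NAMES) -> bool:
    """True if qname is a sinkholed name or lies below one in the DNS tree.

    Matching on label boundaries matters: 'update.cnc.botnet-example.net'
    belongs to the C&C zone, but 'notcnc.botnet-example.net' does not.
    """
    q = normalize(qname)
    for entry in sinkholed:
        s = normalize(entry)
        if q == s or q.endswith("." + s):
            return True
    return False


def infected_clients(log_text: str, sinkholed=SINKHOLED_NAMES) -> dict:
    """Map each client IP that asked for a sinkholed name to the names it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        if is_sinkholed(m.group("qname"), sinkholed):
            hits[m.group("ip")].add(normalize(m.group("qname")))
    return dict(hits)


if __name__ == "__main__":
    for ip, names in sorted(infected_clients(QUERY_LOG).items()):
        print(f"{ip}: {', '.join(sorted(names))}")
```

Each client IP reported here is a candidate infected PC for the ISP to contact; the names it queried tell you which C&C it was trying to reach. Note that the subscriber behind 203.0.113.9 is flagged only for the genuine subdomain query, not for the look-alike name.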

III. Responding Malicious Codes: 

III. Responding Malicious Codes
Honeynet Analysis Lab (Mgmt Server, Honeynet, MC sample sources)
How can we respond rapidly and effectively to a worm attack?
We analyze malicious codes which cause a high volume of garbage network traffic. Our analysis focuses on:
- Network traffic: protocols and ports
- Malicious behaviors (registry operations, file operations, etc.)
- Probability of information theft

III. Responding Malicious Codes: 

III. Responding Malicious Codes
On-line analysis: analysis tool combined with a honeypot for maximum effect
Analysis items:
- System information: # of processes and threads; termination of processes (AV SW)
- System modifications: creation and deletion of files; creation, modification and deletion of registry entries
- Network impact: traffic and its characteristics, payload contents
- Detecting backdoors
- Etc.: timers (coordinated attack time)
Before: FileMon, RegMon, sniffer, Netstat, etc.; about 30 minutes per sample
After: new analysis tool (MCAT) capturing a process's internal behaviors and producing a simple behavior report; less than 5 minutes per sample
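The items on this slide (files, registry entries, processes, listeners, AV termination) are what a before/after comparison of the analysis host has to surface. The following is an added example, not the MCAT tool and not code from the presentation, showing that diff logic over two constructed snapshots: the snapshot layout, the AV process names and every path, registry value and port are assumptions made up for the example.

```python
"""Added example (not the MCAT tool from the presentation): a before/after
snapshot diff of the kind a dynamic-analysis lab uses to produce a
behavior report for a malware sample.

The snapshot layout (files, registry values, processes, listening ports)
and all sample contents are constructed for this example.  On a real
analysis host the snapshots would be collected with OS tooling before and
after the sample runs; here they are given inline so the diff runs offline.
"""
from dataclasses import dataclass, field

AV_PROCESS_NAMES = {"avengine.exe", "avmonitor.exe"}  # constructed AV image names


@dataclass(frozen=True)
class Snapshot:
    files: frozenset          # paths present on disk
    registry: dict            # "HKLM\\...\\ValueName" -> data
    processes: frozenset      # running image names
    listening: frozenset      # ports in LISTEN state


@dataclass
class BehaviorReport:
    files_created: set = field(default_factory=set)
    files_deleted: set = field(default_factory=set)
    registry_created: dict = field(default_factory=dict)
    registry_modified: dict = field(default_factory=dict)   # key -> (old, new)
    registry_deleted: set = field(default_factory=set)
    processes_started: set = field(default_factory=set)
    av_processes_killed: set = field(default_factory=set)
    new_listeners: set = field(default_factory=set)         # backdoor candidates

    def persistence(self) -> set:
        """Registry changes under the usual autostart keys (Run/RunOnce)."""
        keys = set(self.registry_created) | set(self.registry_modified)
        return {k for k in keys if "\\currentversion\\run" in k.lower()}


def diff_snapshots(before: Snapshot, after: Snapshot) -> BehaviorReport:
    r = BehaviorReport()
    r.files_created = set(after.files - before.files)
    r.files_deleted = set(before.files - after.files)
    for key, value in after.registry.items():
        if key not in before.registry:
            r.registry_created[key] = value
        elif before.registry[key] != value:
            r.registry_modified[key] = (before.registry[key], value)
    r.registry_deleted = set(before.registry) - set(after.registry)
    r.processes_started = set(after.processes - before.processes)
    gone = before.processes - after.processes
    r.av_processes_killed = {p for p in gone if p.lower() in AV_PROCESS_NAMES}
    r.new_listeners = set(after.listening - before.listening)
    return r


# Constructed snapshots: the sample copies itself into system32, registers
# an autostart value, deletes its original, kills the AV engine and opens a port.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BEFORE = Snapshot(
    files=frozenset({r"C:\WINDOWS\system32\kernel32.dll",
                     r"C:\Documents and Settings\user\sample.exe"}),
    registry={RUN_KEY + r"\Updater": r"C:\Program Files\updater.exe",
              r"HKLM\SOFTWARE\Example\Telemetry": "1"},
    processes=frozenset({"explorer.exe", "avengine.exe", "sample.exe"}),
    listening=frozenset({135, 445}),
)
AFTER = Snapshot(
    files=frozenset({r"C:\WINDOWS\system32\kernel32.dll",
                     r"C:\WINDOWS\system32\dropped.exe"}),
    registry={RUN_KEY + r"\Updater": r"C:\WINDOWS\system32\dropped.exe",
              RUN_KEY + r"\dropped": r"C:\WINDOWS\system32\dropped.exe"},
    processes=frozenset({"explorer.exe", "dropped.exe"}),
    listening=frozenset({135, 445, 6667}),
)


def sample_report() -> BehaviorReport:
    return diff_snapshots(BEFORE, AFTER)


if __name__ == "__main__":
    rep = sample_report()
    print("created:", sorted(rep.files_created), "deleted:", sorted(rep.files_deleted))
    print("persistence:", sorted(rep.persistence()))
    print("AV killed:", sorted(rep.av_processes_killed), "new listeners:", sorted(rep.new_listeners))
```

The report is the "simple behavior report" in the table: a dropped file plus a Run-key entry gives persistence, a terminated AV process gives defence evasion, and a new listening port is the backdoor candidate to look at in the captured traffic.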

III. Responding Malicious Codes: 

III. Responding Malicious Codes
Survival Time: measuring the degree of Internet attack status
- The survival time is calculated as the average time between reports of attacks on an average target IP address (ISC, SANS)
- The Survival time Analysis System (SAS) automates the measurement of survival time and is part of the KISC Honeynet
- SAS consists of an analysis mechanism and a collection of PCs with unpatched Windows XP/SP1, Windows 2000/SP4, and so on

IV. Responding Web Hacking Incidents: 

IV. Responding Web Hacking Incidents
Web hacking incidents in Korea:
- Vulnerabilities in public domain BBS software were disclosed without patches
- Vulnerabilities in some security software
- Hackers armed with search engines and automated defacing tools
- More than 7,000 web pages were defaced during Dec 2004 and Jan 2005, mostly by Latin American hackers
- Unpatched BBS sites run by individuals were targeted
- Multiple websites on one host (virtual hosting sites)
[Figure: Vulnerability -> Increased Hacking]

IV. Responding Web Hacking Incidents : 

IV. Responding Web Hacking Incidents
Web hacking prevention activities:
- Finding and patching vulnerabilities in public domain BBS software: found more than 100 unpatched vulnerabilities among 20 software packages and supported getting them patched
- Organized training courses for the developers
- Vulnerability analysis support for more than 3,000 hosts residing in small web hosting companies
- Etc.

V. Further Works: 

V. Further Works
Responding to new threats:
- Web hacking skills have been evolving continuously and are being abused for information theft
- From June 2005, attempts to steal game site IDs and passwords have been increasing; these incidents are mostly related to web hacking
- Adware/Spyware problem
- Phishing for Korean banks is an emerging threat getting much attention from civil society and the press
New ways of responding against emerging threats: the KISC Honeynet is also evolving for the proper response.

Slide17: 

Cooperation with Neighbors: cooperation, information sharing and coordinated drills against malicious code and DDoS attacks

Q&A: 

Q&A
For more information, please contact jschoi@kisa.or.kr