
GvIB
Threats & Trends
Tom Welling, CISSP
Erik van Veen, CISSP
18 March 2008
Agenda
1. Introduction
2. Sneak Preview ISTR #13
3. Virtualization & Security
4. Electronic Banking
5. Future Trends
6. Tingling Questions?
[email protected]
2
Sneak Preview
Spam & Phishing
Internet Security Threat Report #13
(Early April 2008)
ISTR13 Sneak Preview (H2-2007)
• Symantec Internet Security Threat Report provides a six-month update of Internet threat activity:
– network-based attacks
– known vulnerabilities
– malicious code
– phishing and spam activity
– recommendations for protection
• Symantec™ Global Intelligence Network:
– Over 40,000 sensors monitoring networks in over 180 countries
– Symantec gathers malicious code reports from over 120 million client, server, and gateway systems
– Security Focus Vulnerability Database & BugTraq™ mailing list community
– Symantec Probe Network, over two million decoy accounts in over 30 countries
– Symantec Phish Report Network, an extensive antifraud community
– Global spam and phishing activity
• Analyst & research information
Virtualization & Security
Virtualization & Security
Why should I care?
Detection
Denial-of-service
Escape!
Virtualization & Security
Detection
• The goal is to detect the virtual machine
• This can be either for attack or defense:
– Attack: the attacker knows of a vulnerability in the virtualization
environment and wants to identify it in order to exploit it
– Defense: malicious code wants to shut down immediately or behave
differently in the presence of a virtual machine, which could be a honeypot
• Software virtual machines are relatively trivial to detect
Virtualization & Security
Denial-Of-Service
• Where an attacker can crash the VM or a component of it
• Can lead to complete or partial Denial of Service
• Analogous to finding a CPU or network card firmware bug
• Impact significant if it can be triggered either remotely or by an
unprivileged user
Virtualization & Security
Escape!
• The worst case scenario
– Guest to Host compromise
– Guest to Guest hop (jump the soft air gap)
• Can be achieved in a number of ways
– persistent storage is shared between hosts
– Vulnerability in the guest to host communications
– Vulnerability in the hardware emulation
– Vulnerability in a supporting service (NAT, DHCP etc.)
– Vulnerability exists in native hardware drivers - which can be
exploited from the guest
Virtualization & Security
Hackers using VM technology
• Originally a research project (SubVirt)
• Now considered one of the more advanced rootkit methods
• A host on native hardware is compromised
• The malicious code/attacker then installs a new O/S with
supporting VMM – adjusts the boot order etc..
• The guest O/S is then demoted into a virtualised environment
• The result is potentially a difficult compromise to detect
• Hardware virtualization in newer AMD and Intel chips
Virtualization & Security
Virtualization & Security Summary
• Virtualization is good for business as it lowers costs and increases
equipment utilization
• But significant risks exist with such a “young” technology; the
security implications of these risks are only now starting to be
understood
• If your security architecture is built upon a virtualised environment,
what mitigations are in place?
• In the short to medium term, perform thorough risk analyses of
processes/applications moving to virtualized environments
• Virtualization is also being adopted for malicious code purposes to
further hinder detection
E-banking risks?
E-banking risks
What drives the hacker?
• Focus has shifted over the last few years:
– Remember the ‘good old days’? E.g. the ILOVEYOU virus
– 10 minutes of fame is not that important anymore!
– Code writers & hackers now co-operate with hard-core criminals
• Growing number of E-banking related threats
• Threats are getting very sophisticated! Trojan.Silentbanker?
E-banking risks
Example: Trojan.Silentbanker
• January 2008
• Parses all browser requests performed by user
• Follow-up action depends on an updatable URL database
– Remote Man-in-the-Middle
– Local Man in the Middle / HTML Altering
– Targeted Information Stealing
– Password Stealing
– Information Gathering
– Screen Capture
– Porn Site Requests
E-banking risks
Remote Man-in-the-Middle attack
• If the user visits a certain website, they will silently be directed to an
attacker-controlled site instead.
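As an added illustration (not from the slides or from Symantec): a proxy-log check a bank or SOC could run for the silent redirection described above. The log format and the bank's address ranges are constructed for the example.

```python
import ipaddress
import re

# Added example, not from the slides: flag proxy-log entries where a
# banking hostname was served from an address outside the bank's own
# ranges, which is what a silent redirection to an attacker-controlled
# site looks like from the network side. Log format and ranges are constructed.

# Constructed allowlist: hostname -> address ranges the bank actually uses.
BANK_RANGES = {
    "online.bank.example": ["192.0.2.0/24", "2001:db8:10::/48"],
}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_expected_address(host, dst, ranges=BANK_RANGES):
    """True if dst lies in one of the ranges registered for host."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in ranges.get(host, []))

def find_redirections(lines, ranges=BANK_RANGES):
    """Return (timestamp, host, dst) for monitored hosts served from foreign addresses."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in ranges:
            continue  # unparseable, or not a monitored banking host
        if not is_expected_address(rec["host"], rec["dst"], ranges):
            hits.append((rec["ts"], rec["host"], rec["dst"]))
    return hits

# Constructed sample log: one legitimate visit, one redirected visit,
# one unrelated host, one malformed line.
SAMPLE_LOG = [
    "2008-03-18T09:12:01 host=online.bank.example dst=192.0.2.44 status=200",
    "2008-03-18T09:15:37 host=online.bank.example dst=203.0.113.9 status=200",
    "2008-03-18T09:16:02 host=news.example dst=198.51.100.5 status=200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, host, dst in find_redirections(SAMPLE_LOG):
        print(f"{ts} {host} served from unexpected address {dst}")
```

The check only sees what the proxy sees; a redirection performed inside the browser to a lookalike hostname would need a separate hostname-based rule.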
E-banking risks
Local Man-in-the-Middle attack with page altering
• Can re-use / steal user Cookie and Certificate
• Changes transaction data on-the-fly
• If information is missing to conduct a transaction, extra HTML can
be added to the page to ask the user for that extra information.
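As an added example (not the trojan's code nor Symantec's): why a confirmation code computed over the transaction data the customer sees ("what you see is what you sign") catches data changed on-the-fly, while a code that answers only a bank challenge does not. Secrets, account numbers and the token scheme are constructed.

```python
import hashlib
import hmac

# Added example, not from the slides: the customer's token computes a code
# over the beneficiary and amount shown to the customer; the bank recomputes
# it over the data it actually received. Secrets and accounts are constructed.

TOKEN_SECRET = b"constructed-per-customer-token-secret"

def canonical(tx):
    """Fixed serialization of the fields the customer is asked to verify."""
    return f"{tx['beneficiary']}|{tx['amount_cents']}".encode()

def _eight_digits(secret, message):
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

def transaction_code(secret, tx):
    """WYSIWYS code: depends on the transaction data itself."""
    return _eight_digits(secret, canonical(tx))

def challenge_only_code(secret, challenge):
    """Weaker scheme: depends on a bank-issued challenge only."""
    return _eight_digits(secret, challenge.encode())

def bank_accepts(secret, received_tx, code):
    """Bank-side check: recompute over what arrived, compare in constant time."""
    return hmac.compare_digest(transaction_code(secret, received_tx), code)

def bank_accepts_challenge_only(secret, challenge, received_tx, code):
    """Weak bank-side check: received_tx is never bound to the code."""
    return hmac.compare_digest(challenge_only_code(secret, challenge), code)

def local_mitm_rewrite(tx):
    """Models the trojan swapping the beneficiary after the user typed it."""
    altered = dict(tx)
    altered["beneficiary"] = "NL00ATTK0000000000"  # constructed attacker account
    return altered

def demo():
    """Returns (honest accepted, tampered accepted, tampered accepted by weak scheme)."""
    seen_by_user = {"beneficiary": "NL00BANK0000000001", "amount_cents": 12500}
    tampered_tx = local_mitm_rewrite(seen_by_user)
    code = transaction_code(TOKEN_SECRET, seen_by_user)
    honest = bank_accepts(TOKEN_SECRET, seen_by_user, code)
    tampered = bank_accepts(TOKEN_SECRET, tampered_tx, code)
    challenge = "483920"  # constructed challenge shown to the user
    weak = bank_accepts_challenge_only(
        TOKEN_SECRET, challenge, tampered_tx, challenge_only_code(TOKEN_SECRET, challenge))
    return honest, tampered, weak
```

The protection holds only if the token displays the beneficiary and amount for the customer to check; a trojan that can also alter what the token receives defeats it.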
E-banking risks
Targeted Information Stealing
• The Trojan can steal specific information from specific sites.
• The Trojan contains a list of URLs and associated keywords. When
such a URL is visited the Trojan will log the information associated
with that keyword and send it to the attacker.
• The information targeted here includes:
– bank balance
– account number
– account type
– PIN
– etc.
E-banking risks
Password Stealing
• The Trojan monitors all requests containing user names and
passwords and logs all this data to various log files.
• The Trojan can capture:
– FTP (file transfer)
– POP3 (e-mail)
– Webmail passwords
– etc.
• The Trojan also steals passwords from Windows Protected
Storage.
• These log files are periodically sent to the attackers.
E-banking risks
Information Gathering
• The Trojan gathers the following information from the victim's
computer:
– Cookies
– Adobe .sol files
– Software installed
– Computer name, OS, and patches installed
– Browsing and search history
– Current URL being visited
– Digital certificates
• Various reasons: future target profiling, adware etc.
E-banking risks
Screen Capturing
• Takes a screen shot when specific banking
URLs are visited.
E-banking risks
Porn Site Requests
• A list of over 600 porn URLs.
• List is updateable.
• Contains referrer information.
• The attackers appear to be generating money from directing users to
these porn sites and collecting the referral money.
Future?
Future
What can we expect? Just a few...
• Malicious code and virtual worlds
– Real Money Transactions
– Intra-world Money Exchanges
– Money laundering
• Automated evasion processes
– X-morphing
– virtual machine technology
• Advanced usage of personal networking sites
– Hyves, Myspace, Linkedin etc.
• Even more low-profile targeted attacks
Tingling Questions..
• The Information Security Management Process:
– Automated or Standardized Information Categorization and Classification?
– Organizations adopting standard frameworks such as ISO 27001?
– Organizations benchmarking their policy against standard frameworks and industry
peers?
• Data in Transit:
– A central Dutch SOC, according to the flower model?
• Data at Rest:
– Encryption, integrated in backup and archiving tools?
– More focus on Incident Management, Business Continuity and DR?
• At the end-point:
– Broad adoption of Jericho?
– Standardization of a security framework at the endpoint to quickly extinguish very
specific attacks?
– Much more focus on Data Leakage Prevention?
Thank You!
Erik Van Veen, CISSP
[email protected]
Tom Welling, CISSP
[email protected]
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other
countries. Other names may be trademarks of their respective owners.
This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to
the maximum extent allowed by law. The information in this document is subject to change without notice.