Cyber Security and Internet Governance - HKUST Cybersecurity.pdf · What is Cyber Security...
Who am I?
SC Leung, Director, Internet Society Hong Kong
Work
• Information Security • ISP • Banking • Telecom • Software Distributor • School Teacher
Working Groups
• Internet Accessibility • Internet technology, e.g. IPv6, DNSSEC • Internet Security & Privacy • Copyright and Creativity • Startup
Activities
• Seminars, conferences, campaigns (IPv6 in Action) and workshops, startup award, policy paper
Do you buy this argument?
"Everything has a computer in it. Every computer can be hacked."
Source: Apple Daily, July 27 2013
What are Cyber Security Risks?
Terms
• Attacks – explicit actions to damage
• Threats – dangers, motives to attack
• Vulnerabilities – security holes
• Impacts – the damage done to the victim
• Risks – probability of damage / loss / negative effects
Internet and Economy of Hong Kong
Internet's contribution to the HK economy (2009): USD 12.4B (5.9% of GDP)
• 1/3 consumption
• 1/3 government / private investment in Internet-related goods and services
• 1/3 net exports of e-commerce and hardware
Projected growth: 7% per year
Source: Study by Boston Group, commissioned by Google
Hong Kong Communication Statistics
Internet Services (Jan 2015, CenStatD)
• Internet penetration rate 73% (5.75M)
• Household broadband penetration rate 83.2%
• Public Wi-Fi access points 30,297
Mobile Services (Nov 2014, CenStatD)
• Mobile subscribers 17.5M
• Mobile penetration rate 241.7%
• Smartphone users accessing the Internet daily 96%
Facebook Users (Jan 2014, TNS): 4.4M
Internet Speed and Attack
Economies with the fastest Internet speed
• Hong Kong 1st: 84.6 Mbps
• Singapore 2nd: 83 Mbps
• South Korea 3rd: 74.2 Mbps
• Japan 4th: 65.1 Mbps
Economies with the highest proportion of attack traffic
Source: Akamai 2014-Q3 Internet Report
Modern Attackers
Image credits: Infographics of WatchGuard
Three profiles: Nation State, Hacktivist, Cyber Criminal
Cyber Criminal
• Motive: $$$
• Underground economy
• Crime-as-a-Service
• Botnet infrastructure
• Advanced (banking) Trojans
• Moving to mobile and cloud
Hacktivist
• Motive: Ideological
• High profile
• Crowdsourcing
• Data leakage → DDoS
Nation State
• Motive: Political / Military
• Targeted critical infrastructure
• Advanced malware / attacks
• Low profile
• Espionage
Critical Infrastructure at Risk
Stuxnet botnet (2010)
• Designed to overcome the network (air) gap
• Targeted programmable logic controllers in the Natanz nuclear facilities in Iran
Supervisory Control and Data Acquisition (SCADA) systems in critical infrastructure
• Water and sewage systems • Hospitals • Telecommunications • Transport
Targeted Attacks on the Critical Infrastructure of Trust
• Stolen digital certificates used by Stuxnet (Jan 2011) and Duqu (Oct 2011)
• RSA SecurID hacked (Mar 2011): caused a global replacement of tokens over years
• Certificate Authority attacks: Comodo (Mar 2011), DigiNotar (Aug 2011), DigiCert Malaysia (Nov 2011); more Dutch CAs: Getronics KPN CA (Nov 2011), GenNet (Dec 2011)
Consequences
• Root certificates of these CAs were distrusted or removed from browsers / OSes
• Some went out of business after the attack
• Attacks reach down to the root of trust of the Internet
Impacts of the New Chemistry
[Diagram labels: Nation X, Nation Y, collateral damages]
• Lower hurdle to access sophisticated attack technologies
• Provide attack services to hacktivists
Mac OS Security Vulnerabilities
Some people think "We don't need anti-virus for Mac OS". Is this true?
Flashback Trojan for OS X
• Appeared in Sep 2011, pretending to be an Adobe Flash installer
• Evolved to target a Java runtime vulnerability on Mac computers in 2012
• Said to have infected 500,000 Mac computers
Java vulnerability targeted by Flashback
• Oracle announced it in Nov 2011
• Apple did not patch it until Apr 2012
Conclusion
• Do not believe the myth "Apple does not need antivirus"
Threats, Vulnerabilities, Risks and Risk Mitigations
[Diagram labels: Threats (disasters, attackers) → Attacks → Vulnerabilities (system / human) → Your System / Data → Compromised System / Data = Risks; Risk Mitigations (technology / awareness)]
Malware Propagation Channels: Executables, Documents, Websites
Executables
• Fake security software
• Fake video player codec
Document malware
• Embedded malware in PDF or Office files
• Botnet-served PDF malware
Image by Websense
Websites
• Legitimate and trusted websites compromised
• Web admins unable to detect and mitigate the risks
• Exploits imported from other servers via iframes and redirects
• Once compromised, a dropper downloads and installs the actual bot malware
Multi-stage infection (drive-by download)
[Diagram: the victim's browser sends a web request to the injected web server, is sent on to the exploit server, and finally fetches the bot from the malware hosting server]
Threat: Botnet (roBot Network)
[Diagram: Bot Herder → C&C (Command & Control Centre) → bots (your computers!) → attacks]
C&C services
• Manage
• Update
• Survive the adverse
Reflective DDoS Using Open DNS Resolvers
Actors: Attacker A, Bots, misconfigured DNS open resolvers C, Server B under attack
(1) A wants to attack B without being identified
(2) A spoofs a DNS query as if it were sent by Server B: "domain.com TYPE = ANY"; packet size = 20 bytes
(3) The open resolvers reply to the query for a domain they are not authoritative for, sending the amplified DNS reply to B; packet size = 1,200 bytes
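Detection logic for the reflection pattern above, as an added example that is not part of the original slides: it replays constructed resolver log lines (hypothetical format) and flags spoofed source addresses that receive many high-amplification replies, which is the first step before an open resolver rate-limits such replies. The log format, thresholds and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample resolver log (hypothetical format, not data from the slides):
# epoch client_ip qname qtype query_bytes reply_bytes. Under reflection the
# "client" is the spoofed source address, i.e. the victim server B.
SAMPLE_LOG = """\
1425000001 203.0.113.7 domain.com ANY 20 1200
1425000001 203.0.113.7 domain.com ANY 20 1200
1425000002 203.0.113.7 domain.com ANY 20 1200
1425000002 203.0.113.7 domain.com ANY 20 1200
1425000003 203.0.113.7 domain.com ANY 20 1200
1425000003 198.51.100.42 example.org A 29 45
1425000004 198.51.100.42 example.org AAAA 29 57
malformed line that must not crash the parser
"""

AMPLIFICATION_THRESHOLD = 10.0  # reply bytes per query byte (the slide's case: 1200/20 = 60)
MIN_SUSPECT_QUERIES = 5         # a few ANY lookups from one address is ordinary diagnostics

def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        try:
            records.append({"client": parts[1], "qname": parts[2], "qtype": parts[3].upper(),
                            "qbytes": int(parts[4]), "rbytes": int(parts[5])})
        except ValueError:
            continue
    return records

def amplification_factor(query_bytes, reply_bytes):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return reply_bytes / query_bytes if query_bytes else 0.0

def find_reflection_victims(records):
    """Return {client_ip: (query_count, amplification)} for addresses that receive many
    high-amplification replies: likely spoofed victims the resolver should rate-limit."""
    stats = defaultdict(lambda: [0, 0, 0])  # per client: count, query bytes, reply bytes
    for r in records:
        s = stats[r["client"]]
        s[0], s[1], s[2] = s[0] + 1, s[1] + r["qbytes"], s[2] + r["rbytes"]
    suspects = {}
    for client, (count, qbytes, rbytes) in stats.items():
        amp = amplification_factor(qbytes, rbytes)
        if count >= MIN_SUSPECT_QUERIES and amp >= AMPLIFICATION_THRESHOLD:
            suspects[client] = (count, round(amp, 1))
    return suspects
```

Closing recursion to outside clients removes the reflector role entirely; the per-address check above is what a resolver that must stay open can still apply.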
Critical Attacks in Hong Kong
Recent cases
• 第一亞洲商人金銀業有限公司 (Feb 2012)
• HK Stock Exchange 披露易 (Aug 2011)
Territory-wide attack no longer a myth
Hong Kong came across a territory-wide attack in October 2014: the Operation Hong Kong campaign initiated by a hacktivist group
• Many websites targeted, both government and non-government
• In the form of web defacement, DDoS attacks and intrusion into information systems
• Also brought collateral damage to other users in neighbouring networks
Security Incident Reports Handled in the past 10 years
[Bar chart: yearly counts 2005-2014; 2014 total 3,443, up 103% from 2013]
80% of incident reports in 2014 were referred by external parties
Incident Reports Breakdown in 2014
Total: 3,443
• Botnet: 1,973 (57%)
• Phishing: 594 (17%)
• Malware: 298 (9%)
• Web Defacement: 146 (4%)
• Distributed Denial-of-Service (DDoS): 125 (4%)
Mobile Malware
China statistics 2012 (NQ Mobile)
• 95% of mobile malware targets Android
• Infected 32.8M smartphones
• 28% collect personal data for $$
• Mostly from unofficial app stores
• Malware packaged into normal apps and put on app stores
Mobile banking – is it secure?
Two-factor authentication using SMS?
• Some banks start to use the phone as the client tool
• Out-of-band communication is lost when SMS is used as a soft token on the same device → a separate token device is recommended
Unauthenticated mobile apps
Hackers ported the Zeus botnet to mobile
• Zeus: botnet targeting financial institutions
• Man-in-the-Mobile attack (Mitmo)
More iOS Malware
WireLurker infected jailbroken and non-jailbroken devices
• Infection via synchronization with the desktop
• Mac malware hosted on the piracy app store 麥芽地
• The Mac malware monitors USB connections and syncs with the iOS device to infect it with WireLurker
• Uses an enterprise provisioning profile to install malware not published on the Apple App Store
IoT Security Outlook
Hackers now control Internet devices to steal data, or use them to launch attacks
• IP cameras – leaking personal privacy
• Broadband routers – launching DDoS
• TV boxes – compromised by preloaded malware
Potential threats for the "Internet of Things"
• Smart Home, Smart Watch or Industrial Control Systems (ICS) connected to the Internet
Smart Home
[Diagram labels: Remote Control (Mobile Devices), Personal Cloud (Managed Service), Home Gateway, Home Devices]
Reference: http://www.gsma.com/connectedliving/wp-content/uploads/2012/05/Marcos-Zart-Amdocs_Connected_Home-SmartCity-2012-June.pdf
Google Nest thermostat hacked (researchers at the University of Central Florida)
• Can boot via USB to bypass verification and install any code
• Can read a log file that contains the local Wi-Fi credentials in plaintext
• Can block sending the log back to the server
https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf
Smart Car Security
BMW issues security patch for ConnectedDrive after unlocking hack discovered (Feb 2015)
• Hack: use a fake cellphone base station to intercept mobile network traffic and send a forged command to the BMW server to open the car window
http://grahamcluley.com/2015/02/bmw-security-patch/
The Internet 911?
Cybersecurity
• A national defense strategy
• Countries want more control
Internet Freedom and Privacy
• Human rights
Edward Snowden on digital surveillance
Is general surveillance justified for national security? Data privacy concerns
• Data in transmission
• Data in storage
• Snowden said "strong encryption helps"
Data sovereignty issue
• Brazil regulating cloud firms to open local data centres for Brazilian citizens (Nov 2013)
• http://www.computing.co.uk/ctg/analysis/2309148/why-brazil-s-privacy-push-could-cost-firms-dear
Risks to Privacy
• Big Data
• Lenovo SuperFish adware: preinstalled adware leaking personal data
• GreyFish disk firmware leaking personal data: http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html
• Xiaomi phone uploading user data to the cloud: http://www.lowyat.net/2014/08/f-secure-confirms-new-xiaomi-miui-update-fixes-discreet-user-data-uploads/
Some Trends Worth Noting
The Internet has contributed greatly to globalization. Lack of trust → is localization emerging?
• Use our own digital products
• Train our own professionals
• Do our own research and do not share it
• Mandate code review of foreign products
Fragmented Internet
• Filtering content
Arab Spring 2010 and afterwards
• Most popular Twitter hashtags in the Arab region in 2010 and 2011: "Egypt", "Jan25", "Libya", "Bahrain" and "protest"
• Arab Social Media Report, March 2011
• 9 in 10 Egyptians and Tunisians used Facebook to organise protests or spread awareness
43 Million Arab Users on Facebook
Image credit: http://blogs.worldbank.org/publicsphere/media-revolutions-43-million-arab-users-facebook
Internet Governance Becomes a Hot Debate
Internet governance: currently a distributed model
ITU World Conference on International Telecommunications (WCIT), December 2012
• Debate on the new International Telecommunication Regulations (ITRs) to include regulation of the Internet
WCIT 2012 Dubai
The Dubai meeting became a hotspot: some member states tabled very controversial proposals, including:
• Extending the ITU's regulatory authority from telecommunications to include the Internet. Some African member states even proposed expanding it further to anything relating to "ICT".
• Requiring member states to address cyber security and anti-spam issues
• Permitting member states to impose restrictions on the routing of Internet traffic and to collect subscriber identity information
"Cold War" in the Dubai Meeting
One camp, including Russia, China and some Arab and African countries, proposed to regulate the Internet. The other camp, including the United States, Canada, EU countries and their allies, insisted on maintaining a multi-stakeholder governance model for an open and free Internet. The two camps stalled in a tug-of-war. Finally, the Chairman announced the new regulations, with effect from January 1, 2015.
After the Dubai Meeting
Internet Society published the "Global Internet User Survey 2012" report
• 83% agreed or strongly agreed that access to the Internet should be considered a basic human right
• 89% agreed or strongly agreed that Internet access allows freedom of expression on all subjects
• 86% agreed or strongly agreed that freedom of expression should be guaranteed
The European Union published its Cyber Security Strategy in February 2013
• Human rights being a fundamental of cybersecurity
Internet Governance
ICANN: a distributed governance model with inputs from multiple stakeholders: governments, public organizations and the netizens.