PISA Journal Issue 12

Page 1

Professional Information Security Association

SEP-2010

PISA Journal

Personal Data Privacy in Hong Kong

International Standard on ISM

DNSSEC: Deployment, DDoS Impact

Mobile Security: Jailbreak? Mobile App for Banks

Security Toolsmith: CACTI, Linux Terminal Server

CONS Reloaded

Secure Software

www.pisa.org.hk

Issue 12


Intranet
04 Message from the Chair
05 Call for Your Participation
48 Event Snapshot
53 Joining PISA
54 Advertisement

International Outlook
06 International Standards – Information Security Management
39 CONS Reloaded

Data Privacy
11 Data Privacy in Hong Kong - the OctopusGate and Beyond
13 Topical Issues with Hong Kong Privacy Law

DNSSEC
18 DNSSEC: Application, Operation and Development (DNSSEC 的應用、運作及發展)
21 DDoS impact on DNSSEC deployment

Security Toolsmith
26 Increasing Availability with CACTI
44 Trojan Programs and Internet Security Revisited (再談木馬程式與上網安全)

Mobile Security
31 Why you don’t want to JB your iPhone
33 Mobile Application for Financial Institutions

App Security
36 Secure Software

An Organization for Information Security Professionals

Editor: editor@pisa.org.hk

Copyright © 2010 Professional Information Security Association

Royalty free images used from www.sxc.hu: Cover: by DoortenJ of Canada #739973_17714216; TOC: by Eastop of Australia #881569_30572512

A Publication of Professional Information Security Association



Message from the Chair

It is my honor and pleasure to re-take the PISA chairperson’s role recently, after leaving the executive committee in 2005 when PISA was attaining her 5th anniversary.

I recall what I wrote to PISA members in 2005: “PISA has been entering into her 5th year, not only this story has to be continued running, but we also need to inject new elements to make it good and more colorful. Instead of just sitting there and listening to others, I would like to challenge PISA members to take the initiative to write a better story…….”

Yes! You did it. PISA has already become one of the prominent professional associations in the information security arena nowadays, both locally and in the region. We have established close connections with international professional institutions such as ISC2, CERT bodies, etc. In Hong Kong, PISA plays a leading role in various areas relevant to information security, such as providing advisory support to the IT professions, awareness education to the general public, and responses to government public consultations. However, these could not have been accomplished without your efforts and without your passion.

Nevertheless, being information security practitioners, we are all facing a common challenge: the challenge of keeping oneself moving forward, driven by emerging technologies and products. For example, while most people are still playing around with the new features of mobile phones or trying to learn what cloud computing is, we already need to address enquiries on their vulnerability and security. Being set up for information security practitioners, PISA provides an important platform for us to learn and to be learned from.

Time is really running too fast; another 5 years are almost gone and PISA is entering her 10th year. Let’s prepare for this new decade and expect a great celebration in July 2011. Thank you!

Andy Ho CISA, CISSP, CISM, CBCP


Call for Your Participation

The new EXCO would like to invite your active participation in PISA activities. We will continue to organize interesting programs and project groups. We will have a delegation to Beijing to visit the information security community there. This is the first visit of its kind.

EXCO members: (From left) Alan Ho, James Chan, Frank Chow, Jim Shek, Raymond Tang, Andy Ho and WS Lam

Contribution to PISA Journal

• To join the Editorial Committee of this professional publication

• To contribute to the next issue and make your publication public

Next Issue: Issue 13 (Mar‐2011)


SC Leung, Chief Editor editor@pisa.org.hk


International Standards – Information Security Management

Dale Johnstone, Partner, Xione Group (dalej@xionegroup.com)

Synopsis

This article provides an update on the progress of work pertaining to ISO/IEC JTC1 SC27 with respect to the development of international standards for the protection of information and information and communications technologies (ICT), in particular relating to Information Security Management Systems (ISMS).

SC27 Background

The SC27 Committee – IT Security techniques [1] consists of 5 working groups and has published in excess of 98 International Standards. SC27 functions through the representation of 41 participating countries [2] in addition to 18 observing countries [3]. The development of all International Standards within ISO is a collaborative process channeled via a consensus of the Participating and Observing countries. Everyone has an opportunity to contribute to the International Standards development work [4]. The work of SC27 includes generic methods, techniques and guidelines to address both security and privacy aspects. The work of SC27 also encapsulates [5]:

● Cryptographic and other security mechanisms
● Security aspects of identity management, biometrics and privacy
● Information security conformance assessment, accreditation and auditing requirements
● Security evaluation criteria and methodology

Further details of the background to SC27 can be found in an article published in Issue 7 of the PISA magazine [6].

ISMS Family of Standards

The Information Security Management Systems standard and its supporting standards (also known as the ISMS Family of Standards) currently consist of 13 individual standards that are either published or under development. A 14th standard is expected to be included in the ISMS Family of Standards following the next meeting of SC27, to be held in Germany in October 2010. Working Group 1 within SC27 develops and maintains each of the ISMS Family of Standards listed in Figure 1.

[1] http://www.iso.org/iso/iso_technical_committee?commid=45306
[2] See Annex A
[3] See Annex B
[4] Anyone interested in contributing to the development of International Standards should approach the representing Country entity responsible for coordinating membership to ISO. In Hong Kong this entity is the Innovation and Technology Commission, Quality Services Division, Product Standards Information Bureau, www.itc.gov.hk
[5] This additional work is not covered in this article
[6] Chan, Lydia and Johnstone, Dale, “International Standard for Information Security”, PISA Journal, Issue 7, March 2008, pp 9-11, http://www.pisa.org.hk/pisa-journal/83-journal-issue-07.html (last accessed 25 August 2010)


ISO/IEC  Published  Review       Title
27000    2009       In-Progress  Information security management systems -- Overview and vocabulary
27001    2005       In-Progress  Information security management systems -- Requirements
27002    2005       In-Progress  Code of practice for information security management
27003    2010       2012         Information security management system implementation guidance
27004    2009       2012         Information security management -- Measurement
27005    2008       In-Progress  Information security risk management
27006    2007       In-Progress  Requirements for bodies providing audit and certification of information security management
27007    2012 (E)   Development  Guidelines for information security management systems auditing
27008    2012 (E)   Development  Guidance for auditors on ISMS controls
27011    2008       2011         Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
27013    2012 (E)   Development  Guidance on the integrated implementation of ISO/IEC 20000-1 and ISO/IEC 27001
27014    2012 (E)   Development  Governance of information security
27015    2012 (E)   Development  Information security management guidelines for financial and insurance services
270xx    2013 (E)   Development  Information security management – Organizational economics

Figure 1

2700x Supporting Control Standards

The ISMS Family of Standards is additionally supported by 8 standards that are either published or under development. SC27 Working Group 4 develops and maintains each of these supporting Standards, as shown in Figure 2.

ISO/IEC 27002 Development Initiatives

The depth of the discussions and meetings required to progress an SC27 International Standard towards publication is very extensive, with the volume of written comments being a measure of this interaction. Each new published version of a Standard goes through a drafting process consisting of a repeating three-month cycle of written commenting, which occurs between the six-month editing meetings. The document repeats this cycle until its maturity reaches a point where there is a high level of consensus among the Participating Countries. Using ISO/IEC 27002 as an example, the most recent commenting cycle (April 2010) resulted in 250 pages of comments from 16 National Bodies (countries). Current discussions being debated with respect to ISO/IEC 27002 include proposed additions and changes to controls, for example:

● Authorization process for information processing facilities
● Supply Chain Assurance
● Classification process for information and related assets
● Classification activity for information and related assets
● Mobile Devices
● Security requirements analysis and specification
● Initial training and education
● Information security awareness program
● Restrictions on software installation
● Prediction of instinctive responses in the face of emergency situations
● Compliance with applicable legislation, contracts and external policies
● Identification of security policies and standards

ISO/IEC  Published                            Review       Title
27031    2011 (E)                             Development  Guidelines for ICT readiness for business continuity
27032    2012 (E)                             Development  Guidelines for cybersecurity
27033    2009 (Part 1), 2011 (E) other Parts  Development  Network security -- Part 1: Overview and concepts; Part 2: Guidelines for the design and implementation of network security; Part 3: Reference networking scenarios -- Threats, design techniques and control issues; Part 4: Securing communications between networks using security gateways -- Risks, design techniques and control issues; Part 5: Securing virtual private networks -- Risks, design techniques and control issues; Part 6: IP convergence; Part 7: Wireless
27034    2012 (E)                             Development  Application security -- Part 1: Overview and concepts; Part 2: Organization normative framework; Part 3: Application security management process; Part 4: Application security validation; Part 5: Protocols and application security controls
27035    2011 (E)                             Development  Information security incident
27036    2013 (E)                             Development  Guidelines for security of outsourcing
27037    2012 (E)                             Development  Guidelines for identification, collection and/or acquisition and preservation of digital evidence
27038    2013 (E)                             Development  Specification for Digital Redaction

Figure 2

A major challenge faced when reviewing a Requirements standard used for certification by accredited certification bodies throughout the world (i.e. ISO/IEC 27001) is backward compatibility. These same challenges are taken into consideration when reviewing all International Standards including ISO/IEC 27002.

ISO/IEC 27001 Global Certification Update

To understand how the International Standards produced by SC27 are being accepted throughout different economies, our focus is now directed to ISO/IEC 27001. As a requirements-based standard recognised as being suitable for being certified against (i.e. by an organisation), a measure of the effective implementation and acceptance of this Standard in different countries can be ascertained. Organisations in 81 countries have successfully been certified as being compliant with ISO/IEC 27001 by an accredited certification body. These certifications have resulted in 6,572 certificates being issued. In total, 93.5% of the global certificates are held by the top 20 countries, with Japan holding just over half: 54% of the total certificates issued. The top 20 countries and the total number of ISO/IEC 27001 certificates issued within each country are presented in Figure 3. The primary reason behind the countries with the larger number of certificates is either regulatory mandates and/or the global recognition that the organisation is applying an internationally recognised information security management system. This recognition value-add produces benefits to the organisation, its various stakeholders and the clients whose information is more commonly being accessed and/or retained by the organisation. A full list of the number of ISO/IEC 27001 Certifications issued globally is contained within Annex 3.

Country         # 27001
Japan           3572
India           490
UK              448
Taiwan          373
China           373
Germany         138
Korea           106
USA             96
Czech Republic  85
Hungary         71
Italy           61
Poland          56
Spain           43
Malaysia        39
Ireland         37
Austria         35
Thailand        34
Hong Kong       32
Romania         30
Australia       29

Figure 3

Summary

SC27 continues to be a key stakeholder in the betterment of information security trends globally through its standards development process. Through its continued commitment to the development of the ISMS Family of Standards, SC27 is promoting greater effectiveness in ensuring the security of an organisation’s information assets, reflected in the ongoing development of information security management systems and related supporting International Standards.

Dale Johnstone ■

Annex 1 – SC27 Participating Countries

Algeria (IANOR), Australia (SA), Austria (ASI), Belgium (NBN), Brazil (ABNT), Canada (SCC), China (SAC), Cyprus (CYS), Czech Republic (UNMZ), Côte d'Ivoire (CODINORM), Denmark (DS), Finland (SFS), France (AFNOR), India (BIS), Ireland (NSAI), Italy (UNI), Japan (JISC), Kazakhstan (KAZMEMST), Kenya (KEBS), Korea, Republic of (KATS), Luxembourg (ILNAS), Malaysia (DSM), Morocco (SNIMA), Netherlands (NEN), New Zealand (SNZ), Norway (SN), Poland (PKN), Romania (ASRO), Russian Federation (GOST R), Singapore (SPRING SG), Slovakia (SUTN), South Africa (SABS), Spain (AENOR), Sri Lanka (SLSI), Sweden (SIS), Switzerland (SNV), USA (ANSI), Ukraine (DSSU), United Kingdom (BSI), Uruguay (UNIT)

Annex 2 – SC27 Observing Countries

Argentina (IRAM), Belarus (BELST), Bosnia and Herzegovina (BAS), Costa Rica (INTECO), El Salvador (CONACYT) (Correspondent member), Estonia (EVS) (Correspondent member), Ghana (GSB), Hong Kong, China (ITCHKSAR) (Correspondent member), Hungary (MSZT), Indonesia (BSN), Israel (SII), Lithuania (LST), Portugal (IPQ), Serbia (ISS), Slovenia (SIST), Swaziland (SWASA) (Correspondent member), Thailand (TISI), Turkey (TSE)

Annex 3 – List of ISO/IEC 27001 Certifications (Global)

Country             # 27001
Japan               3572
India               490
UK                  448
Taiwan              373
China               373
Germany             138
Korea               106
USA                 96
Czech Republic      85
Hungary             71
Italy               61
Poland              56
Spain               43
Malaysia            39
Ireland             37
Austria             35
Thailand            34
Hong Kong           32
Romania             30
Australia           29
Greece              28
Mexico              24
Brazil              23
Turkey              21
UAE                 20
Slovakia            19
France              18
Slovenia            16
Philippines         15
Pakistan            14
Iceland             13
Saudi Arabia        13
Netherlands         12
Singapore           12
Indonesia           11
Bulgaria            10
Norway              10
Russian Federation  10
Kuwait              9
Sweden              9
Colombia            8
Iran                8
Bahrain             7
Switzerland         7
Croatia             6
Canada              5
South Africa        5
Sri Lanka           5
Vietnam             5
Lithuania           4
Oman                4
Qatar               4
Chile               3
Egypt               3
Gibraltar           3
Macau               3
Peru                3
Portugal            3
Argentina           2
Belgium             2
Bosnia Herzegovina  2
Cyprus              2
Isle of Man         2
Kazakhstan          2
Morocco             2
Ukraine             2
Armenia             1
Bangladesh          1
Belarus             1
Denmark             1
Dominican Republic  1
Kyrgyzstan          1
Lebanon             1
Luxembourg          1
Macedonia           1
Mauritius           1
Moldova             1
New Zealand         1
Sudan               1
Uruguay             1
Yemen               1
TOTAL               6572

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.



Data Privacy in Hong Kong - the OctopusGate and Beyond

Charles Mok

The incident of Octopus selling customer personal information to third parties has aroused Hong Kong people's attention to their own privacy. The question worth raising would be: are those people who deal with personal data in public or private institutions, whether they are executives or rank-and-file workers, aware of what to do with these data? Do institutions and enterprises know how to deal with personal information in a legal or reasonable way? For the citizens, how can they enforce their right to know and protect themselves?

Privacy 101

First, when people talk about privacy, different people have different interpretations. But under Hong Kong law, the Personal Data (Privacy) Ordinance (PDPO) is applicable only to data that can be used "to effectively determine" the identity of any living person (the data subject) in Hong Kong, and to the control of the collection, holding, processing or use of such personal data. For example, my identity card number can be used to confirm my identity, and is covered under the Ordinance. Alternatively, if you get hold of the knowledge that I am an alcoholic (assuming I don't want my friends to know about it), even though I may regard this as a “privacy matter,” it would not be something protected by this Ordinance.

Data Protection Principles of the Ordinance

Summarizing the provisions on the handling of personal information by data users, there are six data protection principles (DPP) that basically summarize the responsibilities of the data users:

(DPP1) Purpose and manner of collection of information: requires lawful and fair collection of personal data, and that the data user inform the data subject, when collecting personal information, of the purpose for which the information provided will be used. (For example, are the Octopus terms and conditions in fine print reasonable, and are they made known to the customers?)

(DPP2) Accuracy of personal data and duration of retention: personal information must be kept accurate and up to date, and kept no longer than necessary.

(DPP3) Use of personal data: unless the data subject has given consent, personal data should only be used for the purposes stated during the collection of the information, or a directly related purpose. (For example, did Octopus customers give informed consent to let Octopus sell these data?)

(DPP4) Data security: the data user is required to take appropriate security measures to protect personal data. (For example, have institutions found to have leaked personal data of their subjects, such as the Hospital Authority, Fire Department, Police Department and several banks, taken appropriate measures to ensure data security?)

(DPP5) Information to be generally available: the data user should state clearly the categories of personal data held and the main use made of the personal data. (For example, Octopus initially did not disclose what information was sold, to whom and for what purposes.)

(DPP6) Access to personal data: data subjects hold the right to access and correct their personal data kept by the data user. (For example, there were reported cases where MTR and Octopus were unable to provide transaction data to customers when the customers made enquiries. Are such incidents violations of this principle?)

Is Corporate Social Responsibility that hard?

These six data protection principles are in fact not difficult to understand. When I worked with an Internet service provider more than 10 years ago, as our company needed to collect customers' personal data, I did a little self-study, and that was sufficient for me to understand how to follow the law. As service providers, we have to care about users' rights and their privacy as if they were our own. That is the most basic corporate social responsibility, I believe. Unfortunately, the Octopus case may be only the tip of the iceberg. There are many other institutions and enterprises doing similar things.

What has gone wrong?

We already have legislative protection for personal data, and there are processes ongoing to review and improve the laws. However, when the PDPO went through its long-overdue public consultation at the end of last year, were people aware? Did the government sufficiently promote the importance of that consultation? There were numerous proposals by the former Privacy Commissioner, Mr Roderick Woo, that were brushed aside by our Government. Subsequently, the Government even appointed a new Commissioner who had a record of privacy infringement when he headed Hong Kong Post in a previous job. In the end, we need more than a law to protect us. We need the right attitude toward privacy protection – from Government, institutions, enterprises, media and citizens. Without such a mindset, we would not take the proper steps toward risk management, or respond to the responsibilities and public expectations on properly handling personal data. If we do not act now, it may be too late.

Charles Mok ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.


Topical Issues with Hong Kong Privacy Law

Ian Christofis CISSP

This article looks at some privacy law issues currently causing debate in Hong Kong:

● Trans-border flows of personal data
● Notification of breaches of privacy
● The EU Cookie Directive

I will briefly provide some background before talking about those issues specifically.

Privacy vs Security

As Information Security professionals, we should take a strong interest in Privacy. It is a key issue that we are often involved with. However, the terms “Privacy” and “Security” are often confused in the minds of the public and professionals. Privacy and Security are overlapping concepts. The area of overlap is securing personal data from unauthorised viewing (data confidentiality) or unauthorised change (integrity), but both Privacy and Security also cover other separate, non-overlapping areas.

Privacy is more than just Information Security: Privacy also covers other non-security issues such as:

● what data to collect from people (consumers, customers, employees, patients, etc)
● the rights of the subject to know what data is held about them and to correct it if it is wrong
● the requirement to keep personal data accurate
● restricting the use of personal data to the purpose for which it was collected
● when personal data should be destroyed

Information Security is more than just Privacy: “Privacy” is more correctly called “Personal Data Privacy” and only concerns itself with personal data. Information security for other data, such as sensitive corporate financial data, is not a Privacy concern. Also, for both personal and non-personal data, Information Security areas such as availability and non-repudiation are also mostly separate to Privacy concerns.

Figure 1 - Intersection between Privacy and Security: Information Security for Personal Data and Information Security for other data each cover Data Confidentiality (Access Control), Integrity (Access Control), Availability and Non-repudiation; only the confidentiality and integrity of personal data overlap with Privacy.

Importance of Privacy

Recent press in Hong Kong on the privacy issues surrounding the sale of personal data by one of the Octopus companies is a useful reminder that Privacy is a critical issue that needs to be taken seriously by all organisations. However, Privacy is a complex issue because people often give away personal information very easily, and there are many grey areas in regard to what is considered personal information. For example, are IP addresses or location data personal information? A fundamental privacy issue is the ability of organisations or individuals to collate information about the subject. The ability to collate data is the important issue, rather than any specific type of data. The criticality of data like IP addresses depends on how much the IP address can be used as an index to collate data about a person.

Privacy issues have become more complex in the electronic information age as it is easier to collect, store, aggregate and process personal data. For example, the list of merchants, dates and amounts on your credit card statement tells a lot about your lifestyle. Your mobile phone is tracking your movements 24 hours/day – with or without a GPS function. Your browsing history is mostly on the record at your ISP. A key issue is that the subject should have control of how their personal data is used. As evidenced by Facebook and controversies around changes to its default Privacy settings, people will give away a lot of personal information provided they feel in control of it, but they react strongly when they feel they have lost control or that their wishes have been ignored. Privacy is not about secrecy, it is about respect for people. If an organisation breaches people’s trust, they will avoid using its services or actively provide misinformation. Businesses that show this respect by treating Privacy seriously will benefit from increased customer satisfaction and loyalty.

Figure 2 - Privacy Actors: Data Subject (consumer, client, patient, employee, etc); Data User (Government, bank, hospital, doctor, lab, shop, online merchant, etc); Data Processor (outsourced provider, Cloud service, etc; the Data User is responsible).

Review of the Privacy Ordinance and powers of the Commissioner

Hong Kong has a robust Privacy regime, including the “Personal Data (Privacy) Ordinance” (PDPO) [1] and a “Privacy Commissioner for Personal Data” (PCPD) [2]. This approach derives from the OECD [3] Privacy Principles developed in the 1970s and 1980s. It is similar to the Privacy regime in about 50 other jurisdictions globally [4], mainly European and Asia-Pacific countries. Notably, the USA and China do not have Privacy law following this model, but they do have some law relating to Privacy.

The HKSAR Government conducted a review [5] of the Ordinance (PDPO) late last year (2009), including public consultation. This was initiated by the former Privacy Commissioner, Roderick Woo, after a few years of review work by his office. The aim was “to see the Ordinance brought up to date so that it provides stronger protection to the Hong Kong people in the new electronic era.” [6] Similar reviews of privacy law have recently been conducted in other jurisdictions. This review was timely and a good thing, in my view. It is important to continue to update privacy regulation because the situation continues to evolve, most notably in that information is increasingly IT-focussed rather than on paper, and there continue to be significant changes to our environment, such as the rise of social networking sites and highly capable smartphones sending out our GPS location.

Regulation of trans-border flows of personal data

However, a key area that was not included in the review was regulation of trans-border flows of personal data. Like similar legislation in other jurisdictions, the Ordinance (PDPO) contains a section on trans-border data flows – Section 33, “Prohibition against transfer of personal data to place outside Hong Kong except in specified circumstances”. However, Section 33 is the only Section of the Ordinance that has never been enacted. In essence, Section 33 aims to ensure that personal data collected in Hong Kong is not transferred to any other jurisdiction unless it has protection in that jurisdiction equivalent to the Privacy protections under Hong Kong law. The protection could come either from the Privacy law of the destination jurisdiction, or from the Data User in Hong Kong making sure that the off-shore Data Processor is protecting the personal data sufficiently (which may not be possible if this conflicts with law in the destination jurisdiction). Not having Section 33 enacted has the following negative implications:

● Hong Kong residents are not as well protected as they could be if their personal data is sent to a Data Processor outside Hong Kong. Without Section 33, personal data collected in Hong Kong could be processed and stored in any country regardless of how poor the Privacy protections of that country are.
● Organisations in jurisdictions which have similar Privacy law (e.g. the European Union) cannot outsource data processing of personal data to Hong Kong, or use Cloud services based in Hong Kong. Because Section 33 is not enacted, Hong Kong would not qualify as an acceptable destination under Privacy law in those other jurisdictions. This may have a negative impact on the Information Technology industry in Hong Kong.

However, enacting Section 33 would potentially impinge on the current practices of some large Hong Kong businesses that use Data Processors in mainland China, for example. It is possible that lobbying from vested interests has resulted in the lack of enactment of Section 33 to date.

Another argument against enacting Section 33 is that, in practice, the European Union (EU) has not accepted most jurisdictions as acceptable destinations for personal data from Europe, even where they have similar Privacy legislation. The issue has been that the EU considers “reasonable grounds” wording to be insufficient, such as the following wording in Section 33 of the Hong Kong Ordinance, and similar wording in the Privacy laws of other jurisdictions: “the user has reasonable grounds for believing that there is in force in that place any law which is substantially similar to, or serves the same purposes as, this Ordinance”. One approach that appears to be working better is the “Safe Harbor” [7] arrangements between the USA and the EU (and Switzerland), administered by the USA Department of Commerce. This allows US companies to opt in to being certified as a “safe harbor” for EU personal data.

I think the Hong Kong Government should resolve the issue of uncertainty around trans-border data flows. Hong Kong people deserve strong Privacy protection. It is misleading to have Section 33 in the Ordinance but not enacted. Either Section 33 should be enacted or it should be replaced by something else. The “Safe Harbor” approach may be a useful alternative for Hong Kong to consider.

The Government tried hard to avoid debating this issue during the review. When pressed on this, the reasons given by Arthur Ho, Constitutional & Mainland Affairs Bureau, at a forum on 14 October 2009 were that this was left out of the review because no change to the law is required to enact Section 33, that the Government was in discussion with the PCPD office on this issue, that it was mainly a matter of timing (e.g. of establishing the white list of acceptable jurisdictions), and that the Government was unsure if business is ready. To my mind these are unsatisfactory reasons. The Ordinance has been in force since 1996, so there have already been around 14 years to sort this out. The opposition to enacting Section 33 seems hidden. If the Government is not comfortable enacting Section 33, there should be open debate about the pros and cons of Section 33 and the alternatives.

Privacy Breach Notification

One of the areas covered in the review was data breach notification, and the question of whether notification should be voluntary or mandatory. Here is the summary from the review consultation document, which also contains a much more detailed discussion of the issue:

“Proposal No. 3: Personal Data Security Breach Notification [8]

Following the spate of personal data leakage incidents, questions have been raised on whether a personal data security breach notification (“privacy breach notification”) system should be instituted to require data users to notify the PCPD and affected individuals when a breach of data security leads to the leakage or loss of personal data so as to mitigate the potential damage to affected individuals. A mandatory notification requirement could impose undue burden on business operations. Bearing in mind that a number of overseas jurisdictions adopt voluntary guidelines on privacy breach notifications, we consider it more prudent to start with a voluntary breach notification system so that we can assess the impact of breach notifications more precisely, and fine-tune the notification requirements to make them reasonable and practicable, without causing onerous burden on the community. For this purpose, the PCPD can issue guidelines on voluntary privacy breach notifications.”

As seen from the above, the Government took the view that a voluntary notification scheme was preferable to a mandatory notification scheme, at least initially.

As security professionals, one of the difficulties we face is lack of clear objective evidence on which security controls are working effectively and which ones are having little effect. Most of our justifications are based on anecdotal evidence and fairly subjective risk assessment. Adam Shostack and Andrew Stewart, in their book “The New School of Information Security”, [9] argue that money spent on security controls may be substantially misdirected and that we may well be better putting more money and effort into other controls, but we don’t know because we lack clear evidence. Data breach notifications are one of the few areas where more objective evidence is becoming available, and this is mainly coming from jurisdictions with mandatory notification requirements. Adam Shostack adds a thoughtful further comment, in a recent blog post, [10] that fines make organisations more inclined to hide breaches, to avoid the fine, and are thus counterproductive. Breach notification already costs companies money, so fines are unnecessary.

It is my view that voluntary notification would be ineffective as a deterrent, and would also rob us of evidence that is very much needed.

EU Cookie Directive

As you are probably aware, the lack of session state in HTTP [11] led to the development of browser cookies as a way to maintain session state and context. However, cookies have become widely abused as spyware to track user browsing history across different domains, using 3rd party cookies. [12] This is a significant Privacy issue. An amendment to European Union Privacy law known as the “EU Cookie Directive” [13] was passed in October 2009 and must be operative in all EU states by April 2011. It requires the opt-in consent of internet users before cookies can be placed on their computers. Previously only an ability to opt out was required. Whilst there has been some debate about whether the users’ browser settings in regard to cookies can be deemed sufficient “consent”, it seems that explicit prior consent from the user (e.g. a “Can I track you” dialogue) [14] will be required regardless of the browser settings.

This has potentially very significant implications for the online advertising industry, which currently uses cookies for advertisement targeting and audience segmentation. The advertising industry is using the argument that it will limit user experience to try to rally opposition, but this is a feeble argument. Given the borderless nature of the Internet, it will be interesting to see how much this affects websites globally. The law could be interpreted to cover websites hosted outside the EU that are accessed by EU Internet users. [15] There is still some uncertainty in this area. Information Security professionals need to be aware of these changes and keep up to date with the implications. I also think we should call on the Hong Kong Government to consider introducing similar requirements to the EU Cookie Directive, to protect Hong Kong internet users.

Conclusion

The Government has a role to regulate when market forces will not adequately protect the interests of consumers and minority groups, and in other cases where there is a significant imbalance of power. Market forces cannot be relied on to protect consumers in relation to privacy and anticompetitive behaviour, so the Government has a significant role in these areas.

Ian Christofis ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

References

[1] Summarised at http://www.pcpd.org.hk/english/ordinance/ordglance.html and available in full at http://www.pcpd.org.hk/english/ordinance/ordfull.html
[2] Website of the Office of the Commissioner is http://www.pcpd.org.hk/
[3] Organisation for Economic Co-operation and Development.
[4] See http://www.informationshield.com/intprivacylaws.html
[5] See http://www.pcpd.org.hk/english/review_ordinance/reviewordinance.html (accessed 9/9/2010).
[6] Roderick Woo as quoted at http://www.pcpd.org.hk/english/infocentre/press_20090828.html (accessed 9/9/2010).
[7] See http://www.export.gov/safeharbor/ or http://en.wikipedia.org/wiki/Safe_Harbor_Principles.
[8] From “Consultation Document on Review of the Personal Data (Privacy) Ordinance”, August 2009, http://www.cmab.gov.hk/doc/issues/PDPO_Consultation_Document_en.pdf (accessed 9/9/2010).
[9] See http://newschoolsecurity.com/about-the-book/. I recommend this book as it provides a very different and valuable perspective on Information Security.
[10] See http://newschoolsecurity.com/2010/09/databreach-fines-will-prolong-the-rot/
[11] Hyper Text Transfer Protocol
[12] See http://en.wikipedia.org/wiki/HTTP_cookie for further explanation.
[13] See http://register.consilium.europa.eu/pdf/en/09/st03/st03674.en09.pdf for the formal document. For a good introduction see “Consent will be required for cookies in Europe”, Pinsent Masons, http://www.out-law.com/page10510 (accessed 9/9/2010), and “Changes to cookie laws”, Pinsent Masons, http://www.out-law.com/page-10021 (accessed 9/9/2010).
[14] See http://www.research-live.com/news/government/ico-urges-easy-opt-out-of-online-tracking-but-eu-demandsopt-in/4003097.article (accessed 9/9/2010).
[15] See “New EU telecoms framework mandates user consent before getting cookies”, http://www.betanews.com/article/New-EU-telecoms-framework-mandates-userconsent-before-getting-cookies/1257963565 (accessed


DNSSEC: Applications, Operation and Development
Mr Warren Kwok (郭榮興), CISSP, Program Committee

On 15 July 2010, the root zone, the topmost level of the Internet's Domain Name System, was digitally signed, allowing the whole Internet domain-name infrastructure to implement the Domain Name System Security Extensions (DNSSEC). From now on, Internet applications of every kind can use the digital signatures provided by each level of zones to tell whether a website is genuine. This is a historic development for the Internet and an important achievement in computer security. For this issue of PISA Journal, the chief editor interviewed senior member Mr Warren Kwok on the applications, operation and development of DNSSEC.

Editor: What does DNSSEC do?

Kwok: DNSSEC adds authentication signatures to domain names. When a browser reaches a website, it can use the signatures provided by each level of name servers to know whether the website being visited is genuine, preventing users from reaching counterfeit websites.

Editor: Which domain names do you think need to use DNSSEC?

Kwok: In fact every domain name can benefit from the security protection of DNSSEC. If a website involves finance, trading, personal data, medical records or any high-risk online activity, then its domain name needs DNSSEC signing all the more.

Editor: Why is deploying DNSSEC in the root zone so important?

Kwok: The trust mechanism in DNSSEC starts at the root zone and verifies signatures level by level from the top down. If the root zone did not join DNSSEC, the signatures of the other top-level zones (such as “.com”, “.org” and “.uk”) could not be validated. On the other hand, resolvers must also store the root zone public key before they can verify whether the signatures of the zones below the root can be trusted.

Editor: How many countries or top-level domains have enabled DNSSEC so far?

Kwok: To date, nine country-code domains have enabled DNSSEC: Bulgaria (“.bg”), Brazil (“.br”), the Czech Republic (“.cz”), Denmark (“.dk”), Sri Lanka (“.lk”), Namibia (“.na”), Turkmenistan (“.tm”), the United Kingdom (“.uk”) and the United States (“.us”). Among the generic top-level domains there are five: “.biz”, “.museum”, “.org”, “.edu” and “.cat”. Many countries are in fact working hard to roll out DNSSEC as quickly as possible, with the aim of protecting the domain-name infrastructure and raising network security. By the end of this year, more than 50 countries or top-level domains are expected to have implemented DNSSEC.

Editor: How is trust established in DNSSEC? Is there a chain of trust like that of digital certificates?

Kwok: Trust in DNSSEC starts at the root zone, is passed down to the top-level domains (TLDs) and then extends further. But DNSSEC has no certification authority of any kind.

Editor: What is the current state of DNSSEC development and use in Hong Kong?

Kwok: In the application of DNSSEC, Hong Kong lags far behind other countries. The Hong Kong Internet Registration Company (香港互聯網註冊管理有限公司) has not yet announced a timetable for deploying DNSSEC for the .hk domain. It plans to set up a test platform in mid-2011 to evaluate the performance of DNSSEC and to study an implementation plan further. A conservative estimate is that Hong Kong can expect to use DNSSEC on .hk domain names in the first quarter of 2013.

Editor: Among the countries that have implemented DNSSEC, which have outstanding achievements?

Kwok: The Czech Republic (“.cz”) has 700,000 registered “.cz” domain names, of which more than 100,000 already use DNSSEC. In other words, one seventh of that country's websites are hard to impersonate; from an information security perspective this is a very rare achievement.

Figure 1: DNSSEC blocks access to a counterfeit website

Editor: What is the biggest obstacle to deploying DNSSEC at present?

Kwok: The biggest obstacle at present is that most applications, such as browsers and e-mail software, cannot yet support DNSSEC. The browser is the first problem to solve. Once browsers support DNSSEC, if a user connects to a counterfeit website the browser will learn of the fraud from the information received from the resolver; the browser address bar will raise an alarm telling the user that the website is suspicious and stop the user from entering it, as shown in Figure 1. Conversely, if the browser learns from the resolver that the signatures at every level have been checked and are correct, the address bar will show an appropriate indicator so that the user can enter the website with confidence, as shown in Figure 2.

Figure 2: DNSSEC verifies for the browser that a website is not counterfeit


Editor: DNSSEC needs more processing power and larger packets. Will degraded server performance and network congestion become an obstacle to implementing DNSSEC?

Kwok: Although DNSSEC needs more processing power and bandwidth, compared with other existing Internet applications such as video and VoIP it is negligible.

Editor: Browsers do not support DNSSEC at present. Doesn't that make DNSSEC a wasted effort?

Kwok: No. As long as Internet service providers adopt DNSSEC-validating resolvers, users can still be protected effectively. For example, suppose online-bank.com is an online bank whose domain name has been signed with DNSSEC. If the resolver finds that the data for that domain has been forged, it will refuse to pass the data to the customer's browser, so the customer cannot enter the fake website. Although blocking at the resolver is a good line of defence, in the long run browser support for DNSSEC is the most beneficial, since it lets the user know whether a website is genuine.

Editor: Does DNSSEC have any security weaknesses?

Kwok: Yes. The root zone public key is pre-stored inside the resolver. If a hacker alters that public key, the whole trust mechanism is broken and no domain name can be resolved. We need not worry too much about this problem: Internet service providers usually assign two or more resolvers to users, so if one resolver is compromised, the other takes over immediately.

Editor: Could hackers destroy the DNSSEC structure of the root zone and paralyse the whole Internet?

Kwok: In theory, once DNSSEC is implemented, the survival of the whole Internet depends on the root zone's signatures; if hackers succeeded in compromising the root zone's secret private key, Internet services would all come to a halt. But we need not worry, because the root zone's private key is not stored on any server on the Internet. It is held in separate parts by more than ten highly respected Internet elders, so hackers anywhere in the world have no way to attack it. There are 14 Crypto Officers and 7 Recovery Key Holders in all.

Editor: How do you expect DNSSEC to develop in future?

Kwok: After 18 years of refinement, DNSSEC technology today is very mature, stable and reliable. Many governments, banks, financial institutions, technology companies and universities will adopt DNSSEC one after another. The next big day for DNSSEC will be March 2011, when the US company Verisign adds the “.com” top-level domain to the DNSSEC ranks. There are now more than 80 million “.com” domain names worldwide, and many companies owning “.com” domain names are already prepared to use DNSSEC to protect their domain names, websites and reputation. The whole Internet will then take on a new look, which is encouraging.

Editorial Board ■

Editor's postscript: The interview took twenty minutes, and the chief editor learned a great deal about the application of DNSSEC and network security. Members with further questions or comments on DNSSEC may contact Mr Kwok directly.

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA
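The chain of trust Mr Kwok describes (trust anchored at the root key stored in the resolver, each parent vouching for its child through a DS record, no certification authority involved) and the weakness he names (a tampered root key in the resolver breaks validation of every name) can be seen in a small simulation. The Python below is an added example written for this page, not code from the interview or from any DNS software; it uses a toy RSA with small known primes purely to illustrate asymmetric signing and verification, and the zone names, records and addresses are constructed.

```python
import hashlib

# ---- toy RSA (tiny primes, NOT secure) used only to show asymmetric sign/verify ----
def toy_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)); p and q are small known primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def _h(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_h(data, n), d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _h(data, n)

def ds_of(child_name: str, child_pub) -> str:
    """DS record: a hash of the child's DNSKEY, published and signed by the parent zone."""
    return hashlib.sha256(f"{child_name} {child_pub[0]} {child_pub[1]}".encode()).hexdigest()

class Zone:
    """A signed zone: its own DNSKEY, signed records, and signed DS records for its children."""
    def __init__(self, name, p, q):
        self.name = name
        self.pub, self._priv = toy_keypair(p, q)
        self.records, self.rrsigs = {}, {}   # owner -> value, owner -> RRSIG
        self.ds, self.ds_sigs = {}, {}       # child -> DS hash, child -> RRSIG over the DS

    def add_record(self, owner, value):
        self.records[owner] = value
        self.rrsigs[owner] = sign(self._priv, f"{owner} A {value}".encode())

    def delegate(self, child):
        d = ds_of(child.name, child.pub)
        self.ds[child.name] = d
        self.ds_sigs[child.name] = sign(self._priv, f"{child.name} DS {d}".encode())

class ValidatingResolver:
    """Holds only the root public key (the trust anchor); there is no certification authority."""
    def __init__(self, root_anchor):
        self.anchor = root_anchor

    def validate(self, chain, owner):
        """chain: zones from the root down to the one holding `owner`. Returns (ok, value or reason)."""
        root = chain[0]
        if root.pub != self.anchor:
            return False, "root DNSKEY does not match the configured trust anchor"
        parent = root
        for child in chain[1:]:
            d = parent.ds.get(child.name)
            if d is None or not verify(parent.pub, f"{child.name} DS {d}".encode(), parent.ds_sigs[child.name]):
                return False, f"no validly signed DS for {child.name} in {parent.name}"
            if d != ds_of(child.name, child.pub):
                return False, f"DNSKEY of {child.name} does not match the DS in {parent.name}"
            parent = child
        value = parent.records.get(owner)
        if value is None or not verify(parent.pub, f"{owner} A {value}".encode(), parent.rrsigs.get(owner, 0)):
            return False, f"RRSIG over {owner} failed: the answer is bogus"
        return True, value

def build_chain():
    """Constructed zones: root -> com -> online-bank.com (the bank from the interview's example)."""
    root = Zone(".", 104729, 1299709)
    com = Zone("com.", 999983, 1000003)
    bank = Zone("online-bank.com.", 15485863, 32452843)
    bank.add_record("www.online-bank.com.", "203.0.113.10")   # constructed documentation address
    com.delegate(bank)
    root.delegate(com)
    return root, com, bank

def run_scenarios():
    """A genuine answer validates; a forged answer and a tampered resolver anchor both fail."""
    root, com, bank = build_chain()
    resolver = ValidatingResolver(root_anchor=root.pub)
    genuine = resolver.validate([root, com, bank], "www.online-bank.com.")

    # Cache-poisoning style forgery: the A record is replaced but cannot be re-signed.
    bank.records["www.online-bank.com."] = "198.51.100.66"
    forged = resolver.validate([root, com, bank], "www.online-bank.com.")

    # The weakness Mr Kwok names: the resolver's stored root key is altered, so nothing validates.
    root2, com2, bank2 = build_chain()
    tampered = ValidatingResolver(root_anchor=(root2.pub[0] + 2, root2.pub[1]))
    bad_anchor = tampered.validate([root2, com2, bank2], "www.online-bank.com.")
    return {"genuine": genuine, "forged": forged[0], "bad_anchor": bad_anchor[0]}

if __name__ == "__main__":
    print(run_scenarios())
```

The resolver never contacts a third party: every step is either a hash comparison against the parent's signed DS or a signature check with a key it has already validated, which is why the single pre-installed root key is both the strength and the single point of failure the interview discusses.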


DDoS impact on DNSSEC deployment
George Chung, CISSP CISM CISA, Program Committee

After the discovery of the Kaminsky DNS vulnerability, people became more aware of DNS problems. Although source port randomisation and transaction ID randomisation make DNS cache poisoning harder, it is still possible for hackers to do so. Most people believe the ultimate solution is DNSSEC, which has been under design for more than 15 years. Recent developments in DNSSEC are that the root zone was signed and that VeriSign has announced it will complete DNSSEC implementation on .net and .com by the first quarter of 2011. Deployment of DNSSEC seems unavoidable. DNSSEC no doubt solves the cache poisoning problem. However, due to a design flaw, it brings about other problems, of which I will discuss the DDoS problem in this article.

One of the serious problems caused by DNSSEC is that it makes DDoS attacks a lot easier. DDoS is a serious problem nowadays. It is usually caused by sending a lot of network traffic from a herd of computers, usually zombies controlled by botnet operators, to a single server or a single network. The consequence is that the victim server or network is no longer able to provide service. There are several types of DDoS attack. The most difficult to handle is the bandwidth consumption DDoS attack, which consumes all the bandwidth of the victim so that legitimate traffic cannot reach the service. To make such an attack successful, a botnet operator usually needs a lot of zombies so that the aggregated traffic is high enough to saturate the victim's bandwidth; to launch such an attack, the attacker has to put time and effort into building a botnet. With DNSSEC, there is no need to build a botnet to launch a bandwidth consumption DDoS attack. A single computer is enough to jam a victim's server. Several computers may consume all the bandwidth of an ISP.

Figure 1 shows the bandwidth consumption attack. An attacker sends DNS requests with a forged source IP address to a DNS server. The forged IP address is the IP address of the victim. Since a DNS request is usually a UDP packet, forging the source IP address is very easy and it is very difficult to trace the source of the hacker. When a DNS server replies, the packet is sent to the victim. If the attacker does the same with a lot of DNS servers at the same time and the DNS reply amplification ratio is high, the victim receives very high traffic from the DNS servers and the traffic jams the victim's network. In the following, I will show how DNSSEC makes DDoS much easier by comparing DNSSEC traffic and non-DNSSEC traffic.

Figure 1

Non-DNSSEC query

Figure 2a shows a normal DNS query without DNSSEC for the host “www.isc.org” using the DNS client “dig”.

Figure 2a

The query and reply packets were captured by Wireshark. The size of the DNS request IP packet is 57 bytes (see Figure 2b) and the size of the DNS reply packet is 73 bytes (see Figure 2c). The DNS reply amplification ratio is 73/57 = 1.28. Although a carefully selected DNS request could result in a much bigger DNS reply, in this article I assume hackers select random hostnames when submitting DNS queries: it is easier to implement and the DNS server can be randomly selected. Since the traffic amplification ratio is just 1.28, this type of DNS traffic is not good enough for hackers to launch the attack.

Figure 2b: DNS request without DNSSEC

Figure 2c: DNS reply without DNSSEC


DNSSEC query

Figure 3 shows a normal DNSSEC DNS request. By inspecting the packets captured by Wireshark, the size of the IP packet for a DNSSEC DNS request is 68 bytes, close to that of a non-DNSSEC DNS request. However, the size of the IP packet of the DNS reply is 418 bytes, which is significantly larger than the non-DNSSEC packet. The DNS reply amplification ratio is 418/68 = 6.15; the DNSSEC DNS reply packet is about 5 times larger. This amplification ratio is quite good for a bandwidth consumption attack.

Figure 3

DNSSEC query of a non-existing record

Figure 4 shows a DNS query whose reply says that the requested record does not exist. The size of the DNS request IP packet is 63 bytes and the size of the DNS response is 117 bytes. The DNS reply amplification ratio is 117/63 = 1.86. The amplification ratio is low, not good enough for the attack.

Figure 4


DNSSEC query of a non-existing record using NSEC

For non-existence replies in DNSSEC, there are two flavours. One is NSEC. Figure 5 shows the DNS response with an NSEC record. The size of the DNS request IP packet is 74 bytes and the size of the DNS response is 1215 bytes. The DNS reply amplification ratio is 1215/74 = 16.42. It is already large enough to be used as a DDoS weapon.

DNSSEC query of a non-existing record using NSEC3

DNSSEC comes with another flavour of non-existence response, the NSEC3 record. With NSEC, hackers can do zone enumeration: all DNS records can be revealed very quickly, which causes a privacy issue. NSEC3 uses hashing to protect against zone enumeration and almost solves the privacy issue (a dictionary attack can still be used against NSEC3 records). However, the DNS response usually becomes bigger. Figure 6 shows a DNSSEC response with an NSEC3 record. The size of the DNS request IP packet is 77 bytes and the size of the DNS response is 2785 bytes. The DNS reply amplification ratio is 2785/77 = 36.17, much larger than with the NSEC record. Obviously, it is the best choice of hackers to be the weapon used in a DDoS attack.

Figure 5

Hacker's formula

By comparing all these DNS records, hackers will choose authoritative DNS servers with NSEC3 support as the packet amplifying servers in a DDoS attack. From the above example, the largest amplification factor is 36. In Hong Kong, 100Mbps home broadband connections are becoming popular. Some broadband vendors guarantee 80Mbps local bandwidth and 20Mbps international bandwidth. A local hacker with a 100Mbps broadband connection can generate 80Mbps of query traffic and thus 2.88Gbps (80Mbps x 36) of reply traffic towards a local victim, which can make a medium-sized local ISP stop functioning. To attack an international server, 720Mbps (20Mbps x 36) of traffic could be generated, and a single server or single network could easily be taken down. If the hacker controls a small botnet with 10 zombies, the traffic generated could be huge enough to take down any network.
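The reply-to-request ratios above follow directly from the packet sizes the article measured, and the same ratio is the signal a DNS operator can watch for to notice that its own server is being used as a reflector: one “client” address attracting a flood of large denial-of-existence replies that it never really asked for. The Python below is an added example written for this page, not the author's code or a tool from any DNS package; the flow records it scores are constructed, with addresses from documentation ranges, and the window and thresholds are assumptions to tune locally.

```python
from collections import defaultdict

# IP packet sizes (request bytes, reply bytes) measured in the article's Wireshark captures.
MEASURED = {
    "plain query":         (57, 73),
    "DNSSEC query":        (68, 418),
    "non-existent record": (63, 117),
    "DNSSEC NSEC denial":  (74, 1215),
    "DNSSEC NSEC3 denial": (77, 2785),
}

def amplification(request_bytes: int, reply_bytes: int) -> float:
    """Reply/request byte ratio: how much a reflecting server multiplies the sender's traffic."""
    return round(reply_bytes / request_bytes, 2)

def amplification_table() -> dict:
    return {name: amplification(*sizes) for name, sizes in MEASURED.items()}

def constructed_flows():
    """Constructed flow records as seen at one authoritative server:
    (seconds, direction, peer_ip, bytes); "in" = query from peer_ip, "out" = reply to peer_ip."""
    flows = []
    for i in range(2000):               # NSEC3-denial queries whose source is forged as the victim
        flows.append((i // 40, "in", "203.0.113.5", 77))
        flows.append((i // 40, "out", "203.0.113.5", 2785))
    for i in range(8):                  # ordinary clients: one normal signed query each
        flows.append((i * 6, "in", f"198.51.100.{10 + i}", 68))
        flows.append((i * 6, "out", f"198.51.100.{10 + i}", 418))
    return flows

def detect_reflection(flows, window_s=60, min_out_bytes=1_000_000, min_ratio=10.0):
    """Flag peers that, within one window, drew far more reply bytes than they sent in queries.
    A real client never shows this volume; a spoofed source address (the victim) does."""
    per_peer = defaultdict(lambda: {"in": 0, "out": 0, "queries": 0})
    start = min(t for t, *_ in flows)
    for t, direction, peer, size in flows:
        if t - start >= window_s:
            continue                      # only the first window is scored in this example
        stats = per_peer[peer]
        stats[direction] += size
        if direction == "in":
            stats["queries"] += 1
    flagged = []
    for peer, s in per_peer.items():
        ratio = s["out"] / s["in"] if s["in"] else float("inf")
        if s["out"] >= min_out_bytes and ratio >= min_ratio:
            flagged.append({"peer": peer, "queries": s["queries"],
                            "out_bytes": s["out"], "ratio": round(ratio, 2)})
    return sorted(flagged, key=lambda f: -f["out_bytes"])

if __name__ == "__main__":
    for name, ratio in amplification_table().items():
        print(f"{name:22s} x{ratio}")
    for hit in detect_reflection(constructed_flows()):
        print("possible reflection victim:", hit)
```

A flagged peer is the spoofed victim, not the attacker, so the operational response is to rate-limit replies to that address and alert the victim's network, not to block the “client”.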


Mitigating the Risk

From the above example, I expect DDoS to become much more popular in the near future. DDoS tools built specifically for DNSSEC could be downloadable from the Internet very soon, and almost anyone could take down a network without in-depth knowledge. It is a huge risk for network infrastructure. What can we do to mitigate the risk?

For end users, the first thing is to prepare for the attack. Prepare a contact list for your ISP. Make sure your ISP can handle DDoS attacks and has a 24x7 anti-DDoS team on standby every day. Define an SLA for DDoS response with your ISP when signing the contract, and exercise the response plan with your ISP. The second thing is a DDoS monitoring tool. We need to know as early as possible when a DDoS attack occurs; the tool should notify network administrators by an out-of-band method such as SMS. After we receive a DDoS attack alert, the upstream ISP must be contacted to filter the DDoS traffic.

For ISPs, an anti-DDoS cooperation team should be built among ISPs. When an ISP is being attacked, the traffic usually flows in from its peer ISPs or upstream ISP, so an anti-DDoS cooperation team can help to respond quickly.

For the government, regulations should be enforced to prevent Hong Kong from becoming a DDoS attack centre. Since Hong Kong has a very good network infrastructure, it is a good target for hackers to use as a traffic amplification centre. ISPs and broadband providers should be required to implement source IP address verification for outgoing traffic, so that packets with forged source IP addresses are dropped. International operations could be organised to handle cross-border DDoS attacks. DNSSEC is good infrastructure, but we need to prepare for its side effects.
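The source IP address verification the author asks ISPs and broadband providers to implement (commonly known as BCP 38 ingress filtering) is a single rule: a packet leaving a customer port may only carry a source address from the prefixes assigned to that customer, so a query forged to come from a victim never leaves the access network. The Python below is an added example for this page, not the author's or any vendor's code; the customer prefixes and the packets are constructed from documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed: the prefixes the ISP has assigned to the customer port being filtered.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("2001:db8:100::/48")]

def source_is_valid(src: str, prefixes=CUSTOMER_PREFIXES) -> bool:
    """BCP 38 check: the source address must belong to a prefix assigned to this customer port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)

def egress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Forward packets with a legitimate source; drop the rest and count drops per claimed source,
    which is exactly the evidence an ISP's abuse team wants when a customer host is spoofing."""
    forwarded, dropped = [], Counter()
    for pkt in packets:
        if source_is_valid(pkt["src"], prefixes):
            forwarded.append(pkt)
        else:
            dropped[pkt["src"]] += 1
    return forwarded, dropped

# Constructed packets arriving from the customer port: a few normal DNS lookups, plus queries
# whose source is forged as 203.0.113.5 (a victim elsewhere) so that large replies would hit it.
CONSTRUCTED_PACKETS = (
    [{"src": "198.51.100.20", "dst": "192.0.2.53", "dport": 53, "bytes": 68}] * 3
    + [{"src": "2001:db8:100::20", "dst": "2001:db8:2::53", "dport": 53, "bytes": 88}]
    + [{"src": "203.0.113.5", "dst": "192.0.2.53", "dport": 53, "bytes": 77}] * 50
    + [{"src": "203.0.113.5", "dst": "192.0.2.54", "dport": 53, "bytes": 77}] * 50
)

def summary(packets=CONSTRUCTED_PACKETS):
    forwarded, dropped = egress_filter(packets)
    return {"forwarded": len(forwarded),
            "dropped": sum(dropped.values()),
            "spoofed_sources": dict(dropped)}

if __name__ == "__main__":
    print(summary())
```

On real equipment this is the job of an access list or unicast reverse-path forwarding on the customer-facing interface; the logic shown is what that feature enforces, with the drop counter standing in for the interface's drop statistics.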

George Chung ■

Figure 6

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA


Increasing Availability with CACTI
Wallace Wong, Program Committee

There will inevitably be times when you need to demonstrate the availability, rather than the security, of your networks and systems to non-technical audiences. In addition, you may also need to justify expenses or support the budget in a proposal. Thus, a tool that turns the bits and bytes into graphs can help to achieve these objectives.

Origin of CACTI

Traditionally, the Multi Router Traffic Grapher (MRTG) is open source software for monitoring traffic loads on a network over time in graphical form. It has also been used by many web hosting providers to display bandwidth statistics for their customers. Since the original author of MRTG, Tobi Oetiker, wrote RRDTool (round-robin database tool) as a replacement for MRTG and licensed it as free software under the terms of the GNU General Public License (GPL), a group of developers created another open source web-based tool designed as a front-end to RRDTool's data storage with graphing functionality, called “CACTI”.

CACTI polls services at predetermined intervals and graphs the resulting data (e.g. CPU and network utilisation). Its principles of operation can be divided into three tasks, following the CACTI Manual [1] and JoeCen's blog [2]:

Data Retrieval: It uses the operating system's scheduler (crontab on Unix) to run the Poller, which retrieves data from remote targets/hosts through the Simple Network Management Protocol (SNMP) using Net-SNMP.

Data Storage: It uses RRDTool to store and display time-series data and to consolidate raw data into summary data to save space.

Data Presentation: It also uses RRDTool to graph one or many items in one graph, or to stack items onto another, with auto-scaling, with the help of the MySQL database.

Workflow of CACTI

Its front-end is written in PHP, which lets users view the statistics and lets the administrator configure monitoring without any manual configuration of RRDTool. Its back-end can be the PHP script “cmd.php”, suitable for a single network, or the C-based poller “spine” for large-scale deployment. The workflow of CACTI [3] can be summarised as follows:


1. Net-SNMP collects the data periodically.
2. The data are stored in RRDTool for logging and graphing.
3. When a user wants to check the bandwidth of a managed device, he logs into the CACTI website and selects it.
4. The CACTI system connects to the MySQL database to find the filenames with extension RRA for that device.
5. The CACTI system requests RRDTool to draw the graphs.
6. The requested graphs are displayed on the website to the user.

A managed device is added to CACTI by entering a hostname as a Fully Qualified Domain Name (FQDN) or an IP address, with Ping and/or SNMP selected as the availability check. Moreover, a pre-defined “Host Template” (such as “Cisco Router”) or an add-on template (such as “X MySQL Server HT”) can be used to add all the related counters for monitoring, as shown on the right-hand side. After the required host template (such as “Local Linux Machine”) has been added, the required “Graph Template” and “Data Query” (such as “SNMP – Interface Statistics”) must be ticked in order to create the graphs in RRDTool. For example, one network interface (eth0) has already been added for graphing, while another network interface (lo) can be ticked now to create it for logging and graphing.


Once the monitoring has been started, the bandwidth utilization of this network interface can be viewed in a page with details from hourly, daily, weekly, monthly, yearly or whatever you want by zooming into a region over the graph or entering the exact start and end timestamps to view the specified data at once. Moreover, you can also export the figures for that graph to CSV for further processing if required.

For all managed devices and counters, the graphs can be displayed in thumbnail view with pre-defined refresh intervals with layout as follows:


Alternatively, you can select a managed device in a tree view to display all its counters in a page.

On the other hand, thresholds can also be created, with alerts, on each monitored counter so that corrective action can be taken before performance degrades or a disaster scenario develops. For example, this device will slow down or malfunction if real memory usage stays at 100 percent for a long time. Thus a high threshold of 90, breached for over 1 hour, must be raised to the administrator with alerts every 5 minutes, as follows:
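The threshold rule just described (alert once a counter has stayed above 90 for more than an hour, then repeat the alert every 5 minutes while it remains high, and reset as soon as it recovers) is a small state machine over the 5-minute samples the poller collects. The Python below is an added example written for this page, not CACTI's own threshold plugin; the memory series is constructed in the “timestamp,value” layout of a CSV export, and the host and counter names are placeholders.

```python
from datetime import datetime, timedelta

HIGH = 90.0                          # threshold on "% of real memory used"
BREACH = timedelta(hours=1)          # must stay above HIGH this long before the first alert
REPEAT = timedelta(minutes=5)        # then re-alert at this interval while it stays above

def parse_csv(text):
    """Parse 'YYYY-mm-dd HH:MM:SS,value' lines (the layout of a graph's CSV export) into samples."""
    samples = []
    for line in text.strip().splitlines():
        ts, value = line.split(",")
        samples.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), float(value)))
    return samples

def constructed_series():
    """Constructed 5-minute samples: 85% for 15 min, 95% from 00:15 to 01:45, then 70%."""
    base = datetime(2010, 9, 1)
    lines = []
    for step in range(23):
        t = base + step * timedelta(minutes=5)
        value = 85 if step < 3 else (95 if step <= 21 else 70)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},{value}")
    return "\n".join(lines)

def evaluate(samples, high=HIGH, breach=BREACH, repeat=REPEAT):
    """Return the timestamps at which an alert would be sent for the given sample series."""
    alerts, breach_start, last_alert = [], None, None
    for ts, value in samples:
        if value >= high:
            if breach_start is None:
                breach_start = ts                     # breach clock starts at the first high sample
            if ts - breach_start >= breach and (last_alert is None or ts - last_alert >= repeat):
                alerts.append(ts)
                last_alert = ts
        else:
            breach_start = last_alert = None          # counter recovered: reset the breach clock
    return alerts

def alert_messages(samples, host="db01.example", counter="Memory used %"):
    """Render alerts as the one-line notifications an SMS or e-mail gateway would carry."""
    return [f"{ts:%Y-%m-%d %H:%M} {host}: {counter} above {HIGH:g} for over {BREACH}"
            for ts in evaluate(samples)]

if __name__ == "__main__":
    for msg in alert_messages(parse_csv(constructed_series())):
        print(msg)
```

A short spike above 90 produces no alert at all, because the breach clock resets on the first sample below the threshold; only a sustained breach reaches the one-hour mark, which is what keeps the administrator's pager quiet during normal load peaks.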

Since the CACTI system supports importing templates, plugins and scripts with customization, the scalability can be greatly extended with the resources in official CACTI documentation site (http://docs.cacti.net/).


Additional modules (other than graphs) can also be used, such as the “Monitor” module, which shows up/down availability in a logical layout.

Last but not least, advanced programming [4] for CACTI can monitor any source via shell scripts and executables such as tracking twitter followers or solar hot water system which may be already out of our imagination for monitoring the availability.

Wallace Wong ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Reference

[1] http://www.cacti.net/documentation.php
[2] http://www.joecen.com/article/cacti/installcacti/
[3] http://www.joecen.com/article/cacti/installcacti/
[4] http://thingelstad.com/tracking-twitter-followers-with-cacti/


Why you don’t want to JB your iPhone
Alan Tam, CISSP CISA, Program Committee

People like JB (Jail Break) because it frees their iPhone so that they can install software from places other than Apple’s App Store. On the Internet there are plenty of resources and tutorials teaching how to free your iPhone. If you are skeptical, googling “iPhone jailbreak disadvantage” will remind you that JB may void the warranty or turn your iPhone into a brick (i.e. it cannot boot up and function normally). However, there are more search results telling you that JB is safe and easy now. How easy? As easy as visiting a webpage with Safari.

Besides, an interesting thing happened on 26 July 2010: jailbreaking an iPhone is no longer illegal under the DMCA of the United States (Note 1). So everyone is doing it; why don’t you? If you ask me, I would prefer a smartphone that: (1) functions stably, (2) is reasonably secure, so that I don’t need to worry about installing antivirus software, and finally (3) is entertaining.

Escaping from the Jail

Jail breaking is derived from the idea of escaping from a “chroot” jail. chroot is a Unix command that prevents a process from accessing the whole filesystem, thus protecting the system files from unauthorised modification; it is a security feature used by well-designed software, e.g. OpenSSH and the Postfix mail transfer agent. As iPhone OS is also based on Unix, a chroot jail for all applications is therefore the default behaviour. The only bad thing is that system utilities cannot be made by a third party, because they cannot access the “real” file system. Furthermore, Apple usually censors software that it thinks is “not appropriate” to be running on the iPhone. Disappointed programmers started to find other ways to run their Apple-rejected code.

WinterBoard

WinterBoard is a nice add-on for a JB iPhone, giving better accessibility and appearance. However, its working mechanism involves a platform for system hacks to run, injecting code into iPhone OS. This is good for the programmer, as it provides flexibility in program launching, but it is also bad for the operating system, as it introduces the risk of a system crash from badly written system hacks. Newer desktop operating systems are starting to prohibit system hooking (e.g. PatchGuard in 64-bit Windows).

Cydia

Cydia is another nice add-on for a JB iPhone, allowing a user to browse and download applications that need not be authorised by Apple; in other words, the “underground appstore”. Cydia was originally designed to work as a repository aggregator, but theoretically anyone can put software on it for others to download. There is no stability test or code checking, compared with the more restrictive Apple App Store. In November 2009, the first worm targeting JB iPhones surfaced. Its name is “Ikee”, and it proved that JB iPhones that use the Unix SSH utility for remote connection over the Internet with the default password are vulnerable to hackers. Ikee scans random IP ranges and also specifically targets the IP ranges of Optus, Vodafone and Telstra, which are the common telephony providers in Australia. Once a vulnerable iPhone is found, the worm changes the wallpaper to a picture of Rick Astley (a prank known as Rickrolling), deletes the SSH daemon and begins scanning the network for other vulnerable phones. If you seem to be one of these victims, you may want to install MobileTerminal and change the password to something complex, long, easy to forget and difficult to remember. If your phone asks you for the old password, try “alpine”.

Things have really changed in recent years. In the old days, authors of computer viruses, if caught, were subject to criminal charges. According to rumours, the author of Ikee, who was an unemployed programmer, got a job because of writing the first iPhone virus...

One more strange thing: remember I said people like JB and it can be done by simply visiting a webpage? The webpage actually contains downloadable content which triggers a buffer overflow, exploiting a security hole in the iPhone firmware. In the old days, computer users sought to avoid or prohibit buffer overflows. Nowadays, people like buffer overflows because they free their iPhone. In iPhone OS 4, the buffer overflow is the infamous “PDF exploit”. Visiting the JB webpage actually allows it to inject code into your iPhone. I know, I know, everyone is doing it, so it must be safe!? Here is the description from Apple’s knowledge base about these exploits: “A stack buffer overflow exists in FreeType's handling of CFF opcodes. Viewing a PDF document with maliciously crafted embedded fonts may allow arbitrary code execution; An integer overflow exists in the handling of IOSurface properties, which may allow malicious code running as the user to gain system privileges.” Hmmm... I am not quite comfortable visiting a webpage with these contents, especially on a production machine: a mobile phone with my contact list and other personal data.

Note 1: Note that Apple still voids the product warranty if your iPhone is found jailbroken.

Alan Tam ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

(references to be continued on page 33)


Mobile Application for Financial Institutions
Patrick Liu, CISSP ISSAP CIA CISA CGEIT ABCP, Program Committee

Around 14 years ago when I had my first mobile phone, the device was nothing more than a phone. It did not have any fancy features or even a color screen. It is amazing that our mobile phones are now capable of doing so many things that used to run on our desktops.

More powerful devices

Like any other technology, mobile devices are getting more powerful than before. They provide multi-channel communications within our palm. We can store more data or even remotely access our company desktop. The processing power also opens a door for computer viruses from multiple directions (i.e. SMS, email, instant messenger, Internet browsing and Wi-Fi networks). It is expected that the mobile Internet population will grow exponentially faster than in any previous computing technology cycle [1]. As information security professionals, what is the challenge to us?

End point device security

Anti-virus software for mobile devices is not yet mature enough to detect viruses in real time without affecting the device’s performance. Apart from computer viruses, self-owned end point devices are always a problem for financial institutions: we cannot enforce security measures on our customers. Some worms (e.g. Ikee) target jailbroken iPhones. A jailbroken iPhone allows the user full access to the device, so that they can install software on it. Thus, it is possible for an intruder to install software to steal data. Don’t forget all iPhones share the same root password! I bet not many users will change the root password.

Reference & Credits for “Why you don’t want to JB your iPhone” (continued from page 32):
http://www.wired.com/threatlevel/2010/07/feds-ok-iPhone-jailbreaking/
http://en.wikipedia.org/wiki/Digital_Millennium_Copyright_Act
http://www.copyrightnote.org/crnote/bbs.php?board=35&act=read&id=15
http://theappleblog.com/2009/03/11/jailbreak-five-things-you-need-to-know/
http://www.boxcounter.com/?action=show&id=87
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-bosse_eriksson-kernel_patching_on_osx.pdf
http://en.wikipedia.org/wiki/Cydia_(application)
http://www.computerweekly.com/Articles/2009/11/09/238469/First-ever-iPhone-worm-Ikee-unleashed-by-Aussie-hacker.htm
http://www.symantec.com/connect/blogs/ikee-worm-rickrolls-jailbroken-iPhones
http://www.vupen.com/english/advisories/2010/1992
http://www.jailbreakme.com
http://support.apple.com/kb/HT4291


Impacts to two-factor authentication

Some financial institutions use SMS or a software token on the mobile device to provide additional authentication for customers or users in addition to a PIN. When mobile devices provide multi-channel communication capability and allow a customer to log in to a system and receive the SMS login token on the same device, the two factors of authentication, the PIN (something you know) and the SMS or software token (something you have), can be compromised at the same spot. This weakens the foundation of two-factor authentication.

Network security issues around the use of Wi-Fi

It is common for telecoms to offer free Wi-Fi access to their high-end customers. The problem is that most of their Wi-Fi spots are not protected by encryption. We always educate our users not to use public PCs for financial transactions, as an intruder can capture user credentials by tapping into the Wi-Fi network. Alternatively, an intruder can install a wireless access point in the proximity of a financial institution’s branch to spoof a legitimate Wi-Fi spot. Customers may unknowingly associate with this “evil twin” access point and come under the attacker’s control.

Personal data privacy

Mobile devices hold tons of personal data. A global positioning system has become a standard feature of high-end mobile devices. (Even without GPS, Wi-Fi access logs may give a general idea of where the user has been.) Accessing a user’s GPS data allows a service provider to give the user very specific information about what is nearby. However, if anything goes wrong, it will be an issue that catches media attention. Besides GPS data, a couple of other kinds of data are very sensitive (e.g. phone book, SMS messages, social networking application data, the auto-completed word library). Financial institutions should seek the user’s agreement before using these data and handle them with extra care.

Cache

Auto-complete is a very user-friendly feature: the mobile device remembers what you have input and stores it in a word library. However, this feature captures your username as well! Mobile users may also input their personal information (e.g. address, home phone number, credit card number) on online shopping websites. As a financial institution, your website can use a technique to prevent the device from caching a whole credit card number: break the field into several shorter fields.

Lack of experienced developers

Another challenge is that it is not easy to hire experienced developers in the market. It just takes too long to train up a group of developers within financial institutions to meet the schedule of product and service launches to the market. Development outsourcing may become a sensible direction. The next question will be how to ensure the quality of outsourced development. It is important for the application specification to go down to functional-level details to give direction to programmers on the functions and data they should or should not use.

Publishing the mobile applications

Some mobile platforms have a controlled environment for application publishing. For instance, in the case of the iPhone App Store, applications are screened by a team before being released to the public. Imagine there are over 1000 new application screening requests every day; maybe some malware is going to sneak past the screeners’ eyes. In order to ensure the published mobile application’s origin and to control the patch level, a financial institution should own the publishing operation. They should also watch for any phishing apps or related apps in the application market. An intruder can publish an “instant mortgage” application targeting customers of a specific financial institution to lure customers into entering personal data, resulting in damage to the reputation of the financial institution.

Going mobile is the trend for the next Internet age. If we do not understand the game, we are going to lose the game. The better we understand the mobile device, the easier it is for us to design controls to protect our customers and users. Nicolas Seriot did a very interesting research paper on iPhone privacy [2]. I hope this article will benefit you.

Patrick Liu ■

Copyright & Disclaimer

Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA

Reference
[1] Morgan Stanley, The Mobile Internet Report, 15 Dec 2009
[2] http://seriot.ch/resources/talks_papers/iPhonePrivacy.pdf


Secure Software
Otto Lee, CISA CISSP CSSLP, Program Committee

Have you seen Die Hard 4? It talked about:

● Terrorists shutting down the US computer infrastructure by crashing the stock market, traffic systems, … and everything else

● In case of a total computer systems failure, all critical personal and financial records in the US were sent to servers in a FACILITY to create a backup

● Terrorists took over the FACILITY and downloaded a copy of the backup

What are the security concerns here?

Drivers of Secure Software

There can be many factors driving Secure Software, and 3 of them will be described in the following sections:

● Customers

● Regulatory Obligations

● Threats


Customers

It was difficult to relate a multi-function machine to software security. A multi-function machine is a machine that can copy, print, fax and scan. In early 2010, an article [1] described that digital copy machines made after 2002 contain a hard disk, which stores every document copied, scanned or faxed by the machine. From that point onwards, customers became aware that their confidential documents may have left a trace on the machine. They then pushed for higher security requirements in multi-function machines, e.g., expecting the software to erase the image immediately after scanning or copying, or else no hard disk should be included in the machine.

Regulations

Secondly, as you can observe, more and more regulations require security to be built into products. In addition, regulators make their findings and judgments public. For example, the SEC fined a US broker-dealer hundreds of thousands of US dollars over computer security failures in 2009.

Threats

Finally, as you have seen in the past few years, more professional and organized cybercrime has emerged, exploiting every vulnerability found on systems. The number of security incidents has risen. Most of them can be avoided by having better security design and coding.

Relative Cost of Fixing Defects

On the other hand, as you should know, but once again it has to be mentioned here: it can cost 30 to 100 times more to fix software defects in production.

Real Cost of Insecure Software

A bridge is infrastructure that you can see, while software is infrastructure that you can’t see. But do you think their quality affects you differently?


Here I would like to introduce a book named “Geekonomics: The Real Cost of Insecure Software”, which was introduced to me by Kitty from ISC2. It talked about… In 1996, software defects in a Boeing 757 caused a crash that killed 70 people, while in 2003 a software vulnerability caused the largest U.S. power outage in decades. Recently, the news reported that malware was implicated in a fatal Spanair plane crash [2].


Nowadays, hackers are attacking at the application level, and it is not enough to just build a robust system. Security has to be ensured throughout the entire software development lifecycle. Otherwise, it can cost 30 to 100 times more to correct the software after development.

It’s about adding security requirements and risk analysis during the Requirement and Design phases, working out risk-based security tests, enforcing secure coding and code review during the Code phase, performing black/gray/white box security tests, risk analysis and penetration testing in the Test phase, and finally collecting feedback through continuous monitoring in the Production phase.

Otto Lee ■

Reference
[1] Digital Photocopiers Loaded With Secrets: http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml
[2] Malware implicated in fatal Spanair plane crash: http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001


CONS Reloaded
20-day CON Experience
Anthony Lai, SANS GREM (Gold), GWAPT, GCFA, Founder and Security Researcher, VXRL, Program Committee

I have spent nearly 20 days attending four conferences, HIT (Hack In Taiwan)/BoT2010, Blackhat/DEFCON and XCON, in Taiwan, Las Vegas and Beijing respectively in July. To be frank, hard-core and insightful technical security and hacking conferences and training are missing in Hong Kong. I would like to share what I have experienced and, hopefully, you could pick your favorite conferences and mark them in your calendar.

BoT2010 [1]

BoT2010 is a 2-day conference which aims to share about botnet trends, defense and investigation techniques. I do appreciate that this conference’s content comprises research and studies from both academia and industry practitioners. I still recall a few critical sessions on Day 1 in particular. Mr Yung (a.k.a. Sscan) from Trend Micro ran through how to investigate Advanced Persistent Threats, a type of targeted attack against national infrastructure and government systems; Alan Lee, an IT and security consultant at a Taiwan telecom company and a PhD student at the University of Taiwan, shared how to construct a public malware dataset for scientific research.


HIT [2]

This conference has been held for 9 years. I was pleased to be their keynote speaker and to discuss two different topics, Crimeware and Internet Censorship. It comprises a single track of programs. In another room a CTF game is held, and I joined it when I did not need to present, as there is a live broadcast of the presentations in the game room. I liked the session about how to hack the kiosk in a convenience store by planting a PDF exploit and opening it there. It is because most of the time the vendor has not updated the Adobe Reader in those kiosks; Zha0 successfully changed a product name shown in the kiosk to “0-day”, which got our surprise and applause.

Blackhat [3]

It is a 2-day conference held every year in Las Vegas. It comprises more than 10 tracks and you can reach different topics. Blackhat has commercial sponsorship and vendors can show their solutions and products there. Apart from the various technical tracks, I would like to highlight an important attempt they made this year: Blackhat set up an area called Arsenal, where researchers and practitioners can subscribe to a stand-size booth and demonstrate their tool or software. This year, it was my honor to partner with Val Smith and Colin Ames to talk about China-made malware and carry out analysis against various samples. The paper is still being wrapped up with additional details; however, you can download it from the Blackhat site or the VXRL [4] web site. I met friends who had taken a class with me before, like Gary, who worked in the Department of Defense, and Kim from the Denmark Army; their experience and sharing were truly insightful to me; Mati and Chris, my Backtrack penetration training mentors, who shared the latest updates on penetration testing and its techniques with me; and Eugene, a Hong Konger who works at Microsoft in Redmond, who talked about his life there. For me, I liked the session titled “Jackpotting ATM Redux”; please take a look at the video (http://www.youtube.com/watch?v=qwMuMSPW3bU) or simply download it from here (http://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack) and I am sure you will love it. Another session was about return-oriented exploitation; the concept is similar to the “return-to-libc” concept, manipulating pointers in a DLL to point to attacker-controlled memory and execute shellcode reliably. You can find the presentation here: https://www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Daizovi

Colin Ames, Val Smith and Anthony Lai (from left to right)

DEFCON [5]

I like DEFCON a lot as it comprises various games for people to join and enjoy. There are only 5 tracks, and there is a FAQ session held in another room after each presentation. The interaction between speakers and audience is much higher than at Blackhat. Most of the time, intensive collaboration and sharing are found in the FAQ session instead. There are lots of games, including Capture The Flag, social engineering and lock picking, which let many people enjoy and master their hacking techniques. One of the most interesting games is that a team of hackers needs to code a program according to various questions within 10 minutes. However, the programming language is decided by throwing an octagon-shaped dice; you could get C++, C, Python, etc. If you get “Drink++” from the dice, all teams need to drink a beer; if the program cannot be compiled, displays warnings or even cannot fulfill the question’s requirement, the team needs to drink as well. For me, I repeated my presentation with Val and Colin at DEFCON. Meanwhile, I partnered with Jacob Appelbaum, one of the core members of the Tor project, and Jon Oberheide from the University of Michigan to talk about Internet censorship in China. I participated in the CTF game with a Korean team called GoN x PLUS. As we have been connected with PLUS for a while, this was a golden opportunity to join them in the war room against other opponents by reverse engineering any possible vulnerability in the daemons. As I said, Blackhat and DEFCON have a variety of content and sessions; you and your company could simply purchase a set of DVDs with presentations and audio recordings as a reference.

Joining DEFCON CTF with GoN x PLUS

XCON [6]

XCON has been held for 9 years and comprises a single track. I visited with my research partners, Val Smith and Colin Ames, so as to explore more about security research and hacking studies in China. There are no presentation materials available for download, but each paid attendee gets a conference book with the presentation content. Contents are written in both Chinese and English. During the presentations they provide real-time interpretation, which serves both foreign and local audiences very well. There are two sessions I would like to highlight. One is about PDF exploit analysis: the speaker, Funnywei, showed us various analysis methodologies to find and analyse PDF exploits; it is creative and original; however, the presentation is not available for download and he will keep me posted once his team has published the research paper about it. Another session, conducted by two researchers from McAfee, is about exploiting the browser. The explanation and demonstration for each exploit case is detailed and clear. At the same time, Val, Colin and I met Wei from Knownsec, who nicely greeted us with spicy food and brought us to a pub with an excellent folk band, and, of course, our sharing and discussion over exploits is always our main dish.

What have I learnt?

From the conferences, I have learnt and got to know my focus, my interests and the latest exploits of various technologies. I could pick topics to dig into and, hopefully, discover vulnerabilities as well as provide solutions. The learning process is no longer a one-man band; team learning and research are more important to our knowledge and experience growth. In fact, we could seek out and attend some other famous conferences, including Hack In The Box [7] in Malaysia, which is another leading security and hacking conference in Asia.

Whom have I met?

I met various hackers, experts and researchers who work on malware analysis, exploit writing, 0-day discovery and reverse engineering. The idea is that we could explore any opportunity to work with them on research.

What “jetso” have I got?

You may ask me whether I have got any “jetso” after speaking at and attending various conferences. I could say, if you simply want to grab business opportunities at a conference, I am sorry, you have made a mistake. Most of the time I worked with others on how to hack and detect vulnerabilities as well as solve the problems. Of course, people will approach me for research, job and project opportunities as I have spoken there; however, passion and eagerness to learn always come first in my mind.

Next target

I and other researchers and practitioners will keep researching malware analysis and code flaws. Of course, I and my VX fellows will keep on sharing on exploits, reverse engineering, malware analysis, penetration testing and joining CTF games. At the same time, we always keep ourselves connected to the globe. To a certain extent, I also aim to earn a PhD degree; however, as advised by Professor Rocky Chang, the way to learn how to do research is to do it with them, otherwise I need to sacrifice my time and resources in industry. In other words, research is not just a toy for academia; we could work on it, too!

Final words

After attending various global conferences, you will understand that the sit-and-listen culture is no longer valid or effective for our learning. We need to learn by participating in various studies, gaming and sharing sessions. In addition, apart from solution-oriented product road shows, in Hong Kong we do need technical hacking conferences, facilitating more research and studies between academia and industry practitioners. I suggest universities in Hong Kong and industry should be proactive in initiating them. If everyone could squeeze out a little bit of time, the ecology here will become better, but I cannot change it alone.

Acknowledgement

I would like to thank my research partners, including Val, Colin, Jake and Jon; my and VX's mentors, including Byoungyoung, Junho, Nyam Nyam and other PLUS fellows, Birdman, PK and other VX fellows; as well as PISA and other security fellows for their support during my studies. Of course, I appreciate the generous support from my wife and my Pomeranian family, as I need to sacrifice some jogging time with them.

Anthony Lai ■

Reference
[1] BoT2010, Taiwan: http://www.anti-botnet.edu.tw/content/confs/bot2010PDF.php
[2] HIT, Taiwan: http://www.hitcon.org (photo album: http://picasaweb.google.com.tw/hitcon/hit2010#)
[3] Blackhat, USA: http://www.blackhat.com
[4] VXRL: http://www.vxrl.org
[5] DEFCON, USA: http://www.defcon.org
[6] XCON, Beijing: http://xcon.xfocus.org/
[7] Hack in the Box, Malaysia: http://www.hitb.org



Trojan Programs and Internet Security Revisited (再談木馬程式與上網安全)
簡正修 (Bernard Kan), CISSP GCIA, Program Committee

In August the author saw a report that more than 3,000 customers of a bank in the UK had their personal computers broken into by organised hackers, and that in the short span of 30 days from 5 July to 4 August at least £675,000 was stolen from them online. At recent exchange rates, that figure is equivalent to HK$8.1 million.

The hackers’ methods

The hackers look very formidable, but the methods behind the attack are actually nothing new. They simply used different channels to lure bank users into getting a Trojan program onto their machines through the browser. When an infected bank user uses online banking, the Trojan transfers the deposits out of the user’s account.

M86 Security, the UK security consultancy that took part in the forensic investigation of the intrusion, published a White Paper explaining the hackers’ techniques in detail; interested readers can look at http://www.m86security.com.

Why do people still get “hit” so often?

“Trojan Horses”, or Trojan programs, actually have a long history in the field of information security. Counting from the likes of Netbus, BO2K and 灰鴿子 (Gray Pigeon), it has been 10 years, yet infection of computer users by Trojans remains very common.

The question is: nowadays most computer users have better anti-virus awareness than years ago, and there should not be many users left with no anti-virus software installed at all, so why do people still get “hit” so often? The author thinks there are at least two reasons.

First, anti-virus software cannot completely prevent a user from being infected by a virus or Trojan. Most anti-virus software decides whether code is a virus or Trojan by checking the code for certain “signatures”. But a clever hacker can, through special procedures, compress the virus or Trojan, or scramble the encoding inside the program (so-called obfuscation), and so evade detection by anti-virus software. In mainland China this step is called 「免殺」 (“kill-avoidance”, making the malware undetectable). It is said that for just a few hundred RMB, some hacker experts in this area will provide a Trojan 「免殺」 service for you. There is also a service called 「掛馬」 (“hanging a horse”), which breaks into other people’s websites for you and plants Trojan programs on their web servers. It is said that in today’s underground hacker world, the development of malicious programs, the intrusion of other people’s servers, the theft of valuable data, the cashing-out of dirty money and so on have developed into a self-sufficient economy.

The second reason Trojans remain prevalent is the problem of vulnerabilities in browsers and related software. After all these years, we still frequently hear of Internet Explorer being found to have serious vulnerabilities, so serious that Microsoft has been forced to release special patches for Internet Explorer outside its normal monthly patch schedule. In recent years, Adobe’s PDF Reader and related plugins have also been found to have quite a few security vulnerabilities and have become a new favourite route for hackers to break in. The case of the UK bank customers mentioned above exploited a vulnerability in Adobe Reader.

Figure 1: Network separation of Internet workstations and workstations handling sensitive data (labels in the figure: workstations without Internet access, Internet workstations, Internet, firewall, information server)

How can the Internet be used safely?

This question is especially important for enterprises that hold and use a large amount of sensitive data (banks, for example). If an employee in the enterprise is infected with a Trojan and sensitive customer data leaks out, it will be a major blow to the enterprise’s reputation.

Some enterprises with high security requirements simply separate the workstations that can access the Internet from the other internal workstations that handle sensitive data, completely, at the network level (so-called Network Segregation). See Figure 1. When the author used to teach information security courses, I often said that “security” and “convenience” are the two ends of one line: to have “security” you often sacrifice “convenience”; conversely, to have “convenience” you often sacrifice “security”. The scheme above, which separates the Internet network from the enterprise’s information network, sacrifices a great deal of “convenience” to reach a certain degree of “security”. The benefit of this arrangement is that even if an employee is infected by a virus or Trojan while surfing the Internet, there is a lower chance of it leading to a leak of sensitive data.

But imagine: every user has two computers on the desk; the left one is for Internet access and email, the right one connects to the company’s systems and handles sensitive data. How to exchange the data needed for work with other colleagues becomes a puzzle. The most painful part may be for IT administrators: with two machines per person, all network maintenance and software licences have to be counted twice.

Another option that is easier to manage is to use a Terminal Server. See Figure 2.

Figure 2: The firewall forbids workstations from connecting directly to the Internet, but workstations can remote-control the Terminal Server via Remote Desktop to go online, so the chance of a workstation being infected by a virus or Trojan is lower (labels in the figure: secure workstations, firewall, Internet, information server, Terminal Server)

The computer on the user’s desk is not connected to the Internet and can safely handle the enterprise’s sensitive information; the chance of infection by a virus or Trojan is relatively low. If a user needs to browse the Internet for information or send and receive email, they can log in to the Terminal Server through Remote Desktop and work there. If the user’s desktop computer needs to upload files to or download files from the Terminal Server, this can be done through drive mapping or FTP. For IT administrators, this solution is very easy to handle in terms of hardware, software and usage monitoring.

But one problem remains unsolved: the Terminal Server may itself get infected!!

At present the vast majority of viruses and Trojans are designed against the Windows platform and Internet Explorer. Even with anti-virus software installed, a Terminal Server on the Windows platform still faces the same possibility of infection by viruses or Trojans from the Internet.

Linux Terminal Server solution

In recent years the author has noticed a piece of open source software called XRDP. It can turn a Linux server with an X Window environment into a Linux Terminal Server that many users can log in to at the same time. The Remote Desktop client on Windows can connect to it directly, without installing any other software.
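The policy that Figure 2 describes, written out as firewall rules. This is an added example and is not part of Bernard Kan's article: it assumes a Linux firewall with three interfaces (eth0 towards the Internet, eth1 towards the workstation LAN, eth2 towards a segment holding the Terminal Server), the constructed addresses 192.168.10.0/24 and 192.168.20.5, and XRDP listening on the default RDP port 3389. None of these values come from the article.

```shell
#!/bin/sh
# Added example, not from the article: print an iptables forwarding policy for
# the Figure 2 layout.  Interface names, subnets and the Terminal Server
# address are assumptions chosen for illustration.
WAN_IF=eth0                 # Internet-facing interface (assumed)
LAN_IF=eth1                 # secure workstations, no direct Internet (assumed)
DMZ_IF=eth2                 # segment holding the Linux Terminal Server (assumed)
LAN_NET=192.168.10.0/24     # workstation subnet (constructed)
TS_IP=192.168.20.5          # Linux Terminal Server running XRDP (constructed)
RDP_PORT=3389               # default port of Remote Desktop / XRDP

# Emit the rules rather than applying them, so the policy can be reviewed
# and diffed first.  Apply with:  gen_rules | sh
gen_rules() {
cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
# replies belonging to sessions permitted below
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# workstations may reach the Terminal Server, and only on the RDP port
iptables -A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $TS_IP -p tcp --dport $RDP_PORT -j ACCEPT
# only the Terminal Server may originate traffic to the Internet
iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $TS_IP -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $TS_IP -j MASQUERADE
# a workstation trying to browse directly is logged, then dropped
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j LOG --log-prefix "DIRECT-INET-BLOCKED: "
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j DROP
# an infected Terminal Server must not reach the workstation LAN
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j LOG --log-prefix "TS-TO-LAN-BLOCKED: "
iptables -A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
EOF
}

# Number of rules that let the given source address originate Internet
# traffic: 1 for the Terminal Server, 0 for any workstation.
inet_grants_for() {
    gen_rules | grep -c -- "-o $WAN_IF -s $1 -j ACCEPT" || true
}

# Number of rules that accept traffic from the workstation LAN to the given
# host and TCP port; only the Terminal Server on the RDP port should count.
lan_grants_for() {
    gen_rules | grep -c -- "-s $LAN_NET -d $1 -p tcp --dport $2 -j ACCEPT" || true
}

gen_rules
```

Two rules go a little beyond the figure. The LOG targets make a workstation that tries to reach the Internet directly show up in the kernel log, which is how an infected desktop would reveal itself, and the last two rules stop the Terminal Server from initiating connections into the workstation LAN, so the infected-Terminal-Server case the author raises cannot spread back to the machines holding sensitive data. File transfer by RDP drive mapping travels inside the RDP session and needs no extra rule; FTP to the Terminal Server would need one.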

If applied in an enterprise, we can install XRDP on a Linux server and turn it into an appliance dedicated to users’ Internet access.

Because the Linux platform is paired with the Firefox browser, the viruses and Trojans on the Internet that target the Windows platform and Internet Explorer are harmless to this Linux Terminal Server; it can be called a very robust solution for safe Internet access. Figure 3 shows a user’s computer accessing the Internet through the Linux Terminal Server.

Figure 3: A user’s computer accessing the Internet through the Linux Terminal Server

Of course, this Terminal Server solution for Internet access also has drawbacks. Because the user goes online by remote-controlling the Terminal Server through Remote Desktop, some special input devices, for example Chinese handwriting tablets, cannot be used: you cannot write on the handwriting tablet of your desktop computer and have the Chinese characters recognised on the Terminal Server. Also, the current version of XRDP does not support sound transmission, so watching YouTube on the Terminal Server is like watching a silent film. But for a solution that does not cost much, in exchange for a higher degree of Internet security, a little sacrifice and inconvenience seems worthwhile. In the author’s experience, a Linux Terminal Server with 8GB of memory can already serve more than 40 users going online at the same time. Wouldn’t you say that is a bargain?

Since there is such a good solution, in the next article the author will introduce the installation steps for a Linux Terminal Server; readers, please don’t miss it.

簡正修 ■


P I S A J o u r n a l

Professional Information Security Association

Event Snapshot We Contribute. We Achieve.

Seminar: Cloud Computing (17-Sep-2010)

Allen Ho

Simone Brunozzi

Mr. Allen Ho from Microsoft and Mr. Simone Brunozzi from Amazon gave us a fruitful evening talk on Cloud Computing

ICT Discussion Forum: Perspectives on Policy Address (2-Sep-2010) PISA was a supporting organization of this forum organized by the Professional Commons, IT Voice and Internet Society Hong Kong. Ian Christofis was the PISA representative. He delivered his view on the legislation of data privacy. He has written an article in this issue elaborating his view.

Panelists and Moderators:(From left) Lento Yip (HKISPA) Charles Mok (Professional Commons), SC Leung (IT Voice), Michael Yung (ISACA), Dale Johnstone and Ian Christofis (PISA)

Event Snapshot We Share. We Progress.

The 4th Macau Wi-Fi War Driving (4-Sep-2010) Jointly organized by the Macau teams (ISACA Macao Chapter & MANETIC) and Hong Kong teams (PISA & WTIA), the Macau war-driving survey was held on September 4, 2010. It was the 4th Macau war-driving event since the first one in 2007. To better arouse public awareness of Wi-Fi security, the Macau organizers arranged a press conference and included university students in the event. This year, the war-driving teams gathered at the Macao Science Center to start the event. We took 3 mini-buses to collect security setting data of Wi-Fi access points along bus routes 6 & 15. The statistics will be benchmarked against past years and published via a press conference in the coming 2 months. Similar to the HK statistics, we have been seeing a continuous improvement in Wi-Fi security awareness in Macau.

The big group photo of all participants


Event Snapshot We Contribute. We Achieve.

PISA AGM (28-Aug-2010) Theme Seminar: Deployment of Domain System Security

Warren Kwok presented his view on DNSSEC security in the theme seminar of the PISA AGM. He pointed out the problems solved by DNSSEC and the new issues it raises. He also advised that Hong Kong should speed up the implementation to catch up with other economies.

Group photo of participants after the AGM

Event Snapshot We Share. We Progress.

Workshop: Honeynet 2010 (26-Jul-2010)

Alan Lam

Peter Cheung

Roland Cheung

Alan Lam, Peter Cheung and Roland Cheung conducted a workshop on honeynets for a class of PISA members and IVE students. The workshop was filled with intensive knowledge on the analysis of attack samples collected by a honeynet, and on the installation and configuration of a working honeynet.

Honeynet Insight (10-Apr-2010) The 3 professionals gave another presentation on their honeynet findings, on IRC botnets and malware honeypots, to PISA members and staff and students of IVE and CityU.

Workshop: Secret of Hardware Lock (10 Jul 2010) Sang Young delivered a workshop on hardware lock security and lockpicking. The class was kept small so that everyone could participate. Some participants did manage to break the lock in the class.


Event Snapshot We Contribute. We Achieve.

Seminar: Armament Race in Internet Content Filtering (8-May-2010) PISA co-organized with Internet Society Hong Kong and Valkyrie-X Security Research Group a very interesting seminar on Internet Content Filtering and Bypassing Technologies.

Sang Young

Anthony Lai

Jacky Tsoi

Charles Lo

Charles Mok

There was a very interactive floor discussion on different perspectives of the topic, including enterprise content filtering policy, filtering technology and Internet freedom.


P I S A J o u r n a l

SEP-2010

Professional Information Security Association Vision to be the prominent body of professional information security practitioners, and utilize expertise and

Successful Career

Be up-to-date and be more competitive in the info-sec community – line up yourself with the resources you need to expand your technical competency and move forward towards a more successful career.

Many Ways

Networking

Continued Education

Enjoy networking and collaboration opportunities with other in-the-field security professionals and exchange technical information and ideas for keeping your knowledge up to date

Check out job listings information provided by members. Get information on continuing education and professional certification

Sharing of Information Find out the solution to your technical problems from our email groups and connections with our experienced members and advisors.

Enjoy the discounted or free admissions to association activities - including seminars, discussions, open forum, IT related seminars and conferences organized or supported by the Association.

You Can Benefit

Membership Information

Enquiry email: membership@pisa.org.hk

Membership

Realize Your Potential

Professional Recognition

Develop your potentials and capabilities in proposing and running project groups such as Education Sector Security, WLAN & Bluetooth Security, Honeynet, Public Policy Committee and others and enjoy the sense of achievement and recognition of your potentials

Benefit from the immediate access to professional recognition by using post-nominal designation

Membership Requirements

Type       Annual Membership Fee (HK$)   Qualifications                                                                                    Relevant Experience
Full       500                           Recognized Degree in Computing discipline, OR other appropriate educational / professional qual.  3 years Info-Sec working experience
Associate  300                           Tertiary Education                                                                                Info-Sec related experience
Affiliate  300                           Interested in furthering any of the objects of the society                                        Nil
Student    100                           Full-time student over 18 years old                                                               Nil

Application Form: http://www.pisa.org.hk/membership/member.htm

Code of Ethics: http://www.pisa.org.hk/ethics/ethics.htm

• Relevant computing experience (post-qualifications) will be counted, and the recognition of professional examinations / membership is subject to the review of the Membership Committee.
• All members must commit to the Code of Ethics of the Association, pay the required fees and abide by


