suguru.PDF

Size: px

Start display at page:

Download "suguru.PDF"

めぐのしもとり
6 years ago
Views:

1 ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Internet: Global and Ubiquitous Infrastructure for Communication Society Internet Technology CATV Cable Modem TCP/IP ATM Optical Fiber Copper Cable WDM/SDH ThinkQuest2002 Suguru Yamaguchi (c) ISDN Communication Technology WWW Computer literacy, Non stop business on the Internet in domestic & international arena What is illegal offline remains illegal online Illegal and harmful content on the InternetCOMMUNICATION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

2 Computer Security Incidents. / / ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Statistics@JPCERT/CC 3,000 2,500 2,000 1,500 96/10-96/12 97/04-97/06 97/10-97/12 98/04-98/06 98/10-98/12 99/04-99/06 99/10-99/12 00/04-00/06 00/10-00/12 01/04-01/06 01/10-01/12 1, Q Q1 Number of Reports Est ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Statistics@CERT/CC! ,000 ATTACKS 13,300 BLOCKED Protection 24,700 SUCCEED Detection 988 DETECTED 23,712 UNDETECTED Reaction 267 REPORTED 721 NOT REPORTED Number of Reports Est (3Q) ThinkQuest2002 Suguru Yamaguchi (c) GAO/AIMD Defense Information Security ThinkQuest2002 Suguru Yamaguchi (c)

3 ! Port Scanning & Probe. Port scanning shellcode SPAM Denial of Services (DoS) DoS ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) CodeRed 15 ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Buffer Overflow Attack wuftp, Netscape Enterprise Server, Microsoft IIS,. (boundary check) Internet Worm (1988) Buffer Overflow Attack Buffer ( ) Boundary Check ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

OS Solaris sadmindbuffer overflow Worm sadimind Solaris Worm Windows IIS IIS IIS ThinkQuest2002 Suguru Yamaguchi (c) 2002 19 ThinkQuest2002 Suguru Yamaguchi (c) 2002 20 DDoS Distributed DoS Attack

4 OS Solaris sadmindbuffer overflow Worm sadimind Solaris Worm Windows IIS IIS IIS ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) DDoS Distributed DoS Attack DoS 20002: YahooCNN ebay, Amazon DDoS trinoo DDoS FBI ISP DDoS Zombie trigger ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) DoS Growth of Internet Users in Japan CodeRed DoS DoS? DoS DoS Nimda? WIDE Project ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

5 DDoS Host Network link Lessons from our reports (rootkit ) () ( ) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) DoS Computer Literacy Scripty kids?»»»» ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) TFM2K CodeRed, Nimda ISP DDoS Agent MTA SPAM ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

6 ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (audit) Integrity management ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) CISO (Chief Information and Security Officer) CISO HRM (Human Resource Management) and other RM Public Relations and Publicity activities. ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

7 ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) RFC 2196 Site Security Handbook (threat) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) GAO report [AIMD ] Executive guide Information Security Management -- Learning from Leading Organizations (accountable) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

8 ThinkQuest2002 Suguru Yamaguchi (c) / (risk assessment) : {Tn} : P(Tn) : V(Tn) V(Tn)P(Tn) ThinkQuest2002 Suguru Yamaguchi (c) (1). / / ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (2) : Web..»». (3) (passive attack) (eavesdropping, wire tapping) (traffic analysis) (active attack) (packet stream modification) (Denial of Service) (masquerading) (unauthorized access),, replay attack. ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

9 (4).. ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) ,,,,... 1 ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (1) ThinkQuest2002 Suguru Yamaguchi (c)

10 (2) Incident Response, response ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) JPCERT/CC ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Firewall VPN NAT Proxy clearing house WWW etc. Firewall VPN Proxy NAT ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

11 Firewall(1) Firewall (2) "Choke & Gate" style Choke Filtering Gate Services Access Control Firewall-segment DMZ (Demilitarized Zone) DNS httpd sendmail Firewall ( ) filtering gateway external gateway Filtering Gateway socks VPN (Virtual Private Network) VPN VPN FireWall A B C VPN FireWall D ThinkQuest2002 Suguru Yamaguchi (c) TCP TCP SMTP(mail), NNTP(news) UDP DNS, phone FTP FTP PASV FTP Ncftp control control FTP client data FTP server FTP client data FTP server Firewall Firewall 11

FTP Proxy HTTP HTTP control data WWW client Proxy Server Firewall WWW Serve WWW VPN SSH ThinkQuest2002 Suguru Yamaguchi (c) 2002 69 ThinkQuest2002 Suguru

12 FTP Proxy HTTP HTTP control data WWW client Proxy Server Firewall WWW Serve WWW VPN SSH ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (authentication) (entity) Entity: ( ) ID (bio -metrics) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

13 UNIX Password System 8 (/etc/passwd) weak password) 2 Reusable Password replay attack One Time Password ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Challenge-Response System challenge response Challenge Response System (2) challenge response response Message Digest (e.g. S/KEY) response SecureID ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Message Digest 16 Secure Hashing Algorithm MD4, MD5, SHA1 S/KEY MD n+1 (k) MD n (k) Pass-phrase Seed pass-phrase Seed pass-phrase UNIX Password sult k: pass-phrase seed 13

14 S/KEY S/KEY Challenge-Reply system MD n (k) Challenge: n-1 Seed Reply: MD n-1 (k) Dictionary Mapping 16 User ID suguru Count and Seed 29 vax15 One Time Password cat sun gaur tuft noun soon host: vax S/KEY database suguru: 30 vax15 tang fun fish moon smug gray Token Card ( SecurID (by Security Dynamics) SafeWord (by Secure Computing) Challenge/Response X9.9 SecureNetKey (by AssureNet) Challenge/Response ( ) ThinkQuest2002 Suguru Yamaguchi (c) ( public key) ( secret key) Digital Signature WWW HTTP HTTPS HTTPSSSL(Secure Socket Layer) / TLS (Transport Layer Security) ThinkQuest2002 Suguru Yamaguchi (c)

15 SSL Secure Socket Layer 2 DES, Triple DES, RC2, RC4 MD5, SHA1 RSA SSL - 1 X.509 ID ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) SSL - 2 Biometrics ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Biometrics (2) biometrics Token card password system (authentication) (authorization) PKIX ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

16 SSH1 & SSH2 SSH1(MITM BSD r command full compatible port forwarding SSH ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) DES/RSA SSH SSH Protocol Architecture draft-ietf-secsh-architecture-07.txt encryption, integrity, compression host authentication user authentication ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) ssh2 /home/suguru/.ssh2/id_dsa_1024_a /home/suguru/.ssh2/id_dsa_1024_a.pub passphrase SSH passphrase Port Forwarding SSH SSH client/ssh server SSH firewall outbound ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

17 Port Forwarding SSH client Application Server SSH server Application Server SSH BSD r command rlogin rsh SSH CVS SSH Port Forwarding firewall friendly ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) PGP (Pretty Good Privacy) S/MIME Ssh ThinkQuest2002 Suguru Yamaguchi (c) Monitoring Monitoring IDS (Intrusion Detection System) Footprint IDS ThinkQuest2002 Suguru Yamaguchi (c)

18 : ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) ,,,... /, (JPCERT/CC),...,,, etc...!? ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (1) (2) JPCERT/CC ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

19 (), ),,,,, /,,,,... JPCERT/CC ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) JPCERT/CC Japan Computer Emergency Response Team Coordination Center FIRST CSIRT CSIRT Computer Security Incident Response Team Morris worm CERT/CC (Computer Emergency Response Team Coordination Center) CERTCC-KR ( ) AusCERT ( ) CERT -Renater ( ) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) FIRST Forum of Incident Response and Security Teams 1990CERT/CC CSIRT (Incident Response) JPCERT/CC (Web/FTP) ML ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

20 NORTH A S I A 4 0 AMERICA PACIFIC 30 TROPICOFCANCER TROPICOFCANCER OCEAN P A C I F I C 10 AFRICA EQUATOR INDIAN O C E A N SOUTH OCEAN AMERICA TROPICOFCAPRICORN TROPOFCAPRICORN 20 AUSTRALIA GREENLAND O C E A N GREENLAND E U R O P E EQUATOR JPCERT/CC : ( ) : JPCERT/CC Structure of JPCERT/CC JPCERT/CC board committee steering committee secretariat 12 full-time staff (9 engineers) Two way communications advisory Vendors Leaders from the Public and Private Sectors Internet Service Providers ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) Security Response Process (1) FIRST member A T L A N T I C JPCERT/CC Incident Response JPNIC (Whois DB ) ISPs & Vendors Private Sector Constituency Bulletin Alerts Knowledge Base Patches Web / Coordination Research Development IPA/ISEC ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c) (2) ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

21 JPCERT/CC JPCERT/CC Our Contact Hotline: Fax: WWW: Mailing List: ThinkQuest2002 Suguru Yamaguchi (c) ThinkQuest2002 Suguru Yamaguchi (c)

2-20030509.PDF

2-20030509.PDF JPCERT/CC 1 Firewall 2 Security Incident 3 Cgi-bin Cross Site Scripting (CSS) 4 Statistics@JPCERT/CC 3,000 2,500 2,000 1,500 1,000 500 0 1996Q4 1997 1998 1999 2000 2001 2002 Number of Reports 5 2002 JPCERT/CC