ThinkQuest2002 Suguru Yamaguchi (c) 2002

Internet: Global and Ubiquitous Infrastructure for the Communication Society

Internet technology is built on a stack of communication technologies: CATV cable modems, TCP/IP, ATM, optical fibre, copper cable, WDM/SDH, ISDN, and, on top of them, the WWW.

Computer literacy: non-stop business on the Internet in the domestic and international arena.

"What is illegal offline remains illegal online" (Illegal and harmful content on the Internet: Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions).
Computer Security Incidents

Arrest statistics from the National Police Agency: http://www.npa.go.jp/hightech/arrest_repo/kenkyo_2000.htm

Statistics @ JPCERT/CC (http://www.jpcert.or.jp/stat/reports.html): number of incident reports per quarter, 1996Q4 (96/10-96/12) through 2002Q1, on a scale of 0 to 3,000 reports per quarter, with an estimate for 2002.

Statistics @ CERT/CC: number of incident reports per year, 1988 through 2001 (2001 estimated from the first three quarters), on a scale of 0 to 45,000.

GAO/AIMD-96-84, Defense Information Security: of 38,000 attacks,
  Protection: 13,300 blocked, 24,700 succeeded
  Detection: of the 24,700 that succeeded, 988 detected, 23,712 undetected
  Reaction: of the 988 detected, 267 reported, 721 not reported
Port Scanning & Probes

Port scanning, shellcode, SPAM, Denial of Service (DoS)

CodeRed

Buffer Overflow Attack
  Affected software has included wuftp, Netscape Enterprise Server, Microsoft IIS, ...
  Cause: a missing boundary check on a buffer. Input longer than the buffer overwrites adjacent memory, and attacker-supplied shellcode gets executed.
  The Internet Worm (1988) already exploited a buffer overflow.
Worms by OS
  Solaris: buffer overflow in sadmind; the sadmind worm compromised Solaris hosts and from them attacked Windows IIS servers.
  Windows: IIS

DDoS (Distributed DoS Attack)
  2000/2: Yahoo, CNN, eBay, Amazon taken down by DDoS.
  1999/8: trinoo, an early DDoS tool; the FBI and ISPs became involved.
  The attacker compromises many hosts (zombies): 1. install the agent on each, 2. send a trigger, and all agents flood the victim at once.

DoS and the growth of Internet users in Japan: were CodeRed and Nimda DoS? (WIDE Project)
DDoS damages both the host and the network link.

Lessons from our reports: compromised hosts had rootkits installed.

DoS, computer literacy, script kiddies?

TFN2K; CodeRed, Nimda; ISPs; DDoS agents; MTAs relaying SPAM
Audit
Integrity management

CISO (Chief Information Security Officer)
  HRM (Human Resource Management) and other risk management
  Public relations and publicity activities
RFC 2196 Site Security Handbook (threats)

GAO report [AIMD-98-68] Executive Guide: Information Security Management -- Learning from Leading Organizations --
  1.
  2.
  3. (accountable)
  4.
  5. 10 12 13
  6. 14 15 16
  7.
Risk assessment
  Threats: $\{T_n\}$
  Probability that threat $T_n$ occurs: $P(T_n)$
  Loss (value at risk) if $T_n$ occurs: $V(T_n)$
  Risk from $T_n$: $V(T_n)\,P(T_n)$

(1)

(2) Web

(3) Attack classes
  Passive attacks: eavesdropping (wire tapping), traffic analysis
  Active attacks: packet stream modification, Denial of Service, masquerading, unauthorized access, replay attack
(4)

(1)
(2) Incident Response

JPCERT/CC: http://www.jpcert.or.jp/ed/

Firewall, VPN, NAT, proxy, clearing house, WWW, etc.
Firewall (1)

Firewall (2): "Choke & Gate" style
  Choke: packet filtering
  Gate: services and access control
  Firewall segment / DMZ (Demilitarized Zone): DNS, httpd, sendmail
  Filtering gateway, external gateway, socks

VPN (Virtual Private Network): sites A, B, C, D connected through their firewalls over encrypted tunnels.

Filtering by protocol
  TCP: SMTP (mail), NNTP (news)
  UDP: DNS, phone
  FTP: the control connection (client to server port 21) is separate from the data connection. In active mode the server opens the data connection back to the client, which an inside-to-outside-only filter blocks; in PASV mode the client opens the data connection too, so it passes (e.g. ncftp supports PASV).
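The control/data split is what decides whether FTP works through a plain packet filter. The following is an added example, not code from the slides: a stateless "choke" rule set in Python applied to constructed active-mode and passive-mode FTP flows. The addresses and ports (192.0.2.10, 198.51.100.5, 1201, 40000) are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical addresses for the example (not from the slides).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
CLIENT = "192.0.2.10"      # FTP client behind the choke
SERVER = "198.51.100.5"    # FTP server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def choke_allows(p: Packet) -> bool:
    """Stateless 'choke' policy:
    - anything from inside to outside may pass;
    - from outside to inside only segments with ACK set may pass, i.e.
      replies to connections opened from inside. A bare SYN from outside
      (a new inbound connection) is dropped."""
    if inside(p.src) and not inside(p.dst):
        return True
    if not inside(p.src) and inside(p.dst):
        return p.ack
    return False


def active_ftp_flow() -> list:
    """Active mode: the client sends PORT; the server then opens the data
    connection from its port 20 to the port the client announced."""
    return [
        Packet(CLIENT, 1200, SERVER, 21, syn=True),             # control: open
        Packet(SERVER, 21, CLIENT, 1200, syn=True, ack=True),   # control: SYN/ACK
        Packet(CLIENT, 1200, SERVER, 21, ack=True),             # "PORT 192,0,2,10,4,177" (= port 1201)
        Packet(SERVER, 20, CLIENT, 1201, syn=True),             # data: server opens it
    ]


def passive_ftp_flow() -> list:
    """PASV mode: the server announces a port and the client opens the data
    connection outbound, so the choke only ever sees inside->outside SYNs."""
    return [
        Packet(CLIENT, 1202, SERVER, 21, syn=True),             # control: open
        Packet(SERVER, 21, CLIENT, 1202, syn=True, ack=True),   # control: SYN/ACK
        Packet(CLIENT, 1202, SERVER, 21, ack=True),             # "PASV" -> "227 (...,156,64)" (= port 40000)
        Packet(CLIENT, 1203, SERVER, 40000, syn=True),          # data: client opens it
        Packet(SERVER, 40000, CLIENT, 1203, syn=True, ack=True),
    ]


def flow_passes(flow) -> bool:
    """True if every segment of the flow is allowed by the choke."""
    return all(choke_allows(p) for p in flow)


def dropped(flow) -> list:
    """The segments the choke would drop."""
    return [p for p in flow if not choke_allows(p)]


if __name__ == "__main__":
    print("active FTP passes:", flow_passes(active_ftp_flow()), dropped(active_ftp_flow()))
    print("passive FTP passes:", flow_passes(passive_ftp_flow()))
```

The ACK-bit rule is also the classic weakness of a stateless choke: any outside segment with ACK set reaches inside hosts (an "ACK scan" walks straight through). A stateful filter that tracks connections, or an FTP proxy on the gate that opens the data connection on the client's behalf, fixes both the active-FTP breakage and that hole.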
FTP proxy

HTTP proxy: the WWW client talks to the proxy server on the firewall, and the proxy talks to the WWW server; the client never connects outside directly.

VPN over SSH

Authentication
  Verifying that an entity is who it claims to be. Entity: a user, host, or process.
  Evidence: something the entity knows (password), something it has (ID card, token), something it is (biometrics).
UNIX Password System
  Only 8 characters are significant; the hash is kept in /etc/passwd.
  Two problems: weak passwords (guessable by dictionary attack) and reusable passwords (anyone who captures one can replay it).
  Answer to the second: One Time Passwords.

Challenge-Response System
  The server sends a challenge (e.g. 1234543); the client returns a response computed from the challenge and its secret, so a captured response is useless against a fresh challenge.

Challenge-Response System (2)
  The response can be computed with a message digest (e.g. S/KEY) or by a hardware token (SecurID).

Message Digest
  MD4 and MD5 produce 16-byte (128-bit) digests; SHA1 (Secure Hash Algorithm) 20 bytes.
  S/KEY keeps MD^{n+1}(k) on the server and the user presents MD^n(k), where k is the pass-phrase combined with a seed; the seed plays the role of the UNIX password salt.
S/KEY as a challenge-reply system
  Server holds MD^n(k). Challenge: the count n-1 and the seed. Reply: MD^{n-1}(k).
  The server hashes the reply once and compares with MD^n(k); on success it stores MD^{n-1}(k) as the new value with count n-1.
  Dictionary mapping: the 64-bit result is presented as six short English words.

Example
  User ID: suguru. Count and seed: 29 vax15. One-time password: cat sun gaur tuft noun soon
  On host vax the S/KEY database entry is: suguru: 30 vax15 tang fun fish moon smug gray

Token cards
  SecurID (by Security Dynamics), SafeWord (by Secure Computing), SecureNetKey (by AssureNet)
  Challenge/Response, X9.9

Public key / secret key; digital signature

WWW: HTTP over SSL (Secure Socket Layer) / TLS (Transport Layer Security) gives HTTPS.
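The S/KEY exchange above, as an added example in Python (not the slides' code and not the original S/KEY implementation): the one-time password chain as specified in RFC 2289, using MD5 folding instead of S/KEY's MD4, showing the 64-bit value as hex instead of six dictionary words. The user name suguru and seed vax15 come from the slide; the pass-phrase "correct horse" and the server class are made up for the example. It also covers the replay point from the password slide: a captured one-time password is rejected the second time.

```python
import hashlib


def fold(digest: bytes) -> bytes:
    """RFC 2289 folding for MD4/MD5: XOR the two 8-byte halves of the
    16-byte digest to get the 64-bit one-time password value."""
    assert len(digest) == 16
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def step(value: bytes) -> bytes:
    """One link of the hash chain: MD(value), folded to 64 bits.
    (Real S/KEY uses MD4 here; MD5 is the RFC 2289 variant used in this example.)"""
    return fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password for sequence number n: the secret (seed + pass-phrase,
    in RFC 2289 order, seed lower-cased) hashed once, then re-hashed n times."""
    v = step((seed.lower() + passphrase).encode())
    for _ in range(n):
        v = step(v)
    return v


class SkeyServer:
    """Per user the server keeps only (seed, n, otp(n)); it never stores the
    pass-phrase. A login must present otp(n-1). On success the entry becomes
    (seed, n-1, otp(n-1)), so the same value can never be accepted twice."""

    def __init__(self):
        self.db = {}

    def enroll(self, user: str, passphrase: str, seed: str, n: int = 30):
        # Done once, e.g. on a trusted console; the pass-phrase is then forgotten.
        self.db[user] = (seed, n, otp(passphrase, seed, n))

    def challenge(self, user: str):
        """What the server prints at login: the count to use and the seed."""
        seed, n, _ = self.db[user]
        return n - 1, seed

    def login(self, user: str, response: bytes) -> bool:
        seed, n, stored = self.db[user]
        if n < 1:
            return False            # chain exhausted; the user must re-enroll
        if step(response) != stored:
            return False            # wrong pass-phrase, wrong count, or a replay
        self.db[user] = (seed, n - 1, response)
        return True


if __name__ == "__main__":
    server = SkeyServer()
    server.enroll("suguru", "correct horse", "vax15", n=30)   # made-up pass-phrase
    count, seed = server.challenge("suguru")
    print("challenge:", count, seed)                           # 29 vax15, as on the slide
    reply = otp("correct horse", "vax15", count)               # computed on the client side
    print("reply:", reply.hex(), "->", server.login("suguru", reply))
    print("replay:", server.login("suguru", reply))            # False
```

The security of the scheme rests on the digest being one-way: from otp(n) an eavesdropper cannot compute otp(n-1), and the server only ever learns values that have already been used. The chain is finite, which is why the count must be watched and the user re-enrolled before it reaches zero.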
SSL (Secure Socket Layer)
  Symmetric ciphers: DES, Triple DES, RC2, RC4
  Message digests: MD5, SHA1
  Public key: RSA

SSL (1): X.509 certificates serve as the identity of the server (and optionally the client).

SSL (2)

Biometrics

Biometrics (2)
  Biometrics, token cards and password systems all provide authentication; what the authenticated entity may do is authorization.
  PKIX
SSH1 & SSH2
  SSH1 (MITM concerns), fully compatible with the BSD r commands, port forwarding
  DES/RSA

SSH Protocol Architecture (draft-ietf-secsh-architecture-07.txt)
  Transport layer: encryption, integrity, compression, host authentication
  User authentication

ssh2 keys
  /home/suguru/.ssh2/id_dsa_1024_a (private key), /home/suguru/.ssh2/id_dsa_1024_a.pub (public key)
  The private key is protected by a passphrase.

Port Forwarding
  An SSH client/SSH server pair carries other applications' connections inside the SSH session, through a firewall that allows only outbound SSH.
Port Forwarding
  SSH client -> SSH server -> Application Server: the application connects to a local port on the SSH client, and the SSH server delivers it to the application server.
  SSH replaces the BSD r commands rlogin and rsh; CVS over SSH.
  SSH port forwarding is "firewall friendly".

PGP (Pretty Good Privacy), S/MIME, ssh

Monitoring
  IDS (Intrusion Detection System): an attacker leaves a footprint; the IDS looks for it.
(1)

(2) JPCERT/CC
JPCERT/CC (Japan Computer Emergency Response Team Coordination Center)
  Established 1996/10; activities since 1992; FIRST member.
  A CSIRT (Computer Security Incident Response Team).
  1988/11: the Morris worm led to the creation of CERT/CC (Computer Emergency Response Team Coordination Center).
  Other CSIRTs: CERTCC-KR (Korea), AusCERT (Australia), CERT-Renater (France).

FIRST (Forum of Incident Response and Security Teams): http://www.first.org/
  Founded 1990 around CERT/CC; member CSIRTs listed at http://www.first.org/team-info/

JPCERT/CC services: incident response, information distribution (Web/FTP), mailing list.
[World map of CSIRTs / FIRST members]

Structure of JPCERT/CC
  Board committee, steering committee, secretariat: 12 full-time staff (9 engineers)
  Two-way communications and advisory with vendors, leaders from the public and private sectors, and Internet Service Providers.

Security Response Process (1)
  FIRST members, JPNIC (Whois DB), ISPs & vendors, IPA/ISEC, and the private-sector constituency communicate with JPCERT/CC incident response via info@jpcert.or.jp.
  Outputs: bulletins, alerts, knowledge base, patches (by Web / E-Mail); coordination; research and development.

(2)
JPCERT/CC: Our Contact
  E-mail: info@jpcert.or.jp
  Hotline: 03-5575-7762
  Fax: 03-5575-7764
  WWW: http://www.jpcert.or.jp/
  Mailing List: http://www.jpcert.or.jp/announce.html