Cyber Security and Internet Governance - HKUST HKUST Cybersecurity.pdf · What is Cyber Security...


Cyber Security and Internet Governance

SC Leung CISSP CISA CBCP

Who am I?

Director, Internet Society Hong Kong

Work experience:
• Information Security
• ISP
• Banking
• Telecom
• Software Distributor
• School Teacher

Working Groups:
• Internet Accessibility
• Internet technology, e.g. IPv6, DNSSEC
• Internet Security & Privacy
• Copyright and Creativity
• Startup

Activities:
• Seminars, conferences, campaigns (IPv6 in Action) and workshops, startup award, policy paper

What can be hacked?

Do you buy this argument?

Source: Apple Daily, July 27, 2013

Everything has a computer in it. Every computer can be hacked.

Students faked GPS signals to "hijack" an $80M yacht

Source: Networkworld, July 29, 2013

Can this be hacked?

Which has more attack surfaces?

Can this be hacked?

What are Cyber Security Risks?

TERMS
• Attacks: explicit actions to damage
• Threats: dangers, motives to attack
• Vulnerabilities: security holes
• Impacts: the damage done to the victim
• Risks: probability of damage/loss/negative effects

Hong Kong's Internet Profile

Internet and Economy of Hong Kong

Internet's contribution to the HK economy (2009): USD 12.4B (5.9% of GDP)
• 1/3 consumption
• 1/3 government/private investment in Internet-related goods/services
• 1/3 net exports of e-commerce and hardware

Projected growth: 7% per year
Source: Study by Boston Group, commissioned by Google

Hong Kong Communication Statistics

Internet Services (Jan 2015, CenStatD)
• Internet penetration rate 73% (5.75M)
• Household broadband penetration rate 83.2%
• Public Wi-Fi access points 30,297

Mobile Services (Nov 2014, CenStatD)
• Mobile subscribers 17.5M
• Mobile penetration rate (Nov 2014) 241.7%
• Smartphone users accessing the Internet daily 96%

Facebook Users (Jan 2014, TNS): 4.4M

Economies with the fastest Internet speed
• Hong Kong 1st: 84.6Mbps
• Singapore 2nd: 83Mbps
• South Korea 3rd: 74.2Mbps
• Japan 4th: 65.1Mbps

Economies with the highest share of attack traffic

Internet Speed and Attack

Source: Akamai 2014-Q3 Internet Report

The Attackers: The Threat

Traditional Attackers
• Script Kiddies
• Genius Hackers
• Disgruntled Workers
• Business Rivals

Modern Attackers
• Nation State
• Hacktivist
• Cyber Criminal

Image credits: Infographics of WatchGuard

Modern Attackers: Cyber Criminal

Motive: $$$
• Underground economy
• Crime-as-a-Service
• Botnet infrastructure
• Advanced (banking) Trojans
• Moving to mobile and cloud

Cybercriminal Underground Economy

Sales ranking on the underground economy. Source: Symantec

Modern Attackers: Hacktivist

Motive: Ideological
• High profile
• Crowdsourcing
• Data leakage → DDoS

Anonymous Hacktivist Group

Modern Attackers: Nation State

Motive: Political/Military
• Targeted critical infrastructure
• Advanced malware / attacks
• Low profile
• Espionage

Critical Infrastructure at Risk

Stuxnet botnet (2010)
• Designed to overcome the network (air) gap
• Targeted programmable logic controllers in the Natanz nuclear facility in Iran

Supervisory Control and Data Acquisition (SCADA) in critical infrastructure:
• Water and sewage systems
• Hospitals
• Telecommunications
• Transport

Targeted Attacks on the Critical Infrastructure of Trust

Stolen digital certificates used by Stuxnet (Jan 2011) and Duqu (Oct 2011)

RSA SecurID hacked (Mar 2011)
• Caused a global replacement of tokens over several years

Certificate Authority attacks
• Comodo (Mar 2011), DigiNotar (Aug 2011), DigiCert Malaysia (Nov 2011)
• More Dutch CAs: Getronics KPN CA (Nov 2011), GemNet (Dec 2011)

Consequences
• Root certificates of these CAs were distrusted or removed from browsers/OSes
• Some went out of business after the attack
• The attacks reach down to the root of trust of the Internet

Impacts of the New Chemistry

Diagram: Nation X vs Nation Y, with collateral damages

• Lower hurdle to access sophisticated attack technologies
• Attack services provided to hacktivists

Vulnerabilities

Image credit: http://www.acunetix.com/

Software Vulnerabilities

Source: Security bulletins in www.hkcert.org

Mac OS Security Vulnerabilities

Some people think "We don't need anti-virus for Mac OS". Is this true?

Flashback Trojan for OS X
• Appeared in Sep 2011, pretending to be an Adobe Flash installer
• Evolved to target a Java runtime vulnerability on Mac computers in 2012
• Said to have infected 500,000 Mac computers

Java vulnerability targeted by Flashback
• Oracle announced it in Nov 2011
• Apple did not patch it until Apr 2012

Conclusion
• Do not believe the myth "Apple does not need antivirus"

Who are you really talking to?

Social Engineering relies heavily on identity theft

Email Spoofing

Threats, Vulnerabilities, Risks and Risk Mitigations

Diagram: Threats (disasters, attackers) carry out Attacks that exploit Vulnerabilities (system / human) in Your System / Data, leaving a Compromised System / Data. The Risk is the probability of that outcome; Risk Mitigations (technology / awareness) reduce it.

Attacks

Malware Propagation Channels

Executables
• Fake security software
• Fake video player codec

Document Malware
• Embedded malware in PDF or Office files
• Botnet-served PDF malware

Image by Websense

Website
• Legitimate and trusted websites compromised
• Web admins unable to detect and mitigate the risks
• Exploits imported from other servers via iframes and redirects
• Once the browser is compromised, a dropper downloads and installs the actual bot malware

Multi-stage infection (drive-by download)

Diagram: the victim's browser sends a web request to an injected web server; the injected content redirects the browser to an exploit server, and the exploit then drops and installs the bot malware from a malware hosting server.

Threat: Botnet (roBot Network)

Diagram: a Bot Herder issues commands through the C&C (Command & Control Centre) to the Bots, which carry out the attacks. The bots are your computers!

C&C services:
• Manage
• Update
• Survive adverse conditions

Reflective DDoS using Open DNS Resolvers

Parties: Attacker A, Bots, misconfigured open DNS resolvers C, Server B under attack

(1) A wants to attack B without being identified.
(2) A (through the bots) sends DNS queries to the resolvers C with Server B's address spoofed as the source: "domain.com TYPE = ANY". Packet size = 20 bytes.
(3) The resolvers answer the query for a domain they are not authorized for and send the amplified DNS reply to B. Packet size = 1,200 bytes.
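The reflection sequence above, seen from the resolver operator's side. This is an added example, not code from the slides: it scans constructed resolver log lines (a hypothetical format: source IP, query name, query type, query bytes, reply bytes) and flags answers that an open resolver reflected to addresses outside the networks it should serve, using the slide's 20-byte ANY query and 1,200-byte reply (60x amplification). ALLOWED_CLIENTS, the threshold and the sample addresses are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: an ISP resolver that should only answer recursive queries from these ranges.
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]
# Reply/query size ratio above which a single answer is treated as amplified (assumed).
AMPLIFICATION_THRESHOLD = 10.0

def parse_line(line):
    """Parse one constructed log line: src_ip qname qtype query_bytes reply_bytes."""
    src, qname, qtype, qbytes, rbytes = line.split()
    return {"src": ipaddress.ip_address(src), "qname": qname, "qtype": qtype,
            "qbytes": int(qbytes), "rbytes": int(rbytes)}

def is_outside_client(rec):
    """True when the (claimed) source is not a network this resolver should serve."""
    return not any(rec["src"] in net for net in ALLOWED_CLIENTS)

def amplification(rec):
    """Bytes sent to the source per byte received: 1200/20 = 60 for the slide's example."""
    return rec["rbytes"] / rec["qbytes"]

def analyse(lines):
    """Per claimed source IP: amplified answers, bytes reflected to it, largest ratio."""
    report = defaultdict(lambda: {"suspicious": 0, "reflected_bytes": 0, "max_factor": 0.0})
    for line in lines:
        rec = parse_line(line)
        factor = amplification(rec)
        if is_outside_client(rec) and (rec["qtype"] == "ANY" or factor >= AMPLIFICATION_THRESHOLD):
            entry = report[str(rec["src"])]  # the spoofed address is the victim, not the attacker
            entry["suspicious"] += 1
            entry["reflected_bytes"] += rec["rbytes"]
            entry["max_factor"] = max(entry["max_factor"], factor)
    return dict(report)

# Constructed sample: 198.51.100.7 plays "Server B", whose address the bots spoof.
SAMPLE_LOG = [
    "198.51.100.7 domain.com ANY 20 1200",
    "198.51.100.7 domain.com ANY 20 1200",
    "203.0.113.5 www.example.org A 30 60",   # legitimate customer, normal answer
    "198.51.100.7 domain.com ANY 20 1200",
    "192.0.2.9 www.example.org A 30 80",     # outside client, but no amplification
]

if __name__ == "__main__":
    for victim, entry in analyse(SAMPLE_LOG).items():
        print(f"{victim}: {entry['suspicious']} amplified answers, "
              f"{entry['reflected_bytes']} bytes reflected, max x{entry['max_factor']:.0f}")
```

Restricting recursion to ALLOWED_CLIENTS (and rate-limiting responses) closes the resolver as a reflector; only ingress filtering of spoofed sources at the bots' networks stops the spoofing itself.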

Hong Kong Security Profile

Critical Attacks in Hong Kong

Recent Cases
• 第一亞洲商人金銀業有限公司 (Feb 2012)
• HK Stock Exchange 披露易 (HKEXnews) (Aug 2011)

Civil e-Voting Campaigns targeted
• 2012
• 2014: attack bandwidth up to 400Gbps (source: CloudFlare)

Territory-wide attack no longer a myth

Hong Kong experienced a territory-wide attack in October 2014: the Operation Hong Kong campaign initiated by a hacktivist group.

• Many websites targeted, both government and non-government
• In the form of web defacement, DDoS attacks and intrusion into information systems
• Also brought collateral damage to other users in neighbouring networks

[Bar chart: security incident reports handled per year, x-axis 2005 through 2014; the 2014 bar reads 3,443]

Security Incident Reports Handled in the Past 10 Years

80% of incident reports in 2014 were referred by external parties

+103%

Total: 3,443
• Botnet: 1,973 (57%)
• Phishing: 594 (17%)
• Malware: 298 (9%)
• Defacement: 146 (4%)
• Distributed Denial-of-Service (DDoS): 125 (4%)

Incident Reports Breakdown in 2014

[Pie chart: Botnet 57%, Phishing 17%, Malware 9%, Web Defacement 4%, DDoS 4%, remaining categories 9%]

Prediction

Mobile Malware: China statistics 2012
• 95% of mobile malware targets Android (NQ Mobile)
• Infected 32.8M smartphones
• 28% collect personal data for $$
• Mostly from unofficial app stores
• Malware packaged into normal apps and put on app stores

Mobile banking: is it secure?

Two-factor authentication using SMS?
• Some banks start to use the phone as the client tool
• Loss of out-of-band communication when SMS is used as a soft token → a token device is recommended

Unauthenticated mobile apps

Hackers ported the Zeus botnet to mobile
• Zeus: botnet targeting financial institutions
• Man-in-the-Mobile attack (Mitmo)

More iOS malware

WireLurker infected jailbroken (JB) and non-JB devices. Infections via synchronization with the desktop:
• Mac malware hosted on the piracy app store 麥芽地 (Maiyadi)
• The Mac malware monitors the USB connection and syncs with the iOS device to infect it with WireLurker
• Uses an enterprise provisioning profile to install malware not published on the Apple App Store

Security Implications of the Internet of Things

IoT Security Outlook

• Hackers now control Internet devices to steal data, or use them to launch attacks
  • IP cameras: leaking personal privacy
  • Broadband routers: launching DDoS
  • TV boxes: compromised by preloaded malware
• Potential threats for the "Internet of Things"
  • Smart Home, Smart Watch or Industrial Control System (ICS) connected to the Internet

Diagram: Remote Control (mobile devices) and Personal Cloud (managed service) connect through the Home Gateway to the Home Devices

Reference: http://www.gsma.com/connectedliving/wp-content/uploads/2012/05/Marcos-Zart-Amdocs_Connected_Home-SmartCity-2012-June.pdf

Smart Home

Google Nest thermostat hacked (researchers at the University of Central Florida)
• Can boot via USB to bypass verification and install any code
• Can read the log file that contains local Wi-Fi credentials in plaintext
• Can block sending logs back to the server

https://www.blackhat.com/docs/us-14/materials/us-14-Jin-Smart-Nest-Thermostat-A-Smart-Spy-In-Your-Home.pdf

Smart Car Security

BMW issues security patch for ConnectedDrive after unlocking hack discovered (Feb 2015)
• Hack: a fake cellphone base station intercepted mobile network traffic so that forged commands could be sent to the BMW server to open the car window
• http://grahamcluley.com/2015/02/bmw-security-patch/

Cybersecurity, Freedom and Privacy

The Internet 911?

Cybersecurity
• A national defense strategy
• Countries want more control

Internet Freedom and Privacy
• Human Rights

Edward Snowden on digital surveillance

Is general surveillance justified for national security? Data privacy concerns:
• Data in transmission
• Data in storage
• Snowden said "strong encryption helps"

Data sovereignty issue
• Brazil regulating cloud firms to open local data centres for Brazilian citizens (Nov 2013)
• http://www.computing.co.uk/ctg/analysis/2309148/why-brazil-s-privacy-push-could-cost-firms-dear

Risks to Privacy

Big Data
• Lenovo SuperFish adware: preinstalled adware leaking personal data
• GrayFish disk firmware leaking personal data: http://thehackernews.com/2015/02/hard-drive-firmware-hacking.html
• Xiaomi phones uploading user data to the cloud: http://www.lowyat.net/2014/08/f-secure-confirms-new-xiaomi-miui-update-fixes-discreet-user-data-uploads/

Some trends worth noting

The Internet has contributed greatly to globalization. Lack of trust → is localization emerging?
• Use our own digital products
• Train our own professionals
• Do our own research and do not share it
• Mandate code review of foreign products

Fragmented Internet
• Filtering content

Arab Spring 2010 and afterwards

• Most popular Twitter hashtags in the Arab region in 2010 and 2011: "Egypt", "Jan25", "Libya", "Bahrain" and "protest"
• Arab Social Media Report, March 2011
• 9 in 10 Egyptians and Tunisians used Facebook to organise protests or spread awareness

Image credit: http://blogs.worldbank.org/publicsphere/media-revolutions-43-million-arab-users-facebook

43 Million Arab Users on Facebook

Internet Governance becomes a hot debate

Internet Governance: currently a distributed model

ITU World Conference on International Telecommunications (WCIT), December 2012
• Debate on the new International Telecommunication Regulations (ITR) to include regulation of the Internet

WCIT 2012 Dubai

The Dubai meeting became a hotspot: some member states tabled very controversial proposals, including:

• Extending the ITU's regulatory authority from telecommunications to include the Internet. Some African member states even proposed to expand it further to anything relating to "ICT".
• Requiring member states to address cyber security and anti-spam issues
• Permitting member states to impose restrictions on the routing of Internet traffic and to collect subscriber identity information

"Cold War" in the Dubai Meeting

One camp proposed to regulate the Internet; it included Russia, China, and some Arab and African countries. The other camp, including the United States, Canada, EU countries and their allies, insisted on maintaining a multi-stakeholder governance model for an open and free Internet. The two camps stalled in a tug-of-war. Finally, the Chairman announced the new regulations, with effect from January 1, 2015.

Signature of the Final Acts

89 signed, 55 did not sign

After the Dubai Meeting

The Internet Society published the "Global Internet User Survey 2012" report:
• 83% agreed or agreed strongly that access to the Internet should be considered a basic human right.
• 89% agreed or agreed strongly that Internet access allows freedom of expression on all subjects, and
• 86% agreed or agreed strongly that freedom of expression should be guaranteed.

The European Union published its Cyber Security Strategy in February 2013
• Human rights being a fundamental of cybersecurity

Internet Governance

ICANN: a distributed governance model with inputs from multiple stakeholders: governments, public organizations and netizens.

Governments, Public Organizations, Business, Common People

Thank You