
Joongsup CHOI KISC/KrCERT

Joongsup CHOI KISC/KrCERT. AVAR 2004, 25-26, Nov. 2004. Network Security in Korea. Contents. I. Positive Aspects of Internet. II. Negative Aspects of Internet. III. Big BANG, Triggering Point. IV. KISC’s Role. V. Hand-on Experience. I. Positive Aspects of Internet.


Presentation Transcript


  1. Joongsup CHOI KISC/KrCERT AVAR 2004, 25-26, Nov. 2004 Network Security in Korea

  2. Contents I. Positive Aspects of Internet II. Negative Aspects of Internet III. Big BANG, Triggering Point IV. KISC’s Role V. Hand-on Experience

  3. I. Positive Aspects of Internet: Network & Connectivity
     Src.: www.caida.org
     AS Path Length Graph, `Yearly' Graph (1 Day Average)
     avg. length: Max 5.0, Average 4.0, Current 5.0
     max. length: Max 33.0, Average 29.0, Current 30.0
     Src.: http://www.cymru.com/BGP/asnpalen01.html

  4. I. Positive Aspects of Internet: Application Change
     [Diagram: Client/Server Type (Server, Clients) and Pure Distributed Type (Peers)]
     Src.: www.boardwatch.com

  5. I. Positive Aspects of Internet Volume Size of Internet Src.: www.internetstats.com & etc.

  6. I. Positive Aspects of Internet: Korea Internet Infrastructure
     Internet: 70+ ISPs; 11+ Million High Speed Internet; 86,000+ Leased Line

  7. II. Negative Aspects of Internet: Worldwide Malicious Codes
     RAT (Remote Administration Tool): a Trojan that, when run, gives an attacker the capability of remotely controlling a machine via a "client" on the attacker's machine and a "server" on the victim's machine.
     Src.: www.pestpetrol.com

  8. II. Negative Aspects of Internet: Vulnerability Points among Internet
     [Network diagram; labels in page order: RP; IOS/JuNOS B-O/F; CPE; Dial-Up; KRNET; ISP1; Peering; D/U Modem; Hijacking, Conf. Error; ISP2; Home; ISP3; ISP4; Cable Modem; Home; ISP5; ONU; GigaPOP; ISP N; Splitter; BGP4; ISP Network; CATV Head End; GigaPOP; International Internet Gateway; Foreign ISP; CM; DSLAM; 2W; BIND DNS; HDSL-RT; GigaPOP; 4W; FTP; L/L; Router; Server Farm; SendMail Mail; Video; Web; WLL; DBMS; MS: Patch!!; Apache/IIS; SQL; Web Mail; Explorer]

  9. II. Negative Aspects of Internet: Incidents depending on OS
     Windows incidents are increasing now and malicious traffic is overwhelming.
     [Chart: 2002 and 2003]
     Src.: www.krcert.org

  10. III. Big Bang - Triggering Point: Slammer Worm (’03.1/25)

      Some Parts of Slammer Source Code

          PSEUDO_RAND_SEND:
              mov eax, [ebp-4Ch]
              lea ecx, [eax+eax*2]
              lea edx, [eax+ecx*4]
              shl edx, 4
              add edx, eax
              shl edx, 8
              sub edx, eax
              lea eax, [eax+edx*4]
              add eax, ebx
              mov [ebp-4Ch], eax

      [Worldwide Phenomena]
      • Too fast to respond: Warhol
      • Too many impacted servers
      • Too widespread to co-ordinate
      • Too many re-tries to connect
      → Most Effective WORM!
      Src: www.internetpulse.net

  11. III. Big Bang - Triggering Point: Lessons from Slammer Worm
      [Diagram centered on "Secure Internet":]
      Gov.: Law Enforcement & Sec. Awareness PR
      Agency: On-Line Surveillance System
      ISP: Network Security Investment & Enhancement
      Home: Up-to-date Patch
      Corp.: Security Awareness & CERT
      SW Vendor: More Secure SW and Application

  12. III. Big Bang - Triggering Point: What Korean Government Has Done
      Law Enforcement: 2004.1.29, Rev. 2004.7.30
      • Security Inspection (ISP, IDC, Main Portal..)
      • Information Sharing Obligation with KISC
      • Emergency Response to Block Malicious Port #
      Launching KISC: 2003.12.17
      • 24h x 7d Operation
      • 5 min. Information Analysis (Traffic, port, incidents)
      • Korea Internet Security Coordination (KrCERT/CC)
      Security Awareness: 2003 – 2004
      • Security Inspection for the SME (Free of Charge)
      • Incidents Handling Manual for PC, ISP, IDC, Corp.
      • Monthly Information Security Campaign

  13. IV. KISC’s Role: National Cyber-Security Framework
      [Diagram labels: Public Sector (Gov. Agencies); Private Sector (ISPs, AV, MSSP); NIS; Incident Reports & Case Study; Information Sharing; Info. Sharing System; Co-Work; SPPO; Technology & Information; NPA]
      Public Sectors: NIS: National Information Service; SPPO: Supreme Public Prosecutors’ Office; NPA: National Police Agency
      Private Sectors: ISP: KT, DACOM, Hanaro ..; MSSP: Coconut..; AV: Ahnlab, Hauri

  14. IV. KISC’s Role: KISC’s Task and Job Flow
      [Job-flow diagram; labels in page order: Analysis; KISC; Propagation; Detect; Remote Agent; Recovery; IDS/Firewall; Notice; Mail; FAX; TRS; Mail; Web.; SMS; User; Detect; Analysis; Propagation; ISP Hot Liners; Major ISPs & MSSP; ISP/ESM; Worm Detc.; Private Sectors; KISC; Vul.; Foreign Ptn; Foreign Info.; Home Users; S/W, H/W; Notification; Messenger; Press & TV/Radio; AV/Vaccine]

  15. IV. KISC’s Role: KISC’s Today & Tomorrow
      [Diagram; labels in page order: Unix/Linux Vul; OSS; Ctr. For System Vul.; Net/ Vul; Foreign Organization; Maker; Sec. Info. Exchange; Net/ Vul; BackUp; Windows Vul.; US, Jp. Cn CERT; Nat’l Cyber Help Desk www.krcert.org; Foreign Agency; Patch Info.; Global co-work; APEC, Global VC; HoneyNet; VC 1; VC 2; IDC/SO/IDC; Telecom ISAC; Domestic Agency; Virus/Attack Sample; Bank/Stock ISAC; Home Users; ISPs; Security ASP; Corporate.; Hacker/Intruder]

  16. V. Hand-on Experience Phishing Scam Reported by : foreign CERTs or victim organizations, Response with ISPs Major Victim : US-Bank, City Bank, Bank of America, Brazilian Bank ITAU etc No. of Incidents reported to KISC

  17. V. Hand-on Experience: Anti-SPAM Activities
      Procedure: Reported by Users or ISP (Mail Service Providers)
      Countermeasure: On-site Inspection and Criminal Inspection with Prosecutors
      [Diagram with steps ① to ⑥; labels in page order: Users; ⑥ SPAM; Mail Server; Over Load; Abettor; Overload; DNS Server; ① Zombie Server; ⑤ SPAMMing; Mail Server; DNS Query; ④; ③ Lists Update; ② Malicious Code Install; Spammer; Compromised PCs]

  18. V. Hand-on Experience: Sec. Awareness and Support
      Security Awareness Activity
      1) Security Education for: Security Divide Sector (SME, PC Plaza, Users etc.)
      2) Publishing Cyber Security Manuals (Manual + CDs)
         Individual User, Corporate Network Operator, ISP, IDC, PC-Plaza Operator
      Encouraging to establish CERT
      Operation of CONCERT (CONsortium of CERT: 228 in Korea)
      On-Site Security Inspection for the SME (~ 2004)
      Target: 1,000 SME with Security Divide Sectors
      Inspection and Training (Free of Charge)

  19. V. Q&A For any further information Please contact: Choi, Joongsup : jschoi@kisa.or.kr Thanks !
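
The PSEUDO_RAND_SEND fragment on slide 10, emulated register by register in C as an added example (not part of the original presentation): the lea/shl chain multiplies the stored state by 214013 modulo 2^32, so each pass is one step of a 32-bit linear congruential generator with ebx as the increment. The function names and the treatment of ebx as a parameter are assumptions of this example, since the slide does not show how ebx is loaded.

```c
#include <stdint.h>
#include <stdio.h>

/* One pass through the slide's fragment. `state` is the dword at [ebp-4Ch];
 * `ebx` is a parameter because the slide does not show how ebx is loaded
 * (assumption of this example). All arithmetic wraps modulo 2^32. */
uint32_t slide_step(uint32_t state, uint32_t ebx)
{
    uint32_t eax = state;          /* mov eax, [ebp-4Ch]                    */
    uint32_t ecx = eax + eax * 2;  /* lea ecx, [eax+eax*2]  ->      3*state */
    uint32_t edx = eax + ecx * 4;  /* lea edx, [eax+ecx*4]  ->     13*state */
    edx <<= 4;                     /* shl edx, 4            ->    208*state */
    edx += eax;                    /* add edx, eax          ->    209*state */
    edx <<= 8;                     /* shl edx, 8            ->  53504*state */
    edx -= eax;                    /* sub edx, eax          ->  53503*state */
    eax = eax + edx * 4;           /* lea eax, [eax+edx*4]  -> 214013*state */
    eax += ebx;                    /* add eax, ebx                          */
    return eax;                    /* mov [ebp-4Ch], eax                    */
}

/* Closed form of the same step: a linear congruential generator. */
uint32_t lcg_step(uint32_t state, uint32_t increment)
{
    return state * 214013u + increment;
}

/* Compare emulation and closed form over constructed sample states. */
unsigned count_mismatches(uint32_t increment, unsigned samples)
{
    uint32_t s = 0x12345678u;      /* constructed starting state */
    unsigned bad = 0;
    for (unsigned i = 0; i < samples; i++) {
        uint32_t next = slide_step(s, increment);
        if (next != lcg_step(s, increment)) bad++;
        s = next ^ (i * 0x9E3779B9u);  /* perturb to cover more states */
    }
    return bad;
}

/* Steps until the low byte of the state returns to 0 (at most 256). */
unsigned low_byte_period(uint32_t increment)
{
    uint32_t s = 0;
    unsigned n = 0;
    do { s = slide_step(s, increment) & 0xFFu; n++; } while (s != 0 && n < 256);
    return n;
}

int main(void)
{
    printf("mismatches=%u low-byte period=%u\n",
           count_mismatches(1u, 100000u), low_byte_period(1u));
    return 0;
}
```

Because the low k bits of the next state depend only on the low k bits of the current one, they repeat within 2^k steps, so the sequence is fully deterministic and far from uniformly random.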
