IEEE Fellow, IEEE ComSoC Distinguished Lecturer 從監聽門事件看資通訊安全演進 Evolution of ICT Security: A Perspective From Wiretapping 林盈達 IEEE Fellow, IEEE ComSoC Distinguished Lecturer 交通大學資訊工程系 ydlin@cs.nctu.edu.tw 11-28-2013

林盈達 Ying-Dar Lin B.S., NTU-CSIE, 1988; Ph.D., UCLA-CS, 1993 Professor (1999~)/Associate Professor (1993~1999), NCTU-CS; IEEE Fellow (2013); IEEE ComSoC Distinguished Lecturer (2014&2015) Founder and Director, III-NCTU Embedded Benchmarking Lab (EBL; www.ebl.org.tw), 2011~ Founder and Director, NCTU Network Benchmarking Lab (NBL; www.nbl.org.tw), 2002~ Editorial Boards: IEEE Wireless Comm. (2013~), IEEE Transactions on Computers (2011~), IEEE Computer (2012~), IEEE Network (2011~), IEEE Communications Magazine – Network Testing Series (2010~), IEEE Communications Letters (2010~), Computer Communications (2010~), Computer Networks (2010~) , IEEE Communications Surveys and Tutorials (2008~), IEICE Transactions on Information and Systems (11/2011~) Guest Editors of Special Issues: Open Source for Networking, IEEE Network, Mar 2014; Mobile Application Security, IEEE Computer, Mar 2014; Multi-Hop Cellular, IEEE Wireless Communications, Oct 2014; Deep Packet Inspection, IEEE JSAC, Q4 2014; Traffic Forensics, IEEE Systems Journal, early 2015. CEO, Telecom Technology Center (www.ttc.org.tw), 7/2010~5/2011 Director, Computer and Network Center, NCTU, 2007~2010 Consultant, ICL/ITRI, 2002~2010 Visiting Scholar, Cisco, San Jose, 7/2007-7/2008 Director, Institute of Network Engineering, NCTU, 2005~2007 Co-Founder, L7 Networks Inc. (www.L7.com.tw), 2002 Areas of research interests Deep Packet Inspection Attack, virus, spam, porno, P2P Software, algorithm, hardware, SoC Real traffic, beta site, botnet Internet security and QoS Wireless communications Test technologies of switch, router, WLAN, security, VoIP, 4G/LTE and smartphones Publications International journal: 95 International conference: 51 IETF Internet Draft: 1 Industrial articles: 153 Textbooks: 3 (Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011) Patents: 30 Tech transfers: 8 Well-cited paper: Multihop Cellular: A New Architecture for Wireless Communications, INFOCOM 2000, YD Lin and YC Hsu; #citations: 600; standardized into IEEE 802.11s, Bluetooth, WiMAX, and LTE

Ying-Dar Lin, Ren-Hung Hwang, Fred Baker, Computer Networks: An Open Source Approach, McGraw-Hill, Feb 2011. www.mhhe.com/lin; available now at amazon.com Facebook Q&A Communit: www.facebook.com/CNFBs ISBN: 0-07-337624-8 / 978-007-337624-0 Computer Networks: An Open Source Approach considers why a protocol, designed a specific way, is more important than how a protocol works. Key concepts and underlying principles are conveyed while explaining protocol behaviors. To further bridge the long-existing gap between design and implementation, it illustrates where and how protocol designs are implemented in Linux-based systems. A comprehensive set of fifty-six live open source implementations spanning across hardware (8B/10B, OFDM, CRC32, CSMA/CD, and crypto), driver (Ethernet and PPP), kernel (longest prefix matching, checksum, NAT, TCP traffic control, socket, shaper, scheduler, firewall, and VPN), and daemon (RIP/OSPF/BGP, DNS, FTP, SMTP/POP3/IMAP4, HTTP, SNMP, SIP, streaming, and P2P) are interleaved with the text. 3

大綱 監聽門的來龍去脈 20 mins 電話與網路監聽的可能方式 20 mins 網路通訊安全的演進歷程 20 mins Q&A 20 min

監聽門的來龍去脈 0972節費電話能否監聽? 從電信機房到監聽機房 裁判vs.球員: 法院/監聽機房 vs. 調查單位 三個政府單位(調查局, 刑事警察局, NCC)三個答案: no(如果不事先知道是節費電話), yes, don‘t know! 用戶端線路與局端線路之差異 0972630235 vs. (02)2358-5858 從電信機房到監聽機房 符合RFC3924之監聽設備 裁判vs.球員: 法院/監聽機房 vs. 調查單位

Centrex + PBX架構 分機 1000 CHT 2358-XXXX Centrex NEC Switching PBX 中華電信 虛擬總機 1000 NEC PBX 立法院 交換總機 2358-XXXX 1001 1002 E1節費專線 (0972-630231~37) 1003 用戶撥2358-XXXX，Centrex會將目的碼送給交換機，交換機會根據後四碼判斷 是要響鈴哪一隻分機。 分機撥出時，交換機會將2358(局碼)加上分機碼送出。 分機撥”0”時，NEC交換機會去抓E1節費專線，經由E1專線將通話送至CHT交換機，撥出之電話雖設定為”沒有來話顯示“，但系統仍會紀錄為0972-630231~37的撥出號碼，計價為”節費電話“之費率。 分機撥”*0”時，NEC交換機會去抓Centrex線，按平常的通信路由，將通話送至CHT交換機，此時帶出的號碼會顯示Centrex的號碼，計價為“一般費率”。

0972630235 vs. (02)2358-5858 三種組合: 立法院內各分機立法院外:控制訊息攜帶0972630235 要監聽與側錄! 立法院外(02)2358-5858立法院內各分機 無監聽與側錄 立法院外0972630235立法院內各分機

電話監聽方式 無遠端監聽系統： 遠端監聽系統： 監聽單位直接拿監聽票進機房於MDF(配線架)或在測量台上直接掛線監聽。 所有一類電信公司(固網及手機運營商)及新的特二類業者(節費公司)均已有供調查局或刑事警察局之遠端監聽系統介接，但操作、管理、監聽內容儲存、處理之設備均建置於情治單位。 一類電信運營商：一般由調查局負責監聽。 特二類(節費公司)：一般由 刑事警察局負責監聽。

Administration Function IETF RFC 3924 / ETSI ES 201671 Lawful Intercept Architecture Reference Model Law Intercept Administration Function Law Enforcement Agency (LEA) HI1(a) b MD Provisioning Interface Intercept Related Information (IRI) IAP Mediation Device (MD) Content Intercept Access Point (IAP) HI2(g) c HI3(h) e IRI (e) d f Intercept Request (d) Intercepted Content ( f) User Content User Content Service Provider Functions

建置於情治單位 建置於固網或手機運營商機房 NEC PBX E1 專線 A100 AX CHT Centrex 虛擬總機 C7

監聽只有電話不含網路? 網路也被掛線 RFC3924也包含Data Services 大部分應用協定都沒加密 常見應用協定之封包辨識沒問題 可以錄製或即時同步播放 P2P應用之封包辨識與解譯之誤判與漏判較高

裁判vs.球員: 法院/監聽機房 vs. 調查單位 電話與網路掛線人數? 三萬… anytime! 若每人被掛線平均六個月, 一年應該有六萬張監聽票!! 但實際監聽票遠低於此數! 原因?? 檢察官一張監聽票吃到飽 (wild card) 加掛不相干人等 法院失職! 球員兼裁判 球員: 檢察體系、調查局、刑事警察局 裁判: 法院、調查局、刑事警察局 調查局與刑事局辦案人員 <-> 調查局與刑事局監聽機房管理人員 不能申請監聽票的情治監聽 機房應交給第三者管理!

"非法"電話與網路監聽的可能方式 RFC3924標準監聽機房 直接與電信業者或網站業者合作 無線與有線攔截 後門程式 與調查局機房合作 直接由調查局拉線到自建機房 直接與電信業者或網站業者合作 A國政府向在A國經營的B國業者索取: 看A國市場大小 A國政府向在B國經營的A國業者索取: 最容易 A國政府向在B國經營的C國業者索取: 美國才作得到 無線與有線攔截 電纜攔截 無線攔截 IMSI Catcher: Rohde & Schwartz 2003年專利, 2012年英國法院宣告失效 Femtocatch: femtocell Bluejacking: Bluetooth, Wi-Fi, GPS, etc. 後門程式 手動: 安裝軟體(phone spy, call interception), 拷貝SIM卡 自動: 惡意程式 (malware)

直接與電信業者或網站業者合作 被電信業者或網站出賣? 電信業者已被RFC3924 用美國或日本的網站與社群較不會被出賣? 用當地國的業者一定被出賣 用敵對國的業者鐵定被出賣 用第三國的相對較不會 用Skype及Line絕對安全? 是的…. 如果它沒出賣你 乾脆用Bitmessage! Decentralized P2P 不會被出賣!

美國在各國之監聽 根據史諾登(Edward Snowden)給英國媒體的資料 有線與無線攔截? 後門程式? 與當地政府監聽機房合作 與業者機房與網站合作 有線與無線攔截? 後門程式?

無線攔截 IMSI Catcher IMSI (International Mobile Subscriber Identity) A false mobile tower – man-in-the-middle attack Identify IMSI number and intercept through protocol hacking – solicit/associate/configure/tap Masquerade as a base station and log IMSI numbers of nearby handsets No authentication of base station by handset Downgrade to GSM Disable encryption (A5/0 mode)

Defcon: Hacker shows how he can intercept cell phone calls with $1,500 device Chris Paget at Defcon in Las Vegas, 7-31-2010 Demo video at http://venturebeat.com/2010/07/31/hacker-shows-how-he-can-intercept-cell-phone-calls-for-1500/

Black Hat: Intercepting Calls and Cloning Phones with Femtocells Ritter and DePerry at Black Hat in Las Vegas on 8-1-2013 CDMA femtocell Femtocatch: 2.5-way call

後門程式 安裝軟體 拷貝SIM卡 惡意程式 StealthGenie Wireflex Call Interceptor Spyera Phone cloning Read crypto key by SIM reader Install spyware on the target phone 惡意程式 Repackaged applications Repackaged documents

StealthGenie Spy on their Calls Monitor their Internet Activities Spy on their SMS Messages Track their GPS Location Read their Emails Spy on their Instant Messengers View their Multimedia Files Monitor their Internet Activities View their Contacts and Calendar Activities Bug their phone Instant Alerts and Notifications Remotely Control their Phone

網路通訊安全的演進歷程 從伺服器到用戶端 從主動攻擊到被動傳播 從桌機與筆電到手機 從程式散播到文件搭載

General Security Issues Data security: protecting private data on the public Internet Encryption & authentication  Virtual Private Network (VPN) Access security: deciding who can access what TCP/IP firewall or application firewall System security: protecting system resources from hackers Intrusion detection and prevention Malware detection and prevention

Vulnerability Exploiting on “Servers” Buffer overflow attack Put more data to the specified buffer to cause buffer overflow Return address pointing to the cracked file to execute

Some Server Vulnerabilities Application Version Reason phf Remote Command Execution Vulnerability Apache Group Apache 1.0.3 Input Validation Error Multiple Vendor BIND (NXT Oveflow) Vulnerabilities ISC BIND 8.2.1 Buffer Overflow MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability Microsoft IIS 4.0 Univ. Of imapd Buffer Overflow Vulnerability imapd 12.264 ProFTPD Remote Buffer Overflow Professional FTP proftpd 1.2pre5 Sendmail Daemon Mode Vulnerability Eric Allman Sendmail 8.8.2 Input Validation Error RedHat Piranha Virtual Server Package Default Account and Password Vulnerability RedHat Linux 6.2 Configuration Error Wu-Ftpd Remote Format String Stack Overwrite Vulnerability wu-ftpd 2.6

Open Source Implementation 8.7: Snort Three modes Sniffer Read and decode network packets Packet logger Log packets to disk Intrusion detection system Analyze traffic based on pre-defined rules Perform actions based upon what it sees

Writing Snort Rules Rule header alert tcp any any - > 10.1.1.0/24 80 Rule option (content: “/cgi-bin/phf”; msg: “PHF probe!”;) action protocol Source address and port number destination address and port number inspective part alert message

Open Source Implementation 8.6: ClamAV Introduction open-source package for virus scanning have detected over 570,000 malicious codes (viruses, worms and trojans, etc.) with the release of 0.95.2 version Types of signatures MD5 for a certain PE section (part of an executable file) basic signatures of fixed strings (to be scanned in the entire file) extended signatures (in a simplified form of regular expressions containing multiple parts logical signatures (multiple signatures combined with logical operators)

Block Diagrams of ClamAV for signature loading for signature matching

Performance Matters: Comparing Intrusion Detection, Antivirus, Anti-Spam, Content Filtering, and P2P Classification Snort DansGuardian ClamAV SpamAssassin L7-filter Percentage of string matching 62% 86% 57% 31% 70% Inspection depth Byte jump Http request / response All attachment content Mail header/ body First 10 packets

Distribution of Captured Malware: Active Collection vs Distribution of Captured Malware: Active Collection vs. Passive Collection Active collection and passive collection are quite disjoint.

Architecture of a Botnet

Distribution of Malware’s Capture Time More zero-day malware can be collected “actively”. Ying-Dar Lin, Chia-Yin Lee, Yu-Sung Wu, Pei-Hsiu Ho, Fu-Yu Wang, Yi-Lang Tsai, "How Different Are Malware Collected Actively and Passively?," IEEE Computer, to appear in 2014.

Behaviors by GFI Sandbox Some permissions are potentially more malicious than the others. 1 2 3 4 5 6 7 8 9 10 11 12

Top 20 Requested Permissions by Android Malware Again, some permissions are potentially more malicious than the others.

Malicious Behaviors Host behaviors Network behaviors Non-intrusive behaviors Network behaviors Intrusive behaviors Benign behaviors Suspicious behaviors Malicious network behaviors (intrusive behaviors) Malicious behaviors (non-intrusive behaviors)

PC與Android行為、傳播、偵測方式比較   PC Android 行為 用戶端行為 資料檔案破壞、隱私竊取、系統執行程序錯亂、佔用大量的電腦資源 網路端行為 網路擁塞 資料破壞、隱私竊取、 金融商業行為 傳播 超連結、電子郵件附件、P2P軟體、USB/磁片/光碟 APK檔案 偵測方式 Behavior-based detection & Signature-based detection Signature-based detection

APK檔案架構 APK檔案架構 說明 META-INF (Directory) Manifest.mf Manifest file Cert.rsa Application certification Cert.sf List of resources/SHA-1 Res (Directory) Resource used by APK(png/xml) Resources.arsc List of resource locations AndroidManifest.xml Android binary containing name, version, permissions Classes.dex Compiled source code

Android惡意程式行為及種類   Trojan Rootkit Spyware Adware PuA Backdoor Geinimi  PJApps ADRD DroidDream droidKungFu SMS.FakeInst GGTracker J.SMSHider DroidDreamLight BgServ RogueSPPush NickySpy Toolbar.MywebSearch Ropin Trojan(對使用者的資料，做惡意的行為)、Rootkit(權限的更動)、Spyware(監聽使用者隱私)、Adware(對使用者散播無意義廣告)、PuA(對使用者的手機資源惡意使用)、Backdoor(利用程式中的後門，在使用者執行程式時竊取資料)

APT 攻擊 vs. 傳統攻擊 APT Attacks Traditional Attacks Persistent Yes No   APT Attacks Traditional Attacks Persistent Yes No Targeted Planned Custom exploits Hidden Motivation Collect benefit information and Exfiltration Variable

最新網路駭客攻擊方式與解決技術 最新攻擊方式 解決技術 殭屍電腦網路(botnet) 重新打包之應用程式(repackaged app) 進階持續性威脅(APT, Advanced Persistent Threat) 解決技術 特徵碼比對(signature matching) 行為分析(behavior analysis) 逆向工程(reverse engineering)

惡意程式偵測方法 Three methodologies for malware detection Static Analysis Behavior Analysis Reverse Engineering Attributes Methods Execute File Fast/Slow Information Overhead Example tools Static Analysis No Fast General Low ClamAV Behavior Analysis Yes Slow High ViCheck.ca Joe Sandbox Reverse Engineering Partial Detailed Xecure

樣本收集 300 APT samples CVE Number File Type # Samples Product Vulnerability CVE-2010-0188 PDF 48 Acrobat Reader Adobe Reader PDF LibTiff Integer Overflow CVE-2010-2883 24 Acrobat & Acrobat Reader Adobe CoolType SING Table Stack Buffer Overflow CVE-2010-3333 RTF 52 Microsoft Office MS Office 2010 RTF Header Stack Overflow CVE-2011-2462 25 Adobe Reader U3D Memory Corruption CVE-2012-0158 131 Stack Buffer Overflow in MSCOMCTL.OCX CVE-2013-0640 20 Adobe Reader Unspecified Buffer Overflow

Heap spraying After heap spraying Normal heap layout Used memory : 300 MB 300 MB 200 MB 200 MB 100 MB 100 MB 0 MB 0 MB Used memory : Used memory : Free memory : Free memory : Shellcode :

Experiment 1: 逆向工程 Classifying samples by malware region malicious pFragments 42% Outside structure 7% 2 regions Datastore+ outside structure 2% + outside structure 18% Objdata 1% Datastore 2% 3 regions pFragments+ outside structure 10% benign 13% Error 2% CVE-2010-3333

Experiment 2: 逆向工程 Classifying samples by malware region benign 3.3% malicious pFragments 0.6% Outside structure 19.6% 2 regions +outside structure 0.3% Datastore +Objdata datastore+ outside structure 0.3% Themedata +outside structure 1% Themedata +Objdata 5.6% Objdata 39.6% 7.3% Themedata 21% CVE-2012-0158

Experiment 3: 正向工程 Embedding malware into normal RTF After embedding: malware is detected context does not change context Normal RTF file context shellcode Embedded malicious code RTF shellcode Malicious RTF Sample

APT總結 APT的特點: 客製化樣本、匿蹤 偵測方法: 靜態、動態、逆向工程 在RTF文件塞惡意程式 加shellcode Where: pFragments, OBJDATA, Themedata, Datastore, Outside structures 不同惡意程式用不同區塊 相同CVE的惡意程式也會用不同區塊

結論 電話與網路監聽氾濫 更高層次之資通訊安全 個人自保之道? 法規要將球員與裁判釐清 技術方法多元: RFC3924, 索取, 攔截, 後門 相關正反向產品有市場潛力 更高層次之資通訊安全 從伺服器到用戶端 從主動攻擊到被動傳播 從桌機與筆電到手機 從程式散播到文件搭載 個人自保之道?

Q&A Q1: 0972節費電話之分機不能被RFC3924監聽機房監聽。 Q2: 電信業者不知道RFC3924監聽機房所監聽之對象為何。 Q6: 防毒軟體常常抓不到APT是因為: (1)沒有取得病毒樣本、(2)病毒會變形以至於病毒碼比對不到、(3)沒有去動態執行文件檔中的macro程式、(4)以上都可能。 Q7: Honeypot收集惡意程式的特性: (1)主動收集主動傳播、(2)主動收集被動傳播、(3)被動收集主動傳播、(4)被動收集被動傳播。 Q8: 手機病毒目前最常見的傳播方式為: (1)主動傳播之程式、(2)主動傳播之文件、(3)被動傳播之程式、(4)被動傳播之文件。 Q9: 特徵碼比對、行為分析與逆向工程三者中何者有執行病毒程式: (1)特徵碼比對、(2)行為分析、(3)逆向工程、(4)行為分析與逆向工程、(5)特徵碼比對與行為分析、(6)特徵碼比對與逆向工程。 Q10: 哪些資通訊產品使用習慣是高度危險的 (複選): (1)手機之Bluetooth的default設定是打開、(2)手機借朋友、(3)別人可以看到你Facebook的好友有哪些、(4)使用Line或Skype通訊、(5)使用WeChat通訊、(6)在P2P網路尋找程式、音樂與遊戲。