Title: How to counter web-based attacks on the Internet in Korea
Global Standards Collaboration (GSC) 14
DOCUMENT: GSC14-GTSC-026
FOR: Presentation
SOURCE: TTA
AGENDA ITEM: GTSC 4.2
CONTACT(S): hyyoum_at_sch.ac.kr
- Heung Youl YOUM
- Chairman of Korea ITU-T SG17 Committee, TTA

What are web-based attacks?
- It may be surprising to realize that just visiting your favorite web site can lead either to malware being silently installed on your computer, without your knowledge and without you clicking anything, or to being annoyed by misleading applications such as fake antivirus software.
- What are web-based attacks?
  - A type of attack in which attackers compromise legitimate web sites so that malicious code is injected, which in turn can be used to infect the computers of users visiting those web sites.

Web-based attacks
- According to a Google survey released in May 2007,
  - one in 10 web sites contained malicious code capable of launching so-called drive-by download type web-based attacks.
- In web-based attacks
  - Administrators are not aware that their sites have been hacked, injected with malicious code, and used to disseminate malicious code.
  - Users are also not aware that their computers have been infected by malicious code from the sites they have visited.
  - Installing anti-virus S/W can prevent some incidents, but it does not provide an ultimate solution.

Top Web Threats for 2008
- In the Symantec threats Report-2008
  - Drive-by downloads from mainstream Web sites are increasing
  - Attacks are heavily obfuscated and dynamically changing, making traditional antivirus solutions ineffective
  - Attacks are targeting browser plug-ins
  - SQL injection attacks are being used to infect mainstream Web sites
  - Malicious advertisements are redirecting users to malicious Web sites
  - Explosive growth in unique and targeted malware samples

Typical scenarios for web-based attack in Korea
[Figure: attack flow diagram. Labels: attacker; 1,000 legitimate web sites; <iframe> </iframe>; malicious code injected web site; users]
1. Compromise the legitimate web sites.
2. Visit their favorite web sites.
3. Redirect users to the malicious web site.
5. 92,000 PCs with MS06-014 Vul. infected by malicious code.
6. Personal information such as ID/Password is transferred to attacker.
Malicious code injected web site
- Attempts to attack the PCs using 620,000 IPs.

Korea use case: MC-finder scheme (1/2)
- MC-finder scheme
  - Developed by KISA (Korea Information Security Agency) and in place since 2006.
  - A scheme to search for malicious code-injected web sites, the malicious web sites, and the web sites which redirect users to the injected malicious code, the transit web sites.
  - More than 140,000 sites in Korea are being monitored by the MC-finder scheme, as of June 30, 2009.
- During 2008, in Korea,
  - 1,324 web sites were found to be malicious code injected web sites, and 7,654 web sites turned up as transit web sites redirecting users to the malicious code injected web sites.

Korea use case: MC-finder scheme (2/2)
- Web sites to be monitored
  - Major web sites of enterprises, organizations, etc.; the top 20,000 sites according to number of visiting users
  - Sites which have already experienced web page defacement.
- Inspect web documents to check whether malicious code is injected.
- List up the infected URLs.
- It has provided the following services
  - Inform the administrators by SMS, e-mail, or phone to take necessary actions
  - Maintain and track the history of the MC-infected sites
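
The inspection step above (check web documents for injected code, then list the infected URLs), as an added Python example that is not KISA's MC-finder code. The attack scenario slide shows an `<iframe>` on the compromised site; treating an invisible iframe that loads from another host as the indicator is an assumption, as are the names `IframeAudit` and `scan` and the constructed example.* pages.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):  # True when a width/height attribute is 0 or 1 ("0", "1px")
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAudit(HTMLParser):
    """Collects iframes that are invisible and load from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        target = urljoin(self.page_url, a.get("src", ""))
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        host = urlparse(target).hostname  # None for about:blank, javascript:, ...
        if hidden and host and host != urlparse(self.page_url).hostname:
            self.findings.append(target)

def scan(pages):
    """pages maps URL -> HTML; returns {infected URL: [hidden off-site iframe targets]}."""
    report = {}
    for url, html in pages.items():
        audit = IframeAudit(url)
        audit.feed(html)
        if audit.findings:
            report[url] = audit.findings
    return report

# Constructed sample documents; the example.* hosts are placeholders.
SAMPLE_PAGES = {
    "http://shop.example.com/index.html": '<h1>Welcome</h1>'
        '<iframe src="http://transit.example.net/x.html" width="0" height="0"></iframe>',
    "http://news.example.org/": '<iframe src="/ads/b.html" width="1" height="1"></iframe>'
        '<iframe src="http://video.example.org/player" width="640" height="360"></iframe>',
    "http://blog.example.com/post": '<p>text</p>'
        '<IFRAME SRC=//cdn.example.net/c style="Display:None"></IFRAME>',
}

if __name__ == "__main__":
    print(scan(SAMPLE_PAGES))
```

The returned targets are the candidate transit or malicious hosts for each flagged page; a hidden same-site frame and a visible off-site frame are both left alone.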

Challenges
- It is nearly impossible to search all global web sites; therefore, a global collaboration framework needs to be developed. However,
  - Lack of framework for sharing security information
  - Lack of globally interoperable framework or technologies
  - No standardization activity on how to counter these web-based attacks.
- Therefore, it is necessary to
  - Identify various web-based attack scenarios, the requirements and a generic framework
  - Identify the relevant information exchange format

Next Steps/Actions
- Korea continues to upgrade the MC-finder scheme to reflect the fast-changing attack environment.
- Need for a globally interoperable framework and technologies which can combat web-based attacks effectively
- ITU-T and global SDOs are required to develop standards or guidelines for a globally interoperable scheme against web-based attacks on the Internet.
- TTA plans to contribute to launching standardization activities on a countering scheme against web-based attacks in the near future.

Proposed Resolution
- Generally needs to reaffirm the existing Resolution GSC11/13.
- However, update is required as follows
  - In recognizing clause, item i)
    - that new cyber attacks such as phishing, pharming, web-based attacks and Botnets are emerging and spreading rapidly
  - In Resolves clause, item 4)
    - work with the ITU and others to develop standards or guidelines to protect against Botnet attacks and web-based attacks and facilitate tracing the source of an attack