Sunday, 23 October 2011

Incident Handling

Incidents
•    Incidents are a part of electronic life
•    Accidental vs. deliberate
•    They often occur at an inconvenient time (e.g. the admin is away, or a deadline is looming)
Examples
•    Virus outbreak
•    Spam mail, mail bombs
•    Privilege attacks, rootkits, intrusions
•    DoS attacks
•    Other scenarios that might occur must also be thought through
•    The definition of “incident”
Do the following count as incidents?
•    Threats, hoaxes, viruses
•    Computer intrusion, DoS attack, insider theft of information, any unauthorized or unlawful network-based activity
Definitions
•    David Theunissen, “Corporate Incident Handling Guidelines”:
Incidents are “the act of violating or threatening to violate an explicit or implied security policy”
•    Kevin Mandia & Chris Prosise, “Incident Response”:
“Incidents are events that interrupt normal operating procedure and precipitate some level of crisis”
Goals of “Incident Handling”
•    Establish whether an incident has actually occurred
•    Collect accurate information
•    Collect and handle evidence
•    Keep the activity within a legal framework (e.g. privacy issues, legal action)
•    Minimise disruption to business and network operations
•    Produce an accurate report together with recommendations

Methodology

•    From Kevin Mandia & Chris Prosise, “Incident Response”
•    Pre-incident preparation
•    Detection of incidents
•    Initial response
•    Response strategy formulation
•    Duplication (forensic backups)
•    Investigation
•    Security measure implementation
•    Network monitoring
•    Recovery
•    Follow-up

Incident Handling Problems
Technical
•    What exactly must be reported?
•    Is any of the information confidential? (IP numbers, user IDs, passwords, data, files)
•    Is packet scrubbing needed?
•    Too little / too much data gets reported
•    Availability of a trouble ticketing system and help desk (24 hours?)
•    Log data is often unavailable, which makes incident handling difficult

Incident Handling Problems (2)

•    Non-technical
•    Organisation:
•    Where (to whom) should an incident be reported? Need for an “Incident Response Team” (IRT)
•    Report to a higher-level organisation outside the local institution (e.g. ID-CERT, APSIRC, CERT)? Useful for statistics (is there a regional outbreak?)
•    Relationship with policies & procedures and SOPs, which institutions often lack
•    Availability of human resources (staff)
•    What qualifications are needed?
budi.paume.itb.ac.id/courses/ec5010/incident-handling.ppt

Web Security

Web security
Web security is part of computer/information security. The question that arises in computer security, and likewise in web security, is: “what must be secured?”
Electronic Assets
Electronic assets are the targets of attacks that threaten the security of computer systems or information systems. Electronic assets are the most valuable assets of a company or industry that depends day to day on computer systems and networks to carry out its business transactions. 'Electronic assets are data and programs'

The Difference Between Hackers and Crackers
A hacker is a person intensely interested in the arcane and recondite workings of any computer operating system. Hackers are most often programmers. As such, hackers obtain advanced knowledge of operating systems and programming languages. They might discover holes within systems and the reasons for such holes. Hackers constantly seek further knowledge, freely share what they have discovered, and never intentionally damage data.

A cracker is one who breaks into or otherwise violates the system integrity of remote machines with malicious intent. Having gained unauthorized access, crackers destroy vital data, deny legitimate users service, or cause problems for their targets. Crackers can easily be identified because their actions are malicious.

Risks of Web security
•    Loss of customer confidence, trust and reputation, with the consequent harm to brand equity and consequent effects on revenue and profitability;
•    Possible loss of the ability to accept certain payment instruments, e.g. VISA, Mastercard;
•    Negative impact on revenues and profits arising from any falsified transactions and from employee downtime;
•    Website downtime, which is in effect the closure of one of the most important sales channels for an ebusiness;
•    The expenditure involved in repairing the damage done and building contingency plans for securing compromised websites and web applications; and,
•    Legal battles and related implications from Web application attacks and lax security measures, including fines and damages to be paid to victims.

Web security Attacks
•    Passive attacks
     •    Sniffing (capturing messages)
     •    Trapper web (a decoy website set up to trap users)
•    Active attacks
     •    Denial of Service (DoS)
     •    Buffer overflow
     •    SQL injection
     •    Cross-site scripting
     •    Session hijacking
     •    Directory traversal attack
     •    Authentication attack (brute-force attack)

http://overflow.web.id/source/Web-Security.pdf

Blaster worm

A small piece of code / program that turns an infected Windows machine into an enemy of other Windows machines. Blaster usually attacks port 135, RPC (Remote Procedure Call), one of the components of Windows; besides attacking port 135 RPC, Blaster is a worm virus that attacks PC users directly. Blaster spreads by searching for port 135 RPC.

Sasser virus: by definition the same as Blaster and Nachi, differing only in how it attacks, in that Sasser attacks LSASS (Local Security Authority Subsystem Service), i.e. the Windows licence or the Windows licence protocol. It spreads through TCP port 445 (NetBIOS) on the PC; where there is a weakness on that TCP port 445, it will be attacked. Like Blaster and Nachi, Sasser is also a worm virus that attacks PC users directly.

Code Red II

CODE RED. Exploiting that vulnerability in the Index Server ISAPI, on 12 July 2001 a worm named “Code Red” appeared that attacked all IIS web servers, its action being to change the front page of websites on infected servers. Not long after, on 19 July 2001, Code Red I appeared, the second version of the Code Red worm, spreading faster. Many improvements to the worm program enabled it to infect 359,000 computers in just 14 hours; like the first version, this worm also put itself permanently into a dormant state on 20 July. In August 2001 Code Red appeared again in a different version, “Code Red II”, which came with a very dangerous payload. This worm still exploited the same vulnerability as the earlier versions; with a small change to the program, the worm creates a trojan “explorer.exe” and places it in the root directory.
http://alanisa.comyr.com/2007/11/06/perkembangan-worm-non-lokal/

w32.sircam worm

W32/Sircam-A is a network-aware worm. The worm spreads via email and by using open network shares. The worm arrives in an email with a random subject and body text. The attached filename is also randomly chosen, but it has a double extension (for instance, .doc.com or .mpg.pif).
If the attachment is opened, the worm copies itself into the Windows System directory with the filename scam32.exe. The worm also copies itself as a file called sirc32.exe to the Recycled files directory with its file attributes set to hidden. The worm changes the registry key:
        HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Driver32
so that it runs on Windows startup. The registry key:
        HKLM\SOFTWARE\Classes\exefile\shell\open\command
is also changed so that the worm runs before any other executable file is opened. If the worm finds any open network share, it will attempt to copy itself into the Windows directory on the machine with an open share, with the filename rundll32.exe. The original rundll32.exe file is renamed to run32.exe. If this is successful, the worm changes the file autoexec.bat so that it includes a command to run the worm file previously dropped to the Windows directory.
The worm contains its own SMTP routine, which is used to send email messages to email addresses found in the Windows address book and the temporary internet folder, where cached internet files are kept.
When a recipient opens this attachment, his system gets infected and then the included document is displayed. This way the worm's activity is disguised. Messages sent by the worm look like this:
Subject: Document file name (without extension)
From: [user_of_infected_machine@...]

To: [random@...]

Hi! How are you?
I send you this file in order to have your advice

See you later! Thanks

http://antivirus.about.com/library/weekly/aa071801a.htm
In Microsoft® Windows, the 'My Documents' folder is one of the most accessible, whether from the desktop, Windows Explorer, or the default save-to location in many programs. As a result, many use it as a repository for all their data files - even those which contain sensitive or confidential information. This practice has never been a good idea as it gives ill-intentioned intruders a virtual roadmap to your personal and work output. The SirCam worm takes the vulnerability one step further, using the contents of the folder to package and disguise itself to others.
Sircam (a.k.a. I-Worm.Sircam, W32.Sircam, and W32/SircCam) mass-mails itself using addresses found in the Windows Address Book and in cached email addresses found on the system. The attachment it sends is a compilation of its infection routine and a file found in the My Documents folder. The original name of the file is left intact, with an executable extension appended to it. For example, .PIF, .COM, or .EXE would be added to the original filename, thus myphoto.jpg would become myphoto.jpg.exe. Users who did not have file extension viewing enabled would see only the original extension and, in the example above, could be tricked into believing an executable file was actually a harmless image file.
The worm then mails itself in an email with following message body:  
Hi! How are you?  
I send you this file in order to have your advice  
See you later! Thanks  
The subject line of the email is the name of the original file. When the infected attachment is executed, whatever file was "lifted" from the sender's My Documents folder is displayed, thus disguising the SirCam worm's actions. This is particularly risky, as an infected user who stores confidential data in the My Documents folder could easily find proprietary and sensitive data mass-mailed to others.
SirCam then copies itself to the Recycle Bin, C:\recycled\SirC32.exe, in an attempt to avoid detection by some antivirus scanners. The worm modifies the registry, [HKEY_CLASSES_ROOT\exefile\shell\open\command], so that the worm is run first when any .EXE on the system is run. This method makes improper removal of the worm a dangerous proposition. If the worm is deleted before the registry modification is corrected, no .EXE on the system will run.
http://groups.yahoo.com/group/asidharta/message/616
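As an added example (not code from the page or its sources), here is a small mail classifier for the Sircam traits described above: the double-extension attachment, the subject equal to the stolen file's name without its extension, and the fixed body text. The sample messages are constructed, and EXEC_EXTS covers only the outer extensions the text names.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Outer extensions the text says Sircam appends to the stolen document's name
EXEC_EXTS = {"exe", "com", "pif"}

# Body lines quoted in the text; matched case-insensitively
SIRCAM_PHRASES = (
    "hi! how are you?",
    "i send you this file in order to have your advice",
    "see you later! thanks",
)


@dataclass
class Mail:
    subject: str
    body: str
    attachment: Optional[str]   # attachment filename, or None


def double_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (inner, outer) for names like myphoto.jpg.exe, else None.

    Only a non-executable inner extension followed by an executable outer
    one counts, so setup.exe and archive.tar.gz are not flagged."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return None
    stem, inner, outer = parts
    if stem and inner and inner not in EXEC_EXTS and outer in EXEC_EXTS:
        return inner, outer
    return None


def sircam_indicators(mail: Mail) -> List[str]:
    """List which of the described Sircam traits the message shows."""
    hits = []
    if mail.attachment:
        ext = double_extension(mail.attachment)
        if ext:
            hits.append("attachment has double extension .%s.%s" % ext)
            # the worm uses the stolen file's name (no extension) as subject
            stem = mail.attachment.rsplit(".", 2)[0]
            if mail.subject.strip().lower() == stem.lower():
                hits.append("subject equals attachment name without extension")
    body = mail.body.lower()
    found = sum(1 for p in SIRCAM_PHRASES if p in body)
    if found >= 2:
        hits.append("%d of %d Sircam body phrases present" % (found, len(SIRCAM_PHRASES)))
    return hits


def is_sircam_like(mail: Mail, min_hits: int = 2) -> bool:
    return len(sircam_indicators(mail)) >= min_hits


SAMPLES = [  # constructed samples, not captured worm traffic
    Mail("myphoto", "Hi! How are you?\n\nI send you this file in order to have "
         "your advice\n\nSee you later! Thanks\n", "myphoto.jpg.exe"),
    Mail("Agenda", "Please find the agenda attached.", "agenda.pdf"),
]
```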

Morris worm

The Morris worm or Internet worm of November 2, 1988 was one of the first computer worms distributed via the Internet. It is considered the first worm and was certainly the first to gain significant mainstream media attention. It also resulted in the first conviction in the US under the 1986 Computer Fraud and Abuse Act.[1] It was written by a student at Cornell University, Robert Tappan Morris, and launched on November 2, 1988 from MIT.

Architecture of the worm

(Image caption: Disk containing the source code for the Morris Worm held at the Boston Museum of Science.)
According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. However, the worm was released from MIT to disguise the fact that the worm originally came from Cornell. Additionally, the Morris worm worked by exploiting known vulnerabilities in Unix sendmail, finger, and rsh/rexec, as well as weak passwords.[2] Due to its reliance on rsh (normally disabled on untrusted networks), it should not succeed against a recent, properly configured system.
A supposedly unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable. This would have the same effect as a fork bomb and crash the computer. The main body of the worm could only infect DEC VAX machines running 4BSD, and Sun-3 systems. A portable C "grappling hook" component of the worm was used to pull over (download) the main body, and the grappling hook could run on other systems, loading them down and making them peripheral victims.

The mistake

The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times.[3] This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Morris remarked, when he heard of the mistake, that he "should have tried it on a simulator first."
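To make the replication rule concrete, here is an added toy simulation (a hypothetical model, not the worm's code) of the "copy itself anyway 1 in 7 times" decision, including the decoy defence the paragraph describes, in which every host answers "yes" whether or not a copy is running. Host counts and round counts are assumed values.

```python
import random
from dataclasses import dataclass


@dataclass
class Outcome:
    infected_hosts: int           # hosts running at least one copy
    total_copies: int             # worm processes across all hosts
    max_copies_on_one_host: int   # >1 means a host was re-infected


def simulate(n_hosts: int, rounds: int, reinfect_prob: float,
             decoy_everywhere: bool = False, seed: int = 1) -> Outcome:
    """Toy model of the spreading rule (hypothetical, not the worm's code).

    Each running copy contacts one random host per round and asks whether a
    copy is already running there. "No": the host is infected. "Yes": the
    worm backs off, except with probability reinfect_prob, when it installs
    another copy anyway (Morris chose 1/7). decoy_everywhere makes every
    host answer "yes", the trivial kill switch the text describes.
    """
    rng = random.Random(seed)
    copies = [0] * n_hosts
    copies[0] = 1                        # patient zero
    for _ in range(rounds):
        attempts = sum(copies)           # one contact per copy alive now
        for _ in range(attempts):
            target = rng.randrange(n_hosts)
            says_running = decoy_everywhere or copies[target] > 0
            if not says_running or rng.random() < reinfect_prob:
                copies[target] += 1      # extra copies give the fork-bomb load
    return Outcome(
        infected_hosts=sum(1 for c in copies if c > 0),
        total_copies=sum(copies),
        max_copies_on_one_host=max(copies),
    )


if __name__ == "__main__":
    for p, decoy in ((0.0, False), (0.0, True), (1 / 7, False), (1 / 7, True)):
        print(f"reinfect={p:.3f} decoy={decoy}: {simulate(200, 30, p, decoy)}")
```

With reinfect_prob 0 the decoy stops the worm completely; with 1/7 it only slows it down, while hosts that really are infected accumulate extra copies.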

Effects of the worm

It is usually reported that around 6,000 major UNIX machines were infected by the Morris worm. Paul Graham has claimed[4] that
"I was there when this statistic was cooked up, and this was the recipe: someone guessed that there were about 60,000 computers attached to the Internet, and that the worm might have infected ten percent of them."
The U.S. GAO put the cost of the damage at $10M–100M.[5]
The Morris worm prompted DARPA to fund the establishment of the CERT/CC at Carnegie Mellon University to give experts a central point for coordinating responses to network emergencies.[6] Gene Spafford also created the Phage mailing list to coordinate a response to the emergency.
Robert Morris was tried and convicted of violating United States Code: Title 18 (18 U.S.C. § 1030), the Computer Fraud and Abuse Act,[7] in United States v. Morris. After appeals he was sentenced to three years probation, 400 hours of community service, and a fine of $10,000.[8]
The Morris worm has sometimes been referred to as the "Great Worm", because of the devastating effect it had on the Internet at that time, both in overall system downtime and in psychological impact on the perception of security and reliability of the Internet. The name was derived from the "Great Worms" of Tolkien: Scatha and Glaurung.[9]

Notes and references

  1. Dressler, J. (2007). "United States v. Morris". Cases and Materials on Criminal Law. St. Paul, MN: Thomson/West. ISBN 9780314177193.
  2. US vs. Morris.
  3. Court Appeal of Morris.
  4. The Submarine.
  5. During the Morris appeal process, the U.S. Court of Appeals estimated the cost of removing the virus from each installation was in the range of $200 - 53,000. Possibly based on these numbers, Harvard spokesman Clifford Stoll estimated the total economic impact was between $100,000 - 10,000,000. http://www.bs2.com/cvirus.htm#anchor111400
  6. Security of the Internet. CERT/CC.
  7. United States v. Morris, 928 F.2d 504, 505 (2d Cir. 1991).
  8. "Computer Intruder is Put on Probation and Fined" by John Markoff, New York Times. The total fine ran to $13,326, which included a $10,000 fine, $50 special assessment, and $3,276 cost of probation oversight.
  9. Great Worm, from The Jargon File.

Saturday, 22 October 2011

Melissa - availability - 1999


The Melissa virus, which infected Microsoft Outlook e-mail, spread itself by sending e-mails. Users did not realise it was a virus, because the e-mail message said that the program was harmless. Because users trusted that message from Outlook, they opened it, and the virus then entered and executed itself.