THAILAND COMPUTER EMERGENCY RESPONSE TEAM (THAICERT) A MEMBER OF ETDA (English version)

ISBN : 978-616-91910-0-1

THAILAND COMPUTER EMERGENCY RESPONSE TEAM ELECTRONIC TRANSACTIONS DEVELOPMENT AGENCY (PUBLIC ORGANIZATION) MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY

The Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary, 120, Moo 3, Ratthaprasasanabhakti Building (Building B) 7th floor, Chaengwattana Road, Thung Song Hong, Lak Si, Bangkok 10210 Thailand

Tel : +66 2142 1160 Fax : +66 2143 8071 www.thaicert.or.th | www.etda.or.th | www.mict.go.th

JOINT PARTNERS : OFFICE OF THE ELECTRONIC TRANSACTIONS COMMISSION (ETC), MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY (MICT), OFFICE OF THE NATIONAL BROADCASTING AND TELECOMMUNICATIONS COMMISSION (NBTC) THAILAND

Title: Thailand Computer Emergency Response Team (ThaiCERT) Annual Report
By: Thailand Computer Emergency Response Team (ThaiCERT), Electronic Transactions Development Agency (Public Organization)
ISBN: 978-616-91910-0-1
1st edition: November 2013
Volume: 1,000 issues
Price: 200 Baht
Copyright Act B.E. 2537, all rights reserved

Translated by International Scriberia Company Limited

Published and distributed by

Electronic Transactions Development Agency (Public Organization) Office of the Electronic Transactions Commission Ministry of Information and Communication Technology

The Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary, 5th December, B.E.2550 120 Moo 3 Chaengwattana Rd., Laksi, Bangkok 10210 Tel: +66 2142 2483 Fax: +66 2143 8071

ThaiCERT Website: http://www.thaicert.or.th
ETC Website: http://www.etcommission.go.th
ETDA Website: http://www.etda.or.th
NBTC Website: http://www.nbtc.go.th
MICT Website: http://www.mict.go.th

Faced with the inevitable need to transform Thailand from an analog to a digital world, we estimate that by 2013 we will have 2.6 million tablets deployed for education; by 2014, the value of e-commerce will be over 60,800 million baht; and by 2015, quality broadband will be available to more than 80% of the Thai population. It is the government’s responsibility to deal with threats that emerge along with new technology. Hence, the National Cybersecurity Committee was formed and supported by ETDA and ThaiCERT.

Yingluck Shinawatra, Prime Minister

ThaiCERT, one of the most significant organizations for cybersecurity, provides valuable support for the implementation of the national “Smart Thailand” policy.

Mr. Anudit Nakorntub, Minister of Department of Information and Communication Technology

I aim to see ThaiCERT play a proactive role in building confidence in Thailand’s electronic transactions.

Mr. Charamporn Chotikasatien, Chairman of the Executive Board of Directors, Electronic Transactions Development Agency (Public Organization)

I don’t want people to remember the Ministry of ICT only for shutting down websites. We have an important role in behind-the-scenes security as well, with the support of ThaiCERT, ETDA.

Mr. Chaiyan Puengkiatpairote*, Permanent Secretary, MICT
*Dr. Surachai Srisarakham is the new permanent secretary since October 1, 2013.

We need to create awareness of hidden threats which are being transmitted through our telecommunication network along with regular communication data. I believe that ThaiCERT is a good partner to protect Thai online society.

Mr. Thares Punsri, Chairman, National Broadcasting and Telecommunications Commission

NBTC is ready to support and strengthen security operations with ThaiCERT, ETDA.

Mr. Takorn Tantasith, Secretary General, National Broadcasting and Telecommunications Commission

Originating from the National Electronics and Computer Technology Center (NECTEC), the National Science and Technology Development Agency (NSTDA), ThaiCERT has continued its mission to protect online transactions with the establishment of the Electronic Transactions Development Agency (Public Organization). ThaiCERT is, therefore, a priority for us as it is a key organization for national readiness to cope with online threats during AEC integration in 2015.

Mrs. Surangkana Wayuparb, Executive Director, CEO, Electronic Transactions Development Agency (Public Organization)

Contents

Tables ...... 10
Picture ...... 11
Figures ...... 12
Introduction ...... 15
1. “Cybersecurity” Trust and Confidence in ICT Usage ...... 17
2. Current Status and Readiness of Thailand: Threats & Risks ...... 21
3. CERTs and ThaiCERT Background ...... 29
4. ThaiCERT Annual Report 2012: Threats & Cybersecurity ...... 33
4.1 Services of ThaiCERT ...... 33
4.1.1 Responding and Handling Security Incident Services ...... 33
4.1.2 Security Information Updates ...... 34
4.1.3 Academic-based Security Services ...... 34
4.2 Coordination for Cybersecurity Response and Incident Management ...... 35
4.2.1 Conducting Triage ...... 35
4.2.2 Analyzing and Handling Incidents ...... 36
4.2.3 Providing Expert Opinion ...... 36
4.2.4 Issuance of Notification and Follow-up Action ...... 37
4.2.5 Record of Result and Feedback ...... 37
4.3 Incidents reported to and handled by ThaiCERT ...... 37
4.3.1 The Number of Reported Incidents in Thailand via Automatic Feed ...... 39
1.) The incident reports via Automatic Feed 2012 by Threat Types ...... 40
2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand ...... 42
3.) ...... 44
4.) URL ...... 47
5.) Spam ...... 50
6.) Scanning ...... 51
7.) Botnet ...... 54
8.) Open DNS Resolver ...... 56
9.) Open Proxy Server ...... 57
4.3.2 The Statistics of Directly Reported Incidents ...... 58
4.4 Case studies ...... 67
4.4.1 Intrusion of T.H.NIC Domain Name Management System ...... 68
4.4.2 Dissemination of DNS Changer Malware ...... 69
4.4.3 C&C of Malware Clan “” Discovery ...... 70
4.4.4 Hacking the Account of SMS Entrepreneur ...... 71
4.4.5 Phishing in Thai Web Hosting ...... 72
5. CERTs and AEC 2015 ...... 75
5.1 The Roles of CERTs in AEC 2015 ...... 75
5.2 The ASEAN Members’ CERT Reports ...... 77
5.3 Strengthening Collaboration of CERTs Network ...... 81
5.3.1 Building Networks ...... 81
5.3.2 Point of Contact ...... 82
5.3.3 Threat Information Service ...... 82
5.3.4 Standards on Threat Information ...... 83
5.3.5 Incident Drill ...... 83
5.3.6 Deploying Network Sensors ...... 84
6. Threats VS Privacy ...... 87
7. Is Thailand prepared for cyber threat? ...... 93
8. Appendix ...... 97
8.1 Appendix A ...... 97
8.2 Appendix B ...... 99
8.3 Appendix C ...... 102
List of Abbreviations ...... 106

Tables

Table 1: Number of incident reports sorted by threat type ...... 41
Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012 ...... 41
Table 3: Number of incident reports counted by unique IP and sorted by ISP ...... 42
Table 4: Number of IPs which have been registered by top 10 ISPs in Thailand ...... 43
Table 5: Top 10 number of phishing reports sorted by country ...... 44
Table 6: Number of phishing reports sorted by type of domain name ...... 45
Table 7: Top 10 number of phishing reports sorted by ISP ...... 46
Table 8: Top 10 number of malware URL reports sorted by ISP ...... 47
Table 9: Top 10 number of unique malware URL reports sorted by ISP ...... 48
Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP ...... 48
Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name ...... 49
Table 12: Top 10 number of unique malware URL reports sorted by domain name ...... 49
Table 13: Top 10 number of spam reports sorted by ISP ...... 50
Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number ...... 52
Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP ...... 53
Table 16: Top 10 number of botnet reports sorted by ISP ...... 55
Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP ...... 57
Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP ...... 58
Table 19: Cybersecurity threat type according to eCSIRT ...... 59
Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ...... 60
Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location ...... 61
Table 22: Number of fraud reports sorted by type of relevant individuals and their location ...... 62
Table 23: Number of fraud reports sorted by type of relevant individuals and organizations ...... 62
Table 24: Strategy 2: People Empowerment and Engagement ...... 75
Table 25: Strategy 4: Infrastructure Development ...... 76
Table 26: List of ASEAN+3 CERTS members in APCERT ...... 77
Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011 ...... 80
Table 28: Classification of Threats according to eCSIRT.net ...... 97
Table 29: Glossary ...... 99

Picture

Picture 1: ThaiCERT procedures for cybersecurity response ...... 35
Picture 2: DNS amplification attack technique ...... 56
Picture 3: Structure of domain name modification system of T.H.NIC ...... 68

Figures

Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ...... 21
Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011) ...... 22
Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ...... 22
Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012 ...... 24
Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013 ...... 25
Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries as of July 2012 ...... 25
Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012 ...... 40
Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012 ...... 40
Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type ...... 44
Figure 10: Top 10 number of scanning reports sorted by port number ...... 51
Figure 11: Top 10 number of scanning reports sorted by ISP ...... 53
Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name ...... 54
Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ...... 60
Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location ...... 61
Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant individuals and their location ...... 62
Figure 16: Percentage distribution of number of fraud victims ...... 63
Figure 17: Percentage distribution of number of fraud submitters ...... 63
Figure 18: Percentage distribution of number of fraud attackers ...... 64
Figure 19: Number of directly reported incidents during 2001-2012 ...... 64
Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP ...... 65
Figure 22: Percentage distribution of number of repeatedly reported and non-repeated reported IPs from phishing reports ...... 66
Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name ...... 67
Figure 24: Number of reports of DNS changer infected in network of agencies or ISPs; information retrieved on 8 July 2012 from DCWG.org ...... 69
Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011 ...... 78
Figure 26: Proportion of threats, sorted by ASEAN+3 countries as shown in the APCERT annual report 2011 ...... 80

Introduction

The Electronic Transactions Development Agency (ETDA), the Office of the Electronic Transactions Commission (ETC), and the Office of the Permanent Secretary of the Ministry of Information and Communication Technology (MICT) are pillar agencies responsible for developing, promoting, and enhancing trust and confidence in electronic transactions. The ETDA and the ETC serve to support the Electronic Transactions Committee, which has a proactive role in building information technology security in order to reduce online transaction risks in the public and private sectors. Moreover, they collaborate closely with the Crime Prevention and Suppression Bureau, Ministry of Information and Communication Technology; the Information Technology Support Division and the Technology Crime Suppression Division of the Royal Thai Police; and the Office of the National Broadcasting and Telecommunications Commission. Additionally, ETDA extends its support to the National Cybersecurity Committee overseeing cybersecurity threats, which have become more sophisticated than in the past. Such threats can be launched from many sources and cause large-scale damage to service providers and users. In order to deal with such threats, it is necessary to have timely coordination with both domestic and overseas agencies to implement immediate and comprehensive solutions.

ETDA has urged the Thailand Computer Emergency Response Team (ThaiCERT) to work proactively in its important role as the nation’s primary cybersecurity agency and to act as the national focal point for coordination with foreign Computer Emergency Response Teams (CERTs). Such practice is directly in line with the ASEAN Economic Community Blueprint and the ASEAN ICT Master Plan 2015, which aim to promote and enhance confidence in electronic transactions.

ETDA published the ThaiCERT Annual Report 2012 to highlight a collection of case studies from ThaiCERT operations and reported threats in 2012. The report presents a detailed analysis of cybersecurity threats, including types of threats, types of agencies submitting threat reports, and types of computer networks or Internet Service Providers (ISPs) in Thailand, in order to provide an overview of the 2012 national cybersecurity landscape. It reflects the current status of these threats and provides valuable information to policy makers to develop mechanisms to prevent and combat threats among civil, business, and public stakeholders, particularly those in the key infrastructures of the country.

Mrs. Surangkana Wayuparb, Executive Director, CEO, Electronic Transactions Development Agency (Public Organization)

1. “Cybersecurity”: Trust and Confidence in ICT Usage

Presently, computer networks, computer systems, and electronic devices are widely utilized to support business transactions, organizational operations, and communication in order to enhance efficiency and effectiveness. They also facilitate safe transactions in the form of electronic documents, electronic payments, and social media.

With legal authentication under the authority of the Electronic Transaction Act B.E. 2544 (Revision edition B.E. 2551), electronic transactions have been utilized and widely accepted. Despite such legal protection, transactions are still exposed to various threats and remain vulnerable to forms of direct internet-based crime (“cybercrime”) or indirect internet-facilitated crime. Public and private sectors, therefore, should be aware of the possible harmful effects and damage that may occur when conducting electronic transactions, and be prepared to prevent, protect, and deal with incidents.

The IT security Conceptual Framework is specified in the ISO/IEC 27001:2005 Information Security Management System (ISO/IEC 27001:2005). Based on a risk assessment of possible damage due to threats, the Framework places priority on the fundamental factors of confidentiality, integrity and system availability for IT security justification. For example, customer databases under the Enterprise Resource Planning System are considered confidential and need to be complete and available at all times. Another significant threat is a flood at a data center, causing an ICT system breakdown. Therefore, an agency must be able to provide backup to customers and be prepared for threats that might occur.

Various risk management measures are specified in ISO/IEC 27002 (ISO/IEC 27002 Information Technology Security Techniques – Code of practice for information security management), which has 11 classifications and a total of 133 measures. These include IT security policies for ICT organization management, human resource administration, information technology administration and legal compliance.

Despite awareness among agencies and individuals, they remain exposed to cybersecurity threats. Such threats highlight the need to have a computer emergency response team (CERT) which is solely dedicated to cybersecurity issues and coordinates with domestic and international parties in order to ensure prompt solutions to threats. CERT is also specified as a framework in the ASEAN Economic Community Blueprint, stipulated in Article B4 items 51 and 52.

ETDA has been continually implementing the ThaiCERT project since December 2011. During the first year, ThaiCERT placed priority on the two most common threats: those originating from deceptive websites (phishing) and botnets. Each month phishing caused losses of hundreds of thousands of baht from the bank accounts of numerous victims. Each month, ThaiCERT received reports that there were approximately fifty deceiving overseas websites. Considering the impact of phishing, it has been concluded that ThaiCERT suppression of the deceiving websites can mitigate losses of millions of baht per month. Concerning the threat from botnets such as Zeus, Rustock or Kelihos, over 100,000 computers in Thailand have been affected. Upon installation, the affected computers involuntarily attack other computers or even cause damage to computer owners by sending frequent SPAM messages, over 25,000 messages/hour, to others, stealing online transaction data or attacking the availability of other computers (DDoS).

Phishing and botnets are only two of many other threats reported to ThaiCERT, which include widespread threats in different forms that have become more complicated due to the advance and rapid change of technology. In return, development of cybersecurity needs to be well-prepared for any unanticipated circumstances including well-known and newly developed threats. Preparedness is very important in order to support business continuity and agency services, especially in important infrastructures such as public utilities, energy, communication, health and the like. These important infrastructures will utilize technology more significantly in administration, which causes greater complications in information technology. If an attack occurs, the Computer Emergency Response Teams will handle threats and help restore systems and services in the earliest possible time. Additionally, they will examine and analyze data to find the culprits.

In terms of personnel development, ThaiCERT has continuously trained and equipped its personnel to be able to deal with recent threats through training in incident handling, intrusion analysis, penetration testing, system administration, and network security. Such training is part of ThaiCERT‘s long term personnel development program. This program aims to enhance the capabilities of ThaiCERT in terms of handling and managing internal threats while preparing its human resources to cope with threats at the national level, analyze malware and provide pre- or post-damage solutions, analyze and solve problems from phishing websites, analyze and develop solutions to online transaction vulnerabilities, and arrange prompt backup sites or “hot-standby” services.

ThaiCERT also focuses on enhancing its human resources capacities in analyzing and managing threats effectively by setting up several task-based teams responsible for possible current threats. Such teams include an analyst team handling analysis of current or emerging threats, a surveillance team handling network monitoring, an IT incident management team providing prompt solutions to possible IT incidents, a facilitation team in charge of sending alerts and coordinating with domestic and foreign agencies, and an IT security promotion team in charge of raising IT security awareness.

To ensure effectiveness in handling threats, ThaiCERT also works and collaborates closely with various relevant domestic and international agencies. For example, it has joined the Asia Pacific Computer Emergency Response Team (APCERT) and the Forum of Incident Response and Security Teams (FIRST), which are internationally recognized as a pool of experts as computer emergency response teams (CERTs) or computer security incident response teams (CSIRTs). Those national bodies are in charge of response, coordination, and handling of any possible IT security or network violation. Upon receiving an alert from CERTs or CSIRTs, APCERT or FIRST will coordinate with those national agencies representing member states to mitigate IT security infringement. In response to a main provider system attack, ThaiCERT needs to prepare its resources, personnel, and information systems services in order to be able to serve as the focal point in facilitating and strengthening IT security management at national and international levels. These efforts will directly increase public confidence in electronic transactions and reduce damage caused by any possible threats.


2. Current Status and Readiness of Thailand: Threats & Risks

Nowadays, information technology plays a more significant role in our daily lives. According to the Household Survey 2011 conducted by the National Statistical Office (NSO), 32.1%[1] of the Thai population use computers, 24.72% use the Internet[2], and 66.43% use mobile phones[3]. Additionally, the International Telecommunication Union (ITU) reported continuous growth in ICT usage, as illustrated in the graphs shown below:

Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011)[4]

[1] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[2] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[3] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[4] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)

Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011)[5]

Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011)[6]

With such rapid growth in IT availability and usage, an inevitable burden is placed on the organization’s ability to protect and maintain its IT security. This situation requires the organization to exercise control and management in order to eliminate threats and risks, or, at minimum, reduce them to acceptable levels.

[5] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)
[6] ICT Data and Statistics (IDS), International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)

In the context of IT security, threats and risks can be evaluated from several points of view. For example, they can be classified as internal vs. external depending on the source of the threat and risk factors. Internal threats can occur due to a lack of personnel capacity concerning technology administration or improper use, lack of experience, skills and knowledge, individual omission, lack of understanding of the importance of IT security, lack of proper training, lack of clear policy or direction at the organization level resulting in possibly conflicting implementation, or lack of appropriate tools. External threats, however, occur due to external factors such as attacks from malicious users, natural disasters, failure of service providers, and vulnerabilities in software used in organizations. Although such threats are often beyond local control and difficult to foresee, they can be mitigated through proper risk management strategies.

In order to manage such threats and risks effectively, an organization can apply the international standard ISO/IEC 27002, which consists of 11 domains:
(1) Security Policy
(2) Organization of Information Security
(3) Asset Management
(4) Human Resource Security
(5) Physical and Environmental Security
(6) Communications and Operations Management
(7) Access Control
(8) Information System Acquisition, Development and Maintenance
(9) Information Security Incident Management
(10) Business Continuity Management
(11) Compliance

Following the mentioned auditing domains presents the organization with an assessment of the probability and impacts of threats on their IT systems, the consequences that could follow, and other possible impacts on other systems. That information can ensure effective development and determination of ICT security policies and practices suitable for the organization’s operations, and can be used to determine preventive and relief policies when responding to threats and risks. Further, a risk management strategic plan can be developed at a later stage.

When analyzing the status and readiness of IT security of Thai organizations, it is useful to compare the number of organizations receiving certificates under the international standard of information security management systems (ISMS), or ISO/IEC 27001:2005 certificates. The latest statistics collected by the International Register of ISMS Certificates in August 2012 found that Japan ranked first. It had 4,152 certified organizations, while Thailand had 59 such organizations[7] and ranked second in the ASEAN Community after Malaysia, and fifteenth in the global ranking. This demonstrates that Thai organizations afford information security management systems a higher priority compared to most organizations in other ASEAN countries. Such success partly resulted from the determination to implement practices recommended by the electronic transactions and information technology management regulations with reference to the ISO/IEC 27001 standard. Examples include the Royal Decree on Rules and Procedures of the Public Sector’s Electronic Transactions B.E. 2649 (2006) and the Royal Decree on Security Techniques in Performing Electronic Transactions B.E. 2553 (2010). These measures helped organizations realize the importance of ISMS and adjust their security policy accordingly.

[7] International Register of ISMS Certificates (http://www.iso27001certificates.com/Register%20Search.htm)

Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012

Apart from the readiness of organizations, it is important to consider the readiness of their personnel as well. This factor can be measured by the number of personnel granted internationally accredited professional certificates in IT security, such as Certified Information System Security Professional (CISSP) by ISC2. A survey in March 2013[8] found that there were 85,285 people worldwide who had received the CISSP Certificate, in 144 countries. The country having the highest number of CISSP experts was the (55,924 people); the second was the United Kingdom (4,256 people); the third was Canada (4,075 people); and the fourth was South Korea. Thailand (153 people) was thirty-fourth in the global ranking and third in the ASEAN Community, after Singapore (1,132 people) and Malaysia (239 people).

[8] (ISC)2, Inc (https://www.isc2.org/member-counts.aspx)

Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013

Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries as of July 2012[9]

Figure 6 shows the total number of security experts who received GIAC[10] certificates. Singapore ranked first with 336 certificate holders, followed by Malaysia with 183 certificate holders.

[9] Information from SANS Asian Pacific representative as of July 2012
[10] Global Information Assurance Certification (GIAC)

Internationally recognized in IT accreditation, the EC-Council Institute, which provides well-known certificates such as the Certified Ethical Certificate (C|EH) and the Certified Hacking Forensic Investigator Certificate (CHFI), reported that there are approximately 15,000 experts in Southeast Asia with certificates from the EC-Council. Among these recipients, over 90% are from Singapore and Malaysia, while there are only about 400 experts with such certificates[11] in Thailand. The data on the number of IT security experts in the region indicates that Thailand ranks third in ASEAN, with a higher number of experts than several other countries. However, Thailand still has significantly fewer security experts than its IT-advanced ASEAN neighbors, such as Singapore and Malaysia. It remains, therefore, a challenge to develop a sufficient number of Thai security experts certified to international standards in order to raise trust and confidence in IT security and to achieve a sustainable competitive edge in the region.

[11] Information from delegates of EC-Council Asia-Pacific in December 2012

3. CERTs and ThaiCERT Background

Computer Emergency Response Team, or CERT, is a trade-registered term originally designated by US-based Carnegie Mellon University, which established the first CERT in the world and has been in charge of responding to and handling incidents occurring within the country. The approach has eventually been adopted by many other countries, including Thailand, resulting in the establishment of their own CERTs such as ThaiCERT for Thailand, CERT-In for India, Sri Lanka CERT|CC for Sri Lanka, and many more. Consequently, those CERTs have created a tight network for information exchange and collaboration.

For Thailand, the national computer emergency response team (ThaiCERT) was established in 2000 by the National Electronics and Computer Technology Center (NECTEC) under the Ministry of Science and Technology, with the missions to respond to and handle cybersecurity incidents, provide support and guidance on threat solutions, safeguard information (including monitoring and publicizing cybersecurity information to the public), and research and develop practical guidelines in computer and internet security. In February 2011, the Cabinet of Thailand made a decision to transfer the operation of ThaiCERT to the Electronic Transactions Development Agency (Public Organization), or ETDA, the newly established organization under the Ministry of Information and Communication Technology, with the missions and visions to mitigate cyber threats, secure electronic transactions, and enhance trust and confidence among online users. To meet the challenges, ThaiCERT has taken proactive measures in capacity building of human resources regarding the cybersecurity body of knowledge, techniques, and practices. Furthermore, without a direct legal enforcement mandate, ThaiCERT has been fulfilling its missions mainly through collaboration among network members and related agencies both domestically and internationally. Examples of ThaiCERT’s domestic partners include:
• Internet service providers
• The Royal Thai Police
• The Department of Special Investigation
• Thailand Information Security Association
• Thai Bankers’ Association
• Technology Crime Suppression Division, Royal Thai Police (TCSD/RTP)
• Office of the Permanent Secretary, Ministry of Information and Communication Technology (MICT)

At the international level, ThaiCERT has joined and actively participated in various networks and forums. ThaiCERT has also signed memoranda of understanding (MOU) with a number of organizations in order to exchange knowledge and information and to deal effectively with cybersecurity threats, which often affect multiple countries because of the borderless nature of the internet. The organizations that have signed an MOU with ThaiCERT include:
• Japan Computer Emergency Response Team Coordination Center (JPCERT/CC), the Japanese national CERT, which has been very successful in managing incidents at the local and international levels.
• Anti-Phishing Working Group (APWG), a US non-profit organization which aims to cope with threats arising from the misuse of the internet as a channel for theft and fraud, in which personal information such as user accounts, credit card details or electronic transaction details are stolen.
• Team Cymru, a US-based non-profit organization whose mission is IT security research and development in order to deal effectively with new threats. It provides cybersecurity incident data collected and analyzed by its own detection systems.
For regional and international collaboration, ThaiCERT is a full member of regional and international organizations, including the Asia Pacific Computer Emergency Response Team (APCERT) for the Asia Pacific region and the Forum of Incident Response and Security Teams (FIRST) at the global level.
• APCERT is a collaborative effort of the Computer Security Incident Response Teams (CSIRTs) or CERTs of Asia Pacific member economies. It aims to raise awareness of cybersecurity and to enhance members' capacity to handle cybersecurity incidents to international standards and regional practices.
• FIRST is a global association of incident response and security teams responsible for responding to, coordinating and managing cybersecurity breaches. Its members include teams from participating countries and organizations around the world.

For over a decade, ThaiCERT has taken a major role in providing guidance and the necessary support in dealing with security threats and incidents for both the public and private sectors. ThaiCERT is now well recognized at the regional and international levels as a result of its shared efforts in preventing and suppressing cybersecurity threats. In 2013, ThaiCERT and ETDA were honored to co-host the 25th Annual FIRST Conference on 16-21 June 2013 at the Conrad hotel, Bangkok. This was the second Annual FIRST Conference held in ASEAN, after the first one in Singapore in 2005. More than 500 information security specialists from around the world attended this conference organized by the FIRST Steering Committee, half of them from CERTs that are members of FIRST. The conference was therefore a golden opportunity for ThaiCERT to demonstrate its capacities and gain international recognition while raising cybersecurity awareness among Thai and international experts and practitioners.

ThaiCERT Annual Report 2012: Threats & Cybersecurity

4. ThaiCERT Annual Report 2012: Threats & Cybersecurity

Promoting a secure e-society and confidence in electronic transactions requires a security organization that is well prepared to handle any unforeseen incident and to manage incidents effectively. Such capacities are vital mechanisms for securing and maintaining business or service continuity, which is especially important for critical infrastructure agencies in domains such as public utilities and energy, communications and medicine. Information technology is widely and increasingly used by those agencies to manage their operations. If an organization's information systems or network are attacked, its Computer Emergency Response Team (CERT) plays a major role in handling the incident and providing a resolution, including investigation and analysis, particularly digital forensics, in order to identify possible attackers.

ThaiCERT is the Computer Security Incident Response Team (CSIRT) for Thailand, serving as the official point of contact for dealing with incidents in the Thai internet community. ThaiCERT operates 24/7 in surveillance, handling and mitigation of cybersecurity incidents that have the potential to cause significant damage to electronic transactions. In many cases, ThaiCERT must coordinate with other national CERTs in order to respond to and handle threats. ThaiCERT also provides an advisory service to both organizations and individuals, releases cybersecurity alerts and news, and organizes training for the public to enhance knowledge and raise awareness of information security.

4.1 Services of ThaiCERT

ThaiCERT started operating under the Electronic Transactions Development Agency (Public Organization) (ETDA) in 2012. Its initial services include incident response and coordination, security consultancy and advisory, and academic services emphasizing cybersecurity. Digital forensics is expected to be in full service by 2013.

4.1.1 Responding and Handling Security Incident Services

ThaiCERT provides incident handling and response services via telephone and email to individuals, educational institutions, research institutes, and public and private agencies around the world. Upon receiving an incident report, the incident response team analyzes and validates the reported incident. This information is then taken further for investigation, to identify the attacker and to coordinate with related organizations for damage mitigation. ThaiCERT has implemented a system for tracking the progress of incident resolution: ThaiCERT coordinates with the relevant agencies and updates the progress of incident resolution within 2 working days. Unresolved incidents are then followed up every 2 working days until a resolution or a satisfactory result is obtained.

ThaiCERT provides two channels for reporting incidents: telephone at 0 2142 2483 between 8.30 am and 5.30 pm on working days, and email at report@thaicert.or.th. When a reporter needs to send sensitive information to ThaiCERT by email, it is highly recommended to encrypt the message with PGP [12] using the following ThaiCERT public key:

Email: report@thaicert.or.th
Key ID: 0xF2CB3EE1
Key Type: RSA
Key Size: 2048
Expiration: 2015-06-25
Fingerprint: 29B3 2C79 FB4A D4D7 E71A 71ED 5FFE F781 F2CB 3EE1

Before encrypting to this key, verify that the full fingerprint of the key you obtained matches the one published here; the short key ID alone (the last eight hex digits of the fingerprint) is not sufficient to identify a key.

4.1.2 Security Information Updates

One of ThaiCERT's missions is to alert the public about threats and the cybersecurity situation, upon notification from other CERTs or CSIRTs, so that they can prepare to handle potential threats or incidents. ThaiCERT experts analyze any high-impact threat or cybersecurity incident before giving suitable advice on how to respond, resolve it, or protect systems and networks. In addition to threat alerts, ThaiCERT collects reported incident data and publishes the reported incident statistics on www.thaicert.or.th on a monthly basis to illustrate the status and trend of the computer security situation in Thailand.

4.1.3 Academic-based Security Services

ThaiCERT provides technical and academic services to domestic and international agencies in the form of consultation, planning and IT security policy preparation according to current IT legal requirements and international standards. Besides cybersecurity consultation, ThaiCERT also conducts various capacity building and awareness raising activities, including cybersecurity seminars and training for the general public and IT professionals, cyber incident drills in the private and public sectors, and talks at domestic and international conferences.

[12] Pretty Good Privacy (PGP) is a technology for encrypting messages with public-key cryptography, created by Philip R. Zimmermann. It is also widely used for signing email with an electronic signature.

4.2 Coordination for Cybersecurity Response and Incident Management

Picture 1: ThaiCERT procedures for cybersecurity response

In order to ensure effective resolution of any reported incident within a service-level agreement (SLA), ThaiCERT has set and follows the incident response and coordination procedures below.

4.2.1 Conducting Triage

Upon receiving an incident report, ThaiCERT first conducts a triage assessment to determine the validity of the incident. At least one of the following triage criteria must be met before further action:
• The reported incident can be verified and is within ThaiCERT's constituency;
• The victim(s) or reporter can be identified;
• The incident is reported by a source that can be trusted, such as a reliable source or an agency that has contacted ThaiCERT before.

After conducting triage, ThaiCERT personnel inform the reporter whether ThaiCERT or ETDA will take any further action. The process is as follows:

If accepted, ThaiCERT personnel classify the report as a legal or a technical consultation. A legal consultation request is submitted to ETDA's legal team for their expert opinion. For a technical incident report, ThaiCERT personnel analyze the issue and proceed to the next step of the process.

If denied, ThaiCERT informs the reporter of the reasons, such as the situation being outside its constituency and/or the inability to verify the reported incident.

All notifications are recorded in the system before the process is completed.

4.2.2 Analyzing and Handling Incidents

The ThaiCERT incident response team is responsible for handling any reported incident through an approved incident response procedure. Additionally, other security incidents discovered or identified by the ThaiCERT threat monitoring team are handled by this same procedure. After investigating the incident, ThaiCERT assesses its effect to decide whether to escalate the threat to higher security measures or to escalate it to high-level management for visibility and immediate guidance. The impact assessment criteria divide incidents into two categories:

High-impact case. A high-impact case is any incident with mid-level impact or beyond according to the Notification of the Electronic Transactions Commission (ETC) on Impact Assessment to Electronic Transactions 2012, or one that could have a high impact on national security or public order. These high-impact incidents require immediate action by ThaiCERT personnel as well as prompt notification of high-level management.

Low-impact/general case. A low-impact or general case is an incident whose impact is limited to one organization, resulting in losses of property or of confidential information of its users or of the organization itself. The case is handled by ThaiCERT personnel according to the incident response procedure with the standard SLA.

Note: The details of the impact assessment criteria and escalation procedures are currently under consideration by the authority.

4.2.3 Providing Expert Opinion

In many cases, the incident reporter requests comments or recommendations on how to proceed under the relevant laws. ThaiCERT personnel coordinate with ETDA legal officers who have expertise in the Computer Crime Act to comment and make recommendations on such cyber incident matters. In the case of sensitive issues or complicated matters, ETDA legal officers may consult external approved legal experts to obtain opinions on the related aspects, in order to conclude and notify the reporter of the comments or recommendations.
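The triage and follow-up rules described in 4.1.1 and 4.2 can be written down as a small program. The following is an added example, not ThaiCERT's own tooling: it accepts a report when at least one triage criterion holds (affected address inside the constituency, an identifiable victim, or a reporter who is a known contact), routes accepted reports to legal or technical handling, and for technical cases computes the dates on which the case must be chased (first update within two working days, then every two working days until resolution). The constituency prefixes and the list of trusted reporters are constructed values, and public holidays are not modelled.

```python
"""Triage and follow-up scheduling for incident reports.

Added example; not ThaiCERT's own tooling. Constituency prefixes and trusted
reporters below are constructed values for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple
import ipaddress

# Constructed constituency: address ranges the team is responsible for.
CONSTITUENCY = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed: reporters who have contacted the team before.
TRUSTED_REPORTERS = {"soc@example-isp.test", "abuse@partner-cert.test"}
FOLLOW_UP_WORKING_DAYS = 2


@dataclass
class Report:
    reporter: str
    victim: Optional[str]          # identified victim, or None
    affected_ip: Optional[str]
    legal_question: bool = False   # reporter asks for a legal opinion


def in_constituency(ip: Optional[str]) -> bool:
    """True if ip parses and falls inside one of the constituency prefixes."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CONSTITUENCY)


def triage(report: Report) -> Tuple[str, str]:
    """Return ('accepted', 'legal'|'technical') or ('denied', reasons).

    At least one criterion must hold; when none does, the failed criteria are
    returned so they can be sent back to the reporter and recorded."""
    failed = []
    if not in_constituency(report.affected_ip):
        failed.append("outside constituency")
    if not report.victim:
        failed.append("victim not identified")
    if report.reporter not in TRUSTED_REPORTERS:
        failed.append("unknown reporter")
    if len(failed) == 3:
        return "denied", "; ".join(failed)
    return "accepted", "legal" if report.legal_question else "technical"


def add_working_days(start: date, n: int) -> date:
    """Advance n working days (Mon-Fri). Public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def follow_up_schedule(opened: date, resolved: date) -> List[date]:
    """Dates on which the case must be chased: the first update is due two
    working days after opening, then every two working days until it is
    resolved. A case resolved before the first due date needs no chasing."""
    schedule = []
    due = add_working_days(opened, FOLLOW_UP_WORKING_DAYS)
    while due < resolved:
        schedule.append(due)
        due = add_working_days(due, FOLLOW_UP_WORKING_DAYS)
    return schedule


if __name__ == "__main__":
    print(triage(Report("anon@mail.test", "Example Bank", "203.0.113.7")))
    print(follow_up_schedule(date(2012, 11, 30), date(2012, 12, 11)))
```

A case opened on Friday 30 November 2012 and resolved on Tuesday 11 December is due for its first update on Tuesday 4 December, with further follow-ups on 6 and 10 December; a real tracker would also load the national holiday calendar into add_working_days.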

4.2.4 Issuance of Notification and Follow-up Action

The ThaiCERT incident response team is responsible for handling any reported incident and provides an incident coordination service with the agencies or individuals registered in verified public databases, such as system owners, Internet service providers, CERT agencies, governmental agencies, universities, investigation agencies, justice agencies and other relevant parties. ThaiCERT coordinates with the relevant agencies to handle and respond to the reported incident. Unresolved incidents are then followed up every 2 working days until a resolution or a satisfactory result is obtained.

4.2.5 Record of Result and Feedback

After a resolution or a satisfactory result is obtained, ThaiCERT personnel record all incident response activities with a detailed analysis before notifying the reporter of the result.

4.3 Incidents Reported to and Handled by ThaiCERT

In 2012, ThaiCERT received reports of cybersecurity situations or incidents through two channels. The first is direct reporting to ThaiCERT by email or telephone, and the second is the automatic feed, whose information is gathered from international cybersecurity organizations coordinating with ThaiCERT, such as the Anti-Phishing Working Group (APWG), Team Cymru and Microsoft.

From the incident reports received through these channels, ThaiCERT has developed a systematic analysis and coordination process to cope with, handle and advise on incidents affecting the relevant entities. Moreover, all cybersecurity incidents received in 2012 were used to analyze the trend of cybersecurity threats and to create the statistical report on the cybersecurity situation in Thailand. The report can be summarized as follows:
• The malware with the highest number of reports was Zeus, botnet [13] malware targeting the Windows operating system for the purpose of stealing the user's online transaction information. It was followed by Rustock, which is capable of sending more than 25,000 spam [14] messages per hour and performing DDoS [15] attacks against computer systems.
• In 2012, the number of botnet reports reached 4,404,089, mostly occurring in the networks of Internet Service Providers in Thailand.
• There was a total of 1,523,469 spam reports, all of them submitted through the automatic feed.
• More than 143,302 DNS servers in Thailand were improperly configured and could be used for DDoS attacks.
• There was a total of 30,521 scanning reports. The most targeted ports, approximately 80% of all reports, were Windows remote administration ports: categorized by port number, the two most targeted ports were 4899 [16] and 3389 [17], with 45.40% and 34.16% respectively.
• Although DDoS attacks had the fewest reports compared to the other threats, it cannot be concluded that DDoS attacks barely occurred in Thailand, since the detection and analysis of DDoS attacks are more difficult than for the other threats.
• Almost all types of attack were found in networks under the control of major ISPs in Thailand, while botnet malware had also spread in mobile telecommunications networks.
• Fraud was the cybersecurity threat with the highest number of incidents reported directly to ThaiCERT, with 534 reports or 67.42% of a total of 792 reports.

[13] Botnet is a cybersecurity threat arising from malware-infected computers. The botnet malware typically receives commands from a command and control server via the Internet; the commands may be executed to attack other systems, send spam or steal information from the infected computers.
[14] Spam is a cybersecurity threat in which an attacker sends a large number of unsolicited messages to others; most spam advertises products and services.

[15] DDoS is a cybersecurity threat against the availability of a system. The attack traffic may come from many different locations but aims at the same target, causing anything from delayed responses to complete denial of service.
[16] Port 4899/TCP is used by Radmin remote administration.
[17] Port 3389/TCP is used by Windows Remote Desktop.

4.3.1 The Number of Reported Incidents in Thailand via Automatic Feed

Since August 2011, cybersecurity incidents originating from Thailand and detected by international cybersecurity agencies cooperating with ThaiCERT have been submitted via automatic feed. The incidents can be categorized into 9 types: botnet, brute force [18], DDoS, malware URL [19], open DNS resolver [20], open proxy server [21], phishing [22], scanning [23] and spam. The statistics and analysis are as follows:

[18] Brute force is an attack on a target system that tries many candidate values generated by the attacker in order to obtain important information; for example, the attacker attempts to log in as another user using randomly generated usernames and passwords.
[19] Malware URL is a threat in which a website distributes malware. It generally occurs when the attacker gains access to the targeted website and uses it to distribute the malware, while tricking people into downloading it via a specific URL.
[20] Open DNS resolver is a threat arising from an improper configuration of DNS servers, which allows those servers to be used in DDoS attacks.
[21] Open proxy server is a threat arising from an improper configuration of web proxy servers, which allows anyone to access websites through them without authentication. As a result, the attacker may use them for malicious activities.
[22] Phishing is a threat which can be considered another kind of fraud. Its main objective is to steal important information from the user, such as username, password or electronic transaction details, by luring the user into a fraudulent service.
[23] Scanning is a threat in which the attacker discovers basic information about the operating system or the services running on a server by sending probes to the targeted system and analyzing the responses. The scanning result is often used for attacking the system.

1.) The incident reports via Automatic Feed 2012 by Threat Types

Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012

Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012

Table 1: Number of incident reports sorted by threat type

Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012

Table 1 shows the number of incident reports received via automatic feed since August 2012, a total of 7,050,921, while Figure 7 shows the weekly incident reports by threat type. Botnet had the highest number of reports, with a weekly average of around 259,000, followed by spam with a weekly average of around 100,000; all the other types combined averaged fewer than 12,000 per week. ThaiCERT found that many feed reports concerned the same IP addresses under the same threat type, because infected hosts keep generating botnet and spam traffic and are re-reported each time they are observed. The number of incident reports is therefore higher than the actual number of affected IP addresses.

Table 2 shows a total of 1,077,017 reported IP addresses, that is, IP addresses in Thailand with a cybersecurity issue. Spam had the highest number of reported IP addresses, 636,461 or 62.7% of all reports, followed by botnet and open DNS resolver with 286,919 and 143,302 IP addresses respectively, whereas brute force and DDoS together accounted for fewer than 100 IP addresses. The analysis of each threat is presented in the following parts.

2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand

Table 3: Number of incident reports counted by unique IP and sorted by ISP

Table 4: Number of IP addresses registered by the top 10 ISPs [24] in Thailand

The incident reports received via automatic feed, as shown in Table 3, indicate that most of the reported IP addresses belonged to ISPs and mobile operators such as TOT, True, Triple T Broadband, AIS and DTAC [25], which include both wired and wireless broadband providers. Most of the incident reports were related to spam and botnet, as shown in Figure 9. Of the 8,559,616 IP addresses registered in Thailand, Table 4 shows that the top 10 holders were ISPs, and the first three providers held half of all addresses. There were 872,206 IP addresses related to cybersecurity threats, more than 10% of all IP addresses registered in Thailand. Furthermore, since many computers commonly access the Internet through the same public IP address, the actual number of computers involved in the incidents is likely to be higher than the number of reported IP addresses.
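The distinction drawn above between Table 1 (number of reports) and Tables 2 and 3 (number of unique IP addresses, per threat type and per ISP) is easy to get wrong when processing a feed. The following added example (not the report's own code) computes both counts from a feed extract and attributes each address to an ISP by longest-prefix matching against a netblock list, the same step needed to produce Table 3 and Figure 9. The feed lines, prefixes and ISP names are constructed and do not correspond to real allocations.

```python
"""Counting automatic-feed reports by unique IP and attributing them to ISPs.

Added example, not from the report. Netblocks and feed lines are constructed.
"""
from collections import Counter, defaultdict
from typing import Dict, List
import ipaddress

# Constructed netblock table (ISP -> prefixes). Real work would load RIR
# delegation data such as the APNIC file cited in footnote 24, or a BGP table.
NETBLOCKS = {
    "ISP-A": ["203.0.113.0/24"],
    "ISP-B": ["198.51.100.0/24"],
    "ISP-C": ["198.51.100.128/25"],   # downstream customer inside ISP-B's /24
    "UNI":   ["192.0.2.0/24"],
}

# Constructed feed extract, one report per line: date,ip,threat_type
FEED = """\
2012-10-01,203.0.113.10,botnet
2012-10-01,203.0.113.10,botnet
2012-10-02,203.0.113.10,botnet
2012-10-02,203.0.113.55,spam
2012-10-02,198.51.100.200,scanning
2012-10-03,198.51.100.200,scanning
2012-10-03,198.51.100.7,open_dns_resolver
2012-10-03,192.0.2.9,spam
2012-10-04,192.0.2.9,spam
"""


def build_prefix_table(netblocks: Dict[str, List[str]]) -> list:
    """Flatten to (network, isp) pairs, most specific prefix first, so that a
    linear scan returns the longest match."""
    table = [(ipaddress.ip_network(p), isp) for isp, ps in netblocks.items() for p in ps]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def attribute(ip: str, table: list) -> str:
    """Longest-prefix match; unknown space is reported, not silently dropped."""
    addr = ipaddress.ip_address(ip)
    for net, isp in table:
        if addr in net:
            return isp
    return "unattributed"


def parse_feed(text: str) -> list:
    records = []
    for line in text.splitlines():
        if line.strip():
            day, ip, ttype = line.split(",")
            ipaddress.ip_address(ip)          # reject malformed addresses early
            records.append((day, ip, ttype))
    return records


def reports_by_type(records: list) -> Dict[str, int]:
    """Table 1 style: every feed line counts."""
    return dict(Counter(t for _, _, t in records))


def unique_ips_by_type(records: list) -> Dict[str, int]:
    """Table 2 style: each address counts once per threat type."""
    seen = defaultdict(set)
    for _, ip, t in records:
        seen[t].add(ip)
    return {t: len(ips) for t, ips in seen.items()}


def unique_ips_by_isp_and_type(records: list, table: list) -> Dict[str, Dict[str, int]]:
    """Table 3 / Figure 9 style: unique addresses per ISP and threat type."""
    seen = defaultdict(lambda: defaultdict(set))
    for _, ip, t in records:
        seen[attribute(ip, table)][t].add(ip)
    return {isp: {t: len(ips) for t, ips in types.items()} for isp, types in seen.items()}


if __name__ == "__main__":
    table = build_prefix_table(NETBLOCKS)
    recs = parse_feed(FEED)
    print(reports_by_type(recs))
    print(unique_ips_by_type(recs))
    print(unique_ips_by_isp_and_type(recs, table))
```

On the constructed feed, botnet produces three reports but a single address, which is exactly the inflation the report describes; the /25 inside ISP-B's /24 shows why the prefix table must be scanned most-specific first, otherwise the customer's addresses would be charged to the upstream ISP.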

[24] Delegation data retrieved from APNIC's FTP service (ftp.apnic.net/stats/apnic) on 16 November 2012.
[25] DTAC is registered as a network provider under the name "Total Access Communication, Plc".


Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type

3.) Phishing

Table 5: Top 10 number of phishing reports sorted by country

According to Table 5, the United States ranked first with 64,064 reports or 30.44%, followed by Hong Kong and Germany with 32,910 and 25,217 reports (15.64% and 11.98%) respectively. Thailand ranked 14th with 2,474 reports.

Table 6: Number of phishing reports sorted by type of domain name

In reference to the reported phishing URLs [26] in Table 6, commercial websites had the highest share of reports at 64.50%, comprising .com (53.89%), .co.th (10.33%) and .biz (0.28%), while government (.go.th) and academic (.ac.th) websites together accounted for 20.25%. The remaining reports had no domain name at all, because those phishing URLs used a bare IP address.
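Grouping phishing URLs the way Table 6 does depends on extracting the real host first, and phishing URLs are built to make that hard: the bank's name is placed in the userinfo part ("http://bank.example@evil.test/"), ports are added, and hosts are given as IPv4 or IPv6 literals. The following added example (not the report's code) does the extraction with the standard library and produces the count and percentage per category; the sample URLs are constructed.

```python
"""Classifying phishing URLs by domain category, as in Table 6.

Added example, not from the report. Sample URLs are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit
import ipaddress

# Suffix -> category. The longest matching suffix wins, so ".co.th" is
# decided before any shorter suffix could claim the host.
CATEGORIES = {
    ".co.th": "commercial (.co.th)",
    ".go.th": "government (.go.th)",
    ".ac.th": "academic (.ac.th)",
    ".com": "commercial (.com)",
    ".biz": "commercial (.biz)",
}


def host_of(url: str) -> str:
    """Real host of a URL. urlsplit().hostname drops userinfo, the port and
    IPv6 brackets, and lower-cases the result."""
    if "://" not in url:
        url = "http://" + url                    # feeds often omit the scheme
    return (urlsplit(url).hostname or "").rstrip(".")


def categorize(url: str) -> str:
    host = host_of(url)
    if not host:
        return "invalid"
    try:
        ipaddress.ip_address(host)               # IPv4 or IPv6 literal host
        return "ip-address"
    except ValueError:
        pass
    for suffix in sorted(CATEGORIES, key=len, reverse=True):
        if host.endswith(suffix):
            return CATEGORIES[suffix]
    return "other"


def tally(urls: Iterable[str]) -> Dict[str, Tuple[int, float]]:
    """Category -> (count, percent of all URLs), the shape of Table 6."""
    counts = Counter(categorize(u) for u in urls)
    total = sum(counts.values())
    return {c: (n, round(100.0 * n / total, 2)) for c, n in counts.items()}


if __name__ == "__main__":
    sample = ["http://www.example-bank.co.th/login", "http://bank.example@evil.com/signin",
              "http://203.0.113.5:8080/verify", "https://portal.example.go.th/~user/"]
    for u in sample:
        print(categorize(u), u)
    print(tally(sample))
```

The userinfo case is the one to watch: a naive split on the first "/" after the scheme would report "bank.example" as the host and charge the phishing page to the victim's own domain.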

[26] The information used to identify the location of phishing websites.

Table 7: Top 10 number of phishing reports sorted by ISP

No. | ISP                                            | AS Number        | Number of Reports | Number of Unique IP Addresses | Number of Unique URLs | Reports per Unique IP Address
1   | CAT Telecom (Public) Co., Ltd.                 | 9931             | 1,028 | 130 | 531 | 7.9
2   | CS Loxinfo (Public) Co., Ltd.                  | 4750, 7568, 9891 | 407   | 62  | 254 | 6.6
3   | Internet Thailand (Public) Co., Ltd.           | 4618             | 175   | 22  | 131 | 8.0
4   | Internet Solution & Service Provider Co., Ltd. | 24299, 7654      | 130   | 19  | 99  | 6.8
5   | Super Broadband Network Co., Ltd.              | 45458            | 110   | 1   | 37  | 110.0
6   | Metrabyte Co., Ltd.                            | 56067            | 97    | 27  | 74  | 3.6
7   | Government Information Technology Services     | 9835             | 75    | 10  | 43  | 7.5
8   | True Internet Co., Ltd.                        | 7470, 9287       | 64    | 8   | 31  | 8.0
9   | Ministry of Education                          | 23974            | 45    | 23  | 35  | 2.0
10  | UniNet                                         | 4621             | 44    | 8   | 22  | 5.5

Table 7 shows that most reports came from commercial ISPs, except for the providers serving government agencies (Government Information Technology Services, GITS) and academic institutions (UniNet and the Ministry of Education), which were also in the top 10. There are several possible reasons for the number of reports per unique IP address exceeding 1. For instance, if a web server hosts many websites and one of them is compromised, the other websites on the same server may be compromised and used to distribute phishing pages as well. Another is that the same website was used to distribute phishing pages more than once.

4.) Malware URL

Table 8: Top 10 number of malware URL reports sorted by ISP

ThaiCERT received a total of 30,153 malware URL reports. Table 8 shows that most occurred in the network of CAT Telecom (56.67% of all reports), followed by CS Loxinfo (19.07%); most of the ISPs in the top 10 in fact provide commercial Internet Data Center (IDC) services. Academic institutions and agencies such as the Ministry of Education, Sripatum University and UniNet were also in the top 10.

Table 9: Top 10 number of unique malware URL reports sorted by ISP

Table 9 ranks ISPs by the number of unique malware URLs reported. Counting by unique IP address instead changes the ranking slightly, as shown in Table 10.

Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP


Table 10 covers the 840 IP addresses in the top 10 ISPs ranked by number of reports. CAT Telecom still ranked first, with only 298 IP addresses accounting for 11,793 reports. Compared with the statistics in Table 9, this means malware URL incidents averaged 39.6 reports per IP address.

Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name

Table 11 indicates that commercial organizations (.com and .co.th) were reported at 411 unique IP addresses, while academic institutions and government agencies (.ac.th and .go.th) were also reported in great numbers. This suggests that the computer systems of those organizations were insecure, giving attackers the opportunity to get into those systems and use them to distribute malware.

Table 12: Top 10 number of unique malware URL reports sorted by domain name

Table 12 shows the malware URL reports classified by domain name. The first rank belonged to the website of Pichit Educational Service Area Office 1 with 8,084 malware URLs, followed by www.energyfantasia.com, the main website of the "Energy Fantasia" project launched by the Ministry of Energy, with 1,418 malware URLs. The third was school.obec.go.th, which belongs to the Office of the Basic Education Commission, with 1,216 malware URLs. Notably, the top three websites all belong to government agencies.

5.) Spam

Table 13: Top 10 number of spam reports sorted by ISP

In 2012, ThaiCERT received reports of 1,522,224 computers in Thailand being used to send spam. Most were in the networks of commercial ISPs such as TOT (46.50%), AIS (16.59%), DTAC (13.25%) and True (11.36%). Commercial ISPs are attractive as a base for sending spam because of their large customer base, and the number of reported IP addresses also varied with the number of customers of each ISP. There was no correlation between the number of reports per unique IP address and the ranking, probably because some servers were rented or controlled by the attacker specifically for sending spam.

6.) Scanning

Figure 10: Top 10 number of scanning reports sorted by port number

Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number

There was a total of 5,375 IP addresses, with the top 10 ranking shown in Table 14 and Figure 10. The most targeted ports were related to remote administration: the top four were 4899/TCP Radmin remote administration (45.40%), 3389/TCP Windows Remote Desktop (34.16%), 445/TCP Windows SMB/RPC services (6.70%) and 22/TCP SSH (3.91%). It can be concluded that most attackers intended to gather information and attempt to access the targeted systems mainly via remote administration services. Disabling remote administration on servers directly connected to the Internet, or restricting it to known source addresses, would therefore reduce the risk of attack through this channel.
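The per-port figures above are the output of a detection step that the report does not show: from connection-attempt logs, find sources that sweep many hosts on one port (a horizontal scan, the pattern behind the Radmin and RDP numbers) or many ports on one host (a vertical scan), then rank ports by the number of distinct scanning sources, as Table 14 counts them. The following is an added example, not ThaiCERT's or any ISP's code. The log lines are constructed in a simplified iptables-like format, and the thresholds are assumptions to be tuned per network.

```python
"""Detecting port scanners in firewall deny logs.

Added example, not from the report. Log lines are constructed; thresholds
are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Remote-administration ports called out in the report.
ADMIN_PORTS = {4899: "Radmin", 3389: "RDP", 445: "SMB/RPC", 22: "SSH"}
HOST_THRESHOLD = 5    # distinct destination hosts on one port -> horizontal scan
PORT_THRESHOLD = 10   # distinct destination ports on one host -> vertical scan

# Only TCP connection attempts are considered; UDP noise is ignored by the pattern.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")


def deny_line(src: str, dst: str, dpt: int, proto: str = "TCP") -> str:
    """Constructed, simplified iptables-style deny record."""
    return (f"Nov 30 10:00:00 gw kernel: DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO={proto} SPT=51234 DPT={dpt} SYN")


SAMPLE_LOG: List[str] = (
    [deny_line("198.51.100.200", f"203.0.113.{i}", 3389) for i in range(1, 7)]   # 6 hosts on RDP
    + [deny_line("203.0.113.66", "203.0.113.1", p) for p in range(20, 32)]       # 12 ports, one host
    + [deny_line("192.0.2.77", "203.0.113.9", 3389), deny_line("192.0.2.77", "203.0.113.9", 4899)]
    + [deny_line("192.0.2.9", "203.0.113.1", 443)]                                # ordinary client
    + [deny_line("192.0.2.9", "203.0.113.1", 53, proto="UDP")]                    # not TCP: ignored
)


def parse(lines: Iterable[str]) -> Iterator[Tuple[str, str, int]]:
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dpt"])


def detect_scanners(lines: Iterable[str]) -> List[dict]:
    hosts_per_port = defaultdict(lambda: defaultdict(set))   # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))   # src -> dst -> {port}
    for src, dst, dpt in parse(lines):
        hosts_per_port[src][dpt].add(dst)
        ports_per_host[src][dst].add(dpt)
    findings = []
    for src, by_port in hosts_per_port.items():
        for port, hosts in by_port.items():
            if len(hosts) >= HOST_THRESHOLD:
                findings.append({"src": src, "kind": "horizontal", "port": port,
                                 "service": ADMIN_PORTS.get(port, "other"), "count": len(hosts)})
    for src, by_host in ports_per_host.items():
        for host, ports in by_host.items():
            if len(ports) >= PORT_THRESHOLD:
                findings.append({"src": src, "kind": "vertical", "host": host, "count": len(ports)})
    return findings


def ports_by_unique_source(lines: Iterable[str]) -> List[Tuple[int, int]]:
    """(source count, port) pairs, most-probed port first, counting each
    source once per port as the report's unique-IP tables do."""
    sources: Dict[int, set] = defaultdict(set)
    for src, _dst, dpt in parse(lines):
        sources[dpt].add(src)
    return sorted(((len(s), p) for p, s in sources.items()), reverse=True)


if __name__ == "__main__":
    for f in detect_scanners(SAMPLE_LOG):
        print(f)
    print(ports_by_unique_source(SAMPLE_LOG)[:3])
```

One caveat the report itself raises applies here: behind a NAT gateway many machines share one source address, so a horizontal finding against a single public IP may be several infected hosts rather than one scanner, and the per-source thresholds should be set with that in mind.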

Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP

Figure 11: Top 10 number of scanning reports sorted by ISP

Regarding the scanning reports classified by ISP in Table 15 and Figure 11, most IP addresses were in the networks of major commercial ISPs in Thailand. The highest number of reported IP addresses belonged to True Internet with 1,847, followed by TOT and Triple T Broadband with 1,642 and 1,320 IP addresses respectively. The top three ISPs accounted for approximately 90% of all reported IP addresses.

7.) Botnet

Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name

As shown in Table 16, the botnet reports were concentrated in the commercial ISPs offering broadband Internet service, such as TOT, True and Triple T Broadband, which together accounted for 88% of all reports. This indicates that personal computers were the main targets controlled by botnets, and that these computers were at risk of being used as a base for attacking other systems or of having personal information stolen.

Table 16: Top 10 number of botnet reports sorted by ISP

No. | ISP                                          | Number of Reports
1   | TOT (Public) Co., Ltd.                       | 161,402
2   | True Internet Co., Ltd.                      | 57,935
3   | Triple T Broadband (Public) Co., Ltd.        | 57,458
4   | Advanced Info Service (Public) Co., Ltd.     | 13,218
5   | Total Access Communication (Public) Co., Ltd.| 10,899
6   | JasTel Network Co., Ltd.                     | 4,904
7   | Ministry of Education                        | 2,658
8   | UniNet                                       | 734
9   | CS Loxinfo (Public) Co., Ltd.                | 407
10  | True Move Co., Ltd.                          | 348


8.) Open DNS Resolver

An open DNS resolver is an improperly configured DNS server that answers recursive queries from computers on any other network. It can become the base for attacking other systems using the DNS amplification technique described in Picture 2. The attacker sends DNS requests to many open DNS resolvers simultaneously with the source IP address forged to be that of the targeted system, so that the open resolvers send their responses to the target. Because a DNS response is typically much larger than the request that elicited it, the attacker uses open resolvers to multiply the traffic into a DDoS attack. The attack saturates the Internet bandwidth of the targeted system until it can no longer communicate with others or fails altogether. A DNS server that needs to serve only its own users should restrict recursion to its own network ranges.

Picture 2: DNS amplification attack technique
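The attack in Picture 2 works because a resolver answers a recursion-desired UDP query from anyone, and answers with more bytes than it received. The following added example (not from the report) shows both halves: it builds such a query for a name the probed server is not authoritative for, classifies the reply (NOERROR with answer records means the server recursed for an outside client and is an open resolver; REFUSED means recursion is correctly denied), and computes the amplification ratio in bytes. The EDNS0 OPT record that an attacker adds to invite replies larger than 512 bytes is shown too. The probe name, the canned replies and the address in the answer are constructed; the live probe needs network access and permission to test the target.

```python
"""Probing for open DNS resolvers and measuring amplification.

Added example, not from the report. Canned replies are constructed; probe()
is the only function that touches the network.
"""
import socket
import struct
from typing import Optional, Tuple

QTYPE_A, QTYPE_ANY, QTYPE_OPT = 1, 255, 41     # ANY elicits the largest replies
RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name: str, qtype: int = QTYPE_A, query_id: int = 0x1234,
                edns_udp_size: Optional[int] = None) -> bytes:
    """Wire-format DNS query with RD=1. With edns_udp_size an OPT record is
    appended so the server may send a reply larger than 512 bytes."""
    flags = 0x0100                               # RD: recursion desired
    arcount = 1 if edns_udp_size else 0
    header = struct.pack(">HHHHHH", query_id, flags, 1, 0, 0, arcount)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)          # class IN
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size,
        # TTL carries extended RCODE/version/flags (all zero), no RDATA.
        opt = b"\x00" + struct.pack(">HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def classify_response(query_id: int, data: bytes) -> str:
    """Verdict from the header of a reply to build_query()."""
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != query_id:
        return "id-mismatch"                     # not our reply: ignore it
    qr, ra, rcode = flags >> 15 & 1, flags >> 7 & 1, flags & 0xF
    if not qr:
        return "not-a-response"
    if rcode == RCODE_REFUSED:
        return "refused"                         # recursion denied to us: good
    if rcode == RCODE_NOERROR and ancount > 0:
        return "open"                            # answered for a foreign name
    if not ra:
        return "recursion-unavailable"
    return f"rcode-{rcode}"


def amplification(query: bytes, response: bytes) -> float:
    return len(response) / len(query)


def probe(server_ip: str, name: str = "example.com", timeout: float = 2.0) -> Tuple[str, Optional[float]]:
    """Live check (network). Only run against servers you are authorised to test."""
    qid = 0x4242
    query = build_query(name, query_id=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-response", None
    return classify_response(qid, data), amplification(query, data)


def canned_response(query: bytes, flags: int, answer: bytes = b"") -> bytes:
    """Constructed reply that echoes the query's ID and question section."""
    qid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", qid, flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer


# Constructed A record: pointer to the question name (offset 12), type A,
# class IN, TTL 300, 4-byte address from the 192.0.2.0/24 documentation range.
A_ANSWER = b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])


if __name__ == "__main__":
    q = build_query("example.com")
    reply = canned_response(q, 0x8180, A_ANSWER)        # QR, RD, RA, NOERROR
    print(classify_response(0x1234, reply), round(amplification(q, reply), 2))
    print(classify_response(0x1234, canned_response(q, 0x8185)))  # REFUSED
```

A single A record already gives a ratio above 1.5 for a 29-byte query; an ANY query with EDNS0 against a zone with DNSSEC records returns replies of several kilobytes, which is where the attack's bandwidth multiplier comes from. The classification is deliberately conservative: an answer is required, because some servers set the RA bit in the header while still refusing to recurse.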

Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP


There was a total of 143,255 IP addresses of open DNS resolvers, with the top 10 ranking listed in Table 17. Most belonged to major commercial ISPs such as True, TOT and Triple T Broadband, which together accounted for 96% of all reports. The Ministry of Education was the only government agency in the top 10.

9.) Open Proxy Server

An open proxy server is a web proxy that can be used without authentication. An attacker can abuse it either by taking advantage of the improper configuration or by gaining access to the system and changing its configuration, and then use it for malicious purposes.

Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP


There was a total of 3,596 IP addresses reported as open proxy servers; the ten networks with the highest number of reports are listed in Table 18. Unsurprisingly, most reports belonged to the major commercial ISPs such as Triple T Broadband, TOT and True, which together account for 98% of all reports, and, as with open DNS resolvers, the Ministry of Education is the only government agency listed in the top 10 ranking. Although a web proxy service normally runs on a server, the analysis shows that most of the reported IP addresses were in the networks of broadband ISPs. This issue requires more supporting information from the ISPs for further investigation.

4.3.2 The Statistics of Directly Reported Incidents

Apart from the automatic feed, incidents can be reported directly to ThaiCERT via email and telephone. Incident reports are submitted to the ticket management system called “Request Tracker”. The reported incidents are classified into nine categories according to the eCSIRT (European Computer Security Incident Response Team) threat classification27.

27 http://www.ecsirt.net/cec/service/documents/wp4-clearinghouse-policy-v12.html#HEAD6

The details are described in Table 19.

Table 19: Cybersecurity threat types according to eCSIRT

No. / Type: Description

1. Abusive Content: Contents such as child pornography, glorification of violence and spam are considered abusive content.
2. Malicious Code: Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code.
3. Information Gathering: Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes information gathering from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).
4. Intrusion Attempts: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing/cracking of passwords and brute force.
5. Intrusions: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access.
6. Availability: In this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN- or PING-flooding and email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.).
7. Information Security: Besides local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information.
8. Fraud: The use of internet services such as websites or email to defraud victims or to otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft.
9. Other: If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.


Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type

Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type

From the incidents reported to ThaiCERT via email and telephone, as shown in Table 20, there were 792 reports in total in 2012. The table also shows that fraud dominated the reported incident types with 534 reports, or 67.42%. The second is the Malicious Code type with 10.35% and the third is the Intrusions and Intrusion Attempts type with 17.30%.

Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location

Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location

ThaiCERT has classified the relevant individuals into three types: Submitter, Attacker and Victim. These types were further classified by location into Domestic, Foreign and Unknown. Table 21 and Figure 14 indicate that more than 90% of submitters were from foreign countries. This corresponds to the number of foreign victims, which is almost 90% as well. For the reports whose location cannot be identified (Unknown), there was no information to identify the location of the victims and the attackers.

Table 22: Number of fraud reports sorted by type of relevant individuals and their location

Location   Submitters  Percentage (%)   Victims  Percentage (%)   Attackers  Percentage (%)
Domestic   18          3.37             15       2.81             515        96.44
Foreign    516         96.63            519      97.19            19         3.56
Unknown    0           0                0        0                0          0

Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant individuals and their location

Table 23: Number of fraud reports sorted by type of relevant individuals and organizations

Type                                Number of Submitters  Percentage (%)   Number of Victims  Percentage (%)   Number of Attackers  Percentage (%)
Individuals                         4                     0.75             0                  0                0                    0
CSIRT/Infosec agencies              349                   65.36            0                  0                0                    0
Internet Service Providers          1                     0.19             0                  0                0                    0
Company/Business/Private agencies   179                   33.52            519                97.19            345                  64.61
Academic Institutes                 0                     0                0                  0                45                   8.43
Government agencies                 1                     0.19             0                  0                85                   15.92
Others                              0                     0                15                 2.81             59                   11.05


Table 23 presents the number of fraud reports categorized by type of relevant individuals and organizations, where an attacker could be either the phishing page itself or the system owner who intended to host a fraudulent website. According to Table 23, relevant entities can be categorized into 7 types including individuals, CSIRT/Infosec agencies, Internet Service Providers, company/business/private agencies, academic institutes, government agencies and the others.

Figure 16: Percentage distribution of number of fraud victims

Figure 17: Percentage distribution of number of fraud submitters

Figure 16 shows that most fraud victims were in the group of companies/businesses/private agencies, with a ratio higher than 90% of all fraud reports. The rest fall into the "Others" type, where the actual victim could not be identified because the phishing pages had already been deleted or changed during the incident investigation and there was not enough information to further identify the target of the attack. As for the submitters of fraud incidents shown in Figure 17, 65.36% of submitters were CERT organizations around the world, followed by the company/business/private agencies type, such as banks or financial institutions, with 33.52%. The rest of the submitters (individuals, ISPs and government agencies) amounted to about 1.13%.

Figure 18: Percentage distribution of number of fraud attackers

The percentage distribution of fraud attackers shown in Figure 18 indicates that most of the attackers, about 64%, belonged to the group of companies/businesses/individuals, while 24% belonged to government agencies and academic institutes. Based on the information obtained during analysis, ThaiCERT found that none of the phishing pages were created by the website owners. The owners were instead victims of attackers who compromised the web servers in order to create the phishing pages, and the website administrators were unaware of these malicious activities. This finding shows that most websites of companies/businesses/individuals in Thailand still require stronger security measures to protect against attackers.


Figure 19: Number of directly reported incidents during 2001-2012

Figure 19 shows the number of directly reported incidents from 2001 to 2012. The red bars indicate the number of incident reports during 2001 - 2010, while ThaiCERT was operated under Thailand’s National Electronics and Computer Technology Center (NECTEC); the number of incident reports for those years was extracted from Asia Pacific Computer Emergency Response Team (APCERT) annual reports. The graph does not show the number of incident reports in 2009 since ThaiCERT did not submit a report to APCERT that year. The blue bars represent the number of directly reported incidents during 2011 - 2012, after ThaiCERT was transferred to operate under the Electronic Transactions Development Agency (ETDA). The number of incident reports in 2011 is 792, which was approximately 22% higher than the number of incident reports in 2013 with 646 incident reports.

Apart from the automatic feed and email as channels for receiving incident reports, ThaiCERT also collaborated with Microsoft to gather information and handle cybersecurity incidents related to Rustock and Zeus. The statistics are summarized as follows.

Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP

Figure 20 represents the number of unique IP addresses infected by Rustock in Thailand, collected from January 13th to June 20th, 2012, with a total of 71,719 IP addresses. After ThaiCERT analyzed the incident reports and coordinated with the relevant ISPs to handle these incidents, the number of reports decreased continuously from January 2012, from approximately 4,500 to under 3,000 per week. The decrease was mainly in the IP addresses of TOT and True.

Figure 21: Number of unique IPs infected by Zeus sorted by month and ISP

In June 2012, Microsoft announced that it would stop providing incident reports regarding Rustock and provide Zeus reports instead, since Microsoft had taken down the command and control servers of the Zeus botnet and found that many more IP addresses were infected by Zeus. ThaiCERT therefore received Zeus incident reports during June - November 2012, as shown in Figure 21. Figure 21 shows a total of 88,708 unique IP addresses infected by Zeus, with the number of reported IP addresses peaking in July at 32,217. Similar to the Rustock case, the number of reported IP addresses went down after ThaiCERT analyzed the incident reports and coordinated with the relevant ISPs.


Figure 22: Percentage distribution of number of repeatedly reported and non-repeated reported IPs from phishing reports

Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name

According to the number of reported IP addresses in phishing reports, as shown in Figure 22 and Figure 23, the proportion of repeatedly reported IP addresses was 19%. Most were from commercial organizations (.com) with 44.6% or 124 IP addresses, followed by educational institutes (.ac.th) combined with governmental agencies (.go.th) with 26.9% or 75 IP addresses. These statistics reflect how effectively the organizations fix the vulnerabilities of their websites after receiving reports.

4.4 Case studies

In 2012, ThaiCERT handled incidents that included interesting case studies such as the domain intrusion at T.H.NIC, the undesirable DNS Changer program, the discovery of a C&C server for the Flame malware, email account hacking, and phishing threats on web hosting in Thailand.

4.4.1 Intrusion of T.H.NIC Domain Name Management System

In June 30th 2012, ThaiCERT received a report from an international cybersecurity organization that the IP addresses of many multinational companies in Thailand had been changed, likely with malicious intent. It was known as a domain hijacking attack, but the attack method was unknown. After coordination with T.H.NIC, the national domain name registrar in Thailand (ccTLD/Country Code Top Level Domain), ThaiCERT found that T.H.NIC’s domain name database had been compromised. Moreover, a number of domain names had been stolen without the owners of those domain names being aware of it.

Picture 3: Structure of domain name modification system of T.H.NIC

After analyzing the reports and coordinating closely with T.H.NIC for suggestions and assistance during the period from June 31st 2012 to July 2nd, 2012, ThaiCERT found that the suspect used IP addresses in Eastern European countries to attack a vulnerability in the Content Management System (CMS) of T.H.NIC’s publishing page. Through this, the suspect was able to access the main database system and also the source code of the system that manages domain name registration information. Since all systems shared the same server and database, the server’s log shows that the malicious person obtained all passwords of the domain name register and the database administrator’s password. Therefore, the hacker could change all domain name registration information in T.H.NIC’s system.

With all information on hand, ThaiCERT helped T.H.NIC identify the causes of the domain name management problems and advised how to improve the system for operation.

From this case, ThaiCERT acknowledges the importance of intrusion detection capability, which needs to be developed to an international standard level in order to be able to handle incident response for systems of organizations that are responsible for internet infrastructure. Moreover, digital forensics capability is not only important to police investigations; it can also be used to identify the vulnerabilities of a compromised information system in order to develop preventive measures efficiently and promptly.

4.4.2 Dissemination of DNS Changer Malware

DNS Changer malware was first discovered in 2007 and can infect both Windows and Mac OS X computers. DNS Changer malware changes the DNS server records in infected computers to the IP addresses of rogue DNS servers set up by criminals. Whenever users of infected computers try to access a website, the infected computer contacts the rogue DNS servers operated by the criminals instead of the legitimate DNS servers. Subsequently, users are redirected to fraudulent websites or their online activities are interfered with. In November 2011, the FBI (United States Federal Bureau of Investigation) reported that more than 4 million computers around the world were infected with DNS Changer malware28.

The FBI arrested the criminals responsible for spreading DNS Changer malware and running the rogue DNS servers, which allowed them to manipulate the victims’ online activities. Although the FBI had intended to disable the rogue DNS servers, it was unable to do so because that would leave the infected computers unable to access the internet, since those computers rely on the rogue DNS services for internet access. According to an investigative report dating from March 2012, there were about 450,000 computers around the world infected by DNS Changer malware, including many government computers.

By April 23, 2012, the FBI had sent the list of IP addresses of all infected computers to the responsible ISPs in each country so that the computers infected with DNS Changer malware could be cleaned up before the deadline of July 9, 2012, the date on which the FBI would shut down the clean DNS servers operated for the infected victims.

Figure 24: Number of reports of DNS changer infected in network of agencies or ISPs; information retrieved on 8 July 2012 from DCWG.org

28 http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf

ThaiCERT received the list of computers in Thailand infected with DNS Changer malware from the DNS Changer Working Group (DCWG)29 in order to cooperate with Thai ISPs in notifying the infected victims. As of July 8, 2012, a day before the FBI shut down the clean DNS servers for the infected victims, there were 2,023 infected computers in Thailand. These could be roughly divided into ten groups based on their associated ISP networks, as shown in Figure 24. From the chart, it can be seen that infected computers could be found among major ISPs such as TOT, Triple-T and CAT, as well as in the networks of the government sector, e.g. the Ministry of Education.

This is an interesting case study because, even though the IP addresses of the infected computers were known, ThaiCERT was not able to track down the victims by their IP addresses. This is because the IP addresses are owned directly by the ISPs, which makes it impossible for ThaiCERT to contact and notify the victims directly. Thus, ThaiCERT had to coordinate with the ISPs so that they could notify their clients about the infected computers. Therefore, despite ThaiCERT being capable of all the tracking processes necessary to follow up on problems, the efficiency of the process largely depends on the cooperation and customer service approach of each ISP.

4.4.3 C&C of Malware Clan “Flame” Discovery

ThaiCERT was informed on June 19, 2012 by a security partner that they had found the C&C (Command and Control) server30 of a botnet malware in Thailand, most probably a new variant of the malware called “Flame”. In the past, Flame was most commonly known as a malware targeting government agencies in Middle East countries. ThaiCERT’s investigation revealed that the reported C&C computer was hosted at a web hosting provider in Thailand.

ThaiCERT coordinated with the informant (the security partner) and requested more information for further analysis and investigation, and then confirmed that the reported C&C server indeed existed. Moreover, the informant advised ThaiCERT that the owners of the C&C server might be involved in illegal activities and might delete all data on the server if there were an attempt to seize it, as had happened before in many cases in other countries. The informant advised ThaiCERT to initiate legal action to obtain a warrant for confiscation of the C&C server.

ThaiCERT went on to discuss the case with the legal authorities, both the Technology Crime Suppression Division, Royal Thai Police and the IT Crime Prevention and Suppression Bureau, Ministry of Information and Communication Technology. In practice, a crime cannot be prosecuted by an authority in Thailand unless a victim files a complaint against the criminals. As there was no identified victim in this case, the prosecution criteria under Thai law could not be fulfilled for legal proceedings. ThaiCERT has taken steps to recommend legal amendments that would mitigate the official limitations in existing law enforcement. This is a long-term mission, and there remains a significant lack of short-term measures. Therefore, improving security measures should be emphasized. To that end, the National Cybersecurity Committee was established, with the Prime Minister as the Chairperson.

29 DNS Changer Working Group

30 A Command and Control Center (C&C) is a computer created and used by a malware developer to control and command the malware on infected computers to serve his needs.

4.4.4 Hacking the Email Account of an SME Entrepreneur

ThaiCERT received a report from an SME exporter that the main email account used to correspond with international clients had been compromised. This case involved fraud, with the victims being the clients of the SME. In addition, they found that the fraudster had set up a new email account with an address similar to the SME’s original email address to deceive the clients into believing that the email was genuine. Then the fraudster, impersonating the entrepreneur, informed the clients that the entrepreneur had changed the bank account number used for trading and tried to trick the clients into transferring money to this fraudulent account. Some clients fell for this scam and transferred money to the fraudulent account. After becoming aware of being a victim of this fraudulent scheme, the entrepreneur reported it to the Technology Crime Suppression Division, Royal Thai Police and the Ministry of Information and Communication Technology, and was then referred to consult with ThaiCERT.

Interestingly, the evidence raised some questions: How did the fraudster know the email addresses of the victims? How did the fraudster know details of the business activities, such as the details of orders in terms of product types and payment transactions, which were found in the content of emails between the fraudster and the victim clients? The fact that the fraudster apparently could access these details from the entrepreneur’s email account explains why the fraudster possessed sufficient information to deceive the clients into thinking that they were dealing with the real entrepreneur.

ThaiCERT investigated the entrepreneur’s email access log because we assumed that the fraudster might be in possession of the username and password of the entrepreneur’s email account, thus being able to access information such as client names and client or old purchase orders. However, it turned out that the incident had happened over a very long period of time, which made it extremely difficult to investigate the fraudster’s activities. ThaiCERT coordinated with the email service provider and related CERTs for help in investigating the fraudster’s activities and disabling the fraudulent email account. Unfortunately, the email service provider requested legal documents as a precondition for taking any further action. In response to this demand, ThaiCERT coordinated with the Technology Crime Suppression Division, who could assist the entrepreneur with the documents requested for legal proceedings.

The interesting point of this case is that even though the SME entrepreneur took extensive precautions in using computers and the Internet, e.g. by only using licensed and updated software, by not accessing their email account from public computers, and by using long and complex passwords that are difficult to guess, the fraudster was still able to gain access to their email account.

4.4.5 Phishing in Thai Web Hosting

Between July 2011 and August 2012, ThaiCERT received several reports from Bradesco bank in Brazil about phishing web pages that imitated the Bradesco web page in order to steal personal information from visitors. The cases appeared to be linked to a web hosting provider in Thailand, and 34.7% of all phishing pages targeting Bradesco bank were hosted there. Although the websites hosting phishing pages on this web hosting service were built using different technologies, the phishing pages had a common signature. This led the analysts to suspect that these websites were attacked by the same person. Furthermore, there was a possibility that the attacker compromised the websites by breaking directly into the management system of the web hosting provider instead of attacking each website built with different technologies, as stated above. In an attempt to solve the case, ThaiCERT contacted the administrators of the web hosting service provider to inform them of the investigation and gave advice on how to enhance the system security to prevent intrusion. The suggestions led to improvement: between July and December 2012, there were no reports of Bradesco bank phishing pages on the attacked web hosting service. We can therefore assume that attackers prefer attacking the vulnerable management system of a web hosting provider. This way of attack is very effective since, even if the individual websites are sufficiently protected, a vulnerability within the central management system of the web hosting provider makes them likely to be compromised. However, a quick response by the web hosting provider to such a situation can make a real difference in mitigating the problem. It can be concluded that success in preventing such incidents depends highly on the coordination between both sides, and incidents should be reported immediately after an attack is found.


5. CERTs and AEC 2015

5.1 The Roles of CERTs in AEC 2015

For over 10 years, ASEAN telecommunication and information technology infrastructure has continuously been developed by its member states with the purpose of improving the quality of life for the region’s more than 500 million people. These technological advances have been welcomed and pushed forward by the telecommunication and IT ministers of all ASEAN member states in an attempt to make businesses more competitive, attract more investment, and increase ASEAN citizens’ potential to achieve a state of readiness for the advent of the AEC in 2015. In order to reach their goals, ASEAN member states drafted the “ASEAN ICT Masterplan 2015” and ratified it at the “10th ASEAN Telecommunication and IT Ministers Meeting” during January 13-14, 2011, with the vision of moving towards an empowering and transformational ICT and creating an inclusive, vibrant and integrated ASEAN. To achieve the vision, the Masterplan identifies 6 strategic thrusts with concrete work plans, focusing on economic transformation, people empowerment and engagement, innovation and infrastructure development, human capital development and bridging the digital divide.

Strategy 2: People Empowerment and Engagement Table 24: Strategy 2: People Empowerment and Engagement

Initiation 2.4: Confidence Reinforcement

Work Plan: Encourage Safe ASEAN Transactions
• developing Mutual Recognition Arrangements (MRA) for the use of common ASEAN electronic certifications within ASEAN member states.
• promoting the use of two-factor authentication in order to identify personal characteristics.

Work Plan: Promote Cyber Security Awareness to ASEAN citizens
• building public awareness on online system security.
• creating and fostering close cooperation between the private sector and the public.


Strategy 4: Infrastructure Development Table 25: Strategy 4: Infrastructure Development

Initiation 4.2: Promote safe and stable network and information systems, information protection, and Computer Emergency Response Team (CERT) cooperation

Work Plan: Network Security Development
• establishing minimum standards of cooperative security to guarantee ASEAN network stability and readiness.
• monitoring network security by setting up and applying the so-called “ASEAN Health Screening” for networks and information systems.

Work Plan: Safety Information Development
• exchanging information on telecommunication infrastructure protection methods between ASEAN members.

Both strategies 2 and 4 of the ASEAN ICT Masterplan 2015 indicate the importance of the processes of fostering safe and secure cyberspace through creating cybersecurity awareness among people, business sector, and other relevant organizations, as well as developing telecommunication infrastructure with appropriate cybersecurity measures.

In order to reach these targets, the Electronic Transactions Development Agency (Public Organization), or ETDA, has been assigned by the Ministry of Information and Communication Technology to be one of the country’s main institutions taking on these challenges. ThaiCERT has represented ETDA in many ASEAN activities conducted under the Masterplan, including as an active member of the ASEAN Network Security Action Council (ANSAC).

5.2 The ASEAN Members’ CERT Reports

The cross-border nature of cyber attacks makes it important to share cybersecurity information and intelligence. This information is often shared at the level of CERT operations through a trusted network of incident responders. Cyber-attack patterns can potentially be extracted from the data shared by the CERTs. We have selected ASEAN+3 cyber-attack data from the APCERT annual report 2011 and elaborate on it here to illustrate cybersecurity trends in this region, where ASEAN+3 means ASEAN plus the Republic of China, Japan and the Republic of Korea, and APCERT stands for Asia Pacific Computer Emergency Response Team. APCERT is a cooperation of 22 Asia Pacific organizations from 19 economic zones. All 16 organizations from the 11 countries in ASEAN+3 are shown in Table 26.

Table 26: List of ASEAN+3 CERT members in APCERT

Name | Country
Bach Khoa Internetwork Security Center (BKIS) | Vietnam
Brunei Computer Emergency Response Team (BruCERT) | Brunei
CERNET Computer Emergency Response Team (CCERT) | China
National Computer network Emergency Response technical Team / Coordination Center of China (CNCERT/CC) | People’s Republic of China
Indonesia Computer Emergency Response Team (ID-CERT) | Indonesia
Indonesia Security Incident Response Team on Internet Infrastructure Coordination Center (ID-SIRTII/CC) | Indonesia
Japan Computer Emergency Response Team / Coordination Center (JPCERT/CC) | Japan
Korea Internet Security Center (KrCERT/CC) | Korea
Malaysian Computer Emergency Response Team (MyCERT) | Malaysia
Philippine Computer Emergency Response Team (PHCERT) | Philippines
Singapore Computer Emergency Response Team (SingCERT) | Singapore
Thailand Computer Emergency Response Team (ThaiCERT) | Thailand
Vietnam Computer Emergency Response Team (VNCERT) | Vietnam
Government Computer Security and Incident Response Team (GCSIRT) | Philippines
Myanmar Computer Emergency Response Team (mmCERT) | Myanmar
National University of Singapore Computer Emergency Response Team (NUSCERT) | Singapore

Note that LaoCERT (Laos) and CamCERT (Cambodia) were not members of APCERT at the time of APCERT annual report 2011 publication.

Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011

This graph displays the number of cyber attacks reported within ASEAN+3 countries from 2007 up to 2011 (5 years). It shows that the attacks tended to increase continuously over that 5-year period. The CERTs reporting more than 10,000 cases per year are MyCERT, CNCERT/CC, JPCERT/CC and KRCERT/CC, while BruCERT, ID-SERTII, PHCERT, ThaiCERT and VNCERT reported fewer cases, with the number of cases below 5,000 in 2011.

Table 27 illustrates the percentage of the various types of cyber attack with respect to the number of cases reported by the ASEAN+3 CERTs. Note that the data presented are from BruCERT, ID-SERTII, MyCERT, ThaiCERT, VNCERT, CNCERT/CC, JPCERT/CC, and KRCERT/CC. The information that ThaiCERT contributed to the APCERT annual report 2011 included all attack cases reported during July-December 2011 under the management of the Electronic Transactions Development Agency (Public Organization). However, CNCERT/CC and JPCERT/CC did not submit any information on SPAM cases found in their auto-feed systems. Remarks: PHCERT did not contribute to the 2011 annual report, and SingCERT did not reveal its threat cases but only stated in the APCERT 2011 annual report that fraud cases were the most reported attacks.

Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011

Figure 26: Proportion of threats, sorted by ASEAN+3 countries as shown in the APCERT annual report 2011

From Table 27 and Figure 26, we can see that malicious code cases had the highest percentage (more than 50%) compared to other types of attacks for Brunei and South Korea in 2011. For Indonesia and Japan, the majority of the reported cases, more than 80% and 60% respectively, were information gathering and intrusion attempt attacks. For Malaysia, Thailand, Vietnam, and China, fraud cases were reported the most. All the data for 2011 leads to the conclusion that cyber attacks within ASEAN+3 are on the rise, and the top types of attacks are information gathering, intrusion attempts, and fraud.

5.3 Strengthening Collaboration of CERTs

5.3.1 Building Networks

Coping with cyber threats effectively requires the relevant parties to collaborate, particularly those directly in charge of IT security administration. Most of the time, CERTs do not have the legal power to enforce any law. They rely on collaboration and create networks such as FIRST, APCERT, and OICCERT. As members of a network, CERTs can together exchange information and deal with threats more effectively. Thailand saw the global benefits of such collaboration and has been an active member of APCERT, FIRST and other CERT communities.

The Asia Pacific Computer Emergency Response Team (APCERT) consists of more than 22 members from 19 zones. Its vision is to promote cybersecurity and feasibility among members through international cooperation. APCERT members meet annually to share information and lessons learned on dealing with cybersecurity incidents. Additionally, they conduct annual incident drills to test efficiency and revise their incident handling guidelines if necessary.

The Forum of Incident Response and Security Teams (FIRST) has more than 260 members. It aims to promote collaboration among members in dealing with threats effectively by using shared guidelines, tools and secured communication channels. Members of FIRST can create joint task forces to carry out collaborative work of interest using their expertise. For example, the CVSS Special Interest Group (CVSS SIG) is responsible for creating a guideline for the assessment of the severity of system vulnerabilities. The Metrics SIG is responsible for creating a guideline for the evaluation of incident handling effectiveness. The Network Monitoring SIG promotes the collection and analysis of data from sensor networks and looks for malicious activities in computer networks. The Malware Analysis SIG aims to promote tools and methods for malware analysis.

All these initiatives are beneficial for CERT communities and their constituencies globally, as they promote collaboration among members, enhance capacities in handling threats and ensure an international standard of incident handling practice.

5.3.2 Point of Contact

Handling cybersecurity incidents requires extensive coordination at both organizational and national levels. A key element of success in incident handling is the Point of Contact (PoC), an organization representative who needs to be sufficiently IT-competent and well-equipped with tools to ensure prompt and effective coordination when the organization faces threats.

As the PoC is a vital role in incident handling, PoC information must always be updated when there are changes, such as a change of coordinator or a change of communication channels. The PoC information should be made available to the public. At present, CERT networks have initiated several measures to consolidate the PoC information and keep the public updated. For example, the FIRST PoC list is published at http://www.first.org/members/teams 31 and lists more than 260 entries. The list enables information sharing with the PoCs by telephone, facsimile and email. PGP technology is employed to identify senders and recipients. It also allows message encryption for communicating sensitive information.

5.3.3 Threat Information Service

Successful threat management requires an organization to be proactive. Some organizations have the ability to monitor their network activities while others are unable to do so. Nevertheless, several independent institutions have initiated threat data collection and provide the data to their members. With that data, the members can promptly take action against the threats. For example, the Anti-Phishing Working Group (APWG) and PhishTank, operated by OpenDNS, collect and distribute information about phishing attacks. The information includes phishing URLs, which can be used by the relevant CERTs for instant incident handling.

In addition, CERTs also exchange threat information among themselves. This information includes threat origins and characteristics, possible prevention measures and solutions. Any organization can use this type of information to alert other organizations that may possibly be a target of a similar threat. Such initiatives help enhance awareness and prepare many organizations for tackling cyber threats.

31 http://www.first.org/members/teams accessible from 31 August, 2012

5.3.4 Standards on Threat Information

One of the main problems of information exchange on cyber attacks is that the format of the information to be shared is not standardized. This requires additional work of consolidating and preparing data so that it can be shared with other parties. To tackle this issue, CERT networks initiated common information standards to increase effectiveness. Among these is the Incident Object Description Exchange Format (IODEF), documented as RFC 5070 32 and approved by the Internet Engineering Task Force (IETF). Furthermore, the Common Vulnerability Scoring System (CVSS) was developed as a common evaluation standard measuring the severity of vulnerabilities. CVSS creates a common understanding of severity levels.

5.3.5 Incident Drill

Incident drills are one of the regular CERT practices. A drill aims to test the existing threat management process and the decision making of relevant personnel by using a mock situation. This activity can enhance confidence at the organizational level by helping an organization prepare its staff to react to cybersecurity incidents effectively. The preparedness theoretically reduces cybersecurity risks and will help limit any damage that might result from an incident.

The drill can be conducted at different levels. The most basic form of the drill can be done by inviting relevant staff members in and assigning them different roles in a scenario. They then have to discuss and make decisions on how to handle the incident in the scenario. The exercise can also be conducted in a more realistic setting, with simulated incidents using real computer and network systems. The result of the exercise can be used to improve incident handling procedures.

32 http://www.ietf.org/rfc/rfc5070.txt accessible from 31 August, 2012
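The IODEF exchange described in 5.3.4, as an added example that is not part of the report: a minimal RFC 5070 document a CERT could send about a phishing site, built and read back with only the Python standard library. The incident ID, CSIRT name, contact address, URL and IP address are constructed placeholders.

```python
"""Build and read a minimal IODEF 1.0 (RFC 5070) phishing report."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def _q(tag):
    """Qualify a tag name with the IODEF 1.0 namespace."""
    return f"{{{IODEF_NS}}}{tag}"


def build_phishing_report(incident_id, csirt_name, contact_email,
                          phishing_url, host_ip, report_time):
    """Return an IODEF-Document (bytes) reporting a phishing site at host_ip.

    Children of <Incident> are emitted in the order RFC 5070 prescribes:
    IncidentID, ReportTime, Description, Assessment, Contact, EventData,
    AdditionalData.  report_time is an ISO 8601 string with a UTC offset.
    """
    doc = ET.Element(_q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, _q("Incident"),
                        {"purpose": "mitigation", "restriction": "need-to-know"})
    # The 'name' attribute identifies the CSIRT that assigned the ID.
    ET.SubElement(inc, _q("IncidentID"), {"name": csirt_name}).text = incident_id
    ET.SubElement(inc, _q("ReportTime")).text = report_time
    ET.SubElement(inc, _q("Description")).text = (
        "Phishing site impersonating a bank, hosted on a compromised web server")
    assessment = ET.SubElement(inc, _q("Assessment"))
    ET.SubElement(assessment, _q("Impact"), {"type": "social-engineering",
                                             "severity": "medium",
                                             "completion": "succeeded"})
    contact = ET.SubElement(inc, _q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, _q("ContactName")).text = csirt_name
    ET.SubElement(contact, _q("Email")).text = contact_email
    # The offending host is described as the "source" System of a Flow.
    system = ET.SubElement(ET.SubElement(ET.SubElement(inc, _q("EventData")), _q("Flow")),
                           _q("System"), {"category": "source"})
    node = ET.SubElement(system, _q("Node"))
    ET.SubElement(node, _q("Address"), {"category": "ipv4-addr"}).text = host_ip
    service = ET.SubElement(system, _q("Service"), {"ip_protocol": "6"})  # TCP
    ET.SubElement(service, _q("Port")).text = "80"
    ET.SubElement(inc, _q("AdditionalData"),
                  {"dtype": "string", "meaning": "phishing-url"}).text = phishing_url
    return ET.tostring(doc, encoding="utf-8", xml_declaration=True)


def parse_phishing_report(xml_bytes):
    """Extract the fields a receiving CERT needs from an IODEF phishing report."""
    root = ET.fromstring(xml_bytes)
    if root.tag != _q("IODEF-Document") or root.get("version") != "1.00":
        raise ValueError("not an IODEF 1.0 document")
    ns = {"i": IODEF_NS}
    inc = root.find("i:Incident", ns)
    incident_id = inc.find("i:IncidentID", ns)
    impact = inc.find("i:Assessment/i:Impact", ns)
    urls = [a.text for a in inc.findall("i:AdditionalData", ns)
            if a.get("meaning") == "phishing-url"]
    return {
        "incident_id": incident_id.text,
        "reporting_csirt": incident_id.get("name"),
        "purpose": inc.get("purpose"),
        "report_time": inc.findtext("i:ReportTime", namespaces=ns),
        "severity": impact.get("severity"),
        "contact_email": inc.findtext("i:Contact/i:Email", namespaces=ns),
        "host_ip": inc.findtext("i:EventData/i:Flow/i:System/i:Node/i:Address",
                                namespaces=ns),
        "phishing_url": urls[0] if urls else None,
    }


def sample_report():
    """A report built from constructed placeholder values (not a real incident)."""
    return build_phishing_report("TH-2012-0001", "csirt.example.org",
                                 "incidents@csirt.example.org",
                                 "http://phish.example/login", "192.0.2.10",
                                 "2012-08-31T09:15:00+00:00")


if __name__ == "__main__":
    print(sample_report().decode())
    print(parse_phishing_report(sample_report()))
```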

5.3.6 Deploying Network Sensors

Some CERTs create their own surveillance systems to detect anomalies within computer networks by using log monitoring software or sensors. These sensors are normally installed around the world to analyze unusual data flows. For instance, if a sensor detects high Denial of Service (DoS) attack traffic from different countries, the surveillance system can send out an alert to a designated person. JPCERT/CC developed Tsubame, a Japanese sensor network with worldwide coverage. It collects originating IP addresses, originating port numbers, and arrival times. The traffic data are processed and animated to help understand the situation visually and to help anticipate other possible incidents. The Tsubame project was developed to reduce cyber risks. The development of such tools for scanning, detecting, and tracing attacks should be a priority for Thailand. This highlights the importance of research and development in cybersecurity.
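The kind of analysis a sensor network feeds, as an added example that is not ThaiCERT's or JPCERT/CC's code: records of arrival time, source IP, source port and destination port (a constructed sample, not Tsubame data) are scanned for destination ports that many distinct sources hit within a short window, the pattern a new worm or mass scan produces. The feed format, window length and threshold are assumptions.

```python
"""Flag ports hit by many distinct sources inside a short window in a sensor feed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: "arrival_time src_ip src_port dst_port" per line.
SAMPLE_FEED = """\
2012-08-31T09:00:01Z 198.51.100.4 51234 445
2012-08-31T09:00:05Z 198.51.100.9 44012 445
2012-08-31T09:00:12Z 203.0.113.7 60001 445
2012-08-31T09:00:40Z 203.0.113.21 53000 445
2012-08-31T09:00:03Z 198.51.100.4 51235 22
2012-08-31T09:09:50Z 192.0.2.33 40010 22
2012-08-31T09:01:00Z 192.0.2.50 40100 80
2012-08-31T09:01:20Z 192.0.2.50 40101 80
2012-08-31T09:01:40Z 192.0.2.50 40102 80
"""


def parse_feed(text):
    """Parse feed lines into (arrival_time, src_ip, src_port, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src_ip, src_port, dst_port = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        src_ip, int(src_port), int(dst_port)))
    return records


def detect_port_surges(records, window=timedelta(minutes=1), min_sources=3):
    """Return {dst_port: sorted source IPs} for every destination port that at
    least min_sources distinct sources contacted within any window-long span.

    A single chatty source (port 80 in the sample) or a few sources spread over
    a long period (port 22) do not trigger an alert; a burst from several
    sources against one port (445) does.
    """
    by_port = defaultdict(list)
    for ts, src_ip, _, dst_port in sorted(records):
        by_port[dst_port].append((ts, src_ip))
    alerts = {}
    for port, hits in by_port.items():
        for i, (start, _) in enumerate(hits):
            # Distinct sources seen from this hit until the window closes.
            sources = {ip for ts, ip in hits[i:] if ts - start <= window}
            if len(sources) >= min_sources:
                alerts[port] = alerts.get(port, set()) | sources
    return {port: sorted(ips) for port, ips in alerts.items()}


def format_alerts(alerts):
    """Render alerts as one line per port, suitable for an e-mail to the on-call person."""
    return [f"ALERT dst_port={port}: {len(ips)} distinct sources: {', '.join(ips)}"
            for port, ips in sorted(alerts.items())]


if __name__ == "__main__":
    for line in format_alerts(detect_port_surges(parse_feed(SAMPLE_FEED))):
        print(line)
```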


6. Threats VS Privacy

Threats often come in the form of privacy violations such as personal data theft, where the stolen data is used for fraud. According to threat statistics, the trend shows significant growth. Personal data protection, or privacy, has become a critical issue raised in various international arenas such as the United Nations, APEC, ASEAN, and Organisation for Economic Co-operation and Development (OECD) conferences. This highlights the need for prevention measures, both legal and practical ones (soft law), as well as raising awareness among the public regarding the threats, prevention measures and impacts of threats such as identity theft and personal data abuse. For example, spam or phishing can be used to steal one's personal data, and an attacker can use the stolen data to impersonate the victim to gain financial information. A more serious case, one that can pose a matter of life and death, would be accessing and modifying medical diagnosis or prescription information. However, not many people in Thailand and other Asian countries are aware of these threats and their potential consequences. People still believe that they do not involve their lives directly, even though many of their daily activities are recorded and processed on computers and social networks.

Despite the misconception about the "Right to Privacy", which many still understand as referring only to personal data, Article 35 of the Thai Constitution states that "A person's family rights, dignity, reputation and the right of privacy shall be protected. The assertion or circulation of a statement or picture by any means to the public which violates or affects a person's family rights, dignity, reputation or the right of privacy, shall not be made except in the case which is beneficial to the public. A person shall have the right to be protected from illegal use of his or her personal information as provided by law."

According to the above statement, "personal data" can be observed from four (4) different perspectives:

• Communication Privacy. This refers to legal protection of the security and privacy of correspondence, telephone, emails or other private communication means;

• Territorial Privacy refers to prohibiting intrusion into or trespassing on personal areas, including CCTV installation and ID pass inspection for resident access;

• Bodily Privacy focuses on protection of one's physical body. For example, genetic testing and drug testing are prohibited; and

• Information Privacy concerns the data protection of an individual. It governs procedures regarding personal data collection and management.

Privacy violation is not a new threat. Over the past decades, organizations and governments in many countries have attempted to establish universal standards for the protection of privacy and the prevention of privacy violations under mutual agreements, e.g. as outlined in Article 12 33 of the Universal Declaration of Human Rights 1948, which states that "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." This statement set a milestone for developing sufficient privacy protection for each country's own citizens.

In response to personal data protection in Thailand, several Articles in Thai law govern privacy. However, "Personal Information" is defined in different contexts, resulting in misunderstanding. Generally, personal information includes any form of data which can directly or indirectly be related to its owner, e.g. ID card number, last name, telephone number, address, images, emails, banking statements, transcripts, etc. This information is often used and publicized without permission, making it very necessary to expedite the Data Protection Law, which has been in the review process for more than 10 years. The draft is aimed at being a mutual legal framework and enhancing public confidence by establishing standards for storing and using data securely. The urgency of the matter has led many countries, such as Malaysia and South Korea, to appoint responsible agencies taking charge of personal data and security under the same agency.

Technology has become a major part of our lives. It offers us conveniences in our daily life with a borderless network for information exchange and access to popular social networks. Despite such conveniences, there is a privacy risk to large amounts of personal information. Information technology makes it more viable for intrusion or privacy violation to occur without being noticed. The following examples reflect some of these violations:

1. Three US telecommunication giants, BellSouth, Verizon and AT&T, had been sued by 26 people in 18 states for compensation worth $200,000 for their violations of personal data: the companies had signed contract agreements to reveal telephone usage data to the National Security Agency (NSA) without permission. The data was supposedly to facilitate constitutional telephone tracking projects to track down terrorist networks. To do this the NSA depends on spying methods such as intercepting telephone, radio, internet, and other communication channels.

2. Several tracking measures have been implemented for online personal tracking, carried out through the use of cookies, web bugs, web tracking spyware, packet sniffers, keystroke loggers or the FBI Carnivore system. These programs can easily track personal computer usage and spy on private data online.

33 Article 12 of the Universal Declaration of Human Rights 1948: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

3. An employee of the Social Security Office had been fired for leaking personal information of factory employees to debt collectors, who had been hired to push debtors to settle their payments.

4. It is common practice among financial institutions from both the banking and non-banking sectors to ask their clients to sign a form approving the use of their personal information when they apply for a credit card. Those companies will eventually sell their clients' personal information at a rate of 1-1.5 Bt. per person. The institute will then sort the names and data according to clients' preferences before sending their clients marketing materials for such products along with an invoice.

5. Growth of data trading websites is significant. The traded data are mainly official data such as criminal records, civil registration, arrest warrants, pictures or video of extramarital affairs, debt collecting records, or past mobile phone records. Those websites require the clients to leave their contact details to hide themselves from police investigation. The service fee is also stated on the page.

6. Cyber stalking is another internet-based infringement. It is the action of observing, threatening or disturbing certain Internet users by sending emails, posting texts or images on web boards, chat rooms or social network platforms such as Instagram, etc. Such activities cause anxiety and fear for the security of property and life among internet users, which negatively affects their mental condition.

Besides the cases mentioned above, there are many other methods in use for infringement, such as popup advertisements, identity theft, usage of spyware for the purpose of stealing personal information, email marketing, sending spam (which also disturbs users), fraud, counterfeiting, or the risk of being a victim of information warfare and terrorism using cyber attacks.

Hence, it is obvious that privacy violations tend to increase exponentially in number and severity. This is in many ways considered a type of threat which causes damage no less severe than other threats. The impact of such personal data violations is as widespread as that of cybersecurity threats. Violation of personal data can negatively impact the security of life and property, or even a society's security.

Concerning such violations, many countries have initiated strong legal standards such as a personal data protection law 34 or laws to tighten offence regulation, and have promoted social standards to enhance awareness among citizens. However, when taking a look at the situation in Thailand, it becomes obvious that public awareness is still on the way. This is true despite the fact that several laws on privacy rights do exist, such as Section 35 of the Thai Constitution; the

34 The Organisation for Economic Co-operation and Development (OECD) determined the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, helping countries to create standards. For details, please visit http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

Official Information Act 1997 (B.E. 2540), which determines the measures for the protection of personal data held by governmental agencies; the Business Credit Information Act 2002 (B.E. 2545), which determines the measures for protection of personal data in the possession of financial institutions; and the Electronic Transactions Act 2001 (B.E. 2544), which includes a guideline and policy on personal data protection within government agencies, 2010 (B.E. 2553). However, these laws overall are not inclusive, specific and comprehensive enough to be able to control all the agencies which are collecting personal data. Measures taken in some of these laws do not meet international standards. For the public sector, in response to the announcement of the Electronic Transactions Commission on personal data protection, only a very small number of agencies submitted their policy on personal information protection to the Electronic Transactions Commission. Some agencies collect high amounts of personal data. This may impact the level of confidence in the administration of government if personal data is stolen.

Therefore, all sectors should engage and collaborate in order to solve these problems. The government has to implement strict measures to ensure and protect the privacy of its citizens. In addition, the private sector should implement self-regulation by promoting awareness among social network users regarding their right to privacy, or by introducing technical measures such as privacy settings for social network accounts, in order to reduce violations. Last but not least, users should also be aware of and recognize their privacy as a basic right. Such an attitude, together with cooperation among different authorities, can ensure effective protection and reduce damage for the people of Thailand.


7. Is Thailand prepared for cyber threat?

Since ThaiCERT's establishment under ETDA in 2010, it has implemented two incident report channels: auto-feeds from partners' networks, and email reports from general users. Analysis of the collected statistics indicates that the main cause of IT security issues is primarily a lack of awareness or knowledge about information security among users.

a.) System Administrators

Most threats faced by administrators are related to either servers being attacked or servers being used by hackers to attack other computer systems. This includes, for instance, sending spam email, Denial of Service (DoS) attacks and using servers for fraudulent purposes. Such problems are facilitated by incapable administration and outdated maintenance, leading to vulnerabilities which allow attackers to access systems without authorization and continue with their infringing activities.

b.) General Users

In general, the main cause of a computer being infected by malware is the use of pirated operating systems and software, which prevents regular updates that remove system vulnerabilities. Lack of awareness concerning protection and risk-taking behavior also play an important role and frequently lead to vulnerability, including visiting suspicious websites and downloading and executing software or opening email attachments without prior verification. This behavior makes the computer susceptible to malware and, in some cases, enables attackers to take control of the computer and start sending spam emails or intercepting information transmitted by the user.

In addition, compromised computers and computer systems can spread security risks in various forms and cause damage to individuals, organizations and national infrastructure. There is the case, for example, of a web server in Thailand that was hacked and used to host a phishing site because the network administrators neglected to secure the operating system and software, close all unnecessary ports and keep the software up to date. Consequently, the system was vulnerable to attackers, who committed crimes by creating web pages to steal other people's personal information.

Cyber threats can cause severe consequences if users are not aware of the importance of IT security. Technology is advancing continuously and rapidly, along with the growth and consumerization of mobile devices together with the trend of "bring your own device" (BYOD). Furthermore, cyber threats not only pose risks to various aspects of IT security (e.g., confidentiality, integrity, availability), but also impact personal information privacy.

For effective protection of information security, Thailand has to prepare the following:

Development of necessary infrastructure

• Develop and enhance the capacities of officers in charge of IT security and train security personnel to internationally recognized standards, together with awareness promotion among users of possible threats of system attacks.

• Develop a legal framework that is viable for law enforcement so that relevant officers, such as the police, judicial officials or other competent officers, can suppress and prosecute criminals efficiently.

Preparation

• Promote IT security research and development in order to prepare for possible threats and to reduce dependency on foreign security technology.

• Establish an institution or organization to support key national agencies in responding to threats.

• Create an agency to support key national agencies in threat management and to support the National IT Security Plan, which provides direction and integration of public and private operations regarding threat response and management.

• Strengthen cooperation with foreign institutions in responding to and resolving threats which attack the systems of national agencies.

• Build national capacity and competitiveness in preparation for the AEC.

Integration

• Integrate IT security awareness-raising activities for users, consumers, policy makers, regulators and relevant agencies.

• Create mechanisms among relevant agencies to ensure a unified threat response.

As illustrated above, current IT security operations are being restructured to facilitate upgrading to international standards. This situation is reflected in the publication of the Royal Decree on Rules and Procedures of the Public Sector's Electronic Transactions B.E. 2549 (2006) and the Royal Decree on Security Techniques in Performing Electronic Transactions B.E. 2553 (2010). As of December 2012, there are 56 approved agencies which issued policies and regulations regarding IT security between 1990 and 2012. In response to MICT instructions to promote and implement IT security policy, the Office of the Electronic Transactions Committee has implemented several measures to promote such instructions through activities such as seminars, which have been well attended. To ensure effectiveness, the National Cybersecurity Committee, on which the Prime Minister serves as chair, was set up to draft the National Cybersecurity Policy Framework as well as the National Cybersecurity Master Plan. The committee serves as an integration mechanism for information exchange and collaboration among different agencies and sectors.

Presently, the crucial challenge is the lack of knowledge and awareness among executives and their employees. Such issues make it more difficult to promptly respond to threats that can potentially occur at any given time. Since human resources are the most important mechanism to prevent and respond to threats, all personnel should be trained to recognize cyber threats and be able to react appropriately in a collaborative manner to ensure efficiency. Success depends not only on government agencies or private institutions, but also on collaboration with civil society to help spread useful information to the general public.

The initiatives mentioned highlight the importance of capable human resources and the urgent need to develop IT security professionals in order for Thailand to be better prepared in threat prevention, suppression, and collaboration among involved parties.

In summary, ETDA has appointed ThaiCERT to be a key mechanism in the cybersecurity arena and aims to work proactively to ensure safety and security. During its initial four years, ETDA has prepared itself to serve as a key mechanism in Thailand's cyber threat response, as well as to build and coordinate collaboration among involved domestic and international entities. ETDA aims to ensure Thailand's readiness and capacity in responding to any future threats.


8. Appendix

8.1 Appendix A: Classification of Threats

The European CSIRT network (eCSIRT.net) categorizes threats into 8 types. Some threats can possibly overlap, but each can be sorted into one main category. For example, if an intruder accesses a system and is able to go further to root privilege, resulting in the theft of important information, the intrusion will be categorized as Privileged Account Compromise. Table 28 below defines eCSIRT.net's classification of threats.

Table 28: Classification of Threats according to eCSIRT.net

Columns: Incident Class (mandatory input field); Incident Type (optional but desired input field); Description / Examples.

Abusive Content
  Spam: Or "unsolicited bulk email", this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a large collection of messages, all having identical content.
  Harassment: Discrimination of somebody (i.e. cyberstalking).
  Child/sexual/violence: Child pornography, glorification of violence, …

Malicious Code
  virus, worm, Trojan, spyware, dialer: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information gathering
  scanning: Attacks that send requests to a system to discover weak points. This also includes some kind of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT).
  sniffing: Observing and recording of network traffic (wiretapping).
  Social engineering: Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

Intrusion Attempts
  Exploiting of known vulnerabilities: An attempt to compromise a system or to disrupt any services by exploiting vulnerabilities with a standardized identifier such as a CVE name (e.g. buffer overflow, backdoors, cross site scripting, etc.).
  Login attempts: Multiple login attempts (guessing/cracking of passwords, brute force).
  New attack signature: An attempt using an unknown exploit.

Intrusions
  Privileged account compromise, Unprivileged account compromise, Application compromise: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by an unauthorized local access.

Availability
  DoS, DDoS, Sabotage: By this kind of an attack a system is bombarded with so many packets that the operations are delayed or the system crashes. Examples of a remote DoS are SYN-a, PING-flooding or email bombing (DDoS: TFN, Trinity, etc.). However, the availability can also be affected by local actions (destruction, disruption of power supply, etc.).

Information Security
  Unauthorised access to information, Unauthorised modification of information: Besides a local abuse of data and systems, the information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information during transmission (wiretapping, spoofing, or hijacking).

Fraud
  Unauthorized use of resources: Using resources for unauthorized purposes including profit-making ventures (e.g. the use of email to participate in illegal profit chain letters or pyramid schemes).
  Copyright: Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez).
  Masquerade: Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.

Other
  All incidents which don't fit in one of the given categories should be put into this class: If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Source: http://www.ecsirt.net/cec/service/documents/wp4-pub-userguide-v10.html (accessed on 10 November, 2012)

8.2 Appendix B

Table 29: Glossary

Abusive Content: Contents such as child pornography, glorification of violence and spam are considered abusive contents.

Malicious Code: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information Gathering: Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes information gathering from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

Intrusion Attempts: An attempt to compromise a system or to disrupt any services by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing/cracking of passwords, brute force.

Intrusions: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by an unauthorized local access.

Availability: By this kind of an attack a system is bombarded with so many packets that the operations are delayed or the system crashes. Examples of a remote DoS are SYN-a, PING-flooding or email bombing (DDoS: TFN, Trinity, etc.). However, the availability can also be affected by local actions (destruction, disruption of power supply, etc.).

Fraud: The use of internet services such as websites and email to defraud victims or to otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft.

DDoS: DDoS is a technique to attack the availability of a system by attacking from many computers at the same time. DDoS makes services run improperly, causing services to be delayed or down. For example, a web server cannot provide services because it receives too many requests from clients.

Brute Force: Attack to gain a password or username by checking all possible values until the correct one is found. This kind of attack is only effective against a system with improper configuration, such as a username and password that are easy to guess. Captcha is one measure to protect a website from brute force.

Phishing: The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Botnet: Malware that can be controlled by attackers to do malicious activities such as DDoS attacks or stealing secret data.

Rustock: Botnet malware installed on the Windows operating system. It is capable of DDoS attacks and has spamming as its main function. Statistics show that this malware can send over 25,000 emails per hour. According to Microsoft, around 2.5 million computers were infected worldwide.

Kelihos: Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks and send spam.

Feodo: Botnet malware installed on the Windows operating system aiming to steal online transaction information.

DDoS_dirtjumper: Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks.

Conficker: Worm malware installed on the Windows operating system aiming to interrupt the availability of the system. For example, it can disable logging in to Windows, automatic Windows Update and Windows Defender. It also makes the network respond more slowly than normal. It can spread to other computers through network shares and attacks via the vulnerability MS08-067.

Zeus: Botnet malware installed on the Windows operating system aiming to steal users' online transaction information.

Virut: Botnet malware installed on the Windows operating system aiming to download and install other malware on computers.

TDSS: Botnet malware installed on the Windows operating system aiming to download and install other malware on computers.

Worm_boinberg: Worm malware installed on the Windows operating system and controlled by an IRC server. Generally it spreads over Windows Live Messenger, USB drives and compressed files such as RAR and ZIP. The malware makes the computer work slowly and steals information: usernames and passwords.

Torpig: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.

Carberp: Botnet malware installed on the Windows operating system aiming to steal users' online transaction information.

Spyeye: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.

Ramnit: Botnet malware installed on Windows operating systems and created in 2010. In its first period this botnet malware was not dangerous, but nowadays it can steal online transaction information as well. Ramnit can spread through USB drives.

Gozi: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.

Gbot: Botnet malware installed on Windows operating systems, capable of DDoS attacks and of downloading and installing other malware for the purpose of fraud and stealing online transaction information.

C&C Server: Stands for Command and Control Server; it contacts botnet malware and directs attacks on other computers in the form of DDoS.

Domain Name: A domain name (for instance, "example.com") is an identification string that defines a realm of administrative autonomy, authority, or control on the Internet. It can be used instead of an IP address.

Corporate: Internet network for agencies or organizations with fixed IP addresses.

Broadband: Internet network with dynamic IP addresses which vary according to the ISP's network. Broadband is used in houses or small offices.

Stormworm: Storm Worm is botnet malware, but unlike other botnet malware that uses a server-client model, Storm Worm uses a peer-to-peer model and spreads itself via spam mails.

8.3 Appendix C: Subordinate Laws having Security Maintenance-Related Measures

Law / Principle / Enforcement mechanisms (regulation, prevention, suppression; marked √ in the original table)

Penal Code Title V, Offence Relating to The Electronic Card (√)
Principle: At present, there is a pervasive increase, by number and application type, in the use of documents, materials or data made in the form of an electronic card, such as credit cards and debit cards, for the payment of goods, services and other kinds of debt. In addition, many crimes are committed and personal data is stolen, which vastly affects the economy and consumers. Hence, it is appropriate to establish criminal offences for electronic card and electronic data-related crime, so that all forms of such crime are covered under the law and a suitable rate of penalty according to the severity of the crime is provided.

Laws on Information Technology

Electronic Transactions Act B.E. 2544 (2001), revised 2nd version B.E. 2551 (2008) (√)
Principle: To promote the establishment of credible electronic transactions and certify the validity of electronic transactions as equal to paper-based ones.

The Royal Decree prescribing criteria and procedures for Electronic Transactions of the Government Sector B.E. 2549 (2006) (√)
Principle: To establish important rules and procedures for electronic transactions conducted by the public sector, in order to promote and support the capacity of public sector agencies to develop electronic transactions to the same standard and in the same direction.

The Royal Decree on Security Procedures for Electronic Transactions B.E. 2553 (2010) (√)
Principle: The Royal Decree applies to electronic transactions that affect national security, public order or the general public, and to those of an agency or organization deemed to be part of the country’s critical infrastructure. It stipulates the levels of security techniques and the information security standards that apply to the security procedures of each level.

Notification of the Electronic Transactions Commission on Category of Electronic Transactions and Criteria for Assessment of Impact Level of Electronic Transactions pursuant to Security Procedures B.E. 2555 (2012) (√)
Principle: To specify the categories of electronic transactions and the criteria for assessing the impact level of electronic transactions, for the correct and appropriate application of information security procedures.

Notification of the Electronic Transactions Commission on Information Security Standards in accordance with the Security Procedures B.E. 2555 (2012) (√)
Principle: To set out information security standards corresponding to each level of security procedures derived from the impact assessment of electronic transactions.

Notification of the Electronic Transactions Commission on Policy and Practice Guideline on Information Security of a State Agency B.E. 2553 (2010) (√)
Principle: To set out a preliminary guideline for state agencies to establish policy and practice on the maintenance of information security, in order to make their operations carried out by electronic means reliable and compliant with international standards.

Notification of the Electronic Transactions Commission on Policy and Practice in Protection of Personal Information of the State Agency B.E. 2553 (2010) (√)
Principle: To set out a preliminary guideline for state agencies that collect, maintain, use, disseminate or otherwise process personal data of electronic transaction subscribers, so that they establish policy and practice on the protection of personal information in electronic transactions.

Computer-Related Crime Act B.E. 2550 (2007) (√ √)
Principle: The Act aims at preventing and suppressing computer-related crime. It provides criminal penalties, investigation procedures, the authority of the competent official, and the duty of service providers to store computer traffic data.

Laws relating to Telecommunication

Telecommunications Business Act B.E. 2544 (2001) (√)
Principle: To prescribe the criteria for applying for an operating license for the telecommunication business, the qualifications of applicants for telecommunication business provider status, and the provision of telecommunication network business.

Notification of the National Telecommunications Commission on Measures for Protection of Telecommunication Users’ Rights relating to Personal Information, Rights of Privacy and Freedom of Communication through Telecommunication (√)
Principle: Because the personal information of telecommunication users can easily be processed and disseminated to the public in a short period of time, which would affect the right to privacy and the freedom of communication through telecommunication, a legal measure is provided for protecting personal information, the right to privacy and the freedom of communication through telecommunication.

Regulation of the National Broadcasting and Telecommunications Commission on the Exposure of Information Technology B.E. 2548 (2005) (√)
Principle: To set out rules on the organization of information in clear compliance with the Official Information Act B.E. 2540 (1997).

Regulation of the National Broadcasting and Telecommunications Commission on Information Technology relating to Telecommunication Business B.E. 2550 (2007) (√)
Principle: To set out the rules and procedures for the management of information technology in the area of the telecommunication business.

Finance and Banking Laws

The Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008) (√)
Principle: To regulate the business operation of electronic payment services in order to maintain financial and commercial stability. The Royal Decree establishes the regulatory model and categorizes the types of electronic payment service business.

Notification of the Electronic Transactions Commission on Rules, Procedures and Conditions for the Operation of Electronic Payment Service Business B.E. 2555 (2012) (√)
Principle: To stipulate rules, procedures and conditions for the operation of electronic payment service business in addition to the rules provided under the Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008). The Notification provides additional qualifications for electronic payment service providers and sets out details of the electronic payment service providers according to the table attached to the Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551.

Notification of the Bank of Thailand No. Sor Ror Khor 3/2552 on Information Security Policy and Measures for Operation of Electronic Payment Services Business (√)
Principle: To serve as a guideline for prescribing policy and practice on information security, and procedures for the examination and maintenance of information security, for electronic payment service providers.

Securities Laws

Securities and Exchange Act B.E. 2535 (1992) (√)
Principle: To set up the structure of an agency regulating the activities of the capital market and rules regulating the offering of securities, to support the development of the forms in which securities issuers are established, and to provide internationalized rules for securities market regulation, including provisions on business transactions in the securities market such as the pledge of listed securities. The purpose of the Act is to support the flow of activities in the capital market and to raise the level of investor protection.

Notification of the Office of the Securities and Exchange Commission No. Sortor/Nor 32/2552 regulating Operation and Maintenance of Information Security of Securities Companies (2009) (√)
Principle: To establish rules for the operation and maintenance of information security for securities companies.

Insurance Laws

Emergency Decree Establishing Fund for Promotion of Catastrophic Insurance B.E. 2555 (2012) (√ √)
Principle: To set up measures for the management of catastrophe risks by means of insurance and reinsurance, and to provide financial aid to non-life insurers.

Insurance Commission Act B.E. 2550 (2007) (√)
Principle: As the insurance business is a monetary transaction that directly affects the economic and financial system of Thailand, including the insured, who is a consumer, the agency responsible for supervising the insurance business should be flexible enough to keep up with the development of the business and independent enough to supervise the insurance business effectively and protect the rights of the insured. It is therefore appropriate to set up an Insurance Commission that is independent and has the flexibility to supervise the insurance business.

List of Abbreviations

NECTEC National Electronics and Computer Technology Center

NSTDA National Science and Technology Development Agency

ETDA Electronic Transactions Development Agency (Public Organization)

ThaiCERT Thailand Computer Emergency Response Team

AEC ASEAN Economic Community

ASEAN Association of Southeast Asian Nations

APCN Asia-Pacific Collaboration Network

APCERT Asia Pacific Computer Emergency Response Team

CISSP Certified Information Systems Security Professional

ETC Electronic Transactions Committee

CSIRT Computer Security Incident Response Team

NSO National Statistical Office

ITU International Telecommunication Union

MICT Ministry of Information and Communication Technology

TCSD/RTP Technology Crime Suppression Division, Royal Thai Police

ISP Internet Service Provider

MOE Ministry of Energy

IODEF Incident Object Description Exchange Format

IETF Internet Engineering Task Force

Report Compilation Team

Creative Directors

Chaichana Mitrpant, Assistant Executive Director (Security Content)
Soranun Jiwasurat, Director of Security Office (Security Content)

Surangkana Wayuparb, Executive Director, CEO (Policy Overview)
Kachida Meetortharn, Director of Legal Affairs Office (Law Content)
Atcharaphorn Mutraden, Director of Policy Office (Policy Content)
Thongchai Sangsiri, Identification Expert Testimony Specialist (Security Content)

Working Group (Editorial Staff, Law Content Staff, Art Directors, Coordinators)

Phaichayont Vimuktanandana, Ploy Charoensom, Nattapong Worapivut, Rojana Lamlert, Pornprom Prapakittikul, Phichayaluk Kamthongsuk, Napadol Utsanaboonsiri, Wipaporn Butmek, Supakorn Lerkditheeporn, Setthawhut Saennam, Nattawat Sukwongtrakul, Nattanai Roudreiw, Suchayapim Siriwat, Jetsada Changsisang, Ployphatchara Chouchai, Khemiga Sakulphat, Wisan Prasongsook, Phanwadee Kowintasate, Thongchai Silpavarangkura, Sanchai Tinothai, Chotika Sinno, Kannika Pataravisitsan, Nuttachot Dusitanont and the ThaiCERT Team
