DOCSLIB.ORG

New Methods for Detecting Malware Infections and New Attacks Against Hardware Virtualization

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
New Methods for Detecting Malware Infections and New Attacks Against Hardware Virtualization BUDAPEST UNIVERSITY OF TECHNOLOGY AND ECONOMICS DEPARTMENT OF NETWORKED SYSTEMS AND SERVICES New Methods for Detecting Malware Infections and New Attacks against Hardware Virtualization Ph.D. Dissertation of Gabor´ Pek´ Supervisor: Levente Buttyan,´ Ph.D. Budapest, Hungary 2015 Alul´ırott Pek´ Gabor´ kijelentem, hogy ezt a doktori ertekez´ et´ magam kesz´ ´ıtettem es´ ab- ban csak a megadott forrasokat´ hasznaltam´ fel. Minden olyan reszt,´ amelyet szo´ szerint, vagy azonos tartalomban, de atfogalmazva´ mas´ forrasb´ ol´ atvettem,´ egyertelm´ uen,˝ a forras´ megadas´ aval´ megjeloltem.¨ I, the undersigned Gabor´ Pek´ hereby declare, that this Ph.D. dissertation was made by myself, and I only used the sources given at the end. Every part that was quoted word-for- word, or was taken over with the same content, I noted explicitly by giving the reference of the source. A dolgozat b´ıralatai´ es´ a ved´ esr´ ol˝ kesz´ ult¨ jegyzok˝ onyv¨ a Budapesti Muszaki˝ es´ Gazdasagtu-´ domanyi´ Egyetem Villamosmern´ oki¨ es´ Informatikai Karanak´ dek´ ani´ hivatalaban´ elerhet´ oek.˝ The reviews of the dissertation and the report of the thesis discussion are available at the Dean’s Office of the Faculty of Electrical Engineering and Informatics of the Budapest University of Technology and Economics. Budapest, :::::::::::::::::::::::: Gabor´ Pek´ iii Abstract In my dissertation, I address problems in two domains: (i) Detection of unknown malware and (ii) finding new attacks against hardware virtualization. Accordingly, this dissertation is divided into two parts. In the first part of the dissertation, I propose Membrane, a memory forensics tool to detect code injection attacks. Instead of trying to detect the code injection event itself, I focus on the changes it causes on the paging behavior of the Windows operating system. As my method focuses on the anomalies caused by code injection in paging events, I am able to detect a wide range of code injection techniques. My results indicate that on Windows XP we can detect malware behavior with 91-98% success. On Windows 7, a good detection rate is maintained except for malware injecting into explorer.exe where the success of detection decreases to 75-86%. My approach can detect stealthy malware attacks, even advanced targeted attacks using code injection. Still in the first part, I propose a new system monitoring framework that can serve as an enabler for automated malware detection on live systems. My approach takes advantage of the increased availability of hardware assisted virtualization capabilities of modern CPUs, and its basic novelty consists in launching a hypervisor layer on the live system without stopping and restarting it. This hypervisor runs at a higher privilege level than the OS itself, thus, it can be used to observe the behavior of the analyzed system in a transparent manner. For this purpose, I also propose a novel system call tracing method that is designed to be configurable in terms of transparency and granularity. In the second part of the dissertation, I shed light on VM related threats and defences by implementing, testing, and categorizing a wide range of known and unknown attacks based on directly assigned devices. I executed these attacks on an exhaustive set of VMM configurations to determine their potential impact. My experiments suggest that most of the previously known attacks are ineffective in current VMM setups. I also developed an automatic tool, called PTFuzz, to discover hardware-level problems that affect current VMMs. By using PTFuzz, I found several cases of unexpected hardware behaviour, and a major vulnerability on Intel platforms that potentially impacts a large set of machines used in the wild. These vulnerabilities affect unprivileged virtual machines that use a directly assigned device (e.g., network card) and have all the existing hardware protection mechanisms enabled. Such vulnerabilities allow either an attacker to generate a host-side interrupt or hardware faults, violating expected isolation properties. These can cause host software (e.g., VMM) halt as well as they might open the door for practical VMM exploitations. I believe that my study can help cloud providers and researchers to better understand the limitations of their current architectures to provide secure hardware virtualization and prepare for future attacks. At the same time, security practitioners make heavy use of various virtualization techniques to create sandboxing environments that provide a certain level of isolation between the host and the code being anal- ysed. However, most of these are easy to be detected and evaded. The introduction of hardware assisted vir- tualization (Intel VT and AMD-V) made the creation of novel, out-of-the-guest malware analysis platforms possible. These allow for a high level of transparency by residing completely outside the guest operating system being examined, thus conventional in-memory detection scans are ineffective. Furthermore, such an- alyzers resolve the shortcomings that stem from inaccurate system emulation, in-guest timings, privileged operations and so on. Finally, I introduce novel approaches that make the detection of hardware assisted virtualization plat- v forms and out-of-the-guest malware analysis frameworks possible. To demonstrate my concepts, I imple- mented an application framework called nEther that is capable of detecting the out-of-the-guest malware analysis framework Ether [Dinaburg et al., 2008a]. vi Kivonat A disszertaci´ omban´ ket´ problemater´ ulettel¨ foglalkozom: (i) ismeretlen kart´ ekony´ kodok´ detekcioja´ es´ (ii) uj´ tamad´ asok´ vizsgalata´ hardver virtualizaci´ o´ ellen. Ebbol˝ adod´ oan´ a disszertaci´ o´ ket´ reszre´ bonthato.´ Az elso˝ reszben´ elosz˝ or¨ egy uj´ memoria´ forenics eszkozt¨ javaslok Membrane neven,´ melynek celja´ a kod´ injekcios´ tamad´ asok´ detektal´ asa.´ Ahelyett, hogy a kodinjekci´ o´ teny´ et´ detektaln´ am,´ a Windows operaci´ os´ rendszerben jelentkezo˝ laptabla´ esemenyv´ altoz´ asokat´ vizsgalom´ meg nagy alapossaggal.´ Mivel a laptabla-´ esemenyek´ altal´ okozott anomali´ akra´ fokusz´ alok,´ szeles´ spektrumban lehet detektalni´ kul¨ onb¨ oz¨ o˝ t´ıpusu´ injekcios´ eljar´ asokat.´ Az eredmenyek´ Windows XP operaci´ os´ rendszer eseten´ 91-98%-os pontossagot´ mu- tatnak, m´ıg Windows 7 rendszereknel´ meg´ a legzajosabb folyamatok eseten´ is (pl.: explorer. exe) 75- 86% a detekcios´ pontossag.´ Az eljar´ asomnak´ kosz¨ onhet¨ oen˝ lehetseges´ ilyen t´ıpusu´ rejtozk˝ od¨ o˝ kart´ ekony´ kodokat´ detektalni,´ meg´ ha celzott´ tamad´ asb´ ol´ vett kampanyr´ ol´ is van szo.´ Ezt kovet¨ oen˝ egy uj´ rendszer-monitorozo´ eszkozt¨ javaslok, amely automatikus malware detekciot´ tesz lehetov˝ e´ eles´ gepek´ eseten.´ A megkozel¨ ´ıtesem´ a modern CPU-kban elerhet´ o˝ hardverrel tamogatott´ virtu- alizaci´ os´ eljar´ ast´ hasznalja´ ki, illetve azt a tenyt,´ hogy ezaltal´ lehetos˝ eg´ van egy hypervisort telep´ıteni a futo´ operaci´ os´ rendszer ala´ anelk´ ul,¨ hogy le kene´ a gepet´ all´ ´ıtani, vagy ujra´ kene´ azt ind´ıtani. Ez a hypervisor magasabb privilegium´ szinten fut, mint az operaci´ os´ rendszer maga. Ennek kosz¨ onhet¨ oen˝ a rendszert tran- szparensebben lehet megfigyelni, mint mas´ modszerekkel.´ Ebbol˝ a celb´ ol´ javaslok tovabb´ a´ egy uj´ rendszer- monitorozo´ eljar´ ast,´ melyet a transzparencia es´ az elemzesi´ granularitas´ menten´ lehet finomhangolni. A disszertaci´ o´ masodik´ resz´ eben´ ravil´ ag´ ´ıtok a VM-ekhez kapcsolod´ o´ fenyegetesekre´ es´ vedelmi´ megol- dasokra´ azaltal,´ hogy a kozvetlen¨ eszkozcsatol¨ assal´ kapcsolatos tamad´ asok´ szeles´ skal´ aj´ at´ tervezem meg, implementalom´ le es´ kategorizalom.´ Ezeket a tamad´ asokat´ sok kul¨ onb¨ oz¨ o˝ VMM konfiguraci´ oval´ tesztel- tem, hogy kider´ıtsem a tenyleges´ hatasukat.´ A vizsgalataim´ megmutattak,´ hogy a futtatott tamad´ asok´ egy jo´ resze´ tulajdonkeppen´ hatastalan´ a mai VMM beall´ ´ıtasok´ mellett. Kifejlesztettem azonban egy automatikus eszkozt,¨ amit PTFuzz-nak neveztem el, hogy hardver szintu,˝ VMM-hez kapcsolod´ o´ problem´ akat´ fedezzek fel. A PTFuzz seg´ıtseg´ evel´ szamos´ varatlan´ hardverviselkedest,´ tovabb´ a´ egy Intel platformhoz kothet¨ o˝ komoly ser´ ul¨ ekenys´ eget´ talaltam,´ mely rengeteg Intel chipsetre es´ ezaltal´ gepre´ hatassal´ van a mai napig. Ez a ser´ ul¨ ekenys´ eg´ minden olyan nem privilegizalt´ virtualis´ gepet´ erint,´ mely kozvetlen¨ eszkozcsatol¨ assal´ rendelkezik minden letez´ o˝ hardveres biztonsagi´ vedelem´ mellett. Egy tamad´ o´ a ser´ ul¨ ekenys´ eg´ seg´ıtseg´ evel´ hosztoldali interrupt-ot vagy hardver hibat´ tud generalni´ megsertve´ ezaltal´ az elvart´ izolaci´ os´ muk˝ od¨ est.´ Ez elobbi˝ elmeleti´ szinten tenyleges´ virtualizaci´ os´ kitor¨ est´ is lehetov˝ e´ tehet, m´ıg a masodik´ a hoszt szoftver (pl.: VMM) teljes leall´ as´ at´ idezheti´ elo.˝ Hiszem, hogy a tanulmanyom´ seg´ıt a felho˝ szolgaltat´ oknak´ es´ ku- tatoknak´ jobban megerteni´ a jelenlegi architektura´ korlatait,´ hogy biztonsagos´ hardver virtualizaci´ os´ plat- formot hozzanak letre´ es´ felkesz´ uljenek¨ jov¨ obeli˝ tamad´ asokra.´ Ugyanakkor a biztonsagi´ szakert´ ok˝ nagy mert´ ekben´ tamaszkodnak´ a kul¨ onb¨ oz¨ o˝ virtualizaci´ os´ tech- nikakra,´ hogy sandboxing kornyezeteket¨ hozzanak letre,´ melyek valamilyen szintu˝ izolaci´ ot´ biztos´ıtanak a hoszt es´ az analizalt´ kod´ koz¨ ott.¨ Azonban ezek nagy resz´ et´ nagyon konny¨ u˝ detektalni´ es´ kikerulni.¨ A hard- verrel tamogatott´ virtualizaci´ o´ bevezetese´ (Intel VT es´ AMD-V) lehetov˝ e´ tette az
Load more

Recommended publications
  • Iocage Documentation Release 1.2
    iocage Documentation Release 1.2 Brandon Schneider and Peter Toth Sep 26, 2019 Contents 1 Documentation: 3 1.1 Install iocage...............................................3 1.2 Basic Usage...............................................6 1.3 Plugins.................................................. 10 1.4 Networking................................................ 11 1.5 Jail Types................................................. 14 1.6 Best Practices............................................... 15 1.7 Advanced Usage............................................. 16 1.8 Using Templates............................................. 20 1.9 Create a Debian Squeeze Jail (GNU/kFreeBSD)............................ 21 1.10 Known Issues............................................... 22 1.11 FAQ.................................................... 23 1.12 Indices and tables............................................ 24 Index 25 i ii iocage Documentation, Release 1.2 iocage is a jail/container manager written in Python, combining some of the best features and technologies the FreeBSD operating system has to offer. It is geared for ease of use with a simplistic and easy to learn command syntax. FEATURES: • Templates, basejails, and normal jails • Easy to use • Rapid thin provisioning within seconds • Automatic package installation • Virtual networking stacks (vnet) • Shared IP based jails (non vnet) • Dedicated ZFS datasets inside jails • Transparent ZFS snapshot management • Binary updates • Export and import • And many more! Contents 1 iocage Documentation,
    [Show full text]
  • Oracle Solaris: the Carrier-Grade Operating System Technical Brief
    An Oracle White Paper February 2011 Oracle Solaris: The Carrier-Grade Operating System Oracle White Paper—Oracle Solaris: The Carrier-Grade OS Executive Summary.............................................................................1 ® Powering Communication—The Oracle Solaris Ecosystem..............3 Integrated and Optimized Stack ......................................................5 End-to-End Security ........................................................................5 Unparalleled Performance and Scalability.......................................6 Increased Reliability ........................................................................7 Unmatched Flexibility ......................................................................7 SCOPE Alliance ..............................................................................7 Security................................................................................................8 Security Hardening and Monitoring .................................................8 Process and User Rights Management...........................................9 Network Security and Encrypted Communications .......................10 Virtualization ......................................................................................13 Oracle VM Server for SPARC .......................................................13 Oracle Solaris Zones .....................................................................14 Virtualized Networking...................................................................15
    [Show full text]
  • Tampere University Research Portal
    Tampereen teknillinen yliopisto. Julkaisu 800 Tampere University of Technology. Publication 800 Francis Tam Service Availability Standards for Carrier-Grade Platforms: Creation and Deployment in Mobile Networks Thesis for the degree of Doctor of Technology to be presented with due permission for public examination and criticism in Tietotalo Building, Auditorium TB222, at Tampere University of Technology, on the 15th of May 2009, at 12 noon. Tampereen teknillinen yliopisto - Tampere University of Technology Tampere 2009 ISBN 978-952-15-2134-8 (printed) ISBN 978-952-15-2158-4 (PDF) ISSN 1459-2045 Abstract The rapid development of the mobile network industry has raised considerably the expectations and requirements of the whole chain of stakeholders, from the end users through the mobile network operators and ultimately to the network equipment providers. A key expectation from an end user is service availability, which is a perception that services are continuously operational even in the presence of failures in the mobile network. Network equipment providers have been using carrier-grade platforms to provide various support functions including high availability as reusable assets for products creation. The term carrier-grade refers to a class of systems used in public telecommunications network that deliver up to five nines or six nines (99.999% or 99.9999%) availability. The convergence of communications and information technology in the industry has led to more competition and pressure to reduce development efforts. By creating a service availability standard, Commercial Off-The-Shelf (COTS) software can be bought and integrated into a carrier-grade platform, enabling a company to focus on the core business and concentrate the resource investment onto new innovations.
    [Show full text]
  • Interrupts and Exceptions CPU Modes and Address Spaces Dual-Mode Of
    CPU Modes and Address Spaces There are two processor (CPU) modes of operation: • Kernel (Supervisor) Mode and • User Mode The processor is in Kernel Mode when CPU mode bit in Status Interrupts and Exceptions register is set to zero. The processor enters Kernel Mode at power-up, or as result of an interrupt, exception, or error. The processor leaves Kernel Mode and enters User Mode when the CPU mode bit is set to one (by some instruction). Memory address space is divided in two ranges (simplified): • User address space – addresses in the range [0 – 7FFFFFFF16] Studying Assignment: A.7 • Kernel address space Reading Assignment: 3.1-3.2, A.10 – addresses in the range [8000000016 – FFFFFFFF16] g. babic Presentation B 28 g. babic 29 Dual-Mode of CPU Operation MIPS Privilege Instructions • CPU mode bit indicates the current CPU mode: 0 (=kernel) With CPU in User Mode, the program in execution has access or 1 (=user). only to the CPU and FPU registers, while when CPU operates • When an interrupt occurs, CPU hardware switches to the in Kernel Mode, the program has access to the full capabilities kernel mode. of processor including CP0 registers. • Switching to user mode (from kernel mode) done by setting CPU mode bit (by an instruction). Privileged instructions can not be executed when the Exception/Interrupt processor is in User mode, they can be executed only when the processor is in Kernel mode. kernel user Examples of MIPS privileged instructions: Set user mode • any instruction that accesses Kernel address space • all instructions that access any of CP0 registers, e.g.
    [Show full text]
  • Freebsd's Jail(2) Facility
    Lousy virtualization, Happy users: FreeBSD's jail(2) facility Poul-Henning Kamp [email protected] CHROOT(2) FreeBSD System Calls Manual CHROOT(2) NAME chroot -- change root directory LIBRARY Standard C Library (libc, -lc) SYNOPSIS #include <unistd.h> int chroot(const char *dirname); Calling chroot(2) in ftpd(1) implemented ”anonymous FTP” without the hazzle of file/pathname parsing and editing. ”anonymous FTP” became used as a tool to enhance network security. By inference, chroot(2) became seen as a security enhancing feature. ...The source were not strong in those. Exercise 1: List at least four ways to escape chroot(2). Then the Internet happened, ...and web-servers, ...and web-hosting Virtual hosts in Apache User get their own ”virtual apache” but do do not get your own machine. Also shared: Databases mailprograms PHP/Perl etc. Upgrading tools (PHP, mySQL etc) on virtual hosting machines is a nightmare. A really bad nightmare: Cust#1 needs mySQL version > N Cust#2 cannot use mySQL version <M (unless PHP version > K) Cust#3 does not answer telephone Cust#4 has new sysadmin Cust#5 is just about ready with new version Wanted: Lightweight virtualization Same kernel, but virtual filesystem and network address plus root limitations. Just like chroot(2) with IP numbers on top. Will pay cash. Close holes in chroot(2) Introduce ”jail” syscall + kernel struct Block jailed root in most suser(9) calls. Check ”if jail, same jail ?” in strategic places. Fiddle socket syscall arguments: INADDR_ANY -> jail.ip INADDR_LOOPBACK -> jail.ip Not part of jail(2): Resource restriction Hardware virtualization Covert channel prevention (the hard stuff) Total implementation: 350 changed source lines 400 new lines of code FreeBSD without jail usr Resources of various sorts / home var process process process process process process Kernel FreeBSD with jail usr Resources of various sorts / home var process process process process* process process Kernel error = priv_check_cred( cred, PRIV_VFS_LINK, SUSER_ALLOWJAIL); if (error) return (error); The unjailed part One jailed part of the system.
    [Show full text]
  • Sandboxing 2 Change Root: Chroot()
    Sandboxing 2 Change Root: chroot() Oldest Unix isolation mechanism Make a process believe that some subtree is the entire file system File outside of this subtree simply don’t exist Sounds good, but. Sandboxing 2 2 / 47 Chroot Sandboxing 2 3 / 47 Limitations of Chroot Only root can invoke it. (Why?) Setting up minimum necessary environment can be painful The program to execute generally needs to live within the subtree, where it’s exposed Still vulnerable to root compromise Doesn’t protect network identity Sandboxing 2 4 / 47 Root versus Chroot Suppose an ordinary user could use chroot() Create a link to the sudo command Create /etc and /etc/passwd with a known root password Create links to any files you want to read or write Besides, root can escape from chroot() Sandboxing 2 5 / 47 Escaping Chroot What is the current directory? If it’s not under the chroot() tree, try chdir("../../..") Better escape: create device files On Unix, all (non-network) devices have filenames Even physical memory has a filename Create a physical memory device, open it, and change the kernel data structures to remove the restriction Create a disk device, and mount a file system on it. Then chroot() to the real root (On Unix systems, disks other than the root file system are “mounted” as a subtree somewhere) Sandboxing 2 6 / 47 Trying Chroot # mkdir /usr/sandbox /usr/sandbox/bin # cp /bin/sh /usr/sandbox/bin/sh # chroot /usr/sandbox /bin/sh chroot: /bin/sh: Exec format error # mkdir /usr/sandbox/libexec # cp /libexec/ld.elf_so /usr/sandbox/libexec # chroot /usr/sandbox
    [Show full text]
  • Wireless Network Virtualization: Ensuring Carrier Grade Availability
    ™ AN INTEL COMPANY Wireless Network Virtualization: Ensuring Carrier Grade Availability WHEN IT MATTERS, IT RUNS ON WIND RIVER WIRELESS NETWORK VIRTUALIZATION: ENSURING CARRIER GRADE AVAILABILITY EXECUTIVE SUMMARY The wireless industry’s battle to acquire new subscribers and retain existing ones is accelerating the need for new services. Profit margins are under pressure from the increased infrastructure and operations costs required to satisfy the growing demand. Network functions virtualization (NFV), a rapidly growing initiative in telecom networks, promises to revolutionize how networks are architected and managed. It allows communications service providers (CSPs) to virtualize network functions and consolidate them on standard off-the-shelf servers. Although 4G LTE is effective at meeting the increasing bandwidth demands at lower costs than its predecessors, its mobile base station, E-UTRAN Node B (eNB), located at the edge of the radio access network (RAN), is underutilized at certain times of the day and has grown in complexity, resulting in higher downtime and field maintenance costs. As a result, the eNB is a good candidate for NFV. Cloud-RAN (C-RAN) is the virtualization of the eNB’s control plane and data plane functions, consolidating it in one or more data centers. The result is significantly higher equipment utilization, cost-efficient redundancy to achieve high availability, and lower operations and maintenance costs. However, to realize these benefits, the foundation for virtualized eNBs must be a robust, carrier grade NFV platform that incorporates advanced fault management features. Poor implementation results in lower quality execution with excessive outage and maintenance costs. Wind River® Titanium Cloud is the industry’s first NFV-ready solution that incorporates advanced carrier grade fault, security, performance, and network management features.
    [Show full text]
  • Carrier Grade Virtualization
    Carrier Grade Virtualization Leveraging virtualization in Carrier Grade Systems Abstract Network Equipment Providers (NEPs) have been building networking infrastructure equipment able to deliver “carrier grade” services, typically mission-critical services such as voice telephony. In decades past, NEPs have achieved high degrees of availability through purpose-built hardware and software implementations. Today they increasingly build on COTS (Commercial Off The Shelf) hardware and Open Source Software (OSS), freeing their engineering resources to focus on core telephony competencies. The move to COTS and OSS requires that these hardware and software components be available from an ecosystem of suppliers, and that they interoperate seamlessly. Bodies such as The Linux Foundation (LF), the Service Availability Forum (SA Forum) and PICMG have defined standards and specifications such as carrier grade OSes (CGLinux), Service Availability Forum APIs and AdvancedTCA hardware to target carrier grade applications. Recent advances have made virtualization appealing for carrier class equipment by permitting significant cost reduction through consolidation of workloads and of physical hardware. Virtualization also transparently lets NEPs and other OEMs (Original Equipment Manufacturers) leverage multi-core processors to run legacy software designed for uniprocessor hardware. However, virtualization needs to meet specific requirements to enable network equipment deploying this technology to meet industry expectations for carrier grade systems. This
    [Show full text]
  • Energy Efficiency in Office Computing Environments
    Fakulät für Informatik und Mathematik Universität Passau, Germany Energy Efficiency in Office Computing Environments Andreas Berl Supervisor: Hermann de Meer A thesis submitted for Doctoral Degree March 2011 1. Reviewer: Prof. Hermann de Meer Professor of Computer Networks and Communications University of Passau Innstr. 43 94032 Passau, Germany Email: [email protected] Web: http://www.net.fim.uni-passau.de 2. Reviewer: Prof. David Hutchison Director of InfoLab21 and Professor of Computing Lancaster University LA1 4WA Lancaster, UK Email: [email protected] Web: http://www.infolab21.lancs.ac.uk Abstract The increasing cost of energy and the worldwide desire to reduce CO2 emissions has raised concern about the energy efficiency of information and communica- tion technology. Whilst research has focused on data centres recently, this thesis identifies office computing environments as significant consumers of energy. Office computing environments offer great potential for energy savings: On one hand, such environments consist of a large number of hosts. On the other hand, these hosts often remain turned on 24 hours per day while being underutilised or even idle. This thesis analyzes the energy consumption within office computing environments and suggests an energy-efficient virtualized office environment. The office environment is virtualized to achieve flexible virtualized office resources that enable an energy-based resource management. This resource management stops idle services and idle hosts from consuming resources within the office and consolidates utilised office services on office hosts. This increases the utilisation of some hosts while other hosts are turned off to save energy. The suggested architecture is based on a decentralized approach that can be applied to all kinds of office computing environments, even if no centralized data centre infrastructure is available.
    [Show full text]
  • Internet Infrastructure Review Vol.15 -Infrastructure Security
    1. Infrastructure Security The Revised Unauthorized Computer Access Law In this volume we examine the revised Unauthorized Computer Access Law, and discuss the DNS Changer malware as well as the Ghost Domain Name issue relating to DNS. Infrastructure Security 1.1 Introduction This report summarizes incidents to which IIJ responded, based on general information obtained by IIJ itself related to the stable operation of the Internet, information from observations of incidents, information acquired through our services, and information obtained from companies and organizations with which IIJ has cooperative relationships. This volume covers the period of time from January 1 to March 31, 2012. Following on from the previous period, with an increase in the number of smartphone users, there have been an increasing number of problems related to the handling of information on the devices and user information. Hacktivism-based attacks such as those by Anonymous also continued to occur, and the number of attacks on companies and government agencies remained at a high level. In Middle-Eastern countries and Israel there were a series of hacking incidents and information leaks, as well as DDoS attacks on websites including critical infrastructure. Regarding vulnerabilities, an issue was discovered and fixed in multiple cache DNS server implementations including BIND. As seen above, the Internet continues to experience many security-related incidents. 1.2 Incident Summary Here, we discuss the IIJ handling and response to incidents Other 19.7% Vulnerabilities 20.6% that occurred between January 1 and March 31, 2012. Figure 1 shows the distribution of incidents handled during this period*1.
    [Show full text]
  • Darpa Starts Sleuthing out Disloyal Troops
    UNCLASSIFIED (U) FBI Tampa Division CI Strategic Partnership Newsletter JANUARY 2012 (U) Administrative Note: This product reflects the views of the FBI- Tampa Division and has not been vetted by FBI Headquarters. (U) Handling notice: Although UNCLASSIFIED, this information is property of the FBI and may be distributed only to members of organizations receiving this bulletin, or to cleared defense contractors. Precautions should be taken to ensure this information is stored and/or destroyed in a manner that precludes unauthorized access. 10 JAN 2012 (U) The FBI Tampa Division Counterintelligence Strategic Partnership Newsletter provides a summary of previously reported US government press releases, publications, and news articles from wire services and news organizations relating to counterintelligence, cyber and terrorism threats. The information in this bulletin represents the views and opinions of the cited sources for each article, and the analyst comment is intended only to highlight items of interest to organizations in Florida. This bulletin is provided solely to inform our Domain partners of news items of interest, and does not represent FBI information. In the JANUARY 2012 Issue: Article Title Page NATIONAL SECURITY THREAT NEWS FROM GOVERNMENT AGENCIES: American Jihadist Terrorism: Combating a Complex Threat p. 2 Authorities Uncover Increasing Number of United States-Based Terror Plots p. 3 Chinese Counterfeit COTS Create Chaos For The DoD p. 4 DHS Releases Cyber Strategy Framework p. 6 COUNTERINTELLIGENCE/ECONOMIC ESPIONAGE THREAT ITEMS FROM THE PRESS: United States Homes In on China Spying p. 6 Opinion: China‟s Spies Are Catching Up p. 8 Canadian Politician‟s Chinese Crush Likely „Sexpionage,‟ Former Spies Say p.
    [Show full text]
  • RTA-OSEK Binding Manual: TMS470/TI
    RTA-OSEK Binding Manual: TMS470/TI Contact Details ETAS Group www.etasgroup.com Germany USA ETAS GmbH ETAS Inc. Borsigstraße 14 3021 Miller Road 70469 Stuttgart Ann Arbor, MI 48103 Tel.:+49 (711) 8 96 61-102 Tel.: +1 (888) ETAS INC Fax:+49 (711) 8 96 61-106 Fax: +1 (734) 997-94 49 www.etas.de www.etasinc.com Japan France ETAS K.K. ETAS S.A.S. Queen's Tower C-17F, 1, place des États-Unis 2-3-5, Minatomirai, Nishi-ku, SILIC 307 Yokohama, Kanagawa 94588 Rungis Cedex 220-6217 Japan Tel.: +33 (1) 56 70 00 50 Tel.: +81 (45) 222-0900 Fax: +33 (1) 56 70 00 51 Fax: +81 (45) 222-0956 www.etas.fr www.etas.co.jp Korea Great Britain ETAS Korea Co. Ltd. ETAS UK Ltd. 4F, 705 Bldg. 70-5 Studio 3, Waterside Court Yangjae-dong, Seocho-gu Third Avenue, Centrum 100 Seoul 137-889, Korea Burton-upon-Trent Tel.: +82 (2) 57 47-016 Staffordshire DE14 2WQ Fax: +82 (2) 57 47-120 Tel.: +44 (0) 1283 - 54 65 12 www.etas.co.kr Fax: +44 (0) 1283 - 54 87 67 www.etas-uk.net Copyright Notice © 2001 - 2007 LiveDevices Ltd. All rights reserved. Version: M00088-001 No part of this document may be reproduced without the prior written consent of LiveDevices Ltd. The software described in this document is furnished under a license and may only be used or copied in accordance with the terms of such a license. Disclaimer The information in this document is subject to change without notice and does not represent a commitment on any part of LiveDevices.
    [Show full text]