
Professional Information Security Association
PISA Journal, Issue 10, SEP-2009
An Organization for Information Security Professionals
www.pisa.org.hk
Editor: [email protected]
Copyright 2009 Professional Information Security Association. Licensed under a Creative Commons Attribution-Noncommercial-Share Alike licence.
Softcopy available at http://www.pisa.org.hk/publication/journal/

Contents
3 Message from the Chair
4 綠壩 — 過濾功能的剖析 (Dissecting Green Dam)
7 Reversing Green Dam – Uncover the Darkness and Truth
12 Green Dam - A Reflection of China's Clean Internet Initiative
16 Cryptography: AES-256 vs. AES-128: which provides more security control
19 Internet Security: A Look at Domain Name System Amplification Attack
23 IT Governance and Compliance: China - Basic Standard for Enterprise Internal Control
27 Websense: Best Practices for Information Security in the Web 2.0 Era
30 SCWC2009: SC World Congress 2009
31 Program Snapshot
35 Active in External Affairs
36 Membership Benefits

Message from the Chair of PISA
Antony Ma CISA, CISSP, Chairperson

PISA has been organizing information security events, technical research studies and policy comments since 2002. This basic theme has not been changed through the years while we have more members and program committee members joining us. In 2008, we had a change of the web site led by our EXCO member George Chung. The current web site will be further enhanced to make PISA more responsive to the community.

PISA had very prominent contribution to WiFi security of Hong Kong and school security management. A recent project we are putting a lot of effort into is the Honeynet project, in which we are cooperating with City University and IVE (Hacking Wong). This project is led by Program Committee members Peter Cheung and Roland Cheung.

From day one, PISA was built on the continuous and unconditional contributions from our members. We will continue this spirit in the coming years. When I meet members in our gatherings, many new ideas are proposed. With the contribution from members, I believe we are able to implement some of them and make PISA a more open, responsive and professional security association. Let us work together to bring PISA a successful year in 2009/10!

Antony
September 2009

The newly elected PISA EXCO 2009/10: Jim Shek (left), Antony Ma, Raymond Tang, Frank Chow, Alan Ho, George Chung & James Chan

Dissecting Green Dam
綠壩 — 過濾功能的剖析
楊和生 (Sang Young) CISSP CISA CEI ECSA CHFI CIFI CEH, Program Committee

Green Dam Youth Escort (綠壩-花季護航) was developed by a Chinese software company based in Hangzhou. Under a directive from the Ministry of Industry and Information Technology (MIIT), from 1 July 2009 every new computer would have had to have it installed before it could be sold. However, because of the software's quality, the implementation timetable, and strong reactions from enterprises and netizens both in China and overseas, MIIT postponed the directive at the end of June 2009 until further notice. Officially, Green Dam is positioned as software that protects minors online: it is said to identify pornographic images and text on websites and filter them. We set out to test Green Dam's various functions, and its "other functions".

Functional tests

We used the Home Edition, version 3.17. Opening the Green Dam console shows several built-in filtering functions, the main ones being:
• URL filtering
• Keyword filtering
• Image filtering
• On-screen text filtering

The test results for each of Green Dam's techniques follow.

URL filtering

Green Dam has a periodically updated URL database. When a user visits a URL listed in that database, a "DNS error" message is displayed and the site cannot be reached.

In our tests, the URLs successfully filtered included http://www.playboy.com, but because of the inherent shortcomings of a URL database, many pornographic sites' URLs were still not filtered. Worse, many legitimate sites were wrongly filtered; for example, the Microsoft SysInternals security tools site http://www.sysinternals.com was also classified by Green Dam as a forbidden address. The result is URL filtering that is both ineffective and prone to false positives.

Keyword filtering

Green Dam also filters based on keywords appearing on a web page; the keyword database can likewise be updated periodically.

In our tests, when a keyword appeared, the web browser again showed a "DNS error" message. For example, http://www.sex141.com is not in the URL database, but because the page contains pornography-related keywords, Green Dam filtered this site as well.

Unfortunately, the keyword database has equally serious flaws, causing many legitimate sites to be wrongly filtered; for example, the Family Planning Association of Hong Kong's site (http://www.famplan.org.hk) became collateral damage because it contains similar keywords. Keyword filtering has other weaknesses too: it cannot recognise text that is neither Chinese nor English. In preliminary tests, when Japanese pornographic terms appeared on a page, Green Dam could not filter it.

Image filtering

Another function Green Dam claims to be powerful is intelligent filtering of pornographic images, a technique based on skin tone detection. Vendors were applying this technique to Internet filtering as early as 10 years ago, but skin tone detection has many limitations, for example it can only recognise white and yellow skin, and so it never became widespread.

By default, Green Dam's image filtering is switched off. We enabled it and tested: pornographic photos of white and Asian subjects were filtered successfully; the failures were mainly darker photos or photos of black subjects.

Successfully filtered: http://www.wsyoung.com/f/123.bmp. But many photos were not filtered, including http://www.wsyoung.com/f/456.bmp and http://gdghdshadh1.blog116.fc2.com/blog-entry-244.html.

Not only that, Green Dam also wrongly filtered large numbers of non-pornographic photos, for example a baby's head, Hu Jintao's face, the Chinese national flag and the Party emblem.

On-screen text filtering

On-screen text filtering means that Green Dam acts on applications in which keywords appear, such as Microsoft Office and Notepad.

We tried typing "sex", "fuck", 「愛」 (love) and 「屠殺」 (massacre) into Notepad and found they could be entered. But when we typed 「六四屠殺」 (June Fourth massacre), 「六四屠城」 (June Fourth slaughter of the city) and 「陷害法輪功」 (framing Falun Gong), Green Dam immediately closed Notepad and displayed 「此信息不良! 將被過濾掉!」 ("This information is harmful! It will be filtered!"). Because the user's document had not yet been saved, the unsaved data was lost. In testing, the applications that get closed also include Wordpad, Editpro, Internet Explorer and Firefox.

Interestingly, simply renaming the notepad program was enough to bypass this heavy-handed on-screen text filter.

Other test results

Green Dam's other functions include periodic screen capture of the user's display, by default every 3 minutes, with the most frequent setting being every 1 minute; the captures are stored in chronological order. The security threat is that sensitive screens may be recorded, such as online banking sessions, the contents of documents after decryption, and private communications. Whether uploaded by Green Dam to a server or obtained through unauthorised access to the computer, the captured images amount to a database of sensitive user activity.

For image filtering, different sensitivity levels can be configured.

When we used Firefox, the filtering was much less effective: sometimes it failed to filter at all, and when it did succeed, under Firefox there was no error or prompt message, only a blank page.

Green Dam's language is set up only for a Simplified Chinese working environment; to install it or change its settings, you must use a Simplified Chinese edition of Windows or set the system default language to Simplified Chinese. During our testing, Green Dam also released a campus edition and a server edition. The campus edition is said to be identical to the home edition we tested, while the server edition is a Microsoft IIS plug-in intended for network content providers.

Summary

The Green Dam version we used was Home Edition 3.17. It can filter pornographic web content, but it also filters non-pornographic sites. When politically sensitive content appears, Green Dam kills the application and the user's input is not saved. Green Dam also has logging functions that store the URLs the user browsed and images of the screen. Green Dam also has outbound communication capability, which can be used to update its databases.

楊和生, 2009 ■

Copyright & Disclaimer: Copyright owned by the author. This article is the views of the author and does not necessarily reflect the opinion of PISA.
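The image filtering section above attributes both kinds of failure (missed darker-skinned photos, blocked baby heads and faces) to skin tone detection. The following Python example, added here and not code from Green Dam or from the article's author, shows why a colour-only filter behaves that way. It assumes the filter works by counting "skin" pixels under an explicit RGB rule (the published Peer et al. 2003 daylight rule, an assumption about Green Dam's internals) and blocking when the skin fraction passes a sensitivity threshold; the two 100-pixel "photos" are constructed, not real images.

```python
# Added illustration (not Green Dam's code): why a skin-tone-fraction image
# filter both misses darker skin and flags harmless portraits.
from typing import List, Tuple

Pixel = Tuple[int, int, int]  # (R, G, B), each 0-255


def is_skin_rgb(r: int, g: int, b: int) -> bool:
    """Explicit RGB skin rule (Peer et al., 2003) for daylight-lit images.

    The rule was fitted to light and medium skin samples; that is the root
    cause of the blind spot for darker skin that the article observed.
    """
    return (
        r > 95 and g > 40 and b > 20
        and max(r, g, b) - min(r, g, b) > 15   # reject grey / low-saturation pixels
        and abs(r - g) > 15
        and r > g and r > b                    # red-dominant colour
    )


def skin_fraction(pixels: List[Pixel]) -> float:
    """Fraction of pixels that the rule labels as skin (0.0 for an empty image)."""
    if not pixels:
        return 0.0
    return sum(1 for p in pixels if is_skin_rgb(*p)) / len(pixels)


def flag_image(pixels: List[Pixel], sensitivity: float = 0.5) -> bool:
    """Filter of the kind the article describes (assumed model): block when the
    skin fraction reaches a configurable sensitivity. It sees colour only, so a
    face, a baby's head and any other exposed skin all look the same to it."""
    return skin_fraction(pixels) >= sensitivity


def make_image(subject: Pixel, background: Pixel, subject_pct: int) -> List[Pixel]:
    """Constructed 100-pixel 'photo': subject_pct pixels of the subject colour,
    the remainder background."""
    return [subject] * subject_pct + [background] * (100 - subject_pct)


# Constructed sample tones (approximate, not taken from any real photograph).
LIGHT_SKIN: Pixel = (224, 172, 140)
DARK_SKIN: Pixel = (70, 40, 25)
BLUE_BACKDROP: Pixel = (30, 60, 200)

BABY_PORTRAIT = make_image(LIGHT_SKIN, BLUE_BACKDROP, 70)  # harmless light-skinned face
DARK_SUBJECT = make_image(DARK_SKIN, BLUE_BACKDROP, 70)     # same composition, darker skin


def demo() -> dict:
    """Return the filter's verdicts on the two constructed images."""
    return {
        "baby_portrait_blocked": flag_image(BABY_PORTRAIT),  # True: false positive
        "dark_subject_blocked": flag_image(DARK_SUBJECT),    # False: false negative
        "baby_skin_fraction": skin_fraction(BABY_PORTRAIT),  # 0.7
        "dark_skin_fraction": skin_fraction(DARK_SUBJECT),   # 0.0
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Lowering the sensitivity threshold only trades one error for the other: the dark-skinned image scores 0.0 under this rule no matter how the threshold is set, while the portrait is blocked at any threshold at or below 0.7. That is the practical point for anyone evaluating such a filter: colour statistics alone cannot separate "skin present" from "pornographic", so the false-positive and false-negative rates the article measured are properties of the technique, not of tuning.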
Reversing Green Dam – Uncover the Darkness and Truth
Anthony Lai CISSP, CSSLP, CEH
Program Committee, PISA; Founder and Security Researcher, Valkyrie-X Security Research Group

You may already have studied the dynamic behaviour of the Green Dam software from Sang Young's article. I have highlighted some important findings after carrying out reverse engineering of a few critical modules in Green Dam, to understand what it does as well as its architecture. Finally, we have provided a summary and recommendations, as well as the room for further research on Green Dam.

1. Commander of Installation and Process

We have found that XNet2.exe is the major Green Dam service. It handles installation and registers the software key in the system, and it is responsible for password checking and reset. Meanwhile, it acts as a commander of XDaemon.exe and gn.exe and kick-starts a number of processes from the following executables: Xdaemon, gn, HTAnalyzer, MPSVCC, HNCENG, HH, Looklog and LookPic.

Figure 1.1: Creating the process

2. Application executable monitoring

It is a critical finding that injlib32.dll is injected into every critical process. You could be amazed that it is architected like a malware. This is our proposed model of how the components interact with each other: Handle.dll is there to create a process/thread to monitor any messages received from the injected DLL (as it supports string transmission).

Figure 2.1: The relationship between injlib32.dll and Handle.dll

Following into the memory address of loc_100008918, we obtain the list of executable names loaded beforehand for monitoring.

Figure 2.2: Following into memory address loc_100008918

Figure 2.3a & 2.3b: Display of the monitored, existing running services on the Green Dam installed computer

3. Connecting to a remote time server from NIST (National Institute of Science and Technology) in the United States

We found out that Green Dam tries to set up several network sockets and connect to the ISP and to NIST's time server in the United States. The use of the time server is to synchronize the time across time zones for logging and downloading.

Figure 3.1: Setting up and opening a network socket

Figure 3.2: List of IP addresses

4. Suspicious piracy and copyright violation

I decrypted the word list file with the informat