


ISSUE 24

19 July 2013

Article of the Month Around the World

Benefits of Sensor Deployment at Internet Service Providers to Mitigate Cyber Threats

Part 01 


The explosive growth of connectivity options has driven a large increase in the number of Internet users across the globe, and the situation is no different in our region, as the growth statistics available on the TRC website confirm[1]. The types of malicious traffic flowing to and from our local networks correlate directly with the threats to and from those networks. In this context, deploying sensors at the ISP gateway level adds the benefit of monitoring these threats and responding to them proactively.

What is a sensor?

A sensor, or pod, is a live CD image or a virtual machine that contains the sensor software. The aim of deploying sensors is to build a network of pods that can securely and anonymously help provide actionable intelligence to the Internet security community. A sensor can act as a passive data collection facility for many common applications such as HTTP servers or, if expressly permitted, can help actively monitor malicious Internet activity. No sensor partner or sensor-specific information is ever shared outside the core network.



Types of sensors available

A number of organisations provide these sensors as a free service, but access is granted on the basis of trustworthiness and reliability. Partners are screened by the sensor/pod provider to ensure the integrity of the network, and in return gain a definite advantage over the general public in terms of threat intelligence. Some of the organisations that deploy sensors in order to provide intelligence to the Internet security community are:

1. The Dragon Research Group (DRG)[2]

The DRG is a not-for-profit, non-revenue generating entity, comprised of a geographically dispersed set of trusted volunteers who are passionate about making the Internet more secure. Selected volunteers are part of a group that will have access to the data and tools that can really make a difference in the fight against online crime.

2. TSUBAME (Internet threat monitoring system) from JPCERT/CC

TSUBAME has a widely distributed arrangement of sensors and observes various scan activities in the Asia Pacific region: worm infections, probing of vulnerable systems, etc. JPCERT/CC provides summarised scan trends (graphs) using the data observed by TSUBAME. Moreover, the observed data are used as a basis for JPCERT/CC activities such as publishing alerts and advisories, security awareness documents, etc.

3. Shadowserver

The Shadowserver Foundation collects data from its worldwide sensors and provides reports on malicious activity to the responsible network operators as a subscription service.


4. Team Cymru

Team Cymru Inc. is a specialized Internet security research firm dedicated to making the Internet more secure. Team Cymru helps organisations identify and eradicate problems in their networks, providing insights that improve lives.


How to deploy a sensor in your network

For example, TSUBAME sensors are placed across various address blocks in the Asia Pacific region: at the edge of DSL lines, near Internet exchanges, and so on. These sensors watch the TCP, UDP and ICMP packets that reach them from the Internet.

Figure 1: The method of collecting attack traffic and reporting

These sensors are placed outside the organisation's firewall, and a public IP address is required for the sensor to operate properly. A threat monitoring system correlates and analyses traffic from multiple sensors in order to raise the accuracy of its alerts, which enables an efficient, coordinated response from the victim's end.

How a sensor identifies malicious traffic

Attack traffic or scans originate from multiple sources, and may be intentional or unintentional: compromised servers, malicious attackers, infected network devices, etc. In the case of the Shadowserver network, data received from sensors across the world is captured and filtered, then analysed by an engine that classifies the type of attack traffic. Figure 2 illustrates a similar report generated by the TSUBAME sensors.

Figure 2: The graph publicised on the web shows the top five accessed ports, based on the average number of packets per sensor, by quarter and by year respectively.

A threat monitoring and visualization system (TMVS) could be deployed at the back-end to analyse the collected data and alert the relevant networks.
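The two back-end steps described above (correlating one source across several sensors before alerting, and ranking ports by average packet count per sensor as in Figure 2) as a small added example; this is illustrative code written for this article, not software from TSUBAME, Shadowserver or any sensor provider, and the records it processes are constructed sample data with documentation-range addresses.

```python
from collections import Counter, defaultdict

# Constructed sample records as a sensor back-end might receive them:
# (sensor_id, source_ip, protocol, destination_port). Not real observations.
RECORDS = [
    ("s1", "198.51.100.7", "tcp", 22),
    ("s1", "198.51.100.7", "tcp", 22),
    ("s2", "198.51.100.7", "tcp", 22),
    ("s3", "198.51.100.7", "tcp", 22),
    ("s1", "203.0.113.9", "tcp", 445),
    ("s2", "203.0.113.9", "tcp", 445),
    ("s2", "203.0.113.9", "tcp", 445),
    ("s3", "192.0.2.5", "udp", 53),   # seen by a single sensor only
    ("s3", "192.0.2.5", "tcp", 80),
    ("s3", "192.0.2.5", "tcp", 3389),
]


def top_ports(records, n=5):
    """Rank (protocol, port) pairs by average packet count per sensor.

    Dividing by the number of reporting sensors is what makes figures from
    quarters with different sensor counts comparable, as in Figure 2.
    """
    sensors = {sid for sid, *_ in records}
    counts = Counter((proto, port) for _, _, proto, port in records)
    # Highest count first; ties broken by (protocol, port) for a stable order.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(proto, port, cnt / len(sensors)) for (proto, port), cnt in ranked[:n]]


def correlate_sources(records, min_sensors=2):
    """Return sources seen by at least `min_sensors` independent sensors.

    A source hitting several sensors is far more likely to be a real scanner
    than a single-sensor artefact, so only those are raised as alerts.
    """
    seen = defaultdict(set)
    for sid, src, _, _ in records:
        seen[src].add(sid)
    return {src: sorted(sids) for src, sids in seen.items() if len(sids) >= min_sensors}


if __name__ == "__main__":
    for proto, port, avg in top_ports(RECORDS):
        print(f"{proto}/{port}: {avg:.2f} packets per sensor")
    for src, sids in correlate_sources(RECORDS).items():
        print(f"alert: {src} observed by sensors {', '.join(sids)}")
```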

Kanishka Yapa
Senior Information Security Engineer
Sri Lanka CERT|CC


Inbound Threats to Sri Lanka during June 2013

This graph was obtained from the Threat Visualization and Analysis System (TVAS), which monitors inbound and outbound threats to Sri Lanka. The graph shows a large increase in inbound threats during the first week of June. The largest number of threats, 240, came from mainland China; these include port scans targeting local IPs. The second largest number of threats came from the USA, with more than 40 recorded during the first week. On the 13th of July this number had increased to more than 40. The other countries the threats originate from include Germany, Korea, Russia and Taiwan.




  Brute Force Attacks on Internet Facing Control Systems

'....ICS-CERT received a report from a gas compressor station owner about an increase in brute force attempts to access their process control network.
ICS-CERT posted an alert on the US-CERT secure portal (Control Systems Center), containing 10 IP addresses, to warn other critical infrastructure asset owners, especially in the natural gas industry, to watch for similar activity. That alert elicited additional reports from critical infrastructure owners who, using the indicators in the alert, had discovered similar brute force attempts to compromise their networks. Those new reports yielded 39 new IP addresses, which ICS-CERT included in an update to the original alert (also posted on the secure portal)......'

  GCHQ director: Britain 'under attack' in cyberspace

'....Britain is seeing about 70 sophisticated cyber espionage operations a month against government or industry networks, British intelligence has told the BBC. GCHQ director Sir Iain Lobban said business secrets were being stolen on an "industrial scale". Foreign hackers have penetrated some firms for up to two years, he said. Foreign intelligence services are behind many of these attacks, according to Britain's Security Service MI5......'

njRAT Espionage Malware Targets Middle Eastern Governments, Telecoms and Energy


'....Government agencies, telecom and energy organizations in the Middle East are being targeted by espionage malware known as njRAT. The remote access Trojan is thorough in its data-stealing capabilities. Beyond dropping a keylogger, variants are capable of accessing a computer's camera, stealing credentials stored in browsers, opening reverse shells, stealing files, manipulating processes and viewing the user's desktop......'

France 'has vast data surveillance' - Le Monde report


'....France's foreign intelligence service intercepts computer and telephone data on a vast scale, like the controversial US Prism programme, according to the French daily Le Monde. The data is stored on a supercomputer at the headquarters of the DGSE intelligence service, the paper says. The operation is "outside the law, and beyond any proper supervision", Le Monde says. Other French intelligence agencies allegedly access the data secretly......'

Turkish Police Name RedHack a Cyber Terrorist Organization

'....RedHack has been highly involved in the protests that started in Turkey after authorities announced their intentions to destroy the Gezi Park in Istanbul. Over the past days, the hackers have breached the systems of Turkey's Directorate of Religious Affairs and the ones of the Istanbul Special Provincial Administration. In light of recent events, Turkish police are said to have submitted a report to the Istanbul Prosecution's Office in which they identify the hacktivist group as a "cyber terrorist organization".....'

Month in Brief

Figure: Facebook Incidents Reported to Sri Lanka CERT|CC in June 2013 (Fake + Harassment; gender wise). Statistics - Sri Lanka CERT|CC.


Twitter Wants to Start Tracking You on the Web, Here's How to Opt-Out

'....In a blog post today, Twitter announced that they're "experimenting with new ways of targeting ads," which is their way of saying they're planning to track you around the web, even when you leave Twitter, and relay that information to advertisers to craft better ads. Here's how to opt out......'

DropBox account hacking bypassing two-factor authentication

'....Q-CERT team found a critical vulnerability in DropBox that allows a hacker to bypass the two-factor authentication implemented by the popular file sharing service......'

This Is Not a Test: Emergency Broadcast Systems Proved Hackable

'....Several models of Emergency Alert System decoders, used to break into TV and radio broadcasts to announce public safety warnings, have vulnerabilities that would allow hackers to hijack them and deliver fake messages to the public, according to an announcement by a security firm on Monday. The vulnerabilities included a private root SSH key that was distributed in publicly available firmware images that would have allowed an attacker with SSH access to a device to log in with root privileges and issue fake alerts or disable the system. IOActive principal research scientist Mike Davis uncovered the vulnerabilities in the application servers of two digital alerting systems known as DASDEC-I and DASDEC-II. The servers are responsible for receiving and authenticating emergency alert messages......'

How Hackers Can Take Control of Your Car


'....In March 2011, a team of scholars at the University of Washington joined with colleagues from the University of California-San Diego, in a technical paper entitled "Comprehensive Experimental Analyses of Automotive Attack Surfaces." They prepared it for the National Academy of Sciences (NAS) committee on electronic vehicle controls and unintended acceleration. Dirk Besenbruch, engineer, group leader of Systems & Applications, Automotive, at NXP Semiconductors, recalls the paper as a wakeup call. "It triggered our work at NXP" on automotive security, he said in a recent phone conversation with EE Times. The academics' point was to debunk automotive industry skepticism about the hackability of on-board electronics. The industry's conventional wisdom was that "to implement an attack, the attacker would need to physically connect attack hardware to the car's internal computer network." That got the university researchers going. They ran "a systematic and empirical analysis of the remote attack surface of late model mass-production sedan," according to the authors......'

POC code for critical Android bug published



'....Last week, researchers from Bluebox Security made a disconcerting revelation: Google's Android mobile OS carries a critical bug that allows attackers to modify the code of any app without breaking its cryptographic signature, and thusly allows them to stealthily plant malicious apps on legitimate app stores and users' phones. The good news is that the bug hasn't, so far, been spotted being exploited in the wild, but that might soon change as security researcher Pau Oliva has published proof-of-concept code that can exploit it......'

Notice Board
Training and Awareness Programmes - July 2013

Date / Event / Venue
- July 10-15 & July 15-19 / Content Development for e-thaksalawa Learning Content Management System / ICT Branch, Ministry of Education
- July 28 – August 1 / 2D Animation Training / Center for Education Leadership Development, National Institute of Education, Meepe
- July 1 - 7 / Hardware Training Programme / NAITA, Katubedda
- July 23-27 / Hardware Training Programme / NAITA, Katubedda
- July 08 - 14 / Hardware Training Programme / NAITA, Katubedda
- July 15-19 / Hardware Training Programme / NAITA, Katubedda
- July 29 – August 04 / Hardware Training Programme / NAITA, Katubedda
- July 11 / Social Media Awareness Sessions for parents / Bishops College
