NetObservatory: What IT security for our Swiss SMEs?


DESCRIPTION

Presentation by François Buntschu, Professor of Networks and Network Security, Ecole d'ingénieurs et d'architectes de Fribourg, and Pascal Gloor, Senior Network Security Engineer, Dreamlab, at the First conference on 26 August at the Centre Paroissial l'Avenir in Delémont, on the theme of IT security for private and professional users in Switzerland


Jura Security Days 2011 François Buntschu

Pascal Gloor

Agenda

1. Introduction to NetObservatory

2. What security for our SMEs?

Attack surface of the Swiss Internet: current situation

3. Conclusions

A typical company

The company entreprise.ch

employe@entreprise.ch

http://www.entreprise.ch

Mail server

Intranet, publications, e-commerce

Network access

DNS server

By owning an Internet domain name, a company has a host of services at its disposal that let it use the Internet as a tool for communication and for creating added value.

What is NetObservatory?

• An observatory of the Swiss Internet for SMEs that brings together IT security specialists

Measuring the attack surface

Offering SMEs what MELANI offers to the services of the Confederation and to the country's strategic companies

• A project funded under the NPR (Nouvelle Politique Régionale, New Regional Policy) of the canton of Fribourg

On the evening of 29 November 2009, vote on minarets: • Several Swiss sites defaced (front page modified)

The attack surface

Closed-circuit camera system

Automatic doors, high-tech lock

Side entrances

Unbreakable windows

The attack surface (2)

From the public Internet, a company exposes a larger or smaller surface of interactions.

Every vulnerability or "open door" increases the attack surface!

Latest results (NORA)

2nd quarter 2011

Methods

• Data collection:

– Searches in public databases (whois, dns)

– Simple requests to the standard services (www, e-mail) of all Swiss domains.

• Anonymisation of the collected data

Data collected (Q2 2011)

• We continuously collect and analyse:

Type of information: Status

Domain names (.ch): more than 1.3 million, owned by 605’290 persons or companies

Web sites: 724’145 web sites, spread over 76’173 servers

E-mail: 48’266 mail servers

Name servers (for name resolution): 32’869 DNS servers

NetObservatory NORA Report Q2/2011 6/36

2.3 DOMAIN NAMES

2.3.1 Domain names distribution

Legend

The figure above shows the distribution of CH domain names among the population, split

by cantons. The result is a CH domain names usage based on the geographic region

independently of the size of the canton.

Analysis

Languages, cultural regions, or economically strong cities do not influence the distribution

of Internet domain names usage. The usage is fairly distributed with very few exceptions.

Jura and Uri have clearly a lower usage, under 70 domains per 1’000 inhabitants and on the

other side Zug a higher usage with over 310 domains per 1’000 inhabitants.

Differences since Q1 2011

Minimal.

Distribution of .ch domains

• By canton and inhabitant (1 inhabitant in 6 owns a domain)

Almost uniform

Distribution of .ch domains

No dominant holders. Minimal changes since December 2010

NetObservatory Aggregate Report 04.2011 7/37

2.3.2 Top 10 domain names holders

Legend

The figure above shows the top 10 domain names holders. The result is shown in percent

of the total number of registered CH domain names. These companies or individuals have

acquired the most CH domain names.

Analysis

The top holder has 8800 CH domain names. While the number could impress some, it is

worth noticing that this only represents a very small fraction (0.7%) of all CH domain

names. The result shows no market domination of any kind in the domain ownership.

Differences since December 2010

Minimal

[Figure: top 10 domain name holders (Détenteurs) as a percentage of all registered CH domain names; labelled values from 0.09% to 0.7%]

Distribution of .ch web servers

• By network (AS, Autonomous System). No dominant hosting providers. Minimal changes since December 2010


2.4 WEB SERVERS

2.4.1 Top 10 ASN by number of hosted web sites

Legend

Top 10 network operator names sorted by number of web sites hosted under their IP addresses. This does not mean that they directly host those sites; a hosting provider can be a customer of those network operators for its Internet access.

Analysis

The only really relevant information shown here, apart from the company names, is that

large hosting companies want to have their network independence and run their own

network infrastructure. Three of the first four are not Internet access providers but still

operate their own network infrastructure.

Differences since December 2010

Minimal

[Figure: top 10 ASNs by number of hosted web sites: VTX-NETWORK, CYON, CABLECOM, WEBLAND-AS, ASN-GENOTEC, GREEN, Infomaniak-AS, SWISSCOM, HOSTPOINT-AS, ASN-METANET; horizontal axis from 0 to 150,000]

Web servers, data collected

Content management system (CMS): Joomla, Typo3, Wordpress, Drupal, osCommerce

Web server: IIS, Apache, nginx, lighttpd, Squid, Lotus, IBM

Content

Operating system: Linux, Windows 2008, OSX, Windows XP, Windows 7

[Figure: .ch web servers by server software: others, DirectAdmin httpd, IBM HTTP Server, Squid webproxy, Zope, Lotus Domino httpd, lighttpd, MiniServ, nginx, Microsoft IIS, Apache; labelled values 14% and 78%]

Distribution of .ch web servers

• By web server software. Apache dominates the Swiss market even more than abroad

Risks in the event of an Apache problem

Minimal changes since December 2010

Quality of secured sites (HTTPS)

[Figure: hash algorithms used in HTTPS certificates (sha512, sha256, sha1, md5, dsa), December 2010 vs. June 2011; labelled values 88% and 12%]

• Distribution of hash algorithms (identification of a certificate)

12% of sites still use MD5, a share that is decreasing thanks to the certificate renewal process. Weaknesses known since 2008

Web server vulnerabilities

• Apache (Microsoft data not available)

Half of the Apache servers have documented vulnerabilities! Minimal changes since December 2010

[Figure: Apache servers by status (not vulnerable, unknown, vulnerable), December 2010 vs. June 2011; labelled values 43% and 56%]

Distribution of CMSs (Content Management System)

• By type

Joomla, Typo3 and Wordpress account for more than 80% of the market

[Figure: CMS distribution by type: Plone, Magento, osCommerce, xtCommerce, CMS Made Simple, Contao, Drupal, WordPress, TYPO3, Joomla; June 2011 vs. December 2010; labelled values 4%, 15%, 29%, 38%]

Wordpress over time…


3.2.4 Timeline of a WordPress release

Legend

On the 26th of December 2010, WordPress released a new version (3.0.4) due to a major security issue (XSS in comments). This figure shows how diligent webmasters were with the update.

Analysis

Just a few days after the update (4 days), less than 4% of the sites were updated; a month after the update, about 20%; and three months later, a bit more than 30%. This figure shows clearly that about 2/3 of the WordPress sites are not properly taken care of and stay "forever" in their originally installed version. With a 6-month backlog, we clearly see that about half of the WordPress sites aren't updated at all. About 20% are early adopters and follow new releases very quickly.

Differences since Q1 2011 report

WordPress version 3.1 has been integrated in the graphic and an absolute values graphic has been added.

[Figure: WordPress versions installed over time, two panels: share of WordPress CMS (0% to 100%) and number of WordPress CMS (0 to 14000); measurement dates 2010/12/30, 2011/01/24, 2011/03/30, 2011/06/25; legend "Version installed": < 3, < 3.0.4, >= 3.0.4, >= 3.1]
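The bucketing behind the timeline figure described above, as an added example (not code from the NORA report or from NetObservatory): it sorts already-collected WordPress version strings into the figure's four legend classes and computes the share at or above 3.0.4. The sample list, the function names and the handling of unparseable strings are assumptions.

```python
from collections import Counter

# Bucket labels copied from the figure legend "Version installed".
BUCKETS = ("< 3", "< 3.0.4", ">= 3.0.4", ">= 3.1")
PATCHED = (3, 0, 4)  # release the report says fixed the XSS in comments

def parse_version(text):
    """Turn '3.0.4' or '3.1-RC2' into a comparable tuple, or None if unusable."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # '3.1' -> (3, 1, 0)

def bucket(version):
    """Map a parsed version tuple to one of the four legend buckets."""
    if version < (3, 0, 0):
        return "< 3"
    if version < PATCHED:
        return "< 3.0.4"
    if version < (3, 1, 0):
        return ">= 3.0.4"
    return ">= 3.1"

def patch_uptake(observed):
    """Return (bucket counts, percent at or above 3.0.4, unparseable count)."""
    counts = Counter({b: 0 for b in BUCKETS})
    unknown = 0
    for raw in observed:
        v = parse_version(raw)
        if v is None:
            unknown += 1  # hidden or garbled version string: left out of the share
            continue
        counts[bucket(v)] += 1
    total = sum(counts.values())
    patched = counts[">= 3.0.4"] + counts[">= 3.1"]
    share = round(100.0 * patched / total, 1) if total else 0.0
    return dict(counts), share, unknown

# Constructed sample (assumption): version strings as one survey run might record them.
SAMPLE = ["2.9.2", "3.0", "3.0.1", "3.0.4", "3.0.5", "3.1", "3.1.3",
          "2.8", "3.0.3", "", "unknown", "3.1-RC2"]

if __name__ == "__main__":
    counts, share, unknown = patch_uptake(SAMPLE)
    print(counts, f"{share}% at or above 3.0.4", f"{unknown} unparseable")
```

Running the same function over each measurement date's data gives one column of the timeline; sites whose version string cannot be parsed are reported separately rather than counted as patched or unpatched.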



3.2.3 Updated releases of WordPress and TYPO3

Legend

Comparison of used software versions. This graphic shows the number of web sites running CMS versions known to have security issues compared to the ones being up-to-date.

Analysis

This is one of the most shocking results of the project. 96% of the TYPO3 versions actually

running are known to have security issues.

Differences since Q1 2011 report

WordPress has a significant improvement in updated version from 30% to 43%. TYPO3

also increased from 6% to 15%.

[Figure: share of updated vs. not updated installations (legend "Status"): typo3 85% not updated, 15% updated; wordpress 57% not updated, 43% updated]

CMS vulnerability

85% of Typo3 installations are not up to date, and neither are 57% of Wordpress installations, i.e. more than 30’000 sites!


IPv6


5.2 IPV6 RELATIONS

IPv6 is the Internet Protocol version 6. It has existed for over 10 years, and its usage was very low, if not purely experimental, until recently. IPv4, the current and globally used Internet Protocol, is slowly but surely reaching its limit: the maximum number of computers simultaneously connected to the Internet. The IANA (Internet Assigned Numbers Authority) pool is now exhausted, and the pool of APNIC (responsible for delegating IP addresses in the Asia / Pacific region) is exhausted as well. The European registry, RIPE, expects its pool to hold for another 6 to 9 months. Adoption of the new IPv6 protocol is urgent, especially for service and access providers.

5.2.1 IPv6 adoption in standard DNS entries

Legend

Percentage of domain names having an IPv4 and/or an IPv6 record for standard DNS

entries.

Analysis

22% of the domains have DNS servers reachable over IPv6. Mail and web records are almost nonexistent. Further analysis and historical data will be shown in the automated reports to follow the progression of IPv6.

Differences since Q1 2011 report

A significant increase of NS records from 15% to 22% occurred in the last 3 months. This

is due to Hostpoint AG who enabled IPv6 NS records for all their customers. At the same

time MX records went from less than 1% to 4%. This is due to Infomaniak SA who enabled

IPv6 MX for all their mail service customers.

[Figure: share of domain names with IPv4 and IPv6 records for ns, a and mx entries; labelled values 100%, 90%, 70%, 22%, 4%; legend "IP Version": 6, 4]

NetObservatory Aggregate Report 12.2010 24/29

4.2 IPv6 relations

IPv6 is the Internet Protocol version 6. It has existed for over 10 years, and its usage was very low, if not purely experimental, until recently. IPv4, the current and globally used Internet Protocol, is slowly but surely reaching its limit: the maximum number of computers simultaneously connected to the Internet. Projections show that IPv4 will reach its limit between 2011 and 2012.

4.2.1 IPv6 adoption in standard DNS entries

Legend

Percentage of domain names also having an IPv6 record for standard DNS entries.

Analysis

Almost 10% of the domains have DNS servers reachable over IPv6. Mail and web records are almost nonexistent. Further analysis and historical data will be shown in the automated reports to follow the progression of IPv6.

[Figure: share of domain names with IPv4 and IPv6 records for MX, NS, WWW and A entries, December 2010 vs. June 2011; labelled values 99%, 91%, 97%, 9%; legend "IP Version": IPv6, IPv4]

• Migration to and configuration of IPv6 following the shortage of IPv4 addresses. Considerable increase following the implementation of IPv6 by two hosting providers (Hostpoint and Infomaniak)

Business Development


• Creation of a NetObservatory institute

• Focus on the security of the Swiss Internet

– Regular reports

– Products for SMEs

– Education & Information

Conclusions

o The Internet is becoming ever more aggressive

o The Confederation and critical services have a monitoring and alert centre

o SMEs are left to fend for themselves and lack the necessary technical skills

NetObservatory will fill this gap and offer unique services to Swiss SMEs

Thank you for your attention
