Presentation by François Buntschu, Professor of Networks and Network Security, Ecole d'ingénieurs et d'architectes de Fribourg, and Pascal Gloor, Senior Network Security Engineer, Dreamlab, at the First conference on 26 August at the Centre Paroissial l'Avenir in Delémont, on the topic of IT security for private and professional users in Switzerland
Jura Security Days 2011 François Buntschu
Pascal Gloor
Agenda
1. Presentation of the NetObservatory
2. What security for our SMEs?
Attack surface of the Swiss Internet – current situation
3. Conclusions
A typical company
The company entreprise.ch
http://www.entreprise.ch
Mail server
Intranet, publications, e-commerce
Network access
DNS server
By owning an Internet domain name, a company has at its disposal a host of
services that allow it to use the Internet as a tool for communication
and for producing added value.
What is the NetObservatory?
• An observatory of the Swiss Internet for SMEs that brings together
IT security specialists
Measuring the attack surface
Offering SMEs what MELANI offers to the services of
the Confederation and to the country's strategic
companies
• A project financed under the NPR (Nouvelle Politique
Régionale, New Regional Policy) of the canton of Fribourg
On the evening of 29 November 2009, vote on minarets: • Several Swiss sites defaced (front page modified)
The attack surface
Closed camera system
Automatic doors, high-tech lock
Side entrances
Unbreakable windows
The attack surface (2)
From the public Internet, a company offers a larger or smaller surface of interactions.
Every vulnerability or "open door" increases the attack surface!
Latest results (NORA)
2nd quarter 2011
Methods
• Data collection:
– Searches in public databases (whois, dns)
– Simple requests to the standard services (www, e-mail) of all Swiss domains.
• Anonymisation of the collected data
Data collected (Q2 2011)
• We continuously collect and analyse:
Type of information: Status
Domain names (.ch): more than 1.3 million, owned by 605’290 persons or companies
Websites: 724’145 websites, spread over 76’173 servers
Mail: 48’266 mail servers
Name servers (for name resolution): 32’869 DNS servers
NetObservatory NORA Report Q2/2011 6/36
2.3 DOMAIN NAMES
2.3.1 Domain names distribution
Legend
The figure above shows the distribution of CH domain names among the population, split
by cantons. The result is a CH domain names usage based on the geographic region
independently of the size of the canton.
Analysis
Languages, cultural regions, or economically strong cities do not influence the distribution
of Internet domain names usage. The usage is fairly distributed with very few exceptions.
Jura and Uri have clearly a lower usage, under 70 domains per 1’000 inhabitants and on the
other side Zug a higher usage with over 310 domains per 1’000 inhabitants.
Differences since Q1 2011
Minimal.
Distribution of .ch domains
• By canton and inhabitant (1 inhabitant in 6 owns a domain)
Almost uniform
Distribution of .ch domains
No dominant holders. Minimal changes since December 2010
NetObservatory Aggregate Report 04.2011 7/37
2.3.2 Top 10 domain names holders
Legend
The figure above shows the top 10 domain names holders. The result is shown in percent
of the total number of registered CH domain names. These companies or individuals have
acquired the most CH domain names.
Analysis
The top holder has 8800 CH domain names. While the number could impress some, it is
worth noticing that this only represents a very small fraction (0.7%) of all CH domain
names. The result shows no market domination of any kind in the domain ownership.
Differences since December 2010
Minimal
[Figure: top 10 domain name holders, as a percentage of all registered CH domain names. Axis label: Holders.]
Distribution of .ch web servers
• By network (AS, Autonomous System). No dominant hosting providers. Minimal changes since December 2010
NetObservatory Aggregate Report 04.2011 8/37
2.4 WEB SERVERS
2.4.1 Top 10 ASN by number of hosted web sites
Legend
Top 10 network operator names sorted by number of web sites hosted under their IP
addresses. This does not mean that they directly host those sites; a hosting provider can
be customer of those network operators for their Internet access.
Analysis
The only really relevant information shown here, apart from the company names, is that
large hosting companies want to have their network independence and run their own
network infrastructure. Three of the first four are not Internet access providers but still
operate their own network infrastructure.
Differences since December 2010
Minimal
[Figure: top 10 ASN by number of hosted web sites. Operators shown: VTX-NETWORK, CYON, CABLECOM, WEBLAND-AS, ASN-GENOTEC, GREEN, Infomaniak-AS, SWISSCOM, HOSTPOINT-AS, ASN-METANET.]
Web servers, data collected
Content management system (CMS): Joomla, Typo3, Wordpress, Drupal, osCommerce
Web server: IIS, Apache, nginx, lighttpd, Squid, Lotus, IBM
Content
Operating system: Linux, Windows 2008, OSX, Windows XP, Windows 7
[Figure: .ch web servers by server software. Software shown: others, DirectAdmin httpd, IBM HTTP Server, Squid webproxy, Zope, Lotus Domino httpd, lighttpd, MiniServ, nginx, Microsoft IIS, Apache. Labelled values: 14% and 78%.]
Distribution of .ch web servers
• By web server software: Apache dominates the Swiss market even more than abroad
Risks in case of an Apache problem
Minimal changes since December 2010
Quality of secured sites (HTTPS)
[Figure: certificate hash algorithms (sha512, sha256, sha1, md5, dsa), Dec. 2010 and June 2011. Labelled values: 88% and 12%.]
• Distribution of hash algorithms (identification of a certificate)
12% of sites still use MD5, a share that is decreasing thanks to the certificate renewal process. Weaknesses known since 2008
Web server vulnerabilities
• Apache (Microsoft data not available)
Half of the Apache servers have documented vulnerabilities! Minimal changes since December 2010
[Figure: Apache servers by status (not vulnerable, unknown, vulnerable), Dec. 2010 and June 2011. Labelled values: 43% and 56%.]
Distribution of CMS (Content Management Systems)
• By type
Joomla, Typo3 and Wordpress represent more than 80% of the market
[Figure: CMS distribution by type (Plone, Magento, osCommerce, xtCommerce, CMS Made Simple, Contao, Drupal, WordPress, TYPO3, Joomla), June 2011 and Dec. 2010. Labelled values: 4%, 15%, 29%, 38%.]
WordPress over time…
NetObservatory NORA Report Q2/2011 22/36
3.2.4 Timeline a WordPress release
Legend
On the 26th of December 2010, WordPress released a new version (3.0.4) due to a major
security issue (XSS in comments). This figure shows how diligent webmasters were with the
update.
Analysis
Just a few days after the update (4 days), less than 4% of the sites were updated; a month
after the update, about 20%; and three months later, a bit more than 30%. This figure shows
clearly that about 2/3 of the WordPress sites are not properly maintained and stay “forever”
on their originally installed version. With a 6-month backlog, we clearly see that about half of
the WordPress sites aren’t updated at all. About 20% are early adopters and follow new releases
very quickly.
Differences since Q1 2011 report
WordPress version 3.1 has been integrated in the graphic and an absolute values graphic
has been added.
[Figure: WordPress installations by installed version (< 3, < 3.0.4, >= 3.0.4, >= 3.1) on 2010/12/30, 2011/01/24, 2011/03/30 and 2011/06/25. Two panels: share of WordPress CMS in percent, and absolute number of WordPress CMS.]
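An added example (not from the presentation or the NORA report): one way to reproduce the figure's version classes for an inventory of your own sites. It assumes the version is read from the WordPress generator meta tag, which the report does not state, treats the four legend entries as disjoint ranges, and runs on constructed sample pages.

```python
import re
from collections import Counter

# Constructed sample: front-page HTML fragments of hypothetical sites.
SAMPLE_PAGES = {
    "site-a.example": '<meta name="generator" content="WordPress 2.9.2" />',
    "site-b.example": '<meta name="generator" content="WordPress 3.0.1" />',
    "site-c.example": '<meta name="generator" content="WordPress 3.0.4" />',
    "site-d.example": '<meta name="generator" content="WordPress 3.1" />',
    "site-e.example": '<meta content="WordPress 3.0" name="generator">',
    "site-f.example": '<meta name="generator" content="TYPO3 4.5 CMS" />',
}

META_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']([^"\']*)["\']')
WP_RE = re.compile(r"^WordPress\s+(\d+(?:\.\d+){0,2})", re.I)

def wordpress_version(html):
    """Version from the generator meta tag (assumed source) as a 3-tuple, or None."""
    for tag in META_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() != "generator":
            continue
        m = WP_RE.match(attrs.get("content", "").strip())
        if m:
            parts = [int(p) for p in m.group(1).split(".")]
            return tuple(parts + [0] * (3 - len(parts)))  # "3.1" -> (3, 1, 0)
    return None

def bucket(version):
    """Map a version tuple to one of the figure's four legend classes."""
    if version < (3, 0, 0):
        return "< 3"
    if version < (3, 0, 4):
        return "< 3.0.4"
    if version < (3, 1, 0):
        return ">= 3.0.4"
    return ">= 3.1"

def survey(pages):
    """Count WordPress sites per class; return counts and % at or above 3.0.4."""
    counts = Counter()
    for html in pages.values():
        v = wordpress_version(html)
        if v is not None:  # skip other CMSs and pages without the tag
            counts[bucket(v)] += 1
    total = sum(counts.values())
    patched = counts[">= 3.0.4"] + counts[">= 3.1"]
    return dict(counts), (100.0 * patched / total if total else 0.0)
```

Sites that hide or strip the generator tag are not counted at all, so a survey built this way understates the number of installations.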
NetObservatory NORA Report Q2/2011 21/36
3.2.3 Updated releases of WordPress and TYPO3
Legend
Comparison of used software versions. This graphic shows the amount of web sites
running CMS versions known to have security issues compared to the ones being
up-to-date.
Analysis
This is one of the most shocking results of the project. 96% of the TYPO3 versions actually
running are known to have security issues.
Differences since Q1 2011 report
WordPress has a significant improvement in updated version from 30% to 43%. TYPO3
also increased from 6% to 15%.
[Figure: update status of TYPO3 and WordPress installations. typo3: 85% not updated, 15% updated; wordpress: 57% not updated, 43% updated.]
CMS vulnerability
85% of Typo3 installations are not up to date, nor are 57% of Wordpress installations, i.e. more than 30’000 sites!
Dec. 2010 / June 2011
IPv6
NetObservatory NORA Report Q2/2011 31/36
5.2 IPV6 RELATIONS
IPv6 is the Internet Protocol version 6. It exists for over 10 years and its usage was very
low, if not only experimental, until recently. IPv4, the current and globally used Internet
Protocol, is slowly but surely reaching its limitation; the maximum number of simultaneous
computers connected to the Internet. The IANA (Internet Assigned Numbers Authority) pool
is now exhausted and also the APNIC (responsible to delegate IP addresses in the Asia /
Pacific region) pool is exhausted. The European registry, RIPE, expects its pool to hold for
another 6 to 9 months. Adoption of the new IPv6 protocol is urgent, especially for service
and access providers.
5.2.1 IPv6 adoption in standard DNS entries
Legend
Percentage of domain names having an IPv4 and/or an IPv6 record for standard DNS
entries.
Analysis
22% of the domains have DNS servers reachable in IPv6. Mail and web records are almost
inexistent. Further analysis and historical data will be shown in the automated reports to
follow the progression of IPv6.
Differences since Q1 2011 report
A significant increase of NS records from 15% to 22% occurred in the last 3 months. This
is due to Hostpoint AG who enabled IPv6 NS records for all their customers. At the same
time MX records went from less than 1% to 4%. This is due to Infomaniak SA who enabled
IPv6 MX for all their mail service customers.
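[Figure: share of domain names with IPv4 and IPv6 records for standard DNS entries (ns, a, mx). Labelled values: 100%, 90%, 70%, 22%, 4%. Legend: IP version 6, 4.]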
NetObservatory Aggregate Report 12.2010 24/29
4.2 IPv6 relations
IPv6 is the Internet Protocol version 6. It exists for over 10 years and its usage was very low, if not only experimental, until recently. IPv4, the current and globally used Internet Protocol, is slowly but surely reaching its limitation; the maximum number of simultaneous computers connected to the Internet. Projections show that IPv4 will reach its limit between 2011 and 2012.
4.2.1 IPv6 adoption in standard DNS entries
Legend
Percentage of domain names having also an IPv6 record for standard DNS entries.
Analysis
Almost 10% of the domains have DNS servers reachable in IPv6. Mail and web records are almost inexistent. Further analysis and historical data will be shown in the automated reports to follow the progression of IPv6.
[Figure: share of domain names with IPv4 and IPv6 records for standard DNS entries (MX, NS, WWW). Labelled values: 99%, 91%, 97%, 9%. Legend: IPv6, IPv4.]
Dec. 2010 / June 2011
• Migration to and configuration of IPv6 following the shortage of IPv4 addresses. Considerable increase following the implementation of IPv6
by two hosters (Hostpoint and Infomaniak)
Business Development
• Creation of a NetObservatory institute
• Focus on the security of the Swiss
Internet
– Regular reports
– Products for SMEs
– Education & information
Conclusions
o The Internet is becoming ever more aggressive
o The Confederation and the critical services have
a monitoring and alert centre
o SMEs are left to fend for themselves and do not have
the necessary technical skills
NetObservatory will fill this gap and
offer unique services to Swiss SMEs
Thank you for your attention