ThaiCERT Annual report 2012 English version

THAILAND COMPUTER EMERGENCY RESPONSE TEAM (ThaiCERT), A MEMBER OF ETDA
English Version
JOINT PARTNERS: OFFICE OF THE ELECTRONIC TRANSACTIONS COMMISSION (ETC), MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY (MICT), OFFICE OF THE NATIONAL BROADCASTING AND TELECOMMUNICATIONS COMMISSION (NBTC)
ThaiCERT Annual Report
Title: Thailand Computer Emergency Response Team (ThaiCERT) Annual Report
By: Thailand Computer Emergency Response Team (ThaiCERT), Electronic Transactions Development Agency (Public Organization)
ISBN: 978-616-91910-0-1
1st edition: November 2013
Volume: 1,000 copies
Price: 200 Baht
Copyright Act B.E. 2537, all rights reserved
Translated by: International Scriberia Company Limited
Published and distributed by: Electronic Transactions Development Agency (Public Organization), Office of the Electronic Transactions Commission, Ministry of Information and Communication Technology
The Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary, 5th December, B.E. 2550
120 Moo 3 Chaengwattana Rd., Laksi, Bangkok 10210
Tel: +66 2142 2483
Fax: +66 2143 8071
ThaiCERT Website: http://www.thaicert.or.th
ETC Website: http://www.etcommission.go.th
ETDA Website: http://www.etda.or.th
NBTC Website: http://www.nbtc.go.th
MICT Website: http://www.mict.go.th
Faced with the inevitable need to transform Thailand
from an analog to a digital world, we estimate that by 2013
we will have 2.6 million tablets deployed for education;
by 2014, the value of e-commerce will be over 60,800 million baht;
and by 2015, quality broadband will be available to more than 80%
of the Thai population.
It is the government’s responsibility to deal with threats that emerge
along with new technology. Hence, the National Cybersecurity
Committee was formed and supported by ETDA and ThaiCERT.
Yingluck Shinawatra
Prime Minister
ThaiCERT, one of the most
significant organizations for
cybersecurity, provides valuable
support for the implementation of
the national “Smart Thailand” policy.
Mr. Anudit Nakorntub
Minister of Department of Information and
Communication Technology
I aim to see ThaiCERT play a
proactive role in building confidence
in Thailand’s electronic transactions.
Mr. Charamporn Chotikasatien
Chairman of the Executive Board of Directors
Electronic Transactions Development Agency (Public Organization)
I don’t want people to remember the
Ministry of ICT only for shutting down
websites. We have an important role
in behind-the-scenes security as well,
with the support of ThaiCERT, ETDA.
Mr. Chaiyan Puengkiatpairote*
Permanent Secretary, MICT
*Dr. Surachai Srisarakham is the new permanent secretary since October 1, 2013.
ThaiCERT Annual Report
We need to create awareness of hidden
threats which are being transmitted through our
telecommunication network along with regular
communication data. I believe that ThaiCERT is
a good partner to protect Thai online society.
Mr. Thares Punsri
Chairman
National Broadcasting and Telecommunications Commission
NBTC is ready to support and
strengthen security operations with
ThaiCERT, ETDA.
Mr. Takorn Tantasith
Secretary General
National Broadcasting and Telecommunications Commission
Originating from the National Electronics and Computer
Technology Center (NECTEC), the National Science and
Technology Development Agency (NSTDA), ThaiCERT
has continued its mission to protect online transactions
with the establishment of the Electronic Transactions
Development Agency (Public Organization). ThaiCERT is,
therefore, a priority for us as it is a key organization for
national readiness to cope with online threats during AEC
integration in 2015.
Mrs. Surangkana Wayuparb
Executive Director, CEO
Electronic Transactions Development Agency (Public Organization)
Contents
Tables ... 10
Picture ... 11
Figures ... 12
Introduction ... 15
1. “Cybersecurity” Trust and Confidence in ICT Usage ... 17
2. Current Status and Readiness of Thailand: Threats & Risks ... 21
3. CERTs and ThaiCERT Background ... 29
4. ThaiCERT Annual Report 2012: Threats & Cybersecurity ... 33
4.1 Services of ThaiCERT ... 33
4.1.1 Responding and Handling Security Incident Services ... 33
4.1.2 Security Information Updates ... 34
4.1.3 Academic-based Security Services ... 34
4.2 Coordination for Cybersecurity Response and Incident Management ... 35
4.2.1 Conducting Triage ... 35
4.2.2 Analyzing and Handling Incidents ... 36
4.2.3 Providing Expert Opinion ... 36
4.2.4 Issuance of Notification and Follow-up Action ... 37
4.2.5 Record of Result and Feedback ... 37
4.3 Incidents reported to and handled by ThaiCERT ... 37
4.3.1 The Number of reported Incidents in Thailand via Automatic Feed ... 39
1.) The incident reports via Automatic Feed 2012 by Threat Types ... 40
2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand ... 42
3.) Phishing ... 44
4.) Malware URL ... 47
5.) Spam ... 50
6.) Scanning ... 51
7.) Botnet ... 54
8.) Open DNS Resolver ... 56
9.) Open Proxy Server ... 57
4.3.2 The Statistics of Directly Reported Incidents ... 58
4.4 Case studies ... 67
4.4.1 Intrusion of T.H.NIC Domain Name Management System ... 68
4.4.2 Dissemination of DNS Changer Malware ... 69
4.4.3 C&C of Malware Clan “Flame” Discovery ... 70
4.4.4 Hacking the Email Account of SMS Entrepreneur ... 71
4.4.5 Phishing in Thai Web Hosting ... 72
5. CERTs and AEC 2015 ... 75
5.1 The Roles of CERTs in AEC 2015 ... 75
5.2 The ASEAN Members’ CERT Reports ... 77
5.3 Strengthening Collaboration of CERTs Network ... 81
5.3.1 Building Networks ... 81
5.3.2 Point of Contact ... 82
5.3.3 Threat Information Service ... 82
5.3.4 Standards on Threat Information ... 83
5.3.5 Incident Drill ... 83
5.3.6 Deploying Network Sensors ... 84
6. Threats VS Privacy ... 87
7. Is Thailand prepared for cyber threat? ... 93
8. Appendix ... 97
8.1 Appendix A ... 97
8.2 Appendix B ... 99
8.3 Appendix C ... 102
List of Abbreviations ... 106
Tables
Table 1: Number of incident reports sorted by threat type ... 41
Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012 ... 41
Table 3: Number of incident reports counted by unique IP and sorted by ISP ... 42
Table 4: Number of IPs which have been registered by top 10 ISPs in Thailand ... 43
Table 5: Top 10 number of phishing reports sorted by country ... 44
Table 6: Number of phishing reports sorted by type of domain name ... 45
Table 7: Top 10 number of phishing reports sorted by ISP ... 46
Table 8: Top 10 number of malware URL reports sorted by ISP ... 47
Table 9: Top 10 number of unique malware URL reports sorted by ISP ... 48
Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP ... 48
Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name ... 49
Table 12: Top 10 number of unique malware URL reports sorted by domain name ... 49
Table 13: Top 10 number of spam reports sorted by ISP ... 50
Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number ... 52
Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP ... 53
Table 16: Top 10 number of botnet reports sorted by ISP ... 55
Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP ... 57
Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP ... 58
Table 19: Cybersecurity threat type according to eCSIRT ... 59
Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ... 60
Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location ... 61
Table 22: Number of fraud reports sorted by type of relevant individuals and their location ... 62
Table 23: Number of fraud reports sorted by type of relevant individuals and organizations ... 62
Table 24: Strategy 2: People Empowerment and Engagement ... 75
Table 25: Strategy 4: Infrastructure Development ... 76
Table 26: List of ASEAN+3 CERTS members in APCERT ... 77
Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011 ... 80
Table 28: Classification of Threats according to eCSIRT.net ... 97
Table 29: Glossary ... 99

Picture
Picture 1: ThaiCERT procedures for cybersecurity response ... 35
Picture 2: DNS amplification attack technique ... 56
Picture 3: Structure of domain name modification system of T.H.NIC ... 68
Figures
Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ... 21
Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011) ... 22
Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) ... 22
Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012 ... 24
Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013 ... 25
Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries as of July 2012 ... 25
Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012 ... 40
Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012 ... 40
Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type ... 44
Figure 10: Top 10 number of scanning reports sorted by port number ... 51
Figure 11: Top 10 number of scanning reports sorted by ISP ... 53
Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name ... 54
Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type ... 60
Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location ... 61
Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant individuals and their location ... 62
Figure 16: Percentage distribution of number of fraud victims ... 63
Figure 17: Percentage distribution of number of fraud submitters ... 63
Figure 18: Percentage distribution of number of fraud attackers ... 64
Figure 19: Number of directly reported incidents during 2001-2012 ... 64
Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP ... 65
Figure 22: Percentage distribution of number of repeatedly reported and non-repeated reported IPs from phishing reports ... 66
Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name ... 67
Figure 24: Number of reports of DNS changer infected in network of agencies or ISPs; information retrieved on 8 July 2012 from DCWG.org ... 69
Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011 ... 78
Figure 26: Proportion of threats, sorted by ASEAN+3 countries as shown in the APCERT annual report 2011 ... 80
Introduction
The Electronic Transactions Development Agency (ETDA), the Office of the Electronic Transactions
Commission (ETC), and the Office of the Permanent Secretary of the Ministry of Information and Communication
Technology (MICT) are pillar agencies responsible for developing, promoting, and enhancing trust and confidence
in electronic transactions. The ETDA and the ETC serve to support the Electronic Transactions Committee which
has a proactive role in building information technology security in order to reduce online transaction risks in
the public and private sectors. Moreover, they collaborate closely with the Crime Prevention and Suppression
Bureau, Ministry of Information and Communication Technology, the Information Technology Support Division,
Technology Crime Suppression Division, the Royal Thai Police, and the Office of the National Broadcasting and
Telecommunications Commission. Additionally, ETDA extends its support to the National Cybersecurity Committee
overseeing cybersecurity threats, which have become more sophisticated than in the past. Such threats can be
launched from many sources and cause large-scale damage to service providers and users. In order to deal with
such threats, it is necessary to have timely coordination with both domestic and overseas agencies to implement
immediate and comprehensive solutions.
ETDA has urged the Thailand Computer Emergency Response Team (ThaiCERT) to work proactively in its
important role as the nation’s primary cybersecurity agency and act as the national focal point for coordination
with foreign Computer Emergency Response Teams (CERTs). Such practice is directly in line with the ASEAN
Economic Community Blueprint and ASEAN ICT Master Plan 2015, which aims to promote and enhance confidence
in electronic transactions.
ETDA published the ThaiCERT Annual Report 2012 to highlight a collection of case studies from ThaiCERT
operations and reported threats in 2012. The report presents a detailed analysis of cybersecurity threats including:
types of threats, types of agencies submitting threat reports, and types of computer networks or Internet Service
Providers (ISP) in Thailand in order to provide an overview of the 2012 national cybersecurity landscape. It reflects
the current status of these threats and provides valuable information to policy makers to develop mechanisms to
prevent and combat threats among civil, business, and public stakeholders, particularly those in key infrastructures
of the country.
Mrs. Surangkana Wayuparb
Executive Director, CEO
Electronic Transactions Development Agency (Public Organization)
“Cybersecurity”: The First Chapter of IT Use Confidence

1. “Cybersecurity”: Trust and Confidence in ICT Usage
Presently, computer networks, computer systems, and electronic devices are widely utilized to support business transactions, organizational operations, and communication in order to enhance efficiency and effectiveness. They also facilitate safe transactions in the form of electronic documents, electronic payments, and social media.

With legal authentication under the authority of the Electronic Transactions Act B.E. 2544 (revised edition B.E. 2551), electronic transactions have been widely utilized and accepted. Despite such legal protection, transactions are still exposed to various threats and remain vulnerable to forms of direct internet-based crime (“cybercrime”) or indirect internet-facilitated crime. Public and private sectors, therefore, should be aware of the possible harmful effects and damage that may occur when conducting electronic transactions, and be prepared to prevent, protect against, and deal with incidents.

The IT security conceptual framework is specified in ISO/IEC 27001:2005 (Information Security Management System). Based on a risk assessment of the possible damage due to threats, the framework places priority on the fundamental factors of confidentiality, integrity and availability in justifying IT security measures. For example, customer databases under an Enterprise Resource Planning system are considered confidential and need to be complete and available at all times. Another significant threat is flooding at a data center, causing an ICT system breakdown. Therefore, an agency must be able to provide backup to customers and be prepared for threats that might occur.

Various risk management measures are specified in ISO/IEC 27002 (Information technology – Security techniques – Code of practice for information security management), which has 11 classifications and a total of 133 measures. These include IT security policies for ICT organization management, human resource administration, information technology administration and legal compliance.

Despite awareness among agencies and individuals, they remain exposed to cybersecurity threats. Such threats highlight the need for a computer emergency response team (CERT) which is solely dedicated to cybersecurity issues and coordinates with domestic and international parties in order to ensure prompt solutions to threats. A CERT is also specified as a framework in the ASEAN Economic Community Blueprint, stipulated in Article B4, items 51 and 52.

ETDA has been continually implementing the ThaiCERT project since December 2011. During the first year, ThaiCERT placed priority on the two most common threats: those originating from deceptive websites (phishing) and botnets. Each month phishing caused losses of hundreds of thousands of baht from the bank accounts of numerous victims. Each month, ThaiCERT received reports that there were approximately fifty deceptive websites
overseas. Considering the impact of phishing, it has been concluded that ThaiCERT's suppression of the deceptive websites can mitigate losses of millions of baht per month. Concerning the threat from botnets such as Zeus, Rustock or Kelihos, over 100,000 computers in Thailand have been affected. Once the bot malware is installed, the affected computers involuntarily attack other computers or even cause damage to the computer owners by sending frequent spam messages, over 25,000 messages/hour, to others, stealing online transaction data or attacking the availability of other computers (DDoS).

Phishing and botnets are only two of the many threats reported to ThaiCERT, which include widespread threats in different forms that have become more complicated due to the rapid advance of technology. In turn, cybersecurity development needs to be well prepared for any unanticipated circumstances, including well-known and newly developed threats. Preparedness is very important in order to support business continuity and agency services, especially in critical infrastructures such as public utilities, energy, communication, health and the like. These critical infrastructures will rely more heavily on technology in their administration, which makes their information technology more complex. If an attack occurs, the Computer Emergency Response Teams will handle threats and help restore systems and services in the earliest possible time. Additionally, they will examine and analyze data to find the culprits.

ThaiCERT also focuses on enhancing its human resource capacity to analyze and manage threats effectively by setting up several task-based teams responsible for current threats. Such teams include an analyst team handling analysis of current or emerging threats, a surveillance team handling network monitoring, an IT incident management team providing prompt solutions to IT incidents, a facilitation team in charge of sending alerts and coordinating with domestic and foreign agencies, and an IT security promotion team in charge of raising IT security awareness.

In terms of personnel development, ThaiCERT has continuously trained and equipped its personnel to deal with recent threats through training in incident handling, intrusion analysis, penetration testing, system administration, and network security. Such training is part of ThaiCERT's long-term personnel development program. This program aims to enhance the capabilities of ThaiCERT in handling and managing internal threats while preparing its human resources to cope with threats at the national level: analyzing malware and providing pre- or post-damage solutions, analyzing and solving problems from phishing websites, analyzing and developing solutions to online transaction vulnerabilities, and arranging prompt backup sites or “hot-standby” services.

To ensure effectiveness in handling threats, ThaiCERT also works and collaborates closely with various relevant domestic and international agencies. For example, it has joined the Asia Pacific Computer Emergency Response Team (APCERT) and the Forum of Incident Response and Security Teams (FIRST), which are internationally recognized as pools of experts from computer emergency response teams (CERTs) or computer security incident response teams (CSIRTs). Those national bodies are in charge of responding to, coordinating, and handling any IT security or network violation. Upon receiving an alert from CERTs or CSIRTs, APCERT or FIRST will coordinate with the national agencies representing member states to mitigate the IT security infringement.

To respond to an attack on a major provider's systems, ThaiCERT needs to prepare its resources, personnel, and information system services in order to serve as the focal point in facilitating and strengthening IT security management at the national and international levels. These efforts will directly increase public confidence in electronic transactions and reduce damage caused by any possible threats.
2. Current Status and Readiness of Thailand: Threats & Risks
Nowadays, information technology plays a more significant role in our daily lives. According to the Household Survey 2011 conducted by the National Statistical Office (NSO), 32.1% [1] of the Thai population use computers, 24.72% use the Internet [2], and 66.43% use mobile phones [3]. Additionally, the International Telecommunication Union (ITU) reported continuous growth in ICT usage as illustrated in the graphs shown below:

Figure 1: Total wired broadband subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) [4]

[1] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[2] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[3] The key summary of the Household Survey 2011 in use of ICT (http://service.nso.go.th/nso/nsopublish/download/files/ict_household54_pocketbook.pdf)
[4] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)
Figure 2: Percentage of Internet users in Thailand compared to other countries (1997-2011) [5]

Figure 3: Total number of mobile phone subscriptions per 100 inhabitants in Thailand compared to other countries (1997-2011) [6]

With such rapid growth in IT availability and usage, an inevitable burden is placed on an organization’s ability to protect and maintain its IT security. This situation requires the organization to exercise control and management in order to eliminate threats and risks, or, at minimum, reduce them to acceptable levels.

[5] ICT Data and Statistics (IDS) by International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)
[6] ICT Data and Statistics (IDS), International Telecommunication Union (http://www.itu.int/ITU-D/ict/statistics/explorer/index.html)
In the context of IT security, threats and risks can be evaluated from several points of view. For example, they can be classified as internal vs. external depending on the source of the threat and risk factors. Internal threats can occur due to a lack of personnel capacity in technology administration or improper use, lack of experience, skills and knowledge, individual omission, lack of understanding of the importance of IT security, lack of proper training, lack of clear policy or direction at the organization level resulting in conflicting implementation, or lack of appropriate tools. External threats, however, occur due to external factors such as attacks from malicious users, natural disasters, failure of service providers, and vulnerabilities in software used in organizations. Although such threats are often beyond local control and difficult to foresee, they can be mitigated through proper risk management strategies.

In order to manage such threats and risks effectively, an organization can apply the international standard ISO/IEC 27002, which consists of 11 domains:

(1) Security Policy
(2) Organization of Information Security
(3) Asset Management
(4) Human Resource Security
(5) Physical and Environmental Security
(6) Communications and Operations Management
(7) Access Control
(8) Information System Acquisition, Development and Maintenance
(9) Information Security Incident Management
(10) Business Continuity Management
(11) Compliance

Following these auditing domains presents the organization with an assessment of the probability and impact of threats on its IT systems, the consequences that could follow, and other possible impacts on other systems. That information supports the effective development and determination of ICT security policies and practices suitable for the organization’s operations, and of preventive and relief policies for responding to threats and risks. Further, a risk management strategic plan can be developed at a later stage.

When analyzing the status and readiness of IT security in Thai organizations, it is useful to compare the number of organizations certified under the international standard for information security management systems (ISMS), ISO/IEC 27001:2005. The latest statistics collected by the International Register of ISMS Certificates in August 2012 found that Japan ranked first with 4,152 certified organizations, while Thailand had 59 such organizations [7] and ranked second in the ASEAN Community after Malaysia, and fifteenth in the global ranking. This demonstrates that Thai organizations

[7] International Register of ISMS Certificates (http://www.iso27001certificates.com/Register%20Search.htm)
23
24
ThaiCERT Annual Report
afford information security management system at
higher priority compared to most organizations in
other ASEAN countries. Such success partly resulted
from the determination to implement practices
recommended by the electronic transactions and
information technology management regulations with
reference to the ISO/IEC 27001 standard. Examples
include the Royal Decree on Rules and Procedures
of the Public Sector’s Electronic Transactions
B.E. 2649 (2006) and the Royal Decree on Security
Techniques in Performing Electronic Transactions B.E.
2553 (2010). These measures helped organizations
realize the importance of ISMS and adjust their
security policy accordingly.
Figure 4: Total number of ISO/IEC 27001 organizations as of August 2012
Apart from the readiness of organizations, it is important to consider the readiness of their personnel as well. This can be measured by the number of personnel holding internationally accredited professional certifications in IT security, such as the Certified Information Systems Security Professional (CISSP) from (ISC)². A survey in March 2013 [8] found 85,285 CISSP holders worldwide in 144 countries. The country with the highest number of CISSP holders was the United States (55,924), followed by the United Kingdom (4,256), Canada (4,075) and South Korea. Thailand (153) ranked thirty-fourth globally and third in the ASEAN Community, after Singapore (1,132) and Malaysia (239).
[8] (ISC)², Inc. (https://www.isc2.org/member-counts.aspx)
Figure 5: Total number of CISSP certificate holders in Thailand compared to other ASEAN countries as of March 2013
Figure 6: Total number of GIAC certificate holders in Thailand compared to other ASEAN countries [9] as of July 2012
Figure 6 shows the total number of security experts holding GIAC [10] certifications. Singapore ranked first with 336 certificate holders, followed by Malaysia with 183.
[9] Information from the SANS Asia Pacific representative as of July 2012
[10] Global Information Assurance Certification (GIAC)
The EC-Council, an internationally recognized IT accreditation body that provides well-known certifications such as the Certified Ethical Hacker (C|EH) and the Computer Hacking Forensic Investigator (CHFI), reported approximately 15,000 EC-Council certificate holders in Southeast Asia. Over 90% of them are in Singapore and Malaysia, while there are only about 400 such certificate holders in Thailand [11].
The data on the number of IT security experts in the region indicates that Thailand ranks third in ASEAN, ahead of several other countries. However, Thailand still has significantly fewer security experts than its IT-advanced ASEAN neighbors, Singapore and Malaysia. It therefore remains a challenge to develop a sufficient number of Thai security experts certified to international standards, in order to raise trust and confidence in IT security and achieve a sustainable competitive edge in the region.
[11] Information from delegates of EC-Council Asia-Pacific in December 2012
3. CERTs and ThaiCERT Background
Computer Emergency Response Team, or CERT, is a registered trademark originally designated by Carnegie Mellon University in the United States, which established the first CERT in the world and has been in charge of responding to and handling incidents occurring within that country. The approach has since been adopted by many other countries, including Thailand, resulting in the establishment of their own CERTs, such as ThaiCERT for Thailand, CERT-In for India, Sri Lanka CERT|CC for Sri Lanka, and many more. These CERTs have formed a tight network for information exchange and collaboration.
For Thailand, the national computer emergency response team (ThaiCERT) was established in 2000 by the National Electronics and Computer Technology Center (NECTEC) under the Ministry of Science and Technology, with the missions of responding to and handling cybersecurity incidents, providing support and guidance on threat solutions, safeguarding information, monitoring and publicizing cybersecurity information to the public, and researching and developing practical guidelines in computer and Internet security.
In February 2011, the Cabinet of Thailand decided to transfer the operation of ThaiCERT to the Electronic Transactions Development Agency (Public Organization), or ETDA, a newly established organization under the Ministry of Information and Communication Technology whose mission and vision are to mitigate cyber threats, secure electronic transactions, and enhance trust and confidence among online users. To meet these challenges, ThaiCERT has taken proactive measures in building the capacity of its human resources in the cybersecurity body of knowledge, techniques and practices. Furthermore, having no direct legal enforcement mandate, ThaiCERT fulfills its missions mainly through collaboration among network members and related agencies, both domestically and internationally. Examples of ThaiCERT's domestic partners include:
• Internet service providers
• The Royal Thai Police
• The Department of Special Investigation
• Thailand Information Security Association
• Thai Bankers' Association
• Technology Crime Suppression Division, Royal Thai Police (TCSD/RTP)
• Office of the Permanent Secretary, Ministry of Information and Communication Technology (MICT)
At the international level, ThaiCERT has joined and actively participated in various networks and forums. ThaiCERT has also signed memoranda of understanding (MOU) with several organizations for the purposes of exchanging knowledge and information and of dealing effectively with cybersecurity threats, which often affect multiple countries because of the borderless nature of the Internet. The organizations that have signed memoranda of understanding with ThaiCERT include:
• Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). JPCERT/CC is Japan's national CERT and has been very successful in managing incidents at the local and international levels.
• Anti-Phishing Working Group (APWG), a US non-profit organization that aims to counter threats arising from misuse of the Internet as a channel for theft and fraud, in which personal information such as user accounts, credit card details or electronic transaction details is stolen.
• Team Cymru, a US-based non-profit organization whose mission is IT security research and development for dealing effectively with new threats. It provides cybersecurity incident data collected and analyzed by its own detection systems.
For regional and international collaboration, ThaiCERT participates as a full member of regional and international organizations, including the Asia Pacific Computer Emergency Response Team (APCERT) and the Forum of Incident Response and Security Teams (FIRST).
• APCERT is a collaborative effort of the Computer Security Incident Response Teams (CSIRTs) or CERTs of Asia Pacific member economies. It aims to raise awareness of cybersecurity and enhance the capacity of its members to handle cybersecurity incidents to international standards and regional practices.
• FIRST is a global association of computer security and incident response teams responsible for responding to, coordinating and managing cybersecurity breaches. Its members include teams from participating countries and organizations around the world.
For over a decade, ThaiCERT has taken a major role in providing guidance and support in dealing with security threats and incidents for both the public and private sectors. ThaiCERT is now well recognized at the regional and international levels as a result of its shared efforts in preventing and suppressing cybersecurity threats. In 2013, ThaiCERT and ETDA were honored to co-host the 25th Annual FIRST Conference on 16-21 June 2013 at the Conrad hotel, Bangkok. This was the second Annual FIRST Conference held in ASEAN, after the first in Singapore in 2005. More than 500 information security specialists from around the world attended the conference, organized with the FIRST Steering Committee; about half of them came from CERTs that are members of FIRST. The conference was therefore a golden opportunity for ThaiCERT to demonstrate its capacities and gain international recognition while raising cybersecurity awareness among Thais and among international experts and practitioners.
4. ThaiCERT Annual Report 2012: Threats & Cybersecurity
4.1 Services of ThaiCERT
Promoting a secure e-society and confidence in electronic transactions requires a security organization that is well prepared to handle unforeseen incidents and manage them effectively. Such capacity is a vital mechanism for securing and maintaining the business or service continuity of agencies, and is especially important for critical infrastructure agencies in domains such as public utilities and energy, communications and medicine. Information technology is widely and increasingly used by those critical infrastructure agencies to manage their operations. If an organization's information system or network is attacked, its Computer Emergency Response Team (CERT) plays a major role in handling the incident and providing resolutions, including investigation and analysis, particularly digital forensics, in order to identify possible attackers.
ThaiCERT is the Computer Security Incident Response Team (CSIRT) for Thailand, serving as the official point of contact for dealing with incidents in the Thai Internet community. ThaiCERT operates 24/7 in the surveillance, handling and mitigation of cybersecurity incidents that have the potential to cause significant damage to electronic transactions. In many cases, ThaiCERT is required to coordinate with other national CERTs in order to respond to and handle threats. ThaiCERT also provides an advisory service to both organizations and individuals, releases cybersecurity alerts and news, and organizes academic training for the public to enhance knowledge and raise awareness of information security.
ThaiCERT began operating under the Electronic Transactions Development Agency (Public Organization), or ETDA, in 2012. Its initial services include incident response and coordination, security consultancy and advisory services, and academic services emphasizing cybersecurity. The digital forensics service is expected to be fully operational by 2013.
4.1.1 Responding to and Handling Security Incidents
ThaiCERT provides incident handling and response services via telephone and email to individuals, educational institutions, research institutes, and public and private agencies around the world. Upon receiving an incident report, the incident response team analyzes and validates the reported incident. The information is then used to investigate and identify the attacker and to coordinate with the related organizations for damage mitigation.
ThaiCERT has implemented a system for tracking the progress of incident resolution: ThaiCERT coordinates with the relevant agencies and updates the progress of the incident within 2 working days. Unresolved incidents are then followed up every 2 working days until resolution or a satisfactory result is obtained. ThaiCERT provides two communication channels for reporting incidents: telephone on 021422483 between 8.30 am and 5.30 pm on working days, and email at report@thaicert.or.th. When a reporter needs to send sensitive information to ThaiCERT via email, it is highly recommended to encrypt the message with PGP [12] using the following ThaiCERT public key:
Email: report@thaicert.or.th
Key ID: 0xF2CB3EE1
Key Type: RSA
Key Size: 2048
Expiration: 2015-06-25
Fingerprint: 29B3 2C79 FB4A D4D7 E71A 71ED 5FFE F781 F2CB 3EE1
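Before encrypting a report to the key above, a practitioner should confirm that the key actually imported (from a keyserver or from the ThaiCERT site) matches the published fingerprint, and that the published record is internally consistent. The following Python is an added example, not part of the report or of ThaiCERT's tooling; it copies the record printed above and applies the OpenPGP rule (RFC 4880, section 12.2) that a v4 key ID is the low-order 64 bits of the 160-bit fingerprint, the 8-hex-digit short ID being the low-order 32 bits. The `fetched_fingerprint` argument is whatever your PGP client prints for the imported key; the fingerprint string in the `__main__` block is an assumed example of that output.

```python
"""Consistency checks on a published OpenPGP key record before encrypting to it.

Added example; not part of the ThaiCERT report or its tooling. PUBLISHED copies the
record printed in section 4.1.1. Derivation rule (RFC 4880 section 12.2): a v4 key ID
is the low-order 64 bits of the 160-bit fingerprint; the 32-bit "short" ID shown by
many tools is the low-order 32 bits.
"""
import re
from datetime import date
from typing import Dict, List, Tuple

# Key record as published in the report.
PUBLISHED: Dict[str, str] = {
    "email": "report@thaicert.or.th",
    "key_id": "0x F2CB3EE1",
    "fingerprint": "29B3 2C79 FB4A D4D7 E71A 71ED 5FFE F781 F2CB 3EE1",
    "expiration": "2015-06-25",
}


def normalize_hex(value: str) -> str:
    """Strip a 0x prefix, whitespace and case so two renderings of one hex string compare equal."""
    value = value.strip()
    if value[:2].lower() == "0x":
        value = value[2:]
    value = re.sub(r"\s+", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]*", value):
        raise ValueError(f"not a hex string: {value!r}")
    return value


def key_ids_from_fingerprint(fingerprint: str) -> Tuple[str, str]:
    """Return (long_id, short_id) derived from a 40-hex-digit v4 fingerprint."""
    fp = normalize_hex(fingerprint)
    if len(fp) != 40:
        raise ValueError("a v4 OpenPGP fingerprint is 160 bits (40 hex digits)")
    return fp[-16:], fp[-8:]


def check_key_record(record: Dict[str, str], fetched_fingerprint: str, today: date) -> List[str]:
    """Compare the fingerprint of a key you actually imported against the published record.

    Returns the list of problems found; an empty list means the imported key is the
    published one, the published key ID is consistent with it, and it has not expired.
    """
    problems: List[str] = []
    published_fp = normalize_hex(record["fingerprint"])
    if normalize_hex(fetched_fingerprint) != published_fp:
        problems.append("fingerprint of the imported key differs from the published fingerprint")
    long_id, short_id = key_ids_from_fingerprint(published_fp)
    published_id = normalize_hex(record["key_id"])
    if published_id not in (long_id, short_id):
        problems.append(
            f"published key ID {published_id} is not derived from the fingerprint "
            f"(expected {long_id} or {short_id})"
        )
    if date.fromisoformat(record["expiration"]) < today:
        problems.append("key has expired; obtain a current key before encrypting")
    return problems


if __name__ == "__main__":
    # Assumed example of what `gpg --fingerprint report@thaicert.or.th` prints for the imported key.
    imported = "29b32c79fb4ad4d7e71a71ed5ffef781f2cb3ee1"
    print(check_key_record(PUBLISHED, imported, date(2013, 1, 1)) or "key record consistent")
```

The comparison that matters is the full fingerprint: a 32-bit short key ID is trivially collidable, so the key ID check above only catches a transcription error in the published record, never a substituted key. Note also that the published key expired on 2015-06-25; a current key must be obtained before use after that date.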
4.1.2 Security Information Updates
One of ThaiCERT's missions is to alert the public to threats or the cybersecurity situation upon notification from other CERTs or CSIRTs, so that they can prepare to handle potential threats or incidents. ThaiCERT experts analyze high-impact threats or incidents before giving suitable advice on how to respond, resolve the issue or protect systems and networks. In addition to threat alerts, ThaiCERT collects reported incident data and publishes reported incident statistics on www.thaicert.or.th monthly to illustrate the status and trend of the computer security situation in Thailand.
[12] Pretty Good Privacy (PGP) is a technology for encrypting messages using public-key cryptography, created by Philip R. Zimmermann. It is also widely used for signing email with electronic signatures.
4.1.3 Academic-based Security Services
ThaiCERT provides technical and academic services to domestic and international agencies in the form of consultation, planning and IT security policy preparation according to current IT legal requirements and international standards. Besides cybersecurity consultation, ThaiCERT also conducts various capacity building and awareness raising activities, including cybersecurity seminars and training for the general public and IT professionals, cyber incident drills in the private and public sectors, and talks at domestic and international conferences.
4.2 Coordination for Cybersecurity Response and Incident Management
Picture 1: ThaiCERT procedures for cybersecurity response
In order to ensure effective resolution of any reported incident with service-level agreement (SLA) assurance, ThaiCERT has set and follows the incident response and coordination procedures below.
4.2.1 Conducting Triage
Upon receiving an incident report, ThaiCERT first conducts a triage assessment to determine the validity of the incident. At least one of the following triage criteria must be met before further action:
• The reported incident can be verified and falls within ThaiCERT's constituency;
• The victim(s) or reporter can be identified;
• The incident is reported by a source that can be trusted, such as a reliable source or an agency that has contacted ThaiCERT before.
After conducting triage, ThaiCERT personnel inform the reporter whether ThaiCERT or ETDA will take any further action. This follows the procedure below:
If accepted, ThaiCERT personnel classify the report as a legal or a technical consultation. A legal consultation request is submitted to ETDA legal officers for their expert opinion. For a technical incident report, ThaiCERT personnel analyze the issue and proceed to the next step of the process.
If denied, ThaiCERT informs the reporter of the reasons for declining, such as the situation being outside its constituency and/or an inability to verify the reported incident. All notifications are recorded in the system before the process is completed.
4.2.2 Analyzing and Handling Incidents
The ThaiCERT incident response team is responsible for handling all reported incidents through an approved incident response procedure. Other security incidents discovered or identified by the ThaiCERT threat monitoring team are handled by the same procedure.
After investigating the incident, ThaiCERT assesses its effect to decide whether it is necessary to escalate the threat to higher security measures or to high-level management for visibility and immediate guidance. The impact assessment criteria divide cases into two categories:
High-impact case. A high-impact case is any incident with mid-level impact or beyond according to the Notification of the Electronic Transactions Commission (ETC) on Impact Assessment of Electronic Transactions 2012, or one that could have a high impact on national security or public order. High-impact incidents require immediate action by ThaiCERT personnel as well as prompt notification of high-level management.
Low-impact/general case. A low-impact or general case is an incident with organization-level impact, resulting in loss of property or of confidential information belonging to the organization or its users. Such cases are handled by ThaiCERT personnel under the incident response procedure with the standard SLA.
Note: The details of the impact assessment criteria and escalation procedures are currently under consideration by the authority.
4.2.3 Providing Expert Opinion
In many cases, the incident reporter requests comments or recommendations on how to proceed under the relevant laws. ThaiCERT personnel coordinate with ETDA legal officers, who have expertise in the Computer Crime Act, to comment and advise on such cyber incident matters. For sensitive or complicated matters, ETDA legal officers may consult approved external legal experts to obtain opinions on the related aspects before concluding and notifying the reporter of the comments or recommendations.
4.2.4 Issuance of Notification and Follow-up Action
The ThaiCERT incident response team is responsible for handling reported incidents and provides an incident coordination service with the agencies or individuals registered in verified public databases, such as system owners, Internet service providers, CERTs, government agencies, universities, investigation agencies, justice agencies and other relevant parties. ThaiCERT coordinates with the relevant agencies to handle and respond to the reported incident. Unresolved incidents are then followed up every 2 working days until resolution or a satisfactory result is obtained.
4.2.5 Record of Result and Feedback
After resolution or a satisfactory result is obtained, ThaiCERT personnel record all incident response activities with a detailed analysis before notifying the reporter of the result.
4.3 Incidents reported to and handled by ThaiCERT
In 2012, ThaiCERT received reports of cybersecurity situations or incidents through two channels. The first is direct reporting to ThaiCERT by email or telephone, and the second is the automatic feed. The automatic feed information is gathered from international cybersecurity organizations that coordinate with ThaiCERT, such as the Anti-Phishing Working Group (APWG), Team Cymru and Microsoft.
From the incident reports received through these channels, ThaiCERT has developed a systematic analysis in order to coordinate, handle and advise on resolving incidents affecting the relevant entities. Moreover, all cybersecurity incidents received in 2012 were used to analyze the trend of cybersecurity threats and to create this statistical report on the cybersecurity situation in Thailand. The report can be summarized as follows:
• The malware with the highest number of reports was Zeus, botnet [13] malware targeting the Windows operating system for the purpose of stealing users' online transaction information. It was followed by Rustock [14], which is capable of sending more than 25,000 spam messages per hour and performing DDoS [15] attacks against computer systems. In 2012, the number of botnet reports reached 4,404,089, mostly from the networks of Internet Service Providers in Thailand.
• There was a total of 1,523,469 spam reports, all of which were submitted through the automatic feed.
• 143,302 DNS servers in Thailand were improperly configured as open resolvers, which could be used in DDoS attacks.
• There was a total of 30,521 scanning reports, in which the most targeted ports, approximately 80% of all reports, were Windows remote administration ports. Categorized by port number, the two most targeted ports were 4899 [16] and 3389 [17], with 45.40% and 34.16% respectively.
• Although DDoS had the lowest number of reports compared to the other threats, it cannot be concluded that DDoS attacks rarely occurred in Thailand, since the detection and analysis of DDoS attacks are more difficult than for the other threats.
• Almost all types of attack were found in the networks controlled by major ISPs in Thailand, while botnet malware had also spread in mobile telecommunications networks.
• Fraud was the cybersecurity threat with the highest number of incidents reported directly to ThaiCERT, with 534 reports or 67.42% of a total of 792 reports.
[13] A botnet is a cybersecurity threat arising from malware-infected computers. The botnet malware typically receives commands from a command and control server over the Internet; the commands may be executed for the purpose of attacking other systems, sending spam or stealing information from the infected computers.
[14] Spam is a cybersecurity threat in which the attacker sends a large volume of unsolicited messages to others; most spam advertises products and services.
[15] DDoS is a cybersecurity threat against the availability of a system. The attack may originate from many locations but is aimed at the same target, degrading the targeted service anywhere from slow response to complete denial of service.
[16] Port 4899/TCP is used by the Radmin remote administration tool.
[17] Port 3389/TCP is used by Windows Remote Desktop.
4.3.1 The Number of Reported Incidents in Thailand via Automatic Feed
Since August 2011, cybersecurity incidents originating from Thailand and detected by international cybersecurity organizations coordinating with ThaiCERT have been submitted via the automatic feed. The incidents fall into 9 types: botnet, brute force [18], DDoS, malware URL [19], open DNS resolver [20], open proxy server [21], phishing [22], scanning [23] and spam. They are summarized in the statistics and analysis below.
[18] Brute force is an attack on a target system in which the attacker tries many candidate values in turn in order to obtain important information; for example, the attacker repeatedly attempts to log in as another user using generated usernames and passwords.
[19] Malware URL is a cybersecurity threat in which a website distributes malware. It generally occurs when the attacker gains access to the targeted website and uses it to distribute malware, tricking people into downloading it via a specific URL.
[20] Open DNS resolver is a cybersecurity threat arising from improper configuration of DNS servers, which allows those servers to be used in DDoS attacks.
[21] Open proxy server is a cybersecurity threat arising from improper configuration of web proxy servers, which allows anyone to access websites through them without authentication. As a result, the attacker may use them for malicious activities.
[22] Phishing is a cybersecurity threat that can be considered a kind of fraud. Its main objective is to steal important information from the user, such as a username, password or electronic transaction details, by luring the user into a fraudulent service.
[23] Scanning is a cybersecurity threat in which the attacker discovers basic information about the operating system or the services running on a server by sending data to the targeted system and analyzing the response. The scanning result is often used to attack the system.
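As an added example that is not part of the report, the open DNS resolver condition in footnote [20] can be made concrete: a server is an open resolver if it performs recursion for an arbitrary client. The Python below builds a DNS query in RFC 1035 wire format with the RD (recursion desired) flag set, parses the reply header, and classifies the server from the RA (recursion available) flag, the RCODE and the answer count. The server address and query name used in `probe()` are illustrative, and the two `sample_*_response()` functions construct replies inline so the classification logic can be exercised offline.

```python
"""Open DNS resolver probe in RFC 1035 wire format.

Added example, not from the report. A resolver is "open" in the report's sense when it
performs recursion for any client. The probe sends a query with RD=1 for a name the
server is not authoritative for and inspects RA and RCODE in the reply. The server
address and query name used in probe() are illustrative; the sample_*_response()
functions build constructed replies so classify() can be exercised offline.
"""
import random
import socket
import struct
from typing import Dict, Optional

QTYPE_A = 1
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> bytes:
    """Encode a standard query with RD=1 (header + question, RFC 1035 section 4.1)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # QR=0 (query), OPCODE=0, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(message: bytes) -> Dict[str, int]:
    """Decode the 12-byte header; the flag bits decide whether recursion was offered."""
    if len(message) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0x0F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(query: bytes, response: bytes) -> str:
    """Map a query/response pair to 'open-resolver', 'refused', 'no-recursion' or 'mismatch'."""
    h = parse_header(response)
    if h["id"] != struct.unpack("!H", query[:2])[0] or not h["qr"]:
        return "mismatch"  # not a reply to our query
    if h["rcode"] == RCODE_REFUSED:
        return "refused"  # recursion denied to outside clients: the desired configuration
    if h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0:
        return "open-resolver"  # it recursed on behalf of an arbitrary client
    return "no-recursion"


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send the probe over UDP/53 and classify the reply (needs network access)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    return classify(query, data)


def sample_open_response(query: bytes) -> bytes:
    """Constructed reply of an open resolver: QR=1, RD=1, RA=1, RCODE=0, one A record."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]  # echo the question section
    # Answer: name pointer to offset 12, TYPE A, CLASS IN, TTL 300, RDLENGTH 4, 192.0.2.1 (documentation range)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def sample_refused_response(query: bytes) -> bytes:
    """Constructed reply of a closed resolver: QR=1, RD=1, RA=0, RCODE=REFUSED, no answer."""
    return query[:2] + struct.pack("!HHHHH", 0x8105, 1, 0, 0, 0) + query[12:]
```

Run `probe()` against your own name servers from an address outside your network: an authoritative-only or ACL-protected server answers "refused" or "no-recursion", while "open-resolver" means the host will amplify traffic for anyone. Test against a name you do not control, since an authoritative answer for the server's own zone proves nothing about recursion.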
1.) The incident reports via Automatic Feed 2012 by Threat Types
Figure 7: Number of weekly incident reports sorted by threat type during August – December 2012
Figure 8: Number of weekly incident reports counted by unique IP and sorted by threat type and ISP during August – December 2012
Table 1: Number of incident reports sorted by threat type
Table 2: The number of incident reports counted by unique IP and sorted by threat type during August – December 2012
Table 1 shows the number of incident reports received via the automatic feed since August 2012, a total of 7,050,921, while Figure 7 shows the weekly incident reports by threat type. Botnet had the highest number of reports, with a weekly average of around 259,000, followed by spam with a weekly average of around 100,000. The other types of incident combined averaged fewer than 12,000 reports per week.
In the incident reports received via the automatic feed, ThaiCERT found many reports for the same IP address under the same threat type, because some threats such as botnets and spam senders send traffic to their targets repeatedly. The number of incident reports was therefore higher than the actual number of IP addresses.
Table 2 shows a total of 1,077,017 reported IP addresses, which can be taken as the number of IP addresses in Thailand with a cybersecurity issue. Spam clearly had the highest number of reported IP addresses, 636,461 or 62.7% of all reports, followed by botnet and open DNS resolver with 286,919 and 143,302 IP addresses respectively, whereas brute force and DDoS together accounted for fewer than 100 IP addresses. The detailed analysis of each threat is presented in the next part.
2.) Incident Report via Automatic Feed Categorized by Internet Service Providers (ISP) in Thailand
Table 3: Number of incident reports counted by unique IP and sorted by ISP
Table 4: Number of IPs registered by the top 10 ISPs [24] in Thailand
The incident reports received via the automatic feed, as shown in Table 3, show that most of the reported IP addresses belonged to ISPs and mobile operators such as TOT, True, Triple T Broadband, AIS and DTAC [25], which provide both wired and wireless broadband. Additionally, most of the incident reports were related to spam and botnets, as shown in Figure 9.
Of the 8,559,616 IP addresses registered in Thailand, Table 4 indicates that the top 10 IP address holders were ISPs, and that the first three providers held half of all IP addresses. 872,206 IP addresses were related to cybersecurity threats, more than 10% of the total number of IP addresses registered in Thailand. Furthermore, since a number of computers commonly access the Internet through the same public IP address, the actual number of computers involved in incidents was likely higher than the number of reported IP addresses.
[24] Directory listing data distributed by APNIC via FTP (ftp.apnic.net/stats/apnic) on 16 November 2012.
[25] DTAC is registered as a network provider under the name "Total Access Communication, Plc".
Figure 9: Number of incident reports counted by unique IP and sorted by ISP and threat type
3.) Phishing
Table 5: Top 10 number of phishing reports sorted by country
According to Table 5, the United States ranked first with 64,064 reports or 30.44%, followed by Hong Kong and Germany with 32,910 and 25,217 reports or 15.64% and 11.98% respectively. Thailand ranked 14th with 2,474 reports.
Table 6: Number of phishing reports sorted by type of domain name
Among the reported phishing URLs [26] shown in Table 6, commercial websites had the highest number of reports with 64.50% of all reports, made up of .com (53.89%), .co.th (10.33%) and .biz (0.28%), while government agency (.go.th) and academic institute (.ac.th) websites together had 20.25%. The remaining phishing reports had no domain name, since those phishing URLs contained only IP addresses.
[26] The information used to identify the location of phishing websites.
Table 7: Top 10 number of phishing reports sorted by ISP

| No. | ISP | AS Number | Number of Reports | Number of Unique IP Addresses | Number of Unique URLs | Reports / Unique IP Addresses |
|---|---|---|---|---|---|---|
| 1 | CAT Telecom (Public) Co., Ltd. | 9931 | 1,028 | 130 | 531 | 7.9 |
| 2 | CS Loxinfo (Public) Co., Ltd. | 4750, 7568, 9891 | 407 | 62 | 254 | 6.6 |
| 3 | Internet Thailand (Public) Co., Ltd. | 4618 | 175 | 22 | 131 | 8.0 |
| 4 | Internet Solution & Service Provider Co., Ltd. | 24299, 7654 | 130 | 19 | 99 | 6.8 |
| 5 | Super Broadband Network Co., Ltd. | 45458 | 110 | 1 | 37 | 110.0 |
| 6 | Metrabyte Co., Ltd. | 56067 | 97 | 27 | 74 | 3.6 |
| 7 | Government Information Technology Services | 9835 | 75 | 10 | 43 | 7.5 |
| 8 | True Internet Co., Ltd. | 7470, 9287 | 64 | 8 | 31 | 8.0 |
| 9 | Ministry of Education | 23974 | 45 | 23 | 35 | 2.0 |
| 10 | UniNet | 4621 | 44 | 8 | 22 | 5.5 |
Table 7 shows that most reports came from commercial ISPs, but the ISPs serving government agencies (Government Information Technology Services, GITS) and academic institutes (UniNet and the Ministry of Education) also ranked in the top 10. There are several possible reasons for the number of reports divided by the number of unique IP addresses being greater than 1. For instance, if a web server hosts many websites and one of them is compromised, the other websites can be compromised and used to distribute phishing pages as well. Another possible reason is that the same website was used to distribute phishing pages more than once.
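The three derived views used in this section can be reproduced on any feed export: raw report counts against unique IP addresses per threat type (the Table 1 versus Table 2 comparison), the domain-type buckets of Table 6 for phishing URLs, and the per-ISP reports / unique IP ratio of Table 7. The Python below is an added example, not ThaiCERT's analysis code. Its records, AS numbers and ASN-to-ISP map are constructed stand-ins (RFC 5737 documentation addresses, private-use AS numbers); in practice the map would be built from the APNIC delegation data cited in footnote [24].

```python
"""Derived views of an automatic-feed dataset: report counts vs unique IPs, phishing domain
types, and per-ISP reports/unique-IP ratios.

Added example; not ThaiCERT's analysis code. RECORDS and ISP_BY_ASN are constructed
stand-ins (RFC 5737 documentation addresses, private-use AS numbers); the real ASN-to-ISP
mapping would come from the APNIC delegation data cited in footnote [24].
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

Record = Tuple[str, str, int, Optional[str]]  # (threat_type, source_ip, asn, url)

RECORDS: Tuple[Record, ...] = (
    ("phishing", "203.0.113.10", 64501, "http://shop.example.com/login"),
    ("phishing", "203.0.113.10", 64501, "http://shop.example.com/verify"),
    ("phishing", "203.0.113.10", 64501, "http://shop.example.com/login"),
    ("phishing", "203.0.113.11", 64501, "http://203.0.113.11/bank/"),
    ("phishing", "198.51.100.5", 64502, "http://portal.example.go.th/x"),
    ("botnet", "198.51.100.20", 64502, None),
    ("botnet", "198.51.100.20", 64502, None),
    ("botnet", "198.51.100.21", 64502, None),
    ("spam", "192.0.2.7", 64501, None),
)

ISP_BY_ASN: Dict[int, str] = {64501: "Example ISP A", 64502: "Example ISP B"}  # constructed


def classify_domain(url: str) -> str:
    """Bucket a phishing URL host as Table 6 does: IP-only, or by domain type."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "ip-address"  # URL carried only an IP literal, no domain name
    except ValueError:
        pass
    buckets = (
        (".go.th", "government (.go.th)"),
        (".ac.th", "academic (.ac.th)"),
        (".co.th", "commercial (.co.th)"),
        (".com", "commercial (.com)"),
        (".biz", "commercial (.biz)"),
    )
    for suffix, label in buckets:
        if host.endswith(suffix):
            return label
    return "other"


def reports_and_unique_ips(records: Iterable[Record]) -> Dict[str, Dict[str, int]]:
    """Per threat type: raw report count (Table 1 view) and distinct source IPs (Table 2 view)."""
    reports: Dict[str, int] = defaultdict(int)
    ips: Dict[str, set] = defaultdict(set)
    for threat, ip, _asn, _url in records:
        reports[threat] += 1
        ips[threat].add(ip)
    return {t: {"reports": reports[t], "unique_ips": len(ips[t])} for t in reports}


def phishing_by_domain_type(records: Iterable[Record]) -> Dict[str, int]:
    """Table 6 view: phishing report count per domain-type bucket."""
    counts: Dict[str, int] = defaultdict(int)
    for threat, _ip, _asn, url in records:
        if threat == "phishing" and url is not None:
            counts[classify_domain(url)] += 1
    return dict(counts)


def per_isp_phishing(records: Iterable[Record]) -> Dict[str, Dict[str, float]]:
    """Table 7 view: per ISP, reports, unique IPs, unique URLs and reports per unique IP.

    A ratio well above 1 means one host was reported repeatedly, e.g. a shared web server
    hosting several compromised sites or a site re-used for phishing more than once.
    """
    rows = defaultdict(lambda: {"reports": 0, "ips": set(), "urls": set()})
    for threat, ip, asn, url in records:
        if threat != "phishing":
            continue
        row = rows[ISP_BY_ASN.get(asn, f"AS{asn}")]  # unmapped ASNs keep their number
        row["reports"] += 1
        row["ips"].add(ip)
        row["urls"].add(url)
    return {
        isp: {
            "reports": row["reports"],
            "unique_ips": len(row["ips"]),
            "unique_urls": len(row["urls"]),
            "reports_per_ip": round(row["reports"] / len(row["ips"]), 1),
        }
        for isp, row in rows.items()
    }
```

Deduplicating on (threat type, IP) before counting is what turns the 7,050,921 reports of Table 1 into the 1,077,017 addresses of Table 2; the per-ISP ratio then separates a single heavily re-reported host (such as the 110.0 of row 5 in Table 7) from a provider with many distinct compromised hosts.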
4.) Malware URL
Table 8: Top 10 number of malware URL reports sorted by ISP
ThaiCERT received a total of 30,153 malware URL reports. Regarding
the information in Table 8, it can be seen that most reports occurred in
the network of CAT Telecom with 56.67% of all reports followed by CS
Loxinfo with 19.07%, where most of the ISPs in top 10 in fact provide the
commercial Internet Data Center (IDC). Meanwhile, the academic institutes
and agencies such as Ministry of Education, Sripatum University and UniNet,
were also listed in the top 10.
Table 9: Top 10 number of unique malware URL reports sorted by ISP
Table 9 lists the unique malware URL reports. Analysing the same information by unique IP address, however, changes the ranking slightly, as shown in Table 10.
Table 10: Top 10 number of malware URL reports counted by unique IP and sorted by ISP
According to Table 10, 840 IP addresses appeared in the top 10 ranking by number of reports sorted by ISP. CAT Telecom still ranked first, with only 298 IP addresses against 11,793 reports. Compared with the statistics in Table 9, this shows that malware URL incidents occurred at an average of 39.6 reports per IP address.
Table 11: Top 10 number of malware URL reports counted by unique IP and sorted by type of domain name
Table 11 indicates that commercial organizations (.com and .co.th) were reported at 411 unique IP addresses, while academic institutes and government agencies (.ac.th and .go.th) were also reported in large numbers. This can be interpreted as a sign that the computer systems of those organizations were insecure, giving attackers a chance to get into them and use them to distribute malware.
Table 12: Top 10 number of unique malware URL reports sorted by domain name
Table 12 shows the malware URL reports classified by domain name. The first rank belonged to the website of Pichit Educational Service Area Office 1 with 8,084 malware URLs, followed by www.energyfantasia.com, the main website of the “Energy Fantasia” project launched by the Ministry of Energy, with 1,418 malware URLs. The third was school.obec.go.th, which belongs to the Office of the Basic Education Commission, with 1,216 malware URLs. It is noticeable that the first three websites all belong to government agencies.
5.) Spam
Table 13: Top 10 number of spam reports sorted by ISP
In 2012, ThaiCERT received reports of 1,522,224 computers in Thailand being used to send spam. Most of the spam was sent from the networks of commercial ISPs such as TOT (46.50%), AIS (16.59%), DTAC (13.25%) and True (11.36%). It is interesting that commercial ISPs were chosen as the base for sending spam, presumably because of their large number of customers; the number of reported IP addresses also varied with the number of customers of each commercial ISP.
The data also show no correlation between the ranking and the number of reports divided by the number of unique IP addresses, probably because some servers were rented or controlled by the attacker specifically for sending spam.
6.) Scanning
Figure 10: Top 10 number of scanning reports sorted by port number
Table 14: Top 10 number of scanning reports counted by unique IP and sorted by port number
There was a total of 5,375 IP addresses, whose top 10 ranking is shown in Table 14 and Figure 10. Most of the targeted ports were related to remote administration: the top four were 4899/TCP Radmin remote administration (45.40%), 3389/TCP Windows Remote Desktop (34.16%), 445/TCP Windows RPC services (6.70%) and 22/TCP SSH server (3.91%). From these statistics it can be concluded that most attackers intended to collect information about, and attempted to gain access to, the targeted systems mainly through remote administration services. Disabling remote access on servers that are directly connected to the Internet would therefore help reduce the risk of being attacked through such channels.
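The ranking above is produced by counting, per destination port, the number of distinct source IPs seen scanning. The following is an added example, not ThaiCERT's own tooling: it flags scanning sources in a constructed connection log (one key=value record per line, a format assumed for this example) and ranks the ports they hit; the port-to-service names are those the report lists.

```python
"""Flag port-scanning sources in connection logs and rank the targeted ports
the way Table 14 does (unique scanning IPs per destination port).

Added example, not ThaiCERT code. The log format (one 'key=value' record per
line) and every address below are constructed; the port-to-service names are
the ones the report lists.
"""
import re
from collections import defaultdict

SERVICE_NAMES = {
    4899: "Radmin remote administration",
    3389: "Windows Remote Desktop",
    445: "Windows RPC services",
    22: "SSH server",
}

# Assumed record layout: "<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_log(lines):
    """Yield (src, dst, dport) for each well-formed TCP record; skip the rest."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("proto").lower() == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def detect_scanners(events, min_targets=5):
    """Sources that touched at least `min_targets` distinct (host, port) pairs.

    Returns {src: sorted list of ports that source probed}. The threshold is a
    tunable assumption; a single host talking to one service never trips it.
    """
    targets = defaultdict(set)
    for src, dst, dport in events:
        targets[src].add((dst, dport))
    return {src: sorted({p for _, p in t})
            for src, t in targets.items() if len(t) >= min_targets}


def port_ranking(scanners):
    """Rank ports by the number of unique scanning IPs, as in Table 14."""
    per_port = defaultdict(int)
    for ports in scanners.values():
        for p in ports:
            per_port[p] += 1            # each scanner counted once per port
    total = sum(per_port.values())
    ranked = sorted(per_port.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, SERVICE_NAMES.get(p, "other"), n, round(100.0 * n / total, 2))
            for p, n in ranked]


def build_sample_log():
    """Constructed log: two scanners, one ordinary client, one malformed line."""
    lines = []
    # scanner A sweeps RDP (3389/TCP) across six hosts
    for i in range(1, 7):
        lines.append(f"2012-05-01T10:00:{i:02d}Z src=203.0.113.5 "
                     f"dst=198.51.100.{i} dport=3389 proto=tcp")
    # scanner B sweeps Radmin (4899/TCP) across five hosts, then tries RDP on two
    for i in range(1, 6):
        lines.append(f"2012-05-01T10:01:{i:02d}Z src=203.0.113.9 "
                     f"dst=198.51.100.{i} dport=4899 proto=tcp")
    for i in (1, 2):
        lines.append(f"2012-05-01T10:02:{i:02d}Z src=203.0.113.9 "
                     f"dst=198.51.100.{i} dport=3389 proto=tcp")
    # ordinary client: three HTTPS connections, below the scanner threshold
    for i in (1, 2, 3):
        lines.append(f"2012-05-01T10:03:{i:02d}Z src=198.51.100.77 "
                     f"dst=198.51.100.{i} dport=443 proto=tcp")
    lines.append("2012-05-01T10:04:00Z garbage line without fields")
    return lines


def analyse(lines, min_targets=5):
    """Return (scanners, ranking) for a list of log lines."""
    scanners = detect_scanners(parse_log(lines), min_targets)
    return scanners, port_ranking(scanners)


if __name__ == "__main__":
    found, ranking = analyse(build_sample_log())
    for src, ports in found.items():
        print(f"scanner {src}: ports {ports}")
    for port, name, n, pct in ranking:
        print(f"{port}/TCP {name}: {n} scanning IPs ({pct}%)")
```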
Table 15: Top 10 number of scanning reports counted by unique IP and sorted by ISP
Figure 11: Top 10 number of scanning reports sorted by ISP
The scanning reports classified by ISP, as shown in Table 15 and Figure 11, indicate that most IP addresses belonged to the major commercial ISPs in Thailand. The highest number of reported IP addresses belonged to True Internet with 1,847 IP addresses, followed by TOT and Triple T Broadband with 1,642 and 1,320 IP addresses respectively. The top 3 ISPs together accounted for approximately 90% of all reported IP addresses.
7.) Botnet
Figure 12: Top 10 number of botnet reports counted by unique IP and sorted by malware name
Table 16: Top 10 number of botnet reports sorted by ISP
No. | ISP | Number of Reports
1 | TOT (Public) Co., Ltd. | 161,402
2 | True Internet Co., Ltd. | 57,935
3 | Triple T Broadband (Public) Co., Ltd. | 57,458
4 | Advanced Info Service (Public) Co., Ltd. | 13,218
5 | Total Access Communication (Public) Co., Ltd. | 10,899
6 | JasTel Network Co., Ltd. | 4,904
7 | Ministry of Education | 2,658
8 | UniNet | 734
9 | CS Loxinfo (Public) Co., Ltd. | 407
10 | True Move Co., Ltd. | 348
As Table 16 shows, botnet reports were found mainly on the commercial ISPs offering broadband service, such as TOT, True and Triple T, which together accounted for 88% of all reports. This indicates that ordinary computers, such as home computers, were the main targets controlled by botnets, and that these computers were at risk of becoming tools for attacking other systems or having personal information stolen.
8.) Open DNS Resolver
An open DNS resolver is an improperly configured DNS server that answers recursive queries from computers on any other network. Such a server can become a base for attacking other systems using the DNS amplification technique described in Picture 2. The attacker sends DNS requests to many open DNS resolvers simultaneously, with the source IP address forged to be that of the targeted system, so that the open resolvers send their responses to the target. Since a DNS response is typically much larger than the request, the attacker uses the open resolvers to perform a DDoS attack. This kind of attack saturates the Internet bandwidth of the targeted system until it can no longer communicate with other systems or fails altogether.
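An added example, not ThaiCERT's code, for operators auditing their own resolvers: it builds a recursive DNS query, decodes the response header to tell an open resolver (RA set, NOERROR, answers returned for a client that should not be served) from a correctly restricted one (REFUSED), and computes the request-to-response size ratio that the attack relies on. The wire format follows RFC 1035; the sample response is constructed here, and probe_resolver() is meant for servers you administer.

```python
"""Check a recursive resolver for 'open' behaviour and measure DNS amplification.

Added example, not ThaiCERT's code. Wire-format handling follows RFC 1035;
the sample response below is constructed in this file. probe_resolver() is for
servers you operate: the 'open' result only means something when the query
comes from a network the server is not supposed to serve.
"""
import socket
import struct

RCODE_NOERROR, RCODE_REFUSED = 0, 5


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Return a minimal DNS query (header + one question) for `name`."""
    flags = 0x0100 if rd else 0x0000            # RD bit asks for recursion
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(data):
    """Decode the 12-byte DNS header into the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),             # 1 = this is a response
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),             # server offers recursion
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def is_open_recursive(response):
    """True when the server answered a recursive query for a foreign name.

    A correctly restricted resolver replies REFUSED (RA cleared, no answers)
    to clients outside its allowed networks.
    """
    h = parse_header(response)
    return h["qr"] and h["ra"] and h["rcode"] == RCODE_NOERROR and h["ancount"] > 0


def amplification_factor(query, response):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return round(len(response) / len(query), 2)


def make_response(query, n_answers, refused=False):
    """Constructed response to `query`: echoes the question, appends A records."""
    txid = struct.unpack("!H", query[:2])[0]
    if refused:
        flags = 0x8100 | RCODE_REFUSED          # QR+RD, RA cleared, REFUSED
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]
    flags = 0x8180                              # QR, RD, RA, NOERROR
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    answers = b"".join(
        b"\xc0\x0c"                             # compression pointer to the question name
        + struct.pack("!HHIH", 1, 1, 300, 4)    # type A, class IN, TTL, rdlength
        + bytes([192, 0, 2, i])                 # TEST-NET-1 address (constructed)
        for i in range(1, n_answers + 1))
    return header + query[12:] + answers


def probe_resolver(server_ip, name="example.com", timeout=2.0):
    """Send one recursive query over UDP to a resolver you administer and
    report whether it behaved as an open resolver and how much it amplified."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        resp, _ = s.recvfrom(4096)
    return {"open": is_open_recursive(resp), "factor": amplification_factor(q, resp)}


# Constructed demonstration values.
QUERY = build_query("example.com")               # 29 bytes on the wire
OPEN_RESPONSE = make_response(QUERY, 10)         # 29 + 10 * 16 = 189 bytes
REFUSED_RESPONSE = make_response(QUERY, 0, refused=True)

if __name__ == "__main__":
    print("open resolver:", is_open_recursive(OPEN_RESPONSE),
          "amplification:", amplification_factor(QUERY, OPEN_RESPONSE))
    print("restricted resolver:", is_open_recursive(REFUSED_RESPONSE))
```

Even this small answer set gives roughly 6.5 bytes of response per byte of request, which is the imbalance an amplification attack exploits against whichever address was forged as the source.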
Picture 2: DNS amplification attack technique
Table 17: Top 10 number of open DNS resolver reports counted by unique IP and sorted by ISP
There was a total of 143,255 IP addresses of open DNS resolvers, whose top 10 ranking is listed in Table 17. Most of them belonged to the major commercial ISPs such as True, TOT and Triple T Broadband, which together accounted for 96% of all reports. The Ministry of Education was the only government agency listed in the top 10.
9.) Open Proxy Server
An open proxy server is generally a web proxy server that can be used without authentication. An attacker can abuse an open proxy server by taking advantage of its improper configuration, or by gaining access to the system and changing its configuration, so that it can be used for malicious purposes.
Table 18: Top 10 number of open proxy server reports counted by unique IP and sorted by ISP
There was a total of 3,596 IP addresses reported as open proxy servers; the ten ISPs with the highest numbers of reports are listed in Table 18. Unsurprisingly, most reports belonged to the major commercial ISPs such as Triple T Broadband, TOT and True, which together accounted for 98% of all reports, and, as with open DNS resolvers, the Ministry of Education was the only government agency in the top 10. Although a web proxy service normally runs on a server, the analysis shows that most of the reported IP addresses were in the networks of broadband ISPs. This issue requires more supporting information from the ISPs for further investigation.
4.3.2 The Statistics of Directly Reported Incidents
Apart from the automatic feed, incidents can be reported directly to ThaiCERT by email and telephone. Incident reports are entered into the ticket management system called “Request Tracker”. The reported incidents are classified into nine categories according to the eCSIRT (European Computer Security Incident Response Team) threat classification27.
27 http://www.ecsirt.net/cec/service/documents/wp4-clearinghouse-policy-v12.html#HEAD6
The details are described in Table 19.
Table 19: Cybersecurity threat type according to eCSIRT
No. | Type | Description
1 | Abusive Content | Content such as child pornography, glorification of violence and spam is considered abusive content.
2 | Malicious Code | Software that is intentionally included or inserted in a system for a harmful purpose. User interaction is normally necessary to activate the code.
3 | Information Gathering | Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).
4 | Intrusion Attempts | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing/cracking of passwords and brute force.
5 | Intrusions | Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access.
6 | Availability | In this kind of attack a system is bombarded with so many packets that its operations are delayed or the system crashes. Examples of remote DoS are SYN or PING flooding and email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.).
7 | Information Security | Besides local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information.
8 | Fraud | The use of Internet services such as websites and email to defraud victims or to otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft.
9 | Other | If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.
Table 20: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type
Figure 13: Number of directly reported incidents to ThaiCERT in 2012 sorted by threat type
Of the incidents reported to ThaiCERT by email and telephone, as shown in Table 20, there were 792 reports in total in 2012. The table also shows that fraud was the dominant incident type, with 534 reports, or 67.42%. The second was Malicious Code with 10.35%, and the third was Intrusions and Intrusion Attempts with 17.30%.
Table 21: Number of directly reported incidents sorted by type of relevant individuals and their location
Figure 14: Percentage distribution of number of directly reported incidents sorted by type of relevant individuals and their location
ThaiCERT classifies the relevant individuals into three types: Submitter, Attacker and Victim. Each type is further classified by location as Domestic, Foreign or Unknown. Table 21 and Figure 14 indicate that more than 90% of submitters were from foreign countries. This corresponds to the number of foreign victims, which was also almost 90%. For reports whose location could not be identified (Unknown), there was no information to identify the location of the victims or the attackers.
Table 22: Number of fraud reports sorted by type of relevant individuals and their location
Location | Submitters | Percentage (%) | Victims | Percentage (%) | Attackers | Percentage (%)
Domestic | 18 | 3.37 | 15 | 2.81 | 515 | 96.44
Foreign | 516 | 96.63 | 519 | 97.19 | 19 | 3.56
Unknown | 0 | 0 | 0 | 0 | 0 | 0
Figure 15: Percentage distribution of number of fraud reports sorted by type of relevant
individuals and their location
Table 23: Number of fraud reports sorted by type of relevant individuals and organizations
Type | Number of Submitters | Percentage (%) | Number of Victims | Percentage (%) | Number of Attackers | Percentage (%)
Individuals | 4 | 0.75 | 0 | 0 | 0 | 0
CSIRT/Infosec agencies | 349 | 65.36 | 0 | 0 | 0 | 0
Internet Service Providers | 1 | 0.19 | 0 | 0 | 0 | 0
Company/Business/Private agencies | 179 | 33.52 | 519 | 97.19 | 345 | 64.61
Academic Institutes | 0 | 0 | 0 | 0 | 45 | 8.43
Government agencies | 1 | 0.19 | 0 | 0 | 85 | 15.92
Others | 0 | 0 | 15 | 2.81 | 59 | 11.05
Table 23 presents the number of fraud reports categorized by type of relevant individuals and organizations, where an attacker could be either the host of the phishing page itself or a system owner who intentionally hosted a fraudulent website. Table 23 categorizes the relevant entities into 7 types: individuals, CSIRT/Infosec agencies, Internet Service Providers, company/business/private agencies, academic institutes, government agencies and others.
Figure 16: Percentage distribution of number of fraud victims
Figure 17: Percentage distribution of number of fraud submitters
Figure 16 shows that most fraud victims were in the group of companies/businesses/private agencies, at more than 90% of all fraud reports. The rest fall into the “others” type, where the actual victim could not be identified because the phishing pages had already been deleted or changed during the incident investigation and there was not enough information to identify the target of the attack. Among the submitters of fraud incidents, as shown in Figure 17, 65.36% were CERT organizations around the world, followed by companies/businesses/private agencies such as banks and financial institutions with 33.52%. The remaining submitters, individuals, ISPs and government agencies, accounted for about 1.13%.
Figure 18: Percentage distribution of number of fraud attackers
The percentage distribution of fraud attackers shown in Figure 18 indicates that most of the attackers, about 64%, belonged to the group of companies/businesses/individuals, while 24% belonged to government agencies and academic institutes. From the information obtained during analysis, ThaiCERT found that none of the phishing pages had been created by the website owners. The owners were instead themselves victims of attackers who compromised their web servers in order to create the phishing pages, and the website administrators were unaware of these malicious activities. This finding shows that most websites of companies/businesses/individuals in Thailand still require stronger security measures to protect against attackers.
Figure 19: Number of directly reported incidents during 2001-2012
Figure 19 shows the number of directly reported incidents from 2001 to 2012. The red bars indicate the number of incident reports during 2001 - 2010, while ThaiCERT was operated under Thailand’s National Electronics and Computer Technology Center (NECTEC); the figures for those years were extracted from Asia Pacific Computer Emergency Response Team (APCERT) annual reports. The graph shows no figure for 2009 because ThaiCERT did not submit a report to APCERT that year.
The blue bars represent the number of directly reported incidents during 2011 - 2012, after ThaiCERT was transferred to the Electronic Transactions Development Agency (ETDA). The number of incident reports in 2012 was 792, approximately 22% higher than the 646 incident reports in 2011.
Apart from the automatic feed and email as channels for receiving incident reports, ThaiCERT also collaborated with Microsoft to gather information on, and handle, cybersecurity incidents related to the Rustock and Zeus malware families. The statistics are summarized below.
Figure 20: Number of unique IPs infected by Rustock sorted by month and ISP
Figure 20 shows the number of unique IP addresses in Thailand infected by Rustock, collected from January 13th to June 20th, 2012, with a total of 71,719 IP addresses. After ThaiCERT analysed the incident reports and coordinated with the relevant ISPs to handle the incidents, the number of reports decreased continuously from January 2012, from approximately 4,500 to under 3,000 per week. The decrease came mainly from the IP addresses of TOT and True.
Figure 21: Number of unique IPs infected by Zeus sorted by month and ISP
In June 2012, Microsoft announced that it would stop providing the Rustock incident reports and provide Zeus reports instead, since Microsoft had taken down the command and control servers of the Zeus botnet and found that many more IP addresses were infected by Zeus. ThaiCERT therefore received Zeus incident reports from June to November 2012, as shown in Figure 21.
Figure 21 shows a total of 88,708 unique IP addresses infected by Zeus, with the number of reported IP addresses peaking in July at 32,217. As in the Rustock case, the number of reported IP addresses went down after ThaiCERT analysed the incident reports and coordinated with the relevant ISPs.
Figure 22: Percentage distribution of number of repeatedly reported and non-repeated reported
IPs from phishing reports
Figure 23: Percentage distribution of number of repeatedly reported IPs from phishing reports sorted by type of domain name
Regarding the IP addresses in phishing reports, Figure 22 and Figure 23 show that 19% of reported IP addresses were reported repeatedly. Most of these belonged to commercial organizations (.com), with 44.6% or 124 IP addresses, followed by educational institutes (.ac.th) combined with government agencies (.go.th), with 26.9% or 75 IP addresses. These statistics reflect how effectively organizations fix the vulnerabilities of their websites after receiving reports.
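The per-ISP figures of Table 7 (reports, unique IPs, unique URLs and their ratio) and the repeated-IP share of Figures 22 and 23 are all derived from the same raw phishing report records. The following added example, not ThaiCERT's code, computes them from a constructed feed; the record shape (ISP, AS number, phishing URL, hosting IP) and all sample values are assumptions made for this example.

```python
"""Compute the per-ISP phishing statistics of Table 7 and the repeated-IP
share of Figures 22 and 23 from raw report records.

Added example, not ThaiCERT code. The record shape (isp, asn, url, ip) and
every value in SAMPLE_REPORTS are constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_REPORTS = [  # (isp, asn, phishing url, hosting ip) - constructed
    ("ISP-A", 64496, "http://www.example.com/login", "198.51.100.10"),
    ("ISP-A", 64496, "http://www.example.com/verify", "198.51.100.10"),
    ("ISP-A", 64496, "http://shop.example.co.th/bank/", "198.51.100.11"),
    ("ISP-B", 64497, "http://www.example.ac.th/~user/update", "203.0.113.5"),
    ("ISP-B", 64497, "http://www.example.ac.th/~user/update", "203.0.113.5"),
    ("ISP-B", 64497, "http://www.example.go.th/img/secure", "203.0.113.7"),
    ("ISP-C", 64498, "http://www.example.net/x", "192.0.2.9"),
]

# Domain-name types used in Table 11 and Figure 23; order matters for matching.
DOMAIN_TYPES = (".co.th", ".ac.th", ".go.th", ".com")


def domain_type(url):
    """Bucket a URL's host by domain type; anything unmatched is 'other'."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix in DOMAIN_TYPES:
        if host.endswith(suffix):
            return suffix.lstrip(".")
    return "other"


def isp_stats(reports):
    """Per-ISP counts as in Table 7. A ratio above 1.0 means one IP was
    reported for several URLs (shared hosting) or reported more than once."""
    acc = defaultdict(lambda: {"as": set(), "reports": 0, "ips": set(), "urls": set()})
    for isp, asn, url, ip in reports:
        d = acc[isp]
        d["as"].add(asn)
        d["reports"] += 1
        d["ips"].add(ip)
        d["urls"].add(url)
    return {
        isp: {"as": sorted(d["as"]), "reports": d["reports"],
              "unique_ips": len(d["ips"]), "unique_urls": len(d["urls"]),
              "ratio": round(d["reports"] / len(d["ips"]), 1)}
        for isp, d in acc.items()
    }


def top_isps(stats, n=10):
    """Rank ISPs by report count (ties broken by name for stable output)."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["reports"], kv[0]))[:n]


def repeated_ips(reports):
    """IPs reported more than once, with the domain types they hosted."""
    seen = defaultdict(lambda: {"count": 0, "types": set()})
    for _, _, url, ip in reports:
        seen[ip]["count"] += 1
        seen[ip]["types"].add(domain_type(url))
    return {ip: d for ip, d in seen.items() if d["count"] > 1}


def repeated_share(reports):
    """(repeated IPs, unique IPs, percentage repeated) as in Figure 22."""
    unique = {ip for *_, ip in reports}
    rep = repeated_ips(reports)
    return len(rep), len(unique), round(100.0 * len(rep) / len(unique), 1)


def repeated_by_domain_type(reports):
    """Count each repeated IP once per domain type it hosted (Figure 23)."""
    counts = defaultdict(int)
    for d in repeated_ips(reports).values():
        for t in d["types"]:
            counts[t] += 1
    return dict(counts)


if __name__ == "__main__":
    for rank, (isp, s) in enumerate(top_isps(isp_stats(SAMPLE_REPORTS)), 1):
        print(rank, isp, s["as"], s["reports"], s["unique_ips"], s["unique_urls"], s["ratio"])
    print("repeated share:", repeated_share(SAMPLE_REPORTS))
    print("repeated by domain type:", repeated_by_domain_type(SAMPLE_REPORTS))
```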
4.4 Case studies
In 2012, ThaiCERT handled a number of incidents that make interesting case studies, such as the intrusion into T.H.NIC's domain name management system, the DNS Changer malware, the discovery of a C&C server for Flame malware, email account hacking, and phishing on web hosting in Thailand.
4.4.1 Intrusion of T.H.NIC Domain Name Management System
On June 30, 2012, ThaiCERT received a report from an international cybersecurity organization that the IP addresses of many multinational companies in Thailand had been changed, most likely with malicious intent. This was recognized as a domain hijacking attack, but the attack method was unknown. After coordinating with T.H.NIC, the national domain name registrar in Thailand (for the ccTLD, Country Code Top Level Domain), ThaiCERT found that T.H.NIC’s domain name database had been compromised. Moreover, a number of domain names had been stolen without their owners being aware of it.
Picture 3: Structure of domain name modification system of T.H.NIC
After analysing the reports and coordinating closely with T.H.NIC, providing advice and assistance from June 30, 2012 to July 2, 2012, ThaiCERT found that the suspect had used IP addresses in Eastern European countries to attack a vulnerability in the Content Management System (CMS) of T.H.NIC’s publishing page. Through this, the suspect gained access to the main database system and to the source code of the system that manages the domain registrants’ information. Since all systems shared the same server and database, the server’s logs show that the attacker obtained all passwords of the domain registrants as well as the database administrator’s password. The attacker was therefore able to change any registrant’s information in T.H.NIC’s system.
With all this information on hand, ThaiCERT helped T.H.NIC identify the causes of the domain name management problems and advised on how to improve the system for operation.
From this case, ThaiCERT acknowledges the importance of an intrusion detection capability, which needs to be developed to an international standard in order to handle incident response for the systems of organizations responsible for Internet infrastructure. Moreover, a digital forensics capability is not only important for police investigations; it can also be used to identify the vulnerabilities of compromised information systems in order to develop preventive measures efficiently and promptly.
4.4.2 Dissemination of DNS Changer Malware
DNS Changer malware was first discovered in 2007 and can infect both Windows and Mac OS X computers. It changes the DNS server settings of infected computers to the IP addresses of rogue DNS servers set up by criminals. Whenever a user tries to access a website from an infected computer, the computer contacts the rogue DNS servers operated by the criminals instead of its legitimate DNS servers. Users are consequently redirected to fraudulent websites, or their online activities are interfered with. In November 2011, the FBI (United States Federal Bureau of Investigation) reported that more than 4 million computers around the world were infected with DNS Changer malware28.
The FBI arrested the criminals responsible for spreading DNS Changer malware and running the rogue DNS servers, which allowed them to manipulate the victims’ online activities. Although the FBI intended to disable the rogue DNS servers, it could not simply do so, because the infected computers relied on those servers for name resolution and would have lost Internet access. According to an investigative report from March 2012, about 450,000 computers around the world were still infected by DNS Changer malware, including many government computers.
By April 23, 2012, the FBI had sent lists of the IP addresses of all infected computers to the responsible ISPs in each country, so that computers infected with DNS Changer malware could be cleaned up before the deadline of July 9, 2012, the date on which the FBI would shut down the clean DNS servers operated for the infected victims.
Figure 24: Number of reports of DNS changer infected in network of agencies or ISPs; information
retrieved on 8 July 2012 from DCWG.org
28 http://www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf
ThaiCERT received the list of computers in Thailand infected with DNS Changer malware from the DNS Changer Working Group (DCWG)29 in order to cooperate with Thai ISPs in notifying the infected victims. As of July 8, 2012, a day before the FBI shut down the clean DNS servers for the infected victims, there were 2,023 infected computers in Thailand. These could be roughly divided into ten groups based on their ISP networks, as shown in Figure 24. The chart shows that infected computers could be found among major ISPs such as TOT, Triple-T and CAT, as well as in government networks, e.g. the Ministry of Education.
This is an interesting case study because, even though the IP addresses of the infected computers were known, ThaiCERT was not able to track down the victims from those addresses. This is because the IP addresses are owned directly by the ISPs, which makes it impossible for ThaiCERT to contact and notify the victims directly. ThaiCERT therefore had to coordinate with the ISPs so that they could notify their customers about the infected computers. Consequently, although ThaiCERT is capable of all the tracking processes necessary to follow up such problems, the efficiency of the process largely depends on the cooperation and customer service approach of each ISP.
4.4.3 C&C of Malware Clan “Flame” Discovery
On June 19, 2012, ThaiCERT was informed by a security partner that they had found, in Thailand, the C&C (Command and Control) server30 of a botnet malware that was most probably a new variant of the malware called “Flame”. Flame was previously best known as malware targeting government agencies in Middle Eastern countries. ThaiCERT’s investigation revealed that the reported C&C computer was hosted at a web hosting provider in Thailand.
ThaiCERT coordinated with the informant (the security partner), requested more information for further analysis and investigation, and then confirmed that the reported C&C server indeed existed. The informant also told ThaiCERT that the owners of the C&C server might be involved in illegal activities and might delete all data on the server if there was an attempt to seize it, as had happened in many cases in other countries. The informant advised ThaiCERT to initiate legal action to obtain a warrant for confiscation of the C&C server.
ThaiCERT went on to discuss the case with the legal authorities, both the Technology Crime Suppression Division, Royal Thai Police and the IT Crime Prevention and Suppression Bureau, Ministry of Information and Communication Technology. In practice, a crime cannot be prosecuted by an authority in Thailand unless a victim files a complaint against the criminals. As there was no identified victim in this case, the prosecution criteria under Thai law could not be fulfilled for legal proceedings. ThaiCERT has taken steps to recommend legal amendments that would mitigate these official limitations in existing law enforcement. This is a long-term mission, and there is still a significant lack of short-term measures. Improving security measures should therefore be emphasized. To that end, the National Cybersecurity Committee was established, with the Prime Minister as its Chairperson.
29 DNS Changer Working Group
30 A Command and Control (C&C) server is the computer set up and used by a malware developer to command and control the malware on infected computers to serve his needs.
4.4.4 Hacking the Email Account of an SME Entrepreneur
ThaiCERT was informed by an SME exporter that the main email account used to correspond with international clients had been compromised. The case involved fraud, with the SME’s clients as the victims. The entrepreneur also found that the fraudster had set up a new email account with an address similar to the SME’s original one, to deceive clients into believing that the email was genuine. The fraudster, impersonating the entrepreneur, then informed the clients that the entrepreneur had changed the bank account number used for trading and tried to trick them into transferring money to this fraudulent account. Some clients fell for the scam and transferred money to the fraudulent account. After becoming aware of being a victim of this fraudulent scheme, the entrepreneur reported it to the Technology Crime Suppression Division, Royal Thai Police and the Ministry of Information and Communication Technology, and was then referred to ThaiCERT for consultation.
Interestingly, the evidence raised some questions: How did the fraudster know the email addresses of the victims? How did the fraudster know the details of the business activities, such as the product types and payment transactions of orders, which were found in the email content exchanged between the fraudster and the victim clients? The fact that the fraudster apparently could access these details from the entrepreneur’s email account explains why the fraudster possessed sufficient information to deceive the clients into thinking that they were dealing with the real entrepreneur.
ThaiCERT investigated the entrepreneur’s email access log, assuming that the fraudster might be in possession of the username and password of the entrepreneur’s email account and thus able to access personal information such as client names, client emails or old purchase orders. However, it turned out that the incident had taken place over a very long period of time, which made it extremely difficult to investigate the fraudster’s activities. ThaiCERT coordinated with the email service provider and related CERTs for help in investigating the fraudster’s activities and disabling the fraudulent email account. Unfortunately, the email service provider requested legal documents as a precondition for taking any further action. In response, ThaiCERT coordinated with the Technology Crime Suppression Division, which could assist the entrepreneur with the documents requested for legal proceedings.
The interesting point of this case is that even though the SME entrepreneur took extensive precautions in using computers and the Internet, e.g. by only using licensed and updated software, by not accessing the email account from public computers, and by using long and complex passwords that are difficult to guess, the fraudster was still able to access the email account.
4.4.5 Phishing in Thai Web Hosting
Between July 2011 and August 2012, ThaiCERT received several reports from Bradesco bank in Brazil about phishing web pages imitating the Bradesco web page in order to steal personal information from visitors. The cases appeared to be linked to a web hosting provider in Thailand, and 34.7% of all phishing pages targeting Bradesco bank came from this web hosting provider. Although the websites carrying phishing pages on this hosting had been built with different technologies, the phishing pages themselves had a common signature. This led the analysts to suspect that the websites had been attacked by the same person. Furthermore, the attacker may have gained access to the websites by breaking directly into the management system of the web hosting rather than attacking each website, built with different technologies, individually.
In an attempt to solve the case, ThaiCERT contacted the administrators of the web hosting service provider, informed them of the investigation and advised them on how to enhance system security to prevent intrusion. The suggestions led to improvement: between July and December 2012, there were no reports of Bradesco bank phishing pages on the attacked web hosting. We can therefore assume that attackers prefer to attack the vulnerable management systems of web hosting providers. This kind of attack is very effective, since even if the individual websites are sufficiently protected, a vulnerability in the central management system of the web hosting makes them likely to be compromised. However, a quick response by the web hosting provider to such a situation can make a real difference in mitigating the problem. It can be concluded that success in preventing such incidents depends highly on coordination between both sides, and incidents should be reported immediately after an attack is found.
5. CERTs and AEC 2015
5.1 The Roles of CERTs in AEC 2015
For over 10 years, ASEAN telecommunication and information technology infrastructure has been continuously developed by the member states with the purpose of improving the quality of life of the region’s more than 500 million people. These technological advances have been welcomed and pushed forward by the telecommunication and IT ministers of all ASEAN member states in an effort to make businesses more competitive, attract more investment, and increase ASEAN citizens’ potential to achieve a state of readiness for the advent of the AEC in 2015. To reach these goals, the ASEAN member states drafted the “ASEAN ICT Masterplan 2015” and ratified it at the “10th ASEAN Telecommunication and IT Ministers Meeting” on January 13-14, 2011, with the vision of moving towards an empowering and transformational ICT and creating an inclusive, vibrant and integrated ASEAN. To achieve this vision, the Masterplan identifies 6 strategic thrusts with concrete work plans, focusing on economic transformation, people empowerment and engagement, innovation, infrastructure development, human capital development and bridging the digital divide.
Strategy 2: People Empowerment and Engagement
Table 24: Strategy 2: People Empowerment and Engagement
Initiative 2.4 Confidence Reinforcement

Work Plan: Encourage Safe ASEAN Transactions
Explanation:
• developing Mutual Recognition Arrangements (MRA) for the use of common ASEAN electronic certifications within ASEAN member states.
• promoting the use of two-factor authentication in order to identify personal characteristics.

Work Plan: Promote Cyber Security Awareness to ASEAN citizens
Explanation:
• building public awareness on online system security.
• creating and fostering close cooperation between the private sector and the public.
Strategy 4: Infrastructure Development
Table 25: Strategy 4: Infrastructure Development
Initiative 4.2 Promote safe and stable network and information systems, information protection, and Computer Emergency Response Team (CERT) cooperation

Work Plan: Network Security Development
Explanation:
• establishing minimum standards of cooperative security to guarantee ASEAN network stability and readiness.
• monitoring network security by setting up and applying the so-called "ASEAN Health Screening" for networks and information systems.

Work Plan: Safety Information Development
Explanation:
• exchanging information on telecommunication infrastructure protection methods between ASEAN members.
Both strategies 2 and 4 of the ASEAN ICT Masterplan 2015 indicate the importance of fostering a safe and secure cyberspace by creating cybersecurity awareness among the public, the business sector and other relevant organizations, as well as by developing telecommunication infrastructure with appropriate cybersecurity measures.
In order to reach these targets, the Electronic Transactions Development Agency (Public Organization), or ETDA, has been assigned by the Ministry of Information and Communication Technology to become one of the country's main institutions taking on these challenges. ThaiCERT has represented ETDA in many ASEAN activities conducted under the Masterplan, including being an active member of the ASEAN Network Security Action Council (ANSAC).
5.2 The ASEAN Members' CERT Reports
The cross-border nature of cyber attacks makes it important to share cybersecurity information and intelligence. They are often shared at the level of CERT operations through a trusted network of incident responders. Cyber-attack patterns can potentially be extracted from data shared by the CERTs. We have selected ASEAN+3 cyber-attack data from the APCERT annual report 2011 and elaborate on them here to illustrate cybersecurity trends in this region, where ASEAN+3 means ASEAN plus the Republic of China, Japan and the Republic of Korea, and APCERT stands for Asia Pacific Computer Emergency Response Team. APCERT is a cooperation of 22 Asia Pacific organizations from 19 economic zones. All 16 organizations from 11 countries in ASEAN+3 are shown in Table 26.
Table 26: List of ASEAN+3 CERT members in APCERT
Name | Country
Bach Khoa Internetwork Security Center (BKIS) | Vietnam
Brunei Computer Emergency Response Team (BruCERT) | Brunei
CERNET Computer Emergency Response Team (CCERT) | China
National Computer network Emergency Response technical Team / Coordination Center of China (CNCERT/CC) | People's Republic of China
Indonesia Computer Emergency Response Team (ID-CERT) | Indonesia
Indonesia Security Incident Response Team on Internet Infrastructure Coordination Center (ID-SIRTII/CC) | Indonesia
Japan Computer Emergency Response Team / Coordination Center (JPCERT/CC) | Japan
Korea Internet Security Center (KrCERT/CC) | Korea
Malaysian Computer Emergency Response Team (MyCERT) | Malaysia
Philippine Computer Emergency Response Team (PHCERT) | Philippines
Singapore Computer Emergency Response Team (SingCERT) | Singapore
Thailand Computer Emergency Response Team (ThaiCERT) | Thailand
Vietnam Computer Emergency Response Team (VNCERT) | Vietnam
Government Computer Security and Incident Response Team (GCSIRT) | Philippines
Myanmar Computer Emergency Response Team (mmCERT) | Myanmar
National University of Singapore Computer Emergency Response Team (NUSCERT) | Singapore
Note that LaoCERT (Laos) and CamCERT (Cambodia) were not members of APCERT at the time the APCERT annual report 2011 was published.
Figure 25: Number of cyber attacks reported to ASEAN+3 CERTs during 2007-2011
This graph displays the number of reported cyber attacks within ASEAN+3 countries from 2007 up to 2011 (5 years). It shows that the attacks tended to increase continuously over that 5-year period. CERTs that reported more than 10,000 cases per year are MyCERT, CNCERT/CC, JPCERT/CC and KrCERT/CC, while BruCERT, ID-SIRTII, PHCERT, ThaiCERT and VNCERT reported fewer cases, each below 5,000 cases in 2011.
Table 27 illustrates the percentage of the various types of cyber attack with respect to the number of reported cases for ASEAN+3 CERTs. Note that the data presented are from BruCERT, ID-SIRTII, MyCERT, ThaiCERT, VNCERT, CNCERT/CC, JPCERT/CC and KrCERT/CC. The information that ThaiCERT contributed to the APCERT annual report 2011 included all attack cases reported during July-December 2011 under the management of the Electronic Transactions Development Agency (Public Organization). However, CNCERT/CC and JPCERT/CC did not submit any information on spam cases found in their auto-feed systems.
Remarks: PHCERT did not contribute to the 2011 annual report, and SingCERT did not reveal its threat cases but only stated, in the APCERT 2011 annual report, that fraud cases were the most reported attacks.
Table 27: The ASEAN+3 cyber attack types reported in the APCERT annual report 2011
Figure 26: Proportion of threats, sorted by ASEAN+3 countries as shown in the APCERT annual report 2011
From Table 27 and Figure 26, we can see that malicious code cases had the highest percentage (more than 50%) compared to other types of attacks for Brunei and South Korea in 2011. For Indonesia and Japan, the majority of the reported cases, more than 80% and 60% respectively, were information gathering and intrusion attempt attacks. For Malaysia, Thailand, Vietnam and China, fraud cases were reported the most.
All the data for 2011 lead to the conclusion that cyber attacks within ASEAN+3 are on the rise, and the top types of attacks are information gathering, intrusion attempts and fraud.
5.3 Strengthening Collaboration of CERT Networks
5.3.1 Building Networks
Coping with cyber threats effectively requires relevant parties to collaborate, particularly those directly in charge of IT security administration. Most of the time, CERTs do not have the legal power to enforce any law. They rely on collaboration and create networks such as FIRST, APCERT and OIC-CERT. As members of a network, CERTs can together exchange information and deal with threats more effectively. Thailand saw the global benefits of such collaboration and has been an active member of APCERT, FIRST and other CERT communities.
The Asia Pacific Computer Emergency Response Team (APCERT) consists of more than 22 members from 19 economic zones. Its vision is to promote cybersecurity and feasibility among members through international cooperation. APCERT members meet annually to share information and lessons learned on dealing with cybersecurity incidents. Additionally, they conduct annual incident drills to test their efficiency and revise their incident handling guidelines if necessary.
The Forum of Incident Response and Security Teams (FIRST) has more than 260 members. It aims to promote collaboration among members in dealing with threats effectively by using shared guidelines, tools and secured communication channels. Members of FIRST can create joint task forces to carry out collaborative work of interest using their expertise. For example, the CVSS Special Interest Group (CVSS SIG) is responsible for creating a guideline for the assessment of the severity of system vulnerabilities. The Metrics SIG is responsible for creating guidelines for evaluating the effectiveness of incident handling. The Network Monitoring SIG promotes the collection and analysis of data from sensor networks and looks for malicious activities in computer networks. The Malware Analysis SIG aims to promote tools and methods for malware analysis.
All these initiatives are beneficial for CERT communities and their constituencies globally, as they promote collaboration among members, enhance capacities in handling threats and ensure international standards of incident handling practice.
5.3.2 Point of Contact
Handling cybersecurity incidents requires extensive coordination at both organizational and national levels. A key element of successful incident handling is the Point of Contact (PoC), an organization's representative, who needs to be sufficiently IT-competent and well equipped with tools to ensure prompt and effective coordination when the organization faces threats.
As the PoC is a vital role in incident handling, PoC information must always be updated when there are changes such as a change of coordinator or a change of communication channels. The PoC information should be made available to the public. At present, CERT networks have initiated several measures to consolidate PoC information and keep the public updated. For example, the FIRST PoC list is published at http://www.first.org/members/teams (31); it lists more than 260 entries. The list enables information sharing with the PoCs by telephone, facsimile and email. PGP is employed to verify the identity of senders and recipients; it also allows message encryption for communicating sensitive information.
31 http://www.first.org/members/teams, accessed 31 August 2012
5.3.3 Threat Information Service
Successful threat management requires an organization to be proactive. Some organizations have the ability to monitor their network activities, while others are unable to do so. Nevertheless, several independent institutions have initiated threat data collection and provide the data to their members. With that data, the members can promptly take action against the threats. For example, the Anti-Phishing Working Group (APWG) and PhishTank, operated by OpenDNS, collect and distribute information about phishing attacks. The information includes phishing URLs, which can be used by the relevant CERTs for immediate incident handling.
In addition, CERTs also exchange threat information among themselves. The information includes threat origins and characteristics, possible prevention measures and solutions. Any organization can use this type of information to alert other organizations that may possibly be targets of a similar threat. Such initiatives help enhance awareness and prepare many organizations for tackling cyber threats.
5.3.4 Standards on Threat Information
One of the main problems of information exchange on cyber attacks is that the format of the information to be shared is not standardized. This requires additional work to consolidate and prepare data so that it can be shared with other parties. To tackle this issue, CERT networks initiated common information standards to increase effectiveness. Among these is the Incident Object Description Exchange Format (IODEF), documented in RFC 5070 (32) and approved by the Internet Engineering Task Force (IETF). Furthermore, the Common Vulnerability Scoring System (CVSS) was developed as a common evaluation standard measuring the severity of vulnerabilities. CVSS creates a common understanding of severity levels.
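The IODEF format mentioned above in practice, as an added example that is not part of the report: a Python script that builds a minimal IODEF 1.0 document for a hosted phishing page, of the kind one CERT would pass to a hosting provider or another CERT, and parses it back on the receiving side. The RFC 5070 namespace and element names are real; the incident id, contact, host name, IP address and timestamp are constructed placeholders.

```python
"""Build and parse a minimal IODEF 1.0 (RFC 5070) incident report.

Added example; not code from ThaiCERT, APCERT or the IETF. Every concrete
value (incident id, contact, host name, IP address, timestamp) is a constructed
placeholder chosen to mirror the hosting-provider phishing case in this report.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"  # namespace fixed by RFC 5070
NSMAP = {"iodef": IODEF_NS}
ET.register_namespace("iodef", IODEF_NS)


def q(tag):
    """Qualify a tag name with the IODEF namespace for ElementTree."""
    return "{%s}%s" % (IODEF_NS, tag)


def build_phishing_report(incident_id, reporter, email, impersonated_brand,
                          host_name, host_ip, report_time):
    """Return an IODEF-Document (bytes) describing one hosted phishing page.

    Uses the elements RFC 5070 requires on Incident (IncidentID, ReportTime,
    Assessment, Contact) plus EventData, so the receiving team gets the
    offending host as structured data rather than free text.
    """
    root = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    # purpose="mitigation": the sender wants the recipient to act on the page.
    inc = ET.SubElement(root, q("Incident"), {"purpose": "mitigation"})
    # The name attribute identifies the CERT that assigned the incident id.
    ET.SubElement(inc, q("IncidentID"), {"name": reporter}).text = incident_id
    ET.SubElement(inc, q("ReportTime")).text = report_time.isoformat()
    ET.SubElement(inc, q("Description")).text = (
        "Phishing page imitating %s found on shared web hosting" % impersonated_brand)
    # Impact type "social-engineering" is one of the RFC 5070 enumerated values.
    assessment = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assessment, q("Impact"), {"type": "social-engineering",
                                            "severity": "medium",
                                            "completion": "succeeded"})
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator",
                                                "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = reporter
    ET.SubElement(contact, q("Email")).text = email
    # EventData/Flow/System[category=source]: the host serving the page.
    flow = ET.SubElement(ET.SubElement(inc, q("EventData")), q("Flow"))
    system = ET.SubElement(flow, q("System"), {"category": "source"})
    node = ET.SubElement(system, q("Node"))
    ET.SubElement(node, q("NodeName")).text = host_name
    ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = host_ip
    service = ET.SubElement(system, q("Service"), {"ip_protocol": "6"})  # TCP
    ET.SubElement(service, q("Port")).text = "80"
    return ET.tostring(root, encoding="utf-8")


def parse_report(xml_bytes):
    """Extract the fields a receiving CERT acts on; reject malformed input."""
    root = ET.fromstring(xml_bytes)
    if root.tag != q("IODEF-Document"):
        raise ValueError("not an IODEF 1.0 document: %s" % root.tag)
    inc = root.find("iodef:Incident", NSMAP)
    if inc is None:
        raise ValueError("IODEF-Document without Incident")
    iid = inc.find("iodef:IncidentID", NSMAP)
    impact = inc.find("iodef:Assessment/iodef:Impact", NSMAP)
    report_time = inc.findtext("iodef:ReportTime", namespaces=NSMAP)
    if iid is None or impact is None or report_time is None:
        raise ValueError("Incident is missing a required element")
    # Only addresses explicitly marked as the attack source are collected.
    sources = [a.text for a in inc.findall(
        "iodef:EventData/iodef:Flow/iodef:System[@category='source']"
        "/iodef:Node/iodef:Address[@category='ipv4-addr']", NSMAP)]
    return {
        "incident_id": iid.text,
        "assigned_by": iid.get("name"),
        "purpose": inc.get("purpose"),
        "report_time": datetime.fromisoformat(report_time),
        "impact_type": impact.get("type"),
        "severity": impact.get("severity"),
        "contact_email": inc.findtext("iodef:Contact/iodef:Email", namespaces=NSMAP),
        "sources": sources,
    }


def example_report():
    """Constructed sample: the kind of report a CERT might send to a hoster."""
    return build_phishing_report(
        incident_id="PH-2012-0001",            # placeholder id
        reporter="ThaiCERT",
        email="report@example.org",            # placeholder address
        impersonated_brand="Bradesco",
        host_name="shared-host.example.net",   # placeholder host
        host_ip="192.0.2.10",                  # RFC 5737 documentation range
        report_time=datetime(2012, 7, 2, 9, 30, tzinfo=timezone.utc),
    )
```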
32 http://www.ietf.org/rfc/rfc5070.txt, accessed 31 August 2012
5.3.5 Incident Drill
Incident drills are a regular CERT practice. They aim to test the existing threat management process and the decision making of relevant personnel by using a mock situation. This activity can enhance confidence at the organizational level by helping an organization prepare its staff to react to cybersecurity incidents effectively. The preparedness theoretically reduces cybersecurity risks and will help limit any damage that might result from an incident.
The drill can be conducted at different levels. The most basic form of drill can be done by inviting relevant staff members in and assigning them different roles in a scenario. They then have to discuss and make decisions on how to handle the incident in the scenario. The exercise can also be conducted in a more realistic setting, with simulated incidents using real computer and network systems. The result of the exercise can be used to improve incident handling procedures.
5.3.6 Deploying Network Sensors
Some CERTs create their own surveillance system to detect anomalies within computer networks by using log monitoring software or sensors. These sensors are normally installed around the world to analyze unusual data flows. For instance, if a sensor detects high Denial of Service (DoS) attack traffic from different countries, the surveillance system can send an alert to a designated person.
JPCERT/CC developed Tsubame, a Japanese sensor network with worldwide coverage. It collects originating IP addresses, originating port numbers, and arrival times. The traffic data are processed and animated to help understand the situation visually and to help anticipate other possible incidents. The Tsubame project was developed to reduce cyber risks. The development of such tools for scanning, detecting and tracing attacks should be a priority for Thailand. This highlights the importance of research and development in cybersecurity.
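An added example, not code from Tsubame, JPCERT/CC or ThaiCERT, of the alerting described above: a sliding-window detector over sensor records (arrival time, origin IP, origin port, destination port) that raises an alert when one destination port receives a burst of packets from several origin countries. The record format, the sample records and the network-to-country table are constructed; a real sensor network would use its own feed and a GeoIP database.

```python
"""Alert on traffic bursts seen by a sensor network.

Added example; not JPCERT/CC's Tsubame or ThaiCERT code. The record format,
the sample records and the network-to-country table are all constructed; a
real deployment would read its own sensors' records and resolve countries
with a GeoIP database.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a GeoIP lookup: origin network -> country code.
COUNTRY_BY_NET = {
    ipaddress.ip_network("198.51.100.0/24"): "AA",
    ipaddress.ip_network("203.0.113.0/24"): "BB",
    ipaddress.ip_network("192.0.2.0/24"): "CC",
}


def country_of(ip):
    """Return the country code for an origin IP, or '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, code in COUNTRY_BY_NET.items():
        if addr in net:
            return code
    return "??"


def parse_record(line):
    """Parse '<arrival-time> <src-ip> <src-port> <dst-port>' (constructed format).

    The first three fields are what the text says the sensors collect (arrival
    time, origin IP, origin port); the destination port is the service probed.
    """
    arrival, src_ip, src_port, dst_port = line.split()
    return {
        "time": datetime.strptime(arrival, "%Y-%m-%dT%H:%M:%SZ"),
        "src_ip": src_ip,
        "src_port": int(src_port),
        "dst_port": int(dst_port),
    }


def detect_bursts(records, window=timedelta(seconds=60),
                  min_packets=20, min_countries=3):
    """Flag destination ports that receive >= min_packets within `window`
    from >= min_countries distinct origin countries.

    `records` must be sorted by arrival time. A sliding window per port is
    kept in a deque; one alert is raised per port per window so that a
    sustained flood does not produce an alert for every packet.
    """
    alerts = []
    recent = defaultdict(deque)   # dst_port -> deque of (time, country)
    last_alert = {}               # dst_port -> time of the last alert
    for rec in records:
        port = rec["dst_port"]
        seen = recent[port]
        seen.append((rec["time"], country_of(rec["src_ip"])))
        while seen and rec["time"] - seen[0][0] > window:
            seen.popleft()        # drop packets that fell out of the window
        countries = {code for _, code in seen}
        if len(seen) >= min_packets and len(countries) >= min_countries:
            previous = last_alert.get(port)
            if previous is None or rec["time"] - previous > window:
                last_alert[port] = rec["time"]
                alerts.append({
                    "dst_port": port,
                    "at": rec["time"],
                    "packets": len(seen),
                    "countries": sorted(countries),
                })
    return alerts


def run_detection(lines, **thresholds):
    """Parse raw sensor lines, order them by arrival time and run detection."""
    records = sorted((parse_record(l) for l in lines), key=lambda r: r["time"])
    return detect_bursts(records, **thresholds)


def sample_log_lines():
    """Constructed sensor log: a burst on port 80 from three countries within
    30 seconds, plus sparse port-22 probes from a single origin."""
    start = datetime(2012, 8, 31, 10, 0, 0)
    origins = ["198.51.100.7", "203.0.113.9", "192.0.2.45"]
    lines = []
    for i in range(30):
        t = start + timedelta(seconds=i)
        lines.append("%s %s %d 80" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                       origins[i % 3], 40000 + i))
    for i in range(10):
        t = start + timedelta(seconds=30 * i)
        lines.append("%s 198.51.100.7 %d 22" % (t.strftime("%Y-%m-%dT%H:%M:%SZ"),
                                                 50000 + i))
    return lines


if __name__ == "__main__":
    for alert in run_detection(sample_log_lines()):
        print(alert)
```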
6. Threats VS Privacy
Threats often come in the form of privacy violations such as personal data theft, where the stolen data is then used for fraud. According to threat statistics, the trend shows significant growth. Personal data protection, or privacy, has been a critical issue and has been raised in various international arenas such as United Nations, APEC, ASEAN and Organization for Economic Co-operation and Development (OECD) conferences. This highlights the need for prevention measures, both legal and practical ones (soft law), as well as for raising awareness among the public regarding the threats, prevention measures and impacts of threats such as identity theft and personal data abuse. For example, spam or phishing can be used to steal a person's personal data, and an attacker can use the stolen data to impersonate the victim to gain financial information. A more serious case, which can be a matter of life and death, would be unauthorized access to and modification of medical diagnosis or prescription information. However, not many people in Thailand and other Asian countries are aware of these threats and their potential consequences. People still believe that they do not affect their lives directly, even though many of their daily activities are recorded and processed on computers and social networks.
Despite a misconception about the "Right to Privacy", which many still understand to refer only to personal data, Article 35 of the Thai Constitution states that:
"A person's family rights, dignity, reputation and the right of privacy shall be protected. The assertion or circulation of a statement or picture by any means to the public which violates or affects a person's family rights, dignity, reputation or the right of privacy, shall not be made except in the case which is beneficial to the public. A person shall have the right to be protected from illegal use of his or her personal information as provided by law."
According to the above statement, "personal data" can be observed from four (4) different perspectives:
• Communication Privacy. This refers to legal protection of the security and privacy of correspondence, telephone calls, emails or other private means of communication;
• Territorial Privacy refers to prohibiting intrusion into or trespassing on a personal area, including CCTV installation and ID pass inspection for residential access;
• Bodily Privacy focuses on the protection of one's physical body. For example, genetic testing and drug testing are prohibited; and
• Information Privacy concerns the data protection of an individual. It governs procedures regarding personal data collection and management.
Privacy violation is not a new threat. Over the past decades, organizations and governments in many countries have attempted to establish universal standards for the protection of privacy and the prevention of privacy violations under mutual agreements, e.g. as outlined in Article 12 (33) of the Universal Declaration of Human Rights 1948, which states that: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks." This statement set a milestone for countries to develop sufficient privacy protection for their own citizens.
In response to personal data protection in Thailand, several Articles in Thai laws govern privacy. However, "Personal Information" is defined in different contexts, resulting in misunderstanding. Generally, personal information includes any form of data which can directly or indirectly be related to its owner, e.g. ID card number, last name, telephone number, address, images, emails, banking statements, transcripts etc. This information is often used and publicized without permission, making it very necessary to expedite the Data Protection Law, which has been in the review process for more than 10 years. The draft aims to be a mutual legal framework and to enhance public confidence by establishing a standard for storing and using data securely. The urgency of the matter has led many countries, such as Malaysia and South Korea, to appoint responsible agencies taking charge of personal data and security under the same agency.
33 Article 12 of the Universal Declaration of Human Rights 1948: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."
Technology has become a major part of our lives. It offers us convenience in our daily life, with a borderless network for information exchange and access to popular social networks. Despite such convenience, there is a risk to the privacy of large amounts of personal information. Information technology makes it more feasible for intrusion or privacy violation to occur without being noticed. The following examples reflect some of these violations:
1. Three US telecommunication giants, BellSouth, Verizon and AT&T, were sued by 26 people in 18 states for compensation worth $200,000 for their violations of personal data: the companies had signed contract agreements to reveal telephone usage data to the National Security Agency (NSA) without permission. The data was supposedly to facilitate constitutional telephone tracking projects to track down terrorist networks. To do this the NSA depends on spying methods such as intercepting telephone, radio, internet and other communication channels.
2. Several tracking measures have been implemented for online personal tracking through the use of cookies, web bugs, web tracking spyware, packet sniffers, keystroke loggers or the FBI Carnivore system. These programs can easily track personal computer usage and spy on private data online.
3. An employee of the Social Security Office was fired for leaking the personal information of factory employees to debt collectors, who had been hired to push the debtors to settle their payments.
4. It is common practice among financial institutions in both the banking and non-banking sectors to ask their clients to sign a form approving the use of their personal information when they apply for a credit card. Those companies will eventually sell their clients' personal information at a rate of 1-1.5 Baht per person. The buying institution then sorts the names and data according to the clients' preferences before sending the clients marketing materials for such products along with an invoice.
5. The growth of data trading websites is significant. The traded data are mainly official data such as criminal records, civil registration records, arrest warrants, pictures or videos of extramarital affairs, debt collection records, or past mobile phone records. Those websites require clients to leave their contact details, to hide themselves from police investigation. The service fee is also stated on the page.
6. Cyber stalking is another internet-based infringement. It is the act of observing, threatening or disturbing certain Internet users by sending emails or posting texts or images on web boards, in chat rooms or on social network platforms such as Facebook, Instagram and Twitter. Such activities cause anxiety and fear for the security of property and life among internet users, which negatively affects their mental condition.
Besides the cases mentioned above, many other methods of infringement are in use, such as popup advertisements, identity theft, the use of spyware to steal personal information, email marketing, sending spam (which also disturbs users), fraud, counterfeiting, or the risk of becoming a victim of information warfare and terrorism using cyber attacks.
Hence, it is obvious that privacy violations tend to increase exponentially in number and severity. This is in many ways considered a type of threat which causes damage no less severe than other threats. The impact of such personal data violations is as widespread as that of cybersecurity threats. Violation of personal data can negatively impact the security of life and property, or even a society's security. Concerning such violations, many countries have initiated strong legal standards such as a personal data protection law (34) or laws to tighten the regulation of offences, and promoted social standards to enhance awareness among citizens. However, when taking a look at the situation in Thailand, it becomes obvious that public awareness is still on the way. This is true despite the fact that several laws on privacy rights do exist, such as Section 35 of the Thai Constitution; the Government Information Act 1997 (B.E. 2540), which determines the measures for the protection of personal data in governmental agencies; the Business Credit Information Act 2002 (B.E. 2545), which determines the measures for protection of personal data in the possession of financial institutions; and the Electronic Transactions Act 2001 (B.E. 2544), which includes a guideline and policy on personal data protection within government agencies 2010 (B.E. 2553). However, these laws are overall not inclusive, specific and comprehensive enough to sufficiently control all the agencies which collect personal data. Measures taken in some of these laws do not meet international standards.
34 The Organization for Economic Co-operation and Development (OECD) determined the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, helping countries to create standards. For details, please visit http://www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsof-personaldata.htm
For the public sector, in response to the announcement of the Electronic Transactions Commission on personal data protection, only a very small number of agencies submitted their policies on personal information protection to the Electronic Transactions Commission. Some agencies collect large amounts of personal data. This may affect the level of confidence in the administration of government if personal data is stolen.
Therefore, all sectors should engage and collaborate in order to solve these problems. The government has to implement strict measures to ensure and protect the privacy of its citizens. In addition, the private sector should implement self-regulation by promoting awareness among social network users regarding their rights to privacy, or by introducing technical measures such as privacy settings for social network accounts in order to reduce violations. Last but not least, users should also be aware of and recognize their privacy as a basic right. Such an attitude, together with cooperation among different authorities, can ensure effective protection and reduce damage for the people of Thailand.
7. Is Thailand prepared for cyber threat?
Since ThaiCERT's establishment under ETDA in 2010, it has implemented two incident report channels: auto-feeds from partners' networks, and email reports from general users. Analysis of the collected statistics indicates that the main cause of IT security issues is a lack of awareness or knowledge about information security among users.
a.) System Administrators
Most threats faced by administrators are related to either servers being attacked or servers being used by hackers to attack other computer systems. This includes, for instance, sending spam email, Denial of Service (DoS) attacks and using servers for fraudulent purposes. Such problems are facilitated by incompetent administration and outdated maintenance, leading to vulnerabilities which allow attackers to access systems without authorization and continue with their infringing activities.
b.) General Users
In general, the main cause of a computer being infected by malware is the use of pirated operating systems and software, which prevents the regular updates that would remove system vulnerabilities. Lack of awareness concerning protection and risk-taking behavior also play an important role and frequently lead to vulnerability, including visiting suspicious websites, downloading and executing software, or opening email attachments without prior verification. This behavior makes the computer susceptible to malware and, in some cases, enables attackers to take control of the computer and start sending spam emails or intercepting information transmitted by the user.
In addition, compromised computers and computer systems can spread security risks in various forms and cause damage to individuals, organizations and national infrastructure. There is the case, for example, of a web server in Thailand that was hacked and used to create a phishing site because the network administrators neglected to secure the operating system and software, close all unnecessary ports and keep the software up to date. Consequently, the system was vulnerable to attackers who committed crimes by creating web pages to steal others' personal information.
Cyber threats can cause severe consequences if users are not aware of the importance of IT security. Technology is advancing continuously and rapidly along with the growth and consumerization of mobile devices together with the trend of "bring your own device (BYOD)". Furthermore, cyber threats not only pose risks to various aspects of IT security (e.g., confidentiality, integrity, availability), but also impact personal information privacy.
For effective protection of information security, Thailand has to prepare the following:
Development of necessary infrastructure
• Develop and enhance the capacities of officers in charge of IT security and train security personnel to internationally recognized standards, together with promoting awareness among users of possible threats of system attacks.
• Develop a legal framework that is viable for law enforcement so that relevant officers, such as the police, judicial officials or other competent officers, can suppress and prosecute criminals efficiently.
Preparation
• Promote IT security research and development in order to prepare for possible threats and to reduce dependency on foreign security technology.
• Establish an institution or organization to support key national agencies in responding to threats.
• Create an agency to support key national agencies in threat management and to support the National IT Security Plan, which provides direction and integration of public and private operations regarding threat response and management.
• Strength cooperation with foreign institutions in responding to and resolving threats which attack the systems of national agencies.
• Build national capacity and competitiveness in preparation for the AEC.
Integration
• Integrate IT security awareness-raising activities for users, consumers, policy makers, regulators and relevant agencies.
• Create mechanisms among relevant agencies to ensure a unified threat response.
As illustrated above, current IT security operations are being restructured to facilitate upgrading to international standards. This situation is reflected in the publication of the Royal Decree on Rules and Procedures of the Public Sector's Electronic Transactions B.E. 2549 (2006) and the Royal Decree on Security Techniques in Performing Electronic Transactions B.E. 2553 (2010). As of December 2012, there are 56 approved agencies which issued policies and regulations regarding IT security between 1990 and 2012. In response to MICT instructions to promote and implement IT security policy, the Office of the Electronic Transactions Commission has implemented several measures to promote such instructions through activities such as seminars, which have been well attended. To ensure effectiveness, the National Cybersecurity Committee, on which the Prime Minister serves as chair, was set up to draft the National Cybersecurity Policy Framework as well as the National Cybersecurity Master Plan. The committee serves as an integration mechanism for information exchange and collaboration among different agencies and sectors. Presently, the crucial challenge is the lack of knowledge and awareness among executives and their employees. Such issues make it more difficult to respond promptly to threats that can potentially occur at any given time. Since human resources are the most important mechanism to prevent and respond to threats, all personnel should be trained to recognize cyber threats and be able to react appropriately in a collaborative manner to ensure efficiency. Success depends not only on government agencies or private institutions, but also on collaboration with civil society to help spread useful information to the general public. The initiatives mentioned highlight the importance of capable human resources and the urgent need to develop IT security professionals in order for Thailand to be better prepared in threat prevention, suppression and collaboration among involved parties.
In summary, ETDA has appointed ThaiCERT to be a key mechanism in the cybersecurity arena and aims to work proactively to ensure safety and security. During its initial four years, ETDA has prepared itself to serve as a key mechanism in Thailand's cyber threat response, as well as to build and coordinate collaboration among involved domestic and international entities. ETDA aims to ensure Thailand's readiness and capacity to respond to any future threats.
8. Appendix
8.1 Appendix A
Classification of Threats
The Electronic Computer Security Response Team network (eCSIRT.net) categorizes threats into 8 classes. Some threats may overlap, but each incident is sorted into one main category. For example, if an intruder accesses a system, escalates to root privilege and, as a result, steals important information, the intrusion is categorized as Privileged Account Compromise. Table 28 below defines eCSIRT's classification of threats.
Table 28: Classification of Threats according to eCSIRT.net
Columns of the original table: Incident Class (mandatory input field); Incident Type (optional but desired input field); Description / Examples.

Abusive Content
  Spam: Or "unsolicited bulk email"; this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a large collection of messages, all having identical content.
  Harassment: Discrimination of somebody (i.e. cyberstalking).
  Child/sexual/violence: Child pornography, glorification of violence, ...

Malicious Code
  Virus, Worm, Trojan, Spyware, Dialer: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.

Information Gathering
  Scanning: Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT).
  Sniffing: Observing and recording of network traffic (wiretapping).
  Social engineering: Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

Intrusion Attempts
  Exploiting of known vulnerabilities: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name (e.g. buffer overflow, backdoors, cross-site scripting, etc.).
  Login attempts: Multiple login attempts (guessing/cracking of passwords, brute force).
  New attack signature: An attempt using an unknown exploit.

Intrusions
  Privileged account compromise, Unprivileged account compromise, Application compromise: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access.

Availability
  DoS, DDoS, Sabotage: By this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN or PING flooding or email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.).

Information Security
  Unauthorised access to information, Unauthorised modification of information: Besides local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks are possible that intercept and access information during transmission (wiretapping, spoofing, or hijacking).

Fraud
  Unauthorized use of resources: Using resources for unauthorized purposes, including profit-making ventures (e.g. the use of email to participate in illegal profit chain letters or pyramid schemes).
  Copyright: Selling or installing copies of unlicensed commercial software or other copyright-protected materials (warez).
  Masquerade: Type of attack in which one entity illegitimately assumes the identity of another in order to benefit from it.

Other
  All incidents which don't fit in one of the given categories should be put into this class. If the number of incidents in this category increases, it is an indicator that the classification scheme must be revised.

Source: http://www.ecsirt.net/cec/service/documents/wp4-pub-userguide-v10.html (accessed on 10 November 2012)
8.2 Appendix B
Table 29: Glossary

Abusive Content: Content such as child pornography, glorification of violence and spam is considered abusive content.
Malicious Code: Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.
Information Gathering: Gathering information about a system in order to find its vulnerabilities and use them to attack the system. It also includes gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).
Intrusion Attempts: An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardized identifier such as a CVE name. Intrusion attempts also include multiple login attempts such as guessing/cracking of passwords (brute force).
Intrusions: Successful compromise of a system or application (service). This can be caused remotely by a known or new vulnerability, but also by unauthorized local access.
Availability: By this kind of attack a system is bombarded with so many packets that operations are delayed or the system crashes. Examples of a remote DoS are SYN or PING flooding or email bombing (DDoS: TFN, Trinity, etc.). However, availability can also be affected by local actions (destruction, disruption of power supply, etc.).
Fraud: The use of internet services such as websites or email to defraud victims or otherwise take advantage of them, for example by stealing personal information, which can even lead to identity theft.
DDoS: A technique for attacking the availability of a system from many computers at the same time. DDoS makes services run improperly, causing them to be delayed or to go down; for example, a web server cannot provide service because it receives too many requests from clients.
Brute Force: An attack to obtain a username or password by checking all possible values until the correct one is found. This kind of attack is only effective against systems with improper configuration, such as usernames and passwords that are easy to guess. CAPTCHA is one measure to protect a website from brute force.
Phishing: The act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.
Botnet: Malware that can be controlled by attackers to carry out malicious activities such as DDoS attacks or stealing secret data.
Rustock: Botnet malware installed on the Windows operating system. It is capable of DDoS attacks, and its main function is spamming. Statistics show that this malware can send over 25,000 emails per hour. According to Microsoft, around 2.5 million computers were attacked worldwide.
Kelihos: Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks and send spam.
Feodo: Botnet malware installed on the Windows operating system aiming to steal online transaction information.
DDoS_dirtjumper: Botnet malware installed on the Windows operating system with the ability to perform DDoS attacks.
Conficker: Worm malware installed on the Windows operating system aiming to interrupt the availability of the system. For example, it can disable logging in to Windows, automatic Windows Update and Windows Defender. It also makes the network respond more slowly than normal. It can spread to other computers through network shares and attack via the vulnerability MS08-067.
Zeus: Botnet malware installed on the Windows operating system aiming to steal users' online transaction information.
Virut: Botnet malware installed on the Windows operating system aiming to download and install other malware on computers.
TDSS: Botnet malware installed on the Windows operating system aiming to download and install other malware on computers.
Worm_boinberg: Worm malware installed on the Windows operating system and controlled by an IRC server. Generally it spreads over Windows Live Messenger, USB drives and compressed files such as RAR and ZIP. The malware makes the computer work slowly and steals information such as usernames and passwords.
Torpig: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.
Carberp: Botnet malware installed on the Windows operating system aiming to steal users' online transaction information.
Spyeye: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.
Ramnit: Botnet malware installed on Windows operating systems and created in 2010. In its first period this botnet malware was not dangerous, but nowadays it can steal online transaction information as well. Ramnit can spread through USB drives.
Gozi: Botnet malware installed on Windows operating systems aiming to steal users' online transaction information.
Gbot: Botnet malware installed on Windows operating systems that is capable of DDoS attacks and of downloading and installing other malware for the purpose of fraud and stealing online transaction information.
C&C Server: Stands for Command and Control Server; it has the ability to contact botnet malware and attack other computers in the form of DDoS.
Domain Name: A domain name (for instance, "example.com") is an identification string that defines a realm of administrative autonomy, authority, or control on the Internet. It can be used instead of an IP address.
Corporate: Internet network for agencies or organizations with fixed IP addresses.
Broadband: Internet network with dynamic IP addresses which vary with the ISP's network. Broadband is used in homes or small offices.
Stormworm: Storm worm is botnet malware, but unlike other botnet malware that uses a server-client model, Storm worm uses a peer-to-peer model and spreads by itself via spam mails.
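The overlap rule stated with Table 28 (an incident that reached root is filed under the single main category Privileged Account Compromise, even though it also involved login attempts and data theft) and the Brute Force entry of the glossary above can be combined into a small detection-and-classification routine. The following Python is an added example written for this appendix, not code from ThaiCERT or from eCSIRT.net. The sshd-style log lines are constructed, the failure threshold of five attempts per source address and the type precedence list are assumptions of the example, and the class and type names are those of Table 28.

```python
"""Added example: detect password guessing in auth logs and file the result
under one eCSIRT.net incident class/type (Table 28), resolving overlaps."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Incident classes and types of Table 28 (eCSIRT.net).
TAXONOMY = {
    "Abusive Content": ["Spam", "Harassment", "Child/Sexual/Violence"],
    "Malicious Code": ["Virus", "Worm", "Trojan", "Spyware", "Dialer"],
    "Information Gathering": ["Scanning", "Sniffing", "Social Engineering"],
    "Intrusion Attempts": ["Exploiting of known Vulnerabilities",
                           "Login attempts", "New attack signature"],
    "Intrusions": ["Privileged Account Compromise",
                   "Unprivileged Account Compromise", "Application Compromise"],
    "Availability": ["DoS", "DDoS", "Sabotage"],
    "Information Security": ["Unauthorised access to information",
                             "Unauthorised modification of information"],
    "Fraud": ["Unauthorized use of resources", "Copyright", "Masquerade"],
    "Other": [],
}

# Assumed precedence for picking the one main category when an incident spans
# several types: the furthest stage the attacker reached wins. This encodes the
# rule given with Table 28 (root compromise followed by data theft is filed as
# "Privileged Account Compromise", not as Information Security or an attempt).
PRECEDENCE = [
    "Privileged Account Compromise", "Unprivileged Account Compromise",
    "Application Compromise", "Unauthorised modification of information",
    "Unauthorised access to information", "Exploiting of known Vulnerabilities",
    "New attack signature", "Login attempts", "Scanning", "Sniffing",
    "Social Engineering",
]


def class_of(incident_type):
    """Return the Table 28 class of a type, or 'Other' for unknown types."""
    for cls, types in TAXONOMY.items():
        if incident_type in types:
            return cls
    return "Other"


def main_category(observed):
    """Reduce a set of observed types to the single (class, type) to report."""
    for t in PRECEDENCE:
        if t in observed:
            return class_of(t), t
    for t in sorted(observed):          # known type with no precedence entry
        if class_of(t) != "Other":
            return class_of(t), t
    return "Other", "Other"


# Constructed sshd-style log lines (RFC 5737 documentation addresses, not real data).
AUTH_LOG = """\
Jan 12 03:14:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:02 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 12 03:14:04 host1 sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jan 12 03:14:05 host1 sshd[2204]: Failed password for root from 203.0.113.7 port 51126 ssh2
Jan 12 03:14:07 host1 sshd[2205]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jan 12 03:14:09 host1 sshd[2206]: Failed password for root from 203.0.113.7 port 51132 ssh2
Jan 12 03:14:20 host1 sshd[2210]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Jan 12 03:15:02 host1 sshd[2211]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 12 03:15:03 host1 sshd[2211]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 12 03:15:04 host1 sshd[2211]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 12 03:15:05 host1 sshd[2212]: Failed password for alice from 198.51.100.5 port 40002 ssh2
Jan 12 03:15:06 host1 sshd[2213]: Failed password for alice from 198.51.100.5 port 40004 ssh2
Jan 12 03:16:40 host1 sshd[2220]: Accepted publickey for bob from 192.0.2.9 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port")


@dataclass
class Source:
    failures: int = 0
    observed: set = field(default_factory=set)


def analyse(log, threshold=5, privileged=("root",)):
    """Map each source address showing a password-guessing pattern to
    (main class, main type, all observed types). `threshold` failed logins
    from one address count as the Table 28 type "Login attempts"; a later
    success from that address is the attempt succeeding, i.e. an Intrusion of
    the privileged or unprivileged kind depending on the account."""
    sources = defaultdict(Source)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        outcome, user, ip = m.groups()
        src = sources[ip]
        if outcome == "Failed":
            src.failures += 1
            if src.failures >= threshold:
                src.observed.add("Login attempts")
        elif "Login attempts" in src.observed:
            src.observed.add("Privileged Account Compromise" if user in privileged
                             else "Unprivileged Account Compromise")
    return {ip: (*main_category(s.observed), frozenset(s.observed))
            for ip, s in sources.items() if s.observed}


if __name__ == "__main__":
    for ip, (cls, typ, seen) in analyse(AUTH_LOG).items():
        print(f"{ip}: {cls} / {typ}  (observed: {', '.join(sorted(seen))})")
```

Run as a script, it reports 203.0.113.7 as Intrusions / Privileged Account Compromise (the guessing run ended in a root login) and 198.51.100.5 as Intrusion Attempts / Login attempts; the single key-based login from 192.0.2.9 is not an incident. Keeping every observed type alongside the main category preserves the full picture for the responder while the report itself carries one class, as Table 28 requires.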
8.3 Appendix C
Subordinate Laws having Security Maintenance-Related Measures
Columns of the original table: Law; Law Enforcement Mechanisms (regulation / prevention / suppression, marked √); Principle.

Law: Penal Code Title V. Offence Relating to the Electronic Card
Enforcement mechanism marked: √
Principle: At present, there is a pervasive increase, both in number and in application type, in the usage of documents, materials or data made in the form of an electronic card, such as credit cards and debit cards, for the payment of goods, services and other kinds of debt. In addition, many crimes are committed and personal data stolen, which vastly affects the economy and consumers. Hence, it is appropriate to create criminal offences concerning electronic cards and electronic data-related crime, so that all forms of such crime are covered under the law and a suitable rate of penalty according to crime severity is provided.

Laws on Information Technology

Law: Electronic Transactions Act B.E. 2544 (2001) (Revised 2nd version) B.E. 2551 (2008)
Enforcement mechanism marked: √
Principle: To promote the construction of credible electronic transactions and certify the validity of electronic transactions as equal to paper-based ones.

Law: The Royal Decree prescribing criteria and procedures for Electronic Transactions of the Government Sector B.E. 2549 (2006)
Enforcement mechanism marked: √
Principle: To establish important rules and procedures on electronic transactions to be conducted by the public sector, in order to promote and support the capacity of the public sector to develop electronic transactions of the same standard and in the same direction.

Law: The Royal Decree on Security Procedures for Electronic Transactions B.E. 2553 (2010)
Enforcement mechanism marked: √
Principle: The Royal Decree applies to electronic transactions that affect national security, public order, or the general public, and to those of an agency or organization deemed to be the country's critical infrastructure. It stipulates the levels of security techniques and information security standards in accordance with the security procedures for each level.

Law: Notification of the Electronic Transactions Commission on Category of electronic transactions and Criteria for assessment of impact level of electronic transactions pursuant to Security Procedure B.E. 2555 (2012)
Enforcement mechanism marked: √
Principle: To specify the categories of electronic transactions and the criteria for assessing the level of impact of electronic transactions, for correct and appropriate application of information security procedures.

Law: Notification of the Electronic Transactions Commission on Information Security Standards in accordance with the Security Procedures B.E. 2555 (2012)
Enforcement mechanism marked: √
Principle: To set out information security standards in accordance with each level of security procedure derived from the impact assessment of electronic transactions.

Law: Notification of the Electronic Transactions Commission on Policy and Practice Guideline on Information Security of a State Agency B.E. 2553 (2010)
Enforcement mechanism marked: √
Principle: To set out a preliminary guideline for state agencies to establish policy and practice on maintaining information security, in order to make any of their operations done by electronic means reliable and compliant with international standards.

Law: Notification of the Electronic Transactions Commission on Policy and Practice in protection of personal information of the State agency B.E. 2553 (2010)
Enforcement mechanism marked: √
Principle: To set out a preliminary guideline for state agencies which collect, maintain, use, disseminate or otherwise process personal data of electronic transaction subscribers, to establish policy and practice on the protection of personal information in electronic transactions.

Law: Computer-Related Crime Act B.E. 2550 (2007)
Enforcement mechanisms marked: √ √
Principle: The Act aims at preventing and suppressing computer-related crime. It provides criminal penalties, the investigation procedure, the authority of the competent official, and the duty of service providers to store computer traffic data.

Laws relating to Telecommunication

Law: Telecommunications Business Act B.E. 2544 (2001)
Enforcement mechanism marked: √
Principle: To prescribe the criteria for applying for an operating license for the telecommunication business, the qualifications of applicants to be telecommunication business providers, and the provision of telecommunication network business.

Law: Notification of the National Telecommunications Commission on measures for protection of telecommunication users' rights relating to personal information, rights of privacy and freedom of communication through telecommunication
Enforcement mechanism marked: √
Principle: Because personal information of telecommunication users could be easily processed and disseminated to the public in a short period of time, which would affect the rights of privacy and freedom of communication through telecommunication, a legal measure is provided for protecting personal information, the rights of privacy and the freedom of communication through telecommunication.

Law: Regulation of the National Broadcasting and Telecommunications Commission on the exposure of information technology B.E. 2548 (2005)
Enforcement mechanism marked: √
Principle: To set out rules on organizing information transparently and in compliance with the Official Information Act B.E. 2540 (1997).

Law: Regulation of the National Broadcasting and Telecommunications Commission on Information Technology relating to Telecommunication Business B.E. 2550 (2007)
Enforcement mechanism marked: √
Principle: To set out the rules and procedures for management of information technology in the area of telecommunication business.

Finance and Banking Laws

Law: The Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008)
Enforcement mechanism marked: √
Principle: To regulate the operation of electronic payment service businesses in order to maintain financial and commercial stability. The Royal Decree sets the regulatory model and categorizes the appropriate types of electronic payment service business.

Law: Notification of the Electronic Transactions Commission on Rules, Procedures and Conditions for the Operation of Electronic Payment Service Business B.E. 2555 (2012)
Enforcement mechanism marked: √
Principle: To stipulate rules, procedures and conditions for the operation of electronic payment service businesses in addition to the rules provided under the Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551 (2008). The Notification provides additional qualifications for electronic payment service providers and sets out details of electronic payment service providers according to the table attached to the Royal Decree on Supervision of Electronic Payment Service Business B.E. 2551.

Law: Notification of the Bank of Thailand No. Sor Ror Khor 3/2552 on Information Security Policy and Measures for Operation of Electronic Payment Services Business
Enforcement mechanism marked: √
Principle: To be a guideline for prescribing policy and practice on information security and procedures for examination and maintenance of information security for electronic payment service providers.

Securities Laws

Law: Securities and Exchange Act B.E. 2535 (1992)
Enforcement mechanism marked: √
Principle: To set up the structure of an agency regulating the activities of the capital market and rules regulating the offering of securities, to support the development of the form of establishment of securities issuers, as well as internationalized rules for securities market regulation, including provisions on business transactions in the securities market, i.e. pledge of listed securities. The purpose of the Act is to facilitate the flow of activities in the capital market as well as to raise the level of investor protection.

Law: Notification of the Office of the Securities and Exchange Commission No. Sortor/Nor 32/2552 regulating operation and maintenance of information security of securities companies (2009)
Enforcement mechanism marked: √
Principle: To establish rules for the operation and maintenance of information security for securities companies.

Insurance Laws

Law: Emergency Decree Establishing Fund for Promotion of Catastrophic Insurance, B.E. 2555 (2012)
Enforcement mechanism marked: √
Principle: To set up measures for the management of catastrophe risks by means of insurance and reinsurance and to provide financial aid to non-life insurers.

Law: Insurance Commission Act B.E. 2550 (2007)
Enforcement mechanisms marked: √ √
Principle: As the insurance business is a monetary transaction which directly affects the economic and financial system of Thailand, including the insured, who is a consumer, the agency responsible for supervision of the insurance business should be flexible enough to keep up with the development of the business and should be independent for effective supervision of the insurance business and protection of the insured's rights. It is appropriate to set up an Insurance Commission which is independent and has flexibility in supervising the insurance business.
List of Abbreviations
NECTEC
National Electronics and Computer Technology Center
NSTDA
National Science and Technology Development Agency
ETDA
Electronic Transactions Development Agency (Public Organization)
ThaiCERT
Thailand Computer Emergency Response Team
AEC
ASEAN Economic Community
ASEAN
Association of Southeast Asian Nations
APCN
Asia-Pacific Collaboration Network
APCERT
Asia Pacific Computer Emergency Response Team
CISSP
Certified Information Systems Security Professional
ETC
Electronic Transactions Committee
CSIRT
Computer Security Incident Response Team
NSO
National Statistical Office
ITU
International Telecommunication Union
MICT
Ministry of Information and Communication Technology
TCSD/RTP
Technology Crime Suppression Division, Royal Thai Police
ISP
Internet Service Provider
MOE
Ministry of Energy
IODEF
Incident Object Description Exchange Format
IETF
Internet Engineering Task Force
Report Compilation Team
Creative Directors
Chaichana Mitrpant
Assistant Executive Director
(Security Content)
Surangkana Wayuparb
Executive Director, CEO
(Policy Overview)
Kachida Meetortharn
Director of Legal Affairs Office
(Law Content)
Atcharaphorn Mutraden
Director of Policy Office
(Policy Content)
Working Group
Editorial Staff
Law Content Staff
Art Directors
Coordinators
Phaichayont Vimuktanandana
Pornprom Prapakittikul
Supakorn Lerkditheeporn
Setthawhut Saennam
Jetsada Changsisang
Wisan Prasongsook
Thongchai Silpavarangkura
Sanchai Tinothai
Chotika Sinno
Kannika Pataravisitsan
Nuttachot Dusitanont
and ThaiCERT Team
Ploy Charoensom
Phichayaluk Kamthongsuk
Nattawat Sukwongtrakul
Ployphatchara Chouchai
Nattapong Worapivut
Napadol Utsanaboonsiri
Nattanai Roudreiw
Rojana Lamlert
Wipaporn Butmek
Suchayapim Siriwat
Khemiga Sakulphat
Phanwadee Kowintasate
Soranun Jiwasurat
Director of Security Office
(Security Content)
Thongchai Sangsiri
Identification Expert Testimony Specialist
(Security Content)
ISBN : 978-616-91910-0-1
THAILAND COMPUTER EMERGENCY RESPONSE TEAM
ELECTRONIC TRANSACTIONS DEVELOPMENT AGENCY (PUBLIC ORGANIZATION)
MINISTRY OF INFORMATION AND COMMUNICATION TECHNOLOGY
The Government Complex Commemorating His Majesty the King’s 80th Birthday Anniversary,
120, Moo 3, Ratthaprasasanabhakti Building (Building B) 7th floor,
Chaengwattana Road, Thung Song Hong, Lak Si, Bangkok 10210 Thailand
Tel : +66 2142 1160 Fax : +66 2143 8071
www.thaicert.or.th | www.etda.or.th | www.mict.go.th