I'm Bing Zhong, and this is Zanzhi, aka Cofit on the Internet, and this is Husky. And on the left hand is Yan Mingcheng. He is in Fongstone now. Basically, we three are working for ISS Taiwan. And I'm happy to have this opportunity to present my little research, what I did about one and a half years ago. I did a country-wide survey of web server security in Taiwan, and I did it again about half a year ago. And I'm happy to have this chance to present a little comparison between these two surveys.

This is the outline of today's speech. I will tell you why I do this kind of research, basically because it's fun. And also the methodology that I use in the survey, and a little analysis and conclusions.

Why I do this kind of survey: one and a half years ago, I was writing my master's thesis in network security. And I'd like to know the status of Internet security in my country, because one and a half years ago, there were some e-commerce sites that were just rising. And at that time, I'd like to know how secure the web services are, because so many people do transactions on the Internet. If the platform is not secure, how can people trust that their privacy and the information they give the vendors on the Internet are protected? This information could be stolen by hackers or other criminals. So I'd just like to know how secure the web servers are. And this time, I did it again to compare the status one and a half years ago and six months ago. I'd like to know, is there a significant improvement? Because in the last years, there have been so many attacks, hacker events, on the Internet, such as the DDoS on Yahoo and eBay. And also three months ago, the cyber war between the US and China. And this happened after the cyber war: there's some university of the president in Taiwan. And we are very worried that China strikes Taiwan websites because of political issues. So we did another survey on government websites, so that I can give you some statistics. Okay.
Also, after my research, I proposed some remedies for the government to accept, to set up the policies and the standards for the e-commerce sites or any government agencies who want to attach to the Internet. Also, this methodology may apply to other information warfare research. Okay.

There are two different ways when we do a network security survey. The first is breadth first; that means we survey a lot for a single service around the Internet in Taiwan. And also there's depth first; that means we want to know the details of security in one, such as a company or a company's network. We want the detailed information, to scan all the vulnerabilities inside the network. And there are two kinds of methods when we do this kind of survey. We can just grab the banners and tell them, you are running IIS server and you have this kind of vulnerabilities, just by grabbing the banner. Or you can use a security scanner, such as Nessus or ISS's scanner or the CyberCop scanner, to scan all the vulnerabilities on the server. So basically, what I do is just banner grabbing for the country-wide servers. And I sample about 500 servers for some intrusive tests. Oh, well. Okay. Here we go.

Okay. This is the methodology I used about one and a half years ago. This is the goal: we want to do some web security survey. And there are two factors that affect the website security. One is that the administrator installed the vulnerable CGIs. So I did this kind of CGI survey. And I also collected all the vulnerable CGI information and tried to figure out if the server contains this kind of vulnerable CGIs. And the other factor is that the server has some vulnerabilities such as buffer overflows in IIS server. And also I collected all the banners and concluded the survival rate of the web server. But this is one and a half years ago, when I assumed all the administrators didn't apply the proper patch or the remedies for some of the security related issues.
And I figured out that most administrators are not careful about security. So what I did basically is to survey the administrators' behavior, to see if they apply the proper patch to the web server or CGIs. And I make my conclusions and suggestions. If there is any question, please stop me.

To know how serious the problem is, we have to classify all the Internet attacks. Basically it is something like Unix commands, rewrite, intrusion, the permissions. And the security information that the hacker can gather to know what the internal configuration of the web server is. This is security information leakage. Also some servers have denial of service problems. They will acquire all the essential resources of the web server and cause the downgrade of the Internet service, or just stop them. And some people install some SOCKS server or proxy server that will relay the Internet attack from the hackers. Such as fingerd and proxy servers, SOCKS 5 servers. They all have the same problem if you don't apply the access control list to them. And some security vulnerabilities cause remote file access, which includes remote file read, where the hacker will know the internal configuration of your server or other services. And remote file write is more serious, because the attacker can simply just modify your configuration file and change the server to whatever he wants. Also there is some remote command execution. Everybody knows the IIS worms three months ago. That is a sample of remote command execution that echoes the patterns to your home page. This differs into different categories that will cause the attacker to get a user shell or get a root shell. And the most serious one is that the attacker has already compromised the system and changed the... and installed the backdoor in the system, so that they can easily access the system in the future.
Or the administrators are so careless that they install the Trojan horse, such as Back Orifice or SubSeven, these kinds of backdoors, so that the attacker can easily just get full control of the system. Why I do this classification is because I just want to build a quantitative model when we do a network assessment. This may be helpful if you want to do this kind of survey.

There is much security information on the Internet. What I do is basically collect all the security related information about the web server on SecurityFocus or other mailing lists. Basically because ISS in Taiwan is not working so closely with ISS USA. And I started two years ago; I was not working in ISS yet. So what I do is basically grabbing all the information on the Internet.

This is a sample of how we can know what web server you are using. What I use is the HEAD method, which most of the IDSes now will raise a lot of alerts on, because HEAD is not that common in web browsing. And we can see the server is running Apache, and all the extensions are listed behind the web server. And this is an example of how we can find out whether the CGI exists on the remote web server. We can just simply GET the CGI with the HTTP 1.0 method. And if you got 200 OK, it means that the CGI does exist on the remote server. If you got 404 Not Found, well, it means the CGI is not installed on the remote server. Also you can get some extra information from the CGI, such as the server environment, etc.

And these are the subjects I have surveyed this year. And I do some reverse lookup for the domain name, to make sure that they are in .com, .edu, .net, .org. These servers are all in Taiwan, because I think I don't want to get into international trouble. And amazingly I find that about 60% of the servers don't have an FQDN. Some people just say it's not a good idea to have an FQDN, because you expose more information to the attacker.
But from the incident response point of view, it is easier to know where the server belongs to, and you get the contact information for the remote site. And I randomly select the IPs in the Taiwan network. There were about 140,000 servers in Taiwan two years ago. And I just randomly selected some of them in this survey. It's probably because they don't have the reverse lookup, FQDNs. Because most of the education domains and government domains, they had built FQDNs two years ago. And also the .net. And I guess most of the .com fall into the not verified part.

First I chose these four CGIs because there is some time sequence. First I began the research, and I just wanted to know if there is some trend that, as time goes by, maybe the security information is more common to the administrators and they know how to apply the proper patches to these CGIs or remove these CGIs. And after I completed this survey, I just figured out that it is not objective to select these four CGIs, because they are not correlated, and comparing these CGIs is meaningless. I picked these four well-known vulnerabilities, such as MSADC and Codebrws; these three CGIs can cause the attacker to view or execute a command, or CGI or ASP files, or any kind of file on the remote site. And IIS Unicode is a remote buffer overflow that will cause the attacker to execute any command on the remote site.

And this is the web server survey from netcraft.com. Probably many of you know this institute does the continuous survey for the web servers on the Internet. We see most of the servers on the Internet run the Apache server. But I think in most Asian countries they are not running Apache. They are choosing IIS server from Microsoft because it's cheaper, and the hardware is cheaper too. Yeah, because most managers in Taiwan or in Asian countries, they just trust Microsoft.
And if you tell them, why don't you run Linux or FreeBSD with Apache server, they will tell you that they never heard of that, they don't trust the vendor. Yeah, it's weird but it's the truth. Yeah, what do you mean? Well, in some part of, in mainland China, yes, in some of the Asian countries, probably. And also because of, such as Solaris, the price is, I think it's more, I think Microsoft is cheaper than Solaris. Is it? Yeah.

Okay, so these are the web servers in Taiwan. About 50% of them are running NT or Windows 2000 with IIS server. And about 25% of them are Apache server. Oh, shit. Yeah.

And this is the result of the sample that I drew this January. I didn't include the web server version in this information leakage. I just focused on the Codebrws and MSADC, this kind of vulnerability that will show the code or the files on the remote server. And I have a complete list for these vulnerabilities in my paper. But it is written in Chinese, so I don't think you guys have the interest to read these Chinese papers. And amazingly, about 60% of the IIS web servers have vulnerabilities. This is only from the web banner grabbing. Sorry. I'm a little nervous because I've never spoken to so many people before. Yeah. Yeah. Because all the information I gathered is that IIS servers 4.0, 3.0, and 5.0, they all have the vulnerability that will get remote root. Yeah. But you have to survey the patch behavior of the administrator. Because if you do just the default install and didn't install any patch, they do have vulnerabilities. Yeah. In this survey, I didn't use them. I just grabbed the banners. Yeah.

And this is for vulnerabilities. Basically, I don't think the Unicode is a CGI problem. And these are the four CGIs I surveyed in this research. And I give the vulnerability name and description in the slide. And also the publish date. And I randomly chose 500 servers among the Taiwan web servers and tried to find out how many of them have vulnerable CGIs.
And what I do basically is, from the sample of all the servers I surveyed, I randomly chose 500 of them. And from these 500, I chose another 30 of them to see if the CGIs are really vulnerable. Or some servers can just fake information that gives you 200 OK, even if they don't have these CGIs on the web server. And you see the star here because some of the administrators didn't use the default install of the MSADC IIS server. I think we found 11 of them are vulnerable to this kind of attack. But I think if we had enough information, or we tried some other default paths, the 11 servers may be 20 of them or 25 of them. We didn't have enough time to try all the possible folders on the remote side. As we can see, 99 out of 120, that means 82.5% of the CGIs are vulnerable. So I think the administrators didn't pay enough attention to security, because they didn't apply the proper patch to the remote server.

And here's the conclusion. The most important is that about 55% of the remote web servers can give root access to the attacker. And I do some comparison between 2000 and 2001. And I didn't see significant improvement in the security overview. And probably because of the environment change: when I did the research in year 2000, the Apache server and IIS server were about one to one, 40% Apache server and 40% IIS server. And in this year, we can see that in the survey in Y2K, the information leakage is about 45%, and 2001 is about 33% that will reveal your code to the remote attacker. And as for denial of service, it's about 25% in year 2000 and 34% in year 2001. As for unauthorized remote access, including remote user shell and remote file read and remote file write, it's 34% in year 2001. And these data are very close, and I didn't see any significant difference between these two years. But for the administrator's privilege, which means the attacker can execute any command with administrator's privilege, in year 2000, it's about 45%, and in 2001, it's about 55%.
So I don't think the web servers are more secure in Taiwan after two years. And I'm going to make my conclusion of the presentation about the web servers. I think FQDN is important to the Internet infrastructure when we do some incident response. The percentage of the available FQDNs is less than 40%. So I think there's a lot of room for improvement. As for the CGI surveys, I think many administrators didn't pay enough attention to the vulnerability information, so they didn't remove the vulnerable CGI or they didn't apply the proper patch to the CGI. About administrator behavior, I just want to know if they are too stupid or too lazy. If they are too stupid, we can do some education to let them know your server has a problem. There's a problem in your server. If they are too lazy, we can set up the standard or SOPs, as companies do, to set up the proper policy for their server security. I find out that most administrators don't care about Internet security. And I think it's more important to let them know what the problem is in their servers. So I propose to the government that we should set up the education course for the administrators.
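The banner grab and CGI presence check the talk describes (HEAD for the Server header, GET answered with 200 versus 404), as an added Python example that is not part of the presentation or the speaker's own tooling, written for auditing servers you administer. It assumes constructed placeholder CGI paths and a local stand-in HTTP server so it runs offline, and adds the catch-all check for hosts that answer 200 to anything, which the talk gives as the reason to re-verify a sample by hand.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PLACEHOLDER_CGIS = ["/cgi-bin/present.cgi", "/cgi-bin/absent.cgi"]  # constructed, not the talk's CGIs
PROBE_PATH = "/this-path-should-not-exist-zzz"  # detects hosts answering 200 to anything

def _request(host, port, method, path, timeout=5):  # (status, Server header), body unread
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server")
    finally:
        conn.close()

def grab_banner(host, port):
    """The talk's banner grab: HEAD / and return the Server header (None if absent)."""
    return _request(host, port, "HEAD", "/")[1]

def cgi_present(host, port, path):
    """The talk's CGI check: GET path, 200 -> present, 404 -> absent, else unknown."""
    status = _request(host, port, "GET", path)[0]
    return {200: "present", 404: "absent"}.get(status, "unknown")

def survey(host, port, cgis=PLACEHOLDER_CGIS):
    """Banner plus CGI presence for one host. If a nonsense path also answers 200,
    'present' is downgraded to 'unverified' (the fake-200 hosts the talk mentions)."""
    catch_all = cgi_present(host, port, PROBE_PATH) == "present"
    results = {p: cgi_present(host, port, p) for p in cgis}
    if catch_all:
        results = {p: "unverified" if r == "present" else r for p, r in results.items()}
    return {"banner": grab_banner(host, port), "catch_all": catch_all, "cgis": results}

# Constructed local stand-in for a surveyed host, so the example runs offline.
class _FakeHost(BaseHTTPRequestHandler):
    def version_string(self):
        return "FakeHTTPd/1.0"  # constructed banner, not a real product string
    def do_GET(self):  # only the first placeholder CGI "exists" on this host
        self.send_response(200 if self.path == PLACEHOLDER_CGIS[0] else 404)
        self.end_headers()
    do_HEAD = do_GET  # HEAD gets the same status and Server header, no body
    def log_message(self, *args):
        pass  # keep the run quiet

def start_fake_host():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeHost)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Pointed at a real inventory, survey() is run once per host and the "unverified" entries are the ones to confirm manually, as the talk did with its 30-server subsample.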