Web Attacks— Offense… The Whole Story Yuri & The Cheeseheads Mark Glubisz, Jason Kemble, Yuri Serdyuk, Kandyce Giordano

Web Attacks—Offense…

The Whole Story

Yuri & The Cheeseheads

Mark Glubisz, Jason Kemble, Yuri Serdyuk, Kandyce Giordano

Introduction

White paper was informative

Contained a few weaknesses

Cited a study that focused on two areas that Symantec was strongest in combating

Lacked detail regarding legitimate web site threats

Missed risks presented by Social Networking sites

Stated Goals

Educate end users to make them more secure

Explain types of attacks: Drive by Downloads, Clickjacking, Fake CODECS, Malicious peer-to-peer files, Malicious Advertisements, Fake Scanner Web Pages, Blog Spam

Offer solutions to minimize risk

Symantec Funded Study

Cascadia Labs

Tested Two Types of Attack: Drive by download, Fake CODECs

What About Other Threats? Clickjacking, Fake Scanner Web pages, Peer to Peer, Blog Spam

Lasting Perception of Results

Results of Study Presented at End of Paper

Based on two types of Attacks

Reader is aware of all threats

Reader is left with false sense of confidence

Infection of Legitimate Websites

White paper lacked statistics

Spoke in generalities regarding level of threat by legitimate websites

We found more specific information

70% of the 100 most popular websites

Malicious content or hidden redirect

16% increase over the 1st half of 2008

Legitimate websites compromised

Exceeds the amount of sites created by criminals

Web Site Infection Details cont’d

45% of the top 100 web sites allow user generated content

Most active distributors of malicious content

Enable criminals to post malicious links, multimedia files, or send malicious e-mails to users

Top 100 web sites in terms of traffic are predominantly two categories: Search Engines, Social Networking Sites

Missed Risk Identification

Social Networking Sites

Treasure trove of personal data

Birthdays, location, and employment history

66% of phishing attacks in the U.S. were directed towards social-networking sites

Impersonating someone else and building up a network

Creating an on-line profile prior to the real person creating one

Using the network to extract personal information to access financial data

Social Networking Sites’ Risks cont’d

A means for distributing worms

Koobface

Distributed in 2008 through Facebook

Notes to friends of someone whose PC has been infected

“See how great you look in this video”

Directs recipients to a website that asks them to download a version of Flash Player – infects computer

Takes them to contaminated sites when they try to use search engines like Google, Yahoo, MSN and Live.com

Worms through Social Networking

Twitter

Stalkdaily and Mikeyy

Tricked users into clicking on a link to a rival social network

17 year old created the worm “out of boredom”

Second worm exploited the original flaw

After Twitter claimed to have closed the holes

These sites are vulnerable

Conclusion

Overall white paper is informative

Weaknesses

Limited study presented in article

Lack of details regarding legitimate web site risks

Missed risk

Social Networking Sites

Existing Countermeasure Missed (from T’Bone and Tonic)

Plethora of third party security tools that exist to prevent some of such attacks

The “No Script” extension for the Mozilla browser

Lavasoft Ad-Aware and Spybot S&D

References

Number of compromised websites at all-time high
http://www.securecomputing.net.au/News/135019,websense-number-of-compromised-websites-at-alltime-high.aspx

Phishers Attack Social Networking Generation
http://software.silicon.com/malware/0,3800003100,39185353,00.htm

Destructive Koobface Virus Turns Up On Facebook
http://www.reuters.com/article/newsOne/idUSTRE4B37LV20081204

Teen Takes Responsibility for Twitter Worms
http://news.cnet.com/8301-1009_3-10217684-83.html

Fake Social Network Profiles: a New Form of Identity Theft
http://www.readwriteweb.com/archives/fake_social_network_profiles_a.php

Questions?