Web Defacement

Anh Nguyen
May 6th, 2010

Organization

• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

Introduction

• Introduction
  – Web Defacement
  – Hackers’ Motivation
  – Effects on Organizations
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

Introduction: Web Defacement

• Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offending data

• Exposes visitors to misleading information

Introduction: Web Defacement

• http://www.attrition.org/mirror/attrition/
  – Keeps track of defacement incidents and keeps a “mirror” of defaced Web sites

Introduction: Hackers’ Motivation

• Look for credit card numbers and other valuable proprietary information
• Gain credibility in the hacking community and, in some high-profile cases, 15 minutes of fame through media coverage of the incident

Introduction: Effects on Organizations

• Organizations lose
  – Credibility and reputation
  – Customer trust and revenue
  – E-retailers can lose considerable patronage if their customers feel their e-business is insecure
  – Financial institutions may experience significant loss of business and integrity

How Hackers Deface Web Pages

• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

How Hackers Deface Web Pages

• Obtain usernames
  – Use information-gathering techniques
  – Make use of publicly available information
    • Domain registration records
  – Use ‘social engineering’ tactics
    • Call an employee and pose as a system administrator

How Hackers Deface Web Pages (Cont.)

• Guess passwords
  – Go through a list of popular or default choices
  – Use intelligent guesses
  – Use ‘social engineering’ tactics
    • Birth dates
    • Names of family members

How Hackers Deface Web Pages (Cont.)

• Obtain administrator privileges
• Perform additional information gathering to find out useful tidbits
  – The exact version and patch levels of the OS
  – The versions of software packages installed on the machine
  – Enabled services and processes

How Hackers Deface Web Pages (Cont.)

• Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed

• Gain control of the machine and modify the content of pages easily

How Hackers Deface Web Pages (Cont.): Sechole

• An example of a privilege escalation exploit on Windows NT4

• The attack modifies the instructions in memory of the OpenProcess API call so it can attach to a privileged process

• Once the privileged process runs, the code adds the user to the Administrators group

• The technique works if the code runs locally

How Hackers Deface Web Pages (Cont.): Sechole

• In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location

How Hackers Deface Web Pages (Cont.): Sechole

• Another approach is to exploit vulnerabilities in Internet servers that are listening to open ports
  – No need to log on to the server
  – Execute malicious code over an open legitimate connection

How Hackers Deface Web Pages (Cont.): IIS Hack

• Well-known example of a remote attack on the IIS Web server

• Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of the System on the server

Solutions to Web Defacement

• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

Solutions to Web Defacement

• Firewalls
  – Do not scan incoming HTTP packets
  – HTTP attacks (such as IIS Hack) are not detected
• Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
  – Listen to packets on the wire, but do not block them
  – In many cases, the packet reaches its destination before it is interpreted by the NIDS

Solutions to Web Defacement (Cont.)

• Integrity assessment
  – A hash code (similar to a checksum) for a Web page reflecting the page’s content is computed
  – The saved hash code is periodically compared with the freshly computed one to see if they match
  – The frequency of the hash code comparisons needs to be high
  – The scheme collapses when pages are generated dynamically

Solutions to Web Defacement (Cont.)

• Multi-layered protection system
  – Needed in order to effectively deal with Web defacement
  – On-the-spot prevention
    • Attacks should be identified before their execution, i.e. they should be identified at the service request level
    • Use system call and API call interception

Solutions to Web Defacement (Cont.)

• Multi-layered protection system (Cont.)
  – Administrator (root) resistant
    • Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration
  – Application access control
    • A single predefined program should be used to edit and/or create Web pages
  – OS level protection

Solutions to Web Defacement (Cont.)

• Multi-layered protection system (Cont.)
  – HTTP attack protection
    • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
  – Web server resources protection
    • Executables
    • Configuration files
    • Data files
    • Web server process

Solutions to Web Defacement (Cont.)

• Multi-layered protection system (Cont.)
  – Other Internet server attack protection
    • Bind (a DNS server)
    • Sendmail (an SMTP server)

Conclusions

• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

Conclusions

• Thank you for your time
• Questions and feedback are welcome

References

• Prevent Web Site Defacement
  – http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf