Web Defacement Attack Case


  • 8/17/2019 Web Defacement Attack Case


    Web Defacement

    Anh Nguyen

    May 6th, 2010


    Organization

    • Introduction
    • How Hackers Deface Web Pages
    • Solutions to Web Defacement
    • Conclusions


    Introduction: Web Defacement

    • Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offending data
    • Exposes visitors to misleading information


    Introduction: Web Defacement

    • http://www.attrition.org/mirror/attrition/
      – Tracks defacement incidents and keeps a "mirror" of defaced Web sites


    Introduction: Hackers' Motivation

    • Look for credit card numbers and other valuable proprietary information
    • Gain credibility in the hacking community; in some high-profile cases, 15 minutes of fame through media coverage of the incident


    Introduction: Effects on Organizations

    • Organizations lose
      – Credibility and reputation
      – Customer trust and revenue
      – E-retailers can lose considerable patronage if their customers feel their e-business is insecure
      – Financial institutions may experience significant loss of business and integrity


    How Hackers Deface Web Pages

    • Obtain usernames
      – Use information-gathering techniques
      – Make use of publicly available information
        • Domain registration records
      – Use "social engineering" tactics
        • Call an employee and pose as a system administrator


    How Hackers Deface Web Pages (Cont.)

    • Guess passwords
      – Go through a list of popular or default choices
      – Use intelligent guesses
      – Use "social engineering" tactics
        • Birth dates
        • Names of family members


    How Hackers Deface Web Pages (Cont.)

    • Obtain administrator privileges
    • Perform additional information gathering to find out useful tidbits
      – The exact version and patch levels of the OS
      – The versions of software packages installed on the machine
      – Enabled services and processes


    How Hackers Deface Web Pages (Cont.)

    • Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed
    • Gain control of the machine and modify the content of pages easily


    How Hackers Deface Web Pages (Cont.): Sechole

    • An example of a privilege escalation exploit on Windows NT 4
    • The attack modifies the instructions in memory of the OpenProcess API call so it can attach to a privileged process
    • Once the privileged process runs, the code adds the user to the Administrators group
    • The technique works if the code runs


    How Hackers Deface Web Pages (Cont.): Sechole

    • In the presence of Microsoft's Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location


    How Hackers Deface Web Pages (Cont.): Sechole

    • Another approach is to exploit vulnerabilities in Internet servers that are listening to open ports
      – No need to log on to the server
      – Execute malicious code over an open legitimate connection


    How Hackers Deface Web Pages (Cont.): IIS Hack

    • Well-known example for a remote attack on the IIS Web server
    • Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of the System on the server

    Solutions to Web Defacement

    • Firewalls
      – Do not scan incoming HTTP packets
      – HTTP attacks (such as IIS Hack) are not detected
    • Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
      – Listen to packets on the wire, but do not block them
      – In many cases, the packet reaches its destination before it is interpreted by the NIDS

    Solutions to Web Defacement (Cont.)

    • Integrity assessment
      – A hash code (similar to a checksum) for a Web page reflecting the page's content is computed
      – The saved hash code is periodically compared with the freshly computed one to see if they match
      – The frequency of the hash code comparisons needs to be high
      – The scheme collapses when pages are generated dynamically

    Solutions to Web Defacement (Cont.)

    • Multi-layered protection system
      – Needed in order to effectively deal with Web defacement
      – On-the-spot prevention
        • Attacks should be identified before their execution, i.e. they should be identified at the service request level
        • Use system call and API call interception

    Solutions to Web Defacement (Cont.)

    • Multi-layered protection system (Cont.)
      – Administrator (root) resistant
        • Allow only a specific predefined user (the Webmaster), instead of the "Administrator" account, to modify the Web site content and configuration
      – Application access control
        • A single predefined program should be used to edit and/or create Web pages
      – OS level protection

    Solutions to Web Defacement (Cont.)

    • Multi-layered protection system (Cont.)
      – HTTP attack protection
        • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
      – Web server resources protection
        • Executables
        • Configuration files
        • Data files
        • Web server process

    Solutions to Web Defacement (Cont.)

    • Multi-layered protection system (Cont.)
      – Other Internet server attack protection
        • Bind (a DNS server)
        • Sendmail (an SMTP server)


    Conclusions

    • Thank you for your time
    • Questions and feedback are welcome


    References

    • Prevent Web Site Defacement
      – http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf