Web-Based Attacks: Offense
Wild Wild West
Bob, Jeff, and Junia

Posted on 25-Feb-2016

TRANSCRIPT

Page 1

Web-Based Attacks: Offense
Wild Wild West
Bob, Jeff, and Junia

Page 2

Agenda

Weaknesses of the paper

Attacks not mentioned

Future Trends

Page 3

Weaknesses of the paper

Page 4

Web-based Attacks: White Paper or Infomercial…?

Shameless plugs peppered throughout

No mention of non-Symantec solutions, like desktop virtualization

Well yes, but everybody does it.

How else would they get funded…

Page 5

Vulnerability of web-based applications

A topic for nerds, written by nerds…

Technical aptitude is needed to even understand the challenge/threat

This is likely one of the problems with getting people to pay attention to security

Page 6

Compare with articles about ‘The Cloud’

• Articles about ‘The Cloud’ get noticed by execs because it speaks to them

• You can find them in in-flight magazines

• Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources

Page 7

Attacks not mentioned

Page 8

New ways of getting you to a malicious site

Blogs

Social networking

URL shorteners

Twitter and Facebook viruses exist

Page 9

Google, How We Get To Most Sites:

We trust Google!

Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the results list.

Page 10

An Example of SEO Poisoning

1) Find a legitimate website (http://jeffkimballwater.com)

Page 11

An Example of SEO Poisoning

2) Compromise the website. Easy!

3) Submit a special URL to a search engine: http://jeffkimballwater.com?r=discover-card

Page 12

An Example of SEO Poisoning

4) When the search engine indexes this URL, a script is called.

Change the page to add a bunch of hidden, relevant links. Get the keywords for these links from another search engine.

Query sent to the other search engine: “discover card”

Keywords returned:

Discover Financial Services
Discover Credit Cards
Discover Card Facts
Apply for a credit card

Hidden links added to the page:

http://jeffkimballwater.com?r=discover-card
http://jeffkimballwater.com?r=discover-financial-services
http://jeffkimballwater.com?r=discover-credit-cards
http://jeffkimballwater.com?r=discover-card-facts
http://jeffkimballwater.com?r=apply-for-a-credit-card

Page 13

An Example of SEO Poisoning

5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google.

6) Site looks normal to everyone else.
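The two halves of steps 4 and 6 are what a defender can check for: links a human reader cannot see, and a page that differs depending on who fetches it. The script below is an added example, not code from the slides or from Symantec's paper; it parses constructed HTML with Python's standard-library parser, flags anchor tags hidden by CSS or the `hidden` attribute, and diffs the link set served to a crawler against the one served to a visitor. The domain `example.invalid` and both sample pages are made up for the example.

```python
"""Added example (not from the slides): a defender-side check for the
cloaking pattern on pages 9-13, where a compromised site serves a crawler
extra hidden keyword links while ordinary visitors see the normal page.
All HTML here is constructed; example.invalid stands in for the compromised
domain."""
import re
from html.parser import HTMLParser

# CSS fragments that hide an element from a human reader but not from an
# indexer: display:none, visibility:hidden, zero font size, zero opacity,
# or an absolute position far off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|pt|em|%)?\s*(?:;|$)"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)
VOID = {"img", "br", "hr", "input", "meta", "link", "area", "base", "col",
        "embed", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Collects <a href> targets, split by whether any ancestor hides them."""

    def __init__(self):
        super().__init__()
        self.stack = []        # one flag per open element: is it hidden?
        self.hidden = []
        self.visible = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inside_hidden = hidden or any(self.stack)
        if tag == "a" and a.get("href"):
            (self.hidden if inside_hidden else self.visible).append(a["href"])
        if tag not in VOID:            # void elements never get an end tag
            self.stack.append(hidden)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID:
            self.stack.pop()

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()


def find_hidden_links(html):
    """Return (hidden_links, visible_links) for one HTML document."""
    p = HiddenLinkFinder()
    p.feed(html)
    p.close()
    return p.hidden, p.visible


def cloaking_diff(crawler_html, visitor_html):
    """Links present when fetched with a crawler User-Agent but absent from
    the page a normal visitor gets: the signature of step 6 ("looks normal
    to everyone else")."""
    crawler_links = set(sum(find_hidden_links(crawler_html), []))
    visitor_links = set(sum(find_hidden_links(visitor_html), []))
    return sorted(crawler_links - visitor_links)


# Constructed sample: what a visitor sees ...
VISITOR_PAGE = """<html><body>
<h1>Jeff Kimball Water</h1>
<p>Local water delivery. <a href="/contact">Contact us</a></p>
</body></html>"""

# ... and what the same URL returns to a search-engine crawler after the
# injected script has added keyword links (step 4 of the slides).
CRAWLER_PAGE = VISITOR_PAGE.replace("</body>", """
<div style="display:none">
<a href="http://example.invalid/?r=discover-financial-services">Discover Financial Services</a>
<a href="http://example.invalid/?r=discover-credit-cards">Discover Credit Cards</a>
<a href="http://example.invalid/?r=apply-for-a-credit-card">Apply for a credit card</a>
</div>
<p style="position:absolute; left:-9999px">
<a href="http://example.invalid/?r=discover-card-facts">Discover Card Facts</a>
</p>
</body>""")

if __name__ == "__main__":
    hidden, visible = find_hidden_links(CRAWLER_PAGE)
    print("hidden links served to crawler:", hidden)
    print("links only the crawler sees:", cloaking_diff(CRAWLER_PAGE, VISITOR_PAGE))
```

In practice the two inputs come from fetching the same URL twice, once with a normal browser User-Agent and once with a search-bot one; a non-empty `cloaking_diff` on a site you own is a strong sign the pages are being rewritten for the crawler, which is worth investigating before the search engine notices.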

Page 14

Attacking a website using Cross-Site Forgery

Also known as: Cross-Site Reference Forgery, XSRF, CSRF, Sea Surfing, Session Riding, Hostile Linking, One-Click attacks

A confused deputy attack on a website, where the website already trusts a user.

Page 15

An Example of Cross Site Forgery

Bob Frazer logs into Bankbank.com

Bob then logs into FerrariOwnersClub.com

Mal posts a bad link as his signature picture, which Bob loads. <img src=http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory>

Bob, who is still logged into Bankbank, executes the request.
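The withdrawal goes through because the bank accepts a state-changing GET and treats the session cookie, which the browser attaches to every request for bankbank.com, as proof of intent. The toy below is an added example (not the deck's code or any real bank's): it models the request Bob's browser makes for Mal's image, runs it against a handler with the slide's flaw and against a hardened one, and also tries a forged cross-site POST to show why the token and Origin checks matter beyond refusing GET. Hosts, session values, balances and tokens are all constructed.

```python
"""Added example (not from the slides): a toy model of the Bankbank.com
scenario on this page, to show why the <img> request goes through and what
stops it.  Sessions, balances, hosts and tokens are all constructed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

BANK_ORIGIN = "https://bankbank.com"
SESSIONS = {"sess-bob": "bob"}          # session cookie value -> user
ACCOUNTS = {"bob": 5000, "mallory": 0}
CSRF_TOKENS = {}                        # session cookie value -> token


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _transfer(user, amount, to):
    ACCOUNTS[user] -= amount
    ACCOUNTS[to] = ACCOUNTS.get(to, 0) + amount


def vulnerable_withdraw(req):
    """The bug the slide exploits: a state change on GET, with the session
    cookie as the only proof that the user meant it."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401
    q = {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}
    _transfer(user, int(q["amount"]), q["for"])
    return 200


def issue_csrf_token(session_cookie):
    """Per-session synchronizer token, embedded in the bank's own form."""
    tok = secrets.token_urlsafe(32)
    CSRF_TOKENS[session_cookie] = tok
    return tok


def hardened_withdraw(req):
    """Same operation with the usual defences layered: POST only, an Origin
    check, and a token that only the bank's own page could have rendered."""
    if req.method != "POST":
        return 405
    sess = req.cookies.get("session")
    user = SESSIONS.get(sess)
    if user is None:
        return 401
    if req.headers.get("Origin") != BANK_ORIGIN:
        return 403
    expected = CSRF_TOKENS.get(sess)
    if not expected or not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return 403
    _transfer(user, int(req.form["amount"]), req.form["for"])
    return 200


def browser_loads_image(src):
    """Bob's browser fetching Mal's signature picture: a GET to bankbank.com
    that carries Bob's cookie automatically and no Origin header."""
    return Request("GET", src, cookies={"session": "sess-bob"})


def run_scenario():
    """Replays page 15 against both handlers and returns the outcomes."""
    ACCOUNTS.update(bob=5000, mallory=0)
    img = browser_loads_image(
        "http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory")

    r_vuln = vulnerable_withdraw(img)             # money moves
    after_vuln = dict(ACCOUNTS)

    ACCOUNTS.update(bob=5000, mallory=0)
    r_img = hardened_withdraw(img)                # 405: no side effects on GET

    # A forged auto-submitting form from the club site: still POST, still
    # carries the cookie, but the browser stamps the foreign Origin on it.
    forged = Request("POST", "http://bankbank.com/withdraw",
                     cookies={"session": "sess-bob"},
                     form={"amount": "1000", "for": "mallory"},
                     headers={"Origin": "https://ferrariownersclub.com"})
    r_forged = hardened_withdraw(forged)          # 403

    # Bob's own submission from the bank's page, token included.
    legit = Request("POST", "http://bankbank.com/withdraw",
                    cookies={"session": "sess-bob"},
                    form={"amount": "100", "for": "mallory",
                          "csrf": issue_csrf_token("sess-bob")},
                    headers={"Origin": BANK_ORIGIN})
    r_legit = hardened_withdraw(legit)            # 200
    return r_vuln, after_vuln, r_img, r_forged, r_legit, dict(ACCOUNTS)


if __name__ == "__main__":
    print(run_scenario())
```

Chromium-based browsers have defaulted cookies to SameSite=Lax since 2020, which on its own keeps Bob's cookie off the cross-site image load; the server-side token and Origin checks remain the controls the bank owns, so they belong in the handler regardless of what the client does.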

Page 16

Attacking You Through Your Phone

Not web based yet, but attackers are interested.

Trojan-SMS.AndroidOS.FakePlayer.a

Sends texts without user’s knowledge to premium rate numbers.

Android spyware: Tip Calculator

Page 17

Attacking You Through Your Phone

Symbian OS: Skulls

Worm:iOS/Ikee: proof of concept that spreads through WiFi or 3G and sends financial information to a server.

Page 18

Future Trends

Page 19

Future Trends - Users

Increasingly young user base

• More online edu-tainment/games

• More familiar and comfortable with the web world

• Less knowledgeable about security risk

Page 20

Future Trends - Attacks

More Internet users

Move from IPv4 to IPv6

More attacks on web servers

More sophisticated hackers

Page 21

Future Trends - Companies

Focus more on web security

Getting better at locking down the web

Page 22

Future Trends - Cloud Computing

Increase in IT budgets

More web applications hosted in the cloud

With lower cost comes higher security risk

More complex security

Page 23

Future Trends - Browsers will be more responsible

Google Chrome

Firefox

Page 24

Future Trends - Spam

Spam will look more legitimate

Page 25