Web-Based Attacks: Offense
Wild Wild West
Bob, Jeff, and Junia
Agenda
Weaknesses of the paper
Attacks not mentioned
Future Trends
Weaknesses of the paper
Web-based Attacks: White Paper or Infomercial…?
Shameless plugs peppered throughout
No mention of non-Symantec solutions, like desktop virtualization
Well yes, but everybody does it.
How else would they get funded…
Vulnerability of web-based applications
A topic for nerds, written by nerds…
Technical aptitude is needed to even understand the challenge/threat
This is likely one of the problems with getting people to pay attention to security
Compare with articles about ‘The Cloud’
• Articles about ‘The Cloud’ get noticed by execs because it speaks to them
• You can find them in In-flight magazines
• Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources
Attacks not mentioned
New ways of getting you to a malicious site
Blogs
Social Networking
URL shorteners
Twitter and Facebook viruses exist
Google, How We Get To Most Sites:
We trust Google!
Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the list.
An Example of SEO Poisoning
1) Find a legitimate website (http://jeffkimballwater.com)
2) Compromise the website. Easy!
3) Submit a special url to a search engine: “http://jeffkimballwater.com?r=discover-card”
• http://jeffkimballwater.com?r=discover-financial-services
• http://jeffkimballwater.com?r=discover-credit-cards
• http://jeffkimballwater.com?r=discover-card-facts
• http://jeffkimballwater.com?r=apply-for-a-credit-card
4) When the search engine indexes this url a script is called. Change the page to add a bunch of hidden, relevant links. Get the keywords for these links from another search engine:
• http://jeffkimballwater.com?r=discover-card, keyword “discover card”: Discover Financial Services, Discover Credit Cards, Discover Card Facts, Apply for a credit card
5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google.
6) Site looks normal to everyone else.
Attacking a website using Cross Site Forgery
Cross-Site Reference Forgery
• XSRF
• CSRF
• Sea Surfing
• Session Riding
• Hostile Linking
• One-Click attacks
A confused deputy attack on a website, where the website already trusts a user.
An Example of Cross Site Forgery
Bob Frazer logs into Bankbank.com
Bob then logs into FerrariOwnersClub.com
Mal posts a bad link as his signature picture, which Bob loads. <img src=http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory>
Bob, who is still logged into Bankbank, executes the request.
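As an added example that is not part of the slides, the following simulates how a bankbank.com withdrawal handler (hypothetical backend, in-memory state) can refuse the forged <img> request while still serving Bob's own transfer: it requires POST, checks the browser's fetch metadata and Origin, and demands a per-session CSRF token that a page on FerrariOwnersClub.com cannot read.

```python
import hmac
import secrets

# Constructed in-memory state for a hypothetical bankbank.com backend (not
# from the slides): session cookie -> user and a per-session CSRF token.
SESSIONS = {}

def login(user):
    """Issue a session cookie and bind a fresh random CSRF token to it."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return cookie

def csrf_token_for(cookie):
    """Token the bank embeds in its own withdrawal form for this session."""
    return SESSIONS[cookie]["csrf"]

def handle_withdraw(method, cookie, form, headers, site="https://bankbank.com"):
    """Return (allowed, reason) for a /withdraw request.
    A browser attaches Bob's cookie to any request for bankbank.com, so the
    cookie alone proves nothing about who authored the request. The checks:
    POST only (an <img> load is always a GET), valid session, fetch metadata
    or Origin must not point at another site, and the form must carry the
    session's token, which a cross-site page cannot read.
    """
    if method != "POST":
        return False, "state change must be POST"
    session = SESSIONS.get(cookie)
    if session is None:
        return False, "no session"
    if headers.get("Sec-Fetch-Site") == "cross-site":
        return False, "cross-site request"
    origin = headers.get("Origin")
    if origin is not None and origin != site:
        return False, "origin mismatch"
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return False, "missing or wrong csrf token"
    return True, "%s withdraws %s for %s" % (session["user"], form["amount"], form["for"])

def demo():
    """Replay the slides' scenario: Bob logs in, then a forum page tries the <img> trick."""
    cookie = login("bob")
    # Forged <img src=...withdraw?...> load: GET, Bob's cookie sent automatically, marked cross-site, no token.
    forged = handle_withdraw("GET", cookie, {"account": "bob", "amount": "1000", "for": "mallory"},
                             {"Sec-Fetch-Site": "cross-site"})
    # Bob's own transfer submitted from the bank's form, carrying the token.
    genuine = handle_withdraw("POST", cookie, {"amount": "50", "for": "bob", "csrf": csrf_token_for(cookie)},
                              {"Sec-Fetch-Site": "same-origin", "Origin": "https://bankbank.com"})
    return forged, genuine
```

Even a cross-site page that auto-submits a POST form is stopped by the token check, so the method restriction alone is not the defence; the token is.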
Attacking You Through Your Phone
Not web based yet, but attackers are interested.
Trojan-SMS.AndroidOS.FakePlayer.a
Sends texts without user’s knowledge to premium rate numbers.
Android Spyware: Tip Calculator
Attacking You Through Your Phone
Symbian OS: Skulls
Worm:iOS/Ikee: Proof of concept spreads through WiFi or 3G, sends financial information to server.
Future Trends
Future Trends - Users
Increasingly young user base
• More online edu-tainment/games
• More familiar and comfortable with the web world
• Less knowledgeable in security risk
Future Trends - Attacks
• Increase in internet users
• Move from IPv4 to IPv6
• More attacks on the Web Servers
• More sophisticated hackers
Future Trends - Companies
• Focus more on Web Security
• Getting better at locking down the web
Future Trends - Cloud Computing
• Increase in IT budgets
• More Web-Applications hosted in the Cloud
• With lower cost comes higher security risk
• More complex Security
Future Trends - Browsers will be more responsible
Google Chrome
FireFox
Future Trends - Spam
• More legitimate-looking spam