Threats in Cyberspace - 2008 Saumil Shah Evolvement of IPRs and its management seminar February 9, 2008 - Ahmedabad
About me • Founder & CEO Net-Square Solutions. • Speaker at Blackhat, RSA, and many international security conferences. • Author: • Web Hacking – Attacks and Defense (2002) • The Anti-virus book (1996) • MS Computer Science – Purdue University.
Attack trends since 2000 AD • 2000: Networks and OS • 2001: HTTP, DDoS, Worms • 2002: Web apps, email, Worms, Databases • 2003: Apps, Bruteforcing • 2004: Apps, IE, Spyware, Phishing • 2005: Apps, ID thefts, Phishing, Malware • 2006: Large data stores, apps, IDs, etc. • 2007: App worms, Botnets, Pharming
Spam in 2007 • 90-95% of all emails sent were spam. • 13% of users received more than 50 spam emails per day.
Spam in 2007 • Pump-and-dump stock scams. • Image and attachment spam: surged, then died down towards the end of 2007. • Current news topics used as subject lines. • Generated through botnets. • Fraud and phishing.
Breaches in 2007 • TD Ameritrade: 6.3 million customer records. • Monster.com: 1.6 million job seekers' records. • Western Union: 20,000 credit card records. • Illinois Dept of Financial and Professional Regulation: 300,000 records. • T J Maxx: 45.7 million credit card records. • Moneygram: 79,000 records.
We’ve all been victims of fraud • “I’ve never been to Japan!”
Hacking the Human Mind • Citibank “phishing” scam The email: http://antiphishing.org
Faking a bank • http://www.mycitibank.net/ http://antiphishing.org
Faking a bank • Who is mycitibank.net? (whois record)
Domain Name.......... mycitibank.net
Creation Date........ 2004-06-22
Registration Date.... 2004-06-22
Expiry Date.......... 2005-06-22
Organisation Name.... Sharon J Warr
Organisation Address. 4 Knotty Pine Place
Organisation Address. Texarkana 75503, TX, UNITED STATES
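The two phishing slides above come down to one check a mail gateway or browser toolbar can automate: does the link's registrable domain actually belong to the brand it names, and is the registration suspiciously young? The following is an added example (not from the talk or from Net-Square); the brand table, the simplified public-suffix handling and the 90-day "young registration" threshold are assumptions chosen for illustration.

```python
"""Lookalike-domain and young-registration checks for phishing URLs.

Added example, not from the original slides. LEGIT_DOMAINS is a constructed
brand table; a real deployment would use the organisation's own list of
legitimate domains and a full public-suffix list.
"""
import re
from datetime import date
from urllib.parse import urlsplit

# Constructed: brand keyword -> registrable domains that brand really owns.
LEGIT_DOMAINS = {
    "citibank": {"citibank.com", "citi.com"},
    "hsbc": {"hsbc.com"},
}

# Simplified public-suffix handling (assumption): treat these as two-label
# suffixes so that "bank.co.uk" is the registrable domain, not "co.uk".
_TWO_LEVEL_SUFFIXES = {"co.uk", "co.in", "com.au", "net.in"}


def registrable_domain(host):
    """Return the part of a hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, reason); verdict is 'legit', 'suspicious' or 'unknown'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    # A bank never serves its branded site from a bare IP address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return "suspicious", "raw IP address used as host"
    reg = registrable_domain(host)
    # Look for the brand anywhere in the netloc: subdomains such as
    # citibank.com.evil.example and userinfo tricks such as citibank.com@evil.example.
    haystack = (parts.netloc + "." + host).lower()
    for brand, owned in LEGIT_DOMAINS.items():
        if reg in owned:
            return "legit", "registrable domain %s is owned by %s" % (reg, brand)
        if brand in haystack:
            return "suspicious", "brand '%s' appears but registrable domain is %s" % (brand, reg)
    return "unknown", "no known brand in %s" % host


def young_registration(creation_date, observed_on, max_days=90):
    """True if the whois creation date is within max_days of the observation.

    Dates are ISO strings as they appear in whois output ("2004-06-22").
    The 90-day threshold is an illustrative assumption.
    """
    created = date.fromisoformat(creation_date)
    seen = date.fromisoformat(observed_on)
    return 0 <= (seen - created).days <= max_days


if __name__ == "__main__":
    for u in ("http://www.mycitibank.net/", "https://online.citibank.com/login",
              "http://citibank.com@evil.example/", "http://192.168.1.1/"):
        print(u, "->", classify_url(u))
    print("young:", young_registration("2004-06-22", "2004-07-01"))
```

The whois slide also shows a one-year registration that expires on the first anniversary; short registration periods are a weaker signal than age, so the example deliberately scores only creation date.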
Spyware • “Marketing delivered to your desktops”. • Advertisers pay for targeted advertising. • Adware companies: • 100-200 employees, $50-$200M revenues • How to get into desktops?…
Spyware • Digital Gluttony • “I want to download it all!” • Cater to users’ greed. • MP3s, Videos, Ringtones, Wallpapers, Smileys, Screensavers, Calendars, … • …as long as it is free.
Malware on the rise • 2005-2006: 172% increase. • 2006-2007: 800% increase. • MPack. • RBN. • Fast-flux Networks. • The Storm Botnet.
MPack • Exploit delivery mechanism. • Updated regularly with 0-day exploits. • IE VML bug. • IE Animated Cursor vulnerability. • QuickTime overflow. • Winzip ActiveX overflow. etc. • PHP based automatic website generator. • Sold for $500-$1000, with auto-exploit-updates.
Botnets • Large number of compromised systems. • Centrally controlled. • Spam marketing. • Identity theft, password theft. • DDoS threats. • Espionage.
The Storm Botnet • P2P controlled – no central "mother ship". • Event based campaigns • 2008 greetings, Thanksgiving/Xmas/Valentines • Operated by the RBN. • Purchase expired domains. • Domains resolve to fast-flux networks. • Continuously changing DNS records. • Point to infected hosts.
The Storm Botnet • A few infected hosts are special • P2P control relays. • DNS servers. • HTTP servers. • Rootkits, malware, hacked sites, etc. • various delivery mechanisms. • Running for more than a year. • We have NOT been able to shut it down.
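The two Storm slides describe the fast-flux pattern a resolver log can be scored against: very low TTLs, a fresh set of A records on almost every lookup, and addresses scattered across unrelated networks (the infected hosts) rather than one hosting provider. The block below is an added example, not tooling from the talk or from the RBN write-ups it cites; the DNS observations are constructed, and the thresholds and the use of /16 prefixes as a stand-in for autonomous-system diversity are illustrative assumptions.

```python
"""Fast-flux scoring over DNS answer observations.

Added example, not from the original slides. OBSERVATIONS is constructed
data; thresholds and the /16-prefix diversity proxy are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed observations: (seconds since start, qname, answer IP, TTL).
# Addresses come from 100.64.0.0/10 so that distinct /16 prefixes are easy to see.
OBSERVATIONS = [
    # Flux candidate: two new hosts on every lookup, 60 s TTL, five different /16s.
    (0,   "greetings-2008.example", "100.64.3.4",   60),
    (0,   "greetings-2008.example", "100.70.9.12",  60),
    (60,  "greetings-2008.example", "100.81.200.7", 60),
    (60,  "greetings-2008.example", "100.64.77.1",  60),
    (120, "greetings-2008.example", "100.95.5.5",   60),
    (120, "greetings-2008.example", "100.70.44.9",  60),
    (180, "greetings-2008.example", "100.88.1.1",   60),
    (180, "greetings-2008.example", "100.81.9.9",   60),
    # CDN-like: low TTL and rotation too, but a handful of addresses in one network.
    (0,   "cdn-static.example", "100.80.1.10", 30),
    (0,   "cdn-static.example", "100.80.1.11", 30),
    (60,  "cdn-static.example", "100.80.1.12", 30),
    (60,  "cdn-static.example", "100.80.1.10", 30),
    (120, "cdn-static.example", "100.80.1.11", 30),
    (120, "cdn-static.example", "100.80.1.12", 30),
    # Ordinary site: one address, day-long TTL.
    (0,   "bank.example", "100.90.2.2", 86400),
    (300, "bank.example", "100.90.2.2", 86400),
]


def summarise(observations):
    """Group answers per name: distinct IPs, distinct /16s, TTLs, lookup times."""
    per_name = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": set()})
    for t, name, ip, ttl in observations:
        s = per_name[name]
        s["ips"].add(ip)
        s["nets"].add(str(ipaddress.ip_network(ip + "/16", strict=False)))
        s["ttls"].append(ttl)
        s["lookups"].add(t)
    return per_name


def flux_score(stats):
    """0-4 heuristic score; each satisfied indicator adds one point.

    Indicators (thresholds are assumptions): TTL at or below 5 minutes,
    at least five distinct addresses, at least three distinct /16s, and
    churn (distinct addresses per lookup) of 1.5 or more.
    """
    n_ips, n_nets = len(stats["ips"]), len(stats["nets"])
    churn = n_ips / max(len(stats["lookups"]), 1)
    score = 0
    if min(stats["ttls"]) <= 300:
        score += 1
    if n_ips >= 5:
        score += 1
    if n_nets >= 3:
        score += 1
    if churn >= 1.5:
        score += 1
    return score


def classify(observations, threshold=3):
    """Map each name to 'fast-flux' or 'stable' using flux_score."""
    return {name: ("fast-flux" if flux_score(s) >= threshold else "stable")
            for name, s in summarise(observations).items()}


if __name__ == "__main__":
    for name, verdict in classify(OBSERVATIONS).items():
        print(name, verdict)
```

The CDN entry is there to show why a low TTL alone is not enough: content networks also rotate addresses quickly, but within their own address space, so the network-diversity and churn indicators are what separate them from a botnet's proxy layer.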
Cyber warfare / terrorism? • China penetrated key US databases. • Dec 07/Jan 08 power blackouts in Central and South America. • 14 year old boy takes control of Tram network in Poland.
Effectiveness of Anti-Virus software • Makes computers sluggish. • False alarms. • "Most popular brands have an 80% miss rate" – AusCERT. • Heuristic recognition fell from 40-50% (2006) to 20-30% (2007) – HeiseOnline. • Signature based scanning does not work. • AI techniques can be easily beaten.
Web 2.0 attacks • MySpace worm – XSS goes the virus way. • Cross Site Request Forgery. • Predicted rise in Web 2.0 attacks in 2008, as more generic APIs become popular.
Pharming • Hijacking DNS entries. • www.hsbc.com resolves to a fraud site. • The DNS server is specified in the broadband router. • Broadband routers have web administration interfaces: • typically on 192.168.1.1, • with weak passwords: admin/admin. • Malicious sites contain an IFRAME that sends requests to the web admin interface and changes the DNS setting.
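The pharming slide is a Cross Site Request Forgery (the attack named on the Web 2.0 slide) aimed at a router: the victim's browser already holds the admin credentials, so a hidden IFRAME on any page the victim visits can issue the request that repoints DNS. The block below is an added example, not code from the talk or from any router vendor; it models the admin interface as plain Python functions so the vulnerable and hardened versions run side by side offline. The endpoint, parameter names, the HMAC token scheme and the Origin/Referer check are illustrative assumptions.

```python
"""Router admin CSRF: vulnerable handler beside a hardened one.

Added example, not from the original slides. The Router class, its
parameter names and its token scheme are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"
ADMIN_CREDS = ("admin", "admin")  # the weak default the slides describe


class Router:
    def __init__(self):
        self.dns_servers = ["192.168.1.1"]     # factory default: forward to ISP
        self.csrf_secret = secrets.token_bytes(32)

    def _authenticated(self, headers):
        """HTTP Basic auth, which browsers cache and resend to the same realm."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, pw = base64.b64decode(auth[6:]).decode().split(":", 1)
        except Exception:
            return False
        return (user, pw) == ADMIN_CREDS

    def set_dns_vulnerable(self, method, headers, params):
        """Any authenticated request changes DNS, GET included.

        Because the browser attaches the cached credentials itself, an
        <iframe src="http://192.168.1.1/setdns?dns=..."> on an attacker's
        page is enough; the victim never sees the request.
        """
        if not self._authenticated(headers):
            return 401
        self.dns_servers = [params["dns"]]
        return 200

    def csrf_token(self, session_id):
        """Per-session token the admin page embeds in its form (assumption)."""
        return hmac.new(self.csrf_secret, session_id.encode(), hashlib.sha256).hexdigest()

    def set_dns_hardened(self, method, headers, params, session_id):
        """State change needs POST, a same-origin Origin/Referer and a valid token."""
        if method != "POST":
            return 405
        if not self._authenticated(headers):
            return 401
        origin = headers.get("Origin") or headers.get("Referer", "")
        if not origin.startswith(ROUTER_ORIGIN):      # fail closed if absent
            return 403
        token = params.get("csrf", "")
        if not hmac.compare_digest(token, self.csrf_token(session_id)):
            return 403
        self.dns_servers = [params["dns"]]
        return 200


def attacker_request(dns):
    """What the victim's browser sends for the attacker's IFRAME: a GET carrying
    the cached Basic-auth header, a Referer on the attacker's site, no token."""
    headers = {
        "Authorization": "Basic " + base64.b64encode(b"admin:admin").decode(),
        "Referer": "http://malicious.example/",
    }
    return "GET", headers, {"dns": dns}


def demo():
    m, h, p = attacker_request("100.64.9.53")          # constructed rogue resolver
    r1 = Router()
    vuln = r1.set_dns_vulnerable(m, h, p)               # 200: DNS hijacked
    hijacked = r1.dns_servers == ["100.64.9.53"]
    r2 = Router()
    hard = r2.set_dns_hardened(m, h, p, "s1")           # 405: GET refused outright
    # Even a POST that somehow carries the right Origin fails without the token.
    forged = r2.set_dns_hardened("POST", dict(h, Origin=ROUTER_ORIGIN), p, "s1")   # 403
    # The legitimate admin page submits the token it was served.
    legit = r2.set_dns_hardened("POST", dict(h, Origin=ROUTER_ORIGIN),
                                dict(p, dns="100.64.1.53", csrf=r2.csrf_token("s1")), "s1")
    return vuln, hijacked, hard, forged, legit, r2.dns_servers


if __name__ == "__main__":
    print(demo())
```

The method restriction alone stops the IFRAME trick, since a framed URL can only produce a GET; the Origin/Referer check and the token are there for the auto-submitting form an attacker would try next, and for browsers that strip Referer the hardened handler fails closed rather than open.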
Resources
• 20 Reasons the world hates Norton Antivirus: http://www.dtgeeks.com/index.php/blogs/comment/20_reasons_the_world_hates_norton_anti_virus
• Antivirus protection worse than a year ago: http://www.heise-security.co.uk/news/print/100900
• Teen tram hack: http://www.theregister.co.uk/2008/01/11/tram_hack/print.html
• China has penetrated key US databases: http://www.securecomputing.net.au/print.aspx?CIID=101491
• Trojan to attack bank sites: http://www.symantec.com/enterprise/security_response/weblog/2008/01/banking_in_silence.html
• The Russian Business Network: http://rbnexploit.blogspot.com/
saumil@net-square.com