
Attacking Windows Stack and How to Protect against These Attacks



  1. Attacking Windows Stack and How to Protect against These Attacks
  Graham Calladine, David Hoyle
  Security Center of Excellence, Microsoft
  Session Code: SIA313

  2. Session Objectives & Takeaways
  • To learn and understand:
    • Current attack trends that Microsoft is seeing
    • Attack vectors
    • Mitigation strategies with Windows products

  3. 10 Years…
  • We have come a long way since Melissa
  • 2003-2004: difficult times
    • Blaster/Slammer – was horrible – hit home users hard
  • Conficker emerged in a different software industry – did not hit home users hard
  • Partnerships
    • MS Response Alliance & Internet Consortium for Advanced Security on the Internet & CWG

  4. WW Threat Trends
  • Not a simple trend – geographically diverse
  • Miscellaneous Trojans (including rogue software) most prevalent
  • Worms 2nd most prevalent
  • Password stealers & monitoring tools
  • Breaches – data scarce (datalossdb.org)
    • Top is stolen equipment, twice as many incidents as intrusion
    • But equipment loss is easily reported!
  Data: Microsoft SIR v7 Report

  5. Geographical Trends
  • 8 locations with most infected machines
    • USA, UK, France, Italy – Trojans
    • China – language-specific browser threats
    • Brazil – malware targeting online banking
    • Spain, Korea – worms targeting online gamers
  Data Source: SIR V7 Report, Pg 40

  6. Threat Landscape is getting better?
  • Improvement in software development practice
    • Software Development Lifecycle (SDL)
    • Geoff 1min Video
  • Increased availability of automatic patch update process
    • Patch Tuesday and Auto Updates
    • However, an unpatched client is the primary initial infection vector
  • Social engineering techniques to mislead victims
    • Attacker still finds success with a variety of techniques for manipulating people

  7. SANS Analysis
  • “The Top Cyber Security Risks”, September 2009
  • Application vulnerabilities exceed OS vulnerabilities
  • Web application attacks
    • Cross Site Scripting, PHP File Include, and SQL Injection
  • Windows:
    • Conficker/Downadup
  Cited from SANS “The Top Cyber Security Risks”, September 2009, http://www.sans.org/top-cyber-security-risks/

  8. Attackers use social engineering techniques – Human Emotion
  • FEAR – I want: Protection. I got: Rogue Software
  • DESIRE – I want: Web surfing, free stuff, games, etc. I got: fake contents, malicious downloads, etc.
  • TRUST – I want: Online banking, email, social networking, etc. I got: banking malware, phishing, spam, file format infections, etc.
  Source: Microsoft Security Intelligence Report, July through December 2008

  9. Attack Vectors and Trends
  • Current attacks in the wild
    • Rogue Security Software and Worms
    • Browser Based Attacks
      • Phishing
      • Cross Site Scripting
      • Clickjacking
    • File Format Attacks

  10. Attack Vectors and Trends
  • Rogue Security Software and Worms
  • Browser Based Attacks
  • File Format Attack

  11. Rogue Unwanted Software
  • Win32/Renos
  • Win32/FakeXPA

  12. Rogue Security Software 1
  • Use fear to convince victims
  • Win32/Renos family

  13. Rogue Security Software 2
  • Use the same logic
  • Win32/FakeXPA family

  14. A Rogue Software Real Sample
  http://blogs.technet.com/mmpc/archive/2009/08/20/winwebsec-on-youtube.aspx
  • Use your desire
  • There is no security issue or vulnerability in YouTube.com.

  15. Rogue Software
  • Win32/FakeVimes and Win32/PrivacyCenter have become more prevalent in the last 2 months
  • Distributed via fake online scanners

  16. Worms: Win32/Conficker.A to E
  • Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)
  • On October 23, 2008, Microsoft released critical security update MS08-067
    • The vulnerability allows remote code execution if an affected system receives a specially crafted Remote Procedure Call (RPC) request
  • On November 21, 2008, the first significant worm that exploits MS08-067 was discovered
    • The first variant discovered, Worm:Win32/Conficker.A, only uses MS08-067 exploits to propagate
  • On December 29, 2008, a significantly more dangerous variant, Win32/Conficker.B, was discovered
    • Exploits the MS08-067 vulnerability but uses additional methods to propagate. It attempts to spread itself to other computers on the network
    • Combines the vulnerability with social engineering to introduce and spread the worm in an organization
  • Continues…
  http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

  17. Social Engineering
  • E-mailing infected files with official-sounding names, like “Corporate Policy.PDF”, to people at a company

  18. Worms: Win32/Conficker.A to E
  • Release D monitors 500 of 50,000 domain names per day for payloads… and still does
  • Conficker Working Group (CWG) formed Jan 09
    • Many people from well-known security groups/researchers
    • Implemented a defensive DNS strategy
    • Kaspersky & OpenDNS – calculated one year of names
    • All 110 TLDs involved & signed up
  • Rapid, effective collaboration – keeps Conficker constrained

  19. Published Articles for Conficker
  • Knowledge Base article
    • KB962007
  • MMPC blog (http://blogs.technet.com/mmpc)
    • Get Protected, Now! (October 23, 2008)
    • A Quick Update About MS08-067 Exploits (November 17, 2008)
    • Just in Time for New Year’s… (December 31, 2008)
    • MSRA Released Today Addressing Conficker and Banload (January 13, 2009)
    • Centralized Information About the Conficker Worm (January 22, 2009)
    • Information about Worm:Win32/Conficker.D (March 27, 2009)

  20. Mitigations
  • Get the latest computer updates
  • Install and update anti-malware signatures
  • Run an up-to-date scanning and removal tool
  • Use caution with attachments and file transfers
  • Use caution when clicking on links to web pages
  • Standard user rights
  • Protect yourself from social engineering attacks
  • User security best practices, such as a strong password policy
  • Keep an eye on vulnerabilities and follow the guidance from trusted sources
  • Use recent technologies and systems that can reduce the risk of exploitation

  21. Attack Vectors and Trends
  • Rogue Security Software and Worms
  • Browser Based Attacks
  • File Format Attack

  22. Browser Based Attacks
  • Phishing
  • Cross Site Scripting
  • ClickJacking

  23. Browser Based Attacks
  • Phishing
  • Cross Site Scripting
  • ClickJacking

  24. Phishing: Overview
  • Phishing is a method of identity theft that tricks Internet users into revealing personal or financial information online.

  25. Phishing Scam Samples
  • Social engineering techniques
    • “Verify your account”
    • “If you don't respond within 48 hours, your account will be closed”
    • “Dear Valued Customer”
    • “Click the link below to gain access to your account”

  26. Spear Phishing and Whaling
  • Spear phishing – highly targeted phishing
    • Send email messages that appear genuine to all employees and members within a community
  • Whaling – involves targeted attacks on senior executives and other high-ranking people

  27. Phishing Trends in Industry
  • APWG: Anti-Phishing Working Group Report, 1H 2009
  http://www.antiphishing.org/reports/apwg_report_h1_2009.pdf

  28. PhishTank: Current Phish Sites
  • Live phish sites can be found at http://www.phishtank.com/

  29. Phishing with Hotmail
  • Illegally acquired by a phishing scheme and exposed on a website
  • Microsoft recommends:
    • Renew passwords for Windows Live IDs every 90 days
    • For administrators, make sure you approve and authenticate only users that you know and whose credentials you can verify
    • As phishing sites can also pose additional threats, install and keep anti-virus software up to date

  30. Techniques
  • Man-in-the-middle attacks
    • Proxies,
    • DNS cache poisoning, etc.
  • URL obfuscation attacks
    • Bad domain name,
    • Friendly login URLs,
    • Host name/URL obfuscation, etc.
  • Etc…
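The URL obfuscation entries above are the ones a browser-side filter has to see through before it can compare a link against a block list or a reputation list. The following is an added example, not code from the deck or from SmartScreen: it resolves the host a browser would actually connect to for a few constructed links and flags the patterns the slide names (credentials before an @, a numeric host, a host outside the expected domain). Node.js only, using the built-in WHATWG URL parser; contoso.com is the placeholder domain the deck itself uses and 203.0.113.5 is a documentation-only address.

```javascript
// Added example, not from the deck: resolving the host a browser would really
// connect to for a phishing-style link, the first thing a filter such as IE8
// SmartScreen must do before it can compare the link against its lists.
// Node.js only; the WHATWG URL parser is built in, no modules are needed.

// Host the browser would connect to, or null for a string that is not an
// absolute URL at all.
function effectiveHost(link) {
  try {
    return new URL(link).hostname;
  } catch (e) {
    return null;
  }
}

// True when host is the expected site or a subdomain of it. A substring test
// would accept the look-alike "www.contoso.com.example.net".
function isExpectedHost(host, expected) {
  if (host === null) return false;
  return host === expected || host.endsWith('.' + expected);
}

// Classify one link as a filter would, recording which of the slide's
// obfuscation patterns it matches.
function checkLink(link, expectedHost) {
  let parsed;
  try {
    parsed = new URL(link);
  } catch (e) {
    return { verdict: 'invalid', host: null, findings: [] };
  }
  const findings = [];
  // "Friendly login URL": user info before the @ imitates the real host name.
  if (parsed.username !== '' || parsed.password !== '') findings.push('credentials-in-url');
  // Host name obfuscation: an IP address instead of a name. A single decimal
  // number has already been normalised to dotted form by the parser.
  if (/^\d+(\.\d+){3}$/.test(parsed.hostname)) findings.push('numeric-host');
  // The host is not the site the link claims to belong to.
  if (!isExpectedHost(parsed.hostname, expectedHost)) findings.push('host-mismatch');
  return {
    verdict: findings.length === 0 ? 'ok' : 'suspicious',
    host: parsed.hostname,
    findings,
  };
}

// Constructed sample links. contoso.com is the placeholder domain used on the
// deck's own slides; 203.0.113.5 is a documentation-only address.
const SAMPLE_LINKS = [
  'https://login.contoso.com/account',           // genuine
  'http://login.contoso.com@203.0.113.5/verify', // name before the @ is only a username
  'http://3405803781/verify',                    // 203.0.113.5 written as one decimal number
  'http://www.contoso.com.example.net/login',    // look-alike subdomain of another site
  'not a url',
];

// Run every sample through the check for the site it claims to belong to.
function classifyAll(expectedHost) {
  return SAMPLE_LINKS.map((link) => ({ link, ...checkLink(link, expectedHost) }));
}

for (const result of classifyAll('contoso.com')) {
  console.log(`${result.verdict.padEnd(10)} ${result.host ?? '-'}  ${result.link}  ${result.findings.join(',')}`);
}
```

The point of `effectiveHost` is that the decision must be taken on the parsed host, never on the text of the link: the second and third samples both connect to 203.0.113.5 although neither contains that string as written, and the fourth is a perfectly valid name that merely ends with the expected domain's letters.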

  31. Demo: Anti-Phishing – IE 8 SmartScreen

  32. Mitigations
  • Use an up-to-date anti-malware product from a known, trusted source, and keep it updated.
  • Use the most recent version of your Web browser, and keep it up to date by applying security updates and service packs in a timely fashion.
  • Use a robust spam filter to guard against fraudulent and dangerous e-mail.
  • You can add sites you trust to the Trusted Sites zone, keeping that zone's security level at Medium or higher.
  • Follow the guidance to take action:
    http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

  33. Browser Based Attacks
  • Phishing
  • Cross Site Scripting
  • ClickJacking

  34. Cross Site Scripting: Overview
  • Cross-Site Scripting (XSS) occurs whenever an application reads user data and embeds that user data in Web responses without encoding or validating it
  • Common vulnerabilities that make Web-based applications susceptible to cross-site scripting attacks:
    • Improper input validation
    • Failing to encode output
    • Trusting data from shared resources

  35. Cross Site Scripting in the News
  • October 2005 – MySpace “Samy” worm
  • February 2006 – Facebook
  • June 2008 – Yahoo Mail
  • December 2008 – American Express
  • April 2009 – Twitter, http://twittercism.com/remove-stalkdaily/

  36. http://xssed.com/ – live XSSed

  37. Types of Cross-Site Scripting
  • Two major types of cross-site scripting attacks:
    • Type 1: Non-Persistent
      • Often referred to as reflected cross-site scripting
      • Requires some level of social engineering
    • Type 2: Persistent
      • Stored cross-site scripting
      • One attack can affect multiple users
  • Type 0: DOM-Based

  38. Type 1: Non-Persistent Cross-Site Scripting
  [Diagram: Malicious User → User → Web Server]
  • Lure sent to the user: “Congratulations! You won a prize, please click here to claim your prize!”
  • Link target: http://www.contoso.com?id=[malicious code]
  • Response from the web server echoes the parameter:
    <html> <head> <title>Hello</title> </head> <body> [malicious code] </body> …

  39. Type 2: Persistent Cross-Site Scripting
  [Diagram: Malicious User → Web Server → Database → User, User, User]
  • Blog comment submitted by the malicious user and stored in the database:
    “Hello, this article was helpful! [malicious code] Thanks, Kevin”
  • The same blog comment, including the malicious code, is served to every user who later views the page

  40. Mitigation Strategies
  • Server side
    • Validate all untrusted input
    • Encode any Web response data that could contain user or other untrusted input
    • Use built-in ASP.NET protection via the ValidateRequest option
    • Use the System.Web.HttpCookie.HttpOnly property
    • Use the <frame>, <iframe> security attribute (IE6 and above)
    • Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS)
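The first two server-side items, validate input and encode output, are the ones the two preceding slides turn on, so here they are applied to both of those cases. This is an added example, not code from the deck and not the AntiXSS library: a hypothetical greeting page that echoes a query parameter (the reflected case of slide 38), a constructed in-memory comment store in place of the blog's database (the stored case of slide 39), an attribute-context render to show why quotes are encoded too, and an HttpOnly session cookie. The probe string `<script>probe()</script>` is constructed and stands in for the slides' "[malicious code]". Node.js, no external modules.

```javascript
// Added example, not from the deck and not the AntiXSS library: the
// "validate input" and "encode output" steps from the slide applied to the
// reflected case (slide 38, a parameter echoed into the page) and the stored
// case (slide 39, a blog comment shown to every later reader), plus the
// HttpOnly flag on the session cookie. Node.js, no external modules.

// HTML-encode the five characters that can end element content or a quoted
// attribute value; everything else passes through unchanged.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Input validation by allow-list: the id parameter of the deck's
// http://www.contoso.com?id=... link only ever holds digits, so anything
// else is rejected before the page is built.
function validateId(raw) {
  return /^[0-9]{1,10}$/.test(String(raw));
}

// Reflected, as the slide shows it: the query value is copied into the
// response without encoding. Kept deliberately unsafe for comparison only.
function renderGreetingVulnerable(name) {
  return `<html><head><title>Hello</title></head><body>Hello ${name}</body></html>`;
}

// Reflected, hardened: free text cannot be allow-listed tightly, so it is
// encoded on the way out and the browser shows it as text, not markup.
function renderGreetingSafe(name) {
  return `<html><head><title>Hello</title></head><body>Hello ${htmlEncode(name)}</body></html>`;
}

// Stored: comments are kept exactly as typed (constructed in-memory store in
// place of the database) and encoded at render time, so one hostile comment
// cannot run in every later reader's browser.
const comments = [];
function addComment(author, text) {
  comments.push({ author, text });
  return comments.length;
}
function renderComments() {
  const items = comments.map(
    (c) => `<li>${htmlEncode(c.text)} <i>by ${htmlEncode(c.author)}</i></li>`,
  );
  return `<ul>${items.join('')}</ul>`;
}

// Attribute context: the double quote must be encoded as well, or a value
// containing one would close the attribute early.
function renderSearchBox(query) {
  return `<input type="text" name="q" value="${htmlEncode(query)}">`;
}

// Set-Cookie value for the session: HttpOnly keeps script on the page from
// reading it, which limits what an injected script can take with it.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly`;
}

// Constructed probe standing in for the slides' "[malicious code]".
const PROBE = '<script>probe()</script>';

addComment('Kevin', `Hello, this article was helpful! ${PROBE} Thanks, Kevin`);
console.log('vulnerable :', renderGreetingVulnerable(PROBE));
console.log('encoded    :', renderGreetingSafe(PROBE));
console.log('stored     :', renderComments());
console.log('attribute  :', renderSearchBox('a" b'));
console.log('id 42 valid:', validateId('42'), '| id with markup valid:', validateId(`42${PROBE}`));
console.log('cookie     :', sessionCookieHeader('abc123'));
```

Encoding is done at the point of output rather than at storage because the same comment may later be emitted into a different context (a JSON feed, an attribute, a mail body), each with its own encoding; the AntiXSS library's `EncodingContext` settings on the next slide make exactly that distinction.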

  41. Microsoft Anti-Cross Site Scripting Library V3.1
  • New features
    • An expanded white list that supports more languages
    • Performance improvements
    • Performance data sheets (in the online help)
    • Support for Shift_JIS encoding for mobile browsers
    • A sample application
    • Security Runtime Engine (SRE) HTTP module

  42. Security Runtime Engine (SRE) HTTP module
  Ideally, you do not need to change your code!
  In your web.config:
    <httpModules>
      <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>
    </httpModules>
  In antixssmodule.config:
    <ControlEncodingContexts>
      <ControlEncodingContext FullClassName="System.Web.UI.Page" PropertyName="Title" EncodingContext="Html" />
      <ControlEncodingContext FullClassName="System.Web.UI.WebControls.Label" PropertyName="Text" EncodingContext="Html" />
      <ControlEncodingContext FullClassName="System.Web.UI.WebControls.CheckBox" PropertyName="Text" EncodingContext="Html" />
    </ControlEncodingContexts>

  43. Demo: Anti-Cross Site Scripting in Action – Microsoft Anti-Cross Site Scripting Library V3.1

  44. Mitigation Strategies
  • Client side
    • IE8 XSS Filter

  45. Demo: Anti-Cross Site Scripting in Action – IE8 XSS Filter with Microsoft Application Compatibility Toolkit

  46. Browser Based Attacks
  • Phishing
  • Cross Site Scripting
  • ClickJacking

  47. ClickJacking: Overview
  • Clickjacking is:
    • an attack that tricks the victim into initiating commands on a website that they did not intend.
    • Uses iframes and web page layers in DHTML such that a potentially malicious button (for example) is overlaid on top of an existing legitimate web page.

  48. A ClickJacking Example
  • Suppose that a hacker site has the following source code…

  49. Mitigation
  • Use a frame-breaker script
    • <script>if (top!=self) top.location.href=self.location.href</script>
  • Use the X-Frame-Options header for IE8
    • HTTP response header named X-FRAME-OPTIONS, sent with HTML pages to restrict how the page may be framed
    • If the OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it would be contained within a frame
    • Add X-FRAME-OPTIONS and DENY to HTTP Response Headers using IIS Manager,
    • In HTML, insert <meta http-equiv="X-FRAME-OPTIONS" content="DENY" /> in the <head> section, or
    • Using ASP.NET, insert Response.AddHeader("X-Frame-Options", "Deny").
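Both mitigations from the slide, written so they can be exercised outside a browser, as an added example that is not code from the deck. The frame-breaker is the slide's own one-liner, kept verbatim in the page template; its decision is also exposed as a function whose `win` argument is a hypothetical stand-in for the browser's window object. `sendPage` is a hypothetical helper that sets the X-Frame-Options header on a Node.js `http.ServerResponse`; the SAMEORIGIN token, which the slide does not mention, is the other value IE8 accepts and is included as a known fact.

```javascript
// Added example, not from the deck: the two clickjacking mitigations from
// the slide, the frame-breaker script and the X-Frame-Options header, as
// functions that can be exercised outside a browser. Node.js, no external
// modules; `win` below stands in for the browser's window object.

// Exactly the slide's one-line script, embedded in <head> of every page.
const FRAME_BREAKER = '<script>if (top!=self) top.location.href=self.location.href</script>';

// The script's decision as a function: the URL the top window should be
// sent to when this document is framed, or null when it is already top.
function frameBreakTarget(win) {
  return win.top !== win.self ? win.self.location.href : null;
}

// The header value. DENY is the token the slide uses; SAMEORIGIN (also
// honoured by IE8) lets the site frame its own pages and nobody else.
function frameOptionsValue(policy) {
  const allowed = ['DENY', 'SAMEORIGIN'];
  const token = String(policy).toUpperCase();
  if (!allowed.includes(token)) {
    throw new Error(`unsupported X-Frame-Options policy: ${policy}`);
  }
  return token;
}

// Page template: the frame-breaker goes in <head> so it runs before the body
// is laid out and can be clicked.
function buildPage(bodyHtml) {
  return `<html><head>${FRAME_BREAKER}</head><body>${bodyHtml}</body></html>`;
}

// Response helper for Node's http module: every HTML response carries the
// header, the same effect as adding it once in IIS Manager.
function sendPage(res, bodyHtml, policy = 'DENY') {
  res.setHeader('X-Frame-Options', frameOptionsValue(policy));
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.end(buildPage(bodyHtml));
  return res;
}

// Constructed window objects: one that is the top-level document and one
// that has been loaded inside another page's frame.
function makeTopWindow(href) {
  const win = { location: { href } };
  win.self = win;
  win.top = win;
  return win;
}
function makeFramedWindow(href) {
  const win = { location: { href } };
  win.self = win;
  win.top = { location: { href: 'https://attacker.example/overlay' } }; // constructed
  return win;
}

console.log('top-level  ->', frameBreakTarget(makeTopWindow('https://www.contoso.com/transfer')));
console.log('framed     ->', frameBreakTarget(makeFramedWindow('https://www.contoso.com/transfer')));
console.log('header     ->', frameOptionsValue('deny'));
```

`sendPage` can be passed straight to a real `http.createServer` handler as `sendPage(res, '<button>Confirm</button>')`. Of the two controls, the header is the one to rely on: the script only runs when scripting is enabled in the framed document, and X-Frame-Options is acted on as an HTTP response header, not as the `<meta http-equiv>` form listed on the slide.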
