
A Malicious Code Perspective on Web Application Privacy Sept. 6, 2007


Presentation Transcript


  1. A Malicious Code Perspective on Web Application Privacy
  Sept. 6, 2007
  Blake Hartstein, Rapid-Response Engineer, VeriSign iDefense Security Intelligence Services
  bhartstein@verisign.com

  2. Web Application Privacy Agenda
  • Malicious Code Functionality
    • Confidentiality: Stealing Private Information, Masquerade, Escalate
    • Integrity: A Large Risk, Persistent, Large Scale
    • Availability: Denial of Service, Ransom
  • Developer and Administrator Preventative Actions

  3. iDefense Team Background
  • The Leading Security Intelligence Research Team
    • iDefense provides proactive notification of impending threats, including vulnerabilities and malicious code
  • Industry-Leading Services Offerings
    • Intelligence is all the iDefense team does
    • Completely vendor-agnostic
  • Marquee Customer and Partner Base
    • Government, financial services, insurance, healthcare, retail
    • Security software and services
  • Five Experienced Intelligence Teams
  • Actively Gathering Cyber Intelligence Since 1998

  4. iDefense Has More Than 40 Full-Time Researchers and More Than 300 Contributors Worldwide
  iDefense Teams:
  • Intelligence Teams: iDefense Labs, Malicious Code Operations Team, Vulnerability Aggregation Team, Global Threat Team, Rapid-Response Team
  • VCP Network: 280+ Researchers, 35+ Countries
  Coverage and Sources:
  • 24x7 Operations: Infiltration, Aggregation, Analysis
  • 10,000+ Products and Technologies
  • 1,500+ Public Sources
  • 1,200+ Underground and Private Sources
  • 35 Countries, 12 Languages
  Intelligence Reports:
  • 1,000+ Vulnerability Reports each Month
  • 1,200+ Malicious Code Reports each Month

  5. Summary of Service Bundles
  Basic Service:
  • iDefense Intelligence Reports (daily alerts)
  • iDefense FLASH Reports
  • Public Vulnerability Feed
  • iDefense Exclusives
  • Weekly Version 1 Summary
  • Malicious Code Analysis Feed
  Enhanced Service (everything in Basic, plus):
  • iDefense Analyst Access
  • Bi-Monthly Threat Briefings
  • Weekly Threat Report (E-Mail and Portal)
  • Bi-Weekly Malicious Code and Vulnerability Reviews
  • Rapid-Response Intelligence Reports
  • iDefense Topical Research Reports (including MS bulletin review)
  • Monthly Microsoft Bulletin Post-Release Analysis Report
  Comprehensive Service (everything in Enhanced, plus):
  • iDefense Focused Intelligence Reports
  • Custom “analyst desk” with Designated Analyst Contact
  • Phishing Take-Down Service
  Public-Only Vulnerability Feed:
  • iDefense Public Vulnerability Reports (daily alert)
  • iDefense Public Vulnerabilities

  6. Confidentiality
  • Keystroke Logging
  • Form Grabbing
  • Browser Injection
  • Screenshots and Mouse Events
  • Stored Passwords
  • Certificates

  7. Compromised Hosts
  • HTML Injection
  • Transaction Authentication Numbers (TAN)
  • Additional Personal Information

  8. Nuklus
  • Spoofed Bank E-Mails
  • Pre-Qualify Victims

  9. Nuklus
  • Changes Behavior of Approximately 2,110 Pages
  • Modular Design and Evolving Functionality:
    • Steal Certificates
    • Firefox/IE Sniffers
    • Re-write URLs
    • Hook Connections
    • Proxy Traffic
    • Collect Credentials
  • Other Versions Delete Cookies, Capture Screens, Patch TCP/IP Stack and Redirect Connections

  10. Information Stealing Made Easy
  • Gartner Estimates Banks Lost $2.4 billion to Credential-Stealing Malicious Programs and Phishing over a One-Year Period in 2004*
  • Pinch and LDPinch
    • Compress and Encode
    • Relay Confidential Information over SMTP and HTTP
  * http://www.microsoft.com/smallbusiness/resources/technology/security/3_major_online_threats_to_your_business.mspx

  11. Integrity Affects the Whole Network
  • File Infectors: Chir.B (Nimda)
    • Executables
    • HTML: <script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script>
  • ARP Spoofing
    • Injection
    • Eavesdropping
    • Hijacking
    • Man-in-the-Middle
  • Rootkits
    • Hide from tools and users

  12. Backdoors, Control Panels and Toolkits
  • Designed to Steal, Retrieve, and Abuse Credentials
  • Configurable and Custom
    • Metaphisher (aka Agent.dq)
    • Apophis
  • Increased Risk
    • Attacker may target drop sites
    • Password file available
    • Weak or guessable passwords
  • Two-factor authentication
  • Securing drop sites

  13. Availability
  • Encrypt and Delete Original Data
  • Purchase Bots to use bandwidth
  • Denial of Service Ransom*
    • $50,000.00 fee
    • $10,000.00 for smaller organizations
  * http://www.theregister.com/2007/06/13/black_hat_list/

  14. The Good News and the Bad News
  • Which assets are valuable?
    • Targeted emails work
    • Monstres.A Trojan, Monster.com
  • Loss of Confidentiality
    • Users and Applications are Often Unaware
    • Risk to Assets
  • Attacks Evolve, but attack elements are often reused
    • Tools, Techniques and Hosts
  • Block Lists and Intrusion Detection
    • http://www.spamhaus.org/drop/drop.lasso
    • http://www.snort.org/
    • http://www.bleedingthreats.net/
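The slide points at the Spamhaus DROP list and Snort as ways to reuse the "hosts" element of an attack against its next wave. The following is an added example (not code from the deck or from iDefense) of the plumbing that turns a DROP-format list into both a log check and Snort rules. The list entries and access-log lines are constructed samples in the real file formats, the SBL references and IP ranges are documentation-space placeholders, and the rule template (`alert ip <cidr> any -> $HOME_NET any`, local sids from 1000001) is an assumed local convention:

```python
"""Check web-server log sources against a Spamhaus DROP-format block list
and emit Snort rules for the same ranges.

Added example, not from the iDefense deck. The DROP list and log lines are
constructed samples in the real formats; in practice fetch the live list
from the URL on the slide.
"""
import ipaddress
import re
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample in DROP file format: ';' starts a comment, entries are
# "<cidr> ; <SBL reference>". Ranges are RFC 5737/3849 documentation space.
SAMPLE_DROP_LIST = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 06 Sep 2007 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8::/32 ; SBL000003
"""

# Constructed access-log lines (Apache combined-style), not real traffic.
SAMPLE_LOG = """\
192.0.2.77 - - [06/Sep/2007:10:15:01 -0400] "POST /login HTTP/1.1" 200 512
203.0.113.5 - - [06/Sep/2007:10:15:03 -0400] "GET /account HTTP/1.1" 200 2048
198.51.100.200 - - [06/Sep/2007:10:15:07 -0400] "POST /transfer HTTP/1.1" 302 0
198.51.100.9 - - [06/Sep/2007:10:15:09 -0400] "POST /transfer HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def parse_drop_list(text: str) -> List[Tuple[Network, str]]:
    """Parse DROP text into (network, SBL reference) pairs, skipping comments."""
    entries: List[Tuple[Network, str]] = []
    for raw in text.splitlines():
        cidr, _, ref = raw.partition(";")
        cidr = cidr.strip()
        if not cidr:
            continue  # blank line or pure comment
        entries.append((ipaddress.ip_network(cidr, strict=False), ref.strip()))
    return entries


def match_log(log_text: str, entries: List[Tuple[Network, str]]) -> List[Dict[str, str]]:
    """Return one hit per log line whose client IP falls inside a listed range."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real monitor would count these
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        for net, ref in entries:
            # Version check avoids comparing v4 addresses against v6 networks.
            if addr.version == net.version and addr in net:
                hits.append({"ip": str(addr), "ref": ref, "ts": m.group("ts"),
                             "request": m.group("req")})
                break
    return hits


def to_snort_rules(entries: List[Tuple[Network, str]], base_sid: int = 1000001) -> List[str]:
    """Render one Snort 2 rule per range (assumed local sid range from 1000001)."""
    rules: List[str] = []
    for i, (net, ref) in enumerate(entries):
        rules.append(
            f'alert ip {net} any -> $HOME_NET any '
            f'(msg:"DROP list hit {ref}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    drop = parse_drop_list(SAMPLE_DROP_LIST)
    for hit in match_log(SAMPLE_LOG, drop):
        print(f'{hit["ts"]} {hit["ip"]} listed as {hit["ref"]}: {hit["request"]}')
    print("\n".join(to_snort_rules(drop)))
```

Note the /25 entry: 198.51.100.200 falls outside it while 198.51.100.9 falls inside, which is exactly the prefix arithmetic a hand-written grep on the first three octets gets wrong.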

  15. Prevent and Detect
  • Secure Coding is Half the Battle
  • Application Knows Best
    • Behavioral Monitoring
    • Thresholds, Statistics, and Timing
  • Multiple Communication Channels
    • Varying Trust Levels
  • Revoking and Alerting
  • Enforcing Password Requirements
  • Protect Confidential Information
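"Application knows best" on this slide means the server sees things a network sensor cannot: how long a transfer form sat open before it was posted, whether the payee is new, and how the amount compares with the user's own history. The following is an added example (not code from the deck or from iDefense) of that monitoring as a scoring function that ends in allow, step-up over a second channel, or revoke. The sessions, payee lists, transaction histories, the event names, and every threshold and weight are constructed/assumed values for illustration:

```python
"""Application-side behavioral monitoring of online-banking sessions:
timing, thresholds and per-user statistics feeding a revoke/step-up decision.

Added example for the "Prevent and Detect" slide, not code from the deck.
Sessions, payee lists, transaction histories and every threshold are
constructed/assumed values for illustration.
"""
import statistics
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Event:
    t: float              # seconds since session start
    kind: str             # "form_served", "form_submit" or "transfer"
    payee: str = ""
    amount: float = 0.0


@dataclass
class Verdict:
    action: str           # "allow", "step_up" (confirm out of band) or "revoke"
    score: int
    reasons: List[str] = field(default_factory=list)


# Assumed policy values
MIN_FILL_SECONDS = 2.0            # humans rarely submit a transfer form this fast
MAX_TRANSFERS_PER_SESSION = 3
LARGE_AMOUNT = 5000.0             # new payee at or above this needs a second channel
SIGMA = 3.0                       # per-user ceiling = mean + SIGMA * stdev of history
WEIGHTS = {"fast_fill": 2, "new_payee_large": 2, "amount_anomaly": 1, "too_many_transfers": 3}


def amount_ceiling(history: List[float]) -> float:
    """Statistical ceiling on one transfer, from the user's own past amounts."""
    if len(history) < 2:
        return LARGE_AMOUNT  # no usable baseline yet
    return statistics.mean(history) + SIGMA * statistics.pstdev(history)


def assess_session(events: List[Event], known_payees: Set[str], history: List[float]) -> Verdict:
    """Score a session's events; score >= 3 revokes it, 1-2 forces step-up."""
    reasons: List[str] = []
    score = 0
    ceiling = amount_ceiling(history)
    served_at = None
    transfers = 0

    def flag(key: str, text: str) -> None:
        nonlocal score
        score += WEIGHTS[key]
        reasons.append(text)

    for ev in events:
        if ev.kind == "form_served":
            served_at = ev.t
        elif ev.kind == "form_submit":
            # Timing: a form-grabber or injected script posts almost instantly.
            if served_at is not None and ev.t - served_at < MIN_FILL_SECONDS:
                flag("fast_fill", f"form submitted {ev.t - served_at:.1f}s after render")
            served_at = None
        elif ev.kind == "transfer":
            transfers += 1
            if ev.payee not in known_payees and ev.amount >= LARGE_AMOUNT:
                flag("new_payee_large", f"{ev.amount:.2f} to never-seen payee {ev.payee}")
            if ev.amount > ceiling:
                flag("amount_anomaly", f"{ev.amount:.2f} exceeds user ceiling {ceiling:.2f}")
    if transfers > MAX_TRANSFERS_PER_SESSION:
        flag("too_many_transfers", f"{transfers} transfers in one session")

    action = "revoke" if score >= 3 else ("step_up" if score > 0 else "allow")
    return Verdict(action, score, reasons)


# Constructed sessions: (events, known payees, past transfer amounts)
SESSIONS: Dict[str, tuple] = {
    # Scripted submit 0.3s after render, large transfer to an unknown payee
    "alice": ([Event(10.0, "form_served"), Event(10.3, "form_submit"),
               Event(10.4, "transfer", "mule-9981", 7500.0)],
              {"landlord", "utility"}, [100.0, 150.0, 80.0, 160.0, 110.0]),
    # Normal: 20s to fill the form, usual payee, usual amount
    "bob": ([Event(5.0, "form_served"), Event(25.0, "form_submit"),
             Event(25.5, "transfer", "landlord", 900.0)],
            {"landlord"}, [800.0, 900.0, 850.0, 820.0, 880.0]),
    # Four small transfers to a known payee in one session
    "carol": ([e for n in range(4) for e in (
                  Event(30.0 * n, "form_served"),
                  Event(30.0 * n + 15.0, "form_submit"),
                  Event(30.0 * n + 16.0, "transfer", "utility", 50.0))],
              {"utility"}, [40.0, 60.0, 50.0, 45.0, 55.0]),
}


def run_samples() -> Dict[str, Verdict]:
    return {user: assess_session(*data) for user, data in SESSIONS.items()}


if __name__ == "__main__":
    for user, v in run_samples().items():
        print(user, v.action, v.score, "; ".join(v.reasons))
```

The step-up action is where the slide's "multiple communication channels" and "varying trust levels" come in: a session that scores low but non-zero is not cut off, it is asked to confirm the transfer through a channel the infected browser does not control.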

  16. Prevent and Detect
  • Assume Infection and Loss of Credentials
  • It IS a Developer’s Problem
    • Reputation and User Experience
  • Procedural Plan
    • Disaster Recovery and Business Continuity
    • Which Assets are at Risk?
  • File and Database Integrity
    • Change Monitoring
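The integrity slide (11) quotes the one-line script Chir.B appended to HTML files, and this slide asks for file integrity and change monitoring as the response. The following is an added example (not code from the deck or from iDefense) serving both: a hash baseline of a web root, a diff against it, and a content scan for the quoted launcher. The web root, its files and the simulated infection are constructed in a temporary directory; the readme.eml stand-in is an inert text file, and the use of SHA-256 and the directory layout are assumptions of this example:

```python
"""Web-root integrity baseline and change monitoring, plus a content check
for the Chir.B-style script injection quoted on slide 11.

Added example serving slides 11 and 16; not code from the deck. The web root,
its files and the simulated infection are constructed in a temporary
directory so the example runs offline.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterator, List, Tuple

HTML_EXTS = (".html", ".htm")
# The payload Chir.B appended to HTML files (as quoted on slide 11) opens
# the worm's readme.eml in an off-screen window.
INJECTED_SCRIPT_RE = re.compile(r'window\.open\(\s*"readme\.eml"', re.IGNORECASE)
CHIR_B_PAYLOAD = ('<script language="JavaScript">window.open("readme.eml", null,'
                  '"resizable=no,top=6000,left=6000")</script>')


def list_files(root: str) -> Iterator[str]:
    """Yield every file under root as a relative, '/'-separated path."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map every file under root to its SHA-256 (store this off-host)."""
    return {rel: file_digest(os.path.join(root, rel)) for rel in list_files(root)}


def diff_baseline(root: str, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the current tree with a stored baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def scan_html(root: str) -> List[str]:
    """Return HTML files carrying the injected readme.eml launcher."""
    hits: List[str] = []
    for rel in list_files(root):
        if rel.lower().endswith(HTML_EXTS):
            with open(os.path.join(root, rel), "rb") as f:
                text = f.read().decode("latin-1")  # tolerate any byte sequence
            if INJECTED_SCRIPT_RE.search(text):
                hits.append(rel)
    return sorted(hits)


def demo() -> Tuple[Dict[str, List[str]], List[str]]:
    """Baseline a constructed web root, simulate a Chir.B-style infection, report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "js"))
        files = {"index.html": "<html><body>Welcome</body></html>\n",
                 "about.html": "<html><body>About us</body></html>\n",
                 "js/app.js": "console.log('app');\n"}
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w") as f:
                f.write(body)
        baseline = build_baseline(root)

        # Simulated infection: append the launcher to index.html, drop readme.eml
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write(CHIR_B_PAYLOAD + "\n")
        with open(os.path.join(root, "readme.eml"), "w") as f:
            f.write("MIME-Version: 1.0\n(constructed, inert stand-in for the dropper)\n")

        return diff_baseline(root, baseline), scan_html(root)


if __name__ == "__main__":
    changes, infected = demo()
    print("changes:", changes)
    print("injected script in:", infected)
```

The hash diff is the general control: it catches the modified index.html and the new readme.eml without knowing anything about Chir.B. The signature scan is the specific one, and it is only worth keeping because the slide's point about reuse holds: the same launcher turns up across Nimda-style infectors.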

  17. Q and A
  Thank You
  Blake Hartstein, bhartstein@verisign.com
