Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia
Agenda • Weaknesses of the paper • Attacks not mentioned • Future Trends
Web-based Attacks: White Paper or Infomercial…? • Shameless plugs peppered throughout • No mention of non-Symantec solutions, like desktop virtualization • Well yes, but everybody does it. • How else would they get funded…
Vulnerability of web-based applications • A topic for nerds, written by nerds… • Technical aptitude is needed to even understand the challenge/threat • This is likely one of the problems with getting people to pay attention to security
Compare with articles about ‘The Cloud’ • Articles about ‘The Cloud’ get noticed by execs because it speaks to them • You can find them in In-flight magazines • Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources
New ways of getting you to a malicious site • Blogs • Social networking • URL shorteners • Twitter and Facebook viruses exist
Google, How We Get To Most Sites: • We trust Google! • Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the list.
An Example of SEO Poisoning • 1) Find a legitimate website (http://jeffkimballwater.com)
An Example of SEO Poisoning • 2) Compromise the website. Easy! • 3) Submit a special URL to a search engine: “http://jeffkimballwater.com?r=discover-card”
An Example of SEO Poisoning • 4) When the search engine indexes this URL a script is called. • Change the page to add a bunch of hidden, relevant links. • Get the keywords for these links from another search engine. [Diagram: the query “discover card” (http://jeffkimballwater.com?r=discover-card) yields the keywords Discover Financial Services, Discover Credit Cards, Discover Card Facts and Apply for a credit card; each becomes a hidden link on the compromised page: http://jeffkimballwater.com?r=discover-financial-services, http://jeffkimballwater.com?r=discover-credit-cards, http://jeffkimballwater.com?r=discover-card-facts, http://jeffkimballwater.com?r=apply-for-a-credit-card]
An Example of SEO Poisoning • 5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google. • 6) Site looks normal to everyone else.
Attacking a website using Cross-Site Request Forgery • Cross-Site Reference Forgery • XSRF • CSRF • Sea Surfing • Session Riding • Hostile Linking • One-Click attacks • A confused deputy attack on a website, where the website already trusts a user.
An Example of Cross-Site Request Forgery • Bob Frazer logs into Bankbank.com • Bob then logs into FerrariOwnersClub.com • Mal posts a bad link as his signature picture, which Bob loads: • `<img src="http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory">` • Bob’s browser, which is still logged into Bankbank, executes the request with Bob’s session cookie attached.
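The Bankbank.com scenario above carried into code, as an added example that is not part of the slides: the withdrawal endpoint as the slide describes it beside a hardened version that refuses GET state changes, checks the Origin header and requires a per-session anti-CSRF token. The session store, balances and site names are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for Bankbank.com's session store and ledger.
SESSIONS = {"bob-session": {"user": "bob", "csrf_token": secrets.token_hex(16)}}
BALANCES = {"bob": 5000}


@dataclass
class Request:
    method: str
    cookies: dict
    params: dict  # query-string or form fields
    headers: dict = field(default_factory=dict)


def withdraw_vulnerable(req):
    """Bankbank.com as the slide describes it: any request carrying Bob's
    session cookie is honoured, so the browser's fetch of Mal's <img src>
    on FerrariOwnersClub.com moves the money."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "login required"
    BALANCES[sess["user"]] -= int(req.params["amount"])
    return 200, "ok"


def withdraw_hardened(req, site_origin="https://bankbank.com"):
    """Same endpoint with three CSRF defences: state changes only on POST,
    a present Origin header must name the bank itself, and the request must
    echo the per-session token that only a bank-served page could embed."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401, "login required"
    if req.method != "POST":
        return 405, "state change requires POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request refused"
    supplied = req.params.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, sess["csrf_token"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    BALANCES[sess["user"]] -= int(req.params["amount"])
    return 200, "ok"


# The forged request from the slide: the browser loads the <img src> URL as a
# GET with Bob's bank cookie attached but no token and no Origin header.
FORGED_IMG = Request("GET", {"session": "bob-session"},
                     {"account": "bob", "amount": "1000", "for": "mallory"})
# Variant: a form auto-submitted from the attacker's page; browsers add an
# Origin header naming the foreign site to such cross-site POSTs.
FORGED_POST = Request("POST", {"session": "bob-session"}, {"amount": "1000"},
                      {"Origin": "https://ferrariownersclub.com"})
```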
Attacking You Through Your Phone • Not web-based yet, but attackers are interested. • Trojan-SMS.AndroidOS.FakePlayer.a • Sends texts without the user’s knowledge to premium-rate numbers. • Android spyware • Tip Calculator
Attacking You Through Your Phone • Symbian OS • Skulls • Worm:iOS/Ikee • Proof of concept spreads through WiFi or 3G, sends financial information to server.
Future Trends - Users • Increasingly young user base • More online edutainment/games • More familiar and comfortable with the web world • Less knowledgeable about security risk
Future Trends - Attacks • More internet users • Move from IPv4 to IPv6 • More attacks on web servers • More sophisticated hackers
Future Trends - Companies • Focus more on web security • Getting better at locking down the web
Future Trends - Cloud Computing • Increase in IT budgets • More web applications hosted in the cloud • With lower cost comes higher security risk • More complex security
Future Trends - Browsers will be more responsible • Google Chrome • Firefox
Future Trends - Spam • More legitimate-looking spam