IDefense_MalcodePrivacy_Hartstein_20070905

A Malicious Code Perspective on Web
Application Privacy
Sept. 6, 2007
Blake Hartstein
Rapid-Response Engineer, VeriSign iDefense Security Intelligence Services
[email protected]
Web Application Privacy Agenda
+ Malicious Code Functionality
+ Confidentiality
▪ Stealing Private Information
– Masquerade
– Escalate
+ Integrity
▪ A Large Risk
– Persistent
– Large Scale
+ Availability
▪ Denial of Service
▪ Ransom
+ Developer and Administrator Preventative Actions
iDefense Team Background
+ The Leading Security Intelligence Research Team
▪ iDefense provides proactive notification of impending threats, including vulnerabilities and malicious code
+ Industry-Leading Services Offerings
▪ Intelligence is all the iDefense team does
▪ Completely vendor-agnostic
+ Marquee Customer and Partner Base
▪ Government, financial services, insurance, healthcare, retail
▪ Security software and services
+ Five Experienced Intelligence Teams
+ Actively Gathering Cyber Intelligence Since 1998
iDefense Teams
+ iDefense Has More Than 40 Full-Time Researchers and More Than 300 Contributors Worldwide
▪ 24x7 Operations
+ Intelligence Teams (Infiltration, Aggregation, Analysis)
▪ iDefense Labs
▪ Vulnerability Aggregation Team
▪ Malicious Code Operations Team
▪ Rapid-Response Team
▪ Global Threat Team
▪ VCP Network: 280+ Researchers, 35+ Countries
+ Coverage and Sources
▪ 10,000+ Products and Technologies
▪ 1500+ Public Sources
▪ 1200+ Underground and Private Sources
▪ 35 Countries
▪ 12 Languages
+ Intelligence Reports
▪ 1,000+ Vulnerability Reports each Month
▪ 1,200+ Malicious Code Reports each Month
Summary of Service Bundles
Basic Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
▪ iDefense Exclusives
▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
Public-Only Vulnerability Feed
+ iDefense Public Vulnerability Reports (daily alert)
▪ iDefense Public Vulnerabilities
Enhanced Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
▪ iDefense Exclusives
▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
+ iDefense Analyst Access
+ Bi-Monthly Threat Briefings
+ Weekly Threat Report (E-Mail and Portal)
+ Bi-Weekly Malicious Code and Vulnerability Reviews
+ Rapid-Response Intelligence Reports
+ iDefense Topical Research Reports (including MS bulletin review)
+ Monthly Microsoft Bulletin Post-Release Analysis Report
Comprehensive Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
▪ iDefense Exclusives
▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
+ iDefense Analyst Access
+ Bi-Monthly Threat Briefings
+ Weekly Threat Report (E-Mail and Portal)
+ Bi-Weekly Malicious Code and Vulnerability Reviews
+ Rapid-Response Intelligence Reports
+ iDefense Topical Research Reports
+ Monthly Microsoft Bulletin Post-Release Analysis Report
+ iDefense Focused Intelligence Reports
+ Custom “analyst desk” with Designated Analyst Contact
+ Phishing Take-Down Service
Confidentiality
+ Keystroke Logging
+ Form Grabbing
+ Browser Injection
+ Screenshots and Mouse Events
+ Stored Passwords
+ Certificates
Compromised Hosts
+ HTML Injection
▪ Transaction Authentication Numbers (TAN)
▪ Additional Personal Information
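The HTML injection described on this slide happens inside the victim's browser: the bank's page arrives intact, and the trojan adds its own TAN or "personal information" prompts before the user sees it. The server never rendered those fields, so the application can still notice them by comparing what it rendered against what the page (or the submitted request) actually contains. The example below is added here and is not code from the deck or from any bank; the field names, the marker word list and the sample HTML are constructed assumptions.

```javascript
// Added example (not from the original deck): detect form fields that the
// application did not render, the footprint of an HTML-injection trojan that
// adds TAN or "additional personal information" prompts to a bank page.
// Assumptions (not from the deck): the server knows the exact field names it
// rendered for each form; the sample HTML below is constructed for the example.

// Minimal extractor for <input>/<select>/<textarea> names. A regex scanner is
// enough for the illustration; it is not a full HTML parser.
function extractFieldNames(html) {
  const names = [];
  const re = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Compare rendered field names against what is actually present (in the DOM
// at submit time, or in the POST body the server receives). Returns the
// unexpected names; an empty array means nothing was injected.
function unexpectedFields(expected, actual) {
  const allowed = new Set(expected);
  return [...new Set(actual)].filter((n) => !allowed.has(n));
}

// Words a login form never legitimately asks for; an injected field carrying
// one of these is worth alerting on immediately (assumed list).
const SENSITIVE_MARKERS = /tan|pin|ssn|maiden|card|cvv|passcode/i;

function classifyInjection(expected, actual) {
  const injected = unexpectedFields(expected, actual);
  return {
    injected,
    severity: injected.some((n) => SENSITIVE_MARKERS.test(n))
      ? 'high' : (injected.length ? 'medium' : 'none'),
  };
}

// Constructed sample: the login form as the server rendered it ...
const RENDERED_LOGIN = `
<form id="login" method="post" action="/login">
  <input name="userid" type="text">
  <input name="password" type="password">
  <input name="csrf" type="hidden" value="t0ken">
</form>`;

// ... and the same form as seen inside an infected browser, with two
// injected prompts (constructed to mimic the TAN / personal-info injections
// the slide describes).
const INJECTED_LOGIN = RENDERED_LOGIN.replace(
  '</form>',
  `  <input name="tan1" type="text" placeholder="Enter TAN #1">
  <input name="mother_maiden" type="text">
</form>`);

const expected = extractFieldNames(RENDERED_LOGIN);

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyInjection(expected, extractFieldNames(INJECTED_LOGIN)));
  // { injected: ['tan1', 'mother_maiden'], severity: 'high' }
}
```

Run the same comparison on the server against the parameter names in the POST body, where a browser-resident trojan cannot suppress it; the client-side inventory is useful telemetry but a trojan that already rewrites the page can also remove the script that reports it.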
Nuklus
+ Spoofed Bank E-Mails
▪ Pre-Qualify Victims
Nuklus
+ Changes Behavior of Approximately 2,110 Pages
+ Modular Design and Evolving Functionality:
▪ Steal Certificates
▪ Firefox/IE Sniffers
▪ Re-write URLs
▪ Hook Connections
▪ Proxy Traffic
▪ Collect Credentials
+ Other Versions Delete Cookies, Capture Screens, Patch TCP/IP Stack and Redirect Connections
Information Stealing Made Easy
+ Gartner Estimates Banks Lost $2.4 billion
▪ Malicious Programs Steal Credentials and Phishing
▪ One-Year Period in 2004*
+ Pinch and LDPinch
▪ Compress and Encode
▪ Relay Confidential Information
▪ SMTP and HTTP
*http://www.microsoft.com/smallbusiness/resources/technology/security/3_major_online_threats_to_your_business.mspx
Integrity Affects the Whole Network
+ File Infectors: Chir.B (Nimda)
▪ Executables
▪ HTML
– <script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script>
+ ARP Spoofing
▪ Injection
▪ Eavesdropping
▪ Hijacking
▪ Man-in-the-Middle
+ Rootkits
▪ Hide from tools and users
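The ARP spoofing bullets above (injection, eavesdropping, hijacking, man-in-the-middle) all start the same way: an attacker's MAC address replaces the gateway's in the victims' ARP caches. That leaves a footprint a host or monitor can check for. The example below is added here and is not from the deck; the snapshot format (one "ip mac" pair per line) and the addresses are constructed for the example.

```javascript
// Added example (not from the original deck): flag ARP-cache changes that
// look like poisoning. The snapshot format (ip<space>mac per line) and the
// addresses below are constructed for the example; on a real host you would
// feed it the parsed output of `arp -an` or `ip neigh`.

function parseArpSnapshot(text) {
  const table = new Map();
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t || t.startsWith('#')) continue;
    const [ip, mac] = t.split(/\s+/);
    table.set(ip, mac.toLowerCase());
  }
  return table;
}

// Compare a trusted baseline against the current cache. Returns alerts with a
// reason; `critical` hosts (default gateway, DNS) escalate a MAC change to
// severity 'high'.
function detectArpAnomalies(baseline, current, critical = []) {
  const alerts = [];
  const crit = new Set(critical);
  for (const [ip, mac] of current) {
    const old = baseline.get(ip);
    if (old && old !== mac) {
      alerts.push({ ip, reason: `MAC changed ${old} -> ${mac}`,
                    severity: crit.has(ip) ? 'high' : 'medium' });
    }
  }
  // One MAC claiming several IPs is the footprint of an attacker answering
  // for both the victim and the gateway at once.
  const byMac = new Map();
  for (const [ip, mac] of current) {
    if (!byMac.has(mac)) byMac.set(mac, []);
    byMac.get(mac).push(ip);
  }
  for (const [mac, ips] of byMac) {
    if (ips.length > 1) {
      alerts.push({ ip: ips.join(','), reason: `MAC ${mac} claims ${ips.length} IPs`,
                    severity: 'high' });
    }
  }
  return alerts;
}

// Constructed snapshots: baseline learned on a clean network ...
const BASELINE = parseArpSnapshot(`
# ip            mac
192.168.1.1     00:11:22:33:44:01
192.168.1.20    00:11:22:33:44:20
192.168.1.77    00:11:22:33:44:77
`);

// ... and a later capture in which 192.168.1.77 has started answering for
// the gateway as well.
const POISONED = parseArpSnapshot(`
192.168.1.1     00:11:22:33:44:77
192.168.1.20    00:11:22:33:44:20
192.168.1.77    00:11:22:33:44:77
`);

const arpAlerts = detectArpAnomalies(BASELINE, POISONED, ['192.168.1.1']);
```

A gateway MAC does change legitimately when hardware is replaced, so the baseline needs to be under change control; static ARP entries for the gateway and dynamic ARP inspection on the switch are the preventive controls, and this check is the detective one.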
Backdoors, Control Panels and Toolkits
+ Designed to Steal, Retrieve, and Abuse Credentials
+ Configurable and Custom
▪ Metaphisher (aka Agent.dq)
▪ Apophis
+ Increased Risk
▪ Attacker may target drop sites
▪ Password file available
▪ Weak or guessable passwords
+ Two-factor authentication
▪ Securing drop sites
Availability
+ Encrypt and Delete Original Data
+ Purchase Bots to use bandwidth
+ Denial of Service Ransom*
▪ $50,000.00 fee
▪ $10,000.00 for smaller organizations
*http://www.theregister.com/2007/06/13/black_hat_list/
The Good News and the Bad News
+ Which assets are valuable?
▪ Targeted emails work
▪ Monstres.A Trojan, Monster.com
+ Loss of Confidentiality
▪ Users and Applications are Often Unaware
▪ Risk to Assets
+ Attacks Evolve, but attack elements are often reused
▪ Tools, Techniques and Hosts
– Block Lists and Intrusion Detection
• http://www.spamhaus.org/drop/drop.lasso
• http://www.snort.org/
• http://www.bleedingthreats.net/
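Reused hosts are the easiest reused attack element to act on: the Spamhaus DROP list linked above is published as one CIDR block per line followed by a `;` and an SBL reference, with `;`-prefixed comment lines. The example below is added here and is not from the deck or from Spamhaus; it parses that format and screens a batch of addresses against it. The list entries and the addresses are constructed for the example (the real list changes daily), and the code handles IPv4 only.

```javascript
// Added example (not from the original deck): check logged addresses against
// a Spamhaus DROP-style block list. Format: "<cidr> ; <SBL id>" per line with
// ";"-prefixed comments. The entries below are constructed, not copied from
// the live list. IPv4 only.

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  // ">>> 0" keeps the result unsigned so addresses above 127.x.x.x compare correctly.
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function parseDropList(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;           // header / comment
    const [cidr, ref] = line.split(';').map((s) => s.trim());
    const [net, bitsStr] = cidr.split('/');
    const bits = Number(bitsStr);
    if (!(bits >= 0 && bits <= 32)) throw new Error(`bad prefix: ${cidr}`);
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    entries.push({ cidr, ref: ref || '', base: (ipToInt(net) & mask) >>> 0, mask });
  }
  return entries;
}

// Returns the matching entry or null.
function lookup(entries, ip) {
  const n = ipToInt(ip);
  return entries.find((e) => ((n & e.mask) >>> 0) === e.base) || null;
}

// Screen a batch of log-derived addresses; the SBL reference in each hit is
// what goes into the alert so an analyst can see why the block exists.
function screenAddresses(entries, ips) {
  return ips.map((ip) => ({ ip, hit: lookup(entries, ip) }))
            .filter((r) => r.hit !== null)
            .map((r) => ({ ip: r.ip, cidr: r.hit.cidr, ref: r.hit.ref }));
}

// Constructed sample in DROP format.
const DROP_SAMPLE = `
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: n/a
203.0.113.0/24 ; SBL000001
198.51.100.128/25 ; SBL000002
`;

// Constructed addresses "seen" in web-server logs: one inside each range,
// two clean (198.51.100.7 is below the /25 boundary).
const SEEN = ['203.0.113.45', '198.51.100.7', '198.51.100.200', '192.0.2.10'];
const dropHits = screenAddresses(parseDropList(DROP_SAMPLE), SEEN);
```

The DROP list is meant to be applied as a null-route or firewall deny; the lookup above is the log-side counterpart for finding sessions that came from those ranges before the block was in place, and it is only as good as how often the list is refreshed.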
Prevent and Detect
+ Secure Coding is Half the Battle
+ Application Knows Best
▪ Behavioral Monitoring
▪ Thresholds, Statistics, and Timing
+ Multiple Communication Channels
▪ Varying Trust Levels
▪ Revoking and Alerting
+ Enforcing Password Requirements
▪ Protect Confidential Information
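The application knows the user's normal behaviour, and a trojan driving the session does not: it transfers seconds after login, to a payee the user never used, often from a device and IP the user never used. The example below is added here and is not code from the deck; it scores one session against those signals and maps the score to the slide's three responses (allow, step up to a second channel, revoke and alert). The event format, profile fields, weights and cutoffs are assumptions chosen for the example.

```javascript
// Added example (not from the original deck): a server-side risk scorer for
// one online-banking session, implementing the thresholds / timing /
// second-channel ideas from the slide. Event format, profile fields, weights
// and cutoffs are assumptions for the example; real tuning comes from the
// application's own statistics.

const POLICY = {
  minSecondsLoginToTransfer: 20,  // faster than a human reads a balance page
  amountMultipleOfAverage: 5,     // transfer far above the user's usual size
  hardLimit: 10000,               // above this, always at least step up
  stepUpScore: 30,                // ask for out-of-band confirmation
  revokeScore: 80,                // terminate the session and alert
};

// `profile` is what the application already knows about the user; `events`
// is the session timeline. Returns the score, the signals that fired and the
// resulting action.
function assessSession(profile, events) {
  const signals = [];
  const login = events.find((e) => e.type === 'login');
  if (!login) return { score: 0, signals: ['no login event'], action: 'revoke' };

  if (!profile.knownDevices.includes(login.device)) signals.push({ s: 'new device', w: 25 });
  if (login.failedBefore >= 3) signals.push({ s: `${login.failedBefore} failed logins`, w: 20 });

  for (const e of events.filter((x) => x.type === 'transfer')) {
    const secs = (e.t - login.t) / 1000;
    if (secs < POLICY.minSecondsLoginToTransfer) {
      signals.push({ s: `transfer ${secs}s after login`, w: 30 });
    }
    if (e.amount > POLICY.hardLimit) signals.push({ s: 'over hard limit', w: 40 });
    else if (e.amount > POLICY.amountMultipleOfAverage * profile.avgTransfer) {
      signals.push({ s: 'amount far above user average', w: 20 });
    }
    if (!profile.knownPayees.includes(e.payee)) signals.push({ s: 'new payee', w: 15 });
    if (e.ip && e.ip !== login.ip) signals.push({ s: 'IP changed mid-session', w: 25 });
  }

  const score = signals.reduce((a, x) => a + x.w, 0);
  let action = 'allow';
  if (score >= POLICY.revokeScore) action = 'revoke';        // kill session, alert, assume credentials lost
  else if (score >= POLICY.stepUpScore) action = 'step-up';  // confirm over a channel the browser does not own
  return { score, signals: signals.map((x) => x.s), action };
}

// Constructed profile and sessions.
const PROFILE = {
  knownDevices: ['dev-home-pc'],
  knownPayees: ['landlord', 'utility-co'],
  avgTransfer: 300,
};
const T0 = Date.parse('2007-09-06T10:00:00Z');

// Ordinary session: known device, a usual payment a few minutes in.
const NORMAL_SESSION = [
  { type: 'login', t: T0, device: 'dev-home-pc', ip: '192.0.2.10', failedBefore: 0 },
  { type: 'transfer', t: T0 + 180000, amount: 250, payee: 'landlord', ip: '192.0.2.10' },
];

// Known device but an unusually large payment to a new payee: worth a
// second-channel confirmation, not a lockout.
const STEPUP_SESSION = [
  { type: 'login', t: T0, device: 'dev-home-pc', ip: '192.0.2.10', failedBefore: 0 },
  { type: 'transfer', t: T0 + 300000, amount: 2000, payee: 'new-shop', ip: '192.0.2.10' },
];

// Session driven by a trojan: new device, large transfer to an unknown payee
// seconds after login, and the source IP flips to the attacker's proxy.
const TROJAN_SESSION = [
  { type: 'login', t: T0, device: 'dev-unknown', ip: '192.0.2.10', failedBefore: 0 },
  { type: 'transfer', t: T0 + 4000, amount: 4900, payee: 'mule-acct', ip: '198.51.100.9' },
];
```

The step-up channel has to be one the infected browser cannot read or answer (a voice call or a message to a registered phone that states the payee and amount); a confirmation page inside the same session is just another field for the trojan to inject around.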
Prevent and Detect
+ Assume Infection and Loss of Credentials
▪ It IS a Developer’s Problem
– Reputation and User Experience
+ Procedural Plan
▪ Disaster Recovery and Business Continuity
▪ Which Assets are at Risk?
+ File and Database Integrity
▪ Change Monitoring
Q and A
Thank You
Blake Hartstein
[email protected]