A Malicious Code Perspective on Web Application Privacy
Sept. 6, 2007
Blake Hartstein
Rapid-Response Engineer, VeriSign iDefense Security Intelligence Services
[email protected]

Web Application Privacy Agenda
+ Malicious Code Functionality
+ Confidentiality
  ▪ Stealing Private Information
    – Masquerade
    – Escalate
+ Integrity
  ▪ A Large Risk
    – Persistent
    – Large Scale
+ Availability
  ▪ Denial of Service
  ▪ Ransom
+ Developer and Administrator Preventative Actions

iDefense Team Background
+ The Leading Security Intelligence Research Team
  ▪ iDefense provides proactive notification of impending threats, including vulnerabilities and malicious code
+ Industry-Leading Services Offerings
  ▪ Intelligence is all the iDefense team does
  ▪ Completely vendor-agnostic
+ Marquee Customer and Partner Base
  ▪ Government, financial services, insurance, healthcare, retail
  ▪ Security software and services
+ Five Experienced Intelligence Teams
+ Actively Gathering Cyber Intelligence Since 1998

iDefense Teams
+ iDefense Has More Than 40 Full-Time Researchers and More Than 300 Contributors Worldwide; 24x7 Operations
+ Intelligence Teams: Infiltration, Aggregation, Analysis
  ▪ iDefense Labs
  ▪ Vulnerability Aggregation Team
  ▪ Malicious Code Operations Team
  ▪ Rapid-Response Team
  ▪ Global Threat Team
+ Coverage and Sources
  ▪ 10,000+ Products and Technologies
  ▪ 1,500+ Public Sources
  ▪ 1,200+ Underground and Private Sources
  ▪ 35 Countries, 12 Languages
+ VCP Network
  ▪ 280+ Researchers, 35+ Countries
+ Intelligence Reports
  ▪ 1,000+ Vulnerability Reports each Month
  ▪ 1,200+ Malicious Code Reports each Month

Summary of Service Bundles
Basic Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
  ▪ iDefense Exclusives
  ▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
Public-Only Vulnerability Feed
+ iDefense Public Vulnerability Reports (daily alert)
  ▪ iDefense Public Vulnerabilities
Enhanced Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
  ▪ iDefense Exclusives
  ▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
+ iDefense Analyst Access
+ Bi-Monthly Threat Briefings
+ Weekly Threat Report (E-Mail and Portal)
+ Bi-Weekly Malicious Code and Vulnerability Reviews
+ Rapid-Response Intelligence Reports
+ iDefense Topical Research Reports (including MS bulletin review)
+ Monthly Microsoft Bulletin Post-Release Analysis Report
Comprehensive Service
+ iDefense Intelligence Reports (daily alerts)
+ iDefense FLASH Reports
+ Public Vulnerability Feed
  ▪ iDefense Exclusives
  ▪ Weekly Version 1 Summary
+ Malicious Code Analysis Feed
+ iDefense Analyst Access
+ Bi-Monthly Threat Briefings
+ Weekly Threat Report (E-Mail and Portal)
+ Bi-Weekly Malicious Code and Vulnerability Reviews
+ Rapid-Response Intelligence Reports
+ iDefense Topical Research Reports
+ Monthly Microsoft Bulletin Post-Release Analysis Report
+ iDefense Focused Intelligence Reports
+ Custom “analyst desk” with Designated Analyst Contact
+ Phishing Take-Down Service

Confidentiality
+ Keystroke Logging
+ Form Grabbing
+ Browser Injection
+ Screenshots and Mouse Events
+ Stored Passwords
+ Certificates

Compromised Hosts
+ HTML Injection
  ▪ Transaction Authentication Numbers (TAN)
  ▪ Additional Personal Information

Nuklus
+ Spoofed Bank E-Mails
  ▪ Pre-Qualify Victims

Nuklus
+ Changes Behavior of Approximately 2,110 Pages
+ Modular Design and Evolving Functionality:
  ▪ Steal Certificates
  ▪ Firefox/IE Sniffers
  ▪ Re-write URLs
  ▪ Hook Connections
  ▪ Proxy Traffic
  ▪ Collect Credentials
+ Other Versions: Delete Cookies, Capture Screens, Patch TCP/IP Stack and Redirect Connections

Information Stealing Made Easy
+ Gartner Estimates Banks Lost $2.4 billion
  ▪ Malicious Programs Steal Credentials and Phishing
  ▪ One-Year Period in 2004*
+ Pinch and LDPinch
  ▪ Compress and Encode
  ▪ Relay Confidential Information
  ▪ SMTP and HTTP
*http://www.microsoft.com/smallbusiness/resources/technology/security/3_major_online_threats_to_your_business.mspx

Integrity Affects the Whole Network
+ File Infectors: Chir.B (Nimda)
  ▪ Executables
  ▪ HTML
    – <script language="JavaScript">window.open("readme.eml", null,"resizable=no,top=6000,left=6000")</script>
+ ARP Spoofing
  ▪ Injection
  ▪ Eavesdropping
  ▪ Hijacking
  ▪ Man-in-the-Middle
+ Rootkits
  ▪ Hide from tools and users

Backdoors, Control Panels and Toolkits
+ Designed to Steal, Retrieve, and Abuse Credentials
+ Configurable and Custom
  ▪ Metaphisher (aka Agent.dq)
  ▪ Apophis
+ Increased Risk
  ▪ Attacker may target drop sites
  ▪ Password file available
  ▪ Weak or guessable passwords
+ Two-factor authentication
  ▪ Securing drop sites

Availability
+ Encrypt and Delete Original Data
+ Purchase Bots to use bandwidth
+ Denial of Service Ransom*
  ▪ $50,000.00 fee
  ▪ $10,000.00 for smaller organizations
*http://www.theregister.com/2007/06/13/black_hat_list/

The Good News and the Bad News
+ Which assets are valuable?
  ▪ Targeted emails work
  ▪ Monstres.A Trojan, Monster.com
+ Loss of Confidentiality
  ▪ Users and Applications are Often Unaware
  ▪ Risk to Assets
+ Attacks Evolve, but attack elements are often reused
  ▪ Tools, Techniques and Hosts
    – Block Lists and Intrusion Detection
      • http://www.spamhaus.org/drop/drop.lasso
      • http://www.snort.org/
      • http://www.bleedingthreats.net/

Prevent and Detect
+ Secure Coding is Half the Battle
+ Application Knows Best
  ▪ Behavioral Monitoring
  ▪ Thresholds, Statistics, and Timing
+ Multiple Communication Channels
  ▪ Varying Trust Levels
  ▪ Revoking and Alerting
+ Enforcing Password Requirements
  ▪ Protect Confidential Information

Prevent and Detect
+ Assume Infection and Loss of Credentials
  ▪ It IS a Developer’s Problem
    – Reputation and User Experience
+ Procedural Plan
  ▪ Disaster Recovery and Business Continuity
  ▪ Which Assets are at Risk?
+ File and Database Integrity
  ▪ Change Monitoring

Q and A
Thank You
Blake Hartstein
[email protected]
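An added example, not from the slides or from iDefense, tying together the "Block Lists and Intrusion Detection" point and the "Application Knows Best" rules (thresholds, statistics, timing; revoking and alerting): it parses a constructed block list written in the DROP text layout and runs threshold and timing checks over a constructed login log. The log format, rule thresholds, and list entries are assumptions; the CIDRs are documentation ranges, not real list entries.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Spamhaus DROP text layout ("CIDR ; reference", ';' opens a comment).
BLOCK_LIST_TEXT = """; constructed sample, not the real DROP list
203.0.113.0/24 ; SBL-EXAMPLE-1
198.51.100.0/25 ; SBL-EXAMPLE-2"""

# Constructed application login log: "<ISO timestamp> <user> <source ip> <ok|fail>"
LOG_TEXT = """2007-09-06T10:00:00 alice 192.0.2.10 ok
2007-09-06T10:00:05 alice 203.0.113.7 ok
2007-09-06T10:01:00 bob 192.0.2.20 fail
2007-09-06T10:01:02 bob 192.0.2.20 fail
2007-09-06T10:01:04 bob 192.0.2.20 fail
2007-09-06T10:01:08 bob 192.0.2.20 ok"""

def parse_drop_list(text):
    """Networks in a DROP-format file; ';' opens a comment, blank lines are skipped."""
    cidrs = (line.split(";", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(c) for c in cidrs if c]

def ip_blocked(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

def analyse_logins(log_text, nets, max_fails=3, window_s=60, min_ip_gap_s=600):
    """{user: sorted alert reasons}. Rules: source on the block list; at least max_fails
    failures inside window_s seconds; a success from a new IP under min_ip_gap_s after
    the previous success. Any hit is grounds to revoke the session and alert the user."""
    alerts = defaultdict(set)
    fails = defaultdict(list)   # user -> failure timestamps still inside the window
    last_ok = {}                # user -> (timestamp, ip) of the last successful login
    for line in log_text.splitlines():
        ts_s, user, ip, outcome = line.split()
        ts = datetime.fromisoformat(ts_s)
        if ip_blocked(ip, nets):
            alerts[user].add("blocklisted_ip")
        if outcome == "fail":
            fails[user] = [t for t in fails[user] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(fails[user]) >= max_fails:
                alerts[user].add("failure_burst")
        else:
            prev = last_ok.get(user)
            if prev and prev[1] != ip and (ts - prev[0]).total_seconds() < min_ip_gap_s:
                alerts[user].add("rapid_ip_change")
            last_ok[user] = (ts, ip)
    return {user: sorted(reasons) for user, reasons in alerts.items()}
```

Running `analyse_logins(LOG_TEXT, parse_drop_list(BLOCK_LIST_TEXT))` flags alice for a block-listed source and a rapid IP change and bob for a failure burst; the thresholds are the application's to tune from its own statistics.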