Web Security: Offense

Web-Based Attacks: Offense
Wild Wild West
Bob, Jeff, and Junia
Agenda
Weaknesses of the paper
Attacks not mentioned
Future Trends
Weaknesses of the paper
Web-based Attacks: White Paper or Infomercial…?
Shameless plugs peppered throughout
No mention of non-Symantec solutions, like desktop virtualization
Well yes, but everybody does it.
How else would they get funded…
Vulnerability of web-based applications
A topic for nerds, written by nerds…
Technical aptitude is needed to even understand the challenge/threat
This is likely one of the problems with getting people to pay attention to security
Compare with articles about ‘The Cloud’
• Articles about ‘The Cloud’ get noticed by execs because they speak to them
• You can find them in in-flight magazines
• Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources
Attacks not mentioned
New ways of getting you to a malicious site
Blogs
Social Networking
URL shorteners
Twitter and Facebook viruses exist
Google, How We Get To Most Sites:
We trust Google!
Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the list.
An Example of SEO Poisoning
1) Find a legitimate website (http://jeffkimballwater.com)
2) Compromise the website. Easy!
3) Submit a special url to a search engine
“http://jeffkimballwater.com?r=discover-card”
4) When the search engine indexes this URL a script is called. It changes the page to add a bunch of hidden, relevant links, taking the keywords for those links from another search engine.
Diagram: the search “discover card” yields related keywords, and each one becomes a hidden link on the compromised site:
• Discover Financial Services → http://jeffkimballwater.com?r=discover-financial-services
• Discover Card → http://jeffkimballwater.com?r=discover-card
• Discover Credit Cards → http://jeffkimballwater.com?r=discover-credit-cards
• Discover Card Facts → http://jeffkimballwater.com?r=discover-card-facts
• Apply for a credit card → http://jeffkimballwater.com?r=apply-for-a-credit-card
5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google.
6) Site looks normal to everyone else.
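Step 6 is what makes this hard to spot: the poisoned page cloaks, serving the hidden keyword links only when the visitor looks like a crawler. A defender checking a site for this kind of compromise fetches the same page twice, once as a browser and once as a search-engine bot, and diffs the links. The script below is an added example written for these notes, not code from the slides or the paper they review; the two HTML snapshots are constructed to mirror the jeffkimballwater.com diagram, and the set of CSS hiding patterns it looks for is an assumption (real cloaking uses many more).

```python
"""Detect SEO-poisoning cloaking: keyword links served only to crawlers, or hidden from humans.

Added example. Compares a browser-view and a crawler-view snapshot of one page
and reports links that are hidden by CSS or that only the crawler received.
The snapshots below are constructed; nothing is fetched from the network.
"""
from html.parser import HTMLParser

# Constructed sample: what a human visitor's browser receives.
BROWSER_VIEW = """
<html><body>
<h1>Jeff Kimball Water</h1>
<p>Water delivery for your home. <a href="/about">About us</a></p>
</body></html>
"""

# Constructed sample: what the crawler receives from the compromised site
# (step 4 of the slides: hidden, keyword-relevant links injected into the page).
CRAWLER_VIEW = """
<html><body>
<h1>Jeff Kimball Water</h1>
<p>Water delivery for your home. <a href="/about">About us</a></p>
<p><a href="http://jeffkimballwater.com?r=discover-card">Discover Card</a></p>
<div style="display:none">
  <a href="http://jeffkimballwater.com?r=discover-financial-services">Discover Financial Services</a>
  <a href="http://jeffkimballwater.com?r=discover-credit-cards">Discover Credit Cards</a>
  <a href="http://jeffkimballwater.com?r=apply-for-a-credit-card">Apply for a credit card</a>
</div>
</body></html>
"""

# Assumed list of inline styles that hide content from a human visitor.
HIDING_STYLES = ("display:none", "visibility:hidden", "font-size:0", "left:-9999")


class LinkCollector(HTMLParser):
    """Collects (href, anchor_text, hidden) for every <a>, tracking hidden ancestors."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._hidden_depth = 0   # > 0 while inside an element with a hiding style
        self._open = []          # stack of (tag, this_tag_hides)
        self._current = None     # href of the <a> whose text is being collected
        self._text = []

    @staticmethod
    def _is_hiding(attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        return "hidden" in a or any(h in style for h in HIDING_STYLES)

    def handle_starttag(self, tag, attrs):
        hides = self._is_hiding(attrs)
        if hides:
            self._hidden_depth += 1
        self._open.append((tag, hides))
        if tag == "a":
            self._current = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._current is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current, "".join(self._text).strip(), self._hidden_depth > 0))
            self._current = None
        # Pop back to the matching open tag, undoing any hiding it contributed
        # (this also discards void elements such as <br> that never close).
        while self._open:
            t, hides = self._open.pop()
            if hides:
                self._hidden_depth -= 1
            if t == tag:
                break


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def find_cloaked_links(browser_html, crawler_html):
    """Return (href, text, reason) for suspicious links in the crawler view.

    reason is 'hidden' when the link is inside a hidden element, or
    'crawler-only' when a human visitor's page does not contain it at all.
    """
    visible_to_humans = {href for href, _, hidden in extract_links(browser_html) if not hidden}
    findings = []
    for href, text, hidden in extract_links(crawler_html):
        if hidden:
            findings.append((href, text, "hidden"))
        elif href not in visible_to_humans:
            findings.append((href, text, "crawler-only"))
    return findings


if __name__ == "__main__":
    for href, text, reason in find_cloaked_links(BROWSER_VIEW, CRAWLER_VIEW):
        print(f"{reason:13} {text!r:32} {href}")
```

On the constructed snapshots this flags the three links inside the `display:none` block as hidden and the unhidden "Discover Card" link as crawler-only, while the legitimate "/about" link passes. Against a real site the two inputs would come from fetching the page with a normal User-Agent and with a crawler User-Agent; a page that only differs in the hidden keyword links is the signature of step 4.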
Attacking a website using Cross Site Forgery
Cross-Site Reference Forgery
XSRF
CSRF
Sea Surfing
Session Riding
Hostile Linking
One-Click attacks
A confused deputy attack on a website, where the website already trusts a user.
An Example of Cross Site Forgery
Bob Frazer logs into Bankbank.com
Bob then logs into FerrariOwnersClub.com
Mal posts a bad link as his signature picture, which Bob loads.
<img src="http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory">
Bob, who is still logged into Bankbank, executes the request.
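The withdraw endpoint in the slide works because it changes state on a plain GET and trusts nothing but the session cookie, which the browser attaches automatically. The code below is an added example written for these notes, not from the slides: it models that endpoint and then the hardened version with the checks a defender puts in front of it, replaying Bob's forged image load against both. The Request class, session store, cookie name `sid`, and form field `csrf_token` are all assumptions made for the demo.

```python
"""CSRF defence for a state-changing endpoint, as an added example.

Models the slide's bankbank.com withdraw endpoint twice: as shown on the slide,
and hardened with the three standard checks (POST only, Origin/Referer check,
per-session synchronizer token). Request objects are constructed in code; the
hostnames, cookie name and field names are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bankbank.com"   # assumed deployment origin

# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS = {}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)   # URL parameters
    form: dict = field(default_factory=dict)    # POST body fields


def login(user):
    """Create a session and a random synchronizer token bound to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def withdraw_vulnerable(req):
    """The slide's endpoint: any GET carrying the victim's cookie moves money."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return 401, "not logged in"
    amount = int(req.query["amount"])
    return 200, f"moved {amount} from {sess['user']} to {req.query['for']}"


def withdraw_hardened(req):
    """Same endpoint with the CSRF checks a defender adds."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if not sess:
        return 401, "not logged in"
    # 1. State changes only via POST: an <img src> can only issue a GET.
    if req.method != "POST":
        return 405, "method not allowed"
    # 2. Origin (or Referer as fallback) must be our own site. Browsers set
    #    Origin on cross-site POSTs and page scripts cannot overwrite it.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # 3. Synchronizer token: the form must carry the token bound to this
    #    session, which an attacker's page cannot read.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    amount = int(req.form["amount"])
    return 200, f"moved {amount} from {sess['user']} to {req.form['for']}"


def demo():
    """Replay the slide's scenario against both handlers; return the status codes."""
    sid = login("bob")
    # What Bob's browser sends when it loads Mal's signature image.
    forged = Request(
        method="GET", path="/withdraw",
        headers={"Referer": "https://ferrariownersclub.com/forum"},
        cookies={"sid": sid},
        query={"account": "bob", "amount": "1000", "for": "mallory"},
    )
    # A legitimate transfer submitted from bankbank.com's own form.
    legit = Request(
        method="POST", path="/withdraw",
        headers={"Origin": SITE_ORIGIN},
        cookies={"sid": sid},
        form={"amount": "50", "for": "alice", "csrf_token": SESSIONS[sid]["csrf"]},
    )
    return {
        "forged_vulnerable": withdraw_vulnerable(forged)[0],
        "forged_hardened": withdraw_hardened(forged)[0],
        "legit_hardened": withdraw_hardened(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request succeeds against the slide's endpoint (200) and is refused by the hardened one at the very first check (405), while the legitimate form submission still goes through. The three checks are deliberately layered: an attacker's page can issue a POST with a form, so the method check alone is not enough; Origin/Referer can be absent on some requests, so it is a backstop rather than the only gate; the token is what actually ties the request to the session. Setting `SameSite=Lax` or `Strict` on the session cookie adds a browser-side layer on top, since the browser then stops sending the cookie on cross-site requests in the first place.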
Attacking You Through Your Phone
Not web based yet, but attackers are interested.
TrojanSMS.AndroidOS.FakePlayer.a
Sends texts without user’s knowledge to premium rate numbers.
Android Spyware
Tip Calculator
Symbian OS
Skulls
Worm:iOS/Ikee
Proof of concept: spreads through WiFi or 3G, sends financial information to server.
Future Trends
Future Trends - Users
Increasingly young base users
• More online edu-tainment/games
More familiar and comfortable with the web world
Less knowledgeable in security risk
Future Trends - Attacks
Increase in internet users
Move from IPv4 to IPv6
More attacks on the Web Servers
More sophisticated hackers
Future Trends - Companies
Focus more on Web Security
Getting better in locking down the web
Future Trends - Cloud Computing
Increase in IT budgets
More Web-Applications hosted in the Cloud
With lower cost comes higher security risk
More complex Security
Future Trends - Browsers will be more responsible
Google Chrome
FireFox
Future Trends – Spams
More legitimate-looking spam