© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
HTTP, Web Browsers and Web 2.0: A Cybercriminal’s Dream
Scott Olechowski
Manager, Threat Research
Security Technology Business Unit
• Cybercrime in 2011: Entering a new phase of global business capabilities
• Business balance and challenges
• Cisco 2010 Annual Security Report
– Trends and highlights
– Social engineering
– Banking Trojans
• Cisco SIO
Anonymous profits
Incredible, anonymous profits.
How does a Webpage work?
1. Site HTML: the web site “recipe”. The browser then fetches all the “ingredients”.
2. Ingredients: Web Resources
3. Retrieved, per the HTML, from any specified location.
• Images
• Scripts
• Executable objects (“plug-ins”)
• Other web pages
BoingBoing.net, a popular blog
• URLs in browser: 1
• HTTP Gets: 162
• Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
• Scripts: 87 from 7 domains
• Cookies: 118 from 15 domains
• 8 Flash objects from 4 domains
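The same kind of tally can be produced for any page by listing what its HTML tells the browser to fetch, grouped by resource type and by host. The following is an added example, not part of the original slides; the page URL, host names and HTML are constructed sample data, and the first-party test is a plain suffix match rather than a public-suffix lookup.

```python
from collections import Counter, defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute holding the URL, resource kind). These are the "ingredient"
# types from the slide: images, scripts, plug-in objects, other web pages.
RESOURCE_TAGS = {
    "img": ("src", "image"),
    "script": ("src", "script"),
    "embed": ("src", "plugin"),
    "object": ("data", "plugin"),
    "iframe": ("src", "page"),
}


class ResourceCollector(HTMLParser):
    """Collects every external resource the HTML tells the browser to fetch."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # tuples of (kind, host, absolute_url, is_pixel)

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_TAGS:
            return
        url_attr, kind = RESOURCE_TAGS[tag]
        attrs = dict(attrs)
        ref = attrs.get(url_attr)
        if not ref:
            return  # inline <script> or empty reference: nothing is fetched
        url = urljoin(self.page_url, ref)  # resolves relative and //host/ forms
        host = urlsplit(url).hostname
        if host is None:
            return  # data: URIs and similar cause no network request
        is_pixel = (kind == "image" and attrs.get("width") == "1"
                    and attrs.get("height") == "1")
        self.resources.append((kind, host, url, is_pixel))


def is_first_party(host, page_host):
    # Assumption: a plain suffix match stands in for a public-suffix lookup.
    return host == page_host or host.endswith("." + page_host)


def inventory(page_url, html):
    """Summarise declared fetches by kind and by host. Covers static HTML only;
    scripts can add more requests at run time."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    page_host = urlsplit(page_url).hostname
    hosts_by_kind = defaultdict(set)
    count_by_kind = Counter()
    count_by_host = Counter()
    for kind, host, _url, _pixel in collector.resources:
        hosts_by_kind[kind].add(host)
        count_by_kind[kind] += 1
        count_by_host[host] += 1
    return {
        "fetches": len(collector.resources),
        "by_kind": {k: (n, sorted(hosts_by_kind[k]))
                    for k, n in count_by_kind.items()},
        "by_host": dict(count_by_host),
        "third_party_hosts": sorted(
            h for h in count_by_host if not is_first_party(h, page_host)),
        "tracking_pixels": [u for _k, _h, u, pixel in collector.resources
                            if pixel],
    }


# Constructed sample page (all hosts are placeholders under .example).
SAMPLE_PAGE_URL = "http://blog.example/post/1"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://widgets.social.example/share.js"></script>
<script src="//ads.adnetwork.example/serve.js"></script>
<script>var inline = 1;</script>
</head><body>
<img src="/img/logo.png" width="200" height="60">
<img src="http://static.blog.example/photo.jpg">
<img src="http://stats.tracker.example/p.gif" width="1" height="1">
<img src="http://ads.adnetwork.example/b.gif" width="1" height="1" />
<embed src="http://video.cdn.example/player.swf">
<object data="http://ads.adnetwork.example/banner.swf"></object>
<iframe src="http://ads.adnetwork.example/frame.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = inventory(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("declared fetches:", report["fetches"])
    for kind, (count, hosts) in sorted(report["by_kind"].items()):
        print(f"{kind}: {count} from {len(hosts)} hosts")
    print("third-party hosts:", report["third_party_hosts"])
    print("1x1 tracking images:", report["tracking_pixels"])
```

The per-host counts show which single third-party host a page depends on most, which is the unit a filter can act on without blocking the whole page.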
• Exploited web sites are responsible for over 87% of all Web-based threats today*
• Over 79% of web sites hosting malicious code are legitimate**
• 9 out of 10 web sites are vulnerable to attack**
• Cross-Site Scripting & SQL Injection rank among the most common methods of infection
– Cross-Site Scripting (7 out of 10 websites)**
– SQL Injection (1 in 5 websites)**
*Source: IronPort TOC
**Source: White Hat Security, Website Sec Statistics Report 10/2007 & PPT 8/2008
• For the criminals, it is a simple matter of discovering and exploiting software vulnerabilities
• Almost all software is exploitable, including popular software
Huge: >1 Trillion Unique URLs
Growing: >231 Million active websites
Transient: 30% domain-level churn every year
[Chart: Number of Webpages over time]
1998: 28 Million webpages
2000: 1 Billion pages
2005: Web 2.0 tipping point
2011: >80 Billion webpages
Static Web: Traditional Content Publishers
Legacy URL Filtering Focus
Dynamic Web: User Generated & Web 2.0 Content
Source: Multiple, including Cisco SIO, Google, Wikipedia
The Known Web: ~20% covered by URL lists
The Dark Web: 80% of the web is uncategorized, highly dynamic or unreachable by web crawlers
– Botnets
– Dynamic content
– Password protected sites
– User generated content
– Short life sites
Acceptable Use Violations
Malware
Complexity with Lack of Visibility
Business Pipeline
Social Networking
Webmail
Apps
Hotmail
• Specialized
• Complex
• Well organized but loose affiliations
• Targeted
• Highly competitive
• Extremely profitable
“Installs” for Sale - Monetizing Botnets
Rogue AV
• Bakasoftware “scareware spyware” affiliate business
• Affiliates load “scareware” onto their bots.
• Affiliates are paid a commission when consumers purchase
• This #2 affiliate earned $147k in 10 days, or $5M/year!
– 154,825 installations and 2,772 purchases
Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2
[Figure: Bakasoftware Dashboard Showing 10 Days Revenue for #2 Affiliate; rows Day 1 through Day 10 and Total]
• Makes browser hacking easy
• Pre-written exploits
• Graphical reporting
• Affiliate management
• Off-the-shelf: $800
• Links are posted to (or sent from) hijacked social networking accounts
• The link leads to a fake video site that asks the user to install a new Flash player / codec to view the video
“Antivirus XP has found 2794 threats. It is recommended to proceed with removal”
CAPTCHA: Completely Automated Public Turing Test to tell Computers and Humans Apart
Criminals are perfecting the art of remotely stealing millions and millions of dollars directly out of bank accounts.
Courtesy Silver Tail Systems
Your browser NOT on Zeus:
Your browser on Zeus:
• Modify web pages as displayed in the browser.
• Add extra fields to forms.
• Customize to steal *any* credential.
• Collect info from form submissions.
username=123456
password=1234qwert
tan=125
Actual transaction log:
Zeus transaction log, hiding transactions and changing balances:
Why bother with stealing credentials, security challenges, and out-of-band codes?
Instead:
- Use the malware to inject (via JavaScript) transactions into the banking user’s LIVE session
- How?
1. Zeus waits until the banking user logs in.
2. Zeus looks for the user to perform a banking transaction.
3. Zeus injects a site-specific transaction via JavaScript without the user knowing.
4. If an out-of-band code is required, the user will provide it themselves (thinking it is for their own transaction).
Multi-Million Dollar Problem
-Shawn Henry
FBI Assistant Director, Cyber Division
8 Nov 2010 CBS “60 Minutes”
“…Criminals have used the Internet to steal more than $100 million from U.S. banks so far this year [2010] and they did it without ever having to draw a gun or pass a note to a teller…
…I've seen attacks where there's been $10 million lost in one 24-hour period.”
Criminals are more sophisticated and organized
Criminals command more (stolen) resources than ever before
Criminals have mastered how to profit from their skills
We are now targets: Our enterprises. Our users. Our resources. Our data. Our money.
How do we combat this new sophistication?
Has anyone seen my silver bullet?
Security needs to move at the speed of crime.
Global Context: Data Makes a Difference
Cisco SensorBase, Threat Operations Center, Advanced Algorithms
Global Threat Telemetry
Sites shown: Bank Branch in Chicago; ISP Datacenter in Moscow; Ad Agency HQ in London
8:00 GMT Email Security Detects Compromised Server
8:03 GMT IPS Detects Hacker Probing
8:07 GMT Web Security Detects New Botnet
8:10 GMT All Cisco Customers Protected
SensorBase, Threat Operations Center, Dynamic Updates
WEB REQUESTS: 5B
EMAIL MESSAGES: 100M
WORLDWIDE TRAFFIC: 35%
GLOBALLY DEPLOYED DEVICES: 700,000+
DATA RECEIVED PER DAY: 1 TB
Cisco Security Architecture
The Whole Offer
[Diagram labels: Management; Endpoint; Cloud; Trusted Systems; Services; Partners; Enterprise Licenses; Global Intelligence; Local Intelligence]
Cisco SIO: Threat Identification, Analysis, and Automated Defense
Powering Cisco Security Products and Services
Security Filters: Industry’s Most Effective Security Features
Cisco Products and Services: Proactive Protection, High-Performance
• IPS Reputation & Signature Filters
• Firewall Botnet Traffic Filters
• Alert Aggregation Filters
• Virus Outbreak Filters
• Anti-Spam
• Email and Web Reputation Filters
• Live Reputation Scores
• New and Updated Signatures
• Authored and Dynamic Rule Sets
• Auto Updates Every 5 Minutes
• Customized Alerts Every 5 Minutes
SECURE BORDERLESS NETWORK
NETWORK
• Advanced Data Loss Prevention Systems
• Acceptable Use Enforcement
• Advanced Anti-malware and Reputation Analysis
Thank you.
[Bar chart by content type: Javascript, Flash, PDF, Image, Binary. Data labels in extraction order: 0,80 %, 0,20 %, 0,08 %, 0,07 %, 0,17 %. Y-axis from 0,00 % to 0,90 %.]
• The web vector has become the #1 weakness targeted by criminals for profit
• The web browser ecosystem is vulnerable
• Web 2.0 exacerbates these problems
– More active content from disparate, uncontrolled sources
• Anti-virus is not an adequate solution
• Web servers are attacked and used to spread malware via legitimate sites
• A different approach is required
• Host-level
– Patch browser and applications regularly
– Use a system to monitor use of insecure applications on desktops (e.g. Secunia)
– “Lock down” hosts where applicable
– Consider virtual desktops
• Network-level security
– Usability vs. security issues
– Over-eager blocking of entire sites – Google’s safe search is a good example.
– Not always the fault of the site leading to the infection – look at the Doubleclick example.
– Wipe out individual bad parts of the web page, leave the good. E.g. block the connection to tejary.net, leave brookeseidl.com alone.
– Secure HTTPS
• Secure web application development (OWASP)
• Consider Web Application Firewall
• Consider vendor to monitor site security
• Google safe browsing is your friend
• Secure web server credentials!!!
– FTP access to manage server content is insecure
– Recommend using two-factor authentication and/or restricting access to web server administration to the local enterprise network
– If you must use SFTP or SSH password-based access, use robust passwords, protect them and rotate them
– Look for more robust methods of uploading content.