http, web browsers and web 2.0: a …cna.mikkeliamk.fi/public/tturva/tturva2011/doc/scott...fbi...

HTTP, Web Browsers and Web 2.0: A Cybercriminal’s Dream

Scott Olechowski

Manager, Threat Research

Security Technology Business Unit

© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


• Cybercrime in 2011: Entering a new phase of global business capabilities

• Business balance and challenges

• Cisco 2010 Annual Security Report

– Trends and highlights

– Social engineering

– Banking Trojans

• Cisco SIO


Anonymous profits

Incredible, anonymous profits.


How does a Webpage work?

1. Site HTML: the web site “recipe”. The browser then fetches all the “ingredients”.

2. Ingredients: web resources

• Images

• Scripts

• Executable objects (“plug-ins”)

• Other web pages

3. The resources are retrieved, per the HTML, from any specified location.


BoingBoing.net, a popular blog

• URLs in browser: 1

• HTTP Gets: 162

• Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images

• Scripts: 87 from 7 domains

• Cookies: 118 from 15 domains

• 8 Flash objects from 4 domains


• Exploited web sites are responsible for over 87% of all Web-based threats today*

• Over 79% of web sites hosting malicious code are Legitimate**

• 9 out of 10 web sites vulnerable to attack**

• Cross-site scripting and SQL injection rank among the most common methods of infection

– Cross-Site Scripting (7 out of 10 websites)**

– SQL Injection (1 in 5 websites)**

*Source: IronPort TOC

**Source: White Hat Security, Website Sec Statistics Report 10/2007 & PPT 8/2008


• For the criminals, it is a simple matter of discovering and exploiting software vulnerabilities

• Almost all software is exploitable, including popular software


Huge: >1 trillion unique URLs

Growing: >231 million active websites

Transient: 30% domain-level churn every year

[Chart: number of webpages over time]

• 1998: 28 million webpages

• 2000: 1 billion pages

• 2005: Web 2.0 tipping point

• 2011: >80 billion webpages

• Static Web: traditional content publishers; legacy URL filtering focus

• Dynamic Web: user-generated and Web 2.0 content

Source: Multiple, including Cisco SIO, Google, Wikipedia


The Known Web: ~20% covered by URL lists

The Dark Web: 80% of the web is uncategorized, highly dynamic or unreachable by web crawlers

– Botnets

– Dynamic content

– Password protected sites

– User generated content

– Short life sites

Acceptable Use Violations

Malware


Complexity with Lack of Visibility

Business Pipeline

Social Networking

Webmail

Apps

Hotmail


• Specialized

• Complex

• Well organized but loose affiliations

• Targeted

• Highly competitive

• Extremely profitable


“Installs” for Sale - Monetizing Botnets


Rogue AV


• Bakasoftware “scareware spyware” affiliate business

• Affiliates load “scareware” onto their bots.

• Affiliates are paid a commission when consumers purchase

• This #2 affiliate earned $147k in 10 days, a rate of $5M/year!

– 154,825 installations and 2,772 purchases

Source: http://www.secureworks.com/research/threats/rogue-antivirus-part-2/?threat=rogue-antivirus-part-2

[Figure: Bakasoftware dashboard showing 10 days of revenue for the #2 affiliate, with rows for Day 1 through Day 10 and a Total]


• Makes browser hacking easy

• Pre-written exploits

• Graphical reporting

• Affiliate management

• Off-the-shelf: $800


• Links are posted to (or sent from) hijacked social networking accounts

• The link leads to a fake video site that asks the user to install a new Flash player / codec to view the video


“Antivirus XP has found 2794 threats. It is recommended to proceed with removal”


CAPTCHA: Completely Automated Public Turing Test to tell Computers and Humans Apart


Criminals are perfecting the art of remotely stealing millions and millions of dollars directly out of bank accounts.


Courtesy Silver Tail Systems

Your browser NOT on Zeus:

Your browser on Zeus:


• Modify web pages as displayed in the browser.

• Add extra fields to forms.

• Customize to steal *any* credential.

• Collect info from form submissions.


username=123456

password=1234qwert

tan=125


Actual transaction log:


Zeus transaction log, hiding transactions and changing balances:


Why bother with stealing credentials, security challenges, and out-of-band codes?

Instead:

- Use the malware to inject (via JavaScript) transactions into the banking user’s LIVE session

- How?

1. Zeus waits until the banking user logs in.

2. Zeus looks for the user to perform a banking transaction.

3. Zeus injects a site-specific transaction via JavaScript without the user knowing.

4. If an out-of-band code is required, the user will provide it themselves (thinking it is for their own transaction).


Multi-Million Dollar Problem

“…Criminals have used the Internet to steal more than $100 million from U.S. banks so far this year [2010] and they did it without ever having to draw a gun or pass a note to a teller…

…I've seen attacks where there's been $10 million lost in one 24-hour period.”

- Shawn Henry, FBI Assistant Director, Cyber Division, 8 Nov 2010, CBS “60 Minutes”


Criminals are more sophisticated and organized

Criminals command more (stolen) resources than ever before

Criminals have mastered how to profit from their skills

We are now targets: Our enterprises. Our users. Our resources. Our data. Our money.

How do we combat this new sophistication?


Has anyone seen my silver bullet?


Security needs to move at the speed of crime.


Global Context: Data Makes a Difference

Cisco SensorBase, Threat Operations Center, Advanced Algorithms

Global Threat Telemetry. Sites shown: Bank Branch in Chicago, ISP Datacenter in Moscow, Ad Agency HQ in London

8:00 GMT Email Security Detects Compromised Server

8:03 GMT IPS Detects Hacker Probing

8:07 GMT Web Security Detects New Botnet

8:10 GMT All Cisco Customers Protected


SensorBase, Threat Operations Center, Dynamic Updates

• WEB REQUESTS: 5B

• EMAIL MESSAGES: 100M

• WORLDWIDE TRAFFIC: 35%

• GLOBALLY DEPLOYED DEVICES: 700,000+

• DATA RECEIVED PER DAY: 1 TB


Management

Endpoint Cloud

Trusted Systems

Services Partners Enterprise Licenses

The Whole Offer

Cisco Security Architecture

Global Intelligence

Local Intelligence


Security Filters: Industry’s Most Effective Security Features

Cisco Products and Services: Proactive Protection, High-Performance

Cisco SIO: Threat Identification, Analysis, and Automated Defense

Powering Cisco Security Products and Services

Diagram labels:

• IPS Reputation & Signature Filters

• Firewall Botnet Traffic Filters

• Alert Aggregation Filters

• Virus Outbreak Filters

• Anti-Spam

• Email and Web Reputation Filters

• Live Reputation Scores

• New and Updated Signatures

• Authored and Dynamic Rule Sets

• Auto Updates Every 5 Minutes

• Customized Alerts Every 5 Minutes


NETWORK

• Advanced Data Loss Prevention Systems

• Acceptable Use Enforcement

• Advanced Anti-malware and Reputation Analysis

SECURE BORDERLESS NETWORK


Thank you.


[Bar chart, no title recovered. Categories: Javascript, Flash, PDF, Image, Binary. Data labels in the order extracted: 0,80 %, 0,20 %, 0,08 %, 0,07 %, 0,17 %. Axis: 0,00 % to 0,90 %.]


• The web vector has become the #1 weakness targeted by criminals for profit

• The web browser ecosystem is vulnerable

• Web 2.0 exacerbates these problems

– More active content from disparate, uncontrolled sources

• Anti-virus is not an adequate solution

• Web servers are attacked and used to spread malware via legitimate sites

• A different approach is required


• Host-level

– Patch browser and applications regularly

– Use a system to monitor use of insecure applications on desktops (e.g. Secunia)

– “Lock down” hosts where applicable

– Consider virtual desktops


• Network-level security

– Usability vs. security issues

– Over-eager blocking of entire sites – Google’s safe search is a good example.

– Not always the fault of the site leading to the infection – look at Doubleclick example.

– Wipe out individual bad parts of the web page, leave the good. E.g. block the connection to tejary.net, leave brookeseidl.com alone.

– Secure HTTPS
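
The per-domain resource tally from the BoingBoing slide and the "wipe out individual bad parts, leave the good" recommendation above can be worked through together. This is an added example, not code from the presentation: the sample HTML and all `.example` hosts are constructed, and `bad.example` stands in for the blocked host on the slide.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, kind), following the slide's list of "ingredients":
# images, scripts, executable objects ("plug-ins") and other web pages.
RESOURCE_TAGS = {
    "img": ("src", "image"),
    "script": ("src", "script"),
    "embed": ("src", "plugin"),
    "object": ("data", "plugin"),
    "iframe": ("src", "page"),
    "frame": ("src", "page"),
}

class ResourceCollector(HTMLParser):
    """Record each sub-resource a browser would fetch for one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # (kind, absolute URL, host)

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_TAGS:
            return
        attr, kind = RESOURCE_TAGS[tag]
        value = dict(attrs).get(attr)
        if not value:
            return  # inline script or empty attribute: no request is made
        url = urljoin(self.page_url, value)  # handles relative and //host forms
        host = (urlsplit(url).hostname or "").lower()
        if host:  # data: and similar URLs have no host and no network fetch
            self.resources.append((kind, url, host))

def collect_resources(page_url, html):
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector.resources

def count_by_kind_and_host(resources):
    """Return {kind: {host: count}}, the per-domain tally shown on the slide."""
    counts = defaultdict(lambda: defaultdict(int))
    for kind, _url, host in resources:
        counts[kind][host] += 1
    return {kind: dict(hosts) for kind, hosts in counts.items()}

def host_is_blocked(host, blocked_hosts):
    """Match the blocked name itself or any subdomain, never a mere suffix."""
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)

def per_resource_verdicts(resources, blocked_hosts):
    """Allow or block each object on its own host, leaving the page intact."""
    verdicts = {"allow": [], "block": []}
    for _kind, url, host in resources:
        key = "block" if host_is_blocked(host, blocked_hosts) else "allow"
        verdicts[key].append(url)
    return verdicts

# Constructed sample page; every host below is a placeholder.
SAMPLE_PAGE_URL = "http://blog.example/post/1"
SAMPLE_HTML = """
<script src="/js/site.js"></script>
<script src="http://cdn.example/lib.js"></script>
<script src="//stats.bad.example/c.js"></script>
<script>var inline = 1;</script>
<img src="logo.png">
<img src="http://tracker.example/pixel.gif" width="1" height="1">
<iframe src="http://ads.example/frame.html"></iframe>
<embed src="http://media.example/player.swf">
"""
```

Calling `per_resource_verdicts(collect_resources(SAMPLE_PAGE_URL, SAMPLE_HTML), {"bad.example"})` blocks only the one script served from the listed host; the page and its other six objects are still delivered.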


• Secure web application development (OWASP)

• Consider Web Application Firewall

• Consider vendor to monitor site security

• Google safe browsing is your friend


• Secure web server credentials!!!

– FTP access to manage server content is insecure

– Recommend using two-factor authentication and/or restricting access to web server administration to the local enterprise network

– If you must use SFTP or SSH password-based access, use robust passwords, protect them and rotate them

– Look for more robust methods of uploading content.
