Secure Web Surfing and Hardening the Windows Operating System
ECE – 4112, Group 3
Varun Shah, Nikunj Nemani
Common Infection Methods
Web Exploits
1. Browser Exploits.
2. Email Attachments.
3. Downloading files from the internet.
Operating System Exploits.
Security Measures used earlier for Browser Security
Secure Socket Layer
1. Encrypts the data between the client and server.
2. However, it does not make the websites themselves secure.
Browser Exploits
Phishing
IFrames (Inline Frames) as an exploit
Typosquatters
Some Javascripts with DOM access
Phishing
Theft of identity and/or sensitive financial information.
Can cause a lot of $$$$$ in losses.
Usually spread through social engineering, also by sending emails, in IM chats, etc.
Phishing continued….
Can also be spread by performing URL obfuscation, e.g. www.bank.com.ch instead of www.bank.com.
How do you prevent against such attacks?
1. Install antiphishing filters.
2. Do not open links in email by clicking them; instead paste them into the browser bar and then search.
Phishing Filter - Mozilla
Paypal Phishing site
http://dl2nym.dyndns.org/update/index.html
Phishing filter - Opera
(screenshot of the same Paypal phishing site)
Phishing filter – IE 7
(screenshot of the same Paypal phishing site)
Comparison
Browser | Action performed when a phishing site is visited
Mozilla | Gives a popup that it is a phishing site.
Opera | Gives a small notification in the toolbar. You need to click on it to see the popup.
IE 7 | Gives a small notification in the taskbar. When clicked, it prevents the browser from opening that page.
IFrames as an exploit
What are IFrames?
Ans: Allows one to embed another HTML document in an HTML document.
Can be used by hackers to put in their links by hacking legitimate websites.
Thus if a hacker inserts a link for online transfer on some site with advertisements, the consumer can be duped into accessing his account by clicking that link.
IFrames as an exploit ….continued
Prevention against IFrames.
Instead of clicking on the link, paste it into the browser bar and then search.
e.g. 1. Iran Art News – www.iranartnews.com 2. Le Bowling en France – www.bowling-france.fr
Typosquatting.
What are typosquatters?
Ans: It basically relies on typing mistakes made by the user.
Hackers may own the website with the typo error.
Can be a threat if hackers own such websites for different banks.
Prevention from Typosquatting
Strider Typo Patrol is being developed by Microsoft.
It aims to scan for and show third-party domains that are allegedly typosquatting.
Some examples: www.myspacce.com instead of www.myspace.com
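As an added example (not part of the presentation), the following check flags the two lookalike tricks described in the phishing and typosquatting slides, URL obfuscation (www.bank.com.ch) and typosquatting (www.myspacce.com), against a list of trusted domains. It assumes the registrable domain is the last two host labels, which ignores public-suffix rules; a production check should consult the Public Suffix List instead.

```python
"""Flag URL obfuscation and typosquatting against trusted domains.

Added example; TRUSTED holds the domains named on the slides.
Assumption: the registrable domain is the last two host labels
(no public-suffix handling)."""
from urllib.parse import urlsplit

# Trusted domains named on the slides; a real deployment would load its own list.
TRUSTED = ("bank.com", "myspace.com")


def registrable_domain(host):
    """Last two labels of the host (simplified; see assumption above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'trusted', a lookalike verdict naming the imitated domain, or 'unknown'."""
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in TRUSTED:
        return "trusted"
    for trusted in TRUSTED:
        # www.bank.com.ch: the trusted name is buried inside a foreign domain
        if trusted in host:
            return "obfuscated lookalike of " + trusted
        # www.myspacce.com: the registrable domain is a near-miss typo
        if edit_distance(domain, trusted) <= 2:
            return "typosquat of " + trusted
    return "unknown"


if __name__ == "__main__":
    for url in ("https://www.bank.com/", "http://www.bank.com.ch/login",
                "http://www.myspacce.com/", "http://dl2nym.dyndns.org/update/index.html"):
        print(url, "->", classify_url(url))
```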
JAVA script DOM Access
Javascript has complete access to the DOM and is capable of modifying anything.
It can present the following threats:
1. Direct echo – It requires the victim to click on the link, and once the user does it the Javascript code executes and the hacker can steal the cookies.
JAVA script DOM Access …. continued
2. HTML Injection – It does not require a user to even click a link.
Thus if a user just visits the page or opens the email, the javascript code executes and the attacker retrieves the cookies from the user’s web browser and can hijack its session or simulate this session elsewhere.
Prevention from Javascripts
Use “HTTP only” cookie flag: It makes the cookie inaccessible using script.
Use “secure” cookie flag: It means the browser should only send the cookie in secure SSL URL requests.
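As an added example (not code from the presentation), the following issues a session cookie with the HttpOnly and Secure flags recommended above using Python's standard http.cookies module, audits Set-Cookie values for the flags, and simulates which cookies page script could still read. The cookie name and value are constructed.

```python
"""Issue and audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example; cookie names and values are constructed."""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, hardened=True):
    """Return the Set-Cookie header value for a session cookie.

    With hardened=True the cookie carries HttpOnly (document.cookie cannot
    read it, so script that steals cookies gets nothing) and Secure (the
    browser only sends it on SSL/TLS requests)."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = "/"
    if hardened:
        jar[name]["httponly"] = True
        jar[name]["secure"] = True
    return jar.output(header="").strip()


def audit_set_cookie(header_value):
    """Return the protective flags missing from one Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower()
             for part in header_value.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def script_visible(set_cookie_values):
    """Simulate document.cookie: only cookies without HttpOnly are exposed."""
    visible = []
    for value in set_cookie_values:
        if "HttpOnly" in audit_set_cookie(value):
            visible.append(value.split(";", 1)[0])
    return visible


if __name__ == "__main__":
    weak = build_session_cookie("sessionid", "abc123", hardened=False)
    strong = build_session_cookie("sessionid", "abc123")
    print(weak, "-> missing:", audit_set_cookie(weak))
    print(strong, "-> missing:", audit_set_cookie(strong))
    print("visible to script:", script_visible([weak, strong]))
```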
Email Attachments
Links to sites that actually phish for data.
Attachments that have malware.
Email sent with a link to a phishing site
Genuine email sent by a bank
Downloading files from the internet.
The files can be masqueraded as software but may include a virus/trojan.
Also now there is fake security software available that is actually a virus/trojan.
e.g. www.antivirusfiable.com, www.antivirusmagique.com
Prevention:
1. Download software only from known legitimate sites.
Windows Registry
It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc.
Working with Windows Registry
The Registry is split into a number of logical sections called hives.
Registry is divided into two parts:
Keys: The keys all begin with HKEY and they are on the left of the window.
Values: They are the actual values inside the registry folders, and they are on the right side of the window.
Keys of Registry Editor
There are 5 main keys:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
Stores information about registered applications, such as associations from file extensions and OLE object class IDs.
Software configuration information from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key.
HKEY_CURRENT_USER
Currently logged-on user profile information.
The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.
HKEY_LOCAL_MACHINE
Local system hardware, device drivers, services, and machine-specific application data information.
Information about system hardware drivers and services is located under the SYSTEM subkey, whilst the SOFTWARE subkey contains software and Windows settings.
HKEY_USERS
Pre-logon default user profile information and the HKEY_CURRENT_USER key.
The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.
HKEY_CURRENT_CONFIG
Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.
Hardware information from the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.
Regkey Backup
It is a very useful tool to back up important data in the registry.
If we happen to delete an application, we can restore it, so as to make sure that the system is not infected.
Registry Fix
The scanner allows one to scan for invalid entries that might be affecting the PC.
Registryfix will scan for errors related to ActiveX controls, DLL issues, Windows Explorer errors, Windows Installer issues, Internet Explorer errors, Iexplore and System32 errors, runtime errors, Outlook and Outlook Express errors, EXE errors, Svchost errors and a wide variety of other system issues.
RegCure
PC freezing is a result of a bad operating system registry. RegCure seeks out the remnants left behind on your registry from failed installations, incomplete un-installations, disabled drivers, and spyware applications.
You can enable and disable applications in the Manage Startup list with a few simple clicks.
Anti Spyware bot
Delaying the removal of trojans, cookies, etc. may cause a number of problems, such as slow performance, loss of data or leakage of private information to websites.
This software runs a scan to detect and remove any spyware on our PC.
Record cleaner
It cleans the recent-files lists of various software tools.
Clearing the recent files list makes it impossible for an intruder to recover any traces of recently accessed files.
Recent Cleaner has a reporting feature.
LAN Monitor
Monitor your computer's connections to other computers (on your LAN, and on the Internet).
See real-time traffic statistics. You'll see the name and IP address of the remote computer, and the type of connection (HTTP, POP3, FTP, etc.) that's being made!
Vembu StoreGrid
It is a client-server and remote backup.
It is a lot more flexible than other forms of backup.
It helps utilize the free space in the network to take backups.
References
http://www.registryfix.com/
http://whitehatsec.com
http://www.karenware.com
http://www.findprotected.com
http://www.softplatz.com