Secure Web Surfing and Hardening the Windows Operating System. ECE – 4112, Group 3: Varun Shah, Nikunj Nemani

Upload: susan-gibbs

Post on 03-Jan-2016


Page 1: Secure Web Surfing and Hardening the Windows Operating System ECE – 4112 Group 3 Varun Shah Nikunj Nemani

Secure Web Surfing and Hardening the Windows Operating System

ECE – 4112
Group 3

Varun Shah
Nikunj Nemani


Common Infection Methods

Web Exploits

1. Browser Exploits.
2. Email Attachments.
3. Downloading files from the internet.

Operating System Exploits.


Security Measures used earlier for Browser Security

Secure Sockets Layer

1. Encrypts the data between the client and server.
2. However, it does not make the websites secure.


Browser Exploits

Phishing
IFrames (Inline Frames) as an exploit
Typosquatters
Some JavaScripts with DOM access


Phishing

Theft of identity and/or sensitive financial information.
Can cost a lot of $$$$$.
Is usually spread through social engineering.
Also by sending emails and in IM chats, etc.


Phishing continued….

Can also be spread by performing URL obfuscation, e.g. www.bank.com.ch instead of www.bank.com

How do you prevent such attacks?
1. Install antiphishing filters.
2. Do not open links in email by clicking them; instead paste them into the browser bar and then search.


Phishing Filter - Mozilla


Paypal Phishing site

http://dl2nym.dyndns.org/update/index.html


Phishing filter - Opera

http://dl2nym.dyndns.org/update/index.html


Phishing filter – IE 7

http://dl2nym.dyndns.org/update/index.html


Comparison

Browser | Action performed when a phishing site is visited
Mozilla | Gives a popup that it is a phishing site.
Opera | Gives a small notification in the toolbar. You need to click on it to see the popup.
IE 7 | Gives a small notification in the taskbar. When clicked, it prevents the browser from opening that page.


IFrames as an exploit

What are IFrames?
Ans: They allow one to embed another HTML document in an HTML document.
Can be used by hackers to put in their links by hacking legitimate websites.
Thus if a hacker inserts a link for online transfer on some site with advertisements, the consumer can be duped into accessing his account by clicking that link.


IFrames as an exploit ….continued

Prevention against IFrames.

Instead of clicking on links, paste them into the browser bar and then search.

e.g.
1. Iran Art News – www.iranartnews.com
2. Le Bowling en France – www.bowling-france.fr


Typosquatting.

What are typosquatters?
Ans: It basically relies on typing mistakes made by the user.
Hackers may own the website with the typo error.
Can be a threat if hackers own such websites for different banks.


Prevention from Typosquatting

Strider Typo Patrol is being developed by Microsoft.
It aims to scan and show third party domains that are allegedly typosquatting.
Some examples: www.myspacce.com instead of www.myspace.com
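
Added example (not from the original slides): one way to flag the two lookalike patterns mentioned in this deck, URL obfuscation such as www.bank.com.ch and typos such as www.myspacce.com, by comparing a link's hostname with a list of trusted domains. The TRUSTED list, the function names and the edit-distance threshold of 2 are assumptions made for illustration.

```javascript
// Constructed list of domains the user actually intends to visit (assumption).
const TRUSTED = ["bank.com", "myspace.com"];

// Levenshtein edit distance (insert, delete, substitute), two-row dynamic programming.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Extract the lowercase hostname from a URL or a bare host string.
function hostOf(link) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(link) ? link : "http://" + link;
  return new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
}

function classify(link, trusted = TRUSTED) {
  const host = hostOf(link);
  const labels = host.split(".");
  for (const t of trusted) {
    // Exact match or a real subdomain: the trusted name is the rightmost part.
    if (host === t || host.endsWith("." + t)) {
      return { host, verdict: "trusted", match: t };
    }
  }
  for (const t of trusted) {
    // URL obfuscation: the trusted name appears, but more labels follow it
    // (www.bank.com.ch), so the site really belongs to a different domain.
    if (host.startsWith(t + ".") || host.includes("." + t + ".")) {
      return { host, verdict: "embedded-lookalike", match: t };
    }
  }
  for (const t of trusted) {
    // Typosquatting: the rightmost labels are within 2 edits of a trusted name.
    const tail = labels.slice(-t.split(".").length).join(".");
    const distance = editDistance(tail, t);
    if (distance > 0 && distance <= 2) {
      return { host, verdict: "typo-lookalike", match: t, distance };
    }
  }
  return { host, verdict: "unknown" };
}

for (const link of ["http://www.bank.com/login", "www.bank.com.ch", "www.myspacce.com"]) {
  console.log(link, "->", classify(link).verdict);
}
```

With short domain names a threshold of 2 produces false positives, so a typo-lookalike verdict is a prompt to check the address, not proof of typosquatting.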


JavaScript DOM Access

JavaScript has complete access to the DOM and is capable of modifying anything.

It can present the following threats:
1. Direct echo – It requires the victim to click on the link; once the user does, the JavaScript code executes and the hacker can steal the cookies.


JavaScript DOM Access …. continued

2. HTML Injection
It does not require a user to even click a link.
Thus if a user just visits the page or opens the email, the JavaScript code executes.
The attacker then retrieves the cookies from the user’s web browser and can hijack the session or simulate this session elsewhere.


Prevention from JavaScripts

Use the “HTTP only” cookie flag
It makes the cookie inaccessible to script.

Use the “secure” cookie flag
It means the browser should only make secure SSL URL requests when sending the cookie.
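
Added example (not from the original slides): a simplified model of how a browser treats the two cookie flags, showing which cookies a script can read and which are sent over plain HTTP. The real header attribute names are HttpOnly and Secure; the sample headers and function names are constructed for illustration, and domain, path and expiry matching are ignored.

```javascript
// Constructed sample Set-Cookie response headers (not from the slides).
const SAMPLE_HEADERS = [
  "SESSIONID=abc123==; Path=/",
  "prefs=lang=en; Path=/; Secure",
  "auth=tok42; Path=/; HttpOnly; Secure",
];

// Parse one Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const pair = parts.shift() || "";
  const eq = pair.indexOf("="); // split on the first "=" only; values may contain "="
  const attrs = {};
  for (const p of parts) {
    const i = p.indexOf("=");
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : p.slice(i + 1).trim();
  }
  return {
    name: eq < 0 ? "" : pair.slice(0, eq).trim(),
    value: eq < 0 ? pair : pair.slice(eq + 1).trim(),
    attrs,
  };
}

// What injected script would read from document.cookie:
// every cookie that lacks the HttpOnly flag.
function scriptVisible(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !("httponly" in c.attrs))
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Names of the cookies attached to a request with the given scheme:
// cookies flagged Secure are withheld from plain http.
function sentOn(headers, scheme) {
  return headers
    .map(parseSetCookie)
    .filter((c) => scheme === "https" || !("secure" in c.attrs))
    .map((c) => c.name);
}

// Report which of the two flags are missing and return the corrected header.
function audit(header) {
  const c = parseSetCookie(header);
  const missing = ["HttpOnly", "Secure"].filter((f) => !(f.toLowerCase() in c.attrs));
  return { name: c.name, missing, hardened: [header, ...missing].join("; ") };
}

console.log("script can read:", scriptVisible(SAMPLE_HEADERS));
console.log("sent over http: ", sentOn(SAMPLE_HEADERS, "http"));
for (const h of SAMPLE_HEADERS) console.log(audit(h));
```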


Email Attachments

Links to sites that actually phish for data.
Attachments that contain malware.


Email sent with link of a phishing site


Genuine Email sent by a bank


Downloading files from the internet.

The files can masquerade as software but may include a virus/trojan.
There is now also fake security software available that is actually a virus/trojan.
e.g. www.antivirusfiable.com www.antivirusmagique.com

Prevention:
1. Download software only from known legitimate sites.


Windows Registry

It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc.


Working with Windows Registry

The Registry is split into a number of logical sections called hives.

The Registry is divided into two parts:
Keys: The keys all begin with HKEY and they are on the left of the window.
Values: They are the actual values inside the registry folders, and they are on the right side of the window.


Keys of Registry Editor

There are 5 main keys:
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG


HKEY_CLASSES_ROOT

Stores information about registered applications, such as associations from file extensions and OLE object class IDs.

Software configuration information from the HKEY_LOCAL_MACHINE\SOFTWARE\Classes key.


HKEY_CURRENT_USER

Currently logged on user profile information.

The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.


HKEY_LOCAL_MACHINE

Local system hardware, device drivers, services, and machine-specific application data information.

Information about system hardware drivers and services is located under the SYSTEM subkey, whilst the SOFTWARE subkey contains software and Windows settings.


HKEY_USERS

Pre-logon default user profile information and HKEY_CURRENT_USER key.

The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations.


HKEY_CURRENT_CONFIG

Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.

Hardware information from the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM keys.


Regkey Backup

It is a very useful tool to back up important data in the registry.

If we happen to delete an application, we can restore it, so as to make sure that the system is not infected.


Registry Fix

The scanner allows you to scan for invalid entries that might be affecting the PC.

Registryfix will scan for errors related to ActiveX controls, DLL issues, Windows Explorer errors, Windows Installer issues, Internet Explorer errors, Iexplore and System32 errors, runtime errors, Outlook and Outlook Express errors, EXE errors, Svchost errors and a wide variety of other system issues.


RegCure

PC freezing is a result of a bad operating system. RegCure seeks out the remnants left behind on your registry from failed installations, incomplete un-installations, disabled drivers, and spyware applications.

You can enable and disable applications in the Manage Startup list with a few simple clicks.


Anti Spyware bot

Delaying the removal of trojans, cookies etc. may cause a number of problems, such as slow performance, loss of data or leakage of private information to websites.

This software runs a scan to detect and remove any spyware on our PC.


Record cleaner

It cleans the recent files lists of various software tools.

Clearing the recent files list makes it impossible for an intruder to recover any traces of recently accessed files.

Recent Cleaner has a reporting feature.


LAN Monitor

Monitor your computer's connections to other computers (on your LAN, and on the Internet).

See real-time traffic statistics.
You'll see the name and IP address of the remote computer, and the type of connection (HTTP, POP3, FTP, etc) that's being made!


Vembu StoreGrid

It is a client-server and remote backup.

It is a lot more flexible than other forms of backup.

It helps utilize the free space in the network to take backups.
