web defacement
Web Defacement. Anh Nguyen, May 6th, 2010. Organization: Introduction, How Hackers Deface Web Pages, Solutions to Web Defacement, Conclusions.
Web Defacement
Anh Nguyen
May 6th, 2010
Organization
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Introduction
• Introduction
  – Web Defacement
  – Hackers' Motivation
  – Effects on Organizations
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Introduction: Web Defacement
• Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offending data
• Exposes visitors to misleading information
Introduction: Web Defacement
• http://www.attrition.org/mirror/attrition/
  – Keeps track of defacement incidents and keeps a “mirror” of defaced Web sites
Introduction: Hackers' Motivation
• Look for credit card numbers and other valuable proprietary information
• Gain credibility in the hacking community and, in some high-profile cases, 15 minutes of fame through media coverage of the incident
Introduction: Effects on Organizations
• Organizations lose
  – Credibility and reputation
  – Customer trust and revenue
  – E-retailers can lose considerable patronage if their customers feel their e-business is insecure
  – Financial institutions may experience significant loss of business and integrity
How Hackers Deface Web Pages
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
How Hackers Deface Web Pages
• Obtain usernames
  – Use information-gathering techniques
  – Make use of publicly available information
    • Domain registration records
  – Use ‘social engineering’ tactics
    • Call an employee and pose as a system administrator
How Hackers Deface Web Pages (Cont.)
• Guess passwords
  – Go through a list of popular or default choices
  – Use intelligent guesses
  – Use ‘social engineering’ tactics
    • Birth dates
    • Names of family members
How Hackers Deface Web Pages (Cont.)
• Obtain administrator privileges
• Perform additional information gathering to find out useful tidbits
  – The exact version and patch levels of the OS
  – The versions of software packages installed on the machine
  – Enabled services and processes
How Hackers Deface Web Pages (Cont.)
• Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed
• Gain control of the machine and modify the content of pages easily
How Hackers Deface Web Pages (Cont.) Sechole
• An example of a privilege escalation exploit on Windows NT4
• The attack modifies the instructions in memory of the OpenProcess API call so it can attach to a privileged process
• Once the privileged process runs, the code adds the user to the Administrators group
• The technique works if the code runs locally
How Hackers Deface Web Pages (Cont.) Sechole
• In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location
How Hackers Deface Web Pages (Cont.) Sechole
• Another approach is to exploit vulnerabilities in Internet servers that are listening to open ports
  – No need to log on to the server
  – Execute malicious code over an open legitimate connection
How Hackers Deface Web Pages (Cont.) IIS Hack
• Well-known example for a remote attack on the IIS Web server
• Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of the System on the server
Solutions to Web Defacement
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Solutions to Web Defacement
• Firewalls
  – Do not scan incoming HTTP packets
  – HTTP attacks (such as IIS Hack) are not detected
• Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
  – Listen to packets on the wire, but do not block them
  – In many cases, the packet reaches its destination before it is interpreted by the NIDS
Solutions to Web Defacement (Cont.)
• Integrity assessment
  – A hash code (similar to a checksum) for a Web page reflecting the page’s content is computed
  – The saved hash code is periodically compared with the freshly computed one to see if they match
  – The frequency of the hash code comparisons needs to be high
  – The scheme collapses when pages are generated dynamically
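The integrity-assessment scheme above, as an added example that is not part of the original slides: a Python sketch that saves SHA-256 hashes of a constructed Web root, compares them after a change, and shows why hashing the output of a dynamically generated page fails. The function names, file names and page contents are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to the SHA-256 of its bytes."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Return paths that were modified, added, or removed since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def render_dynamic(visit_count):
    """Constructed stand-in for a server-generated page: output differs per request."""
    return f"<html><body>Welcome! You are visitor {visit_count}.</body></html>".encode()


def demo():
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "index.html").write_text("<h1>Welcome</h1>")   # constructed sample pages
        (root / "about.html").write_text("<h1>About us</h1>")
        baseline = snapshot(root)          # saved while the site is known good

        unchanged = compare(baseline, snapshot(root))
        (root / "index.html").write_text("<h1>Altered</h1>")   # simulated unauthorized edit
        (root / "extra.html").write_text("<h1>Unexpected</h1>")  # simulated unexpected file
        tampered = compare(baseline, snapshot(root))

    # Dynamic page: two legitimate renders already hash differently, so a saved
    # hash of the output flags every request and cannot single out a defacement.
    h1 = hashlib.sha256(render_dynamic(1)).hexdigest()
    h2 = hashlib.sha256(render_dynamic(2)).hexdigest()
    return unchanged, tampered, h1 != h2


if __name__ == "__main__":
    print(demo())
```

The saved baseline has to live where the Web server account cannot write, because an intruder who can rewrite the stored hashes defeats the comparison.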
Solutions to Web Defacement (Cont.)
• Multi-layered protection system
  – Needed in order to effectively deal with Web defacement
  – On-the-spot prevention
    • Attacks should be identified before their execution, i.e. they should be identified at the service request level
    • Use system call and API call interception
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Administrator (root) resistant
    • Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration
  – Application access control
    • A single predefined program should be used to edit and/or create Web pages
  – OS level protection
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – HTTP attack protection
    • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
  – Web server resources protection
    • Executables
    • Configuration files
    • Data files
    • Web server process
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Other Internet server attack protection
    • Bind (a DNS server)
    • Sendmail (an SMTP server)
Conclusions
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Conclusions
• Thank you for your time
• Questions and feedback are welcome
References
• Prevent Web Site Defacement
  – http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf