1 / 25

Web-Based Attacks : Offense

Web-Based Attacks : Offense. Wild Wild West Bob, Jeff, and Junia. Agenda. Weaknesses of the paper Attacks not mentioned Future Trends. Weaknesses of the paper. Web-based Attacks: White Paper or Infomercial…?. Shameless plugs peppered throughout

tyne
Télécharger la présentation

Web-Based Attacks : Offense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia

  2. Agenda • Weaknesses of the paper • Attacks not mentioned • Future Trends

  3. Weaknesses of the paper

  4. Web-based Attacks: White Paper or Infomercial…? • Shameless plugs peppered throughout • No mention of non-Symantec solutions, like desktop virtualization • Well yes, but every body does it. • How else would they get funded…

  5. Vulnerability of web-based applications • A topic for nerds, written by nerds… • Technical aptitude is needed to even understand the challenge/threat • This is likely one of the problems with getting people to pay attention to security

  6. Compare with articles about ‘The Cloud’ • Articles about ‘The Cloud’ get noticed by execs because it speaks to them • You can find them in In-flight magazines • Their message: A credit card, a few mouse clicks, and voila! Provisioned IT resources

  7. Attacks not mentioned

  8. New ways of getting you to a malicious site • Blogs • Social Networking • urlshortners • Twitter and Facebook viruses exist

  9. Google, How We Get To Most Sites: • We trust Google! • Search Engine Optimization(SEO) poisoning aims to boost malicious websites to the top of the list.

  10. An Example of SEO Poisoning • 1) Find a legitimate website (http://jeffkimballwater.com)

  11. An Example of SEO Poisoning • 2) Compromise the website. Easy! • 3) Submit a special url to a search engine “http://jeffkimballwater.com?r=discover-card”

  12. An Example of SEO Poisoning • 4) When the search engine indexes this url a script is called. • Change the page to add a bunch of hidden, relevant links. • Get the keywords for these links from another search engine ??? http://jeffkimballwater.com?r=discover-financial-services ??? http://jeffkimballwater.com?r=discover-credit-cards ??? http://jeffkimballwater.com?r=discover-card-facts ??? http://jeffkimballwater.com?r=apply-for-a-credit-card http://jeffkimballwater.com?r=discover-financial-services http://jeffkimballwater.com?r=discover-credit-cards http://jeffkimballwater.com?r=discover-card-facts http://jeffkimballwater.com?r=apply-for-a-credit-card ??? http://jeffkimballwater.com?r=discover-card “discover card” Discover Financial Services Discover Credit Cards Discover Card Facts Apply for a credit card

  13. An Example of SEO Poisoning • 5) Highly ranked “Discover Card Application” delivers malicious payload to people from Google. • 6) Site looks normal to everyone else.

  14. Attacking a website using Cross Site Forgery • Cross-Site Reference Forgery • XSRF • CSRF • Sea Surfing • Session Riding • Hostile Linking • One-Click attacks • A confused deputy attack on a website, where the website already trusts a user.

  15. An Example of Cross Site Forgery • Bob Frazer logs into Bankbank.com • Bob then logs into FerrariOwnersClub.com • Mal posts a bad link as his signature picture, which Bob loads. • <imgsrc=http://bankbank.com/withdraw?account=bob&amount=1000&for=mallory> • Bob, who is still logged into Bankbank, executes the request.

  16. Attacking You Through Your Phone • Not web based yet, but attackers are interested. • Trojan-SMS.AndroidOS.FakePlayer.a • Sends texts without user’s knowledge to premium rate numbers. • Android Spyware • Tip Calculator

  17. Attacking You Through Your Phone • Symbian OS • Skulls • Worm:iOS/Ikee • Proof of concept spreads through WiFi or 3G, sends financial information to server.

  18. Future Trends

  19. Future Trends - Users • Increasingly young base users • More onlineEdu-taiment/games • More familiar and comfortable with the web world • Less knowledgeable in security risk

  20. Future Trends - Attacks • Increase internet users • Move IPv4 to IPv6 • More attacks on the Web Servers • More sophisticated hackers

  21. Future Trends - Companies • Focus more on Web Security • Getting better in locking down the web

  22. Future Trends - Cloud Computing • Increase in IT budgets • More Web-Applications hosted in the Cloud • Lower cost comes higher security risk • More complex Security

  23. Future Trends - Browsers will be more responsible • GoogleChrome • FireFox

  24. Future Trends –Spams • More legits

More Related