“What the Eyes See and the Ears Hear, the Mind Believes”
September 22, 2009
Kristof Philipsen, CISSP, CCSP
Principal Consultant
Verizon Business Security Solutions
Confidential and proprietary material for authorized Verizon personnel only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement. 1
Agenda
• Our Goal for this Presentation:
– Provide an overview of common Internet attacks targeting end users’
personal information and ways to tackle these threats.
• What and Why Personal Information?
• Trends in Cybercrime – The move towards end user attacks
• Examples of end user attacks targeting personal information
• Mitigating factors for end user attacks
What and Why Personal Information
Verizon Business 2009 Data Breach Investigations Report
• Payment Card Data – Credit Cards, Debit Cards, etc.
  – Motivation: Direct access to funds, wire transfers, etc.
• Personal Information – Social Security Numbers, Medical Records, Financial Records
  – Motivation: Identity theft allows organized crime to open bank accounts, obtain loans, passports, driver’s licenses, etc.
• Authentication Credentials – Online banking credentials, e-mail credentials, service providers
  – Motivation: Authentication credentials are used to support identity theft, gain access to funds via online banking systems, etc.
Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Trends in Cybercrime - Overview
As organizations and financial institutions raise their security levels, cybercriminals look for new ways of gaining access to personal data.
• Attack Types:
  – Opportunistic Random (ME against the WORLD)
  – Opportunistic Directed (ME against a part of the WORLD)
  – Fully Targeted (ME against YOU)
• Common Internet Attacks targeting end users’ personal data:
  – Email Based: Phishing & Spear Phishing
  – Web Based: Cross Site Scripting
  – Browser Based: ClickJacking
  – Browser Based: Drive By Attacks
Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Trends in Cybercrime – Rise of the Malware
Malware, or malicious software, is one of the most effective ways for attackers to
obtain all the personal data they need from end users.
• Customized Malware:
  – Obtain login credentials
  – Create a “backdoor” on the system
  – Gather banking and payment card details
Driven by the prospect of large hauls of valuable data, organized crime is investing
considerable amounts of time, money and expertise into customizing malware.
Source: 2009 Data Breach Investigations Report - http://www.verizonbusiness.com/resources/security/databreachreport.pdf
Phishing
Most attacks to obtain end user personal information at one point or another involve
a form of phishing.
Phishing is a method used in order to obtain personal
information, generally through email, by making the mail
appear to come from a trustworthy entity and fooling the
user into visiting a web site and / or giving up personal
information.
Phishing is now also entering the Social Networking space
in attempts to perform identity theft. (The ClickJacking
Attack shows how such attacks can be performed without
the user’s knowledge).
Phishing is generally an opportunistic random or opportunistic directed attack,
but cases have been seen where a specific organization or user has been the
target of a phishing attack. These targeted phishing attacks are referred to as
“spear phishing”.
Spear Phishing
While phishing attacks are generally opportunistic random or directed attacks, Spear
Phishing is a fully targeted form of phishing attack in which attackers carefully
choose their victim end-users.
Spear Phishing attacks are generally launched in cases where the cybercriminal
already has certain information regarding the victims, but wants to gain additional
personal information.
An example of Spear Phishing occurred when hackers who had gained access to the
customer database of online broker firm TD Ameritrade launched a follow-up
phishing attack against the customer email addresses to gather additional data.
A hot-off-the-press new type of Spear Phishing attack called “Chat-in-the-Middle”
has been reported, where users of an online banking site think they are speaking to
customer support and are asked to provide answers to security questions. On the
other end of the chat there is actually a fraudster.
Phishing - Examples
Phishing sites are designed to create the look and feel of the real web site, but are
typically hosted at a URL that does not belong to the impersonated organization and
have no valid SSL certificate for that organization’s name (either no SSL at all, or a
certificate the browser warns about).
Cross Site Scripting
Attackers use insecure features in web sites which an end user trusts to trick them
into visiting another site or to “lose” their connection (session) to a web application
to an attacker.
These attacks are difficult to detect as an end user because Cross Site Scripting (XSS)
attacks use insecure features on “trusted” web sites to target a user. Cross Site
Scripting attacks are generally fully targeted, as they are of little use to the attacker
if the victim end user has no prior interaction with (typically an account on, or an
active session with) the site on which the insecure features are exploited.
Cross Site Scripting attacks take advantage of insufficient security controls on the
targeted web site. Commonly a page reflects part of the request (a search term, or an
error message that echoes the offending input) back into the response without
encoding it, so an attacker can craft a request, usually a link sent to the victim,
whose reflected content changes what the browser renders as part of the trusted site.
Attackers use Cross Site Scripting attacks in the following ways to obtain personal
data:
• Modify the content of a trusted web page to make a user perform a certain action
  (i.e. click a link, fill in a form, send an email with information, etc.)
• Obtain the information needed to take over an end user’s connection to a web
  application (typically the session cookie).
Cross Site Scripting – Demo Site
Cross Site Scripting “Victim Bank” XSS Demo
An attacker takes advantage of the trust an end user has in a web site and modifies
the appearance of the site to make the end user perform a certain action.
(Screenshots: Regular Site / XSSed Site)
Cross Site Scripting – A Practical Example
In a Cross Site Scripting attack, cybercriminals exploit the end users’ trust in the site
to obtain certain personal information from the end user.
Original Web Page: http://testasp.acunetix.com/Search.asp
XSSed Web Page: http://testasp.acunetix.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3Cform+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E
URL-decoded, the tfSearch parameter is the following HTML, which the vulnerable page
reflects into its response so that the browser renders a fake login form inside the real site:
<br><br>Please login with the form below before proceeding:<form action="test.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
In this demo the injected form posts to test.asp on the same site; in a real attack the
form action would point to a server under the attacker’s control, so the credentials
typed into the “trusted” page go straight to the attacker.
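The example below is added here and is not code from the original slides or from the demo site. It models the Search.asp behaviour shown above in a few lines of JavaScript: the request parameter is decoded the way the server would, then rendered once by a handler that copies the search term straight into the page (the reflected XSS defect) and once by a handler that HTML-encodes it first. The page layout, the function names and the hardened variant are assumptions made for this example; the URL is the one from the slide.

```javascript
// Added example, not code from the original slides or the demo site:
// a minimal model of the Search.asp behaviour. Page layout, function
// names and the hardened variant are assumptions for this example.
"use strict";

// Decode one application/x-www-form-urlencoded value: '+' is a space,
// %XX is a byte (this is what the server does to the tfSearch parameter).
function decodeQueryValue(encoded) {
  return decodeURIComponent(encoded.replace(/\+/g, " "));
}

// Pull a named parameter out of a URL's query string; null if absent.
function queryParam(url, name) {
  const query = url.split("?")[1] || "";
  for (const pair of query.split("&")) {
    const i = pair.indexOf("=");
    const key = i < 0 ? pair : pair.slice(0, i);
    const value = i < 0 ? "" : pair.slice(i + 1);
    if (key === name) return decodeQueryValue(value);
  }
  return null;
}

// Escape the characters that can change meaning in an HTML text context.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE: the search term is copied straight into the markup, so any
// tags inside it are rendered by the browser as part of the trusted site.
function renderSearchVulnerable(term) {
  return "<html><body><h1>Search</h1>" +
         "<p>No results were found for the query: " + term + "</p>" +
         "</body></html>";
}

// HARDENED: the same page with the term encoded for an HTML text context;
// the injected <form> now shows up as literal text instead of a login box.
function renderSearchSafe(term) {
  return "<html><body><h1>Search</h1>" +
         "<p>No results were found for the query: " + htmlEncode(term) + "</p>" +
         "</body></html>";
}

// Did an injected <form> element survive into the rendered page?
function containsInjectedForm(html) {
  return /<form\b/i.test(html);
}

// The XSSed URL from the slide, joined into a single string.
const DEMO_URL = "http://testasp.acunetix.com/Search.asp?tfSearch=" +
  "%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A" +
  "%3Cform+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A" +
  "%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E" +
  "%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E" +
  "%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E" +
  "%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E";

// Walk-through when run directly: decode the parameter, render both pages.
const injectedTerm = queryParam(DEMO_URL, "tfSearch");
console.log("decoded payload:", injectedTerm);
console.log("vulnerable page renders a form:", containsInjectedForm(renderSearchVulnerable(injectedTerm)));
console.log("hardened page renders a form:  ", containsInjectedForm(renderSearchSafe(injectedTerm)));
```

Encoding for the HTML text context is the fix for this particular page; a value placed inside an attribute, a script block or a URL needs the encoding for that context instead, which is why output encoding has to be chosen per location rather than applied once on input.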
Cross Site Scripting – Examples
High profile web sites have been known to be susceptible to XSS issues.
(Screenshots: Cross Site Scripting “Victim Bank” XSS Demo)
ClickJacking Attacks
Attackers use “ClickJacking” to trick users into inadvertently clicking on objects within
web pages, possibly authorizing access to their personal data.
In a ClickJacking attack, a user is tricked into clicking on an object (i.e. a picture,
button, online game) which appears to have little or no importance; in reality the user
is inadvertently clicking on another object (one that matters to them or to the attacker).
ClickJacking attacks superimpose two or more zones (layers) on a web page, with the
layer the attacker wants clicked made invisible and placed over the visible decoy, in
order to get an end user to click the object the attacker desires.
ClickJacking attacks are generally opportunistic directed or fully targeted attacks.
Attackers use ClickJacking for the following purposes:
• Get users to change settings in their profiles
• Get users to acknowledge transactions
• Attackers could take control of a computer’s camera and microphone
ClickJacking Attacks – How do they work?
ClickJacking Attacks – An Example
Generally, the end user never sees the web site in the back, only the “front” web site
(i.e. a clicking game), but the clicks land on the hidden site and inadvertently change
settings there.
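The following is an added example and not code from the original slides. It shows both halves of what the two ClickJacking slides describe: `buildClickjackPage()` produces the layered page, a visible decoy button with the real target framed on top of it, fully transparent and stacked above the decoy so the victim's click lands on the hidden page; `framingAllowed()` models the defence a site can deploy against it, the `X-Frame-Options` response header, evaluated the way a browser that honours the header does. The target URL, the origins, the pixel offsets and the decoy text are assumptions made for this example.

```javascript
// Added example, not code from the original slides. Target URL, origins,
// offsets and decoy text are assumptions for this example.
"use strict";

// Build the attacker's page: decoy underneath, invisible target on top.
function buildClickjackPage(targetUrl, decoyLabel) {
  return [
    "<!DOCTYPE html><html><body>",
    // Layer 1: what the victim sees and believes they are clicking.
    '<button style="position:absolute;top:100px;left:100px;width:120px;' +
      'height:40px;z-index:1">' + decoyLabel + "</button>",
    // Layer 2: the real page, offset so that its sensitive control sits
    // exactly under the decoy, invisible (opacity:0) and stacked above it.
    '<iframe src="' + targetUrl + '" style="position:absolute;top:-300px;' +
      'left:-400px;width:1000px;height:800px;opacity:0;z-index:2;border:0">' +
      "</iframe>",
    "</body></html>",
  ].join("\n");
}

// Case-insensitive header lookup; null if the header is absent.
function headerValue(headers, name) {
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === name) return headers[key];
  }
  return null;
}

function originOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.host;
}

// Would a browser render this response inside a frame whose top-level
// document has origin topOrigin? Absent or unrecognised header: yes, which
// is the historical default and exactly what ClickJacking relies on.
function framingAllowed(headers, responseOrigin, topOrigin) {
  const raw = headerValue(headers, "x-frame-options");
  if (raw === null) return true;
  const value = raw.trim();
  const token = value.toUpperCase();
  if (token === "DENY") return false;
  if (token === "SAMEORIGIN") return responseOrigin === topOrigin;
  if (token.startsWith("ALLOW-FROM ")) {
    // Only ever supported by some browsers; included for completeness.
    return originOf(value.slice("ALLOW-FROM ".length).trim()) === topOrigin;
  }
  return true; // unknown token: browsers ignore the header
}

// Walk-through when run directly.
console.log(buildClickjackPage("https://bank.example/settings", "Click to play!"));
console.log("bank.example framable by attacker.example without the header:",
  framingAllowed({}, "https://bank.example", "https://attacker.example"));
console.log("... with X-Frame-Options: SAMEORIGIN:",
  framingAllowed({ "X-Frame-Options": "SAMEORIGIN" },
    "https://bank.example", "https://attacker.example"));
```

The header has to be sent by the site being framed (the bank), not by the attacker's page, which is why it is a server-side mitigation the end user cannot apply themselves. Today the same policy is expressed with the `Content-Security-Policy: frame-ancestors` directive, which has superseded the `ALLOW-FROM` form.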
Drive-By Attacks
Attackers use Drive-By attacks to load malware onto end user systems. Malware can
allow the attacker to control the victim’s system, log credentials such as usernames
and passwords and gather personal information such as credit card numbers.
Drive-By attacks generally come in the form of downloads, where a site asks you to
trust and run an applet or browser add-on. Other Drive-By-Download attacks don’t even
prompt the end user: they exploit weaknesses in browsers (Internet Explorer, Firefox,
Opera, Safari, etc.) or their plug-ins to install the malicious program automatically,
without any notification to the user.
How to recognize these types of attacks?
All these attacks have one thing in common: they want to obtain your personal
information. Look with scrutiny at any attempt to request your personal information,
especially when the request is not end user initiated.
• Questionable URLs (i.e. www.logon.citibank.citibank.ru, www.paypalpro.us): what
  matters is the registered domain at the end of the host name (citibank.ru,
  paypalpro.us), not the familiar brand name that appears earlier in it
• Invalid certificate on SSL websites (most browsers now support web site rating
  based on valid certificates)
• Changed content on web sites (i.e. new links, installers, ..)
• Being asked to enter information which you generally don’t need to supply
• Spelling and grammar mistakes should raise suspicion
How to recognize these types of attacks?
“As a general rule, a trusted web site should never ask you to disclose your personal
information…”
When being asked to enter information, ask yourself the following questions:
1) Isn’t this information the company should already have?
2) Have you seen the company ask for this information before, or is this the first time?
3) If someone called you and claimed to be from the company in question, would you
give them the same data over the phone as you are being requested to provide online?
If you’re not sure, call your bank branch or your customer care representative.
What can be done to thwart these attacks?
Good awareness and common sense go a long way!
• http://www.microsoft.com/protect/fraud/phishing/symptoms.aspx
• Also watch out for sites with typo squatting, for example:
• www.micosoft.com
• www.citbank.com
The devil can be in the details.
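The following is an added example, not code from the original slides. It turns the two URL checks from these slides (the “Questionable URLs” slide and the typo-squatting examples above) into something a practitioner can run over a link before trusting it. `registrableDomain()` finds the part of the host name that was actually registered, the label to the left of the public suffix, which is what decides who controls the site; that is why www.logon.citibank.citibank.ru belongs to whoever owns citibank.ru, not to Citibank. `typoDistance()` is Levenshtein edit distance and catches near-misses such as micosoft.com and citbank.com. The brand list and the very small public-suffix table are assumptions for this example; a real checker would use the full Public Suffix List.

```javascript
// Added example, not code from the original slides. The brand list and the
// tiny public-suffix table are assumptions for this example.
"use strict";

// Stand-in for the Public Suffix List: multi-label suffixes listed explicitly.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "ru", "us", "co.uk"]);

// Brands we expect to see, and the only registrable domains they use here.
const BRANDS = {
  citibank: ["citibank.com"],
  paypal: ["paypal.com"],
  microsoft: ["microsoft.com"],
};

// "www.logon.citibank.citibank.ru" -> "citibank.ru"
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // Walk from the longest candidate suffix to the shortest, so that
  // "co.uk" wins over "uk" for online.citibank.co.uk.
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return labels.join(".");
}

// Levenshtein edit distance (insert, delete, substitute), single-row version.
function typoDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Reasons a URL looks like it impersonates a known brand; [] if none.
function suspiciousReasons(url) {
  const host = new URL(url).hostname.toLowerCase();
  const reg = registrableDomain(host);
  const regLabel = reg.split(".")[0];
  const reasons = [];
  for (const [brand, legit] of Object.entries(BRANDS)) {
    if (legit.includes(reg)) return []; // the genuine site
    // Brand name somewhere in the host, but registered under another domain.
    if (host.includes(brand)) {
      reasons.push('contains "' + brand + '" but is registered as ' + reg);
    }
    // Registered label is a near-miss of the brand name (typo squat).
    const d = typoDistance(regLabel, brand);
    if (d > 0 && d <= 2) {
      reasons.push('"' + regLabel + '" is ' + d + " edit(s) away from \"" + brand + '"');
    }
  }
  return reasons;
}

// Walk-through when run directly, using the host names from the slides.
for (const u of [
  "http://www.logon.citibank.citibank.ru/login",
  "http://www.paypalpro.us/",
  "http://www.micosoft.com/",
  "http://www.citbank.com/",
  "https://www.citibank.com/",
]) {
  const r = suspiciousReasons(u);
  console.log(u, "->", r.length ? r.join("; ") : "looks genuine");
}
```

Both checks are heuristics: the registrable-domain test needs the real Public Suffix List to be exact, and an edit distance of one or two also matches some legitimate unrelated names, so the output is a reason to stop and look, not a verdict.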
What can be done to thwart these attacks?
Keep your systems current with the most recent patches (e.g. Automatic Updates)
• Automatic updating ensures that the most recent
patches are installed
• Knowing that your PC is being updated on an
automated and regular basis limits the exposure to
known vulnerabilities affecting operating systems,
browsers and email clients.
• Creating awareness around automatic updating
may change the mind set of persons clicking on
web sites offering “software updates”.
What can be done to thwart these attacks?
Install a Desktop Firewall and enable the Firewall on your DSL / Cable Modem
• DSL / Cable Modem firewall protects your home
network by limiting exposure to Internet based
attacks such as worms and common Trojans.
• Desktop Firewall protects your individual desktops
and laptops from attacks by other systems (for
example an infected or compromised system on
your own network).
What can be done to thwart these attacks?
Keep your Anti-virus software and signatures up to date.
• Keeping antivirus software and signatures up to date helps protect you against
  the latest publicly known threats (it cannot catch malware the vendor has not yet
  analysed, which is why the other measures on these slides still matter).
• Generally, antivirus software also includes anti-
phishing, anti-spam, anti-malware, anti-drive-by-
download, and other similar preventions.
• These antivirus vendors generally also maintain
lists of known malicious and potentially dangerous
sites and provide warnings on these.
• Integration with browsers and email clients limit end
user exposure to these attacks.
What can be done to thwart these attacks?
Use Browser Anti-Phishing features
• Browser Anti-Phishing features look out for and
alert upon suspicious patterns within web pages
that may be indicative of phishing attempts.
What can be done to thwart these attacks?
Use Browser Anti-Threat features
• Most popular browsers and threat protection
software nowadays contain features to detect and
prevent the following threats:
• ClickJacking
• Malware
• Malicious scripts
• Malicious code
• Pop-Ups
What can be done to thwart these attacks?
Configure Browser High Security
• Configuring Browser High Security:
• Disables Scripting
• Disables launching applications from browser
• Disables installation of desktop items
• On the down side, Browser High Security may limit your ability to properly view
  or use certain web sites.
What can be done to thwart these attacks?
Turn off Third Party Cookies
• Third Party Cookies allow an external party to track
your surfing habits across the Internet.
• In order to limit the profiling of your surfing habits by advertisers and other
  third parties, Third Party Cookies should be disabled
What can be done to thwart these attacks?
Validate Web Site Certificates and check EV SSL Certificates
• Attackers oftentimes use self-created (self-signed) certificates. Your browser
  will alert on these. When you see a message about an “invalid certificate”, this
  may indicate a potentially malicious web site.
• Recently, Certificate Authorities (trusted companies which issue certificates)
  have introduced Extended Validation SSL Certificates (EV certificates), for
  which the Certificate Authority performs additional checks to ensure the
  company requesting the certificate is indeed who it says it is. Browsers show
  these with a green address bar and the verified organization name. This limits
  the exposure to malicious sites.
• A valid certificate, EV or not, only proves that the site is the one named in the
  certificate; a criminal can obtain a perfectly valid certificate for a look-alike
  domain. Check that the name and organization shown are the ones you expect.
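The example below is added here and is not code from the original slides. It applies the checks described above to a certificate that has already been parsed into a plain object (subject, issuer, subject alternative names, validity window, policy identifiers): does the name match the host, is the certificate self-signed, is it outside its validity period, and does it carry the CA/Browser Forum EV policy identifier 2.23.140.1.1. The three certificate objects in the block are constructed for this example and are not real certificates; the field names and the simplified “self-signed stands in for untrusted” rule are assumptions.

```javascript
// Added example, not code from the original slides. The sample certificates
// are constructed; field names and the trust rule are simplifications.
"use strict";

const EV_POLICY_OID = "2.23.140.1.1"; // CA/Browser Forum EV policy identifier

// Hostname match in the RFC 6125 style: exact, or a wildcard covering
// exactly one leftmost label ("*.bank.example" matches www.bank.example but
// neither bank.example nor a.b.bank.example).
function hostMatches(pattern, hostname) {
  const p = pattern.toLowerCase();
  const h = hostname.toLowerCase();
  if (p === h) return true;
  if (!p.startsWith("*.")) return false;
  const suffix = p.slice(1); // ".bank.example"
  if (!h.endsWith(suffix)) return false;
  const prefix = h.slice(0, h.length - suffix.length);
  return prefix.length > 0 && !prefix.includes(".");
}

// Two distinguished names are the same when every attribute agrees.
function sameName(a, b) {
  const keys = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const k of keys) if (a[k] !== b[k]) return false;
  return true;
}

function assessCertificate(cert, hostname, now = new Date()) {
  // Browsers consult the SAN list; fall back to the CN only when a
  // certificate has no SANs at all (old or home-made certificates).
  const names = cert.subjectAltNames && cert.subjectAltNames.length > 0
    ? cert.subjectAltNames
    : [cert.subject.CN];
  return {
    hostnameMatches: names.some((n) => hostMatches(n, hostname)),
    // issuer == subject is the mark of a self-created certificate (a full
    // check would also verify the signature with the certificate's own key)
    selfSigned: sameName(cert.subject, cert.issuer),
    outsideValidity: now < cert.validFrom || now > cert.validTo,
    extendedValidation: (cert.policies || []).includes(EV_POLICY_OID),
    organization: cert.subject.O || null,
  };
}

// Conditions under which a browser shows the "invalid certificate" warning
// (self-signed stands in for "not chained to a trusted CA" here).
function browserWouldWarn(a) {
  return !a.hostnameMatches || a.selfSigned || a.outsideValidity;
}

// Constructed sample certificates (not real).
const BANK_CERT = {
  subject: { CN: "www.bank.example", O: "Example Bank N.A.", C: "US" },
  issuer: { CN: "Example EV CA", O: "Example Trust Services", C: "US" },
  subjectAltNames: ["www.bank.example", "bank.example"],
  validFrom: new Date("2009-01-01T00:00:00Z"),
  validTo: new Date("2010-01-01T00:00:00Z"),
  policies: [EV_POLICY_OID],
};
const PHISH_CERT = {
  subject: { CN: "www.bank.example" },
  issuer: { CN: "www.bank.example" }, // same as subject: self-signed
  subjectAltNames: [],
  validFrom: new Date("2009-09-01T00:00:00Z"),
  validTo: new Date("2010-09-01T00:00:00Z"),
  policies: [],
};
const LOOKALIKE_CERT = {
  subject: { CN: "www.bank-example.ru" }, // validly issued, wrong site
  issuer: { CN: "Example DV CA", O: "Example Trust Services", C: "US" },
  subjectAltNames: ["www.bank-example.ru", "bank-example.ru"],
  validFrom: new Date("2009-09-01T00:00:00Z"),
  validTo: new Date("2010-09-01T00:00:00Z"),
  policies: [],
};

// Walk-through when run directly.
for (const [label, cert, host] of [
  ["real bank (EV)", BANK_CERT, "www.bank.example"],
  ["phishing site, self-signed", PHISH_CERT, "www.bank.example"],
  ["look-alike domain, valid DV cert", LOOKALIKE_CERT, "www.bank-example.ru"],
]) {
  const a = assessCertificate(cert, host, new Date("2009-09-22T00:00:00Z"));
  console.log(label + ": warn=" + browserWouldWarn(a) +
    " EV=" + a.extendedValidation + " org=" + a.organization);
}
```

The third case is the one the slide's caveat is about: the look-alike site produces no browser warning at all, because its certificate is valid for the name it was issued for. What gives it away is the absence of EV and of an organization name, and the host name itself, which is why the certificate check and the URL check belong together.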
What can be done to thwart these attacks?
Some useful tips and web sites to know about
• If you think you may be dealing with a Phishing
incident, why not take a dive into the PhishTank?
http://www.phishtank.com/
• You can search the PhishTank website to identify
any “known” phishing web sites as well as to add
any phishing web sites you may have come across.
• Another great web site to check out is the Anti
Phishing Working Group who have put online a
collection of interesting links at
http://www.antiphishing.org/resources.html
• More information about Extended Validation SSL
Certificates can be found at
http://www.cabforum.org
Conclusion
• Cybercriminals are lurking around the corner to steal your personal
information, driven by the prospect of large hauls of valuable data
• It’s important to stay one step ahead of these cybercriminals by…
– Keeping your systems up to date (Patching, Anti-Virus, Anti-Spam)
– Enabling a desktop and DSL / Cable Modem Firewall
– Enabling Browser Security Features (Anti-Phishing, Anti-Threat, High Security
Zones)
– Validating web site SSL certificates
• … and to know how to act when these attacks occur:
– Maintain a skeptical, but healthy, attitude towards any site requesting your
personal information
– Beware of invalid certificates on SSL websites
– Watch out for questionable URLs and suspicious changed content on web sites
Questions