Welcome To The Wild Wild Web
Security talk I gave at ConFoo in Montreal on March 10, 2010.

Transcript

  • 1. Welcome to the Wild Wild Web. Carl Mercier (@cmercier), Director of software development, Websense Inc.; Founder, Defensio.com; cmercier@websense.com. OUTSMARTING EVIL SPAM
  • 2. We protect your website from spam, malicious content, unwanted URLs and profanity.
  • 3-8. Stats provided by Websense’s Threat-Seeker Network • Patent-pending • Discover & classify Internet threats and trends • One BILLION pieces of content • Daily! • 40 million websites per HOUR scanned • 50 million real-time data collecting systems
  • 9. Today’s web is... wild.
  • 10. ...and SCARY
  • 11. Identify the threats
  • 12. How to protect yourself...
  • 13. Once upon a time... Web 1.0. This NeXT Computer used by Sir Tim Berners-Lee at CERN became the first web server. Year 1991.
  • 14-19. Web 1.0 • Mostly informative, very little social interaction • Reminds me of an “online magazine” • Content was generated by webmasters • Very static and rarely changing • Only “experts” could publish to the Web • Design was not a priority
  • 22-27. Web 2.0 aka the Social Web • Rich audio/video content • Highly dynamic content • Social interaction is encouraged • Content is partially or entirely generated by users • Anybody can publish to the web for free
  • 28. Blogs: Typepad, WordPress, Blogger, Movable Type. Wikis: Wikipedia
  • 29. Social Networks: Twitter, LinkedIn, Ning, MySpace, Facebook, YouTube
  • 30. Discussion & Support Forums: UserVoice, Google Groups, Yahoo! Finance
  • 31. ¡Viva La Revolución!
  • 32. UGC is GREAT... User-Generated Content. Encourage it.
  • 33. It gets your users involved
  • 34. Build communities
  • 35. Users can generate new content faster than you ever could
  • 36. They’ll want to come back. reddit.com is a great example of this
  • 37. But like with many great things of this world, Protect Yourself!
  • 38. Security threat if not recognized as such
  • 39. Protection on the web is often overlooked
  • 40. 2 big families of unwanted content
  • 41. SPAM: Viagra, Male Enhancement, Casino, Steroids, Ringtones, Vicodin, Pr0n, Xanax
  • 42. Malicious Content: Phishing, Malware, Trojans, Rogue AV, Viruses, Worms, Fraud
  • 43. ~90-95% of all UGC is unwanted
  • 44. 71% of websites with malicious code are legitimate sites that have been compromised.
  • 45. 13.7% of the top 100 Google results for hot/trending topics are malicious
  • 47-48. Malicious websites increase: 233% increase in H2 2009; 671% increase in 2009
  • 49. Who’s at risk?
  • 50. Top web properties • my.barackobama.com • LinkedIn • Digg • Friendster • Sony Pictures • Washington Post • Google • Reddit • YouTube • bit.ly • Microsoft Live • del.icio.us • Yahoo! • Zillow
  • 51-52. ...and just about any website, including yours.
  • 53-54. washingtonpost.com. All junk!
  • 55-56. digg.com
  • 57. Posted 15 days ago, links to a site that did not yet exist. Target site registered 13 days ago!
  • 58-60. my.barackobama.com
  • 61-62. Are you legally liable? Talk to your attorney...
  • 63. Why? I don’t deserve this! It’s a cruel world.
  • 64-68. Why? • Money. Big Money. • Additional vector for spreading Vi@gra, pr0n, ringt0nes • Inexpensive • Less defense vs email: easy to break in • “Google-Juice” (tm) aka Blackhat SEO
  • 69-72. The average semi-active blog • 10,000 to 50,000 unwanted comments / mo • Over 100,000 spam or malicious URLs • 5% is phishing or fraud • 1% is malicious exploit
  • 73-74. Differences to e-mail spam • Follows current events more closely (Barack Obama, Superbowl, NCAA March Madness) • Targets large web properties: helps their Google Juice; more people see & click
  • 75-78. Differences to e-mail spam • Bots are used less; the work is outsourced to humans • Your site will likely be spammed within 10 days • Higher likelihood to link to malicious, phishing, fraud • Much less distributed than e-mail spam
  • 79-81. Similarities to e-mail spam • Email and web spam often link to the same sites • Similar motives, likely same people • Sometimes use the same obfuscation tricks for URLs and hostnames
  • 82. Ok, I’m convinced. How do I protect myself?
  • 83. You could... Block China... Not really.
  • 84. Where malicious sites are hosted, December 2009
  • 85. Require login...
  • 86. Captcha
  • 87. Captchas DON’T WORK. See http://caca.zoy.org/wiki/PWNtcha
  • 88. JavaScript detection
  • 89. Doing it yourself is a bad idea.
  • 90. You should deal with experts.
  • 91-97. Spam & malicious code protection for your web application • Leveraging Websense’s awesome Threat-Seeker Network • Protects against 0-day attacks • Asynchronous: doesn’t slow down your site • Learns and improves based on your content • Completely transparent to users • Facebook protection
  • 98-99. Other: Akismet & Mollom • Spam only • No malware or 0-day protection
  • 101. Questions? Twitter: @cmercier and @defensio. Email: cmercier@websense.com. Web: www.defensio.com