RAISING SECURITY AWARENESS
AMONG WEB OWNERS AND USERS
Emilio Casbas
The Presentation is about…
Badware
and
Security awareness
The Problem is…
Some numbers…
30k new malicious URLs each day
80% on legitimate websites
Sources:
• http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf
• http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/
2 popular websites (Alexa top 25k)
Drive-by downloads
• http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
Source: http://www.websense.com/content/websense-2013-threat-report.aspx
Hack miami emiliocasbas
WEB SECURITY IS BECOMING MORE
CHALLENGING
Source: Manufacturing compromise: The emergence of Exploit-as-a-service
http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
HOW LONG malicious?
2.5h average lifetime
HOW LONG compromised?
44 days average lifetime
Source: Manufacturing compromise: The emergence of Exploit-as-a-service
http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
Business model?
Hot topic
But…
Some questions…
What website software is targeted?
How are the websites compromised?
Some info…
“Compromised websites: an owner’s
perspective” (paper)
Source:
• http://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf
Problem …
Compromised web sites
44 days average lifetime
Due to…
Lack of security awareness of web owners
Example…
Lack of security awareness of web owners
Only small websites?
http://www.eeye.com
http://www.ey.com
http://www.coverity.com
http://www.imperva.com
http://www.avaya.com
http://www.natwest.com
http://www.entrust.com
http://www.safenet-inc.com
http://www.secureworks.com
http://www.rbs.co.uk
http://www.mckinsey.com
http://www.conocophillips.com
http://www.ford.com
http://www.chevron.com
http://www.verisign.com
http://www.vasco.com
http://www.ingrammicro.com
http://www.eset-la.com
…
What could we do?
Promote a safer web?
Spend money on web security audits?
Webmasters help for hacked sites?
Can we…
Raise web security awareness
Would it be possible?
Raise web security awareness
through an obtainable
goal for every website?
Test time…
Raise web security awareness
(Proof of Concept)
Example
STATS:
Compromised websites: CMS software
Compromised websites: security awareness value
BAD (infrastructure details leaked in plain sight):
• Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22
• Microsoft-IIS/6.0
• MetaGenerator[Joomla! 1.5
• Index-Of
• UncommonHeaders[x-varnish
BETTER (defensive headers, no version disclosure):
• X-Frame-Options[SAMEORIGIN
• X-XSS-Protection[
• cloudflare-nginx
• gws
Accuracy: >=20 / <20
Desenmascara.me features:
• Show a security awareness value
• Infrastructure details in plain words
• Suspicious iframes
• Check website blacklisted
• Ranking best websites
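The BAD / BETTER slide and the feature list above describe a passive check: look at a site's own HTTP response and page source, penalise anything that advertises software versions (Server header, meta generator), reward defensive headers, and flag hidden iframes. The following is an added illustration of that idea, not Desenmascara.me's code: the header list, the weights, the iframe heuristic and the reuse of the slide's 20-point split as a threshold are all assumptions made for this example, and the two sample responses are constructed, not captured from real sites.

```python
"""Passive 'security awareness' scoring of a website's own HTTP response.

Added illustration, not Desenmascara.me's code: the weights, the header
list and the threshold below are assumptions chosen for this example.
Everything is computed from a single response (headers + HTML) that the
site owner already has, so the check is passive.
"""
import re
from html.parser import HTMLParser

# Headers that commonly reveal software versions (the BAD column).
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")
VERSION_RE = re.compile(r"/\d+(\.\d+)+")   # e.g. Apache/2.2.22, PHP/4.3.10

# Defensive headers rewarded in the BETTER column (weights are assumptions).
GOOD_HEADERS = {
    "X-Frame-Options": 5,
    "X-XSS-Protection": 3,
    "X-Content-Type-Options": 3,
    "Strict-Transport-Security": 5,
    "Content-Security-Policy": 6,
}
THRESHOLD = 20  # the slide's ">=20 / <20" split, reused here as an assumption


class _PageScanner(HTMLParser):
    """Collects <meta name=generator> values and <iframe> attributes."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.iframes = []  # one attribute dict per iframe

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag == "iframe":
            self.iframes.append(a)


def suspicious_iframe(attrs):
    """Heuristic: an iframe sized to be invisible, hidden by CSS, or off-screen."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or \
        attrs.get("height", "").strip() in ("0", "1")
    hidden = "display:none" in style or "visibility:hidden" in style
    offscreen = re.search(r"(left|top):-\d{3,}", style) is not None
    return tiny or hidden or offscreen


def score_response(headers, html):
    """Return (score, findings) for one response; headers is a name->value dict."""
    score, findings = 0, []
    lower = {k.lower(): v for k, v in headers.items()}  # case-insensitive lookup

    for name in VERSION_HEADERS:
        val = lower.get(name.lower())
        if val and VERSION_RE.search(val):
            score -= 5
            findings.append(f"{name} reveals software versions: {val}")

    for name, weight in GOOD_HEADERS.items():
        if name.lower() in lower:
            score += weight
            findings.append(f"{name} is set ({lower[name.lower()]})")

    scanner = _PageScanner()
    scanner.feed(html)
    for gen in scanner.generators:
        if re.search(r"\d+\.\d+", gen):          # a version number in the generator tag
            score -= 5
            findings.append(f"meta generator reveals CMS version: {gen}")
    for frame in scanner.iframes:
        if suspicious_iframe(frame):
            score -= 10
            findings.append(f"suspicious hidden iframe to {frame.get('src', '?')}")
    return score, findings


def verdict(score):
    """Map the numeric score onto the slide's two buckets."""
    return "BETTER" if score >= THRESHOLD else "BAD"


# Constructed sample responses (not real captures).
BAD_SITE = (
    {"Server": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22"},
    '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management">'
    '</head><body><iframe src="http://example.invalid/x" width="1" height="1" '
    'style="position:absolute; left:-9999px"></iframe></body></html>',
)
BETTER_SITE = (
    {"Server": "cloudflare-nginx", "X-Frame-Options": "SAMEORIGIN",
     "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff",
     "Strict-Transport-Security": "max-age=31536000",
     "Content-Security-Policy": "default-src 'self'"},
    "<html><head><title>ok</title></head><body></body></html>",
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("bad", BAD_SITE), ("better", BETTER_SITE)):
        s, notes = score_response(hdrs, body)
        print(label, s, verdict(s))
        for n in notes:
            print("  -", n)
```

Run against your own site by feeding it the headers and body of a single GET to the front page; the findings list is the "infrastructure details in plain words" the slide asks for, and the verdict is the awareness bucket. The iframe heuristic is deliberately narrow (tiny, hidden or off-screen frames) so that ordinary embedded video or widgets do not trip it.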
Desenmascara.me wishlist:
• Implement AI
• More passive checks
• Public stats
• Public API
• Open Source project?
Desenmascara.me wishlist:
• Raise web security awareness
• Decrease the number of compromised websites
THANK YOU!
Questions?
ecasbas
“I’ve seen estimates that over 99% of all
internet attacks could be prevented if the web
systems administrators would just use the most
current versions”
Bruce Schneier, in Secrets & Lies
“Webmasters need to ensure that
their websites are running good code
that isn’t open to exploitation”
Ian Fette, Google Security Team