Hack miami emiliocasbas
Transcript

  • 1. RAISING SECURITY AWARENESS AMONG WEB OWNERS AND USERS. Emilio Casbas
  • 2. The Presentation is about… Badware and Security awareness
  • 3. The Problem is…
  • 4. Some numbers… 30k new malicious URLs each day. 80% legitimate websites. 2 popular websites (Alexa TOP 25k): drive-by downloads. Sources: • http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf • http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/ • http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
  • 5. Source: http://www.websense.com/content/websense-2013-threat-report.aspx
  • 6.-10. WEB SECURITY IS BECOMING MORE CHALLENGING (repeated on five slides). Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  • 11. HOW LONG malicious? 2.5h average lifetime. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  • 12. HOW LONG malicious? 2.5h average lifetime. HOW LONG compromised? 44 days average lifetime. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  • 13. Business model?
  • 14. Hot topic
  • 15. But…
  • 16. Some questions… What website software is targeted? How are the websites compromised?
  • 17. Some info… “Compromised websites: an owner’s perspective” (paper). Source: • http://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf
  • 18. Problem… Compromised web sites: 44 days average lifetime
  • 19. Due to… Lack of security awareness of Web owners
  • 20. Example… Lack of security awareness of Web owners
  • 21. Only small websites? http://www.eeye.com http://www.ey.com http://www.coverity.com http://www.imperva.com http://www.avaya.com http://www.natwest.com http://www.entrust.com http://www.safenet-inc.com http://www.secureworks.com http://www.rbs.co.uk http://www.mckinsey.com http://www.conocophillips.com http://www.ford.com http://www.chevron.com http://www.verisign.com http://www.vasco.com http://www.ingrammicro.com http://www.eset-la.com ….
  • 22.-25. What could we do? Promote a safer web? Spend money on web security audits? Webmasters help for hacked sites? (repeated on four slides)
  • 26. Can we… Raise web security awareness
  • 27. Would it be possible?... Raise web security awareness through an obtainable goal for every website?
  • 28. Test time… Raise web security awareness (Proof of Concept)
  • 29.-33. Example (five slides)
  • 34. STATS:
  • 35.-36. Compromised websites:
  • 37. Compromised websites: CMS Software
  • 38. Security awareness value. BAD: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22; Microsoft-IIS/6.0; MetaGenerator [Joomla! 1.5]; Index-Of; UncommonHeaders [x-varnish]. BETTER: X-Frame-Options [SAMEORIGIN]; X-XSS-Protection; cloudflare-nginx; gws
  • 39. Accuracy: >=20 / <20
  • 40. Desenmascara.me features: • Show a security awareness value • Infrastructure details in plain words • Suspicious iframes • Check website blacklisted • Ranking best websites
  • 41. Desenmascara.me wishlist: • Implement AI • More passive checks • Public stats • Public API • Open Source project?
  • 42.-43. Desenmascara.me wishlist: • Raise web security awareness • Decrease numbers of compromised websites
  • 44. THANK YOU! Questions? ecasbas
  • 45. Thank you! “I’ve seen estimates that over 99% of all internet attacks could be prevented if the web systems administrators would just use the most current versions” Bruce Schneier on <Secrets & Lies>. “Webmasters need to ensure that their websites are running good code that isn’t open to exploitation” Ian Fette, Google Security Team
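Slide 38 contrasts a "BAD" response (Server header full of component versions, a Joomla meta generator, an exposed directory index, an uncommon X-Varnish header) with a "BETTER" one (X-Frame-Options, X-XSS-Protection, version-less server names such as cloudflare-nginx or gws). The script below is an added example, not Desenmascara.me's own code, that applies those kinds of checks to a raw HTTP response and turns them into a score an operator can run against their own site. The point weights, the lists of disclosure and hardening headers, and the three sample responses are all constructed assumptions chosen for illustration; the deck does not publish the tool's real scoring.

```python
"""Header-based security awareness scoring in the spirit of slide 38.

Added example (assumption: not Desenmascara.me code). Parses a raw HTTP/1.x
response, flags infrastructure disclosures (BAD), rewards hardening headers
(BETTER) and returns a score plus the findings behind it.
"""
import re
from typing import Dict, List, Tuple

# "Component/1.2.3" style tokens, e.g. Apache/2.2.22, OpenSSL/0.9.8e-fips-rhel5, PHP/4.3.10-22
VERSION_TOKEN = re.compile(r"\b[\w.-]+/\d+(?:\.\d+)*[\w.-]*")
# CMS fingerprint; attribute order is assumed name-then-content for this example
META_GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
INDEX_OF_TITLE = re.compile(r"<title>\s*Index of\b", re.I)

# Headers that name backend components or the proxy/cache layer (constructed list).
DISCLOSURE_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-varnish", "via"}
# Defensive headers whose presence suggests an operator who thinks about web security.
HARDENING_HEADERS = {
    "x-frame-options", "x-xss-protection", "x-content-type-options",
    "strict-transport-security", "content-security-policy",
}

Finding = Tuple[str, str]  # ("bad" | "better", description)


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw response into status line, lower-cased header map and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def assess(raw: bytes) -> Tuple[int, List[Finding]]:
    """Score a response: negative points for disclosures, positive for hardening."""
    _, headers, body = parse_response(raw)
    score = 0
    findings: List[Finding] = []

    # BAD: every versioned component in the Server header costs 2 points
    for token in VERSION_TOKEN.findall(headers.get("server", "")):
        score -= 2
        findings.append(("bad", f"Server discloses version: {token}"))

    # BAD: other headers naming backend or proxy components (2 if versioned, else 1)
    for name in sorted(DISCLOSURE_HEADERS.intersection(headers)):
        score -= 2 if VERSION_TOKEN.search(headers[name]) else 1
        findings.append(("bad", f"Disclosure header {name}: {headers[name]}"))

    # BAD: CMS (and often its version) announced in <meta name="generator">
    match = META_GENERATOR.search(body)
    if match:
        score -= 2
        findings.append(("bad", f"Meta generator reveals CMS: {match.group(1)}"))

    # BAD: directory listing served instead of a page
    if INDEX_OF_TITLE.search(body):
        score -= 3
        findings.append(("bad", "Directory listing (Index of) exposed"))

    # BETTER: one point per hardening header present
    for name in sorted(HARDENING_HEADERS.intersection(headers)):
        score += 1
        findings.append(("better", f"{name}: {headers[name]}"))

    return score, findings


# Constructed sample responses (not captured from any real site).
BAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22\r\n"
    b"X-Powered-By: PHP/4.3.10-22\r\n"
    b"X-Varnish: 1234567\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
    b"<title>Home</title></head><body>hi</body></html>"
)
BETTER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: cloudflare-nginx\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Welcome</title></head><body>hi</body></html>"
)
LISTING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><head><title>Index of /backup</title></head><body><pre>db.sql</pre></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("BAD", BAD_RESPONSE), ("BETTER", BETTER_RESPONSE), ("LISTING", LISTING_RESPONSE)):
        score, findings = assess(raw)
        print(f"{label}: score {score:+d}")
        for kind, text in findings:
            print(f"  [{kind}] {text}")
```

With these weights the Apache/Joomla sample scores -13 (four versioned Server components, a versioned X-Powered-By, X-Varnish and the meta generator), the hardened sample +4, and the IIS directory listing -5. Scoring your own site's response this way is a passive check: it reads only what the server already sends to every visitor, which is exactly why version strings there matter.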