Safe(r) Web Browsing IT Security Roundtable



1. Safe(r) Web Browsing IT Security Roundtable
   April 9, 2010
   Harvard Townsend, Chief Information Security Officer, [email_address]

2. Agenda
   • “The Internet is a bad neighborhood.”
   • The dangers of web browsing
   • Helpful features built into web browsers
   • Tools you can add to your web browsers
   • Trend Micro is your friend
   • Misc. cautions/tips/tricks
   • Q&A

3. The Risks
   • Computer infected with malicious software (malware)
   • Stolen, altered, and/or deleted K-State or personal information (do you have SSNs on your computer?)
   • Identity theft
   • Financial fraud – stolen credit card and/or bank account information
   • Your computer is used to send spam
   • Your computer stops working because of damage done by the malware
   • Your computer is used to infect other computers
   • Your computer’s network access is blocked by the security team to prevent further damage

4. The Threats
   • Malicious links/sites – to click or not to click, that is the question.
   • Malicious advertisements
   • Drive-by downloads (you don’t even have to click!)
   • Search engines tricked into presenting a malicious/bogus result near the top of your search results (aka Blackhat Search Engine Optimization (SEO) Poisoning)

5. Real K-State Federal Credit Union web site / Fake K-State Federal Credit Union web site used in a spear phishing scam

6. Spear phishing scam received by K-Staters in January 2010

7. The malicious link in the email took you to an exact replica of K-State’s single sign-on web page, hosted on a server in the Netherlands, which steals your eID and password if you enter them and click “Sign in”. Note the URL highlighted in red – “”, which is obviously not

8. Real SSO web page / Fake SSO web page

9. Real SSO web page – note “https”. Fake SSO web page – site not secure (http, not https) and hosted in the Netherlands (.nl). Keep in mind that https only tells you the connection is encrypted, not that the site is K-State’s; the domain name is what identifies the site.

10. Can I click on this?
   • Watch for a displayed URL (web address) that does not match the actual link (displayed: ; actual: )
   • Beware of a link that executes a program (like ldr.exe above)
   • Avoid numeric IP addresses in the URL
   • Some even use hexadecimal notation for the IP: http://0xca.0x27.0x30.0xdd/ (the browser reads this as 202.39.48.221)
   • Watch for legitimate domain names embedded in an illegitimate one: http:// /servicing. /c1/login.aspx/

11. Can I click on this?
   • Beware of email supposedly from US companies with URLs that point to a non-US domain (Kyrgyzstan in the example below). From: Capital One bank <>; URL in message body: /onlineform/
   • IE8 highlights the actual domain name to help you identify the true source. Here’s one from an IRS scam email that’s actually hosted in Pakistan:

12. Can I click on this?
   • Beware of domains from unexpected foreign countries. Kyrgyzstan: /onlineform/; Pakistan: http://static-host202-61-52-42. /; Lithuania: http:// /~galaxy/card.exe; Hungary: http:// /walmart/survey/; Romania: http://www /; Russia: http://mpo3do. /thanks.html
   • MANY scams originate in China (country code = .cn)
   • Country code definitions available at:
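The checks on slides 10 through 12, written out as code. This is an added example, not part of the roundtable deck: the watched-brand list, the country-code list, the small two-level-suffix table and the hostnames used in the demo are all assumptions of the example, chosen to match the kinds of links the slides describe.

```python
"""Lexical link checks for the tricks on slides 10-12 (added example, not from the deck).

analyze_link(display_text, href) returns (tag, detail) findings for: a displayed
URL that differs from the real link, links to executables, decimal/hex/octal IP
hosts, a legitimate domain embedded in an illegitimate one, unexpected country
codes, and plain http. Brand, TLD and suffix lists are assumptions of this example.
"""
import ipaddress
import re
from urllib.parse import urlparse

WATCHED_BRANDS = ("k-state", "capitalone", "irs", "walmart", "paypal")   # assumed
SUSPECT_TLDS = (".cn", ".kg", ".pk", ".lt", ".hu", ".ro", ".ru", ".nl")   # from the slides' examples
EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".bat", ".cmd", ".msi")
TWO_LEVEL_SUFFIX = ("co", "com", "net", "org", "ac", "gov", "edu")         # tiny public-suffix subset

# A host-looking token inside link text: one or more labels, then a final label of 2+ chars.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z0-9]{2,})", re.I)


def registrable_domain(host):
    """Approximate the part IE8's domain highlighting shows: the last two labels,
    or three when the second-level label is generic under a 2-letter ccTLD (co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in TWO_LEVEL_SUFFIX:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _label_to_int(label):
    # Browsers accept decimal, 0x-hex and leading-zero octal labels in an IP host.
    if label[:2].lower() == "0x":
        return int(label[2:], 16)
    if len(label) > 1 and label[0] == "0" and label.isdigit():
        return int(label, 8)
    return int(label, 10)


def host_as_ip(host):
    """Return the dotted-decimal address if host is an IPv4 literal in decimal, hex
    (0xca.0x27.0x30.0xdd) or octal notation, or an IPv6 literal; otherwise None."""
    bare = host.strip("[]")
    labels = bare.split(".")
    if len(labels) == 4:
        try:
            octets = [_label_to_int(lab) for lab in labels]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
        except ValueError:
            pass
    try:
        return str(ipaddress.ip_address(bare))
    except ValueError:
        return None


def _mentions_brand(host, landing):
    """A watched brand that is a label of the host but not of the domain the user lands on
    (e.g. signin.k-state.edu.evil.example really lands on evil.example)."""
    def has(name, brand):
        return any(brand == lab or brand in lab.split("-") for lab in name.split("."))
    for brand in WATCHED_BRANDS:
        if has(host, brand) and not has(landing, brand):
            return brand
    return None


def analyze_link(display_text, href):
    """Return [(tag, detail), ...]; an empty list means nothing lexically suspicious."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        findings.append(("not-https", "scheme is %s" % (url.scheme or "missing")))
    if url.path.lower().endswith(EXECUTABLE_EXT):
        findings.append(("executable", "link fetches a program: " + url.path.rsplit("/", 1)[-1]))
    ip = host_as_ip(host) if host else None
    landing = ""
    if ip:
        landing = ip
        findings.append(("ip-host", "host is the IP literal " + ip))
    elif host:
        landing = registrable_domain(host)
        brand = _mentions_brand(host, landing)
        if brand:
            findings.append(("brand-embedded", "'%s' is in the host but the page is on %s" % (brand, landing)))
        if landing.endswith(SUSPECT_TLDS):
            findings.append(("suspect-tld", landing + " is under an unexpected country code"))
    shown = HOST_RE.search(display_text or "")
    if shown and landing:
        shown_host = shown.group(1).lower()
        if (host_as_ip(shown_host) or registrable_domain(shown_host)) != landing:
            findings.append(("display-mismatch", "text shows %s but link goes to %s" % (shown_host, host)))
    return findings


if __name__ == "__main__":
    for text, link in [("https://www.capitalone.com/", "http://capitalone.example.kg/onlineform/"),
                       ("Click here", "http://0xca.0x27.0x30.0xdd/ldr.exe")]:
        print(link, analyze_link(text, link))
```

The checks are deliberately lexical: they need no network access, so they can run on a link before anyone clicks it, and they reproduce what IE8's domain highlighting and the slides' "look at the TLD" advice do by hand.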
13. Can I click on this?
   • Analyze web links without clicking on them by copying the URL and testing it at these sites:
     ◦ Trend Micro’s Web reputation query
     ◦ McAfee SiteAdvisor (enter the URL on their web page – you don’t have to install their software)

14. Can I click on this?
   • Watch for malicious URLs cloaked by URL shortening services like TinyURL

15. Can I click on this?
   • TinyURL has a nice “preview” feature that lets you see the real URL before going to the site. See TinyURL’s site to enable it in your browser (it sets a cookie).
   • A second service has a Firefox add-on to preview shortened links; it also warns you if the site appears to be malicious.
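What a link preview has to do under the hood, as an added example that is not part of the deck or of any shortening service's code: send HEAD requests, read each Location header yourself instead of letting the client auto-follow, cap the number of hops, and stop as soon as the chain leaves the shortener's host so the destination is reported but never fetched. The in-process "shortener" and its routes are constructed for this example; TinyURL's real service is not involved.

```python
"""Preview where a shortened link really goes without visiting the page (added example).

expand() follows 3xx Location headers with HEAD only, caps the hop count, refuses
non-web schemes, and returns as soon as a redirect points off the shortener's host.
FakeShortener is a constructed stand-in so the demo runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECTS = (301, 302, 303, 307, 308)


def expand(short_url, max_hops=MAX_HOPS):
    """Return the chain of URLs starting at short_url. The last entry is either the
    first off-host destination (never fetched) or the final non-redirect on-host URL."""
    origin = urlparse(short_url).netloc
    chain = [short_url]
    for _ in range(max_hops):
        url = urlparse(chain[-1])
        if url.scheme not in ("http", "https"):
            raise ValueError("refusing non-web scheme in redirect chain: " + chain[-1])
        conn_cls = http.client.HTTPSConnection if url.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(url.hostname, url.port, timeout=5)
        try:
            target = (url.path or "/") + ("?" + url.query if url.query else "")
            conn.request("HEAD", target, headers={"User-Agent": "link-preview/0.1"})
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECTS or not location:
            return chain                          # not a redirect: nothing more to expand
        chain.append(urljoin(chain[-1], location))
        if urlparse(chain[-1]).netloc != origin:
            return chain                          # left the shortener: report it, do not fetch it
    raise RuntimeError("gave up after %d redirects: %s" % (max_hops, chain))


class FakeShortener(BaseHTTPRequestHandler):
    """Constructed shortening service: /abc -> /xyz -> payload site, /loop -> /loop forever."""
    ROUTES = {"/abc": "/xyz", "/xyz": "http://payload.example/card.exe", "/loop": "/loop"}

    def do_HEAD(self):
        target = self.ROUTES.get(self.path)
        self.send_response(302 if target else 404)
        if target:
            self.send_header("Location", target)
        self.end_headers()

    def log_message(self, *args):                 # keep the demo quiet
        pass


def start_server():
    """Start the fake shortener on a free loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), FakeShortener)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_port


if __name__ == "__main__":
    srv, base = start_server()
    try:
        print(" -> ".join(expand(base + "/abc")))
    finally:
        srv.shutdown()
```

Stopping at the first off-host hop is the safety property: a preview that kept following redirects would end up requesting the malicious page itself, which is exactly what the user was trying to avoid.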
16. Can I click on this?

17. Malicious Advertisements
   • Major ad networks (aka “ad aggregators”) affiliated with Google, Yahoo, Fox and others, covering more than 50% of online ads, have been infiltrated with “poisoned ads” containing malicious code (source: Avast!)
   • Happened to the New York Times website last fall (September 2009)

18. NY Times incident
   • Ad placed via a phone call from a person posing as Vonage, an Internet phone company and regular advertiser on the NY Times web site
   • Because Vonage is well known, the Times allowed the ads to be served from a remote third-party host (i.e., not the NY Times web server)
   • Legitimate Vonage ads displayed all week
   • Over the weekend the legitimate ad was switched to a malicious one that served up fake antivirus scareware, which tried to get people to buy bogus security software with a credit card

19. Malicious Advertisements
   • Isn’t just the NY Times; the slide lists a dozen other well-known sites that have served poisoned ads
   • These legitimate sites are not in cahoots with the criminals; they’re just not careful enough in screening ads from third-party ad networks

20. Drive-by Downloads
   • The scary thing is you don’t even have to click on anything – just visiting a site with malicious code can initiate a download that installs malware on your computer without your knowing it.
   • Symantec claims every one of the top 100 websites in the world has served up malicious code at some point
   • JavaScript in the ad executes when the page is loaded and tries to exploit a vulnerability in Adobe Reader (PDF), Java, or Flash… or all three; this is why a tool like NoScript, or something that blocks ads, is effective

21. Drive-by Downloads
   • Commonly used to promote fake antivirus software (aka “scareware” or “extortionware”) – makes you believe your computer is infected with lots of malware, enticing the nervous user to “Click Here” to buy fake security software for $30-$100; plus they steal your credit card information
   • Can be used to infect your computer with any malware – keyloggers, Trojans, Torpig, …
   • Malware changes at a very rapid rate to escape detection by AV software; hackers test their malware against 40 popular AV products at online multi-scanner services before launching it

22. Search Engine Poisoning
   • Search engines, like Google, are tricked into presenting a malicious link in the top 10 results for popular searches
   • Known as “Blackhat Search Engine Optimization (SEO) Poisoning”
   • 13% of Google searches for popular or trendy topics yield malicious links
   • Currently used mostly for fake antivirus scams
   • Exploits current events and popular topics
     ◦ January 2010 was an all-time high, with hackers capitalizing on the Haitian earthquake, the release of the movie Avatar, and the announcement of the iPad

23. Blackhat SEO Poisoning – search for “Oscars 2010 winners” (source: Sophos security blog, March 8, 2010). Screenshot caption: malicious pages that infect with FakeAV scareware

24. Blackhat SEO Poisoning
   • Examples of exploited topics in 2010:
     ◦ Tiger Woods car wreck, affairs
     ◦ Death of Patrick Swayze
     ◦ Affair of Sandra Bullock’s husband with Michelle “Bombshell” McGee
     ◦ Rumored death of Bill Cosby (pretty common to make up a sensational hoax)
     ◦ Chilean earthquake
     ◦ Moscow subway explosions
     ◦ Plane crashing into IRS building in Austin, TX
     ◦ Sea World killer whale attack
     ◦ Sentencing of TJX hacker
     ◦ Oscars
     ◦ Kids’ Choice Awards
     ◦ Olympics (esp. death of the Georgian luge athlete)
     ◦ March Madness basketball tournament
     ◦ April Fools Day (a natural…)

25. Blackhat SEO Poisoning – how does it work?
   • A legitimate web server is compromised (often due to a vulnerability in a content management system) and SEO poisoning code is loaded (usually a PHP script)
   • When the PHP script determines that a search engine “crawler” (Google, Bing, MSN, Yahoo, AOL, etc.) is requesting the web page, it returns content filled with lots of info appropriate for the event it’s trying to mimic (keywords, phrases, other high-ranking URLs about the event, images and videos copied from high-ranking sites)
   • They’ll also harvest search engine results to extract popular phrases used to search hot topics (i.e., they let the search engines do the research for them!)

26. Blackhat SEO Poisoning – how does it work?
   • When the PHP code determines it is a user, not a search engine, visiting the site, it redirects them to a malicious site to try to infect their computer, or just pops up bogus security warnings and tries to get them to buy the fake antivirus software (i.e., you’re not always infected when you’re tricked into clicking on the link)
   • The redirection domain name can change as often as every 10 minutes, based on instructions from a “command & control” server, making it harder to identify
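The cloaking logic from slides 25 and 26 in miniature, next to the check that exposes it. This is an added example, not the deck's and not any real kit's PHP: serve() plays the poisoned page (stuffed keywords for a crawler User-Agent, a redirect to the current payload host for everyone else, with a C&C-style update that rotates the host), and detect_cloaking() requests the same page twice, once as Googlebot and once as a browser, and reports when the two answers disagree. The keyword list, the payload hostnames and the fetch callables are constructed; in practice fetch() would be a real HTTP client.

```python
"""Cloaking as an SEO-poisoning page does it, and a check that exposes it (added example).

serve(headers) is the poisoned page; detect_cloaking(fetch, url) fetches as a crawler
and as a browser and compares. State, hosts and keywords are constructed for the demo.
"""
import re
from urllib.parse import urlparse

CRAWLER_UA = re.compile(r"googlebot|bingbot|msnbot|slurp|yahoo|aol", re.I)
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed state a real kit pulls from its command & control server and rotates.
_state = {
    "payload_host": "redirect1.example",
    "keywords": ["oscars 2010 winners", "oscar winners list", "best picture 2010"],
}


def apply_c2_update(update):
    """Rotate the payload host and/or keyword list, as the C&C server would every few minutes."""
    _state.update(update)


def serve(headers):
    """The poisoned page. headers: request headers. Returns (status, headers, body)."""
    if CRAWLER_UA.search(headers.get("User-Agent", "")):
        kws = _state["keywords"]
        body = "<html><head><title>%s</title></head><body>%s</body></html>" % (
            kws[0], "".join("<h2>%s</h2><p>%s</p>" % (k, k) for k in kws))
        return 200, {"Content-Type": "text/html"}, body        # what the search engine indexes
    return 302, {"Location": "http://%s/scan.php" % _state["payload_host"]}, ""   # what a person gets


def _words(body):
    return set(re.findall(r"[a-z0-9]+", body.lower()))


def detect_cloaking(fetch, url):
    """fetch(url, headers) -> (status, headers, body). Returns a report dict whose
    'cloaked' flag is set when crawler and browser are served different things."""
    crawler = fetch(url, {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"})
    browser = fetch(url, {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100115 Firefox/3.6"})
    report = {"crawler_status": crawler[0], "browser_status": browser[0],
              "redirect_host": None, "cloaked": False}
    if browser[0] in REDIRECTS and browser[1].get("Location"):
        report["redirect_host"] = urlparse(browser[1]["Location"]).hostname
    if crawler[0] == 200 and browser[0] in REDIRECTS:
        report["cloaked"] = True                  # indexed as content, served as a bounce
    elif crawler[0] == 200 and browser[0] == 200:
        a, b = _words(crawler[2]), _words(browser[2])
        # Two "200 OK" answers that share fewer than half their words are not the same page.
        report["cloaked"] = len(a & b) < 0.5 * max(len(a | b), 1)
    return report


if __name__ == "__main__":
    poisoned = lambda url, headers: serve(headers)
    print(detect_cloaking(poisoned, "http://compromised.example/oscars.html"))
    apply_c2_update({"payload_host": "redirect2.example"})
    print(detect_cloaking(poisoned, "http://compromised.example/oscars.html"))
```

The second form of the comparison (two 200 responses with different text) matters because some kits serve the scareware page directly rather than redirecting; comparing status codes alone would miss them. Real kits also key on the Referer header and the visitor's IP range, so a thorough check varies those too.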
27. Blackhat SEO Poisoning – how do I prevent it?
   • Be paranoid – think before you click!
   • Pay attention to the link – only visit reputable sites
   • Pay attention to warnings from anti-phishing filters, Trend Micro WRS, and other tools you might use to detect malicious links (see later slides)
   • If you click on a search result and security warnings like this pop up, do NOT click on anything – contact your IT support person

28. Blackhat SEO Poisoning – how do I prevent it?
   • Run antivirus software and keep it up to date (Trend Micro is required on campus)
   • Keep ALL software patched, including the web browsers and plug-ins, Adobe products, Flash, and Java
     ◦ VERY challenging for IT staff, let alone your average user
     ◦ A recent study found that the average home user would have to patch 75 times per year (once every 5 days!) using 22 different patching mechanisms

29. What’s a feller to do?
   • If you’re not scared by now, then I’m worried about you and I pity your IT support person

30. Browser features – IE8
   • Domain highlighting
   • SmartScreen filtering – blocks access to malicious sites and file downloads

31. Browser features – IE8
   • Pop-up blocker – if it causes a problem with an application, add a specific exception; don’t turn off the pop-up blocker
   • If you don’t see a malicious pop-up message, you won’t be duped by it.

32. Browser features – IE8
   • InPrivate Browsing – good if using a public computer in a lab or Internet café, since it leaves no trace of your browsing activity on that computer. The cache (“temporary Internet files”, local copies of content from web sites you visited recently), cookies, and browser history (web addresses of sites you visited recently) are not stored. It does not hide what you do from the web sites you visit or from the network.

33. Browser features – Firefox
   • Anti-phishing and anti-malware protection – detects and blocks access to known malicious sites and downloads

34. Browser features – Firefox
   • Pop-up blocker
     ◦ Similar to IE; add exceptions at Tools -> Options -> Content
   • Private Browsing – cache, cookies, and history not saved, just like “InPrivate Browsing” in IE
   • Instant Website ID – provides detailed identity information about the site, if available (taken from the site’s certificate):

35. Browser add-ons
   • NoScript
   • Extension for Firefox (not available for IE)
   • Prevents execution of JavaScript, Java, and Flash – the most common culprits for web-based attacks
   • Can selectively allow trusted sites
   • Often able to view content of interest without enabling all scripts – you don’t need to see the ads or that cute Flash animation!
   • Takes some getting used to, and it takes a while to build up the exceptions for trusted sites so it’s not always getting in the way of your productive use of the web

36. Browser add-ons
   • Web of Trust (WOT)
   • Available for Firefox, IE, Google Chrome
   • Rates web sites on
     ◦ Trustworthiness
     ◦ Vendor reliability
     ◦ Privacy
     ◦ Child safety
   • Warns you if about to visit a poorly rated site
   • Tags ratings in Google search results, which is really helpful for detecting Blackhat SEO Poisoning
   • Also tags links in web-based email like K-State’s Zimbra Webmail and Gmail
   • Provides user comments about the site and its rating

37. Browser add-ons
   • Adblock Plus
   • Again, only for Firefox (IE is not nearly as extensible as Firefox!)
   • I haven’t used this tool but others have recommended it for blocking advertisements
   • Some have argued against blocking ads since they provide the revenue that allows so much free content on the web

38. Help from Trend Micro
   • Web Reputation Services (WRS)
     ◦ Blocks access to known disreputable sites
     ◦ Enabled in both Windows and Mac versions
     ◦ K-State IT security team regularly reports new malicious links to Trend to add to the block list
   • Also provides traditional “antivirus” malware protection

39. Trend Micro WRS is your friend

40. Recognizing Fake Antivirus Alerts
   • Actual pop-up alert from Trend Micro OfficeScan:

41. Recognizing Fake Antivirus Alerts
   • Example of a Fake AV “scareware” alert that tries to trick you into buying worthless software to fix a non-existent infection:

42. Misc. Tips/Tricks
   • Use a Mac (fewer attacks target it, though it is not immune)
   • Firefox vs. Internet Explorer (IE)?
     ◦ Both have vulnerabilities
     ◦ Both have helpful security features
     ◦ ActiveX in IE has historically been a security concern but is less of a target these days
     ◦ If you use IE6 or IE7, upgrade to IE8 because of significant security improvements plus application compatibility
   • Stay away from questionable sites
     ◦ Pornography
     ◦ Gambling
     ◦ Some gaming sites
   • Peer-to-peer file sharing applications are dangerous since they too have been infiltrated with malware; the movie you download may have malware attached to it that will infect your computer when you try to play the movie.

43. Misc. Tips/Tricks
   • “… because that’s where the money is.” – the answer attributed to Willie Sutton, the famous 20th century bank robber, when asked why he robbed banks
   • Beware of where you do your online banking – cybercriminals are actively hunting you online and targeting your computer because “that’s where the money is”
   • 49 instances of Torpig malware at K-State thus far in 2010, 34 in 2009 – it steals usernames/passwords and banking info
   • The American Bankers Association recommends using a dedicated computer for online banking, since malware typically gets on a computer via web surfing or email
   • A low-end $500 PC or netbook is good for this, or re-purpose the old computer when you upgrade
   • Make sure your banking computer is protected with a strong password
   • At the very least, don’t do online banking on the same home computer your children (and their friends) use!

44. Misc. Tips/Tricks
   • Risks of social network sites
     ◦ People tend to reveal too much personal information
     ◦ Pay careful attention to the security configurations, esp. for privacy
     ◦ Beware of third-party applications and advertisements
     ◦ Beware of unusual friend requests
   • Application whitelisting (specify the programs that can run on the computer – everything else is prohibited)

45. Misc. Tips/Tricks
   • Remove administrator rights from users
   • A recent study of 2009 Microsoft security vulnerabilities claims removing administrator rights would prevent exploitation of:
     ◦ 90% of the “critical” vulnerabilities found in Windows 7
     ◦ 100% of the 55 vulnerabilities found in Microsoft Office
     ◦ 100% of Internet Explorer 8 vulnerabilities
     ◦ 94% of the vulnerabilities in all versions of IE
     ◦ 81% of all critical vulnerabilities announced/patched by Microsoft in 2009
   • With admin privileges, a hacker can:
     ◦ Install or remove/disable any software
     ◦ Change security settings, disable AV software
     ◦ Create new accounts
     ◦ View/copy/change/delete all files
     ◦ Have complete control of the computer
   • Running as a regular user limits the damage to that user’s account
   • Create a separate regular user account for your children on your home computer(s)!!

46. Misc. Tips/Tricks
   • Don’t let your browser store/remember important passwords like:
     ◦ eID
     ◦ Financial accounts
   • 38% of bank account or username/password information stolen by Torpig malware came from the browser’s password store on the compromised computer
   • Password-protect the browser password store (Firefox’s master password; IE has no equivalent)

47. Misc. Tips/Tricks
   • Don’t keep yourself logged into important accounts
   • Similar to letting the browser store username/password; the effect is the same – anyone with access to the computer has access to those accounts
   • Never do either on a public computer

48. Misc. Tips/Tricks
   • Use a password manager
     ◦ Windows: Password Safe
       ▪ Many useful features, easy to use
     ◦ Macs: Password Gorilla
       ▪ Also available for Windows and Linux
       ▪ Can read Password Safe databases
     ◦ Multi-OS and multi-computer: LastPass
       ▪ Passwords stored on a server so you can access them from multiple computers
       ▪ Premium version @ $1/month provides mobile device support (iPhone, Blackberry, Android, etc.), no ads, and multi-factor authentication support

49. Conclusion
   • There’s no way to be 100% secure surfing the web these days
   • Use a multi-faceted approach to reduce your risk (browser security features, browser add-ons, Trend Micro security software, educate yourself)
   • These tools and techniques make your browsing experience less convenient and may frustrate you at times, but they are necessary in today’s hostile online climate
   • Think before you click!

50. What’s on your mind?