Unethical hackers target web applications for several reasons including financial gain, ideology, fun, and espionage. They communicate and sell stolen data on dark web forums using cryptocurrency, with some data selling for as little as $10. To protect applications, developers should follow best practices like the OWASP Top 10, implement web application firewalls, conduct security scans and assessments, and formalize a secure software development lifecycle.
What Makes Web Applications Desirable For Hackers
Slide 1
WHAT MAKES WEB APPLICATIONS DESIRABLE FOR HACKERS
How To Protect Yours
JAIME MANTEIGA, CTO / Co-Founder at Venkon
Slide 2
Agenda
01 What Motivates Unethical Hackers? Before asking the "how" it's important to know the "why".
02 What Techniques Do Attackers Use? To protect your applications, it is essential to know "how" web application hacking techniques work.
03 What's The Value Of Stolen Data? How They Make Money. Data is the new "gold" and hackers know that: a glance into dark web markets.
04 How Can We Protect Ourselves? Understanding and thinking like an attacker will give us a new perspective on how to improve our web security posture.
05 References. Sources and citations.
06 Questions? Share your thoughts, fears, and doubts.
Slide 3
Introduction
What Makes Web Applications Desirable For Hackers: How To Protect Yours
Bio
Jaime Manteiga is a dynamic Information Security Professional and Researcher who assists organizations across the world by improving their information security posture and addressing their cybersecurity challenges.
Additionally, as an Information Security Researcher, Jaime Manteiga holds public recognition from organizations such as Tesla, Shopify, United Airlines and Spotify for helping them identify and mitigate information security flaws.
Get in touch
JAIME MANTEIGA, CTO / Co-Founder at Venkon
Active Social Media Networks: @JaimeManteiga
https://www.linkedin.com/in/jaimemanteiga/
https://medium.com/@jaime.manteiga
jaime.manteiga@Venkon.us
Slide 4
What Motivates Unethical Hackers?
Before asking the "how" it's important to know the "why".
There are hundreds of methods hackers can use to take advantage of the security vulnerabilities in your applications, but there are just a few reasons to do it. These are the top motives in descending order:
Motivation
1. FINANCIAL GAIN
2. ESPIONAGE
3. FUN
4. IDEOLOGY
* Sources of the stats will be exhibited at the references slide
Slide 5
What Motivates Unethical Hackers?
Cybersecurity Breaches, Costs and Facts
Timeline (2016, 2017, 2018):
- Yahoo (2016): 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time.
- Uber (2016): Uber reported that hackers stole the information of over 57 million riders and drivers.
- Equifax (2017): 147.9 million consumers were affected by the Equifax breach.
- Under Armour (2018): Under Armour reported that its "My Fitness Pal" app was hacked, affecting 150 million users.
- Marriott Hotels (2018): The Marriott hacking exposed data of up to 500 million guests, including names, addresses, dates of birth, passport numbers, email addresses and phone numbers.
Costs:
- The average cost of a cybersecurity attack on a company is $2.4 million.
- In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016: on average about $11.7 million.
- The most expensive component of a cyber attack is information loss, which represents 43 percent of costs.
- The average cost per lost or stolen record per individual is $141, but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190).
- In companies with over 50k compromised records, the average cost of a data breach is $6.3 million.
- Damage related to cybercrime is projected to hit $6 trillion annually by 2021.
* Sources of the stats will be exhibited at the references slide
Slide 6
What Motivates Unethical Hackers?
Marriott Hotels Security Breach, Nov. 30, 2018
Overview
Marriott Breach Exposes Data of Up to 500 Million Guests. The hotel chain said that personal details including names, addresses, dates of birth, passport numbers, email addresses and phone numbers for hundreds of millions of guests may have been compromised.
In the United States, the New York Attorney General's office said it had opened an investigation into the data breach.
Marriott's (MAR) stock is plunging on the news, falling more than 6% in trading. The combined company has 6,700 properties in more than 129 countries.
The next figure illustrates how the stock value was sinking after the incident.
Slide 7
What Techniques Do Attackers Use?
Hacking web applications is nothing new, but the methods used by attackers are constantly changing. Several factors determine which techniques an attacker can attempt in order to compromise your application, such as the programming language, web server version, server operating system, database type, etc. Hence, there is no single answer to which method they will use to compromise your application.
The following illustration represents the paths that attackers can use to discover weaknesses; sometimes it takes multiple paths to compromise an application, depending on its complexity.
Slide 8
What Techniques Do Attackers Use?
OWASP TOP 10 Explained
We summarized a list of the most critical web application security risks following the OWASP Top 10 (Open Web Application Security Project). This list focuses on identifying the most serious web application security risks for a broad array of organizations and industries.
A1 - Injection
A2 - Broken Authentication
A3 - Sensitive Data Exposure
A4 - XML External Entities (XXE)
A5 - Broken Access Control
A6 - Security Misconfiguration
A7 - Cross-Site Scripting (XSS)
A8 - Insecure Deserialization
A9 - Using Components with Known Vulnerabilities
A10 - Insufficient Logging & Monitoring
Slide 9
What Techniques Do Attackers Use?
OWASP TOP 10 Explained, Part 1
A1 - INJECTION
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2 - BROKEN AUTHENTICATION
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
A3 - SENSITIVE DATA EXPOSURE
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
A4 - XML EXTERNAL ENTITIES (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5 - BROKEN ACCESS CONTROL
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as accessing other users' accounts, viewing sensitive files, modifying other users' data, changing access rights, etc.
Slide 10
What Techniques Do Attackers Use?
OWASP TOP 10 Explained, Part 2
A6 - SECURITY MISCONFIGURATION
Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information.
A7 - CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript.
A8 - INSECURE DESERIALIZATION
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover.
A10 - INSUFFICIENT LOGGING & MONITORING
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data.
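The A7 description above in working code. This is an added example, not code from the presentation: a profile fragment rendered with and without output escaping, plus a check that parses the result the way a browser would and confirms that only the template's own tags and attributes are present. The two hostile inputs are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs (not from the slides): what an attacker-controlled
# "display name" could look like when it reaches the server.
SCRIPT_INPUT = '<script>alert("xss")</script>'   # HTML body context
ATTR_INPUT = '" onfocus="alert(1)'               # quoted-attribute break-out

TEMPLATE = ('<p>Welcome, {name}!</p>'
            '<input type="text" name="display_name" value="{name}">')

def render_profile_vulnerable(display_name: str) -> str:
    """A7 as the slide describes it: untrusted data is placed into a new page
    without escaping, so the browser parses it as markup rather than text."""
    return TEMPLATE.format(name=display_name)

def render_profile_safe(display_name: str) -> str:
    """Output encoding for HTML body and quoted-attribute contexts: html.escape
    turns < > & " ' into entities, so the value is rendered, never parsed."""
    return TEMPLATE.format(name=html.escape(display_name, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag with its attribute names, in document order."""
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, sorted(name for name, _ in attrs)))

# The only tags and attributes the template itself is allowed to emit.
EXPECTED_TAGS = [('p', []), ('input', ['name', 'type', 'value'])]

def markup_is_intact(fragment: str) -> bool:
    """Parse the rendered fragment as a browser would and confirm that no tag or
    attribute beyond the template's own appeared; an extra element or an on*=
    handler means untrusted data was interpreted as markup."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags == EXPECTED_TAGS

if __name__ == "__main__":
    for name in (SCRIPT_INPUT, ATTR_INPUT):
        print("vulnerable intact:", markup_is_intact(render_profile_vulnerable(name)))
        print("safe intact:      ", markup_is_intact(render_profile_safe(name)))
```

html.escape is only correct for the HTML body and quoted-attribute contexts shown here; data placed inside a script block, a URL or a CSS value needs the encoder for that context, which is why the slide lists "proper validation or escaping" rather than a single filter.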
Slide 11
What's The Value Of Stolen Data: How They Make Money
We already know that the principal motivation for hackers is financial gain. To know in more detail how much money they make, and how they sell the stolen data, we have to examine their communication channels.
There are several ways for hackers to communicate, sell and exchange, but the most used is the "TOR Network," also known as the "dark web" or "deep web." Simply put, TOR is an uncensored internet network principally used by cybercriminals.
Slide 12
What's The Value Of Stolen Data: How They Make Money
Taking a Dive Into The "Deep Web"
Dark web forums are one of the places where cybercriminals trade their goods. They use underground forums as a safe interface to advertise their products and services. It is extremely challenging to get access to most of these forums since they require extensive vetting and trust from other cybercriminals.
For this presentation, we took a "safe dive" into the dark web with the purpose of examining cybercriminals' trading methods:
Figure 1 – Most of the forums were either taken down or seized by international organizations such as the FBI, Interpol, Europol, and the DEA. It is pleasing to find that international government collaboration is in place to protect us from cybercriminals.
Slide 13
What's The Value Of Stolen Data: How They Make Money
Taking a Dive Into The "Deep Web"
Figure 2 – As previously mentioned, it is tough to get access to these forums. The figure above lists the rules to access the "unrestricted areas" of this forum.
Slide 14
What's The Value Of Stolen Data: How They Make Money
Taking a Dive Into The "Deep Web"
Figure 3 – We found another forum that used to have "free registration"; now you are required to be invited by a current member and pay a membership fee.
Slide 15
What's The Value Of Stolen Data: How They Make Money
Taking a Dive Into The "Deep Web"
Figure 4 – After an intensive research period, we were able to get access to one of the least used marketplace forums for cybercriminals. In this figure, we can appreciate a few things:
1. The principal payment method used by cybercriminals is the cryptocurrency Bitcoin.
2. Stolen data is somewhat cheaper than expected: ~$10 USD for millions of stolen Dropbox records.
3. Cybercriminal marketplaces are mostly organized.
This database appears to be from the security breach reported by Dropbox in 2016; back then cybercriminals were selling this information for around $1500 USD.
Slide 16
What's The Value Of Stolen Data: How They Make Money
Taking a Dive Into The "Deep Web"
After our investigation in the deep web, we concluded that cybercriminals find our web applications very valuable and profitable. Below is a list of the services most offered by cybercriminals:
CYBERCRIMINALS MARKETPLACE FOR WEB APPLICATIONS
- Web Shells: This method provides direct access to your application, which allows them to resell it.
- Distributed Malware: They modify the integrity of the code to distribute malware to the users using an Exploit Kit.
- Credit Card Scraping: For applications handling payments, a code captures the entered credit card data and then stores it in some local file for the hackers to access.
- Crypto mining: Installing JS code in your application will allow the cybercriminals to start mining cryptocurrencies for them.
- Redirecting Traffic: They sell traffic redirection of your applications to other cybercriminals.
- Database: They download a copy of the database to categorize and sell the information afterward.
Slide 17
How Can We Protect Ourselves?
Unethical hackers are restlessly trying to compromise web applications, and if we don't want to become one of their victims posted on the dark web, we must ensure that our systems are appropriately secured.
There is more profitability in our web applications than we expected, even if no valuable data is present. Cybercriminals will use compromised web apps for a variety of things; needless to say, all actions of cybercriminals regarding our apps will affect us significantly.
How can we protect ourselves?
Sadly, there is no "one answer"; it depends on several factors that apply to the specific requirements of your application and organization. The good news is that, as we previously mentioned, OWASP (Open Web Application Security Project) has an updated guideline created by industry experts and leading organizations to ensure your application is properly secured. Below are some recommended steps for improvements:
Recommendations For Improvements
- OWASP: OWASP has countless guidelines and best-practice documents to improve your application's overall security posture.
- OWASP TOP 10: This is the best foundation when testing for security issues. Ensure that your tests follow this methodology.
- Security Scanning: Formalize a process to perform regular automated and manual security scans.
- Formalize a Software Development Lifecycle (SDLC): Reduce security issues and raise the overall security level for every stage of your application development.
- Implement a Web Application Firewall: A WAF applies deep packet inspection (DPI) techniques to scan every HTTP request and response to identify and block any malicious content.
- Independent Security Assessment: Perform regular web application security assessments using an independent contractor. This provides a degree of autonomy to test controls that you could be missing and an external view of potential security risks.
Slide 18
References
Below are the sources and citations used in this presentation:
2018 Official Data Breach Investigations Report from Verizon:
https://enterprise.verizon.com/resources/reports/dbir/
2016 Uber Data Breach:
https://www.uber.com/newsroom/2016-data-incident/
2017 Equifax Data Breach:
https://www.equifaxsecurity2017.com/2018/03/01/equifax-releases-updated-information-2017-cybersecurity-incident/
2018 Under Armour Data Breach:
http://investor.underarmour.com/releasedetail.cfm?ReleaseID=1062368
Average cost of a data breach (Accenture):
https://www.accenture.com/us-en/event-cybertech-europe-2017?src=SOMS#block-insights-and-innovation
2016 Yahoo Data Breach:
https://www.oath.com/press/yahoo-provides-notice-to-additional-users-affected-by-previously/
2018 Marriott Hotels Data Breach:
http://news.marriott.com/2018/11/marriott-announces-starwood-guest-reservation-database-security-incident/
OWASP TOP 10 - 2017:
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
Slide 19
THANKS FOR WATCHING
Questions, Thoughts, Fears or Doubts?
@JaimeManteiga
https://www.linkedin.com/in/jaimemanteiga/
https://medium.com/@jaime.manteiga
jaime.manteiga@Venkon.us