Hack miami emiliocasbas
  1. RAISING SECURITY AWARENESS AMONG WEB OWNERS AND USERS. Emilio Casbas
  2. The presentation is about… Badware and Security awareness
  3. The problem is…
  4. Some numbers… 30k new malicious URLs each day; 80% legitimate websites. Sources:
     • http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf
     • http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/ (2 popular websites, Alexa TOP 25k; drive-by downloads)
     • http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
  5. Source: http://www.websense.com/content/websense-2013-threat-report.aspx
  6-10. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  11-12. HOW LONG malicious? 2.5h average lifetime. Compromised? 44 days average lifetime. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  13. Business model?
  14. Hot topic
  15. But…
  16. Some questions… What website software is targeted? How are the websites compromised?
  17. Some info… “Compromised websites: an owner’s perspective” (paper). Source: http://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf
  18. Problem… Compromised web sites: 44 days average lifetime
  19. Due to… Lack of security awareness of web owners
  20. Example… Lack of security awareness of web owners
  21. Only small websites? http://www.eeye.com, http://www.ey.com, http://www.coverity.com, http://www.imperva.com, http://www.avaya.com, http://www.natwest.com, http://www.entrust.com, http://www.safenet-inc.com, http://www.secureworks.com, http://www.rbs.co.uk, http://www.mckinsey.com, http://www.conocophillips.com, http://www.ford.com, http://www.chevron.com, http://www.verisign.com, http://www.vasco.com, http://www.ingrammicro.com, http://www.eset-la.com, …
  22-25. What could we do? Promote a safer web? Spend money on web security audits? Webmasters help for hacked sites?
  26. Can we… Raise web security awareness
  27. Would it be possible?... Raise web security awareness through an obtainable goal for every website?
  28. Test time… Raise web security awareness (Proof of Concept)
  29-33. Example
  34. STATS:
  35-36. Compromised websites:
  37. CMS Software. Compromised websites:
  38. Security awareness value
     BAD: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22; Microsoft-IIS/6.0; MetaGenerator[Joomla! 1.5; Index-Of
     BETTER: UncommonHeaders[x-varnish; X-Frame-Options[SAMEORIGIN; X-XSS-Protection[; cloudflare-nginx; gws
  39. Accuracy: >=20 / <20
  40. Desenmascara.me features:
     • Show a security awareness value
     • Infrastructure details in plain words
     • Suspicious iframes
     • Check website blacklisted
     • Ranking best websites
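Slides 38 and 40 describe a passive "security awareness value" derived from what a site volunteers in its HTTP response headers and page metadata: version-bearing banners and a CMS generator tag count against it, hardening headers and version-free banners count for it. The scorer below is an added example, not desenmascara.me's code; the weights, the BAD/BETTER threshold and the two sample fingerprints are assumptions modelled on the slide's two columns.

```python
import re

# Constructed fingerprints modelled on the slide's BAD and BETTER columns.
BAD_SITE = {
    "Server": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22",
    "X-Powered-By": "PHP/4.3.10-22",
    "meta_generator": "Joomla! 1.5",   # <meta name="generator"> from the HTML body
    "directory_listing": True,         # an "Index of /" page was served
}
BETTER_SITE = {
    "Server": "cloudflare-nginx",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# product/version tokens such as "Apache/2.2.22" or "PHP/4.3.10"
VERSION_RE = re.compile(r"[A-Za-z_-]+/\d+(?:\.\d+)*")
SECURITY_HEADERS = ("X-Frame-Options", "X-XSS-Protection")

def version_disclosures(fp):
    """Product/version pairs exposed by the Server and X-Powered-By headers."""
    banner = " ".join(fp.get(h, "") for h in ("Server", "X-Powered-By"))
    return VERSION_RE.findall(banner)

def awareness_score(fp):
    """Return (score, findings); the weights are assumptions, higher is better."""
    score, findings = 0, []
    disclosed = version_disclosures(fp)
    for token in disclosed:
        score -= 2
        findings.append(f"banner reveals {token}: known bugs for it are easy to look up")
    if fp.get("Server") and not disclosed:
        score += 1
        findings.append("server banner hides versions")
    gen = fp.get("meta_generator", "")
    if re.search(r"\d", gen):
        score -= 3
        findings.append(f"page announces its CMS version ({gen})")
    if fp.get("directory_listing"):
        score -= 3
        findings.append("directory listing enabled: file layout is public")
    for header in SECURITY_HEADERS:
        if header in fp:
            score += 2
            findings.append(f"{header} set: browser-side hardening in place")
    return score, findings

def label(score):
    """Bucket used for the BAD/BETTER columns (threshold is an assumption)."""
    return "BETTER" if score >= 0 else "BAD"

if __name__ == "__main__":
    for name, fp in (("bad", BAD_SITE), ("better", BETTER_SITE)):
        s, notes = awareness_score(fp)
        print(name, s, label(s), *notes, sep="\n  ")
```

The findings list is the "infrastructure details in plain words" a site owner would read; a real scanner would collect the headers and generator tag from a live response instead of the constructed dictionaries.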
  41. Desenmascara.me wishlist:
     • Implement AI
     • More passive checks
     • Public stats
     • Public API
     • Open Source project?
  42-43. Desenmascara.me wishlist:
     • Raise web security awareness
     • Decrease numbers of compromised websites
  44. THANK YOU! Questions? ecasbas
  45. Thank you! “I’ve seen estimates that over 99% of all internet attacks could be prevented if the web systems administrators would just use the most current versions” Bruce Schneier in Secrets & Lies. “Webmasters need to ensure that their websites are running good code that isn’t open to exploitation” Ian Fette, Google Security Team