Hack miami emiliocasbas
  1. RAISING SECURITY AWARENESS AMONG WEB OWNERS AND USERS. Emilio Casbas
  2. The presentation is about… Badware and security awareness
  3. The problem is…
  4. Some numbers… 30k new malicious URLs each day; 80% legitimate websites; 2 popular websites (Alexa TOP 25k); drive-by downloads. Sources: • http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf • http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/ • http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf
  5. Source: http://www.websense.com/content/websense-2013-threat-report.aspx
  6. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  7. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  8. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  9. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  10. WEB SECURITY IS BECOMING MORE CHALLENGING. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  11. HOW LONG malicious? 2.5h average lifetime. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  12. HOW LONG malicious? 2.5h average lifetime. How long compromised? 44 days average lifetime. Source: Manufacturing compromise: The emergence of Exploit-as-a-service, http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf
  13. Business model?
  14. Hot topic
  15. But…
  16. Some questions… What website software is targeted? How are the websites compromised?
  17. Some info… “Compromised websites: an owner’s perspective” (paper). Source: • http://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf
  18. Problem… Compromised websites: 44 days average lifetime
  19. Due to… Lack of security awareness of web owners
  20. Example… Lack of security awareness of web owners
  21. Only small websites? http://www.eeye.com http://www.ey.com http://www.coverity.com http://www.imperva.com http://www.avaya.com http://www.natwest.com http://www.entrust.com http://www.safenet-inc.com http://www.secureworks.com http://www.rbs.co.uk http://www.mckinsey.com http://www.conocophillips.com http://www.ford.com http://www.chevron.com http://www.verisign.com http://www.vasco.com http://www.ingrammicro.com http://www.eset-la.com …
  22. What could we do? Promote a safer web? Spend money on web security audits? Webmaster help for hacked sites?
  23. What could we do? Promote a safer web? Spend money on web security audits? Webmaster help for hacked sites?
  24. What could we do? Promote a safer web? Spend money on web security audits? Webmaster help for hacked sites?
  25. What could we do? Promote a safer web? Spend money on web security audits? Webmaster help for hacked sites?
  26. Can we… raise web security awareness?
  27. Would it be possible… to raise web security awareness through an obtainable goal for every website?
  28. Test time… Raise web security awareness (proof of concept)
  29. Example
  30. Example
  31. Example
  32. Example
  33. Example
  34. STATS:
  35. Compromised websites:
  36. Compromised websites:
  37. CMS software, compromised websites:
  38. Security awareness value: BAD / BETTER. Examples of what a response reveals: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22; Microsoft-IIS/6.0; MetaGenerator[Joomla! 1.5; Index-Of; UncommonHeaders[x-varnish; X-Frame-Options[SAMEORIGIN; X-XSS-Protection[; cloudflare-nginx; gws
  39. Accuracy: >=20 / <20
  40. Desenmascara.me features: • Show a security awareness value • Infrastructure details in plain words • Suspicious iframes • Check whether the website is blacklisted • Ranking of the best websites
  41. Desenmascara.me wishlist: • Implement AI • More passive checks • Public stats • Public API • Open source project?
  42. Desenmascara.me wishlist: • Raise web security awareness • Decrease the number of compromised websites
  43. Desenmascara.me wishlist: • Raise web security awareness • Decrease the number of compromised websites
  44. THANK YOU! Questions? ecasbas
  45. Thank you! “I’ve seen estimates that over 99% of all internet attacks could be prevented if the web systems administrators would just use the most current versions.” Bruce Schneier, Secrets & Lies. “Webmasters need to ensure that their websites are running good code that isn’t open to exploitation.” Ian Fette, Google Security Team
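Slides 38 and 39 sort websites by what their HTTP responses give away: verbose Server strings with old component versions, a CMS meta generator and an open directory listing land on the BAD side, while hardening headers and version-free server names (cloudflare-nginx, gws) land on the BETTER side, with 20 as the cut-off. The Python below is an added example of that kind of passive scoring written for this page; it is not Desenmascara.me's code. The point weights, the 10-point baseline and the reading of "20" as the pass threshold are assumptions, and the sample responses are constructed to mirror the slide's examples.

```python
"""Passive 'security awareness' scoring of a single HTTP response (example code, not Desenmascara.me's)."""
import re
from dataclasses import dataclass, field

# Assumptions for this example: the deck only shows the ">=20 / <20" cut-off, not the weights.
THRESHOLD = 20
BASELINE = 10
VERSION_PENALTY = 5
GENERATOR_PENALTY = 5
DIRECTORY_LISTING_PENALTY = 8

# A product/version token such as "Apache/2.2.22", or a bare version such as "2.0.50727".
VERSION_RE = re.compile(r"(?:^|/)\d+\.\d+")

# Response headers that show the owner deployed browser-side hardening (points for presence).
HARDENING_HEADERS = {
    "x-frame-options": 5,
    "x-xss-protection": 3,
    "x-content-type-options": 5,
    "strict-transport-security": 7,
    "content-security-policy": 10,
}

# Response headers that commonly leak software names and versions.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

META_GENERATOR_RE = re.compile(
    r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']([^"\']+)["\']', re.I)
DIRECTORY_LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.I)


@dataclass
class Assessment:
    score: int
    findings: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "BETTER" if self.score >= THRESHOLD else "BAD"


def assess(headers: dict, body: str = "") -> Assessment:
    """Score one response from its headers and optional HTML body; no request is made."""
    lower = {k.lower(): v for k, v in headers.items()}
    score = BASELINE
    findings = []

    # 1. Version disclosure: each product/version token costs points; a bare product name does not.
    for name in DISCLOSURE_HEADERS:
        value = lower.get(name)
        if not value:
            continue
        for tok in value.split():
            if VERSION_RE.search(tok):
                score -= VERSION_PENALTY
                findings.append(f"{name}: discloses version '{tok}'")

    # 2. CMS fingerprint left in the page itself (the slide's MetaGenerator[Joomla! 1.5 case).
    m = META_GENERATOR_RE.search(body)
    if m:
        score -= GENERATOR_PENALTY
        findings.append(f"meta generator: '{m.group(1)}'")

    # 3. Directory listing served instead of a page (the slide's Index-Of case).
    if DIRECTORY_LISTING_RE.search(body):
        score -= DIRECTORY_LISTING_PENALTY
        findings.append("directory listing enabled (Index of /)")

    # 4. Hardening headers earn points.
    for name, points in HARDENING_HEADERS.items():
        if name in lower:
            score += points
            findings.append(f"{name} present ({lower[name]})")

    return Assessment(score, findings)


# Constructed sample responses modelled on slide 38 (not captured from any real site).
BAD_HEADERS = {"Server": "Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 PHP/4.3.10-22"}
BAD_BODY = ('<html><head><title>Index of /backup</title>'
            '<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />'
            '</head></html>')
IIS_HEADERS = {"Server": "Microsoft-IIS/6.0", "X-Powered-By": "ASP.NET", "X-AspNet-Version": "2.0.50727"}
BETTER_HEADERS = {"Server": "cloudflare-nginx", "X-Frame-Options": "SAMEORIGIN",
                  "X-XSS-Protection": "1; mode=block", "X-Content-Type-Options": "nosniff"}

if __name__ == "__main__":
    for label, hdrs, body in (("old Apache stack", BAD_HEADERS, BAD_BODY),
                              ("IIS 6", IIS_HEADERS, ""),
                              ("hardened", BETTER_HEADERS, "")):
        a = assess(hdrs, body)
        print(f"{label}: score={a.score} verdict={a.verdict}")
        for f in a.findings:
            print("  -", f)
```

The scorer only reads a response the site already sent to an ordinary visitor, which is what makes the check "passive" in the sense of slide 41; removing a version string or adding a header moves a site across the threshold without any change to its code, which is the obtainable goal slide 27 asks for.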
