Web Wreck-utation - CanSecWest 2008



  1. Wreck-utation. Dan Hubbard, Stephan Chenette, Websense Security Labs, CanSec 2008
  2-3. Reputation: the opinion (more technically, a social evaluation) of the public toward a person, a group of people, or an organization. It is an important factor in many fields, such as business, online communities or social status. Online reputation is a factor in any online community where trust is important. Examples include eBay, an auction service which uses a system of customer feedback to publicly rate each member's reputation.
  4-7. Best thing since sliced bread? “Reputation systems are the future defense against malicious code and SPAM.” “You are only as good as your reputation.” “Reputation is the next stage in the antivirus evolution.”
  8-10. Good *or* Bad: Mozilla.org; Russian Business Network.
  11-13. Good *and* Bad: MSNBC Sports; MSNBC Sports Stats.
  14-16. Good *gone* Bad: Super Bowl site, 0wned from China.
  17. Using Reputation for Security Decisions
  18. Using Reputation for Security Decisions: Web Reputation, Email Reputation, Domain Reputation. Bonus: Binary Reputation.
  19. Reputation inputs (diagram): GEO, AGE, HISTORY, LEXICAL, REPUTATION, NEIGHBORS, COUSIN, TYPOS, TRAFFIC.
  20-25. Web Reputation / Web Wreck-utation (chart, built up over six slides). Segments of the web: THE BLOG TAIL, THE LONG TAIL, TOP 100, CURRENT EVENTS, REGIONAL & GENRE, PERSONAL & GARBAGE. Wreck-utation labels added across the builds: PHISH, FRAUD, SPAM; HOSTING + COLLATERAL DAMAGE; REGIONAL + PHISH, FRAUD, SPAM; BIG NAME COMPROMISES & SEO; EXPLOIT 2.0.
  26-27. Malicious URLs recorded on high-reputation hosts in February 2008 (vurldb query):
         mysql> SELECT COUNT(*) FROM vurldb
                WHERE hostname RLIKE '(.+\\.)?(googlepages|geocities|yahoo|facebook|myspace|google|live)\\.com'
                  AND category IN ('Malicious Web Sites', 'Spyware', 'Keylogger')
                  AND add_date BETWEEN '2008-02-01' AND '2008-02-29';
         Result: 3032
  28-32. The BLOG TAIL / WEB TWO DOT UH OH. Blogger: allows embedded URLs to malicious code. Calendar + Docs: allow embedded malicious code. GooglePages: allows upload of malicious code. Picasa Albums: allow embedded URLs to malicious code.
  33. Using Reputation for Security Decisions
  34. What’s the Problem? The web’s most visited sites are increasingly being used to host malicious code. Spammers and malcode groups have wised up to industry use of reputation and are exploiting it. > 50% of malicious websites are compromised sites. 70% of the top 100 sites rely on user-uploaded content. Most top sites have poor, if any, input validation.
  35. eBay input validation. eBay is unquestionably one of the most popular websites (high reputation). eBay does some input validation, but not in real time.
  36-37. Seller Reputation. We blogged in the past about sellers making their reputation go from 0 to “Power Seller”.
  38. “make me a power seller”: How did this user accomplish this?
  39. Congrats, you have been 0wned
  40. Adding malicious listings to eBay…
  41-42. eBay Sploit
  43. 90 minutes later.....
  44-45. Easy as Pie?
  46. Everything has a price! Buying good reputation.
  47. Expired Domain: dreamcast.com
  48. IFRAME: Content Injection. > 20,000 sites infected today (all had good reputation): ZDNet.com, news.com, history.com, usatoday.com, etc. The list goes on. This attack used search engine optimization, caching within highly reputable sites, to cache malicious content.
  49. IFRAME: Content Injection
  50. IFRAME: Content Injection. Attackers are using a bot to automatically run searches inside the Blogdigger search engine; in turn, Blogdigger caches the results.
  51. IFRAME: Content Injection. The IFRAME is able to escape the parent tag.
  52. IFRAME: Content Injection. An unsuspecting user who trusts the site is redirected automatically to this PUS site.
  53. Email Wreck-utation
  54. Email Wreck-utation. Has been around for a lot longer than web reputation. Several sender technologies (SPF, DKIM, SenderID). Reputation systems have helped move the problem.
  55. Email Wreck-utation
  56-59. Email Wreck-utation. Start your own company and add SPF, SenderID, etc. records, and move around. Hijack a “good” open relay. Use a webmail provider like Yahoo!, Gmail, Microsoft. Spread wealth to blogs (splogs).
  60. Email Wreck-utation: “Legit Sender”
  61. Email: “Legit” SPF
  62. Email: “Legit” SPF. "There's never been a better time to get a new car". mail.yakdrive.com [67.218.177.112], mail.jadeblond.com [67.218.177.54], mail.routevery.com [67.218.177.53], mail.filterwind.com [67.218.185.50], mail.routevery.com [67.218.177.53], mail.bendton.com [67.218.177.73], mail.wellcometo.com [67.218.185.76], mail.domesell.com [67.218.185.96], mail.smashoot.com [67.218.185.94], mail.arrivespark.com [67.218.185.117], mail.spearmine.com [67.218.185.74], mail.cleanfluff.com [67.218.171.33], mail.thirdground.com [67.218.171.20]
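The hostname/IP pairs on slide 62 make the defender's point: every sender name has its own "legit" SPF record, yet the whole campaign sits on three adjacent /24 netblocks. This added example (not from the talk or from Websense) parses the slide's sender list, groups senders by /24 and flags the pattern where many fresh domains collapse onto a handful of netblocks, so that the sending infrastructure is scored rather than each throwaway domain. The term "snowshoe", the thresholds and the two-label domain rule are my assumptions for the demo, not the talk's.

```python
import ipaddress
import re
from collections import defaultdict

# Sender hosts as listed on slide 62, embedded here as constructed "host [ip]" lines.
SLIDE_62_SENDERS = """
mail.yakdrive.com [67.218.177.112]
mail.jadeblond.com [67.218.177.54]
mail.routevery.com [67.218.177.53]
mail.filterwind.com [67.218.185.50]
mail.routevery.com [67.218.177.53]
mail.bendton.com [67.218.177.73]
mail.wellcometo.com [67.218.185.76]
mail.domesell.com [67.218.185.96]
mail.smashoot.com [67.218.185.94]
mail.arrivespark.com [67.218.185.117]
mail.spearmine.com [67.218.185.74]
mail.cleanfluff.com [67.218.171.33]
mail.thirdground.com [67.218.171.20]
"""
HOST_RE = re.compile(r"^\s*(?P<host>[\w.-]+)\s+\[(?P<ip>[\d.]+)\]\s*$")

def parse_senders(text):
    """Return (hostname, IPv4Address) pairs; lines that do not match are skipped."""
    pairs = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            pairs.append((m.group("host"), ipaddress.ip_address(m.group("ip"))))
    return pairs

def registered_domain(host):
    """Last two labels; adequate for the .com hosts here (assumption, not a PSL lookup)."""
    return ".".join(host.split(".")[-2:])

def cluster_by_netblock(pairs, prefix=24):
    """Map each /prefix netblock (as a string) to the set of domains sending from it."""
    blocks = defaultdict(set)
    for host, ip in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        blocks[str(net)].add(registered_domain(host))
    return dict(blocks)

def is_snowshoe_campaign(pairs, min_domains=8, max_blocks=3):
    """Many SPF-clean domains collapsing onto a few netblocks: score the
    infrastructure, not each throwaway name. Thresholds are illustrative."""
    blocks = cluster_by_netblock(pairs)
    domains = {registered_domain(h) for h, _ in pairs}
    return len(domains) >= min_domains and len(blocks) <= max_blocks
```

Run over the slide's list this yields 12 distinct domains on exactly three /24s, which is the signal an SPF pass alone never surfaces.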
  63-64. Email: “Legit” SPF
  65. MS Live Sending SPAM
  66. MS Live Captchas
  67. Gmail Captchas
  68. Cruel Irony: Google Redirects. http://www.google.com/pagead/iclk?sa=3Dl&ai=3DoOfDzh&num= =3D07504&adurl=3Dhttp://visamedicalopinion.com/run.exe (shown quoted-printable encoded as captured; each “=3D” is an encoded “=”, so the adurl parameter of the Google ad-click redirector points at the executable).
  69. Moving Targets
  70-72. Moving Targets: SPLOG
  73. Domain Reputation
  74. Domain Reputation. Mostly used for email. Some people are refactoring it for the web. Domain tasting is the best example (age). Cousin / likeness of other domains used. We have something called LexiRep also.
  75. Domain Wreck-utation
  76. Domain Wreck-utation. The web’s 80-20 rule works against this. Compromised sites are not accounted for. Domain stealing and acquiring break age and history algorithms. DNS spoofing, hacks, etc. Does not account for URLs and hostnames.
  77. Application reputation. Packer heuristics are commonly used to categorize a malicious binary, because 90% of all malicious binaries are packed. Malware authors have increasingly started to try to fool application detection engines into thinking the binary in question is not a packed binary.
  78. Storm Ecard, Application reputation: Sections look normal.
  79. Storm Ecard, Application reputation: Entry point matches MinGW GCC.
  80. Storm Ecard, Application reputation: Eventually a call to the packed code…
  81. Storm Ecard, Application reputation: How did it do this? There are multiple programs to scramble the true identity, e.g. DotFix Fake Signer, pseudo signer, etc.
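Slides 77-81 show a packed Storm e-card whose entry point was made to look like MinGW GCC output, so a signature-only packer check passes. This added example, not code from the talk or from Websense, contrasts that entry-point signature check with a per-section Shannon-entropy check, which a fake signer does not alter. The signature table, thresholds and sample byte blobs are constructed for the demo: the prologue bytes are a generic x86 prologue, not a real MinGW signature, and the section names follow PE convention only.

```python
import math
from collections import Counter

# Constructed stand-in for an entry-point signature table. The pattern is a generic
# x86 prologue (push ebp; mov ebp, esp), NOT a real MinGW or PEiD signature.
FAKE_EP_SIGNATURES = {
    b"\x55\x89\xe5": "MinGW GCC (stand-in signature)",
}

def entry_point_signature(entry_bytes):
    """Signature-only verdict: exactly what a fake signer is built to satisfy."""
    for pattern, name in FAKE_EP_SIGNATURES.items():
        if entry_bytes.startswith(pattern):
            return name
    return None

def shannon_entropy(data):
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(sections, threshold=7.0):
    """Flag any code/data section near the entropy ceiling (compressed/encrypted).
    Resource and relocation sections are skipped; threshold is illustrative."""
    return any(shannon_entropy(data) >= threshold
               for name, data in sections.items() if name not in (".rsrc", ".reloc"))

def classify(entry_bytes, sections):
    """Combine both signals; the entry-point match alone is not trusted."""
    sig = entry_point_signature(entry_bytes)
    packed = looks_packed(sections)
    if sig and packed:
        return "fake-signed packed"   # the Storm e-card pattern from the slides
    if sig:
        return "compiler-normal"
    return "packed" if packed else "unknown"

# Constructed samples: a compiler-looking .text plus either a packed or a plain .data.
BENIGN_TEXT = b"\x55\x89\xe5" + b"\x90" * 512   # prologue + padding: low entropy
PACKED_BLOB = bytes(range(256)) * 8             # every byte equally often: 8.0 bits
FAKE_SIGNED_SAMPLE = {".text": BENIGN_TEXT, ".data": PACKED_BLOB}
CLEAN_SAMPLE = {".text": BENIGN_TEXT, ".data": b"\x00" * 512}
```

On a real PE you would feed each section's raw bytes from the section table and the bytes at AddressOfEntryPoint; the decision logic is unchanged.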
  82. Conclusion
  83-85. Conclusion. Reputation systems for security are effective in the long tail of the Internet. Reputation can be used with other parts of the equation to make better decisions. Web reputation is less effective than email reputation, given the new dynamics of the web, the large number of compromised websites, and web two dot uh-oh.
  86-88. Conclusion
  89. THANKS! dhubbard | schenette <at> websense.com
