ISSA Infraguard ISACA Tampa 06192009

Description: Business Logic Flaws

Transcript of ISSA Infraguard ISACA Tampa 06192009

Page 1: ISSA Infraguard ISACA Tampa 06192009

Mo’ Money Mo’ Problems

© 2009 WhiteHat, Inc.

Jeremiah Grossman, Founder & Chief Technology Officer

06.19.2009

Making A LOT more money on the Web the black hat way

Page 2: ISSA Infraguard ISACA Tampa 06192009

Jeremiah Grossman

• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer

Page 3: ISSA Infraguard ISACA Tampa 06192009

WhiteHat Security

• 200+ enterprise customers
• Start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
• 1000’s of assessments performed annually
• Recognized leader in website security
• Quoted hundreds of times by the mainstream press

Page 4: ISSA Infraguard ISACA Tampa 06192009

Threats / Attackers

‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers, which thieves in several countries then used to withdraw more than $1 million from ATMs. Other SQL Injection victims: Geeks.com, Guess, Petco, CardSystems, USC, etc.

Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website rather than on a fake one. JavaScript malware steals victims’ session cookies and passwords. Examples: Y! Mail, PayPal, SunTrust, Italian banks, etc.

Mass SQL Injection worms automatically insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use that foothold to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”

Threat Capabilities

Fully Targeted
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize Business Logic Flaw exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks

Directed Opportunistic
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (Phishing)

Random Opportunistic
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced filter evasion techniques
• Generic exploits

Page 5: ISSA Infraguard ISACA Tampa 06192009

Website Classes of Attacks

Technical: Automation Can Identify

Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection

Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location

Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*

Business Logic: Humans Required

Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*

Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation

Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation

WASC 24 (+2)* Classes of Attacks
http://www.webappsec.org/projects/threat/

Page 6: ISSA Infraguard ISACA Tampa 06192009

WhiteHat Security Top Ten: percentage likelihood of a website having a vulnerability by class

• Cross-Site Scripting
• Information Leakage
• Content Spoofing
• Insufficient Authorization
• SQL Injection
• Predictable Resource Location
• Session Fixation
• Cross-Site Request Forgery
• Insufficient Authentication
• HTTP Response Splitting

Total websites: 1,031
Identified vulnerabilities: 17,888; unresolved: 7,157 (60% resolution rate)
Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
Lifetime average number of vulnerabilities per website: 17
Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
Current average of unresolved vulnerabilities per website: 7

WhiteHat Website Security Statistics Report (March 2009)
http://www.whitehatsec.com/home/resource/stats.html

Page 7: ISSA Infraguard ISACA Tampa 06192009

QA overlooks them: QA tests what software should do, not what it can be made to do.

Scanners can’t identify them: scanners lack intelligence and don’t know whether something worked (or not).

WAFs / IDSs can’t defend against them: the HTTP requests appear completely normal.

Hackers exploit them: 230+ million websites, 1+ million using SSL.

Page 8: ISSA Infraguard ISACA Tampa 06192009

Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.

Promo codes for cheapskates

Page 9: ISSA Infraguard ISACA Tampa 06192009

• X% and $X off sales
• Free Shipping
• 2 for 1 Specials
• Add-Ons & Upgrades

Page 10: ISSA Infraguard ISACA Tampa 06192009

MacWorld Hacker VIP

http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html

Client-Side Hacking: Back to Back Free MacWorld Platinum Pass ($1,695)

Page 11: ISSA Infraguard ISACA Tampa 06192009

Free Pizza Tastes Better

March 31, 2009...

1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code “BAILOUT”. FREE!

Still have to go pick it up!

Page 12: ISSA Infraguard ISACA Tampa 06192009

Share the Knowledge

11,000 × $7.00 = $70,000

http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
http://news.cnet.com/8301-13845_3-10207986-58.html
http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html

“Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit.”

Oops!

Page 13: ISSA Infraguard ISACA Tampa 06192009

Other Tricks

• Guess / Brute Force (No CAPTCHAs)
• Stacking Multiple Codes
• Delete Cookies (Don’t Forget Flash)
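As an added example (not from the deck), here is a small Python model of a coupon-redemption endpoint that closes the tricks listed above: attempt limits held on the server and keyed by the authenticated account rather than by a cookie, one code per order, single use per account, and random codes that cannot be guessed within the allowed attempts. The CouponService class, the code names and the discount values are constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Added example, not from the deck. Constructed model of a coupon endpoint
# that closes the tricks listed above: guessable codes, unlimited guessing,
# stacking several codes on one order, and resetting client-side counters
# by deleting cookies.

MAX_FAILED_ATTEMPTS = 5                      # per account, held on the server
ALPHABET = string.ascii_uppercase + string.digits


def generate_code(length=12):
    """Random, non-sequential code: 36**12 possibilities, far beyond what
    the attempt limit below lets anyone try."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CouponService:
    def __init__(self, coupons):
        self.coupons = dict(coupons)          # code -> discount in dollars (constructed)
        self.failed = defaultdict(int)        # account_id -> invalid guesses so far
        self.redeemed = defaultdict(set)      # account_id -> codes already used

    def redeem(self, account_id, order, code):
        """Apply one code to an order. Returns (ok, reason).

        All state is keyed by the authenticated account id and stored on the
        server, so clearing HTTP or Flash cookies does not reset anything."""
        if self.failed[account_id] >= MAX_FAILED_ATTEMPTS:
            return False, "too many invalid codes; redemption locked"
        if order.get("promo") is not None:
            return False, "only one promo code per order"    # no stacking
        if code not in self.coupons:
            self.failed[account_id] += 1                     # every guess counts
            return False, "invalid code"
        if code in self.redeemed[account_id]:
            return False, "code already used by this account"
        self.redeemed[account_id].add(code)
        order["promo"] = code
        # never discount more than the order is worth
        order["discount"] = min(self.coupons[code], order.get("total", 0))
        return True, "applied"
```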

Page 14: ISSA Infraguard ISACA Tampa 06192009

When Google becomes a major source of public record, interesting opportunities begin to arise.

Low-Tech Google Hacking

Page 15: ISSA Infraguard ISACA Tampa 06192009

Super BlackHat SEO

http://www.bcheights.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9

Target large universities with public webcams and redirect the feeds to a subscription website.

Call in bomb threats (hoax) to Boston College, Purdue, Clemson, University of North Carolina, and Florida State to drive traffic.

Advertise live police response video footage via Skype and profit ($?)

Juvenile male suspect arrested.

Page 16: ISSA Infraguard ISACA Tampa 06192009

Google Earth Recon

Roofer Tom Berge used the aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour). Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap. He was sentenced to eight months in prison, suspended for two years, after confessing to more than 30 offences.

http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-with-valuable-lead-roofs.html

Page 18: ISSA Infraguard ISACA Tampa 06192009

People order things online, then change their minds, and cancel. Strict management processes need to be in place.

Buyer’s Remorse

Page 19: ISSA Infraguard ISACA Tampa 06192009

Woman admits fleecing shopping network of more than $412,000
http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/
http://consumerist.com/consumer/crime/woman-exploited-bug-on-qvc-website-to-steal-over-400k-in-merchandise-317045.php
http://www.msnbc.msn.com/id/21534526/

Profited $412,000

• Quantina Moore-Perry, 33, of Greensboro, N.C.
• Ordered (then cancelled) over 1,800 items online at QVC, including handbags, housewares, jewelry and electronics
• Products were shipped anyway
• Auctioned off on eBay

Page 20: ISSA Infraguard ISACA Tampa 06192009

“QVC became aware of the problem after being contacted by two people who bought the items, still in QVC packaging, on the online auction site.”

Pleaded guilty in federal court to wire fraud.

Page 21: ISSA Infraguard ISACA Tampa 06192009

FTC - Unordered Merchandise
http://www.ftc.gov/bcp/edu/pubs/consumer/products/pro15.shtm

Page 22: ISSA Infraguard ISACA Tampa 06192009

Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.

iCan fix your iPod

Page 23: ISSA Infraguard ISACA Tampa 06192009

Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods.

He abuses Apple's Advance Replacement Program by guessing iPod serial numbers, backing each request with a Visa-branded gift card ($1 pre-auth).

He repeats the process 9,075 times, resells the “replacements” at heavily discounted prices ($49), and denies any Apple credit charges.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html

Charged with trademark infringement, fraud, and money-laundering.

Page 24: ISSA Infraguard ISACA Tampa 06192009

Scams that scale

“Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam.”

Page 25: ISSA Infraguard ISACA Tampa 06192009

Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.

Magic Cookies

Page 26: ISSA Infraguard ISACA Tampa 06192009

The Players

Merchant: Pays commissions to affiliates for customer clicks, account sign-ups, purchases, etc.

Affiliate: Collects commissions for driving customers towards merchants, paid as cost-per-click (CPC) or cost-per-acquisition (CPA).

Customer: The person who buys stuff or signs up for promotions.

Affiliate Network: Technology framework connecting and monitoring the merchant, affiliate, and customer.

Page 27: ISSA Infraguard ISACA Tampa 06192009

Page 28: ISSA Infraguard ISACA Tampa 06192009

The way it’s supposed to

1. The affiliate signs up with an affiliate network and places special links on their web page(s):

<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

2. When users click the link, their browser is sent through the affiliate network, where it receives a special tracking cookie, and is then redirected to the merchant page:

Set-Cookie: AffiliateID=100

3. If the customer buys something within X time period (i.e. the affiliate cookie still exists), the affiliate receives a commission.

Using effective SEO tactics...

Page 29: ISSA Infraguard ISACA Tampa 06192009

Page 30: ISSA Infraguard ISACA Tampa 06192009

Page 31: ISSA Infraguard ISACA Tampa 06192009

http://hubpages.com/hub/Google_Adsense_King_-_1_Million_Dollars_Check_-_Markus_Frind_Exclusive_Interview

Page 32: ISSA Infraguard ISACA Tampa 06192009

“It was a check for 2 months because the first check they sent was so big it was rejected by his bank.”

Page 33: ISSA Infraguard ISACA Tampa 06192009

Cookie-Stuffing Circa 2002

Nothing besides the affiliate networks’ pesky terms of service requires the user to actually “click a link” to be cookied with an affiliate ID.

Instead of:

<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

Use:

<img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">

or:

<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>

Invisible!

Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud http://www.cgisecurity.org/2008/08/affiliate-progr.html

Page 34: ISSA Infraguard ISACA Tampa 06192009

http://www.blackhatworld.com/blackhat-seo/
http://www.seoblackhat.com/forum/

By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.

Aggressive affiliates figured out they could post their code anywhere online, not just on their own websites (message boards, guest books, social networks, etc.).

Page 35: ISSA Infraguard ISACA Tampa 06192009

Cookie-Stuffing Circa 2007

Affiliates start posting their code on SSL pages.

“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” - RFC 2616

Bottom line: no referer is sent with the affiliate hit, so there is nothing to track. FYI: not every browser behaves this way, but there are many other methods to do the same using meta-refreshes and JavaScript.

SEO Code Injection
http://technicalinfo.net/papers/SEOCodeInjection.html
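As an added example, not code from the deck or from any affiliate network: a Python profiler run over constructed affiliate-network log lines that applies the signals the last few slides describe. It compares each affiliate's conversion rate with the rest of the network, counts hits that arrive without a Referer (which, as the RFC 2616 excerpt notes, can be legitimate for HTTPS-to-HTTP requests and so is never used on its own), and reads the browser's Sec-Fetch-Dest header, a newer signal not in the 2009 deck that distinguishes an <img> or <iframe> load from a real navigation. The log format, affiliate ids and thresholds are constructed.

```python
import re
from collections import defaultdict

# Added example, not from the deck. Constructed affiliate-network log: one
# line per hit on the tracking/redirect endpoint ("click") or per purchase
# attributed to the affiliate cookie ("conversion"). ref=- means no Referer
# arrived; dest is the browser's Sec-Fetch-Dest value ("-" when absent).
LOG = """\
2009-06-01T10:00:01 click aff=100 ref=http://reviews.example/post1 dest=document
2009-06-01T10:00:09 click aff=100 ref=http://reviews.example/post1 dest=document
2009-06-01T10:00:20 click aff=100 ref=- dest=document
2009-06-01T10:00:40 conversion aff=100
2009-06-01T10:01:00 click aff=100 ref=http://reviews.example/post2 dest=document
2009-06-01T10:01:30 conversion aff=100
2009-06-01T10:02:00 click aff=777 ref=http://forum.example/thread/9 dest=image
2009-06-01T10:02:01 click aff=777 ref=- dest=iframe
2009-06-01T10:02:02 click aff=777 ref=- dest=-
2009-06-01T10:02:03 click aff=777 ref=http://guestbook.example/ dest=image
2009-06-01T10:02:04 click aff=777 ref=- dest=iframe
2009-06-01T10:02:05 click aff=777 ref=- dest=image
2009-06-01T10:02:06 click aff=777 ref=http://social.example/u/9 dest=image
2009-06-01T10:02:07 click aff=777 ref=- dest=-
2009-06-01T10:05:00 conversion aff=777
"""
LINE = re.compile(r"^\S+ (click|conversion) aff=(\d+)(?: ref=(\S+) dest=(\S+))?$")


def profile(log):
    """Per-affiliate counters: hits, conversions, hits without Referer, and
    hits whose Sec-Fetch-Dest says image/iframe rather than a navigation."""
    stats = defaultdict(lambda: {"clicks": 0, "conv": 0, "noref": 0, "embedded": 0})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                     # skip lines that do not parse
        event, aff, ref, dest = m.groups()
        s = stats[aff]
        if event == "conversion":
            s["conv"] += 1
            continue
        s["clicks"] += 1
        if ref == "-":
            s["noref"] += 1
        if dest in ("image", "iframe"):
            s["embedded"] += 1
    return stats


def suspicious(stats, min_clicks=3):
    """Flag affiliates whose hits are mostly image/iframe loads, or whose
    conversion rate is a fraction of everyone else's while most hits carry
    no Referer. A missing Referer alone is never enough (RFC 2616)."""
    total_clicks = sum(s["clicks"] for s in stats.values())
    total_conv = sum(s["conv"] for s in stats.values())
    flagged = {}
    for aff, s in stats.items():
        if s["clicks"] < min_clicks:
            continue                     # too little data to judge
        rate = s["conv"] / s["clicks"]
        rest_clicks = total_clicks - s["clicks"]
        rest_rate = (total_conv - s["conv"]) / rest_clicks if rest_clicks else 0.0
        reasons = []
        if s["embedded"] / s["clicks"] > 0.5:
            reasons.append("most hits are image/iframe loads, not navigations")
        if rate < rest_rate / 2 and s["noref"] / s["clicks"] > 0.5:
            reasons.append("conversion rate far below the rest, most hits lack Referer")
        if reasons:
            flagged[aff] = reasons
    return flagged
```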

Page 36: ISSA Infraguard ISACA Tampa 06192009

Insider: someone with a fiduciary role within a company, such as a corporate executive, investment banker or attorney. Not a hacker.

Trading on Semi-public Information

Page 37: ISSA Infraguard ISACA Tampa 06192009

Getting the word out...

Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Various organizations funnel press releases to Business Wire; some are embargoed temporarily because the information may affect the value of a stock.

Press release files are uploaded to the Web server (Business Wire) but not linked until the embargo is lifted. At that time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:

http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html

Before granting read access to a press release Web page, the system ensures the user is properly logged in.

Page 38: ISSA Infraguard ISACA Tampa 06192009

Just because you cannot see it does not mean it is not there...

An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion.

And while the links might not yet exist because the embargo was in place, that didn’t mean a user couldn’t guess the filename and gain access to the file. This worked because the only security check Business Wire performed was that the user was properly logged in, nothing more.

According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.

SEC Vs. The Estonian Spiders
http://www.webpronews.com/topnews/2005/11/02/sec-vs-the-estonian-spiders
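As an added example, not the deck's or Business Wire's code: a Python sketch of the press-release handler with the login-only check beside a hardened handler that also enforces the embargo server-side, plus a helper that walks the predictable URLs as a logged-in user to show what each handler reveals. The release paths, bodies, embargo times and the fixed "current time" are constructed; the hardened handler returns the same 404 for unknown and still-embargoed files, so guessing names learns nothing.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Added example, not the deck's or Business Wire's code. Paths, bodies and
# embargo times below are constructed sample data.

UTC = timezone.utc
NOW = datetime(2007, 8, 29, 14, 0, tzinfo=UTC)     # fixed "current time"
LATER = datetime(2007, 8, 29, 17, 0, tzinfo=UTC)   # after release 2's embargo


@dataclass
class PressRelease:
    path: str
    body: str
    embargo_until: datetime   # may be linked and read only from this time on


def release_url(year, month, day, seq):
    """Predictable naming scheme from the deck: /press_release/MM/DD/YYYY/NNNNN.html"""
    return f"/press_release/{month:02d}/{day:02d}/{year}/{seq:05d}.html"


SITE = {
    release_url(2007, 8, 29, 1): PressRelease(
        release_url(2007, 8, 29, 1), "Q2 results (public)",
        datetime(2007, 8, 29, 9, 0, tzinfo=UTC)),
    release_url(2007, 8, 29, 2): PressRelease(
        release_url(2007, 8, 29, 2), "Merger announcement (embargoed)",
        datetime(2007, 8, 29, 16, 0, tzinfo=UTC)),
    release_url(2007, 8, 29, 3): PressRelease(
        release_url(2007, 8, 29, 3), "Profit warning (embargoed)",
        datetime(2007, 8, 30, 9, 0, tzinfo=UTC)),
}


def serve_vulnerable(site, logged_in, path, now=NOW):
    """Login is the only check, as in the deck: an uploaded-but-unlinked file
    is readable by anyone who can guess its name. 'now' is ignored."""
    if not logged_in:
        return 401, None
    pr = site.get(path)
    if pr is None:
        return 404, None
    return 200, pr.body


def serve_hardened(site, logged_in, path, now=NOW):
    """Login plus an authorization decision on the object itself: embargoed
    files are withheld and look exactly like files that do not exist."""
    if not logged_in:
        return 401, None
    pr = site.get(path)
    if pr is None or now < pr.embargo_until:
        return 404, None
    return 200, pr.body


def readable_sequence(site, handler, year, month, day, max_seq):
    """Walk NNNNN = 1..max_seq as a logged-in user; return the seqs served 200."""
    return [seq for seq in range(1, max_seq + 1)
            if handler(site, True, release_url(year, month, day, seq))[0] == 200]
```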

Page 39: ISSA Infraguard ISACA Tampa 06192009

A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market ...

• Hacker enters ~$42,000 in sell orders betting the stock will fall

• The stock fell sharply making the hacker ~$300,000

• Red flags appear and the SEC freezes the funds

• Funds are ordered to be released, “Dorozhko’s alleged ‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation” of securities laws, Judge Naomi Reice Buchwald

• The Times speculates that the DoJ has simply deemed the case not worth pursuing - probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.

Ukrainian Hacker Makes a Killing in Stock Market Fraud
http://blog.wired.com/27bstroke6/2008/02/ukrainian-hacke.html

Ukrainian hacker may get to keep profits
http://www.vnunet.com/vnunet/news/2209899/hacker-keep-profits

Page 40: ISSA Infraguard ISACA Tampa 06192009

http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html
http://consumerist.com/5048362/google-placed-wrong-date-on-ual-story-stock-yo+yo-ensues
http://www.forbes.com/2008/09/08/ual-tribune-bankruptcy-biz-media-cz_ja_tvr_0908ualstory.html
http://www.theregister.co.uk/2008/09/10/ua_bankruptcy_farce/

A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines into the most-viewed business story category on the South Florida Sun Sentinel's Web site.

Google indexed the new link and the story appeared on Google News.

Pump and Dump Scams Evolve

A Miami advisory firm performed a Google search for bankruptcies on Monday morning that returned the 2002 UAL story; they mistook it for current news, and it was subsequently distributed through the Bloomberg News Service.

United Airlines' stock price sank more than 75%, slipping down from $12 to a $3 level before trading was suspended. After the dust settled, shares returned to near normal levels.

Page 41: ISSA Infraguard ISACA Tampa 06192009

The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLA agreements, and discrete distribution of services. Hackers and botnets can be easily rented.

Hackers for Hire

Page 42: ISSA Infraguard ISACA Tampa 06192009

Page 43: ISSA Infraguard ISACA Tampa 06192009

Online Permit Management

In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log and to track the timber leaving the Amazon state of Para.

“We've pointed out before that this method of controlling the transport of timber was subject to fraud.”

André Muggiati, Campaigner, Amazon office in Manaus, Greenpeace International

Page 44: ISSA Infraguard ISACA Tampa 06192009

Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders.

As a result, an estimated 1.7 million cubic metres of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.

Amazonian Rainforest Hack

http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16

Page 45: ISSA Infraguard ISACA Tampa 06192009

Tip of the iceberg: same computer system is used in two other Brazilian states.

$833,000,000

Page 46: ISSA Infraguard ISACA Tampa 06192009

Other Permits Managers

Page 47: ISSA Infraguard ISACA Tampa 06192009

Hiring the Good Guys

“By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems.”

KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities

http://news.cnet.com/8301-1009_3-10236028-83.html
http://www.darkreading.com/security/government/showArticle.jhtml
http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf

Page 48: ISSA Infraguard ISACA Tampa 06192009

Business logic flaws = $$$: a prime target for the bad guys.

Test often, test everywhere: threat model. Not all vulnerabilities can be identified in the design phase, by analyzing the code, or even during QA.

Detect attacks by profiling: HTTP requests appear legitimate, but active attacks will appear anomalous. He who has the most points, credits, or in-system cash is probably a cheater.

Page 49: ISSA Infraguard ISACA Tampa 06192009

Google Hacking - $ low six figures

Scamming eCommerce - $ mid six figures

Exploiting Affiliate Networks - $ seven figures

Gaming the stock market - $ high seven figures

PRICELESS

Manipulating return policy systems - $ high six figures

defrauding online permits - $ high nine figures

Free pizza with secret coupon codes...
