ISSA Infraguard ISACA Tampa 06192009
Mo’ Money Mo’ Problems
© 2009 WhiteHat, Inc.
Jeremiah Grossman, Founder & Chief Technology Officer
06.19.2009
Making A LOT more money on the Web the black hat way
Jeremiah Grossman
• Technology R&D and industry evangelist (InfoWorld's CTO Top 25 for 2007)
• Frequent international conference speaker
• Co-founder of the Web Application Security Consortium
• Co-author: Cross-Site Scripting Attacks
• Former Yahoo! information security officer
WhiteHat Security
• 200+ enterprise customers, start-ups to Fortune 500
• Flagship offering “WhiteHat Sentinel Service”
• 1000’s of assessments performed annually
• Recognized leader in website security
• Quoted hundreds of times by the mainstream press
Threats / Attackers
‘The Analyzer’ allegedly hacked into multiple financial institutions using SQL Injection to steal credit and debit card numbers that were then used by thieves in several countries to withdraw more than $1 million from ATMs. Geeks.com, Guess, Petco, CardSystems, USC, etc.
Cyber criminals use XSS vulnerabilities to create very convincing phishing scams that appear on the real website as opposed to a fake one. JavaScript malware steals victims’ session cookies and passwords. Y! Mail, PayPal, SunTrust, Italian banks, etc.
With Mass SQL Injection, automated worms insert malicious JavaScript IFRAMEs (pointing to malware servers) into back-end databases and use the capability to exploit unpatched Web browsers. According to Websense, “75 percent of Web sites with malicious code are legitimate sites that have been compromised.”
Threat Capabilities
Fully Targeted:
• Discover unlinked / hidden functionality
• Exercise business processes
• Customize business logic flaw exploits
• Leverage information leakage
• Interact with other customers
• Perform multi-stage attacks
Directed Opportunistic:
• Authenticated crawling
• Authenticated attacks
• Intelligent HTML form submission
• Test for technical vulnerabilities
• Customize exploits
• SQL Injection (data extraction)
• Cross-Site Scripting (phishing)
Random Opportunistic:
• Unauthenticated crawling
• Unauthenticated attacks
• Test all attack surface discovered
• Destructive attacks
• Automated HTML form submission
• SQL Injection (code insertion)
• Persistent Cross-Site Scripting
• Advanced filter evasion techniques
• Generic exploits
Website Classes of Attacks
Technical: Automation Can Identify
Command Execution
• Buffer Overflow
• Format String Attack
• LDAP Injection
• OS Commanding
• SQL Injection
• SSI Injection
• XPath Injection
Information Disclosure
• Directory Indexing
• Information Leakage
• Path Traversal
• Predictable Resource Location
Client-Side
• Content Spoofing
• Cross-site Scripting
• HTTP Response Splitting*
Business Logic: Humans Required
Authentication
• Brute Force
• Insufficient Authentication
• Weak Password Recovery Validation
• CSRF*
Authorization
• Credential/Session Prediction
• Insufficient Authorization
• Insufficient Session Expiration
• Session Fixation
Logical Attacks
• Abuse of Functionality
• Denial of Service
• Insufficient Anti-automation
• Insufficient Process Validation
WASC 24 (+2)* Classes of Attacks: http://www.webappsec.org/projects/threat/
WhiteHat Security Top Ten: percentage likelihood of a website having a vulnerability by class
• Cross-Site Scripting
• Information Leakage
• Content Spoofing
• Insufficient Authorization
• SQL Injection
• Predictable Resource Location
• Session Fixation
• Cross-Site Request Forgery
• Insufficient Authentication
• HTTP Response Splitting
Total websites: 1,031
Identified vulnerabilities: 17,888; unresolved: 7,157 (60% resolution rate)
Websites having had at least one HIGH, CRITICAL, or URGENT issue: 82%
Lifetime average number of vulnerabilities per website: 17
Websites currently with at least one HIGH, CRITICAL, or URGENT issue: 63%
Current average of unresolved vulnerabilities per website: 7
WhiteHat Website Security Statistics Report (March 2009): http://www.whitehatsec.com/home/resource/stats.html
QA overlooks them: tests what software should do, not what it can be made to do.
Scanners can’t identify them: they lack intelligence and don’t know if something worked (or not).
WAFs / IDSs can’t defend them: HTTP requests appear completely normal.
Hackers exploit them: 230+ million websites, 1+ million using SSL.
Online advertising campaigns distribute coupon and promo codes redeemable for discounts and other freebies. Some codes are more valuable than others.
Promo codes for cheapskates
• X% and $X off sales
• Free shipping
• 2 for 1 specials
• Add-ons & upgrades
MacWorld Hacker VIP
http://grutztopia.jingojango.net/2007/01/your-free-macworld-expo-platinum-pass_11.html
http://grutztopia.jingojango.net/2008/01/another-free-macworld-platinum-pass-yes.html
http://grutztopia.jingojango.net/2008/02/your-client-side-security-sucks.html
Client-Side Hacking: Back to Back Free MacWorld Platinum Pass ($1,695)
Free Pizza Tastes Better
March 31, 2009...
1. Go to the Domino's Pizza site.
2. Order a medium one-topping pizza.
3. Enter coupon code “BAILOUT”. FREE!
Still have to go pick it up!
Share the Knowledge
11,000 X $7.00 = $70,000
http://consumerist.com/5193012/dominos-accidentally-gives-away-11000-pizzas-in-bailout-promotion
http://news.cnet.com/8301-13845_3-10207986-58.html
http://offtopics.com/sales-coupons-promo-codes/1797-free-papa-johns-pizza-coupon-code-hack.html
“Spoke to a Domino's rep, who told me the free-pizza code was created internally for a promotion that was never actually green-lit.”
Oops!
Other Tricks
• Guess / brute force (no CAPTCHAs)
• Stacking multiple codes
• Delete cookies (don’t forget Flash)
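The three tricks above all exploit the same weakness: a redemption system that trusts a short guessable word and keeps its state in the browser. The following is an added example (not code from the talk or from any merchant named in it) of what a promo-code redeemer looks like when it defends against each of them: high-entropy codes, server-side throttling keyed by account so cookie deletion does not reset the counter, one redemption per account, and no stacking unless a code is explicitly marked stackable. The code values, thresholds and the account/coupon tables are all constructed for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

@dataclass
class Coupon:
    discount: float          # fraction off the order subtotal
    uses_left: int           # global redemption budget
    stackable: bool = False  # may be combined with other stackable codes

# Constructed promo-code table (hypothetical values). Codes are random tokens,
# not dictionary words like "BAILOUT", so they cannot be guessed in a few tries.
COUPONS = {
    "k3Vq8zT1pLx9": Coupon(discount=0.25, uses_left=100),
    "7wB2nQ4sYd0e": Coupon(discount=0.0, uses_left=100, stackable=True),  # free shipping
}

MAX_FAILURES = 5       # bad codes tolerated per account per window
WINDOW_SECONDS = 600

@dataclass
class Account:
    account_id: str
    failures: list = field(default_factory=list)  # timestamps of rejected codes
    redeemed: set = field(default_factory=set)    # codes this account already used

def generate_code(nbytes: int = 9) -> str:
    """Unguessable promo code: 72 bits of entropy, URL-safe, 12 characters."""
    return secrets.token_urlsafe(nbytes)

def _lookup(code: str):
    # Constant-time comparison against every stored code so response timing
    # does not leak how many leading characters of a guess were right.
    match = None
    for stored, coupon in COUPONS.items():
        if hmac.compare_digest(stored.encode(), code.encode()):
            match = coupon
    return match

def redeem(account: Account, code: str, applied: list, now: float = None) -> tuple:
    """Try to apply `code` to an order that already carries the codes in `applied`.
    Returns (ok, reason). All state lives server-side, keyed by account, so
    clearing browser cookies (or Flash cookies) resets nothing."""
    now = time.time() if now is None else now
    # Throttle guessing: keep only failures inside the sliding window.
    account.failures = [t for t in account.failures if now - t < WINDOW_SECONDS]
    if len(account.failures) >= MAX_FAILURES:
        return False, "too many attempts; try later"
    coupon = _lookup(code)
    if coupon is None:
        account.failures.append(now)
        return False, "invalid code"
    if code in account.redeemed:
        return False, "code already used by this account"
    # No stacking unless every code involved is explicitly marked stackable.
    if applied and not (coupon.stackable and all(COUPONS[c].stackable for c in applied)):
        return False, "codes cannot be combined"
    if coupon.uses_left <= 0:
        return False, "code exhausted"
    coupon.uses_left -= 1
    account.redeemed.add(code)
    applied.append(code)
    return True, "applied"

if __name__ == "__main__":
    acct = Account("alice")
    order_codes = []
    print(redeem(acct, "BAILOUT", order_codes))        # (False, 'invalid code')
    print(redeem(acct, "k3Vq8zT1pLx9", order_codes))   # (True, 'applied')
    print(redeem(acct, "7wB2nQ4sYd0e", order_codes))   # (False, 'codes cannot be combined')
```

The throttle counts failures per account rather than per session cookie; an unauthenticated checkout would need the same counter keyed by something the client cannot simply discard (a rate limit on the endpoint itself, for instance).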
When Google becomes a major source of public record, interesting opportunities begin to arise.
Low-Tech Google Hacking
Super BlackHat SEO
http://www.bcheights.com/home/index.cfm?event=displayArticlePrinterFriendly&uStory_id=14cd304c-26e2-40ab-a51d-4a2d79274cd9
Target large universities with public webcams and redirect the feeds to a subscription website.
Call in bomb threats (hoax) to Boston College, Purdue, Clemson, University of North Carolina, and Florida State to drive traffic.
Advertise live police response video footage via Skype and profit ($?)
Juvenile male suspect arrested.
Google Earth Recon
Roofer Tom Berge used the aerial photographs of towns across the world to pinpoint museums, churches and schools across south London with lead roof tiles (darker colour). Berge and his accomplices used ladders and abseiling ropes to strip the roofs and took the lead away (£100,000) in a stolen vehicle to be sold for scrap. Sentenced to eight months in prison – suspended for two years – after confessing to more than 30 offenses.
http://www.independent.co.uk/news/uk/crime/thief-googled-163100000-lead-roofs-1645734.html
http://www.telegraph.co.uk/news/uknews/4995293/Google-Earth-used-by-thief-to-pinpoint-buildings-with-valuable-lead-roofs.html
Google Maps vs. Spammers
http://blumenthals.com/blog/2009/02/25/google-maps-vs-locksmiths-spammers-spammers-winning/
http://thehollytree.blogspot.com/2008/02/scam-alert-phony-israeli-owned.html
People order things online, then change their minds, and cancel. Strict management processes need to be in place.
Buyer’s Remorse
Woman admits fleecing shopping network of more than $412,000
http://www.theregister.co.uk/2007/10/30/website_fraud_guilty_plea/
http://consumerist.com/consumer/crime/woman-exploited-bug-on-qvc-website-to-steal-over-400k-in-merchandise-317045.php
http://www.msnbc.msn.com/id/21534526/
Profited $412,000
Quantina Moore-Perry, 33, of Greensboro, N.C.,
Ordered (then cancelled) over 1,800 items online at QVC including handbags, housewares, jewelry and electronics
Products were shipped anyway
Auctioned off on eBay
“QVC became aware of the problem after being contacted by two people who bought the items, still in QVC packaging, on the online auction site.”
Pleaded guilty in federal court to wire fraud.
FTC - Unordered Merchandise http://www.ftc.gov/bcp/edu/pubs/consumer/products/pro15.shtm
Sometimes electronics break or are defective and customers would like to return the item. Online systems are designed to facilitate this process.
iCan fix your iPod
Nicholas Arthur Woodhams, 23, from Kalamazoo, Michigan, sets up shop online to repair iPods.
Abuse Apple's Advance Replacement Program by guessing iPod serial numbers, backed with Visa-branded gift cards ($1 pre-auth).
Repeat the process 9,075 times, resell the “replacements” at heavily discounted prices ($49), and deny any Apple credit charges.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130136&intsrc=news_ts_head
http://www.macworld.com/article/139522/23yearold_michigan_man_busted_for_ipod_fraud.html
http://www.appleinsider.com/articles/08/06/26/apple_makes_example_of_ipod_repairman_in_lawsuit.html
http://launderingmoney.blogspot.com/2009/03/money-laundering-charges-for-kalamazoo.html
Charged with trademark infringement, fraud, and money-laundering.
Scams that scale
“Federal prosecutors have asked U.S. District Court Judge Robert Bell to let them seize real estate and personal property -- including a 2004 Audi and a 2006 drag racer -- as well as more than $571,000 in cash belonging to Woodhams, all alleged to be proceeds from his scam.”
Online merchants and advertisers enlist the services of affiliate networks to drive traffic and/or customers to their websites in exchange for a share of the revenue generated.
Magic Cookies
The Players
Merchant: pays commissions to affiliates for customer clicks, account sign-ups, purchases, etc.
Affiliate: collects commissions for driving customers towards merchants in the form of cost-per-click (CPC) or cost-per-acquisition (CPA).
Customer: the person who buys stuff or signs up for promotions.
Affiliate Network: technology framework connecting and monitoring the merchant, affiliate, and customer.
The way it’s supposed to
1. Affiliate signs up with an affiliate network and places special links on their web page(s):
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
2. When users click the link, their browser is sent through the affiliate network, where it receives a special tracking cookie, and is then redirected to the merchant page:
Set-Cookie: AffiliateID=100
3. If the customer buys something within X time period (i.e. the affiliate cookie still exists), the affiliate receives a commission.
Using effective SEO tactics...
http://hubpages.com/hub/Google_Adsense_King_-_1_Million_Dollars_Check_-_Markus_Frind_Exclusive_Interview
“It was a check for 2 months because the first check they sent was so big it was rejected by his bank.”
Cookie-Stuffing Circa 2002
Nothing besides pesky affiliate network terms of service requires the user to actually “click a link” to be cookied with an affiliate ID.
Instead of:
<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>
Use:
<img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">
or:
<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/" width="0" height="0"></iframe>
Invisible!
Affiliate Programs Vulnerable to Cross-site Request Forgery Fraud http://www.cgisecurity.org/2008/08/affiliate-progr.html
http://www.blackhatworld.com/blackhat-seo/
http://www.seoblackhat.com/forum/
By 2005, merchants and affiliate networks got wise to cookie stuffing, started monitoring referers and conversion rates, and began kicking out suspicious affiliates.
Aggressive affiliates figure out they can post their code anywhere online and not just on their own websites (message boards, guest books, social networks, etc.).
Cookie-Stuffing Circa 2007
Affiliates start posting their code on SSL pages.
“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” - RFC 2616
Bottom line: no referer is sent to the affiliate to be tracked. FYI: not every browser behaves this way, but there are many other methods to do the same using meta-refreshes and JavaScript.
SEO Code Injection: http://technicalinfo.net/papers/SEOCodeInjection.html
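The two slides above describe the network-side response to cookie stuffing (watch referers and conversion rates) and why the referer alone stopped being reliable once affiliates moved to SSL pages. As an added example, not taken from the talk or from any affiliate network, here is the kind of per-affiliate profiling an affiliate network could run over its tracking log, which also illustrates the closing slide's "detect attacks by profiling" advice: a real click converts at some normal rate and arrives as a navigation, while a stuffed cookie arrives as a hidden image or iframe load and almost never converts. The log format, thresholds and affiliate IDs are constructed; the Sec-Fetch-Dest header used to tell navigations from subresource loads is a modern browser header assumed to be recorded by the tracking endpoint, and a missing Referer is deliberately treated as corroborating evidence only.

```python
from collections import defaultdict

MIN_CLICKS = 50           # too little traffic to judge below this
LOW_CONVERSION = 0.002    # click-to-sale ratio below this is suspicious
SUBRESOURCE_SHARE = 0.5   # share of hits that arrived as img/iframe loads

def summarize(events):
    """Aggregate tracking hits and sales per affiliate_id."""
    stats = defaultdict(lambda: {"clicks": 0, "sales": 0, "no_referer": 0, "subresource": 0})
    for e in events:
        s = stats[e["affiliate_id"]]
        if e["type"] == "sale":
            s["sales"] += 1
            continue
        s["clicks"] += 1
        if not e.get("referer"):
            s["no_referer"] += 1
        # Sec-Fetch-Dest is a modern browser header (assumed logged here):
        # "document" is a real navigation; "image" or "iframe" means the
        # tracking URL was loaded as a hidden subresource.
        if e.get("fetch_dest") not in (None, "document"):
            s["subresource"] += 1
    return stats

def flag_affiliates(events):
    """Return {affiliate_id: [reasons]} for affiliates whose traffic profile
    looks like cookie stuffing rather than real clicks."""
    flagged = {}
    for aid, s in summarize(events).items():
        if s["clicks"] < MIN_CLICKS:
            continue
        reasons = []
        rate = s["sales"] / s["clicks"]
        if rate < LOW_CONVERSION:
            reasons.append(f"conversion rate {rate:.4f} below {LOW_CONVERSION}")
        if s["subresource"] / s["clicks"] > SUBRESOURCE_SHARE:
            reasons.append("most hits loaded as img/iframe, not navigations")
        # A missing Referer only corroborates: browsers drop it on HTTPS to
        # HTTP transitions, so on its own it never flags anyone.
        if reasons and s["no_referer"] / s["clicks"] > 0.5:
            reasons.append("most hits carry no Referer")
        if reasons:
            flagged[aid] = reasons
    return flagged

def make_events():
    """Constructed sample log. Affiliate 100 sends real clicks that convert;
    affiliate 200 sends thousands of hidden iframe loads that almost never do."""
    events = []
    events += [{"affiliate_id": 100, "type": "click",
                "referer": "http://affiliate100.example/review", "fetch_dest": "document"}] * 100
    events += [{"affiliate_id": 100, "type": "sale"}] * 3
    events += [{"affiliate_id": 200, "type": "click", "referer": "", "fetch_dest": "iframe"}] * 2000
    events += [{"affiliate_id": 200, "type": "sale"}] * 2
    return events

if __name__ == "__main__":
    for aid, reasons in flag_affiliates(make_events()).items():
        print(aid, reasons)
```

Conversion rate is the signal that survives every evasion on these slides, because a stuffed cookie still has to be paid for by a sale; the subresource and referer checks only sharpen the verdict.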
Insider: someone with a fiduciary role within a company, such as a corporate executive, investment banker or attorney. Not a hacker.
Trading on Semi-public Information
Getting the word out...
Business Wire provides a service where registered website users receive a stream of up-to-date press releases. Press releases are funneled to Business Wire by various organizations and are sometimes embargoed temporarily because the information may affect the value of a stock.
Press release files are uploaded to the Web server (Business Wire), but not linked, until the embargo is lifted. At that time, the press release Web pages are linked into the main website and users are notified with URLs similar to the following:
http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html
Before granting read access to the press release Web page, the system ensures the user is properly logged in.
Just because you cannot see it does not mean it is not there...
An Estonian financial firm discovered that the press release Web page URLs were named in a predictable fashion.
And, while links might not yet exist because the embargo was in place, that didn’t mean a user couldn’t guess the filename and gain access to the file. This method worked because the only security check Business Wire conducted was to ensure the user was properly logged in, nothing more.
According to the SEC, which began an investigation, Lohmus Haavel & Viisemann profited over $8 million by trading on the information they obtained.
SEC Vs. The Estonian Spiders: http://www.webpronews.com/topnews/2005/11/02/sec-vs-the-estonian-spiders
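The flaw on these two slides is an authentication check standing in for an authorization check: the server asked "is this user logged in?" when it needed to ask "has this release's embargo lifted?". The following added example (not Business Wire's code, nor anything from the talk) shows the auth-only lookup the slides describe beside a hardened version that enforces the embargo server-side and, as defense in depth, stages files under random identifiers instead of a sequential counter. The store, the class names and the dates in the usage are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class PressRelease:
    release_id: str                    # random token, not a sequential counter
    embargo_until: Optional[datetime]  # UTC; None means public immediately
    body: str

@dataclass
class User:
    user_id: str
    authenticated: bool

class PressReleaseStore:
    """Hypothetical press-release store (example code, not Business Wire's)."""

    def __init__(self):
        self._releases = {}

    def stage(self, body: str, embargo_until: Optional[datetime]) -> str:
        """Upload a release ahead of time. The identifier is unguessable, so a
        crawler cannot walk 00001.html, 00002.html, ... to find staged files."""
        rid = secrets.token_urlsafe(16)
        self._releases[rid] = PressRelease(rid, embargo_until, body)
        return rid

    def fetch_auth_only(self, user: User, rid: str) -> Optional[str]:
        """The check the slide describes: any logged-in user may read any file
        that exists on the server, embargoed or not."""
        if not user.authenticated:
            return None
        pr = self._releases.get(rid)
        return pr.body if pr else None

    def fetch(self, user: User, rid: str, now: Optional[datetime] = None) -> Optional[str]:
        """Authentication plus an authorization check that the embargo has lifted.
        Embargoed and non-existent releases look identical to the caller, so the
        endpoint is not an oracle for 'is something staged under this id?'."""
        now = now or datetime.now(timezone.utc)
        if not user.authenticated:
            return None
        pr = self._releases.get(rid)
        if pr is None or (pr.embargo_until is not None and now < pr.embargo_until):
            return None
        return pr.body

    def listing(self, user: User, now: Optional[datetime] = None) -> list:
        """What subscribers are notified about: only releases past their embargo."""
        now = now or datetime.now(timezone.utc)
        if not user.authenticated:
            return []
        return [rid for rid, pr in self._releases.items()
                if pr.embargo_until is None or now >= pr.embargo_until]

if __name__ == "__main__":
    store = PressReleaseStore()
    lift = datetime(2007, 8, 29, 14, 0, tzinfo=timezone.utc)      # constructed embargo time
    rid = store.stage("Quarterly results (constructed sample)", lift)
    subscriber = User("subscriber", authenticated=True)
    early = datetime(2007, 8, 29, 12, 0, tzinfo=timezone.utc)
    print(store.fetch_auth_only(subscriber, rid))   # body is served two hours early
    print(store.fetch(subscriber, rid, now=early))  # None: embargo still in force
    print(store.fetch(subscriber, rid, now=lift))   # body, once the embargo lifts
```

The unguessable identifier is the cheap part; the check inside fetch is what closes the hole, because it holds even if an identifier leaks or the naming scheme is ever changed back to something predictable.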
A Ukrainian hacker breaks into Thomson Financial and steals a gloomy results announcement for IMS Health, hours before its release to the stock market...
• Hacker enters ~$42,000 in sell orders betting the stock will fall
• The stock fell sharply, making the hacker ~$300,000
• Red flags appear and the SEC freezes the funds
• Funds are ordered to be released: “Dorozhko’s alleged ‘stealing and trading’ or ‘hacking and trading’ does not amount to a violation” of securities laws, Judge Naomi Reice Buchwald
• The Times speculates that the DoJ has simply deemed the case not worth pursuing, probably due to the difficulties involved in gaining cooperation from local authorities to capture criminals in Ukraine.
Ukrainian Hacker Makes a Killing in Stock Market Fraud: http://blog.wired.com/27bstroke6/2008/02/ukrainian-hacke.html
Ukrainian hacker may get to keep profits: http://www.vnunet.com/vnunet/news/2209899/hacker-keep-profits
http://blog.wired.com/27bstroke6/2008/09/six-year-old-st.html
http://consumerist.com/5048362/google-placed-wrong-date-on-ual-story-stock-yo+yo-ensues
http://www.forbes.com/2008/09/08/ual-tribune-bankruptcy-biz-media-cz_ja_tvr_0908ualstory.html
http://www.theregister.co.uk/2008/09/10/ua_bankruptcy_farce/
Pump and Dump Scams Evolve
A large traffic spike on a Sunday night pushed a 2002 story of a bankruptcy filing by United Airlines to the most viewed business story category on the South Florida Sun Sentinel's Web site.
Google indexed the new link and the story appeared on Google News.
A Miami advisory firm performed a Google search for bankruptcies Monday morning that returned the 2002 UAL story, which they mistook as being current, and it was subsequently distributed through the Bloomberg News Service.
United Airlines' stock price sank more than 75%, slipping from $12 to a $3 level before trading was suspended. After the dust settled, shares returned to near normal levels.
The cybercrime industry possesses sophisticated business models that include Software-as-a-Service, SLAs, and discrete distribution of services. Hackers and botnets can be easily rented.
Hackers for Hire
Online Permit Management
In 2006, the Brazilian environment ministry did away with paper dockets and implemented an online program to issue permits documenting how much land a company could legally log and tracking the timber leaving the Amazon state of Pará.
"We've pointed out before that this method of controlling the transport of timber was subject to fraud.”
André Muggiati, Campaigner, Amazon office in Manaus, Greenpeace International
Allegedly 107 logging companies hired hackers to compromise the system, falsifying online records to increase the timber transport allocations. Police arrested 30 ring leaders.
As a result an estimated 1.7 million cubic metres of illegal timber have been smuggled out of the Amazon, enough to fill 780 Olympic-sized swimming pools.
Amazonian Rainforest Hack
http://www.greenpeace.org/international/news/hackers-help-destroy-the-amazo
http://www.scientificamerican.com/blog/60-second-science/post.cfm?id=hackers-help-loggers-illegally-stri-2008-12-16
Tip of the iceberg: the same computer system is used in two other Brazilian states.
$833,000,000
Other Permit Managers
Hiring the Good Guys
“By exploiting these vulnerabilities, the public could gain unauthorized access to information stored on Web application computers. Further, through these vulnerabilities, internal FAA users (employees, contractors, industry partners, etc.) could gain unauthorized access to ATC systems because the Web applications often act as front-end interfaces (providing front-door access) to ATC systems.”
KPMG audited 70 FAA Web applications and identified 763 high-risk vulnerabilities
http://news.cnet.com/8301-1009_3-10236028-83.html
http://www.darkreading.com/security/government/showArticle.jhtml
http://www.oig.dot.gov/StreamFile?file=/data/pdfdocs/ATC_Web_Report.pdf
Business logic flaws = $$$: prime target for the bad guys.
Test often, test everywhere: threat model. Not all vulnerabilities can be identified in the design phase, by analyzing the code, or even during QA.
Detect attacks by profiling: HTTP requests appear legitimate, but active attacks will appear anomalous. He who has the most points, credits, or in-system cash is probably a cheater.
Google Hacking - $ low six figures
Scamming eCommerce - $ mid six figures
Manipulating return policy systems - $ high six figures
Exploiting Affiliate Networks - $ seven figures
Gaming the stock market - $ high seven figures
Defrauding online permits - $ high nine figures
Free pizza with secret coupon codes... PRICELESS
Jeremiah Grossman
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: [email protected]
WhiteHat Security
http://www.whitehatsec.com/
Questions?
Why aren’t you doing this?