Web Defacement
Anh Nguyen
May 6th, 2010

Organization
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions

Introduction
• Web Defacement
• Hackers' Motivation
• Effects on Organizations

Introduction – Web Defacement
• Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offensive data
• Exposes visitors to misleading information

Introduction – Web Defacement
• http://www.attrition.org/mirror/attrition/
  – Tracks defacement incidents and keeps a “mirror” of defaced Web sites

Introduction – Hackers' Motivation
• Look for credit card numbers and other valuable proprietary information
• Gain credibility in the hacking community and, in some high-profile cases, 15 minutes of fame through media coverage of the incident

Introduction – Effects on Organizations
• Organizations lose
  – Credibility and reputation
  – Customer trust and revenue
  – E-retailers can lose considerable patronage if their customers feel their e-business is insecure
  – Financial institutions may experience significant loss of business and integrity

How Hackers Deface Web Pages
• Obtain usernames
  – Use information-gathering techniques
  – Make use of publicly available information
    • Domain registration records
  – Use ‘social engineering’ tactics
    • Call an employee and pose as a system administrator

How Hackers Deface Web Pages (Cont.)
• Guess passwords
  – Go through a list of popular or default choices
  – Use intelligent guesses
  – Use ‘social engineering’ tactics
    • Birth dates
    • Names of family members

How Hackers Deface Web Pages (Cont.)
• Obtain administrator privileges
• Perform additional information gathering to find out useful tidbits
  – The exact version and patch levels of the OS
  – The versions of software packages installed on the machine
  – Enabled services and processes

How Hackers Deface Web Pages (Cont.)
• Access well-known Web sites and locate hacks that exploit vulnerabilities in the installed software
• Gain control of the machine and modify the content of pages easily

How Hackers Deface Web Pages (Cont.) – Sechole
• An example of a privilege escalation exploit on Windows NT 4
• The attack modifies the in-memory instructions of the OpenProcess API call so it can attach to a privileged process
• Once the privileged process runs, the code adds the user to the Administrators group
• The technique works if the code runs locally

How Hackers Deface Web Pages (Cont.) – Sechole
• In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location

How Hackers Deface Web Pages (Cont.) – Sechole
• Another approach is to exploit vulnerabilities in Internet servers that are listening on open ports
  – No need to log on to the server
  – Execute malicious code over an open, legitimate connection

How Hackers Deface Web Pages (Cont.)
IIS Hack
• Well-known example of a remote attack on the IIS Web server
• Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of System on the server

Solutions to Web Defacement
• Firewalls
  – Do not scan incoming HTTP packets
  – HTTP attacks (such as IIS Hack) are not detected
• Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
  – Listen to packets on the wire, but do not block them
  – In many cases, the packet reaches its destination before it is interpreted by the NIDS

Solutions to Web Defacement (Cont.)
• Integrity assessment
  – A hash code (similar to a checksum) reflecting a Web page’s content is computed
  – The saved hash code is periodically compared with a freshly computed one to see if they match
  – The frequency of the hash code comparisons needs to be high
  – The scheme collapses when pages are generated dynamically

Solutions to Web Defacement (Cont.)
• Multi-layered protection system
  – Needed in order to deal effectively with Web defacement
  – On-the-spot prevention
    • Attacks should be identified before they execute, i.e. at the service request level
    • Use system call and API call interception

Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Administrator (root) resistant
    • Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration
  – Application access control
    • A single predefined program should be used to edit and/or create Web pages
  – OS level protection

Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – HTTP attack protection
    • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
  – Web server resources protection
    • Executables
    • Configuration files
    • Data files
    • Web server process

Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Other Internet server attack protection
    • BIND (a DNS server)
    • Sendmail (an SMTP server)

Conclusions
• Thank you for your time
• Questions and feedback are welcome

References
• Prevent Web Site Defacement – http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf
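The integrity assessment scheme from the "Solutions to Web Defacement" slides, as an added example that is not part of the original deck: a baseline of per-file hash codes over a static Web root is taken once, then recomputed and compared to report modified, added and deleted files. The Web root, file names and page contents are constructed for the demonstration.

```python
# Added example, not from the slides: a baseline-and-compare integrity check
# over a static Web root, i.e. the "integrity assessment" scheme. The Web root,
# file names and page contents below are constructed for the demonstration.
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    """The slide's 'hash code': a SHA-256 digest of the file's bytes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(web_root: str) -> dict:
    """Record a digest for every file under the Web root (the saved baseline)."""
    baseline = {}
    for dirpath, _, names in os.walk(web_root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def check_integrity(web_root: str, baseline: dict) -> dict:
    """Recompute digests and report what changed since the baseline was taken."""
    current = build_baseline(web_root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }

def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a defacement."""
    root = tempfile.mkdtemp()
    def write(rel, text):
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    write("index.html", "<h1>Welcome</h1>")
    os.mkdir(os.path.join(root, "img"))
    write(os.path.join("img", "logo.txt"), "logo")
    baseline = build_baseline(root)
    write("index.html", "<h1>Defaced</h1>")            # page content replaced
    write("dropped.html", "x")                         # file planted by the intruder
    os.remove(os.path.join(root, "img", "logo.txt"))   # legitimate file removed
    return check_integrity(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Hashing the server-side source files (templates, scripts, configuration) rather than rendered HTML keeps the approach usable for dynamically generated sites, at the cost of not catching content injected at render time.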
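For the "HTTP attack protection" layer described above, an added example that is not from the slides or the referenced whitepaper: a request-line filter that rejects, before the Web server parses them, requests whose URIs are overlong, carry control bytes, or contain oversized path or query elements, the shapes typical of buffer overflow attempts such as the IIS Hack. The size limits and the sample request lines are constructed assumptions.

```python
# Added example, not from the slides: a request-level filter of the kind the
# "HTTP attack protection" layer describes. It inspects the HTTP request line
# before the Web server sees it and rejects overflow-style requests.
# The thresholds and the sample request lines are constructed assumptions.
import re
from urllib.parse import unquote, urlsplit

MAX_URI_LEN = 2048        # assumed limit; real products tune this per application
MAX_SEGMENT_LEN = 255     # assumed longest path segment or query pair allowed
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<ver>\d\.\d)$")

def classify_request(line: str) -> str:
    """Return 'allow' or a 'reject: ...' string naming the reason."""
    m = REQUEST_LINE.match(line)
    if not m:
        return "reject: malformed request line"
    uri = m.group("uri")
    if len(uri) > MAX_URI_LEN:                 # checked on the raw, encoded URI
        return "reject: URI too long (%d bytes)" % len(uri)
    decoded = unquote(uri)                     # %xx escapes can hide payload bytes
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in decoded):
        return "reject: control or non-ASCII bytes in URI"
    parts = urlsplit(decoded)
    segments = parts.path.split("/") + parts.query.split("&")
    longest = max(len(s) for s in segments)
    if longest > MAX_SEGMENT_LEN:
        return "reject: oversized path/query element (%d bytes)" % longest
    return "allow"

def scan(lines):
    """Classify each request line; returns (truncated line, verdict) pairs."""
    return [(line[:40], classify_request(line)) for line in lines]

SAMPLE_REQUESTS = [  # constructed request lines
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/search?q=defacement HTTP/1.1",
    "GET /" + "A" * 3000 + " HTTP/1.0",              # overlong URI
    "GET /page?name=" + "%41" * 400 + " HTTP/1.0",   # oversized query value, encoded
    "GET /img/%00logo.gif HTTP/1.0",                 # embedded NUL byte
]

if __name__ == "__main__":
    for summary, verdict in scan(SAMPLE_REQUESTS):
        print(verdict, "<-", summary)
```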