Web-Defacement

Web Defacement
Anh Nguyen
May 6th , 2010
Organization
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
2
Introduction
• Introduction
– Web Defacement
– Hackers Motivation
– Effects on Organizations
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
3
Introduction
Web Defacement
• Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offending data
• Exposes visitors to misleading information
4
Introduction
Web Defacement
• http://www.attrition.org/mirror/attrition/
– Tracks defacement incidents and keeps a “mirror” of defaced Web sites
5
Introduction
Hackers Motivation
• Look for credit card numbers and other valuable proprietary information
• Gain credibility in the hacking community; in some high-profile cases, 15 minutes of fame through media coverage of the incident
6
Introduction
Effects on Organizations
• Organizations lose
– Credibility and reputation
– Customer trust and revenue
– E-retailers can lose considerable patronage if their customers feel their e-business is insecure
– Financial institutions may experience significant loss of business and integrity
7
How Hackers Deface Web Pages
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
8
How Hackers Deface Web Pages
• Obtain usernames
– Use information-gathering techniques
– Make use of publicly available information
• Domain registration records
– Use ‘social engineering’ tactics
• Call an employee and pose as a system administrator
9
How Hackers Deface Web Pages (Cont.)
• Guess passwords
– Go through a list of popular or default choices
– Use intelligent guesses
– Use ‘social engineering’ tactics
• Birth dates
• Names of family members
10
How Hackers Deface Web Pages (Cont.)
• Obtain administrator privileges
• Perform additional information gathering to find out useful tidbits
– The exact version and patch levels of the OS
– The versions of software packages installed on the machine
– Enabled services and processes
11
How Hackers Deface Web Pages (Cont.)
• Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed
• Gain control of the machine and modify the content of pages easily
12
How Hackers Deface Web Pages (Cont.)
Sechole
• An example of a privilege escalation exploit on Windows NT4
• The attack modifies the instructions in memory of the OpenProcess API call so it can attach to a privileged process
• Once the privileged process runs, the code adds the user to the Administrators group
• The technique works if the code runs locally
13
How Hackers Deface Web Pages (Cont.)
Sechole
• In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location
14
How Hackers Deface Web Pages (Cont.)
Sechole
• Another approach is to exploit vulnerabilities in Internet servers that are listening on open ports
– No need to log on to the server
– Execute malicious code over an open legitimate connection
15
How Hackers Deface Web Pages (Cont.)
IIS Hack
• Well-known example of a remote attack on the IIS Web server
• Hackers exploit a buffer overflow weakness in lsm.dll, causing malicious code to execute in the security context of the System on the server
16
Solutions to Web Defacement
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
17
Solutions to Web Defacement
• Firewalls
– Do not inspect the content of incoming HTTP packets
– HTTP attacks (such as IIS Hack) are therefore not detected
• Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
– Listen to packets on the wire, but do not block them
– In many cases, the packet reaches its destination before it is interpreted by the NIDS
18
Solutions to Web Defacement (Cont.)
• Integrity assessment
– A hash code (similar to a checksum) reflecting the page’s content is computed for each Web page
– The saved hash code is periodically compared with a freshly computed one to see if they match
– The frequency of the hash code comparisons needs to be high
– The scheme collapses when pages are generated dynamically
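The integrity-assessment scheme from this slide, as an added example (not code from the talk or the referenced white paper): hashes of every file under the document root are saved as a baseline, and a later run recomputes them and reports what was modified, added or removed. The site layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile

def hash_file(path: str) -> str:
    """SHA-256 of the file's bytes: the 'hash code' the talk describes."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(webroot: str) -> dict:
    """Record a hash for every file under the document root (the saved hash codes)."""
    table = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            table[os.path.relpath(full, webroot)] = hash_file(full)
    return table

def compare(webroot: str, saved: dict) -> dict:
    """Recompute the hashes and report files that no longer match the baseline."""
    current = baseline(webroot)
    return {
        "modified": sorted(p for p in saved if p in current and current[p] != saved[p]),
        "added": sorted(p for p in current if p not in saved),
        "removed": sorted(p for p in saved if p not in current),
    }

def demo() -> dict:
    """Constructed scenario: baseline a two-file site, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>")
        with open(os.path.join(root, "img", "logo.svg"), "w") as f:
            f.write("<svg/>")
        saved = baseline(root)
        # The intruder substitutes the home page and drops a new file
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Defaced</h1>")
        with open(os.path.join(root, "hacked.html"), "w") as f:
            f.write("<h1>Defaced</h1>")
        return compare(root, saved)

if __name__ == "__main__":
    print(demo())  # the next comparison run flags index.html and the new file
```

The check covers only bytes on disk, so a template file that renders differently per request is still comparable, but a page whose served content is assembled at request time is not, which is the collapse the slide refers to. Between two comparison runs the defaced page stays visible, which is why the interval has to be short.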
19
Solutions to Web Defacement (Cont.)
• Multi-layered protection system
– Needed in order to effectively deal with Web defacement
– On-the-spot prevention
• Attacks should be identified before their execution, i.e. they should be identified at the service request level
• Use system call and API call interception
20
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
– Administrator (root) resistant
• Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration
– Application access control
• A single predefined program should be used to edit and/or create Web pages
– OS level protection
21
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
– HTTP attack protection
• A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
– Web server resources protection
• Executables
• Configuration files
• Data files
• Web server process
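A request-level check of the kind the “on-the-spot prevention” and “HTTP attack protection” slides call for, as an added example (not code from the talk or the referenced white paper): each request line is inspected before the Web server parses it, and any reason to refuse it is reported. The size limits are assumptions, not figures from the talk, and the sample request lines are constructed.

```python
import re
from urllib.parse import unquote

# Assumed limits (not from the talk): requests for a static site stay well under these
MAX_TARGET_LEN = 2048
MAX_SEGMENT_LEN = 255
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")

def inspect_request_line(line: str) -> list:
    """Return the reasons to refuse a request line; an empty list means pass it on.

    An overlong target or path segment is the shape of a buffer-overflow attempt
    such as the IIS Hack the talk mentions; non-printable bytes in a path are not
    something a browser sends for a normal page.
    """
    reasons = []
    m = REQUEST_LINE.match(line)
    if not m:
        return ["malformed request line"]
    target = m.group(2)
    if len(target) > MAX_TARGET_LEN:
        reasons.append("request-target too long")
    # Decode percent-encoding once so encoded control bytes are seen as such
    path = unquote(target.split("?", 1)[0])
    if any(len(seg) > MAX_SEGMENT_LEN for seg in path.split("/")):
        reasons.append("oversized path segment")
    if any(not 0x20 <= ord(c) <= 0x7E for c in path):
        reasons.append("non-printable characters in path")
    return reasons

# Constructed sample request lines: one normal, one oversized, one with a control byte, one malformed
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /" + "A" * 3000 + ".html HTTP/1.0",
    "GET /page%01.html HTTP/1.1",
    "GARBAGE",
]

def scan(requests=SAMPLE_REQUESTS) -> list:
    """Verdict per request, in input order, the way the module's log would read."""
    return [inspect_request_line(r) or ["allow"] for r in requests]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_REQUESTS, scan()):
        print(line[:40], "->", ", ".join(verdict))
```

Unlike a passive NIDS, a filter placed in front of the server refuses the request before it is interpreted; placed behind the TLS endpoint it also sees encrypted traffic, which matches the slide's requirement.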
22
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
– Other Internet server attack protection
• Bind (a DNS server)
• Sendmail (an SMTP server)
23
Conclusions
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
24
Conclusions
• Thank you for your time
• Questions and feedback are welcome
25
References
• Prevent Web Site Defacement
– http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf
26