
Web Defacement

Web Defacement. Anh Nguyen, May 6th, 2010. Organization: Introduction; How Hackers Deface Web Pages; Solutions to Web Defacement; Conclusions.


Presentation Transcript


  1. Web Defacement • Anh Nguyen • May 6th, 2010

  2. Organization • Introduction • How Hackers Deface Web Pages • Solutions to Web Defacement • Conclusions

  3. Introduction • Introduction • Web Defacement • Hackers' Motivation • Effects on Organizations • How Hackers Deface Web Pages • Solutions to Web Defacement • Conclusions

  4. Introduction: Web Defacement • Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offensive data • Exposes visitors to misleading information

  5. Introduction: Web Defacement • http://www.attrition.org/mirror/attrition/ • Tracks defacement incidents and keeps a “mirror” of defaced Web sites

  6. Introduction: Hackers' Motivation • Look for credit card numbers and other valuable proprietary information • Gain credibility in the hacking community and, in some high-profile cases, 15 minutes of fame through media coverage of the incident

  7. Introduction: Effects on Organizations • Organizations lose • Credibility and reputation • Customer trust and revenue • E-retailers can lose considerable patronage if their customers feel their e-business is insecure • Financial institutions may experience significant loss of business and integrity

  8. How Hackers Deface Web Pages • Introduction • How Hackers Deface Web Pages • Solutions to Web Defacement • Conclusions

  9. How Hackers Deface Web Pages • Obtain usernames • Use information-gathering techniques • Make use of publicly available information • Domain registration records • Use ‘social engineering’ tactics • Call an employee and pose as a system administrator

  10. How Hackers Deface Web Pages (Cont.) • Guess passwords • Go through a list of popular or default choices • Use intelligent guesses • Use ‘social engineering’ tactics • Birth dates • Names of family members

  11. How Hackers Deface Web Pages (Cont.) • Obtain administrator privileges • Perform additional information gathering to find out useful tidbits • The exact version and patch levels of the OS • The versions of software packages installed on the machine • Enabled services and processes

  12. How Hackers Deface Web Pages (Cont.) • Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed • Gain control of the machine and modify the content of pages easily

  13. How Hackers Deface Web Pages (Cont.): Sechole • An example of a privilege escalation exploit on Windows NT4 • The attack modifies the in-memory instructions of the OpenProcess API call so it can attach to a privileged process • Once the privileged process runs, the code adds the user to the Administrators group • The technique works if the code runs locally

  14. How Hackers Deface Web Pages (Cont.): Sechole • In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location

  15. How Hackers Deface Web Pages (Cont.): Sechole • Another approach is to exploit vulnerabilities in Internet servers that are listening on open ports • No need to log on to the server • Execute malicious code over an open legitimate connection

  16. How Hackers Deface Web Pages (Cont.): IIS Hack • A well-known example of a remote attack on the IIS Web server • Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of the System on the server

  17. Solutions to Web Defacement • Introduction • How Hackers Deface Web Pages • Solutions to Web Defacement • Conclusions

  18. Solutions to Web Defacement • Firewalls • Do not scan incoming HTTP packets • HTTP attacks (such as IIS Hack) are not detected • Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS) • Listen to packets on the wire, but do not block them • In many cases, the packet reaches its destination before it is interpreted by the NIDS

  19. Solutions to Web Defacement (Cont.) • Integrity assessment • A hash code (similar to a checksum) for a Web page reflecting the page’s content is computed • The saved hash code is periodically compared with the freshly computed one to see if they match • The frequency of the hash code comparisons needs to be high • The scheme collapses when pages are generated dynamically

  20. Solutions to Web Defacement (Cont.) • Multi-layered protection system • Needed in order to effectively deal with Web defacement • On-the-spot prevention • Attacks should be identified before they execute, i.e. they should be identified at the service request level • Use system call and API call interception

  21. Solutions to Web Defacement (Cont.) • Multi-layered protection system (Cont.) • Administrator (root) resistant • Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration • Application access control • A single predefined program should be used to edit and/or create Web pages • OS level protection

  22. Solutions to Web Defacement (Cont.) • Multi-layered protection system (Cont.) • HTTP attack protection • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used • Web server resources protection • Executables • Configuration files • Data files • Web server process

  23. Solutions to Web Defacement (Cont.) • Multi-layered protection system (Cont.) • Other Internet server attack protection • Bind (a DNS server) • Sendmail (an SMTP server)

  24. Conclusions • Introduction • How Hackers Deface Web Pages • Solutions to Web Defacement • Conclusions

  25. Conclusions • Thank you for your time • Questions and feedback are welcome

  26. References • Prevent Web Site Defacement • http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf
