Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia.


1 Web-Based Attacks: Offense Wild Wild West Bob, Jeff, and Junia

2 Agenda
Weaknesses of the paper
Attacks not mentioned
Future Trends

3 Weaknesses of the paper

4 Web-based Attacks: White Paper or Infomercial…?
Shameless plugs peppered throughout.
No mention of non-Symantec solutions, like desktop virtualization.
Well yes, but everybody does it. How else would they get funded…

5 Vulnerability of web-based applications
A topic for nerds, written by nerds…
Technical aptitude is needed to even understand the challenge/threat.
This is likely one of the problems with getting people to pay attention to security.

6 Compare with articles about ‘The Cloud’
Articles about ‘The Cloud’ get noticed by execs because they speak to them.
You can find them in in-flight magazines.
Their message: a credit card, a few mouse clicks, and voila! Provisioned IT resources.

7 Attacks not mentioned

8 New ways of getting you to a malicious site
Blogs
Social networking
URL shorteners
Twitter and Facebook viruses exist

9 Google, How We Get To Most Sites: We trust Google!
Search Engine Optimization (SEO) poisoning aims to boost malicious websites to the top of the list.

10 An Example of SEO Poisoning 1) Find a legitimate website (http://jeffkimballwater.com)

11 An Example of SEO Poisoning
2) Compromise the website. Easy!
3) Submit a special URL to a search engine: “http://jeffkimballwater.com?r=discover-card”

12 An Example of SEO Poisoning
4) When the search engine indexes this URL, a script is called.
Change the page to add a bunch of hidden, relevant links.
Get the keywords for these links from another search engine; for the query “discover card” the slide's diagram shows:
Discover Financial Services
Discover Credit Cards
Discover Card Facts
Apply for a credit card
Hidden links added to the page (from the slide's diagram):
http://jeffkimballwater.com?r=discover-financial-services
http://jeffkimballwater.com?r=discover-credit-cards
http://jeffkimballwater.com?r=discover-card-facts
http://jeffkimballwater.com?r=apply-for-a-credit-card

13 An Example of SEO Poisoning
5) Highly ranked “Discover Card Application” delivers a malicious payload to people coming from Google.
6) The site looks normal to everyone else.

14 Attacking a website using Cross-Site Forgery
Also known as: Cross-Site Reference Forgery, XSRF, CSRF, Sea Surfing, Session Riding, Hostile Linking, One-Click attacks
A confused deputy attack on a website, where the website already trusts a user.

15 An Example of Cross-Site Forgery
Bob Frazer logs into Bankbank.com.
Bob then logs into FerrariOwnersClub.com.
Mal posts a bad link as his signature picture, which Bob loads.
Bob, who is still logged into Bankbank, executes the request.
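The scenario on this slide, as an added example that is not part of the original presentation: a toy Bankbank.com (site and user names taken from the slide, everything else constructed) whose transfer endpoint accepts any request carrying Bob's session cookie, beside the hardened version that also requires a per-session anti-CSRF token and checks the request's origin. The forum-triggered request succeeds against the first and is refused by the second.

```python
import secrets

class BankServer:
    """Toy Bankbank.com (name from the slides); sessions and balances in memory."""
    ORIGIN = "https://bankbank.com"

    def __init__(self, require_token=True):
        self.require_token = require_token
        self.sessions = {}  # session cookie -> (user, per-session csrf token)
        self.balances = {"bob": 100, "mal": 0}

    def login(self, user):
        cookie, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[cookie] = (user, token)  # token is embedded in the bank's own forms
        return cookie, token

    def transfer(self, cookie, to, amount, origin, token=None):
        """Return 'ok' or the reason the request was refused."""
        if cookie not in self.sessions:
            return "not logged in"
        user, expected = self.sessions[cookie]
        if self.require_token:
            # Hardened mode: the request must come from our own origin (Origin/Referer
            # header, simplified here) and carry the session's token, which a page on
            # another site can neither read nor guess.
            if origin != self.ORIGIN:
                return "refused: cross-site origin"
            if token is None or not secrets.compare_digest(token, expected):
                return "refused: missing or wrong csrf token"
        if self.balances[user] < amount:
            return "insufficient funds"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return "ok"

def bob_loads_mals_signature(bank):
    """Slide 15: Bob is logged in, then views Mal's forum signature image whose URL
    is a transfer request. The browser attaches Bob's bank cookie automatically,
    but no token, and the request originates from the forum, not the bank."""
    cookie, _token = bank.login("bob")
    return bank.transfer(cookie, "mal", 50, origin="https://ferrariownersclub.com")

def bob_transfers_legitimately(bank):
    """Bob submits the bank's own form, which carries the token it was rendered with."""
    cookie, token = bank.login("bob")
    return bank.transfer(cookie, "mal", 50, origin=BankServer.ORIGIN, token=token)

if __name__ == "__main__":
    print("vulnerable:", bob_loads_mals_signature(BankServer(require_token=False)))
    print("hardened:", bob_loads_mals_signature(BankServer(require_token=True)))
```

SameSite cookie attributes, which stop the browser from attaching the bank cookie to the forum-initiated request in the first place, are a further defence not modelled here.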

16 Attacking You Through Your Phone
Not web-based yet, but attackers are interested.
Trojan-SMS.AndroidOS.FakePlayer.a: sends texts to premium-rate numbers without the user’s knowledge.
Android spyware: Tip Calculator

17 Attacking You Through Your Phone
Symbian OS: Skulls
Worm:iOS/Ikee
Proof of concept spreads through WiFi or 3G, sends financial information to a server.

18 Future Trends

19 Future Trends - Users
Increasingly young user base
More online edu-tainment/games
More familiar and comfortable with the web world
Less knowledgeable about security risks

20 Future Trends - Attacks
More internet users
Move from IPv4 to IPv6
More attacks on web servers
More sophisticated hackers

21 Future Trends - Companies
Focus more on web security
Getting better at locking down the web

22 Future Trends - Cloud Computing
Increase in IT budgets
More web applications hosted in the cloud
With lower cost comes higher security risk
More complex security

23 Future Trends - Browsers will be more responsible
Google Chrome
Firefox

24 Future Trends - Spam
More legitimate-looking


