security threats to e-commerce - hkcert
TRANSCRIPT
Cyber Threats to e-Commerce
S.C. Leung, CISSP CISA CBCP
Page 2
Who are we?
HKCERT
– Established in 2001. Operated by HK Productivity Council
– Provides services to Internet users and SMEs (free-of-charge)
– Scope of services
• Security Monitoring and Early Warning
• Incident Report Handling
• Publication of guidelines
• Public Awareness
– www.hkcert.org
– Free subscription to alert information via email and mobile (we pay for the SMS charges)
Page 3
HKCERT
[Diagram: HKCERT's network of partners: local enterprises and Internet users; CERT teams in Asia Pacific (APCERT); CERT teams around the world (FIRST); law enforcement; Internet infrastructure organisations; universities; software vendors; security research centres]
Page 4
Agenda
Attackers and the Motives of Attacks
Attack Trends Highlight
Relevance to e-Commerce
Attacks and Counter-attack Strategies
Page 5
Attackers and Motives
Kiddies and Early Hackers: Fame
Activists: Hacktivism
– Anonymous, Lulzsec groups
State sponsored
– Civilian monitoring
• Doubts on R2D2 Trojan in Germany
– Attacks on state critical infrastructure or military
• Stuxnet - 2010
• USA drone malware - 2011
E-Commerce Relevant
Cybercriminals: Money
– Theft of information
– Extortion
– Control of machines for other purposes
Unfriendly parties
– Disgruntled employees: loss of reputation via data leakage or scandals
– Business competitors
• DoS
• Theft of business-sensitive information, patents, formulas
Page 6
Cybercrime as a Service
Product piracy: theft of CD keys
Theft of personal information and identification (SSN, id, password, credit card #)
Service hosting: spam relays, phishing web hosting
Phishing attacks: paid web hosting
Proxy network (so beware of unsolicited open proxies!)
Spyware/adware installation: pay per installation
Click fraud: pay per click
DDoS: extortion or attack on a competitor's service site
Blackmail / Ransomware: encrypts hard drive data and demands a ransom
Page 7
Attack Trend Highlights
Attack becomes less visible - uninformed victims
Botnet as platform to deliver attacks
Cybercrime as a Service
Moving up from network attack
– to web application attack
– to business logic abuse
Exploit points of weak defense
Going Mobile, Going Social, Going Cloud
Page 8
Attacks Become Less Visible
– Visible mass-spreading worms (Blaster, Sasser, Netsky) peaked in 2003-2005.
– Reports on malware attacks dropped significantly.
– Security incident reports (hacking, phishing, defacement, botnet and others) increased four-fold.
[Chart: HKCERT incident report statistics by year, 2001-2002 to 2010-2011, comparing virus attack reports with security attack reports]
Page 9
Reporting Party (2010/11)
[Pie chart: incident reports by reporting party: local 27.92%; overseas and proactive discovery account for the remaining 44.25% and 27.84%]
How Less Visible Attacks Surface
Victim report figures are low.
A compromise becomes visible when the victim machine is used to participate in phishing, malware hosting or other attacks.
1. Overseas parties report incidents to HKCERT
2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong
Page 10
Botnet (roBot Network) - infrastructure for cybercrime
[Diagram: the bot herder sends commands and updates down through C&C servers to the bots; the bots send data up and are used to launch DDoS attacks and spam against victims]
Wikipedia is not totally correct on "botnet": a botnet is much more than a DDoS platform.
Page 11
Relevance to e-Commerce
Websites
– Exploit the server to provide a launchpad for attacks
– For data on the server
– For money in extortion
Web Users
– Targeted for credentials, data breach, fraudulent transactions
– Man-in-the-Middle (MitM), Man-in-the-Browser (MitB), Man-in-the-Mobile (MitMo) attacks
Attacks to Websites
Page 13
Mass injection of osCommerce websites (Jul 2011)
osCommerce is an open source shopping cart using web 2.0 technology
Large scale injection attack since July. Over 2.7M web pages infected globally.
Over 45,000 pages in Hong Kong
Injects "<iframe>" and "<script>" tags pointing to malicious links such as "willysy.com" and "exero.eu"
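A defender-side check for the injection pattern described above, added here as an example (not code from the HKCERT slides): it parses a page and flags any <iframe> or <script> whose src loads from a host outside the site's own allow-list, and notes whether the tag is hidden. The sample page and the shop.example.com host are constructed; only the willysy.com and exero.eu names come from the slide.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionFinder(HTMLParser):
    """Collect iframe/script tags that load content from a host outside the site."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script, not an external load
        host = (urlparse(src).hostname or "").lower()
        if host and host not in self.allowed:
            self.findings.append((tag, host, self._is_hidden(attrs)))

    @staticmethod
    def _is_hidden(attrs):
        # Injected iframes are typically zero-sized or display:none so shoppers never see them.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        return "display:none" in style or attrs.get("width") == "0" or attrs.get("height") == "0"

def scan_page(html, allowed_hosts):
    """Return (tag, host, hidden) for every external iframe/script not on the allow-list."""
    parser = InjectionFinder(allowed_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page: the shop's own script plus two injected tags.
SAMPLE = """<html><body><h1>Shop</h1>
<script src="http://shop.example.com/js/cart.js"></script>
<iframe src="http://willysy.com/x.php" width="0" height="0"></iframe>
<script src="http://exero.eu/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, host, hidden in scan_page(SAMPLE, ["shop.example.com"]):
        print(f"suspicious <{tag}> loading from {host}" + (" (hidden)" if hidden else ""))
```

Run the same scan over each page of a crawled copy of the site; a sudden appearance of foreign hosts across many pages is the mass-injection signature.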
Page 14
Page 15
Multi-stage infection (drive-by download)
[Diagram: the browser sends a web request to the injected web server, is served an exploit page, is redirected to the exploit server, is then redirected to the malware hosting server and downloads the malware]
– Exploits are imported from other servers via iframes and redirects
– Once compromised, the dropper downloads and installs the actual bot malware
Page 16
Website Protection Strategies
Plugging security holes
– Get security vulnerability warnings (available at http://www.hkcert.org)
– Regular and timely patching
Application Firewall
– Block web application attacks
Writing secure web applications is the root
– Good coding practice; minimum privilege for the database user account
– Code scanning, vulnerability scanning
– HKCERT SQL injection defense guideline
• http://www.hkcert.org/english/sguide_faq/sguide/sql_injection_en.pdf
– OWASP (Open Web Application Security Project) Top Ten Project
• SQL injection, Cross-site scripting, Broken authentication and session management, misconfiguration …
• https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Page 17
Website Protection Strategies
Defense in depth
– Separate web server and database server
Encryption
– Encrypt web communication
– Encrypt sensitive data on the server
Plan for contingency
– What if the website is not available?
• Alternate website
• Manual procedure?
– Backup and Recovery
Attacks to Web Users
Page 19
Attacks targeting web users
Attacks are more sophisticated, targeting two-factor authentication, using Man-in-the-Middle attacks
From getting credentials to transferring money on the spot, because the piggybacking window is temporary
From phishing (fake site) to fraud on the real online site
Targeted, because each online e-commerce site is different
The e-Commerce site does not see the hacker in its access log. They are in the browser, carrying the cyber identity of the customer
Page 20
What is a Man-in-the-Middle attack?
The hacker sits in the middle between the client and server and is able to read, modify and insert messages sent between the parties
Client and Server are NOT AWARE of the existence of the middle man
It is an ACTIVE attack instead of passive sniffing
[Diagram: in a normal HTTP connection the web browser sends GET http://abc.com to the web server and receives HTTP/1.0 200 OK; in the MITM hijacked connection the attacker sits between them, relaying the request and the response in both directions]
Page 21
Botnet targeting Banks and e-Commerce
Zeus and SpyEye Botnets
– steals banking information by Keylogging and Form Grabbing
– features:
• Take screenshot (save to html without image)
• Fake redirect (redirect to a prepared fake bank webpage)
• HTML inject (hijack the login session and inject new field)
• Log the visiting information of each banking site, record the input string (text or post URL)
Page 22
Man-in-the-Browser
Hackers' dream: breaking two-factor authentication
– Intercept transaction
• Install software/plugin inside the browser, hook major OS and web browser APIs and proxy data
– Rewrite the screen. Trick the user into entering credentials.
– Change the amount and change the destination to the attacker's account
– Change the display to the user as if his transaction was executed
• Calculate the "should be amount" and rewrite the remaining total to the screen
• Store in a database in the cloud the amount transacted from the user's perspective
Source: www.cronto.com
Page 23
Zeus in the Mobile
ZitMo (reported in Sep-2010)
– Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
– Mobile Infection:
• Infected PC visits bank website
• Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and the IMEI # (and phone model)
• Hacker sends a new "digital certificate" to the phone
• User installs the Zeus mobile.
– Platforms: Symbian, Android, WinCE and BlackBerry
– Sniffs the SMS messages when woken up by a special SMS
• Steals one-time passwords (OTP) sent via SMS
SpyEye goes mobile (Apr-2011) using similar techniques
2011-July
Page 24
Inserting a transaction (at login)
[Diagram: the user submits PIN + OTP to log in; the Trojan kicks up a shadow login at the back, shows "Not successful. Please retry" and inserts a new window; the user submits PIN + OTP2; the hacker uses OTP2 to authenticate a transaction]
Page 25
Defense at client side
3 Baseline Defenses are necessary but not sufficient
– Protection from malware
– Personal Firewall
– Update patches: this is more and more important
Install Microsoft Malicious Software Removal Tool (MSRT)
Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/
Page 26
Defense at client side
Use newer and secure browsers (Chrome 12, FF 5, IE 9); they come with new features: URL blocking, sandbox
Use separate browsers for casual browsing and for transactions
Avoid installing add-ons (extensions, ActiveX objects …) on the browser
Attacks to Business Logics
Page 28
Attacks to Business Logics
As SQL and XSS vulnerabilities are reducing, attackers change focus to vulnerabilities in business logic
Business logic flaws are not software bugs. Business logic abuses are not exploits. Attackers are using functionality used by legitimate users.
– Web application firewalls have no defense against it.
– Quality assurance may overlook this because tests usually test what the code is supposed to do, and not what it can be made to do.
Page 29
Abuse of Functionality
Case 1: Winning Online Auction
– Online auction website: all logged-in users can bid and view who is bidding what.
– Intruder lockout: prevents password guessing for 1 hour after 5 failed tries within 5 minutes.
What can be abused here?
– One can brute-force other bidders' account logins to lock them out (denial of service)
What can be done to improve?
– Use CAPTCHA instead of intruder lockout (~Gmail)
– Need to display who is bidding what?
– Allow a minimum bid to discourage unreasonable deals
Page 30
Insufficient Process Validation
Case 2: CNBC's Million Dollar Portfolio Challenge
– Ten 1-week challenges among 375K amateur traders for a prize of USD10K
– Steps to place a simulated stock trade:
1. Select the stock to purchase and the no. of shares, and press the submit button
2. The backend system computes the total order using the current price and waits for user confirmation
What can be abused here?
– One can hold the step 2 confirmation until after trading closes and execute only if the stock price has risen significantly
What can be done to improve?
– Always use the current share price to transact
– Set a timeout on the session
– Reject order execution after the market closes
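The three improvements for Case 2 carried into a two-step order flow, as an added example (not CNBC's or HKCERT's code): the fill is always priced at execution time, a confirmation older than the timeout is refused, and nothing executes outside trading hours. The timeout, trading hours, ticker and prices are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

QUOTE_TIMEOUT = timedelta(minutes=2)       # assumed confirmation window
MARKET_OPEN, MARKET_CLOSE = time(9, 30), time(16, 0)   # assumed trading hours

@dataclass
class PendingOrder:
    symbol: str
    shares: int
    quoted_price: float   # shown at step 1 for information only
    quoted_at: datetime

def place_order(symbol, shares, price_feed, now):
    """Step 1: quote the order at the current price and record when it was quoted."""
    return PendingOrder(symbol, shares, price_feed[symbol], now)

def confirm_order(order, price_feed, now):
    """Step 2: validate the process, then price the fill at execution time."""
    if not MARKET_OPEN <= now.time() < MARKET_CLOSE:
        raise ValueError("market closed: order rejected")
    if now - order.quoted_at > QUOTE_TIMEOUT:
        raise ValueError("confirmation window expired: please re-quote")
    # Always recompute from the current price, never the quoted one, so holding
    # the confirmation until the price moves gives no advantage.
    current = price_feed[order.symbol]
    return {"symbol": order.symbol, "shares": order.shares,
            "price": current, "total": round(current * order.shares, 2)}

def demo():
    """Constructed walk-through: a normal fill, a stale confirmation, an after-hours one."""
    feed = {"ACME": 10.00}
    t0 = datetime(2011, 10, 3, 10, 0)
    order = place_order("ACME", 100, feed, t0)
    feed["ACME"] = 12.50     # price rises while the user sits on the confirmation
    results = {"fill_total": confirm_order(order, feed, t0 + timedelta(seconds=30))["total"]}
    for label, when in (("late", t0 + timedelta(minutes=5)),
                        ("closed", datetime(2011, 10, 3, 16, 30))):
        try:
            confirm_order(order, feed, when)
        except ValueError as exc:
            results[label] = str(exc)
    return results

if __name__ == "__main__":
    print(demo())
```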
Page 31
Other Business Logic Abuses
Information leakage
Data scraping
Password recovery
Pump-and-dump
Spoofing cookie values to gain access to other users' accounts
… more
Reference – https://www.whitehatsec.com/resource/whitepapers/business_logic_flaws.html
Page 32
Protection
Identification and Detection of attacks
– Detect abnormal behaviour, e.g. large volume downloads, non-human speed activities
– Criminals behave differently from normal users
– Check login location, login device
– Log analysis
Prevention
– Pentest your business logic
– Use CAPTCHA to defend against robots
– Personal questions like image identification
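The detection side of the slide above, as an added example (not HKCERT's code): log analysis over constructed access-log lines that flags non-human request rates, large-volume downloads, and logins from a location or device that differs from the user's known profile. The log format, thresholds and the IP-prefix-to-country table are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IP-prefix to country table; a real deployment would use a GeoIP database.
GEO = {"203.0.113.": "HK", "198.51.100.": "US"}
RATE_LIMIT = 30        # requests per minute a human shopper is unlikely to exceed
DOWNLOAD_LIMIT = 500   # downloads per user in the log window treated as scraping

def geo(ip):
    return next((c for prefix, c in GEO.items() if ip.startswith(prefix)), "??")

def parse(line):
    """Assumed log format: ISO timestamp, user, client IP, device id, action."""
    ts, user, ip, device, action = line.split()
    return datetime.fromisoformat(ts), user, ip, device, action

def analyse(lines, known_profiles):
    """Return (user, reason) alerts. known_profiles maps a user to the (country, device)
    pair seen in earlier sessions, so a login that breaks the pattern is flagged."""
    alerts, per_minute, downloads = [], defaultdict(int), defaultdict(int)
    for line in lines:
        ts, user, ip, device, action = parse(line)
        minute = (user, ts.replace(second=0, microsecond=0))
        per_minute[minute] += 1
        if per_minute[minute] == RATE_LIMIT + 1:   # alert once, when the limit is crossed
            alerts.append((user, "non-human request rate"))
        if action == "download":
            downloads[user] += 1
            if downloads[user] == DOWNLOAD_LIMIT + 1:
                alerts.append((user, "large volume download"))
        if action == "login" and user in known_profiles:
            country, known_device = known_profiles[user]
            if geo(ip) != country:
                alerts.append((user, f"login from new location {geo(ip)}"))
            if device != known_device:
                alerts.append((user, "login from new device"))
    return alerts

def demo():
    """Constructed log: alice logs in normally, then someone holding her credentials
    logs in from an unfamiliar country and device; bob bulk-downloads at machine speed."""
    profiles = {"alice": ("HK", "dev-a1")}
    lines = ["2011-10-03T10:00:00 alice 203.0.113.5 dev-a1 login",
             "2011-10-03T10:05:00 alice 198.51.100.9 dev-zz login"]
    lines += [f"2011-10-03T11:00:{i % 60:02d} bob 203.0.113.7 dev-b1 download"
              for i in range(DOWNLOAD_LIMIT + 1)]
    return analyse(lines, profiles)

if __name__ == "__main__":
    for user, reason in demo(): print(user, reason)
```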
Take down Botnet
Page 34
Hit criminals' critical infrastructure
Trace the supply chain of criminals (Law Enforcement)
Bring down their infrastructure (ISP, DNR)
– C&C, malicious web sites, fake domain names
– Domain name registries manage domain registration abuse
– ISPs unplug malware hosting networks
Bring down spam-borne attacks
– Corporations and ISPs to adopt Port 25 management (blocks SMTP); forces spammers to use credentials, which makes them more accountable (advocated by APWG, CERT)
• http://www.maawg.org/port25/
Page 35
Botnet Takedowns in the past 2 years
Collaboration of law enforcement, Microsoft, security researchers, ISPs and domain name registries, taking the fight to the court
Operations
– Operation b49 (Waledac botnet) - Feb, 2010
– Operation Trident Breach (Rimecud botnet) - Oct 1, 2010 in Spain and Slovenia
– Operation Tolling (Bredolab botnets) - Oct 25, 2010 in the Netherlands
• C&C is sinkholed
• Bots are redirected to a page informing of the infection
Page 36
Botnet Takedowns in the past 2 years
– Operation B107 (Rustock botnet) - Mar 16, 2011: most C&C in USA
• Global spam down by 40% immediately afterwards
• Bots still need to be cleaned up
– Operation Adeona (CoreFlood botnet) - Apr 13, 2011
• C&C sinkholed; KILL command sent to bots to terminate them in memory
– Operation Trident Tribunal (Scareware) - Jun 22, 2011: along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers
• http://www.fbi.gov/news/stories/2011/june/cyber_062211
– Operation B79 (Kelihos, DNS abuse) - Sep 26, 2011:
• http://blogs.technet.com/b/mmpc/archive/2011/09/26/operation-b79-kelihos-and-additional-msrt-september-release.aspx
Page 37
Success Factors in Botnet Takedown
Be a Good Neighbour
– Collaboration with Law Enforcement and CERTs to take down malicious content
– If you and other parties (ISPs, OSPs, security researchers, academia) collaborate, the world will be different
Creative disruption tactics in takedown
– Sharing of intelligence
– Operational Security (confidentiality, coordinated timing and speed)
– Preempt future attacks
– Use a sinkhole to get information on the bots. Find the bot machines left behind before they join another botnet. They are vulnerable. They may be leaking data
– Solve legal issues
WE NEED YOU!
Going Cloud
Page 39
Security Issues arising from the Cloud
Service Level Management Challenge
Crime in the Cloud
– Password cracking
– Hosting of phishing sites, malware
– Botnet in the Cloud
• Zeus using Amazon's EC2 as command and control server (Dec-2009)
– http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110
• SpyEye uses Amazon S3 to exploit (Jul-2011)
– http://www.scmagazine.com.au/News/265367,amazon-used-to-spread-bank-stealing-trojan.aspx
– Launching DDoS
Investigation Challenge
– Most fraud and attacks are conducted via fraudulent accounts (fraud cards)
• Creates one more investigation
– No seizure of devices; no paradigm of forensics
– Chain of custody starts with the cloud provider
– Jurisdiction: where was the crime scene? where to serve the warrant?
Page 40
Security Opportunity with Cloud
Cloud is elastic to take up more traffic volume by design
Secure Web as a Service
– Provide a secured frontline for customers' web servers
– Shield most application attacks
– Shield a moderate level of DoS attacks
– Continuous monitoring. Regular audit
– Investigation
– Learn from one customer and apply to others
– ** But SSL websites may have confidentiality considerations
Page 41
Conclusion
ATTACKERS
– Attackers go after $$$. E-Commerce is a sure target.
– Attackers also go mobile, SNS and cloud
ATTACKS
– Security attacks are more and more sophisticated
– Botnets and "invisible" malware are the cybercrime vehicles
YOUR SECURITY, OUR SECURITY
– Public awareness is important: CARE is vital. Tools can only help.
– Close all security holes in (1) software, (2) procedure/business logic and (3) human
– We all need to work together for a safe, clean and reliable Internet.
Q & A
Website: www.hkcert.org
Hotline: 81056060
Email: [email protected]