Post on 18-Dec-2015
Web Defacement
Anh Nguyen, May 6th, 2010
Organization
• Introduction
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Introduction
• Introduction
  – Web Defacement
  – Hackers' Motivation
  – Effects on Organizations
• How Hackers Deface Web Pages
• Solutions to Web Defacement
• Conclusions
Introduction: Web Defacement
• Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offensive data
• Exposes visitors to misleading information
Introduction: Web Defacement
• http://www.attrition.org/mirror/attrition/
  – Tracks defacement incidents and keeps a “mirror” of defaced Web sites
Introduction: Hackers' Motivation
• Look for credit card numbers and other valuable proprietary information
• Gain credibility in the hacking community; in some high-profile cases, 15 minutes of fame through media coverage of the incident
Introduction: Effects on Organizations
• Organizations lose
  – Credibility and reputation
  – Customer trust and revenue
  – E-retailers can lose considerable patronage if their customers feel their e-business is insecure
  – Financial institutions may experience significant loss of business and integrity
How Hackers Deface Web Pages
• Obtain usernames
  – Use information-gathering techniques
  – Make use of publicly available information
    • Domain registration records
  – Use ‘social engineering’ tactics
    • Call an employee and pose as a system administrator
How Hackers Deface Web Pages (Cont.)
• Guess passwords
  – Go through a list of popular or default choices
  – Use intelligent guesses
  – Use ‘social engineering’ tactics
    • Birth dates
    • Names of family members
How Hackers Deface Web Pages (Cont.)
• Obtain administrator privileges
• Perform additional information gathering to find out useful tidbits
  – The exact version and patch levels of the OS
  – The versions of software packages installed on the machine
  – Enabled services and processes
How Hackers Deface Web Pages (Cont.)
• Access well-known Web sites and locate hacks that exploit vulnerabilities existing in the software installed
• Gain control of the machine and modify the content of pages easily
How Hackers Deface Web Pages (Cont.): Sechole
• An example of a privilege escalation exploit on Windows NT4
• The attack modifies the in-memory instructions of the OpenProcess API call so it can attach to a privileged process
• Once the privileged process runs, the code adds the user to the Administrators group
• The technique works only if the code runs locally
How Hackers Deface Web Pages (Cont.): Sechole
• In the presence of Microsoft’s Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location
How Hackers Deface Web Pages (Cont.): Sechole
• Another approach is to exploit vulnerabilities in Internet servers that are listening on open ports
  – No need to log on to the server
  – Execute malicious code over an open, legitimate connection
How Hackers Deface Web Pages (Cont.): IIS Hack
• Well-known example of a remote attack on the IIS Web server
• Hackers exploit a buffer overflow weakness in ism.dll, causing malicious code to execute in the security context of System on the server
Solutions to Web Defacement
• Firewalls
  – Do not scan incoming HTTP packets
  – HTTP attacks (such as IIS Hack) are not detected
• Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
  – Listen to packets on the wire, but do not block them
  – In many cases, the packet reaches its destination before it is interpreted by the NIDS
Solutions to Web Defacement (Cont.)
• Integrity assessment
  – A hash code (similar to a checksum) reflecting the page’s content is computed for each Web page
  – The saved hash code is periodically compared with a freshly computed one to see if they match
  – The frequency of the hash code comparisons needs to be high
  – The scheme collapses when pages are generated dynamically
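The integrity-assessment scheme above, worked through as an added example (not code from the slides or from the McAfee white paper they cite). It hashes the files in the document root on disk rather than the HTTP responses, so file-backed dynamic pages still get a stable baseline, and it skips directories whose contents change legitimately (the slide's "dynamically generated" caveat). The directory layout, file names, contents and the `cache` exclusion are constructed for the demo; the comparison interval is left to the caller, who would run `check_integrity` from a scheduler as often as the slide's "high frequency" requirement demands.

```python
"""Integrity assessment of a Web document root (added example; not part of the
slides). File names, contents and the excluded directory are constructed."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, exclude_dirs=()):
    """Map each regular file under root (relative, '/'-separated) to its digest.
    Directories named in exclude_dirs (caches, logs) are skipped because their
    contents change legitimately and would only produce noise."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def check_integrity(root, baseline, exclude_dirs=()):
    """Re-hash the tree and report what differs from the saved baseline."""
    current = build_baseline(root, exclude_dirs)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def _write(root, rel, text):
    """Demo helper: write constructed content to root/rel, creating directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Baseline a constructed site, tamper with it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>Welcome</h1>")
        _write(root, "about.html", "<p>About us</p>")
        _write(root, "images/logo.svg", "<svg/>")
        _write(root, "cache/page.tmp", "volatile")
        baseline = build_baseline(root, exclude_dirs={"cache"})

        # Simulated defacement: one page altered, one dropped in, one deleted.
        # The cache file also changes, but it is excluded and must not be reported.
        _write(root, "index.html", "<h1>Site defaced</h1>")
        _write(root, "unexpected.html", "<p>not ours</p>")
        os.remove(os.path.join(root, "about.html"))
        _write(root, "cache/page.tmp", "changed but ignored")
        return check_integrity(root, baseline, exclude_dirs={"cache"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The baseline dictionary is what a real deployment would persist (and protect: a defacer who can rewrite the baseline alongside the pages defeats the check, which is why the slides pair integrity assessment with the administrator-resistant layer that follows).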
Solutions to Web Defacement (Cont.)
• Multi-layered protection system
  – Needed in order to deal effectively with Web defacement
  – On-the-spot prevention
    • Attacks should be identified before they execute, i.e. they should be identified at the service request level
    • Use system call and API call interception
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Administrator (root) resistant
    • Allow only a specific predefined user (the Web master), instead of the ‘Administrator’ account, to modify the Web site content and configuration
  – Application access control
    • A single predefined program should be used to edit and/or create Web pages
  – OS level protection
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – HTTP attack protection
    • A protection module that scans incoming HTTP requests for malicious requests, even when the communication is encrypted, should be used
  – Web server resources protection
    • Executables
    • Configuration files
    • Data files
    • Web server process
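The HTTP attack protection layer, as an added example of request-level inspection (not the slides' module, nor any product's). It is written to run on the host after TLS termination, which is what lets it see requests the firewall and a wire-level NIDS cannot, and it decides before the Web server acts on the request, matching the "service request level" point above. The checks are deliberately generic: a request target or header line far beyond any legitimate size (the shape of input that overflow-style attacks on server components send), percent-encoded null bytes, and directory traversal after repeated decoding. The length limits, allowed methods and sample requests are constructed.

```python
"""Request-level inspection for an HTTP attack protection layer (added example;
not part of the slides). Limits and sample requests are constructed."""
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LENGTH = 2048   # constructed limit for the request target
MAX_HEADER_LENGTH = 8192   # constructed limit for a single header line


def _fully_decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are seen in the clear."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def inspect_request(raw):
    """Return a list of findings for one raw HTTP request; an empty list means clean."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    try:
        head = head.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return ["malformed request line"]
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        findings.append(f"method not allowed: {method}")
    if len(target) > MAX_TARGET_LENGTH:
        findings.append("request target exceeds length limit")
    decoded = _fully_decode(target)
    path = decoded.split("?", 1)[0]
    if "\x00" in decoded:
        findings.append("null byte in request target")
    # Compare path segments after decoding; "..%2f" must be treated like "../".
    if ".." in path.replace("\\", "/").split("/"):
        findings.append("directory traversal in path")
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LENGTH:
            findings.append("header line exceeds length limit")
            break
    return findings


def is_blocked(raw):
    """Policy: any finding rejects the request before it reaches the Web server."""
    return bool(inspect_request(raw))


# Constructed sample requests for a stand-alone run.
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "traversal": b"GET /scripts/..%2f..%2fsecret.txt HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "overlong": b"GET /" + b"A" * 3000 + b" HTTP/1.0\r\n\r\n",
    "null byte": b"GET /page.html%00.txt HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        verdict = "BLOCK" if is_blocked(request) else "allow"
        print(f"{label:10s} {verdict:5s} {inspect_request(request)}")
```

A module like this belongs in front of every file the server would open, which is why the slides list executables, configuration files, data files and the server process itself as resources the same layer must guard.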
Solutions to Web Defacement (Cont.)
• Multi-layered protection system (Cont.)
  – Other Internet server attack protection
    • BIND (a DNS server)
    • Sendmail (an SMTP server)
Conclusions
• Thank you for your time
• Questions and feedback are welcome
References
• Prevent Web Site Defacement
  – http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf