WEBSENSE ® SECURITY LABS™ 2006 Semi-Annual Web Security Trends Report OWASP Presentation November 9, 2006 Jim Young (301) 512-3350
WEBSENSE® SECURITY LABS™

2006 Semi-Annual Web Security Trends Report

OWASP Presentation

November 9, 2006

Jim Young

(301) 512-3350


The Web and Security

The Web is the #1 attack vector

The Web is becoming an application platform

More and more ways to attack


Security Research Division of Websense

Mission

Websense Security Labs discovers and investigates today's advanced Internet threats, publishes its findings, and works with leading security organizations on increasingly sophisticated and dangerous Internet threats.


What Security Labs do

Discover and investigate internet threats including malicious code and phishing

Research and classify threats

Publish timely product and information updates to customers and the security community

http://www.websensesecuritylabs.com


Publish Security Labs Alerts

– High profile web and internet threats
– Phishing, Malcode, MWS, Informational
– Free to subscribe

Security Labs Blog

– Additional information sharing for security professionals
– Tracks repeat attacks, emerging attacks, localized attacks


Key Trends

Easy-to-use hacker toolkits on the rise: Almost 15 percent of sites designed to steal information are derived from toolkits. These kits, made by professional malicious code writers, are sold on the internet and allow unsophisticated users to launch sophisticated attacks that exploit operating-system vulnerabilities.

Criminal motive of attacks more apparent: Traditional hacking for fun has been replaced with activities designed to steal confidential data to reap financial rewards. Websense found a 100 percent increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware.

– Conversely, Websense has seen more than a 60 percent drop in websites designed merely to change user preferences, such as browser settings.

Increase in cyber-extortion: malicious hackers hold data hostage on an end-user's machine while demanding a monetary sum to unlock the data.


Major Findings – 1H 2006

January 5, 2006 - First to discover more than 1,100 URLs that were attempting to exploit users who had not installed the patch for the Microsoft® Windows® Metafile (WMF) vulnerability which was discovered by Websense Security Labs in mid-December 2005.

March 24, 2006 - First to discover 200 unique URLs that were attacking a revealed Internet Explorer® "zero-day" vulnerability that could allow code to launch without end-user consent.

June 21, 2006 - Reported on end-users being lured to install malicious code through text messages. Victims received a message on their mobile phone stating that their mobile phone would be charged daily until the victim submitted information online.

June 21, 2006 - Reported a new type of attack that used email and voice over telephone, known as “vishing”. The attack targeted bank customers. Like traditional phishing attacks, users received a spoofed email message. However, unlike the most popular forms of phishing, where users are lured to a fraudulent website, this lure directed users to a telephone number.


Zero-hour / Zero-Day Vulnerability

Example: VML Zero-Day Exploit

– Exploits bug in the way IE handles VML
– No immediate IE patch
– WebAttacker kit has ability to detect browser settings and serve different exploits
– Downloads keyloggers, trojans, bots, worms, malware – often “drive-by” download (user intervention not required)
– Infecting 10,000 plus sites, including some legitimate sites, and was spreading fast
– Serves known exploits but also new and mutant variants for which the anti-spyware, anti-virus solutions had no immediate defense

[Figure: overlapping categories – Malicious Code, Phishing, Spyware]


Federal Government and Critical Infrastructure Cyber Protection

Nation-State Attacks

• Team expertise
• Computational power
• Motivation

FISMA

• More paperwork or more secure systems?

Protecting Personal Identifiable Information (PII)

Telework Initiatives and IT Security


Upcoming Events

Annual Computer Security Applications Conference

• December 11-15
• Miami, FL

DHS S&T New Tools for CND

• Jan. 17, 2007
• Washington, DC
• Government-funded R&D
• Play matchmaker
• Next-generation:
– intrusion-detection and -prevention systems
– source code analysis solutions to eliminate errors in open-source applications
– secure memory monitoring products