Cyber Threats to e-commerce
S.C. Leung CISSP CISA CBCP
Who are we?
HKCERT
- Established in 2001. Operated by the HK Productivity Council
- Provides free-of-charge services to Internet users and SMEs
Scope of services
- Security monitoring and early warning
- Incident report handling
- Publication of guidelines
- Public awareness
www.hkcert.org
- Free subscription to alert information via email and mobile (we pay for the SMS charges)
HKCERT's network
- CERT teams in Asia Pacific (other coordination centres in the region; APCERT)
- CERT teams around the world (other coordination centres worldwide; FIRST)
- Law enforcement
- Security research centres
- Internet infrastructure organisations
- Local enterprises and Internet users
- Software vendors
- Universities
Agenda
- Cyber threats to e-commerce
- Attackers and the motives of attacks
- Attack trend highlights
- Relevance to e-commerce
- Attacks and counter-attack strategies
Attackers and Motives
- Kiddies and early hackers: fame
E-Commerce relevant:
- Activists: hacktivism (Anonymous, LulzSec groups)
- State sponsored
  - Civilian monitoring: doubts on the R2D2 Trojan in Germany
  - Attacks on state critical infrastructure or the military: Stuxnet (2010), USA drone malware (2011)
- Cybercriminals: money
  - Theft of information
  - Extortion
  - Control of machines for other purposes
- Unfriendly parties
  - Disgruntled employees: loss of reputation via data leakage or scandals
  - Business competitors: DoS; theft of business-sensitive information, patents, formulas
Cybercrime as a Service
Products
- Piracy: theft of CD keys
- Theft of personal information and identification (SSN, ID, password, credit card numbers)
Services
- Hosting: spam relays, phishing web hosting
- Phishing attacks: paid web hosting
- Proxy network (so beware of unsolicited open proxies!)
- Spyware/adware installation: pay per installation
- Click fraud: pay per click
- DDoS: extortion, or an attack on a competitor's service site
- Blackmail / ransomware: encrypts hard drive data and demands a ransom
Attack Trend Highlights
- Attacks become less visible: uninformed victims
- Botnets as the platform to deliver attacks
- Cybercrime as a Service
- Moving up from network attacks to web application attacks to business logic abuse
- Exploiting points of weak defense
- Going mobile, going social, going cloud
Attacks Become Less Visible
[Chart: HKCERT incident report statistics, 2001-2002 to 2010-2011; two series, "Virus attack" and "Security attack" reports per year]
- Visible mass-spreading worms (Blaster, Sasser, Netsky) peaked in 2003-2005. Reports of malware attacks have since dropped significantly.
- Security incident reports (hacking, phishing, defacement, botnet and others) increased four-fold.
How Less Visible Attacks Surface
[Chart: reporting party, 2010/11: local 27.92%, overseas 27.84%, proactive discovery 44.25%]
- The victim report figure is low. A compromise becomes visible when the victim machine is used to participate in phishing, malware hosting or other attacks.
1. Overseas parties report incidents to HKCERT
2. HKCERT uses proactive discovery methodologies to find hacked machines in Hong Kong
Botnet (robot network): infrastructure for cybercrime
[Diagram: bot herder -> C&C servers -> bots. Upstream: data; downstream: commands/updates. Bots deliver spam and DDoS attacks against victims.]
Note: Wikipedia's description of botnets is not entirely correct; a botnet is much more than a DDoS platform.
Relevance to e-commerce
Websites
- Exploited server used as a launchpad for attacks
- For the data on the server
- For money, via extortion
Web users
- Targeted for credentials, data breaches, fraudulent transactions
- Man-in-the-Middle (MitM), Man-in-the-Browser (MitB), Man-in-the-Mobile (MitMo) attacks
Attacks to Websites
Mass injection of osCommerce websites (Jul 2011)
- osCommerce is an open source shopping cart using web 2.0 technology
- Large-scale injection attack since July: over 2.7M web pages infected globally, over 45,000 pages in Hong Kong
- Injects "<iframe>" and "<script>" tags pointing to malicious links such as "willysy.com" and "exero.eu"
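A site operator's first question after an injection wave like this one is "are any of my pages carrying a foreign iframe or script?". The scanner below is an added example (not HKCERT's tooling and not part of the original slides): it parses a fetched page with the standard-library HTML parser and reports every `<iframe>` or `<script>` whose `src` points at a host outside the site's own allowlist, flagging 1x1 or hidden frames, which is how such injections usually look. `SAMPLE_PAGE`, `ALLOWED_HOSTS` and the `injected-host.invalid` domain are constructed for the demonstration, not real indicators.

```python
"""Scan a fetched HTML page for <iframe>/<script> tags whose src points outside
the site's own hosts, the pattern of the osCommerce mass injection.
Added example, not HKCERT's tooling; SAMPLE_PAGE, ALLOWED_HOSTS and the
.invalid domain are constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the shop legitimately loads scripts/frames from
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed page: two legitimate includes plus a 1x1 hidden iframe and a
# script injected from a third-party host (placeholder domain, not a real IoC)
SAMPLE_PAGE = """<html><head>
<script src="/js/cart.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
</head><body><h1>Shop</h1>
<iframe src="http://injected-host.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script src="http://injected-host.invalid/js.js"></script>
</body></html>"""


class InjectionScanner(HTMLParser):
    """Collects iframe/script tags that reference hosts outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script / src-less iframe: not the remote-include pattern
        host = urlparse(src).hostname  # None for relative URLs (same origin)
        if host is None or host in self.allowed_hosts:
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "src": src, "host": host, "hidden": hidden})


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return the list of suspicious remote includes found in `html`."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['tag']:6} -> {f['host']}  hidden={f['hidden']}  ({f['src']})")
```

Run it over pages pulled from the live site (not from the file system, since the injection may be served from a compromised template or database rather than a static file) and treat any hit outside the allowlist as a reason to take the page offline and check the application for the entry point.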
Multi-stage infection (drive-by download)
[Diagram: browser -> web request -> web server (injected) -> redirected to exploit server -> serves exploit page -> redirected to malware hosting server -> downloads malware]
- Exploits are imported from other servers via iframes and redirects
- Once the browser is compromised, a dropper downloads and installs the actual bot malware
Website Protection Strategies
Plugging security holes
- Get security vulnerability warnings (available at http://www.hkcert.org)
- Regular and timely patching
Application firewall
- Blocks web application attacks
Writing secure web applications is the root solution
- Good coding practice; minimum privilege for the database user account
- Code scanning, vulnerability scanning
- HKCERT SQL injection defense guideline: http://www.hkcert.org/english/sguide_faq/sguide/sql_injection_en.pdf
- OWASP (Open Web Application Security Project) Top Ten Project: SQL injection, cross-site scripting, broken authentication and session management, misconfiguration. https://www.owasp.org/index.php/category:owasp_top_ten_project
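The "good coding practice" point for SQL injection comes down to one habit: never splice user input into SQL text. The following is an added example (not from the HKCERT guideline or the OWASP project) showing the vulnerable string-built lookup beside its parameterized replacement, both run against an in-memory SQLite table whose users and rows are constructed for the demonstration.

```python
"""String-built query beside its parameterized replacement, run against an
in-memory SQLite table. Added example, not from the HKCERT guideline; the
users table and its rows are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: a customer and an admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "hash-a", "customer"), ("admin", "hash-b", "admin")])
    return conn


def find_user_vulnerable(conn, username):
    """BAD: the input is spliced into the SQL text, so a quote character in
    `username` becomes part of the query structure."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """GOOD: the driver sends the value separately from the statement, so it
    is only ever compared as data, never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Same probe input against both functions; returns what each gives back."""
    conn = make_db()
    probe = "nobody' OR '1'='1"      # the classic test string a scanner would send
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, probe)),
        "safe_rows": len(find_user_safe(conn, probe)),
        "safe_normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns every row for the probe input (the `OR '1'='1'` clause is now part of the statement), while the parameterized one returns nothing because no username literally equals that string. The slide's other point, minimum privilege for the database account, is a server-side grant (e.g. SELECT/INSERT on the shop's tables only, no DDL) and limits what a query like the vulnerable one can reach if it does slip through; SQLite has no user accounts, so that part is not shown here.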
Website Protection Strategies
Defense in depth
- Separate web server and database server
Encryption
- Encrypt web communication
- Encrypt sensitive data on the server
Plan for contingency
- What if the website is not available? Alternate website? Manual procedure?
- Backup and recovery
Attacks to Web Users
Attacks targeting web users
- Attacks are more sophisticated, targeting two-factor authentication, using Man-in-the-Middle attacks
- From stealing credentials to transferring money on the spot, because the piggybacking window is temporary
- From phishing (fake site) to fraud on the real online site
- Targeted, because each online e-commerce site is different
- The e-commerce site does not see the hacker in its access log. They are in the browser, carrying the cyber identity of the customer
What is a Man-in-the-Middle attack?
- The hacker sits between the client and the server and is able to read, modify and insert messages sent between the parties
- Client and server are NOT AWARE of the existence of the middle man
- It is an ACTIVE attack, not passive sniffing
Normal HTTP connection:
  web browser -- GET http://abc.com --> web server
  web browser <-- HTTP/1.0 200 OK -- web server
MITM hijacked connection:
  web browser -- GET http://abc.com --> attacker -- GET http://abc.com --> web server
  web browser <-- HTTP/1.0 200 OK -- attacker <-- HTTP/1.0 200 OK -- web server
Botnets targeting banks and e-commerce
- Zeus and SpyEye botnets steal banking information with keylogging and form-grabbing features:
  - Take screenshots (saved to HTML without images)
  - Fake redirect (redirect to a prepared fake bank webpage)
  - HTML inject (hijack the login session and inject new fields)
  - Log the visit to each banking site and record the input string (text or POST URL)
Man-in-the-Browser
- Hacker's dream: breaking two-factor authentication
- Intercept the transaction
  - Install software/plugin inside the browser; hook major OS and web browser APIs and proxy the data
  - Rewrite the screen. Trick the user into entering credentials
  - Change the amount and change the destination to the attacker's account
- Change the display so the user believes their transaction was executed
  - Calculate the expected balance and rewrite the remaining total on screen
  - Store in a database in the cloud the amount transacted from the user's perspective
Source: www.cronto.com
Zeus in the Mobile: ZitMo (reported Sep-2010)
- Zeus ver 2.0, with Man-in-the-Mobile (MitMo) feature
- Mobile infection:
  - Infected PC visits the bank website
  - Zeus injects HTML content into the webpage, requesting the user to input their mobile phone number and IMEI number (and phone model)
  - Hacker sends a new "digital certificate" to the phone
  - User installs the Zeus mobile component. Platforms: Symbian, Android, WinCE and BlackBerry
- Sniffs SMS messages when woken up by a special SMS
- Steals the one-time password (OTP) sent via SMS
- 2011-July: SpyEye went mobile (Apr-2011) using similar techniques
Inserting a transaction (at login)
[Diagram]
1. User logs in: PIN + OTP, submit
2. Trojan kicks off a shadow login in the background (shadow login: PIN + OTP)
3. Trojan inserts a new window, "Not successful. Please retry"; the user enters PIN + OTP2 and submits
4. Hacker uses OTP2 to authenticate a transaction
Defense at the client side
3 baseline defenses are necessary but not sufficient:
- Protection from malware
- Personal firewall
- Updating patches: this is more and more important
  - Secunia Personal Software Inspector: http://secunia.com/vulnerability_scanning/personal/
  - Install Microsoft Malicious Software Removal Tool (MSRT)
Defense at the client side
- Use newer and secure browsers (Chrome 12, FF 5, IE 9); they come with new features: URL blocking, sandbox
- Use separate browsers for casual browsing and for transactions
- Avoid installing add-ons (extensions, ActiveX objects) on the browser
Attacks to Business Logics
Attacks on Business Logic
- As SQL injection and XSS vulnerabilities decrease, attackers shift focus to vulnerabilities in business logic
- Business logic flaws are not software bugs. Business logic abuses are not exploits. Attackers use the same functionality legitimate users use
- Web application firewalls have no defense against it
- Quality assurance may overlook this because tests usually test what the code is supposed to do, not what it can be made to do
Abuse of Functionality
Case 1: Winning an online auction
- Online auction website: every logged-in user can bid and view who is bidding what
- Intruder lockout: prevents password guessing for 1 hour after 5 failed tries within 5 minutes
What can be abused here?
- One can brute-force other bidders' account logins to lock them out (denial of service)
What can be done to improve?
- Use CAPTCHA instead of intruder lockout (as Gmail does)
- Is it necessary to display who is bidding what?
- Set a minimum bid to discourage unreasonable deals
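To make the case concrete, here is an added simulation (not the auction site's code, and not part of the original slides) of the two policies side by side: the slide's per-account lockout, and a throttle that counts failures per (source, account) and answers with a CAPTCHA requirement instead of locking the account. The user names, sources and timestamps are constructed; "source" stands for whatever the site uses to identify a client (address, session, device).

```python
"""Account lockout (the auction site's rule) beside a CAPTCHA-based throttle,
simulated in memory. Added example, not the site's code; user names, sources
and timestamps are constructed."""
from collections import defaultdict, deque


class LockoutPolicy:
    """Slide's rule: 5 failed tries within 5 minutes lock the account for 1 hour.
    The counter is per account, so anyone can trip it for anyone."""

    def __init__(self, max_fail=5, window=300, lock_for=3600):
        self.max_fail, self.window, self.lock_for = max_fail, window, lock_for
        self.fails = defaultdict(deque)   # account -> failure timestamps
        self.locked_until = {}            # account -> unlock time

    def attempt(self, account, source, password_ok, now):
        # `source` is ignored: the rule only looks at the account
        if self.locked_until.get(account, 0) > now:
            return "locked"
        q = self.fails[account]
        while q and now - q[0] > self.window:
            q.popleft()
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        if len(q) >= self.max_fail:
            self.locked_until[account] = now + self.lock_for
            return "locked"
        return "denied"


class CaptchaPolicy:
    """Failures are counted per (source, account). Past the threshold that
    source must solve a CAPTCHA; the account itself is never locked, so the
    legitimate owner logging in from elsewhere is unaffected."""

    def __init__(self, max_fail=5, window=300):
        self.max_fail, self.window = max_fail, window
        self.fails = defaultdict(deque)   # (source, account) -> failure timestamps

    def attempt(self, account, source, password_ok, captcha_ok, now):
        q = self.fails[(source, account)]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_fail and not captcha_ok:
            return "captcha_required"
        if password_ok:
            q.clear()
            return "ok"
        q.append(now)
        return "denied"


def simulate():
    """A hostile client fails 5 times against bob's account; then bob logs in
    with the correct password from his own source."""
    lockout, captcha = LockoutPolicy(), CaptchaPolicy()
    t = 1000.0
    for i in range(5):
        lockout.attempt("bob", "hostile-src", False, t + i)
        captcha.attempt("bob", "hostile-src", False, False, t + i)
    return {
        "bob_under_lockout": lockout.attempt("bob", "bob-src", True, t + 10),
        "bob_under_captcha": captcha.attempt("bob", "bob-src", True, False, t + 10),
        "hostile_next_try": captcha.attempt("bob", "hostile-src", False, False, t + 11),
    }


if __name__ == "__main__":
    print(simulate())
```

Under the lockout rule bob is shut out of his own account for an hour by somebody else's five wrong guesses; under the CAPTCHA rule he logs in normally while the hostile source is held up by a challenge. Keying on the source alone is weak against a botnet spreading guesses over many addresses, so in practice the per-account counter is kept as well, but it escalates to a CAPTCHA for everyone rather than to a lockout.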
Insufficient Process Validation
Case 2: CNBC's Million Dollar Portfolio Challenge
- Ten 1-week challenges among 375K amateur traders for a prize of USD 10K
- Steps to place a simulated stock trade:
  1. Select the stock to purchase and the number of shares; the user presses the submit button
  2. Backend system computes the total order using the current price and waits for user confirmation
What can be abused here?
- One can hold the step 2 confirmation until after trading closes, and execute only if the stock price has risen significantly
What can be done to improve?
- Always use the current share price to transact
- Set a timeout on the session
- Reject order execution after the market closes
Other Business Logic Abuses
- Information leakage
- Data scraping
- Password recovery
- Pump-and-dump
- Spoofing cookie values to gain access to other users' accounts
- and more
Reference: https://www.whitehatsec.com/resource/whitepapers/business_logic_flaws.html
Protection
Identification and detection of attacks
- Detect abnormal behaviour, e.g. large-volume downloads, non-human-speed activity
- Criminals behave differently from normal users: check login location, login device
- Log analysis
Prevention
- Pentest your business logic
- Use CAPTCHA to defend against robots
- Personal questions, such as image identification
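The detection side of this slide is log analysis, so here is an added example (not HKCERT tooling, not from the slides) that runs three of the checks named above over constructed access-log lines: requests arriving faster than a person can click, logins from a country or device the user has never been seen on, and a high-volume pull of the catalogue (the scraping case from the previous slide). The log format, users, addresses and thresholds are all constructed for the demonstration.

```python
"""Three of the abnormal-behaviour checks the slide lists, run over constructed
access-log lines: non-human request rate, logins from an unseen country or
device, and high-volume pulling of a resource. Added example, not HKCERT
tooling; the log format, users, addresses and thresholds are constructed."""
from collections import Counter
from datetime import datetime

# Constructed log: time user src_ip country device path
SAMPLE_LOG = (
    "2011-10-03T10:00:00 alice 203.0.113.5 HK desktop-ff5 /login\n"
    "2011-10-03T10:00:07 alice 203.0.113.5 HK desktop-ff5 /catalog\n"
    "2011-10-03T10:00:15 alice 203.0.113.5 HK desktop-ff5 /cart\n"
    "2011-10-03T10:05:00 bob 198.51.100.9 HK desktop-ie9 /login\n"
    # 12 catalogue pages pulled within the same second: a script, not a person
    + "".join(f"2011-10-03T10:05:01 bob 198.51.100.9 HK desktop-ie9 /catalog?page={i}\n"
              for i in range(12))
    + "2011-10-03T11:00:00 alice 192.0.2.77 RO android-unknown /login\n"
    "2011-10-03T11:00:01 alice 192.0.2.77 RO android-unknown /account/export\n"
)

# Constructed baseline: where and on what each user has been seen before
KNOWN_PROFILE = {
    "alice": {"countries": {"HK"}, "devices": {"desktop-ff5"}},
    "bob": {"countries": {"HK"}, "devices": {"desktop-ie9"}},
}


def parse_log(text):
    """Split each line into a dict; the timestamp becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, user, ip, country, device, path = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "device": device, "path": path})
    return events


def non_human_rate(events, max_per_second=5):
    """Users who issue more requests in one second than a person could click."""
    per_second = Counter((e["user"], e["ts"]) for e in events)
    return {user for (user, _), n in per_second.items() if n > max_per_second}


def unfamiliar_logins(events, profile=KNOWN_PROFILE):
    """Logins from a country or device not in the user's profile."""
    hits = []
    for e in events:
        if e["path"] != "/login":
            continue
        known = profile.get(e["user"], {"countries": set(), "devices": set()})
        reasons = []
        if e["country"] not in known["countries"]:
            reasons.append("new country " + e["country"])
        if e["device"] not in known["devices"]:
            reasons.append("new device " + e["device"])
        if reasons:
            hits.append((e["user"], e["ip"], "; ".join(reasons)))
    return hits


def high_volume(events, prefix="/catalog", threshold=10):
    """Users pulling more than `threshold` resources under `prefix` (scraping)."""
    counts = Counter(e["user"] for e in events if e["path"].startswith(prefix))
    return {u: n for u, n in counts.items() if n > threshold}


def report(text=SAMPLE_LOG):
    """Run all three checks and return their findings together."""
    events = parse_log(text)
    return {"burst": non_human_rate(events),
            "unfamiliar": unfamiliar_logins(events),
            "volume": high_volume(events)}


if __name__ == "__main__":
    print(report())
```

On the sample, bob's twelve page requests in one second trip both the rate and the volume checks, and alice's second login is flagged because it comes from a new country on a new device and is followed immediately by an account export, exactly the kind of sequence the slide says criminals produce and legitimate users do not. In production the profile would be built from weeks of history rather than a literal, and the thresholds tuned per site, but the logic does not change.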
Take down Botnet
Hit criminals' critical infrastructure
- Trace the supply chain of criminals (law enforcement)
- Bring down their infrastructure (ISP, DNR): C&C, malicious web sites, fake domain names
  - Domain name registries: manage domain registration abuse
  - ISPs: unplug malware-hosting networks
- Bring down spam-borne attacks
  - Corporations and ISPs to adopt Port 25 management (blocks SMTP); this forces spammers to use credentials, which is more accountable (advocated by APWG, CERT) http://www.maawg.org/port25/
Botnet Takedowns in the past 2 years
- Collaboration of law enforcement, Microsoft, security researchers, ISPs and domain name registries, taking the fight to the court
Operations
- Operation b49 (Waledac botnet): Feb 2010
- Operation Trident Breach (Rimecud botnet): Oct 1, 2010, in Spain and Slovenia
- Operation Tolling (Bredolab botnets): Oct 25, 2010, in the Netherlands
Note: the C&C is sinkholed; bots are redirected to a page informing users of the infection
Botnet Takedowns in the past 2 years
- Operation B107 (Rustock botnet): Mar 16, 2011; most C&C in the USA
  - Global spam down by 40% immediately afterwards
  - Bots still need to be cleaned up
- Operation Adeona (CoreFlood botnet): Apr 13, 2011
  - C&C sinkholed; a KILL command is sent to the bots to terminate them in memory
- Operation Trident Tribunal (scareware): Jun 22, 2011; along with international law enforcement partners, announced the indictment of two individuals from Latvia and the seizure of more than 40 computers. http://www.fbi.gov/news/stories/2011/june/cyber_062211
- Operation B79 (Kelihos, DNS abuse): Sep 26, 2011. http://blogs.technet.com/b/mmpc/archive/2011/09/26/operation-b79-kelihos-and-additional-msrt-september-release.aspx
Success Factors in Botnet Takedown
- Be a good neighbour: collaborate with law enforcement and CERTs to take down malicious content. If you and other parties (ISPs, OSPs, security researchers, academia) collaborate, the world will be different. WE NEED YOU!
- Creative disruption tactics in takedown
- Sharing of intelligence
- Operational security (confidentiality, coordinated timing and speed)
- Pre-empt future attacks: use a sinkhole to get information on the bots. Find the bot machines left behind before they join another botnet; they are vulnerable and may be leaking data
- Solve legal issues
Going Cloud
Security Issues arising from the Cloud
- Service level management challenge
- Crime in the cloud
  - Password cracking
  - Hosting of phishing sites, malware
  - Botnets in the cloud: Zeus using Amazon's EC2 as command and control server (Dec-2009) http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 ; SpyEye using Amazon S3 to exploit (Jul-2011) http://www.scmagazine.com.au/news/265367,amazon-used-to-spread-bank-stealing-trojan.aspx
  - Launching DDoS
- Investigation challenge
  - Most fraud and attacks are conducted via fraudulent accounts (fraudulent cards)
  - Creates one more investigation
  - No seizure of devices; no established forensics paradigm
  - Chain of custody starts with the cloud provider
  - Jurisdiction: where was the crime scene? Where to serve the warrant?
Security Opportunity with the Cloud
- The cloud is elastic, able to take up more traffic volume by design
- Secure Web as a Service
  - Provides a secured front line for customers' web servers
  - Shields against most application attacks
  - Shields against moderate-level DoS attacks
  - Continuous monitoring, regular audits
  - Investigation: learn from one customer and apply to others
  - ** But SSL websites may have confidentiality considerations
Conclusion
ATTACKERS
- Attackers go after $$$. E-commerce is a sure target.
- Attackers also go mobile, SNS and cloud
ATTACKS
- Security attacks are more and more sophisticated
- Botnets and invisible malware are the cybercrime vehicles
YOUR SECURITY, OUR SECURITY
- Public awareness is important: CARE is vital. Tools can only help.
- Close all security holes in (1) software, (2) procedure/business logic and (3) human
- We all need to work together for a safe, clean and reliable Internet.
Q & A
Website: www.hkcert.org
Hotline: 81056060
Email: hkcert@hkcert.org