hack miami emiliocasbas

RAISING SECURITY AWARENESS AMONG WEB OWNERS AND USERS
Emilio Casbas

Posted on 26-Jul-2015

TRANSCRIPT

The Presentation is about…

Badware and

Security awareness

The Problem is…

Some numbers…

30k new malicious URLs each day, 80% of them on legitimate websites

Sources:

• http://www.sophos.com/medialibrary/PDFs/other/SophosSecurityThreatReport2012.pdf
• http://www.barracudalabs.com/wordpress/index.php/2012/03/28/maliciousness-in-top-ranked-alexa-domains/

2 popular websites (Alexa top 25k)

Drive-by downloads

• http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v18_2012_21291018.en-us.pdf

Source: http://www.websense.com/content/websense-2013-threat-report.aspx

WEB SECURITY IS BECOMING MORE CHALLENGING

Source: Manufacturing compromise: The emergence of Exploit-as-a-service
http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf


HOW LONG malicious?

Source: Manufacturing compromise: The emergence of Exploit-as-a-service
http://cseweb.ucsd.edu/~voelker/pubs/eaas-ccs12.pdf

2.5h average lifetime (malicious URLs)

44 days average lifetime (compromised websites)

Compromised?

Business model?

Hot topic

But…

Some questions…

What website software is targeted?

How are the websites compromised?

Some info…

“Compromised websites: an owner’s perspective” (paper)

Source:

• http://www.stopbadware.org/files/compromised-websites-an-owners-perspective.pdf

Problem …

Compromised web sites

44 days average lifetime

Due to…

Lack of security awareness

of

Web owners

Example…


Only small websites?

http://www.eeye.com
http://www.ey.com
http://www.coverity.com
http://www.imperva.com
http://www.avaya.com
http://www.natwest.com
http://www.entrust.com
http://www.safenet-inc.com
http://www.secureworks.com
http://www.rbs.co.uk
http://www.mckinsey.com
http://www.conocophillips.com
http://www.ford.com
http://www.chevron.com
http://www.verisign.com
http://www.vasco.com
http://www.ingrammicro.com
http://www.eset-la.com
…

What could we do?

Promote a safer web?

Spend money on web security audits?

Webmasters help for hacked sites?


Can we…

Raise web security awareness

Would it be possible?...

Raise web security awareness

through an obtainable goal for every website?

Test time…

Raise web security awareness

(Proof of Concept)

Example


STATS:

210

9209

Compromised websites: CMS software

Security awareness value

BAD (fingerprint reveals outdated or version-disclosing software):

Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5
PHP/4.3.10-22
Microsoft-IIS/6.0
MetaGenerator[Joomla! 1.5]
Index-Of (directory listing exposed)

BETTER (versions hidden, hardening headers present):

UncommonHeaders[x-varnish]
X-Frame-Options[SAMEORIGIN]
X-XSS-Protection[…]
cloudflare-nginx
gws

Accuracy: >=20 / <20
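One way to compute a "security awareness value" of the kind the BAD / BETTER slide illustrates, as an added example and not desenmascara.me's own code: it parses a raw HTTP response header block, penalises every product/version token disclosed in Server and X-Powered-By, gives a small credit for a banner that hides its version (cloudflare-nginx, gws), and rewards hardening headers such as X-Frame-Options and X-XSS-Protection. The point weights, the >= 20 threshold and the two sample header blocks are assumptions constructed for this example, chosen only to reproduce the split shown on the slide.

```python
"""Passive 'security awareness' scoring from HTTP response headers.

Added example, not desenmascara.me's code. The weights, the >= 20 threshold
and the sample responses below are assumptions constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample responses (assumption: typical header sets, not captured from real hosts)
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5\r\n"
    "X-Powered-By: PHP/4.3.10-22\r\n"
    "Content-Type: text/html\r\n"
)
BETTER_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: cloudflare-nginx\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Varnish: 1234567\r\n"
    "Content-Type: text/html\r\n"
)

# A product/version token such as Apache/2.2.22, mod_ssl/2.2.22, PHP/4.3.10, OpenSSL/0.9.8
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")

# Headers whose presence suggests the owner has thought about browser-side hardening
HARDENING_HEADERS = (
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "strict-transport-security",
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block into a dict keyed by lower-cased name (status line dropped)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def awareness_score(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score a header set: -10 per disclosed version, +5 for a version-less Server banner,
    +10 per hardening header. Returns the score and a human-readable list of findings."""
    score = 0
    findings: List[str] = []
    for name in ("server", "x-powered-by"):
        value = headers.get(name)
        if value is None:
            continue
        leaks = VERSION_RE.findall(value)
        if leaks:
            score -= 10 * len(leaks)
            findings.append(f"{name} discloses versions: {', '.join(leaks)}")
        elif name == "server":
            score += 5
            findings.append(f"server banner without version: {value}")
    for name in HARDENING_HEADERS:
        if name in headers:
            score += 10
            findings.append(f"hardening header present: {name}")
    return score, findings


def verdict(score: int) -> str:
    """Assumed threshold: 20 points and above is BETTER, anything below is BAD."""
    return "BETTER" if score >= 20 else "BAD"


def assess(raw: str) -> Tuple[int, str, List[str]]:
    """Full pipeline for one raw response: (score, verdict, findings)."""
    score, findings = awareness_score(parse_headers(raw))
    return score, verdict(score), findings


if __name__ == "__main__":
    for label, raw in (("bad", BAD_RESPONSE), ("better", BETTER_RESPONSE)):
        s, v, f = assess(raw)
        print(f"{label}: score={s} verdict={v}")
        for line in f:
            print("  -", line)
```

The check is purely passive (it only reads headers the site already sends), which is the property that makes a public scoring service defensible: no request is sent that the site would not see from any browser.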

Desenmascara.me features:

• Show a security awareness value

• Infrastructure details in plain words

• Suspicious iframes

• Check website blacklisted

• Ranking best websites
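A passive check for the "suspicious iframes" feature listed above, as an added example that is not desenmascara.me's code: it collects every iframe in a page and flags the patterns drive-by injections on compromised sites commonly use (zero-size frames, frames hidden via inline style, and hidden frames whose src points to another host). The heuristics, the page host and the sample HTML (including the evil.example host) are constructed for this example.

```python
"""Flag iframes that look like drive-by-download injections.

Added example, not desenmascara.me's code. The heuristics and the sample
HTML below are assumptions constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample page: one legitimate embed and two injected frames
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://evil.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://evil.example/x.html" style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""

# Inline styles that hide an element or push it far off-screen
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value: str) -> bool:
    """True for width/height values of 0 or 1 (pixels, or bare numbers)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def iframe_reasons(attrs: Dict[str, str], page_host: str) -> List[str]:
    """Return the list of reasons an iframe looks injected (empty if it looks benign)."""
    reasons: List[str] = []
    if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
        reasons.append("zero-size frame")
    if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
        reasons.append("hidden via inline style")
    host = urlsplit(attrs.get("src", "")).hostname
    # Only a frame that is already hidden AND points off-site gets the extra reason;
    # visible third-party embeds (video players, widgets) are normal
    if reasons and host and host != page_host:
        reasons.append(f"hidden frame points off-site to {host}")
    return reasons


def find_suspicious_iframes(html: str, page_host: str) -> List[Tuple[str, List[str]]]:
    """Parse the page and return (src, reasons) for every iframe with at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    out: List[Tuple[str, List[str]]] = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs, page_host)
        if reasons:
            out.append((attrs.get("src", ""), reasons))
    return out


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, "->", "; ".join(reasons))
```

Injected frames are also frequently emitted by obfuscated JavaScript rather than present in the static HTML, so a static parser like this one is a first filter, not a verdict; a headless browser that renders the page and inspects the live DOM catches the rest.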

Desenmascara.me wishlist:

• Implement AI

• More passive checks

• Public stats

• Public API

• Open Source project?

Desenmascara.me wishlist:

• Raise web security awareness

• Decrease numbers of compromised websites


THANK YOU!

Questions?

ecasbas

“I’ve seen estimates that over 99% of all internet attacks could be prevented if the web systems administrators would just use the most current versions”

Bruce Schneier, Secrets & Lies

“Webmasters need to ensure that their websites are running good code that isn’t open to exploitation”

Ian Fette, Google Security Team