
Web Defacement

Anh Nguyen
May 6th, 2010

Organization

Introduction
How Hackers Deface Web Pages
Solutions to Web Defacement
Conclusions

Introduction
Introduction
Web Defacement
Hackers' Motivation
Effects on Organizations

How Hackers Deface Web Pages


Solutions to Web Defacement
Conclusions

Introduction
Web Defacement
Occurs when an intruder maliciously
alters a Web page by inserting or
substituting provocative and
frequently offending data
Exposes visitors to misleading
information

Introduction
Web Defacement
http://www.attrition.org/mirror/attrition/
Tracks defacement incidents and
keeps a mirror of defaced Web sites

Introduction
Hackers' Motivation
Look for credit card numbers and other valuable
proprietary information
Gain credibility in the hacking community and, in
some high-profile cases, 15 minutes of fame
through media coverage of the incident

Introduction
Effects on Organizations
Organizations lose
Credibility and reputation
Customer trust and revenue
E-retailers can lose considerable patronage if their
customers feel their e-business is insecure
Financial institutions may experience significant loss of
business and integrity

How Hackers Deface Web Pages

Introduction
How Hackers Deface Web Pages
Solutions to Web Defacement
Conclusions

How Hackers Deface Web Pages
Obtain usernames
Use information-gathering techniques
Make use of publicly available
information
Domain registration records
Use social engineering tactics
Call an employee and pose as a system
administrator

How Hackers Deface Web Pages (Cont.)
Guess passwords
Go through a list of popular or default
choices
Use intelligent guesses
Use social engineering tactics
Birth dates
Names of family members


How Hackers Deface Web Pages (Cont.)
Obtain administrator privileges
Perform additional information
gathering to find out useful tidbits
The exact version and patch levels of
the OS
The versions of software packages
installed on the machine
Enabled services and processes


How Hackers Deface Web Pages (Cont.)
Access well-known Web sites and
locate hacks that exploit
vulnerabilities existing in the
software installed
Gain control of the machine and
modify the content of pages easily


How Hackers Deface Web Pages (Cont.)


Sechole
An example of a privilege escalation
exploit on Windows NT4
The attack modifies the instructions
in memory of the OpenProcess API
call so it can attach to a privileged
process
Once the privileged process runs, the
code adds the user to the
Administrators group
The technique works if the code runs

How Hackers Deface Web Pages (Cont.)


Sechole
In the presence of Microsoft's
Internet Information Server (IIS) Web
server and some other conditions,
Sechole can be launched from a
remote location


How Hackers Deface Web Pages (Cont.)


Sechole
Another approach is to exploit
vulnerabilities in Internet servers that
are listening on open ports
No need to log on to the server
Execute malicious code over an open
legitimate connection


How Hackers Deface Web Pages (Cont.)


IIS Hack
Well-known example of a remote
attack on the IIS Web server
Hackers exploit a buffer overflow
weakness in ism.dll, causing
malicious code to execute in the
security context of the System on the
server


Solutions to Web Defacement

Introduction
How Hackers Deface Web Pages
Solutions to Web Defacement
Conclusions


Solutions to Web Defacement
Firewalls
Do not scan incoming HTTP packets
HTTP attacks (such as IIS Hack) are not
detected
Network-based Intrusion Detection Systems
(NIDS) and Host-based Intrusion Detection
Systems (HIDS)
Listen to packets on the wire, but do not block
them
In many cases, the packet reaches its
destination before it is interpreted by the
NIDS

Solutions to Web Defacement (Cont.)
Integrity assessment
A hash code (similar to a checksum) for
a Web page reflecting the page's
content is computed
The saved hash code is periodically
compared with the freshly computed
one to see if they match
The frequency of the hash code
comparisons needs to be high
The scheme collapses when pages are
generated dynamically
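
An added example (not from the original slides) of the integrity assessment described above: it records SHA-256 hashes for every file under a web root and, on each later run, reports modified, removed and added files. The HMAC seal on the saved baseline, the key and the sample pages are assumptions constructed for the demo.

```python
import hashlib, hmac, os, tempfile

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def seal(digests, key):
    """HMAC over the sorted baseline, so an edited baseline is detectable (assumption)."""
    body = "\n".join(f"{p}:{d}" for p, d in sorted(digests.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def compare(baseline, tag, key, root):
    """Verify the saved baseline, then diff it against freshly computed hashes."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        raise ValueError("saved baseline failed its own integrity check")
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write(root, name, body):
    with open(os.path.join(root, name), "w") as fh:
        fh.write(body)

def demo():
    key = b"constructed-demo-key"  # constructed; keep the real key off the web server
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.html", "<h1>Welcome</h1>")   # constructed sample pages
        write(root, "about.html", "<p>About us</p>")
        baseline = hash_tree(root)
        tag = seal(baseline, key)
        # Constructed changes standing in for a defacement between two checks.
        write(root, "index.html", "<h1>Replaced content</h1>")
        os.remove(os.path.join(root, "about.html"))
        write(root, "new.html", "<p>unexpected file</p>")
        return compare(baseline, tag, key, root)

if __name__ == "__main__":
    print(demo())
```

This covers static files only; a dynamically generated page has no stable hash to compare against, which is the limitation the slide notes.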

Solutions to Web Defacement (Cont.)
Multi-layered protection system
Needed in order to effectively deal with
Web defacement
On-the-spot prevention
Attacks should be identified before they
execute, i.e. they should be identified at
the service request level
Use system call and API call interception


Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
Administrator (root) resistant
Allow only specific predefined user (the Web
master), instead of the Administrator
account, to modify the Web site content and
configuration

Application access control
A single predefined program should be used
to edit and/or create Web pages

OS level protection

Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
HTTP attack protection
A protection module that scans incoming
HTTP requests for malicious requests, even
when the communication is encrypted,
should be used

Web server resources protection

Executables
Configuration files
Data files
Web server process

Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
Other Internet server attack protection
Bind (a DNS server)
Sendmail (an SMTP server)


Conclusions

Introduction
How Hackers Deface Web Pages
Solutions to Web Defacement
Conclusions


Conclusions
Thank you for your time
Questions and feedback are welcome


References
Prevent Web Site Defacement
http://www.mcafee.com/us/local_content/white_papers/wp_2000hollanderdefacement.pdf

