As a volunteer handler for IrissCert, I was notified of several Irish websites being compromised and containing malicious code. The presentation covers the investigation and incident handling process followed.
8. How do users feel?
2/3 have been victims
< 10% feel very safe
97% expect to be victims
Law Enforcement & Businesses lack resources
Friday 17 September 2010
29. Identification - Analysis
Exploited Sites hosted on one server
Weak FTP passwords (e.g. Ghost61)
Two most popular web site attacks –
• Gumblar - PHP Sites
• Asprox - SQL Injection
37. Lessons Learned
Things required for an IR plan -
• IR Team
• Contact List
• Regular Reviews
• Escalation Process
38. Lessons Learned
Awareness
Back-up & test the restore ;-)
Patch
Test website for vulnerabilities & exploits
Defence-in-depth
Free Local & Online tools for safer browsing & analysis
39. Lessons Learned
“A website must be able to protect itself from a hostile browser and a browser must be able to protect itself from a hostile website” Jeremiah Grossman (Feb. 2010)
40. Lessons Learned - Prep
Fail to Prepare, well you know the rest :)
41. Scareware Evolution
source: http://www.f-secure.com
43. Thank you very much
Twitter
@markofu
@irisscert
@hackeire
#irisscon
Google-Fu “scareware site:sans.org”
Unless stated, source of images -> Flickr Creative Commons, iStockPhoto or my own!!