Published by Gwendoline Gwenda Cain. Modified over 9 years ago.

WEBSENSE® SECURITY LABS™
2006 Semi-Annual Web Security Trends Report
OWASP Presentation
November 9, 2006
Jim Young (301) 512-3350

The Web and Security
– The Web is the #1 attack vector
– The Web is becoming an application platform
– More and more ways to attack

Security Research Division of Websense
Mission
Websense Security Labs discovers and investigates today's advanced Internet threats, publishes its findings, and works with leading security organizations regarding increasingly sophisticated and dangerous Internet threats.

What Security Labs do
– Discover and investigate Internet threats, including malicious code and phishing
– Research and classify threats
– Publish timely product and information updates to customers and the security community
http://www.websensesecuritylabs.com

Publish
Security Labs Alerts
– High profile web and internet threats
– Phishing, Malcode, MWS, Informational
– Free to subscribe
Security Labs Blog
– Additional information sharing for security professionals
– Tracks repeat attacks, emerging attacks, localized attacks

Key Trends
Easy-to-use hacker toolkits on the rise: Almost 15 percent of sites designed to steal information are derived from toolkits. These kits, made by professional malicious code writers, are for sale on the internet and allow non-sophisticated users to launch sophisticated attacks against operating system exploits and vulnerabilities.
Criminal motive of attacks more apparent: Traditional hacking for fun has been replaced with activities designed to steal confidential data to reap financial rewards. Websense found a 100 percent increase in sites designed to install keyloggers, screen scrapers and other forms of crimeware.
– Conversely, Websense has seen more than a 60 percent drop in websites designed merely to change user preferences, such as browser settings.
Increase in cyber-extortion: allowing malicious hackers to keep data hostage on an end user's machine while demanding a monetary sum to unlock the data.

Major Findings – 1H 2006
January 5, 2006 - First to discover more than 1,100 URLs that were attempting to exploit users who had not installed the patch for the Microsoft® Windows® Metafile (WMF) vulnerability, which was discovered by Websense Security Labs in mid-December 2005.
March 24, 2006 - First to discover 200 unique URLs that were attacking a revealed Internet Explorer® "zero-day" vulnerability that could allow code to launch without end-user consent.
June 21, 2006 - Reported on end users being lured to install malicious code through text messages. Victims received a message on their mobile phone stating that their mobile phone would be charged daily until the victim submitted information online.
June 21, 2006 - Reported a new type of attack that used email and voice over telephone, known as “vishing”. The attack targeted bank customers. As in traditional phishing attacks, users received a spoofed email message. However, unlike the most popular forms of phishing, where users are lured to a fraudulent website, this lure directed users to a telephone number.

Zero-hour / Zero-Day Vulnerability
Example: VML Zero-Day Exploit
– Exploits bug in the way IE handles VML
– No immediate IE patch
– WebAttacker kit has ability to detect browser settings and serve different exploits
– Downloads keyloggers, trojans, bots, worms, malware – often “drive-by” download (user intervention not required)
– Infecting 10,000 plus sites, including some legitimate sites, and was spreading fast
– Serves known exploits but also new and mutant variants for which the anti-spyware, anti-virus solutions had no immediate defense
[Slide graphic labels: Malicious Code, Phishing, Spyware]

Federal Government and Critical Infrastructure Cyber Protection
Nation-State Attacks
– Team expertise
– Computational power
– Motivation
FISMA
– More paperwork or more secure systems?
Protecting Personal Identifiable Information (PII)
Telework Initiatives and IT Security

Upcoming Events
Annual Computer Security Applications Conference, December 11-15, Miami, FL
DHS S&T New Tools for CND, Jan. 17, 2007, Washington, DC
Government-funded R&D
Play matchmaker
Next-generation:
– intrusion-detection and -prevention systems
– source code analysis solutions to eliminate errors in open-source applications
– secure memory monitoring products