Right, good morning everyone. I'm quite surprised that there's actually anyone here, given it's 10am in the morning. So my name is Gunter Ollmann; with me is Stefan Frei. There's a couple of other people that couldn't make it here today, Thomas Duebendorfer and Martin May. So we're talking about some research that we did recently, paper last month on this. So we're talking about how do we, you know, what happens to the internet if you've managed to exploit 100 million plus hosts, hopefully before brunch. So we weren't quite sure about what sort of state we'd be in, so if you're wondering about the little G in the top right-hand corner, that's a reminder to us of who's actually meant to be speaking. And as you can probably tell from the accents, we're not precisely locals.

So here we go. So the situation: yeah, the internet is getting more and more hostile. There's a lot more profit-motivated attacks. There's a new sort of economy about, you know, who's going to be doing these attacks, how much money you're going to make. There's been a lot of press about the mass defacements, you know, all these iframe injection code, these iframe injections using your cross-site scripting or search engine optimization, already driving the drive-by downloads type of things. And, you know, if you look at the press, you're probably seeing all these things about, there's a big SEO attack in March, where just one of the URLs in the injection was about 1.2 million
defacements, page defacements. From where I work, yeah, we're currently monitoring about a hundred thousand new defacements or repeat defacements every week, and so these are all typical iframe injections, all driving to a particular website or websites in Hong Kong, China, these sorts of things.

And, you know, given all this information about all the websites being hacked and all these mass defacements and all that, we sort of thought, yeah, there's a lot of data about the servers and about what's happening there. But if you actually managed to do a really good iframe injection and managed to install it onto, you know, fairly very popular sites, what would be the real damage? So how many, you know, how many hosts out there, so how many web users are actually out there today that would be infected through these fairly common attack vectors? And have a look at that side and try to get, you know, sort of a ground truth of, if you've got everything just running just right, you know, how big a damage could you actually do? So, you know, that's what we were interested in finding out.

So what we sort of looked at is, you know, so how do we measure this? How do we understand how many vulnerable web users and vulnerable web browsers there are out there? Nice easy one: yeah, the user agent field. In every single HTTP packet, the nice user agent in there. You know, if you're using anything except for Internet Explorer, minor version information about that particular web browser, and, thank you, most of the web browsers now, with all the additional plugins, you also get a lot of details about the actual plugins that have been installed on top of those web browsers. Okay, and of course, you know, just about every single web server will record the information. It's more of a case of just sifting out the user agent information, and, you know, the browser version, in particular the minor version, can be easily associated to a particular
So how do we get that information? Yes, one of us had a good idea, saying, well, Google has lots of web servers. They get lots of traffic. You know, how can we sort of get our hands on some information? So we managed to get hold of, or work with, Google on the analysis of their web logs. So we had access to all of their user agent data by day from between January 2007 through to January 2nd. So, great, thanks to Google for giving us that, and, you know, everyone understands just how big Google is, and, you know, this is sort of the first study to actually have access to that truly global data set and that massive, massive volume of data. But a key thing is, you know, no, we didn't hack Google. We actually just asked them very politely for access to the information.

Okay, and this is what we found out. Based on our measurements, more than 37 million users do not always use the latest, most secure version of their browsers. We came up by measuring directly, using this methodology, Opera, Safari and Firefox. You see their respective numbers, and we estimated Internet Explorer; I'll show you later how we came up with this estimate. As with an iceberg, the tip above the water is just a smaller part; the bigger part below the water is what we couldn't measure, and this is one of these, plugins, that even the most secure browser can be owned by.

So, more interesting: the numbers I showed you before are just at the end of our observation period. Now we looked at what is the evolution of the share of the latest major version of those four browsers.
What we see here is, for example, Firefox and Internet Explorer 7 have different dynamics. They were released in about the same month. Firefox acquired about, more than 90% of the share within Firefox browser versions; Internet Explorer 7 is still only about half of the percentage, or half of the people that use that browser. Very interesting also, if you look at Safari 3: around July 2007, this was the beta version that was released, and we observed the jump from around zero to about ten percent. Looks like they have a beta user community. Then we have the next two jumps: the official release of Safari 3, and then the massive rollout together with the new version of the operating system. When you look at Internet Explorer 7 around Christmas 2007, January 2008, looks like lots of people got new boxes with Windows installed.

Another observation is the end of support of Firefox 1.5. Again, if you look at May 2007, there's a big jump in Firefox. So Firefox, end of May, was the latest version of 1.5 released, and the big jump happened then, when the first patch that was only available for Firefox 2 was released. So this was obviously a huge incentive for people to upgrade their browsers.

So this was the major version of the browsers. Now we look at, within the latest major version, what is the pool that we found that applied all the patches available at a certain date?
So the maximum share of most secure browser versions we found was in Firefox. Within those 1.5 years when we measured, they had 83.3 percent at max. At the other end, we found Internet Explorer at maximum 47.6 percent. Part of this situation is because Internet Explorer still has a huge share of all the versions that are, like, Internet Explorer 6 and below. They don't have technologies like and deficient one term that we need in today's hostile environment.

Okay, I said before, Internet Explorer 7 doesn't reveal the minor version. So we had a look at the Secunia Personal Software Inspector, a very nice tool that every one of you can install, and it parses the registry and reports the versions it finds back home. Obviously, using the user agent string is unbiased, because you all contributed to our measurement without knowing it, but if you use PSI you have to install a tool first. So the results from PSI are biased. If we take directly the results from PSI, we see 4.4 percent of Internet Explorer 7 is not patched. If we compare results from Secunia with our measurement results, we find the correction factor of around two point one to in their data, and we use this correction factor of two point one to come up with our number of 637 million hosts at risk.

Okay, what's the dynamics if we zoom in on about a two or three months window? We see here the update dynamics for two updates of Firefox two seven two zero seven two zero zero eight. We have very, very high dynamics. We seem to say, first three days after the release of a new version, so the latest version, and then it gets up with the most recent version. We've seen in about three days the Firefox population installs, or eighty percent of the Firefox population installs, the most recent version.
We also see a very sharp decline of the second latest version. So, say, a couple of days, ten or twenty days after the release of a new patch, the second latest version drops easily below five percent.

Compare Firefox and Opera on the whole year 2007: this is the dynamics we found. So we used Firefox and Opera; they are very similar. Those are free browsers. They run on a big selection of operating systems. We again see the same dynamics I showed before repeated for Firefox. On the other hand, on Opera, technically it's the same dynamics, but it's much, much slower. So for Opera it takes more than 11 days percent of what they had before a new patch was released, and the share of obsolete or very old versions still is very, very high for Opera, just because they expand the time so much. Another observation is this sawtooth on top of Firefox; we called this the weekend effect. It turns out that the most recent version of Firefox is more popular during the weekend than during the week. Probably an option is that the private users adopt new versions faster than the corporate users in their environment.

So obviously, when you're looking at all these different browsers, major, minor versions, the question really that comes: why aren't people upgrading? Why aren't they patching and, you know, applying these latest security fixes, the latest major advances, to their software? And frankly, users themselves, the general population, probably excluding anyone here, when, why and how to patch their systems. Okay, and they don't understand really why they need to upgrade to these newer features. And, you know, when we look at even some of the better updating systems for the browsers, the messages that are popping up and the advice provided to the users is generally seen as botherware, okay, and so if they can click through by cancel or whatever, then that's what they tend to do. So, you know, how can things sort of be helped? Yeah, can we nudge them and all that?
You know, the normal sort of way is, you know, try to scare the shit out of them, really, and generally that sort of works for techies. But, you know, the vast majority of people out there running a web browser, surfing the internet, have no idea, and, you know, exploits, vulnerabilities mean nothing to them; malware means nothing to them. You know, when they bought their Dell computer, and, you know, in 2000 it came with a three-month license of McAfee, and, you know, aren't they still safe from that?

So one of the things that we were sort of thinking about, you know, we put in the paper for a bit of discussion, was what happens if you take something that's, you know, well known to consumers, you know, consumers of software and consumers of anything. We thought, well, what about if you try to apply a best before date, or best before philosophy, to software? You know, so it works really well in foods. You know, when you're going down to the grocery store and you see a bottle of milk there, you check out the best before date or, you know, expires by date. You know what that means to you. You know, as you get closer to that expiry date, you might sniff the milk a little bit. If it's a week after the milk's expiry date, you're going to be very wary of it. You know, it's not saying that you don't use it; it just makes you more aware of what you should be doing about that particular consumerized item. And so we're sort of thinking about, yeah, can you apply that to software, in particular web browsers? And, you know, as one example, we're sort of looking at, you know,
How could you get this idea across and say, here's a, if you imagine that the browser itself is now telling you that, you know, it's been expired for a certain number of days and there's a certain number of patches that are missing. Yeah, this is by far not a solution. You know, the ideal solution is that auto updates work silently, work 100% of the time, and do it instantaneously. But, you know, just making users aware of what these problems are may be the first sort of step. We've had a lot of feedback from organizations, particularly financial organizations, that like the ads expiry dates and best before dates associated with browsers in particular, so they can sort of work out in advance whether, you know, their customers, as they connect to their websites and start using them, if they're using a very old browser, you know, the probability that they've already been compromised in some way gets incrementally higher. So they can do extra back-end checking about your fordent transfers and other transactions.

So what can we sort of say in conclusion? Well, first of all, yeah, so if you want to hack a planet, you don't need a zero-day. Okay, a well-placed iframe on a popular search engine would be more than enough to generate, you know, gather 100 million odd infected web browsers, you know, on a daily or weekly basis. This isn't big stuff.
This is very, very easy stuff. You know, actually, browser patching itself is a very complex problem. You know, there have been great improvements in those auto patching technologies, but they're still, you know, a long way from actually working. You know, and from our analysis, we're quite happy to say that, you know, Firefox is leading the pack on actually getting the auto updating and actual patching process working for web browsers the best.

But, you know, patching itself is only really part of the solution. This whole thing is really about the ergonomics of how easy it is to actually use these patching processes. You know, so when we looked at comparing, you know, Firefox with Opera, Firefox requires one click to apply the latest updates; Opera, on average, about 11 clicks to install the latest version. Now, I guess, you know, from what we're sort of seeing, and, you know, a lot of the psychology, psychological analysis of these processes, are really basically saying that, you know, if you have to prompt the user, you're going to fail. And normally what you see on any of these browser technologies, any time that there is a pop-up message saying, you know, you need to do this, or there's an option, that means that the expert who wrote the web browser, or the expert who developed the application, didn't know what to do themselves.

So, given we're all sort of the experts and one summer sensor or not, you know, here I've got a couple of screenshots. So can you tell from these two screenshots which browser is missing the last eight patches and is still running
Flash version 6: A or B? It's a sort of trick question because it's IE 6, so we didn't class it as the most, it's that, frankly, for any user, there is no visual way of being able to tell whether you're using a secure browser or an insecure browser, or how many patches you're missing. So if we don't know as the experts, then how are 1.4 billion users supposed to know that they're still using the right sort of technologies?

So with that, I think our time is sort of up. So I'd like to say thanks, and of course, yeah, you all contributed to our results if you've ever used any Google services. And I guess we've got a few questions, if there are any.