Good evening everybody. Welcome back from the club or wherever you were at. Hopefully some of you got some sleep, and I'm actually pretty impressed with the number of people that are here for a Sunday morning at 10. So congratulations on making it this far. My name is Dan Hubbard. I'm not a bot. I'm going to talk today about Web 2.0 and Web 2.0 honeypots, something that I'm calling Honey Jacks.

So Web 2.0, and the web in general, is very interesting in how things are changing and evolving at a pretty rapid pace. I travel quite a bit with work, and one of the things I like to do is take pictures of machines running kind of important stuff. I actually had one of the, I think it's the Paris hotel, has that big screen out there and there was a blue screen on it a couple of days ago. But the picture didn't work out well enough. So this one I was at the airport in Vancouver, and it turns out that my flight was on time, or not. I couldn't really tell actually. So nothing really all that interesting, there's a little active script message on the screen. But what was really interesting to me was that after that the webmaster developer at the airport opened up the web page and started developing and changing the code right there on the fly. You could actually see him changing it and then hitting apply, save, loading up the screen again, another error, and typing in save over and over again. So it kind of just shows where we are. I mean, this really is a perpetual beta. Live testing really runs into troubles, and versioning, or the lack thereof, makes it difficult to disclose these types of problems.

So really the agenda I'm going to talk about: you know, wow, the web has a version number. Who knew? Then I'm going to talk about Web 2.0, or something I call Exploit 2.0. I'm going to talk about Honey Jacks, what they are, why they're important, what we use them for, the different types that can be deployed.
Then I'm going to talk a little bit about reporting from those accounts, how you can automate some of this, then disclosure. As I said, disclosure, and full disclosure or responsible disclosure depending on what side of the camp you're on, is a whole different game when it comes to website problems. Lastly of course I'm going to talk about legal aspects, I'm sure you all are interested in that. A bit of a grab bag, and then we'll wrap it up. I imagine I'll probably have some time for questions and answers here because I don't have too many slides to go through.

So, you know, one of these things is not like the other. This is O'Reilly's meme map. O'Reilly actually coined the term Web 2.0 and I believe attempted to trademark it. So really, you know, Web 2.0 is everything. What is it? Wow, I don't really know actually. I guess it's a philosophy according to a number of people. But if you look at this meme map there are some kind of interesting things that stick out about Web 2.0. One is trust your users. So trust your users that are actually connecting to your website, that are actually going to connect to your website and manage the content of your website. Well, that's kind of interesting in security. You know, when was the last time we started trusting users? Second one, small pieces loosely joined. The web is components. Sometimes this is called mashups. I like to call it mushups. Take all kinds of components that kind of are the same, that have all kinds of different versions for all kinds of different companies. Mash them together and then sell parts or buy books from that site or roll over and get a cool image of a map. You know, emergent, user behavior not predetermined. It's really hard to understand how your environment is going to be changed when you don't know the behavior of the end user. You always want to model kind of what the end user is going to do. You want to look for certain inputs into the system.
Well, if you don't know what they're going to do, if it's unpredictable, it becomes harder to manage. I talked on this, or I touched on this a little bit earlier: perpetual beta. There's no release. These things are always changing. Every single day, almost every hour, almost every minute, some of these sites are changing. There is no versioning. It's always beta. And lastly, it's kind of funny, hackability. So, you know, tons of hackability in these sites.

So just looking at some of the Web 2.0 characteristics. Losing control of your own destiny, which is user created content. Who do you trust, which are social networks? I'm going to touch on these a little bit more, but, you know, the great thing about social networks is, hey, it's my friends. I trust my friends. Of course I'm going to allow him to send me some data. That's my buddy. Unintended installations and code injection and RSS. Mashups. You know, the any-port-80 rule in every company. Well, security guys are often the last ones to know. Security guys in the company don't really know that, hey, the web developer just decided that they're going to connect to another company to do some type of transaction. That's all over the web. Their firewall says, hey, allow that. Port 80. Go for it. But I have a firewall. You know, it's all about the information, not the network. And lastly, and this actually is probably one of the biggest points, is, you know, it's just so easy and, you know, it's just so cool to do Web 2.0 things. It's very in vogue. There's a lot of venture capitalist money out there. Lots of people are investing in this, and it's almost like the .com thing all over again. And a lot of people are deploying these technologies without understanding the implications of that, simply because they were told to or simply because it's cool. And it's really easy to do. You know, in many cases, the programming logic is abstracted from the user.
Just call some Windows program which does everything for you behind the scenes. You've got to really understand what that actually means.

So let's talk a little bit about user created content. Basically, the property owner, which I like to call kind of the web, the website owner, is leasing space to their users. Saying, hey, I own this property, but I'm going to lease a little bit of space to all my users. And I'm going to kind of allow them to do what they want to do. And I want to get as many users into that space and help them, enable them to do as much as they can in a very dynamic environment. That's usually what it's all about. We're talking about a minimum of 400 to 500 million pages changing dramatically in real time in some of these domains. So, I mean, this is really, really active. Content stripping, you know, it's done, but it's very difficult to enforce. How do you enforce a language that can be obfuscated and encoded in so many different ways? It's really hard to strip this data out. We've seen it time and time again. You know, you put some content stripping in, someone gets around it through some type of vulnerability. It's really easy to test for vulnerabilities. You know, just connect to the site. Try a script. Try and post something. You don't have to download anything. You don't need a license. It's free in many cases. They're very open platforms. Very little disclosure. So there's not a lot of disclosure going on. Hey, there's a vulnerability in this particular web property. And a vulnerability means all kinds of different things. There's not necessarily a buffer overflow or a zero day or some type of client or application vulnerability. In many cases, it's a configuration problem. You know, they have to allow dynamic graphics and content. If they don't, they're not successful. So this can run into problems, you know, QuickTime, a good example. Trust within the user networks. And lastly, used as a many-to-many communication platform.
This is a lot different than how the web used to be, where it was kind of like connect to a site, you know, and then I go to another web page. Now it's, I'm connecting and I'm communicating to people through the site itself.

So just looking at some examples. The one on your right is a MySpace exploit that happened where some adware purveyors figured out a way to actually inject iframes into people's profiles. There was a large number of profiles that were infected. And the iframe pointed to a site that had the WMF code on it. WMF I think was about a month old at that time. There was a patch available for about a week. But there were reports of about a million users or so being infected. My machine obviously was prompted to run the code. Second example, Wikipedia. Someone created a post on the German version of Wikipedia. Put a Trojan horse on there. Sent out a spam. Did a spam run. Attracted people to the Wikipedia page. Presumably they clicked on it and were owned. The last one's a little more recent. This is fairly, getting fairly common, or more frequent. This is a MySpace profile where a cascading style sheet has been put over top of the original page. And when you connect to your page, it looks just like your profile. But anywhere you click the mouse, it doesn't matter what you click the mouse on, it asks you to log in. You log in and it takes your credentials from your profile. And many people ask, why do I want MySpace credentials? What am I going to do with that? It's kind of pointless, right? Well, there are kind of two big reasons among others. One is that you can impersonate that person in that friend network. So you can go into their friend network, and presumably they're popular, hopefully, in which case you can impersonate that person and gain an extra level of trust. The other is that people use the same usernames and passwords all over the place.
So why not try that username and password on bankofamerica.com and Wells Fargo and their email and all other spaces.

So now I'm going to talk a little bit about social networks. Does anyone recognize who that is in the picture? That's the most popular person on MySpace. Her name is Tila Tequila. Basically a fabricated personality of a real person that is now incredibly popular all through MySpace. All through MySpace. She has an album. She has a movie contract. She does all kinds of personal appearances. She was one of the people of the year in Time this year, if you can believe it. Currently she has, what is it, 70 million views to her profile and approximately 2 million friends. One person. So the problem with social networks is really interlinking hundreds of millions of users. As I said, this is a communication platform. For a lot of the new generation internet users, email is still year 2000, Dad. I can't believe you use that. Wow, everyone uses MySpace. Why would I bother using email? I can't send all these cool widgets and gadgets to my friends. I can't connect to multiple people at once. It's not a good medium for that. More contacts equals better sites and more success. So the more contacts you have within your network, the more sought after your profile could be. We saw with the Samy worm that one friend can infect millions of users through their network. So there's always the chance where you can actually get people automatically to join your profile. I'm going to talk about that later. And finally, one account compromise can be used to gain user trust. Imagine if you got the whole Tila Tequila profile and you got 2 million friends instantaneously. You can do all kinds of things with that. Lastly, a lot of people think of the social networks really as a toy or an entertainment thing. Well, it's actually not anymore. You know, I often hear people on the planes or at the airport. Yeah, man, my LinkedIn profile. I just got my 1,000th contact.
You know, how many contacts have you got on LinkedIn? Well, you know, I've only got 700. I've got to really work on that. So it's really not just about entertainment. It's about business colleagues. It's about networking with associates. It's about recruiting. It's about gaining popularity in your space. You ever want to see a bunch of headhunters? Just put your profile on LinkedIn and put all kinds of garbage in there. You will get more headhunters coming after you than anything else you could think of. This is just an example of a recent zero day from VDA Labs on the LinkedIn toolbar. Pulled in the Metasploit shellcode and allows you to run code without user interaction.

So just a little sidebar on Web 2.0. This is kind of related to this, but not too much. You know, RSS is becoming very popular. I think with IE7 and Vista, it's built in. With Outlook 2007, it's built in. And it's almost NNTP all over again. And the interesting thing is I think people are going to start using RSS more and more. And people are going to start sharing feeds. And hey, can I get your feed, your meta feed for entertainment news, or can I get this feed? So there's a chance that people could be going after the meta feeds or the feed distributors. And imagine the amount of people that you could infect by just going after those particular feed users. And the great thing about RSS is it's there and it runs without the user. The user doesn't have to open and interact and connect to a site. RSS is just connecting with a heartbeat and pulling data down to your machine. And in many cases, they're just embedding a browser within that. So a vulnerability within a browser could potentially open a vulnerability within an RSS feed.

So now I'm going to talk about Honey Jacks. So Honey Jacks really are kind of the next step in kind of honey technologies. I'm sure everyone is really familiar with honeypots. Honeypots are set there to emulate operating system and application behaviors.
Usually they just kind of sit out on the internet and attract users, or don't attract users. Nowadays, you don't have to do a lot with a honeypot to get stuff. And they're designed to either get infected or track an end user in some way. Honeyclients are kind of the opposite. Honeyclients actually emulate client behavior. In our labs, we use honeyclients a lot to go out and monitor the web and connect to websites and run code from those websites to see if it's doing something it shouldn't be doing. So honeyclients are getting more popular. There are honeyclients for web, peer-to-peer, DNS mining, all kinds of things. So this is really the next step. Honey, obviously from honey technologies, Jacks from Ajax. So Honey Jacks are user accounts, profiles, in web social networks. They can also emulate user behavior.

So why would you want to deploy these? So the first thing is an interesting stat from the guys at Akismet. Akismet is from the same gentleman that did WordPress, which is one of the most popular blogging software packages, open source, well, the most popular by far. And right now 95% of all blog comments are spam. That's pretty huge. So if you believe that spam and porn are kind of, you know, similar, right? And things often start with spam and porn, and often turn into phishing and malcode, then we're in for it. I mean, if 95% of all the stuff that's getting posted up there is spam, and if you believe that spam could turn into phishing and malicious code attacks, then there are a whole bunch of things that could happen in the next little while here. I mean, the spam problem is not a little one, and the spam problem hasn't really gotten all that much better over the last little while. It's one new weapon in the arsenal to help research Web 2.0 threats. This isn't the silver bullet obviously, this is just a tool. The threat playing field is changing. You know, research really needs to evolve with it.
You know, downloading and asking your customers for samples of binaries, taking those samples, throwing them into IDA, reversing them, creating a signature and updating all your customers, isn't really doing that great anymore, right? I mean, the attacks have really changed. This is one of the ways the attacks have changed. And finally this could be used by the property owners also. There's nothing that says, hey, you know, big Web 2.0 company, why don't you deploy Honey Jacks? Why don't you figure out what people are doing in your space? So they're designed to help assist tracking and trending attacks, the attackers, and potentially predators. Escalation to the abuse or security department of property owners, track common techniques, collect samples of binary code for detection and protection, collect URLs and script code for detection, and finally to monitor outbreaks. So, you know, at Websense we use the last four for the most part, where we're really looking at common techniques people are using and automated routines that people are using to put URLs and to put malicious code inside other users' profiles, and then we gather that data, investigate it, research it, and then hopefully pump out some protection to our customers.

So what types are there? The first one is something I call passive Honey Jacks. These are the ones that we use the most. These are accounts in Web 2.0 space that are not luring users to add them in any way. Very similar to honeypots, but they're user accounts. So you just add an account inside some popular network and it just sits there. It doesn't do anything whatsoever. It's just an account. The second is something called active Honey Jacks. Active Honey Jacks, from a legal and acceptable use policy standpoint, are probably the most controversial. These are accounts or bots in Web 2.0 space that are designed to join networks.
So they're actually designed to go out there and join other people's networks in an automated way and potentially solicit other users to join their networks. Like, hey user, come and join my network. And also reply to requests. So we do have Honey Jacks that do automatically reply to people's requests. So we get friend requests going into a lot of our Honey Jacks, and we have an automated routine that goes in there and says, yes of course I'm going to accept your invitation, and then we collect data on it. The last one are hybrids, or passive aggressive Honey Jacks. These are the most fun to deploy if you're a creative person. But these are accounts that are designed to lure users to visit them through their characteristics. No automation here. So some obvious examples, like pornography. Some not so obvious examples are baby boomers looking for friends, music fans, common interest groups, popular merchandise, contests. And I'll show you some ways to set your profile to attract certain people to them and certain attackers to them.

So the first example is one that I put up a while ago. I was attempting to sell a picture of a bike on eBay. So as you can see the picture was done in, I think it was MS Paint, if I recall. I'm not the most artistic person. Anyways, it was kind of interesting to me the number of bots that actually were trying to win my auction. You know, who in their right mind would actually apply or try and buy a picture, let alone this picture, of a bike. But I noticed that a bunch of bots actually were connecting to my profile and bidding on it. Oh, that's kind of weird. Oh well, maybe I'll sell my picture. And then at the very end of the auction, something funny happened. Someone won the auction for about 300 bucks. And I thought, you know, wow, you know, do I print it? Just send him a JPEG, you know, how does he get it? So I emailed the person, who actually had no reputation on eBay whatsoever.
And according to their profile, you probably can't see it, but they were in Colombia. And I said, hey, congratulations, you won the picture of the bike. How are you going to pay for it? I'm wondering how they're going to pay for it. He said, I'll get back to you as soon as possible. I'm going to pay for it. I want it. I really want it. You know, ship it to me. Okay, that's weird. I don't have an address. How am I going to ship it? He replied back and said, oh yeah, okay, I'll get back to you as soon as possible. Don't go to the next buyer. I really need that bike. Okay, great. Finally, after, you know, I think it's 48 hours, whenever it expires before I was going to go to the next person who was bidding on it, he emailed me this and said, I want the bike. Give me the number, account bank, and tomorrow I solicit deposit to your morning. Please, I want your bike. Thank you. So basically, he wants me to give him my bank credentials so he can connect to my bank and do whatever with my data. I don't know if he ever actually looked at the bike, but I never heard from him again. I, of course, asked for all kinds of other data from him.

Next example is something I put up on YouTube. This is just an example of how pervasive spam is in some of these networks. Within, I think it was, it was about a month, on just something I threw up on YouTube, which was a video of nothing, really, I had three unsolicited requests, and one was actually pretty violent. It was a violent request that I had to connect to their website as soon as possible and download something or I'd be in big trouble. So that's kind of interesting.

The next one is what I was talking about in passive aggressive, and I don't know if anyone's ever heard of eons.com. I may be old but I'm not that old. I'm not a baby boomer yet. But the really interesting thing about these kind of baby boomer Web 2.0 properties that are coming out is the users are not that technical, for one. The users have a lot of money in many cases.
Many times they're getting ready to retire. Many, sometimes they have retired. And they don't really get the security aspects of the internet. So good old geriatric here joined a bunch of these networks, and the profiles that I selected were ones that were things like looking to retire. People looking to retire in great cities. People that like Mercedes-Benz 500s. People that have money that they're willing to invest, which if you can believe it is a big group. So you think of an attacker, if you're going to go after someone, why not go after one of these great social or special interest groups that have a great profile from that aspect. They're not that well educated in this stuff. They're just kind of learning the web. They've got a lot of disposable income, and hopefully their sons or family members don't work in security. So great targets. This is an example of one of our passive aggressive Honey Jacks that we had for a while. This was in MySpace. Within a month we had about six unsolicited requests. MySpace X's out accounts that are doing things that are bad, or that are supposed to be doing things that are bad, so you can see how quickly people connect to you, try and join your network, and then get deleted.

Now I'm going to talk about active Honey Jacks. There are really four types, as there are in any software world. There's open source. There's commercial. There are POCs, or proofs of concept. And finally there is the favorite of most people here, I would imagine, which is do it on your own. So the first example of active Honey Jacks, open source, that's out there is Facebook bot. And there are actually a lot of these available in source on SourceForge and a number of different open source locations, all kinds of pro modules that are available. And basically these allow you to do things like posting profile pictures automatically, tagging pictures, changing your status, wall commands, joining groups, adding friends, sending and reading private messages.
My favorite, a system for generating random sentences. So lots of pretty powerful stuff that you can use with these, and they're updated quite a bit. Second is commercial. And I would be careful about the commercial things that are out there. Most of the ones I tried are kind of lame. The open source ones are quite a bit more powerful. I don't know if I would spend money on this. I'm also not sure how they install themselves and some of the practices they do behind the scenes. But one example out there is something called FriendBot, that for 55 bucks you can join MySpace friends, you can join Facebook. You can send invites to everyone you know. You can send invites to people you don't know. There are bulletin services. It tells you when people are online. And it's really designed to create a bot for things like Facebook and MySpace and promote your band. The next example is the Samy worm. This is obviously a proof of concept that doesn't work anymore. But you know, the really interesting thing about the Samy worm was that A, all it did was add people to his account. So it didn't really do much damage. And it could have been a lot worse, right? I mean, you connect to a million users and all you do is connect them to your profile. Well, it could have been a lot more nefarious than that. But that's the worm. I mean, I don't know how many lines that is, but that's like 50 lines of code. So testing and writing these things, it can be done very rapidly, and you can do things like infect a million users with 50 lines of code. That's pretty impressive. This code is available on the web. It's not exactly secret, of course. Then the last one is do it on your own. Some great tools that are out there. Webbots, Spiders, and Screen Scrapers. A decent book there. It teaches you really how to screen scrape a web page. It teaches you how to write a crawler or a webbot to connect to websites. Ajax Hacks from O'Reilly. Probably the best Ajax book that's out there that I've seen, at least.
The JavaScript book from O'Reilly, the fourth edition, is good. It goes into all kinds of different encoding techniques, decoding techniques, obfuscation. And finally Mozilla's SpiderMonkey, which is the JavaScript engine for Firefox.

Now that you've got all these Honey Jacks out there deployed, how do you report on them and how do you actually get some type of forensics? The first one is most social networks allow you to send a heartbeat via SMS or via email to some central location when someone attempts to add themselves to your network or even send you an email. That's kind of the easiest way to do it: to say, hey, any time someone connects to my profile, send me an email, send me an SMS, and then I'll investigate from there. But a better way is to write your own spider or your own bot that connects to your accounts and actually fingerprints the content of your page and then attempts to see if things have changed. This could be a little bit more accurate because if someone changes your profile, just for example, if someone gets into your account, changes your SMS or email settings, you can account for that. You obviously have to make sure all dynamic content changes by the host are accounted for. The easiest example there is ads. So, you know, most of the Web 2.0 properties have ads that they dynamically place, and they're different for every single person that connects to your page. So you have to account for that if you're fingerprinting the content. All changes should be kept and stored, so every time you connect to your page, download it and connect to it. You can also fingerprint the URLs that are dropped. So get a list of all the URLs and all the hrefs that are in your Honey Jacks and then create a comparison. Look for all the other hrefs that are in there, because the number one thing that people do is they drop an href to an iframe or a cascading style sheet or something else outside of the property or on another compromised account.
So if that appears, if an href appears that wasn't yours originally and isn't an ad, then there's a good chance something bad is going on. Content should be analyzed from the data mined source. So once you get an href, you've got to connect to the href where it is, download the code and analyze it. You've got to see what it's doing. If it's a binary file that happens through some type of exploit, run it in a sandbox, monitor the behavior of it. If it's JavaScript, run it through a decoder. These things are usually pretty heavily encoded now, because the filtering that the web property owners are doing is looking for different types of JavaScript. So there's always kind of, or inevitably, a way to get around the encoding filtering. So usually it's encoded in some way, so you've got to run it through a decent decoder. HTML code should be tested for candidates to send to the sandbox. You want to report the information to the vendor, the web property owner. I'm going to talk about this a little bit later. It sounds real easy, but there aren't really great processes on a lot of these websites for reporting information.

And finally, the law and the terms and conditions of some of these sites. Any type of honey technology, really, if you're a corporation, you want to check with your legal team before you deploy these. Check the acceptable use policies, terms and conditions. And as I said earlier, be wary of commercial software with their EULAs, because they may do stuff like track what you're doing within that particular space in order to sell that information to somebody else. I took a snapshot of MySpace's terms and conditions. You probably can't read it, but number four says: any automated use of the system, such as using scripts to add friends or send comments or messages, is prohibited. So I warned you, it's on their site. And really, I think this is a huge problem out there right now.
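The fingerprint-and-compare routine described above, as an added example in Python; it is not code from the talk or from Websense. It extracts every outbound reference (links, iframes, scripts, stylesheet links) from a saved copy of a Honey Jack profile, ignores hosts on an ad allowlist so ad rotation does not trigger alerts, hashes the remaining references as the page fingerprint, and reports references that were not in the stored baseline. The profile HTML, the ad host and the other hostnames are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption (constructed): hosts that serve per-visit ad content, so their
# URLs differ on every crawl and must not count as a change to the profile.
AD_HOSTS = {"ads.adnetwork.example"}

# Tags whose attribute can pull code or presentation into the profile page.
REF_ATTRS = {"a": "href", "iframe": "src", "script": "src", "link": "href",
             "embed": "src", "object": "data"}


class RefExtractor(HTMLParser):
    """Collect (tag, url) pairs for every outbound reference on a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = REF_ATTRS.get(tag)
        if not name or not attr.get(name):
            return
        # Only stylesheet <link> tags matter here (CSS overlays); skip icons etc.
        if tag == "link" and "stylesheet" not in attr.get("rel", "").lower():
            return
        self.refs.append((tag, attr[name].strip()))


def is_ad(url):
    """True when the URL points at a known ad host whose content rotates per visit."""
    return urlsplit(url).hostname in AD_HOSTS


def extract_refs(html):
    """Set of non-ad (tag, url) references found in the page."""
    parser = RefExtractor()
    parser.feed(html)
    parser.close()
    return {ref for ref in parser.refs if not is_ad(ref[1])}


def fingerprint(html):
    """SHA-256 over the sorted non-ad references; stable across ad rotation."""
    canon = "\n".join(f"{tag} {url}" for tag, url in sorted(extract_refs(html)))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def new_refs(baseline_html, current_html):
    """References present now that were absent from the stored baseline."""
    return sorted(extract_refs(current_html) - extract_refs(baseline_html))


def snapshot(html, fetched_at):
    """Record to keep for each crawl: when, the fingerprint, and the refs seen."""
    return {"fetched_at": fetched_at, "sha256": fingerprint(html),
            "refs": sorted(extract_refs(html))}


# Constructed baseline: the profile as saved when the Honey Jack was created.
BASELINE_HTML = """<html><body>
<h1>Looking to retire somewhere sunny</h1>
<a href="http://social.example/profile/friend1">friend1</a>
<iframe src="http://ads.adnetwork.example/slot?id=111"></iframe>
</body></html>"""

# Constructed later crawl: the ad rotated (harmless) and two references
# appeared that were never part of the profile.
CURRENT_HTML = """<html><body>
<h1>Looking to retire somewhere sunny</h1>
<a href="http://social.example/profile/friend1">friend1</a>
<iframe src="http://ads.adnetwork.example/slot?id=982"></iframe>
<link rel="stylesheet" href="http://social.example/profile/other-account/overlay.css">
<iframe src="http://dropsite.example/x.html" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for tag, url in new_refs(BASELINE_HTML, CURRENT_HTML):
        print(f"new {tag} reference not in baseline and not an ad: {url}")
```

Each flagged URL is then the "data mined source" to fetch and analyze separately (sandbox for binaries, decoder for JavaScript), while the snapshot record is what you store for every crawl.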
We mine about 90 million websites every 24 hours looking for sites that have been compromised and have malicious code on them. And we find anywhere between about 200 and 300,000 sites on any given day that have garbage on them. And one thing that is getting worse is the percentage of sites that have been compromised versus something that's been set up by a bad guy, you know, a domain name or his own site or something else. Last I checked, we were at about 55%, 60% of all the pages that we're connecting to are compromised legitimate websites. There was this big case with MPack in Italy recently, when there were like 10,000 websites that were compromised. And quite often it's pretty depressing, because we have stats going back to like 2002 where there are literally 50 different iframes that have been put on the same site, one after the next, just over and over and over again by an automated bot. And you can just see at the bottom of every one of their web pages is an iframe to a different site. You know, the attackers don't clean their stuff up, they just go in there and keep adding stuff in there. And yes, there are vulnerabilities in browsers. I mean, news. You know, obviously these kits that are being used out there are getting better at determining who's the user connecting, whether it's on people not patching also. But I think what's overlooked is the website side. So really, website security I think really has to be taken more seriously. There are massive amounts of problems with sites not being patched, configured incorrectly, allowing bad data, and they're becoming a conduit for others. There are entire groups out there that track sites that are compromised, that sell space on sites that are compromised, or that talk about compromises on sites. And one of the worst, these big hosting facilities have a few machines and then literally thousands of vhosts on these machines.
One compromise through a bulletin board, phpBB or something else, and you have access to all these websites that are out there. So website security, or the lack thereof, is a huge problem. Cross-site scripting, open redirectors, allowing binary file posts, not scanning uploaded files, poor script filtering are all big problems. Posting binary files to your site, I mean, there's not much functionality there. The minimum, you could look at the header of the file or something to see if it's a binary, or run it through antivirus or something. Open redirectors, open redirectors are a huge problem. We see big name websites that have open redirectors, and the phishers and lots of other guys work off of that. What they do is they just append the site for some type of cross-site scripting. phpBB, SQL, old web servers and old operating systems are all too common.

So one of the big problems here is there's a real problem with tracking this kind of stuff. I mean, as I said, there are no versions, right? Well, there is version 2, Web 2.0, but the web is a big place. So how do you version a website? How do you version a web page? Well, maybe we should start versioning the content of a page, or the front page of some of these sites. Add a timestamp, an example of the code and maybe a hash. And when it changes, that's a new version of some sort. Now that's pretty dynamic, but at least if you're reporting or disclosing something you could say this time, this date, this site, this example code with this hash had this data, versus saying this is the data. In the back end it's really hard to report that. No reporting. Security departments must field reports on websites and do more testing and retesting. I feel bad for the corporate security guys at a lot of these big web properties, because usually they're very small. Talk to some of the big names out there, like top five web properties, and we're talking handfuls of people, and the development teams are huge.
So they've got the big problem, and they're also the roadblock. We want to release this new thing that allows us to track users everywhere they are on the globe. The security guy's not going to have any say in that. So security departments have got to somehow get themselves involved in that. Change controls. Try and force yourself into the process. This is something that actually recently changed. No public credit. One of the reasons why people don't buy bugs is because they like to. They like to have credit, and it's good kind of thought leadership for their company. So why not start issuing public credit for vulnerabilities within the web properties, not just the applications or the OSes or the server applications? And actually, the first of this month Microsoft started doing that on TechNet, and Google has been doing this, to start helping the people. They're helping you. You're going to do that, and there are going to be a lot fewer things happening behind the scenes, or surprises out there. Property owners really have got to get to know who's in your backyard. I know that's hard with the small number of security people that are out there, but look into things like Honeyjacks, look into automation in your content space. It's a huge security struggle because you don't manage your own domain. Other people do. Not only do other people, the marketing folks are kind of on the other side of the fence. They want to open everything up: this other Web 2.0 company is now doing this, we've got to do that, let's do it fast. And finally, just an idea. How about a web owner area on OSVDB? How about we start disclosing things on OSVDB and keeping track of them?

So, just a grab bag, or maybe answering some questions from website owners or researchers. The first question, and one of the problems we run into quite often, is: what if there's a reference in one of my Honeyjacks but the site is down? And this happens a lot.
One of your Honeyjacks reports back to you, or one of your crawlers connects and it says, hey, there's an href with an iframe on my site. It's in there. You go to connect to it and it's down. What would you do? One thing to do is query the search engine for link references. See if that page is being linked anywhere else, in any other profiles. See if it's being linked anywhere else. See if they're using it for some type of search engine poisoning. See if when you search for a music album that site comes up. Check for cached pages. Google cache is a great place to find old data, good and bad. Look at the age of the domain, if there's a domain. Look at the history of the site. Has it been used for phishing in the past? Has it been used for something bad? Look at who registered it. Look at who the neighbors are. Quite often, especially in big compromises, if you run a nearest-neighbor algorithm against the address space, you'll notice that you're in a bad area. You expand that area and, hey, there's bad stuff all around that area. So expand and see who the neighbors are. See if they're doing bad things.

Finally, my boss told me that I need to make our website Web 2.0. Should I? If you can, get the security team involved. If you're a security guy, get involved. Make sure they buy off on the design and implementation, that they can reproduce it. I would say to start off with anything, kind of educate people on the risks. Show some examples, like the ones from my presentation. One of the very interesting things about this, or about the amount of money that's being invested in these things, is that personally, I don't believe there's a lot of brand equity in these spaces. People are investing hundreds of millions of dollars in some of these. MySpace was sold for a lot of money. Facebook has got a big price tag on it. Well, is there a lot of brand equity in those? What if there's a huge compromise in one of these sites and it really infects a lot of people?
I don't think the switching cost is that high. I think people will switch pretty easily. The next MySpace will come out, right? Remember GeoCities? That was huge. Who's got a profile on GeoCities now? If your company has a huge equity in this, you've got to really elevate that, elevate the security risk. Look at mitigation techniques, incident reporting and handling.

So in conclusion, don't run with scissors. Before you deploy Web 2.0, be educated on the risks, or actually, check to see if you've already deployed Web 2.0 technologies, because there's a good chance that most of you have. If you must have user-created content, filter it, filter it, pen test it, report, update your filters. You'll be really surprised when people are trying to post to your sites, automatically and manually. If you're a security researcher, you know, at the heart of all this stuff is JavaScript, XML, and a number of other technologies that wrap around that. So advanced JavaScript, you know, it may not be as cool as assembler, you know, debugging it isn't really as kind of underground, but it's pretty powerful stuff. I mean, you can do a lot of stuff with JavaScript. Learn it, you know, live it, but you know, you don't have to love it, of course. And finally, you know, there's a lot of good stuff out there. There's a lot of really cool Web 2.0 stuff. You know, I'd be lying if I said, you know, I didn't use Google Maps, MapQuest, and a lot of these things. But as with anything, you know, with functionality comes security risk. And honestly, this happened kind of overnight. You know, Web 2.0 and all these things, I mean, 80% of the top 20 websites are Web 2.0 enabled. All this functionality just kind of happened. It's kind of like instant messaging five years ago, where all these corporations were going, wow, I've got an instant messaging problem. Well, yeah, people have been using it for about two years now.
But you know, I really think that people are able to pick up on this and really start researching it and understanding the risks involved in it. So, you know, get involved. So, any questions?

Hello? Is this thing on? The question was, you know, is there any good technology to protect against connecting to these things? So, you know, I work for a vendor, obviously. So we like to think we have some good technologies. But, you know, I'm not going to do any vendor pitches. In general, and one of the really interesting aspects of that is, originally, about a year ago, nobody wanted to allow their users to connect to MySpace, Facebook, and LinkedIn. It was a blanket policy: we do not allow users to connect to these sites. And now we're starting to get more and more companies that go, you know what? Bill in accounting has to connect to MySpace to do this. And, you know, Larry, the CTO, has to connect to Facebook to do this. And Bill in sales has to connect to LinkedIn. So you definitely have to kind of open the floodgates a little bit, without, obviously, having the security problems. But as far as gateway stuff, you know, any product that does gateway scanning, that looks at encoded data, that has signatures, has heuristics, has some type of reputation service, can help out there. But we can talk after, if you want, about product specifics. Any other questions? Yeah, back row?

Yeah, the question is, what's my opinion on kind of stateful web proxies? Yeah. So, I mean, web proxies are great, obviously, because you get to see all of the packets and the payload of all that data. But the problem with most web proxies is they don't have kind of the information-layer intellect to know what's bad and what's good. They rely on something else, like antivirus, for example, to do that. So, you know, if you're going to invest in something, either, you know, invest in something that's quite your own thing that allows you to look at the actual data itself. Okay.
Yeah, I'm not intimately familiar with the product, but, you know, I'd have to take a look at it to see what it does.

Yeah, SSL decryption is a very interesting subject. A lot of companies are now doing SSL decryption in order to inspect the packets on the wire to see if there's something bad in them, and then putting it back on the wire, and basically intercepting the certificate authority and, as you said, essentially doing a man in the middle. So, obviously, there are privacy concerns there, right? I mean, if data is being decrypted and stored somewhere and then thrown back on the wire, it's something that you definitely want to be aware of, and you'd better make sure those products have good security, because all of your certs and all of your user data are going to be inspected and potentially stored somewhere, either in memory or on disk. So, you know, if you're deploying that type of technology...

Yeah, so the question was regarding standards and web authentication, I believe. Well, I spoke at the Anti-Phishing Working Group last year and some guys spoke about authentication 2.0. So, you know, maybe there's something there. I'm not aware of any standard that's helping out with that side of things. The web is, you know, the Wild Wild West, right? It's really hard to standardize on something, especially as broad as the web, and as broad generically.

Oh, there's no other... Oh, sorry. Go ahead. Oh, yeah, of course. Yeah. And, you know, when we find a site that's compromised, we put it in our list, and people can't... our users, if they decide to, can't connect to it. Well, thank you. Oh, sorry. No. No experience, really. Not that I can talk to intelligently, at least. Thank you for your time and I'll be in
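The two mechanical pieces of the talk, versioning a page by timestamp, code sample and hash, and a crawler or Honeyjack reporting an injected iframe on a site, are shown together in the following added example. It is not code from the talk or from any Websense tooling. It assumes the page HTML has already been fetched; the site names (on the reserved example domains), the two page snapshots and the hidden-iframe heuristic (zero or one pixel size, or CSS that hides the frame) are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects every <iframe> on a page: its src, whether it is visually hidden,
    and the raw tag text (the 'example of the code' to put in a report)."""

    def __init__(self):
        super().__init__()
        self.refs = []       # list of (src, hidden) tuples
        self.snippets = {}   # src -> raw start-tag text

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        style = a.get("style", "").replace(" ", "").lower()
        # Heuristic (an assumption for this example): injected frames are usually
        # 0x0 / 1x1 pixels or hidden with CSS so the visitor never sees them.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.refs.append((src, hidden))
        self.snippets[src] = self.get_starttag_text()


def snapshot(site, html, when=None):
    """One 'version' of a page: site, time, content hash, iframe refs and code snippets."""
    p = _IframeCollector()
    p.feed(html)
    when = when or datetime.now(timezone.utc)
    return {
        "site": site,
        "timestamp": when.isoformat(),
        "sha256": hashlib.sha256(html.encode("utf-8")).hexdigest(),
        "iframes": p.refs,
        "snippets": p.snippets,
    }


def external_iframes(snap):
    """Iframe refs pointing off the site's own host: the ones a honeypot should report."""
    own = urlparse(snap["site"]).hostname
    found = []
    for src, hidden in snap["iframes"]:
        host = urlparse(src).hostname
        if host and host != own:
            found.append((host, hidden))
    return found


def diff_versions(old, new):
    """Compare two snapshots of the same page. Same hash means same version."""
    if old["sha256"] == new["sha256"]:
        return {"changed": False, "added": [], "removed": []}
    old_set, new_set = set(old["iframes"]), set(new["iframes"])
    return {"changed": True,
            "added": sorted(new_set - old_set),
            "removed": sorted(old_set - new_set)}


def report(new, diff):
    """The disclosure record the talk asks for: this time, this site, this hash, this code."""
    lines = [f"{new['timestamp']} {new['site']} sha256={new['sha256']}"]
    for src, hidden in diff["added"]:
        flag = "hidden" if hidden else "visible"
        lines.append(f"  + {flag} iframe -> {src}: {new['snippets'].get(src, '')}")
    for src, _ in diff["removed"]:
        lines.append(f"  - iframe removed -> {src}")
    return "\n".join(lines)


# Constructed sample pages (not real sites): a clean front page, and the same page
# after a bot has appended a hidden iframe pointing at a made-up host.
CLEAN_PAGE = "<html><body><h1>Flight status</h1><p>On time</p></body></html>"
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://bad.example/in.php" width="0" height="0" '
    'style="display:none"></iframe></body>')

if __name__ == "__main__":
    v1 = snapshot("http://www.example.com/", CLEAN_PAGE)
    v2 = snapshot("http://www.example.com/", INJECTED_PAGE)
    print(report(v2, diff_versions(v1, v2)))
```

Hashing the whole page is the simplest "version" and is deliberately strict: any edit, including a legitimate one, is a new version, so the iframe diff is what tells an operator whether the change is worth a report. A real crawler would store each snapshot and run the same diff against the previous one on every fetch.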