Videos

Malvertising & Mobile Malware Madness:

This talk has two parts — 1) I survey some of the most recent trends in malvertising (malicious advertising) attacks and solutions on the web, and 2) I describe some preliminary work on the behavioral analysis of mobile applications and mobile malware. In the first part of this talk, after briefly reviewing some recent malvertising cases, I describe both a technological approach and business model for mitigating malvertising on the Internet. In the second part of the talk, I discuss the results of an experiment on over 10,000 Android applications in which we identified privacy and security violations through behavioral analysis techniques. Finally, I bring together what we can learn from battles of the past by discussing the looming threat of mobile malvertising and what we can do to cap it.

Mobile Malware Madness and How to Cap the Mad Hatters:

This talk surveys mobile malware (such as DroidDream, Ikee, and Zitmo) that has recently infected hundreds of thousands of user devices, and shows demos of how web malware threats such as drive-by-downloads and malvertising are on the horizon for mobile devices. We also discuss how behavioral-based malware detection techniques can be used to identify and neutralize such malware.

Black Hat 2011:

Android attacks and smartphone privacy leaks

In this video from the Black Hat 2011 security conference, Neil Daswani, CTO and co-founder of Dasient, talks about his conference presentation. Daswani and his team demonstrated a drive-by attack on Google Android smartphones using a vulnerability in Webkit and a coding error in Skype. The exploit bypasses the Android platform sandboxing security features, allowing an attacker to take complete control of the smartphone to steal contact information, account credentials and other sensitive data. While the hole used in Webkit has been patched, Daswani believes more weaknesses exist in the browser engine. In addition, Daswani explains the results of his team’s behavioral analysis of more than 10,000 Android applications. The study found widespread privacy leaks.

Drive By Downloads: How to Avoid Getting a Cap Popped in Your App:

This talk will present state-of-the-art web-based malware attacks and describe how the techniques used have evolved over time. Learn how today’s attackers use additional mechanisms to inject malicious code, conduct multiple injections into a single web page, use multi-DOM node injections, foil first-generation web-based malware scanners and rely on social engineering technologies.

Prerequisite knowledge: Attendees should have a general understanding of web application security and malware threats.

Session learning objectives: Attendees will gain increased awareness of drive-by-downloads, and how they have morphed over time, as well as an understanding of modern drive-by-download techniques. To support this, we will provide code samples of new, modern-day drive-by-download attacks and highly technical information. We will also provide pointers to freely available resources, including a Twitter data feed that can be used by attendees and webmasters to stay on top of the newest drive-by-download infection types.

Dasient: Cybercrime Interviews

Mar 26, 2011 Dasient, the leader in Web anti-malware technology, envisions an Internet that is safe and malware-free for users and online businesses. Dasient protects the websites of leading financial services, e-commerce, media, web hosting and other global enterprises from losses of data, revenue and reputation caused by web-based malware attacks. Furthermore, Dasient’s adaptive security intelligence re-defines Internet security by scanning the expanses of the Web and harnessing the power of data to mount defenses against future malware attacks.

Dasient Interview w/ Neil Daswani

Mar 26, 2011 Dasient, the leader in Web anti-malware technology, envisions an Internet that is safe and malware-free for users and online businesses. Dasient protects the websites of leading financial services, e-commerce, media, web hosting and other global enterprises from losses of data, revenue and reputation caused by web-based malware attacks. Furthermore, Dasient’s adaptive security intelligence re-defines Internet security by scanning the expanses of the Web and harnessing the power of data to mount defenses against future malware attacks.

Black Hat DC: Malware Distribution via Widgetization of the Web

Mar 25, 2011 The Web 2.0 transformation has in part involved many sites using third-party widgets. We present the “widgetized web graph” showing the structure of high traffic web sites from the standpoint of widgets, show how web-based malware and scareware is propagated via such widgets, and provide data on how a mass web-based malware attack can take place against the Quantcast 1000 web sites via widgets.

Commonwealth Club: Keeping the Net Healthy: Vint Cerf and Paul Mockapetris

October 4, 2010 Viruses, spyware, spam, phishing, zombie machines. Several years ago, we might have thought of these as just a nuisance, and their perpetrators as mostly underemployed kids. Today, cybercrime is worth billions of dollars to loosely organized networks of criminals that prey on individuals, businesses and governments with malicious or profit-seeking intent. What are some of the current threats, and how is industry responding to them? What new threats might we expect in the coming years? Is the Internet’s health partly a result of misaligned incentives, where those who cause the damage don’t bear its costs? How can we change that? What more should industry, government and individuals be doing to protect the network and, ultimately, ourselves? Note: There are additional bookmarks to chapters of the video in which Neil had some exchanges with Vint and Esther. Watch additional bookmarks of the video here:

Black Hat 2010: mod_antimalware

July 25, 2010 Drive-by downloads planted on legitimate sites (e.g., via “structural” and other vulnerabilities in web applications) cause web sites to get blacklisted by Google, Yahoo, and other search engines and browsers. In this talk, I describe the technical architecture and implementation of mod_antimalware, a novel, open-source containment technology for web servers that can be used to 1) quarantine web-based malware infections before they impact users, 2) allow web pages to safely be served even while a site is infected, and 3) give webmasters time to recover from an attack before their web sites get blacklisted by popular search engines and browsers. There are multiple parts to the video. Watch additional parts of the video here: Black Hat 2010: mod_antimalware

Dasient: The Only Tool You Need to Protect Your Site Against Malware

February 25, 2010 Shariq Rizvi and Neil Daswani used to tackle security issues at Google. Together with former McKinsey consultant Ameet Ranadive, they decided to found the company Dasient in 2008 after recognizing that malware targets were becoming more and more diversified each year. Dasient will not only notify you when your website has been compromised and show you the malicious code; it also offers a risk assessment report telling you every possible outlet for future breaches. Webmasters can be more proactive in protecting themselves from hackers.

Mitigating Web-based Malware Attacks

July 29, 2009 Over the past few years, malware that spreads primarily by infecting web pages has emerged as a trend so significant that the major search engines (including Google, Yahoo, and MSN) and browsers (such as Firefox, Chrome, and IE 8) have been blacklisting infected web pages to protect users. This presentation provides statistics about this trend, and discusses how we can scalably defend websites from the problem via an open-source, security-as-a-service model that enables hosting providers to protect web sites that they host. I’ll also discuss how Dasient’s technology platform provides automated diagnosis, monitoring, and quarantining of web-based malware, and a few ways in which search engines, technology providers like Dasient, and hosting providers can collaborate to control the spread of web-based malware.

The Entrepreneurial Sindhi

July 26, 2009 Entrepreneurship is in the blood of Sindhis. This talk will cover how we can retain and grow our entrepreneurial nature, bringing positive impact to the world in the process, and even turn our diaspora into one of our greatest strengths (for instance, through events like this YSA Retreat). In 1947, Mahatma Gandhi said “The Sindh Hindus are first-class businessmen. Why are they running away to Bombay, Madras and other places? It will not be they who will be the losers… for they will make money for themselves, wherever they go. There is hardly any place in the world where Sindhis are not found. In South Africa they were making big money and gave of it liberally to the poor.” Gandhi could not have hit the nail on the head any better. There are multiple parts to the video. Watch additional parts of the video here: The Entrepreneurial Sindhi.

Emerging Security Vulnerabilities & the Impact to Business

January 29, 2008 This talk discusses how IT professionals can go about learning what they need to know to prevent the most significant emerging data security vulnerabilities, and the impact these vulnerabilities are having on electronic commerce. In this talk, I will review how attacks such as XSRF (Cross-Site-Request-Forgery) and SQL Injection work, and how to properly defend against them. Then, I will present some industry-wide statistics on software security vulnerabilities reported to various databases, and emerging trends in the field of software security. Finally, I will discuss the current state of security education, and provide pointers to certification programs, books, and organizations where you can learn more.

How Cybercriminals Steal Money

June 16, 2008 Attend this session and learn how you can prevent today’s most significant data security vulnerabilities—the kind that leave businesses open to fraud that ranges from capturing tens of millions of credit card numbers to stealing money from bank accounts to constructing next-generation botnets. We’ll review how cross-site request forgery, cross-site script inclusion and SQL injection attacks work and discuss their impact on Web 2.0, AJAX, mashup and social networking applications. We’ll present industry-wide statistics on security vulnerabilities, cover emerging security trends and discuss the current state of security education. Then we’ll tell you how to defend against security attacks and how to modify your software development process to achieve security, and we’ll recommend certification programs, books and organizations that can help you secure your applications.

Protecting the World from Cybercrime

August 28, 2008 Since 2005, over 230 million customer records have been lost or stolen in security breaches, and data breaches are at an all-time high in large part due to increased reliance on electronically stored files. Should you be concerned about the security of your personal information on the Internet and with the issue of online fraud? Do you wonder what could be done to help secure the web and our cyber-infrastructure? Come hear compelling stories about some of the most significant cyber-attacks over the past few years and what can be done to protect the world against rampant cybercrime and mass identity theft.

What Every Engineer Needs to Know About Security and Where to Learn It

July 10, 2007 This talk discusses recent trends in security, and what every engineer needs to know to prevent the most significant emerging threats such as cross-site scripting and SQL injection attacks. Just as every engineer might use object-oriented design principles to achieve extensibility and re-usability, every engineer needs to employ principles such as the principle of least privilege, fail-safe stance, and protecting against the weakest link to achieve security. Instead of focusing on “tips” and “tricks” that allow you to “band-aid” the security of your systems, we discuss how to derive defenses based on the application of security principles, such that you can determine how to deal with new threats as they come along or application-specific threats that might be relevant to your domain. Finally, we present some statistics on the current state of software security vulnerabilities, and discuss existing and upcoming challenges in the field of software security.

Stanford BASES Innovatorsʼ Challenge Mini-Documentary 2005

The Innovators’ Challenge is an exciting, annual technology competition organized by BASES, the Business Association of Stanford Engineering Students. Find out more about the competition, the teams that compete, the judges, and the areas of research and development the competition attracts! This mini-documentary is presented as a “report” to the organization’s board of directors.

The Growing Threat and Impact of Web-Based Malware

The way malware is being distributed has undergone a fundamental shift, with attackers focusing on planting “drive-by downloads” on legitimate sites in an automated fashion, taking advantage of vulnerabilities in hosting platforms, web applications, and structural vulnerabilities in web sites. The impact is quite significant — end users can get infected simply by visiting affected web sites, and webmasters lose their traffic due to having their infected sites blacklisted by search engines and browsers. In this talk, we present data from the past year analyzing the growth of infections, and show how webmasters can take a holistic approach to preventing, detecting, containing, and recovering from such attacks. The data that we present has been gathered from Dasient’s telemetry systems, including its web-based malware infection library containing over 110,000 distinct samples (the largest of its kind), and its industry partners. For instance, over two million web sites have been infected in the past year, which means that the number of web pages infected with malware almost doubled in the last quarter compared to a year ago. This presentation will also focus on discussing how IT professionals can mitigate the threat of web-based malware infections by using a variety of resources and technologies.
