Computer security Lecture 10. Web security, Mobile security
|
|
- Randall Gallagher
- 8 years ago
- Views:
Transcription
1 Computer security Lecture 10 Web security, Mobile security
2 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
3 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
4 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
5 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
6 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
7 Web protocols The HyperText Transfer Protocol (HTTP) belongs to the application layer of the OSI network layers A client sends a request (GET or POST) to the server The web server interprets the call, extracting user-provided parameters Sometimes there are back-end servers that provide the actual content (e.g., from a database) The server responds with a page in HyperText Markup Language (HTML)
8 Uniform Resource Locator/Identifier/Name The URL part is put through DNS lookup The URN part is used to identify the file (or data entity) desired by the client The hierarchical structure is not quite orderly in a URI TKO1.pdf Attackers have formed hostnames with characters that look like a slash...
9 Phishing
10 URL obfuscation Misspelling of URLs, preferably ones which are hard to notice Hiding the true target, so-called Clickjacking <a href=" Similar-looking letters (t and f, d and b,... ), especially in long URLs
11 URL obfuscation: Unicode Unicode characters from other than ASCII are used to support multiple language URLs There are many look-alike Unicode letters Even worse, some are rendered exactly the same as each other
12 URL obfuscation: A famous example involved a phishing site that registered the domain using the cyrillic letter p (prononunced like swedish r) The cyrillic p is rendered as the latin p by browsers (although it may be different glyphs from the font used) The cyrillic p has Unicode #0440, while the latin p has #0070 Different URLs, different hosts Even worse, the phishing site obtaned an SSL certificate for the site
13 POST and GET There are two types of requests, POST and GET POST was intended to upload large data volumes, and puts the action to be performed into the request body GET was intended to download data, and puts the (relatively short) request parameters in the URI These are largely equivalent in their use today &-response=enkursplan.lasso&op=eq&k budget year=2012&op=eq& k kurskod=tsit02
14 Sanitize those parameters
15 Responses in HTML HTML itself is relatively harmless Elements include forms, frames, iframes, images, applets, scripts Some are active, activated by specific events A simple activation is the onclick action of the [submit] button of a form that causes a GET request Others are onmouseup, onmousehover,...
16 The Browser Displays web pages, represents them internally in the Domain Object Model tree Manages sessions Performs access control for client-side scripts html head body title meta meta h1 p ul a li li li
17 Sessions HTTP sessions can be established, but is not authenticated Authenticated sessions come in three variants Transport layer sessions (TLS) Network layer sessions Application layer sessions (private data)
18 Transport layer sessions: TLS ClientHello ServerHello,... Client ClientKeyExchange...,Finished Server
19 Transport layer sessions: EAP-TTLS Client EAP-Req/Id EAP-Resp/Id EAP-TTLS Start EAP-TTLS ClientHello EAP-TTLS ServerHello,... EAP-TTLS ClientKeyExchange EAP-TTLS...,Finished EAP-TTLS...,Finished EAP-TTLS Username,...,CHAP-Password EAP Success/Failure Server
20 TLS sessions, making ends meet
21 Network layer sessions The server creates a Session ID (SID) and transmits that to the client Often issued without user authentication, but authentication can be used Can be transferred by two mechanisms GET or POST parameters Cookies
22 Sessions using GET and POST Using the GET mechanism requires each link on a page to include the SID as a GET parameter The server needs to respond with a page where all links include the SID The POST mechanism uses a hidden form that holds the SID This also needs to be included in every page from the server Both of these are fairly weak, unless a transport layer session (HTTPS) already has been established
23 Cookies Cookies are small packets of data contained in server responses in a Set-Cookie header field Contains key-value pairs, domain, expiry date, an optional path, and secure and HTTP only flags The secure flag enforces HTTPS transmission The HTTP only flag prohibits client script access
24 Sessions using Cookies Put SID in a cookie and use that Attackers may try to modify a cookie to elevate their priviliges, cookie poisoning They could also try to steal the cookies, we ll see techniques for that later Basic requirements: SIDs should be hard to predict, and cookies should be stored safely
25 Cookies and privacy Cookies don t just store SIDs, they can be used to store all sorts of things But cookies are only sent to the matching domain? And cookies are stored at the user? No problem then! Not so fast, accessibility is really the problem, and cookies are sent to the matching domain This is a distributed database, and there are law requirements for such a thing
26 Cookie stealing Cookies are sent to the matching domain This is an example of same-origin policies Scripts are also under this policy The trick is to get your script included in a response from a trusted site (and to give you the cookie) The technique to do this is called cross-site scripting
27 Cross-site scripting, XSS This is a collection of techniques used to get attackers scripts included in web pages from trusted servers There must always be an opening for entering the script into the web page Oddly, there are (a few) servers that use the techniques to provide legitimate content
28 Reflected (nonpersistent) XSS Here, a script resides on the attacker s server The target user needs to be lured to the attacker s site Then, there are several techniques, a simple example: <A HREF=" alert( XSS! )></SCRIPT>">Click here</a> If the comment page echoes the argument, the script gets executed on the comment page, with the priviliges for pages from the trusted server Not only comment pages, but search engines, 404 pages,...
29 Stored (persistent), and DOM-based XSS In a stored XSS attack, the attacker stores the script directly at the trusted server, for example on a discussion page A DOM-based XSS attack is based on the habit of some pages to interpret the document.url at the client rather than at the server Attacker embeds script in a request URL Script gets put in document.url, but is not interpreted at the server, nor is in the HTML response Page contains references to document.url, so script is executed in the client The recent Facebook worms are of this kind
30 Cookie stealing through XSS Cookies are available in the DOM, in document.cookie (unless HTML-only is set) A (more complex) attack is now <IFRAME frameborder=0 src="" height=0 width=0 id="xss" id="xss" name="xss"></iframe> <SCRIPT> frames["xss"].location.href =" </SCRIPT>
31 Defenses against XSS Disable scripts (or rather, enable it only for sites you trust; use Noscript) Sanitize your inputs (well) Improve authentication Improve access control, so that it becomes harder to steal user credentials through the same-origin policy
32 Cross-Site Request Forgery (CSRF, XSRF) The opposite (in a sense) of a XSS attack A XSS attack uses the client s trust of a server execute commands at the client with the server s priviliges A CSRF attack uses the server s trust of a client and lures the client to request execution of commands at the server with the client s priviliges Common examples are inserted pages that perform (unwanted) actions on behalf of the client A merchant that uses paypal can normally not access credit card data of his customers A merchant lets the customer login to paypal, and then re-authenticates the user as himself If the user now enters credit card information, the merchant would get access to that
33 Web services security The internet is a complicated place, where services interact in various ways The book talks about mashups that combine services from several sources Often leads to complicated (and vulnerable) authentication and authorization structures
34 Federated Identity Management Several organizations cooperate to manage identity information Implements a trust, but verify strategy Authenticate on one site, get access to several sites Sites need agreements that regulate liability and dispute resolution Privacy has to be considered Security Assertion Markup Language (SAML) is a meta-level single sign-on protocol that can be implemented in Kerberos or through a PKI A slightly different example is OpenID
35 Web: Threat model Attacks from communication and network security Also: direct web attacks, phishing, session hijacking, cross-site scripting,... Alice Bob Eve
36 Mobility Mobile networks create a whole new set of problems: How do we authenticate users? How do we authenticate roaming users? How do we hand over sessions from one base station to another? Do we share a new session key, or transfer the old one? Can the user distinguish a false base station from a real one?
37 Analogue phones First generation cellphones provided no confidentiality (some obfuscation) Criminals used them to create alibies through call ftorwarding from land lines Authentication was sent through a challenge-response protocol, but in the clear, resulting in charge fraud
38 GSM politics At the time (the eighties, early nineties), there were strong restrictions on use of cryptography Law enforcement wanted to be able to perform wiretaps GSM consortium consisted of mainly national post, phone, and telegraph operators
39 GSM Design goals: good voice quality, cheap end systems, low running costs, international roaming, hand-held devices(!), new services such as SMS Security goals: protect against charge fraud, eavesdropping, and track stolen devices (but this was not always implemented)
40 GSM components Each GSM user has a subscription in a home network Users can use other visited network A phone consists of mobile equipment, and a Subscriber Identity Module (SIM) that contains cryptographic hardware, cryptographic keys, and other info The network side has base stations and a few different servers that handle user data
41 GSM IMSI, TMSI The identifier for a GSM phone is the International Mobile Subscriber Identity, IMSI The phone and home network share a 128-bit authentication key K i To protect user privacy, the IMSI is sent in the clear only in the initial connection to the GSM network, after that a Temporary MSI, TMSI is used The TMSI changes when phone moves between networks
42 GSM crypto Uses a 64-bit session key K c, created in the authentication process The authentication algorithm A3 and the key generation algorithm A8 are chosen by the network The encryption algorithm A5 is standardized, this is a stream cipher that can handle channel noise well, but does not give message integrity By todays standards, A5 is weak: A5/1 is the first version, the export A5/2 was broken immediately upon release, while A5/3 is somewhat stronger
43 GSM session key, Subscriber Identity Authentication
44 Roaming fraud A GSM subscription is taken out with a local network The user never intends to pay Instead he uses it abroad in a network of his choice, free of charge for a time (soft currency fraud) The home network also has to pay the foreign network for the service (hard currency fraud) Fraudsters and rouge networks may collude
45 False base stations Phone is authenticated, but network is not Furthermore, the network can ask the phone for the IMSI, breaking privacy And the network can even ask the phone to switch off encryption altogether Suddenly, network authentication is needed
46 UMTS (3G) UMTS is one 3G standard Higher speed, better security Above all, network authentication But also better crypto, uses KASUMI, a 128-bit key block cipher, used in a stream cipher mode
47 UMTS Authentication and Key Agreement
48 Internet mobility Mobile phone security is much about preventing fraudulent billing Internet mobility should meet other threats Redirecting traffic to get another user s messages Redirecting traffic to crowd another users reception In Mobile IPsec a user announces the current location to the intended correspondent directly and via the home agent The correspondent returns keygen tokens through both links The location is proved by knowing data from both links
49 WLAN WLAN security is not so much mobility but wireless network access Hiding the Service Set ID (SSID) is common but not so helpful The same applies to restricting access to a list of Medium Access Control (MAC) addresses The problem is that these are used before security can be set up, and can be sniffed in transit
50 WEP WEP is flawed Uses a stream cipher RC4 with a short IV; when IV repeats, so does the key stream, and this is really really bad for a stream cipher Checksum is CRC-32, and this is suited for finding random errors, not intentional modifications Finally, RC4 has been broken URGH
51 WPA This is a quick-fix designed to run on (mostly) the same hardware as WEP Generates a new encryption key for each packet through the Temporal Key Integrity Protocol Also changes the CRC checksum to a message integrity check algorithm called Michael There are still weaknesses that remain from WEP and some limitations of Michael that makes it possible to retrieve the keystream from short packets
52 WPA2 A new design Can be used in Transitional Security Network mode to allow older security modes (but... ) Robust Security Network mode is not backwards compatible Encryption is AES used in a stream cipher mode (CTR) Message integrity is ensured by CBC-MAC
53 Bluetooth Short range ad hoc networks Pairing may be by simple keypresses, close in time, or by PIN Main protection is physical proximity Security is better since Bluetooth 2.1 (2007), and include the Simple Secure Pairing in the book Uses the E0 stream cipher
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationLecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References
Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions
More information12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More information802.11 Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi Giulio.Rossetti@gmail.com
802.11 Security (WEP, WPA\WPA2) 19/05/2009 Giulio Rossetti Unipi Giulio.Rossetti@gmail.com 802.11 Security Standard: WEP Wired Equivalent Privacy The packets are encrypted, before sent, with a Secret Key
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationChapter 6 CDMA/802.11i
Chapter 6 CDMA/802.11i IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 Some material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationFINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES
Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that
More informationWeb Security: SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: SSL/TLS Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,
More informationWireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.
Wireless Security New Standards for 802.11 Encryption and Authentication Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.com National Conference on m-health and EOE Minneapolis, MN Sept 9, 2003 Key
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 6. Wireless Network Security
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 6 Wireless Network Security Objectives Overview of IEEE 802.11 wireless security Define vulnerabilities of Open System Authentication,
More informationUMTS security. Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003
UMTS security Helsinki University of Technology S-38.153 Security of Communication Protocols k-p.perttula@hut.fi 15.4.2003 Contents UMTS Security objectives Problems with GSM security UMTS security mechanisms
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More information9243060 Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation
9243060 Issue 1 EN Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia 9300i Configuring connection settings Nokia 9300i Configuring connection settings Legal Notice
More informationWeb Security Considerations
CEN 448 Security and Internet Protocols Chapter 17 Web Security Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationWeb Security. Mahalingam Ramkumar
Web Security Mahalingam Ramkumar Issues Phishing Spreading misinformation Cookies! Authentication Domain name DNS Security Transport layer security Dynamic HTML Java applets, ActiveX, JavaScript Exploiting
More informationVIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY. AUTHOR: Raúl Siles. Founder and Security Analyst at Taddong
VIDEO Intypedia012en LESSON 12: WI FI NETWORKS SECURITY AUTHOR: Raúl Siles Founder and Security Analyst at Taddong Hello and welcome to Intypedia. Today we will talk about the exciting world of security
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationSecurity in IEEE 802.11 WLANs
Security in IEEE 802.11 WLANs 1 IEEE 802.11 Architecture Extended Service Set (ESS) Distribution System LAN Segment AP 3 AP 1 AP 2 MS MS Basic Service Set (BSS) Courtesy: Prashant Krishnamurthy, Univ Pittsburgh
More informationWeb-Application Security
Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice
More informationProtocol Rollback and Network Security
CSE 484 / CSE M 584 (Spring 2012) Protocol Rollback and Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,
More informationGateway Apps - Security Summary SECURITY SUMMARY
Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference
More informationGSM and UMTS security
2007 Levente Buttyán Why is security more of a concern in wireless? no inherent physical protection physical connections between devices are replaced by logical associations sending and receiving messages
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationHow To Understand And Understand The Security Of A Key Infrastructure
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography Objectives Define digital certificates List the various types of digital certificates and how they are used
More informationOverview of CSS SSL. SSL Cryptography Overview CHAPTER
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet, ensuring secure transactions such as the transmission of credit card numbers
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationMobile Office Security Requirements for the Mobile Office
Mobile Office Security Requirements for the Mobile Office S.Rupp@alcatel.de Alcatel SEL AG 20./21.06.2001 Overview Security Concepts in Mobile Networks Applications in Mobile Networks Mobile Terminal used
More informationNetwork Security Web Security and SSL/TLS. Angelos Keromytis Columbia University
Network Security Web Security and SSL/TLS Angelos Keromytis Columbia University Web security issues Authentication (basic, digest) Cookies Access control via network address Multiple layers SHTTP SSL (TLS)
More informationThe following chart provides the breakdown of exam as to the weight of each section of the exam.
Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those
More informationComputer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt
Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................
More informationAgenda. Wireless LAN Security. TCP/IP Protocol Suite (Internet Model) Security for TCP/IP. Agenda. Car Security Story
Wireless s June September 00 Agenda Wireless Security ผศ. ดร. อน นต ผลเพ ม Asst. Prof. Anan Phonphoem, Ph.D. anan@cpe.ku.ac.th http://www.cpe.ku.ac.th/~anan Computer Engineering Department Kasetsart University,
More informationCS 356 Lecture 27 Internet Security Protocols. Spring 2013
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists
More informationCS5490/6490: Network Security- Lecture Notes - November 9 th 2015
CS5490/6490: Network Security- Lecture Notes - November 9 th 2015 Wireless LAN security (Reference - Security & Cooperation in Wireless Networks by Buttyan & Hubaux, Cambridge Univ. Press, 2007, Chapter
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationSecurity. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1
Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions
More informationAuthenticity of Public Keys
SSL/TLS EJ Jung 10/18/10 Authenticity of Public Keys Bob s key? private key Bob public key Problem: How does know that the public key she received is really Bob s public key? Distribution of Public Keys!
More informationAuthentication in WLAN
Authentication in WLAN Flaws in WEP (Wired Equivalent Privacy) Wi-Fi Protected Access (WPA) Based on draft 3 of the IEEE 802.11i. Provides stronger data encryption and user authentication (largely missing
More informationChapter 8. Network Security
Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.
Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationOPENID AUTHENTICATION SECURITY
OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009 1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication.
More informationWeb Application Security
Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching
More informationIntrusion Detection, Packet Sniffing
Intrusion Detection, Packet Sniffing By : Eng. Ayman Amaireh Supervisor :Dr.: Lo'ai Tawalbeh New York Institute of Technology (NYIT)- Jordan s s campus-2006 12/2/2006 eng Ayman 1 What is a "packet sniffer"?
More informationNokia and Nokia Connecting People are registered trademarks of Nokia Corporation
Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia E70 Configuring connection settings Nokia E70 Configuring connection settings Legal Notice Copyright Nokia 2006. All
More informationNetwork Security - ISA 656 Email Security
Network Security - ISA 656 Angelos Stavrou November 13, 2007 The Usual Questions The Usual Questions Assets What are we trying to protect? Against whom? 2 / 33 Assets The Usual Questions Assets Confidentiality
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationNetwork Security Essentials Chapter 5
Network Security Essentials Chapter 5 Fourth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 5 Transport-Level Security Use your mentality Wake up to reality From the song, "I've Got
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationTLS/SSL in distributed systems. Eugen Babinciuc
TLS/SSL in distributed systems Eugen Babinciuc Contents 1. Introduction to TLS/SSL 2. A quick review of cryptography 3. TLS/SSL in distributed systems 4. Conclusions Introduction to TLS/SSL TLS/SSL History
More informationWireless Networks. Welcome to Wireless
Wireless Networks 11/1/2010 Wireless Networks 1 Welcome to Wireless Radio waves No need to be physically plugged into the network Remote access Coverage Personal Area Network (PAN) Local Area Network (LAN)
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationCS549: Cryptography and Network Security
CS549: Cryptography and Network Security by Xiang-Yang Li Department of Computer Science, IIT Cryptography and Network Security 1 Notice This lecture note (Cryptography and Network Security) is prepared
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationwww.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More informationConfiguring connection settings
Configuring connection settings Nokia E90 Communicator Configuring connection settings Nokia E90 Communicator Configuring connection settings Legal Notice Nokia, Nokia Connecting People, Eseries and E90
More informationRecommended 802.11 Wireless Local Area Network Architecture
NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationOverview. Securing TCP/IP. Introduction to TCP/IP (cont d) Introduction to TCP/IP
Overview Securing TCP/IP Chapter 6 TCP/IP Open Systems Interconnection Model Anatomy of a Packet Internet Protocol Security (IPSec) Web Security (HTTP over TLS, Secure-HTTP) Lecturer: Pei-yih Ting 1 2
More informationSingle Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com
Single Sign-On for the Internet: A Security Story Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com BlackHat USA, Las Vegas 2007 Introduction With the explosion of Web 2.0 technology,
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationOutline. INF3510 Information Security. Lecture 10: Communications Security. Communication Security Analogy. Network Security Concepts
Outline INF3510 Information Security Lecture 10: Communications Security Network security concepts Communication security Perimeter security Protocol architecture and security services Example security
More informationWireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com
Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Ground Setting Three Basics Availability Authenticity Confidentiality Challenge
More informationNokia E61i Configuring connection settings
Nokia E61i Configuring connection settings Nokia E61i Configuring connection settings Legal Notice Copyright Nokia 2007. All rights reserved. Reproduction, transfer, distribution or storage of part or
More informationThe Importance of Wireless Security
The Importance of Wireless Security Because of the increasing popularity of wireless networks, there is an increasing need for security. This is because unlike wired networks, wireless networks can be
More informationMagento Security and Vulnerabilities. Roman Stepanov
Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection
More information3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Network Layer: IPSec Transport Layer: SSL/TLS Chapter 4: Security on the Application Layer Chapter 5: Security
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationState of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture
State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More information7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?
7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk
More informationWeb Security (SSL) Tecniche di Sicurezza dei Sistemi 1
Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1 How the Web Works - HTTP Hypertext transfer protocol (http). Clients request documents (or scripts) through URL. Server response with documents. Documents
More informationAPPLICATION SECURITY AND ITS IMPORTANCE
Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE
More informationTransport Layer Security Protocols
SSL/TLS 1 Transport Layer Security Protocols Secure Socket Layer (SSL) Originally designed to by Netscape to secure HTTP Version 2 is being replaced by version 3 Subsequently became Internet Standard known
More informationSitefinity Security and Best Practices
Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management
More informationKey Management (Distribution and Certification) (1)
Key Management (Distribution and Certification) (1) Remaining problem of the public key approach: How to ensure that the public key received is really the one of the sender? Illustration of the problem
More informationDetecting and Exploiting XSS with Xenotix XSS Exploit Framework
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.
More informationTable of Contents. Cisco Wi Fi Protected Access 2 (WPA 2) Configuration Example
Table of Contents Wi Fi Protected Access 2 (WPA 2) Configuration Example...1 Document ID: 67134...1 Introduction...1 Prerequisites...1 Requirements...1 Components Used...2 Conventions...2 Background Information...2
More informationNuclear Regulatory Commission Computer Security Office Computer Security Standard
Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:
More informationchap18.wireless Network Security
SeoulTech UCS Lab 2015-1 st chap18.wireless Network Security JeongKyu Lee Email: jungkyu21@seoultech.ac.kr Table of Contents 18.1 Wireless Security 18.2 Mobile Device Security 18.3 IEEE 802.11 Wireless
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationCyber Security Workshop Ethical Web Hacking
Cyber Security Workshop Ethical Web Hacking May 2015 Setting up WebGoat and Burp Suite Hacking Challenges in WebGoat Concepts in Web Technologies and Ethical Hacking 1 P a g e Downloading WebGoat and Burp
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationWHITE PAPER. FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS 6.5 and 6.6 Ensuring compliance for PCI DSS 6.5 and 6.6 Page 2 Overview Web applications and the elements surrounding them
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationWLAN Information Security Best Practice Document
WLAN Information Security Best Practice Document Produced by FUNET led working group on wireless systems and mobility (MobileFunet) (WLAN security) Author: Wenche Backman Contributors: Ville Mattila/CSC
More informationRelax Everybody: HTML5 Is Securer Than You Think
Relax Everybody: HTML5 Is Securer Than You Think Martin Johns (@datenkeller) SAP AG Session ID: ADS-W08 Session Classification: Advanced Motivation For some reason, there is a preconception that HTML5
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationCross-Site Scripting
Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some
More informationLecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Audun Jøsang University of Oslo Spring 2015 Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationExternal Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
More informationSecurity Protocols/Standards
Security Protocols/Standards Security Protocols/Standards Security Protocols/Standards How do we actually communicate securely across a hostile network? Provide integrity, confidentiality, authenticity
More informationComputer Networks. Secure Systems
Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to
More information