Figure 9-1: General Application Security Issues. Application Security: Electronic Commerce and E-Mail. Chapter 9



From this document you will learn the answers to the following questions:

What can attack a client side scripting Java applets?

What extensions are hidden by default in windows attack?

What must developers have?

Similar documents
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Contents Introduction xxvi Chapter 1: Understanding the Threats: Viruses, Trojans, Mail Bombers, Worms, and Illicit Servers

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Common Security Vulnerabilities in Online Payment Systems

SSL VPN Technology White Paper

Web Application Report

Lecture 15 - Web Security

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

This chapter covers the following topics: Why Network Security Is Necessary Secure Network Design Defined Categorizing Network Security Threats How

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Last update: February 23, 2004

Network and Host-based Vulnerability Assessment

The following multiple-choice post-course assessment will evaluate your knowledge of the skills and concepts taught in Internet Business Associate.

The McAfee SECURE TM Standard

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Spyware. Summary. Overview of Spyware. Who Is Spying?

Threat Modeling. Frank Piessens ) KATHOLIEKE UNIVERSITEIT LEUVEN

Security Goals Services

Homeland Security Red Teaming

The data which you put into our systems is yours, and we believe it should stay that way. We think that means three key things.

Columbia University Web Security Standards and Practices. Objective and Scope

What is Web Security? Motivation

Barracuda Web Site Firewall Ensures PCI DSS Compliance

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Lotus Domino Security

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Protecting Your Organisation from Targeted Cyber Intrusion

Web and Security 1 / 40

Why Should You Care About Security Issues? SySmox WEB security Top seven ColdFusion Security Issues

Web Application Security Considerations

How To Understand The History Of The Web (Web)

Paladin Computers Privacy Policy Last Updated on April 26, 2006

Passing PCI Compliance How to Address the Application Security Mandates

Network Security - ISA 656 Application Firewalls

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Web Engineering Web Application Security Issues

NeoMail Guide. Neotel (Pty) Ltd

Talk Internet User Guides Controlgate Administrative User Guide

The basic groups of components are described below. Fig X- 1 shows the relationship between components on a network.

Network Security. Demo: Web browser

PC Security and Maintenance

Using Microsoft s Free Security Tools Help Secure your Windows Systems taken from Web and Other Sources by Thomas Jerry Scott November, 2003

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Implementing Security Update Management

Windows Operating Systems. Basic Security

Hacking Database for Owning your Data

An Insight into Cookie Security

Web Security School Final Exam

Firewalls, IDS and IPS

Testing Web Applications for SQL Injection Sam Shober

THE OPEN UNIVERSITY OF TANZANIA

Recommended Practice Case Study: Cross-Site Scripting. February 2007

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

COB 302 Management Information System (Lesson 8)

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Web Plus Security Features and Recommendations

Web App Security Audit Services

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

Web Hosting Features. Small Office Premium. Small Office. Basic Premium. Enterprise. Basic. General

Domains Help Documentation This document was auto-created from web content and is subject to change at any time. Copyright (c) 2016 SmarterTools Inc.

SonicWALL Security Quick Start Guide. Version 4.6

Desktop and Laptop Security Policy

A Decision Maker s Guide to Securing an IT Infrastructure

A Roadmap for Securing IIS 5.0

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

SPAMfighter Mail Gateway

SECURING INFORMATION SYSTEMS

How To Get The Most Out Of Your From Your Mail Server (For A Small Business)

Why The Security You Bought Yesterday, Won t Save You Today

Application Security Testing. Generic Test Strategy

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Webmail Using the Hush Encryption Engine

Windows Remote Access

Best Practice Configurations for OfficeScan (OSCE) 10.6

FileCloud Security FAQ

1. Why is the customer having the penetration test performed against their environment?

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Networking: EC Council Network Security Administrator NSA

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Enterprise Security Critical Standards Summary

OWASP Top Ten Tools and Tactics

CMP3002 Advanced Web Technology

F-Secure Internet Security 2012

Clientless SSL VPN Users

Web Application Penetration Testing

Transcription:

Figure 9-1: General Application Application Security: Electronic Commerce and E-Mail Chapter 9 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Executing Commands with the Privileges of a Compromised Application If an attacker takes over an application, the attacker can execute commands with the privileges of that application Many applications run with super user (root) privileges 1 2 Figure 9-1: General Application Buffer Overflow Attacks From Chapter 6: Vulnerabilities Exploits Fixes Patches Manual work-arounds, or Version upgrades) Figure 9-1: General Application Buffer Overflow Attacks Buffers are places where data is stored temporarily If an attacker sends too much data, a buffer might overflow, overwriting an adjacent section of RAM If that section is retrieved, various problems can occur Read as data, read as program instructions, illegal values that cause a crash 3 4 Figure 9-1: General Application Figure 9-2: Stack Entry and Buffer Overflow Buffer Overflow Attacks Stacks are used to hold information temporarily on subprograms 2. Add Data to Buffer 1. Write Return Address Stack overflows might allow an attacker to execute any command (Figure 9-2) 5. Start of Attack Code Data Buffer Return Address An example: The IIS IPP Buffer Overflow Attack: Host variable is overflowed 3. Direction of Data Writing 4. Overwrite Return Address 5 6

Figure 9-1: General Application Figure 9-1: General Application Few Operating Systems But Many Applications So application hardening is more total work than operating system hardening Application Security Actions Understanding the server s role and threat environment Application Security Actions Basics Physical security (Chapter 2) Harden the operating system (Chapter 6) Backup (Chapter 10) Install Application Patches If it runs only one or a few services, easy to disallow irrelevant things 7 8 Figure 9-1: General Application Figure 9-1: General Application Application Security Actions Minimize applications Main applications Subsidiary applications Be guided by security baselines Add application layer authentication Implement cryptographic systems Application Security Actions Minimize the permissions of applications so that successful attackers will not own the machine Hackers who take over an application obtain the permissions of that application Many applications run as root, giving the hacker total control of the computer if compromised Application take-over is the most common way to hack computers today 9 10 Importance of Webservice and E-Commerce Security Cost of disruptions The cost of loss of reputation and market capitalization Importance of Webservice and E-Commerce Security Customer fraud (including credit card fraud) Loss of revenues when product is not paid for Credit card company charge-back fees Must use external firm to check credit card numbers 11 12

Importance of Webservice and E-Commerce Security Cost of privacy violations Links to internal corporate servers Webservers Versus E-Commerce Servers Webservice provides basic user interactions Microsoft Internet Information Server (IIS) Apache on UNIX Other webserver programs 13 14 Figure 9-4: Webservice Versus E-Commerce Service Webservers Versus E-Commerce Servers E-commerce servers add functionality: Order entry, shopping cart, payment, etc. Custom programs written for special purposes Webserver Software Component (PHP, etc.) E-Commerce Software Custom Programs Subsidiary E-Commerce Software 15 16 Some Webserver Attacks Website defacement Numerous IIS buffer overflow attacks, many of which take over the computer Some Webserver Attacks IIS directory traversal attacks Normally, paths start at the WWW root directory Adding../ might take the attacker up a level, out of the WWW root box If traverse to command prompt directory in Windows 2000 or NT, can execute any command with system privileges 17 18

Some Webserver Attacks IIS directory traversal attacks Some Webserver Attacks Apache has problems, too Companies filter out / and \ Attackers respond with hexadecimal and UNICODE representations for / and \ 19 20 Patching the Webserver and E-Commerce Software and Its Components Patching the webserver software is not enough Also must patch e-commerce software E-commerce software might use third-party component software that must be patched Controlling Dynamic Webpage Development Static versus dynamic webpages For static webpages: GET /path/filename.extension HTTP / version CGI to pass parameters to a program GET /path/programname.exe?variable1= value &variable2= value Inefficient. Starts new copy of program with each request 21 22 Controlling Dynamic Webpage Development ASP is Microsoft s server-side scripting language ISAPI from Microsoft starts a.dll component Component continues to run; no need to start a new copy with each request Controlling Dynamic Webpage Development Controlling software development Programmer training in safe programming methods Auditing for security weaknesses 23 24

Controlling Dynamic Webpage Development Deployment Development servers: Developers must have wide privileges Staging servers: Only testers and systems administrators should have privileges Production servers: Only systems administrators should have privileges 25 User Authentication None: No burden on customer (e.g., traditional SSL/TLS) Username and password provide some protection but may be given out without checking customer quality IPsec and digital certificates: Expensive and difficult for customers TLS with client digital certificates: Less expensive than IPsec but difficult for customers 26 Take over a client via the browser Interesting information on the client Can use browser to attack clients -side scripting Java applets: Small Java programs Scripting languages (not full programming languages) JavaScript and VBScript Active-X from Microsoft; highly dangerous because it can do almost everything 27 28 Malicious links User must click on them to execute (but not always) Common extensions are hidden by default in windows attack.txt.exe seems to be attack.txt Common Attacks File reading and executing a command Redirection to unwanted webpage Scripts might change the registry, home page Might Trojanize the program called when user mistypes a URL Pop-up windows behind main window so source is hard to find 29 30

Common Attacks Cookies and web bugs Cookies are placed on user computer; can be retrieved by website Can be used to track users at a website Web bugs links that are nearly invisible can do the same 31 Common Attacks Choose domain names that are common misspellings of popular domain names Microsoff.com, www.whitehouse.com (a porn site) Opening two windows; transfer information from client window to webserver window 32 Enhancing Browser Security Patches and updates Set strong security options (Figure 9-5) for Microsoft Internet Explorer 6.0 Remotely managing browsers on employee client PCs Figure 9-5: Internet Options Dialog Box in Internet Explorer 6.0 33 34 Figure 9-7: E-Mail Standards E-Mail Technology E-Mail s and Mail Servers (Figure 9-7) Mail server software: Sendmail on UNIX, Microsoft Exchange, and Lotus/IBM Exchange, Notes dominate on Windows servers SMTP to Send Sender s Mail Server SMTP to Send Receiver s Mail Server POP or IMAP to Download On Windows clients, Microsoft Outlook Express is safer than full-featured Outlook because Outlook Express generally does not execute content 35 Sending E-Mail Message Receiving E-Mail RFC 822 or 2822 body HTML body 36

E-Mail Technology SMTP to send messages from client to mail server or from mail server to mail server To download messages to client e-mail program from receiver s mail server POP: Simple and popular; manage mail on client PC IMAP: Can manage messages on mail server 37 E-Mail Technology E-mail bodies RFC 822 / RFC 2822: Plain English text HTML bodies: Graphics, fonts, etc. HTML bodies might contain scripts, which might execute automatically when user opens the message Web-based e-mail needs only a browser on the client PC 38 Figure 9-8: Web-Based E-Mail s Browser HTTP Request Message HTTP Response Message Webpage Containing Message Webserver Program E-Mail Content Filtering Antivirus filtering and filtering for other executable code Especially dangerous because of scripts in HTML bodies Spam: Unsolicited commercial e-mail PC Almost all client PCs now have browsers. No need to install new software Webserver with Web-Based E-Mail 39 40 E-Mail Content Filtering Volume is growing rapidly: Slowing and annoying users (porno and fraud) Filtering for spam also rejects some legitimate messages Inappropriate Content Companies often filter for sexually or racially harassing messages Could be sued for not doing so Sometimes employees attack spammers back; only hurts spoofed sender and the company could be sued 41 42

E-Mail Retention On hard disk and tape for some period of time Benefit: Can find information Drawback: Can be discovered in legal contests; could be embarrassing Must retain some messages for legal purposes (firing employees, banking, etc.) E-Mail Security Message authentication to prevent spoofed sender addresses Employee training E-mail is not private; company has right to read Your messages may be forwarded without permission 43 44 E-Mail Security Employee training E-Mail Encryption Not widely used because of lack of clear standards Never to put anything in a message they would not want to see in court, printed in the newspapers, or read by their boss Never forward messages without permission Don t open attachments unless expecting it and with all software patched and antivirus scanning on 45 IETF has not been able to settle upon a single standard because of in-fighting Three standards are used in corporations TLS S/MIME PGP 46 Figure 9-9: Cryptographic Protection for E-Mail E-Mail Encryption Mail Server TLS only requires a digital certificate for servers S/MIME requires a PKI for digital certificates SMTP, POP, etc. Over TLS SMTP, POP, etc. over TLS PGP uses trust among circles of friends: If A trusts B, and B trusts C, A may trust C s list of public keys Dangerous: Misplaced trust can spread bogus key/name pairs widely Sending E-Mail TLS is easy to implement No end-to-end encryption (Mail server sees all mail in plaintext) Receiving E-Mail 47 48

Figure 9-9: Cryptographic Protection for E-Mail Figure 9-9: Cryptographic Protection for E-Mail Mail Server Mail Server Sending E-Mail S/MIME with PKI End-to-end encryption Complex to administer E-mail programs typically can do it Receiving E-Mail Sending E-Mail PGP with Circles of Trust End-to-end encryption Usually clumsy user interface Receiving E-Mail 49 50 Figure 9-10: Database and Instant Other Applications There are many other applications Each has its own security issues Figure 9-10: Database and Instant Database Often used in mission-critical applications Application layer authentication: Many database applications have passwords beyond the computer login password Relational databases: Tables with rows (entities) and columns (attributes) 51 52 Figure 9-10: Database and Instant Database Granularity of access control Restrict users to certain columns (attributes) in each row For instance, deny access to salary column to most users Figure 9-10: Database and Instant Database Granularity of access control Prevent access to individual data: Allow trend analysts to deal only with sums and averages for aggregates such as departments Limit access control to rows, for instance, only rows containing data about people in the user s own department 53 54

Figure 9-10: Database and Instant Figure 9-10: Database and Instant Database Problems with commercial database servers Empty administrative password for Microsoft s SQL Server allowed break-ins New version of SQL Server will be more locked down 55 Instant Messaging (IM) Allows instant text communication and voice if has click to talk Retention problem: Not integrated into retention schedules File transfer problem: File transfers are not checked by antivirus programs, although a few popular antivirus programs check file transmissions for a few popular IM programs. 56 Figure 9-10: Database and Instant New Relay Servers and IM Some IM systems send all messages through a relay server This makes retention possible It makes filtering possible For many security vulnerabilities, only the relay server needs to be updated, not all clients PC Relay Server PC Applications are the most common target for hacking break-ins If hacker takes over an application, has the permissions of that application, often root permissions Few operating systems but many applications Hardening applications is much harder than managing operating systems (Chapter 6) 57 58 Buffer Overflow Attacks Attacker sends data for a field that contains a program to be executed Data is longer than the program s memory buffer for that variable When program instructions in the overflowed areas are executed, the attacker s code executes 59 Hardening Applications The server should be hardened and backed up Patches should be installed for vulnerabilities However, many applications exist, so just learning about vulnerabilities and patches can be a problem Minimize applications Main applications Subsidiary applications Be guided by security baselines 60

Hardening Applications (Continued) Add application layer authentication Implement cryptographic systems Minimize the permissions of applications so that successful hackers will not own the machine Webserver and Importance of these applications to the firm Damage to firm if taken over (including the revelation of private client data) Webservice dominated by Microsoft Internet Information Server (IIS) and Apache on UNIX 61 E-Commerce Attacks Defacement Take-overs through buffer overflow attacks IIS directory traversal attacks 62 E-Commerce service has multiple applications All must be patched and otherwise hardened Webserver Software Component (PHP, etc.) E-Commerce Software Custom Programs Subsidiary E-Commerce Software 63 Dynamic Webpages Accept user data Create webpage on the fly, then send back to the user If not programmed properly, will have vulnerabilities that can be exploited Deployment through development server, testing server, and then production server each will specific permissions for developers 64 User Authentication None: No burden on customer (e.g., traditional SSL/TLS) Username and password provide some protection but may be given out without checking customer quality Customer digital certificates: Expensive and difficult for customers 65 Attacks on Browsers Very widespread Many Internet Explorer Vulnerabilities -side scripting executes code on the user PC If vulnerabilities are found, these scripts can do extensive damage Malicious Links May download attack programs to user PCs and execute them 66

Attacks on Browsers Programs exploiting browser vulnerabilities can do considerable damage Delete files Install pop-up adds, redirect to pornography sites, steal credit card numbers, etc. Intrusive cookies Web bugs Attack URLs similar to legitimate URLs Enhancing Browser Security Patches and updates Set strong security options Remotely managing browsers on employee client PCs 67 68 E-Mail Security Vulnerabilities in mail servers (SENDMAIL, Exchange) Need antivirus filtering Need spam filtering (sometimes filters out legitimate messages) Inappropriate content (harassment) Need to retain certain e-mail, but retaining too much leave a firm open to legal discovery searches 69 E-Mail Security User Education E-mail is not private Your messages may be forwarded without permission Never to put anything bad in a message Never forward messages without permission Never open attachments unless expecting them and all your software is patched and your antivirus scanning on 70 E-Mail Encryption Not widely used No single standard Three standards are used in corporations TLS S/MIME PGP (used circles of trust for public keys) Database Security Application authentication beyond login authentication for defense in depth Restrict users to certain data May prohibit access to individual data for privacy reasons Commercial database servers have suffered from vulnerabilities that must be patched 71 72

Instant Messaging Messages not retained properly New File transfers usually not subject to antivirus filtering Relay servers may have all messages pass through them Allows filtering Can stop some vulnerabilities without updating all clients 73

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information