View
263
Download
0
Embed Size (px)
DESCRIPTION
Information Security Lesson 6 - Web Security - Eric Vanderburg
Citation preview
Information Security © 2006 Eric Vanderburg
Information Security
Chapter 6
Web Security
Information Security © 2006 Eric Vanderburg
Reasons for software vulnerability• Large amount of code
– Windows 2000 – 20 million lines– Windows XP – 40 million lines– Linux – 55 million lines
• Extensibility– Ex: Firefox plug-ins– Drivers (use signed drivers)
• Wired (connectivity)– More internet enabled applications which may
not be secure. (weather, stocks, media player)
Information Security © 2006 Eric Vanderburg
An email message
1. [email protected] uses a client to create a message for [email protected]
2. Client connects to mail.source.com SMTP server on port 25 and forwards the message.
3. SMTP server compares the source and destination domain names. If they are the same, the message goes to the POP3 server for source.com via the delivery agent.
Information Security © 2006 Eric Vanderburg
An email message
4. The source.com SMTP server connects to the destination.com SMTP server and passes the message. If the destination.com SMTP server is not responding, the message is queued and sent later. After 4 hours in the queue the sender is notified.
5. Destination.com passes the message to the destination.com POP3 server.
6. The message is stored in the POP3 mailbox for retrieval by [email protected]
Information Security © 2006 Eric Vanderburg
• POP3 (Post Office Protocol) – offers a storage place for messages until downloaded from the server. Port 119
• IMAP (Internet Mail Access Protocol) – Messages always reside on the server. Port 143
• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
Information Security © 2006 Eric Vanderburg
Email• **All the following operate at the application layer• MIME (Multipurpose Internet Mail Extensions) – standard
for embedding email with rich text, graphics, sound, & video.
• S/MIME (Secure MIME) – adds encryption and authentication to email. – Digital signatures– Works with different email clients– Encrypts messages– Encryption & signing is transparent– Checksums to protect integrity
• PGP (Pretty Good Privacy) – Encrypted with a session key that is encrypted with the recipient’s public key. – Must download a plugin to use with email clients.
Information Security © 2006 Eric Vanderburg
Email vulnerabilities
• Several e-mail vulnerabilities can be exploited by attackers:– Malware– Spam– Hoaxes
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users
Information Security © 2006 Eric Vanderburg
Email vulnerabilities
• SPAM– 30 billion daily e-mail messages are spam– 25% of users say the ever-increasing volume of spam
has reduced their overall use of e-mail– 52% of users indicate spam has made them less
trusting of e-mail in general– 70% of users say spam has made being online
unpleasant or annoying– Use a backlist of spammers to block any e-mail that
originates from their e-mail addresses– Bayesian filtering – words found in the SPAM bin help
define other SPAM messages.
Information Security © 2006 Eric Vanderburg
Internet vulnerabilities
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• Both file names and aliases must be protected if 8.3 aliases are not disabled. Incorrect permissions could be applied.
• Dynamic content can also be used by attackers– Repurposed programming - using
programming tools in ways more harmful than originally intended (Javascript, ActiveX)
Information Security © 2006 Eric Vanderburg
JavaScript
• Provides client side dynamic content• Virtual Machine (VM) - a Java interpreter• JavaScript code is downloaded onto the
user’s computer within the HTML code– defense mechanisms:
• Cannot read or write to the file system• No networking capabilities
– problems:• Can capture and send user information without the
user’s knowledge or authorization• Security is through browser. It does not protect
code that executes outside a browser.
Information Security © 2006 Eric Vanderburg
Java Applet
• Separate program downloaded with but separate from the HTML
• Sandbox - Surrounds program and keeps it away from private data and other resources on a local computer
• Signed or unsigned
Information Security © 2006 Eric Vanderburg
ActiveX• Standard for information sharing between
programs• Installed when referenced by a web page• Do not run in a sandbox. Has full access to the
OS• Signed or unsigned – only proves source but not
safety• Only run on Windows• Set per computer instead of per user• ActiveX controls as a whole are either disabled
or enabled in IE
Information Security © 2006 Eric Vanderburg
Cookies• Stores information from a web site
– Sessions– Saved logon
• Very small (4KB)• Has an expiration date• First party cookie – A site’s own cookie• Third party cookie – Another site’s cookie• Disable third party cookie access• Many sites require cookies so disabling them will
change your online experience but disallowing sites
Information Security © 2006 Eric Vanderburg
CGI (Common Gateway Interface)
• CGI script – program code that adheres to CGI rules. – Used for communicating with other server
software via web pages. – CGI on the server must be set to not execute
remote code statements
Information Security © 2006 Eric Vanderburg
Web security
• SSL (Secure Sockets Layer)- v3.0 latest– Disable versions 1 & 2
• TLS (Transport Layer Security) – v1.0 is approximately the same as SSL3.0
• PCT (Personal Communications Technology) – Microsoft technology with longer keys and a better algorithm than SSL. (Not popular)
• Application layer protocol so it can run on top of any network but it must be integrated with the program to work.
Information Security © 2006 Eric Vanderburg
SSL / TLS / PCT Steps1. Client sends a ClientHello message specifying the list of cipher
suites, compression methods and the highest protocol version it supports.
2. Server receives the ClientHello and sends a ServerHello, where selections are made from available suites, compression, and versions.
3. Client and server exchange certificates (depending on the selected public key cipher) The server can request a certificate from the client, so that the connection can be mutually authenticated.
4. Master secret (a common secret used for generating other keys) is negotiated using Diffie-Hellman exchange, or by encrypting a secret with a public key (if using mutual authentication).
5. Data is sent encrypted with a key generated from the master secret and the selected cipher suite.
6. When the connection is terminated a hash of all the exchanged data seen by both parties is sent for verification.
Information Security © 2006 Eric Vanderburg
FORTEZZA
• Information security system based on a PC Card security token.
• Each individual who is authorized to see protected information is issued a Fortezza card that stores private keys and other data needed to gain access.
• Wide in use in Government and Military applications
• Latest version is FORTEZZA Plus
Information Security © 2006 Eric Vanderburg
HTTP & SSL
• HTTPS - HTTP over SSL/TLS – secures individual messages instead
• SSL/TLS secures the entire communication between client and server
• Port 443
Information Security © 2006 Eric Vanderburg
Chatting
• IM (Instant Message)• Server contains list of users and their buddies• When connected, a user’s IP & port are sent to
all their buddies. • Direct connections can be established to send
messages without involving the server. • Most chat programs can log chats (optional)
which are stored locally. Google Talk stores chat logs on the server.
• Data sent through IM could be malicious (pictures, programs, video, music)
Information Security © 2006 Eric Vanderburg
Acronyms• CGI, Common Gateway Interface• CAN-SPAM, Controlling the Assault of Non Solicited
Pornography and Marketing Act of 2003• IM, Instant Messaging• IMAP, Internet Mail Access Protocol• MIME, Multipurpose Internet Mail Extensions• PCT, Personal Communications Technology• POP, Post Office Protocol• PGP, Pretty Good Privacy• S/MIME, Secure Multipurpose Internet Mail Extensions• SSL, Secure Sockets Layer• SMTP, Simple Mail Transfer Protocol• TLS, Transport Layer Security• VM, Virtual Machine