
Case Study: A Forensic Lesson for Web Security (MSS, part one)


nbyrd


  1. Case Study: A Forensic Lesson for Web Security (MSS, part one)
  csci5931 Web Security

  2. A Hacked E-commerce Site
  • A security officer’s nightmare!
  • Users’ passwords were stolen.
  • Customers’ credit card numbers were exposed.
  • Merchandise was purchased online using the stolen credit cards.
  • The company’s reputation was ruined.
  • The CIO’s or security officer’s job is at stake.
  • …

  3. Case Study: A Forensic Log
  • Page 2 of the MSS book: five groups of log entries (a, b, …, f).
  • The company’s firewall was configured to block all traffic except HTTP on port 80 and HTTPS (SSL) on port 443.
  • The intruder exploited a vulnerability in the index.cgi script to list the contents of the system password file.
  • Q: What vulnerability was exploited?
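The slide does not say which bug in index.cgi the intruder used, only that the script returned the system password file. As an added example (not code from the MSS book or from these slides), the script below shows how a forensic reviewer would triage web-server access logs for the footprints such a request leaves: a CGI parameter that walks the file system (`..` path segments, also when percent-encoded or double-encoded), that names a sensitive system file, or that asks for a script’s own source. The log lines, IP addresses and the `page` parameter name are constructed for the demonstration and are assumptions, not the book’s log entries.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of Apache "combined"-style access log lines for the
# demonstration; these are not the MSS book's log entries.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2001:03:14:07 -0500] "GET /index.html HTTP/1.0" 200 1832
10.0.0.5 - - [12/Oct/2001:03:14:20 -0500] "GET /cgi-bin/index.cgi?page=about.html HTTP/1.0" 200 4216
203.0.113.9 - - [12/Oct/2001:03:15:02 -0500] "GET /cgi-bin/index.cgi?page=../../../../etc/passwd HTTP/1.0" 200 1170
203.0.113.9 - - [12/Oct/2001:03:15:40 -0500] "GET /cgi-bin/index.cgi?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.0" 200 1170
203.0.113.9 - - [12/Oct/2001:03:16:11 -0500] "GET /cgi-bin/index.cgi?page=index.cgi HTTP/1.0" 200 2890
10.0.0.7 - - [12/Oct/2001:03:17:00 -0500] "POST /cgi-bin/checkout.cgi HTTP/1.0" 302 0
"""

# client - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/master.passwd")
SOURCE_SUFFIXES = (".cgi", ".pl", ".php", ".asp")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded values (%252e%252e%252f) are caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list:
    """Return the indicators found in the query parameters of one request target."""
    indicators = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = decode_fully(raw)
            segments = re.split(r"[\\/]", value)
            if any(segment == ".." for segment in segments):
                indicators.append(f"traversal in {name}")
            if any(value.endswith(path) for path in SENSITIVE_FILES):
                indicators.append(f"sensitive file in {name}")
            if value.lower().endswith(SOURCE_SUFFIXES):
                # Asking a script to serve another script (or itself) exposes source code.
                indicators.append(f"source request via {name}")
    return indicators


def triage(log_text: str) -> list:
    """Parse each log line and keep the requests that carry at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        indicators = classify_request(match["target"])
        if indicators:
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "status": int(match["status"]),
                "size": match["size"],
                "target": match["target"],
                "indicators": indicators,
            })
    return hits


def suspect_sources(hits: list) -> list:
    """Distinct client addresses behind the flagged requests."""
    return sorted({hit["ip"] for hit in hits})


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for hit in flagged:
        print(hit["ts"], hit["ip"], hit["status"], hit["size"], hit["target"],
              "->", ", ".join(hit["indicators"]))
    print("suspect sources:", suspect_sources(flagged))
```

Every one of the flagged requests is ordinary port-80 HTTP, which is why a firewall that only filters ports sees nothing; the web server’s own log is the first place the intrusion becomes visible. The status and size columns matter as much as the request itself: a 200 with a non-zero body on the password-file request is the evidence that the disclosure actually succeeded, whereas a 404 would only show an attempt.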

  4. Analysis of the Hacking Incident
  • Pages 2 to 9 of the MSS book.
  • What knowledge and skills does a “successful” hacker need to possess?
  • Understanding of how the web server operates, the scripting language used, and how scripts are invoked (activation mechanisms)
  • Understanding of operating system commands
  • Lots of patience and some luck
  • Anything missing from the list?

  5. Could the Incident Have Been Prevented?
  • Yes. Stronger security technologies exist to counter attacks of this kind. Examples?
  • Elimination of source code exposure
  • Setting up a DMZ
  • Enforcement of access control lists
  • The “least privilege” rule
  • …
  • See an overview of common solutions in GS Chapter 1.
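To make “elimination of source code exposure”, “access control” and “least privilege” concrete at the script level, here is an added example (not code from the slides or from the MSS book) of a page-serving handler written two ways: the weak form, which joins an unvalidated `page` parameter onto the document root, and a hardened form that allowlists the parameter and refuses any resolved path that lands outside the document root. The handler, the page names, the document tree and the fake `passwd` file are all constructed for the demonstration; the slide does not say that this particular bug was the one in index.cgi.

```python
import os
import tempfile
from pathlib import Path

# Assumption for the example: the only pages the script is supposed to serve.
ALLOWED_PAGES = frozenset({"index.html", "about.html", "catalog.html"})


def serve_page_vulnerable(doc_root: str, page: str) -> str:
    """Weak form: the request parameter is joined onto the document root unchecked.

    A value such as '../../../../etc/passwd' walks out of doc_root, and any file the
    web server's account can read comes back in the HTTP response.
    """
    with open(os.path.join(doc_root, page)) as fh:
        return fh.read()


def serve_page_hardened(doc_root: str, page: str) -> str:
    """Hardened form: allowlist the parameter, then confine the resolved path."""
    # 1. Access control on the input: only known page names are served. This also
    #    removes source exposure, because 'index.cgi' itself is not on the list.
    if page not in ALLOWED_PAGES:
        raise PermissionError(f"page not allowed: {page!r}")
    # 2. Containment: resolve symlinks and '..' and require the result to sit under
    #    the document root (defence in depth in case the allowlist is ever loosened).
    root = Path(doc_root).resolve()
    target = (root / page).resolve()
    if root not in target.parents:
        raise PermissionError(f"path escapes document root: {target}")
    return target.read_text()


def demo() -> dict:
    """Build a throwaway tree (constructed, not a real system) and run both handlers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "about.html").write_text("<h1>About us</h1>")
        # A sensitive file *beside* the document root, standing in for /etc/passwd.
        secret = Path(tmp) / "secret"
        secret.mkdir()
        (secret / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")

        traversal = "../secret/passwd"
        results = {"normal": serve_page_hardened(str(root), "about.html")}
        # The weak handler hands over the file outside the web root.
        results["leaked"] = serve_page_vulnerable(str(root), traversal).startswith("root:")
        # The hardened handler rejects both the traversal and the source request.
        for name, page in (("traversal", traversal), ("source", "index.cgi")):
            try:
                serve_page_hardened(str(root), page)
                results[name] = "served"
            except PermissionError:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10s} {value}")
```

One caveat on the “least privilege” bullet: on most Unix systems /etc/passwd is world-readable by design, so running the CGI script under a low-privilege account would not by itself have stopped the disclosure described on slide 3. Least privilege limits what else the attacker can reach (no /etc/shadow, no writable web root, no shell access); input validation of the kind shown in the hardened handler is what closes the hole itself.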

  6. Lessons Learned from the Case Study
  • A firewall does not guarantee a secure e-commerce site. Why? (The attack on slide 3 arrived as ordinary HTTP on the permitted port 80.)
  • Security auditing has its limits. Why?
  • Strong password protection may not be enough. Why?
  • The bottom line: the secure operation of a web site requires a mixture of protection mechanisms, each covering one of the many components and links in an N-tier web-based application, which together deliver a secure web site.

  7. Next
  • Review of N-tier web-based applications
  • Review of cryptography
  • Java security model
