Intro to Web Security
Revised 11/14/01

Primary Sources
• www.cert.org -- THE Computer Emergency Response Team site.
• Windows 2000 Server Security for Dummies—Paul Sanna. IDG Books
• Web Servers, Security, and Maintenance – Larson & Stevens. Prentice Hall PTR
• How the Internet Works. Preston Gralla. QUE.

Bond, James Bond
• You have a Top Secret corporate project, so you go to a retreat high in the Sierras. You hook up your generator and power up your laptop.
• Is your information secure?

Not Necessarily…
• ½ mile away on the side of Highway 50 your competitors could be listening.
• http://www.eskimo.com/~joelm/tempestintro.html#Just how prevalent is emanation monitoring?

Everything Emits Radiation
• Your Monitor
• Your Keyboard
• Your Printer
If it can be measured, it can be interpreted.

Total Security?
• You can never have total security.
• Your efforts to keep out hackers and crackers need to exceed the efforts they are willing to make to get in.
• Rule 1: You have to want them out more than they want in.

Balance
• You have to find a balance between security and functionality.
• In other words, eTrade will not have 20 hoops for a user. But they have to have some.
• Total Security and Accessibility are contradictions.

Drastic Efforts
• Searching Trash Cans
• Becoming Janitors
• Calling as an Administrator and asking for a password
• Researching interests and facts about victims
• Posing as employees
• Stealing computers

Notice that NONE of these has to do with computer skills--
• Searching Trash Cans
• Becoming Janitors
• Calling as an Administrator and asking for a password
• Researching interests and facts about victims
• Posing as employees
• Stealing computers

The Weakest Link
• The weakest link in the chain of computer network security is the human factor.

Who’s Knocking?
Who is trying to get into your system?

Hackers and Crackers
• There is some debate about, and misuse of, the terms Hacker and Cracker.

Hacker
One who is proficient at using or programming a computer; a computer buff.
One who illegally gains access to or enters another's electronic system to obtain secret information or steal money.
• American Heritage Dictionary

Cracker
One who makes unauthorized use of a computer, especially to tamper with data or programs.
• American Heritage Dictionary

Hacker vs. Cracker
• Hackers coined the phrase “cracker” to distinguish themselves from their “less ethical” counterparts.
• Hackers often consider themselves to be friends of the people, exposing weaknesses and telling the system administrators.

Not Geniuses
• Hackers and Crackers may be smart, but genius is far from a prerequisite.
• Most of the tools and attacks make use of well-known weaknesses.
• Many of those who are caught—the child geniuses—are caught because they are NOT geniuses. They are “script kiddies” who get hold of some useful programs or routines.

Reasons
• Ego gratification
• Personal Gain
• Using your resources: Email, Server Space, etc.

Holy Grail
• SuperUser, or Administrator, Access

Firewalls
• Firewalls are the system--the software and/or hardware--used to prevent unauthorized access to or release of data.
Common Components:
• Packet Filters
• Proxy Servers

Common Firewalls
• Black Ice $25 - $30 personal edition
• ZoneAlarm – Free for personal users
• If you have a constant connection, have a firewall. If you are on dialup, you are still not entirely protected.

Packet Filters
• Packets contain header information.
• This contains such information as the IP address of the requester and the type of request.
• Virtually any transmission could be prescreened.
• Newer firewalls can detect IP Spoofing (faking of IP addresses).
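
As an added example (not from the slides or any of the listed sources), here is a minimal stateless packet filter in Python: rules match on arriving interface, addresses, protocol and port, anything unmatched is denied, and a packet that arrives on the Internet-facing interface while claiming an internal source address is rejected as spoofed. All addresses, interface names and rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample network: our LAN sits behind the firewall on interface
# "int"; interface "ext" faces the Internet.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
WEB_SERVER = "192.168.1.10"


@dataclass
class Packet:
    iface: str            # interface the packet ARRIVED on: "ext" or "int"
    src: str              # source IP taken from the header
    dst: str              # destination IP taken from the header
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port (None for icmp)


# Rules are tried top to bottom; the first match decides. Anything not matched
# is denied. Fields: action, arriving iface, source net, dest net, proto, dport
# (None means "any").
RULES = [
    ("allow", "ext", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 80),   # public web
    ("allow", "ext", "0.0.0.0/0", WEB_SERVER + "/32", "tcp", 443),
    ("allow", "int", str(INTERNAL_NET), "0.0.0.0/0", None, None),   # LAN outbound
]


def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing check: a packet arriving from the Internet can never
    legitimately carry one of our own internal addresses as its source."""
    return pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET


def filter_packet(pkt: Packet) -> str:
    """Return "allow" or "deny" for one packet header."""
    if is_spoofed(pkt):
        return "deny"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, iface, src_net, dst_net, proto, dport in RULES:
        if iface != pkt.iface:
            continue
        if src not in ipaddress.ip_network(src_net) or dst not in ipaddress.ip_network(dst_net):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # default deny: nothing matched
```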
Proxy Servers
• Proxy Servers are the actual machines directly connected to the Internet. The other machines connect via the Proxy Server.
• Thus, the security implementation at the proxy server or servers can filter out malicious requests.
• Proxy Servers can also log every bit of inbound and outbound traffic.

Proxy Servers
• Proxy servers, and servers in general, can be configured to specialize in one type of request:
• FTP
• HTTP
• SMTP
• TELNET
• Streaming Media
• Etc.

Smurf Attacks and Denial of Service Attacks
• In Smurf attacks--or denial of service attacks--ISPs or Web servers are flooded with so much information, or so many requests, that legitimate users cannot use the site.
• Sometimes banks of computers at universities or libraries (or even worse, university libraries!) have been used to make mass attacks.

Ping!
• Often these attacks are simply a bunch of ping requests.

Serving as an Intermediary
• Your computer may be an intermediary in a denial of service attack!
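
Added example, not part of the deck: a small Python detector that reads constructed firewall log lines for ICMP traffic and flags (a) echo requests aimed at our LAN's broadcast address, which is how a smurf attack turns every host on the LAN into an intermediary replying to the forged source, and (b) any destination receiving more echo requests than a threshold. The log format, addresses and threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed LAN; a LAN whose hosts answer pings to the broadcast address can
# be abused as a smurf amplifier.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed log format: "<timestamp> ICMP <type> <src> -> <dst>"
LOG_RE = re.compile(r"^(\S+) ICMP (echo-request|echo-reply) (\S+) -> (\S+)$")

# Constructed sample log. 198.51.100.7 is the address forged as the "source";
# it is really the victim that will receive every reply from our LAN.
SAMPLE_LOG = """\
2001-11-14T10:00:00 ICMP echo-request 203.0.113.5 -> 192.168.1.10
2001-11-14T10:00:01 ICMP echo-reply 192.168.1.10 -> 203.0.113.5
2001-11-14T10:00:02 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:02 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:02 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:03 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:03 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:03 ICMP echo-request 198.51.100.7 -> 192.168.1.255
2001-11-14T10:00:04 ICMP echo-request 203.0.113.5 -> 192.168.1.10
"""


def parse_icmp(log: str):
    """Yield (timestamp, type, src, dst) for each well-formed ICMP log line."""
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def analyze(log: str, flood_threshold: int = 5) -> dict:
    """Flag broadcast pings (amplifier abuse) and destinations being flooded."""
    broadcast_sources = set()
    requests_per_dst = Counter()
    for _ts, kind, src, dst in parse_icmp(log):
        if kind != "echo-request":
            continue
        requests_per_dst[dst] += 1
        if ipaddress.ip_address(dst) == LAN.broadcast_address:
            # Every host on the LAN would reply to `src`: we are the intermediary.
            broadcast_sources.add(src)
    flooded = {d: n for d, n in requests_per_dst.items() if n >= flood_threshold}
    return {"broadcast_pings_from": sorted(broadcast_sources), "flooded": flooded}
```

On Linux hosts the matching mitigation for the intermediary role is the `net.ipv4.icmp_echo_ignore_broadcasts` sysctl, which makes the host ignore pings sent to broadcast addresses.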
Forged Addresses
• Hackers, Crackers and Spammers often forge return addresses.
• Newer firewalls can supposedly detect forged addresses.

Viruses
• By the way, don’t read message attachments about Snow White or Naked Wives or…
• If you think a file may be an unfiltered virus, you can search for details, such as the attachment name, at sites such as McAfee or Symantec.
• CERT has info on viruses.

4 Main Places Viruses Attack
• Executable Program Files
• File Directory System
• Boot and System areas
• Data Files
• Next on FOX: When Viruses Attack!

Macro Viruses
• Macro Viruses typically use VBA (Visual Basic for Applications) or other macro languages to cause damage.
• Melissa spread by using a Word macro to email itself to 50 people on a person’s Outlook mail list.

Worms
• Self-replicating viruses
• Code Red, Nimda

Trojan Horses
• Disguise themselves as useful or wanted programs.
• Melissa – Disguised as a Word document.
• You willingly let them through the gates and they unleash their damage.

Antiviral Software
• Antiviral software performs some or all of the following roles:
• Scanners – Look for viruses
• Eradicators – Rid the system of viruses
• Inoculators – Keep virus-infected programs from running

Illegal Access
• May be malicious or sinister.
• May use conventional or technological means to gain access to systems.

Theft and Disclosure
• People may gain access to resources:
• Credit Card Numbers
• Accounts
• Personal Information
• Information to dig deeper

Site Spoofing
• A site appears to be a legitimate site but is actually a copy of it, set up to gain information, such as credit card numbers, from users.
• This could even result in money being transferred to an imposter.

Data Modification
• Somewhere along the way, the data you sent is modified to alter the transaction.
• Digital Certificates are used to verify identities.

Data Destruction
• Someone just wants to do damage.
• Keep Backups.

Back Door, Remote Administration Programs
On Windows computers, three tools commonly used by intruders to gain remote access to your computer are BackOrifice, Netbus, and SubSeven. These back door or remote administration programs, once installed, allow other people to access and control your computer. Source: CERT

Unprotected Shares
• Remember, the Internet is just a big network.
• Your system may be sharing resources…WITH THE WHOLE WORLD!

Malicious Code
• Java, JavaScript, ActiveX
• You can turn these off, but most sites use JavaScript.
• These can be passed in HTML email.

Cross-site Scripting
• A malicious web developer may attach a script to something sent to a web site, such as a URL, an element in a form, or a database inquiry. Later, when the web site responds to you, the malicious script is transferred to your browser.
• You can potentially expose your web browser to malicious scripts by:

How Cross-site Scripting Spreads
• following links in web pages, email messages, or newsgroup postings without knowing what they link to
• using interactive forms on an untrustworthy site
• viewing online discussion groups, forums, or other dynamically generated pages where users can post text containing HTML tags
• Source: CERT
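
Added example, not from the slides or CERT: the reflected case the slide describes, in Python. A script is smuggled into the `name` parameter of a link; a page that echoes the parameter verbatim sends that script to every visitor's browser, while HTML-escaping the value before output shows it as harmless text. The URL, parameter name and page template are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed link of the kind a victim might follow: the "name" parameter
# carries a script instead of a name (URL-encoded: %3C is '<', %3E is '>').
CONSTRUCTED_URL = "http://example.test/greet?name=%3Cscript%3Ealert(1)%3C/script%3E"


def name_from_url(url: str) -> str:
    """Extract the (already URL-decoded) name parameter as the web app would."""
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def render_unsafe(name: str) -> str:
    """Vulnerable: reflects the parameter straight into the HTML, so any tags
    it contains become part of the page and run in the visitor's browser."""
    return f'<p>Hello, {name}!</p><input value="{name}">'


def render_safe(name: str) -> str:
    """Fixed: escape <, >, &, and quotes so the value is shown as text, both
    in element content and inside the attribute value."""
    safe = html.escape(name, quote=True)
    return f'<p>Hello, {safe}!</p><input value="{safe}">'


def contains_script(page: str) -> bool:
    """Rough check used here only to show the difference between the two renders."""
    return "<script" in page.lower()
```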
E-mail Spoofing
• Someone may fake the source of an email to send spam or request information.

Hidden File Extensions
• Turn on the option to view all file extensions. Otherwise a file may appear to be a different type of file.
• Windows is programmed to run files with certain file extensions using certain programs.

Chat Clients
• Chat clients can send URLs or executable files.