E-Commerce and Web Security Lesson 14
Threats to Web Sites
• Employee Misbehavior (deliberate or otherwise)
• Crackers
• Angry Customers
• Political Activism
• Terrorism
• Criminals
• Competitors
• Nonhostile acts
  • “acts of God”
  • “acts of Clod”
    • Death by backhoe or pile driver
    • Operator error
    • Poorly executed updates, maintenance
Risks to Sonia in previous slide
• The risk that the information she provides for this transaction will be used against her at some future time. For example, the address that she gives may end up on a mailing list and be used to send her unwanted physical or electronic mail.
• The risk that the merchant might take over Sonia’s web browser and use it to surreptitiously glean information from her computer about her.
• The risk that the merchant may experiment with Sonia’s sensitivity to price or determine the other stores where she is shopping, allowing the merchant to selectively raise the prices that are offered to Sonia so that they will be as high as she is willing to pay – and definitely higher than the prices that are charged to the “average” customer.
Risks to the merchant
• Sonia might in fact be a competitor, or an automated program that is systematically scanning the store’s inventory and obtaining a complete price list.
• Sonia might be Jason, a 14-year-old computer prankster who has stolen Sonia’s credit card number and is using it illegally to improve his CD collection.
• Jason might break into the merchant’s computer where Sonia’s card number is kept and steal it, making the merchant open to liability.
• Jason could have broken into the merchant’s computer and be issuing fraudulent orders.
• Jason might have his own credit card and, having compromised the merchant’s computer, issue reverse-charge orders into Jason’s account. The credits appear on Jason’s card and he quickly removes the cash.
• Jason might alter the store’s database or WWW pages so the CDs received are not the ones the customers ordered.
• Jason might sabotage the online store by lowering the prices of the merchandise to below the store’s cost.
Threats to E-business (diagram: threats placed in the zone where they arise: Client / The Internet / Server)
• Client: Mobile Code, Open Shares
• The Internet: Interception of Data, Man-in-the-Middle, Spoofing
• Server: CGI problems, Coding problems, Subversion, Misconfigurations, Open directories/shares, Access control, Default accounts
A type of Social Engineering
<script> password = prompt("Please enter your dial-up password", ""); </script>
Web-based vulnerabilities
• Manually inspect web pages
  • View Page Source
  • often find comments which may contain
    • email addresses, comments, old passwords, phone numbers
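An added example (not part of the lesson) of turning this inspection into a pre-publication check of your own pages: a Python script that extracts HTML comments and flags any that look like e-mail addresses, phone numbers or credential remarks. The sample page, the regular expressions and the category names are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not from the lesson): the kind of markup a
# "View Page Source" inspection of a shop front page might reveal.
SAMPLE_HTML = """<html><head><title>Shop</title></head>
<body>
<!-- TODO remove before launch: staging admin password is s3cret99 -->
<!-- questions: webmaster@example.com or call 555-0100 -->
<!-- layout fixed 2001-03-04 -->
<form action="/cgi-bin/order.cgi" method="post">
<input type="hidden" name="item" value="CD-1001">
</form>
</body></html>"""

# Things that should never ship inside a public page's comments.
PATTERNS = {
    "credential": re.compile(r"\b(pass(word|wd)?|pwd|secret)\b", re.IGNORECASE),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{4}\b"),
}


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line on which it starts."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _offset = self.getpos()
        self.comments.append((line, data.strip()))


def find_sensitive_comments(html):
    """Return (line, category, comment) for each comment matching a pattern.

    Findings are in document order, one per matching category, so a single
    comment leaking both an address and a phone number is reported twice.
    """
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        for category, pattern in PATTERNS.items():
            if pattern.search(text):
                findings.append((line, category, text))
    return findings


if __name__ == "__main__":
    for line, category, text in find_sensitive_comments(SAMPLE_HTML):
        print(f"line {line}: {category}: {text}")
```

Run it over the document root before deployment; anything it reports is text the author never meant a visitor to read.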
Finding well-known vulnerabilities
• Automated Scripts
  • Phfscan.c
    • an example script that implemented an interface to a white-pages-like service used to look up name and address information. Users could, however, trick it into executing commands locally by “escaping” the script using a newline character in the input.
  • Cgiscan.c
    • scans for a number of the older scripts such as:
      • PHF (see above)
      • count.cgi: buffer overflow, allows remote execution
      • test-cgi: lists all files and directories in the scripts directory (thus may be able to find other, more serious, vulnerabilities)
      • PHP: one vulnerability allowed you to view any file on the system; also a buffer overflow problem
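The PHF flaw above is a case of user input spliced into a shell command line. An added Python example (not the lesson's material) of the hardened shape: each CGI field is checked against an allow list, so a value carrying a newline or any other metacharacter is refused rather than escaped, and the lookup is launched as an argv list with no shell in the path. The /usr/local/bin/lookup program, its -m option and the alias/name fields are hypothetical stand-ins for the directory client.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Characters a white-pages name lookup legitimately needs. Newline, semicolon,
# backtick and pipe are not among them, so a field carrying one is refused
# outright instead of being "escaped" and passed on.
ALLOWED_FIELD = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")

# Hypothetical lookup program standing in for the real directory client;
# it is only ever invoked as an argv list, never through a shell.
LOOKUP_PROGRAM = "/usr/local/bin/lookup"


class InvalidField(ValueError):
    pass


def validate_field(name, value):
    """Accept a field only if every character is on the allow list."""
    if not ALLOWED_FIELD.fullmatch(value):
        raise InvalidField(f"field {name!r} contains disallowed characters")
    return value


def unsafe_command_line(alias):
    """The shape of the original flaw: user text spliced into one shell string,
    so a line break inside the value is read by the shell as the end of the
    lookup command. Built here only to make the contrast visible; never run."""
    return f"{LOOKUP_PROGRAM} -m alias={alias}"


def handle_request(query_string):
    """CGI-style handler: parse the query, validate each field, and return the
    argv a subprocess call would receive, or an error message."""
    params = parse_qs(query_string, keep_blank_values=True)
    argv = [LOOKUP_PROGRAM, "-m"]
    try:
        for key in ("alias", "name"):
            if key in params:
                value = validate_field(key, params[key][0])
                argv.append(f"{key}={value}")
    except InvalidField as exc:
        return {"ok": False, "error": str(exc)}
    if len(argv) == 2:
        return {"ok": False, "error": "no search field supplied"}
    return {"ok": True, "argv": argv}


def run_lookup(query_string):
    """Execute the validated lookup with no shell involved: argv elements reach
    the program verbatim, so nothing inside them is interpreted."""
    result = handle_request(query_string)
    if not result["ok"]:
        return result
    completed = subprocess.run(result["argv"], capture_output=True, text=True, shell=False)
    return {"ok": completed.returncode == 0, "output": completed.stdout}
```

The allow list is deliberately narrow; widening it to admit a character is a decision to review, whereas a deny list of "known bad" characters is exactly what let the newline through in the original.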
Taking down a web site using only a browser (from “Hacking Exposed”)
• Sample ColdFusion problem (the problem is in how it handles input validation for passwords)
  • Point your browser to the Administrator logon page of a typical ColdFusion server
  • Edit the HTML using File | Edit Page
  • Change the ACTION tag by prepending the server name/address to the URL
  • Change the HTML tag holding the password so the size and maxlength properties are in the 1,000,000 range
  • Preview and save the HTML file
  • Generate close to 1,000,000 characters and input them to the password field
  • Watch CPU utilization go to 100% (or if you make it 1,000,000,000, watch it die instantly)
Misuse of hidden tags
• Poor shopping-cart design can allow attackers to falsify values if hidden HTML tags are the sole mechanism for assigning the price to an item. Ex:
  <input type="hidden" name="price" value="199.99">
• A simple change using Netscape Composer would allow the user to modify the price to 1.99
• Modify the width value of fields to some arbitrarily large number, then submit a large string. May be able to crash the server.
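The hidden-price field on this slide and the oversized-field trick on this and the previous slide share one server-side fix: never trust the browser's copy of a value, and bound every field before parsing it. An added Python example (not from the lesson) showing the vulnerable total calculation beside the hardened one, plus a check that flags a tampered price for logging; the catalog, item codes, limits and field names are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: the server's own record of what each item costs.
CATALOG = {"CD-1001": Decimal("199.99"), "CD-1002": Decimal("14.99")}

MAX_FIELD_LEN = 64   # server-side limit; the form's maxlength is only a hint
MAX_QUANTITY = 99


class RejectedOrder(ValueError):
    pass


def vulnerable_total(form):
    """The design the slide warns about: the hidden 'price' field sets the price."""
    return Decimal(form["price"]) * int(form["qty"])


def check_field_lengths(form):
    """Refuse any field longer than the server-side limit before parsing it,
    so an oversized value is dropped cheaply instead of being processed."""
    for key, value in form.items():
        if len(key) > MAX_FIELD_LEN or len(value) > MAX_FIELD_LEN:
            raise RejectedOrder(f"field {key[:MAX_FIELD_LEN]!r} exceeds {MAX_FIELD_LEN} characters")


def hardened_total(form):
    """Price comes from the catalog; the client only names the item and quantity."""
    check_field_lengths(form)
    item = form.get("item", "")
    if item not in CATALOG:
        raise RejectedOrder("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise RejectedOrder("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QUANTITY:
        raise RejectedOrder("quantity out of range")
    return CATALOG[item] * qty


def price_tampered(form):
    """True when the client sent a 'price' that disagrees with the catalog.
    The value is never used for the total; it is worth logging because a
    mismatch means someone edited the form before submitting it."""
    if "price" not in form or form.get("item") not in CATALOG:
        return False
    try:
        return Decimal(form["price"]) != CATALOG[form["item"]]
    except InvalidOperation:
        return True


if __name__ == "__main__":
    edited = {"item": "CD-1001", "price": "1.99", "qty": "1"}
    print("vulnerable:", vulnerable_total(edited))   # whatever the browser said
    print("hardened:  ", hardened_total(edited))     # what the catalog says
    print("tampered:  ", price_tampered(edited))
```

If the form must carry a price for display, treat it as display only; the authoritative figure is looked up again at checkout and any disagreement is recorded.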
Tips for the E-Commerce Consumer
• Buy only from a reputable site.
• Avoid responding to e-mails asking you for personal info such as address, credit card numbers, and SSNs.
• When conducting an online transaction, ensure your Web browser has established an encrypted session.
• Carefully examine credit card statements, particularly for those cards you use for online purchases.
• Select good passwords for accounts.
Tips for the E-Commerce Merchant
• Ensure all patches and updates (OS and applications) are applied.
• Servers should be protected by firewalls and IDS.
• Common applications should be thoroughly reviewed for possible vulnerabilities.
• Customer data should be kept on a separate server, not the same server that houses the Web application.
• Customer data should be encrypted.
• Web servers and their supporting systems should be tested on a regular basis by trained security professionals.
Tips for Merchant (cont)
• Eliminate default accounts
• Prohibit poor/easily guessed passwords
• Deactivate all unnecessary services
• Ensure file access permissions are properly set
• Enable audit logging
• Run system file integrity checks
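For the last item, "Run system file integrity checks", an added Python example (not from the lesson) of a minimal integrity baseline: record the size, permission bits and SHA-256 of every file under the document root, keep that record somewhere the web server cannot write, and later diff the live tree against it. The demo builds a throwaway tree in a temporary directory; its file names and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record size, permission bits and digest of every regular file under root.
    Keys are POSIX-style relative paths so the baseline is portable."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
                "sha256": hash_file(path),
            }
    return baseline


def save_baseline(baseline, dest):
    # The baseline must live where the web server cannot write (read-only
    # media or another host); otherwise an intruder can "fix" it as well.
    with open(dest, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(src):
    with open(src, encoding="utf-8") as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the tree under root to the baseline; a content, size or
    permission change all count as modified."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p]),
    }


def demo():
    """Constructed document root in a temp dir: baseline it, change it, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "htdocs"
        (docroot / "cgi-bin").mkdir(parents=True)
        (docroot / "index.html").write_text("<html>shop</html>")
        (docroot / "cgi-bin" / "order.cgi").write_text("#!/bin/sh\necho order\n")
        baseline_path = Path(tmp) / "baseline.json"   # outside the scanned tree
        save_baseline(build_baseline(docroot), baseline_path)

        # Simulated changes after the baseline was taken.
        (docroot / "index.html").write_text("<html>shop <!-- edited --></html>")
        (docroot / "cgi-bin" / "order.cgi").unlink()
        (docroot / "cgi-bin" / "new.cgi").write_text("#!/bin/sh\n")

        return verify(docroot, load_baseline(baseline_path))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Schedule the verify step from a host other than the web server and alert on any non-empty list; an expected change (a deployment) is handled by re-baselining after review, not by ignoring the report.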
Summary
• What is the importance and significance of this material?
• How does this topic fit into the subject of “Voice and Data Security”?