Explore the aftermath of a hacked e-commerce site, the forensic analysis, and lessons learned. Discover vulnerabilities exploited by intruders and preventive measures for a secure web environment.
Case Study: A Forensic Lesson for Web Security (MSS, part one)
csci5931 Web Security
A Hacked E-commerce Site
• A security officer’s nightmare!
• Users’ passwords got stolen!
• Customers’ credit card numbers were exposed.
• Merchandise was purchased online using the stolen credit cards.
• The company’s reputation was ruined.
• The CIO’s or security officer’s job is at stake.
• …
Case Study: A Forensic Log
• Page 2 of the MSS book: five groups of log entries (a, b, …, f)
• The company’s firewall was configured to block all traffic except HTTP traffic via port 80 (HTTP) and port 443 (SSL).
• The intruder exploited a vulnerability in the index.cgi script to list the content of the system password file.
• Q: What vulnerability was exploited?
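An added example, not from the MSS book or these slides, of the log triage a responder would run over the web server access log in a case like this: it parses each entry and flags requests to index.cgi whose decoded query string names the system password file. It assumes an Apache combined-style log prefix, /etc/passwd as the password file (the slides say only "system password file"), and the log lines below are constructed.

```python
import re
from urllib.parse import unquote

# Apache "combined"-style access log prefix (assumed format for the sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Files whose appearance in a request parameter is never legitimate for
# this site; /etc/passwd is an assumption, the slides say only
# "the system password file".
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow")

def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(url, script="index.cgi"):
    """True if the request targets the script and its query string, after
    URL decoding (twice, to catch double encoding), names a sensitive file."""
    path, _, query = url.partition("?")
    if not path.endswith("/" + script):
        return False
    decoded = unquote(unquote(query))
    return any(f in decoded for f in SENSITIVE_FILES)

def triage(lines):
    """Return (ip, time, url, status) for every request worth a closer look.
    A 200 status on a flagged request means the script served something back."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec["url"]):
            hits.append((rec["ip"], rec["time"], rec["url"], rec["status"]))
    return hits

# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2000:13:55:36 -0700] "GET /cgi-bin/index.cgi?page=home HTTP/1.0" 200 2326',
    '198.51.100.7 - - [10/Oct/2000:13:56:02 -0700] "GET /products.html HTTP/1.0" 200 5120',
    '203.0.113.5 - - [10/Oct/2000:13:57:11 -0700] "GET /cgi-bin/index.cgi?page=%2Fetc%2Fpasswd HTTP/1.0" 200 1904',
    '203.0.113.5 - - [10/Oct/2000:13:58:40 -0700] "GET /cgi-bin/index.cgi?page=%252Fetc%252Fpasswd HTTP/1.0" 200 1904',
    'garbage line that should be skipped, not crash the parser',
]
if __name__ == "__main__":
    for ip, when, url, status in triage(SAMPLE_LOG):
        print(f"{when} {ip} {status} {url}")
```

Requests that return 200 on a flagged URL are the ones to correlate with the other log groups, since they indicate the script actually answered the request rather than rejecting it.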
Analysis of the Hacking Incident
• Pages 2 to 9
• What knowledge and skills does a “successful” hacker need to possess?
• Understanding of Web server operation, the scripting language used, and activation mechanisms
• Understanding of operating system commands
• Lots of patience and some luck
• Anything missing from the list?
Can the Incident Have Been Prevented?
• Yes. There exist “stronger” security technologies to counter the potential attacks. Examples?
• Elimination of source code exposure
• Setup of a DMZ
• Enforcement of access control lists
• The “least privilege” rule
• …
• See an overview of common solutions in GS Chapter 1.
Lessons Learned from the Case Study
• A firewall does not guarantee a secure e-commerce site. Why?
• Security auditing has its limits. Why?
• Strong password protection may not be enough. Why?
• The bottom line: the secure operation of a web site requires a mixture of protection mechanisms, each covering one of the many components and links in an N-tier web-based application, which together deliver a secure web site.
Next
• Review of N-tier web-based applications
• Review of cryptography
• Java security model