Information Security Lesson 6 - Web Security - Eric Vanderburg

Information Security © 2006 Eric Vanderburg

Information Security

Chapter 6

Web Security


Reasons for software vulnerability• Large amount of code

– Windows 2000 – 20 million lines– Windows XP – 40 million lines– Linux – 55 million lines

• Extensibility– Ex: Firefox plug-ins– Drivers (use signed drivers)

• Wired (connectivity)– More internet enabled applications which may

not be secure. (weather, stocks, media player)


An email message

1. [email protected] uses a client to create a message for [email protected]

2. Client connects to mail.source.com SMTP server on port 25 and forwards the message.

3. SMTP server compares the source and destination domain names. If they are the same, the message goes to the POP3 server for source.com via the delivery agent.

mailto:[email protected]



An email message

4. The source.com SMTP server connects to the destination.com SMTP server and passes the message. If the destination.com SMTP server is not responding, the message is queued and sent later. After 4 hours in the queue the sender is notified.

5. Destination.com passes the message to the destination.com POP3 server.

6. The message is stored in the POP3 mailbox for retrieval by [email protected]



Email

• POP3 (Post Office Protocol) – offers a storage place for messages until downloaded from the server. Port 119

• IMAP (Internet Mail Access Protocol) – Messages always reside on the server. Port 143

• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)


Email• **All the following operate at the application layer• MIME (Multipurpose Internet Mail Extensions) – standard

for embedding email with rich text, graphics, sound, & video.

• S/MIME (Secure MIME) – adds encryption and authentication to email. – Digital signatures– Works with different email clients– Encrypts messages– Encryption & signing is transparent– Checksums to protect integrity

• PGP (Pretty Good Privacy) – Encrypted with a session key that is encrypted with the recipient’s public key. – Must download a plugin to use with email clients.


Email vulnerabilities

• Several e-mail vulnerabilities can be exploited by attackers:– Malware– Spam– Hoaxes

• SMTP relay attacks allow spammers to send thousands of e-mail messages to users


Email vulnerabilities

• SPAM– 30 billion daily e-mail messages are spam– 25% of users say the ever-increasing volume of spam

has reduced their overall use of e-mail– 52% of users indicate spam has made them less

trusting of e-mail in general– 70% of users say spam has made being online

unpleasant or annoying– Use a backlist of spammers to block any e-mail that

originates from their e-mail addresses– Bayesian filtering – words found in the SPAM bin help

define other SPAM messages.


Internet vulnerabilities

• Buffer overflow attacks are common ways to gain unauthorized access to Web servers

• Both file names and aliases must be protected if 8.3 aliases are not disabled. Incorrect permissions could be applied.

• Dynamic content can also be used by attackers– Repurposed programming - using

programming tools in ways more harmful than originally intended (Javascript, ActiveX)


JavaScript

• Provides client side dynamic content• Virtual Machine (VM) - a Java interpreter• JavaScript code is downloaded onto the

user’s computer within the HTML code– defense mechanisms:

• Cannot read or write to the file system• No networking capabilities

– problems:• Can capture and send user information without the

user’s knowledge or authorization• Security is through browser. It does not protect

code that executes outside a browser.


Java Applet

• Separate program downloaded with but separate from the HTML

• Sandbox - Surrounds program and keeps it away from private data and other resources on a local computer

• Signed or unsigned


ActiveX• Standard for information sharing between

programs• Installed when referenced by a web page• Do not run in a sandbox. Has full access to the

OS• Signed or unsigned – only proves source but not

safety• Only run on Windows• Set per computer instead of per user• ActiveX controls as a whole are either disabled

or enabled in IE


Cookies• Stores information from a web site

– Sessions– Saved logon

• Very small (4KB)• Has an expiration date• First party cookie – A site’s own cookie• Third party cookie – Another site’s cookie• Disable third party cookie access• Many sites require cookies so disabling them will

change your online experience but disallowing sites


CGI (Common Gateway Interface)

• CGI script – program code that adheres to CGI rules. – Used for communicating with other server

software via web pages. – CGI on the server must be set to not execute

remote code statements


Web security

• SSL (Secure Sockets Layer)- v3.0 latest– Disable versions 1 & 2

• TLS (Transport Layer Security) – v1.0 is approximately the same as SSL3.0

• PCT (Personal Communications Technology) – Microsoft technology with longer keys and a better algorithm than SSL. (Not popular)

• Application layer protocol so it can run on top of any network but it must be integrated with the program to work.


SSL / TLS / PCT Steps1. Client sends a ClientHello message specifying the list of cipher

suites, compression methods and the highest protocol version it supports.

2. Server receives the ClientHello and sends a ServerHello, where selections are made from available suites, compression, and versions.

3. Client and server exchange certificates (depending on the selected public key cipher) The server can request a certificate from the client, so that the connection can be mutually authenticated.

4. Master secret (a common secret used for generating other keys) is negotiated using Diffie-Hellman exchange, or by encrypting a secret with a public key (if using mutual authentication).

5. Data is sent encrypted with a key generated from the master secret and the selected cipher suite.

6. When the connection is terminated a hash of all the exchanged data seen by both parties is sent for verification.


FORTEZZA

• Information security system based on a PC Card security token.

• Each individual who is authorized to see protected information is issued a Fortezza card that stores private keys and other data needed to gain access.

• Wide in use in Government and Military applications

• Latest version is FORTEZZA Plus


HTTP & SSL

• HTTPS - HTTP over SSL/TLS – secures individual messages instead

• SSL/TLS secures the entire communication between client and server

• Port 443


Chatting

• IM (Instant Message)• Server contains list of users and their buddies• When connected, a user’s IP & port are sent to

all their buddies. • Direct connections can be established to send

messages without involving the server. • Most chat programs can log chats (optional)

which are stored locally. Google Talk stores chat logs on the server.

• Data sent through IM could be malicious (pictures, programs, video, music)


Acronyms• CGI, Common Gateway Interface• CAN-SPAM, Controlling the Assault of Non Solicited

Pornography and Marketing Act of 2003• IM, Instant Messaging• IMAP, Internet Mail Access Protocol• MIME, Multipurpose Internet Mail Extensions• PCT, Personal Communications Technology• POP, Post Office Protocol• PGP, Pretty Good Privacy• S/MIME, Secure Multipurpose Internet Mail Extensions• SSL, Secure Sockets Layer• SMTP, Simple Mail Transfer Protocol• TLS, Transport Layer Security• VM, Virtual Machine

Information Security Lesson 6 - Web Security - Eric Vanderburg

Technology

Transcript of Information Security Lesson 6 - Web Security - Eric Vanderburg