Web Security


Page 1: Web Security

2013

ABSTRACT

In this report, Web security will be discussed in detail. Some current issues related to web attacks across the world will be discussed, and a few key points to note on cyber security will be provided as a platform for an individual to learn more about the Web threats that are growing fast nowadays.

YUSUPH KILEO

05/03/2013

WEB SECURITY


YUSUPH KILEO WEB SECURITY

© 2014 Page 1

Table of Contents

INTRODUCTION ........ 2
WEB SECURITY THREAT ........ 3
    INTEGRITY ........ 3
    CONFIDENTIALITY ........ 4
    DENIAL OF SERVICE (DoS) ........ 4
    AUTHENTICATION ........ 5
WEB SECURITY APPROACHES ........ 6
    SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY ........ 7
    SECURE ELECTRONIC TRANSACTION ........ 13
CURRENT ISSUES ON WEB ATTACK ........ 14
    SEVEN-STEP CYBER SECURITY STRATEGY ........ 17
CONCLUSION ........ 18
REFERENCES ........ 19


INTRODUCTION

Definition: The World Wide Web (WWW) can be defined as a client/server application running over the Internet and TCP/IP intranets. In order for an individual to access something that is available on the Web, he/she must go through either the Internet or an intranet.

The benefits of the web in the current world may be obvious to Facebook users: the exchange of ideas, access to healthcare and education, the buying and selling of products and services, and keeping in touch with friends and family! However, there is a dark side to this global resource which stems from the misuse of information and communication technologies (ICTs), including cyberthreats and cybercrime.

There are many cases in which websites have been reported falling victim to cyber-attacks from various groups of people or individuals across countries every now and then. This is the dark side of the misuse of ICT to cause harm on the web, which includes stealing money through online transactions, stealing confidential information and many other bad acts.

Based on this, it is highly advised to take a look at web security issues so that an individual will know how to secure the web from various attacks. We should keep in mind that attacks cannot be completely avoided, but an individual can create mechanisms to prevent attacks and harden the web so that it cannot be attacked easily.


WEB SECURITY THREAT

There are four main types of security threat that an individual can face while using the Web, namely Integrity, Confidentiality, Authentication and Denial of Service (DoS). These threats can also be grouped into two categories, named Active attacks and Passive attacks.

Definitions: Eavesdropping on network traffic between browser and server, and gaining access to information on a Web site that is supposed to be restricted, is known as a Passive Attack. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site.

INTEGRITY

Definition: Data/information transmitted through the Internet, or held in computer assets, can only be modified (deleted, changed or created) by authorized users.

Threats:
- Modification of user data
- Trojan horse browser
- Modification of memory
- Modification of message traffic in transit.

Consequences:
- Loss of information
- Compromise of machine
- Vulnerability to all other threats

To protect/secure the web from the above threats, which lead to the consequences listed above, a cryptographic checksum can be applied by the user as a countermeasure.


CONFIDENTIALITY

Definition: Data in a computer system, and information transmitted through the web, can be accessed only by authorized users. This type of access includes reading, printing and others.

Threats:
- Eavesdropping on the Net.
- Theft of info from server.
- Theft of data from client.
- Info about network configuration.
- Info about which client talks to server.

Consequences:
- Loss of information
- Loss of privacy

To protect/secure the web from the above threats, which lead to the consequences listed above, encryption and web proxies can be applied by the user as a countermeasure.

DENIAL OF SERVICE (DoS)

Definition: A threat intending to make computer resources or web information on the Internet unavailable to its intended users. Flooding of the network or disruption of connections are the most commonly used techniques to cause Denial of Service (DoS). When an attacker is intent on causing a Denial of Service (DoS), it is difficult to prevent.

Threats:
- Killing of user threads
- Flooding machine with bogus requests
- Filling up disk or memory
- Isolating machine by DNS attacks


Consequences:
- Disruptive
- Annoying
- Prevents user from getting work done.

AUTHENTICATION

Definition: The origin of an electronic document, message or information transmitted over the web is correctly identified, with an assurance that the identity is not false.

Threats:
- Impersonation of legitimate users.
- Data forgery.

Consequences:
- Misrepresentation of user.
- Belief that false information is valid.

To protect/secure the web from the above threats, which lead to the consequences listed above, cryptographic techniques can be applied by the user as a countermeasure.


WEB SECURITY APPROACHES

There are a number of ways that an individual can utilize to provide security to the web. Each approach to providing security to the web has its advantages, depending on how an individual utilizes it. It should be kept in mind that these approaches differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack, as follows:

i. Use IP security.

The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution.

    HTTP | FTP | SMTP
    TCP
    IP/IPsec

Further, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.

ii. Implement security just above TCP.

The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS).

    HTTP | FTP | SMTP
    SSL or TLS
    TCP
    IP

Protocol Stack Definition: A protocol stack refers to a group of protocols, running concurrently, that are employed for the implementation of a network protocol suite.


At this level, there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, the Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.

iii. Specific security services are embedded within the particular application.

The advantage of this approach is that the service can be tailored to the specific needs of a given application. In the context of Web security, an important example of this approach is Secure Electronic Transaction (SET).

    S/MIME | PGP | SET
    Kerberos | SMTP | HTTP
    UDP | TCP
    IP

SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY

When discussing web security approaches in the earlier section (4.0), part ii, SSL and TLS were introduced as security that can be implemented just above TCP. This is one approach that can be used to secure websites. Here SSL and TLS will be discussed in terms of their architecture and protocols, and the differences between them.

SSL Architecture: SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols.


    SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
    SSL Record Protocol
    TCP
    IP

The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges and are examined later in this section.

Two important SSL concepts are:

a. SSL Connection.
- A transport that provides a suitable type of service.
- For SSL, such connections are peer-to-peer relationships.
- The connections are transient.
- Every connection is associated with one session.

b. SSL Session.
- An association between a client and a server.
- It is created by the Handshake Protocol.


- It defines a set of cryptographic security parameters which can be shared among multiple connections.
- Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
- A session state is defined by:
  i. Session identifier
  ii. Peer certificate
  iii. Compression method
  iv. Cipher spec
  v. Master secret
  vi. Is resumable
  vii. Server and client random
  viii. Client write MAC secret and server write MAC secret
  ix. Server write key and client write key
  x. Initialization vectors
  xi. Sequence numbers

SSL Record Protocol: The overall operation of the SSL Record Protocol is as follows. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled, and then delivered to higher-level users.

"There are actually a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and write states are created. Upon successful conclusion of the Handshake Protocol, the pending states become the current states."


The SSL Record Protocol provides two services for SSL connections:

Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.

Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

After those two steps (fragmentation and compression), the computation of the message authentication code over the compressed data is performed. For this purpose, the shared secret key is used. (See the calculation definition below.)

    hash(MAC_write_secret || pad_2 ||
         hash(MAC_write_secret || pad_1 || seq_num ||
              SSLCompressed.type ||
              SSLCompressed.length || SSLCompressed.fragment))

"The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default compression algorithm is null."


(See the elaboration below.)

Term | Definition
|| | concatenation
MAC_write_secret | shared secret key
hash | cryptographic hash algorithm; either MD5 or SHA-1
pad_1 | the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1
pad_2 | the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1
seq_num | the sequence number for this message
SSLCompressed.type | the higher-level protocol used to process this fragment
SSLCompressed.length | the length of the compressed fragment
SSLCompressed.fragment | the compressed fragment (if compression is not used, the plaintext fragment)
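The MAC definition above, carried through in Python as an added example (this code is not from the report; it is written to match the formula and the definition table). It also illustrates the "cryptographic checksum" countermeasure named in the INTEGRITY section: a receiver that recomputes the MAC detects a modified fragment, and because seq_num is part of the input, a replayed record fails as well. Encoding widths for seq_num (64-bit), type (one byte) and length (16-bit), and the content-type values, come from SSLv3 rather than from the page; the secret and the fragment are constructed sample values. MD5 and SHA-1 appear only because the formula is defined over them; SSLv3 itself is obsolete.

```python
import hashlib
import hmac
import struct

# SSL record content types (values from the SSLv3 specification, not from the report).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

# Pad lengths from the definition table: 48 bytes for MD5, 40 bytes for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}
PAD_1_BYTE = 0x36   # 0011 0110
PAD_2_BYTE = 0x5C   # 0101 1100


def sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment):
    """Compute the SSLv3 record MAC exactly as the definition states:

        hash(MAC_write_secret || pad_2 ||
             hash(MAC_write_secret || pad_1 || seq_num ||
                  SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment))

    Encoding assumptions (SSLv3, not spelled out on the page): seq_num is a 64-bit
    big-endian integer, type is one byte, length is a 16-bit big-endian integer.
    """
    if hash_name not in PAD_LEN:
        raise ValueError("SSLv3 MAC is defined for md5 or sha1 only")
    pad_1 = bytes([PAD_1_BYTE]) * PAD_LEN[hash_name]
    pad_2 = bytes([PAD_2_BYTE]) * PAD_LEN[hash_name]
    inner = hashlib.new(hash_name, mac_write_secret + pad_1
                        + struct.pack(">Q", seq_num)
                        + bytes([content_type])
                        + struct.pack(">H", len(fragment))
                        + fragment).digest()
    return hashlib.new(hash_name, mac_write_secret + pad_2 + inner).digest()


def verify_record_mac(hash_name, mac_write_secret, seq_num, content_type, fragment, received_mac):
    """Receiver side: recompute the MAC and compare it in constant time."""
    expected = sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, received_mac)


def demo():
    """Constructed inputs: one record is MACed, then checked unmodified, modified, and replayed."""
    secret = b"constructed-mac-write-secret"
    fragment = b"GET /account HTTP/1.0\r\n\r\n"
    tag = sslv3_mac("sha1", secret, 0, APPLICATION_DATA, fragment)

    genuine = verify_record_mac("sha1", secret, 0, APPLICATION_DATA, fragment, tag)
    # modification of message traffic in transit: one byte changed, same length
    modified = verify_record_mac("sha1", secret, 0, APPLICATION_DATA,
                                 b"GET /acc0unt HTTP/1.0\r\n\r\n", tag)
    # replay: the same record presented again; the receiver now expects seq_num 1
    replayed = verify_record_mac("sha1", secret, 1, APPLICATION_DATA, fragment, tag)
    return genuine, modified, replayed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The nested construction (inner hash over pad_1, outer hash over pad_2) is what the table describes; it is the precursor of the HMAC construction used by TLS, and `hmac.compare_digest` is used for the comparison so that a wrong tag is not distinguishable by timing.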

Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048.

The final step of SSL Record Protocol processing is to prepend a header, consisting of the following fields:

Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.

Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.


Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.

Compressed Length (16 bits): The length in bytes of the plaintext fragment (or the compressed fragment if compression is used). The maximum value is 2^14 + 2048.
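The header layout and the length limits just described, turned into a small encoder and a defensive parser as an added example (not code from the report). It covers the first Record Protocol step, fragmentation into 2^14-byte blocks, and the last step, prepending the 5-byte header; compression, MAC and encryption are left out so that the framing is visible on its own. The Content Type values (20 to 23) are the SSLv3 ones, which the page does not list; the message and the malformed header in `demo()` are constructed. The point for a practitioner is on the receiving side: every header field is validated before the declared length is used to slice the buffer, so a header claiming 65,535 bytes, more than 2^14 + 2048, is rejected instead of trusted.

```python
import struct

# Limits stated in the report: 2^14-byte fragments; compression may add at most 1024 bytes
# and encryption at most another 1024, so no record fragment exceeds 2^14 + 2048 bytes.
MAX_FRAGMENT = 2 ** 14
MAX_RECORD_LENGTH = 2 ** 14 + 2048
SSLV3_VERSION = (3, 0)
# Content Type values from the SSLv3 specification (the report names only the field).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Header layout from the report: type (8 bits), major (8), minor (8), length (16), big-endian.
HEADER = struct.Struct(">BBBH")


def fragment_message(message):
    """First Record Protocol step: split an upper-layer message into blocks of at most 2^14 bytes."""
    if not message:
        return [b""]
    return [message[i:i + MAX_FRAGMENT] for i in range(0, len(message), MAX_FRAGMENT)]


def build_record(content_type, fragment, version=SSLV3_VERSION):
    """Last step: prepend the 5-byte header to one fragment (no compression, MAC or encryption here)."""
    if content_type not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % content_type)
    if len(fragment) > MAX_RECORD_LENGTH:
        raise ValueError("fragment exceeds 2^14 + 2048 bytes")
    return HEADER.pack(content_type, version[0], version[1], len(fragment)) + fragment


def parse_record(data):
    """Receiver side: validate one header and return (type name, version, fragment, remaining bytes).

    Every field is checked before the declared length is trusted, so a malformed header can
    neither make the parser read past the buffer nor deliver an oversized fragment upward.
    """
    if len(data) < HEADER.size:
        raise ValueError("truncated record header")
    ctype, major, minor, length = HEADER.unpack_from(data)
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if (major, minor) != SSLV3_VERSION:
        raise ValueError("unsupported version %d.%d" % (major, minor))
    if length > MAX_RECORD_LENGTH:
        raise ValueError("declared length %d exceeds 2^14 + 2048" % length)
    body = data[HEADER.size:HEADER.size + length]
    if len(body) < length:
        raise ValueError("record truncated: header declares %d bytes, %d present" % (length, len(body)))
    return CONTENT_TYPES[ctype], (major, minor), body, data[HEADER.size + length:]


def parse_stream(data):
    """Split a byte stream of consecutive records into [(type name, fragment), ...]."""
    records = []
    while data:
        ctype, _version, body, data = parse_record(data)
        records.append((ctype, body))
    return records


def demo():
    """Constructed input: a 19,972-byte message needs two records; a malformed header is rejected."""
    message = bytes(range(256)) * 78 + b"tail"      # 19,972 bytes: more than one fragment
    fragments = fragment_message(message)
    stream = b"".join(build_record(APPLICATION := 23, f) for f in fragments)
    parsed = parse_stream(stream)
    reassembled = b"".join(body for _, body in parsed)
    # constructed malformed header: claims 65,535 bytes while only 10 bytes follow
    bogus = HEADER.pack(23, 3, 0, 0xFFFF) + b"\x00" * 10
    try:
        parse_record(bogus)
        rejected = False
    except ValueError:
        rejected = True
    return len(fragments), len(parsed), reassembled == message, rejected


if __name__ == "__main__":
    print(demo())  # (2, 2, True, True)
```

Note that the length check comes before the slice: a parser that slices first and validates afterwards would still be safe in Python, but in C the same ordering mistake is how an out-of-bounds read happens, so the habit is worth keeping in either language.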

SSL HANDSHAKE PROTOCOL

Protocol | Description
Change Cipher Spec Protocol | It uses the SSL Record Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
Alert Protocol | It is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state.
Handshake Protocol | This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted.
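The pending-state/current-state mechanism described for the Change Cipher Spec Protocol (and in the quoted passage on session states earlier), modelled in Python as an added example that is not code from the report. It tracks the four states of one endpoint (current and pending, each for read and write) and shows the detail that the prose leaves implicit: the switch happens per direction, so after the client sends its one-byte ChangeCipherSpec its write state is protected while the server's read state is not, until the server processes that message. The key names, the cipher-suite label and the reset of the sequence number on activation are assumptions of this model; the key bytes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ConnectionState:
    """One read or write state: the cipher spec in force, its keys and its sequence number."""
    cipher_suite: str                    # "NULL" = no encryption and no MAC (before any handshake)
    mac_secret: Optional[bytes] = None
    write_key: Optional[bytes] = None
    seq_num: int = 0

    def protected(self) -> bool:
        return self.cipher_suite != "NULL"


class SSLPeer:
    """Current and pending read/write states of one endpoint (client or server)."""

    def __init__(self, name: str):
        self.name = name
        # Before any handshake, both directions run with the null cipher spec.
        self.current: Dict[str, ConnectionState] = {
            "read": ConnectionState("NULL"), "write": ConnectionState("NULL")}
        self.pending: Dict[str, Optional[ConnectionState]] = {"read": None, "write": None}

    def handshake_negotiated(self, cipher_suite: str, keys: Dict[str, bytes]) -> None:
        """Handshake Protocol outcome: pending states are created; current states are untouched."""
        self.pending["write"] = ConnectionState(cipher_suite, keys["write_mac"], keys["write_key"])
        self.pending["read"] = ConnectionState(cipher_suite, keys["read_mac"], keys["read_key"])

    def send_change_cipher_spec(self) -> bytes:
        """Sending the one-byte message switches this peer's write state to the pending one."""
        self._make_pending_current("write")
        return b"\x01"

    def receive_change_cipher_spec(self, message: bytes) -> None:
        """Receiving it switches the read state; any other content is a protocol error."""
        if message != b"\x01":
            raise ValueError("ChangeCipherSpec must be a single byte with the value 1")
        self._make_pending_current("read")

    def _make_pending_current(self, direction: str) -> None:
        if self.pending[direction] is None:
            raise RuntimeError("%s: ChangeCipherSpec with no pending %s state" % (self.name, direction))
        self.current[direction] = self.pending[direction]
        self.current[direction].seq_num = 0      # assumption: sequence numbers restart with the new state
        self.pending[direction] = None


def demo():
    """Walk a client and a server through the switch; returns (client write protected,
    server read protected) after each step."""
    client, server = SSLPeer("client"), SSLPeer("server")
    # Constructed key material; in SSL it is derived from the master secret and the randoms.
    # The client's write keys are the server's read keys, and vice versa.
    client_keys = {"write_mac": b"c-mac", "write_key": b"c-key", "read_mac": b"s-mac", "read_key": b"s-key"}
    server_keys = {"write_mac": b"s-mac", "write_key": b"s-key", "read_mac": b"c-mac", "read_key": b"c-key"}
    suite = "SSL_RSA_WITH_3DES_EDE_CBC_SHA"      # label only; no cipher is run in this model
    client.handshake_negotiated(suite, client_keys)
    server.handshake_negotiated(suite, server_keys)

    steps = [(client.current["write"].protected(), server.current["read"].protected())]
    ccs = client.send_change_cipher_spec()            # client now protects what it sends
    steps.append((client.current["write"].protected(), server.current["read"].protected()))
    server.receive_change_cipher_spec(ccs)            # server now expects protected input
    steps.append((client.current["write"].protected(), server.current["read"].protected()))
    return steps


if __name__ == "__main__":
    print(demo())  # [(False, False), (True, False), (True, True)]
```

The two error paths matter as much as the happy path: a ChangeCipherSpec arriving before the handshake has produced a pending state, or carrying anything other than the single byte 1, is refused rather than silently activating a null state.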


SECURE ELECTRONIC TRANSACTION

Definition: Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. It is not a payment system; rather, it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion.

SET services: There are three services provided by SET, namely:
- Provides a secure communications channel among all parties involved in a transaction.
- Provides trust by the use of X.509v3 digital certificates.
- Ensures privacy because the information is only available to parties in a transaction when and where necessary.

SET Features: There are four key features of SET, as follows:
- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication

SET Participants: There are six participants in the SET system, namely:
- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority

NOTE: Unlike IPsec and SSL/TLS, SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements, whereas IPsec and SSL/TLS are intended to support a range of applications.


CURRENT ISSUES ON WEB ATTACK

No. | Target / Description | Attack
1. | SECTORLEAKS404 hacks a Web server belonging to ACNUR (United Nations Refugee Agency) and leaks credentials of President Barack Obama. | SQLi
2. | Yet another security firm victim of defacement. This time the target is Kaspersky, whose Costa Rica web site (www.kaspersky.co.cr) is defaced. | Defacement
3. | Two liberal Russian media outlets and an election watchdog became victims of huge cyber-attacks during the Russian elections. Sites belonging to the Ekho Moskvy radio station, online news portal slon.ru and election watchdog Golos all went down on December 4th, at around 5am Central European Time. | DDoS


4. | Websites belonging to Gemnet, a Netherlands-based issuer of digital certificates, became unavailable following reports that hackers penetrated their security and accessed internal databases. The access happened thanks to a phpMyAdmin page without a password. | Unprotected Server Page
5. | Russian hackers flood Twitter with automated hashtags to hamper communication between opposition activists. The pro-government messages with the hashtag #Триумфальная (Triumfalnaya) were generated by a Twitter botnet composed of thousands of Twitter accounts that had little activity before. | Twitter Botnet
6. | As part of #OpSony, the Sony Pictures website is hacked by @s3rver_exe, Anonnerd and N3m3515, once again in the name of the Anonymous movement and against Sony showing its support for SOPA. In the same operation a fake Facebook account is created, simulating a real hacked account. | Account Hacking


7. | In the name of the #Antisec movement, an unknown hacker exposes the IP addresses and other details of 49 SCADA systems, inviting readers to connect and take screenshots of the internals. | Unauthorized Access
8. | The website of the Brazilian political party PMDB do Maranhão (pmdbma.com.br) is hacked by an "Alone Hacker" who makes all the secondary pages of the website inaccessible. | N/A
9. | The IBM Research domain (researcher.ibm.com) is hacked and defaced by a hacker collective dubbed Kosova Hacker Security. | SQLi
10. | Anonymous temporarily forces the main website of Interpol (Interpol.in) offline, after the international police group announced it had arrested 25 suspected supporters. The site www.interpol.int was unreachable for 20-30 minutes. | DDoS


SEVEN-STEP CYBER SECURITY STRATEGY

Recently, IT Governance (UK) released a white paper on cyber security. Once they distributed it, I went through it and found that there are some very good ideas that I have to share with all of you.

With the Internet becoming a ubiquitous communication and application platform, the greatest risk to our organizations is not cyber war, but cybercrime.

Therefore, the seven key actions that should form part of an effective cyber security strategy, as highlighted by IT Governance, which I would kindly like each of us to go through, are as follows:

1. Secure the cyber perimeter: test all your Internet-facing applications and network connections to ensure that all known vulnerabilities are identified and patched. This should include testing all wireless networks. Make sure that the OWASP and SANS top 10 vulnerabilities and security weaknesses are patched. Once this exercise (penetration testing, remediation and confirmatory re-testing) has been completed, schedule regular network tests. Depending on risk, these should take place either quarterly or, at least, every six months.

2. Secure mobile devices beyond the perimeter: encrypt and secure access to all portable and mobile devices (laptops, mobile phones, BlackBerrys, USB sticks, etc.) to ensure that the increasingly elastic network perimeter remains secure and that data taken beyond the perimeter remains secure.

3. Secure the inward and outward communication channels: e-mail, instant messaging and live chat. Make sure there are appropriate arrangements for data archiving and an appropriate balance between protecting confidentiality, integrity and availability.

4. Secure the internal network: identify risks and control against intrusions from rogue wireless access points, from unauthorized USB sticks and from mobile data storage devices, including mobile phones, iPods and so on.


5. Train staff: attackers understand that employees are the weakest link in the security chain and take advantage of natural human weakness through a style of attack known as "social engineering". Staff must, therefore, be trained to recognize and respond appropriately to social engineering attacks ranging from tailgating through to phishing, spear phishing and pharming. Also ensure that you have a well-thought-through social media strategy that minimizes information loss through social media websites such as Facebook, LinkedIn and Twitter.

6. Develop and test a security incident response plan (SIRP): sooner or later, your defenses will be breached and you therefore need an effective, robust plan for responding to the breach. Your response plan should include developing a digital forensics capability so that you have the in-house competence to secure the scene of a digital crime long before outside experts arrive.

7. Adopt ISO27001 and ISO27031 as standards for developing and implementing comprehensive cyber security and business resilience management systems.

CONCLUSION

We have seen ways of implementing web security and the key notes on secure electronic transactions. Web security and online transactions have been a challenge these days, since many cases related to threats to web security and online transactions have been reported.

Sample cases reported in recent research are explained above. Each individual is encouraged to keep in mind that security is not the duty of a certain group of people; each member should play an important role in ensuring that security is kept in order.

It is important to follow the security strategy mentioned in this report, along with the other secure implementations discussed in other parts, to ensure that both web security and online transactions are kept in order.


REFERENCES

1. Pfleeger, C.P., S. L. Pfleeger, Security in Computing, Prentice Hall, 3rd edition, 2002.
2. Anderson, R., Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2001.
3. Bishop, M., Computer Security: Art and Science, Addison Wesley, 2002.
4. Stallings, W., Cryptography and Network Security, 4th edition.
5. Stajano, F., Security for Ubiquitous Computing, Wiley, 2002.
6. Pieprzyk, J., T. Hardjono, J. Seberry, Fundamentals of Computer Security, Springer-Verlag, 2002.
7. Computer Network Security: 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, MMM-ACNS ... (Networks and Telecommunications), 1st edition, 2010.