Web Security
2013
ABSTRACT
In this report Web security is discussed in detail. Some current issues related to web attacks across the world are discussed, and a few key points to take note of on cyber security are provided as a platform for an individual to learn more about the issues related to Web threats, which are growing fast nowadays.
YUSUPH KILEO
05/03/2013
WEB SECURITY
YUSUPH KILEO WEB SECURITY
© 2014 Page 1
Table of Contents
INTRODUCTION ... 2
WEB SECURITY THREAT ... 3
INTEGRITY ... 3
CONFIDENTIALITY ... 4
DENIAL OF SERVICE (DoS) ... 4
AUTHENTICATION ... 5
WEB SECURITY APPROACHES ... 6
SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY ... 7
SECURE ELECTRONIC TRANSACTION ... 13
CURRENT ISSUES ON WEB ATTACK ... 14
SEVEN-STEP CYBER SECURITY STRATEGY ... 17
CONCLUSION ... 18
REFERENCES ... 19
INTRODUCTION
Definition: the World Wide Web (WWW) can be defined as a client/server application running over the Internet and TCP/IP intranets. In order for an individual to access something that is available on the Web, he/she must go through either the Internet or an intranet.
The benefits of the web in the current world may be obvious to Facebook users: the exchange of ideas, access to healthcare and education, the buying and selling of products and services, and keeping in touch with friends and family. However, there is a dark side to this global resource which stems from the misuse of information and communication technologies (ICTs), including cyberthreats and cybercrime.
There are many cases in which websites have been reported falling victim to cyber-attacks from various groups of people or individuals across countries every now and then. This is the dark side of the misuse of ICT to cause harm on the web, which includes stealing money through online transactions, stealing confidential information and many other bad acts.
Based on this, it is highly advised to have a look at web security issues so that an individual will know how to secure the web from various attacks. We should keep in mind that attacks cannot be completely avoided, but an individual can create mechanisms to prevent them or harden the web so that it cannot be attacked easily.
WEB SECURITY THREAT
There are four main types of security threats that an individual can face while using the Web, namely integrity, confidentiality, authentication and denial of service (DoS). These threats can also be grouped into two classes: active attacks and passive attacks.
Definitions: eavesdropping on network traffic between browser and server, and gaining access to information on a Web site that is supposed to be restricted, are known as passive attacks. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site.
INTEGRITY
Definition: data/information transmitted through the Internet, or computer assets, can only be modified (deleted, changed or created) by authorized users.
Threats:
- Modification of user data
- Trojan horse browser
- Modification of memory
- Modification of message traffic in transit
Consequences:
- Loss of information
- Compromise of machine
- Vulnerability to all other threats
To protect the web from the above threats and the consequences they lead to, a cryptographic checksum can be applied by the user as a countermeasure.
CONFIDENTIALITY
Definition: data in a computer system, and information transmitted through the web, can be accessed only by authorized users. This type of access includes reading, printing and others.
Threats:
- Eavesdropping on the network
- Theft of information from the server
- Theft of data from the client
- Information about network configuration
- Information about which client talks to which server
Consequences:
- Loss of information
- Loss of privacy
To protect the web from the above threats and the consequences they lead to, encryption and web proxies can be applied by the user as countermeasures.
DENIAL OF SERVICE (DoS)
Definition: a threat intending to make computer resources or web information on the Internet unavailable to its intended users. Flooding the network or disrupting connections are the most commonly used techniques to cause denial of service (DoS). When an attacker intends to cause denial of service, it is difficult to prevent.
Threats:
- Killing of user threads
- Flooding the machine with bogus requests
- Filling up disk or memory
- Isolating the machine by DNS attacks
Consequences:
- Disruptive
- Annoying
- Prevents users from getting work done
AUTHENTICATION
Definition: the origin of an electronic document, message or piece of information transmitted over the web is correctly identified, with an assurance that the identity is not false.
Threats:
- Impersonation of legitimate users
- Data forgery
Consequences:
- Misrepresentation of a user
- Belief that false information is valid
To protect the web from the above threats and the consequences they lead to, cryptographic techniques can be applied by the user as a countermeasure.
WEB SECURITY APPROACHES
There are a number of ways that an individual can utilize to provide security to the web. Each approach has its advantages, depending on how an individual utilizes it. It should be kept in mind that these approaches differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack, as follows:
i. Use IP security.
The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution.
Protocol stack: HTTP, FTP, SMTP | TCP | IP/IPsec
Further, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.
ii. Implement security just above TCP.
The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS).
Protocol stack: HTTP, FTP, SMTP | SSL or TLS | TCP | IP
Protocol stack definition: a protocol stack refers to a group of protocols, running concurrently, that are employed to implement a network protocol suite.
At this level, there are two implementation choices. For full generality, SSL
(or TLS) could be provided as part of the underlying protocol suite and
therefore be transparent to applications. Alternatively, SSL can be embedded
in specific packages. For example, Netscape and Microsoft Explorer browsers
come equipped with SSL, and most Web servers have implemented the
protocol.
iii. Specific security services are embedded within the particular application.
The advantage of this approach is that the service can be tailored to the
specific needs of a given application. In the context of Web security, an
important example of this approach is Secure Electronic Transaction (SET).
Protocol stack: S/MIME, PGP, SET | Kerberos, SMTP, HTTP | UDP, TCP | IP
SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY
When discussing web security approaches in the earlier section (part ii), SSL and TLS were introduced as security that can be implemented just above TCP. This is one of the approaches that can be used to secure websites. Here SSL and TLS are discussed in terms of their architecture, their protocols and the differences between them.
SSL Architecture: SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols.
Figure: SSL protocol stack. The SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and HTTP sit above the SSL Record Protocol, which runs over TCP and IP.
The SSL Record Protocol provides basic security services to various higher-layer protocols. In
particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web
client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as
part of SSL: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol.
These SSL-specific protocols are used in the management of SSL exchanges and are examined
later in this section.
Two important SSL concepts are:
a. SSL Connection.
- A transport that provides a suitable type of service.
- For SSL, such connections are peer-to-peer relationships.
- The connections are transient.
- Every connection is associated with one session.
b. SSL Session.
- An association between a client and a server.
- It is created by the Handshake Protocol.
- Defines a set of cryptographic security parameters which can be shared among multiple connections.
- Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
- A session state is defined by:
i. Session identifier
ii. Peer certificate
iii. Compression method
iv. Cipher spec
v. Master secret
vi. Is resumable
vii. Server and client random
viii. Client write MAC secret and server write MAC secret
ix. Server write key and client write key
x. Initialization vectors
xi. Sequence numbers
SSL Record Protocol: the overall operation of the SSL Record Protocol is as follows. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-level users.
“There are actually a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and write states are created. Upon successful conclusion of the Handshake Protocol, the pending states become the current states.”
The SSL Record Protocol provides two services for SSL connections:
Confidentiality: the Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
Message Integrity: the Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
After the first two processing steps (fragmentation and optional compression), the message authentication code over the compressed data is computed. For this purpose, the shared secret key is used. (See the calculation definition below.)
hash(MAC_write_secret || pad_2 ||
hash(MAC_write_secret || pad_1 || seq_num ||
SSLCompressed.type ||
SSLCompressed.length || SSLCompressed.fragment))
“The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default compression algorithm is null.”
(See the elaboration below.)
Term: Definition
||: concatenation
MAC_write_secret: shared secret key
hash: cryptographic hash algorithm; either MD5 or SHA-1
pad_1: the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1
pad_2: the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1
seq_num: the sequence number for this message
SSLCompressed.type: the higher-level protocol used to process this fragment
SSLCompressed.length: the length of the compressed fragment
SSLCompressed.fragment: the compressed fragment (if compression is not used, the plaintext fragment)
Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048.
The final step of SSL Record Protocol processing is to prepend a header, consisting of the following fields:
Content Type (8 bits): the higher-layer protocol used to process the enclosed fragment.
Major Version (8 bits): indicates the major version of SSL in use. For SSLv3, the value is 3.
Minor Version (8 bits): indicates the minor version in use. For SSLv3, the value is 0.
Compressed Length (16 bits): the length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.
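As an added worked example (not code from this report), the following Python models the MAC calculation defined above together with the record header fields, and shows the receiver rejecting a modified fragment or a wrong sequence number. It assumes the SSLv3 wire sizes for the MAC inputs (64-bit seq_num, 1-byte type, 2-byte length), which the report does not state, and leaves out the encryption step so the MAC and header can be inspected directly.

```python
import hashlib
import hmac
import struct

# Pad lengths from the SSLv3 MAC definition: 48 bytes for MD5, 40 bytes for SHA-1
PAD_LEN = {"md5": 48, "sha1": 40}
MAX_FRAGMENT = 2 ** 14            # fragmentation limit: 16384 bytes
MAX_COMPRESSED = 2 ** 14 + 1024   # compression may add at most 1024 bytes
APPLICATION_DATA = 23             # SSLv3 content type value for application data


def sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment)).

    Assumed field encodings: seq_num as 64-bit, type as 1 byte, length as 2 bytes, big-endian.
    """
    n = PAD_LEN[hash_name]
    pad_1 = b"\x36" * n
    pad_2 = b"\x5c" * n
    inner = hashlib.new(hash_name)
    inner.update(mac_write_secret + pad_1)
    inner.update(struct.pack(">Q", seq_num))
    inner.update(bytes([content_type]))
    inner.update(struct.pack(">H", len(fragment)))
    inner.update(fragment)
    outer = hashlib.new(hash_name)
    outer.update(mac_write_secret + pad_2 + inner.digest())
    return outer.digest()


def fragment_message(data, max_len=MAX_FRAGMENT):
    """Step 1 of the Record Protocol: split a message into blocks of at most 2^14 bytes."""
    return [data[i:i + max_len] for i in range(0, len(data), max_len)] or [b""]


def build_record(hash_name, mac_write_secret, seq_num, content_type, fragment):
    """Sender side: fragment || MAC with the 5-byte header prepended (encryption omitted)."""
    if len(fragment) > MAX_COMPRESSED:
        raise ValueError("fragment exceeds 2^14 + 1024 bytes")
    mac = sslv3_mac(hash_name, mac_write_secret, seq_num, content_type, fragment)
    body = fragment + mac
    # Header: Content Type (8) | Major Version (8) | Minor Version (8) | Length (16); SSLv3 is 3.0
    return struct.pack(">BBBH", content_type, 3, 0, len(body)) + body


def verify_record(hash_name, mac_write_secret, expected_seq, record):
    """Receiver side: parse the header and recompute the MAC with the expected sequence number.

    Returns the fragment, or None when the MAC does not match (tampered data or a replayed record).
    """
    if len(record) < 5:
        return None
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    mac_len = hashlib.new(hash_name).digest_size
    if (major, minor) != (3, 0) or len(record) != 5 + length or length < mac_len:
        return None
    fragment = record[5:5 + length - mac_len]
    received_mac = record[5 + length - mac_len:]
    expected = sslv3_mac(hash_name, mac_write_secret, expected_seq, content_type, fragment)
    # Constant-time comparison so the check itself does not leak MAC bytes through timing
    if not hmac.compare_digest(received_mac, expected):
        return None
    return fragment


if __name__ == "__main__":
    secret = b"constructed-mac-write-secret"   # constructed sample key, not a real session secret
    rec = build_record("sha1", secret, 0, APPLICATION_DATA, b"GET / HTTP/1.0\r\n")
    print("header:", rec[:5].hex(), "verified:", verify_record("sha1", secret, 0, rec))
```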
SSL HANDSHAKE PROTOCOL
Change Cipher Spec Protocol: it uses the SSL Record Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
Alert Protocol: it is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state.
Handshake Protocol: this protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted.
SECURE ELECTRONIC TRANSACTION
Definition: Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. It is not a payment system; rather, it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion.
SET services: there are three services provided by SET, namely:
- Provides a secure communications channel among all parties involved in a transaction.
- Provides trust by the use of X.509v3 digital certificates.
- Ensures privacy because the information is only available to parties in a transaction when and where necessary.
SET features: there are four key features of SET, as follows:
- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication
SET participants: there are six participants in the SET system, namely:
- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority
NOTE: unlike IPsec and SSL/TLS, SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements, whereas IPsec and SSL/TLS are intended to support a range of applications.
CURRENT ISSUES ON WEB ATTACK
Each entry gives the target and a description of the incident, followed by the type of attack.
1. SECTORLEAKS404 hacks a Web server belonging to ACNUR (United Nations Refugee Agency) and leaks credentials of President Barack Obama. Attack: SQLi.
2. Yet another security firm falls victim to defacement. This time the target is Kaspersky, whose Costa Rica Web site (www.kaspersky.co.cr) is defaced. Attack: Defacement.
3. Two liberal Russian media outlets and an election watchdog fell victim to huge cyber-attacks during the Russian elections. Sites belonging to the Ekho Moskvy radio station, the online news portal slon.ru and the election watchdog Golos all went down on December the 4th, at around 5am Central European Time. Attack: DDoS.
4. Websites belonging to Gemnet, a Netherlands-based issuer of digital certificates, become unavailable following reports that hackers penetrated their security and accessed internal databases. The access happened thanks to a phpMyAdmin page without a password. Attack: Unprotected server page.
5. Russian hackers flood Twitter with automated hashtags to hamper communication between opposition activists. The pro-government messages with the hashtag #Триумфальная (Triumfalnaya) were generated by a Twitter botnet composed of thousands of Twitter accounts that had little activity before. Attack: Botnet.
6. As part of #OpSony, the Sony Pictures website is hacked by @s3rver_exe, Anonnerd and N3m3515, once again in the name of the Anonymous movement and against Sony showing its support for SOPA. In the same operation a fake Facebook account is created simulating a real account that was hacked. Attack: Account hacking.
7. In the name of the #Antisec movement, an unknown hacker exposes the IP addresses and other details of 49 SCADA systems, inviting readers to connect and take screenshots of the internals. Attack: Unauthorized access.
8. The website of the Brazilian political party PMDB do Maranhão (pmdbma.com.br) is hacked by an “Alone Hacker” who makes all the secondary pages of the web site inaccessible. Attack: N/A.
9. The IBM Research domain (researcher.ibm.com) is hacked and defaced by a hacker collective dubbed Kosova Hacker Security. Attack: SQLi.
10. Anonymous temporarily force the main website of Interpol (Interpol.in) offline, after the international police group announced it had arrested 25 suspected supporters. The site www.interpol.int was unreachable for 20-30 minutes. Attack: DDoS.
SEVEN-STEP CYBER SECURITY STRATEGY
Recently, the UK IT Governance released a white paper on cyber security. Once they distributed it, I went through it and found that there are some very good ideas that I have to share with all of you.
With the Internet becoming a ubiquitous communication and application platform, the greatest risk to our organizations is not cyber war, but cybercrime.
Therefore, the seven key actions that should form part of an effective cyber security strategy highlighted by IT Governance, which I would kindly like each of us to go through, are as follows:
1. Secure the cyber perimeter: test all your Internet-facing applications and network connections to ensure that all known vulnerabilities are identified and patched. This should include testing all wireless networks. Make sure that the OWASP and SANS top 10 vulnerabilities and security weaknesses are patched. Once this exercise (penetration testing, remediation and confirmatory re-testing) has been completed, schedule regular network tests. Depending on risk, these should take place either quarterly or, at least, every six months.
2. Secure mobile devices beyond the perimeter: encrypt and secure access to all portable and mobile devices (laptops, mobile phones, BlackBerrys, USB sticks, etc.) to ensure that the increasingly elastic network perimeter remains secure and that data taken beyond the perimeter remains secure.
3. Secure the inward and outward communication channels beyond the perimeter: e-mail, instant messaging and live chat. Make sure there are appropriate arrangements for data archiving and an appropriate balance between protecting confidentiality, integrity and availability.
4. Secure the internal network: identify risks and control against intrusions from rogue wireless access points, from unauthorized USB sticks and from mobile data storage devices, including mobile phones, iPods and so on.
5. Train staff: attackers understand that employees are the weakest link in the security chain and take advantage of natural human weakness through a style of attack known as “social engineering”. Staff must therefore be trained to recognize and respond appropriately to social engineering attacks ranging from tailgating through to phishing, spear phishing and pharming. Also ensure that you have a well-thought-through social media strategy that minimizes information loss through social media websites such as Facebook, LinkedIn and Twitter.
6. Develop and test a security incident response plan (SIRP): sooner or later your defenses will be breached, and you therefore need an effective, robust plan for responding to the breach. Your response plan should include developing a digital forensics capability so that you have the in-house competence to secure areas of digital crime long before outside experts arrive on the scene.
7. Adopt ISO27001 and ISO27031 as standards for developing and implementing comprehensive cyber security and business resilience management systems.
CONCLUSION
We have seen ways of implementing web security and the key notes on secure electronic transaction. Web security and online transactions have become a challenge these days, since many cases have been reported of threats to web security and online transactions.
Samples of reported cases from recent research are explained above. Each individual is encouraged to keep in mind that security is not the duty of a certain group of people; every member should play an important role in ensuring that security is kept in order.
It is important to follow the security strategy mentioned in this report, along with the other secure implementations discussed in the other parts, to ensure that both web security and online transactions are kept in order.