M-7 One Page

profileJackie Channn
conklin_principlesofcomputersecurity_5e_Chap017_PPT.pptx

Web Components

Chapter 17

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Objectives (1 of 2)

Describe the functioning of the SSL/TLS protocol suite.

Explain web applications, plug-ins, and associated security issues.

Describe secure file transfer options.

Explain directory usage for data retrieval.

Explain scripting and other Internet functions that present security concerns.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

2

Objectives (2 of 2)

Use cookies to maintain parameters between web pages.

Examine web-based application security issues.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

3

Key Terms (1 of 2)

Active Server Pages (ASP)

ActiveX

ASP.NET

Authenticode

Buffer overflow

Code signing

Common Gateway Interface (CGI)

Cookie

File Transfer Protocol (FTP)

Hypertext Markup Language (HTML)

Inlining

Internet Engineering Task Force (IETF)

Java

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Active Server Pages (ASP) – Microsoft’s server-side script technology for dynamically generated web pages.

ActiveX – A Microsoft technology that facilitates rich Internet applications, and therefore extends and enhances the functionality of Microsoft Internet Explorer. Like Java, ActiveX enables the development of interactive content. When an ActiveX-aware browser encounters a web page that includes an unsupported feature, it can automatically install the appropriate application so the feature can be used.

ASP.NET – A technology that operates in much the same fashion as CGI: it allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page.

Authenticode – Microsoft code-signing technology used to provide integrity and attribution on software.

Buffer overflow – A specific type of software coding error that enables user input to overflow the allocated storage area and corrupt a running program.

Code signing – The application of digital signature technology to software for purposes of integrity and authentication control.

Common Gateway Interface (CGI) – An older, outdated technology used for server-side execution of programs on web sites.

Cookie – Information stored on a user’s computer by a web server to maintain the state of the connection to the web server. Used primarily so preferences or previously used information can be recalled on future requests to the server.

File Transfer Protocol (FTP) – An application-level protocol used to transfer files over a network connection.

Hypertext Markup Language (HTML) – A protocol used to mark up text for use across HTTP.

Inlining – Using an embedded control from another site with or without the other site’s permission.

Internet Engineering Task Force (IETF) – A large international community of network designers, operators, vendors, and researchers, open to any interested individual concerned with the evolution of the Internet architecture and the smooth operation of the Internet. The actual technical work of the IETF is done in its working groups, which are organized by topic into several areas (such as routing, transport, and security). Much of the work is handled via mailing lists, with meetings held three times per year.

Java – A computer language invented by Sun Microsystems as an alternative to Microsoft’s development languages. Designed to be platform-independent and based on C, Java offered a low learning curve and a way of implementing programs across an enterprise, independent of platform.

4

Key Terms (2 of 2)

JavaScript

Lightweight Directory Access Protocol (LDAP)

PHP

Plug-in

Secure Sockets Layer (SSL)

Server-side scripting

SSL stripping attack

Transport Layer Security (TLS)

Uniform Resource Locator (URL)

X.500

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

JavaScript – A scripting language developed by Netscape and designed to be operated within a browser instance. JavaScript works through the browser environment. The primary purpose of JavaScript is to enable features such as validation of forms before they are submitted to the server.

Lightweight Directory Access Protocol (LDAP) – This is an application protocol for querying and modifying directory services running over TCP/IP.

PHP – This is a general-purpose scripting language, originally designed for web development to produce dynamic web pages.

Plug-in – These are small application programs that increase a browser’s ability to handle new data types and add new functionality.

Secure Sockets Layer (SSL) – An encrypting layer between the session and transport layers of the OSI model designed to encrypt above the transport layer, enabling secure sessions between hosts.

Server-side scripting – The processing of scripts on the server side of an Internet connection to prevent client tampering with the process.

SSL stripping attack – A specific type of man-in-the-middle attack against SSL.

Transport Layer Security (TLS) – A newer form of SSL that is now an Internet standard.

Uniform Resource Locator (URL) – A specific character string used to point to a specific item across the Internet.

X.500 – The standard format for directory services including LDAP.

5

Introduction

Before the Web, plenty of methods were used to perform user tasks.

File Transfer Protocol (FTP) was used to move files, and Telnet allowed users access to other machines.

What was missing was the common architecture brought by Berners-Lee:

A common addressing scheme, built around the concept of a Uniform Resource Locator (URL)

The concept of linking documents to other documents by URLs through the Hypertext Markup Language (HTML)

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

6

Current Web Components and Concerns

Security concerns can be grouped into three main tasks:

Securing a server that delivers content to users over the Web

Securing the transport of information between users and servers over the Web

Securing the user’s computer from attack over a web connection

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

The usefulness of the Web is due not just to browsers, but also to web components that enable services for end users through their browser interfaces. These components use a wide range of protocols and services to deliver the desired content. From a security perspective, they offer users an easy-to-use, secure method of conducting data transfers over the Internet. Many protocols have been developed to deliver this content, although for most users, the browser handles the details.

From a systems point of view, many security concerns have arisen, but they can be grouped into three main tasks:

Securing a server that delivers content to users over the Web

Securing the transport of information between users and servers over the Web

Securing the user’s computer from attack over a web connection

This chapter presents the components used on the Web to request and deliver information securely over the Internet.

7

Web Protocols

Requirements for computer communications are handled through protocols.

Agreed-upon sets of rules that allow different vendors to produce hardware and software that can interoperate with hardware and software developed by other vendors

Very important and form the basis by which all the separate parts can work together

Specific instantiation of protocols done through hardware and software components

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

When two people communicate, several things must happen for the communication to be effective: they must use a language that both parties understand, and they must correctly use the language—that is, structure and syntax—to express their thoughts. The mode of communication is a separate entity entirely, for the previous statements are important in both spoken and written forms of communication.

8

Encryption (SSL and TLS) (1 of 3)

Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.

The Internet Engineering Task Force (IETF) embraced SSL in 1996 through a series of RFCs and named the group of RFCs Transport Layer Security (TLS).

SSL and TLS are essentially the same, although not interchangeable.

SSL is dead and TLS is the path forward, although everyone calls it SSL.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

SSL began as a competitive feature to drive sales of Netscape’s web server product, which could then send information securely to end users. This early vision of securing the transmission channel between the web server and the browser became an Internet standard. Today, SSL is almost ubiquitous with respect to e-commerce—all browsers support it as do web servers, and virtually all e-commerce web sites use this method to protect sensitive financial information in transit between web servers and browsers.

Starting with SSL 3.0, in 1999, the IETF issued RFC 2246, “TLS Protocol Version 1.0,” followed by RFC 2712, which added Kerberos authentication, and then RFCs 2817 and 2818, which extended TLS to HTTP version 1.1 (HTTP/1.1). Although SSL has been through several versions, TLS begins with an equivalency to SSL 3.0, so today SSL and TLS are essentially the same, although not interchangeable. Recent attacks have left SSL vulnerable, and the consensus is that SSL is dead and TLS is the path forward, although everyone calls it SSL.

9

Encryption (SSL and TLS) (2 of 3)

Goal of TCP is to send an unauthenticated, error-free stream of information between two computers.

SSL/TLS adds message integrity and authentication functionality to TCP through the use of cryptographic methods.

Cryptographic methods are an ever-evolving field.

Because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

SSL/TLS is a series of functions that exists in the OSI (Open System Interconnection) model between the application layer and the transport and network layers.

When two programs initiate an SSL/TLS connection, one of their first tasks is to compare available protocols and agree on an appropriate common cryptographic protocol for use in this particular communication. As SSL/TLS can use separate algorithms and methods for encryption, authentication, and data integrity, each of these is negotiated and determined depending upon need at the beginning of a communication.

10

Encryption (SSL and TLS) (3 of 3)

Figure 17.1 IE 11 security options

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Browsers from Mozilla (Firefox) and Microsoft (Internet Explorer 11) allow fairly extensive SSL/TLS setup options as shown in Figure 17.1

11

How SSL/TLS Works (1 of 11)

An overview explains how SSL/TLS works.

The process begins with a client request for a secure connection and a server’s response.

For the client and server to communicate, both sides must agree on a commonly held protocol.

SSL v1, v2, v3, or TLS v1, v1.1, v1.2

Commonly available cryptographic algorithms include Diffie-Hellman and RSA.

The next step is to exchange certificates and keys as necessary to enable authentication.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

TLS, Not SSL

Just know that TLS should be used in place of SSL for all instances. To use these protocols effectively between a client and a server, an agreement must be reached on which protocol to use, which is done via the TLS handshake process. The process begins with a client request for a secure connection and a server’s response. Although similar, SSL is no longer secure and TLS remains the only option.

How SSL/TLS Works

To use these protocols effectively between a client and a server, an agreement must be reached on which protocol to use, which is done via the TLS handshake process.

The process begins with a client request for a secure connection and a server’s response.

For the client and server to communicate, both sides must agree on a commonly held protocol (SSL v1, v2, v3, or TLS v1).

Commonly available cryptographic algorithms include Diffie-Hellman and RSA.

The next step is to exchange certificates and keys as necessary to enable authentication.

The channel is protected by encryption against eavesdropping.

Each packet is encrypted using the symmetric key before transfer across the network, and then decrypted by the receiver.

12

How SSL/TLS Works (2 of 11)

Once authentication is established, the channel is secured with symmetric key cryptographic methods and hashes.

Typically RC4 or 3DES for symmetric key and MD5 or SHA-1 for the hash functions.

The authenticity of the server and possibly the client has been established, and the channel is protected by encryption against eavesdropping.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

All of this work requires CPU time; hence, SSL/TLS connections require significantly more overhead than unprotected connections. Establishing connections is particularly time consuming, so even stateless web connections are held in a stateful fashion when secured via SSL/TLS, to avoid repeating the handshake process for each request. This makes some web server functionality more difficult, such as implementing web farms, and requires that either an SSL/TLS appliance be used before the web server to maintain state or the SSL/TLS state information be maintained in a directory-type service accessible by all of the web farm servers. Either method requires additional infrastructure and equipment. However, to enable secure e-commerce and other private data transactions over the Internet, this is a cost-effective method to establish a specific level of necessary security.

13

How SSL/TLS Works (3 of 11)

TLS handshake

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

TLS Handshake

The following steps, depicted in the illustration above, establish a TLS secured channel (the SSL handshake is deprecated due to all versions of SSL being compromised):

The client sends to the server the client’s SSL version number, cipher settings, and session-specific data.

The server sends to the client the server’s SSL version number, cipher settings, session-specific data, and its own certificate. If the resource requested requires client authentication, the server requests the client’s certificate.

The client authenticates the server using the information it has received. If the server cannot be authenticated, the user is warned of the problem and informed that an encrypted and authenticated connection cannot be established.

The client encrypts a seed value with the server’s public key (from certificate—step 2) and sends it to the server. If the server requested client authentication, the client also sends the client certificate.

If the server requested client authentication, the server attempts to authenticate the client certificate. If the client certificate cannot be authenticated, the session ends.

The server uses its private key to decrypt the secret, and then performs a series of steps (which the client also performs) to generate a master secret. The required steps depend on the cryptographic method used for key exchange.

Both the client and the server use the master secret to generate the session key, which is a symmetric key used to encrypt and decrypt information exchanged during the SSL session.

The client sends a message informing the server that future messages from the client will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the client portion of the handshake is finished.

The server sends a message informing the client that future messages from the server will be encrypted with the session key. It then sends a separate (encrypted) message indicating that the server portion of the handshake is finished.

The SSL handshake is now complete and the session can begin.

14

How SSL/TLS Works (4 of 11)

Each packet is encrypted using the symmetric key before transfer across the network, and then decrypted by the receiver.

The use of certificates could present a lot of data and complication to a user.

Fortunately, browsers have incorporated much of this desired functionality into a seamless operation.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

15

How SSL/TLS Works (5 of 11)

Once you have decided always to accept code from XYZ Corporation, subsequent certificate checks are handled by the browser.

The ability to manipulate certificate settings is under the Options menus in both Internet Explorer and Mozilla Firefox.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

16

How SSL/TLS Works (6 of 11)

Figure 17.2 Internet Explorer certificate management options

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

17

How SSL/TLS Works (7 of 11)

Figure 17.3 Internet Explorer certificate store

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

18

How SSL/TLS Works (8 of 11)

Figure 17.4 Firefox certificate options

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

19

How SSL/TLS Works (9 of 11)

Figure 17.5 Firefox certificate store

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

20

How SSL/TLS Works (10 of 11)

Once a communication is in the SSL/TLS channel, it is very difficult to defeat the SSL protocol

Before data enters the secured channel, however, defeat is possible.

A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS, for example, provided that the Trojan program copies the data prior to SSL/TLS encapsulation.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

This type of attack has occurred and has been used to steal passwords and other sensitive material from users, performing the theft as the user actually types in the data.

21

How SSL/TLS Works (11 of 11)

SSL/TLS man-in-the-middle attack

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

SSL/TLS Proxy Attack

SSL/TLS-based security is not foolproof. It can be defeated, as in the case of a proxy-based attack. Examining the handshake, the following steps could occur, as shown in this illustration:

The client (C) initiates a TLS session with their bank server (S) through a proxy (P).

P acts by echoing the information sent to it by C (step 1a) to S (step 1b), imitating C to S, and establishing a secure channel between P and S (TLS #1).

P creates a second secure channel to C (TLS #2), using information received from S, pretending to be S.

The user assumes that the dotted lines occur—a secure channel to the bank directly—when the client actually has only a secure channel to the proxy. In fact, the proxy has the secure channel to the bank, and as far as the bank is concerned, the proxy is the client and using the client’s credentials. For a proxy that is not completely trusted, this could be a nightmare for the client.

The advent of high-assurance certificates prevents the proxy from imitating the bank, as it cannot give the correct set of credentials back to the client to complete the high-assurance handshake. Mutual authentication is also designed to prevent this, as the proxy cannot simultaneously imitate both sides of the handshake. Mutual authentication is rarely used, as there is the issue of maintaining client certificates that are trusted to a server—a challenge for broad-reach sites like financial institutions and e-commerce sites.

22

The Web (HTTP and HTTPS) (1 of 4)

HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.

When a secure connection is needed, SSL/TLS is used and appears in the address as https://.

If the protocol is https:, your connection is secure.

If the protocol is http:, then the connection is carried by plaintext for anyone to see.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers. When a user types a URL such as http://www.example.com into a browser, the http:// portion indicates that the desired method of data transfer is HTTP. Although it was initially created just for HTML pages, today many protocols deliver content over this connection protocol. HTTP traffic takes place over TCP port 80 by default, and this port is typically left open on firewalls because of the extensive use of HTTP.

One of the primary drivers behind the development of SSL/TLS was the desire to hide the complexities of cryptography from end users. When using an SSL/TLS-enabled browser, this can be done simply by requesting a secure connection from a web server instead of a nonsecure connection. With respect to HTTP connections, this is as simple as using https:// in place of http://.

The entry of an SSL/TLS-based protocol will cause a browser to perform the necessary negotiations with the web server to establish the required level of security. Once these negotiations have been completed and the session is secured by a session key, a closed padlock icon is displayed in the lower right of the screen to indicate that the session is secure. If the protocol is https:, your connection is secure; if it is http:, then the connection is carried by plaintext for anyone to see.

EXAM TIP: HTTPS (HTTP over SSL) uses TCP Port 443. The unencrypted form is HyperText Transfer Protocol (HTTP), which uses TCP Port 80.

23

The Web (HTTP and HTTPS) (2 of 4)

Figure 17.6 High-assurance notification in Internet Explorer

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Figure 17.6 shows a secure connection in Internet Explorer.

As of Internet Explorer 7, Microsoft places the padlock icon in an obvious position, next to the URL, instead of in the lower-right corner of the screen, where users could more easily miss it.

24

The Web (HTTP and HTTPS) (3 of 4)

Figure 17.7 High-assurance notification in Firefox

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Figure 17.7 shows a secure connection in Firefox.

25

The Web (HTTP and HTTPS) (4 of 4)

To combat a variety of attacks, in 2006 the SSL/TLS landscape changed with the advent of extended validation certificates and high security browsers.

These changes provide visual cues to the user when high assurance certificates are being used as part of a secure SSL/TLS connection.

The objective of enabling cryptographic methods in this fashion is to make it easy for end users to use these protocols.

SSL/TLS is designed to be protocol agnostic.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

To combat a variety of attacks, in 2006 the SSL/TLS landscape changed with the advent of extended validation certificates and high security browsers. These changes provide visual cues to the user when high assurance certificates are being used as part of a secure SSL/TLS connection. These improvements were in response to phishing sites and online fraud, and although they require additional costs and registration on the part of the vendors, this is a modest up-front cost to help reduce fraud and provide confidence to customers.

The objective of enabling cryptographic methods in this fashion is to make it easy for end users to use these protocols. SSL/TLS is designed to be protocol agnostic. Although designed to run on top of TCP/IP, it can operate on top of other, lower-level protocols, such as X.25. SSL/TLS requires a reliable lower-level protocol, so it is not designed and cannot properly function on top of a nonreliable protocol such as the User Datagram Protocol (UDP). Even with this limitation, SSL/TLS has been used to secure many common TCP/IP-based services.

26

HTTPS Everywhere

With a variety of encryption technologies available, managing the resources for HTTPS connections is much easier, and a case has been made by many in security that all web connections should be HTTPS.

This has resulted in the HTTPS Everywhere movement.

HTTPS Everywhere would go a long way for privacy, because it would prevent data snooping.

HTTPS Everywhere would prevent many man-in-the-middle attacks, such as SSL stripping.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

When websites were first deployed, providing HTTPS was a resource cost issue, because it took processor cycles to encrypt all the connections. Today, with a variety of encryption technologies available, managing the resources for HTTPS connections is much easier, and a case has been made by many in security that all web connections should be HTTPS. This has resulted in the HTTPS Everywhere movement (https://www.eff.org/https-everywhere/), spearheaded by the Electronic Frontier Foundation (EFF).

If web sites everywhere would turn off HTTP in favor of using only HTTPS (with TLS in light of SSL vulnerabilities), this would not solve all the security problems, but it would raise the bar substantially for many attacks. HTTPS Everywhere would go a long way for privacy, because it would prevent data snooping. It would also prevent many man-in-the-middle attacks, such as SSL stripping.

27

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an IETF standard and a mechanism to enforce rules to prevent browsers from downgrading security when accessing a site.

HSTS was created in response to a series of attack profiles.

The SSL stripping attack works on both SSL and TLS by transparently converting the secure HTTPS connection into a plain HTTP connection, removing the transport layer encryption protections.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

HTTP Strict Transport Security (HSTS) is an IETF standard and a mechanism to enforce rules to prevent browsers from downgrading security when accessing a site. The policy states that when a web server provides an HTTP response header field named “Strict-Transport-Security,” then the user agent shall comply by not issuing insecure requests. The header field has a time period associated with it, set in the header, during which the policy is in effect.

The SSL stripping attack works on both SSL and TLS by transparently converting the secure HTTPS connection into a plain HTTP connection, removing the transport layer encryption protections. Although an observant user might notice the drop in security, by then the damage may have been done, and this relies upon users knowing whether a page should be secure or not. No warnings are presented to the user during the downgrade process, which makes the attack fairly subtle to all but the most vigilant. Marlinspike’s sslstrip tool fully automates the attack and is available on the Web.

28

Directory Services (DAP and LDAP) (1 of 2)

A directory is designed and optimized for reading data, offering very fast search and retrieval operations.

To enable interoperability, the X.500 standard was created as a standard for directory services.

The primary method for accessing an X.500 directory is through the Directory Access Protocol (DAP).

Lightweight Directory Access Protocol (LDAP) contains the most commonly used functionality.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

A directory is a data storage mechanism similar to a database, but it has several distinct differences designed to provide efficient data retrieval services compared to standard database mechanisms. A directory is designed and optimized for reading data, offering very fast search and retrieval operations. The types of information stored in a directory tend to be descriptive attribute data. A directory offers a static view of data that can be changed without a complex update transaction. The data is hierarchically described in a treelike structure, and a network interface for reading is typical.

To enable interoperability, the X.500 standard was created as a standard for directory services. The primary method for accessing an X.500 directory is through the Directory Access Protocol (DAP), a heavyweight protocol that is difficult to implement completely, especially on PCs and more constrained platforms.

This led to the Lightweight Directory Access Protocol (LDAP), which contains the most commonly used functionality. LDAP can interface with X.500 services, and, most importantly, LDAP can be used over TCP with significantly less computing resources than a full X.500 implementation. LDAP offers all of the functionality most directories need and is easier and more economical to implement; hence LDAP has become the Internet standard for directory services.

29

Directory Services (DAP and LDAP) (2 of 2)

SSL/TLS LDAP

SSL/TLS provides several important functions to LDAP services:

Establishes the identity of a data source through the use of certificates.

Provides for the integrity and confidentiality of the data being presented from an LDAP source.

Interoperability is a function of correct setup.

Once an LDAP server is set up to function over an SSL/TLS connection, it operates as it always has.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

SSL/TLS provides several important functions to LDAP services. It can establish the identity of a data source through the use of certificates, and it can also provide for the integrity and confidentiality of the data being presented from an LDAP source.

As LDAP and SSL/TLS are two separate independent protocols, interoperability is more a function of correct setup than anything else. To achieve LDAP over SSL/TLS, the typical setup is to establish an SSL/TLS connection and then open an LDAP connection over the protected channel. To do this requires that both the client and the server be enabled for SSL/TLS. In the case of the client, most browsers are already enabled. In the case of an LDAP server, this specific function must be enabled by a system administrator. As this setup initially is complicated, it’s definitely a task for a competent system administrator.

Once an LDAP server is set up to function over an SSL/TLS connection, it operates as it always has. The LDAP server responds to specific queries with the data returned from a node in the search. The SSL/TLS functionality is transparent to the data flow from the user’s perspective. From the outside, SSL/TLS prevents observation of the data request and response, ensuring confidentiality.

30

File Transfer (FTP and SFTP) (1 of 4)

File Transfer Protocol (FTP) is an application-level protocol that operates over a wide range of lower-level protocols.

FTP is embedded in most operating systems and provides a method of transferring files from a sender to a receiver.

FTP clients initiate transactions and FTP respond to transaction requests.

Clients for FTP on a PC can range from an application program, to the command-line FTP program in Windows/DOS to most browsers.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

File Transfer Protocol (FTP) is an application-level protocol that operates over a wide range of lower-level protocols. FTP is embedded in most operating systems and provides a method of transferring files from a sender to a receiver. Most FTP implementations are designed to operate both ways, sending and receiving, and can enable remote file operations over a TCP/IP connection. FTP clients are used to initiate transactions, and FTP servers are used to respond to transaction requests. The actual request can be either to upload (send data from client to server) or to download (send data from server to client).

Clients for FTP on a PC can range from an application program, to the command-line FTP program in Windows/DOS, to most browsers. To open an FTP data store in a browser, you can enter ftp://url in the browser’s address field to indicate that you want to see the data associated with the URL via an FTP session—the browser handles the details.

31

File Transfer (FTP and SFTP) (2 of 4)

Blind FTP (anonymous FTP)

In FTP, a standard account called anonymous exists.

It allows unlimited public access to the files.

It is commonly used for unlimited distribution.

On a server, access permissions can be established to allow only downloading or only uploading or both.

FTP servers present a security risk so it is typically not permitted on workstations, and disabled on servers without need for this functionality.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

To access resources on a computer, an account must be used to allow the operating system–level authorization function to work. In the case of an FTP server, you may not wish to control who gets the information, so a standard account called anonymous exists. This allows unlimited public access to the files and is commonly used when you want to have unlimited distribution.

On a server, access permissions can be established to allow only downloading or only uploading or both, depending on the system’s function. As FTP servers can present a security risk, they are typically not permitted on workstations and are disabled on servers without need for this functionality.

32

File Transfer (FTP and SFTP) (3 of 4)

SFTP

FTP operates in a plaintext mode.

Secure FTP (SFTP) combines both the Secure Shell (SSH) protocol and FTP to allow confidential transfer.

SFTP operates as an application program that encodes both the commands and the data being passed and requires SFTP to be on both the client and the server.

SFTP is not interoperable with standard FTP.

The server must be enabled with the SFTP program, and then clients can access the server, provided they have the correct credentials.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

FTP operates in a plaintext mode, so an eavesdropper can observe the data being passed. If confidential transfer is required, Secure FTP (SFTP) combines both the Secure Shell (SSH) protocol and FTP to accomplish this task.

SFTP operates as an application program that encodes both the commands and the data being passed and requires SFTP to be on both the client and the server. SFTP is not interoperable with standard FTP—the encrypted commands cannot be read by the standard FTP server program.

To establish SFTP data transfers, the server must be enabled with the SFTP program, and then clients can access the server, provided they have the correct credentials. One of the first SFTP operations is the same as that of FTP: an identification function that uses a username and an authorization function that uses a password. There is no anonymous SFTP account by definition, so access is established and controlled from the server using standard access control lists (ACLs), IDs, and passwords.

33

File Transfer (FTP and SFTP) (4 of 4)

FTPS

FTPS is the implementation of FTP over an SSL/TLS-secured channel.

This supports complete FTP compatibility, yet provides the encryption protections enabled by SSL/TLS.

FTPS commonly runs on port 990 but can run on port 21.

FTPS running on port 990, it is referred to as Implicit FTPS because the use of port 990 implies a secure connection.

FTPS running on port 21 is referred to as an Explicit FTPS connection.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

34

Vulnerabilities

The use of protocols such as TLS can result in complacency.

Using TLS and other encryption methods will not guard against your credit card information being “lost” by a company with which you do business.

The key to understanding what is protected and where it is protected is to understand what these protocols can and cannot do.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Modern encryption technology can provide significant levels of privacy, up to military-grade secrecy. The use of protocols such as TLS provides a convenient method for end users to use cryptography without having to understand how it works. This can result in complacency—the impression that once TLS is enabled, the user is safe, but this is not necessarily the case. If a Trojan program is recording keystrokes and sending the information to another unauthorized user, for example, TLS cannot prevent the security breach. If the user is connecting to an untrustworthy site, the mere fact that the connection is secure does not prevent the other site from running a scam.

Using TLS and other encryption methods will not guard against your credit card information being “lost” by a company with which you do business, as in the Egghead.com credit card hack of 2000. In December 2000, Egghead.com’s credit card database was hacked, and as many as 3.7 million credit card numbers were exposed. This resulted eventually in the loss of the firm, which is now known as NewEgg. The year 2014 was a year filled with data breaches, losses of customer information—including credit card numbers—from many high-profile merchants such as Target. In these cases, the security failure was internal to the data storage in the company, not during transfer to the firm. So even with secure web controls, data can be lost after being stored in a company database.

The key to understanding what is protected and where it is protected is to understand what these protocols can and cannot do. The TLS suite can protect data in transit, but not on either end in storage. It can authenticate users and servers, provided that the certificate mechanisms are established and used by both parties. Properly set up and used, TLS can provide a very secure method of authentication, followed by confidentiality in data transfers and data integrity checking. But again, all of this occurs during transit, and the protection ends once the data is stored.

35

Code-Based Vulnerabilities

The idea of extending browser functions through plug-ins became a standard.

The opportunity exists for these applications or plug-ins to include malicious code that performs actions not desired by the end user.

Web browser malicious code is a major tool for computer crackers to use to obtain unauthorized computer access.

Whether delivered by HTML based e-mail, by getting a user to visit a web site, or even delivery via an ad server, the result is the same: malware performs malicious tasks in the browser environment.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

36

Buffer Overflows

One of the most common exploits used to hack into software is the buffer overflow.

The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.

This occurs when an application can accept more input than it has assigned storage space and the input data overwrites other program areas.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

The exploit concept is simple: An attacker develops an executable program that performs some action on the target machine and appends this code to a legitimate response to a program on the target machine. When the target machine reads through the too-long response, a buffer-overflow condition causes the original program to fail. The extra malicious code fragment is now in the machine’s memory, awaiting execution. If the attacker executed it correctly, the program will skip into the attacker’s code running it instead of crashing.

37

Java (1 of 2)

Java is a computer language invented by Sun Microsystems as an alternative to Microsoft’s development languages.

Designed to be platform-independent and based on C

Offered a low learning curve and a way of implementing programs across an enterprise

Found itself to be a leader in object-oriented programming languages

Operates through an interpreter called a Java Virtual Machine (JVM) on each platform

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Java is a computer language invented by Sun Microsystems as an alternative to Microsoft’s development languages. Designed to be platform-independent and based on C, Java offered a low learning curve and a way of implementing programs across an enterprise, independent of platform. Although platform independence never fully materialized, and the pace of Java language development was slowed by Sun, Java has found itself to be a leader in object-oriented programming languages.

38

Java (2 of 2)

Reliance on an interpretive step has led to performance issues.

Security is not a built-in function but an afterthought implemented independently of the language core.

Java has safety features, but safety is not security.

A malicious Java program can cause significant damage.

Sun provides different levels of security.

Do not to run Java programs at all.

Restrict Java program functionality when the program is not run directly from the system’s hard drive.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Java was initially designed to be used in trusted environments, and when it moved to the Internet for general use, safety became one of its much-hyped benefits. Java has many safety features, such as type checking and garbage collection, that actually improve a program’s ability to run safely on a machine and not cause operating system–level failures. This isolates the user from many common forms of operating system faults that can end in the “blue screen of death” in a Windows environment, where the operating system crashes and forces a reboot of the system. Safety is not security, however, and although safe, a malicious Java program can still cause significant damage to a system.

The primary mode of a computer program is to interact with the operating system and perform functional tasks for a user, such as getting and displaying data, manipulating data, storing data, and so on. Although these functions can seem benign, when enabled across the Web they can have some unintended consequences. The ability to read data from a hard drive and display it on the screen is essential for many programs, but when the program is downloaded and run from the Internet and the data is, without the knowledge of the user, sent across the Internet to an unauthorized user, this enables a program to spy on a user and steal data. Writing data to the hard drive can also cause deletions if the program doesn’t write the data where the user expects.

Most browsers adopted the second security policy, restricting Java functionality on a client unless the program was loaded directly from the client’s hard drive. Although this solved many problems initially, it also severely limited functionality. Today, browsers allow much more specific granularity on security for Java, based on security zones and user settings.

39

JavaScript (1 of 5)

JavaScript is a scripting language developed by Netscape and designed to be operated within a browser instance.

The primary purpose is to enable features such as validation of forms.

Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.

JavaScript runs within the browser and the code is executed by the browser itself.

This has led to compatibility problems.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

40

JavaScript (2 of 5)

Figure 17.8 Java configuration settings in Internet Explorer

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Security settings in Internet Explorer are done by a series of zones, allowing differing levels of control over .NET functionality, ActiveX functionality, and Java functionality (see Figure 17.8).

Unfortunately, these settings can be changed by a Trojan program, altering the browser (without alerting the user) and lowering the security settings.

41

JavaScript (3 of 5)

Figure 17.9 Security setting functionality issues

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Security settings can be changed by a Trojan program, altering the browser (without alerting the user) and lowering the security settings. In Firefox, using the NoScript plug-in is a solution to this, but the reduced functionality leads to other issues, as shown in Figure 17.9, and requires more diligent user intervention.

42

JavaScript (4 of 5)

JavaScript's lack of a comprehensive security model left some security holes.

A form could submit itself via e-mail to an undisclosed recipient, either eavesdropping, spamming, or causing other problems.

Most browsers do not have a mechanism to halt a running script short of aborting the browser instance.

This may not be possible if the browser has stopped responding to commands.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Although JavaScript was designed not to be able to access files or network resources directly, except through the browser functions, it has not proven to be as secure as desired. This fault traces back to a similar fault in the Java language, where security was added on, without the benefit of a comprehensive security model.

So, although designers put thought and common sense into the design of JavaScript, the lack of a comprehensive security model left some security holes. For instance, a form could submit itself via e-mail to an undisclosed recipient, either eavesdropping, spamming, or causing other problems—imagine your machine sending death threat e-mails to high-level government officials from a rogue JavaScript implementation.

Further, most browsers do not have a mechanism to halt a running script, short of aborting the browser instance, and even this may not be possible if the browser has stopped responding to commands. Malicious JavaScripts can do many things, including opening two new windows every time you close one, each with the code to open two more. There is no way out of this one, short of killing the browser process from the operating system.

43

JavaScript (5 of 5)

Malicious JavaScripts can do many things.

Opening two new windows every time you close one, each with the code to open two more.

There is no way out of this one, short of killing the browser process from the operating system.

JavaScripts can also trick users into thinking they are communicating with one entity when in fact they are communicating with another.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

JavaScripts can also trick users into thinking they are communicating with one entity when in fact they are communicating with another. For example, a window may open asking whether you want to download and execute the new update from “http://www.microsoft.com…./update.exe,” and what is covered by the ellipsis (…) is actually “www.microsoft.com. attacker.org/”—the user assumes this is a Microsoft address that is cut short by space restrictions on the display.

As a browser scripting language, JavaScript is here to stay. Its widespread popularity for developing applets such as animated clocks, mortgage calculators, and simple games will overcome its buggy nature and poor level of security.

44

ActiveX (1 of 4)

ActiveX is the name given to a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft to download and execute code automatically over an Internet-based channel.

The code is bundled together into an ActiveX control with an .ocx extension.

ActiveX is a tool for the Windows environment and can be extremely powerful.

Its range of abilities give ActiveX a lot of power, but this power can be abused.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Exam Tip: ActiveX technology can be used to create complex application logic that is then embedded into other container objects such as a web browser. ActiveX components have very significant capabilities and thus malicious ActiveX objects can be very dangerous. Authenticode is a means of signing an ActiveX control so that a user can judge trust based on the control’s creator.

45

ActiveX (2 of 4)

Figure 17.10 ActiveX security settings in Internet Explorer

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Internet Explorer has several options to control the execution of ActiveX controls, as illustrated in the picture above.

46

ActiveX (3 of 4)

To enable security and consumer confidence in downloaded programs such as ActiveX controls, Microsoft developed Authenticode.

A system that uses digital signatures and allows Windows users to determine who produced a specific piece of code and whether or not the code has been altered.

Safety and security are different things, and Authenticode promotes neither in reality.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

47

ActiveX (4 of 4)

Authenticode does not identify whether a piece of code will cause damage to a system, nor does it regulate how code is used.

A perfectly safe ActiveX control under one set of circumstances may be malicious if used improperly.

Critics argue that code signing is not a panacea for security issues and that marketing it as doing more than it really does is irresponsible.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Authenticode provides limited accountability at the time of download and provides reasonable assurance that the code has not been changed since the time of signing. Authenticode does not identify whether a piece of code will cause damage to a system, nor does it regulate how code is used, so a perfectly safe ActiveX control under one set of circumstances may be malicious if used improperly. As with a notary’s signature, recourse is very limited—if code is signed by a terrorist organization and the code ruins your machine, all Authenticode did was make it seem legitimate. It is still incumbent upon the users to know from whom they are getting code and to determine whether or not they trust that organization.

Critics of Authenticode and other code-signing techniques are not against code signing, for this is a universally recognized good thing. What the critics argue is that code signing is not a panacea for security issues and that marketing it as doing more than it really does is irresponsible. Understanding the nuances of security is important in today’s highly technical world, and leaving the explanations to marketing departments is not the ideal solution.

48

Securing the Browser

Added features means weaker security.

No browser is 100 percent safe.

Currently Firefox coupled with the NoScript plug-in provides good protection.

Firefox will not execute ActiveX, so that threat vector is removed.

The NoScript plug-in allows the user to determine from which domains to trust scripts.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

A great deal of debate concerns the relative security issue of browser extensions versus the rich user interaction that they provide. There is no doubt that the richness of the environment offered by ActiveX adds to the user experience.

But as is the case in most coding situations, added features means weaker security, all other things being constant. If nothing else, a development team must spend some portion of its time on secure development practices, time that some developers and marketers would prefer to spend on new features.

Although no browser is 100 percent safe, the use of Firefox coupled with the NoScript plug-in comes the closest to fitting the bill. Firefox will not execute ActiveX, so that threat vector is removed.

The NoScript plug-in allows the user to determine from which domains to trust scripts. The use of NoScript puts the onus back on the user as to which domain scripts they choose to trust, and although it’s not perfect from a security perspective, this at least allows a measure of control over what code you want to run on your machine.

49

CGI

The Common Gateway Interface (CGI) was the original method for having a web server execute a program outside the web server process, yet on the same server.

The programs can be written in a number of languages.

The scripted programs embrace the full functionality of a server.

Poorly written scripts can cause unintended consequences at runtime and their defects are not always obvious.

CGI is an outdated and mostly retired technology.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

The Common Gateway Interface (CGI) was the original method for having a web server execute a program outside the web server process, yet on the same server. CGI offered many advantages to web-based programs. The programs can be written in a number of languages, although Perl is a favorite. These scripted programs embrace the full functionality of a server, allowing access to databases, UNIX commands, other programs, and so on. This provides a wide range of functionality to the web environment. With this unrestrained capability, however, come security issues. Poorly written scripts can cause unintended consequences at runtime. The problem with poorly written scripts is that their defects are not always obvious. Sometimes scripts appear to be fine, but unexpected user inputs can have unintended consequences.

CGI is an outdated, and for the most part retired, technology. It has been replaced by newer scripting methods.

50

Server-Side Scripts (1 of 2)

CGI has been replaced in many web sites through newer server-side scripting technologies such as Java, Active Server Pages (ASP), ASP.NET, and PHP.

These technologies operate in much the same fashion as CGI: they allow programs to be run outside the web server and to return data to the web server to be served to end users via a web page.

The term server-side script is actually a misnomer, as these are actually executable programs that are either interpreted or run in virtual machines.

These technologies have stronger security models than CGI.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Each of these newer technologies has advantages and disadvantages, but all of them have stronger security models than CGI. With these security models come reduced functionality and, as each is based on a different language, a steeper learning curve. Still, the need for adherence to programming fundamentals exists in these technologies—code must be well designed and well written to avoid the same vulnerabilities that exist in all forms of code. Buffer overflows are still an issue. Changing languages or technologies does not eliminate the basic security problems associated with incorporating open-ended user input into code. Understanding and qualifying user responses before blindly using them programmatically is essential to the security of a system.

51

Server-Side Scripts (2 of 2)

Each technology is based on a different language.

Results in a steeper learning curve

Must adhere to programming fundamentals.

Use well designed and well written code as buffer overflows are still an issue.

Basic security problems associated with incorporating open-ended user input into code still exist.

Understanding and qualifying user responses before blindly using them programmatically is essential to the security of a system.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

52

Cookies (1 of 5)

Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.

A cookie is a series of name-value pairs that is stored in memory during a browser instance.

Expires, Domain, Path, and Secure

Because cookies are stored on a user’s machine in a form that will allow simple manipulation, they must always be considered suspect and are not suitable for use as a security mechanism.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

A cookie is actually a series of name-value pairs that is stored in memory during a browser instance. The specification for cookies established several specific name-value pairs for defined purposes. Additional name-value pairs may be defined at will by a developer. The specified set of name-value pairs includes the following: ■ Expires – This field specifies when the cookie expires. If no value exists, the cookie is good only during the current browser session and will not be persisted to the user’s hard drive. Should a value be given, the cookie will be written to the user’s machine and persisted until this datetime value occurs. ■ Domain – Specifies the domain where the cookie is used. Cookies were designed as memory-resident objects, but as the user or data can cause a browser to move between domains—say, from comedy.net to jokes.org—some mechanism needs to tell the browser which cookies belong to which domains.

■ Path – This name-value pair further resolves the applicability of the cookie into a specific path within a domain. If path = /directory, the cookie will be sent only for requests within /directory on the given domain. This allows a level of granular control over the information being passed between the browser and server, and it limits unnecessary data exchanges.

■ Secure – The presence of the keyword [secure] in a cookie indicates that it is to be used only when connected in an SSL/TLS session. This does not indicate any other form of security, as cookies are stored in plaintext on the client machine. Cookie management on a browser is normally an invisible process, but most browsers have methods for users to examine and manipulate cookies on the client side.

So what good are cookies? Disable cookies in your browser and go to some common sites that you visit, and you’ll quickly learn the usefulness of cookies. Cookies store a variety of information, from customer IDs to data about previous visits. Because cookies are stored on a user’s machine in a form that will allow simple manipulation, they must always be considered suspect and are not suitable for use as a security mechanism. They can, however, allow the browser to provide crucial pieces of information to a web server. Advertisers can use them to control which ads you are pages, enabling functionality at the user’s desired levels. Cookies can also remember your ZIP code for a weather site, your ID for a stock tracker site, the items in your shopping cart—these are all typical cookie uses. In the final analysis, cookies are a part of the daily web experience, here to stay and useful if not used improperly (such as to store security data and to provide ID and authentication).

53

Cookies (2 of 5)

Figure 17.11 Chrome cookie management

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Chrome users can examine, delete, and block individual cookies through the interface shown in Figure 17.11.

54

Cookies (3 of 5)

Figure 17.12 Internet Explorer cookie management

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Internet Explorer has a similar interface, with just a Delete option in the browser under Browsing History (see Figure 17.12).

55

Cookies (4 of 5)

Figure 17.13 Internet Explorer cookie store

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Additional cookie manipulation can be done through the file processing system, because cookies are stored as individual files, as shown in Figure 17.13. This combination allows easier bulk manipulation, which is a useful option, as cookies can become quite numerous in short order.

56

Cookies (5 of 5)

If the user disables cookies in a browser, this type of information will not be available for the web server to use.

IETF RFC 2109 describes the HTTP state-management system (cookies) and specifies several specific cookie functions to be enabled in browsers, specifically:

The ability to turn on and off cookie usage

An indicator as to whether cookies are in use

A means of specifying cookie domain values and lifetimes

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Disabling Cookies

If the user disables cookies in a browser, this type of information will not be available for the web server to use. IETF RFC 2109 describes the HTTP state-management system (cookies) and specifies several specific cookie functions to be enabled in browsers, specifically:

■ The ability to turn on and off cookie usage

■ An indicator as to whether cookies are in use

■ A means of specifying cookie domain values and lifetimes

Several of these functions have already been discussed, but to surf cookie-free requires more than a simple step. Telling a browser to stop accepting cookies is a setup option available through an Options menu, but this has no effect on cookies already received and stored on the system. To prevent the browser from sending cookies already received, the user must delete the cookies from the system. This bulk operation is easily performed, and then the browser can run cookie-free. Several third-party tools enable even a finer granularity of cookie control.

57

Browser Plug-ins (1 of 2)

Plug-ins are small application programs that increase a browser’s ability to handle new data types and add new functionality.

Until recently, plug-ins have had a remarkable safety record.

As Flash-based content has grown more popular, crackers have examined the Flash plug-ins and software, determined vulnerabilities, and developed exploit code to use against the Flash protocol.

The death of Flash is on the horizon.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Sometimes these plugins are in the form of ActiveX components, which is the form Microsoft chose for its Office plug-in, which enables a browser to manipulate various Office files, such as pivot tables from Excel, over the Web. Adobe has developed Acrobat Reader, a plug-in that enables a browser to read and display Portable Document Format (PDF) files directly in a browser. PDF files offer platform independence for printed documents and are usable across a wide array of platforms—they are a compact way to provide printed information.

The combination of a development environment for developers and plug-in–enabled browsers that can display the content has caused these technologies to see widespread use. The result is a tremendous increase in visual richness in web communications, and this, in turn, has made the Web more popular and has increased usage in various demographic segments.

Until recently, these plug-ins have had a remarkable safety record. As Flash-based content has grown more popular, crackers have examined the Flash plug-ins and software, determined vulnerabilities, and developed exploit code to use against the Flash protocol. Adobe has patched the issue, but as Apple has decided not to

use Flash on its iPhones or iPads, the death of Flash is on the horizon.

58

Browser Plug-ins (2 of 2)

Figure 17.15 Add-ons for Internet Explorer

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Figure 17.15 illustrates Add-ons for Internet Explorer

59

Malicious Add-ons

Add-ons are pieces of code that are distributed to allow additional functionality to be added to an existing program.

A browser helper object (BHO) has unrestricted access to the Internet Explorer event model; it can capture keystrokes.

Other programs can have addons that utilize the permissions given the master program.

Understand the level of interaction risk they pose.

Unless signed by a trusted authority using Authenticode, ActiveX content should not be allowed in browsers, as the nature of the code changes can present significant risk.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Add-ons are pieces of code that are distributed to allow additional functionality to be added to an existing program. An example of these are browser helper objects (BHOs), which provide a means of creating a plugin module that is loaded with Internet Explorer and provide a means of adding capability to the browser. The functionality can be significant, as in the case of the Adobe Acrobat BHO that allows PDFs to be rendered in the browser. A BHO has unrestricted access to the Internet Explorer event model and can do things such as capture keystrokes.

Other programs can have addons that utilize the permissions given the master program. You should only use add-ons from trusted sources, and you need to understand the level of interaction risk they pose. ActiveX is a technology implemented by Microsoft to enhance web-enabled systems through significant additions to user controls. For example, unless signed by a trusted authority using Authenticode, ActiveX content should not be allowed in browsers, as the nature of the code changes can present significant risk.

60

Signed Applets (1 of 2)

Code signing was an attempt to bring the security of shrink-wrapped software to software downloaded from the Internet.

A signed applet can be hijacked as easily as a graphic or any other file.

Two ways an attacker could hijack a signed control are by inline access or by copying the file in its entirety and republishing it.

Inlining is using an embedded control from another site with or without the other site’s permission.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Code signing was an attempt to bring the security of shrink-wrapped software to software downloaded from the Internet. Code signing works by adding a digital signature and a digital certificate to a program file to demonstrate file integrity and authenticity. The certificate identifies the author, and the digital signature contains a hash value that covers code, certificate, and signature to prove integrity, and this establishes the integrity of the code and publisher via a standard browser certificate check. The purpose of a company signing the code is to state that it considers the code it created to be safe, and it is stating that the code will not do any harm to the system (to the company’s knowledge). The digital signature also tells the user that the stated company is, indeed, the creator of the code.

A signed applet can be hijacked as easily as a graphic or any other file. The two ways an attacker could hijack a signed control are by inline access or by copying the file in its entirety and republishing it.

Inlining is using an embedded control from another site with or without the other site’s permission.

Republishing a signed control is done much like stealing a GIF or JPEG image—a copy of the file is maintained on the unauthorized site and served from there instead of from the original location.

61

Signed Applets (2 of 2)

The primary security concern comes from how the control is used.

A cracker may be able to use a control in an unintended fashion, resulting in file loss or buffer overflow—conditions that weaken a system and can allow exploitation of other vulnerabilities.

These are concerns not addressed simply by signing a control or applet.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

If a signed control cannot be modified, why be concerned with these thefts, apart from the issue of intellectual property? The primary security concern comes from how the control is used. A cracker may be able to use a control in an unintended fashion, resulting in file loss or buffer overflow—conditions that weaken a system and can allow exploitation of other vulnerabilities.

A common programming activity is cleaning up installation files from a computer’s hard drive after successfully installing a software package. If a signed control is used for this task and permission has already been granted, then improperly using the control could result in the wrong set of files being deleted. The control will still function as designed, but the issue becomes who it is used by and how. These are concerns not addressed simply by signing a control or applet.

62

Application-Based Weaknesses

The application software written to run on servers and serve up the content for users is also a target.

Attacking web-based applications has proven to be a lucrative venture for several reasons.

The target is a rich environment.

Building these custom applications to high levels of security is a difficult if not impossible feat.

The same programmatic errors that plague operating systems can cause havoc with web-based systems.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Web browsers are not the only aspect of software being abused by crackers. The application software written to run on servers and serve up the content for users is also a target. Web application security is a fairly hot topic in security, as it has become a prime target for professional crackers. Criminal hackers typically are after some form of financial reward, whether from stolen data, stolen identity, or some form of extortion.

Attacking web-based applications has proven to be a lucrative venture for several reasons. First, the target is a rich environment, as company after company has developed a customer-facing web presence, often including custom-coded functionality that permits customer access to back-end systems for legitimate business purposes. Second, building these custom applications to high levels of security is a difficult if not impossible feat, especially given the corporate pressure on delivery time and cost.

The same programmatic errors that plague operating systems, such as buffer overflows, can cause havoc with web-based systems. But web-based systems have a new history of rich customer interactions, including the collection of information from the customer and dynamically using customer-supplied information to modify the user experience. This makes the customer a part of the application, and when proper controls are not in place, errors such as the MySpace-based Samy worm can occur. Different types of errors are commonly observed in the deployment of web applications, and these have been categorized into six logical groupings of vulnerabilities: authentication, authorization, logical attacks, information disclosure, command execution, and client-side attacks. A total of 24 different types of vulnerabilities have been classified by the Web Application Security Consortium (WASC), an international organization that establishes best practices for web application security.

63

Session Hijacking

It is important to securely implement the setup and teardown of a session.

There are numerous methods of session hijacking:

Man-in-the-middle attacks, side-jacking, browser takeovers are examples.

Side-jacking uses packet sniffing to steal a session cookie.

Securing only the logon process and then switching back to standard HTTP can enable this attack.

Defense is to use encryption correctly and to log out of and close applications when done.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

When communicating across the Web, it is common to create a session to control communication flows. Sessions can be established and controlled using a variety of methods, including SSL/TLS and cookies. It is important to securely implement the setup and teardown of a session, for if one party ends the communication without properly tearing down the communication session, an interloper can take over the session, continue after one of the parties has left, and impersonate that party. If you log into your bank to conduct transactions, but allow a session hijacker in, then the hijacker can continue banking after you leave, using your account. This is one of the reasons it is so important to log off of banking and financial sites, rather than just closing the browser.

There are numerous methods of session hijacking, from man-in-the-middle attacks to side-jacking and browser takeovers. Side-jacking is the use of packet sniffing to steal a session cookie. Securing only the logon process and then switching back to standard HTTP can enable this attack methodology.

The best defenses are to use encryption correctly (TLS, not SSL) and to log out of and close applications when done. When using multi-tabbed browsers, it is best to close the entire browser instance, not just the tab.

64

Client-Side Attacks (1 of 4)

The popularity and the utility of this interface have made the web browser a prime target for attackers to gain access and control over a system.

A wide variety of attacks can occur via a browser, typically resulting from a failure to properly validate input before use.

Unvalidated input can result in a series of injection attacks, header manipulation, and other forms of attack.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

The web browser has become the major application for users to engage resources across the Web.

65

Client-Side Attacks (2 of 4)

A cross-site scripting attack is a code injection attack in which an attacker sends code in response to an input request.

This code is then rendered by the web server, resulting in the execution of the code by the web server.

Cross-site scripting attacks take advantage of a few common elements in web-based systems.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

66

Client-Side Attacks (3 of 4)

When HTTP is being dynamically generated through the use of user inputs, unvalidated inputs can give attackers an opportunity to change HTTP elements.

When user-supplied information is used in a header, it is possible to create a variety of attacks such as:

Cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation, and open redirect.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

67

Client-Side Attacks (4 of 4)

Autofill and hidden fields

Autofill is a browser mechanism designed to make it easier for users to submit common data to webpages.

This is a convenience factor, but can also be a risk if the fields it is populating are hidden.

Not all browsers will autofill hidden fields, but those that do can be giving away items such as email address, phone number, house address, credit card details, and so on.

All based on previous entries and without the user seeing it as the field is hidden.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

68

Web 2.0 and Security (1 of 2)

Web 2.0 is a relatively new phenomenon that has swept the Internet.

It is a collection of technologies that is designed to make web sites more useful for users.

New languages and protocols, such as AJAX, to user-provided content, to social networking sites and user-created mash-ups

There is a wide range of security issues associated with this new level of deployed functionality.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

69

Web 2.0 and Security (2 of 2)

The new languages and protocols add significant layers of complexity to a web site’s design, and errors can have significant consequences.

Early efforts by Google to add Web 2.0 functionality to its applications created holes that allowed hackers access to a logged-in user’s Gmail account and password.

The foundations of security apply the same way in Web 2.0 as they do elsewhere.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

70

Chapter Summary (1 of 2)

Describe the functioning of the SSL/TLS protocol suite.

Explain web applications, plug-ins, and associated security issues.

Describe secure file transfer options.

Explain directory usage for data retrieval.

Explain scripting and other Internet functions that present security concerns.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

71

Chapter Summary (2 of 2)

Use cookies to maintain parameters between web pages.

Examine web-based application security issues.

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

72