Information Security Lesson 6 - Web Security - Eric Vanderburg
Published in: Technology
Transcript

  • 1. Information Security, Chapter 6: Web Security
    Information Security © 2006 Eric Vanderburg
  • 2. Reasons for software vulnerability
    • Large amount of code
      – Windows 2000 – 20 million lines
      – Windows XP – 40 million lines
      – Linux – 55 million lines
    • Extensibility
      – Ex: Firefox plug-ins
      – Drivers (use signed drivers)
    • Wired (connectivity)
      – More internet-enabled applications which may not be secure (weather, stocks, media player)
  • 3. An email message
    1. sender@source.com uses a client to create a message for receiver@destination.com
    2. Client connects to the mail.source.com SMTP server on port 25 and forwards the message.
    3. SMTP server compares the source and destination domain names. If they are the same, the message goes to the POP3 server for source.com via the delivery agent.
  • 4. An email message
    4. The source.com SMTP server connects to the destination.com SMTP server and passes the message. If the destination.com SMTP server is not responding, the message is queued and sent later. After 4 hours in the queue the sender is notified.
    5. Destination.com passes the message to the destination.com POP3 server.
    6. The message is stored in the POP3 mailbox for retrieval by receiver@destination.com.
  • 5. Email
    • POP3 (Post Office Protocol) – offers a storage place for messages until downloaded from the server. Port 119
    • IMAP (Internet Mail Access Protocol) – messages always reside on the server. Port 143
    • E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
  • 6. Email
    • ** All the following operate at the application layer
    • MIME (Multipurpose Internet Mail Extensions) – standard for embedding email with rich text, graphics, sound, & video.
    • S/MIME (Secure MIME) – adds encryption and authentication to email.
      – Digital signatures
      – Works with different email clients
      – Encrypts messages
      – Encryption & signing is transparent
      – Checksums to protect integrity
    • PGP (Pretty Good Privacy)
      – Encrypted with a session key that is encrypted with the recipient’s public key.
      – Must download a plugin to use with email clients.
  • 7. Email vulnerabilities
    • Several e-mail vulnerabilities can be exploited by attackers:
      – Malware
      – Spam
      – Hoaxes
    • SMTP relay attacks allow spammers to send thousands of e-mail messages to users
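As an added example (not from the slides), here is the decision a receiving mail server has to make at steps 3 and 4 of the message flow on slides 3 and 4, together with the check that closes the SMTP relay hole named above: a recipient in a domain the server hosts is delivered locally, a recipient elsewhere is relayed only for an authenticated client, and anything else is refused. Domain names, the credential and the one-line AUTH syntax are constructed for the example; real servers use SASL over TLS. (One detail on slide 5 worth checking against the IANA registry: POP3 is registered on port 110; port 119 is NNTP.)

```python
"""Relay policy for a toy SMTP receiver at mail.source.com.

Added example, not from the slides. Models step 3 of the slides' mail flow
(same domain: hand to the local POP3/IMAP mailbox), step 4 (foreign domain:
queue for the destination domain's SMTP server) and the open-relay check that
stops a remote client from using this host to spray mail at third parties.
Domain names and credentials below are constructed.
"""
from typing import List

LOCAL_DOMAINS = {"source.com"}             # domains this server delivers for (assumption)
VALID_CREDENTIALS = {"sender": "secret"}   # constructed; real servers use SASL over TLS


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].lower()


def relay_decision(recipient: str, authenticated: bool) -> str:
    """Decide what to do with one RCPT TO address.

    'local'  -> deliver to the mailbox on this host (slide step 3)
    'relay'  -> queue for the destination domain's SMTP server (slide step 4)
    'reject' -> unauthenticated client asked us to relay: open-relay attempt
    """
    if domain_of(recipient) in LOCAL_DOMAINS:
        return "local"
    if authenticated:
        return "relay"
    return "reject"


def run_session(commands: List[str]) -> List[str]:
    """Feed client commands to the receiver and return one reply line per command.

    Only the commands the relay check depends on are modelled (AUTH, MAIL, RCPT).
    """
    authenticated = False
    replies = []
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            # Toy form "AUTH PLAIN user:password", constructed for the example.
            _, _, credential = arg.partition(" ")
            user, _, password = credential.partition(":")
            authenticated = VALID_CREDENTIALS.get(user) == password
            replies.append("235 Authentication successful" if authenticated
                           else "535 Authentication credentials invalid")
        elif verb == "MAIL":
            replies.append("250 OK")
        elif verb == "RCPT":
            recipient = arg.split(":", 1)[1].strip("<> ")
            action = relay_decision(recipient, authenticated)
            replies.append("554 5.7.1 Relay access denied" if action == "reject" else "250 OK")
        else:
            replies.append("502 Command not implemented")
    return replies


if __name__ == "__main__":
    # Constructed session: an unauthenticated client tries to relay through us.
    print(run_session(["MAIL FROM:<spam@elsewhere.example>",
                       "RCPT TO:<victim@destination.com>",
                       "RCPT TO:<receiver@source.com>"]))
    # Constructed session: one of our own users, after AUTH, sends to destination.com.
    print(run_session(["AUTH PLAIN sender:secret",
                       "MAIL FROM:<sender@source.com>",
                       "RCPT TO:<receiver@destination.com>"]))
```

The point the example makes is that the relay decision is per recipient, not per message: the unauthenticated session above still gets its mail for receiver@source.com accepted, because that is local delivery, while the attempt to reach destination.com through this host is refused.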
  • 8. Email vulnerabilities
    • SPAM
      – 30 billion daily e-mail messages are spam
      – 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
      – 52% of users indicate spam has made them less trusting of e-mail in general
      – 70% of users say spam has made being online unpleasant or annoying
      – Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
      – Bayesian filtering – words found in the SPAM bin help define other SPAM messages.
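Bayesian filtering as the slide describes it: words that have shown up in the spam bin raise the score of new mail that contains them. The following is an added example, not from the slides. It trains a naive Bayes classifier on a handful of constructed spam and ham messages, scores a message with Bayes' rule in log space (add-one smoothing keeps a word seen in only one class from forcing the probability to 0 or 1), and ignores words it has never seen.

```python
"""Naive Bayes spam filter over word presence.

Added example, not from the slides. Training and test messages are constructed.
P(spam | words) is computed from per-class word frequencies with add-one
(Laplace) smoothing; the sum of log-likelihood ratios is turned back into a
probability at the end.
"""
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$']+")


def tokens(text: str) -> set:
    """Lower-cased set of words in a message (presence per message, not counts)."""
    return set(TOKEN.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_words = Counter()   # number of spam messages containing each word
        self.ham_words = Counter()    # number of ham messages containing each word

    def train(self, text: str, is_spam: bool) -> None:
        words = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_words.update(words)
        else:
            self.ham_docs += 1
            self.ham_words.update(words)

    def spam_probability(self, text: str) -> float:
        """P(spam | words) by Bayes' rule, accumulated in log space to avoid underflow."""
        total = self.spam_docs + self.ham_docs
        log_spam = math.log(self.spam_docs / total)   # prior
        log_ham = math.log(self.ham_docs / total)
        vocabulary = set(self.spam_words) | set(self.ham_words)
        for word in tokens(text):
            if word not in vocabulary:
                continue   # a never-seen word carries no evidence either way
            # add-one smoothing: (messages containing word + 1) / (messages in class + 2)
            log_spam += math.log((self.spam_words[word] + 1) / (self.spam_docs + 2))
            log_ham += math.log((self.ham_words[word] + 1) / (self.ham_docs + 2))
        # Normalise: P(spam | w) = 1 / (1 + P(ham,w)/P(spam,w))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        """A high threshold keeps false positives (lost legitimate mail) rare."""
        return self.spam_probability(text) >= threshold


def build_filter() -> BayesFilter:
    """Train on a constructed corpus: four messages from the spam bin, four from the inbox."""
    f = BayesFilter()
    for text in ["Cheap viagra, buy now! Limited offer",
                 "Buy cheap pills now: special offer",
                 "You won the lottery, claim your prize now",
                 "Limited offer: free prize, click now"]:
        f.train(text, is_spam=True)
    for text in ["Meeting moved to Tuesday, please confirm",
                 "Attached is the quarterly report for review",
                 "Can you review the draft before the meeting?",
                 "Lunch on Tuesday at noon?"]:
        f.train(text, is_spam=False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for message in ["Cheap pills, special offer now", "Please confirm the meeting on Tuesday"]:
        print(f"{f.spam_probability(message):.4f}  spam={f.is_spam(message)}  {message!r}")
```

With this tiny corpus the two constructed test messages land near 0.996 and 0.009; a message made only of unseen words scores exactly the prior (0.5 here), which is why the decision threshold sits well above it.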
  • 9. Internet vulnerabilities
    • Buffer overflow attacks are common ways to gain unauthorized access to Web servers
    • Both file names and aliases must be protected if 8.3 aliases are not disabled. Incorrect permissions could be applied.
    • Dynamic content can also be used by attackers
      – Repurposed programming – using programming tools in ways more harmful than originally intended (JavaScript, ActiveX)
  • 10. JavaScript
    • Provides client-side dynamic content
    • Virtual Machine (VM) – a Java interpreter
    • JavaScript code is downloaded onto the user’s computer within the HTML code
      – defense mechanisms:
        • Cannot read or write to the file system
        • No networking capabilities
      – problems:
        • Can capture and send user information without the user’s knowledge or authorization
        • Security is through the browser. It does not protect code that executes outside a browser.
  • 11. Java Applet
    • Separate program downloaded with, but separate from, the HTML
    • Sandbox – surrounds the program and keeps it away from private data and other resources on the local computer
    • Signed or unsigned
  • 12. ActiveX
    • Standard for information sharing between programs
    • Installed when referenced by a web page
    • Does not run in a sandbox; has full access to the OS
    • Signed or unsigned – a signature only proves the source, not safety
    • Only runs on Windows
    • Set per computer instead of per user
    • ActiveX controls as a whole are either disabled or enabled in IE
  • 13. Cookies
    • Stores information from a web site
      – Sessions
      – Saved logon
    • Very small (4KB)
    • Has an expiration date
    • First-party cookie – a site’s own cookie
    • Third-party cookie – another site’s cookie
    • Disable third-party cookie access
    • Many sites require cookies so disabling them will change your online experience but disallowing sites
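To make the cookie slide concrete, here is an added example (not from the slides) that evaluates a Set-Cookie header the way a browser's cookie policy does: it checks the size against the 4 KB limit, works out the expiration date (or notes that there is none), and decides whether the cookie is first-party or third-party by comparing the responding host with the site the page was loaded from. It also flags two properties the slide does not cover but that bear on the JavaScript slide above: a cookie without HttpOnly is readable by page scripts, and one without Secure travels over plain HTTP. Headers, host names and the fixed clock are constructed; "site" is approximated by the last two DNS labels, a simplification of the Public Suffix List that real browsers use.

```python
"""How a browser treats a Set-Cookie header: size, expiry, first- vs third-party.

Added example, not from the slides. Headers, host names and the fixed clock
EXAMPLE_NOW are constructed. Site matching uses the last two DNS labels, a
simplification of the Public Suffix List that real browsers use.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

MAX_COOKIE_BYTES = 4096   # per-cookie limit on the slide ("very small (4KB)")
EXAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)   # fixed clock for the constructed runs


def registrable_domain(host: str) -> str:
    """Approximate the 'site' of a host by its last two labels (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val}), attribute names lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


@dataclass
class CookieReport:
    name: str
    value: str
    attributes: dict
    first_party: bool = True
    expires: Optional[datetime] = None
    warnings: list = field(default_factory=list)


def evaluate_cookie(header: str, response_host: str, page_host: str,
                    now: Optional[datetime] = None) -> CookieReport:
    """Decide how a page on page_host treats a Set-Cookie received from response_host."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    report = CookieReport(name, value, attrs)

    # First party means the responding site is the site the user is visiting.
    report.first_party = registrable_domain(response_host) == registrable_domain(page_host)
    if not report.first_party:
        report.warnings.append("third-party cookie: blocked when third-party cookie access is disabled")

    # Browsers discard a cookie whose header is larger than about 4 KB.
    if len(header.encode()) > MAX_COOKIE_BYTES:
        report.warnings.append("over the 4 KB limit: browser discards it")

    # Max-Age takes precedence over Expires; neither means a session cookie.
    if "max-age" in attrs:
        report.expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        report.expires = parsedate_to_datetime(attrs["expires"])
    if report.expires is None:
        report.warnings.append("no expiration date: session cookie, gone when the browser closes")
    elif report.expires <= now:
        report.warnings.append("already expired: browser deletes any stored copy")

    # Exposure beyond the slide: script access and cleartext transport.
    if "httponly" not in attrs:
        report.warnings.append("readable by page JavaScript (no HttpOnly)")
    if "secure" not in attrs:
        report.warnings.append("also sent over plain HTTP (no Secure)")
    return report


if __name__ == "__main__":
    for header, host in [
        ("session=abc123; Max-Age=3600; Secure; HttpOnly; Path=/", "www.example.com"),
        ("track=xyz; Expires=Wed, 09 Jun 2021 10:18:14 GMT", "ads.tracker.example"),
        ("big=" + "x" * 5000, "www.example.com"),
    ]:
        r = evaluate_cookie(header, host, "example.com", now=EXAMPLE_NOW)
        print(r.name, "first-party" if r.first_party else "third-party", r.expires, r.warnings)
```

Run against a page on example.com, the first constructed header produces no warnings, the tracker's cookie is third-party and already expired, and the oversized one is discarded outright.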
  • 14. CGI (Common Gateway Interface)
    • CGI script – program code that adheres to CGI rules.
      – Used for communicating with other server software via web pages.
      – CGI on the server must be set to not execute remote code statements
  • 15. Web security
    • SSL (Secure Sockets Layer) – v3.0 latest
      – Disable versions 1 & 2
    • TLS (Transport Layer Security) – v1.0 is approximately the same as SSL 3.0
    • PCT (Personal Communications Technology) – Microsoft technology with longer keys and a better algorithm than SSL. (Not popular)
    • Application layer protocol so it can run on top of any network but it must be integrated with the program to work.
  • 16. SSL / TLS / PCT Steps
    1. Client sends a ClientHello message specifying the list of cipher suites, compression methods and the highest protocol version it supports.
    2. Server receives the ClientHello and sends a ServerHello, where selections are made from the available suites, compression methods, and versions.
    3. Client and server exchange certificates (depending on the selected public key cipher). The server can request a certificate from the client, so that the connection can be mutually authenticated.
    4. Master secret (a common secret used for generating other keys) is negotiated using a Diffie-Hellman exchange, or by encrypting a secret with a public key (if using mutual authentication).
    5. Data is sent encrypted with a key generated from the master secret and the selected cipher suite.
    6. When the connection is terminated a hash of all the exchanged data seen by both parties is sent for verification.
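The six steps above, played out with both sides' messages, as an added example that is not from the slides and is not real TLS: the messages are Python dicts, the Diffie-Hellman group is a toy prime far too small for real use, the record "cipher" is a SHA-256 keystream XOR standing in for the negotiated suite, the certificates are bare subject names, and the version and cipher-suite names are constructed. What it does show faithfully is the ServerHello selection (highest version both support, server's preferred suite among those the client offered), both sides arriving at one master secret from the key exchange, and step 6's closing transcript hash catching a handshake that was altered in flight, for instance a ClientHello whose suite list was cut down to a weak suite on the way to the server.

```python
"""Walk-through of the slide's six SSL/TLS handshake steps with both sides' messages.

Added example; not from the slides and not real TLS. Messages are dicts, the
Diffie-Hellman modulus is a toy prime (insecure size), record protection is a
SHA-256 keystream XOR, certificates are bare subject names, and the version and
cipher-suite names are constructed.
"""
import hashlib
import hmac
import secrets

VERSION_ORDER = ["SSLv2", "SSLv3", "TLSv1.0"]   # lowest to highest (constructed names)
P = 2**61 - 1    # toy Diffie-Hellman modulus (a Mersenne prime); far too small for real use
G = 7


class HandshakeError(Exception):
    pass


class Party:
    """One endpoint: what it supports, plus a running hash of every handshake message it saw."""

    def __init__(self, name, max_version, suites, want_client_cert=False):
        self.name = name
        self.max_version = max_version
        self.suites = list(suites)               # in preference order
        self.want_client_cert = want_client_cert
        self.transcript = hashlib.sha256()       # step 6 compares these across both sides
        self.master_secret = None

    def see(self, msg):
        """Record a handshake message as this party observed it, then return it."""
        self.transcript.update(repr(sorted(msg.items())).encode())
        return msg


class Session:
    """Step 5: record protection keyed from the master secret and the selected suite."""

    def __init__(self, version, suite, master_secret):
        self.version, self.suite = version, suite
        self.key = hashlib.sha256(b"key expansion" + suite.encode() + master_secret).digest()

    def _xor_keystream(self, data):
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hashlib.sha256(self.key + i.to_bytes(4, "big")).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    encrypt = decrypt = _xor_keystream    # XOR stream: the same operation in both directions


def handshake(client, server, intercept=lambda m: m):
    """Steps 1-4. `intercept` stands in for the network path and may alter a message in flight."""
    # 1. ClientHello: what the client can do.
    hello = client.see({"type": "ClientHello", "version": client.max_version,
                        "suites": client.suites, "compression": ["null"]})
    hello = server.see(intercept(hello))
    # 2. ServerHello: highest version both support, first suite in *server* preference order.
    version = min(hello["version"], server.max_version, key=VERSION_ORDER.index)
    suite = next((s for s in server.suites if s in hello["suites"]), None)
    if suite is None:
        raise HandshakeError("no cipher suite in common")
    server_hello = server.see({"type": "ServerHello", "version": version,
                               "suite": suite, "compression": "null"})
    client.see(intercept(server_hello))
    # 3. Certificates (constructed subjects; signatures are not modelled here).
    client.see(server.see({"type": "Certificate", "subject": "CN=www.example.test"}))
    if server.want_client_cert:
        client.see(server.see({"type": "CertificateRequest"}))
        server.see(client.see({"type": "Certificate", "subject": "CN=client.example.test"}))
    # 4. Master secret by Diffie-Hellman: each side combines its private value with the peer's public value.
    s_priv, c_priv = secrets.randbelow(P - 3) + 2, secrets.randbelow(P - 3) + 2
    ske = client.see(server.see({"type": "ServerKeyExchange", "dh_public": pow(G, s_priv, P)}))
    cke = server.see(client.see({"type": "ClientKeyExchange", "dh_public": pow(G, c_priv, P)}))
    for party, priv, peer in ((server, s_priv, cke), (client, c_priv, ske)):
        shared = pow(peer["dh_public"], priv, P)
        party.master_secret = hashlib.sha256(b"master secret" + shared.to_bytes(8, "big")).digest()
    return Session(version, suite, client.master_secret)


def close_connection(client, server):
    """Step 6: each side MACs its own transcript hash with the master secret; True if they agree."""
    def finished(p):
        return hmac.new(p.master_secret, p.transcript.digest(), "sha256").digest()
    return hmac.compare_digest(finished(client), finished(server))


if __name__ == "__main__":
    client = Party("client", "TLSv1.0", ["DHE-AES128-SHA", "RSA-RC4-MD5"])
    server = Party("server", "SSLv3", ["DHE-AES128-SHA", "RSA-RC4-MD5"])
    session = handshake(client, server)
    print(session.version, session.suite, "transcripts agree:", close_connection(client, server))
```

Because each side hashes the messages as it actually saw them, a ClientHello that was rewritten between client and server leaves the two transcripts different; the session keys still derive correctly, so only the step 6 check exposes the downgrade, which is why real TLS verifies the transcript in the Finished messages before any application data is trusted.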
  • 17. FORTEZZA
    • Information security system based on a PC Card security token.
    • Each individual who is authorized to see protected information is issued a Fortezza card that stores private keys and other data needed to gain access.
    • Widely used in government and military applications
    • Latest version is FORTEZZA Plus
  • 18. HTTP & SSL
    • HTTPS – HTTP over SSL/TLS – secures individual messages instead
    • SSL/TLS secures the entire communication between client and server
    • Port 443
  • 19. Chatting
    • IM (Instant Message)
    • Server contains a list of users and their buddies
    • When connected, a user’s IP & port are sent to all their buddies.
    • Direct connections can be established to send messages without involving the server.
    • Most chat programs can log chats (optional); the logs are stored locally. Google Talk stores chat logs on the server.
    • Data sent through IM could be malicious (pictures, programs, video, music)
  • 20. Acronyms
    • CGI, Common Gateway Interface
    • CAN-SPAM, Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003
    • IM, Instant Messaging
    • IMAP, Internet Mail Access Protocol
    • MIME, Multipurpose Internet Mail Extensions
    • PCT, Personal Communications Technology
    • POP, Post Office Protocol
    • PGP, Pretty Good Privacy
    • S/MIME, Secure Multipurpose Internet Mail Extensions
    • SSL, Secure Sockets Layer
    • SMTP, Simple Mail Transfer Protocol
    • TLS, Transport Layer Security
    • VM, Virtual Machine