Lotus Domino
Building Rock Solid Security
Part - I

© Sanjaya Kumar Saxena
Building Rock Solid Lotus Domino Security
Part I - Essential Information Security Concepts

Lotus Security Part I

  1. Lotus Domino: Building Rock Solid Security, Part I. © Sanjaya Kumar Saxena
  2. The Alarming Truth. [Collage of January-February 2008 news headlines: Italian bank hit by XSS fraudsters; Chinese hackers steal 18 million identities; RIAA websites wiped off the Net; Greek Ministry intrusion; Ecuador's presidential blogs defaced by XSS; drive-by pharming in the wild; hacker steals Davidson Co.'s client data; "Your free MacWorld Expo Platinum Pass" hack. Sources cited include Netcraft, The Register, CNet, Symantec, AP, Information Week, IndiaTimes.com, eKathimerini, Thaindian and Wikipedia.]
  3. Vulnerability Consequences. [Chart: consequences as a percentage of overall disclosures in 2006-2008.]
  4. Vulnerabilities by Attack Technique. [Chart.]
  5. What is Information? Knowledge acquired through study, experience or instruction; a collection of facts or data. In our context of ISO 27K: an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected. Categories: Internal, External, Customer, Outsourced.
  6. What is Security? Freedom from danger, risk, etc.; safety. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
  7. What is Information Security? "The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats." (from the U.S. National Information Systems Security Glossary)
  8. What is Information Security? (Same text as slide 7.)
  9. What is Information Security? Confidentiality: ensuring that information is accessible only to those authorized to have access. Integrity: safeguarding the accuracy and completeness of information and processing methods. Availability: ensuring that authorized users have access to information and associated assets when required. (from ISO 27001)
  10. What is a Threat? Something that is a source of danger: "Earthquakes are a constant threat in Japan." In our context: unwanted events that may result in harm to asset(s); may be deliberate or accidental; exploit known vulnerabilities.
  11. Information Security Threats. A threat is characterised along three axes: Source (Internal, External); Technique (Eavesdropping, Privacy, Authentication, Repudiation, Unauthorized Access, Denial of Service); Method (Unstructured, Structured).
  12. Vulnerabilities. A weakness in the system, the result of a bug or of a design/deployment flaw. Common vulnerabilities: Buffer Overflow, SQL Injection, Cross Site Scripting (XSS), Directory Traversal. SPAM is the result of SMTP vulnerabilities.
  13. Threats - Counter Measures. Eavesdropping: Cryptography. Privacy: Cryptography. Authentication: Passwords/Certificates. Repudiation: Digital Signatures. Unauthorized Access: ACLs/Cryptography. Denial of Service: Availability/Firewall.
  14. SQL Injection. SQL Injection vulnerabilities occur due to improper validation of user input fields. This attack can be mounted when form field contents are used to build SQL statements dynamically inside the code, which are subsequently executed. This may allow the attacker to include malicious code in the dynamically created SQL statement by manipulating the data entered in the input field. The attacker may gain access to the back-end database, allowing him/her to read, delete and modify information. A SQL injection attack at the time of logging into an application is shown in the following slides.
  15. SQL Injection. [Login form: Username, Password, "Remember Me", LOGIN, "Forgot Password?"]
  16. SQL Injection. [The same form with the two fields labelled UserID and Password123, the names used for the field contents on the next slides.]
  17-19. SQL Injection. The application builds the statement by concatenating the two field contents into the SQL text:
     Statement = "Select * from tUsers where userid = '" + UserID + "' AND password = '" + Password123 + "'";
  20-21. SQL Injection. With the legitimate values sks and pw3007 the statement executed is
     SELECT * from tUsers where userid = 'sks' AND password = 'pw3007'
     which matches the row in tUsers: UserID 9876, Username sks, Password pw3007, User's Name Sanjaya K Saxena.
  22-24. SQL Injection. The attacker instead enters UserID = ' or 1=1 -- and the statement becomes
     SELECT * from tUsers where userid = '' or 1=1 --' AND password = 'pw3007'
     The first quote closes the empty userid string, "or 1=1" makes the condition true for every row, and "--" turns the rest of the statement, including the password check, into a comment.
  25. SQL Injection. (Same as slide 24.)
  26. XSS Attack. Cross Site Scripting vulnerabilities occur when a web-based application does not validate user inputs on form fields, the syntax of URLs, etc. An attacker can embed their own code into the data entry form, manipulating the appearance and/or behavior of the page. A web link is crafted and placed on the page in a manner that entices users to click on it. Users treat the link placed on the web form as coming from a trusted source or the same organization, thereby falling prey to this vulnerability. The attacker gets access to sensitive application information by accessing cookie data of the user's account on the vulnerable website/application. An XSS attack is shown in the following slides, displaying a form field that allowed a user to enter JavaScript code which returns complete user profile information from the application's database. In this example "alert(document.cookie)" is entered in an input field, leading to the compromise of cookie information.
  27. XSS. [Screenshot: a simple entry form of a social networking application.]
  28. XSS. [Screenshot: field manipulation with JavaScript.]
  29. XSS. [Screenshot: all it takes to pop up your sensitive information from the database.]
  30. XSS - SAMY MySpace Worm. A self-propagating Cross Site Scripting (XSS) worm affected millions of profiles on MySpace.
  31. XSS - SAMY MySpace Worm. The process began when a user (SAMY) placed JavaScript code in his profile on Myspace.com, a community site for sharing photos and staying in touch with friends.
  32. XSS - SAMY MySpace Worm. When other users of Myspace.com viewed SAMY's profile, the code would initiate a background request via AJAX to add SAMY to the user's friends list.
  33. XSS - SAMY MySpace Worm. This code bypassed the normal approval process for adding a user of the application to their friends list.
  34. XSS - SAMY MySpace Worm. The next step in the script was self-replication.
  35. XSS - SAMY MySpace Worm. This involved parsing out the code and pasting it into the viewing user's profile.
  36. XSS - SAMY MySpace Worm. This process would repeat in the newly infected user's profile.
  37. XSS - SAMY MySpace Worm. [Diagram: the script spreading from profile to profile.]
  38. XSS - SAMY MySpace Worm. The spread of the virus limits itself to the website and can essentially create a denial-of-service attack, due to the exponential growth of the attacker's friends list. This code will not affect any other site, except that the malicious code can be reused by another hacker.
  39. Typical Attack Methodology - A Quick Preview. Reconnaissance; Discover & Understand Vulnerabilities; Mount Attack.
  40. Reconnaissance. An inspection or exploration of an area, especially in the context of military information gathering. Commonly known techniques: Social Engineering; Dumpster Diving; Leveraging the Web (WHOIS, DNS, Search Engines); Web-based online tools (http://privacy.net/analyze, http://network-tools.com).
  41. Reconnaissance Example. Open the web site and view the source to check out the web server; if that gives no information, use TELNET. IIS V5 has over 250 known vulnerabilities.
  42. Attack Demonstration - Step 1. Search engines can be used to look up NSFs on the web. [Screenshot.]
  43. Attack Demonstration - Step 2. Names.nsf found exposed. [Screenshot.]
  44. Attack Demonstration - Step 3. [Screenshot.]
  45. Attack Demonstration - Step 4. [Screenshot.]
  46. Counter Measures - Basic Concepts.
  47. What is Cryptography? "Algorithms implemented in hardware or software to mathematically combine a key with plain text to produce cipher text and to convert cipher text to its original plain text form."
  48. Dual Key Cryptography. [Diagram: Message -> Encryptor (secret or public key) -> Decryptor (secret or public key) -> Message.]
  49. Digital Signature. [Diagram. Signing: Message -> Hash (#) -> Encryptor with Your Secret Key -> Digital Signature, sent together with the message. Verifying: Digital Signature -> Decryptor with Your Public Key -> Hash, compared (=) with the hash of the received message.]
  50. A Fundamental Question. How do I trust a public key? Let a trustworthy agency certify it! A certificate contains: Name, Public Key, Expiry Date, Issuer ID, Other Attributes, and the CA's Digital Signature. Like a driving license or passport, it certifies your public key and other attributes and is issued by a trustworthy agency, called a Certification Agency (CA).
  51. Secured Transactions using Certificates. Validate by establishing trust. Authenticate by challenging each other.
  52. Establishing Trust. By exchange of certificates (after masking private data, if any). By comparing certificates: trust the public key if the two have a common CA; this is possible in a hierarchical situation also.
  53. Authentication - Step 1. ❶ The requester generates a random number and challenges the server to sign it. ❷ The server signs it and sends the signature back. ❸ The requester verifies the signature.
  54. Authentication - Step 2. ❶ The server generates a random number and challenges the requester to sign it. ❷ The requester signs it and sends the signature back. ❸ The server verifies the signature. Authentication is successful!
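The login flow of slides 14 to 25, as an added example that is not part of the original deck: the concatenated statement of slide 17 beside a parameterised query, both run against an in-memory SQLite table holding the sample row from slide 21. The table layout, the function names and the use of SQLite are my own assumptions; the deck does not say which database or language the application used.

```python
# Added example (not from the slides): the login statement built by string
# concatenation, next to the parameterised form that closes the hole.
import sqlite3


def make_db():
    """In-memory tUsers table with the single row shown on slide 21 (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tUsers (id INTEGER, userid TEXT, password TEXT, fullname TEXT)"
    )
    conn.execute(
        "INSERT INTO tUsers VALUES (9876, 'sks', 'pw3007', 'Sanjaya K Saxena')"
    )
    conn.commit()
    return conn


def build_statement(userid, password):
    """The vulnerable construction from slide 17: field contents pasted
    straight into the SQL text, quotes and all."""
    return ("SELECT * FROM tUsers WHERE userid = '" + userid
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, userid, password):
    """Executes the concatenated statement and returns the matched rows.
    A userid of  ' or 1=1 --  returns every row, as on slide 24."""
    return conn.execute(build_statement(userid, password)).fetchall()


def login_parameterised(conn, userid, password):
    """The fix: the statement text is fixed; the values travel separately as
    bind parameters, so a quote or comment marker in them is just data."""
    return conn.execute(
        "SELECT * FROM tUsers WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_statement("' or 1=1 --", "pw3007"))
    print("vulnerable:", login_vulnerable(db, "' or 1=1 --", "anything"))
    print("parameterised:", login_parameterised(db, "' or 1=1 --", "anything"))
```

Bind parameters are the fix, not quote-stripping or blacklists of words like "or": the database parser never sees the user's text as SQL. The plaintext password column is kept only to mirror the slide; a real table stores a salted password hash and compares against that.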
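The stored-script problem of slides 26 to 38, as an added example that is not from the deck: a profile field rendered once as-is (the pattern the SAMY worm relied on) and once with HTML entity encoding, plus a sweep over stored fields that a defender can run to find profiles already carrying a script tag. The profile texts are constructed; the script body is the "alert(document.cookie)" probe quoted on slide 26; function names are my own.

```python
# Added example (not from the slides): a profile page rendered unsafely and
# safely, and a check over stored profile data for un-encoded script tags.
import html
import re

# Constructed sample data: one ordinary profile and one carrying the probe
# from slide 26 in its "about me" field.
PROFILES = {
    "alice": "Loves photos & hiking",
    "samy": "Hi, add me as a friend! <script>alert(document.cookie)</script>",
}

TEMPLATE = '<div class="about"><h2>{name}</h2><p>{about}</p></div>'


def render_unsafe(name):
    """Vulnerable: the stored field is pasted into the page unchanged, so any
    <script> it contains runs in every viewer's browser with that viewer's
    cookies (the behaviour slides 31-36 describe)."""
    return TEMPLATE.format(name=name, about=PROFILES[name])


def render_safe(name):
    """Fixed: every untrusted value is entity-encoded before it is placed in
    HTML text, so the browser displays the characters instead of parsing them."""
    return TEMPLATE.format(
        name=html.escape(name, quote=True),
        about=html.escape(PROFILES[name], quote=True),
    )


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page):
    """True if an un-encoded <script> opening tag is present in the HTML.
    Usable as a test on rendered output or as a scan of stored data."""
    return SCRIPT_TAG.search(page) is not None


def audit_stored_profiles():
    """Defender's sweep: names of profiles whose stored text would inject a
    script tag if any page rendered it raw."""
    return [n for n, text in PROFILES.items() if contains_live_script(text)]


if __name__ == "__main__":
    print(render_unsafe("samy"))
    print(render_safe("samy"))
    print("profiles carrying script:", audit_stored_profiles())
```

Encoding on output is what stops the script from executing; input validation alone, as slide 26 notes, is what the vulnerable application lacked, but the encoding step is the control that holds even when a field is later reused in a page nobody validated.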
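The signing, certificate and mutual challenge-response flow of slides 49 to 54, carried through in code as an added example that is not from the deck and is not how Domino implements it. A textbook RSA built from well-known Mersenne primes stands in for a real signature scheme so that the exchange runs offline with no libraries; the key sizes are far too small for real use. The CA name "ExampleCA", the party names, the certificate field layout and the date strings are all constructed.

```python
# Added example (not from the slides): hash-sign-verify (slide 49), a CA-signed
# certificate (slide 50), trust by common CA (slide 52) and the two-way
# challenge-response of slides 53-54. Toy RSA; not for real keys.
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Toy RSA key generation from two constructed primes.
    Returns (public_key, secret_key) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def digest(message: bytes) -> int:
    """The '#' of slide 49: the message hash, taken as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(secret_key, message: bytes) -> int:
    """Slide 49, left side: the hash is 'encrypted' with your secret key."""
    n, d = secret_key
    return pow(digest(message) % n, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Slide 49, right side: 'decrypt' with the public key and compare with
    a fresh hash of the received message."""
    n, e = public_key
    return pow(signature, e, n) == digest(message) % n


def _tbs(cert) -> bytes:
    """'To-be-signed' bytes: the certificate fields in a fixed order."""
    n, e = cert["public_key"]
    return f'{cert["name"]}|{n}|{e}|{cert["expiry"]}|{cert["issuer"]}'.encode()


def issue_certificate(ca_name, ca_secret_key, subject, subject_public_key, expiry):
    """Slide 50: the CA binds name, public key and expiry under its signature."""
    cert = {"name": subject, "public_key": subject_public_key,
            "expiry": expiry, "issuer": ca_name}
    cert["ca_signature"] = sign(ca_secret_key, _tbs(cert))
    return cert


def trust_certificate(cert, trusted_cas, today):
    """Slide 52: trust the key if the certificate is signed by a CA we share
    and has not expired (dates are ISO strings, so they compare as text)."""
    ca_key = trusted_cas.get(cert["issuer"])
    if ca_key is None or cert["expiry"] < today:
        return False
    return verify(ca_key, _tbs(cert), cert["ca_signature"])


class Party:
    """One side of the exchange: its secret key, certificate and trusted CAs."""
    def __init__(self, secret_key, cert, trusted_cas):
        self.secret_key, self.cert, self.trusted_cas = secret_key, cert, trusted_cas

    def challenge(self):           # ❶ random number for the other side to sign
        return secrets.token_bytes(16)

    def respond(self, nonce):      # ❷ sign the challenge with our secret key
        return sign(self.secret_key, nonce)

    def check(self, peer_cert, nonce, signature, today):   # ❸ verify
        return (trust_certificate(peer_cert, self.trusted_cas, today)
                and verify(peer_cert["public_key"], nonce, signature))


def mutual_authenticate(requester, server, today):
    """Slides 53 and 54: each side challenges the other; both must succeed."""
    r_nonce = requester.challenge()
    step1 = requester.check(server.cert, r_nonce, server.respond(r_nonce), today)
    s_nonce = server.challenge()
    step2 = server.check(requester.cert, s_nonce, requester.respond(s_nonce), today)
    return step1 and step2


def run_demo(today="2008-06-01"):
    """Builds a CA, a server and a requester with constructed keys, runs the
    exchange, and shows the checks that reject an untrusted issuer, an expired
    certificate and a tampered message. Primes are Mersenne primes (toy sizes)."""
    ca_pub, ca_sec = make_keypair(2**61 - 1, 2**31 - 1)
    srv_pub, srv_sec = make_keypair(2**89 - 1, 2**19 - 1)
    req_pub, req_sec = make_keypair(2**127 - 1, 2**17 - 1)
    trusted = {"ExampleCA": ca_pub}              # the CA both sides share
    server = Party(srv_sec, issue_certificate("ExampleCA", ca_sec, "server", srv_pub, "2009-12-31"), trusted)
    requester = Party(req_sec, issue_certificate("ExampleCA", ca_sec, "requester", req_pub, "2009-12-31"), trusted)
    imp_pub, imp_sec = make_keypair(2**89 - 1, 2**17 - 1)   # self-certified impostor
    impostor = Party(imp_sec, issue_certificate("RogueCA", imp_sec, "server", imp_pub, "2009-12-31"), trusted)
    sig = sign(srv_sec, b"pay 100")
    return {
        "mutual_ok": mutual_authenticate(requester, server, today),
        "impostor_rejected": not mutual_authenticate(requester, impostor, today),
        "expired_rejected": not mutual_authenticate(requester, server, "2010-01-01"),
        "tampered_rejected": not verify(srv_pub, b"pay 900", sig),
    }


if __name__ == "__main__":
    print(run_demo())
```

The random challenge is what makes the exchange a proof of possession rather than a replay: a captured signature is useless against a fresh nonce. The certificate check comes before the signature check, matching slide 51's order of "validate, then authenticate"; a valid signature under a key nobody vouches for proves nothing.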
