Information Security Lesson 6 - Web Security - Eric Vanderburg

Information Security
Chapter 6
Web Security

Information Security © 2006 Eric Vanderburg

Reasons for software vulnerability
• Large amount of code
– Windows 2000 – 20 million lines
– Windows XP – 40 million lines
– Linux – 55 million lines

• Extensibility
– Ex: Firefox plug-ins
– Drivers (use signed drivers)

• Wired (connectivity)
– More internet enabled applications which may
not be secure. (weather, stocks, media
player)

An email message
1. sender@source.com uses a client to
create a message for
receiver@destination.com
2. Client connects to mail.source.com
SMTP server on port 25 and forwards
the message.
3. SMTP server compares the source and
destination domain names. If they are
the same, the message goes to the
POP3 server for source.com via the
delivery agent.

An email message
4. The source.com SMTP server connects to the
destination.com SMTP server and passes the
message. If the destination.com SMTP server
is not responding, the message is queued and
sent later. After 4 hours in the queue the
sender is notified.
5. Destination.com passes the message to the
destination.com POP3 server.
6. The message is stored in the POP3 mailbox
for retrieval by receiver@destination.com


Email
• POP3 (Post Office Protocol) – offers a
storage place for messages until
downloaded from the server. Port 119
• IMAP (Internet Mail Access Protocol) –
Messages always reside on the server.
Port 143
• E-mail attachments are documents in
binary format (word processing
documents, spreadsheets, sound files,
pictures)

Email
• **All the following operate at the application layer
• MIME (Multipurpose Internet Mail Extensions) – standard
for embedding email with rich text, graphics, sound, &
video.
• S/MIME (Secure MIME) – adds encryption and
authentication to email.
–
–
–
–
–

Digital signatures
Works with different email clients
Encrypts messages
Encryption & signing is transparent
Checksums to protect integrity

• PGP (Pretty Good Privacy) – Encrypted with a session
key that is encrypted with the recipient’s public key.
– Must download a plugin to use with email clients.

Email vulnerabilities
• Several e-mail vulnerabilities can be
exploited by attackers:
– Malware
– Spam
– Hoaxes

• SMTP relay attacks allow spammers to
send thousands of e-mail messages to
users


Email vulnerabilities
• SPAM
– 30 billion daily e-mail messages are spam
– 25% of users say the ever-increasing volume of spam
has reduced their overall use of e-mail
– 52% of users indicate spam has made them less
trusting of e-mail in general
– 70% of users say spam has made being online
unpleasant or annoying
– Use a backlist of spammers to block any e-mail that
originates from their e-mail addresses
– Bayesian filtering – words found in the SPAM bin help
define other SPAM messages.

Internet vulnerabilities
• Buffer overflow attacks are common ways
to gain unauthorized access to Web
servers
• Both file names and aliases must be
protected if 8.3 aliases are not disabled.
Incorrect permissions could be applied.
• Dynamic content can also be used by
attackers
– Repurposed programming - using
programming tools in ways more harmful than
originally intended (Javascript, ActiveX)

JavaScript
• Provides client side dynamic content
• Virtual Machine (VM) - a Java interpreter
• JavaScript code is downloaded onto the
user’s computer within the HTML code
– defense mechanisms:
• Cannot read or write to the file system
• No networking capabilities

– problems:
• Can capture and send user information without the
user’s knowledge or authorization
• Security is through browser. It does not protect
code that executes outside a browser.

Java Applet
• Separate program downloaded with but
separate from the HTML
• Sandbox - Surrounds program and keeps
it away from private data and other
resources on a local computer
• Signed or unsigned


ActiveX
• Standard for information sharing between
programs
• Installed when referenced by a web page
• Do not run in a sandbox. Has full access to the
OS
• Signed or unsigned – only proves source but not
safety
• Only run on Windows
• Set per computer instead of per user
• ActiveX controls as a whole are either disabled
or enabled in IE

Cookies
• Stores information from a web site
– Sessions
– Saved logon

•
•
•
•
•
•

Very small (4KB)
Has an expiration date
First party cookie – A site’s own cookie
Third party cookie – Another site’s cookie
Disable third party cookie access
Many sites require cookies so disabling them will
change your online experience but disallowing
sites

CGI (Common Gateway Interface)
• CGI script – program code that adheres to
CGI rules.
– Used for communicating with other server
software via web pages.
– CGI on the server must be set to not execute
remote code statements


Web security
• SSL (Secure Sockets Layer)- v3.0 latest
– Disable versions 1 & 2

• TLS (Transport Layer Security) – v1.0 is
approximately the same as SSL3.0
• PCT (Personal Communications
Technology) – Microsoft technology with
longer keys and a better algorithm than
SSL. (Not popular)
• Application layer protocol so it can run on
top of any network but it must be
integrated with the program to work.

SSL / TLS / PCT Steps
1.
2.
3.

4.
5.
6.

Client sends a ClientHello message specifying the list of cipher
suites, compression methods and the highest protocol version it
supports.
Server receives the ClientHello and sends a ServerHello, where
selections are made from available suites, compression, and
versions.
Client and server exchange certificates (depending on the
selected public key cipher) The server can request a certificate
from the client, so that the connection can be mutually
authenticated.
Master secret (a common secret used for generating other keys)
is negotiated using Diffie-Hellman exchange, or by encrypting a
secret with a public key (if using mutual authentication).
Data is sent encrypted with a key generated from the master
secret and the selected cipher suite.
When the connection is terminated a hash of all the exchanged
data seen by both parties is sent for verification.


FORTEZZA
• Information security system based on a
PC Card security token.
• Each individual who is authorized to see
protected information is issued a Fortezza
card that stores private keys and other
data needed to gain access.
• Wide in use in Government and Military
applications
• Latest version is FORTEZZA Plus

HTTP & SSL
• HTTPS - HTTP over SSL/TLS – secures
individual messages instead
• SSL/TLS secures the entire
communication between client and server
• Port 443


Chatting
• IM (Instant Message)
• Server contains list of users and their buddies
• When connected, a user’s IP & port are sent to
all their buddies.
• Direct connections can be established to send
messages without involving the server.
• Most chat programs can log chats (optional)
which are stored locally. Google Talk stores
chat logs on the server.
• Data sent through IM could be malicious
(pictures, programs, video, music)

Acronyms
• CGI, Common Gateway Interface
• CAN-SPAM, Controlling the Assault of Non Solicited
Pornography and Marketing Act of 2003
• IM, Instant Messaging
• IMAP, Internet Mail Access Protocol
• MIME, Multipurpose Internet Mail Extensions
• PCT, Personal Communications Technology
• POP, Post Office Protocol
• PGP, Pretty Good Privacy
• S/MIME, Secure Multipurpose Internet Mail Extensions
• SSL, Secure Sockets Layer
• SMTP, Simple Mail Transfer Protocol
• TLS, Transport Layer Security
• VM, Virtual Machine

Information Security Lesson 6 - Web Security - Eric Vanderburg

More Related Content

What's hot

Viewers also liked

Similar to Information Security Lesson 6 - Web Security - Eric Vanderburg

More from Eric Vanderburg

Recently uploaded

Information Security Lesson 6 - Web Security - Eric Vanderburg