Chapter 6: Web Security

1
Chapter 6 Web Security

• Security Guide to Network Security Fundamentals
• Second Edition

2
Objectives

• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

3
Protecting E-Mail Systems

• E-mail has replaced the fax machine as the
  primary communication tool for businesses
• Has also become a prime target of attackers and
  must be protected

4
How E-Mail Works

• Use two Transmission Control Protocol/Internet
  Protocol (TCP/IP) protocols to send and receive
  messages
• Simple Mail Transfer Protocol (SMTP) handles
  outgoing mail
• Post Office Protocol (POP3 for the current
  version) handles incoming mail
• The SMTP server on most machines uses sendmail to
  do the actual sending this queue is called the
  sendmail queue

5
How E-Mail Works (continued)
6
How E-Mail Works (continued)

• Sendmail tries to resend queued messages
  periodically (about every 15 minutes)
• Downloaded messages are erased from POP3 server
• Deleting retrieved messages from the mail server
  and storing them on a local computer make it
  difficult to manage messages from multiple
  computers
• Internet Mail Access Protocol (current version is
  IMAP4) is a more advanced protocol that solves
  many problems
• E-mail remains on the e-mail server

7
How E-Mail Works (continued)

• E-mail attachments are documents in binary format
  (word processing documents, spreadsheets, sound
  files, pictures)
• Non-text documents must be converted into text
  format before being transmitted
• Three bytes from the binary file are extracted
  and converted to four text characters

8
E-Mail Vulnerabilities

• Several e-mail vulnerabilities can be exploited
  by attackers
• Malware
• Spam
• Hoaxes

9
Malware

• Because of its ubiquity, e-mail has replaced
  floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of
  choice for two reasons
• Because almost all Internet users have e-mail, it
  has the broadest base for attacks
• Malware can use e-mail to propagate itself

10
Malware (continued)

• A worm can enter a users computer through an
  e-mail attachment and send itself to all users
  listed in the address book or attach itself as a
  reply to all unread e-mail messages
• E-mail clients can be particularly susceptible to
  macro viruses
• A macro is a script that records the steps a user
  performs
• A macro virus uses macros to carry out malicious
  functions

11
Malware (continued)

• Users must be educated about how malware can
  enter a system through e-mail and proper policies
  must be enacted to reduce risk of infection
• E-mail users should never open attachments with
  these file extensions .bat, .ade, .usf, .exe,
  .pif
• Antivirus software and firewall products must be
  installed and properly configured to prevent
  malicious code from entering the network through
  e-mail
• Procedures including turning off ports and
  eliminating open mail relay servers must be
  developed and enforced

12
Spam

• The amount of spam (unsolicited e-mail) that
  flows across the Internet is difficult to judge
• The US Congress passed the Controlling the
  Assault of Non-Solicited Pornography and
  Marketing Act of 2003 (CAN-SPAM) in late 2003

13
Spam (continued)

• According to a Pew memorial Trust survey, almost
  half of the approximately 30 billion daily e-mail
  messages are spam
• Spam is having a negative impact on e-mail users
• 25 of users say the ever-increasing volume of
  spam has reduced their overall use of e-mail
• 52 of users indicate spam has made them less
  trusting of e-mail in general
• 70 of users say spam has made being online
  unpleasant or annoying

14
Spam (continued)

• Filter e-mails at the edge of the network to
  prevent spam from entering the SMTP server
• Use a backlist of spammers to block any e-mail
  that originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian
  filtering
• User divides e-mail messages received into two
  piles, spam and not-spam

15
Hoaxes

• E-mail messages that contain false warnings or
  fraudulent offerings
• Unlike spam, are almost impossible to filter
• Defense against hoaxes is to ignore them

16
Hoaxes (continued)

• Any e-mail message that appears as though it
  could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as
  someone else is sent to unsuspecting recipients

17
E-Mail Encryption

• Two technologies used to protect e-mail messages
  as they are being transported
• Secure/Multipurpose Internet Mail Extensions
• Pretty Good Privacy

18
Secure/Multipurpose Internet Mail Extensions
(S/MIME)

• Protocol that adds digital signatures and
  encryption to Multipurpose Internet Mail
  Extension (MIME) messages
• Provides these features
• Digital signatures Interoperability
• Message privacy Seamless integration
• Tamper detection

19
Pretty Good Privacy (PGP)

• Functions much like S/MIME by encrypting messages
  using digital signatures
• A user can sign an e-mail message without
  encrypting it, verifying the sender but not
  preventing anyone from seeing the contents
• First compresses the message
• Reduces patterns and enhances resistance to
  cryptanalysis
• Creates a session key (a one-time-only secret
  key)
• This key is a number generated from random
  movements of the mouse and keystrokes typed

20
Pretty Good Privacy (PGP) (continued)

• Uses a passphrase to encrypt the private key on
  the local computer
• Passphrase
• A longer and more secure version of a password
• Typically composed of multiple words
• More secure against dictionary attacks

21
Pretty Good Privacy (PGP) (continued)
22
Examining World Wide Web Vulnerabilities

• Buffer overflow attacks are common ways to gain
  unauthorized access to Web servers
• SMTP relay attacks allow spammers to send
  thousands of e-mail messages to users
• Web programming tools provide another foothold
  for Web attacks
• Dynamic content can also be used by attackers
• Sometimes called repurposed programming (using
  programming tools in ways more harmful than
  originally intended)

23
JavaScript

• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed,
  the HTML document with the JavaScript code is
  downloaded onto the users computer
• The Web browser then executes that code within
  the browser using the Virtual Machine (VM)?a Java
  interpreter

24
JavaScript (continued)

• Several defense mechanisms prevent JavaScript
  programs from causing serious harm
• JavaScript does not support certain capabilities
• JavaScript has no networking capabilities
• Other security concerns remain
• JavaScript programs can capture and send user
  information without the users knowledge or
  authorization
• JavaScript security is handled by restrictions
  within the Web browser

25
JavaScript (continued)
26
Java Applet

• A separate program stored on a Web server and
  downloaded onto a users computer along with HTML
  code
• Can also be made into hostile programs
• Sandbox is a defense against a hostile Java
  applet
• Surrounds program and keeps it away from private
  data and other resources on a local computer
• Java applet programs should run within a sandbox

27
Java Applet (continued)
28
Java Applet (continued)

• Two types of Java applets
• Unsigned Java applet program that does not come
  from a trusted source
• Signed Java applet has a digital signature
  proving the program is from a trusted source and
  has not been altered
• The primary defense against Java applets is using
  the appropriate settings of the Web browser

29
Java Applet (continued)
30
ActiveX

• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies
• Object Linking and Embedding (OLE)
• Component Object Model (COM)
• Not a programming language but a set of rules for
  how applications should share information

31
ActiveX (continued)

• ActiveX controls represent a specific way of
  implementing ActiveX
• Can perform many of the same functions of a Java
  applet, but do not run in a sandbox
• Have full access to Windows operating system
• ActiveX controls are managed through Internet
  Explorer
• ActiveX controls should be set to most restricted
  levels

32
ActiveX (continued)
33
Cookies

• Computer files that contains user-specific
  information
• Need for cookies is based on Hypertext Transfer
  Protocol (HTTP)
• Instead of the Web server asking the user for
  this information each time they visits that site,
  the Web server stores that information in a file
  on the local computer
• Attackers often target cookies because they can
  contain sensitive information (usernames and
  other private information)

34
Cookies (continued)

• Can be used to determine which Web sites you view
• First-party cookie is created from the Web site
  you are currently viewing
• Some Web sites attempt to access cookies they did
  not create
• If you went to www.b.org, that site might attempt
  to get the cookie A-ORG from your hard drive
• Now known as a third-party cookie because it was
  not created by Web site that attempts to access
  the cookie

35
Common Gateway Interface (CGI)

• Set of rules that describes how a Web server
  communicates with other software on the server
  and vice versa
• Commonly used to allow a Web server to display
  information from a database on a Web page or for
  a user to enter information through a Web form
  that is deposited in a database

36
Common Gateway Interface (CGI) (continued)

• CGI scripts create security risks
• Do not filter user input properly
• Can issue commands via Web URLs
• CGI security can be enhanced by
• Properly configuring CGI
• Disabling unnecessary CGI scripts or programs
• Checking program code that uses CGI for any
  vulnerabilities

37
8.3 Naming Conventions

• Microsoft Disk Operating System (DOS) limited
  filenames to eight characters followed by a
  period and a three-character extension (e.g.,
  Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to
  contain up to 256 characters
• To maintain backward compatibility with DOS,
  Windows automatically creates an 8.3 alias
  filename for every long filename

38
8.3 Naming Conventions (continued)

• The 8.3 naming convention introduces a security
  vulnerability with some Web servers
• Microsoft Internet Information Server 4.0 and
  other Web servers can inherit privileges from
  parent directories instead of the requested
  directory if the requested directory uses a long
  filename
• Solution is to disable creation of the 8.3 alias
  by making a change in the Windows registry
  database
• In doing so, older programs that do not recognize
  long filenames are not able to access the files
  or subdirectories

39
Securing Web Communications

• Most common secure connection uses the Secure
  Sockets Layer/Transport Layer Security protocol
• One implementation is the Hypertext Transport
  Protocol over Secure Sockets Layer

40
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS)

• SSL protocol developed by Netscape to securely
  transmit documents over the Internet
• Uses private key to encrypt data transferred over
  the SSL connection
• Version 2.0 is most widely supported version
• Personal Communications Technology (PCT),
  developed by Microsoft, is similar to SSL

41
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS) (continued)

• TLS protocol guarantees privacy and data
  integrity between applications communicating over
  the Internet
• An extension of SSL they are often referred to
  as SSL/TLS
• SSL/TLS protocol is made up of two layers

42
Secure Sockets Layer (SSL)/Transport Layer
Security (TLS) (continued)

• TLS Handshake Protocol allows authentication
  between server and client and negotiation of an
  encryption algorithm and cryptographic keys
  before any data is transmitted
• FORTEZZA is a US government security standard
  that satisfies the Defense Messaging System
  security architecture
• Has cryptographic mechanism that provides message
  confidentiality, integrity, authentication, and
  access control to messages, components, and even
  systems

43
Secure Hypertext Transport Protocol (HTTPS)

• One common use of SSL is to secure Web HTTP
  communication between a browser and a Web server
• This version is plain HTTP sent over SSL/TLS
  and named Hypertext Transport Protocol over SSL
• Sometimes designated HTTPS, which is the
  extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection
  between a client and a server over which any
  amount of data can be sent security, HTTPS is
  designed to transmit individual messages securely

44
Securing Instant Messaging

• Depending on the service, e-mail messages may
  take several minutes to be posted to the POP3
  account
• Instant messaging (IM) is a complement to e-mail
  that overcomes these
• Allows sender to enter short messages that the
  recipient sees and can respond to immediately

45
Securing Instant Messaging (continued)

• Some tasks that you can perform with IM
• Chat
• Images
• Sounds
• Files
• Talk
• Streaming content

46
Securing Instant Messaging (continued)

• Steps to secure IM include
• Keep the IM server within the organizations
  firewall and only permit users to send and
  receive messages with trusted internal workers
• Enable IM virus scanning
• Block all IM file transfers
• Encrypt messages

47
Summary

• Protecting basic communication systems is a key
  to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a
  variety of attacks
• A Java applet is a separate program stored on the
  Web server and downloaded onto the users
  computer along with the HTML code

48
Summary (continued)

• ActiveX controls present serious security
  concerns because of the functions that a control
  can execute
• A cookie is a computer file that contains
  user-specific information
• CGI is a set of rules that describe how a Web
  server communicates with other software on the
  server
• The popularity of IM has made this a tool that
  many organizations are now using with e-mail