Title: Chapter 6: Web Security
Chapter 6 Web Security
- Security+ Guide to Network Security Fundamentals
- Second Edition
Objectives
- Protect e-mail systems
- List World Wide Web vulnerabilities
- Secure Web communications
- Secure instant messaging
Protecting E-Mail Systems
- E-mail has replaced the fax machine as the primary communication tool for businesses
- Has also become a prime target of attackers and must be protected
How E-Mail Works
- Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
- Simple Mail Transfer Protocol (SMTP) handles outgoing mail
- Post Office Protocol (POP3 for the current version) handles incoming mail
- The SMTP server on most machines uses sendmail to do the actual sending; this queue is called the sendmail queue
How E-Mail Works (continued)
- Sendmail tries to resend queued messages periodically (about every 15 minutes)
- Downloaded messages are erased from the POP3 server
- Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
- Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many problems
- E-mail remains on the e-mail server
How E-Mail Works (continued)
- E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
- Non-text documents must be converted into text format before being transmitted
- Three bytes from the binary file are extracted and converted to four text characters
E-Mail Vulnerabilities
- Several e-mail vulnerabilities can be exploited by attackers
- Malware
- Spam
- Hoaxes
Malware
- Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
- E-mail is the malware transport mechanism of choice for two reasons
- Because almost all Internet users have e-mail, it has the broadest base for attacks
- Malware can use e-mail to propagate itself
Malware (continued)
- A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all unread e-mail messages
- E-mail clients can be particularly susceptible to macro viruses
- A macro is a script that records the steps a user performs
- A macro virus uses macros to carry out malicious functions
Malware (continued)
- Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce risk of infection
- E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
- Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
- Procedures including turning off ports and eliminating open mail relay servers must be developed and enforced
Spam
- The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
- The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003
Spam (continued)
- According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
- Spam is having a negative impact on e-mail users
- 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
- 52% of users indicate spam has made them less trusting of e-mail in general
- 70% of users say spam has made being online unpleasant or annoying
Spam (continued)
- Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
- Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
- Sophisticated e-mail filters can use Bayesian filtering
- User divides e-mail messages received into two piles, spam and not-spam
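How the two piles become a filter, as an added example that is not part of the original slides: a small naive Bayes classifier with add-one smoothing learns how often each word appears in each pile and scores a new message. The training messages are constructed, and the pile name `ham` for not-spam is this example's own label.

```python
import math
import re
from collections import Counter


def tokens(message):
    """Distinct lower-cased words; the filter counts presence, not frequency."""
    return set(re.findall(r"[a-z0-9$'-]+", message.lower()))


class BayesFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.msg_counts = {"spam": 0, "ham": 0}

    def train(self, message, pile):
        """Record one message the user has placed in the given pile."""
        self.msg_counts[pile] += 1
        self.word_counts[pile].update(tokens(message))

    def spam_probability(self, message):
        """P(spam | words) from Bayes' rule, computed in log space."""
        total = sum(self.msg_counts.values())
        score = {}
        for pile in ("spam", "ham"):
            n = self.msg_counts[pile]
            log_p = math.log(n / total)                  # prior: size of the pile
            for word in tokens(message):
                # Add-one smoothing keeps an unseen word from zeroing the product.
                log_p += math.log((self.word_counts[pile][word] + 1) / (n + 2))
            score[pile] = log_p
        return 1.0 / (1.0 + math.exp(score["ham"] - score["spam"]))


# Constructed training piles, standing in for the user's sorted mail.
SPAM_PILE = ["Win a free prize now", "Cheap meds, free shipping",
             "Claim your free prize today"]
HAM_PILE = ["Meeting agenda for Monday", "Lunch today?",
            "Quarterly report attached for review"]


def build_filter():
    f = BayesFilter()
    for m in SPAM_PILE:
        f.train(m, "spam")
    for m in HAM_PILE:
        f.train(m, "ham")
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("free prize inside", "agenda for the Monday review", "hello"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

A message made only of words the filter has never seen scores 0.5, so the filter improves only as the user keeps sorting mail into the two piles.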
Hoaxes
- E-mail messages that contain false warnings or fraudulent offerings
- Unlike spam, are almost impossible to filter
- Defense against hoaxes is to ignore them
Hoaxes (continued)
- Any e-mail message that appears as though it could not be true probably is not
- E-mail phishing is also a growing practice
- A message that falsely identifies the sender as someone else is sent to unsuspecting recipients
E-Mail Encryption
- Two technologies used to protect e-mail messages as they are being transported
- Secure/Multipurpose Internet Mail Extensions
- Pretty Good Privacy
Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
- Provides these features
- Digital signatures
- Interoperability
- Message privacy
- Seamless integration
- Tamper detection
Pretty Good Privacy (PGP)
- Functions much like S/MIME by encrypting messages using digital signatures
- A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
- First compresses the message
- Reduces patterns and enhances resistance to cryptanalysis
- Creates a session key (a one-time-only secret key)
- This key is a number generated from random movements of the mouse and keystrokes typed
Pretty Good Privacy (PGP) (continued)
- Uses a passphrase to encrypt the private key on the local computer
- Passphrase
- A longer and more secure version of a password
- Typically composed of multiple words
- More secure against dictionary attacks
Examining World Wide Web Vulnerabilities
- Buffer overflow attacks are common ways to gain unauthorized access to Web servers
- SMTP relay attacks allow spammers to send thousands of e-mail messages to users
- Web programming tools provide another foothold for Web attacks
- Dynamic content can also be used by attackers
- Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)
JavaScript
- Popular technology used to make dynamic content
- When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer
- The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter
JavaScript (continued)
- Several defense mechanisms prevent JavaScript programs from causing serious harm
- JavaScript does not support certain capabilities
- JavaScript has no networking capabilities
- Other security concerns remain
- JavaScript programs can capture and send user information without the user's knowledge or authorization
- JavaScript security is handled by restrictions within the Web browser
Java Applet
- A separate program stored on a Web server and downloaded onto a user's computer along with HTML code
- Can also be made into hostile programs
- Sandbox is a defense against a hostile Java applet
- Surrounds program and keeps it away from private data and other resources on a local computer
- Java applet programs should run within a sandbox
Java Applet (continued)
- Two types of Java applets
- Unsigned Java applet: program that does not come from a trusted source
- Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
- The primary defense against Java applets is using the appropriate settings of the Web browser
ActiveX
- Set of technologies developed by Microsoft
- Outgrowth of two other Microsoft technologies
- Object Linking and Embedding (OLE)
- Component Object Model (COM)
- Not a programming language but a set of rules for how applications should share information
ActiveX (continued)
- ActiveX controls represent a specific way of implementing ActiveX
- Can perform many of the same functions of a Java applet, but do not run in a sandbox
- Have full access to Windows operating system
- ActiveX controls are managed through Internet Explorer
- ActiveX controls should be set to most restricted levels
Cookies
- Computer files that contain user-specific information
- Need for cookies is based on Hypertext Transfer Protocol (HTTP)
- Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer
- Attackers often target cookies because they can contain sensitive information (usernames and other private information)
Cookies (continued)
- Can be used to determine which Web sites you view
- First-party cookie is created from the Web site you are currently viewing
- Some Web sites attempt to access cookies they did not create
- If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
- Now known as a third-party cookie because it was not created by the Web site that attempts to access the cookie
Common Gateway Interface (CGI)
- Set of rules that describes how a Web server communicates with other software on the server and vice versa
- Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database
Common Gateway Interface (CGI) (continued)
- CGI scripts create security risks
- Do not filter user input properly
- Can issue commands via Web URLs
- CGI security can be enhanced by
- Properly configuring CGI
- Disabling unnecessary CGI scripts or programs
- Checking program code that uses CGI for any vulnerabilities
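What checking CGI code for unfiltered input looks like in practice, as an added example that is not part of the original slides: the script validates the one parameter it expects against an allowlist and passes it to the helper program as a separate argument, never as shell text. The parameter name `report`, the name rule and the tool path are assumptions made for this sketch; the query strings are constructed.

```python
import re
from urllib.parse import parse_qs

# Assumed rule for this example: a report name is 1-32 letters, digits or underscores.
REPORT_NAME = re.compile(r"[A-Za-z0-9_]{1,32}")
# Hypothetical helper program the script runs; the path is a placeholder.
REPORT_TOOL = "/usr/local/bin/make_report"


class BadRequest(ValueError):
    """Raised when the request does not match what the script expects."""


def report_from_query(query_string):
    """Extract and validate the single 'report' parameter from QUERY_STRING."""
    try:
        params = parse_qs(query_string, keep_blank_values=True, max_num_fields=4)
    except ValueError as exc:           # more fields than the script accepts
        raise BadRequest(str(exc)) from exc
    if set(params) != {"report"} or len(params["report"]) != 1:
        raise BadRequest("expected exactly one 'report' parameter and nothing else")
    name = params["report"][0]          # already percent-decoded by parse_qs
    if not REPORT_NAME.fullmatch(name):
        raise BadRequest("report name has characters outside the allowlist")
    return name


def build_argv(name):
    """Return an argument vector for subprocess.run(argv), with no shell involved.

    The weak pattern is joining REPORT_TOOL and the raw value into one string
    and handing it to a shell, which lets characters from the URL act as commands.
    """
    return [REPORT_TOOL, "--name", name]


def handle(query_string):
    """Return (HTTP status, detail); a bad request is refused before anything runs."""
    try:
        return "200 OK", build_argv(report_from_query(query_string))
    except BadRequest as exc:
        return "400 Bad Request", str(exc)


# Constructed query strings, as a Web server would place them in QUERY_STRING.
SAMPLES = ["report=sales_2004", "report=sales%3Bcat%20%2Fetc%2Fpasswd",
           "report=..%2F..%2Fsecret", "report=a&report=b", ""]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(repr(qs), "->", handle(qs))
```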
8.3 Naming Conventions
- Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
- Called the 8.3 naming convention
- Recent versions of Windows allow filenames to contain up to 256 characters
- To maintain backward compatibility with DOS, Windows automatically creates an 8.3 alias filename for every long filename
8.3 Naming Conventions (continued)
- The 8.3 naming convention introduces a security vulnerability with some Web servers
- Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
- Solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
- In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories
Securing Web Communications
- Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
- One implementation is the Hypertext Transport Protocol over Secure Sockets Layer
Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- SSL protocol developed by Netscape to securely transmit documents over the Internet
- Uses private key to encrypt data transferred over the SSL connection
- Version 2.0 is most widely supported version
- Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
- TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
- An extension of SSL; they are often referred to as SSL/TLS
- SSL/TLS protocol is made up of two layers
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (continued)
- TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
- FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
- Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems
Secure Hypertext Transport Protocol (HTTPS)
- One common use of SSL is to secure Web HTTP communication between a browser and a Web server
- This version is plain HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
- Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
- Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely
Securing Instant Messaging
- Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
- Instant messaging (IM) is a complement to e-mail that overcomes these
- Allows sender to enter short messages that the recipient sees and can respond to immediately
Securing Instant Messaging (continued)
- Some tasks that you can perform with IM
- Chat
- Images
- Sounds
- Files
- Talk
- Streaming content
Securing Instant Messaging (continued)
- Steps to secure IM include
- Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
- Enable IM virus scanning
- Block all IM file transfers
- Encrypt messages
Summary
- Protecting basic communication systems is a key to resisting attacks
- E-mail attacks can be malware, spam, or hoaxes
- Web vulnerabilities can open systems up to a variety of attacks
- A Java applet is a separate program stored on the Web server and downloaded onto the user's computer along with the HTML code
Summary (continued)
- ActiveX controls present serious security concerns because of the functions that a control can execute
- A cookie is a computer file that contains user-specific information
- CGI is a set of rules that describe how a Web server communicates with other software on the server
- The popularity of IM has made this a tool that many organizations are now using with e-mail