Computer Security Update Bob Cowles, SLAC stanford.edu Presented at RAL 09 Dec 2002 Work supported by U. S. Department of Energy contract.
Slide 1: Computer Security Update
Bob Cowles, SLAC stanford.edu
Presented at RAL, 09 Dec 2002
Work supported by U. S. Department of Energy contract DE-AC03-76SF00515

09 December 2002 RAL – Bob Cowles – SLAC

Slide 2: Areas
- Solaris
- Cisco
- Linux
- IIS
- Internet Explorer
- Windows
- Web Applications
- Misc
- Virus & Worm
- Conclusions
- News

Slide 3: Solaris
- ssh & OpenSSH
- in.talkd
- cachefsd
- xdr_array bo (affects OpenAFS too)
- ttdbserver
- TTYPROMPT
- Java
- priocntl
- XFS

Slide 4: Cisco et al
- ssh
- Aironet wireless APs (telnet)
- ntp daemon
- httpd
- default passwords
- DSL router vulnerabilities

Slide 5: Linux
- wu-ftp
- glibc
- ssh & OpenSSH
- glibc (reboot required)
- Bugzilla
- OpenSSL
- TCPDUMP and libcap
- Mozilla 1.2
- KDE

Slide 6: Apache
- Transfer chunking
- mod_ssl off-by-one
- shared memory scoreboard - scripting

Slide 7: IIS
- Cookie handling error (cross domains)
- .htr heap overflow
- Office Web components
- SmartHTML interpreter
- .htr transfer chunking
- XSS vulnerabilities
- MDAC

Slide 8: Internet Explorer
- file name spoofing
- VBScript read local files
- jpeg scripting
- Gopher protocol error
- SSL cert checking error (Outlook, too)
- Cached objects
- MDAC

Slide 9: Windows
- MS SQL Server & Media Player
- XMLHTTP
- JVM
- Debugger
- MS Office document grabbing
- Network Connection Manager
- Windows XP SP1

Slide 10: Web Applications (little progress)
- OS cmd or SQL injection by forms & URL parms
- File traversal “../” in file uploads
- Leaving inappropriate permissions on folders
- Errors that reveal source code & passwords
- Failure to perform validation of ALL input
- Using non-expiring cookies for login
- Cross Site Scripting (XSS)
- Depending on client-side security
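Two of the web-application items above, injection through form/URL parameters and "../" traversal in uploads, side by side with the checks that close them. This is an added example, not material from the talk; the in-memory users table and the /srv/uploads directory are constructed assumptions.

```python
import os
import sqlite3

# Constructed stand-in for a site's user database (assumption, not from the slides).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn, name):
    # "SQL injection by forms & URL parms": the parameter is spliced into the
    # statement text, so quote characters in it change the query's logic.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Bound parameter: the value is passed as data and can never become SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

UPLOAD_ROOT = os.path.realpath("/srv/uploads")  # assumed upload directory

def resolve_upload_path(filename):
    # 'File traversal "../" in file uploads': keep only the base name the
    # client supplied, then confirm the resolved destination still lies
    # under the upload root (defence in depth against separator tricks).
    base = os.path.basename(filename)
    if base in ("", ".", ".."):
        raise ValueError("invalid upload name")
    dest = os.path.realpath(os.path.join(UPLOAD_ROOT, base))
    if os.path.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        raise ValueError("path escapes upload root")
    return dest
```

Running `lookup_vulnerable` with a quote-bearing value returns every row, while `lookup_safe` with the same value returns nothing; `resolve_upload_path("../../etc/passwd")` lands inside the upload root.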

Slide 11: Misc
- Add’l files indexed by Google
- AOL AIM & Yahoo Messenger
- snmp
- PGP buffer overflow
- zlib
- libbind resolver buffer overflow
- MIME send by reference (RFC 2046)
- TCP/IP ambiguity
- Realplayer
- bind
- out-of-office

Slide 12: Virus & Worm
- Magistr
- badtrans
- Goner
- Myparty
- Frethem (your password)
- Klez
- Bugbear
- e-card spam
- Winevar (uses auto-opening of html attachments)

Slide 13: Conclusions
- Poor administration is still a major problem
- Firewalls cannot substitute for patches
- Multiple levels of virus/worm protection are necessary
- Clue is more important than open source

Slide 14: News
- OpenSSH trojaned
- 20 things to make systems safe and secure
- New PGP, incl. version 8.0 for Windows
- SMTP trojaned
- Flash & Warhol worms
- Attack on root DNS servers Oct22.html
- The Art of Deception by Kevin Mitnick
- Mind of the Miscreant
- System maintenance is lacking
- MS ftp server reveals all