CSC-682 Advanced Computer Security: Analyzing Websites for User-Visible Security Design Flaws. Pompi Rotaru. Based on an article by Laura Falk, Atul Prakash, Kevin Borders.
CSC-682 Advanced Computer Security: Analyzing Websites for User-Visible Security Design Flaws. Pompi Rotaru. Based on an article by Laura Falk, Atul Prakash, Kevin Borders.

Banking trends
- The Internet has become part of our lives
- A large number of people have given up conventional banking in favour of online banking
- People conduct both their personal and job-related business using these sites
- 42% of all Internet users bank online
- Forbes.com conducted a survey of over 900 people and divided users into three groups: those who used online banking applications and paid bills online through their bank's website; those who used online banking applications but not online bill payment; and those who used no online banking activities whatsoever

How banks deal with online security
- Due to the sensitive nature of these sites, security is a top priority
- Hire security experts to conduct vulnerability assessments
- Deploy encryption protocols such as SSL
- Use firewalls and routers
- Monitor accounts for suspicious activities
- User identification (user ID + password)
- Overall, online security has improved compared with a few years ago

This study – general considerations
- Conducted during Nov - Dec 2006
- Analyses 214 U.S. financial institutions for user-visible security design flaws
- It is not focused on poor or confusing client-side interfaces, but on flaws that originate in poor design at the server and that prevent users from making correct choices when securing their transactions
- Design flaws are a result of decisions made during the website design phase, and they promote insecure user behaviour
- These design features made it very difficult for someone to use the site securely

This study – method
- Uses a tool for automatically detecting flaws
- They used "wget" to recursively download the financial institution websites and scripts to traverse and analyze the HTML pages
- They looked for:
  1. A break in the chain of trust
  2. Presenting secure login options on insecure pages
  3. Contact information/security advice on insecure pages
  4. Inadequate policies for user IDs and passwords
  5. E-mailing security-sensitive information insecurely

What they found
- 30% of the sites broke the chain of trust
- 47% presented a login form on an insecure page
- 55% presented contact and other sensitive information on insecure pages
- 31% allowed e-mail addresses as user names
- 24% of the sites were completely free of these design flaws

1. Break in the chain of trust
- 30% of the banks tested were affected (17% gave no notification)
- Violates: adequate security context for informed decisions
- The customer is redirected to a site that has a different domain name than the financial institution's site that was originally visited
- The switch is usually done without warning customers about the redirection
- It is then up to the user to determine whether the new site is really affiliated with the financial institution
- Solution (proposed by the article): provide adequate notification before taking the user to third-party sites, and always make such transitions from secure pages

2. Presenting secure login options on insecure pages
- 47% of the banks tested were affected
- Violates: not embedding sensitive forms on insecure web pages
- Login pages and options displayed on insecure pages leave users vulnerable to man-in-the-middle attacks
- Some websites use embedded JavaScript code for the login window and submit the information via SSL, but the user has no way of knowing this
- Some show a picture of a lock and the phrase "Secured with SSL technology", but this provides only a false sense of security
- Other examples of this style include password-reset or new-account forms that are embedded in insecure pages

3. Contact information/security advice on insecure pages
- 55% of the banks tested were affected
- Violates: securing security-relevant context
- The bank's contact information or security advice is provided on an insecure page
- This allows modification of the page in transit, e.g. replacing the customer-service phone numbers with bogus numbers
- Crooks then answer the phone and ask for the SSN, birth date, or other confidential information
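The study's scripts looked for flaws 1–3 in HTML that wget had already fetched. The following is an added example, not the paper's tool, of how a site owner can run the same three user-visible checks over their own fetched pages: a login form posting to a different registrable domain (flaw 1), a password field served over plain HTTP (flaw 2), and a phone number on an insecure page (flaw 3). The URLs, domains and page contents are constructed; `registrable_domain` is a deliberately crude two-label approximation.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
PHONE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")  # US phone number: proxy for contact info

class _Collector(HTMLParser):
    # Records each form (action + whether it has a password field) and all visible text.
    def __init__(self):
        super().__init__()
        self.forms, self.text, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True
    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            self.forms.append(self._form)
            self._form = None
    def handle_data(self, data):
        self.text.append(data)

def registrable_domain(host):
    # Crude: last two labels ("online.examplebank.test" -> "examplebank.test"); ccTLDs not handled.
    return ".".join((host or "").lower().split(".")[-2:])

def audit_page(url, html):
    # Returns the set of flaw labels (study flaws 1-3) that a user could see on this page.
    c = _Collector()
    c.feed(html)
    page, flaws = urlparse(url), set()
    insecure = page.scheme != "https"
    for f in (f for f in c.forms if f["password"]):
        if insecure:  # flaw 2: login form delivered over plain HTTP
            flaws.add("2:login-form-on-insecure-page")
        target = urlparse(urljoin(url, f["action"]))
        if registrable_domain(target.hostname) != registrable_domain(page.hostname):
            flaws.add("1:login-posts-to-third-party-domain")  # flaw 1: break in chain of trust
    if insecure and PHONE.search(" ".join(c.text)):  # flaw 3: contact info on insecure page
        flaws.add("3:contact-info-on-insecure-page")
    return flaws

PAGES = {  # constructed sample pages, not real bank pages
    "http://www.examplebank.test/": '<form action="https://login.vendor-host.test/auth">'
        '<input name="user"><input type="password" name="pw"></form>'
        '<p>Customer service: 555-010-0199</p>',
    "https://www.examplebank.test/login": '<form action="/session">'
        '<input name="user"><input type="password" name="pw"></form>',
}
```

Running `audit_page` over the first constructed page reports all three flaws; the HTTPS login page that posts to its own domain reports none.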

4. Inadequate policies for user IDs and passwords
- 31% of the banks tested were affected: they allow e-mail addresses as user names
- Violates: hard-to-guess credentials
- One study concluded that a strong username could be more important than a strong password
- Users should not use social security numbers or e-mail addresses for user IDs (easy to guess or collect)
- Having no policy on allowed passwords leads to weak passwords, which are vulnerable to dictionary attacks

5. E-mailing security-sensitive information insecurely
- Violates: confidentiality
- E-mail could be used to send sensitive information to customers
- If passwords are e-mailed through an insecure mail server, an attacker could intercept the unencrypted traffic on the network and obtain the sensitive information

Are these security design flaws?
- Displaying "Welcome back first_name" on an insecure page before the user logs on
- Not providing a "log off" button after the user has finished making a payment and wants to leave the site

Results
- With automated tools (such as this one) false positives are possible
- They tried to manually eliminate them wherever possible
- The "break in the chain of trust" test in particular had a significant number of false positives (30% reported, but in fact only 17%)
- Most sites made an effort to provide good policies for user IDs and passwords
- 68% had two or more design flaws
- 10% of the sites had all five design flaws

Sources of errors
- Some pages could not be completely retrieved due to wget's inability to handle JavaScript
- Possibility of human error in the manual inspection process used to eliminate false positives
- Due to the way the test was conducted, it is possible that not all problem pages were discovered

Conclusions
- 76% of sites have at least one design flaw
- 24% of sites were completely free of design flaws
- Most financial websites today are taking traditional steps to secure their websites, such as the use of strong credentials
- A small fraction were found not to provide adequate enforcement of password policy, or to rely on easy-to-harvest user IDs
- This shows that the current set of web security analysis and design techniques still leaves significant security gaps
- They recommend that web developers employ these techniques when performing web security evaluations
- In the future the authors plan to evaluate additional design flaws

Questions?