Published by Ernest Miles. Modified over 9 years ago.
1
Web Security, Chapter 7 (9/9/2015)
2
cs490ns-cotter
Objectives
Protect e-mail systems
Identify World Wide Web vulnerabilities
Secure Web communications
3
How E-Mail Works
Defined in RFC 822
Uses two Internet protocols to send and receive messages
–Simple Mail Transfer Protocol (SMTP) handles outgoing mail, and
–either Post Office Protocol (POP3 is the current version) handles incoming mail
–or Internet Message Access Protocol (IMAP4 is current)
The SMTP server on most machines uses sendmail to do the actual sending; the queue of outgoing messages is called the sendmail queue
4
E-mail Architecture
(Figure: Sender, Mail Server, Mail Server, Remote Access Server, Recipient)
5
E-mail Architecture
(Figure: Sender, Delivery Protocol, SMTP MGA, Internet, Retrieval Protocol, Recipient)
6
How E-Mail Works (cont)
Sendmail tries to resend queued messages periodically (about every 15 minutes)
Downloaded messages are erased from the POP3 server (by default)
Deleting retrieved messages from the mail server and storing them on a local computer may make it difficult to manage messages from multiple computers
Internet Message Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
–E-mail can remain on the e-mail server
7
How E-Mail Works (cont)
E-mail attachments are often in binary format (word processing documents, spreadsheets, sound files, pictures, etc.)
–But SMTP is text only
Multipurpose Internet Mail Extensions (MIME)
–RFC 1341, 1521, 1522
–Non-text documents must be converted into text format before being transmitted
–Three bytes from the binary file are extracted and converted to four text characters
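The three-bytes-to-four-characters conversion the slide describes is the Base64 content-transfer-encoding of MIME (RFC 2045, the successor of RFC 1521). The following is an added example, not code from the slides: it implements the 3-to-4 mapping by hand, including the "=" padding for a short final group and the 76-character line wrapping MIME requires, and cross-checks the result against Python's base64 module. The sample bytes are constructed for the example.

```python
import base64  # only used in __main__ to cross-check the hand-rolled encoder

# Base64 alphabet from RFC 2045 (the MIME successor of RFC 1521):
# 64 printable ASCII characters that survive a text-only SMTP channel.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_group(chunk: bytes) -> str:
    """Turn one group of 1-3 input bytes into exactly 4 output characters.

    The 24 bits of three bytes are cut into four 6-bit values, and each
    value indexes the 64-character alphabet. A short final group (1 or 2
    bytes) is zero-padded on the right, and the output positions that carry
    no real data become '=' so the decoder knows how many bytes to drop.
    """
    n = len(chunk)
    padded = chunk + b"\x00" * (3 - n)
    bits = (padded[0] << 16) | (padded[1] << 8) | padded[2]
    chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
    real = n + 1  # 1 byte -> 2 chars + "==", 2 bytes -> 3 chars + "=", 3 -> 4
    return "".join(chars[:real]) + "=" * (4 - real)


def mime_encode(data: bytes, line_length: int = 76) -> str:
    """Base64-encode data and wrap it at 76 characters with CRLF (RFC 2045)."""
    text = "".join(encode_group(data[i:i + 3]) for i in range(0, len(data), 3))
    return "\r\n".join(text[i:i + line_length] for i in range(0, len(text), line_length))


def mime_decode(text: str) -> bytes:
    """Reverse mime_encode: drop line breaks, map 4 characters back to 3 bytes."""
    clean = "".join(text.split())
    out = bytearray()
    for i in range(0, len(clean), 4):
        group = clean[i:i + 4]
        pad = group.count("=")
        bits = 0
        for ch in group:
            bits = (bits << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


# Constructed sample: the PNG file signature plus two extra bytes, chosen
# because 0x89, 0x00 and 0xFF cannot travel through a 7-bit text-only mail body.
SAMPLE = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0xFF])

if __name__ == "__main__":
    encoded = mime_encode(SAMPLE)
    print(encoded)  # 10 bytes become 16 characters
    assert encoded == base64.b64encode(SAMPLE).decode("ascii")
    assert mime_decode(encoded) == SAMPLE
```

The ratio is why a Base64 attachment is about a third larger than the file it carries: every 3 bytes cost 4 characters, plus a CRLF every 76 characters.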
8
E-Mail Vulnerabilities
Several e-mail vulnerabilities can be exploited by attackers:
–Malware
–Spam
–Hoaxes
9
Malware
Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
E-mail is the malware transport mechanism of choice for two reasons:
–Because almost all Internet users have e-mail, it has the broadest base for attacks
–Malware can use e-mail to propagate itself
10
Malware (cont)
A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in the address book, or attach itself as a reply to all unread e-mail messages
E-mail clients can be particularly susceptible to macro viruses
–A macro is a script that records the steps a user performs
–A macro virus uses macros to carry out malicious functions
11
Spam
The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003
12
Spam (cont)
According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
Spam is having a negative impact on e-mail users:
–25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
–52% of users indicate spam has made them less trusting of e-mail in general
–70% of users say spam has made being online unpleasant or annoying
13
E-Mail Encryption
Two technologies used to protect e-mail messages as they are being transported:
–Secure/Multipurpose Internet Mail Extensions
–Pretty Good Privacy
14
S/MIME
Secure/Multipurpose Internet Mail Extensions
–Initial specification 10/95 (RFC 1847)
–V2 widely deployed 3/98 (RFC 2311)
–V3 available 6/99 (RFC 2633)
Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
15
S/MIME Functionality
–Enveloped Data (Message Privacy)
–Signed Data (Digital Signatures, Tamper Detection)
–Clear-signed Data (Interoperability)
–Signed and Enveloped Data (Everything!)
16
Pretty Good Privacy (PGP)
Functions much like S/MIME: encrypts messages and applies digital signatures
A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
Originally released as freeware; now available as a commercial product
–GNU Privacy Guard (GPG) is available for free
–The two versions are generally incompatible
17
PGP (cont)
Stores private keys on a local “keyring” file
–Uses a passphrase to encrypt the keyring on the local computer
Passphrase:
–A longer and more secure version of a password
–Typically composed of multiple words
–More secure against dictionary attacks
18
PGP Encryption
Message Compression
–Reduces patterns and enhances resistance to cryptanalysis
Session key (a one-time-only secret key, a 128-bit number)
–This key is a number generated from random movements of the mouse and keystrokes typed
19
PGP Services
Digital Signature
–Uses DSS / SHA or RSA / SHA
–SHA-1 used to create the message digest; RSA / DSS used to encrypt the digest using the sender’s private key
Message Encryption
–Session key generated
–Message encrypted with CAST-128 / IDEA / 3DES
–Session key encrypted using D-H or RSA and the recipient’s public key
Compression
–Uses the zip algorithm
20
PGP Encryption
(Figure: Sender side: “Meet me for lunch Tuesday” → compress → “Mt m fr lnch Tsdy” → encrypt with Session Key → “4#*l, $@2ug D86qL”; the Session Key is encrypted with the Recipient’s Public Key; ciphertext “4#*l, $@2ug D86qL” is delivered to the Recipient)
21
WWW Vulnerabilities
WWW
Phishing
Mobile Code
–Javascript, Java, ActiveX/COM
Cookies
SQL Injection
Dynamic content can also be used by attackers
–Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)
22
HTML
Hypertext Markup Language (HTML)
–Describes the content and formatting of Web pages
–Rendered within the browser window
HTML features
–Static document description language
–Supports linking to other pages and embedding images by reference
–User input sent to the server via forms
HTML extensions
–Additional media content (e.g., PDF, video) supported through plugins
–Embedding programs in supported languages (e.g., JavaScript, Java) provides dynamic content that interacts with the user, modifies the browser user interface, and can access the client computer environment
23
Phishing
Forged web pages created to fraudulently acquire sensitive information
User typically solicited to access the phished page from spam e-mail
Most targeted sites
–Financial services (e.g., Citibank)
–Payment services (e.g., PayPal)
–Auctions (e.g., eBay)
45K unique phishing sites detected monthly in 2009 [APWG Phishing Trends Reports]
Methods to avoid detection
–Misspelled URL
–URL obfuscation
–Removed or forged address bar
24
Phishing Example
(Figure: screenshot of a phishing page, from http://www.anti-phishing.com)
25
URL Obfuscation
Properties of the page in the previous slide
–Actual URL different from the spoofed URL displayed in the address bar
URL escape character attack
–Old versions of Internet Explorer did not display anything past the Esc or null character
–Displayed vs. actual site: http://trusted.com%01%00@malicious.com
Unicode attack
–Domain names with Unicode characters can be registered
–Identical, or very similar, graphic rendering for some characters
–E.g., Cyrillic and Latin “a”
–Phishing attack on paypal.com
–Current versions of browsers display Punycode, an ASCII-encoded version of Unicode: www.xn--pypal-4ve.com
Source: http://www.anti-phishing.com
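Both tricks on this slide come down to the difference between what a URL looks like and how a browser actually parses it. The following is an added example, not code from the slides: it splits a URL with Python's standard urllib.parse, shows that everything before the "@" is userinfo rather than the host, converts an IDN host to the Punycode form modern browsers display, and returns the indicators a mail or proxy filter could flag. The three sample URLs are constructed from the slide's own examples; the Cyrillic letter is written as the escape \u0430 so the homograph is visible in the source.

```python
from urllib.parse import urlsplit, unquote


def analyze_url(url: str) -> dict:
    """Split a URL the way a browser does and expose what a reader might misjudge.

    In "scheme://userinfo@host/path" everything before the '@' is userinfo,
    so a name like trusted.com placed there is not the site being visited.
    Percent-escapes such as %01 and %00 decode to control characters, which
    is where some old address bars stopped rendering.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # lower-cased, userinfo and port removed
    try:
        punycode = host.encode("idna").decode("ascii")  # ToASCII per label
    except UnicodeError:
        punycode = host
    decoded = unquote(url)
    return {
        "userinfo": unquote(parts.username) if parts.username else None,
        "actual_host": host,
        "punycode_host": punycode,
        "control_chars": sorted({c for c in decoded if ord(c) < 0x20}),
    }


def suspicious_reasons(url: str) -> list:
    """Return the obfuscation indicators found in the URL (empty list = none)."""
    info = analyze_url(url)
    reasons = []
    if info["userinfo"] is not None:
        reasons.append("userinfo before '@' can be mistaken for the host")
    if info["control_chars"]:
        reasons.append("percent-encoded control characters")
    if any(ord(c) > 0x7F for c in info["actual_host"]):
        reasons.append("non-ASCII (IDN) host name")
    if "xn--" in info["punycode_host"]:
        reasons.append("host contains a Punycode label: " + info["punycode_host"])
    return reasons


# Constructed samples: the two cases from the slide plus a plain URL.
ESCAPE_URL = "http://trusted.com%01%00@malicious.com"
HOMOGRAPH_URL = "http://www.p\u0430ypal.com/"  # second letter is Cyrillic U+0430
PLAIN_URL = "http://www.trustedsite.com/"

if __name__ == "__main__":
    for u in (ESCAPE_URL, HOMOGRAPH_URL, PLAIN_URL):
        print(u, analyze_url(u), suspicious_reasons(u))
```

For the first URL the parser reports malicious.com as the host and "trusted.com" followed by two control characters as the userinfo; for the second it returns www.xn--pypal-4ve.com, the same Punycode string the slide shows, which is why displaying the ASCII form defeats the look-alike.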
26
Mobile Code
What is mobile code?
–Executable program
–Sent via a computer network
–Executed at the destination
Examples
–JavaScript
–ActiveX
–Java Plugins
–Integrated Java Virtual Machines
27
JavaScript
Scripting language interpreted by the browser
Code enclosed within <script> … </script> tags
Defining functions:
    function hello() { alert("Hello world!"); }
Event handlers embedded in HTML
Built-in functions can change the content of the window:
    window.open("http://brown.edu")
Click-jacking attack:
    <a onMouseUp="window.open('http://www.evilsite.com')" href="http://www.trustedsite.com/">Trust me!</a>
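The click-jacking anchor works because the href is what the user (and the status bar) sees, while the mouse event handler runs first and can open a different site. The following is an added example, not code from the slides: a small audit over HTML using Python's standard html.parser that reports every anchor whose inline handler opens a host other than the one in its href. The sample page is constructed for the example and contains the slide's anchor next to two harmless links.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# URL argument of window.open("...") or window.open('...') inside a handler
OPEN_CALL = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""")


class LinkAuditor(HTMLParser):
    """Flag <a> tags whose event handler opens a different host than href.

    The href is what the status bar (and the user) sees; an onMouseUp or
    onClick handler runs first and can send the browser elsewhere.
    """

    def __init__(self):
        super().__init__()
        self.findings = []  # (handler attribute, href host, handler host)

    def handle_starttag(self, tag, attrs):
        if tag != "a":  # html.parser already lower-cases tag and attribute names
            return
        attrs = {name: (value or "") for name, value in attrs}
        href_host = urlsplit(attrs.get("href", "")).hostname
        for name, value in attrs.items():
            if not name.startswith("on"):
                continue
            for target in OPEN_CALL.findall(value):
                open_host = urlsplit(target).hostname
                if open_host and open_host != href_host:
                    self.findings.append((name, href_host, open_host))


def audit_links(html: str) -> list:
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: the slide's click-jacking anchor beside two harmless links.
SAMPLE_HTML = """
<a href="http://brown.edu">Brown</a>
<a onMouseUp="window.open('http://www.evilsite.com')"
   href="http://www.trustedsite.com/">Trust me!</a>
<a onClick="window.open('http://www.trustedsite.com/help')"
   href="http://www.trustedsite.com/">Help</a>
"""

if __name__ == "__main__":
    for handler, shown, actual in audit_links(SAMPLE_HTML):
        print(f"{handler}: link shows {shown} but opens {actual}")
```

Only the middle anchor is reported: its href points at www.trustedsite.com while the onMouseUp handler opens www.evilsite.com. The third anchor opens a page on the same host as its href, so it is not flagged.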
28
ActiveX vs. Java
ActiveX Control
–Windows-only technology; runs in Internet Explorer
–Binary code executed on behalf of the browser
–Can access user files
–Support for signed code
–An installed control can be run by any site (up to IE7)
–IE configuration options: allow, deny, prompt; administrator approval
Java Applet
–Platform-independent via browser plugin
–Java code running within the browser
–Sandboxed execution
–Support for signed code
–Applet runs only on the site where it is embedded
–Applets deemed trusted by the user can escape the sandbox
29
Embedding an ActiveX Control
(The slide shows a “Draw a Square” control.) Here is an example ActiveX reference:
    <OBJECT ID="Sample"
        CODEBASE="http://www.badsite.com/controls/stop.ocx"
        HEIGHT="101" WIDTH="101"
        CLASSID="clsid:0342D101-2EE9-1BAF-34565634EB71">
    </OBJECT>
30
Authenticode in ActiveX
A signed ActiveX control asks the user for permission to run
–If approved, the control will run with the same privileges as the user
The “Always trust content from …” checkbox automatically accepts controls by the same publisher
–Probably a bad idea
Source: Malicious Mobile Code, by R. Grimes, O’Reilly Books
31
ActiveX Security
(Figure)
32
Classic ActiveX Exploits
Exploder and Runner controls designed by Fred McLain
–Exploder was an ActiveX control for which he purchased a VeriSign digital signature
–The control would power down the machine
–Runner was a control that simply opened up a DOS prompt
–While harmless, the control easily could have executed format C: or some other malicious command
–http://www.halcyon.com/mclain/ActiveX/Exploder/FAQ.htm
Quicken exploit by a German hacking club
–Intuit’s Quicken is a personal financial management tool
–Can be configured to auto-login to bank and credit card sites
–The control would search the computer for Quicken and execute a transaction that transfers user funds to their account
33
Cookies
Cookies are a small bit of information stored on a computer and associated with a specific server
–When you access a specific website, it might store information as a cookie
–Every time you revisit that server, the cookie is re-sent to the server
–Effectively used to hold state information over sessions
Cookies can hold any type of information
–Can also hold sensitive information: passwords, credit card information, social security number, etc.
Session cookies, non-persistent cookies, persistent cookies
–Almost every large website uses cookies
34
More on Cookies
Cookies are stored on your computer and can be controlled
–However, many sites require that you enable cookies in order to use the site
–Their storage on your computer naturally lends itself to exploits (think about how ActiveX could exploit cookies...)
–You can (and probably should) clear your cookies on a regular basis
–Most browsers will also have ways to turn off cookies, exclude certain sites from adding cookies, and accept only certain sites' cookies
Cookies expire
–The expiration is set by the site's session by default, which is chosen by the server
–This means that cookies will probably stick around for a while
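The server decides a cookie's lifetime and its protection flags in the Set-Cookie header, so that header is where a reviewer checks whether sensitive data is being parked on the client and for how long. The following is an added example, not code from the slides: it parses one Set-Cookie header value with Python's standard http.cookies, tells session cookies (no Max-Age) from persistent ones, and lists the weaknesses the two slides describe: no Secure or HttpOnly flag, no SameSite attribute, a long persistence window, and a name that suggests sensitive content. The two header values are constructed for the example; the name hints in SENSITIVE_HINTS are an assumption of this example.

```python
from http.cookies import SimpleCookie

ONE_WEEK = 7 * 24 * 3600
# Assumed name fragments that suggest sensitive data is stored client-side
SENSITIVE_HINTS = ("pass", "pwd", "ssn", "card", "credit")


def audit_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value and list the weaknesses a reviewer would flag."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()  # a Set-Cookie header carries exactly one cookie
    issues = []
    if not morsel["secure"]:
        issues.append("no Secure flag: also sent over plain HTTP")
    if not morsel["httponly"]:
        issues.append("no HttpOnly flag: readable by page scripts")
    if not morsel.get("samesite", ""):
        issues.append("no SameSite attribute: sent on cross-site requests")
    max_age = morsel["max-age"]          # "" means a session cookie
    persistent = max_age != ""
    if persistent and int(max_age) > ONE_WEEK:
        issues.append(f"persistent for {int(max_age) // 86400} days")
    if any(hint in name.lower() for hint in SENSITIVE_HINTS):
        issues.append("name suggests sensitive data kept on the client")
    return {"name": name, "persistent": persistent, "issues": issues}


# Constructed Set-Cookie header values (not captured from any real site).
GOOD = "sessionid=3f2a9c; Path=/; Secure; HttpOnly; SameSite=Lax"
BAD = "credit_card=4111111111111111; Path=/; Max-Age=31536000"

if __name__ == "__main__":
    for header in (GOOD, BAD):
        print(audit_set_cookie(header))
```

The first header is a session cookie with all three protections and produces no findings; the second stores a card number for a year with none of them and produces five. Clearing cookies on the client, as the slide recommends, helps with the second case; setting the attributes correctly on the server removes the problem at the source.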
35
SQL Injection Attack
Many web applications take user input from a form
Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
    SELECT user FROM table WHERE name = 'user_input';
An SQL injection attack involves placing SQL statements in the user input
36
SQL Syntax
SELECT statement is used to select data FROM one or more tables in a database
Result-set is stored in a result table
WHERE clause is used to filter records
    SELECT column_name(s) or *
    FROM table_name
    WHERE column_name operator value
37
Login Authentication Query
Standard query to authenticate users:
    select * from users where user='$username' AND pwd='$passwd'
Classic SQL injection attacks
–Server-side code sets the variables $username and $passwd from user input to the web form
–Variables are passed to the SQL query:
    select * from users where user='$username' AND pwd='$passwd'
Special strings can be entered by the attacker:
    select * from users where user='M' OR '1=1' AND pwd='M' OR '1=1'
Result: access obtained without password
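The slide's query fails because the input becomes part of the SQL text, so an OR clause typed into the form is parsed as SQL; the fix is to hand the values to the driver separately as parameters. The following is an added example, not code from the slides: it builds the same login check twice against an in-memory SQLite table, once by pasting the input into the query as the slide does and once with a parameterized query, and runs the slide's special string through both. The users table is constructed for the example (plaintext passwords only to mirror the slide's query), and the injection string is written with the usual '1'='1' comparison.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the plaintext pwd column mirrors the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, passwd: str) -> bool:
    """The slide's pattern: form input pasted literally into the query text."""
    query = f"select * from users where user='{username}' AND pwd='{passwd}'"
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, passwd: str) -> bool:
    """Parameterized query: values travel separately from the SQL and are never parsed as SQL."""
    query = "select * from users where user=? AND pwd=?"
    return conn.execute(query, (username, passwd)).fetchone() is not None


# The slide's special string, written with the usual '1'='1' comparison.
# Pasted in twice it yields: user='M' OR '1'='1' AND pwd='M' OR '1'='1'
INJECTION = "M' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_login(conn, INJECTION, INJECTION))  # True
    print("safe:      ", safe_login(conn, INJECTION, INJECTION))        # False
```

With the pasted-in version the trailing OR '1'='1' is true for every row, so a user named M who does not exist still "logs in"; with parameters the database looks for a literal user named M' OR '1'='1 and finds nothing, while real credentials still work.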
38
Securing Web Communications
The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
One implementation is the Hypertext Transport Protocol over Secure Sockets Layer
39
SSL / TLS
SSL protocol developed by Netscape to securely transmit documents over the Internet
–Uses a private key to encrypt data transferred over the SSL connection
–Version 3.0 is the most widely supported version
–Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
40
SSL / TLS
TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
–An extension of SSL; they are often referred to as SSL/TLS
SSL/TLS protocol is made up of two layers
41
SSL / TLS
TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
–Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems
42
HTTPS
One common use of SSL is to secure Web HTTP communication between a browser and a Web server
–This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
Generally designated HTTPS, which is the extension to the HTTP protocol that supports it
Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely
43
References
S/MIME
–RFCs 2311-2315
PGP
–RFC 2015, 2440, 3156
–Cryptography and Network Security, Stallings
OpenPGP
–RFC 4880
TLS
–RFC 2246
44
Summary
Protecting basic communication systems is a key to resisting attacks
E-mail attacks can be malware, spam, or hoaxes
Web vulnerabilities can open systems up to a variety of attacks
A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code
45
Summary
ActiveX controls present serious security concerns because of the functions that a control can execute
A cookie is a computer file that contains user-specific information
CGI is a set of rules that describe how a Web server communicates with other software on the server
The popularity of IM has made this a tool that many organizations are now using with e-mail