Slide Web Security
Trang 1Chapter 6: Web Security
Security+ Guide to Network Security
Fundamentals
Second Edition
Trang 2• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging
Trang 3Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary communication tool for businesses
• Has also become a prime target of attackers and must be protected
Trang 4How E-Mail Works
• Use two Transmission Control Protocol/Internet
Protocol (TCP/IP) protocols to send and receive
• The SMTP server on most machines uses sendmail
to do the actual sending; this queue is called the
sendmail queue
Trang 5How E-Mail Works (continued)
Trang 6• Sendmail tries to resend queued messages
periodically (about every 15 minutes)
• Downloaded messages are erased from POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer make it difficult to manage messages from multiple computers
• Internet Mail Access Protocol (current version is
IMAP4) is a more advanced protocol that solves
many problems
– E-mail remains on the e-mail server
Trang 7How E-Mail Works (continued)
• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted
• Three bytes from the binary file are extracted and converted to four text characters
Trang 10Malware (continued)
• A worm can enter a user’s computer through an
e-mail attachment and send itself to all users listed in the address book or attach itself as a reply to all
unread e-mail messages
• E-mail clients can be particularly susceptible to macro viruses
– A macro is a script that records the steps a user
performs
– A macro virus uses macros to carry out malicious
functions
Trang 11Malware (continued)
• Users must be educated about how malware can enter
a system through e-mail and proper policies must be enacted to reduce risk of infection
– E-mail users should never open attachments with these file extensions: bat, ade, usf, exe, pif
• Antivirus software and firewall products must be
installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures including turning off ports and eliminating open mail relay servers must be developed and
enforced
Trang 12• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault
of Non-Solicited Pornography and Marketing Act of
2003 (CAN-SPAM) in late 2003
Trang 13Spam (continued)
• According to a Pew memorial Trust survey, almost half of the approximately 30 billion daily e-mail
messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
– 52% of users indicate spam has made them less
trusting of e-mail in general
– 70% of users say spam has made being online
unpleasant or annoying
Trang 14• Sophisticated e-mail filters can use Bayesian filtering
– User divides e-mail messages received into two piles, spam and not-spam
Trang 15• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, are almost impossible to filter
• Defense against hoaxes is to ignore them
Trang 16Hoaxes (continued)
• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as
someone else is sent to unsuspecting recipients
Trang 17E-Mail Encryption
• Two technologies used to protect e-mail messages
as they are being transported:
– Secure/Multipurpose Internet Mail Extensions
– Pretty Good Privacy
Trang 18Secure/Multipurpose Internet Mail
Extensions (S/MIME)
• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME)
messages
• Provides these features:
– Digital signatures – Interoperability
– Message privacy – Seamless integration
– Tamper detection
Trang 19Pretty Good Privacy (PGP)
• Functions much like S/MIME by encrypting messages using digital signatures
• A user can sign an e-mail message without
encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
– Reduces patterns and enhances resistance to
cryptanalysis
• Creates a session key (a one-time-only secret key)
– This key is a number generated from random
movements of the mouse and keystrokes typed
Trang 20Pretty Good Privacy (PGP)
(continued)
• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
– A longer and more secure version of a password
– Typically composed of multiple words
– More secure against dictionary attacks
Trang 21Pretty Good Privacy (PGP)
(continued)
Trang 22Examining World Wide Web
Vulnerabilities
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send
thousands of e-mail messages to users
• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
– Sometimes called repurposed programming (using programming tools in ways more harmful than
originally intended)
Trang 23• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is
downloaded onto the user’s computer
• The Web browser then executes that code within the browser using the Virtual Machine (VM)―a Java
interpreter
Trang 24JavaScript (continued)
• Several defense mechanisms prevent JavaScript
programs from causing serious harm:
– JavaScript does not support certain capabilities
– JavaScript has no networking capabilities
• Other security concerns remain:
– JavaScript programs can capture and send user
information without the user’s knowledge or
authorization
– JavaScript security is handled by restrictions within the Web browser
Trang 25JavaScript (continued)
Trang 26Java Applet
• A separate program stored on a Web server and
downloaded onto a user’s computer along with HTML code
• Can also be made into hostile programs
• Sandbox is a defense against a hostile Java applet
– Surrounds program and keeps it away from private
data and other resources on a local computer
• Java applet programs should run within a sandbox
Trang 27Java Applet (continued)
Trang 28• Two types of Java applets:
– Unsigned Java applet: program that does not come from a trusted source
– Signed Java applet: has a digital signature proving the program is from a trusted source and has not been
altered
• The primary defense against Java applets is using the appropriate settings of the Web browser
Trang 29Java Applet (continued)
Trang 30• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
– Object Linking and Embedding (OLE)
– Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information
Trang 31– Have full access to Windows operating system
• ActiveX controls are managed through Internet Explorer
• ActiveX controls should be set to most restricted levels
Trang 32ActiveX (continued)
Trang 33• Computer files that contains user-specific information
• Need for cookies is based on Hypertext Transfer
Protocol (HTTP)
• Instead of the Web server asking the user for this
information each time they visits that site, the Web server stores that information in a file on the local
computer
• Attackers often target cookies because they can
contain sensitive information (usernames and other private information)
Trang 34Cookies (continued)
• Can be used to determine which Web sites you view
• First-party cookie is created from the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
– If you went to www.b.org , that site might attempt to get the cookie A-ORG from your hard drive
– Now known as a third-party cookie because it was not created by Web site that attempts to access the cookie
Trang 35Common Gateway Interface (CGI)
• Set of rules that describes how a Web server
communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display
information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database
Trang 36Common Gateway Interface (CGI)
(continued)
• CGI scripts create security risks
– Do not filter user input properly
– Can issue commands via Web URLs
• CGI security can be enhanced by:
– Properly configuring CGI
– Disabling unnecessary CGI scripts or programs
– Checking program code that uses CGI for any
vulnerabilities
Trang 378.3 Naming Conventions
• Microsoft Disk Operating System (DOS) limited
filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to
contain up to 256 characters
• To maintain backward compatibility with DOS,
Windows automatically creates an 8.3 “alias”
filename for every long filename
Trang 388.3 Naming Conventions (continued)
• The 8.3 naming convention introduces a security
vulnerability with some Web servers
– Microsoft Internet Information Server 4.0 and other
Web servers can inherit privileges from parent
directories instead of the requested directory if the
requested directory uses a long filename
• Solution is to disable creation of the 8.3 alias by
making a change in the Windows registry database
– In doing so, older programs that do not recognize long filenames are not able to access the files or
subdirectories
Trang 39Securing Web Communications
• Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
• One implementation is the Hypertext Transport
Protocol over Secure Sockets Layer
Trang 40Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
• SSL protocol developed by Netscape to securely transmit documents over the Internet
– Uses private key to encrypt data transferred over the SSL connection
– Version 2.0 is most widely supported version
– Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
Trang 41Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
Trang 42Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
(continued)
• TLS Handshake Protocol allows authentication
between server and client and negotiation of an
encryption algorithm and cryptographic keys before any data is transmitted
• FORTEZZA is a US government security standard
that satisfies the Defense Messaging System security architecture
– Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access
control to messages, components, and even systems
Trang 43Secure Hypertext Transport
Protocol (HTTPS)
• One common use of SSL is to secure Web HTTP
communication between a browser and a Web server
– This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
• Sometimes designated HTTPS, which is the
extension to the HTTP protocol that supports it
• Whereas SSL/TLS creates a secure connection
between a client and a server over which any amount
of data can be sent security, HTTPS is designed to transmit individual messages securely
Trang 44Securing Instant Messaging
• Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
• Instant messaging (IM) is a complement to e-mail
that overcomes these
– Allows sender to enter short messages that the
recipient sees and can respond to immediately
Trang 45Securing Instant Messaging
Trang 46Securing Instant Messaging
(continued)
• Steps to secure IM include:
– Keep the IM server within the organization’s firewall and only permit users to send and receive messages with trusted internal workers
– Enable IM virus scanning
– Block all IM file transfers
– Encrypt messages
Trang 47• Protecting basic communication systems is a key to resisting attacks
• E-mail attacks can be malware, spam, or hoaxes
• Web vulnerabilities can open systems up to a variety