Review of World Wide Web
- Case of Facebook CSRF ((4) threats from server to client)
- Case of Java Signed Applet Protection ((4) threats from server to client)
- A Short Review of SSL (with reference to root certificates)
- Case of CAPTCHA (protection against (3) threats via client to server)
- Case of SQL injection ((3) threats via client to server)
- SQL injection Summary
Discussion Question
What kind of company data can you allow your employees to access on the company Intranet through ____?
1. at the office
2. at home using a fixed PC
3. at home using a laptop
4. at an overseas cyber-cafe using a laptop
Can you suggest some protection strategy that can make you feel safe?
Network Technology
- Uses the TCP/IP protocol suite
  - TCP (Transmission Control Protocol): controls the assembly of a message into smaller packets before it is transmitted over the Internet
  - IP (Internet Protocol): includes the rules for routing individual data packets from their source to their destination
- IP address
  - Internet addresses are based on a 32-bit number called an IP address.
  - An IP address is written as a series of up to 4 separate numbers (e.g. 147.204.89.56) that uniquely identifies a computer connected to the Internet.
  - Management of IP addresses (static, mobile, NAT (Network Address Translation)) is an important issue for higher-level applications.
Domain Names
- IP addresses are difficult to remember
- Domain names: sets of words assigned to specific IP addresses
  - Example: www.hku.hk contains three parts separated by periods
  - Top-level domain (TLD): the rightmost part
    - Generic top-level domains (gTLDs), e.g. .edu, .com
    - Sponsored top-level domains (sTLDs), e.g. .aero, sponsored by SITA
- Internet Corporation for Assigned Names and Numbers (ICANN): responsible for managing the non-sTLDs
[Figure: a client (browser) running on a hand phone, personal computer, smart card reader, PDA or laptop sends (1) an http request through the Intranet part (wireless network access point, base station, LAN, broadband router), across the WAN (Internet part), and through a router into the server's LAN.]
Three parts of the system:
- Client: no/low security control
- Communication channel: the Internet, an unprotected/unreliable free network
- Servers: more controllable; this side holds the machines (servers/DB), the employees and the data (customer info)
Danger in Client
- The communication link problem is (kind of) solved by secure channel technology like SSL
- E-commerce fraud: technically valid transactions in which one user cheats another
  - Logging of evidence is the key idea
  - Proving the evidence (computer forensics) is an important current issue!
- Client side (browser) and server side are still a big, big problem, and client and server affect each other:
  (1) Direct threats to the client (Trojan horse, key logger, etc.)
  (2) Direct threats to the server (port scanning, intrusion, hacking)
  (3) Threats from client to server (through a valid web session)
  (4) Threats from server to client (through a valid web session)
Client-side problems
- System patches not updated (attacking virus)
- Opening emails with malicious attachments
- Running untrusted programs from floppy or USB drives
- Visiting malicious web pages (e.g. phishing sites, hidden IFRAMEs in forums)
- Social engineering (leaking passwords)
transaction (like a money transfer). Very suitable for a targeted attack! (e.g. stealing from an e-bank account). Lesson to learn: your authentication history may be harmful to you if you visit a hacker site afterward!
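The defence that the Facebook CSRF case points at is to make the server distinguish a request the user actually composed from one a hacker site composed on the user's behalf: the browser attaches the session cookie to both, so the server needs a second secret that only the legitimate page can know. The following is an added example written for these notes, not code from the lecture or from any real e-bank; the session/request dictionaries, the site name `ebank.example` and the helper names are constructed for illustration.

```python
import hmac
import secrets

# Constructed example: a per-session anti-CSRF token for a money-transfer form.
# `session` is the server-side session store; `request` is a dict with the
# browser-supplied "headers" and the submitted "form" fields.

OUR_ORIGIN = "https://ebank.example"   # hypothetical site name


def issue_token(session):
    """Create a fresh random token, remember it in the server-side session
    and return it so the legitimate transfer form can embed it."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def is_valid_transfer(session, request):
    """Accept the transfer only if it carries the token this session issued.
    A request forged by another site arrives with the victim's cookie, but the
    forging page cannot read the legitimate form and so cannot supply the token."""
    expected = session.get("csrf_token")
    provided = request.get("form", {}).get("csrf_token")
    if not expected or not isinstance(provided, str):
        return False
    # Constant-time comparison: do not leak token bytes through timing.
    if not hmac.compare_digest(expected, provided):
        return False
    # Defence in depth: when the browser sends an Origin header, it is set by the
    # browser (not by page script), so a cross-site submission is visible here.
    origin = request.get("headers", {}).get("Origin")
    return origin is None or origin == OUR_ORIGIN


def demo():
    """Constructed scenario: Alice logged in earlier; later her browser submits
    one transfer from our own page and one composed by a hacker site."""
    session = {"user": "alice"}
    token = issue_token(session)
    legit = {"headers": {"Cookie": "sid=abc123", "Origin": OUR_ORIGIN},
             "form": {"to": "bob", "amount": "100", "csrf_token": token}}
    forged = {"headers": {"Cookie": "sid=abc123", "Origin": "https://hacker.example"},
              "form": {"to": "mallory", "amount": "100000"}}
    return is_valid_transfer(session, legit), is_valid_transfer(session, forged)


if __name__ == "__main__":
    print(demo())   # legitimate request accepted, forged one rejected
```

The token must be unguessable (hence `secrets`) and bound to the session, and the comparison must be constant-time; the Origin check is a second, independent signal and is not relied on alone because older browsers omit the header.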
Recall: client-side security is difficult!! One client can interact with many e-commerce servers.
- Potential problem: information from e-commerce sites can be stolen from the cookies on a client machine.
- Other means: email attachments, reading email from browsers, screen savers, installation of free software, etc.
- Protection means: anti-virus software, user education, a better user protection environment (e.g. signed applets)
[Figure: A's key pair (Apub, Aprv) applied to a message M, giving the ciphertext C and recovering M; a second diagram shows a modified ciphertext C' in place of C.]
Relationship with CA
[Figure: a certificate stating "Bob's public key is 7890", signed by Adam. The signing step takes Bpub and produces the signature CA_Sig using the CA's private key CAprv.]
[Figure: the signed applet case, in which a root CA vouches "B1 is my customer, trust him!" to the browser. (3) S1's applet can be executed in the browser; the user is shown a Yes answer (and S1's cert details).]
In case no "Big Brother" (root CA) knows S1, the user will be prompted to decide whether he trusts S1 or not.
"No" means: the web server (S1) providing the signed applet is not a valid customer of any of the root Certification Authorities. The browser lets you decide whether to execute the signed applet or not.
SSL Protection
- SSL provides secure encryption between the two endpoints (browser and server). No intermediate routers or processes can see the content.
- Limitation: the two endpoints can still leak information.
- Discussion question: what protection does SSL provide to a company?
  - What is its value for customer access? What is its value for employee access?
  - Is SSL necessary? Is SSL sufficient?
- The risk: data unprotected by SSL may be seen by intermediate routers. In many cases this is still safe. BUT: attack code in non-SSL data can be dangerous!!
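The last point is the "mixed content" problem: an SSL page whose scripts, frames or stylesheets are fetched over plain http gives an intermediate router a place to substitute attack code, even though the page itself was protected. One defender's check is to scan the served HTML for active sub-resources with an http URL. The scanner below is an added example for these notes, not code from the lecture; the HTML it scans and the host names in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that the browser fetches. "active" content is executed or
# rendered into the page, so plain-http versions can carry attack code;
# images are "passive" (still a confidentiality/integrity issue, lower impact).
FETCHED_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),     # only counted when rel="stylesheet", see below
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
}


class MixedContentScanner(HTMLParser):
    """Collect (severity, tag, url) for every sub-resource an https page
    loads over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlparse(page_url).scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        entry = FETCHED_ATTRS.get(tag)
        if entry is None:
            return
        attr_name, severity = entry
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return   # canonical/alternate links are not fetched into the page
        value = attrs.get(attr_name)
        if not value:
            return
        # Relative and protocol-relative ("//cdn...") URLs inherit the page's
        # scheme, so only an explicit "http:" scheme on an https page is flagged.
        if urlparse(value).scheme == "http" and self.page_scheme == "https":
            self.findings.append((severity, tag, value))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one clean stylesheet, one protocol-relative script,
# and three plain-http sub-resources.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="http://shop.example/">
<script src="http://cdn.example/analytics.js"></script>
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<iframe src="http://ads.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for severity, tag, url in find_mixed_content("https://shop.example/", SAMPLE_HTML):
        print(severity, tag, url)
```

Run over a page served as https, the scan reports the analytics script and the ad frame as active mixed content and the logo as passive; the same markup served over plain http reports nothing, because then every sub-resource is equally exposed and SSL is not in the picture at all.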
Case of CAPTCHA
CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart
CAPTCHA is usually used to protect websites against bots that abuse them, and is usually placed:
- at a login form, to prevent dictionary attacks
- before account registration
- before showing an e-mail address on a personal website, so that spammers crawling the web for valid addresses do not harvest yours
- etc.
E.g. reCAPTCHA
- Google's project (http://www.google.com/recaptcha)
- A plug-in offered as a web service
- Only a few lines of code need to be added to your website to embed it
Alternative implementations
Rely on visual perception (more than distorted text):
- identifying an object that does not belong in a particular set of objects
- locating the centre of a distorted image
- identifying distorted shapes
- 3D CAPTCHA, etc.
Cases
- D-Link adds CAPTCHA to home routers. The new CAPTCHA system will be particularly useful to thwart malicious attacks that target default passwords on routers to alter DNS records and hijack all future connections. http://www.zdnet.com/blog/security/d-link-adds-captcha-to-home-routers/3365?tag=content;search-results-rivers
- Gmail, Yahoo and Hotmail systematically abused by spammers. The MessageLabs Intelligence annual report for 2008 indicates that on average 12 percent of the spam volume they monitored in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, with a September peak of 25%. Vendors cite machine-learning CAPTCHA-breaking techniques as the cause; some doubt this and suspect the spammers actually outsource the account registration process to human CAPTCHA solvers. http://www.zdnet.com/blog/security/gmail-yahoo-and-hotmail-systematically-abused-by-spammers/2293?tag=content;search-results-rivers
Attack
Technical attack: Microsoft's CAPTCHA successfully broken (May 31, 2008)
A research paper entitled "A Low-cost Attack on a Microsoft CAPTCHA" published the attack. Microsoft's CAPTCHA scheme was designed to be segmentation-resistant. However, the attackers' simple attack achieved a segmentation success rate higher than 90% against this scheme. They show that a CAPTCHA carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks, and that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust. http://www.zdnet.com/blog/security/microsofts-captcha-successfully-broken/1232
Human attack: some companies provide a plug-in for your program.
When your program sees a CAPTCHA request, the picture is sent to the company, and the company has a group of human beings who answer it for you.
[Figure: the web server passes the bad input from the URL on to the database.]
Bad input: user = ' or 1=1 --
The -- causes the rest of the line to be ignored. Now ok.EOF is always false and the login succeeds.
Is this exploitable?
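To see why the login check above collapses, and what the fix looks like, the following is an added example for these notes (not the lecture's server code): the same login written with string concatenation, as the slide's server does, and with a parameterised query, run against a constructed in-memory SQLite table. The table name, column names and the user `alice` are constructed; passwords are stored in plaintext only to keep the example short.

```python
import sqlite3

# The slide's bad input, verbatim.
BAD_INPUT = "' or 1=1 --"


def make_db():
    """Constructed sample database: one user with a known password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, user, password):
    """Login check built by string concatenation (the slide's situation).
    With BAD_INPUT as the user name the query becomes
      SELECT name FROM users WHERE name = '' or 1=1 --' AND password = '...'
    The quote closes the literal, `or 1=1` makes the WHERE clause always true,
    and `--` comments out the password test, so a row always comes back."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, password):
    """Same check with a parameterised query: the input is bound as data by
    the driver and never parsed as SQL, so the quote and `--` are just
    characters in a name that matches no row."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Return (vulnerable login with bad input, safe login with bad input,
    safe login with correct credentials)."""
    conn = make_db()
    return (login_vulnerable(conn, BAD_INPUT, "anything"),
            login_safe(conn, BAD_INPUT, "anything"),
            login_safe(conn, "alice", "correct horse"))


if __name__ == "__main__":
    print(demo())   # (True, False, True)
```

The answer to "Is this exploitable?" is therefore yes for the concatenated form: the attacker needs no valid password at all. The parameterised form keeps the identical SQL logic and only changes how the user's text reaches the database, which is why it is the standard fix rather than input filtering.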