
ActiveX security. The first technology I want to talk about is a Microsoft technology that has been implemented in their browsers for some time now. ActiveX presents controls or applets that let a page go beyond plain HTML and customize controls and features. It runs on the client side, which makes it vulnerable to attack, in Internet Explorer. The newer browsers now have ActiveX controls that can be embedded. Go to Internet Options and click on the Security tab; you can see the different zones at the top, and if I click a zone, let's say Internet, and choose Custom level, you can see the different security settings for that particular zone. But not to go off track, we are talking about ActiveX here, so if I scroll down you can see there are various options for how you want to configure ActiveX in your browser. You can either disable, enable or prompt, where if I choose prompt it will ask me before it makes any changes. You can see I have "Download unsigned ActiveX controls" disabled, because that is where the most damage can come from if it is enabled. Also, "Download signed ActiveX controls" usually means that the control has been verified by a certificate authority, but that is not always the case. So you can see that from the end-user side you do have some functionality to manage how ActiveX is used on your computer.

Java is a full-blown programming language. It has a Java runtime engine and environment, and a number of languages that use Java. What we are worried about is Java applets: small chunks of code that can run in a mobile phone or a browser to improve functionality on the web. It has been a while, since 1994, when it was introduced in the Mosaic browser. To use applets in a browser you have to download the Java runtime engine. Java applets run in a sandbox, a safe area: a restricted area of memory that limits the applet's access to resources, so it does not get access to sensitive data. But an applet can get out of the sandbox through errors in the virtual machine. Many organizations will block Java applets and other scripting with IDS and IPS. Application firewalls can combat this as well.

Most popular exploit on the net: cross-site scripting (XSS) accounts for 80% of the documented security vulnerabilities. It is found in web programs that allow code injection into web pages. It is also used to create phishing emails, phishing attacks and browser exploits. The attack is often transparent to the user, but in the background there is financial loss and privilege escalation. XSS scripts are written in the markup and scripting the browser already runs: HTML, ActiveX, Adobe Flash. Sites you are familiar with, like MySpace, Facebook, Yahoo, Google and Netscape, have all been victims of XSS. It is a major threat. There are three kinds. DOM-based (type zero): the flaw is in the page's client-side script, such as JavaScript. Non-persistent, the most common: data provided by a web client is used by server-side scripts to generate a page of results for the user; what the attacker will do is use social engineering to get the user to follow a URL that places code in the results page, which gives the attacker access to important information from the end user. Persistent: data is offered to a web application by a user, is first stored on the server, for example in a database, and is later displayed in a web page to the user.

How do we mitigate XSS if it is such a huge problem? One way to prevent it is to eliminate scripts altogether: don't use client-side scripts at all. You can use your web browser to eliminate these scripts on a per-domain basis; the IE security zones can be used for this. Go to Internet Options > Security > Custom level, and there is a whole Scripting category. So we have the capability within our browsers. Another way is input validation, which is a concept on the exam. A form will accept some field that contains certain information, like a phone number, and the server-side routine can remove all characters but the digits and parentheses of the number, so the input does not carry any scripting. So you validate the input of the form on the web page. This is also good against SQL injection.
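An added example, not part of the original notes, of the phone-number validation described above next to the non-persistent XSS pattern it defends against. The function names and the sample form values are my own constructions; the example also goes one step beyond the notes by HTML-escaping the free-text field, where an allowlist like the phone one cannot be applied.

```python
import html
import re

# Allowlist for the phone-number field: only digits and parentheses survive,
# exactly the server-side routine the notes describe.
_NOT_PHONE_CHARS = re.compile(r"[^0-9()]")


def validate_phone(raw: str) -> str:
    """Server-side input validation: strip everything except digits and parentheses."""
    return _NOT_PHONE_CHARS.sub("", raw)


def render_results_unsafe(name: str, phone: str) -> str:
    """Non-persistent XSS pattern: form fields are echoed straight into the results page."""
    return f"<p>Results for {name} at {phone}</p>"


def render_results_safe(name: str, phone: str) -> str:
    """Hardened version: allowlist-validate the structured field, HTML-escape the free-text one."""
    return f"<p>Results for {html.escape(name)} at {validate_phone(phone)}</p>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderings."""
    return "<script" in page.lower()


# Constructed sample input: the kind of values a crafted URL would feed into the form fields.
SAMPLE_NAME = "Bob<script>evil</script>"
SAMPLE_PHONE = "(555) 123-4567<script>evil</script>"

if __name__ == "__main__":
    print(render_results_unsafe(SAMPLE_NAME, SAMPLE_PHONE))  # script tag reaches the page
    print(render_results_safe(SAMPLE_NAME, SAMPLE_PHONE))    # it does not
```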

Cookies are text files stored on the user's hard drive, used for tracking through a website. Cookie security can be used against XSS. Many applications use session cookies for authentication of the TCP request. The web app will tie the session cookie to the user's IP address to mitigate XSS, so it only allows that IP address to use the session cookie, which is good in many situations.
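An added example, not from the original notes, of a server-side session table that ties each session cookie to the IP address it was issued to, as described above. The in-memory store, the function names and the documentation-range IP addresses are my own constructions.

```python
import secrets
from typing import Dict, Optional

# Server-side session table: cookie value -> {"user": ..., "ip": ...}.
# Constructed in-memory store for the example; a real app would use a database or cache.
_SESSIONS: Dict[str, Dict[str, str]] = {}


def issue_session(user: str, client_ip: str) -> str:
    """Log a user in: mint an unguessable session cookie and record the IP it was issued to."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = {"user": user, "ip": client_ip}
    return token


def validate_session(token: Optional[str], client_ip: str) -> Optional[str]:
    """Return the user for this cookie, or None if it is unknown or presented from another IP."""
    if not token:
        return None
    record = _SESSIONS.get(token)
    if record is None:
        return None
    if record["ip"] != client_ip:
        # The cookie is being replayed from somewhere it was not issued to (for instance
        # after it leaked through XSS): refuse the request and revoke the session.
        del _SESSIONS[token]
        return None
    return record["user"]


def revoke_session(token: str) -> None:
    """Explicit logout."""
    _SESSIONS.pop(token, None)
```

The same binding is what makes this imperfect: a legitimate user whose address changes mid-session (mobile handoff, NAT pools) is logged out too, which is why the notes say it is good in many, not all, situations.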

Buffer overflows are the second most popular client attack. One was found in Outlook Express: a flaw in the program allowed a target workstation to be sent an email virus. A process or program stores data in a temporary area called a buffer and attempts to put more data into it than the buffer can hold. The buffer can only hold a certain amount of data, so the rest has to flow elsewhere: it can overflow into other buffers, damage user files, or send instructions to other sections of the computer. It can be intentional or unintentional, either a malicious hacker or just an error within the program. Worms that exploit buffer overflows include the Code Red worm and the SQL Slammer worm.

P2P file sharing: most of the files shared are pirated, which can cause network bandwidth problems and legal problems as well. Problems with P2P file sharing: you can get spyware programs, adware and spyware, backdoors, Trojans, viruses and worms embedded in the executable files you download. Use a firewall to block certain ports, but P2P programs can use dynamic ports too. In the corporate world you would include this in the security policy and there should be some type of enforcement. If you are going to use them, be careful what you share. If you designate the root C: drive to store the shared files, in essence you are letting anyone on the network see everything on that drive, which includes critical system files. Make sure your anti-virus/anti-spyware programs scan these files as you download them. Install at your own risk.

Phishing within the past year or so has become such a lucrative exploit that hackers have used this attack in growing numbers. They create lookalike sites, like PayPal or BOA, and send users emails to lure them into sending back user names, bank account numbers, social security numbers, etc., anything confidential, to steal their identity or get access to their credit card accounts. GET A PHISHING EMAIL SAMPLE.
