Chapter 2: Attackers and Their Attacks

Chapter 6: Web Security
Security+ Guide to Network Security Fundamentals, Second Edition

Objectives
- Protect e-mail systems
- List World Wide Web vulnerabilities
- Secure Web communications
- Secure instant messaging

Protecting E-Mail Systems
- E-mail has replaced the fax machine as the primary communication tool for businesses
- Has also become a prime target of attackers and must be protected

How E-Mail Works
- E-mail uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  - Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  - Post Office Protocol (POP3 for the current version) handles incoming mail
- The SMTP server on most machines uses sendmail to do the actual sending; outgoing messages wait in a queue called the sendmail queue

How E-Mail Works (continued)
- POP3 is a basic protocol that allows users to store a collection of messages on the server
  - The e-mail client connects to the POP3 server and downloads messages onto the local computer
  - After messages are downloaded, they are generally erased from the POP3 server

How E-Mail Works (continued)
- Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
- Internet Mail Access Protocol (IMAP4, port 143) is a more advanced protocol that solves many problems
  - E-mail remains on the e-mail server
  - E-mail can be organized into folders and read from any computer
  - E-mail can be read and replied to while offline; the next time a connection is established, mail is sent

E-Mail Vulnerabilities
- Several e-mail vulnerabilities can be exploited by attackers:
  - Malware
  - Spam
  - Hoaxes

Malware
- Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
- E-mail is the malware transport mechanism of choice for two reasons:
  1. Because almost all Internet users have e-mail, it has the broadest base for attacks
  2. Malware can use e-mail to propagate itself

Malware (continued)
- Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
  - E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
- Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail

Spam
- The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
- The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Spam (continued)
- According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
- Spam is having a negative impact on e-mail users:
  - 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
  - 52% of users indicate spam has made them less trusting of e-mail in general
  - 70% of users say spam has made being online unpleasant or annoying

Spam (continued)
- Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
  - Spam and e-mail firewall (Barracuda)
- Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
- Sophisticated e-mail filters can use Bayesian filtering
  - User divides e-mail messages received into two piles, spam and not-spam
  - The filter looks for words that appear more often in each pile to calculate new messages’ probability of being spam or not spam

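The two-pile procedure described above, as an added example that is not part of the original slides: a small naive Bayes filter with add-one smoothing. The class name, the tokenizer and the training messages are constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text):
    """Lower-cased words as a set, so a word counts once per message."""
    return set(re.findall(r"[a-z0-9$']+", text.lower()))

class BayesianFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.message_counts = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """Add one user-sorted message to the 'spam' or 'ham' (not-spam) pile."""
        self.message_counts[label] += 1
        self.word_counts[label].update(tokens(text))

    def spam_probability(self, text):
        """P(spam | words) by naive Bayes with add-one smoothing."""
        total = sum(self.message_counts.values())
        score = {}
        for label in ("spam", "ham"):
            n = self.message_counts[label]
            score[label] = math.log((n + 1) / (total + 2))  # smoothed prior
            for word in tokens(text):
                seen = self.word_counts[label][word]
                # Share of this pile's messages containing the word; the +1/+2
                # keeps a never-seen word from forcing the probability to zero.
                score[label] += math.log((seen + 1) / (n + 2))
        # Turn the two log scores into a probability; clamp to avoid overflow.
        diff = max(-700.0, min(700.0, score["ham"] - score["spam"]))
        return 1.0 / (1.0 + math.exp(diff))

# Constructed training piles (illustrative text, not real mail).
SPAM_PILE = ["Win cash now, claim your free prize",
             "Free prize waiting, click now",
             "Cheap meds, win big cash"]
HAM_PILE = ["Meeting moved to Monday, agenda attached",
            "Can you review the quarterly report",
            "Lunch on Monday? Report is attached"]

def build_trained_filter():
    f = BayesianFilter()
    for label, pile in (("spam", SPAM_PILE), ("ham", HAM_PILE)):
        for text in pile:
            f.train(text, label)
    return f
```

With these piles, a message made only of words the filter has never seen scores exactly 0.5, which is why a production filter needs a large, regularly retrained corpus before its verdicts are used to block mail.
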
Hoaxes
- E-mail messages that contain false warnings or fraudulent offerings
- Unlike spam, are almost impossible to filter
- Defense against hoaxes is to ignore them

Hoaxes (continued)
- Any e-mail message that appears as though it could not be true probably is not
- E-mail phishing is also a growing practice
- A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption
- Two technologies used to protect e-mail messages as they are being transported:
  - Secure/Multipurpose Internet Mail Extensions
  - Pretty Good Privacy

Secure/MIME (S/MIME)
- Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
  - MIME was originally intended to send nontext files
- Provides these features:
  - Digital signatures
  - Message privacy
  - Tamper detection
  - Interoperability
  - Seamless integration

Pretty Good Privacy (PGP)
- Functions much like S/MIME by encrypting messages using digital signatures
- A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
- First compresses the message
  - Reduces patterns and enhances resistance to cryptanalysis
- Creates a session key (a one-time-only secret key)
  - This key is a number generated from random movements of the mouse and keystrokes typed

Pretty Good Privacy (PGP)
- PGP uses a passphrase to encrypt the private key on the local computer
- Passphrase:
  - A longer and more secure version of a password
  - Typically composed of multiple words
  - More secure against dictionary attacks

[Figure: Pretty Good Privacy (PGP) encryption]

Examining WWW Vulnerabilities
- Originally, webpages were static, and links on one webpage would take you to another static page
  - Content on the page did not change or move
- Dynamic content can also be used by attackers
  - Dynamic content is content that can change, such as animated images or information that is customized based on who is viewing the page
  - Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript
- Popular technology used to make dynamic content
- When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user’s computer
- The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter

JavaScript (continued)
- Several defense mechanisms prevent JavaScript programs from causing serious harm:
  - JavaScript does not support certain capabilities
  - JavaScript has no networking capabilities
- Other security concerns remain:
  - JavaScript programs can capture and send user information without the user’s knowledge or authorization
- JavaScript security is handled by restrictions within the Web browser

Java Applet
- A separate program stored on a Web server and downloaded onto a user’s computer along with HTML code
- Can also be made into hostile programs
- Sandbox is a defense against a hostile Java applet
  - Surrounds program and keeps it away from private data and other resources on a local computer
- Java applet programs should run within a sandbox

Java Applet (continued)
- Two types of Java applets:
  - Unsigned Java applet: program that does not come from a trusted source
  - Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
- The primary defense against Java applets is using the appropriate settings of the Web browser

ActiveX
- Set of technologies developed by Microsoft
- Outgrowth of two other Microsoft technologies:
  - Object Linking and Embedding (OLE)
  - Component Object Model (COM)
- Not a programming language but a set of rules for how applications should share information

ActiveX (continued)
- ActiveX controls represent a specific way of implementing ActiveX
  - Can perform many of the same functions of a Java applet, but do not run in a sandbox
  - Have full access to Windows operating system
- ActiveX controls are managed through Internet Explorer
- ActiveX controls should be set to most restricted levels

Cookies
- Computer files that contain user-specific information
- Need for cookies is based on Hypertext Transfer Protocol (HTTP)
- Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer (dynamic content)
- Attackers often target cookies because they can contain sensitive information (usernames and other private info)

Cookies (continued)
- Can be used to determine which Web sites you view
- First-party cookie is created from the Web site you are currently viewing
- Some Web sites attempt to access cookies they did not create
  - If you went to www.b-org, that site might attempt to get the cookie A-ORG from your hard drive
  - Now known as a third-party cookie because it was not created by the Web site that attempts to access the cookie

Common Gateway Interface (CGI)
- Set of rules that describes how a Web server communicates with other software on the server and vice versa
- Commonly used to allow a Web server to display information from a database on a Web page or for a user to enter information through a Web form that is deposited in a database

Common Gateway Interface (CGI)
- CGI scripts create security risks
  - Do not filter user input properly
  - Can issue commands via Web URLs
- CGI security can be enhanced by:
  - Properly configuring CGI
  - Disabling unnecessary CGI scripts or programs
  - Checking program code that uses CGI for any vulnerabilities

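What to look for when checking CGI code for unfiltered input, as an added example that is not part of the original slides: the risky pattern next to a hardened form. The `host` parameter, the `nslookup` lookup and both function names are assumptions chosen for illustration.

```python
import re
from urllib.parse import parse_qs

# Allowlist: letters, digits, dots and hyphens only, starting and ending with
# a letter or digit (so the value can never begin with "-" and be read as an
# option), at most 253 characters in total.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def unsafe_command(query_string):
    """The risky pattern: user input pasted into a shell command line.

    The string is returned, not executed, to show what a shell would be given.
    """
    host = parse_qs(query_string).get("host", [""])[0]
    return "nslookup " + host

def safe_argv(query_string):
    """Validate the parameter, then build an argument list (no shell).

    Raises ValueError for anything that is not a single plain hostname.
    In a CGI script the query string comes from the QUERY_STRING environment
    variable, and the returned list goes to subprocess.run() without
    shell=True, so the value is never interpreted by a shell.
    """
    values = parse_qs(query_string, keep_blank_values=True).get("host", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'host' parameter")
    host = values[0]
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host contains characters outside the allowlist")
    return ["nslookup", host]

if __name__ == "__main__":
    # Constructed query strings; the second carries a URL-encoded ';'.
    for qs in ("host=example.com", "host=example.com%3Becho%20injected"):
        print(repr(unsafe_command(qs)))
        try:
            print(safe_argv(qs))
        except ValueError as err:
            print("rejected:", err)
```
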
Securing Web Communications
- Most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
- One implementation is the Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- SSL protocol developed by Netscape to securely transmit documents over the Internet
  - Uses private key to encrypt data transferred over the SSL connection
  - Version 2.0 is most widely supported
  - Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
  - The last version of SSL was SSL 3.0

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
  - An extension of SSL; they are often referred to as SSL/TLS
- SSL/TLS protocol is made up of two layers
  - TLS Handshake Protocol
  - TLS Record Protocol
- The current version of TLS is 1.1
  - TLS 1.0 is the successor to SSL 3.0

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
- After the Handshake Protocol sets up the encryption, message authentication code (MAC) and key exchange, the Record Protocol does the compression and encryption
- FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
  - Has cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)
- One common use of SSL is to secure Web HTTP communication between a browser and a Web server
  - This version is “plain” HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
  - Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
- Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Summary
- Protecting basic communication systems is a key to resisting attacks
- E-mail attacks can be malware, spam, or hoaxes
- Web vulnerabilities can open systems up to a variety of attacks
- A Java applet is a separate program stored on the Web server and downloaded onto the user’s computer along with the HTML code

Summary (continued)
- ActiveX controls present serious security concerns because of the functions that a control can execute
- A cookie is a computer file that contains user-specific information
- CGI is a set of rules that describe how a Web server communicates with other software on the server
- The popularity of IM has made this a tool that many organizations are now using with e-mail
