Application Security:
Electronic Commerce and E-Mail
1.
a) What can hackers gain by taking over application programs?
They often can get the application’s access rights. Many applications run
as root, so a hacker who takes them over has root control over the
computer.
b) What is the most popular way for hackers to take over hosts?
Hacking applications.
Why is patching applications more time consuming than patching operating
systems?
There are many more applications than operating systems, so the total
work of patching them is much larger than the total work of patching
operating systems.
<Each has its own way of announcing patches and doing patching, which
must be learned>
2.
a) Why must you know a server’s role to know how to protect it?
Specific types of servers (webservers, mail servers, etc.) need to allow
specific types of communication. Other types of communication should be
disallowed.
b) Why is it important to minimize both main applications and subsidiary
applications?
Hackers often attack poorly known subsidiary applications. If they
succeed, they get the access rights of the main application.
c) Why are security baselines needed?
Hardening an application is so complex that people cannot know or
remember all the steps. They must consult the security baseline like a pilot
going through a checklist before take-off.
h) Why is application-level authentication desirable?
This provides a second level of protection to provide defense in depth.
3.
a) List the reasons why webserver and e-commerce server security are important.
External parties and corporate employees often need information at
corporate websites to do their work.
Many companies depend heavily on their e-commerce sites to generate
sales
b) What monetary losses might come from website defacements?
Lost productivity.
Lost revenues.
Lost reputation.
Lost market capitalization (stock price).
c) From customer fraud?
The cost of goods shipped and not paid for.
Charge-back costs by credit card companies when charge card numbers
are rejected.
d) From a failure to protect customer private data?
Government sanctions.
Lawsuits
a) Distinguish between webservice and e-commerce service.
Webservice implements basic HTTP request–response cycles.
E-commerce adds functions on top of webservice—an interactive
catalogue, a shopping cart, order entry, payment, etc.
b) Why are custom programs written?
To provide specific functionality not in the base package.
c) What kinds of external access are needed for e-commerce?
Page 2
Merchant banks.
Credit card number verification firms.
Credit reporting firms.
d) Does the webmaster or e-commerce master have control over the security of
other servers inside and outside the firm?
Usually not.
4.
a) What software must be patched on an e-commerce server?
The main e-commerce software.
Subsidiary software, such as PHP.
The WWW software.
b) What three other webserver protections?
Run website vulnerability tools.
Examine website error logs regularly.
Add a webserver firewall.
Lock down the application by permitting only the fewest possible
subsidiary applications for basic operation, adding more only as needed.
a) Distinguish between static and dynamic (active) webpages.
Static webpages have viewable content but are passive.
Dynamic or active webpages have logic and can take action. If an attacker
designs them for nefarious purposes, dynamic webpages can do damage to
the user or the server.
11.
a) Why do hackers attack browsers?
To get data stored on the client.
To use the client to attack other computers.
b) How do HTML scripts aid hackers?
Scripts execute when the webpage is opened.
Scripts are easy to write.
c) What is a Java applet?
Page 3
It is a small Java program that executes when a webpage is loaded or when
the user takes specific actions.
d) How do scripting languages compare to full programming languages?
Scripts are easier to write but are less powerful in what they can do.
e) Is JavaScript a scripted form of Java?
No.
f) Why is Active-X dangerous?
There are almost no limitations on what Active-X attacker components
can do.
g) Do users have to click on malicious links to actuate them?
Not always.
h) Using Windows defaults, what will malicious.txt.exe look like to a user?
malicious.txt
i) If a user has been involuntarily redirected to an unwanted webpage, what
effects might the user see?
They may see content that offends them.
They may get pop-behind ads whose origins are obscured by the time they
are found.
The webpages they download may contain malicious active content. For
instance, if the user types incorrect URLs in the future, they may be taken
to pornographic websites.
j) Why do attackers want to get domain names such as micosoft.com?
If users type these names accidentally, they can be sent rogue webpages.
k) How are cookies used to track users within a website?
A server can send a cookie to the browser. Only the website can read this
cookie. The cookie can contain a history of where the user has gone in the
website. With each new website visit, the cookie is updated.
l) How do web bugs track users?
Page 4
Web bugs are small or invisible graphics. Loading them requires and http
request message to a website. That website can keep track of who
downloaded the picture.
5.
a) What can users do to enhance browser security?
Apply patches and upgrade to a newer version.
Change settings to provide better security.
b) Under Internet Options in IE6.0, what do the three security-related tabs
control?
Security: Set security options for various Internet zones. Can use pre-set
values or customized options.
Privacy: To control what information is give to websites.
Content: Flag websites with questionable content; test digital certificates.
c) Why is the remote management of browsers desirable?
Users have neither the expertise nor the willingness to have high browser
security.
Users may deliberately turn off security features.
6.
a) Where should antivirus filtering be done?
It should be done on user PCs, on the mail server, and perhaps also by an
outsourcing firm.
It should NOT be done only on the user PC. Although users should have
antivirus software for defense in depth, they often turn it off accidentally
or deliberately.
Doing antivirus filtering at the mail server increases the mail server load,
but it cannot be turned off by users and will block viruses and other
malware before they reach users.
Doing antivirus filtering an outsourcing firm can get rid of viruses and
other malware before they ever reach the firm, and such firms have strong
antivirus knowledge.
b) Why are HTML bodies in e-mail messages dangerous? (Yes, this is a repeat of
Part g in the previous question. Sorry.)
They can contain active content that can be used to attack the receiver.
c) What is spam?
Page 5
The term “spam” (not capitalized except in titles or at the start of
sentences) is unsolicited commercial e-mail.
“Spam” (is a Hormel meatish product. (Not “songy pink animal matter”.)
d) Why is spam filtering dangerous?
It often filters out legitimate messages.
e) Why do companies filter sexually or racially harassing message content?
These can lead to lawsuits.
a) Is encryption widely used in e-mail?
No.
b) Compare PGP and S/MIME in terms of how verifiers learn the true party’s
public key.
In PGP, there are circles of trust. If someone you trust trusts a third party,
you may trust that third party’s public key.
S/MIME requires the verifier to get the true party’s public key from a
certificate authority.
c) Describe the advantages and disadvantages of each approach.
With PGP, misplaced trust tends to spread through the community.
Public Key Infrastructures are complex to establish.
d) How does TLS differ from the other two common encryption methods?
TLS does not provide end-to-end protection from the sender to the
receiver—only from the sender to the sender’s mail server and from the
receiver’s mail server to the receiver.
7.
a) Why is it good for database applications and other applications to have their
own passwords beyond the computer’s login password?
Database applications tend to be extremely sensitive, so adding an extra
layer of access control gives defense in depth.
Also, database access control can be more granular (specific) than all-ornothing access to an application.
b) What is granularity in database access control?
Page 6
Determining what row and column data a user can see.
Determining whether the user can see averages and other summary data or
individual data.
c) What are the security concerns raised by instant messaging?
Unrecorded conversations (the law requires certain messages to be
retained)
File transfers that bypass antivirus protections and that may infect users.
8.
An employee working at home complains that some of her messages to fellow
employees at the firm’s headquarters site are not getting through. What might be
the problem?
Possibilities
The message may have been addressed incorrectly.
These message may be being filtered out by an antivirus program
or by a content filtering program at the e-mail server.
The receiver may have a filter that is deleting these messages
automatically.
If the user is getting error reports back, these should be studied.
Reducing Alternative Hypotheses
Get the error message the user received.
The absence of an error message could also shed light on the
situation.
9.
A company is warned by its credit card companies that it will be classified as a
high-risk firm unless it immediately reduces the number of fraudulent purchases
made by its e-commerce clients. What should it do?
Check the validity of credit card numbers. This is the most crucial thing to
do.
Avoid international sales if there is a special problem with international
sales.
Require authentication (this will lose business). For instance, require a
telephone number and call that number.
Page 7