Security Breach
BSc in Software Design (Web Development), Y4 Security
Tian Jingquan, A00094635

Introduction

Vulnerabilities are defects in the implementation or in the security policy of hardware, software, or protocols that allow an attacker to gain unauthorized access to a system or to damage it. They are entry points into restricted computer components, applications, or other online resources that were inadvertently left unprotected.

Computers, the Internet, e-commerce, Facebook, smartphones and so on: with the existence and expansion of all of these, security breaches are growing at an unexpected speed and in unpredictable ways. How to prevent security breaches is a hot topic for every industrial and political sector. The most common day-to-day security breaches and problems we come across are injection, denial-of-service attacks, cross-site scripting, and so on. In some cases they cause little or no harm at all; in others they may cost the victim millions, and the side effects can last for a long period.

The Internet is now used more and more widely, and more and more operations, such as transactions, take place on the network. Almost all of them are conducted through the web and use a database to store information. I will focus on the security breaches that occur in these two parts: the web application and the database.

SQL Injection

SQL injection is often used to attack the security of a website by entering SQL statements into a web form to get a badly designed website to perform operations on the database, often to dump the database contents to the attacker. The attacker submits code that queries the database and, from the results returned, obtains the data he wants to know; this is so-called SQL injection. SQL injection is an injection attack: it exploits loopholes at the database layer by inserting SQL commands into the input, changing the structure of the SQL query, and inducing the database server to execute it, so as to achieve the attacker's goal.
SQL injection vulnerabilities arise because no effective measures are taken to distinguish SQL commands from user input data. The attacker can embed attack instructions in the input data, change the structure of the SQL query, and induce the database system to execute it, so as to achieve his goal. There is no way to fully protect against SQL injection attacks (SQLIA), but the prevention methods listed below can minimize the possibility of being attacked.

Example of SQL injection:

(1) An ASP.NET web application has a login page. The login page controls whether the user has access to the application, and it requires the user to enter a name and a password.

(2) On the login page, the entered content is used directly to construct a dynamic SQL command, or directly as a parameter of a stored procedure. Here is an example of how the ASP.NET application constructs the query:

    // The user's raw input is concatenated straight into the SQL text (this is the vulnerable pattern).
    System.Text.StringBuilder query = new System.Text.StringBuilder("SELECT * FROM Users WHERE login = '")
        .Append(txtLogin.Text)
        .Append("' AND password = '")
        .Append(txtPassword.Text)
        .Append("'");

(3) The attacker enters ' or '1'='1 (or something similar) in both the user name and the password input boxes.

(4) The user input is submitted to the server, and the server runs the ASP.NET code above to construct the SQL command that queries for the user. Because the content the attacker entered is very special, the resulting SQL command becomes:

    SELECT * FROM Users WHERE login = '' or '1'='1' AND password = '' or '1'='1'

(5) The server executes the query or stored procedure to compare the identity information stored on the server with the identity information entered by the user.
(6) Since the SQL command has effectively been modified by the injection attack, it no longer truly authenticates the user, and the system mistakenly grants access to the attacker. If the attacker knows that the content entered into the application's form will be used directly in the identity-verification query, he will try to enter special SQL strings to tamper with the query and change its original function, cheating the system into granting access. The damage an attacker can cause differs with the system environment, and is mainly determined by the database permissions the application uses. If the application's database account has administrator or other elevated permissions, the attacker can perform any operation he wants on the database tables, including adding, deleting, or updating data, and may even drop tables.

Prevention of SQL injection:

1. Parameterized statements. Rather than embedding user input in the query text, each user input should be assigned to a parameter that has been declared in a parameterized query statement. Use type-safe parameterized statements: most APIs, including ADO.NET in ASP.NET 2.0, let the programmer specify the type of each variable (string, integer, varchar, date, etc.), and by doing so these variables are escaped or encoded by the data access layer.

2. Escaping. A straightforward, though error-prone, way to prevent injection is to escape the characters that have a special meaning in SQL. For example, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal.

3. Security review. Have a formal security process: review all the code before going live, and review each update afterwards.

4. Do not store critical data in the database directly. All passwords should be saved only after one-way hashing. This is done automatically in ASP.NET 2.0. In this way, even if the database is hacked, the sensitive data cannot be used.

5. Use an anti-SQL-injection program.

Bit9 security breach

1.
In July 2012, Bit9 said that a common web application vulnerability was responsible for allowing hackers to, ironically, use the security vendor's own systems as a launch pad for attacks on other organizations. In an embarrassing admission, Bit9 said earlier this month that it had neglected to install its own software on part of its network, which led to the compromise. Bit9 said the attackers gained access by exploiting a SQL injection flaw in one of its Internet-facing web servers. A SQL injection flaw can allow a hacker to enter commands into a web-based form and get the backend database to respond to them. All told, three Bit9 customers were attacked, but Bit9's CTO Harry Sverdlove did not reveal their names. More than 1,000 companies use Bit9's software, including Fortune 500 companies in banking, energy, aerospace and defense, and U.S. federal government agencies.

2. When it happened.

The compromised server was shut down for about six months, but was brought back online in January. Bit9 then discovered the problem. "We took immediate containment and remediation steps, revoked the certificate in question and reached out to our entire customer base," wrote Harry Sverdlove, Bit9's CTO. Sverdlove wrote that the attacks appeared to be designed to "infiltrate select US organizations in a very narrow market space." Utilities, banks and government entities were not affected, he wrote.

Analysis of the compromise

We see that after the restart in January, Bit9 quickly found the problem, which indicates that a security monitoring process was in place so that problems could be found quickly. Look also at Bit9's remedy: "We took immediate containment and remediation steps, revoked the certificate in question and reached out to our entire customer base." They also reviewed their entire code base. The company is also undergoing a security audit and has "addressed the errors that led to the compromise." As we can see, a good security system can save a lot of losses.
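As an added example (not code from the essay), the login query above rebuilt in Python against an in-memory SQLite table, so the concatenated form from step (2) can be compared side by side with the escaping fix (prevention item 2) and the parameterized fix (prevention item 1). The Users table and the 'alice' account are constructed test data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the essay's Users table (one test account)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 's3cret')")
    return conn


def login_concat(conn, login: str, password: str) -> bool:
    """Vulnerable form: mirrors the StringBuilder query, splicing the raw
    input into the SQL text so it can change the query's structure."""
    query = ("SELECT * FROM Users WHERE login = '" + login
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_escaped(conn, login: str, password: str) -> bool:
    """Prevention item 2: double every single quote so the input stays a
    string literal (works here, but easy to forget in one place)."""
    def esc(s: str) -> str:
        return s.replace("'", "''")
    query = ("SELECT * FROM Users WHERE login = '" + esc(login)
             + "' AND password = '" + esc(password) + "'")
    return conn.execute(query).fetchone() is not None


def login_param(conn, login: str, password: str) -> bool:
    """Prevention item 1: parameterized statement; the driver sends the
    input as data, so it can never be parsed as part of the command."""
    query = "SELECT * FROM Users WHERE login = ? AND password = ?"
    return conn.execute(query, (login, password)).fetchone() is not None


def demo() -> dict:
    """Run the essay's attack string from step (3) through all three forms."""
    conn = make_db()
    payload = "' or '1'='1"
    return {
        "concat_bypass": login_concat(conn, payload, payload),    # True
        "escaped_bypass": login_escaped(conn, payload, payload),  # False
        "param_bypass": login_param(conn, payload, payload),      # False
        "param_valid": login_param(conn, "alice", "s3cret"),      # True
    }
```

Only the concatenated form lets the attack string satisfy the WHERE clause without a valid account; the two fixes treat it as an ordinary (non-matching) login name.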
Cross-site scripting attacks

Unlike SQL injection, which targets the web server, a cross-site scripting (XSS) attack targets the clients of the services that the web business system provides. Attackers exploit inadequate or improper validation of user input by the web application, so that script can be executed to steal the victim's information or to run malicious code on the victim's machine. The attacker adds malicious code to a web page, and when visitors browse that page the malicious code is executed; or the attacker sends a message to the administrator to induce him to browse the page, thereby obtaining administrator privileges and control of the entire web site. By exploiting cross-site request forgery, an attacker can easily force the user's browser to issue unintended HTTP requests, such as fraudulent wire transfer requests, password-change requests, and downloads of illegal content.

Prevention of XSS:

1. Try to prevent cross-site vulnerabilities, that is, prevent attackers from publishing cross-site attack statements on the attacked web site. You cannot trust any user-submitted content. First, every place where user input flows into variables in the code must be checked carefully: limit the length and filter the characters "<", ">", ";" and "'". Second, any content must be encoded before it is written to the page, so that an HTML tag cannot accidentally come out. Doing this well blocks at least half of all XSS attacks.

2. Cookie theft. First, avoid disclosing user privacy in a cookie, such as email, password, and so on. Second, bind the cookie to the system IP to reduce the risk of cookie leakage: a cookie obtained by such an attack then has no practical value and cannot be replayed.

3. Try to use POST instead of GET to submit forms. A POST operation cannot be triggered without using JavaScript, which increases the difficulty for the attacker and reduces the cross-site vulnerabilities available to him.

4. Strictly inspect the Referer. Check that the HTTP Referer comes from the expected URL.

5.
Change the one-step process to a multi-step process and introduce well-tested code. In a multi-step process, each step generates a verification code that is embedded in the page as a hidden form element; the next step submits the verification code to the server, and the server checks whether the verification code matches.

6. Introduce user interaction. A simple picture arithmetic puzzle can block almost all unexpected privileged operations.

7. Only allow anonymous access using dynamic JavaScript.

8. For submitted information, such as image links a user submits, check whether they redirect back to the web site, are not really pictures, or perform suspicious actions.

9. Internal management web sites. In many cases, internal management websites neglect security issues and simply restrict access by source. Such websites tend to have no resistance to XSS attacks and need more attention.

McAfee security breach

On 2011/3/27, the YGN ethical hacker organization said that the website of the security company McAfee was full of security vulnerabilities. These holes could lead to cross-site scripting attacks or other attacks. YGN published an article saying so on the Full Disclosure website, including disclosure of internal host names and 18 source code leakage vulnerabilities. The part of the McAfee website that hosts the software files McAfee offers for download could be used for cross-site scripting attacks. According to YGN, after it reported the many security vulnerabilities on the website to McAfee on February 10, McAfee said it would solve these problems as soon as possible. As of March 27, YGN found that McAfee had not fixed these security vulnerabilities, so it publicly disclosed them.

Analysis of the compromise

This matter is not only embarrassing but also affected McAfee's reputation somewhat, because McAfee sells McAfee security services to enterprise and consumer websites. The McAfee website says that McAfee security software scans every day and finds thousands of hacker vulnerabilities.
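As an added example (not code from the essay or from McAfee), three of the XSS prevention measures listed above in Python: output encoding before writing to the page (item 1), the Referer check (item 4), and the per-step verification code embedded as a hidden form element (item 5). The host name example.test and the in-memory code store are assumptions.

```python
import hmac
import html
import secrets
from typing import Dict, Optional
from urllib.parse import urlparse

SITE_HOST = "example.test"         # assumed host name of the protected site
_step_codes: Dict[str, str] = {}   # assumed server-side store: session id -> issued code


def render_comment(user_text: str) -> str:
    """Item 1: encode everything before it is written to the page, so a
    user-supplied '<', '>' or quote can never come out as a live HTML tag."""
    return "<p>" + html.escape(user_text, quote=True) + "</p>"


def referer_ok(referer: Optional[str]) -> bool:
    """Item 4: a privileged request must arrive from a page on our own site."""
    if not referer:
        return False
    return urlparse(referer).hostname == SITE_HOST


def start_step(session_id: str) -> str:
    """Item 5: each step generates a verification code, stores it for the
    session and embeds it in the page as a hidden form element."""
    code = secrets.token_hex(16)
    _step_codes[session_id] = code
    return '<input type="hidden" name="verify" value="%s">' % code


def finish_step(session_id: str, submitted: str, referer: Optional[str]) -> bool:
    """The next step is accepted only if the Referer is ours and the submitted
    code matches the one issued to this session; each code is single-use."""
    expected = _step_codes.pop(session_id, None)
    if expected is None or not referer_ok(referer):
        return False
    return hmac.compare_digest(expected, submitted)
```

A forged request from another site fails either the Referer check or the code check, and a replayed code fails because it was consumed on first use.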
If a site meets the high standard of McAfee safety certification, users of McAfee anti-virus products will see a "McAfee Security" tab in their browser. McAfee security software claims it can test for unintentional hosting of personal information, dangerous website links, phishing attacks and other malicious software dangers. A "secure" web site turning out to be unsafe is not just a joke. This fact shows that security issues require long-term concern and have never been a one-shot deal. Compared with other means of attack, XSS is more subtle and varied; it is tied to the business processes and to the implementation of the code, and there is no permanent solution. In addition, in the face of XSS one often has to sacrifice convenience to guarantee complete security, so how to balance security and convenience is also something that needs to be considered.

Conclusion

For ourselves

Many new technologies and tools have come into our vision, such as Android. But Android has become the most attacked mobile operating system; it became the target due to its open nature and its large market share. At the same time, we will use more and more public services, such as Wi-Fi. But public Wi-Fi is used by everyone, so we should pay attention to Wi-Fi security when using wireless hotspots at restaurants, airports, hotels, and other public places. Tools such as the Firefox add-on Firesheep make it easy for people to eavesdrop on your activity while you are using Wi-Fi. The tool enables any attacker on the same hotspot to capture your logins to Facebook, Twitter, and other sites that do not automatically use SSL encryption.

For organizations

Social networks, particularly Facebook, also suffered from an increase in threats. Through tainted websites and apps, attackers hacked accounts and distributed malware, phishing come-ons, and other scams to Facebook users. The danger spread via wall posts, links, photo tags, comments, and scripting flaws.
So, for the organization, you should go ahead only after making sure that it is safe to do so; if you do not, it will only further reduce security. However, no matter how the Internet changes, the security policy should always be followed. We need to improve our own protection, and the organization should also be ready both before and after a security vulnerability breaks out, whether technically or in management.

References:
http://www.cnw.com.cn/news-international/htm2011/20110330_219947.shtml
http://www.networkworld.com/news/2013/022613-hacking-victim-bit9-blames-sql-267082.html
http://wenku.baidu.com/view/8998cbcf89eb172ded63b7bf.html
http://wenku.baidu.com/view/9d57cf6d7e21af45b307a813.html
http://wenku.baidu.com/view/6cff664efe4733687e21aae7.html
http://wenku.baidu.com/view/777e0183d4d8d15abe234e85.html