Lotus Security Part I
- 2. The Alarming Truth
Collage of early-2008 news headlines (image residue; only the legible items are kept):
Italian Bank hit by XSS Fraudsters (Netcraft, Jan 8, 2008)
Chinese Hackers steal 18-million Identities (HackBase.com)
IndiaTimes.com Malware
Hackers break into Ecuador's Presidential website (Information Week, Feb 17, 2008)
Mac blogs defaced by XSS (The Register, Feb 17, 2008)
RIAA wiped off the Net (The Register, Jan 20, 2008)
Greek Ministry websites hit by hacker intrusion (eKathimerini, Jan 2008)
Your Free MacWorld Expo Platinum Pass (CNet, Jan 14, 2008)
Hacker steals Davidson Co.'s Client Data (Falls Tribune, 2008)
Drive-by Pharming in the Wild (Symantec, Jan 21, 2008)
Further items credited to Thaindian (Feb 11, 2008), Wikipedia and AP (Feb 4, 2008) are not legible.
© Sanjaya Kumar Saxena
- 5. What is Information?
Knowledge acquired through study or experience or instruction
A collection of facts or data
In our context of ISO 27K,
An asset that, like other important business assets, is essential to an organization’s business and
consequently needs to be suitably protected.
Categories
Internal
External
Customer
Outsourced
- 6. What is Security?
Freedom from Danger, Risk, etc.; Safety.
Precautions taken to guard against Crime, Attack, Sabotage, Espionage, etc.
- 7. What is Information Security?
“The protection of information systems against unauthorized access to or
modification of information, whether in storage, processing or transit, and
against the denial of service to authorized users or the provision of service to
unauthorized users, including those measures necessary to detect, document,
and counter such threats.”
from U.S. National Information Systems Security Glossary
- 9. What is Information Security?
Confidentiality
Ensuring that information is accessible only to those authorized to have access
Integrity
Safeguarding the accuracy and completeness of information and processing methods
Availability
Ensuring that authorized users have access to information and associated assets when required
from ISO 27001
- 10. What is a Threat?
Something that is a source of danger, e.g. “Earthquakes are a constant threat in Japan”
In our context:
Unwanted events that may result in harm to asset(s)
May be deliberate or accidental
Exploit known vulnerabilities
- 11. Information Security Threats
THREAT
Source      Technique             Method
Internal    Eavesdropping         Unstructured
External    Privacy               Structured
            Authentication
            Repudiation
            Unauthorized Access
            Denial of Service
- 12. Vulnerabilities
Weakness in the system
Result of a bug or a design/deployment flaw
Common Vulnerabilities:
Buffer Overflow
SQL Injection
Cross-Site Scripting (XSS)
Directory Traversal
Spam exploits a design weakness of SMTP: the protocol has no built-in sender authentication
- 13. Threats - Counter Measures
Threat                 Countermeasure
Eavesdropping          Cryptography
Privacy                Cryptography
Authentication         Passwords/Certificates
Repudiation            Digital Signatures
Unauthorized Access    ACLs/Cryptography
Denial of Service      Availability/Firewall
- 14. SQL Injection
SQL Injection vulnerabilities occur when user input reaches the SQL text without proper validation (or, more robustly, without being kept out of the SQL text by parameterized queries).
The attack can be mounted when form field contents are used to build SQL statements dynamically inside the code, which are then executed.
The attacker can then smuggle SQL of their own into the dynamically created statement by crafting the data entered in the input field.
The attacker may gain access to the back-end database, allowing them to read, delete and modify information.
A SQL injection attack at the time of logging into an application is shown in the following slides.
- 17. SQL Injection
Login form: Username [UserID], Password [Password123], Remember Me, LOGIN, Forgot Password?
The application builds the query by concatenating the form fields into the SQL text:
Statement = "Select * from tUsers where userid = '" + UserID + "' AND password = '" + Password + "'";
A normal login (sks / pw3007) produces
SELECT * from tUsers where userid = 'sks' AND password = 'pw3007'
which matches one row of tUsers:
UserID   Username   Password   User's Name
9876     sks        pw3007     Sanjaya K Saxena
The attacker instead enters as UserID:   ' or 1=1 --
The concatenated statement becomes
SELECT * from tUsers where userid = '' or 1=1 --' AND password = 'pw3007'
The leading quote closes the userid literal, "or 1=1" makes the WHERE clause true for every row, and "--" comments out the rest of the line, so the password comparison never executes: the query returns the table's rows and the attacker is logged in as the first user without knowing any password.
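The login on the slide, as an added example (not code from the original deck): a Python/SQLite script that builds the query by concatenation exactly as above, feeds it the UserID `' or 1=1 --`, and then runs the same login through a parameterized query. The table, its single row and the function names are constructed for this demonstration.

```python
# Added example (not from the original slides): the slide's concatenated login
# query, the ' or 1=1 -- bypass against it, and the parameterized fix.
# Table, data and names are constructed for this demonstration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture mirroring the slide's single tUsers row.
    (A plaintext password column is itself bad practice; kept to match the slide.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tUsers (id INTEGER, userid TEXT, password TEXT, name TEXT)"
    )
    conn.execute(
        "INSERT INTO tUsers VALUES (9876, 'sks', 'pw3007', 'Sanjaya K Saxena')"
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, userid: str, password: str):
    """The slide's pattern: form fields are pasted into the SQL text.
    Returns the matched row, or None when the credentials do not match."""
    statement = (
        "SELECT * FROM tUsers WHERE userid = '" + userid
        + "' AND password = '" + password + "'"
    )
    return conn.execute(statement).fetchone()


def login_safe(conn: sqlite3.Connection, userid: str, password: str):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so a quote or -- in the input stays data."""
    statement = "SELECT * FROM tUsers WHERE userid = ? AND password = ?"
    return conn.execute(statement, (userid, password)).fetchone()


PAYLOAD = "' or 1=1 --"  # what the attacker types into the UserID field


def demo() -> dict:
    """Run both logins with real credentials and with the injection payload."""
    conn = make_db()
    return {
        "normal_vulnerable": login_vulnerable(conn, "sks", "pw3007"),
        "bypass_vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "normal_safe": login_safe(conn, "sks", "pw3007"),
        "bypass_safe": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(f"{case}: {row}")
```

The vulnerable path logs the attacker in as the first user in the table; the parameterized path returns None for the same input. Input validation (slide 14) narrows the attack surface, but parameterization is what removes the bug, because the database never parses attacker-supplied text as SQL.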
- 26. XSS Attack
Cross-Site Scripting vulnerabilities occur when a web-based application does not validate user input on form fields, URL syntax, etc.
An attacker can embed their own code into the data entry form, manipulating the appearance and/or behaviour of the page.
A web link is crafted and placed on the page in a manner that entices users to click on it.
Users treat the link placed on the web form as coming from a trusted source or from the same organization, and so fall prey to this vulnerability.
The attacker gets access to sensitive application information by reading the cookie data of the user's account on the vulnerable website/application.
The XSS attack is shown in the following slides, which display a form field that allowed the user to enter JavaScript code returning complete user profile information from the application's database. In this example “alert(document.cookie)” is entered in an input field, exposing the cookie information.
- 29. XSS
All it takes to pop up your sensitive information from the database
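Where the cookie pop-up on the slide comes from, and what stops it, as an added example not taken from the deck: a Python function that reflects user input into a page verbatim next to one that HTML-escapes it with the standard library's `html.escape`. The page fragment, field names and payloads are constructed for the demonstration.

```python
# Added example (not from the original slides): reflecting user input into HTML
# verbatim versus HTML-escaping it. Template, field names and payloads are
# constructed for this demonstration.
import html

# The value typed into the form on the slide. A real attack would send
# document.cookie to an attacker-controlled host instead of calling alert().
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
# A payload aimed at an attribute context: it closes the value="..." quote and
# adds an event handler, so escaping only < and > would not be enough.
ATTR_PAYLOAD = '" onmouseover="alert(document.cookie)'


def render_unsafe(display_name: str, query: str) -> str:
    """Vulnerable: input lands in the page exactly as typed."""
    return (f"<p>Welcome, {display_name}</p>"
            f'<input type="text" name="q" value="{query}">')


def render_safe(display_name: str, query: str) -> str:
    """Escaped: & < > " ' become entities, so the browser shows the input as
    text instead of parsing it as markup or as an attribute boundary."""
    return (f"<p>Welcome, {html.escape(display_name)}</p>"
            f'<input type="text" name="q" value="{html.escape(query, quote=True)}">')


def markup_injected(page: str) -> bool:
    """Crude demo check: did either payload survive as live markup?"""
    return "<script>" in page or ' onmouseover="' in page


if __name__ == "__main__":
    print(render_unsafe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
    print(render_safe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
```

Escaping is context-specific: HTML body and attribute values are covered by `html.escape`, but a value dropped into a JavaScript string or a URL needs that context's own encoder. Marking the session cookie HttpOnly keeps `document.cookie` from returning it, which limits what this particular payload can steal but does not fix the XSS itself.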
- 30. XSS - SAMY MySpace Worm
A self-propagating Cross-Site Scripting (XSS) worm that affected over a million profiles on MySpace.
- 31. XSS - SAMY MySpace Worm
The process began when a user (Samy) placed JavaScript code in his profile on MySpace.com, a community site for sharing photos and staying in touch with friends.
- 32. XSS - SAMY MySpace Worm
When other MySpace.com users viewed Samy's profile, the code issued a background request via AJAX to add Samy to the viewing user's friends list.
- 33. XSS - SAMY MySpace Worm
This bypassed the application's normal approval process for adding a user to a friends list.
- 34. XSS - SAMY MySpace Worm
The next step in the script was self-replication:
- 35. XSS - SAMY MySpace Worm
it parsed its own code out of the page and pasted it into the viewing user's profile.
- 36. XSS - SAMY MySpace Worm
The process then repeated from the newly infected user's profile.
- 38. XSS - SAMY MySpace Worm
The worm's spread is confined to the one website, but it can effectively become a denial-of-service attack, because the attacker's friends list (and the request load it generates) grows exponentially.
The code cannot affect any other site as written, although the technique can be reused by another attacker.
- 40. Reconnaissance
An inspection or exploration of an area, especially in the context of military information gathering.
Commonly known techniques:
Social Engineering
Dumpster Diving
Leveraging the Web
  WHOIS
  DNS
  Search Engine
Web-based Online Tools
  http://privacy.net/analyze
  http://network-tools.com
- 41. Reconnaissance Example
Open the web site and view the page source to identify the web server.
No information? Use TELNET to connect to port 80 and read the Server banner from the HTTP response.
IIS 5.0 has over 250 known vulnerabilities
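The TELNET step above, done in code, as an added example that is not part of the original slides: a Python function that sends a bare HTTP HEAD request and pulls the Server header out of the reply. The sample response and the host/port arguments are constructed placeholders, not a capture from a real server.

```python
# Added example (not from the original slides): the "use TELNET" step as code.
# grab_banner() sends a bare HEAD request; parse_server_header() extracts the
# Server header. SAMPLE_RESPONSE is constructed, not captured from a real host.
import socket
from typing import Optional

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Mon, 18 Feb 2008 10:00:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_server_header(raw: bytes) -> Optional[str]:
    """Return the Server header value, or None if the server does not send one.
    Header names are case-insensitive, so the comparison is lower-cased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """What typing the request into telnet does by hand. Network call; host and
    port are whatever you are authorized to test."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        data = b""
        while b"\r\n\r\n" not in data and len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_header(data)


if __name__ == "__main__":
    print(parse_server_header(SAMPLE_RESPONSE))   # offline: Microsoft-IIS/5.0
```

A banner is a hint, not proof: administrators can strip or rewrite the Server header, so a missing or odd value should be cross-checked against behaviour (error pages, header ordering, supported methods) before concluding what is running.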
- 47. What is Cryptography?
“Algorithms implemented in hardware or software to mathematically combine a key with plain text to produce cipher text and to convert cipher text to its original plain text form.”
- 49. Digital Signature
Signing: compute the hash (#) of the message; encrypt the hash with your secret key; the result is the digital signature. Send the message together with the digital signature.
Verification: compute the hash (#) of the received message; decrypt the signature with your public key; the signature is valid if the two hashes are equal (=).
- 50. A Fundamental Question
How do I trust a public key?
Let a trustworthy agency certify it!
CERTIFICATE contains:
Name
Public Key
Expiry Date
Issuer ID
Other Attributes
CA's Digital Signature
Like a driving license or passport
Certifies your public key and other attributes
Issued by a trustworthy agency, called a Certification Authority (CA)
- 51. Secure Transactions using Certificates
Validate by:
Establishing Trust
Authenticate by:
Challenging Each Other
- 52. Establishing Trust
By exchange of certificates
After masking private data (if any)
By comparing certificates
Trust the public key if the two certificates chain to a common CA
Also possible in a hierarchical situation (a chain of intermediate CAs up to a common root)
- 53. Authentication - Step 1
❶ Requester generates a random number and challenges the server to sign it.
❷ Server signs it and sends the signature back.
❸ Requester verifies the signature.
- 54. Authentication - Step 2
❶ Server generates a random number and challenges the requester to sign it.
❷ Requester signs it and sends the signature back.
❸ Server verifies the signature.
Authentication is successful!
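The sign/verify flow of slide 49 and the two-step challenge-response of slides 53 and 54 in one added example (not code from the original deck). The RSA signing is a textbook toy: fixed Mersenne primes, raw SHA-256 with no PKCS#1 padding, standard library only; it is not secure and stands in for a real signature scheme. Party names, the nonce length and the key material are made up for the demonstration.

```python
# Added example (not from the original slides): slide 49's sign/verify flow and
# the mutual challenge-response of slides 53-54. Toy RSA (fixed Mersenne primes,
# raw SHA-256 with no PKCS#1 padding): insecure, standard library only, stands
# in for a real signature scheme. Names, nonce size and keys are made up.
import hashlib
import secrets


def make_toy_keypair(p: int, q: int, e: int = 65537):
    """Return (d, e, n). Real keys use large random primes, never Mersenne ones."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return d, e, n


# Two constructed key pairs; n must exceed 2**256 so a SHA-256 value fits below n.
REQUESTER_KEY = make_toy_keypair(2**127 - 1, 2**521 - 1)
SERVER_KEY = make_toy_keypair(2**107 - 1, 2**607 - 1)


def _digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, d: int, n: int) -> int:
    """Slide 49, signer: hash (#) the message, then 'encrypt' the hash with the
    secret key."""
    return pow(_digest(message), d, n)


def verify(message: bytes, signature: int, e: int, n: int) -> bool:
    """Slide 49, verifier: hash the message, 'decrypt' the signature with the
    public key, compare the two hashes."""
    return pow(signature, e, n) == _digest(message)


class Party:
    """One side of the exchange. Holds its own private key; the peer's public
    key is read from the peer object here, where slide 50 would use a
    certificate."""

    def __init__(self, name: str, d: int, e: int, n: int):
        self.name, self._d, self.e, self.n = name, d, e, n
        self._pending = None

    def challenge(self) -> bytes:
        """Step 1: fresh random number sent to the peer to sign."""
        self._pending = secrets.token_bytes(32)
        return self._pending

    def respond(self, nonce: bytes) -> int:
        """Step 2: sign the peer's challenge and send the signature back."""
        return sign(nonce, self._d, self.n)

    def check(self, signature: int, peer: "Party") -> bool:
        """Step 3: verify against the outstanding challenge with the peer's
        public key. The challenge is single-use, so a replay fails."""
        ok = self._pending is not None and verify(
            self._pending, signature, peer.e, peer.n)
        self._pending = None
        return ok


def mutual_authenticate(requester: Party, server: Party) -> bool:
    """Slide 53 (requester challenges server), then slide 54 (server challenges
    requester). Both must succeed."""
    c1 = requester.challenge()
    if not requester.check(server.respond(c1), server):
        return False
    c2 = server.challenge()
    return server.check(requester.respond(c2), requester)


if __name__ == "__main__":
    req = Party("requester", *REQUESTER_KEY)
    srv = Party("server", *SERVER_KEY)
    print("mutual authentication:", mutual_authenticate(req, srv))
```

Two things the slides leave implicit and a real protocol must get right: the signed value should bind the whole exchange (both nonces and both identities, as the transcript hash does in TLS client authentication), so that a response cannot be reflected to the other side, and signatures must use a proper padding scheme (PSS or PKCS#1 v1.5) with domain separation, because a server that signs arbitrary attacker-chosen bytes with its long-term key is a signing oracle. The "encrypt with the secret key" wording is the RSA-specific picture of signing and does not carry over to other signature schemes.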