Where Privacy and Integrity Issues Occur


Figure 9-1 shows a high-level view of an Internet infrastructure and the many points in a Web application at which privacy and integrity threats can arise. We'll look at each of these points in more detail in the following sections.


Figure 9-1. Locations where privacy and integrity issues may arise in a Web application.

Privacy and Integrity Issues on Client Computers

Privacy and integrity issues at the client are often overlooked. In the case of a Microsoft Windows NT or Windows 2000 desktop used by one person in a secure environment, these issues might not be crucial because a Windows NT or Windows 2000 desktop can be locked if the owner desires, preventing a malicious user from accessing or modifying data. However, if the computer is connected to the Internet, malicious Web sites might attempt to attack the computer. And in many documented cases Web browsers have had privacy-related bugs which could, in theory, have led to an invasion of the user's privacy through the malicious accessing of cookie files and the browsing of history data. Integrity issues are less common, but not improbable.

Privacy threats also exist in a kiosk or shared workstation environment. Rather than the attack coming across a network or modem connection, the attack comes from another user of the shared computer, if that user can access private data cached by software on the computer. Examples of shared computer scenarios include the following:

  • Library computers shared by library members
  • An engineering workshop's shop floor computer shared by many engineers
  • An airport computer allowing users to access their Internet-based e-mail

The first type of threat possible in the client computer scenario is an information disclosure threat, whereby a user sees which Web sites another user visited and possibly the data the user entered and viewed, such as stock trades, usernames, passwords, e-mail, and bank account information. The second threat is a little more insidious. If a user leaves the browser open and has used an authentication scheme while accessing a Web server, the user's credentials might have been cached by the browser. Using the same browser, an attacker could navigate to a Web site visited by the first user. Because the browser has cached the credential information, it might not prompt the attacker to reenter a username and password. The attacker now has access to the previous user's data and could possibly modify the data.

In most circumstances, caching is useful because it provides users with a fast browsing experience and reduces network bandwidth requirements. However, when dealing with sensitive information, it's important to realize that under certain circumstances, caching can be dangerous.

Privacy and Integrity Issues at the Proxy Server

A proxy server is used by companies as a gateway to the Internet. Rather than linking directly to the Internet, users make Internet requests to the proxy server, which in turn accesses the data on the Internet. This has two major benefits:

  • The Web site does not know which user made the request; as far as it is concerned, the request came from the proxy server. This can help maintain privacy because users' internal IP addresses are not disclosed to Web servers.
  • Most proxy servers cache frequently accessed Web pages. This capability increases throughput because cached Web pages are loaded quickly into the browser.

As in the previous section, however, the caching of information is also a source of threats. An attacker who has access to the proxy server also has access to users' data cached by the proxy and thus can view the data and possibly change it.
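Both the browser-cache threat described in the client section and the proxy-cache threat described here come down to the same question: does the response a Web server sends for a sensitive page permit a cache to keep a copy? The following is an added example, not code from the book, that answers that question from a response's Cache-Control, Pragma and Expires headers. It assumes HTTP/1.1 caching semantics as defined in RFC 7234, and the sample responses it evaluates are constructed.

```python
"""Decide whether a Web page holding sensitive data could be stored by the
browser's cache (the shared-workstation threat) or by a proxy's shared cache
(the proxy-server threat), from the response's caching headers.

Added example, not code from the book.  Directive meanings follow HTTP/1.1
caching semantics (RFC 7234); the sample responses below are constructed.
"""
from typing import Dict


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-store, max-age=0, private' into a directive -> argument map."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"')
    return directives


def caching_exposure(headers: Dict[str, str]) -> Dict[str, bool]:
    """Return {'browser': bool, 'proxy': bool}; True means that cache is
    permitted to keep a copy of the response on disk.

    Only 'no-store' forbids storage outright.  'private' stops shared (proxy)
    caches, but the client's own cache may still write the page to disk, where
    the next user of a kiosk can read it.  'no-cache', 'max-age=0' and a past
    Expires date only force revalidation; the stale copy still exists.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    directives = parse_cache_control(lower.get("cache-control", ""))
    if "no-store" in directives:
        return {"browser": False, "proxy": False}
    return {"browser": True, "proxy": "private" not in directives}


def sensitive_page_headers() -> Dict[str, str]:
    """Headers a page carrying account, card or trade data should send.

    'no-store' is what HTTP/1.1 caches honour; 'Pragma: no-cache' and
    'Expires: 0' are a conventional extra for old HTTP/1.0 caches that
    ignore Cache-Control.
    """
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate, private",
        "Pragma": "no-cache",
        "Expires": "0",
    }


if __name__ == "__main__":
    # Constructed responses: a page with no caching headers, a 'private'
    # account page, a page that is merely stale, and the hardened set.
    samples = {
        "default": {"Content-Type": "text/html"},
        "private only": {"Cache-Control": "private, max-age=0"},
        "stale only": {"Expires": "Thu, 01 Jan 1970 00:00:00 GMT"},
        "hardened": sensitive_page_headers(),
    }
    for label, hdrs in samples.items():
        print(f"{label:13s} -> {caching_exposure(hdrs)}")
```

The point the check makes visible is that `private` alone, which many developers reach for, protects against the proxy but not against the next user of the same workstation; only `no-store` closes both. In a classic ASP page the equivalent is to emit these headers with `Response.AddHeader` before any content is written.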

Proxy servers also log information about users as they browse the Internet. Any user who has access to these logs can determine your browsing habits. This might not seem like a big privacy issue, but it is. Imagine a manager who believes one of her employees is looking for another job ordering the engineer in charge of the proxy servers to provide her with the proxy server logs. Analyzing the logs, the manager can determine whether the employee has been searching career-oriented Web sites.

Privacy and Integrity Issues on the Internet

As information flows between Web clients and Web servers, the data passes through numerous routers, switches, bridges, and other computers. It's possible for an attacker or a malicious administrator to access confidential data or modify data as it passes through these devices. This also applies to e-mail messages. Often, e-mail messages are stored in multiple e-mail servers before arriving at the final destination.

Figure 9-2 outlines where privacy and integrity threats occur as data travels across an insecure network such as the Internet.


Figure 9-2. Points of privacy and integrity vulnerability across the Internet.

A Note on Anonymous Access

Even though your personal identity might not be known to a Web site, much about you, such as the Web pages you visit, is known and stored in logs. Most notably, your IP address is logged by the Web site. Many Web sites do not use the logs' statistics for anything more than tuning the site's performance, tweaking content, and sometimes troubleshooting, but logs do provide long electronic trails of events on a Web site.

Note that if your IP address is that of a proxy server or an address assigned to you by an ISP, the IP address can still be traced back to you. Admittedly, it's not easy to do this and might require a search warrant, but take our word for it, the pieces are easy to put together. If you came through an ISP, the ISP has the date and time you dialed up as well as the timeframe within which you "leased" the IP address from the ISP. If your connection is through a proxy server, the proxy server's IP address will appear in your IP packets, but your real IP address will appear in the proxy server's log. Once again, it's easy to trace back to you.

Special servers called anonymizing proxies do provide greater protection for users by hiding their IP addresses; a user connects to the anonymizing proxy and the proxy connects to the requested Web server. However, once again, this is not foolproof because the anonymizing proxy knows your IP address. One popular proxy, by the way, is Anonymizer.com at www.anonymizer.com, which also provides anonymous e-mail.

In short, true anonymity is incredibly difficult to achieve on the Web.

Privacy and Integrity Issues at the Firewall

The firewall resides near the Web server and is used to filter network traffic before it reaches the Web server. Normally, a firewall is well configured and secure, but not always! Sometimes administrators can make errors that leave the firewall prone to attack.

Security threats at firewalls include information disclosure and tampering with data—specifically, the firewall's filtering rules. If an attacker accesses these rules, he might be able to determine weaknesses in the network infrastructure. For example, if the attacker determines that certain IP addresses are not filtered by the firewall, possibly because of administrative oversight, he can use these addresses in forged IP packets to attack the network. If the attacker can change the filtering rules, he can leave the network vulnerable to further attack.

Privacy and Integrity Issues at the Web Server

As a Web site designer, you need to keep your Web site application design private and secure from malicious alteration. For example, regarding privacy, if you include confidential data in some Active Server Pages (ASP) pages and an attacker can access the source code to the Web page, she will gain access to the confidential information. It's unfortunate, but many ASP pages include Microsoft SQL Server usernames and passwords in database connection strings, thereby endangering the database if an attacker gains access to the ASP page.

IMPORTANT
As a Web application developer, you should not put private information, such as data in a query string, in any URL, even if you are sending the data over SSL/TLS. It's possible that such data will be logged by the Web server. If the logs are compromised, an attacker will have access to confidential data.
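A practical check for the logging problem just described, added here as an example and not taken from the book: scan the Web server's own log for query strings that carry sensitive parameter names, and redact those values before the log is copied or shared. The code assumes the W3C extended log file format that IIS writes (a `#Fields:` directive naming the space-separated columns, with an empty query logged as `-`); the log lines and the list of sensitive parameter names are constructed for the example.

```python
"""Find and redact sensitive data that landed in a Web server log because it
was sent in a URL query string.

Added example, not from the book.  It assumes the W3C extended log file
format (the format IIS writes), whose '#Fields:' directive names the
space-separated columns and which logs an empty query as '-'.  The log lines
and the SENSITIVE_PARAMS list are constructed for the example.
"""
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qsl, urlencode

# Parameter names that should never appear in a URL (assumed list; tune per application).
SENSITIVE_PARAMS = {"password", "pwd", "passwd", "ssn", "cardnumber", "creditcard", "sessionid"}

# Constructed sample log in W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 1999-12-01 09:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-12-01 09:15:02 10.1.2.3 GET /flights/search.asp from=SEA&to=LAX 200
1999-12-01 09:15:40 10.1.2.3 GET /account/login.asp user=jdoe&password=hunter2 302
1999-12-01 09:16:05 10.1.2.3 GET /account/pay.asp cardnumber=4111111111111111&amt=250 200
1999-12-01 09:16:20 10.1.2.9 GET /index.asp - 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into one dict per request, keyed by field name."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # other directives: #Software, #Version, #Date
            continue
        if not fields:
            raise ValueError("data line appears before a #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line}")
        records.append(dict(zip(fields, values)))
    return records


def sensitive_params_in(query: str) -> List[str]:
    """Names of parameters in a logged query string that are on the sensitive list."""
    if query == "-":
        return []
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def find_leaks(records: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """(cs-uri-stem, leaked parameter names) for every request that leaked something."""
    leaks: List[Tuple[str, List[str]]] = []
    for rec in records:
        names = sensitive_params_in(rec.get("cs-uri-query", "-"))
        if names:
            leaks.append((rec["cs-uri-stem"], names))
    return leaks


def redact_query(query: str) -> str:
    """Replace the values of sensitive parameters; other parameters are kept as-is."""
    if query == "-":
        return query
    pairs = [(name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
             for name, value in parse_qsl(query, keep_blank_values=True)]
    return urlencode(pairs)


def redact_log(lines: Iterable[str]) -> List[str]:
    """Rewrite the log with sensitive query values removed; directives pass through."""
    fields: List[str] = []
    out: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        if line.startswith("#") or not line or "cs-uri-query" not in fields:
            out.append(line)
            continue
        values = line.split(" ")
        idx = fields.index("cs-uri-query")
        values[idx] = redact_query(values[idx])
        out.append(" ".join(values))
    return out


if __name__ == "__main__":
    for stem, names in find_leaks(parse_w3c(SAMPLE_LOG.splitlines())):
        print(f"{stem}: sensitive parameter(s) logged: {', '.join(names)}")
    print("\n".join(redact_log(SAMPLE_LOG.splitlines())))
```

Running the scan against the constructed log flags the login and payment pages, which is the signal to move those fields out of the URL and into a POST body; the redaction step limits the damage in logs that already exist, but it is no substitute for the design fix, since the values have already been written to disk once and may also sit in proxy logs upstream.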

Regarding integrity threats, obviously you don't want attackers manipulating your Web site's home page to include whatever messages the attacker wants to leave. Defacing home pages is a common pastime amongst script-kiddies. Script-kiddies are attackers with some technical skill who use scripts downloaded from the Internet to search for and attack vulnerable computers. Most commonly, vulnerable computers are computers that have not been updated to remedy a security problem.

Privacy and Integrity Issues at the Database

Privacy and integrity issues abound at the database, simply because all the information about the Web site resides here. For example, in the case of our Exploration Air example, when users make airline bookings, the flight and customer information resides in the database. If the database were compromised, the attacker could gain access to other users' information, such as address and credit card information, or to the airline's Web-based sales information. Alternatively, an attacker could tamper with client information, changing credit card information, addresses, and so on. It's imperative that the database be protected from information disclosure and integrity attacks.

The CD Universe Attack

In late 1999, CD Universe (www.cduniverse.com) had a major privacy breach of their customer database because of a vulnerability in the company's payment-processing software. The attacker managed to get a list of thousands of CD Universe clients, the clients' addresses, and, most importantly, their credit card information.

One of the authors of this book had bought merchandise from CD Universe and was notified of the attack quickly by the vendor. The company also went one step further and notified the credit card-issuing banks, which then contacted their clients to offer replacement cards. The breach was a serious inconvenience for CD Universe customers because thousands of credit cards had to be canceled and reissued.



Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138