Web Security

Web security is a huge topic that covers a wide range of security holes such as weak ActiveX controls, Java applets, HTML documents, insecure Web servers, and many other topics. In fact, we could write an entire book on this topic alone. Fortunately, our focus has been fine-tuned, thanks to the CompTIA Security+ objectives. The topics in this section are directly in line with objectives as they relate to Web security.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are commonly used security protocols that provide transport security through Internet browsers offered by Netscape and Microsoft.

SSL and TLS are session-based protocols that support X.509 digital certificates and use a public and private key exchange to encrypt the data passed between client and server systems. Both protocols support RSA, DES, IDEA, 3DES, and MD5. They can be used by services such as HTTP, FTP, SMTP, IMAP, POP, and Telnet.

Note 

There is a high probability that the exam will want you to know that SSL is X.509 based and uses a public and private key exchange to encrypt data.

SSL uses a combination of the SSL Record protocol and the SSL Handshake protocol to provide security. The Handshake protocol provides authentication services while the Record protocol provides for a secure connection. TLS was developed after SSL and has succeeded SSL in most uses. TLS ensures that no external or malicious forces can eavesdrop on messages sent or received.

Many Internet Web sites utilize SSL or TLS as a secure means of obtaining confidential customer information, such as bank account and other personal information. It provides confidential Web sessions and authentication services for Web servers.

Web site URLs that utilize these protocols begin with HTTPS://.

HyperText Transport Protocol Secure (HTTPS)

HyperText Transport Protocol Secure (HTTPS) is a very popular secure protocol used to transmit messages over the Internet. SSL and TLS are used to establish a secure connection between a client and host. HTTPS is concerned with the secure transmission of individual messages between client and host and uses TCP port 443, as opposed to the normal port 80 used to transmit ordinary HTTP data. It is important to note that HTTPS and SSL complement each other for secure Internet connectivity.

You will also know you are using HTTPS when you make a request through your Internet browser and the URL (Uniform Resource Locator) begins with HTTPS://.

Note 

It is probable that you will need to know that HTTPS is a secure Internet protocol for the exam.
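The two sections above say what SSL/TLS and HTTPS are for; the part a practitioner has to get right is what the client insists on before it trusts the connection. The following Python example is added here and is not from the book. It uses only the standard `ssl` module and shows a client context configured the way an HTTPS client should be beside one configured the way that silently defeats the protection (no certificate verification, no hostname check), with a small audit function that reports the difference. The three checks and their wording are this example's own choices.

```python
import ssl


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client-side SSLContext.

    The three checks are this example's own minimum bar: the server must
    present a certificate that verifies against the trust store, that
    certificate must match the host named in the URL, and the protocol floor
    must be TLS 1.2 (the SSL versions and TLS 1.0/1.1 sit below it).
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required or verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the host in the URL")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor admits SSL or TLS versions older than 1.2")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """What an HTTPS client should use: the platform trust store, certificate
    verification on, hostname checking on, nothing older than TLS 1.2."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The settings that reduce HTTPS to unauthenticated encryption: the client
    will finish the handshake with whoever answers, so a party sitting between
    client and server can present its own certificate unnoticed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False              # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("weak", weak_client_context())):
        print(label, audit_client_context(ctx) or ["no findings"])
```

The audit reads the context's own attributes, so it can be run against any context an application builds before that context is handed to `wrap_socket()`; it does not open a network connection.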

Instant Messaging

As you are probably aware, Instant Messaging (IM) is a form of electronic communication service that allows a private, or not so private, conversation to take place between two or more people. You can download popular instant messaging software over the Internet from providers such as AOL, Yahoo, MSN, and ICQ. A popular XML-based, open-source instant messaging system known as Jabber can also be downloaded. More information can be obtained from Jabber.org. With instant messaging, a user is typically notified when a “friend” or “buddy” is available or online. Either user can then initiate a messaging conversation as long as the possible recipient of the message is willing to accept it. Some services include the ability to block messages from those pesky unwanted users that want to chat at an inappropriate time. You can even have bells and whistles go off when someone wants to chat with you.

Instant Messaging Vulnerabilities

The instant messaging craze has swept the world by storm. What better way to communicate could there possibly be? Instant messaging is quick and convenient. It allows people at work to communicate with others at work very quickly throughout the corporate empire and also allows workers to chat with their families while on company time.

Instant messaging software is everywhere and hackers, crackers, and would-be thugs are using the security holes that instant messaging offers to do their wrongful deeds.

Most client-side instant messaging software of the day is Web based. People who seem to be hard at work in offices and cubicles are often chatting on instant messaging systems with software they have downloaded personally. These messaging systems often go through the Internet, bypassing corporate firewall security. This is a big no-no for obvious reasons.

Many messaging systems allow users to send attachments and do file transfers of information. Although many companies and home users have antivirus programs that scan e-mail and attachments included with e-mail, little protection exists for messaging systems.

Another popular hacking technique is to attack a home user through an instant messaging system at home sweet home, then attack the company the home user works for through the user’s remote VPN connection to the office. More and more buffer overflow attack methods are being instituted through the use of popular instant messaging programs.

The following are recommendations that should be implemented to protect your home or office network from the threats of instant messaging vulnerabilities:

  1. Install a personal firewall at the desktop level.

  2. Purchase an intra-company messaging system that includes specialized secure IM servers and client software. Yes, some secure technologies will cost money.

  3. If possible, disable or eliminate the ability of the messaging client to carry out file transfers.

There is a huge chance that you will have to identify the security weaknesses involved with using instant messaging. My guess would be that the number-one weakness of instant messaging is that it was developed without concern for security. Number two weakness: messages and transfers are not encrypted. Clear text all the way!
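The section above states that personally installed IM clients reach the Internet past the corporate firewall and that their traffic is clear text. A first step toward the recommendations is to find out whether that traffic is actually leaving the network. The following Python example is added here and is not from the book: it scans a constructed egress-firewall log for connections to the well-known client ports of the services the section names (AIM/ICQ, MSN, Yahoo, Jabber). The log line format, the sample lines and the port table are this example's own assumptions; a real firewall's export will look different.

```python
import re

# Well-known client ports of the IM services named in the text. The table is
# this example's own; it is a detection aid, not an exhaustive list.
IM_PORTS = {
    5190: "AOL Instant Messenger / ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo! Messenger",
    5222: "Jabber/XMPP client",
    5223: "Jabber/XMPP client (legacy SSL port)",
}

# Constructed log format: "<date> <time> ALLOW|DENY TCP|UDP src:port -> dst:port"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample of an egress firewall log (documentation addresses only).
SAMPLE_LOG = [
    "2003-05-01 09:14:02 ALLOW TCP 10.0.0.15:3345 -> 192.0.2.10:443",
    "2003-05-01 09:14:09 ALLOW TCP 10.0.0.15:3351 -> 192.0.2.20:5190",
    "2003-05-01 09:15:30 DENY TCP 10.0.0.22:4102 -> 192.0.2.30:1863",
    "2003-05-01 09:16:01 ALLOW TCP 10.0.0.22:4110 -> 192.0.2.40:5222",
    "2003-05-01 09:16:45 ALLOW UDP 10.0.0.9:53012 -> 192.0.2.1:53",
]


def find_im_sessions(lines):
    """Return one record per outbound TCP connection to a known IM service port."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue
        dport = int(m["dport"])
        if dport in IM_PORTS:
            hits.append({
                "time": m["ts"], "src": m["src"], "dst": m["dst"], "port": dport,
                "service": IM_PORTS[dport], "allowed": m["action"] == "ALLOW",
            })
    return hits


def unblocked_sessions(hits):
    """The IM sessions the firewall let through: the gap the recommendations
    above (desktop firewall, internal IM servers) are meant to close."""
    return [h for h in hits if h["allowed"]]


if __name__ == "__main__":
    for h in find_im_sessions(SAMPLE_LOG):
        state = "ALLOWED" if h["allowed"] else "blocked"
        print(f'{h["time"]} {h["src"]} -> {h["dst"]}:{h["port"]} {h["service"]} [{state}]')
```

Port matching catches the native clients; a client that tunnels over HTTP on port 80, which the section notes is common for Web-based IM software, will not show up here and needs inspection of the HTTP traffic itself.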

8.3 Naming Conventions

Understanding 8.3 naming conventions is important for any network technician or administrator. Although 8.3 naming conventions are part of the CompTIA Security+ domain structure, it is not probable that you will have to do name conversions or identify the improper use of names. However, for the domain structure study and just in case, know this material.

DOS files are stored in directories or subdirectories. In today’s Windows world, we call directories folders. In DOS, there are specific rules that apply when creating and naming files and directories.

DOS uses what is called an 8.3 file naming structure, otherwise known as eight dot three. This simply means that a file name can be up to eight characters long and have a three-character extension that represents the file type. A period (.) or dot is used to separate the file name from the extension. This means that the total length of the entire DOS file name plus the extension cannot exceed 11 characters. The file extension is not necessary unless the file is associated with a particular function.

Let’s use the DOS file name AUTOEXEC.BAT as an example. The AUTOEXEC is the DOS file name. The BAT extension specifies that the file is a batch file. The same is true for the CONFIG.SYS file. The CONFIG is the name of the file. The SYS extension identifies the file as a system file.

The following are rules that apply to DOS file and directory name creation:

  • A file or directory name can be no more than eight characters long.

  • An extension can be no more than three characters long.

  • No spaces can be included in the file, extension, or directory name.

  • The characters (? * , ; = + < > | [ ] / \) are illegal and cannot be used.

Long File Names (LFNs)

Windows 9.x, Windows 2000, Windows XP, Macintosh systems, and UNIX all support Long File Names (LFNs). LFNs can generally be up to 255 characters in length. Although these newer operating systems support LFNs, they still allow for backward compatibility with the 8.3 naming structure associated with DOS by creating an associated 8.3 file name for every new file created. Long File Names are basically broken down into 12-byte sections that allow for up to 255 characters to be utilized. For example:

  • The Long File Name=BEST CERTIFICATIONBOOK.DOC.

  • 8.3 associated filename=BESTCE~1.DOC.

Notice that the space was eliminated in the 8.3 associated file name. Windows automatically removes any spaces or invalid characters and truncates the filename.
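The rules listed under 8.3 Naming Conventions and the BEST CERTIFICATIONBOOK.DOC example above can both be checked mechanically. The following Python example is added here and is not from the book: `is_valid_83()` applies the four DOS rules, and `to_short_name()` derives the associated 8.3 alias the way the text describes (spaces and invalid characters removed, name truncated, `~1` appended), including the `~2`, `~3` counter for names whose first six characters collide. The alias scheme is the simplified one; the real Windows algorithm switches to a hashed stem after a few collisions, which this example does not reproduce.

```python
# Characters the rules above forbid in DOS names, plus the space.
ILLEGAL_83 = set('?*,;=+<>|[]/\\ ')


def is_valid_83(name: str) -> bool:
    """True if name obeys the DOS rules: up to 8 characters, at most one dot,
    an extension of at most 3 characters, and none of the forbidden characters."""
    if not name or any(c in ILLEGAL_83 for c in name):
        return False
    base, _, ext = name.partition('.')
    if not base or len(base) > 8:
        return False
    if '.' in ext or len(ext) > 3:
        return False
    return True


def _strip(part: str) -> str:
    """Upper-case and drop spaces, dots and forbidden characters, as Windows does."""
    return ''.join(c for c in part.upper() if c not in ILLEGAL_83 and c != '.')


def to_short_name(long_name: str, taken=()) -> str:
    """Derive the 8.3 alias Windows associates with a long file name.

    A name that already fits is kept (upper-cased). Otherwise the alias is the
    first six cleaned characters of the base name, a '~' and a counter that
    advances past aliases already present in `taken`, plus the first three
    characters of the last extension.
    """
    if is_valid_83(long_name):
        return long_name.upper()
    base, _, ext = long_name.rpartition('.')
    if not base:                     # no dot, or only a leading dot: all of it is the base
        base, ext = ext, ''
    base, ext = _strip(base), _strip(ext)[:3]
    suffix = '.' + ext if ext else ''
    n = 1
    while True:
        stem = base[:8 - len(f"~{n}")]          # keep the 8-character limit as n grows
        candidate = f"{stem}~{n}{suffix}"
        if candidate not in taken:
            return candidate
        n += 1


if __name__ == "__main__":
    seen = set()
    for lfn in ("BEST CERTIFICATIONBOOK.DOC", "BEST CERTIFICATIONBOOK v2.DOC",
                "Security.txt", "index.html"):
        alias = to_short_name(lfn, seen)
        seen.add(alias)
        print(f"{lfn!r} -> {alias}")
```

Run against a whole directory listing with a shared `taken` set, the function also shows why a folder full of similarly named long files fills the root-directory limit discussed next: every alias past the first consumes a separate entry.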

It is important to note that the Windows 9.x root directory (C:\) can hold only 255 files. The truncation of LFNs to 8.3 names can fill up this 255-file storage limitation quickly and cause your system to halt. For this reason and others it is good practice to avoid storing your files in the root directory of any operating system. As a general rule of thumb, you should use all lowercase letters when naming your files and folders. Case in point, UNIX systems see upper- and lowercase files as different file names. For example, the UNIX OS will see the files Security.txt and security.txt as two separate files. You should also use intuitive, recognizable file and folder names. Meaningless names can result in files and folders that are very difficult to locate on a network.

LFN Security Precautions

Certain e-mail packages are susceptible to long file name vulnerabilities. When file attachments or news messages that exceed a certain number of characters in length are opened, the e-mail package shuts down. This inherent weakness of some mail packages is typically resolved with an upgrade or vendor service patch.

Some earlier versions of Windows contain built-in networking software programs that process strings of file names. If these networking packages are not patched and receive exceptionally long file name strings, the system could experience a buffer overrun and crash.

Note 

Exceptionally long file names are often intentionally used to exploit network software vulnerabilities and cause buffer overruns.

Universal Naming Convention (UNC)

A UNC name is used to access a particular share on a particular workstation or server on a network. If you want to access a resource such as a printer or folder that has been shared on the network, you can gain access to it by typing in the UNC name from the Start>Run option in Windows. A UNC name always follows the format \\Servername\sharename. For example, say you want to access a folder on your network named Certified. The Certified folder resides on a server named Bigserver. You would go to Start>Run and type in \\Bigserver\Certified. If you have not been granted access permissions to the resource, you will be asked to provide a valid user ID and password in order to gain access.
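The \\Servername\sharename format above is simple enough to validate before a path is handed to anything that will open it. The following Python example is added here and is not from the book: a small parser that accepts only well-formed UNC names, splits them into server, share and the path below the share, and rejects drive-letter paths and names that stop at the server. The character set it forbids inside a component is the Windows file-name rule set, not something the book states.

```python
import re

# One path component: anything but the separators and the characters Windows
# does not allow in names.
_COMPONENT = r'[^\\/:*?"<>|]+'

UNC_RE = re.compile(
    r'^\\\\(?P<server>' + _COMPONENT + r')'      # \\Servername
    r'\\(?P<share>' + _COMPONENT + r')'          # \sharename
    r'(?P<rest>(?:\\' + _COMPONENT + r')*)\\?$'  # optional \folder\file below the share
)


def parse_unc(path: str) -> dict:
    """Split a UNC name into server, share and the components below the share.

    Raises ValueError for anything that is not \\\\server\\share[\\more].
    """
    m = UNC_RE.match(path)
    if not m:
        raise ValueError(f"not a UNC name: {path!r}")
    return {
        "server": m["server"],
        "share": m["share"],
        "path": [p for p in m["rest"].split("\\") if p],
    }


def is_unc(path: str) -> bool:
    """True if the string is a well-formed UNC name."""
    return UNC_RE.match(path) is not None


if __name__ == "__main__":
    for candidate in (r"\\Bigserver\Certified", r"\\Bigserver\Certified\docs\notes.txt",
                      r"\\Bigserver", r"C:\Certified"):
        print(candidate, "->", parse_unc(candidate) if is_unc(candidate) else "rejected")
```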

Privacy

Computer information privacy is a very hot topic today. Computers and the Internet have made such things as paying bills, making purchases, and gaining information on just about any topic very easy. With a simple trip from the couch to the computer, you can make your mortgage payment, find a mate, buy a car, or take a virtual trip through the castles of Germany among other things.

But what price do we have to pay for this ease of accessible information? What really happens behind the scenes when we innocently view and educate ourselves using Web pages on the Internet?

When you view pages on the Internet, your Internet browser’s IP address and information such as your operating system’s version and other personal information are transmitted to the server that provides the page. This is done when your browser assembles a page and makes an HTTP request to a server. That server also checks to see if a cookie, which is a unique identifier that Web servers place in your system to identify you, has been placed in your system. If it has not, the server gives you a cookie. As a result, every mouse click you make on that particular site lets the site owner know it’s you.

Yes, you’re being watched. You are also being target marketed. Personal information such as your e-mail address is being sold and/or freely distributed by companies that house huge servers and databases that distribute cookies for many of the popular Internet sites. Wonder why you get so much spam? Click on a few more of those advertisements on a site and your information will be recorded and sold again.

Although it is unlikely that you will ever be able to protect your privacy totally on the Internet, there are some important actions you can take to minimize the amount of information you provide to servers, marketers, and spammers while surfing the Internet.

Purchase a software package that will remove unwanted cookies, banner ads, and sensitive HTTP header information. There are a slew of free proxy server software packages as well as other software packages that will hide your IP address while surfing the Internet. You can also disable Java, JavaScript, and ActiveX, which provide privacy invading security holes in your system. These will all be described next.

Note 

You might be asked to identify privacy in a manner similar to the following question: Darren wants to send Chris an e-mail that contains sensitive financial information. Darren is concerned that someone other than Chris will intercept this e-mail and gain access to the sensitive data. What is Darren concerned with?

  • A. Non-repudiation.

  • B. Authentication.

  • C. Encryption.

  • D. Privacy.

The correct answer to this question is D. Darren is concerned with privacy. Although answers A, B, and C look very tempting, they are incorrect to technical test takers. This is exactly what you need to be aware of when answering common sense questions. Be careful!

Cookies

As mentioned earlier in the chapter, a cookie is a message that is sent or transmitted to a Web server from a Web browser. It is important to note that a cookie can also be referred to as a state object or persistent cookie. The cookie is used to provide the Web server with unique information that is used to identify where the request to the server is coming from. In other words, the cookie provides information about you.

When you access pages on the Internet and enter your personal information into Web forms, that information along with other prepared information is combined into a file called a cookie. Most often, server-side scripts known as CGI scripts are used to control what happens with the cookie. The cookie is typically placed in the user profile folder of the user currently signed on to the system. If you are using a newer version of Windows such as Windows 2000, this location will be C:\Documents and Settings\Profile Name\Cookies. In the author’s case, this location is C:\Documents and Settings\Drvankman\Cookies.

The next time you happen upon the same Web site, your Internet browser will automatically forward the stored cookie to that Web site's server. If set up to do so, the server will provide you with a prepackaged, customized page that targets you with specific advertisements. In other words, you will get spammed.

Many Web servers use trusted cookies as their only form of authentication. This widespread misuse of cookies has spawned a major security threat to both Web servers and users alike. If an attacker or cookie hijacker is able to infiltrate a user’s session while the user is logged on to a server service, the attacker can steal the user’s cookie and use it to access such things as account information. A common practice that attackers use to grab cookies during an active session is to execute a fake Java script on an unprotected server.

Although many servers are open to this cookie authentication exploitation, most servers that provide important financial information and extremely sensitive data have more secure authentication mechanisms and devices in place.

There are several good ways to protect your system from the threats to security provided so nicely by the use of cookies: You can set up your Internet browser to alert you when a cookie is present; you can direct your browser to download only cookies from trusted sites; or you can disable cookies altogether. Depending on your operating system and Internet browser, this procedure will vary.

For a great explanation of persistent cookies visit http://wp.netscape.com/newsref/std/cookie_spec.html.
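The Privacy section above describes what a browser hands to a server with every request, and the Cookies section describes the cookie the server plants and later reads back, including the risk that a script injected into a page copies it. The following Python example is added here and is not from the book. It takes a constructed raw HTTP request and lists the headers that identify the visitor (the IP address is not a header; it comes from the TCP connection itself), and it audits a `Set-Cookie` header for the attributes that limit how a cookie can be stolen or replayed: `Secure` keeps it off plain HTTP, `HttpOnly` keeps it out of reach of page scripts, and an `Expires`/`Max-Age` makes it the persistent kind the section mentions. The sample request and cookie values are constructed.

```python
# Constructed browser request for the walkthrough (documentation host names only).
SAMPLE_REQUEST = "\r\n".join([
    "GET /catalog/index.html HTTP/1.1",
    "Host: shop.example",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
    "Referer: http://search.example/results?q=mortgage",
    "Cookie: visitor=8f3a21c0",
    "", "",
])

# Request headers that identify the visitor, and what each one gives away.
IDENTIFYING_HEADERS = {
    "user-agent": "browser make and operating system version",
    "referer": "the page that led you here, often including what you searched for",
    "cookie": "the identifier this site planted on an earlier visit",
}


def request_disclosures(raw_request: str) -> dict:
    """Return {header: (value, what it reveals)} for the identifying headers
    present in a raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {h: (headers[h], why) for h, why in IDENTIFYING_HEADERS.items() if h in headers}


def audit_set_cookie(set_cookie_value: str) -> list:
    """Flag the protections a Set-Cookie header lacks and note if it is persistent."""
    parts = [p.strip() for p in set_cookie_value.split(";") if p.strip()]
    attrs = {}
    for p in parts[1:]:                           # parts[0] is name=value
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: also sent over plain HTTP, where it can be read in transit")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: readable by script in the page, so an injected script can copy it")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: stored on disk and replayed on every later visit")
    return findings


if __name__ == "__main__":
    for header, (value, why) in request_disclosures(SAMPLE_REQUEST).items():
        print(f"{header}: {value}  <- {why}")
    for cookie in ("session=abc123; Path=/; Secure; HttpOnly",
                   "visitor=8f3a21c0; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT"):
        print(cookie, "->", audit_set_cookie(cookie) or ["no findings"])
```

The audit is the server-side counterpart of the browser settings listed above: a site that uses a cookie as the only proof of who you are should at least be setting both flags on it.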

Note 

There is a very good chance the exam will want you to know that cookies are extremely dangerous and can carry malicious viruses.

JavaScript

JavaScript is a programming script language that is supported by Internet browsers provided by Netscape and Microsoft. JavaScript is used commonly by Web developers to interact with Web pages that are typically created with HTML or XML source code. In simple terms, Java allows developers to spruce up new or existing Web pages by adding features such as self-updating software packages, pop-up windows, link-to pages, and 3D interactive worlds. Java is considered to be a portable, object-oriented, robust, and secure scripting language.

The productive tools that we manufacture to design and create a better, more intuitive Internet experience all seem to come with a heavy price tag concerning security. Java, JavaScript, and Java applets (little programs sent with Web pages that do not require user interaction) are no exception. They all provide transportation mechanisms and can allow attackers to insert code that can infiltrate and destroy your system. Java scripts and applets are programs created that actually run on your system.

Hijackers and attackers often create scripts and applets, which are oftentimes able to circumvent network security parameters. They can be used to manipulate files on users’ computers.

Signed Applets

As mentioned earlier, applets are small programs that contain scripts sent with Web pages to users. Applets such as Java applets allow calculations, animations, and other functions to take place on a user’s system without a need for communication to occur back to the applet-providing server.

Applets can contain malicious code that can easily destroy a system if allowed to run. A popular technique known as sandboxing is often used to quarantine applets that appear suspicious or malicious.

Signed applets contain a digital signature. They are a means of proving that an applet has come from a trusted location, author, or site. Signed applets receive permissions to access local system resources. Plain applets only have access to the directories from which they originally run. Some books state that signed applets cannot be altered. This is simply not true. Anyone can create or forge a signed applet. This makes them very dangerous and provides a huge security vulnerability to local as well as networked systems.

It is important to note that most applets on the Web are unsigned applets. These applets can be assigned various security levels, which include untrusted, high, medium, and low levels of security. Please refer to Table 3.1 for the various levels of unsigned applet security.

The following site is an excellent resource that describes applets in more detail than the scope of this book will permit: http://java.sun.com/sfaq/#prevent.

ActiveX

ActiveX is a set of object-oriented programs, technologies, and tools that are Microsoft’s answer to Java technology, which by the way was created by Sun Microsystems. ActiveX is basically a combination or outgrowth of the Microsoft technologies known as OLE (Object Linking and Embedding) and COM (Component Object Model). When this technology is used in a networked environment that provides directory support and other services, the COM technology becomes DCOM (Distributed Component Object Model).

Using this technology, the goal is to create a self-sufficient program known as a component or ActiveX control that can be run anywhere your ActiveX network exists.

ActiveX controls or components are compared to Java applets and can be reused by applications and other systems throughout your network.

ActiveX provides a powerful tool for developers and programmers. Unfortunately, ActiveX carries with it security risks as do Java scripts and applets. However, the ActiveX security model is quite different from the security controls in place for Java and Java applets. As you might recall, Java applets are restricted based on a set of actions that are considered safe. The ActiveX security model does not limit an application package to a set of individual restrictive controls. Instead, its controls are based on digital signatures. These digital signatures are registered and certified with a trusted Digital Authority such as VeriSign. When a person registers a software package or application with a trusted CA (Certificate Authority), they are agreeing that the package or ActiveX control is free of malicious code. From that point on, the risks involved with downloading the controls are totally the responsibility of the user.

In simple terms, the main weaknesses or problems associated with ActiveX controls are as follows:

  • Once the user has accepted the certificate, responsibility of the control’s actions is placed completely on the user. If an uneducated user on your network happens to accept a certificate from an unknown or unofficial CA, you might not have many systems left by the end of the day.

  • Users can change browser settings to allow unsigned ActiveX controls to be downloaded with a warning.

  • There is no good logging or audit trail available to track down what an ActiveX control has done to your system.

If you need help troubleshooting problems associated with active content such as JavaScript and ActiveX using Internet Explorer, Microsoft provides an excellent white paper on the subject. You will also be shown how to disable dangerous active content altogether in this white paper found at http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q154036.

CGI

The Common Gateway Interface (CGI) is a language-independent interface or standard that Internet Web servers use to pass a user’s request to an application program and forward a response back to the Web server, which in turn provides the results to the user. In English, when a user fills out an HTML form on a Web page, typically, a CGI program is used to process the form’s data behind the scenes and get the information back to the server. This allows Web servers to serve and interact with the users dynamically. The actual method of passing data between a server and an application is called the CGI.

CGI programs run on Web servers and are considered to be server-side applications. Java scripts, applets, and ActiveX controls are run on individual systems and are considered client-side programs. A disadvantage with using CGI programs is that they start a new service on a Web server every time a CGI program runs. This can result in a major decrease in performance of a Web server.

Note 

The use of CGI programs allows the vulnerabilities associated with HTTP to be exploited. Also, in order for CGI programs to work, they are written to run on most operating systems and have access to important server system files as well as connected hosts.

Poorly executed CGI scripts and lack of or improper file system permissions can open the security hole doors and leave servers as well as systems vulnerable to attacks.
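The CGI section and its note make two points: the CGI program receives the form's data and runs with access to the server's file system, so a poorly written script turns a form field into a way of reaching server files. The following Python example is added here and is not from the book. It models the CGI calling convention with a plain `environ` dictionary (`REQUEST_METHOD`, `QUERY_STRING`) rather than the deprecated `cgi` module, and shows a handler that serves a file named by a form field in its poorly executed form beside the confined form: the safe resolver canonicalizes the requested path and refuses anything that lands outside the document root. The document root path and the request strings are constructed for the example.

```python
import os
from urllib.parse import parse_qs

DOCROOT = "/var/www/cgi-data"       # constructed; the directory the script may serve from


def unsafe_resolve(docroot: str, requested: str):
    """The poorly executed version: trusts the form field and joins it straight in.
    A value containing '..' (or an absolute path) walks out of docroot."""
    return os.path.join(docroot, requested)


def safe_resolve(docroot: str, requested: str):
    """Confine the request to docroot. Returns None if it escapes."""
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        return None                       # canonical path is not under the root
    return target


def handle_request(environ: dict, resolver=safe_resolve):
    """Minimal CGI-style handler: read the form, resolve the file, return (status, path).

    The caller (the Web server, in real CGI) would then send the file at `path`;
    here the path is returned so the decision itself can be inspected.
    """
    if environ.get("REQUEST_METHOD", "GET") != "GET":
        return "405 Method Not Allowed", None
    form = parse_qs(environ.get("QUERY_STRING", ""))
    requested = form.get("file", [""])[0]
    if not requested:
        return "400 Bad Request", None
    path = resolver(DOCROOT, requested)
    if path is None:
        return "403 Forbidden", None
    return "200 OK", path


if __name__ == "__main__":
    # Constructed requests: one ordinary, one that tries to leave the directory.
    for query in ("file=report.txt", "file=../../etc/passwd"):
        env = {"REQUEST_METHOD": "GET", "QUERY_STRING": query}
        print(query, "| unsafe:", handle_request(env, unsafe_resolve)[0],
              "| safe:", handle_request(env)[0])
```

The path check is only half of the fix the section implies: the script should also run under an account whose file-system permissions stop at the document root, so that a mistake in the check is not enough on its own.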

SMTP Relay

SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol that is used for the sending and receiving of e-mail between servers or clients and servers. In most cases, SMTP is used for sending mail only. This is based on its inability to handle message queuing properly at the mail-receiving end. In order to receive stored messages properly from a mail server, most client-side systems are set up for POP3 (Post Office Protocol) or IMAP (Internet Message Access Protocol). You send mail with SMTP. You download or receive mail with POP3 or IMAP.

Note 

SMTP is most often used with TCP port 25. TCP and UDP ports are described in Chapter 4.

SMTP relay occurs when an intermediary mail server (relay server) is used to accept any incoming mail and forward it to another mail server or final destination. This final destination is typically the e-mail server where the user’s e-mail account is stored. There can be many relay servers involved with the relaying of e-mail.

The problem here is that mail servers implementing SMTP relay usually accept most mail received and deliver or relay outgoing mail without verifying or authenticating the sender or receiver. Spammers, spoofers, and unauthorized users can take advantage of this vulnerability by faking a sender’s address and using just about any receiving address they wish. This can cause great proliferation of junk mail or spam and usually does.

A common problem among companies that use improperly configured e-mail and SMTP relay servers is that they are unknowingly being used as hosts to spam other servers and hosts. This can result in a company’s mail server being black holed, meaning they are banned or blocked from using e-mail services provided by ISPs. This can then result in a major loss of productivity and downtime. SMTP relay anyone?
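The relay problem above comes down to one decision the mail server makes at the `RCPT TO` step of each SMTP session: is it the final destination for this recipient, or is it being asked to forward mail elsewhere, and if so, has the client earned that? The following Python example is added here and is not from the book. It walks a constructed SMTP command sequence through a small session class that applies the usual rule (accept mail for our own domains from anyone; relay to other domains only for internal addresses or authenticated clients) and shows the open-relay misconfiguration as the same class with the rule switched off. The local domain, the internal network, the reply text and the stand-in credential are all this example's assumptions; real credential checking is out of scope.

```python
import ipaddress


class RelayGuard:
    """One SMTP session's relay decisions, in the simplest correct form.

    We are the final destination for LOCAL_DOMAINS, so mail to them is accepted
    from anyone. Mail to any other domain is relayed only for clients inside
    INTERNAL_NETS or clients that have authenticated. open_relay=True reproduces
    the misconfiguration described in the text: every recipient is accepted.
    """

    LOCAL_DOMAINS = {"example.com"}                       # constructed
    INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed
    DEMO_CREDENTIAL = "demo-credential"                   # stand-in for real AUTH checking

    def __init__(self, client_ip: str, open_relay: bool = False):
        self.client = ipaddress.ip_address(client_ip)
        self.open_relay = open_relay
        self.authenticated = False
        self.mail_from = None
        self.accepted, self.rejected = [], []

    def _may_relay_to(self, rcpt: str) -> bool:
        domain = rcpt.strip("<>").rpartition("@")[2].lower()
        if self.open_relay or domain in self.LOCAL_DOMAINS or self.authenticated:
            return True
        return any(self.client in net for net in self.INTERNAL_NETS)

    def handle(self, line: str) -> str:
        """Take one client command, return the server's reply line."""
        words = line.strip().split(None, 1)
        cmd = words[0].upper() if words else ""
        arg = words[1] if len(words) > 1 else ""
        if cmd in ("HELO", "EHLO"):
            return "250 relay.example.com"
        if cmd == "AUTH":
            # "AUTH PLAIN <token>": a real server decodes and verifies credentials here.
            self.authenticated = bool(arg) and arg.split()[-1] == self.DEMO_CREDENTIAL
            return ("235 2.7.0 Authentication successful" if self.authenticated
                    else "535 5.7.8 Authentication credentials invalid")
        if cmd == "MAIL":
            self.mail_from = arg.partition(":")[2].strip()
            return "250 2.1.0 Sender OK"
        if cmd == "RCPT":
            rcpt = arg.partition(":")[2].strip()
            if self._may_relay_to(rcpt):
                self.accepted.append(rcpt)
                return "250 2.1.5 Recipient OK"
            self.rejected.append(rcpt)
            return "554 5.7.1 Relaying denied"
        if cmd == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command not recognized"


def run_session(client_ip: str, commands, open_relay: bool = False) -> list:
    """Feed a list of client commands through one session; return the replies."""
    guard = RelayGuard(client_ip, open_relay)
    return [guard.handle(c) for c in commands]


# Constructed session from an outside address (documentation range) trying to
# send to a third party and to one of our own users.
OUTSIDER = [
    "EHLO bulk.mailer",
    "MAIL FROM:<promo@somewhere.net>",
    "RCPT TO:<victim@elsewhere.org>",
    "RCPT TO:<user@example.com>",
]

if __name__ == "__main__":
    for label, ip, open_relay in (("closed", "198.51.100.7", False),
                                  ("internal", "10.1.2.3", False),
                                  ("OPEN RELAY", "198.51.100.7", True)):
        print(label)
        for cmd, reply in zip(OUTSIDER, run_session(ip, OUTSIDER, open_relay)):
            print(f"  C: {cmd}\n  S: {reply}")
```

Nothing in the rule looks at the sender address, because the text's point stands: `MAIL FROM` is whatever the client claims. The decision rests on where the connection comes from, whether it authenticated, and whether the recipient is ours.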

If you want to learn more regarding Web security, visit the following site that is hosted by the World Wide Web Consortium. You could probably spend the rest of your IT security career at this awesome site: http://www.w3.org/Security/Faq/.


The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
