WEB SECURITY
ABSTRACT
In this report web security will be discussed in detail. Some current issues related to web attacks across the world will be discussed, and a few key points to take note of on cyber security will be provided as a platform for an individual to be able to learn more on the issues related to web threats, which are growing fast nowadays.
YUSUPH KILEO 05/03/2013
YUSUPH KILEO
WEB SECURITY
Table of Contents
INTRODUCTION ............ 2
WEB SECURITY THREAT ............ 3
  INTEGRITY ............ 3
  CONFIDENTIALITY ............ 4
  DENIAL OF SERVICE (DoS) ............ 4
  AUTHENTICATION ............ 5
WEB SECURITY APPROACHES ............ 6
SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY ............ 7
SECURE ELECTRONIC TRANSACTION ............ 13
CURRENT ISSUES ON WEB ATTACK ............ 14
SEVEN STEP CYBER SECURITY STRATEGY ............ 17
CONCLUSION ............ 18
REFERENCES ............ 19
2014
Page 1
INTRODUCTION
Definition: The World Wide Web (WWW) can be defined as a client/server application running over the internet and TCP/IP intranets. In order for an individual to access something that is available on the Web, he/she should go through either the internet or an intranet. The benefits of the web in the current world may be obvious to Facebook users: the exchange of ideas, access to healthcare and education, the buying and selling of products and services, and keeping in touch with friends and family! However, there is a dark side to this global resource which stems from the misuse of information and communication technologies (ICTs), including cyberthreats and cybercrime. There are many cases in which websites have been reported falling victim to cyber-attacks from various groups of people or individuals across countries every now and then. This is the dark side of the misuse of ICT to cause harm on the web, which includes stealing of money through online transactions, stealing of confidential information and many other bad acts. Based on this, it is highly advised to have a look at web security issues so that an individual will be able to know how to secure the web from various attacks. We should keep in mind that attacks cannot be completely avoided, but an individual can create mechanisms to prevent attacks and harden the web so that it is not attacked easily.
INTEGRITY
Definition: Data transmitted through the internet, or held in computer assets, can only be modified (deleted, changed or created) by authorized users.
Threats:
- Modification of user data
- Trojan horse browser
- Modification of memory
- Modification of message traffic in transit
Consequences:
To protect/secure the web from the above threats and their consequences, a cryptographic checksum can be applied by the user as a countermeasure.
CONFIDENTIALITY
Definition: Data in a computer system, and information transmitted through the web, can be accessed only by authorized users. This type of access includes reading, printing and others.
Threats:
- Eavesdropping on the net
- Theft of info from server
- Theft of data from client
- Info about network configuration
- Info about which client talks to server
Consequences:
To protect/secure the web from the above threats and their consequences, encryption and web proxies can be applied by the user as a countermeasure.
DENIAL OF SERVICE (DoS)
Threats:
- Killing of user threads
- Flooding machine with bogus requests
- Filling up disk or memory
- Isolating machine by DNS attacks
Consequences:
AUTHENTICATION
Definition: The origin of an electronic document, message or information transmitted over the web is correctly identified, with an assurance that the identity is not false.
Threats:
Consequences:
To protect/secure the web from the above threats and their consequences, cryptographic techniques can be applied by the user as a countermeasure.
At this level, there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, the Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.
iii. Specific security services are embedded within the particular application. The advantage of this approach is that the service can be tailored to the specific needs of a given application. In the context of Web security, an important example of this approach is Secure Electronic Transaction (SET).
[Figure: placement of security facilities in the TCP/IP protocol stack; protocols shown are S/MIME, Kerberos, PGP, SET, HTTP and SMTP above TCP and UDP, over IP]
The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges and are examined later in this section. Two important SSL concepts are:
a. SSL Connection. A transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
b. SSL Session. Defines a set of cryptographic security parameters which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
A session state is defined by:
i. Session identifier
ii. Peer certificate
iii. Compression method
iv. Cipher spec
v. Master secret
vi. Is resumable
vii. Server and client random
viii. Client write MAC secret and server write MAC secret
ix. Server write key and client write key
x. Initialization vectors
xi. Sequence numbers
Several states are associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and write states are created. Upon successful conclusion of the Handshake
SSL Record Protocol: The overall operation of the SSL Record Protocol is as follows. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled, and then delivered to higher-level users.
Fragmentation: the message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default
The SSL Record Protocol provides two services for SSL connections:
- Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
- Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
After these two steps, the computation of the message authentication code over the compressed data is performed. For this purpose, the shared secret key is used. (See the calculation definition below.)
hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment))
(See the elaboration below.)
Term: Definition
||: concatenation
MAC_write_secret: shared secret key
hash: cryptographic hash algorithm; either MD5 or SHA-1
pad_1: the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1
pad_2: the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1
seq_num: the sequence number for this message
SSLCompressed.type: the higher-level protocol used to process this fragment
SSLCompressed.length: the length of the compressed fragment
SSLCompressed.fragment: the compressed fragment (if compression is not used, the plaintext fragment)
Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048. The final step of SSL Record Protocol processing is to prepend a header, consisting of the following fields:
- Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
- Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.
- Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.
- Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.
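As an added illustration (not code from the original report), the MAC calculation and record header described above can be written out in Python. The secret key, sequence number and fragment are constructed sample values, the null cipher is assumed so the encryption step is skipped, and a receiver-side check shows why including the sequence number in the MAC input causes a replayed or reordered record to fail verification.

```python
import hashlib
import hmac
import struct

# Pad lengths from the page: 48 bytes (384 bits) for MD5, 40 bytes (320 bits) for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}
MAX_FRAGMENT = 2 ** 14  # the 16384-byte fragmentation limit
SSLV3_MAJOR, SSLV3_MINOR = 3, 0


def sslv3_mac(secret, seq_num, content_type, fragment, algo="sha1"):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment))"""
    pad_1 = b"\x36" * PAD_LEN[algo]
    pad_2 = b"\x5c" * PAD_LEN[algo]
    # seq_num is a 64-bit counter, type is one byte, length two bytes, all big-endian.
    fields = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(algo, secret + pad_1 + fields + fragment).digest()
    return hashlib.new(algo, secret + pad_2 + inner).digest()


def build_record(secret, seq_num, content_type, fragment, algo="sha1"):
    """Append the MAC and prepend the 5-byte header; null cipher assumed, so no encryption."""
    if len(fragment) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes; fragment it first")
    body = fragment + sslv3_mac(secret, seq_num, content_type, fragment, algo)
    header = struct.pack("!BBBH", content_type, SSLV3_MAJOR, SSLV3_MINOR, len(body))
    return header + body


def verify_record(secret, expected_seq, record, algo="sha1"):
    """Receiver side: check version, length and MAC; return (type, fragment) or None.
    expected_seq comes from the receiver's own counter, so a replayed or reordered
    record carries a MAC computed over the wrong sequence number and is rejected."""
    if len(record) < 5:
        return None
    content_type, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    mac_len = hashlib.new(algo).digest_size
    if (major, minor) != (SSLV3_MAJOR, SSLV3_MINOR) or len(body) != length or length < mac_len:
        return None
    fragment, mac = body[:-mac_len], body[-mac_len:]
    expected = sslv3_mac(secret, expected_seq, content_type, fragment, algo)
    if not hmac.compare_digest(mac, expected):  # constant-time comparison of the tags
        return None
    return content_type, fragment


if __name__ == "__main__":
    key = b"constructed-mac-write-secret"  # constructed sample key, not a real secret
    rec = build_record(key, 0, 23, b"GET / HTTP/1.0\r\n")  # 23 = application_data
    print(verify_record(key, 0, rec))
```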
Change Cipher Spec Protocol
It uses the SSL Record Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
Alert Protocol
It is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state.
Handshake Protocol
This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted.
SECURE ELECTRONIC TRANSACTION
- Provides a secure communications channel among all parties involved in a transaction.
- Provides trust by the use of X.509v3 digital certificates.
- Ensures privacy because the information is only available to parties in a transaction when and where necessary.
SET Features: There are four key features of SET, as follows:
- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication
NOTE: Unlike IPsec and SSL/TLS, SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements, whereas IPsec and SSL/TLS are intended to support a range of applications.
SET Participants: There are six participants in the SET system, namely:
- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority
CURRENT ISSUES ON WEB ATTACK
1. [...] (United Nations Refugees Agency) and leaks credentials of President Barack Obama.
2. Defacement: Yet another security firm is a victim of defacement. This time the target is Kaspersky, whose Costa Rica web site (www.kaspersky.co.cr) is defaced.
3. DDoS: Two liberal Russian media outlets and an election watchdog became victims of huge cyber-attacks during the Russian elections. Sites belonging to the Ekho Moskvy radio station, online news portal slon.ru and election watchdog Golos all went down on [...]
4. Websites belonging to [...]: hackers penetrated their security and accessed internal databases. The access happened thanks to a PHPMyAdmin password.
5. Botnet: Russian hackers flood Twitter with automated hashtags to hamper communication between opposition activists. The pro-[...] (Triumfalnaya) hashtags were generated by a Twitter botnet composed of thousands of Twitter accounts that had little activity before.
6. Account Hacking: As part of #OpSony, the Sony Pictures website is hacked by Anonnerd, @s3rver_exe and N3m3515, once again in the name of the Anonymous movement and against Sony, which showed its support for SOPA. In the same operation a fake Facebook account is created simulating a real account that was hacked.
7. Unauthorized Access: In the name of the #Antisec movement, an unknown hacker exposes the IP addresses and other details of 49 SCADA systems, inviting the readers to connect and take screenshots of the internals.
8. N/A: The website of the Brazilian political party PMDB do Maranhão (pmdbma.com.br) is hacked by a lone hacker who makes all the secondary pages of the web site inaccessible.
9. Defacement: IBM Research (researcher.ibm.com) is defaced by a hacker collective group dubbed Kosova Hacker Security.
10. DDoS: Anonymous temporarily forces the main website for Interpol (Interpol.int), the international police, offline after the group announced it had arrested 25 suspected supporters. The site www.interpol.int was unreachable for 20-30 minutes.
SEVEN STEP CYBER SECURITY STRATEGY
5. Train staff: Attackers understand that employees are the weakest link in the security chain and take advantage of natural human weakness through a style of attack known as social engineering. Staff must therefore be trained to recognize and respond appropriately to social engineering attacks, ranging from tailgating through to phishing, spear phishing and pharming. Also ensure that you have a well-thought-through social media strategy that minimizes information loss through social media websites such as Facebook, LinkedIn and Twitter.
6. Develop and test a security incident response plan (SIRP): Sooner or later your defenses will be breached, and you therefore need an effective, robust plan for responding to the breach. Your response plan should include developing a digital forensics capability so that you have the in-house competence to secure areas of digital crime long before outside experts arrive on the scene.
7. Adopt ISO27001 and ISO27031 as standards for developing and implementing comprehensive cyber security and business resilience management systems.
CONCLUSION
We have seen ways of implementing web security and the key points on secure electronic transaction. Web security and online transactions have been a challenge these days, since many cases related to threats to web security and online transactions have been reported. Sample cases reported in recent research are explained above. Each individual is encouraged to keep in mind that security is not the duty of a certain group of people; each member should play an important role in ensuring that security is kept in order. It is important to follow the security strategy mentioned in this report, along with the other secure implementations discussed in other parts, to ensure that both web security and online transactions are kept in order.