Web Site Security - PowerPoint PPT Presentation
Presentation Transcript

Web Site Security

Andrew Cormack

JANET-CERT

Andrew.Cormack@ukerna.ac.uk

©The JNT Association, 1999

Where’s the problem?
  • Number of CIAC bulletins since October 1997:
  • Apache 0
  • IIS 5
  • Solaris 8
  • Windows NT 8
  • (Internet Explorer 3)
  • See especially CIAC bulletin J-042 on web security
First fix your host
  • Minimal configuration
    • don’t run things you don’t need
  • Up to date with patches
  • Keep it that way
    • new bugs every month
  • Pay attention to logs
    • you may only get one warning
Limit the scope for errors
  • Minimal access
    • restricted users
    • restricted hosts (e.g. use TCP wrappers)
  • Single function
    • others will compete with web serving
    • and make operation much more complicated
What can go wrong
  • Denial of service (availability)
  • Information leakage (privacy)
  • Loss of control (integrity)
    • unauthorised modification
    • or worse
Denial of service
  • Not much you can do to prevent it!
    • when does popularity become DoS?
  • Precautions
    • have more performance than likely attacker
    • have different servers for different readers
    • be ready with a "sorry" backup
Information leakage (web stuff)
  • Web is designed for publishing
  • Protection mechanisms are weak
    • files have many names
    • addresses can be faked
    • passwords can be sniffed
  • Shared authentication puts other systems at risk!
  • Use offline encryption if you must
Information leakage (system stuff)
  • Caused by
    • badly configured servers
    • badly written scripts
    • misguided scripts (finger, last, etc.)
  • Can lose
    • script source code
    • password or other configuration files
Loss of control (severe)
  • Beware of uploads
    • replacing graphics
    • or your home page
    • who can publish? how do you know who they are?
  • Unexpected interactions
    • uploads of scripts
    • Java applets on a multi-purpose server
Loss of control (fatal)
  • Allowing readers to run commands
  • Never run server as root
    • hackers have to work harder
  • Never put test scripts on live server
    • and check, check and re-check production scripts
  • Compromised system probably a write-off
The worst CGI script
  • w $1
  • What if $1 is "andrew;cat /etc/passwd"...
  • Use perl -wT to trap errors
    • better a 500 error than a lost system
  • Even commercial scripts have errors!
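A hardened counterpart to the "w $1" script above, written as an added example (it is not from the slides): under perl -wT the request parameter stays tainted until a regex capture passes it, and the list form of system() never hands it to a shell. The parameter name "user", the allowed login-name pattern and the "w -h" invocation are assumptions.

```perl
#!/usr/bin/perl -wT
# Added example, not from the slides: the "w $1" CGI rewritten under
# taint mode (-T) so that unchecked request input can never reach a shell.
use strict;
use warnings;

# Taint mode refuses to run external commands while PATH and the shell's
# own environment variables are untrusted (see perlsec), so fix them first.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Every value taken from the request is tainted. The only way to clean it
# is a regex capture; this pattern (an assumption) accepts plain Unix login
# names and nothing else, so "andrew;cat /etc/passwd" is rejected before
# any command runs.
sub untaint_user {
    my ($raw) = @_;
    return unless defined $raw;
    my ($user) = $raw =~ /^([a-z_][a-z0-9_-]{0,31})$/;
    return $user;
}

# Pull "user=..." out of QUERY_STRING (no URL decoding; a real script would
# decode first and then untaint the decoded value).
my $qs = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '';
my ($raw) = $qs =~ /(?:^|&)user=([^&]*)/;
my $user  = untaint_user($raw);

print "Content-Type: text/plain\r\n";
unless (defined $user) {
    # Fail closed: an error page is far better than a lost system.
    print "Status: 400 Bad Request\r\n\r\nbad user name\n";
    exit 0;
}
print "\r\n";

# The list form of system() bypasses the shell entirely, so even if the
# pattern above were loosened, shell metacharacters would never be
# interpreted. Had $user still been tainted, -T would die here with
# "Insecure dependency in system" instead of running the command.
system('w', '-h', $user) == 0
    or print "w failed: $?\n";
```

Run it as the web server would via the shebang, or as "perl -T script.pl"; invoking it with plain "perl script.pl" aborts with "Too late for -T option", which is itself a useful reminder that taint checking must be on from the start.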
Conclusion
  • Don't build on sand
  • Think carefully about "ease of use"
  • Plan for the worst
  • Talk with CERT
  • Never stop!
Don’t forget the browser
  • Browsers sometimes run untrusted code
    • ActiveX - can run any Windows application
    • JavaScript - limited but powerful functions
    • Java - runs in a sandbox, but this may leak
    • Added “viewers”, e.g. Word, Excel
  • Beware!
Applet capabilities
  • Such programs can do anything the user can
    • read or write files on local disk or network
    • make calls on the network
  • Browser control is a hard problem
    • but not unique: mail and office apps are the same
  • Technical fixes are draconian
  • User education (like viruses) is the best bet