Web hacking
• Basics
  • Web pilfering: download selected web sites and search the files off-line.
  • Automated scripts: developed by advanced hackers for use by “script kiddies.” See SecurityInnovation for vulnerability scanners.
  • IIS security: see the Microsoft Web Application Security guide to set up IIS, identify threats and create countermeasures.
  • CGI: programming CGI with security in mind (W3.org), a compilation and an index of CGI security resources, SSI and CGI security.
  • ASP vulnerabilities: HTML and program code in the same directory, the dot bug, sample files (showcode and codebrws). See Microsoft ASP Security.
  • Web vulnerability scanners are available for UNIX/Linux: Nikto and Whisker.
  • Buffer overflows: (i) PHP security, (ii) do not use wwwcount.cgi, and (iii) the IIS iishack vulnerability (use MBSA to find patches).
• Poor Web design
  • Misuse of hidden tags (price, shipping, etc.), e.g. search for “type=hidden name=price”.
  • SSI: noExecs, pre-processing for hidden code.
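The “misuse of hidden tags” point above is about a server that trusts values such as the price carried in a hidden form field. The following is an added example, not code from the original notes: a checkout handler that trusts the hidden price field, beside one that ignores it and prices the order from a server-side catalog. The catalog, SKU names and request bodies are constructed for the demonstration.

```python
# Added example (not from the original notes): a checkout handler that trusts a
# hidden <input type=hidden name=price> field, beside one that prices server-side.
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample catalog; SKU names and prices are made up for this demo.
CATALOG = {"SKU-100": 49.99, "SKU-200": 120.00}


@dataclass
class Order:
    sku: str
    qty: int
    unit_price: float
    total: float


def parse_form(body: str) -> dict:
    """Parse a urlencoded POST body (key=value&key=value) into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting_client(form: dict) -> Order:
    """Poor design: the hidden price field is taken as the truth, so anyone who
    edits the form before submitting it sets their own price."""
    sku = form["sku"]
    qty = int(form["qty"])
    price = float(form["price"])  # client-controlled value
    return Order(sku, qty, price, round(price * qty, 2))


def checkout_server_priced(form: dict) -> Order:
    """Countermeasure: the price comes from the server-side catalog. The client
    may only choose which item and how many; any submitted price is ignored, and
    unknown SKUs or bad quantities are rejected."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown SKU")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    price = CATALOG[sku]
    return Order(sku, qty, price, round(price * qty, 2))


def rejected(form: dict) -> bool:
    """True when the hardened handler refuses the submitted form."""
    try:
        checkout_server_priced(form)
    except ValueError:
        return True
    return False


# Constructed request bodies: in the second one the hidden price field was
# edited before submission.
HONEST_BODY = "sku=SKU-200&qty=1&price=120.00"
TAMPERED_BODY = "sku=SKU-200&qty=1&price=0.01"

if __name__ == "__main__":
    for body in (HONEST_BODY, TAMPERED_BODY):
        form = parse_form(body)
        print("trusting client:", checkout_trusting_client(form))
        print("server priced  :", checkout_server_priced(form))
```

The same rule applies to any hidden field that carries a business value (shipping cost, discount, user id): the server should treat it as untrusted input and recompute the value from its own data, exactly as the hardened handler does here.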
Hacking the Internet user: malicious mobile code
• Microsoft ActiveX (ActiveX controls have the file extension .ocx)
  • Similar to OLE: lets an object be embedded in a page using the <object> tag.
  • When IE finds a page with a control, it checks the Registry to find out whether the control is available; if it is, IE displays the page and runs the control.
  • If it is not, IE uses Authenticode to check the author (VeriSign’s role) and downloads the control. Finally IE displays the page and runs the control.
  • “Safe for Scripting”: Authenticode is not used with these controls, so malicious Web sites may exploit this as a vulnerability. A control is easy to mark as such.
• Countermeasures:
  • Apply patches for Scriptlet/Eyedog and OUA (Office 2000 UA).
  • Set macro protection to High in the Tools/Macro menu in Office.
  • Restrict or disable ActiveX using security zones.
• Using security zones: IE has five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer.
  • Internet zone: disable ActiveX controls, enable per-session cookies and file download, and set scripting to prompt.
  • Trusted Sites: assign medium security and add sites you trust to run ActiveX controls, e.g. Microsoft sites.
Hacking the Internet user: other
• SSL: overview; use 128-bit encryption (available in most countries now). Potential fraud: bypassing certificate validation. Click on the lock to see the certificate.
• IRC hacking: not only message exchange but also file exchange. Users connect through a reflector (BNC, IRC bouncer or proxy server), making the tracing of IRC users fruitless (a plus for hackers): all you get is the BNC’s IP.
  • DCC Send and Get connect two IRC users directly and allow file exchange, which makes it easy for a user, or a worm-infected user, to distribute malicious code.
  • Countermeasure: if you need to use IRC, run anti-virus on the directory you selected as the default for DCC downloads, and read more about IRC security.
• Napster hacking: as a distributed file-sharing network, it has the potential to distribute Trojans and viruses disguised as MP3 audio files. Napster checks headers and frames to see whether files are MP3s, but Wrapster disguises files as MP3. Similar services may also be vulnerable.
• Global countermeasures
  • Keep antivirus signatures updated (at least twice a month).
  • Firewalls and traffic scanners (e.g. Vital Security™ Web Appliance).