1 / 61

CSCD 303 Essential Computer Security Winter 2014

CSCD 303 Essential Computer Security Winter 2014. Lecture 10 – Internet Security Reading: See links end of Lecture. Overview. Internet Security Threats Web Technology Web 2.0 Active Content Javascript Java Applets ActiveX Controls VBScript Ajax. Internet Security.

tanek-vega
Download Presentation

CSCD 303 Essential Computer Security Winter 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CSCD 303Essential Computer SecurityWinter 2014 Lecture 10 – Internet Security Reading: See links end of Lecture

  2. Overview • Internet Security • Threats • Web Technology • Web 2.0 • Active Content • Javascript • Java Applets • ActiveX Controls • VBScript • Ajax

  3. Internet Security • Major source of security problems is from the Internet • Going to study how the Internet works and the technologies used that both makes the Internet popular and unsafe at the same time • The way the Internet has evolved from storing content to user created content has contributed to the difficulty of keeping safe while we surf

  4. Web Threats

  5. Internet Threats 2009 • 23,500 new infected Web pages are discovered every day • One every 3.6 seconds • 15 new bogus anti-virus vendor websites discovered every day!! • Number has tripled, up from average of five detected per day, during 2008 • 6,500 new spam-related websites are discovered every day • One website every 13 seconds, 24 hours a day • Almost double same period in 2008 http://www.sophos.com/sophos/.../sophos-security-threat-report-jul-2009-na-wpus.pdf

  6. More Internet Stats http://community.websense.com/blogs/websense-features/archive/2009/09/15/websense-security-labs-report-state-of-internet-security-q1-q2-2009.aspx • Today's threats are Web Based • During first half of 2009 Websense Security Labs discovered: • 233% growth in number of malicious sites in last six months and a 671% growth during last year • 77% of Web sites with malicious code are legitimate sites that have been compromised. • 86% of all unwanted emails in circulation contained links to spam sites and/or malicious Web sites

  7. More Security Threats 2013 http://blog.spikes.com/blog/2013/1/11/the-top-security-threat-of-2013-is-the-web-browser • Recognition among security authorities that drive-by malware from web links is #1 threat facing networks today • Attackers are moving into targeting browser plugins • Java, Adobe Reader and Adobe Flash • Drive-by download attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and actual malicious code

  8. Web Technology • Useful to understand how Web works • As technical people, have basic understanding of clients/servers • Look at details and some stats on both browsers and Web Servers • Which browsers would you guess are most popular today? Nice page of ALL Web browsers, even text based http://www.webdevelopersnotes.com/design/browsers_list.php3

  9. Web Browser Stats • Monthly statistics on Web Browser market http://www.w3schools.com/browsers/browsers_stats.asp Ranking as of December 2013 1st - Chrome 2nd - Firefox 3rd – Internet Explorer There are five major browsers used today Internet Explorer, Firefox, Safari, Chrome and Opera

  10. Web Server Stats http://news.netcraft.com/archives/2013/04/02/april-2013-web-server-survey.html • Based on a survey of 205+ million sites, Netcraft reports that Apache has a 65% share in 2011 while IIS has 16%

  11. Web ServerOperating Systems http://httpd.apache.org/ • Apache has been the most widely used web server on the Internet since the early days of the Web. It still is dominant • Underlying operating system is mostly – Linux Over years, this has proven to be the most reliable and flexible platform for running high-quality web hosting services worldwide. http://www.ntchosting.com/apache-server-linux.html • Windows based hosts use the IIS (Internet Information Services) Server and of course run on some version of Windows

  12. Web Browser Functions • Browser interprets and displays HTML files • Supposed to conform to specifications maintained W3C (World Wide Web Consortium) organization • Standards organization for web • Current Version HTML 4, Version 5 in progress • Supposed to be out end of 2014 http://www.sitepoint.com/w3c-html5-2014-plan/ • Current CSS Version 2, Version 3 in progress http://www.w3.org/TR/CSS2/, version 3 in progress

  13. Plug-ins Enhance Browsers • Visit web page that includes more than simple HTML content • Likely to need plug-in applications • Flash Player most needed plug-in • 75% of the animated advertisements you see online are Flash .swf movies • Adobe Acrobat Reader .pdf, next most needed • Most government forms, online application forms, multitude of other documents use .pdf format on the Web • Movie/audio player to run .mov, .mp3, .wav, .au, and .avi files • Windows Media Player is .. most popular

  14. Browser and Web Server State • Neither Browsers or Web Servers keep “state” • What does this mean? • How can browsers and Web Servers keep state?

  15. Browsers and Web ServerState Defined • This means user data is not persisted from one Web page to next in a Web site • Web developers refer to practice of tracking users as maintaining state • Series of interactions that a particular user has with a site is a session

  16. Browser State • How do browsers keep state? • Cookies!!! • Cookies, small text files stored in your computer's browser directory or other directory • Cookies • Created when you use your browser to visit website that uses cookies to keep track of your movements within site, • Helps resume where you left off, • Remembers registered login, theme selection, preferences, and other customized selections

  17. Browser Cookies • Two types of cookies are used • Session cookies, • Temporary cookies remain in cookie file of your browser until you leave the site • These cookies only stored in memory • Persistent cookies, • Remain cookie file, browser for much longer • Have an expiration date

  18. Browser Cookies http://en.wikipedia.org/wiki/HTTP_cookie Each cookie has values for six fields: * Name - Name of the cookie * Value - ID string set by Web site * Domain - Of Web site issuing cookie * Path - “/” means the cookie is valid anywhere on that domain * Expires - Cookie expires on that date * Secure (used for cookies that require a SSL connection)‏

  19. Evolution of Web Technologies

  20. Problem • All research shows, Internet based attacks appear to be increasing • Why is this?

  21. Evolved from Web 1.0 to 2.0 • Most people agree that Web 2.0 is • Interactive and social • Facilitating collaboration between people • User content is the norm • This is distinct from the early web (Web 1.0) which was a static information dump where people read websites but rarely interacted with them

  22. Web 2.0 • How do you define Web 2.0? • Web "as Platform," where software applications built on Web as opposed to desktop • Customers are building content • Activities of users generating content ... ideas, text, videos, pictures create value to web site ... • Nice YouTube Video of “Us as Web” http://www.youtube.com/watch?v=NLlGopyXT_g

  23. Web 2.0 vs. Web 1.0

  24. Web 2.0 Technologies

  25. Web 2.0 • Web 1.0 • Pull information • Read information • HTML (Web pages)‏ • Web 2.0 • Push information • Read / write (cooperate and collaborate)‏ • XML, RSS, Mash-ups • What's a mash-up?

  26. Mash-up Defined • A mashup • Web site that combines content data from more than one source to create a new user experience • "mashup" comes from pop music term, refers to two or more songs combined into a new song • Example • Most common Google product used for mashups is Google Maps

  27. Security and Web 2.0 • Why is Web 2.0 more Insecure? • User generated content • Do you trust your users? • Easier to upload or infect content • More complicated technologies behind Web 2.0 • Active content – scripts and other automatic components • Combined content from many sources • Advertising often contributes vulnerabilities

  28. Web 2.0 Increases Threat • Popularity of Web 2.0 sites has changed way we communicate and use web • Created an irresistible target for malware authors Social-networking sites, blogs, and wikis • Malware authors take advantage of these sites, opening up yet another front in cat-and-mouse game between security defenses and hackers http://www.scmagazineus.com/ How-to-protect-against-Web-20-threats/article/34711/

  29. Web 2.0 Nightmare • “Every company has plans to move mission critical applications to the Web • Yet, companies do not have web security plan to ensure applications free from exploits and hackers … (accidents waiting to happen)‏” CIO Magazine quote http://cio20.com/2008/01/03/web-20-and-application-security/ • Look at the technologies that enables Web to function

  30. Web 3.0 is Coming http://socialmediatoday.com/node/423732 • Web 3.0 is a Marketing Term. Sadly, this is probably most likely way that we'll be using term 'Web 3.0' in future • Within Web 3.0 social networks will be critical conduits through which we design and stumble through our individual contexts, veering out to increasingly social content experiences built by big content providers like Yahoo, AOL, newspapers, blogs and so on • Amazon and eBay have already become large media experiences as we come to enjoy act of browsing as much as act of buying • For example, eBay Motors says 95% of traffic doesn’t come to buy car as much as look at cars • They’re a media channel that sells ads more than they are a marketplace for cars.

  31. Active Content

  32. Active Content • Used to be Web pages consisted of HTML • Purpose of the Internet was • Download information • View pictures and other graphic images • Fill out input forms • Our Web site, example of what kind of content? http://penguin.ewu.edu/cscd303/

  33. Active Content • What is active content? • Web site that is either interactive • Such as Internet polls or • Dynamic, such as animated GIFs, stock tickers, weather maps, moving ads • Embedded objects, streaming video and audio CNN http://cnn.com/

  34. Active Content Languages • Implementing Active Content • HTML does not have built in capability to handle active content … this is changing HTML 5 • Embedded video objects, • Dancing bears • Other languages added to Web pages within HTML tags allow expanded capability • What languages implement Active Content?

  35. Active Content Languages • Active content implemented mainly through • Javascript • ActiveX Controls • Java Applets • VBScript • AJAX

  36. Javascript • What is it? Has anything to do with Java? • JavaScript, is unrelated to Java programming language • Has common C syntax • JavaScript copies many Java names and naming conventions • Was originally named "LiveScript" • Renamed in a co-marketing deal between Netscape and Sun • Netscape bundling Sun's Java runtime in their then-dominant browser

  37. Javascript JavaScript writes functions that are embedded in or included from HTML page Simple Examples • Opening or popping up new window with control over size, position, and attributes of window • Validation of web form input value before submitted to server • Changing images as mouse cursor moves over them … catches user’s attention • Example here http://www.javascripter.net/faq/onmouseo.htm

  38. Javascript • JavaScript code runs locally in user's browser • Respond to user actions quickly, making an application feel more responsive • Example: • Gmail is written in JavaScript • JavaScript dispatches requests for information such as the content of an e-mail message

  39. HTML code with Javascript <html> <head><title>simple page</title></head> <body> <script type="text/javascript"> document.write ('Hello World!'); </script> <noscript> <p>Your browser either does not support JavaScript, or you have JavaScript turned off.</p> </noscript> </body> </html>

  40. Java Applets • Java Applets • The word applet is meant to suggest a small application • Applets were intended to be small programs run over the Internet • Applets can be viewed over Internet, or without any connection to Internet • When you use browser to view page that contains an applet, applet's code is transferred to your system • Executed by browser's Java Virtual Machine (JVM)‏

  41. Java Applets • An applet class is compiled in same way as any other Java class • However, applets run differently from other Java programs • Normal way to run applet is to embed it in an HTML document • Then run and viewed through a Web browser

  42. Java Applets <html> <head> <title> Vampire Control </title> </head> . . . <applet code="AppletCalculator.class" width=400 height=300> </applet> . . . </html>

  43. Active X • ActiveX, set of object-oriented programming technologies and tools from Microsoft! • You create, in ActiveX environment, a component • Self-sufficient program that can be run anywhere in your ActiveX network • Component known as an ActiveX control • ActiveX Microsoft's answer to Java • An ActiveX control is like Java applet • Can be developed in several languages • Visual Basic, • C++ • Java

  44. Active X • ActiveX • Renamed Component Object Model (COM)‏ developed by Microsoft for Windows, • Changed to ActiveX in 1996 • A software application can compose one or more components in order to provide needed functionality

  45. Active X • Most Microsoft Windows applications • Internet Explorer, Microsoft Office, Microsoft Visual Studio, Windows Media Player, • All … Use ActiveX controls • Encapsulate functionality as ActiveX controls can be embedded in other applications • Internet Explorer also allows ActiveX controls to be embedded inside web pages • Point for us !!!! • Can expand application functionality to the Web!

  46. Example Active X Control

  47. Active X • ActiveX Controls are like Java Applets, • Both designed to be downloaded and executed from web browsers • Differences • Java applets can run on nearly any platform, • ActiveX components can only run on Microsoft's Internet Explorer • ActiveX controls also granted a much higher level of control over Windows than Java applets • Making them both more powerful and dangerous!!!

  48. Active X Example • The process of embedding ActiveX controls into a web page is very similar to the way Java applets are embedded. The following example shows the HTML code used to embed an ActiveX control. • <OBJECT ID="AreaMenu" WIDTH=192 HEIGHT=192 • CLASSID="CLSID:275E2FE0-7486-11D0-89D6-00A0C90C9B67" • CODEBASE="http://activex.microsoft.com/controls/mcsi/mcsimenu.cab# • version=1,0,0,44"> • <PARAM NAME="ForeColor" VALUE="&H00000000"> • <PARAM NAME="BackColor" VALUE="&H00BEBEBE"> • <PARAM NAME="FontName" VALUE="Verdana"> • <PARAM NAME="FontSize" VALUE="10"> • <PARAM NAME="FontBold" VALUE="0"> • <PARAM NAME="FontItalic" VALUE="0"> • <PARAM NAME="FontUnderline" VALUE="0"> • <PARAM NAME="FontStrikethrough" VALUE="0"> • <PARAM NAME="FontCharset" VALUE="0"> • </OBJECT>

  49. Active X Example • The tag creates the ActiveX object. The tag has 5 attributes: • ID: Object Name. You use ID to refer to the object with JavaScript • WIDTH: defines the width of the control on the web page • HEIGHT: defines the height of the control on the web page • CLASSID: Each ActiveX control assigned unique Class ID number, like an identification number, use number to tell computer which ActiveX control to load • CODEBASE: If control is not present on system, Codebase attribute tells the browser where to find the control on the Internet. The viewer's browser will then download the file and install it on to the user's computer • Short article below explains Active X http://www.cs.ualberta.ca/~zaiane/courses/cmput499/work/presentations/activex.html

  50. VBScript • VBScript • Visual Basic Scripting Edition • An Active Scripting language developed by Microsoft • Language's syntax reflects its history as a limited variation of Microsoft's Visual Basic programming language

More Related