ECOM 6031 Fundamentals of e-Commerce Security (Dr KP Chow, Dr Lucas Hui)
Lecture 2: Web Browser and Web Server Security
Dr Lucas Hui (CYC307, 28592190, [email protected])
Content
• Review of the World Wide Web
• Case of Facebook CSRF ((4) threats from server to client)
• Case of Java Signed Applet Protection ((4) threats from server to client)
• A Short Review of SSL (with reference to root certificates)
• Case of CAPTCHA (protection against (3) threats via client to server)
• Case of SQL injection ((3) threats via client to server)
• Summary
Discussion Question
• What kind of company data can you allow your employees to access on the company Intranet ____?
1. at the office
2. at home using a fixed PC
3. at home using a laptop
4. at an overseas cyber-café using a laptop
• Can you suggest some protection strategy that would make you feel safe?
Review of Internet Technology (History)
• In the early 1960s, the US Department of Defense (DoD) started research in networking computers and developed a multiple-channel network
• In 1972, e-mail was born
• In the 1980s, PCs became popular, which led to PC networks
• The US National Science Foundation (NSF) funded network services in the 1980s
• In 1987, Hong Kong was connected to the Internet (via HARNET: Hong Kong Academic and Research Network, set up by HKU)
• In 1991, the NSF further eased its restrictions on Internet commercial activities
• Privatization of the Internet was substantially completed in 1995
• Internet service providers (ISPs) sell Internet access rights directly to customers
• Note: the Internet is (close to) free and provides global connectivity
Internet Definition - FNC
• On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet. This definition was developed in consultation with the leadership of the Internet and Intellectual Property Rights (IPR) Communities.
• RESOLUTION:
“The Federal Networking Council (FNC) agrees that the following language reflects our definition of the term "Internet".
"Internet" refers to the global information system that --
(i) is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons;
(ii) is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and
(iii) provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein."
Early Internet Initiative in Hong Kong: HARNET
[Figure: HARNET slide image]
Network Technology
• Uses the TCP/IP protocol suite
– TCP: Transmission Control Protocol
• Controls the assembly of a message into smaller packets before it is transmitted over the Internet (and their reassembly at the receiver)
– IP: Internet Protocol
• Includes the rules for routing individual data packets from their source to their destination
• IP Address
– Internet addresses are based on a 32-bit number called an IP address (IPv4)
– An IP address is written as four decimal numbers separated by dots (e.g. 147.204.89.56) and uniquely identifies a computer connected to the Internet
– Management of IP addresses (static, mobile, NAT (Network Address Translation)) is an important issue for higher-level applications
Domain Names
• IP addresses are difficult to remember
• Domain names
– Sets of words assigned to specific IP addresses
– Example: www.hku.hk
• www.hku.hk contains three parts separated by periods
• Top-level domain (TLD): the rightmost part (here .hk)
• Generic top-level domains (gTLDs), e.g. .com, .org, .net

Web Page Types
• (1) Static web page
– Simple to implement; easy to estimate data transfer time
• (2) Dynamic pages – server-side code execution
– Reduces server-side page storage, but may overload the system when the number of requests is huge
• (3) Dynamic pages – client-side code execution
– Low server burden (both CPU cycles and DB storage), but may have incompatibility issues for some clients
• (4) Dynamic pages – both server- and client-side code execution
– Most flexible; can carry out a lot of business logic, web access data analysis, and personalization. However, very complicated to implement
Properties of Web Technology (important for e-commerce)
• Thin client / thick server HTTP model
– The server needs to 'instruct' the client browser to execute client-side program code
– Installation of client-side software components is extremely unfavourable
– Now (2011) it is a bit different (e.g. AJAX)
• Worldwide connection (7 days, 24 hours)
• Universal readership (independent of client machines and browsers)
– A difficult problem for m-commerce using intelligent devices (e.g. iPhone, SmartGrid meters) whose bandwidth, screen size, and client processing power are constrained
• Infrastructure is free
• HTTP connections are stateless ('sessionless')
– Client → Server: request, followed by Server → Client: response; nothing in HTTP itself ties one request to the next, so sessions are layered on top (e.g. with cookies)
• Security is not an emphasis! (This is our problem)
Just Some e-Crime Cases
• Targeted Trojans (Trojan horse programs built to attack a certain target's vulnerabilities) were distributed via marketing CDs in cases related to some Israeli companies
• Targeted Trojans spread via e-mail were designed to attack the e-gold company using the 'hidden session' attack
• A payroll company potentially exposed the private information of more than 25,000 customers due to a process breakdown
• In 2002, a credit reporting company reported that 13,000 customer records were stolen using an authorization code belonging to Ford Motor Company (insider problem)
• A keylogger was downloaded from a phishing site, then waited until the user accessed an online banking application and forwarded the keystrokes to a malicious web site
• Credit card information was stolen because data that should have been discarded was being stored, unencrypted, for troubleshooting purposes
• And others …
Threats for E-Com (by purpose)
• Against 'random hacking'
– Viruses
– Port scanning (for free services)
– Hacking (e.g. turning the machine into a 'zombie' in a DDoS attack)
• Against 'targeted attack'
– Stealing of company/customer information
– Disruption of services (e.g. DDoS attack)
– Faked transactions (e.g. illegal e-banking activities)
– Damage on purpose (e.g. ex-employee, information warfare)
• Targeted attack is the important issue
E-Com Security Problems
• Client (no/low security control)
• Communication channel (the Internet)
• Server
– Machines (servers/DB)
– Employees
– Data (customer information)
• Fraud (cheating, related to non-repudiation issues)
– Stealing of a valid user's account password
Threats for E-Com
[Figure: network diagram showing where threats arise: LANs joined by a WAN, a wireless network access point, hand phone / laptop / PDA clients, a broadband router on an ADSL connection, a smart card reader, a mobile phone network with base station, routers, an Internet backbone router, a server and a personal computer]
Web Security Problem Status (2011)
• Communication link problem is (kind of) solved
– Secure channel technology such as SSL
• E-commerce fraud:
– Technically valid transactions in which one user cheats another
– Logging of evidence is the key idea
– Proving the evidence (computer forensics) is an important current issue!
• Client side (browser) and server side are still a big, big problem
• Client and server affect each other:
– (1) Direct threats to the client (Trojan horse, key logger, etc.)
– (2) Direct threats to the server (port scanning, intrusion, hacking)
– (3) Threats from client to server (through a valid web session)
– (4) Threats from server to client (through a valid web session)
Danger in the Client
[Figure: the same network diagram, with the client machines (laptop, PDA) marked as the home of keyloggers, spyware, backdoors, viruses, etc.]
Client-side problems
• System patches not updated (leaving the machine open to viruses and worms)
• Opening e-mails with malicious attachments
• Running untrusted programs from floppy or USB drives
• Visiting malicious web pages (e.g. phishing sites, hidden IFRAMEs in forums)
• Social engineering (leaking passwords)
Case of Facebook: CSRF
• CSRF (Cross-Site Request Forgery)
• Belongs to: (4) Threats from server to client
• General key idea:
– After the client has authenticated to a server, the authentication information is stored in the client (usually as a cookie) (e.g. the user logs in to a bank web site)
– By attracting/cheating the user into clicking a malicious link, the user visits the hacker site, which then does the following:
• The hacker site creates a 'faked request' and makes the user's browser send it to the server (the browser attaches the stored cookie automatically), carrying out a 'faked transaction' (like a money transfer)
• Very suitable for a targeted attack! (e.g. stealing from an e-banking account)
• Lesson to learn: your authentication history may be harmful to you if you visit a hacker site afterwards!
Case of Facebook: CSRF (2)
• Facebook case key idea:
– After the client has authenticated to Facebook, the authentication information is stored in the client (usually as a cookie)
– By attracting/cheating the user into clicking a malicious link, the user visits the hacker site, which then does the following:
• The hacker site creates a 'faked request' and makes the user's browser send it to Facebook, which runs an evil app (again hosted at the hacker site) that steals Facebook information from the user's account
• A detailed report: (Reference F1) http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html
Recall: session using cookies as authentication info stored in the client PC
[Figure: Browser ↔ Server, with the cookie carrying the authentication info]
CSRF framework (Cross-Site Request Forgery)
[Figure: Hacker Site, Victim Site and User Victim (holding a cookie with auth. info); step (4): the faked request, carrying illegal commands, reaches the Victim Site just as if the user had authenticated properly!]
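The framework above, replayed in code. This is an added example, not code from the lecture or from the Facebook report: the bank (`bank.example`), the hacker site (`hacker.example`), the users and the `Request`/`BankServer` classes are constructed stand-ins for a real browser and web framework. The vulnerable handler trusts the session cookie alone, which is exactly what the forged request exploits; the hardened handler additionally demands a per-session token that only the bank's own page can supply and checks the browser-set `Origin` header.

```python
"""CSRF in miniature: cookie-only authentication vs. a hardened handler.

Added example, not code from the lecture or from Facebook. The bank, the
hacker site, the users and the Request/BankServer classes are constructed
stand-ins for a real browser and web framework.
"""
import hmac
import secrets
from dataclasses import dataclass, field

BANK_ORIGIN = "https://bank.example"      # assumed victim site
HACKER_ORIGIN = "https://hacker.example"  # assumed attacker site


@dataclass
class Request:
    method: str
    path: str
    cookies: dict            # the browser attaches these automatically
    form: dict               # body fields of the submitted form
    headers: dict = field(default_factory=dict)


class BankServer:
    def __init__(self):
        self.sessions = {}       # session id -> user name
        self.csrf_tokens = {}    # session id -> token embedded in the real form
        self.balances = {"alice": 1000}

    def login(self, user):
        """Successful login: the server issues a session cookie."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def render_transfer_form(self, sid):
        """The genuine transfer page carries a hidden per-session secret.
        hacker.example cannot read it: the same-origin policy keeps the
        bank's pages and responses out of the hacker's reach."""
        token = secrets.token_urlsafe(16)
        self.csrf_tokens[sid] = token
        return token

    def _do_transfer(self, user, to, amount):
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_vulnerable(self, req):
        """Trusts the cookie alone: any site that can make the browser
        POST here gets a transaction 'as if the user had authenticated'."""
        user = self.sessions.get(req.cookies.get("sid"))
        if req.method != "POST" or user is None:
            return 401
        self._do_transfer(user, req.form["to"], int(req.form["amount"]))
        return 200

    def transfer_hardened(self, req):
        """Requires proof that the request came from the bank's own page."""
        sid = req.cookies.get("sid")
        user = self.sessions.get(sid)
        if req.method != "POST" or user is None:
            return 401
        # 1. Synchronizer token: must match the one issued with the form.
        expected = self.csrf_tokens.get(sid)
        supplied = req.form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return 403
        # 2. Origin header: set by the browser, cannot be forged by page script.
        #    A foreign origin is rejected; a missing header is tolerated because
        #    the token check above already stands on its own.
        origin = req.headers.get("Origin")
        if origin is not None and origin != BANK_ORIGIN:
            return 403
        self._do_transfer(user, req.form["to"], int(req.form["amount"]))
        return 200


def scenario(handler_name):
    """Victim logs in, opens the real form, then visits hacker.example.
    Returns (status of genuine request, status of forged request, alice's balance)."""
    bank = BankServer()
    sid = bank.login("alice")
    token = bank.render_transfer_form(sid)
    handler = getattr(bank, handler_name)

    genuine = Request("POST", "/transfer", {"sid": sid},
                      {"to": "bob", "amount": "10", "csrf_token": token},
                      {"Origin": BANK_ORIGIN})
    # The hacker page auto-submits a hidden form to the bank. The browser
    # adds alice's cookie, but no token, and labels the request with the
    # hacker's Origin.
    forged = Request("POST", "/transfer", {"sid": sid},
                     {"to": "mallory", "amount": "500"},
                     {"Origin": HACKER_ORIGIN})
    return handler(genuine), handler(forged), bank.balances["alice"]


if __name__ == "__main__":
    print("vulnerable:", scenario("transfer_vulnerable"))   # (200, 200, 490)
    print("hardened:  ", scenario("transfer_hardened"))     # (200, 403, 990)
```

Against the vulnerable handler the forged POST drains 500 from alice just like her own transfer did; against the hardened handler only the genuine request goes through. In current browsers the `SameSite` cookie attribute gives a further, client-side line of defence by not attaching the session cookie to cross-site POSTs at all.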
The Facebook special CSRF case
• From reference F1: detailed report at http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html
Case of Java Signed Applet Protection
• Recall: client-side security is difficult!!
• One client can interact with many e-com servers
– Potential problem: information from e-com sites can be stolen from the cookies on a client machine
• More serious problem: active content
– Programs embedded in web pages
– E.g. Java applets, ActiveX controls, JavaScript, VBScript
– Attracts Trojan horses, viruses, malicious cookies, zombies (a program that secretly takes over the computer)
• Other means: e-mail attachments, reading e-mail from browsers, screen savers, installation of free software, etc.
• Protection means: anti-virus software, user education, a better user protection environment (e.g. signed applets)
Java Signed Applet key issue
• There is a program (or a piece of code) sent from the web server to the client (i.e. the browser)
– Can I have an easy Yes/No 'test' to decide whether the program is safe to run or not?
– PKI (Public Key Infrastructure) and the browser technology provide one such solution!!!
• Of course:
– Is this solution good or not?
• Let's see its usage and limitations…
The Signed Applet Example
• Signed applet: a Java applet with a 'digital signature'
• Treat the applet as a 'document' sent from server to client
• The applet has an extra document, called a 'digital signature', attached to it
– "Applet + digital_signature" is a signed applet
– When the server creates this applet, the server puts in this digital_signature as well
– Only the server (which holds a "private key") can create this digital_signature
• The client will 'verify the digital signature'
• If the verification process is OK, the client will allow the applet to execute
• Result: only applets from a verifiable server will be executed
The Signed Applet Technology
• What technology does the client use to 'verify a signed applet'? Public key cryptography
• The server creates the digital_signature using "the server's private key", usually stored in a hardware token in the server machine
• The client verifies the digital signature using the server's public key. This public key is stored in a data structure called a 'public key certificate'
• The public key certificate of the server is sent from server to client when the applet is loaded, or in some previous connection
• The client, using some 'root cert' + the server's public key cert + the signed applet, can perform the verification
Public Key Certificate in IE
[Figure: Internet Explorer certificate dialog]
Root Certificates in IE (a lot!)
[Figure: Internet Explorer trusted root certificate list]
Review of Public Key Cryptosystems (PKC)
• A has a public key Apub and a corresponding private key Aprv
• From Apub it is almost impossible to find Aprv
• Apub is known to all; Aprv is secret to A
[Figure: A holds Aprv. Encryption: M → C with Apub, C → M with Aprv. Signing: M → C' with Aprv, C' → M with Apub]
Public Key System Properties
• Xpub(Xprv(M)) = Xprv(Xpub(M)) = M
• Mathematically, given the public key, it is extremely difficult to find the private key
• Security strength depends on key length (for a given algorithm)
• Can be used for digital signatures, encryption, and other advanced usage
• Data encryption: A sends a confidential message M to B
– A sends Bpub(M) to B; B decrypts with Bprv
• Digital signature: A sends a signed message M to B
– A sends Aprv(M) to B; B verifies by recovering M with Apub
• Encryption and signature can be used together
Relationship with CA
[Figure]
Use of Digital Signature
[Figure]
Different Digital Signature Schemes by Public Key Systems
A sends M to B:
• A sends Aprv(M), M to B
• A sends Aprv(H(M)), M to B (H is a cryptographic hash function)
• A sends Aprv(H(M)), Bpub(M) to B (sign and encrypt)
• A sends Aprv(H(M)), Bpub(K), Ek(M) to B (K is a block cipher key acting as a 'session key'; Ek is block cipher encryption under K)
• The last two versions are more popular. For simplicity, we can assume the last version is used.
Public Key Certificate (PKC)
• Problems in public key cryptography
– Private key: users have to keep it secret
– Public key: make sure everyone can get a correct copy (solution: store it in a public key certificate)
• Certification Authority (CA): a trusted third party (e.g. Hong Kong Post CA, VeriSign)
• Says "I, as the CA, certify that B's public key value is 136……, digitally signed by me, the CA"
• Needs the CA's public key to verify the correctness of B's PKC (where to find the CA's public key?)
[Figure: B's public key Bpub is signed with CAprv to produce CA_Sig; "Bpub + CA_Sig" is B's public key certificate]
Public Key Certificate Concept
Q: User Z wants to know the public key value of Bob.
Z knows the public key of Mr. CA is 1234 ("CA's value is 1234", signed by CA).
If Z gets:
– "Adam's public key is 3456", signed by Mr. CA
– "Bob's public key is 7890", signed by Adam
he will know Bob's public key.
Administrative assumption: everyone knows Mr. CA's public key value.
Technical assumption: if you have the public key of X, you can verify all documents digitally signed by X.
How are the "Root Certs" used?
[Figure: Browser holding a root cert (the cert of a "Big Brother" CA, B1); Server S1 holding a "Cert of S1" issued by B1]
During Authentication (e.g. signed applet)
[Figure: Browser, holding a root cert (the cert of "Big Brother" CA B1); Server S1, holding a "Cert of S1" issued by B1]
(1) The cert of S1 is loaded into the browser
(2) The browser checks S1's cert against B1's root cert: B1 vouches for S1 ("S1 is my customer, trust him!")
(3) S1's applet can be executed in the browser. The user is shown a Yes answer (and S1's cert details)
If S1 is not a valid client of a "Big Brother" …
[Figure: Browser with its root certs; Server S1, whose cert is not issued by any known "Big Brother"]
• In case no "Big Brother" knows S1, the user is prompted to decide whether he trusts S1 or not
Summary of Signed Applet Technology
• In your browser: an automated process, using PKI technology, gives you a Y/N answer, deciding whether a signed applet is a 'good program to execute' or not
• "Yes" means:
– The web server (S1) providing the signed applet is a valid customer of one of the root certification authorities. So S1 is a 'good guy', and your PC or browser can execute this signed applet
– But … you have to look into the certificate details to see exactly who S1 is! (A valid signature tells you who signed the applet, not that the code is harmless)
• "No" means:
– The web server (S1) providing the signed applet is not a valid customer of any of the root certification authorities
– The browser lets you decide whether to execute the signed applet or not
• Key issue: Is this situation perfect? How to improve it?
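The three mechanisms above, the Aprv(H(M)) signature scheme, the Mr. CA / Adam / Bob certificate chain and the browser's Y/N answer for a signed applet, all rest on the same few operations, so one added example covers them. This is not code from the lecture: textbook RSA over fixed Mersenne primes is a toy stand-in for a real signature scheme (no padding, far too small to be secure), the certificate encoding is made up for the demo, and Bob plays the server S1. It needs Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Toy PKI: hash-then-sign, certificate chains, and the browser's Y/N answer
for a signed applet.

Added example, not from the lecture. Textbook RSA over fixed Mersenne primes
stands in for a real signature scheme (no padding, small keys: illustration
only). The certificate encoding and the names (Mr. CA, Adam, Bob as server
S1, a "Rogue CA") are made up to follow the slides.
"""
import hashlib
import json

# Fixed, well-known Mersenne primes 2**k - 1. A real system generates random
# primes of 1024+ bits; these are just big enough to hold a 128-bit hash.
MP = {k: 2**k - 1 for k in (19, 31, 61, 89, 107, 127, 521, 607)}


def toy_keypair(p, q, e=65537):
    """Textbook RSA: pub = (n, e), prv = (n, d) with e*d = 1 mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def H(data: bytes) -> int:
    """Hash the message first (the Aprv(H(M)) scheme). Truncated to 128 bits
    so that H(M) < n for every key used here."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def sign(prv, data):
    n, d = prv
    return pow(H(data), d, n)              # Aprv(H(M))


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == H(data)       # Apub(Aprv(H(M))) == H(M)


def tbs(subject, pub, issuer):
    """Canonical to-be-signed bytes: '<subject>'s public key is <pub>', by <issuer>."""
    return json.dumps({"subject": subject, "n": pub[0], "e": pub[1],
                       "issuer": issuer}, sort_keys=True).encode()


def issue_cert(issuer, issuer_prv, subject, subject_pub):
    """'I, the CA, certify that <subject>'s public key is <pub>' + CA_Sig."""
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_prv, tbs(subject, subject_pub, issuer))}


def verify_chain(chain, root_store):
    """Walk the chain from a root the verifier already trusts to the leaf.
    Returns the leaf public key, or None when no trusted issuer vouches for
    it ('no Big Brother knows S1') or a signature does not check out."""
    if not chain:
        return None
    known = dict(root_store)                      # name -> public key
    for cert in chain:
        issuer_pub = known.get(cert["issuer"])
        if issuer_pub is None:
            return None
        if not verify(issuer_pub, tbs(cert["subject"], cert["pub"], cert["issuer"]), cert["sig"]):
            return None
        known[cert["subject"]] = cert["pub"]      # X's key now verifies X's signatures
    return chain[-1]["pub"]


def applet_is_trusted(applet, sig, chain, root_store):
    """The browser's automated Y/N answer: a valid chain to a root AND a valid
    signature over the applet bytes. 'Yes' identifies the signer; it says
    nothing about whether the code is harmless."""
    pub = verify_chain(chain, root_store)
    return pub is not None and verify(pub, applet, sig)


# Key pairs for the parties on the slides (Bob plays server S1).
CA_PUB, CA_PRV = toy_keypair(MP[61], MP[89])
ADAM_PUB, ADAM_PRV = toy_keypair(MP[31], MP[107])
BOB_PUB, BOB_PRV = toy_keypair(MP[127], MP[19])
ROGUE_PUB, ROGUE_PRV = toy_keypair(MP[521], MP[607])
ROOT_STORE = {"Mr. CA": CA_PUB}       # Z (the browser) only knows Mr. CA's key


def demo():
    adam_cert = issue_cert("Mr. CA", CA_PRV, "Adam", ADAM_PUB)   # signed by Mr. CA
    bob_cert = issue_cert("Adam", ADAM_PRV, "Bob", BOB_PUB)      # signed by Adam
    applet = b"constructed applet bytes"                          # stands in for the .jar
    sig = sign(BOB_PRV, applet)
    rogue_self = issue_cert("Rogue CA", ROGUE_PRV, "Rogue CA", ROGUE_PUB)
    forged_issuer = issue_cert("Mr. CA", ROGUE_PRV, "Rogue CA", ROGUE_PUB)  # claims Mr. CA
    return {
        "genuine": applet_is_trusted(applet, sig, [adam_cert, bob_cert], ROOT_STORE),
        "tampered_applet": applet_is_trusted(applet + b"!", sig, [adam_cert, bob_cert], ROOT_STORE),
        "unknown_issuer": applet_is_trusted(applet, sign(ROGUE_PRV, applet), [rogue_self], ROOT_STORE),
        "forged_issuer": applet_is_trusted(applet, sign(ROGUE_PRV, applet), [forged_issuer], ROOT_STORE),
        "wrong_signer": applet_is_trusted(applet, sign(ADAM_PRV, applet), [adam_cert, bob_cert], ROOT_STORE),
    }


if __name__ == "__main__":
    for case, answer in demo().items():
        print(f"{case:16s} -> {'Yes' if answer else 'No'}")
```

Only the genuine case gets a "Yes": a modified applet, a signature by someone other than the certified key, a chain rooted in a CA the browser has never heard of, and a certificate that merely claims to be issued by Mr. CA all produce "No". Note what "Yes" still does not tell you: only that the holder of the key Mr. CA (via Adam) certified as Bob's signed those bytes.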
A Short Review of SSL
• Recall: the client only talks to a server (S1) that can be verified against a root cert held by the client!
• In our business model, it means:
– The web server (S1) that can establish an https session with the client is a valid customer of one of the root certification authorities. So S1 is a 'good guy', and your PC or browser can establish an https session with S1!
– But … you have to look into the certificate details to see exactly who S1 is!
SSL Mixed Content problem
[Figure: browser warning that the page contains both secure and non-secure items]
What does this mean?
SSL Mixed Content problem (2)
• The risk: data not protected by SSL may be seen (and altered) by intermediate routers
• In many cases this is still safe (e.g. a decorative image)
• BUT: attack code in non-SSL data (a script or frame loaded over plain http into an https page) can be dangerous!!
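A check for the problem just described, as an added example that is not part of the lecture: it scans the HTML of a page served over https for subresources fetched over plain http and separates the dangerous kind (script, frame, stylesheet, plug-in object: content that executes in the page) from the merely leaky kind (images, media). The sample page and host names are constructed for the demo.

```python
"""Mixed-content check for a page delivered over https.

Added example, not from the lecture. The sample page and host names are
constructed here. Active mixed content (scripts, frames, stylesheets,
plug-in objects loaded over plain http) can run code inside the https
page, so it is the dangerous case; passive content (images, media) is
only displayed, but anyone on the path can still read or replace it.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute that carries the subresource URL
ACTIVE = {"script": "src", "iframe": "src", "frame": "src",
          "object": "data", "embed": "src", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.active, self.passive = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return                       # e.g. <link rel="icon"> is not executed
        for table, bucket in ((ACTIVE, self.active), (PASSIVE, self.passive)):
            attr = table.get(tag)
            if attr and attrs.get(attr):
                # urljoin resolves relative ("/x.png") and protocol-relative
                # ("//cdn/x.js") references against the https page URL, so
                # only absolute http:// references end up flagged.
                url = urljoin(self.page_url, attrs[attr])
                if urlsplit(url).scheme == "http":
                    bucket.append(url)


def scan(page_url, html):
    """Return the http:// subresources of an https page, split by risk."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for an https page")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


# Constructed sample: an https checkout page with a few insecure includes.
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<link rel="icon" href="http://cdn.example/favicon.ico">
<script src="https://cdn.example/app.js"></script>
<script src="http://analytics.example/track.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<img src="/static/cart.png">
<img src="//images.example/banner.png">
<iframe src="http://ads.example/frame"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for kind, urls in scan(SAMPLE_PAGE_URL, SAMPLE_HTML).items():
        print(kind, urls)
```

On the sample page the stylesheet, the tracking script and the advertising frame are the active findings (an attacker on the path who rewrites any of them gets code running inside the https page), while the logo is passive; the relative and protocol-relative images inherit https and are not flagged. The fix is to reference every subresource over https; current browsers also honour `Content-Security-Policy: upgrade-insecure-requests`, which rewrites such http references to https before fetching them.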
SSL Protection
• SSL provides encryption between the two endpoints (browser and server)
– No intermediate router or process can see the content
• Limitation: the two endpoints can still leak information
• Discussion question: what protection does SSL provide to a company?
– What is its value for customer access?
– What is its value for employee access?
– Is SSL necessary?
– Is SSL sufficient?
Case of CAPTCHA
• CAPTCHA
– Completely Automated Public Turing test to tell Computers and Humans Apart
– (Chinese name: "fully automated test to tell computers and humans apart")
• Automatically generated challenges which are intended to:
– Provide a problem easy enough for all humans to solve
– Not be solvable by a computer program currently, unless it is specially designed to circumvent a specific CAPTCHA system
– E.g. a human user can read distorted text while bots cannot
• CAPTCHA is usually used to protect web sites against bots which abuse them, and is usually placed:
– At a login form, to prevent dictionary attacks
– Before account registration
– Before showing an e-mail address on a personal web site, to stop spammers harvesting it when they crawl the web for valid e-mail addresses
– Etc.
Eg: reCAPTCHA
• Google's project (http://www.google.com/recaptcha)
– A plugin offered as a web service
– Only need to add a few lines of code to your web site to embed it
Eg: reCAPTCHA (cont.)
• Idea:
– Digitizing physical books that were written before the computer age
– Each word that cannot be read correctly by Optical Character Recognition (OCR) is placed on an image and used as a CAPTCHA
Alternative implementations
• Rely on visual perception (more than distorted text):
– Identifying an object that does not belong in a particular set of objects
– Locating the centre of a distorted image
– Identifying distorted shapes
– 3D CAPTCHA, etc.
• Provide an audio version of the CAPTCHA for accessibility reasons
Cases
• D-Link adds CAPTCHA to home routers
– The new CAPTCHA system will be particularly useful in thwarting malicious attacks that target default passwords on routers to alter DNS records and so hijack all future connections
• Gmail, Yahoo and Hotmail systematically abused by spammers
– The MessageLabs Intelligence annual report for 2008 indicates that, on average, 12 percent of the spam volume they monitored in 2008 came from legitimate e-mail providers such as Gmail, Yahoo Mail and Hotmail, peaking at 25% in September
– Vendors cite machine-learning CAPTCHA-breaking techniques as the cause; some doubt this and suspect the spammers actually outsource the account registration process to human CAPTCHA solvers
• Attack on Microsoft's CAPTCHA (… 31, 2008)
– A research paper entitled "A Low-cost Attack on a Microsoft CAPTCHA" published the attack
– Microsoft's CAPTCHA scheme was designed to be segmentation-resistant. However, the attackers' simple attack achieved a segmentation success rate of higher than 90% against this scheme
– They show that a CAPTCHA carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks, and that it is not a trivial task to design a CAPTCHA scheme that is both usable and robust