Web hacking and the Internet user

1. Web hacking and the Internet user

2. Web hacking • Basics • Web pilfering: download selectively web sites and search files off-line. • Automated scripts: developed by advanced hackers for use by “script kiddies.” See SecurityInnovation for vulnerability scanners. • IIS security: see Microsoft Web Application Security guide to setup the IIS and identify threats and create countermeasures. • CGI: programming CGI with security in mind by W3org, a compilation and an index for CGI security resources, SSI and CGI security, • ASP vulnerabilities: HTML and programming in the same directory, dot bug, samples (showcode and codebrws). See Microsoft ASP Security. • Web vulnerability scanners are available for UNIX/Linux: Nikto and Whisker. • Buffer Overflows: (i) PHP security, (ii) do not use the wwwcount.cgi, and (iii) IIS iishack vulnerability (use MSBA to find patches). • Poor Web design • Misuse of hidden tags (price, shipping, etc), e.g. search “type=hidden name=price” • SSI: noExecs, pre-processing for hidden code.

3. Hacking the Internet user:Malicious mobile code • Microsoft ActiveX (Active X controls have the file extension.ocx) • similar to OLE let an object be embedded in a page using the <object> tag • When IE finds a page with a control, it checks the Registry to find out if the control is available, if it is IE displays the page and runs the control • If it is not, IE uses Authenticode to check the author (Verisign role) and download the control. Finally IE displays the page and runs the control • “Safe for Scripting”: Authenticode is not used with these controls, malicious Web sites may explore as a vulnerability. Easy to mark as such. Countermeasures: • apply patches for Scriptlet/Eyedog and OUA (Office 2000 UA). • Set macro protection to High in Tool/Macro menu in Office. • restrict or disable ActiveX, using security zones • Using security zones: IE has five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites, and My Computer. • Internet zone: disable ActiveX controls, enable per-session cookies and file download, and set scripting to prompt. • Trusted Sites: assign medium security and add sites you can trust to run ActiveX controls, e.g. Microsoft sites.

4. Hacking the Internet user:Malicious mobile code • Java basic security: (a) strong typing enforced at compile and execution time, (b) built in JVM bytecode verifier controls memory space (buffer overflows are difficult to happen), (c) no memory pointers (making difficult to insert commands in running code), (d) security manager (control access to computer resources), and (e) code signing similar to Authenticode. Recommendations: update and use security zones. • JavaScript: most frequently used client-side scripting. MS executes JavaScript using Active Scripting. Again use security zones to restrict the use of JavaScript. • Beware of the “cookie monster”: cookies can be per session or persistent. • Settings in Firefox and Internet Explorer .(IE 7 ) • Cookie sniffing: capturing cookies using packet sniffing tools (SpyNet/PeepNet). • Countermeasures: Cookie cutters, Firefox and IE cookie controls. • IE HTML frame vulnerabilities. TheIE's cross-domain security model(a domain is a security boundary - any open windows within the same domain can interact with each other, but windows from different domains cannot). • IFRAME ExecCommand: iframe is a IE tag to create a floating frame on the middle of a nonframed page. A hacker wrote a JavaScript to read a local file. • Countermeasure in IE: Tools, security, disable Navigate sub-frames across different domains.

5. Hacking the Internet user:E-mail hacking • basics: (i)create a text file using the correct MIME syntax, (ii) usenetcat to send the message to an open relay SMTP server, (iii) check the results. Using mpack we can include an attachment . If mail server requires authentication this hack fails, therefore you should use Sam Spade to check server first. • disable Java, JavaScript and ActiveX in Mail, e.g. Thunderbird. • executing code through e-mail: block all emails that have attachments with the extensions .scr,.pif, zip, • Outlook Express: “book worms:” Melissa, ILOVEYOU (see book), Nimda, CodeRed, etc, access OE address book and mail themselves to all entries. More recent versions use as subject and content parts of messages sent or received. Use Microsoft patch. Countermeasure: OE 2003 and above: Tools, Options, Read, Read All messages as Plain Text. • File attachment attacks: scrap files (.shs and .shb), Long file names in attachments should be blocked by anti-virus, or server filtering. Save As in Excel/PowerPoint, and be aware of OE use of the TEMP directory.

6. Hacking the Internet user: other • SSL : overview, use the 128-bit encryption (most countries now). Potential fraud: bypassing the certificate validation. Click on lock to see certificate. • IRC hacking: not only message exchange, but also file exchange. Users connect to a reflector (BNC, IRC Bouncer or proxy server), making the tracing of IRC users fruitless (a plus for hackers), all you get is the BNC IP. • DCC Send and Get connect directly two IRC users and allow file exchange, what makes easy to an user or worm infected user to distribute malicious code. • Countermeasure: if you need to use IRC, run anti-virus on the directory you selected as default for DCC downloads , and read more about IRC security. • Napster hacking: as a distributed file-sharing network, it has the potential to distribute Trojans, viruses, disguised as MP3 audio files. Napster checks headers and frames to see if the files are MP3 files, but Wrapster disguise files as MP3. Similar services may also be vulnerable. • Global countermeasures • keep Antivirus signatures updated (at least twice a month). • firewalls and traffic scanners (e.g. Vital Security™ Web Appliance).