ECOM 6031

Content
Review of World Wide Web Case of Facebook CSRF ((4) threats from server to client) Case of Java Signed Applet Protection ((4) threats from server to client) A Short Review of SSL (with ref to root cert) Case of Captcha (protection of : (3) Threats via Client to Server) Case of SQL injection ( (3) Threats via Client to Server) SQL injection Summary

Fundamentals of e-Commerce Security

(Dr KP Chow, Dr Lucas Hui)

Lecture 2: Web Browser and Web Server Security

Dr Lucas Hui (CYC307, 28592190, hui@cs.hku.hk)

1 2

Discussion Question
What kind of company data you can allow your employee to access the company Intranet through ____ ?
1. 2. 3. 4. at office at home using a fixed PC at home using a laptop at an oversea cyber-caf using a laptop

3

Review of Internet Technology (History)

In early 1960s, US Dept of Defense (DoD) started research in networking computers, developed a multiple channel network In 1972, E-mail was born In 1980s, PC became popular, leaded to PC networks US National Science Foundation (NSF) funded network services in 1980s In 1987, Hong Kong is connected to Internet (via HARNET : Hong Kong Academic and Research Network, set up by HKU) In 1991, NSF further eased its restriction on Internet commercial activities Privatization of Internet was substantially completed in 1995. Internet service providers (ISPs) sell Internet access rights directly to customers Note: Internet is (close to) free, provide global connectivity
4

Can you suggest some protection strategy that can make you feel safe?

Internet Definition - FNC

On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet. This definition was developed in consultation with the leadership of the Internet and Intellectual Property Rights (IPR) Communities. RESOLUTION: The Federal Networking Council (FNC) agrees that the following language reflects our definition of the term "Internet". "Internet" refers to the global information system that -(i) is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons; (ii) is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/followons, and/or other IP-compatible protocols; and (iii) provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein."
5

Early Internet Initiative in Hong Kong: HARNET

Network Technology
Use TCP/IP protocol TCP: Transmission Control Protocol Controls the assembly of a message into smaller packets before it is transmitted over the Internet IP: Internet Protocol Includes rules for routing individual data packets from their source to their destination IP Address Internet addr. are based on a 32-bit no. called an IP address. IP addr. is a series of up to 4 separate no. (e.g 147.204.89.56) that uniquely identifies a computer connected to the Internet. Management of IP addr. (static, mobile, NAT (Network-Address Translation)) an important issue for higher level applications

Domain Names
IP address difficult to remember Domain names Sets of words assigned to specific IP addresses Example: www.hku.hk Contains three parts separated by periods Top-level domain (TLD): rightmost part Generic top-level domains (gTLDs) (e.g. .edu .com) Sponsored top-level domains (sTLD) (e.g. .aero sponsored by SITA) Internet Corporation for Assigned Names and Numbers (ICANN) Responsibility: managing non-sTLD
8

Internet (rough idea)

Internet Backbone Router

LAN

Client/Server Relation using Static Pages

Router

Mobile phone network

Server LAN ADSL connection

Internet
(1) http request

LAN

WAN

(Internet part)

Base station LAN Boardband router Wireless network access pt (Intranet part)

(2) http response

Web Server software Server

10

Client (Browser)
Hand phone Personal Computer Smart card reader PDA Laptop

Static HTML pages with text, pictures, etc

Selection of Technologies in Web Server

(1) Static web page simple to implement, easy to estimate data transfer time (2) Dynamic pages - Server side code execution Reduce server side page storage, may overload the system when number of requests is huge (3) Dynamic pages Client side code execution Low server burden (both CPU cycle and DB storage), but may have incompatibility issues for some clients (4) Dynamic pages both Server/Client side code execution Most flexible, can carry out a lot of business logic, web access data analysis, and personalization. However, very complicate to implement
11

Properties of Web Technology (important for e-commerce)

Thin Client / Thick Server http model Need to instruct the client browser to execute client-side program codes Installation of client-side software component is extremely unfavorable Now (2011) it is a bit different (e.g. AJAX) Worldwide connection (7 days, 24 hours) Universal readership (independent of client machines and browsers) A difficult problem for m-commerce using intelligent device (e.g. iPhone, SmartGrid meters) of which the bandwidth, screen size, and client processing power is constrained Infrastructure is free http connections are sessionless C S: request, followed by S C: response Security is not an emphasis! (This is our problem)
12

Just Some e-Crime Cases

Targeted Trojans (Trojan horse programs built to attack a certain targets vulnerabilities) are distributed via marketing CDs in cases related to some Israeli companies Targeted Trojans spread via email is design to attack the e-gold company using the hidden session attack A payroll company potentially exposed > 25,000 customers private info due to process breakdown In 2002, a credit reporting company reported that 13,000 customer records were stolen using an authorization code belonging to Ford Motor Company (insider problem) A keylogger is downloaded from a phishing site, then waited until the user accessed an online banking application and forwarded the keystrokes to a malicious Web site. Credit card info are stolen since data that should have been discarded are being stored for troubleshooting purposes in an unencrypted format. And others

Threats for E-Com (by purposes)

Against random hacking Viruses Port-scanning (for free services) Hacking (e.g as a zombie in a DDOS attack) Against Targeted attack Stealing of company/customer info Disruption of services (e.g. DDOS attack) Faked transactions (e.g. illegal e-banking activities) Damages on purpose (e.g. ex-employee, information warfare) Targeted attack is the important issue
14

13

E-Com Security Problems

Internet Backbone Router

Threats for E-Com

LAN

Client (no/low security control) Communication channel (Internet : an unprotected/unreliable free network) Servers (more controllable)
Machines (Servers/DB) Employees Data (Customer info)

Router

Mobile phone network

Server

ADSL connection Base station Boardband router

LAN

WAN

LAN LAN

Fraud (Cheating, related to non-repudiation issues)

Stealing of a valid user account password
15
Hand phone

Wireless network access pt

Personal Computer

Smart card reader

PDA

Laptop

16

Web Security problems status (2011)

Internet Backbone Router

Danger in Client
LAN

Communication link problem is (kind of) solved Secure Channel technology like SSL E-commerce fraud: Technically valid transactions A user cheats another Logging of evidence is the key idea Proofing of evidence (Computer Forensics) is an important current issue! Client-side (Browser) and Server-side are still big big problem Client and Server will affect each other (1) Direct Threats to Client (Trojan horse, key logger, etc) (2) Direct Threats to Server (port scanning, intrusion, hacking) (3) Threats from Client to Server (through a valid web session) (4) Threats from Server to Client (through a valid web session)
17

Router

Client-side problems
System patches not updated (attacking virus) Opening emails with malicious attachments Running untrusted programs from floppy, USB drives Visiting Malicious web pages (e.g. Phishing site, hidden IFRAME in forums) Social Engineering (leaking passwords)

LAN

WAN

LAN LAN

Server

Wireless network access pt

Keyloggers, spyware, Laptop PDA backdoors, virus, etc

18

Case of Facebook: CSRF

CSRF (Cross Site Request Forgery) Belonging to: (4) Threats from Server to Client) General Key idea:
After Client authenticated to a Server, the authentication info is stored in client (usually as cookie) (e.g. user login bank website) By attracting/cheating the user to click a malicious link, user will visit the hacker site, to let the hacker site do the following: Hacker site to create a faked request, and let the user to send the faked request to the Server, to carry out a faked

Case of Facebook: CSRF (2)

Facebook case Key idea:
After Client authenticated to Facebook, the authentication info is stored in client (usually as cookie) (e.g. user login bank website) By attracting/cheating the user to click a malicious link, user will visit the hacker site, to let the hacker site do the following: Hacker site to create a faked request, and let the user to send the faked request to Facebook, run an evil app (again at the hacker site) that steals Facebook info from the user account.

transaction (like money transfer) Very suitable for target attack! (e.g. stealing from a ebank account) Lesson to learn: your authentication history may be harmful to you, if you visit a hacker site afterward!
19

A detailed report on (Reference F1) http://blog.quaji.com/2009/08/facebook-csrf-attack-fulldisclosure.html

20

Recall: session using cookies as authentication info stored in Client PC

Browser Server

CSRF framework (Cross Site Request Forgery)

Victim Site (4)Faked requestwithdo illegal commands,just likeuserhad authentication doneproperly!

UserVictim (cookiewith auth.Info) Cookie as auth. info HackerSite

21

22

Case of Java Signed Applet Protection

The Facebook special CSRF case

From reference F1: detailed report on http://blog.quaji.com/ 2009/08/facebookcsrf-attack-fulldisclosure.html

Recall: Client Side Security is difficult!! One client can interact with many E-com servers
Potential problem : information from E-com sites can be stolen from cookies in a client machine)

More serious problem : Active Content

Programs embedded in Web pages E.g. Java applets, ActiveX controls, Javascripts, VBSscripts Attracts Trojan Horse, Virus, Malicious cookie, zombie (a program secretly takes over the computer)

Other means : email attachments, reading email from browsers, screen savers, installation of free software, etc. Protection means : anti-virus software, user education, better user protection environment (e.g. signed applets)
24

23

Java Signed Applet key issue

There is a program (or a piece of code) sent from the Web server to the client (i.e. the browser) Can I have an easy Yes/No test to decide whether the program is safe to run or not? The PKI (Public Key Infrastructure) and the Browser technology provides one such solution !!! Of course : Is this solution good or not? Lets see it usage and limitation

The Signed Applet Example

Signed Applet - Java Applet with digital signature Treat the Applet as a document from Server to Client The Applet will have an extra document, called a digital signed attached to it. The Applet + digital_signature is a Signed Applet When Server creates this Applet, server will put in this digital_signature as well Only the Server (which holds a private key) can create this digital_signature Client will verify the digital signature If the verification process is ok, Client will allow the Applet to execute Result: only Applet from verifiable server will be executed 26

25

The Signed Applet Technology

What is the technology that the client used, to verify a signed Applet? - Public Key Cryptography Server, will create the digital_signature using the servers private key usually stored in a hardware token in the server machine Client, will verify the digital signature, using the servers public key. This public key is stored in a data structure called Public Key Certificate The Public Key Certificate of the Server will be sent from Server to Client when the Applet is loaded, or in some previous connections Client, using some Root Cert + the servers Public Key Cert + the Signed Applet, can perform the verification
27

Public Key Certificate in IE

28

Root Certificates in IE (A lot!)

Review of Public Key Crypto-system (PKC)

A has public key Apub, & corresponding private key Aprv From Apub, almost impossible to find Aprv Apub is known to all; Aprv is secret to A

A: M

Aprv Aprv

Apub Apub

C
Apub Aprv

M
29

C'

M
30

Relationship with CA

Public key System Properties

Xpub(Xprv(M)) = Xprv(Xpub(M)) = M Mathematically, given the private key, it is extremely difficult to find the public key Security strength always depends on key length Can be used in digital signature, encryption, and other advanced usage Data Encryption : A sends a confidential message M to B A sends Bpub(M) to B, B decrypts with Bprv Digital Signature: A sends a signed message M to B A sends Aprv(M) to B, B decrypts with Apub Encryption and signature can be used together
31 32

Use of Digital Signature

Different Digital Signatures Schemes by Public key systems

A sends M to B A sends Aprv(M), M to B A sends Aprv(H(M)), M to B A sends Aprv(H(M)), Bpub(M) to B (sign and encrypt) A sends Aprv(H(M)), Bpub(K), Ek(M) to B (K is a block cipher key to act as a session key, Ek is the block cipher encryption) The last two versions are more popular. For simplicity, we can assume the last version is used.

33

34

Public Key Certificate (PKC)

Problems in Public Key Cryptography Private key : users have to keep in secret Public key : make sure everyone can get a correct copy (solution: store in a Public Key Certificate) Certification Authorithy (CA) : a trusted third party (e.g. Hong Kong Post CA, VeriSign) Says I, as the CA, certified that Bs public key value is 136., digitally signed by me, the CA Needs CAs public key to verify correctness of Bs PKC (where to find CAs public key?)

Public Key Certificate Concept

Z knows public key of Mr. CA is 1234 Q: User Z wants to know the public key value of Bob:Administrative assumption: Everyone knows Mr. CAs public key value Technical assumption: If you get the public key of X, you can verify all documents digitally signed by X. If Z gets:
Adams public key is 3456 CAs value is 1234
Signed by CA Signed by Mr. CA

And
Bobs public key is 7890
Signed by Adam

Bpub

Signing

Bpub

B's Public Key Certificate

CA_Sig

CAprv
35

He will know Bobs public key

36

How the Root Certs are used?

Server (S1) S1 has a Cert of S1, issued by Big Brother B1

During Authentication (e.g. signed Applet)

Server (S1) S1 has a Cert of S1, issued by Big Brother B1

Root Cert - cert. of Big Brother CA)

Root Cert - cert. of Big Brother CA)

(1) Cert of S1 is loaded to Browser

B1

Browser

37

Browser

38

During Authentication (e.g. signed Applet)

Server (S1) S1 has a Cert of S1, issued by Big Brother B1

During Authentication (e.g. signed Applet)

Server (S1) S1 has a Cert of S1, issued by Big Brother B1

Root Cert - cert. of Big Brother CA)

(2) B1 verifies S1 B1 is my customer, Trust him! B1

Root Cert - cert. of Big Brother CA)

(3) S1s applet can be executed in browser. User is shown a Yes answer (and S1s cert details) B1 is my customer, Trust him! B1

Browser

39

Browser

40

If S1 is not a valid client of a Big Brother

Server (S1)

Summary of Signed Applet technology

In your browser: an automated process, using PKI technology, will give you a Y/N answer, deciding whether a signed applet is a good program to execute or not Yes means:
The Web server (S1) providing the signed applet, is one valid customer of one of the Root Certification Authorities. So S1 is a good guy, and your PC or browser can execute this signed applet But you have to look into the certificate details to see exactly who S1 is!

Root Cert - cert. of Big Brother CA)

In case no Big Brother knows S1, the user will be prompted to see whether he trusted S1 or not

No means:
? ? ? ? Browser
41

The Web server (S1) providing the signed applet, is not a valid customer of anyone of the Root Certification Authorities. The browser let you decide whether to execute the signed applet or not.

Key issue: Is this situation perfect? How to improve it?

42

A Short Review of SSL

Recall: Client only talks to a Server (S1) that can be verified by a Root Cert owned by the client! In our business model, it means:
The Web server (S1) that can establish https session with client, is one valid customer of one of the Root Certification Authorities. So S1 is a good guy, and your PC or browser can establish https session with S1! But you have to look into the certificate details to see exactly who S1 is!

SSL Mixed Content problem

What does this mean?

43

44

SSL Mixed Content problem (2)

SSL Protection
SSL provides secure encryption in the two points (browser and server). No intermediate routers, processes can see the content Limitation: the two endpoints can still leak information Discussion Question: what is the protection provided by SSL to a company?
What are the values to customer access? What are the values for employee access? Is SSL necessary? Is SSL sufficient?

The risk: data unprotected by SSL may be seen by intermediate routers. In many cases this is still safe. BUT: attack code in non-SSL data can be dangerous!!

45

46

Case of CAPTCHA
CAPTCHA
Completely Automated Public Turing test to tell Computers and Humans Apart

Automatically generate challenges which intends to:

Provide a problem easy enough for all humans to solve. The problem cannot be solved by a computer program currently, unless it is specially designed to circumvent specific CAPTCHA systems. Eg. a human user can read distorted text while bots cannot
47

CAPTCHA is usually used to protect websites against bots which abuse the websites and is usually placed:
At a login form to prevent dictionary attack Before account registration Before showing an e-mail on a personal website to avoid spammers getting your email address when they crawl the web to look for valid e-mail addresses Etc
48

Eg: reCAPTCHA
Googles project (http://www.google.com/recaptcha)
A plugin as a web service Only need to add a few lines of code to your website to embed it

Eg: reCAPTCHA (cont.)

Idea:
Digitizing physical books that were written before the computer age. Each word that cannot be read correctly by "Optical Character Recognition" (OCR) is placed on an image and used as a CAPTCHA.

49

50

Alternative implementations
Rely on visual perception (more than distorted text):
identifying an object that does not belong in a particular set of objects. locating the center of a distorted image. identifying distorted shapes. 3D captcha, Etc.

Cases
D-Link adds CAPTCHA to home routers The new CAPTCHA system will be particularly useful to thwart malicious attacks that target default passwords on routers to alter DNS records to hijack all future connections. http://www.zdnet.com/blog/security/d-link-adds-captcha-to-homerouters/3365?tag=content;search-results-rivers Gmail, Yahoo and Hotmail systematically abused by spammers The MessageLabs Intelligence annual report for 2008 indicates that on average, 12 percent of the spam volume that they were monitoring in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, followed by its Septs peak of 25%. Vendors cite machine learning CAPTCHA breaking techniques as the cause of it, some doubt they actually outsource account registration process to human CAPTCHA solvers. http://www.zdnet.com/blog/security/gmail-yahoo-and-hotmailsystematically-abused-byspammers/2293?tag=content;search52 results-rivers

Provide an audio version of the CAPTCHA for accessibility reasons

51

Attack
Technical attack: Microsoft's CAPTCHA successfully broken (May 31, 2008)
A research paper entitled A Low-cost Attack on a Microsoft CAPTCHA published the attack. Microsoft's CAPTCHA scheme was designed to be segmentationresistant. However, the attackers simple attack has achieved a segmentation success rate of higher than 90% against this scheme. They show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks, and it is not a trivial task to design a CAPTCHA scheme that is both usable and robust. http://www.zdnet.com/blog/security/microsofts-captcha-successfullybroken/1232

Case of SQL injection attack

Browser attacks Server Steps:
I. Send malicious input to server II. Input bad checking leads to malicious SQL query

One kind of Code injection attack

Whenever we are running a program (instead of showing a data) there is a problem
Buffer-overflow attack : breaking the programming language computation model PHP : the eval SQL : the execute
54

Human attack: some companies will provide a plug-in for your program
When you program sees a Captcha request, the picture will send to the company, and the company will have a group of human being to answer for you.

53

Code injection attacks

Method: executing arbitrary code on the server Example
code injection based on eval (PHP) http://site.com/calc.php (server side calculator)
attacker

SQL injection attack

Post malicious form unintended SQL query

Web Server

Database

$in = $_GET[exp']; eval('$ans = ' . $in . ';');

receive valuable data

Attack: http://site.com/calc.php?exp= 10; system(rm *.*)

(URL encoded)
55 56

Example: buggy login page

Suppose
set ok = execute( "SELECT * FROM Users WHERE user=' " & form(user) & " ' AND pwd=' " & form(pwd) & ' ); if not ok.EOF login success else fail;
encoded)

Bad input
user = ' or 1=1 --
(URL

Then scripts does:

ok = execute( SELECT WHERE user= ' ' or 1=1 -- )

The -- causes rest of line to be ignored. Now ok.EOF is always false and login succeeds.

Is this exploitable?
57

The bad news: way.

easy login to many sites this

58

April 2008 SQL Vulnerabilities

Summary: Some other attacks

XSS Cross-site scripting Hacker web site sends client a script that steals information from an honest web site. Server attacks Client to attack Server Use malicious web pages (those with scripts) Quite a mature technique, yet very significant http://www.xssed.com/archive Phishing A mature and low-tech attack, yet very active http://www.penn-olson.com/2011/01/17/china-phishing/ Discussion Question With so many attacks being feasible, should we encrypt the data stored in Server (or in Client), so that even if the system is being hacked, the data will not leak? If so, what company data should be encrypted? How?
60

59