IT Security

Activities
◇ discussions
◇ group reporting
◇ video clip
◇ short quiz

Ref: Computer Security, MIT OCW, tutorialspoint

http://www.autorunremover.com/what-is-autorun-inf.html
 security
Achieving some goals in the
presence of adversary

http://www.electronic-information.info/wp-content/uploads/2012/12/introduction-to-computer-security.jpg
 IT Security

Many systems are connected to the Internet, which

has adversaries. Thus, design of many systems
might need to address security, i.e. will the
system work when there's an adversary?

◇ Policy: the goal you want to achieve. e.g.

only Alice should read file F.
◇ Common goals: confidentiality, integrity,
availability.
 IT Security
◇ Threat model: assumptions about what the
attacker could do. e.g. can guess passwords,
cannot physically grab file server. Better to
err on the side of assuming attacker can do
something.
◇ Mechanism: knobs that your system provides
to help uphold policy. e.g. user accounts,
passwords, file permissions, encryption
◇ Resulting goal: no way for adversary within
threat model to violate policy. Note that
goal has nothing to say about mechanism.
 IT Security
Why is security hard? Negative goal.

◇ Need to guarantee policy, assuming the threat model.

◇ Difficult to think of all possible ways that attacker
might break in.
◇ Realistic threat models are open-ended (almost negative
models).
◇ Contrast: easy to check whether a positive goal is
upheld, e.g. Alice can actually read file F.
◇ Weakest link matters.
◇ Iterative process: design, update threat model as
necessary, etc.
 IT Security
What's the point if we can't achieve perfect
security?

◇ Each system will likely have some breaking

point leading to compromise.
◇ Doesn't necessarily mean the system is not
useful: depends on context.
◇ Important to understand what a system can
do, and what a system cannot.
 IT Security

In reality, must manage security risk vs.

benefit.
◇ More secure systems means less risk (or
consequence)of some compromises.
◇ Insecure system may require manual auditing
to check for attacks, etc.
Web Security Model
 Web Security

What is the web? In the old days,

it was a simple client/server
architecture (client was your web
browser, server was a machine on
the network that could deliver
static text and images to your
browser).
 Web Security

◇ In the old days, the server-side was much

more complex than the client-side: browsers
didn't support rich interactivity, but the
server might interface with databases,other
servers, etc.
◇ Because the server was so much more
complicated, "web security" focused on the
server-side. Up to this point, this class
has largely focused on the server-side as
well (e.g., buffer overflows on web
servers, privilege separation in the OKWS
server).
 Web Security

◇ The web has changed: now the browser is very

complicated.
◇ JavaScript: Allows a page to execute client-side code.
◇ DOM model Provides a JavaScript interface to the page's
HTML, allowing the page to add/remove tags, change
their styling, etc.
◇ XMLHttpRequests (AJAX): Asynchronous HTTP requests.
◇ Web sockets: Full-duplex client-server communication
over TCP.
◇ Web workers: Multi-threading support.
◇ Multimedia support: , web cams, screen-sharing. •
Geolocation: Browser can determine your location by
examining GPS units. Firefox can also locate you by
passing your WiFi information to the Google Location
Service. •
Web Security
Web Security
 Web Security

Can the JavaScript code of each frame

manipulate, process or interact with the other
objects of other frames?

Browsers use a security model called

same-origin policy

Basic strategy of same-origin policy: The

browsers assign an origin to every resource in
a page, including JavaScript libraries.
JavaScript code can only access resources that
belong to the same origin.
 Web Security

Developers should be able to create mash up

websites that combine content from mutually
cooperative websites
e.g. A site that combines Google maps with real
estate data
e.g. Social media Facebook “Like” button
 Web Security

◇ The Google analytics script and the jQuery script can

access all the resources belonging to foo.com
◇ JavaScript code in the Facebook frame has no access to
resources in the foo.com frame, because the two frames
have different origins. The two frames can only talk via
postMessage(), a JavaScript API that allows domains to
exchange immutable strings.
◇ JavaScript code in the Facebook frame cannot issue
XMLHttpRequest to foo.com's server
◇ However, the Facebook frame can import scripts, CSS, or
images from foo.com(Although that content can only
update the Facebook frame, since the content inherits
the authority of the Facebook origin, not foo.com
origin)
◇ The browser checks the type of ad.gif, determines that
ad.gif is an image, and concludes that the image should
receive no authority at all.
 Web Security

An HTTP cookie (also called web cookie,

Internet cookie, browser cookie or simply
cookie), is a small piece of data sent from a
website and stored in the user's web browser
while the user is browsing it. Every time the
user loads the website, the browser sends the
cookie back to the server to notify the user's
previous activity. (Wikipedia.org)
 Web Security

When generating an HTTP request, the browser

sends all the matching cookies in the request.
JavaScript code can access cookies that match
the same origin.
Protocol matters. HTTP JavaScript cannot access
HTTPS cookie
 Web Security

Why is it important to protect cookie from

arbitrary overwriting?
If an attacker controls a cookie, the attacker
can force the user to use an account that's
controlled by an attacker.

Ex. By controlling a Gmail cookie, an attacker

can redirect a user to an attacker controlled
account and ready any emails that are sent from
that account.
 Web Security

When the browser generates an HTTP request, it

automatically includes the relevant cookies.
What happens if the browser creates a frame
with a URL like this?
http://bank.com/xfer?amount=500&to=attackeraccount

What about the pixels on a screen?

They don't have an origin! A frame can draw
anywhere within its bounding box.
Problem: A parent frame can overlay content
atop the pixels of its child frames.
 Web Security

Names can be used as an attack vector!

IDN: internationalized domain names(non-latin
letters).
Supporting more languages is good, but now, it can be
difficult for users to distinguish two domain names
from each other.
Ex. Cyrillic "C" character looks like the Latin "C"
character! So, an attacker can buy a domain like
"cats.com"(with a Cyrillic "C") and trick users who
thought that they were going to "cats.com" (Latin "C")
Browser vendors thought registrars will prohibit
ambiguous names.
 Web Security

HTML5 introduces a new screen-sharing API: Once the

user gives permission, a site can capture the entire
visible screen area and transmit it back to the site's
origin.
So, if an attacker page can convince the user to grant
screen-sharing permission, the attacker page can open
an iframe to a sensitive site and capture the screen
contents!
The iframe will send cookies, so the user will
automatically be logged in, allowing the attacker to
see "real" information, not boring login page stuff.
 Web Security

The browser security model is obviously a mess. It's

very complex and contains a lot of subtleties and
inconsistencies.
Q: Why not rewrite the security model from scratch?
A1: Backwards compatibility! There's a huge amount of
pre-existing web infrastructure that people rely on.
A2: How do we know that a new security model would be
expressive enough? Users typically do not accept a
reduction of features in exchange for an increase in
security.
A3: Any security model may be intrinsically
doomed---perhaps all popular systems are destined to
accumulate a ton of features as time progresses.
Security Web App
 Securing Web App

SQL injection attacks

Suppose that the application needs to issue SQL query
based on user input:
query = “SELECT * FROM table WHERE userid=”+userid
What if attacker supplies:
“135 OR 1=1;”
“0; DELETE FROM table;”
Solution: Unambiguous encode data like replace ‘ with
\’
Django defines a query abstraction layer which sits
atop SQL and allows applications to avoid writing raw
SQL
 Securing Web App

You can also run into problems if untrusted entities

can supply filenames.
Ex. Suppose that a web server reads files based on
user-supplied parameters.
open(“/www/images/”+filename)
Problem: filename might look like this:
../../../../etc/passwd
As with SQL injection, the server must sanitize the
user input: the server must reject file names with
slashes, or encode the slashes in some way
 Securing Web App

When developing a web app, it is more advisable

to use a web framework like Django.
Django developers have put some amount of
thought into security. So Django is a good case
study to see how people implement web security
in practice
 Case Study:
User password
http://www.guanotronic.com/~serge/papers/chi13b.pdf
 Malicious software

Malicious software (malware) is any

software that gives partial to full
control of the system to the
attacker/malware creator.
 Malicious software

◇ Viruses - Virus, a self inserting copies of itself

into other computer programs into data file or the
boot sector of the hard drive. Upon successful
replication, viruses cause harmful activity on
infected hosts such as stealing hard disk space or
CPU time.
 Malicious software

◇ Worms - A worm is a type of malware which leaves a

copy of itself in the memory of each computer in
its path.
 Malicious software

◇ Trojans - Trojan, non-self-replicating type of

malware that contains malicious code which upon
execution results in loss or theft of data or
possible system harm
 Malicious software

◇ Adware Adware also known as freeware or pitchware is a

free computer software that contains commercial
advertisements that include games, desktop toolbars and
utilities. It is a Web-based app and collects Web browser
data to target advertisements especially pop-ups.
 Malicious software
◇ Spyware - Spyware is infiltration software that
anonymously monitors users which enables a hacker to
obtain sensitive information from the user's computer.
Spyware exploits users and application vulnerabilities
that is quite often attached to free online software
downloads or to links that are clicked by users.
 Malicious software

◇ Root kit - A rootkit is a software used by a hacker to

gain admin level access to a computer/network which is
installed through a stolen password or by exploiting a
system vulnerability without the victim's knowledge.
 Cross-site request forgery

A CSRF attack forces an authenticated user(victim) to

send a forged HTTP request, including the victim's
session cookie to a vulnerable web application which
allows the attacker to force the victim's browser to
generate request such that the vulnerable app
perceives as legitimate requests from the victim.
 Autorun.inf
Autorun virus, as the name suggests it uses the Autorun.inf feature
in the Windows Os that is used for launching the programs that are
stored in the removable media such as DVDs, USB Devices, CD ROMs, as
well as Memory Sticks.
If there is autorun.inf virus in USB drive, each time you insert the
removable media and double-click your drives to open it, virus files
begin executing and infect your computer: which spreads itself onto
the computer by making the multiple copies of the autorun.inf and
.exe files on every drive of your computer.
When your computer is infected, viruses might clandestinely connect
to the malicious web site and install the keylogger on your PC. the
key logger steal all your private information like usernames,
account numbers, social security, passwords, credit card
information, as well as other sensitive information. It is thus very
important for you to remove the Autorun virus from computer
 Video clip

https://www.youtube.com/watch?v=F7pYHN9iC9I
 6 Groups
Topic 1: Certificate Authority, HTTPS vs HTTP
Topic 2: MD-Functions, SHA-Functions, How passwords are stored
Topic 3: Phishing, Spamming and how the email providers solve this
Topic 4: Ransomware
Topic 5: The Great Firewall of China
Topic 6: Denial of Service
Topic 1: Certificate Authority, HTTPS vs
HTTP
Topic 2: MD-Functions, SHA-Functions, How
passwords are stored
Topic 3: Phishing, Spamming and how the
email providers solve this (Group 3)
Topic 4: Ransomware (Group 2)
Topic 5: The Great Firewall of China (Group
1)
Topic 6: Denial of Service (Group 4)