Professional Documents
Culture Documents
Chapter 3
Protecting Systems
1
Objectives
2
Hardening the Operating System
3
Managing Operating System Updates
4
Managing Operating System Updates
(continued)
9
Manage patches locally instead of relying upon the vendors 10
Buffer Overflow Protection
• Buffer overflow
– Occurs when a process attempts to store data in
random access memory (RAM) beyond the
boundaries of a fixed-length storage buffer
– Extra data overflows into the adjacent memory
locations and under certain conditions may cause the
computer to stop functioning
• Attackers also use a buffer overflow in order to
compromise a computer
• Basic defenses
– Write “defensive” program code that will protect against
these attacks
– Use a programming language that makes these attacks
more difficult
• For Windows-based systems, there are two defenses
against buffer overflows
– Data execution prevention (DEP)
– Address space layout randomization (ASLR)
Client Server
21
Sheridan Institute of Technology and Advanced Learning
What else are cookies good for?
text
22
Sheridan Institute of Technology and Advanced Learning
Privacy levels
23
Sheridan Institute of Technology and Advanced Learning
To see or set your privacy levels
24
Sheridan Institute of Technology and Advanced Learning
How to see the levels on the Privacy tab
25
Sheridan Institute of Technology and Advanced Learning
Highest privacy level
26
Sheridan Institute of Technology and Advanced Learning
Lowest privacy level
It may not be
dangerous but
you may get more
Question: if I tracking cookies
select Accept than you want.
All Cookies is
that
dangerous?
27
Sheridan Institute of Technology and Advanced Learning
Pick one of these settings
28
Sheridan Institute of Technology and Advanced Learning
On a per site basis
• You can choose which sites to allow or block cookies
29
Sheridan Institute of Technology and Advanced Learning
More about cookies
30
Sheridan Institute of Technology and Advanced Learning
JavaScript
JavaScript is not Java, or even related to Java.
• Java applet
– A separate program stored on a Web server and
downloaded onto a user’s computer along with HTML code
– Can also be made into hostile ( خصم. )غير وديprograms
• ActiveX controls
– Also called add-ons or ActiveX applications
– Represent a specific way of implementing ActiveX
– Can perform many of the same functions of a Java applet, but do
not run in a sandbox
– Have full access to Windows operating system
• ActiveX poses a number of security concerns
41
ActiveX (continued)
• Nearly all ActiveX control security mechanisms are set in
Internet Explorer
• http://www.youtube.com/watch?v=wvKq3D71iYo
• http://www.youtube.com/watch?v =tI9gL4yjaTM
46
XSS-Attack: General Overview
Attacker Web Server
Post Forum Message: Did you know this?
Subject: GET Money for FREE !!! GET Money for FREE !!!
.....
Body: <script> attack code </script>
Re: Error message on startup
<script> attack code </script>
I found a solution!
.....
Can anybody help?
.....
Error message on startup
.....
Get /forum.jsp?fid=122&mid=2241
.....
4. Message scenarios!
is delivered by server Client
5. Browser executes script in message !!! attack code !!!
47
In other words :Cross-Site Scripting
• Attack:
– Steal Access Credentials, Denial-of-Service, Modify Web pages
– Execute any command at the client machine
XSS Solution
Input Validation
54
55
Hardening Web Servers
• Because of their open exposure, Web servers are prime
targets for attackers
• SQL injection
– One of the most common types of attacks
– Uses a form of injection like XSS
– Hinges on an attacker being able to enter an SQL database
query into a dynamic Web page
http://www.youtube.com/watch?v=0z1rt9Y-http://www.youtube.com/watch?
v=0z1rt9Y-ON0N0
Client
62
Quiz : What is an open email relay ?