Web Security Goals
Users want to safely browse the web:
No theft
No eavesdropping
Assurance of who/what you're communicating with
Three attack vectors against a browser
1) Go after the OS so that it impedes the browser's correct and secure functioning
2) Attack the browser or one of its components, add-ons, or plug-ins so that its activity is altered
3) Intercept or modify communication to or from the browser
Browser Attack Types
Man-in-the-browser
Keystroke logger
Page-in-the-middle
Program download substitution
User-in-the-middle
Man-in-the-browser
Trojan horse that intercepts data passing through the browser
Keystroke logger
hardware or software that records all keystrokes entered
Page-in-the-Middle
User is directed to a different page than believed or intended
Program Download Substitution
Attacker creates a page with seemingly innocuous and desirable programs for download
User-in-the-Middle
Using click-bait to trick users into solving CAPTCHAs on spammers' behalf
Authentication is vulnerable at these points
Usability and accuracy
computer-to-computer interaction
Malicious software
Each side of computer interchange needs assurance of authentic identity
shared secret
something only the two entities on the end should know
one time password
Good for only one use. To use it, the two end parties need to have a shared secret list of passwords.
Out-of-band communication
Transferring one fact along a communication path separate from the path used for another fact.
website defacement
an attacker replaces or modifies the content of a legitimate web site.
fake website
The attacker gets all the images a real site uses
Protecting web sites against change
Integrity checksums
signed code or data
Malicious web content
substitute content on a real web site
web bug
Clickjacking
Drive-by-download
web bug
tiny action points that can report page traversal patterns to central collecting points
clickjacking
Tricking a user into clicking a link by disguising what the link points to
Drive-By-Download
Attack in which code is downloaded, installed, and executed on a computer without the user's permission
T/F Access control accomplishes separation, keeping two classes of things apart
True
Cross-Site Scripting (XSS)
executable code is included in the interaction between client and server and executed by the client or server.
persistent cross-site scripting attack
Server interprets and executes the script, or saves the script and returns it to other clients
SQL Injection
inserting code into an exchange between a client and a database server
Server-side include
takes advantage of the fact that web pages can be organized to invoke a particular function automatically.
pump and dump
A trader pumps, i.e. artificially inflates, the stock price through rumors and a surge in activity, then dumps it when the price gets high enough.
Screeners
tools to automatically identify and quarantine or delete spam.
Volume limitations
limit the volume of a single sender or single email system.
Postage
A small charge for each email message sent
Phishing
An email message that tries to trick the recipient into disclosing private data or taking another unsafe action.
spear phishing
Tempts recipients by seeming to come from sources the receiver knows and trusts.
PGP (Pretty Good Privacy)
A key-based encryption system for e-mail that uses a two-step verification process.
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Performs security transformations very similar to those of PGP
Difference between PGP and S/MIME
Method of key exchange. Basic PGP depends on each user exchanging keys with all potential recipients and establishing trusted recipients. S/MIME uses hierarchically validated certificates.