
2013

WEB SECURITY

ABSTRACT
In this report Web security is discussed in detail. Some current issues related to web attacks across the world are discussed, and a few key points on cyber security are provided as a platform for an individual to learn more about the issues related to Web threats, which are growing fast nowadays.
YUSUPH KILEO 05/03/2013

YUSUPH KILEO

WEB SECURITY

Table of Contents
INTRODUCTION ... 2
WEB SECURITY THREAT ... 3
    INTEGRITY ... 3
    CONFIDENTIALITY ... 4
    DENIAL OF SERVICE (DoS) ... 4
    AUTHENTICATION ... 5
WEB SECURITY APPROACHES ... 6
    SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY ... 7
    SECURE ELECTRONIC TRANSACTION ... 13
CURRENT ISSUES ON WEB ATTACK ... 14
    SEVEN STEP CYBER SECURITY STRATEGY ... 17
CONCLUSION ... 18
REFERENCES ... 19

2014

Page 1


INTRODUCTION
Definition: The World Wide Web (WWW) can be defined as a client/server application running over the internet and over TCP/IP intranets. In order for an individual to access something that is available on the Web, he/she has to go through either the internet or an intranet. The benefits of the web in the current world may be obvious to Facebook users: the exchange of ideas, access to healthcare and education, the buying and selling of products and services, and keeping in touch with friends and family. However, there is a dark side to this global resource which stems from the misuse of information and communication technologies (ICTs), including cyberthreats and cybercrime. There are many cases in which websites have been reported as falling victim to cyber-attacks from various groups of people or individuals across countries every now and then. This is the dark side of the misuse of ICT to cause harm on the web, which includes stealing of money through online transactions, stealing of confidential information and many other bad acts. Based on this, it is highly advisable to look at web security issues so that an individual is able to know how to secure the web from various attacks. We should keep in mind that attacks cannot be completely avoided, but an individual can create mechanisms to prevent attacks and to harden the web so that it is not attacked easily.


WEB SECURITY THREAT


There are four main types of security threats that an individual can face while using the Web, named Integrity, Confidentiality, Authentication and Denial of Service (DoS). These threats can also be grouped into two classes, named Active attacks and Passive attacks. Definitions: Eavesdropping on network traffic between browser and server, and gaining access to information on a Web site that is supposed to be restricted, is known as a Passive Attack. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site.

INTEGRITY
Definition: Data/information transmitted through the internet, or computer assets, can only be modified (deleted, changed or created) by authorized users. Threats:

- Modification of user data
- Trojan horse browser
- Modification of memory
- Modification of message traffic in transit

Consequences:

- Loss of information
- Compromise of machine
- Vulnerability to all other threats

To protect/secure the web from the above threats, which lead to the multiple consequences seen above, a cryptographic checksum can be applied by the user as a countermeasure.
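As an added illustration (not part of the original report), the following Python shows why the checksum used as a countermeasure must be a keyed cryptographic checksum (a message authentication code) rather than a plain hash: against the "modification of message traffic in transit" threat listed above, a plain hash can simply be recomputed over the altered message, while an HMAC cannot be recomputed without the shared key. The message, the modification and the key are constructed for the example; the receiver-side checks are ordinary hashlib/hmac calls.

```python
import hashlib
import hmac
import secrets

# Constructed sample: an instruction sent from a browser to a server.
ORIGINAL = b"transfer amount=100 to=account-4711"
# The same message after an in-transit modification of the kind the threat list describes.
TAMPERED = b"transfer amount=100 to=account-9999"


def unkeyed_checksum(message: bytes) -> str:
    """Plain SHA-256 digest: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def keyed_checksum(key: bytes, message: bytes) -> str:
    """HMAC-SHA256: a cryptographic checksum that requires the shared key to compute."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_unkeyed(message: bytes, checksum: str) -> bool:
    """Receiver verifying a plain checksum: recompute and compare."""
    return hmac.compare_digest(unkeyed_checksum(message), checksum)


def receiver_accepts_keyed(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver verifying an HMAC tag with the shared key (constant-time comparison)."""
    return hmac.compare_digest(keyed_checksum(key, message), tag)


def simulate_unkeyed_transit() -> bool:
    """Sender attaches a plain checksum; the party altering the message just recomputes it."""
    recomputed = unkeyed_checksum(TAMPERED)
    return receiver_accepts_unkeyed(TAMPERED, recomputed)   # True: change goes unnoticed


def simulate_keyed_transit(key: bytes) -> bool:
    """Sender attaches an HMAC; without the key the old tag is all that can be forwarded."""
    tag = keyed_checksum(key, ORIGINAL)
    return receiver_accepts_keyed(key, TAMPERED, tag)       # False: change is detected


def run_demo() -> dict:
    """Run both scenarios with a fresh shared key (constructed, agreed out of band)."""
    key = secrets.token_bytes(32)
    return {
        "unkeyed_accepts_tampered": simulate_unkeyed_transit(),
        "keyed_accepts_tampered": simulate_keyed_transit(key),
        "keyed_accepts_original": receiver_accepts_keyed(key, ORIGINAL, keyed_checksum(key, ORIGINAL)),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The key point for the reader is the middle result: the tampered message is rejected only when the checksum depends on a secret the modifier does not hold. A plain hash still has a place (detecting accidental corruption), but it is not a countermeasure against an active attacker.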


CONFIDENTIALITY
Definition: Data in a computer system, and information transmitted through the web, can be accessed only by authorized users. This type of access includes reading, printing and others. Threats:

- Eavesdropping on the Net.
- Theft of info from server.
- Theft of data from client.
- Info about network configuration.
- Info about which client talks to server.

Consequences:

- Loss of information
- Loss of privacy

To protect/secure the web from the above threats, which lead to the multiple consequences seen above, encryption and web proxies can be applied by the user as a countermeasure.

DENIAL OF SERVICE (DoS)

Definition: A threat intending to make computer resources or web information on the internet unavailable to its intended users. Flooding of the network or disruption of connections are the most commonly used techniques to cause denial of service (DoS). When an attacker intends to cause denial of service (DoS), it is difficult to prevent. Threats:

- Killing of user threads
- Flooding the machine with bogus requests
- Filling up disk or memory
- Isolating the machine by DNS attacks

Consequences:

- Disruptive
- Annoying
- Prevents the user from getting work done.
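As an added example (not from the report), the following Python implements a defender-side check for the "flooding the machine with bogus requests" threat: a per-source sliding-window request counter run over web-server access-log lines, which reports any source whose request rate exceeded a threshold. The log lines, the window length and the threshold are constructed for the example; in practice the window and threshold would be tuned to the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

WINDOW = timedelta(seconds=10)   # sliding window length (constructed tuning value)
THRESHOLD = 50                   # requests per source per window before flagging (constructed)


def make_sample_log():
    """Constructed access-log sample: one normal client and one source flooding bogus requests."""
    base = datetime.strptime("04/Dec/2011:05:00:00 +0100", TS_FMT)
    lines = []
    for i in range(30):                                   # normal client: one request every 2 s
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /page{i} HTTP/1.1" 200 1024')
    for i in range(200):                                  # flood: 200 requests within 5 s
        ts = (base + timedelta(seconds=i // 40)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /?q={i} HTTP/1.1" 404 0')
    return lines


def parse_line(line):
    """Return (source_ip, timestamp), or None for a line that is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Per-source sliding-window request counter.

    Returns {source_ip: peak_requests_in_window} for every source whose request
    count inside one window exceeded the threshold. Unparseable lines are skipped.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for ip, n in detect_floods(make_sample_log()).items():
        print(f"flood suspect {ip}: {n} requests within {WINDOW.seconds} s")
```

Counting per source is the simplest useful signal for a single-origin flood; a distributed flood (the DDoS cases listed later in this report) shows up instead as an aggregate rate across many sources, so the same counter is normally run both per source and for the whole server.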

AUTHENTICATION
Definition: The origin of an electronic document, message or information transmitted over the web is correctly identified, with assurance that the identity is not false. Threats:

- Impersonation of legitimate users.
- Data forgery.

Consequences:

- Misrepresentation of a user.
- Belief that false information is valid.

To protect/secure the web from the above threats, which lead to the multiple consequences seen above, cryptographic techniques can be applied by the user as a countermeasure.


WEB SECURITY APPROACHES


Protocol Stack Definition: A protocol stack (protocol suite) is the group of protocols, running together, that are employed to implement a network.

There are a number of ways that an individual can utilize to provide security to the web. Each approach has its advantages depending on how the individual utilizes it. It should be kept in mind that these approaches differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack, as follows:-

i. Use IP security. The advantage of using IPsec is that it is transparent to end users and applications and provides a general-purpose solution. Further, IPsec includes a filtering capability so that only selected traffic need incur the overhead of IPsec processing.

ii. Implement security just above TCP. The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS). At this level, there are two implementation choices. For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications. Alternatively, SSL can be embedded in specific packages. For example, Netscape and Microsoft Explorer browsers come equipped with SSL, and most Web servers have implemented the protocol.

iii. Specific security services are embedded within the particular application. The advantage of this approach is that the service can be tailored to the specific needs of a given application. In the context of Web security, an important example of this approach is Secure Electronic Transaction (SET).

[Figure: the three placements within the TCP/IP stack. Network level: HTTP, FTP and SMTP over TCP over IP/IPsec. Transport level: HTTP, FTP and SMTP over SSL or TLS over TCP over IP. Application level: S/MIME, PGP, SET, Kerberos, HTTP and SMTP over UDP or TCP over IP.]

SECURE SOCKET LAYER AND TRANSPORT LAYER SECURITY


When discussing web security approaches in the earlier section (4.0), part ii introduced SSL and TLS, which can be implemented just above TCP. This is one of the approaches that can be used to secure websites. Here SSL and TLS are discussed in terms of their architecture, their protocols and the differences between them.

SSL Architecture: SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but rather two layers of protocols.

[Figure: the SSL protocol stack. Upper layer: SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and HTTP. Lower layer: SSL Record Protocol, over TCP, over IP.]

The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges and are examined later in this section. Two important SSL concepts are:

a. SSL Connection. A transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.

b. SSL Session. An association between a client and a server. It is created by the Handshake Protocol. Sessions define a set of cryptographic security parameters which can be shared among multiple connections. They are used to avoid the expensive negotiation of new security parameters for each connection.

A session state is defined by:
i. Session identifier
ii. Peer certificate
iii. Compression method
iv. Cipher spec
v. Master secret
vi. Is resumable
vii. Server and client random
viii. Client write MAC secret and server write MAC secret
ix. Server write key and client write key
x. Initialization vectors
xi. Sequence numbers

There are actually a number of states associated with each session. Once a session is established, there is a current operating state for both read and write (i.e., receive and send). In addition, during the Handshake Protocol, pending read and write states are created. Upon successful conclusion of the Handshake Protocol, the pending states become the current states.

SSL Record Protocol: The overall operation of the SSL Record Protocol is as follows. The Record Protocol takes an application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the resulting unit in a TCP segment. Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-level users.


The SSL Record Protocol provides two services for SSL connections:

- Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
- Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less. Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3 (as well as the current version of TLS), no compression algorithm is specified, so the default compression algorithm is null.

After these two steps, the computation of the message authentication code over the compressed data is performed. For this purpose, the shared secret key is used. (See the calculation definition below.)

hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment))


(See the elaboration below.)

||                      concatenation
MAC_write_secret        shared secret key
hash                    cryptographic hash algorithm; either MD5 or SHA-1
pad_1                   the byte 0x36 (0011 0110) repeated 48 times (384 bits) for MD5 and 40 times (320 bits) for SHA-1
pad_2                   the byte 0x5C (0101 1100) repeated 48 times for MD5 and 40 times for SHA-1
seq_num                 the sequence number for this message
SSLCompressed.type      the higher-level protocol used to process this fragment
SSLCompressed.length    the length of the compressed fragment
SSLCompressed.fragment  the compressed fragment (if compression is not used, the plaintext fragment)

Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048. The final step of SSL Record Protocol processing is to prepend a header, consisting of the following fields:

- Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
- Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.
- Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.
- Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used). The maximum value is 2^14 + 2048.
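The following Python is an added worked example, not code from the report or from any SSL implementation. It walks both sides of the Record Protocol as described in this section: fragmentation into blocks of at most 2^14 bytes, null compression, the SSLv3 MAC exactly as defined above (pad_1/pad_2 sized for MD5 or SHA-1, the 64-bit seq_num, the type, length and fragment), and the 5-byte header (content type, major version 3, minor version 0, length). The symmetric-encryption step is left out because the Python standard library has no block cipher, so the record body is shown as it stands just before encryption. The MAC secret, the message and the sequence numbers are the example's own inputs; the content-type value 23 is the SSL/TLS value for application data.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14             # 16384 bytes, the fragment limit given in the text
SSL_MAJOR, SSL_MINOR = 3, 0        # SSLv3 version bytes carried in the record header
APPLICATION_DATA = 23              # SSL/TLS content type for application data
PAD_LEN = {"md5": 48, "sha1": 40}  # repetitions of pad_1 / pad_2 from the MAC definition


def sslv3_mac(secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment))."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    inner = h(secret + pad_1 + struct.pack(">Q", seq_num)        # 64-bit sequence number
              + bytes([content_type]) + struct.pack(">H", len(fragment)) + fragment)
    return h(secret + pad_2 + inner)


def fragment(data):
    """Step 1: split an upper-layer message into blocks of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def build_records(data, mac_secret, seq_start=0, content_type=APPLICATION_DATA, hash_name="sha1"):
    """Send path: fragment, null compression, MAC, then prepend the 5-byte header."""
    records = []
    for i, frag in enumerate(fragment(data)):
        compressed = frag                        # null compression is the identity
        mac = sslv3_mac(mac_secret, seq_start + i, content_type, compressed, hash_name)
        body = compressed + mac                  # the encryption step would be applied here
        header = struct.pack(">BBBH", content_type, SSL_MAJOR, SSL_MINOR, len(body))
        records.append(header + body)
    return records


def open_record(record, mac_secret, expected_seq, hash_name="sha1"):
    """Receive path: parse the header, check version and length, verify the MAC."""
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (major, minor) != (SSL_MAJOR, SSL_MINOR):
        raise ValueError("unexpected protocol version")
    body = record[5:5 + length]
    if len(body) != length or length > MAX_FRAGMENT + 2048:
        raise ValueError("bad record length")
    mac_len = hashlib.new(hash_name).digest_size
    frag, mac = body[:-mac_len], body[-mac_len:]
    expected = sslv3_mac(mac_secret, expected_seq, content_type, frag, hash_name)
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        raise ValueError("MAC verification failed")
    return content_type, frag


def reassemble(records, mac_secret, seq_start=0, hash_name="sha1"):
    """Verify every record against its expected sequence number and join the fragments."""
    return b"".join(open_record(r, mac_secret, seq_start + i, hash_name)[1]
                    for i, r in enumerate(records))


def is_rejected(records, mac_secret):
    """True if the receive path refuses the given record sequence."""
    try:
        reassemble(records, mac_secret)
    except ValueError:
        return True
    return False


def tampered_copy(records):
    """Flip one byte of the first fragment (a simulated in-transit modification)."""
    r = bytearray(records[0])
    r[5] ^= 0x01
    return [bytes(r)] + records[1:]


if __name__ == "__main__":
    secret = b"constructed-mac-write-secret"
    recs = build_records(b"A" * 40000, secret)
    print(len(recs), "records; tampered rejected:", is_rejected(tampered_copy(recs), secret),
          "; reordered rejected:", is_rejected([recs[1], recs[0], recs[2]], secret))
```

Because seq_num is an input to the MAC rather than a field on the wire, the receiver keeps its own counter and verifies each record against the sequence number it expects; that is why a replayed or reordered record fails verification just as a modified one does, which is the integrity service this section attributes to the Record Protocol.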

Change Cipher Spec Protocol: It uses the SSL Record Protocol, and it is the simplest. This protocol consists of a single message, which consists of a single byte with the value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.

Alert Protocol: It is used to convey SSL-related alerts to the peer entity. As with other applications that use SSL, alert messages are compressed and encrypted, as specified by the current state.

Handshake Protocol: This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. The Handshake Protocol is used before any application data is transmitted.

SSL HANDSHAKE PROTOCOL



SECURE ELECTRONIC TRANSACTION


Definition: Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit card transactions on the Internet. It is not a payment system; rather, it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion.

SET services: There are three services provided by SET, namely:

- Provides a secure communications channel among all parties involved in a transaction.
- Provides trust by the use of X.509v3 digital certificates.
- Ensures privacy because the information is only available to parties in a transaction when and where necessary.

SET Features: There are four key features of SET, as follows:

- Confidentiality of information
- Integrity of data
- Cardholder account authentication
- Merchant authentication

NOTE: Unlike IPsec and SSL/TLS, SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements, whereas IPsec and SSL/TLS are intended to support a range of applications.

SET Participants: There are six participants in the SET system, namely:

- Cardholder
- Merchant
- Issuer
- Acquirer
- Payment gateway
- Certification authority

CURRENT ISSUES ON WEB ATTACK


1. Target: Web server belonging to ACNUR (United Nations Refugees Agency).
   Attack: SQLi.
   Description: SECTORLEAKS404 hacks a Web Server belonging to ACNUR and leaks credentials of President Barack Obama.

2. Target: Kaspersky Costa Rica Web Site (www.kaspersky.co.cr).
   Attack: Defacement.
   Description: Yet another security firm victim of defacement. This time the target is Kaspersky, whose Costa Rica Web Site is defaced.

3. Target: Two liberal Russian media outlets and an election watchdog.
   Attack: DDoS.
   Description: Two liberal Russian media outlets and an election watchdog became victims of huge cyber-attacks during the Russian elections. Sites belonging to the Ekho Moskvy radio station, the online news portal slon.ru and the election watchdog Golos all went down on December the 4th, at around 5am Central European Time.

4. Target: Gemnet (Netherlands-based issuer of digital certificates).
   Attack: Unprotected server page.
   Description: Websites belonging to Gemnet become unavailable following reports that hackers penetrated their security and accessed internal databases. The access happened thanks to a PHPMyAdmin page without a password.

5. Target: Twitter.
   Attack: Twitter botnet.
   Description: Russian hackers flood Twitter with automated hashtags to hamper communication between opposition activists. The pro-government messages with the hashtag #???????????? (Triumfalnaya) were generated by a Twitter botnet composed of thousands of Twitter accounts that had little activity before.

6. Target: Sony Pictures Website.
   Attack: Account hacking.
   Description: As part of #OpSony, the Sony Pictures Website is hacked by Anonnerd and @s3rver_exe, N3m3515, once again in the name of the Anonymous movement and against Sony showing its support for SOPA. In the same operation a fake Facebook account is created simulating a real hacked account.

7. Target: 49 SCADA systems.
   Attack: Unauthorized access.
   Description: In the name of the #Antisec movement, an unknown hacker exposes the IP addresses and other details of 49 SCADA systems, inviting the readers to connect and take screenshots of the internals.

8. Target: PMDB do Maranhão (pmdbma.com.br).
   Attack: N/A.
   Description: The website of the Brazilian political party PMDB do Maranhão is hacked by a lone hacker who makes all the secondary pages of the web site inaccessible.

9. Target: IBM Research domain (researcher.ibm.com).
   Attack: SQLi.
   Description: The IBM Research domain is hacked and defaced by the hacker collective dubbed Kosova Hacker Security.

10. Target: Interpol main website (Interpol.in).
    Attack: DDoS.
    Description: Anonymous temporarily force the main website for Interpol offline, after the international police group announced it had arrested 25 suspected supporters. The site www.interpol.int was unreachable for 20-30 minutes.


SEVEN STEP CYBER SECURITY STRATEGY


Recently, the UK IT Governance released a white paper on cyber security. Once they distributed it, I went through it and found that there are some very good ideas that I have to share with all of you. With the internet becoming a ubiquitous communication and application platform, the greatest risk to our organizations is not cyber war, but cybercrime. Therefore, the seven key actions that should form part of an effective cyber security strategy, as highlighted by IT Governance, which I would kindly like each of us to go through, are as follows:-

1. Secure the cyber perimeter: test all your internet-facing applications and network connections to ensure that all known vulnerabilities are identified and patched. This should include testing all wireless networks. Make sure that the OWASP and SANS top 10 vulnerabilities and security weaknesses are patched. Once this exercise (penetration testing, remediation and confirmatory re-testing) has been completed, schedule regular network tests. Depending on risk, these should take place either quarterly or, at least, every six months.

2. Secure mobile devices beyond the perimeter: encrypt and secure access to all portable and mobile devices (laptops, mobile phones, BlackBerrys, USB sticks, etc.) to ensure that the increasingly elastic network perimeter remains secure and that data taken beyond the perimeter remain secure.

3. Secure the inward and outward communication channels beyond the perimeter: e-mail, instant messaging, and live chat. Make sure there are appropriate arrangements for data archiving and an appropriate balance between protecting confidentiality, integrity and availability.

4. Secure the internal network: identify risks and control against intrusions from rogue wireless access points, from unauthorized USB sticks and from mobile data storage devices, including mobile phones, iPods and so on.

5. Train staff: attackers understand that employees are the weakest link in the security chain and take advantage of natural human weakness through a style of attack known as social engineering. Staff must, therefore, be trained to recognize and respond appropriately to social engineering attacks ranging from tailgating through to phishing, spear phishing and pharming. Also ensure that you have a well-thought-through social media strategy that minimizes information loss through social media websites such as Facebook, LinkedIn and Twitter.

6. Develop and test a security incident response plan (SIRP): sooner or later, your defenses will be breached and you therefore need an effective, robust plan for responding to the breach. Your response plan should include developing a digital forensics capability so that you have the in-house competence to secure areas of digital crime long before outside experts arrive on the scene.

7. Adopt ISO27001 and ISO27031 as standards for developing and implementing comprehensive cyber security and business resilience management systems.

CONCLUSION
We have seen ways of implementing web security and the key notes on secure electronic transaction. Web security and online transactions have become a challenge these days, since many cases related to threats to web security and online transactions have been reported. Sample cases reported in recent research are explained above. Each individual is encouraged to keep in mind that, when it comes to security, it is not the duty of a certain group of people; each member should play an important role in ensuring that security is kept in order. It is important to follow the security strategy mentioned in this report, along with the other secure implementations discussed in other parts, to ensure that both web security and online transactions are kept in order.



