Web hacking and the Internet user

1
Web hacking and the Internet user
2
Web hacking

• Basics
• Web pilfering download selectively web sites and
  search files off-line.
• Automated scripts developed by advanced hackers
  for use by script kiddies. See
  SecurityInnovation for vulnerability scanners.
• IIS security see Microsoft Web Application
  Security guide to setup the IIS and identify
  threats and create countermeasures.
• CGI programming CGI with security in mind by
  W3org, a compilation and an index for CGI
  security resources, SSI and CGI security,
• ASP vulnerabilities HTML and programming in the
  same directory, dot bug, samples (showcode and
  codebrws). See Microsoft ASP Security.
• Web vulnerability scanners are available for
  UNIX/Linux Nikto and Whisker.
• Buffer Overflows (i) PHP security, (ii) do not
  use the wwwcount.cgi, and (iii) IIS iishack
  vulnerability (use MSBA to find patches).
• Poor Web design
• Misuse of hidden tags (price, shipping, etc),
  e.g. search typehidden nameprice
• SSI noExecs, pre-processing for hidden code.

3
Hacking the Internet userMalicious mobile code

• Microsoft ActiveX (Active X controls have the
  file extension.ocx)
• similar to OLE let an object be embedded in a
  page using the ltobjectgt tag
• When IE finds a page with a control, it checks
  the Registry to find out if the control is
  available, if it is IE displays the page and runs
  the control
• If it is not, IE uses Authenticode to check the
  author (Verisign role) and download the control.
  Finally IE displays the page and runs the control
• Safe for Scripting Authenticode is not used
  with these controls, malicious Web sites may
  explore as a vulnerability. Easy to mark as
  such. Countermeasures
• apply patches for Scriptlet/Eyedog and OUA
  (Office 2000 UA).
• Set macro protection to High in Tool/Macro menu
  in Office.
• restrict or disable ActiveX, using security zones
• Using security zones IE has five predefined
  zones Internet, Local Intranet, Trusted Sites,
  Restricted Sites, and My Computer.
• Internet zone disable ActiveX controls, enable
  per-session cookies and file download, and set
  scripting to prompt.
• Trusted Sites assign medium security and add
  sites you can trust to run ActiveX controls, e.g.
  Microsoft sites.

4
Hacking the Internet userMalicious mobile code

• Java basic security (a) strong typing enforced
  at compile and execution time, (b) built in JVM
  bytecode verifier controls memory space (buffer
  overflows are difficult to happen), (c) no memory
  pointers (making difficult to insert commands in
  running code), (d) security manager (control
  access to computer resources), and (e) code
  signing similar to Authenticode. Recommendations
  update and use security zones.
• JavaScript most frequently used client-side
  scripting. MS executes JavaScript using Active
  Scripting. Again use security zones to restrict
  the use of JavaScript.
• Beware of the cookie monster cookies can be
  per session or persistent.
• Settings in Firefox and Internet Explorer .(IE 7
  )
• Cookie sniffing capturing cookies using packet
  sniffing tools (SpyNet/PeepNet).
• Countermeasures Cookie cutters, Firefox and IE
  cookie controls.
• IE HTML frame vulnerabilities. The IE's
  cross-domain security model (a domain is a
  security boundary - any open windows within the
  same domain can interact with each other, but
  windows from different domains cannot).
• IFRAME ExecCommand iframe is a IE tag to
  create a floating frame on the middle of a
  nonframed page. A hacker wrote a JavaScript to
  read a local file.
• Countermeasure in IE Tools, security, disable
  Navigate sub-frames across different domains.

5
Hacking the Internet userE-mail hacking

• basics (i)create a text file using the correct
  MIME syntax, (ii) use netcat to send the message
  to an open relay SMTP server, (iii) check the
  results. Using mpack we can include an attachment
  . If mail server requires authentication this
  hack fails, therefore you should use Sam Spade to
  check server first.
• disable Java, JavaScript and ActiveX in Mail,
  e.g. Thunderbird.
• executing code through e-mail block all emails
  that have attachments with the extensions
  .scr,.pif, zip,
• Outlook Express book worms Melissa, ILOVEYOU
  (see book), Nimda, CodeRed, etc, access OE
  address book and mail themselves to all entries.
  More recent versions use as subject and content
  parts of messages sent or received. Use Microsoft
  patch. Countermeasure OE 2003 and above Tools,
  Options, Read, Read All messages as Plain Text.
• File attachment attacks scrap files (.shs and
  .shb), Long file names in attachments should be
  blocked by anti-virus, or server filtering. Save
  As in Excel/PowerPoint, and be aware of OE use of
  the TEMP directory.

6
Hacking the Internet user other

• SSL overview, use the 128-bit encryption (most
  countries now). Potential fraud bypassing the
  certificate validation. Click on lock to see
  certificate.
• IRC hacking not only message exchange, but also
  file exchange. Users connect to a reflector (BNC,
  IRC Bouncer or proxy server), making the tracing
  of IRC users fruitless (a plus for hackers), all
  you get is the BNC IP.
• DCC Send and Get connect directly two IRC users
  and allow file exchange, what makes easy to an
  user or worm infected user to distribute
  malicious code.
• Countermeasure if you need to use IRC, run
  anti-virus on the directory you selected as
  default for DCC downloads , and read more about
  IRC security.
• Napster hacking as a distributed file-sharing
  network, it has the potential to distribute
  Trojans, viruses, disguised as MP3 audio files.
  Napster checks headers and frames to see if the
  files are MP3 files, but Wrapster disguise files
  as MP3. Similar services may also be vulnerable.
• Global countermeasures
• keep Antivirus signatures updated (at least twice
  a month).
• firewalls and traffic scanners (e.g. Vital
  Security Web Appliance).