Web Hacking - PowerPoint PPT Presentation

About This Presentation
Title:

Web Hacking

Description:

1. Web Hacking. Case Studies. 2. Web Site Hacking ... People hacking web sites are usually, though not always, using old and well ... – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 16
Provided by: cs491
Category:
Tags: hacking | web

less

Transcript and Presenter's Notes

Title: Web Hacking


1
Web Hacking
  • Case Studies

2
Web Site Hacking
  • Popular to get noticed, and to make a social or
    political point.
  • Used to embarrass press, rivals, or others who
    the hackers disapprove of.
  • People get really concerned about Kevin Mitnick.

3
General Cases
  • People hacking web sites are usually, though not
    always, using old and well known security
    vulnerabilities.
  • Often times scripts are used to exploit problems,
    thus allowing a lower level of hacker to
    compromise the server.
  • Generally sites are vandalized, and occasionally
    information is stolen, but effects are usually
    localized.

4
General Situation
  • Many of the attacks can be avoided by reasonable
    or competent systems administrators. System or
    server configuration is usually a factor in the
    compromise.
  • Many attacks are unnoticed by the compromised
    site, due to lack of monitoring tools.
  • Systems administrators often times look at the
    local system, without considering the network and
    associated systems as a whole.
  • Often times they dont even look at the local
    system as a whole, but simply at the web server.

5
Case Study New York Times
  • Site compromised and defaced by HFG.
  • Content replaced with 3l33 speak criticizing
    various columnists.
  • Interesting point is that the real messages were
    in HTML comments.
  • The messages also talked about how the site was
    compromised.. Via statd.

6
Comparable Case Studies
  • classifieds.penthouse.com
  • System compromised, and root obtained through
    rdist.
  • www.jpl.nasa.gov
  • Compromised through an S/Key vulnerability,
    ironically enough.
  • sps.motorola.com / www.mot.co.jp
  • Compromised through an AIX hole, root obtained
    with -froot

7
Case Study Yahoo
  • Site possibly compromised via a known web server
    hole in Apache. (General consensus)
  • Yahoo uses a web server based on apache, but
    varied off to handle its needs more exactly.
    Over time security problems were found and fixed
    in apache, but not propagated back to Yahoo.
  • The site compromised was running a PC-based Unix
    (FreeBSD) which made overflow code easier to
    build.

8
Overall Problems
  • Systems administrators too focused on exact task
    at hand, and not looking at the big picture.
  • This is often times a problem in a larger
    environment, as you have groups responsible for
    software, web sites, server management, security,
    firewalls, monitoring, networks, etc
  • Lax administrators trusting all in-place security
    measures to protect them. (Lots of eggs, 1
    Basket.)
  • Good analogy Hard crunchy shell with a soft
    chewy center. (Paraphrase Marcus Ranum)
  • Unfortunately, VERY COMMON.
  • Fortunately, Easy to Fix.

9
Intro to E-Commerce
  • What is it?
  • Exchange of money or goods electronically.
  • From consumer to business, consumer to consumer,
    or business to business.
  • Examples
  • Online purchasing
  • Content purchasing (Micro-Transactions)
  • Inter-Company EDI or Extranets
  • Stock management online
  • Auction/Classifieds

10
Simple Example
  • A site wants to put up an online store to well a
    new line of Widgets. Builds a pretty catalog and
    users can enter information.
  • Wants the site to be secure so has their provider
    install a secure web server for customers to use
    when placing orders. Will take credit card
    information and do real-time credit
    authorization.
  • Any Issues?

11
Simple Example Continued
  • What is the security of the provider? Is it a
    shared machine or a dedicated machine?
  • Is the order information stored in a database?
    Does this include credit information? What is
    the problem scope if the server is compromised?
  • Taxes?
  • How will credit authorization be handled?
  • What about product fulfillment? Who will ship
    the widgets? Will the fulfillment company have
    access to customer data? Are they secure?

12
Step by Step..
  • The provider and machine security is similar to
    the problems that we have discussed, with the
    added issue that many companies cannot verify a
    providers claims and have to go off of face
    value.
  • Storing customer information in a database is
    definitely an issue. Problems include
  • Loss of customer confidentiality
  • Loss of orders if database attacked and destroyed
  • Potential compromise of customer credit
    information

13
More Steps
  • Credit authorization can be handled by many
    services, but some may be preferable to others.
  • As an example, CyberCash returns a ticket that
    can be stored, instead of the entire credit card
    information. This helps reduce the scope of
    liability, but introduces other problems.
    (Backorders..)
  • Product fulfillment is usually the biggest
    problem to handle. Companies will often times
    need to find a distributor to handle shipping,
    and these systems usually cant be directly
    accessed. The problem that arises is backorders,
    and legally not being able to capture payment
    until a product is shipped.

14
Credit Card Processing
  • Two Basic Parts Authorization Capture
  • Authorization checks the card to see if the
    specified amount is accepted by the card company.
  • Returns approved, denied, or referral (call)
  • Capture
  • Transfers the actual money from the credit card
    company to the vendor or seller. (Legally cannot
    occur until product is delivered to consumer, or
    shipped from facility.)

15
Credit Cards Continued
  • Backend
  • There is obviously some data exchange between the
    company handling the transactions and the
    financial institutions to handle these tasks.
  • CyberCash or VeriFone have direct connections
    with lenders to handle this processing, as an
    example. Typically stores would not try to make
    direct connections to the banks as this would be
    a nightmare for banks and bank security.
Write a Comment
User Comments (0)
About PowerShow.com