The information within this presentation may change without notice. The intent of this information is for educational purposes to organizations desiring to understand electronic threats to their security. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the authors be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Block Cipher: segregate plaintext into blocks
Cipher: the cryptographic transformation
Ciphertext: the result of encryption
Clustering: occurrence where ciphertext of two messages (using the same algorithm) is identical
Codes: cryptographic transformation representing words or phrases
Cryptanalysis: act of obtaining plaintext from ciphertext
Cryptographic Algorithm: procedures used to encipher and decipher messages
Cryptography: science of hiding the meaning of communication
Cryptology: cryptography and cryptanalysis
Cryptosystem: set of transformations between plaintext and ciphertext
Decipher: reversing encipher process to produce a readable message
Encipher: to make the message unreadable except to the intended recipient
Exclusive Or: binary addition without the carry bit
Key (Cryptovariable): sequence controlling the enciphering / deciphering processes
Link Encryption: multiple stage process of enciphering at one node, deciphering the message at the next node, enciphering it again at that node with a different key, and so on.
The point of these animated slides is to show that the applications are written to work with the security tools and policies. If you compromise the application (via a browser) you can bypass the security.
Base - the explosion of the WEB in ‘93 allowed anyone with a browser to access your site.
1st animation - firewalls were put in place to only allow specific port access (i.e. WEB traffic)
2nd animation - with the FW we still have an access problem, so add authentication to only allow WEB access with channel encryption
3rd animation - the need for e-Business has introduced back-end applications driven by WEB browsers. Compromise the application via the browser and you get past the security policies, compromise the applications, and access/manipulate sensitive resources.
4th animation - The same issue still exists. If we have done our job properly then we may have taken care of all of the known attacks, but we still have not addressed the unknown application hack. These are real threats to the site. Click on the “APPLICATION HACKS” to link to the application hacks demo. The demo will return back to this point when completed (you can always hit escape out of the demo ppt to return here).
5th animation - AppShield solves this problem by providing application perimeter defense, front-ending any potential threat so that it never reaches the server. A point to make here is that the server will not spend its time processing illegal requests.
If we look at the complexity of the web application, it is multi-layered and includes all the business logic that enables users’ interaction with the web site and the transactions with the back-end data systems sitting behind the site. These applications come in the form of 3rd party packaged software and code developed in-house.
Even in a secure environment, so much has to go right for these layers to behave appropriately that it is amazing these sites work half the time! (NEXT SLIDE)
Main speaking points:
- We used to have simple web sites.
- The web server sent HTML to your browser and displayed it
- No real business application, maybe marketing or advertising
- Business data nowhere near the websites.
Main speaking points:
- Now we no longer have websites, we have web applications
- Web applications reside on multiple systems in distributed architectures
- Use sophisticated programming languages and architectures
- Corporate and customer data moved to the computing edge
- Edge extended to cellphones, pda’s, mobile sales force solutions, inventory management systems, etc.
Key Speaking Points:
- Web applications invite public access to your most sensitive data
- Customer information, transaction information, and even proprietary corporate data can all be accessed through the web application
Main Speaking Points:
- Access has to be allowed to the application by firewalls and access lists, or else your web site won’t work. This trust is what hackers try to exploit through the application.
- This is because of how we secure our websites:
  - We harden and protect the servers
  - We restrict access from the outside
  - But the web application has to be accessible to the public
- The web application itself holds many vulnerabilities that can be exploited
- Perimeter security cannot secure the web application
- Web vulnerabilities are exploited over HTTP, using HTML
- Web applications breach our perimeter and provide direct access to customer and business data on back-end databases
Main Speaking Points:
- There is great risk in these web application vulnerabilities
- In 2001 The Computer Security Institute said that web application incidents cost companies more than XXX millions of dollars (update this quote to make it accurate.)
- In the 2002 survey just released, 44% of the respondents quantified their financial loss at over 455 million dollars.
Also could be an example of 3rd party missconfiguration
2XX Client Request Successful
200 OK; the request was fulfilled.
201 OK; following a POST command.
202 OK; accepted for processing, but processing is not completed.
203 OK; partial information--the returned information is only partial.
204 OK; no response--request received but no information exists to send back.
3XX Redirection
301 Moved--the data requested has a new location and the change is permanent.
302 Found--the data requested has a different URL temporarily.
303 Method--under discussion, a suggestion for the client to try another location.
304 Not Modified--the document has not been modified as expected.
4XX Error seems to be in the client
400 Bad request--syntax problem in the request or it could not be satisfied.
401 Unauthorized--the client is not authorized to access data.
402 Payment required--indicates a charging scheme is in effect.
403 Forbidden--access not permitted even with authorization.
404 Not found--server could not find the given resource.
5XX Error seems to be in the server
500 Internal Error--the server could not fulfill the request because of an unexpected condition.
501 Not implemented--the server does not support the facility requested.
502 Server overloaded--high load (or servicing) in progress.
503 Gateway timeout--server waited for another service that did not complete in time.
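As an added example, not part of the original slides, the following Python groups server responses by the status classes listed above and applies them the way a defender reads an access log: one client whose answers are mostly 4XX is probing for paths it was never given, and every 5XX is an application failure worth a look. The log lines, addresses and paths are constructed for this example; the 2XX/3XX/4XX/5XX labels are the ones used on the slide.

```python
import re
from collections import Counter, defaultdict

# Meaning of each status class, in the wording of the slide.
STATUS_CLASSES = {
    2: "client request successful",
    3: "redirection",
    4: "error seems to be in the client",
    5: "error seems to be in the server",
}

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2002:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2002:13:55:37 -0700] "GET /images/logo.gif HTTP/1.0" 200 1024
198.51.100.23 - - [10/Oct/2002:13:56:01 -0700] "GET /admin/ HTTP/1.0" 403 287
198.51.100.23 - - [10/Oct/2002:13:56:02 -0700] "GET /backup/ HTTP/1.0" 404 291
198.51.100.23 - - [10/Oct/2002:13:56:02 -0700] "GET /old/ HTTP/1.0" 400 230
198.51.100.23 - - [10/Oct/2002:13:56:03 -0700] "GET /test/ HTTP/1.0" 404 291
203.0.113.7 - - [10/Oct/2002:13:57:10 -0700] "POST /order HTTP/1.0" 500 512
203.0.113.7 - - [10/Oct/2002:13:57:11 -0700] "GET /login HTTP/1.0" 302 -
"""

# One common-log-format line: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def status_class(code: int) -> str:
    """Map a numeric status code to the class description the slide uses."""
    return STATUS_CLASSES.get(code // 100, "unknown")


def parse_log(text: str) -> list:
    """Parse common-log-format lines; lines that do not fit are skipped, not guessed at."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["status"] = int(entry["status"])
        entries.append(entry)
    return entries


def per_client_classes(entries) -> dict:
    """Count responses per client, keyed by status class (2, 3, 4, 5)."""
    counts = defaultdict(Counter)
    for e in entries:
        counts[e["ip"]][e["status"] // 100] += 1
    return counts


def flag_clients(entries, min_requests=3, max_client_error_ratio=0.5) -> list:
    """Clients whose share of 4XX answers exceeds the threshold.

    A real user follows links and mostly gets 2XX/3XX; a run of 400/403/404 from
    one source means it is asking for paths the site never handed out.
    """
    flagged = []
    for ip, counter in per_client_classes(entries).items():
        total = sum(counter.values())
        if total >= min_requests and counter[4] / total > max_client_error_ratio:
            flagged.append(ip)
    return sorted(flagged)


def server_errors(entries) -> list:
    """Every 5XX answer as (client, target, status): each one is a failure in the application."""
    return [(e["ip"], e["target"], e["status"]) for e in entries if e["status"] // 100 == 5]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ip, counter in per_client_classes(log).items():
        print(ip, {status_class(c * 100): n for c, n in counter.items()})
    print("probing clients:", flag_clients(log))
    print("server errors:", server_errors(log))
```

The thresholds are parameters because the right values depend on the site: a site full of dead links produces 404s from honest users, so tune `max_client_error_ratio` against a baseline before alerting on it.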
Note: There are many other tags, we won’t go over all of them
Explain about the different parts of the request (path, query)
Emphasize the \r\n\r\n between the headers and the body
Show the “Content-Type: application/x-www-form-urlencoded”, and the “Content-Length” headers
For cookies:
<META HTTP-EQUIV="Set-Cookie" CONTENT="cookievalue=xxx;expires=Friday, 31-Dec-99 23:59:59 GMT; path=/">
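To make the request structure above concrete (path and query in the request line, the blank `\r\n\r\n` line that ends the headers, `Content-Type` and `Content-Length` describing the form body, and a cookie value in the shape of the `Set-Cookie` example), here is an added Python example that is not from the original slides. It parses a constructed POST request into its parts and refuses the two things a front end should never tolerate: a missing header/body separator and a `Content-Length` that disagrees with the bytes actually present. The request, host name and form fields are made up for this example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request (not from the original slides): a form POST carrying
# a cookie, with the blank line (\r\n\r\n) separating headers from the body.
SAMPLE_REQUEST = (
    b"POST /login?lang=en&ref=home HTTP/1.1\r\n"
    b"Host: shop.example.test\r\n"
    b"Cookie: cookievalue=xxx\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&pass=s3cret&go=1"
)

HEADER_BODY_SEPARATOR = b"\r\n\r\n"


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers, query, body and form."""
    head, sep, body = raw.partition(HEADER_BODY_SEPARATOR)
    if not sep:
        raise ValueError("no \\r\\n\\r\\n separator: headers never terminated")

    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {request_line!r}") from None

    headers = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        lname = name.strip().lower()
        if lname in headers:
            # Two copies of one header are ambiguous (parsers disagree on which wins).
            raise ValueError(f"duplicate header: {lname}")
        headers[lname] = value.strip()

    # Content-Length must match what arrived; otherwise this server and whatever sits
    # in front of it may disagree about where the message ends.
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(f"Content-Length {declared} != body length {len(body)}")

    parts = urlsplit(target)
    result = {
        "method": method,
        "version": version,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
        "body": body,
        "form": {},
    }
    media_type = headers.get("content-type", "").split(";")[0].strip()
    if media_type == "application/x-www-form-urlencoded":
        result["form"] = parse_qs(body.decode("latin-1"))
    return result


def is_rejected(raw: bytes) -> bool:
    """True when parse_request refuses the message: the check a front end would apply."""
    try:
        parse_request(raw)
    except ValueError:
        return True
    return False


def parse_set_cookie(value: str) -> dict:
    """Parse a Set-Cookie value (as in the META HTTP-EQUIV example) into name, value and attributes."""
    pieces = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = pieces[0].partition("=")
    cookie = {"name": name.strip(), "value": val.strip()}
    for attr in pieces[1:]:
        key, _, attr_value = attr.partition("=")
        cookie[key.strip().lower()] = attr_value.strip()
    return cookie


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], req["query"], req["form"])
    print(parse_set_cookie("cookievalue=xxx;expires=Friday, 31-Dec-99 23:59:59 GMT; path=/"))
```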
SSL – from the user’s point of view, this is basically just encrypted HTTP (secured)
Many of these techniques can be used with other search engines. Some of these techniques can not.
The technique is old, but an old dog can learn new tricks... read on...
Because Google took our URL and “translated” it for us, we appear to be surfing Google, not Defcon. Even images are fetched via Google! This is not foolproof, and should only be used as a transparent proxy, but it can effectively hide where we’re surfing from the casual observer...
How does this work?
I don’t work at Google, and I don’t have their source code.
My guess is that the Google bot caught the site when the authentication mechanism was down.
My other guesses are much more insidious...
this search finds all .gov sites with the word “boobs” in the text... no politicians were listed in the returned results...
Site Restricted Search
Example: admission site:www.stanford.edu
If you know the specific web site you want to search but aren’t sure where the information is located within that site, you can use Google to search only within a specific web site.
Do this by entering your query followed by the string “site:” followed by the host name.
Note: The exclusion operator (“-”) can be applied to this query term to remove a web site from consideration in the search. Note: Only one site: term per query is supported.
If you prepend "inurl:" to a query term, Google search restricts the results to documents containing that word in the result URL. Note there can be no space between the "inurl:" and the following word.
Note: "inurl:" works only on words , not URL components. In particular, it ignores punctuation and uses only the first word following the "inurl:" operator. To find multiple words in a result URL, use the "inurl:" operator for each word.
Note: Putting "inurl:" in front of every word in your query is equivalent to putting "allinurl:" at the front of your query.
The script is simple. Just do recursive Google searches for intitle:Index.of “Apache/[version] Server at” and grep out the “Results” line from the returned output. That line will look something like: “Results 1 - 10 of about 15,700. Search took 0.72 seconds” when searching for intitle:index.of “Apache/1.3.11 Server at”
lots of times when a directory listing is unintentional, the default title of the page begins with a generic “Index of “...
Mike Walker at CSC created a program like this (but better) to automate scans for his clients.
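The generic “Index of” title and the “Apache/[version] Server at” footer are also what to look for when checking your own site before a search engine does. As an added example, not from the slides or from the program mentioned above, the following Python inspects an HTML response body and reports whether it is an automatic directory listing, which directory it exposes, what the footer leaks about the server, and which files are listed. The two page bodies are constructed for this example; nothing is fetched.

```python
import re

# Default auto-index title: "Index of /some/dir".
TITLE_RE = re.compile(r"<title>\s*index of\s*(?P<dir>[^<]*?)\s*</title>", re.IGNORECASE)
# Default Apache footer: "Apache/1.3.11 Server at host Port 80".
SERVER_AT_RE = re.compile(
    r"<address>\s*(?P<server>Apache/[\w.]+)[^<]*?Server at (?P<host>[^ <]+)", re.IGNORECASE
)
LINK_RE = re.compile(r'<a href="(?P<href>[^"]+)"', re.IGNORECASE)

# Constructed sample bodies (not fetched from any real host).
LISTING_PAGE = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="../">Parent Directory</a>
<a href="db-2002-07.sql">db-2002-07.sql</a>
<a href="notes.txt">notes.txt</a></pre>
<hr><address>Apache/1.3.11 Server at www.example.test Port 80</address>
</body></html>"""

NORMAL_PAGE = "<html><head><title>Welcome</title></head><body><p>Hello</p></body></html>"


def detect_directory_listing(body: str):
    """Return details of an exposed directory listing, or None for an ordinary page."""
    title = TITLE_RE.search(body)
    if not title:
        return None
    footer = SERVER_AT_RE.search(body)
    # Skip the parent-directory link; everything else is a file or subdirectory exposed.
    entries = [m.group("href") for m in LINK_RE.finditer(body) if m.group("href") != "../"]
    return {
        "directory": title.group("dir"),
        "server": footer.group("server") if footer else None,
        "host": footer.group("host") if footer else None,
        "entries": entries,
    }


def audit_pages(pages: dict) -> list:
    """Run the check over {path: body} and list the paths that expose a listing."""
    return sorted(path for path, body in pages.items() if detect_directory_listing(body))


if __name__ == "__main__":
    print(detect_directory_listing(LISTING_PAGE))
    print(audit_pages({"/backup/": LISTING_PAGE, "/": NORMAL_PAGE}))
```

The fix when this fires is on the server, not in the HTML: turn off automatic indexing (for Apache, `Options -Indexes`) or put an index file in the directory, and trim the version string in the footer so it no longer advertises exactly what is running.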
“Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.” –Michal Zalewski
wah.... no encrypted passwords?
...but this one’s old....
<whine> “but encrypted passwords are tooo hard....” </whine>