
Fundamentals of eCommerce Security (2)


Page 1: Fundamentals of eCommerce Security (2)

ECOM 6031

Fundamentals of e-Commerce Security

(Dr KP Chow, Dr Lucas Hui)

Lecture 2: Web Browser and Web Server Security

Dr Lucas Hui (CYC307, 28592190, [email protected])

Content
• Review of World Wide Web
• Case of Facebook CSRF ((4) threats from server to client)
• Case of Java Signed Applet Protection ((4) threats from server to client)
• A Short Review of SSL (with ref to root cert)
• Case of Captcha (protection of: (3) Threats via Client to Server)
• Case of SQL injection ((3) Threats via Client to Server)
  – SQL injection
• Summary

Discussion Question
• What kind of company data can you allow your employee to access on the company Intranet through ____?
  1. at office
  2. at home using a fixed PC
  3. at home using a laptop
  4. at an overseas cyber-café using a laptop
• Can you suggest some protection strategy that can make you feel safe?

Review of Internet Technology (History)
• In the early 1960s, US Dept of Defense (DoD) started research in networking computers, and developed a multiple channel network
• In 1972, E-mail was born
• In the 1980s, the PC became popular, which led to PC networks
• US National Science Foundation (NSF) funded network services in the 1980s
• In 1987, Hong Kong was connected to the Internet (via HARNET: Hong Kong Academic and Research Network, set up by HKU)
• In 1991, NSF further eased its restriction on Internet commercial activities
• Privatization of the Internet was substantially completed in 1995.
• Internet service providers (ISPs) sell Internet access rights directly to customers
• Note: the Internet is (close to) free and provides global connectivity

Internet Definition - FNC
• On October 24, 1995, the FNC unanimously passed a resolution defining the term Internet. This definition was developed in consultation with the leadership of the Internet and Intellectual Property Rights (IPR) Communities.
• RESOLUTION:

“The Federal Networking Council (FNC) agrees that the following language reflects our definition of the term "Internet".

"Internet" refers to the global information system that --

(i) is logically linked together by a globally unique address space based on the Internet Protocol (IP) or its subsequent extensions/follow-ons;

(ii) is able to support communications using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite or its subsequent extensions/follow-ons, and/or other IP-compatible protocols; and

(iii) provides, uses or makes accessible, either publicly or privately, high level services layered on the communications and related infrastructure described herein."

Early Internet Initiative in Hong Kong: HARNET


Network Technology
• Use TCP/IP protocol
  – TCP: Transmission Control Protocol
    • Controls the assembly of a message into smaller packets before it is transmitted over the Internet
  – IP: Internet Protocol
    • Includes rules for routing individual data packets from their source to their destination
• IP Address
  – Internet addresses are based on a 32-bit number called an IP address.
  – An IP address is a series of up to 4 separate numbers (e.g. 147.204.89.56) that uniquely identifies a computer connected to the Internet.
  – Management of IP addresses (static, mobile, NAT (Network Address Translation)) is an important issue for higher level applications

Domain Names
• IP address difficult to remember
• Domain names
  – Sets of words assigned to specific IP addresses
  – Example: www.hku.hk
    • Contains three parts separated by periods
    • Top-level domain (TLD): rightmost part
    • Generic top-level domains (gTLDs) (e.g. .edu .com)
    • Sponsored top-level domains (sTLD) (e.g. .aero sponsored by SITA)
  – Internet Corporation for Assigned Names and Numbers (ICANN)
    • Responsibility: managing non-sTLD

Internet (rough idea)
[Diagram: LANs (Intranet part) connected through routers and a WAN (Internet part) to Internet backbone routers and servers; client devices shown are a personal computer, laptop, PDA and hand phone via a wireless network access point, a broadband router with ADSL connection, a smart card reader, and a mobile phone network with base station]

Client/Server Relation using Static Pages
[Diagram: the Client (Browser) sends (1) an http request across the Internet to the Server running Web Server software, which returns (2) an http response carrying static HTML pages with text, pictures, etc.]

Selection of Technologies in Web Server
• (1) Static web page
  – Simple to implement, easy to estimate data transfer time
• (2) Dynamic pages – Server side code execution
  – Reduces server side page storage, but may overload the system when the number of requests is huge
• (3) Dynamic pages – Client side code execution
  – Low server burden (both CPU cycles and DB storage), but may have incompatibility issues for some clients
• (4) Dynamic pages – both Server/Client side code execution
  – Most flexible, can carry out a lot of business logic, web access data analysis, and personalization. However, very complicated to implement

Properties of Web Technology (important for e-commerce)
• Thin Client / Thick Server http model
  – Need to ‘instruct’ the client browser to execute client-side program code
  – Installation of client-side software components is extremely unfavorable
  – Now (2011) it is a bit different (e.g. AJAX)
• Worldwide connection (7 days, 24 hours)
• Universal readership (independent of client machines and browsers)
  – A difficult problem for m-commerce using intelligent devices (e.g. iPhone, SmartGrid meters) whose bandwidth, screen size, and client processing power are constrained
• Infrastructure is free
• http connections are “sessionless”
  – C → S: request, followed by S → C: response
• Security is not an emphasis! (This is our problem)

Just Some e-Crime Cases
• Targeted Trojans (Trojan horse programs built to attack a certain target’s vulnerabilities) were distributed via marketing CDs in cases related to some Israeli companies
• Targeted Trojans spread via email were designed to attack the e-gold company using the ‘hidden session’ attack
• A payroll company potentially exposed > 25,000 customers’ private info due to a process breakdown
• In 2002, a credit reporting company reported that 13,000 customer records were stolen using an authorization code belonging to Ford Motor Company (insider problem)
• A keylogger was downloaded from a phishing site, then waited until the user accessed an online banking application and forwarded the keystrokes to a malicious Web site.
• Credit card info was stolen because data that should have been discarded was being stored for troubleshooting purposes in an unencrypted format.
• And others …

Threats for E-Com (by purposes)
• Against ‘random hacking’
  – Viruses
  – Port-scanning (for free services)
  – Hacking (e.g. as a ‘zombie’ in a DDOS attack)
• Against ‘Targeted attack’
  – Stealing of company/customer info
  – Disruption of services (e.g. DDOS attack)
  – Faked transactions (e.g. illegal e-banking activities)
  – Damage on purpose (e.g. ex-employee, information warfare)
• Targeted attack is the important issue

E-Com Security Problems
• Client (no/low security control)
• Communication channel (Internet: an unprotected/unreliable free network)
• Servers (more controllable)
  – Machines (Servers/DB)
  – Employees
  – Data (Customer info)
• Fraud (Cheating, related to non-repudiation issues)
  – Stealing of a valid user account password

Threats for E-Com
[Diagram: the same network picture as in ‘Internet (rough idea)’ above (LANs, WAN, wireless access point, hand phone, laptop, PDA, broadband router, ADSL connection, smart card reader, mobile phone network, base station, routers, Internet backbone router, server, personal computer), used to locate where threats arise]

Web Security problems status (2011)
• Communication link problem is (kind of) solved
  – Secure Channel technology like SSL
• E-commerce fraud:
  – Technically valid transactions
  – A user cheats another
  – Logging of evidence is the key idea
  – Proving of evidence (Computer Forensics) is an important current issue!
• Client-side (Browser) and Server-side are still big big problems
• Client and Server will affect each other
  – (1) Direct Threats to Client (Trojan horse, key logger, etc)
  – (2) Direct Threats to Server (port scanning, intrusion, hacking)
  – (3) Threats from Client to Server (through a valid web session)
  – (4) Threats from Server to Client (through a valid web session)

Danger in Client
[Diagram: the network picture again, with the client side (laptop, PDA) labelled “Keyloggers, spyware, backdoors, virus, etc”]
Client-side problems
• System patches not updated (attacking virus)
• Opening emails with malicious attachments
• Running untrusted programs from floppy, USB drives
• Visiting malicious web pages (e.g. Phishing site, hidden IFRAME in forums)
• Social Engineering (leaking passwords)

Case of Facebook: CSRF
• CSRF (Cross Site Request Forgery)
• Belongs to: (4) Threats from Server to Client
• General key idea:
  – After the Client authenticates to a Server, the authentication info is stored in the client (usually as a cookie) (e.g. user logs in to a bank website)
  – By attracting/cheating the user into clicking a malicious link, the user will visit the hacker site, which lets the hacker site do the following:
    • The hacker site creates a ‘faked request’ and makes the user send the ‘faked request’ to the Server, to carry out a ‘faked transaction’ (like a money transfer)
• Very suitable for a targeted attack! (e.g. stealing from an e-bank account)
• Lesson to learn: your authentication history may be harmful to you, if you visit a hacker site afterward!

Case of Facebook: CSRF (2)
• Facebook case key idea:
  – After the Client authenticates to Facebook, the authentication info is stored in the client (usually as a cookie) (e.g. user logs in to a bank website)
  – By attracting/cheating the user into clicking a malicious link, the user will visit the hacker site, which lets the hacker site do the following:
    • The hacker site creates a ‘faked request’ and makes the user send the ‘faked request’ to Facebook, which runs an evil app (again at the hacker site) that steals Facebook info from the user account.
• A detailed report on (Reference F1) http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html

Recall: session using cookies as authentication info stored in Client PC
[Diagram: Browser ↔ Server, with the cookie held on the browser side as auth. info]

CSRF framework (Cross Site Request Forgery)
[Diagram: the User Victim (holding a cookie with auth. info) is lured to the Hacker Site; the Hacker Site makes the victim’s browser send (4) a faked request carrying illegal commands to the Victim Site, which accepts it just as if the user had done the authentication properly!]
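Added example, not from the lecture or the referenced report: a Python sketch of the server side of a money-transfer form. The cookie is sent by the browser on every request, so it cannot by itself prove who built the request; a per-session CSRF token, which only pages served by the real site can embed and which the hacker site cannot read, is what blocks the faked request. The session store, balances and request format are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the bank's (or Facebook's) server.
SESSIONS = {}                              # session cookie value -> username
CSRF_SECRET = secrets.token_bytes(32)      # server-side key used to mint tokens
BALANCES = {"alice": 1000, "mallory": 0}


def login(user):
    """Authenticate the user and return the cookie the browser will store."""
    cookie = secrets.token_urlsafe(16)
    SESSIONS[cookie] = user
    return cookie


def csrf_token(cookie):
    """Token bound to the session; the real site embeds it in its own forms."""
    return hmac.new(CSRF_SECRET, cookie.encode(), "sha256").hexdigest()


def handle_transfer(request):
    """Server side of POST /transfer.

    request['cookie'] is attached automatically by the browser to any request
    for this site, whoever built the request; request['form'] is the POSTed
    fields.  Returns an HTTP-style status string.
    """
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return "401 not logged in"
    form = request["form"]
    # The cookie only says WHO is logged in, not that the user meant to send
    # this request.  Require the token that the hacker site cannot obtain.
    expected = csrf_token(request["cookie"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "403 CSRF token missing or wrong"
    amount = int(form["amount"])
    if BALANCES[user] < amount:
        return "400 insufficient funds"
    BALANCES[user] -= amount
    BALANCES[form["to"]] = BALANCES.get(form["to"], 0) + amount
    return "200 transferred"


def demo():
    """Replay the slide's scenario: one forged request, one genuine one."""
    cookie = login("alice")
    # Alice later visits the hacker site, whose page makes her browser submit
    # this form.  Her cookie rides along, but the token is not in the form.
    forged = {"cookie": cookie, "form": {"to": "mallory", "amount": "500"}}
    forged_result = handle_transfer(forged)
    # A transfer page served by the bank itself carries the token.
    genuine = {"cookie": cookie,
               "form": {"to": "mallory", "amount": "100",
                        "csrf_token": csrf_token(cookie)}}
    genuine_result = handle_transfer(genuine)
    return forged_result, genuine_result, BALANCES["alice"]
```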

The Facebook special CSRF case
• From reference F1: detailed report on http://blog.quaji.com/2009/08/facebook-csrf-attack-full-disclosure.html

Case of Java Signed Applet Protection
• Recall: Client Side Security is difficult!!
• One client can interact with many E-com servers
  – Potential problem: information from E-com sites can be stolen from cookies in a client machine
• More serious problem: Active Content
  – Programs embedded in Web pages
  – E.g. Java applets, ActiveX controls, Javascripts, VBScripts
  – Attracts Trojan Horse, Virus, Malicious cookie, zombie (a program that secretly takes over the computer)
• Other means: email attachments, reading email from browsers, screen savers, installation of free software, etc.
• Protection means: anti-virus software, user education, better user protection environment (e.g. signed applets)

Java Signed Applet key issue
• There is a program (or a piece of code) sent from the Web server to the client (i.e. the browser)
  – Can I have an easy Yes/No ‘test’ to decide whether the program is safe to run or not?
  – The PKI (Public Key Infrastructure) and the Browser technology provide one such solution!!!
• Of course:
  – Is this solution good or not?
• Let’s see its usage and limitations…

The Signed Applet Example
• Signed Applet – Java Applet with ‘digital signature’
• Treat the Applet as a ‘document’ from Server to Client
• The Applet will have an extra document, called a ‘digital signature’, attached to it.
  – The “Applet + digital_signature” is a Signed Applet
  – When the Server creates this Applet, the server will put in this digital_signature as well
  – Only the Server (which holds a “private key”) can create this digital_signature
• Client will ‘verify the digital signature’
• If the verification process is ok, Client will allow the Applet to execute
• Result: only an Applet from a verifiable server will be executed

The Signed Applet Technology
• What is the technology that the client uses to ‘verify a signed Applet’? – Public Key Cryptography
• Server will create the digital_signature using “the server’s private key”, usually stored in a hardware token in the server machine
• Client will verify the digital signature using the server’s public key. This public key is stored in a data structure called a ‘Public Key Certificate’
• The Public Key Certificate of the Server will be sent from Server to Client when the Applet is loaded, or in some previous connection
• Client, using some ‘Root Cert’ + the server’s Public Key Cert + the Signed Applet, can perform the verification

Public Key Certificate in IE

Root Certificates in IE (A lot!)

Review of Public Key Crypto-system (PKC)
• A has public key Apub, & corresponding private key Aprv
• From Apub, almost impossible to find Aprv
• Apub is known to all; Aprv is secret to A
[Diagram: A holds Aprv. Message M transformed with Apub gives C, and Aprv turns C back into M; likewise M transformed with Aprv gives C', and Apub turns C' back into M]

Public key System Properties
• Xpub(Xprv(M)) = Xprv(Xpub(M)) = M
• Mathematically, given the public key, it is extremely difficult to find the private key
• Security strength always depends on key length
• Can be used in digital signature, encryption, and other advanced usage
• Data Encryption: A sends a confidential message M to B
  – A sends Bpub(M) to B, B decrypts with Bprv
• Digital Signature: A sends a signed message M to B
  – A sends Aprv(M) to B, B verifies by decrypting with Apub
• Encryption and signature can be used together

Relationship with CA

Use of Digital Signature

Different Digital Signature Schemes by Public Key Systems
A sends M to B
• A sends Aprv(M), M to B
• A sends Aprv(H(M)), M to B
• A sends Aprv(H(M)), Bpub(M) to B (sign and encrypt)
• A sends Aprv(H(M)), Bpub(K), Ek(M) to B (K is a block cipher key acting as a ‘session key’, Ek is the block cipher encryption)
• The last two versions are more popular. For simplicity, we can assume the last version is used.

Public Key Certificate (PKC)
• Problems in Public Key Cryptography
  – Private key: users have to keep it secret
  – Public key: make sure everyone can get a correct copy (solution: store it in a Public Key Certificate)
• Certification Authority (CA): a trusted third party (e.g. Hong Kong Post CA, VeriSign)
• Says “I, as the CA, certify that B’s public key value is 136……., digitally signed by me, the CA”
• Needs CA’s public key to verify correctness of B’s PKC (where to find CA’s public key?)
[Diagram: B’s Public Key Certificate contains Bpub (B's public key) and CA_Sig, produced by signing Bpub with CAprv]

Public Key Certificate Concept
Q: User Z wants to know the public key value of Bob:-
• Administrative assumption: Everyone knows Mr. CA’s public key value
• Technical assumption: If you get the public key of X, you can verify all documents digitally signed by X.
Z knows the public key of Mr. CA is 1234. And if Z gets:
  – “CA’s value is 1234” – Signed by CA
  – “Adam’s public key is 3456” – Signed by Mr. CA
  – “Bob’s public key is 7890” – Signed by Adam
He will know Bob’s public key.

How the “Root Certs” are used?
[Diagram: the Browser holds a Root Cert (cert. of “Big Brother” CA B1); Server S1 has a “Cert of S1”, issued by “Big Brother” B1]

During Authentication (e.g. signed Applet)
[Diagram, same setup: Browser with Root Cert of “Big Brother” B1; Server S1 with “Cert of S1” issued by B1]
(1) Cert of S1 is loaded to Browser

During Authentication (e.g. signed Applet)
[Diagram, same setup]
(2) B1 verifies S1: “S1 is my customer, trust him!”

During Authentication (e.g. signed Applet)
[Diagram, same setup]
(3) S1’s applet can be executed in the browser. User is shown a Yes answer (and S1’s cert details)

If S1 is not a valid client of a “Big Brother” …
[Diagram: Browser with Root Cert of “Big Brother” CA; Server S1 whose cert is not issued by any CA the browser knows, shown with question marks]
In case no “Big Brother” knows S1, the user will be prompted to see whether he trusts S1 or not

Summary of Signed Applet technology
• In your browser: an automated process, using PKI technology, will give you a Y/N answer, deciding whether a signed applet is a ‘good program to execute’ or not
• “Yes” means:
  – The Web server (S1) providing the signed applet is one valid customer of one of the Root Certification Authorities. So S1 is a good guy, and your PC or browser can execute this signed applet
  – But … you have to look into the certificate details to see exactly who S1 is!
• “No” means:
  – The Web server (S1) providing the signed applet is not a valid customer of any of the Root Certification Authorities.
  – The browser lets you decide whether to execute the signed applet or not.
• Key issue: Is this situation perfect? How to improve it?
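Added example, not from the lecture: the ‘Z wants Bob’s public key’ chain (Mr. CA signs Adam’s key, Adam signs Bob’s key) and the browser’s Root Cert check from the slides above, written as a chain verifier over toy certificates. Signatures use textbook RSA with tiny primes, which is for illustration only; the certificate layout, names and `verify_chain` are assumptions of this example.

```python
import hashlib

# Toy textbook RSA on tiny primes: enough to show "signed by X", useless as real crypto.
_PRIME_PAIRS = [(61, 53), (67, 71), (73, 79), (83, 89)]


def make_keypair(index, e=17):
    """Return (public, private) as ((n, e), (n, d)) built from the index-th prime pair."""
    p, q = _PRIME_PAIRS[index]
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # modular inverse: Python 3.8+


def _digest(message, n):
    """Hash the message and reduce it below the modulus so RSA can act on it."""
    return int.from_bytes(hashlib.sha256(message.encode()).digest(), "big") % n


def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


def cert_body(subject, public):
    """The statement a certificate makes: "subject's public key value is ..."."""
    return f"{subject}'s public key is {public[0]},{public[1]}"


def issue_cert(subject, subject_public, issuer, issuer_private):
    """issuer signs the statement about subject's key (self-signed when issuer == subject)."""
    return {"subject": subject, "public": subject_public, "issuer": issuer,
            "sig": sign(issuer_private, cert_body(subject, subject_public))}


def verify_chain(chain, trusted_roots):
    """chain = [leaf cert, its issuer's cert, ..., root cert]; trusted_roots = {name: key}.

    Returns the leaf's public key when every link verifies and the chain ends in a
    root the verifier already trusts; None otherwise (the slides' "no Big Brother
    knows S1" case, where the browser can only ask the user).
    """
    for cert, issuer_cert in zip(chain, chain[1:]):
        if cert["issuer"] != issuer_cert["subject"]:
            return None
        body = cert_body(cert["subject"], cert["public"])
        if not verify(issuer_cert["public"], body, cert["sig"]):
            return None
    root = chain[-1]
    if trusted_roots.get(root["subject"]) != root["public"]:
        return None
    return chain[0]["public"]


def demo():
    ca_pub, ca_prv = make_keypair(0)
    adam_pub, adam_prv = make_keypair(1)
    bob_pub, _ = make_keypair(2)
    rogue_pub, rogue_prv = make_keypair(3)
    ca_cert = issue_cert("Mr. CA", ca_pub, "Mr. CA", ca_prv)     # "CA's value is 1234"
    adam_cert = issue_cert("Adam", adam_pub, "Mr. CA", ca_prv)   # signed by Mr. CA
    bob_cert = issue_cert("Bob", bob_pub, "Adam", adam_prv)      # signed by Adam
    trusted = {"Mr. CA": ca_pub}          # what Z (the browser's root store) knows
    good = verify_chain([bob_cert, adam_cert, ca_cert], trusted)
    # A chain ending in a CA that is not in the root store is not accepted by itself.
    rogue_root = issue_cert("Rogue CA", rogue_pub, "Rogue CA", rogue_prv)
    rogue_bob = issue_cert("Bob", bob_pub, "Rogue CA", rogue_prv)
    unknown = verify_chain([rogue_bob, rogue_root], trusted)
    # A certificate whose key value was altered after signing fails verification.
    tampered = dict(bob_cert, public=rogue_pub)
    forged = verify_chain([tampered, adam_cert, ca_cert], trusted)
    return good == bob_pub, unknown is None, forged is None
```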

A Short Review of SSL
• Recall: Client only talks to a Server (S1) that can be verified by a Root Cert owned by the client!
• In our business model, it means:
  – The Web server (S1) that can establish an https session with the client is one valid customer of one of the Root Certification Authorities. So S1 is a good guy, and your PC or browser can establish an https session with S1!
  – But … you have to look into the certificate details to see exactly who S1 is!

SSL Mixed Content problem

What does this mean?

SSL Mixed Content problem (2)

The risk: data unprotected by SSL may be seen by intermediate routers. In many cases this is still safe. BUT: attack code in non-SSL data can be dangerous!!

SSL Protection
• SSL provides secure encryption between the two endpoints (browser and server).
  – No intermediate routers or processes can see the content
• Limitation: the two endpoints can still leak information
• Discussion Question: what is the protection provided by SSL to a company?
  – What are the values for customer access?
  – What are the values for employee access?
  – Is SSL necessary?
  – Is SSL sufficient?

Case of CAPTCHA
• CAPTCHA
  – Completely Automated Public Turing test to tell Computers and Humans Apart
  – (In Chinese: fully automated test to tell computers and humans apart)
• Automatically generate challenges which intend to:
  – Provide a problem easy enough for all humans to solve.
  – The problem cannot be solved by a computer program currently, unless it is specially designed to circumvent specific CAPTCHA systems.
  – E.g. a human user can read distorted text while bots cannot

• CAPTCHA is usually used to protect websites against bots which abuse the websites and is usually placed:
  – At a login form to prevent dictionary attacks
  – Before account registration
  – Before showing an e-mail address on a personal website, to avoid spammers getting your e-mail address when they crawl the web looking for valid e-mail addresses
  – Etc.

Eg: reCAPTCHA
• Google’s project (http://www.google.com/recaptcha)
  – A plugin as a web service
  – Only need to add a few lines of code to your website to embed it

Eg: reCAPTCHA (cont.)
• Idea:
  – Digitizing physical books that were written before the computer age.
  – Each word that cannot be read correctly by "Optical Character Recognition" (OCR) is placed on an image and used as a CAPTCHA.

Alternative implementations
• Rely on visual perception (more than distorted text):
  – identifying an object that does not belong in a particular set of objects.
  – locating the center of a distorted image.
  – identifying distorted shapes.
  – 3D captcha, etc.
• Provide an audio version of the CAPTCHA for accessibility reasons

Cases
• D-Link adds CAPTCHA to home routers
  – The new CAPTCHA system will be particularly useful to thwart malicious attacks that target default passwords on routers to alter DNS records and hijack all future connections.
  – http://www.zdnet.com/blog/security/d-link-adds-captcha-to-home-routers/3365?tag=content;search-results-rivers
• Gmail, Yahoo and Hotmail systematically abused by spammers
  – The MessageLabs Intelligence annual report for 2008 indicates that on average, 12 percent of the spam volume that they were monitoring in 2008 came from legitimate email providers such as Gmail, Yahoo Mail and Hotmail, with a September peak of 25%.
  – Vendors cite machine learning CAPTCHA breaking techniques as the cause; some doubt this and think the spammers actually outsource the account registration process to human CAPTCHA solvers.
  – http://www.zdnet.com/blog/security/gmail-yahoo-and-hotmail-systematically-abused-byspammers/2293?tag=content;search-results-rivers

Attack
• Technical attack: Microsoft's CAPTCHA successfully broken (May 31, 2008)
  – A research paper entitled “A Low-cost Attack on a Microsoft CAPTCHA” published the attack.
  – Microsoft's CAPTCHA scheme was designed to be segmentation-resistant. However, the attackers’ simple attack achieved a segmentation success rate of higher than 90% against this scheme.
  – They show that a CAPTCHA that is carefully designed to be segmentation-resistant is vulnerable to novel but simple attacks, and it is not a trivial task to design a CAPTCHA scheme that is both usable and robust.
  – http://www.zdnet.com/blog/security/microsofts-captcha-successfully-broken/1232
• Human attack: some companies will provide a plug-in for your program
  – When your program sees a CAPTCHA request, the picture will be sent to the company, and the company will have a group of human beings answer it for you.

Case of SQL injection attack
• Browser attacks Server
• Steps:
  • I. Send malicious input to server
  • II. Bad input checking leads to a malicious SQL query
• One kind of “Code injection attack”
• Whenever we are running a program (instead of showing data) there is a problem
  – Buffer-overflow attack: breaking the programming language computation model
  – PHP: the “eval”
  – SQL: the “execute”

Code injection attacks
• Method: executing arbitrary code on the server
• Example: code injection based on eval (PHP)
  – http://site.com/calc.php (server side calculator)
  – Attack: http://site.com/calc.php?exp=" 10; system('rm *.*') " (URL encoded)

  …
  $in = $_GET['exp'];          // the expression straight from the query string
  eval('$ans = ' . $in . ';'); // the string is executed as PHP code, not just calculated
  …

SQL injection attack
[Diagram: the attacker posts a malicious form to the Web Server; the Web Server sends an unintended SQL query to the Database; the attacker receives valuable data]

Example: buggy login page

  set ok = execute( "SELECT * FROM Users WHERE user=' " & form("user") & " ' AND pwd=' " & form("pwd") & " '" );
  if not ok.EOF login success
  else fail;

Is this exploitable?

Bad input
• Suppose user = “ ' or 1=1 -- ” (URL encoded)
• Then the script does:
  ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … )
  – The “--” causes the rest of the line to be ignored.
  – Now ok.EOF is always false and login succeeds.
• The bad news: easy login to many sites this way.
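Added example, not the lecture’s code: the buggy login page above rewritten in Python against an in-memory SQLite table, beside the parameterised version that treats the form fields as data only. The Users table and its accounts are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_buggy(conn, user, pwd):
    """The slide's login page: form fields pasted into the SQL text (deliberately vulnerable)."""
    query = "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"
    rows = conn.execute(query).fetchall()
    return len(rows) > 0                     # the slide's "if not ok.EOF login success"


def login_fixed(conn, user, pwd):
    """Same check with bound parameters: the input is only ever data, never SQL syntax."""
    rows = conn.execute("SELECT * FROM Users WHERE user=? AND pwd=?",
                        (user, pwd)).fetchall()
    return len(rows) > 0


def demo():
    """Run both versions with a correct login and with the slide's bad input."""
    conn = make_db()
    bad_user = "' or 1=1 --"                 # the slide's bad input, before URL encoding
    return {
        "buggy_normal": login_buggy(conn, "alice", "s3cret"),
        "buggy_wrong_pwd": login_buggy(conn, "alice", "wrong"),
        # The buggy query becomes: ... WHERE user='' or 1=1 --' AND pwd='anything'
        # The "--" comments out the password check, so every row matches.
        "buggy_injected": login_buggy(conn, bad_user, "anything"),
        "fixed_normal": login_fixed(conn, "alice", "s3cret"),
        # No user is literally named "' or 1=1 --", so the bound query matches nothing.
        "fixed_injected": login_fixed(conn, bad_user, "anything"),
    }
```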

April 2008 SQL Vulnerabilities

Summary: Some other attacks
• XSS – Cross-site scripting
  – Hacker web site sends the client a script that steals information from an honest web site.
  – Server “attacks” Client to “attack” Server
  – Uses malicious web pages (those with scripts)
  – Quite a mature technique, yet very significant
    • http://www.xssed.com/archive
• Phishing
  – A mature and low-tech attack, yet very active
  – http://www.penn-olson.com/2011/01/17/china-phishing/
• Discussion Question
  – With so many attacks being feasible, should we encrypt the data stored in the Server (or in the Client), so that even if the system is hacked, the data will not leak?
  – If so, what company data should be encrypted? How?