Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)

Page 1: Csci5931 Web Security1 Case Study: A Forensic Lesson for Web Security (MSS, part one)

csci5931 Web Security 1

Case Study: A Forensic Lesson for Web Security (MSS, part one)

Page 2

A Hacked E-commerce Site

A security officer’s nightmare! Users’ passwords got stolen! Customers’ credit card numbers were exposed. Merchandise was purchased online using the stolen credit cards. The company’s reputation was ruined. The CIO’s or security officer’s job is at stake. …

Page 3

Case Study: A Forensic Log

Page 2 of the MSS book: five groups of log entries (a, b, …, f). The company’s firewall was configured to block all traffic except HTTP traffic via port 80 (HTTP) and port 443 (SSL).

The intruder exploited a vulnerability in the index.cgi script to list the content of the system password file.

Q: What vulnerability was exploited?
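The slides leave the vulnerability as a question for the reader, but the forensic task itself, reading web server log entries and spotting the requests that abused index.cgi to reach the system password file, can be illustrated. The following is an added example, not from the MSS book or the course: it parses constructed Apache-style log lines (not the book's entries) and flags requests to index.cgi whose decoded parameter contains a directory-traversal sequence or a reference to the password file. Both heuristics are assumptions about how the script was abused; the page does not say.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format. These are NOT the
# log entries from the MSS book, which the slides only refer to by group letter.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:02:11 -0600] "GET /index.cgi?page=home HTTP/1.0" 200 512 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2001:10:02:40 -0600] "GET /index.cgi?page=../../../../etc/passwd HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2001:10:03:05 -0600] "GET /index.cgi?page=%2Fetc%2Fpasswd HTTP/1.0" 200 1843 "-" "Mozilla/4.0"
10.0.0.9 - - [12/Mar/2001:10:05:17 -0600] "GET /images/logo.gif HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
"""

# Minimal pattern for the fields a first-pass review needs: client, time,
# method, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Decode twice: one round of percent-encoding can hide a second round.
    entry["decoded"] = unquote(unquote(entry["path"]))
    return entry

def suspicious_reason(entry):
    """Return why a request to index.cgi looks abusive, or None (assumed heuristics)."""
    path = entry["decoded"]
    if not path.lower().startswith("/index.cgi"):
        return None
    if "../" in path or "..\\" in path:
        return "directory traversal sequence in CGI parameter"
    if "/etc/passwd" in path or "/etc/shadow" in path:
        return "system password file referenced in CGI parameter"
    return None

def flag_log(text):
    """Return (ip, timestamp, raw path, status, reason) for each flagged request."""
    flagged = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = suspicious_reason(entry)
        if reason:
            flagged.append((entry["ip"], entry["ts"], entry["path"], entry["status"], reason))
    return flagged
```

Note that every flagged request arrived on port 80 with a 200 status, which is exactly the traffic the firewall was configured to allow; the evidence is in the application log, not the firewall log.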

Page 4

Analysis of the Hacking Incident

Pages 2 to 9. What knowledge and skills does a “successful” hacker need to possess?

- Understanding of Web server operation, the scripting language used, and activation mechanisms
- Understanding of operating system commands
- Lots of patience and some luck

Anything missing from the list?

Page 5

Can the Incident Have Been Prevented?

Yes. Stronger security technologies exist to counter the potential attacks. Examples?

- Elimination of source code exposure
- Set-up of a DMZ
- Enforcement of access control lists
- The “least privilege” rule
- …

See an overview of common solutions in GS Chapter 1.

Page 6

Lessons Learned from the Case Study

- A firewall does not guarantee a secure e-commerce site. Why?
- Security auditing has its limits. Why?
- Strong password protection may not be enough. Why?

The bottom line: the secure operation of a web site requires a mixture of protection mechanisms, each protecting one of the many components and links in an N-tier web-based application, and all of them together delivering a secure web site.

Page 7

Next

- Review of N-tier web-based applications
- Review of cryptography
- Java security model