CSCD 303 Essential Computer Security
Fall 2019
Lecture 18a – Internet Security 2
Reading: Chapter 7, Links in Slides
Overview
• Internet Security
• Active X
• Javascript
• Security Models
• Third Party Content
Review
• Said …
– Active Content is common in today’s Internet
– People want functionality
– Security seems to be secondary
– Still true in 2019, as it has been since the late 1990’s
Web 2.0 Problem
• Also, stated
– Web 2.0 has problems
– Security
– Was not and is not primary design decision
– What is primary motivation behind many Web sites today?
• Make money, service customers - Banking
• Advertise things
• Sell things
The Web Today: “Islands” of Code
(Figure: a Web page as “islands” of code – Java Applet, JavaScript, VBScript, ActiveX Control, HTML Document, Non-HTML Document: .doc, .pdf, images)
Overview and Questions
• Active X
– What is security of Active X?
• Javascript
– What was intended for Javascript security?
– Has it been achieved?
• Third Party content
– What happens when you no longer control the content on your pages?
Active X
• Active X has been around since the 90’s
– It was Microsoft’s way of putting content on Web pages
– Competition with Netscape who had Javascript
– Unlike Javascript, ActiveX components have no restrictions on actions they can take in your system
Active X Permissions
• Active X
– Allows applications or parts of applications to be utilized by web browser
– Applications have full access to operating system
– Web pages can use/download Active X components
Motivation For ActiveX
Bring Component-based Development to the Internet
“Software Developers - want to easily create, reuse and integrate software components
Web Producers - want to build rich, engaging Web sites quickly and easily
End Users - want an intriguing, exciting experience”
Note: Nothing about Security
Active X
• What’s the security model?
• Let the user decide if it’s safe …
• Is this a good decision?
ActiveX Security Model
• ActiveX controls reside on client's machine, activated by HTML tag
– ActiveX controls are not interpreted by browser
– Compiled binaries executed by client OS
– Controls can be downloaded and installed
• Similar to Java Applets
Security model relies on three components
1. Digital signatures to verify source of binary
• AuthentiCode
2. IE policy can reject controls from Network Zones
3. Controls marked by author as Safe for Scripting, which affects the way the control is used
Active X Digital Signatures
• Microsoft devised something called “Authenticode”
• Once code is downloaded,
• Windows tells you who wrote code
• Asking if you want to run it
• Browser uses digital signature to certify who wrote code, so you can believe the statement of authorship
• Problems with this?
• Flawed model of security: do you personally know the author?
• More seriously, gives appearance of offering some sort of safety, which makes it more dangerous
Example of Authenticode
Active X Control Screen
– However, users are not prepared,
– Do you think they have enough knowledge to handle this decision?
Active X Security Zones
• Internet Explorer uses Network Zones that group sites based on certain conditions
– Whether it is an Internet- or Intranet-based site, Local or Trusted site
– User-editable whitelist or blacklist
– Security restrictions are applied per zone
• All the sites in a zone are subject to the restrictions
• MS article on setting Security zones: https://support.microsoft.com/en-us/help/17479/windows-internet-explorer-11-change-security-privacy-settings
Network Security Zones
IE 8 Added Protection
• IE 8 added protections for Active X
– Can restrict Active X to a single user
• Previously Active X was installed globally
• Doesn't apply to pre-existing controls
• Only for Vista and Windows 7
– Can restrict Active X control to specific domains
• Whitelist domains for an Active X control
– Data Execution Prevention
• Turned on by default
• Will help prevent Active X Control buffer overflows from working - enforces places in memory for data only, no executable code
IE 9, 10 and 11 Active X Filtering
Recent IE versions allow users to completely filter Active X and to turn it back on if needed
Turning it off
Turn it back on
https://www.sevenforums.com/tutorials/149053-internet-explorer-activex-filtering-turn-off.html
Active X SafeforScripting
• "SFI" (Safe For Initialization) and "SFS" (Safe For Scripting) flags are properties which are set by the ActiveX developer
– Means that the developed ActiveX control is harmless and may be safely initialized and/or run by a scripting language … Who sets the flags?
– The developer sets these flags within their code
– Internet Explorer verifies these before loading
– However, no guarantee that ActiveX control is indeed safe
Advice on Managing Active X Controls
Advice from some security folks is to completely turn off Active X controls, but you can lose functionality
http://www.howtogeek.com/162282/what-activex-controls-are-and-why-theyre-dangerous/
Active X and Other Browsers
By default, Google Chrome and Firefox web browsers do not support ActiveX controls
Workarounds to enable ActiveX controls
Google Chrome users can download IE Tab extension that acts as Internet Explorer emulator
– Helps enable ActiveX controls in Google Chrome - emulates IE by using IE rendering engine directly within Chrome
Firefox users can install ff-activex-host plugin to enable ActiveX controls in browser
– Plugin makes it possible to use (host) ActiveX controls in Firefox and provides full access to hosted control (events, functions, properties)
Microsoft Edge No Support for Active X Controls
Legacy technologies in Microsoft Edge lose support: Active X, Browser Helper Objects, VBScript and others
Benefit? Better interoperability with other modern browsers, improved performance, security & reliability, and reduced code complexity
https://blogs.windows.com/msedgedev/2015/05/06/a-break-from-the-past-part-2-saying-goodbye-to-activex-vbscript-attachevent/
Current Problem for S. Korea Govt
● So if ActiveX technology is pretty much dead, why are we writing about it? Who even cares about ActiveX control vulnerabilities in 2019?
● Due to a law from 1999 to enhance Internet security, people in South Korea were stuck with Internet Explorer and had to allow ActiveX controls to run
● In 2015 steps were taken to get rid of ActiveX controls from government websites, with the goal being to have them completely removed by 2018
● Since 2007 and up to 2018 a large number of 0-day attacks attributed to North Korea have been exploiting 28 different vulnerabilities in commonly used ActiveX controls
https://www.riskbasedsecurity.com/2019/05/21/critical-vulnerabilities-discovered-in-south-korean-activex-controls/
Javascript
JavaScript Defined
What is JavaScript ?
JavaScript is a client- and server-side object-based scripting language that is used to make interactive Web pages.
JavaScript is the most common scripting language used to add interactivity to Web pages.
JavaScript is an interpreted language
These scripts are interpreted by a JavaScript interpreter which is a built-in component of the Web browser.
Javascript is used on about 88% of all websites
Why use Javascript?
Advantages of javascript
Less server interaction
More interactivity
Richer interfaces
Fast feedback to visitors
Disadvantages of javascript
Security !!!!
More complex web pages
Third party code obfuscation
Rendering inconsistencies
JavaScript Security
• JavaScript security model is based upon Java
• Downloaded scripts are run by default in restricted “sandbox” environment
– Isolates them from rest of operating system
• Scripts are permitted access only to data in current document or closely related documents
– No access is granted to local file system,
– No access to memory space of other running programs,
– No access to operating system’s networking layer
Javascript Security Model
• Same-origin policy
– Can only read properties of documents and windows from same place
• Same server, protocol, port
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
https://www.w3.org/Security/wiki/Same_Origin_Policy
Examples, Assuming www.example.com

URL of Target Window                            | Result of Same Origin Check with www.example.com | Reason
------------------------------------------------|--------------------------------------------------|--------------------------
http://www.example.com/index.html               | Passes                                           | Same domain and protocol
http://www.example.com/other1/other2/index.html | Passes                                           | Same domain and protocol
http://www.example.com:8080/dir/page.html       | Does not pass                                    | Different port
http://www2.example.com/dir/page.html           | Does not pass                                    | Different server
http://otherdomain.com/                         | Does not pass                                    | Different domain
ftp://www.example.com/                          | Does not pass                                    | Different protocol
Same-origin check applies to access to window object of other frames
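To make the table concrete, here is an added example (not part of the lecture) that performs the same-origin check in JavaScript with the standard WHATWG URL class, which is built into browsers and Node.js. The origin is the triple (scheme, host, port), with default ports normalised the way browsers do; the path is not part of it. Besides the six rows above it also runs the www.example.com/account/ vs /otheraccount/ case the slides raise later, which passes, because two paths on one host share an origin. The page URL and the explainCheck helper are assumptions of this example.

```javascript
// Added example (not from the lecture): same-origin check over the table's URLs.
// Origin = (scheme, host, port). Uses the built-in URL class (Node.js/browsers).

// Origin tuple of a URL; the URL parser already drops default ports (http 80,
// https 443, ftp 21), so an explicit ":80" compares equal to no port at all.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { 'http:': '80', 'https:': '443', 'ftp:': '21' };
  return {
    scheme: u.protocol,                       // e.g. 'http:'
    host: u.hostname,                         // e.g. 'www.example.com'
    port: u.port || defaults[u.protocol] || '',
  };
}

// Same-origin policy: all three components must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Same check, but report the reason in the style of the table's last column.
function explainCheck(pageUrl, targetUrl) {
  const p = originOf(pageUrl), t = originOf(targetUrl);
  if (p.scheme !== t.scheme) return 'Does not pass: different protocol';
  if (p.host !== t.host) return 'Does not pass: different host';
  if (p.port !== t.port) return 'Does not pass: different port';
  return 'Passes: same protocol, host and port';
}

// The rows of the table above, plus the "unrelated accounts on one server" case.
const PAGE = 'http://www.example.com/';
const TARGETS = [
  'http://www.example.com/index.html',
  'http://www.example.com/other1/other2/index.html',
  'http://www.example.com:8080/dir/page.html',
  'http://www2.example.com/dir/page.html',
  'http://otherdomain.com/',
  'ftp://www.example.com/',
  'http://www.example.com/otheraccount/',   // passes: path is not part of the origin
];

for (const t of TARGETS) {
  console.log(t.padEnd(50), explainCheck(PAGE, t));
}
```

The last row is the limitation the slides describe under "Problems with Same Origin Policy": the check is blind to paths, so two unrelated accounts hosted under one origin can script each other.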
Javascript Security Policy
• Same-origin check
– Performed when trying to access properties or methods of another Window object
• Since each frame in a framed page has its own Window object,
– Same-origin policy applies to scripts attempting to access the content of frames
– If two frames haven’t been loaded from same site using same protocol, scripts cannot cross framed boundary
• Policy additionally applies to <iframe>s, as well as documents included with the <object> tag.
Example of Same Origin Policy, Javascript
Assume you are logged into Facebook and visit a malicious website in another browser tab. Without same origin policy, JavaScript on that website could do anything to your Facebook account that you are allowed to do.
For example read private messages, post status updates, read the form you entered your password on before submitting it
Facebook uses JavaScript to enhance user experience. Browser needs to detect that the JavaScript is trusted to access Facebook resources. That's where same origin policy comes into play:
If JavaScript is included from HTML page on facebook.com, it may access facebook.com resources.
iframes and objects in HTML
The <object> tag defines an embedded object within an HTML document
Use this element to embed multimedia (like audio, video, Java applets, ActiveX, PDF, and Flash) in your web pages
You can also use the <object> tag to embed another webpage into your HTML document.
An iframe allows a document to be displayed within another web document in html
See example here: http://www.w3schools.com/html/html_iframe.asp
Javascript Threats
• There are really two basic threats
• Impersonation of a Legitimate User
– This threat violates trust a website places in a user, allowing attacker to initiate HTTP requests as user
• Impersonation of a Legitimate Website
– This threat violates trust user places in remote site by impersonating site in whole or in part
Problems with Same Origin Policy
• Poorly enforced on some browsers
– Particularly older browsers
• Limitations if site hosts unrelated pages
– Example: Web server often hosts sites for unrelated parties
• http://www.example.com/account/
• http://www.example.com/otheraccount/
– Same-origin policy allows script on one page to access properties of document from another account
Problems with Same Origin Policy
• Truth is that most common web-attacks are directed against a legal same-origin implementation
• So, following vulnerabilities are all completely viable within the existing same-origin policy
– CSRF - Cross-site request forgery
– Cross-site scripting (XSS)
Problems with Same Origin Policy
• Cross-site request forgery (CSRF, XSRF, or cross-site reference forgery)
– Takes a form from a malicious site, browser submits form to trusted site with which user has an active set of credentials
• Cross-site request forgeries are a user-targeted attack
– Attack exploits trust a webserver places in a client with an established session
– Done via HTTP authentication or cookies
Problems with Javascript Policy
• Cross-site scripting (XSS)
– A cross-site scripting attack exploits trust user places in a website, making it a common vector for phishing and related attacks
– Most cross-site scripting attacks attempt to hijack victim’s session key and smuggle it out by embedding it in an image or similar link
– Will talk about these attacks more later ...
Javascript Security Policy
• Signed Objects
– Requires you as the developer to identify yourself
– Signing tool, creates a digital signature of your script
– Prior to loading script, browser can try to verify your identity as a legitimate author
– Because of being signed, your script can ask for more privileges
• Example: Access to local file system
Javascript Security Policy
• Problems with Signed Scripts
– Can you think of problems with signed scripts?
– Useful for Intranet types of environments
• Know the IT department, signed means something
– Not so good for the Web
– Don't know developers, how can you trust them?
– And, certification may be almost nothing
• Asking them for a valid email address
• No real verification they are legitimate
Third Party Content
Third Party Content
– More and more organizations are using third parties (users, business partners, etc.) to provide active content for their sites
• “Third party active content” is anything on your site that you didn’t create that can change the way the site functions
• For today, we’ll focus on JavaScript, but other active types have similar risks
The “Circle of Trust”
Easy with one
The “Amorphous Blob of Trust”
Not so easy with many
Content From Other Sites
• Advertising and Ad Tracking
• Site tracking
– “You had 1 visitor today. He clicked here and here and here.”
• Enhanced content or functionality
– Mashups, RSS feeds, stock tickers, content from partners, etc.
Advertising and Ad Tracking
• Banner ads are often rotated with JavaScript
– To ensure consistency and allow for updates, most online advertising companies host JavaScript files themselves. Trust them?

<!-- begin ad tag -->
<script type="text/javascript">
ord = Math.random() * 10000000000000000 + 7;
document.write('<script language="JavaScript" src="http://n4061ad.doubleclick.net/adj/you.home/_default;sz=300x35;kvideoid=-1kItblmJow;tile=1;dcopt=ist;ord=' + ord + '?" type="text/javascript"><\/script>');
</script>

Advertising and Ad Tracking
• Question: How do you hack 2,000 websites at once?
Answer: Hack DoubleClick. Replacing their JavaScript files could effectively create a cross-site scripting attack against all the sites that use them.
But surely they’re secure, right? Maybe. Can you afford to assume that? With that kind of prize, do you think people won’t try?
Malwarebytes notes problems with DoubleClick ...
“Google’s DoubleClick ad network abused once again in malvertising attacks”
https://blog.malwarebytes.com/threat-analysis/2014/09/googles-doubleclick-ad-network-abused-once-again-in-malvertising-attacks/
Factors of Control for Site-Provided Content
• Who is allowed to put content on a page?
– If allow content from another company, has due diligence been done?
• Ask questions about their security program
• Demand independent validation
• What could they accomplish if it were malicious?
• Could steal any and all of the user’s data in the application
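The first question on this slide, who is allowed to put content on a page, is hard to answer without an inventory, which the later "Examples from Sites you Know" slides build by hand. As an added example (not from the lecture), here is a small script that builds that inventory from a page's HTML: every script, iframe, embed or object loaded from a source, whether its origin differs from the page's, whether it is fetched over plain HTTP (so anyone on the network path could replace it), and, for scripts, whether it carries a Subresource Integrity hash. SRI is not discussed in the slides; it is included as the check a practitioner would want, since it pins a third-party script to a known hash. The page URL, the sample HTML and its `.example` hostnames are constructed for this example; a real audit would use a DOM parser rather than a regular expression.

```javascript
// Added example (not from the lecture): inventory the active content a page
// loads from other origins. Page URL and sample HTML below are constructed.

const PAGE_URL = 'https://www.example-bank.com/login';   // assumed first-party page

// Tags that pull in active or embedded content via src= (or data= for <object>).
const TAG_RE = /<(script|iframe|embed|object)\b[^>]*?\b(?:src|data)\s*=\s*["']([^"']+)["'][^>]*>/gi;

// One finding per external load: where it comes from and which safeguards it lacks.
function inventory(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [tag, kind, rawSrc] = m;
    let src;
    try { src = new URL(rawSrc, page); } catch { continue; }   // skip unparseable src
    findings.push({
      tag: kind.toLowerCase(),
      host: src.hostname,
      // Same-origin test: scheme, host and port must all match the page.
      // Note that a different origin is not the same as a different owner:
      // the bank's own CDN is cross-origin too, so ownership still needs checking.
      thirdParty: src.origin !== page.origin,
      // Fetched without TLS: anyone on the path could substitute the content.
      insecure: src.protocol === 'http:',
      // Subresource Integrity attribute present (meaningful for <script>).
      hasIntegrity: /\bintegrity\s*=/i.test(tag),
    });
  }
  return findings;
}

// Distinct cross-origin hosts, sorted: the "who is on my page?" answer.
function thirdPartyHosts(findings) {
  return [...new Set(findings.filter(f => f.thirdParty).map(f => f.host))].sort();
}

// Cross-origin scripts loaded over plain HTTP or without an integrity hash:
// these run with full access to the page and nothing pins their content.
function riskyScripts(findings) {
  return findings.filter(f => f.thirdParty && f.tag === 'script' && (f.insecure || !f.hasIntegrity));
}

// Constructed sample page: one first-party script, the bank's own CDN with SRI,
// and several ad/tracking loads of the kind the slides list.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-bank.com/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="http://cts.channelintelligence.example/tag.js"></script>
<script src="https://pagead2.googlesyndication.example/show_ads.js"></script>
</head><body>
<iframe src="https://ad.doubleclick.example/adj/site.home"></iframe>
<embed src="http://m1.2mdn.example/banner.swf">
</body></html>`;

const findings = inventory(SAMPLE_HTML, PAGE_URL);
console.log('third-party hosts:', thirdPartyHosts(findings));
console.log('risky third-party scripts:', riskyScripts(findings).map(f => f.host));
```

Run against a saved copy of a real page, the output is the list of organisations whose security program the due-diligence questions on this slide need to be asked of. The `riskyScripts` list is the subset where a compromise of that party, or of the network path, lands directly in your users' browsers.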
Regulatory Requirements
• Could use of externally hosted, third party active content violate regulatory requirements such as PCI DSS, FFIEC, HIPAA?
Requirements generally include:
• Implementation of safeguards to prevent exposure of user data to a third party
• Regular assessments on all systems with access to the data
– Caveat: Never known of anyone that failed an audit by a regulatory agency because of third party content
Examples from Sites you Know
BestBuy.com
<script src="http://cts.channelintelligence.com...
Amazon.com
<iframe src="http://ad.doubleclick.net...
<iframe src="http://servedby.advertising.com...
BankofAmerica.com (Search Page)
<script language="javascript">// external script that has been downloaded and hosted</script>
BankofAmerica.com Script Source
Ok, raise your hand if you can tell me what that does. It’s either obfuscated or someone has a very unique coding style.
Here is the problem with trying to validate external scripts. It may be impossible ...
BankofAmerica.com Script Source
All this script is doing is calling another external JavaScript with some parameters
Schwab.com (Login Page)
<script src="https://ad.doubleclick.net...
Ringo.com (Login Page)
<iframe src="http://ads.monster.com...
<embed src="http://m1.2mdn.net...
<script src="http://m1.2mdn.net...
<script src="http://pagead2.googlesyndication.com...
<script src="http://update.videoegg.com...
<script src="http://4.adbrite.com...
<script src="http://media.monster.com...
<script src="http://cookie.monster.com...
Summary
• Lots of bad things out to get you
• Will be covering specific attacks
• Browser defenses
• More to come ….
• Stay tuned
The End
• Next Time
– Web based Attacks, XSS and others