What makes a network vulnerable
Over the last several years, cyberattacks have become more sophisticated, extensive, frequent and harder to defend against, and most practitioners expect them to keep growing more complex and aggressive. Some of the most prevalent types of network attack that any IT professional should recognize are discussed in this section. They are only a sample of the many ways attackers infiltrate networks, and attackers keep developing new ones.

Just as there are many ways to infiltrate a network, there are many techniques IT professionals can use to secure one. No single control is enough; a combination of techniques, chosen for the needs of your organization, gives the best coverage.

Below is a very basic overview of some of the most important, but often underestimated, steps IT professionals should take to secure a network.

Always know who has access to your network and servers. Not everyone in your organization needs physical or electronic access to everything on the network, so grant access by role rather than by default.

Physically protect your servers and network devices. Keep them in a locked location and do not grant general access to that room or area.

Never assume that your network is completely secure. Continually test and troubleshoot it to find what is substandard and to identify vulnerabilities, and make fixes and updates as needed.

If you do not already have a data recovery plan, create one now. Even well-secured networks get compromised; nobody wants that, but being prepared for the worst makes recovery significantly easier.

Computer networking is constantly evolving, and what was once considered a network security best practice may soon be obsolete.

The damage caused by logic bombs varies from changing a few bytes of data to making hard drives unreadable. Until their trigger condition is met, logic bombs can lie dormant on a system for weeks, months, or years.

A botnet, short for roBOT NETwork, is a group of bots: computer systems attached to a network whose security has been compromised.

They are typically controlled remotely. The Mirai botnet gained control of Internet of Things (IoT) devices such as DVRs, home printers and smart appliances by logging in with the default usernames and passwords the devices shipped with. Its operators then launched a distributed denial of service (DDoS) attack, flooding a major DNS provider with traffic and taking many popular websites offline with it.

Adware and spyware are both unwanted software. Adware is designed to serve advertisements within a web browser. While usually harmless in itself, adware is annoying for the user.

Spyware, on the other hand, is malware designed to gain access to your computer and harvest data from it. Attackers sell that data to advertisers or data brokers, capture your bank account information, or steal your identity. Spyware is often downloaded in a software bundle or from file-sharing sites. A rootkit is a backdoor program that lets a threat actor maintain command and control over a computer without the user knowing.

This access can result in full control over the targeted system. Some antivirus software can detect rootkits, but once present they are difficult to remove cleanly. Social engineering attacks have become a popular way for threat actors to bypass authentication and authorization controls and gain access to a network without defeating them technically.

These attacks have increased significantly in the last five years and have become a lucrative business. A user who accidentally downloads an attachment or clicks a link to a site carrying malicious code can cost an organization thousands in damages. Note that such an event alone does not prove malicious intent on the user's part: the user may be the victim of a social engineering attack. A phishing email scam is a message that appears to come from a legitimate user or business and tries to trick the recipient into providing sensitive information such as a username and password, downloading or opening an application, or transferring money.

Phishing relies on creating false trust, which is why threat actors imitate familiar websites and senders. When the user enters credentials on the fake page, the attackers log the username and password. The damage varies with what the stolen information unlocks; a personal user may have a bank account siphoned or an identity stolen. Spear phishing is similar to phishing in that it attempts to trick a user.

However, spear phishing messages are tailored with personal information about the target to get that person to click a link, and they often add urgency or a threat to the victim's money as bait. For example, a message purporting to come from Bank of America tells "Amy B" that someone has tried to access her account and that the bank has locked it.

To resolve the issue, Amy need only click the link and reset her password. The attackers hope that Amy, panicked about her money, clicks the link and hands over her login information. Whaling is phishing that targets a high-profile executive or manager, who has more critical information to lose.

Whaling emails differ from other phishing in that the messages and the web pages serving the scam are crafted to look official. Vishing, a combination of voice and phishing, is a phishing attack carried out over the phone, typically over a Voice over IP (VoIP) line.

Threat actors use tools built for VoIP systems to drive auto-dialers and send robocalls from a spoofed caller ID. In , nearly 48 billion robocalls were made in the U.S. In some cases the caller claims that your system has been hacked and the password must be updated; in others the caller is disarmingly friendly. Smishing is the same attack carried over SMS text messages: the victim is misled into providing sensitive information to a threat actor.

That information includes account names and passwords and bank account or credit card numbers. The message may also carry a shortened URL; in most cases clicking it redirects the user to a malicious site.

Spam has been plaguing inboxes since the inception of email.

Optical fiber has two security advantages over copper. First, an optical network must be tuned carefully each time a new connection is made, so a crude tap is hard to hide: clipping just one fiber in a bundle destroys the balance in the network.

Second, optical fiber carries light, not electricity. Light does not radiate a magnetic field as current does, so an inductive tap is impossible on an optical fiber cable. Using fiber, however, does not guarantee security any more than using encryption does. The repeaters, splices, and taps along a cable are places at which data may be available more easily than in the fiber itself, and a bend coupler can leak light from a bare fiber with a loss small enough to go unnoticed unless optical power levels are monitored.

The connections from computing equipment to the fiber may also be points for penetration. By itself, fiber is much more secure than copper cable, but it has vulnerabilities too. Wireless networking has become very popular, with good reason.

With wireless, people are not tied to a wired connection; they are free to roam throughout an office, house, or building while maintaining a connection. Universities, offices, and even home users like being able to connect to a network without the cost, difficulty, and inconvenience of running wires.

The difficulties of wireless arise from the ability of intruders to intercept and spoof a connection. As we noted earlier, wireless communications travel by radio. In the United States, wireless computer connections share frequencies with garage door openers, the short-range radios used as baby monitors, some cordless telephones, and other very short distance applications.

Although the band is crowded, few applications from any single user are expected on it at once, so contention or interference is not the main problem.

But the major threat is not interference; it is interception. A wireless signal is strong for approximately to feet. To appreciate those figures, picture an ordinary ten-story office building, ten offices wide by five offices deep, like many buildings in office parks or on university campuses. Assume you set up a wireless base station in a corner of the top floor.

That station could receive signals transmitted from the opposite corner of the ground floor. If there were a similar building adjacent, the signal could also be received throughout that building, too.

Few people would care to listen to someone else's baby monitor, but many people could, and do, take advantage of a passive or active wiretap of a network connection. A strong signal is picked up easily, and with an inexpensive directional antenna a wireless signal can be received several miles away. In other words, someone who wanted your particular signal could collect it from several streets away.

Parked in a truck or van, the interceptor could monitor your communications for quite some time without arousing suspicion. Interception of wireless traffic is always a threat, by passive or active wiretapping. The sidebar below illustrates how software faults can make interception easier than you might think. You might expect encryption to address the threat. Unfortunately, encryption is not always used for wireless communication, and the encryption built into some wireless devices is not strong enough to deter a dedicated attacker.

The New Zealand Herald [GRI02] reports that a major telecommunications company was forced to shut down its mobile e-mail service because of a security flaw in its wireless network software.

The flaw affected users on the company's CDMA network who were sending e-mail from their WAP (Wireless Application Protocol)-enabled mobile phones. The vulnerability appeared when the user finished an e-mail session: the software did not actually end the WAP session for another 60 seconds. If a second customer initiated an e-mail session within those 60 seconds and was connected to the same port as the first, the second customer could view the first customer's message.

The company blamed third-party software supplied by a mobile portal. Nevertheless, the company was highly embarrassed, especially because it regarded "perceived security issues with wireless networks" as "a major factor threatening to hold the [wireless] technology's development back." It is estimated that 85 percent of wireless users do not enable encryption on their access points, and weaknesses in the WEP protocol leave many of the remaining 15 percent vulnerable.

Anyone with a wireless network card can search for an available network. Internet bulletin boards have maps of metropolitan areas with dots showing wireless access points. The so-called parasitic grid movement is an underground attempt to allow strangers to share wireless Internet access in metropolitan areas.

And then there are wireless LAN users who refuse to shut off their service. Retailer BestBuy was embarrassed by a customer who bought a wireless product.

While in the parking lot, he installed it in his laptop computer. Much to his surprise, he found he could connect to the store's wireless network. BestBuy subsequently took all its wireless cash registers offline.

But the CVS pharmacy chain announced plans to continue using wireless networks in all of its stores, arguing, "We use wireless technology strictly for internal item management. If we were to ever move in the direction of transmitting [customer] information via in-store wireless LANs, we would encrypt the data" [BRE02]. Of the wireless communication standards, the -b and -a variants are very similar, differing primarily in which frequency band they use and what transfer rate they support.

The -b standard supports up to 11 Mbps (million bits per second), and -a up to 54 Mbps. WEP, the encryption originally built into the standard, is a classical stream cipher (RC4) with a short key.

As we noted in Chapter 2, a key that short can be discerned by any interested attacker. Yet surveys reveal that even this weak protection is disabled in 85 percent of deployments.

Moreover, even when encryption is used, the design of the encryption solution sometimes makes it easy to crack. Wireless also admits a second problem: rogue use of a network connection. The Dynamic Host Configuration Protocol (DHCP) hands out addresses on demand. This is useful in office or campus settings, where not all clients are active at any time, because a small number of IP addresses can be shared among many users.

Essentially the addresses are available in a pool. This scheme has a big authentication problem: unless the host authenticates users before assigning a connection, any requesting client gets an IP address and network access. Typically this assignment occurs before the user on the client workstation identifies and authenticates to any server, so there may be no authenticable identity the DHCP server can demand.

The situation is serious enough that in some metropolitan areas a map is available showing many access points that accept wireless connections. There are many points at which network traffic is available to an interceptor. The figure Wiretap Vulnerabilities illustrates how communications are exposed from origin to destination. From a security standpoint, assume that every communication link between network nodes can be broken. For this reason, commercial network users employ encryption to protect the confidentiality of their communications, as we demonstrate later in this chapter.

Local network communications can be encrypted, although for performance reasons it may be preferable to protect local connections with strong physical and administrative security instead.

Internet protocols are publicly posted for scrutiny by the entire Internet community. Many problems with protocols have been identified by sharp reviewers and corrected before the protocol was established as a standard.

But protocol definitions are made and reviewed by fallible humans, and protocols are implemented by fallible humans. For example, TCP connections are established through sequence numbers: the client (initiator) sends a sequence number to open a connection, the server responds with an acknowledgment of that number and a sequence number of its own, and the client responds with an acknowledgment of the server's sequence number.

Suppose, as Morris [MOR85] pointed out, that someone can guess the sequence number a server will use next. That person could impersonate a client in an interchange, completing the handshake blind without ever seeing the server's reply. Early implementations incremented initial sequence numbers regularly, so the next number was easy to predict; modern stacks randomize them (RFC 6528), but the lesson about guessable protocol state stands. Similar protocol problems are summarized in [BEL89]. In many instances there is an easier way than wiretapping to obtain information on a network: impersonate another person or process.
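The prediction Morris described, played out as an added example that is not from the page: a toy server whose initial sequence numbers advance by a constant step per connection (the step size and start value are assumptions) next to one that draws them at random, and an attacker who opens two legitimate connections, infers the step, and predicts the ISN the victim's connection will receive. Nothing here touches a real network.

```python
"""Simulated initial-sequence-number (ISN) prediction; all values constructed."""
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


class PredictableISN:
    """Toy server clock: ISN grows by a fixed step on each connection (assumed)."""

    def __init__(self, start=0x1000, step=64000):
        self._next = start % MOD
        self._step = step % MOD

    def isn(self):
        """Return the ISN for the next connection and advance the counter."""
        value = self._next
        self._next = (self._next + self._step) % MOD
        return value


class RandomISN:
    """What modern stacks approximate: an ISN the attacker cannot derive from
    earlier ones (RFC 6528 keys a hash of the connection 4-tuple with a secret)."""

    def isn(self):
        return secrets.randbelow(MOD)


def predict_next(server):
    """Attacker's side: open two legitimate connections, observe both ISNs,
    infer the per-connection step and predict the ISN of the third."""
    first, second = server.isn(), server.isn()
    step = (second - first) % MOD          # modular difference handles wraparound
    return (second + step) % MOD


def attack_succeeds(server):
    """Predict, then let the server hand the real ISN to the victim's connection
    and check whether a blind, spoofed final handshake packet would have matched."""
    guess = predict_next(server)
    victim_isn = server.isn()
    return guess == victim_isn


if __name__ == "__main__":
    print("predictable generator:", attack_succeeds(PredictableISN()))  # True
    print("randomized generator: ", attack_succeeds(RandomISN()))       # almost surely False
```

The attacker never needs to see the server's reply to the spoofed SYN: with the ISN known in advance, the final packet of the handshake can be forged blind, which is exactly why guessable protocol state is an impersonation problem rather than a wiretapping one.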

Why risk tapping a line, or why bother extracting one communication out of many, if you can obtain the same data directly? Impersonation is a more significant threat in a wide area network than in a local one. Local individuals often have better ways to obtain access as another user; they can, for example, simply sit at an unattended workstation.

Still, impersonation attacks should not be ignored even on local area networks, because local networks are sometimes attached to wider area networks without anyone first thinking through the security implications. One way to impersonate is to pick up the identity and authentication details of the target from a previous communication or from wiretapping. Another is to guess them: Chapter 4 reported the results of several studies showing that many users choose easy-to-guess passwords.

In Chapter 3, we saw that the Internet worm capitalized on exactly that flaw. Morris's worm tried to impersonate each user on a target machine by trying, in order, a handful of variations of the user name, a list of common passwords and, finally, the words in a dictionary. Sadly, many accounts are still open to these easy attacks.

A second source of password guesses is default passwords. Administrators often forget to delete or disable default accounts, or at least to change their passwords. In a trustworthy environment, such as an office LAN, a password may be nothing more than a signal that the user does not want others to use the workstation or account, even when that workstation contains sensitive data such as employee salaries or information about new products.

Users may think that the password is enough to keep out a curious colleague; they see no reason to protect against concerted attacks.

However, if that trustworthy environment is connected to an untrustworthy wider-area network, all users with simple passwords become easy targets. Indeed, some systems are not originally connected to a wider network, so their users begin in a less exposed situation that clearly changes when the connection occurs. Dead accounts offer a final source of guessable passwords.

To see how, suppose Professor Romine, a faculty member, takes leave for a year to teach at another university. The existing account may reasonably be kept on hold, awaiting the professor's return.

But an attacker, reading the university newspaper online, learns that the professor is away. Now the attacker telephones the system administration staff: "Hello, this is Professor Romine calling from my temporary office at State University. I haven't used my account for quite a while, but now I need something from it urgently, and I have forgotten the password." If the attacker instead tries guessing until the system locks the account administratively, the same social engineering call follows.

In all these ways the attacker may succeed in resetting or discovering a password. Because of the rise in distributed and client-server computing, some users have access privileges on several connected machines.

To protect against arbitrary outsiders using these accesses, authentication is required between hosts. It can involve the user directly, or it can be done automatically on the user's behalf through a host-to-host authentication protocol.

In either case, the account and authentication details of the subject are passed to the destination host. When these details are passed on the network, they are exposed to anyone observing the communication on the network. These same authentication details can be reused by an impersonator until they are changed. Because transmitting a password in the clear is a significant vulnerability, protocols have been developed so that the password itself never leaves a user's workstation. But, as we have seen in several other places, the details are important.

Microsoft LAN Manager was an early network implementation. Its password exchange never transmitted the password in the clear; only a cryptographic hash of it was sent. A password could be up to 14 characters long, but it was upper-cased, padded with nulls to 14 characters, and split into two 7-character substrings, each of which was hashed independently. The two halves could therefore be attacked separately.

A 7-character or shorter password had all nulls in the second substring, which produced a constant, instantly recognizable hash. An 8-character password had 1 character and 6 nulls in the second substring, so 67 guesses would find that character. The work factors for a full 7-character half and for a 1-character half differ by a factor of 67^6, on the order of tens of billions. See [MUD97] for details. This is a good example of why security and cryptography are very precise and must be reviewed by experts from concept through design and implementation.
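The split-hash weakness, as an added example that is not from the page or from Microsoft: real LM upper-cases the password, pads it with nulls to 14 bytes, splits it into two 7-byte halves and uses each half as a DES key to encrypt the constant "KGS!@#$%". DES is not in Python's standard library, so a keyed SHA-256 stands in for it here (an assumption); the property being shown, that the halves are hashed independently and so can be cracked independently, does not depend on which one-way function is used. The character set is slightly larger than the page's 67 symbols.

```python
"""LAN Manager-style split hashing and why it collapses the work factor."""
import hashlib
import string

# LM accepts upper-case letters, digits and punctuation; the page counts 67 symbols.
CHARSET = string.ascii_uppercase + string.digits + string.punctuation
HALF = 7


def _half_hash(half):
    # Stand-in for DES_encrypt(key=half, "KGS!@#$%"); any one-way function shows the flaw.
    return hashlib.sha256(b"LM-stand-in:" + half).digest()[:8]


def lm_like_hash(password):
    """Return (hash_of_first_half, hash_of_second_half), as LM does."""
    padded = password.upper().encode("ascii").ljust(2 * HALF, b"\x00")[: 2 * HALF]
    return _half_hash(padded[:HALF]), _half_hash(padded[HALF:])


EMPTY_HALF = _half_hash(b"\x00" * HALF)  # constant produced by any password <= 7 chars


def second_half_is_empty(hashes):
    """Instant check: a 7-character-or-shorter password is recognized at once."""
    return hashes[1] == EMPTY_HALF


def crack_half(target, max_len, charset=CHARSET):
    """Brute-force one half on its own, counting guesses.
    Returns (recovered_text, guesses) or (None, guesses)."""
    guesses = 0
    candidates = [b""]
    for _ in range(max_len):
        candidates = [c + ch.encode() for c in candidates for ch in charset]
        for cand in candidates:
            guesses += 1
            if _half_hash(cand.ljust(HALF, b"\x00")) == target:
                return cand.decode(), guesses
    return None, guesses


def crack_password_tail(password, max_len=2):
    """Recover the characters past position 7 of `password` from its hash alone."""
    hashes = lm_like_hash(password)
    if second_half_is_empty(hashes):
        return "", 0
    return crack_half(hashes[1], max_len)


def half_work_factors(length, charset_size=len(CHARSET)):
    """Worst-case guesses to exhaust each half independently for a password
    of `length` characters; the page's 8-character case gives 67**7 vs 67."""
    first = charset_size ** min(length, HALF)
    second = charset_size ** max(length - HALF, 0)
    return first, second
```

Because the second half is hashed on its own, its length is visible from the hash (an all-null half is a known constant) and a one-character tail falls in at most one pass over the character set; a monolithic 14-character hash would give the attacker neither piece of information.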

Obviously, authentication is effective only when it works. A weak or flawed authentication allows access to any system or person who can circumvent the authentication.

In a classic operating system flaw, the buffer for typed characters in a password was of fixed size, counting all characters typed, including backspaces for correction. If a user typed more characters than the buffer would hold, the overflow caused the operating system to bypass password comparison and act as if a correct authentication had been supplied. These flaws or weaknesses can be exploited by anyone seeking access.

In a local environment, many users are not aware of which networked operating system is in use; still fewer would know of, be capable of, or be interested in exploiting flaws. However, some hackers regularly scan wide area networks for hosts running weak or flawed operating systems. Thus, connection to a wide area network, especially the Internet, exposes these flaws to a wide audience intent on exploiting them. If two computers are used by the same users to store data and run processes and if each has authenticated its users on first access, you might assume that computer-to-computer or local user-to-remote process authentication is unnecessary.

These two computers and their users form a trustworthy environment in which the added complexity of repeated authentication seems excessive. However, this assumption is not valid. To see why, consider Unix. Its trusted-hosts files are intended to support computer-to-computer connection by users who have already been authenticated at their primary hosts. Those same "trusted hosts" can be exploited by outsiders who obtain access to one system through an authentication weakness such as a guessed password and then hop to another system that accepts the authenticity of any user arriving from a system on its trusted list.

An attacker may also realize that a system has some identities requiring no authentication. Some systems have "guest" or "anonymous" accounts to allow outsiders to access things the systems want to release to anyone. For example, a bank might post a current listing of foreign currency rates, a library with an online catalog might make that catalog available for anyone to search, or a company might allow access to some of its reports. A user can log in as "guest" and retrieve publicly available items.

Typically no password is required, or the user is asked for a password and told to type "GUEST" or "your name", meaning any string that looks like a name. Each of these accounts admits unauthenticated users. Authentication data should be unique and difficult to guess.

But unfortunately, the convenience of one, well-known authentication scheme sometimes usurps the protection. For example, one computer manufacturer planned to use the same password to allow its remote maintenance personnel to access any of its computers belonging to any of its customers throughout the world.

Fortunately, security experts pointed out the danger before the idea was put in place. The Simple Network Management Protocol (SNMP) is widely used for remote management of network devices, such as routers and switches, that support no ordinary users. SNMP uses a "community string," essentially a password shared by the community of devices that may interact with one another. But network devices are designed for quick installation with minimal configuration, and many administrators never change the default community string installed on a router or switch.

This laxity leaves devices on the network perimeter open to many SNMP attacks; with SNMPv1 and v2c the community string also travels in cleartext, so it is exposed to any wiretap. Some vendors still ship computers with a single system administration account installed and a default password.
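A check for the default community strings the passage warns about, as an added example that is not from the page: it scans device configuration text in Cisco IOS syntax (`snmp-server community <string> RO|RW [acl]`) and flags shipped defaults and read-write communities. The two configurations below are constructed, and the device names are invented.

```python
"""Audit device configs for default or read-write SNMP community strings."""
import re

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_LINE = re.compile(
    r"^\s*snmp-server\s+community\s+(\S+)\s+(RO|RW)\b", re.IGNORECASE
)

# Constructed sample: one device still on shipped defaults, one configured properly.
SAMPLE_CONFIGS = {
    "edge-router-1": """
hostname edge-router-1
snmp-server community public RO
snmp-server community private RW
""",
    "core-switch-1": """
hostname core-switch-1
snmp-server community 7Gx!qzL9m RO 10
snmp-server location rack-4
""",
}


def audit_snmp(config_text):
    """Return a list of findings (strings) for one device's configuration."""
    findings = []
    for line in config_text.splitlines():
        match = COMMUNITY_LINE.match(line)
        if not match:
            continue
        community, mode = match.group(1), match.group(2).upper()
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default community '{community}' grants {mode} access")
        if mode == "RW":
            findings.append(f"read-write community '{community}' is enabled")
    return findings


def audit_fleet(configs):
    """Map each device name to its findings; an empty list means clean."""
    return {name: audit_snmp(text) for name, text in configs.items()}


if __name__ == "__main__":
    for device, findings in audit_fleet(SAMPLE_CONFIGS).items():
        print(device, findings or "ok")
```

Even a non-default v2c community only raises the bar for an attacker on the wire, since the string is sent in the clear; the read-write finding matters more than the default one because an RW community lets a remote party change the device's configuration.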

Or the systems come with a demonstration or test account with no password required, and some administrators fail to change the passwords or delete these accounts. Finally, authentication becomes a problem when identification is delegated to other trusted sources. For instance, a file may indicate who can be trusted on a particular host, or the authentication mechanism of one system may "vouch for" a user, as the Unix trusted-hosts files noted earlier do. While these features are useful to users who have accounts on multiple machines and for network management, maintenance, and operation, they must be used very carefully.

Guessing or otherwise obtaining the network authentication credentials of an entity (a user, an account, a process, a node, a device) permits an attacker to carry on a full communication under that entity's identity. Impersonation falsely represents a valid entity in a communication. Closely related is spoofing, in which an attacker falsely carries on one end of a networked interchange.

Examples of spoofing are masquerading, session hijacking, and man-in-the-middle attacks. In a masquerade one host pretends to be another. A common example is URL confusion: domain names are easily confused, and certain names are easily mistyped (xyz., names with or without hyphens such as coca-cola., and so on). From the attacker's point of view, the fun in masquerading comes before the mask is removed.

For example, suppose you want to attack a real bank, First Blue Bank of Chicago, whose domain name is Blue-Bank. You put up a web page at BlueBank. and ask visitors to log in with their name, account number, and password or PIN. Users can be redirected to your page in many ways.

For example, you can pay for a banner ad that links to your site instead of the real bank's, or you can send e-mail to Chicago residents and invite them to visit your site. After collecting personal data from several bank users, you can drop the connection, pass the connection on to the real Blue Bank, or continue to collect more information.

You may even be able to hand the connection over smoothly to an authenticated session with the real Blue Bank so that the user never notices the detour. When this was written there were no known cases of this kind of fraudulent connection involving banks or finance; the phishing sites imitating banks described earlier on this page have since made it routine.

But there are two U.S.

In another version of a masquerade, the attacker exploits a flaw in the victim's web server and overwrites the victim's web pages. Although there is some public humiliation in having one's site defaced, perhaps with obscenities or messages opposing the site's purpose (a plea for vegetarianism on a slaughterhouse site, say), most visitors would not be fooled by a site displaying a message absolutely contrary to its aims.

However, a clever attacker can be more subtle. Instead of standing out from the real site, the attacker can build a false site that resembles the real one, to obtain sensitive information (names, authentication numbers, credit card numbers) or to induce the user to enter into a real transaction.
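The name confusion that masquerades rely on, as an added example that is not from the page: a generator for the single-edit look-alikes of a domain (hyphen added or dropped, as in Blue-Bank versus BlueBank, adjacent letters transposed, a letter dropped or doubled, look-alike characters substituted) that a defender can pre-register or watch for in new-registration feeds. The domain names used here are constructed, and the code assumes a single-label top-level domain.

```python
"""Enumerate confusable variants of a domain name for defensive monitoring."""

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}


def _label_variants(label):
    """Single-edit variants of one DNS label (the part before the TLD)."""
    out = set()
    bases = {label, label.replace("-", "")}            # with and without hyphens
    for base in bases:
        n = len(base)
        for i in range(1, n):                           # insert a hyphen
            out.add(base[:i] + "-" + base[i:])
        for i in range(n - 1):                          # swap adjacent characters
            if base[i] != base[i + 1]:
                out.add(base[:i] + base[i + 1] + base[i] + base[i + 2:])
        for i in range(n):                              # drop or double one character
            out.add(base[:i] + base[i + 1:])
            out.add(base[:i] + base[i] + base[i:])
        for i, ch in enumerate(base):                   # look-alike substitution
            if ch in HOMOGLYPHS:
                out.add(base[:i] + HOMOGLYPHS[ch] + base[i + 1:])
    out |= bases
    out.discard(label)
    # keep only labels that are valid DNS: no leading/trailing or doubled hyphens
    return {
        v for v in out
        if v and not v.startswith("-") and not v.endswith("-") and "--" not in v
    }


def lookalikes(domain):
    """All single-edit look-alikes of `domain` (label.tld), excluding itself."""
    label, _, tld = domain.lower().rpartition(".")
    return {f"{v}.{tld}" for v in _label_variants(label)}


def is_lookalike(candidate, legitimate):
    """True if `candidate` is one edit away from `legitimate`."""
    return candidate.lower() in lookalikes(legitimate)


if __name__ == "__main__":
    for name in sorted(lookalikes("blue-bank.com"))[:10]:
        print(name)
```

Matching registrations against this set is cheap and catches the Blue-Bank/BlueBank case directly; it does not catch subdomain tricks such as a legitimate-looking name used as a subdomain of an attacker's domain, which need a separate check on the registrable domain.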

Session hijacking is intercepting and carrying on a session begun by another entity: two entities enter a session, then a third intercepts the traffic and continues the session in the name of one of them. The Books-R-Us example could be an instance of this technique. If Books Depot used a wiretap to intercept packets between you and Books-R-Us, Books Depot could simply monitor the flow, letting Books-R-Us do the hard work of displaying titles for sale and convincing you to buy.

Then, when the user has completed the order, Books Depot intercepts the "I'm ready to check out" packet, and finishes the order with the user, obtaining shipping address, credit card details, and so forth.

To Books-R-Us, the transaction would look like any other incomplete transaction: The user was browsing but for some reason decided to go elsewhere before purchasing. We would say that Books Depot had hijacked the session. A different type of example involves an interactive session, for example, using Telnet. If a system administrator logs in remotely to a privileged account, a session hijack utility could intrude in the communication and pass commands as if they came from the administrator.

Our hijacking example requires a third party involved in a session between two entities. A man-in-the-middle attack is a similar form of attack, in which one entity intrudes between two others.

The difference between man-in-the-middle and hijacking is that a man-in-the-middle usually participates from the start of the session, whereas a session hijacking occurs after a session has been established. The difference is largely semantic and not too significant. Man-in-the-middle attacks are frequently described in protocols.

To see how, suppose you want to exchange encrypted information with a friend. You contact a key server and ask for a secret key with which to communicate; the key server responds by sending the key to you and your friend. One man-in-the-middle attack assumes someone can see and enter into all parts of this protocol: a malicious middleman intercepts the key in transit and can then eavesdrop on, or even decrypt, modify, and re-encrypt, any subsequent communication between you and your friend.

This attack, depicted in the figure, is foiled if public keys are used instead, because the man-in-the-middle lacks the private key needed to decrypt messages encrypted under your friend's public key. So the man-in-the-middle attack becomes the three-way interchange its name implies.

The man-in-the-middle intercepts your request to the key server and instead asks for your friend's public key.

The man-in-the-middle passes you his own public key, not your friend's. You encrypt using the key you received; the man-in-the-middle intercepts, decrypts, reads, and re-encrypts under your friend's real public key; and your friend receives an apparently normal message. In this way the man-in-the-middle reads everything and neither you nor your friend is aware of the interception. A slight variation of this attack works for distributing a secret key under a public key. The defense is to authenticate public keys, by certificate or by an out-of-band fingerprint check, rather than trust whatever arrives on the channel.
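The key-substitution attack above, played out as an added example that is not from the page: a toy Diffie-Hellman exchange stands in for the page's public-key distribution (a swapped-in technique), Mallory replaces both parties' public values with his own, derives one key with each side and relays traffic, and a fingerprint check against Bob's real public value, assumed to be obtained out of band, exposes the substitution. The group parameters are deliberately tiny and must not be used for real traffic; the names and messages are constructed.

```python
"""Man-in-the-middle on an unauthenticated public-key exchange, and the fingerprint check."""
import hashlib
import secrets

P = 2 ** 127 - 1  # toy prime modulus (assumption: far too small for real use)
G = 5


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """Derive a 32-byte key from the DH shared secret with the given peer value."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def fingerprint(pub):
    """Short digest a user could compare out of band (by phone, on a card)."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


def encrypt(key, data):
    """Toy stream cipher: XOR with a SHA-256 keystream; symmetric, so it also decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_exchange(with_mallory):
    """Alice and Bob exchange public values over a channel Mallory may control.
    Returns what each party ends up holding and whether Alice's check passes."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if with_mallory:
        m_priv, m_pub = keypair()
        alice_sees, bob_sees = m_pub, m_pub      # Mallory substitutes his own value both ways
        mallory_keys = (shared_key(m_priv, a_pub), shared_key(m_priv, b_pub))
    else:
        alice_sees, bob_sees = b_pub, a_pub
        mallory_keys = None
    return {
        "alice_key": shared_key(a_priv, alice_sees),
        "bob_key": shared_key(b_priv, bob_sees),
        "mallory_keys": mallory_keys,
        # the check that catches substitution: does the value Alice received
        # match Bob's real fingerprint, learned out of band?
        "fingerprint_ok": fingerprint(alice_sees) == fingerprint(b_pub),
    }


def mallory_relay(state, ciphertext):
    """Decrypt with the Alice-side key, read (or alter), re-encrypt for Bob."""
    k_alice, k_bob = state["mallory_keys"]
    plaintext = encrypt(k_alice, ciphertext)
    return plaintext, encrypt(k_bob, plaintext)
```

Without the fingerprint check Alice and Bob both hold a valid-looking key and their traffic flows normally, which is why the attack goes unnoticed; the check works only because the fingerprint reaches Alice over a path Mallory does not control.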

An attacker can easily violate message confidentiality and perhaps integrity because of the public nature of networks. Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. Here we consider several other vulnerabilities that can affect confidentiality. Sometimes messages are misdelivered because of some flaw in the network hardware or software.

Most frequently, messages are lost entirely, which is an integrity or availability issue. Occasionally, however, a destination address is corrupted or a handler malfunctions, causing a message to be delivered to someone other than the intended recipient. All of these "random" events are uncommon. More frequent than network flaws are human errors. It is far too easy to mistype an address such as , as , or ,, or to type "idw" or "iw" instead of "diw" for David Ian Walker, who is called Ian by his friends.

There is simply no justification for a computer network administrator to identify people by meaningless long numbers or cryptic initials when "iwalker" would be far less prone to human error.

To protect the confidentiality of a message, we must track it all the way from its creation to its disposal. Along the way, the content of a message may be exposed in temporary buffers; at switches, routers, gateways, and intermediate hosts throughout the network; and in the workspaces of processes that build, format, and present the message.

In earlier chapters, we considered confidentiality exposures in programs and operating systems. All of them apply to networked environments as well, and a malicious attacker can use any of them as part of a general or focused attack on message confidentiality. Passive wiretapping is one source of message exposure; so is subversion of the structure by which a communication is routed to its destination. Finally, intercepting the message at its source, its destination, or any intermediate node can expose it.

Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive. For example, if the enemy during wartime sees a large amount of network traffic between headquarters and a particular unit, the enemy may be able to infer that significant action is being planned involving that unit.

In a commercial setting, messages sent from the president of one company to the president of a competitor could lead to speculation about a takeover or conspiracy to fix prices. Or communications from the prime minister of one country to another with whom diplomatic relations were suspended could lead to inferences about a rapprochement between the countries.

In these cases, we need to protect both the content of messages and the header information that identifies sender and receiver. In many cases, the integrity or correctness of a communication is at least as important as its confidentiality.

In fact, for some situations, such as passing authentication data, the integrity of the communication is paramount. In other cases, the need for integrity is less obvious. Next we consider threats based on failures of integrity in communication. Increasingly, people depend on electronic messages to justify and direct actions. For example, if you receive a message from a good friend asking you to meet at the pub for a drink next Tuesday evening, you will probably be there at the appointed time.

Likewise, you will comply with a message from your supervisor telling you to stop work on project A and devote your energy instead to project B. As long as it is reasonable, we tend to act on an electronic message just as we would on a signed letter, a telephone call, or a face-to-face communication. However, an attacker can take advantage of our trust in messages to mislead us. In particular, an attacker may. Signals sent over communications media are subject to interference from other traffic on the same media, as well as from natural sources, such as lightning, electric motors, and animals.

Such unintentional interference is called noise. These forms of noise are inevitable, and they can threaten the integrity of data in a message. Fortunately, communications protocols have been intentionally designed to overcome the negative effects of noise. Processes in the communications stack detect errors and arrange for retransmission, all invisible to the higher-level applications.

Thus, noise is scarcely a consideration for users in security-critical applications. One of the most widely known attacks is the web site defacement attack.

Because of the large number of sites that have been defaced and the visibility of the result, the attacks are often reported in the popular press. A defacement is common not only because of its visibility but also because of the ease with which one can be done.

Web sites are designed so that their code is downloaded, enabling an attacker to obtain the full hypertext document and all programs directed to the client in the loading process. An attacker can even view programmers' comments left in as they built or maintained the code. The download process essentially gives the attacker the blueprints to the web site.

The ease and appeal of a defacement are enhanced by the seeming plethora of vulnerabilities that web sites offer an attacker. For example, between December and June, the first 18 months after its release, Microsoft provided 17 security patches for its web server software, Internet Information Server (IIS) version 4.

And version 4. The web site vulnerabilities enable attacks known as buffer overflows, dot-dot problems, application code errors, and server-side include problems. Buffer overflow is alive and well on web pages, too. It works exactly the same as described in Chapter 3: The attacker simply feeds a program far more data than it expects to receive. A buffer size is exceeded, and the excess data spill over into adjoining code and data locations.

Perhaps the best-known web server buffer overflow is the file name problem known as iishack. To execute the procedure, an attacker supplies as parameters the site to be attacked and the URL of a program the attacker wants that server to execute.

Other web servers are vulnerable to extremely long parameter fields, such as passwords of length 10, or a long URL padded with space or null characters. Web server code should always run in a constrained environment. Ideally, the web server should never have editors, xterm and Telnet programs, or even most system utilities loaded. By constraining the environment in this way, even if an attacker escapes from the web server application, no other executable programs will help the attacker use the web server's computer and operating system to extend the attack.
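As an added illustration, not code from the text, here is a C fragment that copies a password field out of a URL query string into a fixed-size buffer, first without and then with the length check that prevents the spill-over described above; the query format and the 32-byte limit are assumptions.

```c
/* Added example, not from the text: copying one URL query parameter (a
 * password) into a fixed-size buffer.  The unchecked version is the flaw
 * the text describes; the checked version refuses input that does not fit. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define PASSWORD_MAX 32   /* hypothetical limit the application expects */

/* Locate "name=value" in "k1=v1&k2=v2...".  Returns the value length and
 * points *value at its first byte, or returns -1 if the key is absent. */
static long find_param(const char *query, const char *name, const char **value)
{
    size_t nlen = strlen(name);
    const char *p = query;
    while (p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *value = p + nlen + 1;
            const char *end = strchr(*value, '&');
            return end ? (long)(end - *value) : (long)strlen(*value);
        }
        p = strchr(p, '&');          /* advance to the next "key=" */
        if (p) p++;
    }
    return -1;
}

/* VULNERABLE (never called here): copies however many bytes the client
 * sent.  A value longer than PASSWORD_MAX overruns 'password' on the stack
 * into adjoining data, exactly the spill-over the text describes. */
void copy_password_unchecked(const char *query)
{
    char password[PASSWORD_MAX];
    const char *v;
    long len = find_param(query, "password", &v);
    if (len >= 0) {
        memcpy(password, v, (size_t)len);   /* no bound check */
        password[len] = '\0';
    }
}

/* HARDENED: the same copy, but the request is rejected when the value
 * would not fit with its terminator.  Returns true only if 'out' is valid. */
bool copy_password_checked(const char *query, char *out, size_t outsz)
{
    const char *v;
    long len = find_param(query, "password", &v);
    if (len < 0 || (size_t)len >= outsz)    /* absent or too long: refuse */
        return false;
    memcpy(out, v, (size_t)len);
    out[len] = '\0';
    return true;
}
```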

The code and data for web applications can be transferred manually to a web server or pushed as a raw image. They expect to need to edit a web application in place, so they expect to need editors and system utilities to give them a complete environment in which to program.

A second, less desirable, approach to preventing an attack is to create a fence confining the web server application. With such a fence, the server application cannot escape from its area and access other potentially dangerous system areas such as editors and utilities. The server begins in a particular directory subtree, and everything the server needs is in that same subtree. Enter the dot-dot. In both Unix and Windows, '..' denotes the parent of the current directory. So someone who can enter file names can travel back up the directory tree one '..' at a time.
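The containment check such a fence needs, as an added C example that is not from the text: the requested path is normalised segment by segment and refused if any '..' would climb above the document root, before any file is opened. It assumes the path has already been percent-decoded.

```c
/* Added example, not from the text: keeping a requested path inside the
 * document root.  The path is normalised segment by segment and refused if a
 * ".." would climb above the root, before any file is opened.  '/' and '\\'
 * both count as separators because Windows servers accept either. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Normalise "req" into "out" ("/docs/../index.html" -> "/index.html").
 * Returns false if the path would leave the root or does not fit. */
bool resolve_under_root(const char *req, char *out, size_t outsz)
{
    const char *seg_start[64];   /* kept segments (64 is an arbitrary cap) */
    size_t seg_len[64], depth = 0;

    for (const char *p = req; *p; ) {
        while (*p == '/' || *p == '\\') p++;          /* skip separators */
        if (!*p) break;
        const char *seg = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - seg);
        if (n == 1 && seg[0] == '.') continue;        /* "." : no change */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return false;             /* would leave root */
            depth--;                                  /* ".." : up one level */
            continue;
        }
        if (depth == 64) return false;
        seg_start[depth] = seg;
        seg_len[depth++] = n;
    }

    /* Rebuild "/seg1/seg2/..." from the surviving segments. */
    size_t pos = 0;
    for (size_t i = 0; i < depth; i++) {
        if (pos + 1 + seg_len[i] >= outsz) return false;
        out[pos++] = '/';
        memcpy(out + pos, seg_start[i], seg_len[i]);
        pos += seg_len[i];
    }
    if (depth == 0) {                                 /* the root itself */
        if (outsz < 2) return false;
        out[pos++] = '/';
    }
    out[pos] = '\0';
    return true;
}
```

Apply it to the decoded path: a check made before percent-decoding cannot see a '..' that arrives encoded.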

Cerberus Information Security analysts found just that vulnerability in the webhits. For example, passing the following URL causes the server to return the requested file, autoexec.

A user's browser carries on an intricate, undocumented protocol interchange with the web server. To make its job easier, the web server passes context strings to the user, making the user's browser reply with full context.

A problem arises when the user can modify that context. To see why, consider our fictitious shopping site called CDs-R-Us, selling compact disks. At any given time, a server at that site may have a thousand or more transactions in various states of completion.

The site displays a page of goods to order, the user selects one, the site displays more items, the user selects another, the site displays more items, the user selects two more, and so on until the user is finished selecting. Many people go on to complete the order by specifying payment and shipping information. But other people use web sites like this one as an online catalog or guide, with no real intention of ordering. For instance, they can use this site to find out the price of the latest CD from Cherish the Ladies; they can use an online book service to determine how many books by Iris Murdoch are in print.

And even if the user is a bona fide customer, sometimes web connections fail, leaving the transaction incomplete. For these reasons, the web server often keeps track of the status of an incomplete order in parameter fields appended to the URL. These fields travel from the server to the browser and back to the server with each user selection or page request. Assume you have selected one CD and are looking at a second web page. The web server has passed you a URL similar to. You now select a second and the URL becomes.

But if you are a clever attacker, you realize that you can edit the URL in the address window of your browser. Consequently, you change each of and to . This failure is an example of the time-of-check to time-of-use flaw that we discussed in Chapter 3. The server sets (checks) the price of the item when you first display the price, but then it loses control of the checked data item and never checks it again. This situation arises frequently in server application code because application programmers are generally not aware of security (they haven't read Chapter 3!).
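The same flaw with the use re-checked, as an added C example rather than the text's own code: the CDs-R-Us server re-reads every price from its catalog at checkout instead of trusting the copy carried in the URL, and flags a mismatch as evidence that the URL was edited. The catalog, prices and field names are constructed for the example.

```c
/* Added example, not from the text: the CDs-R-Us checkout with the
 * time-of-check/time-of-use flaw closed.  Item ids and prices still travel
 * in the URL, but the server re-prices every item from its own catalog at
 * checkout and flags any client price that disagrees.  Catalog, field
 * names and prices are constructed for this example. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct item { int id; long cents; };
static const struct item catalog[] = { {1, 1599}, {2, 1299}, {3, 1899} };

/* Authoritative price lookup; -1 for an unknown item. */
static long catalog_price(int id)
{
    for (size_t i = 0; i < sizeof catalog / sizeof catalog[0]; i++)
        if (catalog[i].id == id) return catalog[i].cents;
    return -1;
}

/* Parse "item=1&price=1599&item=2&price=1299" and return the order total
 * in cents computed from the catalog, never from the URL.  Returns -1 on a
 * malformed query or unknown item.  *tampered is set if any price field
 * differs from the catalog, i.e. the URL was edited after the check. */
long checkout_total(const char *query, bool *tampered)
{
    long total = 0;
    int pending_id = -1;                     /* item= awaiting its price= */
    *tampered = false;
    for (const char *p = query; p && *p; ) {
        const char *eq = strchr(p, '=');
        const char *amp = strchr(p, '&');
        if (!eq || (amp && eq > amp)) return -1;         /* malformed */
        long v = strtol(eq + 1, NULL, 10);
        if (strncmp(p, "item=", 5) == 0) {
            pending_id = (int)v;
        } else if (strncmp(p, "price=", 6) == 0) {
            long real = catalog_price(pending_id);
            if (real < 0) return -1;                     /* unknown item */
            if (real != v) *tampered = true;             /* URL was edited */
            total += real;                               /* trust catalog */
            pending_id = -1;
        } else {
            return -1;                                   /* unknown field */
        }
        p = amp ? amp + 1 : NULL;
    }
    return total;
}
```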

A potentially more serious problem is called a server-side include. The problem takes advantage of the fact that web pages can be organized to invoke a particular function automatically. For example, many pages use web commands to send an e-mail message in the "contact us" part of the displayed page.

The commands, such as e-mail, if, goto, and include, are placed in a field that is interpreted in HTML. One of the server-side include commands is exec, to execute an arbitrary file on the server. For instance, the server-side include command.


