View
215
Download
0
Category
Tags:
Preview:
Citation preview
HOME NETWORK SECURITY – EMPHASIS ON WEB SPOOFING
CS 265
SHALINI RAMESH
TOPICS •Crisis
•Computer Crimes
•Types of Spoofing
•Web Spoofing
- working
- short term solutions
- long term solutions
•General Precautions
• Internet has grown very fast and security has lagged behind.
• Legions of hackers have emerged as impedance to entering the hackers club is low.
• It is hard to trace the perpetrator of cyber attacks since the real identities are camouflaged.
• It is very hard to track down people because of the ubiquity of the network.
• Large scale failures of internet can have a catastrophic impact on the economy which relies heavily on electronic transactions.
Crisis
• Some of the sites which have been compromised– U.S. Department of Commerce– NASA– CIA– Greenpeace– Motorola– UNICEF– Church of Christ …
• Some sites which have been rendered ineffective– Yahoo– Microsoft– Amazon …
Why Security?
Wired & Wireless Networks
Protocol- is a well defined specification that allows computers to communicate across a network.
Internet Protocol – can be thought of as a common language of computers on the internet.
IP address – every computer on the internet has an IP address associated with it. But this address may change over time due to-Dialing into ISPConnected behind a network firewallConnected to a broadband service using dynamic IP addressing.
TECHNOLOGY
Dial-up Broadband
Connection type Dial on demand Always on
IP addressChanges on each call
Static or infrequently changing
Relative connection speed
Low High
Remote control potential
Computer must be dialed in to control remotely
Computer is always connected, so remote control can occur anytime
ISP-provided security
Little or none Little or none
What can intruders do?
•Attackers can gain control of the system and launch attacks on other systems.
•They can hide their true location and attack high profile computer system in government or financial institutions.
•Intruders can program in such a way, where they can watch all the actions a person does.
•Reformat the hard disc and change the data of a good guy.
Intentional misuse of your computer
1. Trojan horse programs 2. Back door and remote administration programs 3. Denial of service 4. Being an intermediary for another attack 5. Unprotected Windows shares 6. Mobile code (Java, JavaScript, and ActiveX) 7. Cross-site scripting 8. Email spoofing 9. Email-borne viruses 10.Hidden file extensions 11.Chat clients 12.Packet sniffing
Trojan horse programs:
•Intruder tricks the computer user into installing “back door” programs.
•Intruder gets easy access to the system without the user’s knowledge.
•Intruder can change the system configuration
•He can infect the computer with virus.
Back door and remote administration programs:
•Mostly windows computers are vulnerable to this attack.
•3 tools which are commonly used by intruders to gain control are BACKORIFICE, NETBUS and SUBSEVEN.
Denial of service
•This attack causes the user’s computer to crash or it becomes very busy processing data, that the owner of the computer becomes unable to use it.
Unprotected windows shares
•Unprotected windows networking shares can be exploited by the intruders in an automated way to place tools on a large number of windows-leased computers attached to the internet.•Site security on the internet is inter- dependent.•Another threat is that worms and virus propagate thro’ unprotected windows networks.Eg: 911 worm
Mobile code ( java / java script /activex )
•These programming languages let web developers to write code and they are executed on the browser.
•This code can be used by intruders to gather information about various things, the user does on the internet.
Email borne virusesViruses and other types of malicious code mostly spread thro’ attachments with email messages.The user should never run a program which he has received from an unauthorized address.
Cross-site scripting
A bad guy may attach a script to something and send it to a website. Later when the web-site responds to the user, the malicious script is transferred to the user’s browser.
The many ways this can happen is-
•Following links in web pages, email messages without knowing what the link is.
•Using interactive forms on an untrustworthy website
•Participating in online discussion groups, where users can post text containing HTML tags only.
Definition:An attacker alters his identity so that some one
thinks he is some one else– Email, User ID, IP Address, …– Attacker exploits trust relation between user and
networked machines to gain access to machines
Types of Spoofing:1. IP Spoofing:2. Email Spoofing3. Web Spoofing4. Frame Spoofing
Spoofing
Email Spoofing
pretending to be somebody else in emails.
IP Spoofing
pretending to be somebody else’s machine( pretending to be the trusted intranet host with a particular IP address )
Frame Spoofing
attacker inserts a frame into the web-page.
one of the user frames can be controlled by an attacker while the others are normal.
DETAILS ABOUT WEB – SPOOFING
web – spoofing
pretending to be somebody else’s website.
• It is an internet security attack that could endanger the privacy of world wide web users and the integrity of their data.
•Today’s browsers like internet –explorer and Netscape navigator are vulnerable to this attack.
•Almost unnoticeable to web page visitor
•Changes are so small and buried in thousands of lines of html source code.
•www.ebay.com becomes www.ebey.com
1
2
3
4
5
Request URL
RequestURL
Send requested
URL
Rewrite pageRewritten page sent
VICTIM
ATTACKER
WWW SERVER
Classic example of
Man-in–the-middle
Working
1.Attacker registers a web address matching an entity.
2.Eg; amazone.com , ebey.com
3.Web- spoofing allows the attacker to create a “shadow copy” of the entire world wide web.
4.The user accesses this shadow web thro’ the attacker’s machine.
5.The attacker gets hold of all the personal information like user-ids, passwords, financial statements.
6.Another major drawback is that the attacker can send false or misleading data to the web servers in the user’s name or vice-versa.
7.In other words the attacker controls all the activities a user does on the web.
How the attack works?
•The attacker creates misleading context in order to trick the victim into making an inappropriate security relevant decision.
•The attacker sets up a false but convincing world around the victim.
•The victim thinks that the false world is the real world and does something which will have disastrous effects.
•After the attacker makes a copy of the page requested, looks for all special html commands that may reference a URL and changes them.
Details
URL rewriting:The attacker’s first trick is to rewrite all the Url’s on some web-page so that they point to the attacker’s server rather than the real server.Consider http://www.hotmail.comIs rewritten ashttp://www.attacker.org/http://hotmail.comWhere www.attacker.org is the attacker’s server.Once the attacker’s server gets the real document, he rewrites all the url’s .Then the attacker’s server sends the rewritten page to the victim.
The real attack1.To start an attack, the attacker must
convince the victim to use the attacker’s false web.
2.He can put a link of his web on a popular website.
3.The attacker can email the victim a pointer to the false web
4.Attacker can trick a web search engine into indexing part of the false web.
Perfecting the art:• Some content that give the victim clues
that an attack is being made.• Easy to convince the victim, because
browsers are very customizable.
Perfecting the art
STATUS LINE:A single line of text at the bottom of the browser. When the mouse is held on the web page, the url is displayed.The victim might notice a false URL.When the page is being fetched the status line briefly displays the name of the server being contacted.Hence www.attacker.org may be displayed.
Solution :The attacker can cover up both by adding a java script program to every rewritten page.These programs can write to status lineHence they always show the victim the address of the real web
LOCATION LINE
Displays the url of the current page.Rewritten url may appear on the location line
Solution :
a java script program can hide the real location line and replace it by a false location line that looks right and is in the same expected place.
This fake location line can also accept keyboard input, allowing the victim to type in the url’s normally.
Viewing document source :
A user can possibly see the rewritten urls in the HTML source code and could spot an attack.
Solution:
Write a JavaScript to hide a browser’s menu bar, replacing it with a menu bar that looks identical.From this the user could view the original (non- rewritten) HTML source.
Tracing an attacker:
Not possible!!!!!!!!!!!!!!!!!He attacks thro’ some innocent user’s machine.
Smart hacker
1.) Victim uses IE, hacker might write an ActiveX control, which is executed each time the victim runs the browser.
The hacker’s ActiveX might replace a normal URL with hacked URL.
2.) hacker can hide the rewritten URL using an embedded program within the spoofing server
This hides the real location line and replaces it with a fake location line.
Secure connection
•Attack works even when victim requests a page thro’ secure connection
•Secure web access using S-HTTP or Secure Sockets Layer – browser display is as usual
•Hacker’s server will deliver the page
•Victim’s browser will turn on the secure connection indicator
•But!!!!!!!!!!!!!!!!!!!!!!!!
Example?????????False ATM machine in public areas.
Misleading URLs...
Neither of the following two links are really CNN... http://www.cnn.com:mainpage@2175456613/~sws/0/ (works from most platforms)
http://www.cnn.com:mainpage@129.170.213.101/~sws/0/ (works from most of the
Spoofing can be of 2 types
1] Security-relevant decisions:
the decision taken by the user may result in breach of privacy or unauthorized tampering with data.
Eg:Typing in a password or user-id
The user accepts a downloaded document, which contains malicious elements that may harm the user.
2] context The text and pictures on a web page might give some information as to where the page came from
Eg:If the user sees a corporate logo, then he can assume that the page originated from that company.
WWW.MICROSOFT.COM WWW.MICR0S0FT.COM
Manual.doc may not be so !!!!!!!!!!!!!
Ways to attack :
The attacker can see and modify any data that is going from the victim to the web server. The attacker may also control the return traffic from the web server to the victim.
1] Surveillance
•The attacker passively watches the traffic moving along the network.
•He will be able to record the pages the victim visits and the contents of those pages
•In an interactive form , the details are captured.
2] Tampering:
•The attacker modifies the data from the victim to the server
•He can also modify the data from the server to the victim
Spoofing the www:
The attacker does not have the whole spoofed copy. Only the web page requested is spoofed.
Short term solution :
•Disable JavaScript in the browser – attacker unable to hide the evidence
•Browser’s location line is always visible
•Keep checking the urls – are they the intended ones.
•Disable java, ActiveX
•Use URL checking software to check that the links point to expected locations.
•Use host security policies & procedures to ensure that critical files cannot be modified. Eg: Some type of access control method to deny access if somebody attempts to modify files.
Contd………………….
•Enabling the browser to show the URL we are accessing. This enables us to see the actual URL that is being referenced.
•Do not be paranoid- old saying “ just because you are paranoid does not mean that somebody isn’t trying to get you”
Long term solutions :
•Action on the part of browser manufacturers-Changing browser code so that the browser always displays the location line
•An improved secure connection indicator would help, for pages fetched via secure locations.
•Indicate the browser at the other end
•Use simple language to indicate like HP.Inc instead of www.hp.com
Arcticsoft’s solution :
Arcticsoft’s WebAssurity
•Lets users dynamically verify web pages
•User can instantly say if anything is wrong
Some general precautions:
•Consult your system support personnel if you work from home•Use virus protection software•Don't open unknown email attachments
•Don't run programs of unknown origin
•Keep all applications, including your operating system, patched
•Turn off your computer or disconnect from the network when not in use
•Make a boot disk in case your computer is damaged or compromised
•Make regular backups of critical data
References :
Website of department of Computer Science, Princeton University - www.cs.princeton.edu
Website of Carnegie Mellon University
www.cs.dartmouth.edu
www.systemexperts.com
citeseer.nj.nec.com
Recommended