Network applications
What is a network application (NA)? What is the difference between a network application and a stand-alone/non-network application (SA)? Use a checkmark (√) to show your answer.
Characteristic | NA | SA
Both the program and the data are stored on the same computer | |
Either the program used or the data being used resides on a network | |
Both the program used and the data being used reside on a network | |
Uses a client-server architecture | |
Which of the following can be classified as client or server network applications?
- Microsoft Project
- Microsoft Visio
- Oracle Solaris
- Windows NT
- Adobe Photoshop
- C++
- Google Chrome
- UNIX
- IIS
- Apache
- WinSCP (FTP client)
- OS X
- Movie Maker
- Internet Explorer
Application security
Imagine that you have the following categories of software installed on your computers. Which one would you harden first, and why? Which one should you harden next, and why?
- Client and server network applications
- Non-network applications
- Operating systems
Application security issues
Few operating systems, but many applications: because operating systems are comparatively well hardened, most attacks now target applications.
- Many applications run with administrative or superuser (root) privileges, so an attacker who compromises one inherits those privileges.
- Securing applications is challenging: there is a huge number of applications and a wide variety of security baselines.
[Figure: layered software stack, bottom to top: computer hardware; operating system; client and server application programs, e.g. web service software (IIS, Apache, ...), web browsers, photo editors, Movie Maker, productivity software.]
Which of the following is true about application security?
- If a server application (or service) is no longer needed, it should be turned off.
- Fewer applications on a computer means fewer attack opportunities.
- Use good security baselines to install and configure applications.
- Do not install applications centrally using group policies.
- Add application-layer authentication by requiring users to provide credentials to run application programs.
- Implement cryptographic authentication for sensitive applications.
- If a server application (or service) is no longer needed, it should be removed.
- Do not turn on each application's automatic update checking.
Applications and buffer overflow
- Buffers are RAM areas where data is stored temporarily.
- A buffer overflow occurs when data spills from one buffer into the memory next to it.
- Buffer overflows are among the most common and serious flaws in application code.
- If an attacker sends more data than the programmer allocated to a buffer, the buffer overflows, overwriting an adjacent section of RAM.
[Figure: RAM divided into adjacent buffers, Buffer1 through Buffer7, illustrating how an overflow in one buffer spills into its neighbour.]
Buffer overflow attack
- Occurs when an ill-written program lets data destined for a memory buffer overwrite adjacent memory that holds instructions or control data.
- If the input contains attacker-supplied code, that code may run, giving the attacker control of the program or crashing it (a denial of service).
- Example input: ABCDEF LET JOHN IN WITHOUT PASSWORD. The six bytes ABCDEF fill the buffer; the rest overwrites the instructions that follow it.
[Figure: two diagrams of a program in memory, a six-slot buffer (1-6) next to its instructions ("Accept input", "Print", "Run program"). Before the attack the buffer is empty; after it, the buffer holds ABCDEF and the overflow "LET JOHN IN WITHOUT PASSWORD" has replaced the instructions.]
Stack entry and buffer overflow
- A stack entry holds a data buffer and a saved return address.
- When a program puts one subprogram on hold to call another, it writes the return address into a RAM area called a stack entry (stack frame).
- The called subprogram may add data to the buffer until it overwrites the return address.
- If the data added to the buffer is attack code, this is a buffer overflow attack: when the subprogram returns, execution continues at the address the attacker wrote instead of at the caller.
[Figure: a stack entry with the return address above the data buffer. Steps: 1. write return address; 2. add data to buffer; 3. data is written upward toward the return address; 4. the return address is overwritten; 5. start of the attacker's data.]
Buffer overflow explained with beer: https://www.youtube.com/watch?v=7LDdd90aq5Y
Preventing buffer overflow
Key principle: never trust user input.
- Use languages/tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, assembly, etc.). However, this is often not possible or practical, because almost all modern operating systems and much system software are written in C.
- Eliminate the use of flawed library functions such as gets() and strcpy(), which write into a destination without checking its length or bounds. (strcmp() only reads and compares its arguments; it does not overflow a buffer by itself.)
- Design and build security into the code.
- Use source-code scanning and runtime analysis tools. Example: the PurifyPlus software suite performs dynamic analysis of Java, C, or C++ programs.
For instance, this simple change tells the copy routine that it has only an eight-byte destination buffer (char buffer2[8]) and must stop copying before it runs out of space. Note that strcpy() takes no length argument; the bounded variant is strncpy(), and because strncpy() writes no terminating NUL when the source is at least as long as the limit, the limit must be one less than the buffer size and the last byte terminated explicitly:

    // replace the following line
    strcpy(buffer2, string2);
    // by
    strncpy(buffer2, string2, sizeof buffer2 - 1);
    buffer2[sizeof buffer2 - 1] = '\0';
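The slide's fix in working form, as an added example that is not part of the original deck: it takes the eight-byte buffer2 and the "ABCDEF LET JOHN IN WITHOUT PASSWORD" input from the slides above and shows a bounded copy that can never write past the buffer, plus a check that reports whether the original strcpy() would have overflowed. The function names (would_overflow, safe_copy, safe_copy_snprintf) and the BUF_SIZE constant are this example's own choices, not anything from the slides.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* the slide's eight-byte destination buffer */

/* Returns 1 if src (plus its terminating NUL) does not fit in a buffer of
 * bufsize bytes, i.e. if strcpy() into that buffer would overflow it. */
int would_overflow(const char *src, size_t bufsize) {
    return strlen(src) + 1 > bufsize;
}

/* The slide's corrected copy, made safe: copy at most bufsize-1 bytes and
 * always write a terminating NUL. strncpy() alone is not enough, because it
 * leaves dst unterminated when src is bufsize bytes or longer.
 * Returns 0 if the whole string fit, -1 if it had to be truncated. */
int safe_copy(char *dst, size_t bufsize, const char *src) {
    if (bufsize == 0) return -1;
    strncpy(dst, src, bufsize - 1);
    dst[bufsize - 1] = '\0';
    return would_overflow(src, bufsize) ? -1 : 0;
}

/* Same contract using snprintf(), which always terminates and returns the
 * length it wanted to write, so truncation is detectable. */
int safe_copy_snprintf(char *dst, size_t bufsize, const char *src) {
    int needed = snprintf(dst, bufsize, "%s", src);
    return (needed < 0 || (size_t)needed >= bufsize) ? -1 : 0;
}

int main(void) {
    char buffer2[BUF_SIZE];
    const char *ok_input = "ABCDEF";                               /* fits */
    const char *attack_input = "ABCDEF LET JOHN IN WITHOUT PASSWORD"; /* 35 chars + NUL */

    /* The unsafe original, strcpy(buffer2, attack_input), would write 36
     * bytes into 8 and clobber whatever follows buffer2 on the stack. */
    printf("strcpy would overflow: %d\n", would_overflow(attack_input, sizeof buffer2));

    printf("safe_copy ok:     rc=%d buf=\"%s\"\n",
           safe_copy(buffer2, sizeof buffer2, ok_input), buffer2);
    printf("safe_copy attack: rc=%d buf=\"%s\"\n",
           safe_copy(buffer2, sizeof buffer2, attack_input), buffer2);
    return 0;
}
```

The return value matters as much as the terminator: a caller that silently accepts a truncated copy has turned a memory-corruption bug into a logic bug, so treat -1 as input validation failure rather than as success.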
Application permissions: examples for smartphones
- Make phone calls: for dialer replacements, Google Voice, etc., NOT for ringtone apps. If an app you download has no business setting up a phone call, be suspicious.
- Send SMS or MMS
- Read contact data
- Find GPS location: if an app gets its revenue from location-based ads, it needs to know where you are. Otherwise be suspicious.
- Network communication (full Internet access, view network/Wi-Fi state, create Bluetooth connections): if an app has no function for you to communicate with anyone else and no downloadable content, this usually means ads. To show you ads, the app needs to fetch them from the Internet.
How to know an app's permissions
1. Download and install SureMDM and open the SureMDM Web Console.
2. Log in to the SureMDM Web Console.
3. Select your smartphone or tablet from the device list.
4. Click the Apps button to see the list of installed apps on the device.
5. Select an application and click the Permission button. A screen similar to the following pops up.
[Screenshot not included.]
Application permissions (cont.)
- Android does a good job of forcing app developers to tell the prospective user what permissions an app requires and what information it will access.
- If an app requests permissions it does not need before installing, do not install it.
- If a hacker takes over an application program, he or she receives the permissions with which the program runs.
Web service and e-commerce applications
Web applications can be the target of many types of attack, such as:
- Directory browsing
- Traversal attacks
- Web defacement
- Using an HTTP proxy to manipulate the interaction between client and server
- IIS IPP buffer overflow
- Browser attacks
- Time configuration
Web site directory browsing
Web server with directory browsing disabled: a user who knows or guesses a directory name cannot obtain the list of files in that directory.
Web site with directory browsing
Web server with directory browsing enabled: a user who knows or guesses a directory name gets the list of files in that directory.
Traversal attack
- Normally, request paths start at the WWW root directory.
- Adding ../ (Unix) or ..\ (Windows) to an HTTP request may take the attacker up one level; repeating it can lead out of the WWW root directory. Example: ../../
- Example: if an attacker traverses to the directory holding the command prompt (cmd.exe) on Windows NT, he can execute any command with the web server's system privileges.
Traversal attacks (cont.)
Preventing traversal attacks:
- Companies filter out ../ and ..\ using URL-scanning software.
- Attackers respond with hexadecimal (%XX) and Unicode representations of ../ and ..\, which a naive string filter does not recognize. Using the table below, ../ can be written %2e%2e%2f and ..\ as %2e%2e%5c (backslash is 92 decimal, 5C hex), so the filter must decode the request before checking it.
ASCII character chart with decimal, binary and hexadecimal conversions
Name | Character | Code | Decimal | Binary | Hex
Null | NUL | | 0 | 00000000 | 00
Start of Heading | SOH | Ctrl-A | 1 | 00000001 | 01
Space | | | 32 | 00100000 | 20
Exclamation point | ! | Shift-1 | 33 | 00100001 | 21
Plus | + | Shift-= | 43 | 00101011 | 2B
Period | . | | 46 | 00101110 | 2E
Forward slash | / | | 47 | 00101111 | 2F
Tilde | ~ | Shift-' | 126 | 01111110 | 7E
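A request-path check that survives the encoding tricks described in the two traversal slides, as an added example written for this page rather than code from the deck: it percent-decodes the path (repeatedly, so a double-encoded %252e%252e cannot hide ".." from a component that decodes again downstream), rejects the overlong two-byte UTF-8 lead bytes 0xC0/0xC1 that the well-known %c0%af trick relies on, treats both / and \ as separators, and refuses any ".." segment instead of trying to filter the literal string. The function names (percent_decode, path_is_safe), the 512-byte path limit and the sample requests in main() are this example's own assumptions and constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One pass of %XX decoding from in to out. Returns the number of sequences
 * decoded, or -1 for a malformed sequence, an encoded NUL, or a lead byte
 * 0xC0/0xC1 (an overlong UTF-8 encoding, never valid, used to smuggle ../). */
static int percent_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    int n = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            int h = hexval((unsigned char)in[i + 1]);
            int l = (h >= 0) ? hexval((unsigned char)in[i + 2]) : -1;
            if (h < 0 || l < 0) return -1;
            c = (unsigned char)(h * 16 + l);
            if (c == 0 || c == 0xC0 || c == 0xC1) return -1;
            i += 2;
            n++;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return n;
}

/* Decides whether a request path may be served from the web root.
 * On success writes the normalized root-relative path (forward slashes, no
 * leading slash, no "." segments) to out and returns 1; returns 0 for
 * anything that must not be served. Assumption: paths are under 512 bytes. */
int path_is_safe(const char *raw, char *out, size_t outsz) {
    char buf[2][512];
    int cur = 0;
    size_t rawlen = strlen(raw);
    if (rawlen >= sizeof buf[0] || outsz == 0) return 0;
    memcpy(buf[0], raw, rawlen + 1);

    /* Decode until nothing changes (bounded to three passes). */
    for (int pass = 0; pass < 3; pass++) {
        int n = percent_decode(buf[cur], buf[1 - cur], sizeof buf[0]);
        if (n < 0) return 0;
        cur = 1 - cur;
        if (n == 0) break;
    }

    /* Walk the segments; reject ".." outright rather than trying to resolve it. */
    const char *p = buf[cur];
    size_t o = 0;
    while (*p != '\0') {
        const char *seg = p;
        while (*p != '\0' && *p != '/' && *p != '\\') p++;
        size_t len = (size_t)(p - seg);
        if (*p != '\0') p++;                        /* step over the separator */
        if (len == 0 || (len == 1 && seg[0] == '.')) continue;
        if (len == 2 && seg[0] == '.' && seg[1] == '.') return 0;
        if (o + len + 2 > outsz) return 0;          /* room for '/', seg, NUL */
        if (o > 0) out[o++] = '/';
        memcpy(out + o, seg, len);
        o += len;
    }
    out[o] = '\0';
    return 1;
}

int main(void) {
    /* Constructed sample requests, not captured traffic. */
    const char *samples[] = {
        "/images/logo.png",
        "../../winnt/system32/cmd.exe",
        "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
        "..%5c..%5cwinnt%5csystem32%5ccmd.exe",
        "%252e%252e%252fwinnt",
        "scripts/..%c0%af../winnt/system32/cmd.exe",
    };
    char out[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = path_is_safe(samples[i], out, sizeof out);
        printf("%-45s -> %s\n", samples[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

Rejecting every ".." segment is deliberately stricter than resolving the path: a request such as a/../b is harmless but has no legitimate reason to appear, and refusing it removes the whole class of "how many levels up does this really go" mistakes. The decode-then-check order is the point the slide makes; a filter that looks for the literal bytes ../ before decoding is the one the hex and Unicode variants defeat.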
Website defacement
- Taking over a web server and replacing its normal web pages with hacker-produced pages.
- The effect can persist because ISPs cache copies of popular web sites.
- Examples of recent website defacements:
  - ATTRITION web page hack mirror:
  - Zone-H web site for the most recent attacks (check Onhold and Archive):
Manipulating HTTP requests
- Attackers use proxies to manipulate communications between browsers and web servers.
- Example using WebScarab.
IIS IPP buffer overflow
- The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to a buffer overflow attack.
- The jill.c program was developed to launch the attack. It sends a request of the form:
    GET NULL.printer HTTP/1.0
    Host: <about 420 bytes of jill.c attack code that launches a command shell>
- The IIS server responds by launching a command shell (C:\WINNT\SYSTEM32>), giving the attacker SYSTEM privileges.
IIS IPP buffer overflow (cont.)
- Link to jill.c code
- The code compiles on Linux with: gcc jill.c -o jill
- A Windows port (jill-win32.c) and a ready-to-run executable (jill-win32.exe) were available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe.
Login screen bypass attack
- A website user gets a login screen.
- Instead of logging in, the user enters a URL that bypasses the login screen and gains access without authorization.
Browser attacks
- Malicious links: attack.txt.exe appears as attack.txt because common extensions are hidden by default in some operating systems. The user must usually click on the link to execute it (but not always).
Browser attacks (cont.)
Common attacks:
- Redirection to an unwanted web page.
- Scripts that change the registry or the browser home page.
- Scripts that "trojanize" your DNS error-handling routine, so that mistyping a URL lands you on an attacker's page.
- Pop-up windows.
- Web bugs, i.e. nearly invisible links or images, used to track users on a website.
- Domain names that are common misspellings of popular domain names, e.g. Microsoff.com (a porn site).