1
CSCD 303 Essential Computer Security Fall 2017
Lecture 17 – Internet Security Reading: See links end of Lecture
2
Overview Internet Security Threats Web Technology Web 2.0
Active Content Javascript Java Applets ActiveX Controls VBScript Ajax
3
Internet Security Introduction
There are currently over 1 billion websites on the web. That number is growing as more of the world gets connected and technology makes it easier for people to have a voice and an online presence via websites. Everyone can be an author ... Over a third of the websites online are powered by four key platforms: WordPress, Joomla!, Drupal, and Magento. WordPress leads the market with over 60% market share.
4
Internet Security Introduction
Implications for Web Site Security. According to a 2016 Web Security Report by Sucuri: Large influx of unskilled webmasters and service providers responsible for the deployment and administration of these sites. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. In March 2016, Google reported that over 50 million website users were greeted with a warning that the websites they visited were either trying to steal information or install malicious software.
5
Watch Live Web Sites Get Hacked
Want to view websites hacked in real time?
6
Internet Security Knowing how the Internet works and understanding the technologies used allows us to better defend our content and figure out how it's being attacked. The technologies used today make the Internet more popular than ever and unsafe at the same time. Major problem: the Internet has evolved from storing content to user-created content.
7
Web Threats
8
Infected Websites – Lots !!!!
Google warns 760,000 websites: 'You've been hijacked' - but many are infected again in days. Google is urging website operators to sign up for its security notifications after a study of 760,935 hijacked websites revealed the difficulties in cleaning up infections that expose visitors to malware. Previous studies have found that sites running on WordPress, Joomla, and Drupal faced a higher risk of compromise because hackers focused on platforms with the largest market share. been-hijacked-but-many-are-infected-again-in-days/
9
More Security Threats (2013) is-the-web-browser Recognition among security authorities that drive-by malware from web links is the #1 threat facing networks today. Attackers are moving into targeting browser plugins: Java, Adobe Reader and Adobe Flash. Drive-by download attacks are almost exclusively launched through compromised legitimate websites, which are used by attackers to host malicious links and actual malicious code.
10
Web Technology Useful to understand how Web works
As technical people, we have a basic understanding of clients/servers. Look at details and some stats on both browsers and Web servers. Which browsers would you guess are most popular today? Nice page of ALL Web browsers, even text based
11
Web Browser Stats 2017 Chrome IE/Edge Firefox Safari Opera
[Table: monthly 2017 browser market share (October, September, August, and December, November, October) for Chrome, IE/Edge, Firefox, Safari and Opera; the percentage values did not survive extraction]
12
Web Server Stats server-survey.html Based on its annual survey of sites, Netcraft reports that Apache has a 41% share in 2017 while IIS has 10%. [Table: Netcraft site counts, shares and monthly change for Apache and Microsoft; the numeric values did not survive extraction]
13
Web Server Operating Systems
Apache has been the most widely used web server on the Internet since the early days of the Web. It still is dominant. Underlying operating system is mostly Linux. Over the years, this has proven to be the most reliable and flexible platform for running high-quality web hosting services worldwide. linux.html Windows-based hosts use the IIS (Internet Information Services) server and of course run on some version of Windows.
14
Web Browser Functions Browser interprets and displays HTML files
Supposed to conform to specifications maintained by the W3C (World Wide Web Consortium), the standards organization for the web. Current version: HTML 5, as of 2014.
15
Plug-ins Enhance Browsers
Visit a web page that includes more than simple HTML content and you are likely to need plug-in applications. Flash Player is the most needed plug-in: 75% of the animated advertisements you see online are Flash .swf movies. Adobe Acrobat Reader (.pdf) is the next most needed: most government forms, online application forms and a multitude of other documents use the .pdf format on the Web. Movie/audio player to run .mov, .mp3, .wav, .au, and .avi files: Windows Media Player is the most popular.
16
Browser and Web Server State
Neither browsers nor Web servers keep “state”. What does this mean? How can browsers and Web servers keep state?
17
Browsers and Web Server State Defined
This means user data is not persisted from one Web page to the next within a Web site. Web developers refer to the practice of tracking users as maintaining state. The series of interactions that a particular user has with a site is a session.
18
Browser State How do browsers keep state? Cookies!!!
Cookies: small text files stored in your computer's browser directory or another directory. Created when you use your browser to visit a website that uses cookies to keep track of your movements within the site. Helps resume where you left off; remembers registered login, theme selection, preferences, and other customized selections.
19
Browser Cookies Two types of cookies are used:
Session cookies: temporary cookies that remain in the cookie file of your browser until you leave the site. These cookies are only stored in memory. Persistent cookies: remain in the browser's cookie file for much longer and have an expiration date.
20
Browser Cookies Each cookie has values for six fields:
* Name - Name of the cookie * Value - ID string set by Web site * Domain - Of Web site issuing cookie * Path - “/” means the cookie is valid anywhere on that domain * Expires - Cookie expires on that date * Secure - used for cookies that require an SSL connection
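The following is an added example, not part of the lecture: a small parser that pulls the six fields above out of a Set-Cookie header as a server sends it, tells session and persistent cookies apart by the presence of Expires, and runs a defender's check for cookies that would travel without the Secure flag or with the widest possible scope. The header strings are constructed for illustration; HttpOnly and Max-Age exist in real browsers but are outside the six-field model on the slide and are ignored here.

```javascript
// Added example (not from the lecture slides): parse the six cookie fields
// from a Set-Cookie header. Header strings used with it are constructed.

function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter((p) => p.length > 0);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq), // Name
    value: eq === -1 ? "" : parts[0].slice(eq + 1),     // Value: ID string set by the site
    domain: null,  // Domain of the issuing site; null = only the host that set it
    path: null,    // Path; null = browser derives it from the request URL
    expires: null, // Expires; null = session cookie, kept in memory only
    secure: false, // Secure; true = sent only over an SSL/TLS connection
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path") cookie.path = val;
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    // HttpOnly, Max-Age and other attributes are outside the slide's six-field
    // model and are deliberately ignored by this parser.
  }
  return cookie;
}

// Session cookie: no expiration date, so it lives only in the browser's memory.
function isSessionCookie(cookie) {
  return cookie.expires === null;
}

// Defender's check: a cookie that carries a login should be Secure, should not
// persist longer than a sensible window, and should not be scoped wider than
// needed. Returns a list of human-readable findings (empty = nothing to flag).
function auditCookie(cookie, maxDays = 30, now = new Date()) {
  const findings = [];
  if (!cookie.secure) findings.push("missing Secure flag: can be sent over plain HTTP");
  if (cookie.expires !== null) {
    const days = (cookie.expires.getTime() - now.getTime()) / 86400000;
    if (days > maxDays) findings.push(`persistent for ${Math.round(days)} days (> ${maxDays})`);
  }
  if (cookie.path === "/" && cookie.domain !== null) {
    findings.push("valid for every path on the whole domain: widest possible scope");
  }
  return findings;
}
```

Running `auditCookie(parseSetCookie("SESSIONID=abc123; Domain=.example.com; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure"))` flags only the domain-wide scope, while `theme=dark; Path=/account` is a session cookie flagged for the missing Secure attribute; the audit is where a site owner would decide which findings matter for a given cookie.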
21
Can Cookies Be Malicious?
What do you think? Use of Cookies: To collect demographic information about who visits a Web site. Sites often use this information to track how often visitors come to the site and how long they remain on the site. To personalize the user's experience on the Web site. Cookies do not act maliciously on computer systems. They are merely text files that can be deleted at any time - they are not plug-ins nor are they programs. Cookies do contain personal information .. that you give to the site.
22
Can Cookies Be Malicious?
Popular view (previous slide): cookies can violate privacy, but are not generally malware and do not by themselves compromise security. Other views say ... Yes. Cookies can be evil !!! Involved in: Cross Site Request Forgery Attack (XSRF), Session Fixation, XSS (Cross Site Scripting), Cookie Tossing Attack. Other resources: threats-1.html
23
Evolution of Web Technologies
24
Problem All research shows that Internet-based attacks appear to be increasing. Why is this?
25
Evolved from Web 1.0 to 2.0 Most people agree that Web 2.0 is
Interactive and social. Facilitating collaboration between people. User content is the norm. This is distinct from the early web (Web 1.0), which was a static information dump where people read websites but rarely interacted with them.
26
Web 2.0 How do you define Web 2.0?
Web "as Platform": software applications are built on the Web as opposed to the desktop. Customers are building content. The activities of users generating content ... ideas, text, videos, pictures ... create value for the web site. Nice YouTube Video of “Us as Web”
27
Web 2.0 vs. Web 1.0
28
Web 2.0 Technologies
29
Web 2.0
Web 1.0: Pull information; Read information; HTML (Web pages)
Web 2.0: Push information; Read / write (cooperate and collaborate); XML, RSS = Rich Site Summary, Mash-ups
What's a mash-up?
30
Mash-up Defined A mashup
A Web site that combines content or data from more than one source to create a new user experience. The term "mashup" comes from pop music, where it refers to two or more songs combined into a new song. Example: the most common Google product used for mashups is Google Maps.
31
Security and Web 2.0 Why is Web 2.0 more Insecure?
User generated content Do you trust your users? Easier to upload or infect content More complicated technologies behind Web 2.0 Active content – scripts and other automatic components Combined content from many sources Advertising often contributes vulnerabilities
32
Web 2.0 Increases Threat
The popularity of Web 2.0 sites has changed the way we communicate and use the web, and created an irresistible target for malware authors. Social-networking sites, blogs, and wikis: malware authors take advantage of these sites, opening up yet another front between security defenses and hackers. How-to-protect-against-Web-20-threats/article/34711/
33
Web 2.0 Nightmare “Every company has plans to move mission critical applications to the Web. Yet, companies don't have a web security plan to ensure sites are free from exploits and hackers … (accidents waiting to happen)” CIO Magazine quote. Look at the technologies that enable the Web to function.
34
Web 3.0 is Coming http://socialmediatoday.com/node/423732
Web 3.0 is a Marketing Term. Sadly, this is probably the most likely way that we'll be using the term 'Web 3.0' in future. Within Web 3.0, social networks will be critical conduits through which we design and stumble through our individual contexts, veering out to increasingly social content experiences built by big content providers like Yahoo, AOL, newspapers, blogs and so on. Amazon and eBay have already become large media experiences as we come to enjoy the act of browsing as much as the act of buying. For example, eBay Motors says 95% of traffic doesn’t come to buy a car as much as to look at cars. They’re a media channel that sells ads more than they are a marketplace for cars.
35
Active Content
36
Active Content Used to be Web pages consisted of HTML
Purpose of the Internet was Download information View pictures and other graphic images Fill out input forms Our Web site, example of what kind of content?
37
Active Content What is active content?
Web site that is either interactive Such as Internet polls or Dynamic, such as animated GIFs, stock tickers, weather maps, moving ads Embedded objects, streaming video and audio CNN
38
Active Content Languages
Implementing Active Content HTML does not have a built-in capability to handle active content … this is changing with HTML 5: embedded video objects, dancing bears. Other languages added to Web pages within HTML tags allow expanded capability. What languages implement Active Content?
39
Active Content Languages
Active content implemented mainly through Javascript ActiveX Controls Deprecated in new browsers Java Applets VBScript AJAX
40
Javascript What is it? Has anything to do with Java?
JavaScript is unrelated to the Java programming language. It has a C-like syntax and copies many Java names and naming conventions. It was originally named "LiveScript" and renamed in a co-marketing deal between Netscape and Sun, with Netscape bundling Sun's Java runtime in their then-dominant browser.
41
Javascript JavaScript is used to write functions that are embedded in or included from an HTML page. Simple Examples: Opening or popping up a new window with control over the size, position, and attributes of the window. Validation of web form input values before they are submitted to the server. Changing images as the mouse cursor moves over them … catches the user’s attention. Example here
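As an added example (not code from the lecture), here is the form-validation case written so the same rules run twice: once in the browser, where JavaScript gives the user instant feedback, and again on the server, which is the only place the check can be enforced because the browser-side code runs on a machine the site does not control. The field names, limits, `data-error-for` markup and `handleSubmission` handler are constructed for the example.

```javascript
// Added example (not from the lecture): validation rules as pure functions so
// the identical check runs client-side (quick feedback) and server-side
// (enforcement). Field names and limits are constructed for illustration.

const rules = {
  username: (v) => (/^[A-Za-z0-9_]{3,16}$/.test(v) ? null : "3-16 letters, digits or underscores"),
  email: (v) => (/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) ? null : "not a valid e-mail address"),
  age: (v) => {
    const n = Number(v);
    return Number.isInteger(n) && n >= 13 && n <= 120 ? null : "age must be a whole number from 13 to 120";
  },
};

// Returns an object of field -> message; an empty object means the input is valid.
function validateForm(fields) {
  const errors = {};
  for (const [name, check] of Object.entries(rules)) {
    const raw = fields[name] === undefined || fields[name] === null ? "" : String(fields[name]);
    const msg = check(raw.trim());
    if (msg !== null) errors[name] = msg;
  }
  return errors;
}

// Browser side: block the submit only to save the user a round trip. Anyone can
// turn JavaScript off or craft the request by hand, so this is not a security check.
function attachToForm(form) {
  form.addEventListener("submit", (event) => {
    const fields = Object.fromEntries(new FormData(form).entries());
    const errors = validateForm(fields);
    if (Object.keys(errors).length > 0) {
      event.preventDefault();
      showErrors(form, errors);
    }
  });
}

function showErrors(form, errors) {
  for (const [name, msg] of Object.entries(errors)) {
    const slot = form.querySelector(`[data-error-for="${name}"]`); // assumed markup
    if (slot) slot.textContent = msg; // textContent, not innerHTML, for any user-derived text
  }
}

// Server side (hypothetical request handler): the same rules decide what is accepted.
function handleSubmission(body) {
  const errors = validateForm(body);
  if (Object.keys(errors).length > 0) return { status: 400, errors };
  return { status: 200, errors: {} };
}
```

Keeping `rules` in one module shared by both sides avoids the common drift where the browser check is stricter than the server's, which is exactly the gap an attacker posting the form by hand would use.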
42
Javascript JavaScript code runs locally in user's browser
Responds to user actions quickly, making an application feel more responsive. Example: Gmail is written in JavaScript; JavaScript dispatches requests for information such as the content of a message.
43
HTML code with Javascript
<html>
<head><title>simple page</title></head>
<body>
<script type="text/javascript">
document.write('Hello World!');
</script>
<noscript>
<p>Your browser either does not support JavaScript, or you have JavaScript turned off.</p>
</noscript>
</body>
</html>
44
Java Applets Java Applets
The word applet is meant to suggest a small application. Applets were intended to be small programs run over the Internet. Applets can be viewed over the Internet, or without any connection to the Internet. When you use a browser to view a page that contains an applet, the applet's code is transferred to your system and executed by the browser's Java Virtual Machine (JVM).
45
Java Applets An applet class is compiled in the same way as any other Java class. However, applets run differently from other Java programs. The normal way to run an applet is to embed it in an HTML document, which is then run and viewed through a Web browser.
46
Java Applets
<html>
<head>
<title> Vampire Control
. . .
<applet code="AppletCalculator.class" width=400 height=300>
</applet>
</html>
47
Active X ActiveX: a set of object-oriented programming technologies and tools from Microsoft! In the ActiveX environment you create a component, a self-sufficient program that can be run anywhere in your ActiveX network. The component is known as an ActiveX control. ActiveX is Microsoft's answer to Java: an ActiveX control is like a Java applet. Can be developed in several languages: Visual Basic, C++, Java.
48
Active X ActiveX is a renamed Component Object Model (COM)
COM was developed by Microsoft for Windows and was renamed ActiveX in 1996. A software application can compose one or more components in order to provide the needed functionality.
49
Active X Most Microsoft Windows applications
Internet Explorer, Microsoft Office, Microsoft Visual Studio, Windows Media Player, All … Use ActiveX controls Encapsulate functionality as ActiveX controls can be embedded in other applications Internet Explorer also allows ActiveX controls to be embedded inside web pages Point for us !!!! Can expand application functionality to the Web!
50
Example Active X Control
51
Active X ActiveX Controls are like Java Applets,
Both are designed to be downloaded and executed from web browsers. Differences: Java applets can run on nearly any platform, while ActiveX components can only run in Microsoft's Internet Explorer. ActiveX controls are also granted a much higher level of control over Windows than Java applets, making them both more powerful and more dangerous!!!
52
Active X Example The process of embedding ActiveX controls into a web page is very similar to the way Java applets are embedded. The following example shows the HTML code used to embed an ActiveX control.
<OBJECT ID="AreaMenu" WIDTH=192 HEIGHT=192
  CLASSID="CLSID:275E2FE D0-89D6-00A0C90C9B67"
  CODEBASE=" version=1,0,0,44">
<PARAM NAME="ForeColor" VALUE="&H ">
<PARAM NAME="BackColor" VALUE="&H00BEBEBE">
<PARAM NAME="FontName" VALUE="Verdana">
<PARAM NAME="FontSize" VALUE="10">
<PARAM NAME="FontBold" VALUE="0">
<PARAM NAME="FontItalic" VALUE="0">
<PARAM NAME="FontUnderline" VALUE="0">
<PARAM NAME="FontStrikethrough" VALUE="0">
<PARAM NAME="FontCharset" VALUE="0">
</OBJECT>
53
Active X Example The <OBJECT> tag creates the ActiveX object. The tag has 5 attributes: ID: object name; you use ID to refer to the object from JavaScript. WIDTH: defines the width of the control on the web page. HEIGHT: defines the height of the control on the web page. CLASSID: each ActiveX control is assigned a unique Class ID number, like an identification number; the browser uses this number to tell the computer which ActiveX control to load. CODEBASE: if the control is not present on the system, the Codebase attribute tells the browser where to find the control on the Internet. The viewer's browser will then download the file and install it onto the user's computer. Short article below explains Active X ntations/activex.html
54
VBScript VBScript Visual Basic Scripting Edition
An Active Scripting language developed by Microsoft. The language's syntax reflects its history as a limited variation of Microsoft's Visual Basic programming language.
55
VBScript VBScript is installed by default in every desktop release of Microsoft Windows since Windows 98, and in Microsoft Internet Explorer. VBScript is similar in function to JavaScript, as a language to write functions that are embedded in or included from HTML pages.
56
VBScript The web browsers Firefox and Opera do not have built-in support for VBScript. So ... developers almost always use JavaScript for cross-browser compatibility. Besides client-side web development, VBScript is used for server-side processing of web pages, most notably with Microsoft Active Server Pages (ASP).
57
VBScript Example Can you see this in Firefox?
<html>
<body>
<script type="text/vbscript">
document.write("Hello World")
</script>
</body>
</html>
58
Ajax AJAX Group of web technologies
Implements a web application that communicates with a server in the background, without interfering with the current state of the page. AJAX = Asynchronous JavaScript and XML. AJAX is based on JavaScript and HTTP requests. Not a new language but a combination of languages already known.
59
Ajax Traditional Web application, interaction
between customer and server goes like this:
1. Customer accesses Web application
2. Server processes request and sends data to browser while the customer waits
3. Customer clicks on a link or interacts with the application
4. Server processes request and sends data back to the browser while customer waits
5. etc....
There is a lot of customer waiting!!
60
Ajax Ajax Acts as an Intermediary
Ajax engine works within Web browser to render Web application and handle any requests that customer might have of Web server At start of session, browser loads an Ajax Engine — written in JavaScript and usually tucked away in a hidden frame Engine is responsible for both rendering interface user sees and communicating with server on user’s behalf
61
Ajax vs Traditional Web Browser
62
Ajax With Ajax, the JavaScript loaded when the page loads handles most of the basic tasks: data validation and manipulation, plus displaying changes. At the same time that it makes display changes for the customer, it sends data back and forth to the server. Data transfer is not dependent upon the actions of the customer: it is asynchronous. Google Maps, Google Suggest and Flickr use Ajax.
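The following is an added example, not code from the lecture or from any of the products it names: a tiny Ajax "engine" in the sense of the slides, built around a Google Suggest-style autocomplete. The transport is injected, so the same engine can drive the browser's XMLHttpRequest or the constructed in-memory fake server below, which stands in for a real server and lets the asynchronous behaviour run offline. The `/suggest?q=` endpoint, the word list and the view object are assumptions of the example.

```javascript
// Added example (not from the lecture): an Ajax engine that sends requests in
// the background, keeps the page usable, and updates the view when answers
// arrive. The transport function is injected so it can be a real XHR or a fake.

function createAjaxEngine(transport, view) {
  let latestId = 0;    // id of the most recent request the user triggered
  let outstanding = 0; // requests sent but not yet answered
  return {
    // Send a suggestion request and return immediately; the user keeps typing
    // while the server works (this is the "no waiting" of the slides).
    suggest(query) {
      const id = ++latestId;
      outstanding++;
      transport("/suggest?q=" + encodeURIComponent(query), (err, body) => {
        outstanding--;
        if (err) { view.error = String(err); return; }
        // Responses can arrive out of order. A slow, stale answer must not
        // overwrite the newest one, so only the latest request may touch the view.
        if (id !== latestId) return;
        view.query = query;
        view.suggestions = body.split("\n").filter((s) => s.length > 0);
      });
      return id;
    },
    pending() { return outstanding; },
  };
}

// Browser transport using the classic XMLHttpRequest API (only runs in a browser).
function xhrTransport(url, done) {
  const xhr = new XMLHttpRequest();
  xhr.open("GET", url, true); // third argument true = asynchronous
  xhr.onload = () => done(null, xhr.responseText);
  xhr.onerror = () => done(new Error("network error"), null);
  xhr.send();
}

// Render the view into the page. textContent shows server data as text rather
// than parsing it as HTML, so a poisoned suggestion cannot inject script.
function renderSuggestions(view, listElement) {
  listElement.textContent = "";
  for (const s of view.suggestions) {
    const li = listElement.ownerDocument.createElement("li");
    li.textContent = s;
    listElement.appendChild(li);
  }
}

// Constructed fake server: answers are held until flush() is called, which
// plays the role of "the response arrives later, after the user moved on".
function makeFakeServer(words = ["ajax", "applet", "activex"]) {
  const queue = [];
  const transport = (url, done) => {
    const q = decodeURIComponent(url.split("q=")[1] || "");
    const body = words.filter((w) => w.startsWith(q)).join("\n");
    queue.push(() => done(null, body));
  };
  // newestFirst = true delivers the answers out of order, as a slow network can.
  const flush = (newestFirst = false) => {
    const order = newestFirst ? queue.splice(0).reverse() : queue.splice(0);
    for (const deliver of order) deliver();
  };
  return { transport, flush };
}
```

Typing "a" and then "ap" fires two requests; if the second answer comes back first and the first arrives afterwards, the `id !== latestId` check keeps the stale "a" results from replacing the "ap" results, which is the race an autocomplete built without that guard shows as suggestions that flicker back to an older query.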
63
Summary Begun to look at Internet and Web security
Web 2.0 is a problem. Active Content is today’s Internet. People want functionality; security seems to be secondary. So, what else is new?
64
References Nice Overview of Browser/Web Workings
Wikipedia Browser Comparison Page Browser Cookies sics google-analytics-cookies.html Web 2.0
65
The End Next Time more Internet Security