Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999.

Published byGyles Wiggins Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999."— Presentation transcript:

1 Web Site Security Andrew Cormack JANET-CERT Andrew.Cormack@ukerna.ac.uk ©The JNT Association, 1999

2 Web Site Security, Andrew Cormack Where’s the problem? Number of CIAC bulletins since October 1997: Apache0 IIS5 Solaris8 Windows NT8 (Internet Explorer3 ) See especially CIAC bulletin J-042 on web security

3 ©The JNT Association, 1999Web Site Security, Andrew Cormack First fix your host Minimal configuration don’t run things you don’t need Up to date with patches Keep it that way new bugs every month Pay attention to logs you may only get one warning

4 ©The JNT Association, 1999Web Site Security, Andrew Cormack Limit the scope for errors Minimal access restricted users restricted hosts (e.g. use TCP wrappers) Single function others will compete with web serving and make operation much more complicated

5 ©The JNT Association, 1999Web Site Security, Andrew Cormack What can go wrong Denial of service (availability) Information leakage (privacy) Loss of control (integrity) unauthorised modification or worse

6 ©The JNT Association, 1999Web Site Security, Andrew Cormack Denial of service Not much you can do to prevent it! when does popularity become DoS? Precautions have more performance than likely attacker have different servers for different readers be ready with a "sorry" backup

7 ©The JNT Association, 1999Web Site Security, Andrew Cormack Information leakage (web stuff) Web is designed for publishing Protection mechanisms are weak files have many names addresses can be faked passwords can be sniffed Shared authentication puts other systems at risk! Use offline encryption if you must

8 ©The JNT Association, 1999Web Site Security, Andrew Cormack Information leakage (system stuff) Caused by badly configured servers badly written scripts misguided scripts (finger, last, etc.) Can lose script source code password or other configuration files

9 ©The JNT Association, 1999Web Site Security, Andrew Cormack Loss of control (severe) Beware of uploads replacing graphics or your home page who can publish? how do you know who they are? Unexpected interactions uploads of scripts java applets on multi-purpose server

10 ©The JNT Association, 1999Web Site Security, Andrew Cormack Loss of control (fatal) Allowing readers to run commands Never run server as root hackers have to work harder Never put test scripts on live server and check, check and re-check production scripts Compromised system probably a write-off

11 ©The JNT Association, 1999Web Site Security, Andrew Cormack The worst cgi script w $1 What if $1 is ”andrew;cat /etc/passwd”... Use perl -wT to trap errors better a 500 error than a lost system Even commercial scripts have errors!

12 ©The JNT Association, 1999Web Site Security, Andrew Cormack Conclusion Don't build on sand Think carefully about "ease of use” Plan for the worst Talk with CERT Never stop!

13 ©The JNT Association, 1999Web Site Security, Andrew Cormack Don’t forget the browser Browsers sometimes run untrusted code ActiveX - can run any Windows application JavaScript - limited but powerful functions Java - runs in a sandbox, but this may leak Added “viewers”, e.g. word, excel Beware!

14 ©The JNT Association, 1999Web Site Security, Andrew Cormack Applet capabilities Such programs can do anything the user can read or write files on local disk or network make calls on the network Browser control is a hard problem but not unique: mail and office apps are the same Technical fixes are draconian User education (like viruses) is the best bet

15 ©The JNT Association, 1999Web Site Security, Andrew Cormack

Download ppt "Web Site Security Andrew Cormack JANET-CERT ©The JNT Association, 1999."

Similar presentations

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.

Michelle J. Gosselin, Jennifer Schommer Guanzhong Wang.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
Building a Home Web Server Grant Root

Building a Home Web Server Grant Root
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.

Lesson 14-Desktop Protection. Overview Protect against malicious code. Use the Internet. Protect against physical tampering.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.

1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.

Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
© De Montfort University, 20011 Web Servers Chris Hand And Howell Istance De Montfort University.

© De Montfort University, Web Servers Chris Hand And Howell Istance De Montfort University.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
PRACTICAL STEPS IN SECURING WINDOWS NT Copyright, 1996 © Dale Carnegie & Associates, Inc. TIP For additional advice see Dale Carnegie Training® Presentation.

PRACTICAL STEPS IN SECURING WINDOWS NT Copyright, 1996 © Dale Carnegie & Associates, Inc. TIP For additional advice see Dale Carnegie Training® Presentation.
Chapter 5 Security Threats to Electronic Commerce

Chapter 5 Security Threats to Electronic Commerce
Website on Computer Security By: Brittany Freeman.

Website on Computer Security By: Brittany Freeman.

Similar presentations

Ads by Google