AN OVERVIEW OF INTERNET SECURITY



1.0 INTRODUCTION

Internet security is a branch of information technology, or more precisely of computer security, that deals specifically with the internet. It covers browser security (the browser being the application that renders HTML files fetched over the internet) and, more generally, network security as it applies to operating systems and the applications that run on them.

The goal of internet security is to establish rules and procedures that guard against attacks carried out over the internet. Because the internet is a network of many different networks, it is an insecure channel for information exchange, and the risk of intrusion and fraud is high. Methods such as encryption have been developed to mitigate these threats to data in transit, in particular packet sniffing, hacking and phishing.


1.1 EVOLUTION


Data is the key item in a business transaction. When data is altered or intercepted by a malicious or fraudulent client as it travels through the network, it can cost an organisation a great deal of money, a business deal or a project. Hence it is necessary to identify the flaws in web applications in order to mitigate them effectively.

As the world's need for the internet grows daily, the world has embraced cloud computing: more and more people transact business, conduct research, store information, publish ideas, exchange mail, upload and download software, stream videos, play games and visit social sites through internet (web) applications.

Web applications use a very simple architecture:

· The internet for connectivity among users

· Creation of the application using HTML

· Hosting in a browser-controlled environment or on a server

· A user interface, usually referred to as a browser.

These web applications are generally easy to acquire and use, and they are usually efficient and inexpensive. Hence a great many people have access to these browsers and use the internet for one or more purposes, which exposes the internet to a whole range of malicious attacks through these web applications. Vulnerabilities in web applications may take dozens of forms and cause a great deal of damage.

Many attacks use fault injection, which exploits vulnerabilities in a web application's syntax and semantics. This means that an attacker can manipulate a Uniform Resource Locator (URL) to force an exploitable malfunction in the application. The two main types of fault injection are SQL injection and cross-site scripting.

Other attacks target an individual website by infiltrating it with malware, so that computers visiting the website are infected. Once an infected computer is connected to the internet, the malware can redirect it to rogue sites that steal password information directly from the user's machine by tricking the user into providing confidential information, and may even use the user's computer as a mechanism to carry out further attacks. Such attacks on a single application can have a very serious negative effect.

For more than a decade, organisations have relied on security measures at the perimeter of the network, such as firewalls, to protect against fraudulent attacks. Yet threats still arrive through untrusted client access points, session-less protocols and the general complexity of network layer security. With web applications, the client software usually cannot be controlled by the application owner. Because web applications do not control the client application directly, an attacker can forge an identity that looks like a legitimate client; such illegitimate clients duplicate a user's identity or create fraudulent messages and cookies.

In addition, HTTP is a session-less protocol and is therefore susceptible to replay and injection attacks. Hypertext Transfer Protocol messages can easily be modified, spoofed and sniffed.




2.0 TYPES OF INTERNET SECURITY LAYERS

2.1 NETWORK LAYER (INTERNET PROTOCOL SECURITY)


Internet Protocol Security (IPsec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for packets at the network level. It creates authenticated and encrypted packets at the IP layer. The two main transformations used by IPsec are the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The IP security architecture uses the concept of a security association as the basis for building security functions into IP [9]. A security association is simply the bundle of algorithms and parameters (such as keys) used to encrypt and authenticate a particular flow in one direction; therefore, in normal bi-directional traffic, the flows are secured by a pair of security associations. [9]

IPsec operates in two modes: the host-to-host transport mode and the network tunnel mode.

In transport mode, only the payload of the IP packet is encrypted, authenticated, or both. Since the IP header is not encrypted, routing remains intact; however, when the Authentication Header is used, the IP addresses cannot be translated, as this would invalidate the hash value. The transport and application layers are protected by the hash, so they cannot be modified in any way. The IPsec layer sits directly below the transport layer. [11]





Fig 2.1a: IPsec in transport mode.



In tunnel mode, both the IP header and the payload are encrypted and/or authenticated, and the whole packet is then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications (e.g. private chat). Because the original IP header is encrypted as well, the IPsec layer sits below the network layer and a new network layer (the outer IP header) is created.





Fig 2.1b: IPsec in tunnel mode.




2.1.1 THE AH PROTOCOL provides source authentication and data integrity but does not provide confidentiality (privacy) of the data.







Fig 2.1.1: the AH protocol suite



2.1.2 THE ESP PROTOCOL provides source authentication and data integrity and, unlike the AH protocol, also provides confidentiality (privacy) of the data.




Fig 2.1.2: the ESP protocol suite



2.2 TRANSPORT LAYER.

The dominant protocols for providing security at the transport layer are the Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). SSL and TLS protect data at the transport layer by allowing a client and a server to communicate across a network in a way that prevents tampering and eavesdropping. [7]

There are two ways of achieving this: either by using a separate port number for the TLS- or SSL-secured service, or by using the same protocol port and negotiating security through the handshaking process.

During the handshaking process the client (the web browser) and the server (the web application) agree on the parameters that establish the connection's security. The handshake proceeds in four phases:

· Phase 1: the client sends the server its SSL version number, cipher settings and other information needed to set up the communication; the server replies with its own SSL version and cipher settings, and the two exchange certificates. After phase 1 the client and server know the SSL version, the cryptographic algorithms, the compression method and the two random numbers (one from each side) used for key generation.

· Phase 2: the client tries to authenticate the server, using all the information the server has sent. It checks the certificate to confirm that it was issued by a trusted certificate authority and that it has not expired. If the server cannot be authenticated, the connection is aborted with a warning message; otherwise the server is authenticated and, in the process, the client learns the server's public key. The same procedure may be carried out at the server to authenticate the client. After phase 2, the server is authenticated to the client, the client knows the public key of the server, and the client has been authenticated too if required.

· Phase 3: if both ends have been authenticated, the client generates a pre-master secret for the session, encrypts it with the server's public key and sends the encrypted value to the server, which uses its private key to decrypt the pre-master secret and generate the master secret. Both sides use the master secret to generate the session keys that encrypt and decrypt the data sent across the network during the SSL or TLS session and that verify its integrity. After phase 3, the client is authenticated to the server, and both the client and the server know the pre-master secret.

· Phase 4: the client sends an encrypted message to the server to show that its end of the handshake is complete; the server decrypts the message and replies to show that its end of the handshake is complete.





Fig 2.2: Handshake in SSL and TLS protocols (client end and server end).



2.3 APPLICATION LAYER


EMAIL: Email is an application layer protocol that requires security. Sending email from one client to another starts with composing the mail, which is then transformed into a standard format. The formatted mail is sent through a mail user agent (client) to the mail transfer agent (server). The sender's client supplies its server with the recipient list and then the message; the sender's server opens a connection to the receiver's server, which forwards the message to the recipient's client. Messages sent by email are secured using the following mechanisms, discussed below:

· Pretty good privacy (PGP)

· Multipurpose internet mail extension (MIME)

· Message authentication code (MAC).

2.3.1 Pretty Good Privacy

PGP provides privacy and integrity by encrypting messages and data files using encryption algorithms such as CAST-128 and Triple DES [6]. Email messages can be protected with PGP cryptography in the following ways:

· Signing an email message to ensure integrity and confirm the sender's identity.

· Encrypting the message body for confidentiality.

· Encrypting the communication between mail servers to protect both the message body and the message header. [6]

2.3.2 Multipurpose Internet Mail Extensions

MIME transforms non-ASCII data at the sender's site into Network Virtual Terminal (NVT) ASCII data and delivers it to the client's Simple Mail Transfer Protocol (SMTP) to be sent through the Internet. [6] The SMTP server at the receiver's side receives the NVT ASCII data and delivers it to MIME to be transformed back into the original non-ASCII data. [6]

2.3.3 Message Authentication Code

A message authentication code (MAC) is a cryptographic method that uses a secret key to process a message and outputs a MAC value, which the receiver checks using the same secret key as the sender. The message authentication code thus protects both a message's data integrity and its authenticity. [6]



2.4 FIREWALL

A firewall consists of gateways and filters that control access between networks. Firewalls screen network traffic and block malicious traffic; they sit in the path of connections such as SMTP and HTTP. A firewall creates a choke point, a checkpoint between the internal private network and the public internet. [8]

Firewalls also provide a platform for IPsec: their tunnelling capability is used to create Virtual Private Networks (VPNs), which hide the internal network and its information from the public internet. [8]




Fig 2.4: Firewall restricting incoming and outgoing data.

2.4.1 Types of firewalls.

· Packet filter firewall.

· Circuit level gateway firewall.

· Application level gateway or the proxy firewall.



2.4.1.1 Packet filter firewall

This type of firewall processes network traffic by filtering it packet by packet. It requires a border router that determines which packets may enter or leave the network.

2.4.1.2 Circuit level gateway firewall.

A circuit-level gateway is a proxy server that operates at the network level of the Open Systems Interconnection (OSI) reference model. It works with port numbers and uses NAT to hide the private address of the source computer from the public internet, so the computer is not easily exposed to outside threats.







2.4.1.3 Application level gateway or the proxy firewall.

This type of firewall requires a proxy server that works at the top layer of the OSI reference model; it analyses the entire message or data to determine what gets through the firewall.








3.0 TYPES OF WEB APPLICATION ATTACKS.

3.1 AUTHENTICATION ATTACKS:


3.1.1 Brute Force


A brute force attack is the process of guessing someone's password, login credentials or cryptographic keys using a series of automated attempts.

3.1.2 Insufficient Authentication


Insufficient authentication occurs when a user can access web content without providing the complete credentials required for login.

3.1.3 Weak Password Recovery Validation


Weak password recovery validation is a website flaw that allows one user to recover another user's password.

3.2 AUTHORIZATION ATTACKS:

3.2.1 Credential/Session Prediction

Credential/session prediction is a method of stealing or hijacking a website user's session, or impersonating that user, without detection.

3.2.2 Insufficient Authorization


Insufficient Authorization is when a web site permits access to sensitive content or functionality that should require increased access control restrictions.[2]

3.2.3 Insufficient Session Expiration

Insufficient session expiration occurs when a website allows an attacker to use an expired session credential to gain access; it is usually a syntax error with jQuery.

3.2.4 Session Fixation


Session Fixation is an attack technique that forces a user's session ID to an explicit value.[2]

3.3 CLIENT-SIDE ATTACKS:


3.3.1 Content Spoofing


Content spoofing is a fraudulent attack technique used to trick a user into believing that the content of a web page is legitimate when it is malicious.

3.3.2 Cross-site Scripting

Cross-site scripting (XSS) is a method of attack that forces a website to echo attacker-supplied executable code; it usually achieves this using cookies that load into the user's browser without a request.

3.3.3 Buffer Overflow

Buffer overflow exploits are attacks that change the application flow by overwriting vital parts of its memory.

3.3.4 Format String Attack

Format String Attacks alter the flow of an application by using string formatting library features to access other memory space.[2]


3.3.5 OS Commanding

OS Commanding is an attack technique used to exploit web sites by executing Operating System commands through manipulation of application input.[2]

3.3.6 SQL Injection

SQL injection is an attack used to manipulate weak websites by constructing malicious SQL statements to control the database.

3.3.7 SSI Injection

SSI injection (server-side include) is a server-side exploit method in which an attacker sends code into the web server and the code is later executed locally by the web browser, which is how spyware works.



3.4 INFORMATION DISCLOSURE ATTACKS:

3.4.1 Directory Indexing

Automatic directory listing/indexing is a web server function that lists all of the files within a requested directory if the normal base file is not present.[2]

3.4.2 Information Leakage

Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.[5][2]

3.4.3 Path Traversal

The path traversal attack method forces access to files, directories and commands located outside the web document root directory.

3.4.4 Predictable Resource Location

Predictable resource location is an attack method used to access hidden website content and functionality.

3.5 LOGICAL ATTACKS:

3.5.1 Abuse of Functionality


Abuse of functionality is an attack technique that uses a website's own features and functionality to consume resources, defraud users or circumvent access control mechanisms. [2]

3.5.2 Denial of Service

Denial of service (DoS) is an attack method whose primary aim is to stop the web application from offering the service for which it was designed.

3.5.3 Insufficient Anti-automation

Insufficient anti-automation is a website flaw that enables an attacker to automate a process that is meant to be performed manually.

3.5.4 Insufficient Process Validation


Insufficient process validation occurs when a website permits an attacker to bypass the required flow of control of the web application.



4.0 SPYWARE: 


Viruses attack your computer and data in order to destroy them. Virus infections are obvious and easily detected by antivirus software, and their effect is gradually diminishing because antivirus software is now so widespread. Spyware, by contrast, attacks your computer to steal your personal data and information. Spyware infections are silent and are not detected by antivirus software, so their threat is ever increasing.



4.1 THE 12 MAJOR PRECAUTIONS IN WEB APPLICATION DEVELOPMENTS.

1. Do not rely on blacklist validation to detect XSS in input or to encode the output. [4]

2. Use a strongly typed parameterized query API. [3]

3. Add firewall rules to prevent web servers from making new external connections.

4. Always avoid using a dynamic query interface.

5. Always check the supplied credentials of the user.

6. Always use indirect object referencing and mapping.

7. Avoid using GET requests (URL parameters) for any sensitive data or to perform any high-value transaction.

8. Assign a custom random security token to every form and URL you operate on.

9. Verify authorisation for every referenced object.

10. Specify a strong output encoding (usually ISO 8859-1 or UTF-8). [3]

11. For sensitive data and transactions, always demand re-authentication.

12. Use a single, consistent input validation mechanism to validate all required data inputs.
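Precautions 2 and 4 are two sides of the same rule. The example below, added here and not taken from the article or any cited source, puts a dynamically built query next to its parameterized form on a constructed SQLite table and feeds both the same inputs; the only difference is whether the value is spliced into the SQL text or bound as a parameter.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return conn


def lookup_dynamic(conn: sqlite3.Connection, username: str) -> list:
    """Precaution 4 violated: the user-supplied value is spliced into the SQL text,
    so a quote character in the input changes the meaning of the statement."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Precaution 2: the value is bound as a typed parameter and is never parsed as SQL."""
    return conn.execute("SELECT id, username FROM users WHERE username = ?",
                        (username,)).fetchall()


def compare() -> dict:
    """Run both lookups with an ordinary name and with a constructed quote-closing input."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"   # constructed input that closes the quoted literal
    return {
        "dynamic_normal": lookup_dynamic(conn, normal),        # [(1, 'alice')]
        "dynamic_hostile": lookup_dynamic(conn, hostile),      # every row: WHERE became always true
        "param_normal": lookup_parameterized(conn, normal),    # [(1, 'alice')]
        "param_hostile": lookup_parameterized(conn, hostile),  # []: no user has that literal name
    }
```

The same bound-parameter approach applies to any database driver that supports placeholders; string concatenation, escaping by hand and stored procedures that build SQL internally all remain on the dynamic side of the line.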

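Precautions 6, 8 and 9 are easiest to see together in code. The following class is a hypothetical per-session helper written for this article (not from any framework or from the cited sources): it hands the browser opaque random references instead of real record ids, re-checks authorization each time a reference is resolved, and issues one-time random tokens for forms; the sessions and record ids in `demo()` are constructed.

```python
import hmac
import secrets


class SessionReferences:
    """Hypothetical per-session helper implementing precautions 6, 8 and 9."""

    def __init__(self, authorized_ids):
        self._authorized = set(authorized_ids)   # record ids this user may access
        self._refs = {}                          # opaque reference -> real record id
        self._form_tokens = set()                # unused per-form security tokens

    def reference_for(self, record_id):
        """Precaution 6: expose an opaque random reference instead of the real id."""
        if record_id not in self._authorized:
            raise PermissionError("not authorized for record %r" % (record_id,))
        ref = secrets.token_urlsafe(16)
        self._refs[ref] = record_id
        return ref

    def resolve(self, ref):
        """Precaution 9: accept only references issued to this session and re-check
        authorization on every use; returns None when access must be refused."""
        record_id = self._refs.get(ref)
        if record_id is None or record_id not in self._authorized:
            return None
        return record_id

    def revoke(self, record_id):
        """Drop a record from the authorized set; outstanding references stop resolving."""
        self._authorized.discard(record_id)

    def issue_form_token(self):
        """Precaution 8: a fresh random token for each form or URL rendered."""
        token = secrets.token_urlsafe(32)
        self._form_tokens.add(token)
        return token

    def check_form_token(self, submitted):
        """Constant-time match against outstanding tokens; each token is usable once."""
        for token in self._form_tokens:
            if hmac.compare_digest(token, submitted):
                self._form_tokens.discard(token)
                return True
        return False


def demo() -> dict:
    """Walk through the checks with two constructed sessions; every value should be True."""
    alice = SessionReferences(authorized_ids={42, 43})   # constructed: Alice owns records 42, 43
    mallory = SessionReferences(authorized_ids={99})     # constructed: another user's session
    ref = alice.reference_for(42)
    token = alice.issue_form_token()
    results = {
        "own_ref_resolves": alice.resolve(ref) == 42,
        "raw_id_rejected": alice.resolve("42") is None,          # guessing the real id fails
        "foreign_ref_rejected": mallory.resolve(ref) is None,    # ref from another session fails
        "token_accepted_once": alice.check_form_token(token),
        "token_replay_rejected": not alice.check_form_token(token),
        "forged_token_rejected": not alice.check_form_token("x" * 43),
    }
    alice.revoke(42)
    results["revoked_ref_rejected"] = alice.resolve(ref) is None
    return results
```

The reference map lives in the server-side session, so the browser never learns a real id and a reference copied from one session is meaningless in another; `check_form_token` expects ASCII strings, as `hmac.compare_digest` requires.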


4.2 HOW TO IDENTIFY VICTIMS OF INTERNET ATTACK


1. The amount of unsolicited email you receive increases, because your personal information has been stolen from cookies and sent back to the cookie generator.

2. You get unwanted pop ups on your pages as a result of the spyware.

3. Your browser's home page changes without your knowledge.

4. Your computer becomes unnecessarily slow because it has more processing to do, and more memory is used to load the spyware.



4.3 THE 9 STEPS THAT PROTECT YOU WHILE SURFING THE INTERNET


1. Don’t access critical web applications that require login with your personal computer.

2. Never store your username and password in your workstation's cache.

3. Do not forget to log off after each session.

4. Always use different login credentials for different applications.

5. Change your password on critical sites as often as possible.

6. Report any unusual behaviour of your network to the service provider.

7. Update your operating system and web browsers as often as possible to keep them up to date.

8. Install a personal firewall and antivirus, and update them often.

9. Don't download any software or plug-ins from unreliable sources.





CONCLUSION


Every web application developer should take into consideration the flaws that come with a poorly developed web application and their vast implications. They can lead to loss of data, high costs and even the loss of an organisation.

Hence, extensive care should be taken in the design and development of web applications, applying the 12 steps recommended in this article to overcome the flaws associated with web application development. During usage, care should also be taken when surfing the internet not to download malicious files that would undermine the security of your web applications; the 9 steps stated in this article should therefore be treated as vital rules guiding the use of web and internet applications.


REFERENCES

[1] Mike Shema, "Web Application Security for Dummies", 1st edition, 2011.

[2] Web Application Security Consortium, "Threat Classification", e-journal, webapp, 2004, 1st edition, pp. 7-9.

[3] Government of the Hong Kong Special Administrative Region, "Web Application Security", e-journal, OWASP, February 2008, pp. 22-25.

[4] OWASP, "Top Ten Project", http://owasp.org/index.php/OWASP_TOP_TEN_PROJECT.htm

[5] Big Planet, "Understanding Internet Security", edition 1, 2004.

[6] Wikipedia, "Internet security", http://en.wikibooks.com/internetsecurity/wikipedia,encyclopedia.htm

[7] Wikipedia, "Transport layer", http://en.wikipedia.org/wiki/TLS

[8] Wikipedia, "Firewall", http://en,wikibooks.com/firewall/wikipedia,encyclopedia.htm

[9] Wikipedia, "IPsec", http://en.wikipedia.org/wiki/ipsec

[10] Mathew J. Schwartz, "6 Ways to Strengthen Web Application Security", http://darkreading.com/riskmanagement/6-ways-to-strengthen-web-application-security

[11] Neil Taylor, "IPsec", http://walkwidnetwork.blogspot.com/2013/04/internet-protocol-security.html
