Document: Information Security: The Big Picture – Part V - Pdf 84

Information Security: The Big Picture – Part V
Stephen Fried
Information Security: The Big Picture - SANS GIAC, © 2000
Agenda
• General Security Introduction
• Telecommunications Fundamentals
• Network Fundamentals
• Network Security
• World Wide Web Security
• Information Secrecy & Privacy
• Identification and Access Control
• Programmatic Security
• Conclusion
If you are taking this course you undoubtedly know about the World Wide Web. As valuable, as
useful, and as important to our everyday lives as the web has become, it is full of security issues and
problems. This section will examine those issues.
Everything You Always Wanted to Know About Web Communications…

get some information and send it back to the browser. When you click on a simple link on a web page you are typically issuing a GET
transaction request. A POST transaction allows the browser to send some information to the server, usually information from a form the user
fills out. POST transactions send the information from the browser to the server. The server will then act on the input and send any results back
to the client. Generally, users don’t have control over whether clicking on a link on a web page will initiate a GET or POST transaction. That
decision is already coded into the web page itself.
HTML Security
• Reading HTML Source
• Hidden Fields
• Server Side Includes
Given the open nature of the HTTP protocol, it is easy to start seeing some of the negative security issues that surround its use. On this
slide we will examine some of these problems.
The easiest way to learn HTML is to examine the HTML source code of any page you happen to visit. Most browsers have an option
to let you view the HTML source of the current page you are viewing. From there you can see all the code, fields, tags, and other
HTML elements that make up the page. You may also see some unexpected things. Many developers put information into source code
that is never meant for public viewing, thinking that regular people will never see it. When you view the code you may see things like
variable names and data values that are used internally by the web site’s programs. You may see references to the names of the site’s
developers or internal information about the organization that is running the server. You may see references to directory names where
files are stored on the web server. There may be references to user IDs or passwords for different services on the machines. If the
server is using JavaScript or some other scripting language you may see code paths that refer to options that the user would not
normally see. All this information can give an attacker a clue as to the underlying structure and organization of the server in order to
plan an attack. And it’s all there free for the looking.
Many web pages, particularly those that use input forms, make use of a feature of HTML called Hidden Fields. Like their name
implies, hidden fields reside on a web page form but they are hidden from view when the page is displayed. Hidden fields are typically
used as a method for carrying information from one form to another without requiring the user to re-enter the information on each
form. However, hidden fields can also contain values not entered by the user. For example, when a user enters a user ID on a web
form, the server might look up the user’s Social Security Number and place that in a hidden field for later use. If you look at the
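The hidden-field pattern described above, as an added example that is not part of the original course material: the insecure form carries the looked-up SSN in a hidden field, while the hardened form keeps the value on the server and hands the browser only an opaque token with an HMAC tag. The session store, server key, and form names are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets

# Hypothetical server-side secret: in practice loaded from configuration,
# never embedded in the page. Generated fresh here so the demo runs offline.
SERVER_KEY = secrets.token_bytes(32)
# Constructed stand-in for a server-side session database.
_SESSION_STORE = {}


def render_form_insecure(user_id, ssn):
    """The pattern the text warns about: the looked-up SSN is carried in a
    hidden field, so anyone who views the page source sees it and anyone
    who edits the field before submitting controls it."""
    return ('<form method="POST" action="/step2">\n'
            f'  <input type="hidden" name="user" value="{user_id}">\n'
            f'  <input type="hidden" name="ssn" value="{ssn}">\n'
            '</form>')


def render_form_hardened(user_id, ssn):
    """Keep the SSN on the server. The browser gets only an opaque token
    plus an HMAC tag, so an altered token is detected on submission."""
    token = secrets.token_urlsafe(16)
    _SESSION_STORE[token] = {"user": user_id, "ssn": ssn}
    tag = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    return ('<form method="POST" action="/step2">\n'
            f'  <input type="hidden" name="tok" value="{token}">\n'
            f'  <input type="hidden" name="sig" value="{tag}">\n'
            '</form>')


def hidden_fields(html):
    """What a 'view source' reader sees: every hidden field name and value."""
    return dict(re.findall(r'type="hidden" name="(\w+)" value="([^"]*)"', html))


def handle_step2(form):
    """Server side of the hardened form: verify the tag in constant time,
    then look the real data up. Returns None if the fields were altered."""
    token, sig = form.get("tok", ""), form.get("sig", "")
    expected = hmac.new(SERVER_KEY, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return _SESSION_STORE.get(token)
```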

enter a term for searching or enter a user ID and password to gain entry to a particular site. Or, more commonly,
the user will need to enter information into a form like a credit card number or merchandise numbers. The server
will then send this information to some other program for processing. The processing program, like any other
computer program, relies on this input to drive its functions. There is an age-old axiom in computers that says
“garbage in, garbage out.” This means that if the user enters bad input into the program they will get bad output.
Computer programs by and large don’t handle bad input very well. They do great with normal, expected input.
As long as the user works with the program in the ways that the designer anticipated, everything goes along just
fine. But when a user acts in a way that the designer did not anticipate, either accidentally or maliciously, the
program will not act predictably. In fact, the results of this action are generally unknown. If you haven’t figured
this out already, computer security people hate when things act in unknown, unpredictable ways. That’s because
it makes it difficult, if not impossible, to protect the system. SYN floods, fragmentation attacks and the Ping of
Death are all examples of what happens when a system receives input it did not expect.
Plain vanilla HTML also has no built-in methods for validating user input. There are no variable checks or data
validation rules built into HTML to prevent bad input from happening. If you are using a scripting language to
develop your pages you can build validation routines into your forms, but if you want to stick with plain HTML
you are out of luck.
That’s why you need to pay particular attention to any web pages, or any program for that matter, that requires
user input. You need to ensure that all input is validated for correctness. What does “validated” mean? It means
that you need to check that the input is correct for the type of information being requested. If you are looking for
a Social Security number, make sure that there are no letters entered by the user. If you are requesting a piece of
text that should be 10 characters long, make sure the user doesn’t enter 500 characters of text.
Beyond simple type and length validation, you also need to check the input to see if it matches the type of
information you are expecting. For example, if you normally only sell 2 or 3 of a particular item, is it normal for
a user to order 999 of that item? Is the name on the customer’s credit card different from the name on the
shipping address? Things like this can be a clue to possible unauthorized activity or fraud.
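The three layers of checking described above (type, length, and plausibility) as an added example, not code from the course: the SSN format, the ten-character limit, the order-quantity threshold (assumed here to be ten times the usual quantity) and the card-name versus shipping-name comparison are the page's own cases; field names are constructed.

```python
import re

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")   # digits only, in the usual layout


def validate_ssn(value):
    """Type check from the text: a Social Security number may contain no letters."""
    return bool(SSN_RE.fullmatch(value))


def validate_text(value, max_len=10):
    """Length check from the text: a 10-character field must not take 500."""
    return 0 < len(value) <= max_len


def flag_order(order, typical_qty=3):
    """Plausibility checks beyond type and length. Returns the reasons the
    order deserves a second look (empty list means it looks normal)."""
    reasons = []
    qty = order.get("quantity")
    if not isinstance(qty, int) or qty <= 0:
        reasons.append("quantity is not a positive whole number")
    elif qty > 10 * typical_qty:   # assumed threshold: ten times the usual order
        reasons.append(f"quantity {qty} is far above the usual {typical_qty}")
    card = order.get("card_name", "").strip().casefold()
    ship = order.get("ship_name", "").strip().casefold()
    if card and ship and card != ship:
        reasons.append("name on the card differs from the shipping name")
    return reasons


def check_order(order):
    """Hard errors reject the submission; soft anomalies are flagged for review."""
    errors = []
    if not validate_text(order.get("item_code", ""), 10):
        errors.append("item code must be 1 to 10 characters")
    if "ssn" in order and not validate_ssn(order["ssn"]):
        errors.append("SSN must be digits in the form NNN-NN-NNNN")
    return {"errors": errors, "review": flag_order(order)}
```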
Cookies

called DoubleClick has done. You’ve probably seen their advertisements on web pages you’ve visited. DoubleClick rents space on web
pages for advertisements. So, for example, when you visit the web page for acme.com you will see an ad that is actually generated by
DoubleClick from the DoubleClick server. The cookies generated by that ad are shared between the browser and DoubleClick, not the
browser and Acme. Then, when you go to widgets.com you may see another DoubleClick advertisement. Again, you will share a cookie
with DoubleClick, not Widgets.com. In this way, the DoubleClick service can begin to collect information on what sites you have visited
over the Internet. Many privacy advocates are extremely worried about this practice.
If you are really worried about cookies you can take steps to protect yourself. In most browsers you can set an option to prevent the
downloading of cookies to your browser. There are also a number of shareware add-on utilities that let you selectively block cookies based
on various criteria.
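The third-party cookie situation described above, as an added example rather than anything from the course: a small cookie policy that keeps first-party Set-Cookie headers and drops those set by an ad server embedded on the page, plus a view of what the ad network can correlate when the same cookie comes back from every site that carries its banner. The sample page loads, host names (ad.doubleclick.example) and cookie values are constructed; the site-matching rule assumes plain two-label domains like .com.

```python
from urllib.parse import urlsplit

# Constructed sample of what a browser receives while loading two pages that
# both embed the same ad network's banner: (resource URL, Set-Cookie header).
SAMPLE_LOADS = {
    "http://www.acme.com/": [
        ("http://www.acme.com/", "sess=a1b2; Path=/"),
        ("http://ad.doubleclick.example/banner?site=acme", "id=track-77; Path=/"),
    ],
    "http://www.widgets.com/catalog": [
        ("http://www.widgets.com/catalog", "cart=empty; Path=/"),
        ("http://ad.doubleclick.example/banner?site=widgets", "id=track-77; Path=/"),
    ],
}


def site_of(url):
    """Crude 'site' notion: the last two labels of the host name. Assumption:
    plain TLDs like .com; real browsers consult the Public Suffix List."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def is_third_party(page_url, resource_url):
    """True when the resource (the ad image) comes from a different site
    than the page the user chose to visit."""
    return site_of(page_url) != site_of(resource_url)


def accept_cookies(page_url, loads):
    """Cookie policy: keep first-party Set-Cookie headers and drop cross-site
    ones, so the browser shares nothing with the ad server."""
    return [sc for res, sc in loads if not is_third_party(page_url, res)]


def sites_linked_by(ad_site, loads_by_page):
    """What the ad network can correlate when the same cookie value comes
    back from every page embedding its banner: the list of sites visited."""
    seen = set()
    for page_url, loads in loads_by_page.items():
        for res, _ in loads:
            if site_of(res) == ad_site:
                seen.add(site_of(page_url))
    return sorted(seen)
```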
SSL
• Protocol for encrypting network traffic
• Operates at Transport Layer
• Operates on port 443
• How it works
– Client connects to server
– Server indicates need for SSL
– Client and server exchange crypto keys
– Secure session begins
• Not a guarantee of security
Plain, generic HTTP is fine for open, non-secret communications, but some applications require more privacy than that
provided by HTTP. For example, you may want to keep your credit card information or information about your bank accounts
secret over the Internet. For these types of applications, there is the Secure Socket Layer protocol, or SSL.
SSL is a general-purpose protocol for encryption of network traffic. Although it is most commonly associated with HTTP
traffic, SSL operates at the Transport Layer of the TCP/IP stack and can be used with many different application protocols. Any
program that uses TCP can be modified to use SSL. General HTTP traffic typically operates on port 80. When SSL is enabled
on a connection it usually runs on port 443.

– Linkage
Protocols like SSL are designed to be general purpose protocols. This means that they can be used in a variety of applications under a
variety of different circumstances. In some instances, however, it is better to have an application-specific protocol. This is a protocol that
is designed with a particular purpose in mind. Such an application is the exchange of credit and payment information over the Internet.
This type of information can be highly sensitive and the need to keep it confidential is great. For this reason the Secure Electronic
Transaction protocol, or SET, was developed.
SET was developed by a number of large players in the credit card and computer industries, including Visa, MasterCard, Microsoft, and
Netscape. It was designed to handle the specific problems of transmitting credit and debit card information. For example, SET handles
issues like validating credit card numbers, checking the customer’s authorization to use the credit card, authorizing the transaction with
the bank, and processing the transaction. SET provides an integrated system that handles the entire transaction, including card
authorization and finalization of the sale. SET has a number of mechanisms that protect the customer, the merchant, and the bank. For
example, the protocol hides the actual credit card number from the merchant, instead sending it directly to the bank. Also, the bank does
not know the actual merchandise purchased by the customer, protecting the privacy of the customer’s purchases.
SET provides four basic services that protect transactions.
Authentication: All the parties to the transaction are authenticated using digital signatures. We will learn more about digital signatures
later when we discuss cryptography.
Confidentiality: The transaction is encrypted so that Internet eavesdroppers can not capture the data and discover the details of the
transaction.
Message Integrity: The transaction can not be tampered with by attackers. Thus, they can not alter the account numbers or payment
amounts involved in the transaction.
Linkage: SET allows a message sent by one party to the transaction (either the customer, the merchant, or the bank) to contain an
attachment that can be read only by another specified party. This allows the first party to verify that the attachment is correct without
being able to read the contents of the attachment. This is very important for the privacy reasons stated above.
SET has many advantages over plain SSL in that it covers the entire transaction from end to end. If plain SSL were used, the credit and
validation information would be exposed at many different points along the way, leaving the information available for attackers or data
thieves. This is, in fact, what happened in 1994 when an attacker broke into the Netcom Internet Service Provider and stole thousands of
credit card numbers that were stored on Netcom’s computers.
Although it seems like the perfect answer to credit exchanges on the Internet, use of SET in the real world has been slow in coming.
Hopefully, in the near future, its use will increase as more companies implement it as part of the on-line ordering systems and more
customers see its advantages and begin demanding it for their personal transactions.
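The Linkage service described above is provided in SET by a dual signature: the customer signs the hash of the two hashes H(OI) and H(PI), so the merchant can verify the order is bound to a payment it cannot read and the bank can verify the payment is bound to an order it cannot read. This is an added example, not code from the course or the SET specification; SET signs with the customer's RSA key and certificate, and an HMAC under a constructed demo key stands in for that signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo key. SET signs with the customer's RSA private key and the
# verifiers use the matching certificate; an HMAC with a key all three parties
# hold stands in for that here so the example runs with the standard library.
CUSTOMER_KEY = b"demo-customer-signing-key"


def digest(data):
    return hashlib.sha256(data).digest()


def sign(message):
    return hmac.new(CUSTOMER_KEY, message, hashlib.sha256).digest()


def dual_signature(order_info, payment_info):
    """Customer side. DS = Sig(H(H(OI) || H(PI))) links order to payment.
    The merchant receives OI and only H(PI); the bank receives PI and only
    H(OI). Each can verify DS, and neither sees the other party's part."""
    oi = json.dumps(order_info, sort_keys=True).encode()
    pi = json.dumps(payment_info, sort_keys=True).encode()
    ds = sign(digest(digest(oi) + digest(pi)))
    return {
        "to_merchant": {"oi": oi, "pi_digest": digest(pi), "ds": ds},
        "to_bank": {"pi": pi, "oi_digest": digest(oi), "ds": ds},
    }


def merchant_verify(msg):
    """Merchant confirms the order it can read is bound to a payment it cannot."""
    expected = sign(digest(digest(msg["oi"]) + msg["pi_digest"]))
    return hmac.compare_digest(expected, msg["ds"])


def bank_verify(msg):
    """Bank confirms the payment it can read is bound to an order it cannot."""
    expected = sign(digest(msg["oi_digest"] + digest(msg["pi"])))
    return hmac.compare_digest(expected, msg["ds"])
```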

transactions. Finally, since many CGI programs use underlying command interpreters (like Perl or a UNIX shell), the potential exists for an
attacker to run programs not intended by the designers of the system. This is a popular method of gaining unauthorized administrative access
on web servers.
There are several common mistakes that many CGI developers make when writing their programs. The first is misuse of command
interpreters. As mentioned before, many CGI programs use command interpreters that are called by the CGI program. Since there is no
direct linkage between the CGI program and the command interpreter, the interpreter has little way of validating the information it is being
sent. If an attacker can find a way to pass arbitrary system commands to the interpreter they have the potential to successfully compromise
the computer.
Another common mistake is the lack of attention paid to memory management. As we will see later on when we discuss buffer
overflows, a common method of attack is to send a program more information than it was designed to handle. If the information reaches a
certain peak, or if it is carefully crafted, it has the ability to crash the server, often leaving the attacker with administrator privileges on the
computer. Also, if the program itself does not pay close attention to the resources it is using, it can potentially consume all the available
resources of the computer, again leaving it exposed to compromise.
The final common mistake, and the one that is also the most preventable, is passing unchecked user input to CGI programs. Many of the
most successful attacks have been based on the fact that a CGI program did not check the information entered by the user. In some cases,
users are able to enter privileged system commands as input to web forms and the computer will blindly execute them without even a virtual
glance.
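The interpreter-misuse and unchecked-input mistakes described above, as an added example that is not from the course: a CGI-style catalogue search that allowlists the form field and then runs the command as an argument list with no shell, shown next to the string-splicing pattern the text warns against. The catalogue path and the allowlist are assumptions for the demo.

```python
import re
import subprocess

CATALOG = "/var/www/data/catalog.txt"   # hypothetical path for the demo
# Allowlist: what a search term may contain. Anything else is rejected
# outright rather than "escaped", which is the check the text asks for.
TERM_RE = re.compile(r"[A-Za-z0-9 _-]{1,40}")


def shell_line_unsafe(term):
    """The pattern the text warns about: the form field is spliced into a
    command string that a shell will interpret, so separators in the field
    become extra commands. Built only for contrast; never executed here."""
    return f"grep -F -i {term} {CATALOG}"


def build_search_argv(term):
    """Validate the field, then build the command as an argument list.
    No shell parses the user's text, so ';', '|' or '$(...)' are only
    characters inside a search term, never commands."""
    if not TERM_RE.fullmatch(term):
        raise ValueError("search term contains characters outside the allowlist")
    return ["grep", "-F", "-i", "--", term, CATALOG]


def search_catalog(term):
    """Run the validated command without a shell and return matching lines."""
    argv = build_search_argv(term)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout.splitlines()
```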
CGI programs can add a great deal of flexibility to your web site. But, like any enabling technology, it has a negative side that must be
checked before proceeding blindly with its implementation. Also, CGI is a relatively old protocol, designed back when the web was still in
its infancy. There are more modern alternatives to CGI that have addressed some of CGI’s shortcomings. Unfortunately, they have also
introduced some of their own.
Active Content
• Programs that interact in a network environment
• Java

today’s world. What is a more realistic approach is to turn off active content for most sites. When you have a site that you really need or
want access to, turn it on temporarily for that site. Then, turn it off again when you leave the site. It’s a bit cumbersome, but it does give a
nice balance of security and convenience.