Differences between revisions 2 and 6 (spanning 4 versions)
Revision 2 as of 2010-04-26 01:04:29
Size: 123
Editor: c-68-53-233-3
Revision 6 as of 2010-04-26 01:40:33
Size: 8951
Editor: c-68-53-233-3

== Internet Client Vulnerabilities ==

 * Of the numerous techniques used to exploit internet end users, software exploits are the most despicable.
  * This is because software usually permits hackers to do their bidding with little or no visibility on the part of the victim.

== ActiveX ==

 * Microsoft ActiveX
  * Microsoft’s answer to Java
  * First real attempt at a model for portable, remotely consumable software applications
  * ActiveX applications, or controls, can be written to perform specific functions, such as displaying a movie or sound file, and can be embedded in a web page to provide that functionality
   * Example: like Microsoft’s Object Linking and Embedding (OLE), which supports embedding of Excel spreadsheets within Word documents
   * Controls usually have the .ocx file extension
 * When Internet Explorer encounters a web page with an embedded ActiveX control (or multiple controls):
  * It first checks the user’s local system Registry to find out whether that component is available on the user’s machine.
  * If it is, IE displays the web page, loads the control into the browser’s memory address space, and executes its code.
  * If the control is not already installed on the user’s computer, IE downloads and installs the control from the location specified within the <OBJECT> tag.
  * Optionally, it verifies the origin of the code using Authenticode and then executes that code.
  * Controls are downloaded to the location specified by the Registry string value (REG_SZ) HKLM\SOFTWARE\MICROSOFT\WINDOWS\CurrentVersion\Internet Settings\ActiveXCache
   * The default in XP is %systemroot%\Downloaded Program Files

=== ActiveX Security Model ===
 * Acting within the model described in the previous section, malicious programmers could write ActiveX controls to do just about anything they want to a user’s machine.
 * The thing that stands in the way is Microsoft’s Authenticode paradigm.
 * Authenticode allows developers to “sign” their code using a cryptographic mechanism that can be authenticated by IE and a third party before the code is executed. (VeriSign Corporation is typically the third party.)
  * Example of how ActiveX could be used for malicious activity:
   * In 1996 Fred McLain wrote an ActiveX control that shut down the user’s system cleanly (if it was running Windows 95 with advanced power management).
   * It was called Internet Exploder.
  * “Safe for scripting” controls were the next significant security challenge.
   * The way people could get a malicious program onto your computer simply by having you visit their website was by manipulating the Scriptlet ActiveX control.
   * Scriptlet.typelib can create, edit, and overwrite files on the hard disk.
   * Eyedog has the ability to query the Registry and gather machine characteristics.

=== ActiveX Abuse Countermeasures ===

 * From a developer’s perspective, don’t write safe-for-scripting controls that could perform privileged actions on a user’s system.
 * Restrict or disable ActiveX through the use of Microsoft Internet Explorer security zones.

== Java ==

 * Created by Sun Microsystems.
 * Was created primarily to enable portable, remotely consumable software applications.
 * Differed from ActiveX in that it included a security “sandbox” that restrains programmers from making many of the mistakes that lead to security problems, such as buffer overflows.
  * Vulnerabilities found:
   * In November 2004, Jouko Pynnönen published an advisory on a devastating vulnerability in Sun’s Java Plug-in, which permits browsers to run Java applets.
   * The vulnerability essentially allowed malicious web pages to disable Java’s security restrictions and break out of the Java sandbox, effectively neutering the security of the platform.

=== Java Countermeasures ===

 * Restrict Java through the use of Microsoft Internet Explorer security zones.
 * For non-IE browsers, consult the documentation on how to restrict Java.

== JavaScript and Active Scripting ==

 * Originally called “LiveScript”; it is still associated with Sun’s Java, but is actually a separate scripting language created by Netscape.
 * Blends Perl-like ease of use with C/C++-like power.
  * This made it popular.
  * It also makes it attractive to hackers.
  * It makes it easy to fool the user into entering sensitive information.
  * Microsoft platforms execute JavaScript and other client-side scripting languages using a Component Object Model (COM)-based technology called Active Scripting.
  * The security issues are not caused by the technology itself, but by abuse of the power and accessibility it gives you.

=== JavaScript Countermeasures ===

 * Restrict JavaScript and Active Scripting through the use of Microsoft Internet Explorer security zones.

== Cookies ==

 * The protocol that underlies the World Wide Web keeps no state between visits; cookies allow sites to track things from one visit to another.
 * Cookies are special tokens contained within HTTP requests and responses that allow websites to remember who you are from visit to visit.
 * Attackers who get their hands on your cookies might be able to spoof your online identity or glean sensitive information.
 * The brute-force way to hijack cookies is to sniff them off the network and then replay them to the server.
 
=== Cookie Abuse Countermeasures ===

 * Get a tool to manage cookies.
 * Use IE’s cookie screening feature.
 * Use SSL.
 * Disable cookies.
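The sniff-and-replay risk above is what the cookie attributes on a Set-Cookie header are meant to limit, and "Use SSL" only helps if the cookie is marked so the browser never sends it in the clear. The following is an added example, not code from the original page or from Hacking Exposed: a minimal Set-Cookie parser plus an audit that reports a cookie lacking Secure, HttpOnly or a restrictive SameSite. The header strings are constructed for the example, not captured from any real site.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Union


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or True for flag attributes such as Secure
    attrs: Dict[str, Union[str, bool]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Minimal parser for a single Set-Cookie header value (name=value; attr; attr=val)."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, has_value, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return Cookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Return the weaknesses that make this cookie easy to sniff, steal or replay."""
    findings: List[str] = []
    if cookie.attrs.get("secure") is not True:
        findings.append("missing Secure: browser will also send it over plain HTTP, "
                        "where it can be sniffed and replayed")
    if cookie.attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable by page scripts, so an XSS flaw can steal it")
    samesite = str(cookie.attrs.get("samesite", "")).lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent along with cross-site requests")
    return findings


def audit_response(set_cookie_headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header of one HTTP response, keyed by cookie name."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, set_cookie_headers)}


# Constructed sample headers (not from any real server): the weak and the hardened form
WEAK_HEADERS = ["SESSIONID=8f3a9c0d; Path=/"]
HARDENED_HEADERS = ["SESSIONID=8f3a9c0d; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response(headers))
```

The parser deliberately lower-cases attribute names because browsers treat them case-insensitively; an audit that matched only the exact spelling `Secure` would miss a header that writes `secure`.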

== Cross-Site Scripting (XSS) ==

 * XSS typically results from a web application that takes input from one user and displays it to another user.
  * Example:
   * The server at evil.org is a rogue server set up by the hacker to capture the unsuspecting user’s input (in this case it is set to pop up after a little while, say the session has ended, and ask for the password to continue).
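The defining condition above, input from one user displayed to another, is a template problem: the fix is to encode the data on output so it can never be parsed as markup. The following is an added example, not code from the original page or from Hacking Exposed. It shows the vulnerable render next to the hardened one and a regression check that lists any tag in the output which the template itself did not emit. The display name, the page template and the function names are constructed for the example.

```python
import html
from html.parser import HTMLParser
from typing import Iterable, List

# Constructed sample input: a display name submitted by one user and later shown to
# another. The tag is an inert marker used to show that input became markup.
SAMPLE_NAME = "<script>probe()</script>Alice"


def render_unsafe(name: str) -> str:
    """Vulnerable pattern: user input pasted straight into the HTML response."""
    return f"<p>Welcome back, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened form: HTML-escape the input so it stays text instead of markup."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def foreign_tags(rendered: str, allowed: Iterable[str]) -> List[str]:
    """Regression check for a template: any tag in the output that the template itself
    does not emit means user-controlled data was interpreted as markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return sorted(set(parser.tags) - set(allowed))


if __name__ == "__main__":
    for renderer in (render_unsafe, render_safe):
        out = renderer(SAMPLE_NAME)
        print(renderer.__name__, "->", out, "| foreign tags:", foreign_tags(out, {"p"}))
```

A check like `foreign_tags` belongs in the application's test suite for every template that echoes user data; it catches the case where someone later replaces the escaping call with raw interpolation.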

== SSL Attacks ==

 * Based on public-key cryptography.
 * SSL is a security implementation, and as such it is open to interpretation by those who implement it.
 * IMPLEMENTATION flaws can reduce the security of any specification to zero.
 
=== SSL Countermeasures ===

 * Keep your Internet client software fully updated and patched.
 * Verify the SSL certificate.
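"Verify the SSL certificate" is exactly the step that implementation flaws tend to skip: a client that accepts any chain, or never compares the certificate's names against the host it meant to reach, gets zero security from the protocol. The following is an added example, not code from the original page or from Hacking Exposed. It builds a client context with verification on, and separately walks through the two checks a client must make on a peer certificate: the validity window and the hostname match (subjectAltName first, CN only as a fallback, wildcard limited to the leftmost label). The certificate dict, the hostnames and the dates are constructed for the example in the shape that `SSLSocket.getpeercert()` returns.

```python
import ssl
from typing import Dict, List

# Constructed certificate in the dict shape SSLSocket.getpeercert() returns; all values are made up.
SAMPLE_CERT: Dict = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 01 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2010 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}

# Reference instants for the example, in epoch seconds
MID_2010 = ssl.cert_time_to_seconds("Jun 15 12:00:00 2010 GMT")
ONE_YEAR = 365 * 86400


def client_context() -> ssl.SSLContext:
    """Context that refuses unverifiable peers: CA chain and hostname both checked.
    Relaxing either setting is the classic client-side implementation flaw."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one DNS name from the certificate; a wildcard may only stand for the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        head = hostname[: -len(suffix)] if hostname.endswith(suffix) else None
        return bool(head) and "." not in head
    return pattern == hostname


def hostname_matches(cert: Dict, hostname: str) -> bool:
    """subjectAltName DNS entries take precedence; the CN is consulted only if there are none."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName":
                return _dns_match(val, hostname)
    return False


def audit_peer_cert(cert: Dict, hostname: str, now: float) -> List[str]:
    """Reasons this certificate must not be trusted for `hostname` at time `now` (empty if fine)."""
    problems: List[str] = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not hostname_matches(cert, hostname):
        problems.append("hostname mismatch")
    return problems


if __name__ == "__main__":
    client_context()
    for host, when in (("shop.example.com", MID_2010), ("evil.org", MID_2010),
                       ("shop.example.com", MID_2010 + ONE_YEAR)):
        print(host, "->", audit_peer_cert(SAMPLE_CERT, host, when) or ["ok"])
```

In practice the context does these checks for you during the handshake; the hand-written audit is there to make visible what "verify the certificate" actually consists of, and it is also what you would run over a certificate captured from a suspect server before deciding whether a client was right to trust it.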

== E-mail Hacking ==

 * The single most effective avenue into the computing space of the internet user.
 * Becomes a very powerful attack when combined with embedded ActiveX and JavaScript, and is extended by e-mail’s own powerful capabilities, such as file attachments.

=== File Attachments ===

 * One of the most convenient features of e-mail is the ability to attach files.
 * This can be used to deliver executable payloads directly to an end user’s desktop.
 * The greatest single vector of attack since the beginning.
 * Executables are disguised as MP3s or other file types.

=== MIME ===

 * The mechanism underlying e-mail attachments also played a significant role in the history of client hacking.
 * Multipurpose Internet Mail Extensions (MIME) is the standard for attaching files to e-mail messages by breaking them into manageable chunks and Base64-encoding them.

=== E-mail Hacking Countermeasures ===

 * Keep your software up to date.
 * Don’t open e-mail from people you don’t know, or chain forwards.
 * Disable ActiveX and JavaScript for e-mail.

== General Microsoft Client-Side Countermeasures ==

 * Deploy a personal firewall.
 * Keep up to date on all software patches.
 * Run antivirus software.
 * Run with least privilege.
 * Administrators should run the mentioned software at choke points.
 * Read e-mail in plain text.
 * Configure office productivity programs as securely as possible.
 * Don’t be gullible.
 * Keep your computing devices physically secure.

== Malware ==

 * Includes:
  * Viruses.
  * Worms.
  * Rootkits and backdoors.
  * Bots and zombies.
  * Trojan horses.
 
=== Countermeasures ===

 * Always back up your system before you have any problems.
 * Clean it up with the appropriate tools.
  * Meaning anti-virus.
 * The book recommends:
  * McAfee
  * Symantec
  * Computer Associates
  * Panda
  * Microsoft
 * I recommend:
  * Kaspersky
  * Webroot (SpySweeper with antivirus)
  * Computer Associates

= Quiz =

1 What was Microsoft's answer to Java? ActiveX

2 Who created JavaScript? Netscape

3 What is the protocol over which the majority of e-commerce transactions occur? SSL

4 What are 3 of the General Microsoft Client-Side Countermeasures?

 * Deploy a personal firewall
 * Keep up to date on all software patches
 * Run antivirus software
 * Run with least privilege
 * Administrators should run the mentioned software at choke points
 * Read e-mail in plain text
 * Configure office productivity programs as securely as possible
 * Don’t be gullible
 * Keep your computing devices physically secure
Back to Cptr427Winter2010

HackingExposedChapter12 (last edited 2010-04-26 01:40:33 by c-68-53-233-3)