Web Hacking

1. Web Hacking Case Studies

2. Web Site Hacking • Popular to get noticed, and to make a social or political point. • Used to embarrass press, rivals, or others who the hackers disapprove of. • People get really concerned about Kevin Mitnick.

3. General Cases • People hacking web sites are usually, though not always, using old and well known security vulnerabilities. • Often times scripts are used to exploit problems, thus allowing a lower level of “hacker” to compromise the server. • Generally sites are vandalized, and occasionally information is stolen, but effects are usually localized.

4. General Situation • Many of the attacks can be avoided by reasonable or competent systems administrators. System or server configuration is usually a factor in the compromise. • Many attacks are unnoticed by the compromised site, due to lack of monitoring tools. • Systems administrators often times look at the local system, without considering the network and associated systems as a whole. * • Often times they don’t even look at the local system as a whole, but simply at the web server. *

5. Case Study: New York Times • Site compromised and defaced by HFG. • Content replaced with “3l33+” speak criticizing various columnists. • Interesting point is that the real messages were in HTML comments. • The messages also talked about how the site was compromised.. Via statd.

6. Comparable Case Studies • classifieds.penthouse.com • System compromised, and root obtained through rdist. • www.jpl.nasa.gov • Compromised through an S/Key vulnerability, ironically enough. • sps.motorola.com / www.mot.co.jp • Compromised through an AIX hole, root obtained with -froot

7. Case Study: Yahoo • Site possibly compromised via a known web server hole in Apache. (General consensus) • Yahoo uses a web server based on apache, but varied off to handle its needs more exactly. Over time security problems were found and fixed in apache, but not propagated back to Yahoo. • The site compromised was running a PC-based Unix (FreeBSD) which made overflow code easier to build.

8. Overall Problems • Systems administrators too focused on exact task at hand, and not looking at the big picture. • This is often times a problem in a larger environment, as you have groups responsible for software, web sites, server management, security, firewalls, monitoring, networks, etc… • Lax administrators trusting all in-place security measures to protect them. (Lots of eggs, 1 Basket.) • Good analogy: Hard crunchy shell with a soft chewy center. (Paraphrase Marcus Ranum) • Unfortunately, VERY COMMON. • Fortunately, Easy to Fix.

9. Intro to E-Commerce • What is it? • Exchange of money or goods electronically. • From consumer to business, consumer to consumer, or business to business. • Examples: • Online purchasing • Content purchasing (Micro-Transactions) • Inter-Company EDI or Extranets • Stock management online • Auction/Classifieds

10. Simple Example • A site wants to put up an online store to well a new line of Widgets. Builds a pretty catalog and users can enter information. • Wants the site to be secure so has their provider install a secure web server for customers to use when placing orders. Will take credit card information and do real-time credit authorization. • Any Issues?

11. Simple Example Continued • What is the security of the provider? Is it a shared machine or a dedicated machine? • Is the order information stored in a database? Does this include credit information? What is the problem scope if the server is compromised? • Taxes? • How will credit authorization be handled? • What about product fulfillment? Who will ship the widgets? Will the fulfillment company have access to customer data? Are they secure?

12. Step by Step.. • The provider and machine security is similar to the problems that we have discussed, with the added issue that many companies cannot verify a providers claims and have to go off of face value. * • Storing customer information in a database is definitely an issue. Problems include: • Loss of customer confidentiality • Loss of orders if database attacked and destroyed • Potential compromise of customer credit information

13. More Steps • Credit authorization can be handled by many services, but some may be preferable to others. • As an example, CyberCash returns a “ticket” that can be stored, instead of the entire credit card information. This helps reduce the scope of liability, but introduces other problems. (Backorders..) • Product fulfillment is usually the biggest problem to handle. Companies will often times need to find a distributor to handle shipping, and these systems usually can’t be directly accessed. The problem that arises is backorders, and legally not being able to capture payment until a product is shipped.

14. Credit Card Processing • Two Basic Parts: Authorization & Capture • Authorization checks the card to see if the specified amount is accepted by the card company. • Returns approved, denied, or referral (call) • Capture • Transfers the actual money from the credit card company to the vendor or seller. (Legally cannot occur until product is delivered to consumer, or shipped from facility.)

15. Credit Cards Continued • Backend • There is obviously some data exchange between the company handling the transactions and the financial institutions to handle these tasks. • CyberCash or VeriFone have direct connections with lenders to handle this processing, as an example. Typically stores would not try to make direct connections to the banks as this would be a nightmare for banks and bank security.