Security for Web Developers
(Prepared as background for a Webgrrls-LA chat on Dec 12, 2000)
Kinds of Security
- Availability: whether the web site is available when users want it. An attack that makes a site unavailable is called a Denial-of-Service attack.
- Integrity: whether an attacker can change the content or software on the web site. A site where this has happened is said to be 'hacked' or 'subverted'.
- Authenticity: whether an attacker can make his site look like yours, and thereby get users to divulge private info to him.
Examples include 'spoofing' attacks and 'man-in-the-middle' attacks.
- Privacy: whether an attacker can find out things he oughtn't (like credit card numbers).
Privacy is usually compromised by bad design or installation of a web application, but can also be
compromised by attacks, including one called "purchase-key" attack, where the attacker simply bribes someone who works on the site.
It is also often compromised by using applications like FTP, TELNET, or POP3, which send unencrypted passwords over the Internet.
- Safety: whether an attacker can destroy information on a user's computer.
Active-X components, Javascript, viruses, and worms can all be used effectively to attack a user's computer. (Java is much safer.)
- Physical: whether an attacker can walk up to your computer and boot his own software on it.
- Malpractice: if you don't follow commonly accepted best security practices, you or your company could be
liable for damages attackers caused to other systems using your computers!
Case Studies: How Sites Were Hacked
- A computer infected with the Hybris virus recently mailed an infected attachment supposedly from "hahaha@sexyfun.net" to Webgrrls-LA members.
The virus gives the virus author total control over infected computers.
It even updates itself via the Internet periodically!
This means infected computers are at risk of being used for just about anything:
password sniffing (which would be a breach of privacy),
launching Distributed Denial of Service attacks on other sites,
or of having their web content or applications hacked (if the infected computer is a web server).
- One novice web designer I know used Front Page's bulletin board feature in 1999 to store credit card info. Not a good idea.
I found the URL of the hidden board by doing "View Source" on his info entry page and guessing a bit, then
called him up and read off a few credit card numbers. (An example of a site without effective privacy.)
- ZDNet's OpenHack Challenge - shows how
even a relatively well secured site was hacked, and how you can protect yours. (An example of a site with bugs
and poorly configured applications that together caused a loss of site integrity.)
- Distributed Denial-of-Service Attacks on Yahoo, Amazon, EBay, CNN, and others in 2000 - how hackers broke into hundreds of computers and used them as a base from which to launch a massive denial-of-service attack on popular sites.
- Chasing the Wind - A game of cat and mouse between a system administrator and a script kiddie. Describes how script kiddies find vulnerable sites, and how network administrators at large sites try to track them down.
Advisories
Many groups post security advisories. Here are a few recent ones:
Tools
- SSH is a protocol that replaces FTP and Telnet; it's a secure way to upload or download files
or open a commandline shell session on your web server.
You can find free SSH clients at www.openssh.com or
www.freessh.org,
and commercial versions at many places, for instance, www.ssh.com and
vandyke.com.
Basic Security Checklist
- Secure your own workstation first! The server is only as secure as
the workstations of all the people who are allowed to upload to it.
- If you're using Windows,
disable Javascript, Active X, and Active Scripting in the Restricted Zone,
and set Outlook/Outlook Express to use the Restricted Zone when reading email.
See this CERT advisory (mirror site) for step-by-step instructions.
- If you're using Windows or Mac, get a good antivirus program
that runs daily and keeps itself up to date.
- Turn off all unneeded network services.
The most common unneeded service on Macs and PCs is file and printer sharing.
See here and here for tips on how to turn that off.
- Don't use programs that send passwords in the clear.
FTP (e.g. Fetch), Telnet, and email programs that use POP3 are common offenders.
Secure alternatives exist; you can use SSH instead of FTP or Telnet.
Not many ISPs support secure email protocols, though.
- Don't use the same password for different systems.
Even if you're careful and use a secure protocol like SSH to upload to your web server,
you can still get hacked if your email program uses an insecure protocol like POP3
and your passwords for mail and for the web server are the same.
- Don't run old versions of third-party packages on your web server!
You need to stay up-to-date to avoid falling victim to attacks on known vulnerabilities.
- Learn more! Go find better security checklists, and follow them.
Learn what attacks are common at the moment.
See "Online Resources" below.
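The "passwords in the clear" item above is easiest to appreciate on the wire: FTP and POP3 clients both send literal USER and PASS commands, and a Telnet login is typed straight into the session. The following audit script, an added example not from the original page, flags such sessions in constructed capture text so you can check your own workstation or server traffic; the session records and user names are made up for illustration, and the password itself is never copied into a finding.

```python
import re

# Well-known ports for the cleartext protocols the checklist names.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3"}

# FTP and POP3 share the same client-side login commands.
USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(r"^PASS\s+\S+", re.IGNORECASE)


def audit_session(dst_port, client_lines):
    """Return a finding dict if the session exposes a password, else None.

    client_lines are the lines the client sent, in order. Only the protocol,
    port and user name are reported; the secret is deliberately not recorded.
    """
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return None                      # SSH, HTTP, etc.: not a cleartext login
    if proto == "Telnet":
        # Telnet has no USER/PASS commands; the whole interactive login is exposed.
        return {"protocol": proto, "port": dst_port, "user": None,
                "issue": "interactive login sent unencrypted"}
    user = None
    for line in client_lines:
        m = USER_RE.match(line)
        if m:
            user = m.group(1)
        if PASS_RE.match(line):
            return {"protocol": proto, "port": dst_port, "user": user,
                    "issue": "password sent unencrypted"}
    return None


def audit_all(sessions):
    """sessions: iterable of (destination port, client lines)."""
    return [f for f in (audit_session(p, lines) for p, lines in sessions) if f]


# Constructed sample sessions, not real captures.
SAMPLE_SESSIONS = [
    (110, ["USER alice", "PASS hunter2", "STAT", "QUIT"]),   # POP3 mail check
    (21, ["USER webmaster", "PASS s3cret", "CWD /htdocs"]),  # FTP site upload
    (23, ["webmaster", "s3cret", "ls"]),                      # Telnet shell login
    (22, ["SSH-2.0-OpenSSH_2.3"]),                            # SSH: encrypted
    (80, ["GET /index.html HTTP/1.0"]),                       # plain page fetch
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SESSIONS):
        print(f"{f['protocol']} (port {f['port']}): user {f['user']!r}: {f['issue']}")
```

Note that the FTP and Telnet sessions above reuse the same user name, which is exactly the password-reuse risk the next checklist item warns about: one sniffed login unlocks both.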
Online Resources
Advanced Online Resources
Books
Each of these books has a sample chapter online; these samples are well worth reading.
(They're all part of O'Reilly's Nutshell series, btw. I love that series.)
Other
Copyright 1999,2000 Dan Kegel
dank@alumni.caltech.edu
Last updated: 8 January 2001