Consequences of Breach. Corrupted Data No access to resources Lost Sales/Loss of customer confidence Legal ramifications

Transcription

1 Web Security Consequences of breach of security Minimum functional requirements Purpose of Security Measures Simple Encryption Hashing: what it is and why bother? PHP Hash ing Code Injection Prepared Statements UNIX Top Seven Hacker Targets Strong Passwords

2 Consequences of Breach Corrupted Data No access to resources Lost Sales/Loss of customer confidence Legal ramifications

3 Minimum Functional Requirements Identification & Authentication - Password Use Access Control - Restricted Access Accountability - Activities linked to users Audit Trails - Log of resource use Accuracy - Prevent unauthorized modifications Reliability - Protect monopoly of resources by a user Data Exchange - Secure transmission channels

4 Purpose of Security Measures Authentication- Verifies user identity User name/password combination Authorization Verifies the user has access to requested resource Non-repudiation Prevents user from denying the message was sent Privacy Ability to shield communications from unauthorized viewing

5 Encryption/Decryption Set of rules (cipher) used to convert plaintext to cipher text Does not stop interference with a message, but does make the message unintelligible. Decryption uses the reverse of the cipher to retrieve the original (plaintext) message. Simple Encryption Example: A simple substitution cipher using 3 key (offset of 3): ABCDEFGHIJKLMNOPQRSTUVWXYZ DEFGHIJKLMNOPQRSTUVWXYZABC Example: INTERNET = LQWHUQHW

6 What is hash ing and why do it? Unlink encryption (which you can decrypt), when you hash something you can never get the plain text back Instead you take a plain text string re-hash it (the same way) and compare the outputted string, same output means same input Why bother? The rationale User s enter their password into your system, and you store them If you are hacked and the passwords are in the clear the hacker can see them, this is worse than it sounds: most people use the same password for most things online

7 PHP Hash Functions PHP provides predefined functions that will perform encryption (hash ing) for you: md5($string_arg); will return a 32-character hexadecimal rendering of the string you entered The function needs to be seeded with an encryption key (on the server) Therefore each returned rendering is different from server to server (but will work on the same server it was encrypted on) sha1($string_arg); works similarly as md5() but with a different algorithm (i.e. math equation) will return a 40-character hexadecimal rendering of the string you entered hash($algorithm,$string_arg); Pass the algorithm to use ( md5 or shah1 or a list of others) hash_algos(); will return an array of all registered algorithms supported by the server NOTE: none of the algorithms are perfect, theoretically all can be broken, but more secure than clear text

8 Salt Your Hash Salt ing refers to prepending or appending a random string to a password/string before hashing it To authenticate a user, take the user entered password, apply the salt and then hash the resulting string. If the string in the database matches the hashed and salted string, the user entered the original password Sharing salts can be shared amongst all users, or each user can have their own salt (stored in a database). Individual salts are more secure, but is also consumes more resources (requires data to be retrieved from the database based on id alone) NOTE: in this course passwords will NOT be SALTed Recommended reading: ()

9 Code Injection is the exploitation of a computer bug that is caused by processing invalid data. can be used by an attacker to introduce (or "inject") code into a computer program (including websites) to change the course of execution. the results can be disastrous can be intentional (malevolent or benevolent) or unintentionial

10 Preventing Code Injection Input validation Selective input inclusion/exclusion Escaping dangerous characters. htmlspecialchars() function (converts HTML tags to their ISO equivalents) strip_tags() function (completely removes HTML tags) for safe output of text in HTML pg_escape_string() to isolate data which will be included in an SQL request, to protect against SQL Injection. Input encoding (htmlspecialchars($string_data, ENT_QUOTES); ENT_QUOTES replaces single-quotes with &#039 Output encoding (htmlspecialchars_decode() ) "parameterized SQL queries" (aka "prepared statements")

11 Prepared Statements (example) <?php // Connect to the database using predefined function $dbconn = db_connect(); // Prepare a query for execution $result = pg_prepare($dbconn, "my_query", 'SELECT * FROM users WHERE id = $1 AND password = $2'); // Execute the prepared query. Note that it is not necessary to escape // the strings in any way $result = pg_execute($dbconn, "my_query", array( test, p@$$w0rd)); // Execute the same prepared query, this time with a different parameter $result = pg_execute($dbconn, "my_query", array( anotheruser, sex ));?>

12 Unix Top Seven Hacker Targets 1. Root password: Hackers ultimate goal Come and go as they please with full access 2. Root access: 3. User X s password The hacker has a particular user s password, which provides the hacker access to the system 4. User X s access 5. Some user s password: The hacker has a random user s password, and does not know the user s access or controls 6. Some user s access: 7. Denial of Service attacks Even without complete account access, many hackers can delete files, crash the system, and otherwise damage your installations From Hackerproof by Kris Jisma, p. 516

13 Strong Passwords To make a strong password Is at least seven characters in length, and the longer the better. Includes upper and lower case letters, numerals, symbols Has at least one symbol character in the second through sixth position Has at least four different characters in your password (no repeats) Looks like a sequence of random letters and numbers Don't use ANY PART of your logon name for your password Don't use any actual word or name in ANY language Don't use numbers in place of similar letters Don't reuse any portion of your old password Don't use consecutive letters or numbers like "abcdefg" or "234567" Don't use adjacent keys on your keyboard like "qwerty"