Web Hacking - PowerPoint PPT Presentation

About This Presentation
Title: Web Hacking

Number of Views:61
Avg rating:3.0/5.0
Slides: 16
Provided by: cs491
Tags: hacking | web

Transcript and Presenter's Notes

1
Web Hacking
  • Case Studies

2
Web Site Hacking
  • Popular to get noticed, and to make a social or
    political point.
  • Used to embarrass the press, rivals, or others whom
    the hackers disapprove of.
  • People get really concerned about Kevin Mitnick.

3
General Cases
  • People hacking web sites are usually, though not
    always, using old and well known security
    vulnerabilities.
  • Oftentimes scripts are used to exploit these problems,
    allowing a less skilled attacker to compromise the
    server.
  • Generally sites are vandalized, and occasionally
    information is stolen, but effects are usually
    localized.

4
General Situation
  • Many of the attacks can be avoided by reasonable
    or competent systems administrators. System or
    server configuration is usually a factor in the
    compromise.
  • Many attacks are unnoticed by the compromised
    site, due to lack of monitoring tools.
  • Systems administrators often look at the local
    system without considering the network and
    associated systems as a whole.
  • Often they don't even look at the local system as
    a whole, but simply at the web server.
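An added example, not from the slides, of the kind of monitoring tool this slide says compromised sites lack: a baseline of page digests recorded at publish time is compared against what the server now serves, and HTML comments that were not in the baseline are reported separately (the New York Times defacement on the next slide hid its real message in comments). All page contents here are constructed sample data.

```python
import hashlib
import re
# Constructed sample site: the pages a store published, as the bytes served.
SAMPLE_PAGES = {
    "/index.html": b"<html><!-- build 42 --><body>Widgets Inc</body></html>",
    "/about.html": b"<html><body>About us</body></html>",
}

def html_comments(content: bytes) -> list:
    """Pull out HTML comments; a defacement's real message may live in them."""
    text = content.decode("utf-8", "replace")
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", text, re.S)]

def build_baseline(pages: dict) -> dict:
    """At publish time, record each page's SHA-256 and the comments it contains."""
    return {path: (hashlib.sha256(body).hexdigest(), set(html_comments(body)))
            for path, body in pages.items()}

def check(baseline: dict, served: dict) -> dict:
    """Compare what the server returns now against the baseline.
    Returns {path: [findings]}; an empty dict means nothing changed."""
    findings = {}
    for path, (expected_digest, known_comments) in baseline.items():
        body = served.get(path)
        if body is None:
            findings[path] = ["page missing"]
            continue
        if hashlib.sha256(body).hexdigest() == expected_digest:
            continue
        problems = ["content changed"]
        # Comments absent at publish time deserve reading, not just counting.
        for comment in html_comments(body):
            if comment not in known_comments:
                problems.append("new comment: " + comment)
        findings[path] = problems
    for path in served:
        if path not in baseline:
            findings[path] = ["unexpected page"]
    return findings

BASELINE = build_baseline(SAMPLE_PAGES)

def demo() -> dict:
    """Simulate a defacement of the front page plus a dropped file, then check."""
    defaced = dict(SAMPLE_PAGES)
    defaced["/index.html"] = (b"<html><!-- build 42 --><!-- the real message is here -->"
                              b"<body>defaced</body></html>")
    defaced["/extra.html"] = b"<html><body>not ours</body></html>"
    return check(BASELINE, defaced)
```

A real deployment would fetch the served bytes over HTTP from outside the host, so that a compromised web server cannot hide the change from the check.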

5
Case Study New York Times
  • Site compromised and defaced by HFG.
  • Content replaced with 3l33 speak criticizing
    various columnists.
  • Interesting point is that the real messages were
    in HTML comments.
  • The messages also talked about how the site was
    compromised: via statd.

6
Comparable Case Studies
  • classifieds.penthouse.com
      • System compromised, and root obtained through
        rdist.
  • www.jpl.nasa.gov
      • Compromised through an S/Key vulnerability,
        ironically enough.
  • sps.motorola.com / www.mot.co.jp
      • Compromised through an AIX hole; root obtained
        with -froot.

7
Case Study Yahoo
  • Site possibly compromised via a known web server
    hole in Apache. (General consensus.)
  • Yahoo uses a web server based on Apache, but
    modified to handle its needs more exactly. Over
    time security problems were found and fixed in
    Apache, but the fixes were not propagated to
    Yahoo's version.
  • The site compromised was running a PC-based Unix
    (FreeBSD), which made overflow code easier to
    build.

8
Overall Problems
  • Systems administrators too focused on exact task
    at hand, and not looking at the big picture.
  • This is often a problem in a larger environment,
    as you have separate groups responsible for
    software, web sites, server management, security,
    firewalls, monitoring, networks, etc.
  • Lax administrators trusting all in-place security
    measures to protect them. (Lots of eggs, one
    basket.)
  • Good analogy: a hard crunchy shell with a soft
    chewy center. (Paraphrasing Marcus Ranum)
  • Unfortunately, VERY COMMON.
  • Fortunately, Easy to Fix.

9
Intro to E-Commerce
  • What is it?
      • Exchange of money or goods electronically.
      • From consumer to business, consumer to consumer,
        or business to business.
  • Examples
      • Online purchasing
      • Content purchasing (micro-transactions)
      • Inter-company EDI or extranets
      • Stock management online
      • Auction/classifieds

10
Simple Example
  • A site wants to put up an online store to sell a
    new line of Widgets. Builds a pretty catalog, and
    users can enter information.
  • Wants the site to be secure, so has their provider
    install a secure web server for customers to use
    when placing orders. Will take credit card
    information and do real-time credit
    authorization.
  • Any Issues?

11
Simple Example Continued
  • What is the security of the provider? Is it a
    shared machine or a dedicated machine?
  • Is the order information stored in a database?
    Does this include credit information? What is
    the problem scope if the server is compromised?
  • Taxes?
  • How will credit authorization be handled?
  • What about product fulfillment? Who will ship
    the widgets? Will the fulfillment company have
    access to customer data? Are they secure?

12
Step by Step..
  • The provider and machine security is similar to
    the problems that we have discussed, with the
    added issue that many companies cannot verify a
    provider's claims and have to take them at face
    value.
  • Storing customer information in a database is
    definitely an issue. Problems include:
      • Loss of customer confidentiality
      • Loss of orders if database attacked and destroyed
      • Potential compromise of customer credit
        information

13
More Steps
  • Credit authorization can be handled by many
    services, but some may be preferable to others.
  • As an example, CyberCash returns a ticket that
    can be stored, instead of the entire credit card
    information. This helps reduce the scope of
    liability, but introduces other problems.
    (Backorders.)
  • Product fulfillment is usually the biggest
    problem to handle. Companies will often need to
    find a distributor to handle shipping, and these
    systems usually can't be directly accessed. The
    problem that arises is backorders, and legally
    not being able to capture payment until a
    product is shipped.

14
Credit Card Processing
  • Two basic parts: Authorization and Capture.
  • Authorization
      • Checks the card to see if the specified amount
        is accepted by the card company.
      • Returns approved, denied, or referral (call).
  • Capture
      • Transfers the actual money from the credit card
        company to the vendor or seller. (Legally cannot
        occur until product is delivered to consumer, or
        shipped from facility.)
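An added example, not from the slides, that models the authorize/capture split above together with slide 13's point about storing a processor ticket instead of the card: `Processor` is a constructed stand-in for a CyberCash-style service with made-up response rules (not any real API), the store keeps only the ticket and order state, and capture is refused while the order is unshipped (the backorder case). Card numbers used with it are constructed test values.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class OrderRecord:
    order_id: str
    amount_cents: int
    state: str               # rejected | needs_review | authorized | shipped | captured
    ticket: Optional[str]    # processor's ticket; the card number is never stored

class Processor:
    """Constructed stand-in for a CyberCash-style service (made-up rules, not a real API)."""
    def authorize(self, card_number: str, amount_cents: int) -> Tuple[str, Optional[str]]:
        if card_number.endswith("0000"):
            return "denied", None
        if amount_cents > 100_000:
            return "referral", None       # the 'call' result: needs human follow-up
        digest = hashlib.sha256(f"{card_number}:{amount_cents}".encode()).hexdigest()
        return "approved", "tkt-" + digest[:12]

    def capture(self, ticket: str, amount_cents: int) -> bool:
        return ticket.startswith("tkt-") and amount_cents > 0

class Store:
    """The merchant side: holds order state and the ticket, nothing more."""
    def __init__(self, processor: Processor):
        self.processor = processor
        self.orders = {}

    def place_order(self, order_id: str, card_number: str, amount_cents: int) -> str:
        status, ticket = self.processor.authorize(card_number, amount_cents)
        state = {"approved": "authorized", "denied": "rejected", "referral": "needs_review"}[status]
        self.orders[order_id] = OrderRecord(order_id, amount_cents, state, ticket)
        return state

    def ship(self, order_id: str) -> str:
        rec = self.orders[order_id]
        if rec.state == "authorized":
            rec.state = "shipped"
        return rec.state

    def capture(self, order_id: str) -> str:
        rec = self.orders[order_id]
        if rec.state != "shipped":        # backorder: payment may not be taken yet
            return f"refused: order is {rec.state}, not shipped"
        if self.processor.capture(rec.ticket, rec.amount_cents):
            rec.state = "captured"
        return rec.state
```

Because `OrderRecord` has no field for the card number, a compromise of the store's database exposes tickets and order states but not cardholder data, which is the liability reduction slide 13 describes.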

15
Credit Cards Continued
  • Backend
      • There is obviously some data exchange between the
        company handling the transactions and the
        financial institutions to handle these tasks.
      • CyberCash or VeriFone have direct connections
        with lenders to handle this processing, as an
        example. Typically stores would not try to make
        direct connections to the banks, as this would be
        a nightmare for banks and bank security.