Web 2'0 Security

1
Web 2.0 Security

• Active Content
• Mobile Code
• Lydia Lourbacos, IT Security Manager
• CISSPCAP, CISM, CISA, GCIH, GCFA
• SANS Mentor for GCIH GCFA

2
Overview of Web 2.0 Security

• Brief Internet History
• The Web
• Web 2.0 vs. Web 1.0
• Why is Web 2.0 dangerous?
• What can you do?
• Web 3.0
• .and beyond.Discussion

3
Internet History -1

• ARPA What caused its creation when?
• 1958
• in response to Soviet Sputnik
• Year of first 2 Nodes of ARPAnet?
• 1969
• Year of First basic email using _at_ ?
• 1972
• First world leader to send email?
• Queen Elizabeth
• Year Apple Computer Founded?
• 1976

4
.Internet History - 2

• Year TCP IP put together?
• 1978
• Year Microsoft Creates DOS ?
• 1981
• Year Internetcoined? (Smilies invented)
• 1982
• Year ARPANet has 5000 hosts
• 1986

5
Internet History - 3

• Year ARPANet has 10,000 hosts
• 1987
• Year of Morris Worm
• 1988
• Year The Web was born Whose vision?
• 1989
• Tim Berners-Lee
• Death of ARPANet 1989 _at_ 20 years

6
Internet Trivia - 4

• Year HTML introduced?
• 1993
• Year Yahoo born?
• 1994100,000 visitors
• Year Amazon eBay born?
• 1995
• Year Google born?
• 1998

7
Internet Use

• 1969 2 nodes
• 1996 45 million
• 1999 150 million
• 2002 544 million
• 2005 1 billion
• 2007 1.3 billion
• 2009 1.669 billion
• December 22, 2012 0

8
What is Web 2.0?

• The Web -- static (RetronymWeb 1.0)
• Web 2.0 -- add value interactive
• Web 3.0 -- sixth sense
• Web 4.0 .?

9
Web 1.0 vs Web 2.0http//www.oreillynet.c
om/pub/a/oreilly/tim/news/2005/09/30/what-is-Web-2
0.html
10
5 Tenets of Web 2.0 -1

• Users add value
• Value is data (video, audio, images, text)
• Data accrues on platform of applications
• Chat
• Audio/video
• Databases
• Google maps

11
5 Tenets of Web 2.0 -2

• Applications can be accessed from many devices
• Devices are becoming integrated into changing
  our lives profoundly
• http//www.oreillynet.com/pub/a/oreilly/tim/news/2
  005/09/30/what-is-Web-20.html

12
Elements of Web 2.0 -1

• 3D Virtual Worlds (Second Life 10)
• Blogs Podcasts Twitter
• Bookmarking (Digg, Delicious, 50)
• Cloud Computing (SaaS, PaaS, IaaS)

13
Elements of Web 2.0 -2

• Mashups integration of 2 external
  data/functions - Fastest growing app
• http//news.zdnet.com/2422-13569_22-152729.html
• http//hisz.rsoe.hu/alertmap/index2.php?areausal
  angeng
• Photo Video Sites (YouTube, Flickr, 50)
• Pop-up Ads
• RSS
• Social Networking Sites (Facebook, 100)

14
Why is Web 2.0 Different?

• Web 2.0 is NOT TV only better
• INTERACTIVITY is based on
• Mobile Code
• Active Content
• The gun is loaded and you dont know it!

15
Interpreters

• Code no longer distinct from data
• Scripts-High level programming languages
• Scripts require interpreters or JIT compilers
• Application Interpreters are different
  ubiquitous

16
Mobile Code -1

• Code transmitted, executed on client
• A portable instruction
• program, script, macro or other
• Shipped unchanged over Internet
• To variety of platforms (clients)
• Executed same on each client

17
Mobile Code -2

• Examples provide rich content
• JavaScript
• VBScript
• JScript (Microsofts version of JavaScript)
• AJAX
• (Asynchronous JavaScript And eXtended markup
  language)
• Java applets
• ActiveX (formerly OLE)
• Flash
• Shockwave

18
Active Content

• Uses Interpreters in applications to run mobile
  code
• Acts within electronic documents
• Trigger execute actions on a platform
• Automatic
• No user intervention/knowledge

19
Client Side Active Content

• Different Interpreters in
• Email clients
• Office Automation
• Adobe PDF
• Browsers
• Render other content types
• Video /Audio /Graphics
• Forms
• Postscript (printing)

20
Client Browser Active Content

• Cookies
• datamine authentication patterns
• Cross site scripting goal to steal cookies
• Browser dependent
• Data validation
• Forms
• Error messages
• Browsers Render Content
• Graphics, menus
• Render audio, video, proprietary content

21
Client Browser Extensions

• Browsers render content
• Graphics
• Menus
• Other types like video, audio
• Extensions-extend content types rendered
• Different audio or video types
• FTP, bookmarking, form fill out
• Handling capabilities are registered w browser
• Usually require full access to browser/OS
  Internals

22
Browser Plug-ins Helpers

• Plug-ins are confined to the capability of the
  browser
• Plug-ins cannot enforce authenticated signatures
• Helpers (content viewers)
• Run independent of browser security controls
• Windows Media Player, RealPlayer, Quicktime,
  Shockwave, Flash

23
Client Technical Protection -1

• Lock down clients
• Become familiar with FDCC
• Registry settings
• Group Policy Objects
• Internet Explorer restrictions
• Disable unneeded functionality
• Delete cookies temp directory on exit
• Run only signed objects on clients
• http//www.us-cert.gov/cas/tips/ST04-012.html
• http//technet.microsoft.com/en-us/library/cc75086
  2.aspx

24
Client Technical Protection -2

• Disable HTML in eMail
• Disable administrator access on clients
• Scan eMail/attachments for malware
• (only 20 of malware is caught)
• Work network --use egress filtering
• Home network --use hardware router
• Check logs

25
NEVER

• Click on links in emails
• Always type them in yourself

26
Server Side -1

• Server Side Scripting
• Happens on server - to resource to be sent
• On the fly formatting of HTML
• Not browser specific
• Web-server OS dependent
• AJAX API improve response times/user tasks
• Cross Site Scriptinginjection of malicious code
  into poorly secured servers pages
• 68 of servers vulnerable to it

27
Server Side -2

• Rexx, Perl, Python
• JavaScript ( Jscript) used in interactive
  documents
• ASP.NET
• SSI (CGI scripts)
• Java Enterprise Edition
• C
• VBScript

28
Server Technical Protection

• Programmer education
• Use OWASP standards
• Procurement/contracts
• OWASP standards in contracts
• Patch and Vulnerability program
• Strict change management
• Whitelisting (lots of pros and cons)
• Email filters, disable HTML (GPO)

29
Web 2.0 Threats -1

• Malicious websites Malware
• 3D Virtual Worlds
• Bookmarking
• Privacy /PII
• Blogs Podcasts
• Photo Video Sites

30
Web 2.0 Threats -2

• Both Privacy Malicious sites/malware
• Social Networking
• eMail
• Office Automation
• Mashups
• Cloud Computing (SaaS, PaaS, IaaS)
• Security of a remote system
• Encryption
• Cost
• End of Lifeif you have to pull it back inside

31
Web 2.0 Controls -1

• Policy
• Evaluate risk based on business sensitivity
• Policy restriction continuum
• Entirely block social networks
• Allow access but only during non-work time
• Allow access but closely monitor
• Block access after evidence of misuse
• Regardless of access--prohibit identification
  with company on social networking sites

32
Web 2.0 Controls -2

• Privacy
• Personally Identifiable Information (PII)
• Personal reputation future
• Children and teens
• Financial information
• Malware
• lt25 of malware caught by Anti-Malware
• HTML in eMail biggest attack vector
• Phishing and malicious site
• User awareness and education

33
Web 2.0 Controls -3

• MAJOR SAFEGUARD IS
• AWARENESS

34
Summary Web 2.0 Security

• Mobile code enabled by Active Content
• Establish follow policies procedures
• Lock down desktop
• Use OWASP inhouse, in contracts
• Patch Vulnerability program
• Establish active awareness program

35
Evolution to Web X.0

• Tim Berners-Lees Semantic Web
• the Web as a whole can be made more intelligent.
  
• The computer can learn enough about what the data
  means to process it.
• Web OS network services for distributed
  computing independent of computer OSes.

36
Web 3.0 ?
37
Web 4.0a hint?

• WolframAlpha
• http//www04.wolframalpha.com/
• Technology and a platform to make knowledge
  computable and accessible to everyone.
• Mathematica
• A symbolic language
• Includes 50,000 algorithms
• Is also a deployment platform

38
Web 4.0 One World Wide Computer

• http//www.ted.com/talks/kevin_kelly_on_the_next_5
  _000_days_of_the_web.html
• Nothing is inevitable except change
• We can be frightened or excited

39
Which are you?

• ?

40
References

• http//www.out-law.com/page-6946
• http//www.oreillynet.com/pub/a/oreilly/tim/news/
  2005/09/30/what-is-Web-20.html
• http//www.out-law.com/page-6946
• http//www.hpl.hp.com/techreports/2009/HPL-2009-9
  9.pdf
• http//www.youtube.com/watch?v6PNuQHUiV3Q What
  is Cloud Computing?
• http//www.practicalecommerce.com/articles/464-Ba
  sic-Definitions-Web-1-0-Web-2-0-Web-3-0
• http//www.ibm.com/developerworks/podcast/dwi/cm-
  int082206.txt Developer Works Interviews Tim
  Berners-Lee
• http//whitepapers.theregister.co.uk/paper/view/7
  43/swat-7designs-web2.0-threat-prevention.pdf
• http//securitymanagement.searchsecurity.com/docum
  ent5135258/abstract.htm Seven Design
  Requirements for Web 2.0 Threat Protection
• http//csrc.nist.gov/publications/nistpubs/800-28
  -ver2/SP800-28v2.pdf
• http//www.youtube.com/watch?vcbPDN7modE8
  Pattie Maes at TED Unveiling the Sixth Sense
• http//blogs.zdnet.com/BTL/?p4499 Dan Farber
  2/14/2007 From Semantic Web (3.0) to the WebOS
  (4.0)