CIS4370 Chapter 8


What is a client-side script?

A client-side script is code that is written to execute on the client PC, allowing the attacker access to the PC.

Is JavaScript a scripted form of Java?

No

What is SQL?

SQL is a query language used to extract, insert, or delete data from a database

What impacts can buffer overflows have?

The impact of a buffer overflow can range from nothing to the crashing of the server, or the ability to execute any command on the server.

To where does the overwritten return address point?

The overwritten address will point to data in the buffer, which will actually be program/attack code that will be executed instead of legitimate code.

Why is patching applications more time consuming than patching operating systems?

There are many more applications compared to only one OS, and finding information about application vulnerabilities takes a lot of time.

How can SQL injection be prevented?

Threats from SQL injection can be mitigated by "parameterizing" queries and sanitizing inputs.

What can hackers gain by taking over application programs?

privileges of the application program

What is the most popular way for hackers to take over hosts?

taking over an application with root privileges

What is a buffer?

temporary storage area in memory

What is a buffer overflow attack?

writes data longer than the space allocated

What is blind SQL injection?

Blind SQL injection uses a series of SQL statements that produce different responses based on true/false questions, or timed responses.

What is a Java applet?

A Java applet is a small program written in the Java language. The Java applet is downloaded into a webpage.

How does a SQL injection attack work?

A SQL injection attack works by manipulating the way database parameters are processed. Malformed parameters are passed via a web interface to be processed by a database. The malformed parameters allow an attacker to extract data, shut down a database, or perform a variety of database functions.

Why are security baselines needed for installing applications?

A complex series of actions is needed for any major application. This requires the checklist of a security baseline.

In staged development, what three servers do companies use?

A development server, a testing server, and a production server

Why is ActiveX dangerous?

ActiveX is dangerous because it has significant permissions on the machine. If a hacker writes in ActiveX, it could compromise the PC easily.

Overall, what is the big problem with Skype?

Although Skype concerns are theoretical, the fact that Skype cannot be well controlled by corporate security policies makes it unacceptable in many firms.

What is a cross-site scripting (XSS) attack?

An XSS attack is one in which some input is echoed back in the form of information on a webpage. If a script can be put into the original input, this script will be executed when it is sent back to the user.

What kinds of external access are needed for e-commerce?

An e-commerce server needs to have network access to a number of systems external to itself, including servers within firms (for order entry, accounting, shipping, and so forth) and servers outside the firm in merchant banks and companies that check credit card numbers for validity. The webmaster or e-commerce master often has no control over the security of other systems.

What are your computer's settings for the four zones?

Answers will vary.

Why is it important to minimize permissions for application programs?

Application permissions must be minimized because if a hacker takes over an application, he or she can take over the entire host if the permissions are too great.

Where is an application proxy firewall placed relative to the webserver?

Application proxy firewalls would be placed in front of the webserver, between the webserver and the border router.

Why is application-level authentication superior to operating system authentication?

Application-level authentication is superior because it requires the hacker to not only have an exploit, but also authenticated access to a server (versus just an exploit).

Why are hacking and malware dangerous in VoIP?

As with all applications, hacking and malware can render VoIP completely vulnerable to the attacker, who can issue commands, such as SIP BYE, whenever they want to disrupt service or re-route data.

Why do hackers attack browsers?

Attackers might want data stored on the client, and attackers can use a compromised client to attack other systems for which the client has access credentials.

What risks do webservice and e-commerce service create for corporations?

Attacks can disrupt service, harm a company's reputation, and expose private information with heavy repercussions to the firm. They can also enable customer fraud against the firm to succeed more effectively.

What are directory traversal attacks?

Attacks in which a user reaches a directory outside of the WWW root directory and its subdirectories

Why can DoS attacks be successful even if they only increase latency slightly?

By increasing latency, DoS attacks can severely degrade the performance of VoIP systems, making them almost unusable.

What is website defacement?

Changing the contents of a webpage

Why do attackers want to get domain names such as micosoft.com?

Common misspellings of legitimate websites will naturally draw users. Once at the site, the malicious websites can download mobile code to attack the PC.

In which tab of IE are cookies controlled?

Cookies are controlled under the Privacy tab.

What dangers do cookies create?

Cookies can be used to track a user's activity, which could violate privacy. Cookies can also hold PII.

Why are custom programs especially vulnerable?

Custom programs offer security through obscurity, but because they are often not programmed securely, hackers have automated tools that can find common exploits (such as buffer overflows) to allow them to attack the application.

What permissions does the developer have on the development server?

Developers get extensive permissions on the development server.

On the production server?

Developers get no permissions on the production server.

On the testing server?

Developers get no permissions on the testing server.

Distinguish between WWW service and e-commerce service.

E-commerce adds functionality to webservice.

How can eavesdropping be thwarted?

Eavesdropping can be thwarted by encrypting both transport and signaling traffic.

What sound quality problem may encryption create?

Encryption adds a small delay, which may impact performance.

Is encryption widely used in e-mail?

Encryption is not widely used in email because of the difficulties of end-to-end encryption systems.

What can users do to enhance browser security?

Ensure patches are installed and upgrade the software when updates are available.

What is error-based inference?

Error-based inference is used by attackers to manipulate a database based on the errors returned when commands are submitted.

For what legal reason should companies filter sexually or racially harassing message content?

Filtering explicit message content shows that the company does not tolerate this type of action and tries to stop it. (In case of lawsuits, this may help.)

Why do firewalls have problems with typical VoIP traffic?

Firewalls don't like VoIP traffic because the packets are small, there are lots of them, they cannot be appreciably delayed to minimize latency, and they use multiple ports for signaling and transport.

Why do firewalls have a difficult time controlling Skype?

Firewalls have a difficult time controlling Skype because the Skype protocol is unknown and changes frequently to avoid analysis. Skype uses its structure to help users communicate through NAT firewalls. This is good for the user but bad for corporate security.

Why are HTML bodies in e-mail messages dangerous?

HTML can contain malicious scripts.

How can social engineering be used to trick a victim to go to a malicious website?

Hackers can send messages saying something bad (or good) has happened and direct you to a malicious website.

In what two ways can attackers circumvent filtering designed to stop directory traversal attacks?

Hackers can enter the ".." characters using hexadecimal or Unicode encodings, which the filter may not recognize.

Distinguish between IP telephones and soft phones.

IP telephones are telephones that contain everything needed to attach to a VoIP network.

What is a login screen bypass attack?

In a login screen bypass attack, the attacker bypasses the login page by typing a URL for a page beyond the login screen.

Distinguish between transport and signaling.

In transport, data/voice is sent. In signaling, the parameters for the communication channel are determined, configured, and managed.

What is the difference between in-band and out-of-band SQL injection?

In-band SQL injection extracts data directly from the database and displays it in a web browser. Out-of-band SQL injection uses malformed statements to extract data through a different application, such as e-mail.

Why is it called mobile code?

It is called mobile code because the code travels from the webpage to the client to execute.

Why is webserver attack damaging?

It may be embarrassing to the company.

In directory access commands and URLs, what does ".." represent?

It means move to the parent of the current directory.

Why is extrusion prevention needed for intellectual property?

It prevents the loss of trade secrets.

Why must you know a server's role to know how to protect it?

Knowing what a server is meant to do allows you to determine what services must be kept on, and all others can be disallowed.

What is eavesdropping?

Listening in on another's conversations

Why is it bad to go to a malicious website?

Malicious websites can have attack scripts that automatically load an executable on a PC, which is bad.

Why may malware that allows an attacker to execute a single command on a user's computer not really be limited to executing a single command?

Malware that allows an attacker to execute a single command may be used to initiate another program that provides much greater PC access (such as a command shell).

What may happen on a compromised computer if a user mistypes the host name in a URL?

Mistyping a URL may send a user to a malicious website, where hostile mobile code is waiting to attack your PC.

What is mobile code?

Mobile code consists of commands written into a webpage that are downloaded when the page is visited.

Does the webmaster or e-commerce administrator have control over the security of other servers?

Neither the webmaster nor the e-commerce administrator has control over the security of other systems outside their purview.

Does Skype's file transfer generally work with antivirus programs?

No, Skype's file transfer generally does not work with antivirus programs.

Does Skype control who can register a particular person's name?

No, an attacker can use another person's name and impersonate him or her. Skype initial registration is open and uncontrolled.

What is PII, and why must it be prevented from leaving the firm?

PII is Personally Identifiable Information (such as SSN, date of birth, address, etc.) that must be prevented from leaving a firm in order to avoid lawsuits related to identity theft or credit card theft.

How are VLANs useful in VoIP?

Placing VoIP on a separate VLAN makes it difficult for attackers to come through the data side of the network to hack VoIP, and vice versa. It also helps to reduce traffic on the network for the data side.

In IM, what does a presence server do?

Presence servers allow two users to locate each other.

What is extrusion prevention?

Preventing certain information from leaving the company

What training should programmers who do custom programming have?

Programmers need to be trained in secure programming both in general and for their particular language and application.

What attitude should programmers have about user input?

Programmers should never trust user input. Input should be checked to make sure it does not contain anything a valid user would not enter.

What does a relay server do?

Relay servers have all messages pass through them, allowing filtering and recording.

What standards provide end-to-end security?

S/MIME and PGP provide end-to-end security.

Compare PGP and S/MIME in terms of how applicants learn the true party's public key.

S/MIME uses the traditional PKI to share keys. In PGP, keys are shared via circles of trust.

What is an SQL injection attack?

SQL injection attacks occur when an attacker enters a string that includes the user's info and another SQL query. When the program enters the input string in the SQL query, it may execute both the user's and attacker's query, providing info the attacker should not have (such as bank account routing info).

What part of the e-mail process does SSL/TLS usually secure?

SSL/TLS usually only secures the transmission of email from the client to the server.

What is Skype?

Skype is a VoIP service that currently offers free calling among Skype customers over the Internet and reduced-cost calling to and from Public Switched Telephone Network customers.

Why is Skype's use of proprietary software problematic?

Skype's proprietary software and protocols have not been studied by security professionals. This causes security professionals to be concerned about the existence of vulnerabilities, backdoors, and other security threats.

What three problems does spam create?

Spam clogs mailboxes, slows user computers, and annoys users by requiring them to spend time deleting the unwanted messages.

Why is spam filtering dangerous?

Spam filtering is dangerous because valid email will eventually be affected.

What is spam?

Spam is unsolicited commercial email.

Why is it important to minimize both main applications and subsidiary applications?

The fewer applications you have, the fewer security risks there will be.

What problem is there with Skype's encryption for confidentiality?

The problem with Skype's encryption for confidentiality is that its method is unknown. Worse yet, Skype controls the encryption keys so that it can read traffic if it wants.

In a stack overflow, what is overwritten by the overflow?

The return address in a stack is overwritten in a stack overflow.

On what servers does the tester have access permissions?

The tester should only have access to the test servers.

What three other webserver protections were mentioned in the text?

The three other webserver protections mentioned in the text were (1) website vulnerability assessment tools, like Whisker, (2) reading website error logs, and (3) using a webserver proxy in front of the webserver.

Under Internet Options in IE, what can the user do on the Security tab?

The user can select the general security settings for general, intranet, trusted, and restricted websites.

What software must be patched on an e-commerce server?

The webserver, the e-commerce server, and subsidiary programs must all be up-to-date on their patches.

How do scripting languages compare to full programming languages?

They are simpler and more limited.

Is e-mail encryption end-to-end security? Explain.

This is not end-to-end security: unless all other links in the path are encrypted (such as between mail servers, and the POP3/IMAP connection from mail server to end user client application), there is no end-to-end security.

Why should cryptographic protections be used?

To prevent eavesdropping by unauthorized people

Describe the advantages and disadvantages of each approach.

Using PKI offers the strongest security, but it is labor-intensive and can be expensive to get key pairs issued to all participants. PGP is cheaper, but the possibility of misplacing trust and having bogus public key/name pairs is high. Thus, PKI has been used in corporate environments, while PGP is primarily used in person-to-person communications.

For corporate IM, what are the advantages of using a relay server instead of only a presence server?

Using a relay server allows the company to report IM messages to satisfy legal retention and other compliance regulations.

Why is caller impersonation especially dangerous in VoIP?

VoIP caller impersonations can provide spoofed credentials, making the impersonation seem more realistic.

What is VoIP?

Voice over IP, or VoIP, is the digitization of voice and its transmission over a data network.
