Internet Productivity Suite: Open Source Security - Trust Internet Productivity Suite's open source architecture to give you the best security and productivity applications available. Collaborating with thousands of developers, Guardian Digital security engineers implement the most technologically advanced ideas and methods into their design. Click to find out more!
STRATEGIES AND COUNTERMEASURES
By: Raymond Ankobia
This discusses strategies and countermeasures that will help alleviate threats and vulnerabilities commonly found in web application development.
3.1 Security Management Programs
A security policy drafted and implemented from a holistic viewpoint with full approval of senior executives. There must be security education and awareness campaigns for the development team and administrators to foster a secure development lifecycle. Policies will ensure secure configuration of web servers and back end databases. Key amongst education campaigns is social engineering [8][7] where the attacker deceitfully extracts information directly from authorized people.
3.2 Deployment of Application Firewalls
This is a fairly new concept that offers use of gateways that specifically operate at the application layer. These are stateful, intelligent and content driven programmes/appliances that operate by checking web content. This allows for evaluation of attack signatures and exploits and prevents them from impacting on the targets. They look out and allow legitimate requests of users to reach the backend servers and databases whilst preventing, logging and alerting administrators of malicious activities. Even though these may be able to do a far better job of analysing application content including graphics, they are not a panacea and the battle is far from over. Malicious and encrypted content will still get through firewalls [6].
3.3 Using SSL/TLS (HTTPS) Protocol
SSL/TLS has become the de-facto protocol for deploying secure web applications running on HTTP. It is based on Public Key Technology and X509 certificates, and defined by the Internet Engineering Task Force (IEFT) RFC 2246. This is supported in most web browsers and provides a secure tunnel between the client and the server. The server side almost always authenticates to the client by making available its public key to the client for verification; thereby offering a mechanism to identify rogue servers that impersonate by spoofing IP addresses with wrong DNS entries [8][7].
In most situations, the client side authentication is optional. This is due largely to the overhead of requiring every client to have a public key. This provides confidentiality, integrity and authenticity of transactions between both ends of the traffic. However, it must be emphasised that hackers concentrate on attacking the endpoints'; poor deployment and implementation of applications and databases make easy break-ins.
Poor implementation of a secure protocol does not make it any better. Attention to detailed instructions from these specifications is imperative to get it right.
3.4 Sandboxing and Code Signing
This idea for using sandboxes and signing of code (especially mobile code) is to introduce trust and assurance to the end user as to the origin of the application in question. Sandboxes are restricted and non-privileged operating environments [2][1]. Java Applets use this approach by encapsulating permissions and rights to resources within the programme itself.
This provides a safer environment as the Java Virtual Machine (embedded in most browsers) consults the security manager for any violations or privileged system calls that may compromise the local computer. The author of a code may digitally sign it to give some authenticity and confidence to the end user; allowing that signature to be publicly verified using a certified public directory.
Authenticode is the approach by Microsoft for digitally signing code to provide trust and authenticity of origin. Developers of ActiveX controls/programmes may likewise sign the code to give similar level of trust and authenticity. However, discretion is left entirely to the user to check the authenticity of the digital signatures. [2] Clearly declares, "A digital signature does not, however, provide any guarantee of benevolence or competence". The Sandboxing (by Sun Microsystems) approach offers better assurance since it comes with a built-in security reference monitor that checks the access controls of the objects. These architectures are designed with Public Key Infrastructure (PKI) in mind and require education and awareness programmes on key management and certification authorities.
3.5 Use of Honeypots
These are used to lure potential crackers / hackers. The principle is one of falsifying information and placing it where hackers will eventually find it. The original concept seem to have come from [9] where he managed to bait hackers with falsified information which eventually led to their capture. This allows for the footprints of malicious activities to be logged, monitored and analysed. They help analyse the weak points that may are exposed with subsequent introduction of countermeasures that will seal any weaknesses that may be exploited. Use of this technology does have some legal implications. There is a debate as to whether this is enticement or entrapment and may require legal interpretation before use.
3.6 Using SiteDigger
This is a tool developed by Foundstone Professional Services to help web application developers and administrators test the efficacy of security measures incorporated during design. It works in conjunction with certain API's which will need to be downloaded from Google's website (http://code.google.com/). This tool will help the web application developer or administrator to scan and generate reports of any leakages on a particular website.
3.7 ISO/IEC 17799 (Part I)
This was originally a British code of practice for Information Security Management and was later adopted by ISO as a Standard [5]. This has many facets for compliance and one of them is Systems Development and Maintenance. Part II of this, is for accreditation (currently being vetted by ISO for standardisation).
It engages the certifying party through a rigorous compliance process, which includes the integration of controls and audit trails built into application systems. It encourages stringent checks and controls, Input data validation, message authentication to guard against unauthorised changes, output validation to ensure correct input and processing (the old adage "Garbage In, Garbage out), and the use of cryptographic controls to protect the confidentiality and integrity of information.
It also envisages strict and secure change control procedures and principle of least principle, by making sure that support developers are only given access to areas of their domain.
3.8 Security Audit
Self-Hack Audit [1]. The self-hack audit is an approach that uses methodology used by developers to identify and eliminate security weaknesses in an application before they are discovered and compromised. This will include checking login prompts, brute forcing passwords and setting up limits for login attempts. Penetration Testing. Particular mention is made of The Open Web Application Security Project (OWASP), which is an Open source platform used as a benchmark for testing web application vulnerabilities.
Read Entire Article:
features/features/vulnerabilities-in-web-applications
LinuxSecurity.com Feature Extras:
Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.
The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Others books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.
Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).
Bulletproof Virus Protection - Protect your network from costly security breaches with Guardian Digital’s multi-faceted security applications. More then just an email firewall, on demand and scheduled scanning detects and disinfects viruses found on the network. Click to find out more!
Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headline.
| Conectiva | ||
| Conectiva: clamav Fix for denial of service in clamav | ||
| 3rd, March, 2005
Clamav[1] is an anti-virus utility for Unix/Linux. This announcement updates clamav so it is able to update its database from the server without any problems related to its format and also because it fixes a security issue which could lead to a denial of service[2] situation. |
||
| Conectiva: kernel Kernel fixes | ||
| 7th, March, 2005
The Linux kernel is responsible for handling the basic functions of the GNU/Linux operating system. This announcement has the following important changes. |
||
| Conectiva: squid Fixes for multiple squid vulnerabilities | ||
| 8th, March, 2005
Squid[1] is a full-featured web proxy cache. This announcement fixes the following vulnerabilities for Squid. |
||
| Debian | ||
| Debian: New abuse packages fix local root exploit | ||
| 7th, March, 2005
Updated package. advisories/debian/debian-new-abuse-packages-fix-local-root-exploit |
||
| Debian: New kppp packages fix privileged file descriptor leak | ||
| 8th, March, 2005
Updated package. advisories/debian/debian-new-kppp-packages-fix-privileged-file-descriptor-leak |
||
| Fedora | ||
| Fedora Core 3 Update: HelixPlayer-1.0.3-3.fc3 | ||
| 3rd, March, 2005
Updated HelixPlayer packages that fixes two buffer overflow issues are now available. advisories/fedora/fedora-core-3-update-helixplayer-103-3fc3-11-28-00-118479 |
||
| Fedora Core 3 Update: tzdata-2005f-1.fc3 | ||
| 3rd, March, 2005
Updated package. advisories/fedora/fedora-core-3-update-tzdata-2005f-1fc3-18-50-00-118484 |
||
| Fedora Core 2 Update: tzdata-2005f-1.fc2 | ||
| 3rd, March, 2005
Updated package. advisories/fedora/fedora-core-2-update-tzdata-2005f-1fc2-18-51-00-118485 |
||
| Fedora Core 2 Update: kernel-2.6.10-1.770_FC2 | ||
| 3rd, March, 2005
Updated package. advisories/fedora/fedora-core-2-update-kernel-2610-1770fc2-18-52-00-118486 |
||
| Fedora Core 3 Update: kernel-2.6.10-1.770_FC3 | ||
| 3rd, March, 2005
Updated package. advisories/fedora/fedora-core-3-update-kernel-2610-1770fc3-18-52-00-118487 |
||
| Fedora Core 3 Update: libtool-1.5.6-4.FC3.1 | ||
| 4th, March, 2005
Libtool is a program used by many other programs to create static and dynamic libraries using a portable interface. Libtool is generally configured as part of every package that uses it. advisories/fedora/fedora-core-3-update-libtool-156-4fc31-02-56-00-118488 |
||
| Fedora Core 3 Update: firefox-1.0.1-1.3.2 | ||
| 4th, March, 2005
Some users may experience spacing issues in textareas. This update resolves those issues, updating to the latest version of the pango selection patch. advisories/fedora/fedora-core-3-update-firefox-101-132-12-58-00-118499 |
||
| Fedora Core 2 Update: ipsec-tools-0.5-0.fc2 | ||
| 4th, March, 2005
This updates ipsec-tools to 0.5, which correctly generates forward policies so that tunnels work on current kernels. advisories/fedora/fedora-core-2-update-ipsec-tools-05-0fc2-18-08-00-118507 |
||
| Fedora Core 3 Update: ipsec-tools-0.5-0.fc3 | ||
| 4th, March, 2005
This updates ipsec-tools to 0.5, which correctly generates forward policies so that tunnels work on current kernels. advisories/fedora/fedora-core-3-update-ipsec-tools-05-0fc3-18-09-00-118508 |
||
| Fedora Core 3 Update: dmraid-1.0.0.rc6-1_FC3 | ||
| 7th, March, 2005
This updates dmraid to 1.0.0.rc6, which includes support for VIA ATARAID sets. advisories/fedora/fedora-core-3-update-dmraid-100rc6-1fc3-11-00-00-118515 |
||
| Fedora Core 3 Update: selinux-policy-targeted-1.17.30-2.85 | ||
| 7th, March, 2005
Updated package. advisories/fedora/fedora-core-3-update-selinux-policy-targeted-11730-285-14-14-00-118517 |
||
| Fedora Core 2 Update: ipsec-tools-0.5-1.fc2 | ||
| 7th, March, 2005
This update fixes some packaging errors: - the /var/racoon directory is shipped, for use with the admin port - racoon correctly looks for its config file in /etc/racoon now advisories/fedora/fedora-core-2-update-ipsec-tools-05-1fc2-16-06-00-118520 |
||
| Fedora Core 3 Update: ipsec-tools-0.5-1.fc3 | ||
| 7th, March, 2005
This update fixes some packaging errors: - the /var/racoon directory is shipped, for use with the admin port - racoon correctly looks for its config file in /etc/racoon now advisories/fedora/fedora-core-3-update-ipsec-tools-05-1fc3-16-07-00-118521 |
||
| Fedora Core 2 Update: gaim-1.1.4-1.FC2 | ||
| 7th, March, 2005
This fixes the crash in the Gadu Gadu protocol, and makes Yahoo file transfer and buddy icons work for the more common non-proxy case. Unfortunately this probably breaks the less common proxy case. advisories/fedora/fedora-core-2-update-gaim-114-1fc2-20-49-00-118526 |
||
| Fedora Core 3 Update: gaim-1.1.4-1.FC3 | ||
| 7th, March, 2005
This fixes the crash in the Gadu Gadu protocol, and makes Yahoo file transfer and buddy icons work for the more common non-proxy case. Unfortunately this probably breaks the less common proxy case. advisories/fedora/fedora-core-3-update-gaim-114-1fc3-20-49-00-118527 |
||
| Fedora Core 2 Update: libexif-0.5.12-2.2 | ||
| 8th, March, 2005
Updated package. advisories/fedora/fedora-core-2-update-libexif-0512-22-12-30-00-118535 |
||
| Fedora Core 3 Update: libexif-0.5.12-3.1 | ||
| 8th, March, 2005
Updated package. advisories/fedora/fedora-core-3-update-libexif-0512-31-12-31-00-118536 |
||
| Fedora Core 3 Update: gimp-2.2.4-0.fc3.1 | ||
| 8th, March, 2005
Updated package. advisories/fedora/fedora-core-3-update-gimp-224-0fc31-13-06-00-118537 |
||
| Subject: Fedora Core 3 Update: yum-2.2.0-0.fc3 | ||
| 8th, March, 2005
New yum release fixes multiple small bugs. advisories/fedora/subject-fedora-core-3-update-yum-220-0fc3-18-58-00-118538 |
||
| Fedora Core 3 Update: grip-3.2.0-4 | ||
| 9th, March, 2005
This fixes a buffer overflow when the CDDB server returns more than 16 matches. advisories/fedora/fedora-core-3-update-grip-320-4-19-20-00-118543 |
||
| Fedora Core 2 Update: grip-3.2.0-3.fc2 | ||
| 9th, March, 2005
This fixes a buffer overflow when the CDDB server returns more than 16 matches. advisories/fedora/fedora-core-2-update-grip-320-3fc2-19-20-00-118544 |
||
| Gentoo | ||
| Gentoo: BidWatcher Format string vulnerability | ||
| 3rd, March, 2005
BidWatcher is vulnerable to a format string vulnerability, potentially allowing arbitrary code execution. |
||
| Gentoo: OpenMotif, LessTif New libXpm buffer overflows | ||
| 4th, March, 2005
A new vulnerability has been discovered in libXpm, which is included in OpenMotif and LessTif, that can potentially lead to remote code execution. |
||
| Gentoo: xv Filename handling vulnerability | ||
| 4th, March, 2005
xv contains a format string vulnerability, potentially resulting in the execution of arbitrary code. |
||
| Gentoo: Mozilla Firefox Various vulnerabilities | ||
| 4th, March, 2005
Mozilla Firefox is vulnerable to a local file deletion issue and to various issues allowing to trick the user into trusting fake web sites or interacting with privileged content. |
||
| Gentoo: ImageMagick Filename handling vulnerability | ||
| 6th, March, 2005
A format string vulnerability exists in ImageMagick that may allow an attacker to execute arbitrary code. |
||
| Gentoo: Hashcash Format string vulnerability | ||
| 6th, March, 2005
A format string vulnerability in the Hashcash utility could allow an attacker to execute arbitrary code. |
||
| Gentoo: mlterm Integer overflow vulnerability | ||
| 7th, March, 2005
mlterm is vulnerable to an integer overflow, which could potentially allow the execution of arbitrary code. |
||
| Gentoo: KDE dcopidlng Insecure temporary file creation | ||
| 7th, March, 2005
The dcopidlng script is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files. |
||
| Mandrake | ||
| Mandrake: Updated curl packages fix | ||
| 4th, March, 2005
"infamous41md" discovered a buffer overflow vulnerability in libcurl's NTLM authorization base64 decoding. This could allow a remote attacker using a prepared remote server to execute arbitrary code as the user running curl. The updated packages are patched to deal with these issues. |
||
| Mandrake: Updated gaim packages fix | ||
| 4th, March, 2005
Gaim versions prior to version 1.1.4 suffer from a few security issues such as the HTML parses not sufficiently validating its input. This allowed a remote attacker to crash the Gaim client be sending certain malformed HTML messages (CAN-2005-0208 and CAN-2005-0473). |
||
| Mandrake: Updated gftp packages fix | ||
| 4th, March, 2005
A vulnerability in gftp could allow a malicious FTP server to overwrite files on the local system as the user running gftp due to improper handling of filenames containing slashes. The updated packages are patched to deal with these issues. |
||
| Mandrake: Updated cyrus-imapd packages | ||
| 4th, March, 2005
Several overruns have been fixed in the IMAP annote extension as well as in cached header handling which can be run by an authenticated user. As well, additional bounds checking in fetchnews was improved to avoid exploitation by a peer news admin. |
||
| Mandrake: Updated imap packages include | ||
| 4th, March, 2005
The imap package was missing a requires for xinetd, which is required for using the daemon. Updated packages include this requirement. |
||
| Mandrake: Updated kdegraphics packages | ||
| 4th, March, 2005
Previous updates to correct integer overflow issues affecting xpdf overlooked certain conditions when built for a 64 bit platform. (formerly CAN-2004-0888). This also affects applications like kdegraphics, that use embedded versions of xpdf. (CAN-2005-0206) |
||
| Mandrake: Updated unixODBC packages | ||
| 4th, March, 2005
The unixODBC packages shipped with Mandrakelinux 10.1 had a couple of issues with the GUI config tools: The gtk interface gODBCConfig does not exit when it's window is closed. |
||
| Mandrake: Updated dynamic packages | ||
| 8th, March, 2005
Dynamic did not launch kaffeine on insertion of a DVD vide when using KDE as the desktop. The updated version now launches kaffeine. |
||
| Red Hat | ||
| RedHat: Moderate: squid security update | ||
| 3rd, March, 2005
Updated squid packages that fix a denial of service issue are now available. This update has been rated as having important security impact by the Red Hat Security Response Team advisories/red-hat/redhat-moderate-squid-security-update-42646 |
||
| RedHat: Low: kdenetwork security update | ||
| 3rd, March, 2005
Updated kdenetwork packages that fix a file descriptor leak are now available. This update has been rated as having low security impact by the Red Hat Security Response Team advisories/red-hat/redhat-low-kdenetwork-security-update-RHSA-2005-175-01 |
||
| RedHat: Critical: RealPlayer security update | ||
| 3rd, March, 2005
An updated RealPlayer package that fixes two buffer overflow issues is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-realplayer-security-update-56018 |
||
| RedHat: Critical: HelixPlayer security update | ||
| 3rd, March, 2005
An updated HelixPlayer package that fixes two buffer overflow issues is now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-helixplayer-security-update-82453 |
||
| RedHat: Important: xpdf security update | ||
| 4th, March, 2005
An updated xpdf package that correctly fixes several integer overflows is now available. This update has been rated as having important security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-important-xpdf-security-update-71640 |
||
| RedHat: Moderate: mc security update | ||
| 4th, March, 2005
Updated mc packages that fix multiple security issues are now available. This update has been rated as having moderate security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-moderate-mc-security-update-66451 |
||
| RedHat: Critical: mozilla security update | ||
| 4th, March, 2005
Updated mozilla packages that fix a buffer overflow issue are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. advisories/red-hat/redhat-critical-mozilla-security-update-54092 |
||
| SuSE | ||
| SuSE: cyrus-sasl remote code execution | ||
| 3rd, March, 2005
A buffer overflow in the digestmda5 code was identified that could lead to a remote attacker executing code in the context of the service using sasl authentication. |
||
| SuSE: RealPlayer remote buffer overflow | ||
| 9th, March, 2005
Two security problems were found in the media player RealPlayer. |
||
