Chapter 3 begins with an overview of how web pages can be rigged as attack vectors, and some observations about why data holding devices (servers and workstations) need protection as well as the network they are on.
Hardening the Operating System
The text lists the number of lines of code that are estimated to be in several different operating systems, including some historical versions of Windows. The point seems to be that patches and fixes are expected in larger programs. Because there is more to go wrong? Maybe, or maybe it is more likely that the pieces do not all fit together well because it is cobbled together out of lots of parts. I tried to find a definitive count for the number or lines of code in Windows 7, and only found disclaimer statements from Microsoft folks who said they can't possibly track that. Okay, so they don't pay programmers by the number of lines of code they write. It's more important to know how much RAM, how much hard drive space, and how great a processor I need to run it.
You are probably aware that Microsoft tends to release patches and such on particular Tuesdays, unless there is a pressing reason to do it sooner. The text offers a chart of definitions on page 82, explaining the difference between seven kinds of downloads you might be asked to apply to a program or an operating system. These phrases are presented in the text as though they were universally understood by all software publishers as meaning the same thing. This is not true in all cases. See the note on page 83, and take an aspirin or two as you read it over again. "Most vendors call a general security update a patch, but Microsoft calls it a security update." How's that again? Who's right and who's wrong?
The text points out that the first three types in the list typically do not address security issues, but the last four types do. On page 83, the text turns the discussion to managing patches and other updates. The four options offered by Windows are presented as representative examples of your choices:
The first three include automatically checking for updates, or their functions would not take place. In the environment of my day job, we typically do not have devices check Microsoft for updates because of the degree of customization of applications and the possibility of patches breaking some functionality. We follow the model in the next topic instead, automated patch update service.
In environments where the users do not own their computers (e.g. large companies, government offices, schools) it is better to have central control over configuration and patches. The advantages listed in the book all apply:
Buffer Overflow Protection
When programs run on a well managed operating system, they run in memory address ranges (buffers) that are allocated for their use. Well behaved programs do not attempt to use memory outside their allocated buffers. When they do reach for addresses outside allocated ranges, this is a buffer overflow. This can be enough to stop a computer from running, depending on what is in the memory that is overwritten.
As the text explains, an attacker may overflow a buffer to change the value of a pointer stored in it. (A pointer is a variable that remembers a memory address.) How does that hurt or help? Well, the pointer that the attacker is changing holds the address of the process that is legitimately using that memory. Change the pointer to the address of the attacker's malware, and you have given the malware control of the memory that was overflowed, and access to the data stored in it. More importantly, you have given the malware the ability to overwrite the data with more program code. You should see how this might allow malware to take over what a legitimate program was doing, or to gain space to load more of itself.
Two defenses against overflow attacks in Windows systems are discussed: data execution prevention (DEP) and address space layout randomization (ASLR). The text notes that neither defense is a complete solution, and they should be run together, with other defense layers.
Configuring Operating System Protection
The text lists four approaches to protecting the operating system that are typically applied together in large organizations:
Web Browser Attacks
The text describes cookies, which are not necessarily malicious themselves. The text defines a cookie as a file that a web site places on a user's computer, typically for the purpose of identifying the user on a return visit. A cookie could be called a first-party cookie if it is being used by the web site that wrote it on your machine. It is a third-party cookie if the same cookie is being accessed by any other web site (or entity).
The text points out that a separate entity might examine your cookies to tell where you have been on the Internet, what you have looked at or told other web sites, and make guesses about what advertising to show you. The text does not describe any kind of attack associated with cookies. It does mention that you could configure a browser to disable cookies, or to delete them when the browser is closed. The latter is a better option if your company uses processes that require cookies.
Java is a compiled programming language. It can be used to make large programs (Java programs) or small ones (Java applets). Java applets are typically called and downloaded by web pages. The text describes a sandbox as a secure part of memory in which a Java applet could run, while being denied access to data it should not need.
Sandboxes are used for unsigned Java applets: applets whose origin has not been verified or are not from a trusted source. Signed applets carry "proof" that they are from trusted sources and are allowed to run without sandbox restrictions. The sandbox cannot keep the Java applet from doing things like the example on page 92. A Java applet is asking the user to provide a login ID and password. The only indication that this request is not coming from the operating system is the message at the bottom of the dialog box that says "Warning: Applet window". In the larger sense, this is not even a meaningful warning. What if the applet had a legitimate need to collect an ID and a password, for instance to allow access to a database? A user should be warned to beware any process that asks for things that should not be given out to everyone.
The text turns to ActiveX. This discussion should cause you to run screaming into the night. Microsoft introduced the concept as a way to execute reusable code, and to share information between applications. ActiveX controls (add-ons, applications) have access to the entire operating system, and can do anything the user is allowed to do, once they are installed on a computer. Like Java applets, they can be viewed as being from a trusted source, however, in the same way, the source may not be aware of what the control actually does. ActiveX can be disabled in the web browser, but its functionality is not limited to the web browser.
The attack method described in the text seems to have little to do with the XSS concept, but it is interesting. The attacker sends an email to a user, collects login ID and password, and uses that information to crack the user's account on some system. The key to this attack seems to be the very unusual URL in the link sent to the user.
To defend against cross site scripting:
The last point is laughable. Users should be taught to read the address that an embedded link goes to, and make proper decisions. They should also be taught to drink and drive responsibly. Since we can't manage either one, we must live with the fact that users will follow links to bad places.
Hardening Web Servers
The text turns to attacks on web servers, which are typically public facing devices, making them obvious targets for attacks. The first topic is SQL Injection. SQL is Structured Query Language, which is used to manipulate, manage, and report on database files. The CIS 331 class at Baker is about using this language as a database administrator. The link provided here goes to my class notes for that course. The text goes over a few examples of the syntax for some SQL commands. The general format for retrieving data is like this:
SELECT column list FROM data table WHERE conditional test ;
SELECT is followed by a list of columns, which may be any columns in the table being accessed, separated by commas. If you want all columns, you can use a wildcard character. In most versions of SQL, the wild card for "all" is the asterisk. FROM is followed by the name of the table to be read. WHERE is optional, and can be used to specify which rows to retrieve. If the WHERE clause is not used, all rows will be be retrieved.
A comprehensive discussion of SQL is beyond the scope of this class.
Some of the dangers of allowing an attacker to run SQL commands on the system are access to data, loss of data, and loss of data integrity. SQL can also make calls to the operating system of the host computer.
Four defenses against SQL injection are listed:
The text starts by telling us that email systems use two protocols, then comes back with a third possibility.
SMTP servers are meant to transfer messages from one domain to another in a relay system. An open relay system is one that an attacker can use to send whatever they want, and look like whoever they want. The text proposes defenses against this that would make the system unusable:
Both of these defenses would be unacceptable to most organizations.
The text continues with a discussion of Instant Messaging (IM). IM provides live chat lines between two or more users. Recent products support voice, video, and file transfer. The text explains that IM uses a server to provide connection information to users. A user starts an IM client, which tells the server the user's IP address. The server is used to provide an IP address for every person the user is allowed to contact, but when the user initiates contact with a message, it goes directly to the other user's IP address. (A newer term that means spam sent through instant messaging is spim. This term is not used in this chapter.)
Defenses against IM attacks are based on providing protections that the service does not include:
Peer to Peer (P2P) Networks use direct IP connections between nodes. All hosts on a P2P network can request and provide services; there are no dedicated servers. This type of network is often set up for a temporary purpose, but environments that use the client-server model typically forbid their use due to the same problems inherent in IM. The text discusses BitTorrent networks, based on a protocol established in 2001. Files are shared across multiple peers on their way to a requester, which enables each receiver of a piece of a file to send a copy on to any other peer. A feature the text notes about BitTorrent networks is that files are advertised as being available: users do not have to search for them.
The text states that BitTorrent cannot be used to distribute malware, but this appears to be a misperception on the part of the author. See the discussion in the article on Wikipedia behind the link above. The author should know better than to make a statement that something cannot contain a virus.
Software Security Applications
Since some of the problems discussed in this chapter did not have satisfactory solutions, the idea of installing software to reach a solution should be welcome at this point. Several types of dedicated software solutions are discussed.
A number of applications are available that protect against viruses and more. The text discusses the scanning and monitoring features that are common. The text presents an aspect of these programs as a disadvantage: they must be continuously updated with new virus definition files (signature files) that enable the product to recognize and deal with viruses. I do not see this as a disadvantage as much as a feature. New viruses are created all the time. You should expect that you have to update your protection to make sure you are protected against all currently known threats.
Popups are defined as small web browser windows that are spawned from web pages or other processes. Popups are typically spawned to hold ads, but they can be made for additional information, input forms, or other purposes. A popup blocker can be a feature of a browser, of an antivirus product, or a free standing application.
Spam is associated with email. It should not be a surprise that an anti-spam product can be installed on your outgoing queue (your SMTP server), or your incoming queue (your POP3 or IMAP4 server). Why not both? I can't think of a reason, but the book does not discuss it.
The text also discusses contracting a third party to filter your spam, instead of applying the filter to your own system.
Some email clients can be configured to block spam, but they may have to have particular settings turned on to do so. My copy of Outlook, for example, will not let me set a rule for Junk Mail (spam) unless I change from live mode to cached mode. The Junk Mail option would allow me to block a sender, block a sender's domain, or classify a sender as safe. These are the same settings listed for the third party option above.
The last option described in the text is to install separate filtering software that works with your email client.
Personal Software Firewalls
The text spends two paragraphs on firewalls (also called packet filters). This software may be part of the operating system, part of an antivirus solution, or a standalone product. We will see more on this subject later in the text.
Host Intrusion Detection Systems
The last topic in the chapter concerns systems to detect intrusions, which may be part of a security software solution. The text talks about them falling into four groups, but these might be thought of as four security approaches that the software could take:
HID systems need a baseline of behavior in order to detect a change from the normal activity in a system. The text will revisit this concept later.