Toronto CSC 309H - Web Programming - Security


CSC309: Web Programming, Greg Wilson

- This may be the most important lecture in the course
  - Assuming you care about your data, your bank account, your reputation…
  - …and those of others
- Security is a collective responsibility
  - A system is only as strong as its weakest component
  - If you are creating CGI scripts, or sending data over the web, you are putting others at risk as well as yourself!
- Impossible to cover anything more than the basics in this lecture
  - Please read Schneier's Secrets and Lies and Beyond Fear
  - And treat everything you see in the papers with deep suspicion
  - Example: 30,000 Internet police in China?
  - No: 30,000 copies of a program called "Internet Police" installed in China
  - But identity theft is a multi-billion dollar business

- Security systems try to achieve many (often contradictory) goals
  - Let everyone who should be able to do something do it easily…
  - …while blocking people who shouldn't be able to…
  - …and gathering information about their attempts
- All three parts are important

- Most people are trustworthy most of the time
  - Preventing legitimate users from doing things annoys them
  - If people are sufficiently annoyed, they'll turn security off, or find ways around it
  - Example: best way to ensure villains can't access data is to erase it…
  - …which encourages people to write it down on scraps of paper

- Have to design the system for the villainous minority
  - Any system that relies on trust will eventually be abused
  - Be honest: do you always put a quarter in the jar when you get a cup of coffee in the staff room?
- Keeping track of how villains are trying to break in is (almost) as important as preventing them
  - A good way to find holes in your system
  - Build an audit trail in order to take legal action

- Most successful attacks use social engineering, not technology
  - Call up your bank, and see if you can get your credit card balance without your PIN
  - Helps if you sound like a grandmother who is close to tears because her poodle has just been hit by a car

- Second most successful way to attack a system is to get a job with the company running it
  - Burn an extra copy of credit card data while backing up the server
  - Take notes of all the "fix later" points from the web site security audit
  - Many companies choose not to press charges, rather than deal with bad publicity after a security failure

- Exploiting carelessness is the third
  - Many people don't bother to change the default password on their wireless router
  - Many more choose easily-guessed passwords
  - "Easy" if you have the right tools, that is
  - But once one villain builds a tool, they can all use it

- In fact, technology often makes systems less secure
  - Example: facial recognition software that works correctly 99% of the time
  - So one person in a hundred is mistakenly identified as a potential terrorist
  - 300,000 passengers a day in a busy airport
  - That's one false alarm every 30 seconds
  - How much attention do you think the guards will pay to the system after a week on the job?

- Security systems are responsible for:
  - Authentication: who are you?
  - Authorization: who is allowed to do what?
  - Access control: how are rules enforced?
- Every exploit attacks one or more of these
  - Convince the system you are someone else
  - Convince it that you're allowed to do something you're not
  - Circumvent its enforcement of the rules

- When analyzing security, look for ways to compromise the three A's
- Use defense in depth
  - If your first security mechanism fails, is there another one behind it just in case?
- First step is always risk assessment
  - What is most important to you?
  - Always remember: the real purpose of a bicycle lock is to convince thieves to steal something else

- Anyone who knows a URL can send it data
  - Therefore no guarantee that the HTTP request you receive was generated from your form
  - Input provided for a selection list may not be one of the values you offered
  - Input for a text field may be longer than the maximum you specified
  - QUERY_STRING parameters may be missing or fabricated
  - Data may not even be formatted legally…

- Validate input before using it
  - Check that all the parameters you expect, and only those, are present
  - Check that values meet constraints
  - Has someone changed price=399.99 to price=3.99?
  - Make sure special characters have been escaped
  - But watch out for double-escaping
  - Don't re-invent the wheel: every language has libraries for this
- If you can't validate it, reject it

- Always check filenames supplied by user
  - Special case of the preceding rule, but important
- Example: controlling access to documents
  - All your documents live below /web/docs
  - Check URLs with url[:9] == '/web/docs' to prevent people from accessing /home/prof/grades.xsl
  - Then get /web/docs/../../home/prof/grades.xsl
  - Analysis?
  - Solution: normalize paths before using them

- Example: temporary files
  - CGI creates temporary file /tmp/1728397.cgidata (where 1728397 is a pseudo-random number)
  - A villain with an account on the system writes a script that repeatedly looks for /tmp/*.cgidata
  - Copies contents, or overwrites
  - Analysis?
  - Solution?

- Suppose you want to build a search engine
  - Can't be bothered writing it yourself, so use
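The "validate input before using it" slides above, worked through as an added example (this is not code from the lecture). It assumes a hypothetical order form that sends item, qty and note, and a constructed server-side CATALOGUE; the point is that the set of parameters is checked in both directions (missing and unexpected), every value is checked against a constraint, the price is looked up on the server rather than trusted from the request, and HTML escaping happens once, at output time, with the standard library doing the escaping.

```python
import html
import re

# Constructed server-side catalogue (hypothetical data). The price comes from
# here, never from the request, so a client sending price=3.99 changes nothing.
CATALOGUE = {"widget": "399.99", "gadget": "12.50"}

# Every parameter the form is expected to send, with the constraint it must meet.
EXPECTED = {
    # selection list: the value must be one of the options we actually offered
    "item": lambda v: v in CATALOGUE,
    # numeric field: 1..999, digits only (the regex also rejects "-1", "1e9", "")
    "qty": lambda v: re.fullmatch(r"[1-9][0-9]{0,2}", v) is not None,
    # text field: enforce the maxlength server-side; the browser's limit is advisory
    "note": lambda v: len(v) <= 80,
}


def validate_order(params):
    """Return (clean, errors).

    clean is a dict that is safe to use, or None if anything was wrong;
    errors lists every problem found so the whole request can be rejected.
    params is assumed to be a dict of str -> str decoded from the request."""
    errors = []
    expected = set(EXPECTED)
    present = set(params)
    # All the parameters we expect, and only those, must be present.
    for missing in sorted(expected - present):
        errors.append(f"missing parameter: {missing}")
    for extra in sorted(present - expected):
        errors.append(f"unexpected parameter: {extra}")  # e.g. a client-supplied 'price'
    clean = {}
    for name in sorted(expected & present):
        value = params[name]
        if EXPECTED[name](value):
            clean[name] = value
        else:
            errors.append(f"invalid value for {name}")
    if errors:
        return None, errors  # if you can't validate it, reject it
    clean["price"] = CATALOGUE[clean["item"]]  # authoritative value from the server
    clean["qty"] = int(clean["qty"])
    return clean, []


def render_note(raw_note):
    """Escape special characters exactly once, when the value is written into HTML.

    Escaping on input and again on output is the double-escaping trap from the
    slide: '<' would reach the page as '&amp;lt;' instead of '&lt;'."""
    return html.escape(raw_note)
```

Usage: call validate_order on the decoded form parameters and reject the request whenever clean is None; keep the raw note in the clean dict and only pass it through render_note at the point where it is written into a page, so there is exactly one escaping step between the stored value and the browser.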
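The document-access example above, as an added example that is not from the lecture: the slide's prefix test url[:9] == '/web/docs' is kept as prefix_check so its two failures can be seen side by side with the fix. The first failure is the one the slide gives (the path is normalized after the check, so /web/docs/../../home/prof/grades.xsl passes); the second, which the slide's "Analysis?" invites, is that a bare string prefix ignores the directory boundary, so a path such as /web/docsevil/x also passes. resolve_document decodes once, normalizes first, and then requires the result to be the document root or something below it. The DOC_ROOT value and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/web/docs"  # assumed: all documents live below here


def prefix_check(url_path):
    """The check from the slide: compares only the first nine characters."""
    return url_path[:9] == DOC_ROOT


def resolve_document(url_path):
    """Return the normalized path of the requested document, or None to reject.

    url_path is assumed to be the raw path from the request line, so it is
    percent-decoded once here; a framework that has already decoded it should
    pass the decoded value and this step then does nothing."""
    decoded = unquote(url_path)
    # Normalize before checking: collapses '.', '..' and repeated '/' textually.
    # posixpath is used so the URL path is treated as POSIX on every host OS.
    normalized = posixpath.normpath(decoded)
    # The prefix test must respect a directory boundary: either the root itself
    # or something underneath 'DOC_ROOT/', so '/web/docsevil' is rejected.
    if normalized == DOC_ROOT or normalized.startswith(DOC_ROOT + "/"):
        return normalized
    return None
```

One caveat for real deployments: normpath works on the string only. If the directory under DOC_ROOT can contain symbolic links created by other users, the file actually opened should additionally be resolved with os.path.realpath and the containment check repeated on that result.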
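For the temporary-file example the slide leaves "Analysis?" and "Solution?" open. The analysis the slide points at is that the file lives in a directory every account can write to, its name follows a guessable pattern, and nothing stops another account from reading or replacing it. The following added example (not the lecture's code; the function names are assumptions) shows the standard-library answer: tempfile.mkstemp creates the file with O_CREAT | O_EXCL, so the call fails rather than reusing a file someone else placed there, gives it mode 0600, so other accounts can neither read nor overwrite it, and hands back the open descriptor so the data is written through that descriptor instead of reopening the file by name.

```python
import os
import stat
import tempfile


def create_private_data_file(suffix=".cgidata"):
    """Create a temporary file only this user can read or write.

    mkstemp opens with O_CREAT | O_EXCL and mode 0600 and returns the
    descriptor together with the path. The name is random, but the
    protection comes from the permissions and the exclusive create, not
    from the name being hard to guess."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    return fd, path


def is_private(path):
    """True if path is a regular file we own with no group/other permission bits."""
    st = os.lstat(path)  # lstat: do not follow a link that may have been put there
    if not stat.S_ISREG(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return stat.S_IMODE(st.st_mode) & 0o077 == 0


def write_and_read_back(data):
    """Round-trip some bytes through a private temp file; returns (private, data_read).

    The write goes through the descriptor from mkstemp, so it lands in the
    file we created and not in whatever a path lookup would find by name."""
    fd, path = create_private_data_file()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        private = is_private(path)
        with open(path, "rb") as f:
            return private, f.read()
    finally:
        os.unlink(path)  # clean up: the file should not outlive the request


if __name__ == "__main__":
    # Constructed sample input standing in for CGI form data.
    print(write_and_read_back(b"name=alice&qty=2"))
```

Where the file must be reopened later by name (for example by a second CGI invocation), the same rule applies at that point: open it with O_NOFOLLOW or check is_private first, and keep it under a directory that only the web server's account can write to rather than in a shared /tmp.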