
Hack Proofing Your E-Commerce Site


1 YEAR UPGRADE BUYER PROTECTION PLAN™

The Only Way to Stop a Hacker Is to Think Like One

• Step-by-Step Instructions for Securing Financial Transactions and Implementing a Secure E-Commerce Site
• Hundreds of Tools & Traps and Damage & Defense Sidebars and Security Alerts!
• Complete Coverage of How to Hack Your Own Site

Ryan Russell, Teri Bidwell, Oliver Steudler, Robin Walshaw
L. Brent Huston, Technical Editor
From the authors of the best-selling HACK PROOFING™ YOUR NETWORK

solutions@syngress.com

With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based service that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations.

solutions@syngress.com is an interactive treasure trove of useful information focusing on our book topics and related technologies. The site offers the following features:

• One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters.
• “Ask the Author”™ customer query forms that enable you to post questions to our authors and editors.
• Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material.
• Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics.

Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/solutions

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, and “Career Advancement Through Skill Enhancement®,” are registered trademarks of Syngress Media, Inc. “Ask the Author™,” “Ask the Author UPDATE™,” “Mission Critical™,” and “Hack Proofing™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER: 001 AERAF43495, 002 VNA49FU4FJ, 003 CAKL3956FM, 004 BNA424TURT, 005 BNTUR495QF, 006 596JFA3RRF, 007 Y745T9TBLF, 008 QW5VCD986H, 009 BN3TE5876A, 010 NVA384NHS5

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Hack Proofing Your E-Commerce Site
Copyright © 2001 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America.
Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-928994-27-X

Technical edit by: L. Brent Huston
Copy edit by: Darren Meiss and Beth A. Roberts
Technical review by: Kevin Ziese
Freelance Editorial Manager: Maribeth Corona-Evans
Co-Publisher: Richard Kristof
Index by: Robert Saigh
Developmental Editor: Kate Glennon
Page Layout and Art by: Shannon Tozier
Acquisitions Editor: Catherine B. Nolan

Distributed by Publishers Group West in the United States.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Richard Kristof and Duncan Anderson of Global Knowledge, for their generous access to the IT industry’s best courses, instructors and training facilities.

Ralph Troupe, Rhonda St. John, and the team at Callisma for their invaluable insight into the challenges of designing, deploying and supporting world-class enterprise networks.

Karen Cross, Lance Tilford, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Bill Richter, Kevin Votel, and Brittin Clark of Publishers Group West for sharing their incredible marketing experience and expertise.

Mary Ging, Caroline Hird, Simon Beale, Caroline Wheeler, Victoria Fuller, Jonathan Bunkell, and Klaus Beran of Harcourt International for making certain that our vision remains worldwide in scope.

Anneke Baeten, Annabel Dent, and Laurie Giles of Harcourt Australia for all their help.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Ethan Atkin at Cranbury International for his help in expanding the Syngress program.

Joe Pisco, Helen Moyer, and the great folks at InterCity Press for all their help.

Contributors

Ryan Russell (CCNA, CCNP) is the best-selling author of Hack Proofing Your Network: Internet Tradecraft (ISBN: 1-928994-15-6). He is MIS Manager at SecurityFocus.com, has served as an expert witness on security topics, and has done internal security investigation for a major software vendor. Ryan has been working in the IT field for over 11 years, the last 6 of which have been spent primarily in information security. He has been an active participant in various security mailing lists, such as BugTraq, for years. Ryan has contributed to four Syngress titles on the topic of networking. He holds a Bachelor of Science degree in Computer Science. Ryan wishes to thank Karen Mathews at the U.S. Department of Energy for her assistance in preparing Chapter 10.

Mark S. Merkow (CCP) has been an Information Systems professional since 1975, working in a variety of industries. For the last 12 years he has been working for a Fortune 50 financial services company in Phoenix, AZ. Mark holds a Masters in Decision and Information Systems from Arizona State University’s College of Business and is completing his Masters of Education in Educational Technology at ASU’s College of Education, specializing in developing distance learning courses. Today he serves as an e-commerce Security Advisor working with both internal and external Web designers and developers. Mark has authored or co-authored six books on computer technology since 1990, including Breaking Through Technical Jargon, Building SET Applications for Secure Transactions, Thin Clients Clearly Explained, Virtual Private Networks For Dummies, A Complete Guide to Internet Security, and The ePrivacy Imperative. In addition, Mark is a computer columnist for several local, national, and international print publications, along with an e-zine hosted at Internet.com.

Robin Walshaw (MCSE, DPM), author of Mission Critical Windows 2000 Server Administration (ISBN: 1-928994-16-4), is an independent consultant who architects security and infrastructure solutions for large corporations around the globe. By applying a combination of sound business sense and technical insight, Robin is able to design and deliver scalable solutions targeted at enabling the enterprise to effectively leverage technology. With a flair for developing strategic IT solutions for diverse clients, he has worked in the world of computers in 8 countries, and has traveled to over 30 in the last 10 years. A veteran of numerous global projects, Robin has honed his skills across a wide variety of businesses, platforms, and technologies. He has managed to scratch his head and look slightly confused in the world of security, network operating systems, development, and research. Having traversed the globe and seen its many beautiful wonders, Robin is still captivated by the one thing that leaves him breathless: Natalie, his wife. She is a light against the darkness, a beauty whose smile can melt even the coldest heart.

Teri Bidwell (GCIA) has been involved in Internet security for over 10 years as an analyst, engineer, and administrator and is a SANS-Certified GCIA Intrusion Analyst. Her career began securing Unix networks at the University of Colorado and continued as a Cisco network engineer and DNS manager for Sybase, Inc. Today, Teri is a security analyst for a firm headquartered in Reston, VA. She is a key contributor to corporate security strategy and is an advisor for e-business development. Her specialties include policy creation, vulnerability assessment, penetration testing, and intrusion detection for corporate environments. Teri received a Computer Science degree from the University of Colorado and sits on the SANS GCIA Advisory Board. She currently lives and works in Boulder, CO with her family, Clint, Wes, and Michael.

Michael Cross (MCSE, MCP+I, CNA) is a Microsoft Certified System Engineer, Microsoft Certified Product Specialist, Microsoft Certified Professional + Internet, and a Certified Novell Administrator. Michael is the Network Administrator, Internet Specialist, and a Programmer for the Niagara Regional Police Service. He is responsible for network security and administration, programming applications, and is Webmaster of their Web site at www.nrps.com. He has consulted and assisted in computer-related/Internet criminal cases, and is part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users. His theory is that when the users carry guns, you tend to be more motivated in solving their problems. Michael owns KnightWare, a company that provides consulting, programming, networking, Web page design, computer training, and other services. He has served as an instructor for private colleges and technical schools in London, Ontario Canada. He has been a freelance writer for several years and has been published over two dozen times in books and anthologies. Michael currently resides in St. Catharines, Ontario Canada with his lovely fiancée Jennifer.

Oliver Steudler (CCNP, CCDP, CSE, CNE) is a Senior Systems Engineer at iFusion Networks in Cape Town, South Africa. Oliver specializes in routing, switching, and security and has over 10 years of experience in consulting, designing, implementing, and troubleshooting complex networks. He has written articles on TCP/IP, networking, security, and data communications and also co-authored another Syngress title, Managing Cisco Network Security (ISBN: 1-928994-17-2).

Kevin Ziese is a computer scientist at Cisco Systems, Inc. Prior to joining Cisco, he was a senior scientist and founder of the Wheelgroup Corporation, which was acquired by Cisco Systems in April of 1998. Before founding the Wheelgroup Corporation, he was Chief of the Advanced Countermeasures Cell at the Air Force Information Warfare Center.

Technical Editor and Contributor

L. Brent Huston earned his Associate of Applied Science degree in Electronics at DeVry Technical Institute (Columbus, Ohio) in 1994. He has more than 10 years of experience in IT, mostly in the areas of cyber security testing, network monitoring, scanning protocols, firewalls, viruses and virus prevention formats, security patches, and hacker techniques. As President and CEO of his own information security company, MicroSolved, Inc., he and his staff have performed system and network security-consulting services for Fortune 500 companies and all levels of governmental facilities. He is well versed in the use and implementation of all the major security tools and appliances. In the past, Brent developed “Passys,” a passive intrusion detection system for Unix, and has also identified previously unknown security vulnerabilities in Ascom routers, Windows NT, and Linux operating systems. Brent is an accomplished computer and information security speaker and has published numerous white papers on security-related topics. Recently he was involved in the laboratory testing of major firewall appliances at his company’s central Ohio facilities. This testing was to prove the worthiness of each appliance as well as possible vulnerabilities that had not as yet been established by their parent companies. He reported his results both to the individual product companies and at a national security industry presentation.
Brent is also currently engaged with the Office of Independent Oversight and Performance Assurance in Columbus, OH. He was responsible for designing and implementing a state-of-the-art cyber security testing and research lab for this office, and several DOE national laboratories have utilized his expertise to perform network penetration and detection services. Such services have required a high security clearance from Brent. Brent is an Internet Security Systems Certified Engineer, Sidewinder Firewall Certified Administrator, IBM Secure Network Gateway Certified Administrator, and Phoenix Firewall Certified Administrator.

Contents

Foreword xxv

Chapter 1 Applying Security Principles to Your E-Business 1
  Introduction 2
  Security as a Foundation 3
  Confidentiality 3
  Integrity 4
  Availability 4
  Presenting Security As More Than a Buzzword 6
  The Goals of Security in E-Commerce 9
  Planning with Security in Mind 10
  Security during the Development Phase 13
  Implementing Secure Solutions 14
  Managing and Maintaining Systems in a Secure Environment 15
  Applying Principles to Existing Sites 20
  It All Starts with Risk 21
  Fix the Highest Risks First 22
  Management and Maintenance during the Patching Process 23
  Impact of Patching on Production Systems 24
  The Never-Ending Cycle of Change 25
  Developing a Migration Plan 26
  How to Justify a Security Budget 27
  The Yardstick Approach 27
  A Yardstick Approach Case Study 29
  Possible Results of Failure 30
  The Fear Tactic Approach 31
  A Fear Tactic Approach Case Study 32
  Possible Results of Failure 34
  Security as a Restriction 35
  Security as an Enabler 36
  Summary 38
  Solutions Fast Track 39
  Frequently Asked Questions 43

Sidebar: Understand the Goals of Security in the Commerce Process
• Protect the privacy of the consumer at the point of purchase.
• Protect the privacy of the customers’ information while it is stored or processed.
• Protect the confidential identity of customers, vendors, and employees.
• Protect the company from waste, fraud, and abuse.
• Protect the information assets of the company from discovery and disclosure.
• Preserve the integrity of the organization’s information assets.
• Ensure the availability of systems and processes required for consumers to do business with the company.
• Ensure the availability of systems and processes required for the company to do business with its vendors and partners.

Chapter 2 DDoS Attacks: Intent, Tools, and Defense 45
  Introduction 46
  What Is a DDoS Attack? 47
  Laying the Groundwork: DoS 48
  Resource Consumption Attacks 50
  Malformed Packet Attacks 57
  Anatomy of a DDoS Attack 60
  The Attacks of February 2000 63
  Why Are E-Commerce Sites Prime Targets for DDoS? 67
  A Growing Problem 68
  How the Media Feeds the Cycle 69
  What Motivates an Attacker to Damage Companies? 70
  Ethical Hacking: A Contradiction in Terms? 70
  Hacktivism 72
  Fifteen Minutes of Fame 72
  Hell Hath No Fury Like a Hacker Scorned 73
  Show Me the Money! 73
  Malicious Intent 74
  What Are Some of the Tools Attackers Use to Perform DDoS Attacks? 75
  Trinoo 76
  Understanding How Trinoo Works 76
  TFN2K: The Portable Monster 78
  Understanding How TFN2K Works 78
  Stacheldraht—A Barbed-Wire Offensive 81
  Understanding How Stacheldraht Works 81
  More DDoS Families 86
  How Can I Protect My Site against These Types of Attacks? 87
  Basic Protection Methods 90
  Using Egress Rules to Be a Better “Net Neighbor” 95
  Defending against the SYN’s of the Internet 99
  Methods for Locating and Removing Zombies 103
  Summary 109
  Solutions Fast Track 111
  Frequently Asked Questions 117

Sidebar: Damage & Defense Sidebars Provide You with Additional Information on Minimizing Risk
Damage & Defense… Configuration Management. One method of instigating a DoS is by altering the configuration of key devices such as routers and servers. Routing tables, registry databases, and UNIX configuration files are just a few of the potential configuration databases that can be used against a business. It goes without saying, then, that all Internet-facing devices should undergo strict change control procedures and that a backup of the last known good configuration should be available on

Chapter 3 Secure Web Site Design 119
  Introduction 120
  Choosing a Web Server 121
  Web Server versus Web Service 121
  Factoring in Web Servers’ Cost and Supported Operating Systems 122
  Comparing Web Servers’ Security Features 127
  Authentication 127
  Using CGI Applications 134
  Security Features Side By Side 134
  The Basics of Secure Site Design 143
  Creating a Security Plan 143
  Protecting against Internal Threats 145
  Adding Security Tiers beyond the Web Server 146
  Apache versus Internet Information Services 149
  Installation: The First Step 151
  Installing and Configuring Apache 152
  Installing and Configuring Internet Information Server 5.0 164
  Windows 2000 Server and Internet Information Server 5.0 Security 168
  Hardening the Server Software 173
  Install Patches 174
  Disable Unneeded Ports, Services, and Components 174
  Delete Unneeded Scripts and Files 175
  Hardening the Overall System 176
  Password Hacking and Analysis Tools 178
  Web Design Issues Dealing with HTML Code 183
  Information in HTML Code 183
  Using Server Side Includes (SSI) in HTML Code 186
  Guidelines for Java, JavaScript, and ActiveX 189
  Understanding Java, JavaScript, and ActiveX—and the Problems They May Cause 189
  Preventing Problems with Java, JavaScript, and ActiveX 191
  Programming Secure Scripts 196
  Code Signing: Solution or More Problems? 199
  Understanding Code Signing 199
  The Strengths of Code Signing 200
  Problems with the Code Signing Process 201
  Should I Outsource the Design of My Site? 202
  Understanding the Required Skills 203
  Pros and Cons of Outsourcing Design Work 204
  Workload 204
  Security 205
  Contracts and Cost 206
  No Matter Who Designs It, Double-Check before You Implement It 207
  Summary 209
  Solutions Fast Track 210
  Frequently Asked Questions 214

Sidebar: Know What You May Be Giving Away in Your HTML Code
Each hidden tag can be used with forms on your site and includes a name and a value. When the form is submitted, the name and value in the hidden field are included with the results. For example, the following line of code shows an input value of $100.00 associated with a variable called "cost." Using a text editor or HTML editing program, a hacker could alter the value so that it is changed to a lower amount. For example, the $100.00 could be changed to $1.00. This would allow buyers to purchase products at a significantly reduced amount.

Chapter 4 Designing and Implementing Security Policies 219
  Introduction 220
  Why Are Security Policies Important to an E-Commerce Site? 220
  What Is a Security Policy? 221
  Value versus Risk 222
  Security versus Services Provided 223
  Cost of Security versus Cost of Not Having Security 224
  Where Do I Begin? 225
  What Elements Should My Security Policy Address? 228
  Confidentiality and Personal Privacy Policies 230
  Requirements for Authentication 231
  Requirements for Protecting Customer Information 236
  Privacy Policies 239
  Information Integrity Policies 240
  Quality Assurance Policies 241
  Assuring Information Integrity through Technology 244
  Availability of Service Policies 244
  Are Prewritten Security Policies Available on the Net? 246
  All Organizations Are Different—and So Are Their Policies 246
  Example Policies and Frameworks 247
  A Word about the Outsourcing of Policy Development 248
  How Do I Use My Security Policy to Implement Technical Solutions? 248
  How Do I Inform My Clients of My Security Policies? 251
  Building Customer Confidence through Disclosure 252
  Security as a Selling Point 253
  Summary 254
  Solutions Fast Track 255
  Frequently Asked Questions 259

Sidebar: Learn How to Produce a Security Policy
[Figure: policy development flowchart with the steps New Security Issue; Identify Key Stakeholders; Policy Review; Conduct Procedure Review; Research; Workshop; Baseline Policy; Solicit Feedback; Edit Draft Policy; Proposed Policy Draft; Legal Review; Final Policy Draft; Executive Approval; Publication; End User Training]

Chapter 5 Implementing a Secure E-Commerce Web Site 261
  Introduction 262
  Introduction to E-Commerce Site Components 262
  Implementing Security Zones 264
  Introducing the Demilitarized Zone 266
  Multiple Needs Equals Multiple Zones 268
  Problems with Multi-Zone Networks 271
  Understanding Firewalls 272
  Exploring Your Firewall Options 272
  Designing Your Firewall Rule Set 275
  It Starts with a “Deny All” Attitude 276
  Common Ports for Common Communications 276
  Converting Pseudo-Code to Firewall Rules 278
  Protocols and Risks: Making Good Decisions 279
  How Do I Know Where to Place My Components? 280
  Profiling Systems by Risk 280
  Establishing Risk Control Requirements 282
  Creating Security Zones through Requirement Grouping 283
  Implementing Intrusion Detection 283
  What Is Intrusion Detection? 285
  Your Choices in Intrusion Detection 286
  Network-Based IDS 288
  Host-Based IDS 290
  Example of a Network-Based IDS 292
  Example of a Host-Based IDS 293
  Managing and Monitoring the Systems 295
  What Kind of Management Tasks Can I Expect to Perform? 295
  What Kinds of Monitoring Should I Be Performing? 296
  Basic System Monitoring 298
  Monitoring Your Security Devices 299
  Log File Management 300
  Should I Do It Myself or Outsource My Site? 301
  Pros and Cons of Outsourcing Your Site 302
  Co-Location: One Possible Solution 303
  Selecting an Outsource Partner or ASP 303
  Summary 305
  Solutions Fast Track 305
  Frequently Asked Questions 311

Sidebar: Chapter 5 Answers All Your Questions About Implementing a Secure Site
Q: How do I know if I am logging too much or too little information on my systems?
A: Log the information you feel that you need to make good decisions. If you have problems sifting through the logs to locate issues and you have had proper training, then you need to eliminate the log entries that you do not use to make decisions, or keep those log entries and use an automated tool to select only the entries you are interested in. You are logging too little information if you do not have a picture of your systems’ operations and your users’ behaviors.

Chapter 6 Securing Financial Transactions 313
  Introduction 314
  Understanding Internet-Based Payment Card Systems 315
  Credit, Charge, or Debit Cards: What Are the Differences? 315
  Point-of-Sale Processing 317
  Differences That Charge Cards Bring into the Picture 318
  Capture and Settlement 319
  Steps in an Internet-Based Payment Card Transaction 321
  Toxic Data Lives Everywhere! 325
  Approaches to Payments via the Internet 326
  Options in Commercial Payment Solutions 327
  Commerce Server Providers 328
  Braving In-house Resources 329
  Secure Payment Processing Environments 331
  Additional Server Controls 335
  Controls at the Application Layer 336
  Understanding Cryptography 337
  Methodology 337
  Substitution Method 337
  Transposition Method 338
  Transposition Example 339
  The Role of Keys in Cryptosystems 342
  Symmetric Keys 342
  Asymmetric Keys 342
  Principles of Cryptography 343
  Understanding Hashing 344
  Digesting Data 345
  Digital Certificates 348
  CCITT X.509 349
  Examining E-Commerce Cryptography 351
  Hashing Functions 351
  Block Ciphers 352
  Implementations of PPK Cryptography 352
  The SSL Protocol 353
  Transport Layer Security (TLS) 355
  Pretty Good Privacy (PGP) 356
  S/MIME 357
  Secure Electronic Transactions (SET) 357
  XML Digital Signatures 359
  Virtual POS Implementation 362
  ICVERIFY 362
  Alternative Payment Systems 364
  Smart-Card-Based Solutions 365
  EMV 365
  MONDEX 367
  Visa Cash 368
  The Common Electronic Purse Specification (CEPS) 369
  Proxy Card Payments 369
  PayPal 370
  Amazon Payments 370
  Funny Money 371
  Beenz 371
  Flooz 371
  Summary 372
  Solutions Fast Track 373
  Frequently Asked Questions 379

Sidebar: Complete Coverage of Third Party Merchants’ POS Systems
ICVERIFY’s features include the following:
• Importing credit card transaction data from other PC applications, such as spreadsheets or databases.
• Offline group mode to submit a batch of transactions at one time for authorization.
• Support for Address Verification Systems (AVSs), Retail AVSs, CVV2s, and CVC2s to help reduce fraud due to stolen or fraudulent cards.
• Data import analysis of files for errors before import.

Chapter 7 Hacking Your Own Site 381
  Introduction 382
  Anticipating Various Types of Attacks 382
  Denial of Service Attacks 382
  Information Leakage Attacks 384
  File Access Attacks 385
  Misinformation Attacks 386
  Special File/Database Access Attacks 387
  Elevation of Privileges Attacks 388
  Performing a Risk Analysis on Your Site 389
  Determining Your Assets 390
  Why Attackers Might Threaten Your Site and How to Find Them 392
  Testing Your Own Site for Vulnerabilities 395
  Determining the Test Technique 396
  Researching Your Vulnerabilities 399
  Mapping Out a Web Server 407
  Using Automated Scanning Tools 409
  Hiring a Penetration Testing Team 414
  Summary 418
  Solutions Fast Track 419
  Frequently Asked Questions 423

Sidebar: Tools & Traps, Security Alerts, and Damage & Defense Sidebars Make Sure You Don’t Miss a Thing
Tools & Traps… Gauge Your Threat Level with a Honeypot. A honeypot (in an information security context) is a system that is designed to be broken into. Setting up a honeypot will give you an opportunity to study tactics of attackers and possibly pick up a new attack or two along the way. Naturally, the attacker shouldn’t be aware that he has broken into a honeypot, and he should think that he’s gotten into an ordinary machine with no special monitoring. In fact, a honeypot machine typically has extensive monitoring in place around it, either on the machine itself or via the network. In order for the honeypot to be effective, as much information as possible must be collected about the attacker.

Chapter 8 Disaster Recovery Planning: The Best Defense 425
  Introduction 426
  What Is Disaster Recovery Planning? 426
  Structuring a Disaster Recovery Plan 428
  Loss of Data or Trade Secrets 429