Chapter 8 - Application Security

Question 1

What can hackers gain by taking over application programs?

Answer 1

If an attacker can take over an application, they can execute commands with whatever privileges the application has. Most applications have root permissions, so this is… pretty bad.

Question 2

What is the most popular way for hackers to take over hosts?

Answer 2

The most popular way for hackers to take over hosts is by taking over applications.

Question 3

What is a buffer?

Answer 3

A buffer is an area of RAM where programs temporarily store data.

Question 4

What is a buffer overflow attack?

Answer 4

A buffer overflow attack is an attack that relies on forcing too much data into the buffer of a program. When the buffer “overflows”, it overflows into the “address” field of the buffer, which directs where control goes after the buffer entry is “popped off” the stack. This new overwritten address points back into the over-filled buffer, where code is waiting to be executed.

Question 5

What impacts can a buffer overflow have?

Answer 5

A buffer overflow’s effects can range from absolutely nothing, to crashing a server, to running illicit code.

Question 6

Why is patching applications more time-consuming than patching operating systems?

Answer 6

Most firms will have a very small number of different operating systems to keep patched, verses a veritable “fleet” of applications.

Question 7

Why must you know a server’s role to know how to protect it?

Answer 7

Knowing a server’s role is vital to knowing how to protect it because you will be able to understand what applications and services can be removed or permissions reduced and still allow the server to fulfill its function.

Question 8

Why is it important to minimize both main applications and subsidiary applications?

Answer 8

It is important to minimize main and subsidiary applications because applications are the main source of vulnerability in machines today. Few applications means fewer possible avenues of attack.

Question 9

Why are security baselines needed for installing applications?

Answer 9

Security baselines are needed for installing applications because they will tell an installer what optional programs will be needed in an install, or what automatically-installed programs should be removed.

Question 10

Why is it important to minimize permissions for application programs?

Answer 10

It is important to minimize permissions for application programs for the same reasons that it is important to limit permissions for users; having unneeded extra access is a vulnerability if the program is compromised.

Question 11

Why is application-level authentication superior to operating system authentication?

Answer 11

Application-level authentication is superior to OS authentication because, unlike OS authentication which gives broad access to the computer, application-level authentication can give a narrower field of permissions

Question 12

Why should cryptographic protections be used between a user an applications?

Answer 12

Uh. Cryptographic protections should be used because they offer strong protection. Duh.

Question 13

What is a login screen bypass attack?

Answer 13

A login screen bypass attack is when the attacker types a URL of a page beyond the login screen when the login screen appears.

Question 14

What is a cross-site scripting (XSS) attack?

Answer 14

A cross-site scripting (XSS) attack is when an attacker sends a link to a user of a site that uses reflection prompting them to log in. This link has a script hidden at the end of it that reflects the user’s input to the attacker.

Question 15

What is an SQL Injection attack?

Answer 15

An SQL injection attack is when the attacker inputs an SQL command into a user input field in the form, which then is executed if the form is programmed poorly.

Question 16

What attitude should programmers have about user input?

Answer 16

User input is not to be trusted.

Question 17

What training should programmers who do custom programming have?

Answer 17

Programmers who do custom programming should get training in secure programming in general, focusing on their particular language.

Question 18

What risks do webservice and e-commerce service create for corporations?

Answer 18

Attacks on webservices and e-commerce services can disrupt service, harm a company’s reputation, and expose private information.

Question 19

What is the difference between WWW service and e-commerce service?

Answer 19

WWW service encompasses basic things like webhosting, retrieving static and dynamic pages. E-commerce services are things like online catalogs, shopping carts, checkout systems, and the like.

Question 20

What kinds of external access are needed for e-commerce?

Answer 20

E-commerce needs access to external sources, such as merchant banks, credit card number checking services, etc.

Question 21

Does the webmaster or e-commerce administrator have control over the security of other servers?

Answer 21

The webmaster/e-commerce administrator does not have control over the security of other servers.

Question 22

Why are custom programs especially vulnerable?

Answer 22

Custom programs are especially vulnerable because most firms do a poor job of ensuring the hardening of internally-developed applications. Most common programming languages have a tendency to produce common security failure modes that are pretty well-known.

Question 23

What is website defacement? Why is it damaging?

Answer 23

Website defacement is exactly what it sounds, where an attacker vandalizes the website of its victim. It can be damaging because it can be made to look like actual, intentional changes by the victim, saying “out of business” or something like that.

Question 24

What are directory transversal attacks?

Answer 24

Directory transversal attacks are attacks that use URLs to navigate to the root directory of the webserver in order to obtain system files, hashes, etc.

Question 25

Where is an application proxy firewall placed relative to the webserver?

Answer 25

With an application proxy firewall, it is placed between the webserver and the rest of the network.

Question 26

In staged development, what three servers do companies use?

Answer 26

In staged development, companies use the development, test, and production servers.

Question 27

What permissions does the developer have on the development server? On the testing server? On the production server?

Answer 27

On the development server, developers have extensive permissions. On the test server, developers have no access permissions. On production, developers have no permissions.

Question 28

On what servers do testers have access permissions?

Answer 28

Testers only have access permissions on test servers.

Question 29

Why do hackers attack browsers?

Answer 29

Hackers attack browsers because they are generally far less secure than servers.

Question 30

What is mobile code? Why is it called mobile code?

Answer 30

Mobile code is code that is embedded in a webpage that is executed when “visited”. It is called mobile code because the code is moved from the webserver to the client.

Question 31

What is a client-side script?

Answer 31

A client-side script is a script that is executed on the client’s machine.

Question 32

What is a java applet?

Answer 32

A Java applet is a small web program embedded in a website.

Question 33

Why is Active-X dangerous?

Answer 33

Active-X is dangerous because it can do almost anything on the client machine, and does not have much in the way of security safeguards.

Question 34

Why is it bad to go to a malicious website?

Answer 34

Malicious websites are bad because they are often host to malicious mobile code, or will deliver attack scripts.

Question 35

Why is malware that allows an attacker to execute a single command on a user’s computer not really be limited to just a single command?

Answer 35

Because that command might just be “open a command prompt”.

Question 36

What may happen on a compromised computer if a user mistypes the host name in URL?

Answer 36

On a compromised computer, when the user mistypes a URL, they might be taken to an unwanted web-page, due to the DNS-handling routine having been Trojanized.

Question 37

What dangers do cookies create?

Answer 37

Cookies have the danger about them of storing sensitive information.

Question 38

Why are HTML bodies in e-mail messages dangerous?

Answer 38

HTML bodies in e-mail messages are dangerous because they allow for the execution of mobile code.

Question 39

What three problems does spam create?

Answer 39

Spam clogs up mailboxes, slows user computers, and requires users to spend time deleting the unwanted messages.

Question 40

Why is spam filtering dangerous?

Answer 40

Spam filtering is dangerous because it may filter out legitimate messages.

Question 41

For what reason should companies filter sexually or racially-harassing message content?

Answer 41

If they do not filter sexually or racially harassing content, companies may be held responsible.

Question 42

What is extrusion prevention?

Answer 42

Extrusion prevention is a form of filtering that looks for words such as “confidential” in an attempt to keep IP and other sensitive information from leaving a company through legitimate routes.

Question 43

What is PII, and why must it be prevented from leaving the firm?

Answer 43

PII, also known as personally identifiable information, is information that could be used to identify or impersonate a person. It must be prevented from leaving a firm, because loss of such information opens a firm up to lawsuits and the like.

Question 44

Is encryption widely used in email?

Answer 44

Encryption is not widely used in email.

Question 45

What part of the email process does SSL/TSL usually secure?

Answer 45

SSL/TSL generally encrypts transmission between an email client and its mail server. This is not

Question 46

What standards of email encryption provide end-to-end security?

Answer 46

S/MIME and PGP both use digital signatures, which allow for end-to-end security.

Question 47

What does RTP add to compensate for the limitations of UDP?

Answer 47

RTP, or the Real Time Protocol, adds two things to compensate for the lossy nature of UDP:

• The RTP header has a sequence number that helps order packets that might arrive out of order.
• The RTP header has a timestamp to figure out how to play sounds at just the right time.

Question 48

Distinguish between transport and signalling.

Answer 48

Transport is the actual exchange of voice data between two parties. Signaling is any communication that manages the network (triggering ringing, call disconnection, etc).

Question 49

What are the two main signaling standards in VoIP?

Answer 49

The two main signaling standards in VoIP are H.323 and SIP (Session Initiation Protocol).

Question 50

What does the registrar server do?

Answer 50

The registar server, after verifying credentials, adds the user’s location to its registration database, which is used by proxy servers to route calls.

Question 51

What type of SIP message does a VoIP phone use when it wants to connect to another VoIP phone? How is this message routed to the called VoIP phone?

Answer 51

A VoIP phone sends a SIP INVITE message to another VoIP phone in order to request a connection. It does this by first sending the INVITE to the sender’s SIP Proxy Server, which looks for another proxy server in the recipient’s network, which then receives the INVITE.

Question 52

Are SIP proxy servers involved during transport transmissions? Explain.

Answer 52

SIP proxy servers are not involved in transport transmissions. During transmission, the two VoIP phones communicate directly in transport mode, using RTP packets, unless the servers are needed for supervisory signalling.

Question 53

What two types of communication does the media gateway translate between the VoIP network and the PSTN?

Answer 53

The PSTN gateway is used for translation when calling between a switched phone and a VoIP phone.

Question 54

What is eavedropping?

Answer 54

Eavesdropping is the act of listening in to a phone call without permission.

Question 55

Why can DoS attacks against VoIP be successful even if they only increase latency slightly?

Answer 55

DoS attacks against VoIP can be successful even if they only increase latency slightly because it can make the call laggy and unintelligible.

Question 56

Why is caller impersonation especially dangerous on VoIP?

Answer 56

Caller impersonation on VoIP can allow an attacker to use caller ID to falsely display information, causing them to look more legitimate.

Question 57

Why are hacking and malware dangerous in VoIP?

Answer 57

Hacking and malware are dangerous to VoIP because once a device is “owned”, further attacks using the compromised device become almost effortless.

Question 58

What is toll fraud?

Answer 58

Toll fraud is what happens when an attacker uses a corporate VoIP system to place free long-distance and international phone calls. These exploits tend to be shared among groups of people, and can get expensive fast.

Question 59

What is SPIT? Why is it more disruptive than SPAM?

Answer 59

SPIT is the VoIP version of spam, in the form of phone calls, which are much harder to ignore.

Question 60

What authentication methods are common on IP telephones?

Answer 60

IP telephones use several forms of authentication, from usernames and passwords, PINs, or even using SPI Identity to sign SIP messages using private keys.

Question 61

What dose SIP Identity ensure?

Answer 61

SIP Identity ensures that messages that are being received from the second-level domain they claim to be coming from.

Question 62

How can eavesdropping on VoIP be thwarted?

Answer 62

Eavesdropping on VoIP can be thwarted with encryption, plain and simple.

Question 63

What sound quality problems may encryption create with VoIP?

Answer 63

Encryption on VoIP may cause a small delay, from 5 ms to 15 ms.

Question 64

Why do firewalls have problems with typical VoIP traffic?

Answer 64

Firewalls have trouble with traditional VoIP traffic because they have a hard time not adding latency, being forced to either use little or no filtering on transport packets, instead focusing on signalling packets.

Question 65

For SIP signalling, what port has to be opened on firewalls?

Answer 65

For SIP signalling, port 5060 must be opened on a firewall.

Question 66

Why is NAT transversal problematic?

Answer 66

NAT transversal is problematic because NAT tends to change destination IP addresses, which will then prevent VoIP from functioning properly.

Question 67

How are VLANs useful in VoIP?

Answer 67

VLANs can help VoIP by segregating VoIP to a separate VLAN than the servers and clients, reducing the risk of attack.

Question 68

In instant messaging, what does a presence server do?

Answer 68

Presence servers allow the two parties in an instant message conversation to locate one another, after which, peer-to-peer conversation takes over.

Question 69

What does a relay server do?

Answer 69

A relay server is what IM messages pass through, allowing IM firms to filter out illegal or inappropriate content.

Question 70

For corporate IM, what are the advantages of using a relay server instead of only a presence server?

Answer 70

A relay server allows for IMs to be monitored, logged, or filtered.