Compuserve Chat
Web Security: Are You Safe?
3/22/1997 11:00 AM PST
-------------------------------
Anne Papina: Welcome to the "Web Security" conference!
Today we welcome Dr. Edward Felten, co-author of "Java Security: Hostile Applets, Holes and Antidotes" (Wiley). Today we will discuss several dangerous Web security flaws as well as tell you simple things you can do to protect yourself. Also joining us is Dr. Gary McGraw, co-author of Java Security. In light of recent security flaws discovered in MS Internet Explorer, it's important to have the facts so that you can surf the Web with confidence. This conference is being hosted by the Java(tm) Users Support Forum GO JAVAUSER. Drs McGraw & Felten, do you have anything you'd like to add?
Edward Felten: We'd be happy to talk about anything pertaining to Web security, though our book focuses on Java.
Gary McGraw: With all the new systems like Java, ActiveX, plugins and so on, security is more complicated than ever.
Edward Felten: The recent MS Internet Explorer flaws are a good example. They mostly involved interactions between separate parts of the software: browser and OS, file system and browser, and so on.
Question from - Steve O'Keefe: I'm concerned with Netscape's cookies. If I give my cookie to someone, does that mean they can track my browsing?
Edward Felten: Technically, they give the cookie to you. If you accept the cookie, then your browser will give it back to their site the next time your browser goes to their site.
Gary McGraw: Yes. Cookies are meant to save you time logging in and stuff, but they can be used to track your usage.
Edward Felten: That means they can tell it's the same person who was there before. It's no big deal if (say) the New York Times knows you're the same person who read the paper yesterday. It's probably not even a big deal if they know which sections you personally read, though some people would have problems with that. What worries people is when cookies are used in clever ways to track people across sites. That can only happen if the sites are cooperating in some way.
Gary McGraw: A lot of people think that Web browsing is anonymous. Cookies are a good example of why that is not always true.
Edward Felten: Right. You should assume when you browse the Web that the sites you visit know who you are. There are some tools designed to provide anonymous browsing. The best-known one is www.anonymizer.com
Gary McGraw: Plus your browser is a blabbermouth. It tells the Web site you visit what machine and OS you have, what kind of browser you're using and so on.
Question from - Steve O'Keefe: My main concern is not that the New York Times knows what sections I read, but could they find out what other sites I visited from the cookie?
Edward Felten: They could. One way this can happen is if the sites have banner advertisements. Most Web ads are inline images (within the page you are visiting). The advertising images themselves are loaded from a third-party site. That third-party advertising agency could give you a cookie when you visit the NY Times site. When you visit (hypothetically, of course) Playboy, if they have a banner ad from the same advertiser, your browser will go back to the advertiser and will present the cookie you got at the NY Times site.
Gary McGraw: Communicator (Netscape 4) will have a way of setting things so your browser does not take cookies.
Edward Felten: The result is that the advertiser learns that you visited both the Times and Playboy. If lots of sites use the same online ad agencies (and they often do), that means a lot of information about browsing patterns in the hands of the advertisers. If you use Netscape 4, you can configure it to avoid this, as Gary said.
Gary McGraw: You know the direct marketing people. They love to track demographics right down to the block you live on.
Question from - Jamie Baxter: Is Netscape Navigator more secure than Internet Explorer?
Edward Felten: I'm not really in the business of product endorsements, since I have to work closely with both companies. I honestly think they have comparable security levels. Gary?
Gary McGraw: That is a tough question. Let's avoid a direct answer and just say that MSIE is interesting because it is so closely integrated with the desktop. Some of the recent MSIE problems are a result of that. And just to be fair, the recent Shockwave problems have to do with plugins and Netscape. Apparently Shockwave can read your mail.
Question from - Jamie Baxter: Can you give us an example of any real harm done as a result of insecure browsing?
Edward Felten: Sure. About a month ago, some people in Canada and the U.S. got burned by a browsing-related scam, some to the tune of $10,000. The bad guys put up a Web site promising nudie pictures, only you had to download a special viewing program to see them. The viewing program contained a Trojan horse. It silently hung up the phone connection to your ISP, and redialed an Internet Service Provider in the Republic of Moldova. That costs about $3 a minute, and the Moldovan phone company pays a bounty to the people who receive the expensive calls. Later, when you told your software to hang up the phone, it wouldn't --- you'd stay connected until you shut off your machine or tried to make a phone call.
Gary McGraw: Another famous example in the news had to do with ActiveX misusing Intuit's Quicken program to transfer funds to some cracker's accounts. The Chaos Computer Club set this up as a publicity stunt and a warning. They are in Germany.
Question from - buddy: Would you describe some security measures to prevent damage from files received via Java down load?
Edward Felten: If you're really scared, you can always disable Java, though that's not much fun. Our book has a list of a few simple things you can do to protect yourself. There are six of them:
(1) Know what Web sites you're visiting. (Stay out of bad neighborhoods.)
(2) Know what browser version you're using, and whether you have Java enabled.
Gary McGraw: The Java language has a built in security model that tries to protect you from hostile code. Sorry Ed.
Edward Felten: (3) Use up-to-date browsers with the latest security updates and patches.
Gary McGraw: Here's another: (3a) learn about the security models set up in your browser software and the Java system!
Edward Felten: (4) Pay attention to all those security warnings your browser displays. They are there for a reason.
Gary McGraw: Also keep an eye on the news. These days really important security bugs get lots of press.
Edward Felten:
(5) If the information on your computer is truly critical, use drastic measures, like turning off Java, or browsing on a separate computer. And finally,
(6) assess your risks, so you know what you have to lose if something goes wrong.
Gary McGraw: People with especially critical data might consider even connecting to the Net in the first place.
Question from - buddy: How about viruses via email?
Gary McGraw: The thing that makes Java so interesting is that it makes running somebody else's code automatic and as easy as surfing the Web. And yep, e-mail with "executable content" suffers from the same problem. Say somebody mails you a cool new program and it runs when you read your mail. It could be a Trojan horse or a virus.
Edward Felten: Or if you have an HTML-enabled mail program, any Web-based attack can be an email-based attack.
Gary McGraw: The people who designed Java tried to make it impossible to do bad things with applets. They were not always successful. But they did make a real honest effort to solve a tough problem: running untrusted code safely.
Question from - Rex Morrow: I was preparing my question and see you have already answered it but here goes. In view of recent publicity here in New Zealand, where we have had people browsing the web, and then being billed by the local telephone company for calls to overseas: Is there any way we can become aware of this while that activity is happening?
Edward Felten: I can't think of an easy way to tell. You could set things up so that dialing activity is audible, but the attacker can always turn down the sound before dialing.
Gary McGraw: You should always keep your ears and eyes open on the Web. One good idea would be to avoid loading suspicious software and executing it. The Moldova thing was actually done like that. It was not a Java applet. If it had been, it is unlikely that it would have been able to do the bad things it did.
Edward Felten: The heart of the problem is that PC operating systems don't have a good way to contain programs that are running. But Java does, so Java gives you the possibility of running downloaded programs securely.
Gary McGraw: Hence the comment earlier about MSIE being tied to the Win32 desktop. Our book addresses how Java tried to protect you. How it works. And how it sometimes doesn't.
Question from - Robert Kitchenham: Are e-mail messages sent from a compuserve account to an internet address secure? Is it safe to give out credit card information for a purchase in this way?
Gary McGraw: I would never use unencrypted e-mail to send anyone my credit card number.
Edward Felten: If you send data over the net unencrypted, there's a decent chance that somebody will be able to overhear it. There have been hundreds or thousands of cases of people "snooping" on net connections.
Gary McGraw: It is too easy for somebody to "sniff" packets for data like credit card numbers and collect them automatically.
Edward Felten: The solution to this problem is to use an email-encrypting tool like PGP or S/MIME, but most mailers don't support that yet.
Gary McGraw: You can write a program to do it....that is why I don't like it when people respond, "but what about giving your waiter a credit card at a restaurant." One of these years, all Internet packets will be able to be encrypted *and* authenticated for origin.
Edward Felten: You can even buy off-the-shelf net snooping tools, since there are legitimate reasons for people to snoop on their own nets: for example, to diagnose problems.
Question from - Steve O'Keefe: When I give my credit card using a supposedly "Secure" form in Netscape, can I comfortably rely on that security?
Edward Felten: I think it's secure enough for credit card numbers.
Gary McGraw: Let's put it this way. I trust SSL to order books from MIT Press on the Web.
Edward Felten: After all, the law limits your liability to $50 unless you behave improperly.
Gary McGraw: The problem is not really the connection though. What do the people at the other end do with your ccard info?
Edward Felten: In the real world, most credit card fraud is perpetrated by merchants and their employees.
Gary McGraw: Do they store it in an insecure database in plaintext on the Web??! Horrors. Ed's Web spoofing stuff had an example of abusing the SSL things.
Edward Felten: Right. We found that it's possible to trick people into believing they have a "secure" connection when they really don't.
Gary McGraw: Web spoofing is a way of taking control of somebody's view of the Web. Then you control what they see and find out where they go.
Edward Felten: Everything looks right: the little blue key (or lock) icon lights up, "Get Document Info" gives correct-looking information, but the bad guy is really spying on all of your transactions.
Gary McGraw: See the SIP (Secure Internet Programming) website for more info: http://www.cs.princeton.edu/sip
Edward Felten: You can get a pointer to a more detailed paper about Web Spoofing there.
Question from - Anne P./Moderator: With more businesses establishing an online presence ... what options does a business have for improving online security?
Edward Felten: The most important thing is to safeguard the security of your Web server.
Gary McGraw: You need to assess your risks and manage them accordingly. Some machines should never be on the Net.
Edward Felten: There are plenty of books with information on how to do that, but the general idea is to turn off services that you don't need, turn off login accounts that you don't need, and keep up to date on the known vulnerabilities.
Gary McGraw: Of course, the most secure machine is one that is "off" and is buried in a hole.
Edward Felten: The next best thing is to have an "expendable" Web Server machine that has no other purpose.
Gary McGraw: I think the number one thing is to learn as much as you can about the Net and the Web.
Edward Felten: Then if somebody penetrates your Web server, you only lose your site data, which you have a backup copy of (right?).
Gary McGraw: Sure. Backups...that's the ticket. Things like Java and ActiveX make the security story more complicated. If you're interested in using Java to do on-line business or interactive code, why not read our book?
Anne P./Moderator: Now would be a good time to give us information on how to get your book!
Gary McGraw: Most bookstores have it now. But you can always buy it over the Web. Check out amazon.com.
Edward Felten: The book's Web site is http://www.rstcorp.com/java-security.html
Anne P./Moderator: The ISBN is 0-471-17842. BTW, the "Java Security" book can be ordered at 1-800-225-5945
Gary McGraw: There is info there about how to order, a Java security Hotlist with many links, pointers to popular press articles, blurbs, and so on. There's also a CD-ROM BTW.
Question from - Jamie Baxter: Can you tell us about using CGI scripts to protect against Java Applet theft?
Edward Felten: What do you mean by "Java Applet theft"?
Gary McGraw: What is Java applet theft?
Jamie Baxter: When someone steals the code from your web page for a Java Applet that you have created.
Gary McGraw: If you are worried about that, you might consider having an applet "front end" and keeping the proprietary code on your server.
Edward Felten: Once you let somebody download your applet, you should assume they can disassemble it.
Gary McGraw: But then you have a server bottleneck (a problem with CGI solutions). Keep in mind that though Java applets are easily disassembled back to source, 486 code is too!
Edward Felten: There is a very good Java decompiler available, so unless you run some kind of obfuscator on your applet, people can almost get your exact source code back. Bummer.
Question from - Steve O'Keefe: Recently, a civil servant in Washington State was publicly reprimanded for spending hours online at porn sites. I have two questions related to this: 1. How was that information compiled, and 2. Do you foresee a scenario where web surveillance and security flaws could literally topple a government?
Gary McGraw: 1) Sounds like his employer was monitoring his Web usage. It is easy to do that. I think that is an invasion of privacy myself...but the employee was supposed to be working, I suppose.
Edward Felten: The law seems to allow employers to monitor their employees' email and net access. Not everybody is happy about that. Security flaws can be very embarrassing. For example, when the CIA Web site is hacked, it makes the CIA, and by implication the rest of the government, look stupid.
Gary McGraw: E-mail can also be used as evidence against employers, for things like race and sex discrimination. Some famous examples of that in the news lately. I don't know about toppling the government.
Edward Felten: Email evidence goes back at least to the Iran/Contra case, when Ollie North's email was being recorded on backup tapes. He thought he had deleted it, but it was still there.
Gary McGraw: The thing about the DOJ and CIA Website hacks is that the PR people run those sites, not the infosec folks.
Edward Felten: And in the Rodney King beating case, some of the cops typed email-type messages to each other afterward; those ended up as evidence.
Question from - Steve O'Keefe: Would using PGP have helped secure those e-mail messages?
Gary McGraw: Yep. With PGP, unscrambling the message without a key is very hard.
buddy: I wanted to thank both authors.
Gary McGraw: You're welcome. I hope you enjoy(ed) the book!
Edward Felten: You're welcome.
Anne P./Moderator: I'd like to thank our guests as well! Do you have any last words of advice for us?
Edward Felten: Be skeptical.
Gary McGraw: Here's a nice little poem that summarizes what I think of Java security. This is by Peter Neumann.
Java is Hot. Java is Cool.
Its use is riddled with holes that fool.
Java security takes us all back to school.
(hmm, actually I think "holes" is "risks"...sorry PGN.)
Edward Felten: That's all. Peter is a computer scientist, not a poet.
Anne P./Moderator: Thanks! The name of the book again is "Java Security: Hostile Applets, Holes, and Antidotes" (Wiley) and it can be found in bookstores everywhere, as well as ordered at 800-225-5945.
Gary McGraw: See http://www.rstcorp.com/java-security.html
For more information about this and other conference transcripts, please email 74431.2303@compuserve.com.
Copyright 1997 Glenbrook Systems, Inc. All Rights Reserved.