Protecting from Meddling Web Applications

The current Web 2.0 (or AJAX) trend is to keep all processing off the local computer and present only the final 'drawing' of the web application: forms or lightweight widgets that pose a very low security threat. However, many software companies still cling to old-school (read: outdated and insecure) web application technologies that can leave your security cracked wide open.

So, how do you protect yourself from web applications that want to meddle with your computer?

Example scenario:

A vehicle service company has created an online ticketing system for fast problem reporting and resolution. A rent-a-car company which uses the vehicle service needs to use the application for logging faults in its fleet. At first use, the web application does not work on any computer at the rent-a-car company. After some analysis, the security administrator concludes that the web application requires an ActiveX control to be installed on the client PCs in order to work - something explicitly denied by the security policy.
Since business comes before security, the rent-a-car managers decide that everything must be done to get the service web application working properly. Thus, the ActiveX control is set as trusted and everything is fine.

Two months later, the service company ticketing web server crashes. At the same time, during regular fleet inventory, the rent-a-car company concludes that 17 luxury rentals are missing and have not been seen for at least a week. The GPS locators of the cars are found at an abandoned parking structure connected to a car battery.

Suspecting that the system administrators are in on the theft, the police bring in forensic teams that sift the systems for incriminating evidence. They find none, but they do find a trojan horse in the ActiveX control downloaded from the vehicle service company's web server, which tampers with database records. The vehicle service company is contacted for investigation, and it turns out that the web server has since been formatted: it crashed due to corruption of several system files on the day the 17 cars went missing. The manufacturer of the web ticketing application is also contacted and its ActiveX control is analyzed. The original ActiveX control contains no malicious code.

After the incident, the rent-a-car company files a damages suit against the service company, and the vehicle service company fires the administrator for gross negligence.

The entire chain of events in this scenario is a simple case of a non-core-competence comedy of errors:
  1. Both companies have a completely non-IT core business, and as such are most likely to use the cheapest product on the market, as long as it works.
  2. Their security awareness is an afterthought. The rent-a-car company trusted a foreign application and installed it on their computers.
  3. The foreign application was downloaded from the Internet, and there was no way to confirm that the application was unmodified.
  4. At the same time, the vehicle service company hosted a web application on its own resources without proper knowledge and implementation of security.
  5. ActiveX as a technology is risky - it has no technical security of its own; it simply relies on the user's permission to trust and install it. After that, the control has unrestricted access to anything the user has access to - even hardware (keyboard, disk drives, network...).
Conclusion and Recommendations:
There are simple and effective strategic steps to alleviate the risks of this scenario.

If you are in a role similar to the vehicle service provider:
  1. Focus on your core competence and outsource the application hosting to a reputable IT hosting company.
  2. When purchasing applications, add a functional requirement for minimal interference with client-side systems.
  3. Request periodic reporting on the security of the hosted application from an independent source (auditor).
  4. Request that all code and information transferred via the Internet be signed with a code signing certificate issued by a trusted issuer.
If you are in a role similar to the rent-a-car company:
  1. Have a strict security policy and don't allow foreign code within your network (create isolated tunnels, separate isolated stations or a similar level of isolation).
  2. Request periodic reporting on the security of the hosted application from an independent source (auditor).
  3. Request that all code and information transferred via the Internet be signed with a code signing certificate issued by a trusted issuer.
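To make the last recommendation checkable on the client side, here is an added PowerShell example (not code from the original post or from any vendor named in it) that verifies a downloaded ActiveX control before it is trusted: the Authenticode signature must be valid and chain to a trusted issuer, the signer must be the expected publisher, and the file hash must match the one the vendor supplied out of band. The control path, the signer subject and the expected hash are assumed placeholders.

```powershell
# Added example: gate an ActiveX control on signature, signer and vendor hash.
param(
    [string]$ControlPath    = 'C:\Windows\Downloaded Program Files\TicketingControl.ocx', # assumed path
    [string]$ExpectedSigner = 'CN=Example Ticketing Vendor',                              # placeholder subject
    [string]$ExpectedSha256 = '<SHA256 supplied by the vendor out of band>'               # placeholder hash
)

function Test-ActiveXControl {
    param([string]$Path, [string]$Signer, [string]$Sha256)

    if (-not (Test-Path -Path $Path)) { return "MISSING: $Path" }

    # 1. Authenticode: 'Valid' means the file is unaltered since signing and the
    #    certificate chains to a root the machine trusts. Anything else is rejected.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        return "REJECT: signature status $($sig.Status) ($($sig.StatusMessage))"
    }

    # 2. Pin the publisher: a valid signature from an unexpected signer is still a red flag,
    #    since any code signing certificate would satisfy step 1.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notlike "$Signer*") {
        return "REJECT: signed by '$subject', expected '$Signer'"
    }

    # 3. Compare with the hash the vendor published, so a modified build that was
    #    re-signed with a different (but trusted) certificate is caught as well.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        return "REJECT: SHA256 $actual does not match the vendor-supplied hash"
    }

    return "OK: $Path signed by '$subject' (thumbprint $($sig.SignerCertificate.Thumbprint))"
}

Test-ActiveXControl -Path $ControlPath -Signer $ExpectedSigner -Sha256 $ExpectedSha256
```

Run it from a scheduled task or logon script on the client PCs and treat any line that does not start with OK as an incident to raise with the service provider rather than something to click through.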

Talkback and comments are most welcome



Aice Nice Concepts said...

Information security is really important, especially in databases; we should also think like a hacker to know the important security aspects of web sites... I'm very interested to learn all of these, especially in databases. Your posts are relevant and informative.

Bozidar Spirovski said...

Thank you for the nice comment. Please post here if you wish a specific topic covered.
