Security of Web Servers and Web Services

Volker Hockmann (Techniker Krankenkasse, Hamburg, Germany), Heinz D. Knoell (University of Lueneburg, Germany) and Ernst L. Leiss (University of Houston, USA)
DOI: 10.4018/978-1-60566-014-1.ch173

Abstract

Web servers and the Web services associated with them have become increasingly important in the last few years. Online banking, e-mail, and money, business-to-business (B2B), and business-to-client (B2C) transactions are growing rapidly. It is difficult to imagine modern business without these forms of networking. However, there are also significant negative aspects. In many cases, due to competitive pressures, companies and government agencies had to implement these services very fast, often too fast and without any appreciation of the concepts of security and protection. As a consequence, it turns out that a hacker can misuse these Web services with little effort or compromise the underlying database (e.g., to obtain access to credit card numbers or social insurance information). A very significant percentage of the population in developed and developing countries is using wired and wireless connections for reading e-mails, accessing newsgroups, or using Internet banking. All these services are running on a Web server. Most Web servers are running the Apache or the Microsoft Internet Information Server (IIS) (all versions of both servers [Apache 1.3.x/2.x, IIS 3-6]) (Netcraft, 2006). Of these, older versions of the Internet Information Server are especially vulnerable to numerous attacks. Therefore, an attacker is in a position to break, with little effort, into many Web servers running IIS 4 or 5. However, the Apache Web server (running on Windows systems) is also vulnerable to similar attacks. Moreover, using a Web server based on UNIX or Linux is not a guarantee of a secure system. UNIX and Linux systems are also affected by inherent weaknesses and vulnerabilities such as buffer overflows and the handling of format strings (ZDNet, 2006). Readers who would like a more general insight are referred to works by Leiss (1990) and Garfinkel and Spafford (2002). These books give broader perspectives on Internet security.

Introduction

Web servers and the Web services associated with them have become increasingly important in the last few years. Online banking, e-mail, and money, business-to-business (B2B), and business-to-client (B2C) transactions are growing rapidly. It is difficult to imagine modern business without these forms of networking.

However, there are also significant negative aspects. In many cases, due to competitive pressures, companies and government agencies had to implement these services very fast, often too fast and without any appreciation of the concepts of security and protection. As a consequence, it turns out that a hacker can misuse these Web services with little effort or compromise the underlying database (e.g., to obtain access to credit card numbers or social insurance information).

A very significant percentage of the population in developed and developing countries is using wired and wireless connections for reading e-mails, accessing newsgroups, or using Internet banking. All these services are running on a Web server. Most Web servers are running the Apache or the Microsoft Internet Information Server (IIS) (all versions of both servers [Apache 1.3.x/2.x, IIS 3-6]) (Netcraft, 2006). Of these, older versions of the Internet Information Server are especially vulnerable to numerous attacks. Therefore, an attacker is in a position to break, with little effort, into many Web servers running IIS 4 or 5.

However, the Apache Web server (running on Windows systems) is also vulnerable to similar attacks. Moreover, using a Web server based on UNIX or Linux is not a guarantee of a secure system. UNIX and Linux systems are also affected by inherent weaknesses and vulnerabilities such as buffer overflows and the handling of format strings (ZDNet, 2006).

Readers who would like a more general insight are referred to works by Leiss (1990) and Garfinkel and Spafford (2002). These books give broader perspectives on Internet security.


Hacker, Cracker, and Attacker

In many technical articles as well as in the popular IT press one can read about hackers and crackers; sometimes there are references to cyberpunks and script-kiddies. But what is a hacker, and when is a hacker a cracker? What is the definition of a script-kiddie?

A hacker is someone with substantial technical know-how. A hacker (and it is almost always a male) is very interested in developing and administering systems. The hacker is frequently motivated by a search for knowledge and an interest in improving the hacker’s own systems and programs. A cracker, on the other hand, is someone who is often more interested in breaking into a server to access data or to subvert the functioning of the server. The cracker may also break into systems for money (Davis, 2002; Pipkin, 2002).

Script-kiddie is a derogatory term for someone who is interested in computers but does not have enough knowledge to break into systems using personal ideas or scripts. Therefore, a script-kiddie uses existing and frequently well-known and easy-to-find (often downloadable) techniques and programs. A very dangerous aspect of this is that script-kiddies do not know enough about the tools and the relations between the tools and the compromised system. Often they destroy more through their lack of knowledge than they intended (HoneyNet, 2000).

However, for the affected user, it does not greatly matter what kind of attacker is trying to break into the system. Maybe it is one of the company’s own employees, who only wants to “improve” a system. Or it is a former employee who wants to retaliate for some perceived injustice. Or a script-kiddie has just found a new and interesting tool to hack into a Web server and has, by pure coincidence, deleted all customer data on a company’s server.

All of these attackers are in a position to hack into a system, either intentionally and knowingly or more or less accidentally. In the next section we will talk about “the attacker.” This term covers all types of persons who are able to destroy, change, or delete data on systems.

Key Terms in this Chapter

Blog: Blog can be defined as easily produced, updatable Web pages that individuals can use to express their views on the subject matter.

Podcasting: Podcasting can be defined as Internet-based audio relay medium. Audio files are commonly created in mp3 format and posted on the Web for others to listen.

Synchronous Communication: Synchronous communication can be defined as real-time communication between two people. Examples include face-to-face or phone communication.

Videoblogging: Videoblogging is the use of video conferencing software to communicate and collaborate audiovisually over the Internet.

Asynchronous Communication: Asynchronous communication can be defined as communication occurring at different times between two people. This form of communication commonly lacks immediate response. Examples include e-mail or voice mail communication.

Culture: Culture can be defined as a distinct set of beliefs, values, traditions, and behaviors that exists in a society.

Group Work: Group work can be defined as a kind of activity in which 2, 3, or 4 individuals commonly work together to achieve a specified task.

Vandalism: Vandalism is a deliberate destruction of construct or content against the will of the proprietor or owner.

Wikipedia: Wikipedia is a multilingual and free encyclopedia on the Internet.

Cultural Relativism: Cultural relativism is the judgment of a particular culture in its own set of values, beliefs, and standards.
