Security of Web Servers and Web Services

Introduction

Web servers and the Web services associated with them have become increasingly important in the last few years. Online banking, e-mail, and money, business-to-business (B2B), and business-to-client (B2C) transactions are growing rapidly. It is difficult to imagine modern business without these forms of networking.

However, there are also significant negative aspects. In many cases, due to competitive pressures, companies and government agencies had to implement these services very fast, often too fast and without any appreciation of the concepts of security and protection. As a consequence, it turns out that a hacker can misuse with little effort these Web services or compromise the underlying database (e.g., to obtain access to credit cards numbers or social insurance information).

A very significant percentage of the population in developed and developing countries is using wired and wireless connections for reading e-mails, accessing newsgroups, or using Internet banking. All these services are running on a Web server. Most Web servers are running the Apache or the Microsoft Internet Information Server (IIS) (all versions of both servers [Apache 1.3.x/2.x, IIS 3-6]) (Netcraft, 2006). Of these, older versions of the Internet Information Server are especially vulnerable to numerous attacks. Therefore, an attacker is in a position to break, with little effort, into many Web servers running IIS 4 or 5.

However, the Apache Web server (running on Windows systems) is also vulnerable to similar attacks. Moreover, using a Web server based on UNIX or Linux is not a guarantee for a secure system. UNIX and Linux systems are also affected by inherent weaknesses and vulnerabilities such as buffer overflows and the handling of format strings (ZDNet, 2006).

Readers who like to have more general insight are referred to works by Leiss (1990) and Garfinkel and Spafford (2002). These books give broader perspectives on Internet security.

Hacker, Cracker, And Attacker

In many technical articles as well as in the popular IT press one can read about hackers and crackers; sometimes there are references to cyberpunks and script-kiddies. But, what is a hacker, when is a hacker a cracker? What is the definition of a script-kiddie?

A hacker is someone with substantial technical know-how. A hacker (and it is almost always a male) is very interested in developing and administrating systems. The hacker is frequently motivated by a search for knowledge and interest in improving the hacker’s systems and programs. A cracker on the other hand is someone who is often more interested in breaking into a server to access data or to subvert the functioning of the server. The cracker may also break into systems for money (Davis, 2002; Pipkin, 2002).

Script-kiddie is a derogative term for someone who is interested in computers but does not have enough knowledge to break into systems using personal ideas or scripts. Therefore, a scrip-kiddie uses existing and frequently well-known and easy-to-find (often downloadable) techniques and programs. A very dangerous aspect of this process is that script-kiddies do not know enough about the tools and relations between the tools and the compromised system. Often they are destroying more with their lack of knowledge than they intended (HoneyNet, 2000).

However, for the affected user, it does not greatly matter what kind of attacker is trying to break into the system. Maybe it is one of the company’s own employees, who only wants to “improve” a system. Or it is a former employee who wants to retaliate for some perceived injustice. Or a script-kiddie just found a new and interesting tool to hack into a Web server and has by pure coincidence deleted all customer data on a company’s server.

All of these attackers are in a position to hack into a system, either intentionally and knowingly or more or less accidentally. In the next section we will talk about “the attacker.” This means all types of persons who are able to destroy, change, or delete data on systems.