This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
In order to build high security into a web application, it is essential to conduct security analysis of the system. This involves identification of potential threats and their analysis to come up with the most appropriate response for ensuring the security of the system. This process is known as threat modelling. Threat modelling allows identifying and rating threats and involves addressing the top threats (Meier et al, 2003) .Threat modelling involves understanding the system, identifying threats (irrespective of whether they are exploitable or not) and security requirements in the process (Myagmar et al, 2005). While some suggest identifying security requirements to enable better focus while conducting threat modelling (Oladimeji et al, 2006). Myagmar et al (2005) suggest conducting threat modelling and deriving security requirements instead of relying on standard security requirements and thereby creating security requirements specific to the system. However, Gandotra et al, (2009) advise that "It is important to be systematic during the threat modeling process to ensure that as many as possible threats and vulnerabilities are discovered by developers not by attackers". The nature and subject of this research demands following the latter approach since the research seeks to understand the current issues and threats and coming up with security requirements and solution to overcome these threats.
In order to conduct threat modelling and arrive at a solution, the security system engineering method proposed by Myagmar et al (2005) will be used. According to this, there are three phases to system security engineering:
Conducting threat modelling
Derive security requirements
Propose a solution
This method is depicted in the figure below:
Figure 1: System Security Engineering
The three phases are explained in brief in the following sub sections.
Phase 1: Threat Modeling
The approach for threat modeling suggested by Myagmar et al (2005), Meier et al (2003), Oladimeji et al (2006) & Wernli (2009) were studied and none of these could be directly applied to the social network applications directly. Now, some of social networking Web sites are involved in E-Commerce by accepting credit or debit card to buy gift online (Lee and Fung, 2007). Therefore we adopt threat model indirectly based on this approach that best fits the requirements:
Identify the components
This involves identifying the various components required to utilize social networking functionalities.
Create an architecture overview
This step involves creating a model of the architecture of the social networking applications.
This step involves identifying all threats to each of the components that were derived in step 1. This requires understanding the possible attack strategies on each of the components. The attack strategies will utilize the attack tree methods.
Attack tree methods provide a visual representation for analyzing the security of the system (Myagmar et al, 2005). This is a top-down approach allowing a systematic analysis of the security of the system. By adding up the cost or complexity of the sub-goals, the overall cost of securing the system can be arrived at.
Attack tree analysis begins with the goal of the attack at the top. This goal is then branched into sub-goals, which represent the various events leading to the main goal. The sub-goals can have 'AND' and 'OR' relationships to indicate their dependency or independency with other sub-goals (Oladimeji et al, 2006).
Analysis of the attack tree would also lead to the identification of assets that are critical from the security perspective.
Categorize the threats
The identified threats can be categorized based on the STRIDE or CIA system (Myagmar et al 2005; Torr, 2005; Wernli, 2009). The two systems are explained in brief in the tables below.
Table 1: Threat Categorization - STRIDE
Table 2: Threat Categorization - CIA
For the purpose of this thesis, since the discussion is based on security of authentication credentials, STRIDE seems to be an obvious option over CIA.
Rate the threats:
This step involves prioritizing the threats based on rank assigned to it thereby helping in understanding the ones that need to be addressed on high priority. The rating also provides an idea regarding the probability of the threat occurring and the possible impact if it occurs. This step helps identify those threats that may require no further action except educating users about it while others may require technical solutions and may warrant immediate attention.
The DREAD methodology (Damage potential, Reproducibility, Exploitability, Affected Users, and Discoverability) is used to evaluate the risk and rate the threats (Oladimeji et al, 2006; Wernli, 2009). The rating table provided by Meier et al (2003) will be utilized for ranking the threats.
Table 3: DREAD Method (Meier et al, 2003)
Threat modeling details are discussed in Chapter 4.
Phase 2: Security Requirements
The threat model prepared in first phase should help derive the security requirements of the social networking systems. If the security requirements are not well defined and has faults, then the application cannot be considered secure (Myagmar et al, 2005). The security requirements of social networking systems are discussed in Chapter 5.
Phase 3: Propose Solution
Based on the threat modeling and the security requirements derived from it, the authentication system of the top US 5 social networking sites are analyzed. This helps understand the weaknesses and strengths of each of the authentication mechanisms of each of these systems. Based on this understanding, a solution will be proposed that overcomes the weaknesses of these sites while retaining the strengths. The proposed solution will be discussed in detail in Chapter 6.
Identify the components
For using a social networking system, three categories of components are involved:
The end-user or end-user terminal: This would be the end-user who utilizes the social networking application either through his desktop, laptop or mobile phone.
Server: This is the terminal that accepts the user queries and responds to it.
Communication channel: This is the medium used for the transmission of the data e.g. internet.
Create an architecture overview
The architecture overview is modeled based on the components identified in section 4.1.
For authentication, the end-user of the social networking site will use his terminal to communicate with the server over the communication channel. The server then communicates with its back-end to identify and authenticate the user. In case of multiple-channel authentication, there will be additional communication channels such as a GSM in case of SMS and landline in case of a voice call. Multi-factor authentication such as password generators is also depicted in the model.
Figure 2: Social Networking System Model
In order to identify and rate threats, it is essential to understand the various attack strategies possible. Based on this, the threats will be identified and threat profiles will be created.
Attack Strategies on End-user and End-user Terminal
The target in this case is the end-user, end-user terminals and passwords that are generated one-time.
1. Social Engineering Attack
Social engineering attacks involve using technical or non-technical strategies to dig up information from the end-user. This requires that the end-user does not suspect anything fishy and therefore readily gives away their authentication credentials. Several methods can be employed in order to perform social engineering attack. These methods can be broadly categorized into technical and non-technical methods. The technical method mainly involves phishing while the non-technical methods involve a call or mail to the user.
Phishing: Phishing involves the combination of social engineering attack with spoofing techniques thereby tricking a user into divulging confidential information including authentication credentials that an attacker requires to impersonate the user (Engin & Kruegel 2005). Phishing attacks can be divided into two types - spoofing of emails and websites. Pharming is explained in detail in section 22.214.171.124.
Spoofing of emails is an old type of attack wherein the flaws of SMTP protocol are utilized in order to fake the email address from where the email is originating (that is, the FROM email header) (Ollman, 2004). The attacker sends spoofed emails that persuade the users to divulge their confidential information. With increasing user awareness about this type of attack, however, their success rate has reduced.
This has led to the modification of this attack so that instead of asking for confidential information, the email requests to follow a link that is basically a spoof of the organizational web site. The spoof web site appears just like the actual web site and appears to be as legitimate as possible which makes it difficult for the user to suspect. The main reason for the success of this kind of phishing is that users rely on the content of a web site instead of its URL to determine its legitimacy (Dhamija et al, 2006).
Phishing can also be carried out using malwares and Trojans. These can be delivered via emails, web sites, instant messaging programs, etc. Emails are used to send malicious content while the same may be present on such web sites. Instant messaging programs are also used to send malicious contents, spoof web site links, etc.
URL Obfuscation: Phishing attacks involve tricking users to follow a link to a spoof web site. Even though there have been attempts by most social network web sites to increase user awareness about checking the URL before providing authentication credentials, many studies indicate that users still do not check the URL of the web site (Florencio et al, 2007). URL can be obfuscated by several methods as explained below:
Fake Domain Names: Attackers intentionally utilize domain names that are similar to that of the organization's genuine web site domain name.
URL with Login: This was an old trick that is no longer supported by most web browsers now. It involved using a URL of the format http://username:password@hostname/path.
Host Name Obfuscation: This involves using IP addresses instead of the domain name thereby tricking the users.
Vishing: This involves calling a user and impersonating as employees or agents of the target organizations in an attempt to acquire information. Emails may also be sent to call up a certain number that is used by the attacker to obtain the confidential information.
2. Special Knowledge Attack
This involves taking advantage of the fact that the user might have stored the authentication credentials. Social networking sites may not always allow for your choice of user names and the user might end up with a user name that is not easy to remember. Also, with so many user names and passwords to remember, it is not unlikely that users prefer to write them down. Users can either write them down on a paper or in a file stored on their computer, or may even use their web browser's auto-fill feature to store the password.
Shoulder Surfing: An attacker can observe a user when s/he is providing his/her authentication credentials and figure them out. This type of attack targets a particular user and cannot be conducted on a large scale. While this may not be a problem for those users who typically visit the web sites from home, those who use cyber cafes or computers in public areas are susceptible to such attacks. Cameras may also be used for this purpose.
Simple Brute Force Attacks: Like shoulder surfing, simple brute force attack also usually targets a particular user. In simple brute force attack, an attacker continually tries different permutations of authentication credentials in order to obtain access to the account. This type of attack works especially well when the password is non-numeric and also when the attacker knows the user personally. However, simple brute force attacks are easier to detect and the usual strategy of most social networking websites is to lock or block the account after a few (usually 3 or 5) unsuccessful attempts to login (Florencio et al, 2007).
3. Identity Theft or Impersonation
In section 2.4, real-life examples of two victims of impersonation were provided. Attackers pretended to be the victim and created a user account on the victim's name obtaining access to their social network and harming them by misusing their account. Schneier (2009) wrote an article that explains how one could easily create fake accounts in social networking sites.
Attack Strategies on End-user Terminal
Authentication credentials can also be obtained through the user's terminal (desktop, laptop, or mobile phone). There are many ways of achieving this -
By compromising user's terminal
By stealing terminals
By obtaining physical access to the terminal
By exploiting the vulnerabilities of web browsers
1. Snooping using Malwares
Snooping is stealing of user's confidential information. Malwares are malicious software that gets installed on a user's terminal through social engineering attacks i.e. without the knowledge of the user about the harm it could do. Malwares allow an attacker to monitor the actions on the terminal thereby enabling them to take advantage. Viruses, Trojan horses, and spywares are examples of malwares. Malware creation has grown by a staggering 25,000% since 2000 (Milletary, 2007). Malwares can be easily reconfigured to target multiple sites, changing and adding new sites as required. Presently,
according to a report by Sophos (2010), the increase in the rate of malware and spam attacks currently stands at 70% on users of social networking websites like facebook and twitter. Malwares are of the following types:
Key-loggers: Key-loggers are a type of electronic surveillance software that is capable of capturing and recording the keystrokes and mouse clicks made by a user. These keystrokes and mouse clicks are then communicated to the attacker through the malware. These are software key-loggers. Hardware key-loggers are also available but are limited in its usage since it requires physical access to the user's PC. This method works well for public computers in cyber cafes for example. Use of virtual keyboards prevents this type of attack.
Screen loggers: Screen loggers are also a type of electronic surveillance software. These software search the terminal for sensitive information. This includes the registry, the auto-fill feature of web browsers, etc. With screen loggers, the attackers took an image of this screen to break the second level as well.
Trojan Horses: The strongest type of malware attack can be carried out using Trojans. Trojans can perform a host of other attacks already discussed like snooping using key logging or screen logging, or attacks on the communication channel (network sniffing, MITM attacks, etc. - see section 4.3.3. for more details). User awareness regarding phishing techniques has led to the attackers looking for alternate methods and Trojan seems to have answer to their needs. It is worth noting here that in 2000, there were 81% viruses and 14% Trojans in all of malwares while in 2007, there were 5% viruses and 90+% Trojans (Milletary, 2007).
2. Token Theft
Tokens are usually small hardware devices that can be easily lost or stolen. These could then be misused. If the authentication is based on token alone, then it becomes easier for the attacker. However, even in two-factor authentication, it provides the attacker with one factor of authentication and the other factor such as passwords can be identified using other types of attacks discussed earlier.
Attack Tree of End-user and End-user Terminal
The attack tree of the end-user and end-user terminal can therefore be derived as:
Figure 3: Attack Tree of End-user and End-user Terminal
Attack Strategies on Communication Channel
The communication channel which is usually the internet is used for transmitting data from the user's terminal to the social networking server and vice versa. The attack strategies include redirecting traffic, sniffing, hijacking sessions, and man-in-the-middle attacks.
1. Traffic Redirection
One of the attack strategies on communication channel is to redirect traffic. This can be achieved by redirecting the traffic to a fraudulent web site, creating a rogue DHCP server or wireless access point. These are explained in brief below:
Pharming: Pharming attack redirects traffic to a fraudulent website. In this case, pharming would mean theft of authentication credentials of a user through redirection to a fraudulent web site. This can be easily achieved by changing the hosts file on a user's terminal. It can also be achieved by exploiting the weaknesses in the DNS server software. DNS poisoning is one method whereby an authentic URL is resolved into an IP address that leads to the fraudulent web site (Ollman, 2004).
Rogue DHCP Server: A Dynamic Host Configuration Protocol or DHCP server is a networking protocol that is utilized for retrieving information like which IP address is assigned to which machine and other networking related configuration information. If a rogue DHCP server is set up, then an attacker can send fraudulent network information. This can enable redirection of traffic.
Rogue Wireless Access Point: With free wireless access available in public locations such as cafés, airports, etc., they also have become favorite targets of attackers. An attacker can set up a rogue wireless access point which can be accessed by a user who would continue working normally while providing the attacker access to all information including authentication credentials.
2. Man-in-the-middle (MITM) Attacks
This is when the attacker becomes a medium between the user and the server so that when the user tries to log into a social networking site, it actually connects the user to the attacker's server who in turn connects to that social networking site. Since all the information is passing to the social networking server via the attacker's server, the attacker is able to save all confidential information including authentication credentials on his server. This type of attack also enables the attacker to modify information that it receives from the user's machine when sending it across to the social networking server. Since the user is able to access all services and perform all the transactions normally, the use remains unaware of the MITM attack (Milletary, 2007).
3. Session Hijack
Session hijacking involves exploiting the session key usually used for managing user information in a web application. This is implemented generally by using cookies which can be easily stolen from a user's computer by an attacker using an MITM attack for example.
4. Network Sniffing
Network sniffing works is quite similar to the MITM attack except that the attacker is not in the middle but rather disguises as the server for a user and vice versa.
Attack Tree of Communication Channel
The attack tree of the communication channel in a social networking site can therefore be derived as:
Figure 4: Attack Tree of Communication Channel
Attack Strategies on Social Networking Server
Bulk Guessing Attack
Bulk guessing attack is explained nicely in Florencio et al (2007) with a simple example. Assume that a social networking web site has 10 million users. If this social networking web site allows passwords of 6 digits, it would mean that on an average, considering each possible combination of passwords based on 6 digits, each password will be used by about ten different users. Based on this information, an attacker could then use a brute force attack to guess user names for a given password. Unlike brute force attack that would require multiple logins for a particular user name, this method would require only one login attempt per user. It is noteworthy, however, that 10 million attempts would be required to get 10 successful logins (Florencio et al, 2007). The success rate of this attack can be reduced by using longer passwords with combination of alphabets, numbers and symbols to make the guess work difficult.
Social Networking Policy Violation
All social networking web sites have their policies to protect the privacy of their users. According to these policies, system administrators and other employees are allowed to have access to the user information for strictly business purposes only. Employees who have access to the sensitive information can intentionally leak or accidentally expose a user account. This can usually occur if the social networking system has poor access control or has adopted a poor authentication methodology.
Attack Tree of Social Networking Server
The attack tree of the communication channel in a social networking site can therefore be derived as:
Figure 5: Attack Tree of Social Networking Server
Attack Tree of the Social Networking System
The figure below shows an attack tree of the social networking system. Unlike a bank where the objective of an attacker is to get financial gain, the end-goal of an attacker of a social networking system could be many. The common goal is to obtain credentials which can then be used to obtain sensitive information about the user to obtain financial gain, defame him/her or the organization where s/he works, stalk or harass the user, etc. Hence, the attack tree starts with the common goal of obtaining credentials represented by a diamond. This is broken down into the components that an attacker could target to achieve the goal. The components are represented with rectangular boxes. Next within each component, hexagonal boxes are used to show the possible ways of attacking that component which are broken down into attack strategies represented again by hexagonal boxes. Attack vectors that could lead to achievement of an attack strategy are represented using circles. Attack vectors may need to combined with other attack vectors in an 'AND' or 'OR' relationship in order to achieve an attack strategy (Oladimeji et al, 2006).
Figure 6: Attack Tree of the Social Networking System
The attack tree helps us identify the threats to the social networking system in terms of authentication. From the attack tree, it can be concluded that authentication credential can be obtained:
through phishing (URL obfuscation, fake web site, and spoofed email)
by stealing (credentials on paper, using brute force or shoulder surfing)
by snooping (malware)
by obtaining physical access to terminal or token (malware)
by network sniffing
by redirecting transaction traffic (malwares)
by modifying transaction (MITM)
by hijacking session
by modifying traffic (pharming)
through bulk guessing attack
through policy violation
The attack tree analysis helped in identifying the assets that are critical to the security of the social networking system. These include:
Authentication mechanism integrity
Based on the information gathered in previous steps,
Table 4: Template for Threat Profile
Table 5: Threat Profile 1
Table 6: Threat Profile 2
Table 7: Threat Profile 3
Table 8: Threat Profile 4
Table 9: Threat Profile 5
Table 10: Threat Profile 6
Table 11: Threat Profile 7
Table 12: Threat Profile 8
Table 13: Threat Profile 9
Table 14: Threat Profile 10
Table 15: Threat Profile 11
Table 16: Threat Profile 12
One of the advantages of threat modeling is that it allows threats to be rated and thereby prioritize. Based on the total score and rating, the threats have been sorted to give a priority list:
Table 17: Threat Prioritization based on rating