Chapter 2. Online Vulnerabilities

Terms you need to understand

• Java

• JavaScript

• ActiveX

• Cookies

• Cross-site scripting

• SMTP relay

• Lightweight Directory Access Protocol (LDAP)

• Wireless Application Protocol (WAP)

• Wireless local area network (WLAN)

• Wi-Fi

• Wired Equivalent Privacy (WEP)

• Back doors

Techniques you need to master

• Understanding the common vulnerabilities present in web-based technologies

• Knowing the common vulnerabilities of LDAP services

• Recognizing the more common considerations in performing a site survey

A common saying about the only truly secure computer is that it is one left in its box and connected to nothing. Although this might be an oversimplification, it is true that the moment a computer is connected to a network, the requirements for securing against unwanted intrusion multiply. In this chapter, you will examine vulnerabilities common to many standard technologies that may be exposed by connecting to the Internet.

Web Vulnerabilities

One primary area of network security involves the use of a public web server. Web security includes client-side vulnerabilities presented by ActiveX or JavaScript code running within the client’s browser, server-side vulnerabilities such as Perl, Active Server Page (ASP), and common gateway interface (CGI) scripting exploits and buffer overflows used to run undesirable code on the server, and other forms of web-related security vulnerabilities such as those involving the transfer of cookies or unsigned applets.

Java and JavaScript

Many websites use a scripting language created originally by the Netscape Corporation and now known as JavaScript. Unlike Java, the compiled language created by Sun Microsystems, JavaScript code is transferred as source to the client’s browser, where it is interpreted and used to control and manipulate many browser settings.

Java Vulnerabilities

Unlike many languages, Java can operate on many different computer platforms, which has made it a popular option for web delivery of application content. Java source is compiled to intermediate bytecode that is executed within a platform’s Java Virtual Machine (JVM), allowing the same Java application to run properly on a Linux, Mac OS, or Windows platform. Because Java is a precompiled language, a Java-based mini-program, called an applet, may present many security risks to the client, including those identified in Table 2.1. Applets execute when the client machine’s browser loads the hosting web page.

Table 2.1. Some Identified Vulnerabilities of the Java Language


JavaScript Vulnerabilities

Unlike precompiled Java applets, JavaScript is interpreted within the client’s browser environment. Because it is interpreted and executed within the client’s environment, JavaScript vulnerabilities must be addressed based on the operating system and browser version in use on each client. Table 2.2 identifies the most common vulnerabilities; remember, however, that new vulnerabilities are regularly discovered.

Table 2.2. Some Identified Vulnerabilities of JavaScript


Exam Alert

Remember that Java is a compiled language that can lead to the execution of arbitrary commands or direct manipulation of data, while JavaScript is a client-side interpreted language that mainly poses privacy-related vulnerability issues.

ActiveX Controls

Microsoft developed a precompiled application technology that can be embedded in a web page in the same way as Java applets. This technology is referred to as ActiveX, and its controls share many of the same vulnerabilities present in embedded Java applets.

ActiveX controls may be digitally signed using an Authenticode signature, which is verified by its issuing certificate authority (CA). Unlike Java applets, where browser configuration settings control the possible behavior of the applet, ActiveX controls are restricted based on whether they are signed. ActiveX controls do not have restrictions on which forms of action they may enact.

If a user configures his browser to allow execution of unsigned ActiveX controls, controls from any source performing any action may be enacted by visiting a website hosting the control embedded within the HTML page.

Cookies

To overcome the limitations of a stateful connection when scaled to global website deployments, the Netscape Corporation created a technology using temporary files stored in the client’s browser cache to maintain settings across multiple pages, servers, or sites. These small files are known as cookies and may be used to maintain data such as user settings between visits to the same site on multiple days, or to track user browsing habits such as those used by sites hosting DoubleClick banner advertisements.

Privacy Issues

Many sites require that browsing clients be configured to accept cookies to store information such as configuration settings or shopping-cart data for electronic commerce sites. Cookies may be used to track information such as the name and IP address of the client system and the operating system and browser client being used. Additional information includes the name of the target and previous URLs, along with any specific settings set within the cookie by the host website.

Exam Alert

Although cookies generally provide benefits to the end users, spyware would be most likely to use a tracking cookie. A tracking cookie is a particular type of permanent cookie that sticks around, whereas a session cookie stays around only for that particular visit to a website.

If cookies are accessed across many sites, they may be used to track the user’s browsing habits and present the user with targeted advertising or content. Many users believe this is a violation of their privacy.

Session Values

Cookies may also be used to store session settings across multiple actual connections to a web server. This proves helpful when connecting to a distributed server farm, where each page access might be handled by a separate physical server, preventing the use of session variables to maintain details from one page to another.

This is useful in electronic commerce sites where a shopping cart application might add items from multiple pages to a total invoice before being transferred to a billing application. These cookies are also useful to provide custom user configuration settings on subsequent entries to web portals whose content is presented in a dynamic manner.

The danger to maintaining session information is that sites may access cookies stored in the browser’s cache that may contain details on the user’s e-commerce shopping habits, along with many user details that could possibly include sensitive information identifying the user or allowing access to secured sites.
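As an added illustration of the distinction drawn above between session cookies and permanent tracking cookies (example code, not part of the original chapter), the following Python classifies constructed Set-Cookie headers as a browser would see them: a cookie with a future Expires or Max-Age outlives the visit, and one scoped to a domain other than the page’s own is the third-party, tracking kind. The host and cookie names are made up for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers, as a browser might receive them while loading a
# page on www.example-shop.test (all cookie names and domains are made up).
PAGE_HOST = "www.example-shop.test"
SAMPLE_HEADERS = [
    "cart=item42,item17; Path=/; Secure; HttpOnly",
    "prefs=theme=dark; Max-Age=2592000; Path=/; Domain=.example-shop.test",
    "id=7f3a; Expires=Wed, 09 Jun 2031 10:18:14 GMT; Domain=.ads-tracker.test; Path=/",
    "old=1; Max-Age=0; Path=/",
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def has_expiry(attrs):
    return "max-age" in attrs or "expires" in attrs


def is_persistent(attrs, now=NOW):
    """A cookie outlives the browser session only if it carries a future expiry.
    Max-Age takes precedence over Expires, as in RFC 6265."""
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) > 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) > now
        except (TypeError, ValueError):
            return False
    return False


def is_third_party(attrs, page_host):
    """True when the cookie is scoped to a domain that is neither the page's host
    nor one of its parent domains, i.e. it was set by another site's content."""
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return False  # host-only cookie: belongs to the page host itself
    host = page_host.lower()
    return not (host == domain or host.endswith("." + domain))


def classify(header, page_host=PAGE_HOST, now=NOW):
    """Label a Set-Cookie header as session, persistent, tracking or expired."""
    name, _value, attrs = parse_set_cookie(header)
    persistent = is_persistent(attrs, now)
    third_party = is_third_party(attrs, page_host)
    if persistent and third_party:
        kind = "tracking"      # permanent cookie set by a foreign domain
    elif persistent:
        kind = "persistent"    # survives between visits, first-party
    elif has_expiry(attrs):
        kind = "expired"       # Max-Age=0 or past Expires: tells the browser to delete it
    else:
        kind = "session"       # discarded when the browser closes
    return {"name": name, "kind": kind, "third_party": third_party,
            "secure": "secure" in attrs, "httponly": "httponly" in attrs}


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header))
```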

Common Gateway Interface Vulnerabilities

A server-side interpretation option is the use of common gateway interface (CGI) scripts, often written in the Perl language. Because these scripts are interpreted on the server system, generally using user input values, they are highly subject to exploitation in many ways. Most exploits can be grouped into two general categories:

• CGI scripts may leak information about the server.

• CGI scripts used to process user input data may be exploited to execute unwanted commands on the server.

These exploits may allow the identification of configuration details of the server that may be helpful to later unauthorized access attempts, a process often referred to as profiling.

Because any process that can execute functionality on the server has inherent access rights, improperly formed CGI scripts could be used to execute arbitrary commands on the server, change server configuration settings, and even create unauthorized user accounts on the server that could later be used to gain greater control over the server.

CGI script creation requires many considerations for security, including the following:

• Poorly written CGI scripts may leak information about the server, such as the directory structure and any running applications and daemons.

• Data input should always include a default value and character limitations to avoid buffer overflow exploitation.

• CGI wrapper scripts should be used when possible to perform pre-execution checks on input, change the ownership of the process, or restrict process access within the file system.

• Many standard scripts are installed in default web server installations. These are in known folder locations and often contain sample code that is not designed for security and may include well-known exploits.

• It is possible for poorly written CGI scripts to pass user input data directly to the shell environment, which could allow a properly formatted input value to execute arbitrary commands on the web server.
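The last two bullets describe the pattern that leads to command execution and the pre-execution checks that prevent it. The following Python, an added example rather than code from the chapter, shows a CGI-style handler the vulnerable way (form input concatenated into a shell command string) beside a hardened version that applies a default value, a length limit, and a character whitelist before placing each value into an argument list; the parameter names, rules and form values are assumptions for illustration.

```python
import re
import subprocess

# Per-parameter rules (assumed for this example): default value, maximum length,
# and a whitelist of allowed characters. A hostname may not start with '-' so that
# a value cannot be mistaken for a command-line option by the program it is passed to.
PARAM_RULES = {
    "host": ("localhost", 253, re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")),
    "count": ("1", 2, re.compile(r"[1-9][0-9]?")),
}


def vulnerable_command(form):
    """The pattern the chapter warns about: raw form fields concatenated into a
    string that would be handed to the shell. A host value containing a shell
    metacharacter (';', '|', '`', '$(') would be read by the shell as a second command."""
    return "ping -c %s %s" % (form.get("count", ""), form.get("host", ""))


def get_param(form, name):
    """Pre-execution check: apply the default, the length limit and the whitelist."""
    default, max_len, pattern = PARAM_RULES[name]
    value = form.get(name, default)
    if len(value) > max_len or pattern.fullmatch(value) is None:
        raise ValueError("rejected parameter %r" % name)
    return value


def safe_command(form):
    """Hardened form: validated values go into an argument list, so each value is
    exactly one argument and no shell ever interprets it."""
    return ["ping", "-c", get_param(form, "count"), get_param(form, "host")]


def run_safe(form):
    """Execute the validated command without a shell (subprocess.run's default)."""
    return subprocess.run(safe_command(form), capture_output=True, text=True, timeout=15)


def handle_request(form):
    """CGI-style entry point: returns (HTTP status, body). Rejected input produces a
    generic 400 rather than an error trace that would profile the server."""
    try:
        argv = safe_command(form)
    except ValueError as exc:
        return 400, str(exc)
    return 200, " ".join(argv)


if __name__ == "__main__":
    tainted = {"host": "host.test; whoami", "count": "1"}
    print(vulnerable_command(tainted))   # string the shell would split into two commands
    print(handle_request(tainted))       # (400, "rejected parameter 'host'")
    print(handle_request({"host": "host.test"}))
```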

Browser Threats

The evolution of web network applications, Web 2.0 interactive interfaces, and other browser-based secure and anonymous-access resources available via the HTTP and HTTPS protocols presents an “anytime/anywhere” approach to enterprise network resource availability. As more applications are migrated into the browser, attackers have an increasingly large attack surface area for interception and interaction with user input and for directed attacks against web-based resources. The global nature of the Internet allows attackers to place web-based traps in countries of convenience, where law enforcement efforts are complicated by international legal variance.

Browser-based vulnerabilities you should know for the exam include the following:

Session hijacking—Because browsers access resources on a remote server using a predefined port (80 for HTTP or 443 for HTTPS), browser traffic is easily identifiable by an attacker who may elect to hijack legitimate user credentials and session data for unauthorized access to secured resources. Although Secure Sockets Layer (SSL) traffic is encrypted between endpoints, an attacker who crafts a web proxy with SSL can allow a user to connect securely to this proxy system and then establish a secured link from the proxy to the user’s intended resource, capturing plain-text data transport on the proxy system even though the user receives all appropriate responses for a secured connection.

Cross-site scripting (XSS)—By placing malicious executable code on a website, an attacker can cause an unknowing browser user to conduct unauthorized access activities, expose confidential data, and provide logging of successful attacks back to the attacker without the user being aware of their participation. XSS vulnerabilities can be used to hijack the user’s session or to cause the user accessing malware-tainted Site A to unknowingly attack Site B on behalf of the attacker who planted code on Site A.

Add-in vulnerabilities—Active content within websites offers an attractive attack space for aggressors, who may craft special “drivers” required for content access that are in fact Trojans or other forms of malware. Other attackers craft malware to take advantage of unpatched add-ins to directly inject code or gain access to a user’s system when a vulnerable browser is directed to an infected website.

Buffer overflows—Like desktop and system-based applications, many web browser applications offer an attacker a mechanism for providing input in the form of a crafted uniform resource locator (URL) value. By extending the input values beyond the memory space limitations of the expected input values, an attacker can inject code into adjacent memory space to allow execution of arbitrary code on the web server.

Exam Alert

When presented with a question that relates to mitigating the danger of buffer overflows or XSS attacks, look for answers that relate to input validation. By restricting the data that can be input, application designers can reduce the threat posed by maliciously crafted URL references and redirected web content.

Peer-to-Peer Networking

Internet-based services often make use of the same client-server or n-tier (three or more layers including client, middle processing tiers, and server or source computers) architecture as their older enterprise-based applications. However, many services have evolved to a more decentralized architecture of resource availability better suited to the global Internet. These services negotiate connections directly between clients, without requiring access to a single central server.

The common BitTorrent file-sharing application is an example of this type of resource-sharing peer-to-peer (P2P) solution, allowing users to transport files between remote clients without passing through a central server for access. This presents difficulties for access restriction because any two clients may negotiate connections using random ports and protocols, bypassing traffic analysis and access control restrictions.

Instant Messaging

Enterprise and personal instant messaging (IM) clients such as AOL, Yahoo! Messenger, and Windows Live Messenger enable users to rapidly check availability and communicate both synchronously and asynchronously with peers, family members, and co-workers. These applications have increased in sophistication to include video and audio teleconferencing, file-sharing, and desktop/application-sharing capabilities in addition to the basic textual chat functions from early server operator communications clients.

Attackers develop viral malware capable of spreading through contacts listings within IM clients. Others focus on capturing IM traffic and cached logs of past conversations, in an attempt to obtain useful or harmful information. The file-transfer and desktop-sharing capabilities of many clients present challenges against unauthorized data sharing, while creative attackers make use of the audio and video capabilities to directly “tap” unwary IM users.

Simple Mail Transport Protocol Relay

Although not specifically a web-related problem, the possible exploitation of Simple Mail Transport Protocol (SMTP) relay agents to send out large numbers of spam email messages is included because many web servers include a local SMTP service used by server-side processes to perform Mailto functions needed within the website.

Spammers search for unprotected SMTP relay services running on public servers, which may then be used to resend SMTP messages to obscure their true source.
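As an added example (not from the chapter), the following Python contrasts the recipient-acceptance logic of an open relay with that of a restricted one: mail is relayed only when it is inbound for a local domain, or when the connecting client is on a trusted network or has authenticated. The domains, networks and sessions are constructed for illustration.

```python
import ipaddress

# Constructed configuration for a hypothetical mail host serving example-corp.test.
LOCAL_DOMAINS = {"example-corp.test", "mail.example-corp.test"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]

# Constructed SMTP sessions: (connecting client IP, passed SMTP AUTH?, RCPT TO address).
SESSIONS = [
    ("203.0.113.5", False, "victim@other-domain.test"),  # outside host, no auth, foreign recipient
    ("203.0.113.5", False, "alice@example-corp.test"),   # inbound mail for a local mailbox
    ("10.20.3.4", False, "partner@other-domain.test"),   # workstation on the internal network
    ("203.0.113.9", True, "partner@other-domain.test"),  # roaming user who authenticated
]


def open_relay_policy(client_ip, authenticated, recipient):
    """The misconfiguration spammers search for: every RCPT TO is accepted, so the
    server forwards mail from anyone to anyone and obscures the true origin."""
    return True


def restricted_relay_policy(client_ip, authenticated, recipient):
    """Accept a recipient only when the message is inbound for one of our domains,
    or the client has shown it belongs to us (trusted network or SMTP AUTH)."""
    _, _, rcpt_domain = recipient.rpartition("@")
    if rcpt_domain.lower() in LOCAL_DOMAINS:
        return True  # delivery to our own users is not relaying
    if authenticated:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable client address: never relay
    return any(addr in net for net in TRUSTED_NETWORKS)


def relay_decisions(policy, sessions=SESSIONS):
    """Run every session through a policy; True means the RCPT TO would be accepted."""
    return [policy(*session) for session in sessions]


if __name__ == "__main__":
    print("open relay:", relay_decisions(open_relay_policy))
    print("restricted:", relay_decisions(restricted_relay_policy))
```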

Protocol Vulnerabilities

Many protocols contain common vulnerabilities that may be manipulated to allow unauthorized access, including SSL connections and Lightweight Directory Access Protocol (LDAP).

SSL/TLS

Transport Layer Security (TLS), including SSL-encapsulated data transfer, may be exploited in many ways. The encapsulated data stream could potentially be compromised through cryptographic identification of the key, although modern 128-bit keys are considered to provide a sufficient level of encryption.

Exam Alert

HTTPS (HTTP over SSL) and SSL use X.509 digital certificates and operate over port 443. Do not confuse HTTPS with the less commonly used Secure Hypertext Transport Protocol (S-HTTP) that operates over port 80 along with regular HTTP traffic.

SSL connections are also particularly vulnerable during the handshake process, where client and server exchange details of the shared encryption keys to be used. Malformed certificates may be used to exploit the parsing libraries used by SSL agents, allowing the compromise of security details and possible code execution on the compromised system. Many forms of buffer overrun may also be used during the SSL handshake process, to compromise the secured connection, along with code execution and system compromise possibilities.

SSL certificates may also be used to establish links vulnerable to packet sniffing by using compromised self-signed or expired certificates. Configuring client browsers to raise an alert when blocking content provided through self-signed certificates can help to reduce this threat. Other exploits include the use of small key sizes, outdated certificate revocation lists, and other mechanisms intended to provide weak or compromised SSL certificates.

LDAP

Lightweight Directory Access Protocol provides access to directory services, including that used by Microsoft Active Directory. LDAP was created as a “lightweight” alternative to earlier implementations of the X.500 Directory Access Protocol and communicates on port 389. Its widespread use influences many other directory systems, including the Directory Service Markup Language (DSML), Service Location Protocol (SLP), and commercial products such as Microsoft Active Directory. Variations of LDAP share many common vulnerabilities, including the following:

• Buffer overflow vulnerabilities may be used to enact arbitrary commands on the LDAP server.

• Format string vulnerabilities may result in unauthorized access to enact commands on the LDAP server or impair its normal operation.

• Improperly formatted requests may be used to create an effective denial-of-service (DoS) attack against the LDAP server, preventing it from responding to normal requests.

File Transfer Protocol Vulnerabilities

Another common publicly exposed service involves the File Transfer Protocol (FTP) defined within the TCP/IP suite. FTP servers provide user access to upload or download files between client systems and a networked FTP server. FTP servers include many potential security issues, including anonymous file access and unencrypted authentication.

Anonymous Access

Many FTP servers include the ability for anonymous access in their default installation configuration. Anonymous access (also known as “blind” FTP) is a popular method to provide general access to publicly available downloads such as a mirror site that contains a new open-access license (OAL) software distribution, or the newest version of Linux. Here, it is unnecessary and even undesirable to require every possible user to first obtain an account and password to access the download area, and so an option is provided to allow anonymous access.

The problem with this form of access is that any user may download (and potentially upload) any file desired. This might result in a server’s available file storage and network access bandwidth being rapidly consumed for purposes other than those intended by the server’s administrator. If unauthorized file upload is allowed along with download, illegal file content could be placed on the server for download, without the knowledge of the system’s administrator.

Unencrypted Authentication

Even when user authentication is required, FTP passes the username and password in an unencrypted (plain-text) form, allowing packet sniffing of the network traffic to read these values, which may then be used for unauthorized access to the server.

Exam Alert

A more secure version of FTP (S/FTP) has been developed that includes SSL encapsulation. This version is referred to as FTP over SSH and uses the Secure Shell (SSH) TCP port 22. Do not confuse it with FTPS (FTP over SSL), which uses TCP port 21. Either may be used within a modern enterprise network.

Secure variations of the FTP protocol ensure that data cannot be intercepted during transfer and allow the use of more secure transfer of user access credentials during FTP logon. However, the same certificate vulnerabilities discussed earlier in this chapter apply here, too.

Wireless Network Vulnerabilities

Many new technological solutions being embraced by the mobile workforce include mobile data connected equipment such as cell phones, text pagers, and personal digital assistants (PDAs). Mobile equipment may make use of many different communications standards, including long-range mobile communications using the Wireless Application Protocol (WAP) or i-Mode standards, and wireless local area network (WLAN) communications using the 802.11 wireless fidelity (Wi-Fi) or Bluetooth standards.

WAP and i-Mode

Wireless technologies such as mobile data cell phones include the ability to present web content in textual format using the Compact Wireless Application Protocol (CWAP) utilized over Japan’s i-Mode standard, or the Wireless Markup Language (WML) supported by the WAP standard. Both standards also enable users to access email, IM, newsgroups, and other types of data.

The WAP standard includes several other standard specifications, such as the following:

Wireless Application Environment (WAE)—Specifies the framework used to develop applications for mobile devices, including cell phones, data pagers, and PDAs

Wireless Session Layer (WSL)—Equivalent to the session layer of the Open Systems Interconnection (OSI) model

Wireless Transport Layer (WTL)—Equivalent to the transport layer of the OSI model

Wireless Transport Layer Security (WTLS)—Specifies a WTL security standard based on the TLS standard, optimized for low-bandwidth communications with possible lengthy delay between packet transmission and receipt, which is referred to as latency

WLANs

New technologies using radio frequency transmissions are beginning to replace wired office networks and provide network support for mobile Bluetooth- and 802.1x-enabled devices. Popular coffee chains, college campuses, apartment complexes, and home users are taking advantage of the rapid proliferation of 802.11b technology using the 2.4GHz unregulated range of frequencies made popular by many vendors producing Wi-Fi network equipment.

The 802.11 specifications extend the carrier sense multiple access with collision avoidance (CSMA/CA) method of connectivity specified within the Ethernet protocol to provide wireless network access. To avoid data collisions, CSMA/CA protocols require the device to sense whether the carrier is already busy and to wait a random amount of time to check again, only initiating a signal when there is no traffic.

Wired Equivalent Privacy

Specifications for the Wired Equivalent Privacy (WEP) standard are detailed within the 802.11b (Wi-Fi) specification. This specification details a method of data encryption and authentication that may be used to establish a more secured wireless connection.

Exam Alert

Recent developments in the field of cryptography have revealed the WEP encryption method to be less secure than originally intended and vulnerable to cryptographic analysis of network traffic. More advanced protocols such as WPA and the 802.11i standard supersede WEP, but recommendations for a more secure wireless network may also include the use of IPsec and virtual private network (VPN) connectivity to tunnel data communications through a secured connection.

Wi-Fi Protected Access

The Wi-Fi Protected Access (WPA and later WPA2) standards were developed by the Wi-Fi Alliance to replace the WEP protocol while the 802.11i standard was being developed. WPA includes many of the functions of the 802.11i protocol but relies on the Rivest Cipher 4 (RC4), which is considered vulnerable to keystream attacks. The later WPA2 standard was certified to include the full 802.11i standard after its final approval.

802.11i

The 802.11i-2004 amendment to the 802.11 specification is a set of standards for securing wireless network communications, replacing the earlier vulnerable WEP standard with an Advanced Encryption Standard (AES) block cipher and allowing for origin authentication to help protect against rogue WAP man-in-the-middle attacks.

Site Surveys

To optimize network layout within each unique location, a site survey is necessary before implementing any WLAN solution. This is particularly important in distributed wireless network configurations spanning multiple buildings or open natural areas, where imposing structures and tree growth may affect network access in key areas.

A site survey should include a physical and electronic review of the desired physical and logical structure of the network, selection of possible technologies, and several other factors, including the following:

• Federal, state, and local laws and regulations related to the proposed network solution.

• Potential sources of radio frequency (RF) interference, including local broadcast systems, motors, fans, and other types of equipment that generate RF interference. This includes an analysis of potential channel overlap between wireless access point (WAP) hardware.

• Available locations for WAP hardware installation and physical network integration connectivity.

• Any special requirements of users, applications, and network equipment that must function over the proposed wireless network solution.

• Whether a point-to-point (ad hoc or wireless bridge) or multipoint wireless solution is required. In most solutions, point-to-multipoint connectivity will be required to support multiple wireless clients from each WAP connected to the physical network.

All wireless networks share several common security vulnerabilities related to their use of RF broadcasts, which may potentially be detected and compromised without the knowledge of the network administrator. Data transported over this medium is available to anyone with the proper equipment, and so must be secured through encryption and encapsulation mechanisms not subject to public compromise.

Network Device and Transmission Media Vulnerabilities

Wired and wireless networking relies on a system of underlying devices responsible for coordinating the transport and security of networked data. Namespace services facilitate translation from human-readable addresses to their numeric equivalents, where routers then determine the proper network connections to transfer data packets to identified endpoint network segments. Switches and hubs allow distribution of data packets to individual endpoints, with myriad dedicated transport systems available for encryption, access control, and other functions necessary to internetwork communications.

You should be familiar with vulnerabilities associated with these network devices, including the following:

Privilege escalation—This vulnerability represents the accidental or intentional access to resources not intended for access by the user. Application flaws can allow a normal user access to administrative functions reserved for privileged accounts, or to access features of an application reserved for other users. An example of the latter is if User A can read User B’s email without specific authorization.

Weak passwords—Any resource exposed on a network may be attacked to gain unauthorized access. The most common form of authentication and user access control is the username/password combination, which can be significantly weakened as a security measure if a “weak” password is selected. Automated and social engineering assaults on passwords are easier when a password is short, lacking in complexity (complexity here meaning a mixture of character case, numbers, and symbols), derived from a common word found in the dictionary, or derived from easily guessable personal information such as birthdays, family names, pet names, and similar details.

Back doors—Back doors are application code functions created intentionally or unintentionally that enable unauthorized access to networked resources. Many times during application development, software designers put in shortcut entry points to allow rapid code evaluation and testing. If not removed before application deployment, such entry points can present the means for an attacker to gain unauthorized access later. Other back doors may be inserted by the application designers purposefully, presenting later threats to the network if applications are never reviewed by another application designer before deployment.

Default accounts—Many networking devices and services are initially installed with a default set of user credentials, such as Oracle’s Scott/Tiger and IBM’s qsecofr/qsecofr. Unless these credentials are removed and replaced with unique strong logon credentials, they present an avenue for network attack.

Default identification broadcast—Wireless networks often announce their service set identifier (SSID) to allow mobile devices to discover available WAPs. Turning off this broadcast can reduce the vulnerability of a broadcast packet sniffer readily identifying a WAP, but is not truly secure because the SSID is broadcast in plain text whenever a client connects to the network. Turning off SSID broadcast should be considered a “best practice,” along with conducting the site survey, selecting channels not already in use in the area, requiring WPA2 (or newer) encryption, and restricting access to a known list of Wi-Fi MAC addresses where possible.

Denial of service (DoS)—Unlike resources located on the local system, network resources are much more vulnerable to DoS attacks. These attacks attempt to block access to resources by overwhelming network availability, instead of attempting to directly access the resources through unauthorized means. By blocking access to a website or network resource, the attacker effectively prevents authorized availability.

    This type of attack is often used for Internet extortion schemes, where an attacking botnet of tens of thousands of zombied client systems can be used to consume all available connections to a business website. The business is contacted with an account to which an amount of money should be sent, whereupon the attack is ended and service is restored. Many fringe service industries, such as online casinos, are regularly targeted with this type of attack.

Hubs and supervisory ports—Certain types of networking equipment provide attackers with access to inspect network traffic for interception of user credentials, security encryption traffic, and other forms of sensitive transmitted data. Before the development of network switches, hubs were commonly used to distribute data packets to endpoint ports. Hubs do not provide data isolation between endpoint ports, allowing any node to observe data traffic to and from all other nodes on the same device. Switches provide this isolation in more updated networks, but an exposed supervisory port can be exploited by an attacker for the same purposes. Physical access control to the networking closet is critical to protect switched networks against this form of attack.

Vampire taps—Data traffic over coaxial network cabling can be intercepted and inspected by an attacker through the use of a vampire tap, which pierces the cable at an arbitrary point and allows direct connection to the data transport wiring. Similar technologies can be applied to modern fiber-optic media, allowing interception of data traffic without a detectable presence on the network. Physical access control to areas where network media is exposed is critical to protecting against unauthorized taps.

Exam Prep Questions

1. Which of the following are client-side web technologies? (Select all that apply.)

A. ActiveX controls

B. JavaScript

C. CGI scripts

D. Cookies

E. Java applets

2. Which of the following is a common bandwidth for 802.11b communications?

A. 19.2Kbps

B. 64Kbps

C. 1.5MBps

D. 10Mbps

E. 11Mbps

F. 100Mbps

3. Why do spammers value unsecured SMTP relay servers?

A. They provide faster network access.

B. They can be used to hide the origin of a message.

C. They can access internal mailing lists.

D. They cannot be blacklisted.

4. Which of the following are good uses for cookies? (Select two correct answers.)

A. Maintaining user portal settings between sessions

B. Storing credit card and user identification data

C. Storing a listing of items within a shopping cart application

D. Maintaining password and logon information for easy return to visited secured sites

E. Providing details regarding the network settings in use by the client, such as its IP address

5. Which of the following are potential exploits for CGI scripts? (Select all that apply.)

A. Providing information on processes running on the server.

B. Executing arbitrary commands on the client.

C. Samples may not include proper security.

D. Buffer overflows may occur.

E. Arbitrary commands may be executed on the server.

6. Which of the following is a WLAN technology that uses the Ethernet protocols?

Image A. Bluetooth

Image B. IETF

Image C. WAP

Image D. i-Mode

Image E. Wi-Fi

7. An attacker places code within a web page that executes when a client’s browser opens the web page, causing the client’s browser to attempt to access a secured banking site in another city. This is an example of what type of attack?

Image A. Cross-site scripting

Image B. Man-in-the-middle

Image C. Session hijacking

Image D. Buffer overflow

8. Which of the following are potential vulnerabilities of the FTP service? (Select two correct answers.)

Image A. Buffer overflow

Image B. Execution of arbitrary commands

Image C. Anonymous access

Image D. Unencrypted credentials

Image E. Cache mining

9. Which encryption standard is currently considered the best for Wi-Fi connections?

Image A. HTTPS

Image B. WAP

Image C. WEP

Image D. WPA

Image E. WPA2

10. Which of the following statements about Java and JavaScript is true?

Image A. Java applets can be used to execute arbitrary instructions on the server.

Image B. JavaScript code can continue running even after the applet is closed.

Image C. JavaScript can provide access to files of known name and path.

Image D. Java applets can be used to send email as the user.

Image E. Java applets allow access to cache information.

Answers to Exam Prep Questions

1. A, B, D, E. Client-side web technologies include ActiveX controls, interpreted JavaScript code, cookies, and Java applets. Cookies might also be considered a server-side technology because the web server sets them and reads them back; however, they are stored by the client system's browser. Answer C is incorrect because CGI scripts are stored and executed on the web server.

2. E. The 802.11b WLAN specification allows up to 11Mbps of wireless connectivity. Answers A and B are incorrect because they are common dial-up modem and ISDN channel rates, and answer C is incorrect because 1.5Mbps is the approximate rate of a T1 line (1.544Mbps) and of early cable modem service. Answers D and F are incorrect because 10Mbps and 100Mbps are common wired LAN data rates.

3. B. Spammers use SMTP relay agents that are not properly secured to relay their email messages, hiding the true origin of the messages. Answer A is incorrect because the targeted server might have a much more limited network connection than the spammer; the key is hiding the source of the messages. Answer C is incorrect because anonymous SMTP relay requires nothing of the server beyond receipt and retransmission. Answer D is incorrect because an SMTP server used to relay spam can easily be blacklisted, after which its legitimate owner must work to restore normal mail exchange with major providers.

4. A, C. Cookies are well suited to maintaining user portal settings between sessions and to storing the list of items in a shopping cart application. Answers B and D are incorrect because cookies that store user identification data, credit card information, or password and logon details could be read from the client's cookie store or intercepted in transit and then used by others. Answer E is incorrect because cookies are used to carry session state between pages or servers, not to tell the server things it can obtain for itself, such as the IP address used by the client.

5. A, C, D, E. CGI scripts may be exploited to leak information including details about running server processes and daemons, samples included in some default installations are not intended for security and include well-known exploits, and buffer overflows may allow arbitrary commands to be executed on the server. Answer B is incorrect because CGI scripts do not run on the client system.

6. E. Wi-Fi (802.11b) uses carrier-sense multiple access with collision avoidance (CSMA/CA), the wireless counterpart of the CSMA/CD medium access used by wired Ethernet; both belong to the IEEE 802 family, and an access point bridges 802.11 frames onto an Ethernet LAN transparently. Answer A is incorrect because Bluetooth is based on a different transmission protocol. Answer B is incorrect because the Internet Engineering Task Force (IETF) is a standards organization, not a communications protocol. Answers C and D are incorrect because WAP and i-Mode are content-delivery standards for mobile devices such as cell phones, pagers, and PDAs and do not specify WLAN standards.

7. A. In this book's usage, code on one web page that makes the client's browser act against a different site is cross-site scripting. Note that when the attacker's code merely forces the victim's browser to send requests to a third site on which the victim is already authenticated, current terminology calls the attack cross-site request forgery (CSRF); the term cross-site scripting (XSS) is now reserved for script injected into a trusted site's pages so that it runs in its visitors' browsers. Answer B is incorrect because a man-in-the-middle attack intercepts the data transmission between two endpoints and examines, alters, or replaces valid data without alerting either side. Answer C is incorrect because a session hijack occurs when an attacker takes over an established session, typically by obtaining the session identifier or cookie and presenting it as the legitimate user; the scenario involves no stolen session. Answer D is incorrect because a buffer overflow occurs when input exceeds the memory allocated for it and overwrites adjacent memory with unanticipated data or executable code.

8. C, D. FTP servers may be exposed to anonymous access, and the protocol transmits logon credentials (and file contents) in clear text, so anyone positioned on the path can read them. Answers A and B are not the intended answers: buffer overflows leading to arbitrary command execution have been found in particular FTP server implementations, but those are bugs in specific products rather than properties of the FTP service itself, whereas anonymous access and cleartext credentials are inherent in how the service is designed. Answer E is incorrect because the FTP service does not provide access to the browser's cache.

9. E. The WPA2 standard implements the full 802.11i-2004 protocol suite and, at the time of this writing, is the highest Wi-Fi security standard. Answer A is incorrect because HTTPS secures HTTP connections between the client's browser and a web server and is unrelated to the networking medium in use. Answer B is incorrect because WAP refers either to the Wireless Application Protocol used by mobile handsets or to a wireless access point, the hardware that takes the place of a wired switch; neither is an encryption standard. Answer C is incorrect because WEP was shown to be insecure (weaknesses in its use of RC4 allow the key to be recovered from captured traffic) and has been replaced by the WPA standards. Answer D is incorrect because the original WPA, an interim standard built on TKIP, has been superseded by WPA2, which implements the full 802.11i-2004 including AES-CCMP.

10. C. An early exploit of JavaScript allowed access to files located on the client’s system if the name and path were known. Answers A, D, and E are incorrect because JavaScript, not Java, can be used to execute arbitrary instructions on the server, send email as the user, and allow access to cache information. Answer B is incorrect because Java, not JavaScript, can continue running even after the applet has been closed.
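
The relay restriction behind question 3, as an added example that is not code from the book: a minimal model of the RCPT TO decision a mail server makes, with the misconfiguration spammers look for (open_relay=True) beside the closed-relay rule. The local domain, trusted networks, host names and addresses are constructed for the example, and the reply codes follow the RFC 5321 conventions; a real MTA such as Postfix applies the same three-part rule (local destination, trusted network, authenticated client) through its configuration rather than this code.

```python
import ipaddress

# Assumed site configuration for this example (constructed, not from the book):
# the domains this server delivers locally, and the networks trusted to relay.
LOCAL_DOMAINS = {"example.test"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("127.0.0.0/8")]


def recipient_allowed(client_ip, authenticated, rcpt_to, open_relay=False):
    """Decide an RCPT TO command. Returns (accepted, SMTP reply).

    The closed-relay rule: always accept mail addressed to our own domains
    (that is inbound delivery, not relaying); accept relay to any other domain
    only from trusted networks or authenticated clients; refuse everything
    else. open_relay=True reproduces the misconfiguration spammers look for.
    """
    domain = rcpt_to.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return True, "250 2.1.5 OK (local delivery)"
    if open_relay:
        return True, "250 2.1.5 OK (relaying for anyone: open relay)"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return True, "250 2.1.5 OK (relay from trusted network)"
    if authenticated:
        return True, "250 2.1.5 OK (relay for authenticated client)"
    return False, "554 5.7.1 Relay access denied"


def run_session(client_ip, commands, authenticated=False, open_relay=False):
    """Drive a minimal SMTP envelope dialogue and return [(command, reply)].

    Only the envelope commands that matter for relay policy are modelled;
    AUTH is represented by the authenticated flag rather than a real exchange.
    """
    transcript = []
    accepted_recipients = 0
    for cmd in commands:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            reply = "250 mail.example.test"
        elif verb == "MAIL":
            reply = "250 2.1.0 OK"  # the sender is not what relay policy keys on
        elif verb == "RCPT":
            address = arg.split(":", 1)[1].strip("<> ")
            ok, reply = recipient_allowed(client_ip, authenticated, address, open_relay)
            if ok:
                accepted_recipients += 1
        elif verb == "DATA":
            reply = ("354 End data with <CR><LF>.<CR><LF>" if accepted_recipients
                     else "554 5.5.1 Error: no valid recipients")
        elif verb == "QUIT":
            reply = "221 2.0.0 Bye"
        else:
            reply = "502 5.5.2 Command not implemented"
        transcript.append((cmd, reply))
    return transcript


# A constructed relay attempt: an outside host tries to send to a third party.
SPAM_ATTEMPT = [
    "EHLO spam.attacker.test",
    "MAIL FROM:<anyone@attacker.test>",
    "RCPT TO:<victim@other.test>",
    "DATA",
    "QUIT",
]

if __name__ == "__main__":
    for source, flag in (("203.0.113.9", False), ("203.0.113.9", True), ("10.1.2.3", False)):
        print(f"-- client {source}, open_relay={flag}")
        for cmd, reply in run_session(source, SPAM_ATTEMPT, open_relay=flag):
            print(f"C: {cmd}\nS: {reply}")
```

The decision is keyed on the recipient domain and on who the client is, never on the MAIL FROM address, because the envelope sender is chosen freely by the connecting host. Testing a server from outside its trusted networks with a recipient in a foreign domain, as the first session does, is exactly the probe a spammer (or an administrator auditing the server) runs.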
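
Question 4's distinction, as an added example that is not from the book: a shopping cart kept in a cookie is harmless only if the server does not trust what comes back. The cookie below carries SKUs and quantities, never prices or credentials, and is signed with an HMAC so that a client who edits it is detected; the secret, the catalog and the product names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Server-side secret assumed for this example (constructed; in production it is
# generated randomly, kept out of source control, and never sent to the client).
SERVER_SECRET = b"example-only-secret-do-not-reuse"

# Prices live on the server. The cookie carries only SKUs and quantities, so a
# client editing its cookie can at most change what it orders, not what it pays.
CATALOG = {"sku-42": 1999, "sku-7": 450}  # prices in cents, constructed


def encode_cart_cookie(cart, secret=SERVER_SECRET):
    """Serialise the cart and append an HMAC-SHA256 tag, giving payload.tag"""
    body = json.dumps(cart, sort_keys=True, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(body).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def decode_cart_cookie(value, secret=SERVER_SECRET):
    """Return the cart dict if the tag verifies, else None (treat as an empty cart)."""
    payload, _, tag = value.rpartition(".")
    if not payload:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def cart_total(cart, catalog=CATALOG):
    """Price the cart from the server catalog, ignoring any SKU it does not know."""
    items = cart.get("items", {})
    return sum(catalog[sku] * qty for sku, qty in items.items() if sku in catalog)


def set_cookie_header(value):
    """Set-Cookie line with the attributes that keep the cookie off the wire in
    clear (Secure) and out of reach of page scripts (HttpOnly)."""
    return f"Set-Cookie: cart={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    cookie = encode_cart_cookie({"items": {"sku-42": 2, "sku-7": 1}})
    print(set_cookie_header(cookie))
    print("total (cents):", cart_total(decode_cart_cookie(cookie)))
    tampered = cookie.split(".")[0][:-4] + "AAAA" + "." + cookie.split(".")[1]
    print("tampered cookie accepted:", decode_cart_cookie(tampered) is not None)
```

Signing gives integrity, not secrecy: the payload is plain base64 that anyone holding the cookie can read, which is the same reason answers B and D of question 4 are wrong. Anything confidential, and anything whose disclosure lets someone act as the user, belongs in server-side session state referenced by an opaque identifier, not in the cookie.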

Additional Reading and Resources

1. Allen, Julia H. The CERT Guide to System and Network Security Practices. Addison-Wesley Professional, 2001.

2. The World Wide Web Security FAQ: http://www.w3.org/Security/Faq/

3. SANS Information Security Reading Room: http://www.sans.org/

4. IEEE Standards Association: http://standards.ieee.org/
