Introduction to Object Technologies

Object-oriented technology has brought software development past procedural programming and into a world where programs can be readily reused. This vastly simplifies application development, because any programmer can leverage existing modules quickly and efficiently. Operating systems and applications are created as multiple modules that are slotted together to form a working program. Among the many advantages of this, one of the most important is that any module can be replaced or updated at any time without having to update the entire operating system.

It can be difficult to visualise these concepts, but imagine your web browser as a container into which users can add objects that provide extra functionality. These users don't need to be programmers; anybody can download an object from a web server into the container. It could be something like an applet or an ActiveX component that improves or adds functionality, or something that adds an extra utility to the browser, perhaps an app that performs currency conversion or looks up a website's address or page rank. The flip side is that an object downloaded this way executes inside the browser, so where it comes from matters.

This is not new technology, but it is slowly changing the world. It might be surprising to hear that Windows NT was built on this object-oriented model: within that system printers, computers and other devices are treated as objects. It is easier to see in later versions that use Active Directory, where even users and groups are individual objects.

The definition of an object is the crucial point here. An object can be virtually anything, a parcel of data or a piece of code, each with an external interface through which the user invokes its function. What matters is that any of these objects can be readily combined to produce something of value to the user, and all of them can interact with each other by exchanging data or messages. The client-server model that has served the industry for so long becomes, up to a point, rather outdated: simply stated, any object can act as a client or a server, or both.

Harvey Blount
@Good Proxy Sites

Confidentiality Using XML Encryption

Just like every other kind of communication online, XML documents can be protected with encryption. Where possible it is recommended that any important XML document be encrypted completely before being transmitted across the wire, and decrypted with the appropriate key once it reaches its correct destination.

There is a problem with this, however: when you encrypt the whole document you also hide the parts of it that intermediaries legitimately need to read, so some parts of an XML message have to travel in clear text. Take SOAP messages, the format used to exchange RPCs (remote procedure calls) over the Internet. You can encrypt parts of a SOAP message, but at a minimum the header blocks that intermediaries act on must remain in clear text, otherwise those intermediaries could not see routing and other processing information.

The other alternative is to encrypt the channel itself, typically with SSL/TLS (or a tunnel such as SSH). This protects the message in transit by encrypting everything that passes over the channel. The issue here is that channel encryption only protects the hop between two endpoints: at each endpoint, and at any intermediary that terminates the connection, the message is back in clear text. These problems were real issues for XML developers, and the XML Encryption standard was developed to address them.

The primary goal of this standard is to allow part of any XML document to be encrypted securely while the rest stays readable. Like other XML standards, such as XML Signature, it has quite a lot of parts, so that it can deal with many different contingencies, but the core functions are simple and easy to follow.

Every encrypted item in an XML document is represented by an EncryptedData element, which has two main parts:

  • An optional KeyInfo element that carries information about the key that was used (a key name, a certificate, or an encrypted copy of the key). This is the same KeyInfo element defined in the XML Signature specification.
  • A CipherData element that either includes the encrypted bytes directly, base64-encoded inside a CipherValue element, or points to them with a CipherReference element.

For instance, XML Encryption may be used in an online payment system that sends orders as XML documents. The order document contains all the information about the order, including sensitive payment details such as the card number, grouped in a single element. Most of the order should be left in clear text so that it can be processed quickly, but the payment element should be encrypted and decrypted only by the component that actually processes the payment. XML Encryption provides exactly this: encryption of specific parts of the document, in this case the payment information, while everything else stays readable.

James Hassenberg: Technical Blogger.
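The order example above, worked through in code. This is an added example and not code from the original article: it builds the EncryptedData / KeyInfo / CipherData / CipherValue structure under the real W3C XML Encryption and XML Signature namespaces, replaces the Payment element in place, and restores it on the receiving side. The cipher is a stand-in so that the example runs with the Python standard library only (HMAC-SHA256 as a CTR keystream plus an HMAC tag) and is labelled with a made-up Algorithm URI; the real standard specifies AES, so seal()/open_() should be replaced by a proper AEAD in anything real. The sample order, the key name and the card number are all constructed.

```python
"""Element-level XML encryption in the shape of the XML Encryption standard.

Added example, not from the original article. Namespaces and element names
follow the W3C specs; the cipher is a stdlib-only stand-in (see STANDIN_ALGO).
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"       # XML Encryption namespace
DS = "http://www.w3.org/2000/09/xmldsig#"        # XML Signature namespace (KeyInfo)
STANDIN_ALGO = "urn:example:hmac-sha256-ctr"     # hypothetical URI, not a spec algorithm
ET.register_namespace("xenc", XENC)
ET.register_namespace("ds", DS)

# Constructed sample order: everything except <Payment> must stay readable.
ORDER_XML = """<Order id="A-1001">
  <Customer>Jane Example</Customer>
  <Items><Item sku="42" qty="1"/></Items>
  <Payment><Card>4111111111111111</Card><Expiry>12/29</Expiry></Payment>
</Order>"""


def load_order():
    return ET.fromstring(ORDER_XML)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("CipherValue failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _parent_map(root):
    return {child: parent for parent in root.iter() for child in parent}


def encrypt_element(root, tag: str, key: bytes, key_name: str):
    """Replace the first <tag> element with xenc:EncryptedData at the same position."""
    target = root.find(f".//{tag}")
    if target is None:
        raise KeyError(f"no <{tag}> element to encrypt")
    parent = _parent_map(root)[target]
    index = list(parent).index(target)
    enc = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": XENC + "Element"})
    enc.tail, target.tail = target.tail, None          # keep document layout, drop tail from plaintext
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", {"Algorithm": STANDIN_ALGO})
    key_info = ET.SubElement(enc, f"{{{DS}}}KeyInfo")  # the KeyInfo from XML Signature
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    cipher_data = ET.SubElement(enc, f"{{{XENC}}}CipherData")
    ET.SubElement(cipher_data, f"{{{XENC}}}CipherValue").text = base64.b64encode(
        seal(key, ET.tostring(target))).decode()
    parent.remove(target)
    parent.insert(index, enc)
    return root


def decrypt_elements(root, keys: dict):
    """Decrypt every EncryptedData whose KeyName we hold; others stay opaque."""
    parents = _parent_map(root)
    for enc in list(root.iter(f"{{{XENC}}}EncryptedData")):
        name = enc.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
        if name not in keys:
            continue  # e.g. the warehouse service never sees the payment key
        blob = base64.b64decode(enc.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
        restored = ET.fromstring(open_(keys[name], blob))
        restored.tail = enc.tail
        parent = parents[enc]
        index = list(parent).index(enc)
        parent.remove(enc)
        parent.insert(index, restored)
    return root


if __name__ == "__main__":
    key = os.urandom(32)
    doc = encrypt_element(load_order(), "Payment", key, "payments-2024")
    print(ET.tostring(doc).decode())       # Customer/Items readable, Payment opaque
    print(decrypt_elements(doc, {"payments-2024": key}).findtext("Payment/Card"))
```

Two things the code makes concrete that the prose only implies: the KeyName is what lets a receiver decide whether an EncryptedData block is addressed to it at all (a service without the key simply leaves the block alone and can still process the rest of the order), and the integrity tag matters because a document that is only confidentiality-protected can be tampered with in transit without detection.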


Capturing Authentication Credentials

There are many issues with using proxy servers, but one of the biggest concerns is proxies that use Basic authentication. It is extremely important that a proxy configured with such authentication does not forward the Proxy-Authorization: header to any origin server. If it does, anyone who can observe the origin-side traffic can intercept the header, recover the user's name and password, and ultimately gain access to the proxy server itself. Basic authentication does not involve encryption: the credentials are merely base64-encoded, which is trivially reversible, so on an unencrypted connection they are effectively transmitted in clear text.


It might be that this username and password only grant minimal rights, but there is a much bigger issue. Many users reuse their username and password for other services. The password that allows minimal access to an unimportant proxy server will often also open the user's email, online banking or PayPal account. Identity thieves value usernames and passwords of any sort, even for unimportant services like forums, because in practice they often unlock far more important ones.

Although you can stop the proxy's own credentials from being forwarded, this does nothing for usernames and passwords intended for the final destination, which must pass through the proxy to reach it. In fact this is why many compromised proxies are made available online by attackers: they want to intercept your credentials. People who are constantly searching for new free proxies are putting themselves and their personal data at great risk. They may think they have saved a few dollars by relaying their connection through an Australian proxy to watch ABC iView, but they may also find their bank account cleared out by the administrator of that server.

In reality there is no practical way to protect your data when it passes through an untrusted proxy server. Even SSL/TLS does not completely help: an attacker who controls the proxy is in a position to attempt man-in-the-middle attacks on the session, for example by stripping HTTPS from links or presenting a forged certificate and hoping the user clicks through the warning. The only real solution is never to use an untrusted third-party proxy server for anything sensitive.

Source : http://www.theninjaproxy.org/tv/a-fake-uk-ip-address/
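Two sides of the problem described above, in code. This is an added example, not code from the article or any proxy product: it decodes what an eavesdropper recovers from a Basic credential, and applies the hop-by-hop header filter (the fixed RFC 7230 set plus anything the client named in Connection) that a correctly configured proxy applies before forwarding a request. The request, its headers and the credentials in it are constructed; note that Authorization, the site's own login, is end-to-end and still goes through, which is exactly the exposure the article warns about.

```python
"""What a proxy that forwards Proxy-Authorization leaks, and the hop-by-hop
header filter that prevents it.

Added example, not code from the original article. The request below is
constructed and its credentials are made up.
"""
import base64
import binascii

# Hop-by-hop headers (RFC 7230 §6.1) that must never be forwarded to the origin.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}

# Constructed request as it arrives at the proxy from a browser.
SAMPLE_REQUEST = (
    "GET http://shop.example.org/account HTTP/1.1\r\n"
    "Host: shop.example.org\r\n"
    "Proxy-Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"   # proxy login alice:hunter2
    "Authorization: Basic Ym9iOnMzY3JldA==\r\n"             # site login bob:s3cret
    "Connection: keep-alive, X-Internal-Trace\r\n"
    "X-Internal-Trace: pop-3\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a request into (request line, [(name, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def decode_basic(value: str):
    """Recover (user, password) from a Basic credential, or None if it is not
    Basic or does not decode. Basic is base64, not encryption: anyone who can
    see the header can do this."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_on_the_wire(headers):
    """Every credential an eavesdropper on this hop can read, keyed by header name."""
    found = {}
    for name, value in headers:
        if name.lower() in ("authorization", "proxy-authorization"):
            creds = decode_basic(value)
            if creds:
                found[name] = creds
    return found


def forwardable_headers(headers):
    """Headers the proxy may pass to the origin: drop the hop-by-hop set and any
    header the client listed in Connection. Proxy-Authorization goes here;
    Authorization is end-to-end and is deliberately left in place."""
    drop = set(HOP_BY_HOP)
    for name, value in headers:
        if name.lower() == "connection":
            drop.update(token.strip().lower() for token in value.split(","))
    return [(name, value) for name, value in headers if name.lower() not in drop]


if __name__ == "__main__":
    _, headers, _ = parse_request(SAMPLE_REQUEST)
    print("visible at the proxy: ", credentials_on_the_wire(headers))
    print("visible at the origin:", credentials_on_the_wire(forwardable_headers(headers)))
```

Run stand-alone it shows both credentials readable at the proxy and only the site login readable past it; if the Connection-based stripping were omitted, the X-Internal-Trace header would also leak infrastructure detail to the origin.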

How Does ICAP Work?

In brief, the protocol works as follows. An HTTP message is passed by an ICAP client to the ICAP server; the server processes the message and sends a reply back to the client. An ICAP client can be a Web proxy server or even a Web client itself. An ICAP server offers services that clients request explicitly.

As an example of the protocol's use, consider the following situation. An ICAP server implements two services: an access control service and an antivirus service. Hosts inside a network reach the Internet through a Web proxy server.

In this situation the access control service supplied by the ICAP server checks whether a Web client may connect to the website it has requested. More precisely, the Web client sends an HTTP request to the proxy server, which passes it to the ICAP server. The access control service checks whether the client is permitted to view that site. The ICAP server then either allows the proxy to continue with the request or responds with an informative HTTP message, which the proxy relays to the Web client.

The antivirus service, on the other hand, checks whether content passing through the proxy is infected. The ICAP server scans the incoming data for viruses and, if one is detected, responds with a Web page informing the user of the problem. To exercise this check properly, fetch a harmless test file such as the EICAR test string from a variety of sources, for example from a server in another country reached through a purchased proxy or VPN, so that the perimeter is tested from outside as well as from inside. Many IT security professionals routinely buy proxy services and VPNs for exactly this purpose: to test both their internal and external security.

The ICAP protocol is easily extended to handle other kinds of data, not just HTTP requests and responses. For instance, it could be extended to handle email messages, whose format closely resembles that of an HTTP response: a block of headers followed by a body. In general, almost any object or piece of data can be wrapped as an HTTP object. A plain file, for example, can be enclosed in a message whose body is the file's content and whose HTTP-style headers (Content-Length, Content-Type, Date, Content-Language) carry its descriptors.
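The access control exchange described in this section, as an added example with both sides' messages laid out the way RFC 3507 puts them on the wire. This is not code from the article or from any ICAP product: the proxy builds a REQMOD request whose Encapsulated header gives byte offsets into the payload, and the in-process "server" answers either 204 No Content (request may proceed) or 200 OK carrying a complete HTTP 403 page for the proxy to relay. The service URI, host names and denylist are made up, and OPTIONS and RESPMOD are not implemented.

```python
"""ICAP REQMOD round trip between a Web proxy and an access-control service.

Added example, not from the original article. Both sides run in-process, so
nothing touches the network; SERVICE and DENYLIST are hypothetical.
"""
import re

SERVICE = "icap://icap.example.net/access"   # hypothetical ICAP service URI
DENYLIST = {"blocked.example"}                 # constructed policy


def _split_head(block: bytes):
    """'Start-Line\\r\\nName: value\\r\\n...' -> (start line, {lower-name: value})."""
    lines = block.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().decode().lower()] = value.strip().decode()
    return lines[0].decode(), headers


def parse_encapsulated(value: str) -> dict:
    """'req-hdr=0, null-body=88' -> {'req-hdr': 0, 'null-body': 88}."""
    return {k: int(v) for k, v in re.findall(r"([a-z-]+)=(\d+)", value)}


def split_icap_message(raw: bytes):
    """(ICAP start line, ICAP headers, encapsulated payload)."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    start, headers = _split_head(head)
    return start, headers, payload


def _chunked(data: bytes) -> bytes:
    """Encapsulated bodies are always chunked in ICAP."""
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(data), data)


def dechunk(data: bytes) -> bytes:
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def build_reqmod(http_req_head: bytes) -> bytes:
    """Proxy -> ICAP server. The HTTP request headers sit at offset 0 of the
    payload; with no body, null-body marks their end. Allow: 204 tells the
    server it may answer 'unchanged' without echoing the request back."""
    if not http_req_head.endswith(b"\r\n\r\n"):
        http_req_head += b"\r\n\r\n"
    icap_head = (
        f"REQMOD {SERVICE} ICAP/1.0\r\nHost: icap.example.net\r\nAllow: 204\r\n"
        f"Encapsulated: req-hdr=0, null-body={len(http_req_head)}\r\n\r\n"
    ).encode()
    return icap_head + http_req_head


def access_control_service(icap_request: bytes) -> bytes:
    """ICAP server -> proxy. 204 lets the request through; a denylisted host
    gets a 200 carrying a full HTTP 403 response for the proxy to relay."""
    start, icap_headers, payload = split_icap_message(icap_request)
    if not start.startswith("REQMOD "):
        return b"ICAP/1.0 405 Method Not Allowed\r\nEncapsulated: null-body=0\r\n\r\n"
    enc = parse_encapsulated(icap_headers.get("encapsulated", ""))
    req_head = payload[enc["req-hdr"]:enc.get("null-body", enc.get("req-body"))]
    _, http_headers = _split_head(req_head)
    host = http_headers.get("host", "").split(":")[0].lower()
    if host not in DENYLIST:
        if "204" in icap_headers.get("allow", ""):
            return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"
        # Client did not offer 204: echo the request back unchanged.
        return (b"ICAP/1.0 200 OK\r\nEncapsulated: req-hdr=0, null-body=%d\r\n\r\n"
                % len(req_head)) + req_head
    page = f"Access to {host} is blocked by policy.\n".encode()
    res_head = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                b"Content-Length: %d\r\n\r\n" % len(page))
    icap_head = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_head)
    return icap_head + res_head + _chunked(page)


def proxy_decision(http_req_head: bytes):
    """Proxy side: ('forward', request head to send on) or ('reply', HTTP response)."""
    reply = access_control_service(build_reqmod(http_req_head))
    start, headers, payload = split_icap_message(reply)
    status = int(start.split()[1])
    enc = parse_encapsulated(headers.get("encapsulated", ""))
    if status == 204:
        return "forward", http_req_head
    if "req-hdr" in enc:  # server returned a (possibly modified) request
        return "forward", payload[enc["req-hdr"]:enc.get("null-body", enc.get("req-body"))]
    res_head = payload[enc["res-hdr"]:enc["res-body"]]
    return "reply", res_head + dechunk(payload[enc["res-body"]:])


if __name__ == "__main__":
    for target in (b"www.example.com", b"blocked.example"):
        head = b"GET http://%s/ HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)
        print(target.decode(), "->", proxy_decision(head)[0])
```

The detail worth noticing is the Encapsulated header: ICAP never re-parses the HTTP message it carries, it just tells the other side where each section starts, which is why the same framing extends to any header-plus-body object, email included, as the paragraph above notes.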

XML Web Services and Security

Because a large number of web services are built on XML, many new standards have been developed to supply the basic security infrastructure that supports its use. Here is a quick list (by no means complete) of some of these technologies that may be of use to the reader; it should flag up further reading for anyone new to XML development.

XML Signature - an XML specification for digital signatures. These provide authentication of the signer, integrity of the message and, where the signing key is bound to an identity, non-repudiation.

XML Encryption - a companion to XML Signature, addressing the need to encrypt and decrypt whole XML documents and selected parts of documents.

XML Key Management Specification (XKMS) - defines messages and protocols for registering, locating and validating public keys, so that keys can be distributed to and verified by parties that have no prior relationship with each other.

Security Assertion Markup Language (SAML) - an XML-based protocol for exchanging authentication and authorization assertions between parties, typically an identity provider and a service provider.

In addition to these XML standards, other technologies should be considered. For information and articles on security and anonymity, particularly in large-scale infrastructures, there is a lot of good advice, especially about proxies, on this website - http://www.anonymous-proxies.org/ .

Other useful areas of reading are web technologies such as SOAP, WSDL and UDDI. Although these all perform very useful services for the XML developer, they are particularly vulnerable to interception and eavesdropping 'on the wire', because XML is normally transmitted as clear text. SSL/TLS should therefore be used whenever private information is exchanged, with XML Signature and XML Encryption on top where the message must stay protected beyond the transport endpoints.