Empowering Users
A security system is never complete without user participation. Users have a unique perspective that allows them to spot security problems that administrators and developers may overlook. But to participate in security, users need knowledge and tools. It is up to you to provide the knowledge and tools they need. In this section, you will learn about:
Educating users
Involving users
Educating Users
Summary: Users must know how to protect their accounts
Threats: Account hijacking, social engineering, identity theft
With the increasing dependence on the Internet for financial and business transactions comes an increasing threat of Internet crime. Identity theft, fraud, and online scams are rampant, and Web site security can only go so far. At some point, users must take responsibility for protecting themselves.
Despite great advances in security technology and techniques, users consistently fall for the same scams they have fallen for since the very beginning of electronic communication. For example, users will click links on HTML pages and in e-mails and will eagerly enter account information in an e-mail-based form, and many users will divulge their passwords to someone who claims to be an administrator or help-desk technician. Many users of online financial institutions and other Web sites have fallen victim to spoofed e-mails intended to steal user account information, an attack known as phishing. In these cases, users receive an e-mail such as the one shown in Figure 1.12, explaining an account problem and asking them to authenticate using the provided form. The form submits the personal information to a Web server controlled by the fraudster and then transparently forwards the information on to the real Web site. The user is not aware that his or her information has been stolen until it is too late. Fortunately, these e-mails are notorious for poor English grammar and spelling, such as the word "unnormally" in Figure 1.12.

Figure 1.12: Example eBay Scam E-Mail
Another variation of the scam is to send users an e-mail that looks like plaintext but that is actually an HTML-based e-mail. Links appear to be one (legitimate) URL but take the user to another URL with a fake login form that looks identical to the original. Yet another variation is to encode or obscure the URL in such a way as to trick the user into thinking she is visiting one site while she is, in fact, visiting another.
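As an added example (not code from the book), the following Python check runs over a constructed HTML e-mail and flags the two tricks just described: link text that displays one host while the href points at another, and a URL obscured with user-info before the "@" so the real host is hidden. The message body, hostnames and addresses are constructed sample values.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Constructed sample: looks like plain text but is HTML; the first link shows one
# host and targets another, the second hides its host behind user-info and "@".
SAMPLE_EMAIL = """<p>Your account has been flagged. Please verify at
<a href="http://203.0.113.5/signin">http://www.example-bank.com/signin</a>
or <a href="http://www.example-bank.com@203.0.113.5/login">secure login</a>.
See <a href="https://www.example-bank.com/help">www.example-bank.com/help</a>.</p>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL; link text often omits the scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def suspicious_links(html):
    """Return (href, reason) for links whose real target disagrees with what the user sees."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if urlsplit(href).username is not None:
            findings.append((href, "user-info before '@' hides the real host"))
            continue
        # Only compare when the visible text itself looks like a URL or hostname.
        if re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", text, re.I):
            shown, real = host_of(text), host_of(href)
            if shown != real:
                findings.append((href, f"text shows {shown} but target is {real}"))
    return findings
```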
If users are not aware of the techniques used by scammers, fraudsters, and identity thieves, the users will consistently fall victim to these social-engineering techniques. Users who are not smart about security may fall victim to account hijacking or identity theft and put themselves as well as others at risk.
Security Policies
Through various media, educate users about the security risks involved with using your Web application.
If possible, provide a user forum to discuss security issues.
Never provide links or forms in e-mails sent to users; ask them to simply log in to their account.
Involving Users
Summary: Involving users in security will raise awareness and help limit attacks
Threats: Account hijacking, social engineering
Once I was talking with a friend about a scam e-mail sent to customers of a major bank, asking them to log in to their accounts through a form provided in the e-mail. I mentioned that a surprisingly large number of users fell for the scam, despite the obviously poor grammar in the e-mail message. My friend mentioned that he had actually received that e-mail and was proud to say that he immediately recognized it as a scam and deleted the message. But how many users could he have protected if he had instead reported the e-mail to the company?
Many users are aware of scams, fraud, or other suspicious incidents and never report them. My friend's reasons for not reporting the suspicious e-mail were that first, someone else probably would, and second, he wouldn't even know where to start to report the e-mail.
Users can play a great role in security if you make it easy for them. Since some users are already technically savvy and security-educated, you should give those users access to advanced security tools or security options. For example, some advanced users might want to set an option to only allow access to their accounts from specific IP address ranges. Advanced users might also want access to advanced security reports for their accounts.
If users have no way of identifying and reporting security incidents, the impact of a security incident could be larger than necessary. Design the system in such a way that all account actions are easily audited and reported. Provide conspicuous links for identifying and reporting security incidents. Create a modular design that allows users to easily customize their own security options.
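An added illustration, not the book's own code, of the advanced option and audit design described here: a hypothetical Account model in which a user sets the IP ranges allowed to log in, and every decision is recorded in an event history the user can review and filter. Account names, ranges and addresses are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Account:
    """Hypothetical per-account security settings plus a user-readable event trail."""
    username: str
    allowed_networks: list = field(default_factory=list)  # empty list = no restriction
    events: list = field(default_factory=list)            # audit trail shown to the user

    def set_allowed_networks(self, cidrs):
        """User-chosen CIDR ranges; validated up front so a typo cannot silently disable the option."""
        self.allowed_networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.record("allow-list-changed", detail=",".join(map(str, self.allowed_networks)))

    def record(self, event, source_ip="-", detail=""):
        self.events.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "event": event, "source_ip": source_ip, "detail": detail,
        })

    def login_allowed(self, source_ip):
        """If ranges are configured, the login source must fall inside one of them."""
        addr = ipaddress.ip_address(source_ip)
        ok = not self.allowed_networks or any(addr in net for net in self.allowed_networks)
        self.record("login-allowed" if ok else "login-blocked", source_ip=source_ip)
        return ok

    def history(self, event=None):
        """Account report for the user, optionally filtered by event type."""
        return [e for e in self.events if event is None or e["event"] == event]

def demo():
    """Constructed scenario: one IPv4 range and one IPv6 range, three login attempts."""
    acct = Account("alice")
    acct.set_allowed_networks(["192.0.2.0/24", "2001:db8::/32"])
    results = [acct.login_allowed(ip) for ip in ("192.0.2.77", "198.51.100.9", "2001:db8::1")]
    return results, acct.history("login-blocked")
```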
Security Policies
Allow users access to a history of account transactions and events.
Provide users a clear and easy way to report security incidents, and ask them to report anything suspicious.
If possible, provide a user forum to discuss security issues and incidents.
Allow advanced security options for those who want to use them.
Provide users a way to revoke or delete accounts they no longer want to use.