Chapter 4.2 Information Security

ASP.NET is a widely used web application framework that allows programmers to build web sites, web applications, and web services. The article “Hacking tool exploits faulty AES cookie encryption implementations” by Robert Westervelt points out a weakness in ASP.NET web applications. In the article, Westervelt discusses the Padding Oracle Exploit Tool (POET), created by two researchers, Juliano Rizzo and Thai Duong. This tool can decode the information that is stored in cookies. It can also crack information such as view states, form authentication tickets, membership passwords, user data, and anything else that is developed using the framework's application programming interface (API). POET can affect more than 25% of Internet web sites. Depending on the kind of application installed on the server, the impact of POET can range from decoding sensitive information to taking over the entire system (Westervelt, 2010).

POET works by tricking the web server behind the application into giving up sensitive information in an error message. It uses the error data returned by the server to break the encryption. The picture above shows a couple of the steps by which cookies are decoded using POET (Westervelt, 2010).

This tool is expected to be very dangerous because an attacker can use it to gain access to users’ banking and personal information without having any encryption key. People who save information in cookies can be vulnerable to attacks using such tools. The researchers’ purpose in creating this tool was to make the security community become serious about using better applications to protect users’ sensitive information (Westervelt, 2010).
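The leak described above depends on the server reporting a decryption failure on a tampered cookie differently from other failures. The C# code below is an added example, not code from Westervelt's article, the researchers, or ASP.NET itself: it authenticates the cookie with an HMAC before decrypting and reports every failure identically. The names `CookieProtector`, `Protect` and `TryUnprotect`, and the use of separate encryption and MAC keys, are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;

// Added example; CookieProtector and its methods are hypothetical names.
public static class CookieProtector
{
    const int IvLen = 16, TagLen = 32; // AES block size, HMAC-SHA256 output size

    // Returns IV || ciphertext || HMAC-SHA256(IV || ciphertext).
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create(); // defaults: CBC mode, PKCS7 padding
        aes.Key = encKey;
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] cookie = new byte[IvLen + ct.Length + TagLen];
        Buffer.BlockCopy(aes.IV, 0, cookie, 0, IvLen);
        Buffer.BlockCopy(ct, 0, cookie, IvLen, ct.Length);
        using var hmac = new HMACSHA256(macKey);
        byte[] tag = hmac.ComputeHash(cookie, 0, IvLen + ct.Length);
        Buffer.BlockCopy(tag, 0, cookie, IvLen + ct.Length, TagLen);
        return cookie;
    }

    // Returns false for every failure so the caller can send one generic response.
    public static bool TryUnprotect(byte[] cookie, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        if (cookie == null || cookie.Length < IvLen + 16 + TagLen) return false;
        int bodyLen = cookie.Length - TagLen;
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(cookie, 0, bodyLen);
        // Check the tag in constant time BEFORE decrypting: a tampered cookie
        // is rejected here and never reaches the padding check.
        if (!CryptographicOperations.FixedTimeEquals(expected, cookie.AsSpan(bodyLen, TagLen)))
            return false;
        try
        {
            using var aes = Aes.Create();
            aes.Key = encKey;
            aes.IV = cookie.AsSpan(0, IvLen).ToArray();
            using var dec = aes.CreateDecryptor();
            plaintext = dec.TransformFinalBlock(cookie, IvLen, bodyLen - IvLen);
            return true;
        }
        catch (CryptographicException) { return false; } // same result as a bad tag
    }
}
```

The calling page should map a `false` result to a single generic error page, so that the response carries no detail about which check failed.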

This article relates to the material in Chapter 4.2 of the textbook. In this section, Baltzan and Phillips focus on the importance of protecting information. Technology allows businesses to determine valuable information about their customers, which is valuable intellectual capital for them. If such information is not protected, it can impact the businesses negatively. A hacking tool like POET can be very dangerous to the sensitive information of a business if good security policies and security plans are not implemented. According to the book, two lines of defense can be used to protect information: people and technology. Businesses can use information security policies and information security plans to protect the information of the company and its customers. Technology can be used to protect information by setting passwords and IDs that identify the users and by preventing and detecting possible attacks (Baltzan & Phillips, p. 150).

An attacker who uses POET is an example of a hacker, a term that is also discussed in section 4.2 of the textbook. Hackers are people with lots of knowledge about computers who attack other people’s computers (Baltzan & Phillips, p. 156).

I liked this article because it talks about cookies. I have always felt uncomfortable saving my information, such as usernames and passwords, in cookies. Now that I have learned from this article how cookies could be dangerous, I would not want to save any important information in cookies.

Works Cited

Westervelt, Robert. (2010). “Hacking tool exploits faulty AES cookie encryption implementations.” Retrieved on 20 Sept. 2010 from http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1520252,00.html

Baltzan & Phillips, Business Driven Information Systems, 2nd Edition, McGraw-Hill, Inc. 2009.