This is summary(insight). I want to change this paragraph using more easier othe
ID: 3872702 • Letter: T
Question
This is summary (insight). I want to change this paragraph using easier other words. Could you change these things?
--------------------
The bank site in Estonia was an easy target. Juhan noticed the flaw when he viewed the source code of the bank’s Web pages. The code used a hidden form element that contained the filename of a form template, which was loaded by the CGI script and displayed to users in their Web browser. He changed the hidden variable to point to the server’s password file, and, voilà, the password file was displayed in his browser. Amazingly, the file was not shadowed, so he had access to all the encrypted passwords, which he later cracked.
The Dixie bank hack provides another example of the need for defense in depth. In this instance, the bank’s network appeared to be flat; that is, without significant protection beyond the single Citrix server. Once any system on the network was compromised, the attacker could connect to every other system on the network. A defense-in-depth model could have prevented Gabriel from gaining access to the AS/400.
The bank’s information security staff was lulled into a false sense of security in having an external audit performed, which may have unreasonably raised the confidence level in their overall security posture. While performing a security assessment or audit is an important step to measure your resilience against an attack, an even more crucial process is properly managing the network and all the systems that are on it.
The online bank site should have required that all Web application developers adhere to fundamental secure programming practices, or require auditing of any code put into production. The best practice is to limit the amount of user input that is passed to a server-side script. Using hard-coded filenames and constants, while not eloquent, raises the level of assurance in the security of the application.
Lax network monitoring and poor password security on the exposed Citrix server were the biggest mistakes in this case, and would likely have prevented Gabriel from roaming through their network, installing keystroke loggers, shadowing other authorized users, and planting Trojan programs. The hacker wrote a little script and put it into the administrator’s startup folder so when he logged in, it would run the pwdump3 program silently. Of course, he already had administrator rights. The hacker was lying in wait for a domain administrator to log in so he could hijack his privileges and automatically extract the password hashes from the primary domain controller. The hidden script is often called a Trojan or a trapdoor.
Explanation / Answer
The changes made in the answer are:
The bank that was situated in Estonia was an easy target to hack. Juhan noticed the weakness when he viewed the source code of the bank’s Web pages. The code used a hidden form element that contained the filename of a form template, which was loaded by the CGI (common gateway interface) script and displayed to users in their Web browser. He changed the hidden variable to point to the server’s password file, and, voilà, the password file was displayed in his browser. Amazingly, the file was not shadowed, so he had access to all the encrypted passwords (which are basically not easy to decode), which he later cracked.
The Dixie bank hack provides another example of the need for defense in depth. In this instance, the bank’s network appeared to be flat; that is, without significant protection beyond the single Citrix server. Once any system on the network was compromised, the attacker could connect to every other system on the network. A defense-in-depth model could have prevented Gabriel from gaining access to the AS/400.
The bank’s information security staff was lulled into a false sense of security in having an external audit performed, which may have unreasonably raised the confidence level in their overall security posture. While performing a security assessment or audit is an important step to measure your resilience against an attack, an even more crucial process is properly managing the network and all the systems that are on it.
The online bank site should have required that all Web application developers stick to fundamental secure programming practices, or require auditing of any code put into production. The best practice is to limit the amount of user input that is passed to a server-side script. Using hard-coded filenames and constants, while not eloquent, raises the level of assurance in the security of the application.
Lax network monitoring and poor password security on the exposed Citrix server were the biggest mistakes in this case, and would likely have prevented Gabriel from roaming through their network, installing keystroke loggers, shadowing other authorized users, and planting Trojan programs. The hacker wrote a little script and put it into the administrator’s startup folder so when he logged in, it would run the pwdump3 program (which is used to crack passwords) silently. Of course, he already had administrator rights. The hacker was lying in wait for a domain administrator to log in so he could hijack his privileges (special right) and automatically extract the password hashes from the primary domain controller. The hidden script is often called a Trojan or a trapdoor.
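The secure-programming point made above (pass as little user input as possible to the server-side script; keep filenames as constants) shown as an added Python example. This code is not from the question, the answer, or the book being quoted; the template keys, paths and file contents are constructed stand-ins held in a dictionary so nothing touches a real filesystem.

```python
import posixpath

# Constructed stand-in for the server's files (no real file access).
SERVER_FILES = {
    "/srv/www/templates/login.html": "<form>login template</form>",
    "/srv/www/templates/balance.html": "<p>balance template</p>",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh",
}

TEMPLATE_DIR = "/srv/www/templates"


def load_template_unsafe(form):
    """The flawed pattern: the hidden form field names the file directly,
    so whatever path the client sends is what gets read and displayed."""
    return SERVER_FILES.get(form.get("template", ""))


# Hardened pattern: the hidden field carries only a short key, and the
# filename it maps to is a hard-coded constant chosen by the developer.
TEMPLATES = {
    "login": "login.html",
    "balance": "balance.html",
}


def load_template_safe(form):
    """Look the key up in the allowlist; anything else is refused."""
    filename = TEMPLATES.get(form.get("template", ""))
    if filename is None:
        return None  # unknown key: serve an error page and log the request
    return SERVER_FILES.get(posixpath.join(TEMPLATE_DIR, filename))


def is_within_template_dir(candidate):
    """Second layer (defense in depth): even if a filename ever had to come
    from input, normalise it and confirm it still resolves under TEMPLATE_DIR."""
    resolved = posixpath.normpath(posixpath.join(TEMPLATE_DIR, candidate))
    return posixpath.commonpath([TEMPLATE_DIR, resolved]) == TEMPLATE_DIR
```

The allowlist alone closes the flaw described in the passage; the containment check is the extra layer that catches a traversal if a later change reintroduces a filename parameter.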