W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

Comprehensive list - known Threat and Protection table

From: Chris Drake <christopher@pobox.com>
Date: Sun, 2 Jul 2006 14:28:25 +1000
Message-ID: <35099585.20060702142825@pobox.com>
To: public-usable-authentication@w3.org
CC: dix@ietf.org, idworkshop@googlegroups.com, ietf-http-auth@lists.osafoundation.org

Hi All,

Has anyone attempted to document the threats and/or what protection
we're trying to provide to users ?

If so - please point me - if not - please add-to or amend my list:

########################################
###  Authentication Threat List 1.0  ###
########################################

1. Confidence Tricks

   1.1. phishing emails
    1.1.1. to lure victims to spoof sites
    1.1.2. to lure victims into installing malicious code
    1.1.3. to lure victims towards O/S vulnerabilities to inject
           malicious code
    1.1.4. to lure victims into revealing information directly via
           reply or via embedded FORMS within the email

   1.2. telephone phishing
    1.2.1. to directly extract auth info
    1.2.2. to direct victim to spoof site
    
   1.3. person-to-person phishing / situation engineering
    1.3.1. to directly extract auth info (ask)
    1.3.2. to direct victim to spoof site
    1.3.3. shoulder surfing (aka 4.5.2)
    1.3.4. physical attack - see 4.7

   1.4. typographic attacks
    1.4.1. spoofing (eg: paypa1.com - using a number 1 for a little L)
    1.4.2. direct download of malicious code
    1.4.3. browser exploit injection

   1.5. online phishing
    1.5.1. pop-up/pop-behind windows to spoof sites
    1.5.2. floating <DIV> or similar elements (eg: emulating an entire
           browser UI)


2. Remote Technical Tricks

   2.1. spoof techniques
    2.1.1. vanilla fake look-alike spoof web sites
    2.1.2. CGI proxied look-alike web site (server CGI talks to real
           site in real time - "man in the middle attack")
    2.1.3. popup windows hiding the address bar (3.4.1/3.4.2)
    2.1.4. <DIV> simulated browsers (1.5.2)

   2.2. iframe exploits (eg: 1.5.1/1.1.3) (spammers buy iframes to
        launch 1.5 and 1.4 attacks)
   2.3. p2p filesharing publication of products modified to
        remove/limit protection - PGP, IE7, Mozilla, ...
   2.4. DNS poisoning (causes correct URL to go to spoof server)
   2.5. traffic sniffing (eg: at ISP, telco, WiFi, LAN, phone tap...)
   2.6. proxy poisoning (correct URL returns incorrect HTML)
   2.7. browser exploits (correct URL returns incorrect HTML)
   2.8. targeted proxy attack
    2.8.1. directs to vanilla spoof web site (2.1.1)
    2.8.2. uses CGI re-writing to proxy legitimate site (eg: convert
           HTTPS into HTTP to activate traffic sniffing) (2.1.2)
    2.8.3  activates 5.7
   2.9.  Authorized exploitation - see 3.5.


3. Local Technical Tricks

   3.2. Software vulnerabilities (aka exploits - eg - 1.1.3)
    3.1.1. Known
    3.1.2. Unknown

   3.2. Browser "toolbars" (grant unrestricted DOM access to SSL data)
   
   3.3. Trojans
    3.3.1. Standalone modified/hacked legitimate products (eg: PGP or
           a MSIE7) with inbuilt protection removed/modified.
    3.3.2. Bogus products (eg: the anti-spyware tools manufactured by
           the Russian spam gangs)
    3.3.3. Legitimate products with deliberate secret functionality
           (eg: warez keygens, sony/CD-Rom music piracy-block addins)
    3.3.4. Backdoors (activate remote control and 3.4.1/3.4.2)

   3.4. Viruses
    3.4.1. General - keyloggers, mouse/screen snapshotters
    3.4.2. Targeted - specifically designed for certain victim sites
           (eg paypal/net banking) or certain victim actions (eg:
           password entry, detecting typed credit card numbers)

   3.5. Authorized exploitation (authority (eg: Microsoft WPA/GA,
        Police, ISP, MSS, FBI, CIA, MI5, Feds...) engineer a Trojan or
        Viral exploit to be shipped down the wire to local PC,
        potentially being legitimately signed/authenticated software.)
   
   3.6. Visual tricks
    3.6.1. browser address bar spoofing
    3.6.2. address bar hiding

   3.7. Hardware attacks
    3.7.1. keylogger devices
    3.7.2. TEMPEST
    3.7.3. malicious hardware modification (token mods, token
           substitution, auth device substitution/emulation/etc)

   3.8. Carnivore, DCS1000, Altivore, NetMap, Echelon, Magic Lantern,
        RIPA, SORM...

4. Victim Mistakes

   4.1. writing down passwords
   4.2. telling people passwords
    4.2.1. deliberately (eg: friends/family)
    4.2.2. under duress (see 4.7)
   4.3. picking weak passwords
   4.4. using same passwords in more than one place
   4.5. inattentiveness when entering passwords
    4.5.1. not checking "https" and padlock and URL
    4.5.2. not preventing shoulder surfing
   4.6. permitting accounts to be "borrowed"
   4.7. physical attack (getting mugged)
    4.7.1. to steal auth info
    4.7.2. to acquire active session
    4.7.3. to force victim to take action (eg: xfer money)
   4.8. allowing weak lost-password "questions"/procedures

   
5. Implementation Oversights

   5.1. back button
   5.2. lost password procedures
   5.3. confidence tricks against site (as opposed to user)
   5.4. insecure cookies (non-SSL session usage)
   5.5. identity theft? site trusts user's lies about identity
   5.6. trusting form data
   5.7. accepting auth info over NON-SSL (eg: forgetting to check
        $ENV{HTTPS} is 'on' when performing CGI password checks)
   5.8. allowing weak lost-password "questions"/procedures
   5.9. replay
   5.10. robot exclusion (eg: block mass password guessing)
   5.11. geographical exclusion (eg: block logins from Korea)
   6.12. user re-identification - eg - "We've never seen you using
         Mozilla before"
   6.13. site-to-user authentication
   6.14. allowing users to "remember" auth info in browser (permits
         local attacks by unauthorised users)
   6.15. blocking users from being allowed to "remember" auth info in
         browser (facilitates spoofing / keyloggers)
   6.16. using cookies (may permit local attacks by unauthorised
         users)
   6.17. not using cookies (blocks site from identifying malicious
         activity or closing co-compromised accounts)

   
6. Denial of Service attacks

   6.1. deliberate failed logins to lock victim out of account
   6.2. deliberate failed logins to acquire out-of-channel subsequent
        access (eg: password resets)

        
7. Please contribute to this document!

   7.1. on-list - just reply
   7.2. off-list - send to christopher@pobox.com
   

Contributors:  Chris Drake
v.1.0 - July 2, 2006
#########################################
###  /Authentication Threat List 1.0  ###
#########################################

Kind Regards,
Chris Drake
Received on Sunday, 2 July 2006 04:28:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT