W3C home > Mailing lists > Public > public-usable-authentication@w3.org > July 2006

Re: Secure Chrome and Secure MetaData (correction)

From: James A. Donald <jamesd@echeque.com>
Date: Thu, 06 Jul 2006 12:48:20 +1000
Message-ID: <44AC79F4.2060308@echeque.com>
To: spam filter <spam+w3c@jeff-nelson.com>, public-usable-authentication@w3.org

     --
Chris Drake wrote:
 > 1. Confidence Tricks
 >
 >    1.1. phishing emails
 >     1.1.1. to lure victims to spoof sites
 >     1.1.2. to lure victims into installing malicious code
 >     1.1.3. to lure victims towards O/S vulnerabilities to inject
 >            malicious code
 >     1.1.4. to lure victims into revealing information directly via
 >            reply or via embedded FORMS within the email
 >
 >    1.2. telephone phishing
 >     1.2.1. to directly extract auth info
 >     1.2.2. to direct victim to spoof site
 >
 >    1.3. person-to-person phishing / situation engineering
 >     1.3.1. to directly extract auth info (ask)
 >     1.3.2. to direct victim to spoof site

All of these rely both on impersonation, AND on users being trained to 
reveal shared secrets on demand in a wide variety of contexts and 
environments.  So we need to both make impersonation difficult, and also 
reduce this unilateral revelation of widely shared secrets, reduce this 
use of widely shared secrets.

 >     1.3.3. shoulder surfing (aka 4.5.2)
 >     1.3.4. physical attack - see 4.7

These attacks are rare, because people are instinctively on guard 
against them - observe behavior at ATMs.  ATM shoulder surfing tends to 
be resisted so forcefully that there is no sharp line between ATM 
shoulder surfing and ATM mugging.  It is more a martial arts problem 
than a software engineering problem.

 >    1.4. typographic attacks
 >     1.4.1. spoofing (eg: paypa1.com - using a number 1 for a little L)
 >     1.4.2. direct download of malicious code
 >     1.4.3. browser exploit injection

The classic instance of browser exploit injection was a bug in the 
Microsoft image viewer that allowed a carefully crafted image to contain 
assembly code that the image viewer would execute with the full 
authority of the user.  I don't see that this constitutes a "typographic 
attack"

 >    1.5. online phishing
 >     1.5.1. pop-up/pop-behind windows to spoof sites
 >     1.5.2. floating <DIV> or similar elements (eg: emulating an entire
 >            browser UI)

Untrusted and possibly hostile data should not have sufficient authority 
over the viewer's display to do this - the concept of "secure chrome" is 
largely about preventing this attack.

Related attacks resulting from excess authority over the viewer display 
are those porn sites that will not let you leave - every time you close 
one popup, two more are spawned.

A more malevolent attack using the same principle (excess authority over 
the display) is the web page that *insists* you download and execute an 
active X component, and sits in your face, until you do so, refusing to 
be dismissed.  Supposedly the function of the Active X component is to 
allow you to view the web page correctly, but in practice, it usually 
uses your modem to auto dial an extremely expensive sex talk line in 
some foreign country, one whose topic is as embarrassing as possible to 
discourage the victim from creating a fuss, and/or takes over your 
computer for a zombie net.

 > 2. Remote Technical Tricks
 >
 >    2.1. spoof techniques
 >     2.1.1. vanilla fake look-alike spoof web sites
 >     2.1.2. CGI proxied look-alike web site (server CGI talks to real
 >            site in real time - "man in the middle attack")
 >     2.1.3. popup windows hiding the address bar (3.4.1/3.4.2)
 >     2.1.4. <DIV> simulated browsers (1.5.2)
 >
 >    2.2. iframe exploits (eg: 1.5.1/1.1.3) (spammers buy iframes to
 >         launch 1.5 and 1.4 attacks)
 >    2.3. p2p filesharing publication of products modified to
 >         remove/limit protection - PGP, IE7, Mozilla, ...
 >    2.4. DNS poisoning (causes correct URL to go to spoof server)
 >    2.5. traffic sniffing (eg: at ISP, telco, WiFi, LAN, phone tap...)
 >    2.6. proxy poisoning (correct URL returns incorrect HTML)
 >    2.7. browser exploits (correct URL returns incorrect HTML)
 >    2.8. targeted proxy attack
 >     2.8.1. directs to vanilla spoof web site (2.1.1)
 >     2.8.2. uses CGI re-writing to proxy legitimate site (eg: convert
 >            HTTPS into HTTP to activate traffic sniffing) (2.1.2)
 >     2.8.3  activates 5.7
 >    2.9.  Authorized exploitation - see 3.5.
 >
 >
 > 3. Local Technical Tricks
 >
 >    3.2. Software vulnerabilities (aka exploits - eg - 1.1.3)
 >     3.1.1. Known
 >     3.1.2. Unknown
 >
 >    3.2. Browser "toolbars" (grant unrestricted DOM access to SSL data)
 >
 >    3.3. Trojans
 >     3.3.1. Standalone modified/hacked legitimate products (eg: PGP or
 >            a MSIE7) with inbuilt protection removed/modified.
 >     3.3.2. Bogus products (eg: the anti-spyware tools manufactured by
 >            the Russian spam gangs)
 >     3.3.3. Legitimate products with deliberate secret functionality
 >            (eg: warez keygens, sony/CD-Rom music piracy-block addins)
 >     3.3.4. Backdoors (activate remote control and 3.4.1/3.4.2)
 >
 >    3.4. Viruses
 >     3.4.1. General - keyloggers, mouse/screen snapshotters
 >     3.4.2. Targeted - specifically designed for certain victim sites
 >            (eg paypal/net banking) or certain victim actions (eg:
 >            password entry, detecting typed credit card numbers)
 >
 >    3.5. Authorized exploitation (authority (eg: Microsoft WPA/GA,
 >         Police, ISP, MSS, FBI, CIA, MI5, Feds...) engineer a Trojan or
 >         Viral exploit to be shipped down the wire to local PC,
 >         potentially being legitimately signed/authenticated software.)
 >
 >    3.6. Visual tricks
 >     3.6.1. browser address bar spoofing
 >     3.6.2. address bar hiding
 >
 >    3.7. Hardware attacks
 >     3.7.1. keylogger devices
 >     3.7.2. TEMPEST
 >     3.7.3. malicious hardware modification (token mods, token
 >            substitution, auth device substitution/emulation/etc)
 >
 >    3.8. Carnivore, DCS1000, Altivore, NetMap, Echelon, Magic Lantern,
 >         RIPA, SORM...
 >
 > 4. Victim Mistakes
 >
 >    4.1. writing down passwords
 >    4.2. telling people passwords
 >     4.2.1. deliberately (eg: friends/family)
 >     4.2.2. under duress (see 4.7)
 >    4.3. picking weak passwords
 >    4.4. using same passwords in more than one place
 >    4.5. inattentiveness when entering passwords
 >     4.5.1. not checking "https" and padlock and URL
 >     4.5.2. not preventing shoulder surfing
 >    4.6. permitting accounts to be "borrowed"
 >    4.7. physical attack (getting mugged)
 >     4.7.1. to steal auth info
 >     4.7.2. to acquire active session
 >     4.7.3. to force victim to take action (eg: xfer money)
 >    4.8. allowing weak lost-password "questions"/procedures
 >
 >
 > 5. Implementation Oversights
 >
 >    5.1. back button
 >    5.2. lost password procedures
 >    5.3. confidence tricks against site (as opposed to user)
 >    5.4. insecure cookies (non-SSL session usage)
 >    5.5. identity theft? site trusts user's lies about identity
 >    5.6. trusting form data
 >    5.7. accepting auth info over NON-SSL (eg: forgetting to check
 >         $ENV{HTTPS} is 'on' when performing CGI password checks)
 >    5.8. allowing weak lost-password "questions"/procedures
 >    5.9. replay
 >    5.10. robot exclusion (eg: block mass password guessing)
 >    5.11. geographical exclusion (eg: block logins from Korea)
 >    6.12. user re-identification - eg - "We've never seen you using
 >          Mozilla before"
 >    6.13. site-to-user authentication
 >    6.14. allowing users to "remember" auth info in browser (permits
 >          local attacks by unauthorised users)
 >    6.15. blocking users from being allowed to "remember" auth info in
 >          browser (facilitates spoofing / keyloggers)
 >    6.16. using cookies (may permit local attacks by unauthorised
 >          users)
 >    6.17. not using cookies (blocks site from identifying malicious
 >          activity or closing co-compromised accounts)
 >
 >
 > 6. Denial of Service attacks
 >
 >    6.1. deliberate failed logins to lock victim out of account
 >    6.2. deliberate failed logins to acquire out-of-channel subsequent
 >         access (eg: password resets)


Notably missing from your list is cross site scripting and session 
fixation attacks - which are flaws in web sites, rather than flaws in 
the internet protocols and architecture.  Each particular website has 
all the tools it needs to create web sites that resist session fixation 
and cross site scripting, but they usually do not, and it is in fact 
hard to build a large site that does not contain bugs that allow session 
fixation and/or cross site scripting.  The cure lies in in fixing the 
tools with which web sites are programmed - in fixing the languages in 
which web sites are programmed to make this kind of error less likely. 
Also, if a standard login mechanism was built in the browser and/or 
operating system, instead of each website rolling their own, they would 
be less likely to roll their own wrongly.  Built in login would take 
care of 99.9% of session fixation attacks, and most cross site scripting 
attacks.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      X4W475db7hpev0naSKV4sqlWhxanEd3CZFzJJoks
      4i+VSGjfZ0WyxW3/FPQ9odEHjkUXcH4KCmwZmCI9O
Received on Thursday, 6 July 2006 02:48:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:14 GMT