Re: Review of threat trees

Maybe this has already been discussed, but from the user's perspective,
how do the luring attacks differ from site impersonation?  In both cases
the user thinks they are going to a trusted site, but end up at a
different untrusted site.  In terms of recommendations for security
indicators, I'm not sure we need to differentiate here.

serge

Doyle, Bill wrote:
> Tyler, started a review - stopped in item 4, will get back to it.
>  
> Seems like we have some issues with threat trees.
>  
> I noted items that I thought had scope issues
>  
> 1. luring attacks
>  D. all
>  E  all 
>  F  all
>  
> 2.Site impersonation
>  A. ii.
>  
> 4. Cross-site scripting - only interested in is how the user agent
> responds to certain attacks in this class.
>  
> From text, the pretense of the attack is injection of cone into
> vulnerable web applications, server side processing is out of scope and
> attacking the server is out of scope.
>  
> Thought - Restructure section to note user agent actions and ability to
> retain secure posture in the face of Cross-site scripting threats.
> Server sends data that does X. Leave out how / why this occurs, it just
> does.
>  
> B
>  
>  
>  
>  
>  
>  
> 
>  
> 
>     ------------------------------------------------------------------------
>     *From:* public-wsc-wg-request@w3.org
>     [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Doyle, Bill
>     *Sent:* Wednesday, June 27, 2007 6:46 AM
>     *To:* Rachna Dhamija
>     *Cc:* public-wsc-wg@w3.org
>     *Subject:* RE: Public comments on threat trees
> 
>     Thanks - was wondering what was up.
>      
>     Will take a look at it. Usually the MITRE infosec group does not
>     hold back much, depends on who gets a hold of it.
>      
>     Bill
>      
> 
>         ------------------------------------------------------------------------
>         *From:* Rachna Dhamija [mailto:rachna.w3c@gmail.com]
>         *Sent:* Tuesday, June 26, 2007 8:52 PM
>         *To:* Doyle, Bill
>         *Cc:* public-wsc-wg@w3.org
>         *Subject:* Re: Public comments on threat trees
> 
>         Bill,
> 
>         There is currently no "owner" (Stuart S is transitioning jobs,
>         and I don't know if he is still participating in the
>         workgroup).   I've been adding attacks as I think of them and
>         have flattened it out to be more of an outline, rather than a
>         "tree".  We still need to add links to examples and to identify
>         which branches are in and out of scope. 
> 
>         I'm not sure that we'll ever be "done" with adding new attacks,
>         so this is a good time as any to get comments and find things we
>         have missed.  Perhaps you and Stephen F might like to make one
>         pass through it first.
> 
>         http://www.w3.org/2006/WSC/wiki/ThreatTrees
> 
>         Rachna
> 
>         On 6/25/07, *Doyle, Bill* < wdoyle@mitre.org
>         <mailto:wdoyle@mitre.org>> wrote:
> 
>             Are threat trees ready for public comments? If so I will
>             send the a wiki link out to MITRE infosec list.
>              
>             If threat tree owner can respond and provide any intro and
>             link it would be appreciated.
>              
>             Regards
>             Bill Doyle
>             wdoyle@mitre.org <mailto:wdoyle@mitre.org>
>              
>              
>              
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Thursday, 28 June 2007 17:24:04 UTC