RE: Review of threat trees

Sorry, I read that wrong.

I was concentrating on just getting rid of attacks. I don't see much
good in luring user to a legitimate site for our purposes. Ideas for
combined heading?

Thx
Bill 




-----Original Message-----
From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
Sent: Thursday, June 28, 2007 3:35 PM
To: Doyle, Bill
Cc: Rachna Dhamija; public-wsc-wg@w3.org
Subject: Re: Review of threat trees

Huh?  I'm talking about combining these two threat trees.  That's
something that we *are* empowered to fix.

serge

Doyle, Bill wrote:
> 
> Millions of ways to break user agents and new ones each day.
> Don't talk about or lose time with items that we are not empowered to
> fix. Concentrate on the ones we are.
> 
> Bill
> 
> 
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
> Sent: Thursday, June 28, 2007 1:23 PM
> To: Doyle, Bill
> Cc: Rachna Dhamija; public-wsc-wg@w3.org
> Subject: Re: Review of threat trees
> 
> Maybe this has already been discussed, but from the user's perspective,
> how do the luring attacks differ from site impersonation?  In both cases
> the user thinks they are going to a trusted site, but end up at a
> different untrusted site.  In terms of recommendations for security
> indicators, I'm not sure we need to differentiate here.
> 
> serge
> 
> Doyle, Bill wrote:
>> Tyler, started a review - stopped in item 4, will get back to it.
>>  
>> Seems like we have some issues with threat trees.
>>  
>> I noted items that I thought had scope issues
>>  
>> 1. luring attacks
>>  D. all
>>  E  all 
>>  F  all
>>  
>> 2. Site impersonation
>>  A. ii.
>>  
>> 4. Cross-site scripting - only interested in is how the user agent
>> responds to certain attacks in this class.
>>  
>> From text, the pretense of the attack is injection of code into
>> vulnerable web applications, server side processing is out of scope and
>> attacking the server is out of scope.
>>  
>> Thought - Restructure section to note user agent actions and ability to
>> retain secure posture in the face of Cross-site scripting threats.
>> Server sends data that does X. Leave out how / why this occurs, it just
>> does.
>>  
>> B
>>
> ------------------------------------------------------------------------
>>     *From:* public-wsc-wg-request@w3.org
>>     [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Doyle, Bill
>>     *Sent:* Wednesday, June 27, 2007 6:46 AM
>>     *To:* Rachna Dhamija
>>     *Cc:* public-wsc-wg@w3.org
>>     *Subject:* RE: Public comments on threat trees
>>
>>     Thanks - was wondering what was up.
>>      
>>     Will take a look at it. Usually the MITRE infosec group does not
>>     hold back much, depends on who gets a hold of it.
>>      
>>     Bill
>>      
>>
> ------------------------------------------------------------------------
>>         *From:* Rachna Dhamija [mailto:rachna.w3c@gmail.com]
>>         *Sent:* Tuesday, June 26, 2007 8:52 PM
>>         *To:* Doyle, Bill
>>         *Cc:* public-wsc-wg@w3.org
>>         *Subject:* Re: Public comments on threat trees
>>
>>         Bill,
>>
>>         There is currently no "owner" (Stuart S is transitioning jobs,
>>         and I don't know if he is still participating in the
>>         workgroup).  I've been adding attacks as I think of them and
>>         have flattened it out to be more of an outline, rather than a
>>         "tree".  We still need to add links to examples and to identify
>>         which branches are in and out of scope.
>>
>>         I'm not sure that we'll ever be "done" with adding new attacks,
>>         so this is as good a time as any to get comments and find things
>>         we have missed.  Perhaps you and Stephen F might like to make
>>         one pass through it first.
>>
>>         http://www.w3.org/2006/WSC/wiki/ThreatTrees
>>
>>         Rachna
>>
>>         On 6/25/07, *Doyle, Bill* <wdoyle@mitre.org
>>         <mailto:wdoyle@mitre.org>> wrote:
>>
>>             Are threat trees ready for public comments? If so I will
>>             send a wiki link out to MITRE infosec list.
>>              
>>             If threat tree owner can respond and provide any intro and
>>             link it would be appreciated.
>>              
>>             Regards
>>             Bill Doyle
>>             wdoyle@mitre.org <mailto:wdoyle@mitre.org>
>>

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Thursday, 28 June 2007 21:00:38 UTC