Re: Review of threat trees

Well, the common theme here is that the user visits a page that they
think is another page.  So I think all of these attacks would fall under
"site impersonation," that or maybe something like "semantic attacks."

serge

Doyle, Bill wrote:
> Sorry, I read that wrong.
> 
> I was concentrating on just getting rid of attacks. I don't see much
> good in luring user to a legitimate site for our purposes. Ideas for
> combined heading?
> 
> Thx
> Bill
>
> -----Original Message-----
> From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
> Sent: Thursday, June 28, 2007 3:35 PM
> To: Doyle, Bill
> Cc: Rachna Dhamija; public-wsc-wg@w3.org
> Subject: Re: Review of threat trees
> 
> Huh?  I'm talking about combining these two threat trees.  That's
> something that we *are* empowered to fix.
> 
> serge
> 
> Doyle, Bill wrote:
>> Millions of ways to break user agents and new ones each day.
>> Don't talk about or lose time with items that we are not empowered to
>> fix. Concentrate on the ones we are.
>>
>> Bill
>>
>>
>> -----Original Message-----
>> From: Serge Egelman [mailto:egelman@cs.cmu.edu] 
>> Sent: Thursday, June 28, 2007 1:23 PM
>> To: Doyle, Bill
>> Cc: Rachna Dhamija; public-wsc-wg@w3.org
>> Subject: Re: Review of threat trees
>>
>> Maybe this has already been discussed, but from the user's perspective,
>> how do the luring attacks differ from site impersonation?  In both cases
>> the user thinks they are going to a trusted site, but end up at a
>> different untrusted site.  In terms of recommendations for security
>> indicators, I'm not sure we need to differentiate here.
>>
>> serge
>>
>> Doyle, Bill wrote:
>>> Tyler, started a review - stopped in item 4, will get back to it.
>>>  
>>> Seems like we have some issues with threat trees.
>>>  
>>> I noted items that I thought had scope issues
>>>  
>>> 1. luring attacks
>>>  D. all
>>>  E. all
>>>  F. all
>>>
>>> 2. Site impersonation
>>>  A. ii.
>>>  
>>> 4. Cross-site scripting - only interested in how the user agent
>>> responds to certain attacks in this class.
>>>
>>> From text, the pretense of the attack is injection of code into
>>> vulnerable web applications, server side processing is out of scope and
>>> attacking the server is out of scope.
>>>
>>> Thought - Restructure section to note user agent actions and ability to
>>> retain secure posture in the face of Cross-site scripting threats.
>>> Server sends data that does X. Leave out how / why this occurs, it just
>>> does.
>>>
>>> B
>>>
>>> ------------------------------------------------------------------------
>>>     *From:* public-wsc-wg-request@w3.org
>>>     [mailto:public-wsc-wg-request@w3.org] *On Behalf Of *Doyle, Bill
>>>     *Sent:* Wednesday, June 27, 2007 6:46 AM
>>>     *To:* Rachna Dhamija
>>>     *Cc:* public-wsc-wg@w3.org
>>>     *Subject:* RE: Public comments on threat trees
>>>
>>>     Thanks - was wondering what was up.
>>>      
>>>     Will take a look at it. Usually the MITRE infosec group does not
>>>     hold back much, depends on who gets a hold of it.
>>>      
>>>     Bill
>>>
>>> ------------------------------------------------------------------------
>>>         *From:* Rachna Dhamija [mailto:rachna.w3c@gmail.com]
>>>         *Sent:* Tuesday, June 26, 2007 8:52 PM
>>>         *To:* Doyle, Bill
>>>         *Cc:* public-wsc-wg@w3.org
>>>         *Subject:* Re: Public comments on threat trees
>>>
>>>         Bill,
>>>
>>>         There is currently no "owner" (Stuart S is transitioning jobs,
>>>         and I don't know if he is still participating in the
>>>         workgroup).   I've been adding attacks as I think of them and
>>>         have flattened it out to be more of an outline, rather than a
>>>         "tree".  We still need to add links to examples and to identify
>>>         which branches are in and out of scope.
>>>
>>>         I'm not sure that we'll ever be "done" with adding new attacks,
>>>         so this is a good time as any to get comments and find things we
>>>         have missed.  Perhaps you and Stephen F might like to make one
>>>         pass through it first.
>>>
>>>         http://www.w3.org/2006/WSC/wiki/ThreatTrees
>>>
>>>         Rachna
>>>
>>>         On 6/25/07, *Doyle, Bill* < wdoyle@mitre.org
>>>         <mailto:wdoyle@mitre.org>> wrote:
>>>
>>>             Are threat trees ready for public comments? If so I will
>>>             send a wiki link out to MITRE infosec list.
>>>
>>>             If threat tree owner can respond and provide any intro and
>>>             link it would be appreciated.
>>>
>>>             Regards
>>>             Bill Doyle
>>>             wdoyle@mitre.org <mailto:wdoyle@mitre.org>

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Friday, 29 June 2007 17:26:14 UTC