[4262] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Jay Heiser)
Thu Feb 6 12:14:48 1997
Date: Thu, 06 Feb 1997 10:10:58 -0500
From: Jay Heiser <Jay@homecom.com>
Reply-To: jay@homecom.com
To: WWW-SECURITY@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
Brian Toole wrote:
>
> The only "trick" here is to lure the user into
> downloading the application, and in this case, having
> a certificate actually helps the process, rather
> than hindering it. "Oooh. It's signed, so it
> is safe to use."
>
I don't remember anything in the original story of the German Quicken
hack on TV that had anything to do with a certificate. It was a
demonstration on how ActiveX could be used to modify the hard drive of
the system running the browser and one possible bad result. My
knowledge of Microsoft's certification infrastructure is limited, but I
have no reason to believe that a piece of ActiveX code is trusted just
because it has a certificate associated with it -- if you want to fork()
& exec() a new discussion of that I'd be happy to learn more.
What would it take to 'lure a user into downloading an application?'
I'm assuming that this is going to happen. All good new capabilities
bring bad new problems. What I'm not convinced yet is that it will
happen an unacceptable number of times. If you want to attack someone
through the web, I only see 3 possibilities:
1) put attack code on a public server you own
2) masquerade as someone else to set up a web server that can't be
traced back to you
3) hack someone else's site and insert your code
People that attack computers tend to do so anonymously. If they don't,
they get caught.
Spoofing a web server or renting one under an alias is possible, but it
would get shut down once it was discovered as hostile. It would be
difficult to create a site that attracted a lot of attention, but
couldn't be traced back to an owner. Not impossible.
You've described case 3, and I think this offers the most potential for
damage. If you want to get your attack code in front of as many people
as possible, the way to do it is to place it in a high-traffic area.
The wired legal community has been waiting for the first litigation
involving the concept of 'downstream liability.' In essence, having an
Internet site that was [easily] hacked and used to launch attacks
against other sites would leave the hacked site legally liable for
damage caused to the other sites (presumably, the site owner would have
deeper pockets than the hacker). My limited legal understanding of this
is that it would be similar to a swimming pool owner with an inadequate
fence, which could be considered an 'attractive nuisance.'
Assuming that attack code becomes a problem on the web, will all web
site owners have to worry about being hacked and hit with a downstream
liability suit?
