[4271] in WWW Security List Archive
RE: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (Christine Chang)
Thu Feb 6 20:16:34 1997
From: Christine Chang <cchang@microsoft.com>
To: "'jay@homecom.com'" <jay@homecom.com>
Cc: "'WWW-SECURITY@ns2.rutgers.edu'" <WWW-SECURITY@ns2.rutgers.edu>
Date: Thu, 6 Feb 1997 15:04:28 -0800
Errors-To: owner-www-security@ns2.rutgers.edu
Jay Heiser wrote:
> I don't remember anything in the original story of the German Quicken hack
> on TV that had anything to do with a certificate.
That's our impression as well. We are learning more about this particular
situation, but it seems that the code was not signed. As we learn more,
we'll let you know.
The purpose of Authenticode is to enable users to make educated decisions
about downloading code. If a user trusts a particular publisher based on
past experience, then it makes sense to download that publisher's code. By
no means does a certificate imply that the user should trust the publisher
automatically. The point that was made previously applies; it's a matter of
education.
As a side note, publishers are liable for their signed code. They must
pledge when enrolling for their certificate with VeriSign that they will
not distribute malicious signed code (essentially). Once VeriSign is
notified that a publisher has broken its pledge, VeriSign will work with
the publisher to ensure that it complies with the pledge.
Christine
-----Original Message-----
From: Jay Heiser [SMTP:Jay@homecom.com]
Sent: Thursday, February 06, 1997 7:11 AM
To: WWW-SECURITY@ns2.rutgers.edu
Subject: Re: Sceptic about (Funds Transfer w/o PIN)
Brian Toole wrote:
>
> The only "trick" here is to lure the user into
> downloading the application, and in this case, having
> a certificate actually helps the process, rather
> than hindering it. "Oooh. It's signed, so it
> is safe to use."
>
I don't remember anything in the original story of the German Quicken
hack on TV that had anything to do with a certificate. It was a
demonstration on how ActiveX could be used to modify the hard drive of
the system running the browser and one possible bad result. My
knowledge of Microsoft's certification infrastructure is limited, but I
have no reason to believe that a piece of ActiveX code is trusted just
because it has a certificate associated with it -- if you want to fork()
& exec() a new discussion of that I'd be happy to learn more.
What would it take to 'lure a user into downloading an application?'
I'm assuming that this is going to happen. All good new capabilities
bring bad new problems. What I'm not convinced of yet is that it will
happen an unacceptable number of times. If you want to attack someone
through the web, I only see 3 possibilities:
1) put attack code on a public server you own
2) masquerade as someone else to set up a web server that can't be
traced back to you
3) hack someone else's site and insert your code
People that attack computers tend to do so anonymously. If they don't,
they get caught.
Spoofing a web server or renting one under an alias is possible, but it
would get shut down once it was discovered as hostile. It would be
difficult to create a site that attracted a lot of attention, but
couldn't be traced back to an owner. Not impossible.
You've described case 3, and I think this offers the most potential for
damage. If you want to get your attack code in front of as many people
as possible, the way to do it is to place it in a high-traffic area.
The wired legal community has been waiting for the first litigation
involving the concept of 'downstream liability.' In essence, having an
Internet site that was [easily] hacked and used to launch attacks
against other sites would leave the hacked site legally liable for
damage caused to the other sites (presumably, the site owner would have
deeper pockets than the hacker). My limited legal understanding of this
is that it would be similar to a swimming pool owner with an inadequate
fence, which could be considered an 'attractive nuisance.'
Assuming that attack code becomes a problem on the web, will all web
site owners have to worry about being hacked and hit with a downstream
liability suit?
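Christine Chang's point above, that a certificate identifies the publisher but by no means implies the code should be trusted, as an added example that is not part of the list thread: Go's ed25519 stands in for Authenticode's X.509-based signatures, the publisher name and allow-list are constructed, and the trust decision is modelled as a separate step the user's own policy controls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedCode models a downloaded control: the publisher name carried in the
// certificate, the publisher's key, the code bytes and the signature over them.
type SignedCode struct {
	Publisher string
	PubKey    ed25519.PublicKey
	Code      []byte
	Sig       []byte
}

// Sign is a stand-in for the publisher's signing step.
func Sign(publisher string, priv ed25519.PrivateKey, code []byte) SignedCode {
	pub := priv.Public().(ed25519.PublicKey)
	return SignedCode{publisher, pub, code, ed25519.Sign(priv, code)}
}

// Fingerprint is what a user pins for a publisher after good past experience.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Decision keeps the two questions apart: "did this publisher sign exactly
// these bytes?" and "have I decided to trust this publisher?"
type Decision struct{ SignatureValid, Trusted bool }

// Evaluate verifies the signature, then consults the user's allow-list mapping
// publisher name to pinned key fingerprint. A valid signature never grants
// Trusted by itself; a known name presented with an unexpected key is rejected.
func Evaluate(pkg SignedCode, allow map[string]string) Decision {
	d := Decision{SignatureValid: ed25519.Verify(pkg.PubKey, pkg.Code, pkg.Sig)}
	if d.SignatureValid {
		d.Trusted = allow[pkg.Publisher] == Fingerprint(pkg.PubKey)
	}
	return d
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	pkg := Sign("Example Publisher", priv, []byte("control bytes")) // constructed
	fmt.Printf("signed but unknown publisher: %+v\n", Evaluate(pkg, nil))
}
```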