[4285] in WWW Security List Archive
Re: Sceptic about (Funds Transfer w/o PIN)
daemon@ATHENA.MIT.EDU (John Matthews)
Fri Feb 7 14:55:50 1997
Date: Sat, 8 Feb 1997 04:50:01 +1100 (EST)
From: John Matthews <knytmare@nectar.com.au>
To: Jay Heiser <Jay@homecom.com>
cc: WWW-SECURITY@ns2.rutgers.edu
In-Reply-To: <32F9F482.5307@HomeCom.com>
Errors-To: owner-www-security@ns2.rutgers.edu
John Johnson WWW http://www.novatech.net.au
Technical Director email novatech@novatech.net.au (business)
NovaTech Internet Security knytmare@nectar.com.au (private)
Australia's Leading Dedicated Internet and Network Security Consultants
On Thu, 6 Feb 1997, Jay Heiser wrote:
> Brian Toole wrote:
> >
>
> > The only "trick" here is to lure the user into
> > downloading the application, and in this case, having
> > a certificate actually helps the process, rather
> > than hindering it. "Oooh. It's signed, so it
> > is safe to use."
> >
>
> I don't remember anything in the original story of the German Quicken
> hack on TV that had anything to do with a certificate. It was a
> demonstration on how ActiveX could be used to modify the hard drive of
> the system running the browser and one possible bad result. My
> knowledge of Microsoft's certification infrastructure is limited, but I
> have no reason to believe that a piece of ActiveX code is trusted just
> because it has a certificate associated with it -- if you want to fork()
> & exec() a new discussion of that I'd be happy to learn more.
>
> What would it take to 'lure a user into downloading an application?'
> I'm assuming that this is going to happen. All good new capabilities
> bring bad new problems. What I'm not convinced yet is that it will
> happen an unacceptable number of times. If you want to attack someone
> through the web, I only see 3 possibilities:
> 1) put attack code on a public server you own
> 2) masquerade as someone else to set up a web server that can't be
> traced back to you
> 3) hack someone else's site and insert your code
G'day
> ###### 4? as demostrated recently very clever javascripting allows a
remote site (web site) to issue a comand to ftp all directory names and
request file transfers (ftp) to the remote site whilst you fill in a
long form to enter a competition
this technology worries folks as it is us who gets to play with it all
and they just her about it beside we get paid to look after it
so how about we look at the larger picture???
there are a number of faults with a lot of these applet style scripting
that folks are finding possible yes they are great but... where do we
draw the line to it (i know this sounds yea the end is niegh ..but wait)
if we form a convention somewhere (anyone care to donate at site or list??)
so specify the allowed and not allowed out of these and direc some
thought into this I am sure we could get a decent idea of what is too
free and restart these processes before they are ingrained forever
One whould hope that the likes of Sun &Netscape would be involved as they
are the main players in this.. votes may be taken and anyone can have a
say if it is constructive... Group concencess being judge and jury
if there is a expence to parties out there for this reseach and
development...i think it would be worthwhile.. better a cheap product
now that may not be everything we need but we hope it is??????
or one that fills the requirements of no flaws or possible breaches of
security at a higher cost ... there is a definate need for some more
information on what is possible verifiable and documented to help this
happen..
anyone with other ideas ??
> People that attack computers tend to do so anonymously. If they don't,
> they get caught.
>
> Spoofing a web server or renting one under an alias is possible, but it
> would get shut down once it was discovered as hostile. It would be
> difficult to create a site that attracted a lot of attention, but
> couldn't be traced back to an owner. Not impossible.
>
> You've described case 3, and I think this offers the most potential for
> damage. If you want to get your attack code in front of as many people
> as possible, the way to do it is to place it in a high-traffic area.
>
> The wired legal community has been waiting for the first litigation
> involving the concept of 'downstream liability.' In essence, having an
> Internet site that was [easily] hacked and used to launch attacks
> against other sites would leave the hacked site legally liable for
> damage caused to the other sites (presumably, the site owner would have
> deeper pockets than the hacker). My limited legal understanding of this
> is that it would be similar to a swimming pool owner with an inadequate
> fence, which could be considered an 'attractive nuisance.'
>
> Assuming that attack code becomes a problem on the web, will all web
> site owners have to worry about being hacked and hit with a downstream
> liability suit?
>
