zastita feeds

02-04-2010 13:16

More unintended consequences of browser leakage

Joerg Resch at Kuppinger Cole points us to new research showing how social networks can be used in conjunction with browser leakage to provide accurate identification of users who think they are browsing anonymously.

Joerg writes:

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is just exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network.

The Practical Attack to De-Anonymize Social Network Users begins with what is known as “history stealing”.

Browsers don’t let web sites read the user’s “history” of visited sites directly. But we all know that browsers render links to sites we have visited in a different color than links to sites we have not. That difference is readable programmatically from JavaScript by examining the a:visited style. So a malicious site can load a list of candidate URLs as links, examine the a:visited style of each, and determine which of them have been visited, without the user being aware of it.

This attack has been known for some time, but what is novel is its use. The authors claim the groups in all major social networks are represented through URLs, so history stealing can be translated into “group membership stealing”. This brings us to the core of this new work. The authors have developed a model for the identification characteristics of group memberships – a model that will outlast this particular attack, as dramatic as it is.

The researchers have created a demonstration site that works with the European social network Xing. Joerg tried it out and, as you can see from the table at left, it identified him uniquely – although he had done nothing to authenticate himself. He says,

“Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I’m a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That’s weird!”

Since I’m not a user of Xing I can’t explore this first hand.

Joerg goes on to ask whether history-stealing is a crime. If it is not, how mainstream is this kind of analysis going to become? What is the right legal framework for considering these issues? One thing is for sure: this kind of demonstration, as it becomes widely understood, risks profoundly changing the way people look at the Internet.

To return to the idea of minimal disclosure for the browser, why do sites we visit need to be able to read the a:visited style at all? This should again be thought of as “fingerprinting”, and before a site is able to retrieve the fingerprint, the user must be made aware that doing so opens the possibility of being uniquely identified without authentication.


Related posts:

08-25-2010 4:06

More On PCI DSS 2.0 « #PCI

The biggest news out of this presentation is that requirement 6.5 will now apply to all in-scope applications, not just Internet-facing or browser-based applications. Based on all of the breach research that has been conducted, they have finally realized that any application in the cardholder data environment (CDE) is a potential hazard, not just those [...] 
08-16-2010 12:00

Simplicity or Complexity – Which is More Secure?

On May 19, 2010, Dr. Patricia Muoio of the ODNI (Office of the Director of National Intelligence) gave a thought-provoking presentation at a symposium hosted by NITRD (Networking and Information Research and Development), which is the name of a program that “… provides a framework in which many Federal agencies come together to coordinate their networking and information technology (IT) research and development (R&D) efforts.” … see www.nitrd.gov

The name of the symposium was “Toward a Federal Cybersecurity Research Agenda: The Game-Changing Themes,” and the particular topic covered by Dr. Muoio in the “Government Overview” session had to do with “moving target” approaches. The underlying proposition is that, in order to outwit the bad guys, one should be agile and stay one step ahead of the attackers by making security systems so complex that those with evil intentions will not be able to keep up. Currently, it would appear that the shoe is on the other foot, with the attackers keeping victims on the defensive by being state-of-the-art and staying ahead of the owners’ efforts to protect information assets.

More than a decade ago, Bruce Schneier wrote a piece in his Crypto-Gram Newsletter of March 15, 2000, with the title “Software Complexity and Security,” available at http://www.schneier.com/crypto-gram-0003.html. The opening sentence of the article is: “The future of digital systems is complexity, and complexity is the worst enemy of security.” He ends the article with the words: “Secure systems should be cut to the bone and made as simple as possible. There is no substitute for simplicity. Unfortunately, simplicity goes against everything our digital future stands for.”

While Bruce was referring to the underlying software that infosec professionals are trying to protect, I believe that the same goes for security systems. If we embark on a complexity race with the bad guys, we may end up the losers. The real answer, though likely impossible to achieve, is to simplify underlying software, platforms and infrastructure and have correspondingly simple security systems. However, even if we are not able to roll back complexity, we need to do something in terms of the designs and structures of systems. The subprime mortgage fiasco, the “flash crash” of May 6, 2010, and the Gulf oil gush catastrophe are all recent examples of complexity resulting in disaster and making for much more complicated recoveries.

I bemoaned the increasing complexity in a column “The Death of K.I.S.S.” in Securities Information Magazine, in 1994. I pointed out that systems had become so complex that it was no longer possible for an individual or a group of individuals to know and understand every aspect of the systems that they are responsible for supporting.

A real-life example of the detrimental impact of complexity is the April 27, 2010 New York Times front-page article by Elisabeth Bumiller with the title “We Have Met the Enemy and He Is PowerPoint,” with due deference to Pogo. The article is accompanied by a very complicated “… PowerPoint diagram meant to portray the complexity of American strategy in Afghanistan…” According to Gen. Stanley A. McChrystal, then leader of the American and NATO forces in Afghanistan, “When we understand that slide, we’ll have won the war.” As for the war in Afghanistan, so it is for computer systems and their protection. We are continuing to build ever more complex systems, so how can we hope to protect them?

I believe that hope lies in decoupling system components … that is, introducing the computer system equivalent of circuit breakers. If a module is overheating, there should be some way of disconnecting it from the rest of the system in order to avoid a ripple effect. This is similar to isolating sections of the electricity grid so that a failure of one segment does not bring down others.

In my opinion, the answer lies in simplifying systems and minimizing their attack surfaces. Perhaps we’ll have to give up some functionality, perhaps not. Perhaps it will cost more, perhaps not, especially when you include the cost of system compromises and failures due to attacks. In any event, it is worth a try since the greater-complexity approach does not appear to be working.

© BlogInfoSec.com, 2010.