Security Basics mailing list archives
RE: TPM against XSS and Phishing
From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Wed, 14 May 2008 20:55:47 -0400
Chris,

Both XSS and phishing are delivered as social engineering attacks. Implicitly the user might trust the link with the XSS attack vector or an email pointing to a malicious/phished site link. Is social engineering the root cause? No. Social engineering is probably the path of least resistance for the threat agent. If you apply an attack tree to phishing or XSS, this is probably what an attacker will select after first considering the odds of being successful and the costs involved. Basically hackers choose the path of least resistance as well as the highest bang for the money...

The root cause of the vulnerability is a different story. In the case of XSS, this is a well known web site vulnerability due to the lack of filtering and output encoding. An ethical hack of the web application, or even better a secure code review, will find this vulnerability and allow the site owner to mitigate the risk. The risk is for an attacker to exploit XSS to steal confidential data on the client browser.

In the case of phishing it really depends on the attack vector. Actually XSS is one of the many possible ways to deliver phishing attacks. XSS is just another attack vector. Other attack vectors can be XFS (Cross Frame Scripting) to frame the login page within a malicious frame to steal username and password. In the case of a phishing that uses a proxy to MiTM (Man In The Middle), the root cause is non-repudiation, and mutual authentication via PKI can be a valid countermeasure. If PKI is deployed, the secrecy of the private key is what the attacker will go after. The best way to store a private key is through a secure key store. Also a factor that uniquely identifies the client can be stored in a secure kernel. These are solutions that have already been analyzed (see Tricipher).

The problem is IMHO that the best for security is not the best for usability and total cost of ownership (TCO). If I am the CIO of a bank, that is what drives my decision to deploy such a solution. Basically I am still taking the risk because the loss is not worth the cost of deploying it. That's why you got a compromise that is a multifactor authentication control such as Sitekey and an RSA token or Cyota risk authentication. The chance (for a new technology) is that recently (2007 and 2008) the wave of phishing is shifting and these MFA controls (RSA tokens, Cyota etc) are becoming useless. Botnets such as Rockphish and proxy based MiTM phishing attacks make these MFA solutions ineffective to mitigate the new phishing threats. Also the fraud and identity theft data and the losses are in the billions of $$ (see Gartner and FTC data).

So TPM might be part of the solution but you need much more than that: I elaborated on an anti-phishing tool proposal on my blog: http://securesoftware.blogspot.com/2008/04/anti-phishing-tool-proposal.html

I am open to advice and suggestions as well as sponsorship. :)

Regards
Marco

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Charis
Sent: Tuesday, May 13, 2008 10:22 PM
To: security-basics () securityfocus com
Subject: TPM against XSS and Phishing

Hi,

Can anyone help me on how the use of secure boot (using a TPM) on Vista could prevent XSS and phishing attacks?

Thanks in advance
Charis
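As an added example (not part of Marco's message or of this thread), here is the "lack of filtering and output encoding" root cause from the reply shown in working Python: a page fragment that concatenates a user-supplied search term straight into HTML, the same fragment with HTML output encoding applied to every untrusted value, and a small audit that flags when untrusted input has added tags or attribute boundaries to the rendered page. The function names, the page template and the sample inputs are constructed for this illustration and do not come from the thread.

```python
import html
import re

# Constructed sample inputs (not from the thread): a "search term" that the
# page echoes back, which is exactly the situation a reflected XSS needs.
SAMPLE_INPUTS = [
    "tpm",                          # ordinary input
    "<script>alert(1)</script>",    # injects a new element into element content
    '" onmouseover="alert(1)',      # breaks out of an attribute value
]


def render_vulnerable(term: str) -> str:
    """The defect Marco describes: untrusted input concatenated into HTML
    with no encoding, in both element content and an attribute value."""
    return f'<p>Results for: {term}</p><input value="{term}">'


def encode_html(value: str) -> str:
    """Output encoding for HTML: the characters &, <, >, " and ' become
    entities, so the browser treats the value as text, never as markup."""
    return html.escape(value, quote=True)


def render_hardened(term: str) -> str:
    """Same page, with every untrusted value encoded before it is placed
    in the document. The attribute value is also quoted, so encoding the
    quote character keeps the value inside the attribute."""
    safe = encode_html(term)
    return f'<p>Results for: {safe}</p><input value="{safe}">'


# Heuristics used only by the audit below: a tag start and an attribute start.
_TAG_START = re.compile(r"<[a-zA-Z/]")
_ATTR_START = re.compile(r'\s[a-zA-Z-]+\s*=\s*"')


def _count_tags(doc: str) -> int:
    return len(_TAG_START.findall(doc))


def _count_attrs(doc: str) -> int:
    return len(_ATTR_START.findall(doc))


def injection_succeeded(render, payload: str) -> bool:
    """Compare the page rendered with an empty term against the page rendered
    with the payload. If the payload added tags or attribute boundaries, the
    template let untrusted input become markup."""
    baseline = render("")
    rendered = render(payload)
    return (_count_tags(rendered) > _count_tags(baseline)
            or _count_attrs(rendered) > _count_attrs(baseline))


def audit(render) -> dict:
    """Run every constructed sample through a template and report which
    inputs turned into markup. A clean template reports False for all."""
    return {payload: injection_succeeded(render, payload) for payload in SAMPLE_INPUTS}


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        print(name)
        for payload, leaked in audit(render).items():
            print(f"  {payload!r:32} markup injected: {leaked}")
```

The audit is a review aid for a template you already suspect, not a substitute for the secure code review the reply recommends: it only recognises tag and attribute boundaries in HTML, so a value placed inside a script block, a URL or a CSS rule needs encoding appropriate to that context, which html.escape does not provide.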
Current thread:
- TPM against XSS and Phishing Charis (May 14)
- Re: TPM against XSS and Phishing Dennis Li (May 14)
- Re: TPM against XSS and Phishing Ali, Saqib (May 14)
- RE: TPM against XSS and Phishing Marco M. Morana (May 15)