Security Basics mailing list archives

RE: TPM against XSS and Phishing


From: "Marco M. Morana" <marco.m.morana () gmail com>
Date: Wed, 14 May 2008 20:55:47 -0400

Chris

Both XSS and phishing are delivered as social engineering attacks.
Implicitly the user might trust the link with the XSS attack vector or an
email pointing to a malicious/phished site link. Is social engineering the
root cause? No. Social engineering is probably the path-of-least-resistance
threat agent. If you apply an attack tree to phishing or XSS, this is
probably what an attacker will select after first considering the odds of
being successful and the costs involved. Basically hackers choose the path
of least resistance as well as the highest bang for the money... The root
cause of the vulnerability is a different story. In the case of XSS, this is
a well-known web site vulnerability due to the lack of filtering and output
encoding. An ethical hack of the web application or, even better, a secure
code review will find this vulnerability and allow the site owner to
mitigate the risk. The risk is for an attacker to exploit XSS to steal
confidential data on the client browser.

In the case of phishing it really depends on the attack vector. Actually XSS
is one of the many possible ways to deliver phishing attacks. XSS is just
another attack vector. Other attack vectors can be XFS (Cross Frame
Scripting) to frame the login page within a malicious frame to steal
username and password. In the case of phishing that uses a proxy to MiTM
(Man In The Middle), the root cause is non-repudiation, and mutual
authentication via PKI can be a valid countermeasure. If PKI is deployed, the
secrecy of the private key is what the attacker will go after. The best way
to store a private key is through a secure key store. Also a factor that
uniquely identifies the client can be stored in a secure kernel. These are
solutions that have already been analyzed (see Tricipher). The problem is,
IMHO, that the best for security is not the best for usability and total cost
of ownership (TCO). If I am a CIO of a bank, that is what drives my decision
to deploy such a solution. Basically I am still taking the risk because the
loss is not worth the cost of deploying it. That's why you got a compromise
that is a multifactor authentication control such as Sitekey and an RSA
token or Cyota risk authentication. The chance (for a new technology) is
that recently (2007 and 2008) the wave of phishing is shifting and these
MFA controls (RSA tokens, Cyota, etc.) are becoming useless. Botnets such as
Rockphish and proxy-based MiTM phishing attacks make these MFA solutions
ineffective to mitigate the new phishing threats. Also the fraud and
identity theft data and the losses are in the billions of $$ (see Gartner and
FTC data). So TPM might be part of the solution but you need much more than
that: I elaborated on an anti-phishing tool proposal on my blog:
http://securesoftware.blogspot.com/2008/04/anti-phishing-tool-proposal.html
I am open to advice and suggestions as well as sponsorship. :)

Regards

Marco 

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Charis
Sent: Tuesday, May 13, 2008 10:22 PM
To: security-basics () securityfocus com
Subject: TPM against XSS and Phishing

Hi,
Can anyone help me on how the use of secure boot (using a TPM) on Vista could
prevent XSS and phishing attacks?
Thanks in advance
Charis


