Re: An attack on paypal --> secure UI for browsers
Tim Dierks wrote:
- Get browser makers to design better ways to communicate to users that UI elements can be trusted. For example, a proposal I saw recently which would have the OS decorate the borders of "trusted" windows with facts or images that an attacker wouldn't be able to predict: the name of your dog, or whatever. (Sorry, can't locate a link right now, but I'd appreciate one.)
It was none other than Microsoft's NGSCB, nee Palladium. See http://news.com.com/2100-1012_3-1000584.html?tag=fd_top: NEW ORLEANS--Microsoft is trying to make security obvious. The software giant plans to visually alter document or application windows that contain private information that's secured through Microsoft's Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium. Secure windows will look different than regular, unsecured windows in order to remind users that they are looking at confidential material, Peter Biddle, product unit manager for Microsoft, said Thursday at the Windows Hardware Engineering Conference (WinHEC) here. ... The border of a secured page may contain information--such as the names of all the dogs that someone has ever owned--to make the data instantly recognizable as sound to the individual owner, as well as difficult to replicate. A hacker can create a spoof page with dogs' names running along the border but, in all likelihood, not one reading "Buffy, Skip and Jack Daniels--and in that order," Biddle said. ... Information on secured windows will vanish if another window is placed on top of it or shifted to the background. Erasing the information will prevent certain types of attacks and remind people that they're dealing with confidential material, Biddle said. When the secure window returns to the top of the stack, the information will reappear, he said. I don't see how this is going to work. The concept seems to assume that there is a distinction between "trusted" and "untrusted" programs. But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone. If you've loaded a Trojan application onto your machine, it can create an NCA, which would presumably be eligible to put up a "trusted" window. So either you have to configure a different list of doggie names for every NCA (one for your banking program, one for Media Player, one for each online game you play, etc.), or else each NCA gets access to your Secret Master List of Doggie Names. The first possibility is unmanageable and the second means that the trustedness of the window is meaningless. So what good is this? What problem does it solve? --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
Take this with a grain of salt. I'm no expert. However: I'd guess that no applications (besides the secure nexus) would have access to your "list of doggie names", just the ability to display it. The list just indicates that you are seeing a window from one of your partitioned and verified applications. I would also assume the window would get decorated with the name of the trusted application (not just your secret list). Thus you only need a single secret list to handle all of your "authorized" applications. -AdamL On Mon, 2003-06-09 at 22:00, Nomen Nescio wrote: <snip>
I don't see how this is going to work. The concept seems to assume that there is a distinction between "trusted" and "untrusted" programs. But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone. If you've loaded a Trojan application onto your machine, it can create an NCA, which would presumably be eligible to put up a "trusted" window.
So either you have to configure a different list of doggie names for every NCA (one for your banking program, one for Media Player, one for each online game you play, etc.), or else each NCA gets access to your Secret Master List of Doggie Names. The first possibility is unmanageable and the second means that the trustedness of the window is meaningless.
So what good is this? What problem does it solve? -- Adam Lydick <adam.lydick@verizon.net>
For example, a proposal I saw recently which would have the OS decorate the borders of "trusted" windows with facts or images that an attacker wouldn't be able to predict: the name of your dog, or whatever.
But if the system is rooted, then the attacker merely has to find the "today's secret word" entry in the registry and do the same thing. Unless Windows is planning on getting real kernel-level kinds of protection.
It was none other than Microsoft's NGSCB, nee Palladium. See http://news.com.com/2100-1012_3-1000584.html?tag=fd_top:
See previous sentence. :) /r$ -- Rich Salz Chief Security Architect DataPower Technology http://www.datapower.com XS40 XML Security Gateway http://www.datapower.com/products/xs40.html XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
It's simple. It solves the problem that Microsoft Salesmen have. In order to sell shit, you have to make it look like gold. Cee Eee Ohs have heard it said that Microsoft software is insecure crap. Now the Microsoft Salesmen can do fancy demos with pretty colors and slick Operators Are standing By, Act Now, *New*, Don't Delay, Improved, Secure, Bells Whistles and Coolness demos and sign the suckers up. Just like the wonderful ads that peppered NYC when Ex-Pee came out saying "Reliable, and Secure." ----------------------Kaos-Keraunos-Kybernetos--------------------------- + ^ + :25Kliters anthrax, 38K liters botulinum toxin, 500 tons of /|\ \|/ :sarin, mustard and VX gas, mobile bio-weapons labs, nukular /\|/\ <--*-->:weapons.. Reasons for war on Iraq - GWB 2003-01-28 speech. \/|\/ /|\ :Found to date: 0. Cost of war: $800,000,000,000 USD. \|/ + v + : The look on Sadam's face - priceless! --------_sunder_@_sunder_._net_------- http://www.sunder.net ------------ On Tue, 10 Jun 2003, Nomen Nescio wrote:
I don't see how this is going to work. The concept seems to assume that there is a distinction between "trusted" and "untrusted" programs. But in the NGSCB architecture, Nexus Computing Agents (NCAs) can be written by anyone. If you've loaded a Trojan application onto your machine, it can create an NCA, which would presumably be eligible to put up a "trusted" window.
So either you have to configure a different list of doggie names for every NCA (one for your banking program, one for Media Player, one for each online game you play, etc.), or else each NCA gets access to your Secret Master List of Doggie Names. The first possibility is unmanageable and the second means that the trustedness of the window is meaningless.
So what good is this? What problem does it solve?
participants (4)
-
Adam Lydick -
Nomen Nescio -
Rich Salz -
Sunder