The cross-site request forgery (CSRF) attack as a browser exploit has been around for a while, but it has been considered unworkable in modern browsers. Unfortunately, it has raised its ugly head again and is likely to be a real threat in today's corporate Intranets and ever-more-extensive cloud environments.
This revived form of CSRF attack uses forged tokens to exploit a browser's cascading style sheet (CSS) history and the trust that a Website has in a user's browser. This is essentially the opposite of cross-site scripting (XSS), which exploits the trust a user has in a particular site.
Here's how CSRF hacking now works: When a user visits a Website, a random token is normally appended to the URL by the Website in order to set up the link between site and browser, and also to prevent such attacks. The hacker interferes with this process by using man-in-the-middle (MITM) techniques, which are also used in phishing exploits. The hacker's token is held in the user's browser history, appearing, for instance, as "http://yourbank.com/?param1=val1&token=a01et." When the trusted Website is next accessed, the planted token, now containing login details, can be used by the MITM hacker to access the user's account.
What's making this now possible are new scripting techniques that enable hackers to guess the random unique token and drag other unique tokens from the user's browser. This is an example of using "brute force," but it is carefully gauged so it will not multiply browser requests, alert firewalls, or cause a request to fail or a browser to time out.
A token number can be easily obtained -- especially when just five digits are required for a token -- without any alerts being raised, using a client-side attack technique that generates very little traffic. The CSRF attack achieves this by reading the browser history, collecting information about trusted Websites, and generating tokens for those sites only -- eliminating the need to create an unnecessary quantity of tokens.
So this technique can pass undetected through most firewalls and therefore through to most servers. It gives hackers the ability to scan intranets and therefore corporate networks with endless possibilities for the hacking community to use to their advantage.
Our research has found that CSRF attacks easily pass through both Google Chrome and Firefox 3.5 but, interestingly, not through Internet Explorer 8.0. However, IE8 is easily defeated by a new JavaScript "Ping" Sweep attack, which can work across a corporate Intranet and collate Web history.
When successfully generating this type of attack in our lab, it only took from 58 seconds on the latest version of Google's Chrome (version 2.0.172.37) to 568 seconds on Mozilla's latest Firefox (version 3.5) to pass through and obtain the necessary data.
Interestingly, Microsoft's IE8 does seem to stop the attack, apparently by its newer and finer timeout mechanism.
On Firefox, the initial attack can be halted by using NoScript, which is often switched off on trusted sites. On Chrome, the attack happens within the sandbox, and since the PC isn't threatened, it gets away with it.
What can be done? Here are a few suggestions for developers:
There is an urgent need for the number of digits in CSS tokens to be increased to at least eight, which would increase the number of requests needed to generate tokens randomly and defeat the hack.
Store any similar tokens in a hidden form field, rather than within a URL.
Use random tokens for every submission. Do not accept old tokens, even within a session.
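As an added example (not code from the article or its author), here is what the three developer suggestions above look like server-side in Python: a long random token minted per submission, rendered as a hidden form field rather than a URL parameter, accepted once and never again, plus a helper showing why a five-digit token falls to a small number of guesses while an eight-digit one needs a thousand times more. The CsrfTokenStore class, the 32-byte token length and the session ids are assumptions made for this example.

```python
import hmac
import html
import secrets


class CsrfTokenStore:
    """Hypothetical per-session store of single-use CSRF tokens (example only)."""

    def __init__(self, token_bytes=32):
        # 32 random bytes (256 bits) is an assumption; far beyond the
        # five- or eight-digit numeric tokens discussed in the article.
        self.token_bytes = token_bytes
        self._valid = {}  # session_id -> set of tokens not yet used

    def issue(self, session_id):
        """Mint a fresh random token for exactly one form submission."""
        token = secrets.token_urlsafe(self.token_bytes)
        self._valid.setdefault(session_id, set()).add(token)
        return token

    def consume(self, session_id, presented):
        """Accept a token once; old, replayed or foreign-session tokens fail."""
        outstanding = self._valid.get(session_id, set())
        match = None
        for token in outstanding:
            # Constant-time comparison over every candidate, no early exit.
            if hmac.compare_digest(token.encode(), presented.encode()):
                match = token
        if match is None:
            return False
        outstanding.discard(match)  # never accept the same token twice
        return True


def hidden_field(token):
    """Carry the token in a hidden form field, not in the page URL."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(token)}">'


def expected_guesses(digits):
    """Average blind guesses needed for a purely numeric token of this length."""
    return 10 ** digits // 2


if __name__ == "__main__":
    store = CsrfTokenStore()
    tok = store.issue("session-A")            # constructed session id
    print(hidden_field(tok))
    print("first use:", store.consume("session-A", tok))   # True
    print("replay:", store.consume("session-A", tok))      # False
    print("5 digits:", expected_guesses(5), "8 digits:", expected_guesses(8))
```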
For the end user:
Set your browser to private browsing mode.
If you use Firefox version 2.0, use the "SafeHistory" plug-in (unfortunately there is no update available for later versions of Firefox).
Internet Explorer 8.0 does appear to stop the CSRF hack (though we don't mean to create an advertisement for Microsoft).
Both the CSRF token hack using CSS history and the JavaScript "Ping" Sweep attack have been released into the hacking community as PoC (proof of concept) vulnerabilities.
Not quite the Internet equivalent of the plans for an "atomic weapon," but getting ever closer.
— Jart Armin, Editor of RBNexploit.com, a watch blog on the infamous RBN (Russian Business Network), and HostExploit.com
Jason, I'm not sure if you could be more correct. Maybe somewhere in defining "ease of use", "reduced security and safety" needs to be included.
If a complex piece of manufacturing was designed with "ease of use" as the primary focus, how many workers would be missing limbs and digits? Security features, while they shouldn't cripple a product, need to be in place and will almost always have to reduce the ease of use.
I'm glad all of my power tools have safety locks and other features because, quite frankly, I can be clumsy and dangerous. :-)
I was not surprised to see congress fussing over what P2P software does instead of questioning why any computer used for sensitive data would have been permitted to install p2p software -- or why employees entrusted with sensitive data would have moved that data to a non-secured computer.
Jason: "Ease of use will always override the ability to lock a user out of administrative level tasks"
very good post
I have heard the "Ease of Use" argument many, many times.
"FWIW" I think we mis-state the capability of the general level computer user. I think general level users would be only too happy to use a _standardized_ install procedure to update their computers with the software they want to use.
the guy who gets knocked out is the advertising guy who wants to use the latest cool crap to show off some flashy ad -- none of which we have any interest in seeing or having.
so far the ad man has had his way with the software. but that could be changing as the revolt against malware picks up steam
Readers should be aware that when storage protection keys are used properly one running program cannot read (let alone alter) memory assigned to a different program using a different protect key. This is a Storage Protection error and results in an ABEND. All modern documents must be treated as executable files. As a result, any program, such as a browser, used to process a modern document, such as a web page, must be run in RING3 using a restricted user ID -- i.e. "in the Sand Box" -- so that the document can be made harmless: if it tries anything funny -- error or otherwise -- the program that is processing that document is ABENDed. I think it is going to take Federal product liability law to force the change. But it needs to be done if we are going to go on with electronic commerce
*** I was walking down by the lakefront today...garbage everywhere there too! Shame (damn end users). Don't want SwineFlu? Wash yer friggin hands 5x/day! AAaand, don't kiss pigs! Hmm, I wonder if AIDS has been cured yet? Golly geez whiz, I wish they'd make a PERFECT OS for our PERFECT world! ***
Love it...
If they ever did get there... I would be out of a job... :)
Seriously, the problem is never one-sided. Unless you're my wife - It's my fault. Kidding aside...
Operating Systems such as the Microsoft variants over the years have been built for ease of use. Not ease of use for the technically savvy mind you, but for those individuals that struggled with the very concept of why they needed a computer in the first place. On top of ease of use came "cool features" to answer the question of why you needed a computer in the first place.
This ease of use coupled with cool, but questionably necessary, features creates most of the problems.
Let's face it, file association in Windows is a farce. Windows first of all depends on the extension of the file. Linux, on the other hand, looks at the "magic numbers" (file signatures in the header) and could care less about the extension.
There are third-party solutions to help protect the average user, but none are "average user" proof. Even tools like NoScript, Spyware Terminator, Adaware, pick your poison, all require you to have an understanding of what you're blocking and why. If you don't, you'll decide it is not worth the effort and will eventually allow everything - ease of use prevails.
One of the best products I have seen to protect Windows systems is Bit9 Parity. Complete whitelisting of applications and you can even protect yourself from your own administrators. This option obviously works best in environments where your builds are identical, but can work in more flexible environments.
But, this doesn't solve the average user problem.
Ease of use will always override the ability to lock a user out of administrative level tasks.
So where do we draw the line? What level of control does the OS take away from the user? Sure, I think a more locked down approach is necessary, but you will always need to have a loophole to allow access to those users that want it.
Yeah, alas. but ya know what? sometimes you have to just kinda beat the drum for a while and then alll of a sudden ya look around and ya got a whole party goin' on
Notes
the file associations really are not the problem. it is what is in the document and what the document processing program does with that content that matters.
open a web page, -- what executes? you ain't got a clue: web pages are a real can of worms these days. so your browser must be able to run a program of un-known nature with impunity. until that is made to happen when you buy a new computer the hackers will send you a thank-you card for enhancing their systems.
My friend Greg -- I had mentioned him earlier -- was COMSEC custodian in our Signal Unit of the ARNG. He bought one of those cute little Netbooks that are all the thing these days.
It came with a well known (but free (intro) version) of a popular A/V program pre-installed.
but he promptly picked up w32.ackpra.a
when I explained to him the vulnerabilities inherent in ms/Windows he noted "you can't be serious"
Well Mike, you've been on this Security band-wagon touting the x86 built-in protections for some time now and it appears to be going nowhere...
Really, when I think about it the biggest thing MS has done with their GUI-based OS; it's that they have made things too easy!!
I'm talking about associating files with apps...
Simply removing that feature completely from the OS would eliminate your every document is an executable contention, which you are correct they are -- but only because the Windows OS allows you to make them so...
It's that simple really, oh I know you'd need to construct a mechanism to identify legitimate binary executables, but that wouldn't be too hard now would it??
Anything else would be treated as a data file, un-functional to the user with a direct click, including files from the web...
C/Net -- latest data breach all this hacking is an intolerable situation. the first thing that needs done is to set up software inventory controls so that malware can be detected more quickly.
this would only be a stop-gap as it is hard to guess how much damage a good malware program could do in say -- 60 seconds
As long as they continue that line of thinking they won't make any progress. they have to learn: all modern documents are executable and for that reason your O/S must be constructed such that you can run any garbage program with impunity. The x86 chips provide the ability to do that if you run your application programs strictly in RING3 under a restricted logon
as long as Microsoft allows Windows to be attacked through the application program doorway they will just have a mess on their hands -- which will die abruptly as soon as a viable alternative is offered.
"Hackers will always be there to make our work difficult and it is good to be on the game so as to protect our work."
In fact, hackers make our work possible. It would be pointless to try to secure computing environments if there were no threat to them.
Thanks Jart, for bringing us your insight. You never fail to bring forward important issues.
I'm not a big MS fan, but I do recognize that MS, for the most part, owns the enterprise. So, it is nice to see that IE8 stops it. Unfortunately, since IE has such a bad rap, I would bet that the number of enterprises that have deployed IE8 are a minority.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.