QUIZ 3


What other methods are there to clickjack?

(1) Decoy UI underneath, with the victim UI overlaid on top and made transparent using CSS opacity. (2) A very small iframe scrolled so that only the target button of the victim UI is visible. (3) The attacker hides the target UI (as a frame, or as a separate window) underneath his own and reveals it only milliseconds before the anticipated user click; very difficult to time. (source: slides)

What can you do with clickjacking?

(1) Steal personal information, like logins. (2) Steal endorsements and other social-media benefits ("likejacking"). (3) Enable browser/app/system settings without the user knowing, e.g. change Flash settings to enable video/audio capture. (4) Click fraud against ad networks: drain a competitor's ad budget with bogus clicks, or get paid for clicks on ads hosted on your own site. (source: slides)

Sample JavaScript for frame busting?

<script type="text/javascript"> if (top != self) top.location = self.location; </script> (source: slides)
This is the naive form: it only helps if the script actually runs inside the frame, and the framing page can block the navigation (see "How to mitigate clickjacking?").

What is X-Frame-Options header?

A response header that tells the browser whether it may render the document inside a frame: DENY (never), SAMEORIGIN (only when the framing page has the same origin) or ALLOW-FROM uri (only from the one listed origin; never supported by Chrome or Safari and since dropped by Firefox as well). (source: slides)

Improving upon passwords

Add biometrics, for example keystroke dynamics or a voiceprint; revocation is often a problem with biometrics (you cannot change your voice after it leaks).
Graphical passwords; goal: easier to remember, no need to write them down.
Password managers; examples: LastPass, KeePass, the one built into the browser.
Two-factor authentication, which leverages the user's phone (or another device) as a second factor.

Password policies

Allow long and random passwords with a good mix of letters, numbers and symbols. Never store passwords as plaintext; store them server side using a strong, slow one-way hash function with a per-password salt.

What exactly is hijacked in clickjacking?

Any single-click action. Key events are much harder to hijack because the user's typing would be invisible to them (they would probably notice). (source: slides)

What is cracking passwords "en masse"?

Brute-forcing a whole stolen password file at once, treating every user's password choice as if it were a uniformly random string: hash guesses in order (SHA1("aaaaaa"), SHA1("aaaaab"), ...) and compare each result against all of the stored hashes. Real passwords are far from random, which is why dictionary and mask attacks do much better.

Salt

Attackers may use pre-generated tables of password hashes. If each password is stored with its own long, unique salt mixed into the hash, the attacker's tables will not contain the resulting hashes. They could regenerate their tables with the salt included, but because the salt is unique per password they would have to regenerate the whole table for every salt, i.e. for every password.

What is the difference between first and third-party cookies?

Browsers automatically include a site's cookies with every HTTP request to that site (cookies themselves are set by HTTP responses). First-party cookie: belongs to the domain of the top-level page. Third-party cookie: belongs to the domain of embedded content (ads, widgets, scripts from another domain). Trackers included in other sites use third-party cookies containing unique identifiers to build browsing profiles across sites.

Describe Mask Attacks

Brute-force example: we want to crack the password Julia1983. Traditional brute force over 9 positions of 62 characters needs 62^9 ≈ 1.35 × 10^16 candidates; at 100M guesses/sec that is about 4 years.
Mask attack: don't try every character in every position. Restrict each position to a plausible alphabet (here: a name followed by a year, so first letter J, four lowercase letters, then four digits). Key-space J%c%c%c%c%d%d%d%d = 26^4 × 10^4 = 4,569,760,000 candidates; at 100M/sec about 46 seconds. (The slide's figure of 466976 combinations and "< 1 second" omits the 10^4 factor for the digit positions; 26^4 alone is 456,976.) Narrowing the year further, e.g. to plausible birth years, shrinks the space again.

How can a webpage figure out which sites you visited previously?

Color of links: the CSS :visited style, read back with getComputedStyle() (modern browsers now return the unvisited style for this call to close the leak). Timing of cached web content. DNS resolution timing. The tracker basically loads all the pages of interest into its own page and, once rendered, can see which of them you have visited. One use: keep track of which competitors a user has visited and offer matching deals in real time.

What does admeld do?

The card is about the complex business relationships behind the third-party requests a browser makes: trackers often cooperate, so it is insufficient to consider trackers in isolation. A website may embed one third-party tracker, which in turn acts as an aggregator for a number of other third-party trackers; this behavior is common among advertising networks. For example, admeld.com is often embedded by websites, and it makes further requests to trackers like turn.com and invitemedia.com. In these requests admeld.com includes the information necessary to track the user, including the top-level page and the pseudonym from admeld.com's own tracker-owned cookie. This means that turn.com does not need to set its own client-side state; it can rely entirely on admeld.com.

Explain cookie respawning

Cookie respawning is recreating a browser cookie that the user has deleted from information stored elsewhere on the client. For example, a company can take an identifier kept in a Flash cookie (local shared object) and use it to recreate the HTTP cookie after the user clears cookies, which undoes the user's attempt to opt out of tracking. HTML5 local storage gives web applications another place to keep such data within the user's browser. Before HTML5, application data had to be stored in cookies, which are included in every server request. Local storage is per origin (domain and protocol), and all pages from one origin can store and access the same data; its limit is far larger (at least 5MB) and the data is never transmitted automatically to the server, which also makes it a convenient place to stash a copy of an identifier for respawning. [w3schools]

Sources of tracking

Cookies (first- and third-party), other client-side storage from which cookies can be respawned (Flash cookies, HTML5 local storage), and browser fingerprinting.

What is frame-busting?

Defensive code in the page that ensures it is the top-level frame, so the victim UI never renders inside an attacker's frame. Frame busting typically consists of a conditional statement (am I framed?) and a counter-action that navigates the top window to the correct page. (source: slides)

What is a dictionary attack?

A dictionary attack is possible because many passwords come from a small dictionary. The attacker can pre-compute Hash(word) for every word in the dictionary; this only needs to be done once. This is an offline attack: once the password file is obtained, cracking is instantaneous. Sophisticated password-guessing tools are available that take into account letter frequencies, common password patterns, etc. In traditional UNIX, /etc/passwd is world-readable because it contains the user IDs and group IDs that many system programs need, and it originally also held the password hashes (hence shadow passwords).

Defenses against tracking

Do Not Track header (advisory only; trackers may ignore it). Private browsing mode. Clearing cookies and local storage. Blocking ad and tracker domains, e.g. rerouting them to localhost in the hosts file.

What is happening here?
<head>
  <style> body { display: none; } </style>
</head>
<body>
  <script>
    if (self == top) {
      var theBody = document.getElementsByTagName('body')[0];
      theBody.style.display = "block";
    } else {
      top.location = self.location;
    }
  </script>
</body>

Hide everything first, then reveal only if the page is the top window; if it is not, try to bust out. When the page loads, the style sheet hides all content. If JavaScript is disabled, the page stays blank. If the page is framed, it either stays blank or attempts to frame bust; if the frame-busting code is blocked, say by the framer hooking the unload event or using a 204 flushing attack, the page still stays blank, so the attacker has nothing to overlay. The script reveals the document's contents only when it is not running in a frame. The cost is that users with scripts disabled (e.g. NoScript) cannot use the site at all, so designers may want a fallback for that case. (source: slides)

How to mitigate clickjacking?

Frame busting is the client-side defense. The other items on this slide are attacker techniques for defeating it, not mitigations: blocking the top.location navigation by registering an onbeforeunload handler on the framing page; forbidding JavaScript in the frame (IE8's <iframe security="restricted">); and the HTML5 sandbox attribute (Chrome), which allows scripts and forms but forbids navigating the top window. Because of these, the reliable mitigation is the X-Frame-Options response header, with the hide-by-default variant of frame busting as defense in depth. (source: slides)

What is a shadow password?

The hashed password is no longer stored in the world-readable /etc/passwd. Hashed passwords are stored in /etc/shadow, which is readable only by the system administrator (root).

Why is Encryption not better than Hashing to store passwords.

Hashing is a one-way function; encryption can be reversed with the key. If an attacker gets the key along with the encrypted passwords, they recover every password at once. If the attacker only gets hashes, there is no function they can run on an arbitrary hash to get the password back, which forces them to brute force or to use a table of common passwords and their hashes.

Third-Party Cookie Blocking and how to get around it

In some browsers, third-party cookie blocking means third-party cookies cannot be set, but existing cookies CAN still be sent. So if a third-party cookie is somehow set, it can be used. Facebook sets a first-party cookie when the user visits facebook.com; in browsers other than Firefox, that cookie, once set, is available to Facebook from a third-party position (when its widgets are embedded on another page).

Other password security risks?

Keystroke loggers: hardware, or software (spyware).
Shoulder surfing.
Same password at multiple sites.
Usability: hard-to-remember passwords? carry a physical object all the time?
Denial of service: stolen wallet; an attacker tries to authenticate as you and the account is locked after three failures; "suspicious" credit-card usage.
Social engineering.

How does a Facebook like button work?

Many of these sites, primarily social networking sites, expose social widgets like the Facebook "Like" button, the Twitter "tweet" button, etc. These widgets can be included by websites to allow users logged in to these social networking sites to like, tweet, or +1 the embedding webpage. The slide shows the interaction between Facebook, a site embedding a "Like" button, and the user's browser. The requests made to facebook.com to render this button allow Facebook to track the user across sites just as Doubleclick can, though note that unlike Doubleclick, Facebook sets its tracker-owned cookie from a first-party position when the user voluntarily visits facebook.com.

Explain private browsing mode

Private browsing mode, does not primarily address the threat model of web tracking. Instead, private browsing mode aims to protect browser state from adversaries with physical access to the machine. While the clearing of cookies when exiting private browsing mode can help increase a user's privacy in the face of tracking, private browsing mode does not aim to keep a user's browsing history private from remote servers.

Explain Rainbow Tables (RT)

A rainbow table is a pre-computed table for reversing a hash function over a chosen password space. It uses a reduce function that is not an inverse of the hash: it simply maps any hash value to some password in the space, and can be very simple. Chains are built by alternating hash and reduce, and only each chain's start and end points are stored; to crack a hash, apply reduce/hash until a stored end point is recognised, then replay that chain from its start to recover the password. It is a practical example of a space/time trade-off: less computing time but more storage than brute force (which hashes every candidate on every attempt), and more computing time but less storage than a simple lookup table with one entry per hash (previous slide). Two different passwords can produce the same hash, so finding any preimage is enough; the original password is not required. Advantage: cracks passwords very quickly once the table is built. Disadvantage: storage (meh!). A per-password salt defeats the approach, since the table would have to be rebuilt for every salt.

How to make hash functions better suited to storing passwords?

Run them many times (key stretching), add a salt, or use a purpose-built password hash such as bcrypt; in short, make the hash deliberately slow.

How to slow down?

Run the password through many iterations of the hashing algorithm to arrive at the stored value. Examples: SHA512crypt, 5000 iterations (by default) of SHA-512 over the password and salt; bcrypt, which uses a 128-bit salt and a tunable cost parameter specified as a power of 2, so bcrypt with cost 12 iterates 2^12 = 4096 times; PBKDF2, e.g. 10K iterations of HMAC-like operations on the password and salt.

Explain third-party advertising

The type of tracking most commonly understood under "third-party tracking" is tracking for the purpose of targeted advertising. When a page like site1.com is rendered on the user's browser, Doubleclick's code will choose an ad to display on the page, e.g., as an image or as an iframe. This ad is hosted by doubleclick.net, not by the embedding page (site1.com). Thus, the cookie that is set as the result of this interaction (again containing a unique identifier for the user) is tracker-owned. As a result, the same unique identifier is associated with the user whenever any site embeds a Doubleclick ad, allowing Doubleclick to create a cross-site browsing profile for that user.

What is z-index

The z-index property specifies the stack order of a positioned element. An element with a greater stack order (z-index) is always in front of an element with a lower stack order. (source: slides)

Slowing down hashing

There are various approaches for breathing life back into old algorithms; key stretching, for example, where an algorithm which is too fast is "slowed" by repeating it over and over again, perhaps thousands of times. But the guidance around the likes of MD5 and SHA is clear and OWASP summarises it quite succinctly: "General hashing algorithms (eg, MD5, SHA-1/256/512) are not recommended for password storage. Instead an algorithm specifically designed for the purpose should be used."

What do attackers want?

To get the user to issue requests of interest (authenticated actions on the target site) or to send information to the attacker. (source: slides)

Explain how Google Analytics works

To track repeat visitors, the GA (Google Analytics) script sets a cookie on the user's browser that contains a unique identifier. Since the script runs in the page's own context, the resulting cookie is site-owned, not tracker-owned. The GA script transfers this identifier to google-analytics.com by making explicit requests that include custom parameters in the URL containing information like the embedding site, the user identifier (from the cookie), and system information (operating system, browser, screen resolution, geographic information, etc.). Because the identifying cookie is site-owned, identifiers set by Google Analytics across different sites are different. Thus, the user will be associated with a different pseudonym on the two sites, limiting Google Analytics's ability to create a cross-site browsing profile for that user.

Describe the 5 levels of tracking

The five categories are lettered A to E in the taxonomy the card is summarising (Roesner, Kohno and Wetherall, NSDI 2012); the card's "1, 2, *, 3, 4" are the same five. A (Analytics): the tracker serves as a third-party analytics engine for sites and can only track users within a site. B (Vanilla): the tracker uses third-party storage that it can get and set only from a third-party position to track users across sites. C (Forced): the cross-site tracker forces users to visit its domain directly (e.g. popup, redirect), placing it in a first-party position. D (Referred): the tracker relies on a B, C, or E tracker to leak unique identifiers to it, rather than on its own client-side state, to track users across sites. E (Personal): the cross-site tracker is visited by the user directly in other contexts (like Facebook).

Describe the process of hacking passwords

1. Identify the hash function used (from the format and length of the hashes, or by hashing a known password with candidate functions until one matches).
2. Hash known dictionary words and look for matches.
3. Try common variations on dictionary words (capitalisation, appended digits) to find more matches.
4. Try common combinations of letters and numbers to find more matches.
5. After cracking a batch, distil the patterns people use to build passwords.
6. Use those patterns (e.g. as masks) to generate more candidates.

Mitigating Framebusting

From the attacker's side: frame the target with IE8's <iframe security="restricted">, which disables scripts inside the frame so the busting code never runs. The framed page can still counter this by hiding its content by default and revealing it only when script confirms it is the top window, so that without script it shows nothing but a blank page.

What is clickjacking?

The user is lured to an attacker's page that overlays a transparent iframe of the target site on top of some decoy UI. The user's click lands in the invisible iframe and triggers an action on the target site, with the user's own session, without the user knowing. (source: slides)

How does clickjacking work?

The visitor is lured to the evil page. The evil page shows a decoy link and positions a transparent iframe of the target site over it with a higher z-index, lined up so that the target's button sits exactly over the decoy link. A click intended for the link actually lands on the button inside the iframe; the decoy link is never clicked. (source: slides)

Advantage of salt

Without salt, an attacker can pre-compute hashes of all dictionary words once and reuse them against every password file: the same hash function runs on all UNIX machines, and identical passwords hash to identical values, so one table of hash values serves all password files.
With salt, the attacker must compute hashes of all dictionary words for each password entry. With a 12-bit random salt, the same password can hash to 4096 different values, and the attacker must try every dictionary word for every salt value in the password file.
The salt need not be a secret. Pepper: a secret salt that is not stored in the password file.

What is ClearClick?

A NoScript-specific anti-clickjacking protection module. Whenever you click a plugin object or a framed page, it compares a screenshot of the page rendered with no transparencies and no overlaying objects to the page as you see it; if the two images differ, it raises a "ClearClick warning".

Limitations to X-Frame-Options?

It must be sent with every response (per page, so it is easy to miss one); there is no whitelist, only same-origin (ALLOW-FROM takes a single origin and is not supported by current browsers); and web proxies tend to add or strip headers.

