cloak & dagger on the net
From the current Web Review, this article straddles a bunch of issues:
security, commerce, privacy, just to name a few.
Original article at:
http://www.webreview.com/97/03/21/feature/index.html
Serena
******************************************************************************
by Jonathan Steinberg
[Photo: Professor Edward Felten, Princeton Computer Science building.]
Somewhere in the halls of one of America's most respectable universities,
a group of graduate students appear to be doing something kind of
sleazy. Professor Edward Felten of Princeton University and several of
his graduate students are creating a false sense of security around a
Web user, a false World Wide Web that will trick a user into thinking he
or she is actually surfing the Web. At some site within this parallel
universe, they will ask for confidential information, like a credit card
number. And when the user submits it -- they'll snatch it up.
It's called a spoofing attack, and it's the latest security hole in the
Internet that Felten and his Secure Internet Programming (SIP) group in
Princeton's computer science department have sought to expose, with the
higher purpose of making executable content on the Web secure.
When Felten and his team began pointing out security flaws in Java code
and Web browsers last year, he feared that the companies who make these
programs would hate him. Most of these flaws would allow a malicious
hacker to gain access to files on a Web user's computer, to alter or
delete them, or to send a virus -- and that wouldn't make the software
vendor look good. But to Felten's surprise, the opposite has happened:
the developers have embraced him and now help fund his venture.
Web Spoofing
SIP was born during a late-night discussion in November 1995 when grad
students Dan Wallach and Drew Dean were talking about the potential
security pitfalls that executables like Java pose to the Web. They
brought the idea to Felten, and together they formed the Secure Internet
Programming group, with the goal of finding and exposing these flaws.
Felten and Professor Andrew Appel advise the team, which includes
Wallach, Dean, and grad students Dirk Balfanz and George Chesakov.
Related Web Review articles:
- "No Guarantees: It's a dangerous universe and getting more so all the
  time" (Web Review, Bleeding Edge, April 12, 1996)
- "Java Flaw Opens Door to Hackers"
- "Java Bug Could Let Hackers Target New Host"
- Download the Princeton team's paper on Web Spoofing
Each team member is free to pursue projects of individual interest, or
work together as a team on larger projects, like the group's most recent
work on spoofing. To accomplish the spoofing, an attacker lures a user to
a connection with his or her server. When the user clicks to move on to
another page, the attacker's server actually fetches the page, changes
all the links in it to keep the user on the attacker's server, and
serves it to the user. The attacker can camouflage this with some
JavaScript that delivers the original URL of the fetched page to the
user's browser's location bar. The user is an unwitting prisoner, and
any sensitive data he or she sends -- even over a secure connection --
reaches the attacker's server.
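The link rewriting described above leaves a mark a defender can look for: a page served through a spoofing proxy has every link routed back to the proxy with the original URL carried inside it. The following checker is an added example, not code from the article or from the Princeton group; it assumes the proxy keeps the original URL visible in the rewritten link (as a path or query component), and the hostnames spoof.example / bank.example and the sample HTML are constructed.

```python
"""Added example, not code from the article or the Princeton SIP group.
A spoofing proxy serves a fetched page with every link rewritten to point
back at the proxy with the real URL embedded.  This defender-side check
flags such links.  Hosts and sample HTML below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)  # a URL inside a URL

class _LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        # Gather every href, src and form action on the page.
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def page_links(html):
    collector = _LinkCollector()
    collector.feed(html)
    return collector.links

def rewritten_links(page_url, html):
    """Return (link, embedded_url) pairs for links that stay on the page's
    own host yet carry a complete URL for some other site inside them."""
    page_host = urlparse(page_url).netloc.lower()
    found = []
    for link in page_links(html):
        parsed = urlparse(link)
        host = parsed.netloc.lower() or page_host  # relative link: same host
        inner = EMBEDDED_URL.search(parsed.path) or EMBEDDED_URL.search(parsed.query)
        if host == page_host and inner:
            inner_host = urlparse(inner.group(0)).netloc.lower()
            if inner_host and inner_host != page_host:
                found.append((link, inner.group(0)))
    return found

def looks_spoofed(page_url, html, threshold=0.5):
    """True when at least `threshold` of the page's links are rewritten."""
    total = len(page_links(html))
    return total > 0 and len(rewritten_links(page_url, html)) / total >= threshold

# Constructed samples: a login page as a rewriting proxy would serve it,
# and the same page as the real site serves it.
SAMPLE_SPOOFED = ('<a href="http://spoof.example/http://bank.example/login">Log in</a>'
                  '<form action="/http://bank.example/submit"></form>'
                  '<img src="http://spoof.example/img/logo.gif">')
SAMPLE_CLEAN = '<a href="/login">Log in</a><a href="http://bank.example/help">Help</a>'
```

A proxy that encodes or otherwise hides the embedded URL defeats this pattern match, so treat it as a heuristic that complements checking the certificate and location bar, not as a guarantee.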
Needless to say, Felten keeps Java and JavaScript turned off on his
browser "unless there's a fun game or something I wanna play." Every Web
user is at some risk from malicious applets, but Felten more than most:
What hacker wouldn't love to crash his machine?
Corporate Connections
SIP doesn't produce any new end-products. It finds problems and reports
them to companies and the press. Its resources don't allow it to develop
new software and compete with Sun and Microsoft. And while they release
the results of their research, they don't go so far as to release the
code that would make these security flaws easy to exploit (as a true
cracker might).
Felten describes his team's work as "basic research," but it seems
highly applied. One of its strengths has been its quick response to
investigating new Internet applications, with no other mandate (like
development) to get in the way of that mission.
Much of the support for that mission comes from the companies who may
have initially been embarrassed by its revelations, but who ultimately
benefit from this inexpensive R&D. SIP's $200,000 annual budget includes
contributions from Bellcore, JavaSoft (a division of Sun Microsystems),
and Microsoft. (While Netscape doesn't fund SIP, founder and chairman
Jim Clark made a pilgrimage to the group last fall.)
While helping private corporations improve their software may raise a
few academic eyebrows, Felten believes the group has an important voice
in making the Web a safer place, with or without corporate support.
Although he has considered starting a private company, he says he enjoys
academic life, teaching, and interacting with the professors and
students that surround him. He recently led a seminar that developed a
secure, Web-based voting system for student government elections at
Princeton, and serves as the coordinator for all the independent work of
undergraduate juniors. Before the Internet, he was primarily interested
in parallel computing, and he continues to research and teach in that
field.
What's Next?
The team is just beginning to look at push media like Pointcast and
Marimba, which Felten feels are quite similar to browsers. "There's a
mix of push and pull in all these things," he says, adding that a push
server's ability to automatically update the receiver's application to
send programs to a user's computer is worth serious investigation. The
group's broad charter -- all mechanisms for transporting information
over the Internet -- is also leading it to look at the most popular
browser plug-ins.
Despite all he's learned, Felten sees commerce as more or less safe on
the Internet, and he has no qualms about using his credit card to buy
airline tickets over the Net. "There are all kinds of things your
computer can do to cost you money," he explains, "but having your credit
card number intercepted during a transaction is not one of the more
frightening ones."