
more on Web Spoofing



From the Princeton paper that the Web Review article is based on.  The
paper can be viewed at:
http://www.geocities.com/CapeCanaveral/3498/spoofing.htm

Web Spoofing: An Internet Con Game
Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach

Technical Report 540-96 (revised Feb. 1997)
Department of Computer Science, Princeton University

Introduction

This paper describes an Internet security attack that could endanger the
privacy of World Wide Web users and the integrity of their data.  The
attack can be carried out on today’s systems, endangering users of the
most common Web browsers, including Netscape Navigator and Microsoft
Internet Explorer.

Web spoofing allows an attacker to create a "shadow copy" of the entire
World Wide Web.  Accesses to the shadow Web are funneled through the
attacker’s machine, allowing the attacker to monitor all of the victim’s
activities including any passwords or account numbers the victim
enters.  The attacker can also cause false or misleading data to be sent
to Web servers in the victim’s name, or to the victim in the name of any
Web server.  In short, the attacker observes and controls everything the
victim does on the Web.
We have implemented a demonstration version of this attack.

Spoofing Attacks

In a spoofing attack, the attacker creates misleading context in order
to trick the victim into making an inappropriate security-relevant
decision.  A spoofing attack is like a con game: the attacker sets up a
false but convincing world around the victim.  The victim does something
that would be appropriate if the false world were real.  Unfortunately,
activities that seem reasonable in the false world may have disastrous
effects in the real world.

Spoofing attacks are possible in the physical world as well as the
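The two paragraphs above describe the attack only at the level of "misleading context": the victim sees one thing and is actually connected to another. The following is an added, defender-side illustration written for this post; it is not code from the Princeton paper or from the Web Review article. It scans anchors in a page and flags links whose visible text names one host while the href actually points somewhere else, which is the Web-specific form of the con described here. The HTML, the hostnames (all under the reserved .test domain) and the helper names are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not from the paper).  The second and third
# anchors display one host while the href points at a different one.
SAMPLE_HTML = """
<a href="https://www.example-bank.test/login">www.example-bank.test</a>
<a href="http://shadow.example.test/account">www.example-bank.test</a>
<a href="http://shadow.example.test/login">https://www.example-bank.test/login</a>
<a href="https://www.example.test/news">Today's headlines</a>
"""

# Matches <a ... href="..."> ... </a>; good enough for the constructed input,
# a real checker would use an HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Does the visible link text look like a URL or bare hostname?  Captures the host.
HOST_RE = re.compile(
    r'^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:]|$)', re.I)


def claimed_host(text):
    """Return the hostname the visible link text appears to name, or None
    when the text is ordinary prose rather than something URL-like."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def find_mismatched_links(html):
    """Return (href, text, claimed_host, actual_host) for every anchor whose
    visible text names one host but whose href resolves to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        actual = (urlparse(href).hostname or "").lower()
        # Strip any inline tags from the anchor body before inspecting it.
        claimed = claimed_host(re.sub(r"<[^>]+>", "", text))
        if claimed and actual and claimed != actual:
            findings.append((href, text, claimed, actual))
    return findings


if __name__ == "__main__":
    for href, text, claimed, actual in find_mismatched_links(SAMPLE_HTML):
        print(f"text claims {claimed!r} but link goes to {actual!r}: {href}")
```

Run against the constructed page it reports the two deceptive anchors and stays quiet on the first (consistent) and fourth (plain prose) links. The check is deliberately narrow: it only compares what the user is shown against where the link really goes, which is exactly the gap a spoofing attack exploits.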
electronic one.  For example, there have been several incidents in which
criminals set up bogus automated-teller machines, typically in the
public areas of shopping malls.  The machines would accept ATM cards
and ask the person to enter their PIN code.  Once the machine had the
victim’s PIN, it could either eat the card or "malfunction" and return
the card.  In either case, the criminals had enough information to copy
the victim’s card and use the duplicate.  In these attacks, people were
fooled by the context they saw: the location of the machines, their size
and weight, the way they were decorated, and the appearance of their
electronic displays.....