B Premium,MVM join:2000-10-28
reply to eburger68 Re: Anatomy of a Drive-by-Install
The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install?
They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to avoid the infections...?
-- B -- In a realm outside causality and function
  metrodust Hey Thats Mine
join:1999-12-10 Seattle, WA
said by B: The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install? They show what the users SEE under each browser, but don't seem to discuss what the user would do or click next, or what he or she could do at that point to avoid the infections...? -- B
the simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it.
-- When you are leaving.. heaven is a distance not a place. --Carissas Weird
 eburger68 Premium,MVM join:2001-04-28
metrodust:
said by metrodust: the simple answer to avoid infection would be to not click OK on the box that has the big yellow signs and the words INVALID and NOT TRUSTED all over it.
It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
The fact that the user has not elected to trust the CA has NOTHING to do with the trustworthiness of the Java applet itself. IST could have just as easily used a cert from Thawte/Verisign, which would be trusted by default through the user's browser.
In fact, we see this all the time with ActiveX controls installed by spyware/adware through Internet Explorer, almost all of which are signed with certs issued by Thawte/Verisign. The fact that the ActiveX control has been signed with a cert issued by a trusted CA says absolutely *nothing* about the trustworthiness of the ActiveX control itself, because Thawte/Verisign will issue certs to just about anyone under any name. See Ben Edelman's recent discussion of this problem for more information:
www.benedelman.org/news/020305-1.html
And what if IST were to get a new signing cert from Thawte/Verisign? Would you then advise users that the app was "trustworthy"?
Of course not, because the real problem lies elsewhere. The real problem with Java applet Warning box is that it provides no useful information whatsoever to the user. None. Most users aren't going to be familiar with "Integrated Search Technologies," which sounds like an innocuous enough company. Still worse, there's not even a link, such as the much maligned ActiveX Security Warning box provides, for the user to get more information or read the EULA associated with the program.
And given that users will encounter these Java applet Warning boxes (or similar looking ones) frequently in their surfing around the Net, it's a serious problem that they don't have any useful method for distinguishing between trustworthy and non-trustworthy Java applets. The same holds true for ActiveX controls, though at least users can get to a EULA of some sort and Microsoft has implemented some changes in XP SP2 to take those Security Warning boxes out of users' faces.
It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits. Always has been. In fact, those kinds of exploit-based installations really only took off in the last year or so. Since the beginning in 2000, the spyware/adware problem has largely been the depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.
Eric L. Howes
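As an added illustration of the point made in this post (not code from the thread or from any browser vendor): a small Python model that separates what the warning box actually checks (CA trust and expiry) from whether the publisher should be allowed to install anything. The publisher names, dates, the local allowlist and the "re-signed by Thawte" case are constructed sample data built from the hypothetical in the post, not real certificate records.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data modelling the thread's scenarios; not real certificate records.
TODAY = date(2005, 3, 15)  # assumed reference date for the expiry check
TRUSTED_PUBLISHERS = {"Example Known Vendor"}  # hypothetical local allowlist


@dataclass(frozen=True)
class SignedCode:
    """The handful of fields a browser's signed-code warning box actually keys on."""
    publisher: str      # subject name in the signing certificate
    issuer_ca: str      # CA that issued it
    not_after: date     # certificate expiry
    ca_trusted: bool    # is the issuer in the user's trust store?


def chain_problems(code: SignedCode, today: date = TODAY) -> list:
    """What the Java/ActiveX warning box reports: chain trust and expiry, nothing more."""
    problems = []
    if not code.ca_trusted:
        problems.append("issuer not trusted")
    if code.not_after < today:
        problems.append("certificate expired")
    return problems


def install_decision(code: SignedCode, today: date = TODAY) -> str:
    """Layered policy: a clean chain is necessary, but only a known publisher is sufficient."""
    if chain_problems(code, today):
        return "block"
    if code.publisher in TRUSTED_PUBLISHERS:
        return "allow"
    return "prompt"  # unknown publisher: needs informed consent (who, what, why, EULA)


# Scenario 1: the applet as described in the thread (expired cert, CA not in the trust store).
IST_AS_SEEN = SignedCode("Integrated Search Technologies", "UnknownCA", date(2004, 12, 31), False)
# Scenario 2: the post's hypothetical: the same publisher re-signed by a default-trusted CA.
IST_RESIGNED = SignedCode("Integrated Search Technologies", "Thawte", date(2006, 1, 1), True)
# Scenario 3: a publisher the user has deliberately chosen to trust (constructed name).
KNOWN_VENDOR = SignedCode("Example Known Vendor", "Thawte", date(2006, 1, 1), True)

if __name__ == "__main__":
    for sample in (IST_AS_SEEN, IST_RESIGNED, KNOWN_VENDOR):
        print(sample.publisher, chain_problems(sample), install_decision(sample))
```

Scenario 2 is the case the post is about: the warning box goes quiet once a default-trusted CA signs the code, so a policy that keys only on the chain would wave it through, while the layered policy still withholds automatic approval from an unknown publisher.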
  redxii too big to fail Premium,Mod join:2001-02-26 Texas
said by eburger68: It is a myth that the spyware/adware problem has been driven primarily by installations through security exploits .... depressing story of users getting bamboozled by adware vendors into "consenting" to the installation of unwanted software through a combination of trickery, poor information, and still poorer installation processes.
I posted this in an earlier thread, about ActiveX and IST: Re: 180Solutions Buying Legitimacy? .. Don't know if you've seen it yet. I believe it supports your claim that it is a myth.
That is the Internet Explorer equivalent of the Java/Mozilla exploit. What I posted is found on exactly the same pages where the Java/Mozilla exploits are, only when viewed in IE.
Also, I should mention the click_run_to_remove_virus.exe was unable to execute under a limited account.
-- Asus A7N8X-X, Athlon XP 2400+ @ 2.0GHz, 1024MB DDR RAM (@ PC2100), GeForce FX 5600Ultra 128MB, Samsung SD-616T 16x DVD-ROM and Sony CRX215E1 48x24x48 CD-RW, 40GB & 120GB HDD. Y I Hate L-i-n-u-x
  metrodust Hey Thats Mine
join:1999-12-10 Seattle, WA
reply to eburger68
the bottom line is still lack of education on the end-user's part.
 xblock
join:2004-12-16 Willoughby, OH
reply to B
B.
"The Porter/Hertens article seems to omit a rather important little detail -- what does the user have to do, if anything, in order to allow the spyware to install?"
In the case of IE SP1 they have to do nothing. Just hit the web page which appears blank. I posed this question to my son (a 7 year old) and asked him what happened when he hit the web page on the IE SP1 page. He said "nothing happens Dad". Obviously if you look at the packet log a lot of things happen.
In the case of IE SP2, the user will see an elaborate movie explaining how to accept the installation. But there is no reference to what is being installed, why it is being installed, or from where it is being installed. The only information they receive from the little movie, aside from install instructions, is a large sign that says THEY MUST INSTALL it.
In Firefox the user is presented with a Java prompt which asks them to install, but the key factor here is again no EULA is presented.
Much more analysis is planned on that piece- we worked on it over the weekend to get some dialogue started. It was like digging into a hole and finding a pool of water, the further we swam into the water the more stuff we found until we realized it wasn't water we were wading through but more like a high-stream sewer. So we took one aspect of the problem and focused on it. There are a myriad of things that can be studied and learned from that page.
The idea for this piece was taken from watching how my son (an eight year old) interacted with a web page and a discussion with my wife (a teacher) about how kids interact with web pages in her lab.
So naturally prevention is important, if not the cornerstone of the problem, but we wanted to focus on what the user sees versus what is actually happening and how the entire installation is mixed up with inadequate disclosure, confusing prompts, and no real attempt to tell the user what is going to happen.
regards, Wayne
 johnpro
join:2005-03-11 Brisbane Oz
reply to eburger68
said by eburger68: It's purely a convenient coincidence that Integrated Search Technologies happens to be using an expired certificate from a CA not yet "trusted" by users (most of whom won't understand what it would take to "trust" a CA/issuer in the first place).
*************
I have never trusted "trust us certification" for a number of reasons.
Trust is built up over time. Anyone can claim they are trustworthy.
Look at Truste certification for example. This company certifies that giants such as Microsoft and Intel are trustworthy. I happen to agree with them.
However they also certify that dubiates such as idownload and Lycos are also trustworthy.
As one scribe recently wrote ...can Truste be trusted!
My emails to truste were just ignored when I asked them to clarify their position of certification on many of the bad guys in the industry.
Verisign et al also have difficulties. Most players do not know the significance of these certificates anyway.
jp