
ShapeShifter: Beatable, But We'll Hear More About It

Soulskill posted about 8 months ago | from the unknown-sample dept.

Security 102

Slashdot contributor Bennett Haselton writes: "A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user's browser. Most programmers will immediately spot several ways that the system can be defeated, but it may still slow attackers down or divert them towards other targets." Read on for the rest of Bennett's thoughts.

When a ShapeShifter appliance is installed in a datacenter alongside a web server, it takes the website's content and rewrites it before sending it to the user's browser, using techniques to obfuscate the contents such as changing the names of various form fields, or perhaps using obfuscated JavaScript to generate the page contents. (Many Slashdotters will understand these terms, but if you're not sure what I mean by "changing form fields" or "obfuscated JavaScript," it's a bit too technical to explain within this article. Suffice to say that obfuscated JavaScript is itself not a new idea; you can see a demonstration here, which takes simple JavaScript code and rewrites it in such a way that it's much harder to scan automatically, but the code still does the same thing.) The idea is that by obscuring the webpage contents, ShapeShifter makes it harder for bots and malware to conduct automated attacks against the website, since the bots now have to be smart enough to parse the obfuscated JavaScript or decipher the renamed form fields.
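The renaming step, together with the reverse mapping the appliance has to keep so that submissions still arrive at the web application under their original field names, can be sketched in a few dozen lines. The Python below is an added example, not code from Shape Security or from this article. It assumes a hidden per-response token (a hypothetical field named `__sv`) to key the mapping, since the page does not say how the real product tracks state, and the login form it rewrites is a constructed sample.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed sample page (not from the article or from Shape Security).
LOGIN_PAGE = """<form method="post" action="/login">
  <label for="username">Username</label>
  <input type="text" id="username" name="username">
  <label for="password">Password</label>
  <input type="password" id="password" name="password">
  <input type="submit" name="login" value="Log in">
</form>"""

NAME_ATTR = re.compile(r'name="([^"]+)"')
TOKEN_FIELD = "__sv"  # hypothetical hidden field carrying the per-response token
TOKEN_VALUE = re.compile(r'name="%s" value="([0-9a-f]+)"' % TOKEN_FIELD)


class PolymorphicRewriter:
    """Toy stand-in for an appliance that renames form fields on every
    response and restores the original names on submission.

    The map is keyed on a random per-response token rather than on the
    client IP, so clients behind one NAT address cannot collide, and each
    token is accepted once, so a captured form cannot be replayed later.
    Both choices are assumptions for this example; the page does not say
    how the real product tracks state."""

    def __init__(self):
        self._maps = {}  # token -> {obfuscated name: original name}

    def rewrite(self, html):
        token = secrets.token_hex(8)
        reverse = {}

        def rename(match):
            original = match.group(1)
            obfuscated = "f" + secrets.token_hex(6)  # fresh name on every response
            reverse[obfuscated] = original
            return 'name="%s"' % obfuscated

        # Toy: rewrites every name="..." attribute in the document. A real
        # rewriter would work on the parsed DOM and touch only form controls.
        rewritten = NAME_ATTR.sub(rename, html)
        hidden = '<input type="hidden" name="%s" value="%s">\n' % (TOKEN_FIELD, token)
        rewritten = rewritten.replace("</form>", hidden + "</form>")
        self._maps[token] = reverse
        return rewritten

    def restore(self, body):
        """Map a submitted x-www-form-urlencoded body back to the original names."""
        fields = {k: v[0] for k, v in parse_qs(body).items()}
        token = fields.pop(TOKEN_FIELD, None)
        reverse = self._maps.pop(token, None)  # single use
        if reverse is None:
            raise ValueError("unknown or already-used form token")
        return {reverse.get(k, k): v for k, v in fields.items()}


def browser_submit(rewritten_page, username, password):
    """Simulate the browser: the human types into the two visible fields
    (document order), the hidden token rides along, and a POST body results."""
    names = NAME_ATTR.findall(rewritten_page)  # username, password, submit, token
    token = TOKEN_VALUE.search(rewritten_page).group(1)
    return urlencode({names[0]: username, names[1]: password, TOKEN_FIELD: token})


if __name__ == "__main__":
    box = PolymorphicRewriter()
    page = box.rewrite(LOGIN_PAGE)
    print(page)
    body = browser_submit(page, "alice", "hunter2")
    print(box.restore(body))  # {'username': 'alice', 'password': 'hunter2'}
```

Note what the rewriter leaves alone: the `id` and `for` attributes and the label text have to survive so the page still renders the same for a human, and that is exactly the structure an automated client can key on instead of the field name.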

The idea has attracted glowing reviews from tech writers, including some who say they can "barely stay awake for a lot of startup pitches" but who were evidently enthralled by this one. My first reaction was that it's not hard to think of ways that this system can be defeated, and some readers will have thought of some ways to attack it even before finishing the previous paragraph. However, the attacks will perhaps require some malware and bot writers to rewrite their malicious programs to target websites in new ways. It remains to be seen how long that will take, and whether Shape will have a countermove after bots evolve to defeat their systems.

If you watch the video on Shape Security's website and pay close attention to their claims, note that they never actually say that ShapeShifter can stop malware from stealing a user's credentials — perhaps a deliberate omission for honesty's sake, since their technology, as they've described it, cannot prevent that. If your machine is infected with malware, and you're filling out a form on a website, the malware can eavesdrop at the level of the user interface to watch what you're typing into a form -- and if you fill out a form which contains a password field, or which contains a string of numbers that pass the credit card number checksum, the malware can capture the entire form contents and silently transmit it back to the attacker. No amount of obfuscation and shapeshifting in the HTML can stop the malware from capturing your password at the user interface level.
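The checksum referred to above is the Luhn check that payment card numbers carry. As an added illustration (not code from the article or from any vendor), here is a Python sketch of what a UI-level form sniffer keeps from a submission: it sees only each input's type and the value the user typed, so renamed or obfuscated field names never enter into it. The captured entries are constructed sample data, and 4111 1111 1111 1111 is the standard test card number.

```python
import re

SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits):
    """Luhn checksum: from the right, double every second digit, subtract 9
    from any double above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value):
    """Card PANs are 13 to 19 digits, possibly typed with spaces or dashes."""
    digits = SEPARATORS.sub("", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def harvest(captured):
    """What a UI-level sniffer keeps from one submitted form.

    `captured` is a list of (input_type, typed_value) pairs in the order the
    user filled them in, which is what a hook on the browser's form or
    keyboard layer sees. Field names are deliberately absent: the malware
    never needs them, so renaming them on the wire changes nothing here."""
    kept = []
    for input_type, value in captured:
        if input_type == "password":
            kept.append(("password", value))
        elif looks_like_card(value):
            kept.append(("card", value))
    return kept


# Constructed sample capture; the card number is a standard test PAN.
SAMPLE_CAPTURE = [
    ("text", "alice"),
    ("password", "hunter2"),
    ("text", "4111 1111 1111 1111"),
    ("tel", "206-555-0100"),    # too short to be a PAN
    ("text", "1234567890123"),  # 13 digits, but fails the checksum
]

if __name__ == "__main__":
    print(harvest(SAMPLE_CAPTURE))
```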

Now consider, instead, two of the claims actually made in the ShapeShifter video:

"Financial sites face man-in-the-browser attacks. This kind of bot waits for a legitimate user to authenticate, and then manipulates financial transactions. By disrupting the scripts that Man-in-the-Browser bots rely on, the ShapeShifter allows banks to safely serve their customers, even when their customers are infected with malware."

and

"On e-commerce sites, account takeover has evolved into a serious source of losses. 60% of users use the same password across multiple sites. When user credentials on one site are compromised, attackers program bots to test user credentials on other sites. The ShapeShifter prevents bots from testing stolen credentials on your website."

What both of these claims are essentially saying is that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials, or from testing those credentials on other sites. However, I would argue that once your credentials have been stolen successfully, 90% of the damage has been done. ShapeShifter can't do anything to stop a human from testing your stolen credentials manually, and if the attacker has already infected your machine, they can use your machine as a proxy when testing out your credentials, so that the target website doesn't even notice a login from an unusual IP address.

And is it even true that ShapeShifter can stop bots from automating an attack against a target website? Even if a website relayed through ShapeShifter has its HTML obfuscated with JavaScript and re-named form fields, it's still easy to write scripts that automate the act of launching a web browser and filling content into those form fields — such as entering a username and password into two fields, and submitting them to see if the website accepts the login. I'm not sure (it's been a long time since I've written browser automation code, using frameworks like Selenium), but I think you can even automate the interaction "silently," without actually opening up a visible browser window. Which, of course, means you can do it on a user's machine that has been conscripted into a botnet, without the user knowing what's going on.
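Concretely, the bot does not need the field names at all. The Python below is an added example (not the article's code, and not any vendor's) of how a script, or the page-handling layer of a headless browser, can locate the username and password inputs on a rewritten page from the `type` attribute, the visible `<label>` text and document order, and build a submission from that. The two sample pages are constructed to resemble the output of a field-renaming rewriter; the random-looking names in them are made up.

```python
import re
from html.parser import HTMLParser

USERNAME_HINT = re.compile(r"user|e-?mail|login|account", re.I)
TEXT_TYPES = {None, "text", "email"}


class FormScanner(HTMLParser):
    """Collect <input> attributes in document order, plus the visible text of
    every <label for=...>, keyed by the id it points at."""

    def __init__(self):
        super().__init__()
        self.inputs = []
        self.labels = {}
        self._label_for = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input":
            self.inputs.append(attrs)
        elif tag == "label":
            self._label_for = attrs.get("for")
            if self._label_for:
                self.labels.setdefault(self._label_for, "")

    def handle_endtag(self, tag):
        if tag == "label":
            self._label_for = None

    def handle_data(self, data):
        if self._label_for:
            self.labels[self._label_for] += data.strip()


def resolve_login_fields(html):
    """Return {'username': name, 'password': name} using only the structure a
    page must keep for humans: the password input type, label text and field
    order. Returns None when no usable password field exists."""
    scanner = FormScanner()
    scanner.feed(html)
    inputs = scanner.inputs
    pwd_index = next((i for i, f in enumerate(inputs) if f.get("type") == "password"), None)
    if pwd_index is None or "name" not in inputs[pwd_index]:
        return None
    user = None
    # First choice: a text-like input whose label reads like a username prompt.
    for field in inputs:
        label = scanner.labels.get(field.get("id"), "")
        if field.get("type") in TEXT_TYPES and USERNAME_HINT.search(label):
            user = field
            break
    # Fallback when labels are missing: the last text-like input before the password.
    if user is None:
        earlier = [f for f in inputs[:pwd_index] if f.get("type") in TEXT_TYPES]
        user = earlier[-1] if earlier else None
    if user is None or "name" not in user:
        return None
    return {"username": user["name"], "password": inputs[pwd_index]["name"]}


def build_submission(html, username, password):
    """Form body a bot would POST: every hidden field echoed back unchanged
    (tokens included), plus the credentials in the resolved slots."""
    slots = resolve_login_fields(html)
    if slots is None:
        return None
    scanner = FormScanner()
    scanner.feed(html)
    body = {f["name"]: f.get("value", "") for f in scanner.inputs
            if f.get("type") == "hidden" and "name" in f}
    body[slots["username"]] = username
    body[slots["password"]] = password
    return body


# Constructed pages imitating a renaming rewriter's output; the names are made up.
PAGE_WITH_LABELS = """<form method="post" action="/login">
<label for="i7c1">Email address</label>
<input type="email" id="i7c1" name="fa94c2e11b0d">
<label for="i2f8">Password</label>
<input type="password" id="i2f8" name="f0be77a3c5d2">
<input type="hidden" name="f6d2a9" value="c7e1">
<input type="submit" name="f3b1" value="Sign in">
</form>"""

PAGE_WITHOUT_LABELS = """<form method="post" action="/login">
<input type="text" name="f11aa" placeholder="Search">
Username <input type="text" name="f22bb">
Password <input type="password" name="f33cc">
<input type="submit" name="f44dd" value="Sign in">
</form>"""

if __name__ == "__main__":
    print(build_submission(PAGE_WITH_LABELS, "alice", "hunter2"))
    print(resolve_login_fields(PAGE_WITHOUT_LABELS))
```

The heuristics are crude on purpose: a rewriter that also strips labels and shuffles decoy text inputs forces the bot down to rendered positions or screenshots, which is more work but is exactly the kind of work a headless browser already does for the attacker.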

Now, automating interaction with a website through the browser may be harder than writing a script to interact with the website at the network level. But as long as someone figures out a way to do it, they can sell the method and the toolkit to others. (The credit card security breach at Target was carried out using software that a 17-year-old wrote and sold off-the-shelf on the black market.)

What about straight denial-of-service attacks, where an attacker doesn't care about breaking into a website or stealing data, but simply wants to take it offline by flooding it with traffic? Could ShapeShifter protect against those types of attacks? It depends on the type of attack. If you're trying to take down a website simply by sending an overwhelming number of requests for the website's front page, and nothing else, then ShapeShifter wouldn't be able to mitigate this attack, since every incoming front-page request still has to be passed through to the web server being protected, and if that's too much for the web server to handle, it will still go down. On the other hand, some denial-of-service attacks use more sophisticated tricks, like running a search query on the target website — knowing that handling a search query requires a lot more processing power than simply serving up the site's front page, so it would take a smaller number of requests to effectively tie up the webserver. If ShapeShifter can effectively stop bots from logging in to a website, running search queries, or performing other actions that are resource-intensive, then that type of denial-of-service attack could be stopped or slowed down.

So, at least based on the product description from the company itself, can ShapeShifter stop malware from stealing your users' logins on your site? Definitely not. Can ShapeShifter stop a botnet from conducting automated attacks against your user interface? For some types of botnets, maybe, but probably not in the long run. Will ShapeShifter be able to evolve a defense against bots that use browser automation? It's hard to see what they could possibly do in response. One of the company founders says, "We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," but without knowing what those countermoves are, we only have their word to go on.

But in spite of my misgivings, I wouldn't predict on that basis that the product won't sell a lot of units. Some companies may buy the box without realizing that it does nothing to prevent their users' credentials from being compromised by malware, and that it provides only limited protection against automated attacks. Some companies may realize the limitations of the protection, but decide to buy it anyway because it looks good to their investors or their cybersecurity insurance underwriters. In such situations, even just the appearance of proactivity can be worth a million dollars a year.


102 comments


What Could Go Wrong? (0)

Anonymous Coward | about 8 months ago | (#46038063)

How about using this type of technology to remove parts of sites they don't like? or perhaps inserting ads or tracking code or anything else you can imagine.

It's a matter of when, not if, these devices will be hacked and then the people on the wrong side of them will get targeted attacks just for them. Special! (not so much)

Re:What Could Go Wrong? (2)

leuk_he (194174) | about 8 months ago | (#46038255)

Instead of one target to attack (the target website), there are now 2 targets to attack: the shapeshifter obfuscation box and the target website.

Re:What Could Go Wrong? (2)

Em Adespoton (792954) | about 8 months ago | (#46039113)

Instead of one target to attack (the target website), there are now 2 targets to attack: the shapeshifter obfuscation box and the target website.

Indeed -- and if you target the web server and not shapeshifter, then you get free malware obfuscation that will likely bypass many malware scanners. Nothing like getting the local server to do the malware author's job for them -- I see these setups as being very desirable infection targets, as nobody will be sure whether the malicious code appended to the data stream is intentional or not.

Re:What Could Go Wrong? (1)

Big Hairy Ian (1155547) | about 8 months ago | (#46044165)

Yep much easier just to write a really shite ASP site like the UK Goobermint does :)

Re:What Could Go Wrong? (1)

eis2718bob (659933) | about 8 months ago | (#46038747)

Anyone remember from Gödel, Escher, Bach:
"I cannot be played on record player X"

Who will win, Tortoise or the Crab?

Re:What Could Go Wrong? (0)

Anonymous Coward | about 8 months ago | (#46038853)

Who will win, Tortoise or the Crab?

Never bet against Sponge Bob.

Re:What Could Go Wrong? (1)

maxwell demon (590494) | about 8 months ago | (#46039395)

That indeed was the first thing which came to my mind when reading the summary.

In other words ... (4, Insightful)

gstoddart (321705) | about 8 months ago | (#46038083)

What both of these claims are essentially saying that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials

We don't actually provide any extra security, you'll still get ripped off, but we'll see if we can't momentarily confuse the malware with the classic "Hey, look over there" trick.

But, in the meantime, we'll mangle your web pages so we can convince you something is actually happening.

This sounds less than useful on first skimming. In fact, it sounds like an obfuscated snake-oil salesman.

Google already bought "that" company (1)

Dharkfiber (555328) | about 8 months ago | (#46040647)

It was called Greenborder and it was in the early 2ks: http://googlesystem.blogspot.c... [blogspot.com]

Re:In other words ... (1)

rioki (1328185) | about 8 months ago | (#46043661)

They basically lost the sale to me at the 18th word: polymorphism. Do these marketing schmucks even know what that word means? If I built an automated malware filtering technology I would use a whole other set of technobabble, like "advanced pattern recognition", "dynamic filtering", "machine learning" and maybe even "neural network". They not only fail to build a product that actually does something for their users, but also fail to properly sell it to anybody remotely technical.

Re:In other words ... (1, Insightful)

bennetthaselton (1016233) | about 8 months ago | (#46044279)

I don't think the system will work, but I thought they appeared to be using "polymorphism" correctly (rewriting code so that it's harder for a dumb bot to parse it, but so that it does the same thing as the original code when it's executed).

Attn: Bennett Haselton (5, Insightful)

kruach aum (1934852) | about 8 months ago | (#46038095)

I don't know what kind of system of blackmail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.

Re:Attn: Bennett Haselton (-1)

Anonymous Coward | about 8 months ago | (#46038303)

Slashdot needs an opinion columnist in order to pretend that it's an actual news source, and Ben provides that at the right price (free) with fewer spelling errors, on average, than the actual news "editors" create.

I mean, the writing is crap, but that's true of the news summaries, too.

Re:Attn: Bennett Haselton (-1)

bennetthaselton (1016233) | about 8 months ago | (#46038425)

Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?

Re:Attn: Bennett Haselton (3, Interesting)

rudy_wayne (414635) | about 8 months ago | (#46038481)

Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?

Yes

(a) ShapeShifter is digital snake oil

(b) Yes. as has already been proven by his writing in the past.

Re:Attn: Bennett Haselton (-1, Redundant)

bennetthaselton (1016233) | about 8 months ago | (#46038625)

Do you have an *argument* that the analysis in the post is incorrect? A grammatically correct sentence is not an argument. Be substantive, not articulate. Think MIT, not Harvard.

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46038701)

Here's another sentence: I don't care.

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46038705)

Do you have an *argument* to prove that your disproportionate coverage on Slashdot is not unethical in some way? Be substantive, not articulate.

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46038919)

You want to write a blog? Go set up your own site. I see that shlashwhore.org is available.

Re:Attn: Bennett Haselton (4, Informative)

OzPeter (195038) | about 8 months ago | (#46038723)

Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?

Irrelevant to the OPs assertion that if you want to write a blog do it elsewhere.

I agree with OP that this style of "submission" is not what /. is about and making me read all this in order to get to the comments is bullshit.

Re:Attn: Bennett Haselton (0, Offtopic)

bennetthaselton (1016233) | about 8 months ago | (#46039287)

If you're not interested in the article, why on earth were you interested in the comments?

Anyway, there's only one coherent argument for doing or not doing something, and that's whether the positives outweigh the negatives. That also applies to posting articles which are different from most Slashdot articles. If you have an argument that the negatives outweigh the positives, fine. But saying "Slashdot is not your blog" is not an argument.
Again, be substantive, not articulate. Think MIT, not Harvard.

Re:Attn: Bennett Haselton (2)

OzPeter (195038) | about 8 months ago | (#46039351)

saying "Slashdot is not your blog" is not an argument.

Yes it is

Re:Attn: Bennett Haselton (3, Informative)

Hognoxious (631665) | about 8 months ago | (#46039833)

If you're not interested in the article, why on earth were you interested in the comments?

Because they're not written by you?

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46038787)

Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?

Better Hearsay, or whatever this incapable author's name really is, appears to be astroturfing for a "just trust us" product that creates as many potential security issues as it *claims to prevent.

*claims: just because some zero credibility, know-nothing hack of a blogger makes a statement about a product they were clearly compensated for reviewing doesn't make the statement true or accurate. It just makes it something else some wannabe posted on the internet.

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46040275)

It's not astroturfing when he ends it with: "But it seems pretty useless in every case it is trying to sell it to you"

Re:Attn: Bennett Haselton (1)

Hognoxious (631665) | about 8 months ago | (#46051391)

It is, because nobody has the willpower to read that far.

Re:Attn: Bennett Haselton (1)

weilawei (897823) | about 8 months ago | (#46040315)

Screw your post. I don't care WHAT it says. Use Slashdot like the rest of us, not like your personal blog. Post it to your journal if you desire to use Slashdot as hosting, then LINK to your goddamn "article". I'm SURE they'll happily post it, but goddamn, stop posting this garbage in the summaries.

Re:Attn: Bennett Haselton (1)

bennetthaselton (1016233) | about 8 months ago | (#46040511)

The only argument for doing anything is that the positives outweigh the negatives. On that basis, you haven't provided any reason to write the content somewhere else and then link to it, instead of posting it on Slashdot.

Re:Attn: Bennett Haselton (1)

weilawei (897823) | about 8 months ago | (#46041055)

Did I not just say to use your journal, which IS posting it to Slashdot? Did I not just say to link to it, which is ALSO posting on Slashdot? I didn't say not to post anymore. I said something to the effect of "do it the same way as the rest of us." You need to work on your reading comprehension.

Re:Attn: Bennett Haselton (1)

bennetthaselton (1016233) | about 8 months ago | (#46044295)

Oh, when you said "post it to your journal", I thought you meant, post it on a journal hosted on some third-party site.

But the point still stands: you haven't given any kind of reason why it would be better to post it on a Slashdot journal and link to it, instead of running it the way it's running now. Surely it's not hard for anyone to read the one-paragraph summary and then decide whether they want to click through to the rest of the article. So what's the problem?

Re:Attn: Bennett Haselton (1)

Aighearach (97333) | about 8 months ago | (#46038577)

... stop it before it gets to the children!!!

Re:Attn: Bennett Haselton (0)

Anonymous Coward | about 8 months ago | (#46038707)

stop shitting up /.

To be fair, shitting where many, many others have already shit is the way nature works.

Re:Attn: Bennett Haselton (1)

bluefoxlucid (723572) | about 8 months ago | (#46038771)

This is actually rather interesting, and is better than soliciting a "Look at this cool link I found!" from the user. I agree with the post--this is basically a giant ass-dance of "We make it move around more so it's harder to hit! That's security!" (that's an arms race, which we live in already; and it's an automated one that we already have software to mitigate--the fucking web browser). He's provided me a source to point and say, "This smart fellow understands and says the same thing I am," since I would look at this shit and go "uh no" and non-savvy management would go "but it says security!"

He misses things like the technology completely fucking up any kind of caching you want to do, or neutering itself to not do that. Also the "changing form field names" thing... it better change them back on the way back in (and how does it track that i.e. from shared IP addresses? Cookies?), because otherwise your web apps are in for a world of hurt!

Re:Attn: Bennett Haselton (1)

bennetthaselton (1016233) | about 8 months ago | (#46044303)

I think someone else commented about caching, and my response was that I think most websites that would use Shapeshifter serve most of their HTML content dynamically, so it wouldn't have been cached anyway, or shouldn't be.

As for re-naming the fields, yes I assume that the Shapeshifter has to do some kind of stateful tracking to remember what the renamed fields correspond to, so it can rename them back on the way in. I don't think shared IP addresses would be a problem. You just have to remember, "I renamed the form field 'firstname' to 'xsdf9045' and sent it to IP address a.b.c.d, so when a form submission comes back from that IP containing the string 'xsdf9045', change it back to 'firstname'."

Thank you, Bennett Haselton (1)

Khopesh (112447) | about 8 months ago | (#46039097)

I don't know what kind of system of blackmail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.

Bennett, please disregard that. People do like summaries and quick reads, which is what the quoted first paragraph you provided delivers. Slashdot's audience is a little too accustomed to having to click on links to see the real article ("mindless link propagation"). Coupling that with the fact that nobody actually RTFA, you get comments like what we see above.

Frankly, I'm happy to see original content on Slashdot (well, beyond book reviews and Ask Slashdot). Thank you for contributing a real story directly to this site rather than posting it elsewhere and linking it in a Slashdot article.

(That said, I do agree with krauch aum that "length does not equal insight," I just happen to have differed in opinion about whether this article has insight. I'd also agree that this reads a little more like a blog than I'd personally like; I'm happier with items that are more like news articles than op-eds. I'd still rate this as a good write-up overall.)

Re:Thank you, Bennett Haselton (1)

OzPeter (195038) | about 8 months ago | (#46039383)

(That said, I do agree with krauch aum that "length does not equal insight," I just happen to have differed in opinion about whether this article has insight. I'd also agree that this reads a little more like a blog than I'd personally like; I'm happier with items that are more like news articles than op-eds. I'd still rate this as a good write-up overall.)

So you agree with the OP on length and quality and "bloginess", but you suggest that Bennet disregards those comments?

Re:Thank you, Bennett Haselton (1)

Khopesh (112447) | about 8 months ago | (#46039527)

So you agree with the OP on length and quality and "bloginess", but you suggest that Bennet disregards those comments?

No. While there is room for improvement, the article is good and Bennett is not "shitting up /." I was suggesting that Bennett disregard the highly negative tone of that comment. I did not say that the article was perfect or that the criticisms of this thread were entirely without merit.

While I agree that "length does not equal insight," I think that there is insight in the article and that its length is fine. Sure, it could benefit from more concision, but most articles fall in that category. The prose is a bit "bloggy" but not unacceptably. Again, there is room for improvement but that's not enough to make this a bad read.

Re:Thank you, Bennett Haselton (1, Flamebait)

weilawei (897823) | about 8 months ago | (#46041131)

The problem lies not with him posting. It lies with him posting in a manner that's effectively off-limits to the rest of us. Do you see ANYONE else routinely (every day, every other day, whatever) making Slashdot's front page and being able to put what amounts to an opinion piece in TFS? This is an ethical problem. He's a contributor, like the rest of us--he should have to do it the same way we're stuck doing it. There is a well established norm here, and Bullshit Hasselton continually violates it, with the knowing support of the editors.

Re:Thank you, Bennett Haselton (1)

bennetthaselton (1016233) | about 8 months ago | (#46044381)

The only argument for doing something, or not doing something, is whether the positives outweigh the negatives.

I am aware the way my articles get posted is not the standard format, but so what? If everyone else drives to work in a blue car and I show up in a green car, who cares?

Re:Thank you, Bennett Haselton (1)

bennetthaselton (1016233) | about 8 months ago | (#46044327)

Thanks. I saw the title "Thank you, Bennett Haselton" and I was all revved up to deal with more sarcasm. Oh well I'm sure there will be more after all.

As for "concision", I really do want to spell things out less and repeat them fewer times, but every time I do that, some readers will miss points that I thought were implicit, or miss something because I said it only once. In the Fifth Amendment article, probably my most heavily criticized one to date:
http://yro.slashdot.org/story/... [slashdot.org]
I said about 185 times that the answer I was looking for should be in the form of a scenario that illustrated why the Fifth Amendment was better than an alternate rule under which the defendant had to answer questions under the same rules as any other witnesses. Out of hundreds of angry comments, I think only three came up with actual scenarios. (And those were interesting cases I hadn't thought of, which led to more thought-provoking discussion.)

Re:Attn: Bennett Haselton (1)

u38cg (607297) | about 8 months ago | (#46044825)

I just want them to make him an official author so I can BLOCK BLOCK BLOCK.

I notice /. has taken to blocking the ohno tag...

But will it block (1)

Anonymous Coward | about 8 months ago | (#46038103)

Slashvertisements?

Re:But will it block (2)

Desler (1608317) | about 8 months ago | (#46038641)

No, it will "polymorphically" add Slashvertisements to the pages you get served.

Re:But will it block (1)

Em Adespoton (792954) | about 8 months ago | (#46039127)

No, it will "polymorphically" add Slashvertisements to the pages you get served.

... maybe it'll prevent dupes?

Re:But will it block (0)

Anonymous Coward | about 8 months ago | (#46039055)

Slashvertisements?

In this case I believe the correct term is Suckvertisements?

Deploy properly configured NoScript (0)

Anonymous Coward | about 8 months ago | (#46038107)

Save a million dollars a year.

Headless browser (0)

Anonymous Coward | about 8 months ago | (#46038121)

obfuscation is not security.

Odo (1)

rossdee (243626) | about 8 months ago | (#46038245)

René Auberjonois was not available for comment

No one gives a shit... (0)

Anonymous Coward | about 8 months ago | (#46038251)

about Bennett Haselton's thoughts. He has no particular expertise in the (many) areas he comments on, nor does anyone find his thoughts insightful. Why is he accorded such special treatment on /.?

Re:No one gives a shit... (5, Funny)

larry bagina (561269) | about 8 months ago | (#46038621)

Dice devop here. We've been testing ShapeShifter to reduce dupes and it works quite well. This is actually a story about the new paging algorithm in Linux 3.1.6-rc. Shapeshifter noticed it was a dupe and turned it into a barely coherent word salad. If anybody knows how to configure this thing to produce better content, we're hiring -- check the dice.com job board to apply.

Re:No one gives a shit... (2)

Em Adespoton (792954) | about 8 months ago | (#46039143)

If anybody knows how to configure this thing to produce better content, we're hiring -- check the dice.com job board to apply.

http://interconnected.org/home... [interconnected.org]

It's time to reKant!

Malware with a keylogger (0)

Anonymous Coward | about 8 months ago | (#46038259)

What does this software do to protect me against that?

Haven't I heard this pitch before? (5, Insightful)

Minwee (522556) | about 8 months ago | (#46038299)

"Our Patented Secret Sauce(tm) will add Obscurity(tm) to your Security, allowing it to defeat 100% of existing exploits!"

...In much the same way that moving the doorknob from the left side of your door to the right side will prevent intruders from opening it tomorrow the same way they did yesterday. It's a nice idea, but unless it makes existing web pages completely unusable by humans as well as bots, it's only going to be a speed bump for exploits to get over.

Re:Haven't I heard this pitch before? (1)

Anonymous Coward | about 8 months ago | (#46038535)

Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.

From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use. If the page is written to override formatting with each object defining its own exact position, then adjacency in the source is meaningless, and the bot will have to chart the positions of drawn objects to identify which field is which.

Short form: it makes scripting access to the page more computation intensive, like having 20 doorknobs, one of which will randomly be connected so that it opens the door.

Re:Haven't I heard this pitch before? (2)

mythosaz (572040) | about 8 months ago | (#46038675)

Presumably it'll add hidden fields as well - who knows.

This will, of course, break your favorite form-filling auto-complete software.

If I'm the logon page for my bank or mortgage company, I have no REAL issue with them sending me a "more secure" logon page, and I can live with not having my browser pre-populate my logon name or email address.

Re:Haven't I heard this pitch before? (0)

Anonymous Coward | about 8 months ago | (#46038741)

Never, ever, ever, ever believe that you can be more clever or more dedicated than a hacker.

Unless you have a mathematical proof of your security, and there's an exponential cost difference between your cost and the attacker's cost, then the solution is fundamentally broken.

The hacker is seeking millions, nay billions of dollars in fortune. (Or maybe trying to avoid a bullet in his head.) You're pounding away at the keyboard for a relative pittance, reading Slashdot to drown out suicidal thoughts.

Re:Haven't I heard this pitch before? (1)

Hognoxious (631665) | about 8 months ago | (#46051429)

and there's an exponential cost difference

"Big". That's the word you're looking for.

Re:Haven't I heard this pitch before? (1)

foobar bazbot (3352433) | about 8 months ago | (#46039161)

Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.

From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use. If the page is written to override formatting with each object defining its own exact position, then adjacency in the source is meaningless, and the bot will have to chart the positions of drawn objects to identify which field is which.

Of course it also breaks/complexifies, in exactly the same way, any features in the user's browser that attempt to autofill or autocomplete fields based on past content. In fact, it may even combine with those features to present minor security problems like autofilling your password in a non-password field, where it will be visible to bystanders and/or TEMPEST snoops. (I note you specified "non-password fields", which would avoid this problem.)
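The per-request renaming described above (shuffled 'fieldN' tags, password field left alone, plus the hidden field mythosaz guesses at) can be sketched server-side. This is an added illustration, not Shape Security's code or anyone's posted code; the HMAC-signed hidden `_shape` field, the key, and the three canonical field names are my own assumptions about how a rewriter could map a submission back to the names the application expects.

```python
import base64
import hashlib
import hmac
import json
import random

# Constructed demo key; a real deployment would keep this in a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Canonical fields from the transfer-page example in the comment.  The
# password field is deliberately NOT on the shuffle list.
SHUFFLED_FIELDS = ("username", "recipient", "amount")


def make_mapping(seed=None):
    """Return a fresh per-request map {canonical -> 'fieldN'}.

    seed is only for reproducible tests; production uses SystemRandom."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    tags = [f"field{i}" for i in range(1, len(SHUFFLED_FIELDS) + 1)]
    rng.shuffle(tags)
    return dict(zip(SHUFFLED_FIELDS, tags))


def sign_mapping(mapping):
    """Serialise the mapping and HMAC it so the client cannot alter it."""
    payload = json.dumps(mapping, sort_keys=True).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


def verify_token(token):
    """Return the mapping carried by token, or None if the HMAC fails."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body.encode())
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(payload)


def rewrite_form(html, mapping):
    """Rename the shuffled fields and embed the signed mapping as a hidden input
    (the assumed '_shape' field) just before the form closes."""
    for canonical, tag in mapping.items():
        html = html.replace(f'name="{canonical}"', f'name="{tag}"')
    hidden = f'<input type="hidden" name="_shape" value="{sign_mapping(mapping)}">'
    return html.replace("</form>", hidden + "</form>")


def demap_submission(form):
    """Translate a submitted {fieldN: value} dict back to canonical names.

    Returns None when the token is missing or tampered, so the application
    never sees a submission whose field labels it cannot trust."""
    mapping = verify_token(form.get("_shape", ""))
    if mapping is None:
        return None
    reverse = {tag: canonical for canonical, tag in mapping.items()}
    return {reverse.get(k, k): v for k, v in form.items() if k != "_shape"}
```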

Re:Haven't I heard this pitch before? (1)

Em Adespoton (792954) | about 8 months ago | (#46039253)

So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use.

...which is exactly how many of these programs work. Field labels tell the bot nothing; what they usually do is fuzz the site and test the results. If the field names change, so what?

Now, if the site uses images instead of text, and the images are generated and labelled randomly and on the fly, and the fields are randomized, this technique may stop forum spam and aid captcha in keeping out bots. It won't really do much against malware though.

Actually, this gives me a great idea for a new captcha mechanism: the captcha actually asks you about some other page element that is based on page randomization. It'd probably work better than the broken systems that are currently in use in most places.

Re:Haven't I heard this pitch before? (1)

Vitriol+Angst (458300) | about 8 months ago | (#46046829)

How is this any better than using a CAPTCHA?

One field to prove you are human AND you preserve the auto-fill features that people enjoy. AND, you save a bunch of money on another layer of complexity if someone calls and says: "your page is broken, dude -- that's lame!"

Browser Compatibility (2)

marciot (598356) | about 8 months ago | (#46038301)

I foresee this breaking websites in weird ways, because what they thought was an invariant change was not for the entirety of browsers out there.

Point in case, the people surfing the web using telnet to port 80 are going to be very pissed.

Re:Browser Compatibility (1)

tacokill (531275) | about 8 months ago | (#46038399)

Point in case, the people surfing the web using telnet to port 80 are going to be very pissed.

I bet all 8 of those people could learn a workaround.
C'mon....are we really worried about a use case for telnet websurfing?

Re:Browser Compatibility (2)

mythosaz (572040) | about 8 months ago | (#46038695)

I want to know who's using telnet for web-pages filled with javascript forms.

Re:Browser Compatibility (2)

foobar bazbot (3352433) | about 8 months ago | (#46039189)

I want to know who's using telnet for web-pages filled with javascript forms.

Bruce Schneier. And he uses port 443.

Re:Browser Compatibility (1)

mythosaz (572040) | about 8 months ago | (#46041033)

I want to know who's using telnet for web-pages filled with javascript forms.

Bruce Schneier. And he uses port 443.

I'm now in favor of this... ...and any technology that keeps Bruce off the web.

"Do you always look at it encoded?" (1)

Guppy (12314) | about 8 months ago | (#46040641)

C'mon....are we really worried about a use case for telnet websurfing?

Porn, of course. After a while you don't even see the code anymore -- just blonde, brunette, redhead...

Re:Browser Compatibility (0)

Anonymous Coward | about 8 months ago | (#46038753)

Changing field names will break browsers. Firefox suggests my name (and if I let it, my password) based on the field names. With obfuscation, I will have to type everything myself.

Humans will not have problems filling in forms - but neither will bots. Bots can do what the humans do, rely on the readable label instead of the coded field name. So no "help", but sure to cause trouble.

"system can be defeated" (3, Insightful)

csumpi (2258986) | about 8 months ago | (#46038357)

The summary says:

"..most programmers will immediately spot several ways that the system can be defeated..."

So I don't get it. You are /vertising a product, that you know doesn't work?


Re:"system can be defeated" (5, Insightful)

CanHasDIY (1672858) | about 8 months ago | (#46038377)

Considering the source is Bennett Haselton, I think it's less a slashvertisement for the product so much as it is a slashvertisement for Bennett Haselton.

Re:"system can be defeated" (0)

bennetthaselton (1016233) | about 8 months ago | (#46044409)

Can you hear me now? (tm)

Re:"system can be defeated" (1)

CanHasDIY (1672858) | about 8 months ago | (#46045515)

Unfortunately.

Re:"system can be defeated" (1)

bennetthaselton (1016233) | about 8 months ago | (#46038461)

It's a heads-up because rightly or wrongly, I think this product will be in the news for a while, and so the deserved skepticism needs to get up and running too.

Re:"system can be defeated" (1)

OneAhead (1495535) | about 8 months ago | (#46041833)

Why is this insightful? I know TFA is light on content and tedious to read, but its last 2 paragraphs do appear to say "the thing is basically useless" (in a long-winded way). Not quite the kind of publicity I would be happy with if I were that company.

Meh (4, Insightful)

stewsters (1406737) | about 8 months ago | (#46038371)

Obfuscation and field renaming are old things on the server. It helps against casual attackers, but it also makes it harder to debug. It can also introduce errors and other security flaws if you are not careful.

Probably breaks screen readers (5, Insightful)

DMUTPeregrine (612791) | about 8 months ago | (#46038373)

This probably ends up breaking screen readers, and therefore would put the sites using it in violation of the Americans with Disabilities Act. If it doesn't break screen readers then it is easy to write a bot that gets the data anyway. So if it works it's illegal.

Re:Probably breaks screen readers (1)

bennetthaselton (1016233) | about 8 months ago | (#46038509)

That's a very good point, I hadn't thought of that.

The fact that this got moderated lower than "kruach aum"s non-post seems to support the point that Slashdot comment ratings are a crap shoot.

Re:Probably breaks screen readers (2)

DMUTPeregrine (612791) | about 8 months ago | (#46038965)

Well, it's now +5, Insightful.

I've found that screen readers provide a good quick test for many security systems: if it works with screen readers, then it's probably not just an obfuscatory scam. If it breaks them, it's almost certainly useless for real security. It also provides a good test for usability: if your system breaks when a disabled person tries to use it, your system probably isn't that usable by non-disabled people either, and it's certainly not robust.

Re:Probably breaks screen readers (1)

Hognoxious (631665) | about 8 months ago | (#46039869)

That's because, despite your retarded advice about dealing with cops, you aren't a fucking lawyer.

Slashdot, advertising shit since Dice bought it. (1)

Anonymous Coward | about 8 months ago | (#46038391)

Where is the link so we can crowdfund this turd of a project? Or are you just trying to drum up some press to present to investors?

In either case you should probably come up with something better than security through obscurity.

changing variable & field names (0)

Anonymous Coward | about 8 months ago | (#46038423)

It only adds a hurdle for malware, but might cause a bad guy to not bother. But just like putting a security company sign in your yard, it tells hackers what tool to use for the job.

Box with blinking lights... (5, Funny)

tekrat (242117) | about 8 months ago | (#46038445)

I once proposed a product at my company that we called "job security" -- it was simply a rackmount box with a metric fuck-ton of blinking lights, and ports on the back to connect ethernet cables that run nowhere.

And the idea behind it was that you buy the unit, install it in your datacenter, and when you're about to get laid off, you point frantically to the box and scream "Oh, yeah, well, who's going to run *that* for you?"

Frankly, this new product sounds like my idea with a bit more of a story behind it. I suppose had we actually *made* the box, we would have eventually figured out some technical sounding crap to go along with it -- my guess is that's the step represented as "?????" followed by "profit".

Re:Box with blinking lights... (0)

Anonymous Coward | about 8 months ago | (#46039165)

"Ah, yes, das blinkenlichten box (TM)... We should probably get two of those. No 'single point of failure' and all that..."

Re:Box with blinking lights... (2)

Quince alPillan (677281) | about 8 months ago | (#46039305)

Funny you should mention this. I used to work for a company that actually made one of these boxes (blinking lights and all) out of painted plywood and put important sounding labels on it like "Main AC", "Generator", "Battery Backup", "Firewall", and "Rack A/B/C" with a simplistic diagram of how the power management system actually worked. They installed it into the server room and hooked a bunch of thick cables to it but didn't actually do anything (the lights were powered by AA batteries).

Occasionally marketing would bring customers (read: CEO/CFO, etc) into the server room to show them the blinking lights to prove that the system was "top notch" and monitored 24/7.

It was later replaced by a wall of monitors showing Nagios graphs that didn't actually measure anything important.

Perhaps the easiest way to defeat such a system: (1)

shellster_dude (1261444) | about 8 months ago | (#46038447)

Though this tool might prevent DOM traversal and node name referencing, it most certainly will strive to keep the website layout the same, from the user's point of view. Therefore, a simple bypass is to look for inputs via relative page positioning. That should completely bypass the anti-bot automation functionality. This type of check would be easiest to perform at a lower level, but it certainly can be done via bot-injected JavaScript.

A bad idea from several angles (2)

tlambert (566799) | about 8 months ago | (#46038453)

A bad idea from several angles

(1) It obfuscates malware fingerprints for code-fingerprint-based malware detectors on consumer machines, making it more likely you will be hit by an attack, rather than less likely

(2) It increases the code size and therefore the data usage for the consumer downloading the web pages in question

(3) By effectively generating a new web page each time, it damages the ability to cache, costing the site itself more bandwidth as well, not just the end user

I can see companies like Verizon with monthly data caps loving this a lot, but it's probably not worth it to almost everyone else.

Re:A bad idea from several angles (1)

bennetthaselton (1016233) | about 8 months ago | (#46038667)

I thought I replied to this already, not sure if the post got deleted, but:

Definitely agree on #1 and #2. I'm not sure about #3 because I think most big sites already generate most of their HTML content dynamically, which means it won't be cached anyway, or shouldn't be.

Re:A bad idea from several angles (0)

Anonymous Coward | about 8 months ago | (#46039267)

I'm not sure about #3 because I think most big sites already generate most of their HTML content dynamically, which means it won't be cached anyway, or shouldn't be.

If the sites are using ESI [wikipedia.org] a large part of the content can be cached without any problems.

This could make automated attacks harder (0)

Anonymous Coward | about 8 months ago | (#46038487)

If the DOM, class names, IDs, etc. are rewritten, it could make automated attacks more difficult. Typically automated attacks will have to locate form elements through some selector (that's how Selenium works, and you could do the same with PhantomJS). But, at least with Phantom, you could scan a rendered DOM, and actually use the location of the elements (x,y coords) to figure out what fields to fill out and submit. If the UI looks the same to the end user, then an automated render will have to show everything in the same location. It may take a little more effort to write a tester script against a given site, but really, writing the tester is probably only 1% of the effort involved. If you make that take twice as long, you've only increased the effort level by an additional 1%. Given the potential problems this rewriting could create for legitimate uses of a predictable or semantic DOM, well ... you tell me. Wish I could get this level of exposure for my software products.

HTTPS (1)

Yaur (1069446) | about 8 months ago | (#46038503)

IF your bank or e-commerce site isn't using HTTPS run away, if they are this thing is at best useless.

Re:HTTPS (1)

bennetthaselton (1016233) | about 8 months ago | (#46038539)

ShapeShifter might work or it might not (probably not), but I don't see how https has anything to do with it.

HTTPS sites are easy for a bot to access, to crawl, to test passwords against, and to log in to if the bot has valid credentials. HTTPS prevents eavesdropping, not automated access.

ShapeShifter is equally useful (or useless) for a site whether the site runs https or not.

Have fun web developers... (0)

Anonymous Coward | about 8 months ago | (#46038571)

This might prevent someone from using curl to hack a system, but there are ways to simulate a browser in an automated way. My main concern about this is from the perspective of a web developer. The last thing I want is a system that chews up my HTML response in a way that I have no control over. Also, I'd be curious to see what the performance of this appliance is under a full load. I can only imagine how much slower an ASP.NET application would run through it...

ShapeShifter (1)

PaddyM (45763) | about 8 months ago | (#46038663)

Breaking search indexes one obfuscated jrofvgr ng n gvzr.

Re:ShapeShifter (1)

bennetthaselton (1016233) | about 8 months ago | (#46038679)

V frr jung lbh qvq gurer.

Role Reversal (1)

AlphaBro (2809233) | about 8 months ago | (#46039135)

Attackers have been utilizing JavaScript obfuscation for eons, so naturally there are plenty of deobfuscation tools. An updated piece of malware wouldn't even have to drive the browser to circumvent this mitigation, it could simply use a JavaScript engine like V8 or SpiderMonkey to execute the JavaScript that decodes the page, not unlike malware analysts already do.

Not going to work. (0)

Anonymous Coward | about 8 months ago | (#46039709)

The hackers they're trying to target are the ones that will easily bypass this. These people can look at code and fucking destroy it without even thinking about it. It's a gift that could be used for a lot of good sadly it's not.

symptomatic relief (1)

markhahn (122033) | about 8 months ago | (#46039811)

They're treating the symptoms of the problem, not the cause. This is usually a bad idea.

Using obfuscated javascript to generate elements ? (0)

Anonymous Coward | about 8 months ago | (#46044079)

or perhaps using obfuscated JavaScript to generate the page contents.

Yeah, sure. Having a "protection" which forces you to open one of the bigger security holes a webpage has ...

No, thank you.

On the other hand, this ShapeShifter method could be worth something to someone who wants to make sure his advertisement revenue will be harder to thwart by pesky AdBlock (and alike) users.

Worst headline of 2014 so far! (0)

Anonymous Coward | about 8 months ago | (#46044645)

The headline is absolutely unparseable and makes no sense.

Try:

"Malware-stopping product 'Shapeshifter' could improve with more work."

I ...think... that's what the long article is trying to say.

Done (0)

Anonymous Coward | about 8 months ago | (#46045037)

Can't this be broken with document.getElementsByTagName("input") ?

Breaks User Scripts/Styles? (1)

Ken_g6 (775014) | about 8 months ago | (#46050179)

So does this mean Greasemonkey and Stylish won't work on pages using this technique? I hope it doesn't spread widely.

Actually, I guess Greasemonkey scripts could be written to tease out what they need anyway, but it would be much harder.
