Difference between revisions of "Identity Pathology"

From MgmtWiki
Jump to: navigation, search
(Solutions)
(Problems)
 
(22 intermediate revisions by the same user not shown)
Line 8: Line 8:
  
 
There are three entities that are in play here.
 
There are three entities that are in play here.
#The user on a user device (aka a user agent).
+
#The user on a user device (aka a user agent) possibly with some of the [[User Information]] resident in the cloud at a user_info_endpoint.
#The resource provider (aka a relying party.)
+
#The resource provider (aka a [[Relying Party]].)
#Identifier and Attribute Providers.
+
#[[Identifier or Attribute Provider]]s.
 +
 
 +
The page on [[Identity Theft]] describes an [[Identity Pathology]] involving another party that has traditionally not been treated the same way as other [[Data Controller]]s, the Credit Reporting Agencies. See that page for more details on attacks against financial accounts.
  
 
==Problems==
 
==Problems==
 +
 +
Threats against authentication, federation or user private data, as that can be used in spoofing.
  
 
* Attacks at the user device or user agent.
 
* Attacks at the user device or user agent.
**User private data, including credentials used in authentication.
+
**User private data, including credentials used in authentication or secret seed value.
**Data of the user's contacts data.
+
**Theft of user device or second factor token
 +
**Data of the user's contacts' email address for spamming.
 
**Insertion of malware on the user's device.
 
**Insertion of malware on the user's device.
 
**Interception of legitimate user connections to valuable resources, including elevation of priviledge.
 
**Interception of legitimate user connections to valuable resources, including elevation of priviledge.
 
* Attacks on the transmission of user private data.
 
* Attacks on the transmission of user private data.
**Interception of legitimate user connections to valuable resources.
+
**Interception of legitimate user connections to steal authentication data.
 
**Misdirection or misleading connection to attacker sites.
 
**Misdirection or misleading connection to attacker sites.
**Man in the middle attacks.
+
**Hijacking a legitimate user connection (Man in the middle attacks).
 
* Spoofing attacks at the resource site.
 
* Spoofing attacks at the resource site.
**Using data acquired by social engineering.
+
**Online guessing, when user lock-out or time-out is not applied.
 +
**Binding of attacker's token to the user's profile at the resource
 +
**Reuse or Replay of user credentials
 +
***User reliance on passwords alone is known to result in password reuse, so if an attack succeeds on one site, it may work on others.
 +
**Using data acquired by social engineering, such as using a pretext for the user to enable the authentication.
 +
***Complex passwords that are unique to one site or service will force users to write down passwords which can be found.
 
**Initiating connections through other compromised sites, including compromised Identifier or Attribute Providers.
 
**Initiating connections through other compromised sites, including compromised Identifier or Attribute Providers.
 
* Misuse of user private data.
 
* Misuse of user private data.
 
**Releasing data to others.
 
**Releasing data to others.
 
**Data breaches.
 
**Data breaches.
 +
**Social engineering at provider based on partial knowledge of user private data
 +
* Social engineering at the user level
 +
** [https://in.bgu.ac.il/en/pages/news/information_manipulation.aspx How We Can Be Manipulated Into Sharing Private Information Online Revealed in Study by BGU Researchers]
  
 
==Solutions==
 
==Solutions==
These are the mitigations that should be considered based on the risk profile for the resource being protected.
+
*These are the mitigations that should be considered based on the risk profile for the resource being protected.
 
+
*"Malware" encompasses computer viruses (code injection), computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits, malicious Browser Helper Object (BHOs) etc.
"Malware" encompasses computer viruses (code injection), computer "worms", ransomware, spyware, adware, trojan horses, keyloggers, rootkits, rootkits, malicious Browser Helper Object (BHOs) and other malicious software.
+
*What's an identity exploit worth? How about up to $100,000.<ref>Microsoft Identity Bounty Program https://www.microsoft.com/en-us/msrc/bounty-microsoft-identity?rtc=1&SilentAuth=1&wa=wsignin1.0</ref>
 +
* [https://media.defense.gov/2020/Dec/17/2002554125/-1/-1/0/AUTHENTICATION_MECHANISMS_CSA_U_OO_198854_20.PDF Detecting Abuse of Authentication Mechanisms] National Security Agency | Cybersecurity Advisory. (2020-12)
  
 
==References==
 
==References==
Line 39: Line 53:
  
 
[[Category:Glossary]]
 
[[Category:Glossary]]
 +
[[Category:Privacy]]
 +
[[Category:Security]]
 +
[[Category:Identity]]

Latest revision as of 17:08, 28 December 2020

Full Title or Meme

A list of various ways in which identity information can be misused or misappropriated on the internet.

Context

User private data is required for release of web resources. Minimizing the amount of data released or its misuse after release is the object of this effort to collect a list of the various attacks and their mitigations.

There are three entities that are in play here.

  1. The user on a user device (aka a user agent) possibly with some of the User Information resident in the cloud at a user_info_endpoint.
  2. The resource provider (aka a Relying Party.)
  3. Identifier or Attribute Providers.

The page on Identity Theft describes an Identity Pathology involving another party that has traditionally not been treated the same way as other Data Controllers, the Credit Reporting Agencies. See that page for more details on attacks against financial accounts.

Problems

Threats against authentication, federation or user private data, as that can be used in spoofing.

  • Attacks at the user device or user agent.
    • User private data, including credentials used in authentication or secret seed value.
    • Theft of user device or second factor token
    • Data of the user's contacts' email address for spamming.
    • Insertion of malware on the user's device.
    • Interception of legitimate user connections to valuable resources, including elevation of priviledge.
  • Attacks on the transmission of user private data.
    • Interception of legitimate user connections to steal authentication data.
    • Misdirection or misleading connection to attacker sites.
    • Hijacking a legitimate user connection (Man in the middle attacks).
  • Spoofing attacks at the resource site.
    • Online guessing, when user lock-out or time-out is not applied.
    • Binding of attacker's token to the user's profile at the resource
    • Reuse or Replay of user credentials
      • User reliance on passwords alone is known to result in password reuse, so if an attack succeeds on one site, it may work on others.
    • Using data acquired by social engineering, such as using a pretext for the user to enable the authentication.
      • Complex passwords that are unique to one site or service will force users to write down passwords which can be found.
    • Initiating connections through other compromised sites, including compromised Identifier or Attribute Providers.
  • Misuse of user private data.
    • Releasing data to others.
    • Data breaches.
    • Social engineering at provider based on partial knowledge of user private data
  • Social engineering at the user level

Solutions

  • These are the mitigations that should be considered based on the risk profile for the resource being protected.
  • "Malware" encompasses computer viruses (code injection), computer worms, ransomware, spyware, adware, trojan horses, keyloggers, rootkits, malicious Browser Helper Object (BHOs) etc.
  • What's an identity exploit worth? How about up to $100,000.[1]
  • Detecting Abuse of Authentication Mechanisms National Security Agency | Cybersecurity Advisory. (2020-12)

References

  1. Microsoft Identity Bounty Program https://www.microsoft.com/en-us/msrc/bounty-microsoft-identity?rtc=1&SilentAuth=1&wa=wsignin1.0