Attacker Techniques: Gesture Jacking

A few years back, I wrote a short explainer about User Gestures, a web platform concept whereby certain sensitive operations (e.g. opening a popup window) will first attempt to confirm whether the user intentionally requested the action. As noted in that post, gestures are a weak primitive — while checking whether the user clicked or…

Cloaking, Detonation, and Client-side Phishing Detection

Today, most browsers integrate security services that attempt to protect users from phishing attacks: for Microsoft’s Edge, the service is Defender SmartScreen, and for Chrome, Firefox, and many derivatives, it’s Google’s Safe Browsing. URL Reputation services do what you’d expect — they return a reputation based on the URL, and the browser will warn/block loading…

The Blind Doorkeeper Problem, or, Why Enclaves are Tricky

When trying to protect a secret on a client device, there are many strategies, but most of them are doomed. However, as a long-standing problem, many security experts have tried to chip away at its edges over the years. Over the last decade there’s been growing interest in using enclaves as a means to protect…

Defense Techniques: Blocking Protocol Handlers

Application Protocols represent a compelling attack vector because they’re the most reliable and cross-browser compatible way to escape a browser’s sandbox, and they work in many contexts (Office apps, some PDF handlers, some chat/messaging clients, etc.). Some protocol handlers are broadly used, while others are only used for particular workflows which may not be relevant…

Attack Techniques: Steganography

Attackers are incentivized to cloak their attacks to avoid detection, keep attack chains alive longer, and make investigations more complicated. One type of cloaking involves steganography, whereby an attacker embeds hidden data inside an otherwise innocuous file. For instance, an attacker might embed their malicious code inside an image file, not in an attempt to…

Security: The Impact of Time

Two years ago, I wrote a long post about the importance of time, and how practical time machines can help reduce emergencies into more mundane work items. Today, we revisit the same topic, with a focus on the Security impact of time. Races: In many ways, the story of modern security is a story about races,…

Beware: URLs are Pointers to Mutable Entities

Folks often like to think of URLs as an entity that can be evaluated: “Is it harmless, or is it malicious?” In particular, vendors of security products tend to lump URLs in with other IoCs (indicators of compromise) like the hash of a known-malicious file, a malicious/compromised digital certificate, or a known-malicious IP address. Unfortunately,…

Attack Techniques: Fullscreen Abuse

It’s extremely difficult to prevent attacks when there are no trustworthy pixels on the screen, especially if a user doesn’t realize that none of what they’re seeing should be trusted. Unfortunately for the browsing public, the HTML5 Fullscreen API can deliver this power to an attacker. Today (and for over a decade now), an attacking…

Defensive Techniques: Application Guard

Earlier this year, I mentioned that I load every phishing URL I’m sent to see what it does and whether it tries to use any interesting new techniques. While Edge’s “Enhanced Security Mode” reduces the risks of 0-day attacks against the browser itself, another great defense available for enterprise users is Microsoft Defender Application Guard.…

Attack Techniques: QR Codes

As outlined in earlier posts in this series, attackers know that security software can detect their phishing lures and block users from even seeing the lure if it contains a known-phishing URL. For example, both Windows Live and Gmail block email that is believed to contain phishing links. If your enterprise uses Microsoft Defender for…