'Active cookies' for better security?

As there are no commercial tools today to protect you against pharming attacks, Indiana University researchers have developed a countermeasure based on active cookies, which are pieces of cached and sandboxed executable code, such as JavaScript objects. These active cookies will help a server authenticate your browser and protect you against the bad guys.

With 'pharming', cyber crooks plant false information directly on domain name servers. Even if you manually type a URL, especially when using a Wi-Fi connection, you can't be sure that your request is not redirected to the wrong place. And there are no commercial tools to protect you today. But now, Indiana University researchers have found a countermeasure in active cookies, which are pieces of cached and sandboxed executable code, such as JavaScript objects. These active cookies will help a server authenticate your browser. And even if this kind of software is targeted more at auctioneers and financial services providers, you might be glad one day that these companies use this new mechanism of protection against the bad guys.

Let's start with the definition of pharming given by Indiana University.

Pharming is obtaining personal or private (usually financial) information through domain spoofing. Rather than spamming with malicious and mischievous e-mail requests for users to visit fake Web sites which appear legitimate, pharming "poisons" a domain name server by planting false information in the server, resulting in a user's request being redirected elsewhere. The browser, however, tells users they are at the correct Web site.

As there are no commercial tools able to protect you against this kind of attack, Indiana researchers led by Markus Jakobsson, founder of RavenWhite Inc., have developed the concept of active cookies.

RavenWhite provides a new use of cookies, which are coded pieces of information stored on a person's computer that identify that computer during the current and subsequent visits to a Web site. Active cookies can be used in some situations where traditional cookies are not practical. Jakobsson's invention helps protect against known types of pharming attacks and man-in-the-middle attacks, but also against new attacks.

Below are two images showing the effect of active cookies against a pharming attack (Credit: RavenWhite Inc./Indiana University). And please note that the DNS authority is represented on these diagrams by an old supercomputer from Cray Research -- where I worked in the past.

Active cookies against a pharming attack

This software mechanism should be able to protect you from new kinds of attacks, such as the ones recently discovered by Indiana University computer scientists.

[Mark] Meiss discovered a technique that allows an attacker to hijack almost any Wi-Fi (wireless fidelity) connection with the purpose of redirecting users to incorrect sites. He recently verified that the technique works in a local hotspot, a location where Wi-Fi users pick up an active signal. "There is no way a user can determine that this attack takes place," explained Meiss.
[And Alex] Tsow discovered that consumer routers can be trivially modified to stealthily redirect users to fake sites. He showed a browser window where he typed eBay into the address bar, but where the loaded content showed the Web page of the Anti-Phishing Working Group.

The computer scientists have presented their results in a paper called "Active Cookies for Browser Authentication" (PDF format, 23 pages, 1.27 MB), from which the above diagram has been extracted. Here are some of the conclusions.

Active cookies have certain drawbacks, like their limited persistence and their lack of support for roaming users. And they do not offer security against strong attacks like active corruption of routers on the client-server path, as more holistic cryptographic solutions can. But active cookies can provide a potent defense against virulent attacks like pharming that can defeat even hardware authentication tokens. Their outstanding feature is that they create no real change in user experience and are easy to administer on the server side.
An important area for future research is the ways in which active cookies can harmonize with existing authentication tools. We believe that active cookies can work on mobile platforms, such as cell phones, and are investigating such deployments.

Will active cookies be successful? We'll see.

Sources: Indiana University news release, February 17, 2006; and various web sites
