
ShapeShifter: Beatable, But We'll Hear More About It 102

Posted by Soulskill
from the unknown-sample dept.
Slashdot contributor Bennett Haselton writes: "A California company called Shape Security claims that their network box can disable malware attacks, by using polymorphism to rewrite webpages before they are sent to the user's browser. Most programmers will immediately spot several ways that the system can be defeated, but it may still slow attackers down or divert them towards other targets." Read on for the rest of Bennett's thoughts.

When a ShapeShifter appliance is installed in a datacenter alongside a web server, it takes the website's content and rewrites it before sending it to the user's browser, using techniques to obfuscate the contents such as changing the names of various form fields, or perhaps using obfuscated JavaScript to generate the page contents. (Many Slashdotters will understand these terms, but if you're not sure what I mean by "changing form fields" or "obfuscated JavaScript," it's a bit too technical to explain within this article. Suffice to say that obfuscated JavaScript is itself not a new idea; you can see a demonstration here, which takes simple JavaScript code and rewrites it in such a way that it's much harder to scan automatically, but the code still does the same thing.) The idea is that by obscuring the webpage contents, ShapeShifter makes it harder for bots and malware to conduct automated attacks against the website, since the bots now have to be smart enough to parse the obfuscated JavaScript or decipher the renamed form fields.
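To make the "changing form field names" step concrete, here is an added Python sketch of the mechanism as the article describes it; it is not Shape Security's code, nor code from the article's author. A proxy in front of the application rewrites every form field name to a fresh random alias on each response, plants a one-time hidden token so it can find its own mapping again, and translates the aliases back to the real names when the form is submitted. The sample login form, the `f_` alias prefix and the `_ss_token` hidden field are constructed for this example; a real deployment would keep the mapping in a shared store rather than in process memory.

```python
import re
import secrets

# Constructed sample page for this example (not vendor or article output).
SAMPLE_LOGIN_FORM = """
<form method="post" action="/login">
  <label for="u">Username</label> <input type="text" id="u" name="username">
  <label for="p">Password</label> <input type="password" id="p" name="password">
  <input type="submit" value="Sign in">
</form>
"""

# Matches the name="..." attribute inside <input>, <select> and <textarea> tags.
_NAME_ATTR = re.compile(r'(<(?:input|select|textarea)\b[^>]*?\bname=")([^"]+)(")', re.I)
TOKEN_FIELD = "_ss_token"  # hypothetical hidden field that correlates a submission with its mapping


def field_names(html):
    """Return the form field names in document order (used to inspect the rewrite)."""
    return [m.group(2) for m in _NAME_ATTR.finditer(html)]


class PolymorphicFormProxy:
    """Per-response field renaming with the server-side state needed to undo it.

    The browser and the application never see the alias table: the proxy keeps
    it keyed by a single-use token, so a captured token cannot be replayed and
    a submission that carries a field name the proxy did not issue is rejected.
    """

    def __init__(self):
        self._pending = {}  # token -> {alias: original field name}

    def rewrite_response(self, html):
        """Rename every field to a random alias and embed the correlation token."""
        aliases = {}

        def repl(match):
            alias = "f_" + secrets.token_hex(6)
            aliases[alias] = match.group(2)
            return match.group(1) + alias + match.group(3)

        rewritten = _NAME_ATTR.sub(repl, html)
        token = secrets.token_urlsafe(16)
        self._pending[token] = aliases
        hidden = '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, token)
        # Note what is NOT hidden: label text and type="password" still reveal
        # each field's role to anyone who reads the rendered page.
        return rewritten.replace("</form>", hidden + "\n</form>", 1), token

    def restore_request(self, form_data):
        """Map a submitted {alias: value} dict back to the application's field names."""
        aliases = self._pending.pop(form_data.get(TOKEN_FIELD), None)  # single use
        if aliases is None:
            raise ValueError("unknown or reused form token")
        restored = {}
        for key, value in form_data.items():
            if key == TOKEN_FIELD:
                continue
            if key not in aliases:
                raise ValueError("field %r was not issued for this form" % key)
            restored[aliases[key]] = value
        return restored


if __name__ == "__main__":
    proxy = PolymorphicFormProxy()
    page, token = proxy.rewrite_response(SAMPLE_LOGIN_FORM)
    print(page)
    aliases = [n for n in field_names(page) if n != TOKEN_FIELD]
    print(proxy.restore_request({aliases[0]: "alice", aliases[1]: "hunter2", TOKEN_FIELD: token}))
```

Two loads of the same page get disjoint alias sets, so a bot that memorised `name="username"` from one visit finds nothing to fill on the next. The comment in `rewrite_response` is the caveat the rest of the article turns on: the labels, the `type="password"` attribute and the visual layout are unchanged, which is exactly what a browser-driving script or a human would key on instead.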

The idea has attracted glowing reviews from tech writers, including some who say they can "barely stay awake for a lot of startup pitches" but who were evidently enthralled by this one. My first reaction was that it's not hard to think of ways that this system can be defeated, and some readers will have thought of some ways to attack it even before finishing the previous paragraph. However, the attacks will perhaps require some malware and bot writers to rewrite their malicious programs to target websites in new ways. It remains to be seen how long that will take, and whether Shape will have a countermove after bots evolve to defeat their systems.

If you watch the video on Shape Security's website and pay close attention to their claims, note that they never actually say that ShapeShifter can stop malware from stealing a user's credentials — perhaps a deliberate omission for honesty's sake, since their technology, as they've described it, cannot prevent that. If your machine is infected with malware, and you're filling out a form on a website, the malware can eavesdrop at the level of the user interface to watch what you're typing into a form -- and if you fill out a form which contains a password field, or which contains a string of numbers that pass the credit card number checksum, the malware can capture the entire form contents and silently transmit it back to the attacker. No amount of obfuscation and shapeshifting in the HTML can stop the malware from capturing your password at the user interface level.

Now consider, instead, two of the claims actually made in the ShapeShifter video:

"Financial sites face man-in-the-browser attacks. This kind of bot waits for a legitimate user to authenticate, and then manipulates financial transactions. By disrupting the scripts that Man-in-the-Browser bots rely on, the ShapeShifter allows banks to safely serve their customers, even when their customers are infected with malware."

and

"On e-commerce sites, account takeover has evolved into a serious source of losses. 60% of users use the same password across multiple sites. When user credentials on one site are compromised, attackers program bots to test user credentials on other sites. The ShapeShifter prevents bots from testing stolen credentials on your website."

What both of these claims are essentially saying is that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials, or from testing those credentials on other sites. However, I would argue that once your credentials have been stolen successfully, 90% of the damage has been done. ShapeShifter can't do anything to stop a human from testing your stolen credentials manually, and if the attacker has already infected your machine, they can use your machine as a proxy when testing out your credentials, so that the target website doesn't even notice a login from an unusual IP address.

And is it even true that ShapeShifter can stop bots from automating an attack against a target website? Even if a website relayed through ShapeShifter has its HTML obfuscated with JavaScript and re-named form fields, it's still easy to write scripts that automate the act of launching a web browser and filling content into those form fields — such as entering a username and password into two fields, and submitting them to see if the website accepts the login. I'm not sure (it's been a long time since I've written browser automation code, using frameworks like Selenium), but I think you can even automate the interaction "silently," without actually opening up a visible browser window. Which, of course, means you can do it on a user's machine that has been conscripted into a botnet, without the user knowing what's going on.

Now, automating interaction with a website through the browser may be harder than writing a script to interact with the website at the network level. But as long as someone figures out a way to do it, they can sell the method and the toolkit to others. (The credit card security breach at Target was carried out using software that a 17-year-old wrote and sold off-the-shelf on the black market.)

What about straight denial-of-service attacks, where an attacker doesn't care about breaking into a website or stealing data, but simply wants to take it offline by flooding it with traffic? Could ShapeShifter protect against those types of attacks? It depends on the type of attack. If you're trying to take down a website simply by sending an overwhelming number of requests for the website's front page, and nothing else, then ShapeShifter wouldn't be able to mitigate this attack, since every incoming front-page request still has to be passed through to the web server being protected, and if that's too much for the web server to handle, it will still go down. On the other hand, some denial-of-service attacks use more sophisticated tricks, like running a search query on the target website — knowing that handling a search query requires a lot more processing power than simply serving up the site's front page, so it would take a smaller number of requests to effectively tie up the webserver. If ShapeShifter can effectively stop bots from logging in to a website, running search queries, or performing other actions that are resource-intensive, then that type of denial-of-service attack could be stopped or slowed down.

So, at least based on the product description from the company itself, can ShapeShifter stop malware from stealing your users' logins on your site? Definitely not. Can ShapeShifter stop a botnet from conducting automated attacks against your user interface? For some types of botnets, maybe, but probably not in the long run. Will ShapeShifter be able to evolve a defense against bots that use browser automation? It's hard to see what they could possibly do in response. One of the company founders says, "We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," but without knowing what those countermoves are, we only have their word to go on.

But in spite of my misgivings, I wouldn't predict on that basis that the product won't sell a lot of units. Some companies may buy the box without realizing that it does nothing to prevent their users' credentials from being compromised by malware, and that it provides only limited protection against automated attacks. Some companies may realize the limitations of the protection, but decide to buy it anyway because it looks good to their investors or their cybersecurity insurance underwriters. In such situations, even just the appearance of proactivity can be worth a million dollars a year.

  • In other words ... (Score:5, Insightful)

    by gstoddart (321705) on Wednesday January 22, 2014 @03:00PM (#46038083) Homepage

    What both of these claims are essentially saying that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials

    We don't actually provide any extra security, you'll still get ripped off, but we'll see if we can't momentarily confuse the malware with the classic "Hey, look over there" trick.

    But, in the meantime, we'll mangle your web pages so we can convince you something is actually happening.

    This sounds less than useful on first skimming. In fact, it sounds like an obfuscated snake-oil salesman.

    • It was called Greenborder and it was in the early 2ks: http://googlesystem.blogspot.c... [blogspot.com]
    • by rioki (1328185)

      They basically lost the sale to me at the 18th word: polymorphism. Do these marketing schmucks even know what that word means? If I built an automated malware filtering technology I would use a whole other set of technobabble, like "advanced pattern recognition", "dynamic filtering", "machine learning" and maybe even "neural network". They not only fail to build a product that actually does something for their users, but also fail to properly sell it to anybody remotely technical.

      • Re: (Score:1, Insightful)

        I don't think the system will work, but I thought they appeared to be using "polymorphism" correctly (rewriting code so that it's harder for a dumb bot to parse it, but so that it does the same thing as the original code when it's executed).
  • by kruach aum (1934852) on Wednesday January 22, 2014 @03:01PM (#46038095)

    I don't know what kind of system of black mail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.

    • by Aighearach (97333)

      ... stop it before it gets to the children!!!

    • This is actually rather interesting, and is better than soliciting a "Look at this cool link I found!" from the user. I agree with the post--this is basically a giant ass-dance of "We make it move around more so it's harder to hit! That's security!" (that's an arms race, which we live in already; and it's an automated one that we already have software to mitigate--the fucking web browser). He's provided me a source to point and say, "This smart fellow understands and says the same thing I am," since I wo

      • I think someone else commented about caching, and my response was that I think most websites that would use Shapeshifter, serve most of their HTML content dynamically, so it wouldn't have been cached anyway, or shouldn't be.

        As for re-naming the fields, yes I assume that the Shapeshifter has to do some kind of stateful tracking to remember what the renamed fields correspond to, so it can rename them back on the way in. I don't think shared IP addresses would be a problem. You just have to remember, "I re
    • I don't know what kind of system of black mail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.

      Bennett, please disregard that. People do like summaries and quick reads, which is what the quoted first paragraph you provided delivers. Slashdot's audience is a little too accustomed to having to click on links to see the real article ("mindless link propagation"). Coupling that with the fact that nobody actually RTFA, you get comments like what we see above.

      Frankly, I'm happy to see original content on Slashdot (well, beyond book reviews and Ask Slashdot). Thank you for contributing a real story di

      • by OzPeter (195038)

        (That said, I do agree with kruach aum that "length does not equal insight," I just happen to have differed in opinion about whether this article has insight. I'd also agree that this reads a little more like a blog than I'd personally like; I'm happier with items that are more like news articles than op-eds. I'd still rate this as a good write-up overall.)

        So you agree with the OP on length and quality and "bloginess", but you suggest that Bennett disregard those comments?

        • by Khopesh (112447)

          So you agree with the OP on length and quality and "bloginess", but you suggest that Bennett disregard those comments?

          No. While there is room for improvement, the article is good and Bennett is not "shitting up /." I was suggesting that Bennett disregard the highly negative tone of that comment. I did not say that the article was perfect or that the criticisms of this thread were entirely without merit.

          While I agree that "length does not equal insight," I think that there is insight in the article and that its length is fine. Sure, it could benefit from more concision, but most articles fall in that category. The pr

          • Re: (Score:2, Flamebait)

            by weilawei (897823)
            The problem lies not with him posting. It lies with him posting in a manner that's effectively off-limits to the rest of us. Do you see ANYONE else routinely (every day, every other day, whatever) making Slashdot's front page and being able to put what amounts to an opinion piece in TFS? This is an ethical problem. He's a contributor, like the rest of us--he should have to do it the same way we're stuck doing it. There is a well established norm here, and Bullshit Hasselton continually violates it, with the
            • The only argument for doing something, or not doing something, is whether the positives outweigh the negatives.

              I am aware the way my articles get posted is not the standard format, but so what? If everyone else drives to work in a blue car and I show up in a green car, who cares?
              • by weilawei (897823)
                It's good that you recognize it finally. But a more apt analogy is that everyone drives to work in a car, and you drive a tank down the middle of the road.
          • Thanks. I saw the title "Thank you, Bennett Haselton" and I was all revved up to deal with more sarcasm. Oh well I'm sure there will be more after all.

            As for "concision", I really do want to spell things out less and repeat them fewer times, but every time I do that, some readers will miss points that I thought were implicit, or miss something because I said it only once. In the Fifth Amendment article, probably my most heavily criticized one to date:
            http://yro.slashdot.org/story/... [slashdot.org]
            I said about 185
    • by u38cg (607297)
      I just want them to make him an official author so I can BLOCK BLOCK BLOCK.

      I notice /. has taken to blocking the ohno tag...

  • by Anonymous Coward

    Slashvertisements?

    • by Desler (1608317)

      No, it will "polymorphically" add Slashvertisements to the pages you get served.

      • No, it will "polymorphically" add Slashvertisements to the pages you get served.

        ... maybe it'll prevent dupes?

  • by rossdee (243626)

    Rene Auberjenois was not available for comment

  • by Minwee (522556) <dcr@neverwhen.org> on Wednesday January 22, 2014 @03:17PM (#46038299) Homepage

    "Our Patented Secret Sauce(tm) will add Obscurity(tm) to your Security, allowing it to defeat 100% of existing exploits!"

    ...In much the same way that moving the doorknob from the left side of your door to the right side will prevent intruders from opening it tomorrow the same way they did yesterday. It's a nice idea, but unless it makes existing web pages completely unusable by humans as well as bots, it's only going to be a speed bump for exploits to get over.

    • by Anonymous Coward

      Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.

      From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
      So, imagine a page that draws the same way every time you load it, but internally t

      • by mythosaz (572040)

        Presumably it'll add hidden fields as well - who knows.

        This will, of course, break your favorite form-filling auto-complete software.

        If I'm the logon page for my bank or mortgage company, I have no REAL issue with them sending me a "more secure" logon page, and I can live with not having my browser pre-populate my logon name or email address.

      • Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.

        From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
        So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use. If the page is written to override formatting with each object defining its own exact position, then adjacency in the source is meaningless, and the bot will have to chart the positions of drawn objects to identify which field is which.

        Of course it also breaks/complexifies, in exactly the same way, any features in the user's browser that attempt to autofill or autocomplete fields based on past content. In fact, it may even combine with those features to present minor security problems like autofilling your password in a non-password field, where it will be visible to bystanders and/or TEMPEST snoops. (I note you specified "non-password fields", which would avoid this problem.)

        So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use.

        ...which is exactly how many of these programs work. Field labels tell the bot nothing; what they usually do is fuzz the site and test the results. If the field names change, so what?

        Now, if the site uses images instead of text, and the images are generated and labelled randomly and on the fly, and the fields are randomized, this technique may stop forum spam and aid captcha in keeping out bots. It won't really do much against malware though.

        Actually, this gives me a great idea for a new captcha mechanis

      • How is this any better than using a CAPTCHA?

        One field to prove you are human AND you preserve the auto-fill features that people enjoy. AND, you save a bunch of money on another layer of complexity if someone calls and says; "your page is broken, dude -- that's lame!"

  • by marciot (598356) on Wednesday January 22, 2014 @03:17PM (#46038301)

    I foresee this breaking websites in weird ways, because what they thought was an invariant change was not for the entirety of browsers out there.

    Point in case, the people surfing the web using telnet to port 80 are going to be very pissed.

    • by tacokill (531275)
      Point in case, the people surfing the web using telnet to port 80 are going to be very pissed.

      I bet all 8 of those people could learn a workaround.
      C'mon....are we really worried about a use case for telnet websurfing?
      • by mythosaz (572040)

        I want to know who's using telnet for web-pages filled with javascript forms.

        • I want to know who's using telnet for web-pages filled with javascript forms.

          Bruce Schneier. And he uses port 443.

          • by mythosaz (572040)

            I want to know who's using telnet for web-pages filled with javascript forms.

            Bruce Schneier. And he uses port 443.

            I'm now in favor of this... ...and any technology that keeps Bruce off the web.

      • C'mon....are we really worried about a use case for telnet websurfing?

        Porn, of course. After a while you don't even see the code anymore -- just blonde, brunette, redhead...

  • by csumpi (2258986) on Wednesday January 22, 2014 @03:22PM (#46038357)
    The summary says:

    "..most programmers will immediately spot several ways that the system can be defeated..."

    So I don't get it. You are /vertising a product, that you know doesn't work?

  • Meh (Score:5, Insightful)

    by stewsters (1406737) on Wednesday January 22, 2014 @03:24PM (#46038371)
    Obfuscation and field renaming are old things on the server. It helps against casual attackers, but it also makes it harder to debug. It can also introduce errors and other security flaws if you are not careful.
  • by DMUTPeregrine (612791) on Wednesday January 22, 2014 @03:24PM (#46038373) Journal
    This probably ends up breaking screen readers, and therefore would put the sites using it in violation of the Americans with Disabilities Act. If it doesn't break screen readers then it is easy to write a bot that gets the data anyway. So if it works it's illegal.
    • That's a very good point, I hadn't thought of that.

      The fact that this got moderated lower than "kruach aum"'s non-post seems to support the point that Slashdot comment ratings are a crap shoot.
      • Well, it's now +5, Insightful.

        I've found that screen readers provide a good quick test for many security systems: if it works with screen readers, then it's probably not just an obfuscatory scam. If it breaks them, it's almost certainly useless for real security. It also provides a good test for usability: if your system breaks when a disabled person tries to use it, your system probably isn't that usable by non-disabled people either, and it's certainly not robust.
      • That's because, despite your retarded advice about dealing with cops, you aren't a fucking lawyer.

  • Where is the link so we can crowdfund this turd of a project? Or are you just trying to drum up some press to present to investors?

    In either case you should probably come up with something better than security through obscurity.

  • by tekrat (242117) on Wednesday January 22, 2014 @03:30PM (#46038445) Homepage Journal

    I once proposed a product at my company that we called "job security" -- it was simply a rackmount box with a metric fuck-ton of blinking lights, and ports on the back to connect ethernet cables that run nowhere.

    And the idea behind it was that you buy the unit, install it in your datacenter, and when you're about to get laid off, you point frantically to the box and scream "Oh, yeah, well, who's going to run *that* for you?"

    Frankly, this new product sounds like my idea with a bit more of a story behind it. I suppose had we actually *made* the box, we would have eventually figured out some technical sounding crap to go along with it -- my guess is that's the step represented as "?????" followed by "profit".

    • Funny you should mention this. I used to work for a company that actually made one of these boxes (blinking lights and all) out of painted plywood and put important sounding labels on it like "Main AC", "Generator", "Battery Backup", "Firewall", and "Rack A/B/C" with a simplistic diagram of how the power management system actually worked. They installed it into the server room and hooked a bunch of thick cables to it but didn't actually do anything (the lights were powered by AA batteries).

      Occasionally ma

  • Though this tool might prevent DOM traversal and node name referencing, it most certainly will strive to keep the website layout the same, from the user's point of view. Therefore, a simple bypass is to look for inputs via relative page positioning. That should completely bypass the anti-bot automation functionality. This type of check would be easiest to perform at a lower-level, but it certainly can be done via bot injected Javascript.
  • by tlambert (566799) on Wednesday January 22, 2014 @03:31PM (#46038453)

    A bad idea from several angles

    (1) It obfuscates malware fingerprints for code fingerprint based malware detectors on consumer machines, making it more likely you will be hit by an attack, rather than less likely

    (2) It increases the code size and therefore the data usage for the consumer downloading the web pages in question

    (3) By effectively generating a new web page each time, it damages the ability to cache, costing the site itself more bandwidth as well, not just the end user

    I can see companies like Verizon with monthly data caps loving this a lot, but it's probably not worth it to almost everyone else.

    • I thought I replied to this already, not sure if the post got deleted, but:

      Definitely agree on #1 and #2. I'm not sure about #3 because I think most big sites already generate most of their HTML content dynamically, which means it won't be cached anyway, or shouldn't be.
  • by Yaur (1069446)
    IF your bank or e-commerce site isn't using HTTPS run away, if they are this thing is at best useless.
    • ShapeShifter might work or it might not (probably not), but I don't see how https has anything to do with it.

      HTTPS sites are easy for a bot to access, to crawl, to test passwords against, and to log in to if the bot has valid credentials. HTTPS prevents eavesdropping, not automated access.

      ShapeShifter is equally useful (or useless) for a site whether the site runs https or not.
  • Breaking search indexes one obfuscated jrofvgr ng n gvzr.

  • They're treating the symptoms of the problem, not the cause. This is usually a bad idea.

  • So does this mean Greasemonkey and Stylish won't work on pages using this technique? I hope it doesn't spread widely.

    Actually, I guess Greasemonkey scripts could be written to tease out what they need anyway, but it would be much harder.

  • The real value here is it enables much more granular logging.

    I object to this article, however, on grounds that this is not news. It's a press release, and crap like this is why I only visit slashdot every few months any more.
