ShapeShifter: Beatable, But We'll Hear More About It 102
When a ShapeShifter appliance is installed in a datacenter alongside a web server, it takes the website's content and rewrites it before sending it to the user's browser, using techniques to obfuscate the contents such as changing the names of various form fields, or perhaps using obfuscated JavaScript to generate the page contents. (Many Slashdotters will understand these terms, but if you're not sure what I mean by "changing form fields" or "obfuscated JavaScript," it's a bit too technical to explain within this article. Suffice to say that obfuscated JavaScript is itself not a new idea; you can see a demonstration here, which takes simple JavaScript code and rewrites it in such a way that it's much harder to scan automatically, but the code still does the same thing.) The idea is that by obscuring the webpage contents, ShapeShifter makes it harder for bots and malware to conduct automated attacks against the website, since the bots now have to be smart enough to parse the obfuscated JavaScript or decipher the renamed form fields.
The idea has attracted glowing reviews from tech writers, including some who say they can "barely stay awake for a lot of startup pitches" but who were evidently enthralled by this one. My first reaction was that it's not hard to think of ways that this system can be defeated, and some readers will have thought of some ways to attack it even before finishing the previous paragraph. However, the attacks will perhaps require some malware and bot writers to rewrite their malicious programs to target websites in new ways. It remains to be seen how long that will take, and whether Shape will have a countermove after bots evolve to defeat their systems.
If you watch the video on Shape Security's website and pay close attention to their claims, note that they never actually say that ShapeShifter can stop malware from stealing a user's credentials — perhaps a deliberate omission for honesty's sake, since their technology, as they've described it, cannot prevent that. If your machine is infected with malware, and you're filling out a form on a website, the malware can eavesdrop at the level of the user interface to watch what you're typing into a form -- and if you fill out a form which contains a password field, or which contains a string of numbers that pass the credit card number checksum, the malware can capture the entire form contents and silently transmit it back to the attacker. No amount of obfuscation and shapeshifting in the HTML can stop the malware from capturing your password at the user interface level.
Now consider, instead, two of the claims actually made in the ShapeShifter video:
"Financial sites face man-in-the-browser attacks. This kind of bot waits for a legitimate user to authenticate, and then manipulates financial transactions. By disrupting the scripts that Man-in-the-Browser bots rely on, the ShapeShifter allows banks to safely serve their customers, even when their customers are infected with malware."
and
"On e-commerce sites, account takeover has evolved into a serious source of losses. 60% of users use the same password across multiple sites. When user credentials on one site are compromised, attackers program bots to test user credentials on other sites. The ShapeShifter prevents bots from testing stolen credentials on your website."
What both of these claims are essentially saying that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials, or from testing those credentials on other sites. However, I would argue that once your credentials have been stolen successfully, 90% of the damage has been done. ShapeShifter can't do anything to stop a human from testing your stolen credentials manually, and if the attacker has already infected your machine, they can use your machine as a proxy when testing out your credentials, so that the target website doesn't even notice a login from an unusual IP address.
And is it even true that ShapeShifter can stop bots from automating an attack against a target website? Even if a website relayed through ShapeShifter has its HTML obfuscated with JavaScript and re-named form fields, it's still easy to write scripts that automate the act of launching a web browser and filling content into those form fields — such as entering a username and password into two fields, and submitting them to see if the website accepts the login. I'm not sure (it's been a long time since I've written browser automation code, using frameworks like Selenium), but I think you can even automate the interaction "silently," without actually opening up a visible browser window. Which, of course, means you can do it on a user's machine that has been conscripted into a botnet, without the user knowing what's going on.
Now, automating interaction with a website through the browser, may be harder than writing a script to interact with the website at the network level. But as long as someone figures out a way to do it, they can sell the method and the toolkit to others. (The credit card security breach at Target was carried out using software that a 17-year-old wrote and sold off-the-shelf on the black market.)
What about straight denial-of-service attacks, where an attacker doesn't care about breaking into a website or stealing data, but simply wants to take it offline by flooding it with traffic? Could ShapeShifter protect against those types of attacks? It depends on the type of attack. If you're trying to take down a website simply by sending an overwhelming number of requests for the website's front page, and nothing else, then ShapeShifter wouldn't be able to mitigate this attack, since every incoming front-page request still has to be passed through to the web server being protected, and if that's too much for the web server to handle, it will still go down. On the other hand, some denial-of-service attacks use more sophisticated tricks, like running a search query on the target website — knowing that handling a search query requires a lot more processing power than simply serving up the site's front page, so it would take a smaller number of requests to effectively tie up the webserver. If ShapeShifter can effectively stop bots from logging in to a website, running search queries, or performing other actions that are resource-intensive, then that type of denial-of-service attack could be stopped or slowed down.
So, at least based on the product description from the company itself, can ShapeShifter stop malware from stealing your users' logins on your site? Definitely not. Can ShapeShifter stop a botnet from conducting automated attacks against your user interface? For some types of botnets, maybe, but probably not in the long run. Will ShapeShifter be able to evolve a defense against bots that use browser automation? It's hard to see what they could possibly do in response. One of the company founders says, "We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," but without knowing what those countermoves are, we only have their word to go on.
But in spite of my misgivings, I wouldn't predict on that basis that the product won't sell a lot of units. Some companies may buy the box without realizing that it does nothing to prevent their users' credentials from being compromised by malware, and that it provides only limited protection against automated attacks. Some companies may realize the limitations of the protection, but decide to buy it anyway because it looks good to their investors or their cybersecurity insurance underwriters. In such situations, even just the appearance of proactivity can be worth a million dollars a year.
In other words ... (Score:5, Insightful)
We don't actually provide any extra security, you'll still get ripped off, but we'll see if we can't momentarily confuse the malware with the classic "Hey, look over there" trick.
But, in the meantime, we'll mangle your web pages so we can convince you something is actually happening.
This sounds less than useful on first skimming. In fact, it sounds like an obfuscated snake-oil salesman.
Attn: Bennett Haselton (Score:5, Insightful)
I don't know what kind of system of black mail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.
Haven't I heard this pitch before? (Score:5, Insightful)
"Our Patented Secret Sauce(tm) will add Obscurity(tm) to your Security, allowing it to defeat 100% of existing exploits!"
...In much the same way that moving the doorknob from the left side of your door to the right side will prevent intruders from opening it tomorrow the same way they did yesterday. It's a nice idea, but unless it makes existing web pages completely unusable by humans as well as bots, it's only going to be a speed bump for exploits to get over.
"system can be defeated" (Score:4, Insightful)
"..most programmers will immediately spot several ways that the system can be defeated..."
So I don't get it. You are
.
Meh (Score:5, Insightful)
Probably breaks screen readers (Score:5, Insightful)
Re:"system can be defeated" (Score:5, Insightful)
Considering the source is Bennett Haselton, I think it's less a slashvertisment for the product so much as it is a slashvertisment for Bennett Haselton.
Re:In other words ... (Score:1, Insightful)