ShapeShifter: Beatable, But We'll Hear More About It
When a ShapeShifter appliance is installed in a datacenter alongside a web server, it takes the website's content and rewrites it before sending it to the user's browser, using techniques to obfuscate the contents such as changing the names of various form fields, or perhaps using obfuscated JavaScript to generate the page contents. (Many Slashdotters will understand these terms, but if you're not sure what I mean by "changing form fields" or "obfuscated JavaScript," it's a bit too technical to explain within this article. Suffice to say that obfuscated JavaScript is itself not a new idea; you can see a demonstration here, which takes simple JavaScript code and rewrites it in such a way that it's much harder to scan automatically, but the code still does the same thing.) The idea is that by obscuring the webpage contents, ShapeShifter makes it harder for bots and malware to conduct automated attacks against the website, since the bots now have to be smart enough to parse the obfuscated JavaScript or decipher the renamed form fields.
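A small stand-alone model of the per-response field renaming described above (an added example, not Shape Security's code or anything from the original article). It assumes a proxy that rewrites each response's `<input name="...">` attributes to random aliases, keeps the alias-to-real mapping server-side under a single-use token carried in a hidden field (`__shape` is a made-up name), and maps the names back when the form is posted; it also shows the checks that refuse a reused token or a post that uses the real field names instead of the ones handed out.

```python
"""Per-response form-field renaming, modelled after the technique the
article attributes to ShapeShifter (added example, not the product's code).
Assumptions: a reverse proxy rewrites input names on the way out, stores the
alias->real mapping under a single-use token in a hidden field, and maps the
posted names back on the way in."""
import re
import secrets
from typing import Dict, List, Tuple

# Server-side state: token -> {alias: real_name}.  A real appliance would use
# a shared store with expiry; a dict is enough to show the flow.
_PENDING: Dict[str, Dict[str, str]] = {}
TOKEN_FIELD = "__shape"   # hypothetical name for the hidden token field

_NAME_ATTR = re.compile(r'(<input\b[^>]*\bname=")([^"]+)(")', re.IGNORECASE)
_ALIAS = re.compile(r'name="(f[0-9a-f]{12})"')


def obfuscate_form(page: str) -> Tuple[str, str]:
    """Rewrite every input name to a fresh random alias and remember the
    mapping under a new token.  Returns (rewritten_page, token)."""
    mapping: Dict[str, str] = {}

    def swap(match):
        real = match.group(2)
        alias = "f" + secrets.token_hex(6)      # e.g. f3a9c1e0b2d4
        mapping[alias] = real
        return match.group(1) + alias + match.group(3)

    rewritten = _NAME_ATTR.sub(swap, page)
    token = secrets.token_urlsafe(16)
    _PENDING[token] = mapping
    hidden = f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
    # Put the token inside the form so the browser posts it with the fields.
    rewritten = rewritten.replace("</form>", hidden + "</form>", 1)
    return rewritten, token


def aliases_in(page: str) -> List[str]:
    """The alias names a browser would see on a rewritten page, in order."""
    return _ALIAS.findall(page)


def restore_submission(posted: Dict[str, str]) -> Dict[str, str]:
    """Translate a posted form back to the real field names.  Raises
    ValueError when the token is missing or already used, or when a posted
    field name is not one this response handed out (e.g. a bot posting the
    real names it learned from an earlier copy of the page)."""
    token = posted.get(TOKEN_FIELD)
    if token is None:
        raise ValueError("missing token")
    mapping = _PENDING.pop(token, None)     # single use: replay is refused
    if mapping is None:
        raise ValueError("unknown or already-used token")
    restored: Dict[str, str] = {}
    for alias, value in posted.items():
        if alias == TOKEN_FIELD:
            continue
        if alias not in mapping:
            raise ValueError(f"unexpected field {alias!r}")
        restored[mapping[alias]] = value
    return restored


# Constructed sample login form (not taken from any real site).
LOGIN_FORM = (
    '<form method="post" action="/login">'
    '<input type="text" name="username">'
    '<input type="password" name="password">'
    '<input type="submit" value="Log in">'
    '</form>'
)


def demo() -> Dict[str, str]:
    """Render once, post with the aliases the page handed out, map back."""
    page, token = obfuscate_form(LOGIN_FORM)
    user_alias, pass_alias = aliases_in(page)
    posted = {user_alias: "alice", pass_alias: "hunter2", TOKEN_FIELD: token}
    return restore_submission(posted)   # {'username': 'alice', 'password': 'hunter2'}


if __name__ == "__main__":
    print(demo())
```

Note that nothing here touches what a user types: malware reading the form at the UI level, the limitation the article goes on to discuss, sees the real values regardless of what the fields are called.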
The idea has attracted glowing reviews from tech writers, including some who say they can "barely stay awake for a lot of startup pitches" but who were evidently enthralled by this one. My first reaction was that it's not hard to think of ways that this system can be defeated, and some readers will have thought of some ways to attack it even before finishing the previous paragraph. However, the attacks will perhaps require some malware and bot writers to rewrite their malicious programs to target websites in new ways. It remains to be seen how long that will take, and whether Shape will have a countermove after bots evolve to defeat their systems.
If you watch the video on Shape Security's website and pay close attention to their claims, note that they never actually say that ShapeShifter can stop malware from stealing a user's credentials — perhaps a deliberate omission for honesty's sake, since their technology, as they've described it, cannot prevent that. If your machine is infected with malware, and you're filling out a form on a website, the malware can eavesdrop at the level of the user interface to watch what you're typing into a form, and if you fill out a form which contains a password field, or which contains a string of numbers that pass the credit card number checksum, the malware can capture the entire form contents and silently transmit it back to the attacker. No amount of obfuscation and shapeshifting in the HTML can stop the malware from capturing your password at the user interface level.
Now consider, instead, two of the claims actually made in the ShapeShifter video:
"Financial sites face man-in-the-browser attacks. This kind of bot waits for a legitimate user to authenticate, and then manipulates financial transactions. By disrupting the scripts that Man-in-the-Browser bots rely on, the ShapeShifter allows banks to safely serve their customers, even when their customers are infected with malware."
and
"On e-commerce sites, account takeover has evolved into a serious source of losses. 60% of users use the same password across multiple sites. When user credentials on one site are compromised, attackers program bots to test user credentials on other sites. The ShapeShifter prevents bots from testing stolen credentials on your website."
What both of these claims are essentially saying is that once your credentials have been stolen, ShapeShifter can mitigate the damage by preventing a bot from executing transactions using those stolen credentials, or from testing those credentials on other sites. However, I would argue that once your credentials have been stolen successfully, 90% of the damage has been done. ShapeShifter can't do anything to stop a human from testing your stolen credentials manually, and if the attacker has already infected your machine, they can use your machine as a proxy when testing out your credentials, so that the target website doesn't even notice a login from an unusual IP address.
And is it even true that ShapeShifter can stop bots from automating an attack against a target website? Even if a website relayed through ShapeShifter has its HTML obfuscated with JavaScript and renamed form fields, it's still easy to write scripts that automate the act of launching a web browser and filling content into those form fields — such as entering a username and password into two fields, and submitting them to see if the website accepts the login. I'm not sure (it's been a long time since I've written browser automation code, using frameworks like Selenium), but I think you can even automate the interaction "silently," without actually opening up a visible browser window. Which, of course, means you can do it on a user's machine that has been conscripted into a botnet, without the user knowing what's going on.
Now, automating interaction with a website through the browser may be harder than writing a script to interact with the website at the network level. But as long as someone figures out a way to do it, they can sell the method and the toolkit to others. (The credit card security breach at Target was carried out using software that a 17-year-old wrote and sold off-the-shelf on the black market.)
What about straight denial-of-service attacks, where an attacker doesn't care about breaking into a website or stealing data, but simply wants to take it offline by flooding it with traffic? Could ShapeShifter protect against those types of attacks? It depends on the type of attack. If you're trying to take down a website simply by sending an overwhelming number of requests for the website's front page, and nothing else, then ShapeShifter wouldn't be able to mitigate this attack, since every incoming front-page request still has to be passed through to the web server being protected, and if that's too much for the web server to handle, it will still go down. On the other hand, some denial-of-service attacks use more sophisticated tricks, like running a search query on the target website — knowing that handling a search query requires a lot more processing power than simply serving up the site's front page, so it would take a smaller number of requests to effectively tie up the web server. If ShapeShifter can effectively stop bots from logging in to a website, running search queries, or performing other actions that are resource-intensive, then that type of denial-of-service attack could be stopped or slowed down.
So, at least based on the product description from the company itself, can ShapeShifter stop malware from stealing your users' logins on your site? Definitely not. Can ShapeShifter stop a botnet from conducting automated attacks against your user interface? For some types of botnets, maybe, but probably not in the long run. Will ShapeShifter be able to evolve a defense against bots that use browser automation? It's hard to see what they could possibly do in response. One of the company founders says, "We are populating our roadmap for the next five, six or seven steps cybercriminals will make and figuring out a countermove," but without knowing what those countermoves are, we only have their word to go on.
But in spite of my misgivings, I wouldn't predict on that basis that the product won't sell a lot of units. Some companies may buy the box without realizing that it does nothing to prevent their users' credentials from being compromised by malware, and that it provides only limited protection against automated attacks. Some companies may realize the limitations of the protection, but decide to buy it anyway because it looks good to their investors or their cybersecurity insurance underwriters. In such situations, even just the appearance of proactivity can be worth a million dollars a year.
Re: (Score:2)
Instead of one target to attack (the target website), there are now 2 targets to attack: the shapeshifter obfuscation box and the target website.
Re: (Score:2)
Instead of one target to attack (the target website), there are now 2 targets to attack: the shapeshifter obfuscation box and the target website.
Indeed -- and if you target the web server and not shapeshifter, then you get free malware obfuscation that will likely bypass many malware scanners. Nothing like getting the local server to do the malware author's job for them -- I see these setups as being very desirable infection targets, as nobody will be sure whether the malicious code appended to the data stream is intentional or not.
Re: (Score:1)
Anyone remember from Gödel, Escher, Bach:
"I cannot be played on record player X"
Who will win, Tortoise or the Crab?
Re: (Score:1)
That indeed was the first thing which came to my mind when reading the summary.
In other words ... (Score:5, Insightful)
We don't actually provide any extra security, you'll still get ripped off, but we'll see if we can't momentarily confuse the malware with the classic "Hey, look over there" trick.
But, in the meantime, we'll mangle your web pages so we can convince you something is actually happening.
This sounds less than useful on first skimming. In fact, it sounds like an obfuscated snake-oil salesman.
Google already bought "that" company (Score:1)
Re: (Score:2)
They basically lost the sale to me at the 18th word: polymorphism. Do these marketing schmucks even know what that word means? If I built an automated malware filtering technology I would use a whole other set of technobabble, like "advanced pattern recognition", "dynamic filtering", "machine learning" and maybe even "neural network". They not only fail to build a product that actually does something for their users, but also fail to properly sell it to anybody remotely technical.
Attn: Bennett Haselton (Score:5, Insightful)
I don't know what kind of system of blackmail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.
Re: (Score:2)
... stop it before it gets to the children!!!
Re: (Score:2)
This is actually rather interesting, and is better than soliciting a "Look at this cool link I found!" from the user. I agree with the post--this is basically a giant ass-dance of "We make it move around more so it's harder to hit! That's security!" (that's an arms race, which we live in already; and it's an automated one that we already have software to mitigate--the fucking web browser). He's provided me a source to point and say, "This smart fellow understands and says the same thing I am," since I wo
Re: (Score:1)
As for re-naming the fields, yes I assume that the Shapeshifter has to do some kind of stateful tracking to remember what the renamed fields correspond to, so it can rename them back on the way in. I don't think shared IP addresses would be a problem. You just have to remember, "I re
Thank you, Bennett Haselton (Score:2)
I don't know what kind of system of blackmail has given you the power to turn /. into your personal blog, but please stop using it like one. Length does not equal insight, your posts are not more or less important than those of other users, stop shitting up /.
Bennett, please disregard that. People do like summaries and quick reads, which is what the quoted first paragraph you provided delivers. Slashdot's audience is a little too accustomed to having to click on links to see the real article ("mindless link propagation"). Coupling that with the fact that nobody actually RTFA, you get comments like what we see above.
Frankly, I'm happy to see original content on Slashdot (well, beyond book reviews and Ask Slashdot). Thank you for contributing a real story di
Re: (Score:2)
(That said, I do agree with krauch aum that "length does not equal insight," I just happen to have differed in opinion about whether this article has insight. I'd also agree that this reads a little more like a blog than I'd personally like; I'm happier with items that are more like news articles than op-eds. I'd still rate this as a good write-up overall.)
So you agree with the OP on length and quality and "bloginess", but you suggest that Bennett disregard those comments?
Re: (Score:2)
So you agree with the OP on length and quality and "bloginess", but you suggest that Bennett disregard those comments?
No. While there is room for improvement, the article is good and Bennett is not "shitting up /." I was suggesting that Bennett disregard the highly negative tone of that comment. I did not say that the article was perfect or that the criticisms of this thread were entirely without merit.
While I agree that "length does not equal insight," I think that there is insight in the article and that its length is fine. Sure, it could benefit from more concision, but most articles fall in that category. The pr
Re: (Score:1)
I am aware the way my articles get posted is not the standard format, but so what? If everyone else drives to work in a blue car and I show up in a green car, who cares?
Re: (Score:1)
As for "concision", I really do want to spell things out less and repeat them fewer times, but every time I do that, some readers will miss points that I thought were implicit, or miss something because I said it only once. In the Fifth Amendment article, probably my most heavily criticized one to date:
http://yro.slashdot.org/story/... [slashdot.org]
I said about 185
Re: (Score:2)
I notice /. has taken to blocking the ohno tage...
Re:Attn: Bennett Haselton (Score:4, Interesting)
Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?
Yes
(a) ShapeShifter is digital snake oil
(b) Yes, as has already been proven by his writing in the past.
Re:Attn: Bennett Haselton (Score:5, Informative)
Do you have an argument that either (a) ShapeShifter is not an important topic, or (b) that the analysis in the post is incorrect?
Irrelevant to the OP's assertion that if you want to write a blog, do it elsewhere.
I agree with OP that this style of "submission" is not what /. is about and making me read all this in order to get to the comments is bullshit.
Re: (Score:3)
saying "Slashdot is not your blog" is not an argument.
Yes it is
Re:Attn: Bennett Haselton (Score:4, Informative)
Because they're not written by you?
Re: (Score:2)
It is, because nobody has the willpower to read that far.
Re: (Score:1)
But still, the point still stands: you haven't given any kind of reason why it would be better to post it on a Slashdot journal and link to it, instead of running it the way it's running now. Surely it's not hard for anyone to read the one-paragraph summary and then decide whether they want to click through to the rest of the article. So what's the problem?
But will it block (Score:1)
Slashvertisements?
Re: (Score:2)
No, it will "polymorphically" add Slashvertisements to the pages you get served.
Re: (Score:1)
No, it will "polymorphically" add Slashvertisements to the pages you get served.
... maybe it'll prevent dupes?
Odo (Score:2)
René Auberjonois was not available for comment.
Re:No one gives a shit... (Score:5, Funny)
Dice devop here. We've been testing ShapeShifter to reduce dupes and it works quite well. This is actually a story about the new paging algorithm in Linux 3.1.6-rc. Shapeshifter noticed it was a dupe and turned it into a barely coherent word salad. If anybody knows how to configure this thing to produce better content, we're hiring -- check the dice.com job board to apply.
Re: (Score:2)
If anybody knows how to configure this thing to produce better content, we're hiring -- check the dice.com job board to apply.
http://interconnected.org/home... [interconnected.org]
It's time to reKant!
Haven't I heard this pitch before? (Score:5, Insightful)
"Our Patented Secret Sauce(tm) will add Obscurity(tm) to your Security, allowing it to defeat 100% of existing exploits!"
...In much the same way that moving the doorknob from the left side of your door to the right side will prevent intruders from opening it tomorrow the same way they did yesterday. It's a nice idea, but unless it makes existing web pages completely unusable by humans as well as bots, it's only going to be a speed bump for exploits to get over.
Re: (Score:1)
Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.
From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
So, imagine a page that draws the same way every time you load it, but internally t
Re: (Score:3)
Presumably it'll add hidden fields as well - who knows.
This will, of course, break your favorite form-filling auto-complete software.
If I'm the logon page for my bank or mortgage company, I have no REAL issue with them sending me a "more secure" logon page, and I can live with not having my browser pre-populate my logon name or email address.
Re: (Score:2)
"Big". That's the word you're looking for.
Re: (Score:2)
Somewhat. If I read correctly, this shuffles terms each page request while (allegedly) maintaining the same form factor. This means the HTML and script look different each time (not just one single change), but the page displays consistently for human users.
From a form imitation perspective, this means a pre-built bot will have to find obscure details of important fields instead of relying on things like the field name tag.
So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use. If the page is written to override formatting with each object defining its own exact position, then adjacency in the source is meaningless, and the bot will have to chart the positions of drawn objects to identify which field is which.
Of course it also breaks/complexifies, in exactly the same way, any features in the user's browser that attempt to autofill or autocomplete fields based on past content. In fact, it may even combine with those features to present minor security problems like autofilling your password in a non-password field, where it will be visible to bystanders and/or TEMPEST snoops. (I note you specified "non-password fields", which would avoid this problem.)
Re: (Score:1)
So, imagine a page that draws the same way every time you load it, but internally the non-password fields are randomly given name tags of 'field1' through 'field5'. Sometimes the username is field1, sometimes the recipient name is field1, and sometimes the amount to be transferred is field1. If those fields are shaped identically, a bot will have difficulty identifying which is which without parsing adjacent objects and looking for the drawn keywords that humans use.
...which is exactly how many of these programs work. Field labels tell the bot nothing; what they usually do is fuzz the site and test the results. If the field names change, so what?
Now, if the site uses images instead of text, and the images are generated and labelled randomly and on the fly, and the fields are randomized, this technique may stop forum spam and aid captcha in keeping out bots. It won't really do much against malware though.
Actually, this gives me a great idea for a new captcha mechanis
Re: (Score:2)
How is this any better than using a CAPTCHA?
One field to prove you are human AND you preserve the auto-fill features that people enjoy. AND, you save a bunch of money on another layer of complexity if someone calls and says; "your page is broken, dude -- that's lame!"
Browser Compatibility (Score:3)
I foresee this breaking websites in weird ways, because what they thought was an invariant change was not for the entirety of browsers out there.
Case in point, the people surfing the web using telnet to port 80 are going to be very pissed.
Re: (Score:2)
I bet all 8 of those people could learn a workaround.
C'mon... are we really worried about a use case for telnet websurfing?
Re: (Score:3)
I want to know who's using telnet for web-pages filled with javascript forms.
Re: (Score:3)
I want to know who's using telnet for web-pages filled with javascript forms.
Bruce Schneier. And he uses port 443.
Re: (Score:2)
I want to know who's using telnet for web-pages filled with javascript forms.
Bruce Schneier. And he uses port 443.
I'm now in favor of this... and any technology that keeps Bruce off the web.
"Do you always look at it encoded?" (Score:2)
C'mon....are we really worried about a use case for telnet websurfing?
Porn, of course. After a while you don't even see the code anymore -- just blonde, brunette, redhead...
"system can be defeated" (Score:4, Insightful)
"..most programmers will immediately spot several ways that the system can be defeated..."
So I don't get it. You are
Re:"system can be defeated" (Score:5, Insightful)
Considering the source is Bennett Haselton, I think it's less a slashvertisement for the product so much as it is a slashvertisement for Bennett Haselton.
Re: (Score:2)
Unfortunately.
Meh (Score:5, Insightful)
Probably breaks screen readers (Score:5, Insightful)
Re: (Score:1)
The fact that this got moderated lower than "kruach aum"'s non-post seems to support the point that Slashdot comment ratings are a crap shoot.
Re: (Score:3)
I've found that screen readers provide a good quick test for many security systems: if it works with screen readers, then it's probably not just an obfuscatory scam. If it breaks them, it's almost certainly useless for real security. It also provides a good test for usability: if your system breaks when a disabled person tries to use it, your system probably isn't that usable by non-disabled people either, and it's certainly not robust.
Re: (Score:2)
That's because, despite your retarded advice about dealing with cops, you aren't a fucking lawyer.
Slashdot, advertising shit since Dice bought it. (Score:1)
Where is the link so we can crowdfund this turd of a project? Or are you just trying to drum up some press to present to investors?
In either case you should probably come up with something better than security through obscurity.
Box with blinking lights... (Score:5, Funny)
I once proposed a product at my company that we called "job security" -- it was simply a rackmount box with a metric fuck-ton of blinking lights, and ports on the back to connect ethernet cables that run nowhere.
And the idea behind it was that you buy the unit, install it in your datacenter, and when you're about to get laid off, you point frantically to the box and scream "Oh, yeah, well, who's going to run *that* for you?"
Frankly, this new product sounds like my idea with a bit more of a story behind it. I suppose had we actually *made* the box, we would have eventually figured out some technical sounding crap to go along with it -- my guess is that's the step represented as "?????" followed by "profit".
Re: (Score:3)
Funny you should mention this. I used to work for a company that actually made one of these boxes (blinking lights and all) out of painted plywood and put important sounding labels on it like "Main AC", "Generator", "Battery Backup", "Firewall", and "Rack A/B/C" with a simplistic diagram of how the power management system actually worked. They installed it into the server room and hooked a bunch of thick cables to it but didn't actually do anything (the lights were powered by AA batteries).
Occasionally ma
Perhaps the easiest way to defeat such a system: (Score:2)
A bad idea from several angles (Score:3)
A bad idea from several angles
(1) It obfuscates malware fingerprints for code-fingerprint-based malware detectors on consumer machines, making it more likely you will be hit by an attack, rather than less likely
(2) It increases the code size and therefore the data usage for the consumer downloading the web pages in question
(3) By effectively generating a new web page each time, it damages the ability to cache, costing the site itself more bandwidth as well, not just the end user
I can see companies like Verizon with monthly data caps loving this a lot, but it's probably not worth it to almost everyone else.
Re: (Score:1)
Definitely agree on #1 and #2. I'm not sure about #3 because I think most big sites already generate most of their HTML content dynamically, which means it won't be cached anyway, or shouldn't be.
HTTPS (Score:2)
Re: (Score:1)
HTTPS sites are easy for a bot to access, to crawl, to test passwords against, and to log in to if the bot has valid credentials. HTTPS prevents eavesdropping, not automated access.
ShapeShifter is equally useful (or useless) for a site whether the site runs https or not.
ShapeShifter (Score:2)
Breaking search indexes one obfuscated jrofvgr ng n gvzr.
symptomatic relief (Score:2)
They're treating the symptoms of the problem, not the cause. This is usually a bad idea.
Breaks User Scripts/Styles? (Score:2)
So does this mean Greasemonkey and Stylish won't work on pages using this technique? I hope it doesn't spread widely.
Actually, I guess Greasemonkey scripts could be written to tease out what they need anyway, but it would be much harder.
press release, much? (Score:2)
The real value here is it enables much more granular logging.
I object to this article, however, on grounds that this is not news. It's a press release, and crap like this is why I only visit slashdot every few months any more.