
RE: [WEB SECURITY] MachineID fingerprinting



This kind of thing has been done for copy protection for ages.
Sometimes it is implemented with (often) hidden files and the like seeded somewhere on
a file structure. Sometimes people look at a bunch of file creation times, hardware MAC
addresses of NIC boards, combinatorial functions of peripherals, or the like. You could
look at where on disk some files exist (and have that break with the first defragmentation)
and the more facts about a system you gather - model numbers of disks, CPU, amount of memory,
and so on into the night - the more you have a fingerprint of a system that probably is unique.

The problem with it is the fingerprint generally will change as people maintain their systems,
replace disks, add memory, and so on. If hidden files or "secret" contents in files that are just sitting
around get cleaned up, your tag becomes useless.

Over many years, this kind of thing caused lots of trouble for people who tried it for copy
protection, enough so that it was largely abandoned as a bad idea.

If you make it part of a financial decision, such a "fingerprint" will also become a sitting duck
to be attacked by malware as well.

To be successful and robust I would suggest that a customer token should be predictable by the authenticating end (which "machine fingerprints" generally are not), it must be stable in its operation,
it must resist attack by malware which can be expected to know ALL about it, and it should require some kind of user input so that having an authentication attempt means at least that it was consciously wanted by the customer. A better system would authenticate both ways and allow also that something about a transaction could be positively affirmed by the customer, again in some way to resist malware, after each transaction. (A book which I think was named Security Engineering had a short story about "Mafia in the middle" which is a good thought exercise in this connection.)

I can think of a couple ways to do this at least but they are not precisely the kind of cheap solutions that I have seen discussed. (However they might work, where others would not.)

Glenn Everhart
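
As an added example (not Glenn's code, nor anything posted in this thread), the following Python sketch contrasts the two approaches he describes: a hash of gathered system facts, which the bank cannot predict and which changes wholesale when one disk is swapped, against a shared-secret token that the authenticating end can compute itself, that is bound to the transaction, that authenticates in both directions, and that requires a PIN typed by the customer. The class and function names, the PBKDF2 PIN-to-key derivation and the sample hardware attributes are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

def machine_fingerprint(attrs: dict) -> str:
    """Hash of gathered system facts (disk model, CPU, RAM, MAC ...).
    Any single change yields an unrelated value the server could not predict."""
    canon = json.dumps(attrs, sort_keys=True).encode()
    return hashlib.sha256(canon).hexdigest()

def _mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix each field so field boundaries cannot be shifted.
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_key(secret: bytes, pin: str) -> bytes:
    # Assumed PIN-to-key derivation: a wrong PIN gives a wrong key, so every MAC fails.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), secret, 50_000)

class Bank:
    """Authenticating end: stores only the PIN-derived key from enrollment."""
    def __init__(self, key: bytes):
        self.key = key
        self.pending = set()          # challenges issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, txn: bytes, response: bytes) -> Optional[bytes]:
        """Check the customer's MAC; on success return the bank's MAC over the same data."""
        if nonce not in self.pending:          # replayed or never issued
            return None
        self.pending.discard(nonce)            # each challenge is single-use
        if not hmac.compare_digest(_mac(self.key, b"customer", nonce, txn), response):
            return None
        return _mac(self.key, b"bank", nonce, txn)

def customer_response(secret: bytes, pin: str, nonce: bytes, txn: bytes) -> bytes:
    """Device side: the PIN is typed by the customer for this transaction."""
    return _mac(derive_key(secret, pin), b"customer", nonce, txn)

def customer_checks_bank(secret: bytes, pin: str, nonce: bytes, txn: bytes,
                         bank_mac: Optional[bytes]) -> bool:
    """Mutual authentication: the customer confirms the bank saw the same transaction."""
    expected = _mac(derive_key(secret, pin), b"bank", nonce, txn)
    return bank_mac is not None and hmac.compare_digest(expected, bank_mac)
```

Malware that knows the whole protocol still cannot answer a challenge without the device secret and the PIN, cannot replay an old answer, and cannot alter the transaction without invalidating both MACs.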


-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx]
Sent: Wednesday, August 08, 2007 1:25 PM
To: robert.purvis@xxxxxxx
Cc: robert@xxxxxxxxxxxxx; websecurity@xxxxxxxxxxxxx
Subject: Re: [WEB SECURITY] MachineID fingerprinting


I am talking about device fingerprinting, not IP fingerprinting.
I am specifically looking for people who have reviewed such technologies and their experiences with them (not
a vendor response).


Regards,
- Robert 
http://www.webappsec.org/
http://www.cgisecurity.com/
> 
> A web server can identify the IP address of incoming requests - maybe that
> is what the Bank of America do. But this can easily be sidestepped if your
> request goes through a proxy. 
> 
> 
> Robert Purvis 
> Principal Technical Specialist 
> 
> 
> Systems and Service Delivery 
> NHS Connecting for Health 
> 01392 206691 
> robert.purvis@xxxxxxx 
> www.connectingforhealth.nhs.uk 
> 
> -----Original Message-----
> From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx] 
> Sent: 08 August 2007 05:24
> To: websecurity@xxxxxxxxxxxxx
> Subject: [WEB SECURITY] MachineID fingerprinting 
> 
> Yo list!
> 
> Has anyone had any experience with machineid technologies on the list?
> Specifically the ability to identify 1 machine and the ability to identify
> multiple users on the same machine either using javascript or via an
> installed application.
> 
> For example Bank of America uses this technology to some extent to remember
> your machine and provide additional challenge responses if it doesn't
> recognize it. If you've evaluated a technology and found it to be worthless
> I am also interested in finding out why.
> 
> Thanks
> - Robert
> http://www.webappsec.org/
> http://www.cgisecurity.com/
> 
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
> 
> Have a question? Search The Web Security Mailing List Archives: 
> http://www.webappsec.org/lists/websecurity/
> 
> Subscribe via RSS: 
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> 
> 
> 
> 

