
RE: [WEB SECURITY] MachineID fingerprinting



Robert,

I have evaluated several machineid implementations and found each of
them to provide minimal, if any, benefit to the overall security of the
application.  The fault doesn't typically lie in the technology/products
themselves, but rather in the way these products are implemented.

I have yet to see an organization that has employed technology like this
without explicitly allowing it to be bypassed when a user is on another
computer.  Bank of America can't afford to actually prevent you from
accessing your account from another computer.  Doing so would infuriate
their users.  So, they fall back to a single challenge question.  Most
of these challenge questions have no complexity requirements and there
is often no lockout policy associated with them.  Furthermore, they are
often the type of questions that have a finite number of easily
guessable answers ("What state were you born in?", etc).

These types of fallback mechanisms provide a weaker backdoor for
attackers looking to bypass the machineid technology, and they're much
more likely to be attacked, IMHO.

Also, since machineid fingerprinting changes the application's
authentication process (making it more complicated), I have seen a
number of organizations create some very serious vulnerabilities by
trying to add a machineid product into an existing application.  Doing
this incorrectly can enable an attacker to bypass portions of the
authentication process, to enumerate usernames, or to do other nasty
things that actually weaken the security of the app.

Regards,
Tom
http://www.securityps.com
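Tom's point that the fallback question becomes the weakest link unless it is constrained is easier to see in code. The following Python model is an added example for this archive page, not code from Tom, Robert, or any machineid product; the device token format (a random id bound to the user with an HMAC), the step-up flow, the five-attempt lockout and the short list of candidate answers are all assumptions constructed for the illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed for this example: a real deployment keeps this as a persistent server secret.
SERVER_KEY = secrets.token_bytes(32)

# Assumed policy: how many wrong answers to the fallback question an account tolerates.
MAX_CHALLENGE_FAILURES = 5


def _tag(user: str, device_id: str) -> str:
    """HMAC binding a device id to a user so a token cannot be minted or moved between users."""
    return hmac.new(SERVER_KEY, f"{user}:{device_id}".encode(), hashlib.sha256).hexdigest()


def issue_device_token(user: str) -> str:
    """Remember this browser: random device id plus its HMAC tag, stored client side."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_tag(user, device_id)}"


def device_token_valid(user: str, token: str) -> bool:
    """True only if the token was issued by this server for this user."""
    device_id, sep, tag = token.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_tag(user, device_id), tag)


@dataclass
class Account:
    """Per-user state; the password step is assumed to have been passed already."""
    user: str
    challenge_answer: str          # kept in clear here for brevity; hash it in production
    failed_challenges: int = 0
    locked: bool = False


def _normalise(answer: str) -> str:
    return " ".join(answer.lower().split())


def step_up(account: Account, token: Optional[str], answer: Optional[str] = None,
            enforce_lockout: bool = True) -> str:
    """Second step after the password.

    Returns 'ok', 'challenge' (fallback question required) or 'locked'.
    enforce_lockout=False reproduces the weak deployment described above:
    a fallback question with no lockout policy behind it.
    """
    if token and device_token_valid(account.user, token):
        return "ok"                      # recognised machine: no fallback needed
    if enforce_lockout and account.locked:
        return "locked"
    if answer is None:
        return "challenge"               # unrecognised machine: ask the question
    if hmac.compare_digest(_normalise(answer).encode(),
                           _normalise(account.challenge_answer).encode()):
        account.failed_challenges = 0
        return "ok"
    account.failed_challenges += 1
    if enforce_lockout and account.failed_challenges >= MAX_CHALLENGE_FAILURES:
        account.locked = True
        return "locked"
    return "challenge"


def fallback_attempts_allowed(candidates: List[str], account: Account,
                              enforce_lockout: bool) -> Tuple[str, int]:
    """Measure how far an unrecognised machine gets through the fallback question
    when it works through a candidate list. Returns (final_result, attempts_consumed)."""
    attempts = 0
    result = "challenge"
    for guess in candidates:
        if result == "locked":
            break
        attempts += 1
        result = step_up(account, token=None, answer=guess, enforce_lockout=enforce_lockout)
        if result == "ok":
            break
    return result, attempts


# Constructed sample answer space for a "What state were you born in?" style question.
CANDIDATES = ["Texas", "Kansas", "Florida", "Maine", "Iowa", "Utah", "Ohio", "Nevada"]

if __name__ == "__main__":
    weak = Account("alice", "Ohio")
    strong = Account("alice", "Ohio")
    print("no lockout:", fallback_attempts_allowed(CANDIDATES, weak, enforce_lockout=False))
    print("with lockout:", fallback_attempts_allowed(CANDIDATES, strong, enforce_lockout=True))
```

With `enforce_lockout=False` the fallback question, not the device check, decides how many tries an unrecognised machine gets, and a question with a small answer space is exhausted quickly; with the lockout in place the account stops answering after `MAX_CHALLENGE_FAILURES` wrong guesses. Hashing the stored answer, rate limiting per source, and giving the same response whether or not the username exists are the further controls a production flow would add.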


-----Original Message-----
From: robert@xxxxxxxxxxxxx [mailto:robert@xxxxxxxxxxxxx] 
Sent: Tuesday, August 07, 2007 11:24 PM
To: websecurity@xxxxxxxxxxxxx
Subject: [WEB SECURITY] MachineID fingerprinting 

Yo list!

Has anyone on the list had any experience with machineid technologies?
Specifically the ability to identify 1 machine and the ability to
identify multiple users on the same machine, either using javascript or
via an installed application.

For example Bank of America uses this technology to some extent to
remember your machine and provide additional challenge responses if it
doesn't recognize it. If you've evaluated a technology and found it to
be worthless I am also interested in finding out why.

Thanks
- Robert
http://www.webappsec.org/
http://www.cgisecurity.com/

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
