Re: [WEB SECURITY] MachineID fingerprinting
- From: "Esam Gharish" <egharish@xxxxxxxxx>
- Subject: Re: [WEB SECURITY] MachineID fingerprinting
- Date: Wed, 8 Aug 2007 20:06:56 +0100
Hello all,

MAC Addresses can be spoofed...and if you are looking for a secure system,
don't rely on the authenticity of MAC addresses.

You may wish to verify this by looking at the following URLs...or just do a
Google search on "Mac Address Spoofing".
http://en.wikipedia.org/wiki/MAC_address
http://ezine.daemonnews.org/200406/netgraph.html

If you are looking to secure communications between client and server
machines, you might be interested in using SSLExplorer.

You can read about it from here.
http://www.sshtools.com/showSslExplorer.do

And you can download it from here.
http://sourceforge.net/projects/sslexplorer/

On 8/8/07, Walt Williams <walt.williams@gmail.com> wrote:
>
> you may benefit from reading the defcon presentation on how easily
> things like this are spoofed.
>
> On 8/8/07, robert@webappsec.org <robert@webappsec.org> wrote:
> > I am talking about device fingerprinting not IP fingerprinting.
> > I am specifically looking for people who have reviewed such technologies
> > and their experiences with them (not a vendor response).
> >
> >
> > Regards,
> > - Robert
> > http://www.webappsec.org/
> > http://www.cgisecurity.com/
> > >
> > > A web server can identify the IP address of incoming requests - maybe that
> > > is what the Bank of America do. But this can easily be sidestepped if your
> > > request goes through a proxy.
> > >
> > >
> > > Robert Purvis
> > > Principal Technical Specialist
> > >
> > >
> > > Systems and Service Delivery
> > > NHS Connecting for Health
> > > 01392 206691
> > > robert.purvis@nhs.net
> > > www.connectingforhealth.nhs.uk
> > >
> > > -----Original Message-----
> > > From: robert@webappsec.org [mailto:robert@webappsec.org]
> > > Sent: 08 August 2007 05:24
> > > To: websecurity@webappsec.org
> > > Subject: [WEB SECURITY] MachineID fingerprinting
> > >
> > > Yo list!
> > >
> > > Has anyone had any experience with machineid technologies on the list?
> > > Specifically the ability to identify 1 machine and the ability to identify
> > > multiple users on the same machine either using JavaScript or via an
> > > installed application.
> > >
> > > For example Bank of America uses this technology to some extent to remember
> > > your machine and provide additional challenge responses if it doesn't
> > > recognize it. If you've evaluated a technology and found it to be worthless
> > > I am also interested in finding out why.
> > >
> > > Thanks
> > > - Robert
> > > http://www.webappsec.org/
> > > http://www.cgisecurity.com/
> > >
> > >
> > > ----------------------------------------------------------------------------
> > > Join us on IRC: irc.freenode.net #webappsec
> > >
> > > Have a question? Search The Web Security Mailing List Archives:
> > > http://www.webappsec.org/lists/websecurity/
> > >
> > > Subscribe via RSS:
> > > http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
> > >
> >
>
>
> --
> Walt Williams, CISSP, SSCP
Brought to you by http://www.webappsec.org