Wikipedia talk:WikiProject Computer Security

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 203.206.137.129 (talk) at 03:08, 9 March 2009 (Threats to Authentication Procedures and Data). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.


List of trojan horses

Look at that article; it's a mess.

  • Which vendor's detections are we relying on? As I stated earlier, Vendor "A" can have completely different detections from Vendors "B" and "C". Are we going by Symantec's classification? Kaspersky? NOD32? Avira?????!!!!!!!
  • Continuing on that point: Today's polymorphic viruses can contain many characteristics of several different kinds of malware. Take Conficker. It's a worm first of all; it attacks network shares. It also is an exploit; it exploits a vulnerability in the server service. It also does a host of other "bad" things, such as modifying the hosts file, etc. etc. A "bad" hacker could easily obtain a copy of Conficker (I did too), and modify it to his pleasing, maybe adding rootkit-like abilities. Then, there would be at least 3 classifications ... Vendor "A" saying rootkit, "B" saying exploit, and "C" saying Conficker.

This list is pointless unless we reach a consensus on whose definition to trust. Or, we could cross-reference the detections ... however AV-test has already done that here.

The above is not just theoretical; it's real. I have run across a plethora of malware samples that overlap categories, and vendors disagreeing over detections.

  • Also, what do we do about generic detections? Are they of importance? They can be used to detect a plethora of malware as well, not just trojans.

We must reach a consensus on the above; otherwise I see good reason to delete this pointless article. And that's considering the "imperfect" clause at the beginning of the article. Thanks for hearing me out. I apologize for the tone; I am not angry. TechOutsider (talk) 03:37, 21 February 2009 (UTC)Techoutsdier

Anyone is free to comment on this; un/fortunately, I am off to take some IT training/testing. I will be back on March 1st, and I'll input my ideas to everyone else's. Wish me luck. Sephiroth storm (talk) 05:25, 22 February 2009 (UTC)[reply]

Tagging

Tagging has begun today, I am removing WP:Malware and CCISTF tags, and replacing them with ours. For the moment, we will be taking on the responsibilities of both. Sephiroth storm (talk) 14:53, 22 December 2008 (UTC)[reply]

Before we start taking on these tasks, we should probably just call on a bot to move them all. Ask Tinu Cherian .. he has the bot for his account to take care of it. blurpeace (talk - contributions) 19:14, 23 December 2008 (UTC)[reply]

LoA

I am currently on LoA until I complete the Rifle Range. Sephiroth storm (talk) 02:51, 6 January 2009 (UTC)[reply]

Let me know if there's anything in particular I can lend a hand with. I'm only a couple of months in as far as wiki is concerned, so I can't write any bots or anything, but if there's any grunt work to do, just drop a message on my talk page. Ched (talk) 01:43, 19 January 2009 (UTC)[reply]

How to Join

How do I join the WikiProject?

Securityadvisor - Talk | Contribs 00:18, 23 January 2009 (UTC)[reply]

Securityadvisor, I think you just add yourself to the list of participants on the project page, and get to work! I intend on going through the list of work items on the project page, and adding some articles when I can. This is my first active involvement in a project, but I think I can be a great help! Although I see there hasn't been much activity on this project for a while, no? Abs0lutZ3RO (talk) 04:08, 27 January 2009 (UTC)[reply]

Actually, this project is very active! We are about to start with monthly tasks, which members can assign to themselves. As far as membership in the project goes, yes, add your name to the project list and start working on our articles. Sephiroth storm (talk) 21:51, 29 January 2009 (UTC)[reply]

Notes on Computer Security Categories

The current subcategories of Computer security seem somewhat ad hoc. Let's discuss a more systematic approach that will allow us to determine missing articles.

Here is the strawman draft framework of more general categories, and how existing subcategories map onto it (shown in italics in the original):

  • Dimension 1: 'Where' - this top-level subcategory is related to the areas of computer security
    • Software
      • Operating system security
    • Hardware
    • Network
      • Computer network security
    • Information
      • Data security
      • Internet privacy (privacy does not belong to computer security in the strict sense)
    • Social
  • Dimension 2: 'When' - this top level subcategory is related to various processes related to computer security
    • Development
    • Acquisition
    • Governance
    • Operations
      • Controls
        • Access control
        • Authentication methods
        • Cryptography
        • End-to-end security (this subcategory should be removed and merged with others)
        • Identity management systems (this subcategory is very similar to authentication methods)
      • Incident response
        • Computer forensics
        • Computer security procedures/Information technology audit
    • Assurance
    • Research
      • Computer security models
    • History
  • Dimension 3: 'How' - this top-level subcategory is related to various approaches to computer security
    • Regulation
    • Standards
      • Computer security procedures/computer security standards
    • Education
    • Certification and Accreditation
      • Computer security procedures/computer security qualifications
      • Computer security procedures/computer security accreditations
    • Computer security tools
      • Security software
    • Exploitation/Hacking
      • Hacking
      • Security exploits
  • Dimension 4: 'Who' - this top-level category is related to people and organizations involved in computer security
    • Computer security organizations
    • People associated with computer security
    • Security software companies
-- Equilibrioception (talk) 04:29, 31 January 2009 (UTC)[reply]

More Notes on Computer Security Categories

I agree that the categories need a lot of work. Here's a list I put together from "out of the box" (my memory, and some extreme lateral thinking) of things that relate to Threats to Authentication Procedures and Data. The main problem with "categories" is that security people like them, and hackers ignore them - and there are quite a few places where classes of hacker tricks simply don't fit neatly inside existing categories or analogies.

Background

There is a bewildering array of tricks, techniques, and technologies that exist to steal passwords, attack password systems, and circumvent authentication security.

The List

Here is the list:


  • 1. Confidence Tricks

    • 1.1. Phishing emails
      • 1.1.1. to lure victims to spoof sites
      • 1.1.2. to lure victims into installing malicious code
      • 1.1.3. to lure victims towards O/S vulnerabilities to inject malicious code
      • 1.1.4. to lure victims into revealing information directly via reply or via embedded FORMS within the email
    • 1.2. telephone phishing
      • 1.2.1. to directly extract auth info
      • 1.2.2. to direct victim to spoof site
    • 1.3. person-to-person phishing / situation engineering
      • 1.3.1. to directly extract auth info (ask)
      • 1.3.2. to direct victim to spoof site
      • 1.3.3. shoulder surfing (aka 4.5.2)
      • 1.3.4. physical attack of user - see 4.7
      • 1.3.5. physical attack of user resources (eg: computer theft)
      • 1.3.6. physical attack of server resources (eg: server/hosting-facility compromise)
    • 1.4. typographic attacks
      • 1.4.1. purpose: spoofing (eg: paypa1.com - using a number 1 for a little L)
      • 1.4.2. purpose: direct download of malicious code
      • 1.4.3. purpose: browser exploit injection
    • 1.5. online phishing
      • 1.5.1. pop-up/pop-behind windows to spoof sites
      • 1.5.2. floating <DIV> or similar elements (eg: emulating an entire browser UI)


  • 2. Remote Technical Tricks

    • 2.1. spoof techniques
      • 2.1.1. vanilla fake look-alike spoof web sites
      • 2.1.2. CGI proxied look-alike web site (server CGI talks to real site in real time - "man in the middle attack")
      • 2.1.3. popup windows hiding the address bar (3.4.1/3.4.2)
      • 2.1.4. <DIV> simulated browsers (1.5.2)
    • 2.2. iframe exploits (eg: 1.5.1/1.1.3) (spammers buy iframes to launch 1.5 and 1.4 attacks)
    • 2.3. p2p filesharing publication of products modified to remove/limit protection - PGP, IE7, Mozilla, ...
    • 2.4. DNS poisoning (causes correct URL to go to spoof server)
      • 2.4.1. client "hosts" file modification
      • 2.4.2. ISP's DNS servers compromised
    • 2.5. traffic sniffing (eg: at ISP, telco, WiFi, LAN, phone tap...)
    • 2.6. proxy poisoning (correct URL returns incorrect HTML)
    • 2.7. browser exploits (correct URL returns incorrect HTML)
    • 2.8. targeted proxy attack
      • 2.8.1. directs to vanilla spoof web site (2.1.1)
      • 2.8.2. uses CGI re-writing to proxy legitimate site (eg: convert HTTPS into HTTP to activate traffic sniffing) (2.1.2)
      • 2.8.3 activates 5.7
    • 2.9. Authorized exploitation - see 3.5.
    • 2.10. Exploiting outdated technology - eg: old browsers allowing frames from site A to read content in site B.
    • 2.11. undismissable download dialogues (eg: active-X) - see 3.3


  • 3. Local Technical Tricks

    • 3.1. Software vulnerabilities (aka exploits - eg - 1.1.3)
      • 3.1.1. Known
      • 3.1.2. Unknown
    • 3.2. Browser "toolbars" (grant unrestricted DOM access to SSL data)
    • 3.3. Trojans
      • 3.3.1. Standalone modified/hacked legitimate products (eg: PGP or a MSIE7) with inbuilt protection removed/modified.
      • 3.3.2. Bogus products (eg: the anti-spyware tools manufactured by the Russian spam gangs)
      • 3.3.3. Legitimate products with deliberate secret functionality (eg: warez keygens, sony/CD-Rom music piracy-block addins)
      • 3.3.4. Backdoors (activate remote control and 3.4.1/3.4.2)
    • 3.4. Viruses
      • 3.4.1. General - keyloggers, mouse/screen snapshotters
      • 3.4.2. Targeted - specifically designed for certain victim sites (eg paypal/net banking) or certain victim actions (eg: password entry, detecting typed credit card numbers)
    • 3.5. Authorized exploitation
      • 3.5.1. An authority (eg: Microsoft WPA/GA, Police, ISP, MSS, FBI, CIA, MI5, Feds...) Engineers "legitimately" signed & authenticated Trojan/Viral software to be shipped down the wire (eg: during "Windows Update") to victim PC
      • 3.5.2. Privileged persons (eg government, company staff, datacenter staff, hackers) "legitimately" compromise servers or steal secrets serverside.
    • 3.6. Visual tricks
      • 3.6.1. browser address bar spoofing
      • 3.6.2. address bar hiding
    • 3.7. Hardware attacks
      • 3.7.1. keylogger devices
      • 3.7.2. TEMPEST
      • 3.7.3. malicious hardware modification (token mods, token substitution, auth device substitution/emulation/etc)
    • 3.8. Carnivore, DCS1000, Altivore, NetMap, Echelon, Magic Lantern, RIPA, SORM... see 3.5


  • 4. Victim Mistakes

    • 4.1. writing down passwords
    • 4.2. telling people passwords
      • 4.2.1. deliberately (eg: friends/family)
      • 4.2.2. under duress (see 4.7)
    • 4.3. picking weak passwords
    • 4.4. using same passwords in more than one place
    • 4.5. inattentiveness when entering passwords
      • 4.5.1. not checking "https" and padlock and URL
      • 4.5.2. not preventing shoulder surfing
    • 4.6. permitting accounts to be "borrowed"
    • 4.7. physical attack (getting mugged)
      • 4.7.1. to steal auth info
      • 4.7.2. to acquire active session
      • 4.7.3. to force victim to take action (eg: xfer money)
    • 4.8. allowing weak lost-password "questions"/procedures
    • 4.9. people using outdated older technology (see 2.10)


  • 5. Implementation Oversights

    • 5.1. back button
    • 5.2. lost password procedures
    • 5.3. confidence tricks against site (as opposed to user)
    • 5.4. insecure cookies (non-SSL session usage)
    • 5.5. identity theft? site trusts user's lies about identity - see 7.1
    • 5.6. trusting form data
    • 5.7. accepting auth info over NON-SSL (eg: forgetting to check $ENV{HTTPS} is 'on' when performing CGI password checks)
    • 5.8. allowing weak lost-password "questions"/procedures
    • 5.9. replay
    • 5.10. robot exclusion (eg: block mass password guessing)
    • 5.11. geographical exclusion (eg: block logins from Korea)
    • 5.12. user re-identification - eg - "We've never seen you using Mozilla before"
    • 5.13. site-to-user authentication
    • 5.14. allowing users to "remember" auth info in browser (permits local attacks by unauthorised users)
    • 5.15. blocking users from being allowed to "remember" auth info in browser (facilitates spoofing / keyloggers)
    • 5.16. using cookies (may permit local attacks by unauthorised users)
    • 5.17. not using cookies (blocks site from identifying malicious activity or closing co-compromised accounts)
    • 5.18. preventing foreign script in web site context (eg: cookie theft, bogus injected login screens on live site, etc) - also called Cross-Site Scripting or XSS
    • 5.19. input data sanitization. eg: someone typing this in a "name" input box: <script>alert(document.cookie)</script>
    • 5.20. output data sanitization. eg: allowing this to be printed in a form value= field without escaping the quotes: ' onclick='alert(document.cookie)
    • 5.21. cryptographic oversights - using time() or rand() or pseudo-random functions to generate cookies or IDs or session keys (all can be easily guessed)
    • 5.22. sessions: omitting key protection (eg: using serial integers when generating session keys/cookies/etc)
    • 5.23. data: omitting key protection (eg: using unprotected database key IDs in hidden <form> elements)
    • 5.24. ? XmlHttpRequests - might allow XSS or browser-based spoofing via proxy
    • 5.25. ? Other crypto attacks on implementations


  • 6. Denial of Service attacks

    • 6.1. deliberate failed logins to lock victim out of account
    • 6.2. deliberate failed logins to acquire out-of-channel subsequent access (eg: password resets)


  • 7. Enrollment attacks

    • 7.1. Deliberate wrongdoer creates new set of credentials (eg: via identity theft)
    • 7.2. Identity squatters "register" your name/nickname/persona prior to you.


  • 8. Please contribute to this document! (click the "edit" button above)


203.206.137.129 (talk) 03:08, 9 March 2009 (UTC)[reply]
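The "Implementation Oversights" section of the list above names several server-side mistakes that are easy to check for in code. The following Python is an added example, not part of the post above or of any Wikipedia article: it puts a weak check beside the corrected one for three of those items, the non-SSL credential check written in the post as a Perl `$ENV{HTTPS}` test, the attribute-context output escaping oversight illustrated with the `' onclick='alert(document.cookie)` input, and guessable session keys built from `time()`-seeded `rand()` or serial integers. The environment dictionaries, the payload string and the token samples are all constructed here; the function names are the example's own.

```python
"""Added example: three implementation oversights from the threat list,
each as the weak behaviour next to the corrected one. All inputs are
constructed for the example; nothing is taken from a real site."""
import html
import random
import secrets
import time
from html.parser import HTMLParser
from typing import Dict, List


# --- 5.7: accept credentials only over HTTPS -----------------------------
def credentials_allowed(environ: Dict[str, str]) -> bool:
    """Same test as the Perl `$ENV{HTTPS} eq 'on'` check in the list:
    the CGI environment must say HTTPS is on before a password is read."""
    return environ.get("HTTPS") == "on"


# --- 5.20: output escaping in an attribute context -----------------------
# Constructed input, taken verbatim from the list's own example.
ATTR_PAYLOAD = "' onclick='alert(document.cookie)"


def render_unescaped(name: str) -> str:
    """The oversight: user data dropped straight into a value='' attribute."""
    return f"<input name='user' value='{name}'>"


def render_escaped(name: str) -> str:
    """The fix: html.escape(quote=True) turns ' and " into entities, so the
    data can never close the attribute and start a new one."""
    return f"<input name='user' value='{html.escape(name, quote=True)}'>"


class _AttrCollector(HTMLParser):
    """Parse the rendered tag the way a browser would and keep its attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "input":
            self.attrs = {k: (v or "") for k, v in attrs}


def parsed_attributes(markup: str) -> Dict[str, str]:
    """Attributes a browser would see; an injected onclick shows up here."""
    parser = _AttrCollector()
    parser.feed(markup)
    return parser.attrs


# --- 5.21 / 5.22: guessable session keys ---------------------------------
def serial_token(last: int) -> str:
    """Oversight 5.22: the next session key is just the previous one plus 1."""
    return str(last + 1)


def time_seeded_token() -> str:
    """Oversight 5.21: rand() seeded from time() repeats within a second."""
    random.seed(int(time.time()))
    return "%08x" % random.getrandbits(32)


def strong_token() -> str:
    """The fix: 256 bits from the OS CSPRNG, URL-safe for use in a cookie."""
    return secrets.token_urlsafe(32)


def tokens_look_guessable(tokens: List[str]) -> bool:
    """Cheap audit a defender can run over a sample of issued session keys:
    flag repeats, and flag samples that are consecutive integers."""
    if len(set(tokens)) < len(tokens):
        return True
    try:
        values = [int(t) for t in tokens]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(values, values[1:]))


if __name__ == "__main__":
    print("https only:", credentials_allowed({"HTTPS": "on"}), credentials_allowed({}))
    print("unescaped :", sorted(parsed_attributes(render_unescaped(ATTR_PAYLOAD))))
    print("escaped   :", sorted(parsed_attributes(render_escaped(ATTR_PAYLOAD))))
    print("serial    :", tokens_look_guessable([serial_token(i) for i in range(100, 105)]))
    print("time-seed :", tokens_look_guessable([time_seeded_token() for _ in range(3)]))
    print("strong    :", tokens_look_guessable([strong_token() for _ in range(5)]))
```

The escaping check parses the rendered tag with the standard library's `HTMLParser` rather than inspecting the string, because that is what decides whether the quote in the input ended the `value` attribute: the unescaped rendering yields three attributes including `onclick`, the escaped one yields two, with the whole payload sitting harmlessly inside `value`. The token audit is deliberately crude; it catches only the two failure modes the list names (repeats from a time-seeded generator, consecutive integers), so a token that passes it is not thereby proven strong.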

Notes on Terminology

The current emergent term for 'Computer Security' is 'Cybersecurity'. For example, there is the DHS National Cybersecurity Division. 'Cyberspace' is considered part of US National Critical Infrastructure, see [National Strategy to Secure Cyberspace]. This document uses the term 'cybersecurity'. See also [Obama Unveils Cybersecurity agenda]. Wikipedia already has a redirect link for 'Cybersecurity', as a synonym for 'Computer Security'.

There are three related areas:

  • Security
  • Privacy
  • Safety

Currently one of the subcategories for 'Computer Security' is 'Internet Privacy'. This is incorrect. However, our project can make a decision to include 'Privacy' and 'Safety' in the scope of the project. This makes sense, as many of the approaches are quite similar.

-- Equilibrioception (talk) 04:29, 31 January 2009 (UTC)[reply]

So are you suggesting that we open our scope to all articles dealing with privacy issues? I can see how this can work; articles like Peer guardian privacy software would fall under it. Can you identify these categories and place them here? Sephiroth storm (talk) 20:37, 16 February 2009 (UTC)[reply]

Tagging Computer Security articles

Hi, I added a 'Computer Security' tag to Talk:Cyberspace. I've noticed that many articles are tagged as

   {{WikiProject Computing|class=Start|importance=|security=yes|security-importance=High}}

where there is an additional parameter "security=yes". See for example Talk:Access control. Shall we convert such articles to the new 'Computer Security' tag? I believe it is a good idea to use the 'Computer Security' tag, because this will simplify management of the lists of articles for our project. Does anyone know an automated way of doing this?

-- Equilibrioception (talk) 05:48, 31 January 2009 (UTC)[reply]
Yes, Tinucherian has a bot that can assist us, what we have to do is get a list of all the relevant categories that fall under our scope. Once we do that, then we can ask Tinu to send his bot through to tag each of the articles. Would anyone like to assist on this? Sephiroth storm (talk) 20:34, 16 February 2009 (UTC)[reply]
Currently we have two category spaces in Computer Security: Computer Security and Information articles and Computer Security Articles. The tag in the Computer Security Project places articles into the Computer Security Category. I have added a temporary table to the project to show statistics for Computer Security. I suggest we consolidate the two spaces asap.
-- Equilibrioception (talk) 19:30, 23 February 2009 (UTC)[reply]

Awards

I will try to award members with Barnstars as I see their contributions to Computer Security articles. If an editor shows a desire for such, I also have no problem recommending some of our editors for adminship, if they show the capacity for it. In any case, our first award was given today to TechOutsider for his work on the Malwarebytes article, bringing it from deletion review to a Start-class article! Thank you for your service! Sephiroth storm (talk) 20:34, 16 February 2009 (UTC)[reply]