Monthly Archives: September 2010

Why I Love ABE

19 Sep 2010

ABE, the Application Boundaries Enforcer included in NoScript, is something I take advantage of. It lets you define rules that prevent ClickJacking/UI redressing and CSRF. It lets you restrict which sites can direct your browser (via a form, link or redirect) to another site, and you can also prohibit certain sites from being embedded (think ClickJacking/UI Redressing attacks).

So how can one take advantage of this? I offer a snippet of my ABE “USER” policy.

Protection for my internet banking. This still allows a JavaScript redirect from http://www.nab.com.au, after which I check the EV certificate to make sure it wasn’t tampered with.

Site ib.nab.com.au
Accept ALL from SELF
Anonymize

Protection for Google Apps. This allows me to load a bookmark to https://mail.google.com/a/stevenroddis.com, which redirects to a login page on https://www.google.com. I have not included Google Sites, because I don’t use it and I’m not sure whether it can contain arbitrary JavaScript.

Site mail.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com
Accept ALL from mail.google.com https://www.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com
Deny

The next two rules allow me to click on links outside my site that bring me to my site, but the request won’t carry my authentication, so they can’t do damage.

Site http://stevenroddis.com http://www.stevenroddis.com
Accept ALL from stevenroddis.com www.stevenroddis.com
Anonymize
Site https://www.stevenroddis.com
Accept ALL from SELF
Anonymize
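To make the three rule sets above concrete, here is a small evaluator I have added to this post (it is my own example, not NoScript’s code). It parses the policy snippet as written above and reports what each rule set would do to a constructed request from one origin to one destination: Accept (send normally), Anonymize (send without cookies or other credentials), or Deny (block). The matching semantics are simplified assumptions, not ABE’s real implementation: a bare host matches that exact host on any scheme, a scheme://host entry pins the scheme too, SELF means the origin has the same scheme and host as the destination, the first matching Site block and its first matching rule win, and requests with no origin (a typed URL or bookmark) are treated as user-initiated and accepted.

```python
"""Toy evaluator for ABE-style policies (added example; not NoScript's own code).

Simplifying assumptions, NOT ABE's real semantics:
- a bare host in a Site/from list matches that exact host on any scheme;
- a scheme://host entry matches only that scheme and host;
- SELF matches when the origin has the same scheme and host as the destination;
- the first Site block matching the destination is used; its first matching rule wins;
- a request with no origin (typed URL, bookmark) is treated as user-initiated and accepted;
- destinations covered by no Site block are accepted.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# The USER policy snippet from the post, verbatim.
POLICY = """
Site ib.nab.com.au
Accept ALL from SELF
Anonymize

Site mail.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com
Accept ALL from mail.google.com https://www.google.com docs.google.com spreadsheets.google.com panel.dreamhost.com
Deny

Site http://stevenroddis.com http://www.stevenroddis.com
Accept ALL from stevenroddis.com www.stevenroddis.com
Anonymize

Site https://www.stevenroddis.com
Accept ALL from SELF
Anonymize
"""


@dataclass
class Rule:
    action: str   # Accept | Deny | Anonymize
    origins: list # patterns after "from"; empty list means any origin


@dataclass
class SiteBlock:
    sites: list   # destination patterns from the "Site" line
    rules: list   # rules in the order written


def parse_policy(text):
    """Parse "Site ..." blocks and their Accept/Deny/Anonymize lines."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if tokens[0] == "Site":
            blocks.append(SiteBlock(sites=tokens[1:], rules=[]))
            continue
        if not blocks:
            raise ValueError("rule before any Site line: " + line)
        action = tokens[0]
        if action not in ("Accept", "Deny", "Anonymize"):
            raise ValueError("unknown action: " + line)
        # "Accept ALL from a b c": everything after "from" is an origin pattern.
        origins = tokens[tokens.index("from") + 1:] if "from" in tokens else []
        blocks[-1].rules.append(Rule(action, origins))
    return blocks


def _matches(pattern, url, dest):
    """Does one Site/from pattern match url? dest is needed to resolve SELF."""
    u = urlsplit(url)
    if pattern == "SELF":
        d = urlsplit(dest)
        return (u.scheme, u.hostname) == (d.scheme, d.hostname)
    if "://" in pattern:               # scheme-pinned entry such as https://www.google.com
        p = urlsplit(pattern)
        return (u.scheme, u.hostname) == (p.scheme, p.hostname)
    return u.hostname == pattern       # bare host, any scheme


def evaluate(blocks, origin, dest):
    """Return the action the policy applies to a request from origin to dest."""
    if origin is None:                 # user-initiated navigation (assumption)
        return "Accept"
    for block in blocks:
        if not any(_matches(s, dest, dest) for s in block.sites):
            continue
        for rule in block.rules:
            if not rule.origins or any(_matches(o, origin, dest) for o in rule.origins):
                return rule.action
        return "Accept"                # block matched, no rule matched: default allow
    return "Accept"                    # no Site block covers this destination


if __name__ == "__main__":
    # Constructed sample requests; "other-site.invalid" stands in for any third-party page.
    blocks = parse_policy(POLICY)
    samples = [
        ("http://www.nab.com.au/", "https://ib.nab.com.au/login"),
        ("https://other-site.invalid/", "https://docs.google.com/document/d/x"),
        ("https://www.google.com/accounts/ServiceLogin", "https://mail.google.com/a/stevenroddis.com"),
        ("https://other-site.invalid/", "http://stevenroddis.com/post"),
    ]
    for origin, dest in samples:
        print(f"{evaluate(blocks, origin, dest):10} {origin} -> {dest}")
```

The interesting cases are the ones the post describes: a redirect from www.nab.com.au to internet banking arrives anonymized rather than blocked, a third-party page linking to docs.google.com is denied, and a third-party link to the blog is sent without credentials. Note that the Google Apps rule pins https://www.google.com, so the same host over plain http would be denied; that is the kind of detail to check when a rule produces an unexpected false positive.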

After some tweaking of the Google Apps rule, I haven’t had any false positives, so I’m continuing to enjoy enhanced proactive protection.

Cheers,

Steve

Can Banks Please Stop Doing This?

2 Sep 2010

Bank: Hi, I’m <name> from <bank>, may I speak to Steven Roddis?
Me: Hi, I’m speaking.
Bank: We are doing a survey. To confirm who you are I need to ask you some questions, is that ok?
Me: You’re going to ask me questions that only <bank> and I know; how do I know you are <bank>?
Bank: Um, I can give you my employee number or you can listen to our hold music.
Me: That can all be spoofed. I don’t want to be rude, but this conversation can’t be authenticated without one of us taking a leap of faith, so I’ll end it here. Have a nice day.
Bank: You too, good day.

I got this call just a week ago, but it only just hit me. I am usually at my desk, so one method of authenticating a call would be for me to pick some numbers, a word or a phrase and have them send it to me as a message on their internet banking site, so that once I log in I can see it. This of course doesn’t work if you call me while I’m out. But the real question is: why are you authenticating someone for a survey?