Security Considerations for the Ecosystem
Todo
1. Ashkan summarize the thread
+ Listing out security scenarios
+ Listing out proposals
2. Extract test scenarios from 2 threads:
+ Anonymous access with tickets
+ Adding items to collections via email
3. Write up proposal for anonymous access with tickets issue
+ Compare dictionary attacks on tickets to dictionary attacks on username/passwords
4. Find numbers re: users signing up for accounts on the web
Entrypoints:
- via SMTP
- via Chandler desktop (Not in scope)
- via ChandlerAPI? (cAPI)
- via ScoobyAPI? (what if it's spoofed - is that in scope?)
- via HTTP using tickets
- via HTTP using a login account
Potential Unauthorized Scenarios
| NAME | Harmfulness | Difficulty | Likelihood | Description |
| SMTP-lost | Med | Low | ?Med? | malicious user obtains calendar email via lost/misplaced mail message and creates new calendar items |
| SMTP-dict | Med | Hard | Low | malicious user obtains 'calendar' email addr via dictionary attack and creates new calendar items |
| |
| HTTP-ro-tick-lost | Low | Low | Low? | malicious user obtains read-only HTTP access url due to lost/misplaced ticket |
| HTTP-ro-tick-dict | Low | High | High | malicious user obtains read-only HTTP access url due to dictionary attack |
| HTTP-ro-pass-lost | Low | Low | Low | malicious user obtains read-only HTTP access via a lost password |
| HTTP-ro-pass-dict | Low | Med | High | malicious user obtains read-only HTTP access via a dictionary password attack |
| |
| HTTP-rw-tick-lost | High | Low | Low? | malicious user obtains read-write HTTP access due to lost/misplaced ticket |
| HTTP-rw-tick-dict | High | High | High | malicious user obtains read-write HTTP access due to dictionary attack |
| HTTP-rw-pass-lost | High | Low | Low | malicious user obtains read-write HTTP access due to lost/misplaced password |
| HTTP-rw-pass-dict | High | Med | High | malicious user obtains read-write HTTP access due to dictionary password attack |
| |
| cAPI-tick-lost | ?? | Low | ?? | malicious user obtains access to cosmo server via lost/misplaced ticket or hacking the API |
| cAPI-tick-dict | ?? | Med | ?? | malicious user obtains access to cosmo server via dictionary attack or hacking the API |
| cAPI-pass-lost | ?? | Low | ?? | malicious user obtains access to cosmo server via lost/misplaced password or hacking the API |
| cAPI-pass-dict | ?? | Med | ?? | malicious user obtains access to cosmo server via dictionary password attack or hacking the API |
Assumptions:
- Dictionary attack for tickets is easier than username/password
- Hash is more predictable. Code to generate hash can be taken from source code
Questions:
- Are sAPI/cAPI the same?
- Is cAPI-tick same as HTTP-tick?
- What about exploiting the application via SMTP injection to resources you're not supposed to have access to?
- Example of 'trust' where a small-group collaborator wouldn't knowingly share their ticket. Yes, but ERRORs do happen.
- SMTP spoofed email
Possible Approaches:
- whitelist 'who's allowed to send emails'
- quarantine/triage incoming calendar events (may not show up in time)
- use 'weak' passwords
- use 'expiring' email aliases
- use SMTP/HTTP throttling and dynamic blocking to mitigate dictionary attacks for tickets/email-addresses
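One way the throttling and dynamic blocking approach above could work for HTTP ticket lookups, as an added example (not Cosmo or Chandler code). The class name, thresholds and sample addresses are assumptions, and tickets here come from the OS random source rather than a hash, which addresses the predictability assumption listed earlier.

```python
import hashlib
import secrets
from collections import defaultdict, deque


class TicketGuard:
    """Hypothetical guard: throttle and block sources that guess tickets."""
    def __init__(self, max_failures=5, window=60.0, block_for=900.0):
        self.max_failures = max_failures  # failed lookups tolerated per window
        self.window = window              # sliding window, seconds
        self.block_for = block_for        # block duration, seconds
        self._tickets = set()             # SHA-256 digests of issued tickets
        self._failures = defaultdict(deque)  # source -> failure timestamps
        self._blocked_until = {}          # source -> time the block ends

    @staticmethod
    def _digest(ticket):
        return hashlib.sha256(ticket.encode("utf-8")).hexdigest()

    def issue(self):
        ticket = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._tickets.add(self._digest(ticket))
        return ticket

    def check(self, source, ticket, now):
        """Return 'ok', 'denied' or 'blocked' for one lookup at time `now`."""
        if self._blocked_until.get(source, 0.0) > now:
            return "blocked"  # even a valid ticket is refused while blocked
        if self._digest(ticket) in self._tickets:
            return "ok"
        recent = self._failures[source]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()  # forget failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._blocked_until[source] = now + self.block_for
            recent.clear()
        return "denied"


def simulate():
    # Constructed traffic: one source guessing tickets, one valid collaborator.
    guard = TicketGuard(max_failures=5, window=60.0, block_for=900.0)
    good = guard.issue()
    results = [guard.check("203.0.113.7", "guess-%d" % i, float(i)) for i in range(7)]
    results.append(guard.check("198.51.100.2", good, 7.0))    # other source
    results.append(guard.check("203.0.113.7", good, 8.0))     # still blocked
    results.append(guard.check("203.0.113.7", good, 905.0))   # block expired
    return results
```

The same counter can be keyed on the SMTP envelope sender or connecting address to cover guessed calendar email addresses.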
Notes on communication with Cosmo
- CalDAV is what scooby and chandler use, although they use different parts of it
- JSON-RPC is what scooby will use after it's merged into cosmo