A confused deputy attack

A confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation. In information security, the confused deputy problem is often cited as an example of why capability-based security is important, as capability systems protect against this whereas ACL-based systems do not.

Confidence-trick-based scams rely on gaining the trust of a victim so that an attacker can use them as a confused deputy. For example, in salting, an attacker presents a victim with what appears to be a mineral-rich mine. Here the attacker exploits the victim’s greed to persuade them to perform an action they would not normally take.

When checking out at a grocery store, the cashier scans the barcode of each item to determine the total cost. A thief could replace the barcodes on his items with those of cheaper items. In this attack the cashier is a confused deputy, using seemingly valid barcodes to determine the total cost.

A cross-site request forgery (CSRF) is an example of a confused deputy attack that uses the web browser to perform sensitive actions against a web application. A common form occurs when a web application uses a cookie to authenticate all requests transmitted by a browser; because the browser attaches that cookie automatically, an attacker’s page can use JavaScript to make the browser transmit authenticated HTTP requests.
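As an added illustration (not part of the original article), the following constructed Python model shows the cookie-only authentication described above beside a hardened version that also requires a per-session token which a cross-site page cannot read. The session store, the "transfer" action and the server key are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed model of a "transfer" endpoint: the browser attaches the session
# cookie to every request, so cookie-only auth makes it a confused deputy.
SESSIONS = {"sess-alice": "alice"}          # cookie value -> user (constructed)
TOKEN_KEY = b"constructed-server-side-secret"  # key for the token MAC (constructed)


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def csrf_token(session_id: str) -> str:
    """Per-session anti-CSRF token. Only a page the application served to the
    real session can read it and embed it in a form; a cross-site page cannot."""
    return hmac.new(TOKEN_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_vulnerable(req: Request) -> str:
    """Cookie alone grants authority: honours any request the browser sends."""
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return "denied: not logged in"
    return f"transferred {req.form['amount']} from {user} to {req.form['to']}"


def transfer_hardened(req: Request) -> str:
    """Cookie only identifies the session; the token proves the request came
    from a page the application itself served (synchronizer token pattern)."""
    sid = req.cookies.get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return "denied: not logged in"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(sid)):
        return "denied: missing or invalid CSRF token"
    return f"transferred {req.form['amount']} from {user} to {req.form['to']}"


def demo():
    # Forged: the victim's browser adds the cookie, but the form carries no token.
    forged = Request(cookies={"session": "sess-alice"},
                     form={"to": "mallory", "amount": "1000"})
    # Genuine: the application's own page embedded the token in the form.
    legit = Request(cookies={"session": "sess-alice"},
                    form={"to": "bob", "amount": "10",
                          "csrf_token": csrf_token("sess-alice")})
    return transfer_vulnerable(forged), transfer_hardened(forged), transfer_hardened(legit)
```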

The Samy computer worm used Cross-Site Scripting (XSS) to turn the browser’s authenticated MySpace session into a confused deputy. Using XSS, the worm forced the browser into posting an executable copy of the worm as a MySpace message, which was then viewed and executed by friends of the infected user.

Clickjacking is an attack in which the user acts as the confused deputy. The user thinks they are harmlessly browsing a website (one controlled by the attacker) but are in fact tricked into performing sensitive actions on another website.[3]

An FTP bounce attack can allow an attacker to indirectly connect to TCP ports that the attacker’s machine has no access to, using a remote FTP server as the confused deputy.

Another example relates to personal firewall software. It can restrict internet access for specific applications. Some applications circumvent this by starting a browser with a specific URL. The browser has authority to open a network connection, even though the application does not. Firewall software can attempt to address this by prompting the user in cases where one program starts another which then accesses the network. However, the user frequently does not have sufficient information to determine whether such an access is legitimate—false positives are common, and there is a substantial risk that even sophisticated users will become habituated to clicking ‘OK’ to these prompts.[4]

Not every program that misuses authority is a confused deputy. Sometimes misuse of authority is simply a result of a program error. The confused deputy problem occurs when the designation of an object is passed from one program to another, and the associated permission changes unintentionally, without any explicit action by either party. It is insidious because neither party did anything explicit to change the authority.

Personal VPN

You can use a free program called Hotspot Shield and it will hide your IP Address. 

http://www.hotspotshield.com/

VPN PROVIDER LIST

The Anonymous US Privacy IP service 

Use your PPTP or OpenVPN service on all your devices! Extend the same security, anonymity, and preferred IP location that VPN has always provided to all of your wireless devices. Sabai Technologies VPN wireless routers utilize your current VPN service to create a home VPN network in just five minutes of setup.

Advanced features such as dual gateway make connecting your tablets, laptops, smartphones, streaming devices, smart TVs or game consoles, wired or wirelessly, simple and easy. Sabai Technology has wireless VPN routers for anyone, whether you are connecting just a few devices in a small space or hundreds of devices in a business setting.

Not sure which VPN Router is right for you? Try the Ultimate VPN Router Comparison Guide.

A VPN (Virtual Private Network) creates a secure tunnel between you and a safe server that encrypts and protects you and your information. In this day and age where governments and companies are spying on virtually everyone, we all need this type of protection.

Resist the urge to use a free or very cheap VPN service. In exchange for providing the free service, you agree to let them look at your data for marketing purposes.

A lot of people outside of the USA cannot access certain video and other websites that are only available from American IP addresses. The same is true in other countries, where people living outside their home country can no longer access sites restricted to that country. A Personal VPN with servers in that country will easily resolve this issue.

For a premium product we suggest this Personal VPN service, which is reliable and secure. They run many servers throughout the Americas, Asia and Europe. Offering both TCP and UDP OpenVPN connections allows them to thwart blocking schemes that other vendors can’t penetrate. Also offered is a PPTP/L2TP or OpenVPN service for smartphones and tablets such as the iPhone, iPad, Android phones and Android tablets like the Samsung Galaxy. Additionally, they provide multiple ports to access the VPN, further enhancing their ability to beat the web blocks. Finally, they change – and never repeat – their IP addresses often, making it very problematic for ISPs to block their IP addresses.

If you are only interested in basic service, with servers in 5 countries, we recommend this inexpensive no-frills entry-level VPN Service. It provides both OpenVPN and PPTP/L2TP VPN servers in the USA, allowing you to secure your connection, prevent wireless hotspot hacks, and unblock websites from around the world.

For an offshore-only VPN service and secure email products, operating only in countries with strong privacy laws, we recommend this Offshore VPN Service. They operate OpenVPN, PPTP and L2TP servers in several offshore locations and provide several unique and useful security products.

Router configuration

Before you can start configuring your router for HMA! Pro VPN, the first step is to check if it’s compatible. Some routers, like the ASUS RT-N16, can connect to the VPN without needing to flash custom firmware (such as DD-WRT, OpenWRT or Tomato). Please refer to the Connection Instructions page for links to setup instructions. If you don’t know whether your router is compatible or not, you can try to adapt the settings from the other tutorials.

But most routers need to be at least compatible with DD-WRT firmware, so that it can be flashed and the router configured for HMA! Pro VPN.
You can check whether your router supports this at the DD-WRT router database or the DD-WRT supported devices list.

How to install the DD-WRT firmware: http://www.dd-wrt.com/wiki/index.php/Installation

For a list of all available router-related tutorials, see Tutorials:Router Configuration