Typosquatting on software repositories - eek, didn't want to know this

Ouch! We need a defence against this in general, and on SAFEnetwork for that matter (as in typosquatting on URLs):

He offers the following suggested defenses, but these are not effective against domain typosquatting:

Prevent Direct Code Execution on Installations This one is easy. Make sure that the software that unpacks and installs a third party package (pip or npm) does not allow the execution of code that originates from the package itself. Only when the user explicitly loads the package, the library code should be executed.

Generate a List of Potential Typo Candidates Generate Levenshtein distance candidates for the most downloaded N packages of the repository and alarm administrators on registration of such a candidate.

Analyze 404 logfiles and prevent registration of often shadow installed packages Whenever a user makes a typo by installing a package and the package is not registered yet, a 404 logfile entry on the repository server is created (because the install HTTP requests targets a non-existent resource). Parse these failed installations and prevent all such names that are shadow-installed more than a reasonable threshold per month.

3 Likes

This is a totally legit concern. Could it be mitigated by some sort of a registry where people could vouch for apps? Users could decide whom they trust as a reliable authorities on whether stuff is legit (i.e. we don’t need to assume there has to be a central authority), and stuff would only be accepted if it has a sufficient number of votes, and no votes against.

1 Like

Easy - use a Petname System

DNS & Anti-Phishing Tool

As mentioned earlier, that two domain names can be quite close to each other (typo squatting), intentionally or unintentionally, which can lead to phishing or pharming attacks, Petname Systems can be a useful tool to thwart this type of attack. The domain name itself represents the Pointer. The title in the title bar of the browser for that domain name is the given Nickname. In the user interface (the browser), the user can provide a Petname for each domain name. All the interactions with that domain will be indicated by the Petname in the user interface. Providing a Petname for each domain name will impose a trust relationship to that domain name. Absence of Petname will indicate the absence of a trust relationship.

On the background of the above scenarios, the typical e-commerce transaction scenario can be analyzed. A user frequently shops online and places his trust in PayPal to process his online transaction. Now to safely process his transaction he can define a Petname for PayPal in his browser. Assume that the user visits an e-commerce site that offers an item he wants to buy, but the users does not trust the site to know his credit card details. Luckily the site allows him to pay through PayPal, so he is redirected to www.paypal.com when the transaction enters the payment phase. Assuming that he has already defined a Petname for PayPal, his browser should indicate the Petname for it and he feels confident that it really is PayPal, and authorizes the transaction. Assuming that the e-commerce site is fraudulent, and redirects him to www.paypa1.com (note that it is “1”, not a small “L”) to phish him, his browser will not find a corresponding Petname because the domain name does not match. The missing Petname will alert him that the PayPal site is fraudulent, and that he should abort the transaction.

Security Usability of Petname Systems

2 Likes

In a slightly different context, I proposed something like this for the launcher: themes.

Accounts could specify a color scheme, a wallpaper, an icon pack, and a sound theme maybe, and apps could request them from the launcher upon start. If an app shows up with the proper theme, we can be sure it’s connecting through the launcher to that specific account. This idea was closely tied to another, that I think we should be able to log in to the launcher with multiple accounts at the same time (e.g. work, personal, i-am-batman, etc), and it would be nice to be able to differentiate between the fragments of my split personality with a glance.

1 Like

I was (and really still am) very excited about that. Yes, that is definitely in the same vein as these “mistake squatting” attacks. Has anyone here watched Mr. Robot?

This is the world we live in. People relying on each other’s mistakes. To manipulate one another and use one another - even relate to one another. The warm messy circle of humanity.

Yeah…dark…but the point’s still there. Mitigating these in any way would go a long way to actually making the world a better place.

1 Like