Interesting thread here...anyone considering "mutual authentication"
(i.e. user defined server image or something similar)?

Best,
Bill



---------- Forwarded message ----------
From: Mailvaganam, Hari <[email protected]>
Date: Mon, Apr 15, 2013 at 12:19 PM
Subject: [windows-hied]: Unauthorized Screen-Scraping of Authentications
To: "[email protected]" <[email protected]>


Hi List:

There were two recently identified cases of unauthorized external
applications screen-scraping authentication to the University of
British Columbia's (UBC) credential system.

Case 1: A website requested users to enter their UBC credentials to
validate their UBC affiliation; upon entry of UBC credentials,
unbeknownst to the user, the website programmatically screen-scraped
authentications to a valid UBC student application.

Case 2: An iPhone application performed a similar screen-scraping
process to that described in case 1 above; in this scenario, the iOS
application also screen-scraped the user's course timetable and
maintained a copy of the user's UBC credentials within the iPhone
application.

For case 1, an IP block was placed on the UBC network, which halted the
screen-scraping events; for case 2, an IP block would not have been
effective, as the screen-scraping events originate directly from the
iPhone (the dynamic IP address is derived from the telco operator or
wireless internet connection, and no pattern is discernible).

Questions:

A. What are your institution's policies w.r.t. screen-scraping of
authentications by unauthorized entities?

B. What technical processes do you have in place to identify, or
impede, unauthorized screen-scraping of authentications?

C. For case 2, where there is an identified unauthorized activity,
what technical steps could you recommend for blocking access (whereby
the distributed nature of iPhone application usage does not facilitate
blocking by IP address)?

Thank you for all feedback and direction.

Please do not hesitate to let me know if you have any questions or suggestions.

Best regards,

Hari
_________________________________________
Hari Mailvaganam
Sr. Programmer Analyst, Identity and Access Management
Information Technology | Engage. Envision. Enable.
The University of British Columbia
Office: 604-827-5117  | Cell: 604-836-4489
Web: www.it.ubc.ca
Skype: harimailvaganam

--++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==
windows-hied mailing list
[email protected]
https://mailman.stanford.edu/mailman/listinfo/windows-hied

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev
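As an added illustration of the kind of detection Hari asks about in question B, and of blocking that does not depend on a source IP as in question C, here is a small log triage script. It is not code from the thread or from UBC's systems: it assumes Apache/nginx "combined"-format access logs, a login form at /login, a single legitimate login origin (login.example.edu), and three heuristics that are my own assumptions: a credential POST with no preceding fetch of the form from the same client, a POST whose Referer is not the login page (credentials relayed from a third-party site, as in case 1), and a User-Agent from a non-browser HTTP stack such as iOS CFNetwork (a native app, as in case 2). The sample log lines are constructed.

```python
"""Flag credential POSTs that look screen-scraped rather than typed into the
real login form.  Added example with constructed log lines; the paths, origins
and heuristics below are assumptions, not UBC's configuration."""
import re
from datetime import datetime, timedelta

LOGIN_PATH = "/login"                        # assumed path of the login form
LOGIN_ORIGIN = "https://login.example.edu"   # assumed: the only legitimate Referer origin
FORM_WINDOW = timedelta(minutes=15)          # a real user fetches the form shortly before posting
# Assumed markers of non-browser HTTP stacks (iOS CFNetwork, scripting clients).
NON_BROWSER_UA = re.compile(r"CFNetwork|Darwin/|python-requests|curl/|Java/|okhttp", re.I)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: a real browser login, a third-party site relaying
# credentials from a fixed server (case 1), and a native app (case 2).
BROWSER_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/537.31 "
              "(KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31")
PROXY_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 "
            "(KHTML, like Gecko) Chrome/26.0.1410.43 Safari/537.31")
APP_UA = "CampusApp/1.0 CFNetwork/609 Darwin/13.0.0"   # hypothetical app User-Agent
SAMPLE_LOG = [
    f'142.103.1.10 - - [15/Apr/2013:12:19:01 -0700] "GET /login HTTP/1.1" 200 1834 "-" "{BROWSER_UA}"',
    f'142.103.1.10 - - [15/Apr/2013:12:19:20 -0700] "POST /login HTTP/1.1" 302 0 '
    f'"https://login.example.edu/login" "{BROWSER_UA}"',
    f'203.0.113.5 - - [15/Apr/2013:12:25:07 -0700] "POST /login HTTP/1.1" 302 0 '
    f'"https://verify.thirdparty.example/" "{PROXY_UA}"',
    f'198.51.100.77 - - [15/Apr/2013:12:30:00 -0700] "GET /login HTTP/1.1" 200 1834 "-" "{APP_UA}"',
    f'198.51.100.77 - - [15/Apr/2013:12:30:01 -0700] "POST /login HTTP/1.1" 302 0 "-" "{APP_UA}"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def classify_posts(lines):
    """Return one finding per credential POST that trips at least one heuristic.

    A client is keyed by (ip, user_agent) so that a proxy or an app stands out
    even when the IP alone is not a useful key."""
    last_form_get = {}   # (ip, ua) -> when that client last fetched the login form
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?")[0] != LOGIN_PATH:
            continue
        client = (rec["ip"], rec["ua"])
        if rec["method"] == "GET":
            last_form_get[client] = rec["ts"]
            continue
        if rec["method"] != "POST":
            continue
        reasons = []
        fetched = last_form_get.get(client)
        if fetched is None or rec["ts"] - fetched > FORM_WINDOW:
            reasons.append("no_prior_form_get")      # form never rendered: replayed submit
        if not rec["referer"].startswith(LOGIN_ORIGIN):
            reasons.append("foreign_referer")        # submitted from another origin (case 1)
        if NON_BROWSER_UA.search(rec["ua"]):
            reasons.append("non_browser_ua")         # native HTTP stack, not a browser (case 2)
        if reasons:
            findings.append({"ip": rec["ip"], "ua": rec["ua"], "ts": rec["ts"], "reasons": reasons})
    return findings


def suggest_block_keys(findings):
    """Map findings to a blocking key (assumed policy): a non-browser client is
    blocked by its User-Agent fingerprint, since its IPs are scattered across
    carriers; a relaying server is blocked by its fixed IP."""
    keys = set()
    for f in findings:
        if "non_browser_ua" in f["reasons"]:
            keys.add(("user_agent", f["ua"]))
        else:
            keys.add(("ip", f["ip"]))
    return keys


if __name__ == "__main__":
    found = classify_posts(SAMPLE_LOG)
    for f in found:
        print(f["ts"].isoformat(), f["ip"], f["reasons"])
    print(sorted(suggest_block_keys(found)))
```

A User-Agent string is trivially spoofable, so the UA match is a triage signal and a first blocking key rather than a durable control; a stable one for a native app is a per-app client credential or an OAuth-style delegated token, so that the user's password never passes through the app at all.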
