[Owasp-appsensor-project] New Detection Point Candidate: AE13: Deviation from normal GEO location during login

John Melton jtmelton at gmail.com
Fri Sep 30 12:05:32 EDT 2011


Dennis,
This is a great point, but having done the geo-location stuff before, I'll
say you must build in a reasonable buffer. Most of the products can only at
*best* (if you believe their marketing hype :>) get to city level
resolution, so what you usually see is some distance correlation occurring
where you compare the new IP and if < say 50 miles, we can think it might be
the same person. There's also an issue here with timing - a person may
logically fly around the world, still using your app, and the geo changes
significantly. Depending on your risk model to your app, obviously that may
not work. However, geo can sometimes be helpful as an obvious attack. If
someone is using your app in New York, then 30 minutes later in London, then
it's probably a safe bet that's a different person and you've got an issue.
I definitely think this can help show "obvious" malicious behavior at times
and have seen it personally work.

Thanks,
John

On Fri, Sep 30, 2011 at 11:53 AM, Dennis Groves <dennis.groves at gmail.com> wrote:

> The problem with this is that more and more people are going mobile thanks
> to iPhones and Droids. And their IPs are guaranteed to change during a
> session as they swap cell towers.
>
>
> --
> Dennis Groves <http://about.me/dennis.groves>, MSc
> dennis.groves at gmail.com
>
> *"What is the use of living, if it be not to strive for noble causes and
> make this muddled world a better place for those who will live in it after
> we have gone."*
>
> *-- Winston Churchill, October 10th, 1908*
>
>
>
> On Fri, Sep 30, 2011 at 4:47 PM, Colin Watson <colin.watson at owasp.org> wrote:
>
>> Ryan
>>
>> Good idea.
>>
>> The related "SE5 Source Location Changes During Session" is just
>> session specific, but this new idea concerns information about
>> a user learnt (or set) over time.  So I was thinking it perhaps ought
>> to be a User Trend (UT) code?  But since it specifically mentions
>> login, it could be an Authentication Exception (AE) instead?
>>
>> Does it need to be just login?  Maybe if it were more generic, it
>> might also be used post authentication on say a banking payment
>> transfer function i.e. we don't care where they log in from, but if
>> the amount is more than $5,000 we will take more notice of their
>> location.
>>
>> So perhaps "UT4 Deviation from normal Geo Location"?
>>
>> Colin
>>
>> On 30 September 2011 16:30, Ryan Barnett <ryan.barnett at owasp.org> wrote:
>> > Most users normally log into an application from 1 or a few Geographic
>> > locations.  If the application learns these GeoIP locations, it can then
>> > detect when a user is logging into the application from a different
>> > location.  This would help to identify possible account hijacking attacks
>> > (from phishing, banking trojans).
>> > --
>> > Ryan Barnett
>> > _______________________________________________
>> > Owasp-appsensor-project mailing list
>> > Owasp-appsensor-project at lists.owasp.org
>> > https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>> >
>> >
>>
>
>
>
>
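
Added example (not part of the original thread and not AppSensor project code): a sketch of the distance-and-time check described in the message above, using its 50-mile buffer and its New York/London case. The 600 mph speed ceiling, the function names and the sample coordinates are assumptions, and the GeoIP lookup is taken as already resolved to latitude/longitude.

```python
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
SAME_AREA_MILES = 50.0   # buffer from the message: GeoIP is city-level at best
MAX_SPEED_MPH = 600.0    # assumption: roughly airliner cruise speed


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def classify(prev, cur):
    """Compare two (timestamp, lat, lon) sightings of the same account."""
    (t1, lat1, lon1), (t2, lat2, lon2) = prev, cur
    dist = haversine_miles(lat1, lon1, lat2, lon2)
    if dist <= SAME_AREA_MILES:
        return "same_area"            # within GeoIP resolution error
    hours = abs((t2 - t1).total_seconds()) / 3600.0
    # Only the distance beyond the error buffer has to be explained by travel.
    if hours == 0 or (dist - SAME_AREA_MILES) / hours > MAX_SPEED_MPH:
        return "impossible_travel"    # New York, then London 30 minutes later
    return "plausible_travel"         # far away, but a flight could explain it


def scan(events):
    """Return (index, verdict) for each sighting that left the previous area."""
    out = []
    for i in range(1, len(events)):
        verdict = classify(events[i - 1], events[i])
        if verdict != "same_area":
            out.append((i, verdict))
    return out


# Constructed sample: one account's sightings, already resolved to coordinates.
SAMPLE_EVENTS = [
    (datetime(2011, 9, 30, 9, 0), 40.7128, -74.0060),    # New York
    (datetime(2011, 9, 30, 9, 20), 40.7357, -74.1724),   # Newark, ~9 miles away
    (datetime(2011, 9, 30, 9, 50), 51.5074, -0.1278),    # London, 30 min later
    (datetime(2011, 9, 30, 18, 30), 40.7128, -74.0060),  # New York, 8h40m later
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_EVENTS):
        print(idx, verdict)
```

Whether "plausible_travel" is only logged or triggers step-up authentication depends on the application's risk model, as the message notes.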