Online ID Theft, Phishing, and Malware
Primary faculty
• Stanford: Boneh, Mitchell
• Berkeley: Tygar, Mulligan
• CMU: Perrig, Song

Topics
• Phishing detection and prevention
  • Browser extensions, server support
  • Cache and link attacks, timing attacks, …
• Authentication using trusted platforms
  • Smartphone, virtualization, password token
• User interface issues
  • Tricky problem: users are fooled
  • Do users understand EULAs? (need I ask?)
• Malware detection and mitigation
  • Signature generation
  • Behavioral botnet detection
"Title", J.Q. Speaker-Name
Some of the team

Classical phishing attack
• Attacker sends email: “There is a problem with your eBuy account”
• User clicks on the email link to www.ebuj.com
• User thinks it is ebuy.com and enters the eBuy username and password
• Password is sent to the bad guy
Modern threats
• Spear phishing
  • Targeted email to known customers, evades spam filters
• Man-in-the-middle attacks
  • Forward communication to the honest server
  • Attack one-time passwords and server defenses
• Cookie theft
• Keyloggers
  • Installed via worms, or as browser infections
  • Acoustic emanations
• Botnets
  • Host keyloggers, send spam, steal credentials, etc.
  • Vint Cerf: as many as ¼ of all machines on the Internet
• Many user interface issues related to deception

Basic questions
• Security of human/computer systems
  • Phishing is not an attack on the OS, a network protocol, or a computer application
  • It is an attack on the user through the user’s computer
  • Deception works because the user has incomplete and unreliable information, or does not understand the information that is presented
• Web authentication
  • How can clients and servers authenticate each other?
  • Passwords are low entropy but easy to remember
  • Images and other indicators are easy to spoof, especially if the attacker has information about the user
• Isolation for web “sessions”
  • Implicit notion of a process: a user visiting a site
  • Many complexities: ads, redirects, mashups
• Privacy expectations and laws
  • Users transmit sensitive information to web sites
  • What privacy can they expect? How can this be guaranteed?
• Part of the problem is to identify and articulate the core issues
  • A principled understanding of web activity will lead to more secure browser design, a clearer understanding of the contract between browser and server, and better server practices
Berkeley: Dynamic Security Skins
• Automatically customize secure windows
• Visual hashes
  • Random Art: a visual hash algorithm
  • Generate a unique abstract image for each authentication
  • Use the image to “skin” windows or web content
  • Browser generated or server generated
• Commercial spin-off

CMU: Phoolproof prevention
• Eliminates reliance on perfect user behavior
• Protects against keyloggers and spyware
• Uses a trusted mobile device to perform mutual authentication with the server
SafeHistory
• Adaptive phishing attacks (a “super-phish”): the phishing site queries the browser’s visited links, then presents a phishing page based on which links were visited:
    <style>a:visited { background: url(track.php?example.com); }</style>
    <a href="http://example.com/">Hi</a>
• SafeHistory (www.safehistory.com): enforce the “same origin policy” on browser state
• Tech transfer: available as a Firefox extension at www.safehistory.com

PwdHash (www.pwdhash.com)
• Browser extension for stronger password authentication: pwd → Hash(pwd, domain-name)
• Mostly transparent to users
• Main challenge: block JavaScript-based attacks
• Recent work
  • Tech transfer: integrate with the RSA SecurID server
  • Consistent interface for the IE and Firefox extensions
• Computerworld 2006 Horizon award
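The domain-bound hashing idea on the slide, as an added example that is not the PwdHash extension's own code: the site only ever receives a hash tied to its own domain, so a password typed into the look-alike ebuj.com is useless at ebuy.com. HMAC-SHA256 keyed by the domain and the two-label domain reduction are assumptions of this example, not necessarily PwdHash's construction.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example, not the PwdHash extension's own code. It illustrates the
# slide's idea, pwd -> Hash(pwd, domain-name): a password captured at
# ebuj.com cannot be replayed at ebuy.com. HMAC-SHA256 keyed by the domain
# is an assumed construction, not necessarily the one PwdHash uses.

def site_domain(url: str) -> str:
    """Reduce a URL to the domain used as the hash key.

    Simplified to the last two host labels (www.ebuy.com and
    login.ebuy.com both map to ebuy.com); a real deployment would
    need a public-suffix list for names like example.co.uk."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def hashed_password(master_pwd: str, url: str, length: int = 16) -> str:
    """Site-specific password derived from the master password and domain."""
    domain = site_domain(url)
    digest = hmac.new(domain.encode(), master_pwd.encode(), hashlib.sha256).digest()
    # base64 keeps the result typeable into an ordinary password field
    return base64.b64encode(digest).decode()[:length]

def same_credential(master_pwd: str, url_a: str, url_b: str) -> bool:
    """Would the two sites receive the same derived password?"""
    return hashed_password(master_pwd, url_a) == hashed_password(master_pwd, url_b)

if __name__ == "__main__":
    master = "hunter2"  # constructed sample master password
    real = "https://www.ebuy.com/login"
    phish = "https://www.ebuj.com/login"  # look-alike domain from the slide
    print("ebuy.com gets:", hashed_password(master, real))
    print("ebuj.com gets:", hashed_password(master, phish))
    print("same credential?", same_credential(master, real, phish))  # False
```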
Berkeley: Understanding EULAs
• Confirmed previous study: EULAs are not effective in informing users, even when the agreement is read by the user
  • Users exhibit high installation rates, lack of knowledge about the program, and high regret
• Short notices before or after the installation can significantly influence users’ behavior if subjects pause to read them
  • Lower installation rates, but still noticeable regret
  • Reading times correlated with decision making and regret
  • A post-installation notice is more effective in grabbing the attention of every user
• Other support mechanisms are needed to help the user
• Last TRUST Review: Stanford study on spyware motivated by EULA legal issues

Malware detection
• Minesweeper: Automatically Identifying Trigger-based Behavior in Programs (Dawn Song, CMU)
• Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis (Dawn Song, CMU)
• BotSwat: Host-based behavioral bot detection (Liz Stinson, John Mitchell, Stanford)

Privacy / ID Theft Issues in ePassports
• Recent RFID passport requirements in the U.S. and Germany
• Uses Basic Access Control
• The passport holder has no way of knowing if their passport is being scanned
• Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory
• Contains JPEGs of photos and fingerprints

ePassports
• Guessing the access key: the access key is derived from the MRZ, which consists of the passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birth year?
• Traceability: RFID systems use fixed, unique low-level tag identifiers, making an ePassport traceable
• Eavesdropping: “listening” to a legitimate reader-RFID conversation
• Often overlooked: fallback. What if my biometric identity has been compromised? How can I prove “it wasn’t me”?
Research Spotlight: Cookie Management (Chris Karlof, Umesh Shankar, David Wagner, Doug Tygar)
• Locked IP Cookies
• Doppelganger

Cookie Management
• Cookies are both a challenge and an opportunity for ID theft protection
• Doppelganger: a system for automatically sensing how cookies are used
• IP-locked cookies: a framework alternative to anti-phishing and anti-pharming
  • Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks

Berkeley: Doppelganger (Karlof, U. Shankar)
• Flexible automatic cookie management
• Notes when cookies make a difference to a web page

Berkeley: Locked IP cookies (Karlof, Tygar, Wagner)
• Powerful solution to phishing
Research Spotlight: Keyboard Acoustic Emanations (Li Zhuang, Feng Zhou, Doug Tygar)

Keyboard Acoustic Sniffing
[Figure: “Alice’s password” recovered from the sound of typing]
• Acoustic emanations from the keyboard
• Example of statistical learning techniques in computer security (vulnerability analysis, detection)

Overview
[Figure: recognition pipeline]
• Initial training: wave signal → Feature Extraction → Unsupervised Learning → Language Model Correction → Sample Collector → Classifier Builder → Keystroke Classifier
• Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction (optional) → recovered keystrokes

Two Copies of Recovered Text
[Figure: recovered text before and after spelling and grammar correction; underlined = errors in recovery, marked = errors corrected by grammar]

Experiment
• Single keyboard
  • Logitech Elite Duo wireless keyboard
• 4 data sets recorded in two settings
  • Quiet & noisy
• Keystrokes are clearly separable from consecutive keys
• Keystroke positions in the signal are extracted automatically, with some manual error correction
Research Spotlight: Timing Attacks (Andrew Bortz, Dan Boneh, Palash Nandy, John Mitchell)
• Web servers are vulnerable to timing attacks that reveal useful phishing information

Spear-Phishing
• Targeted email to known potential victims, e.g., customers of a specific bank
• Beats existing techniques for filtering
  • Higher success rate
  • Lower detection rate
• But the attacker needs to know which sites a user visits
  • Generally hard to obtain this type of data

Forget your password?
• Most sites have “Forgot my password” pages
• These pages frequently leak whether an email is valid or not at that site

Direct Timing
• Time a login attempt
• The response time of the server depends on whether the email address used is valid or not
• This problem affects every tested web site!

Cross-Site Timing Attack
• Hijack a user’s browser session to time sites
• Many timing dependencies on the user’s relationship with the target site
• Here, we can distinguish logged in from not logged in

Solutions and Future Work
• Good solutions are server-side
  • Client-side solutions exist only for cross-site timing, and they are brittle
• Controlling response time to mitigate attacks
  • Eliminate the problem by making every response take the same amount of time
  • If that is impossible, then “round” the response time
• Future work
  • Apache module to control response time automatically
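The two server-side mitigations above (equal work on both paths, then rounding the response time), as an added example in Python that is not the project's Apache module or any site's code. The PBKDF2 parameters, the 50 ms quantum and the user store are constructed for illustration.

```python
import hashlib
import hmac
import math
import time

# Added example, not the project's Apache module or any site's code. It
# shows the two server-side mitigations from the slide: make the
# "email exists" and "email unknown" paths do the same work, then round
# the response time up to a fixed quantum so what remains is not
# observable to a remote timer.

QUANTUM = 0.050  # seconds per response-time step (assumed value)

def _derive(pwd: str, salt: bytes) -> bytes:
    # Same cost on every path; this is the expensive step a timer would see
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 20_000)

# Constructed user store: email -> (salt, derived key)
USERS = {"alice@example.com": (b"salt-a", _derive("correct horse", b"salt-a"))}
# Dummy record used for unknown emails so they still pay for a full derivation
_DUMMY = (b"salt-dummy", _derive("not-a-real-password", b"salt-dummy"))

def check_login(email: str, pwd: str) -> bool:
    known = email in USERS
    salt, stored = USERS[email] if known else _DUMMY
    # Constant-time comparison; both conditions are evaluated, no short-circuit
    match = hmac.compare_digest(_derive(pwd, salt), stored)
    return known & match

def round_up(elapsed: float, quantum: float = QUANTUM) -> float:
    """Smallest multiple of `quantum` that is >= elapsed (0 stays 0)."""
    return math.ceil(elapsed / quantum) * quantum

def handle_login(email: str, pwd: str) -> bool:
    """Login handler whose wall-clock time is padded to a quantum boundary."""
    start = time.perf_counter()
    ok = check_login(email, pwd)
    elapsed = time.perf_counter() - start
    # Padding only hides differences smaller than the quantum, which is
    # why the work itself must be equalized first (the dummy record above)
    time.sleep(round_up(elapsed) - elapsed)
    return ok

if __name__ == "__main__":
    print(handle_login("alice@example.com", "correct horse"))   # True
    print(handle_login("nobody@example.com", "correct horse"))  # False
```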
Research Spotlight: User Interfaces (Collin Jackson, Dan Simon, Desney Tan, Adam Barth)
• An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Anti-Phishing Features in IE7

Picture-in-Picture Attack

Results: Is this site legitimate?
• Future
  • More user studies, UI evaluations

Research Spotlight: Minesweeper: Automatically Identifying Trigger-based Behavior in Programs (Dawn Song)

Research Spotlight: BotSwat, host-based behavioral bot detection (Elizabeth Stinson, John Mitchell, Dawn Song)
Botnet
[Figure: bot master controlling bots through intermediary IRC servers]

Sample bot commands
  execute {0,1} <prog_path> [params]
  killprocess <proc_name>
  makedir <loc_path>
  http.execute <URL> <local_path>
  ping <host/IP> <num> <size> <t_out>
  scan <IP> <port> <delay>
  redirect <loc_port> <rem_host> <rem_port>
  ddos.httpflood <URL> <#> <ref> <recurse?>

BotSwat
[Figure: data flows from SOURCES through unknown processing (?) to SINKS such as CreateProcessA(…), NtCreateFile(…), bind(…)]

Host-based bot detection
Technology Transition Plan
• PwdHash: RSA Security (www.pwdhash.com)
  • Initial integration completed fall 2006
  • Hope to convince the IE team to embed natively in IE
• SpyBlock deployment
  • Available at http://getspyblock.com/
  • Relevant companies: Mocha5, VMWare
  • Dialog with companies about transaction generators
• SafeHistory: Microsoft, Mozilla
  • Available at www.safehistory.com

Public relations activities
• News articles on PwdHash
  • Many articles in the popular press, still appearing
  • Computerworld Horizon Award: August 2006
• SafeHistory & SafeCache
  • WWW ’06 paper
• Timing attacks
  • WWW ’07 paper
• SpyBlock and transaction generation
  • Report completed; conference paper in process

PwdHash and RSA SecurID
• Tech transfer: available as IE and Firefox extensions
  • Working to convince MS to embed natively into IE
• Integration with RSA SecurID
  • Motivation: “man in the middle” phishing attacks defeat one-time password systems
  • Phase I: apply PwdHash to one-time passwords
    • Requires updates to the SecurID server and PwdHash
  • Phase II: authenticate server to client
    • Planned for next year