Phishing markus.jakobsson@parc.com
Conventional Aspects of Security
• Computational assumptions
  • E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
  • E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
  • Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
  • E.g., will the communication protocol leak information that is considered secret in the application layer?
The human factor of security
(Diagram: a successful attack exploits one of three human failings: neglect, deceit, or configuration)
The human factor: configuration
• Weak passwords
• With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion of Wireless Home Routers” (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
• Warkitting = wardriving + rootkitting: a malicious firmware update pushed to the router over the wireless interface
• Shows that more than 50% of APs are vulnerable
The human factor: configuration
• Weak passwords
• With Stamm, Ramzan: “Drive-By Pharming” (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns that 77 of its APs are vulnerable, Feb 21; we think all APs but Apple’s are at risk; firmware update tested on only a few. Paper in submission)
• Attack over wireless: set an nvram value such as “Use DNS server x.x.x.x”, so every lookup from the home network goes to the attacker’s resolver
• And worse: geographic spread!
The human factor: deceit
(Image: threaten/disguise; image credit to Ben Edelman)
The human factor: deceit
• Self: “Modeling and Preventing Phishing Attacks” (Panel, Financial Crypto, 2005; the notion of spear phishing)
• With Jagatic, Johnson, Menczer: “Social Phishing” (Communications of the ACM, Oct 2007)
• With Finn, Johnson: “Why and How to Perform Fraud Experiments” (IEEE Security and Privacy, March/April 2008)
Ethical and accurate assessments
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
• Reality (diagram): buyer A and seller B exchange messages through eBay; A then logs in at eBay with her credentials.
• Attack (diagram): B sends A a spoofed message; A follows it and enters her credentials at the spoofed site.
• Experiment (diagram): the spoofed message is sent as in the attack, but the credential step terminates at eBay itself, so the experimenters measure who follows the lure without ever handling credentials.
• Yield (incl. spam filtering loss): 11% + 3%, starting from 4901
• With the “eBay greeting” removed: same
Mutual authentication in the “real world”
With Tsow, Shah, Blevis, Lim: “What Instills Trust? A Qualitative Study of Phishing” (Abstract at Usable Security, 2007)
Spear Phishing and Data Mining
• Current attack style: approx. 3% of adult Americans report having been victimized.
Spear Phishing and Data Mining
• More sophisticated attack style: the “context aware attack”
How can information be derived?
(Diagram: Jose Garcia marries Jane Smith, giving Jane Garcia, Jose Garcia … and little Jimmy Garcia)
Let’s start from the end! “Little” Jimmy → his parents → their marriage license → Jimmy’s mother’s maiden name: Smith
More reading: Griffith and Jakobsson, “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records.”
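The derivation sketched on this slide is a record-linkage join: a birth index names the child, the father and the mother's first name; a marriage index names the groom and the bride under her maiden name; joining on the father/groom and the mother's first name, within a plausible window before the birth, yields the maiden name. The following is an added example, not the authors' code or data: the birth and marriage records are constructed, and the field layout (child, father, mother's first name, year, county) is an assumption about what such public indexes typically expose. It also shows the disambiguation step a real attacker needs when two men share the father's name.

```python
"""Deriving a mother's maiden name by linking constructed public records.

Added example for this talk; not the authors' code. All records below are
made up, and the record fields are an assumption about what a birth index
and a marriage index expose.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BirthRecord:
    child: str         # child's full name
    father: str        # father's full name as recorded
    mother_first: str  # mother's first name only; maiden name usually absent
    year: int
    county: str


@dataclass(frozen=True)
class MarriageRecord:
    groom: str
    bride: str         # bride's name at marriage, i.e. her maiden name
    year: int
    county: str


# Constructed sample indexes (not real people).
BIRTHS = [
    BirthRecord("Jimmy Garcia", "Jose Garcia", "Jane", 1995, "Travis"),
    BirthRecord("Ana Lopez", "Carlos Lopez", "Maria", 1998, "Travis"),
    BirthRecord("Tom Reyes", "Luis Reyes", "Ana", 2001, "Bexar"),
]
MARRIAGES = [
    MarriageRecord("Jose Garcia", "Jane Smith", 1990, "Travis"),
    MarriageRecord("Jose Garcia", "Jane Brown", 1989, "Harris"),  # a different Jose Garcia
    MarriageRecord("Carlos Lopez", "Maria Perez", 1996, "Travis"),
    MarriageRecord("Luis Reyes", "Ana Cruz", 1999, "Bexar"),
    MarriageRecord("Luis Reyes", "Ana Ortiz", 1998, "Bexar"),    # same county: stays ambiguous
]


def first_name(full: str) -> str:
    return full.split()[0]


def surname(full: str) -> str:
    return full.split()[-1]


def derive_maiden_name(child: str, births=BIRTHS, marriages=MARRIAGES,
                       max_years_before_birth: int = 25) -> Optional[str]:
    """Return the mother's maiden name when the join yields a unique answer.

    Join: birth.father == marriage.groom and birth.mother_first == bride's
    first name, with the marriage inside a window before the birth. A
    marriage in the child's birth county outranks one elsewhere. Returns
    None when nothing matches or the candidates still tie.
    """
    scored: dict[str, int] = {}
    for b in births:
        if b.child != child:
            continue
        for m in marriages:
            if m.groom != b.father or first_name(m.bride) != b.mother_first:
                continue
            if not (b.year - max_years_before_birth <= m.year <= b.year):
                continue
            score = 1 if m.county == b.county else 0
            name = surname(m.bride)
            scored[name] = max(scored.get(name, -1), score)
    if not scored:
        return None
    best = max(scored.values())
    winners = [n for n, s in scored.items() if s == best]
    return winners[0] if len(winners) == 1 else None


if __name__ == "__main__":
    for kid in ("Jimmy Garcia", "Ana Lopez", "Tom Reyes", "Nobody Here"):
        print(f"{kid}: {derive_maiden_name(kid)}")
```

For Jimmy Garcia the two marriages that match on name are separated by county, so the join resolves to Smith; for Tom Reyes both candidates sit in the same county and the function declines to guess. In practice the attacker would add more join keys (birth year of the parents, middle initials) rather than give up, which is the point of the slide: every field on a public record is a join key.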
Approximate price list:
• PayPal user id + password: $1
• + challenge questions: $15
Why?
Password Reset: Typical Questions
• Make of your first car
• Mother’s maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister’s best friend
• Name of your pet
• How much wood would a woodchuck …
Problem 1: Data Mining
• Make of your first car?
  • Until 1998, Ford had >25% market share
• First name of your best friend?
  • 10% of males are named James (Jim), John, or Robert (Bob or Rob), and Facebook does not help
• Name of your first / favorite pet?
  • Top pet names are online
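The numbers on this slide translate directly into an attacker's success rate: with a skewed answer distribution, the probability of guessing correctly in k tries is the mass of the k most common answers, and the relevant entropy is min-entropy (the single most likely answer), not the average-case Shannon figure. The following is an added example, not the authors' code; the answer-frequency tables are constructed, with only their ordering taken from the slide (Ford leads first-car makes, James/John/Robert are common first names), and the per-question lockout model is an assumption about the reset flow.

```python
"""Guessability of password-reset questions.

Added example for this talk; not the authors' code. Frequency tables are
constructed, except that their ordering follows the slide's claims.
"""
from math import log2

# Fraction of the population giving each answer. "other" is the long tail,
# which an attacker cannot cover with a single guess.
FIRST_CAR_MAKE = {"Ford": 0.26, "Chevrolet": 0.20, "Toyota": 0.12,
                  "Honda": 0.10, "other": 0.32}
BEST_FRIEND_FIRST_NAME = {"James": 0.035, "John": 0.034, "Robert": 0.031,
                          "Michael": 0.030, "other": 0.870}
PET_NAME = {"Max": 0.030, "Bella": 0.030, "Buddy": 0.025, "Lucy": 0.020,
            "other": 0.895}


def ranked_guesses(dist):
    """Answers an attacker tries, most common first ("other" excluded)."""
    return sorted((a for a in dist if a != "other"), key=lambda a: -dist[a])


def top_k_success(dist, k):
    """Probability that one of the k most common answers is the right one."""
    return sum(dist[a] for a in ranked_guesses(dist)[:k])


def min_entropy_bits(dist):
    """-log2 of the most likely answer: the bits an attacker with one
    guess actually has to beat."""
    return -log2(dist[ranked_guesses(dist)[0]])


def reset_flow_success(questions, attempts_per_question):
    """Attacker succeeds only if every question is answered correctly.

    Assumes answers are independent across questions and that each
    question allows `attempts_per_question` tries before lockout (an
    assumption about the reset flow, not something the slide states).
    """
    p = 1.0
    for q in questions:
        p *= top_k_success(q, attempts_per_question)
    return p


if __name__ == "__main__":
    for label, q in (("first car", FIRST_CAR_MAKE),
                     ("best friend", BEST_FRIEND_FIRST_NAME),
                     ("pet", PET_NAME)):
        print(f"{label:12s} p(3 guesses)={top_k_success(q, 3):.3f} "
              f"min-entropy={min_entropy_bits(q):.2f} bits")
    all_three = reset_flow_success(
        [FIRST_CAR_MAKE, BEST_FRIEND_FIRST_NAME, PET_NAME], 3)
    print(f"all three questions, 3 tries each: {all_three:.4f}")
```

Under these constructed numbers the first-car question is worth under two bits, and chaining all three questions with three tries each still lets the attacker through on roughly one account in 200 with no information about the victim at all. That is wholesale economics, which is consistent with challenge-question answers commanding a price on the slide's list.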
Problem 2: People Forget
• Name of the street you grew up on?
  • There may have been more than one
• First name of your best friend / your sister’s best friend?
  • Friends change; what if you have no sister?
• City in which you were born?
  • NYC? New York? New York City? Manhattan? The Big Apple?
• People lie to increase security … then forget!
Intuition
Preference-based authentication:
• preferences are more stable than long-term memory (confirmed by psychology research)
• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!
Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
And next?
http://www.democratic-party.us/LiveEarth
Countermeasures?
• Technical
  • Better filters
  • CardSpace
  • OpenID
• Educational
  • SecurityCartoon
  • Suitable user interfaces
• Legal
Interesting? Internships at PARC / meet over coffee / etc. markus.jakobsson@parc.com