490 likes | 630 Views
Online ID Theft, Phishing, and Malware. Primary faculty Stanford: Boneh, Mitchell Berkeley: Tygar,Mulligan CMU: Perrig, Song. Topics. Phishing detection and prevention Browser extensions, Server support Cache and link attacks, timing attacks, … Authentication using trusted platforms
E N D
Online ID Theft, Phishing, and Malware Primary faculty Stanford: Boneh, Mitchell Berkeley: Tygar,Mulligan CMU: Perrig, Song
Topics • Phishing detection and prevention • Browser extensions, Server support • Cache and link attacks, timing attacks, … • Authentication using trusted platforms • Smartphone, Virtualization, Password token • User interface issues • Tricky problem: users are fooled • Do users understand EULAs? (need I ask?) • Malware detection and mitigation • Signature generation • Behavioral botnet detection "Title", J.Q. Speaker-Name
Some of the team "Title", J.Q. Speaker-Name
Classical phishing attack password? Sends email: “There is a problem with your eBuy account” Password sent to bad guy User clicks on email link to www.ebuj.com. User thinks it is ebuy.com, enters eBuy username and password. "Title", J.Q. Speaker-Name
Modern threats • Spear phishing • Targeted email to known customers, evade spam filter • Man-in-the-middle attacks • Forward communication to honest server • Attack one-time passwords, server defenses • Cookie theft • Keyloggers • Install via worms, or as browser infections • Acoustic emanations • Botnets • Host keyloggers, send spam, steal credentials, etc. • Vint Cerf: as many as ¼ of all machines on Internet • Many user interface issues related to deception "Title", J.Q. Speaker-Name
Basic questions • Security of human/computer systems • Phishing: not attack on OS, network protocol, or computer application • Attack on user through the user’s computer • Deception works because user has incomplete and unreliable information, or does not understand the information that is presented • Web authentication • How can clients and servers authenticate each other? • Passwords are low entropy but easy to remember • Images, other indicators easy to spoof, esp. if attacker has info about user • Isolation for web “sessions” • Implicit notion of process user visiting site • Many complexities: ads, redirects, mashups • Privacy expectations and laws • Users transmit sensitive information to web sites • What privacy can they expect? How can this be guaranteed? • Part of the problem is to identify and articulate the core issues • Principled understanding of web activity will lead to more secure browser design, clearer understanding of contract between browser and server, better server practices
Berkeley: Dynamic Security Skins • Automatically customize secure windows • Visual hashes • Random Art - visual hash algorithm • Generate unique abstract image for each authentication • Use the image to “skin” windows or web content • Browser generated or server generated • Commercial spin-off "Title", J.Q. Speaker-Name
CMU Phoolproof prevention Eliminates reliance on perfect user behavior Protects against keyloggers, spyware. Uses a trusted mobile device to perform mutual authentication with the server password? "Title", J.Q. Speaker-Name 9
SafeHistory Adaptive phishing attacks (a super-phish): Phishing site queries browser’s visited links: <style>a#visited { background: url(track.php?example.com); }</style> <a href="http://example.com/">Hi</a> Presents phishing page based on visited links SafeHistory: (www.safehistory.com) Enforce “same origin policy” on browser state Tech transfer: Available as Firefox extension www.safehistory.com "Title", J.Q. Speaker-Name 10
PwdHash www.pwdhash.com Browser extension for stronger pwd auth. Mostly transparent to users Main challenge: block Javascript-based attacks Recent work: Tech transfer: integrate with RSA SecurID server Consistent interface for IE and Firefox extensions Computerworld 2006 Horizon award pwd Hash( pwd, domain-name ) "Title", J.Q. Speaker-Name 11
Berkeley: Understanding EULAs Confirmed previous study: EULAs are not effective in informing users even when agreements are read by user Users exhibit high installation rates, lack of knowledge about program & high regret Short notice before or after the installation can significantly influence users’ behavior if subjects paused to read them Lower installation rates, but still noticeable regret Reading times correlated with decision making & regret Post notice more effective in grabbing attention of every user Other support mechanisms needed to help user Last TRUST Review: Stanford study on spyware motivated by EULA legal issues
Malware detection Minesweeper: Automatically Identifying Trigger-based Behavior in Programs Dawn Song, CMU Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis Dawn Song, CMU BotSwat: Host-based behavioral bot detection Liz Stinson, John Mitchell, Stanford "Title", J.Q. Speaker-Name 13
Recent RFID passport requirements in U.S. and Germany Uses Basic Access Control Passport holder has no way of knowing if their passport is being scanned. Uses an ISO14443 contactless RFID chip from Inferion with 64K memory Contains JPEGs of photos and fingerprints Privacy ID Theft Issues in ePassports
ePassports • Guessing the Access key: access key is derived from MRZ, which consists of passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birthday year? • Traceability: RFID systems uses fixed unique low level tag identifiers, making an ePassport traceable. • Eavesdropping: “Listening” to a legitimate reader-RFID conversation • Othen overlooked: Fallback: What if my biometric identity has been compromised.. How can I prove “it wasn’t me”?
Research Spotlight Chris Karlof Cookie Managment David Wagner • Locked IP Cookies • Doppelganger Umesh Shankar Doug Tygar "Title", J.Q. Speaker-Name 16
Cookie Management • Cookies are both a challenge and opportunity for ID theft protection • Doppelganger: a system for automatically sensing how cookies are used • IP locked cookies: a framework alternative to anti-phishing, anti-pharming • Unlike existing solutions (SiteKey) robust against man-in-the-middle-attacks "Title", J.Q. Speaker-Name
Berkeley: Doppelganger • (Karlof, U. Shankar) • Flexible automatic cookie management • Notes when cookies makes difference to web page "Title", J.Q. Speaker-Name
Berkeley: Locked IP cookies • Powerful solution to Phishing • (Karlof, Tygar, Wagner) "Title", J.Q. Speaker-Name
Research Spotlight Li Zhuang Keyboard Acoustic Emanations Feng Zhou Doug Tygar "Title", J.Q. Speaker-Name 20
Keyboard Acoustic Sniffing Alice’spassword • Acoustic emanations from keyboard • Example of statistical learning techniques in computer security (vulnerability analysis, detection)
Overview Language Model Correction keystroke classifierrecovered keystrokes Initial training Subsequent recognition wave signal wave signal Feature Extraction Feature Extraction Unsupervised Learning Keystroke Classifier Language Model Correction (optional) Sample Collector Classifier Builder recovered keystrokes
Two Copies of Recovered Text Before spelling and grammar correction After spelling and grammar correction _____ = errors in recovery = errors in corrected by grammar
Experiment • Single keyboard • Logitech Elite Duo wireless keyboard • 4 data sets recorded in two settings • Quiet & noisy • Keystrokes are clearly separable from consecutive keys • Automatically extract keystroke positions in the signal with some manual error correction
Research Spotlight Andrew Bortz Timing Attacks Web servers are vulnerable to timing attacks that reveal useful phishing information Dan Boneh Palash Nandy John Mitchell "Title", J.Q. Speaker-Name 26
Spear-Phishing • Targeted email to known potential victims, e.g., customers of specific bank • Beat existing techniques for filtering • Higher success rate • Lower detection rate • But need to know sites a user visits • Generally hard to obtain this type of data "Title", J.Q. Speaker-Name
Forget your password? • Most sites have “Forgot my password” pages • These pages frequently leak whether an email is valid or not at that site "Title", J.Q. Speaker-Name
Direct Timing • Time a login attempt • The response time of the server depends on whether the email address used is valid or not • This problem affects every tested web site! "Title", J.Q. Speaker-Name
Cross-Site Timing Attack • Hijack a user’s browser session to time sites • Many timing dependencies on the user’s relationship with the target site • Here, we can distinguish logged in from not "Title", J.Q. Speaker-Name
Solutions and Future Work • Good solutions are server-side • Client-side solutions exist only for cross-site timing, and they are brittle • Controlling response time to mitigate attacks • Eliminate problem by making every response take the same amount of time • If that is impossible, then “round” the amount of response time • Future work: • Apache module to control response time automatically "Title", J.Q. Speaker-Name
Research Spotlight Collin Jackson User Interfaces Dan Simon, Desney Tan An Evaluation of Extended Validation andPicture-in-Picture Phishing Attacks Adam Barth "Title", J.Q. Speaker-Name 32
Anti-Phishing Features in IE7 "Title", J.Q. Speaker-Name
Picture-in-Picture Attack "Title", J.Q. Speaker-Name
Results: Is this site legitimate? • Future • More user studies, UI evaluations "Title", J.Q. Speaker-Name
Research Spotlight Minesweeper: Automatically Identifying Trigger-based Behavior in Programs Dawn Song Dawn Song "Title", J.Q. Speaker-Name
Research Spotlight BotSwat Host-based behavioral bot detection Elizabeth Stinson John Mitchell Dawn Song "Title", J.Q. Speaker-Name
Botnet bot master Intermediary IRC svr IRC svr IRC svr ...
sample bot commands execute {0,1} <prog_path> [params] killprocess <proc_name> makedir <loc_path> http.execute <URL> <local_path> ping <host/IP> <num> <size> <t_out> scan <IP> <port> <delay> redirect <loc_port> <rem_host> <rem_port> ddos.httpflood <URL> <#> <ref> <recurse?>
BotSwat S O U R C E S ? ? ? ? S I N K S CreateProcessA(…) NtCreateFile(…) bind(…) ...
Host-based bot detection "Title", J.Q. Speaker-Name
Technology Transition Plan • PwdHash: RSA Security (www.pwdhash.com) • Initial integration completed fall 2006 • Hope to convince IE team to embed natively in IE • SpyBlock deployment: • Available at http://getspyblock.com/ • Relevant companies: Mocha5, VMWare • Dialog with companies about transaction generators • SafeHistory: Microsoft, Mozilla. • Available at www.safehistory.com
Public relations activities • News articles on PwdHash: • Many articles in popular press, still appearing • Computerworld Horizon Award: August 2006 • SafeHistory & SafeCache: • WWW ’06 paper • Timing attacks • WWW ’07 paper • SpyBlock and transaction generation • Report completed; conference paper in process
PwdHash and RSA SecurID • Tech transfer: available as IE and Firefox extensions • Working to convince MS to embed natively into IE • Integration with RSA SecurID: • Motivation: “man in the middle” phishing attacks • Defeats one-time password systems • Phase I: apply PwdHash to one-time passwords • Requires updates to SecurID server and PwdHash • Phase II: authenticate server to client • Planned for next year