Online ID Theft, Phishing, and Malware PowerPoint PPT Presentation



Presentation Transcript



Online ID Theft, Phishing, and Malware

Primary faculty

Stanford: Boneh, Mitchell

Berkeley: Tygar, Mulligan

CMU: Perrig, Song


Topics

  • Phishing detection and prevention

    • Browser extensions, Server support

    • Cache and link attacks, timing attacks, …

    • Authentication using trusted platforms

      • Smartphone, Virtualization, Password token

  • User interface issues

    • Tricky problem: users are fooled

    • Do users understand EULAs? (need I ask?)

  • Malware detection and mitigation

    • Signature generation

    • Behavioral botnet detection

"Title", J.Q. Speaker-Name


Some of the team


Classical phishing attack

Figure (sequence of the attack):

  • Attacker sends email: “There is a problem with your eBuy account”

  • User clicks on email link to www.ebuj.com.

  • User thinks it is ebuy.com, enters eBuy username and password.

  • Password sent to bad guy.


Modern threats

  • Spear phishing

    • Targeted email to known customers, evade spam filter

  • Man-in-the-middle attacks

    • Forward communication to honest server

    • Attack one-time passwords, server defenses

  • Cookie theft

  • Keyloggers

    • Install via worms, or as browser infections

    • Acoustic emanations

  • Botnets

    • Host keyloggers, send spam, steal credentials, etc.

    • Vint Cerf: as many as ¼ of all machines on Internet

  • Many user interface issues related to deception


Basic questions

  • Security of human/computer systems

    • Phishing: not attack on OS, network protocol, or computer application

    • Attack on user through the user’s computer

      • Deception works because user has incomplete and unreliable information, or does not understand the information that is presented

  • Web authentication

    • How can clients and servers authenticate each other?

    • Passwords are low entropy but easy to remember

    • Images, other indicators easy to spoof, esp. if attacker has info about user

  • Isolation for web “sessions”

    • Implicit notion of process  user visiting site

    • Many complexities: ads, redirects, mashups

  • Privacy expectations and laws

    • Users transmit sensitive information to web sites

    • What privacy can they expect? How can this be guaranteed?

  • Part of the problem is to identify and articulate the core issues

    • Principled understanding of web activity will lead to more secure browser design, clearer understanding of contract between browser and server, better server practices



Berkeley: Dynamic Security Skins

  • Automatically customize secure windows

  • Visual hashes

    • Random Art - visual hash algorithm

    • Generate unique abstract image for each authentication

    • Use the image to “skin” windows or web content

    • Browser generated or server generated

  • Commercial spin-off


CMU Phoolproof prevention

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware.

Uses a trusted mobile device to perform mutual authentication with the server


SafeHistory

Adaptive phishing attacks (a super-phish):

Phishing site queries browser’s visited links (the selector is a:visited; the page’s a#visited is an extraction error):

  <style>
    a:visited { background: url(track.php?example.com); }
  </style>
  <a href="http://example.com/">Hi</a>

Presents phishing page based on visited links

SafeHistory: (www.safehistory.com)

Enforce “same origin policy” on browser state

Tech transfer: Available as Firefox extension


PwdHash www.pwdhash.com

Browser extension for stronger pwd auth.

Mostly transparent to users

Main challenge: block Javascript-based attacks

Recent work:

Tech transfer: integrate with RSA SecurID server

Consistent interface for IE and Firefox extensions

Computerworld 2006 Horizon award

pwd → Hash( pwd, domain-name )
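Added example, not code from the slides or from the PwdHash project: a domain-keyed password derivation in the shape of the formula above, showing why a password typed into the look-alike www.ebuj.com from the classical phishing slide is useless at ebuy.com. HMAC-SHA256, the trimmed base64 encoding and the two-label domain rule are this example's assumptions standing in for the extension's own HMAC-MD5 and printable encoding; the sample password is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def effective_domain(url: str) -> str:
    """Reduce a URL to the domain the password is keyed on.

    Assumption (this example's rule, not PwdHash's own): keep the last two
    labels, so www.ebuy.com and login.ebuy.com yield the same password.
    """
    host = (urlsplit(url).hostname or url).lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_password(pwd: str, url: str, length: int = 16) -> str:
    """The slide's pwd -> Hash(pwd, domain-name), with pwd as the HMAC key.

    Assumption: HMAC-SHA256 and a trimmed base64 encoding stand in for the
    extension's own HMAC-MD5 and printable-password encoding.
    """
    domain = effective_domain(url)
    mac = hmac.new(pwd.encode("utf-8"), domain.encode("ascii"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii").rstrip("=")[:length]


def phished_password_works(pwd: str, real_url: str, phish_url: str) -> bool:
    """Model the classical attack: the user types pwd into the look-alike
    site, which receives Hash(pwd, phish-domain) and replays it at the real
    site, whose stored credential is Hash(pwd, real-domain)."""
    captured = domain_password(pwd, phish_url)
    expected = domain_password(pwd, real_url)
    return hmac.compare_digest(captured, expected)


if __name__ == "__main__":
    pwd = "correct horse battery staple"  # constructed sample password
    real, phish = "https://www.ebuy.com/login", "http://www.ebuj.com/login"
    print("sent to ebuy.com:", domain_password(pwd, real))
    print("sent to ebuj.com:", domain_password(pwd, phish))
    print("replay at ebuy.com works:", phished_password_works(pwd, real, phish))
```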


Berkeley: Understanding EULAs

Confirmed previous study: EULAs are not effective in informing users even when the agreements are read by the user

Users exhibit high installation rates, lack of knowledge about program & high regret

Short notice before or after the installation can significantly influence users’ behavior if subjects paused to read them

Lower installation rates, but still noticeable regret

Reading times correlated with decision making & regret

Post notice more effective in grabbing attention of every user

Other support mechanisms needed to help user

Last TRUST Review: Stanford study on spyware motivated by EULA legal issues


Malware detection

Minesweeper: Automatically Identifying Trigger-based Behavior in Programs

Dawn Song, CMU

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis

Dawn Song, CMU

BotSwat: Host-based behavioral bot detection

Liz Stinson, John Mitchell, Stanford


Privacy / ID Theft Issues in ePassports

Recent RFID passport requirements in U.S. and Germany

Uses Basic Access Control

Passport holder has no way of knowing if their passport is being scanned.

Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory

Contains JPEGs of photos and fingerprints


ePassports

  • Guessing the access key: the access key is derived from the MRZ, which consists of passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birth year?

  • Traceability: RFID systems use fixed unique low-level tag identifiers, making an ePassport traceable.

  • Eavesdropping: “listening” to a legitimate reader-RFID conversation

  • Often overlooked: fallback. What if my biometric identity has been compromised? How can I prove “it wasn’t me”?


Research Spotlight

Chris Karlof

Cookie Management

David Wagner

  • Locked IP Cookies

  • Doppelganger

Umesh Shankar

Doug Tygar


Cookie Management

  • Cookies are both a challenge and opportunity for ID theft protection

  • Doppelganger: a system for automatically sensing how cookies are used

  • IP locked cookies: a framework alternative to anti-phishing, anti-pharming

    • Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks


Berkeley: Doppelganger

  • (Karlof, U. Shankar)

  • Flexible automatic cookie management

  • Notes when cookies make a difference to a web page


Berkeley: Locked IP cookies

  • Powerful solution to Phishing

  • (Karlof, Tygar, Wagner)


Research Spotlight

Li Zhuang

Keyboard

Acoustic Emanations

Feng Zhou

Doug Tygar


Keyboard Acoustic Sniffing

Alice’s password

  • Acoustic emanations from keyboard

  • Example of statistical learning techniques in computer security (vulnerability analysis, detection)


Overview

Figure: two-phase pipeline

  • Initial training: wave signal → Feature Extraction → Unsupervised Learning → Language Model Correction → Sample Collector → Classifier Builder → Keystroke Classifier

  • Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction (optional) → recovered keystrokes


Two Copies of Recovered Text

Before spelling and grammar correction

After spelling and grammar correction

_____ = errors in recovery

= errors in recovery corrected by grammar correction


Experiment

  • Single keyboard

    • Logitech Elite Duo wireless keyboard

    • 4 data sets recorded in two settings

      • Quiet & noisy

      • Keystrokes are clearly separable from consecutive keys

    • Automatically extract keystroke positions in the signal with some manual error correction


Data sets


Research Spotlight

Andrew Bortz

Timing Attacks

Web servers are vulnerable to timing attacks that reveal useful phishing information

Dan Boneh

Palash Nandy

John Mitchell


Spear-Phishing

  • Targeted email to known potential victims, e.g., customers of specific bank

    • Beat existing techniques for filtering

    • Higher success rate

    • Lower detection rate

  • But need to know sites a user visits

    • Generally hard to obtain this type of data


Forget your password?

  • Most sites have “Forgot my password” pages

    • These pages frequently leak whether an email is valid or not at that site


Direct Timing

  • Time a login attempt

  • The response time of the server depends on whether the email address used is valid or not

  • This problem affects every tested web site!


Cross-Site Timing Attack

  • Hijack a user’s browser session to time sites

  • Many timing dependencies on the user’s relationship with the target site

  • Here, we can distinguish logged in from not


Solutions and Future Work

  • Good solutions are server-side

    • Client-side solutions exist only for cross-site timing, and they are brittle

  • Controlling response time to mitigate attacks

    • Eliminate problem by making every response take the same amount of time

    • If that is impossible, then “round” the amount of response time

  • Future work:

    • Apache module to control response time automatically
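Added example, not code from the slides or from the authors' Apache module: a login handler in the vulnerable shape the Direct Timing and Forgot-password slides describe (an unknown e-mail is rejected before any password hashing), beside a hardened version that does the same hashing work for every e-mail and then rounds its response time to a fixed quantum as proposed above. The account database, passwords, PBKDF2 parameters and 50 ms quantum are constructed for the example.

```python
import hashlib
import hmac
import os
import time

def _pbkdf2(password: str, salt: bytes) -> bytes:
    """Deliberately slow hash: the work whose presence an attacker can time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

# Constructed sample account database: e-mail -> (salt, stored hash).
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _pbkdf2("alice-pw", _SALT))}
# Dummy record so unknown e-mails pay for exactly one hash as well.
_DUMMY = (os.urandom(16), _pbkdf2("dummy-never-matches", os.urandom(16)))

def login_leaky(email: str, password: str) -> bool:
    """Shape the Direct Timing slide describes: an unknown e-mail returns
    before any hashing, so the server answers measurably faster."""
    if email not in USERS:
        return False
    salt, stored = USERS[email]
    return hmac.compare_digest(_pbkdf2(password, salt), stored)

def login_uniform(email: str, password: str) -> bool:
    """Hardened: identical hashing work for known and unknown e-mails, a
    constant-time comparison, and the e-mail check folded in at the end."""
    salt, stored = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(_pbkdf2(password, salt), stored)
    return matched and email in USERS

def padding_for(elapsed: float, quantum: float) -> float:
    """Seconds to wait so the total response time lands on the next multiple
    of quantum: the slide's "round the amount of response time"."""
    return (int(elapsed // quantum) + 1) * quantum - elapsed

def respond_rounded(handler, quantum: float = 0.05):
    """Run a handler, then hold the answer until a quantum boundary."""
    start = time.perf_counter()
    result = handler()
    time.sleep(padding_for(time.perf_counter() - start, quantum))
    return result, time.perf_counter() - start

if __name__ == "__main__":
    for email in ("alice@example.com", "nobody@example.com"):
        t0 = time.perf_counter()
        login_leaky(email, "guess")
        leaky_ms = (time.perf_counter() - t0) * 1e3
        _, total = respond_rounded(lambda: login_uniform(email, "guess"))
        print(f"{email:20s} leaky={leaky_ms:6.1f} ms  hardened+rounded={total*1e3:6.1f} ms")
```

Run stand-alone, the leaky handler shows a near-zero time for the unknown address and tens of milliseconds for the known one, while both hardened responses land on the same 50 ms boundary.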


Research Spotlight

Collin Jackson

User Interfaces

Dan Simon,

Desney Tan

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Adam Barth


Anti-Phishing Features in IE7


Picture-in-Picture Attack


Results: Is this site legitimate?

  • Future

    • More user studies, UI evaluations


Research Spotlight

Minesweeper:

Automatically Identifying Trigger-based Behavior in Programs

Dawn Song


Research Spotlight

BotSwat

Host-based behavioral bot detection

Elizabeth Stinson

John Mitchell

Dawn Song


Botnet

Figure: bot master → Intermediary → IRC svr, IRC svr, IRC svr, ...


Sample bot commands

execute {0,1} <prog_path> [params]

killprocess <proc_name>

makedir <loc_path>

http.execute <URL> <local_path>

ping <host/IP> <num> <size> <t_out>

scan <IP> <port> <delay>

redirect <loc_port> <rem_host> <rem_port>

ddos.httpflood <URL> <#> <ref> <recurse?>


BotSwat

Figure: SOURCES → ? → ? → ? → ? → SINKS: CreateProcessA(…), NtCreateFile(…), bind(…), ...


Host-based bot detection


ID Theft Knowledge Transfer


Technology Transition Plan

  • PwdHash: RSA Security (www.pwdhash.com)

    • Initial integration completed fall 2006

    • Hope to convince IE team to embed natively in IE

  • SpyBlock deployment:

    • Available at http://getspyblock.com/

    • Relevant companies: Mocha5, VMWare

    • Dialog with companies about transaction generators

  • SafeHistory: Microsoft, Mozilla.

    • Available at www.safehistory.com


Public relations activities

  • News articles on PwdHash:

    • Many articles in popular press, still appearing

    • Computerworld Horizon Award: August 2006

  • SafeHistory & SafeCache:

    • WWW ’06 paper

  • Timing attacks

    • WWW ’07 paper

  • SpyBlock and transaction generation

    • Report completed; conference paper in process



PwdHash and RSA SecurID

  • Tech transfer: available as IE and Firefox extensions

    • Working to convince MS to embed natively into IE

  • Integration with RSA SecurID:

    • Motivation: “man in the middle” phishing attacks

      • Defeats one-time password systems

    • Phase I: apply PwdHash to one-time passwords

      • Requires updates to SecurID server and PwdHash

    • Phase II: authenticate server to client

      • Planned for next year


  • Login