
Online ID Theft, Phishing, and Malware - PowerPoint PPT Presentation

Presentation Transcript

Online ID Theft, Phishing, and Malware

Primary faculty

Stanford: Boneh, Mitchell

Berkeley: Tygar,Mulligan

CMU: Perrig, Song


Topics

  • Phishing detection and prevention

    • Browser extensions, Server support

    • Cache and link attacks, timing attacks, …

    • Authentication using trusted platforms

      • Smartphone, Virtualization, Password token

  • User interface issues

    • Tricky problem: users are fooled

    • Do users understand EULAs? (need I ask?)

  • Malware detection and mitigation

    • Signature generation

    • Behavioral botnet detection

Some of the team

Classical phishing attack


  • Attacker sends email: “There is a problem with your eBuy account”

  • User clicks on email link to

  • User thinks it is, enters eBuy username and password.

  • Password sent to bad guy

Modern threats

  • Spear phishing

    • Targeted email to known customers, evade spam filter

  • Man-in-the-middle attacks

    • Forward communication to honest server

    • Attack one-time passwords, server defenses

  • Cookie theft

  • Keyloggers

    • Install via worms, or as browser infections

    • Acoustic emanations

  • Botnets

    • Host keyloggers, send spam, steal credentials, etc.

    • Vint Cerf: as many as ¼ of all machines on Internet

  • Many user interface issues related to deception

Basic questions

  • Security of human/computer systems

    • Phishing: not attack on OS, network protocol, or computer application

    • Attack on user through the user’s computer

      • Deception works because user has incomplete and unreliable information, or does not understand the information that is presented

  • Web authentication

    • How can clients and servers authenticate each other?

    • Passwords are low entropy but easy to remember

    • Images, other indicators easy to spoof, esp. if attacker has info about user

  • Isolation for web “sessions”

    • Implicit notion of process: user visiting site

    • Many complexities: ads, redirects, mashups

  • Privacy expectations and laws

    • Users transmit sensitive information to web sites

    • What privacy can they expect? How can this be guaranteed?

  • Part of the problem is to identify and articulate the core issues

    • Principled understanding of web activity will lead to more secure browser design, clearer understanding of contract between browser and server, better server practices

Berkeley: Dynamic Security Skins

  • Automatically customize secure windows

  • Visual hashes

    • Random Art - visual hash algorithm

    • Generate unique abstract image for each authentication

    • Use the image to “skin” windows or web content

    • Browser generated or server generated

  • Commercial spin-off

CMU Phoolproof prevention

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware.

Uses a trusted mobile device to perform mutual authentication with the server

Adaptive phishing attacks (a super-phish):

  • Phishing site queries browser’s visited links:

        <style>
        a:visited { background: url(track.php?…); }
        </style>
        <a href="">Hi</a>

  • Presents phishing page based on visited links

SafeHistory: (

  • Enforce “same origin policy” on browser state

  • Tech transfer: Available as Firefox extension

PwdHash (www.pwdhash.com)

Browser extension for stronger pwd auth.

Mostly transparent to users

Main challenge: block JavaScript-based attacks

Recent work:

  • Tech transfer: integrate with RSA SecurID server

  • Consistent interface for IE and Firefox extensions

  • Computerworld 2006 Horizon award

pwd → Hash(pwd, domain-name)
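An added Python model of the slide's pwd → Hash(pwd, domain-name) rule (not PwdHash's own code, which is a JavaScript browser extension): the site domain salts the hash, so a look-alike phishing domain receives a password that is useless at the real site. The domain-extraction rule, the HMAC-SHA256 construction and the example domains are assumptions for the demo.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the domain that salts the password.

    Demo assumption: the last two host labels identify the site
    (www.ebuy.example -> ebuy.example).  A real extension needs a
    public-suffix list to handle suffixes such as co.uk correctly.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_password(master_pwd: str, url: str, length: int = 12) -> str:
    """Per-site password, the slide's pwd -> Hash(pwd, domain-name).

    Constructed scheme: HMAC-SHA256 keyed with the master password over
    the site domain, base64-encoded and cut to `length` characters.
    PwdHash's real construction differs and also adapts the output to
    site password policies; only the domain-salting idea is shared.
    """
    domain = site_domain(url)
    mac = hmac.new(master_pwd.encode(), domain.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")[:length]


def phisher_can_reuse(master_pwd: str, real_url: str, phish_url: str) -> bool:
    """Would the password typed into the phishing page also log in at the
    real site?  With domain salting this is False for any other domain."""
    return domain_password(master_pwd, phish_url) == domain_password(master_pwd, real_url)


if __name__ == "__main__":
    master = "correct horse"                    # constructed master password
    real = "https://www.ebuy.example/login"
    phish = "https://ebuy-login.example/login"  # look-alike phishing domain
    print("real site  :", domain_password(master, real))
    print("phish site :", domain_password(master, phish))
    print("reusable   :", phisher_can_reuse(master, real, phish))
```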


Berkeley: Understanding EULAs

Confirmed previous study: EULAs are not effective in informing users even when agreements are read by user

Users exhibit high installation rates, lack of knowledge about program & high regret

Short notice before or after the installation can significantly influence users’ behavior if subjects paused to read them

Lower installation rates, but still noticeable regret

Reading times correlated with decision making & regret

Post notice more effective in grabbing attention of every user

Other support mechanisms needed to help user

Last TRUST Review: Stanford study on spyware motivated by EULA legal issues

Malware detection

Minesweeper: Automatically Identifying Trigger-based Behavior in Programs

Dawn Song, CMU

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis

Dawn Song, CMU

BotSwat: Host-based behavioral bot detection

Liz Stinson, John Mitchell, Stanford

Privacy and ID Theft Issues in ePassports

  • Recent RFID passport requirements in U.S. and Germany

  • Uses Basic Access Control

  • Passport holder has no way of knowing if their passport is being scanned.

  • Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory

  • Contains JPEGs of photos and fingerprints


  • Guessing the access key: the access key is derived from the MRZ, which consists of the passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s year of birth?

  • Traceability: RFID systems use fixed unique low-level tag identifiers, making an ePassport traceable.

  • Eavesdropping: “listening” to a legitimate reader-RFID conversation

  • Often overlooked: fallback. What if my biometric identity has been compromised? How can I prove “it wasn’t me”?

Research Spotlight: Cookie Management

Chris Karlof, David Wagner, Umesh Shankar, Doug Tygar

  • Locked IP Cookies

  • Doppelganger

Cookie Management

  • Cookies are both a challenge and an opportunity for ID theft protection

  • Doppelganger: a system for automatically sensing how cookies are used

  • IP locked cookies: an alternative framework to anti-phishing and anti-pharming

    • Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks

Berkeley: Doppelganger

  • (Karlof, U. Shankar)

  • Flexible automatic cookie management

  • Notes when cookies make a difference to the web page

Berkeley: Locked IP cookies

  • Powerful solution to Phishing

  • (Karlof, Tygar, Wagner)

Research Spotlight: Acoustic Emanations

Li Zhuang, Feng Zhou, Doug Tygar

Keyboard Acoustic Sniffing


  • Acoustic emanations from keyboard

  • Example of statistical learning techniques in computer security (vulnerability analysis, detection)


Figure: keystroke recovery pipeline. Initial training: wave signal → Feature Extraction → Unsupervised Learning → Keystroke Classifier → Language Model Correction → recovered keystrokes, which feed the Sample Collector and Classifier Builder that produce the keystroke classifier. Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction → recovered keystrokes.

Two Copies of Recovered Text

Figure: the same recovered text shown before and after spelling and grammar correction; one marking denotes errors in recovery, another the errors corrected by the grammar model.


  • Single keyboard

    • Logitech Elite Duo wireless keyboard

    • 4 data sets recorded in two settings

      • Quiet & noisy

      • Keystrokes are clearly separable from consecutive keys

    • Automatically extract keystroke positions in the signal with some manual error correction

Research Spotlight: Timing Attacks

Andrew Bortz, Dan Boneh, Palash Nandy, John Mitchell

Web servers are vulnerable to timing attacks that reveal useful phishing information

Spear phishing

  • Targeted email to known potential victims, e.g., customers of specific bank

    • Beat existing techniques for filtering

    • Higher success rate

    • Lower detection rate

  • But need to know sites a user visits

    • Generally hard to obtain this type of data

Forget your password?

  • Most sites have “Forgot my password” pages

    • These pages frequently leak whether an email is valid or not at that site

Direct Timing

  • Time a login attempt

  • The response time of the server depends on whether the email address used is valid or not

  • This problem affects every tested web site!

Cross-Site Timing Attack

  • Hijack a user’s browser session to time sites

  • Many timing dependencies on the user’s relationship with the target site

  • Here, we can distinguish a logged-in user from one who is not

Solutions and Future Work

  • Good solutions are server-side

    • Client-side solutions exist only for cross-site timing, and they are brittle

  • Controlling response time to mitigate attacks

    • Eliminate problem by making every response take the same amount of time

    • If that is impossible, then “round” the amount of response time

  • Future work:

    • Apache module to control response time automatically
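An added Python model (not the Apache module above) of the direct-timing leak on a login handler together with the two server-side mitigations the slides describe: doing the same work on every path, and rounding the response time up to a fixed quantum. The user table, salt and quantum are constructed values.

```python
import hashlib
import hmac
import math
import time

# Constructed user table: e-mail -> (salt, PBKDF2 hash).  Only alice exists.
_SALT = b"constructed-demo-salt"

def _pw_hash(pwd: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pwd.encode(), salt, 20_000)

USERS = {"alice@example.test": (_SALT, _pw_hash("correct horse", _SALT))}
_DUMMY = (_SALT, _pw_hash("not-a-real-password", _SALT))  # hashed once

def login_leaky(email: str, pwd: str) -> bool:
    """Direct-timing leak: an unknown e-mail returns before the slow hash,
    so the response time tells the caller whether the address exists."""
    if email not in USERS:
        return False
    salt, stored = USERS[email]
    return _pw_hash(pwd, salt) == stored

def login_uniform(email: str, pwd: str) -> bool:
    """Same work on every path: hash against a dummy record when the
    e-mail is unknown, and compare digests in constant time."""
    known = email in USERS
    salt, stored = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(_pw_hash(pwd, salt), stored)
    return matched and known

def round_up_ms(elapsed_ms: int, quantum_ms: int) -> int:
    """The slide's fallback: round the response time up to a multiple of
    quantum_ms so small per-request differences are hidden."""
    return -(-elapsed_ms // quantum_ms) * quantum_ms

def padded(handler, quantum_ms: int = 100):
    """Wrap a handler so its wall-clock time is a multiple of quantum_ms."""
    def wrapped(*args):
        start = time.perf_counter()
        result = handler(*args)
        elapsed_ms = (time.perf_counter() - start) * 1000
        target_ms = round_up_ms(math.ceil(elapsed_ms), quantum_ms)
        time.sleep((target_ms - elapsed_ms) / 1000)
        return result
    return wrapped
```

Wrapping the handler as padded(login_uniform, 100) makes known and unknown e-mails answer in the same multiple of 100 ms, which is what an attacker timing the login page would see.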

Research Spotlight: User Interfaces

Collin Jackson, Dan Simon, Desney Tan, Adam Barth

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Anti-Phishing Features in IE7

Picture-in-Picture Attack

Results: Is this site legitimate?

  • Future

    • More user studies, UI evaluations

Research Spotlight: Automatically Identifying Trigger-based Behavior in Programs

Dawn Song

Research Spotlight: Host-based behavioral bot detection

Elizabeth Stinson, John Mitchell, Dawn Song

Figure: a bot master issuing commands to bots through several IRC servers

Sample bot commands

execute {0,1} <prog_path> [params]

killprocess <proc_name>

makedir <loc_path>

http.execute <URL> <local_path>

ping <host/IP> <num> <size> <t_out>

scan <IP> <port> <delay>

redirect <loc_port> <rem_host> <rem_port>

ddos.httpflood <URL> <#> <ref> <recurse?>

Host-based bot detection
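Added illustration of the host-based behavioral idea behind BotSwat, not its code: a process that receives data from the network and later passes that data to a system call an operator could use for remote control is flagged. The event trace, the monitored call set and the tokenising rule are constructed for the demo; the bot commands in the trace come from the list above.

```python
from typing import NamedTuple

# Simplified model of the BotSwat-style idea, not BotSwat's implementation:
# data a process receives from the network is "tainted"; if it later shows
# up as the argument of a system call an operator could use for remote
# control, the process is behaving like a bot answering commands.

class Event(NamedTuple):
    pid: int
    call: str   # "recv" for network input, otherwise a monitored syscall
    arg: str    # received data, or the syscall's argument string

# Syscalls whose arguments are checked for tainted data (assumed set).
SINK_CALLS = {"CreateProcess", "connect", "DeleteFile", "CreateDirectory"}

def taint_tokens(data: str) -> set:
    """Tokens worth tracking: whitespace-separated words of 3+ characters,
    which captures a command's path, host and port arguments."""
    return {tok for tok in data.split() if len(tok) >= 3}

def detect(events):
    """Return (pid, call, tainted tokens) for each sink call whose argument
    contains something the same process earlier received from the network."""
    tainted = {}   # pid -> set of tokens seen in that process's network input
    alerts = []
    for ev in events:
        if ev.call == "recv":
            tainted.setdefault(ev.pid, set()).update(taint_tokens(ev.arg))
        elif ev.call in SINK_CALLS:
            hits = sorted(t for t in tainted.get(ev.pid, ()) if t in ev.arg)
            if hits:
                alerts.append((ev.pid, ev.call, hits))
    return alerts

# Constructed trace: pid 1234 is an IRC bot acting on two of the commands
# listed above; pid 777 is a browser; pid 900 is a shell started by the user.
TRACE = [
    Event(1234, "recv", r".execute 1 C:\Temp\upd.exe"),
    Event(1234, "CreateProcess", r"C:\Temp\upd.exe"),
    Event(1234, "recv", ".scan 10.0.0.7 445 30"),
    Event(1234, "connect", "10.0.0.7:445"),
    Event(777, "recv", "HTTP/1.1 200 OK"),
    Event(777, "connect", "cdn.example:443"),
    Event(900, "CreateProcess", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, call, hits in detect(TRACE):
        print(f"pid {pid}: {call} used network-supplied {hits}")
```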

ID Theft Knowledge Transfer

Technology Transition Plan

  • PwdHash: RSA Security (

    • Initial integration completed fall 2006

    • Hope to convince IE team to embed natively in IE

  • SpyBlock deployment:

    • Available at

    • Relevant companies: Mocha5, VMWare

    • Dialog with companies about transaction generators

  • SafeHistory: Microsoft, Mozilla.

    • Available at

Public relations activities

  • News articles on PwdHash:

    • Many articles in popular press, still appearing

    • Computerworld Horizon Award: August 2006

  • SafeHistory & SafeCache:

    • WWW ’06 paper

  • Timing attacks

    • WWW ’07 paper

  • SpyBlock and transaction generation

    • Report completed; conference paper in process

PwdHash and RSA SecurID

  • Tech transfer: available as IE and Firefox extensions

    • Working to convince MS to embed natively into IE

  • Integration with RSA SecurID:

    • Motivation: “man in the middle” phishing attacks

      • Defeats one-time password systems

    • Phase I: apply PwdHash to one-time passwords

      • Requires updates to SecurID server and PwdHash

    • Phase II: authenticate server to client

      • Planned for next year