
Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets

Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets. John Mitchell (Stanford). Problem: Online Identity Theft. Password phishing Forged email and fake web sites steal passwords Passwords used to withdraw money, degrade trust Password theft


Presentation Transcript


  1. Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets John Mitchell (Stanford)

  2. Problem: Online Identity Theft
     • Password phishing
       • Forged email and fake web sites steal passwords
       • Passwords used to withdraw money, degrade trust
     • Password theft
       • Criminals break into servers and steal password files
     • Spyware
       • Keyloggers steal passwords, product activation codes, etc.
     • Botnets
       • Networks of compromised end-user machines spread SPAM, launch attacks, collect and share stolen information
     • Magnitude
       • $$$ Hundreds of millions in direct loss per year
       • Significant indirect loss in brand erosion
       • Loss of confidence in online transactions
       • Inconvenience of restoring credit rating, identity
     Online identity theft, J.C. Mitchell

  3. TRUST team
     • Stanford
       • D Boneh, J Mitchell, D Dill, Jennifer Granick (Law School)
       • A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, …
     • Berkeley
       • D Tygar, R Dhamija, …
       • Deidre Mulligan (UC Berkeley Law), …
     • CMU
       • A Perrig, D Song
       • B Parno, C Kuo
     • Partners and collaborators
       • US Secret Service, DHS/SRI Id Theft Tech Council, RSA Securities, …
       • R Rodriguez, D Maughan, …
     • And growing …

  4. Phishing Attack (diagram)
     • Attacker sends email: “There is a problem with your eBuy account”
     • User clicks on email link to www.ebuj.com
     • User thinks it is ebuy.com, enters eBuy username and password
     • Password sent to bad guy

  5. Sample phishing email (image)

  6. How does this lead to spoof page?
     • Link displayed
       • https://www.start.earthlink.net/track?billing.asp
     • Actual link in html email
       • source:https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
     • Website resolved to
       • http://202.69.39.30/snkee/billing.htm?session_id=8495...

  7. Spoof page (screenshot) http://202.69.39.30/snkee/....

  8. Typical properties of spoof sites
     • Show logos found on the honest site
       • Copied jpg/gif file, or link to honest site
     • Have suspicious URLs
     • Ask for user input
       • Some ask for CCN, SSN, mother’s maiden name, …
     • HTML copied from honest site
       • May contain links to the honest site
       • May contain revealing mistakes
     • Short lived
       • Cannot effectively blacklist spoof sites
     • HTTPS uncommon

  9. SpoofGuard browser extension
     • SpoofGuard is added to IE tool bar
     • User configuration
     • Pop-up notification as method of last resort
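The link on slide 6 and the spoof-site properties on slide 8 can be turned into a small scoring routine of the kind a toolbar heuristic would run before the page loads. The following is an added example, not SpoofGuard's own code; the redirect parameter names, the weights and the "last two labels" approximation of the registrable domain are my assumptions, and the sample link is the one shown on slide 6.

```python
"""Heuristic checks on a link from an HTML email, following the spoof-site
properties listed on slides 6, 8 and 9. Added example, not SpoofGuard's code;
the redirect parameter names, the weights and the "last two labels" domain
rule are my assumptions."""
import ipaddress
from urllib.parse import parse_qs, urlparse

# Sample input taken from slide 6: what the email displayed versus the real href.
DISPLAYED_LINK = "https://www.start.earthlink.net/track?billing.asp"
ACTUAL_HREF = ("https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c"
               "&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...")

REDIRECT_PARAMS = ("url", "redirect", "goto", "target")  # assumed names of forwarding parameters


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host):
    # Crude approximation: last two labels. Real code should use a public-suffix list (assumption).
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def final_destination(url):
    """Peel off a redirect-style query parameter; the tracking link on slide 6
    carries its real target in `url=`."""
    query = parse_qs(urlparse(url).query)
    for name in REDIRECT_PARAMS:
        if query.get(name):
            return query[name][0]
    return url


def score_link(displayed, href):
    """Return (score, reasons); higher means more spoof-like. Weights are assumptions."""
    score, reasons = 0, []
    dest = final_destination(href)
    shown, real = host_of(displayed), host_of(dest)
    if registrable(shown) != registrable(real):
        score += 3
        reasons.append(f"displayed host {shown!r} differs from destination {real!r}")
    if is_ip_literal(real):
        score += 2
        reasons.append("destination host is a raw IP address")
    if dest != href:
        score += 1
        reasons.append("link forwards through a redirect parameter")
    if urlparse(dest).scheme != "https":
        score += 1
        reasons.append("destination is not HTTPS")
    return score, reasons


if __name__ == "__main__":
    total, why = score_link(DISPLAYED_LINK, ACTUAL_HREF)
    print(f"suspicion score {total}")
    for r in why:
        print(" -", r)
```

For the slide 6 link every check fires (host mismatch, raw IP, redirect parameter, plain HTTP), while a link whose displayed and actual destinations agree scores zero; the point of the slide's "method of last resort" pop-up is that only the combined score, not any single property, should interrupt the user.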

  10. Berkeley: Dynamic Security Skins
     • Automatically customize secure windows
     • Visual hashes
       • Random Art - visual hash algorithm
       • Generate unique abstract image for each authentication
       • Use the image to “skin” windows or web content
     • Browser generated or server generated

  11. Browser Generated Images
     • Browser chooses random number and generates image
     • Can be used to modify border or web elements

  12. Server Generated Images
     • Server, browser independently generate same image
     • Server can customize its own page

  13. CMU Phoolproof prevention (diagram)
     • Eliminates reliance on perfect user behavior
     • Protects against keyloggers, spyware.
     • Uses a trusted mobile device to perform mutual authentication with the server

  14. Password Phishing Problem
     • User cannot reliably identify fake sites
     • Captured password can be used at target site
     (diagram labels: Bank A, pwdA, pwdA, Fake Site)

  15. Common Password Problem
     • Phishing attack or break-in at site B reveals pwd at A
     • Server-side solutions will not keep pwd safe
     • Solution: Strengthen with client-side support
     (diagram labels: pwdA = pwdB; Bank A, high security site; Site B, low security site)

  16. What is PwdHash?
     • Lightweight browser extension
     • Impedes password theft
     • Invisible to server
       • Compute site-specific password that appears “ordinary” to the server that receives it
     • Invisible to user
       • User indicates password to be hashed by alert sequence (@@) at beginning of pwd

  17. Password Hashing
     • Generate a unique password per site
       • HMACfido:123(banka.com) → Q7a+0ekEXb
       • HMACfido:123(siteb.com) → OzX2+ICiqc
     • Hashed password is not usable at any other site
       • Protects against password phishing
       • Protects against common password problem
     (diagram labels: pwdA = pwdB; hash(pwdA, BankA) → Bank A; hash(pwdB, SiteB) → Site B)

  18. Many additional issues
     • Malicious javascript in browser
       • Implement keystroke logger, keep scripts from reading user password entry
     • Password reset problem
     • Internet café
     • Dictionary attacks (defense: added salt)
     • Try it!
       • http://crypto.stanford.edu/SpoofGuard/
       • http://crypto.stanford.edu/PwdHash/
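The mechanism of slides 16 to 18 (alert sequence, per-site HMAC keyed with the password, salt against dictionary attacks) is easy to state in code. The following is an added example and not the PwdHash extension's own algorithm: PwdHash uses its own hash and encoding, so the outputs here do not reproduce the slide's Q7a+0ekEXb. Assumptions are HMAC-SHA256 keyed with the password over the site's domain, base64 output cut to 10 characters, a per-user salt the extension would store, and a "last two labels" rule for reducing a URL to its site.

```python
"""Site-specific password derivation in the spirit of slides 16 to 18. Added
example; not the PwdHash extension's algorithm (its hash and encoding differ,
so outputs do not match the slide's Q7a+0ekEXb). Assumptions: HMAC-SHA256
keyed with the user's password over the site's domain, output rendered as
base64 and cut to 10 characters, an optional per-user salt stored by the
extension against dictionary attacks, and "last two labels" for the domain."""
import base64
import hashlib
import hmac
from urllib.parse import urlparse

ALERT_SEQUENCE = "@@"  # typed at the start of a password to request hashing (slide 16)


def site_domain(url):
    """Key the hash on the site, not the page: last two labels of the host (assumption)."""
    host = (urlparse(url).hostname or url).lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def hash_password(password, url, salt="", length=10):
    """HMAC_password(domain), rendered so it looks like an ordinary password to the server."""
    key = (password + salt).encode("utf-8")
    mac = hmac.new(key, site_domain(url).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def submit_password(typed, url, salt=""):
    """What the server receives: the raw text unless it began with the alert sequence."""
    if not typed.startswith(ALERT_SEQUENCE):
        return typed
    return hash_password(typed[len(ALERT_SEQUENCE):], url, salt)


if __name__ == "__main__":
    # The same typed password at the bank, at an unrelated site, and at a look-alike domain
    for url in ("https://www.banka.com/login", "https://siteb.com/", "https://www.ebuj.com/login"):
        print(site_domain(url), submit_password("@@fido:123", url))
```

Running it shows the property the slides rely on: the value handed to ebuj.com is unrelated to the one banka.com stores, so a phished or leaked hash cannot be replayed elsewhere, while the same site always receives the same value regardless of path. The salt makes the stored value useless for an offline dictionary search over short passwords, which is the slide 18 point.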

  19. Tech Transfer
     • SpoofGuard
       • Some SpoofGuard heuristics now used in eBay toolbar and Earthlink ScamBlocker.
       • Very effective against basic phishing attacks.
     • PwdHash
       • Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords.
       • RSA SecurID passwords vulnerable to online phishing
       • PwdHash helps strengthen SecurID passwords
     • New browser extensions for privacy
       • SafeCache and SafeHistory

  20. Botnets
     • Collection of compromised hosts
       • Spread like worms and viruses
       • Once installed, respond to remote commands
     • Platform for many attacks
       • Spam forwarding
       • Keystroke logging
       • Distributed denial of service attacks
     • What more could a cybercriminal ask for?

  21. Botnet facts
     “Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, and creating more bots.” – Jim Lippard, Director, Information Security Operations, Global Crossing
     • Platforms
       • Most bots are compromised Windows machines
       • Most controllers are compromised Unix hosts running ircd
     • Example bot software:
       • Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot.
     • Versatile launching point for many attacks
       • 70% of spam from bots (MessageLabs, October 2004).
       • Most worms and viruses used to propagate bot software
       • Most denial of service attacks are orchestrated using bots

  22. GLBC: malware-infected hosts (chart)

  23. Building a Bot Network (diagram)
     Attacker makes compromise attempts against FreeBSD, Mac OS X and Win XP hosts

  24. Building a Bot Network (diagram)
     Attacker makes compromise attempts against FreeBSD, Mac OS X and Win XP hosts; the Win XP hosts are compromised and bot software is installed

  25. Step 2 (diagram)
     Each compromised Win XP host runs:
       /connect jade.va.us.dal.net
       /join #hacker
     (server shown: jade.va.dal.net)

  26. Step 3 (IRC channel log)
     (12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646
     (12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62
     (12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647
     (12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
     (12:59:28pm) (BadGuy) .scan.enable DCOM
     (12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650

  27. Underground commerce
     • Market in access to bots
       • Botherd: Collects and manages bots
       • Sample rates
         • Non-exclusive access to botnet: 10¢ per machine
         • Exclusive access: 25¢.
       • Payment via compromised account or cash to dropbox
     • Identity Theft
       • Keystroke logging
       • Complete identities available for $25 - $200+
         • Rates depend on financial situation of compromised person
         • Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
         • At $200+, usually includes full credit report
     [Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

  28. Detecting and disabling botnets
     • Unique characteristic: “rallying”
       • Bots spread like worms and trojans
       • Payloads may be common backdoors
       • Centralized control of botnet is characteristic feature
     • Current efforts
       • Spyware project with Stanford Law School
       • CMU botnet detection
         • Based on methods that bots use to hide themselves
       • Stanford host-based bot detection
         • Taint analysis, comparing network buffer and syscall args
       • Botnet and spyware survival
         • Spyblock: virtualization and containment of pwd, etc.
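The "rallying" signal that slide 28 names as the characteristic feature is visible in the channel log on slide 26: many freshly joined hosts with machine-generated nicks, and short dotted commands issued by one controller nick. The following added example runs those two checks over that log; it is not the CMU or Stanford detector, and the command vocabulary, the nick pattern and the burst threshold are my assumptions.

```python
"""Detection over an IRC channel log like the one on slide 26, looking for the
"rallying" signals of slide 28: a burst of hosts joining one channel, and
command-like lines from a single controller nick. Added example, not the CMU
or Stanford detectors; the command vocabulary, the nick pattern and the burst
threshold are my assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the six lines shown on slide 26.
SAMPLE_LOG = """\
(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650
"""

JOIN_RE = re.compile(r"^\((?P<ts>[^)]+)\) -- (?P<nick>\S+) \((?P<user>[^@]+)@(?P<host>[^)]+)\) "
                     r"has joined \((?P<chan>#[^)]+)\) Users : (?P<users>\d+)$")
MSG_RE = re.compile(r"^\((?P<ts>[^)]+)\) \((?P<nick>[^)]+)\) (?P<text>.+)$")
BOT_CMD_RE = re.compile(r"^\.(?:ddos|scan|download|update|keylog)\b")  # assumed bot command prefixes
GENERATED_NICK_RE = re.compile(r"^[A-Z]\d-[a-z]+$")  # shape of the nicks in the sample (assumption)


def parse_line(line):
    for kind, rx in (("join", JOIN_RE), ("msg", MSG_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None  # parts, quits and anything else are ignored here


def to_seconds(ts):
    t = datetime.strptime(ts, "%I:%M:%S%p")
    return t.hour * 3600 + t.minute * 60 + t.second


def analyze(log_text, window=2, threshold=3):
    """Return controller commands, who issued them, join bursts per channel,
    and how many joiners carry a generated-looking nick."""
    events = [e for e in (parse_line(l.strip()) for l in log_text.splitlines()) if e]
    commands = [(e["nick"], e["text"]) for e in events
                if e["kind"] == "msg" and BOT_CMD_RE.match(e["text"])]
    controllers = Counter(nick for nick, _ in commands)
    joins = defaultdict(list)
    for e in events:
        if e["kind"] == "join":
            joins[e["chan"]].append(to_seconds(e["ts"]))
    bursts = []
    for chan, times in joins.items():
        # largest number of joins falling inside any `window`-second span
        peak = max(sum(1 for u in times if 0 <= u - t < window) for t in times)
        if peak >= threshold:
            bursts.append((chan, peak))
    generated = sum(1 for e in events if e["kind"] == "join" and GENERATED_NICK_RE.match(e["nick"]))
    return {"commands": commands, "controllers": controllers,
            "join_bursts": bursts, "generated_nicks": generated}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, three joins to #owned land within two seconds, all three joiners have the A9-/A6- style nick, and every command-like line comes from one nick. Any one of these is weak on its own (a popular channel also sees join bursts); together they are the centralized-control pattern the slide describes, and on a real ircd the same logic would run over the server log rather than a channel transcript.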

  29. Future challenges
     • Criminals become increasingly sophisticated
       • “In 25 years of law enforcement, this is the closest thing I’ve seen to the perfect crime” – Don Wilborn
     • Increasing interest at server side
       • Losses are significant
     • Need improved platform security
       • Protect assets from crimeware
     • Need improved web authentication
       • Basic science can be applied to solve problem: challenge-response, two-factor auth, …
     • Social awareness, legal issues, and human factors
       • Studies with Law Clinics; user studies
     • Technology transfer
       • More free software, RSA Security, …
