TRUST, Berkeley Meetings, March 19-21, 2007
Online ID Theft, Phishing, and Malware
Primary faculty
Stanford: Boneh, Mitchell
Berkeley: Tygar,Mulligan
CMU: Perrig, Song
Topics
Phishing detection and prevention
– Browser extensions, Server support
– Cache and link attacks, timing attacks, …
– Authentication using trusted platforms: Smartphone, Virtualization, Password token
User interface issues
– Tricky problem: users are fooled
– Do users understand EULAs? (need I ask?)
Malware detection and mitigation
– Signature generation
– Behavioral botnet detection
Some of the team
Classical phishing attack
Attacker sends email: “There is a problem with your eBuy account”
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username and password.
Password sent to bad guy
Modern threats
Spear phishing
– Targeted email to known customers, evade spam filter
Man-in-the-middle attacks
– Forward communication to honest server
– Attack one-time passwords, server defenses
Cookie theft
Keyloggers
– Install via worms, or as browser infections
– Acoustic emanations
Botnets
– Host keyloggers, send spam, steal credentials, etc.
– Vint Cerf: as many as ¼ of all machines on Internet
Many user interface issues related to deception
Basic questions
Security of human/computer systems
– Phishing: not attack on OS, network protocol, or computer application
– Attack on user through the user’s computer
Deception works because user has incomplete and unreliable information, or does not understand the information that is presented
Web authentication
– How can clients and servers authenticate each other?
– Passwords are low entropy but easy to remember
– Images, other indicators easy to spoof, esp. if attacker has info about user
Isolation for web “sessions”
– Implicit notion of process user visiting site
– Many complexities: ads, redirects, mashups
Privacy expectations and laws
– Users transmit sensitive information to web sites
– What privacy can they expect? How can this be guaranteed?
Part of the problem is to identify and articulate the core issues
– Principled understanding of web activity will lead to more secure browser design, clearer understanding of contract between browser and server, better server practices
Berkeley: Dynamic Security Skins
Automatically customize secure windows
Visual hashes
– Random Art - visual hash algorithm
– Generate unique abstract image for each authentication
– Use the image to “skin” windows or web content
– Browser generated or server generated
Commercial spin-off
CMU Phoolproof prevention
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware.
Uses a trusted mobile device to perform mutual authentication with the server
SafeHistory
Adaptive phishing attacks (a super-phish):
– Phishing site queries browser’s visited links:

```html
<!-- the :visited style (and its background fetch) only applies if example.com is in the browser history -->
<style>a:visited { background: url(track.php?example.com); }</style>
<a href="http://example.com/">Hi</a>
```

– Presents phishing page based on visited links
SafeHistory (www.safehistory.com):
– Enforce “same origin policy” on browser state
Tech transfer: Available as Firefox extension
– www.safehistory.com
PwdHash (www.pwdhash.com)
pwd → Hash(pwd, domain-name)
Browser extension for stronger pwd auth.
– Mostly transparent to users
– Main challenge: block Javascript-based attacks
Recent work:
– Tech transfer: integrate with RSA SecurID server
– Consistent interface for IE and Firefox extensions
– Computerworld 2006 Horizon award
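The pwd → Hash(pwd, domain-name) idea, as an added example that is not PwdHash's own code: the hash is assumed to be HMAC-SHA256 keyed on the master password, applied to the registrable domain of the page that receives the password (the two-label domain reduction and the output encoding are simplifications made for this example).

```python
"""
Added example (not PwdHash's own code): per-site password derivation
in the spirit of pwd -> Hash(pwd, domain-name).

Assumptions (not from the slides): the hash is HMAC-SHA256 keyed on the
master password, the hash input is the registrable domain of the page
receiving the password, and the output is encoded so ordinary login
forms accept it.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Reduce a URL to the domain used as the hash input.

    Simplified assumption: keep the last two host labels
    (www.ebuy.com -> ebuy.com). A real deployment needs a public-suffix
    list to handle hosts such as example.co.uk.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master_pwd: str, url: str, length: int = 16) -> str:
    """Return the per-site password Hash(pwd, domain-name).

    The master password never leaves the browser; each site only ever
    sees the value derived for its own domain.
    """
    domain = site_domain(url)
    digest = hmac.new(master_pwd.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # URL-safe base64 keeps the value printable; truncate to a length
    # that typical password fields accept.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def phish_gets_real_password(master_pwd: str, real: str, phish: str) -> bool:
    """True only if a look-alike site would receive the same value as the
    legitimate site (with domain-keyed hashing it should not)."""
    return site_password(master_pwd, real) == site_password(master_pwd, phish)


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample value
    legit = "https://www.ebuy.com/login"
    fake = "https://www.ebuj.com/login"       # look-alike domain from the slide
    print("ebuy.com ->", site_password(master, legit))
    print("ebuj.com ->", site_password(master, fake))
    print("phisher learns real password:",
          phish_gets_real_password(master, legit, fake))
```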
Berkeley: Understanding EULAs
Confirmed previous study: EULAs are not effective in informing users even when agreements are read by user
– Users exhibit high installation rates, lack of knowledge about program & high regret
Short notice before or after the installation can significantly influence users’ behavior if subjects paused to read them
– Lower installation rates, but still noticeable regret
– Reading times correlated with decision making & regret
– Post notice more effective in grabbing attention of every user
– Other support mechanisms needed to help user
Last TRUST Review: Stanford study on spyware motivated by EULA legal issues
Malware detection
Minesweeper: Automatically Identifying Trigger-based Behavior in Programs– Dawn Song, CMU
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis– Dawn Song, CMU
BotSwat: Host-based behavioral bot detection– Liz Stinson, John Mitchell, Stanford
Privacy and ID Theft Issues in ePassports
Recent RFID passport requirements in U.S. and Germany
Uses Basic Access Control
Passport holder has no way of knowing if their passport is being scanned.
Uses an ISO14443 contactless RFID chip from Infineon with 64K memory
Contains JPEGs of photos and fingerprints
ePassports
• Guessing the access key: the access key is derived from the MRZ, which consists of passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birth year?
• Traceability: RFID systems use fixed unique low-level tag identifiers, making an ePassport traceable.
• Eavesdropping: “Listening” to a legitimate reader-RFID conversation
• Often overlooked: Fallback: What if my biometric identity has been compromised? How can I prove “it wasn’t me”?
Research Spotlight
Cookie Management
• Locked IP Cookies
• Doppelganger
Doug Tygar
Chris Karlof
David Wagner
Umesh Shankar
Cookie Management
Cookies are both a challenge and opportunity for ID theft protection
Doppelganger: a system for automatically sensing how cookies are used
IP locked cookies: a framework alternative to anti-phishing, anti-pharming
– Unlike existing solutions (SiteKey) robust against man-in-the-middle attacks
Berkeley: Doppelganger
(Karlof, U. Shankar)
Flexible automatic cookie management
Notes when cookies make a difference to a web page
Berkeley: Locked IP cookies
Powerful solution to Phishing (Karlof, Tygar, Wagner)
Research Spotlight
Keyboard Acoustic Emanations
Li Zhuang
Feng Zhou
Doug Tygar
Keyboard Acoustic Sniffing
Acoustic emanations from keyboard
Example of statistical learning techniques in computer security (vulnerability analysis, detection)
Overview
Figure: recognition pipeline. Initial training: wave signal → Feature Extraction → Sample Collector → Unsupervised Learning → Language Model Correction → Classifier Builder, producing the keystroke classifier and recovered keystrokes. Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction (optional) → recovered keystrokes.
Two Copies of Recovered Text
Figure: the same recovered text shown before and after spelling and grammar correction (underlined = errors in recovery; also marked = errors corrected by grammar).
Experiment
Single keyboard
– Logitech Elite Duo wireless keyboard
– 4 data sets recorded in two settings: quiet & noisy
Keystrokes are clearly separable from consecutive keys
– Automatically extract keystroke positions in the signal with some manual error correction
Data sets

| | Recording length | Number of words | Number of keys |
|---|---|---|---|
| Set 1 | ~12 min | ~400 | ~2500 |
| Set 2 | ~27 min | ~1000 | ~5500 |
| Set 3 | ~22 min | ~800 | ~4200 |
| Set 4 | ~24 min | ~700 | ~4300 |

Recovery results (%), Word / Char per set:

| | Set 1 Word | Set 1 Char | Set 2 Word | Set 2 Char | Set 3 Word | Set 3 Char | Set 4 Word | Set 4 Char |
|---|---|---|---|---|---|---|---|---|
| Initial | 35 | 76 | 39 | 80 | 32 | 73 | 23 | 68 |
| Final | 90 | 96 | 89 | 96 | 83 | 95 | 80 | 92 |
Research Spotlight
Timing Attacks
Web servers are vulnerable to timing attacks that reveal useful phishing information
Andrew Bortz
Palash Nandy
Dan Boneh
John Mitchell
Spear-Phishing
Targeted email to known potential victims, e.g., customers of specific bank
– Beat existing techniques for filtering
– Higher success rate
– Lower detection rate
But need to know sites a user visits
– Generally hard to obtain this type of data
Forget your password?
Most sites have “Forgot my password” pages
– These pages frequently leak whether an email is valid or not at that site
Direct Timing
Time a login attempt
The response time of the server depends on whether the email address used is valid or not
This problem affects every tested web site!
Cross-Site Timing Attack
Hijack a user’s browser session to time sites
Many timing dependencies on the user’s relationship with the target site
Here, we can distinguish logged in from not
Solutions and Future Work
Good solutions are server-side
– Client-side solutions exist only for cross-site timing, and they are brittle
Controlling response time to mitigate attacks
– Eliminate problem by making every response take the same amount of time
– If that is impossible, then “round” the amount of response time
Future work:
– Apache module to control response time automatically
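The server-side mitigation above, applied to the “Forgot my password” leak from the earlier slide, as an added example that is not the authors' code: the handler returns one message whether or not the address exists, and a wrapper either pads every response to a fixed duration or rounds the elapsed time up to a quantum. The handler names, the sample user table and the sleep that stands in for sending mail are assumptions made for this example.

```python
"""
Added example (not the authors' code): controlling response time on the
server so that a "forgot my password" page does not reveal whether an
e-mail address is registered. Handler names, the user table and the
sleep standing in for mail delivery are constructed for this example.
"""
import time

# Constructed sample user table: only these addresses are "valid".
USERS = {"alice@example.com": "hash-of-alice", "bob@example.com": "hash-of-bob"}


def forgot_password_leaky(email: str) -> str:
    """Vulnerable shape: a different message and different work per branch."""
    if email in USERS:
        time.sleep(0.005)        # stand-in for sending the reset e-mail
        return "Reset link sent"
    return "No account for that address"


def forgot_password_uniform(email: str) -> str:
    """Same message whichever branch runs; the timing is handled by the wrapper."""
    if email in USERS:
        time.sleep(0.005)
    return "If that address is registered, a reset link has been sent"


def round_up(elapsed: float, quantum: float) -> float:
    """Smallest multiple of `quantum` that is >= elapsed (the 'round' option)."""
    steps = int(elapsed / quantum)
    if steps * quantum < elapsed:
        steps += 1
    return steps * quantum


def padded_response(handler, arg, fixed=None, quantum=0.01):
    """Run handler(arg) and delay the reply so the total time is either exactly
    `fixed` seconds (must exceed the handler's worst case) or the elapsed time
    rounded up to a multiple of `quantum`. Returns (reply, total_seconds)."""
    start = time.perf_counter()
    reply = handler(arg)
    elapsed = time.perf_counter() - start
    target = fixed if fixed is not None else round_up(elapsed, quantum)
    if target > elapsed:
        time.sleep(target - elapsed)
    return reply, time.perf_counter() - start


if __name__ == "__main__":
    for email in ("alice@example.com", "nobody@example.com"):
        reply, total = padded_response(forgot_password_uniform, email, fixed=0.05)
        print(f"{email:22s} {reply!r} in {total * 1000:.1f} ms")
```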
Research Spotlight
User Interfaces
An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
Collin Jackson
Dan Simon, Desney Tan
Adam Barth
Anti-Phishing Features in IE7
Picture-in-Picture Attack
Results: Is this site legitimate?
Future– More user studies, UI evaluations
Research Spotlight
Minesweeper:
Automatically Identifying Trigger-based Behavior in Programs
Dawn Song
Research Spotlight
BotSwat
Host-based behavioral bot detection
Dawn Song
Elizabeth Stinson
John Mitchell
Botnet
Figure: botnet topology: bot master → Intermediary → IRC svr, IRC svr, IRC svr, ...
sample bot commands
execute {0,1} <prog_path> [params]
killprocess <proc_name>
makedir <loc_path>
http.execute <URL> <local_path>
ping <host/IP> <num> <size> <t_out>
scan <IP> <port> <delay>
redirect <loc_port> <rem_host> <rem_port>
ddos.httpflood <URL> <#> <ref> <recurse?>
BotSwat
Figure: BotSwat tracks data from taint SOURCES to SINKS such as bind(…), CreateProcessA(…), NtCreateFile(…), ...
Host-based bot detection
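A minimal host-based behavioral check in the style of the BotSwat slides, as an added example that is not BotSwat's code: data arriving from the network (a taint source such as recv) is followed through buffer copies, and a sensitive sink (CreateProcessA, NtCreateFile, bind, ...) called with such data is flagged. The event format, buffer ids and both traces are constructed for this example.

```python
"""
Added example (not BotSwat's code): flag system-call sinks whose arguments
carry network-derived data, run over a constructed API-call trace.
The event format, buffer ids and the traces are assumptions for this example.
"""
from typing import List, Optional, Set, Tuple

SOURCES = {"recv", "WSARecv"}                               # network data enters
SINKS = {"CreateProcessA", "NtCreateFile", "bind", "connect"}  # sensitive actions
COPIES = {"memcpy", "strcpy", "lstrcpyA"}                   # propagate taint

# Each event: (api name, argument buffer ids, result buffer id or None)
Event = Tuple[str, List[str], Optional[str]]


def detect_remote_control(trace: List[Event]) -> List[str]:
    """Return one alert per sink call whose arguments are network-tainted."""
    tainted: Set[str] = set()
    alerts: List[str] = []
    for api, args, result in trace:
        if api in SOURCES and result:
            tainted.add(result)                      # source: mark the buffer
        elif api in COPIES and result:
            if any(a in tainted for a in args):      # taint follows copies
                tainted.add(result)
        elif api in SINKS:
            hit = [a for a in args if a in tainted]
            if hit:
                alerts.append(f"{api}({', '.join(args)}): tainted {hit}")
    return alerts


# Constructed trace: a bot receives a command, copies it, then executes it.
BOT_TRACE: List[Event] = [
    ("recv", ["sock1"], "buf_net"),
    ("memcpy", ["buf_net"], "buf_cmd"),
    ("CreateProcessA", ["buf_cmd"], None),
    ("NtCreateFile", ["buf_local"], None),       # local data: not flagged
]

# Constructed trace of a benign client: only local data reaches the sinks.
BENIGN_TRACE: List[Event] = [
    ("recv", ["sock1"], "buf_page"),
    ("NtCreateFile", ["buf_cache_path"], None),
    ("CreateProcessA", ["buf_helper"], None),
]

if __name__ == "__main__":
    print("bot:   ", detect_remote_control(BOT_TRACE))
    print("benign:", detect_remote_control(BENIGN_TRACE))
```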
ID Theft Knowledge Transfer
Technology Transition Plan
PwdHash: RSA Security (www.pwdhash.com)
– Initial integration completed fall 2006
– Hope to convince IE team to embed natively in IE
SpyBlock deployment:
– Available at http://getspyblock.com/
– Relevant companies: Mocha5, VMWare
– Dialog with companies about transaction generators
SafeHistory: Microsoft, Mozilla.
– Available at www.safehistory.com
Public relations activities
News articles on PwdHash:
– Many articles in popular press, still appearing
– Computerworld Horizon Award: August 2006
SafeHistory & SafeCache:
– WWW ’06 paper
Timing attacks:
– WWW ’07 paper
SpyBlock and transaction generation:
– Report completed; conference paper in process
PwdHash and RSA SecurID
Tech transfer: available as IE and Firefox extensions
– Working to convince MS to embed natively into IE
Integration with RSA SecurID:
– Motivation: “man in the middle” phishing attacks defeat one-time password systems
– Phase I: apply PwdHash to one-time passwords; requires updates to SecurID server and PwdHash
– Phase II: authenticate server to client; planned for next year