Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Mining

phishing

advertisement 
Phishing
markus.jakobsson@parc.com
Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption,
Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt,
communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that
is considered secret in the application layer?
The human factor of security
Deceit
Neglect
Configuration
The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion
of Wireless Home Routers”
(Journal of Digital Forensic Practice, Volume 1,
Special Issue 3, November 2006)
wardriving
rootkitting
Shows that more than
50% of APs are vulnerable
The human factor: configuration
Weak passwords
With Stamm, Ramzan: “Drive-By Pharming”
(Symantec press release, Feb 15, 2007; top story on Google Tech news
on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think
all APs but Apple’s are at risk. Firmware update tested on only a few.
Paper in submission)
“Use DNS server x.x.x.x”
And worse: geographic spread!
The human factor: neglect
The human factor: deceit
(Threaten/disguise - image credit to Ben Edelman)
The human factor: deceit
Self: “Modeling and Preventing Phishing Attacks”
(Panel, Financial Crypto, 2005 - notion of spear phishing)
With Jagatic, Johnson, Menczer: “Social Phishing”
(Communications of the ACM, Oct 2007)
With Finn, Johnson: “Why and How to Perform
Fraud Experiments”
(IEEE Security and Privacy,March/April 2008)
Experiment Design
Gender Effects
80%
70%
Success Rate
60%
50%
40%
30%
20%
10%
0%
To Any
From
Any
To Female
From
Female
To Male
From
Male
To Male
To Female
To Any
From Male
53%
78%
68%
From Female
68%
76%
73%
From Any
65%
77%
72%
Ethical and accurate assessments
With Ratkiewicz “Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features” (WWW, 2006)
Reality:
2
1
B
A
4
eBay
3 credentials
Ethical and accurate assessments
With Ratkiewicz “Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features” (WWW, 2006)
Attack:
1 (spoof)
A
2 credentials
B
Ethical and accurate assessments
With Ratkiewicz “Designing Ethical Phishing Experiments:
A study of (ROT13) rOnl auction query features” (WWW, 2006)
A
Experiment:
2
2
1
B
A
1
5 eBay
4 credentials
Yield (incl spam filtering loss): 11% +-3% …“eBay greeting” removed: same
Mutual
authentication
in the “real world”
With Tsow,Shah,Blevis,Lim,
“What Instills Trust? A
Qualitative Study of Phishing”
(Abstract at Usable Security,
2007)
starting with 4901
How does the typical Internet
user identify phishing?
Spear Phishing and Data Mining
Current attack style:
Approx 3% of adult Americans report to have been victimized.
Spear Phishing and Data Mining
More sophisticated attack style:
“context aware attack”
How can information be derived?
Jane Smith
Jose Garcia
Jane Garcia, Jose Garcia
… and little Jimmy Garcia
Let’s start from the end!
“Little” Jimmy
his parents
their marriage
license
and Jimmy’s mother’s maiden name: Smith
More reading: Griffith and Jakobsson, "Messin' with Texas:
Deriving Mother's Maiden Names Using Public Records."
www.browser-recon.info
Approximate price list:
PayPal user id + password
+ challenge questions
Why?
$1
$15
Password Reset:
Typical Questions
•
•
•
•
•
•
•
•
Make of your first car
Mother’s maiden name
City of your birth
Date of birth
High school you graduated from
First name of your / your sister’s best friend
Name of your pet
How much wood would a woodchuck …
Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford has >25% market share
• First name of your best friend?
– 10% of males named James (Jim), John, or
Robert (Bob or Rob) + Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online
Problem 2: People Forget
• Name of the street you grew up on?
– There may have been more than one
• First name of your best friend / sisters best friend?
– Friends change, what if you have no sister?
• City in which you were born?
– NYC? New York? New York City? Manhattan? The Big
Apple?
• People lie to increase security … then forget!
Intuition
Preference-based authentication:
• preferences are more stable than longterm memory (confirmed by psychology
research)
• preferences are rarely documented (in
contrast to city of birth, brand of first car,
etc.) … especially dislikes!
Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
Our Approach (2)
And next?
http://www. democratic-party.us/LiveEarth
http://www. democratic-party.us/LiveEarth
Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenId
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal
Interesting?
Internships at PARC / meet over coffee / etc.
markus.jakobsson@parc.com
Related documents
The following malicious email was received by members of the
The following malicious email was received by members of the
Internet Safety - CFFinfo
Internet Safety - CFFinfo
PCC_Social-Engineering_2014_Final
PCC_Social-Engineering_2014_Final
Security Awareness for ISACA
Security Awareness for ISACA
Highly-Optimized Provably
Highly-Optimized Provably
Presentation - myroyalmail
Presentation - myroyalmail
Network Security - Information Technology at the Johns Hopkins
Network Security - Information Technology at the Johns Hopkins
Error report - Finanssivalvonta
Error report - Finanssivalvonta
Phishing & Botnets - Information Security Pro
Phishing & Botnets - Information Security Pro
optional - EmailTracing
optional - EmailTracing
Some Technical Suggestions for Institutions Targeted By
Some Technical Suggestions for Institutions Targeted By
Document9387706 9387706
Document9387706 9387706
FinalReportV10
FinalReportV10
PHishLurkV14
PHishLurkV14
Download
advertisement