Online ID Theft, Phishing, and Malware

Primary faculty
– Stanford: Boneh, Mitchell
– Berkeley: Tygar, Mulligan
– CMU: Perrig, Song

TRUST, Berkeley Meetings, March 19-21, 2007

Topics

– Phishing detection and prevention
  – Browser extensions, server support
  – Cache and link attacks, timing attacks, …
  – Authentication using trusted platforms
– User interface issues
  – Smartphone, virtualization, password token
  – Tricky problem: users are fooled
  – Do users understand EULAs? (need I ask?)
– Malware detection and mitigation
  – Signature generation
  – Behavioral botnet detection

Some of the team

Classical phishing attack

1. Attacker sends email: "There is a problem with your eBuy account"
2. User clicks on the email link to www.ebuj.com
3. User thinks it is ebuy.com, enters eBuy username and password
4. Password is sent to the bad guy

Modern threats

– Spear phishing
  – Targeted email to known customers, evades spam filter
– Man-in-the-middle attacks
  – Forward communication to honest server
  – Attack one-time passwords, server defenses
– Keyloggers
  – Install via worms, or as browser infections
– Acoustic emanations
– Cookie theft
– Botnets
  – Host keyloggers, send spam, steal credentials, etc.
  – Vint Cerf: as many as ¼ of all machines on the Internet
– Many user interface issues related to deception

Basic questions

– Security of human/computer systems
  – Phishing: not an attack on the OS, a network protocol, or a computer application
  – Attack on the user through the user's computer
– Web authentication
  – Implicit notion of process: user visiting site
  – Many complexities: ads, redirects, mashups
  – Privacy expectations and laws
  – How can clients and servers authenticate each other?
  – Passwords are low entropy but easy to remember
  – Images, other indicators easy to spoof, esp. if attacker has info about the user
  – Isolation for web "sessions"
– Deception works because the user has incomplete and unreliable information, or does not understand the information that is presented
– Users transmit sensitive information to web sites: what privacy can they expect? How can this be guaranteed?
– Part of the problem is to identify and articulate the core issues
  – Principled understanding of web activity will lead to more secure browser design, clearer understanding of the contract between browser and server, better server practices

Berkeley: Dynamic Security Skins

– Automatically customize secure windows
– Visual hashes
  – Random Art: visual hash algorithm
  – Generate a unique abstract image for each authentication
  – Use the image to "skin" windows or web content
  – Browser generated or server generated
– Commercial spin-off

CMU: Phoolproof prevention

– Eliminates reliance on perfect user behavior
– Protects against keyloggers, spyware
– Uses a trusted mobile device to perform mutual authentication with the server

SafeHistory (www.safehistory.com)

Adaptive phishing attacks (a "super-phish"):
– Phishing site queries the browser's visited links:

    <style>a:visited { background: url(track.php?example.com); }</style>
    <a href="http://example.com/">Hi</a>

– Presents a phishing page based on the visited links

SafeHistory:
– Enforce the "same origin policy" on browser state
– Tech transfer: available as a Firefox extension (www.safehistory.com)

PwdHash (www.pwdhash.com)

Browser extension for stronger password authentication.
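Added example, not code from either extension, modelling the two browser-side rules the SafeHistory and PwdHash slides describe: SafeHistory's same-origin check on visited-link state, and PwdHash's per-domain password derivation (pwd → Hash(pwd, domain-name)). The history store, the HMAC construction and the domain-extraction shortcut are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# SafeHistory-style rule.  Assumed store: (origin of the page the user was
# on, link URL) pairs, i.e. visited-link state keyed by who showed the link.
# The real extension's storage layout is not reproduced here.
HISTORY = {
    ("https://example.com", "https://example.com/"),
    ("https://example.com", "https://example.com/account"),
}

def origin(url):
    """scheme://host[:port], the unit the same-origin rule keys on."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def renders_as_visited(page_url, link_url, history=HISTORY):
    """True only if link_url was visited from the same origin as page_url.
    A page on another origin probing example.com links with a :visited
    style sees them all as unvisited, so the probe learns nothing."""
    return (origin(page_url), link_url) in history

# PwdHash-style rule.  Assumed construction: HMAC-SHA256 keyed by the typed
# password over the site's registrable domain, base64-encoded and truncated
# so it is still typeable.  The real PwdHash uses an older hash and its own
# encoding; the property shown is the same.
def site_domain(url):
    """Registrable domain, simplified here to the last two host labels."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def pwdhash(password, url, length=12):
    """pwd -> Hash(pwd, domain-name): the value the site actually receives."""
    mac = hmac.new(password.encode(), site_domain(url).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()[:length]

if __name__ == "__main__":
    # One typed password becomes different site passwords at ebuy.com and at
    # the look-alike ebuj.com, so a value phished at ebuj.com is useless.
    print(pwdhash("hunter2", "https://www.ebuy.com/login"))
    print(pwdhash("hunter2", "https://www.ebuj.com/login"))
```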
– Mostly transparent to users
– Main challenge: block JavaScript-based attacks
– pwd → Hash(pwd, domain-name)

Recent work:
– Tech transfer: integrate with RSA SecurID server
– Consistent interface for IE and Firefox extensions
– Computerworld 2006 Horizon award

Berkeley: Understanding EULAs

– Confirmed previous study: EULAs are not effective in informing users, even when the agreements are read by the user
  – Users exhibit high installation rates, lack of knowledge about the program, and high regret
– A short notice before or after the installation can significantly influence users' behavior if subjects pause to read it
  – Lower installation rates, but still noticeable regret
  – Reading times correlated with decision making and regret
  – Post-notice more effective in grabbing the attention of every user
  – Other support mechanisms needed to help the user
– Last TRUST review: Stanford study on spyware motivated by EULA legal issues

Malware detection

– Minesweeper: Automatically Identifying Trigger-based Behavior in Programs (Dawn Song, CMU)
– Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis (Dawn Song, CMU)
– BotSwat: Host-based behavioral bot detection (Liz Stinson, John Mitchell, Stanford)

Privacy / ID Theft Issues in ePassports

– Recent RFID passport requirements in the U.S. and Germany
– Uses Basic Access Control
– Passport holder has no way of knowing if their passport is being scanned
– Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory
– Contains JPEGs of photos and fingerprints

ePassports

• Guessing the access key: the access key is derived from the MRZ, which consists of passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #.
  If you can see the passport holder, can a hacker guess someone's year of birth?
• Traceability: RFID systems use fixed, unique low-level tag identifiers, making an ePassport traceable.
• Eavesdropping: "listening" to a legitimate reader–RFID conversation.
• Often overlooked, fallback: what if my biometric identity has been compromised? How can I prove "it wasn't me"?

Research Spotlight: Cookie Management
Chris Karlof, Umesh Shankar, David Wagner, Doug Tygar
• Locked IP Cookies
• Doppelganger

Cookie Management

– Cookies are both a challenge and an opportunity for ID theft protection
– Doppelganger: a system for automatically sensing how cookies are used
– IP-locked cookies: a framework alternative to anti-phishing, anti-pharming
  – Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks

Berkeley: Doppelganger (Karlof, U. Shankar)

– Flexible automatic cookie management
– Notes when cookies make a difference to a web page

Berkeley: Locked IP cookies (Karlof, Tygar, Wagner)

– Powerful solution to phishing

Research Spotlight: Keyboard Acoustic Emanations
Li Zhuang, Feng Zhou, Doug Tygar
Keyboard Acoustic Sniffing

– Acoustic emanations from the keyboard (diagram: Alice's password)
– Example of statistical learning techniques in computer security (vulnerability analysis, detection)

Overview (pipeline diagram)

– Initial training: wave signal → Feature Extraction → Unsupervised Learning → Language Model Correction → Sample Collector → Classifier Builder → keystroke classifier
– Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction (optional) → recovered keystrokes

Two Copies of Recovered Text (figure)

– Before spelling and grammar correction
– After spelling and grammar correction
– Legend: underlined = errors in recovery; marked = errors corrected by grammar

Experiment

– Single keyboard: Logitech Elite Duo wireless keyboard
– 4 data sets recorded in two settings: quiet and noisy
– Keystrokes are clearly separable from consecutive keys
– Automatically extract keystroke positions in the signal, with some manual error correction

Data sets

Set     Recording length   Number of words   Number of keys
Set 1   ~12 min            ~400              ~2500
Set 2   ~27 min            ~1000             ~5500
Set 3   ~22 min            ~800              ~4200
Set 4   ~24 min            ~700              ~4300

Recovery rate (%)   Set 1         Set 2         Set 3         Set 4
                    Word   Char   Word   Char   Word   Char   Word   Char
Initial             35     76     39     80     32     73     23     68
Final               90     96     89     96     83     95     80     92

Research Spotlight: Timing Attacks
Andrew Bortz, Dan Boneh, Palash Nandy, John Mitchell
Web servers are vulnerable to timing attacks that reveal useful phishing information.
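The server-side fix that this spotlight's Solutions slide proposes (make every response take the same time, or else "round" it), as an added example; this is illustration code, not the group's Apache module. The user table, the 50 ms bucket and the shape of `leaky_login` are constructed assumptions.

```python
import hashlib
import math
import time
from functools import wraps

# Constructed user table for the demo (a real server would hit a database).
USERS = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}

def leaky_login(email, password):
    """Shape of the flaw on the 'Direct Timing' slide: an unknown address
    returns at once, a known one pays for the password check, so the
    response time tells a remote caller whether the email is registered."""
    stored = USERS.get(email)
    if stored is None:
        return False
    return hashlib.sha256(password.encode()).hexdigest() == stored

def padding_needed(elapsed, bucket):
    """Seconds to sleep so the total time is the next multiple of `bucket`
    (the slide's 'round the response time' option); at least one bucket."""
    steps = max(1, math.ceil(elapsed / bucket))
    return max(0.0, steps * bucket - elapsed)

def rounded_response(bucket):
    """Decorator: the caller sees a duration that is a multiple of `bucket`
    seconds (plus scheduler jitter), whatever the handler itself took."""
    def deco(handler):
        @wraps(handler)
        def wrapped(*args, **kwargs):
            start = time.perf_counter()
            try:
                return handler(*args, **kwargs)
            finally:
                time.sleep(padding_needed(time.perf_counter() - start, bucket))
        return wrapped
    return deco

# Hardened form: same answers, but unknown and known addresses both take
# one 50 ms bucket, so the timing channel from the slide is closed.
padded_login = rounded_response(0.05)(leaky_login)

def median_seconds(fn, *args, n=5):
    """Median wall-clock time of fn(*args) over n calls, in seconds."""
    samples = []
    for _ in range(n):
        t0 = time.perf_counter()
        fn(*args)
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[n // 2]
```

Rounding only hides the difference when the bucket is at least as long as the slowest legitimate path; if known and unknown addresses land in different buckets, the leak is merely coarser, not gone.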
Spear-Phishing

– Targeted email to known potential victims, e.g., customers of a specific bank
  – Beats existing techniques for filtering
  – Higher success rate
  – Lower detection rate
– But need to know the sites a user visits
  – Generally hard to obtain this type of data

Forget your password?

– Most sites have "Forgot my password" pages
  – These pages frequently leak whether an email is valid or not at that site

Direct Timing

– Time a login attempt
– The response time of the server depends on whether the email address used is valid or not
– This problem affects every tested web site!

Cross-Site Timing Attack

– Hijack a user's browser session to time sites
– Many timing dependencies on the user's relationship with the target site
– Here, we can distinguish logged in from not

Solutions and Future Work

– Good solutions are server-side
  – Controlling response time to mitigate attacks
  – Eliminate the problem by making every response take the same amount of time
  – If that is impossible, then "round" the amount of response time
– Client-side solutions exist only for cross-site timing, and they are brittle
– Future work: Apache module to control response time automatically

Research Spotlight: User Interfaces
Collin Jackson, Dan Simon, Desney Tan, Adam Barth
An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Anti-Phishing Features in IE7 (figure)

Picture-in-Picture Attack (figure)
Results: Is this site legitimate? (figure)

Future
– More user studies, UI evaluations

Research Spotlight: Minesweeper: Automatically Identifying Trigger-based Behavior in Programs
Dawn Song

Research Spotlight: BotSwat, Host-based behavioral bot detection
Elizabeth Stinson, John Mitchell, Dawn Song

Botnet (diagram)
bot master → intermediary → IRC svr, IRC svr, IRC svr, ...

Sample bot commands:

    execute {0,1} <prog_path> [params]
    killprocess <proc_name>
    makedir <loc_path>
    http.execute <URL> <local_path>
    ping <host/IP> <num> <size> <t_out>
    scan <IP> <port> <delay>
    redirect <loc_port> <rem_host> <rem_port>
    ddos.httpflood <URL> <#> <ref> <recurse?>

BotSwat (diagram)
Sources (?) → BotSwat → Sinks: bind(…), CreateProcessA(…), NtCreateFile(…), ...

Host-based bot detection

ID Theft Knowledge Transfer

Technology Transition Plan

– PwdHash: RSA Security (www.pwdhash.com)
  – Initial integration completed fall 2006
  – Hope to convince IE team to embed natively in IE
– SpyBlock deployment:
  – Available at http://getspyblock.com/
  – Relevant companies: Mocha5, VMWare
  – Dialog with companies about transaction generators
– SafeHistory: Microsoft, Mozilla.
  – Available at www.safehistory.com

Public relations activities

– News articles on PwdHash:
  – Many articles in the popular press, still appearing
  – Computerworld Horizon Award: August 2006
– SafeHistory & SafeCache: WWW '06 paper
– Timing attacks: WWW '07 paper
– SpyBlock and transaction generation: report completed; conference paper in process

PwdHash and RSA SecurID

– Tech transfer: available as IE and Firefox extensions
  – Working to convince MS to embed natively into IE
– Integration with RSA SecurID:
  – Motivation: "man in the middle" phishing attacks defeat one-time password systems
  – Phase I: apply PwdHash to one-time passwords
    – Requires updates to SecurID server and PwdHash
  – Phase II: authenticate server to client
    – Planned for next year