portia project 1 mitigating online id theft: phishing and spyware students:blake ross, collin...
Post on 22-Dec-2015
PORTIA Project
Mitigating Online ID Theft: Phishing and Spyware
Students: Blake Ross, Collin Jackson, Nick Miyake,
Yuka Teraguchi, Robert Ladesma,
Andrew Morrison
Faculty: Dan Boneh and John Mitchell
Special thanks to the SF-ECTF and SS.
Sample phishing email
Sample phishing site
http://202.69.39.30/snkee/....
Magnitude of problem
Fastest growing crime on the Internet.
Trends: keyloggers from phishing sites.
http://www.antiphishing.org
2004-5          Mar    Feb    Jan    …    July   Jan
spoofs/month    2870   2686   2602   …    1634   113
# targets       78     68     64     …    13     7
March, 05:
80% at 8 brands, average uptime 5.8 days, 81% of targets are financial
What can we do about phishing?
Spam filter:
• Phishing starts with email, so stop it there.
• Non-trivial: phishing emails look like ordinary email.
Client-side methods:
• Anti-phishing using browser plug-ins.
• Anti-spyware using Virtual Machine Monitors.
Server-side methods:
• Personalized web pages.
• Improved user authentication (e.g. tokens or certs).
PORTIA ID Protection Work
Long term effort to develop online ID protection tools.
SpoofGuard: (NDSS ’04)
• Alerts user when browser is viewing a spoofed web page.
• Uses variety of heuristics to identify spoof pages.
• A new type of anomaly detection problem.
PwdHash: (Usenix Sec ’05)
• Simple mechanism for strengthening password web auth.
SpyBlock: (under development)
• A Virtual Machine (VM) approach to SpyWare defense.
PORTIA Project
1. SpoofGuard: Detect Phishing Web Sites
http://crypto.stanford.edu/SpoofGuard
SpoofGuard Browser Plug-in
Compute spoof index:
• Weighted sum of several spoof measures
• Depends on current page and browsing history
Provides two forms of information:
• Passive alerts in toolbar.
• Active blocking when necessary.
Challenges:
• Must be easy for novice users.
• Detect malicious pages yet minimize false alarms.
Sample Heuristics
History Check:
• Site is assumed OK if in user’s history list.
Domain Check:
• Check similarity to domain in history list.
Email Check:
• Suspicious if page is reached by following email link.
Impact:
• Ebay toolbar, Yahoo! toolbar, WholeSecure
• Multiple requests for Firefox support.
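A sketch of how the history, domain and email checks above could feed a weighted-sum spoof index with a passive-alert and an active-block outcome. This is an added example, not SpoofGuard's code; the weights, thresholds, the edit-distance similarity measure and the host names are assumptions.

```javascript
// Constructed weights and thresholds (assumptions, not SpoofGuard's values).
const WEIGHTS = { domain: 60, email: 40 };
const ALERT_AT = 40;   // passive toolbar alert
const BLOCK_AT = 90;   // active blocking

// Levenshtein edit distance, used here as the domain-similarity measure.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// history: host names the user has visited; viaEmailLink: the page was
// reached by following a link in an email message.
function spoofIndex(pageUrl, history, viaEmailLink) {
  const host = new URL(pageUrl).hostname.toLowerCase();
  // History check: a host already in the history list is assumed OK.
  if (history.includes(host)) {
    return { host, score: 0, action: "ok", lookalikeOf: null };
  }
  // Domain check: near, but not equal to, a host the user already visits.
  const lookalikeOf = history.find((h) => editDistance(host, h) <= 2) || null;
  // Email check adds its weight; the index is the weighted sum.
  const score = (lookalikeOf ? WEIGHTS.domain : 0) + (viaEmailLink ? WEIGHTS.email : 0);
  const action = score >= BLOCK_AT ? "block" : score >= ALERT_AT ? "alert" : "ok";
  return { host, score, action, lookalikeOf };
}

// Constructed sample data.
const sampleHistory = ["www.ebay.com", "www.paypal.com"];
console.log(spoofIndex("http://www.ebey.com/signin", sampleHistory, true));
```

A lookalike host reached from an email link crosses the blocking threshold, while either signal alone only raises the passive alert, which is one way to trade detection against false alarms.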
Current/future work
SpamAssassin extensions:
• Download pages that URLs in incoming email point to.
• Run SpoofGuard heuristics on downloaded pages.
Spam archive scanning:
• Automatic detection of new phishing sites.
• www.spamarchive.org
PORTIA Project
2. PwdHash: Improved Pwd Mgmt
http://crypto.stanford.edu/PwdHash
Strengthen Web Pwd Auth
Current web auth: cleartext password over SSL
• Vulnerable to phishing.
• Vulnerable to break-ins at low security sites.
Simple improvement: Browser plug-in that converts a user’s pwd into a unique pwd per site:
1. Locate all pwd HTML elements on page:
2. When form is submitted replace all pwd’s by: PRF_pwd(domain-name)
3. Phishing site only sees hash of Ebay password.
The challenge: Extremely hard to implement securely in a modern browser!
PwdHash Challenges
1. Javascript attacks
2. Pwd reset after plug-in install
3. Dictionary attacks (sol: EKE or SFE for equality test)
4. What salt to use in hash?
5. How to encode resulting hash?
6. Internet Café
Our design goal: transparent to user.
Impact:
1. Google: PhD intern.
2. TIPPI working group: MS, Mozilla, RSA
Javascript attacks
Phishing site can create Javascript to steal user’s unhashed password.
• Record all key-strokes sent to page
• Change target-domain-name on submit
• Mask regular text field as a password field
Javascript attacks (cont.)
Defense 1: Password prefix / Password key
• Ask user to start all passwords with “@@”
• Plug-in traps all keyboard events to window.
• When “@@” detected, replace subseq. keys with ‘%’ – Browser never sees pwd.
• On ‘BeforeNavigate2’ event, replace ‘%%%’ in POST data with hashed pwd.
• Alert user if “@@” detected in key stream while focus not on pwd field.
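A model of the password-prefix defense above together with the per-site hash PRF_pwd(domain-name) from the earlier slide. This is an added example, not PwdHash's code; HMAC-SHA256 as the PRF, the base64url encoding and length, the KeyTrap class, the unencoded POST body and dropping the prefix from the submitted value are all assumptions.

```javascript
const { createHmac } = require("node:crypto");

const PREFIX = "@@";   // password prefix the user types first
const MASK = "%";      // what the page receives instead of each real key

// PRF_pwd(domain-name). HMAC-SHA256, the base64url encoding and the
// 16-character length are assumptions; the slides leave these open.
function siteHash(pwd, domain, len = 16) {
  return createHmac("sha256", pwd).update(domain.toLowerCase())
    .digest("base64url").slice(0, len);
}

// Model of the plug-in's keyboard trap. `page` is everything page script can
// observe; `secret` never leaves the plug-in.
class KeyTrap {
  constructor() {
    this.page = "";
    this.secret = "";
    this.armed = false;
    this.alerts = [];
  }
  key(ch, focusOnPwdField) {
    if (this.armed) {            // after "@@": hide the real key
      this.secret += ch;
      this.page += MASK;
      return;
    }
    this.page += ch;
    if (this.page.endsWith(PREFIX)) {
      this.armed = true;
      if (!focusOnPwdField) this.alerts.push("@@ typed outside a password field");
    }
  }
  // At navigation time, swap prefix + mask run in the POST body for the hash
  // salted with the domain the form is really being sent to.
  rewritePost(body, targetDomain) {
    const placeholder = PREFIX + MASK.repeat(this.secret.length);
    return body.replace(placeholder, siteHash(this.secret, targetDomain));
  }
}

// Constructed demo: the same keystrokes yield a different value per domain.
const demo = new KeyTrap();
for (const ch of "@@hunter2") demo.key(ch, true);
console.log(demo.page, demo.rewritePost("pass=" + demo.page, "ebay.com"));
```

Because the salt is the domain the form is actually submitted to, a page that rewrites the form target at submit time still receives a value derived from its own domain.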
Pwd Salting – an old idea
Hash pwd with realm provided by remote site:
•HTTP 1.1 Digest Authentication
•Kerberos 5
Hash pwd with network service name:
• Gabber, Gibbons, Matias, Mayer [FC ’97]. Proxy.
• Abadi, Bharat, Marais [PTO ’97]
Challenge: implementing securely in a modern browser.
PORTIA Project
SpyBlock
Spyware defense tool
Current work
SpyBlock design
Proxy VM keeps sensitive user info away from SpyWare.
User hits pwdkey before and after typing sensitive info.
[Diagram labels: VMWare ACE Server / Xen; Guest OS; Firefox; Proxy VM; SpyWare; apps; https page; PwdKey; Keys; Junk; https; junk data]
Summary
Long term effort focused on ID protection tools.
Current tools: SpoofGuard, PwdHash,
Current/future work: SpyBlock
Strong focus on technology transfer:
• Interns help do tech transfer.
• Source code available on PORTIA web site.
Close collaboration with SF-ECTF.