Conveying Trust Serge Egelman.

Portal to The Interweb
- Threats to privacy: phishing, information interception, fraudulent sites
- The web browser is central: email and IM increasingly go through it as well
- Detection must therefore occur here, in the browser

In The Beginning…
- Threats: man-in-the-middle, sniffing
- SSL addressed these (assuming the browser validates the certificate and the user notices when it does not)
- Browser SSL indicators: locks, keys, borders, URL bar

SSL Indicators (screenshots): Microsoft IE, Mozilla Firefox, Safari

But What About Phishing?
- Toolbars
- User notification: audio, pop-ups, indicators
- Detection: community ratings, heuristics

Phishing Toolbars
- Clear Search: scans email using heuristics
- Cloudmark: community ratings
- eBay Toolbar: community ratings
- SpoofGuard: URL analysis, password analysis, image analysis
- Trustbar (Mozilla): analyzes known sites and certificate information
- Trustwatch: site ratings

But Do They Work? No.
25 sites tested:
- Cloudmark:  10 of 25 (40%) identified
- Netcraft:   19 of 25 (76%) identified
- SpoofGuard: 10 of 25 (40%) identified
- Trustwatch:  9 of 25 (36%) identified

Activity #1
Download a phishing toolbar:
- http://www.cloudmark.com/desktop/download/
- http://pages.ebay.com/ebay_toolbar/
- http://crypto.stanford.edu/SpoofGuard/
- http://trustbar.mozdev.org/
- http://toolbar.trustwatch.com/
- http://toolbar.netcraft.com/
Pros? Cons? Is it usable? How could it be circumvented?

Other Browser Plugins
- The toolbars mentioned so far target phishing and fraudulent sites, with limited intelligence

Password Hashing
- Many users use the same password everywhere, so one compromise leads to many
- Hashing solves this: the password is hashed automatically with the site's domain name before it is submitted, so every site receives a different value
- A captured hash doesn't reveal the real password and doesn't work at any other domain, so a phishing site on a lookalike domain gains nothing usable at the real site
- The user doesn't know the difference: they keep typing the same password
- Implemented as a Mozilla extension
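The domain-keyed derivation described above, as an added example that is not the extension's own code. It assumes a hypothetical `site_password` helper that keys an HMAC of the registrable domain with the master password, and a deliberately simplified `registrable_domain` that keeps the last two host labels (a real implementation must consult the public suffix list). The master password and host names are constructed sample inputs.

```python
import base64
import hashlib
import hmac


def registrable_domain(host: str) -> str:
    """Simplified registrable-domain extraction: keep the last two labels.

    Assumption for this example only. Real deployments must use the public
    suffix list, since e.g. "example.co.uk" has three labels in its
    registrable domain.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def site_password(master: str, host: str, length: int = 16) -> str:
    """Derive the password actually submitted to `host` (hypothetical helper).

    The master password keys an HMAC over the registrable domain, so the
    value a site receives is unique to that domain and does not reveal the
    master password.
    """
    domain = registrable_domain(host)
    mac = hmac.new(master.encode("utf-8"), domain.encode("utf-8"), hashlib.sha256).digest()
    # Base64 yields letters, digits, '+' and '/', an alphabet most sites accept.
    return base64.b64encode(mac).decode("ascii")[:length]


def demo() -> dict:
    """Show that the real site and its subdomains get one value while
    lookalike and subdomain-trick hosts get unrelated values."""
    master = "correct horse battery staple"  # constructed sample master password
    return {
        "real": site_password(master, "www.paypal.com"),
        "real_alt_host": site_password(master, "paypal.com"),
        "lookalike": site_password(master, "paypai.com"),
        "subdomain_trick": site_password(master, "paypal.com.login-secure.example"),
    }


if __name__ == "__main__":
    for name, pw in demo().items():
        print(f"{name:16s} {pw}")
```

Two caveats a practitioner should keep in mind: because HMAC is fast, a site (or a phisher) holding one derived value can still brute-force a weak master password offline, so a strong master, or a slow KDF in place of plain HMAC, is what actually limits that; and the scheme only protects passwords typed into fields the extension is intercepting.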

Dynamic Security Skins
- User remembers one image, shown in a trusted window that the browser controls
- User remembers one password: ease of use
- Sites get a hashed password, never the password itself
- Browser and server each generate a visual pattern from a shared secret established during authentication; the user trusts the server when the two patterns match

Trusted Window (screenshot)

Verifying Sites (screenshot)
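The "hashed password plus matching patterns" exchange from the Dynamic Security Skins slides, as an added example rather than the authors' implementation. Dynamic Security Skins builds on the Secure Remote Password protocol, and this block is a toy SRP-6a handshake followed by a stand-in for the visual hash: `skin` maps the agreed session key to a small character grid instead of a random-art image. The group parameters, the user name and password, and all helper names are assumptions for this example; `N = 2**127 - 1` is prime but far too small and not a safe prime, so it must never be used outside a demonstration.

```python
import hashlib
import os

# Toy group parameters for illustration only (assumption). Real SRP uses a
# large safe prime such as the RFC 5054 groups; 2**127 - 1 is neither.
N = 2**127 - 1
g = 3


def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def _b(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


K_MULT = _h(_b(N), _b(g)) % N  # SRP-6a multiplier k = H(N, g)


def _x(salt: bytes, username: str, password: str) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return _h(salt, inner) % N


def enroll(username: str, password: str):
    """Registration: the site stores (salt, verifier v), never the password."""
    salt = os.urandom(16)
    return salt, pow(g, _x(salt, username, password), N)


def _rand_exp() -> int:
    return int.from_bytes(os.urandom(32), "big") % (N - 2) + 1


def client_start():
    a = _rand_exp()
    return a, pow(g, a, N)  # client sends A


def server_start(v: int):
    b = _rand_exp()
    return b, (K_MULT * v + pow(g, b, N)) % N  # server sends salt and B


def client_key(a, A, B, salt, username, password) -> bytes:
    if B % N == 0:
        raise ValueError("rejecting degenerate B")
    u = _h(_b(A), _b(B))
    if u == 0:
        raise ValueError("rejecting u == 0")
    x = _x(salt, username, password)
    # B - k*g^x == g^b, so S == g^(b*(a + u*x)) mod N
    S = pow((B - K_MULT * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha256(_b(S)).digest()


def server_key(b, A, B, v) -> bytes:
    if A % N == 0:
        raise ValueError("rejecting degenerate A")
    u = _h(_b(A), _b(B))
    # A * v^u == g^(a + u*x), so S matches the client's value
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha256(_b(S)).digest()


def skin(key: bytes, size: int = 4) -> str:
    """Stand-in for the visual hash: a deterministic glyph grid from the key."""
    digest = hashlib.sha256(b"skin" + key).digest()
    glyphs = " .:-=+*#"
    return "\n".join(
        "".join(glyphs[digest[r * size + c] % len(glyphs)] for c in range(size))
        for r in range(size)
    )


def demo(username: str = "alice", password: str = "hunter2") -> dict:
    salt, v = enroll(username, password)  # constructed sample user
    a, A = client_start()
    b, B = server_start(v)
    k_client = client_key(a, A, B, salt, username, password)
    k_server = server_key(b, A, B, v)
    # A phishing site never saw v, so the best it can do is guess a verifier.
    fake_v = pow(g, _rand_exp(), N)
    a2, A2 = client_start()
    pb, pB = server_start(fake_v)
    k_client_vs_phisher = client_key(a2, A2, pB, salt, username, password)
    k_phisher = server_key(pb, A2, pB, fake_v)
    return {
        "client_key": k_client,
        "server_key": k_server,
        "client_key_vs_phisher": k_client_vs_phisher,
        "phisher_key": k_phisher,
    }


if __name__ == "__main__":
    r = demo()
    print("legitimate server:\n" + skin(r["client_key"]))
    print("phisher's page:\n" + skin(r["phisher_key"]))
```

The point the slide makes is visible in the last two prints: the browser's trusted window renders the pattern from its own key, the page renders the pattern from the server's key, and only a server holding the real verifier produces the same pattern. The phisher's page pattern cannot match, however convincing the rest of the page looks.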

Using Tokens
- Two-factor authentication: something you have, usually cryptographic
- RSA SecurID, smart cards, random cryptographic tokens, scratch cards
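A worked example of the "random cryptographic token" idea, added here and not from the slides: the open HOTP algorithm from RFC 4226, which generates the kind of one-time code a hardware token displays, plus a server-side verifier with a look-ahead window so a token that was pressed a few times without logging in still resyncs. SecurID uses its own proprietary scheme; HOTP is the published equivalent. The secret is the test key from RFC 4226 Appendix D, so the expected codes are checkable against the RFC; the `TokenVerifier` class and window size are assumptions for this example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class TokenVerifier:
    """Server side (hypothetical helper): holds the shared secret and the
    next counter it expects, and accepts each counter value at most once."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0       # next counter value expected from the token
        self.window = window   # how far ahead the token may have drifted

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = hotp(self.secret, self.counter + i)
            if hmac.compare_digest(candidate, code):
                # Resync past the accepted counter so the code cannot be replayed.
                self.counter += i + 1
                return True
        return False


RFC4226_SECRET = b"12345678901234567890"  # test secret from RFC 4226 Appendix D


def demo() -> dict:
    v = TokenVerifier(RFC4226_SECRET)
    first = hotp(RFC4226_SECRET, 0)
    return {
        "accept_fresh": v.verify(first),                      # first use of counter 0
        "reject_replay": v.verify(first),                     # same code again
        "accept_skipped": v.verify(hotp(RFC4226_SECRET, 3)),  # token pressed twice unused
        "reject_stale": v.verify(hotp(RFC4226_SECRET, 2)),    # counter already passed
        "next_counter": v.counter,
    }


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print(demo())
```

The verifier shows why one-time codes beat static passwords against a phisher who records credentials for later: a recorded code is rejected on replay. It also shows their limit, which the later "False Sense of Security" slide lists under MITM: a phisher who relays a fresh code to the real site in real time is within the window and is accepted.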

Using Phones
- Client-side certificates, with private keys generated and stored on the phone; a new key for each phone
- Keys linked to domain names; a key is generated upon a new connection
- Bluetooth
- No server modifications

Current Browser Support
- Hardware drivers; poor browser support
- Example: a simple text box
- Goal: make using the device unobtrusive
Activity #2

False Sense of Security
- JavaScript tricks (ING example)
- MITM
- Spyware
- Stored images, where the site shows the user a pre-chosen image before asking for the password (Bank of America example)
- CAPTCHAs

Activity #3
What security features really need to be prominent?