1 Client-side defenses against web-based identity theft. Students: Robert Ledesma, Blake Ross, Yuka Teraguchi. Faculty: Dan Boneh and John Mitchell. Stanford.


1 Client-side defenses against web-based identity theft
Students: Robert Ledesma, Blake Ross, Yuka Teraguchi
Faculty: Dan Boneh and John Mitchell
Stanford University, PORTIA Project

2 Phishing Attack
- Spam: "There is a problem with your eBay account."
- User clicks on link to go to badguy.com.
- User thinks it is ebay.com, and enters eBay username and password.
- Information is sent to the bad guy.
(Diagram caption: password?)

3 Sample phishing email

4 How does this lead to spoof page?
- Link displayed
- Actual link in HTML source: 8a866372f999c983d8973e77438a bca43d7 ad47e99219a907871c773400b c&url=
- Website resolved to

5 Spoof page

6 Magnitude of problem
- Fastest growing crime on the Internet.
- Primary targets: attacks/month (2004)

  Target    Jan … May June July
  Citibank  …34
  US Bank   …2
  eBay      …51

7 Properties of Spoof Sites
- Ask for user input, e.g. password. Some ask for CCN, SSN, mother's maiden name, ...
- HTML copied from honest site
  - Contain links to the honest site
  - Logos from honest site: copied jpg/gif file, or link to honest site
  - Can contain revealing mistakes
  - Clever spoof pages contain Javascript to fool user.
- Short lived: blacklisting spoof sites has limited success.
- HTTPS uncommon

8 Thanks!
- Robert Rodriguez
- Chris Von Holt
- Alissa Cooper
- Tom Pageler
- Greg Crabb
- Many more ...

9 What can we do about phishing?
- Spam filter: phishing starts with email, so stop it there.
  - Non-trivial: phishing emails look like ordinary email.
- Browser-side methods (plug-ins)
  - Detect spoof web site. Warn user.
  - Improve browser password management.
- Server-side methods: use strong user authentication instead of pwds.
  - Certificates or security tokens.
This talk: SpoofGuard

10 Our project at Stanford
- Two browser plug-ins available for download:
  - SpoofGuard:
    - Alerts user when browser is viewing a spoofed web page.
    - Uses variety of heuristics to identify spoof pages.
  - PwdHash:
    - Simple mechanism for improving password management by the browser.
- Will SpoofGuard solve the phishing problem?
  - As likely to end phishing as the first virus scanner was to end viruses
  - A new type of anomaly detection problem

11 SpoofGuard: Detect Phishing Web Sites

12 SpoofGuard Browser Plug-in
- Compute spoof index:
  - Weighted sum of several spoof measures
  - Depends on current page and history
- Provides two forms of information:
  - Passive stoplight in toolbar: green, yellow, red
  - Active pop-up when necessary
    - Stop outgoing information to malicious web site
- Challenges:
  - Must be easy for novice users.
  - Detect malicious pages
  - Minimize false alarms

13 Stateless Page Evaluation
- URL Check:
  - Similar to well known site
  - IP address instead of host name
  - Other tricks
  - Use reverse DNS to find domain if IP address
- Image Check: is image associated with a different domain in image-domain database?

14 Stateless Page Evaluation II
- Link Check:
  - Run URL check on links on the page
  - If significant fraction fail, raise alert
- Password Check:
  - Pages with a password field are more suspicious than ones without
  - Check for HTTPS and valid certificate

15 Stateful Page Evaluation
- History Check:
  - Site is assumed OK if in user's history file
  - Very important for reducing false alarm rate
- Domain Check: is current domain "similar" to a domain in the history list?
- Email Check: suspicious if page is referred by email link

16 POST Data Evaluation
- Intercepts and checks POST data
  - Keep hashed triples
  - If known user & password are sent to a different domain, raise alert level
  - Exception for search engines
  - High alert: warn user and allow to cancel operation
(Diagram: User -> POST: user_name=ice&password=cream -> Suspicious server)
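The hashed-triple check of slide 16 as an added example (not SpoofGuard's code): the monitor keeps only a hash of (user, password, domain), and flags a POST whose credentials were previously submitted to another domain. The field-name heuristics, the search-engine list and the use of SHA-256 are assumptions.

```python
import hashlib
from urllib.parse import parse_qs, urlsplit

# Constructed exception list: the slides exempt search engines but name none.
SEARCH_ENGINES = {"search.example"}

def credentials_in(body):
    """Pick the user-name and password fields out of a form POST body by field-name heuristics."""
    form = {k.lower(): v[0] for k, v in parse_qs(body).items()}
    user = next((form[k] for k in form if "user" in k or "login" in k or "email" in k), None)
    pwd = next((form[k] for k in form if "pass" in k or "pwd" in k), None)
    return user, pwd

def triple(user, pwd, domain):
    """Only a hash of (user, password, domain) is retained, never the password itself."""
    return hashlib.sha256(f"{user}\0{pwd}\0{domain}".encode()).hexdigest()

class PostMonitor:
    def __init__(self):
        self.seen = set()     # hashed triples of credentials already submitted
        self.domains = set()  # domains those credentials went to (needed to re-derive triples)

    def check(self, url, body):
        """Return 'ok' or 'alert' for an outgoing POST; 'alert' means warn and let the user cancel."""
        domain = (urlsplit(url).hostname or "").lower()
        user, pwd = credentials_in(body)
        if pwd is None or domain in SEARCH_ENGINES:
            return "ok"
        h = triple(user, pwd, domain)
        if h not in self.seen:
            # Same user/password previously sent to another domain? Then this is a likely spoof.
            if any(triple(user, pwd, d) in self.seen for d in self.domains if d != domain):
                return "alert"
            self.seen.add(h)
            self.domains.add(domain)
        return "ok"
```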

17 SpoofGuard User Interface
- SpoofGuard is added to the IE toolbar
  - Traffic light: reports green, yellow, red alert level
  - Pop-up as method of last resort

18 Evaluation of SpoofGuard
- Detect sample spoofs
  - Tested on 12 spoofs from SF ECTF
- Acceptable false alarm rate
  - Used ourselves for several weeks
  - Can get false alarms on first visit to site
    - SpoofGuard learns which sites you trust
    - Does not pop up on subsequent visits
- Negligible performance impact
- But: clever phisher can defeat most tests

19 PwdHash: Improved Pwd Mgmt

20 The common pwd problem
- Web users use the same username/password at many sites.
  - Users use their banking pwd at low security sites.
- The problem: break-in to low security site reveals banking username/passwords.
- Ideal solution: strong auth. protocols (SecureID/PKI)
  - Unlike pwd, requires HW or has limited mobility.

21 A Simple Solution
- Browser plug-in that converts a user's pwd into a unique pwd per site.
  1. Locate all pwd HTML elements (password input fields) on page.
  2. Whenever focus leaves a password field, replace contents of field with HMAC_pwd(domain-name)
  3. Password hash is sent to web site instead of pwd.
- (some) Protection against phishing: spoof site only sees hash of user's pwd.

22 Pwd Hashing – an old idea
- Hash pwd with realm provided by remote site:
  - HTTP 1.1 Digest Authentication
  - Kerberos 5
- Hash pwd with network service name:
  - Gabber, Gibbons, Matyas, Mayer [FC '96]. Proxy.
  - Abadi, Bharat, Marais [PTO '97]
- Challenge: implementing in a modern browser.

23 Plug-in Challenges
- Pwd reset after plug-in install
- Javascript attacks
- What salt to use in hash?
- How to encode resulting hash?
- When to compute hash?
- Internet Café
- Dictionary attacks
- Design goal: transparent to user.

24 Problem 1: pwd reset
- After install, requires users to reset their pwds.
- On pwd reset page, plug-in must not hash old pwd.
  - Plug-in identifies pwd reset page as having three pwd fields.
  - Plug-in does not hash first pwd field (turns blue).
  - Plug-in remembers to hash all pwd fields on future invocations of this reset page
- To disable/toggle hashing: double-click in pwd field.
- Problem: phishers could create a spoof pwd reset page and obtain pwds in the clear.
  - Plug-in warns user when it sends pwd un-hashed.

25 Problem 2: Internet cafés
- Users cannot install plug-in at Internet cafés.
- We provide a web site for remote hashing:
  - Hash computed in Javascript.
  - Resulting hash copied into clipboard.

26 Problem 3: Javascript attacks
- Malicious site can create Javascript to steal user's unhashed password.
  - Record all key-strokes sent to page
  - Change target-domain-name on submit
  - Mask regular text field as a password field
    - Even worse: as each keystroke is typed into field, send to evil site. (?)

27 Javascript attacks (cont.)
- Defense 1: Keyboard intercept.
  - System traps all keyboard events to window.
  - If keystroke intended for pwd field, replace with '%'
    - Browser never sees pwd.
  - On 'BeforeNavigate2' event, replace '%%' in POST data with hashed pwd.
- Defense 2: key-stream monitor.
  - System records all passwords user types (hashed).
  - System traps all keyboard events to window.
  - If key-stream ever contains a pwd not in pwd field, alert user.

28 Problem 4: what salt to use?
- For a few sites, domain of pwd reset page ≠ domain of pwd use page
  - passport reset page = services.passport.net
  - passport use page = login.passport.net
  - Incorrect pwd-hash is registered at site.
- Config file tells plug-in what salt to use and how to encode hash:

29 Problem 5: Dictionary attacks
- Main point: low security site never sees user's pwd.
- Dictionary attacks:
  - After phishing or break-in to low security site, attacker obtains pwd hashes.
  - Attacker can attempt dictionary attack on hashes.
    - Succeeds on ~15% of pwds (unlike 100% today)
    - Fundamental limitation of pwd authentication: unavoidable when user's key is low-entropy.
- Defense: plug-in enables user to specify a global plug-in pwd used to strengthen all pwd hashes.
  - Defense against dict. attacks for savvy users.
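The per-site hash of slide 21, the '%%' placeholder substitution of slide 27 and the global plug-in password of slide 29, worked through as one added example (not PwdHash's own code): the HMAC is keyed by the user's password with the domain as message, so a spoof domain receives a different value than the real site. Assumptions: SHA-256 as the HMAC function, the lower-cased host name as salt, a 12-character base64 prefix as the encoding, and the global password prepended to the key.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import urlsplit

def site_salt(url):
    """Salt is the site's domain name (slide 21); assumed here to be the
    lower-cased host name of the page (the plug-in's exact rule is not shown)."""
    return (urlsplit(url).hostname or "").lower()

def encode_hash(mac, length=12):
    """Encode the MAC as printable password characters. Slide 23 asks how to
    encode; this base64 prefix is an assumption, not PwdHash's real encoding."""
    return base64.b64encode(mac).decode().rstrip("=")[:length]

def pwd_hash(pwd, domain, global_pwd=""):
    """HMAC_pwd(domain-name): the user's password keys the MAC, the domain is the
    message. An optional global plug-in password (slide 29) is mixed into the key,
    so a dictionary attack on a leaked hash must also guess it."""
    key = (global_pwd + "\0" + pwd).encode() if global_pwd else pwd.encode()
    return encode_hash(hmac.new(key, domain.encode(), hashlib.sha256).digest())

def rewrite_post_data(body, url, pwd, global_pwd=""):
    """Keyboard-intercept defence (slide 27): each password keystroke reached the
    page as '%', so the POST body carries a run of '%'; swap it for the
    site-specific hash at navigate time, so the page's Javascript never saw pwd."""
    return re.sub(r"%{2,}", lambda m: pwd_hash(pwd, site_salt(url), global_pwd), body)

if __name__ == "__main__":
    # Constructed example: the same password hashes differently for the real
    # site and for a look-alike spoof domain.
    for site in ("https://login.passport.example/", "https://passport-login.badguy.example/"):
        print(site, pwd_hash("cream", site_salt(site)))
    print(rewrite_post_data("user_name=ice&password=%%%%%", "https://www.ebay.example/signin", "cream"))
```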

30 Alternative designs
- Better security against Javascript attacks: modify pwd UI:
  1. User hits ctrl-P in password field.
  2. Plug-in displays password dialog box.
  3. User enters password into dialog box.
  - Plug-in embeds hashed-pwd directly into out-going POST data (BeforeNavigate2 event).
  - Javascript on page can't see pwd and cannot spoof dialog box.
  - Downside: confusing to users.
- Better salt for pwd: get salt from SSL certificate.
  - Not possible with current plug-in support in IE.
  - Microsoft could do this ...

31 Try it out!
- Plug-ins continue to evolve and improve:
  - Easier deployment and use.
  - Proxy-based solutions (not browser plug-ins)
  - Strengthen spoof page identification.
  - Deployment through Mozilla and billeo.

32 crypto.stanford.edu/SpoofGuard