Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm.

The Scenario: Grandma goes to an evil site, gets sniffed, gets phished, loses money.

Summary: example phishing attacks; context-aware phishing attacks; the browser-recon attack; other solutions; our solution.

Context-Aware Attacks: data about the targets is obtained and used to customize the e-mails, yielding a higher vulnerability rate.

Context: Social Networks. Mine the site for relationships (Alice knows Bob); spoof e-mail from the victim's friend; people trust their friends (and that which spoofs them).

Context: Browser-Recon. The phisher mines browsers: browsing history and cached data. The attacker can discover affiliations, and it is easy to pair browser history with an e-mail address.

Context: Cache Recon. The browser requests GET /index.html, GET /pics/pic1.jpg, GET /pics/pic2.jpg, … when pic1.jpg is not in the cache.

Context: Cache Recon. The browser requests GET /index.html, … but not pic1.jpg when pic1.jpg is in the cache.

Context: Cache Recon. The phishing page forces 3 sequential loads: Img1 on the phisher's server; Img2 on the site in question (e.g. the bank); Img3 on the phisher's server. Load time ≈ Time(Img3) - Time(Img1); a short load time = cache hit. (Felten & Schneider, "Timing Attacks on Web Privacy", 7th ACM Conference on Computer and Communications Security, 2000.)

Context: Cache Recon. Probed resources: GET pic1.jpg, GET pic2.jpg, GET logout.jpg. (Felten & Schneider, "Timing Attacks on Web Privacy", 7th ACM Conference on Computer and Communications Security, 2000.)

Context: History Recon. What you see: Link 1, Link 2, Link 3 (visited links rendered in red). The code: a { color: blue; } #id1:visited { color: red; } #id2:visited { color: red; } #id3:visited { color: red; }

Context: History Recon. What you see: Link 1, Link 2, Link 3. The code: a { color: blue; } #id1:visited { background: url('e.com/?id=1'); } #id2:visited { background: url('e.com/?id=2'); } … (the browser fetches the background URL only for links that are in its history, so e.com learns which links were visited).

Context: History Recon. What you see: no visible links at all. The code: a { color: blue; } #id1:visited { background: url('e.com/?id=1'); } #id2:visited { background: url('e.com/?id=2'); } …

History Recon + Auto-Fill Identity Extraction. GET (lots of links), GET, GET: the phisher can now associate Alice with links 1 and 42.

“Chameleon” Attack

Solutions to Browser-recon. Client-side solutions: Jackson, Bortz, Boneh, Mitchell, "Protecting browser state from web privacy attacks", to appear in WWW06; CSS limiting; "user paranoia" (regularly clear history and cache, keep no bookmarks). Server-side solution: make URLs impossible to guess.

Solution Goals. Requirements: 1. Hard to guess any pages or resources served by the SP. 2. Search engines can still index and search the SP.

Formal Goal Specification

Solution Techniques. Two techniques: 1. Customize URLs with pseudonyms. 2. Pollute client state (fill cache/history with related sites not visited by the client). Hiding vs. obfuscating: internal (protected) URLs are hidden; entry-point (public) URLs are obfuscated.

Solution to Browser-recon. Diagram: client C and server S; C sends GET / to S.

Solution to Browser-recon. Diagram: client C, translator S_T and back-end S_B, with S_T and S_B both in the domain of S. C sends GET /?13fc021b to S_T, which forwards GET / to S_B.

Pseudonyms. Establishing a pseudonym; using a pseudonym; pseudonym validity check: via cookies, via the HTTP Referer header, via message authentication codes.

Pseudonyms. Robot policies: dealing with search engines; the robots.txt "standard" (no problem if cheating). Pollution policy: pollute entrance URLs; how to choose pollutants? What about links to offsite data? Bookmarks?

Example. Diagram: client C and Bank.com; C requests GET /page.html?83fa029, which is translated to GET /page.html.
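As an added example (not the authors' Java prototype), a Python sketch of the translator S_T's request handling from the slides above: pseudonyms issued as 64-bit random numbers, a stateless validity check via a message authentication code, the pseudonym stripped before the request reaches S_B, a robot bypass so search engines still index plain URLs, and same-site links in responses rewritten to carry the pseudonym. The p= query parameter, the HMAC tag construction, the crawler User-Agent list, the host name bank.example and the HTML are assumptions constructed for this demo.

```python
"""Pseudonym translator S_T in front of back-end S_B (added example, not the
authors' prototype). Assumed: pseudonym = 64-bit random nonce + truncated HMAC
tag; robots detected by User-Agent substrings; p= parameter and HTML constructed."""
import hashlib, hmac, re, secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ST_KEY = secrets.token_bytes(32)      # translator's MAC key, never leaves S_T
ENTRY_POINTS = {"/", "/index.html"}   # public entry-point URLs (obfuscated, not hidden)
ROBOT_UA = ("Googlebot", "bingbot")   # assumed crawler User-Agent substrings
LINK = re.compile(r'href="([^"]+)"')  # sufficient for the constructed HTML below

def tag(nonce_hex):
    """64-bit MAC tag over the nonce; lets S_T validate without storing state."""
    return hmac.new(ST_KEY, nonce_hex.encode(), hashlib.sha256).hexdigest()[:16]

def new_pseudonym():
    """64-bit random nonce (as in the prototype) followed by its MAC tag."""
    nonce = secrets.token_hex(8)
    return nonce + tag(nonce)

def valid_pseudonym(p):
    """Validity check via MAC: recompute the tag and compare in constant time."""
    return len(p) == 32 and hmac.compare_digest(tag(p[:16]), p[16:])

def translate_request(url, user_agent=""):
    """S_T's decision for one client request.
    Returns ("forward", path_for_S_B, pseudonym) or ("redirect", location, None)."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    p = q.pop("p", None)
    plain = urlunsplit(("", "", parts.path, urlencode(q), ""))
    if any(r in user_agent for r in ROBOT_UA):   # robot policy: crawlers index plain URLs
        return ("forward", plain, None)
    if p is not None and valid_pseudonym(p):
        return ("forward", plain, p)              # S_B never sees the pseudonym
    if parts.path in ENTRY_POINTS:                # first contact: hand out a pseudonym
        return ("redirect", plain + ("&" if q else "?") + "p=" + new_pseudonym(), None)
    return ("redirect", "/", None)                # guessed internal URL: not served

def rewrite_links(html, pseudonym, host="bank.example"):
    """Attach the pseudonym to same-site links in S_B's response so the client's
    history and cache only hold URLs an outsider cannot guess; offsite links stay."""
    def fix(m):
        href = m.group(1)
        u = urlsplit(href)
        if u.netloc and u.netloc != host:
            return m.group(0)
        return 'href="%s%sp=%s"' % (href, "&" if u.query else "?", pseudonym)
    return LINK.sub(fix, html)
```

A request for an internal page without a valid pseudonym is bounced to the entry point, so a history or cache probe for a guessed internal URL never lands on a URL the client actually visited.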

Example Go to G Log in Bank.com C hm

Example Go to G Log in Bank.com C T

Client’s Perception

Policies: offsite redirection policy; data replacement policy; client vs. robot distinction.

Special Cases: cache pollution reciprocity; shared/transferred pseudonyms.

Security Argument: perfect privacy of internal pages; N-privacy of entrance pages; searchability.

Prototype Details. Java app simulating an HTTP server (S_B and S_T). Pseudonyms: 64-bit random numbers from java.security.SecureRandom. Experimental client: shell script + cURL.

Experimental Results

General Considerations: forwarding the User-Agent; translating cookies; optimizations.

Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm ?