Transaction Generators: Root Kits for Web. By: Collin Jackson, Dan Boneh, John Mitchell. Presented by Jeff Wheeler.

Outline
Current Phishing Attacks
–Focused on stealing user credentials
Response
–Stronger authentication and back-end analytics
Anticipated Attack Vector
–Transaction generator malware
Countermeasures
–CAPTCHA, randomized transaction pages, transaction confirmation

Current Phishing Attacks
Steal user credentials
–Directing users to a spoofed web page
–Key-logging

Crimeware-spreading URLs infecting PCs with password-stealing code rose 93 percent in Q1, 2008 to 6,500 sites. (apwg_report_Q1_2008)

The number of unique keyloggers and crimeware-oriented malicious applications detected rose to 430 in March (apwg_report_Q1_2008)

Response to Phishing
Methods
–Transaction authentication
–Site-to-user authentication
–Challenge questions
–Device identification
–Knowledge-based authentication (KBA)
–Out-of-band authentication
–Hardware tokens
–Software and toolbar tokens
–Transaction signing
–CAP / EMV

Transaction Generator Malware
Allows criminals to manipulate user accounts directly, without stealing user credentials or subverting authentication mechanisms
To the web site, a transaction generator's transaction looks identical to a legitimate transaction
A transaction generator can hide its transactions

What does a Transaction Generator Do?
Quietly sits on the user's computer
User authenticates
Session cookie issued
–The cookie resides in the application environment and is fully accessible to malware
Transaction generator creates transactions using that session

Additional Work of a Stealth Transaction Generator
Hide transactions from users
–Amazon purchase of a blender: malware hides every reference on the order history page to anything containing the word "blender"
–Credit card purchase at Amazon: malware hides all Amazon purchases on the recent-transactions page that match the blender purchase amount
Transactions are hidden by the malware; the site providing the information is unaware that the user receives incorrect information

Uses of a Transaction Generator
Pump and dump stock schemes
–Boost the price of penny stocks
Purchasing goods
–When one blender is not enough
Election system fraud
–Vote-at-home systems
Financial theft
–Bill pay to transfer money

Countermeasures
CAPTCHA
–Can be defeated by code that computes the response
–Or by a ChaCha-type network of human solvers
Randomized transaction pages
–Increase the difficulty of hiding unauthorized transactions
Transaction confirmation

Confirmation agent is isolated from malware, either via a VM or via separate hardware
A browser extension functions as a relay between the confirmation agent and the remote site
Verification via key exchange
Security relies on two properties
–The agent's secret key must be isolated from malware
–Malware must be prevented from injecting mouse clicks into the agent's dialog
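The confirmation countermeasure above, and the session-cookie problem from the earlier slide, modelled as an added example that is not code from these slides or from the Jackson/Boneh/Mitchell paper: the site issues a per-transaction nonce, the isolated agent shows the transaction to the user and tags it with a key the browser never holds, and the browser only relays. HMAC stands in for the slide's "key exchange"; the key, the transactions and the user_intends callback (the user's click on the agent's dialog) are constructed assumptions.

```python
import hashlib, hmac, json, secrets

# Added example (not from the slides or the paper); keys and transactions are constructed.
def _encode(nonce: str, tx: dict) -> bytes:
    return json.dumps({"nonce": nonce, "tx": tx}, sort_keys=True).encode()

class ConfirmationAgent:
    """Isolated VM/hardware: holds the secret key and shows each tx to the user."""
    def __init__(self, key: bytes, user_intends):
        self._key, self._user_intends = key, user_intends  # callback = user's click
    def confirm(self, nonce: str, tx: dict):
        if not self._user_intends(tx):  # user declines what the agent displays
            return None
        return hmac.new(self._key, _encode(nonce, tx), hashlib.sha256).digest()

class BankSite:
    """Server side: fresh nonce per transaction; tag verified before committing."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, {}
    def start(self, tx: dict) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = tx
        return nonce
    def commit(self, nonce: str, tag) -> bool:
        tx = self._pending.pop(nonce, None)  # single-use nonce
        if tx is None or tag is None:
            return False
        expected = hmac.new(self._key, _encode(nonce, tx), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    intended = {"to": "ACME Electric", "amount": 120}
    forged = {"to": "mule account", "amount": 5000}
    agent, site = ConfirmationAgent(key, lambda tx: tx == intended), BankSite(key)
    # 1. legitimate transfer: the user recognises it on the agent and approves
    n = site.start(intended)
    legit = site.commit(n, agent.confirm(n, intended))
    # 2. transaction generator starts a transfer with the user's live session;
    #    the agent shows it, the user declines, so there is no tag to relay
    n = site.start(forged)
    declined = site.commit(n, agent.confirm(n, forged))
    # 3. browser malware fabricates a tag without the isolated key
    n = site.start(forged)
    forged_tag = site.commit(n, hmac.new(b"guess", _encode(n, forged), hashlib.sha256).digest())
    # 4. malware replays a genuine tag, relayed earlier, for its own transfer
    n1, n2 = site.start(intended), site.start(forged)
    replay = site.commit(n2, agent.confirm(n1, intended))
    return {"legit": legit, "declined": declined, "forged_tag": forged_tag, "replay": replay}
```

Only scenario 1 commits; the other three fail because the browser side never holds the key and each nonce binds a tag to one transaction, which is exactly why the slide's two properties (key isolation, no injected clicks into the agent's dialog) carry the whole design.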

Ideal Solution
Prevent malware from getting into the browser