Slide 1: Phishing
markus.jakobsson@parc.com
Slide 2: Conventional Aspects of Security
- Computational assumptions: e.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
- Adversarial model: e.g., access to data/hardware, ability to corrupt, communication assumptions, goals
- Verification methods: cryptographic reductions to assumptions, BAN logic
- Implementation aspects: e.g., will the communication protocol leak information that is considered secret in the application layer?
Slide 3: The human factor of security
- Configuration
- Neglect
- Deceit
Slide 4: The human factor: configuration
- Weak passwords
- With Tsow, Yang, Wetzel: "Warkitting: the Drive-by Subversion of Wireless Home Routers" (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
  - Wireless firmware update (wardriving + rootkitting)
  - Shows that more than 50% of APs are vulnerable
Slide 5: The human factor: configuration
- Weak passwords
- With Stamm, Ramzan: "Drive-By Pharming" (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple's are at risk. Firmware update tested on only a few. Paper in submission)
  - Wireless nvram value setting: "Use DNS server x.x.x.x"
  - And worse: geographic spread!
Slide 6: The human factor: neglect
Slide 7: The human factor: deceit
(Threaten/disguise; image credit to Ben Edelman)
Slide 8: The human factor: deceit
- Self: "Modeling and Preventing Phishing Attacks" (Panel, Financial Crypto, 2005; introduces the notion of spear phishing)
- With Jagatic, Johnson, Menczer: "Social Phishing" (Communications of the ACM, Oct 2007)
- With Finn, Johnson: "Why and How to Perform Fraud Experiments" (IEEE Security and Privacy, March/April 2008)
Slide 9: Experiment Design
Slide 10: Gender Effects
Slide 12: Ethical and accurate assessments
- With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
- Reality: (diagram of credential flow between A, B and eBay)

Slide 13: Ethical and accurate assessments
- With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
- Attack: (diagram; spoofed message, credentials captured)

Slide 14: Ethical and accurate assessments
- With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
- Experiment: (diagram; spoofed message, credentials relayed via eBay)
- Yield (incl. spam filtering loss): 11% + 3%
- "eBay greeting" removed: same
Slide 15: Mutual authentication in the "real world"
- With Tsow, Shah, Blevis, Lim: "What Instills Trust? A Qualitative Study of Phishing" (Abstract at Usable Security, 2007)
- starting with 4901
Slide 16: How does the typical Internet user identify phishing?
Slide 17: Spear Phishing and Data Mining
- Current attack style: approx. 3% of adult Americans report having been victimized.
Slide 18: Spear Phishing and Data Mining
- More sophisticated attack style: "context aware attack"
Slide 19: How can information be derived?
- Jane Smith
- Jose Garcia
- ... and little Jimmy Garcia
- Jane Garcia, Jose Garcia
Slide 20: Let's start from the end!
- "Little" Jimmy
- his parents
- their marriage license
- and Jimmy's mother's maiden name: Smith
- More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
Slide 21: www.browser-recon.info
Slide 22: Approximate price list
- PayPal user id + password: $1
- + challenge questions: $15
- Why?
Slide 23: Password Reset: Typical Questions
- Make of your first car
- Mother's maiden name
- City of your birth
- Date of birth
- High school you graduated from
- First name of your / your sister's best friend
- Name of your pet
- How much wood would a woodchuck ...
Slide 24: Problem 1: Data Mining
- Make of your first car?
  - Until 1998, Ford had >25% market share
- First name of your best friend?
  - 10% of males named James (Jim), John, or Robert (Bob or Rob)
  - Facebook does not help
- Name of your first / favorite pet?
  - Top pet names are online
Slide 25: Problem 2: People Forget
- Name of the street you grew up on?
  - There may have been more than one
- First name of your best friend / sister's best friend?
  - Friends change; what if you have no sister?
- City in which you were born?
  - NYC? New York? New York City? Manhattan? The Big Apple?
- People lie to increase security ... then forget!
Slide 26: Intuition
- Preference-based authentication:
  - preferences are more stable than long-term memory (confirmed by psychology research)
  - preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) ... especially dislikes!
Slide 27: Our Approach (1)
- Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
Slide 28: Our Approach (2)
Slide 29: And next?
- http://www.democratic-party.us/LiveEarth
Slide 30: Countermeasures?
- Technical
  - Better filters
  - CardSpace
  - OpenId
- Educational
  - SecurityCartoon
  - Suitable user interfaces
- Legal
Slide 31: Interesting?
- Internships at PARC / meet over coffee / etc.
- markus.jakobsson@parc.com