
1 TRUST, Washington, D.C. Meeting, January 9–10, 2006
Combating Online Identity Theft: SpoofGuard, PwdHash, Spyware, Botnets
John Mitchell (Stanford)

2 Problem: Online Identity Theft
Password phishing
– Forged email and fake web sites steal passwords
– Passwords used to withdraw money, degrade trust
Password theft
– Criminals break into servers and steal password files
Spyware
– Keyloggers steal passwords, product activation codes, etc.
Botnets
– Networks of compromised end-user machines spread spam, launch attacks, collect and share stolen information
Magnitude
– Hundreds of millions of dollars in direct loss per year
– Significant indirect loss: brand erosion, loss of confidence in online transactions, inconvenience of restoring credit rating and identity

3 TRUST team
Stanford
– D Boneh, J Mitchell, D Dill, Jennifer Granick (Law School)
– A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, …
Berkeley
– D Tygar, R Dhamija, …
– Deirdre Mulligan (UC Berkeley Law), …
CMU
– A Perrig, D Song
– B Parno, C Kuo
Partners and collaborators
– US Secret Service, DHS/SRI Id Theft Tech Council, RSA Security, …
– R Rodriguez, D Maughan, …
And growing …

4 Phishing Attack
Attacker sends email: "There is a problem with your eBuy account"
User clicks on email link to www.ebuj.com
User thinks it is ebuy.com, enters eBuy username and password
Password sent to bad guy

5 Sample phishing email

6 How does this lead to the spoof page?
Link displayed
– https://www.start.earthlink.net/track?billing.asp
Actual link in HTML email source
– https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
Website resolved to
– http://202.69.39.30/snkee/billing.htm?session_id=8495...

7 Spoof page
http://202.69.39.30/snkee/....

8 Typical properties of spoof sites
Show logos found on the honest site
– Copied jpg/gif file, or link to honest site
Have suspicious URLs
Ask for user input
– Some ask for CCN, SSN, mother's maiden name, …
HTML copied from honest site
– May contain links to the honest site
– May contain revealing mistakes
Short lived
– Cannot effectively blacklist spoof sites
HTTPS uncommon
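The redirector trick on slide 6 and the spoof-site properties on slide 8 can be turned into a static link check. The following is an added example, not SpoofGuard's code: it unwraps the `url=` parameter of a tracking link without touching the network and scores the destination against the properties the slide lists (redirector in the path, raw IP host, no HTTPS, displayed host differing from the real one, page asking for secrets). The redirect parameter names, the last-two-labels domain comparison and the sample links are assumptions constructed from the slide text; the long tracking id is replaced by a placeholder.

```python
"""SpoofGuard-style link heuristics (added example, not SpoofGuard's code).

Statically unwraps redirector links of the slide-6 shape (trusted-looking
tracking URL whose url= parameter points at a raw-IP spoof page) and scores
the destination with the spoof-site properties listed on slide 8. Parameter
names and the domain comparison are assumptions; inputs are constructed.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumed: common query-parameter names used by open redirectors.
REDIRECT_KEYS = ("url", "redirect", "target", "goto")


def final_destination(url: str) -> str:
    """Follow ?url=http://... parameters without any network access."""
    seen = set()
    while url not in seen:            # stop on loops
        seen.add(url)
        params = parse_qs(urlsplit(url).query)
        nxt = next((params[k][0] for k in REDIRECT_KEYS if k in params), None)
        if not nxt or not nxt.lower().startswith(("http://", "https://")):
            break
        url = nxt
    return url


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def site_of(host: str) -> str:
    """Crude registrable-domain approximation (last two labels). Adequate for
    .com/.net; a real checker should consult the Public Suffix List."""
    return host if is_ip_literal(host) else ".".join(host.split(".")[-2:])


def score_link(displayed: str, href: str, asks_for_secret: bool = False):
    """Return (score, reasons, destination) for a link as shown vs. as coded."""
    dest = final_destination(href)
    dest_host = host_of(dest)
    if "://" in displayed:
        shown_host = host_of(displayed)
    elif "." in displayed and " " not in displayed:
        shown_host = displayed.lower()      # bare hostname used as link text
    else:
        shown_host = ""                     # e.g. "click here": nothing to compare
    reasons = []
    if dest != href:
        reasons.append("link passes through a redirector")
    if is_ip_literal(dest_host):
        reasons.append("destination host is a raw IP address")
    if urlsplit(dest).scheme != "https":
        reasons.append("destination is not HTTPS")
    if shown_host and site_of(shown_host) != site_of(dest_host):
        reasons.append(f"displayed host {shown_host} differs from destination {dest_host}")
    if asks_for_secret:
        reasons.append("page asks for password, CCN or SSN")
    return len(reasons), reasons, dest


# Constructed from slide 6; the tracking id is a placeholder, not the real one.
PHISH_SHOWN = "https://www.start.earthlink.net/track?billing.asp"
PHISH_HREF = ("https://start.earthlink.net/track?id=deadbeef"
              "&url=http://202.69.39.30/snkee/billing.htm?session_id=8495")
LEGIT = "https://www.ebuy.com/login"

if __name__ == "__main__":
    for shown, href, secret in ((PHISH_SHOWN, PHISH_HREF, True), (LEGIT, LEGIT, False)):
        score, reasons, dest = score_link(shown, href, asks_for_secret=secret)
        print(f"{dest}: score {score}", *reasons, sep="\n  ")
```

The phishing link scores on every heuristic while the honest login link scores zero; in practice the score feeds a user-configurable threshold, as slide 9 describes, rather than a hard block.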

9 SpoofGuard browser extension
SpoofGuard is added to the IE toolbar
– User configuration
– Pop-up notification as method of last resort

10 Berkeley: Dynamic Security Skins
Automatically customize secure windows
Visual hashes
– Random Art: visual hash algorithm
– Generate unique abstract image for each authentication
– Use the image to "skin" windows or web content
– Browser generated or server generated

11 Browser Generated Images
Browser chooses random number and generates image
Can be used to modify border or web elements

12 Server Generated Images
Server and browser independently generate the same image
Server can customize its own page

13 CMU Phoolproof prevention
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware
Uses a trusted mobile device to perform mutual authentication with the server

14 Password Phishing Problem
User cannot reliably identify fake sites
Captured password can be used at target site
[Figure: user sends pwd A to Fake Site; Fake Site uses pwd A at Bank A]

15 Common Password Problem
Phishing attack or break-in at site B reveals pwd at A
– Server-side solutions will not keep pwd safe
– Solution: strengthen with client-side support
[Figure: Bank A (high security site) and Site B (low security site); pwd B = pwd A]

16 What is PwdHash?
Lightweight browser extension
Impedes password theft
Invisible to server
– Computes a site-specific password that appears "ordinary" to the server that receives it
Invisible to user
– User indicates password to be hashed by alert sequence (@@) at beginning of pwd

17 Password Hashing
Generate a unique password per site
– HMAC_{fido:123}(banka.com) → Q7a+0ekEXb
– HMAC_{fido:123}(siteb.com) → OzX2+ICiqc
Hashed password is not usable at any other site
– Protects against password phishing
– Protects against common password problem
[Figure: hash(pwd A, BankA) sent to Bank A; hash(pwd B, SiteB) sent to Site B; pwd A = pwd B]
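Slides 16 and 17 describe the mechanism: the typed password is the HMAC key, the site's domain is the message, and the result replaces the password before it leaves the browser. The following is an added example of that scheme, not the Stanford extension's code. The real PwdHash derives its site key from the page URL, uses an HMAC and an encoding that keeps the output acceptable to ordinary password fields; here HMAC-SHA256, a 10-character base64 prefix, the last-two-labels domain reduction and the optional user salt (the slide's "added salt" against dictionary attacks) are illustrative choices, and the passwords and sites are constructed.

```python
"""PwdHash-style site-specific passwords (added example, not the extension's code).

A password typed with the @@ alert prefix is replaced by HMAC_{password}(site).
The server receives an ordinary-looking string; a phished copy is useless at
any other domain, and a break-in at site B does not expose the Bank A password
even when the user typed the same master password at both sites.
MAC, output encoding and domain reduction are assumptions for illustration.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"      # alert sequence from slide 16


def site_key(url: str) -> str:
    """Reduce a URL to the domain that keys the hash, so www.banka.com and
    banka.com yield the same password (assumed policy; last two labels)."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def pwdhash(typed: str, url: str, salt: str = "") -> str:
    """Return what the browser should submit in the password field.

    Unmarked passwords pass through unchanged. `salt` is an optional secret
    held by the user, mixed into the key so that an attacker holding a
    submitted hash cannot run an offline dictionary attack on the master
    password alone (the slide's "added salt").
    """
    if not typed.startswith(PREFIX):
        return typed
    master = typed[len(PREFIX):]
    key = (master + salt).encode("utf-8")
    mac = hmac.new(key, site_key(url).encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:10]


if __name__ == "__main__":
    for site in ("https://www.banka.com/login", "https://siteb.com/", "https://www.ebuj.com/"):
        print(f"{site:32} -> {pwdhash('@@fido:123', site)}")
```

Note that the phishing site www.ebuj.com gets a hash of its own domain, so even a user who cannot tell it from ebuy.com leaks nothing that works at the real site; the residual risk is the one slide 18 raises, a malicious script reading the field before the extension rewrites it.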

18 Many additional issues
Malicious JavaScript in browser
– Could implement a keystroke logger; keep scripts from reading user password entry
Password reset problem
Internet café
Dictionary attacks (defense: added salt)
Try it!
http://crypto.stanford.edu/SpoofGuard/
http://crypto.stanford.edu/PwdHash/

19 Tech Transfer
SpoofGuard
– Some SpoofGuard heuristics now used in eBay toolbar and EarthLink ScamBlocker
– Very effective against basic phishing attacks
PwdHash
– Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords
  RSA SecurID passwords vulnerable to online phishing
  PwdHash helps strengthen SecurID passwords
New browser extensions for privacy
– SafeCache and SafeHistory

20 Botnets
Collection of compromised hosts
– Spread like worms and viruses
– Once installed, respond to remote commands
Platform for many attacks
– Spam forwarding
– Keystroke logging
– Distributed denial of service attacks
What more could a cybercriminal ask for?

21 Botnet facts
Platforms
– Most bots are compromised Windows machines
– Most controllers are compromised Unix hosts running ircd
Example bot software:
– Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot
Versatile launching point for many attacks
– 70% of spam from bots (MessageLabs, October 2004)
– Most worms and viruses used to propagate bot software
– Most denial of service attacks are orchestrated using bots
"Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, and creating more bots." – Jim Lippard, Director, Information Security Operations, Global Crossing

22 GLBC: malware-infected hosts
[Chart]

23 Building a Bot Network
[Figure: attacker sends compromise attempts to Win XP, FreeBSD and Mac OS X hosts]

24 Building a Bot Network
[Figure: the Win XP hosts are compromised; the attacker installs bot software on them]

25 Step 2
Each compromised Win XP host runs:
... /connect jade.va.us.dal.net /join #hacker ...
[Figure: three Win XP bots connecting to jade.va.dal.net]

26 Step 3
(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy).ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy).scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650
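The channel log above shows what makes an IRC rallying point recognisable: an operator issuing dot-commands (`.ddos.synflood`, `.scan.enable`) into a channel of more than a thousand members with machine-generated nicks. The following is an added example, not code from the talk, that parses log lines in exactly that format and reports those indicators. The regular expressions, the "letter, digit, dash, random letters" nick pattern, the command labels and the 50% threshold are assumptions fitted to this one log, which is reproduced as the sample input.

```python
"""IRC command-and-control triage (added example, not code from the talk).

Parses channel-log lines in the slide-26 format and flags the botnet
indicators visible there: dot-commands from an operator, many joins by
machine-named nicks, and a large member count. Regexes, nick pattern,
labels and threshold are assumptions fitted to the slide's log.
"""
import re

CMD_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \((?P<nick>[^)]+)\)(?P<cmd>\.[a-z.]+)(?:\s+(?P<args>.*))?$")
JOIN_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) -- (?P<nick>\S+) \((?P<ident>[^)]+)\) has joined "
    r"\((?P<chan>#\S+)\) Users : (?P<users>\d+)$")
# Assumed: auto-generated bot nicks look like "A9-pcgbdv".
BOT_NICK_RE = re.compile(r"^[A-Z]\d-[a-z]+$")
# Command families seen on the slide; other dot-commands are still reported.
KNOWN = {".ddos": "DDoS launch", ".scan": "propagation scan"}

# Sample input: the slide-26 log (one wrapped hostname rejoined).
SAMPLE_LOG = """\
(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy).ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy).scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users : 1650
"""


def analyze(log: str) -> dict:
    """Summarise joins, machine-like nicks, peak channel size and operator commands."""
    joins = bot_like = peak_users = 0
    commands = []
    for line in log.splitlines():
        m = JOIN_RE.match(line)
        if m:
            joins += 1
            bot_like += bool(BOT_NICK_RE.match(m["nick"]))
            peak_users = max(peak_users, int(m["users"]))
            continue
        m = CMD_RE.match(line)
        if m:
            family = "." + m["cmd"].split(".")[1]      # ".ddos.synflood" -> ".ddos"
            commands.append((m["ts"], m["nick"], m["cmd"], m["args"] or "",
                             KNOWN.get(family, "unknown bot command")))
    # Assumed rule: commands present and at least half the joiners machine-named.
    botnet = bool(commands) and joins > 0 and bot_like / joins >= 0.5
    return {"joins": joins, "bot_like_nicks": bot_like, "peak_users": peak_users,
            "commands": commands, "looks_like_botnet": botnet}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{report['joins']} joins, {report['bot_like_nicks']} machine-named, "
          f"peak {report['peak_users']} users, botnet={report['looks_like_botnet']}")
    for ts, nick, cmd, args, label in report["commands"]:
        print(f"  {ts} {nick} {cmd} {args!r} -> {label}")
```

On the sample the `.ddos.synflood` target and the `.scan.enable DCOM` propagation order are surfaced immediately; the same parser pointed at a normal channel (human nicks, no dot-commands) returns a negative verdict, which is the check a responder wants before treating an IRC server as a controller in the sense of slide 21.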

27 Underground commerce
Market in access to bots
– Botherd: collects and manages bots
Sample rates
– Non-exclusive access to botnet: 10¢ per machine
– Exclusive access: 25¢
– Payment via compromised account or cash to dropbox
Identity theft
– Keystroke logging
– Complete identities available for $25 to $200+
  Rates depend on financial situation of compromised person
  Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
  At $200+, usually includes full credit report
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

28 Detecting and disabling botnets
Unique characteristic: "rallying"
– Bots spread like worms and trojans
– Payloads may be common backdoors
– Centralized control of the botnet is the characteristic feature
Current efforts
– Spyware project with Stanford Law School
– CMU botnet detection, based on the methods bots use to hide themselves
– Stanford host-based bot detection: taint analysis, comparing network buffers with syscall arguments
– Botnet and spyware survival: Spyblock, virtualization and containment of passwords, etc.

29 Future challenges
Criminals become increasingly sophisticated
– "In 25 years of law enforcement, this is the closest thing I've seen to the perfect crime" – Don Wilborn
Increasing interest at server side
– Losses are significant
Need improved platform security
– Protect assets from crimeware
Need improved web authentication
– Basic science can be applied to solve problem: challenge-response, two-factor auth, …
Social awareness, legal issues, and human factors
– Studies with law clinics; user studies
Technology transfer
– More free software, RSA Security, …

