
Phishing

markus.jakobsson@parc.com

Conventional Aspects of Security


Computational assumptions
E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman

Adversarial model
E.g., access to data/hardware, ability to corrupt, communication assumptions, goals

Verification methods
Cryptographic reductions to assumptions, BAN logic

Implementation aspects
E.g., will the communication protocol leak information that is considered secret in the application layer?

The human factor of security

Deceit

Neglect

Configuration

The human factor: configuration


Weak passwords
With Tsow, Yang, Wetzel: Warkitting: the Drive-by Subversion of Wireless Home Routers
(Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)

Warkitting = wardriving + rootkitting. Shows that more than 50% of APs are vulnerable.

The human factor: configuration


Weak passwords
With Stamm, Ramzan: Drive-By Pharming
(Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns that 77 of its APs are vulnerable, Feb 21; we think all APs but Apple's are at risk. Firmware update tested on only a few. Paper in submission)

Attack payload: "Use DNS server x.x.x.x". And worse: geographic spread!

The human factor: neglect

The human factor: deceit

(Threaten/disguise - image credit to Ben Edelman)

The human factor: deceit

Self: Modeling and Preventing Phishing Attacks


(Panel, Financial Crypto, 2005 - notion of spear phishing)

With Jagatic, Johnson, Menczer: Social Phishing


(Communications of the ACM, Oct 2007)

With Finn, Johnson: Why and How to Perform Fraud Experiments (IEEE Security and Privacy, March/April 2008)

Experiment Design

Gender Effects

Success rate, by sender and recipient gender:

                To Male   To Female   To Any
  From Male       53%       78%        68%
  From Female     68%       76%        73%
  From Any        65%       77%        72%

Ethical and accurate assessments

With Ratkiewicz: Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features (WWW, 2006)

Reality:
(diagram: user A, eBay, credentials; steps 1, 3, 4)

Attack:
(diagram: step 1 spoof, step 2 credentials)

Experiment:
(diagram: users A and B, eBay, credentials; steps 1, 4, 5)

Yield (incl. spam-filtering loss): 11% +/- 3%. With the eBay greeting removed: same.

Mutual authentication in the real world


With Tsow, Shah, Blevis, Lim: What Instills Trust? A Qualitative Study of Phishing (Abstract at Usable Security, 2007)

starting with 4901

How does the typical Internet user identify phishing?

Spear Phishing and Data Mining


Current attack style:

Approx. 3% of adult Americans report having been victimized.

Spear Phishing and Data Mining


More sophisticated attack style:

context aware attack

How can information be derived?


Jane Smith + Jose Garcia
-> Jane Garcia, Jose Garcia
-> and little Jimmy Garcia

Let's start from the end!

Little Jimmy -> his parents -> their marriage license
-> and Jimmy's mother's maiden name: Smith

More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
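The derivation above, walked backwards from the child's birth record to the parents' marriage license, as an added example. This is illustration code written for this page, not the slides' or the Griffith and Jakobsson paper's own tooling; all records are constructed (no real people), and the record layouts and the matching rule (same groom, same bride first name, wedding before the birth) are assumptions about how such public records line up.

```python
"""Deriving a mother's maiden name by joining public records.

Added example, not from the slides or from Griffith and Jakobsson.
Records below are constructed for illustration. The derivation starts
from the child (as the slide does), reads the parents off the birth
record, and finds the marriage license, where the bride's maiden name
is recorded.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Sequence


@dataclass(frozen=True)
class BirthRecord:
    child: str
    father: str
    mother: str      # mother's married name, as printed on the birth record
    born: date


@dataclass(frozen=True)
class MarriageRecord:
    groom: str
    bride_first: str
    bride_maiden: str
    married: date


# Constructed sample records (assumed layouts, invented people).
BIRTHS = [
    BirthRecord("Jimmy Garcia", "Jose Garcia", "Jane Garcia", date(2001, 5, 3)),
    BirthRecord("Ana Lopez", "Carlos Lopez", "Maria Lopez", date(1999, 2, 14)),
]
MARRIAGES = [
    MarriageRecord("Jose Garcia", "Jane", "Smith", date(1995, 6, 20)),
    # Same groom, earlier wedding, but the bride's first name does not match.
    MarriageRecord("Jose Garcia", "Laura", "Brown", date(1993, 9, 1)),
    # Same groom and first name, but the wedding is after the birth.
    MarriageRecord("Jose Garcia", "Jane", "Wilson", date(2010, 9, 1)),
    MarriageRecord("Carlos Lopez", "Maria", "Diaz", date(1990, 8, 8)),
]


def first_name(full: str) -> str:
    return full.split()[0]


def candidate_maiden_names(child: str,
                           births: Sequence[BirthRecord] = BIRTHS,
                           marriages: Sequence[MarriageRecord] = MARRIAGES) -> List[str]:
    """Return the bride's maiden name(s) from licenses that could belong to
    this child's parents.

    A license is a candidate when the groom is the child's father, the
    bride's first name matches the mother's first name, and the wedding
    predates the birth. More than one candidate means the records are
    ambiguous and an attacker would have to try each of them.
    """
    birth = next((b for b in births if b.child == child), None)
    if birth is None:
        return []
    mother_first = first_name(birth.mother)
    return sorted({
        m.bride_maiden
        for m in marriages
        if m.groom == birth.father
        and m.bride_first == mother_first
        and m.married < birth.born
    })


if __name__ == "__main__":
    print(candidate_maiden_names("Jimmy Garcia"))   # ['Smith']
```

The two distractor licenses show why the join needs more than the father's name: without the first-name and date filters the result set would contain three candidates, and the attacker would simply try all three against a "mother's maiden name" prompt.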

www.browser-recon.info

Approximate price list:

PayPal user id + password: $1
PayPal user id + password + challenge questions: $15

Why?

Password Reset: Typical Questions

- Make of your first car
- Mother's maiden name
- City of your birth
- Date of birth
- High school you graduated from
- First name of your / your sister's best friend
- Name of your pet
- How much wood would a woodchuck ...

Problem 1: Data Mining

Make of your first car?
Until 1998, Ford had >25% market share

First name of your best friend?
10% of males are named James (Jim), John, or Robert (Bob or Rob); and Facebook does not help

Name of your first / favorite pet?
Top pet names are online
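How bad the data-mining problem is can be put in numbers: an attacker who knows the population distribution of answers simply guesses the most popular ones until the site locks the account. The following is an added example, not from the slides; the answer frequencies are constructed (the Ford share and the roughly 10% mass of James/John/Robert follow the slide, the rest is a made-up tail), and the reset model (all questions must be answered, k guesses per question, guesses independent across questions) is an assumption.

```python
"""Attacker success against password-reset questions with limited guesses.

Added example, not from the slides. Answer frequencies are constructed:
Ford at 25% and ~10% total for James/John/Robert come from the slide,
the remaining values are invented to give a plausible tail. Model
(assumed): a reset requires every question, the attacker gets k guesses
per question, and guesses the k most common answers in order.
"""
import math
from typing import Dict, Sequence

# Constructed answer distributions: answer -> share of the population.
FIRST_CAR = {"Ford": 0.25, "Chevrolet": 0.18, "Toyota": 0.12,
             "Honda": 0.10, "Dodge": 0.06}
BEST_FRIEND_MALE = {"James": 0.04, "John": 0.035, "Robert": 0.03,
                    "Michael": 0.03, "David": 0.025}
PET_NAME = {"Max": 0.03, "Buddy": 0.025, "Bella": 0.025,
            "Charlie": 0.02, "Lucy": 0.02}


def success_with_k_guesses(dist: Dict[str, float], k: int) -> float:
    """Probability that the k most common answers include the victim's."""
    probs = sorted(dist.values(), reverse=True)
    return min(1.0, sum(probs[:k]))


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """-log2 of the most likely answer: the 'one guess' security of a question."""
    return -math.log2(max(dist.values()))


def combined_success(dists: Sequence[Dict[str, float]], k: int) -> float:
    """Reset requires all questions; k guesses each, treated as independent."""
    p = 1.0
    for d in dists:
        p *= success_with_k_guesses(d, k)
    return p


def pin_success(k: int, digits: int = 4) -> float:
    """Baseline: k guesses against a uniformly random numeric PIN."""
    return k / 10 ** digits


if __name__ == "__main__":
    for name, d in [("first car", FIRST_CAR), ("best friend", BEST_FRIEND_MALE),
                    ("pet", PET_NAME)]:
        print(f"{name:12s} min-entropy {min_entropy_bits(d):4.1f} bits, "
              f"3 guesses succeed with p={success_with_k_guesses(d, 3):.3f}")
    print("all three, 3 guesses each:",
          f"{combined_success([FIRST_CAR, BEST_FRIEND_MALE, PET_NAME], 3):.5f}")
    print("4-digit PIN, 3 guesses:   ", f"{pin_success(3):.5f}")
```

With these (constructed) numbers the three-question reset falls to three guesses per question about one time in 200, more than ten times as often as a random four-digit PIN with the same lockout; the first-car question alone, with a 25% single most common answer, has two bits of min-entropy.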

Problem 2: People Forget

Name of the street you grew up on?
There may have been more than one

First name of your best friend / sister's best friend?
Friends change; what if you have no sister?

City in which you were born?
NYC? New York? New York City? Manhattan? The Big Apple?

People lie to increase security, then forget!

Intuition

Preference-based authentication:
- preferences are more stable than long-term memory (confirmed by psychology research)
- preferences are rarely documented (in contrast to city of birth, brand of first car, etc.), especially dislikes!
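A sketch of what a preference-based fallback login can look like, added here as an example; it is not the Blue Moon demo or any PARC code, and the protocol is an assumption: at enrollment the user labels a set of items like or dislike, at reset time the same items come back shuffled and the user must reproduce the labels, and access is granted when enough labels match. The catalog and profile are constructed.

```python
"""Preference-based fallback authentication: an illustrative sketch.

Added example, not the Blue Moon demo or any PARC code. Assumed scheme:
the user labels items 'like' or 'dislike' at enrollment; at reset time
the same items are shown in random order and the user re-labels them;
access is granted when at least THRESHOLD labels match, so a couple of
slips are tolerated. The profile below is constructed.
"""
import math
import random
from typing import Dict, List, Tuple

LIKE, DISLIKE = "like", "dislike"

# Constructed enrollment profile. Dislikes are included on purpose: they
# are rarely documented online, which is the slide's argument for them.
PROFILE: Dict[str, str] = {
    "opera": DISLIKE, "camping": LIKE, "sushi": LIKE, "karaoke": DISLIKE,
    "chess": LIKE, "jazz": LIKE, "golf": DISLIKE, "horror films": DISLIKE,
    "gardening": LIKE, "spicy food": LIKE, "cats": DISLIKE, "road trips": LIKE,
}
THRESHOLD = 10   # of 12 labels must match: two slips are tolerated


def challenge(profile: Dict[str, str], rng=random) -> List[str]:
    """Items shown at reset time, shuffled so position carries no hint."""
    items = list(profile)
    rng.shuffle(items)
    return items


def verify(profile: Dict[str, str], answers: Dict[str, str],
           threshold: int = THRESHOLD) -> Tuple[int, bool]:
    """Score the user's labels; accept when at least `threshold` match.
    Items left unanswered count as wrong; items not in the profile are ignored."""
    score = sum(1 for item, label in profile.items() if answers.get(item) == label)
    return score, score >= threshold


def random_guess_pass_probability(n: int, threshold: int) -> float:
    """Chance that a guesser with no knowledge of the victim, labelling each
    item uniformly at random, scores >= threshold: a binomial tail."""
    return sum(math.comb(n, i) for i in range(threshold, n + 1)) / 2 ** n


def one_label_strategy_score(profile: Dict[str, str], label: str) -> int:
    """How well 'answer everything <label>' does. Keeping the profile balanced
    between likes and dislikes pins this near n/2, well under the threshold."""
    return sum(1 for v in profile.values() if v == label)


if __name__ == "__main__":
    print(challenge(PROFILE))
    print(verify(PROFILE, PROFILE))                        # (12, True)
    print(random_guess_pass_probability(12, THRESHOLD))    # 79/4096 ~ 0.019
    print(one_label_strategy_score(PROFILE, LIKE))         # 7
```

The guessing bound only covers an attacker who knows nothing about the victim; the slide's point is that the profile, and dislikes in particular, is exactly what public records and social networks do not expose, so the data-mining attack on the previous slides does not transfer.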

Our Approach (1)

Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com

Our Approach (2)

And next?

http://www.democratic-party.us/LiveEarth

Countermeasures?

Technical: better filters, CardSpace, OpenID
Educational: SecurityCartoon, suitable user interfaces
Legal

Interesting?
Internships at PARC / meet over coffee / etc.

markus.jakobsson@parc.com
