
Page 1: Online ID Theft, Phishing, and Malware

TRUST, Berkeley Meetings, March 19-21, 2007

Online ID Theft, Phishing, and Malware

Primary faculty

Stanford: Boneh, Mitchell

Berkeley: Tygar,Mulligan

CMU: Perrig, Song

Page 2: Online ID Theft, Phishing, and Malware


Topics

Phishing detection and prevention
– Browser extensions, server support
– Cache and link attacks, timing attacks, …
– Authentication using trusted platforms: smartphone, virtualization, password token

User interface issues
– Tricky problem: users are fooled
– Do users understand EULAs? (need I ask?)

Malware detection and mitigation
– Signature generation
– Behavioral botnet detection

Page 3: Online ID Theft, Phishing, and Malware


Some of the team

Page 4: Online ID Theft, Phishing, and Malware


Classical phishing attack

Attacker sends email: “There is a problem with your eBuy account”

User clicks on the email link to www.ebuj.com.

User thinks it is ebuy.com and enters eBuy username and password.

Password sent to bad guy

Page 5: Online ID Theft, Phishing, and Malware


Modern threats

Spear phishing
– Targeted email to known customers, evades spam filter

Man-in-the-middle attacks
– Forward communication to honest server
– Attack one-time passwords, server defenses

Cookie theft

Keyloggers
– Install via worms, or as browser infections
– Acoustic emanations

Botnets
– Host keyloggers, send spam, steal credentials, etc.
– Vint Cerf: as many as ¼ of all machines on the Internet

Many user interface issues related to deception

Page 6: Online ID Theft, Phishing, and Malware


Basic questions

Security of human/computer systems
– Phishing: not an attack on the OS, network protocol, or computer application
– An attack on the user through the user’s computer
– Deception works because the user has incomplete and unreliable information, or does not understand the information that is presented

Web authentication
– How can clients and servers authenticate each other?
– Passwords are low entropy but easy to remember
– Images and other indicators are easy to spoof, esp. if the attacker has info about the user

Isolation for web “sessions”
– Implicit notion of process: a user visiting a site
– Many complexities: ads, redirects, mashups

Privacy expectations and laws
– Users transmit sensitive information to web sites
– What privacy can they expect? How can this be guaranteed?

Part of the problem is to identify and articulate the core issues
– A principled understanding of web activity will lead to more secure browser design, a clearer understanding of the contract between browser and server, and better server practices

Page 7: Online ID Theft, Phishing, and Malware


Page 8: Online ID Theft, Phishing, and Malware


Berkeley: Dynamic Security Skins

Automatically customize secure windows using visual hashes
– Random Art: visual hash algorithm
– Generate a unique abstract image for each authentication
– Use the image to “skin” windows or web content
– Browser generated or server generated

Commercial spin-off

Page 9: Online ID Theft, Phishing, and Malware


CMU Phoolproof prevention

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware

Uses a trusted mobile device to perform mutual authentication with the server

Page 10: Online ID Theft, Phishing, and Malware


SafeHistory

Adaptive phishing attacks (a super-phish):
– Phishing site queries the browser’s visited links:

<style>a:visited { background: url(track.php?example.com); }</style>
<a href="http://example.com/">Hi</a>

– Presents phishing page based on visited links

SafeHistory (www.safehistory.com)
– Enforce “same origin policy” on browser state
– Tech transfer: available as a Firefox extension at www.safehistory.com

Page 11: Online ID Theft, Phishing, and Malware


PwdHash (www.pwdhash.com)

Diagram: pwd → Hash(pwd, domain-name)

Browser extension for stronger password authentication
– Mostly transparent to users
– Main challenge: block JavaScript-based attacks

Recent work:
– Tech transfer: integrate with RSA SecurID server
– Consistent interface for IE and Firefox extensions
– Computerworld 2006 Horizon award
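The pwd → Hash(pwd, domain-name) idea above in Python, as an added example that is not PwdHash’s own code: the master password never reaches a site, and the value a lookalike domain captures (the deck’s ebuj.com vs ebuy.com) is useless at the real site. Keying on the full hostname and using HMAC-SHA256 with base64 truncation are this example’s assumptions, not the extension’s actual derivation.

```python
# Added example, not PwdHash's own code: derive a per-site password from a
# master password and the site's domain, as in pwd -> Hash(pwd, domain-name).
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_domain(url: str) -> str:
    """Return the host the hash is keyed on (assumption: full hostname, lower-cased)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower()


def site_password(master_pwd: str, url: str, length: int = 12) -> str:
    """HMAC-SHA256 of the domain keyed by the master password, base64-encoded and
    truncated (assumption: the real PwdHash derivation and encoding differ)."""
    domain = site_domain(url)
    digest = hmac.new(master_pwd.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def phishing_capture_is_useless(master_pwd: str, real_url: str, phish_url: str) -> bool:
    """True when the value a lookalike site captures differs from the real site's
    password, so the attacker cannot replay it (the slide's ebuy.com vs ebuj.com)."""
    return site_password(master_pwd, phish_url) != site_password(master_pwd, real_url)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for url in ("https://www.ebuy.com/login", "https://www.ebuj.com/login"):
        print(url, "->", site_password(master, url))
    print("captured value replayable:", not phishing_capture_is_useless(
        master, "https://www.ebuy.com/login", "https://www.ebuj.com/login"))
```

Keying on the full hostname means different subdomains of one site get different passwords; PwdHash keys on the site’s domain name instead, which this example does not compute.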

Page 12: Online ID Theft, Phishing, and Malware


Berkeley: Understanding EULAs

Confirmed previous study: EULAs are not effective in informing users even when the agreements are read by the user
– Users exhibit high installation rates, lack of knowledge about the program, and high regret

A short notice before or after the installation can significantly influence users’ behavior if subjects pause to read it
– Lower installation rates, but still noticeable regret
– Reading times correlated with decision making and regret
– Post-notice more effective in grabbing the attention of every user
– Other support mechanisms needed to help the user

Last TRUST Review: Stanford study on spyware motivated by EULA legal issues

Page 13: Online ID Theft, Phishing, and Malware


Malware detection

Minesweeper: Automatically Identifying Trigger-based Behavior in Programs
– Dawn Song, CMU

Panorama: Capturing System-wide Information Flow for Malware Detection and Analysis
– Dawn Song, CMU

BotSwat: Host-based behavioral bot detection
– Liz Stinson, John Mitchell, Stanford

Page 14: Online ID Theft, Phishing, and Malware


Privacy and ID Theft Issues in ePassports

Recent RFID passport requirements in U.S. and Germany
– Uses Basic Access Control
– Passport holder has no way of knowing if their passport is being scanned
– Uses an ISO 14443 contactless RFID chip from Infineon with 64K memory
– Contains JPEGs of photos and fingerprints

Page 15: Online ID Theft, Phishing, and Malware


ePassports

• Guessing the access key: the access key is derived from the MRZ, which consists of passport #, year of birth, and check digits. But passport #s are sequential, implying a correlation between date of issue and #. If you can see the passport holder, can a hacker guess someone’s birth year?

• Traceability: RFID systems use fixed unique low-level tag identifiers, making an ePassport traceable.

• Eavesdropping: “listening” to a legitimate reader-RFID conversation.

• Often overlooked, fallback: what if my biometric identity has been compromised? How can I prove “it wasn’t me”?

Page 16: Online ID Theft, Phishing, and Malware


Research Spotlight

Cookie Management

• Locked IP Cookies
• Doppelganger

Doug Tygar, Chris Karlof, David Wagner, Umesh Shankar

Page 17: Online ID Theft, Phishing, and Malware


Cookie Management

Cookies are both a challenge and an opportunity for ID theft protection

Doppelganger: a system for automatically sensing how cookies are used

IP-locked cookies: a framework alternative to anti-phishing and anti-pharming
– Unlike existing solutions (SiteKey), robust against man-in-the-middle attacks

Page 18: Online ID Theft, Phishing, and Malware


Berkeley: Doppelganger

(Karlof, U. Shankar)

Flexible automatic cookie management

Notes when cookies make a difference to a web page

Page 19: Online ID Theft, Phishing, and Malware


Berkeley: Locked IP cookies

Powerful solution to Phishing (Karlof, Tygar, Wagner)


Page 20: Online ID Theft, Phishing, and Malware


Research Spotlight

Keyboard Acoustic Emanations

Li Zhuang, Feng Zhou, Doug Tygar

Page 21: Online ID Theft, Phishing, and Malware


Keyboard Acoustic Sniffing

Acoustic emanations from keyboard

Example of statistical learning techniques in computer security (vulnerability analysis, detection)

Figure: Alice’s password

Page 22: Online ID Theft, Phishing, and Malware


Overview

Diagram of the two phases:

Initial training – wave signal, Feature Extraction, Unsupervised Learning, Sample Collector, Classifier Builder, Language Model Correction; outputs a keystroke classifier and recovered keystrokes

Subsequent recognition – wave signal, Feature Extraction, Keystroke Classifier, Language Model Correction (optional); outputs recovered keystrokes

Page 23: Online ID Theft, Phishing, and Malware


Two Copies of Recovered Text

Before spelling and grammar correction

After spelling and grammar correction

Legend: underlined = errors in recovery; errors corrected by grammar correction are marked separately

Page 24: Online ID Theft, Phishing, and Malware


Experiment

Single keyboard
– Logitech Elite Duo wireless keyboard
– 4 data sets recorded in two settings: quiet & noisy

Keystrokes are clearly separable from consecutive keys
– Automatically extract keystroke positions in the signal, with some manual error correction

Page 25: Online ID Theft, Phishing, and Malware


Data sets

        Recording length   Number of words   Number of keys
Set 1   ~12 min            ~400              ~2500
Set 2   ~27 min            ~1000             ~5500
Set 3   ~22 min            ~800              ~4200
Set 4   ~24 min            ~700              ~4300

          Set 1 (%)      Set 2 (%)      Set 3 (%)      Set 4 (%)
          Word   Char    Word   Char    Word   Char    Word   Char
Initial   35     76      39     80      32     73      23     68
Final     90     96      89     96      83     95      80     92

Page 26: Online ID Theft, Phishing, and Malware


Research Spotlight

Timing Attacks

Web servers are vulnerable to timing attacks that reveal useful phishing information

Andrew Bortz, Palash Nandy, Dan Boneh, John Mitchell

Page 27: Online ID Theft, Phishing, and Malware


Spear-Phishing

Targeted email to known potential victims, e.g., customers of a specific bank
– Beats existing techniques for filtering
– Higher success rate
– Lower detection rate

But need to know the sites a user visits
– Generally hard to obtain this type of data

Page 28: Online ID Theft, Phishing, and Malware


Forget your password?

Most sites have “Forgot my password” pages
– These pages frequently leak whether an email is valid or not at that site

Page 29: Online ID Theft, Phishing, and Malware


Direct Timing

Time a login attempt: the response time of the server depends on whether the email address used is valid or not

This problem affects every tested web site!

Page 30: Online ID Theft, Phishing, and Malware


Cross-Site Timing Attack

Hijack a user’s browser session to time sites

Many timing dependencies on the user’s relationship with the target site; here, we can distinguish logged in from not

Page 31: Online ID Theft, Phishing, and Malware


Solutions and Future Work

Good solutions are server-side
– Client-side solutions exist only for cross-site timing, and they are brittle

Controlling response time to mitigate attacks
– Eliminate the problem by making every response take the same amount of time
– If that is impossible, then “round” the amount of response time

Future work:
– Apache module to control response time automatically
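The server-side mitigation above, as an added example that is not the paper’s or the Apache module’s code: a “forgot my password” handler shown in its leaky form beside a hardened form that returns one uniform message and rounds its response time up to the next bucket edge. The account table, the 50 ms bucket and the PBKDF2 call standing in for the valid-account work are constructed assumptions.

```python
# Added example, not the timing-attack paper's code: a "forgot my password"
# handler whose reply and (rounded) response time no longer depend on whether
# the email address is registered.
import hashlib
import math
import time

# Constructed sample account table: email -> per-user salt.
REGISTERED = {"alice@example.com": b"salt-a", "bob@example.com": b"salt-b"}
TIME_BUCKET_S = 0.05  # assumption: responses are rounded up to a multiple of 50 ms


def _account_work(email: str) -> bool:
    """Expensive path that only runs for valid accounts (stand-in for hashing, token
    generation and mail sending); this asymmetry is what direct timing measures."""
    salt = REGISTERED.get(email)
    if salt is None:
        return False
    hashlib.pbkdf2_hmac("sha256", email.encode(), salt, 20_000)
    return True


def forgot_password_leaky(email: str) -> str:
    """Vulnerable form: both the message and the response time reveal validity."""
    return "Email sent" if _account_work(email) else "No such account"


def round_up_response_time(elapsed_s: float) -> float:
    """The slide's 'round the amount of response time': next multiple of the bucket."""
    return max(1, math.ceil(elapsed_s / TIME_BUCKET_S)) * TIME_BUCKET_S


def forgot_password_fixed(email: str) -> str:
    """Hardened form: uniform message, and the response is padded to the bucket edge."""
    start = time.monotonic()
    _account_work(email)
    elapsed = time.monotonic() - start
    time.sleep(max(0.0, round_up_response_time(elapsed) - elapsed))
    return "If that address is registered, a reset email has been sent"


def timed(handler, email: str):
    """Return (reply, seconds taken): what a remote timing attacker can observe."""
    start = time.monotonic()
    reply = handler(email)
    return reply, time.monotonic() - start


if __name__ == "__main__":
    for handler in (forgot_password_leaky, forgot_password_fixed):
        for email in ("alice@example.com", "nobody@example.com"):
            reply, secs = timed(handler, email)
            print(f"{handler.__name__:22s} {email:20s} {secs * 1000:6.1f} ms  {reply}")
```

Rounding only hides differences smaller than one bucket, so the bucket must exceed the gap between the valid and invalid paths; if the work can straddle a bucket edge, the constant-time variant the slide lists first is the safer choice.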

Page 32: Online ID Theft, Phishing, and Malware


Research Spotlight

User Interfaces

An Evaluation of Extended Validation and Picture-in-Picture Phishing Attacks

Collin Jackson, Dan Simon, Desney Tan, Adam Barth

Page 33: Online ID Theft, Phishing, and Malware


Anti-Phishing Features in IE7

Page 34: Online ID Theft, Phishing, and Malware


Picture-in-Picture Attack

Page 35: Online ID Theft, Phishing, and Malware


Results: Is this site legitimate?

Future
– More user studies, UI evaluations

Page 36: Online ID Theft, Phishing, and Malware


Research Spotlight

Minesweeper: Automatically Identifying Trigger-based Behavior in Programs

Dawn Song

Page 37: Online ID Theft, Phishing, and Malware


Research Spotlight

BotSwat: Host-based behavioral bot detection

Dawn Song, Elizabeth Stinson, John Mitchell

Page 38: Online ID Theft, Phishing, and Malware


Botnet

Diagram: bot master, Intermediary, IRC svr, IRC svr, IRC svr, ...

Page 39: Online ID Theft, Phishing, and Malware


sample bot commands

execute {0,1} <prog_path> [params]
killprocess <proc_name>
makedir <loc_path>
http.execute <URL> <local_path>
ping <host/IP> <num> <size> <t_out>
scan <IP> <port> <delay>
redirect <loc_port> <rem_host> <rem_port>
ddos.httpflood <URL> <#> <ref> <recurse?>

Page 40: Online ID Theft, Phishing, and Malware


BotSwat

Diagram: SOURCES → ? → SINKS, with calls bind(…), CreateProcessA(…), NtCreateFile(…), ...

Page 41: Online ID Theft, Phishing, and Malware


Host-based bot detection

Page 42: Online ID Theft, Phishing, and Malware


ID Theft: Knowledge Transfer

Page 43: Online ID Theft, Phishing, and Malware


Page 44: Online ID Theft, Phishing, and Malware


Technology Transition Plan

PwdHash: RSA Security (www.pwdhash.com)
– Initial integration completed fall 2006
– Hope to convince IE team to embed natively in IE

SpyBlock deployment:
– Available at http://getspyblock.com/
– Relevant companies: Mocha5, VMware
– Dialog with companies about transaction generators

SafeHistory: Microsoft, Mozilla
– Available at www.safehistory.com

Page 45: Online ID Theft, Phishing, and Malware


Public relations activities

News articles on PwdHash:
– Many articles in popular press, still appearing
– Computerworld Horizon Award: August 2006

SafeHistory & SafeCache:
– WWW ’06 paper

Timing attacks:
– WWW ’07 paper

SpyBlock and transaction generation:
– Report completed; conference paper in process

Page 46: Online ID Theft, Phishing, and Malware


Page 47: Online ID Theft, Phishing, and Malware


Page 48: Online ID Theft, Phishing, and Malware


PwdHash and RSA SecurID

Tech transfer: available as IE and Firefox extensions
– Working to convince MS to embed natively into IE

Integration with RSA SecurID:
– Motivation: “man in the middle” phishing attacks defeat one-time password systems
– Phase I: apply PwdHash to one-time passwords; requires updates to SecurID server and PwdHash
– Phase II: authenticate server to client; planned for next year

Page 49: Online ID Theft, Phishing, and Malware
