Phishing
Markus Jakobsson (markus.jakobsson@parc.com)
Posted 24-Jan-2016

Transcript of "Phishing" (slide deck)

Slide 1: Phishing
markus.jakobsson@parc.com
Slide 2: Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that is considered secret in the application layer?
Slide 3: The human factor of security
(figure labels: Configuration, Neglect, Deceit)
Slide 4: The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: "Warkitting: the Drive-by Subversion of Wireless Home Routers" (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
(figure labels: wireless, firmware update, wardriving, rootkitting)
Shows that more than 50% of APs are vulnerable
Slide 5: The human factor: configuration
Weak passwords
With Stamm, Ramzan: "Drive-By Pharming" (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple's are at risk. Firmware update tested on only a few. Paper in submission)
(figure labels: wireless; nvram value setting "Use DNS server x.x.x.x")
And worse: geographic spread!
Slide 6: The human factor: neglect
Slide 7: The human factor: deceit
(Threaten/disguise - image credit to Ben Edelman)
Slide 8: The human factor: deceit
Self: "Modeling and Preventing Phishing Attacks" (Panel, Financial Crypto, 2005 - notion of spear phishing)
With Jagatic, Johnson, Menczer: "Social Phishing" (Communications of the ACM, Oct 2007)
With Finn, Johnson: "Why and How to Perform Fraud Experiments" (IEEE Security and Privacy, March/April 2008)
Slide 9: Experiment Design
Slide 10: Gender Effects
Success rate of the social phishing message, by sender and recipient gender:

Success Rate    To Male    To Female    To Any
From Male       53%        78%          68%
From Female     68%        76%          73%
From Any        65%        77%          72%
Slide 11: (image only)

Slide 12: Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
Reality: (diagram of parties A, B and eBay; message steps 1, 2, 3 (credentials), 4)
Slide 13: Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
Attack: (diagram of parties A and B; steps 1 (spoof), 2 (credentials))
Slide 14: Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
Experiment: (diagram of parties A, B and eBay; steps 1, 2, 3 (spoof), 4 (credentials), 5)
Yield (incl. spam filtering loss): 11% + 3% … "eBay greeting" removed: same-
Slide 15: Mutual authentication in the "real world"
With Tsow, Shah, Blevis, Lim: "What Instills Trust? A Qualitative Study of Phishing" (Abstract at Usable Security, 2007)
(figure fragment: "starting with 4901")
Slide 16: How does the typical Internet user identify phishing?
Slide 17: Spear Phishing and Data Mining
Current attack style:
Approx. 3% of adult Americans report having been victimized.
Slide 18: Spear Phishing and Data Mining
More sophisticated attack style: "context aware attack"
Slide 19: How can information be derived?
(figure: Jane Smith, Jose Garcia … and little Jimmy Garcia; Jane Garcia, Jose Garcia)
Slide 20: Let's start from the end!
"Little" Jimmy, his parents, their marriage license, and Jimmy's mother's maiden name: Smith
More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
Slide 21: www.browser-recon.info
Slide 22: Approximate price list
PayPal user id + password: $1
+ challenge questions: $15
Why?
Slide 23: Password Reset: Typical Questions
• Make of your first car
• Mother's maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister's best friend
• Name of your pet
• How much wood would a woodchuck …
Slide 24: Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford has >25% market share
• First name of your best friend?
– 10% of males named James (Jim), John, or Robert (Bob or Rob) + Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online
Slide 25: Problem 2: People Forget
• Name of the street you grew up on?
– There may have been more than one
• First name of your best friend / sister's best friend?
– Friends change; what if you have no sister?
• City in which you were born?
– NYC? New York? New York City? Manhattan? The Big Apple?
• People lie to increase security … then forget!
Slide 26: Intuition
Preference-based authentication:
• preferences are more stable than long-term memory (confirmed by psychology research)
• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!
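The two problems (public answer distributions on slide 24, forgetting on slide 25) and the preference-based intuition above can be made concrete in a small model. The Python block below is an added illustration, not code from the talk or from the Blue-Moon-Authentication demo: it scores a conventional question against an attacker who guesses answers in order of population frequency, and then scores a like/dislike questionnaire with a threshold that tolerates a few lapses of memory while bounding what an uninformed guesser can achieve. The topic list, the user's likes and dislikes, the threshold, and every frequency other than the slide's ~25% Ford share are constructed for the example.

```python
from math import comb

# ---- Part 1: a conventional question against an attacker with public data ----

def guess_success(distribution, guesses):
    """Probability that an attacker who knows how answers are distributed in the
    population succeeds within `guesses` attempts, trying the most common first."""
    probs = sorted(distribution.values(), reverse=True)
    return sum(probs[:guesses])

# Constructed distribution for "make of your first car". Only the ~25% Ford
# figure comes from the slide; the other shares are made up for illustration
# and the long tail of remaining makes is omitted.
FIRST_CAR_MAKE = {"Ford": 0.25, "Chevrolet": 0.18, "Toyota": 0.12, "Honda": 0.10}

# ---- Part 2: a preference questionnaire with tolerance for forgetting ----

LIKE, DISLIKE, NEUTRAL = 1, -1, 0

def register(likes, dislikes):
    """Enrollment: store the user's stated like/dislike per topic."""
    prefs = {t: LIKE for t in likes}
    prefs.update({t: DISLIKE for t in dislikes})
    return prefs

def preference_score(registered, answered):
    """+1 for each topic answered as registered, -1 for the opposite answer,
    0 for a topic the user now leaves neutral (forgot or unsure)."""
    return sum(registered[t] * answered.get(t, NEUTRAL) for t in registered)

def verify_preferences(registered, answered, threshold):
    """Accept when the score clears `threshold`. A threshold below the number
    of topics leaves room for a few lapses (slide 25: people forget)."""
    return preference_score(registered, answered) >= threshold

def random_guess_success(n_topics, threshold):
    """Exact probability that an attacker with no information about the user,
    guessing like/dislike uniformly for each topic, reaches the threshold.
    With m matching guesses the score is m - (n - m) = 2m - n, so the attacker
    needs m >= ceil((threshold + n) / 2) matches out of n."""
    needed = -(-(threshold + n_topics) // 2)          # integer ceiling
    return sum(comb(n_topics, m) for m in range(needed, n_topics + 1)) / 2 ** n_topics

# Constructed enrollment: 16 topics, the first 8 liked, the last 8 disliked.
TOPICS = ["opera", "camping", "sushi", "golf", "cats", "jazz", "skiing", "poetry",
          "reality tv", "cilantro", "crowds", "horror films", "mornings",
          "spreadsheets", "karaoke", "long drives"]
USER_PREFS = register(likes=TOPICS[:8], dislikes=TOPICS[8:])
THRESHOLD = 8   # constructed policy: 16 topics, accept at score >= 8

def legitimate_user_answers():
    """The same user months later: two topics forgotten (left neutral) and one
    answered the other way round. Score = 13 matches - 1 mismatch = 12."""
    answers = dict(USER_PREFS)
    del answers["golf"], answers["crowds"]
    answers["poetry"] = DISLIKE
    return answers

if __name__ == "__main__":
    print("first car, 1 guess :", guess_success(FIRST_CAR_MAKE, 1))
    print("first car, 3 guesses:", guess_success(FIRST_CAR_MAKE, 3))
    print("user with lapses accepted:",
          verify_preferences(USER_PREFS, legitimate_user_answers(), THRESHOLD))
    print("uninformed attacker, one attempt:",
          random_guess_success(len(TOPICS), THRESHOLD))
```

With these constructed numbers a single guess at the car question succeeds one time in four, while a single uninformed attempt at the 16-topic questionnaire succeeds about 3.8% of the time even though the user is allowed three lapses. Lowering the threshold reduces false rejections and raises the attacker's chance, so the threshold is the policy knob; the attacker bound assumes no population prior over preferences, which is exactly the property slide 26 claims (preferences, and dislikes in particular, are rarely documented), and rate-limiting attempts still matters as with any reset mechanism.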
Slide 27: Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
Slide 28: Our Approach (2)
Slide 29: And next?
http://www. democratic-party.us/LiveEarth
Slide 30: Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenId
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal