Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets - PowerPoint PPT Presentation

About This Presentation
Title:

Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets

Description:

SpoofGuard is added to IE tool bar. User configuration ... Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords. ... – PowerPoint PPT presentation

Number of Views:417
Avg rating:3.0/5.0
Slides: 30
Provided by: johnc312
Category:

less

Transcript and Presenter's Notes

Title: Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets


1
Combating Online Identity Theft
Spoofguard, PwdHash, Spyware, Botnets
  • John Mitchell (Stanford)

2
Problem Online Identity Theft
  • Password phishing
  • Forged email and fake web sites steal passwords
  • Passwords used to withdraw money, degrade trust
  • Password theft
  • Criminals break into servers and steal password
    files
  • Spyware
  • Keyloggers steal passwords, product activation
    codes, etc.
  • Botnets
  • Networks of compromised end-user machines spread
    SPAM, launch attacks, collect and share stolen
    information
  • Magnitude
  • Hundreds of millions in direct loss per year
  • Significant Indirect loss in brand erosion
  • Loss of confidence in online transactions
  • Inconvenience of restoring credit rating,
    identity

3
TRUST team
  • Stanford
  • D Boneh, J Mitchell, D Dill, Jennifer Granick
    (Law School)
  • A Bortz, N Chou, C Jackson, N Miyake, R Ledesma,
    B Ross, E Stinson, Y Teraguchi,
  • Berkeley
  • D Tygar, R Dhamija, ,,,
  • Deidre Mulligan (UC Berkeley Law),
  • CMU
  • A Perrig, D Song
  • B Parno, C Kuo
  • Partners and collaborators
  • US Secret Service, DHS/SRI Id Theft Tech Council,
    RSA Securities,
  • R Rodriguez, D Maughan,
  • And growing

4
Phishing Attack
Sends email There is a problem with your eBuy
account
Password sent to bad guy
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username
and password.
5
Sample phishing email
6
How does this lead to spoof page?
  • Link displayed
  • https//www.start.earthlink.net/track?billing.asp
  • Actual link in html email
  • sourcehttps//start.earthlink.net/track?id101fe8
    4398a866372f999c983d8973e77438a993847183bca43d7ad4
    7e99219a907871c773400b8328898787762curlhttp//20
    2.69.39.30/snkee/billing.htm?session_id8495...
  • Website resolved to
  • http//202.69.39.30/snkee/billing.htm?session_id8
    495...

7
Spoof page
http//202.69.39.30/snkee/....
8
Typical properties of spoof sites
  • Show logos found on the honest site
  • Copied jpg/gif file, or link to honest site
  • Have suspicious URLs
  • Ask for user input
  • Some ask for CCN, SSN, mothers maiden name,
  • HTML copied from honest site
  • May contain links to the honest site
  • May contain revealing mistakes
  • Short lived
  • Cannot effectively blacklist spoof sites
  • HTTPS uncommon

9
SpoofGuard browser extension
  • SpoofGuard is added to IE tool bar
  • User configuration
  • Pop-up notification as method of last resort

10
Berkeley Dynamic Security Skins
  • Automatically customize secure windows
  • Visual hashes
  • Random Art - visual hash algorithm
  • Generate unique abstract image for each
    authentication
  • Use the image to skin windows or web content
  • Browser generated or server generated

11
Browser Generated Images
  • Browser chooses random number and generates image
  • Can be used to modify border or web elements

12
Server Generated Images
  • Server, browser independently generate same image
  • Server can customize its own page

13
CMU Phoolproof prevention
  • Eliminates reliance on perfect user behavior
  • Protects against keyloggers, spyware.
  • Uses a trusted mobile device to perform mutual
    authentication with the server

14
Password Phishing Problem
Bank A
pwdA
pwdA
Fake Site
  • User cannot reliably identify fake sites
  • Captured password can be used at target site

15
Common Password Problem
Bank A
high security site
pwdA
Site B
  • Phishing attack or break-in at site B reveals pwd
    at A
  • Server-side solutions will not keep pwd safe
  • Solution Strengthen with client-side support

16
What is PwdHash?
  • Lightweight browser extension
  • Impedes password theft
  • Invisible to server
  • Compute site-specific password that appears
    ordinary to server that received is
  • Invisible to user
  • User indicates password to be hashed by alert
    sequence (_at__at_) at beginning of pwd

17
Password Hashing
hash(pwdA, BankA)
Bank A
hash(pwdB, SiteB)
Site B
  • Generate a unique password per site
  • HMACfido123(banka.com) ? Q7a0ekEXb
  • HMACfido123(siteb.com) ? OzX2ICiqc
  • Hashed password is not usable at any other site
  • Protects against password phishing
  • Protects against common password problem

18
Many additional issues
  • Malicious javascript in browser
  • Implement keystroke logger, keep scripts from
    reading user password entry
  • Password reset problem
  • Internet café
  • Dictionary attacks (defense added salt)
  • Try it!
  • http//crypto.stanford.edu/SpoofGuard/
  • http//crypto.stanford.edu/PwdHash/

19
Tech Transfer
  • SpoofGuard
  • Some SpoofGuard heuristics now used in eBay
    toolbar and Earthlink ScamBlocker.
  • Very effective against basic phishing attacks.
  • PwdHash
  • Collaboration with RSA Security to implement
    PwdHash on one-time RSA SecurID passwords.
  • RSA SecurID passwords vulnerable to online
    phishing
  • PwdHash helps strengthen SecurID passwords
  • New browser extensions for privacy
  • SafeCache and SafeHistory

20
Botnets
  • Collection of compromised hosts
  • Spread like worms and viruses
  • Once installed, respond to remote commands
  • Platform for many attacks
  • Spam forwarding
  • Keystroke logging
  • Distributed denial of service attacks
  • What more could a cybercriminal ask for?

21
Botnet facts
  • Platforms
  • Most bots are compromised Windows machines
  • Most controllers are compromised Unix hosts
    running ircd
  • Example bot software
  • Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot,
    Phatbot.
  • Versatile launching point for many attacks
  • 70 of spam from bots (MessageLabs, October
    2004).
  • Most worms and viruses used to propagate bot
    software
  • Most denial of service attacks are orchestrated
    using bots

22
GLBC malware-infected hosts
23
Building a Bot Network
compromise attempt
Win XP
compromise attempt
compromise attempt
compromise attempt
Win XP
24
Building a Bot Network
compromise attempt
Win XP compromised
install bot software
compromise attempt
compromise attempt
compromise attempt
Win XP compromised
install bot software
25
Step 2
Win XP
Win XP
. . . /connect jade.va.us.dal.net /join hacker .
. .
. . . /connect jade.va.us.dal.net /join hacker .
. .
jade.va.dal.net
26
Step 3
(125927pm) -- A9-pcgbdv (A9-pcgbdv_at_140.134.36.12
4) has joined (owned) Users 1646 (125927pm)
(BadGuy) .ddos.synflood 216.209.82.62 (125927pm
) -- A6-bpxufrd (A6-bpxufrd_at_wp95-81.introweb.nl)
has joined (owned) Users 1647 (125927pm) --
A9-nzmpah (A9-nzmpah_at_140.122.200.221) has left
IRC (Connection reset by peer) (125928pm)
(BadGuy) .scan.enable DCOM (125928pm) --
A9-tzrkeasv (A9-tzrkeas_at_220.89.66.93) has joined
(owned) Users 1650
27
Underground commerce
  • Market in access to bots
  • Botherd Collects and manages bots
  • Sample rates
  • Non-exclusive access to botnet 10 per machine
  • Exclusive access 25.
  • Payment via compromised account or cash to
    dropbox
  • Identity Theft
  • Keystroke logging
  • Complete identities available for 25 - 200
  • Rates depend on financial situation of
    compromised person
  • Include all info from PC files, plus all websites
    of interest with passwords/account info used by
    PC owner
  • At 200, usually includes full credit report
  • Lloyd Taylor, Keynote
    Systems, SFBay InfraGard Board

28
Detect and disabling botnets
  • Unique characteristic rallying
  • Bots spread like worms and trojans
  • Payloads may be common backdoors
  • Centralized control of botnet is characteristic
    feature
  • Current efforts
  • Spyware project with Stanford Law School
  • CMU botnet detection
  • Based on methods that bots use to hide themselves
  • Stanford host-based bot detection
  • Taint analysis, comparing network buffer and
    syscall args
  • Botnet and spyware survival
  • Spyblock virtualization and containment of pwd,
    etc.

29
Future challenges
  • Criminals become increasingly sophisticated
  • In 25 years of law enforcement, this is the
    closest thing Ive seen to the perfect crime
    Don Wilborn
  • Increasing interest at server side
  • Losses are significant
  • Need improved platform security
  • Protect assets from crimeware
  • Need improved web authentication
  • Basic science can be applied to solve problem
    challenge-response, two-factor auth,
  • Social awareness, legal issues, and human factors
  • Studies with Law Clinics user studies
  • Technology transfer
  • More free software, RSA Security,
Write a Comment
User Comments (0)
About PowerShow.com