Invasive Browser Sniffing and Countermeasures - PowerPoint PPT Presentation
Title:
Invasive Browser Sniffing and Countermeasures
Description:
Additionally, email address can be obtained through the auto-fill field extraction (see Fil s riddle site) Segway: so now they know where you ve been, ... – PowerPoint PPT presentation
Number of Views:39
Avg rating:3.0/5.0
Title: Invasive Browser Sniffing and Countermeasures
1
Invasive Browser Sniffing and Countermeasures
- Markus Jakobsson Sid Stamm
2
The Scenario
- Grandma goes to evil site
- Gets sniffed
- Gets phishing email
- Loses money
3
Summary
- Example phishing attacks
- Context-aware phishing attacks
- Browser-recon attack
- Other Solutions
- Our Solution
4
(No Transcript)
5
(No Transcript)
6
Context Aware Attacks
- Data about targets obtained
- Used to customize emails
- Yields higher vulnerability rate
7
Context Social Networks
- Mine site for relationships(Alice knows Bob)
- Spoof email from victims friend
- People trust their friends (and that which spoofs
them)
8
Context Browser-Recon
- Phisher mines browsers
- Browsing history
- Cached data
- Attacker can discover affiliations
- Easy to pair browser history with email address
9
Context Cache Recon
Pic1.jpg is Not in Cache
(pic1.jpg is not cached)
10
Context Cache Recon
Pic1.jpg IS in Cache
(pic1.jpg is cached)
11
Context Cache Recon
- Phishing page forces 3 sequential loads
- Img1 on phishers server
- Img2 on site in question (e.g. Bank)
- Img3 on phishers server
- Load Time Time(Img3) - Time(Img1)
- Short load time cache hit
(Felten Schneider, Timing Attacks on Web
Privacy7th ACM Conference in Computer
Communication Security, 2000.)
12
Context Cache Recon
(Felten Schneider, Timing Attacks on Web
Privacy7th ACM Conference in Computer
Communication Security, 2000.)
13
Context History Recon
What You See
The Code
ltstylegt a color blue id1visited color
red id2visited color red id3visited
color red lt/stylegt lta idid1
hrefx.comgtLink 1lt/agt lta idid2
hrefy.comgtLink 2lt/agt lta idid3
hrefz.comgtLink 3lt/agt
Link 1
Link 2
Link 3
14
Context History Recon
What You See
The Code
ltstylegt a color blue id1visited
background url(e.com/?id1) id2visited
background url(e.com/?id2)
lt/stylegt lta idid1 hrefx.comgtLink
1lt/agt lta idid2 hrefy.comgtLink 2lt/agt lta idid3
hrefz.comgtLink 3lt/agt
Link 1
Link 2
Link 3
15
Context History Recon
What You See
The Code
ltstylegt a color blue id1visited
background url(e.com/?id1) id2visited
background url(e.com/?id2)
lt/stylegt lta idid1 hrefx.comgtlt/agt lta
idid2 hrefy.comgtlt/agt lta idid3
hrefz.comgtlt/agt
16
History Recon Email
Auto-Fill Identity Extraction
17
Chameleon Attack
18
Solutions to Browser-recon
- Client-Side Solutions
- Jackson, Bortz, Boneh Mitchell, Protecting
browser state from web privacy attacks, To
appear in WWW06, 2006. - CSS limiting
- User-Paranoia (regularly clear history, cache,
keep no bookmarks) - Server-Side Solution
- Make URLs impossible to guess
19
Solution Goals
- Requirements
- Hard to guess any pages or resources served by SP
- Search engines can still index and search SP
20
Formal Goal Specification
21
Formal Goal Specification
22
Solution Techniques
- Two techniques
- Customize URLs with pseudonymshttp//chase.com/pa
ge.html?39fc938f - Pollute Client State (fill cache/history with
related sites not visited by client) - Hiding vs. obfuscating
- Internal (protected) URLs hidden
- Entry point (public) URLs obfuscated
23
Solution to Browser-recon
GET /
C
24
Solution to Browser-recon
GET /?13fc021b
GET /
C
Domain of S
25
Pseudonyms
- Establishing a pseudonym
- Using a pseudonym
- Pseudonym validity check
- Via Cookies
- Via HTTP-REFERER
- Via Message Authentication Codes
26
Pseudonyms
- Robot Policies
- Dealing with search engines
- Robots.txt standard (no problem if cheating)
- Pollution Policy
- Pollute entrance URLs
- How to choose pollutants?
- What about links to offsite data?
- Bookmarks?
27
Example
Bank.com
10.0.0.1
C
28
Example
lta hrefhttp//www.g.comgtGo to Glt/agt lta
hrefhttp//10.0.0.1/login.jspgtLog inlt/agt ltimg
src/img/hi.gifgt
hm
Bank.com
10.0.0.1
C
29
Example
lta hrefhttp//www.g.comgtGo to Glt/agt lta
hrefhttp//Bank.com/login.jspgtLog inlt/agt ltimg
src/img/hi.gifgt
hm
Bank.com
10.0.0.1
C
30
Example
lta hrefhttp//Bank.com/redir?www.g.comgtGo to
Glt/agt lta hrefhttp//Bank.com/login.jspgtLog
inlt/agt ltimg src/img/hi.gifgt
hm
Bank.com
10.0.0.1
C
31
Example
lta hrefhttp//Bank.com/redir?www.g.com?83fa029gt
Go to Glt/agt lta hrefhttp//Bank.com/login.jsp?83f
a029gtLog inlt/agt ltimg src/img/hi.gif?83fa029gt
hm
Bank.com
10.0.0.1
C
32
Example
lta hrefhttp//Bank.com/redir?www.g.com?83fa029gt
Go to Glt/agt lta hrefhttp//Bank.com/login.jsp?83f
a029gtLog inlt/agt ltimg src/img/hi.gif?83fa029gt
T
Bank.com
10.0.0.1
C
33
Clients Perception
34
Policies
- Offsite Redirection Policy
- Data Replacement Policy
- Client vs. Robot Distinction
35
Special Cases
Shared/Transfer Pseudonyms
Cache pollution reciprocity
36
Security Argument
- Perfect privacy of internal pages
- N-privacy of entrance pages
- Searchability
37
Prototype Details
- Java App simulating an HTTP server
- Pseudonyms 64-bit random number
- java.security.SecureRandom
- Experimental Client
- Shell script CURL
38
Experimental Results
39
Experimental Results
40
Experimental Results
41
Experimental Results
42
General Considerations
- Forwarding user-agent
- Translate Cookies
- Optimizations
43
Invasive Browser Sniffing and Countermeasures
?
- Markus Jakobsson Sid Stamm
Recommended
CrystalGraphics Presentations
