Client-side defenses against web-based identity theft (presentation transcript)


Slide 1: Client-side defenses against web-based identity theft
Students: Robert Ledesma, Blake Ross, Yuka Teraguchi
Faculty: Dan Boneh and John Mitchell
Stanford University, PORTIA Project

Slide 2: Phishing Attack
- Spam email: “There is a problem with your eBay account.”
- User clicks on email link to go to badguy.com.
- User thinks it is ebay.com, and enters eBay username and password.
- Information is sent to the bad guy.

Slide 3: Sample phishing email

Slide 4: How does this lead to spoof page?
- Link displayed: https://www.start.earthlink.net/track?billing.asp
- Actual link in HTML email source: https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
- Website resolved to http://202.69.39.30/snkee/billing.htm?session_id=8495...

Slide 5: Spoof page at http://202.69.39.30/snkee/...

Slide 6: Magnitude of problem
- Fastest growing crime on the Internet.
- Primary targets, attacks/month (2004), source http://www.antiphishing.org:

  Target     July  June  May  ...  Jan
  Citibank    682   492  370  ...   34
  US Bank     622   251  167  ...    2
  eBay        255   285  293  ...   51

Slide 7: Properties of Spoof Sites
- Ask for user input, e.g. password. Some ask for CCN, SSN, mother’s maiden name, …
- HTML copied from honest site
  - Contain links to the honest site
  - Logos from honest site: copied jpg/gif file, or link to honest site
  - Can contain revealing mistakes
  - Clever spoof pages contain Javascript to fool user.
- Short lived: blacklisting spoof sites has limited success.
- HTTPS uncommon

Slide 8: Thanks!
- Robert Rodriguez
- Chris Von Holt
- Alissa Cooper
- Tom Pageler
- Greg Crabb
- Many more …

Slide 9: What can we do about phishing?
- Spam filter: Phishing starts with email, so stop it there.
  - Non-trivial: phishing emails look like ordinary email.
- Browser-side methods (plug-ins)
  - Detect spoof web site. Warn user.
  - Improve browser password management.
- Server-side methods: Use strong user authentication instead of pwds.
  - Certificates or security tokens.
- This talk: SpoofGuard

Slide 10: Our project at Stanford
- Two browser plug-ins available for download:
  - SpoofGuard: alerts user when browser is viewing a spoofed web page; uses a variety of heuristics to identify spoof pages.
  - PwdHash: simple mechanism for improving password management by the browser.
- Will SpoofGuard solve the phishing problem?
  - As likely to end phishing as the first virus scanner was to end viruses.
  - A new type of anomaly detection problem.

Slide 11: SpoofGuard: Detect Phishing Web Sites (http://crypto.stanford.edu/SpoofGuard)

Slide 12: SpoofGuard Browser Plug-in
- Compute spoof index:
  - Weighted sum of several spoof measures
  - Depends on current page and history
- Provides two forms of information:
  - Passive stoplight in toolbar: green, yellow, red
  - Active pop-up when necessary: stop outgoing information to malicious web site
- Challenges:
  - Must be easy for novice users.
  - Detect malicious pages
  - Minimize false alarms

Slide 13: Stateless Page Evaluation
- URL Check:
  - Similar to well known site: www.ebay-fixit.com, www.ebau.com
  - IP address instead of host name: http://123.123.123.123/
  - Other tricks: www.ebay.com@123.123.123.123
  - Use reverse DNS to find domain if IP address
- Image Check: Is image associated with a different domain in image-domain database?

Slide 14: Stateless Page Evaluation II
- Link Check:
  - Run URL check on links on the page
  - If significant fraction fail, raise alert
- Password Check:
  - Pages with a password field are more suspicious than those without
  - Check for HTTPS and valid certificate
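As an added example (not SpoofGuard's own code), the stateless URL and link checks of slides 12 to 14 in Python: the known-site list, the heuristic weights and the stoplight thresholds are assumptions, and the reverse-DNS step is omitted so the block runs offline.

```python
import difflib
import ipaddress
from urllib.parse import urlsplit

# Constructed list standing in for SpoofGuard's "well known sites".
KNOWN_SITES = ["ebay.com", "paypal.com", "citibank.com"]
# Constructed weights for the weighted-sum spoof index; the plug-in's own weights are not on the slides.
WEIGHTS = {"userinfo_in_url": 0.5, "ip_address_host": 0.4, "similar_to_known_site": 0.6}

def similar_known_site(host):
    """Well-known site this host imitates (ebay-fixit.com, ebau.com), or None."""
    domain = ".".join(host.lower().split(".")[-2:])   # crude registrable domain
    label = domain.split(".")[0]
    for site in KNOWN_SITES:
        if domain == site:
            return None                                 # the genuine site itself
        brand = site.split(".")[0]
        if brand in label or difflib.SequenceMatcher(None, label, brand).ratio() >= 0.75:
            return site
    return None

def url_check(url):
    """Names of the stateless URL heuristics that fire for one URL."""
    flags = []
    parsed = urlsplit(url)
    if parsed.username is not None:   # www.ebay.com@123.123.123.123: the real host is after the '@'
        flags.append("userinfo_in_url")
    host = parsed.hostname or ""
    try:
        ipaddress.ip_address(host)    # bare IP instead of host name (reverse DNS lookup skipped here)
        flags.append("ip_address_host")
    except ValueError:
        if similar_known_site(host):
            flags.append("similar_to_known_site")
    return flags

def spoof_index(url):
    """Weighted sum of the heuristics that fired, capped at 1.0."""
    return min(1.0, sum(WEIGHTS[f] for f in url_check(url)))

def stoplight(index):
    """Passive toolbar colour for a spoof index (thresholds constructed)."""
    return "red" if index >= 0.6 else "yellow" if index >= 0.3 else "green"

def link_check(links, fraction=0.5):
    """Link check: True if a significant fraction of a page's links fail the URL check."""
    failing = sum(1 for u in links if url_check(u))
    return bool(links) and failing / len(links) >= fraction
```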

Slide 15: Stateful Page Evaluation
- History Check:
  - Site is assumed OK if in user’s history file
  - Very important for reducing false alarm rate
- Domain Check: Is current domain “similar” to a domain in the history list?
- Email Check: Suspicious if page is referred by email link

Slide 16: POST Data Evaluation
- Intercepts and checks POST data
  - Keep hashed triples
  - If known user & password are sent to different domain, raise alert level
  - Exception for search engines
  - High alert: warn user and allow to cancel operation
- Diagram: User sends POST: user_name=ice&password=cream to a suspicious server
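The POST data evaluation of this slide as an added Python example, not the plug-in's own code: the form field names and the search-engine exception list are assumptions, and credentials are remembered only as keyed hashes under a per-install secret, so the stored triples do not reveal the passwords themselves.

```python
import hashlib
import hmac
import os

# Constructed exception list for the "search engines" case on the slide.
SEARCH_ENGINES = {"google.com", "yahoo.com"}
# Constructed: form field names the monitor treats as user name and password.
USER_FIELDS = {"user_name", "username", "login"}
PWD_FIELDS = {"password", "passwd", "pwd"}

class PostMonitor:
    """Stateful POST check: remembers hashed (user, pwd, domain) triples and raises an
    alert when a known user/password pair is posted to a different domain."""

    def __init__(self):
        self.key = os.urandom(32)   # per-install secret: stored hashes are not directly guessable
        self.known = {}             # (H(user), H(pwd)) -> set of domains it was sent to

    def _h(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _parse(body):
        """Split a form body into a dict; no URL-decoding, to keep the example self-contained."""
        fields = {}
        for kv in body.split("&"):
            k, _, v = kv.partition("=")
            fields[k] = v
        return fields

    def check(self, domain, body):
        """Return 'ok' or 'alert' for a POST of `body` to `domain`; records the triple when ok."""
        fields = self._parse(body)
        user = next((fields[k] for k in USER_FIELDS if k in fields), None)
        pwd = next((fields[k] for k in PWD_FIELDS if k in fields), None)
        if user is None or pwd is None:
            return "ok"                      # nothing credential-like in this POST
        domain = domain.lower()
        domains = self.known.setdefault((self._h(user), self._h(pwd)), set())
        if domains and domain not in domains and domain not in SEARCH_ENGINES:
            return "alert"                   # known credentials leaving for a new domain
        domains.add(domain)
        return "ok"
```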

Slide 17: SpoofGuard User Interface
- SpoofGuard is added to IE tool bar
  - Traffic light: reports green, yellow, red alert level
  - Pop-up as method of last resort

Slide 18: Evaluation of SpoofGuard
- Detect sample spoofs: tested on 12 spoofs from SF ECTF
- Acceptable false alarm rate
  - Used ourselves for several weeks
  - Can get false alarms on first visit to site
    - SpoofGuard learns which sites you trust
    - Does not pop up on subsequent visits
- Negligible performance impact
- But: Clever phisher can defeat most tests

Slide 19: PwdHash: Improved Pwd Mgmt (http://crypto.stanford.edu/PwdHash)

Slide 20: The common pwd problem
- Web users use the same username/password at many sites.
  - Users use their banking pwd at low security sites.
- The problem: break-in to low security site reveals banking username/passwords.
- Ideal solution: strong auth. protocols (SecurID/PKI)
  - Unlike pwd, requires HW or has limited mobility.

Slide 21: A Simple Solution
- Browser plug-in that converts a user’s pwd into a unique pwd per site.
  1. Locate all pwd HTML elements on page:
  2. Whenever focus leaves a password field, replace contents of field with HMAC_pwd(domain-name)
  3. Password hash is sent to web site instead of pwd.
- (Some) protection against phishing: spoof site only sees hash of user’s pwd.

Slide 22: Pwd Hashing – an old idea
- Hash pwd with realm provided by remote site:
  - HTTP 1.1 Digest Authentication
  - Kerberos 5
- Hash pwd with network service name:
  - Gabber, Gibbons, Matyas, Mayer [FC ’96]. Proxy.
  - Abadi, Bharat, Marais [PTO ’97]
- Challenge: implementing in a modern browser.

Slide 23: Plug-in Challenges
- Pwd reset after plug-in install
- Javascript attacks
- What salt to use in hash?
- How to encode resulting hash?
- When to compute hash?
- Internet Café
- Dictionary attacks
- Design goal: transparent to user.

Slide 24: Problem 1: pwd reset
- After install, requires users to reset their pwds.
- On pwd reset page, plug-in must not hash old pwd.
  - Plug-in identifies pwd reset page as having three pwd fields.
  - Plug-in does not hash first pwd field (turns blue).
  - Plug-in remembers to hash all pwd fields on future invocations of this reset page.
- To disable/toggle hashing: double-click in pwd field.
- Problem: phishers could create a spoof pwd reset page and obtain pwds in the clear.
  - Plug-in warns user when it sends pwd un-hashed.

Slide 25: Problem 2: Internet Cafés
- Users cannot install plug-in at Internet Cafés.
  - We provide a web site for remote hashing: http://crypto.stanford.edu/PwdHash/
- Hash computed in Javascript. Resulting hash copied into clipboard.

Slide 26: Problem 3: Javascript attacks
- Malicious site can create Javascript to steal user’s unhashed password.
  - Record all key-strokes sent to page
  - Change target-domain-name on submit
  - Mask regular text field as a password field
    - Even worse: as each keystroke is typed into field, send to evil site. (?)

Slide 27: Javascript attacks (cont.)
- Defense 1: Keyboard intercept.
  - System traps all keyboard events to window.
  - If keystroke intended for pwd field, replace with ‘%’; browser never sees pwd.
  - On ‘BeforeNavigate2’ event, replace ‘%%’ in POST data with hashed pwd.
- Defense 2: key-stream monitor.
  - System records all passwords user types (hashed).
  - System traps all keyboard events to window.
  - If key-stream ever contains a pwd not in pwd field, alert user.

Slide 28: Problem 4: what salt to use?
- For a few sites, domain of pwd reset page ≠ domain of pwd use page
  - passport reset page = services.passport.net
  - passport use page = login.passport.net
  - ⇒ Incorrect pwd-hash is registered at site.
- ⇒ Config file tells plug-in what salt to use and how to encode hash:

Slide 29: Problem 5: Dictionary attacks
- Main point: low security site never sees user’s pwd.
- Dictionary attacks: After phishing or break-in to low security site, attacker obtains pwd hashes.
  - Attacker can attempt dictionary attack on hashes.
  - Succeeds on ≈ 15% of pwds (unlike 100% today)
  - Fundamental limitation of pwd authentication: unavoidable when user’s key is low-entropy.
- Defense: plug-in enables user to specify a global plug-in pwd used to strengthen all pwd hashes.
  - Defense against dict. attacks for savvy users.
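The PwdHash mechanism of slides 21, 24, 27, 28 and 29 (per-site HMAC, the reset-page rule, the ‘%%’ placeholder swap on navigate, the salt config and the global plug-in pwd) as one added Python example. This is illustrative code, not the PwdHash plug-in's own; the config entries, the way the global pwd is folded into the key and the 16-character hash encoding are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for the plug-in's config file (slide 28): hosts whose pwd-reset page
# lives on a different host than the pwd-use page are mapped to one shared salt.
SALT_CONFIG = {"services.passport.net": "passport.net", "login.passport.net": "passport.net"}
PLACEHOLDER = "%%"   # what the keyboard intercept leaves in the pwd field (slide 27)

def salt_for(url):
    """Salt to hash with: config override if present, else the site's registrable domain."""
    host = (urlsplit(url).hostname or "").lower()
    return SALT_CONFIG.get(host, ".".join(host.split(".")[-2:]))

def hash_password(pwd, salt, global_pwd=""):
    """Per-site password = HMAC keyed with the user's pwd over the domain salt (slide 21).
    The optional global plug-in pwd (slide 29) is folded into the key (our choice). The
    16-character URL-safe base64 encoding is also our choice, not PwdHash's own encoding."""
    key = (global_pwd + ":" + pwd).encode()
    mac = hmac.new(key, salt.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:16]

def rewrite_post(url, body, pwd, global_pwd=""):
    """On the navigate event, replace each '%%' placeholder with the hash for the target site.
    The URL-safe alphabet means the rebuilt body needs no further escaping."""
    hashed = hash_password(pwd, salt_for(url), global_pwd)
    out = []
    for kv in body.split("&"):
        k, sep, v = kv.partition("=")
        out.append(k + sep + (hashed if v == PLACEHOLDER else v))
    return "&".join(out)

def fields_to_hash(pwd_field_count):
    """Slide 24: a page with three pwd fields is treated as a reset page, and the first
    (old password) field is left unhashed so the site can still verify it."""
    if pwd_field_count == 3:
        return [False, True, True]
    return [True] * pwd_field_count
```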

Slide 30: Alternative designs
- Better security against Javascript attacks: modify pwd UI:
  1. User hits Ctrl-P in password field.
  2. Plug-in displays password dialog box.
  3. User enters password into dialog box.
  - Plug-in embeds hashed pwd directly into outgoing POST data (BeforeNavigate2 event).
  - Javascript on page can’t see pwd and cannot spoof dialog box.
  - Downside: confusing to users.
- Better salt for pwd: get salt from SSL certificate.
  - Not possible with current plug-in support in IE. Microsoft could do this …

Slide 31: Try it out!
- Plug-ins continue to evolve and improve:
  - Easier deployment and use.
  - Proxy-based solutions (not browser plug-ins)
  - Strengthen spoof page identification.
  - Deployment through Mozilla and billeo.
- http://crypto.stanford.edu/SpoofGuard

Slide 32: crypto.stanford.edu/SpoofGuard

