Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~

Slides:



Advertisements
Similar presentations
Yahoo! OpenID and OAuth 1 Allen Tom Yahoo! Membership Architect OpenID Foundation Board
Advertisements

11/2/2013 2:02:38 AM 5864_ER_FED 1 Importing Certificates into Lotus Notes R6.
Unified Communications Bill Palmer ADNET Technologies, Inc.
Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.
1 Eloqua Providing Industry-Leading Management Tools May 2009.
Eloqua Providing Industry-Leading Management Tools.
1 An Update on Multihoming in IPv6 Report on IETF Activity IPv6 Technical SIG 1 Sept 2004 APNIC18, Nadi, Fiji Geoff Huston.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
1 Network-Level Spam Detection Nick Feamster Georgia Tech.
Cyber Defence Data Exchange and Collaboration Infrastructure (CDXI)
© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
0 - 0.
B-CERB complete protection against phishing copyright 2008 by Wheel.
Introduction Lesson 1 Microsoft Office 2010 and the Internet
Proposal for a Pilot Project: Using DKIM to Create a Trust Channel Dave Crocker Brandenburg InternetWorking bbiw.net Dave Crocker Brandenburg InternetWorking.
Why Eve & Mallory Love Android
1 Mailing list software in the war against spam May 2005 Serge Aumont serge.aumont cru.fr.
Location Based Services and Privacy Issues
© 2012 Eloqua, Inc. Confidential 1 Deliverability and IP Warming Overview and Implementation Using Eloqua.
Addition 1’s to 20.
Week 1.
- 1 - Defense Security Service Background: During the Fall of 2012 Defense Security Service will be integrating ISFD with the Identity Management (IdM)
Paul Vanbosterhaut Managing Director, Vircom Europe January 2007 ModusGate™ 4.4 Smart Assurance Gateway Not Just Warmed-over Open Source Technology…
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
How Will Authentication Reduce Global Spam? OECD Anti-Spam Task Force Pusan – September, 2004 Dave Crocker Brandenburg InternetWorking OECD Anti-Spam Task.
© 2007 Convio, Inc. Implementation of Sender ID Bill Pease, Chief Scientist Convio.
1 Aug. 3 rd, 2007Conference on and Anti-Spam (CEAS’07) Slicing Spam with Occam’s Razor Chris Fleizach, Geoffrey M. Voelker, Stefan Savage University.
DomainKeys Identified Mail (DKIM): Introduction and Overview Eric Allman Chief Science Officer Sendmail, Inc.
Novell iChain ® 2.x Configuration Using the Web Server Accelerator Wizard Cary Andrews Senior Software Engineer Novell, Inc.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
Best Internet Permission Marketing is the way to make advertising work again!
Belnet Antispam Pro A practical example Belnet – Aris Adamantiadis BNC – 24 November 2011.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Norman SecureSurf Protect your users when surfing the Internet.
SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
Pilot project proposal: AffiL Affiliated domain names for trust Dave Crocker Brandenburg InternetWorking bbiw.net
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
1 The Business Case for DomainKeys Identified Mail.
PHISHING AND SPAM INTRODUCTION There’s a good chance that in the past week you have received at least one that pretends to be from your bank,
Taking Common Action Against Spam Internet Society of China Beijing – 2004 Dave Crocker Brandenburg InternetWorking
Wireless and Security CSCI 5857: Encoding and Encryption.
DNS-based Message-Transit Authentication Techniques D. Crocker Brandenburg InternetWorking D. Crocker Brandenburg InternetWorking.
A Trust Overlay for Operations: DKIM and Beyond Dave Crocker Brandenburg Internet Working bbiw.net Apricot / Perth 2006 Dave Crocker Brandenburg.
1 Dr. David MacQuigg, President Open-mail.org Stopping Abuse – An Engineer’s Perspective University of Arizona ECE 596c August 2006.
Technology Considerations for Spam Control 3 rd AP Net Abuse Workshop Busan Dave Crocker Brandenburg InternetWorking
A Retrospective on Future Anti-Spam Standards Internet Society of China Beijing – September, 2004 Dave Crocker Brandenburg InternetWorking
Marketing Amanda Freeman. Design Guidelines Set your width to pixels Avoid too many tables Flash, JavaScript, ActiveX and movies will not.
RUCUS - IETF 71 1 Lessons Learned From IETF Antispam Work Jim Fenton.
Preserve and Enhance: Balancing Goals for the Internet APRICOT Kuala Lumpur – 2004 Dave Crocker Brandenburg InternetWorking APRICOT Kuala Lumpur – 2004.
© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 ICT and E-Business Strategies For Development Geneva, October.
Copyright ©2015 WatchGuard Technologies, Inc. All Rights Reserved WatchGuard Training WatchGuard XCS What’s New in version 10.1.
Spam. Is spam a problem? Bandwidth hogging -> slower, costlier Discourages use of net ( , e-commerce) Productivity -> loss of time and money Receiver.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Proposal for DKIM Pilot Project: Making Authentication Useful Dave Crocker Brandenburg InternetWorking Dave Crocker Brandenburg InternetWorking.
CERN - IT Department CH-1211 Genève 23 Switzerland t OIS Update on the anti spam system at CERN Pawel Grzywaczewski, CERN IT/OIS HEPIX fall.
THE LARGEST NAME SERVICE ACTING AS A PHONE BOOK FOR THE INTERNET The Domain Name System click here to next page 1.
Spoofing The False Digital Identity. What is Spoofing?  Spoofing is the action of making something look like something that it is not in order to gain.
Stop Those Prying Eyes Getting to Your Data
Other DKIM-Related Drafts
CS 465 Secure Last Updated: Nov 30, 2017.
By Ian Foster, Jon Larson, Max Masich, Alex C
Distributed Peer-to-peer Name Resolution
1/16/2019 4:44 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
How We Fight Against Scam
Cybersecurity Simplified: Phishing
Presentation transcript:

Fighting Abuse with Trust: Enhancing the paradigm Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~ 2 Feb 12 Dave Crocker Trusted Domain Project (trusteddomain.org) Brandenburg InternetWorking (bbiw.net) FCC ~ 2 Feb 12

2 2 Abuse and TrustFCC / 2 Feb 12 Internet Abuse Advertising (spam) – Aggressive, legimitate companies – Deceptive, criminal-like organizations Fraud – Phishing – Illegal purchases Destruction (DDOS) – Extortion – Anger Well-organized – Extensive, hierarchical underground economy – Trans-national "The Net is too Open" – Or, "an error in Internet design is a failure to authenticate users" – Just like the real world... Abuse is a social problem – Social problems are not amenable to technical solutions

3 3 Abuse and TrustFCC / 2 Feb 12 It's Persistent and Spreading 20 years of: Look for bad actors, using IP Address of neighbor Looking for bad content Progress? Excellent filtering engines protect receivers No significant change across open Internet Victories are ephemeral This is an arms race and the enemy is well-funded, bright and aggressive Abuse will end on the Internet when it ends on the streets... Web IM Blogs VOIP mobile…

4 4 Abuse and TrustFCC / 2 Feb 12 Mistrust vs. Trust MistrustMistrust Receiver is on their own: Forced to make guesses Sender/Receiver collaboration TrustTrust MistrustMistrust

5 5 Abuse and TrustFCC / 2 Feb 12 Different and Complementary Mistrust Sender actively trying to trick receiver Content is usually spoofed Heuristics (Bayes, Blacklists, etc.) to distinguish valid from spoofed … Look for content to reject Trust Sender is collaborating, at least for identifier With valid identifier can be an assessment (reputation) not confused by noise of bad actors DKIM, SPF, DMARC, Whitelists, DNSSec, DANE, Repute, OpenDKIM … Look for content to accept

6 6 Abuse and TrustFCC / 2 Feb 12 Trust is Becoming Fashionable This week's announcement of DMARC: Google, Microsoft, PayPal, Facebook and other big names have announced a new anti-spam and phishing project, [that] will use 'a feedback loop between legitimate senders and receivers to make impersonation more difficult' -- Slashgear 30jan12 Forthcoming Book: Liars and Outliers: Enabling the Trust that Society Needs to Thrive, Bruce Schneier

7 7 Abuse and TrustFCC / 2 Feb 12 Roles & Responsibilities, Tussles & Trust Actors People, organizations and processes that are responsible for sets of actions Examples: Author, Recipient, Mailing list, Operator Administrative [Management] Domains (ADMD) Components organized under an integrated span of control, with common, internal trust Example: Within organization, versus between

8 8 Abuse and TrustFCC / 2 Feb 12 A Negotiation View of Send/Receive or Pub/Sub Sending Operator Receiving Operator AuthorRecipient Publish Assurance ProtectUser

9 9 Abuse and TrustFCC / 2 Feb 12 Trust Begins with Authenticated Names Domain Name Organizational boundary Organizational boundary, not network topology More stable and reliable than IP Address Easier to manage than personal identifiers Sub-domain names permit added flexibility Personal name Necessary only when the trust is independent of a larger organization

10 Abuse and TrustFCC / 2 Feb 12 Identifying Content Streams Multiple types of content Corporate Transactions (purchase order, order confirmation...) Proposals Marketing mass mailings Customer Support Label them with subdomains sales.bbiw.net newsletter.bbiw.net personal.bbiw.net Allow different reputations to develop

11 Abuse and TrustFCC / 2 Feb 12 Warning: Naming is Confusing (Even From: Field is Complex) Dave Crocker "Display Name" never validated! Mailbox controlled by ADMD System or Organization (ADMD) Users only see the Display Name... Trust mechanisms are (mostly) for operators, not users! Human factors issues make end-users poor enforcers of security Saying that better security requires better user training is dereliction of duty...

12 Abuse and TrustFCC / 2 Feb 12 Naming and Other Applications Some are like – IM, VOIP Some have no visible naming (Web) – But the structure of data permits adding attributes – So add one with a name Popular Web security – TLS s – TLS (https) channel object – Protects channel, not "object" – Really only privacy and a bit of server Active IETF efforts – SPF, DKIM – SPF, DKIM for mail – DANE – DANE for better channel (TLS) certification – Websec – Websec for better Web content (object) certification – OAuth – OAuth for Web authorization (login) – Repute – Repute to query reputation information – draft-dispatch-ono: – draft-dispatch-ono: Referencing and Validating User Attributes

13 Abuse and TrustFCC / 2 Feb 12 An Amateur's View of Security Ambiguous uses of terminology Security, authentication, validation, certification, privacy Very high barriers to entry Administration, operations, end-user usability For example: certificates... Authentication/Validation of... Actor – author vs. recipient vs. handler Content validity – content is truthful vs. accurate vs....? Compare precision and implications: XML Signatures provide integrity, message authentication, and/or signer authentication DKIM... permit[s] verification of the source and message contents DKIM permits a person, role, or organization to claim some responsibility for a message

14 Abuse and TrustFCC / 2 Feb 12 Trust Service Architecture AssessmentDatabase IdentifierValidatorIdentifierValidator Identifier Signer IdentityAssessorIdentityAssessor HandlingFilter ResponsibleIdentity RecipientRecipient Author TrustService DKIM Problem Reports (ARF) Auth-Results

15 Abuse and TrustFCC / 2 Feb 12 Authentication as a Part of… Identity Who does this purport to be? (IP Address or Domain Name) Authentication Is it really them? Authorization What are they allowed to do? Assessment (Reputation) What do I think of the agency giving them that permission? (eg, History or Accreditation) Scope of DKIM Certification Link identifier to identity

16 Abuse and TrustFCC / 2 Feb 12 Assessment History (statistical reputation) Past performance is indicator of future behavior But what if there is no history (eg, new name)? Affiliation (objective information) Membership in recognized group is a good sign eg, fcc.gov, "member FDIC", 501(3)(c) Vouching/Reputation service (opinion) Trust those who you trust say are trustworthy...

17 Abuse and TrustFCC / 2 Feb 12 Challenges Complexity and usability Additional layer of service and operations Requires excellent quality control Subjet to social engineering Funding Standalone reputation services have failed Reduced functionality Every packet is patted down when crossing administrative domain boundary? Functional fixedness bad Trust mechanisms primarily being considered for finding bad actors!

18 Abuse and TrustFCC / 2 Feb 12 Thank you...

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.