1 CPSC156: The Internet Co-Evolution of Technology and Society Lecture 22: April 17, 2007 Browser-based Security and Privacy Tools.

Slides:



Advertisements
Similar presentations
SOCIAL WEB MEDIA privacy and data mining part 2 4/12/2010.
Advertisements

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
How the Internet Works Course Objectives Introduce the various web browsers Introduce some new terms Explain the basic Internet to PC hookup  ISP  Wired.
Users Are Not Dependable How to make security indicators that protect them better Min Wu, Simson Garfinkel, Robert Miller MIT Computer Science and Artificial.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Internet Phishing Not the kind of Fishing you are used to.
Chapter 7: The Web and 1 The Web and Chapter 7.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
Online Security Tuesday April 8, 2003 Maxence Crossley.
Stronger Password Authentication Using Browser Extensions Blake Ross, Collin Jackson, Nick Miyake, Dan Boneh, John Mitchell Stanford University
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
URL Obscuring COEN 152/252 Computer Forensics  Thomas Schwarz, S.J
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
FIRST COURSE Computer Concepts Internet and Microsoft Office Get to Know Your Computer.
The Internet & The World Wide Web Notes
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen
With Internet Explorer 9 Getting Started© 2013 Pearson Education, Inc. Publishing as Prentice Hall1 Exploring the World Wide Web with Internet Explorer.
The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.
IT 210 The Internet & World Wide Web introduction.
Computer Concepts 2014 Chapter 7 The Web and .
GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.
Prevent Cross-Site Scripting (XSS) attack
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
WEB SPOOFING by Miguel and Ngan. Content Web Spoofing Demo What is Web Spoofing How the attack works Different types of web spoofing How to spot a spoofed.
2013Dr. Ali Rodan 1 Handout 1 Fundamentals of the Internet.
Staying Safe Online Keep your Information Secure.
Chapter 6 The World Wide Web. Web Pages Each page is an interactive multimedia publication It can include: text, graphics, music and videos Pages are.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
XHTML Introductory1 Linking and Publishing Basic Web Pages Chapter 3.
5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.
Parent Guide for staying connected. To Begin using Skyward Family Access you will need:  A computer connected to the internet  A web browser (Windows.
Chapter 1: The Internet and the WWW CIS 275—Web Application Development for Business I.
The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Protecting Students on the School Computer Network Enfield High School.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
What is risk online operation:  massive movement of operation to the internet has attracted hackers who try to interrupt such operation daily.  To unauthorized.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
How the Web Works Building a Website – Lesson 1. How People Access the Web Browsers People access websites using software called a web browser. To view.
Saphe surfing! 1 SAPHE Secure Anti-Phishing Environment Presented by Uri Sternfeld.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Web Design and Development. World Wide Web  World Wide Web (WWW or W3), collection of globally distributed text and multimedia documents and files 
Phishing & Pharming. 2 Oct to July 2005 APWG.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
Web Browsing *TAKE NOTES*. Millions of people browse the Web every day for research, shopping, job duties and entertainment. Installing a web browser.
LESSON 5-2 Protecting Your Computer Lesson Contents Protecting Your Computer Best Practices for Securing Online and Network Transactions Measures for Securing.
Any criminal action perpetrated primarily through the use of a computer.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Computer Security Keeping you and your computer safe in the digital world.
Windows Vista Configuration MCTS : Internet Explorer 7.0.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
ISYM 540 Current Topics in Information System Management
Conveying Trust Serge Egelman.
Cross-Site Request Forgeries: Exploitation and Prevention
Computer Security.
Cross Site Request Forgery (CSRF)
Presentation transcript:

1 CPSC156: The Internet Co-Evolution of Technology and Society Lecture 22: April 17, 2007 Browser-based Security and Privacy Tools

2 Privacy and Security Problems Phishing – Spam directs users to spoofed websites – Malicious programs/websites steal info Passwords – Same password used at multiple websites Transaction Generators – “Hijack” user's session with a website

3 Stanford Anti-Phishing Projects SpoofGuard – Notify user about spoofed websites PwdHash – Transparently manage website-specific passwords SafeCache/SafeHistory – Prevent website from learning your prior behavior SpyBlock – Prevent unauthorized transactions

4 Spoofed Websites Why create them? – Steal private info (passwords, SSN, etc.) Users directed to fake websites – Easy to create website – Easy to imitate authentic websites Users typically enticed via spam – Easy to craft believable – Easy to distribute widely Examples:

5 Traditional Indications Indications – Suspicious URLs For example: Requires user to read URL in address bar – Non-HTTPS URL Most authentic websites requiring senstive information use HTTPS Most spoofed websites don't use HTTPS Requires user to read URL in address bar or notice the “lock” icon Problems – Users don't read carefully – Users don't understand what they see

6 SpoofGuard: Overview Goal: Automate detection of spoofs – Don't rely on reactive measures (e.g., blacklists) ‏ Idea: Score each page visited – Score correlated with believe that webpage is a spoof Notify user of scoring results – Low suspicion: traffic light – High suspicion: force user to acknowledge popup Availability: Internet Explorer plugin

7 SpoofGuard: Scoring Criteria URLs and Links – Does the URL have a suspicious pattern? Images – Keep database of images and their domains – Are a page's images similar to ones from a different domain? Passwords – If page asks for a password, does it use HTTPS and have valid certificate? Referring Address – Was user referred from an message (e.g., Hotmail)? Post Data – Store (hash of) posted data and domain – Is posted data same as data previously posted to a different domain?

8 SpoofGuard: Notification Traffic light in toolbar – Indicates score assigned to the page Popup notification – Forces user confirmation – Popup on any detected spoof; or – Popup only when user submits information Intercepts form submission Spoofs usually harmless when only viewing

9 The Same-Origin Principle Began with Netscape Navigator 2.0 – “prevents document[s] or script[s] loaded from one origin from getting or setting properties of a document from a different origin.“ Why? – Information provided to/from a website should not be directly available to another website unless user explicitly provides it Applied to cookies (we've seen this before)

10 Types of Tracking Single-session / Multiple-session – Normal web features (e.g., via special URLs, cookies) ‏ Cooperative tracking – 3rd-party cookies, JavaScript, tags Semi-cooperative tracking – Post link to external image on a forum Non-cooperative tracking – What can one learn without explicitly adding content to another site? We'll see...

11 SafeHistory and SafeCache

12 Content and DNS Caches Why store recently-used information? – Load pages faster, save bandwidth Timing attacks – Content cache 1)User visits 2)User visits which measures how long it takes to load eBay logowww.phishingsite.com – DNS cache 1)User visits 2)User visits which measures how long it takes to lookup IP address for

13 Loading From the Cache Assume contains this HTML: Two different players – Embedding site (mysite.com) The “carrier” for the image – Hosting site (microsoft.com) Location in the network of the image being displayed

14 SafeCache: Overview Cached content is associated with embedding site Whats the difference? – Normally: Request for same hosted content is loaded from cache regardless of embedding site. – With SafeCache: Request for hosted content is loaded from cache only if same embedding site previously cached it. Availability: Mozilla Firefox add-on

15 Visited Links Browser stores history of visited pages Visited links and unvisited links differentiated – Usually by color – Convenience to user But... – Font color can be read by page itself JavaScript and Cascading Style Sheets – Phishing page can determine which websites the user has previously visited

16 SafeHistory: Overview Only two hosts can know if a page is visited – Host of the referrer – Host of the page itself Why only these two hosts? – Referrer could learn this information anyways (it can craft special hyperlinks) – The host of the page itself knows anyways (it can check its server logs) Availability: Mozilla Firefox add-on

17 Password Security Basic Problems – Many passwords easy to guess Based on common words Based on easily discoverable information (e.g., pet name, last name, etc.) Traditional recommendation: use “random” combination of letters and numbers (hard to remember!) – Same password used at multiple websites Stealing password from weakly-secured website gives access to account at highly-secured website Traditional recommendation: use different password at each website (also hard to remember!)

18 Some Other Solutions Password list managers – Store usernames/passwords for each site – Cons: lack of portability, must consult list each time Limited-time Passwords – Example: RSA SecurID Code on device changes every 60 seconds User's password is combination of master password and code displayed on device Cons: must carry device, typically only for single domain

19 PwdHash: Overview Let user remember a single “master” password Transparently convert password into site-specific password As a bonus, provides protection from common phishing attacks! Availability: Mozilla Firefox add-on

20 PwdHash: How It Works 1)Find all password fields on a page  2)User enters before typing password  Signals browser to begin capturing password 3)Browser captures the user password and computes hash: HMAC pwd (domain-name) 4)Hash is stored in password field and submitted to website in place of master password

21 PwdHash: Other Features Protection against common phishing attacks – Domain name is part of hash generation – Example: HMAC ”password” (bankofamerica.com) = “y8JSLKDPFO” HMAC ”password” (bankofamericas.com) = “pDVn5u7UYO” Usable when roaming – – Generates hash within the browser (via JavaScript) – Neither master password nor generated password are ever communicated over network

22 PwdHash: Why the Consider the straightforward approach – Translate passwords when user leaves form field – Use domain name from target of the form But... webpages can execute code (JavaScript) – Monitor keyboard – Change form target before it is submitted Before submission: After submission:

23 PwdHash: Limitations Runs inside browser – No protection against DNS attacks – No protection against spyware – Limited protection for Flash

24 Is Password Security Enough? Consider this scenario 1)User logs into 2)Interacts with website as usual, possibly bidding on items and making purchases But... – Malicious software can send messages over authenticated session – These are called transaction generators (TGs)

25 How TGs Work 1)User logs into website with username and password 2)Website issues “session cookie” which is sent by the user with subsequent messages 3)TG can access this session cookie 4)TG initiates its own transactions using the session cookie TG never needs to know the user's password!

26 SpyBlock: Overview Browser and all applications run within virtual machine (VM) User confirms transactions in trusted environment Availability: Mozilla Firefox add-on under Windows Vista

27 SpyBlock: The Pieces Virtual Machine – Essentially, an operating system running within another operating system Authentication Agent – Runs outside virtual machine, not alongside browser and other applications – Prompts user to confirm transactions Browser Helper – Allows browser to initiate transaction confirmation – Cannot confirm transactions itself

28 SpyBlock: Confirmation 1)Website requests confirmation (request accompanied with transaction details) 2)Browser helper passes transaction details to authentication helper 3)Authentication agent and website have shared key K (or they generate one if necessary) 4)Authentication agent computes hash: T = HMAC K (transaction details) 5)Authentication agent passes T to browser helper, which submits it to the website 6)Website can compute HMAC K (transaction details) itself and verify against T

29 SpyBlock: Downsides Website must support SpyBlock transaction confirmations Though available for free, most people don't run virtual machines Security may be compromised as soon as user runs a single untrusted application outside virtual machine

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.