The Battle Against Phishing: Dynamic Security Skins Rachna Dhamija and J.D. Tygar U.C. Berkeley.

Security Properties for Usability
1. Limited human skills property
2. Unmotivated users property
3. General purpose graphics property
4. Golden arches property
5. Barn door property


Limited Human Skills Property
- Limited password recall
- Hard to parse domain names

Security Properties for Usability
1. Limited human skills property
2. Unmotivated users property
   - Security is often the secondary goal
3. General purpose graphics property
4. Golden arches property
5. Barn door property

Users Don’t Check Certificates


Firefox Browser: 4 SSL indicators

Firefox browser - No insecure indicators

Security Properties for Usability
1. Limited human skills property
2. Unmotivated users property
3. General purpose graphics property
4. Golden arches property
   - Train users not to automatically trust a logo or brand
5. Barn door property

The golden arches property


Strong Password Protocols
- Stanford Web PwdHash
- Password Authenticated Key Agreement: EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc.
[Diagram: Password -> H(password, siteID) -> Password Protocol]

Password Authenticated Key Agreement
Advantages:
- Preserves familiar use of passwords
  - User doesn't need a trusted device
  - Secret is stored in the memory of the user
- Server doesn't store the password
- No passwords sent over the network
- User authentication (and mutual authentication)
But how to enter the password?
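As an added example (not from the slides or the authors' DSS extension), the exchange below condenses SRP, one of the protocols listed above, to make the advantages concrete: the server enrolls only a verifier, the login sends nothing but group elements and key-confirmation hashes, and each side accepts only after the other proves it holds the same session key. Assumed details: SHA-256 as the hash, the RFC 5054 1024-bit group, and simplified key-confirmation messages M1/M2.

```python
import hashlib, os
# Condensed SRP-6a (Secure Remote Password; RFC 5054 parameters): the server stores
# only a verifier, the password never leaves the client, and both sides prove they
# hold the same session key. Group: RFC 5054 Appendix A 1024-bit prime, generator 2.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
        "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
        "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
        "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts):
    """SHA-256 over ints (as 128-byte big-endian) and strings (UTF-8), concatenated."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(128, "big") if isinstance(p, int) else p.encode())
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(username, password):      # registration: server keeps (salt, v), not the password
    salt = os.urandom(16).hex()
    x = H(salt, H(username, ":", password))
    return salt, pow(g, x, N)

def client_finish(username, password, salt, a, A, B):   # client -> server: M1
    if B % N == 0:
        raise ValueError("B is zero mod N")             # RFC 5054 abort rule
    x = H(salt, H(username, ":", password))
    u = H(A, B)
    K = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    return K, H(A, B, K)

def server_finish(v, A, b, B, M1):                      # server -> client: M2
    if A % N == 0:
        raise ValueError("A is zero mod N")
    u = H(A, B)
    K = H(pow(A * pow(v, u, N) % N, b, N))
    if H(A, B, K) != M1:                                # wrong password: no key, no M2
        return None, None
    return K, H(A, M1, K)

def run(username, typed, salt, v):
    """One login attempt; returns (server accepted client, client accepted server)."""
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(g, a, N)                                    # client -> server: username, A
    b = int.from_bytes(os.urandom(32), "big")
    B = (k * v + pow(g, b, N)) % N                      # server -> client: salt, B
    Kc, M1 = client_finish(username, typed, salt, a, A, B)
    Ks, M2 = server_finish(v, A, b, B, M1)
    return Ks is not None, M2 == H(A, M1, Kc)
```

The only values that cross the wire are A, salt, B, M1 and M2; a wrong password leaves the server with no key and the client with no M2 to check.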

Our Solution: Usability Goals
- User must be able to verify the password prompt before entering the password
- Rely on human skills
  - To log in, recognize 1 image and recall 1 password
  - To verify the server, compare 2 images
- Hard to spoof security indicators

Trusted Password Window
- Dedicated window
- Trusted path via customization
- Random photo assigned or chosen
- Image stored in the browser; it does not have to go through the server
- Image overlaid across the window
- User recognizes the image first, then enters the password
- Password not sent to the server

Security Indicators
How can a user distinguish secure windows?
- Static indicators (SSL)
  - Can be spoofed
  - Users do not really examine them
- User-customized indicators (Passmark/Petnames)
  - Require extra effort from the user
- Automated customized indicators

Our Solution: Dynamic Security Skins
- Automatically customize secure windows
- Visual hashes
  - Random Art: visual hash algorithm
  - Generate a unique abstract image for each authentication
  - Use the image to "skin" windows or web content
  - Browser generated or server generated

Browser Generated Images
- Browser chooses a random number and generates the image
- Can be used to modify the border or web elements

Server Generated Images
- Server and browser independently generate the same image
- Server can customize its own page
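Added example, not the authors' code: a simplified Random Art-style visual hash, written to show that the browser-generated and server-generated cases above both reduce to one deterministic function from a secret to an image. The seed is whatever both sides hold (a random number the browser picked, or a key both derived in a password-authenticated exchange); the expression-tree construction is a simplified stand-in for Bauer's Random Art, and the PPM output, image size and tree depth are my choices.

```python
import math, random, hashlib

# Simplified Random Art-style visual hash (assumed design, modelled loosely on
# Bauer's Random Art): the seed drives a PRNG that builds a random expression
# tree over pixel coordinates (x, y) in [-1, 1], one tree per colour channel,
# which is then rendered. Same seed -> same picture on any machine, so a browser
# and a server sharing a secret can each draw the skin without exchanging it.

def build(rng, depth):
    """Return f(x, y) -> value in [-1, 1]; structure and operators come from rng."""
    if depth == 0 or (depth < 4 and rng.random() < 0.3):
        return rng.choice([lambda x, y: x, lambda x, y: y])
    op = rng.randrange(4)
    a, b = build(rng, depth - 1), build(rng, depth - 1)
    if op == 0:
        return lambda x, y: math.sin(math.pi * a(x, y))
    if op == 1:
        return lambda x, y: math.cos(math.pi * a(x, y))
    if op == 2:
        return lambda x, y: (a(x, y) + b(x, y)) / 2
    return lambda x, y: a(x, y) * b(x, y)

def visual_hash(secret: bytes, size=48, depth=6) -> bytes:
    """Render the secret as a binary PPM (P6) image; deterministic in `secret`."""
    seed = int.from_bytes(hashlib.sha256(secret).digest(), "big")
    rng = random.Random(seed)
    channels = [build(rng, depth) for _ in range(3)]      # R, G, B trees
    out = bytearray(b"P6 %d %d 255\n" % (size, size))
    for j in range(size):
        y = 2 * j / (size - 1) - 1
        for i in range(size):
            x = 2 * i / (size - 1) - 1
            out.extend(int((f(x, y) + 1) * 127.5) for f in channels)
    return bytes(out)

def skins_match(browser_secret: bytes, server_secret: bytes) -> bool:
    """True only if both sides derived the same secret, and so the same skin."""
    return visual_hash(browser_secret) == visual_hash(server_secret)
```

Writing the returned bytes to a .ppm file shows the skin; a party that does not hold the secret can only produce an unrelated picture, which is what the user's image comparison is meant to catch.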

Conclusions
Benefits:
- Achieves mutual authentication
- Resistant to phishing and spoofing
- Relies on human skills
Weaknesses:
- Users must check images (easier than checking a cert)
- Local storage of the personal image reduces portability and requires security
- Doesn't address spyware or keyloggers

Status and Future Work
- Iterative design and "lo-fi" testing of the interface
- Formal user study
- DSS Mozilla extension

Customized Indicators: Petname Toolbar

Automated Indicators: Secure Random Dynamic Boundaries