
Messaging Anti-Abuse Working Group MAAWG | maawg.org | San Francisco, CA 2011 WHY WE MUST ASK WHY Markus Jakobsson, Principal Scientist, PayPal Keynote,


1 Messaging Anti-Abuse Working Group MAAWG | maawg.org | San Francisco, CA 2011. WHY WE MUST ASK WHY. Markus Jakobsson, Principal Scientist, PayPal. Keynote, June 7, 2011, MAAWG 22nd General Meeting, San Francisco, CA.

2 Why Did the Internet Turn out as it Did? We first designed it to provide features, then for usability. We never designed it with abuse in mind. We did not try to predict the future. And now we are in a pickle.

3 Predicting An Unsupervised Future “Predicting the future is much too easy, anyway. You look at the people around you, the street you stand on, the visible air you breathe, and predict more of the same. To hell with more. I want better.” Ray Bradbury

4 To Hell With More. I Want Better. The talk's three problem areas and their guiding questions: Who? Weak authentication. Where? Spoofing. What? Malware. Why? Before we can address any problem, we need to know why it occurs. Talk focus: the mobile Internet. It will be huge, and we can ask "why" before it is too late.

5 Web/App Spoofing: Why Does It Work? (Where?) An attacker is successful if 1. the victim is tricked, and as a result 2. the victim acts, benefitting the attacker. Jakobsson/Leddy: www.spoofkiller.com

6 Web/App Spoofing: Why Does It Work? (Where?) An attacker is successful if 1. the victim is tricked, and as a result 2. the victim acts, benefitting the attacker. Traditional countermeasures (locks, colors, warnings) address the first condition: they try to keep the victim from being tricked, which is a user communication problem.

7 Web/App Spoofing: Why Does It Work? (Where?) An attacker is successful if 1. the victim is tricked, and as a result 2. the victim acts, benefitting the attacker. Can we address the second condition instead, so that the victim's action does not benefit the attacker?

8 Imagine a World Where… (Where?) GOOD SITE + NAÏVE USER = SUCCESS. SPOOF SITE + NAÏVE USER (SAME ACTION) = ABORT.

9 Here is How to Do It! (Where?) Decision flow: Got cert? Y → LOG IN NOW. N → ABORT.

10 We are all Pavlov's dogs! (Where?)

11 Demo time! (Where?) Demo produced by Hossein Siadaty.

12–13 (Demo slides; no transcript text.)

14 Take-Home Message (Where?) It is more important to understand people than to understand computers.

15 Now: Authentication (Who?) Jakobsson/Akavipat: www.fastword.me. People hate passwords, especially on handsets. Slow to enter … and then you realize you mistyped something! At the same time, recall rates are low for passwords … and reset is difficult / insecure / expensive. PINs are faster … but not very secure … and reuse is rampant.

16 Understanding usability issues (Who?) Q. Why are passwords more painful than text? A. Text uses auto-correction/completion!

17 Understanding recall issues (Who?) Q. Why are (good) passwords hard to recall? A. Good passwords are weird! (Ebbinghaus, 1885)

18 A stab at a solution (Who?) Auto-correct works (animation: a mistyped variant of "frog" is corrected to "frog"). Not so secure, you say? Approx. 64k words only.

19 A stab at a solution (Who?) Auto-correct works: the fastword "frog flat work".

20 A Look at Speed (Who?) (Chart; no transcript text.)

21 A Look at Security (Who?) (Chart comparing the average password with the average fastword.)

22 Forgot your fastword? Hint: "frog" (Who?) EFFECTIVE RECALL: 0.36 + (1 − 0.36) × 0.48 = 0.67, i.e. 67%.

23 Forgot your fastword? Hint: "frog" (Who?) (Chart comparing the average fastword with the average password.)
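The following is an added example, not the fastword.me code, modelling the scheme on slides 18–23: a fastword is a short sequence of dictionary words, so the auto-correction that makes text fast to type can be applied to it, and every word that survives correction is a dictionary member. The block also works the two numbers the slides quote. The ten-word dictionary, the edit-distance metric and the `max_distance` cut-off are assumptions; the slides only say the real dictionary has roughly 64k words. Slide 22 gives 0.36 + (1 − 0.36) × 0.48 = 0.67 without naming the terms; reading 0.36 as the unaided recall rate and 0.48 as the recall rate given the hint is my assumption.

```python
"""Toy model of the fastword idea (added example, not the project's own code):
auto-correct each typed word to a dictionary word, then compare with the
enrolled fastword; plus the search-space and effective-recall arithmetic."""
import math

# Constructed toy dictionary; the slides say the real one has approx. 64k words.
DICTIONARY = ["flag", "flat", "float", "fork", "frog", "from", "frost", "word", "work", "worm"]
DICTIONARY_SIZE = 64_000  # figure quoted on slide 18


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), used here as the auto-correct metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def autocorrect(token: str, dictionary=DICTIONARY, max_distance: int = 2):
    """Snap a mistyped token to the nearest dictionary word (ties broken alphabetically).
    Returns None when nothing is within max_distance, so garbage is not silently accepted."""
    best = min(dictionary, key=lambda w: (levenshtein(token, w), w))
    return best if levenshtein(token, best) <= max_distance else None


def normalize_fastword(typed: str):
    """Apply auto-correct word by word; None if any word cannot be corrected."""
    words = [autocorrect(t) for t in typed.lower().split()]
    return None if any(w is None for w in words) else " ".join(words)


def fastword_matches(typed: str, enrolled: str) -> bool:
    """Compare the corrected entry against the (likewise normalized) enrolled fastword."""
    return normalize_fastword(typed) == normalize_fastword(enrolled)


def fastword_entropy_bits(n_words: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """log2 of the search space when each word is drawn uniformly from the dictionary.
    User-chosen words are not uniform, so this is an upper bound for the real scheme."""
    return n_words * math.log2(dictionary_size)


def effective_recall(p_unaided: float, p_with_hint: float) -> float:
    """Slide 22's formula: users who recall unaided, plus those who fail
    unaided but recover once the hint (the first word) is shown."""
    return p_unaided + (1 - p_unaided) * p_with_hint


if __name__ == "__main__":
    print(normalize_fastword("frof flst wprk"))            # frog flat work
    print(fastword_matches("FROF flst wprk", "frog flat work"))
    print(round(fastword_entropy_bits(3), 1))               # 3 words over 64k: about 47.9 bits
    print(round(effective_recall(0.36, 0.48), 2))           # 0.67
```

The cut-off in `autocorrect` matters for security as well as usability: with no cut-off, any junk would be accepted as the nearest word, widening what counts as a correct entry; with a cut-off, the verifier only ever compares dictionary words against dictionary words.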

24 Big-Picture Insight (Who?) We can improve things as basic as passwords, if we ask "why".

25 Dealing with Malware (What?) Jakobsson/Johansson: www.fatskunk.com. Problem: power.

26 Dealing with Malware (What?) Three truths: 1. Nasty malware is active. 2. Active routines are in RAM. 3. Algorithms: time-space trade-off.

27 Dealing with Malware (What?) Diagram: monolithic kernel, cache, RAM. 1. Swap out all programs (malware may refuse).

28 Dealing with Malware (What?) 1. Swap out all programs (malware may refuse). 2. Overwrite all "free" RAM with pseudo-random content (malware refuses again).

29 Dealing with Malware (What?) (Same steps; diagram updated.)

30 Dealing with Malware (What?) 1. Swap out all programs (malware may refuse). 2. Overwrite all "free" RAM with pseudo-random content (malware refuses again). 3. Compute keyed digest of all RAM (access order unknown a priori).

31 Dealing with Malware (What?) (Same steps; diagram updated.)

32 Dealing with Malware (What?) (Same steps.) The external verifier provides this input.

33 Dealing with Malware (What?) (Same steps.) The external verifier will time this (and check the result of the computation).

34 Dealing with Malware (What?) Malware has options: 1. Swap out and become inactive. 2. Stay, cause delay, be detected. 3. Refuse connection, be detected. 4. Die and remain unnoticed.

35 After test passed (What?) Scan flash for inactive malware, make secure backup to cloud, DRM, password manager, virtualized phone setup, banking app, vote casting, unlock data/apps, …

36 More detail: unlocking data/apps (What?) FLASH: application, encrypted storage of data and routines. GET KEY FROM VERIFIER, LOAD → RAM: application, decrypted storage of data and routines.
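The following is an added example, not the FatSkunk code, that plays out the protocol of slides 27–36 between a simulated device and an external verifier: the verifier sends a fresh seed and key, the device overwrites all free RAM with pseudo-random filler derived from the seed, computes a keyed digest over RAM in a page order that is only known once the key arrives, and the verifier checks both the digest and the elapsed time before releasing the key that decrypts the application's data (slide 36). The RAM size, page size, kernel stand-in, SHA-256 counter-mode filler, HMAC-SHA256 digest and the time budget are all assumptions for the demonstration; the real scheme's memory-access pattern and timing analysis are not reproduced here.

```python
"""Toy model of the RAM-attestation protocol on these slides (added example,
not the FatSkunk code). The prover is expected to leave only the attestation
kernel in RAM and fill the rest with verifier-seeded filler; the verifier
recomputes the expected digest itself and also checks the reported time."""
import hashlib
import hmac
import os
import random
import time

RAM_SIZE = 4096                  # constructed toy RAM size in bytes
PAGE = 64                        # digest is taken page by page in a shuffled order
KERNEL_SIZE = 256                # region holding the monolithic kernel (constructed)
KERNEL = b"\x90" * KERNEL_SIZE   # stand-in for the kernel image (constructed)


def prng_fill(seed: bytes, n: int) -> bytes:
    """Step 2 filler: deterministic pseudo-random bytes (SHA-256 in counter mode, demo choice)."""
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def expected_ram(seed: bytes) -> bytearray:
    """RAM after steps 1-2: kernel in place, every other byte is seed-derived filler."""
    ram = bytearray(RAM_SIZE)
    ram[:KERNEL_SIZE] = KERNEL
    ram[KERNEL_SIZE:] = prng_fill(seed, RAM_SIZE - KERNEL_SIZE)
    return ram


def page_order(key: bytes) -> list:
    """Step 3: the access order is derived from the key, so it is unknown a priori."""
    order = list(range(RAM_SIZE // PAGE))
    random.Random(key).shuffle(order)
    return order


def keyed_digest(ram: bytearray, key: bytes) -> bytes:
    """Keyed digest over all of RAM, pages visited in the key-derived order."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for p in page_order(key):
        mac.update(ram[p * PAGE:(p + 1) * PAGE])
    return mac.digest()


class Verifier:
    """External verifier: issues the challenge, checks digest and timing, releases the app key."""

    def __init__(self, time_budget_s: float, app_key: bytes):
        self.time_budget_s = time_budget_s
        self.app_key = app_key

    def challenge(self):
        self.seed, self.key = os.urandom(16), os.urandom(16)
        return self.seed, self.key

    def check(self, digest: bytes, elapsed_s: float) -> bool:
        expected = keyed_digest(expected_ram(self.seed), self.key)
        return hmac.compare_digest(digest, expected) and elapsed_s <= self.time_budget_s

    def release_key(self, digest: bytes, elapsed_s: float):
        """Slide 36: the key for the encrypted data/routines is handed out only after a pass."""
        return self.app_key if self.check(digest, elapsed_s) else None


def honest_prover(seed: bytes, key: bytes):
    """A device that swapped everything out and overwrote free RAM as instructed."""
    ram = expected_ram(seed)
    t0 = time.perf_counter()
    return keyed_digest(ram, key), time.perf_counter() - t0


def resident_malware_prover(seed: bytes, key: bytes, at_page: int = 20):
    """Malware option 2 on slide 34: it stays resident in one page instead of swapping out.
    That page is not filler, so the digest is wrong; producing the right digest would mean
    recomputing the missing filler during the digest, the delay the verifier's clock targets."""
    ram = expected_ram(seed)
    ram[at_page * PAGE:(at_page + 1) * PAGE] = b"\xEE" * PAGE   # constructed payload bytes
    t0 = time.perf_counter()
    return keyed_digest(ram, key), time.perf_counter() - t0


def run_attestation(prover, time_budget_s: float = 1.0) -> bool:
    """One full exchange; True if the verifier released the application key."""
    v = Verifier(time_budget_s, app_key=os.urandom(32))
    seed, key = v.challenge()
    digest, elapsed = prover(seed, key)
    return v.release_key(digest, elapsed) is not None


if __name__ == "__main__":
    print("honest device passes:", run_attestation(honest_prover))
    print("resident malware passes:", run_attestation(resident_malware_prover))
```

Note that `run_attestation` trusts the elapsed time reported by the prover only because this is a single-process simulation; the slides have the external verifier do the timing itself, which is what denies resident malware the option of lying about the delay.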

37 THE FUTURE MATTERS TODAY (Why?) Anticipating problems gives us time to innovate.

38 Why does user education fail? A final "why". Contact me to talk spoofing, authentication, malware, mobile, education … and "why"!

