Page 1

TRUST, Washington, D.C. Meeting January 9–10, 2006

Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets

John Mitchell (Stanford)

Page 2

Online identity theft, J.C. Mitchell. TRUST, Washington, D.C. Meeting January 9–10, 2006

Problem: Online Identity Theft

Password phishing
– Forged email and fake web sites steal passwords
– Passwords used to withdraw money, degrade trust

Password theft
– Criminals break into servers and steal password files

Spyware
– Keyloggers steal passwords, product activation codes, etc.

Botnets
– Networks of compromised end-user machines spread SPAM, launch attacks, collect and share stolen information

Magnitude
– $$$ Hundreds of millions in direct loss per year
– Significant indirect loss in brand erosion
  Loss of confidence in online transactions
  Inconvenience of restoring credit rating, identity

Page 3

TRUST team

Stanford
– D Boneh, J Mitchell, D Dill, Jennifer Granick (Law School)
– A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, …

Berkeley
– D Tygar, R Dhamija, …
– Deidre Mulligan (UC Berkeley Law), …

CMU
– A Perrig, D Song
– B Parno, C Kuo

Partners and collaborators
– US Secret Service, DHS/SRI Id Theft Tech Council, RSA Securities, …
– R Rodriguez, D Maughan, …

And growing …

Page 4

Phishing Attack

Attacker sends email: “There is a problem with your eBuy account”

User clicks on email link to www.ebuj.com.

User thinks it is ebuy.com, enters eBuy username and password.

Password sent to bad guy

Page 5

Sample phishing email

Page 6

How does this lead to spoof page?

Link displayed
– https://www.start.earthlink.net/track?billing.asp

Actual link in html email source
– https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...

Website resolved to
– http://202.69.39.30/snkee/billing.htm?session_id=8495...

Page 7

Spoof page: http://202.69.39.30/snkee/....

Page 8

Typical properties of spoof sites

Show logos found on the honest site
– Copied jpg/gif file, or link to honest site

Have suspicious URLs

Ask for user input
– Some ask for CCN, SSN, mother’s maiden name, …

HTML copied from honest site
– May contain links to the honest site
– May contain revealing mistakes

Short lived
– Cannot effectively blacklist spoof sites

HTTPS uncommon
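The checks on pages 6 and 8 (displayed link vs. real href, tracker redirect to a raw IP, no HTTPS) as a small link analyser. This is an added example, not SpoofGuard's code; the anchor regex, the `url=` unwrapping, and the sample email (with a placeholder tracker id) are assumptions made here.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Minimal anchor extraction for the demo; a real mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def final_destination(href, max_hops=5):
    """Unwrap 'url=' redirect parameters, as in the slide's earthlink tracker link."""
    for _ in range(max_hops):
        nxt = parse_qs(urlsplit(href).query).get("url", [""])[0]
        if not nxt.startswith(("http://", "https://")):
            break
        href = nxt
    return href

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def suspicious_links(html):
    """Return [(visible text, destination host, reasons)] for links that show
    the spoof-site properties listed on the slides."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text, dest, reasons = text.strip(), final_destination(href), []
        if text.startswith("http") and host_of(text) != host_of(href):
            reasons.append("displayed host differs from href host")
        if dest != href:
            reasons.append("href redirects via url= to " + host_of(dest))
        if is_ip_literal(host_of(dest)):
            reasons.append("destination is a raw IP address")
        if urlsplit(dest).scheme != "https":
            reasons.append("destination is not HTTPS")
        if reasons:
            findings.append((text, host_of(dest), reasons))
    return findings

# Constructed sample modelled on the slide's tracker link (id is a placeholder)
SAMPLE_EMAIL = ('<a href="https://start.earthlink.net/track?id=PLACEHOLDER_ID'
                '&url=http://202.69.39.30/snkee/billing.htm?session_id=8495">'
                'https://www.start.earthlink.net/track?billing.asp</a>')
```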

Page 9

SpoofGuard browser extension

SpoofGuard is added to IE tool bar
– User configuration
– Pop-up notification as method of last resort

Page 10

Berkeley: Dynamic Security Skins

Automatically customize secure windows

Visual hashes
– Random Art: visual hash algorithm
– Generate unique abstract image for each authentication
– Use the image to “skin” windows or web content
– Browser generated or server generated

Page 11

Browser Generated Images

Browser chooses random number and generates image

Can be used to modify border or web elements

Page 12

Server Generated Images

Server, browser independently generate same image

Server can customize its own page

Page 13

CMU Phoolproof prevention

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware.

Uses a trusted mobile device to perform mutual authentication with the server

Page 14

Password Phishing Problem

User cannot reliably identify fake sites

Captured password can be used at target site

[Diagram: user sends pwdA to Fake Site; Fake Site replays pwdA at Bank A]

Page 15

Common Password Problem

Phishing attack or break-in at site B reveals pwd at A
– Server-side solutions will not keep pwd safe
– Solution: Strengthen with client-side support

[Diagram: Bank A (high security site) receives pwdA; Site B (low security site) receives pwdB = pwdA]

Page 16

What is PwdHash?

Lightweight browser extension

Impedes password theft

Invisible to server
– Compute site-specific password that appears “ordinary” to the server that receives it

Invisible to user
– User indicates password to be hashed by alert sequence (@@) at beginning of pwd

Page 17

Password Hashing

Generate a unique password per site
– HMACfido:123(banka.com) = Q7a+0ekEXb
– HMACfido:123(siteb.com) = OzX2+ICiqc

Hashed password is not usable at any other site
– Protects against password phishing
– Protects against common password problem

[Diagram: Bank A receives hash(pwdA, BankA); Site B receives hash(pwdB, SiteB); pwdA = pwdB]
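The mechanism of pages 16 and 17 as a working sketch: the @@ prefix selects hashing, and the site-specific password is HMAC keyed by the user's password over the site domain. This is an added example and not the PwdHash extension's code; the HMAC-SHA256/base64 encoding, the 10-character output length, the last-two-labels domain rule, and the site names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"   # alert sequence typed at the start of a password to request hashing
OUT_LEN = 10    # length of the generated site password (assumption, matches slide samples)

def site_key(url):
    """Reduce a URL to the domain fed into the hash. Simplified to the last two
    labels of the host name (an assumption; PwdHash's own rules are not copied)."""
    host = (urlsplit(url).hostname or url).lower()
    return ".".join(host.split(".")[-2:])

def pwdhash(typed, url):
    """What the browser submits: the typed password unchanged unless it starts
    with the alert sequence, in which case HMAC(pwd, site) encoded to look like
    an ordinary password (HMAC-SHA256 + base64 here; an assumption)."""
    if not typed.startswith(PREFIX):
        return typed
    pwd = typed[len(PREFIX):].encode()
    mac = hmac.new(pwd, site_key(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:OUT_LEN]

def phishing_scenario(typed="@@fido:123"):
    """The slide's argument in code: one typed password yields different site
    passwords at the bank, at a second site and at a look-alike spoof site,
    so neither a phished hash nor a break-in at site B exposes the bank login."""
    at_bank = pwdhash(typed, "https://banka.com/login")
    at_site_b = pwdhash(typed, "https://siteb.com/login")
    at_spoof = pwdhash(typed, "http://www.ebuj.com/login")  # user fooled by look-alike
    return {"bank": at_bank, "siteb": at_site_b, "spoof": at_spoof,
            "spoof_unusable_at_bank": at_spoof != at_bank,
            "common_password_safe": at_site_b != at_bank}
```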

Page 18

Many additional issues

Malicious javascript in browser
– Malicious scripts can implement a keystroke logger; keep scripts from reading user password entry

Password reset problem

Internet café

Dictionary attacks (defense: added salt)

Try it!
http://crypto.stanford.edu/SpoofGuard/
http://crypto.stanford.edu/PwdHash/

Page 19

Tech Transfer

SpoofGuard
– Some SpoofGuard heuristics now used in eBay toolbar and Earthlink ScamBlocker.
– Very effective against basic phishing attacks.

PwdHash
– Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords.
  RSA SecurID passwords vulnerable to online phishing
  PwdHash helps strengthen SecurID passwords

New browser extensions for privacy
– SafeCache and SafeHistory

Page 20

Botnets

Collection of compromised hosts
– Spread like worms and viruses
– Once installed, respond to remote commands

Platform for many attacks
– Spam forwarding
– Keystroke logging
– Distributed denial of service attacks

What more could a cybercriminal ask for?

Page 21

Botnet facts

Platforms
– Most bots are compromised Windows machines
– Most controllers are compromised Unix hosts running ircd

Example bot software:
– Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot.

Versatile launching point for many attacks
– 70% of spam from bots (MessageLabs, October 2004).
– Most worms and viruses used to propagate bot software
– Most denial of service attacks are orchestrated using bots

“Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, and creating more bots.”
– Jim Lippard, Director, Information Security Operations, Global Crossing

Page 22

GLBC: malware-infected hosts

[Chart: GLBC Unique Infected IPs; x-axis bimonthly from 9/29/2003 to 5/29/2005; y-axis 0 to 350000]

Page 23

Building a Bot Network

[Diagram: Attacker makes compromise attempts against Win XP, FreeBSD, Mac OS X and a second Win XP host]

Page 24

Building a Bot Network

[Diagram: same hosts; both Win XP machines are compromised and bot software is installed, while the FreeBSD and Mac OS X attempts are shown without success]

Page 25

Step 2

[Diagram: each compromised Win XP host runs “/connect jade.va.us.dal.net” and “/join #hacker”, rallying at the IRC server jade.va.dal.net]

Page 26

Step 3

(12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646

(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62

(12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647

(12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer)

(12:59:28pm) (BadGuy) .scan.enable DCOM

(12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650
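The “rallying” signal of page 28 applied to a channel log in the format of page 26: bursts of generated-looking nicks joining one large channel while a controller issues dot-commands. This is an added example, not the CMU or Stanford detection tooling; the regexes, the thresholds, and the constructed log (user@host fields are placeholders) are assumptions made here.

```python
import re
from collections import Counter

JOIN_RE = re.compile(r"^\((\S+)\) -- (\S+) \(\S+\) has joined \(#\S+\) Users : (\d+)")
CMD_RE = re.compile(r"^\((\S+)\) \((\S+)\) (\.[a-z]+(?:\.[a-z]+)*)\b")
GENERATED_NICK_RE = re.compile(r"^[A-Z]\d-[a-z]+$")  # e.g. A9-pcgbdv, the pattern on the slide

def analyse_channel_log(log):
    """Score a channel log for the rallying pattern: many auto-generated nicks
    joining one channel and a controller issuing dot-commands. Returns the
    indicators and a verdict (thresholds are assumptions for the demo)."""
    joins_per_sec, nicks, users, commands = Counter(), [], [], []
    for line in log.splitlines():
        m = JOIN_RE.match(line)
        if m:
            joins_per_sec[m.group(1)] += 1
            nicks.append(m.group(2))
            users.append(int(m.group(3)))
            continue
        m = CMD_RE.match(line)
        if m:
            commands.append((m.group(2), m.group(3)))
    generated = sum(1 for n in nicks if GENERATED_NICK_RE.match(n))
    indicators = {
        "peak_joins_per_sec": max(joins_per_sec.values(), default=0),
        "generated_nick_ratio": generated / len(nicks) if nicks else 0.0,
        "channel_population": max(users, default=0),
        "controller_commands": commands,
    }
    hits = [indicators["peak_joins_per_sec"] >= 2,
            indicators["generated_nick_ratio"] >= 0.8,
            indicators["channel_population"] >= 1000,
            bool(commands)]
    indicators["rallying_suspected"] = sum(hits) >= 3
    return indicators

# Constructed log in the slide's format; user@host fields are placeholders
SAMPLE_LOG = """\
(12:59:27pm) -- A9-pcgbdv (bot@h1.invalid) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd (bot@h2.invalid) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah (bot@h3.invalid) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (bot@h4.invalid) has joined (#owned) Users : 1650
"""
```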

Page 27

Underground commerce

Market in access to bots
– Botherd: Collects and manages bots

Sample rates
– Non-exclusive access to botnet: 10¢ per machine
– Exclusive access: 25¢.
– Payment via compromised account or cash to dropbox

Identity Theft
– Keystroke logging
– Complete identities available for $25 - $200+
  Rates depend on financial situation of compromised person
  Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
  At $200+, usually includes full credit report

[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]

Page 28

Detecting and disabling botnets

Unique characteristic: “rallying”
– Bots spread like worms and trojans
– Payloads may be common backdoors
– Centralized control of botnet is characteristic feature

Current efforts
– Spyware project with Stanford Law School
– CMU botnet detection: based on methods that bots use to hide themselves
– Stanford host-based bot detection: taint analysis, comparing network buffer and syscall args
– Botnet and spyware survival: Spyblock, virtualization and containment of pwd, etc.

Page 29

Future challenges

Criminals become increasingly sophisticated
– “In 25 years of law enforcement, this is the closest thing I’ve seen to the perfect crime” – Don Wilborn

Increasing interest at server side
– Losses are significant

Need improved platform security
– Protect assets from crimeware

Need improved web authentication
– Basic science can be applied to solve problem: challenge-response, two-factor auth, …

Social awareness, legal issues, and human factors
– Studies with Law Clinics; user studies

Technology transfer
– More free software, RSA Security, …