TRUST, Washington, D.C. Meeting January 9–10, 2006
Combating Online Identity Theft Spoofguard, PwdHash, Spyware, Botnets
John Mitchell (Stanford)
Online identity theft, J.C. Mitchell
Problem: Online Identity Theft
Password phishing
– Forged email and fake web sites steal passwords
– Passwords used to withdraw money, degrade trust
Password theft
– Criminals break into servers and steal password files
Spyware
– Keyloggers steal passwords, product activation codes, etc.
Botnets
– Networks of compromised end-user machines spread SPAM, launch attacks, collect and share stolen information
Magnitude
– $$$ Hundreds of millions in direct loss per year
– Significant indirect loss in brand erosion, loss of confidence in online transactions, inconvenience of restoring credit rating and identity
TRUST team
Stanford
– D Boneh, J Mitchell, D Dill, Jennifer Granick (Law School)
– A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, …
Berkeley
– D Tygar, R Dhamija, …
– Deidre Mulligan (UC Berkeley Law), …
CMU
– A Perrig, D Song
– B Parno, C Kuo
Partners and collaborators
– US Secret Service, DHS/SRI Id Theft Tech Council, RSA Securities, …
– R Rodriguez, D Maughan, …
And growing …
Phishing Attack
[Diagram: bad guy, user and the real eBuy site; label: password?]
Sends email: “There is a problem with your eBuy account”
User clicks on email link to www.ebuj.com.
User thinks it is ebuy.com, enters eBuy username and password.
Password sent to bad guy
Sample phishing email
How does this lead to spoof page?
Link displayed
– https://www.start.earthlink.net/track?billing.asp
Actual link in html email – source:
– https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
Website resolved to
– http://202.69.39.30/snkee/billing.htm?session_id=8495...
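The three-layer trick on this slide (the URL the user sees, the real href, and the destination hidden in the redirector's url= parameter) can be checked mechanically. The following is an added example, not code from the slides or from SpoofGuard; the e-mail, the redirect id and the raw-IP destination are constructed placeholders, and the set of redirect parameter names it follows is an assumption.

```python
"""Added example (not from the slides): examine the links in an HTML e-mail the
way the slide does, separating the URL the user sees, the real href, and the
destination hidden in the redirector's url= parameter."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Constructed sample e-mail. The redirect id and the raw-IP destination are
# placeholders, not the values from the real message.
SAMPLE_EMAIL_HTML = """
<p>There is a problem with your billing information.</p>
<a href="https://start.earthlink.net/track?id=PLACEHOLDER_ID&amp;url=http://203.0.113.7/snkee/billing.htm?session_id=1234">
https://www.start.earthlink.net/track?billing.asp</a>
<a href="https://www.example.net/help">https://www.example.net/help</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def final_destination(url, redirect_params=("url", "redirect", "target", "goto")):
    """Follow one hop of an open redirector: a query parameter whose value is itself a URL.
    The parameter names are an assumption of this example."""
    query = parse_qs(urlsplit(url).query)
    for name in redirect_params:
        for value in query.get(name, []):
            if value.lower().startswith(("http://", "https://")):
                return value
    return url


def analyse_link(href, text):
    """Return the findings a SpoofGuard-style mail check would raise for one link."""
    findings = []
    shown_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
    if shown_host and shown_host != host_of(href):
        findings.append("displayed URL host differs from href host")
    destination = final_destination(href)
    if destination != href:
        findings.append("href redirects to " + host_of(destination))
    if is_ip_host(host_of(destination)):
        findings.append("destination is a raw IP address")
    if urlsplit(destination).scheme != "https":
        findings.append("destination is not HTTPS")
    return {"href": href, "destination": destination, "findings": findings}


def analyse_email(html):
    return [analyse_link(href, text) for href, text in extract_links(html)]


if __name__ == "__main__":
    for result in analyse_email(SAMPLE_EMAIL_HTML):
        print(result["destination"], result["findings"])
```

The first link produces three findings (host mismatch between text and href, raw-IP destination, no HTTPS) plus the redirect note; the plain help link produces none.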
Spoof page: http://202.69.39.30/snkee/....
Typical properties of spoof sites
Show logos found on the honest site
– Copied jpg/gif file, or link to honest site
Have suspicious URLs
Ask for user input
– Some ask for CCN, SSN, mother’s maiden name, …
HTML copied from honest site
– May contain links to the honest site
– May contain revealing mistakes
Short lived
– Cannot effectively blacklist spoof sites
HTTPS uncommon
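The properties above are what a heuristic page scorer looks at, which is why blacklists of short-lived sites are not enough. The following is an added example and not SpoofGuard's own code: the weights, the warning threshold, the brand list and the two sample pages (a spoof on a raw IP that copies the honest site's logo, and the honest sign-in page) are all constructed for the illustration.

```python
"""Added example (not SpoofGuard's code): score a landing page against the
spoof-site properties listed on the slide and decide whether to warn."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed list of honest sites whose logos and links a spoof might reuse.
KNOWN_BRANDS = {"ebuy.com"}
SENSITIVE_FIELD = re.compile(r"ssn|social|ccn|card|cvv|maiden|pin", re.I)
WARN_THRESHOLD = 6   # constructed threshold


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def same_site(host, domain):
    return host == domain or host.endswith("." + domain)


class _PageFeatures(HTMLParser):
    """Collect the page properties the heuristics look at."""

    def __init__(self):
        super().__init__()
        self.resource_hosts = set()   # hosts of <img src> and <a href>
        self.input_names = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.resource_hosts.add(host_of(a["src"]))
        elif tag == "a" and a.get("href"):
            self.resource_hosts.add(host_of(a["href"]))
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.has_password_field = True
            self.input_names.append((a.get("name") or "").lower())


def score_page(url, html, brands=KNOWN_BRANDS):
    """Return (score, reasons). Weights are constructed for this example."""
    features = _PageFeatures()
    features.feed(html)
    parts = urlsplit(url)
    host = host_of(url)
    score, reasons = 0, []
    if is_ip_host(host):
        score += 3; reasons.append("host is a raw IP address")
    if parts.scheme != "https":
        score += 1; reasons.append("no HTTPS")
    if "@" in parts.netloc or host.count(".") >= 4:
        score += 2; reasons.append("suspicious URL shape")
    referenced = {h for h in features.resource_hosts if h}
    for brand in brands:
        if same_site(host, brand):
            continue  # the honest site may reference itself
        if any(same_site(h, brand) for h in referenced):
            score += 3; reasons.append(f"uses {brand} logos or links but is not hosted there")
        elif brand.split(".")[0] in (host + parts.path).lower():
            score += 2; reasons.append(f"brand name {brand!r} appears in a foreign URL")
    if features.has_password_field:
        score += 1; reasons.append("asks for a password")
    if any(SENSITIVE_FIELD.search(name) for name in features.input_names):
        score += 2; reasons.append("asks for CCN/SSN/maiden-name style data")
    return score, reasons


def should_warn(score):
    return score >= WARN_THRESHOLD


# Constructed pages: a spoof hosted on a raw IP that copies the honest site's
# logo, and the honest sign-in page itself.
SPOOF_URL = "http://203.0.113.7/snkee/billing.htm"
SPOOF_HTML = """<html><body>
<img src="https://www.ebuy.com/images/logo.gif">
<form action="billing.htm" method="post">
<input name="user"><input type="password" name="pass">
<input name="ccn"><input name="ssn"><input name="mothers_maiden">
</form>
<a href="https://www.ebuy.com/privacy">Privacy</a>
</body></html>"""
HONEST_URL = "https://www.ebuy.com/signin"
HONEST_HTML = """<html><body>
<img src="/images/logo.gif">
<form action="/signin" method="post">
<input name="user"><input type="password" name="pass">
</form>
<a href="/privacy">Privacy</a>
</body></html>"""

if __name__ == "__main__":
    for url, html in ((SPOOF_URL, SPOOF_HTML), (HONEST_URL, HONEST_HTML)):
        score, reasons = score_page(url, html)
        print(url, score, "WARN" if should_warn(score) else "ok", reasons)
```

The spoof page scores on every property the slide lists (raw IP, no HTTPS, copied logo and link back to the honest site, password and CCN/SSN/maiden-name fields); the honest page scores only for having a password field, which is why a single heuristic is never decisive and the pop-up is a last resort.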
SpoofGuard browser extension
SpoofGuard is added to IE tool bar
– User configuration
– Pop-up notification as method of last resort
Berkeley: Dynamic Security Skins
Automatically customize secure windows
Visual hashes
– Random Art - visual hash algorithm
– Generate unique abstract image for each authentication
– Use the image to “skin” windows or web content
– Browser generated or server generated
Browser Generated Images
Browser chooses random number and generates image
Can be used to modify border or web elements
Server Generated Images
Server, browser independently generate same image
Server can customize its own page
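The point of the server-generated variant is that the server and the browser render the same abstract image without ever sending it, because both derive it from a secret only they share. The following is an added example, not the Berkeley Dynamic Security Skins code or the Random Art implementation: it uses a simplified random-art style visual hash (a random expression tree rendered over the image plane), and the seed derivation (an HMAC over a session label with the shared secret, which the real system would obtain from its authentication protocol) is an assumption made here.

```python
"""Added example (not the Berkeley Dynamic Security Skins code): a simplified
random-art style visual hash. Server and browser each derive the same seed from a
secret only they share, then render identical abstract images from it."""
import hashlib
import hmac
import math
import random


def skin_seed(shared_key: bytes, session_id: bytes) -> int:
    """Seed derivation is an assumption here: both ends HMAC a per-session label
    with the secret they already share."""
    mac = hmac.new(shared_key, b"security-skin|" + session_id, hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def random_expression(rng, depth):
    """Build a random expression tree over x, y in [-1, 1]; every node stays in [-1, 1]."""
    if depth == 0:
        return rng.choice(("x", "y"))
    op = rng.choice(("sin", "avg", "mul"))
    if op == "sin":
        return ("sin", rng.uniform(1.0, 4.0), random_expression(rng, depth - 1))
    return (op, random_expression(rng, depth - 1), random_expression(rng, depth - 1))


def evaluate(expr, x, y):
    if expr == "x":
        return x
    if expr == "y":
        return y
    op = expr[0]
    if op == "sin":
        return math.sin(expr[1] * evaluate(expr[2], x, y))
    a, b = evaluate(expr[1], x, y), evaluate(expr[2], x, y)
    return (a + b) / 2 if op == "avg" else a * b


def render_skin(seed: int, size: int = 32, depth: int = 5) -> bytes:
    """Grayscale raster (size*size bytes) determined entirely by the seed."""
    rng = random.Random(seed)
    expr = random_expression(rng, depth)
    pixels = bytearray()
    for j in range(size):
        for i in range(size):
            x = 2.0 * i / (size - 1) - 1.0
            y = 2.0 * j / (size - 1) - 1.0
            pixels.append(int(round((evaluate(expr, x, y) + 1.0) * 127.5)))
    return bytes(pixels)


def to_pgm(pixels: bytes, size: int = 32) -> bytes:
    """Wrap the raster as a binary PGM so it can be viewed or embedded."""
    return b"P5\n%d %d\n255\n" % (size, size) + pixels


# Constructed demo secret: the server and the browser hold it, a phishing page does not.
SESSION_SECRET = b"constructed-shared-secret"
SESSION_ID = b"session-0001"


def skins_match(server_key: bytes, browser_key: bytes, session_id: bytes = SESSION_ID) -> bool:
    """True when both ends rendered the same image, i.e. both held the same secret."""
    server_image = render_skin(skin_seed(server_key, session_id))
    browser_image = render_skin(skin_seed(browser_key, session_id))
    return server_image == browser_image


if __name__ == "__main__":
    with open("skin.pgm", "wb") as f:
        f.write(to_pgm(render_skin(skin_seed(SESSION_SECRET, SESSION_ID))))
    print("browser matches server:", skins_match(SESSION_SECRET, SESSION_SECRET))
    print("phisher matches server:", skins_match(SESSION_SECRET, b"attacker-guess"))
```

A page that does not hold the session secret renders a different image, so its skin will not match the one the browser drew around its own trusted window.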
CMU Phoolproof prevention
Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware
Uses a trusted mobile device to perform mutual authentication with the server
[Diagram: label: password?]
Password Phishing Problem
User cannot reliably identify fake sites
Captured password can be used at target site
[Diagram: pwdA entered at Fake Site; the same pwdA is then used at Bank A]
Common Password Problem
Phishing attack or break-in at site B reveals pwd at A
– Server-side solutions will not keep pwd safe
– Solution: Strengthen with client-side support
[Diagram: Bank A (high security site) receives pwdA; Site B (low security site) receives pwdB = pwdA]
What is PwdHash?
Lightweight browser extension
Impedes password theft
Invisible to server
– Compute site-specific password that appears “ordinary” to the server that receives it
Invisible to user
– User indicates password to be hashed by alert sequence (@@) at beginning of pwd
Password Hashing
Generate a unique password per site
– HMACfido:123(banka.com) = Q7a+0ekEXb
– HMACfido:123(siteb.com) = OzX2+ICiqc
Hashed password is not usable at any other site
– Protects against password phishing
– Protects against common password problem
[Diagram: Bank A receives hash(pwdA, BankA); Site B receives hash(pwdB, SiteB); the user's pwdA = pwdB]
Many additional issues
Malicious javascript in browser
– Implement keystroke logger, keep scripts from reading user password entry
Password reset problem
Internet café
Dictionary attacks (defense: added salt)
Try it!
http://crypto.stanford.edu/SpoofGuard/
http://crypto.stanford.edu/PwdHash/
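The Password Hashing slide and the dictionary-attack point above come together in the following added example, which is not the PwdHash extension's own code. It computes the per-site password as an HMAC keyed by the user's password over the site domain, as the slide's HMACfido:123(banka.com) illustration does, handles the @@ alert sequence, and accepts an optional user-held salt. SHA-256, base64 encoding, the output-length rule and the "last two host labels" domain reduction are choices made here and not the extension's.

```python
"""Added example (not the PwdHash extension's code): site-specific password
hashing as on the slide, HMAC keyed by the user's password over the site domain,
encoded to look like an ordinary password. The @@ prefix handling and the
optional salt against dictionary attacks are included."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

ALERT_SEQUENCE = "@@"   # the slide's alert sequence at the start of the password


def site_key(url: str) -> str:
    """Domain the hash is bound to. Constructed simplification: the last two host
    labels, so www.banka.com and banka.com hash alike (the real extension uses a
    fuller rule set for multi-part public suffixes)."""
    host = (urlsplit(url).hostname or url).lower()
    labels = host.split(".")
    return ".".join(labels[-2:])


def hashed_password(master: str, url: str, salt: str = "") -> str:
    """HMAC_master(domain), base64-encoded and truncated, in the shape of the
    slide's HMACfido:123(banka.com) = Q7a+0ekEXb illustration. Hash function,
    encoding and length rule are choices of this example."""
    key = (master + salt).encode("utf-8")
    digest = hmac.new(key, site_key(url).encode("utf-8"), hashlib.sha256).digest()
    length = max(8, len(master))  # keep roughly the length the user typed
    return base64.b64encode(digest).decode("ascii")[:length]


def on_password_submit(typed: str, page_url: str, salt: str = "") -> str:
    """What the extension does with the password field: hash only if the user
    opted in with @@, otherwise pass the password through unchanged."""
    if not typed.startswith(ALERT_SEQUENCE):
        return typed
    return hashed_password(typed[len(ALERT_SEQUENCE):], page_url, salt)


def demo():
    """One common master password, four sites: constructed URLs."""
    master = "@@fido:123"
    return {
        "bank": on_password_submit(master, "https://www.banka.com/login"),
        "siteb": on_password_submit(master, "https://siteb.com/login"),
        "spoof": on_password_submit(master, "http://www.ebuj.com/login"),  # lookalike
        "real": on_password_submit(master, "https://ebuy.com/login"),
    }


if __name__ == "__main__":
    for site, pwd in demo().items():
        print(site, pwd)
```

Because the domain is part of the HMAC input, the value captured by the ebuj.com lookalike is useless at ebuy.com, and a break-in at siteb.com reveals nothing about the banka.com password even though the user typed the same master password at both. The salt only helps against offline dictionary attacks on a stolen hash if it is something the attacker does not also hold.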
Tech Transfer
SpoofGuard
– Some SpoofGuard heuristics now used in eBay toolbar and Earthlink ScamBlocker.
– Very effective against basic phishing attacks.
PwdHash
– Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords.
– RSA SecurID passwords vulnerable to online phishing
– PwdHash helps strengthen SecurID passwords
New browser extensions for privacy
– SafeCache and SafeHistory
Botnets
Collection of compromised hosts
– Spread like worms and viruses
– Once installed, respond to remote commands
Platform for many attacks
– Spam forwarding
– Keystroke logging
– Distributed denial of service attacks
What more could a cybercriminal ask for?
Botnet facts
Platforms
– Most bots are compromised Windows machines
– Most controllers are compromised Unix hosts running ircd
Example bot software:
– Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot.
Versatile launching point for many attacks
– 70% of spam from bots (MessageLabs, October 2004).
– Most worms and viruses used to propagate bot software
– Most denial of service attacks are orchestrated using bots
“Botnets are the primary infrastructure of criminal activity on the Internet, used most heavily for spamming, phishing, and creating more bots.”
– Jim Lippard, Director, Information Security Operations, Global Crossing
GLBC: malware-infected hosts
[Chart: GLBC unique infected IPs; y-axis 0 to 350,000; x-axis bimonthly samples from 9/29/2003 to 5/29/2005]
Building a Bot Network
[Diagram, step 1: attacker sends compromise attempts to four hosts (Win XP, FreeBSD, Mac OS X, Win XP)]
Building a Bot Network
[Diagram, step 1 continued: the two Win XP hosts are marked compromised and the attacker installs bot software on them]
Step 2
[Diagram: each compromised Win XP host runs the same script (. . . /connect jade.va.us.dal.net, /join #hacker, . . .) and rallies to the IRC server jade.va.dal.net]
Step 3
(12:59:27pm) -- A9-pcgbdv ([email protected]) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd ([email protected]) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah ([email protected]) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv ([email protected]) has joined (#owned) Users : 1650
Underground commerce
Market in access to bots
– Botherd: Collects and manages bots
Sample rates
– Non-exclusive access to botnet: 10¢ per machine
– Exclusive access: 25¢.
– Payment via compromised account or cash to dropbox
Identity Theft
– Keystroke logging
– Complete identities available for $25 - $200+
Rates depend on financial situation of compromised person
– Include all info from PC files, plus all websites of interest with passwords/account info used by PC owner
– At $200+, usually includes full credit report
[Lloyd Taylor, Keynote Systems, SFBay InfraGard Board]
Detecting and disabling botnets
Unique characteristic: “rallying”
– Bots spread like worms and trojans
– Payloads may be common backdoors
– Centralized control of botnet is characteristic feature
Current efforts
– Spyware project with Stanford Law School
– CMU botnet detection: based on methods that bots use to hide themselves
– Stanford host-based bot detection: taint analysis, comparing network buffer and syscall args
– Botnet and spyware survival: Spyblock, virtualization and containment of pwd, etc.
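Rallying is the signal that the Step 3 log makes visible: many freshly compromised hosts join the same channel within seconds and a single nick issues dotted commands to all of them. The following detector is an added example, not the CMU or Stanford code; it runs over constructed log lines in the same format as the Step 3 slide (placeholder idents, documentation IP addresses), and the thresholds (joins per window, channel size) are constructed values rather than numbers from the projects.

```python
"""Added example (not the CMU or Stanford detector): flag bot rallying and
control traffic in IRC logs like the one on the Step 3 slide. A burst of joins
to one channel, an oversized channel, and dotted bot-command messages are the
signals used; the thresholds are constructed, not taken from the projects."""
import re
from collections import defaultdict, deque

JOIN_RE = re.compile(
    r"^\((\d{1,2}):(\d{2}):(\d{2})(am|pm)\) -- (\S+) \(\S+\) has joined \((#\S+)\) Users : (\d+)$")
MSG_RE = re.compile(r"^\((\d{1,2}):(\d{2}):(\d{2})(am|pm)\) \((\S+)\) (.*)$")
BOT_COMMAND_RE = re.compile(r"^(\.[a-z]+(?:\.[a-z]+)*)\s*(.*)$", re.I)

# Constructed log in the slide's format: placeholder idents and documentation IPs.
SAMPLE_IRC_LOG = """\
(12:59:27pm) -- A9-pcgbdv (bot@host-a.invalid) has joined (#owned) Users : 1646
(12:59:27pm) (BadGuy) .ddos.synflood 203.0.113.62
(12:59:27pm) -- A6-bpxufrd (bot@host-b.invalid) has joined (#owned) Users : 1647
(12:59:27pm) -- A9-nzmpah (bot@host-c.invalid) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (bot@host-d.invalid) has joined (#owned) Users : 1650
(1:03:10pm) -- alice (alice@workstation.invalid) has joined (#chat) Users : 12
(1:03:15pm) (alice) hello everyone
"""


def to_seconds(h, m, s, ampm):
    """Seconds since midnight from the log's 12-hour clock."""
    hour = int(h) % 12 + (12 if ampm == "pm" else 0)
    return hour * 3600 + int(m) * 60 + int(s)


def analyse_irc_log(lines, window=60, join_threshold=3, large_channel=500):
    """Return a list of alert dicts in log order. Thresholds are constructed."""
    alerts = []
    recent_joins = defaultdict(deque)   # channel -> join timestamps inside the window
    flagged_large = set()
    for line in lines:
        join = JOIN_RE.match(line)
        if join:
            t = to_seconds(*join.group(1, 2, 3, 4))
            channel, users = join.group(6), int(join.group(7))
            q = recent_joins[channel]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) == join_threshold:   # fire once as the burst crosses the threshold
                alerts.append({"type": "rally", "channel": channel, "joins": len(q), "at": t})
            if users >= large_channel and channel not in flagged_large:
                flagged_large.add(channel)
                alerts.append({"type": "large_channel", "channel": channel, "users": users})
            continue
        msg = MSG_RE.match(line)
        if msg:
            cmd = BOT_COMMAND_RE.match(msg.group(6))
            if cmd:   # a dotted verb such as .ddos.synflood or .scan.enable
                alerts.append({"type": "command", "nick": msg.group(5),
                               "command": cmd.group(1).lower(), "args": cmd.group(2)})
    return alerts


if __name__ == "__main__":
    for alert in analyse_irc_log(SAMPLE_IRC_LOG.splitlines()):
        print(alert)
```

On the sample, #owned trips the oversized-channel check on the first join, the two BadGuy lines are reported as control commands, and the third join within a second fires the rally alert; the ordinary #chat traffic produces nothing. The same join-burst logic applies to flow records (many internal hosts opening sessions to one external IRC server) when no channel log is available.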
Future challenges
Criminals become increasingly sophisticated
– “In 25 years of law enforcement, this is the closest thing I’ve seen to the perfect crime” – Don Wilborn
Increasing interest at server side
– Losses are significant
Need improved platform security
– Protect assets from crimeware
Need improved web authentication
– Basic science can be applied to solve problem: challenge-response, two-factor auth, …
Social awareness, legal issues, and human factors
– Studies with Law Clinics; user studies
Technology transfer
– More free software, RSA Security, …