Impersonation
CS 161 Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin
http://inst.eecs.berkeley.edu/cs161
March 1, 2011

Announcements
- Midterm next Tuesday, March 8th. Scope is course material up through today. You can bring a single sheet of notes, two-sided, viewable w/o assistance. FYI, you might want to keep this for the final.
- My office hours the week of March 7th will be by appointment.
- Guest lecture this Thursday, March 3rd: Prof. David Wagner.
- Reminder: HW 2 due 5PM on Friday.

Goals For Today
A broad look at the problem of impersonation: threats based on something not being what it appears to be.
- Web attacks misleading users regarding their clicks
- Phishing: misleading users regarding with whom they are interacting
- CAPTCHAs: telling humans apart from bots
- Analyzing email headers for legitimacy (time permitting)

Attacks on User Volition
- Browser assumes clicks and keystrokes are a clear indication of what the user wants to do. This constitutes part of the user's trusted path.
- Attack #1: commandeer the focus of user input.
- Attack #2: mislead the user regarding the true focus (click-jacking).

Click-Jacking
- Demo #1: you think you're typing to a familiar app, but you're not. [demo]
- Demo #2: you don't think you're typing to a familiar app, but you are. [demo: "Let's click here"] You might click on what the attacker wants no matter where you click. [demo]
- Demo #3: you definitely meant to click somewhere else.

Why Does Firefox Make You Wait?
... to keep you from being tricked into clicking.

Defending Against Clickjacking
- Main defense: frame busting. The web site ensures that its vulnerable pages can't be included as a frame inside another browser frame.
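The frame-busting defense just introduced, as an added example that is not code from the lecture: the classic one-line buster navigates the top window away when the page finds itself framed, but the framing page can suppress that navigation (for instance by cancelling it from an onbeforeunload handler), so the more robust pattern hides the page's content by default and reveals it only after confirming the page is the top-level document. The browser-enforced X-Frame-Options and Content-Security-Policy frame-ancestors response headers, which need no script at all, are listed alongside; they are standard headers, not something the slide mentions. The functions, the mock window/document objects, and the hostnames attacker.example and site.example are this example's own.

```javascript
// Added example, not from the lecture: hide-by-default frame busting.
// Browser objects are passed in as parameters so the logic can be exercised
// with constructed mock objects outside a browser.

// True only when `win` is the top-level browsing context. Property reads on
// a cross-origin top window can throw, so a throw is treated as "framed",
// never as "safe".
function isTopLevel(win) {
  try {
    return win.top === win.self;
  } catch (e) {
    return false;
  }
}

// Content starts hidden, so even if the attacker blocks the top.location
// navigation the victim site never renders inside the attacker's frame.
// Returns "shown" or "hidden" so callers can inspect the decision.
function applyFrameBusting(win, doc) {
  doc.body.style.display = "none";
  if (isTopLevel(win)) {
    doc.body.style.display = "block";
    return "shown";
  }
  try {
    win.top.location = win.self.location; // best effort: break out of the frame
  } catch (e) {
    // cross-origin assignment may throw; the content stays hidden regardless
  }
  return "hidden";
}

// Server-side counterpart: headers the browser enforces without any script.
const ANTI_FRAMING_HEADERS = {
  "X-Frame-Options": "DENY",
  "Content-Security-Policy": "frame-ancestors 'none'",
};

// Usage with constructed stand-ins for window and document.
function frameBustingDemo() {
  const topWin = {};
  topWin.top = topWin;
  topWin.self = topWin;

  const attackerWin = { location: "http://attacker.example/" }; // constructed
  const framedWin = { top: attackerWin, location: "http://site.example/" };
  framedWin.self = framedWin;

  const docA = { body: { style: {} } };
  const docB = { body: { style: {} } };
  return {
    standalone: applyFrameBusting(topWin, docA), // "shown"
    framed: applyFrameBusting(framedWin, docB),  // "hidden"
    bustedTo: attackerWin.location,              // "http://site.example/"
  };
}
```

The order inside applyFrameBusting is the point: hiding first and revealing second means a defeated navigation still leaves nothing for the attacker to overlay, which is why the script-only one-liner on its own is not enough.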
  (Callout on the Demo #2 screenshot: the attacker implements this by placing Twitter's page in a frame inside their own page. Otherwise they wouldn't overlap.)
- So the user can't be looking at it with something invisible overlaid on top, nor have the site invisible above something else.
- Conceptually implemented with Javascript like:

    if (top.location != self.location)
        top.location = self.location;

- Note: actually quite tricky to get this right.

Related UI Sneakiness
- Demo #4: you've got a lot on your mind. [demo] Tabnabbing.
- Demo #5: you're living in The Matrix. Browser-in-Browser: the apparent browser is just a fully interactive image generated by script running in the real browser.

5 Minute Break
Questions Before We Proceed?

Phishing

The Problem of Phishing
- Arises due to a mismatch between reality and the user's:
  - perception of how to assess legitimacy
  - mental model of what attackers can control (both Email and Web)
- Coupled with deficiencies in how web sites authenticate. In particular, replayable authentication that is vulnerable to theft.

How Can We Tell When We're Being Phished?
- Check the URL before clicking:

    <a href="http://www.ebay.com" onclick="location='http://hackrz.com'">

- Exploits a misfeature in IE that interprets a number here (e.g. 0xbd5947e3) as a 32-bit IP address: 0xbd5947e3 = 189.89.71.227

    $ dig -x 189.89.71.227

    ; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 189.89.71.227
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24037
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;227.71.89.189.in-addr.arpa.        IN      PTR

    ;; ANSWER SECTION:
    227.71.89.189.in-addr.arpa. 86400   IN      PTR     227-71-89-189.cliente.interjato.com.br.

    ;; AUTHORITY SECTION:
    71.89.189.in-addr.arpa.     86399   IN      NS      ns2.interjato.com.br.
    71.89.189.in-addr.arpa.     86399   IN      NS      ns1.interjato.com.br.

    ;; Query time: 511 msec
    ;; SERVER: 128.32.153.21#53(128.32.153.21)
    ;; WHEN: Tue Mar  1 17:37:52 2011
    ;; MSG SIZE  rcvd: 132

    $ whois 189.89.71.227
    # The following results may also be obtained via:
    # http://whois.arin.net/rest/nets;q=189.89.71.227?showDetails=true&showARIN=e
    NetRange:       189.0.0.0 - 189.255.255.255
    CIDR:           189.0.0.0/8
    OriginAS:
    NetName:        NET189
    NetHandle:      NET-189-0-0-0-1
    Parent:
    NetType:        Allocated to LACNIC
    ...
    inetnum:        189.89.64/20
    aut-num:        AS28184
    abuse-c:        EMR5
    owner:          TECHNET NETWORKING LTDA
    ownerid:        000.872.797/0001-17
    responsible:    Erich matos Rodrigues
    country:        BR

- Check the URL in the address bar: Homograph Attacks. International domain names can use an international character set. E.g., Chinese contains characters that look like "/". Attack: legitimately register var.cn, buy a legitimate set of HTTPS certificates for it, and then create a subdomain such as www.pnc.com/webapp/unsec/homepage.var.cn, where the slashes are look-alike characters rather than real ones, so the whole thing is one hostname under var.cn.
- Check for the padlock: add a clever favicon with a picture of a padlock.
- Check for the green glow in the address bar.
- Check for everything: Browser-in-Browser.

Spear Phishing
- Targeted phishing that includes details that seemingly must mean it's legitimate. (Yep, this is itself a spear-phishing attack.)

Sophisticated Phishing
- Context-aware phishing: 10% of users fooled. Spoofed email includes info related to a recent eBay transaction/listing/purchase.
- Social phishing: 70% of users fooled. Send spoofed email appearing to be from one of the victim's friends (inferred using social networks).
- West Point experiment: cadets received a spoofed email near the end of the semester: "There was a problem with your last grade report, click here to resolve it." 80% clicked.

CAPTCHAs
- Reverse Turing Test: present the user a challenge that's easy for a human to solve, hard for a program to solve.
- One common approach: distorted text that's difficult for character-recognition algorithms to decipher.

Problems/Issues with CAPTCHAs
- Inevitable arms race: as solving algorithms get better, the defense erodes or gets harder for humans …
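The two "check the URL" pitfalls from the phishing section above, the numeric host that IE silently turned into an IP address and the homograph hostname, as an added example (not from the lecture) of what a link checker or mail filter can do to surface them before a user has to judge the string by eye. The hex value 0xbd5947e3 and its decoding to 189.89.71.227 are the slide's; the function names, the decimal form 3176744931, and the sample hostnames (with U+2215 DIVISION SLASH standing in for whatever look-alike glyph the slide used) are this example's own.

```javascript
// Added example, not from the lecture: surface the hostname tricks that
// defeat a naive "check the URL" habit. Function names and sample inputs
// are this example's own.

// Decode the purely numeric host forms some browsers accepted: hex
// ("0xbd5947e3"), a single decimal integer ("3176744931"), or a dotted quad.
// Returns the dotted quad, or null when the host is not numeric.
function numericHostToIPv4(host) {
  let n;
  if (/^0x[0-9a-f]{1,8}$/i.test(host)) {
    n = parseInt(host.slice(2), 16);
  } else if (/^\d{1,10}$/.test(host)) {
    n = parseInt(host, 10);
  } else if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    return host.split(".").every((o) => Number(o) <= 255) ? host : null;
  } else {
    return null;
  }
  if (n > 0xffffffff) return null; // does not fit in 32 bits
  // Split the 32-bit value into four octets, most significant first.
  return [24, 16, 8, 0].map((shift) => (n >>> shift) & 0xff).join(".");
}

// Human-readable findings about a hostname: a numeric host hides the real
// destination, and a non-ASCII character inside a label may be a look-alike
// for "/" or ".", so what reads as a path is really one long label.
function inspectHostname(host) {
  const findings = [];
  const ip = numericHostToIPv4(host);
  if (ip !== null) findings.push(`numeric host resolves to ${ip}`);
  for (const label of host.split(".")) {
    if (/[^\x00-\x7f]/.test(label)) {
      findings.push(`label "${label}" contains non-ASCII characters`);
    }
  }
  return findings;
}

// The part of the hostname the user should actually read, approximated here
// as the last two labels (enough for .com and .cn, not for suffixes such as
// .co.uk, which a real checker would look up in the public suffix list).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function hostnameDemo() {
  // Constructed sample: the visible string looks like a PNC path, but every
  // "slash" is U+2215, so the browser sees a single label under var.cn.
  const homograph = "www.pnc.com\u2215webapp\u2215unsec\u2215homepage.var.cn";
  return {
    hex: numericHostToIPv4("0xbd5947e3"),     // "189.89.71.227"
    decimal: numericHostToIPv4("3176744931"), // "189.89.71.227"
    plain: inspectHostname("www.ebay.com"),   // []
    homograph: inspectHostname(homograph),    // one finding
    readAs: registrableDomain(homograph),     // "var.cn"
  };
}
```

A checker built this way reports the decoded address and the suspicious label instead of trusting what the link text shows, which is the information the slide says a user cannot reliably extract by looking at the URL.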