Berkeley COMPSCI 161 - Impersonation


Impersonation
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
March 1, 2011

Announcements
• Midterm next Tuesday March 8th
  – Scope is course material up through today
  – You can bring a single sheet of notes
    • Two-sided, viewable w/o assistance
    • (FYI: you might want to keep this for the final)
• My office hours the week of March 7th will be by appointment
• Guest lecture this Thursday (March 3rd), Prof. David Wagner
• Reminder, HW #2 due 5PM on Friday

Goals For Today
• A broad look at the problem of impersonation: threats based on something not being what it appears to be
• Web attacks: misleading users regarding their clicks
• Phishing: misleading users regarding with whom they are interacting
• CAPTCHAs: telling humans apart from “bots”
• Analyzing email headers for legitimacy (time permitting)

Attacks on User Volition
• Browser assumes clicks & keystrokes = clear indication of what the user wants to do
  – Constitutes part of the user’s trusted path
• Attack #1: commandeer the focus of user input
• Attack #2: mislead the user regarding true focus (“click-jacking”)

Click-Jacking
• Demo #1: you think you’re typing to a familiar app, but you’re not (demo)
• Demo #2: you don’t think you’re typing to a familiar app, but you are (demo: “Let’s click here!”)
  – You might click on what the attacker wants no matter where you click! (demo)
• Demo #3: you definitely meant to click somewhere else

Why Does Firefox Make You Wait?
… to keep you from being tricked into clicking!

Defending Against Clickjacking
• Main defense: frame busting
• Web site ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame
  – So user can’t be looking at it with something invisible overlaid on top …
  – … nor have the site invisible above something else
  [Slide annotation on the Twitter demo: the attacker implements this by placing Twitter’s page in a “Frame” inside their own page. Otherwise they wouldn’t overlap.]
• Conceptually implemented with Javascript like:
      if (top.location != self.location)
          top.location = self.location;
• (Note: actually quite tricky to get this right!)

Related UI Sneakiness
• Demo #4: you’ve got a lot on your mind (demo)
  – Tabnabbing
• Demo #5: you’re living in The Matrix
  – “Browser in Browser”: the apparent browser is just a fully interactive image generated by script running in the real browser!

5 Minute Break
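As an added example, not code from the lecture: the robust form of the frame-busting check, written in JavaScript with stand-in window and document objects so the logic can be exercised outside a browser. The page is assumed to ship `<style>html { display: none; }</style>` in its head; the script reveals the document only after confirming it is the top-level window, and otherwise tries to navigate the top window to itself. Hiding first is what makes the difference when an attacker blocks that navigation (a sandboxed iframe without allow-top-navigation, or an onbeforeunload handler that lets the user cancel the navigation): the slide's one-liner leaves the page fully rendered under the overlay, while this version leaves it blank. The in-page script is a fallback in any case; the primary defense is the server sending an X-Frame-Options: DENY (or SAMEORIGIN) header, and, in browsers that support it, a Content-Security-Policy with a frame-ancestors directive, both of which the browser enforces before any page script runs. The `topLevelWindow`, `framedWindow` and `makeDocument` helpers are constructed models rather than browser APIs, and the model represents a refused navigation as a thrown error, where a real browser may instead refuse silently; the try/catch covers both.

```javascript
// Added example (not the lecture's code): frame busting done "hide by default,
// reveal only at top level". The page's <head> is assumed to contain
//     <style>html { display: none; }</style>
// so that nothing is clickable until this script has run its check.

function frameBust(win, doc) {
  // Comparing the window references works even when top is cross-origin:
  // reading win.top.location.href would throw a SecurityError, but comparing
  // window objects and assigning win.top.location are both permitted.
  if (win.self === win.top) {
    doc.documentElement.style.display = 'block';   // not framed: safe to show
    return 'revealed';
  }
  try {
    win.top.location = win.self.location;          // framed: try to bust out
  } catch (e) {
    // Navigation refused (sandbox, onbeforeunload trick, ...). Leave the
    // document hidden so there is nothing under the attacker's overlay.
  }
  return 'hidden';
}

// ---- Constructed stand-ins for window/document (assumptions, not browser APIs) ----

function makeDocument() {
  // Mirrors the effect of the inline <style>: the document starts hidden.
  return { documentElement: { style: { display: 'none' } } };
}

function topLevelWindow() {
  const w = { location: 'https://example.test/app' };
  w.self = w;
  w.top = w;                                       // top-level: self and top coincide
  return w;
}

function framedWindow({ allowTopNavigation }) {
  // A framing page that either permits or blocks navigation of the top window.
  const top = { navigatedTo: null };
  Object.defineProperty(top, 'location', {
    set(url) {
      if (!allowTopNavigation) throw new Error('SecurityError: top navigation blocked');
      top.navigatedTo = url;
    },
  });
  const w = { location: 'https://example.test/app', top };
  w.self = w;
  return w;
}

// Usage: run the three scenarios and report what the user would see.
function demo() {
  const results = {};
  const d1 = makeDocument();
  results.topLevel = [frameBust(topLevelWindow(), d1), d1.documentElement.style.display];
  const w2 = framedWindow({ allowTopNavigation: true });
  const d2 = makeDocument();
  results.framedBustable = [frameBust(w2, d2), d2.documentElement.style.display, w2.top.navigatedTo];
  const w3 = framedWindow({ allowTopNavigation: false });
  const d3 = makeDocument();
  results.framedBlocked = [frameBust(w3, d3), d3.documentElement.style.display, w3.top.navigatedTo];
  return results;
}
```

In the third scenario the busting attempt fails, and the only reason the user is still protected is that the document was never revealed; that ordering, not the comparison itself, is the part the slide warns is tricky.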
Questions Before We Proceed?

Phishing

The Problem of Phishing
• Arises due to mismatch between reality & user’s:
  – Perception of how to assess legitimacy
  – Mental model of what attackers can control
• Both Email and Web
• Coupled with:
  – Deficiencies in how web sites authenticate
    • In particular, “replayable” authentication that is vulnerable to theft
• How can we tell when we’re being phished?

Check the URL before clicking?
      <a href="http://www.ebay.com/" onclick="location='http://hackrz.com/'">
[Slide annotation on a phishing link whose host is written as a bare number: exploits a misfeature in IE that interprets a number here as a 32-bit IP address. 0xbd5947e3 = 189.89.71.227]

      dig -x 189.89.71.227
      ; <<>> DiG 9.6.0-APPLE-P2 <<>> -x 189.89.71.227
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24037
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
      ;; QUESTION SECTION:
      ;227.71.89.189.in-addr.arpa.          IN  PTR
      ;; ANSWER SECTION:
      227.71.89.189.in-addr.arpa.  86400    IN  PTR  227.71.89.189.cliente.interjato.com.br.
      ;; AUTHORITY SECTION:
      71.89.189.in-addr.arpa.      86399    IN  NS   ns2.interjato.com.br.
      71.89.189.in-addr.arpa.      86399    IN  NS   ns1.interjato.com.br.
      ;; Query time: 511 msec
      ;; SERVER: 128.32.153.21#53(128.32.153.21)
      ;; WHEN: Tue Mar  1 17:37:52 2011
      ;; MSG SIZE  rcvd: 132

      whois 189.89.71.227
      # The following results may also be obtained via:
      # http://whois.arin.net/rest/nets;q=189.89.71.227?showDetails=true&showARIN=false
      NetRange:    189.0.0.0 - 189.255.255.255
      CIDR:        189.0.0.0/8
      OriginAS:
      NetName:     NET189
      NetHandle:   NET-189-0-0-0-1
      Parent:
      NetType:     Allocated to LACNIC
      ...
      inetnum:     189.89.64/20
      aut-num:     AS28184
      abuse-c:     EMR5
      owner:       TECHNET NETWORKING LTDA
      ownerid:     000.872.797/0001-17
      responsible: Erich matos Rodrigues
      country:     BR

Check the URL in address bar?

Homograph Attacks
• International domain names can use international character set
  – E.g., Chinese contains characters that look like / . ? =
• Attack: Legitimately register var.cn …
• … buy legitimate set of HTTPS certificates for it …
• … and then create a subdomain: www.pnc.com⁄webapp⁄unsec⁄homepage.var.cn

Check for padlock?
→ Add a clever .favicon with a picture of a padlock

Check for “green glow” in address bar?

Check for everything?
“Browser in Browser”

“Spear Phishing”
Targeted phishing that includes details that seemingly must mean it’s legitimate
Yep, this is itself a spear-phishing attack!

Sophisticated phishing
• Context-aware phishing – 10% users fooled
  – Spoofed email includes info related to a recent eBay transaction/listing/purchase
• Social phishing – 70% users fooled
  – Send spoofed
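As an added example covering the two “check the URL” tricks from the phishing slides (the numeric-host misfeature and the homograph subdomain), and not part of the lecture: a small JavaScript link auditor. `parseIPv4Host` implements the IPv4 host rules that browsers apply, which goes beyond the slide's single hex case to the forms a phisher can equally use: hex (0x…), leading-zero octal, plain decimal, and short dotted forms where the last component fills the remaining bytes; it turns 0xbd5947e3 into 189.89.71.227 and catches the decimal and octal spellings of the same address. `auditHost` then flags non-ASCII characters that imitate URL delimiters and reports the registrable domain, which for www.pnc.com⁄webapp⁄unsec⁄homepage.var.cn is var.cn. `hostOfUrl` extracts the host with a regular expression rather than `new URL()` on purpose, because the WHATWG parser would canonicalize the numeric form before you could see it; it also handles the userinfo trick (`http://www.ebay.com@hackrz.com/`). Assumptions: the lookalike table is a hand-picked subset (a real deployment should use the Unicode confusables data), and the registrable-domain rule of “last two labels” is a simplification that ignores the Public Suffix List; the sample hosts in the usage function are constructed for illustration.

```javascript
// Added example (not from the lecture): decode obfuscated IPv4 hosts and flag
// delimiter-lookalike characters in hostnames, two ways a phishing URL can look
// legitimate at a glance.

// Hand-picked subset (an assumption, not a complete list) of Unicode characters
// that resemble URL delimiters. U+2044 FRACTION SLASH is the one in the slide's
// www.pnc.com⁄webapp⁄unsec⁄homepage.var.cn example.
const DELIMITER_LOOKALIKES = {
  '\u2044': '/', '\u2215': '/', '\uFF0F': '/',   // fraction slash, division slash, fullwidth solidus
  '\u3002': '.', '\uFF0E': '.', '\u2024': '.',   // ideographic full stop, fullwidth full stop, one dot leader
  '\uFF1F': '?', '\uFF1D': '=',                  // fullwidth question mark, fullwidth equals sign
};

// Returns the canonical dotted quad if `host` is something a browser treats as an
// IPv4 address (hex, octal, decimal, or 1-4 dotted components where the last one
// fills the remaining bytes); otherwise null.
function parseIPv4Host(host) {
  const parts = host.split('.');
  if (parts.length > 1 && parts[parts.length - 1] === '') parts.pop(); // trailing dot is allowed
  if (parts.length < 1 || parts.length > 4) return null;

  const nums = [];
  for (const p of parts) {
    let n;
    if (/^0[xX][0-9a-fA-F]*$/.test(p)) {
      n = p.length === 2 ? 0 : parseInt(p.slice(2), 16);   // hex; a bare "0x" is 0
    } else if (/^0[0-9]+$/.test(p)) {
      if (!/^0[0-7]+$/.test(p)) return null;               // leading zero means octal; 8/9 invalid
      n = parseInt(p.slice(1), 8);
    } else if (/^[0-9]+$/.test(p)) {
      n = parseInt(p, 10);                                 // plain decimal
    } else {
      return null;                                         // a real label, not a number
    }
    nums.push(n);
  }

  // Every component but the last is one byte; the last fills whatever is left.
  for (let i = 0; i < nums.length - 1; i++) if (nums[i] > 255) return null;
  const remaining = 5 - nums.length;                       // bytes covered by the last component
  if (nums[nums.length - 1] >= 256 ** remaining) return null;

  let value = 0;
  for (let i = 0; i < nums.length - 1; i++) value = value * 256 + nums[i];
  value = value * 256 ** remaining + nums[nums.length - 1];
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Simplification (assumption): the registrable domain is the last two labels
// split on a real ASCII dot. Production code should use the Public Suffix List.
function registrableDomain(host) {
  const labels = host.split('.').filter(Boolean);
  return labels.length >= 2 ? labels.slice(-2).join('.') : host;
}

function auditHost(host) {
  const lookalikes = [];
  for (const ch of host) {
    if (DELIMITER_LOOKALIKES[ch]) {
      const cp = ch.codePointAt(0).toString(16).toUpperCase();
      lookalikes.push(`${ch} (U+${cp}) looks like '${DELIMITER_LOOKALIKES[ch]}'`);
    }
  }
  const numericAddress = parseIPv4Host(host);
  return {
    host,
    numericAddress,                                 // dotted quad or null
    registrableDomain: registrableDomain(host),     // who actually owns this name
    lookalikes,
    suspicious: numericAddress !== null || lookalikes.length > 0,
  };
}

// Extract the host from an absolute URL as written. `new URL()` would already
// turn 0xbd5947e3 into 189.89.71.227, which hides what the user was shown.
// The optional userinfo group means http://www.ebay.com@hackrz.com/ yields hackrz.com.
function hostOfUrl(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]+)/i.exec(url);
  return m ? m[1] : null;
}

// Usage over constructed sample links.
function auditLinks(urls) {
  return urls.map((u) => auditHost(hostOfUrl(u)));
}
```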

