SpoofingIntroductionWhat is Spoofing?Security Relevant DecisionsContextContext Spoofing (Examples)Context SpoofingConsequencesWhat is Web Spoofing?Web Spoofing AttackHow does the Attack Work?Slide 12Slide 13Forms“Secure” ConnectionsStarting the AttackCompleting the IllusionStatus LineLocation LineViewing Document SourceTracing the AttackerWhat can we do?Slide 23Slide 24ResourcesSpoofingRafael Sabino10/28/2004Introduction•What is spoofing?•Context and Security relevant decisions•Phishing•Web spoofing•RemediesWhat is Spoofing?•Dictionary.com definitions:–To deceive–A hoaxSecurity Relevant Decisions•Decisions that can lead to undesirable results•Examples•Accepting data as being true and accurateContext•The browser, text, and pictures•Names of objects•Timing of eventsContext Spoofing (Examples)•http://www.antiphishing.org/phishing_archive.htmlContext Spoofing •Spoofed emails have upwards of 20% success rates•Costs billions of dollars to the industry•Brand names attacked:7. Bestbuy8. Microsoft MSN9. FBI1. Citigroup2. Wachovia3. Bank of America4. Yahoo!5. Ebay6. PaypalConsequences•Unauthorized Surveillance•Tampering•Identity theftWhat is Web Spoofing?•Creating a shadow copy of the world wide web•Shadow copy is funneled through attackers machine•Data tamperingWeb Spoofing Attack•The physical world can also be spoofed•Security relevant decisions and contextHow does the Attack Work?•Step : 1 Rewriting the URL:•Example:–home.netscape.com–www.attacker.com/http://home.netscape.comHow does the Attack Work?1. Request Spoof URLwww.attacker.orgwww.server.com2. Request real URL3. Real Pagecontents4. Change page5. Spoofed pageHow does the Attack Work?•Once attacker server obtains the real URL, it modifies all links•Rewritten page is provided to victim’s browser•This funnels all information•Is it possible to spoof the whole web?Forms•Submitted data goes to the attackers server•Allows for tampering•Attacker can also modify returned data“Secure” Connections•Everything will work the same•Secure connection indicator will be turned on•Secure connection is with attacker’s server•“Secure” connections are a false sense of securityStarting the Attack•Put links in popular places•Emails•Search EnginesCompleting the Illusion•There are cues that can destroy the illusion:–Status line–Location line–Viewing document source•These can be virtually eliminatedStatus Line•Displays URL links points to•Displays name of server being contacted•JavaScript is the solutionLocation Line•Displays URL of current page•User can type in any URL•JavaScript is the solutionViewing Document Source•Menu bar allows user to see pages’ source•JavaScript can be used to create a fake menu barTracing the Attacker•Is possible if attacker uses his/her own machine•Stolen computers are used to launch attacks•Hacked computers are used as wellWhat can we do?•Short term solution:–JavaScript–Location line is visible–Pay attention to location line•Be selective with your featuresWhat can we do?•Do not reply to or click on a link that will lead you to a webpage asking you for info.•Look for the presence of a padlock and https://. Both most be present for a connection to be secure•Keep up with updatesWhat can we do?•Check your bank / credit card statements•To report suspicious activity, send email to Federal Trade Commision: [email protected]•If you are a victim, file a complaint at www.ftc.govResources•www.antiphishing.com•http://www.cs.princeton.edu/sip/pub/spoofing.html•Gary McGraw and Edward W. Felten. Java Security: Hostile Applets, Holes and Antidotes. John Wiley and Sons, New York,
View Full Document