Stanford CS 155 - Phishing


Slide 1: Phishing
[email protected]

Slide 2: Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that is considered secret in the application layer?

Slide 3: The human factor of security
Configuration, Neglect, Deceit

Slide 4: The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion of Wireless Home Routers” (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
Wireless firmware update
Shows that more than 50% of APs are vulnerable
Wardriving, rootkitting

Slide 5: The human factor: configuration (continued)
Weak passwords
With Stamm, Ramzan: “Drive-By Pharming” (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple’s are at risk. Firmware update tested on only a few. Paper in submission)
Wireless nvram value setting: “Use DNS server x.x.x.x”
And worse: geographic spread!

Slide 6: The human factor: neglect

Slide 7: The human factor: deceit
(Threaten/disguise; image credit to Ben Edelman)

Slide 8: The human factor: deceit (continued)
Self: “Modeling and Preventing Phishing Attacks” (Panel, Financial Crypto, 2005; notion of spear phishing)
With Jagatic, Johnson, Menczer: “Social Phishing” (Communications of the ACM, Oct 2007)
With Finn, Johnson: “Why and How to Perform Fraud Experiments” (IEEE Security and Privacy, March/April 2008)

Slide 9: Experiment Design

Slide 10: Gender Effects
Success rate of the social phishing message by sender and recipient gender (chart reconstructed from the slide data):

Success Rate    To Male    To Female    To Any
From Male       53%        78%          68%
From Female     68%        76%          73%
From Any        65%        77%          72%

Slide 11: (figure: parties A and B, eBay)

Slide 12: Ethical and accurate assessments
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
Reality: A, B; steps 1, 2, 4; 3 credentials

Slide 13: Ethical and accurate assessments (continued)
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
Attack: A, B; 1 (spoof), 2 credentials

Slide 14: Ethical and accurate assessments (continued)
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
Experiment: A, eBay; 1, 2, 3 (spoof), 4 credentials
Yield (incl. spam filtering loss): 11% + 3% …
“eBay greeting” removed: same

Slide 15: Mutual authentication in the “real world”
With Tsow, Shah, Blevis, Lim: “What Instills Trust? A Qualitative Study of Phishing” (Abstract at Usable Security, 2007)
Starting with 4901

Slide 16: How does the typical Internet user identify phishing?

Slide 17: Spear Phishing and Data Mining
Current attack style: approx. 3% of adult Americans report having been victimized.

Slide 18: Spear Phishing and Data Mining
More sophisticated attack style: “context aware attack”

Slide 19: How can information be derived?
Jane Smith, Jose Garcia … and little Jimmy Garcia
Jane Garcia, Jose Garcia

Slide 20: Let’s start from the end!
“Little” Jimmy, his parents, their marriage license, and Jimmy’s mother’s maiden name: Smith

Slide 21: More reading
Griffith and Jakobsson, “Messin’ with Texas: Deriving Mother’s Maiden Names Using Public Records.”
www.browser-recon.info

Slide 22: Approximate price list:
PayPal user id + password: $1
+ challenge questions: $15
Why?

Slide 23: Password Reset: Typical Questions
• Make of your first car
• Mother’s maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister’s best friend
• Name of your pet
• How much wood would a woodchuck …

Slide 24: Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford had >25% market share
• First name of your best friend?
– 10% of males named James (Jim), John, or Robert (Bob or Rob) + Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online

Slide 25: Problem 2: People Forget
• Name of the street you grew up on?
– There may have been more than one
• First name of your best friend / sister’s best friend?
– Friends change; what if you have no sister?
• City in which you were born?
– NYC? New York? New York City? Manhattan? The Big Apple?
• People lie to increase security … then forget!

Slide 26: Intuition
Preference-based authentication:
• preferences are more stable than long-term memory (confirmed by psychology research)
• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!

Slide 27: Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com

Slide 28: Our Approach (2)

Slide 29: And next?
http://www. democratic-party.us/LiveEarth

Slide 30: Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenId
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal

Slide 31: Interesting?
Internships at PARC / meet over coffee /
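Slides 22 and 24 argue that challenge-question answers are worth far more to a criminal than the password they protect because the answer distributions are skewed: a handful of popular answers cover a large share of users. The Python below is an added example, not code from the lecture or its authors, that turns that argument into a measurement a defender can run over their own reset-question statistics before deciding how many attempts to allow. The frequency tables are constructed for illustration; the only figures taken from the slides are Ford at 25% of first cars and the combined 10% share of James, John and Robert among male first names. Function names and the independence assumption between questions are mine.

```python
"""Measure how guessable a set of password-reset questions is.

Added example for the CS 155 phishing lecture; not from the slides.
"""
import math
from typing import Dict, Sequence

# Constructed answer-frequency tables: fraction of users giving each answer.
# Ford at 0.25 and James/John/Robert summing to 0.10 come from the slides;
# every other entry is illustrative. A defender would fill these from real
# answer statistics. Mass not listed belongs to a long tail of rarer answers.
CAR_MAKE = {"Ford": 0.25, "Chevrolet": 0.15, "Toyota": 0.10, "Honda": 0.08}
BEST_FRIEND_FIRST_NAME = {"James": 0.04, "John": 0.03, "Robert": 0.03, "Michael": 0.02}
PET_NAME = {"Max": 0.03, "Buddy": 0.025, "Bella": 0.025, "Charlie": 0.02}


def top_k_success(dist: Dict[str, float], k: int) -> float:
    """Probability that the user's answer is among the k most common ones.

    This is the realistic online metric: a reset form that locks after k
    wrong tries still accepts the k most popular answers as guesses.
    """
    return sum(sorted(dist.values(), reverse=True)[:k])


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Min-entropy: -log2 of the single most likely answer."""
    return -math.log2(max(dist.values()))


def combined_guess_success(dists: Sequence[Dict[str, float]], k: int) -> float:
    """Chance that k guesses per question clear every question in the set.

    Treats questions as independent, which is optimistic for the defender:
    real answers correlate (region, age cohort), so this is a lower bound
    on the risk.
    """
    p = 1.0
    for d in dists:
        p *= top_k_success(d, k)
    return p


def combined_min_entropy_bits(dists: Sequence[Dict[str, float]]) -> float:
    """Min-entropy of the whole set under the same independence assumption."""
    return sum(min_entropy_bits(d) for d in dists)


def password_min_entropy_bits(alphabet_size: int, length: int) -> float:
    """Min-entropy of a uniformly random password, for comparison."""
    return length * math.log2(alphabet_size)


def assess(dists: Sequence[Dict[str, float]], k: int = 3) -> Dict[str, float]:
    """Summarise a question set the way a reviewer of a reset flow would."""
    return {
        "questions": len(dists),
        "attempts_per_question": k,
        "success_with_k_guesses": combined_guess_success(dists, k),
        "min_entropy_bits": combined_min_entropy_bits(dists),
        "random_8_char_lowercase_bits": password_min_entropy_bits(26, 8),
    }


if __name__ == "__main__":
    for name, value in assess([CAR_MAKE, BEST_FRIEND_FIRST_NAME, PET_NAME]).items():
        print(f"{name}: {value}")
```

With three attempts per question, the three constructed questions together give a 0.4% per-account success rate to a guesser who knows nothing but the popularity tables, and about 11.7 bits of min-entropy against 37.6 bits for an 8-character random lowercase password. That gap is the quantitative form of the slide's point that challenge questions, not passwords, are the weak link, and it argues for treating reset questions as a second factor at most, or replacing them as the preference-based approach on slide 26 proposes.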

