Phishing
Jan 24, 2016
Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that is considered secret in the application layer?
The human factor of security
• Configuration
• Neglect
• Deceit
The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion of Wireless Home Routers” (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
Wireless firmware update
Shows that more than 50% of APs are vulnerable
Warkitting: wardriving + rootkitting
The human factor: configuration
Weak passwords
With Stamm, Ramzan: “Drive-By Pharming” (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable, Feb 21; we think all APs but Apple’s are at risk. Firmware update tested on only a few. Paper in submission)
Wireless nvram value setting: “Use DNS server x.x.x.x”
And worse: geographic spread!
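The drive-by pharming slide describes the attack only in outline: a page the victim visits makes the browser send a configuration request to the home router, authenticated with the router's factory-default password, that rewrites the nvram DNS setting. The following is an added example, not code from the slides or from the Stamm/Ramzan/Jakobsson paper: a constructed model of such a router's "set DNS server" endpoint in its vulnerable and hardened forms, driven by the request a malicious page can cause. The LAN address, default credentials, attacker origin, token value and resolver addresses are all assumptions of this example.

```python
from base64 import b64encode
from dataclasses import dataclass

ROUTER_ORIGIN = "http://192.168.1.1"          # assumed LAN admin address (constructed)
DEFAULT_CREDS = ("admin", "admin")            # assumed factory default (constructed)
ATTACKER_ORIGIN = "http://attacker.example"   # constructed, for the simulation only


def basic_auth(user: str, password: str) -> str:
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class Router:
    """Minimal model of a home router's 'set DNS server' admin endpoint."""
    dns_server: str = "192.168.1.1"            # resolver the router hands to LAN clients
    password: str = DEFAULT_CREDS[1]
    csrf_token: str = "c0ffee"                 # constructed; a real one is random per session

    def _authenticated(self, headers: dict) -> bool:
        return headers.get("Authorization") == basic_auth("admin", self.password)

    def vulnerable_set_dns(self, method: str, headers: dict, params: dict) -> int:
        """Typical firmware of the period: any authenticated request changes nvram."""
        if not self._authenticated(headers):
            return 401
        self.dns_server = params["dns"]        # "Use DNS server x.x.x.x"
        return 200

    def hardened_set_dns(self, method: str, headers: dict, params: dict) -> int:
        """Same endpoint with the checks that stop a cross-site request."""
        if not self._authenticated(headers):
            return 401
        if method != "POST":                                # no side effects on GET
            return 405
        if headers.get("Origin") != ROUTER_ORIGIN:          # set by the browser, not the page
            return 403
        if params.get("csrf_token") != self.csrf_token:     # readable only by same-origin pages
            return 403
        self.dns_server = params["dns"]
        return 200


def drive_by_request(method: str, dns: str) -> dict:
    """What a malicious page can make the victim's browser send to the router.

    GET: an <img src="http://admin:admin@192.168.1.1/..."> tag.
    POST: an auto-submitted form; the browser then adds the attacker's Origin.
    In neither case can the page read the router's CSRF token.
    """
    headers = {"Authorization": basic_auth(*DEFAULT_CREDS)}
    if method == "POST":
        headers["Origin"] = ATTACKER_ORIGIN
    return {"method": method, "headers": headers, "params": {"dns": dns}}


def legitimate_request(router: Router, dns: str) -> dict:
    """The owner changing the setting from the router's own admin page."""
    return {
        "method": "POST",
        "headers": {"Authorization": basic_auth("admin", router.password),
                    "Origin": ROUTER_ORIGIN},
        "params": {"dns": dns, "csrf_token": router.csrf_token},
    }


def run_scenarios() -> dict:
    """DNS setting of each router after a visit to the attacker's page."""
    rogue = "203.0.113.53"                     # documentation address standing in for the attacker's resolver
    results = {}

    r = Router()                               # default password, no CSRF checks
    r.vulnerable_set_dns(**drive_by_request("GET", rogue))
    results["vulnerable_default_pw"] = r.dns_server       # hijacked

    r = Router(password="correct horse battery staple")   # only the password changed
    r.vulnerable_set_dns(**drive_by_request("GET", rogue))
    results["vulnerable_strong_pw"] = r.dns_server        # survives: 401

    r = Router()                               # default password, hardened handler
    for method in ("GET", "POST"):
        r.hardened_set_dns(**drive_by_request(method, rogue))
    results["hardened_default_pw"] = r.dns_server         # survives: 405 / 403

    r.hardened_set_dns(**legitimate_request(r, "192.0.2.53"))
    results["hardened_admin_change"] = r.dns_server       # legitimate change still works
    return results


if __name__ == "__main__":
    for name, dns in run_scenarios().items():
        print(f"{name:24s} dns_server = {dns}")
```

Browsers of 2007 did not send an Origin header, so in the hardened handler it is the token check that actually blocks the attack; the Origin check is defence in depth. The second scenario shows the user-side fix the "weak passwords" point implies: with a non-default password the drive-by request fails even against unpatched firmware.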
The human factor: neglect
The human factor: deceit
(Threaten/disguise - image credit to Ben Edelman)
The human factor: deceit
Self: “Modeling and Preventing Phishing Attacks” (Panel, Financial Crypto, 2005; notion of spear phishing)
With Jagatic, Johnson, Menczer: “Social Phishing” (Communications of the ACM, Oct 2007)
With Finn, Johnson: “Why and How to Perform Fraud Experiments” (IEEE Security and Privacy, March/April 2008)
Experiment Design
Gender Effects
Success rate by sender and recipient gender:
              To Male   To Female   To Any
From Male       53%       78%        68%
From Female     68%       76%        73%
From Any        65%       77%        72%
Ethical and accurate assessments
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
[Diagram: Reality. Parties A, B and eBay; messages 1, 2, 4; step 3: credentials]
[Diagram: Attack. Parties A, B; message 1 (spoof); step 2: credentials]
[Diagram: Experiment. Parties A, B and eBay; messages 1, 2, 5; step 3 (spoof); step 4: credentials]
Yield (incl spam filtering loss): 11% + 3% … “eBay greeting” removed: same-
Mutual authentication in the “real world”
With Tsow, Shah, Blevis, Lim: “What Instills Trust? A Qualitative Study of Phishing” (Abstract at Usable Security, 2007)
starting with 4901
How does the typical Internet user identify phishing?
Spear Phishing and Data Mining
Current attack style: approx. 3% of adult Americans report having been victimized.
More sophisticated attack style: the “context aware attack”
How can information be derived?
Jane Smith, Jose Garcia … and little Jimmy Garcia
Jane Garcia, Jose Garcia
Let’s start from the end!
“Little” Jimmy → his parents → their marriage license → Jimmy’s mother’s maiden name: Smith
More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
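The Garcia/Smith walkthrough is a record-linkage join: a birth index gives the child's parents under the mother's married name, a marriage index gives the same couple with the bride's maiden name. As an added example (not code or data from the slides or from the Griffith/Jakobsson paper), the function below performs that join over two constructed indexes, keeps ambiguous matches ranked by evidence rather than discarding them, and is written generally enough to run over any records of the same shape. Record contents, field names and the scoring rule are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Birth:
    child: str
    father: str
    mother: str      # recorded under her married name
    year: int
    county: str


@dataclass(frozen=True)
class Marriage:
    groom: str
    bride: str       # recorded under her maiden name
    year: int
    county: str


# Constructed stand-ins for two public indexes.  The Garcia/Smith rows follow
# the slide's walkthrough; every other row is invented.
BIRTHS = [
    Birth("Jimmy Garcia", "Jose Garcia", "Jane Garcia", 1990, "Travis"),
    Birth("Ana Garcia", "Luis Garcia", "Maria Garcia", 1988, "Harris"),
    Birth("Tom Lee", "Sam Lee", "Kim Lee", 1992, "Travis"),
]
MARRIAGES = [
    Marriage("Jose Garcia", "Jane Smith", 1985, "Travis"),
    Marriage("Jose Garcia", "Jane Miller", 1970, "Harris"),   # a different Jose Garcia
    Marriage("Luis Garcia", "Maria Lopez", 1980, "Harris"),
    Marriage("Sam Lee", "Kim Park", 1989, "Travis"),
]


def first_name(full: str) -> str:
    return full.split()[0].lower()


def surname(full: str) -> str:
    return full.split()[-1]


def maiden_name_candidates(child, births=BIRTHS, marriages=MARRIAGES, window=20):
    """'Start from the end': child -> parents on the birth record -> the
    marriage that produced that couple -> the bride's maiden surname.

    Returns [(surname, evidence_score), ...], best first.  Ambiguity is kept
    rather than hidden: password-reset forms usually allow several attempts,
    so an attacker simply tries the candidates in order.
    """
    evidence = Counter()
    for b in births:
        if b.child != child:
            continue
        for m in marriages:
            if m.groom != b.father:
                continue                           # not this father
            if first_name(m.bride) != first_name(b.mother):
                continue                           # bride's first name must match the mother's
            if not (b.year - window <= m.year < b.year):
                continue                           # marriage must precede the birth
            evidence[surname(m.bride)] += 1 + (m.county == b.county)  # same county: stronger
    return evidence.most_common()


def best_guess(child):
    ranked = maiden_name_candidates(child)
    return ranked[0][0] if ranked else None


if __name__ == "__main__":
    for child in ("Jimmy Garcia", "Ana Garcia", "Tom Lee"):
        print(child, "->", maiden_name_candidates(child))
```

The point for password-reset design is that the "secret" answer is a deterministic function of records anyone can query; the only uncertainty is the ambiguity of the join, and a few allowed attempts absorb that.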
www.browser-recon.info
Approximate price list:
• PayPal user id + password: $1
• + challenge questions: $15
Why?
Password Reset: Typical Questions
• Make of your first car
• Mother’s maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister’s best friend
• Name of your pet
• How much wood would a woodchuck …
Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford had >25% market share
• First name of your best friend?
– 10% of males are named James (Jim), John, or Robert (Bob or Rob), and Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online
Problem 2: People Forget
• Name of the street you grew up on?
– There may have been more than one
• First name of your best friend / your sister’s best friend?
– Friends change; what if you have no sister?
• City in which you were born?
– NYC? New York? New York City? Manhattan? The Big Apple?
• People lie to increase security … then forget!
Intuition
Preference-based authentication:
• preferences are more stable than long-term memory (confirmed by psychology research)
• preferences are rarely documented (in contrast to city of birth, brand of first car, etc.) … especially dislikes!
Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at I-forgot-my-password.com
Our Approach (2)
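The "Our Approach" slides give only the demo link, so the following is an added sketch of how a preference-based reset works end to end: enrollment stores which catalog items the user likes and dislikes, authentication shows those items shuffled, and a score tolerant of a few lapses decides. It also quantifies the "Problem 1" comparison: against a single question like make of first car an attacker guesses right about one time in four, whereas coin-flipping sixteen preferences rarely clears the threshold. This is example code, not the Blue Moon Authentication demo's; the catalog, scoring rule, threshold and the absence of decoy items are assumptions made here.

```python
import random
from math import comb

# Constructed catalog of things a user can like or dislike.
CATALOG = [
    "jazz", "camping", "sushi", "opera", "video games", "running", "cats",
    "gardening", "horror movies", "crosswords", "skiing", "karaoke",
    "spicy food", "poetry", "chess", "soccer", "knitting", "sailing",
]


def enroll(likes, dislikes):
    """Enrollment: the user picks items they like and items they dislike.
    The stored profile plays the role of the password; unlike a maiden name
    or a first car it is written down in no public record."""
    likes, dislikes = frozenset(likes), frozenset(dislikes)
    if likes & dislikes or not (likes | dislikes) <= set(CATALOG):
        raise ValueError("likes and dislikes must be disjoint catalog items")
    return {"likes": likes, "dislikes": dislikes}


def challenge(profile, rng):
    """Authentication: present the enrolled items shuffled, with no hint of
    which were likes.  (A fuller scheme also mixes in decoys; omitted here.)"""
    items = sorted(profile["likes"] | profile["dislikes"])
    rng.shuffle(items)
    return items


def score(profile, answers):
    """+1 per item classified as enrolled, -1 per misclassified item,
    0 for 'neutral' (no opinion).  Scoring rule is an assumption."""
    total = 0
    for item, answer in answers.items():
        if answer == "neutral":
            continue
        truth = "like" if item in profile["likes"] else "dislike"
        total += 1 if answer == truth else -1
    return total


def authenticate(profile, answers, threshold):
    return score(profile, answers) >= threshold


def random_guess_success(n_items, threshold):
    """Probability that an attacker labelling each item like/dislike by coin
    flip reaches the threshold.  With k correct of n the score is
    k - (n - k) = 2k - n, so the attacker needs k >= (n + threshold) / 2."""
    k_min = -(-(n_items + threshold) // 2)                 # ceiling division
    passing = sum(comb(n_items, k) for k in range(k_min, n_items + 1))
    return passing / 2 ** n_items


def demo():
    rng = random.Random(1)                                 # fixed seed: reproducible shuffle
    profile = enroll(
        likes=["jazz", "camping", "sushi", "cats", "chess", "poetry", "skiing", "soccer"],
        dislikes=["opera", "karaoke", "running", "gardening",
                  "horror movies", "knitting", "sailing", "crosswords"],
    )
    items = challenge(profile, rng)
    threshold = 12                                         # 16 items: two errors allowed (14 - 2)

    truth = {it: ("like" if it in profile["likes"] else "dislike") for it in items}
    honest = dict(truth)                                   # forgets two items, says 'neutral'
    for it in items[:2]:
        honest[it] = "neutral"
    sloppy = dict(truth)                                   # gets three items wrong: 13 - 3 = 10
    for it in items[:3]:
        sloppy[it] = "dislike" if truth[it] == "like" else "like"
    attacker = {it: "like" for it in items}                # no knowledge: 8 right, 8 wrong

    return {
        "honest_passes": authenticate(profile, honest, threshold),
        "sloppy_passes": authenticate(profile, sloppy, threshold),
        "attacker_passes": authenticate(profile, attacker, threshold),
        "attacker_score": score(profile, attacker),
        "coin_flip_success": random_guess_success(len(items), threshold),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:20s} {value}")
```

With sixteen items and two tolerated errors, coin-flip guessing succeeds with probability 137/65536 (about 0.2%), against roughly 25% for the first-car question on the data-mining slide; raising the item count or lowering the tolerance trades usability for a smaller number, and `random_guess_success` lets you price that trade before fixing the threshold.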
And next?
http://www.democratic-party.us/LiveEarth
Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenID
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal