Phishing - PowerPoint PPT Presentation

About This Presentation
Title:

Phishing

Description:

E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman ... How much wood would a woodchuck ... Problem 1: Data Mining. Make of your first car? ... – PowerPoint PPT presentation

Slides: 32
Provided by: tg17

Transcript and Presenter's Notes

Title: Phishing


1
Phishing
  • markus.jakobsson_at_parc.com

2
Conventional Aspects of Security
  • Computational assumptions
    • E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
  • Adversarial model
    • E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
  • Verification methods
    • Cryptographic reductions to assumptions, BAN logic
  • Implementation aspects
    • E.g., will the communication protocol leak information that is considered secret in the application layer?

3
The human factor of security
(Diagram: neglect, deceit and configuration as the three human-factor routes to a successful attack)
4
The human factor: configuration
  • Weak passwords
  • With Tsow, Yang, Wetzel: "Warkitting: the Drive-by Subversion of Wireless Home Routers"
    (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)

(Diagram: wardriving + rootkitting = warkitting, delivered as a wireless firmware update)
Shows that more than 50% of APs are vulnerable
5
The human factor: configuration
  • Weak passwords
  • With Stamm, Ramzan: "Drive-By Pharming"
    (Symantec press release, Feb 15, 2007; top story on Google Tech news on Feb 17; Cisco warns their 77 APs are vulnerable; Feb 21: we think all APs but Apple's are at risk. Firmware update tested on only a few. Paper in submission)

(Diagram: wireless nvram value setting, "Use DNS server x.x.x.x"; and worse: geographic spread!)
6
The human factor: neglect
7
The human factor: deceit
(Threaten/disguise - image credit to Ben Edelman)
8
The human factor: deceit
  • Self: "Modeling and Preventing Phishing Attacks" (Panel, Financial Crypto, 2005 - notion of spear phishing)
  • With Jagatic, Johnson, Menczer: "Social Phishing" (Communications of the ACM, Oct 2007)
  • With Finn, Johnson: "Why and How to Perform Fraud Experiments" (IEEE Security and Privacy, March/April 2008)
9
Experiment Design
10
Gender Effects
11
(No Transcript)
12
Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
(Diagram, "Reality": parties A and B, steps 1-4, credentials exchanged at step 3)
13
Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
(Diagram, "Attack": parties A and B, step 1 spoof, step 2 credentials)
14
Ethical and accurate assessments
With Ratkiewicz: "Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features" (WWW, 2006)
(Diagram, "Experiment": parties A and B, steps 1-5, step 3 spoof, step 4 credentials)
Yield (incl. spam filtering loss): 11 / 3
eBay greeting removed: same / -
15
Mutual authentication in the real world
With Tsow, Shah, Blevis, Lim: "What Instills Trust? A Qualitative Study of Phishing" (Abstract at Usable Security, 2007)
16
How does the typical Internet user identify
phishing?
17
Spear Phishing and Data Mining: current attack style
Approx. 3% of adult Americans report having been victimized.
18
Spear Phishing and Data Mining: more sophisticated attack style
(context-aware attack)
19
How can information be derived?
Jose Garcia
Jane Smith
20
Let's start from the end!
Little Jimmy
More reading: Griffith and Jakobsson, "Messin' with Texas: Deriving Mother's Maiden Names Using Public Records."
21
www.browser-recon.info
22
Approximate price list
  • PayPal user id + password: 1
  • challenge questions: 15

Why?
23
Password Reset: Typical Questions
  • Make of your first car
  • Mother's maiden name
  • City of your birth
  • Date of birth
  • High school you graduated from
  • First name of your / your sister's best friend
  • Name of your pet
  • How much wood would a woodchuck

24
Problem 1: Data Mining
  • Make of your first car?
    • Until 1998, Ford had >25% market share
  • First name of your best friend?
    • 10% of males are named James (Jim), John, or Robert (Bob or Rob); Facebook does not help
  • Name of your first / favorite pet?
    • Top pet names are online

25
Problem 2: People Forget
  • Name of the street you grew up on?
    • There may have been more than one
  • First name of your best friend / sister's best friend?
    • Friends change; what if you have no sister?
  • City in which you were born?
    • NYC? New York? New York City? Manhattan? The Big Apple?
  • People lie to increase security, then forget!

26
Intuition
  • Preference-based authentication
    • preferences are more stable than long-term memory (confirmed by psychology research)
    • preferences are rarely documented (in contrast to city of birth, brand of first car, etc.), especially dislikes!

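An added illustration (not from the slides, and not Blue Moon Authentication's own implementation) that puts numbers on Problem 1 and on the preference-based intuition above: how far the quoted population statistics alone carry an attacker past knowledge questions, versus the random-guess and legitimate-user pass rates of a simplified like/dislike scheme with a match threshold. The 16-item / 14-match parameters and the 0.9 recall figure are assumptions.

```python
from math import comb

# Constructed mapping (not a dataset): each value is the chance the true
# answer is on an attacker's guess list, using the figures quoted on the
# slides: Ford held >25% of the market until 1998 (one guess), and about
# 10% of males are named James, John or Robert (three guesses).
KNOWLEDGE_QUESTIONS = {
    "make of first car": 0.25,
    "first name of best friend": 0.10,
}


def knowledge_reset_success(questions=KNOWLEDGE_QUESTIONS):
    """Chance that population statistics alone (no data mining on the
    victim) pass a reset form that requires every question to be answered."""
    p = 1.0
    for share in questions.values():
        p *= share
    return p


def binomial_tail(n, threshold, p):
    """P(at least `threshold` of n independent trials succeed, each with prob p)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(threshold, n + 1))


def preference_rates(n_items=16, threshold=14, legit_recall=0.9):
    """Binary like/dislike scheme: (random-guess pass rate, legitimate-user
    pass rate). An attacker who finds nothing documented about the user's
    tastes is at p=0.5 per item; legit_recall=0.9 is an assumed stability
    figure (the slides only claim preferences beat long-term memory)."""
    return (binomial_tail(n_items, threshold, 0.5),
            binomial_tail(n_items, threshold, legit_recall))


def verify_preferences(enrolled, answers, threshold):
    """Accept when the user's classification of the enrolled items matches
    at least `threshold` of the stored like/dislike labels."""
    matches = sum(1 for item, label in enrolled.items()
                  if answers.get(item) == label)
    return matches >= threshold


# Constructed enrolment: 16 items whose labels alternate like/dislike.
ENROLLED = {f"item{i}": ("like" if i % 2 == 0 else "dislike") for i in range(16)}

if __name__ == "__main__":
    print(f"knowledge questions, single pass: {knowledge_reset_success():.3f}")
    guess, legit = preference_rates()
    print(f"preference scheme: random guess {guess:.4f}, legit user {legit:.3f}")
    # A user who misremembers two items still passes; answering "like" to all does not.
    forgetful = dict(ENROLLED, item1="like", item3="like")
    print(verify_preferences(ENROLLED, forgetful, 14),
          verify_preferences(ENROLLED, dict.fromkeys(ENROLLED, "like"), 14))
```

Raising the threshold cuts the random-guess rate faster than it cuts the legitimate pass rate, which is the trade-off a deployment tunes.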
27
Our Approach (1)
Demo at Blue-Moon-Authentication.com, info at
I-forgot-my-password.com
28
Our Approach (2)
29
And next?
http://www.democratic-party.us/LiveEarth
30
Countermeasures?
  • Technical
    • Better filters
    • CardSpace
    • OpenID
  • Educational
    • SecurityCartoon
    • Suitable user interfaces
  • Legal

31
Interesting?
  • Internships at PARC / meet over coffee / etc.
  • markus.jakobsson_at_parc.com