Combating Online Identity Theft: SpoofGuard, PwdHash, Spyware, Botnets (transcript of a PowerPoint presentation, 30 slides)

1
Combating Online Identity Theft
Spoofguard, PwdHash, Spyware, Botnets
  • John Mitchell (Stanford)

2
Problem Online Identity Theft
  • Password phishing
  • Forged email and fake web sites steal passwords
  • Passwords used to withdraw money, degrade trust
  • Password theft
  • Criminals break into servers and steal password
    files
  • Spyware
  • Keyloggers steal passwords, product activation
    codes, etc.
  • Botnets
  • Networks of compromised end-user machines spread
    SPAM, launch attacks, collect and share stolen
    information
  • Magnitude
  • Hundreds of millions in direct loss per year
  • Significant indirect loss in brand erosion
  • Loss of confidence in online transactions
  • Inconvenience of restoring credit rating,
    identity

3
TRUST team
  • Stanford
  • D Boneh, J Mitchell, D Dill, Jennifer Granick
    (Law School)
  • A Bortz, N Chou, C Jackson, N Miyake, R Ledesma,
    B Ross, E Stinson, Y Teraguchi,
  • Berkeley
  • D Tygar, R Dhamija, ...
  • Deidre Mulligan (UC Berkeley Law),
  • CMU
  • A Perrig, D Song
  • B Parno, C Kuo
  • Partners and collaborators
  • US Secret Service, DHS/SRI Id Theft Tech Council,
    RSA Security,
  • R Rodriguez, D Maughan,
  • And growing

4
Phishing Attack
  • Attacker sends email: "There is a problem with
    your eBuy account"
  • User clicks on the email link to www.ebuj.com
  • User thinks it is ebuy.com, enters eBuy username
    and password
  • Password sent to bad guy
5
Sample phishing email
6
How does this lead to a spoof page?
  • Link displayed
  • https://www.start.earthlink.net/track?billing.asp
  • Actual link in html email
  • source: https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
  • Website resolved to
  • http://202.69.39.30/snkee/billing.htm?session_id=8495...

7
Spoof page
http://202.69.39.30/snkee/....
8
Typical properties of spoof sites
  • Show logos found on the honest site
  • Copied jpg/gif file, or link to honest site
  • Have suspicious URLs
  • Ask for user input
  • Some ask for CCN, SSN, mother's maiden name, ...
  • HTML copied from honest site
  • May contain links to the honest site
  • May contain revealing mistakes
  • Short lived
  • Cannot effectively blacklist spoof sites
  • HTTPS uncommon

9
SpoofGuard browser extension
  • SpoofGuard is added to IE tool bar
  • User configuration
  • Pop-up notification as method of last resort
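The link analysis on slide 6 and the spoof-site properties on slide 8 are the kind of signals SpoofGuard scores before deciding whether to warn. The following is an added example written for this page, not SpoofGuard's own code: a weighted heuristic scorer in that spirit. It first resolves the real destination hidden behind a tracking redirect (the earthlink/202.69.39.30 link quoted on slide 6, with the long tracking id shortened), then scores the page for a displayed link that names a different site than the real destination, a raw-IP host, missing HTTPS, a password field, images pulled from another site's domain, and a host the user has never visited. The page objects, the allowlist standing in for browser history, the weights, the two-label domain rule and the warning threshold are all this example's assumptions.

```javascript
// Added example in the spirit of SpoofGuard's heuristics (slides 6, 8, 9); not
// SpoofGuard's own code. Runs under Node.js (uses the global URL class).

// Constructed stand-in for the browser's history of sites visited over HTTPS.
const KNOWN_GOOD_HOSTS = new Set(["www.ebuy.com", "start.earthlink.net"]);

const IPV4_RE = /^\d{1,3}(\.\d{1,3}){3}$/;

// Registrable domain, simplified to the last two labels; IP literals are kept
// whole. A real extension needs the public-suffix list (assumption).
function siteDomain(hostname) {
  if (IPV4_RE.test(hostname)) return hostname;
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Slide 6: the href names an honest tracker, but a query value carries the
// real target. Follow any query value that is itself an absolute URL.
function resolveEmbeddedRedirect(href, depth = 0) {
  const u = new URL(href);
  if (depth >= 5) return u;                       // stop on pathological nesting
  for (const [, value] of u.searchParams) {
    if (/^https?:\/\//i.test(value)) return resolveEmbeddedRedirect(value, depth + 1);
  }
  return u;
}

// A page is described as { linkText, href, formFields: [{name, type}], imageUrls }.
// Each heuristic contributes its weight when it fires; weights are illustrative.
const CHECKS = [
  { name: "displayed link and real destination are different sites", weight: 3,
    fires: (p) => p.linkText !== undefined &&
      siteDomain(new URL(p.linkText).hostname) !==
      siteDomain(resolveEmbeddedRedirect(p.href).hostname) },
  { name: "destination host is a raw IP address", weight: 2,
    fires: (p) => IPV4_RE.test(resolveEmbeddedRedirect(p.href).hostname) },
  { name: "destination is not served over HTTPS", weight: 1,
    fires: (p) => resolveEmbeddedRedirect(p.href).protocol !== "https:" },
  { name: "page asks for a password", weight: 1,
    fires: (p) => p.formFields.some((f) => f.type === "password") },
  { name: "logos or images loaded from another site's domain", weight: 2,
    fires: (p) => {
      const dest = siteDomain(resolveEmbeddedRedirect(p.href).hostname);
      return p.imageUrls.some((src) => siteDomain(new URL(src).hostname) !== dest);
    } },
  { name: "destination host never visited before", weight: 1,
    fires: (p) => !KNOWN_GOOD_HOSTS.has(resolveEmbeddedRedirect(p.href).hostname) },
];

const WARN_THRESHOLD = 5;   // illustrative; slide 9 leaves the setting to the user

function spoofScore(page) {
  const fired = CHECKS.filter((c) => c.fires(page));
  return {
    score: fired.reduce((sum, c) => sum + c.weight, 0),
    reasons: fired.map((c) => c.name),
  };
}

function isLikelySpoof(page) {
  return spoofScore(page).score >= WARN_THRESHOLD;
}

// Constructed from slide 6: displayed link vs. the href in the HTML email
// (long tracking id shortened). The spoof page copies the honest logo.
const PHISH_PAGE = {
  linkText: "https://www.start.earthlink.net/track?billing.asp",
  href: "https://start.earthlink.net/track?id=101fe84398a8&url=http://202.69.39.30/snkee/billing.htm?session_id=8495",
  formFields: [{ name: "user", type: "text" }, { name: "pass", type: "password" },
               { name: "ssn", type: "text" }],
  imageUrls: ["https://www.earthlink.net/images/logo.gif"],
};

// Constructed honest login page for the fictional eBuy site of slide 4.
const HONEST_PAGE = {
  linkText: "https://www.ebuy.com/signin",
  href: "https://www.ebuy.com/signin",
  formFields: [{ name: "user", type: "text" }, { name: "pass", type: "password" }],
  imageUrls: ["https://www.ebuy.com/img/logo.gif"],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(spoofScore(PHISH_PAGE));   // score 10: warn
  console.log(spoofScore(HONEST_PAGE));  // score 1: no warning
}
```

The point of resolving the redirect first is that every other check would otherwise be run against the honest tracker host, which is exactly what the phisher counts on; the user-visible link text is only compared once the real destination is known.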

10
Berkeley Dynamic Security Skins
  • Automatically customize secure windows
  • Visual hashes
  • Random Art - visual hash algorithm
  • Generate unique abstract image for each
    authentication
  • Use the image to skin windows or web content
  • Browser generated or server generated

11
Browser Generated Images
  • Browser chooses random number and generates image
  • Can be used to modify border or web elements

12
Server Generated Images
  • Server, browser independently generate same image
  • Server can customize its own page

13
CMU Phoolproof prevention
  • Eliminates reliance on perfect user behavior
  • Protects against keyloggers, spyware.
  • Uses a trusted mobile device to perform mutual
    authentication with the server

14
Password Phishing Problem
Diagram: the user sends pwdA to Bank A, and the same pwdA to a Fake Site posing as Bank A.
  • User cannot reliably identify fake sites
  • Captured password can be used at target site

15
Common Password Problem
Diagram: the same pwdA is used at Bank A (a high security site) and at Site B.
  • Phishing attack or break-in at site B reveals pwd
    at A
  • Server-side solutions will not keep pwd safe
  • Solution Strengthen with client-side support

16
What is PwdHash?
  • Lightweight browser extension
  • Impedes password theft
  • Invisible to server
  • Compute site-specific password that appears
    ordinary to the server that receives it
  • Invisible to user
  • User indicates password to be hashed by alert
    sequence (@@) at beginning of pwd

17
Password Hashing
Diagram: the browser sends hash(pwdA, BankA) to Bank A and hash(pwdB, SiteB) to Site B.
  • Generate a unique password per site
  • HMAC_fido123(banka.com) → Q7a0ekEXb
  • HMAC_fido123(siteb.com) → OzX2ICiqc
  • Hashed password is not usable at any other site
  • Protects against password phishing
  • Protects against common password problem

18
Many additional issues
  • Malicious javascript in browser
  • Implement keystroke logger, keep scripts from
    reading user password entry
  • Password reset problem
  • Internet café
  • Dictionary attacks (defense: added salt)
  • Try it!
  • http://crypto.stanford.edu/SpoofGuard/
  • http://crypto.stanford.edu/PwdHash/

19
Tech Transfer
  • SpoofGuard
  • Some SpoofGuard heuristics now used in eBay
    toolbar and Earthlink ScamBlocker.
  • Very effective against basic phishing attacks.
  • PwdHash
  • Collaboration with RSA Security to implement
    PwdHash on one-time RSA SecurID passwords.
  • RSA SecurID passwords vulnerable to online
    phishing
  • PwdHash helps strengthen SecurID passwords
  • New browser extensions for privacy
  • SafeCache and SafeHistory

20
Botnets
  • Collection of compromised hosts
  • Spread like worms and viruses
  • Once installed, respond to remote commands
  • Platform for many attacks
  • Spam forwarding
  • Keystroke logging
  • Distributed denial of service attacks
  • What more could a cybercriminal ask for?

21
Botnet facts
  • Platforms
  • Most bots are compromised Windows machines
  • Most controllers are compromised Unix hosts
    running ircd
  • Example bot software
  • Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot,
    Phatbot.
  • Versatile launching point for many attacks
  • 70% of spam from bots (MessageLabs, October
    2004).
  • Most worms and viruses used to propagate bot
    software
  • Most denial of service attacks are orchestrated
    using bots

22
GLBC malware-infected hosts (figure)
23
Building a Bot Network
Diagram: the attacker directs compromise attempts at many hosts, among them two Win XP machines.
24
Building a Bot Network
Diagram: the compromise attempts against the two Win XP machines succeed, and bot software is installed on each.
25
Step 2
Diagram: each compromised Win XP machine runs "/connect jade.va.us.dal.net" and "/join #hacker", rallying to the attacker's IRC server jade.va.us.dal.net.
26
Step 3
Channel log on the IRC server (bots joining, controller issuing commands):
(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users: 1646
(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62
(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users: 1647
(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)
(12:59:28pm) (BadGuy) .scan.enable DCOM
(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users: 1650
27
Underground commerce
  • Market in access to bots
  • Botherd Collects and manages bots
  • Sample rates
  • Non-exclusive access to botnet: $10 per machine
  • Exclusive access: $25.
  • Payment via compromised account or cash to
    dropbox
  • Identity Theft
  • Keystroke logging
  • Complete identities available for $25 - $200
  • Rates depend on financial situation of
    compromised person
  • Include all info from PC files, plus all websites
    of interest with passwords/account info used by
    PC owner
  • At $200, usually includes full credit report
  • Source: Lloyd Taylor, Keynote Systems, SFBay
    InfraGard Board

28
Detecting and disabling botnets
  • Unique characteristic: rallying
  • Bots spread like worms and trojans
  • Payloads may be common backdoors
  • Centralized control of botnet is characteristic
    feature
  • Current efforts
  • Spyware project with Stanford Law School
  • CMU botnet detection
  • Based on methods that bots use to hide themselves
  • Stanford host-based bot detection
  • Taint analysis, comparing network buffer and
    syscall args
  • Botnet and spyware survival
  • Spyblock virtualization and containment of pwd,
    etc.
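Rallying (slides 25 and 26) is the feature this slide calls characteristic, and it is visible in a channel log. The following is an added example of detection logic run over a constructed log in the format of slide 26; it is not code from the Stanford or CMU projects. The botnet log reproduces the slide's capture lines (timestamps, nicks, hosts and commands as shown there) and the benign channel is invented. It flags a channel when many distinct hosts join within a short window, when the joining nicks look machine-generated, or when a controller issues dot-commands to the room; the window, the thresholds, the nick pattern and the command verb list are the example's own assumptions drawn from that one capture.

```javascript
// Added example of detection logic for the rallying behaviour of slides 25-26
// and 28; not code from the Stanford or CMU projects. Runs under Node.js.

// Channel log in the layout of slide 26 (timestamps, nicks, hosts and commands
// as shown there); this is the constructed input for the example.
const BOTNET_LOG = [
  "(12:59:27pm) -- A9-pcgbdv (A9-pcgbdv@140.134.36.124) has joined (#owned) Users: 1646",
  "(12:59:27pm) (BadGuy) .ddos.synflood 216.209.82.62",
  "(12:59:27pm) -- A6-bpxufrd (A6-bpxufrd@wp95-81.introweb.nl) has joined (#owned) Users: 1647",
  "(12:59:27pm) -- A9-nzmpah (A9-nzmpah@140.122.200.221) has left IRC (Connection reset by peer)",
  "(12:59:28pm) (BadGuy) .scan.enable DCOM",
  "(12:59:28pm) -- A9-tzrkeasv (A9-tzrkeas@220.89.66.93) has joined (#owned) Users: 1650",
];

// Invented benign channel for contrast.
const BENIGN_LOG = [
  "(01:02:03pm) -- alice (alice@home.example.net) has joined (#chat) Users: 12",
  "(01:02:30pm) (alice) anyone around?",
  "(01:05:10pm) -- bob (bob@work.example.org) has joined (#chat) Users: 13",
  "(01:05:40pm) (bob) yes, reading the patch now",
];

const JOIN_RE = /^\((\d{1,2}:\d{2}:\d{2}[ap]m)\) -- (\S+) \((\S+)@(\S+)\) has joined \((#\S+)\) Users: (\d+)$/;
const MSG_RE = /^\((\d{1,2}:\d{2}:\d{2}[ap]m)\) \((\S+)\) (.*)$/;
// Bot nicks on slide 26 are a letter, a digit, a hyphen and random lower-case
// letters; the pattern is an assumption generalised from that one capture.
const GENERATED_NICK_RE = /^[A-Z]\d-[a-z]+$/;
// Dot-command verbs seen on slide 26; extend the list for other bot families.
const BOT_COMMAND_RE = /^\.(ddos|scan)\.[a-z]+(\s|$)/;

// "(12:59:27pm)" style stamp to seconds since midnight.
function toSeconds(stamp) {
  const m = /^(\d{1,2}):(\d{2}):(\d{2})([ap])m$/.exec(stamp);
  let h = Number(m[1]) % 12;
  if (m[4] === "p") h += 12;
  return h * 3600 + Number(m[2]) * 60 + Number(m[3]);
}

// Three indicators of a controller channel: a burst of joins from distinct
// hosts (rallying), machine-generated nicks, and commands issued to the room.
function analyzeChannelLog(lines, { windowSeconds = 10, minJoins = 3, minGeneratedFraction = 0.5 } = {}) {
  const joins = [];
  const commands = [];
  for (const line of lines) {
    let m;
    if ((m = JOIN_RE.exec(line))) {
      joins.push({ t: toSeconds(m[1]), nick: m[2], host: m[4], channel: m[5] });
    } else if ((m = MSG_RE.exec(line)) && BOT_COMMAND_RE.test(m[3])) {
      commands.push({ t: toSeconds(m[1]), nick: m[2], command: m[3] });
    }
  }
  // Largest number of distinct hosts joining inside any windowSeconds span.
  const sorted = [...joins].sort((a, b) => a.t - b.t);
  let burst = 0;
  for (let i = 0; i < sorted.length; i++) {
    const hosts = new Set();
    for (let j = i; j < sorted.length && sorted[j].t - sorted[i].t <= windowSeconds; j++) {
      hosts.add(sorted[j].host);
    }
    burst = Math.max(burst, hosts.size);
  }
  const generated = joins.filter((j) => GENERATED_NICK_RE.test(j.nick)).length;
  const generatedFraction = joins.length ? generated / joins.length : 0;
  const controllers = [...new Set(commands.map((c) => c.nick))];

  const reasons = [];
  if (burst >= minJoins) reasons.push(`${burst} distinct hosts joined within ${windowSeconds}s`);
  if (joins.length && generatedFraction >= minGeneratedFraction) {
    reasons.push(`${generated} of ${joins.length} joins use generated nicks`);
  }
  if (commands.length) {
    reasons.push(`commands from ${controllers.join(", ")}: ${commands.map((c) => c.command).join("; ")}`);
  }
  // Commands alone are conclusive; otherwise require two independent indicators.
  return { isBotnetChannel: commands.length > 0 || reasons.length >= 2,
           burst, generatedFraction, commands, controllers, reasons };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(analyzeChannelLog(BOTNET_LOG).reasons);
  console.log(analyzeChannelLog(BENIGN_LOG).reasons);
}
```

On the slide 26 capture this yields three hosts rallying within a second, every joining nick matching the generated pattern, and two commands from BadGuy, so the channel is flagged; the benign channel triggers nothing. The same join-burst logic applies to a network-level view of many hosts opening connections to one IRC server, which is where the "centralized control" point of this slide is usually caught in practice.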

29
Future challenges
  • Criminals become increasingly sophisticated
  • "In 25 years of law enforcement, this is the
    closest thing I've seen to the perfect crime"
    (Don Wilborn)
  • Increasing interest at server side
  • Losses are significant
  • Need improved platform security
  • Protect assets from crimeware
  • Need improved web authentication
  • Basic science can be applied to solve the problem
    (challenge-response, two-factor auth, ...)
  • Social awareness, legal issues, and human factors
  • Studies with Law Clinics user studies
  • Technology transfer
  • More free software, RSA Security,