User Interface Security - PowerPoint PPT Presentation

About This Presentation
Title:

User Interface Security

Description:

Crafting of 'personalized' or unique email messages ... Tips to Avoid Internet Identity Theft, E-Mail Scams.' August 11, 2004. NPR. ... – PowerPoint PPT presentation

Slides: 33
Provided by: gord4

Transcript and Presenter's Notes

1
User Interface Security
2
I. History
  • The word "phishing" comes from the phrase early
    internet criminals used to describe a process of
    faking emails to "phish" for passwords and
    financial data from users.
  • The use of "ph" instead of "f" is most likely a
    shift from other popular hacker terms like
    phreaking.
  • The word itself was coined in 1996 by hackers who
    would steal America OnLine (AOL) accounts by
    presenting themselves as admins requesting
    passwords to verify account information.

3
II. Attack Vectors
  • Man-in-the-middle attacks
  • Transparent Proxy
  • DNS Cache Poisoning
  • URL Obfuscation

4
II. Attack Vectors
  • URL Obfuscation attacks: Tactics and Examples
  • Bad domain names
  • Friendly login URLs
  • Third-party shortened URLs
  • Host name obfuscation
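
As an added example (not from the slide deck), the following Python flags the four URL obfuscation tactics listed above on a handful of constructed URLs; BRAND and SHORTENERS are assumed placeholders.

```python
# Added example, not from the slide deck: heuristic checks for the four URL
# obfuscation tactics listed above. BRAND and SHORTENERS are assumed placeholders.
import ipaddress
import re
from typing import List
from urllib.parse import unquote, urlsplit

BRAND = "example-bank.com"                      # assumed: the domain we protect
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # assumed: small illustrative list


def url_warnings(url: str) -> List[str]:
    """Return the obfuscation tactics a URL appears to use (empty list if none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    brand_label = BRAND.split(".")[0]
    found = []

    # Friendly login URL: "http://www.brand.com@other-host/" puts the brand in the
    # userinfo part, which browsers discard; the real host is after the "@".
    if parts.username is not None:
        found.append("friendly-login-url")

    # Host name obfuscation: percent-encoded netloc, a bare IP address, or an
    # IP written as one hex/decimal number instead of a readable name.
    if "%" in parts.netloc:
        found.append("encoded-hostname")
    try:
        ipaddress.ip_address(host)
        found.append("ip-address-host")
    except ValueError:
        if re.fullmatch(r"0x[0-9a-f]+|\d{8,10}", host):
            found.append("numeric-host")

    # Bad domain name: the brand appears in the host, but the registered domain
    # is something else (prefix, hyphenated variant, or brand-as-subdomain).
    on_brand = host == BRAND or host.endswith("." + BRAND)
    if brand_label in host and not on_brand:
        found.append("lookalike-domain")
    # Brand name used only as a decoy in the path or query of an unrelated host.
    elif brand_label in unquote(parts.path + "?" + parts.query).lower() and not on_brand:
        found.append("brand-in-path-only")

    # Third-party shortened URL: the destination is hidden until redirect time.
    if host in SHORTENERS:
        found.append("shortened-url")
    return found
```

These are triage heuristics for a mail gateway or awareness tool, not a verdict: a clean result only means none of the listed tactics was spotted.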

5
II. Attack Vectors
  • Cross-site Scripting Attacks
  • Make use of custom URL code injection into a
    valid web-based application
  • Preset Session Attack
  • Observing Client Data

6
III. Social Engineering
  • Definition
  • Purpose
  • Tactics and Examples
  • Phone Based Phishing
  • Internet Based Phishing
  • Common Victims

7
IV. Message Delivery
  • Official looking and sounding emails
  • Copies of legitimate corporate emails with minor
    URL changes
  • HTML based email used to obfuscate target URL
    information
  • Standard virus/worm attachments to emails

8
IV. Message Delivery
  • A plethora of inclusions designed to evade spam
    detection
  • Crafting of personalized or unique email
    messages
  • Fake postings to popular message boards and
    mailing lists
  • Use of fake Mail From addresses and open mail
    relay for disguising the source of the email

9
IV. Message Delivery
10
Methods to protect/defend yourself from attacks
  • Never click a link in an email, type the URL
    yourself
  • Nobody needs to verify your passwords EVER
  • Run anti-virus/anti-spyware software and a
    firewall, and don't click on suspect attachments
  • Only provide personal information when you
    initiate the transaction, never when someone
    requests it

11
Methods to protect/defend yourself from attacks
  • Watch credit card and bank statements for small
    withdrawals
  • Encrypt or shred sensitive info
  • Don't provide unnecessary info
  • Lying is ok

12
V. Defense - Client-Side
  • Desktop protection technologies
  • Use of appropriate, less sophisticated
    communication settings
  • User application-level monitoring solutions
  • Locking-down browser capabilities
  • Digital signing and validation of email
  • General security awareness

13
Desktop Protection Agents
  • Local Anti-Virus protection
  • Personal Firewall
  • Personal IDS
  • Personal Anti-Spam
  • Spyware Detection

14
E-Mail Sophistication
  • HTML Based E-Mail: Easy to embed scripting
    elements, obfuscate true destination links or
    automatically render embedded multimedia
    elements.
  • Attachment Blocking: Most email applications
    are capable of blocking dangerous attachments
    in emails.

15
Browser Capabilities
  • Disable pop-up window functionality
  • Disable ActiveX controls
  • Disable Java run time support
  • Disable all multimedia and auto-play/auto-execute
    extensions
  • Prevent the storage of non-secure cookies
  • Disable any downloads to be run automatically
    from the browser, instead it should be downloaded
    locally and checked with local anti-virus program

16
Tools For The Browser
  • SpoofGuard
  • Dynamic Security Skins
  • ViWiD: Visible Watermarking based Defense
    against Phishing

17
Digitally Signed E-Mail
  • Secures the content of outgoing e-mails and
    confirms:
      • the sender's identity, through a third-party
        certificate authority
      • the authenticity of the content, through the
        same mathematical process that provides the
        identity information

18
Creating a Digital Signature
19
Verifying a Digital Signature
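
As an added example (not from the slide deck), the create/verify flow of slides 17-19 in Python, using Ed25519 from the third-party `cryptography` package (assumed installed); the raw public key bytes stand in for the CA-issued certificate that would normally carry them.

```python
# Added example, not from the slide deck: the create/verify flow of slides 17-19
# using Ed25519 from the third-party `cryptography` package (assumed installed).
# A CA-issued certificate would normally carry the public key; here the raw
# public key bytes stand in for it.
from typing import Dict

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def create_signature(private_key: Ed25519PrivateKey, message: bytes) -> bytes:
    """Sender side: the message is hashed and the digest signed with the private key.

    Ed25519 hashes internally, so the signature binds exactly these bytes to
    whoever holds the private key (the identity a CA certificate vouches for)."""
    return private_key.sign(message)


def verify_signature(public_key_raw: bytes, message: bytes, signature: bytes) -> bool:
    """Recipient side: recompute over the received bytes and check with the public key.

    Identity (right key) and authenticity (unchanged content) both fall out of this
    one operation, which is the slide's point about the same mathematical process."""
    try:
        Ed25519PublicKey.from_public_bytes(public_key_raw).verify(signature, message)
        return True
    except InvalidSignature:
        return False


def signature_demo() -> Dict[str, bool]:
    """Run the flow on a constructed message and return what the recipient concludes."""
    sender = Ed25519PrivateKey.generate()
    sender_pub = sender.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    imposter_pub = Ed25519PrivateKey.generate().public_key().public_bytes(
        Encoding.Raw, PublicFormat.Raw)
    message = b"From: support@example-bank.com\r\n\r\nYour balance is 100."  # constructed
    sig = create_signature(sender, message)
    tampered = message.replace(b"balance is 100", b"balance is 900")
    return {
        "genuine": verify_signature(sender_pub, message, sig),
        "tampered_body": verify_signature(sender_pub, tampered, sig),
        "forged_sender": verify_signature(imposter_pub, message, sig),
    }
```
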
20
VI. Server-Side Defense
  • Improving customer awareness
  • Providing validation information for official
    communications
  • Using strong token-based authentication systems
  • Keeping naming systems simple and understandable

21
Strong Token-based Authentication
  • Time Dependence, Sense of Trust
  • Setup Times, User Education

22
Custom Web-Application Security
  • Content Validation
  • Session Handling
  • URL Qualification
  • Authentication Processes
  • Image Regulation

23
VII. Enterprise Level Defense
  • Automatic validation of sending email server
    addresses
  • Digital signing of email services
  • Monitoring of corporate domains and notification
    of similar registrations
  • Perimeter or gateway protection agents
  • Third-party managed services

24
Mail Server Authentication
25
Domain Monitoring
  • Domain Name expiry and renewal
  • Registration of similarly named domains:
      • hyphenated names
      • country-specific domains
      • mixed-case ambiguities
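
As an added example (not from the slide deck), Python that filters a feed of new domain registrations down to those that differ from a monitored corporate domain only by the three ambiguities listed above; MONITORED, the confusable map and the sample feed are constructed placeholders.

```python
# Added example, not from the slide deck: flag newly registered domains that
# differ from a monitored corporate domain only by the ambiguities the slide
# lists. MONITORED and the registration feed are constructed placeholders.
import unicodedata
from typing import List, Optional, Tuple

MONITORED = "example-bank.com"  # assumed: the corporate domain being watched
# Glyphs commonly read as another letter; a small illustrative subset.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s"})


def normalize(label: str) -> str:
    """Collapse what a reader's eye glosses over: accents, case, hyphens, look-alikes."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.lower().replace("-", "").replace("rn", "m").translate(CONFUSABLES)


def split_domain(domain: str) -> Tuple[str, str]:
    """Return (leftmost label, remaining suffix), e.g. ("example-bank", "co.uk")."""
    name, _, suffix = domain.lower().strip(".").partition(".")
    return name, suffix


def lookalike_reason(candidate: str, monitored: str = MONITORED) -> Optional[str]:
    """Why a candidate deserves review, or None if it is unrelated or our own."""
    c_name, c_suffix = split_domain(candidate)
    m_name, m_suffix = split_domain(monitored)
    if (c_name, c_suffix) == (m_name, m_suffix):
        return None                                  # our own registration
    if normalize(c_name) != normalize(m_name):
        return None                                  # not a close variant
    if c_suffix != m_suffix:
        return "country-specific or alternate TLD"
    if c_name.replace("-", "") == m_name.replace("-", ""):
        return "hyphenation variant"
    return "mixed-case or confusable-character variant"


def review_queue(registrations: List[str]) -> List[Tuple[str, str]]:
    """Filter a feed of new registrations down to the ones worth a closer look."""
    return [(d, r) for d in registrations if (r := lookalike_reason(d))]


# Constructed sample feed; in practice this comes from a registrar or zone-file watch.
SAMPLE_FEED = ["EXAMPLE-BANK.COM", "examplebank.com", "example-bank.co.uk",
               "exarnple-bank.com", "exampIe-bank.com", "example-bonk.com"]
```
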

26
Gateway Services
  • Gateway Anti-virus Scanning
  • Gateway Anti-Spam Filtering
  • Gateway Content Filtering
  • Proxy services

27
VIII. Government
  • FBI Intervention
  • SLAM-Spam initiative
  • Operation WEB-SNARE
  • Operations E-Con and Cyber Sweep
  • Cyber Division
  • InfraGard
  • Digital PhishNet

28
International Cooperation in Enforcement
  • Organization for Economic Cooperation and
    Development (OECD)
  • OECD Spam Task Force
  • International Telecommunications Union (ITU)
  • European Union (EU)
  • International Consumer Protection Enforcement
    Network (ICPEN)
  • Asia-Pacific Economic Cooperation (APEC)

29
Phishing Links
  • Courtney, David. "Anti-Phishing 101." May 6, 2005. eWeek Magazine. http://www.eweek.com/article2/0,1895,1813653,00.asp
  • Microsoft Corporation. "Anti-Phishing White Paper." 2005. Microsoft publishing. http://www.microsoft.com/downloads/
  • Arnold, Chris. "Tips to Avoid Internet Identity Theft, E-Mail Scams." August 11, 2004. NPR. http://www.npr.org/templates/story/story.php?storyId=3845410
  • Herzberg, Amir and Gbara, Ahmad. "TrustBar: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks." November 7, 2004. Cryptology ePrint Archive. http://eprint.iacr.org/2004/155
  • Roberts, Paul. "Online Identity Theft: Many Medicines, No Cure." November 26, 2004. PCWorld Magazine. http://www.pcworld.com/news/article/0,aid,118709,00.asp
  • Anti-Phishing Working Group. "What is Phishing and Pharming?" 2005. APWG. http://www.antiphishing.org/
  • Litan, Avivah. "Phishing Attack Victims Likely Targets for Identity Theft." May 4, 2005. Gartner. http://www.gartner.com/resources/120800/120804/phishing_attack.pdf

30
Phishing Links
  • Honeynet Project and Research Alliance. "Know your Enemy: Phishing." May 16, 2005. The Honeynet Project. http://www.honeynet.org/papers/phishing/
  • Kay, Russell. "Phishing." January 19, 2004. ComputerWorld Magazine. http://www.computerworld.com/securitytopics/security/story/0,10801,89096,00.html
  • Radcliff, Deborah. "Phear of Phishing." June 17, 2004. ComputerWorld Magazine. http://www.computerworld.com.au/index.php/id;1368408307;fp;16;fpid;0
  • Next Generation Security Software Ltd. "The Phishing Guide: Understanding and Preventing Phishing Attacks." September 2004. NGS Consulting. http://www.ngssoftware.com/papers/NISR-WP-Phishing.pdf
  • Radcliff, Deborah. "Fighting back against phishing." April 21, 2004. ComputerWorld Magazine. http://www.net-security.org/article.php?id=672
  • McMillan, Robert. "California Makes Phishing Illegal." October 3, 2005. PCWorld Magazine and IDG News Service. http://www.pcworld.com/resource/article/0,aid,122818,pg,1,RSS,RSS,00.asp
  • Gross, Grant. "Anti-Phishing Act of 2005." March 7, 2005. PCWorld Magazine. http://www.pcworld.com/news/article/0,aid,119912,00.asp
  • Anti-Phishing Working Group. "Phishing Attack Trends Report." June 2004. APWG. http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf

31
About
  • Gordana Lozo
  • Patrick Gill
  • Veronica Peshterianu
  • Chris Scheibe
  • Stacy Kim

32
  • Questions?