Title: Phishing basics (Don't try this at home.)
Phishing basics (Don't try this at home.)
Phishing example
Dear U.S. Bank Customer,
At U.S. Bank, we take security very seriously. As many customers already know, Microsoft Internet Explorer has significant 'holes' or vulnerabilities that virus creators can easily take advantage of. At U.S. Bank, we maintain your personal information and data according to strict standards of security and confidentiality as described in the Terms and Conditions that govern your use of this site. Online access to your account portfolio is only possible through a secure web browser. In order to further protect your account, we have introduced some new important security standards and browser requirements. U.S. Bank security systems require that your computer system is compatible with our new standards. This security update will be effective immediately. Please sign on to U.S. Bank Online Banking in order to verify security update installation. Failure to do so may result in your account being compromised.
Sincerely,
The U.S. Bank Security Department Team.
(Scattered through the message, after the salutation and around the signature, are runs of random words: "J 6 rampant seventeen polynomial forfeiture weed inflow Murray", "rhubarb Nelson cord", "8 D pawnshop dismal likewise 72 192".)
The slide's callouts label the parts of the message:
- Truth: the claim that Internet Explorer has exploitable holes
- Good news: the bank has "introduced new security standards" to protect your account
- Request: sign on to verify the security update
- Threat: failure to do so may result in your account being compromised
- Anti-spam filter text: the runs of random words, there to confuse content-based spam filters
What is phishing?
- Technology
- Social engineering
What is the problem?
- Technology that does things it should not do, and doesn't do things it should do.
- People who do things they should not do, and do not do things they should do.
- (Ask a general question - get a general answer!)
Let's look at some common attacks!
- and let's consider possible countermeasures, too
Spoofing Mail
First, connect to a computer on the IU network (not required if sending mail to someone at IU).
  telnet mail-relay.iu.edu 25
Next, use telnet to connect to the Mail Transfer Agent (MTA), e.g. mail-relay.iu.edu, on port 25.
  HELO graceland.net
Next, identify yourself with the HELO command (you can lie here).
  MAIL FROM: elvis@graceland.net
Say who the mail is coming from. In this case, the MTA doesn't care who it comes from (elvis@graceland.net).
  RCPT TO: sstamm@indiana.edu
Say for whom the mail is destined. This MTA accepts mail for any IU user from anybody on the internet.
  DATA
  From: Elvis Presley
  To: Sid
  Subject: Don't step on my blue suede shoes!

  -The King
  .
Type the email. This includes the To, From and Subject fields that will show up in the target's mail client; a line containing only a period ends the message.
  QUIT
Close the connection to the MTA. It will immediately deliver the email.
The victim gets an email that appears to be from The King.
But a closer look at the headers reveals the originating server, which is not graceland.net.
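The whole exchange above, as an added example that is not part of the original slides: a throw-away relay that behaves like the open relay described (it accepts any MAIL FROM and any RCPT TO without authentication), a client that plays Elvis, and a check that puts the From: line the victim sees next to the Received: header the relay itself wrote. Everything runs on localhost; the relay name "toy-relay", the port, and the message text are constructed for the demo.

```python
"""Added example, not from the original slides: an open relay on localhost,
a client that spoofs the sender, and a look at the resulting headers."""
import smtplib
import socket
import threading
from email import message_from_bytes
from email.message import EmailMessage
from email.utils import parseaddr

SPOOFED_DOMAIN = "graceland.net"   # the lie told in HELO/EHLO and in From:


def toy_relay(listener, mailbox):
    """Minimal SMTP server for one session. It never authenticates the sender,
    but, like a real MTA, it prepends a Received: header naming the HELO
    identity it was told and the peer address it actually observed."""
    conn, peer = listener.accept()
    with conn, conn.makefile("rb") as lines:
        def reply(text):
            conn.sendall(text + b"\r\n")

        reply(b"220 toy-relay ESMTP")
        helo_name = b"?"
        while True:
            line = lines.readline()
            if not line:
                return                                   # client went away
            verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
            verb = verb.upper()
            if verb in (b"HELO", b"EHLO"):
                helo_name = arg
                reply(b"250 toy-relay")
            elif verb in (b"MAIL", b"RCPT"):
                reply(b"250 OK")                         # open relay: anybody to anybody
            elif verb == b"DATA":
                reply(b"354 End data with <CR><LF>.<CR><LF>")
                body = b""
                while True:
                    chunk = lines.readline()
                    if chunk == b".\r\n":                # lone period ends the message
                        break
                    body += chunk[1:] if chunk.startswith(b"..") else chunk  # undo dot-stuffing
                received = (b"Received: from " + helo_name + b" (" + peer[0].encode() + b")\r\n"
                            b"\tby toy-relay with SMTP\r\n")
                mailbox.append(received + body)
                reply(b"250 Queued")
            elif verb == b"QUIT":
                reply(b"221 Bye")
                return
            else:
                reply(b"500 Unrecognized command")


def spoof_via_relay():
    """Send a message whose From: claims graceland.net through the toy relay;
    return the raw message as it lands in the victim's mailbox."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    mailbox = []
    server = threading.Thread(target=toy_relay, args=(listener, mailbox))
    server.start()

    msg = EmailMessage()                                 # the DATA step
    msg["From"] = "Elvis Presley <elvis@graceland.net>"
    msg["To"] = "Sid <sstamm@indiana.edu>"
    msg["Subject"] = "Don't step on my blue suede shoes!"
    msg.set_content("-The King")

    # local_hostname is what smtplib sends in EHLO: the HELO lie from the slides.
    with smtplib.SMTP("127.0.0.1", listener.getsockname()[1],
                      local_hostname=SPOOFED_DOMAIN) as client:
        client.send_message(msg)                         # MAIL FROM / RCPT TO / DATA, then QUIT
    server.join()
    listener.close()
    return mailbox[0]


def claimed_vs_observed(raw):
    """What the mail client shows (the From: domain) versus what the relay recorded."""
    msg = message_from_bytes(raw)
    claimed = parseaddr(msg["From"])[1].split("@")[1]
    first_hop = " ".join(msg.get_all("Received")[0].split())   # unfold the header
    return claimed, first_hop


if __name__ == "__main__":
    print(claimed_vs_observed(spoof_via_relay()))
```

The From: domain is whatever the client typed; the only trustworthy part of the trace is the Received: line added by a relay you trust, which records the peer address it saw. A real attacker's relay hop would show a non-graceland.net address in exactly that position.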
The problem? Recall Mail Relays
- Open Relay: senders not authenticated
- Closed Relay: senders must have an account
Could this problem be avoided using digital signatures?
How does a digital signature (e.g., RSA) work?
(Figure: Alice holds a private key SK_Alice and a public key PK_Alice. The message m = "Hello Bob." is encoded as a bit string and digitally signed with SK_Alice, giving the signature; Alice sends the message, the signature and her certificate; Bob verifies the signature on the same bit string with PK_Alice.)
How do you know what public key to use?
(Figure: a key directory is stored as bits and bytes; interpreted, it reads (Bob, PK_Bob), (Joe, PK_Joe), (Lucy, PK_Lucy). Attack! If the bits of Bob's entry are changed, the directory reads (Bob, PK_Eve), (Joe, PK_Joe), (Lucy, PK_Lucy) instead: whoever looks up Bob's key gets Eve's, and Eve's signatures verify as Bob's.)
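The two slides above, signing with a private key and the key-directory attack, as one added example that is not part of the original slides. It uses textbook RSA with toy-sized keys built from Mersenne primes (no padding, for illustration only, not secure) and a plain dictionary as the key directory; the names, primes and message are constructed for the demo.

```python
"""Added example, not from the original slides: textbook RSA sign/verify and
the key-directory substitution attack (Eve's key stored under Bob's name)."""
import hashlib

# Constructed key material: Mersenne primes, so they are known to be prime.
BOB_PRIMES = (2**31 - 1, 2**61 - 1)
EVE_PRIMES = (2**89 - 1, 2**107 - 1)
E = 65537


def keygen(p, q, e=E):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _hash_to_zn(message, n):
    """Hash the message and reduce into Z_n: the bit string that gets signed."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private_key):
    n, d = private_key
    return pow(_hash_to_zn(message, n), d, n)


def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _hash_to_zn(message, n)


def directory_attack():
    """Return (verified with Bob's real key, verified after Eve's substitution)."""
    bob_pk, _bob_sk = keygen(*BOB_PRIMES)
    eve_pk, eve_sk = keygen(*EVE_PRIMES)
    directory = {"Bob": bob_pk}         # the key directory, honest to start with
    message = b"Hello Alice. Send the report to me, Bob."
    forged = sign(message, eve_sk)      # Eve signs with her own private key
    before = verify(message, forged, directory["Bob"])   # False: not Bob's key
    directory["Bob"] = eve_pk           # the attack: rewrite Bob's entry
    after = verify(message, forged, directory["Bob"])    # True: Alice now trusts Eve as Bob
    return before, after


if __name__ == "__main__":
    print(directory_attack())
```

Nothing in the verification step knows whose key it was handed; the binding between "Bob" and PK_Bob has to come from somewhere the attacker cannot rewrite, which is the job of the certificate sent alongside the signature.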
Our problem: there is no ubiquitous public key infrastructure!
Although a PKI would not immediately solve the problem, either.
- Homograph attacks use foreign alphabets or similar-looking characters to register domains; these can later get a valid certificate!
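A check for the homograph problem just described, as an added example that is not part of the original slides: it flags domain labels whose characters mix scripts or are non-ASCII look-alikes, and shows the punycode (xn--) form that the registrar and the certificate authority actually handle. The script-by-Unicode-name heuristic and the Cyrillic sample names are assumptions constructed for the demo.

```python
"""Added example, not from the original slides: spot mixed-script and
non-ASCII look-alike domain labels and show their punycode form."""
import unicodedata


def script_of(ch):
    """Script name taken from the first word of the character's Unicode name
    (LATIN, CYRILLIC, GREEK, ...); ASCII digits and the hyphen count as COMMON."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def check_hostname(host):
    """Return a report: punycode form, whether the name looks like a homograph, and why."""
    if host.isascii():
        host = host.encode("ascii").decode("idna")   # expand already-encoded xn-- labels
    host = host.lower()
    findings = []
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif not label.isascii():
            findings.append((label, "non-ASCII " + ", ".join(sorted(scripts)) + " label"))
    return {
        "host": host,
        "punycode": host.encode("idna").decode("ascii"),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: Latin "paypal.com", the same with a Cyrillic "a",
    # and an all-Cyrillic look-alike of "apple".
    for name in ("paypal.com", "p\u0430ypal.com", "\u0430\u0440\u0440\u04cf\u0435.com"):
        print(check_hostname(name))
```

The all-Cyrillic case matters: it is a single script, so a mixed-script rule alone would pass it, which is why the check also reports any non-ASCII label and why the xn-- form is worth showing to the user.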
Another problem: Recall Addressing
- Q: I don't want to type numbers, can't I just type google.com?
- A: Yes, thanks to the Domain Name System (DNS)
(Figure: DNS normally maps the name to its address, 10.0.2.3; if the attacker controls the answer, the same name resolves to verybadplace.com instead.)
This is referred to as pharming.
Another phishing problem: Spam
- Web Page Harvesting
- Online Address Books
- Viruses (Address Book Harvesting)
- Email Traffic Monitoring
- Random Guessing
- Exhaustive Search (a@iu.edu, ...)
- Web bugs can be used to find active email accounts.
Spam Filters: Protection
- Mail can be filtered when it is
  - Sent (by the originating server)
  - En route (by servers along the way)
  - Delivered (on the destination's PC)
Blacklist Filtering
Deny mail from addresses on the list.
Blacklist: viagra@hotmail.com, noreply@beernuts.org, vicki@porn-site.com
- To: sid@iu.edu, From: viagra@hotmail.com, Subject: free ViAgRa! -> On the list! Go away!
- To: sid@iu.edu, From: markus@iu.edu, Subject: free money! -> not on the list, delivered
Whitelist Filtering
Allow only mail from addresses on the list.
Whitelist: markus@iu.edu, Prez@bigcorp.net, fred00@hotmail.com
- To: sid@iu.edu, From: viagra@hotmail.com, Subject: free ViAgRa! -> Not on the list!
- To: sid@iu.edu, From: markus@iu.edu, Subject: free money! -> on the list, delivered
Collaborative Filtering
- Clients give spam to an authority
- Authority archives all reported spam
- Clients ask the authority if a message is spam
- Authority could be the client's mail server
Bayesian Filtering
- Operates in two modes: first learns, then filters
- More email seen, better accuracy
TRAINING
- Analyzes messages
- Asks user to identify spam
- Learns from user feedback
FILTERING
- Analyzes messages
- Classifies messages as spam or not
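The two modes on the Bayesian filtering slide, as an added example that is not part of the original slides: a minimal naive Bayes filter with a training phase fed by the user's spam/ham labels and a filtering phase that scores new mail. The training messages and the add-one smoothing are constructed choices for the demo.

```python
"""Added example, not from the original slides: a small naive Bayes spam
filter with a training mode (user-labelled mail) and a filtering mode."""
import math
import re
from collections import Counter


def tokens(text):
    return re.findall(r"[a-z]+", text.lower())


class BayesFilter:
    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        """TRAINING mode: the user tells the filter whether this message is spam."""
        self.words[label].update(tokens(text))
        self.messages[label] += 1

    def spam_probability(self, text):
        """FILTERING mode: P(spam | words), with add-one smoothing so a word
        never seen in one class does not zero out that class entirely."""
        vocabulary = set(self.words["spam"]) | set(self.words["ham"])
        log_score = {}
        for label in ("spam", "ham"):
            total_words = sum(self.words[label].values())
            score = math.log(self.messages[label] / sum(self.messages.values()))
            for w in tokens(text):
                score += math.log((self.words[label][w] + 1) / (total_words + len(vocabulary)))
            log_score[label] = score
        return 1 / (1 + math.exp(log_score["ham"] - log_score["spam"]))

    def classify(self, text, threshold=0.5):
        return "spam" if self.spam_probability(text) > threshold else "ham"


TRAINING_SET = [   # constructed; in practice these labels come from user feedback
    ("free viagra now", "spam"),
    ("free money click here", "spam"),
    ("cheap viagra online pharmacy", "spam"),
    ("win a free prize click now", "spam"),
    ("meeting tomorrow about the project", "ham"),
    ("can you review my paper draft", "ham"),
    ("lunch at noon tomorrow", "ham"),
    ("project deadline moved to friday", "ham"),
]


def trained_filter():
    f = BayesFilter()
    for text, label in TRAINING_SET:
        f.train(text, label)
    return f


if __name__ == "__main__":
    f = trained_filter()
    for text in ("free viagra click now", "project meeting tomorrow"):
        print(text, "->", f.classify(text), round(f.spam_probability(text), 3))
```

Every call to train() moves the per-word estimates, which is the slide's "more email seen, better accuracy"; the smoothing term is what keeps a single unfamiliar word (including the random filler words from the bank example) from dominating the score.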
Message Signing: What Really Happens
(Figure: Sig = M signed with S_bob; Valid(Sig, M, P_bob)?)
- Bob's machine signs with his private key S_bob
- Alice's machine verifies using Bob's public key P_bob
Another phishing problem: Password reuse
- Rogue sites obtain user names and passwords, and try them elsewhere (perhaps trying a few derivations, too).
- Hackers and insiders obtain user names and passwords from honest sites, and try them elsewhere, etc.
Possible fix: PwdHash
- In: human-memorized password and URL
- Out: site-customized password
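The password-reuse problem and the PwdHash idea above, as one added example that is not part of the original slides and is not the PwdHash implementation itself: a simplified scheme in the same spirit (one memorized master password in, a different password out for every site), used to show why a password captured by a phishing site is useless at the real one. Binding to the full hostname, the HMAC-SHA256 construction, and the sample URLs are assumptions of this demo.

```python
"""Added example, not from the original slides and not PwdHash's own code:
a site-specific password derivation and a phish-then-replay attempt."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_identity(url):
    """The part of the URL the password is bound to: here the full hostname
    (an assumption of this demo; PwdHash itself binds to the domain)."""
    return urlsplit(url).hostname.lower()


def site_password(master, url, length=12):
    """Derive the site-customized password from the memorized one and the URL."""
    mac = hmac.new(master.encode(), site_identity(url).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def phish_and_replay(master="correct horse battery"):
    """The user types the same master password at the bank and, later, at a
    look-alike phishing site. Return what each side ends up holding."""
    bank = "https://www.usbank.com/login"
    phisher = "https://usbank.com.security-update.example/login"   # constructed look-alike
    stored_at_bank = site_password(master, bank)      # set when the user enrolled
    stolen = site_password(master, phisher)           # what the browser sent the phisher
    return {
        "bank": stored_at_bank,
        "phisher_got": stolen,
        "replay_succeeds": hmac.compare_digest(stolen, stored_at_bank),
    }


if __name__ == "__main__":
    print(phish_and_replay())
```

The derivation runs in the browser before the password leaves the machine, so the phisher only ever sees a value bound to its own hostname; the same mechanism also defeats the first bullet on the password-reuse slide, since a leak from one honest site yields nothing that works at another.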
And a non-technical problem
(Figure: "You are here" versus "Attackers are here".)
Current attack style
Approx. 3% of adult Americans report having been victimized.
More sophisticated attack style
Context-aware attack, a.k.a. spear phishing
Preliminary tests show 50-75% would have been victimized.