Two Technical Phishing Countermeasures - PowerPoint PPT Presentation

1
Two Technical Phishing Countermeasures
  • Burt Kaliski, Chief Scientist, RSA Security
  • North Shore Technology Council 23 March 2005

2
Exploiting Trust
  • Phishing is a social engineering attack that
    exploits users' trust in the familiar to gain
    access to private information
  • Basic approach
    • Attacker sends an email that appears to be from
      a source the user might trust
    • User clicks on an apparently innocuous link in
      the email and is taken to a site that looks like
      the right one but which is actually the
      attacker's
    • User discloses passwords and other sensitive
      information, e.g., account numbers

3
The Basic Problems
  • Attackers can make emails (and Web pages!) look
    like the real thing
    • Not just the content, but also the From
      address can be forged
  • User interface for authentication generally
    doesn't authenticate the Web site, just the
    user
  • Passwords and other sensitive information are
    often sent directly to the application, whether
    trustworthy or not
  • In general, users don't have good tools to tell
    the familiar from the authentic

4
A Multifaceted Response
  • Many avenues are being pursued to deal with the
    problems
    • Find the phishing sites and shut them down
    • Filter email to flag or reduce the bait
    • Equip users to recognize and not respond to
      attacks
  • Two technical solutions of interest here
    • Authenticate the emails, so the user can tell where
      they really came from
    • Improve the protocols and interfaces for user
      authentication so that credentials won't be
      learned even if attackers ask for them

5
Authenticating the Emails
  • Problem: From address can be forged
  • Solution: Verify that the message comes from an
    authorized sender
    • SenderID (Meng Weng Wong / Microsoft)
      • Sender's domain lists authorized mail servers in
        DNS
      • Recipient checks email postmark against the list
    • DomainKeys (Yahoo!)
      • Sender's domain posts a public key; domain signs
        all messages
      • Recipient verifies the digital signature
  • Challenge: Users need to decide which senders to
    trust

6
Improving the Protocols and Interfaces
  • Problem: Passwords are sent directly to attackers
  • Solution: Better interfaces and protocols!
    • Password hashing (classical; see Stanford
      PwdHash)
      • Interface automatically hashes the password (slowly)
        with the application identifier before sending it
      • Attacker has to search for the password, which is a
        deterrent
    • Extensions: Two-factor and mutual authentication
      • Password-based key agreement (Bellovin-Merritt,
        et al.)
  • Challenge: Interfaces need to be integrated into
    browsers and operating systems, so that attackers
    can't bypass them
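The password-hashing idea on this slide, as an added illustration that is not code from the presentation or from the PwdHash project: the interface derives a site-specific value from the master password and the application identifier with a deliberately slow hash, so a look-alike host receives a different value than the genuine site. The host-name identifier, PBKDF2-HMAC-SHA256, the iteration count and the output length are assumptions for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Assumed parameters (not from the presentation): PBKDF2-HMAC-SHA256 keyed by
# the site's host name, with a high iteration count so that an attacker who
# captures a derived value must run a slow search for each password guess.
ITERATIONS = 100_000
OUTPUT_CHARS = 16


def site_identifier(url: str) -> str:
    """Reduce a URL to the identifier the hash is bound to: the lower-cased
    host name without port. A look-alike phishing host therefore yields a
    different identifier than the genuine site."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.lower()


def site_password(master_password: str, url: str) -> str:
    """Derive the value the interface would submit instead of the master
    password: a slow hash of the master password salted with the
    application identifier (PwdHash-style)."""
    salt = site_identifier(url).encode("utf-8")
    digest = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=24
    )
    return base64.b64encode(digest).decode("ascii")[:OUTPUT_CHARS]


def same_credential(master_password: str, url_a: str, url_b: str) -> bool:
    """True only if both URLs map to the same application identifier."""
    a = site_password(master_password, url_a)
    b = site_password(master_password, url_b)
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    # Constructed sample: one master password, the genuine site and a
    # look-alike host of the kind a phishing email would link to.
    master = "correct horse battery staple"
    genuine = "https://www.bank.example/login"
    lookalike = "https://www.bank-example.test/login"
    print("sent to genuine site :", site_password(master, genuine))
    print("sent to look-alike   :", site_password(master, lookalike))
    print("same credential?     :", same_credential(master, genuine, lookalike))
```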

7
A Special Control Sequence?
  • What if you could ensure that your password were
    protected by typing a special control sequence
    beforehand?
    • e.g., Alt-Password
    • The control sequence would automatically invoke the
      stronger interface and protocols for protecting
      the password
  • If this were standard on operating systems and
    browsers, and you learned to use it, would your
    confidence be increased?
  • Overall goal: Trustworthy Interfaces for Personal
    Information and Credentials (TIPIC) should become
    typical

8
Contact Information
  • Burt Kaliski, Chief Scientist, RSA Security
  • bkaliski_at_rsasecurity.com
  • www.rsasecurity.com/rsalabs
