clickjacking phishing
play

CLICKJACKING & PHISHING CMSC 414 FEB 28 2019 Town Hall - PowerPoint PPT Presentation

Nov 11, 2022 •184 likes •1.29k views

CLICKJACKING & PHISHING CMSC 414 FEB 28 2019 Town Hall tonight CSIC 1115, 5pm-7pm There is insufficient space in Iribe Virtually no student group space No TA space Extra space is going to non-CS UMIACS

  1. 
 Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Authority The owner of is indeed BoA Certificate

  2. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Authority Certificate

  3. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Certificate Authority

  4. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Certificate Authority

  5. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Certificate Certificate Authority

  6. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Certificate Certificate Authority

  7. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? Browser Website Certificate Certificate Certificate Authority

  8. Public Key Infrastructures (PKIs) How can users truly know with whom they are communicating? ✓ Browser Website Certificate Certificate Certificate Authority

  9. MAKING AN OBSERVATION amazon.com-deals.com Me

  10. MAKING AN OBSERVATION amazon.com-deals.com What does this mean to you? Me

  11. MAKING AN OBSERVATION Somehow, com-deals.com got a certificate 
 that looks like amazon.com amazon.com-deals.com What does this mean to you? Me

  12. MAKING AN OBSERVATION This appears to be prevalent

  13. MAKING AN OBSERVATION This appears to be prevalent

  14. MAKING AN OBSERVATION This appears to be prevalent…like really prevalent

  15. MAKING AN OBSERVATION This appears to be prevalent…like really prevalent

  16. The actual website amazon.com-deals.com The apparent website

  17. The actual website amazon.com-deals.com The apparent website ASKING A QUESTION

  18. The actual website amazon.com-deals.com The apparent website ASKING A QUESTION WHAT DO YOU THINK ARE SOME GOOD QUESTIONS WE COULD ASK?

  19. ASKING SOME QUESTIONS

  20. ASKING SOME QUESTIONS How often does this happen?

  21. ASKING SOME QUESTIONS How often does this happen? Who is giving these attackers certificates?

  22. ASKING SOME QUESTIONS How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates?

  23. ASKING SOME QUESTIONS How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates? What can we do to stop this kind of attack?

  24. HOW DO WE ANSWER THESE QUESTIONS? How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates? What can we do to stop this kind of attack?

  25. HOW DO WE ANSWER THESE QUESTIONS? How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates? What can we do to stop this kind of attack? WE NEED A DATASET

  26. HOW DO WE ANSWER THESE QUESTIONS? How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates? What can we do to stop this kind of attack? WE NEED A DATASET GET *ALL* OF THE CERTIFICATES!

  27. RESEARCH DATASETS If it doesn’t exist, collect it If it does exist, download it If you do something new with the data, share it

  28. RESEARCH DATASETS If it doesn’t exist, collect it If it does exist, download it If you do something new with the data, share it PART OF BEING A GOOD RESEARCHER IS KNOWING WHAT DATA IS OUT THERE (EXPERIENCE WITH TIME)

  29. RESEARCH DATASETS If it doesn’t exist, collect it If it does exist, download it If you do something new with the data, share it PART OF BEING A GOOD RESEARCHER IS KNOWING WHAT DATA IS OUT THERE (EXPERIENCE WITH TIME) YOUR ADVISOR WILL HELP WITH THIS

  30. CERTIFICATE DATASETS IT IS NOW POSSIBLE TO DOWNLOAD 
 ALL KNOWN CERTIFICATES ON THE WEB!

  31. DEVISING A SOLUTION

  32. DEVISING A SOLUTION Certificate dataset C Each certificate has ≥ 1 domain name 315,284,603 total domain names amazon.com-deals.com

  33. DEVISING A SOLUTION Certificate dataset C Each certificate has ≥ 1 domain name 315,284,603 total domain names Website popularity dataset P Alexa top- 10,000 most popular websites google.com youtube.com amazon.com-deals.com amazon.com

  34. DEVISING A SOLUTION Certificate dataset C Each certificate has ≥ 1 domain name 315,284,603 total domain names Website popularity dataset P Alexa top- 10,000 most popular websites We need an algorithm Search in each certificate in C for a popular website from P google.com youtube.com amazon.com-deals.com amazon.com

  35. DEVISING A SOLUTION Certificate dataset C Each certificate has ≥ 1 domain name 315,284,603 total domain names Website popularity dataset P Alexa top- 10,000 most popular websites We need an algorithm Search in each certificate in C for a popular website from P ⨯ google.com ⨯ youtube.com amazon.com-deals.com amazon.com ✔

  36. DEVISING A SOLUTION Certificate dataset C Each certificate has ≥ 1 domain name Naive algorithm 
 315,284,603 total domain names 3.15 Trillion checks! Website popularity dataset P Alexa top- 10,000 most popular websites We need an algorithm Search in each certificate in C for a popular website from P ⨯ google.com ⨯ youtube.com amazon.com-deals.com amazon.com ✔

  37. ANALYZING A DATASET How often does this happen? When it happens, does it tend to be malicious? Who is giving these attackers certificates? What can we do to stop this kind of attack? As you analyze a dataset, it is important to 
 really understand the results and the outliers

  38. WHO IS BEING IMPERSONATED?

  39. WHO IS BEING IMPERSONATED?

  40. WHAT TLD’S ARE ATTACKERS USING?

  41. WHO GIVES OUT THESE CERTIFICATES? Largely free domains

  42. WHERE ARE THEY HOSTING THESE DOMAINS? Largely free hosting providers

  43. QUESTIONS YIELD NEW QUESTIONS… informationen.support.cgi.log.ssl.cembra.ch.aktualisieren.amerbay.com (Swiss bank) Why is this domain name so long?!?

  44. QUESTIONS YIELD NEW QUESTIONS… informationen.support.cgi.log.ssl.cembra.ch.aktualisieren.amerbay.com (Swiss bank) Why is this domain name so long?!? Safari on iPhones left-justify in Safari informationen.support.cgi.log.ssl.cem

  45. QUESTIONS YIELD NEW QUESTIONS… informationen.support.cgi.log.ssl.cembra.ch.aktualisieren.amerbay.com (Swiss bank) Why is this domain name so long?!? Safari on iPhones left-justify in Safari informationen.support.cgi.log.ssl.cem Chrome on Android right-justifies cembra.ch.aktualisieren.amerbay.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide

Clickjacking Credit: paper (Clickjacking: Attacks and Defenses Huang et al.) and most slide content (Vern Paxson) Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes

567 views • 24 slides
The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing

The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing

The Art of Phishing : What you should know Arvind Vishwakarma 05/24/2019 Agenda 1. Phishing In a Nutshell 2. Phishing Types & Techniques 3. Phishing Stats & Modern Trends 4. Case-Study 5. Stay Safe 2 Speaker ABOUT ME

478 views • 24 slides
Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing

Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing

Phishing Fishing or Phishing? Definition Phishing: an attempt to trick victims into sharing sensitive information such as passwords, usernames, and credit card details for malicious reasons. Phishing can be in the form of emails, social

530 views • 20 slides
Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the

Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the

School of Fin ine Arts Retreat IT Presentation Rick OToole Phishing Awareness What is Phishing? Phishing is the attempt to obtain personal information such as passwords and logins for malicious purposes. By appearing to be legitimate the

255 views • 13 slides
VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of

THE STATE OF PHISHING ATTACK VECTOR Table of Content Bio What phishing is? Types of Phishing Anatomy of Phishing Counter Measures Reports on Phishing Isaac K. Acheampong Facilities Manager BSc IT, Dip. IT, Sec+ STATE OF

711 views • 34 slides
More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking & UI redressing sws2 Click jacking & UI

409 views • 29 slides
Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing?

Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing?

Tech Briefing Email Security (Phishing) VPN File Storage Phishing Awareness What is Phishing? Phishing email messages, websites, and phone calls are designed to steal money or sensitive information. Cybercriminals can do this by installing

264 views • 24 slides
PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing

PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing

PHISHING IN DEPTH (ATTACKS & MITIGATIONS) Table of Content 1.0 Introduction 2.0 Phishing 3.0 Phishing kit 4.0 Types of Phishing 5.0 Avoidance Techniques 6.0 Effect of Phishing on Businesses 7.0 Demos & Practical INTRODUCTION

565 views • 27 slides
Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/

Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/

Clickjacking Revisited A Perceptual View of UI Security Devdatta Akhawe / Warren He / Zhiwei Li/ Reza Moazzezi / Dawn Song University of California, Berkeley Clickjacking is a malicious technique of tricking a Web user into clicking on something

753 views • 39 slides
Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring:

Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring:

Training employees to recognise and avoid phishing threats Agenda Today, we will be exploring: What is phishing? How phishing can damage a business What are the difgerent types of phishing? How to spot a phishing email What to do if

159 views • 12 slides
of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results

PhishEye: Xiao Han Nizar Kheir Live Monitoring Davide Balzarotti of Sandboxed Phishing Kits Summary Motivation Sandboxed phishing kits Implementation Results [APWG Phishing Activity Trends Report 2 nd Quarter 2016] All time high record

921 views • 59 slides
Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing

Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing

Anti-Phishing Security Strategy Angelo P. E. Rosiello Agenda 1. Brief introduction to phishing 2. Strategic defense techniques 3. A new client based solution: DOMAntiPhish 4. Conclusions Nature of Phishing Statistics from the Anti

536 views • 31 slides
Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke

Ne Needle in a Haystack: : Tracking Do Down Elite Ph Phishing g Dom Domains in the Wild Ke Tian, Steve T.K. Jan , Hang Hu, Danfeng Yao, Gang Wang Computer Science, Virginia Tech Phishing is a Big Th Threat Phishing: fraudulent attempt

411 views • 30 slides
Dont Take The Bait: How To Stay Safe From Phishing Goals After this section, youll be able

Dont Take The Bait: How To Stay Safe From Phishing Goals After this section, youll be able

Dont Take The Bait: How To Stay Safe From Phishing Goals After this section, youll be able to: Define phishing Identify signs of a potential phishing email Know where to report phishing emails to and how to report them

168 views • 15 slides
SY306 Web and Databases for Cyber Operations Slide Set #3: CSS

SY306 Web and Databases for Cyber Operations Slide Set #3: CSS

SY306 Web and Databases for Cyber Operations Slide Set #3: CSS http://www.w3schools.com/css/default.asp Style! 1 ClickJacking Attack! Past Clickjacking attacks By loading Adobe Flash plugin settings page into an invisible iframe, an

211 views • 18 slides
Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why

Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why

Phishing By: Joanna Georgiou Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April 22). Why Phishing Works. Gelernter, N., Kalma, S., Magnezi, B., & Porcilan, H. (2017). The Password Reset MitM Attack. What is Phishing? Dhamija, R.,

528 views • 50 slides
Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer December 9, 2013; Washington, DC Funded by the Austrian

1.01k views • 88 slides
Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes

Advanced Operating Systems MS degree in Computer Engineering University of Rome Tor Vergata Lecturer: Francesco Quaglia Kernel level memory management 1. The very base on boot vs memory management 2. Memory Nodes (UMA vs NUMA) 3. x86

1.18k views • 114 slides
Paging Basic method Hardware support TLB Memory Protection Hierarchical Page

Paging Basic method Hardware support TLB Memory Protection Hierarchical Page

BS1 WS19/20 topic-based slides Paging Basic method Hardware support TLB Memory Protection Hierarchical Page Tables Hashed Page Tables Inverted Page Tables Shared Pages Virtual Address space under different

964 views • 75 slides
RAC 10g on Linux Marta Jakubowska-Sobczak, OpenLab fellow Database and Application Services RAC

RAC 10g on Linux Marta Jakubowska-Sobczak, OpenLab fellow Database and Application Services RAC

RAC 10g on Linux Marta Jakubowska-Sobczak, OpenLab fellow Database and Application Services RAC overview RAC a cluster database with a shared cache and a shared storage architecture Setup example Interconnect infrastructure

1.41k views • 29 slides
Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes

Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes

Facultat d'Informtica de Barcelona Univ. Politcnica de Catalunya Administraci de Sistemes Operatius System monitoring

657 views • 27 slides
Order Statistics We often want to compute a median of a list of values. (It gives a more accurate

Order Statistics We often want to compute a median of a list of values. (It gives a more accurate

Order Statistics We often want to compute a median of a list of values. (It gives a more accurate picture than the average sometimes.) More generally, what element has position k in the sorted list? (For example, for percentiles or trimmed means.)

380 views • 13 slides
System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn

System Security I: Introduction TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University System Security 2 Security in computer systems Hardware (System)

838 views • 56 slides
XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam

XPath and XSLT without the pain! Bertrand Delacrtaz ApacheCon EU 2007, Amsterdam bdelacretaz@apache.org www.codeconsult.ch slides revision: 2007-05-04 Goal Learning to learn XPath and XSLT because it takes time... What is XML?

777 views • 33 slides

More recommend