tripwire
play

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan - PowerPoint PPT Presentation

Dec 26, 2022 •301 likes •798 views

Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial

  1. Tripwire Inferring Internet Site Compromise Joe DeBlasio Stefan Savage UC San Diego Geoffrey M. Voelker Alex C. Snoeren

  2. On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial damage Compromise can come many sources Phishing, brute forcing, malware, password re-use 2

  3. On account compromise Compromise of email/social network/etc is devastating Personal/professional reputational, financial damage Compromise can come many sources Phishing, brute forcing, malware, password re-use 3

  4. Password re-use from data breaches Site A’s usernames and passwords exposed… …then attacker uses leaked credentials on unrelated Site B > 40% of users reuse passwords; 25% usually use only one [1] [1] Das, Anupam, et al. "The tangled web of password reuse." Symposium on Network and Distributed System Security (NDSS). 2014. 4

  5. Natural & valuable target: email accounts Most sites have email address Natural to try password on email Email accounts are valuable https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ 5

  6. 6

  7. We have no idea how many sites are compromised This work: getting more insight into compromise prevalence 7

  8. Detecting site compromise Publicly known compromises are attacker- or site-identified But what about when - attackers are quiet, and - sites cannot or will not help? 3rd party detection may expose additional compromises 8

  9. Tripwire Technique for 3 rd -party compromise detection using password re-use attacks 9

  10. Tripwire : detecting compromise via re-use attacks 1. Partner with a major email provider Create many distinct email accounts to act as honeypots A@ PW1 Email B@ Provider PW2 C@ PW3 10

  11. Tripwire : detecting compromise via re-use attacks 2. Register for accounts on services you want to monitor Unique email per site, password shared between them A@ Site A PW1 Email B@ Site B Provider PW2 C@ Site C PW3 11

  12. Tripwire : detecting compromise via re-use attacks 3. Monitor email accounts for login A@ Site A PW1 Email B@ Site B Provider PW2 C@ Site C PW3 12

  13. Tripwire : detecting compromise via re-use attacks 3. Monitor email accounts for login A@ Site A PW1 Email B@ Site B Provider PW2 C@ Site C PW3 🍰 @ PW3 13

  14. Tripwire : detecting compromise via re-use attacks 3. Monitor email accounts for login Email logins indicate compromise of corresponding site A@ Site A PW1 Email B@ Site B Provider PW2 C@ Site C PW3 🍰 @ PW3 14

  15. Tripwire : our contribution Proof of concept implementation & study ~2300 sites under measurement; prototype crawler Fresh compromises detected 19 compromises over 24 months; only one previously public Large and small sites affected Largest site has ~50m users; >100m users impacted across Today’s plan: Registration , Compromises , Disclosure 15

  16. Ethical considerations We did not receive consent from sites under measurement (doing so may compromise integrity and is impractical) We believe that technical burden on sites is low (created few accounts, accounts unused, rate-limited) We have obscured compromised sites’ identities (limits reputational damage from involuntary inclusion) We consulted our group’s & institution’s counsel 16

  17. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Tripwire Process 17

  18. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Full identity created e.g. full name, address, phone, mother’s maiden name, etc. Plausible usernames AngryNeighbor1234 Two types of passwords - “Easy to crack” Website1 - “Hard to crack” QpFAiy5BfB 18

  19. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Multiple accounts with differing PW strengths allows inference of breach severity Only accounts with easy passwords accessed? Breach contained well-hashed passwords. Accounts with hard and easy passwords accessed? Plain text or weak hashing. 19

  20. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Send usernames and passwords to email provider Provider creates matching email accounts Availability of username used as proxy for global availability 20

  21. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Automated crawler registers for accounts Best effort! Developers try to make this process hard to automate! Skips ineligible, confusing, or non-English sites e.g. can not support sites that require a credit card, fails complicated CAPTCHAs. 21

  22. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Crawler provided URL and identity URLs from Alexa rankings; crawled approximately top 30k PhantomJS-based, Javascript-capable crawler Load page → Find registration → Fill form → Email verification If succeeds, registers again with additional identity (with different password type) 22

  23. Generate Create email Register on Monitor UNs / PWs accounts websites accounts Email provider monitors ALL created accounts for logins Reports back all successful logins events Provider does not know what accounts have been used Provider only has list of all usernames >100k unused email accounts– none were ever accessed Strong evidence that email provider was not breached 23

  24. Sites Monitored Of ~30k sites considered ~45% are not in English ~20% fail to load or are otherwise ineligible Crawler succeeds on ~20% of eligible sites: 2,300 sites total So, what did we find? ~1% of sites measured were compromised! 24

  25. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 25

  26. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 BitcoinTalk.org 26

  27. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 BitcoinTalk.org used salted sha256_crypt 27

  28. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 Hard Passwords Accessed 28

  29. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 Alexa < 500 in home country 29

  30. Hard? Alexa* Category Hard? Alexa* Category ✔ ✔ A 500 Deals K 20500 Classifieds B 8500 Gaming L 11000 Adult ✔ C 5500 BitTorrent M 20000 Vacations ✔ D 20500 Wallpapers N 11500 Gaming E 16000 Gaming O 18000 Outdoors F 18500 Gaming P ? 1500 Adult ✔ ✔ G 17500 RSS Feeds Q 22000 Tourism ✔ ✔ H 17500 Marketing R 22500 Press ✔ I 7500 Horoscopes S 4000 BTC Forum ✔ J 20500 Gaming * Rounded up to nearest 500 Same company; >30m users 30

  31. Login Activity More than 1750 distinct account accesses Most via IMAP, but also SMTP, POP, web and mobile API Most accounts are not abused– little indication to user ~25% used for spam; one password changed 31

  32. A (2) B (83) C (27) D (99) ( (22) CRPSrRPLsHG 6LtH ) (119) G (243) H (90) I (152) J (11) K (4) / (9) 0 (570) 1 (23) 2 (1) 3 (3) 4 (27) KDrG 5 (77) HDsy 6 (6) 7/15 9/15 11/15 1/16 3/16 5/16 7/16 9/16 11/16 1/17 DDtH

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

STEP 3: OPTIMIZE THE TRIPWIRE OFFER An irresistible, super- WHAT IS A low-ticket offer that

STEP 3: OPTIMIZE THE TRIPWIRE OFFER An irresistible, super- WHAT IS A low-ticket offer that

STEP 3: OPTIMIZE THE TRIPWIRE OFFER An irresistible, super- WHAT IS A low-ticket offer that exists for one reason TRIPWIRE? and one reason only to convert prospects into BUYERS! In other words, Tripwires change relationships

799 views • 44 slides
TRIPWIRE ENTERPRISE SERVER - UBIT Tech Review February 2019 John Ball

TRIPWIRE ENTERPRISE SERVER - UBIT Tech Review February 2019 John Ball

TRIPWIRE ENTERPRISE SERVER - UBIT Tech Review February 2019 John Ball john@buffalo.edu 1 What is Tripwire? Enterprise Security Configuration Management (SCM) tool Standards Compliance software - File

155 views • 11 slides
STEP 2: OPTIMIZE THE LEAD MAGNET 1 Lead Magnet Whats your number? 2 Tripwire

STEP 2: OPTIMIZE THE LEAD MAGNET 1 Lead Magnet Whats your number? 2 Tripwire

STEP 2: OPTIMIZE THE LEAD MAGNET 1 Lead Magnet Whats your number? 2 Tripwire Want to get coffee? 3 Core Offer Can I take you to dinner? 4 Profit Maximizer Will you marry me? 5 Return Path (Flowers, date

586 views • 27 slides
Using Tripwire to check cluster system integrity Elio P erez Calle Miguel C ardenas Montes

Using Tripwire to check cluster system integrity Elio P erez Calle Miguel C ardenas Montes

Using Tripwire to check cluster system integrity Elio P erez Calle Miguel C ardenas Montes Francisco Javier Rodr guez Calonge CIEMAT Madrid, Spain Computing in High Energy Physics Interlaken, Switzerland, 2004 P erez Calle, C

132 views • 9 slides
COMPUTER SYSTEMS PROGRAMMING CS201 Hello! Im Chris Kim . Im a software engineer at

COMPUTER SYSTEMS PROGRAMMING CS201 Hello! Im Chris Kim . Im a software engineer at

COMPUTER SYSTEMS PROGRAMMING CS201 Hello! Im Chris Kim . Im a software engineer at Tripwire. I studied Computer Science here at PSU. 2 Kimchi 3 ABOUT THIS Why are we COURSE here? 4 ABOUT THIS COURSE This course gives you an

398 views • 20 slides
Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris

Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris

Camera Trapping + ML Benjamin C. Evans Dr. Allan Tucker Brunel University London Dr. Chris Carbone Instute of Zoology @ ZSL Camera Trapping? Automacally triggered cameras Triggers include Infrared (most common) Tripwire Timer

427 views • 11 slides
Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion

Intrusion Detection System Amir Hossein Payberah payberah@yahoo.com 1 Contents Intrusion Detection Systems Tripwire Snort 2 IDS (Definition) Intrusion Detection is the process of monitoring the events occurring in a computer

571 views • 30 slides
Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael Assante President, NBISE David H. Tobey, Ph.D. Director of Research The Need for Cyber Defenders &quot;Everywhere I go, across the country, CEOs and

595 views • 27 slides
Homeland Security Exercise Evaluation Program (HSEEP) Pat Anders Manager, Health Emergency

Homeland Security Exercise Evaluation Program (HSEEP) Pat Anders Manager, Health Emergency

Homeland Security Exercise Evaluation Program (HSEEP) Pat Anders Manager, Health Emergency Preparedness Exercises Office of Health Emergency Preparedness 2 Target Audience The target audience for HSEEP training includes: Exercise Planning

1.5k views • 96 slides
Upgrading Distribution Resilience: A DOE-OE Solicitation Tuesday, April 7, 2015 Hosted by Todd

Upgrading Distribution Resilience: A DOE-OE Solicitation Tuesday, April 7, 2015 Hosted by Todd

Energy Storage Technology Advancement Partnership (ESTAP) Webinar: Upgrading Distribution Resilience: A DOE-OE Solicitation Tuesday, April 7, 2015 Hosted by Todd Olinsky-Paul ESTAP Project Director, CESA Housekeeping State &amp; Federal

828 views • 58 slides
Use Case Analysis for Smart Cities and Communities Gyu Myoung Lee ITU-T Chair of FG-DPM, WP3/13

Use Case Analysis for Smart Cities and Communities Gyu Myoung Lee ITU-T Chair of FG-DPM, WP3/13

Workshop on Smart Sustainable Cities Samarkand, Uzbekistan, 1-2 June 2017 Use Case Analysis for Smart Cities and Communities Gyu Myoung Lee ITU-T Chair of FG-DPM, WP3/13 Co-chair, Q16/13 and Q4/20 Rapporteur LJMU UK/ KAIST Korea

829 views • 26 slides
Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo,

Forward Error Correction using Erasure Codes using Erasure Codes Reference : L. Rizzo, Effective Erasure Codes for Reliable Computer Communication Protocols, ACM p SIGCOMM Computer Communication Review , April 1997 Erasure codes (Simon

705 views • 25 slides
Generic RTP Payload Format for Forward Error Correction in Video Applications

Generic RTP Payload Format for Forward Error Correction in Video Applications

Generic RTP Payload Format for Forward Error Correction in Video Applications draft-bsong-avt-rtp-gfec-00.txt Hao Qin hqin@mail.xidian.edu.cn Summary Aim: To reduce the impact of packet loss to a video receiver. Solution:

328 views • 8 slides
Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers

Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers

ATP TCP Reducing the Latency-Tail of Short-Lived Flows: Adding Forward Error Correction in Data Centers Klaus-Tycho Foerster Demian Jaeger David Stolz Roger Wattenhofer ETH Zurich 1 Time is Money 2 Datacenter Traffic S. Kandula et al.,

138 views • 10 slides
Protect your Bits: An introduction to gr-fec FOSDEM 19, Free Software Radio Devroom Martin

Protect your Bits: An introduction to gr-fec FOSDEM 19, Free Software Radio Devroom Martin

Protect your Bits: An introduction to gr-fec FOSDEM 19, Free Software Radio Devroom Martin Braun Representin Ettus Research &amp; GNU Radio Forward Error Correction 101 In the 1940s, Shannon came up with most of the theory we use

475 views • 20 slides
Peer-to-Peer Networks 12 Fast Download, Part II Arne Vater Technical Faculty Computer Networks

Peer-to-Peer Networks 12 Fast Download, Part II Arne Vater Technical Faculty Computer Networks

Peer-to-Peer Networks 12 Fast Download, Part II Arne Vater Technical Faculty Computer Networks and Telematics University of Freiburg Forward Error Correction uses plain blocks for distribution plus k linearly independent code blocks -

361 views • 13 slides
X-Lap : A Systems Approach for Cross-Layer Profjling and Latency Analysis for Cyber-Physical

X-Lap : A Systems Approach for Cross-Layer Profjling and Latency Analysis for Cyber-Physical

X-Lap : A Systems Approach for Cross-Layer Profjling and Latency Analysis for Cyber-Physical Networks RTN 2017 Stefan Reif, Timo Hnig, Wolfgang Schrder-Preikschat Department of Computer Science 4 (Distributed Systems and Operating Systems)

682 views • 36 slides
Mbone Jitter Characteristics Media Repair Taxonomy Media Repair Sender Based Receiver Based

Mbone Jitter Characteristics Media Repair Taxonomy Media Repair Sender Based Receiver Based

Overview A Survey of Packet-Loss Recovery Techniques Colin Perkins, Orion Hodson and Vicky Hardman Department of Computer Science University College London (UCL) Development of IP Multicast London, UK Light-weight session

569 views • 7 slides
CS24 FRESHMAN SEMINAR FOR CS SCHOLARS WEEK 10 - NETWORKING U N I V E R S I T Y O F C A L I F

CS24 FRESHMAN SEMINAR FOR CS SCHOLARS WEEK 10 - NETWORKING U N I V E R S I T Y O F C A L I F

Spring 2015 - Berkeley, CA CS24 FRESHMAN SEMINAR FOR CS SCHOLARS WEEK 10 - NETWORKING U N I V E R S I T Y O F C A L I F O R N I A - B E R K E L E Y 31 M A R C H 2 015 2 TELEGRAPH AND BANCROFT (1960) 3

448 views • 21 slides
BATS: Achieving the Capacity of Networks with Packet Loss Raymond W. Yeung Institute of Network

BATS: Achieving the Capacity of Networks with Packet Loss Raymond W. Yeung Institute of Network

BATS: Achieving the Capacity of Networks with Packet Loss Raymond W. Yeung Institute of Network Coding The Chinese University of Hong Kong Joint work with Shenghao Yang (IIIS, Tsinghua U) R.W. Yeung (INC@CUHK) BATS Codes 1 / 29 Outline

700 views • 32 slides
Coding for loss tolerant systems Workshop APRETAF, 22 janvier 2009 Mathieu Cunche, Vincent Roca

Coding for loss tolerant systems Workshop APRETAF, 22 janvier 2009 Mathieu Cunche, Vincent Roca

Coding for loss tolerant systems Workshop APRETAF, 22 janvier 2009 Mathieu Cunche, Vincent Roca INRIA, quipe Plante INRIA Rhne-Alpes Mathieu Cunche, Vincent Roca The erasure channel Erasure codes Reed-Solomon codes LDPC

543 views • 26 slides
DP-QPSK Receiver OPTI 500, Spring 2012, Lecture 16, Coherent Transmitters and Receivers 1

DP-QPSK Receiver OPTI 500, Spring 2012, Lecture 16, Coherent Transmitters and Receivers 1

DP-QPSK Receiver OPTI 500, Spring 2012, Lecture 16, Coherent Transmitters and Receivers 1 Discovery Semiconductor Coherent Transmitter OPTI 500, Spring 2012, Lecture 16, Coherent Transmitters and Receivers 2 Discovery Semiconductor

430 views • 5 slides
Reliable Communication for Datacenters Mahesh Balakrishnan Cornell University Mahesh

Reliable Communication for Datacenters Mahesh Balakrishnan Cornell University Mahesh

Maelstrom Ricochet Conclusion Reliable Communication for Datacenters Mahesh Balakrishnan Cornell University Mahesh Balakrishnan Reliable Communication for Datacenters Maelstrom Ricochet Conclusion Datacenters Internet Services (90s)

1.03k views • 89 slides
Computing and Communications 1. Introduction Ying Cui Department of Electronic Engineering

Computing and Communications 1. Introduction Ying Cui Department of Electronic Engineering

1896 1920 1987 2006 Computing and Communications 1. Introduction Ying Cui Department of Electronic Engineering Shanghai Jiao Tong University, China 2018, Autumn 1 COURSE INFORMATION 2 Lecture Time: Monday 8:00-9:40am, Sep 10-Dec 24

662 views • 39 slides

More recommend