Online (in)security: The current threat landscape Nikolaos Tsalis

Size: px

Start display at page:

Download "Online (in)security: The current threat landscape Nikolaos Tsalis"

Susan Maxwell
5 years ago
Views:

1 Online (in)security: The current threat landscape Nikolaos Tsalis November 2015

gr) Information Security & Critical Infrastructure

2 Online (in)security: The current threat landscape Nikolaos Tsalis Information Security & Critical Infrastructure Protection Laboratory Dept. of Informatics, Athens University of Economics & Business

3 Background Info Information Security & Critical Infrastructure Protection (INFOSEC) Laboratory Dept. of Informatics, Athens University of Economics & Business, Greece Research topics Critical Information Systems Security Web Security Cloud Computing Smartphone Forensics Security and Privacy in Online Social Networks 3

4 Topics at a glance 1. Introduction 2. Part 1 Browser Controls Methodology Proposed categorization Results 3. Part 2 Security and privacy add-ons Methodology Observations Proposed categorization Results 4. Part 3 Phishing and malware protection Methodology Results 5. Conclusions 4

5 OWASP Top 10 5

6 What about the average user? Does she know if there are any available security mechanisms? Does she know which are they? Does she know how to use them properly? Are they effective? 6

7 Tested browsers 7

8 Methodology Browser controls (n=32) Enumeration of browsers : graphical interfaces and available hidden menus if any e.g. about:config in Mozilla Firefox 8

Proposed categorization Content controls Privacy controls Browser management controls Third-party software controls Web browsing controls Block location data Browser update Auto

Disable Java Disable JavaScript Disable plugin Malware protection Modify user-agent Phishing protection External plugin check SSL/TLS version selection Block pop-ups Private

9 Proposed categorization Content controls Privacy controls Browser management controls Third-party software controls Web browsing controls Block location data Browser update Auto update extensions Certificate warning Block cookies Block referrer Certificate manager Block third-party cookies Proxy server Enable DNT Search engine manager History manager Disable Java Disable JavaScript Disable plugin Malware protection Modify user-agent Phishing protection External plugin check SSL/TLS version selection Block pop-ups Private browsing Local blacklist Disable extension Master password Block images Auto update plugins Task manager Manually update extensions Manually update plugins Report rogue Website Website checking 9

10 Results 40.00% 35.00% 34.40% 30.00% 25.00% 20.00% 15.00% 10.00% 5.00% 15.65% 21.90% 12.50% 25% 0.00% Apple Safari Google Chrome Internet Explorer Mozilla Firefox Opera Unavailable controls 10

11 Methodology Browser add-ons (n=227) Enumeration of browsers security and privacy add-ons, that were available in each repository. Browser Safari Chrome Internet Explorer No 38 N/A (65) 7 Firefox 1327 (65) Opera 52 11

12 Observations Variety of available add-ons for each browser Confusing grouping of add-ons in repository 1 st level categorization 2 nd level categorization Safari Firefox None Opera 12

13 Proposed Categorization 1. Content filtering: Block content (advertisements, cookies, images, pop-ups, etc.) 2. Parental control: Includes traffic filters to block websites containing inappropria te material 3. Passwords: Generators Managers 4. Plain proxy: Simple proxy without any encryption included 5. Privacy: Privacy protection add-ons (e.g. privacy settings manager) 6. Protection from rogue websites: Antivirus blacklists Malware blacklists Phishing blacklists Reputation blacklists Sandbox 7. Third-party software management: Blocking thirdparty software (e.g. Flash, Java, JavaScript, etc.) 8. Tracking: Blocking website(s) that track user s online behavior Social Media (SM) redirection 9. Traffic encryption via proxy: Proxy that encrypts user s traffic 13

14 Results Traffic encryption via proxy 2.63% 26.32% Tracking Privacy 0% Plain proxy 36.84% Passwords Passwords 18.42% Parental Control Content Filtering 5.26% 7.70% 20.00% Protection from rogue sites 10.53% Privacy Plain proxy Third-party software 18.42% Protection from rogue sites 15.40% Tracking 5.26% Third-party software 12.30% Traffic encryption via proxy 7.70% 8% 15.40% 23.00% Parental Control Content Filtering 15.40% 14

15 Results Traffic encryption via proxy 11.00% 42.00% Tracking Third-party software 13.00% 24.00% Privacy Plain proxy 13% Content Filtering 5.77% Protection from rogue sites 23.08% Privacy 23.08% Plain proxy 4% 15.00% Passwords Parental Control 28.85% Tracking Third-party software 18.00% Protection from rogue sites 13.46% Traffic encryption via proxy 21.15% Passwords 8.00% Parental Control 39.00% Content Filtering 5.77% 15.38% 15

16 25.00% 25.00% 19.34% 18.40% 14.15% 8.49% Content Filtering Parental Control 7.07% 6% Passwords Plain proxy 9.43% Privacy Protection Third-party from rogue software sites Tracking Traffic encryption via proxy 16

4 Phishing and malware protection Safari Mobile To evaluate the protection against phishing Chrome Mobile Opera Mini attacks, we collected phishing

17 Methodology Browser ios Android Phishing and malware protection Safari Mobile To evaluate the protection against phishing Chrome Mobile Opera Mini attacks, we collected phishing URLs that were reported by PhishTank. To evaluate the protection against malware attacks, we used the open source Collective Intelligence Framework (CIF), which allows the collection and analysis of malicious threat information from a large number of trusted sources Browser Firefox Mobile Opera Mobile Windows 7 Chrome Firefox Internet Explorer Opera 'Browser' is the pre-installed browser in Android 17

Phishing URL Detection 100.00% 90.00% 80.00% 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00% 48.40% 41.70% 77.90% 13.70% 9.90% 8.40% 93.00% 86.70% 76% 16% 5.70% 5.90% 7.30% 8% 1.

18 Phishing URL Detection % 90.00% 80.00% 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 0.00% 48.40% 41.70% 77.90% 13.70% 9.90% 8.40% 93.00% 86.70% 76% 16% 5.70% 5.90% 7.30% 8% 1.30% IE (Win) Opera (Win) Chrome (Win) Firefox (Win) Opera Mobile (Android) 85.40% 11.10% 3.40% Firefox Mobile (Android) 38.70% 34.90% 26.40% Safari Mobile (ios) Blocked False Negatives Non Phishing 18

19 Malicious URL Detection 70.00% 60.00% 50.00% 40.00% 30.00% 20.00% 10.00% 40.90% 30.00% 12.90% 58.30% 29.10% 28.90% 20.00% 39.40% 40.60% 5.00% 52.10% 42.90% 11.90% 48.80% 39.40% 9.90% 45.80% 44.30% 0.00% IE (Win) Opera (Win) Chrome (Win) Firefox (Win) Opera Mobile (Android) Firefox Mobile (Android) Blocked False Negatives Non Phishing 19

20 Conclusions There is an adequate amount of controls available for the average user Although, it is still unclear if: Alice knows which are they how to use them and If these mechanisms offer a proper level of protection All comes down to the user 20

21 I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, Nothing -- you're screwed. Bruce Schneier 21

22 References 1. Theoharidou, M., Tsalis, N., Gritzalis, D., In Cloud we trust: Risk-assessment-as-a-service, in Proc. of the 7 th IFIP International Conference on Trust Management, pp , Springer (AICT 401), Spain, Tsalis N., Mylonas A., Gritzalis D., An intensive analysis of the availability of security and privacy browser add-ons, in Proc. of the 10 th International Conference on Risks and Security of Internet and Systems (CRISIS-2015), Springer (LNCS), Greece, Tsalis N., Virvilis N., Mylonas A., Apostolopoulos A., Gritzalis D., Browser blacklists: A utopia of phishing protection, in Security and Cryptography, M. Obaidad and A. Holzinger (Eds.), Lecture Notes (CCIS), Springer, Tsalis, N., Theoharidou, M., Gritzalis, D., Return on security investment for Cloud platforms, in Proc. of the Economics of Security in the Cloud Workshop, pp , IEEE Press, United Kingdom, Virvilis N., Mylonas A., Tsalis N., Gritzalis D., "Security busters: Web browser security vs. rogue sites", Computers & Security, Vol. 52. pp , July Virvilis, N., Tsalis, N., Mylonas, A., Gritzalis, D., "Mobile devices: A phisher's paradise", in Proc. of the 11 th International Conference on Security and Cryptography (SECRYPT-2014), pp , ScitePress, Austria,

Security and privacy in the smartphone ecosystem: Final progress report

Security and privacy in the smartphone ecosystem: Final progress report Alexios Mylonas Athens University of Economics & Business Overview 2 Research Motivation Related work Objective Approach Methodology