Impersonation. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Transcription

1 Impersonation CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin March 1, 2011

2 Announcements Midterm next Tuesday March 8th Scope is course material up through today You can bring a single sheet of notes Two-sided, viewable w/o assistance (FYI: you might want to keep this for the final) My office hours the week of March 7th will be by appointment Guest lecture this Thursday (March 3rd), Prof. David Wagner Reminder, HW #2 due 5PM on Friday

3 Goals For Today A broad look at the problem of impersonation: threats based on something not being what it appears to be Web attacks: misleading users regarding their clicks Phishing: misleading users regarding with whom they are interacting CAPTCHAs: telling humans apart from bots Analyzing headers for legitimacy (time permitting)

4 Attacks on User Volition Browser assumes clicks & keystrokes = clear indication of what the user wants to do Constitutes part of the user s trusted path Attack #1: commandeer the focus of user-input Attack #2: mislead the user regarding true focus ( click-jacking )

5 Click-Jacking Demo #1: you think you re typing to a familiar app, but you re not (demo)

6 Click-Jacking Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are (demo)

7

8

9 Let s click here!

10 Click-Jacking Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are You might click on what the attacker wants no matter where you click! (demo)

11 Click-Jacking Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are Demo #3: you definitely meant to click somewhere else

12

13

14

15

16

17

18 Why Does Firefox Make You Wait? to keep you from being tricked into clicking!

19 Defending Against Clickjacking Main defense: frame busting Web site ensures that its vulnerable pages can t be included as a frame inside another browser frame

20 Attacker implements this by placing Twitter s page in a Frame inside their own page. Otherwise they wouldn t overlap.

21 Defending Against Clickjacking Main defense: frame busting Web site ensures that its vulnerable pages can t be included as a frame inside another browser frame So user can t be looking at it with something invisible overlaid on top nor have the site invisible above something else Conceptually implemented with Javascript like: if (top.location!= self.location) top.location = self.location; (Note: actually quite tricky to get this right!)

22 Related UI Sneakiness Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are Demo #3: you definitely meant to click somewhere else Demo #4: you ve got a lot on your mind (demo) 22

23 Related UI Sneakiness Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are Demo #3: you definitely meant to click somewhere else Demo #4: you ve got a lot on your mind (demo) Tabnabbing 23

24 Related UI Sneakiness Demo #1: you think you re typing to a familiar app, but you re not Demo #2: you don t think you re typing to a familiar app, but you are Demo #3: you definitely meant to click somewhere else Demo #4: you ve got a lot on your mind (demo) Tabnabbing Demo #5: you re living in The Matrix 24

25 Browser in Browser Apparent browser is just a fully interactive image generated by script running in real browser!

26 5 Minute Break Questions Before We Proceed?

27 Phishing

28

29

30

31

32

33

34 The Problem of Phishing Arises due to mismatch between reality & user s: Perception of how to assess legitimacy Mental model of what attackers can control Both and Web Coupled with: Deficiencies in how web sites authenticate In particular, replayable authentication that is vulnerable to theft How can we tell when weʼre being phished?

35

36

37 Check the URL before clicking? <a href=" onclick="location='

38

39 Exploits a misfeature in IE that interprets a number here as a 32-bit IP address

40 0xbd5947e3 = dig - x ; <<>> DiG APPLE- P2 <<>> - x ;; global options: +cmd ;; Got answer: ;; - >>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ; in- addr.arpa. IN PTR ;; ANSWER SECTION: in- addr.arpa IN PTR cliente.interjato.com.br. ;; AUTHORITY SECTION: in- addr.arpa IN NS ns2.interjato.com.br in- addr.arpa IN NS ns1.interjato.com.br. ;; Query time: 511 msec ;; SERVER: #53( ) ;; WHEN: Tue Mar 1 17:37: ;; MSG SIZE rcvd: 132

41 whois # The following results may also be obtained via: # e # NetRange: CIDR: /8 OriginAS: NetName: NET189 NetHandle: NET Parent: NetType: Allocated to LACNIC inetnum: /20 aut- num: AS28184 abuse- c: EMR5 owner: TECHNET NETWORKING LTDA ownerid: / responsible: Erich matos Rodrigues country: BR

42 Check the URL in address bar?

43

44

45 Homograph A;acks Interna=onal domain names can use interna=onal character set E.g., Chinese contains characters that look like /.? = A"ack: Legi=mately register var.cn buy legi=mate set of HTTPS cer=ficates for it and then create a subdomain: webapp unsec homepage.var.cn

46 Check for padlock?

47

48 Add a clever.favicon with a picture of a padlock

49 Check for green glow in address bar?

50 Check for everything?

51 Browser in Browser

52 Spear Phishing Targeted phishing that includes details that seemingly must mean it s legitimate

53 Yep, this is itself a spear-phishing attack!

54 Sophisticated phishing Context-aware phishing 10% users fooled Spoofed includes info related to a recent ebay transaction/listing/purchase Social phishing 70% users fooled Send spoofed appearing to be from one of the victim s friends (inferred using social networks) West Point experiment Cadets received a spoofed near end of semester: There was a problem with your last grade report; click here to resolve it. 80% clicked.

55 CAPTCHAs

56

57 CAPTCHAs Reverse Turing Test: present user a challenge that s easy for a human to solve, hard for a program to solve One common approach: distorted text that s difficult for character-recognition algorithms to decipher

58 Problems?

59 Issues with CAPTCHAs Inevitable arms race: as solving algorithms get better, defense erodes, or gets harder for humans

60

61 Issues with CAPTCHAs Inevitable arms race: as solving algorithms get better, defense erodes, or gets harder for humans Accessibility: not all humans can see! Granularity: not all bots are bad! (e.g., crawlers)

62 Issues with CAPTCHAs, con t If generating a CAPTCHA is somewhat expensive, the mechanism itself is a DoS vulnerability

63

64 Issues with CAPTCHAs, con t If generating a CAPTCHA is somewhat expensive, the mechanism itself is a DoS vulnerability Final problem: CAPTCHAs are inherently vulnerable to outsourcing attacks Attacker gets real humans to solve them

65

66

67

68 Analyzing Headers

69

70 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: Headers from ee.lbl.gov in (ee.lbl.gov the [ ]) message by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof for Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from id 1NfHf9-0002n7- Md for Wed, 10 Feb :51: To: Subject: RE: Russian spear phishing attack against.mil and.gov emp From: Message- Id: <E1NfHf9-0002n7- Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

71 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof for Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from To/Subject/From/etc. w63697 by uw03.uniweb.no are with completely local (Exim 4.66) (envelope- from under the attacker s control id 1NfHf9-0002n7- Md for vern@ee.lbl.gov; Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

72 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof for Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from Any w63697 headers by uw03.uniweb.no below them with may local also(exim 4.66) (envelope- from be under the attacker s control id 1NfHf9-0002n7- Md for vern@ee.lbl.gov; Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

73 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi This header tells us about the first delivery for Wed, 10 Feb :51: Received: hop. from uw03.uniweb.no It s supposedly (uw03.uniweb.no reported by [ ]) a by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof machine uw03.uniweb.no, but who knows for <vern@ee.lbl.gov>; Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from <w63697@uw03.uniweb.no>) id 1NfHf9-0002n7- Md for vern@ee.lbl.gov; Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

74 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) However, for headers for subsequent (single- drop); hops Wed, are 10 prepended. Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi So we for can start at the top of the headers, Wed, 10 Feb which :51:50 came Received: from our from trusted uw03.uniweb.no mailer, and (uw03.uniweb.no decide how [ ]) much trustworthy by ee.lbl.gov information (8.14.4/8.14.4) we can find with ESMTP id o1aipmof for <vern@ee.lbl.gov>; Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from <w63697@uw03.uniweb.no>) id 1NfHf9-0002n7- Md for vern@ee.lbl.gov; Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

75 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) This header by ee.lbl.gov is my (8.14.4/8.14.4) own system (vpmini.icir.org) with ESMTP id o1aipmof stating that it for retrieved the message Wed, from 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: mailhost.icsi.berkeley.edu. from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from I trust id vpmini.icir.org, 1NfHf9-0002n7- Md and therefore I believe the previous for vern@ee.lbl.gov; Wed, 10 Feb :51: To: hop vern@ee.lbl.gov really was mailhost.icsi.berkeley.edu. Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

76 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof for Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) mailhost.icsi.berkeley.edu is integrated with (envelope- from fruitcake.icsi.berkeley.edu id 1NfHf9-0002n7- Md (that s why the name is different for in vern@ee.lbl.gov; this header). Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: I trust jeffreyc@cia.gov the ICSI mailer, so I will trust this Received Message- Id: header too. <E1NfHf9-0002n7- Md@uw03.uniweb.no> It tells me that the prior hop was ee.lbl.gov Date: Wed, 10 Feb :51: X- Virus- Scanned: (which I also trust). clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

77 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi for Wed, 10 Feb :51: Received: from uw03.uniweb.no (uw03.uniweb.no [ ]) by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof for Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from ee.lbl.gov id 1NfHf9-0002n7- Md reports that the message came from for Wed, 10 Feb :51: uw03.uniweb.no. To: Subject: RE: Russian spear phishing attack against.mil and.gov emp From: I trust jeffreyc@cia.gov that information, but I do not trust that host. Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: So Wed, any 10 information Feb :51:47 from that point below is X- Virus- Scanned: untrustworthy. clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116

78 Delivery- Date: Wed Feb 10 10:51: Received: from mailhost.icsi.berkeley.edu [ ] by vpmini.icir.org with IMAP (fetchmail ) for (single- drop); Wed, 10 Feb :51:5 Received: from ee.lbl.gov (ee.lbl.gov [ ]) by fruitcake.icsi.berkeley.edu ( / ) wi However, for I have reliably learned Wed, that the 10 Feb message :51:50 was Received: sent by from a machine uw03.uniweb.no in Norway (uw03.uniweb.no probably [ ]) not where the by ee.lbl.gov (8.14.4/8.14.4) with ESMTP id o1aipmof CIA has a mail server! for <vern@ee.lbl.gov>; Wed, 10 Feb :51: (PST) Authentication- Results: ee.lbl.gov; sender- id=softfail header.from=j Received: from w63697 by uw03.uniweb.no with local (Exim 4.66) (envelope- from <w63697@uw03.uniweb.no>) id 1NfHf9-0002n7- Md for vern@ee.lbl.gov; Wed, 10 Feb :51: To: vern@ee.lbl.gov Subject: RE: Russian spear phishing attack against.mil and.gov emp From: jeffreyc@cia.gov Message- Id: <E1NfHf9-0002n7- Md@uw03.uniweb.no> Date: Wed, 10 Feb :51: X- Virus- Scanned: clamav- milter at ee.lbl.gov X- Virus- Status: Clean Content- Length: 1116