Trust and Semantic Attacks - II Ponnurangam Kumaraguru

Trust and Semantic Attacks - II
Ponnurangam Kumaraguru, Computation, Organizations and Society, Carnegie Mellon University, Feb 23rd
CMU Usable Privacy and Security Laboratory

Outline
- Summary of part I
- Semantic attacks
- Phishing
- User studies
- Task

What is trust?
- No single definition
- Depends on the situation and the problem
- Many models developed, very few models evaluated

Trust models
- Positive antecedents: benevolence, comprehensive information, credibility, familiarity, good feedback, propensity, reliability, usability, willingness to transact
- Negative antecedents: risk, transaction cost, uncertainty

Security Attacks: Waves
- Physical: attack the computers, wires and electronics (e.g. physically cutting the network cable)
- Syntactic: attack the operating logic of the computers and networks (e.g. buffer overflows, DDoS)
- Semantic: attack the user, not the computers (e.g. phishing)

Security Attacks (contd.)
- Lance James, Phishing Exposed: semantic attacks target the way we, as humans, assign meaning to content.
- System and mental model

Phishing Basics (1)
- Pronounced "fishing"
- Scam to steal personal information; also known as brand spoofing
- Official-looking email sent to potential victims, pretending to be from their ISP, retail store, etc.
- One form of semantic attack

Phishing Basics (2)
- A link in the message directs the user to a web page that asks for financial information; the page looks genuine
- Emails are sent to people on selected lists or to any list; some percentage of recipients will actually have an account
- Phishing kit: a set of software tools that helps a novice phisher imitate the target web site and make mass mailings
(From Computer Desktop Encyclopedia)

Phish example (screenshot)

Phishing
- Successful phishing depends on a discrepancy between the way a user perceives a communication and the actual effect of the communication.
- "Phishing is a form of online identity theft that employs both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials." - APWG
- "The act of sending a forged email (using a bulk mailer) to a recipient, falsely mimicking a legitimate establishment in an attempt to scam the recipient into divulging private information such as credit card numbers or bank account passwords." - Phishing Exposed

Phishing: A Growing Problem
- Over 16,000 unique phishing attacks reported in Nov. 2005, about double the number from 2004
- "Illegal access to checking accounts, often gained via phishing scams, has become the fastest-growing form of consumer theft in the United States, accounting for a staggering $2.4 billion in fraud in the previous 12 months." - Gartner, late
- Additional losses due to consumer fears

Phishing Trends, Dec 2005 (charts)

Phishing Trends, Dec 2005 (contd.)
- Number of unique phishing reports received in December:
- Number of unique phishing sites received in December: 7197
- Number of brands hijacked by phishing campaigns in December: 121 (highest)
- Average time online for a site: 5.3 days
- Longest time online for a site: 31 days

Phishing attacks: why they succeed
- Lack of knowledge: lack of computer system knowledge; lack of knowledge of security and security indicators (security locks, browser chrome, SSL certificates)
- Visual deception: visually deceptive text (vv for w, l for I, 0 for O); images masking underlying text; windows masking underlying windows; deceptive look and feel
- Bounded attention: lack of attention to security indicators (security is a secondary goal); lack of attention to the absence of security indicators

Why Phishing Works
- Goal: what makes a bogus website credible?
- Methods: within-subjects design; analysis of about 200 phishing attacks from an anti-phishing archive; usability study of 22 participants on 20 websites to determine which are fraudulent
- Analysis: good phishing websites fooled 90% of participants; on average, subjects made mistakes 40% of the time

Why Phishing Works (contd.)
- Conclusions: existing browsing cues are ineffective; participants proved vulnerable to phishing attacks; lack of knowledge of web fraud; erroneous security knowledge
- Suggestions: understand what humans do well and what they do not do well; help users distinguish legitimate from spoofed websites

Do Security Toolbars Actually Prevent Phishing Attacks?
- Goal: evaluate the security toolbar approach to fighting phishing
- Methods: between-subjects design; subjects act as John Smith's personal assistant and process 20 emails from John
- Toolbars tested: neutral-information, SSL verification, system decision

Spoofstick
- Displays the real domain name (slide example: wws2.us)
- Customizable color and size

Netcraft
- Displays domain registration date, hosting name and country, and popularity among other users
- Traps suspicious URLs with deceptive characters
- Enforces display of browser navigational controls

Trustbar
- Makes a secure connection more visible by displaying logos of the website
- Allows you to assign a name and/or logo for each of these sites

eBay Account Guard
- Green indicates the current site is eBay or PayPal, red is a known phishing site, gray is for all other sites

Spoofguard
- Calculates a spoof score from previous attacks
- Red for hostile, yellow for middle, green for safe

Do Security Toolbars Actually Prevent Phishing Attacks? (contd.)
- Analysis: 34% of the subjects provided information even after notification; 25% of the subjects did not notice the toolbars at all
- Conclusions: spoof scores of all the toolbars are greater than 0; some toolbars would have better spoof rates than others
- Potential drawbacks
- Suggestions: active interruptions are effective; tutorials are effective; knowing the user's intentions will be effective; user intentions should be respected

Take away points
- Phishing is effective
- Humans are involved: human interaction with interfaces, social context
- Need better user interfaces
- Need more understanding of users' decision making process
- Need education and expertise

Task - Definition
- Vulnerability: susceptibility to injury or attack (e.g. clicking on the link in the email, giving username and password, etc.)

Task
User type | Vulnerability
Geek      | Low
Expert    | Low
Savvy     | Medium
Novice    | High

Design the specifications of a system to train each user type about phishing attacks and help them make trust decisions.

Bibliography

Thanks to the Supporting Trust Decision project members.
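The "Visual deception" list (vv for w, l for I, 0 for O) and what Spoofstick surfaces (the real domain behind a deceptive hostname) can be turned into a small defender-side check. The Python below is an added example, not code from the slides or from any of the toolbars discussed; the brand list, the skeleton rules and the "last two labels" rule for the registrable domain are all assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed brand list for this example (assumption, not from the slides).
KNOWN_BRANDS = ("paypal.com", "ebay.com")

# Substitutions the "Visual deception" slide lists (vv for w, l for I, 0 for O),
# plus 1 for l. Suspect domain and brand are reduced with the same rules, so a
# lookalike collapses onto the brand it imitates.
SKELETON_RULES = (("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))


def skeleton(name: str) -> str:
    """Canonical form in which visually confusable names compare equal."""
    s = name.lower()
    for src, dst in SKELETON_RULES:
        s = s.replace(src, dst)
    return s


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def real_domain(url: str) -> str:
    """Registrable domain the browser actually connects to (what Spoofstick shows).
    Assumption: the last two labels; a public-suffix list is needed for e.g. co.uk."""
    labels = host_of(url).split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(url: str) -> tuple:
    """Return (verdict, detail) with verdict 'known', 'lookalike' or 'unknown'."""
    domain = real_domain(url)
    if domain in KNOWN_BRANDS:
        return "known", domain
    leading_labels = host_of(url).split(".")[:-2]
    for brand in KNOWN_BRANDS:
        brand_label = brand.split(".")[0]
        # Brand name placed as a subdomain of some other registrable domain
        if brand_label in leading_labels:
            return "lookalike", f"'{brand_label}' is a subdomain of {domain}"
        # Same skeleton but a different domain: confusable-character spoof
        if skeleton(domain) == skeleton(brand):
            return "lookalike", f"{domain} imitates {brand}"
    return "unknown", domain


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "http://paypa1.com/login",
              "http://www.paypal.com.account-check.example/", "http://ebay-login.example/"):
        print(u, "->", classify(u))
```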