Phishing
markus.jakobsson@parc.com
Conventional Aspects of Security
• Computational assumptions
– E.g., existence of a one-way function, RSA assumption, Decision Diffie-Hellman
• Adversarial model
– E.g., access to data/hardware, ability to corrupt, communication assumptions, goals
• Verification methods
– Cryptographic reductions to assumptions, BAN logic
• Implementation aspects
– E.g., will the communication protocol leak information that is considered secret in the application layer?
The human factor of security: deceit, neglect, configuration
The human factor: configuration
Weak passwords
With Tsow, Yang, Wetzel: “Warkitting: the Drive-by Subversion of Wireless Home Routers” (Journal of Digital Forensic Practice, Volume 1, Special Issue 3, November 2006)
[Figure: warkitting flow: wardriving, wireless update, rootkitting of router firmware, wireless settings; the altered setting shown is “Use DNS server x.x.x.x”]
[Chart: success rate (0–70%) by sender and recipient: From Any / From Female / From Male, To Any / To Female / To Male]
Reality: [diagram of the real flow between A, B and eBay, steps 1–4, ending with credentials]
Ethical and accurate assessments
With Ratkiewicz: “Designing Ethical Phishing Experiments: A study of (ROT13) rOnl auction query features” (WWW, 2006)
Attack: [diagram: step 1, spoofed message from A to B; step 2, B returns credentials]
Experiment: [diagram of the ethical variant between A, B and eBay, steps 1–5, with the spoof at step 3 and credentials at step 4]
Yield (incl. spam filtering loss): 11% ± 3% … “eBay greeting” removed: same
Mutual authentication in the “real world”
With Tsow, Shah, Blevis, Lim: “What Instills Trust? A Qualitative Study of Phishing” (Abstract at Usable Security, 2007)
starting with 4901
How does the typical Internet user identify phishing?
Spear Phishing and Data Mining
Current attack style: [diagram of mined relationships: “Little” Jimmy, their marriage, his parents’ license]
Why?
Password Reset:
Typical Questions
• Make of your first car
• Mother’s maiden name
• City of your birth
• Date of birth
• High school you graduated from
• First name of your / your sister’s best friend
• Name of your pet
• How much wood would a woodchuck …
Problem 1: Data Mining
• Make of your first car?
– Until 1998, Ford had >25% market share
• First name of your best friend?
– 10% of males named James (Jim), John, or Robert (Bob or Rob) + Facebook does not help
• Name of your first / favorite pet?
– Top pet names are online
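As an added illustration (not from the deck), the guessability argument above carried through on constructed answer distributions: how often an attacker with k guesses per question succeeds by trying popular answers first, and which question a defender should prefer by min-entropy. The distributions are made up for the example, loosely shaped like the deck's observations.

```python
from math import log2

# Constructed answer distributions (illustrative, not survey data). The
# "other" bucket holds the long tail, which is not a single guessable answer.
CAR_MAKE = {"Ford": 0.25, "Chevrolet": 0.15, "Toyota": 0.12, "Honda": 0.10, "other": 0.38}
BEST_FRIEND = {"James": 0.04, "John": 0.03, "Robert": 0.03, "Michael": 0.03, "other": 0.87}
PET_NAME = {"Max": 0.03, "Buddy": 0.02, "Bella": 0.02, "other": 0.93}


def named_probs(dist):
    """Probabilities of the individually guessable answers, most popular first."""
    return sorted((p for a, p in dist.items() if a != "other"), reverse=True)


def top_k_success(dist, k):
    """Success probability of an attacker who knows nothing about the victim
    and spends k guesses on the k most popular answers."""
    return sum(named_probs(dist)[:k])


def min_entropy_bits(dist):
    """Min-entropy, -log2 of the single most likely answer: the figure that
    matters against a guessing attacker (Shannon entropy overstates strength)."""
    return -log2(named_probs(dist)[0])


def reset_success(dists, k):
    """A reset flow that demands every question, each allowing k guesses.
    Answers are assumed independent, so the probabilities multiply."""
    p = 1.0
    for d in dists:
        p *= top_k_success(d, k)
    return p


def rank_questions(named):
    """Rank questions strongest first by min-entropy; input is {label: dist}."""
    return sorted(((q, min_entropy_bits(d)) for q, d in named.items()),
                  key=lambda qb: qb[1], reverse=True)


if __name__ == "__main__":
    qs = {"first car": CAR_MAKE, "best friend": BEST_FRIEND, "pet name": PET_NAME}
    for k in (1, 3):
        print(f"k={k}: car {top_k_success(CAR_MAKE, k):.2f}, "
              f"all three {reset_success(list(qs.values()), k):.4f}")
    print(rank_questions(qs))
```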
Problem 2: People Forget
http://www.democratic-party.us/LiveEarth
Countermeasures?
• Technical
– Better filters
– CardSpace
– OpenId
• Educational
– SecurityCartoon
– Suitable user interfaces
• Legal
Interesting?
Internships at PARC / meet over coffee / etc.
markus.jakobsson@parc.com