Two Technical Phishing Countermeasures

1
Two Technical Phishing Countermeasures

• Burt Kaliski, Chief Scientist, RSA Security
• North Shore Technology Council 23 March 2005

2
Exploiting Trust

• Phishing is a social engineering attack that
  exploits users trust in the familiar to gain
  access to private information
• Basic approach
• Attacker sends an email that appears to be from
  a source the user might trust
• User clicks on an apparently innocuous link in
  the email and is taken to a site that looks like
  the right one but which is actually the
  attackers
• User discloses passwords and other sensitive
  information, e.g., account numbers

3
The Basic Problems

• Attackers can make emails (and Web pages!) look
  like the real thing
• Not just the content, but also the From
  address can be forged
• User interface for authentication generally
  doesnt authenticate the Web site just the
  user
• Passwords and other sensitive information are
  often sent directly to the application, whether
  trustworthy or not
• In general, users dont have good tools to tell
  the familiar from the authentic

4
A Multifaceted Response

• Many avenues are being pursued to deal with the
  problems
• Find the phishing sites and shut them down
• Filter email to flag or reduce the bait
• Equip users to recognize and not respond to
  attacks
• Two technical solutions of interest here
• Authenticate the emails, so user can tell where
  they really came from
• Improve the protocols and interfaces for user
  authentication so that credentials wont be
  learned even if attackers ask for them

5
Authenticating the Emails

• Problem From address can be forged
• Solution Verify that message comes from
  authorized sender
• SenderID (Meng Weng Wong / Microsoft)
• Senders domain lists authorized mail servers in
  DNS
• Recipient checks email postmark against list
• DomainKeys (Yahoo!)
• Senders domain posts public key domain signs
  all messages
• Recipient verifies digital signature
• Challenge Users need to decide which senders to
  trust

6
Improving the Protocols and Interfaces

• Problem Passwords are sent directly to attackers
• Solution Better interfaces and protocols!
• Password hashing (classical see Stanford
  PwdHash)
• Interface automatically hashes password (slowly)
  with application identifier before sending it
• Attacker has to search for password, which is a
  deterrent
• Extensions Two-factor and mutual authentication
• Password-based key agreement (Bellovin-Merritt,
  et al.)
• Challenge Interfaces need to be integrated into
  browsers, operating systems, so that attackers
  cant bypass them

7
A Special Control Sequence?

• What if you could ensure that your password were
  protected by typing a special control sequence
  beforehand?
• e.g., Alt-Password
• Control sequence would automatically invoke the
  stronger interface and protocols for protecting
  the password
• If this were standard on operating systems and
  browsers, and you learned to use it, would your
  confidence be increased?
• Overall goal Trustworthy Interfaces for Personal
  Information and Credentials (TIPIC) should become
  typical

8
Contact Information

• Burt KaliskiChief Scientist, RSA
  Securitybkaliski_at_rsasecurity.comwww.rsasecurity.
  com/rsalabs

9
(No Transcript)