Page 1: Title slide

WHY WE MUST ASK WHY
Markus Jakobsson, Principal Scientist, PayPal
Keynote, June 7, 2011
MAAWG 22nd General Meeting, San Francisco, CA
Messaging Anti-Abuse Working Group (MAAWG) | maawg.org

Page 2: Why Did the Internet Turn Out as It Did?

We first designed it to provide features, then for usability. We never designed it with abuse in mind. We did not try to predict the future. And now we are in a pickle.

Page 3: Predicting an Unsupervised Future

“Predicting the future is much too easy, anyway. You look at the people around you, the street you stand on, the visible air you breathe, and predict more of the same. To hell with more. I want better.”
Ray Bradbury

Page 4: To Hell With More. I want better.

Three problems, each tagged with the question that the rest of the talk asks about it:
Who?   Weak authentication
Where? Spoofing
What?  Malware
Why?

Before we can address any problem, we need to know why it occurs. Talk focus: the mobile Internet. It will be huge, and we can ask “why” before it is too late.

Pages 5-7: Web/App Spoofing: Why Does It Work? (Where?)

An attacker is successful if
1. the victim is tricked, and as a result
2. the victim acts, benefitting the attacker.

Traditional countermeasures address part 1 (locks, colors, warnings: a user communication problem). Can we address part 2 instead, so that the same action no longer benefits the attacker?

Jakobsson/Leddy: www.spoofkiller.com

Page 8: Imagine a World Where… (Where?)

GOOD SITE  + NAÏVE USER               = SUCCESS
SPOOF SITE + NAÏVE USER (SAME ACTION) = ABORT

Jakobsson/Leddy: www.spoofkiller.com

Page 9: Here Is How to Do It! (Where?)

Flowchart: the user's habitual login action is gated on site identity.
Got cert? → Y: LOG IN NOW
Got cert? → N: ABORT

Jakobsson/Leddy: www.spoofkiller.com

Page 10: We are all Pavlov’s dogs! (Where?)

Jakobsson/Leddy: www.spoofkiller.com

Page 11: Demo time! (Where?)

Jakobsson/Leddy: www.spoofkiller.com

Demo produced by Hossein Siadaty

Pages 12-13: [demo slides; only the footer survives]

Jakobsson/Leddy: www.spoofkiller.com

Page 14: Take-Home Message (Where?)

Jakobsson/Leddy: www.spoofkiller.com

It is more important to understand people than to understand computers.

Page 15: Now: Authentication (Who?)

Jakobsson/Akavipat: www.fastword.me

People hate passwords – especially on handsets
• Slow to enter … and then you realize you mistyped something!
• At the same time, recall rates are low for passwords … and reset is difficult / insecure / expensive
• PINs are faster … but not very secure … and reuse is rampant

Page 16: Understanding usability issues (Who?)

Jakobsson/Akavipat: www.fastword.me

Q. Why are passwords more painful than text?
A. Text uses auto-correction/completion!

Page 17: Understanding recall issues (Who?)

Jakobsson/Akavipat: www.fastword.me

Q. Why are (good) passwords hard to recall?
A. Good passwords are weird!

(Ebbinghaus, 1885)

Page 18: A stab at a solution (Who?)

Jakobsson/Akavipat: www.fastword.me

Fastwords: a passphrase made of ordinary dictionary words, so the keyboard's auto-correction works for it. Not so secure, you say? Approx. 64k words only.

Auto-correct works: the typed variants shown on the slide (“frog”, “frof”, “fro”, “frf”, “frof”) all resolve to “frog”.

Page 19: A stab at a solution (Who?)

Jakobsson/Akavipat: www.fastword.me

Auto-correct works. Example fastword: “frog flat work”.

Page 20: A Look at Speed (Who?)

Jakobsson/Akavipat: www.fastword.me

Page 21: A Look at Security (Who?)

Jakobsson/Akavipat: www.fastword.me

[Chart: average password vs. average fastword]

Page 22: Forgot your fastword? Hint: “frog” (Who?)

Jakobsson/Akavipat: www.fastword.me

EFFECTIVE RECALL: 0.36 + (1 − 0.36) × 0.48 = 0.67 … 67%
(0.36 is the fraction recalled without a hint; of the remaining 0.64, a fraction 0.48 is recovered once the hint is shown.)

Page 23: Forgot your fastword? Hint: “frog” (Who?)

Jakobsson/Akavipat: www.fastword.me

[Chart: average fastword vs. average password]
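The fastword idea on pages 16-23 rests on three small pieces of mechanism: auto-correcting each typed word to a dictionary entry, working out what a 64k-word dictionary buys in guessing entropy, and combining unaided recall with hint-assisted recall. The following is an added example written for this page, not the code behind fastword.me; the eight-word dictionary, the typo inputs and the use of Levenshtein distance as the auto-correct metric are assumptions made here, while the ~64k dictionary size and the 0.36/0.48 recall figures are the slides' own numbers.

```python
"""Fastword-style passphrases: dictionary auto-correction, guessing entropy
and hint-assisted recall (added illustration, not fastword.me's code)."""
import math

DICT_SIZE_ON_SLIDE = 64_000            # "Approx. 64k words only"
# Constructed stand-in for the real dictionary; "frog" comes first so that
# ties in the examples below resolve to it.
DICTIONARY = ["frog", "flat", "work", "from", "fork", "flag", "frost", "float"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (assumed auto-correct metric)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def autocorrect(token: str, dictionary=DICTIONARY, max_dist: int = 2):
    """Snap a typed token to the nearest dictionary word, or None if nothing
    lies within max_dist edits. Ties go to the earlier dictionary entry; a
    real keyboard would also weigh key adjacency, which is skipped here."""
    best, best_d = None, max_dist + 1
    for word in dictionary:
        d = edit_distance(token, word)
        if d < best_d:
            best, best_d = word, d
    return best


def normalize_fastword(typed: str, dictionary=DICTIONARY):
    """Auto-correct every word of a typed fastword. Returns the canonical
    phrase, or None if some word cannot be corrected. A server must store its
    verifier (hash) over this canonical form, never over the raw keystrokes."""
    words = [autocorrect(t, dictionary) for t in typed.lower().split()]
    return None if None in words else " ".join(words)


def fastword_bits(num_words: int, dict_size: int = DICT_SIZE_ON_SLIDE) -> float:
    """Guessing entropy in bits of num_words words drawn uniformly from a
    dict_size dictionary. Auto-correction does not shrink this: the attacker
    was already guessing dictionary words, not typos."""
    return num_words * math.log2(dict_size)


def effective_recall(p_unaided: float, p_with_hint: float) -> float:
    """Recall when a hint is offered only after unaided recall fails:
    p_unaided + (1 - p_unaided) * p_with_hint. With the slide's 0.36 and
    0.48 this is about 0.67."""
    return p_unaided + (1 - p_unaided) * p_with_hint


if __name__ == "__main__":
    print(normalize_fastword("frof flst wprk"))      # constructed typos
    print(round(fastword_bits(3), 1), "bits for three words from 64k")
    print(round(effective_recall(0.36, 0.48), 2))
```

Two things the slides leave implicit show up here: normalization has to happen before hashing, so the stored verifier is over the corrected words, and three words from a 64k dictionary give about 48 bits of guessing entropy, which is the figure to put against the "only 64k words" objection.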

Page 24: Big-Picture Insight (Who?)

We can improve things as basic as passwords – if we ask “why”.

Jakobsson/Akavipat: www.fastword.me

Page 25: Dealing with Malware (What?)

Jakobsson/Johansson: www.fatskunk.com

Problem: Power

Page 26: Dealing with Malware (What?)

Three truths:
1. Nasty malware is active
2. Active routines are in RAM
3. Algorithms: time-space trade-off

Jakobsson/Johansson: www.fatskunk.com

Pages 27-33: Dealing with Malware (What?)

Jakobsson/Johansson: www.fatskunk.com

[Diagram: cache, RAM, and the monolithic kernel that runs the test; built up over pages 27-33.]

1. Swap out all programs (malware may refuse).
2. Overwrite all “free” RAM with pseudo-random content (malware refuses again).
3. Compute a keyed digest of all RAM, in an access order that is unknown a priori. The external verifier provides the key for this step (page 32), will time the computation and check its result (page 33).

Page 34: Dealing with Malware (What?)

Jakobsson/Johansson: www.fatskunk.com

Malware has options:
1. Swap out and become inactive
2. Stay, cause delay, be detected
3. Refuse connection, be detected
4. Die and remain unnoticed

Page 35: After test passed (What?)

Jakobsson/Johansson: www.fatskunk.com

Scan flash for inactive malware, make secure backup to cloud, DRM, password manager, virtualized phone setup, banking app, vote casting, unlock data/apps, …

Page 36: More detail: unlocking data/apps (What?)

Jakobsson/Johansson: www.fatskunk.com

[Diagram:]
FLASH: application, with encrypted storage of data and routines
  → GET KEY FROM VERIFIER
  → LOAD
RAM: application, with decrypted storage of data and routines
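The three-step test on pages 27-33, the malware options on page 34 and the key release on page 36 fit into one prover/verifier exchange. The following is an added simulation written for this page, not FatSkunk's code: the page and RAM sizes, HMAC-SHA256 as the pseudo-random function, the counting of page reads in place of wall-clock timing, the constructed kernel image and the malware scenarios are all assumptions made here. It goes slightly beyond the slides in that it shows the two ways malware can "stay": leaving its page in RAM (wrong digest) or regenerating the expected filler on the fly (right digest, extra work), which is the time-space trade-off the talk relies on.

```python
"""Software-based attestation of RAM, simulated (added example, not FatSkunk's
code). The verifier sends a challenge; the prover fills free RAM with
challenge-derived pseudo-random content and digests all RAM in a
challenge-derived order; the verifier checks the digest and the work done."""
import hashlib
import hmac
import random

PAGE_SIZE = 32        # bytes per simulated page (assumption)
NUM_PAGES = 64        # simulated RAM, in pages (assumption)
KERNEL_PAGES = 8      # pages holding the attestation routine itself
PRF_COST = 1          # extra work units to regenerate one page on the fly (assumption)
UNLOCK_KEY = hashlib.sha256(b"constructed unlock key").digest()  # held by the verifier

# Constructed stand-in for the known image of the monolithic attestation kernel.
KERNEL_IMAGE = [hashlib.sha256(b"kernel page %d" % i).digest()[:PAGE_SIZE]
                for i in range(KERNEL_PAGES)]


def prf(seed: bytes, label: bytes) -> bytes:
    return hmac.new(seed, label, hashlib.sha256).digest()


def expected_fill(seed: bytes, page: int) -> bytes:
    """Pseudo-random content every free page must hold after step 2."""
    return prf(seed, b"fill" + page.to_bytes(4, "big"))[:PAGE_SIZE]


def access_order(seed: bytes, n: int) -> list:
    """Page read order for step 3. It depends on the challenge, so the prover
    cannot know it in advance and cannot stream RAM through a small buffer."""
    order = list(range(n))
    random.Random(int.from_bytes(prf(seed, b"order"), "big")).shuffle(order)
    return order


def keyed_digest(seed: bytes, pages: list) -> bytes:
    h = hmac.new(seed, digestmod=hashlib.sha256)
    for p in access_order(seed, len(pages)):
        h.update(pages[p])
    return h.digest()


def honest_ram(seed: bytes) -> list:
    """RAM as it should look after steps 1 and 2: kernel, then filler."""
    return KERNEL_IMAGE + [expected_fill(seed, p) for p in range(KERNEL_PAGES, NUM_PAGES)]


def attest(seed: bytes, ram: list, forge_pages=()) -> tuple:
    """Prover side of step 3. `ram` is what is really in memory. Pages listed
    in `forge_pages` are ones malware kept for itself but regenerates the
    expected filler for on the fly, at PRF_COST extra work per page.
    Returns (digest, work units)."""
    view, work = [], 0
    for p in range(NUM_PAGES):
        if p in forge_pages:
            view.append(expected_fill(seed, p))   # recompute instead of read
            work += 1 + PRF_COST
        else:
            view.append(ram[p])
            work += 1
    return keyed_digest(seed, view), work


def verify(seed: bytes, digest: bytes, work: int, budget: int = NUM_PAGES):
    """Verifier side: the digest must be right AND arrive within budget.
    Returns the unlock key (page 36) on success, None otherwise."""
    expected = keyed_digest(seed, honest_ram(seed))
    if not hmac.compare_digest(digest, expected):
        return None        # some page did not hold what it should
    if work > budget:
        return None        # right answer, but it took too long
    return UNLOCK_KEY


def run_scenario(scenario: str, seed: bytes = b"challenge 0001"):
    """Malware's options from page 34: 'swapped_out' (malware left RAM),
    'stay' (malware page left in place), 'stay_and_forge' (malware page kept,
    filler regenerated on demand). 'Refuse connection' sends nothing at all."""
    ram = honest_ram(seed)
    forge = ()
    if scenario in ("stay", "stay_and_forge"):
        ram[40] = b"\xcc" * PAGE_SIZE              # constructed malware bytes
        if scenario == "stay_and_forge":
            forge = (40,)
    digest, work = attest(seed, ram, forge)
    return verify(seed, digest, work)


if __name__ == "__main__":
    for s in ("swapped_out", "stay", "stay_and_forge"):
        print(s, "PASS" if run_scenario(s) == UNLOCK_KEY else "DETECTED")
```

The simulation counts page reads where a real verifier measures elapsed time, so the budget here has zero slack; in practice the slack has to absorb timing noise, and that margin is where an attacker looks for room to regenerate a few pages unnoticed. Note also what the test does not catch: malware that takes option 1 and swaps itself out passes, which is exactly why page 35 follows a passed test with a scan of flash for inactive malware.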

Page 37: THE FUTURE MATTERS TODAY (Why?)

Jakobsson/Johansson: www.fatskunk.com

Anticipating problems gives us time to innovate.

Page 38: A final why: Why does user education fail?

Contact me to talk spoofing, authentication, malware, mobile, education … and “why”!