Final post
This blog will have no more posts; any security/tech stuff I post from now on will be on my other blog (namely http://aggarwalnakul.blogspot.com).
Thanks for visiting.
Network security defined from basics to latest update news of the market.
Post-graduate students working on information-security research projects can qualify for a scholarship of up to $12,500. The International Information Systems Security Certification Consortium Inc. (Palm Harbor, Fla.) said Tuesday (Sept. 27) it will offer one-year scholarships of up to $12,500 each to four qualifying full-time post-graduate students. Qualified candidates must be pursuing an advanced degree in information security at any accredited university worldwide. Applications must be submitted by Nov. 30, 2005.
From EE Times via http://www.securitypipeline.com/171201217
There has been an interesting discussion going on at Google Groups: Yahoo, a "phisher-friendly" domain. The discussion is quite interesting since, according to Spamhaus Project details, a large number of phishing attacks are going on using Yahoo-registered servers. Till now, they have found 18 SBL listings under the domain name yahoo.com.
I got a new link from Bjorn Borg (a researcher from Sweden working in this field), a complete tutorial on phishing.
Definition:
Phishing is the "art" of fooling people, using social engineering and technical subterfuge, by sending fake emails or spam that appear to come from some known organization and redirect them to fake pages, thereby gaining unauthorized access to people's usernames, passwords, credit card account information, etc.
"Phishing attacks use 'spoofed' e-mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card numbers, account usernames and passwords, social security numbers, etc. This is a social engineering attack that targets vulnerable online consumers and, depending on the particular scam, uses weaknesses and exploits in email and web browsers."
Term origin: it is derived from fishing, where a fisherman uses a lure to attract fish, in the same way that attackers use an email to attract online consumers. Finally, the 'f' from fishing has been substituted with 'ph' to form "phishing", in recognition of the original hacking method, phreaking. (Dictionary meaning: "phreaking" is where a hacker takes over someone else's phone line and uses it for their own purposes, including hacking into other computers.)
The first incident of phishing was reported as early as 1998. An example:
====
Sector 4G9E of our data base has lost all I/O functions. When your account logged onto our system, we were temporarily able to verify it as a registered user. Approximately 94 seconds ago, your verification was made void by loss of data in the Sector 4G9E. Now, due to AOL verification protocol, it is mandatory for us to re-verify you. Please click 'Respond' and re-state your password. Failure to comply will result in immediate account deletion.
====
A number of phishing examples, especially ones targeting eBay and PayPal, can be seen here.
Starting with individuals or small groups, phishing has now reached a very advanced stage. Large amounts of bulk email are sent every day, and hacking is going on at a large scale, the latest being the hack of the eBay login page, ATM card numbers, etc.
Statistics:
The main targets are financial institutions and e-commerce companies, particularly online banks. The top four targets according to the Anti-Phishing Working Group in April 2004 were Citibank, eBay, PayPal and US Bank. The Anti-Phishing Working Group states that 5% of attacks result in identity theft [26]. A Gartner survey of 5000 estimated that phishing cost US banks and credit card companies $1.2 billion in 2003 [3]. Actual losses are much lower; monetary values of losses are difficult to obtain, but PayPal's loss rate from fraud is 0.33%. Australian banks have recently put aside $2 million to cover losses from phishing [1]. British banks estimated they lost £1 million through phishing scams [2].
Technology:
A web server, a bulk mailing tool, a form e-mail and a database of e-mail addresses would be enough to mount a phishing scam.
The email is branded to look like it is from the particular financial institution or e-commerce site, and the 'from' address is spoofed to appear to come from that domain. It usually includes a URL which appears to link back to the appropriate site; however, the actual link points to the ghosted website.
Techniques:
1) Email
2) Ghost website (e.g. http://www.paypa1.com/)
3) Hiding/spoofing the address bar
a) No SSL padlock
b) JavaScript
4) Adding a subdomain to the main site
5) Pop-up windows
6) Use of malware – Trojans, viruses and botnets
7) Phishing through compromised web servers
8) Port redirection: redirecting the web server to another web server, which removes the possibility of tracing back through the web server.
9) Using botnets
In geek terms, these are done via:
1) DNS poisoning
2) Pharming (a guide from NGS Software)
A white paper from McAfee [PDF:5] gives a detailed graphical explanation of current phishing attack methods. It even comments on existing counter-measures and describes what McAfee has to offer.
COUNTER-MEASURES
1) Phishing scams can be reported through consumer alerts or real-time detection; companies then update their customers about them and even post about them on their websites.
2) Toolbars – There exist a lot of toolbars and plugins for all the major browsers. A graph with their properties can be seen here:
Source: Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks
3) All antivirus products have built-in capabilities to filter spam and some phishing attacks.
RESEARCH:
A lot of research has been encouraged because of the stats we have seen above. These are briefings on some of it:
1) This paper introduced a new scheme, Dynamic Security Skins, that allows a remote web server to prove its identity in a way that is easy for a human user to verify and hard for an attacker to spoof. "We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields." [PDF:2]
2) A contribution of this paper is the description of what we term a context aware phishing attack. [PDF:3]
3) They define five properties of an ideal HIP (Human Interactive Proof) to detect phishing attacks. The challenge must:
a) be easy for a particular class of computers to pass,
b) be hard for other computers to pass, even after observing a number of successful authentications,
c) produce results that are easy for a human to verify,
d) use a protocol that is publicly available, and
e) not require the user to have specialized tools. [PDF:4]
4) Complete technical and detailed specs of how phishing is done [PDF:5]
A brief intro to the Microsoft Phishing Filter (from the Microsoft site):
• Phishing Filter is a feature in Internet Explorer 7.0 that helps determine whether a Web site is legitimate or a so-called phishing Web site.
• Phishing Filter uses three checks to help protect users from phishing scams:
1. It compares the addresses of Web sites that a user attempts to visit to the addresses of sites that have been reported as legitimate. This list is stored on the user's computer.
2. It analyzes sites that a user attempts to visit by checking those sites for characteristics common to phishing sites.
3. If the user chooses, Phishing Filter sends the addresses of Web sites that a user attempts to visit to Microsoft to be checked against a frequently updated list of reported phishing sites.
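The ghost-domain, subdomain and address-bar tricks from the Techniques list above can be checked in the same three stages the Phishing Filter description gives: a local allow-list, heuristics for characteristics common to phishing sites, and an opt-in lookup against a reported-phish list. The following is an added example, not Microsoft's Phishing Filter code or any vendor's; the allow-list, reported list and brand table are constructed here, and the registered-domain helper simply takes the last two labels rather than consulting a public-suffix list.

```python
from __future__ import annotations
import ipaddress
import re
from urllib.parse import urlparse

# Constructed lists for the example; a real filter loads these from update feeds.
ALLOW_LIST = {"paypal.com", "ebay.com", "citibank.com", "usbank.com"}
REPORTED_PHISH = {"paypa1.com", "secure-login-update.example"}
BRANDS = {"paypal", "ebay", "citibank", "usbank"}

# Digit-for-letter swaps seen in "ghost" domains such as paypa1.com.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Assumption for this example: no
    public-suffix list, so co.uk-style names are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def heuristics(url: str, link_text: str = "") -> list[str]:
    """Stage 2: characteristics common to phishing links, as a list of reasons."""
    reasons: list[str] = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname"]
    reg = registered_domain(host)
    sld = reg.split(".")[0]

    # A bare IP address hides which organisation is actually being visited.
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass

    # user@host form: the part before '@' is displayed first but is not the host.
    if parsed.username:
        reasons.append("userinfo before '@' hides real host")

    # Look-alike registered domain: undoing the swaps spells a known brand.
    if sld not in BRANDS and sld.translate(CONFUSABLES) in BRANDS:
        reasons.append(f"look-alike domain for brand '{sld.translate(CONFUSABLES)}'")

    # Brand used only as a subdomain of an unrelated domain (paypal.com.evil.example).
    sub = host[: -len(reg)].rstrip(".")
    if sld not in BRANDS and any(label in BRANDS for label in sub.split(".")):
        reasons.append("brand name appears only as a subdomain")

    # Visible link text names one domain while the href goes somewhere else.
    m = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", link_text.lower())
    if m and registered_domain(m.group(0)) != reg:
        reasons.append("link text domain differs from href domain")
    return reasons


def classify(url: str, link_text: str = "",
             consult_reported_list: bool = True) -> tuple[str, list[str]]:
    """Stages in the order the filter description gives them: allow-list,
    heuristics, then the (opt-in) reported-phish lookup."""
    reg = registered_domain((urlparse(url).hostname or "").lower())
    if reg in ALLOW_LIST:
        return "legitimate", []
    reasons = heuristics(url, link_text)
    if consult_reported_list and reg in REPORTED_PHISH:
        reasons.append("registered domain is on the reported-phish list")
    return ("suspicious", reasons) if reasons else ("unknown", [])


if __name__ == "__main__":
    # Constructed sample links; the second mimics the paypa1.com ghost site above.
    for href, text in [
        ("https://www.paypal.com/signin", "www.paypal.com"),
        ("http://www.paypa1.com/login", "www.paypal.com"),
        ("http://www.paypal.com@evil.example/", "www.paypal.com"),
        ("http://www.paypal.com.secure-login-update.example/", "Click here"),
        ("http://192.0.2.10/paypal/", "Verify your account"),
    ]:
        print(href, "->", classify(href, text))
```

The allow-list short-circuits before the heuristics run, which mirrors why that list must be trustworthy and stored locally; the reported-list lookup comes last because it is the only stage that needs the address to leave the machine.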
Future Solutions:
1) Tumbleweed Communications already has a digital signing solution ready to go to market.
2) Microsoft's Caller-ID
3) The Sender Policy Framework (SPF)
4) The Yahoo! DomainKeys proposal
5) The Internet Engineering Task Force (IETF) has also published a draft to stop source address spoofing.
6) Another area that will become more prominent is the near real-time detection of phishing scams using email scanning and filtering, trademark searches, monitoring of DNS registrations and scanning of front pages.
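SPF, listed above, is the proposal that most directly addresses the spoofed 'from' domain described under Technology: the domain owner publishes in DNS which hosts may send mail for it, and the receiving server checks the connecting IP against that record. The evaluator below is an added example, not any project's code; it uses a constructed in-memory TXT table in place of live DNS, supports only the ip4/ip6, include and all mechanisms, and approximates the per-evaluation lookup limit.

```python
import ipaddress

# Constructed TXT records standing in for live DNS lookups in this example.
TXT_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 include:mailer.example -all",
    "mailer.example": "v=spf1 ip4:198.51.100.5 ~all",
    "nospf.example": "some unrelated txt record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation


def check_spf(domain: str, client_ip: str, lookups: int = 0) -> str:
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.
    Only ip4/ip6, include and all are modelled (enough for the records above)."""
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            # A mismatched address family never matches; ip_network handles both.
            matched = ip in ipaddress.ip_network(argument, strict=False)
        elif mechanism == "include":
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror"
            # include matches only when the referenced domain's record yields "pass".
            matched = check_spf(argument, client_ip, lookups) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, redirect: not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def receiver_decision(mail_from_domain: str, client_ip: str) -> str:
    """Policy a receiving MTA might apply to the envelope sender's domain."""
    result = check_spf(mail_from_domain, client_ip)
    return {"pass": "accept", "fail": "reject",
            "softfail": "accept-and-flag"}.get(result, "accept-unverified")


if __name__ == "__main__":
    # Constructed: a message claiming to be from the bank, sent from an unrelated host.
    print(check_spf("bank.example", "203.0.113.7"),
          receiver_decision("bank.example", "203.0.113.7"))
```

The "-all" at the end of the bank's record is what turns an unlisted sender into a hard fail; the mailer's "~all" only produces a softfail, which is why the include in the bank's record does not inherit it.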
SOME LINKS:
Detailed explanation of Existing methods and tools
https://antiphishing.kavi.com/events/Conference_Notes/phishing-sfectf-report.pdf
Latest alert (25/08/2005): WSLabs, Phishing Alert: Bank of Montreal
http://www.honeynet.org/papers/phishing/
http://antiphishing.org/
http://www.phishreport.net/
http://www.honeynet.org/papers/phishing/details/phishing-background.html
Microsoft Antiphishing Technology
http://crypto.stanford.edu/SpoofGuard/
Identity Theft Via Online Resumes
Identity Theft From servers
PDFs used:
(1) An analysis of Phishing and possible mitigation strategies
(2) The Battle Against Phishing: Dynamic Security Skins
(3) Modeling and Preventing Phishing Attacks
(4) Phish and HIPs: Human Interactive Proofs to Detect Phishing Attacks
(5) Anti-Phishing: Best Practices for Institutions and Consumers
All of these PDFs can be found via http://scholar.google.com/
A lot of research is going on in this field, and a lot of approaches and technologies exist. Most people use one or more of them, while some are still research-oriented.
Sygate Technologies unveiled its own form of double agent on Monday, introducing Sygate Enterprise Protection (SEP) 5.0, software with device agents that do double duty by delivering both host intrusion prevention (HIP) and network access control (NAC) to millions of networked devices.
Read more at http://www.sygate.com/news/sygate-enterprise-protection_rls.htm
In the month of June, I got a project on "signature matching" in network intrusion detection. I know much work has already been done in this field and work is still going on. It forms an important and versatile part of most IDS tools like Snort, Bro, etc.
Simple string matching is not just the simple iterative, i.e. n^2, process; much research has already been done on it. There are many efficient ways of doing this in software (you can get a lot of papers from Google Scholar).
Much more efficient ways exist in hardware, which makes it widely applicable for inline matching in real time.
Signature matching via DFA is much more interesting, since it assumes good knowledge of automata theory, deterministic finite automata and regular expressions. The problem with this approach is the formation of the DFA itself, which explodes with the current number of signatures that need to be incorporated into an IDS. The solution to this problem is "incremental generation of DFAs", which involves forming the DFA at the stage of matching rather than hard-coding it once and making transitions over it.
The comparison of the two approaches has been shown in the technical paper on Bro, which uses the 2nd approach and compares the results with Snort, which uses the 1st approach. The results show both tools are on par with each other, but Snort has the upper hand at some points.
But I am inclined towards the 2nd approach and am currently working on it; let's see if this can give better results.
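As an added illustration of the "efficient ways in software" mentioned above (this is not Snort's or Bro's code, and the signatures and payload are constructed for the example), the classic multi-pattern technique is Aho-Corasick: the fixed-string signatures are compiled once into a trie with failure links, which is a DFA whose size is linear in the total signature length and so does not show the state explosion described for regular-expression DFAs, and the payload is then scanned in a single pass whose cost does not grow with the number of signatures. The naive per-signature scan is included for comparison.

```python
from collections import deque


class SignatureMatcher:
    """Aho-Corasick automaton over a fixed set of byte-string signatures.
    Building it is linear in total signature length; scanning is linear in
    the payload length regardless of how many signatures are loaded."""

    def __init__(self, signatures):
        self.goto = [{}]       # goto[state][byte] -> next state (the trie)
        self.fail = [0]        # failure link: longest proper suffix that is a trie path
        self.out = [set()]     # signatures that end at this state
        for sig in signatures:
            self._insert(bytes(sig))
        self._link_failures()

    def _insert(self, sig):
        state = 0
        for b in sig:
            if b not in self.goto[state]:
                self.goto.append({})
                self.fail.append(0)
                self.out.append(set())
                self.goto[state][b] = len(self.goto) - 1
            state = self.goto[state][b]
        self.out[state].add(sig)

    def _link_failures(self):
        # Breadth-first, so every state's failure target is linked before it is needed.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A signature ending at the failure target also ends here.
                self.out[s] |= self.out[self.fail[s]]
                queue.append(s)

    def scan(self, data):
        """Return (offset, signature) for every occurrence in data, sorted."""
        hits = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for sig in self.out[state]:
                hits.append((i - len(sig) + 1, sig))
        return sorted(hits)


def naive_scan(data, signatures):
    """The n*m baseline: one full pass over the payload per signature."""
    hits = []
    for sig in signatures:
        start = data.find(sig)
        while start != -1:
            hits.append((start, sig))
            start = data.find(sig, start + 1)
    return sorted(hits)


# Constructed signatures and payload resembling a directory-traversal request.
SIGNATURES = [b"../", b"/etc/passwd", b"passwd", b"cmd.exe"]
PAYLOAD = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"

if __name__ == "__main__":
    matcher = SignatureMatcher(SIGNATURES)
    print(matcher.scan(PAYLOAD))
```

Note that `passwd` is reported inside `/etc/passwd` without a second pass: the failure-link merge in `_link_failures` carries the shorter signature's output up to the longer one's final state, which is the step a hand-written DFA for many overlapping signatures tends to get wrong.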