Title: Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails

We present a novel key distribution architecture and a novel use of a particular identity-based digital signature scheme for making email trustworthy. Like typical digital signatures, our solution fights email-based phishing attacks and mitigates spam by detecting spoofed emails. Unlike typical digital signatures, our approach requires no complex, preestablished public-key infrastructure nor cooperation between email domains. Furthermore, it provides just enough trust to make email useful again, but not too much: email remains repudiable. All current legitimate uses of email -- alternate email personalities, alternate outgoing mail servers, PGP or S/MIME encryption, sending attachments, web-based email etc... -- remain fully functional. The end-to-end nature of email is preserved: the only requirements are an upgraded email client and at least one keyserver. We call this approach a Lightweight Trust Architecture.

Joint work with Susan Hohenberger and Ronald L. Rivest.

Title: Some are not thieves!

To prevent illegal access to digital content distributed over a broadcast channel, it is often necessary to revoke users whose access privileges have expired; a revoked user is not able to recover the broadcasted content anymore. This works well when such users did in fact commit an infraction or made a conscious decision to leave the system, but numerous cases exist in which the revocation is in error and these users are consequently left with the often onerous burden of getting reinstated. We introduce a gradual form of revocation that we call service degradation and that enables the content distributor to provide ``cues'' to the user in the form of degraded system performance. The cues alert the user to their impending revocation and allow them to take the necessary action to remain in the system. Our protocols build on techniques for broadcast encryption and spam-fighting to provide the appropriate form of service for this previously ignored class of users.

Title: Identity Theft: Methods and Prevention

This talk surveys several common ways computer criminals perpetrate identity theft, and discusses the disconcerting monetization of these activities. We identify some of the easiest and most common attacks currently in use and propose methods of repairing or ameliorating them with changes ranging from simple and practical to those requiring (perhaps unrealistic) fundamental changes in network protocols.

Title: Social Networks and Trust Networks

Phishing is a feasible social engineering mechanism because of the ease of impersonation on digital networks. Impersonation is easy because web sites are presented without social, geographical or physical context. Multiple mechanisms which create a single trusted entity have failed to resolve phishing problems, in part because single trusted third parties themselves lack context. We propose a system that embeds social context in trust decisions by combining individual histories, social networks, and explicit ratings. This social context allows an individual to select their own trusted sources of information, rate particular sites as trustworthy (or not), and leverages pre-existing social networks. The proposal is informed by previous work in reputation systems, interaction design, social networks, social browsing, computer security, and peer production of knowledge. We will begin our presentation with an high level overview of the social science findings on human trust decisions that inform this proposal. We will then present the proposed implementation, including screen shots and an overview of the reputation mechanism.

Title: Phishing Countermeasures

"Phishing" is a form of identity theft in which deception is used to trick a user into revealing confidential information with economic value. Phishing was responsible for at least $1.2 billion in direct losses last year. Starting with a threat model based on the information flow of a phishing attack, this presentation evaluates technical countermeasures applicable at each chokepoint to detect phishing, reduce the deceptiveness of fraudulent content, provide a trusted path over the public internet and render illicitly obtained information valueless. A combination of applied cryptographic techniques has the potential to dramatically reduce the losses due to phishing and other forms of identity theft.

Title: Fraud and Fraud Reduction on the Internet

Fraud on the Internet is developing into a major issue of concern for consumers and businesses. The Financial Times and many other media outlets report that online fraud represents "an epidemic of huge and rapidly growing proportions". One area that is particularly of interest is the area of swindling activities related to online auctions. Understanding fraud is especially important because of the "network externality" effect, in which a large number of satisfied buyers lead to a large number of sellers; this effect is based on the knowledge that satisfied traders induce others to trade on the Internet increasing the trading system efficiency. Headlines that present swindling activities on the internet deter users from using the internet for commercial activities. We will present and classify methods that swindlers use in order to defraud users, and suggest procedures to reduce the level of successful fraudulent activities on the web. We will also report on a preliminary empirical survey on the magnitude of fraudulent auctions on auction sites. The empirical results obtained in this survey, invalidate claims by online auction site operators that fraudulent activity is negligible.

Title: Messin' with Texas: Deriving Mother's Maiden Names Using Public Records

We have developed techniques to automatically infer mother's maiden names from public records. We demonstrate our techniques using publicly available records from the state of Texas, and reduce the entropy of a mother's maiden name from an average of close to 13 bits down to below 6.89 bits for more than a quarter of the people targeted, and down to a zero entropy (i.e., certainty of their mothers maiden name) for approximately two percent of the targeted individuals. This poses a significant risk not only to individuals whose mothers maiden name can easily be guessed from the possible choices, but highlights the vulnerability of the system as such, given the traditional reliance of authentication by mother maiden names for financial services. While our techniques and approach are novel, it is important to note that these techniques -- once understood -- do not require any insider information or particular skills to implement. This emphasizes the need to move away from mothers maiden names as an authenticator. Using the techniques described, during our testing we were able to deduce the mother's maiden name for at least 3,773,883 Texans.

Title: Blocking Phishing Spam: Pitfalls and Future Directions

Spam is increasingly being used to "fish" for user credentials to access and manipulate financial accounts. Current measures to block spam rely on scrutinizing the body of the spam, on maintaining white-lists of senders, and on DNS black-lists. Reliance on these techniques suffers from the many pitfalls: filters are not always successful in filtering out spam (and sometimes filter out good email as well), white-lists can easily be spoofed for well known businesses, and DNS black-lists are subject to manipulation and can be used to malign valid SMTP servers. Based on the analysis of actual email logs, we will present heuristics for blocking spam that avoid the above mentioned pitfalls. With deployability in mind, approaches to gradually tighten the security of email will also be discussed.

Title: Separable Identity-Based Ring Signatures: Theoretical Foundations For Fighting Phishing Attacks

Email phishing attacks are one of today's most common and costly forms of digital identity theft, where an adversary tricks a user into revealing their personal information by impersonating an established company. Such attacks could be mitigated with digitally-signed emails, if these signatures did not: (1) destroy the traditional repudiability of email, and (2) require the unrealistic, widespread adoption of a Public-Key Infrastructure (PKI). In order to overcome these obstacles, we introduce, define, and implement separable (a.k.a. cross-domain) identity-based ring signatures (SIBR, pronounced ``cyber,'' signatures). The ring structure of these signatures provides repudiability. With identity-based public keys, a full PKI is no longer required. Separability allows ring constructions across different identity-based master key domains. Together, these properties make SIBR signatures a practical solution to the email spoofing problem. Our construction yields a number of interesting components. First, we present several novel proofs of knowledge of bilinear map pre-images. We then present new identity-based identification (IBI) and signature (IBS) schemes based on these proofs. We note how our constructions share system parameters with the existing identity-based encryption schemes of Boneh-Franklin and Waters, thereby forming complete identity-based cryptosystems. We finally construct the first SIBR signature schemes by transforming our new signature schemes and certain other signature schemes.

Joint work with Ben Adida and Ronald L. Rivest.

Title: Distributed Phishing Attacks

We identify and describe a new type of phishing attack that circumvents what is probably today's most efficient defense mechanism in the war against phishing, namely the shutting down of sites run by the phisher. This attack is carried out using what we call a "distributed phishing attack" (DPA). The attack works by a per-victim personalization of the location of sites collecting credentials and a covert transmission of credentials to a hidden coordination center run by the phisher. We show how our attack can be simply and efficiently implemented and how it can increase the success rate of attacks while at the same time concealing the tracks of the phisher. We briefly describe a technique that may be helpful to combat DPAs.

Joint work with Adam Young.

Title: Passwords Don't Get No Respect -- Or, How to Make the Most of (Weak) Shared Secrets

Passwords are still the most popular form of user authentication, despite the availability for the last quarter century of a variety of stronger methods. Even given this popularity, however, password authentication is still not implemented as well as it could be. For instance, while trusted input paths and provably secure protocols are being gradually adopted for other authentication methods such as smart cards and biometrics, passwords are still often handled like they were in the 1970s --- entered and directly provided to the application that requests them, whether trustworthy or not. Better protocols for password authentication are possible, such as password-based authenticated key agreement or simple password hashing. Indeed, passwords are one of the few authentication types that naturally lends itself to mutual authentication based only on shared knowledge. However, the better protocols have not been widely adopted, perhaps because of industry interest in all the other methods that are expected to but haven't fully replaced passwords. Moreover, the implementation would still require a trusted component for entering and processing the password. If users remain intent on authenticating with passwords -- and more generally, static data like answers to life questions -- then industry needs to do a better job implementing password authentication. This is more than just making passwords harder to guess. Password authentication in general needs fundamentally better protocols and implementations. In this talk, I'll describe some new approaches for doing so.

Title: Using Mutual Authentication to Fight Phishing

When a client attempts to interact with an online service provider that performs any form of financial transaction, the service provider requires the client to authenticate itself. This is traditionally done by having the client provide a user-name and password that were previously agreed upon, through some procedure, the first time the client attempted to use the services provided by the provider. Asymmetrically, the client does not ask the provider for the same form of authentication. That is, the customer of the service provider does not ask the web-page to somehow prove that it is really the service provider's web-page, and not some fraudulent copy. This asymmetry seems to stem mostly from an attempt to port security models from the physical to the digital world without regard to implicit authentication mechanism of the real-world. Further, this asymmetry permits phishing attacks, as it forces users to rely on somewhat sophisticated and arcane knowledge in order to determine if a web-page is authentic. In this talk, we will discuss several mutual authentication mechanisms that could be employed, and some of their drawbacks. We will also introduce a protocol that can be used to mutually authenticate clients and service providers to each other, with the added benefit that it provides protection against man-in-the-middle attacks. In addition to the protocol, we will talk about usability issues of this protocol and why it will address some of the drawbacks of other schemes.

Title: Preventing Theft in the Open

Consider a service provider that sells tickets for its services. And suppose that the tickets can then be resold, or just transferred, from one potential client to another, out in the open-in analogy to the manner in which theater tickets are handled by the public. The question to be addressed is how can one scalably prevent the theft, or the forgery, of tickets-and thus the theft of services-without having the tickets maintained by a centralized trusted intermediary, which would not be scalable. The proposed approach for addressing this problem is based on a control mechanism called LGI (for Law-Governed Interaction), which is due to be released to the research community at the end of March this year.

Title: Identity Theft and Legitimately-Minted Fraudulent Credentials

A fundamental problem which facilitates identity theft is the following. If stolen or "borrowed" credential information is used by an impersonator (identity thief) to obtain new credentials, the thief ends up possessing authentic copies of the new credentials, typically without any information immediately flowing back to the owner of the original credentials (who is subject of the new credentials). One proposed solution is a centralized or coordinated system that can either disallow (on a per-subject basis) all such "minting" of new credentials, or brings the (somehow verifiably) legitimate subject back "into the loop" before such minting can take place. We discuss and explore this problem in greater detail, defining the players and their motives, and pursue solutions intended to be of practical use.

Title: How to Search Privately on Streaming Data

One of the central tasks that the law enforcement and the intelligence community is concerned with is the collection of all "relevant" information from huge streaming sources of data, that might be of interest to the law and intelligence communities at some point. Since the data sources are vast, it is impossible to keep all the data. Thus, streaming data is typically sieved from multiple data streams in an on-line fashion, where most of the data is immediately dismissed and dropped, and only some small fraction of the data is retained. These streaming data sources include things like packet traffic on some network routers, on-line news feeds (such as Reuters) or chat-rooms of interest or potentially terrorist-related web-sites. Most data is totally innocent and is immediately dismissed except for some data that raises ``red flags'' and is collected for later analysis ``on the inside''. In almost all cases, what's "relevant" and raises a ``red flag'' is classified. Keeping the ``sieving'' criteria classified is clearly essential --- since otherwise adversaries could easily prevent their messages from being collected by simply avoiding criteria that is used to collect ``interesting'' messages in the first place. In order to keep the selection criteria classified, one possible solution (and in fact the one that is used in practice) is to collect all streaming data "on the inside" --in a secure environment-- and then filter the information, throwing away most of it and keeping only a small fraction of data-items that are interesting according to the secret criteria, such as a set of keywords that raise a red-flag. While this certainly keeps the sieving information private, this requires transferring all this data to a classified environment, adding considerable cost, both terms of communication cost and a potential delay or even loss of data, if the transfer to the classified environment is interrupted. Furthermore, it requires considerable cost for storage of this (un-sieved) data in case the transfer to the classified setting is delayed. The other solution, which is clearly beneficial, is to sieve that data-stream at the source (even on the same computer or router where the information is generated or arrives at the first place). This seems like a ridiculous suggestion, since the sieving information must remain secret. In this talk, never-the-less, we show how to do precisely this an a very efficient and private manner, even if the adversary has full access to the program that does the sieving. Joint work with William Skeith, UCLA.

Title: Safeguarding Wireless Service Access

Wireless domains will enable pervasive access to a wide range of services, but, at the same time, will make services vulnerable to theft. An attacker could obtain high-quality service access while systematically depriving other users from their sought service level. In fact, it suffices for the attacker to exploit that the wireless network resources are at premium. The seemingly benign, with access privileges, attacker needs only to mislead other nodes that the network does not have the ability to support the requested service. This way, it either prevents the establishment of their sessions or forces access at low service levels. As a result, such an attacker can essentially monopolize access to services with stringent communication requirements. In this talk, we discuss this indirect service theft and how to thwart this type of attackers. We first provide a specification of secure quality-of-service route discovery, and then describe a reactive secure routing protocol, SRP-QoS, to provide accuracy for the discovered route(s) with respect to generalized link and route metrics.

Title: Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality

On the surface, a natural countermeasure to theft in electronic arenas is better authentication. It is tempting to hypothesize that, if users at clients could identify themselves in ways that could not be easily sniffed or given away and if remote servers could identify themselves in ways that could not be spoofed, then many theft problems would go away. Since these processes typically involve humans separated by space and by organizational boundaries, PKI is typically invoked here. However, it's not that simple. If the trust structure we build into the computing systems does not match the trust structure in the human systems, then this trust infrastructure has not achieved its goal. In this talk, I will assess the inability of the standard PKI-based tools to capture many trust situations that really arise in current distributed systems, based on my lab's experience trying to make these tools fit. I also offer some observations for future work that may improve the situation. Joint work with Chris Masone and Sara Sinclair.

Title: PhishHook: A tool to detect and prevent phishing attacks

Phishing attacks are a major source of Internet identity theft. The main weapon of these scams is deception. Duping inexperienced or unsuspecting Internet users into giving away their sensitive information is the only way that such a scam can work. This implies that the best defense against them is to detect such attacks before they happen, and to display the warning signs to the user in an obvious way. This makes it easier for users to decide for themselves whether or not a webpage or email poses a threat before giving away their personal information. In this presentation we describe PhishHook; an extension to the Mozilla/Firefox web browser that will detect common phishing attacks and alert the user to their presence. We also show the results of PhishHook on some known phishing scams, and suggest future additions to make it more effective.

Title: Are Peripheral Security Indicators Effective to Prevent Phishing Attacks?

As phishing becomes a growing threat, many anti-phishing tools have been proposed and implemented that are designed to be presented as indicators in the user's web browser. A common property of these indicators is that they appear in the periphery of the web browser, outside the user's typical locus of attention when web browsing. The information provided by these indicators can be categorized into three types: (1) neutral information about the current website, such as its real domain name, date of DNS registration, and geographic location of hosting (e.g., SpoofStick and Netcraft); (2) positive information about authentic web sites, but no information about others (e.g., Trustbar); and (3) a system judgement about how suspicious a website looks (e.g.,Spoofguard). We are conducting a systematic user study of the effectiveness of these kinds of indicators. We hypothesized three ways that peripheral security indicators might fail to prevent phishing attacks: (1) users may fail to notice the information, since its display is peripheral; (2) users may not care about the displayed information since it concerns security, which is typically not their primary goal; or (3) users may not understand or believe the indicators. In our study, users pretended to be John Smith's personal assistant doing some tasks for him online. Each user used a browser with a randomly selected anti-phishing toolbar, to deal with emails from John Smith that ask the user to log into websites using John's username and password. Users were warned to expect "fake web pages" during the study, and to avoid disclosing John's username and password. Three types of phishing attacks were inserted: one using a plain IP address instead of a domain name; another using a social-engineered domain name, such as microsoft-download.info; and a third using a hijacked unrelated server, such as pages from btinternet.com that claimed to be Amazon. Preliminary results show that users do notice the peripheral indicators, do care about security even in this artificial scenario (often unchecking the Remember Me checkbox on login forms to prevent John Smith's username and password from being stored in a cookie), but do not believe the anti-phishing indicators. Instead they either consciously disregarded the indicators ("I initially noticed the Warning: this site is not protected message, but I stopped paying attention to it since it is always there") or explained away strange behavior ("I noticed the gibberish numbers [the IP address attack], but since the web content is so real, I think it must be the real site"; "buy.com must be coming from btinternet.com because of outsourcing").

Joint work with Robert Miller.

Title: Building a Cryptovirus Using Microsoft's Cryptographic API

This talk will cover the experimental results that were obtained by implementing the payload of a cryptovirus on the Microsoft Windows platform. The design is based entirely on the Microsoft Cryptographic API and the needed API calls are covered in detail. The exact sequence of API calls that is needed for both the viral payload and the code for key generation, decryption, and so on is given. More specifically, it is shown that by making merely 6 API calls and using 31 lines of ANSIC code, the payload can hybrid encrypt sensitive data and hold it hostage on the host computer system. These findings demonstrate the ease with which one can develop the payload of a cryptovirus when a cryptographic API is readily available on host machines. Finally, a novel countermeasure against cryptoviral extortion will be presented.

Title: Kleptography: The outsider inside your crypto devices, and its trust implications

Attacks against unscrutinized cryptographic devices that behave like a proper ones and look and feel correct and secure (in a provable way), but are nevertheless exposed, are presented. The implication of these attacks to the trust of an organization in its cryptography will be discussed, as will the chain of decision makers regarding crypto: vendors, suppliers, insiders and others.