
Enhancing Trust in Online Privacy: A Guide to Phishing and Security Tools

In today's digital landscape, safeguarding privacy is paramount. This overview addresses threats such as phishing and fraudulent websites, emphasizing the central role of the web browser in user security. Detection tools such as phishing toolbars and heuristics are evaluated on how effectively they identify fraudulent sites. By examining community ratings and SSL indicators, users can better navigate potential risks. Explore solutions that enhance trust, while recognizing that a false sense of security can itself lead to vulnerabilities.


Presentation Transcript


  1. Conveying Trust Serge Egelman

  2. Portal to The Interweb • Threats to privacy: • Phishing • Information interception • Fraudulent sites • Web browser is central • Email • IM • Detection must occur here

  3. In The Beginning… • Man-in-the-middle • Sniffing • SSL solved these • Browser SSL indicators • Locks • Keys • Borders • URL bar

  4. SSL Indicators • Microsoft IE • Mozilla • Firefox • Safari

  5. But What About Phishing? • Toolbars • User notification • Audio • Pop-ups • Indicators • Community ratings • Heuristics

  6. Phishing Toolbars • Clear Search • Scans email using heuristics

  7. Phishing Toolbars • Cloudmark • Community ratings

  8. Phishing Toolbars • eBay Toolbar • Community ratings

  9. Phishing Toolbars • SpoofGuard • URL analysis • Password analysis • Image analysis

  10. Phishing Toolbars • Trustbar (Mozilla) • Analyzes known sites • Analyzes certificate information

  11. Phishing Toolbars • Trustwatch • Site ratings

  12. But Do They Work? • No • 25 Sites tested • Cloudmark: 10 (40%) identified • Netcraft: 19 (76%) identified • SpoofGuard: 10 (40%) identified • Trustwatch: 9 (36%) identified

  13. Activity #1 • Download a phishing toolbar: • http://www.cloudmark.com/desktop/download/ • http://pages.ebay.com/ebay_toolbar/ • http://crypto.stanford.edu/SpoofGuard/ • http://trustbar.mozdev.org/ • http://toolbar.trustwatch.com/ • http://toolbar.netcraft.com/ • Pros? Cons? • Is it usable? • How could it be circumvented?

  14. Other Browser Plugins • Previously mentioned toolbars • Phishing • Fraudulent sites • Limited intelligence

  15. Password Hashing • Many users use same passwords • One compromise leads to many • Knowing real password doesn’t help • Hashing solves this • Passwords hashed automatically with domain name • User doesn’t know the difference • Mozilla extension

  16. Dynamic Security Skins • User remembers one image • Trusted window • User remembers one password • Ease of use • Sites get hashed password • Matches two patterns to trust server • Generated using a shared secret

  17. Trusted Window

  18. Verifying Sites

  19. Using Tokens • Two factor authentication • Something you have • Usually cryptographic • SecurID • Smart cards • Random cryptographic tokens • Scratch cards

  20. Using Phones • Client side certificates • Private keys generated/stored on phone • New key for each phone • Keys linked to domain names • Key generated upon new connection • Bluetooth • No server modifications

  21. Current Browser Support • Hardware drivers • Crappy browser support • Example • Simple text box • Make using the device unobtrusive • Activity #2

  22. False Sense of Security • JavaScript tricks • ING example • MITM • Spyware • Stored images • Bank of America example • MITM • Spyware • CAPTCHAs • MITM

  23. Activity #3 • What security features really need to be prominent?
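
Slide 15's scheme, in which the password is hashed automatically with the domain name, shown as an added example that is not from the presentation or from the Mozilla extension it mentions. PBKDF2-HMAC-SHA256, the iteration count, the 16-character output and the two-label site key are assumptions, and the password and URLs are constructed samples.

```python
import base64
import hashlib
import ipaddress
from urllib.parse import urlsplit

ITERATIONS = 100_000  # assumption: slows offline guessing of the master password


def site_key(url: str) -> str:
    """Domain the password is bound to. Assumption: the last two DNS labels;
    a real tool needs the Public Suffix List (e.g. for co.uk)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    try:
        ipaddress.ip_address(host)
        return host  # IP literal: bind to the whole address
    except ValueError:
        return ".".join(host.split(".")[-2:])


def site_password(master: str, url: str, length: int = 16) -> str:
    """Hash the master password with the site key used as salt, so each
    domain receives a different password."""
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                                 site_key(url).encode("utf-8"), ITERATIONS)
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def demo() -> dict:
    master = "correct horse battery"  # constructed sample password
    urls = {  # constructed sample URLs on reserved example domains
        "real": "https://www.example.com/login",
        "real_subdomain": "https://secure.example.com/account",
        "lookalike": "https://www.example.com.signin.example.net/login",
    }
    return {name: (site_key(u), site_password(master, u))
            for name, u in urls.items()}


if __name__ == "__main__":
    for name, (key, pw) in demo().items():
        print(f"{name:15} {key:15} {pw}")
```

The look-alike host is keyed to example.net, so a page served from it receives a password that differs from the one example.com expects.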
