SECURITY IN COMPUTING, FIFTH EDITION
Chapter 10: The Web—User Side
Instructor: Gao Haibo (高海波), Henan University of Chinese Medicine (河南中医药大学), Information Management and Information Systems Teaching and Research Office
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Chapter 10 Objectives
• Attacks against browsers
• Fake and malicious websites
• Attacks targeting sensitive data
• Injection attacks
• Spam
• Phishing attacks
Browser Vulnerabilities
[Bar chart: number of browser vulnerabilities reported per year, 2008 to 2013; values visible on the chart include 208, 207, 727 and 897]
Browser Attack Types
• Man-in-the-browser
• Keystroke logger
• Page-in-the-middle
• Program download substitution
• User-in-the-middle
Man-in-the-Browser
[Figure: the user types data into the browser, the browser encrypts it, and the encrypted data is transferred to the bank; SilentBanker intercepts the data inside the browser, before encryption]
Keystroke Logger
• Hardware or software that records all keystrokes
• May be a small dongle plugged into a USB port or can masquerade as a keyboard
• May also be installed as malware
• Not limited to browsers
Page-in-the-Middle
• User is directed to a different page than believed or intended
• Similar effect to a man-in-the-browser, where the attacker can intercept and modify user input
Program Download Substitution
• Attacker creates a page with seemingly innocuous and desirable programs for download
• Instead of, or in addition to, the intended functionality, the user installs malware
• This is a very common technique for spyware
User-in-the-Middle
• Using click-bait to trick users into solving CAPTCHAs on spammers' behalf
Successful Authentication
• The attacks listed above are largely failures of authentication
• Can be mitigated with
  • Shared secret
  • One-time password
  • Out-of-band communication
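The three mitigations on this slide, and the man-in-the-browser figure earlier in the chapter, can be shown together in one worked example. The code below is an added illustration for this lecture, not code from the book or the course. The hotp and totp functions follow RFC 4226 and RFC 6238 (the demo uses the RFCs' published test secret "12345678901234567890"); transaction_code and TransactionVerifier are a constructed, hypothetical transaction-binding scheme that assumes the bank and the user's token share a secret and a counter, so that a one-time code confirms the payee and amount the user actually saw rather than just "someone holding the token".

```python
import hashlib
import hmac
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the
    last nibble of the MAC, mask the sign bit, and keep `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount: str, digits: int = 6) -> str:
    """Constructed scheme (assumption, not from the book): the code is bound to
    the counter AND the transaction details the user read off the screen, so a
    code confirmed for one transfer is useless for a rewritten one."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class TransactionVerifier:
    """Bank-side check: shared secret, a small look-ahead window for tokens that
    drifted ahead, and a monotonic counter so that each code is accepted once."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.window = window
        self.last_counter = -1  # highest counter value accepted so far

    def verify(self, code: str, payee: str, amount: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            expected = transaction_code(self.secret, counter, payee, amount)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self.last_counter = counter            # burn this counter: no replay
                return True
        return False


def demo() -> tuple:
    """Walk through the man-in-the-browser scenario from the figure.
    Returns (tampered_accepted, honest_accepted, replay_accepted)."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, constructed input
    bank = TransactionVerifier(secret)

    # The user sees "pay ACME Utilities 120.00" and the token shows a code for it.
    user_code = transaction_code(secret, 0, "ACME Utilities", "120.00")

    # A man-in-the-browser rewrites the transfer before it leaves the browser but
    # can only forward the code the user generated: the binding does not match.
    tampered_accepted = bank.verify(user_code, "Mule Account 4711", "9000.00")

    # The honest transfer, exactly as the user confirmed it, is accepted once.
    honest_accepted = bank.verify(user_code, "ACME Utilities", "120.00")

    # Submitting the same code again is refused: counter 0 has been consumed.
    replay_accepted = bank.verify(user_code, "ACME Utilities", "120.00")

    return tampered_accepted, honest_accepted, replay_accepted


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(b"12345678901234567890", 0))
    print("tampered, honest, replay =", demo())
```

The shared secret is what makes the code verifiable, the counter is what makes it one-time, and binding the payee and amount into the MAC is the out-of-band idea: the confirmation travels a path (the user's eyes and token) that a compromised browser does not control. Plain TOTP alone would not stop the tampering step in demo(), because the malware can forward a valid time-based code along with whatever transaction it likes.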