Saphe surfing!

SAPHE: Secure Anti-Phishing Environment

Presented by Uri Sternfeld

• Phishing caused $3 billion in damages in 2007 alone

• Current solutions are not effective enough

What is Phishing?

• Any attempt to masquerade as a legitimate server in order to obtain sensitive information

• Usually done by soliciting an unsuspecting user to follow a fraudulent link

From: your bank
To: unsuspecting user

There are problems in your account. Please follow attached link to solve them.

Why does phishing work?

• Users are naïve

• It's hard to detect differences in URLs:

• Over-reliance on SSL security

Did you notice the small lock icon in the


Current solutions

• Maintaining black lists (Firefox & IE7)

• Phishing solicitations detection

• Idiosyncratic characteristics

That’s me!

A relevant warning

• This was recently published in a major Israeli bank’s web site:

click me

The Saphe Solution

• Relies on a password known only to the user and the real server

• Protects against:
  – Any impersonation of the real server
  – DNS poisoning
  – Man-in-the-Middle attacks

Security assumptions

• AES is a strong encryption algorithm

• SSLv3.0 is a secure protocol

• Digital certificates positively identify the owner of a domain

The general idea

• Use the password to authenticate the server to the user before using it to authenticate the user to the server

• Encrypt information about the current session to detect any tampering

How it works

• Client-side code (plugin) automatically guards the user

• Server-side code creates data that authenticates the server to the plugin

• All the user needs to do is notice the plugin dialog box (or the lack of it…)

How it really works

• Plugin automatically started when relevant MIME-type is detected

• The password is NOT sent until the server is authenticated and the connection is proven to be tamper-free

• All links MUST be secure (HTTPS)

How it really works (ctd)

• Client-side and server-side random challenge buffers are used (to prevent replay attacks)

• Encryption key is derived from the password and the challenges

• Data integrity is guaranteed with HMAC

How it really works (ctd2)

• Key derivation function is computationally demanding to slow offline enumeration

• The server encrypts the following:
  – Connection source IP address
  – URL requested during the connection
  – Login URL

How it really works (ctd3)

• User machine’s real IP address is retrieved from a secured (HTTPS) known server
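The server-authentication check described on the "How it really works" slides, as an added sketch that is not code from the presentation or from the Saphe implementation. Assumptions: PBKDF2-HMAC-SHA256 stands in for the unspecified key derivation function, the JSON message layout and all function names are hypothetical, the AES encryption of the fields is left out so that only the HMAC check is shown, and `real_ip` is passed in rather than fetched from the known HTTPS server. All addresses and URLs are constructed sample values.

```python
import hashlib, hmac, json, os

KDF_ROUNDS = 200_000  # assumed work factor; the slides give no figure

def derive_key(password, client_chal, server_chal):
    # Password plus both 16-byte challenges feed a deliberately slow KDF, so a
    # recorded response cannot be replayed and offline guessing is expensive.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               client_chal + server_chal, KDF_ROUNDS)

def server_response(password, client_chal, source_ip, requested_url, login_url):
    # Server side: bind what the server saw about this connection to the key.
    server_chal = os.urandom(16)
    session = json.dumps({"source_ip": source_ip,
                          "requested_url": requested_url,
                          "login_url": login_url}, sort_keys=True).encode()
    key = derive_key(password, client_chal, server_chal)
    tag = hmac.new(key, session, hashlib.sha256).digest()
    return {"server_chal": server_chal, "session": session, "tag": tag}

def client_verify(password, client_chal, resp, real_ip, url_requested):
    # Plugin side: returns "ok" only if the password may now be sent.
    key = derive_key(password, client_chal, resp["server_chal"])
    expected = hmac.new(key, resp["session"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp["tag"]):
        return "bad-hmac"            # peer lacks the password, or a replay
    seen = json.loads(resp["session"])
    if seen["source_ip"] != real_ip:
        return "ip-mismatch"         # server saw a relay's address, not ours
    if seen["requested_url"] != url_requested:
        return "url-mismatch"        # we asked for a different URL than it served
    if not seen["login_url"].startswith("https://"):
        return "insecure-login-url"  # all links must be HTTPS
    return "ok"

if __name__ == "__main__":
    chal = os.urandom(16)
    resp = server_response("correct horse", chal, "203.0.113.7",
                           "https://bank.example/", "https://bank.example/login")
    print(client_verify("correct horse", chal, resp, "203.0.113.7",
                        "https://bank.example/"))
```
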

Next: Thwarting Phishing


Phishing scenario #1

• Redirecting the user to a fraudulent domain

• Forged web page similar to the real one

• Passive Phishing

• (Most common scenario)

Phishing scenario #2

• Active Phishing

Phishing scenario #3

• DNS poisoning

Phishing scenario #4

• Man-in-the-Middle

Implementation details

• Firefox plugin written as a DLL in C++

• Server side code written in C++

• Test server written in Python

• Tested on Windows XP with Firefox 1.5

Future versions

• Support more browsers and operating systems

• Automatic installer

• Allow HTML code in Saphe data

• Support password hashes

How much is the phish?

Questions? (How many fish are in this presentation?)