Anti-Phishing Technology Chokepoints and Countermeasures Aaron Emigh Radix Labs aaron@radixlabs.com
A Typical Phishing Email
Phishing Information Flow
Step 1: Phish Delivery
Authentication
Reducing False Positives
Image Recognition Simple idea: recognize logos
Image Recognition Maybe not so simple…
Image Recognition Fully render, then retrieve sub-images
Patching
Secure Patch Distribution
Secure Patch Activation
Automatic Secure Patch Activation
Step 2: User Action
Education Why Johnny can’t identify phish…
Personally Identifiable Information
Personally Identifiable Information
Unmask Deceptive Links
<P>To go to a surprising place via a cloaked URL, click on <A HREF="http://security.ebay.com@phisher.com">this link.</A>
<P>To go to a surprising place via a cloaked URL with a password, click on <A HREF="http://security.ebay.com:password@phisher.com">this link.</A>
<P>To go to a surprising place via an open redirect, click on <A HREF="http://redirect.ebaysecurity.com?url=phisher.com">this link.</A>
<P>To go to a surprising place via a misleading link, click on <A HREF="http://phisher.com">http://security.ebay.com.</A>
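The four deceptive link forms on this slide can be checked mechanically before a user ever clicks. As an added example (not from the original deck), this Python script parses each anchor, compares where the browser will actually connect with what the reader sees, and flags userinfo cloaking, URL-bearing redirect parameters and text/href host mismatches; the HOST_RE heuristic and the category names are my own assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the four deceptive anchors from the slide above.
SAMPLE_HTML = """
<P>cloaked: <A HREF="http://security.ebay.com@phisher.com">this link.</A>
<P>cloaked with password: <A HREF="http://security.ebay.com:password@phisher.com">this link.</A>
<P>open redirect: <A HREF="http://redirect.ebaysecurity.com?url=phisher.com">this link.</A>
<P>misleading text: <A HREF="http://phisher.com">http://security.ebay.com.</A>
"""

# Assumed heuristic: something that reads like a URL or bare hostname.
HOST_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+", re.I)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <A> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lower-cases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL or bare hostname, lower-cased; None if unparseable."""
    return urlsplit(s if "://" in s else "http://" + s).hostname

def unmask(href, text):
    """Return 'code: detail' strings for each deception found; empty list if none."""
    u, reasons = urlsplit(href), []
    if u.username:  # whatever precedes '@' is userinfo, never the host
        reasons.append(f"userinfo: browser connects to {u.hostname}, not {u.username}")
    for key, vals in parse_qs(u.query).items():
        if any(HOST_RE.match(v) for v in vals):
            reasons.append(f"open-redirect: parameter {key!r} names another site ({vals[0]})")
    shown = text.rstrip(".")  # drop the sentence period inside the anchor text
    if HOST_RE.match(shown) and host_of(shown) != u.hostname:
        reasons.append(f"text-mismatch: shows {host_of(shown)} but goes to {u.hostname}")
    return reasons

def scan(html):
    """Run unmask() over every anchor in an HTML fragment."""
    p = AnchorCollector()
    p.feed(html)
    return [(href, unmask(href, text)) for href, text in p.links]

if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons) or "no deception detected")
```

A mail client or proxy can run the same check and rewrite flagged anchors to show the real destination host next to the link text.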
Interfere With Navigation
Detecting DNS Poisoning
Steps 2 and 4: Information Sharing
It’s the metadata, stupid!
Step 4: Transmitting data
Little Brother is Watching
Steps 4 and 6: Secure Path
Secure Path (That Was Then) Login: aaron Password: ******
Secure Path (This Is Now)
Secure Path (This Is Now)
Step 6: Data Without Value
Two-Factor Authentication
Two-Factor Authentication
Password Hashing
Policy-based data
Aftermath: Ex Post Facto Detection
Aftermath: Information Sharing
Conclusions