Docstoc

Phishing

Document Sample
Phishing Powered By Docstoc
					                          Phishing




OWASP
Chennai 2007



               The OWASP Foundation
               http://www.owasp.org
    Definition
      It is the act of tricking someone into giving
      confidential information (like passwords and
      credit card information) on a fake web page or email
      form pretending to come from a legitimate company
      (like their bank).

     For example: Sending an e-mail to a user falsely claiming to be an
      established legitimate enterprise in an attempt to scam the user into
      surrendering private information that will be used for identity theft.




2                                         OWASP Chennai Chapter Kick-off
    Examples




3              OWASP Chennai Chapter Kick-off
    Examples




4              OWASP Chennai Chapter Kick-off
    Examples




5              OWASP Chennai Chapter Kick-off
    Types of Phishing
       Deceptive - Sending a        deceptive email, in bulk, with a “call to
        action” that demands the recipient click on a link.




6                                               OWASP Chennai Chapter Kick-off
    Types of Phishing
       Malware-Based - Running malicious software on the user’s
        machine. Various forms of malware-based phishing are:

                Key Loggers & Screen Loggers
                Session Hijackers
                Web Trojans
                Data Theft




7                                               OWASP Chennai Chapter Kick-off
    Types of Phishing
       DNS-Based - Phishing that interferes with the integrity of the
        lookup process for a domain name. Forms of DNS-based phishing are:
            Hosts file poisoning
            Polluting user’s DNS cache
            Proxy server compromise




8                                           OWASP Chennai Chapter Kick-off
    Types of Phishing
       Content-Injection – Inserting malicious content into legitimate site.

        Three primary types of content-injection phishing:

            Hackers can compromise a server through a security
             vulnerability and replace or augment the legitimate content
             with malicious content.

          Malicious content can be inserted into a site through a cross-
           site scripting vulnerability.

          Malicious actions can be performed on a site through a SQL
           injection vulnerability.


9                                           OWASP Chennai Chapter Kick-off
     Types of Phishing
        Man-in-the-Middle Phishing - Phisher positions himself
         between the user and the legitimate site.




10                                               OWASP Chennai Chapter Kick-off
     Types of Phishing
        Search Engine Phishing - Create web pages for fake products,
         get the pages indexed by search engines, and wait for users to enter their
         confidential information as part of an order, sign-up, or balance transfer.




11                                               OWASP Chennai Chapter Kick-off
     Causes of Phishing
        Misleading e-mails
        No check of source address
        Vulnerability in browsers
        No strong authentication at websites of banks and financial
         institutions
        Limited use of digital signatures
        Non-availability of secure desktop tools
        Lack of user awareness
        Vulnerability in applications
        … and more




12                                         OWASP Chennai Chapter Kick-off
     Effects of Phishing
        Internet fraud
        Identity theft
        Financial loss to the original institutions
        Difficulties in Law Enforcement Investigations
        Erosion of Public Trust in the Internet.




13                                           OWASP Chennai Chapter Kick-off
     Industries affected
     Major industries affected are:
      Financial Services

      ISPs

      Online retailers




14                                    OWASP Chennai Chapter Kick-off
     Phishing Trends




15                     OWASP Chennai Chapter Kick-off
     Phishing Trends




16                     OWASP Chennai Chapter Kick-off
     How to combat phishing?

      Educate application users
           Think before you open
           Never click on the links in an email , message boards or mailing lists
           Never submit credentials on forms embedded in emails
           Inspect the address bar and SSL certificate
           Never open suspicious emails
           Ensure that the web browser has the latest security patch applied
           Install latest anti-virus packages
           Destroy any hard copy of sensitive information
           Verify the accounts and transactions regularly
           Report the scam via phone or email.




17                                              OWASP Chennai Chapter Kick-off
     How to combat phishing?

        Formulate and enforce Best practices

              Authorization controls and access privileges for systems,
               databases and applications.
              Access to any information should be based on need-to-know
               principle
              Segregation of duties.
              Media should be disposed only after erasing sensitive
               information.




18                                       OWASP Chennai Chapter Kick-off
     How to combat phishing?
     Reinforce application development / maintenance processes:
             1. Web page personalization
                 Using two pages to authenticate the users.
                 Using Client-side persistent cookies.




19                                         OWASP Chennai Chapter Kick-off
     How to combat phishing?

      2. Content Validation

             Never inherently trust the submitted data
             Never present the submitted data back to an application user
              without sanitizing the same
             Always sanitize data before processing or storing
             Check the HTTP referrer header




20                                          OWASP Chennai Chapter Kick-off
     How to combat phishing?
     3. Session Handling

               Make session identifiers long, complicated and difficult to guess.
               Set expiry time limits for the SessionID’s and should be checked for
                every client request.
               Application should be capable of revoking active SessionID’s and
                not recycle the same SessionID.
               Any attempt the invalid SessionID should be redirected to the login
                page.
               Never accept session information within a URL.
               Protect the session via SSL.
               Session data should be submitted as a POST.
               After authenticating, a new SessionID should be used (HTTP &
                HTTPS).
               Never let the users choose the SessionID.


21                                             OWASP Chennai Chapter Kick-off
     How to combat phishing?

     4. URL Qualification

           Do not reference redirection URL in the browser’s URL
           Always maintain a valid approved list of redirection url’s
           Never allow customers to supply their own URL’s
           Never allow IP addresses to be user in URL information




22                                             OWASP Chennai Chapter Kick-off
     How to combat phishing?
     5. Authentication Process

            Ensure that a 2-phase login process is in place
            Personalize the content
            Design a strong token-based authentication




23                                            OWASP Chennai Chapter Kick-off
     How to combat phishing?
     6. Transaction non-repudiation
           To ensure authenticity and integrity of the transaction




24                                              OWASP Chennai Chapter Kick-off
     How to combat phishing?
     7. Image Regulation
               Image Cycling
               Session-bound images




25                                     OWASP Chennai Chapter Kick-off
     Organizations
        Anti-Phishing Working Group (APWG)
               The APWG has over 2300+ members from over 1500 companies &
         agencies worldwide. Member companies include leading security companies
         such as Symantec, McAfee and VeriSign. Financial Industry members
         include the ING Group,VISA, Mastercard and the American Bankers
         Association.




26                                           OWASP Chennai Chapter Kick-off
     What does all the above imply?




      It is better to be safer now than feel sorry later.




27                               OWASP Chennai Chapter Kick-off
References
     • http://www.antiphishing.org/reports/apwg_report_november_2006.pdf
     • http://72.14.235.104/search?q=cache:-T6-
       U5dhgYAJ:www.avira.com/en/threats/what_is_phishing.html+Phishing+c
       onsequences&hl=en&gl=in&ct=clnk&cd=7
     • Phishing-dhs-report.pdf
     • Report_on_phishing.pdf
     • http://www.cert-in.org.in/training/15thjuly05/phishing.pdf
     • http://www.antiphishing.org/consumer_recs.html




28                                       OWASP Chennai Chapter Kick-off
     Questions?




29      OWASP Chennai Chapter Kick-off
     Thank You!




30      OWASP Chennai Chapter Kick-off

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:2/16/2013
language:English
pages:30