河南中医药大学：《信息安全网络与网络安全》课程教学资源（英文讲稿）第10章 浏览器 The Web—User Side

SECURITY IN COMPUTING FIETH EDITION Chapter 10: The Web-User Side 授课教师:高海波 可南中医药大学 信息管理与信息系统教研室 From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

SECURITY IN COMPUTING, FIFTH EDITION Chapter 10: The Web—User Side From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved. 1 授课教师：高海波 河南中医药大学 信息管理与信息系统教研室

2 Chapter 10 Objectives Attacks against browsers Fake and malicious websites Attacks targeting sensitive data Injection attacks Spam Phishing attacks From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Chapter 10 Objectives • Attacks against browsers • Fake and malicious websites • Attacks targeting sensitive data • Injection attacks • Spam • Phishing attacks 2 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

3 Browser vulnerabilities 1000 900 897 800 727 700 600 500 400 300 208 207 200 100 0 200820092010201120122013 From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Browser Vulnerabilities 3 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

Browser Attack Types Man-in-the-browser Keystroke logger Page-in-the-middle Program download substitution User-in-the-middle From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Browser Attack Types •Man-in-the-browser •Keystroke logger •Page-in-the-middle •Program download substitution •User-in-the-middle 4 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

5 Man-in-the-Browser Browser Encrypted data User types transferred to encrypts bank 分 AN SilentBanker intercepts From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Man-in-the-Browser 5 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

6 Keystroke Logger Hardware or software that records all keystrokes May be a small dongle plugged into a USB port or can masquerade as a keyboard May also be installed as malware Not limited to browsers From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Keystroke Logger • Hardware or software that records all keystrokes • May be a small dongle plugged into a USB port or can masquerade as a keyboard • May also be installed as malware • Not limited to browsers 6 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

7 Page-in-the-Middle User is directed to a different page than believed or intended Similar effect to a man-in -the-browser where attacker can intercept and modify user input From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Page-in-the-Middle • User is directed to a different page than believed or intended •Similar effect to a man-in-the-browser, where attacker can intercept and modify user input 7 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

8 Program Download Substitution Attacker creates a page with seemingly innocuous and desirable programs for download Instead of, or in addition to the intended functionality, the user installs malware This is a very common technique for spyware From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Program Download Substitution • Attacker creates a page with seemingly innocuous and desirable programs for download • Instead of, or in addition to, the intended functionality, the user installs malware • This is a very common technique for spyware 8 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

9 User-in-the-Middle Using click-bait to trick users into solving CAPTCHAs on spammers behalf From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

User-in-the-Middle 9 • Using click-bait to trick users into solving CAPTCHAs on spammers’ behalf From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved

Successful Authentication The attacks listed above are largely failures of authentication Can be mitigated with Shared secret One-time password Out-of-band communication From Security in Computing, Fifth Edition, by Charles P Pfleeger, et al. (ISBN: 9780134085043) Copyright 2015 by Pearson Education, Inc. All rights reserved

Successful Authentication • The attacks listed above are largely failures of authentication • Can be mitigated with • Shared secret • One-time password • Out-of-band communication 10 From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved