In the current TLS user experience, the browser displays a padlock (and, for an extended-validation certificate, a green bar) after it has verified the signature chain on the server's certificate. The proposal is that the browser's response to a successfully verified certificate should instead be to display a login window. That login window shows the identity credentials taken from the certificate, so that the user can authenticate Bob, and it also shows a 'user-browser' shared secret: a specific picture from the user's own hard disk. This is not SiteKey; the image is shared only between the computer user and their browser and is never transmitted over the internet. Because a sandboxed website cannot read the user's hard disk, a phishing site cannot counterfeit the image. In short, if the installed browser software is treated as an actor in the cryptographic protocol, the defence against phishing reduces to classic cryptography, as documented in any cryptography textbook.
This document discusses password managers and their adoption. It begins by outlining the need for secure authentication as online transactions and data sharing increases. While passwords are theoretically secure, users often choose weak passwords and reuse them across accounts. This exposes them to risk if one password is compromised.
The document then describes three types of password managers: browser-based, which are convenient but less secure; desktop-based, which require opening a separate program but offer stronger security; and mobile apps, which provide security and usability on any device. It argues password managers can help users meet best practices for unique, strong passwords without memorization burden, improving security overall.
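As an added example (not code from the document summarised above), the following Python audits a constructed password vault for the two failures the summary names, reuse across accounts and weak choices, and generates replacement passwords from the CSPRNG. The vault entries and the common-password excerpt are constructed for illustration; the 60-bit threshold is an assumed policy value, and the entropy figure is an upper bound that only holds for uniformly generated passwords.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real credentials.
SAMPLE_VAULT = [
    ("bank.example",  "alice", "Summer2019!"),
    ("mail.example",  "alice", "Summer2019!"),            # reused across accounts
    ("forum.example", "alice", "password"),               # on every common-password list
    ("shop.example",  "alice", "k7$Qv9!mZ2pL#dR4wX8b"),   # generator-style password
]

# Constructed excerpt of a common-password list (compared case-insensitively).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "summer2019"}

# 94 printable ASCII characters excluding space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character independently from the CSPRNG (secrets),
    never from random.choice, which is seeded from predictable state."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a *uniformly generated* password: length * log2(alphabet).
    For a human-chosen password this is only an upper bound."""
    return length * math.log2(alphabet_size)


def audit_vault(vault, common=COMMON_PASSWORDS, min_bits: float = 60.0):
    """Return (reused, weak).

    reused: password -> list of sites sharing it (one compromise unlocks all of them)
    weak:   sites whose password is on the common list or whose upper-bound
            entropy is below min_bits (assumed policy threshold)."""
    by_password = defaultdict(list)
    for site, _user, pw in vault:
        by_password[pw].append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

    weak = []
    for site, _user, pw in vault:
        too_common = pw.lower() in common
        too_short = entropy_bits(len(pw), len(ALPHABET)) < min_bits
        if too_common or too_short:
            weak.append(site)
    return reused, weak


if __name__ == "__main__":
    reused, weak = audit_vault(SAMPLE_VAULT)
    for pw, sites in reused.items():
        print(f"reused on {sites}: replace with e.g. {generate_password()}")
    print("weak:", weak)
```

A real manager stores the vault encrypted under a key derived from the master password; the audit logic above is what such tools run when they flag "reused" and "weak" entries.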
Does facebook federation have your best interests at heart? (PerfectCloud Corp.)
The document discusses concerns with using Facebook login integration and single sign-on services for sensitive accounts. It notes that consolidating all account information into one identity on Facebook poses security risks, as Facebook profiles can be easily accessed and the company has shared user data before. The document recommends using single sign-on services like SmartSignin that are not social networks and can better protect multiple identities with separate usernames and passwords.
The document discusses threats to privacy and confidentiality on social media. It identifies three main threats: 1) Malware like viruses can steal personal information from computers through social media links or extensions. 2) Social engineering techniques like creating fake profiles or phishing scams can trick users into sharing private information. 3) Social media networks track users across the web through techniques like single sign-on to collect user data for advertisers. The document concludes that due to these threats, personal data on social media cannot be considered confidential.
1) Password cracking is the process of recovering secret passwords by techniques such as attacking weak password hashes, guessing with dictionaries, trying vendor default passwords, brute force, and phishing.
2) Common password cracking techniques include exploiting weak or unsalted hashing algorithms, guessing from common words and personal details, using the default passwords shipped with applications, trying every possible character combination by brute force, and tricking users into revealing passwords through phishing.
3) IP spoofing involves forging the source address field in the IP packet header to disguise the identity of the sender or impersonate another system; because nothing in the header authenticates the source, it is combined with weaknesses in the connection-oriented TCP protocol (such as predictable sequence numbers) to impersonate a trusted host.
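The first two points above, as an added example that is not part of the original document: a dictionary attack against an unsalted fast hash (one MD5 per password) recovers every user who chose a listed word in a single pass, while the same wordlist against a per-user salted PBKDF2 record costs one full key derivation per user and per candidate. The leaked records and the wordlist excerpt are constructed; the iteration count is kept low so the demo runs in seconds (OWASP's current guidance for PBKDF2-HMAC-SHA256 is far higher, and bcrypt, scrypt or Argon2 are preferred where available).

```python
import hashlib
import hmac
import os

# Constructed wordlist excerpt, standing in for a rockyou-style dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "monkey", "Summer2019!"]

DEMO_ITERATIONS = 100_000   # deliberately low for the demo


def fast_unsalted(pw: str) -> str:
    """Legacy scheme: one MD5 over the password, no salt.
    Same password -> same hash, for every user and every site."""
    return hashlib.md5(pw.encode()).hexdigest()


def crack_unsalted(targets, wordlist):
    """Dictionary attack. Each candidate is hashed once and matched against all
    targets, so the cost is O(len(wordlist)) regardless of how many hashes leaked.
    A rainbow table is this lookup dict, precomputed and stored."""
    lookup = {fast_unsalted(w): w for w in wordlist}
    return {h: lookup[h] for h in targets if h in lookup}


def slow_salted(pw: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user random salt (stdlib only)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def make_record(pw: str, iterations: int = DEMO_ITERATIONS):
    """What a sane password store keeps: (salt, iterations, digest)."""
    salt = os.urandom(16)
    return salt, iterations, slow_salted(pw, salt, iterations)


def verify(pw: str, record) -> bool:
    salt, iterations, digest = record
    # constant-time comparison so a timing side channel does not leak the digest prefix
    return hmac.compare_digest(slow_salted(pw, salt, iterations), digest)


def crack_salted(records, wordlist):
    """Same dictionary, but the salt forces a fresh KDF run for every
    (user, candidate) pair: no precomputation is shared between users."""
    cracked = {}
    for user, record in records.items():
        for w in wordlist:
            if verify(w, record):
                cracked[user] = w
                break
    return cracked


def demo():
    """Constructed leak: two users chose a dictionary word, one chose a random string."""
    unsalted_dump = [fast_unsalted("password"),
                     fast_unsalted("password"),          # identical hash: reuse is visible at a glance
                     fast_unsalted("x9!Lq2#vT7pW")]
    salted_dump = {"alice": make_record("password"),
                   "bob":   make_record("password"),     # same password, different salt, different digest
                   "carol": make_record("x9!Lq2#vT7pW")}
    return crack_unsalted(unsalted_dump, WORDLIST), crack_salted(salted_dump, WORDLIST)


if __name__ == "__main__":
    unsalted, salted = demo()
    print("unsalted MD5 cracked:", unsalted)
    print("salted PBKDF2 cracked:", salted)
```

Both stores lose the users who picked "password"; the difference is that the salted store makes the attacker pay per user and per guess, and gives away nothing about who shares a password, while the unsalted dump is cracked in bulk and exposes reuse directly.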
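Point 3 above, as an added example not taken from the document: the 20-byte IPv4 header is built field by field with Python's struct module, the source field is then rewritten and the RFC 791 header checksum recomputed, and a BCP 38 style egress filter shows the one place on the path where the forgery is detectable. The addresses are from the documentation ranges and are constructed; the code only builds and parses bytes, it never sends them (that would need a raw socket and root).

```python
import ipaddress
import socket
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20 bytes: ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: one's-complement sum of the 16-bit words, then complemented.
    Over a header whose checksum field is filled in correctly, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = 6, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header with no options. `src` is whatever the caller writes:
    no field in the header authenticates it, which is all IP spoofing relies on."""
    ver_ihl = (4 << 4) | 5                  # version 4, header length 5 words
    fields = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(fields)            # computed with the checksum field zeroed
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "total_len": total_len,
        "ttl": ttl, "proto": proto,
        "checksum_ok": ipv4_checksum(raw[:20]) == 0,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def spoof_source(header: bytes, new_src: str) -> bytes:
    """Rewrite the source address and fix the checksum. Intermediate routers
    verify only the checksum, so the forged header is forwarded like any other."""
    patched = header[:10] + b"\x00\x00" + socket.inet_aton(new_src) + header[16:]
    return patched[:10] + struct.pack("!H", ipv4_checksum(patched)) + patched[12:]


def egress_filter(header: bytes, local_prefix: str) -> bool:
    """BCP 38 check at the network edge: pass only packets whose source lies in
    the prefix this network is actually allowed to originate."""
    src = ipaddress.ip_address(parse_ipv4_header(header)["src"])
    return src in ipaddress.ip_network(local_prefix)


if __name__ == "__main__":
    genuine = build_ipv4_header("192.0.2.10", "198.51.100.5", payload_len=0)
    forged = spoof_source(genuine, "203.0.113.7")
    print(parse_ipv4_header(forged))
    print("passes egress filter:", egress_filter(forged, "192.0.2.0/24"))
```

The forged header parses as well-formed with a valid checksum, so the only control that catches it is the edge router that knows which source prefixes its customers own; that is why the defence against spoofing is deployed at network boundaries rather than at the receiver.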
Hacking with experts 3 (facebook hacking) by anurag dwivedi (Esteban Bedoya)
The keylogger software allows monitoring of keyboard activity on a target computer without the user's knowledge. The document summarises the steps to use the keylogger software:
1. Download and extract the keylogger software files.
2. Configure the keylogger by generating a server name and specifying settings such as self-destruct timing, file icon, and binding to another file.
3. The keylogger then covertly monitors and logs all keyboard activity on the target computer without being visible to the user. The logs can be sent by email or other methods for the attacker to access the recorded keystrokes.
Keyloggers allow unauthorized surveillance of keyboard input, letting an attacker obtain passwords and sensitive information as they are typed.
The document discusses reasons why PCs crash and methods for hacking Facebook accounts.
It provides 5 common reasons for PC crashes: 1) Hardware conflicts where two devices use the same interrupt request channel. 2) Bad RAM such as mismatched chip speeds or parity errors. 3) Improper BIOS settings. 4) Overheating components. 5) Hard drive failures from bad sectors or mechanical issues.
It also describes two methods for hacking Facebook accounts: 1) Using tabnabbing, where an open page in a background tab rewrites itself into a fake login page once the user switches to another tab. 2) Installing a keylogger file on a victim's computer to steal their login credentials. The document provides step-by-step instructions for both hacking methods.
This document discusses various hacking techniques, including hacking Airtel mobile internet using a proxy server, cracking passwords using tools like Cain & Abel and John the Ripper, installing keylogger software to steal Facebook login credentials, and creating a fake Facebook login page using the BackTrack 5 operating system to phish user passwords. The author argues that the BackTrack method is most effective because it allows anonymous hacking without installing anything on the victim's computer. The document concludes by warning readers not to attempt hacking and only discusses these techniques for educational purposes.
GNUCITIZEN Pdp Owasp Day September 2007 (guest20ab09)
The document discusses potential ways that Web 2.0 technologies could be abused by malicious actors, through five fictional stories. It describes how social networks, APIs, cloud services and other Web 2.0 features could enable new types of malware, spam, botnets and data theft. The stories illustrate techniques like using mashups and feeds to distribute malware, exploiting search and social media to spread worms, using bookmarks for ad-jacking and creating botnets, and abusing aggregators and search engines to conduct reconnaissance. The document warns that legitimate Web 2.0 services could enable large-scale abuse if exploited by attackers.
The document provides an overview of the darknet, including:
1) It explains how the darknet works using tools like Tor and cryptocurrencies to allow anonymous browsing and transactions.
2) The darknet is used for both legal and illegal purposes, including anonymous communication, confidential information sharing, and exchange of illegal goods.
3) While the darknet provides advantages of anonymity and privacy, it also enables illegal activities and is virtually impossible for authorities to control due to its design.
The document discusses security and privacy issues related to web browsers. It outlines how targeted attacks on web browsers are increasingly motivated by financial gain. It then discusses common web browser vulnerabilities and how informed consent is important for privacy and security. The document proposes designs for enhancing user understanding of events like cookies with minimal distraction. It also discusses strengthening browser security against man-in-the-middle and eavesdropping attacks.
The document provides guidelines for ensuring cybersecurity. It discusses threats like malware, phishing, and social engineering. It recommends practicing safe online habits like using strong passwords, updating software, and avoiding unsafe downloads. The document also provides tips for organizations, including access controls, monitoring networks, backups, and supplier management. The overall message is that cybersecurity requires vigilance across individual, technical, and policy levels.
The document provides information on connecting to the internet using different connection types like LAN, VPN, modem, etc. It discusses using browser software like Firefox to navigate web pages and search for information. Specific browser tools are described like the address bar, bookmarks, back and forward buttons. The document also covers using email and social media to communicate online and the importance of privacy and safety practices when browsing like using strong passwords, privacy settings, and avoiding clicking suspicious links.
The document discusses various online threats such as hackers, malware writers, and fraudsters who are all trying to steal people's money and personal information. Three real-world examples are provided: 1) A financial trojan wiping someone's bank account by manipulating their online banking transactions. 2) A computer being turned into a "zombie bot" part of a large botnet without the owner's knowledge. 3) A ransomware attack encrypting all of someone's files and demanding payment to decrypt them. The document recommends using reliable anti-malware software to protect against these kinds of online threats.
Why is password protection a fallacy: a point of view (Yury Chemerkin)
This document discusses vulnerabilities in password protection and login security. It provides tips for creating strong passwords but notes that passwords are not fully secure because of attacks such as keylogging malware, screen capture of password entry, and login spoofing. On Windows, replacing accessibility binaries such as utilman.exe, which the logon screen launches before anyone has authenticated, with another executable gives an attacker a way to change passwords without authorization. iPhones have also had lock-screen bugs that exposed protected content through unexpected screen transitions. In summary, while passwords provide some protection, they have significant limitations and vulnerabilities that attackers can exploit.
[Computer] hacking for dummies: how to learn to hack in easy steps (Lee Toulouse)
The document provides instructions on how to begin learning to hack. It recommends using Linux as your operating system instead of Windows because hacking tools and exploits primarily target UNIX/Linux systems. It discusses connecting your Linux box to the internet, staying anonymous while hacking, using nmap to scan target systems and identify open ports and services, and uploading and compiling programs on target systems without leaving logs. The goal is to provide beginners with foundational knowledge on tools and techniques without promoting illegal hacking activities.
Who's that knocking on my firewall door? (Bruce Wolfe)
This document discusses various cybersecurity trends and threats non-profit organizations should be aware of in 2010, including malicious bots, bandwidth theft through malware, insecure hardware and software, social engineering attacks, and weak user passwords. It provides recommendations for spam filtering and access control lists, considers options like OpenID for centralized authentication, and emphasizes the importance of ongoing education to help non-profits securely manage their online resources with limited budgets.
When developers api simplify user mode rootkits development – part ii (Yury Chemerkin)
This series of articles is about the ease with which user-mode rootkits for BlackBerry can be developed. In a previous article, several cases were described, along with ideas on how a mobile rootkit could easily be built at the application level by exploiting API and privilege-escalation vulnerabilities or oversights. The cases covered the top trojans of two years, the first being Android Plankton: instead of giving access to hidden levels of the popular game it was bundled with, the malware sends information about the device to criminals and downloads other malicious programs.
Describe briefly the OSI Reference model and its relevance to computer security. [4 Marks]
• Ans 1: The Open Systems Interconnection (OSI) model is a standardized framework for describing how computers communicate with each other over a network. It conceptualizes how data flows through a stack of seven layers, beginning with the physical layer and continuing through the data link, network, transport, session, presentation, and finally the application layer (Simoneau, 2006). Its relevance to computer security is that attacks and controls can be located at specific layers, for example ARP spoofing at the data link layer, IP spoofing at the network layer, TCP session hijacking at the transport layer, and TLS between the transport and application layers, so a control at one layer does not protect the layers above or below it.
Advanced phishing for red team assessments (JEBARAJM)
The presentation was about how Office 365 can be attacked, and how G Suite features can be leveraged for phishing and red team assessments.
Linkedin: https://www.linkedin.com/in/jebaraj-m-551a091aa/
Webinar Security: Apps of Steel transcription (Service2Media)
The document summarizes the key challenges around mobile app security from a webinar on creating secure apps. It highlights issues like insecure operating systems, networks that can't be trusted, malware, and how developers are responsible for protecting users' data despite these challenges. The presenter asks how developers can create "apps of steel" that are securely designed without massive effort. The response covers mitigation strategies like secure development processes, multi-factor authentication, threat modeling, and key management.
This document provides information about computer hacking tools and skills. It discusses hacking tools like SQLI Helper, Dark Port Scanner, Sonic Bat virus creator, Brutus password cracker, and IP Tools. It also mentions Cain and Abel password recovery tool. The document outlines essential hacking skills like network packet sniffing, password hash cracking, rainbow tables, and cryptanalysis attacks. It emphasizes the wide IT knowledge required to become a skilled hacker, including fundamentals like networking, operating systems, and programming.
Challenges and Risks of Web 3.0 — A New Digital World Order (Mindfire LLC)
It’s no secret that the world of technology is ever-evolving. From Web 1.0 to the current climate of Web 2.0, new platforms and technologies have revolutionized how we communicate, create content, share ideas, and even buy products. But what does this all mean for the next wave — Web 3.0?
Is it an opportunity for growth or a risk for developers who wish to adopt cutting-edge tech tools into their projects? This post aims to discuss the risks and challenges associated with ramping up development related to emerging forms of advanced web applications like those found in Web 3.0 — and reveal what it could mean to be a part of this ground-breaking industry shift!
When developers api simplify user mode rootkits development – part ii (STO STRATEGY)
This document discusses how easily user-mode rootkits and malware can be developed for BlackBerry devices by exploiting application programming interfaces (APIs) and oversight in privilege handling. It provides examples of real malware like Android Plankton and Geinimi that steal information by abusing APIs rather than exploiting vulnerabilities. The document argues that similar techniques could be used to create malware disguised as media players or chat applications for BlackBerry, which could steal files, conversations, and device information by accessing the unencrypted filesystem and chat logs. Code snippets are provided to demonstrate how this could be done by reading and writing files and monitoring communication history folders.
The EternalBlue Exploit: how it works and affects systems (Andrea Bissoli)
The purpose of this report is to focus on one particular aspect of the WannaCry malware in order to understand which vulnerability it exploited and how it spread across the internet. The report shows the EternalBlue attack and how it is possible to take control of the PC through the DoublePulsar backdoor and a Meterpreter session. Then a case study is shown in which a pivoting attack is performed. Finally, simple keyloggers are injected into the attacked machines in order to gather some useful information.
This document is the contents page for issue 9/2010 of the magazine "Practical Protection IT Security Magazine". It lists the titles and authors of articles in the issue, including pieces on email security issues, VoIP technology, web malware techniques, IPv6 security implications, session riding attacks, and the biggest hacking breach in cyber history. The contents page also provides information about the magazine's editors and production team.
This document discusses internet security. It begins by defining the internet and its types such as dial up, DSL, cable, wireless, satellite, and cellular. It then defines internet security and its objective to establish rules and measures against attacks over the internet. The document outlines the history of internet security from 1960 to 2000. It discusses common internet security threats like viruses, trojan horses, worms, hacking, phishing, and spyware. Finally, it recommends techniques to improve security such as using strong passwords, antivirus software, firewalls, authenticating data, unlinking accounts, and blocking cookies.
The document summarizes the latest issue of the (IN)SECURE magazine. It includes articles on administrative Nmap scripting, evil applications of augmented reality, social engineering attacks, and more. It also announces that the next RSA Conference Europe will take place in London next month. Contact information is provided for the magazine editors and information on how to freely distribute the magazine is given.
This presentation is in English; the announcement (below) and the talk were in Dutch (NL)
OpenTechTalks | Ethical hacking with Kali
Governments, companies and private individuals are becoming ever more vulnerable to attacks by black hat hackers, criminals who exploit the holes in computers for financial gain or merely to cause damage. Opposed to them are the white hat hackers: they test computer systems for flaws and close the holes before malicious hackers break in. Tijl Deneut (UGent/Howest) gives an overview of which forms of cybercrime exist and how you can arm yourself against them. The focus is on Kali Linux, an operating system that bundles hundreds of security and testing programs. The following questions are covered: how do you install Kali Linux? How can you test in a safe environment? Is ethical hacking actually legal? General IT knowledge is recommended. Afterwards we have a drink in the Vooruit café.
Whether you’re loyal to Microsoft’s Internet Explorer, or whether you opt for one of the dozens of other web browsers available to download and use for free (such as Google Chrome, Opera, Mozilla’s Firefox or Mac Safari), you are probably using your preferred browser to access both personal and professional websites. These wondrous tools that are part of our daily (digital) lives can now replace other existing software thanks to something called an extension.
The document describes how to steal Gmail credentials using social engineering and the Social Engineering Toolkit (SET). It involves tricking a victim into entering their login credentials on a spoofed Gmail login page hosted on the attacker's machine. The attacker first sets up Kali Linux in a virtual machine and launches SET. They then change the victim's Gmail bookmark to point to the attacker's IP address hosting the fake login page. When the victim tries to access Gmail, they enter their credentials which are stolen by SET. The document warns readers to be vigilant against these kind of social engineering attacks.
This document provides summaries of security-related news articles and recommendations for security software for Windows 10. It summarizes recent articles about enabling encryption in Facebook Messenger, hacked Amazon passwords, Russian election hacking, and malicious Android apps. It then provides detailed reviews and recommendations for the best antivirus, anti-malware, full disk encryption, internet browser, password manager, file deletion utilities, and system cleanup software for Windows 10 security. O&O ShutUp10 is highlighted as a free tool that can enhance Windows 10 privacy and security settings.
The document discusses the emerging threat of man-in-the-browser attacks that can modify online transactions without the user's knowledge. These attacks circumvent all existing authentication methods by targeting transactions after authentication. Potential solutions discussed include developing a secure, hardened browser without extensions or scripts that is tightly coupled to cryptography. However, there would be no way for servers to reliably identify use of a secure browser versus an insecure one.
Sophos Threatsaurus: The A-Z of Computer and Data Security Threats (Connecting Up)
The document provides an introduction to various computer and data security threats. It discusses how threats have evolved from disruptive viruses to more stealthy malware aimed at financial gain. Today's threats are more likely to secretly install keyloggers, turn computers into zombies for spamming, or exploit social networks. Spear phishing targets specific individuals within organizations. Predicting future threats is difficult, but wherever there is opportunity for financial gain, criminals will attempt to misuse data.
International Journal on Cryptography and Information Security (IJCIS), Vol. 8, No.1, March 2018
DOI:10.5121/ijcis.2018.8102
THE GAME OF PHISHING
Joseph Kilcullen
Moylurg, Foxford Road, Ballina, Co. Mayo, F26 D9D2, Ireland.
ABSTRACT
The current implementation of TLS involves your browser displaying a padlock, and a green bar, after
successfully verifying the digital signature on the TLS certificate. Proposed is a solution where your
browser's response to successful verification of a TLS certificate is to display a login window. That login
window displays the identity credentials from the TLS certificate, to allow the user to authenticate Bob. It
also displays a 'user-browser' shared secret i.e. a specific picture from your hard disk. This is not SiteKey,
the image is shared between the computer user and their browser. It is never transmitted over the internet.
Since sandboxed websites cannot access your hard disk this image cannot be counterfeited by phishing
websites. Basically if you view the installed software component of your browser as an actor in the
cryptography protocol, then the solution to phishing attacks is classic cryptography, as documented in any
cryptography textbook.
KEYWORDS
Game theory, phishing, authentication, cryptography
1. INTRODUCTION
This work began as game theory research, seeking screening strategies, or signalling strategies, to
prevent the counterfeiting of websites i.e. phishing attacks. Since your web browser is installed
software, it is more capable than the websites creating the counterfeit e.g. it can access the hard
disk. Hence, various ways for websites to counterfeit installed software behaviour were studied.
It was found that a website in full screen mode can counterfeit almost anything, including blue
screens of death and the formatting of the hard drive.
From an academic point of view, full screen counterfeiting eliminates several categories of
installed software behaviour as possible anti-counterfeiting solutions. One category of installed
software behaviour was resistant to counterfeiting. Every solution in that category was found to
be a user-browser shared secret. Basically Mallory cannot counterfeit what Mallory does not
know, and the user-browser shared secret is known by neither Bob nor Mallory. Furthermore, such
a simple solution prompted the following hypothesis. Web browsers are virtual machines. They
execute each website inside a sandbox. Hence any given web browser has N + 1 personalities at
any given time, where N is the number of webpages open: one personality for each webpage,
plus one for the installed software of the browser itself. Once you view the installed software
component of your browser as an actor in the cryptography protocol, the solution to phishing
attacks becomes classic cryptography i.e. the installed software component of your browser
must authenticate itself. It does this in the same way that cryptography actors have been
authenticating themselves for thousands of years i.e. by presenting a previously shared secret.
With that, game theory research was transformed into cryptography research.
2. CONCERNING THE CAPACITY OF BROWSERS TO COUNTERFEIT INSTALLED SOFTWARE BEHAVIOUR
The idea is that a phishing attack is a game of incomplete information. That the user does not
even know that a phishing attack is taking place. It is the successful counterfeiting of the website
that does this. If we can devise a signalling strategy which cannot be counterfeited then the
computer user will know when a phishing attack is taking place. They will back away from the
phishing website causing the phishing attack to fail.
The idea was to add information, specifically an anti-counterfeiting signalling strategy which
would be triggered after the browser has verified the digital signature on Bob's TLS certificate. I
listed behaviour that installed software is capable of but websites are not capable of. The idea
was: Your browser is installed software so it has this advantage over websites trying to
counterfeit its behaviour. The following categories were proposed for research:
1. Drawing outside the browser canvas area.
2. Creation of Modal Windows.
3. File manipulation e.g. file creation, copying, renaming etc. this includes the possibility of
formatting the hard disk, though we can't use that as evidence either.
4. Access to local data and operating system identifiers e.g. your username, your account
login picture or whether or not you have accessed this website before.
5. Microsoft, User Account Control behaviour.
6. Existing best practice i.e. inspection of the TLS Certificate being used by your browser.
This is the original list from my research, with the exception of category 6, which was added after
I had developed the solution because inspection of the TLS certificate is current best practice. The
list has not been polished or edited, and its quality is irrelevant: I believed I could add to it later
if necessary, and since the final solution turned out to be hidden within it, that was not necessary.
In my original research I dismissed or counterfeited every category except number 4. Every
solution in Category 4 is actually a secret shared between the computer user and their web
browser; it is by accident that category 4 just happened to contain the solution. Hence a username,
or an account login picture, makes a good shared secret, while previous access to this website is a
bad shared secret. Previous access can be communicated via a darker colour hyperlink, or via
browser dialogues such as the 'More Information' dialogue from the Firefox TLS window (Version
53.0.3). The darker colour hyperlink is easily counterfeited by any webpage. The browser
dialogue can easily be counterfeited via full screen counterfeiting, documented below. The actual
number of times you have accessed the website would be incorrect in the counterfeit, because
Mallory does not have this information, but it is still a bad signalling strategy because users don't
track the number of times they have accessed a website.
Note, counterfeiting a browser dialogue with an undecorated window does not work anymore, see
Figure 1. However, a floating DIV within a webpage can counterfeit a dialogue window i.e. on a
webpage show a picture of a window, border and all. It's up to the user to notice that no window
icon exists for this new window.
Figure 1. Attempt to create an undecorated window with JavaScript function ‘window.open()’.
The arrow indicates an address bar added to prevent counterfeiting of browser controls.
Originally I dismissed Category 3 believing it to be unworkable. However references [3] and
SiteKey [5] both use cookies to trigger their solutions. Cookies actually fit Category 3. These are
'cookie as a password' solutions. 'Cookie as a password' solutions fail because Alice-Human
cannot successfully authenticate Bob, either at the regular login page or at the cookie creation
page.
A key component of this research was the study of screening strategies. The actual path that I
followed was to study the categories listed above. There is no point in documenting that
research here because it was straightforward and quite similar to the discussions of screening
strategies found in [1] and [2].
One phishing attack website that I stumbled upon requested a username and password. Even
though the genuine website was open access. This type of phishing is more social engineering
than counterfeiting. During my research I devised a versatile social engineering attack which
allows the entire computer screen to be counterfeited, discussed next.
As stated, item number 6 was actually added after I had the solution, when I realised that even
inspection of the TLS certificate could be counterfeited in full screen mode.
2.1. Full Screen Counterfeiting
Full screen counterfeiting is easily achieved with a small amount of JavaScript and a set of
bitmaps to fake the user's browser controls and desktop. Figure 2 shows six bitmaps set on a grey
background. These images are deliberately drawn to appear fake, like crayon drawings.
Figure 4 shows a computer desktop, and browser, before a full screen counterfeiting attack. The
'Switch to Fullscreen!' button executes JavaScript. Figure 3 shows sample JavaScript code which
implements the switch to full screen.
Description of Figure 2: Six bitmap pictures are shown on a grey background. The grey
background is to help the reader see the size and shape of the bitmaps. The top three are to
counterfeit browser controls while the bottom three show a counterfeit 'Windows start button',
counterfeit taskbar with an application icon and clock. They are deliberately made to look fake,
like crayon drawings. This is to help the reader see the difference between Figure 4 and Figure 6.
The centre bitmaps will be tiled horizontally to help adjust the fake to any desktop resolution. The
crayon like fake is made to look like the original NCSA Mosaic browser. An actual
implementation would use ‘navigator.userAgent’ to ensure appropriate counterfeit images are
presented.
Figure 2. Six bitmaps used to create fake desktop. See text for description.
Figure 3. Example of JavaScript code to switch browser to full screen mode.
Figure 4. Screenshot of desktop before full screen counterfeiting attempt.
Basically the JavaScript function ‘requestFullscreen()’ forces the browser into full screen mode.
The same JavaScript code moves an HTML DIV to the front and makes it visible. That DIV,
'crayon_browser', has the images from Figure 2 positioned in the corners or tiled to fit different
desktop resolutions. It also contains the same webpage that was visible before the move to full
screen.
Each web browser responds differently to ‘requestFullscreen()’. Figure 5 shows the warnings
shown by three browsers. Microsoft Edge is both the best and the worst. The warning shown in
Figure 5 is shown the first time you switch to full screen, and it stays on screen until the user
dismisses it. This forces the user to explicitly acknowledge full screen mode. Unfortunately
subsequent changes to full screen, on that website, do not warn the user at all i.e. Figure 4 is
transformed directly to Figure 6 without any warnings. Firefox and Chrome show a warning
every time; however, these warnings dismiss themselves after a few seconds. Aside from the
different transition warnings shown in Figure 5, all three browsers transform Figure 4 into Figure
6.
If the bitmaps used in Figure 2 were realistic then Figure 4 and Figure 6 would be almost
identical. Furthermore the transition warnings shown in Figure 5 would only appear odd/unusual
because they appeared outside of the perceived canvas area. These are very weak indicators of
counterfeiting.
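As an added example (not the paper's Figure 3, which is not reproduced on this page), the following JavaScript models the mechanism just described: a 'Switch to Fullscreen!' handler that calls requestFullscreen(), then shows a DIV built from corner bitmaps and a horizontally tiled centre strip, with the bitmap set picked from navigator.userAgent as the text suggests. The bitmap file names, the element ids, the bitmap sizes and the user-agent mapping are assumptions; the pure helpers run under Node, and the DOM part only runs in a browser.

```javascript
// Added example for section 2.1, not the paper's own code. Bitmap names, sizes,
// the 'crayon_browser' id and the user-agent mapping are assumptions.

const BITMAP_WIDTH = 256; // assumed width of each of the six bitmaps, in pixels
const ROW_HEIGHT = 40;    // assumed height of the fake chrome and taskbar strips

// Three bitmaps per browser: left corner, centre strip (tiled), right corner.
const CHROME_SETS = {
  edge:     ['edge_left.png', 'edge_mid.png', 'edge_right.png'],
  firefox:  ['ff_left.png', 'ff_mid.png', 'ff_right.png'],
  chrome:   ['chrome_left.png', 'chrome_mid.png', 'chrome_right.png'],
  // Unknown browser: fall back to the crayon Mosaic drawings of Figure 2.
  fallback: ['crayon_left.png', 'crayon_mid.png', 'crayon_right.png'],
};
// Fake Windows start button, tiled taskbar strip, and tray with clock.
const TASKBAR = ['win_start.png', 'win_taskbar_mid.png', 'win_clock.png'];

// Pick the bitmap set from navigator.userAgent. Order matters: an Edge user
// agent also contains "Chrome/" and "Safari/", and Chrome's contains "Safari/".
function chromeSetFor(userAgent) {
  const ua = String(userAgent || '');
  if (/\bEdge?\/\d/.test(ua)) return 'edge';     // "Edge/16..." or "Edg/91..."
  if (/\bFirefox\/\d/.test(ua)) return 'firefox';
  if (/\bChrome\/\d/.test(ua)) return 'chrome';
  return 'fallback';
}

// How many copies of the centre strip fill the gap between the two corners
// at a given screen width, and by how many pixels the last copy overhangs.
function tileLayout(screenWidth, leftWidth, midWidth, rightWidth) {
  if (midWidth <= 0) throw new RangeError('centre bitmap must have positive width');
  const span = Math.max(0, screenWidth - leftWidth - rightWidth);
  const copies = Math.ceil(span / midWidth);
  return { span, copies, overflow: copies * midWidth - span };
}

// Build the 'crayon_browser' DIV: fake chrome on top, fake taskbar at the
// bottom, and a copy of the page that was visible before the switch in between.
function buildOverlay(doc, win) {
  const set = CHROME_SETS[chromeSetFor(win.navigator.userAgent)];
  const div = doc.createElement('div');
  div.id = 'crayon_browser';
  div.style.cssText = 'position:fixed;left:0;top:0;width:100vw;height:100vh;' +
                      'z-index:2147483647;background:#fff;';
  const layout = tileLayout(win.screen.width, BITMAP_WIDTH, BITMAP_WIDTH, BITMAP_WIDTH);
  for (const [imgs, edge] of [[set, 'top'], [TASKBAR, 'bottom']]) {
    const row = doc.createElement('div');
    row.style.cssText = `position:absolute;${edge}:0;left:0;right:0;height:${ROW_HEIGHT}px;overflow:hidden;`;
    const sequence = [imgs[0], ...Array(layout.copies).fill(imgs[1]), imgs[2]];
    for (const src of sequence) {
      const img = doc.createElement('img');
      img.src = src;
      img.style.cssText = `float:left;width:${BITMAP_WIDTH}px;height:${ROW_HEIGHT}px;`;
      row.appendChild(img);
    }
    div.appendChild(row);
  }
  const canvas = doc.createElement('div');
  canvas.style.cssText = `position:absolute;top:${ROW_HEIGHT}px;bottom:${ROW_HEIGHT}px;left:0;right:0;overflow:auto;`;
  canvas.innerHTML = doc.body.innerHTML; // the webpage visible before the switch
  div.appendChild(canvas);
  return div;
}

// The 'Switch to Fullscreen!' handler: request full screen, then bring the
// overlay to the front. Returns false where the Fullscreen API is absent.
function counterfeitFullscreen(doc, win) {
  const root = doc.documentElement;
  const request = root.requestFullscreen || root.webkitRequestFullscreen || root.mozRequestFullScreen;
  if (typeof request !== 'function') return false;
  request.call(root);
  doc.body.appendChild(buildOverlay(doc, win));
  return true;
}

if (typeof document !== 'undefined') {
  const button = document.getElementById('switch-to-fullscreen'); // assumed id
  if (button) button.addEventListener('click', () => counterfeitFullscreen(document, window));
}
```

requestFullscreen() is only honoured from inside a user gesture such as the click handler above, which is why the attack needs the button; the transition warning of Figure 5 is the browser's only signal, and it appears outside the overlay's perceived canvas area, exactly as the text notes.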
From a researcher's point of view many types of installed software behaviour can be
counterfeited. Including browser addons, inspection of TLS certificates, and Microsoft User
Account Control behaviour. As such categories 5 and 6 must be eliminated as suitable anti-
counterfeiting solutions. Furthermore we now need to be concerned with counterfeiting of blue
screens of death, hackers/criminals blackmailing people with the threat of formatting their hard
drives etc.
Figure 5. Shown are the warnings presented by three browsers after the JavaScript function
‘requestFullscreen()’ is called.
Figure 6. Screenshot after full screen counterfeiting attack, compare with Figure 4. Also see the bitmaps in
Figure 2, used to counterfeit the desktop.
The purpose here is to demonstrate these mechanisms. No user testing has been performed. There
is anecdotal evidence in [6] that these tactics will work. The academic exercise of demonstrating
that this is possible is sufficient to eliminate categories 5 and 6. What is of interest is the inability
of this mechanism to counterfeit category 4 solutions. It is this fact which suggests the hypothesis
proposed in this paper.
3. PROPOSED HYPOTHESIS
Figure 7 shows a login dialogue which embodies the solution. The only behaviour which cannot
be counterfeited by full screen counterfeiting is the presentation of previously shared secrets i.e. a
cryptography authentication mechanism since the time of antiquity. The sections which follow
document various aspects of the proposed hypothesis.
Figure 7. Window for user to authenticate (1) their own browser, via picture (2) Bob, (3) Bob’s website,
(4) Trent, via browser confirmation of the digital signature and finally login fields. The use of which
indicates acceptance of the various credentials presented.
Description of Figure 7: This is not SiteKey. This is not a webpage. This is a browser created
dialogue. Created with a user-browser shared secret, obtained from the hard disk, and identity
credentials from the TLS certificate. For Mallory to carry out a MITM attack she must stand
between you and your computer monitor. Either that or hack into your computer to steal the
shared secret. Hacking into thousands of computers to steal shared secrets is an entirely different
endeavour to creating a counterfeit website. Furthermore having hacked into your computer why
bother with a phishing attack?
In a nutshell: Your browser is a virtual machine. Each webpage executes inside its own sandbox.
Once you view the installed software component of your browser as an actor in the
cryptography protocol, everything else is classic cryptography i.e. your browser seeks
authentication of Bob from Alice-Human. This act is vulnerable to counterfeiting. As such your
browser utilises a signalling strategy to communicate that it is the correct actor i.e. it reads a
shared secret from the hard disk and presents it to Alice-Human. Sandboxed processes, websites,
cannot do this. Hence Alice-Human can interpret the correct shared secret as proof that the
browser created the window, rather than a sandboxed website a.k.a. a phishing website.
Figure 7 should be displayed as a modal window, positioned in the middle of the screen. If the
rest of the screen can be greyed, like Microsoft User Account Control, then even better. Arguably
in Figure 7 putting the login fields into a dialogue with the browser signals, TLS identity, is more
important than the shared secret i.e. it forces Alice-Human to look at the Padlock, or green bar
from extended validation TLS. I just happened to use the TLS identity rather than a padlock, or
green bar. Furthermore, the shared secret prevents the phishers from making their next move i.e.
to counterfeit Figure 7.
4. TWO ACTORS OR THREE?
Figure 8. Two actors: The browser is a virtual machine with each website sandboxed inside it.
The figure represents the current situation where TLS is implemented by two actors i.e. Alice-
Browser and either Bob or Mallory. Alice-Human plays a passive role. By default she accepts the
TLS identity without being forced to examine it. She must remember to look for the passive
signals from the browser.
In the current system Alice-Human's participation in TLS is optional. The sandboxed websites
look the same. See Figure 8. The signals from the browser are passive and displayed away from
the main event, the webpage. In Figure 9 the response to successful authentication of the TLS
certificate is not to display a padlock, or a green bar, rather to display Figure 7. The green bar can
be ignored by Alice-Human. Figure 7 cannot be ignored. Alice-Human must enter her login
credentials into it. Or, into a counterfeit of it. It’s an active process rather than passive. Part of this
solution is that regular webpages will no longer provide login fields i.e. you will only enter your
username and password into the dialogue in Figure 7. Request of login credentials, on a regular
webpage, should be viewed as suspicious by users.
Figure 9. Three actors: The virtual machine itself must participate in TLS, not a sandboxed
process. The current implementation of TLS shows a padlock, or green bar, on successful
verification of a TLS certificate. With this solution the browser shows Figure 7 on successful
verification of a TLS certificate. Only after Alice-Human enters her login credentials will the
browser proceed to create the website inside its own sandbox. Your browser can access the hard
disk, so it can place the correct shared secret on the dialogue. Sandboxed websites cannot access
the hard disk. Hence they cannot counterfeit Figure 7.
In the existing system, Figure 8, your browser fulfils the role of Alice. In the proposed solution
Alice is the human being sitting at the computer. To aid discussion I have used the names Alice-
Human, Alice-Browser and HAL-Browser. Alice-Browser refers to the current situation where
your browser fulfils the role of Alice within TLS. The human is present but her role is, at best,
passive. In the proposed solution Alice-Human plays an active role, authenticating both her
browser window and the TLS identity.
In the existing system Alice-Browser verifies the digital signature on Bob's TLS certificate. On
success Alice-Browser and Bob proceed to implement TLS i.e. two actors. In the new model,
Figure 9, HAL-Browser verifies the digital signature on Bob's TLS certificate. On success HAL-
Browser turns to Alice-Human and invites her to further authenticate Bob. He does this by
displaying Figure 7. The problem is: this act is vulnerable to counterfeiting. In this context
counterfeiting is referred to as a phishing attack.
Shown in Figure 7 is a picture of a turtle which is a shared secret between Alice-Human and
HAL-Browser. Neither Bob nor Mallory know this secret. As such Mallory cannot counterfeit
Figure 7 without hacking into HAL-Browser to steal the secret. Hacking into thousands of
computers to steal these secrets is an entirely different endeavour to tricking people into going to
a fake website.
Once you correctly model the system as a three actor system, cryptographers know how to
appropriately authenticate the three participants. As such Figure 7 is a relatively obvious step for
cryptographers. Dhamija et al. also use a user-display shared secret. They use it to protect a
dedicated login window from counterfeiting; they do not appear to go beyond that and use it to
present Bob's identity credentials [4]. With my solution, by entering her login credentials Alice-
Human is accepting Bob's identity credentials and her browser's shared secret. She is
authenticating both Bob and her web browser. HAL-Browser then proceeds to implement TLS.
Hence Figure 7 extends TLS by forcing Alice-Human to carry out these additional authentication
steps.
Alice-Human now knows she is looking at a dialogue created by her web browser i.e. it is not a
counterfeit, a phishing attack. She can now examine the identity credentials presented and
complete Bob's authentication.
TLS would need to be modified to implement the solution e.g. websites should be able to choose
'no login dialogue', 'no set password tab', among other possibilities. I was approaching this as a
game theorist seeking screening strategies to prevent counterfeiting. Here follows an outline of
the game theory interpretation.
4.1. Shared Secret Authentication as a Screening Strategy
Anti-counterfeiting technologies and the screening strategy that accompany them go together like
a lock and key pair. The research involved the study of each category, from section 2, to find
screening strategies which would prevent phishing attacks.
The definition of a screening strategy, from [2] is given since its language is used to frame the
discussion that follows. From [2]: ‘A screening strategy is a strategy used by a less informed
player to elicit information from a more informed player’.
Human Interactive Proofs (e.g. CAPTCHA), Turing tests and anti-counterfeiting technologies are
all specific types of screening strategy. Here too authentication, through the confirmation of a
shared secret, constitutes a screening strategy. The less informed player is eliciting the identity of
the more informed player. They are not eliciting the secret because they already know it. They
want to know 'do you know what the secret is?' This is why it's just a point of view that this is
cryptography. As a game theorist I see a screening strategy. It elicits their identity, as the
individual who knows the secret or someone else.
Furthermore, the fact that this works while other approaches fail indicates phishing attacks
involve the counterfeiting of an identity, not a website. This is significant because it allows us to
prevent any type of counterfeiting. It recasts counterfeiting as theft of intellectual property,
patents, copyright, trademarks, designs etc. accompanied by identity theft. The purpose of the
identity theft is to undermine law enforcement attempts which would otherwise prevent the
intellectual property theft. This means authentication based solutions can be developed for any
type of counterfeiting including manufactured goods like pharmaceutical drugs and currencies.
5. ADDITIONAL SOLUTION DETAILS
The proposed solution is to display Figure 7 on successful verification of a TLS certificate's
digital signature. The key points are:
1. It's the installed software component of your browser which does this. Not a sandboxed
website. Nor is this a webpage hosted somewhere on the internet. That would be SiteKey.
This is not SiteKey.
2. Alice-Human elicits the identity of whoever created Figure 7 through a screening strategy
i.e. sandboxed websites cannot access the hard disk whereas the virtual machine, your
browser, can.
3. With the current situation it's up to Alice-Human to remember to check for a padlock
and/or green bar. The default is for Alice-Human to accept or reject Bob/Mallory based
upon the website's contents. With the proposed solution Alice-Human cannot ignore the
two identities being presented in Figure 7. She must examine Figure 7 in order to enter
her login credentials. She does not have to remember to check these identities nor is the
default, automatic acceptance, when she forgets to check for a padlock symbol.
4. Microsoft User Account Control behaviour can be used to further enhance the solution: if
Figure 7 is displayed as a modal dialogue with the rest of the screen blanked, this will
undermine even more attacks. For example, to counterfeit a modal window a phishing website need
only create an image of a dialogue window and position that image on the phishing
webpage as if it were a real dialogue. Real windows would create a window icon in the
operating system; users who don't notice the absence of a window icon may be tricked
into using that dialogue. Such fake login screens would have an incorrect authentication
image (the turtle in Figure 7).
5. Where Mallory buys/obtains a TLS certificate, Figure 7 will be displayed with the correct
authentication image and whatever data is stored inside the certificate. If this solution is
adopted, a large number of issues with TLS certificates and certificate authorities will
need to be resolved.
6. In Figure 9 the genuine website is absent. This is because the installed software
component of your browser will only create the sandboxed website after a secure TLS
connection has been created. Hence Figure 9 shows the point just before Alice-Human
has entered her login credentials and clicked 'Login'.
7. Central Banks as Trent: When users are looking at Figure 7 it will become apparent that
the public have never heard of any of the Certificate Authority companies. And who will
trust a Trent they have never heard of? One solution is for central banks to fulfil the role
of Trent within their regulatory area. Hence the Federal Reserve, the European Central
Bank etc. should fulfil the role of Trent. The actual task of creating TLS certificates can
be outsourced to a Certificate Authority. The name for Trent in Figure 7 should be a
name the public know and trust.
8. While a patent application was filed [7], this application has now lapsed. Specifically, all
patent deadlines have now passed, including in the USA, Canada etc., where applications can be
made up to one year after publication of an idea. The solution is now prior art everywhere
in the world.
6. RELEVANT METAPHORS AND ANALOGIES
6.1. April Fool's Day at a TV Station
Consider the following: it's April Fool's Day and someone in a television station decides to play a
joke on their viewers. They pick a popular brand of television, counterfeit its setup menu and
then superimpose that image over the live television broadcast. Viewers who own a different
brand of television will be like a Bank of Ireland customer receiving a Bank of America phishing
email, i.e. they will know immediately that it's a scam. However, viewers with the correct brand of
television will think their television is malfunctioning, as it is presenting the setup menu no matter
what they do. To prevent this trick from working, viewers must customise their setup menu.
Doing so creates a secret known by their television and themselves, but not known by the
television station. This is identical to the solution to phishing attacks, i.e. Mallory cannot
counterfeit what Mallory does not know. It's a viewer-television secret just like our browser-user
secret.
6.2. HAL, friend or foe?
In 2001: A Space Odyssey, HAL had two personalities, one friend, one foe. Imagine that we give
the friend personality an identity card which he should present when we're talking to him, to help
us distinguish friend from foe. Effectively that is the solution presented, i.e. when the installed
software is acting on our behalf it has access to the shared secret. When a remote website is
counterfeiting a website it cannot present a fake TLS certificate, nor can it fake the shared secret.
Computer users must authenticate both their web browser and the identity presented in the TLS
certificate. This is where the name HAL-Browser came from: our web browsers have split
personalities, one friend, one foe. The user-browser shared secret is an identity card for our friend.
7. CONCLUSIONS
Once the installed software component of your browser is recognised as an actor in the
cryptography protocol, everything else is classic cryptography, i.e. it must authenticate itself by
presenting a previously shared secret. Otherwise a sandboxed website will counterfeit it, i.e. a
phishing attack. Sandboxed websites cannot access the hard disk, hence they cannot counterfeit
Figure 7. After that, your browser's participation in the TLS protocol is textbook three-actor
interaction. On successful authentication of a TLS certificate's digital signature, HAL-Browser
seeks further authentication from Alice-Human. This step involves HAL-Browser authenticating
himself with Alice-Human through the presentation of a previously shared secret. This step also
involves HAL-Browser presenting Bob's identity credentials from the TLS certificate. Alice-
Human can accept these two identities and enter her login credentials, or she can reject either of
the identities presented and back away, refusing to enter her login credentials.
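The three-actor interaction summarised above, together with the scenarios in points 1, 4 and 5 of section 5, as a small Python simulation. This is an added example and not code from the paper or from any browser; the class names (HalBrowser, SandboxedSite, LocalDisk, LoginPrompt, AliceHuman), the certificate fields and the sample image bytes are assumptions chosen for illustration. It models the installed browser as the only party permitted to read the disk, a sandboxed page that is refused, and Alice-Human's screening decision over the two identities and the authentication image.

```python
"""Simulation of the user-browser shared-secret login window.

Added example, not the paper's code. All class names, certificate fields
and sample bytes below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Certificate:
    """Identity fields the browser reads from a TLS certificate after verifying it."""
    subject: str           # Bob's (or Mallory's) identity
    issuer: str            # Trent, the certificate authority
    signature_valid: bool  # outcome of the browser's signature check


@dataclass(frozen=True)
class LoginPrompt:
    """The window Alice-Human sees: two identities plus the authentication image."""
    site_identity: str
    issuer_identity: str
    secret_image: Optional[bytes]  # None when whoever drew it had no disk access


class LocalDisk:
    """Stands in for the user's hard disk. Only the installed browser may read it."""

    def __init__(self, image: bytes) -> None:
        self._image = image

    def read_secret_image(self, caller: object) -> bytes:
        # The sandbox boundary: web content is refused, the browser itself is not.
        if not isinstance(caller, HalBrowser):
            raise PermissionError("sandboxed content cannot access the hard disk")
        return self._image


class HalBrowser:
    """Installed software component; the actor that holds the user-browser secret."""

    def __init__(self, disk: LocalDisk) -> None:
        self._disk = disk

    def on_tls_handshake(self, cert: Certificate) -> Optional[LoginPrompt]:
        """Verified signature -> login window; otherwise no window is created at all."""
        if not cert.signature_valid:
            return None
        image = self._disk.read_secret_image(self)  # read locally, never transmitted
        return LoginPrompt(cert.subject, cert.issuer, image)


class SandboxedSite:
    """Web content served by Bob or Mallory: it can draw pixels but not read the disk."""

    def __init__(self, claimed_identity: str, disk: LocalDisk) -> None:
        self.claimed_identity = claimed_identity
        self._disk = disk

    def fake_login_screen(self) -> LoginPrompt:
        """A picture of a dialogue drawn inside the web page (section 5, point 4)."""
        try:
            image = self._disk.read_secret_image(self)
        except PermissionError:
            image = None  # the secret is unknown, so it cannot be reproduced
        return LoginPrompt(self.claimed_identity, "Well-Known CA", image)


class AliceHuman:
    """Screening strategy: accept only when the image and both identities are as expected."""

    def __init__(self, chosen_image: bytes, expected_site: str, trusted_issuers: Set[str]) -> None:
        self._chosen_image = chosen_image
        self._expected_site = expected_site
        self._trusted_issuers = trusted_issuers

    def will_enter_credentials(self, prompt: Optional[LoginPrompt]) -> bool:
        if prompt is None:
            return False  # no window, nothing to type into
        return (
            prompt.secret_image == self._chosen_image            # authenticates the browser
            and prompt.site_identity == self._expected_site      # authenticates Bob
            and prompt.issuer_identity in self._trusted_issuers  # authenticates Trent
        )


# Constructed sample data (placeholder bytes stand in for the turtle picture).
SECRET_IMAGE = b"constructed-placeholder-for-turtle-image"
DISK = LocalDisk(SECRET_IMAGE)
BROWSER = HalBrowser(DISK)
ALICE = AliceHuman(SECRET_IMAGE, "Bob's Bank", {"Central Bank (Trent)"})


def scenario_genuine() -> bool:
    """Point 1: the installed browser draws Figure 7 with the real image."""
    cert = Certificate("Bob's Bank", "Central Bank (Trent)", signature_valid=True)
    return ALICE.will_enter_credentials(BROWSER.on_tls_handshake(cert))


def scenario_invalid_signature() -> bool:
    """Failed verification: no login window is ever shown."""
    cert = Certificate("Bob's Bank", "Central Bank (Trent)", signature_valid=False)
    return ALICE.will_enter_credentials(BROWSER.on_tls_handshake(cert))


def scenario_fake_screen_in_page() -> bool:
    """Point 4: the counterfeit dialogue lacks the turtle, so Alice backs away."""
    return ALICE.will_enter_credentials(SandboxedSite("Bob's Bank", DISK).fake_login_screen())


def scenario_mallory_with_own_certificate() -> bool:
    """Point 5: the image is correct, so only the certificate's identity fields protect Alice."""
    cert = Certificate("Mallory", "Central Bank (Trent)", signature_valid=True)
    return ALICE.will_enter_credentials(BROWSER.on_tls_handshake(cert))


if __name__ == "__main__":
    for fn in (scenario_genuine, scenario_invalid_signature,
               scenario_fake_screen_in_page, scenario_mallory_with_own_certificate):
        print(f"{fn.__name__}: enters credentials = {fn()}")
```

The last scenario is the caveat from point 5 made concrete: once Mallory holds a validly signed certificate, the shared secret still authenticates the browser correctly, and the only remaining defence is Alice reading Bob's and Trent's names in the window, which is why the paper calls for recognisable names for Trent and for the certificate authority issues to be resolved.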
REFERENCES
[1] J. D. Miller, Game Theory at Work: How to Use Game Theory to Outthink and Outmaneuver Your
Competition. New York: McGraw Hill, 2003.
[2] A. Dixit, S. Skeath and D. H. Reiley, Games of Strategy. New York, London: W. W. Norton &
Company, Inc., 2009.
[3] I. C. Paya, T. Chow and C. N. Peterson, "Authentication of a server by a client to prevent fraudulent
user interfaces," U.S. Patent 0 115 594, May 6, 2010.
[4] R. Dhamija and J. D. Tygar, "The Battle against Phishing: Dynamic Security Skins," Symposium on
Usable Privacy and Security (SOUPS 2005), ACM Press, 2005, pp. 77-99.
[5] Wikipedia, "SiteKey," [Online]. Available: https://en.wikipedia.org/wiki/SiteKey
[Accessed: Oct. 14, 2015].
[6] R. Dhamija, J. Tygar and M. Hearst, "Why phishing works," Proceedings of the SIGCHI Conference
on Human Factors in Computing Systems (CHI '06), 2006.
[7] J. Kilcullen, "An identity authentication system and method to prevent phishing attacks," EPO
Patent EP3048769 (A1) [Online]. Available: https://data.epo.org/publication-
server/document?cc=EP&pn=3048769&ki=A1&lg=en (August 4, 2016).