DOI: 10.1145/2382196.2382237 (CCS '12 research article)

Operating system framed in case of mistaken identity: measuring the success of web-based spoofing attacks on OS password-entry dialogs

Published: 16 October 2012

Abstract

When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established, that is, evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participant's operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request the user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to log in to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password.


Cited By

  • (2021) Spidey Sense: Designing Wrist-Mounted Affective Haptics for Communicating Cybersecurity Warnings. Proceedings of the 2021 ACM Designing Interactive Systems Conference, 125-137. DOI: 10.1145/3461778.3462027. Online publication date: 28 Jun 2021.
  • (2020) That was then, this is now. Proceedings of the 29th USENIX Conference on Security Symposium, 2165-2182. DOI: 10.5555/3489212.3489334. Online publication date: 12 Aug 2020.
  • (2018) A comparative usability study of key management in secure email. Proceedings of the Fourteenth USENIX Conference on Usable Privacy and Security, 375-394. DOI: 10.5555/3291228.3291258. Online publication date: 12 Aug 2018.
  • (2018) A Platform Service for Remote Integrity Measurement and Attestation. MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM), 1-6. DOI: 10.1109/MILCOM.2018.8599735. Online publication date: Oct 2018.
  • (2017) Use of Phishing Training to Improve Security Warning Compliance. Proceedings of the Hot Topics in Science of Security: Symposium and Bootcamp, 52-61. DOI: 10.1145/3055305.3055310. Online publication date: 4 Apr 2017.
  • (2015) Is Bigger Better? Comparing User-Generated Passwords on 3x3 vs. 4x4 Grid Sizes for Android's Pattern Unlock. Proceedings of the 31st Annual Computer Security Applications Conference, 301-310. DOI: 10.1145/2818000.2818014. Online publication date: 7 Dec 2015.
  • (2013) On the ecological validity of a password study. Proceedings of the Ninth Symposium on Usable Privacy and Security, 1-13. DOI: 10.1145/2501604.2501617. Online publication date: 24 Jul 2013.
  • (2013) Your attention please. Proceedings of the Ninth Symposium on Usable Privacy and Security, 1-12. DOI: 10.1145/2501604.2501610. Online publication date: 24 Jul 2013.

Published In

CCS '12: Proceedings of the 2012 ACM Conference on Computer and Communications Security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196
Publisher: Association for Computing Machinery, New York, NY, United States
Author Tags

  • spoofing attack
  • trusted path
  • usable security
  • user interface
Conference

CCS '12: the ACM Conference on Computer and Communications Security
October 16-18, 2012
Raleigh, North Carolina, USA