As the convergence between our physical and digital worlds continue at a rapid pace, securing our digital information is vital to our prosperity. Most current typical computer systems are unwittingly helpful to attackers through their predictable responses. In everyday security, deception plays a prominent role in our lives and digital security is no different. The use of deception has been a cornerstone technique in many successful computer breaches. Phishing, social engineering, and drive-by- downloads are some prime examples. The work in this dissertation is structured to enhance the security of computer systems by using means of deception and deceit.
Deception-based security mechanisms focus on altering adversaries’ perception of computer systems in a way that can confuse them and waste their time and resources. These techniques exploit adversaries’ biases and present them with a plausible alter- native to the truth bringing a number of unique advantages to computer security. In addition, deception has been widely used in many areas of computing for decades and security is no different. However, deception has only been used haphazardly in computer security.
In this dissertation we present a framework where deception can be planned and integrated into computer defenses. We posit how the well-known Kerckhoffs’s principle has been misinterpreted to drive the security community away from deception-based mechanisms. We present two schemes that employ deception to protect users’ passwords during transmission and at rest when they are stored on a computer server. Moreover, we designed and built a centralized deceptive server that can be hooked to internet-facing servers giving them the ability to return deceptive responses. These three schemes are designed, implemented, and analyzed for their security and performance.
The use of deception in security, and in computing in general, shows some fruitful results. This dissertation discusses some of the unique advantages of such mechanisms and presents a framework to show how they can be integrated into computer defenses. Also, it provides three practical schemes that employ deception in their design to address some existing security challenges. We postulate that the use of deception can effectively enhance the effectiveness of current security defenses and present novel ways to address many security challenges.
4. Computer System
Defenses
Denial and Isolation
(1) Prevent unauthorized
access.
(2) Hide the existence
and/or the nature of
systems and/or data.
Degradation and
Obfuscation
(1) Slow down the
attackers.
(2) Prevent and reduce the
recovery.
(3) Obfuscate the value/
nature of systems and/or
data.
(4) Create noise around
valuable data.
Deception and Negative
Information
(1) Lead the attackers
astray.
(2) Add decoys.
(3) Add doubt to the
data obtained by the
adversary.
(4) Increase the risk of
attacking computer
systems.
Attribution and Counter
Operation
(1) Attributing adversaries.
(2) Cause damage to
attackers.
(3) Increase overall risk in
attacking our systems.
5. Computer System
Defenses
Denial and Isolation
(1) Prevent unauthorized
access.
(2) Hide the existence
and/or the nature of
systems and/or data.
Degradation and
Obfuscation
(1) Slow down the
attackers.
(2) Prevent and reduce the
recovery.
(3) Obfuscate the value/
nature of systems and/or
data.
(4) Create noise around
valuable data.
Deception and Negative
Information
(1) Lead the attackers
astray.
(2) Add decoys.
(3) Add doubt to the
data obtained by the
adversary.
(4) Increase the risk of
attacking computer
systems.
Attribution and Counter
Operation
(1) Attributing adversaries.
(2) Cause damage to
attackers.
(3) Increase overall risk in
attacking our systems.
6. Status Quo
• Breaches:
• 84% of these attacks took hours or less to infiltrate.
• 66% of breaches took months or years to discover.
• Defenses:
• Only 5% of these breaches were detected using
traditional tools.
10. Deception-Based Defenses
• Traditional security (negative clues) and deception
(positive clues) work in tandem.
• Humans are not good at detecting deception:
• Detecting deception by college students → 57%
• Detecting deception by law enforcement → 54%
16. Previous Uses of Deception
• Used as ad-hoc attempt:
• Deception has been mainly used as “trapping” or
“deterrence” tools.
• Trojan Horses, Phishing, XSS, XSRF and others have long
been effective.
• Deception is Effectively Used in Many Areas of Computing.
28. Goals of Using Such Channel
• Limit passwords exposure.
• Communicate the user’s authentication context.
• Incorporate covert messages in the protocol that are
totally oblivious to any part observing.
29. A Deceptive Covert Communication
• We will use an accumulation function A() that can be
realized using modular exponentiation.
• A(x1, x2) = A(x2, x1).
• Computing A(A(x1), x2) doesn’t require the knowledge
of x1, and = A(x1, x2).
• Current systems store h = H(passwd || salt).
30. A Deceptive Covert
Communication
Check whether username exists?
if usernameExists():
R = randomNonce()
key = A(h, R)
x = HMACkey(A(R), s, id)
Send QR(A(R), x, s, id)
id = Serverid
31. A Deceptive Covert
Communication
Check the integrity of QR
h = Hash(passwd || salt)
key = A(A(R), h)
x’ = HMACkey(A(R), s, id)
if x == x’ -> route (b)
else -> route (a)
37. Passwords Files are Attractive Target
• Evernote reported the leakage of the hashed passwords
for more than 50 million users
• Other attacks against Yahoo, RockYou, LinkedIn and
eHarmony has been reported.
• Passwords cracking is often a precursor to more
significant attacks.
38. Ersatzpasswords
Goals
• Eliminate the possibility
of an offline passwords
cracking.
• Detect the leakage of
users’ passwords.
• Proactively detect
accounts impersonation
attempts.
39. Technical Specification — One-Time Initialization
• Instantaneously store all passwords in a machine
dependent format.
[ ui , αi , si ]
↓
HDF(αi)
↓
βi = H(HDF(αi) || si)
↓
[ ui , βi , si ]
αi = H(pi || si)
40. Technical Specification — Injecting
Ersatzpasswords
• When the user is logging-in:
ui , pi
↓
pi*
↓
si’ = HDF(pi || ui) ⊕ pi*
↓
βi’ = H[ pi* || si’],
↓
[ ui , βi’, si’]
[Choose an erstazpassword]
[Compute a new salt]
, pi* = HDF(pi || ui) ⊕ si’
41. Technical Specification — Login
• The user enters her username (ui) and password (pi).
• The systems checks:
• If H[ (HDF(pi || ui) ⊕ si’) || si’] equals βi’ → correct login.
• If H(pi || si’) equals βi’ → ersatzpassword login.
• else → incorrect username/password.
42. Three Main Properties
• Checking a password requires access to HDF
→ thwarting offline cracking.
• Cracking returns an ersatzpassword for every account
→ triggering an alarm at the server when used.
• Maintain the same format of the password file
→ deceiving the attacker.
47. Web Applications
• Verizon DBIR identified web application attacks as the
most common incident in 2013 accounting for 35% of all
incidents.
• Gartner states that more than 70% of threats are at the
web application layer
49. Deceptiver vs. Honeypots
• Instantaneous reflecting the current production state.
• Honeypots are yet another set of systems that need to
be administered and updated.
• Honeypots need to keep copies of different individual
resources where deceit is injected.
53. Performance Analysis
— 2
• Further investigating
performance showed
that 9 lines of codes
take %99.2 of
execution time.
• All of those are
querying the mySQL
database.
54. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
55. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• The role of Deception.
• A framework to plan and
integrate deception.
• Three practical tools.
56. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• In defending computer systems.
• In protecting users.
• Further investigating cultural and
organization biases.
57. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• Using game theoretical
models (e.g. hypergames).
• Where to apply deception
within the kill-chain.
58. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• Cost/benefit analysis.
• Externality effects.
• Lying to regular users.
59. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• Measuring plausibility,
deductibility, confusion and
other characteristics.
60. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The
creation of
deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• How to create believable
fake information?
61. Future Work
The role of
biases
This
Dissertation
Modeling
the use of
deception
The creation
of deceit
Deception
Metrics
Advanced
tools
Economical
and ethical
issues
• Deceptive file system.
• Deceptive patches.
• Deceptive system calls.
62. Publications
• M. Almeshekah, C. Gutierrez, M. Atallah and E. Spafford, “ErsatzPasswords – Ending Passwords
Cracking” (under review).
• M. Almeshekah, M. Atallah and E. Spafford, “Enhancing Passwords Security using Deceptive Covert
Communication,” International Conference on ICT Systems Security and Privacy Protection, IFIP SEC’15,
May 26-28, 2015, Hamburg, Germany.
• M. Almeshekah and E. Spafford, “Using Deceptive Information in Computer Security Defenses,” International
Journal of Cyber Warfare and Terrorism (IJCWT), 4 (3), 46-58, July-September 2014, IGI Global.
• M. Almeshekah and E. Spafford, “Planning and Integrating Deception into Computer Security Defenses,”
New Security Paradigms Workshop (NSPW’14), 15-18 September 2014, Victoria, BC, Canada.
• M. Almeshekah and E. Spafford, “The Case of Using Negative (Deceiving) Information in Data Protection,” in
Proceedings of the 9th International Conference on Cyber Warfare and Security ICCWS-2014, ISSN:
2048-9870, Academic Conferences and Publishing International Limited, March 2014.
• M. Almeshekah, M. Atallah, and E. Spafford, “Back channels can be useful! – layering authentication
channels to provide covert communication,” SPW’13, in Security Protocols XXI (B. Christianson, J. Malcolm,
F. Stajano, and J. Anderson, eds.), vol. 8263 of Lecture Notes in Computer Science, Springer Berlin
Heidelberg, 2013.