How to avoid Phishing attack in Shibboleth


How to avoid Phishing attack in Shibboleth

reason-4
Hi all,

Assuming the following scenario:
If someone builds a federation, including an SP and an IdP (I call these the fake SP and the fake IdP),
a user accesses the resource protected by the fake SP but doesn't know
he will be redirected to the fake IdP, where he will input his username and password;
then the user's private info is exposed.

How to avoid a phishing attack in Shibboleth?

Re: How to avoid Phishing attack in Shibboleth

Chad La Joie
You would use whatever mechanism you use to protect any other website
from such attacks.

Reason wrote:

> Hi all,
>
> Assuming the following scenario:
> If someone builds a federation, including an SP and an IdP (I call these the fake SP
> and the fake IdP),
> a user accesses the resource protected by the fake SP but doesn't know
> he will be redirected to the fake IdP, where he will input his username and
> password;
> then the user's private info is exposed.
>
> How to avoid Phishing attack in Shibboleth?
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: How to avoid Phishing attack in Shibboleth

Lukas Hämmerle
>> How to avoid Phishing attack in Shibboleth?

Chad La Joie wrote:
> You would use whatever mechanism you use to protect any other website
> from such attacks.

In other words: This is a general web authentication problem that has
nothing to do directly with Shibboleth :-)

There are probably no silver bullet solutions to solve the phishing
problem. If you know one, tell me and we could become very rich by
selling it to the banks operating e-banking sites :-)

However, by using Shibboleth it's probably a lot easier to train the
users to enter their password only on a single and known login page,
namely the one of the organisation's Identity Provider.

Best Regards
Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
[hidden email], http://www.switch.ch

Re: How to avoid Phishing attack in Shibboleth

Chad La Joie
Right.  If you're looking for one approach you might use to train your
users, you might try this:
http://wombatsecurity.com/

Lukas Haemmerle wrote:
> However, by using Shibboleth it's probably a lot easier to train the
> users to enter their password only on a single and known login page,
> namely the one of the organisation's Identity Provider.



Re: How to avoid Phishing attack in Shibboleth

Peter Schober
In reply to this post by Lukas Hämmerle
* Lukas Haemmerle <[hidden email]> [2009-06-15 10:08]:
> However, by using Shibboleth it's probably a lot easier to train the
> users to enter their password only on a single and known login page,
> namely the one of the organisation's Identity Provider.

Also you can secure access to all your SAML-enabled applications (even
those run by others) by just securing your IdP login with a second
factor (token, whatever), which is not phishable.
-peter


Re: How to avoid Phishing attack in Shibboleth

Chad La Joie
Actually, depending on the attack being attempted this doesn't help.  It
would prevent the case where the attacker tries to capture your
credentials for later use, but if the purpose is to get a session with some
service as you, the fake IdP could just proxy the request to the real
IdP and use that session for its lifetime.

If the attack is aimed at getting your personal data the fake IdP can
just always make it look like authentication succeeds.  Since most
people don't first enter invalid credentials then their real ones and
assume they typed their credentials in correctly most wouldn't notice a
thing.

Peter Schober wrote:

> * Lukas Haemmerle <[hidden email]> [2009-06-15 10:08]:
>> However, by using Shibboleth it's probably a lot easier to train the
>> users to enter their password only on a single and known login page,
>> namely the one of the organisation's Identity Provider.
>
> Also you can secure access to all your SAML-enabled applications (even
> those run by others) by just securing your IdP login with a second
> factor (token, whatever), which is not phishable.
> -peter
>



Re: How to avoid Phishing attack in Shibboleth

Peter Schober
* Chad La Joie <[hidden email]> [2009-06-15 10:51]:
> Actually, depending on the attack being attempted this doesn't help.
> It would prevent the case where the attacker tries to capture your
> credentials for later use, but if the purpose is to get a session with
> some service as you, the fake IdP could just proxy the request to
> the real IdP and use that session for its lifetime.

Phishing for credentials and reusing them shortly after to offload spam
(via webmail) is what we're seeing almost on a daily basis right
now. I'm certainly not holding my breath until we see IdP-proxying on
that scale ;)
-peter

Re: How to avoid Phishing attack in Shibboleth

Lukas Hämmerle
In reply to this post by Chad La Joie
> Right.  If you're looking for one approach you might use to train your
> users, you might try this:
> http://wombatsecurity.com/

Related to this:
Today I just heard about a very interesting and (for me) surprising
study carried out by the London School of Economics & Political Science.

It demonstrates very well that phishing is not limited to the web,
and that supposedly intelligent and educated people (in this case
students of the above university) are willing to give away all sorts of
login usernames, (Facebook and university) passwords, personal data and credit
card numbers to just anybody who is wearing a red t-shirt on the
university campus and offers them some chocolate :)

More information and a stream are available here:
http://tnc2009.terena.org/schedule/presentations/show.php?pres_id=31

Slides to fast-forward through :-)
http://tnc2009.terena.org/core/getfile.php?file_id=309

Lukas

PS: If you give away such sensitive data as in the above-mentioned study,
at least make sure that you get some good Swiss chocolate in
return ;-)


RE: How to avoid Phishing attack in Shibboleth

Cantor, Scott E.
Lukas Haemmerle wrote on 2009-06-15:
> It demonstrates very well that phishing is not limited to the web,
> and that supposedly intelligent and educated people (in this case
> students of the above university) are willing to give away all sorts of
> login usernames, (Facebook and university) passwords, personal data and credit
> card numbers to just anybody who is wearing a red t-shirt on the
> university campus and offers them some chocolate :)

Is this the original one, or a new one? If they're at it again, somebody
needs to fix this apparently severe chocolate shortage in the UK...

-- Scott



Re: How to avoid Phishing attack in Shibboleth

Chad La Joie
It's not so much that there is a shortage of chocolate...  it's just
that UK chocolate is to real chocolate (Swiss or otherwise) as McDonalds
is to real food.  ;)  Of all the many things I love about the UK the
chocolate is not amongst them.

Scott Cantor wrote:
> Is this the original one, or a new one? If they're at it again, somebody
> needs to fix this apparently severe chocolate shortage in the UK...
