Want To Combat Phishing? Try Plaintext Password Sniffing!
Michael Spaling
University of Alberta
Michael is an IT Security Administrator with the University of Alberta, where he works on a small team responsible for campus-wide operational security. He holds numerous industry certifications and has been recognized by many companies for his ever-growing list of privately disclosed vulnerabilities across a wide range of products.
Abstract
Credential theft is a universal issue that grants attackers a broad range of access beyond traditional exploitation. The most common method we see is email that convinces users to enter their username and password on a third-party unencrypted website not under our control. Once entered, the attacker has access to the victim's credentials and all associated services and information that go with them.
While addressing this threat, we found a way to leverage an existing technical investment to enable plaintext password sniffing. By looking for a handful of identifiers in network traffic, we have successfully built a tool that not only alerts when someone has entered credentials into an unencrypted web form but also expires those credentials automatically. This has proved to be immensely valuable, as these credentials will no longer be valid when the attacker attempts to use them.
We encountered a few issues along the way and would like to highlight why you should be doing this, how the tool works, the valuable information gained, and people's reactions.
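The following sketch illustrates the kind of check the abstract describes; it is an added example, not the presenter's tool, and the abstract does not say which identifiers the real tool matches on. It assumes the identifiers are a password-like form field name next to a known account name, uses constructed account names, a placeholder domain and a constructed sample request, and only returns an "expire" action rather than calling any directory service.

```python
from urllib.parse import parse_qs

# Assumptions for this sketch (none of these values come from the talk):
KNOWN_USERS = {"jdoe", "asmith"}      # constructed campus account names
MAIL_DOMAIN = "example.edu"           # placeholder institutional domain
PASSWORD_HINTS = ("pass", "pwd")      # substrings of password field names

def inspect_http_request(raw: bytes):
    """Return an alert dict if a cleartext form POST carries a known account
    name next to a non-empty password field, else None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    if not lines[0].upper().startswith("POST "):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    ctype = headers.get("content-type", "").lower()
    if "application/x-www-form-urlencoded" not in ctype:
        return None
    fields = parse_qs(body.decode("latin-1"))  # blank values are dropped
    pw_fields = [k for k in fields if any(h in k.lower() for h in PASSWORD_HINTS)]
    if not pw_fields:
        return None
    for key, values in fields.items():
        if key in pw_fields:
            continue
        for value in values:
            local, _, domain = value.strip().lower().partition("@")
            if local in KNOWN_USERS and domain in ("", MAIL_DOMAIN):
                # The password value is deliberately never copied into the alert.
                return {"user": local, "host": headers.get("host", "?"),
                        "password_field": pw_fields[0], "action": "expire_credentials"}
    return None

# Constructed sample request, as a sensor would see it on an unencrypted port.
SAMPLE = (b"POST /login.php HTTP/1.1\r\nHost: webmail-update.example.net\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          b"user=jdoe%40example.edu&passwd=Winter2016%21")

if __name__ == "__main__":
    print(inspect_http_request(SAMPLE))
```

The alert records who submitted credentials and to which host, but not the password itself, so the monitoring pipeline does not become a second store of cleartext secrets.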
Authors
Michael Spaling (University of Alberta)
Topic Areas
Topics: Game changing tools and technologies, Data privacy and security
Session
CM1.2 » Game Changing Tools & Tech (11:15 - Monday, 20th June, CCIS 1-430)