What you see is not what you get - when homographs attack

Video in TIB AV-Portal: What you see is not what you get - when homographs attack

Formal Metadata

Title
What you see is not what you get - when homographs attack
License
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2019
Language
English

Content Metadata

Abstract
Since ICANN introduced Unicode in domain names (Internationalized Domain Names, or simply IDN) over two decades ago, the ability to register domain names using different alphabets and Unicode characters has brought with it a series of new security implications. This talk offers a brief overview of homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks, and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly undetectable phishing scenarios, as well as situations where more powerful exploits could be used against an opsec-aware target. Historical security issues related to Unicode and confusable homographs, along with other attack vectors not discovered by the author, are also explored in this presentation.