What you see is not what you get - when homographs attack

Video in TIB AV-Portal: What you see is not what you get - when homographs attack

CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Since the introduction of Unicode in domain names (known as Internationalized Domain Names, or simply IDN) by ICANN over two decades ago, a series of brand new security implications were also brought to light together with the possibility of registering domain names using different alphabets and Unicode characters. This talk offers a brief overview of homograph attacks, describes part of the mechanics behind the registration of homograph domains, highlights their risks and presents a chain of two practical exploits against Signal, Telegram and Tor Browser that could lead to nearly impossible to detect phishing scenarios and also situations where more powerful exploits could be used against an opsec-aware target. Historical security issues related to Unicode and confusable homographs, as well as other attack vectors not discovered by the author, will also be explored in this presentation.
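As an added example that is not part of the talk or its abstract, the following Python script (written for this page; the Cyrillic lookalike set and the function names are assumptions, not an official Unicode confusables table) shows the punycode round trip the abstract refers to and the two registration patterns a defender would want to flag in a URL, a sender address or a chat message before it is rendered: a mixed-script label such as "apple" with a Cyrillic а, and a whole-script Cyrillic label such as аррӏе in which every letter mimics a Latin one.

```python
import unicodedata

# Constructed, deliberately partial list of Cyrillic letters that render almost
# identically to Latin letters in common fonts (а е о р с у х ѕ і ј ӏ һ ԁ ԛ ԝ).
# This is an assumption for the example, not an official Unicode confusables table.
CYRILLIC_LOOKALIKES = set(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0455\u0456\u0458"
    "\u04cf\u04bb\u0501\u051b\u051d"
)


def to_punycode(domain: str) -> str:
    """Convert a Unicode hostname to its xn-- (A-label) form, label by label.

    Uses Python's raw 'punycode' codec so that no IDNA profile rejects letters
    such as palochka (U+04CF); a real resolver applies IDNA processing first.
    """
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_punycode(domain: str) -> str:
    """Reverse of to_punycode: decode every xn-- label back to Unicode."""
    out = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            out.append(label[4:].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def script_of(ch: str) -> str:
    """Approximate the Unicode script of a character from its name.

    unicodedata exposes no Script property, but the first word of the character
    name ('LATIN', 'CYRILLIC', 'GREEK', ...) is good enough for this check.
    Digits, hyphens and other non-letters are treated as script-neutral.
    """
    if not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyze(domain: str) -> dict:
    """Flag the two homograph patterns discussed in the talk.

    - mixed script: one label mixes e.g. Latin and Cyrillic letters
      (what the newer registration rules forbid);
    - whole-script confusable: a label made only of Cyrillic letters that each
      mimic a Latin letter (still registrable, hence still dangerous).
    Returns the Unicode form, the punycode form and a list of findings.
    """
    unicode_form = from_punycode(domain)
    findings = []
    for label in unicode_form.split("."):
        letters = [c for c in label if c.isalpha()]
        scripts = {script_of(c) for c in letters}
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        elif scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in letters):
            findings.append(f"{label}: whole-script confusable (Cyrillic mimicking Latin)")
    return {"unicode": unicode_form, "punycode": to_punycode(unicode_form), "findings": findings}


if __name__ == "__main__":
    # Constructed sample hostnames: a real one, a mixed-script one and a pure-Cyrillic one.
    samples = ("apple.com", "xn--pple-43d.com", to_punycode("\u0430\u0440\u0440\u04cf\u0435.com"))
    for d in samples:
        r = analyze(d)
        print(d, "->", r["unicode"], r["findings"] or "looks clean")
```

A mail client or messenger that converts xn-- labels back to Unicode for display, as the abstract says several do, could run `analyze` on the decoded form and keep the punycode form visible whenever `findings` is non-empty, which is the behaviour the talk credits Chrome with.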
yes. a i'd be for the architecture about user interface security and homograph attacks.
thank you everybody very much for coming to the talk and i was very late but the act we appreciate the fact that you guys made it so here's a quick peek about myself like many we should just as a fort director of professional services and partner at blaze for security but yeah let's just move on.
make a quick intro about the talk so since the introduction of unicode in domain names a series of security implications have like appeared that came along as well so the presentation aims to discuss some security risks around internationalized domain names and how applications such as browsers, email clients and like secure messengers well they fail to handle IDN in a secure way and end up exposing users to unnecessary security risks and by making it very easy for phishing attacks and visual spoofing to materialise. so here's a quick agenda. of all the talk so we start presenting like speaking about internationalized domain names how they were allowed to be registered and so on and we move on to talk about homographs and the associated security risks that come along with them and then we explore how user agents in this case like browsers and email clients and so on how they react to homograph attacks and later also show some practical attacks against some of them and how we can also defend yourself and then we end up like wrapping up the talk afterwards. so now we're going to speak about internationalized domain names and the emergence of the IDN and so actually the internet was never designed to be multi-lingual so it was created mostly in the united states using ASCII characters so that is like latin characters and domain names have always been confined to be latin-based characters as as a just mission however like the billions of people that do not have latin-based languages as their first language and kind of the way internet worked on with its actually mainly steelworks it somehow excluded the fact that like these people would like to use their own language and alphabet to express themselves on the internet and because of that like ICANN ended up coming with a resolution like the there was little version of the internationalized domain names that each.
it ended up giving a lot of support but it is wide support for unicode characters will look around some two decades ago and of support for unicode because unicode ended up on call. different languages. bad like the cyrillic alphabet like of russia for some really old ancient european languages and so on so this is why they decided to go with unicode but then we have a little technical problem when they ended up implementing IDNs and the main. technical problem here is that the DNS and like as you guys know very well DNS is like one of the building blocks of the internet is only ASCII so it doesn't really speak unicode and because of that they had to come up with a different like way to make these work. and then the fact they came up with this encoding called punycode so punycode essentially converts unicode to ASCII and then for example it converts this emoji of this nice little call hear about that he was which by the way is actually a valid domain it is actually. just two x and dash dash and something nice like that or obedient eighty which is the train company from austria so it's also translated into punycode in order for the DNS to actually work with that and then the user interfaces will do the user friendly part of things. so they convert it back and forth and IDNs in unicode look something like this there's like hope that l.a. does action does actually also exist disease like a boat he and the domain was he later only double its own right rules around out and or i love tacos these also exist. this through again with an emoji or completely full cyrillic domains including even the top level domain which is by the way the full for a russian version of of young bucks and is called also full IDN as we're going to see later on in the talk.
yeah it's safe for actually became much faster than had actually remembered so this like partial IDNs so b.b. dot at which means that the tories some internationalized characters here like this bowl with the double thing on the top doc but the TLD is at so you use the latin alphabet. whereas we have this full IDN which in this case is in russian so i don't know how to pronounce that but this points to the kremlin official website.
so now we're moving on to homographs to talk about security risks and some considerations associated with it. so the latin script for example it can represent a wide variety of languages it can represent for example portuguese spanish english italian and french and a bunch more and then also the fact that i would like to speak about is that different scripts they share many characters that either look exactly similar or have a very strong resemblance so what i want to explain here is for example there are like some characters say a c in latin the latin script that has a very very strong resemblance to something very similar in cyrillic or in the greek alphabet and other alphabets how their soul and they're called confusable homographs so as we can see here the first part of things like the number one is actually latin and this is the unicode code point of it and the second one is the one in cyrillic. and even if we zoom in a lot it's very very hard to distinguish them from a visual standpoint. there is also an l in latin and there is also the horn but they also in latin so even the same language and same script has some characters that look alike a lot but yeah i mean we zoomed in a lot so you can see the actual difference but with a very small screen. pane and depending on the font this can be actually very hard to tell. also we have here peak and the be seen or i was something like that in cyrillic i'd like to apologise to those that actually speak russian i probably didn't really speak properly. is also bleak and the list goes on and on like this is the most small see and coptic which is i don't even know which language this has something very similar.
and also in cyrillic so that you can go too late to grow from col which is which will come next like yeah to grow from could not calm there is very much like all the whole list of all have different unicode code points and symbols and so on and you can actually find many of them that are confusable with latin characters so now we're moving on speaking about user agents and homograph attacks and how they handle it. so for twitter is asian of his response teams are next topic like a bunch of important factors that we're going to see in the next upcoming slides so these attacks they mostly happen a lot because of a few important factors so the way different fonts are rendered the display so display size font size and they all play a role in fooling a user actually into believing that the domain he is visiting or clicking is not a legitimate one. so as we can see here like using the for the whole model sixty eight point. a lot to an apple dot com and those using apple with cyrillic really confused of all there is absolutely no way to distinguish these from a visual standpoint so even if we use another font at seventy point. we can see that old there is a little thing off between the l and the other l for apple which is actually not an l. is just the capital i but in cyrillic and there are other fonts that actually do a better job at making these things distinguishable as you can see here are the ones who really. it's pretty off so you can actually tell there is something dodgy is something fishy going on. and this is actually have to live were not with a couple of good news agency in this case like secure messenger applications wire for desktop is the example here and telegram so i zoomed in as well at some four hundred four hundred percent and you can see that.
here like so but actually have to explain a few things before so i registered like here i think the used to be not come up with something like that so i really should like the full homograph version of it mean consider like for like as part of research for the talk so i was doing all the stars this along with this summer. those domains that i actually own by the way i'm actually happy to give them back to hear belief their interest that because all the research pretty much gone by now so yeah let's go back here so this is the legitimate one and the homograph one how wire renders them you can see that pretty much.
much everything exactly the same there was just something off into our but it is because we zoomed in a lot like four hundred. four hundred percent actually sold for much less five times as much and telegram some characters as well like for example the page is a bit off in this particular case but then as was elated low some characters that are completely indistinguishable too. so does actual the telegram with the u.s. as well and wire so now let's move on with with this. so essentially we were talking about these like as a nation that ICANN had this resolution back in twenty years ago or so when they came up with it but then i realized that they were like a few flaws in the way they were actually allowing people to register domains so essentially it was possible.
to the the you realize that oh there was this confusable homograph thing and this actually can be a problem so it means that people can virtually register google dot com with the a let's say that looks like the the from the one cyrillic and then that would be all that would be very complicated to actually slow down these attacks so. this brought his lies we're talking about some of the rules on the registration of homograph domains they vary a lot depending on the top level domain of her sisters all so for example the dot net dot com dot tv and so on they allow different scripts from many languages so you can see late. boyle's portuguese remaining end jevon his tie and all that all these characters for example if you want is a more permissive like that the us the tea old i think the l.a. you can even come up with emojis even though i think the firm on this thing the RFC doesn't allow emojis to be there but while it's not the first time that people don't really follow RFCs as they. should. for example of dr lane latinas to actually a script are only the ones that gets a lot so some of the top level domains are actually a bit more restrictive than than ten orders sold as a sailor going to virtual money the law that makes the script and then they realized oh this is actually a security. problem and there will be a lot of trouble in the future with that and of i think like a plus two thousand well yeah couple of years ago they came up with a newer version of this resolution called the old version to entry that does not allow mixed scripts but pure scripts are still completely fine to register. and now to see here so all those examples here like people aapl corporate and so on are all homograph domains that actually could be registered because there was no way to stop from registering pure script homographs and family come in many honours list goes on and on.
so now we're going to see some actual practical attacks like to see how it is actually going to build up into actual computer security problems so the practical attacks like the very first time these you even before IDN was actually. re to do so by ICANN and even before all this is the direction was the maze what even to think so this was like back in two thousand one two israeli researchers they said oh this is actually going to be a security problem and the original paper is very interesting is very short like only three pages and like i totally recommend to read to understand more. about the seizures but only lately i think like the past couple of years especially this year it has been picking up a lot and fusion like all those features and all the different adversaries are now notes indies and we're seeing a rise in such attacks and i'd like to think is also very important. to speak briefly about something historic all the recent bugs. related to homographs so firefox so like back in two thousand five johanson from the shmoo group he filed a ticket with firefox like with the law saying hey like you guys are not doing anything to prevent such attacks this was actually. unfortunately taken as a p three importance bug even though i think it should be actually definitely something should be higher but so this was like a visual spoofing in the URL bar because we'll see some of these a bit later in the talk recently there have been like a few CVEs like one in safari that this letter. but called whom he was interpreted exactly as it looks like a lot of letter from all some some language that nobody but probably very speaks of any more but still like is the script of latin script and the he was rendered by safari would just purely wonders at the start of these do. also have just recently took as a nineteen that was one k seen in cyrillic that was interpreted as actually an actual k.
in in moscow and there was also this research by will. little i cannot believe that is named for him. he also found like different to the front of losing the way chrome firefox and a few other browsers opera as well how they reacted to this kind of problems and as a response chrome at least came up with the improvement in the way it handles that is confusable people and. but it's probably the best one out there these days and again like dirty fuel to get open in the bugs a lot of our folks be treated visit between portents again where a scrum truth is people want and that's tor browser is also based on firefox the young folks if it means that they. also vulnerable and unfortunately i don't know why but difficult process that could just go and fix this thing but they claim that they wait for crop of sorry for firefox to know what you're going to end up streaming order to finally fix it i don't think is actually an acceptable excuse but anyway just my personal opinion. oh yeah the way browsers handle IDN so after these homograph attacks that were published by by this chinese researcher in two thousand seventeen chrome stepped up again about big time like mad props for that. and then firefox also a browser still left leg and to hide. but yeah like so i worry that the handle IDNs chrome is actually probably has it has a very complex policy that seems to do very well the key to preventing does about opera and brave i think they follow the same the same way as chrome when i was doing tests. that's what seemed to me at least internet explorer surprisingly was not really vulnerable to this thing like it is probably the only class of bugs what it was not vulnerable to whereas firefox and tor browser still are still going to hide as it to just nation so now moving on to email clients and webmails so i didn't want to call its back.
a friend so for the sake of user friendliness some webmails and some mail clients they convert the punycode that we just saw all the xn-- and some weird other characters. back into unicode like to make it user friendly but very often there are no checks for a few simple folk of his of the characters they are not made so as we're going to see here now with there's an example those hushmail so hushmail is like a secure mail provider and as if you really really isn't.
are you going to see it like this is actually have the money that all was well it's kind of like a pack of this research of this idea and homograph facebook with that something on public a soul if you just feel like a mule in your computer language it's as if like there is some torch on your screen that's if you just. just basically looks to us facebook dot com and it actually goes straight into the inbox doesn't get flagged by anti spam or anything like least not with hushmail and with a few other services that that i tested it could somebody wants that a home for it we cannot really speak about now because they have not fixed the thing. also there is news that you actually even ascendancy of the recently being roundcube so again i used my domain here dot com does like the xn-- something if i send an email to anyone using roundcube roundcube just converts it back to make it user friendly and it will appear. as if it comes from here dot com again no checks and nothing else i mean it's actually don't keep his music was supposed to deliver my soul would just go straight to your inbox but then from a visual standpoint you can essentially spoof the domain name where it comes from and now so does. more how signal handles this was also a sense of your early this year so signal bold from out for android and windows were vulnerable to this so as you can see here can you spot the fake URL there is actually no way to tell from a visual standpoint seen before i last fall. i don't know why but it made the fact that the link that was homograph and clickable so that is great for less than work but for the other versions they were actually vulnerable. telegram as well had the had the same issue. and telegram actually went even as far as making that you know that quick preview of this website so using the fake one so you can you could really pull off very convincing phishing attacks with that so.
let's just talk but actually it we can demo here homograph attacks with signal and tor browser.
i hope the video read of the sea. so i but way these issues were fixed by signal a couple of months back also actually telegram fixed that for a while but seems that they just reproduced it when i was checking things for the talk this week and seems like it went back some regression was not really done properly but that lets you didn't hear the attack.
so there is a fake link of apple dot com totally change you can click and then the URL bar there was no way to tell. i now have to always sorry call to do that i don't know. it's our right side about that goes on.
so we're back here to the video.
so like fake apple yet the world i would just play apple all and so on and and tor browser is vulnerable to this both black and white version and in the desktop version. so it's back to. all right i don't know how to use my computer going nowhere.
but there's a shameful out that i need some help again.
the. by the. i want to. yet the simple answer about it.
so i talk all about this hacking and everything but i don't know some basics of a computer can i do that's pretty shameful it's all right so as we just saw these issues are analysing legs very important to talk about like how to defend yourself up the all the steely for browsers perfectly just use google chrome they're the only one.
that is actually putting an effort to prevent such attacks and also many other security relevant stuff that chrome does so it's really worth using and there are like a few extensions from third parties that we stop the eyes one of them that also prevents that some attacks i believe there are other. for other extensions too that will probably do the same for firefox you can actually turn off the whole thing of showing unicode to do so it means that it will never show again all this going to go think we just show the actual punycode of it. the mail like i've tested outlook proton mail to tunnel to define the problem was not so much as we just saw hushmail and there are like a few other special webmail providers that they have not done any work yet on this even though like some of them actually. part of his a k i think is a problem some of them replied some of them not some of them as lord in orders to fix things and then again this is like rahm just introduce you to think like him off month and a half ago briskly com has a list of the han like ten thousand miles with the website.
and they will actually do some sort of work to the act like a cult looks like somebody trying to pull off a homograph attack against github and i assure you want to go to github dot com to this thing that's budgie and so much trying to phish you. and also from a different perspective.
from the story from the human eye perspective there was like a proposal that never really took off that they wanted to have different colours in the letters that are not latin alphabet so i mean who wants a lot fusible and it never really took off like probably not that great from move from like a user. the interface and user experience point of view and i think that's why it never really picked up momentum there are a few developer a story application developers there are like a few libraries that check for confusables so the with just two part of his of the heavy weight of. for you. and all we are wrapping up the talk so issues coming from homographs have been around for a while so some twenty years old since pretty much the very introduction of internationalized domain names by ICANN bugs for a leader has been discussed around them. very frequently overlooked. and these issues are not really part of the threat model for many applications as they are very often closely associated in years actually good luck for you if you try to submit something like this for a bug bounty program many of them will say hey this is a social engineering attack that's out of scope for our. program but actually somewhat secure messages i actually got a bounty from one of them that i didn't mention here because it's part of what i can i would speak about it that it's one of the bug bounty programs but i think was the only one that actually gave a small reward for this kind of issue even though in the very beginning they said it's not you. it's not a security issue because they do exactly what they're supposed to do so display links but get a food spring link of google and when i clicked there it takes to summer isles old probably something off and ultimately i think competition two teams they can't do much more at the practice of in preventing these attacks.
for example google chrome is actually doing a pretty good job with that not only now by simply showing to use this interface of user hey are you sure you're going to the right correct website and also improving their algorithms to show domain names whereas like me out of office and i actually doing it. instead of asking for users to be like vigilant and please don't click on bad links or stuff like that that's just not really an option or even worse wait for ICANN to come up with the magic solution for the problem i believe i remember that one of the secure messengers when i reported the issue to them they said. it all this is also not a problem because we are doing exactly what was supposed to display links and it's a problem with ICANN and registrars they are like trying to shift the blame no it's actually not their fault it's actually the fact that you're not really doing the thing correctly and here are like a few references. so about this research i would recommend reading them up if you're interested and yeah thank you very much still question fine now.
thank you for the talk and do we have any questions from the room view.
on the internet nope. while. this is really amazing summit this i hope explained everything so well there's no questions asked yet a kind of seems like that there are no questions and answers on this amazing topic.
it's a great and will wrap it up and college at night and thank you very much and you have one more one hand i have friends.
a year.