Usable Privacy and Security. Ponnurangam K (PK) OWASP AppSec Asia Nov 17, 2009

Transcription

1 Usable Privacy and Security Ponnurangam K (PK) OWASP AppSec Asia Nov 17, 2009

2 Who am I? Faculty at IIIT Delhi Ph.D. from School of Computer Science, Carnegie Mellon University, USA Research interests InformaOon security Cyber crime Usable security Teaching a Ph.D. level course on Security and Privacy

3 Everyday Security Problems Install this so+ware?

4 Everyday Security Problems Se1ng File Permissions

5 Everyday Security Problems All channels are used

6

7 Secure, but usable?

8 Unusable security frustrates users

9 Outline Usable privacy and security challenges Making secure systems more usable Building usable secure systems AnO phishing Privacy decision making User controllable security and privacy Takeaways

10 Usable Privacy and Security Give end users security controls they can understand and privacy they can control for the dynamic, pervasive compuong environments of the future. Grand Challenges in InformaOon Security & Assurance CompuOng Research AssociaOon (2003) More research needed on how cultural and social influences can affect how people use computers and electronic informaoon in ways that increase the risk of cybersecurity breaches. Grand Challenges for Engineering NaOonal Academy of Engineering (2008)

11 Concerns may not be aligned Security experts are concerned about the bad guys ge^ng in Users may be more concerned about locking themselves out

12 Typical password advice Pick a hard to guess password Don t use it anywhere else Change it o`en Don t write it down

13 What do users do when every web site wants a password?

14 Bank = b3ayz Amazon = aa66x! Phonebill = p$2$ta1

15

16 Humans are weakest link Most security breaches abributed to human error Social engineering abacks proliferate

17 How can we make secure systems more usable? Make it just work Invisible security Make security/privacy understandable Make it visible Make it intuiove Use metaphors that users can relate to Train the user

18 Make it just work

19 Beber behind the scene Develop systems where users are not involved in solving a problem Spam filters RegulaOon ValidaOon

20 Make security understandable

21 Netcra` Displays domain registration date, hosting name and country, and popularity among other users Traps suspicious URLs with deceivable characters Enforces display of browser navigational controls

22 Privacy bird Privacy policy matches user s privacy preferences Privacy policy does not match user s privacy preferences

23 Train the user

24

25 Usable security makes users happy

26 Outline Usable privacy and security challenges Making secure systems more usable Building usable secure systems AnO phishing Privacy decision making User controllable security and privacy Takeaways

27

28 Phishing works Phishers make use of users trust Users lack computer and security knowledge People don t use good strategies VicOms Financial insotuoons and military Corporates UniversiOes Online social networking sites/games

29 MulO Pronged Approach Human side Interviews and surveys to understand decision making PhishGuru embedded training AnO Phishing Phil game Computer side PhishPatrol ano phishing filter CANTINA web ano phishing algorithm

30 How do users make decisions? Interview study Results Something to do with the band Phish, I take it. People generally not good at idenofying scams they haven t specifically seen before People don t use good strategies to protect themselves Non experts wanted advice to help them make beber trust decisions Non experts used significantly fewer meaningful signals compared to experts

31 PhishGuru Embedded Training Can we train people during their normal use of to avoid phishing abacks? Periodically, people receive a training Training looks like a phishing aback If a person falls for it, intervenoon warns and highlights what cues to look for in succinct and engaging format MoOvaOng users teachable moment Applies learning science principles for designing training intervenoons

32 Subject: Revision to Your Amazon.com InformaOon

33 Subject: Revision to Your Amazon.com InformaOon Please login and enter your informaoon hbp:// in.html

34

35 Laboratory study results Security nooces are an ineffecove medium for training users Users educated with embedded training make beber decisions than those sent security nooces ParOcipants retained knowledge a`er 7 days Training does not increase false posiove error

36 Real world studies People trained with PhishGuru were less likely to click on phishing links than those not trained People retained their training for 28 days Two training messages are beber than one PhishGuru training does not make people less likely to click on legiomate links Age was most significant factor in determining vulnerability

37 Some feedback I was more moovated to read the training materials since it was presented a`er me falling for the aback. Thank you PhishGuru, I will remember that [the 5 instrucoons given in the training material]. I really liked the idea of sending CMU students fake phishing s and then saying to them, essenoally, HEY! You could've just goben scammed! You should be more careful here's how... I think the idea of using something fun, like a cartoon, to teach people about a serious subject is awesome!

38 AnO Phishing Phil Online game Compliments PhishGuru Teaches people how to protect themselves from phishing abacks idenofy phishing URLs use web browser cues find legiomate sites with search engines Played 95,000 Omes

39

40

41

42 PhishPatrol Create filter that detects phishing s Spam filters well explored, but how good for phishing? Can we create a custom filter for phishing?

43 PhishPatrol: HeurisOcs IP addresses in link (hbp:// /blah) Age of linked to domains (younger domains likely phishing) Non matching URLs (ex. most links point to PayPal) Click here to restore your account HTML Number of links Number of domain names in links Number of dots in URLs (hbp:// JavaScript SpamAssassin raong

44 CANTINA Take five words with highest TF IDF weights Feed these five words into a search engine (Google) If domain name of current web page is in top N search results, we consider it legiomate

45

46

47 Outline Usable privacy and security challenges Making secure systems more usable Building usable secure systems AnO phishing Privacy decision making User controllable security and privacy Takeaways

48 Privacy decision making To make privacy informaoon more usable to consumers Plasorm for Privacy Preferences (P3P) XML format that web sites use to encode their privacy policies User so`ware to read P3P policies called a P3P user agent

49 Privacy bird indicator

50 Click on the bird for more info

51 Privacy policy summary mismatch Link to opt-out page

52 Outline Usable privacy and security challenges Making secure systems more usable Building usable secure systems AnO phishing Privacy decision making User controllable security and privacy Takeaways

53 User controllable security and privacy Give user the control of the informaoon Provide tools for users to audit System should learn from user behavior and suggest

54 Grey Distributed smartphone based access control system physical resources like office doors, computers, and coke machines electronic ones like computer accounts and electronic files currently only physical doors

55 Other systems Locaccino Expandable grids

56 Outline Usable privacy and security challenges Making secure systems more usable Building usable secure systems AnO phishing Privacy decision making User controllable security and privacy Takeaways

57 Takeaways Users are the weakest link in security system Usable Privacy and Security is criocal to reap the benefits of InformaOon and CommunicaOon Technologies Whirlwind tour of usable security and privacy systems Helping end users by developing usable systems

58 What can we do about it? Understanding the human in the loop Understand the usable security issue in India Collect empirical data related to security and privacy in India

59 Further readings HCISEC bibliography hbp://gaudior.net/alma/biblio.html Cranor, L. F., and Garfinkel, S. Security and Usability: Designing Secure Systems that People Can Use., James, L. Phishing Exposed. Syngress Publishing, Canada, November Wu, M. FighOng Phishing at the User Interface. PhD thesis, MIT, 2006., hbp://groups.csail.mit.edu/uid/projects/phishing/ minwu thesis.pdf. Norman, D. A. The Design of Everyday Things. Basic Books, 2002.

60 Thank you

61 QuesOons?

62 Acknowledgements Members of SupporOng Trust Decisions research group Members of CyLab Usable Privacy and Security laboratory Members of COS Ph.D. program Supported by NSF, ARO, CyLab, ISP in Portugal

63 Ponnurangam K (PK) pk@iiitd.ac.in