Andrew Bragdon CS166: USABLE SECURITY

Transcription

1 Andrew Bragdon CS166: USABLE SECURITY

2 WHY CRYPTOSYSTEMS FAIL (ANDERSON, 1993) Traditionally, it was assumed that the biggest security threat is from sophisticated cryptanalysis Assumes government (e.g. NSA)-level capabilities In practice, however, it is not the encryption products but how they are deployed that is the problem Using the wrong products Poor implementation/integration Sloppy operating procedures

3 WHY CRYPTOSYSTEMS FAIL (CONT.) Security groups are rarely well-integrated into corporate culture High turnover rate Companies selling security products overestimate the level of competence of their customers A new threat model is needed Need to concentrate on what is likely to happen rather than what could happen Features not getting used correctly Need to understand how security products are actually used

4 WHY JOHNNY CAN T ENCRYPT (TYGAR, 1999) Given no prior training Can users encrypt messages in an ecologically valid setting?

5 PGP

6 WHY JOHNNY CAN T ENCRYPT (CONT.) 12 participants were recruited from a political campaign office Users were given Eudora and PGP and asked to send internal messages regarding the campaign, in encrypted form Given an introduction to Eudora but not to PGP

7 WHY JOHNNY CAN T ENCRYPT (RESULTS) 1 participant was unable to figure out how to encrypt, and two participants took > 25 min to send the 1 st message 7 participants mistakenly used their public key to encrypt Only 2 participants correctly encrypted a message in the 90 minute session Conclusion: standard user interface design fails for security applications, such as encryption!

8 USABLE SECURITY Applying human-computer interaction (HCI) to computer security Understanding How security systems are used in practice How a better interface can improve user security Better practices Better understanding

9 PAPERS OVERVIEW Publication landscape In contrast to other fields Best work in CS is usually published first at conferences Later collected together into Journal articles CHI conference

10 Moncur, W. and Leplâtre, G Pictures at the ATM: exploring the usability of multiple graphical passwords. In Proceedings of CHI ' PICTURES AT THE ATM

11 ATM SECURITY Token Knowledge-based password, 4-digits Users have approx. 5 token/password combinations on average

12 IT S HARD TO REMEMBER PINS!

13 INSECURE MEMORY STRATEGIES Write down PINs Make them all the same Disclose them to friends and family (some studies suggest up to 30% of the time)

14 BACKGROUND Picture Superiority Effect: People remember images better than words, and other semantic or syntactic information Graphical Password Types Locimetric (salient points) Drawmetric (sketch a picture) Cognometric (recognize pictures)

15 THE SYSTEM

16 THE CONTROL

17 HYPOTHESES H1: Multiple graphical passwords are more memorable than multiple PIN numbers H2: Memorability of multiple graphical passwords can be improved using a mnemonic to aid recall H3: Memorability of multiple graphical passwords can be improved by showing password and distracter images against a signature colored background.

18 METHODOLOGY Web-based at home study, 172 participants Must remember five PIN/bank combinations Initial training, three tests spaced by two weeks Five groups: Control 0: 4-digit numeric PIN Experimental 1: Graphical passwords Experimental 2: Graphical passwords with signature color background to augment memorability Experimental 3: Graphical passwords with explicit mnemonic strategy Experimental 4: Graphical passwords with mnemonic strategy and color background

19 EMPIRICAL STUDY RESULTS

20 EMPIRICAL STUDY RESULTS

21 EMPIRICAL STUDY RESULTS

22 DISCUSSION Core hypothesis confirmed Users benefited from mnemonic, did not benefit from color Users frequently got the right set of images, but the wrong order Future work Larger sample size to examine large-scale patterns such as age Longer periods of time Semantically equivalent images

23 Stoll, J., Tashman, C. S., Edwards, W., and Spafford, K Sesame: informing user security decisions with system visualization. In Proceeding of CHI ' HELPING USERS UNDERSTAND SECURITY ISSUES THROUGH SYSTEM VISUALIZATION

24 SOME REAL SECURITY PROMPTS AVG Update downloader is trying to access the Internet The firewall has blocked Internet access to your computer [FTP] from [TCP Port 57796, Flags: S] [Your] AntiSpyware has detected that the Windows NetBIOS Messenger Service is currently running. (This service should not be confused with the peer-to-peer Windows Messenger service, or MSN Messenger service which are used for Internet Chat). Beginning with Windows XP Service Pack 2, the Windows NetBIOS Messenger service What would you like to do?

25 HOW DO YOU COMMUNICATE COMPLEX SECURITY CONCEPTS TO AN END USER? Information provided by security tools is technical, and difficult to interpret Users are in a hurry, and expect things to just work Must choose between dealing with more boxes in the future, and making a permanent decision

26 THE VISUALIZATION CHALLENGE

27 DESIGN (CONT.)

28 ZONE ALARM FIREWALL

29 METHODOLOGY 20 participants (9 female, 11 male) Undergraduates; no CS/Engineering None considered themselves to be experts 6 tasks 4 allow/forbid incoming connection 2 phishing site tasks Between-subjects, 2 conditions

30 EMPIRICAL STUDY RESULTS

31 EMPIRICAL STUDY RESULTS

32 DISCUSSION Users performed better (statistically significant) with Sesame Post-interviews indicate that: Most participants in the control did not know how to use information presented 5 participants allowed/denied all requests All participants in experimental group used information presented All users understood foreground processes, only 2 understood background processes Understood arrows, and remote computers

33 Egelman, S., Cranor, L. F., and Hong, J You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proceeding of CHI ' AN EMPIRICAL STUDY OF PHISHING WARNINGS IN WEB BROWSERS

34 BANNER BLINDNESS

35 INTERNET EXPLORER 7

36 INTERNET EXPLORER 7

37 FIREFOX 2

38 STUDY METHODOLOGY 70 participants Assigned to conditions based on what browser (and version) they use: Internet Explorer, Active Internet Explorer, Passive Firefox, Active Control (no warning) Participants were told they were in an online shopping study; used their personal information to buy two items Amazon ebay

39 STUDY METHODOLOGY (CONT.) Bought from store Were sent a Spear Phishing message saying their purchase needed to be confirmed Checked to confirm Clicking link in the message produced Phishing warning message

40 EMPIRICAL STUDY FINDINGS

41 EMPIRICAL STUDY FINDINGS

42 DISCUSSION 50% of IE condition recognized warning, 20% for Firefox IE has a very similar warning for an expired cookie IE warning may have suffered from habituation: Oh, I always ignore those Looked like warnings I see at work which I know to ignore I see them daily Since it gave me the option of proceeding to the site, I figured it couldn t be that bad. Most participants did not appear to understand that can be faked; thus they were confused as to why they got this warning message

43 DESIGN REQUIREMENTS Interrupt the primary task Provide clear choices Failing safely Preventing habituation Altering the phishing website Users trust sites primarily based on its look and feel

44 Sankarpandian, K., Little, T., and Edwards, W. K Talc: using desktop graffiti to fight software vulnerability. In Proceeding of CHI ' PERSUADING USERS TO INSTALL SECURITY UPDATES

45 DON T INTERRUPT ME!

46 HOW DO YOU PERSUADE A USER TO INSTALL UPDATES? Ambient display Constant, non-intrusive reminder Allows users to respond at their own pace

47 THE GRAFFITI SOLUTION

48 THE GRAFFITI SOLUTION Allows users to respond at their own pace Size of graffiti denotes severity Images chosen randomly from a predetermined corpus In order to clear the graffiti off of their desktop, they must install the patches

49 METHODOLOGY 10 participants, recruited from outside the university context Used TALC at home, on their personal computers for a week TALC logged usage and patch data, and periodically uploaded it

50 EMPIRICAL STUDY RESULTS

51 EMPIRICAL STUDY RESULTS

52 DISCUSSION Users appear to return to address threats later Users appeared to become aware of the patches they needed to install Is this an appropriate solution for a business context? Are there issues interpreting this type of feedback across cultures?

53 THANK YOU