CS166: USABLE SECURITY
Andrew Bragdon
WHY CRYPTOSYSTEMS FAIL (ANDERSON, 1993)
- Traditionally, it was assumed that the biggest security threat is from sophisticated cryptanalysis
  - Assumes government (e.g. NSA)-level capabilities
- In practice, however, it is not the encryption products but how they are deployed that is the problem
  - Using the wrong products
  - Poor implementation/integration
  - Sloppy operating procedures

WHY CRYPTOSYSTEMS FAIL (CONT.)
- Security groups are rarely well-integrated into corporate culture
  - High turnover rate
- Companies selling security products overestimate the level of competence of their customers
- A new threat model is needed
  - Need to concentrate on what is likely to happen rather than what could happen
  - Features not getting used correctly
  - Need to understand how security products are actually used
WHY JOHNNY CAN'T ENCRYPT (TYGAR, 1999)
- Given no prior training, can users encrypt email messages in an ecologically valid setting?
PGP
WHY JOHNNY CAN'T ENCRYPT (CONT.)
- 12 participants were recruited from a political campaign office
- Users were given Eudora and PGP and asked to send internal messages regarding the campaign, in encrypted form
- Given an introduction to Eudora but not to PGP

WHY JOHNNY CAN'T ENCRYPT (RESULTS)
- 1 participant was unable to figure out how to encrypt, and two participants took > 25 min to send the 1st message
- 7 participants mistakenly used their own public key to encrypt
- Only 2 participants correctly encrypted a message in the 90 minute session
- Conclusion: standard user interface design fails for security applications, such as encryption!
USABLE SECURITY
- Applying human-computer interaction (HCI) to computer security
- Understanding
  - How security systems are used in practice
  - How a better interface can improve user security
- Better practices
- Better understanding

PAPERS OVERVIEW
- Publication landscape
  - In contrast to other fields, the best work in CS is usually published first at conferences
  - Later collected together into journal articles
  - CHI conference
PICTURES AT THE ATM
Moncur, W. and Leplâtre, G. 2007. Pictures at the ATM: exploring the usability of multiple graphical passwords. In Proceedings of CHI '07. 887-894.

ATM SECURITY
- Token
- Knowledge-based password, 4 digits
- Users have approx. 5 token/password combinations on average
IT'S HARD TO REMEMBER PINS!

INSECURE MEMORY STRATEGIES
- Write down PINs
- Make them all the same
- Disclose them to friends and family (some studies suggest up to 30% of the time)

BACKGROUND
- Picture Superiority Effect: people remember images better than words and other semantic or syntactic information
- Graphical password types
  - Locimetric (salient points)
  - Drawmetric (sketch a picture)
  - Cognometric (recognize pictures)
THE SYSTEM
THE CONTROL
HYPOTHESES
- H1: Multiple graphical passwords are more memorable than multiple PIN numbers
- H2: Memorability of multiple graphical passwords can be improved using a mnemonic to aid recall
- H3: Memorability of multiple graphical passwords can be improved by showing password and distracter images against a signature colored background

METHODOLOGY
- Web-based at-home study, 172 participants
- Must remember five PIN/bank combinations
- Initial training, three tests spaced by two weeks
- Five groups:
  - Control 0: 4-digit numeric PIN
  - Experimental 1: Graphical passwords
  - Experimental 2: Graphical passwords with signature color background to augment memorability
  - Experimental 3: Graphical passwords with explicit mnemonic strategy
  - Experimental 4: Graphical passwords with mnemonic strategy and color background
EMPIRICAL STUDY RESULTS
DISCUSSION
- Core hypothesis confirmed
- Users benefited from the mnemonic, did not benefit from color
- Users frequently got the right set of images, but the wrong order
- Future work
  - Larger sample size to examine large-scale patterns such as age
  - Longer periods of time
  - Semantically equivalent images
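To make the "right set, wrong order" finding concrete, here is an added model (not code from the paper) of a cognometric password as an ordered choice of images from a grid, with its entropy compared against the 4-digit PIN it replaces. The 16-image grid, the 4-image password length and the image identifiers are constructed assumptions.

```python
"""Model of the cognometric (recognition-based) graphical password scheme
discussed in Pictures at the ATM, alongside the 4-digit PIN it replaces.
Added example, not code from the paper; the 16-image grid, 4-image password
and the image identifiers below are constructed assumptions."""
from math import comb, log2, perm
from typing import Sequence


def graphical_entropy_bits(pool_size: int, length: int, ordered: bool = True) -> float:
    """Entropy of a password made of `length` distinct images from a pool of
    `pool_size`; `ordered=False` gives what is left if order is not checked."""
    count = perm(pool_size, length) if ordered else comb(pool_size, length)
    return log2(count)


def pin_entropy_bits(digits: int = 4) -> float:
    """Entropy of a numeric PIN of the given length (all digit strings allowed)."""
    return digits * log2(10)


def score_attempt(secret: Sequence[str], attempt: Sequence[str]) -> str:
    """Classify a login attempt the way the study reports errors:
    exact match, the right images in the wrong order, or wrong images."""
    if list(attempt) == list(secret):
        return "correct"
    if len(attempt) == len(secret) and set(attempt) == set(secret):
        return "right set, wrong order"
    return "wrong"


def authenticate(secret: Sequence[str], attempt: Sequence[str]) -> bool:
    """Only an exact ordered match logs the user in. Accepting 'right set,
    wrong order' would be convenient but discards the ordering entropy
    (for 4 of 16 images: about 15.4 bits down to about 10.8, below a 4-digit PIN)."""
    return score_attempt(secret, attempt) == "correct"


if __name__ == "__main__":
    # Constructed password: image ids for one bank, chosen from a 16-image grid.
    secret = ["cat", "bridge", "apple", "guitar"]
    print(f"ordered graphical:   {graphical_entropy_bits(16, 4):.1f} bits")
    print(f"unordered graphical: {graphical_entropy_bits(16, 4, ordered=False):.1f} bits")
    print(f"4-digit PIN:         {pin_entropy_bits():.1f} bits")
    print(score_attempt(secret, ["apple", "cat", "bridge", "guitar"]))
```

The scoring categories are for analysing study data; the login decision itself stays strict, since relaxing the order check is exactly what would make the scheme weaker than a PIN.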
HELPING USERS UNDERSTAND SECURITY ISSUES THROUGH SYSTEM VISUALIZATION
Stoll, J., Tashman, C. S., Edwards, W., and Spafford, K. 2008. Sesame: informing user security decisions with system visualization. In Proceeding of CHI '08. 1045-1054.

SOME REAL SECURITY PROMPTS
- "AVG Update downloader is trying to access the Internet"
- "The firewall has blocked Internet access to your computer [FTP] from 192.168.0.105 [TCP Port 57796, Flags: S]"
- "[Your] AntiSpyware has detected that the Windows NetBIOS Messenger Service is currently running. (This service should not be confused with the peer-to-peer Windows Messenger service, or MSN Messenger service which are used for Internet Chat). Beginning with Windows XP Service Pack 2, the Windows NetBIOS Messenger service
  What would you like to do?"

HOW DO YOU COMMUNICATE COMPLEX SECURITY CONCEPTS TO AN END USER?
- Information provided by security tools is technical and difficult to interpret
- Users are in a hurry, and expect things to just work
- Must choose between dealing with more boxes in the future and making a permanent decision
THE VISUALIZATION CHALLENGE
DESIGN (CONT.)
ZONE ALARM FIREWALL
METHODOLOGY
- 20 participants (9 female, 11 male)
  - Undergraduates; no CS/Engineering
  - None considered themselves to be experts
- 6 tasks
  - 4 allow/forbid incoming connection
  - 2 phishing site tasks
- Between-subjects, 2 conditions
EMPIRICAL STUDY RESULTS
DISCUSSION
- Users performed better (statistically significant) with Sesame
- Post-interviews indicate that:
  - Most participants in the control did not know how to use the information presented
  - 5 participants allowed/denied all requests
  - All participants in the experimental group used the information presented
  - All users understood foreground processes; only 2 understood background processes
  - Understood arrows and remote computers

AN EMPIRICAL STUDY OF PHISHING WARNINGS IN WEB BROWSERS
Egelman, S., Cranor, L. F., and Hong, J. 2008. You've been warned: an empirical study of the effectiveness of web browser phishing warnings. In Proceeding of CHI '08. 1065-1074.
BANNER BLINDNESS
INTERNET EXPLORER 7
FIREFOX 2
STUDY METHODOLOGY
- 70 participants
- Assigned to conditions based on what browser (and version) they use:
  - Internet Explorer, Active
  - Internet Explorer, Passive
  - Firefox, Active
  - Control (no warning)
- Participants were told they were in an online shopping study; used their personal information to buy two items
  - Amazon
  - eBay

STUDY METHODOLOGY (CONT.)
- Bought from store
- Were sent a spear phishing message saying their purchase needed to be confirmed
- Checked email to confirm
- Clicking the link in the message produced the phishing warning message
EMPIRICAL STUDY FINDINGS
DISCUSSION
- 50% of the IE condition recognized the warning, 20% for Firefox
- IE has a very similar warning for an expired cookie
- IE warning may have suffered from habituation:
  - "Oh, I always ignore those"
  - "Looked like warnings I see at work which I know to ignore"
  - "I see them daily"
  - "Since it gave me the option of proceeding to the site, I figured it couldn't be that bad."
- Most participants did not appear to understand that email can be faked; thus they were confused as to why they got this warning message

DESIGN REQUIREMENTS
- Interrupt the primary task
- Provide clear choices
- Failing safely
- Preventing habituation
- Altering the phishing website
  - Users trust sites primarily based on their look and feel
PERSUADING USERS TO INSTALL SECURITY UPDATES
Sankarpandian, K., Little, T., and Edwards, W. K. 2008. Talc: using desktop graffiti to fight software vulnerability. In Proceeding of CHI '08. 1055-1064.

DON'T INTERRUPT ME!

HOW DO YOU PERSUADE A USER TO INSTALL UPDATES?
- Ambient display
  - Constant, non-intrusive reminder
  - Allows users to respond at their own pace
THE GRAFFITI SOLUTION
THE GRAFFITI SOLUTION
- Allows users to respond at their own pace
- Size of graffiti denotes severity
- Images chosen randomly from a predetermined corpus
- In order to clear the graffiti off of their desktop, users must install the patches

METHODOLOGY
- 10 participants, recruited from outside the university context
- Used TALC at home, on their personal computers, for a week
- TALC logged usage and patch data, and periodically uploaded it
EMPIRICAL STUDY RESULTS
DISCUSSION
- Users appear to return to address threats later
- Users appeared to become aware of the patches they needed to install
- Is this an appropriate solution for a business context?
- Are there issues interpreting this type of feedback across cultures?
THANK YOU