Users Are Not Dependable: How to make security indicators that protect them better
Min Wu, Simson Garfinkel, Robert Miller
MIT Computer Science and Artificial Intelligence Lab
Presentation transcript (added February 04, 2008)

User Is Part Of System
The user is the "weakest link" in operational security systems. If attackers can easily trick users into compromising their own security, they do not have to try hard to attack the system directly.
A typical attack: phishing.

Security Indicators
"Look for the lock at the bottom of your browser and 'https' in front of the website address."

More Security Indicators
Spoofstick
Netcraft Toolbar
Trustbar
eBay Account Guard
Spoofguard

Outline
Introduction of security indicators
Anti-phishing user study
Web authentication using cell phones
Conclusions

Security Toolbar Abstractions
Neutral-Information Toolbar: SpoofStick, Netcraft Toolbar (the toolbar shows facts about the site and leaves the decision to the user)
System-Decision Toolbar: eBay Account Guard, SpoofGuard (the toolbar itself decides whether the site is suspicious)
Positive-Information Toolbar: TrustBar (the toolbar shows a positive signal only when the site checks out)

Study Scenario
We set up dummy accounts as John Smith at various websites.
"You are the personal assistant of John Smith. John is on vacation now. During his vacation, he sometimes sends you emails asking you to do some tasks for him online."
"Here is John Smith's profile."
Users dealt with 20 emails forwarded by John Smith; 5 of them were phishing emails. Most of the emails were about managing John's wish lists at various sites.

Slides 16-18: screenshots of the study browser, split into a main frame, an address bar frame (showing, for example, http://tigermail.co.kr/cgi-bin/webscrcmd_login.php), a toolbar frame and a status bar frame.

Attack Types
1. Similar-name attack
2. IP-address attack
3. Hijacked-server attack
4. Popup-window attack
5. Paypal attack

Legitimate host vs. phishing host for attacks 1-3:
bestbuy.com vs. www.bestbuy.com.ww2.us (similar-name attack)
bestbuy.com vs. 212.85.153.6 (IP-address attack)
bestbuy.com vs. www.btinternet.com (hijacked-server attack)

Security Toolbar Display: screenshots of each toolbar on the legitimate site vs. the phishing site.
Attack Pattern: diagram.

Recruitment
30 users, recruited at MIT, paid $15 for one hour; 10 users for each toolbar type (Neutral-Information, System-Decision, Positive-Information).
Average age 27 [18-50]; 14 females and 16 males; 20 MIT students, 10 not.

Spoof Rates With Different Toolbars: chart.
Spoof Rates With Different Attacks: chart, p = 0.052 (ANOVA).

Why Did Users Get Fooled?
20 out of 30 were fooled by at least one attack. Among those 20 users:
17 (85%) said the web content looked professional or familiar;
7 (35%) relied on security-related content on the page itself;
12 (60%) explained away odd behaviors:
"I have been to sites that use plain IP addresses."
"Sometimes I go to a website, and it directs me to another site with a different address."
"Yahoo may have just opened a branch in Brazil and thus registered there."
"I must have mistakenly triggered the popup window."

Results
Users did not rely on security indicators; they depended on web content instead.
Users cannot distinguish poorly designed websites from malicious phishing attacks.

Outline
Introduction of security indicators
Anti-phishing user study
Web authentication using cell phones: authentication protocol, user study, an improved protocol
Conclusions

Authentication Using Cell Phones
Goal: prevent people's passwords from being captured by public computers.
Use a trusted cell phone to authenticate login sessions started from untrusted public computers.
Checking the security indicator is part of the authentication protocol itself.

Authentication Protocol
Step 1: a login attempt is made from the untrusted computer.
Step 2: the server replies to the browser, "This login session is named 'FAITH'."
Step 3: the browser displays "FAITH".
Step 4: the server asks the user's cell phone, "Do you approve login session named 'FAITH'?", and the phone displays "FAITH".
Step 5: the user compares the name on the phone with the name in the browser and answers on the phone, "I approve 'FAITH'."
Step 6: the server logs the session in.

User Interface: screenshots.

Attack Types
Duplicated attack
Blocking attack

User Study
Log in to Amazon.com with a personal computer and a cell phone, 6 logins in a row. Attacks were randomly selected and assigned to the 5th or the 6th login.
20 users, recruited at MIT, paid $10 for one hour. Average age 25 [18-43]; 9 females and 11 males; 16 MIT students, 4 not.

Results
Duplicated attack: 36% spoof rate (4 successful out of 11 attacks). "There must be a bug in the proxy since the session name displayed in the computer does not match the one in the cell phone."
Blocking attack: 22% spoof rate (2 successful out of 9 attacks). "The network connection must be really slow since the session name has not been displayed."
Users failed to follow the protocol; they cannot distinguish system failures from malicious attacks.

An Improved Protocol
Thanks to Steve Strassman from Orange(TM).
Instead of answering yes or no to a single name, the user logs in by choosing, from a list shown on the phone, the session name that the browser displays.
Under Attacks: duplicated attack, blocking attack (diagrams).

Results
Login by choosing the correct session name had a zero spoof rate over 9 duplicated attacks and 11 blocking attacks.
There was little chance that the attacker's list included the session name shown in the user's browser.
Users were forced to attend to the security indicator.

Conclusions
The security-indicator checking scheme fails:
Users ignore advice (34% spoof rate).
Users do not follow instructions (30% spoof rate: 6 of the 20 attacks in the cell-phone study succeeded).
Users cannot distinguish "bugs" from "attacks".
The security indicator is not part of the user's "critical action sequence".

Lesson Learned
Moving the security indicator into the critical action sequence protects users better.

Users Cared About Security
18 out of 30 unchecked "remember me".
13 out of 30 logged out (or tried to) after at least one task.

Slide 45: legitimate site vs. phishing site (screenshots).
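The cell-phone protocol, the duplicated and blocking attacks, and the improved "choose the session name" variant, as an added worked model. This is example code written for this page, not the study's proxy implementation or any code from the authors: the Server, Browser, phone and user behaviours are constructed stand-ins, the session words are made up, and the decoy list on the phone is assumed to be the real name plus three fixed decoys.

```python
# Added example (not from the slides or the authors' implementation): a model of
# the cell-phone session-name protocol, the two attacks on it, and the improved
# "choose the session name" variant. Server, browser, phone and user behaviour are
# constructed stand-ins for the study's proxy; the session words are made up.

SESSION_WORDS = ["FAITH", "ROBIN", "CEDAR", "MAPLE", "EAGLE", "RIVER", "STONE", "DELTA"]


class Browser:
    """Display on the untrusted public computer. A blocking attacker keeps the
    session name from ever being shown, so the user sees nothing to compare."""

    def __init__(self, blocked=False):
        self.blocked = blocked
        self.shown = None

    def show(self, name):
        if not self.blocked:
            self.shown = name


class Server:
    """Names each login attempt and pushes the name to the account's phone."""

    def __init__(self, names):
        self.names = iter(names)   # deterministic name source for the model
        self.attempts = {}         # attempt id -> {"name": str, "logged_in": bool}
        self.phone_inbox = {}      # username -> attempt ids awaiting approval

    def login_attempt(self, username, browser):
        """The untrusted computer sends only the username; no password is typed
        there. The server names the session and tells both browser and phone."""
        aid = len(self.attempts) + 1
        name = next(self.names)
        self.attempts[aid] = {"name": name, "logged_in": False}
        browser.show(name)                      # "This login session is named 'FAITH'."
        self.phone_inbox.setdefault(username, []).append(aid)
        return aid

    def approve(self, aid, chosen_name):
        """The phone's reply. The attempt is logged in only if the name the user
        picked on the phone is the one assigned to that very attempt."""
        ok = chosen_name == self.attempts[aid]["name"]
        self.attempts[aid]["logged_in"] = ok
        return ok


def phone_yes_no(server, username, browser_shown, explains_away):
    """Original protocol: the phone shows one name and asks "Do you approve?".
    A careful user approves only on a match. A user who explains a mismatch or a
    blank browser away ("bug in the proxy", "slow network") approves anyway."""
    aid = server.phone_inbox[username].pop(0)
    phone_name = server.attempts[aid]["name"]
    if phone_name == browser_shown or explains_away:
        return server.approve(aid, phone_name)  # "I approve 'FAITH'."
    return False


def phone_choose(server, username, browser_shown, decoys=3):
    """Improved protocol: the phone shows a list (the real name plus decoys) and
    the user must pick the name the browser displays. With no matching entry
    there is nothing to pick, so an attack cannot be completed out of habit."""
    aid = server.phone_inbox[username].pop(0)
    real = server.attempts[aid]["name"]
    options = [real] + [w for w in SESSION_WORDS if w != real][:decoys]
    if browser_shown in options:
        return server.approve(aid, browser_shown)
    return False


def honest_login(protocol):
    """No attacker: both protocols log John in."""
    server, john = Server(["FAITH"]), Browser()
    aid = server.login_attempt("john", john)
    if protocol == "yes_no":
        phone_yes_no(server, "john", john.shown, explains_away=False)
    else:
        phone_choose(server, "john", john.shown)
    return server.attempts[aid]["logged_in"]


def run_attack(attack, protocol, explains_away=True):
    """Returns True when the session the attacker controls ends up logged in."""
    server = Server(["FAITH", "ROBIN", "CEDAR"])
    john = Browser(blocked=(attack == "blocking"))
    if attack == "duplicated":
        # The attacker submits John's username from another machine at the same
        # moment, so the attacker's session name reaches John's phone first while
        # John's own browser shows a different name.
        target = server.login_attempt("john", Browser())
        server.login_attempt("john", john)
    else:
        # Blocking: the attacker controls the public computer (or a proxy in front
        # of it) and suppresses the session name; John sees no name at all.
        target = server.login_attempt("john", john)
    if protocol == "yes_no":
        phone_yes_no(server, "john", john.shown, explains_away)
    else:
        phone_choose(server, "john", john.shown)
    return server.attempts[target]["logged_in"]


if __name__ == "__main__":
    for attack in ("duplicated", "blocking"):
        for protocol in ("yes_no", "choose"):
            print(f"{attack:10s} {protocol:7s} attacker logged in: "
                  f"{run_attack(attack, protocol)}")
```

With the yes/no protocol both attacks succeed as soon as the user explains the mismatch or the blank browser away, which is exactly the failure the study recorded; the same user with the same habits cannot complete either attack under the choose-from-list protocol, because the check has become the action itself. In the duplicated run above the browser's name "ROBIN" happens to appear among the decoys on the phone, and the server still refuses, since "ROBIN" is not the name of the attempt being approved; in the study the attacker's list rarely contained the browser's name at all.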