security skins
play

Security Skins: Embedded, Unspoofable Security Indicators Rachna - PowerPoint PPT Presentation

Mar 08, 2024 •150 likes •731 views

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University Talk Outline Why Phishing Works Dynamic Security Skins Embedded Security Indicators Talk

  1. Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University

  2. Talk Outline • Why Phishing Works • Dynamic Security Skins • Embedded Security Indicators

  3. Talk Outline • Why Phishing Works Dhamija, Tygar & Hearst, CHI April 2006 • Dynamic Security Skins • Embedded Security Indicators

  5. Goals of Our Study • To design anti-phishing solutions, we need to understand: – Which attack strategies work? – Who gets fooled – Why?

  6. Cognitive Walkthrough • The goal was to discover knowledge and skills required by users • We evaluated 200 phishing attacks from APWG archive • From this, we developed a set of hypotheses for why users are fooled

  7. Hypotheses Why users are fooled by attacks: 1. Lack of Knowledge a) Computer system knowledge b) Knowledge of security & security indicators 2. Visual Deception a) Visually deceptive text b) Images masking underlying text c) Images that mimic browser chrome d) Windows masking underlying windows e) Deceptive look and feel 3. Bounded Attention a) Lack of attention to security indicators b) Lack of attention to the absence of security indicators

  8. Usability study: how do participants distinguish legitimate websites? • We archived 200 phishing websites – 2 months phishing email from colleagues – 1 week of phishing email from MailFrontier • We showed participants 19 websites in random order – 7 legitimate websites – 9 phishing websites • with varied domain name, type of request, phishing techniques – 3 constructed phishing attacks • (popups, spoofed SSL indicators, …) + 1 website that presents a self-signed certificate • Websites were fully functioning – Several levels deep, same domain name, links, etc.

  9. Study Design • Within-subjects design • Scenario: Imagine that you receive an email message that asks you to click on one of the following links. Imagine that you decide to click on the link to see if it is a legitimate website or a "spoof" (a fraudulent copy of that website). • Talk Aloud study- participants were asked: – Is this site legitimate? – Reasoning & confidence level – Would you give data? – Have you been to this website or have account? • Participants primed to look for spoofs – No deception – Spoof detection rate higher than real-life – If our participants are fooled, real users will be too

  10. Participants • 22 participants – 45% male, 55% female – Age 18-56 – 50% staff, 50% students • Staff: 73% Bachelors, 18% Masters, 9% J.D. • Students: 67% Masters, 18% Masters, 18% Ph.D. – 86% non-technical, 14% technical – Used a variety of OS, browser & email • Recruited by XLab (university service) • $15 participation fee

  11. Study Results: Participant Score Number of Websites Judged Correctly by Each Participant (out of 19 websites) 18 18 16 16 16 15 Number of Websites 14 14 14 13 13 13 12 12 12 12 11 10 10 10 10 9 9 9 8 7 7 6 6 4 2 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 Participant

  12. Study Results: Website Difficulty

  13. Study Results: Confidence Level When Correct

  14. Study Results: Confidence Level When Incorrect Participants are confident, whether correct or incorrect.

  15. Spoof- www.bankofthevvest.com • 91% incorrect • 68% would give data • Convinced by: – “cute” animation – Links to legit pages • Consumer alert • Verisign logo

  16. Spoof- Paypal Screenshot 50% incorrect

  17. XUL Spoof- www.paypal.com 81% incorrect

  18. Real - cib.ibanking-services.com 50% incorrect

  19. Real - www.bankone.com 100% correct

  20. Self-signed SSL Certificate • 15 participants selected “OK” without reading • 3 read & selected “OK”, 2 chose “do not accept”, 2 examined cert • When asked what warning was about: • 18 didn’t know, 3 were incorrect (cookies, passwords, spyware) • only 1 was correct

  21. Certificates Only 1 participant could explain the certificate

  22. What determines participant score? • Score was not significantly associated with – Sex – Age – Level of education – Hours using the computer – Previous use or account with website • Participant knowledge and use of security indicators was a more important factor • We categorized participants into strategy types based on their behavior and responses to our interview questions

  23. Mean Score by Strategy Type Strategy Type 1 performed significantly worse than other types.

  24. Strategy 1: Security Indicators in Website Content 5 participants (23%): • Don’t look at address or status bar • Don’t use URLs – “I never look at the letters and numbers up there. I’m not sure what they are supposed to say”. – Can’t distinguish different sites • Rely on images, logos, links and security warnings – “Why would a phishing site have a phishing warning?”

  25. Strategy 2: Website Content & Address Only 8 participants (36%): • Notice IP address • Notice when domain changes • Don’t notice SSL indicators

  26. Strategy 3: Content & Address + HTTPS 2 participants (9%): • Can distinguish HTTP & HTTPS • Don’t use SSL lock icon in status bar – “It is too far away and out of my peripheral vision”

  27. Strategy 4: Content + Address + HTTPS + lock icon 5 participants (23%): • Use website content, address, https and lock icon

  28. Strategy 5: Also Check Certificates 2 participants (9%): • Use content, address, SSL indicators, and also check certificates.

  29. Additional Strategies • 2 participants were only suspicious if more than password and username were requested – 1 entered usernames and passwords to see if she had an account (in study & real life) • “What’s the harm? Passwords are not dangerous to give like money information is” (Type 1, Score 7) • 1 participant confirmed every website by Yahoo search (Type 4, Score 18)

  30. We confirmed our hypotheses & added 2 new ones Why users are fooled by attacks: 1. Lack of Knowledge a) Computer system knowledge b) Knowledge of security & security indicators c) Knowledge of web fraud d) Erroneous security knowledge 2. Visual Deception a) Visually deceptive text b) Images masking underlying text c) Images that mimic browser chrome d) Windows masking underlying windows e) Deceptive look and feel 3. Bounded Attention a) Lack of attention to security indicators b) Lack of attention to the absence of security indicators

  31. Summary of Results • Even though participants were informed & motivated, good phishing sites fooled 90% • Existing anti-phishing browsing cues are ineffective. • Cues are not noticed - 60% ignored SSL indicators - 68% clicked OK on warning notice w/o reading • Cues are not understood • Cues are trivial to spoof

  32. Conclusions • We need a different approach for usable security design – Security is a secondary goal – Users misplace trust in logos and indicators – Assume that uniform graphic designs will be copied! – Indicators placed in the periphery may be ignored – Designers should “spoof” own designs in user testing

  33. Talk Outline • Why Phishing Works • Dynamic Security Skins • Embedded Security Indicators

  34. Talk Outline • Why Phishing Works • Dynamic Security Skins Dhamija & Tygar, SOUPS 05 • Embedded Security Indicators

  35. Review: Password Authenticated Key Exchange • Many protocols exist (EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc…) • The paper discusses one, SRP Password Verifier

  36. Review: Password Authenticated Key Exchange • Many protocols exist (EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc…) • The paper discusses one, SRP Password Protocol

  37. Review: Password Authenticated Key Exchange • Many protocols exist (EKE, SPEKE, SNAPI, AuthA, PAK, SRP, etc…) • The paper discusses one, SRP Password Protocol • Summary of advantages of SRP: – user authentication & mutual authentication – preserve familiar use of passwords • secret stored in memory of the user • user doesn’t need a trusted device – no passwords sent over the network – server doesn’t store password

  38. But protocols alone won’t stop phishing! Password entry mechanism can be spoofed.

  39. Dynamic Security Skins Usability Goals • Preserve familiar use of passwords • User must be able to verify password prompt, before entering password • Rely on human skills – To login, recognize 1 image & recall 1 password (for any # of servers) – To verify server, compare 2 images • Hard to spoof security indicators

  40. Dynamic Security Skins Password Window • Mozilla Firefox extension • Trusted window, dedicated to password entry • Trusted path  one-time customization • Random photo assigned or chosen • Image overlaid across window – and over textboxes • User recognizes image first – then enters password • Password not sent to server

  41. Usability Study – Think aloud, informal study • Do users understand concept? • Can users enter password? • Will users check images? • Do users notice spoofs? • Step 1: Select personal image

  42. Password Window Displays Personal Image

Recommend

Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29

Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29

Please turn off your mobile phone Banana Skins : The risks facing the microfinance industry 29 th Midi de linclusion financire Micr Microfinanc ofinance Ba e Banana nana Skins 20 Skins 2014 14 What are the main risks the industry is

403 views • 36 slides
Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei

Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei

Nuclear radii in density functional theory Witold Nazarewicz (FRIB/MSU) Neutron Skins in Nuclei MITP, Mainz,, May 17-27, 2016 Perspective Theoretical strategies Nuclear DFT Radii, skins, and halos Uncertainty

717 views • 34 slides
New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk Ecole Polytechnique & CEA Saclay Based on: arXiv:1203.6064 with M. Paulos, D. Poland, S. Rychkov, D. Simmons-Duffin, A. Vichi

634 views • 41 slides
Petite Pearl (TP 2-1-24) -Berry 2g; cluster 85-140g; very dense -Thick skins; resistance to

Petite Pearl (TP 2-1-24) -Berry 2g; cluster 85-140g; very dense -Thick skins; resistance to

Petite Pearl (TP 2-1-24) -Berry 2g; cluster 85-140g; very dense -Thick skins; resistance to mildew and splitting -Good winter hardiness over many years; Zone 4b and favored sites in 4a. -Late budbreak in spring; secondary buds nearly as

90 views • 8 slides
New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk CEA

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk CEA

New Skins for an Old Ceremony The Conformal Bootstrap and the Ising Model Sheer El-Showk CEA Saclay Based on: arXiv:1203.6064 with M. Paulos, D. Poland, S. Rychkov, D. Simmons-Duffin, A. Vichi arXiv:1211.XXXX with M. Paulos November 8, 2012

910 views • 37 slides
A Transcriptomic Comparison of Late- Ripening Cabernet Sauvignon Berry Skins from Bordeaux and

A Transcriptomic Comparison of Late- Ripening Cabernet Sauvignon Berry Skins from Bordeaux and

A Transcriptomic Comparison of Late- Ripening Cabernet Sauvignon Berry Skins from Bordeaux and Reno Grant R. Cramer Department of Biochemistry and Molecular Biology University of Nevada, Reno Talk Outline Experimental conditions

322 views • 10 slides
B. Transparent, Credible and Practical C. Acknowledge A review of the trade in Southeast

B. Transparent, Credible and Practical C. Acknowledge A review of the trade in Southeast

SUSTAINABLE TRADE: EXPLORING RELIABLE TRACEABILITY SYSTEMS FOR MANAGING TRADE OF PYTHON SKINS A. Participatory and Inclusive B. Transparent, Credible and Practical C. Acknowledge A review of the trade in Southeast Asian Python Skins

699 views • 41 slides
The child maintenance service A banana-skins edition James Pirrie jp@flip.co.uk Jul 2018

The child maintenance service A banana-skins edition James Pirrie jp@flip.co.uk Jul 2018

The child maintenance service A banana-skins edition James Pirrie jp@flip.co.uk Jul 2018 Scenarios we come across Yes? 1) Doing a maintenance deal in our court cases: 1) What should we expect from the CMS? 2) Can we structure our

773 views • 66 slides
No -one pours new wine into old wineskins. If he does, the wine will burst the skins, and both

No -one pours new wine into old wineskins. If he does, the wine will burst the skins, and both

No -one pours new wine into old wineskins. If he does, the wine will burst the skins, and both the wine and the wineskins will be ruined. No, he pours new wine into new wineskins." Mark 2:22 Building Relationship So then each of us

266 views • 15 slides
Stone Knives and Bear Skins: Why does the Internet still run on pre-historic cryptography? Eric

Stone Knives and Bear Skins: Why does the Internet still run on pre-historic cryptography? Eric

Stone Knives and Bear Skins: Why does the Internet still run on pre-historic cryptography? Eric Rescorla ekr@rtfm.com Indocrypt 2011 Indocrypt 2011 Eric Rescorla 1 Overview Our cryptographic protocols use ancient algorithms In many

860 views • 57 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

336 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

459 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann & Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday & Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

644 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

716 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides

More recommend