usable security
play

Usable Security Fall 2017 Franziska (Franzi) Roesner - PowerPoint PPT Presentation

Nov 01, 2023 •362 likes •715 views

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Poor Usability Causes Problems si.ed u 12/4/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 12/4/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Usable Security Roadmap • 2 case studies – Phishing – SSL warnings • Step back: root causes of usability problems, and how to address 12/4/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. Case Study #1: Phishing • Design question: How do you help users avoid falling for phishing sites? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. A Typical Phishing Page Weird URL http instead of https 12/4/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. Safe to Type Your Password? “Picture-in-picture attacks” Trained users are more likely to fall victim to this! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. Experiments at Indiana University • Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster • Sent 921 Indiana University students a spoofed email that appeared to come from their friend • Email redirected to a spoofed site inviting the user to enter his/her secure university credentials – Domain name clearly distinct from indiana.edu • 72% of students entered their real credentials into the spoofed site 12/4/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. More Details • Control group: 15 of 94 (16%) entered personal information • Social group: 349 of 487 (72%) entered personal information • 70% of responses within first 12 hours • Adversary wins by gaining users’ trust • Also: If a site looks “professional”, people likely to believe that it is legitimate 12/4/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. Phishing Warnings Active (Firefox) Passive (IE) Active (IE) 12/4/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. [Egelman et al.] Are Phishing Warnings Effective? • CMU study of 60 users • Asked to make eBay and Amazon purchases • All were sent phishing messages in addition to the real purchase confirmations • Goal: compare active and passive warnings 12/4/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. [Egelman et al.] Active vs. Passive Warnings • Active warnings significantly more effective – Passive (IE): 100% clicked, 90% phished – Active (IE): 95% clicked, 45% phished – Active (Firefox): 100% clicked, 0% phished Passive (IE) Active (IE) Active (Firefox) 12/4/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. [Egelman et al.] User Response to Warnings • Some fail to notice warnings entirely – Passive warning takes a couple of seconds to appear; if user starts typing, his keystrokes dismiss the warning • Some saw the warning, closed the window, went back to email, clicked links again, were presented with the same warnings… repeated 4-5 times – Conclusion: “ website is not working ” – Users never bothered to read the warnings, but were still prevented from visiting the phishing site – Active warnings work! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. [Egelman et al.] Why Do Users Ignore Warnings? • Don’t trust the warning – “ Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad ” • Ignore warning because it’s familiar (IE users) – “ Oh, I always ignore those ” – “ Looked like warnings I see at work which I know to ignore ” – “ I thought that the warnings were some usual ones displayed by IE ” – “ My own PC constantly bombards me with similar messages ” 12/4/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. Site Authentication Image (SiteKey) If you don’t recognize your personalized SiteKey, don’t enter your Passcode 12/4/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. Case Study #2: Browser SSL Warnings • Design question 1: How to indicate encrypted connections to users? • Design question 2: How to alert the user if a site’s SSL certificate is untrusted? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. The Lock Icon • Goal: identify secure connection – SSL/TLS is being used between client and server to protect against active network attacker • Lock icon should only be shown when the page is secure against network attacker – Semantics subtle and not widely understood by users – Whose certificate is it?? – Problem in user interface design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. [Moxie Marlinspike] Will You Notice? Þ Clever favicon inserted by network attacker 12/4/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Do These Indicators Help? • “The Emperor’s New Security Indicators” – http://www.usablesecurity.org/emperor/emperor.pdf Users don’t notice the absence of indicators! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. Latest Design in Chrome 12/4/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. [Felt et al.] Firefox vs. Chrome Warning 33% vs. 70% clickthrough rate 12/4/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 26

  27. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 27

  28. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 28

  29. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 29

  30. [Felt et al.] Opinionated Design Helps! Adherence N 30.9% 4,551 12/4/17 CSE 484 / CSE M 584 - Fall 2017 30

  31. [Felt et al.] Opinionated Design Helps! Adherence N Adherence N 30.9% 30.9% 4,551 4,551 32.1% 4,075 32.1% 4,075 58.3% 4,644 12/4/17 CSE 484 / CSE M 584 - Fall 2017 31

  32. [Felt et al.] Challenge: Meaningful Warnings 12/4/17 CSE 484 / CSE M 584 - Fall 2017 32

  33. Stepping Back: Root Causes? • Computer systems are complex; users lack intuition • Users in charge of managing own devices – Unlike other complex systems, like healthcare or cars. • Hard to gauge risks – “It won’t happen to me!” • Annoying, awkward, difficult • Social issues – Send encrypted emails about lunch?... 12/4/17 CSE 484 / CSE M 584 - Fall 2017 33

  34. How to Improve? • Security education and training • Help users build accurate mental models • Make security invisible • Make security the least-resistance path • …? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 34

Recommend

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security (CUPS) Lab Carnegie Mellon University 2 Personalization 3 Cross-System Personalization 4 Cross-System Personalization 5 Cross-System

310 views • 18 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 Todays class Introducing me Introducing you Human Factors for Security and

985 views • 82 slides
The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to Verifying their Vote Workshop on Usable Security 2/23/2014 Usable Security Lab Jurlind Budurushi, Marcel Woide and Melanie Volkamer Crypto Lab Current

217 views • 19 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi, Aditi Shah, Bharath Subramanian, and Sauvik Das The Sixteenth Symposium on Usable Privacy and Security August 7th - 11th, 2020 High attention levels

1.03k views • 6 slides
Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in Secure Systems Engineering lersse.ece.ubc.ca Electrical and Computer

348 views • 9 slides
RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications and Networking July 1, 2016 Group DFAR Conclusion 2 / 22 Stephan Sigg RF-based DFAR and implicit ad-hoc usable security Group DFAR Conclusion

824 views • 37 slides
Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization

Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization

Seeing Further: Extending Seeing Further: Extending Visualization as a Basis for Visualization as a Basis for Usable Security Usable Security Jennifer Rode, Carolina Johansson , Paul DiGioia, Roberto Silva Filho, Jennifer Rode,

327 views • 30 slides
Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible Method Results A theory of security culture for secure and usable

Making the invisible visible S. Faily, I. Flchais Introduction Making the invisible visible Method Results A theory of security culture for secure and usable grids Cases What is Security Culture? Guidelines Future work S. Faily I.

692 views • 17 slides
Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of

Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of

Usable Security Raise the bar with implicit device pairing Stephan Sigg Department of Communications and Networking Aalto University, School of Electrical Engineering stephan.sigg@aalto.fi 09.10.2017 MEMORY IS A LIMITED RESOURCE Stephan

331 views • 13 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 The human threat Malicious humans Humans who dont know what to do

569 views • 38 slides
Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy, Sean Smith Institute for Security Technology Studies Department of Computer Science Dartmouth College Sergey Bratus, Alex Ferguson, Doug McIlroy,

482 views • 33 slides
Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy,

Pastures: Towards Usable Security Policy Engineering Sergey Bratus, Alex Ferguson, Doug McIlroy, Sean Smith Institute for Security Technology Studies Department of Computer Science Dartmouth College Sergey Bratus, Alex Ferguson, Doug McIlroy,

739 views • 29 slides
Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security

Introduction to Human Computer Interaction Course on NPTEL, Spring 2018 Week 7 Usable Security Ponnurangam Kumaraguru (PK) Associate Professor ACM Distinguished & TEDx Speaker Linkedin/in/ponguru/ 1 fb/ponnurangam.kumaraguru,

949 views • 60 slides

More recommend