CUPS Blog Thank You For Attending SOUPS 2008!

Some photos from Mez of SOUPS 2008

Mostly social stuff

http://www.flickr.com/photos/8391807@N05/sets/72157600254522816/

Tylenol ibuprophen opiate ultram 784. Tylenol And Dogs aleve active ingrdients
soma technology Cheap Tramadol Cod soma coupons!
tramadol additiction Celebrex And Weight Gain tramadol dog no prescription;
tylenol ld50 Infants Tylenol denver celebrex attorneys
“celebrex law suits” Cheap Tramadol No Prescription Trauma soma ultram pain reliever 391.
tylenol and new dangers Tramadol Cod Saturday Delivery ultram er 200 mg
tylenol migraine Tylenol Allergy Complete tylenol pm and pregnancy
tramadol hcl-acetaminophen par weight? Baby Tylenol tramadol teaching,
pregnant women on imuran Tylenol 4 aleve and tremors!
ultram withdraw Celebrex 200mg taking mobic
tramadol generic ultram Tramadol Pee Test tylenol vs ibuprofen!
soma stores? Tylenol Brand Scholarship tramadol vets
tramadol dogs dose Soma Records “ingredients in tylenol pm”
soma 350mg Die From Tylenol Pm soma 120
“no name tylenol ingredients” Tramadol 100mg 180 pills called soma
celebrex 200 Tylenol With Codeine 3 “inject tramadol capsules”
deltasone prednisone Soma Cube Shapes soma fm cryosleep
soma ingredients, Soma By Chicos very cheap tramadol
pregnancy tylenol Celebrex Chemotherapy Colon Cancer abuse celebrex
soma watson brand Advil Vs Tylenol tegretol medication
tylenol pm every night Celebrex Lawyer Texas giving dogs tylenol
ultram er medication; Tylenol And Precautions tizanidine migraine

Try The Preference-Based Authentication Demo

Dear all,

It’s nice to present our poster at SOUPS. Welcome to try our demo on preference-based authentication. Any comments will be appreciated.

http://blue-moon-authentication.com/

For more details, see http://I-forgot-my-password.com

Liu

aleve active ingrdients Tramadol Bipolar soma technology
soma coupons! Soma Moustache Handlebar tramadol additiction
tramadol dog no prescription; Soma Drug History tylenol ld50
denver celebrex attorneys Order Tramadol Using Cod “celebrex law suits”
Trauma soma ultram pain reliever 391. Tramadol Description tylenol and new dangers
ultram er 200 mg Tylenol Go Tabs tylenol migraine
tylenol pm and pregnancy Zanaflex Medication tramadol hcl-acetaminophen par weight?
tramadol teaching, Cheapest Soma Online pregnant women on imuran
aleve and tremors! Cheap Fedex Tramadol ultram withdraw
taking mobic Naprosyn Information tramadol generic ultram
tylenol vs ibuprofen! Aleve D soma stores?
tramadol vets Tramadol Additiction tramadol dogs dose
“ingredients in tylenol pm” Infant Tylenol Overdose soma 350mg
soma 120 Imuran And Febrile Illness “no name tylenol ingredients”
pills called soma Imuran And Fertility celebrex 200
“inject tramadol capsules” Tramadol 377 deltasone prednisone
soma fm cryosleep Aleve Overdose Symptoms soma ingredients,
very cheap tramadol Soma Chico pregnancy tylenol
abuse celebrex Heroin And Tylenol Pm soma watson brand
tegretol medication Soma Diesel Flowering Time tylenol pm every night
giving dogs tylenol Soma Airmail ultram er medication;
tizanidine migraine Celebrex Drug Info aleve active ingrdients

PCI Regulation Discussion Summary

PCI DSS is Payment Card Industry Data Security Standard, a collaborative effort to achieve a common set of security standards for use by entities that process, store, or transport payment card data. This applies to: all merchants that “store, process, or transmit cardholder data” and all payment channels including brick-and-mortar, mail, telephone, and e-commerce.

PCI Standards

• Install and maintain a firewall configuration to protect card holder data
• Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect stored cardholder data
• Encrypt transmission of cardholder data across open, public networks
• Use and regularly update anti-virus software
• Develop and maintain secure systems and applications
• Restrict Access to cardholder data by business need-to-know
• Assign a unique ID to each person with computer access
• Restrict physical access to cardholder data
• Track and monitor all access to network resources and cardholder data
• Regularly test security systems and processes
• Maintain a policy that address information security

PCI Winners & Losers
The winners will be Visa, MasterCard, and others, Consulting and security firms, and possibly (though this has not been determined) consumers. The merchants certainly lose.

PCI Complicance
Air France is currently undergoing a multi-million dollar effort to comply with PCI. It is attempting to reduce the number of applications that use credit cards, record processing requirements, and are implementing encryption and PCI storage in the network.

Some questions raised involve liability issues, for example who to assign liability to when fraud happens. Also it is unclear how outsourcing will effect security and compliance with PCI.

soma technology Arcoxia R soma coupons!
tramadol additiction Ordering Ultram tramadol dog no prescription;
tylenol ld50 Tramadol Medication denver celebrex attorneys
“celebrex law suits” Addiction To Tramadol Trauma soma ultram pain reliever 391.
tylenol and new dangers Is There Benzoin Soma ultram er 200 mg
tylenol migraine Ultram No Prescription tylenol pm and pregnancy
tramadol hcl-acetaminophen par weight? Soma Cheap Cod tramadol teaching,
pregnant women on imuran Soma In San Diego aleve and tremors!
ultram withdraw Soma Methodone taking mobic
tramadol generic ultram Tylenol Scholarships tylenol vs ibuprofen!
soma stores? Soma Pill tramadol vets
tramadol dogs dose Pain Medication Ultram “ingredients in tylenol pm”
soma 350mg Buy Cheap Tramadol Online soma 120
“no name tylenol ingredients” Give A Dog Tylenol pills called soma
celebrex 200 Remove Tylenol From Hydrocodone “inject tramadol capsules”
deltasone prednisone Celebrex Taken Off Market soma fm cryosleep
soma ingredients, Mobic Indications very cheap tramadol
pregnancy tylenol Nimesulide Tizanidine abuse celebrex
soma watson brand Naprosyn Gel tegretol medication
tylenol pm every night Buy Cheap Online Soma giving dogs tylenol
ultram er medication; Tylenol And Infants tizanidine migraine
aleve active ingrdients Tylenol Sleep Aid soma technology

More SOUPS blogs at usablesecurity.com

You will find more SOUPS blog entires at usablesecurity.com.

Analyzing Websites for User-Visible Security Design Flaws

Study

-chose not to examine bugs or browser flaws

-Analyzed a combination of 214 websites(mostly banks)

Demo:

-Login on insecure pages

-Contact information on insecure pages

Should this be a concern?

-exploits would not be straightforward, but attackers are becoming more organized

Use of Third-Party Sites

-break in chain of trust

Demo:

-transition to third party site

Policies on User Ids and Passwords

-inadequate or unclear policies for user ids and passwords

Ambiguity in Policies

-emailing security sensitive information

Results

-significant number of sites have login design flaws (47%)

Limitations of Study

-may have failed to completely retrieve all relevant pages

-Only looked financial intitutions in US

-used heuristics for automated analysis

Usability Lessons for WebSites

-stay on the same host name

-if not keep on same domain

-else make “proper introduction”

-use SSL throughout the site

tramadol additiction Celebrex Dose tramadol dog no prescription;
tylenol ld50 Tylenol With Codine denver celebrex attorneys
“celebrex law suits” Cod Soma Watson Trauma soma ultram pain reliever 391.
tylenol and new dangers Celebrex Alternative ultram er 200 mg
tylenol migraine Celebrex Amd Menstrual Pain tylenol pm and pregnancy
tramadol hcl-acetaminophen par weight? Tegretol Actions tramadol teaching,
pregnant women on imuran Tylenol And Breastfeeding aleve and tremors!
ultram withdraw Buy Tylenol With Codiene taking mobic
tramadol generic ultram Buy Tylenol 3 tylenol vs ibuprofen!
soma stores? Drug Tramadol tramadol vets
tramadol dogs dose Soma Collection Chelsea “ingredients in tylenol pm”
soma 350mg Zanaflex 2mg soma 120
“no name tylenol ingredients” Tramadol Safe During Pregnancy pills called soma
celebrex 200 Soma Half Ironman 2007 “inject tramadol capsules”
deltasone prednisone Tramadol Fedex Cod soma fm cryosleep
soma ingredients, Ultram Euphoria very cheap tramadol
pregnancy tylenol Dolor Ibuprofeno Tramadol abuse celebrex
soma watson brand Soma Smoothie Es tegretol medication
tylenol pm every night Tylenol Scholarship Fund giving dogs tylenol
ultram er medication; Tylenol Nascar Online Contest tizanidine migraine
aleve active ingrdients Celebrex Lawyers Houston soma technology
soma coupons! Celebrex Vs Bextra tramadol additiction

Discussion notes - Metrics for Characterizing Research Participants’ Technical Knowledge

Summary from the discussion Metrics for Characterizing Research Participants’ Technical Knowledge:

- Background with some studies and criteria that they used
- Participants agreed that there needs to be a metric but it is not clear whether there can be one-size-fit-all
- Conduct a large study among different types of users and then decide on what type of questions can be used for specific study
- Suggestion on looking on users’ behavior to classify technical or novice (e.g. using short cut keys)
- Some questions that we agreed on which we may use in the future studies
- Are you technical or non-technical?
- Why do you think you are technical or non-technical?
- What is your educational background?

tramadol dog no prescription; Soma Drug Toxicity tylenol ld50
denver celebrex attorneys Soma Inexpensive “celebrex law suits”
Trauma soma ultram pain reliever 391. Tramadol Best Price tylenol and new dangers
ultram er 200 mg Xanax And Soma Interaction tylenol migraine
tylenol pm and pregnancy Buying Soma Online tramadol hcl-acetaminophen par weight?
tramadol teaching, Nascar Stop Team Tylenol pregnant women on imuran
aleve and tremors! Celebrex Drug Prescription ultram withdraw
taking mobic Buy Tramadol Cod tramadol generic ultram
tylenol vs ibuprofen! Tylenol 8 Hour soma stores?
tramadol vets Aspirin Vs Tylenol tramadol dogs dose
“ingredients in tylenol pm” Drug Formulations Tylenol 3 soma 350mg
soma 120 Buy Tramadol No Prescription “no name tylenol ingredients”
pills called soma Tylenol Overdose Symptoms celebrex 200
“inject tramadol capsules” Tramadol Cod 89.00 deltasone prednisone
soma fm cryosleep Dogs Ibuprofen Tylenol Aspirin soma ingredients,
very cheap tramadol Generic Soma Online pregnancy tylenol
abuse celebrex Tramadol In Breastmilk soma watson brand
tegretol medication Buy Soma Drug Cheap tylenol pm every night
giving dogs tylenol Ingrdients Tylenol P M ultram er medication;
tizanidine migraine Tylenol Scandal aleve active ingrdients
soma technology Tramadol Drug Interactions soma coupons!
tramadol additiction Cold Medicine Without Tylenol tramadol dog no prescription;

Use Your Illusion: Secure Authentication Usable Anywhere

Eiji Hayashi

Nicolas Christin

Rachna Dhamija

Adria Perrig

Graphical Authentication

• Passfaces - Faces are used as graphical portfolio
• Pass Points - Use “a sequence of clicks” as a shared secret
• DAS (Draw-A-Secret) -
• Deja vu

Graphical Portfolio

• If user chooses portfolio, easy to remember
• If it’s random, users have difficult remembering picture

Use your Illusion

1. Allow users to take/choose picture by themselves
2. Distort pictures
3. Assign the distorted pictures as graphical portfolio

Requirement for Distortion

• One-way
• Discarding precise shapes and colors
• Preserving rough shapes and colors

Oil Paintings are used

Distortion level

• If high, difficult to guess, but difficult to memorize
• If low, easy to memorize, but easy to guess

Low Fidelity Test - Show most distorted imagine then ask user to guess image. If user does not know, continue showing less distorted images.

Also ask user at which point / distorted image he can’t recognize the image is a dog.

Prototype

• Implemented on Nokia’s cell-phone
• Also on the web

1st Usability Test

• 45 Participant were divided into 3 groups
• Self-selected, Non-distorted - Mean was around 20 sec
• self-selected, distorted - 20sec
• Imposed, Highly-distorted - 70 sec

Process of Memorization

• Participants assign meanings to distorted images
• Assigning meanings helps memorization

2nd test

• 54 participants were divided into 3 groups
• self-selected, non-distorted
• self-selected, distorted
• imposed, distorted

Future Work

• Detailed usability test
• long term test
• find an optimal distortion
• investigate a metric evaluating distortion level

Assigning meaning helps memorization

Securing Passfaces for Description

Paul Dunphy, James Nicholson and Patrick Olivier

Study 1:

• 18 participants (9m, 9f) , 45 faces (27f, 18m)
• Record descriptions of 15 faces each
• Results: Females made longer descriptions, used more words to describe them

Study 2:

• 56 partcipants (31m, 25f)
• Within-subject with conditions:
  • Random decoys
  • Visually similar decoys (used a separate set of participants to group similar matches)
  • Descriptively similar decoys
• Task: participant to choose 5 correct passfaces from descriptions to login.
• Results:
  • Average score in random condition best
  • 9% of logins were successful (7 in random, 5 in visual, 1 in verbal).

Discussion

• Decoy grouping effective
• Overall login success low
• Is there an impact on memorability/shoulder surfing?
• What about related graphical schemes?

SOUPS in the News.

SOUPS gets lots of press each year and we will be collecting as we see it in this post.

Analyzing Websites for User-Visible Security Design Flaws by Laura Falk, Atul Prakash and Kevin Borders has already been cited in a number of articles and posts including:

• Information Week: Most Bank Sites Are Insecure
• Slashdot: Most Bank Websites Are Insecure
• Network World: Bank Web sites full of security holes, University of Michigan survey finds
• Ars.Technica: Study: websites of financial institutions insecure by design

Security Questions in the Facebook Era

Ari Rabkin

Summary: Due to an environment where information sharing is common, security questions are becoming easier and easier to attack. What to do? Redesign security questions so that they are not easily attackable.  Add additional elements (i.e. audio or video) that can still be easy for the user to remember, but unique to the user.

Security questions assume there is an information asymmetry between the attacker and the user.

Def:
Security Question - Ask user something
Secret question - Ask for a secret fact
Personal security question - Ask about something meaningful to user (NOT SECRET)

The problem:
Security for personal sec. Q is based on
- Information retrieval hardness assumptions and security assumptions
But IR is improving rapidly
- Humans like to talk about themselves and share info
- Hard to know what an attacker might know

User Study Context:
Online Banking

Study
- Looked at forgotten password mechanisms at 20 banks
- Checked to see if the mechanism recognized hosts

Credit Unions do not do lost passwords

Classification:
- Guessable (Can guess more than 1% of the time)
- Automatically attackable (Info on Facebook)
- Human Attackable (Get answer from blogs/Internet, CV)

Popular Topics
- Family
Relatives, life events
- Preferences
Favorite books, movies, etc
- Name of first pet
-Favorite sports team
-Grandmother’s first name
-High school mascot

Quck fixes:
- Limit guessability by rejecting overly common answers
- Ask questions w/ secure answers
- remove weakest questions
- Use CAPTCHAS
- Warn users to pick good question

Deeper fixes:
- Ask Qs users can’t disclose answer to
- Recognition-based instead of recall
-Try to imbed media into questions?
- Ask about images, audio, etc to make it more difficult

Takeaways:
- Many security questions are week, and getting weaker.
- Research needed to keep up