More blog posts at usablesecurity.com
There are more SOUPS 2009 blog posts available at usablesecurity.com.
About
CUPS is the Carnegie Mellon Usable Privacy & Security Lab, which is presently hosting SOUPS the Symposium on Usable Privacy & Security at Google in Mountain View, CA.
Netalyzr
When security people want to measure the network?
The speaker’s group built a system called Netalyzr which tests “your Internet connection for signs of trouble.” The application tests for many different things to determine whether anything is sitting between the user and the Internet. The tests are specifically intended to push boundaries and send back inconsistent responses to gather information on what is sitting on the connection. Some of the things tested for are:
The list of websites that Netalyzr checks connectivity to was generated by a set of security researchers “thinking evil.” Sites like IM chat clients and search pages may be proxied to harvest passwords. The tool has produced some interesting findings. For example, one ISP redirects to a proxy of Google’s web page.
Netalyzr needs some usability work in how to explain some of the results to normal users. Things such as buffering in conjunction with BitTorrent and Skype can result in latencies that can confuse end users.
Security in my Everyday life
The speaker spent this section talking about the complex set of financial protocols he uses for his everyday life.
(Blogger note: Check out the Personal Data Privacy blog for tips on how to do security for normal people.)
Passwords
Someone please fix passwords! I don’t like remembering them. I don’t like RSA keys. I love SSH, but typing the password into it is dangerous because if someone compromised the server they have my password. As a result I always use public key authentication. I also use agent key forwarding even though I know it is horribly insecure for similar reasons.
The speaker stores his passwords in his wallet because his wallet is almost never stolen and he is not too concerned about losing it. An audience member also comments that the passwords are probably the least valuable thing in your wallet if it is lost.
Credit Cards
The speaker is not too concerned about credit cards and he uses them for most of his purchases. He is not concerned because he is not the one who takes the damage.
An audience member commented that in Europe the laws are different and that the burden and risk are on the user. In the UK there is a law that states that you have protection if you use the credit card online. If chip and PIN is used then it is the consumer that is on the line. If it goes through the chip and PIN network then the burden is on the user to prove the charge was fraudulent. However, chip and PIN cards also have a magnetic stripe to use if no chip and PIN system is available. An audience member says they had a chip and PIN card cloned and used in another country through the magnetic stripe, and in that case they were not considered to be liable. The speaker commented that if he were forced to use such a card, where the damages and responsibility are on the user, he would either 1) always pay cash or 2) put it in the microwave.
Debit Cards
The speaker is very concerned about debit cards and is very selective about where he uses one. He also always checks ATMs for any sign of tampering. This is because, though he may not be liable eventually, his money is at stake initially, which is a strong motivator.
Online Banking
The speaker doesn’t do online banking. All bills are paid by mail because even though it is not overly secure it is an O(n) attack that requires physical access to the letter. Sometimes I pay via phone with a credit card.
Audience Discussion
There is general audience disagreement that the use of checks is more usable than using a credit card. The speaker argues that the use of checks is the result of a cost benefit analysis of the security risks and implementation costs and he is deliberately sacrificing usability in this case to gain security.
We are here because security is difficult and because it is not usable. The speaker would like to do banking online but he needs a secure channel where he can personally verify every single transaction, because there is always a non-zero chance that the host is compromised, especially on public terminals. He wants a push button that approves a transaction only when the user expressly pushes it. An audience member comments that this is very difficult from a usability standpoint because you have to install software on the user’s machine.
The Think Evil tutorial (slides) talks about how attackers and defenders react to each other.
Intro/Casinos
As a first example we looked at casino cheating. Casinos have an interesting problem because 1) money is involved 2) there is no hope of negotiating with the attackers 3) determining the difference between a good and bad player is hard.
Card counting works and puts the odds in the player’s favor, but it also makes the pattern of play more regular. This can be detected by watching a player’s pattern over time. Antivirus does something similar: it recognizes the patterns of known viruses, allowing it to block bad things. Similarly, host-based IDS recognizes good things and allows them. However, to do this you need to be able to differentiate “bad” from “good”.
Casinos have several defenses to even the odds back out. Two examples are reshuffling more often and using more decks both of which make it harder for card counters to get good enough odds. Windows XP used to be very open until someone wrote the Blaster worm. Then Microsoft released Service Pack 2 which turned all services off by default.
Casinos also sometimes just do nothing; many card counters are not good enough to bother about. In fact, card counters who are bad at card counting are a good thing, since they think they can win, which is exactly what casinos love. Security sometimes takes a similar view. If the cost of defending against something is more expensive than the thing being defended, then it is not worth it.
The MIT Card-Counting ring made the observation that casinos look for individual players not groups. So they did card counting in groups. This works well because they are attacking the pattern matching strategy. Mimicry attacks are where the attacker makes their behavior look like known good behavior. The attacker can also use evasion where the defender is looking for known bad behavior so the attacker makes their behavior look different than the known bad. The goal of defense is to have complete coverage of all bad behavior. This is why anti virus companies are shifting towards exploit identification not signature identification because it is more general. MIT also made use of the fact that their attack was novel. It takes time for a security program to adapt to a new type of attack.
Roulette has an attack called “pastposting” where you change your bet after the ball has already landed. An anti-pastposting roulette wheel was invented to prevent pastposting by raising an alarm if the bets are changed. To beat the system the players can mimic drunken players and continuously trigger the alarm until the dealer turns it off. Attackers can use malicious false positives to cause defenders to turn off alarms or start ignoring them. Reactions have a cost; the attacker may simply want to cost the defenders time, money or annoyance.
Even worse, the dealer could be corrupt. If the attackers are friends with the dealer, the dealer can do many things to make the players more “lucky.” Insider attacks are a security nightmare because the insider must be trusted and has insider knowledge of the system. Insiders are also people, who have all sorts of human weaknesses. There was a study where researchers traded candy for passwords (Note: those passwords were never verified). Casinos have cameras not just to watch customers but also to watch the dealers.
Some casinos are experimenting with RFID tags in the chips. This lets them track the chips around the casino and identify players that are winning or losing.
You can win at Roulette because it is not a random process. Thorp also commented on this. If bets are allowed after the time the ball is thrown then you can use the phase and velocity of the ball and the wheel to predict where the ball will land. This works 40% of the time. Someone else also created a cell phone app that did this. In response the casinos made this illegal. Changing the attackers cost benefit analysis can also be used as a defense.
People
People are self-interested and typically act in their own self interest, if they understand their self interest. Each attacker has their own self interest and those interests can be very different.
You should always model an adversary as someone who is creative and innovative. Don’t underestimate your opponent. Security researchers get into a rat hole on tactics too early. Security experts spend too much time securing the door and don’t consider that the attacker wants something in the room, is uninterested in attacking the door, and may just break a window.
Welcome to a new year and a new gathering of SOUPS, the Symposium on Usable Privacy and Security. This year, our fifth, we have relocated from the sunny hills of Pittsburgh, Pennsylvania to the sunny Google campus in Mountain View, California.
For the next three days you will have an opportunity to hear from people doing cutting edge research as well as from industry on their first-hand experiences with usable privacy and security challenges. Our two tutorials for the day are both already underway: Designing and Evaluating Usable Security and Privacy Technology and Think Evil ™, and we will have more in-depth reports on those soon, here.
If you are interested in posting to this blog, just click the Register link above, and your account will shortly be upgraded so you can post your notes & thoughts from SOUPS 2009. Tag your SOUPS photos with soups09 and we will pull those in (but remember no pictures anywhere inside any Google buildings) and finally our tweets are already streaming in, just use the #soups hashtag to engage in the SOUPS discussion on twitter.
Mostly social stuff
http://www.flickr.com/photos/8391807@N05/sets/72157600254522816/
Dear all,
It’s nice to present our poster at SOUPS. You are welcome to try our demo on preference-based authentication. Any comments will be appreciated.
http://blue-moon-authentication.com/
For more details, see http://I-forgot-my-password.com
Liu
PCI DSS is Payment Card Industry Data Security Standard, a collaborative effort to achieve a common set of security standards for use by entities that process, store, or transport payment card data. This applies to: all merchants that “store, process, or transmit cardholder data” and all payment channels including brick-and-mortar, mail, telephone, and e-commerce.
PCI Standards
PCI Winners & Losers
The winners will be Visa, MasterCard, and others, Consulting and security firms, and possibly (though this has not been determined) consumers. The merchants certainly lose.
PCI Compliance
Air France is currently undergoing a multi-million dollar effort to comply with PCI. It is attempting to reduce the number of applications that use credit cards, record processing requirements, and implement encryption and PCI storage in the network.
Some questions raised involve liability issues, for example who to assign liability to when fraud happens. Also it is unclear how outsourcing will affect security and compliance with PCI.
Study
-chose not to examine bugs or browser flaws
-Analyzed a combination of 214 websites (mostly banks)
Demo:
-Login on insecure pages
-Contact information on insecure pages
Should this be a concern?
-exploits would not be straightforward, but attackers are becoming more organized
Use of Third-Party Sites
-break in chain of trust
Demo:
-transition to third party site
Policies on User Ids and Passwords
-inadequate or unclear policies for user ids and passwords
Ambiguity in Policies
-emailing security sensitive information
Results
-significant number of sites have login design flaws (47%)
Limitations of Study
-may have failed to completely retrieve all relevant pages
-Only looked at financial institutions in the US
-used heuristics for automated analysis
Usability Lessons for Websites
-stay on the same host name
-if not keep on same domain
-else make “proper introduction”
-use SSL throughout the site
Summary from the discussion Metrics for Characterizing Research Participants’ Technical Knowledge:
- Background with some studies and criteria that they used
- Participants agreed that there needs to be a metric but it is not clear whether there can be a one-size-fits-all one
- Conduct a large study among different types of users and then decide on what type of questions can be used for a specific study
- Suggestion on looking at users’ behavior to classify technical or novice (e.g. using shortcut keys)
- Some questions that we agreed on which we may use in future studies
- Are you technical or non-technical?
- Why do you think you are technical or non-technical?
- What is your educational background?