
Mary Ellen Zurko (aka Mez), mez@alum.mit.edu - PowerPoint PPT Presentation


  1. Mary Ellen Zurko (aka Mez) mez@alum.mit.edu

  2. 2

  3. • Security the way Tim intended
     • Server says: WWW-Authenticate: Basic realm="<insert realm>"
     • User prompted for their password
     • Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
       User agent remembers it and sends it for that URI domain/realm

  4. • Every domain+realm does its own authentication
       No Single Sign On
       Password proliferation
     • Password unprotected
       Encoding is not encrypting
     • Who's asking you for your password? For what?

  5. 5

  6. 6

  7. • Encryption is to Security as Caching is to Performance
     • Trust, Trustworthy, and Trust for What?
     • Quis custodiet ipsos custodes?

  8. • Cryptographically hash the password
     • With the username and realm
       Defense against Rainbow Tables
     • Nonces in the server challenge for replay protection
     • Started in 1994; RFC in 1997
     • Resists a passive attacker on the network
     • Minimizes handling of password plaintext
       No passing the password itself in the protocol
       No need to store the password in the clear
       Store it hashed with the username and realm
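The Basic header from slide 3 and the Digest scheme this slide describes, worked as an added Python example that is not part of the deck: the Basic credential decodes with one call (encoding is not encrypting), while the Digest server keeps only MD5(username:realm:password), never the password, and refuses a replayed nonce. The realm value, the toy server and the `/secret` URI are constructed for the example.

```python
import base64
import hashlib
import secrets

REALM = "insert-realm"  # placeholder realm, constructed for this example

def decode_basic(header_value: str) -> tuple[str, str]:
    """'Basic <base64>' -> (user, password). Base64 is encoding, not encryption."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password

def digest_ha1(username: str, realm: str, password: str) -> str:
    """What the server stores instead of the password: MD5(username:realm:password)."""
    # username and realm act as salt, so a rainbow table built for one site is useless elsewhere
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2069-style proof (no qop): MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    # the password never crosses the wire; the nonce ties the proof to one challenge
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

class DigestServer:
    """Toy verifier: keeps HA1 per user and honours each issued nonce only once."""
    def __init__(self) -> None:
        self.ha1_by_user: dict[str, str] = {}
        self.live_nonces: set[str] = set()
    def add_user(self, username: str, password: str) -> None:
        self.ha1_by_user[username] = digest_ha1(username, REALM, password)
    def challenge(self) -> str:
        nonce = secrets.token_hex(16)  # fresh per challenge: this is the replay protection
        self.live_nonces.add(nonce)
        return nonce
    def verify(self, username: str, nonce: str, method: str, uri: str, response: str) -> bool:
        if username not in self.ha1_by_user or nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(nonce)  # consumed: a captured response cannot be replayed
        expected = digest_response(self.ha1_by_user[username], nonce, method, uri)
        return secrets.compare_digest(expected, response)

def demo() -> tuple[tuple[str, str], bool, bool]:
    creds = decode_basic("Basic QWxhZGluOnNlc2FtIG9wZW4=")  # the header shown on slide 3
    server = DigestServer()
    server.add_user(*creds)
    nonce = server.challenge()
    proof = digest_response(digest_ha1(creds[0], REALM, creds[1]), nonce, "GET", "/secret")
    accepted = server.verify(creds[0], nonce, "GET", "/secret", proof)
    replayed = server.verify(creds[0], nonce, "GET", "/secret", proof)
    return creds, accepted, replayed
```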

  9. • The world was no longer a clean slate
     • Needs both browser support and server support
     • The protocol for negotiating mutual support allows a Man in the Middle to spoof lack of support
       Active attacker gets the password anyway
     • Three tier architectures
       Calling a back end service as the web user
       Sometimes you need that password to propagate the user authentication to some service not supporting Digest
     • Why put in the resources to support this?
       No attacks in the wild, no high value web site interactions, known imperfections

  10. 10

  11. • Lessons:
        Defense in depth matters
        Secrets protecting secrets protecting secrets protecting ...
        It's not turtles all the way down
      • Themes:
        Passwords – users vs system parts
        Web server and files
        Compliance

  12. 12

  13. • Secure HyperText Transfer Protocol - S-HTTP:
      • Flexible framework for encryption of the HTML document
        Page data and submitted data – not the headers
        The specific URL moved into the encrypted portion
      • Headers defined to specify type of encryption and algorithm, type of key management
        Supports pre-arranged keys, public/private keys, PGP, etc.
        Server and client negotiate which enhancements they'll use
      • Digital signature option – another form of authentication
      • End to end – clients can initiate the encrypted request
        Resists Man in the Middle

  14. • End to end protection requires client side deployment of secrets
        A challenge still not overcome today
        Scale of client deployment much larger than server deployment
      • End user had to interact with secrets for web pages
      • Flexible framework meant (too) many choices for deployment
        Which type of secrets do which users have?
        Which type of secrets do which web pages require?

  15. 15

  16. • Encryption! Authentication! Security!
      • Open standard
      • Authentication of the server using a public key certificate
      • Authentication of the client using a public key certificate is an option
      • The encryption part works pretty darn well
      • The authentication part…

  17. • My browser has 175 "System Roots". They're all trusted to issue web site certificates.
        Associate the public key with the information in the certificate
        Who will watch the watchers?
      • 12 CA incidents in 2011
      • Attack on Comodo
        Username/password of a Registration Authority stolen
        9 fraudulent certificates issued, including login.yahoo.com, mail.google.com, login.skype.com, addons.mozilla.org
        Certificates revoked upon discovery
      • DigiNotar attacked and fraudulent certificates issued
      • KPN discovered attack tools on its server during an audit and stopped issuing certificates
        DDoS tool there for as long as 4 years

  18. • Ask the user!
        Which no one seemed to think was a problem when the protocol was designed
      • What does it mean if a server has a self-signed certificate?
        CA issued certificates cost money
        Users learned to ignore warnings
        Accepted by the usable security research community as early as 2008
      • Crying Wolf: An Empirical Study of SSL Warning Effectiveness (2009) used FF2 as a baseline in its study of clickthrough, with a 90% ignore rate in their Internet user study of a banking scenario.
      • ImperialViolet documented a 60% rate of bypassing SSL interstitials in 2012

  19. In theory, there is no difference between theory and practice. In practice, there is. - Yogi Berra

  20. • Citigroup.com
      • Citibank.info
      • Citibank.com
      • Citicards.com
      • Cititigroup.com
      • Citicreditcards.com
      • Citigroup.de
      • Citibank-cards.us
      • Citibank.co.uk
      • Citimoney.com
      • Citigroup.org
      • Citigold.net
      • Thisiscitigroup.org
      • Citigrøup.org

  21. • Citigroup.com
      • Citibank.info
      • Citibank.com
      • Citicards.com
      • Cititigroup.com
      • Citicreditcards.com
      • Citigroup.de
      • Citibank-cards.us
      • Citibank.co.uk
      • Citimoney.com
      • Citigroup.org
      • Citigold.net
      • Thisiscitigroup.org
      • Citigrøup.org
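A defender-side triage of the list on slides 20 and 21, as an added Python example that is not part of the deck: each name is converted to the form the resolver sees, so the ø in Citigrøup.org becomes punycode, and then flagged as a typosquat, a brand label on another suffix, an embedded brand, or a shared brand prefix. The allowlist of genuine domains is an assumption; the deck does not say which of these names are real.

```python
BRAND = "citigroup"
ALLOWLIST = {"citigroup.com"}  # assumed reference set; the slide does not say which names are genuine

# The slide's list, reproduced here as constructed input for the classifier.
SLIDE_DOMAINS = [
    "Citigroup.com", "Citibank.info", "Citibank.com", "Citicards.com", "Cititigroup.com",
    "Citicreditcards.com", "Citigroup.de", "Citibank-cards.us", "Citibank.co.uk",
    "Citimoney.com", "Citigroup.org", "Citigold.net", "Thisiscitigroup.org", "Citigrøup.org",
]

def to_ascii(domain: str) -> str:
    """The name the resolver sees: IDNA/punycode, e.g. 'citigrøup.org' -> 'xn--citigrup-b5a.org'."""
    return domain.lower().encode("idna").decode("ascii")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_signals(domain: str) -> list[str]:
    """Explainable reasons a name resembles BRAND without being an allowlisted one."""
    shown = domain.lower()
    resolved = to_ascii(shown)
    if resolved in ALLOWLIST:
        return ["allowlisted"]
    signals = []
    if resolved != shown:  # non-ASCII letters a user cannot tell apart from the Latin ones
        signals.append(f"idn-homograph:{resolved}")
    # compare only the ASCII letters of the first label, so 'citigrøup' is judged as 'citigrup'
    label = "".join(c for c in shown.split(".")[0] if c.isascii())
    if label == BRAND:
        signals.append("brand-on-other-suffix")
    elif edit_distance(label, BRAND) <= 2:
        signals.append("typosquat")
    elif BRAND in label:
        signals.append("brand-embedded")
    elif label.startswith("citi"):
        signals.append("shares-brand-prefix")
    return signals

def triage(domains: list[str]) -> dict[str, list[str]]:
    """Map every candidate name to its signals; an empty list means nothing suspicious was found."""
    return {d: lookalike_signals(d) for d in domains}
```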

  22. 22

  23. 23

  24. • The Emperor's New Security Indicators (2007)
      • Lab study of bank customers (67)
      • Removed HTTPS indicators – "https" in address bar and lock icon in bottom right
        0 withheld password
      • Removed the customer selected site-authentication image
        Replaced it with a bank upgrade maintenance notice
        23 of 25 using their own accounts entered their password
        As well as all 36 role playing
      • Role playing participants behaved significantly less securely
        About half were security primed

  25. 25

  26. • Simulated spear phishing
        97% fell for at least one
        79% heeded active warnings when presented
      • Active warnings directly interrupt the task, give the user choices, and make recommendations
        Fail safely
      • Correlations between understanding a warning and heeding it (26)

  27. • SSL turns out to be entirely orthogonal to the kind of website authentication humans need
      • Phishing for user passwords became the next valuable thing about pretending to be an existing web site

  28. 28

  29. • First usable security standard
      • Charter: To enable users to come to a better understanding of the context that they are operating in when making trust decisions on the Web
        Specify a baseline set of security context information and practices for the secure and usable presentation of this information
      • Functional areas: TLS encryption, Domain name (authenticated or claimed), Certificate information, Browsing history, Errors
      • Principles: Visibility, assurance, attention

  30. 30

  31. • Certificate Trust validation
        Extended Validation, self-signed, and untrusted, and user interactions around validation
      • Existence of encryption
      • Strong cipher suites
      • User interactions for error handling based on error severity
        Attempting to combat habituation
      • Consistent visual presentation of authenticated DNS identity
      • MUST NOTs – mixed content, obscuring security info, techno jargon, unsupervised installation, automatic bookmarks

  32. • Standards Challenges
        "Successful standards enable"
        We had a lot of "Don't do this thing" and constraints
        UI standards are process, not presentation
      • Context Challenges
        Browser vendor participation
        Some of the reasons vendors participate: interoperability (as required by/for the market), customer requirements (compliance and laws and features)
        Some of the reasons vendors don't participate: IP/patents, dilution of their brand, market advantage in the area
        And then mobile
        Technology marches forward

  33. • Firefox Click Through Rate (CTR) for malware warnings is 33% (2014); Google Chrome's is 70%
      • Mock Firefox styling closed that difference by 12 to 20 points in a 10 day at-scale controlled experiment
        Text, layout, default button
      • Users heed warnings for sites they have not visited
      • Users unpredictable for warnings on sites they have visited
      • Survey said users trust high reputation sites more than malware warnings

  34. 34

  35. 35

  36. • Who vouches for the code on this web site?
        JavaScript sandbox + same origin policy
      • Web mail
        Earliest web application serving data in pages not created by web site developers
        Broke domain name authentication assumptions
        Cross site scripting (XSS)
      • Response - HTML escaping of everything
        Where are my bold text and dancing pigs?
      • Next steps: Whitelist vs Blacklist of HTML tags
        What are the tradeoffs?
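The two responses this slide contrasts, escape everything versus a whitelist of HTML tags, as an added Python example that is not part of the deck: escaping keeps nothing, while the whitelist sanitizer keeps the bold text, strips every attribute and every unknown tag, and discards script and style bodies outright. The tag set and the sample message body are constructed.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong"}  # the whitelist: the formatting the mail UI wants to keep
DROP_CONTENT = {"script", "style"}        # tags whose inner text is discarded, not just the tag

def escape_everything(fragment: str) -> str:
    """The slide's first response: every < > & " becomes an entity, so nothing renders as HTML.
    Safe, but the user's <b>bold</b> shows up as literal text."""
    return html.escape(fragment, quote=True)

class WhitelistSanitizer(HTMLParser):
    """Keeps only ALLOWED_TAGS, with all attributes removed, and re-escapes all text.
    Unknown tags, comments and event-handler attributes are dropped; markup the whitelist
    has never heard of is therefore safe by default, which is the blacklist's weak spot."""
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes such as onclick= never pass through
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <x/>-style tags are treated like an opening tag
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # text stays text, never markup

def sanitize(fragment: str) -> str:
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

# Constructed sample: what a web-mail page might receive in a message body.
SAMPLE = 'Hi <b>Mez</b>, see <a href="http://example.test">this</a>!<script>alert(1)</script>'
```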

  37. • Major technical university's web site
      • Cross Site Scripting (XSS)
        Every link modified to redirect through a proxy
        Links to other web sites (e.g. LinkedIn, Facebook)
      • Insecure Direct Object Reference
        Walk the OS file system
      • Lesson: Developers are (fallible) people too

  38. • aka Code that executes
      • We had antivirus for OS malware – we knew that
      • GET stopped being safe and idempotent
        Which gave us CSRF
        JSON and XML enable CSRF with POST
      • Web based installations/downloads
      • Browser extensions

  39. • Introduced in 2007 on Apple iPhone iOS
        Every game creator has the security responsibility of a web browser implementer
      • Is It Safe?
        What responsibility is assumed to be the user's?
        Who can the user rely on?
        How much control can the user have?
        Are users any good at making these decisions?
      • Different mobile platforms make different choices
        Control of the lifecycle
        Control of the store
        Code signing
        Installation time permissions
