usable security
play

Usable Security Fall 2017 Franziska (Franzi) Roesner - PowerPoint PPT Presentation

Nov 01, 2023 •362 likes •715 views

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Poor Usability Causes Problems si.ed u 12/4/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. Importance in Security • Why is usability important? – People are the critical element of any computer system • People are the real reason computers exist in the first place – Even if it is possible for a system to protect against an adversary, people may use the system in other, less secure ways 12/4/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Usable Security Roadmap • 2 case studies – Phishing – SSL warnings • Step back: root causes of usability problems, and how to address 12/4/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. Case Study #1: Phishing • Design question: How do you help users avoid falling for phishing sites? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. A Typical Phishing Page Weird URL http instead of https 12/4/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Safe to Type Your Password? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. Safe to Type Your Password? “Picture-in-picture attacks” Trained users are more likely to fall victim to this! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. Experiments at Indiana University • Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster • Sent 921 Indiana University students a spoofed email that appeared to come from their friend • Email redirected to a spoofed site inviting the user to enter his/her secure university credentials – Domain name clearly distinct from indiana.edu • 72% of students entered their real credentials into the spoofed site 12/4/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. More Details • Control group: 15 of 94 (16%) entered personal information • Social group: 349 of 487 (72%) entered personal information • 70% of responses within first 12 hours • Adversary wins by gaining users’ trust • Also: If a site looks “professional”, people likely to believe that it is legitimate 12/4/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. Phishing Warnings Active (Firefox) Passive (IE) Active (IE) 12/4/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. [Egelman et al.] Are Phishing Warnings Effective? • CMU study of 60 users • Asked to make eBay and Amazon purchases • All were sent phishing messages in addition to the real purchase confirmations • Goal: compare active and passive warnings 12/4/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. [Egelman et al.] Active vs. Passive Warnings • Active warnings significantly more effective – Passive (IE): 100% clicked, 90% phished – Active (IE): 95% clicked, 45% phished – Active (Firefox): 100% clicked, 0% phished Passive (IE) Active (IE) Active (Firefox) 12/4/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. [Egelman et al.] User Response to Warnings • Some fail to notice warnings entirely – Passive warning takes a couple of seconds to appear; if user starts typing, his keystrokes dismiss the warning • Some saw the warning, closed the window, went back to email, clicked links again, were presented with the same warnings… repeated 4-5 times – Conclusion: “ website is not working ” – Users never bothered to read the warnings, but were still prevented from visiting the phishing site – Active warnings work! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. [Egelman et al.] Why Do Users Ignore Warnings? • Don’t trust the warning – “ Since it gave me the option of still proceeding to the website, I figured it couldn’t be that bad ” • Ignore warning because it’s familiar (IE users) – “ Oh, I always ignore those ” – “ Looked like warnings I see at work which I know to ignore ” – “ I thought that the warnings were some usual ones displayed by IE ” – “ My own PC constantly bombards me with similar messages ” 12/4/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. Site Authentication Image (SiteKey) If you don’t recognize your personalized SiteKey, don’t enter your Passcode 12/4/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. Case Study #2: Browser SSL Warnings • Design question 1: How to indicate encrypted connections to users? • Design question 2: How to alert the user if a site’s SSL certificate is untrusted? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. The Lock Icon • Goal: identify secure connection – SSL/TLS is being used between client and server to protect against active network attacker • Lock icon should only be shown when the page is secure against network attacker – Semantics subtle and not widely understood by users – Whose certificate is it?? – Problem in user interface design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. [Moxie Marlinspike] Will You Notice? Þ Clever favicon inserted by network attacker 12/4/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Do These Indicators Help? • “The Emperor’s New Security Indicators” – http://www.usablesecurity.org/emperor/emperor.pdf Users don’t notice the absence of indicators! 12/4/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. Latest Design in Chrome 12/4/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. [Felt et al.] Firefox vs. Chrome Warning 33% vs. 70% clickthrough rate 12/4/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 26

  27. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 27

  28. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 28

  29. [Felt et al.] Experimenting w/ Warning Design 12/4/17 CSE 484 / CSE M 584 - Fall 2017 29

  30. [Felt et al.] Opinionated Design Helps! Adherence N 30.9% 4,551 12/4/17 CSE 484 / CSE M 584 - Fall 2017 30

  31. [Felt et al.] Opinionated Design Helps! Adherence N Adherence N 30.9% 30.9% 4,551 4,551 32.1% 4,075 32.1% 4,075 58.3% 4,644 12/4/17 CSE 484 / CSE M 584 - Fall 2017 31

  32. [Felt et al.] Challenge: Meaningful Warnings 12/4/17 CSE 484 / CSE M 584 - Fall 2017 32

  33. Stepping Back: Root Causes? • Computer systems are complex; users lack intuition • Users in charge of managing own devices – Unlike other complex systems, like healthcare or cars. • Hard to gauge risks – “It won’t happen to me!” • Annoying, awkward, difficult • Social issues – Send encrypted emails about lunch?... 12/4/17 CSE 484 / CSE M 584 - Fall 2017 33

  34. How to Improve? • Security education and training • Help users build accurate mental models • Make security invisible • Make security the least-resistance path • …? 12/4/17 CSE 484 / CSE M 584 - Fall 2017 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist

Usable security for control systems Jun Ho Huh Honeywell ACS Labs, research scientist junho.huh@honeywell.com Honeywell.com What is usable security? Building security solutions that are intuitive and easy to use Many security

350 views • 9 slides
Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] & Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research

DNSCurve: Usable security for DNS D. J. Bernstein Research Professor Center for RITES: Research and Instruction in Technologies for Electronic Security Department of Computer Science University of Illinois at Chicago The Domain Name

598 views • 48 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given

What Does the Brain Tell Us about Usable Security? Anthony Vance Brigham Young University Given a choice between dancing pigs and security, users will pick dancing pigs every time. Felton and McGraw (1999) clicky lusers BYU LAB

1.12k views • 84 slides
Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of

Usable Security of Named Data Networking Yingdi Yu 1 Traditional communication model of Internet Speaking to a host end-to-end channel Communication security container-based authenticity: X.509, Certificate

678 views • 57 slides
Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security

Towards Usable Privacy in Cross-System Personalization Yang Wang CMU Usable Privacy and Security (CUPS) Lab Carnegie Mellon University 2 Personalization 3 Cross-System Personalization 4 Cross-System Personalization 5 Cross-System

310 views • 18 slides
Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two

Previous a researcher in the usable security group at ICSI/UCB Now a lead research engineer at Two Six Labs working on DARPA Brandeis This talk goes over work from UCB 1 Install-time permissions A ccept all or dont use the app at all. No

944 views • 77 slides
Usable Security Spring 2015 Franziska (Franzi) Roesner

Usable Security Spring 2015 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan

1.11k views • 55 slides
Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer,

Usable security and the human in the loop Michelle Mazurek Some slides adapted from Lujo Bauer, Lorrie Cranor, Rob Reeder, Blase Ur, and Yinqian Zhang 1 Todays class Introducing me Introducing you Human Factors for Security and

985 views • 82 slides
The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas

The Phenomenology of User Privacy and Security Decision-Making: Practice What You Preach Thomas Reynolds University at Albany a Lightning Talk Symposium On Usable Privacy & Security Carnegie Mellon University, July 2011 Usable

371 views • 5 slides
Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to

Introducing Precautionary Behavior by Temporal Diversion of Voter Attention from Casting to Verifying their Vote Workshop on Usable Security 2/23/2014 Usable Security Lab Jurlind Budurushi, Marcel Woide and Melanie Volkamer Crypto Lab Current

217 views • 19 slides
USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we

USABLE SECURITY GRAD SEC SEP 28 2017 USER AUTHENTICATION What we know (passwords) What we have (tokens) What we are (iris, fingerprint) [Accuracy vs. cost trade-off] Other USER AUTHENTICATION INKBLOT AUTHENTICATION Come up with

671 views • 20 slides
Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi,

Blind and Human: Exploring More Usable Audio CAPTCHA Designs Valerie Fanelle, Sepideh Karimi, Aditi Shah, Bharath Subramanian, and Sauvik Das The Sixteenth Symposium on Usable Privacy and Security August 7th - 11th, 2020 High attention levels

1.03k views • 6 slides
Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in

T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Usable Security: Quo Vadis? Konstantin (Kosta) Beznosov Laboratory for Education and Research in Secure Systems Engineering lersse.ece.ubc.ca Electrical and Computer

348 views • 9 slides
RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications

RF-based DFAR and implicit ad-hoc usable security Stephan Sigg Aalto University, Communications and Networking July 1, 2016 Group DFAR Conclusion 2 / 22 Stephan Sigg RF-based DFAR and implicit ad-hoc usable security Group DFAR Conclusion

824 views • 37 slides
The Computational Paradigm 2. Why did computing need to be an academic discipline? of

The Computational Paradigm 2. Why did computing need to be an academic discipline? of

This Talk 1. Computer science: Definition The Computational Paradigm 2. Why did computing need to be an academic discipline? of Science 3. What characterizes computing as a discipline? ECSS 2015 4. Is everything computing? Matti Tedre

637 views • 24 slides
Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D

Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D

Diabetes Treatment and Heart Failure From Preventing Harm to Increasing Survival Jonathan D Davis, MD, MPHS Director, Heart Failure Program Assistant Clinical Professor | Division of Cardiology Zuckerberg San Francisco General Hospital

599 views • 36 slides
for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of

for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of

Practices St. Jude Rite of Christian Initiation for Adults Beliefs & Prayer SIGN IN AT THE WELCOME TABLE AND ENJOY THE FOOD RCIA Journey of Faith Sacraments/Rites Practices This evenings meal is provided by: Beliefs & Prayer

813 views • 45 slides
The Emperor Has No Clothes: Insecurities in Security Infrastructure Ben Feinstein, CISSP GCFA

The Emperor Has No Clothes: Insecurities in Security Infrastructure Ben Feinstein, CISSP GCFA

The Emperor Has No Clothes: Insecurities in Security Infrastructure Ben Feinstein, CISSP GCFA Director of Research Jeff Jarmoc, GPEN GCFW Firewall Engineer Dan King Security Engineer Black Hat USA 2010 Las Vegas, Nevada USA Wednesday, July

664 views • 44 slides
Inca At its peak, the Incan empire stretched more than 2,500 miles, almost the entire The Inca

Inca At its peak, the Incan empire stretched more than 2,500 miles, almost the entire The Inca

February 14, 2012 Inca At its peak, the Incan empire stretched more than 2,500 miles, almost the entire The Inca controlled a vast empire covering parts of modern length of the Andes day Peru, Ecudor, Bolivia, Chile, and Argentina.

514 views • 4 slides
Fidelius: Protecting User Secrets from Compromised Browsers Saba Eskandarian , Jonathan Cogan,

Fidelius: Protecting User Secrets from Compromised Browsers Saba Eskandarian , Jonathan Cogan,

Fidelius: Protecting User Secrets from Compromised Browsers Saba Eskandarian , Jonathan Cogan, Sawyer Birnbaum, Peh Chang Wei Brandon, Dillon Franke, Forest Fraser, Gaspar Garcia, Eric Gong, Hung T. Nguyen, Taresh K. Sethi, Vishal Subbiah,

718 views • 28 slides
17/03/2020 1 2 Vienna 1683 3 4 Sobieski and the Emperor 5 6 1 17/03/2020 7 8 9 10 11

17/03/2020 1 2 Vienna 1683 3 4 Sobieski and the Emperor 5 6 1 17/03/2020 7 8 9 10 11

17/03/2020 1 2 Vienna 1683 3 4 Sobieski and the Emperor 5 6 1 17/03/2020 7 8 9 10 11 12 2 17/03/2020 13 14 15 16 17 18 3 17/03/2020 Fleurus 1690 19 20 21 22 Neerwinden 1693 Steenkirchen 1692 23 24 4 17/03/2020

605 views • 5 slides
The implementation of AArch64 NEON Instruction Set Ana Pazos Senior Staff Engineer, QuIC

The implementation of AArch64 NEON Instruction Set Ana Pazos Senior Staff Engineer, QuIC

The implementation of AArch64 NEON Instruction Set Ana Pazos Senior Staff Engineer, QuIC (Qualcomm Innovation Center) Jiangning Liu Principal software engineer, ARM 1 Implementation Goals Support all instructions in

322 views • 7 slides

More recommend