Usability and Psychology
Based on Ross J. Anderson, "Security Engineering"
Presentation by Gennady Laventman
Intro
• Many security attacks exploit psychology at least as much as technology.
– Phishing – over email.
– Pretexting – over the phone.
• Phone and online communication are relatively new, and humans have no built-in tools for detecting deception without face-to-face interaction.
Psychology-based attacks
• Pretexting
– "Hello, I am MD Toosmart, I have a patient Simpson, can you fax me his health record to 123456789".
– Kevin Mitnick
– HP scandal
– Illegal in most first-world countries.
• Phishing – attempting to acquire information such as usernames, passwords, etc. by masquerading as a trustworthy entity online.
– Targets customers, not employees. There are too many customers, and they think they are always right…
– Really nice tricks. Now that URLs support national characters (internationalized domain names), look-alike domains make phishing even more fun.
– Phishing losses in 2010 – 3.5 bn USD
Psychology
• "The mind is what the brain does"
– Actually, we don't know why the brain does things the way it does.
• The human brain is very different from a computer
– Computers never forget (actually, women don't forget either)
– Humans are bad at routine tasks.
– Under data overload, humans fall back on the strongest or most general rule.
– Humans continue to operate even under uncertainty.
– But humans recognize things much better.
Behavioural Economics
• Heuristics that people use, and the biases that influence them, when making decisions.
– Daniel Kahneman (Nobel prize 2002) and Amos Tversky
• Prospect theory
– We hate giving money away, even when doing so would bring us more (loss aversion).
– We are really bad at calculating probabilities and use bad analogies.
– We give more weight to recent facts.
– Video > Sound
– etc.
• Really bad at risk calculation
– We can hardly plan more than a dozen years ahead.
– We prefer to be in control (driving a car vs. flying in a plane).
– Etc.
• Fraudsters, terrorists, politicians and other marketers know this and use it.
Mental Processing
• How do we explain things? Head vs. Heart…
– First, try a "scientific" explanation.
– After it fails, fall back on a "spiritual" explanation.
– "Somebody" did it – welcome, FSM.
– "Our bank will never, ever send you email asking for your password"
– Emotion => people use their hearts more than their minds => people are insensitive to probability
Social Psychology
• Explains how people interact in groups.
• The second half of the 20th century was "fun" for social psychology
– Asch conformity experiment
– Milgram experiment
– Stanford "prison" experiment
• Cognitive dissonance
Passwords
• Really bad authentication mechanism.
– Humans can't remember infrequently used, frequently changed, or many similar items
– Humans can't forget on demand
– Recall is harder than recognition
– Non-meaningful words are harder to remember
• "Something you have, something you know, or something you are"
– Simson Garfinkel: "something you had once, something you've forgotten, or something you once were"
• Many log-ins – many passwords.
– Password reuse
• SSN or "your mother's maiden name"
– Easy to find – use Google
• Problems
– Password correctness – too long, user under stress, etc.
• Prepaid electricity meters in South Africa vs. US nuclear codes.
– Users can't remember the password – they write it down or choose an easy one.
• "Choose a password you can't remember, and don't write it down."
– Will the user break the system's security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?
Password choice
• 20 most common female names + 2 digits
– I assure you – any big organization's password file contains at least one match.
• Let's make users change passwords frequently and forbid the previous few choices
– People will reset passwords often, just to cycle back to their old passwords.
• Research shows that many people now choose slightly better passwords
– The most common password is not 'password' but 'password1' ☺
• Sometimes you can force users to use really random passwords
– Government, military, etc.
– Centrally assigned passwords are not always possible
• Sometimes you can train users…
– And sometimes it works…
• Research about passwords
– Setup
• Red group – users chose their own password of at least 6 characters
• Green group – users created a password from a mnemonic phrase
• Yellow group – users had to pick a random password from a list
– Results – the green group won
• Passwords were easy to remember and hard to guess
• 1/3 of users just don't do what they're told
Passwords – more problems?
• Passwords – too many of them.
– People write passwords down anyway.
• Security questions – mostly based on publicly available data. Google it?
• Users who can choose a PIN often choose a year.
– Only about 2000 choices.
– Many choose their year of birth – only about 100 choices (19xx)
• Change default passwords!!!!
• R v Gold and Schifreen case in Great Britain
– The acquittal led Parliament to pass the first specific computer-crime law (the Computer Misuse Act 1990).
Example of good security question
Social-Engineering Attacks
• Problem – the user discloses the password to a third party
– Accidentally or as a result of deception
• 1990 – Unix terminal 'password fishing' (a fake login prompt left running on a shared terminal)
• Pretexting
– Credit card PINs
– Access to user passwords over the phone
– More examples in Mitnick's 'The Art of Deception'.
• Many organizations try to prevent it by physical separation.
– Different phones in the military, root access only from the local console on Sun systems (no Sun anymore), etc.
Phishing
• Ask the user for their password by email, "for security reasons"
– Many will reply with the correct one
• Inside each business there is a struggle between security people and sales people.
– Sales usually wins.
• Malicious emails with links
– Used both by phishermen and by the organization's own sales department.
– Very convenient emails – the user can't tell whether the email is from the bank or not.
– Emails with links, from banks.
– Emails that point to outside domains, from banks.
– Emails with executables, clickable pictures, etc. (from banks).
Trusted Path
• Getting user credentials by technology instead of psychology.
• Fake ATM machines.
– Collecting user PINs since 1993
• Skimmers – ATM with a camera
– Sending pictures of users' PINs since 2003
– Since 2005, sending data directly off the wire.
• Fake computers – we already saw them in 'password fishing'.
– The reason 'ctrl-alt-del' (the secure attention key) was born
Phishing Countermeasures
• Phishing is a mix of psychology and technology, but most solutions are based on technology.
• People have been educated by internet merchants to click on links.
– Isn't that what the Internet is all about? (except for porn)
– Most money on the internet comes from ads.
• Many techniques to deal with phishing.
– Some more successful than others.
Password manglers
• Browser plugin that derives a unique per-site password from the user's master password and the site's domain
• Problem to deal with – password sharing (one password reused at many sites)
• Problems
– Roaming (the plugin must be on every machine you use)
– Same service on different domains
– Different services – different password rules
– Browser specific
• A short search gives at least one such solution for Chrome
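The derivation a password mangler performs, as an added example (not code from the slides or from any real plugin): HMAC the master password over the site's domain, encode, and patch in one character of each class so composition rules are met. The domain rule, the master password and the bank URLs are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed example master password; nothing here comes from the slides.
MASTER = "correct horse battery staple"


def site_key(url: str) -> str:
    """Reduce a URL to the label the mangler keys on.

    Toy rule (an assumption of this example): keep the last two labels of the
    host name, so www.examplebank.com and online.examplebank.com share one
    derived password while www.examplebank.com.evil.example does not. A real
    plugin would consult the public suffix list instead.
    """
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def mangle(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from the master password and the site key.

    HMAC-SHA256(master, site_key) is base64-encoded and truncated to `length`;
    the first three characters are then forced to an upper-case letter, a
    lower-case letter and a digit so common composition rules are satisfied.
    """
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 base64 characters")
    digest = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    body = base64.b64encode(digest).decode()[:length]
    upper = chr(ord("A") + digest[0] % 26)
    lower = chr(ord("a") + digest[1] % 26)
    digit = chr(ord("0") + digest[2] % 10)
    return upper + lower + digit + body[3:]


def phishing_demo(master: str = MASTER) -> dict:
    """What a look-alike phishing domain captures vs. what the real site expects."""
    real = mangle(master, "https://www.examplebank.com/login")
    captured = mangle(master, "https://www.examplebank.com.evil.example/login")
    return {"real": real, "captured": captured, "useful_to_phisher": real == captured}


if __name__ == "__main__":
    print(phishing_demo())
```

The phisher receives a password derived from their own domain, which is worthless at the real bank. The slide's problems are visible in the code: the base64 body may contain '+' or '/', so a site that forbids symbols needs a different rule that the plugin must remember per site; the derivation only exists where the plugin is installed; and the master password itself becomes the new phishing target ("enter your master password to continue").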
Client Certs or Special Apps
• SSL supports client-side certificates
• Bank provides a non-browser-based application.
• Problem to deal with – end-user authentication
• Problems
– Certificates are a pain to manage.
– Phishermen ask the user to 'update' the software.
– Phishermen ask the user to 'update' the certificate by sending it to them
Browser’s Password Database
• User chooses a really random password and lets the browser store it.
• Problem to deal with – password reuse.
• Problems
– Same as with password manglers.
– Passwords stored unencrypted (or readable by any code running as that user).
– Merchants forbid the autocomplete feature.
Soft Keyboards
• Instead of a real keyboard – type the password on an on-screen keyboard.
– Latin American banks' solution.
• Deals with key-loggers.
• Problem
– Key-loggers send pictures of the area around each mouse click.
Customer Education
• Banks try to educate their customers.
• Problem – the attacker is always one step ahead.
– Check the English – the attacker hires a native speaker.
– Look for the lock symbol – the attacker uses SSL.
– Hover your mouse over the link – the attacker adds non-printing characters to the URL.
• The attacker always has the advantage, and the end-user gets lost in the huge amount of advice.
Microsoft Passport
• Central authentication authority. Something like centralized Kerberos.
• Problem to solve – many services to log in to.
– Updates in one place. Both software and passwords.
• Problems
– Bugs in the implementation –
• Sometimes a user could authenticate as someone else because of a race condition
• Cookie-stealing attack.
• Password reset attack.
– Have to use Microsoft software.
• Liberty Alliance
Phishing Alert Toolbars
• Browser toolbars that use a number of heuristics to parse URLs and look for wicked ones
• Problem to solve – alert the user about wicked sites
• Problems
– Bugs in the IE 7 implementation
• A website can simply display a picture of a browser with a nice green toolbar inside the frame of the normal browser.
– Problems with using heuristics to spot dodgy sites.
Two-Factor Authentication
• Use a site-specific 'password calculator' in addition to the memorized password.
– 'something you have' and 'something you know'
• Problems
– Many small banks can't afford it.
– Phishermen can use a real man-in-the-middle attack (relay the one-time code to the bank while it is still valid).
• In Europe the Chip Authentication Program (CAP) device is widely used.
– Used either to calculate a logon password, or to compute a message authentication code over the actual transaction contents.
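Why the two CAP modes differ against a man-in-the-middle, as an added example (not code from the slides, and not the real CAP message format): a code computed over the counter alone (RFC 4226 HOTP here) can be relayed to authorize a different transaction, whereas a MAC over payee and amount cannot. The card secret is the RFC 4226 test-vector key, and the payees and amounts are constructed.

```python
import hashlib
import hmac
import struct

# Constructed: the per-card secret shared between the device and the bank.
# This is the RFC 4226 test-vector key, so hotp() can be checked against the RFC.
CARD_SECRET = b"12345678901234567890"


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC-SHA1 digest to a decimal code."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Identify mode: a one-time code over the counter alone (RFC 4226 HOTP)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return truncate(mac, digits)


def sign(secret: bytes, counter: int, payee: str, amount_cents: int, digits: int = 8) -> str:
    """Sign mode (simplified): the code is a MAC over the counter AND the
    transaction data. The real CAP layout differs; any MAC that binds payee
    and amount demonstrates the property."""
    msg = struct.pack(">Q", counter) + payee.encode() + struct.pack(">Q", amount_cents)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return truncate(mac, digits)


def relay_attack(mode: str, counter: int = 7) -> bool:
    """A phisher sits between customer and bank. The customer believes they are
    paying 100.00 to 'Utility Co'; the phisher submits 5000.00 to 'Mule' with
    the code the customer typed. Returns True if the bank accepts the mule payment."""
    victim_payee, victim_amount = "Utility Co", 10_000
    mule_payee, mule_amount = "Mule", 500_000
    if mode == "identify":
        typed = hotp(CARD_SECRET, counter)            # read off the device by the victim
        expected = hotp(CARD_SECRET, counter)         # bank only checks the counter
        return hmac.compare_digest(typed, expected)
    if mode == "sign":
        typed = sign(CARD_SECRET, counter, victim_payee, victim_amount)
        expected = sign(CARD_SECRET, counter, mule_payee, mule_amount)  # bank MACs the mule payment
        return hmac.compare_digest(typed, expected)
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    print("identify mode relayed:", relay_attack("identify"))
    print("sign mode relayed:    ", relay_attack("sign"))
```

The same relay works against the two-channel (SMS) scheme discussed later unless the message spells out payee and amount and the customer actually reads them before typing the code; the device or message must commit to the transaction, not merely to the session.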
Trusted Computing
• TPM (Trusted Platform Module) security chips
in PC motherboards
– Tie down a transaction to a particular PC
– More or less like CAP
• Windows Vista had it kinda working…
• Problems
– Roaming
– Problems with Linux and Mac computers
Two-Channel Authentication
• Send an access code to the user over a different channel
– SMS to mobile
– Banks can use it to authenticate transactions.
– Easier than CAP
• Problems
– Man-in-the-middle attack.
– Request a new SIM from the phone company with the same number (SIM swap)
– Once the browser runs on the phone, the scheme is broken
The Future of Phishing
• Damages will only get bigger.
– Phish not the banks, but their suppliers
• Many new tricks
– Authority can be impersonated.
• Man-in-the-middle attacks.
• Most sales are now done on portable devices – so long, two-channel.
– Thank you, iPad.
• Big Brother model – everyone has an electronic ID, including security keys, etc.
– Did not work even for a simple ID during the last USA elections
• Most of the fight will concentrate on the back-end.
System issues
• Main problem – is it possible to limit the number of failed login attempts?
– Online – a limited number of attempts (?)
– Offline – an unlimited number of attempts (?)
• Threat models
– Targeted attack on one account
– Attempt to penetrate any account on a system
– Attempt to penetrate any account on any system
– Service denial attack
Denial of service
• Seems quite simple – let's block the user after a number of failed login attempts.
• Sometimes the attacker gets a list of users and thus blocks every user of the system.
– May cause total system DoS by flooding the system with failed logins.
– What happens if the admin account is blocked?
– Can be used to blackmail the site owner
• Most commercial sites don't use it. Exactly for those reasons.
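The lockout denial of service, and the usual alternative, as an added example (not from the slides): a hard per-account lockout lets anyone who knows a user name lock that user out, while counting failures per (account, source) with exponential backoff slows the guesser down without handing them a lockout button. The limits, addresses and the attack schedule are constructed for the example.

```python
from collections import defaultdict

LIMIT = 5           # failures tolerated before the policy reacts
BACKOFF_CAP = 900   # seconds; longest wait a throttled source ever gets


class HardLockout:
    """Classic policy: after LIMIT failures the account is locked for everyone
    until an administrator intervenes, no matter who caused the failures."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)

    def allowed(self, user: str, source: str, now: int) -> bool:
        return self.failures[user] < LIMIT

    def record_failure(self, user: str, source: str, now: int) -> None:
        self.failures[user] += 1


class PerSourceBackoff:
    """Failures are counted per (account, source); each failure beyond LIMIT
    doubles the wait for that source only, capped at BACKOFF_CAP. Nobody is
    locked out permanently, and one source cannot lock out another."""

    def __init__(self) -> None:
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(int)

    def allowed(self, user: str, source: str, now: int) -> bool:
        return now >= self.next_allowed[(user, source)]

    def record_failure(self, user: str, source: str, now: int) -> None:
        key = (user, source)
        self.failures[key] += 1
        excess = self.failures[key] - LIMIT
        if excess >= 0:
            self.next_allowed[key] = now + min(2 ** excess, BACKOFF_CAP)


def simulate(policy, attacker_attempts: int = 100) -> tuple[bool, bool]:
    """An attacker fires one wrong password per second at 'alice' from their
    own address, then alice tries to log in from hers. Time is an integer
    clock so the run is deterministic. Returns
    (alice_allowed_to_try, attacker_allowed_to_try)."""
    victim_ip, attacker_ip = "203.0.113.5", "198.51.100.7"   # constructed addresses
    now = 0
    for _ in range(attacker_attempts):
        now += 1
        if policy.allowed("alice", attacker_ip, now):
            policy.record_failure("alice", attacker_ip, now)  # wrong password every time
    now += 1
    return policy.allowed("alice", victim_ip, now), policy.allowed("alice", attacker_ip, now)


if __name__ == "__main__":
    print("hard lockout     (alice, attacker):", simulate(HardLockout()))
    print("per-source backoff (alice, attacker):", simulate(PerSourceBackoff()))
```

Per-source counting on its own does not cover the "any account on the system" threat model from the previous slide, where a botnet makes one guess per account from many addresses; that needs a global failure rate counter as well, again throttling rather than locking, so that the admin account can never be knocked out by a stranger.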
Protecting Oneself or Others?
• Most systems today have to keep working even when some user accounts are compromised.
• The system should provide strong separation between users
– Unix and Windows were designed to protect one user against accidental interference by another
• Virtualization looks like a promising solution.
– You broke into one of my Amazon instances – I will delete it and start a new one.
Password Entry
• Interface flaw
– Somebody can look over your shoulder
– Somebody can look at your keyboard and/or screen
• Eavesdropping
– Let's listen to public WiFi networks
– Switchboard facilities to log the keystrokes. WTF?
– Let's connect a sniffer to the LAN
• I personally had a hard time convincing users to use ssh.
• Technical defeats of password retry counters
– It can't be real – password characters are checked one by one, and the delay between responses gives away how many matched.
• To paraphrase Sheldon Cooper, this is the way the world ends. Not with a bang, but with a lazy hardware designer.
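The character-by-character check and the attack it invites, as an added example (not from the slides): the device is modelled so that the number of leading characters it compared stands in for the response delay an attacker would time on the wire. A constant-time comparison with the same interface is shown beside it. The secret, alphabet and checker classes are constructed for the example.

```python
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits   # what the device accepts


class LeakyChecker:
    """Models firmware that compares the secret one character at a time and
    stops at the first mismatch. `last_work` is the number of characters
    matched before stopping; on real hardware it is the response delay."""

    def __init__(self, secret: str) -> None:
        self._secret = secret
        self.attempts = 0
        self.last_work = 0

    def check(self, guess: str) -> bool:
        self.attempts += 1
        matched = 0
        for g, s in zip(guess, self._secret):
            if g != s:
                break
            matched += 1
        self.last_work = matched
        return matched == len(self._secret) == len(guess)


class ConstantTimeChecker(LeakyChecker):
    """Same interface, but the whole string is compared in constant time, so
    the response says nothing about how much of the guess was right."""

    def check(self, guess: str) -> bool:
        self.attempts += 1
        self.last_work = len(self._secret)   # always the same delay
        return hmac.compare_digest(guess.encode(), self._secret.encode())


def recover(checker: LeakyChecker, length: int) -> str:
    """Attack: extend a known prefix one position at a time, keeping the
    character whose attempt made the device work past that position.
    Cost is at most length * len(ALPHABET) attempts instead of
    len(ALPHABET) ** length."""
    known = ""
    for pos in range(length):
        for c in ALPHABET:
            guess = (known + c).ljust(length, ALPHABET[0])
            if checker.check(guess):
                return guess
            if checker.last_work > pos:   # compared beyond pos: c is correct
                known += c
                break
        else:
            return known                  # nothing fitted; return what we have
    return known


if __name__ == "__main__":
    secret = "s3cr3t"                      # constructed 6-character secret
    leaky = LeakyChecker(secret)
    print(recover(leaky, len(secret)), "after", leaky.attempts, "attempts")
    safe = ConstantTimeChecker(secret)
    print(recover(safe, len(secret)), "after", safe.attempts, "attempts")
```

Against the leaky device the six-character secret falls in around a hundred attempts; against the constant-time one the attack has no signal and just returns the padding character. The ordering matters too: the retry counter must be incremented and committed before the comparison starts, otherwise an attacker who cuts power on a mismatch never uses up a try.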
Password Storage Attacks
• Bugs with passwords happen – there is no software without bugs
– One old system allowed log-in given a wrong password
– Bug in PIN allocation – once a bank allocated the same PIN to all users; nobody could see the allocated PINs, so nobody knew.
– Logging failed login attempts – sometimes users type the password as the user name.
– Bug in MIT 'CTSS' – the password file was displayed as the greeting message
• One-way encryption – you're doing it wrong.
– Passwords stored without salt – easy to compare.
• Password cracking
– Dictionary attacks – on the password file or directly.
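Why unsalted hashes are "easy to compare" and how a dictionary attack exploits it, as an added example (not from the slides): with unsalted hashes two users with the same password are spotted without cracking anything, and one hash per dictionary word cracks every account at once; with a per-user salt and a slow hash every (account, word) pair costs a separate computation. The users, passwords and wordlist are constructed; the wordlist follows the earlier slide's recipe (common passwords plus a female name with two digits).

```python
import hashlib
import os

# Constructed sample accounts and guesses; none of this is real data.
USERS = {"alice": "password1", "bob": "password1", "carol": "kX9#vq2!Lm4z"}
WORDLIST = ["password", "password1", "letmein", "qwerty", "jennifer12"]
ITERATIONS = 20_000   # kept low for the demo; use far more, or scrypt/argon2, in production


def hash_unsalted(pw: str) -> str:
    """The wrong way: the same password always yields the same stored value."""
    return hashlib.sha256(pw.encode()).hexdigest()


def hash_salted(pw: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS).hex()


def store_unsalted(users: dict) -> dict:
    return {user: hash_unsalted(pw) for user, pw in users.items()}


def store_salted(users: dict) -> dict:
    db = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_salted(pw, salt))
    return db


def crack_unsalted(db: dict, wordlist: list) -> tuple[dict, int]:
    """Build a lookup table once; every account is checked by a dictionary
    lookup. Returns (cracked accounts, hashes computed)."""
    table, work = {}, 0
    for word in wordlist:
        table[hash_unsalted(word)] = word
        work += 1
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, work


def crack_salted(db: dict, wordlist: list) -> tuple[dict, int]:
    """No shared table is possible: each account's salt forces a fresh slow
    hash per word. Returns (cracked accounts, hashes computed)."""
    found, work = {}, 0
    for user, (salt, h) in db.items():
        for word in wordlist:
            work += 1
            if hash_salted(word, salt) == h:
                found[user] = word
                break
    return found, work


if __name__ == "__main__":
    udb = store_unsalted(USERS)
    print("alice and bob share a hash:", udb["alice"] == udb["bob"])
    print("unsalted:", crack_unsalted(udb, WORDLIST))
    print("salted:  ", crack_salted(store_salted(USERS), WORDLIST))
```

Salting does not rescue 'password1': both weak accounts still fall, only at a cost that scales with the number of accounts rather than the size of the dictionary. What salting removes is the free "who shares a password" comparison and the precomputed table that makes one wordlist pass enough for a whole password file.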
System Limits
• For example, in Unix the password length is limited to 8 chars.
– Exhaustive search is feasible – about 2^52 combinations
• Even random passwords can be cracked.
– Huge number of users
– The attacker is happy to penetrate any account on the system
– A good botnet (1 million nodes) can do the job.
• CAPTCHA can help.
CAPTCHA
• Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA).
• Distinguish between humans and computers.
– Humans are good at recognizing things.
• One of the first attempts was 'Passfaces' – the system presents the user with a number of faces he has to recognize and select.
• Current CAPTCHAs – little graphic puzzles with distorted text.
– Sometimes block specific kinds of users (e.g. visually impaired users)
• Broken using AI algorithms or with help from humans
– http://habrahabr.ru/post/121032/ (sorry, in Russian)
Summary
• So, what have we learned today?