
Page 1: Human/User-Centric Security

Human/User-Centric Security

Dr Shujun Li
Deputy Director, Surrey Centre for Cyber Security (SCCS)
Senior Lecturer, Department of Computer Science
University of Surrey, Guildford

http://www.hooklee.com/
@hooklee75

Page 2: Human/User-Centric Security

User-centric security

GCHQ new (2016) password guidance

Page 3: Human/User-Centric Security

GCHQ new password guidance

Page 4: Human/User-Centric Security

GCHQ new password guidance

Page 5: Human/User-Centric Security

Case study: Password expiry policy

Page 6: Human/User-Centric Security

Case study: Password expiry policy @ Surrey

Page 7: Human/User-Centric Security

User-centric security

Let us look at more about passwords!

Page 8: Human/User-Centric Security

How many passwords are there?

- 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3
- 6 digits (PINs): 10^6 = 1 million ≈ 2^20
- Lowercase letters only, 7 characters: 26^7 ≈ 8 million ≈ 2^33
- Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 million ≈ 2^36
- Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 10 trillion ≈ 2^42
- Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5

Page 9: Human/User-Centric Security

How fast are today's supercomputers?

10 EFlops = 10^19 ≈ 2^63 floating-point operations per second
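To make the arithmetic on the "How many passwords are there?" and "How fast are today's supercomputers?" slides concrete, here is an added Python example (not part of the original slides) that recomputes each search space, expresses it as a power of two, and estimates the worst-case time to exhaust it at the slide's 10 EFlops figure. It assumes that one floating-point operation equals one password guess, which is a deliberately generous upper bound; a real guess costs at least one hash computation, so practical rates are much lower and depend on the hash function. A 16-character case is added beyond the slide's list to show how the space grows with length.

```python
import math

# Character-set sizes for the password classes listed on the slide.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
}

# Assumed guessing rate: the slide's 10 EFlops (1e19 operations/s) treated as
# 1e19 guesses/s. This is an upper bound assumed for illustration only; real
# cracking rates are far lower and depend on the password hash in use.
GUESSES_PER_SECOND = 10 ** 19


def space_size(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` characters over the charset."""
    return charset_size ** length


def bits(n: int) -> float:
    """Size of a search space expressed as an exponent of two (log2)."""
    return math.log2(n)


def exhaustive_search_seconds(n: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in a space of size n."""
    return n / rate


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3f} seconds"


def profile(charset_name: str, length: int) -> dict:
    """Summarise one password class: space size, bits, and exhaustive-search time."""
    n = space_size(CHARSETS[charset_name], length)
    return {
        "charset": charset_name,
        "length": length,
        "size": n,
        "bits": round(bits(n), 1),
        "time": human_duration(exhaustive_search_seconds(n)),
    }


if __name__ == "__main__":
    cases = [("digits", 4), ("digits", 6), ("lowercase", 7),
             ("lowercase+digits", 7), ("mixed case+digits", 7),
             ("mixed case+digits", 11), ("mixed case+digits", 16)]
    print(f"rate assumed: 10^19 ≈ 2^{bits(GUESSES_PER_SECOND):.0f} guesses/s")
    for charset_name, length in cases:
        p = profile(charset_name, length)
        print(f"{p['charset']:>18} x{p['length']:<2} "
              f"= {p['size']:.3g} ≈ 2^{p['bits']:<5} exhaust in {p['time']}")
```

Even the 11-character mixed-case class (≈2^65.5) falls in seconds at 2^63 guesses per second, which is why the comparison on the supercomputer slide matters: the defence is not the size of the space alone but the cost of each guess, which is what slow password hashing is for.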

Page 10: Human/User-Centric Security

What passwords are being used?

- Dinei Florêncio and Cormac Herley, "A Large-Scale Study of Web Password Habits," in Proc. WWW 2007, W3C/ACM
- Real passwords collected from 544,960 web users in three months in 2006.

Page 11: Human/User-Centric Security

What passwords are being used?

- DataGenetics, PIN analysis, 3rd September 2012
- 3.4 million leaked passwords composed of 4 digits.
- Patterns observed: xy00, 9999, 00xy, 19xy, mmdd, xyxy

Page 12: Human/User-Centric Security

Password cracking: 1979

- R. Morris and K. Thompson, "Password security: A case history," Communications of the ACM, vol. 22, no. 11, 1979
- In a collection of 3,289 passwords…
  - 15 were a single ASCII character
  - 72 were strings of two ASCII characters
  - 464 were strings of three ASCII characters
  - 477 were strings of four alphamerics
  - 706 were five letters, all upper-case or all lower-case
  - 605 were six letters, all lower-case
  - 492 appeared in dictionaries, name lists, and the like
  - 2,831 passwords in total

Page 13: Human/User-Centric Security

Password cracking: 1990

- Daniel V. Klein, "Foiling the Cracker: A Survey of, and Improvements to, Password Security," in Proc. USENIX Workshop on Security, 1990
- In a set of 15,000 passwords
  - 25% were cracked within 12 CPU months
  - 21% were cracked in the first week
  - 2.7% were cracked within the first 15 minutes

Page 14: Human/User-Centric Security

Password cracking: 2005

- Arvind Narayanan and Vitaly Shmatikov, "Fast dictionary attacks on passwords using time-space tradeoff," in Proc. CCS'2005, ACM
- In a collection of 142 real user passwords
  - 67.6% (96) were cracked with a search complexity of 2.17×10^9 ≈ 2^31

Page 15: Human/User-Centric Security

Password cracking: 2013

- Dan Goodin, "Anatomy of a hack: How crackers ransack passwords like 'qeadzcwrsfxv1331'," Ars Technica, 28 May 2013
- Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords.
- Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords.
- Remark 2: Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.

Page 16: Human/User-Centric Security

What can we learn from reality?

- The security-usability dilemma
  - Stronger passwords are more secure but harder for humans to remember.
  - Weaker passwords are easier for humans to remember but also easier to crack.
  - Strong passwords for humans ≠ strong passwords for automated password crackers
- End users have a tendency to choose usability over security: using easy-to-remember passwords.
- End users have not changed their ways of using (weak) passwords very much since the 1970s!

Page 18: Human/User-Centric Security

Solution: Password checkers?

- A password checker checks the strength of a given password and warns the user about its weakness.
- Proactive password checkers work at the client side while the user is entering his/her password.
- Reactive password checkers work at the server side after the user has set his/her password (by scanning all passwords of all users).
- All password checkers are based on one or more password meters, which estimate the strength of any given password; there are also standalone password meters.
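As an added illustration (example code written for this page, not from the slides or from any product), the following Python sketches both kinds of checker described above: a proactive check that inspects a single password at entry time, and a reactive scan over a stored set that buckets passwords in the spirit of the 1979 Morris and Thompson breakdown on the earlier slide. The common-password list, the 4-digit PIN patterns (the ones named on the DataGenetics slide) and the sample corpus are constructed for the example; a deployed checker would load a large wordlist, and a reactive checker would normally have to work from password hashes rather than plaintext.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a real wordlist of common passwords (assumption: a
# deployed checker would load a large leaked-password or dictionary list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "surrey"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character-class mix that covers pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and symbols
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the brute-force space pw lives in (the slide-8 arithmetic)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def matches_pin_pattern(pw: str) -> bool:
    """4-digit patterns from the PIN-analysis slide: 19xy, xyxy (incl. 9999), xy00, 00xy, mmdd."""
    if len(pw) != 4 or not pw.isdigit():
        return False
    mm, dd = int(pw[:2]), int(pw[2:])
    return (
        pw.startswith("19")                   # 19xy: birth years
        or pw[:2] == pw[2:]                   # xyxy: repeated pair, covers 9999
        or pw.endswith("00")                  # xy00
        or pw.startswith("00")                # 00xy
        or (1 <= mm <= 12 and 1 <= dd <= 31)  # mmdd: dates
    )


def check_password(pw: str):
    """Proactive check run at entry time: returns (verdict, list of reasons)."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if matches_pin_pattern(pw):
        reasons.append("matches a common 4-digit PIN pattern")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    b = brute_force_bits(pw)
    if b < 40:
        reasons.append(f"brute-force space only about 2^{b:.0f}")
    if reasons:
        return "weak", reasons
    return ("strong" if b >= 60 else "ok"), reasons


def classify_1979(pw: str) -> str:
    """Reactive-checker bucket modelled on the Morris & Thompson categories."""
    if pw.lower() in COMMON_PASSWORDS:
        return "dictionary word"
    if len(pw) <= 3:
        return "1-3 characters"
    if len(pw) == 4 and pw.isalnum():
        return "4 alphanumerics"
    if len(pw) == 5 and pw.isalpha() and (pw.islower() or pw.isupper()):
        return "5 single-case letters"
    if len(pw) == 6 and pw.isalpha() and pw.islower():
        return "6 lowercase letters"
    return "other"


def scan_corpus(passwords):
    """Reactive check over a whole stored set: count passwords per weak bucket."""
    return Counter(classify_1979(pw) for pw in passwords)


def weak_fraction(counts: Counter) -> float:
    """Share of the corpus that landed in one of the weak buckets."""
    total = sum(counts.values())
    return 1 - counts.get("other", 0) / total if total else 0.0


# Constructed sample corpus for the reactive scan (not real user data).
SAMPLE_CORPUS = ["a", "ok", "abc", "ab12", "HELLO", "hello", "surrey",
                 "password", "Tr0ub4dor&3xyz", "qeadzcwrsfxv1331"]

if __name__ == "__main__":
    for pw in ["password", "1984", "abc", "Tr0ub4dor&3xyz", "qeadzcwrsfxv1331"]:
        print(f"{pw!r}: {check_password(pw)}")
    counts = scan_corpus(SAMPLE_CORPUS)
    print(dict(counts), f"weak share: {weak_fraction(counts):.0%}")
```

Note the last test input: this meter rates "qeadzcwrsfxv1331" as strong because it only counts characters and classes, yet the Ars Technica slide records that exact password being cracked. Meters estimate the brute-force space; real crackers use dictionaries, keyboard-walk and date rules instead, so a meter's verdict is a heuristic, not a guarantee.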

Page 19: Human/User-Centric Security

Solution: Password managers?

- A password manager is a software/hardware tool managing the credentials of a user's multiple accounts.
- A master password is normally required to manage all passwords.
- Local password managers run on a local computer (which could be a smart phone) and store the data locally.
- Web-based password managers run from the Web or the cloud and store the data remotely at a web site.
- Cloud-based password managers run from a local computer or the Web and store the data remotely in a cloud.
- Data across devices can be synchronised.

Page 20: Human/User-Centric Security

More solutions?

- Passphrases
- Graphical passwords
- Strong password policies
- Frequently changed passwords
- One-time passwords (such as iTANs)
- Hardware-based solutions
  - One-time password generators (such as RSA® SecurID)
  - Physical tokens (such as smart cards)
- Biometrics (finger/face/iris/palm/… recognition, …)
- Multi-factor authentication
- Single sign-on (SSO)

Page 21: Human/User-Centric Security

Pass∞ (PassInfinity)

- A new technology developed by cyber security researchers (my PhD student and me) at the University of Surrey
- It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with current passwords.

Page 22: Human/User-Centric Security

Going beyond passwords

- Access control policies
- Data protection policies
- Bring your own device (BYOD) policies
- USB usage policies
- Email policies
- Confidential document management policies
- Computer incident reporting and investigation policies
- …

Page 23: Human/User-Centric Security

User-centric security

Why do we need cyber security policies?

Page 26: Human/User-Centric Security

A real hacker's testimony

"Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it."

Kevin D. Mitnick and William L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003

Page 27: Human/User-Centric Security

Social engineering everywhere: Phishing, SMiShing, vishing, …

- Getting your password from you.

Page 28: Human/User-Centric Security

A recent book on social engineering

- Christopher Hadnagy, Social Engineering: The Art of Human Hacking, John Wiley & Sons, Inc., 2010

Page 30: Human/User-Centric Security

User-centric security

Are you a weak link of your organisation(s)?

Page 31: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?

Page 32: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- For those who said YES to the previous question: How often do you use the above encryption software to protect your personal emails?

Page 33: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- Have you written one or more of your passwords down (on paper, on mobile phone, …) at least once to avoid forgetting them?

Page 35: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- Do you know how digital certificates are used with secure web sites such as online banking sites?

Page 36: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- If YES to the last question: How often do you check a digital certificate's contents against the claimed owner?

Page 37: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?

Page 38: Human/User-Centric Security

Are you a weak link of your organisation(s)?

- If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting?

Page 39: Human/User-Centric Security

User-centric security

The solution and take-home message: Human/User-centric security

Page 40: Human/User-Centric Security

Help users, not blame them!

Page 41: Human/User-Centric Security

How to help users?

- Better tools for all humans involved
  - Better user interfaces
  - More useful data
  - More user control
  - Visualisation & gamification
  - Personalisation & contextualisation
  - Human-in-the-loop
  - …
- Better guidance for all humans involved
  - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …

Page 42: Human/User-Centric Security

We can work together!

- Consultancy
- Technical reports
- Bespoke solutions (tools / data)
- Joint (research) projects
  - Cyber Aware (formerly known as Cyber Streetwise)
  - Cyber Security Body of Knowledge (CySec-BoK)
  - Individual research projects
- Communities
  - RISCS (Research Institute in Science of Cyber Security)
  - Living labs for cyber security
  - Meet-ups and networking events
  - …

Page 43: Human/User-Centric Security

Opportunities for collaboration

- Pass∞ (PassInfinity)
  - A new user authentication framework
- H-DLP
  - Human-assisted machine learning for bootstrapping DLP (data loss/leakage prevention) systems
- ACCEPT
  - Addressing Cybersecurity and Cybercrime via a co-Evolutionary approach to reducing human-related risks
- COMMANDO-HUMANS
  - COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity
- POLARBEAR
  - Pattern Of Life ANPR Behaviour Extraction Analysis and Recognition

Page 44: Human/User-Centric Security

User-centric security

Thanks! Questions?