Usability and Psychology Based on Ross J. Anderson “Security Engineering” Presentation by Gennady Laventman

Post on 12-Mar-2018

Page 1: Based on Ross J. Anderson “Security Engineering ...orrd/CompSecSeminar/2013/... · Based on Ross J. Anderson “Security Engineering” Presentation by Gennady Laventman. ... CAPTCHA

Usability and Psychology

Based on Ross J. Anderson “Security Engineering”

Presentation by Gennady Laventman

Page 2

Intro

• Many security attacks exploit psychology at least as much as technology.

– Phishing – over email.

– Pretexting – over the phone.

• Phone and online communications are relatively new, and humans don’t have the tools to detect deception without face-to-face interaction.

Page 3

Psychology based attacks

• Pretexting

– “Hello, I am MD Toosmart, I have patient Simpson, can you fax me his health record to 123456789”.

– Kevin Mitnick

– HP scandal

– Illegal in most first-world countries.

• Phishing

– Phishing is the act of attempting to acquire information such as usernames, passwords, etc. by masquerading as a trustworthy entity online.

– Targets customers, not employees. There are too many customers, and they think they are always right…

– Really nice tricks. Now that URLs support national characters, phishing has become more fun.

– Phishing losses in 2010 - 3.5 bn USD

Page 4

Psychology

• “The mind is what the brain does”

– Actually, we don’t know why the brain does what it does.

• The human brain is very different from computers

– Computers never forget (actually, women don’t forget either)

– Humans are bad at routine tasks.

– Under data overload, humans choose the strongest or most general rule.

– Humans continue to operate even under uncertainty.

– But humans recognize things much better.

Page 5

Behavioural Economics

• Heuristics that people use, and the biases that influence them, when making decisions.

– Daniel Kahneman and Amos Tversky, Nobel prize 2002

• Prospect theory

– We hate giving away money, even if it will bring us more.

– We are really bad at calculating probabilities and use bad analogies.

– We give more weight to recent facts.

– Video > Sound

– etc.

• Really bad risk calculation

– We can hardly plan for more than a dozen years.

– We prefer to be in control (driving a car vs. flying in a plane).

– Etc.

• Fraudsters, terrorists, politicians and other marketers know and use this.

Page 6

Mental Processing

• How do we explain things? Head vs. Heart…

– First, use the “scientific” approach.

– After it fails, use a “spiritual” explanation.

– “Somebody” did it – welcome, FSM.

– “Our bank will never, ever send you an email asking for your password”

– Emotion => people use their hearts more than their minds => people are insensitive to probability.

Page 7

Social Psychology

• Explains how people interact in groups.

• The second half of the 20th century was “fun” for Social Psychology

– Asch experiment

– Milgram experiment

– Stanford “prison” experiment

• Cognitive dissonance

Page 8

Passwords

• Really bad authentication mechanism.

– Humans can’t remember infrequently used, frequently changed, or many similar items.

– Humans can’t forget on demand.

– Recall is harder than recognition.

– Non-meaningful words are more difficult to remember.

• “Something you have, something you know, or something you are”

– Simson Garfinkel: ‘something you had once, something you’ve forgotten, or something you once were’

• Many log-ins – many passwords.

– Password reuse

Page 9

• SSN or “your mother’s maiden name”

– Easy to find – use Google

• Problems

– Password correctness - too long, user under stress, etc.

• Prepaid electricity meters in South Africa vs. US nuclear codes.

– The user can’t remember the password - writes it down or chooses an easy one.

• “Choose a password you can’t remember, and don’t write it down.”

– Will the user break the system security by disclosing the password to a third party, whether accidentally, on purpose, or as a result of deception?

Page 10

Page 11

Password choice

• 20 most common female names + 2 digits

– I assure you - any big organization’s password file contains at least one match.

• Let’s make users change passwords frequently and forbid the previous few choices

– People will reset passwords often, to reuse old passwords.

• Research proves that many people now choose slightly better passwords

– The most common password is not ‘password’ but ‘password1’ ☺

Page 12

• Sometimes you can force users to use really random passwords

– Government, Military, etc.

– Centrally assigned passwords are not always possible.

• Sometimes you can train users…

– And sometimes it works…

• Research about passwords

– Setup

• Red group – users choose a 6-letter password

• Green group – users create a password from a phrase

• Yellow group – users have to choose a random password from a list

– Results – green group won

• Passwords were easy to remember and hard to guess

• 1/3 of users just don’t do what they’re told

Page 13

Page 14

Passwords – more problems?

• Passwords – too many of them.

– People write passwords down in any case.

• Security questions – mostly based on publicly available data. Google it?

• Users who can choose a PIN often choose some year.

– Only 2000 choices.

– Many choose their birth date – only 99 choices

• Change default passwords!!!!

• R v Gold and Schifreen case in Great Britain

– Caused parliament to pass the first specific computer crime law.

Page 15

Example of good security question

Page 16

Social-Engineering Attacks

• Problem - users disclose passwords to third parties

– Accidentally or as a result of deception

• 1990 – Unix terminals ‘password fishing’

• Pretexting

– Credit card PINs

– Access to user passwords over the phone

– More examples in Mitnick’s ‘Art of Deception’.

• Many organizations try to prevent it by physical separation.

– Different phones in the military, root access only from the local terminal at Sun (no Sun anymore), etc.

Page 17

Phishing

• Ask users for their password by mail, for some security reason

– Many will reply with the correct one

• Inside each business there is a struggle between security people and sales people.

– Sales usually wins.

• Malicious emails with links

– Used both by phishermen and by the organization’s sales department.

– Very convenient mails – the user can’t tell if a mail is from the bank or not.

– Mails with links from banks.

– Mails that point to outside domains, from banks.

– Mails with executables, clickable pictures, etc. (from banks).

Page 18

Trusted Path

• Getting user credentials by technology, instead of psychology.

• Fake ATM machines.

– Collecting user PINs since 1993

• Skimmers - ATM with camera

– Sending pictures of users’ PINs since 2003

– Since 2005, sending data directly from the wire.

• Fake computers – we already saw them in ‘password fishing’.

– The reason why ‘ctrl-alt-del’ was born

Page 19

Phishing Countermeasures

• Phishing is a mix of psychology and technology, but most solutions are based on technology.

• People have been educated by internet merchants to click on links.

– Isn’t that what the Internet is all about? (except for pron)

– Most money on the internet comes from ads.

• Many techniques to deal with phishing.

– Some more successful than others.

Page 20

Password manglers

• Browser plugin that creates a unique per-domain password from the user’s password

• Problem to deal with – password sharing

• Problems

– Roaming

– Service on a different domain

– Different services - different password rules

– Browser specific

• A short search gives at least one such solution for Chrome
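To make the slide concrete, here is an added example (my own code, not the plugin the slide refers to) of how a password mangler derives a per-site password, and why two of the listed problems arise: a service served from a second domain yields a different password unless the name is normalized, and a site that demands symbols rejects every mangled password. The output alphabet, length, iteration count and the two-label domain rule are assumptions of this example.

```python
import hashlib
import string

# Added example, not the plugin's code: a password mangler in the style the
# slide describes. Output alphabet, length and iteration count are assumptions.
ALPHABET = string.ascii_letters + string.digits
OUT_LEN = 16
ITERATIONS = 50_000


def registrable_domain(host: str) -> str:
    """Reduce a host name to its last two labels (login.bank.example -> bank.example).
    Assumption: no public-suffix list, so names under co.uk etc. are handled wrongly;
    a real mangler needs that list, which is the 'service on a different domain'
    problem from the slide."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mangle(master: str, host: str, normalize: bool = True) -> str:
    """Derive a per-site password: PBKDF2-HMAC-SHA256 keyed by the master password
    with the site name as salt, mapped onto the output alphabet. The iterations make
    recovering the master password from one leaked site password slow."""
    site = registrable_domain(host) if normalize else host.lower()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(),
                              ITERATIONS, dklen=OUT_LEN)
    # byte -> alphabet index; 256 % 62 != 0 gives a tiny bias, tolerated here
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def meets_policy(password: str, require_symbol: bool) -> bool:
    """Stand-in for a site's password rules (the 'different password rules' problem).
    Our alphabet has no symbols, so a site requiring one rejects every mangled password."""
    return (not require_symbol) or any(c in string.punctuation for c in password)


if __name__ == "__main__":
    master = "correct horse"                      # constructed master password
    print(mangle(master, "bank.example"))
    print(mangle(master, "login.bank.example"))   # same site after normalization
    print(mangle(master, "login.bank.example", normalize=False))  # differs
```

A derived password reveals nothing about passwords for other sites, which is what addresses the password-sharing problem; the roaming problem remains, because the derivation runs in the browser plugin and is unavailable on a machine without it.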

Page 21

Client Certs or Special Apps

• SSL supports client-side certificates

• Banks provide non-browser-based applications.

• Problem to deal with – end-user authentication

• Problems

– Certificates are a pain to manage.

– Phishermen ask users to ‘update’ software.

– Phishermen ask users to ‘update’ their certificate by sending it to them

Page 22

Browser’s Password Database

• Users choose a really random password and let the browser store it.

• Problem to deal with – password reuse.

• Problems

– Same as with password manglers.

– Passwords stored unencrypted.

– Merchants forbid the autocomplete feature.

Page 23

Soft Keyboards

• Instead of a real keyboard – type the password on an on-screen keyboard.

– Latin American banks’ solutions.

• Deals with key-loggers.

• Problem

– Key-loggers send pictures of the area around each mouse click.

Page 24

Customer Education

• Banks try to educate their customers.

• Problem – the attacker is always one step ahead.

– Check the English – attackers hire native speakers.

– Look for the lock symbol – attackers use SSL

– Hover your mouse over the link – attackers add non-printing characters to the URL.

• The attacker always has the advantage, and end-users get lost in the huge amount of advice.

Page 25

Microsoft Passport

• Central authentication authority. Something like centralized Kerberos.

• Problem to solve – many services to log in to.

– Updates in one place. Both software and passwords.

• Problems

– Bugs in implementation –

• Sometimes a user could authenticate as someone else because of a race condition

• Cookie-stealing attack.

• Password reset attack.

– Have to use Microsoft software.

• Liberty Alliance

Page 26

Phishing Alert Toolbars

• Browser toolbars that use a number of heuristics to parse URLs and look for wicked ones

• Problem to solve – alert the user about wicked sites

• Problems

– Bugs in the IE 7 implementation

• A website which simply displays a picture of a browser with a nice green toolbar in the frame of the normal browser.

– Problems with using heuristics to spot dodgy sites.

Page 27

Two-Factor Authentication

• Use a site-specific ‘password calculator’ in addition to the memorized password.

– ‘something you have’ and ‘something you know’

• Problems

– Many small banks can’t afford it.

– Phishermen can use a real man-in-the-middle attack.

• In Europe, the chip authentication program (CAP) device is widely used.

– Used either to calculate a logon password, or to compute a message authentication code on the actual transaction contents.
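The last bullet is the whole point of the slide, so here is an added example (my own code, not CAP or any bank's implementation) contrasting the two modes. The logon-mode calculator is RFC 4226 HOTP; the sign-mode calculator is an HMAC over the transaction contents, with the field encoding, digit count and the constructed secret and transaction being assumptions of this example. A code that does not depend on the transaction is accepted no matter what request it arrives with, which is why a man-in-the-middle relay defeats logon-mode two-factor but not a transaction MAC.

```python
import hashlib
import hmac
import struct

# Added example, not bank or CAP vendor code. Secret and transaction fields are constructed.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: a 'password calculator' in logon mode. The code depends only
    on the shared secret and a counter, not on what the user is about to do."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_code(secret: bytes, counter: int, payee: str,
                     amount_cents: int, digits: int = 8) -> str:
    """CAP-style 'sign' mode: a MAC over the transaction contents, truncated to
    digits the user can type. The field encoding is this example's own choice."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big")
    return str(code % 10 ** digits).zfill(digits)


def bank_accepts_logon(secret: bytes, counter: int, code: str,
                       payee: str, amount_cents: int) -> bool:
    """Logon mode: the bank checks the code, then executes whatever transaction
    arrived with it. A relayed request with altered contents still passes."""
    return hmac.compare_digest(hotp(secret, counter), code)


def bank_accepts_signed(secret: bytes, counter: int, code: str,
                        payee: str, amount_cents: int) -> bool:
    """Sign mode: the bank recomputes the MAC over the contents it actually received,
    so a request whose payee or amount was changed in transit fails."""
    expected = transaction_code(secret, counter, payee, amount_cents)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    print(hotp(secret, 0))                    # 755224 per the RFC's table
    code = transaction_code(secret, 7, "plumber", 5000)
    print(bank_accepts_signed(secret, 7, code, "plumber", 5000))   # True
    print(bank_accepts_signed(secret, 7, code, "mule", 500000))    # False
```

In practice the user types the payee and amount into the device, reads the code off its display and enters it on the site; the bank's check in sign mode is exactly the recomputation shown, which is what ties the code to the transaction rather than to the session.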

Page 28

Trusted Computing

• TPM (Trusted Platform Module) security chips in PC motherboards

– Tie down a transaction to a particular PC

– More or less like CAP

• Windows Vista had it kinda working…

• Problems

– Roaming

– Problems with Linux and Mac computers

Page 29

Two-Channel Authentication

• Sending an access code to the user over a different channel

– SMS to mobile

– Banks can use it to authenticate transactions.

– Easier than CAP

• Problems

– Man-in-the-middle attack.

– Request a new SIM from the phone company (with the same number)

– Once the browser runs on the phone – the scheme is broken

Page 30

The Future of Phishing

• Damages will only become bigger.

– Phish not banks, but their suppliers

• Many new tricks

– Authority can be impersonated.

• Man-in-the-middle attacks.

• Most sales are now done using portable devices – so long, two-channel.

– Thank you, iPad.

• Big Brother model – everyone has an electronic ID, including security keys, etc.

– Did not work even for simple ID during the last USA elections

• Most of the fight will concentrate on the back-end.

Page 31

System issues

• Main problem – is it possible to limit the number of failed login attempts?

– Online – limited number of attempts (?)

– Offline – unlimited number of attempts (?)

• Threat models

– Targeted attack on one account

– Attempt to penetrate any account on a system

– Attempt to penetrate any account on any system

– Service denial attack

Page 32

Denial of service

• Seems quite simple – let’s block the user after a number of failed login attempts.

• Sometimes the attacker gets a list of users and thus blocks all users in the system.

– May cause total system DoS by flooding the system with failed logins.

– What will happen if the admin account is blocked?

– Can be used to blackmail the site owner

• Most commercial sites don’t use it. Exactly for those reasons.
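The slide explains why a plain lockout counter is a denial-of-service hazard; the added example below (my own code, not from any real site) simulates the scenario and contrasts the lockout with the alternative most commercial sites fall back on: counting failures per (account, source) and answering with a growing delay rather than a hard lock. User names, source addresses, thresholds and timestamps are constructed.

```python
from collections import defaultdict

# Added example, not from any real site: two ways to react to failed logins.
# User names, sources and timestamps are constructed.


class AccountLockout:
    """The scheme the slide warns about: N failures from anywhere lock the account."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def attempt(self, user: str, source: str, password_ok: bool, now: float) -> str:
        if self.failures[user] >= self.max_failures:
            return "locked"            # even a correct password is refused now
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        return "failure"


class SourceThrottle:
    """Failures are counted per (user, source) and answered with an exponentially
    growing delay, never a hard lock, so one source cannot deny service to the
    real user logging in from elsewhere."""

    def __init__(self, base_delay: float = 1.0, max_delay: float = 64.0):
        self.base_delay, self.max_delay = base_delay, max_delay
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def attempt(self, user: str, source: str, password_ok: bool, now: float) -> str:
        key = (user, source)
        if now < self.blocked_until.get(key, 0.0):
            return "throttled"         # told to wait; nothing is checked
        if password_ok:
            self.failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return "success"
        self.failures[key] += 1
        delay = min(self.base_delay * 2 ** (self.failures[key] - 1), self.max_delay)
        self.blocked_until[key] = now + delay
        return "failure"


def simulate(policy) -> dict:
    """Constructed scenario: someone holding the user list guesses wrongly at every
    account from one source; afterwards each real user logs in correctly from
    another source. Returns what each real user is told."""
    users = ["alice", "bob", "admin"]
    guesser = "203.0.113.9"
    now = 0.0
    for user in users:
        for _ in range(3):
            policy.attempt(user, guesser, False, now)
            now += 100.0               # spaced out, so no throttle delay is active
    return {user: policy.attempt(user, "198.51.100.7", True, now) for user in users}


if __name__ == "__main__":
    print(simulate(AccountLockout()))  # every real user, admin included, is locked out
    print(simulate(SourceThrottle()))  # every real user succeeds
```

Per-source throttling on its own does not stop the distributed guessing the deck mentions later (a botnet of a million nodes spreads attempts over many sources), so it is normally combined with other signals; the point here is only that it cannot be turned into a lockout of the whole user base by anyone holding the user list.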

Page 33

Protecting Oneself or Others?

• Most systems today have to continue to work even when some of the user accounts are compromised.

• The system should provide strong separation between users

– Unix and Windows have been designed to protect one user against accidental interference by another

• Virtualization looks like a promising solution.

– You broke into one of my Amazon instances – I will delete it and start a new one.

Page 34

Password Entry

• Interface flaw

– Somebody can look over your shoulder

– Somebody can look at your keyboard and/or screen

• Eavesdropping

– Let’s listen to public WiFi networks

– Switchboard facilities to log the keystrokes. WTF?

– Let’s connect a sniffer to the LAN

• I personally had a hard time convincing users to use ssh.

• Technical Defeats of Password Retry Counters

– It can’t be real – password characters checked one by one. Delays between responses used.

• To paraphrase Sheldon Cooper, this is the way the world ends. Not with a bang, but with a lazy hardware designer.
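The retry-counter defeat on this slide works because the comparator stops at the first wrong character, so the response time tells the observer how many leading characters were right and each position can be confirmed separately, within the retry budget. The added example below (my own code, not any device's firmware) models the lazy comparator next to a fixed-work one; a counted "cycles" value stands in for the measurable delay, and the PIN values are constructed.

```python
from __future__ import annotations

import hashlib
import hmac

# Added example, not any real device's firmware: two ways a PIN verifier can
# compare the entered PIN with the stored one. The 'cycles' count stands in for
# the response delay an observer could measure. PINs are constructed.


def leaky_verify(stored: str, entered: str) -> tuple[bool, int]:
    """Character-by-character check that stops at the first mismatch (the
    'lazy hardware designer' on the slide). The cycle count grows with the
    length of the correct prefix, so each position can be confirmed on its own."""
    cycles = 0
    for a, b in zip(stored, entered):
        cycles += 1
        if a != b:
            return False, cycles
    return len(stored) == len(entered), cycles


def constant_verify(stored: str, entered: str) -> tuple[bool, int]:
    """Compare fixed-length digests of both values with hmac.compare_digest, which
    examines every byte regardless of where they differ. Hashing first also hides
    the length; the cycle count is the digest length, the same for every guess."""
    a = hashlib.sha256(stored.encode()).digest()
    b = hashlib.sha256(entered.encode()).digest()
    return hmac.compare_digest(a, b), len(a)


def cycles_by_prefix(verify, stored: str, guesses: list[str]) -> list[int]:
    """Cycle counts for a list of guesses. A list that is not flat means the
    verifier leaks how much of the guess was right; a flat list means it does not."""
    return [verify(stored, g)[1] for g in guesses]


if __name__ == "__main__":
    stored = "7391"                                    # constructed PIN
    guesses = ["0000", "7000", "7300", "7390"]         # progressively longer correct prefix
    print(cycles_by_prefix(leaky_verify, stored, guesses))     # [1, 2, 3, 4]
    print(cycles_by_prefix(constant_verify, stored, guesses))  # [32, 32, 32, 32]
```

The cycle count is a model, not a measurement: Python itself gives no timing guarantees, but hmac.compare_digest is written so that its running time does not depend on where the inputs differ, which is the property a retry counter needs from the comparator beneath it.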

Page 35

Password Storage Attacks

• Bugs with passwords happen – there is no software without bugs

– One old system allowed log-in given a wrong password

– Bug in PIN allocation – once a bank allocated the same PIN to all users – nobody could see the allocated PINs, so nobody knew.

– Logging failed login attempts – sometimes users type the password as the user name.

– Bug in MIT ‘CTSS’ – the password file was shown as the greeting message

• One-Way Encryption – you’re doing it wrong.

– Passwords stored without salt – easy to compare.

• Password Cracking

– Dictionary attacks – on the password file or directly.
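"Stored without salt – easy to compare" and "dictionary attacks on the password file" are two sides of the same defect, so here is one added example (my own code, not any real system's) that shows both: with unsalted hashes, two users with the same password have identical records, and an audit of the file against a word list costs one hash per word for all users at once; with a per-user salt and an iterated hash every (word, user) pair costs a separate slow computation. The record format, the iteration count, the user list and the word list are constructed for this example.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Added example, not any real system's code. Records, users and word list are constructed.
ITERATIONS = 20_000   # kept low so the demo runs quickly; production values are far higher


def store_unsalted(password: str) -> str:
    """The 'doing it wrong' record: same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: bytes | None = None) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; record layout is this example's own."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def audit_unsalted(records: dict[str, str], wordlist: list[str]) -> tuple[dict, int]:
    """Defender's audit of an unsalted file: hash each word ONCE and look every user
    up in the table. Returns (user -> matched word, hash operations performed)."""
    table = {store_unsalted(w): w for w in wordlist}
    hits = {user: table[h] for user, h in records.items() if h in table}
    return hits, len(wordlist)


def audit_salted(records: dict[str, str], wordlist: list[str]) -> tuple[dict, int]:
    """Same audit against salted records: each (word, user) pair costs one PBKDF2 run,
    so the work grows with the number of users and with the iteration count."""
    hits, ops = {}, 0
    for user, record in records.items():
        for w in wordlist:
            ops += 1
            if verify_salted(w, record):
                hits[user] = w
                break
    return hits, ops


def demo() -> tuple[dict, int, dict, int]:
    """Constructed password file: two users share a weak password, one does not."""
    chosen = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
    wordlist = ["123456", "password", "password1", "qwerty"]
    unsalted = {u: store_unsalted(p) for u, p in chosen.items()}
    salted = {u: store_salted(p) for u, p in chosen.items()}
    hits_u, ops_u = audit_unsalted(unsalted, wordlist)
    hits_s, ops_s = audit_salted(salted, wordlist)
    return hits_u, ops_u, hits_s, ops_s


if __name__ == "__main__":
    print(demo())   # same hits either way; 4 operations unsalted, 10 slow ones salted
```

The unsalted audit also finds alice and bob without any word list at all, simply because their records are equal; that is the "easy to compare" point on the slide, and the salt removes it along with the shared precomputation.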

Page 36

System Limits

• For example, in Unix the password length is 8 chars.

– Can do exhaustive search - about 2^52 possibilities

• Even random passwords can be cracked.

– Huge number of users

– Attacker is content to penetrate any account on a system

– A good botnet (1 million nodes) can do the job.

• CAPTCHA can help.

Page 37

CAPTCHA

• Completely Automated Public Turing Test to Tell Computers and Humans Apart (CAPTCHA).

• Distinguish between humans and computers.

– Humans are good at recognizing things.

• One of the first attempts was ‘Passfaces’

– The system presents the user with a number of faces he has to recognize and select.

• Current CAPTCHAs – little graphic puzzles including distorted text.

– Sometimes block specific kinds of users:

• Broken using some AI algorithms or help from users

– http://habrahabr.ru/post/121032/ (sorry, in Russian)

Page 38

Page 39

Summary

• So, what have we learned today?