human/user-centric security

Post on 19-Feb-2017

TRANSCRIPT

Human/User-Centric Security

Dr Shujun Li, Deputy Director, Surrey Centre for Cyber Security (SCCS)

Senior Lecturer, Department of Computer Science, University of Surrey, Guildford

http://www.hooklee.com/ @hooklee75

User-centric security

GCHQ new (2016) password guidance

GCHQ new password guidance

GCHQ new password guidance

Case study: Password expiry policy

Case study: Password expiry policy @ Surrey

User-centric security

Let us look at more about passwords!

How many passwords are there?

- 4 digits (PINs): 10^4 = 10 thousand ≈ 2^13.3

- 6 digits (PINs): 10^6 = 1 million ≈ 2^20

- Lowercase letters only, 7 characters: 26^7 ≈ 8 million ≈ 2^33

- Lowercase letters + digits, 7 characters: 36^7 ≈ 78.4 million ≈ 2^36

- Lowercase & uppercase letters + digits, 7 characters: 62^7 ≈ 10 trillion ≈ 2^42

- Lowercase & uppercase letters + digits, 11 characters: 62^11 ≈ 52 quintillion ≈ 2^65.5

How fast are today’s supercomputers?

10 EFlops = 10^19 ≈ 2^63 operations per second

What passwords are being used?

- Dinei Florêncio and Cormac Herley, “A Large-Scale Study of Web Password Habits,” in Proc. WWW 2007, W3C/ACM

- Real passwords collected from 544,960 web users in three months in 2006.

What passwords are being used?

- DataGenetics, PIN analysis, 3rd September 2012

- 3.4 million leaked passwords composed of 4 digits.

[Figure: distribution of the leaked 4-digit PINs; pattern labels recovered from the figure: xy00, 9999, 00xy, 19xy, mmdd, xyxy]

Password cracking: 1979

- R. Morris and K. Thompson, “Password security: A case history,” Communications of the ACM, vol. 22, no. 11, 1979

- In a collection of 3,289 passwords…

  - 15 were a single ASCII character
  - 72 were strings of two ASCII characters
  - 464 were strings of three ASCII characters
  - 477 were strings of four alphamerics
  - 706 were five letters, all upper-case or all lower-case
  - 605 were six letters, all lower-case
  - 492 appeared in dictionaries, name lists, and the like

- 2,831 passwords in total (the sum of the categories above)

Password cracking: 1990

- Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” in Proc. USENIX Workshop on Security, 1990

- In a set of 15,000 passwords:

  - 25% were cracked within 12 CPU months
  - 21% were cracked in the first week
  - 2.7% were cracked within the first 15 minutes

Password cracking: 2005

- Arvind Narayanan and Vitaly Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. CCS’2005, ACM

- In a collection of 142 real user passwords:

  - 67.6% (96) were cracked with a search complexity of 2.17×10^9 ≈ 2^31

Password cracking: 2013

- Dan Goodin, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” ars technica, 28 May 2013

- Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords.

- Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords.

- Remark 2: Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.

What can we learn from reality?

- The security-usability dilemma

  - Stronger passwords are more secure but harder for humans to remember.
  - Weaker passwords are easier for humans to remember but also easier to crack.
  - Strong passwords for humans are not the same as strong passwords for automated password crackers.

- End users have a tendency to choose usability over security: using easy-to-remember passwords.

- End users have not changed the way they use (weak) passwords very much since the 1970s!

Solution: Password checkers?

- A password checker checks the strength of a given password and warns the user about its weakness.

- Proactive password checkers work at the client side while the user is entering his/her password.

- Reactive password checkers work at the server side after the user has set his/her password (by scanning all passwords of all users).

- All password checkers are based on one or more password meters, which estimate the strength of any given password; there are also standalone password meters.
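The keyspace arithmetic from the earlier slides (10^4, 26^7, 62^11, … against a 10^19 guesses-per-second machine) and the proactive/reactive checker distinction above can be put together in a few functions. The block below is an added example, not code from the presentation or from any product: the guess rate, the tiny weak-password list, the PIN pattern subset and the PBKDF2 storage format are all assumptions made for the demonstration.

```python
"""Password keyspace arithmetic plus a proactive and a reactive checker.
Added example (not code from the presentation); the guess rate, the weak
list and the storage format are assumptions made for the demonstration."""
import hashlib
import hmac
import math
import os
import string

# Assumption from the supercomputer slide: 10 EFlops ~= 1e19 operations/s,
# counted (pessimistically for the defender) as one password guess each.
GUESS_RATE = 1e19

CHAR_CLASSES = (string.digits, string.ascii_lowercase,
                string.ascii_uppercase, string.punctuation)

# Constructed stand-in for the leaked-password corpus a dictionary attack uses.
WEAK_LIST = {"password", "123456", "qwerty", "letmein", "1234", "0000"}

PBKDF2_ROUNDS = 10_000  # assumed server setting; production should use far more


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet_size ** length): the deck's '2^n' column."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       rate: float = GUESS_RATE) -> float:
    """Worst-case time to enumerate every string of this shape at `rate` guesses/s."""
    return alphabet_size ** length / rate


def alphabet_size_of(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = sum(len(cls) for cls in CHAR_CLASSES
               if any(c in cls for c in password))
    return max(size, 1)


def pin_patterns(pin: str) -> list:
    """Structural 4-digit PIN patterns from the DataGenetics slide (a subset)."""
    if not (pin.isdigit() and len(pin) == 4):
        return []
    first, second = int(pin[:2]), int(pin[2:])
    found = []
    if len(set(pin)) == 1:
        found.append("repeated digit")      # 0000, 9999, ...
    if pin[:2] == pin[2:]:
        found.append("xyxy")                # 1212, 9999, ...
    if pin.endswith("00"):
        found.append("xy00")                # 1900, 2000, ...
    if pin.startswith("19"):
        found.append("19xy")                # birth years
    if 1 <= first <= 12 and 1 <= second <= 31:
        found.append("mmdd")                # dates
    return found


def proactive_check(password: str) -> dict:
    """Client-side checker: assess a candidate before it is accepted."""
    size = alphabet_size_of(password)
    bits = keyspace_bits(size, len(password))
    patterns = pin_patterns(password)
    weak = password.lower() in WEAK_LIST
    # A dictionary or pattern hit is found long before brute force matters.
    seconds = 0.0 if (weak or patterns) else seconds_to_exhaust(size, len(password))
    return {
        "alphabet_size": size,
        "bits": round(bits, 1),
        "in_weak_list": weak,
        "patterns": patterns,
        "seconds_to_exhaust": seconds,
        "acceptable": not weak and not patterns and bits >= 60,
    }


def store(password: str) -> tuple:
    """Constructed storage format: (random salt, PBKDF2-HMAC-SHA256 digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def reactive_scan(records: dict) -> list:
    """Server-side checker: flag users whose stored hash equals a weak password.
    `records` maps username -> (salt, digest) as produced by store()."""
    flagged = []
    for user, (salt, digest) in records.items():
        for candidate in WEAK_LIST:
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(guess, digest):
                flagged.append(user)
                break
    return flagged


if __name__ == "__main__":
    for size, length in ((10, 4), (26, 7), (62, 7), (62, 11)):
        print(f"{size}^{length}: {keyspace_bits(size, length):.1f} bits, "
              f"{seconds_to_exhaust(size, length):.2e} s at 1e19 guesses/s")
    for pw in ("1900", "password", "c7R#9kLm2pQz"):
        print(pw, proactive_check(pw))
    print(reactive_scan({"alice": store("letmein"), "bob": store("c7R#9kLm2pQz")}))
```

Running it reproduces the slide's point numerically: even the 62^11 ≈ 2^65.5 space is exhausted in about five seconds at 2^63 guesses per second, while anything on the weak list or matching a PIN pattern is, in practice, found immediately regardless of its nominal keyspace. The reactive scan deliberately re-derives each candidate with the user's own salt, which is why a slow, per-user-salted hash is what makes such server-side audits (and attacks) expensive.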

Solution: Password managers?

- A password manager is a software/hardware tool managing the credentials of a user's multiple accounts.

- A master password is normally required to manage all passwords.

- Local password managers run on a local computer (which could be a smart phone) and store the data locally.

- Web-based password managers run from the Web or the cloud and store the data on a remote web site.

- Cloud-based password managers run from a local computer or the Web and store the data remotely in a cloud.

- Data across devices can be synchronised.

More solutions?

- Passphrases
- Graphical passwords
- Strong password policies
- Frequently changed passwords
- One-time passwords (such as iTANs)
- Hardware-based solutions
  - One-time password generators (such as RSA® SecurID)
  - Physical tokens (such as smart cards)
- Biometrics (finger/face/iris/palm/… recognition, …)
- Multi-factor authentication
- Single sign-on (SSO)

Pass∞ (PassInfinity)

- A new technology developed by cyber security researchers (my PhD student and me) at the University of Surrey

- It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with current passwords.

Going beyond passwords

- Access control policies
- Data protection policies
- Bring your own device (BYOD) policies
- USB usage policies
- Email policies
- Confidential documents management policies
- Computer incident reporting and investigation policies
- …

User-centric security

Why do we need cyber security policies?

A real hacker’s testimony

“Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.”

Kevin D. Mitnick and William L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003

Social engineering everywhere: Phishing, SMiShing, vishing, …

- Getting your password from you.

A recent book on social engineering

- Christopher Hadnagy, Social Engineering: The Art of Human Hacking, John Wiley & Sons, Inc., 2010

User-centric security

Are you a weak link of your organisation(s)?

Are you a weak link of your organisation(s)?

- Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?

Are you a weak link of your organisation(s)?

- For those who said YES in previous question: How often do you use the above encryption software to protect your personal emails?

Are you a weak link of your organisation(s)?

- Have you written one or more of your passwords down (on paper, on mobile phone, …) at least once to avoid forgetting them?

Are you a weak link of your organisation(s)?

- Do you know how digital certificates are used with secure web sites such as online banking sites?

Are you a weak link of your organisation(s)?

- If YES to the last question: How often do you check the digital certificate’s contents against the claimed owner?

Are you a weak link of your organisation(s)?

- Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?

Are you a weak link of your organisation(s)?

- If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting?

User-centric security

The solution and take-home message: Human/User-centric security

Help users, not blame them!

How to help users?

- Better tools for all humans involved
  - Better user interfaces
  - More useful data
  - More user control
  - Visualisation & gamification
  - Personalisation & contextualisation
  - Human-in-the-loop
  - …

- Better guidance for all humans involved
  - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …

We can work together!

- Consultancy
- Technical reports
- Bespoke solutions (tools / data)
- Joint (research) projects
  - Cyber Aware (formerly known as Cyber Streetwise)
  - Cyber Security Body of Knowledge (CySec-BoK)
  - Individual research projects
- Communities
  - RISCS (Research Institute in Science of Cyber Security)
  - Living labs for cyber security
  - Meet-ups and networking events
  - …

Opportunities for collaboration

- Pass∞ (PassInfinity): A new user authentication framework

- H-DLP: Human-assisted machine learning for bootstrapping DLP (data loss/leakage prevention) systems

- ACCEPT: Addressing Cybersecurity and Cybercrime via a co-Evolutionary approach to reducing human-related risks

- COMMANDO-HUMANS: COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity

- POLARBEAR: Pattern Of Life ANPR Behaviour Extraction Analysis and Recognition

User-centric security

Thanks! Questions?
