Post on 21-Dec-2015
Lecture 6 – Psychology: From Usability and Risk to Scams
Security
Computer Science Tripos part 2
Ross Anderson
Usability and Psychology
• ‘Why Johnny Can’t Encrypt’ – study of encryption program PGP – showed that 90% of users couldn’t get it right given 90 minutes
• Private / public, encryption / signing keys, plus trust labels was too much – people would delete private keys, or publish them, or whatever
• Security is hard – unmotivated users, abstract security policies, lack of feedback …
• Much better to have safe defaults (e.g. encrypt and sign everything)
• But economics often push the other way …
Usability and Psychology (2)
• 1980s concerns with passwords: technical (crack /etc/passwd, LAN sniffer, retry counter)
• 1990s concerns: weak defaults, attacks at point of entry (vertical ATM keypads), can the user choose a good password and not write it down?
• Our 1998 password trial: control group, versus random passwords, versus passphrase
• The compliance problem; and can someone who chooses a bad password harm only himself?
Social Engineering
• Use a plausible story, or just bully the target
• ‘What’s your PIN so I can cancel your card?’
• NYHA case
• Patricia Dunn case
• Kevin Mitnick ‘Art of Deception’
• Traditional responses:
– mandatory access control
– operational security
Social Engineering (2)
• Social psychology:
– Solomon Asch, 1951: two-thirds of subjects would deny obvious facts to conform to group
– Stanley Milgram, 1964: a similar number will administer torture if instructed by an authority figure
– Philip Zimbardo, 1971: you don’t need authority: the subjects’ situation / context is enough
• The Officer Scott case
• And what about users you can’t train (customers)?
Phishing
• Started in 2003 with six reported (there had been isolated earlier attacks on AOL passwords)
• By 2006, UK banks lost £35m (£33m by one bank) and US banks maybe $200m
• Early phish crude and greedy but phishermen learned fast
• E.g. ‘Thank you for adding a new email address to your PayPal account’
• The banks make it easy for them – e.g. Halifax
Phishing (2)
• Banks pay firms to take down phishing sites
• A couple have moved to two-factor authentication (CAP) – we’ll discuss later
• At present, the phished banks are those with poor back-end controls and slow asset recovery
• One gang (Rockphish) is doing half to two-thirds of the business
• Mule recruitment seems to be a serious bottleneck
Types of phishing website
• Misleading domain name
http://www.banckname.com/
http://www.bankname.xtrasecuresite.com/
• Insecure end user
http://www.example.com/~user/www.bankname.com/
• Insecure machine
http://www.example.com/bankname/login/
http://49320.0401/bankname/login/
• Free web hosting
http://www.bank.com.freespacesitename.com/
Rock-phish is different!
• Compromised machines run a proxy
• Domains do not infringe trademarks
– name servers usually done in similar style
• Distinctive URL style
http://session9999.bank.com.lof80.info/signon/
• Some usage of “fast-flux” from Feb ’07 onwards
– viz: resolving to 5 (or 10…) IP addresses at once
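A defender-side triage heuristic for the URL shapes listed above, as an added example that is not part of the lecture: it flags numeric hosts, a protected brand name sitting in a subdomain or in the path rather than in the registrable domain, look-alike second-level labels such as ‘banckname’, and the ‘sessionNNNN’ host labels of the rock-phish style. The brand list and the two-label approximation of the registrable domain are assumptions; a real deployment would use the public suffix list.

```python
import re
from urllib.parse import urlsplit

# Constructed list of brands the defender wants to watch (assumption, not from the lecture).
BRANDS = ["bankname", "bank"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike labels such as 'banckname'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return the slide category a URL most resembles, or 'no-signal'.

    Heuristic only: it produces leads for analyst review, not verdicts.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Naive registrable domain = last two labels (assumption; no public-suffix list).
    sld = labels[-2] if len(labels) >= 2 else host
    path = parts.path.lower()

    if re.fullmatch(r"[0-9.]+", host):          # e.g. the octal form 49320.0401
        return "insecure machine: numeric host"
    if any(re.fullmatch(r"session\d+", lbl) for lbl in labels):
        return "rock-phish style: session label in host"
    for brand in BRANDS:
        if sld == brand:                        # brand owns the registrable domain
            return "no-signal"
        if brand in labels[:-2]:                # brand used only as a subdomain label
            return "misleading domain / free hosting: brand in subdomain"
        if 0 < edit_distance(sld, brand) <= 2:  # typo-squat of the brand label
            return "misleading domain: look-alike label"
        if brand in path:                       # brand appears only in the path
            return "insecure end user / machine: brand in path"
    return "no-signal"
```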
Phishing website lifetimes (hours)
Category                            # sites (8 weeks)   Mean lifetime   Median lifetime
Non-rock                            1695                62              20
Rock-phish domains                  421                 95              55
Fast-flux rock-phish domains        57                  196             111
Rock-phish IP addresses             125                 172             26
Fast-flux rock-phish IP addresses   4287                139             18
Site lifetimes (hours), January 2008
Category                               Sites   Mean    Median
eBay sites on free web-hosting         395     47.6    0
  if eBay aware                        240     4.3     0
  if eBay not aware                    155     114.7   29
eBay sites on compromised hosts        193     49.2    0
  if eBay aware                        105     3.5     0
  if eBay not aware                    88      103.8   10
Rock-phish domains (all targets)       821     70.3    33
Fast-flux domains (all targets)        314     96.1    25.5
Mule recruitment
• Proportion of spam devoted to recruitment shows that this is a significant bottleneck
• Aegis, Lux Capital, Sydney Car Centre, etc
– mixture of real firms and invented ones
– some “fast-flux” hosting involved
• Only the vigilantes are taking these down
– impersonated are clueless and/or unmotivated
• Long-lived sites usually indexed by Google
Fake banks
• These are not “phishing”
– no-one takes them down, apart from the vigilantes
• Usual pattern of repeated phrases on each new site, so googling finds more examples
– sometimes old links left in (hand-edited!)
• Sometimes part of a “419” scheme
– inconvenient to show existence of dictator’s $millions in a real bank account!
• Or sometimes part of a lottery scam
Fraud and Phishing Patterns
• Fraudsters do pretty well everything that normal marketers do
• The IT industry has abandoned manuals – people learn by doing, and marketers train them in unsafe behaviour (click on links…)
• Banks’ approach is ‘blame and train’ – long known to not work in safety critical systems
• Their instructions ‘look for the lock’, ‘click on images not URLs’, ‘parse the URL’ are easily turned round, and discriminate against non-geeks
Results
• Ability to detect phishing is correlated with SQ-EQ
• It is (independently) correlated with gender
• So the gender HCI issue applies to security too