The "U" in SOUPS
I'm attending the Symposium on Usable Privacy and Security (SOUPS) this week. In its second year, the ACM conference strives to understand the known weakest link in security: the human. The focus this year is phishing and passwords. Humans are particularly susceptible to URL typos (a la Bankofthevvest.com), homographic attacks (substituting a Unicode "a"-like character in paypal.com, taking you to a different domain) and picture-in-picture attacks because we've become accustomed to trusting cues within the browser. And it's unreasonable to expect people to remember random mixed-case alphanumeric passwords that change regularly and are different for all of their accounts. Our brains just don't work that way. Some highlights from the conference:
Skinny-dipping on the Internet: A Windows machine connected to the Internet without anti-virus software will be infected in 11 minutes. Anti-virus software takes 14 minutes to install. (Oh, and that's the fastest software. McAfee 2006 takes 136 minutes and 8 reboot cycles.)
Lorrie Cranor, the conference organizer, received an email from the Nigerian government with registrations for three Nigerian attendees. The email included a request for travel visas, a typical request for conferences with international attendees. The credit cards went through. Lorrie showed the email on the overhead and asked whether we thought it was a scam. She thought so, but her staff didn't. Eventually they found out the cards were stolen. Lorrie suggested that the Nigerian government probably wouldn't use three exclamation points in the subject line.
Passpet: A password helper app that doesn't suck. Ping Yee and Kragen Sitaker developed a Firefox extension that generates secure passwords. It's a unique animal icon (e.g. goldfish, frog) that stores your own labels ("petnames") for each website you trust (e.g. Citibank.com is "my bank"). Because each user has a different animal, attackers can't chrome-spoof a Passpet (like they can a standard password entry dialog box). The Passpet runs a double hash on the site label and URL to create a secure password. Passpet remembers these passwords for each website for you, and all you need is a single secret (like "wonderland is fun") that you tell to Passpet before using it. When you click the Passpet on a known (labeled) site, it enters your username and password for you. You can't enter a password in a spoofed site, because it's not labeled. Passpet will refuse. Encrypted versions of your site labels are stored on a server of your choice so you can access your Passpet from any computer.
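The per-site derivation and the refusal on unlabeled sites, as an added Python illustration (this is not Passpet's own code; the hash-then-HMAC construction, the label book and the use of the quoted sample secret are assumptions):

```python
import hashlib
import hmac

# Added illustration of the Passpet idea described above: one master secret,
# a user-chosen "petname" per trusted site, and a password derived per site.
# This is not Passpet's code; the secret-hash-then-HMAC construction below is an
# assumption standing in for the "double hash" the post mentions.

MASTER_SECRET = "wonderland is fun"          # sample secret quoted in the post
LABELS = {"citibank.com": "my bank"}         # constructed label book: host -> petname
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def derive_password(secret, label, host, length=16):
    """Deterministically derive a per-site password.

    Hash 1 turns the memorable secret into a fixed-size key so the raw secret
    never touches a site. Hash 2 keys an HMAC over the petname and the host,
    so two sites never share a password and a changed label yields a new one.
    """
    key = hashlib.sha256(secret.encode("utf-8")).digest()
    msg = label.encode("utf-8") + b"\x00" + host.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Byte-to-character mapping; the modulo introduces a small bias, fine for
    # an illustration, but a real tool would use an unbiased encoding.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def fill_password(host, secret=MASTER_SECRET, labels=LABELS):
    """Return the password for a labeled host, or None for an unlabeled one.

    The None branch is the refusal the post describes: a look-alike domain
    (a homograph of citibank.com, say) has no petname, so nothing is typed.
    """
    label = labels.get(host)
    if label is None:
        return None
    return derive_password(secret, label, host)
```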
Gender differences in password management: Shirley Gaw presented a qualitative study of undergrads' perceptions about password management. They believe that hackers, competitors, and friends are the people most motivated and able to break into their accounts. Friends. She didn't focus on gender, but did mention that two female participants feared that their ex-boyfriends would compromise their accounts. Do guys worry about their girlfriends hacking their accounts? Perhaps they should listen to Barcelona's shell account song.
Cracking mnemonic phrase-based passwords: Lots of organizations encourage employees to generate passwords by using the first letter from a memorable phrase. But these phrase-based passwords are as easy—perhaps even easier—to crack because people pick publicly available phrases. In the study, 53% of the participants chose googleable phrases like:
- "I wish I were an Oscar Meyer weiner"
- My name is Inigo Montoya. You killed my father. Prepare to die.
- Kelly Clarkson lyrics
Unicode attacks: There are 2.6 billion possible URLs using unicode characters that look exactly like those in "citibank." Nifty IRI-based phishing chart at the City University of Hong Kong.
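A defensive screen for the look-alike hostnames this passage describes, added here as an example (it is not code from the post or from the linked chart; the confusable map and the brand watchlist are constructed and deliberately small):

```python
import unicodedata

# Added example of defensive homograph screening for the IDN problem the post
# describes. CONFUSABLES is a constructed, deliberately small map of Cyrillic
# and Greek letters to the ASCII letters they resemble; a production tool would
# use the Unicode confusables.txt table instead.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                 # Greek
}
WATCHLIST = {"citibank", "paypal"}   # constructed: brand labels to protect


def script_of(ch):
    """Script of a letter, taken from the start of its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else None  # digits and '-' are neutral


def display_form(host):
    """Decode punycode labels (xn--...) so the check sees what the user sees."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def skeleton(label):
    """Replace each confusable letter with its ASCII look-alike, then lowercase."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower()


def homograph_findings(host):
    """Return reasons a hostname looks like a homograph; an empty list is clean."""
    findings = []
    for label in display_form(host).split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            findings.append(f"{label!r} mixes scripts {sorted(scripts)}")
        sk = skeleton(label)
        if sk in WATCHLIST and sk != label.lower():
            findings.append(f"{label!r} is a look-alike of {sk!r}")
    return findings
```

The mixed-script rule catches labels that splice one foreign letter into an ASCII name; the skeleton rule catches the many distinct strings that all fold to the same watched brand.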
Customized spamming and phishing: Data mining is getting so good (think gmail ads) that soon spam and phishing will be customized to an individual level, but still generated automatically. So signature-based spam/phishing detection will be ineffective.
Smiling baby: As an aside, Lorrie has the most well behaved and adorable baby in the world. She attended the entire conference from Lorrie's lap. She was awake about as much as the adult participants.
Julie Downs: "To escape a bear, you don't have to run faster than the bear, just faster than the other people." Phishers just have to be smarter than the stupidest internet users.
Rob Franco (of Microsoft, when his IE demo didn't work): "Every Microsoft demo begins with an excuse."
Naive computer user: "I have Norton Antibiotics running on my computer."
A more thorough summary of the conference is on Ping's Usable Security blog.
Comments
I especially enjoy articles about areas I'm fringe-interested in, but not very expert in yet. So you can hear about clever things other people do and be truly amazed...
I'm with Kevin on the fringe-interest-not-yet-expert thing.
-- Margaret
So it's good these aren't dictionary words. But they're still not really all that random. First of all, they're all lowercase. So you've cut the search time in half (more, really, but let's just say half).
And these letters are all in easy-to-type locations on the keyboard. Lots of people do this; it's annoying to reach for numbers, the plus sign, hold down shift, etc. So, any brute force attack that just tried out letters would try the easy letters first, too.
You guys should both check out Ping's blog. It's full of stuff like this.
Great job pulling together info I was only peripherally aware of.
Back to my little black book full of individual gobbledygook. Oops! That was my favorite password. Please don't use it!