Slides of an invited talk given at the Fast Stream Conference 2017 - Digital: Definition Unknown, organised by UK Government's Civil Service Fast Stream, on 3 February 2017 in London.
Human/User-Centric Security
Dr Shujun Li
Deputy Director, Surrey Centre for Cyber Security (SCCS)
Senior Lecturer, Department of Computer Science
University of Surrey, Guildford
http://www.hooklee.com/
@hooklee75
How fast are today’s supercomputers?
10 EFlops = 10^19 flops ≈ 2^63
What passwords are being used?
- Dinei Florêncio and Cormac Herley, “A Large-Scale Study of Web Password Habits,” in Proc. WWW 2007, W3C/ACM
- Real passwords collected from 544,960 web users in three months in 2006.
What passwords are being used?
- DataGenetics, PIN analysis, 3rd September 2012
- 3.4 million leaked passwords composed of 4 digits.
- Common patterns labelled on the slide: xyxy, xy00, 00xy, 19xy, mmdd, 9999
Password cracking: 1979
- R. Morris and K. Thompson, “Password security: A case history,” Communications of the ACM, vol. 22, no. 11, 1979
- In a collection of 3,289 passwords…
  - 15 were a single ASCII character
  - 72 were strings of two ASCII characters
  - 464 were strings of three ASCII characters
  - 477 were strings of four alphamerics
  - 706 were five letters, all upper-case or all lower-case
  - 605 were six letters, all lower-case
  - 492 appeared in dictionaries, name lists, and the like
  - 2,831 of the 3,289 passwords in total fell into one of these classes
Password cracking: 1990
- Daniel V. Klein, “Foiling the Cracker: A Survey of, and Improvements to, Password Security,” in Proc. USENIX Workshop on Security, 1990
- In a set of 15,000 passwords
  - 25% were cracked within 12 CPU months
  - 21% were cracked in the first week
  - 2.7% were cracked within the first 15 minutes
Password cracking: 2005
- Arvind Narayanan and Vitaly Shmatikov, “Fast dictionary attacks on passwords using time-space tradeoff,” in Proc. CCS’2005, ACM
- In a collection of 142 real user passwords
  - 67.6% (96) were cracked with a searching complexity of 2.17×10^9 ≈ 2^31
Password cracking: 2013
- Dan Goodin, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” ars technica, 28 May 2013
- Three professional crackers were given 16,449 hashed passwords and the best of them was able to crack 90% of the passwords.
- Remark 1: All the passwords are considered harder ones because they are what remained uncracked in a much larger database of leaked passwords.
- Remark 2: Nate Anderson, Ars deputy editor and a self-admitted newbie to password cracking, was able to crack around 50% of the passwords within a few hours.
What can we learn from reality?
- The security-usability dilemma
  - Stronger passwords are more secure but harder for humans to remember.
  - Weaker passwords are easier for humans to remember but also easier to crack.
  - Strong passwords for humans are not the same as strong passwords for automated password crackers.
- End users have a tendency of choosing usability over security: using easy-to-remember passwords.
- End users have not changed their ways of using (weak) passwords very much since the 1970s!
Solution: Password checkers?
- A password checker checks the strength of a given password and warns the user about its weakness.
  - Proactive password checkers work at the client side while the user is entering his/her password.
  - Reactive password checkers work at the server side after the user has set his/her password (by scanning all passwords of all users).
- All password checkers are based on one or more password meters, which estimate the strength of any given password, but there are also standalone password meters.
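As an added example (not code from the slides or from the speaker), here is a minimal checker in Python that can be used both ways the slide describes: proactively on one candidate password, and reactively over a constructed table of users' passwords. It flags the weak classes Morris and Thompson counted in 1979, the 4-digit PIN patterns from the DataGenetics slide, and a small constructed word list standing in for a dictionary, and it estimates how long an exhaustive search of the password's character class would take at 10^19 guesses per second (the slides' 10 EFlops figure, taken as one guess per flop, which is an assumption, as are the verdict thresholds). COMMON_WORDS, the regexes, the thresholds and all sample passwords are constructed for this example.

```python
"""Proactive/reactive password checker: an added example, not from the slides."""
import re
import string

# Constructed stand-in for a dictionary; a real checker uses large wordlists.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# 4-digit PIN patterns labelled on the DataGenetics slide (regexes are ours).
PIN_PATTERNS = {
    "xyxy": re.compile(r"^(\d\d)\1$"),
    "xy00": re.compile(r"^\d\d00$"),
    "00xy": re.compile(r"^00\d\d$"),
    "19xy": re.compile(r"^19\d\d$"),
    "mmdd": re.compile(r"^(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$"),
    "9999": re.compile(r"^(\d)\1{3}$"),  # any single repeated digit
}

GUESSES_PER_SECOND = 1e19                  # assumption: 10 EFlops, one guess per flop
ONE_HOUR, ONE_YEAR = 3600, 365 * 24 * 3600  # assumed verdict thresholds


def alphabet_size(pw):
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return max(size, 1)


def brute_force_seconds(pw):
    """Worst-case time to enumerate every string of this length and alphabet."""
    return alphabet_size(pw) ** len(pw) / GUESSES_PER_SECOND


def weaknesses(pw):
    """Labels of the weak classes the password falls into (empty list = none)."""
    found = []
    if len(pw) <= 3:
        found.append("three characters or fewer")
    elif len(pw) == 4 and pw.isalnum():
        found.append("four alphanumerics")
    elif len(pw) == 5 and pw.isalpha() and (pw.islower() or pw.isupper()):
        found.append("five single-case letters")
    elif len(pw) == 6 and pw.isalpha() and pw.islower():
        found.append("six lower-case letters")
    if pw.lower() in COMMON_WORDS:
        found.append("dictionary word")
    if len(pw) == 4 and pw.isdigit():
        for name, pattern in PIN_PATTERNS.items():
            if pattern.match(pw):
                found.append("PIN pattern " + name)
    return found


def check_password(pw):
    """Proactive (client-side) check of one candidate password."""
    reasons = weaknesses(pw)
    seconds = brute_force_seconds(pw)
    if reasons or seconds < ONE_HOUR:
        verdict = "weak"
    elif seconds < ONE_YEAR:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {"verdict": verdict, "reasons": reasons, "brute_force_seconds": seconds}


def audit_passwords(credentials):
    """Reactive (server-side) scan: map each user with a weak password to the reasons."""
    report = {}
    for user, pw in credentials.items():
        result = check_password(pw)
        if result["verdict"] == "weak":
            report[user] = result["reasons"] or ["exhaustive search under an hour"]
    return report


if __name__ == "__main__":
    # Constructed sample passwords; "1984" hits the 19xy PIN pattern.
    for pw in ["abc", "1984", "password", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(pw, check_password(pw))
    print(audit_passwords({"alice": "Tr0ub4dor&3", "bob": "password",
                           "carol": "1984", "dave": "correcthorsebatterystaple"}))
```

The time estimate is deliberately the worst case for the attacker: it assumes nothing cleverer than enumerating the whole space, which is exactly what the dictionary and time-space tradeoff attacks on the surrounding slides avoid, so a real meter must weight structure and word lists far more heavily than raw length. Note also that a server normally stores only salted hashes, so a reactive checker in practice runs candidate guesses through the hash rather than reading passwords, which is the "password cracking used for good" point made in the speaker notes.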
Solution: Password managers?
- A password manager is a software/hardware tool managing credentials of multiple accounts of the user.
  - A master password is normally required to manage all passwords.
  - Local password managers run from a local computer (could be a smart phone) and store the data locally.
  - Web-based password managers run from the Web or the cloud and store the data on a remote web site.
  - Cloud-based password managers run from a local computer or the Web and store the data remotely in a cloud.
  - Data across devices can be synchronised.
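To make the master-password idea concrete, here is an added example (not code from the slides or from any real password manager) of a local vault in Python using only the standard library. The master password and a random salt are stretched with PBKDF2-HMAC-SHA256 into separate encryption and MAC keys; the JSON entries are encrypted with HMAC-SHA256 run in counter mode as a keystream generator; and an encrypt-then-MAC tag covers the whole blob, so a wrong master password or a modified vault file is rejected before anything is decrypted. The iteration count, the blob layout and the sample entries are assumptions/constructed; a production manager would use an AEAD cipher such as AES-GCM, which the standard library does not provide.

```python
"""Master-password protected local vault: an added example, not from the slides."""
import hashlib
import hmac
import json
import os
import struct

KDF_ITERATIONS = 200_000   # assumption; tune so derivation costs ~0.5 s on the device
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF-based keystream (stand-in for a real cipher)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest())
    return b"".join(blocks)[:length]


def seal_vault(entries, master_password):
    """Encrypt a dict of credentials under the master password; returns the vault bytes."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)  # fresh per seal
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in
                       zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC: the tag covers everything the opener will parse.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + tag + ciphertext


def open_vault(blob, master_password):
    """Verify the tag, then decrypt; raises ValueError on wrong password or tampering."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong master password or vault has been modified")
    plaintext = bytes(c ^ k for c, k in
                      zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def vault_roundtrip_ok(entries, master_password):
    """True if sealing and reopening with the same master password returns the entries."""
    return open_vault(seal_vault(entries, master_password), master_password) == entries


if __name__ == "__main__":
    # Constructed sample entries and master password.
    sample = {"example.com": {"user": "alice", "password": "constructed-p4ss"}}
    blob = seal_vault(sample, "correct horse battery staple")
    print(len(blob), "bytes;", open_vault(blob, "correct horse battery staple"))
```

Two design points matter for the human side of the slide. The slow key derivation is what makes offline guessing of the master password expensive once an attacker has the blob, so the master password is the one credential the user still has to choose well. And because the blob is self-contained and authenticated, the "synchronised across devices" case on the slide means the cloud or web service only ever holds this opaque, tamper-evident file.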
Pass∞ (PassInfinity)
- A new technology developed by cyber security researchers (my PhD student and me) at the University of Surrey
- It allows user-centric combinations of diverse authentication actions (across different factors), while keeping backward compatibility with current passwords.
Going beyond passwords
- Access control policies
- Data protection policies
- Bring your own device (BYOD) policies
- USB usage policies
- Email policies
- Confidential documents management policies
- Computer incident reporting and investigation policies
- …
Security is a process, NOT a product.
- Not “a product is secure” but “a process is secure.”
- Bruce Schneier, Secrets and Lies: Digital Security in a Networked World, John Wiley & Sons, Inc., 2004
Social engineering does work well!
- Hackers only need to break the weakest link in a process – humans!
- Weak human users vs. strong hackers
A real hacker’s testimony
“Testifying before Congress not long ago, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.”
- Kevin D. Mitnick and William L. Simon, The Art of Deception: Controlling the Human Element of Security, John Wiley & Sons Inc., 2003
Are you a weak link of your organisation(s)?
- Have you installed any encryption software (such as GPG) for your email client or your web browser (for web mail)?
- For those who said YES to the previous question: How often do you use the above encryption software to protect your personal emails?
- Have you written one or more of your passwords down (on paper, on a mobile phone, …) at least once to avoid forgetting them?
- Are you sharing passwords across multiple web sites? (A single sign-on (SSO) password is not counted.)
- Do you know how digital certificates are used with secure web sites such as online banking sites?
- If YES to the last question: How often do you check a digital certificate’s contents against the claimed owner?
- Have you seen a web browser warning about a digital certificate used by a website (untrusted issuer, expired or self-signed certificate, etc.)?
- If YES to the previous question: Did you choose to ignore the web browser warning(s) because you felt you could trust the website(s) you were visiting?
How to help users?
- Better tools for all humans involved
  - Better user interfaces
  - More useful data
  - More user control
  - Visualisation & gamification
  - Personalisation & contextualisation
  - Human-in-the-loop
  - …
- Better guidance for all humans involved
  - Awareness campaigns, education, training, serious games, more user-friendly and consistent guidelines and policies, …
We can work together!
- Consultancy
- Technical reports
- Bespoke solutions (tools / data)
- Joint (research) projects
- Cyber Aware (formerly known as Cyber Streetwise)
- Cyber Security Body of Knowledge (CySec-BoK)
- Individual research projects
- Communities
  - RISCS (Research Institute in Science of Cyber Security)
  - Living labs for cyber security
  - Meet-ups and networking events
- …
Opportunities for collaboration
- Pass∞ (PassInfinity)
  - A new user authentication framework
- H-DLP
  - Human-assisted machine learning for bootstrapping DLP (data loss/leakage prevention) systems
- ACCEPT
  - Addressing Cybersecurity and Cybercrime via a co-Evolutionary approach to reducing human-related risks
- COMMANDO-HUMANS
  - COMputational Modelling and Automatic Non-intrusive Detection Of HUMan behAviour based iNSecurity
- POLARBEAR
  - Pattern Of Life ANPR Behaviour Extraction Analysis and Recognition
Ask the audience to read the infographic quickly and ask them where digital technologies appear and which items are about cyber security policies. Then go through those bullet points one after the other (skipping the one on password expiration).
Digital technologies mentioned: password cracking (can be used for good purposes such as reactive password checkers and evaluating password strength meters); proactive and reactive password checkers; password use monitoring and statistics; CAPTCHA and 4th factor for authentication; password manager; SSO and other factors of user authentication; password reset / recovery authentication; encrypt passwords at server side (strong salting); password security awareness and education (=> personalisation and contextualization); …
Digital technologies not mentioned: HTTPS, TLS/SSL, and all other network protocols, …
ISAGG = Information Security & Governance Group
Exactly 30 years ago…
Around 20 years ago…
Four years ago…
Rule based approach, hybrid approach, …
http://en.wikipedia.org/wiki/Xkcd
xkcd, sometimes stylized as XKCD, is a webcomic created by Randall Munroe. The comic's tagline describes it as "a webcomic of romance, sarcasm, math, and language."[‡ 1] Munroe mentions on the comic's website that the name of the comic is not an acronym but "just a word with no phonetic pronunciation".
Do they solve the problem completely?
All of them have some usability problems. We will focus on graphical passwords to show it’s not trivial to have a better solution.
Does anybody happen to know the person in the middle of the three?
In the late 20th century, he was convicted of various computer and communications-related crimes. At the time of his arrest, he was the most-wanted computer criminal in the United States.
At age 12, Mitnick used social engineering to bypass the punchcard system used in the Los Angeles bus system. After a friendly bus driver told him where he could buy his own ticket punch, he could ride any bus in the greater LA area using unused transfer slips he found in the trash. Social engineering became his primary method of obtaining information, including user-names and passwords and modem phone numbers.[3]
Mitnick first gained unauthorized access to a computer network in 1979, at 16, when a friend gave him the phone number for the Ark, the computer system Digital Equipment Corporation (DEC) used for developing their RSTS/E operating system software. He broke into DEC's computer network and copied their software, a crime he was charged with and convicted of in 1988. He was sentenced to 12 months in prison followed by three years of supervised release. Near the end of his supervised release, Mitnick hacked into Pacific Bell voice mail computers. After a warrant was issued for his arrest, Mitnick fled, becoming a fugitive for two and a half years.
Mitnick served five years in prison — four and a half years pre-trial and eight months in solitary confinement — because, according to Mitnick, law enforcement officials convinced a judge that he had the ability to "start a nuclear war by whistling into a pay phone"[7] meaning that law enforcement told the judge that he could somehow dial into the NORAD modem via a payphone from prison and communicate with the modem by whistling to launch nuclear missiles.[8] He was released on January 21, 2000. During his supervised release, which ended on January 21, 2003, he was initially forbidden to use any communications technology other than a landline telephone. Mitnick fought this decision in court, eventually winning a ruling in his favor, allowing him to access the Internet. Under the plea deal, Mitnick was also prohibited from profiting from films or books based on his criminal activity for seven years. Mitnick now runs Mitnick Security Consulting LLC, a computer security consultancy.
According to the U.S. Department of Justice, Mitnick gained unauthorized access to dozens of computer networks while he was a fugitive. He used cloned cellular phones to hide his location and, among other things, copied valuable proprietary software from some of the country's largest cellular telephone and computer companies. Mitnick also intercepted and stole computer passwords, altered computer networks, and broke into and read private e-mail. Mitnick was apprehended on February 15, 1995 in Raleigh, North Carolina.[4] He was found with cloned cellular phones, more than 100 clone cellular phone codes, and multiple pieces of false identification.[5]
Vishing = voice phishing (phishing over voice)
The image on the right seems to be an “orphan image”. I did search on the web but cannot find its owner.
Weak distributors may choose to exclude one security-oriented component to make their distributions more competitive in the market in terms of price.
Weak humans vs. Strong attacker as well.
Cormac Herley: “It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificate errors. We argue that users' rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses. Thus we find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”