CMU Usable Privacy and Security Laboratory
http://cups.cs.cmu.edu/
Operating system framed in
case of mistaken identity
Me...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
22
Motivation
 Users have to make security decisio...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
33
Trusted path problem
 How do users know that in...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
44
Possible consequences
 Install or run malicious...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
55
Windows has two defenses
 Ctrl-Alt-Del before e...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
66
Research question
What proportion of users would...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
77
Experimental design
“Give us your opinion
about ...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1010
1010
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1212
1212
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1414
1414
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1616
1616
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1717
1717
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1818
1818
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
1919
1919
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2020
2020
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2121
2121
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2222
2222
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2323
2323
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2424
2424
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2525
2525
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2626
2626
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2727
2727
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2828
2828
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
2929
2929
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3030
3030
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3131
3131
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3232
3232
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3535
3535
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3636
3636
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3838
3838
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
3939
3939
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4040
4040
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4242
Conditions
UAC CredUI Mac OS w/
install Mac OS...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4343
Challenges in learning what really happened
 ...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4444
How do we determine if a participant knew that...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4646
Results
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4747
Participants' demographics
 504 US-only parti...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4848
We categorize participants into three groups
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
4949
Who was wise to the attack?
UAC CredUI Mac OS ...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5050
Who was oblivious?
UAC CredUI Mac OS w/
instal...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5151
Who was compromised?
UAC CredUI Mac OS w/
inst...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5252
Follow-up for UAC, cancel-enabled
[15.0% – 26....
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5353
Limitations of deception
 In both cases: dial...
• CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/
5454
Conclusions and future work
 A large number o...
CMU Usable Privacy and Security
Laboratory
http://cups.cs.cmu.edu/
Upcoming SlideShare
Loading in...5
×

Operating system framed in case of mistaken identity

172

Published on

Presented at CCS'12 at Raleigh, NC, US.

When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established; evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to login to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password.

Get the paper at http://dl.acm.org/citation.cfm?id=2382237.

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
172
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Operating system framed in case of mistaken identity

  1. 1. CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ Operating system framed in case of mistaken identity Measuring the success of web-based spoofing attacks on OS password-entry dialogs Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri, Manya Sleeper (Carnegie Mellon University) Stuart Schechter (Microsoft Research)
  2. 2. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 22 Motivation  Users have to make security decisions too often  Decisions are usually based on: • Information presented on-the-fly by different principals (OS, browser, etc.) • Beliefs, knowledge, hunches...  Many decisions are triggered by security dialogs
  3. 3. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 33 Trusted path problem  How do users know that information presented by the OS really comes from the OS?  Would users be able to spot fake dialogs asking for a password?
  4. 4. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 44 Possible consequences  Install or run malicious software (e.g., fake AV software)  Ignore security warnings  Turn OS security features off  Reveal secrets that should only be shared with OS (passwords)
  5. 5. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 55 Windows has two defenses  Ctrl-Alt-Del before entering password • “Don't enter your password without hitting Ctrl-Alt-Del”  Trusted desktop: • Dimming screen outside of UAC dialog • “Enter your password without Ctrl-Alt-Del only if screen dims”
  6. 6. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 66 Research question What proportion of users would enter their passwords in a spoofed OS window?
  7. 7. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 77 Experimental design “Give us your opinion about online games” “Is the password you entered real?” “May we keep it for research?”
  8. 8. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1010 1010
  9. 9. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1212 1212
  10. 10. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1414 1414
  11. 11. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1616 1616
  12. 12. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1717 1717
  13. 13. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1818 1818
  14. 14. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1919 1919
  15. 15. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2020 2020
  16. 16. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2121 2121
  17. 17. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2222 2222
  18. 18. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2323 2323
  19. 19. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2424 2424
  20. 20. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2525 2525
  21. 21. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2626 2626
  22. 22. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2727 2727
  23. 23. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2828 2828
  24. 24. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2929 2929
  25. 25. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3030 3030
  26. 26. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3131 3131
  27. 27. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3232 3232
  28. 28. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3535 3535
  29. 29. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3636 3636
  30. 30. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3838 3838
  31. 31. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3939 3939
  32. 32. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4040 4040
  33. 33. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4242 Conditions UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled
  34. 34. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4343 Challenges in learning what really happened  How can we know which participants entered real passwords? • If deceived, participants may be/feel (deeply) harmed • Participants may not want to admit being deceived • We cannot ethically/legally verify that we’ve tricked them without their consent  How can we know which participants detected spoofing? • People don't like admitting that they were fooled
  35. 35. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4444 How do we determine if a participant knew that the window was spoofed?
  36. 36. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4646 Results
  37. 37. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4747 Participants' demographics  504 US-only participants across 11 conditions: • 28 years old (σ=9.6 years) • 55% males, 78% caucasian • Top two reported occupations: 33% students, 13% unemployed • 17 min 23 sec to complete study (σ=18 min 15 sec)  199 US-only participants in follow-up experiment: • 29 years old (σ=9.7 years) • 53% males, 77% caucasian • Top two reported occupations: 28% students, 16% unemployed • 19 min 57 sec to complete study (σ=8 min 26 sec)
  38. 38. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4848 We categorize participants into three groups
  39. 39. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4949 Who was wise to the attack? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 27% 29% 34% 40% 29% 19% 29% 57%
  40. 40. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5050 Who was oblivious? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 40% 37% 45% 45% 43% 42% 65% 39%
  41. 41. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5151 Who was compromised? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 27% 35% 21% 15% 8% 6% 4%8%
  42. 42. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5252 Follow-up for UAC, cancel-enabled [15.0% – 26.2%] [25.2% – 38.2%] [40.8% – 54.6%]
  43. 43. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5353 Limitations of deception  In both cases: dialog embedded in browser  In Windows: no screen dim-out  In Mac OS: no username filled-in, simplified installation sequence  Despite these differences, we still had participants who entered their credentials: • At least 15% in Windows 7/Vista across IE9, Chrome, and Firefox • ~ 6% in Mac OS across Safari, Chrome and Firefox • 5% fake AV attacks [Cova et al. 2010, 2012]
  44. 44. • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5454 Conclusions and future work  A large number of users are not able to discriminate whether information comes from the OS or a malicious attacker  Problem may be worsened by: • Habituation to dialogs • Lack of attention, not knowing what to look for/where to look  Future work: • Design and test new ways to drive users' attention to critical information in the security dialog • Determine how quickly habituation occurs, and ways to avoid it
  45. 45. CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×