Operating system framed in case of mistaken identity
Upcoming SlideShare
Loading in...5
×
 

Operating system framed in case of mistaken identity

on

  • 161 views

Presented at CCS'12 at Raleigh, NC, US. ...

Presented at CCS'12 at Raleigh, NC, US.

When asking users to enter credentials, today's desktop operating systems often use windows that provide scant evidence that a trusted path has been established; evidence that would allow a user to know that a request is genuine and that the password will not be read by untrusted principals. We measure the efficacy of web-based attacks that spoof these operating system credential-entry windows to steal users' device-login passwords. We recruited 504 users of Amazon's Mechanical Turk to evaluate a series of games on third-party websites. The third such website indicated that it needed to install software from the publisher that provided the participants' operating system: Microsoft's Silverlight for Windows Vista/7 users and Apple's QuickTime for Mac OS users. The website then displayed a spoofed replica of a window the participant's client operating system would use to request a user's device credentials. In our most effective attacks, over 20% of participants entered passwords that they later admitted were the genuine credentials used to login to their devices. Even among those who declined to enter their credentials, many participants were oblivious to the spoofing attack. Participants were more likely to confirm that they were worried about the consequences of installing software from a legitimate source than to report that they thought the credential-entry window might have appeared as a result of an attempt to steal their password.

Get the paper at http://dl.acm.org/citation.cfm?id=2382237.

Statistics

Views

Total Views
161
Views on SlideShare
157
Embed Views
4

Actions

Likes
0
Downloads
0
Comments
0

1 Embed 4

http://www.linkedin.com 4

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

CC Attribution License

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Operating system framed in case of mistaken identity Operating system framed in case of mistaken identity Presentation Transcript

  • CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/ Operating system framed in case of mistaken identity Measuring the success of web-based spoofing attacks on OS password-entry dialogs Cristian Bravo-Lillo, Lorrie Cranor, Julie Downs, Saranga Komanduri, Manya Sleeper (Carnegie Mellon University) Stuart Schechter (Microsoft Research)
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 22 Motivation  Users have to make security decisions too often  Decisions are usually based on: • Information presented on-the-fly by different principals (OS, browser, etc.) • Beliefs, knowledge, hunches...  Many decisions are triggered by security dialogs
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 33 Trusted path problem  How do users know that information presented by the OS really comes from the OS?  Would users be able to spot fake dialogs asking for a password?
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 44 Possible consequences  Install or run malicious software (e.g., fake AV software)  Ignore security warnings  Turn OS security features off  Reveal secrets that should only be shared with OS (passwords)
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 55 Windows has two defenses  Ctrl-Alt-Del before entering password • “Don't enter your password without hitting Ctrl-Alt-Del”  Trusted desktop: • Dimming screen outside of UAC dialog • “Enter your password without Ctrl-Alt-Del only if screen dims”
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 66 Research question What proportion of users would enter their passwords in a spoofed OS window?
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 77 Experimental design “Give us your opinion about online games” “Is the password you entered real?” “May we keep it for research?”
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1010 1010
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1212 1212
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1414 1414
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1616 1616
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1717 1717
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1818 1818
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 1919 1919
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2020 2020
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2121 2121
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2222 2222
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2323 2323
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2424 2424
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2525 2525
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2626 2626
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2727 2727
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2828 2828
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 2929 2929
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3030 3030
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3131 3131
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3232 3232
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3535 3535
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3636 3636
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3838 3838
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 3939 3939
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4040 4040
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4242 Conditions UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4343 Challenges in learning what really happened  How can we know which participants entered real passwords? • If deceived, participants may be/feel (deeply) harmed • Participants may not want to admit being deceived • We cannot ethically/legally verify that we’ve tricked them without their consent  How can we know which participants detected spoofing? • People don't like admitting that they were fooled
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4444 How do we determine if a participant knew that the window was spoofed?
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4646 Results
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4747 Participants' demographics  504 US-only participants across 11 conditions: • 28 years old (σ=9.6 years) • 55% males, 78% caucasian • Top two reported occupations: 33% students, 13% unemployed • 17 min 23 sec to complete study (σ=18 min 15 sec)  199 US-only participants in follow-up experiment: • 29 years old (σ=9.7 years) • 53% males, 77% caucasian • Top two reported occupations: 28% students, 16% unemployed • 19 min 57 sec to complete study (σ=8 min 26 sec)
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4848 We categorize participants into three groups
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 4949 Who was wise to the attack? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 27% 29% 34% 40% 29% 19% 29% 57%
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5050 Who was oblivious? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 40% 37% 45% 45% 43% 42% 65% 39%
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5151 Who was compromised? UAC CredUI Mac OS w/ install Mac OS w/o install Cancel enabled Cancel disabled 27% 35% 21% 15% 8% 6% 4%8%
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5252 Follow-up for UAC, cancel-enabled [15.0% – 26.2%] [25.2% – 38.2%] [40.8% – 54.6%]
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5353 Limitations of deception  In both cases: dialog embedded in browser  In Windows: no screen dim-out  In Mac OS: no username filled-in, simplified installation sequence  Despite these differences, we still had participants who entered their credentials: • At least 15% in Windows 7/Vista across IE9, Chrome, and Firefox • ~ 6% in Mac OS across Safari, Chrome and Firefox • 5% fake AV attacks [Cova et al. 2010, 2012]
  • • CMU Usable Privacy and Security Laboratory • http://cups.cs.cmu.edu/ 5454 Conclusions and future work  A large number of users are not able to discriminate whether information comes from the OS or a malicious attacker  Problem may be worsened by: • Habituation to dialogs • Lack of attention, not knowing what to look for/where to look  Future work: • Design and test new ways to drive users' attention to critical information in the security dialog • Determine how quickly habituation occurs, and ways to avoid it
  • CMU Usable Privacy and Security Laboratory http://cups.cs.cmu.edu/