Research Problems in Information Assurance Talk for the second year DPS students Li-Chiou Chen Seidenberg School of Computer Science and Information Systems Pace University 03/15/08

© Li-Chiou Chen, CSIS, Pace 2 Agenda Past research projects in Internet-based attacks Ongoing research projects in security usability & web security Student research projects

© Li-Chiou Chen, CSIS, Pace 3 Interdisciplinary study in information assurance Technology domain: Security Technology Problem domain: Social, Economical and Policy Issues Research Methodology: Computational Modeling

© Li-Chiou Chen, CSIS, Pace 4 Countermeasures for the propagation of computer viruses Problem: What anti-virus strategy works better to slow down the propagation of a new computer virus Method:  Simulate the spread of computer viruses and countermeasures using agent-based simulation  Run on 4 different theoretical network topology and 2 different empirical network topology  Compare five different strategies  Propose a new one – Countermeasure competing (CMC) Past project - Computer viruses

© Li-Chiou Chen, CSIS, Pace 5 Results and further research issues Results - countermeasure propagation network is more effective than others when  this network has a few highly connected nodes like P2P networks  the rate of countermeasure propagation is faster than the rate of virus infection Further research  How about zero-day worms?  The same model can be used to discussed the diffusion of ideas, the diffusion of disease, etc Past project - Computer viruses

© Li-Chiou Chen, CSIS, Pace 6 Distributed denial-of-service (DDOS) attacks and defenses Past project - Distributed denial of service

A research framework for DDOS problems © Li-Chiou Chen, CSIS, Pace 7 Past project - Distributed denial of service

© Li-Chiou Chen, CSIS, Pace 8 Further research problems Defenses for attacks against infrastructures, such as routers and DNS servers Assessment of risk attitude of subscribers and providers  E.g., the premium that a subscriber would like to pay in order to avoid the risk of DDOS attacks Procedures for determining a liability assignment Past project - Distributed denial of service

© Li-Chiou Chen, CSIS, Pace 9 Security usability of banking web sites What is usability? Problems:  Phishing: users can distinguish legitimate web sites from phishing web sites  a security usability problem of web interface design  What is the status quo?  What can we improve from here? Ongoing project – Security Usability

How do you distinguish legitimate web sites from fake ones © Li-Chiou Chen, CSIS, Pace 10 Ongoing project – Security Usability

Banking web site survey Top 100 banks from FDIC (Federal Deposit Insurance Corporation) Institution Directory Database Examine the login page of each online banking web site Three types of information  Security indicators: HTTPS, lockpad, security seal  Security certificate: common name, organization name, SSL version, cipher, validity  Site security information: security guide, phishing info, lock next to login Tools: Openssl library, awk, Linux shell programs © Li-Chiou Chen, CSIS, Pace 11 Ongoing project – Security Usability

Confusing login interfaces Company web site redirect to a secure server with a login page SSL is negotiated after users enter user name and password Popup windows for login The little secure lock next to login screen has a different meaning in different sites  Some have no links, some link to security information, some change the interface to show security indicators, some connects to 3 rd party certification © Li-Chiou Chen, CSIS, Pace 12 Ongoing project – Security Usability

Preliminary Results Number Percentage of total servers surveyed Banking Secure Servers Surveyed80 Login page without certificate padlock and https 19 24% Popup window used for login3 4% Invalid certificate1 1% Bank name is inconsistent with subject name11 14% outsourcing6 8% bank holding company name5 6% © Li-Chiou Chen, CSIS, Pace 13 Ongoing project – Security Usability

Cipher exchanged is not always the most secure one © Li-Chiou Chen, CSIS, Pace 14 Cipher SuiteNumber of Servers Percentage of the total server surveyed AES256-SHA13 16% DES-CBC3-SHA4 5% DHE-RSA-AES256-SHA6 8% RC4-MD551 64% RC4-SHA6 8% Total80100% Ongoing project – Security Usability

Long validation period might give certificate longer period to be exploited Validity durationNumberPercentage < 2 years5670% =2 years2025% >=3 years 4 (3 of them are between 3-4 years and one is 5 years) 5% Total80100% © Li-Chiou Chen, CSIS, Pace 15 Ongoing project – Security Usability

Implications Invalid security certificates: should not be there; defy anti-phishing tools Establish SSL connection after user enters username and password: no way to verify security indicator before login Inconsistent domain name with brand name: 3 rd party secure servers; using domain name checking strategy fails Confusing security indicators: multiple indicators, etc Confusing security information : consumers do not know which one to follow or look at Confusing login visual interface design: popup windows; may suffer visual deception attack Industry common practice do not echo the best available technology: vulnerability with the older versions © Li-Chiou Chen, CSIS, Pace 16 Ongoing project – Security Usability

Further research problems Align consumer trust and security on the web Security usability scanner Solve phishing problems from risk management perspectives, where should government put money and resources? Risk identification, reduction, or mitigation © Li-Chiou Chen, CSIS, Pace 17 Ongoing project – Security Usability

© Li-Chiou Chen, CSIS, Pace 18 Student Research Projects Joseph Acampora –MS in IS  XML-DNR: A Bandwidth-Saving Technique for Distributed Intrusion Detection Systems Yosef Lehrman – MS in IT  Client-side solutions for phishing prevention Konrad Koenig  Analyzing access control policies of banking data using Secure UML Alex Tsekhansky - DPS  Byzantine fault tolerant DNS for networks with limited PKI infrastructure Student projects