Slide 1: Usable Privacy and Security
Jason I. Hong, Carnegie Mellon University
Slide 2: Everyday Privacy and Security Problem
Slide 4: Future Privacy and Security Problem
Real-time location information
– Friend Finder (“where is Alice?”)
– Filtered searches (“restaurants near me?”)
– Better awareness (“Daniel is at school”)
What kinds of controls and feedback are needed?
Find Friends, inTouch
Slide 5: Future Privacy and Security Problem
You think you are in one context, but you are actually overlapped in many others.
Without this understanding, you cannot act appropriately.
Slide 6: Usable Privacy and Security Important
People are increasingly asked to make trust judgements
– Install this software?
– Log in to a site and enter username and password?
– Share location information?
– What context are you in, and how should you act?
New networked technologies are leading to new risks

                   Everyday Risks                        Extreme Risks
Hackers, Muggers   Identity theft, malware               Personal safety
Employers          Over-monitoring, discrimination       Reputation
Friends, Family    Over-protection, social obligations   Embarrassment
Government                                               Civil liberties
Slide 7: Grand Challenge
“Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.”
- Computing Research Association, 2003
Slide 8: Usable Privacy and Security Work
– Supporting Trust Decisions
– Ubiquitous Computing
– Location-Enhanced Services
Slide 9: Project: Supporting Trust Decisions
Goal here is to help people make better decisions
– Context here is anti-phishing
Large multi-disciplinary team project
– Six faculty, five PhD students
Slide 10: Phishing
A semantic attack aimed directly at people rather than computers
– “Please update your account”
– “Fill out survey and get $25”
– “Question about your auction”
Rapidly growing in scale and damage
– ~7000 new phishing sites in Dec 2005 alone
– ~$1 billion in damages
– More profitable (and safer) to phish than to rob a bank
Slide 11: Outline
Human-Side of Anti-Phishing
– Interviews to understand decision-making
– Embedded Training
– Anti-Phishing Game
Computer-Side
– Email Anti-Phishing Filter
– Automated Testbed for Anti-Phishing Toolbars
– Our Anti-Phishing Toolbar
Automate where possible, support where necessary
Slide 13: Project: Supporting Trust Decisions
Interviews to Understand Decision-Making
How do people decide which e-mails to “trust”?
Interviews with 40 novices and some experts
– Asked them to role-play and go through a series of emails
Highlights
– People know the cues (from, to, locks) but interpret them incorrectly
  – Very few people understand URLs
  – Browser chrome versus content
– Hard for people to generalize risks (banks vs. Amazon)
– Judge legitimacy primarily by the quality of the site
– Were expecting an email or had previous contact
Slide 14: Outline
Human-Side of Anti-Phishing
– Interviews to understand decision-making
– Embedded Training
– Anti-Phishing Game
Computer-Side
– Email Anti-Phishing Filter
– Testbed for Anti-Phishing Toolbars
– Our Anti-Phishing Toolbar
Slide 15: Project: Supporting Trust Decisions
Embedded Training
Can we “train” people to avoid phishing in their regular use of email?
– Periodically, people get sent a training email
– The training email looks like a phishing attack
– If the person falls for it, an intervention warns them and highlights what cues to look for
Has been done by others
– New York state government office, West Point, Indiana U
Goal: understand which designs are most effective
Slide 16: Project: Supporting Trust Decisions
Embedded Training
Created three interventions
– #0 – Early prototype that helped us explore the design space
– #1 – Diagram that explains phishing
– #2 – Comic strip that tells a story
– Shown only if a person clicks on a link in the email
Slide 17: #0 – Early Prototype
People didn’t understand what the training message was trying to say (“Why am I getting this?”)
– Missed the explanation text at the top
– Screenshot of the web browser confused people (“Not the same, so what?”)
People who clicked on a phishing link were very likely to enter their username and password
– Need clear, actionable items
Slide 18: #1 – Diagram Intervention
Slide 19
Explains why they are seeing this message
Slide 20: #1 – Diagram Intervention
Explains how to identify a phishing scam
Slide 21: #1 – Diagram Intervention
Explains what a phishing scam is
Slide 22: #1 – Diagram Intervention
Explains simple things you can do to protect yourself
Slide 23: #2 – Comic Strip Intervention
Slide 28: Embedded Training Evaluation
Compared two prototypes to standard security notices
– A – eBay, PayPal notices
– B – Diagram that explains phishing
– C – Comic strip that tells a story
10 participants in each condition (30 total)
Roughly: go through 19 emails, with 4 phishing attacks scattered throughout and 2 training emails as well
– Emails are in the context of working in an office
Slide 29: Embedded Training Results
Slide 30: Embedded Training Summary
Summary
– Existing practice of security notices is ineffective
– Diagram intervention mildly better
– Comic strip intervention worked best
Next Steps
– Iterate on the design
– Understand more about why the comic strip worked better (the story? the comic format?)
– Larger-scale deployment and evaluation
Slide 31: Anti-Phishing Phil
A game to teach people about anti-phishing
– Embedded training focuses on email
– Game focuses on the web browser and URLs
Goals
– How to parse URLs
– Where to look for URLs
– Use search engines instead
Early preview!
Slide 32: Anti-Phishing Phil
Slide 33: Outline
Human-Side of Anti-Phishing
– Interviews to understand decision-making
– Embedded Training
– Anti-Phishing Game
Computer-Side
– Email Anti-Phishing Filter
– Testbed for Anti-Phishing Toolbars
– Our Anti-Phishing Toolbar
Slide 34: Email Anti-Phishing Filter
Philosophy: automate where possible, support where necessary
Goal: create an email filter that detects phishing emails
– Well-explored area for spam
– Can we do better for phishing?
Slide 35: Email Anti-Phishing Filter
Heuristics combined in an SVM
– IP addresses in links (http://128.23.34.45/blah)
– Age of linked-to domains (younger domains likely phishing)
– Non-matching URLs (ex. most links point to PayPal)
– “Click here to restore your account”
– HTML email
– Number of links
– Number of domain names in links
– Number of dots in URLs (http://www.paypal.update.example.com/update.cgi)
– JavaScript
– SpamAssassin rating
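Added example (not the talk's filter code): a feature extractor for the link-based heuristics on this slide, run over a constructed sample email. Domain age and the SpamAssassin rating need external lookups and are left out; the resulting feature dict is what a classifier such as the SVM described here would consume.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email in the style the slide describes (not from the talk).
SAMPLE_EMAIL = """<html><body>
<p>Please <a href="http://128.23.34.45/blah">click here</a> to restore your account.</p>
<p>Or visit <a href="http://www.paypal.update.example.com/update.cgi">https://www.paypal.com/</a></p>
<script>document.location = "http://128.23.34.45/x";</script></body></html>"""

class _LinkParser(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags and flags any <script>."""
    def __init__(self):
        super().__init__()
        self.links, self.has_script, self._href, self._text = [], False, None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
        elif tag == "script":
            self.has_script = True
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_features(body):
    """Feature dict for one email; in the talk's filter an SVM weighs such features."""
    parser = _LinkParser()
    parser.feed(body)
    hosts = [urlparse(href).hostname or "" for href, _ in parser.links]
    # Non-matching URL: the visible link text names a host other than the href's host.
    mismatches = 0
    for (_, text), host in zip(parser.links, hosts):
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if "." in text and shown and shown != host:
            mismatches += 1
    return {
        "html": "<html" in body.lower(),
        "num_links": len(parser.links),
        "num_domains": len(set(hosts)),
        "ip_in_link": any(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", h) is not None for h in hosts),
        "max_dots": max((h.count(".") for h in hosts), default=0),
        "nonmatching_urls": mismatches,
        "click_here": bool(re.search(r"click here", body, re.I)),
        "javascript": parser.has_script,
    }
```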
Slide 36: Email Anti-Phishing Filter Evaluation
Ham corpora from SpamAssassin (2002 and 2003)
– 6950 good emails
Phishingcorpus
– 860 phishing emails
Slide 37: Email Anti-Phishing Filter Evaluation
Slide 38: Outline
Human-Side of Anti-Phishing
– Interviews to understand decision-making
– Embedded Training
– Anti-Phishing Game
Computer-Side
– Email Anti-Phishing Filter
– Testbed for Anti-Phishing Toolbars
– Our Anti-Phishing Toolbar
Slide 39: Testbed for Anti-Phishing Toolbars
Lots of anti-phishing web browser toolbars, but unclear how well they work in practice
– Need a way of systematically evaluating toolbars
– Need a way of rigorously comparing algorithms
Slide 40: Testbed for Anti-Phishing Toolbars
First iteration: manual evaluation
– Get 1 laptop and 1 person per toolbar
– Send out a URL
– Manually check
– Tedious, slow, error-prone
Created a testbed that could semi-automatically evaluate these toolbars
– Just give it a set of URLs to check (labeled as phish or not)
– Check all the toolbars, aggregate statistics
Slide 41: Testbed for Anti-Phishing Toolbars
Two key systems issues
#1 – How to get a list of phishing URLs to evaluate?
– Phishing feed from the Anti-Phishing Working Group (APWG)
– Manually inspect each URL to confirm it is a phish
#2 – How to automate this for different toolbars?
– Different APIs (if any), different browsers
– Image-based approach: take screenshots of the web browser and compare the relevant portions to known states
Slide 42: Image-Based Comparisons
Slide 43: Testbed System Architecture
Slide 44: Evaluation
Tested five toolbars
– NetCraft v1.6.2
– TrustWatch v3.0.4.0.1.2
– SpoofGuard (uses heuristics only)
– CloudMark v1.0
– Google Toolbar v2.1
Test URLs manually confirmed
– Extracted 100 confirmed, active phishing URLs spanning 100 domains
– Also extracted 60 legitimate domains and added 40 others (banks, etc.)
Slide 45: Results
Slide 46
Stanford’s SpoofGuard and NetCraft had the best results
CloudMark was worst
– Relies on user ratings; perhaps not updated fast enough?
Stanford’s SpoofGuard was the only one with false positives
Slide 47: Outline
Human-Side of Anti-Phishing
– Interviews to understand decision-making
– Embedded Training
– Anti-Phishing Game
Computer-Side
– Email Anti-Phishing Filter
– Testbed for Anti-Phishing Toolbars
– Our Anti-Phishing Toolbar
Slide 48: Our Anti-Phishing Toolbar
Issue #1: can we do better at detecting phish?
– SpoofGuard accuracy 90-95%, but lots of false positives
– NetCraft also around 90-95%
Issue #2: how well do individual techniques work?
– Evaluated each toolbar as a black box
– Need to unpack the effectiveness of the various techniques
We are developing a toolbar to explore these issues
– Developed two new heuristics
– Still needs a name
Slide 49: Our Anti-Phishing Toolbar
Heuristic #1 – Does the page have text input fields?
– No text input fields: not phishing
Heuristic #2 – Content analysis
– Based on Robust Hyperlinks by Phelps and Wilensky
  – Too many “404 Not Found” errors
  – Create a “lexical signature” for a web page
  – Feed the lexical signature into a search engine to find the same page
– Term Frequency / Inverse Document Frequency (TF-IDF)
  – Take the top six terms
Slide 50: Our Anti-Phishing Toolbar
Heuristic #2 – Content analysis using TF-IDF
– Apply the TF-IDF algorithm to the web page in question
– Feed the top six terms into Google
– See if the domain of the web page in question is in the top 30 results
  – If so, probably not a phish
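Added example covering both heuristics from the previous two slides (my own code, not the toolbar's): the input-field gate, the top-six TF-IDF lexical signature, and the domain check against the top search results. A small constructed in-memory index stands in for Google so the example runs offline; INDEX, CLONE_HTML and the ranking used by search() are assumptions of this example.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed mini "web index" (URL -> page text) standing in for Google offline.
INDEX = {
    "https://www.examplebank.test/login": "Example Bank online banking login account password secure sign in",
    "https://www.examplebank.test/help": "Example Bank help center account statements fees",
    "https://news.test/markets": "markets stocks bonds economy report",
    "https://recipes.test/soup": "tomato soup recipe onion garlic stock",
}
WORD = re.compile(r"[a-z]+")

def tokens(text):
    return WORD.findall(text.lower())

def lexical_signature(page_text, corpus, k=6):
    """Top-k TF-IDF terms of the page: the Robust Hyperlinks 'lexical signature'."""
    tf = Counter(tokens(page_text))
    df = Counter(term for doc in corpus for term in set(tokens(doc)))
    n = len(corpus) + 1                      # the page itself counts as a document
    score = {t: tf[t] * math.log(n / (1 + df[t])) for t in tf}
    return [t for t, _ in sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]

def search(signature, index, top_n=30):
    """Toy search engine: rank indexed URLs by how many signature terms they contain."""
    hits = {url: sum(t in set(tokens(text)) for t in signature) for url, text in index.items()}
    return sorted((u for u, h in hits.items() if h > 0), key=lambda u: (-hits[u], u))[:top_n]

def looks_like_phish(url, html, index=INDEX):
    """Heuristic #1 (text input fields) gates heuristic #2 (signature/domain check)."""
    if not re.search(r"<input[^>]*type=['\"]?(text|password)", html, re.I):
        return False                         # nothing to type into: not a phish
    text = re.sub(r"<[^>]+>", " ", html)
    sig = lexical_signature(text, list(index.values()))
    found = {urlparse(u).hostname for u in search(sig, index)}
    return urlparse(url).hostname not in found

# Constructed page: a copy of the bank login form, which a scammer would host elsewhere.
CLONE_HTML = ('<h1>Example Bank online banking login</h1> account password secure sign in '
              '<input type="text" name="user"><input type="password" name="pw">')
```

Because the copied page's signature still points the search engine at the bank's own domain, the same content is judged a phish when served from a different host and legitimate when served from the bank's.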
Slide 51: Our Anti-Phishing Toolbar
Informal results:
– 94% accurate
– 6% false positives
– Pretty good, considering it took us 2 weeks to build
Turns out content analysis works well for anti-phishing
– Most scammers modify the original web page
– Not enough time for the phish page to get a high PageRank
Next steps
– Integrate other heuristics
– Evaluate heuristics separately and combined
– Better user interfaces for warning people
Slide 52: Summary
Usable Privacy and Security is increasingly important
Supporting Trust Decisions
– One of our group projects at Carnegie Mellon
– Human-Side of Anti-Phishing: Interviews, Embedded Training, Anti-Phishing Game
– Computer-Side: Email Filter, Testbed, Our Anti-Phishing Toolbar
Slide 53: Questions?
Alessandro Acquisti, Lorrie Cranor, Sven Dietrich, Julie Downs, Mandy Holbrook, Jason Hong, Norman Sadeh
Serge Egelman, Ian Fette, P. Kumaraguru (PK), Yong Rhee, Steve Sheng, Yue Zhang
NSF IIS-0534406, ARO D20D19-02-1-0389, CyLab
Slide 55: Usable Privacy and Security Important
People are increasingly asked to make trust decisions
– Install this software?
– Trust an expired certificate? (“what the !@^% is a certificate?”)
– Share location information?

                   Everyday Risks                        Extreme Risks
Hackers, Muggers   Identity theft                        Personal safety
Employers          Over-monitoring, discrimination       Reputation
Friends, Family    Over-protection, social obligations   Embarrassment
Government                                               Civil liberties