Jun. 5th, 2012

a_cubed: caricature (Default)

Sandy Clark, University of Pennsylvania

The Honeymoon Period and Security Development


Bug identification models don’t work for vulnerability identification.


Casinos have developed good approaches to patching exploits in their systems (systems in general, not just computer-based ones).


Scams are the “buffer overflow errors” of human consciousness.


Attackers adapt, so defenders must adapt.


Evolutionary biology model of parasite/host co-evolution (the Red Queen Hypothesis: everyone must keep running just to stay in place, and the best achievable outcome is not a perfect system).


Modelling the defender is not enough. We need to model the attacker. More importantly, we need to model the interaction, and the violation of assumptions is one of the key elements of this.




Richard Clayton, Cambridge

Devo estar falando Português? (Should I be speaking Portuguese?)


IM Worms.


Portuguese-specific short IMs used for infection have significantly higher click counts at peak than “language-independent” ones.




Cormac Herley, Microsoft

Fraud


Anything I do with a password can be repudiated.


We should be teaching check (cheque) clearing rules instead of Byzantine security tips.




Markus Jakobsson, PayPal

What are password strength checkers actually doing?


A strength checker works like a species checklist: fast runner? has a tail? has black marks? has a yellow surface? has spots? Tick every box and the result is still a budgie, not a leopard.


Determine the user’s mental process for creating (supposedly strong) passwords.
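The budgie-versus-leopard point in code, as an added example that is not part of the talk or of this post: a checklist meter that ticks character-class boxes beside a checker that models the mental process above (familiar word, capital first letter, a few substitutions, digits and a symbol bolted on the end) and counts the guesses an attacker who knows that process would need. The twelve-word list, the substitution table, the guess-count arithmetic and the weak/medium/strong thresholds are all constructed for illustration and stand in for the far larger wordlists and pattern models a real checker would use.

```python
"""Checklist strength meter versus a pattern-aware guess estimate.

Added example, not code from the talk. Wordlist, leet table and thresholds
are constructed stand-ins; nothing here is a measured crack rate.
"""
import math
import string

# Constructed mini "dictionary" of base words users start from (a real
# cracking wordlist holds millions of entries).
COMMON_WORDS = frozenset({
    "password", "welcome", "letmein", "dragon", "monkey", "football",
    "qwerty", "iloveyou", "admin", "summer", "princess", "sunshine",
})

# Substitutions attackers try first when "mangling" dictionary words.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

SUFFIX_CHARS = set(string.digits + string.punctuation)


def checklist_score(pw: str) -> str:
    """The budgie detector: counts ticked boxes and nothing else."""
    ticks = sum([
        len(pw) >= 8,
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return {5: "strong", 4: "medium"}.get(ticks, "weak")


def _split_suffix(pw: str):
    """Peel trailing digits/symbols off: 'Dragon2012!' -> ('Dragon', '2012!')."""
    i = len(pw)
    while i > 0 and pw[i - 1] in SUFFIX_CHARS:
        i -= 1
    return pw[:i], pw[i:]


def _charset_size(pw: str) -> int:
    """Alphabet size an attacker would have to brute-force if no pattern fits."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return max(size, 1)


def estimate_guesses(pw: str) -> int:
    """Guesses needed by an attacker who knows the 'word + mangling' recipe.

    Constructed model: wordlist size x (capitalised or not) x (each
    substitution applied or not) x the suffix alphabet per trailing character.
    Anything that does not reduce to a listed word falls back to brute force.
    """
    core, suffix = _split_suffix(pw)
    lowered = core.lower()
    normalised = lowered.translate(LEET)
    if normalised in COMMON_WORDS:
        substitutions = sum(a != b for a, b in zip(lowered, normalised))
        suffix_space = 1
        for c in suffix:
            suffix_space *= 10 if c.isdigit() else len(string.punctuation)
        return len(COMMON_WORDS) * 2 * (2 ** substitutions) * suffix_space
    return _charset_size(pw) ** len(pw)


def pattern_aware_score(pw: str) -> str:
    """Rate by log2(guesses); thresholds are illustrative, not a standard."""
    bits = math.log2(estimate_guesses(pw))
    if bits < 28:
        return "weak"
    if bits < 44:
        return "medium"
    return "strong"


def compare(pw: str) -> dict:
    """Both verdicts side by side for one candidate password."""
    return {
        "checklist": checklist_score(pw),
        "pattern_aware": pattern_aware_score(pw),
        "log2_guesses": round(math.log2(estimate_guesses(pw)), 1),
    }


if __name__ == "__main__":
    for candidate in ("Dragon2012!", "P@ssw0rd1!", "x7#Gq2!Lm",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {compare(candidate)}")
```

“Dragon2012!” and “P@ssw0rd1!” tick all five checklist boxes and come out “strong”, yet the pattern-aware estimate puts them under 2^23 and 2^15 guesses respectively; the four-word phrase fails the checklist and is the strongest of the lot. That gap is the checker’s problem: it measures surface features of the string, not the process that produced it.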


Comment by Richard Clayton: passwords for porn sites need to be enterable with only one hand.




Eric Johnson, Dartmouth College

Fraud in Healthcare


US healthcare costs are $2.5T. Fraud is estimated at some hundreds of billions of dollars.


Medical identity theft?

The US medical system is set up to provide opportunities for fraud, particularly due to the pay-and-chase model.

Very easy to join Medicare/Medicaid as a payee; it is just a bureaucratic process.


Getting hold of an identity is not hard. The monetisation model is the key development.


Grainne Kirwan, Inst of Tech, Ireland

Psychology of Cybercrime


Interested in victims of cybercrime. Why are they targeted, and how do they react?


Trait anxiety rather than state anxiety (a Big Five-style measure?): how does it relate to susceptibility to fraud?


Victim facilitation and precipitation. Insult someone and they hit you (precipitation). Leave your keys on the bar (facilitation).


Considering how facilitation relates to liability. Most people will say that facilitative victims should bear more liability.


David Modic, Exeter

Risk and Internet Scams


Ego depletion, materialism, marketing appeal (as predictors of susceptibility to being scammed).


Ego depletion has no effect on falling for a scam.


No materialism measure has any impact.


Appeal has a very limited effect.


Scammers offer money, not goods or intangibles.


Current Mood: fascinated


Originally published at blog.a-cubed.info


Pam Briggs, Northumbria

A “Family and Friends” Perspective on Privacy and Security


The prevailing rhetoric is that privacy and security operate at a personal level, through individual decisions.


Too little attention paid to inadvertent disclosure in social or family networks.


Location-based services: potentially one of the most disruptive applications for privacy in the next few years.


Ubicomp in a family setting.


Facebook account hacked: three Facebook friends are needed to provide re-authentication.




Jaeyeon Jung, Microsoft

Tools to Analyse Personal Data Exposure Through Apps & Developing UIs for Control


The problem is that access to information by apps is often “all or nothing” per class of data, and without granting certain classes the app cannot be used at all, even if the app does not need them, depending on how it is programmed.


Some participants in a study of smartphone app data transfer were unsurprised: this is the price you pay for “free” apps. Others were surprised by things like the collection and transfer of location data when the app did not need it. Others were not bothered by the collection per se, but wanted to know who had the data.


Some participants planned to uninstall particular apps (e.g. Angry Birds) because of their data collection. Some felt that the option of disclose or don’t use was not a good situation.


We need better user experiences for knowing about and controlling the information smartphones give out.




Rob Reeder, Microsoft

NEAT guidance for usable software security


The RSA data release started with a spear-phishing attack based on an Excel (XLS) attachment.


Security guidance to users in MS products should now follow NEAT: Necessary, Explained, Actionable, Tested.




Christof Paar, Ruhr University

Real World Hacks


How do attackers learn their trade? With better information about how attackers develop their approaches, we can potentially improve the defences. Obfuscation may be of more use than its reputation (“security by obscurity”) gives it credit for.




Frank Stajano, Cambridge

The quest to replace passwords


Passwords have really poor usability. Does that mean we get good security in exchange? No.


Predictions of the demise of the password have been greatly exaggerated. We use more and more passwords every year.


Make sense of what has been done: those who fail to study history are doomed to repeat it.


Evaluation framework for authentication systems.


Passwords are not going to die any time soon. Many schemes beat passwords on security. Some schemes beat passwords on usability, but most are worse. All are worse on deployability.




Jeff Yan, Newcastle University

Does psychological profiling predict MMORPG cheaters?


There are many technical solutions for analysing in-game behaviour to identify cheating. Is it possible to identify likely cheaters with a psychological test? And what about potential cheaters cheating on the questionnaire?



David Livingstone-Smith, New England

Ideology


The camera obscura description of ideology as an accidental inversion of reality, versus the conspiracy model of ideology as a purposive distortion of reality in pursuit of some goal.


There is a perfectly good model of non-intentional purposiveness available: the notion of biological purpose, e.g. the orchid that mimics a wasp for the “purpose” of seducing male wasps into serving as a pollination vector.


Millikan’s theory of proper function provides an analysis of non-intentional purposes: whatever caused an item to be reproduced is the proper function of that item.


Ideologies are collective misrepresentations of the social world that perpetuate the power of dominant groups, creating the circumstances that allow their reproduction and the reproduction of that power.




Rachel Greenstadt, Drexel

Anonymouth: How to make machine learning for security usable


Long-term anonymity is challenging, as shown by the case of “A Gay Girl in Damascus”. It is particularly difficult to rewrite an existing document in a new style.


Anonymouth provides a set of suggestions for how to make your documents less recognisable as your own.


Luke Church, Cambridge

“tracking” for societal benefit


Users don’t understand derived sales models.


Asking programmers to let the researchers record and analyse their every keystroke and mouse click leads to refusal, because they are afraid of how that data will be used.


Please can we slow down the process of restricting scientists’ access to data.


Bruce Schneier, BT

Profiling and Airports


Why profiling makes no sense in security, even when you face a differential threat. Arguing against intuition, “common sense” and “obviousness” with clear (security) engineering principles is hard.


Public policy has important characteristics which divorce it from individual common sense about security.


Political rhetoric focuses on folk belief, common sense and intuition rather than solid engineering principles. Non-security issues drive security decisions (including corporate interests, law enforcement interests and military interests).


The four horsemen of the cyber apocalypse (terrorists, drug dealers, kidnappers, child pornographers) have been used for two decades to justify intrusion.


Persuasion and security questions: how do we teach people not to have their security fear buttons pushed?


Matt Blaze, University of Pennsylvania

Folklore


Why (Special Agent) Johnny (Still) Can’t Encrypt (redux)


APCO Project 25 (P25) cryptographic system for first responders.


Serious vulnerabilities in multiple ways, in theory. How often do they cause problems in practice?


Rule #1 of cryptanalysis: look for cleartext.


A ridiculous amount of cleartext, much of it highly sensitive: about 30 minutes of cleartext per day per city.


The problem exists because radio encryption is harder than we think.


After discussions with various agencies there was often a short-term drop in cleartext, but then a reversion and even an increase.


Paying attention to problems like this can itself reduce security, because of misunderstanding.


Institutional memory from the previous generation of analogue radios (“encryption reduces audio quality”) persists even though it is completely wrong for the current digital systems.

