Embed Size (px)
Citation preview
EE515/IS523 Think Like an AdversaryLecture 7
Usability/Software Failures
Yongdae Kim
Recap http://security101.kr
E-mail policy Include [ee515] or [is523] in the subject of your e-mail
Student Survey http://bit.ly/SiK9M3
Student Presentation Send me email.
Preproposal meeting: Today after class
Definitions Identification - a claim about identity
Who or what I am (global or local) Authentication - confirming that claims are true
I am who I say I am I have a valid credential
Authorization - granting permission based on a valid claim Now that I have been validated, I am allowed to access certain resources or take certain actions
Access control system - a system that authenticates users and gives them access to resources based on their authorizations Includes or relies upon an authentication mechanism May include the ability to grant course or fine-grained authorizations, revoke or delegate authorizations
Also includes an interface for policy configuration and management
Building blocks of authentication
FactorsSomething you know (or recognize)Something you haveSomething you are
Two factors are better than oneEspecially two factors from different categories
What are some examples of each of these factors?
What are some examples of two-factor authentication?
Authentication mechanismsText-based passwords Graphical passwordsHardware tokensPublic key crypto protocolsBiometrics
EvaluationAccessibilityMemorabilitySecurityCostEnvironmental considerations
Typical password advice
Typical password advicePick a hard to guess passwordDon’t use it anywhere elseChange it oftenDon’t write it down
So what do you do when every web site you visit asks for a password?
Bank = b3aYZ Amazon = aa66x!Phonebill = p$2$ta1
Problems with Passwords Selection
– Difficult to think of a good password– Passwords people think of first are easy to guess
Memorability– Easy to forget passwords that aren’t frequently used– Difficult to remember “secure” passwords with a mix of upper & lower case letters, numbers, and special characters
Reuse– Too many passwords to remember– A previously used password is memorable
Sharing– Often unintentional through reuse– Systems aren’t designed to support the way people work together and share information
Mnemonic Passwords
Four
First letter of each word (with punctuation)
fsasya,oFSubstitute numbers for words or similar-looking letters
4sa7ya,oFSubstitute symbols for words or similar-looking letters
F
4sasya,oF
Four
4sa7ya,oF
4s&7ya,oF
score s andaand seven sseven yearsy ago a ,, our o Fathers F
Source: Cynthia Kuo, SOUPS 2006
The Promise?Phrases help users incorporate different character classes in passwordsEasier to think of character-for-word substitutions
Virtually infinite number of phrasesDictionaries do not contain mnemonics
Source: Cynthia Kuo, SOUPS 2006
Mnemonic password evaluation
Mnemonic passwords are not a panacea for password creation
No comprehensive dictionary todayMay become more vulnerable in future
– Many people start to use them– Attackers incentivized to build dictionaries
Publicly available phrases should be avoided!
Source: Cynthia Kuo, SOUPS 2006
Password keeper softwareRun on PC or handheldOnly remember one password
Single sign-onLogin once to get access to all your passwords
Biometrics
Fingerprint Spoofing Devices
Microsoft Fingerprint Reader APC Biometric Security device
Success! Very soft piece of wax flattened against hard surface
Press the finger to be molded for 5 minutes Transfer wax to freezer for 10-15 minutes Firmly press modeling material into cast Press against the fingerprint reader
Replicated several times
Retina/Iris Scan Retinal Scan
Must be close to camera (IR)
Scanning can be invasive Not User friendly Expensive
Iris Scan Late to the game Requires advanced technology to properly capture iris
Users do not have to consent to have their identity tested
Graphical passwords
“Forgotten password” mechanism
Email password or magic URL to address on file
Challenge questions Why not make this the normal way to access infrequently used sites?
Convenient SecureID 1What problems does this approach solve?
What problems does it create?
Source:
http://worsethanfailure.com/Articles/Security_by_Oblivity.aspx
Convenient SecureID 2What problems does this approach solve?
What problems does is create?
23
Previously available at:
http://fob.webhop.net/
Browser-based mutual authentication
Chris Drake’s “Magic Bullet” proposal http://lists.w3.org/Archives/Public/p
ublic-usable-authentication/2007Mar/0004.html– User gets ID, password (or alternative),
image, hotspot at enrollment– Before user is allowed to login they are
asked to confirm URL and SSL cert and click buttons
– Then login box appears and user enters username and password (or alternative)
– Server displays set of images, including user’s image (or if user entered incorrect password, random set of images appear)
– User finds their image and clicks on hotspot
• Image manipulation can help prevent replay attacks
What problems does this solve? What problems doesn’t it solve? What kind of testing is needed
Phishing
Spear Phishing (Targeted Phishing)
Personalized mail for a (small) group of targeted users Employees, Facebook friends, Alumni, eCommerce Customers
These groups can be obtained through identity theft!
Content of the email is personalized. Different from Viagra phishing/spam
Combined with other attacks Zero-day vulnerability: unpatched Rootkit: Below OS kernel, impossible to detect with AV software
Key logger: Further obtain ID/password APT (Advanced Persistent Threat): long-term surveillance
26
Examples of Spear Phishing
27
Good Phishing example
28
Policy and Usability
Cost of Reading Policy Cranor et al.
TR= p x R x n p is the population of all Internet users R is the average time to read one policy n is the average number of unique sites Internet users visit annually
p = 221 million Americans online (Nielsen, May 2008)
R = avg time to read a policy = # words in policy / reading rate To estimate words per policy:
Measured the policy length of the 75 most visited websites Reflects policies people are most likely to visit
Reading rate = 250 WPM Mid estimate: 2,514 words / 250 WPM = 10 minutes
n = number of unique sites per yearNielsen estimates Americans visit 185 unique sites in a month:
but that doesn’t quite scale x12, so 1462 unique sites per year.
TR= p x R x n
= 221 million x 10 minutes x 1462 sites
R x n = 244 hours per year per person
P3P: Platform for Privacy Preferences
A framework for automated privacy discussionsWeb sites disclose their privacy practices in standard machine-readable formats
Web browsers automatically retrieve P3P privacy policies and compare them to users’ privacy preferences
Sites and browsers can then negotiate about privacy terms
Why Johnny Can’t Encrypt
- A Usability Evaluation of PGP 5.0-
Alma Whitten and J.D. TygarUsenix Sec’99
Presented by Yongdae Kim
Some of the Slides borrowed from Jeremy Hyland
Defining Usable Security Software
Security software is usable if the people who are expected to use it:are reliably made aware of the security tasks they need to perform.
are able to figure out how to successfully perform those tasks
don't make dangerous errorsare sufficiently comfortable with the interface to continue using it.
Why is usable security hard?
1. The unmotivated users“Security is usually a secondary goal”
2. Policy AbstractionProgrammers understand the representation but normal users have no background knowledge.
3. The lack of feedbackWe can’t predict every situation.
4. The proverbial “barn door”Need to focus on error prevention.
5. The weakest linkAttacker only needs to find one vulnerability
Why Johnny can’t encrypt?PGP 5.0
Pretty Good PrivacySoftware for encrypting and signing dataPlug-in provides “easy” use with email clientsModern GUI, well designed by most standards
Usability Evaluation following their definition
If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
Usability Evaluation Methods
Cognitive walk throughMentally step through the software as if we were a new user. Attempt to identify the usability pitfalls.
Focus on interface learnablity.
Results
Cognitive Walk Through Results
Irreversible actions Need to prevent costly errors
Consistency Status message: “Encoding”?!?
Too much information More unneeded confusion Show the basic information, make more advanced information available only when needed.
User TestUser Test
PGP 5.0 with Eudora12 participants all with at least some college and none with advanced knowledge of encryption
Participants were given a scenario with tasks to complete within 90 min
Tasks built on each otherParticipants could ask some questions through email
User Test Results 3 users accidentally sent the message in clear text
7 users used their public key to encrypt and only 2 of the 7 figured out how to correct the problem
Only 2 users were able to decrypt without problems
Only 1 user figured out how to deal with RSA keys correctly.
A total of 3 users were able to successfully complete the basic process of sending and receiving encrypted emails.
One user was not able to encrypt at all
Conclusion Reminder
If an average user of email feels the need for privacy and authentication, and acquires PGP with that purpose in mind, will PGP's current design allow that person to realize what needs to be done, figure out how to do it, and avoid dangerous errors, without becoming so frustrated that he or she decides to give up on using PGP after all?
Is this a failure in the design of the PGP 5.0 interface or is it a function of the problem of traditional usable design vs. design for usable secure systems?
What other issues? What kind of similar security issues? What do we learn from this paper?
Analysis of an Electronic Voting System
TADAYOSHI KOHNO ADAM STUBBLEFIELD† AVIEL D. RUBIN‡DAN S. WALLACH§
February 27, 2004
Presented by: Aldo Villanueva
OutlinePalm Beach FiascoIntroducing DREHistory of DieboldVulnerabilities of Diebold DRESummary
46
Palm Beach Ballot Fiasco
47
Palm Beach Ballot Fiasco
48
Eliminate paper ballots from the voting process.
Process:The voter arrives to the voting place and prove he’s allowed to vote there.
He gets a token (PIN or smartcard).Enters the token in the voting terminal and votes for its candidate.
DRE System presents the voter’s election and gives a final chance to make changes.
DRE “Direct Recording Electronic”
History
•1995: I-Mark Systems
•1997: Global Election Systems acquired I-Mark
•2002: Diebold acquired GES and change the name to Diebold Election System
•2006: Diebold removed its name from the voting machines for “strategic” reasons
•2007: Diebold changed its name to "Premier Election Solutions"
The source code for
Diebold’s AccuVote-TS DRE voting system was analyzed.
There were several vulnerabilities found.
Analysis of the Diebold’s AccuVote-TS
DRE voting system
The smartcards used in the voting process are very easy to fake since they don’t perform any cryptographic operations.
Attacker could:Cast multiple votesEnd the elections early
Vulnerability No. 1: Smartcards
System configuration : impersonating any other voting terminal.
Ballot definitions: changing the order of the candidates only in the interface
Election results: modifying the voting records file stored on the device
Vulnerability No. 2: Tampering
Voting terminals are configured to upload voting totals to a system after an election.
An adversary able to pose as a legitimate voting terminal to the tabulating authority could report false vote counts.
Vulnerability No. 3: Impersonating
legitimate voting terminals
If an attacker with access to the source code learns the key, he can read and modify voting and auditing records.
In the Diebold system, from the CVS logs, we see this particular key has been used without change since December 1998.
Vulnerability No. 4: Key management
Each vote is written sequentially to the file recording the votes.
It’s easy for the attacker (poll worker) to access the voting records, to link voters with their votes.
Vulnerability No. 5: Linking voters to their
votes
The whole audit log is encrypted using an insecure method.
At the time that the logging occurs, the log can also be printed to an attached printer.
An attacker could create discrepancies between the printed log and the log stored on the terminal by unplugging the printer (or, by simply cutting the cable).
Vulnerability No. 6: Audit logs
An attacker can delay the start of an election:DoS attack against the election management’s server preventing the voting terminals from acquiring their ballot definition in time.
Poor software engineering:Uses C++No documentation Top-to-bottom code review would be nearly impossible.
Other vulnerabilities
Significant security flaws:
Voters can trivially cast multiple ballots Administrative functions can be performed by regular voters
Threats posed by insiders such as poll workers, software developers, etc.
Summary
SECURITY ANALYSIS OF THE DIEBOLD ACCUVOTE –
TS VOTING MACHINEAriel J. FeldmanJ. Alex HaldermanEdward W. Felten
September 13, 2006
Presented by: Jiseong Noh
OutlineOverview of Diebold AccuVote-TS Voting Machine
Design PointsBoot ProcessesVulnerability PointsAttack ScenariosMitigation of the vulnerabilitiesConclusion
62
(*)http://www.electiondataservices.com/images/File/NR_VoteEquip_Nov-2008wAppendix2.pdf)
Diebold AccuVote-TS Manufactured by Diebold Election Systems
Sold to Election Systems & Software in 2009
DRE – Direct Recording Electronic Voting Machine Voters use machine to cast vote Machine is used to record the votes (*) 32% of the USA registered voters used DRE in 2008
About 16 Million voters used Accuvote-TS in 2010
Custom election software runs on top of Windows CE
63
Design Points
64
Touch Screen
SmartCard
Reader
Audio jack
RemovableFlash
PrinterOn-board
FlashEPROM
RAMProcessor
Open to Public Key Access Inside Box
http://web.cecs.pdx.edu/~hook/cs491sp08/AccessControlSp08.pdf
Serialport
Design Points
65
Similar to a general-purpose hand-held PCA CPU, 32MB RAM, 16MB internal flash storageTouchscreen LCD displayTwo PC card slots – one for memory card, other for modem card
OS uses a customized softwareAutomatically runs Voting ProgramSearches for special files in memory card to administer or update the system
Searches for script files with user confirmation
(CPU) (RAM)
(Flash)
Boot Process
66
Boot loader loads itself into RAM Boot Location determined by jumpers on the board Onboard Flash Memory (default) EPROM Ext Flash slot
Boot loader looks for special file names fboot.nb0: replacement boot loader nk.bin: replacement of operating system EraseFFX.bsq: erases file system on-board flash
*** Does not verify file authenticity!
Boot Process
67
Windows CE image loads and start
Customized task managerAutomatically runs Voting programIf memory card is present and contains explorer.glb Runs windows explorer instead of voting program
runs script files (. with user confirmation
Vulnerability Points (H/W)
Lightweight Lock: easily picked up without a key
68
Easy Access to Memory Card
Vulnerability Points (H/W)
EPROM(E): Replace EPROM with malware
PC Card Slot(S): Used to replace existing software with malware using Memory Card
Serial Keypad Connector(O): open communication port
Infrared Port(N): open communication port
69
Vulnerability Points (S/W)
Authenticity problem Never checks to validate the authenticity of files on the memory card on booting or updating software
Buffer Overflow malformed script files could bypass the confirmation
70
http://www.cyberdin.com/images/stories/pict5.jpg
Attack Types
71
• Stealing Votes• Malicious processes runs in parallel with voting program
• Change votes for a favored candidate
• Total count of votes does not change
• Denial-of-Service• Destroys all records of the election
• Makes the voting machine inoperable
Delivery of Malicious Code
72
EPROM Attack code is placed on an EPROM chip Attacker replaces the EPROM chip and changes the jumper settings to boot from EPROM
Memory card on PC Card Slot Attack code is placed on the memory card Memory card is inserted before voting machine booted
Malicious boot loader containing virus is installed on the machine
The machine is now infected
Delivery of Malicious Code
73
Memory card on PC Card Slot (continue)
Mitigation of Vulnerabilities
74
Modifications to DRE Software and Hardware
Digitally sign all software updates Verify the signature of software updates before installing them
Ask user confirmation of any software updates Use specialized hardware to maintain tamper-proof logs
Physical Access Controls Sealing the machine and memory card with tamper-evident seals
SummaryDREs are like desktop PC, in the security point of view
Diebold AccuVote-TS has many serious vulnerabilitiesWeak physical securityRuns on general-purpose H/W and OSNo way to check if an attack occurredVirus attack possible – no need for distributed attack
DREs have their advantages; however, they should overcome these problems to make reliable votes
75
Papers which criticize DRE, particularly Diebold Systems
2003: Analysis of an Electronic Voting System
2004: Trusted Agent Report Diebold AccuVote-TS Voting System
2006: Security Analysis Of The Diebold AccuVote - TS Voting Machine
Bad Reputation Changed the name multiple times
May 19, 2010 Dominion Voting Systems acquired Premier Elections Solutions.
Bankruptcy of Diebold
Voting equipment vendors say closed-source nature of the systems makes them more secure.
Authors think that an open process would result better.
The best solution will be a computerized voting system with ballot paper.
Conclusions
