End User Security

1
End User Security

• Doug Tygar
• University of California, Berkeley

2
Goals and Impact

• Goals
• Applied Security Issues
• Forensics
• Anti-malware
• Preventing ID theft
• Impact
• Phishing attacks growing in scale and
  sophistication
• Main reason phishers can steal real money.
• Research goal
• Make it harder for phishers to obtain user
  information that can lead to monetary theft
• Technology transfer
• Freely distributed open-source software
• Talks at conferences, industry meetings (ITTC, )
• Startups
• Partnering arrangements

3
Overview

• New thrust area
• Perspective of the end user
• Web security privacy
• Malware
• Security configuration
• Presenting security information to users
• Forensics
• Sample directions
• Understanding users mental models
• Web authentication
• Fundamental underpinnings of next-generation
  browser security
• Effective interfaces for security configuration
  and information dialogs
• Science of malware detection and mitigation
• Automated forensics and recovery of systems that
  have been attacked

4
Year 2 Research Topics

• Phishing detection and prevention
• Browser extensions, Server support
• Cache and link attacks, timing attacks,
• Authentication using trusted platforms
• Smartphone, Virtualization, Password token
• User interface issues
• Tricky problem users are fooled
• Do users understand EULAs? (need I ask?)
• Malware detection and mitigation
• Signature generation
• Behavioral botnet detection

5
Modern Threats

• Spear phishing
• Targeted email to known customers, evade spam
  filter
• Man-in-the-middle attacks
• Forward communication to honest server
• Attack one-time passwords, server defenses
• Cookie theft
• Keyloggers
• Install via worms, or as browser infections
• Acoustic emanations
• Botnets
• Host keyloggers, send spam, steal credentials,
  etc.
• Vint Cerf as many as ¼ of all machines on
  Internet
• Many user interface issues related to deception

6
Basic Questions

• Security of human/computer systems
• Phishing not attack on OS, network protocol, or
  computer application
• Attack on user through the users computer
• Deception works because user has incomplete and
  unreliable information, or does not understand
  the information that is presented
• Web authentication
• How can clients and servers authenticate each
  other?
• Passwords are low entropy but easy to remember
• Images, other indicators easy to spoof, esp. if
  attacker has info about user
• Isolation for web sessions
• Implicit notion of process ? user visiting site
• Many complexities ads, redirects, mashups
• Privacy expectations and laws
• Users transmit sensitive information to web sites
• What privacy can they expect? How can this be
  guaranteed?
• Part of the problem is to identify and articulate
  the core issues
• Principled understanding of web activity will
  lead to more secure browser design, clearer
  understanding of contract between browser and
  server, better server practices

7
Technology Transition Plan

• PwdHash RSA Security
• www.pwhash.com
• Initial integration completed fall 2006
• Hope to convince IE team to embed natively in IE
• SpyBlock deployment
• Available at http//getspyblock.com/
• Relevant companies Mocha5, VMWare
• Dialog with companies about transaction
  generators
• SafeHistory Microsoft, Mozilla
• Available at www.safehistory.com