Usable Privacy and Security Jason I. Hong Carnegie Mellon University.

Everyday Privacy and Security Problem

Future Privacy and Security Problem
Real-time location information
–Friend Finder (“where is Alice?”)
–Filtered searches (“restaurants near me?”)
–Better awareness (“Daniel is at school”)
What kinds of controls and feedback are needed?
(Screenshots: Find Friends, inTouch)

Future Privacy and Security Problem
You think you are in one context, but you are actually overlapped with many others. Without this understanding, you cannot act appropriately.

Usable Privacy and Security Important
People increasingly asked to make trust judgements
–Install this software?
–Login to a site and enter username and password?
–Share location information?
–What context are you in, and how should you act?
New networked technologies leading to new risks
Risks range from everyday risks to extreme risks, by who poses them:
–Hackers, Muggers: Identity theft, Malware, Personal safety
–Employers: Over-monitoring, Discrimination, Reputation
–Friends, Family: Over-protection, Social obligations, Embarrassment
–Government: Civil liberties

Grand Challenge “Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.” - Computing Research Association 2003

Usable Privacy and Security Work
–Supporting Trust Decisions
–Ubiquitous Computing
–Location Enhanced Services

Project: Supporting Trust Decisions
Goal here is to help people make better decisions
–Context here is anti-phishing
Large multi-disciplinary team project
–Six faculty, five PhD students

Phishing
A semantic attack aimed directly at people rather than computers
–“Please update your account”
–“Fill out survey and get $25”
–“Question about your auction”
Rapidly growing in scale and damage
–~7000 new phishing sites in Dec 2005 alone
–~$1 billion in damages
–More profitable (and safer) to phish than to rob a bank

Outline
Human-Side of Anti-Phishing
–Interviews to understand decision-making
–Embedded Training
–Anti-Phishing Game
Computer-Side
–Anti-Phishing Email Filter
–Automated Testbed for Anti-Phishing Toolbars
–Our Anti-Phishing Toolbar
Automate where possible, support where necessary

Project: Supporting Trust Decisions – Interviews to Understand Decision-Making
How do people decide which emails to “trust”?
Interviews with 40 novices and some experts
–Asked them to role play and go through a series of emails
Highlights
–People know the cues (From, To, lock icons) but interpret them incorrectly
–Very few people understand URLs
–People confuse browser chrome with page content
–Hard for people to generalize risks (banks vs. Amazon)
–Judge legitimacy primarily by the quality of the site
–Trusted an email when they were expecting one or had previous contact with the sender

Project: Supporting Trust Decisions – Embedded Training
Can we “train” people to avoid phishing in their regular use of email?
–Periodically, people get sent a training email
–Training email looks like a phishing attack
–If the person falls for it, an intervention warns them and highlights what cues to look for
Has been done by others
–New York state government office, West Point, Indiana U
Goal: understand which designs are most effective

Project: Supporting Trust Decisions – Embedded Training
Created three interventions
–#0 – Early prototype that helped us explore the design space
–#1 – Diagram that explains phishing
–#2 – Comic strip that tells a story
–Shown only if a person clicks on a link in the training email

#0 – Early Prototype
People didn’t understand what the training message was trying to say
–Callout: “Why am I getting this?”
–Missed the explanation text at the top
–Screenshot of the web browser confused people
–Callout: “Not the same, so what?”
People who clicked on a phishing link were very likely to enter their username and password
Need clear, actionable items

#1 – Diagram Intervention

Explains why they are seeing this message

#1 – Diagram Intervention Explains how to identify a phishing scam

#1 – Diagram Intervention Explains what a phishing scam is

#1 – Diagram Intervention Explains simple things you can do to protect self

#2 – Comic Strip Intervention

Embedded Training Evaluation
Compared two prototypes to standard security notices
–A – eBay, PayPal security notices
–B – Diagram that explains phishing
–C – Comic strip that tells a story
10 participants in each condition (30 total)
Roughly: go through 19 emails, with 4 phishing attacks scattered throughout and 2 training emails
–Emails are in the context of working in an office

Embedded Training Results

Embedded Training Summary
Summary
–Existing practice of security notices is ineffective
–Diagram intervention mildly better
–Comic strip intervention worked best
Next Steps
–Iterate on the design
–Understand more about why the comic strip worked better (the story? the comic format?)
–Larger scale deployment and evaluation

Anti-Phishing Phil
A game to teach people about anti-phishing
–Embedded training focuses on email
–Game focuses on the web browser and URLs
Goals
–How to parse URLs
–Where to look for URLs
–Use search engines instead of clicking links
Early preview!

Anti-Phishing Phil

Anti-Phishing Email Filter
Philosophy: automate where possible, support where necessary
Goal: create an email filter that detects phishing emails
–Well explored area for spam
–Can we do better for phishing?

Anti-Phishing Email Filter
Heuristics combined in an SVM
–IP addresses in links
–Age of linked-to domains (younger domains are more likely phishing)
–Non-matching URLs (ex. most links point to PayPal)
–“Click here to restore your account”
–HTML email
–Number of links
–Number of domain names in links
–Number of dots in URLs
–JavaScript
–SpamAssassin rating
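As an added illustration (not the project's filter code), the following Python extracts the content-level heuristics from the list above out of an email body using only the standard library. Domain age and the SpamAssassin rating need WHOIS and an external scorer, so they are left out; the sample messages are constructed for this example and the `.example` hosts and TEST-NET addresses are placeholders. The resulting dictionary is the kind of feature vector that would be handed to the SVM.

```python
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs and note any JavaScript in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.has_script = False
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" or any(n.lower().startswith("on") for n, _ in attrs):
            self.has_script = True          # <script> or inline on* handlers
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname a link really goes to ('' if unparsable). urlsplit resolves the
    'http://paypal.com@evil.example/' trick: the hostname is evil.example."""
    try:
        return (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract_features(html):
    """Heuristic features for one email body, in the spirit of the slide's list."""
    p = _LinkCollector()
    p.feed(html)
    hosts = [_host(h) for h, _ in p.links]
    nonmatching = 0
    for href, text in p.links:
        # Visible text names a host, but the href leads somewhere else.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m:
            shown, real = m.group(1), _host(href)
            if not (shown == real or real.endswith("." + shown) or shown.endswith("." + real)):
                nonmatching += 1
    return {
        "ip_in_link": any(_is_ip(h) for h in hosts),
        "nonmatching_urls": nonmatching,
        "click_here": bool(re.search(r"click here", html, re.I)),
        "is_html": bool(re.search(r"<\s*(html|a|table)\b", html, re.I)),
        "num_links": len(p.links),
        "num_domains": len({h for h in hosts if h}),
        "max_dots": max((h.count(".") for h in hosts), default=0),
        "has_javascript": p.has_script,
    }


# Constructed sample messages (not real phishing mail).
SAMPLE_PHISH = """<html><body>
<p>Dear customer, your account has been limited.</p>
<p><a href="http://192.0.2.10/paypal/login">Click here to restore your account</a></p>
<p>Or visit <a href="http://www.paypal.com.account-verify.example/">www.paypal.com</a></p>
<script>document.location="http://203.0.113.5/x"</script>
</body></html>"""

SAMPLE_HAM = """<html><body><p>Agenda attached. See
<a href="https://www.example.edu/calendar">www.example.edu</a>.</p></body></html>"""

if __name__ == "__main__":
    for name, body in (("phish", SAMPLE_PHISH), ("ham", SAMPLE_HAM)):
        print(name, extract_features(body))
```

The non-matching check compares the host the anchor text claims against the host the href resolves to, tolerating a `www.` prefix; it is deliberately crude, which is why the slide combines these signals in a classifier rather than using any one as a rule.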

Anti-Phishing Email Filter Evaluation
Ham corpora from SpamAssassin (2002 and 2003)
–6950 good emails
phishingcorpus
–860 phishing emails

Anti-Phishing Filter Evaluation

Testbed for Anti-Phishing Toolbars
Lots of anti-phishing web browser toolbars, but unclear how well they work in practice
–Need a way of systematically evaluating toolbars
–Need a way of rigorously comparing algorithms

Testbed for Anti-Phishing Toolbars
First iteration: manual evaluation
–Get 1 laptop and 1 person per toolbar
–Send out a URL
–Manually check each toolbar
–Tedious, slow, error-prone
Created a testbed that could semi-automatically evaluate these toolbars
–Just give it a set of URLs to check (labeled as phish or not)
–Check all the toolbars, aggregate statistics

Testbed for Anti-Phishing Toolbars
Two key systems issues
#1 – How to get a list of phishing URLs to evaluate?
–Phishing feed from the Anti-Phishing Working Group (APWG)
–Manually inspect each URL to confirm it is a phish
#2 – How to automate this for different toolbars?
–Different APIs (if any), different browsers
–Image-based approach: take screenshots of the web browser and compare the relevant portions to known states
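The two pieces of the image-based approach, written out as an added Python example rather than the testbed's own code: a toolbar's screenshot is cropped to the region where it paints its verdict, that patch is matched against reference patches captured for each known state, and the per-URL verdicts are then scored against the manually confirmed labels. Screenshots here are constructed as small grayscale grids (lists of rows of 0–255 values) so the example runs without a browser or image library; the indicator region, shades, tolerance and URLs are all assumptions of this example.

```python
# Constructed stand-in for a browser screenshot: a grayscale grid, one list per row.
WIDTH, HEIGHT = 48, 16
INDICATOR = (36, 4, 8, 6)                     # x, y, w, h of the toolbar's status icon
STATE_SHADE = {"phish": 20, "safe": 240, "unknown": 128}   # assumed icon shades


def crop(image, x, y, w, h):
    """Cut the region of interest out of a screenshot."""
    return [row[x:x + w] for row in image[y:y + h]]


def mean_abs_diff(a, b):
    """Average per-pixel difference between two same-sized patches."""
    total = sum(abs(p - q) for ra, rb in zip(a, b) for p, q in zip(ra, rb))
    return total / (len(a) * len(a[0]))


def classify_toolbar(screenshot, region, references, tolerance=8.0):
    """Match the toolbar's indicator region against reference patches for each
    known state; return the closest state within tolerance, else 'no_match'."""
    patch = crop(screenshot, *region)
    best_state, best_score = "no_match", None
    for state, ref in references.items():
        d = mean_abs_diff(patch, ref)
        if d <= tolerance and (best_score is None or d < best_score):
            best_state, best_score = state, d
    return best_state


def score_toolbar(verdicts, labels):
    """Aggregate one toolbar's verdicts (url -> state) against ground truth
    (url -> True if phish). Anything but an explicit 'phish' counts as not flagged."""
    tp = fp = fn = tn = 0
    for url, is_phish in labels.items():
        flagged = verdicts.get(url, "no_match") == "phish"
        if is_phish and flagged:
            tp += 1
        elif is_phish:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    positives, negatives = tp + fn, fp + tn
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "detect_rate": tp / positives if positives else 0.0,
        "false_positive_rate": fp / negatives if negatives else 0.0,
    }


def make_screenshot(state, jitter=0):
    """Constructed screenshot: neutral chrome with the indicator painted in the
    state's shade; 'jitter' adds a checkerboard of small differences to mimic
    anti-aliasing so the match is not pixel-exact."""
    x, y, w, h = INDICATOR
    img = [[200] * WIDTH for _ in range(HEIGHT)]
    for yy in range(y, y + h):
        for xx in range(x, x + w):
            img[yy][xx] = STATE_SHADE[state] + ((xx + yy) % 2) * jitter
    return img


# Reference patches are captured once from clean screenshots of each state.
REFERENCES = {s: crop(make_screenshot(s), *INDICATOR) for s in STATE_SHADE}

if __name__ == "__main__":
    for s in STATE_SHADE:
        print(s, "->", classify_toolbar(make_screenshot(s, jitter=3), INDICATOR, REFERENCES))
```

In the real testbed the reference patches come from screenshots of each toolbar in each of its states, and the region and tolerance are per toolbar; the scoring function is the same regardless of how the verdict was obtained, so it also works for toolbars that expose an API.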

Image-Based Comparisons

Testbed System Architecture

Evaluation
Tested five toolbars
–NetCraft v1.6.2
–TrustWatch
–SpoofGuard (uses heuristics only)
–CloudMark v1.0
–Google Toolbar v2.1
Test URLs manually confirmed
–Extracted 100 confirmed, active phishing URLs spanning 100 domains
–Also extracted 60 legitimate domains and added 40 others (banks, etc.)

Results

Stanford’s SpoofGuard and NetCraft had the best results
CloudMark was worst
–Relies on user ratings, perhaps not updated fast enough?
Stanford’s SpoofGuard was the only one with false positives

Our Anti-Phishing Toolbar
Issue #1: can we do better in detecting phish?
–SpoofGuard accuracy 90-95%, but lots of false positives
–NetCraft also around 90-95%
Issue #2: how well do individual techniques work?
–Evaluated each toolbar as a black box
–Need to unpack the effectiveness of the various techniques
We are developing a toolbar to explore these issues
–Developed two new heuristics
–Still needs a name

Our Anti-Phishing Toolbar
Heuristic #1 – Does the page have text input fields?
–No text input fields, not phishing (nothing for the victim to type a password into)
Heuristic #2 – Content analysis
–Based on Robust Hyperlinks by Phelps and Wilensky
–Their motivation: too many links end in “404 Not Found”
–So create a “lexical signature” for a web page
–Feed the lexical signature into a search engine to find the same page again
–Signature built with Term Frequency / Inverse Document Frequency (TF-IDF): take the top five terms

Our Anti-Phishing Toolbar
Heuristic #2 – Content analysis using TF-IDF
–Apply the TF-IDF algorithm to the web page in question
–Feed the top five terms into Google
–See if the domain of the web page in question is in the top 30 results
–If so, probably not a phish
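Both heuristics from the two slides above, carried through in Python as an added example (this is not the toolbar's code). A page is first checked for text inputs; if it has any, its TF-IDF lexical signature is computed and looked up, and the page is treated as legitimate only if its own domain comes back among the top results. Google is replaced by a constructed local index of three pages that ranks by how many signature terms a page contains, the stopword list and the document-frequency counts are assumptions of this example, and the bank, news and blog pages and their `.example` URLs are made up. The phish case is a copy of the bank's login page served from another host, which is exactly the situation the slide describes.

```python
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed stopword list; a real deployment would use a fuller one.
STOPWORDS = {"the", "and", "with", "your", "this", "that", "for", "from",
             "are", "you", "our", "all", "not"}


class _PageText(HTMLParser):
    """Collect visible words and note whether the page has text input fields."""

    def __init__(self):
        super().__init__()
        self.words = []
        self.has_text_input = False
        self._skip = 0                       # depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input":
            kind = (dict(attrs).get("type") or "text").lower()
            if kind in ("text", "password", "email", "tel"):
                self.has_text_input = True
        elif tag == "textarea":
            self.has_text_input = True

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(w for w in re.findall(r"[a-z]{3,}", data.lower())
                              if w not in STOPWORDS)


def parse_page(html):
    p = _PageText()
    p.feed(html)
    return p.words, p.has_text_input


def lexical_signature(words, doc_freq, n_docs, k=5):
    """Top-k terms by TF-IDF; ties broken alphabetically so the result is stable."""
    tf = Counter(words)
    score = {w: (c / len(words)) * math.log(n_docs / (1 + doc_freq.get(w, 0)))
             for w, c in tf.items()}
    return [w for w, _ in sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


def search(index, terms, top=30):
    """Stand-in for the Google query: rank indexed pages by signature-term overlap."""
    hits = []
    for url, words in index.items():
        overlap = sum(1 for t in terms if t in set(words))
        if overlap:
            hits.append((overlap, url))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return [url for _, url in hits[:top]]


def _domain(url):
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_phish(url, html, index, doc_freq, n_docs):
    words, has_input = parse_page(html)
    if not has_input:                        # Heuristic #1
        return False
    signature = lexical_signature(words, doc_freq, n_docs)   # Heuristic #2
    return _domain(url) not in {_domain(hit) for hit in search(index, signature)}


# Constructed pages standing in for the search engine's index.
BANK_LOGIN = """<html><head><title>Example Bank online banking sign in</title></head>
<body><h1>Welcome to Example Bank online banking</h1>
<p>Sign in with your customer number and passcode to manage accounts, payments and statements.</p>
<form action="/login" method="post"><input type="text" name="customer">
<input type="password" name="passcode"><button type="submit">Sign in</button></form>
<script>var tracked = 1;</script></body></html>"""
NEWS = """<html><body><h1>Local weather</h1><p>Rain expected across the region this
weekend with cooler temperatures and strong winds.</p></body></html>"""
BLOG = """<html><body><h1>Recipe blog</h1><p>Example bread recipe: flour, water, salt
and yeast. Bake until golden.</p></body></html>"""

INDEX = {"https://www.examplebank.example/login": parse_page(BANK_LOGIN)[0],
         "https://news.example/weather": parse_page(NEWS)[0],
         "https://blog.example/bread": parse_page(BLOG)[0]}
DOC_FREQ = Counter()
for _words in INDEX.values():
    DOC_FREQ.update(set(_words))
N_DOCS = len(INDEX)

PHISH_URL = "http://www.examplebank.example.verify-login.example/"   # same page, wrong host

if __name__ == "__main__":
    print("phish copy:", is_phish(PHISH_URL, BANK_LOGIN, INDEX, DOC_FREQ, N_DOCS))
    print("real bank:", is_phish("https://www.examplebank.example/login", BANK_LOGIN, INDEX, DOC_FREQ, N_DOCS))
```

Two caveats carry over from the slides: a phish that strips all text from the page (image-only login forms) leaves nothing for the signature, and a legitimate page too new to be indexed fails the lookup, which is the false-positive source the next slide reports.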

Our Anti-Phishing Toolbar
Informal results
–94% accurate
–6% false positives
–Pretty good, considering it took us 2 weeks to build
Turns out content analysis works well for anti-phishing
–Most scammers modify the original web page
–Not enough time for the phish page to get a high PageRank
Next steps
–Integrate other heuristics
–Evaluate heuristics separately and combined
–Better user interfaces for warning people

Summary
Usable Privacy and Security increasingly important
Supporting Trust Decisions
–One of our group projects at Carnegie Mellon
–Human-Side of Anti-Phishing: Interviews, Embedded Training, Anti-Phishing Game
–Computer-Side: Email Filter, Testbed, Our Anti-Phishing Toolbar

Questions?
Faculty: Alessandro Acquisti, Lorrie Cranor, Sven Dietrich, Julie Downs, Mandy Holbrook, Jason Hong, Norman Sadeh
Students: Serge Egelman, Ian Fette, P. Kumaraguru (PK), Yong Rhee, Steve Sheng, Yue Zhang
Support: NSF IIS, ARO D20D, CyLab

Usable Privacy and Security Important
People increasingly asked to make trust decisions
–Install this software?
–Trust an expired certificate? (“what is a certificate?”)
–Share location information?
Risks range from everyday risks to extreme risks, by who poses them:
–Hackers, Muggers: Identity theft, Personal safety
–Employers: Over-monitoring, Discrimination, Reputation
–Friends, Family: Over-protection, Social obligations, Embarrassment
–Government: Civil liberties