Monthly Archive for March, 2008

We promise we won’t store your password

This is a short rant prompted by another student’s observation that Yelp actually asks for your Gmail password as part of their signup process…

Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

Facebook asking for my Gmail password

Paper Discussion - Do Background Images Improve “Draw a Secret” Graphical Passwords?

Short Summary of the paper:

Draw a Secret (DAS) is a graphical password scheme in which the user draws a secret on a grid. A completed drawing, i.e., a secret, is encoded as the ordered sequence of grid cells that the user crosses while constructing it. Each time the user lifts the pen from the drawing surface, a “pen-up” event is encoded as a distinguished coordinate pair. The important thing to note is that two drawings need not have the same shape: as long as their encodings are identical, they yield the same password.

The basic problem with this scheme is that it is vulnerable to graphical dictionary attacks. Also, users tend to choose passwords that are symmetric and centered on the grid. In this paper the authors therefore propose drawing on a background image, to help users 1) remember the password more easily and 2) choose passwords that are neither symmetric nor centered. The only difference is that users do not draw their passwords on an empty grid; they first choose a background image and draw on top of it. Experimental results show that this scheme is better than DAS: people chose longer and more complicated passwords, and symmetry and centering were less common, so the authors conclude it is more secure than DAS.

However, a question arises here: a background image may also give attackers clues about the password. Can the security lost to the background image be compensated by the reduced symmetry and centering? Unfortunately the paper does not study this question. It is an open problem!
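To make the encoding concrete, here is an added example (my own code, not from the paper or the blog) that encodes DAS drawings on a 5x5 grid the way the summary describes: the ordered sequence of cells crossed, with a distinguished pen-up pair after each stroke. The canvas size, the cell size of 20 pixels, the choice of `(5, 5)` as the pen-up pair, and the sample drawings are all assumptions made for the example. It also computes the two properties the paper measures, stroke count and length, plus a crude mirror-symmetry check, and shows that two drawings with different shapes collapse to the same password.

```python
"""Encoding of Draw-a-Secret (DAS) drawings as ordered grid cells plus pen-up events.

Added example; the grid size follows the DAS scheme, the pixel geometry,
the PEN_UP value and the sample drawings are assumptions for this demo.
"""
from typing import Iterator, List, Sequence, Tuple

GRID = 5               # DAS draws on a 5x5 grid
CELL = 20              # pixel size of one cell on a 100x100 canvas (assumption)
PEN_UP = (GRID, GRID)  # distinguished coordinate pair that can never be a real cell

Point = Tuple[float, float]
Cell = Tuple[int, int]


def cell_of(x: float, y: float) -> Cell:
    """Map a pixel coordinate to its (column, row) cell, clamped to the grid."""
    col = min(GRID - 1, max(0, int(x) // CELL))
    row = min(GRID - 1, max(0, int(y) // CELL))
    return (col, row)


def walk(p: Point, q: Point, steps: int = 200) -> Iterator[Point]:
    """Sample the segment p->q densely enough that no crossed cell is skipped."""
    (x0, y0), (x1, y1) = p, q
    for i in range(steps + 1):
        t = i / steps
        yield (x0 + (x1 - x0) * t, y0 + (y1 - y0) * t)


def encode(strokes: Sequence[Sequence[Point]]) -> List[Cell]:
    """Encode a drawing: every cell *change* along each stroke, then PEN_UP.

    The shape of the pen path inside a cell is deliberately lost; only the
    order in which cells are entered matters, which is why different-looking
    drawings can be the same password.
    """
    code: List[Cell] = []
    for stroke in strokes:
        # `stroke[1:] or stroke` turns a single tapped point into a zero-length
        # segment so that a tap still registers its cell.
        for p, q in zip(stroke, stroke[1:] or stroke):
            for x, y in walk(p, q):
                c = cell_of(x, y)
                if not code or code[-1] != c:
                    code.append(c)
        code.append(PEN_UP)
    return code


def cells(code: List[Cell]) -> List[Cell]:
    return [c for c in code if c != PEN_UP]


def stroke_count(code: List[Cell]) -> int:
    return code.count(PEN_UP)


def length(code: List[Cell]) -> int:
    """Password length in the DAS sense: number of cell entries, pen-ups excluded."""
    return len(cells(code))


def is_symmetric(code: List[Cell]) -> bool:
    """True if the set of cells is mirror-symmetric about the grid's vertical
    or horizontal axis, the predictable kind of choice the paper warns about."""
    s = set(cells(code))
    mirror_v = {(GRID - 1 - c, r) for c, r in s}
    mirror_h = {(c, GRID - 1 - r) for c, r in s}
    return s == mirror_v or s == mirror_h


# Constructed drawings in pixel coordinates (not from the paper).
LINE = [[(5, 30), (95, 30)]]                                   # straight line across row 1
ZIGZAG = [[(2, 22), (30, 38), (60, 22), (90, 38), (98, 25)]]   # wobbly line, stays in row 1
VERTICAL = [[(30, 5), (30, 95)]]                               # straight line down column 1
L_SHAPE = [[(10, 10), (10, 90), (90, 90)]]                     # one stroke, two segments

if __name__ == "__main__":
    for name, drawing in [("LINE", LINE), ("ZIGZAG", ZIGZAG),
                          ("VERTICAL", VERTICAL), ("L_SHAPE", L_SHAPE)]:
        code = encode(drawing)
        print(f"{name:8} {code} strokes={stroke_count(code)} "
              f"len={length(code)} symmetric={is_symmetric(code)}")
    print("LINE and ZIGZAG are the same password:", encode(LINE) == encode(ZIGZAG))
```

The LINE and ZIGZAG drawings look nothing alike on screen but produce the identical encoding, which is exactly the equivalence the paper relies on (and which a graphical dictionary attack exploits: the attacker only has to enumerate cell sequences, not shapes).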

Questions raised in the meeting:

  • Do we really believe in graphical passwords? Are they really more memorable? Are they really more usable? Are they really more secure?
  • What would be the impact of background images in this scheme? Will they mess up the security?
  • Which graphical password scheme is more secure: DAS or PassPoints (where the user clicks on points of an image in a particular order)?
  • How about using passphrases instead of passwords? Would it be more secure to use the initials of a secret phrase as a password?
  • Can we design a new scheme combining graphical and text passwords?
    • How about writing your password in your own handwriting and having the scheme verify that it is you who is writing (i.e., combining the password with a biometric)? Would you feel uncomfortable about shoulder surfing in this case? (Note that even if shoulder surfers capture your movements, they cannot capture everything about your handwriting, only the letters you use in your password.)

Single Site Browsers

Single Site Browsers [to be uploaded later]

It’s an interesting idea and I can’t disagree with the concept (<3 <3 separation of privilege) but I think it’s missing a few things. Here are some observations I made about it.

  1. They acknowledge that SSBs do nothing against malware.
  2. It solves the problem of web pages pulling in resources from all over pretty nicely. Since the organization pushing the SSB knows what is on its own website, it can easily publish a whitelist of allowed domains/content, or even change its own site to be simpler in that regard.
  3. I think this might come down to a social problem. If I’ve got one general-purpose browser I use every day (IE, Firefox, Safari) and I have it open right now, what is going to convince me to close my browser and open a new app just to get to a website that I already have bookmarked? There needs to be some incentive besides security tied into the SSB to get people to perform the above action, or companies need to disable functionality on their public websites.
  4. I think the SSB idea is really just a crutch because people can’t implement robust security policies in a browser. Think “IE Zones” on steroids, or even GreenBorder (wow, when did they get bought out???).

Still, it’s kind of cool.
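As an added illustration of point 2 above (my own code, not from the SSB paper or this blog), here is the kind of check an SSB would run on every resource a page tries to load, against a whitelist of origins the organization publishes. The allowlist, the `example-bank.com` hostnames and the sample URLs are all constructed for the example. The interesting part is not the match itself but the three ways a naive matcher goes wrong: matching on the scheme-less string, suffix-matching without a leading dot, and trusting the text before an `@` in the URL.

```python
"""Resource-origin allowlist check of the sort a Single Site Browser would enforce.

Added example with constructed data; the organization, hostnames and
allowlist format are hypothetical.
"""
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlsplit

# Whitelist the organization might publish with its SSB. Keyed by scheme so
# that an http:// copy of an allowed host is still refused. A "*." entry
# matches true subdomains only, never the bare name.
ALLOWLIST: Dict[str, Set[str]] = {
    "https": {"www.example-bank.com", "*.static.example-bank.com"},
}


def host_matches(host: str, pattern: str) -> bool:
    """Exact match, or wildcard match on the dotted suffix.

    The wildcard keeps the leading dot: host.endswith("static.example-bank.com")
    would also accept "evilstatic.example-bank.com".
    """
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] == ".static.example-bank.com"
    return host == pattern


def is_allowed(url: str, allowlist: Dict[str, Set[str]] = ALLOWLIST) -> bool:
    """Decide whether the SSB may fetch `url`."""
    parts = urlsplit(url)
    patterns = allowlist.get(parts.scheme.lower(), set())
    # urlsplit().hostname is lowercased and has userinfo ("user@") and port
    # stripped, so "https://www.example-bank.com@evil.example/" resolves to
    # evil.example rather than to the allowed host that appears first.
    host = parts.hostname
    if not host:
        return False  # javascript:, data:, relative junk, etc.
    return any(host_matches(host, p) for p in patterns)


def partition(urls: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split a page's resource URLs into (allowed, blocked)."""
    allowed, blocked = [], []
    for u in urls:
        (allowed if is_allowed(u) else blocked).append(u)
    return allowed, blocked


# Constructed sample of what one page might try to load.
PAGE_RESOURCES = [
    "https://www.example-bank.com/login",
    "https://WWW.Example-Bank.com:443/style.css",
    "https://img.static.example-bank.com/logo.png",
    "http://www.example-bank.com/tracker.js",
    "https://www.example-bank.com@evil.example/steal",
    "https://www.example-bank.com.evil.example/",
    "https://evilstatic.example-bank.com/",
    "https://static.example-bank.com/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    ok, blocked = partition(PAGE_RESOURCES)
    print("allowed:", *ok, sep="\n  ")
    print("blocked:", *blocked, sep="\n  ")
```

Note that `https://static.example-bank.com/` is refused as well: the published wildcard covers only subdomains of it, and an allowlist that wants the apex must list it explicitly, which is the right default for a policy the site operator is meant to author deliberately.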

Refusing Business from Insecure Customers

Late last year in an article titled “In Zombies We Trust,” Dan Geer suggested that there are two types of users — those who blindly say yes to everything and are probably infected with a dozen viruses and those who say no to most everything and likely escape most virus problems — and that it could be a legitimate practice for websites to further scrutinize the actions of those who always say yes to prevent them from getting into trouble while using their site. The premise is that these virus-infected users end up costing the businesses they frequent a significant amount of money by being such persistent problems.

A member of our lab (I’ll leave it to him to take credit for this idea) suggested last week that maybe this should be taken a step further. If I know that one customer of mine is more likely to be infected with a virus (or has a higher susceptibility to phishing, pick your threat) now or in the future, is it reasonable for me to completely deny him my business?

This can be easily tested using either Dan Geer’s test or by sending my customers random phishing messages for my own business (there’s even a phishing appliance to do it for you!). I.e., PayPal sends you a phishing email for themselves (sent from another domain, self-signed certificate, graphics copied incorrectly, differently formatted e-mail, whatever) and if you fall for it, they calculate your future profitability and weigh it against the costs you’ll incur if you actually do get phished in the future. If you’ve got a negative balance after this calculation, your account is canceled and PayPal has saved money.

The observation was also made that this is standard practice in other industries. Insurance and, regrettably, healthcare come to mind. Would this be a bad thing for web services?

Poll: Refusing Insecure Customers