Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

1. The Effectiveness of Security Training / Graphical Indicators of Security
   Joint project by Dan Guido and Boris Kochergin
2. Personalized Phishing
   Joint project by Brad Schonhorst and Jonathan Voris

I’ve made an executive decision. The mailing list that we used for the course will now be opened to the public for discussion of Social Engineering / Psychology of Security issues. I placed a link on the sidebar of this blog, please sign up if you’re interested!

His presentation makes a number of claims about the security benefits of SSBs. It lists protection against phishing, CSRF, some types of XSS (likely all non-persistent varieties), and domain whitelisting as a future improvement to harden those protections.

I don’t think [current] SSBs completely provide those security benefits unless you do two things:

1. You block non-SSBs from accessing your website (blocking on user agent string would be enough)
2. You train users that an SSB is the only acceptable place to enter their password

Without those two requirements satisfied, it is my opinion that SSBs give little security benefit.

If you still allow non-SSBs to access citibank.com, then when a user clicks an XSS’d link to citibank.com, the citibank.com page will still load, and they will still be XSS’d. Similarly, CSRF continues to function as it is likely that the ’session cookie isolation’ benefit of SSBs are negated by the user likely having duplicate cookies in both their SSB and in Firefox (you must ensure the user never logs into citibank.com with their normal browser and obtain a session cookie there, hence the first requirement).

In order for the phishing protection to be effective, users must be aware that they are only supposed to encounter Citibank content in their SSB and not in their normal browser. For instance, if an SSB user encounters a Citibank phishing website in Firefox, will they close their browser and open their SSB instead? It might be the case that users will behave in this way, but I haven’t seen any verifiable proof either way.

[This hasn't been reported on ISIS Blogs yet, but next week marks the end of our first run of "The Psychology of Security/Social Engineering", a first-run research course here at Poly. I'm writing up a research proposal to test the above hypothesis with a group of students in the Fall.]

Lastly, if a bank starts deploying SSBs to their customers, I see this as a first step towards successfully forcing client-side requirements on users where the end-game is fully trusted computing and the open commercial web starts to disappear. This actually goes back to our “Refusing Insecure Customers” debate. It’s an evolution of the same (bad, according to readers) idea.

So, although I see where SSBs have some use and can positively affect your web security, let’s not kid ourselves, they don’t solve that much. To really be effective, they require major changes in the way you do business and [still] rely on an intelligent user. Rather, they look like avoidance of the base problem and an idealistic patch that isn’t going to work.

Oddly enough, I have been using a set of 4 Prism SSBs for the last 2 weeks and have actually grown fond of them, but not for security reasons at all. I like how they show up in my dock, that they rarely crash, and it seems natural to give such webapps “first-class” status as desktop applications. I’ll probably continue using them, but I don’t think I’ve gained any security from doing so.

That said, I think part of the problem here is that SSBs haven’t fully matured yet. I just heard about these things 2 weeks ago and I haven’t heard anyone else in the security community talking about them besides Andrew. They are a topic that deserves more attention and particularly more research from the security community as they embody a lot of attractive ideas. Despite my harsh words, I’m not ready to give up on them yet.

Let’s brainstorm: how could SSBs be more useful to security? Could we change the way they work or change how they are deployed to give us additional benefits? If you’re an InfoSec student with no good topic to research, this is without a doubt a good avenue to explore.

Have you encountered a website that asks for the username and password to your e-mail provider? I’m talking about this:

LinkedIn asking for my Gmail password

Yelp asking for my Gmail password

This really needs to stop and people need to start using the Gmail Contacts Data API.

I think it’s kind of needless to say that not only is this unsafe, but it helps users become victims of phishing at some point in the future. Socializing users into giving away their passwords to arbitrary 3rd parties is not OK.

So, thanks Facebook, LinkedIn, Yelp, and others for continuing to make the Internet just that much more dangerous; now start using the Contacts API.

If you know of any other websites that still ask for your Gmail password, list them in the comments!

UPDATE: This exact same issue was highlighted in Coding Horror 2 months after my post went up.

It’s an interesting idea and I can’t disagree with the concept (<3 <3 separation of privilege) but I think it’s missing a few things. Here are some observations I made about it.

1. They acknowledge that SSB’s do nothing against malware.
2. It solves the problem of webpages bringing in resources from all over pretty nicely. Since the organization pushing the SSB knows whats on their own website they can easily publish a whitelist of allowed domains/content or even change their own site to be simpler in that regard.
3. I think this might come down to a social problem. If I’ve got one general purpose browser I use every day (IE, Firefox, Safari) and I have it open right now, what is going to convince me to close my browser and open a new app just to get to a website that I already have bookmarked? There needs to be some incentive besides security tied into the SSB to get people to perform the above action or companies need to disable functionality on their public websites.
4. I think the SSB idea is really just a crutch because people can’t implement robust security policies in a browser. Think “IE Zones” on steroids or even GreenBorder (wow when did they get bought out???).

Still, it’s kind of cool.

A member of our lab (I’ll leave it to him to take credit for this idea) suggested last week that maybe this should be taken a step further. If I know that one customer of mine is more likely to be infected with a virus (or has a higher susceptibility to phishing, pick your threat) now or in the future, is it reasonable for me to completely deny him my business?

This can be easily tested using either Dan Geer’s test or by sending my customers random phishing messages for my own business (there’s even a phishing appliance to do it for you!). Ie., Paypal sends you a phishing email for themselves (sent from another domain, self-signed certificate, graphics copied incorrectly, differently formatted e-mail, whatever) and if you fall for it, they calculate your future profitability and weigh it against the costs you’ll incur if you actually do get phished in the future. If you’ve got a negative balance after this calculation, your account will be canceled and PayPal will have saved money.

The observation was also made that this is standard practice in other industries. Insurance and, regrettably, healthcare come to mind. Would this be a bad thing for web services?