Usability issues with security of electronic mail
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. This thesis shows that human factors can have a large and direct impact on security, not only on the user's satisfaction, but also on the level of security achieved in practice. The usability issues identified are also extended to include mental models and perceptions as well as traditional user interface issues. These findings were accomplished through three studies using various methodologies to best suit their aims.
The research community has issued principles to better align security and usability, so it was first necessary to evaluate their effectiveness. The chosen method for achieving this was a usability study of the most recent software built specifically to use these principles. It was found that the goal of being simultaneously usable and secure was not entirely met, partially through problems identified with the software interface, but largely due to the users' perceptions and actions whilst using the software. This makes it particularly difficult to design usable and secure software without detailed knowledge of the users' attitudes and perceptions, especially if we are not to blame the user for security errors as has occurred in the past.
Particular focus was given to e-mail security because it is an area in which there is a massive number of vectors for security threats, and in which it is technologically possible to negate most of these threats, yet this is not occurring. Interviews were used to gain in-depth information from the user's point of view. Data was collected from individual e-mail users from the general public, and from organisations. It was found that although the literature had identified various problems with the software and process of e-mail encryption, the majority of problems identified in the interviews stemmed once again from users' perceptions and attitudes. Use of encryption was virtually nil, although the desire to use encryption to protect privacy was strong.
Remembering secure passwords was recurrently found to be problematic, so in an effort to propose a specific method of increasing their usability, an empirical experiment was used to examine the memorability of passwords. Specially constructed passwords were tested for their ability to improve memorability, and therefore usability. No statistical significance in the construction patterns was found, but a memory phenomenon whereby users tend to forget their password after a specific period of non-use was discovered.
The findings are discussed with reference to the fact that they all draw on a theme of responsibility to maintain good security, both from the perspective of the software developer and the end user. The term Personal Liability and General Use Evaluation (PLaGUE) is introduced to highlight the importance of considering these responsibilities and their effect on the use of security.
BATTLE AGAINST PHISHING
Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. There are two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself the user has to recognize only one image and remember one low-entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.
2015 Major League Baseball All-Star Game
This capstone looks specifically at the planning and execution of the 2015 Major League Baseball All-Star Game. Covering all aspects from marketing, financial planning, sports law and more, this project breaks down baseball's mid-summer classic from a professional sport management perspective.
Embedding Privacy Into Design Through Software Developers: Challenges & Solutions
To make privacy a first-class citizen in software, we argue for equipping developers with usable tools, as well as providing support from organizations, educators, and regulators. We discuss the challenges with the successful integration of privacy features and propose solutions for stakeholders to help developers perform privacy-related tasks.
Comment: To be published in "IEEE Security & Privacy: Special Issue on Usable Security for Security Workers", 11 pages, 4 figures.
Password Habits and Cracking Toolkit
Passwords comprise important pieces of information nowadays. They are the basis of many access control systems and are often the first, something-you-know factor of authentication mechanisms. They comprise keys to computer systems, confidential information or even physical facilities, and their widespread adoption makes their discovery one of the main objectives of the initial phase of computer attacks and an interesting research topic. On the one hand, since passwords are sequences of characters against which the input of users has to be compared, their representations have to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Rather than the passwords themselves, it is common and preferable to save transformations of these sequences of characters, which should be obtained using functions with stringent properties such as those of cryptographically secure hash or encryption functions. There are many known methods available and documented nowadays for such a task, scrutinized in the literature and considered secure, though they are not always correctly employed. Obtaining a password from a representation is thus, normally, a computationally unfeasible task. Cracking a password often refers to the procedure of submitting several known passwords (using dictionaries or compendiums) or patterns (using brute-force attacks) to the transformation procedure and comparing the result with a representation, until a match is obtained, if ever. As such, the security of the mechanism used to obtain the representations is also dependent on how guessable the passwords are.
This dissertation addresses the topics of habits for the construction of passwords and tools for cracking them. Several specialized tools for cracking are available nowadays, most of them free or open source, designed for command-line interaction only. One of the main contributions of this work comprised the development of a Graphical User Interface (GUI) for several cracking tools (namely Hashcat, John the Ripper and RainbowCrack), congregating their most interesting features in an integrated and meaningful manner. The developed toolkit, named PassCrackGUI, was then used in the cracking attempt of several Databases (DBs) with password representations that leaked to the Internet in 2014 and 2015, with the intention of analyzing how vulnerable they were to the procedure, and also the contemporary habits of people in terms of the construction of passwords. Also aiming to better study the last-mentioned topic, a questionnaire was prepared and delivered to 64 participants. This analysis of password habits constitutes another contribution of this work.
PassCrackGUI is a main output of this Master of Science (M.Sc.) program. It is fully functional, easy to use and made freely available as an open-source project. It was written in Java and tested on the Linux, Windows and Mac Operating Systems (OSs). When using it to crack the leaked DBs, it was possible to recover 36% of the 4233 password representations using only dictionaries and simple rules on a common laptop. Part of the problem lies in the adopted mechanisms for obtaining the representations, which were outdated in most of the cases, while very weak passwords also contributed to this number (e.g., a significant number of 4-digit-long passwords was found in one of the DBs). The results from the survey corroborate other works in the area, namely in terms of stereotypes. For example, the answers suggest that men use longer and more diverse (in terms of character sets) passwords than women. Nonetheless, several contradictory aspects lead to the conclusion that the participants may be claiming to construct stronger passwords than they really use.
Passwords play an important role in information systems today.
They are often the basis of access control mechanisms and frequently constitute the first, something-you-know factor of authentication mechanisms. They are keys to computers, software systems, confidential information and even buildings, and their widespread adoption makes their discovery one of the main objectives of the initial phase of computer attacks and a very interesting research area. On the one hand, since passwords are sequences of characters against which values supplied by users have to be compared, their representation has to be stored in computer systems; on the other, given their sensitive nature, they have to be stored in a secure manner. Instead of storing passwords in clear text, it is common and preferable to store transformations of these sequences of characters, obtained through functions with very specific properties, such as cryptographic cipher or hash functions. Several known and documented methods exist today for performing this task, described in the specialised literature and considered secure, although they are not always used correctly. Thus, obtaining a password from its representation is normally a computationally infeasible task. Password compromise (password cracking) is then attempted through the repeated submission of various already-known words (using dictionaries or compendiums) or patterns to the transformation function, comparing its result with the captured representation, until a match is found or the possibilities are exhausted. Thus, the security of the mechanisms used to obtain the representations depends on how predictable the passwords are.
This dissertation addresses topics related to password construction habits and password cracking tools. Many specialised cracking tools are available today, many of them free or open source, designed only for command-line interaction. One of the main contributions of this work was the development of a graphical interface for several cracking tools (such as Hashcat, John the Ripper and RainbowCrack), bringing together their most interesting features in a concise and intelligent way. The developed tool, named PassCrackGUI, was used with the aim of discovering passwords in several databases containing representations that leaked to the Internet in 2014 and 2015. This study was carried out with the intention of analysing how exposed the respective passwords are and also of understanding users' habits in constructing these sequences of characters. To better study this last topic, a questionnaire was prepared and delivered to 64 participants. The analysis of the results of this questionnaire constitutes another contribution of this work.
PassCrackGUI is the main output of this master's programme. It is fully functional, easy to use and freely available as an open source project. It was developed in Java and tested on the Linux, Windows and Mac OS operating systems. When used in the cracking attempt on the leaked databases, it was possible to recover 36% of 4233 password representations using only dictionaries and simple rules on an ordinary laptop. Part of the problem lies in the mechanisms adopted for obtaining the representations, which were outdated in most cases, while the existence of weak passwords also contributed to this number (e.g., a significant number of passwords consisted of only 4 digits). The results of the questionnaire are in line with other work in this area, namely in terms of stereotypes. For example, the answers suggest that men use passwords of greater diversity and length than women. Even so, several contradictory aspects in the answers lead to the conclusion that the participants appear to be claiming to use stronger passwords than they really do.
Phishing: message appraisal and the exploration of fear and self-confidence
Phishing attacks have threatened the security of both home users and organizations in recent years. Phishing uses social engineering to fraudulently obtain information that is confidential or sensitive. Individuals are targeted to take action by clicking on a link and providing information. This research explores fear arousal and self-confidence in subjects confronted by phishing attacks. The study collected data from multiple sources (including an attempted phishing attack). The survey results indicated that when individuals had a high level of fear arousal related to providing login credentials, they had a decreased intention to respond to a phishing attack. Self-confidence did not significantly moderate the relationship between fear arousal and intention to respond to a phishing attack, but it did have a significant direct positive influence on intention. The results from the experiment indicated that 18% of individuals overall clicked on the link. The combined data indicated that a higher level of fear arousal resulted in a decreased intention to respond to a phishing attack and decreased actual click behaviour. The research explores how fear of providing login credentials influences both intention to respond and actual response to a phishing attack. When fear arousal is high, individuals are less likely to respond.
Managing user-targeted cybersecurity risks in an organisation
So-called social engineering attacks targeting people, such as phishing, are a growing threat to organisations and their operations. The goal of the attack is to get the target to unknowingly hand confidential information to the attacker. Phishing is a scalable scam in which impersonating someone or something else is used to obtain information from the target. Phishing can be untargeted or targeted at specific individuals or groups. Phishing can be carried out by e-mail, text message and phone call, among other channels. The attack is directed at people because they may make human errors in recognising risks. It is therefore important that the organisation's employees are trained to prepare for threats and to react to them correctly.
As phishing attacks become more common, it is worth considering how the risks can be managed. It is important that users are trained to defend against phishing so that they are aware of the threats and alert to them. Training is useful both for teaching security skills and for motivating the need for security. Users should be able to practise the skills hands-on, through tasks relevant to the learners, in the environment and context in which real phishing attacks on the organisation also take place.
The thesis discusses the different forms of phishing and the means of defending against them in an organisation