
    Usable Security: Why Do We Need It? How Do We Get It?

    Security experts frequently refer to people as “the weakest link in the chain” of system security. Famed hacker Kevin Mitnick revealed that he hardly ever cracked a password, because it “was easier to dupe people into revealing it” by employing a range of social engineering techniques. Often, such failures are attributed to users’ carelessness and ignorance. However, more enlightened researchers have pointed out that current security tools are simply too complex for many users, and they have made efforts to improve user interfaces to security tools. In this chapter, we aim to broaden the current perspective, focusing on the usability of security tools (or products) and the process of designing secure systems for the real-world context (the panorama) in which they have to operate. Here we demonstrate how current human factors knowledge and user-centered design principles can help security designers produce security solutions that are effective in practice.

    An Analysis and Enumeration of the Blockchain and Future Implications

    The blockchain is a relatively new technology that has grown in interest and potential research since its inception. Blockchain technology is dominated by cryptocurrency in terms of usage. Research conducted in the past few years, however, reveals blockchain has the potential to revolutionize several different industries. The blockchain consists of three major technologies: a peer-to-peer network, a distributed database, and asymmetrically encrypted transactions. The peer-to-peer network enables a decentralized, consensus-based network structure where various nodes contribute to the overall network performance. A distributed database adds additional security and immutability to the network. The process of cryptographically securing individual transactions forms a core service of the blockchain and enables semi-anonymous user network presence.

    The New Grid

    The New Grid seeks to provide mobile users with an additional method for off-grid communication, or communication without connection to Internet infrastructure. The motivation for this project was to find another alternative to Internet-dependent communication. Current Internet infrastructure is antiquated; it is expensive to maintain and expand, it has numerous vulnerabilities and high-impact points of failure, and can be rendered unusable for lengthy periods of time by natural disasters or other catastrophes. This current grid will eventually need to be replaced by a more modern, scalable, and adaptive infrastructure. The results of the project's research showed that implementing a library to allow for the creation of mobile peer-to-peer mesh networks could serve as a starting point for a transition from current Internet infrastructure to a more scalable, adaptive, and reliable Internet-independent network grid. Development of The New Grid largely followed the Rational Unified Process, in which the development process is split into four phases: requirements gathering, system design, implementation, and testing. Most of fall quarter was spent outlining functional requirements for the system, designing possible methods of implementation, and researching similar solutions that seek to transition mass mobile communication to a newer, more modern network grid. The New Grid differs from similar solutions because it has been implemented as a modular library. Current systems that allow for off-grid mobile connection exist as independent applications with a defined context and predetermined usability scope. We, the design team, found that implementing the system in the form of a modular library has multiple benefits. Primarily, this implementation would allow The New Grid to be deployed as widely as possible. Developers can both write applications around our library as well as include specific modules into existing applications without impacting other modules or introducing additional overhead into a system. Another benefit of deploying the system as a modular library is adaptability. The current, initial stable build of The New Grid uses Bluetooth Low Energy as its backbone for facilitating communication within large networks of mobile devices; however, this library could use any existing or future communication protocol to facilitate connection as long as a hook is written to allow The New Grid to interface with that protocol. Thus, The New Grid is not limited by which connection protocols currently exist, a property that other similar systems do not possess. The New Grid can be used in any application that requires connection between users. The most common applications would likely be messaging, file sharing, or social networking. While developers may find a variety of uses for The New Grid, its primary purpose is to facilitate reliable connection and secure data transfer in an environment with a large user base. Achieving this goal was proven feasible through research and testing the library with a small cluster of Android devices communicating solely with Bluetooth Low Energy. Expanding this group of a few phones to a larger mesh network of hundreds of devices was shown to be feasible through testing the library's algorithms and protocols on a large network of virtual devices. As long as developers seek to create applications that allow users to communicate independent of Internet infrastructure, The New Grid will allow smartphone users to communicate off-grid and hopefully spur a switch from infrastructure-dependent mobile communication to user-centric, adaptive, and flexible connection.

    Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study

    Passwords are still a mainstay of various security systems, as well as the cause of many usability issues. For end-users, many of these issues have been studied extensively, highlighting problems and informing design decisions for better policies and motivating research into alternatives. However, end-users are not the only ones who have usability problems with passwords! Developers who are tasked with writing the code by which passwords are stored must do so securely. Yet history has shown that this complex task often fails due to human error with catastrophic results. While an end-user who selects a bad password can have dire consequences, the consequences of a developer who forgets to hash and salt a password database can lead to far larger problems. In this paper we present a first qualitative usability study with 20 computer science students to discover how developers deal with password storage and to inform research into aiding developers in the creation of secure password systems.

    Towards Tamper-Evident Storage on Patterned Media

    We propose a tamper-evident storage system based on probe storage with a patterned magnetic medium. This medium supports normal read/write operations by out-of-plane magnetisation of individual magnetic dots. We report on measurements showing that in principle the medium also supports a separate class of write-once operation that destroys the out-of-plane magnetisation property of the dots irreversibly by precise local heating. We discuss the main issues of designing a tamper-evident storage device and file system using the properties of the medium.

    Chinese Wall Security Policy

    This project establishes a Chinese wall security policy model in the environment of cloud computing. In 1988 Brewer and Nash proposed a very nice commercial security policy in the British financial world. Though the policy was well accepted, the model was incorrect. A decade later, Dr. Lin provided a model in 2003 that meets Brewer & Nash’s Policy. One of the important components in cloud computing is the data center. In order for any company to store data in the center, a trustable security policy model is a must; the Chinese wall security policy model will provide this assurance. The heart of the Chinese Wall Security Policy Model is the concept of Conflict of Interest (COI). The concept can be modeled by an anti-reflexive, symmetric and transitive binary relation. In this project, by extending Dr. Lin’s Model, we explore the security issues in the environment of cloud computing and develop a small system of the Chinese Wall Security Model.

    iPhone Security Analysis

    The release of Apple’s iPhone was one of the most intensively publicized product releases in the history of mobile devices. While the iPhone wowed users with its exciting design and features, it also outraged many for not allowing installation of third party applications and for working exclusively with AT&T wireless services for the first two years. Software attacks have been developed to get around both limitations. The development of those attacks and further evaluation revealed several vulnerabilities in iPhone security. In this paper, we examine several of the attacks developed for the iPhone as a way of investigating the iPhone’s security structure. We also analyze the security holes that have been discovered and make suggestions for improving iPhone security.

    Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection (Extended Version)

    We present a formal approach that exploits attacks related to SQL Injection (SQLi) searching for security flaws in a web application. We give a formal representation of web applications and databases, and show that our formalization effectively exploits SQLi attacks. We implemented our approach in a prototype tool called SQLfast and we show its efficiency on real-world case studies, including the discovery of an attack on Joomla! that no other tool can find.