
Users, Devices, and Security

Users, Devices, and Security. Nitesh Saxena, Security and Privacy In Emerging Systems (SPIES) Lab, University of Alabama at Birmingham, saxena@cis.uab.edu, http://spies.cis.uab.edu. Research Program Overview: Practical, Transformative and Interdisciplinary approaches to security.


Presentation Transcript


  1. Users, Devices, and Security Nitesh Saxena Security and Privacy In Emerging Systems (SPIES) Lab University of Alabama at Birmingham saxena@cis.uab.edu http://spies.cis.uab.edu

  2. Research Program Overview • Practical, Transformative and Interdisciplinary approaches to security • No short-term tinkering • Over $4M in total funding from NSF as well as industry including Google (2 faculty research awards), Nokia, Cisco, RIM, Intel, and others • But, clearly, we are not done – please fund us and/or work with us • Integration of research with education • leadership of educational programs • UAB CFSM; NYU-Poly CyberSec • Main focus • Device-Centered Security • User-Centered Security

  3. Device-Centered Security • Devices are ubiquitous • Attacks are becoming common • We need to protect our devices

  4. User-Centered Security • Security of devices often relies upon users’ actions or decisions • Users make mistakes • Mistakes translate into attacks • We need to improve usability of security

  5. Secure Device Association

  6. The Problem How to bootstrap secure communication between Alice’s and Bob’s devices when they have • no prior context • no common trusted CA or TTP

  7. Example Scenarios Common pairing examples: • Cell-phone ↔ headset (bluetooth) • Laptop ↔ access point (WiFi) • Cell-phone ↔ cell-phone (bluetooth)

  8. Solution Idea (OOB channel types shown: Audio, Visual, Tactile) A solution approach: • use an auxiliary or out-of-band (OOB) channel • with minimal involvement from Alice and Bob

  9. Research Challenges • OOB channels are low-bandwidth • Devices may be constrained in terms of interfaces • User is constrained – Usability • Multiple devices/users • Sensor network initialization • Group formation • Internet Setting – secure VoIP • (cartoon caption) Ohh! I cannot even pair my socks!

  10. RFID Security and Privacy

  11. The Privacy Problem: Good tags, Bad readers (illustration: a reader scans the tags a person is carrying: Wig model #4456 (cheap polyester); Viagra medical drug #459382; Das Kapital and Communist-party handbook; 500 Euros in wallet, serial numbers 597387, 389473…; 30 items of lingerie)

  12. The Cloning Problem: Good readers, Bad tags (same illustration, tags now cloned: Counterfeit!!)

  13. Relay Attack 1: Terrorist Fraud (diagram: query and response messages relayed through intermediaries)

  14. Relay Attack 2: Mafia Fraud Picture courtesy: http://www.cl.cam.ac.uk/~sjm217/papers/usenix07bounding.pdf

  15. NFC Malware Problem Youtube video: http://www.youtube.com/watch?feature=player_detailpage&v=eEcz0XszEic

  16. Research Challenges • Very limited resources • a $0.03 tag can’t do much computationally • only and-or-xor operations might be feasible • has only ~2,000 gates for security operations • few bits to few bytes of memory • No user interfaces • Atypical usage model • Our approach – Contextual Security • Using sensor data to make informed security decisions

  17. Tap-Wave-Rub: Smartphone Malware Defense • Distinguishes between malware and human initiated activity • OS looks for a human gesture, such as a simple wave in front of the phone, to authorize access • Gesture read through proximity sensor (or light sensor) • Specific use case: authorize outgoing calls • Premium rate malware • http://vimeo.com/60748327

  18. Strong Password Authentication • Passwords suck! (to say it nicely) • But, we are stuck with them • How to improve the usability and security of passwords? • Password managers • Mobile Managers • Fault-tolerant Remote Managers http://spies.cis.uab.edu/research/strong-user-authentication/ http://spies.cis.uab.edu/research/fault-tolerant-distributed-security-services/

  19. Intrusion-tolerant 2-Factor Authentication Stored state: [K, h = H(p, s)] on one side and [K, s] on the other. Protocol: 1. c = Enc_K(r) 2. c 3. z = s xor r 4. Input password, z 5. password, z 6. h == H(p, z xor r)? Properties: improved security against offline dictionary attacks; phishing-resistant.
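The slide gives the six message steps but not a running model of both sides. The following is an added example written for this page, not code from the SPIES lab or the slides. It assumes the reading that the server stores [K, h = H(p, s)] and the user's phone stores [K, s], uses SHA-256 for H and an HMAC-derived keystream as a stand-in for Enc_K (a real deployment would use a slow password hash and an authenticated cipher); all names and values are constructed for the example.

```python
# Added example of the slide-19 two-factor login: server holds [K, h],
# the user's phone holds [K, s]; the salt s never reaches the server
# database, so a stolen database alone gives no offline dictionary target.
# Role assignment and primitive choices are assumptions for this example.
import hashlib
import hmac
import secrets

IV_LEN = 16


def H(password: str, salt: bytes) -> bytes:
    """h = H(p, s). SHA-256 stands in for a slow password hash (assumption)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enc(K: bytes, r: bytes) -> bytes:
    """Stand-in for Enc_K(r): fresh IV plus HMAC-SHA256 keystream (assumption)."""
    iv = secrets.token_bytes(IV_LEN)
    keystream = hmac.new(K, iv, hashlib.sha256).digest()[: len(r)]
    return iv + xor_bytes(r, keystream)


def dec(K: bytes, c: bytes) -> bytes:
    iv, body = c[:IV_LEN], c[IV_LEN:]
    keystream = hmac.new(K, iv, hashlib.sha256).digest()[: len(body)]
    return xor_bytes(body, keystream)


class Device:
    """User's phone: stores [K, s] and never sees the password."""

    def __init__(self, K: bytes, s: bytes):
        self.K, self.s = K, s

    def respond(self, c: bytes) -> bytes:
        r = dec(self.K, c)          # recover the server's nonce r
        return xor_bytes(self.s, r)  # step 3: z = s xor r


class Server:
    """Stores [K, h = H(p, s)] only; remembers r for the open challenge."""

    def __init__(self, K: bytes, h: bytes):
        self.K, self.h = K, h
        self._r = None

    def challenge(self) -> bytes:
        self._r = secrets.token_bytes(32)  # fresh r per login
        return enc(self.K, self._r)        # step 1: c = Enc_K(r)

    def verify(self, password: str, z: bytes) -> bool:
        r, self._r = self._r, None         # one-shot: r is consumed
        if r is None:
            return False
        s = xor_bytes(z, r)                # step 6: recover s = z xor r
        return hmac.compare_digest(self.h, H(password, s))


def enroll(password: str):
    """Constructed enrollment: random K shared by both sides, random salt s on the phone."""
    K = secrets.token_bytes(32)
    s = secrets.token_bytes(32)
    return Server(K, H(password, s)), Device(K, s)


def login(server: Server, device: Device, typed_password: str) -> bool:
    c = server.challenge()      # step 2: c is sent to the phone
    z = device.respond(c)       # step 3: phone computes z
    # steps 4-5: the user types the password and z into the client,
    # which forwards both to the server
    return server.verify(typed_password, z)
```

Because r is fresh for every challenge, a captured (password, z) pair cannot be replayed in a later session, and the server's database holds h but not s, which is the property the slide calls out against offline dictionary attacks.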

  20. Playful Security: Security can be fun! • Make security tasks fun and enjoyable for the users; entice them • Use extrinsic motivation • Hoping that users will better comply with them • Tom Sawyer Effect • Can be applied to many different problems • Device association • User authentication • CAPTCHAs • http://vimeo.com/63842010 • http://students.cis.uab.edu/manar/newgames/ShapeGameOct28EC.html • http://spies.cis.uab.edu/research/playful-security

  21. Neuro Security • Neural signatures of user-centered security interactions via fMRI • Phishing attacks • Security warnings • http://vimeo.com/63838658 • Brain hacking via commercial BCI devices • Neural keylogger / screen scraper http://spies.cis.uab.edu/research/strong-user-authentication/ http://spies.cis.uab.edu/research/fault-tolerant-distributed-security-services/

  22. Mobile PoS Security • Small businesses’ new love • Can smartphone malware compromise credit card info as the card is swiped? • What are the users’ risk, security and privacy perceptions of this technology compared to traditional PoS?

  23. Acknowledgments • Students – the SPIES • Current grads: Manar Mohamed, Ajaya Neupane, Babins Shrestha, Maliheh Shirvanian, Song Gao, Dibya Mukhopadhyay, Lutfor Rahman, Abhishek Anand • Past: Tzipora Halevi, Jonathan Voris, Niharika Sachdeva, Sai Teja Peddinti, Justin Lin, Borhan Uddin, Ambarish Karole, Arun Kumar, Ramnath Prasad, Alexander Gallego • UAB Collaborators: Drs. Bangalore, Fidopiastis, Hasan, Kana, Schwebel, Sloan, Zhang • Other Collaborators • More info: http://spies.cis.uab.edu • Thanks!

  24. Thanks! saxena@cis.uab.edu http://spies.cis.uab.edu
