You are the weakest link
CHALLENGES IN BUILDING SECURE USER EXPERIENCES
You didn’t get picked on so much before…
Most malware from the early decades of computing targeted the system
Code Red exploited a buffer overflow in IIS
Nimda exploited the same vulnerabilities as Code Red, plus a vulnerability in MIME
SQL Slammer targeted SQL servers or clients with MSDE component installed
Blaster exploited a buffer overflow in the Windows Distributed COM service
Of the worst malware, only the I LOVE YOU virus targeted the user…
…and Kevin Mitnick
…but now picking on you is all the rage.
You have serious vulnerabilities in how you act…
You tend to trust others easily, based mostly on surface appearance and behavior.
Famous social engineer Kevin Mitnick, and many others, obtained access to systems and information by thinly disguised pretenses that preyed on people’s natural instincts.
You like to reciprocate, but it makes you vulnerable to returning favors disproportionately.
You don’t always understand the value of the information or power you hold, so can be tricked into misusing it or giving it away.
You tend to follow authority… but may not always verify someone who claims to be an authority.
…but it’s not really your fault.
These “vulnerabilities” in each of us are what make our complex societies possible.
Designers need to account for these “vulnerabilities” in the systems they build.
You need the right information to make safety decisions, without having too much hidden from you.
The systems need to be easy for you to use, not the designers.
You need to know what you can trust, and what you cannot.
The system needs to make the safest decisions when you can’t.
Some examples of poor, insecure UX
Most email systems know a lot more about an email than they show to the user, some of which may be needed for the user to make a trust decision.
Password systems were originally built more for ease of development than for a secure, usable authentication UX.
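To make the email point concrete, here is an added example (not part of the original slides) that pulls the trust-relevant facts a mail client typically hides out of a constructed message: the real sender address behind the display name, a Reply-To that points elsewhere, and the receiving server’s SPF/DKIM results. The message, domains and header values are all made up for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the original slides): the visible
# "From" name looks like a bank, but the address, Reply-To and the
# receiving server's Authentication-Results tell a different story.
RAW_MESSAGE = """\
From: "Example Bank Security" <alerts@examp1e-bank.test>
Reply-To: recovery@mailbox-free.test
To: customer@example.test
Subject: Verify your account
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=examp1e-bank.test; dkim=none
Received: from unknown (HELO mail.examp1e-bank.test) (203.0.113.7)

Please confirm your details.
"""


def trust_signals(raw):
    """Return trust-relevant facts a mail client usually hides from the user."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # If there is no Reply-To, replies go back to the From domain.
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain
    auth = str(msg.get("Authentication-Results", "")).lower()
    signals = {
        "from_display": from_name,
        "from_address": from_addr,
        "reply_to_differs": reply_domain != from_domain,
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
    }
    # Collapse the raw facts into short warnings a UX could show next to the sender.
    signals["warnings"] = [
        text for text, hit in (
            ("replies go to another domain", signals["reply_to_differs"]),
            ("sender domain failed SPF", not signals["spf_pass"]),
            ("message not DKIM-signed", not signals["dkim_pass"]),
        ) if hit
    ]
    return signals


if __name__ == "__main__":
    for key, value in trust_signals(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```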
Designers are focusing more on security…
Major companies like Google, Microsoft and banks with online services are tightening security in their systems.
These improved security measures include:
Two-factor authentication, often using one’s phone
Token-based authentication, using a USB or other key
Biometric authentication
Additional keys presented to the user, such as Bank of America’s SiteKey
Better spam and malware detection and filtering
Deploying applications through application Stores such as GooglePlay
…but introducing user experience changes is difficult…
Most web sites still don’t use SSL, even when downloading files.
Because of this, browsers can’t automatically block downloads from insecure sites, since they may be perfectly legitimate. This leaves the decision up to the user, who doesn’t have enough information to make the best decision.
Files and emails are often unsigned, reducing accountability and trust.
As a result, no UX mechanisms can be put in place to help the user make good trust decisions.
Most sites and apps still use password-based mechanisms.
These are easier and cheaper to implement, and don’t require additional hardware to be sent to the user, nor additional training on all ends.
…and several experiments in secure user experience have fallen short.
Browsers are adding indicators of trust, such as the “green” address bar to indicate a more thoroughly vetted business. However, research shows people tend to ignore these.
The industry made a big investment in secure email (S/MIME), but users were found to read and trust unsigned email as much as signed email.
I wish I could say things will get better…
…but there is no “magic bullet” for these issues.
With cybercrime becoming more profitable, attackers will only become more sophisticated…
…and as systems developers strengthen their systems, users will increasingly be targeted.
The pace of technological innovation is not slowing, and with it comes new types of user interactions that won’t be made fully secure by default.
RSA – 2014 State of Cybercrime
Good Bye!
References
FBI. (2014, June 2). GameOver Zeus Botnet Disrupted. Retrieved from FBI: http://www.fbi.gov/news/stories/2014/june/gameover-zeus-botnet-disrupted
Google. (2014, Nov 10). Google Security. Retrieved from Google: https://www.google.com/intl/en/about/company/security.html#section-philosophy
Hadnagy, C. (2011). Social Engineering: The Art of Human Hacking. Indianapolis, IN: Wiley.
Perlroth, N. (2014, Apr 7). Hackers Lurking in Vents and Soda Machines. Retrieved from New York Times: http://www.nytimes.com/2014/04/08/technology/the-spy-in-the-soda-machine.html?_r=0
RSA. (2014, Nov 11). The Current State of Cybercrime 2014. Retrieved from EMC: http://www.emc.com/collateral/white-paper/rsa-cyber-crime-report-0414.pdf
RSA Security. (n.d.). A Decade of Fraud and Cybercrime. Retrieved Sept 18, 2014, from YouTube: https://www.youtube.com/watch?v=P_MIP9_fwTI&feature=youtu.be
Schechter, S. E., Dhamija, R., Ozment, A., & Fischer, I. (2014, Nov 10). The Emperor's New Security Indicators. Retrieved from Commerce.net: http://commerce.net/wp-content/uploads/2012/04/The%20Emperors_New_Security_Indicators.pdf
The Hacker News. (2014, July 12). After Takedown, GameOver Zeus Banking Trojan Returns Again. Retrieved from The Hacker News: http://thehackernews.com/2014/07/after-takedown-gameover-zeus-banking_12.html
Verizon. (2014, October 12). 2014 Verizon Data Breach Investigations Report. Retrieved from Verizon Enterprise Solutions: http://www.verizonenterprise.com/DBIR/2014/