why we must ask why

Messaging Anti-Abuse Working Group

MAAWG | maawg.org | San Francisco, CA 2011

WHY WE MUST ASK WHYMarkus Jakobsson, Principal Scientist, PayPalKeynote, June 7, 2011MAAWG 22nd General Meeting, San Francisco, CA

Why Did the Internet Turn out as it Did?

We first designed it to provide features, then

for usability. We never designed it with abuse

in mind. We did not try to predict the future.

And now we are in a pickle.

Predicting An Unsupervised Future

“Predicting the future is much too easy, anyway.

You look at the people around you, the street you

stand on, the visible air you breathe, and predict

more of the same. To hell with more. I want better.”

Ray Bradbury

To Hell With More. I want better.

Who?

Where? What?

Weak Authentication

Weak Authentication

MalwareMalwareSpoofingSpoofing

Why?

Before we can address any problem, we need to know why it occurs.Talk focus: mobile Internet. Will be huge – and we can ask “why” before it is too late.

Web/App Spoofing: Why Works?Where?

An attacker is successful if

1.The victim is tricked, and as a result2.The victim acts, benefitting the attacker



Jakobsson/Leddy: www.spoofkiller.com






Traditional countermeasures address this part (locks, colors, warnings – a user communication problem)







Can we address this instead?


Imagine a World Where…Where?

GOOD SITE

+

NAÏVE USER

=

SUCCESS


SPOOF SITE

+

NAÏVE USER(SAME ACTION)

=

ABORT

Here is How to Do It!Where?


Got cert?Got cert?

LOG IN NOW

ABORT

Y

N

We are all Pavlov’s dogs!Where?


Demo time!Where?


Demo produced by Hossein Siadaty

Take-Home MessageWhere?


It is more important to understand people than to understand computers.

It is more important to understand people than to understand computers.

Now: Authentication

Jakobsson/Akavipat: www.fastword.me

Who?

People hate passwords – especially on handsets

• Slow to enter … … and then you realize you mistyped something!

• At the same time, recall rates are low for passwords … and reset is difficult / insecure / expensive

• PINs are faster … … but not very secure … and reuse is rampant

Understanding usability issues


Who?

Q. Why are passwords more painful than text? A. Text uses auto-correction/completion! Q. Why are passwords more painful than text? A. Text uses auto-correction/completion!

Understanding recall issues


Who?

Q. Why are (good) passwords hard to recall? A. Good passwords are weird! Q. Why are (good) passwords hard to recall? A. Good passwords are weird!

(Ebbinghausen, 1885)

A stab at a solution


Who?

Not so secure, you say?Approx. 64k words only.

Auto correct works

frogfroffrofrffrof

A stab at a solution


Who?

Auto correct works

frog flat work

A Look at Speed


Who?

A Look at Security


Who?

Average passwordAverage

password

Average fastwordAverage fastword

Forgot your fastword? Hint: “frog”


Who?

EFFECTIVE RECALL: 0.36+(1-0.36)*0.48=0.67 …. 67%

Forgot your fastword? Hint: “frog”


Who?

Average fastwordAverage fastword

Average passwordAverage password

Big-Picture InsightWho?

We can improve as basic things as passwords – if we ask “why”.

We can improve as basic things as passwords – if we ask “why”.


Dealing with MalwareWhat?

Jakobsson/Johansson: www.fatskunk.com

Problem: PowerProblem: Power


Three truths:

1.Nasty malware is active2.Active routines are in RAM

3.Algorithms: time-space trade-off

Three truths:

1.Nasty malware is active2.Active routines are in RAM

3.Algorithms: time-space trade-off




cache

RAM

1. Swap out all programs (malware may refuse)

monolithkernel



monolithkernel


2. Overwrite all “free” RAM pseudo-random content(malware refuses again)cache

RAM




2. Overwrite all “free” RAMpseudo-random content(malware refuses again)

monolithkernel

cache

RAM





3. Compute keyed digest of all RAM (access order unknown a priori)

monolithkernel

cache

RAM






monolithkernel

cache

RAMExternal verifier provides thisExternal verifier provides this






monolithkernel

cache

RAM

External verifier will time this(and check result of computation)

External verifier will time this(and check result of computation)



Malware has options:

1.Swap out and become inactive2.Stay, cause delay, be detected3.Refuse connection, be detected

4.Die and remain unnoticed

Malware has options:

1.Swap out and become inactive2.Stay, cause delay, be detected3.Refuse connection, be detected

4.Die and remain unnoticed

After test passedWhat?


Scan flash for inactive malware, make secure backup to cloud, DRM, password manager, virtualized phone

setup, banking app, vote casting, unlock data/apps, …

Scan flash for inactive malware, make secure backup to cloud, DRM, password manager, virtualized phone

setup, banking app, vote casting, unlock data/apps, …

More detail: unlocking data/appsWhat?


Application

Encrypted storage of data and routines

Encrypted storage of data and routines

FLASH RAMApplication

Decrypted storage of data and routines

Decrypted storage of data and routines

GET KEY FROM VERIFIER.

LOADLOAD

THE FUTURE MATTERS TODAYWhy?


Anticipating problems gives us time to innovate.

Anticipating problems gives us time to innovate.

Why does user education fail?A final why

Contact me to talk spoofing, authentication, malware, mobile, education … and “why”!

why we must ask why

Documents