Conference Reports
Editor:Carl E. Landwehr, clandweh@isr.umd.edu
SOUPS 2006

Janice Y. Tsai and Serge Egelman, Carnegie Mellon University

The second annual Symposium on Usable Privacy and Security (SOUPS 2006) was held at Carnegie Mellon University (CMU) 12–14 July 2006. Lorrie Cranor, an associate research professor with CMU's Institute for Software Research International, chaired the conference, which was organized by the CMU Usable Privacy and Security (CUPS) Lab with sponsorship from Carnegie Mellon CyLab. Clare-Marie Karat from IBM T.J. Watson Research and Diana Smetters of the Palo Alto Research Center (PARC) served as chairs for the technical paper sessions. The conference's first day opened with a security-related user studies workshop and poster session. The user-study construction kits discussed in the workshop provided useful examples for researchers developing security-related user studies.
Opening session 
Cranor and Richard Pethia, codirector of CyLab, welcomed the conference participants. Cranor started her remarks with an anecdote about Nigerian scammers who had tried to register for the conference with stolen credit-card information, illustrating the prevalence of such scams, which are now even targeting security and privacy researchers. Austin Hill, one of the cofounders of RadialPoint (formerly Zero-Knowledge), delivered a keynote address that shared his experiences in trying to make security and privacy usable for everyday users. Hill found that users hadn't yet reached a "crisis point" that would push them to protect their security and privacy. He explained that it's increasingly difficult to secure a computer and recommended building security and privacy services into the main access channel, as ISPs are starting to do.
Technical paper sessions

Attendees presented 14 papers in four sessions covering access control, password management, phishing, and risk transparency.
Access control

Alex DeWitt from Brunel University, London, started the first paper session with his talk on a usability study of Polaris, software for limiting the privileges available to computer viruses. The study's results showed that Polaris wasn't easily usable and didn't provide system protection. The study's authors concluded that to encourage users to adopt and use security software such as Polaris, it should provide high integration, low time investment, few decision points, obvious perceived benefits, strong visual indicators, and no error messages.

John Karat of IBM T.J. Watson Research Center spoke about a policy management workbench called Server Privacy Architecture and Capability Enablement (Sparcle), which is designed to let nontechnical policymakers write rules in a familiar natural language format. Specifically, the IBM team examined the accuracy rates Sparcle's natural language parser achieved in detecting structural elements in rules written in natural language. Sparcle yielded accuracy rates between 82 and 100 percent, with an average parsing precision of 94 percent.

Lee Iverson from the University of British Columbia spoke about his work on intentional access management. He argued that most access-control interfaces are written at too low a level for most users involved in collaborative information-sharing tasks. Thus, Iverson and his team built and tested a framework and system in which users state their resource-sharing intentions at a high level, and the system implements those intentions in whatever lower-level access-control mechanism underlies it.
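The kind of measurement the IBM team reports for Sparcle (how often a parser recovers the structural elements of a natural-language rule) is easy to reproduce in miniature. The following is an added example, not IBM's Sparcle code: it assumes a rule template of the form "user category can action(s) data category [for the purpose of purpose] [if condition]", an assumed small verb lexicon for the action slot, and a constructed, hand-labelled set of rules on which it computes per-element accuracy and overall parsing precision. The template, lexicon and rules are illustrative assumptions, not details from the paper.

```python
import re
from typing import Dict, List, Optional

ELEMENTS = ("user", "action", "data", "purpose", "condition")

# Assumed action vocabulary (the page does not describe Sparcle's real lexicon).
# Restricting the verb slot is what keeps "read and update patient records"
# from being split in the wrong place between action and data category.
ACTIONS = r"(?:read|write|update|delete|collect|disclose|access|use|share|view)"
ACTION_LIST = rf"{ACTIONS}(?:(?:,\s*|\s+and\s+|\s+or\s+){ACTIONS})*"

# Assumed rule template:
#   <user category> can <action(s)> <data category>
#       [for the purpose(s) of <purpose>] [if <condition>]
RULE_RE = re.compile(
    r"^(?P<user>.+?)\s+(?:can|may|is allowed to)\s+"
    rf"(?P<action>{ACTION_LIST})\s+"
    r"(?P<data>.+?)"
    r"(?:\s+for the purposes? of\s+(?P<purpose>.+?))?"
    r"(?:\s+(?:if|when|provided that)\s+(?P<condition>.+?))?"
    r"\.?$"
)


def normalise(sentence: str) -> str:
    """Collapse whitespace and lower-case so extracted elements compare exactly with labels."""
    return re.sub(r"\s+", " ", sentence.strip()).lower()


def parse_rule(sentence: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the structural elements of one rule, or None if it does not fit the template."""
    m = RULE_RE.match(normalise(sentence))
    if m is None:
        return None
    return {k: m.group(k) for k in ELEMENTS}


# Constructed, hand-labelled test rules (not from the IBM study).  The last one
# uses a verb outside the lexicon and is expected to fail to parse.
LABELLED: List[Dict[str, Optional[str]]] = [
    {"text": "Doctors can read patient records for the purpose of treatment.",
     "user": "doctors", "action": "read", "data": "patient records",
     "purpose": "treatment", "condition": None},
    {"text": "Nurses may view lab results if the patient has consented.",
     "user": "nurses", "action": "view", "data": "lab results",
     "purpose": None, "condition": "the patient has consented"},
    {"text": "Billing staff can read and update insurance details "
             "for the purposes of claims processing.",
     "user": "billing staff", "action": "read and update",
     "data": "insurance details", "purpose": "claims processing", "condition": None},
    {"text": "Researchers can use de-identified records for the purpose of "
             "research when the IRB has approved the study.",
     "user": "researchers", "action": "use", "data": "de-identified records",
     "purpose": "research", "condition": "the irb has approved the study"},
    {"text": "Doctors can examine patient records for the purpose of treatment.",
     "user": "doctors", "action": "examine", "data": "patient records",
     "purpose": "treatment", "condition": None},
]


def parser_scores(rules):
    """Per-element accuracy over all rules (an unparsed rule counts as wrong for
    every element) and parsing precision: correct elements / elements extracted
    from the rules that did parse."""
    hits = dict.fromkeys(ELEMENTS, 0)
    extracted = correct = 0
    for rule in rules:
        parsed = parse_rule(rule["text"])
        if parsed is None:
            continue
        for k in ELEMENTS:
            extracted += 1
            if parsed[k] == rule[k]:
                hits[k] += 1
                correct += 1
    accuracy = {k: hits[k] / len(rules) for k in ELEMENTS}
    precision = correct / extracted if extracted else 0.0
    return accuracy, precision


if __name__ == "__main__":
    acc, prec = parser_scores(LABELLED)
    print(acc, prec)
```

The gap between the two numbers is the point: a rule the parser rejects outright costs accuracy but not precision, while a rule it parses wrongly costs both, which is why a workbench that shows the extracted elements back to the policy author catches the second kind of error.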
Password management 
Ka-Ping Yee from the University of California, Berkeley, kicked off the password session by introducing Passpet, his password-management tool that provides users with an animal image in the Firefox toolbar and a mechanism for creating personal labels for each Web site that they visit. Clicking on the animal prompts the user for a master password, which generates a site-specific password based on the user's label for that page. To log in to a Web site, users must always click on their animal image. Thus users rely on something they've made (the label) for online security, as opposed to something that the attacker might control (Web site layout, for example).

Shirley Gaw from Princeton University presented her results from a user study that examined the strength, use, and user perceptions regarding passwords. She found that most users had an average of three passwords that they continuously reused. Most users perceived their friends to be the attackers most able to compromise their accounts. Gaw's study found that users aren't worried about dictionary attacks; rather, they're primarily concerned about other people closer to them, such as friends or family, guessing their passwords.

Furkan Tari of the University of Maryland, Baltimore County, presented a study of shoulder-surfing's effect on Passfaces, a system that uses faces as passwords. The study confirmed that Passfaces is vulnerable to shoulder-surfing (looking over users' shoulders as they enter their passwords) because the images are easy to observe when the user selects them with a mouse. Additionally, Tari's study found that non-dictionary passwords are easier to observe than dictionary ones, perhaps because users enter non-dictionary passwords more slowly than dictionary ones.

CMU's Cynthia Kuo wrapped up the session with the results from a password study that involved building a dictionary of common phrases to run an attack against mnemonic passwords. In her study, a dictionary attack cracked 11 percent of control passwords and 4 percent of mnemonic passwords. Kuo posited that mnemonic passwords might become more vulnerable in the future as better phrase dictionaries are developed and suggested that instructions on generating mnemonic passwords should warn users not to use well-known phrases.
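The Passpet mechanism described above (master password plus a user-chosen label per site yields a site-specific password) can be shown in a few dozen lines. This is an added example and not Ka-Ping Yee's Passpet code: the page does not give the derivation Passpet used, so the PBKDF2-then-HMAC construction, the per-origin label store, the local random salt, and the rule that a label may belong to only one origin are all assumptions made here. The key property it demonstrates is that a look-alike page at a different origin has no label, and so cannot obtain the real site's password.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, Optional

ALPHABET = string.ascii_letters + string.digits


def derive_site_password(master: str, label: str, salt: bytes,
                         length: int = 16, iterations: int = 100_000) -> str:
    """Derive one site password from the master password and the user's label.

    The master password is stretched once with PBKDF2 (slow on purpose, so a
    leaked site password is hard to turn back into the master); the label then
    selects a per-site HMAC output.  Labels are normalised so "My Bank" and
    "my bank" produce the same password.  (Assumed construction, not Passpet's.)
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)
    digest = hmac.new(key, label.strip().lower().encode(), hashlib.sha256).digest()
    # Convert the 256-bit digest to base 62 so each character is drawn without modulo bias.
    n = int.from_bytes(digest, "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


class PasspetLikeWallet:
    """Toolbar-side state: a random salt and the user's labels, keyed by site origin."""

    def __init__(self, salt: Optional[bytes] = None) -> None:
        self.salt = salt if salt is not None else os.urandom(16)
        self.labels: Dict[str, str] = {}

    def label_site(self, origin: str, label: str) -> bool:
        """Record the label the user chose for an origin.

        Returns False (and records nothing) if that label already names a
        different origin: an assumed uniqueness rule, so that a phishing page
        cannot be given the real site's label and hence its password.
        """
        label = label.strip().lower()
        owner = next((o for o, l in self.labels.items() if l == label), None)
        if owner is not None and owner != origin:
            return False
        self.labels[origin] = label
        return True

    def password_for(self, origin: str, master: str) -> Optional[str]:
        """Return the site password, or None when this origin was never labelled.

        The missing label (no animal to click) is the user's cue that the page
        is not the site they think it is.
        """
        label = self.labels.get(origin)
        if label is None:
            return None
        return derive_site_password(master, label, self.salt)


if __name__ == "__main__":
    wallet = PasspetLikeWallet(salt=b"\x00" * 16)  # fixed salt only so the demo repeats
    wallet.label_site("https://bank.example", "my bank")
    print(wallet.password_for("https://bank.example", "correct horse battery staple"))
    print(wallet.password_for("https://bank.example.evil-login.test", "correct horse battery staple"))
    print(wallet.label_site("https://bank.example.evil-login.test", "my bank"))  # False
```

Note that the salt must be backed up with the labels: losing either changes every derived password, which is the usability cost of never storing the site passwords themselves.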
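Kuo's attack on mnemonic passwords, as an added example rather than the study's own tooling: build a phrase dictionary, expand each phrase into the passwords a user would plausibly derive from it (first letters, with the usual digit and symbol substitutions, capitalisation and a trailing "!"), and test each candidate against a set of unsalted password hashes. The phrase list, substitution table and victim passwords are constructed here; the real study's dictionary and password sets are not reproduced on the page.

```python
import hashlib
import itertools
from typing import Iterable, Iterator, List, Set

# Constructed stand-in for a phrase dictionary: well-known quotations, song
# titles, proverbs.  Kuo's real dictionary was much larger.
PHRASES: List[str] = [
    "to be or not to be that is the question",
    "I love you",
    "for whom the bell tolls",
    "my dog has fleas",
]

# Words that users commonly replace with a digit or symbol when building a mnemonic.
WORD_FORMS = {
    "to": ["t", "2"], "too": ["t", "2"], "two": ["t", "2"],
    "for": ["f", "4"], "four": ["f", "4"], "and": ["a", "&"],
    "you": ["y", "u"], "are": ["r", "a"], "one": ["o", "1"], "ate": ["a", "8"],
}


def mnemonic_candidates(phrase: str) -> Iterator[str]:
    """Yield the passwords a user might build from a phrase: first letters,
    with the usual digit/symbol substitutions, capitalised or not, with or
    without a trailing '!'."""
    per_word = [WORD_FORMS.get(w.lower(), [w[0].lower()]) for w in phrase.split()]
    seen: Set[str] = set()
    for combo in itertools.product(*per_word):
        base = "".join(combo)
        for cand in (base, base.capitalize(), base + "!", base.capitalize() + "!"):
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for a leaked password file."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hashes: Set[str], phrases: Iterable[str]) -> Set[str]:
    """Recover every password whose hash is in target_hashes."""
    found: Set[str] = set()
    for phrase in phrases:
        for cand in mnemonic_candidates(phrase):
            if sha256_hex(cand) in target_hashes:
                found.add(cand)
    return found


# Constructed "victim" passwords.  The first three come from phrases in the
# dictionary; the last comes from a private phrase and should survive.
MNEMONIC_PASSWORDS = ["2bon2btitq", "Ily!", "fwtbt", "Ggtb4md"]


def crack_rate(passwords: List[str], phrases: Iterable[str]) -> float:
    """Fraction of the given passwords recovered by the phrase-dictionary attack."""
    hashes = {sha256_hex(p) for p in passwords}
    return len(crack(hashes, phrases)) / len(passwords)


if __name__ == "__main__":
    print(crack({sha256_hex(p) for p in MNEMONIC_PASSWORDS}, PHRASES))
    print(crack_rate(MNEMONIC_PASSWORDS, PHRASES))  # 0.75
```

The crack rate rises with every phrase added to the dictionary, which is Kuo's warning in concrete form: a mnemonic password is only as unpredictable as its source phrase.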
Phishing 
CMU's Julie Downs examined users' perceptions of phishing and whether they could distinguish between phishing messages and legitimate email. Overall, Downs found that participants based their trust decisions on familiarity with the company and how personal the email appeared to be. At the same time, participants had little grasp of how to prevent being phished.

Anthony Y. Fu from the City University of Hong Kong illustrated some interesting Unicode attacks. More than 200 different characters look identical to the ASCII "c," letting phishers register domain names that look exactly like the brands they're phishing. Fu presented two schemes to help combat this problem: the first examines visual similarities between various characters, and the second examines characters for semantic similarities.

MIT's Min Wu presented Web Wallet, a toolbar program that resides within a Web browser and stores users' personal information. When users' information is about to be sent to a Web site, the toolbar determines whether the Web site is legitimate. Wu found that Web Wallet was very effective in blocking phishing attacks but wasn't as successful when an attacker created a similar-looking toolbar within a Web page.
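Fu's visual-similarity defence can be demonstrated with a confusable-skeleton check of the kind Unicode Technical Report #39 later standardised: fold each character to the ASCII letter it resembles and compare the result with a list of protected brand names, with a mixed-script test as a second heuristic. This is an added example, not Fu's system: the confusables table is a small constructed excerpt (the real tables are far larger, as the "200 look-alikes for c" figure suggests), the brand list and candidate domains are invented, and the mixed-script heuristic is a common addition rather than one of the two schemes the page describes.

```python
import unicodedata
from typing import Iterable, Set

# Constructed excerpt of a confusables table, keyed by the non-ASCII character
# and giving the ASCII letter it renders like.  Unicode TR #39 publishes the
# full table; this is only enough to run the example.
CONFUSABLES = {
    "\u0441": "c", "\u03f2": "c", "\u1d04": "c",   # Cyrillic es, Greek lunate sigma, small capital C
    "\u043e": "o", "\u03bf": "o",                   # Cyrillic o, Greek omicron
    "\u0430": "a", "\u0435": "e", "\u0440": "p", "\u0445": "x",
    "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def skeleton(label: str) -> str:
    """Visual-similarity fold: NFKC handles full-width and compatibility forms
    (U+FF43 or the Roman numeral U+217D both become 'c'); the table then maps
    cross-script look-alikes to the ASCII letter they resemble."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def scripts(label: str) -> Set[str]:
    """Scripts used by the letters of a label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def to_unicode(domain: str) -> str:
    """Accept either the display form or the punycode (xn--) form of a domain."""
    return domain.encode("ascii").decode("idna") if domain.isascii() else domain


def check_domain(domain: str, brands: Iterable[str]) -> str:
    """Flag a domain that folds to a protected brand, or that mixes scripts inside one label."""
    d = to_unicode(domain).lower()
    for brand in brands:
        if d != brand and skeleton(d) == skeleton(brand):
            return f"lookalike of {brand}"
    for label in d.split("."):
        if len(scripts(label)) > 1:
            return "mixed-script label"
    return "ok"


BRANDS = ["citibank.com", "paypal.com"]  # constructed protected-brand list

if __name__ == "__main__":
    for candidate in ["citibank.com", "\u0441itibank.com",
                      "\u0441itibank.com".encode("idna").decode("ascii"),
                      "p\u0430ypal.com", "\u0430mazon.com"]:
        print(candidate, "->", check_domain(candidate, BRANDS))
```

The skeleton comparison catches only brands you enumerate, and the mixed-script rule misses whole-script homographs (a label written entirely in Cyrillic look-alikes), which is why browsers combine both with per-script allowlists rather than relying on either alone.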
Risk transparency 
Paul A. Karger presented IBM's Caernarvon protocol, a privacy-preserving way to identify federal employees. Current identification protocols leak information pertaining to the ID holder's agency code. Karger recommended that a new version of the ID standard mandate a formally proven, privacy-preserving protocol for cards issued by all agencies.

Richard Newman from the University of Florida focused on protecting domestic powerline communications with the HomePlug AV standard, which would protect against leaked communications and support multiple virtual networks and devices.

CMU's Serge Egelman presented a study on Privacy Finder, a search engine in which results are enhanced with privacy information from Web sites' Platform for Privacy Preferences (P3P) policies. This study investigated whether additional privacy information affected users' purchasing behaviors. Participants in the study were asked to shop online for a non-privacy-sensitive item (surge protectors) and a privacy-sensitive one (condoms). With privacy-enhanced searches, users were more likely to select sites with better privacy policies, especially for the condom purchases.

Jennifer Rode and Paul DiGioia of the University of California, Irvine, presented a paper on Impromptu, a file-sharing system in which users move colored dots representing their files in a shared workspace shown as a pie-shaped area. Their user tests confirmed that integration of configuration and action was successful. Emergence of group norms about sharing suggested that the concreteness and mutual-visibility principles were also successful.
Panel 
This year's conference featured a panel entitled "Phishing: How Will the
As more user-friendly privacy and security tools are developed, the human–computer interface security community must also develop approaches to encourage users to protect themselves.

IEEE Security & Privacy, November/December 2006. Published by the IEEE Computer Society. 1540-7993/06/$20.00 © 2006 IEEE.
