2012 | Book

Financial Cryptography and Data Security

FC 2012 Workshops, USEC and WECSR 2012, Kralendijk, Bonaire, March 2, 2012, Revised Selected Papers

Edited by: Jim Blyth, Sven Dietrich, L. Jean Camp

Publisher: Springer Berlin Heidelberg

Book series: Lecture Notes in Computer Science

About this book

This book constitutes the thoroughly refereed post-conference proceedings of the workshop on Usable Security, USEC 2012, and the third Workshop on Ethics in Computer Security Research, WECSR 2012, held in conjunction with the 16th International Conference on Financial Cryptography and Data Security, FC 2012, in Kralendijk, Bonaire. The 13 revised full papers presented were carefully selected from numerous submissions and cover all aspects of data security. The goal of the USEC workshop was to engage on all aspects of human factors and usability in the context of security. The goal of the WECSR workshop was to continue searching for a new path in computer security that is Institutional review boards at academic institutions, as well as compatible with ethical guidelines for societies at government institutions.

Table of Contents

Frontmatter

The Workshop on Usable Security (USEC 12)

Linguistic Properties of Multi-word Passphrases
Abstract
We examine patterns of human choice in a passphrase-based authentication system deployed by Amazon, a large online merchant. We tested the availability of a large corpus of over 100,000 possible phrases at Amazon’s registration page, which prohibits using any phrase already registered by another user. A number of large, readily-available lists such as movie and book titles prove effective in guessing attacks, suggesting that passphrases are vulnerable to dictionary attacks like all schemes involving human choice. Extending our analysis with natural language phrases extracted from linguistic corpora, we find that phrase selection is far from random, with users strongly preferring simple noun bigrams which are common in natural language. The distribution of chosen passphrases is less skewed than the distribution of bigrams in English text, indicating that some users have attempted to choose phrases randomly. Still, the distribution of bigrams in natural language is not nearly random enough to resist offline guessing, nor are longer three- or four-word phrases for which we see rapidly diminishing returns.
Joseph Bonneau, Ekaterina Shutova
Understanding the Weaknesses of Human-Protocol Interaction
Abstract
A significant number of attacks on systems are against the non-cryptographic components such as the human interaction with the system. In this paper, we propose a taxonomy of human-protocol interaction weaknesses. This set of weaknesses presents a harmonization of many findings from different research areas. In doing so we collate the most common human-interaction problems that can potentially result in successful attacks against protocol implementations. We then map these weaknesses onto a set of design recommendations aimed to minimize those weaknesses.
Marcelo Carlos, Geraint Price
High Stakes: Designing a Privacy Preserving Registry
Abstract
This paper details our experience designing a privacy preserving medical marijuana registry. In this paper, we make four key contributions. First, through direct and indirect interaction with multiple stakeholders like the ACLU of Washington, law enforcement, the Cannabis Defense Coalition, state legislators, lawyers, and many others, we describe a number of interesting technical and socially-imposed challenges for building medical registries. Second, we identify a new class of registries called unidirectional, non-identifying (UDNI) registries. Third, we use the UDNI concept to propose holistic design for a medical marijuana registry that leverages elements of a central database, but physically distributes proof-of-enrollment capability to persons enrolled in the registry. This design meets all of our goals and stands up in the face of a tough threat model. Finally, we detail our experience in transforming a technical design into an actual legislative bill.
Alexei Czeskis, Jacob Appelbaum
Protected Login
Abstract
Despite known problems with their security and ease-of-use, passwords will likely continue to be the main form of web authentication for the foreseeable future. We define a certain class of password-based authentication protocols and call them protected login. Protected login mechanisms present reasonable security in the face of real-world threat models. We find that some websites already employ protected login mechanisms, but observe that they struggle to protect first logins from new devices – reducing usability and security. Armed with this insight, we make a recommendation for increasing the security of web authentication: reduce the number of unprotected logins, and in particular, offer opportunistic protection of first logins. We provide a sketch of a possible solution.
Alexei Czeskis, Dirk Balfanz
Enabling Users to Self-manage Networks: Collaborative Anomaly Detection in Wireless Personal Area Networks
Abstract
Personal area networks such as home or small office LANs are usually more vulnerable to cyber-attacks than those with dedicated support staff and the ability to invest consistently in security defenses. In this paper I propose leveraging physical characteristics of these personal area networks in order to enable non-technical individuals to secure their networks or at least be aware that their devices have been compromised. This proposal leverages records of location for mobile devices, proximity authentication, and individual homophily. In this work, I summarize previous studies on securing personal networks, proximity authentication, and software attestation. I then present a preliminary design for the detection of and recovery from infection for personal area networks. Limitations and future work are also discussed.
Zheng Dong
A Conundrum of Permissions: Installing Applications on an Android Smartphone
Abstract
Each time a user installs an application on their Android phone they are presented with a full screen of information describing what access they will be granting that application. This information is intended to help them make two choices: whether or not they trust that the application will not damage the security of their device and whether or not they are willing to share their information with the application, developer, and partners in question. We performed a series of semi-structured interviews in two cities to determine whether people read and understand these permissions screens, and to better understand how people perceive the implications of these decisions. We find that the permissions displays are generally viewed and read, but not understood by Android users. Alarmingly, we find that people are unaware of the security risks associated with mobile apps and believe that app marketplaces test and reject applications. In sum, users are not currently well prepared to make informed privacy and security decisions around installing applications.
Patrick Gage Kelley, Sunny Consolvo, Lorrie Faith Cranor, Jaeyeon Jung, Norman Sadeh, David Wetherall
Methodology for a Field Study of Anti-malware Software
Abstract
Anti-malware products are typically evaluated using structured, automated tests to allow for comparison with other products and for measuring improved efficiency against specific attacks. We propose that anti-malware testing would benefit from field studies assessing effectiveness in more ecologically valid settings. This paper presents our methodology for conducting a 4-month field study with 50 participants, including discussion of deployment and data collection, encouraging retention of participants, ethical concerns, and our experience to date.
Fanny Lalonde Lévesque, Carlton R. Davis, José M. Fernandez, Sonia Chiasson, Anil Somayaji
My Privacy Policy: Exploring End-user Specification of Free-form Location Access Rules
Abstract
The increasing inclusion of location and other contextual information in social media applications requires users to be more aware of what their location disclosures reveal. As such, it is important to consider whether existing access-control mechanisms for managing location sharing meet the needs of today’s users. We report on a questionnaire (N = 103) in which respondents were asked to specify location access control rules using free-form everyday language. Respondents also rated and ranked the importance of a variety of contextual factors that could influence their decisions for allowing or disallowing access to their location. Our findings validate some prior results (e.g., the recipient was the most highly rated and ranked factor and appeared most often in free-form rules) while challenging others (e.g., time-based constraints were deemed relatively less important, despite being features of multiple location-sharing services). We also identified several themes in the free-form rules (e.g., special rules for emergency situations). Our findings can inform the design of tools to empower end users to articulate and capture their access-control preferences more effectively.
Sameer Patil, Yann Le Gall, Adam J. Lee, Apu Kapadia

The Workshop on Ethics in Computer Security Research (WECSR 12)

Spamming for Science: Active Measurement in Web 2.0 Abuse Research
Abstract
Spam and other electronic abuses have long been a focus of computer security research. However, recent work in the domain has emphasized an economic analysis of these operations in the hope of understanding and disrupting the profit model of attackers. Such studies do not lend themselves to passive measurement techniques. Instead, researchers have become middle-men or active participants in spam behaviors; methodologies that lie at an interesting juncture of legal, ethical, and human subject (e.g., IRB) guidelines.
In this work two such experiments serve as case studies: One testing a novel link spam model on Wikipedia and another using blackhat software to target blog comments and forums. Discussion concentrates on the experimental design process, especially as influenced by human-subject policy. Case studies are used to frame related work in the area, and scrutiny reveals the computer science community requires greater consistency in evaluating research of this nature.
Andrew G. West, Pedram Hayati, Vidyasagar Potdar, Insup Lee
A Refined Ethical Impact Assessment Tool and a Case Study of Its Application
Abstract
Research of or involving Information and Communications Technology (ICT) presents a wide variety of ethical challenges and the relative immaturity of ethical decision making in the ICT research community has prompted calls for additional research and guidance. The Menlo report, a revisiting of the seminal Belmont report, seeks to bring clarity to this arena by articulating a basic set of ethical principles for ICT research. However the gap between such principles and actionable guidance for the ethical conduct of ICT research is large. In previous work we sought to bridge this gap through the construction of an ethical impact assessment (EIA) tool that provided a set of guiding questions to help researchers understand how to apply the Menlo principles. While a useful tool, experiences in the intervening years have caused us to rethink and expand the EIA. In this paper we: (i) discuss the various challenges encountered in applying the original EIA, (ii) present a new EIA framework that represents our evolved understanding, and (iii) retrospectively apply this EIA to an ethically challenging, original study in ICTR.
Michael Bailey, Erin Kenneally, David Dittrich
It’s Not Stealing If You Need It: A Panel on the Ethics of Performing Research Using Public Data of Illicit Origin
Introduction
In a world where sensitive data can be published to a worldwide audience with the press of a button, researchers are increasingly making use of datasets that were publicized under questionable circumstances. In many cases, such research would otherwise not be possible. For instance, Weir et al. examined over thirty million user-generated passwords in order to observe the effects of entropy on password cracking [10].
Serge Egelman, Joseph Bonneau, Sonia Chiasson, David Dittrich, Stuart Schechter
Ethics Committees and IRBs: Boon, or Bane, or More Research Needed?
Abstract
A summary of remarks of the keynote talk.
Ross Anderson
Ethical and Secure Data Sharing across Borders
Abstract
This is a report on a panel that was held on March 2nd, 2012, as part of the Third Workshop on Ethics in Computer Security Research (WECSR 2012). The purpose of the panel was to discuss issues pertaining to ethical and secure data sharing across borders. In particular, (1) Are there ethically-driven data-sharing differences between laws of different nations, (2) Are there ethically different norms between nations? (3) How can one satisfy all norms/codes/acts among nations? (4) Can above be enforceable? automatically so? (5) Are there ever circumstances that justify “breaking the glass”? and (6) Assuming data sanitization is involved, how can we (technically) guarantee such?
José M. Fernandez, Andrew S. Patrick, Lenore D. Zuck
Backmatter
Metadata
Title
Financial Cryptography and Data Security
Edited by
Jim Blyth
Sven Dietrich
L. Jean Camp
Copyright year
2012
Publisher
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-34638-5
Print ISBN
978-3-642-34637-8
DOI
https://doi.org/10.1007/978-3-642-34638-5