Cyber-crime Science

Slide 5: Increase risks
6. Extend guardianship » RFID tags; Neighbourhood watch
7. Assist natural surveillance » Show where laptops are; Improve street lighting
8. Reduce anonymity » Caller ID for the Internet; School uniforms
9. Utilise place managers » IDS; CCTV on buses
10. Strengthen formal surveillance » Lawful interception; Burglar alarms
Slide 6: 9. IDS
Slide 7: Reduce rewards
11. Conceal targets » Use pseudonyms; Gender-neutral phone directories
12. Remove targets » Turn off when not in use; Removable car radio
13. Identify property » Protective chip coatings; Property marking
14. Disrupt markets » Mining for money mules; Monitor pawn shops
15. Deny benefits » Blacklist stolen mobiles; Speed humps
Protective coatings
Slide 9: Reduce provocation
16. Reduce frustrations and stress » Good helpdesk; Efficient queues and polite service
17. Avoid disputes » Chat site moderation; Fixed taxi fares
18. Reduce emotional arousal » Controls on gaming; Controls on violent pornography
19. Neutralise peer pressure » Declare hacking illegal; "Idiots drink and drive"
20. Discourage imitation » Instant clean-up; Censor details of modus operandi
Instant clean-up
Slide 11: Remove excuses
21. Set rules » Ask users to sign a security policy; Rental agreements
22. Post instructions » Warn against unauthorised use; "No parking"
23. Alert conscience » Licence expiry notice; Roadside speed display boards
24. Assist compliance » Free games if the licence is valid; Public lavatories
25. Control disinhibitors (drugs, alcohol) » User education; Alcohol-free events
Warn against misuse
Phishing: Case study
Slide 14: A course in phishing
Characters
» Bob's bank has a website
» Customer Charlie has an e-mail address
» Phisher Pete buys ... + bulk addresses
Scenario
1. Pete sends Charlie a more or less credible e-mail: "From: ... Dear customer, please renew your online banking subscription by entering your account details at ..."
2. Charlie believes it is from his bank and clicks on the link provided
3. Charlie enters his username and password
4. Pete uses Charlie's credentials to log in to Charlie's account and takes Charlie's money
Slide 15: What is phishing?
A form of social engineering
» Phishers try to get your sensitive information by masquerading as someone you trust
» Spear phishers search the web for context information about the target
Phishing is a big and growing problem
» Phishing is cheap and easy to automate
» Losses rose by 40% in 2008 (Gartner, but beware!)
» Phishers are hard to catch
» Victims are gullible
Phishing is not new
» False billing
Slide 16: Examples of the 25 techniques
Increase effort
» 1. Target hardening: Train users to be vigilant
» 2. Control access to facilities: Control inbox & account
Reduce rewards
» 11. Conceal targets: Conceal the address
» 14. Disrupt markets: Control mule recruitment
Remove excuses
» 22. Post instructions: "No phishing"
Target hardening
Training: Anti-Phishing Phil
Slide 18: The message of the training
1. Ignore e-mails asking you to update personal information
2. Ignore threatening e-mails
3. Ignore e-mails from a bank that is not yours
4. Ignore e-mails/URLs with spelling errors
5. Ignore URLs with an IP address
6. Check the URL using Google
7. Type the URL yourself, don't click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM.
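Rules 3, 4 and 5 above are mechanical enough to automate as a link check that a mail client or user-education tool could run before a user clicks. The following is an added example, not code from the slides or from the Anti-Phishing Phil game; it assumes a constructed list of the user's own bank domains and a deliberately crude "last two labels" notion of the registrable domain (a real deployment would use the Public Suffix List). Rules 6 and 7 need a human and are left out.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the domains of the banks this user actually has accounts with.
MY_BANK_DOMAINS = {"bobsbank.example"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings (rule 4)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude heuristic (assumption): keep the last two labels, so that
    bobsbank.example.evil.example is judged by evil.example, not by its prefix."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_url(url, my_banks=MY_BANK_DOMAINS):
    """Return the training rules a link violates; an empty list means the host is one of your banks."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["no host name in URL"]
    try:
        ipaddress.ip_address(host)          # rule 5: a bare IPv4/IPv6 address instead of a name
        return ["rule 5: host is a bare IP address"]
    except ValueError:
        pass                                # not an IP address, carry on
    domain = registrable_domain(host)
    if domain in my_banks:
        return []
    close = sorted(b for b in my_banks if edit_distance(domain, b) <= 2)
    if close:                               # rule 4: one or two characters off a real bank name
        return [f"rule 4: {domain!r} looks like a misspelling of {close[0]!r}"]
    return [f"rule 3: {domain!r} is not one of your banks"]


if __name__ == "__main__":
    # Constructed links in the style of the Pete/Charlie scenario above.
    for link in ["https://bobsbank.example/login", "http://192.0.2.10/bobsbank/login",
                 "https://b0bsbank.example/renew", "https://bobsbank.example.evil.example/renew"]:
        print(link, "->", check_url(link) or ["ok: your bank"])
```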
Slide 19: How well does training work?
515 volunteers out of 21,351 CMU staff and students
» 172 in the control group, no training
» 172 single training, on day 0
» 171 double training, on day 0 and day 14
3 legitimate + 7 spear-phishing e-mails in 28 days
No real harvesting of IDs
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM.
Slide 20: Good, but could be better
On day 0 about 50% of participants fell for the phish
» Constant across demographics
» Control group remains constant
» Single training reduces clicks
» Multiple training reduces clicks more
People click within 8 hours of receiving the e-mail
Room for improvement:
» Participants were self-selected...
» No indication that this reduces crime...
Control access to facilities
The addresses
» A few $ per million addresses – too late
The mail service
» Client puzzles – different devices
The target's inbox
» Spam filter – false positives & negatives
» Signed e-mail – the phisher will use this too
» Reputation-based filtering – whose reputation?
» Caller ID – major changes to the Internet [Wid08]
[Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), Montréal, Canada, Oct 2008. IEEE.
Control access to facilities
The target's online banking site
» Two-factor authentication (TAN via SMS, gadget) [Wei08]
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel: an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer.
Conceal targets
The victim's address
» Use a disposable address – clumsy
The victim's credentials
» Fill the phishers' database with traceable data [Gaj08]
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume 262 of IFIP Int. Federation for Information Processing, pages 23-35, Karlstad, Sweden, Aug 2008. Springer, Boston.
Disrupt markets
Money mule = target = victim
» Role: turn traceable, reversible into untraceable, irreversible
» Credentials sell for pennies on the dollar
» US Regulation E of the Federal Reserve Board
» Only back-end detection will protect against fraud [Flo10]
[Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE.

            Before    After
  Target    -$100     $0
  Bank      $0        $0
  Mule      +$10      -$90
  Offender  +$90      +$90
Post instructions
The bank's website
» Post a notice that active anti-phishing measures are being taken... – Do banks do this? Would this work?
"Phishers will be prosecuted"
Slide 27: Anti-phishing research is risky
» Crawling a social network site violates its terms of service – use the API properly
» Copyright prohibits cloning web sites – work with the target, change the law
» Confusing trademarks damages the good name of the target – idem
» Phishing is illegal in California – avoid
» Make sure that your research is not in any way linked to commercial activities! [Sog08]
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd Annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE.
Laptop theft: Case study
Slide 29: Laptop theft
» 62 simulated offences, of which 31 succeeded
Slide 31: Results
Social engineering works
» 30 of 47 attempts with social engineering succeeded
» 1 of 15 attempts without social engineering succeeded
Managers were more likely to prevent the attack than the target
An offender masquerading as ICT staff was twice as likely to be successful
Chapter 7 of [Dim12] T. Dimkov. Alignment of Organizational Security Policies: Theory and Practice. PhD thesis, University of Twente, 2012.
Slide 32: Conclusions
The Crime Science approach:
» Might have avoided experimental flaws
» Might have come up with new ideas
» Would have looked at crime prevention
How to bridge the gap between crime science and information security?
An ounce of prevention is worth a pound of cure