
Presentation transcript: Introduction, Pieter Hartel


Slide 1: Introduction. Pieter Hartel

Slide 2: Queensland hacker jailed for revenge sewage attacks

Slide 3: Russian hacker jailed for porn on video billboard

Slide 4: Engineers ignored the human element

Slide 5: Once a happy family dedicated to universal packet carriage

Slide 6: Keeping honest people honest with the netiquette

Slide 7: Explosive growth of the Internet from 1995 to 2005 (chart: millions of users per year)

Slide 8: Everyone invited to the party and crime was here to stay

Slide 9: Uptake of security technology slow

Slide 10: The offender simply skirts around your defenses...

Slide 11: The human element: people are the weakest link

Slide 12: Example: the failure of DigiNotar

Slide 13: Certificate: the binding of a public key and an identity, signed by a certification authority

Slide 14: How does a certificate work?
1. Server generates a key pair and keeps the private key secret
2. Server sends the public key to the CA
3. CA signs and publishes the public key
4. User obtains the certificate
5. User checks the CA signature
6. User checks the revocation list
7. Server encrypts a message with its private key
8. User decrypts the message with the public key
9. User "knows" that it is talking to the server
Video: http://www.youtube.com/watch?v=wZsWoSxxwVY
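As an added illustration of the nine steps (not part of the original slides), the following Go program plays the CA, the server and the user with Go's standard crypto/x509 package; the CA name "Example CA", the serial numbers and the host name www.bob.com are made up for the example. Steps 7 and 8 are realised as a digital signature, which is what "encrypt with the private key" means in practice.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for pub with caKey; parent == nil produces the self-signed CA root.
func issue(cn string, serial int64, ku x509.KeyUsage, pub ed25519.PublicKey, parent *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, KeyUsage: ku,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// CertificateFlow plays CA, server and user through steps 1-9 of the slide; revoked=true puts the server on the CA's CRL.
func CertificateFlow(revoked bool) bool {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert := issue("Example CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, caPub, nil, caKey)
	srvPub, srvKey, _ := ed25519.GenerateKey(rand.Reader) // 1. server key pair; the private key never leaves the server
	srvCert := issue("www.bob.com", 42, x509.KeyUsageDigitalSignature, srvPub, caCert, caKey) // 2-3. CA signs and publishes it
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	if revoked {
		crl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: srvCert.SerialNumber, RevocationTime: time.Now()}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crl, caCert, caKey) // the CA also publishes its revocation list
	if srvCert.CheckSignatureFrom(caCert) != nil { // 4-5. the user obtains the certificate and checks the CA's signature on it
		return false
	}
	parsed, err := x509.ParseRevocationList(crlDER) // 6. the user checks the CRL, first making sure it really is the CA's
	if err != nil || parsed.CheckSignatureFrom(caCert) != nil {
		return false
	}
	for _, rc := range parsed.RevokedCertificates {
		if rc.SerialNumber.Cmp(srvCert.SerialNumber) == 0 {
			return false
		}
	}
	msg := []byte("hello from www.bob.com") // 7-8. "encrypt with private key" on the slide is a digital signature:
	sig := ed25519.Sign(srvKey, msg)         // the server signs, the user verifies with the certified public key
	return ed25519.Verify(srvCert.PublicKey.(ed25519.PublicKey), msg, sig) // 9. the user "knows" it talks to the key holder
}
```

CertificateFlow(false) returns true; CertificateFlow(true) returns false because the user finds the server's serial on the CRL. A real client would call Verify rather than only CheckSignatureFrom, so that validity dates and the host name are checked as well.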

Slide 15: What went wrong?
2001, Verisign:
- Offender claimed to be from Microsoft
- Social engineering
- 2 rogue certificates
- Discovered by Verisign internal audit
2011, DigiNotar:
- Offender(s) hacked the server
- No anti-virus and weak passwords
- Hundreds of rogue certificates issued
- Discovered by an Iranian Gmail user

Slide 16: Additional issues
- DigiNotar had been hacked before (2009)
- Microsoft delayed patches for NL by a week to prevent a blackout
- No backup certificates
- There are hundreds of companies like DigiNotar (GlobalSign?)
- False certificates still accepted by browsers that have not been patched...
- DigiNotar now bankrupt

Slide 17: How to deal with the human element?
- Focus on the offender
- Focus on the offence
[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070

Slide 18: [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a

Slide 19: Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice, including studies of displacement.

Slide 20: 1. Theoretical foundation
- Routine activity approach: crime is likely to occur when a potential offender meets with a suitable target in the absence of a capable guardian.
- Crime pattern theory: crime is concentrated at particular places (hot spots), targets the same victims repeatedly (repeat victimisation), and selects hot products.
- Rational choice perspective: criminals make a bounded rational choice judging risks and benefits.
(Diagram levels: specific event, everyday life, society)

Slide 21: 2. Methodology: action research
1. Collection of data about the nature of the problem
2. Analysis of the situational conditions
3. Systematic study of means of blocking opportunities
4. Implementation of the most promising means
5. Monitoring of results and dissemination of experience

Slide 22: 3. A set of opportunity-reducing techniques. http://www.popcenter.org/25techniques/

Slide 23: (image only, no text)

Slide 24: Increase effort (cyber example; physical example)
1. Harden targets: user training; steering column locks and immobilizers
2. Access control: two-factor authentication; electronic card access
3. Screen exits: audit logs; ticket needed for exit
4. Deflect offenders: honeypots; segregate offenders
5. Control tools and weapons: delete account of ex-employee; smart guns

Slide 25: Increase effort (image)

Slide 26: Increase risks (cyber example; physical example)
6. Extend guardianship: RFID tags; neighbourhood watch
7. Assist natural surveillance: show where laptops are; improve street lighting
8. Reduce anonymity: caller ID for the Internet; school uniforms
9. Utilise place managers: intrusion detection; CCTV on buses
10. Strengthen formal surveillance: lawful interception; burglar alarms

Slide 27: Increase risks (image)

Slide 28: Reduce rewards (cyber example; physical example)
11. Conceal targets: use pseudonyms; gender-neutral phone directories
12. Remove targets: turn Bluetooth off when not in use; removable car radio
13. Identify property: protective chip coatings; property marking
14. Disrupt markets: find money mules; monitor pawn shops
15. Deny benefits: blacklist stolen mobiles; speed humps

Slide 29: Reduce rewards (image)

Slide 30: Reduce provocation (cyber example; physical example)
16. Reduce frustrations and stress: good helpdesk; efficient queues and polite service
17. Avoid disputes: chat site moderation; fixed taxi fares
18. Reduce emotional arousal: ???; controls on violent pornography
19. Neutralise peer pressure: declare hacking illegal; "Idiots drink and drive"
20. Discourage imitation: repair websites immediately; censor details of modus operandi

Slide 31: Reduce provocation (image)

Slide 32: Remove excuses (cyber example; physical example)
21. Set rules: ask users to sign a security policy; rental agreements
22. Post instructions: warn against unauthorized use; "No parking"
23. Alert conscience: license expiry notice; roadside speed display boards
24. Assist compliance: free games if license is valid; public lavatories
25. Control disinhibitors (drugs, alcohol): user education; alcohol-free events

Slide 33: Remove excuses (image) http://www.homeoffice.gov.uk/

Slide 34: 4. A body of evaluated practice: phishing...
- Phishing is cheap and easy to automate
- Gartner Group estimates losses rose by 40% in 2008
- Phishers are hard to catch
- Victims are gullible

Slide 35: Characters
1. Bob's bank has website www.BOB.com
2. Customer Charlie has email address charlie@gmail.com
3. Phisher Phil buys www.B0B.com plus bulk email addresses
4. Money mule Mary works for Phil as "Administrative Sales Support - Virtual Office"
5. Rob is a "business relation" of Phil

Slide 36: Scenario
1. Phil sends Charlie a more or less credible email:
   From: helpdesk@BOB.com
   Dear customer, please renew your online banking subscription by entering your account details at www.B0B.com/renewal/
2. Charlie believes it is from his bank, clicks on the link provided and enters his credentials
3. Phil uses Charlie's credentials to log in to Charlie's account and sends Charlie's money to Mary
4. Mary transfers the money, untraceably and irreversibly, to Rob

Slide 37: How can we use the 25 techniques to fight phishing?
Increase the effort:
1. Target hardening: train users to be vigilant
2. Control access to facilities: control inbox and account
Reduce rewards:
11. Conceal targets: conceal the email address
14. Disrupt markets: control mule recruitment
Remove excuses:
22. Post instructions: "No phishing"

Slide 38: 1. Target hardening. Training: Anti-Phishing Phil, http://cups.cs.cmu.edu/antiphishing_phil/new/

Slide 39: The message of the training
1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from a bank that is not yours
4. Ignore email/URL with spelling errors
5. Ignore a URL with an IP address
6. Check a URL using Google
7. Type a URL yourself, don't click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
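Rules 3, 4, 5 and 7 of the training, applied to the link in the slide 36 email, as an added example in Go that is not part of the original lecture; the look-alike character table and the reason texts are the example's own assumptions, and the sample addresses are the ones from slides 35 and 36.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// lookalikes folds characters that read like a letter in many fonts, so that the slide's
// www.B0B.com (digit zero) compares equal to www.BOB.com (letter o). Assumed table, not exhaustive.
var lookalikes = strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s")

// domainOf returns the lower-cased domain part of an address such as helpdesk@BOB.com.
func domainOf(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(addr[i+1:])
	}
	return ""
}

// sameOrSub reports whether host is domain itself or a host underneath it.
func sameOrSub(host, domain string) bool {
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// CheckEmailLink applies training rules 3, 4, 5 and 7 to a link found in an email whose
// From: address is from. It returns the reasons the user should not click, or nil if none apply.
func CheckEmailLink(from, link string) []string {
	if !strings.Contains(link, "://") {
		link = "http://" + link // the slide writes the link without a scheme; net/url needs one to find the host
	}
	u, err := url.Parse(link)
	if err != nil || u.Hostname() == "" {
		return []string{"link has no parseable host; type the address yourself (rule 7)"}
	}
	host, claimed := strings.ToLower(u.Hostname()), domainOf(from)
	switch {
	case net.ParseIP(host) != nil:
		return []string{"link points at an IP address instead of a name (rule 5)"}
	case claimed == "":
		return []string{"sender address has no domain to compare against (rule 3)"}
	case sameOrSub(host, claimed):
		return nil
	case sameOrSub(lookalikes.Replace(host), lookalikes.Replace(claimed)):
		return []string{host + " is a look-alike of " + claimed + ", a 'spelling error' in the name (rule 4)"}
	default:
		return []string{host + " is not " + claimed + "; this is not your bank's site (rule 3)"}
	}
}
```

For the slide 36 email, CheckEmailLink("helpdesk@BOB.com", "www.B0B.com/renewal/") reports the look-alike host; the same link under www.BOB.com passes.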

Slide 40: How well does training work?
- 515 volunteers out of 21,351 CMU staff and students
- 172 in the control group, no training
- 172 single training, day 0 training
- 171 double training, day 0 and day 14 training
- 3 legitimate + 7 spear-phishing emails in 28 days
- No real harvest of IDs
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

Slide 41: Good but could be better
- On day 0 about 50% of participants fell for it
- Constant across demographics
- Control group remains constant
- Single training reduces clicks
- Multiple training reduces clicks more
- People click within 8 hours of receiving the email (!)
Unfortunately:
- Participants were self-selected...
- No indication that this reduces crime...

Slide 42: 2. Control access to facilities (1)
1. The email addresses: a few dollars per million email addresses, so too late
2. The mail service: client puzzles, but different devices
3. The target's inbox:
- Spam filter: false positives and negatives
- Signed email: phishers will use this too
- Reputation-based filtering: whose reputation?
- Caller ID: major changes in the Internet
[Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages 312-319, Montréal, Canada, Oct 2008. IEEE. http://dx.doi.org/10.1109/LCN.2008.4664185

Slide 43: 2. Control access to facilities (2)
4. The target's online banking site: two-factor authentication (TAN via SMS, gadget)
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6

Slide 44: 11. Conceal targets
1. The victim's email address: use a disposable email address (clumsy)
2. The victim's credentials: fill the database of the phishers with traceable data
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume 262 of IFIP Int. Federation for Information Processing, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2

Slide 45: 14. Disrupt markets
1. Money mule = target = victim
- Credentials sell for pennies to the dollar
- US Regulation E of the Federal Reserve Board
- Only back-end detection will protect against fraud
[Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE. http://dx.doi.org/10.1109/WIFS.2010.5711465
Who bears the loss (before / after the mule is treated as the liable party):
          Before   After
Target    -$100    $0
Bank      $0       $0
Mule      +$10     -$90
Offender  +$90     +$90

Slide 46: 20. Post instructions
1. The bank's website: post a notice that active anti-phishing measures are being taken... Do banks do this? "Phishers will be prosecuted"
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971

Slide 47: ? (questions)

Slide 48: Conclusions
Crime science approach:
- Gives a human perspective on all things technical
- Might have come up with new ideas
- Avoids experimental flaws
- An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/

