1 Introduction (Pieter Hartel)
2 Queensland hacker jailed for revenge sewage attacks
3 Russian hacker jailed for porn on video billboard
4 Engineers ignored the human element
5 Once a happy family dedicated to universal packet carriage
6 Keeping honest people honest with the netiquette
7 Explosive growth of the Internet [chart: millions of users by year]
8 Everyone invited to the party and crime was here to stay
9 Uptake of security technology slow
10 The offender simply skirts around your defenses.
11 The human element: People are the weakest link
12 Example: The failure of DigiNotar
13 Certificate: the binding of a public key and an identity, signed by a certification authority
14 How does a certificate work?
  1. Server generates a key pair and keeps the private key secret
  2. Server sends the public key to the CA
  3. CA signs and publishes the public key
  4. User obtains the certificate
  5. User checks the CA signature
  6. User checks the revocation list
  7. Server encrypts a message with its private key
  8. User decrypts the message with the public key
  9. User “knows” that it is talking to the server
15 What went wrong?
  2001, Verisign:
    Offender claimed to be from Microsoft (social engineering)
    2 rogue certificates
    Discovered by a Verisign internal audit
  2011, DigiNotar:
    Offender(s) hacked the server (no anti-virus and weak passwords)
    Hundreds of rogue certificates issued
    Discovered by an Iranian Gmail user
16 Additional issues
  DigiNotar had been hacked before (2009)
  Microsoft delayed patches for NL by a week to prevent a blackout
  No backup certificates
  There are hundreds of companies like DigiNotar (GlobalSign?)
  False certificates still accepted by browsers that have not been patched...
  DigiNotar now bankrupt.
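The nine certificate steps from slide 14, played out against the DigiNotar case above, as an added example in Go with the standard library's crypto/x509 (not code from the slides). The CA name, the host name bank.example, the serial numbers and the revocation list are constructed; the rogue certificate is signed with the CA's own key, so the user's signature check (step 5) accepts it and only the revocation check (step 6) rejects it.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// issue is the CA's side (step 3): sign pub into a certificate for name; with parent == nil the template signs itself (the CA's own root certificate).
func issue(name string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign, t
	} else {
		t.DNSNames, t.ExtKeyUsage, t.KeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, x509.KeyUsageDigitalSignature
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}
// userAccepts is the user's side: step 5 (CA signature, host name, validity period), then step 6 (revocation list).
func userAccepts(c *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, host string) bool {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false
	}
	return !revoked[c.SerialNumber.String()]
}
// Scenario: a genuine server certificate, then a rogue one for the same name issued with the CA's compromised key (the DigiNotar case); the rogue one passes step 5 and only step 6 stops it.
func Scenario() (genuine, rogueBeforeRevocation, rogueAfterRevocation bool) {
	caKey, serverKey, attackerKey := newKey(), newKey(), newKey() // step 1 for the server; the offender has its own key
	ca := issue("Example CA", 1, &caKey.PublicKey, nil, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the user's browser trusts this CA
	server := issue("bank.example", 2, &serverKey.PublicKey, ca, caKey)  // steps 2-4: the genuine certificate
	rogue := issue("bank.example", 3, &attackerKey.PublicKey, ca, caKey) // same name, signed with the stolen CA key
	crl := map[string]bool{}                                              // revocation list, keyed by serial number
	genuine = userAccepts(server, roots, crl, "bank.example")
	rogueBeforeRevocation = userAccepts(rogue, roots, crl, "bank.example")
	crl[rogue.SerialNumber.String()] = true // the CA discovers the breach and revokes serial 3
	rogueAfterRevocation = userAccepts(rogue, roots, crl, "bank.example")
	return
}
```

This is also why slide 16's unpatched browsers kept accepting the false certificates: a valid CA signature says nothing about whether the CA was in control of its key when it signed.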
17 How to deal with the human element?
  Focus on the offender
  Focus on the offence
  [Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5), 2010.
  [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782), 2006.
19 Situational crime prevention focuses on the offence
  1. A theoretical foundation.
  2. A standard methodology based on action research.
  3. A set of opportunity-reducing techniques.
  4. A body of evaluated practice, including studies of displacement.
20 1. Theoretical foundation
  Routine activity approach: crime is likely to occur when a potential offender meets with a suitable target in the absence of a capable guardian.
  Crime pattern theory: crime is concentrated at particular places (hot spots), targets the same victims repeatedly (repeat victimisation), and selects hot products.
  Rational choice perspective: criminals make a bounded rational choice, judging risks and benefits.
  [Diagram: specific event, everyday life, society]
21 2. Methodology: action research
  1. Collection of data about the nature of the problem
  2. Analysis of the situational conditions
  3. Systematic study of means of blocking opportunities
  4. Implementation of the most promising means
  5. Monitoring of results and dissemination of experience
22 3. A set of opportunity-reducing techniques
  Each of the 25 techniques below is given with an information-security example first and a conventional crime-prevention example second.
24 Increase effort
  1. Harden targets: User training; Steering column locks and immobilizers
  2. Access control: Two-factor authentication; Electronic card access
  3. Screen exits: Audit logs; Ticket needed for exit
  4. Deflect offenders: Honey pots; Segregate offenders
  5. Control tools & weapons: Delete account of ex-employee; Smart guns
26 Increase risks
  6. Extend guardianship: RFID tags; Neighbourhood watch
  7. Assist natural surveillance: Show where laptops are; Improve street lighting
  8. Reduce anonymity: Caller ID for Internet; School uniforms
  9. Utilise place managers: Intrusion detection; CCTV on buses
  10. Strengthen formal surveillance: Lawful interception; Burglar alarms
28 Reduce rewards
  11. Conceal targets: Use pseudonyms; Gender-neutral phone directories
  12. Remove targets: Turn Bluetooth off when not in use; Removable car radio
  13. Identify property: Protective chip coatings; Property marking
  14. Disrupt markets: Find money mules; Monitor pawn shops
  15. Deny benefits: Blacklist stolen mobiles; Speed humps
30 Reduce provocation
  16. Reduce frustrations and stress: Good helpdesk; Efficient queues and polite service
  17. Avoid disputes: Chat site moderation; Fixed taxi fares
  18. Reduce emotional arousal: ???; Controls on violent pornography
  19. Neutralise peer pressure: Declare hacking illegal; “Idiots drink and drive”
  20. Discourage imitation: Repair websites immediately; Censor details of modus operandi
32 Remove excuses
  21. Set rules: Ask users to sign security policy; Rental agreements
  22. Post instructions: Warn against unauthorized use; “No parking”
  23. Alert conscience: License expiry notice; Roadside speed display boards
  24. Assist compliance: Free games if license is valid; Public lavatories
  25. Control disinhibitors (drugs, alcohol): User education; Alcohol-free events
34 4. A body of evaluated practice: phishing...
  Phishing is cheap and easy to automate
  Gartner Group estimates losses rose by 40% in 2008
  Phishers are hard to catch
  Victims are gullible
35 Characters
  1. Bob's bank has a website
  2. Customer Charlie has an email address
  3. Phisher Phil buys + bulk addresses
  4. Money mule Mary works for Phil as “Administrative Sales Support - Virtual Office”
  5. Rob is a “business relation” of Phil
36 Scenario
  1. Phil sends Charlie a more or less credible email. From: “Dear customer, please renew your online banking subscription by entering your account details at”
  2. Charlie believes it's from his bank, clicks on the link provided and enters his credentials
  3. Phil uses Charlie's credentials to log in to Charlie's account and sends Charlie's money to Mary
  4. Mary transfers the money, untraceably and irreversibly, to Rob
37 How can we use the 25 techniques to fight phishing?
  Increase the effort
    1. Target hardening: Train users to be vigilant
    2. Control access to facilities: Control inbox & account
  Reduce rewards
    11. Conceal targets: Conceal the address
    14. Disrupt markets: Control mule recruitment
  Remove excuses
    22. Post instructions: “No phishing”
38 1. Target Hardening Training: Anti-phishing Phil
39 The message of the training
  1. Ignore emails asking to update personal info
  2. Ignore threatening emails
  3. Ignore emails from a bank that is not yours
  4. Ignore an email/URL with spelling errors
  5. Ignore a URL with an IP address
  6. Check a URL using Google
  7. Type a URL yourself, don't click on it
  [Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM.
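Rules 3 to 5 of the training message as a mechanical link check, an added example in Go that is not part of the slides or of Anti-Phishing Phil; the bank's genuine domain bank.example is an assumption and the sample links in the comments are constructed.

```go
package main
import (
	"net"
	"net/url"
	"strings"
)
// editDistance is the Levenshtein distance; one or two edits away from the real domain is rule 4's "spelling error".
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // substitution: free when the bytes match
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			if v := prev[j] + 1; v < cur[j] { // deletion
				cur[j] = v
			}
			if v := cur[j-1] + 1; v < cur[j] { // insertion
				cur[j] = v
			}
		}
		prev = cur
	}
	return prev[len(b)]
}
// Verdict applies rules 3, 4 and 5 to one link and returns the reason not to click, or "" when the link really is on the bank's own domain.
func Verdict(raw, bankHost string) string {
	u, err := url.Parse(raw) // e.g. "https://www.bamk.example/login" (constructed)
	if err != nil || u.Hostname() == "" {
		return "not a usable URL"
	}
	host := strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.") // "www." is not part of the brand
	switch {
	case net.ParseIP(host) != nil: // rule 5: a bare IP address instead of a name, e.g. "http://192.0.2.10/login"
		return "host is an IP address"
	case host == bankHost || strings.HasSuffix(host, "."+bankHost):
		return "" // the bank's own domain, or a subdomain of it
	case editDistance(host, bankHost) <= 2: // rule 4: a look-alike such as "bamk.example"
		return "host looks like a misspelling of " + bankHost
	}
	return "not your bank's domain" // rule 3: a bank that is not yours, e.g. "bank.example.evil.test"
}
```

Rules 6 and 7 (check the URL with a search engine, type it yourself) remain manual steps that no inbox-side check can replace.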
40 How well does training work?
  515 volunteers out of 21,351 CMU staff and students
  172 in the control group: no training
  172 single training: training on day 0
  171 double training: training on day 0 and day 14
  3 legitimate + 7 spear-phishing emails in 28 days
  No real harvest of IDs
  [Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM.
41 Good but could be better
  On day 0 about 50% of participants fell for it
  Constant across demographics
  Control group remains constant
  Single training reduces clicks
  Multiple training reduces clicks more
  People click within 8 hours of receiving the email (!)
  Unfortunately: participants were self-selected...
  No indication that this reduces crime...
42 2. Control access to facilities (1)
  1. The email addresses: Few $ per million addresses – too late
  2. The mail service: Client puzzles – different devices
  3. The target's inbox:
     Spam filter – false positives & negatives
     Signed email – phisher will use this too
     Reputation-based filtering – whose reputation?
     Caller-id – major changes in the Internet
  [Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), Montréal, Canada, Oct 2008. IEEE.
43 2. Control access to facilities (2)
  4. The target's online banking site: Two-factor authentication (TAN via SMS, gadget)
  [Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer.
44 Conceal targets
  1. The victim's email address: Use a disposable address – clumsy
  2. The victim's credentials: Fill the database of the phishers with traceable data
  [Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume 262 of IFIP Int. Federation for Information Processing, pages 23-35, Karlstad, Sweden, Aug 2008. Springer, Boston.
45 Disrupt markets
  1. Money mule = target = victim
  Credentials sell for pennies to the dollar
  US Regulation E of the Federal Reserve Board
  Only backend detection will protect against fraud
  [Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE.
              Before    After
  Target      -$100     $0
  Bank        $0        $0
  Mule        +$10      -$90
  Offender    +$90      +$90
46 Post instructions
  1. The bank's website: Post a notice that active anti-phishing measures are being taken... – do banks do this?
  Phishers will be prosecuted
  [Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd Annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE.
48 Conclusions
  Crime science approach:
    Gives a human perspective on all things technical
    Might have come up with new ideas
    Avoids experimental flaws
  An ounce of prevention is worth a pound of cure
  [Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010.