Cyber-crime Science = Crime Science + Information Security

Introduction
Pieter Hartel
Queensland hacker jailed for revenge sewage attacks
Russian hacker jailed for porn on video billboard
Engineers ignored the human element
Once a happy family dedicated to universal packet carriage
Keeping honest people honest with the netiquette
Explosive growth of the Internet from 1995 to 2005 (chart: millions of users per year)
Everyone invited to the party and crime was here to stay
Uptake of security technology slow
The offender simply skirts around your defenses...
The human element: People are the weakest link
Example: The failure of DigiNotar

Certificate: the binding of a public key and an identity, signed by a certification authority.
How does a certificate work?

Server:
1. Generates key pair and keeps private key secret
2. Sends public key to CA
CA:
3. CA signs & publishes public key
User:
4. Obtain certificate
5. Check CA signature
6. Check revocation list
7. Encrypt message with private key
8. Decrypt message with public key
9. User “knows” that it is talking to the server.
http://www.youtube.com/watch?v=wZsWoSxxwVY
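An added illustration of steps 3, 5 and 6 above, not part of the original slides: a toy certification authority using textbook RSA on constructed, far-too-small primes. It covers only the signature and revocation checks (not the message encryption of steps 7 and 8) and shows why step 6 matters: a certificate that carries a valid CA signature, as the rogue DigiNotar certificates did, is caught only by the revocation list.

```python
import hashlib

# Toy RSA on fixed, constructed primes: far too small for real use, but enough to show
# the signing and checking steps from the slide without any third-party library.
CA_PRIMES = (1000003, 1000033)
SERVER_PRIMES = (999979, 999983)

def make_keypair(p, q, e=65537):
    # Step 1: key pair; the private exponent d must never leave its owner.
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))   # (public, private)

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def issue_certificate(ca_priv, subject, subject_pub, serial):
    # Step 3: the CA binds an identity to a public key and signs that binding.
    body = f"{serial}|{subject}|{subject_pub[0]}|{subject_pub[1]}".encode()
    return {"serial": serial, "subject": subject, "body": body, "sig": sign(ca_priv, body)}

def check_certificate(cert, ca_pub, crl, expected_subject):
    """Steps 5 and 6 from the slide, plus the host-name check a browser performs."""
    if not verify(ca_pub, cert["body"], cert["sig"]):
        return "bad signature"
    if cert["serial"] in crl:
        return "revoked"          # the DigiNotar case: validly signed, later withdrawn
    if cert["subject"] != expected_subject:
        return "name mismatch"
    return "ok"

if __name__ == "__main__":
    ca_pub, ca_priv = make_keypair(*CA_PRIMES)
    server_pub, _server_priv = make_keypair(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "www.BOB.com", server_pub, serial=1)
    print(check_certificate(cert, ca_pub, crl=set(), expected_subject="www.BOB.com"))  # ok
    print(check_certificate(cert, ca_pub, crl={1}, expected_subject="www.BOB.com"))    # revoked
```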
What went wrong?
- 2001 Verisign
  - Offender claimed to be from Microsoft
  - Social engineering
  - 2 rogue certificates
  - Discovered by Verisign internal audit
- 2011 DigiNotar
  - Offender(s) hacked the server
  - No anti-virus and weak passwords
  - Hundreds of rogue certificates issued
  - Discovered by an Iranian Gmail user
Additional issues
- DigiNotar had been hacked before (2009)
- Microsoft delayed patches for NL by a week to prevent a blackout
- No backup certificates
- There are hundreds of companies like DigiNotar (GlobalSign?)
- False certificates still accepted by browsers that have not been patched...
- DigiNotar now bankrupt.
How to deal with the human element?
- Focus on the offender
- Focus on the offence

[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070
[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a
Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
1. Theoretical foundation
(Figure labels: specific event; everyday life; society)
- Routine Activity Approach: crime is likely to occur when a potential offender meets a suitable target in the absence of a capable guardian.
- Crime Pattern theory: crime is concentrated at particular places (hot spots), targets the same victims repeatedly (repeat victimisation), and selects hot products.
- Rational choice perspective: criminals make a bounded rational choice, judging risks against benefits.
2. Methodology: Action Research
1. Collection of data about the nature of the problem
2. Analysis of the situational conditions
3. Systematic study of means of blocking opportunities
4. Implementation of the most promising means
5. Monitoring of results and dissemination of experience.
3. A set of opportunity-reducing techniques.
- http://www.popcenter.org/25techniques/
Increase effort
(Each technique is followed by an information security example; a traditional crime prevention example)
1. Harden targets: User training; Steering column locks and immobilizers
2. Access control: Two-factor authentication; Electronic card access
3. Screen exits: Audit logs; Ticket needed for exit
4. Deflect offenders: Honey pots; Segregate offenders
5. Control tools & weapons: Delete account of ex-employee; Smart guns
Increase risks
6. Extend guardianship: RFID tags; Neighbourhood watch
7. Assist natural surveillance: Show where laptops are; Improve street lighting
8. Reduce anonymity: Caller ID for the Internet; School uniforms
9. Utilise place managers: Intrusion detection; CCTV on buses
10. Strengthen formal surveillance: Lawful interception; Burglar alarms
Reduce rewards
11. Conceal targets: Use pseudonyms; Gender-neutral phone directories
12. Remove targets: Turn Bluetooth off when not in use; Removable car radio
13. Identify property: Protective chip coatings; Property marking
14. Disrupt markets: Find money mules; Monitor pawn shops
15. Deny benefits: Blacklist stolen mobiles; Speed humps
Reduce provocation
16. Reduce frustrations and stress: Good helpdesk; Efficient queues and polite service
17. Avoid disputes: Chat site moderation; Fixed taxi fares
18. Reduce emotional arousal: ???; Controls on violent pornography
19. Neutralise peer pressure: Declare hacking illegal; “Idiots drink and drive”
20. Discourage imitation: Repair websites immediately; Censor details of modus operandi
Remove excuses
21. Set rules: Ask users to sign security policy; Rental agreements
22. Post instructions: Warn against unauthorized use; “No parking”
23. Alert conscience: License expiry notice; Roadside speed display boards
24. Assist compliance: Free games if license is valid; Public lavatories
25. Control disinhibitors (drugs, alcohol): User education; Alcohol-free events
http://www.homeoffice.gov.uk/
4. A body of evaluated practice: Phishing...
- Phishing is cheap and easy to automate
- Gartner Group estimates losses rose by 40% in 2008
- Phishers are hard to catch
- Victims are gullible
Characters
1. Bob’s bank has website www.BOB.com
2. Customer Charlie has email address charlie@gmail.com
3. Phisher Phil buys www.B0B.com + bulk email addresses
4. Money Mule Mary works for Phil as “Administrative Sales Support Virtual Office”
5. Rob is a “business relation” of Phil
Scenario
1. Phil sends Charlie a more or less credible email:
   From: helpdesk@BOB.com
   Dear customer, please renew your online banking subscription by entering your account details at www.B0B.com/renewal/
2. Charlie believes it’s from his bank, clicks on the link provided and enters his credentials
3. Phil uses Charlie's credentials to log in to Charlie’s account and sends Charlie’s money to Mary
4. Mary transfers the money, untraceably and irreversibly, to Rob
How can we use the 25 techniques to fight Phishing?

Increase the effort
1. Target hardening: Train users to be vigilant
2. Control access to facilities: Control inbox & account

Reduce rewards
11. Conceal targets: Conceal the email address
14. Disrupt markets: Control mule recruitment

Remove excuses
22. Post instructions: “No phishing”
1. Target hardening
- Training: Anti-phishing Phil
- http://cups.cs.cmu.edu/antiphishing_phil/new/
The message of the training
1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from a bank that is not yours
4. Ignore email/URL with spelling errors
5. Ignore a URL with an IP address
6. Check a URL using Google
7. Type a URL yourself, don’t click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
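As an added example (not from the slides or the Anti-Phishing Phil training), the rules above that a machine can check, rules 1 to 5, run as a small mail filter over the message Phil sends Charlie in the scenario. The bank domain list, keyword lists and the digit-for-letter table are constructed assumptions for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed for this example: the domain(s) of banks this user really holds an account with.
MY_BANK_DOMAINS = {"bob.com"}
# Digit-for-letter swaps typical of look-alike domains such as B0B.com (rule 4).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)
CREDENTIAL_WORDS = ("account details", "password", "credentials", "renew", "update")
THREAT_WORDS = ("suspended", "closed", "within 24 hours", "immediately", "legal action")

def hostname_is_ip(host):
    # Rule 5: a bare IP address where a bank's name should be.
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def check_link(url, trusted=MY_BANK_DOMAINS):
    """Apply rules 3, 4 and 5 to one link; returns the rules it violates."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if hostname_is_ip(host):
        return ["rule 5: link uses an IP address instead of a name"]
    # Toy approximation of the registrable domain: the last two labels (fine for .com).
    domain = ".".join(host.lower().split(".")[-2:])
    if domain in trusted:
        return []
    if domain.translate(HOMOGLYPHS) in trusted:
        return [f"rule 4: {domain} is a look-alike of your bank's domain"]
    return [f"rule 3: {domain} is not a bank of yours"]

def check_message(body, trusted=MY_BANK_DOMAINS):
    """Apply rules 1 and 2 to the text, then the link rules to every URL in it."""
    text = body.lower()
    findings = []
    if any(w in text for w in CREDENTIAL_WORDS):
        findings.append("rule 1: asks you to update or enter personal information")
    if any(w in text for w in THREAT_WORDS):
        findings.append("rule 2: threatening language")
    for url in URL_RE.findall(body):
        findings += check_link(url, trusted)
    return findings

# Constructed sample: the text of the e-mail Phil sends Charlie in the slides' scenario.
PHIL_MAIL = ("Dear customer, please renew your online banking subscription "
             "by entering your account details at www.B0B.com/renewal/")
```

Running `check_message(PHIL_MAIL)` flags rule 1 (request for account details) and rule 4 (B0B.com is a look-alike of BOB.com).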
How well does training work?
- 515 volunteers out of 21,351 CMU staff and students
  - 172 in the control group, no training
  - 172 single training, day 0 training
  - 171 double training, day 0 and day 14 training
- 3 legitimate + 7 spear-phishing emails in 28 days
- No real harvesting of IDs
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
Good but could be better
- On day 0 about 50% of participants fell for the phish
- Constant across demographics
- Control group remains constant
- Single training reduces clicks
- Multiple training reduces clicks more
- People click within 8 hours of receiving the email(!)
- Unfortunately:
  - Participants were self-selected...
  - No indication that this reduces crime...
2. Control access to facilities (1)
1. The email addresses: Few $ per million email addresses – too late
2. The mail service: Client puzzles – different devices
3. The target’s inbox:
   Spam filter – False positives & negatives
   Signed email – Phisher will use this too
   Reputation-based filtering – Whose reputation?
   Caller-id – Major changes in the Internet
[Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages 312-319, Montréal, Canada, Oct 2008. IEEE. http://dx.doi.org/10.1109/LCN.2008.4664185
2. Control access to facilities (2)
4. The target’s online banking site: Two-factor authentication (TAN via SMS, gadget)
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6
11. Conceal targets
1. The victim’s email address: Use a disposable email address – Clumsy
2. The victim’s credentials: Fill the database of the phishers with traceable data
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume 262 of IFIP Int. Federation for Information Processing, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0387-79026-8_2
14. Disrupt markets
1. Money mule = target = victim
   Credentials sell for pennies to the dollar
   US Regulation E of the Federal Reserve Board
   Only back-end detection will protect against fraud

Who gains and who loses, before and after:

            Before   After
  Target    -$100    $0
  Bank      $0       $0
  Mule      +$10     -$90
  Offender  +$90     +$90

[Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE. http://dx.doi.org/10.1109/WIFS.2010.5711465
22. Post instructions
1. The bank’s website: Post notice that active anti-phishing measures are being taken... – Do banks do this?
   (Sign: “Phishers will be prosecuted”)
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971
Conclusions
- Crime Science approach:
  - Gives a human perspective on all things technical
  - Might have come up with new ideas
  - Avoids experimental flaws
- An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/