
Introduction


Presentation Transcript


  1. Introduction (Pieter Hartel)

  2. Queensland hacker jailed for revenge sewage attacks

  3. Russian hacker jailed for porn on video billboard

  4. Engineers ignored the human element

  5. Once a happy family dedicated to universal packet carriage

  6. Keeping honest people honest with the netiquette

  7. Explosive growth of the Internet from 1995 to 2005 (chart: millions of users per year)

  8. Everyone invited to the party and crime was here to stay

  9. Uptake of security technology slow

  10. The offender simply skirts around your defenses...

  11. The human element: People are the weakest link

  12. Example: The failure of DigiNotar

  13. Certificate The binding of a public key and an identity signed by a certification authority

  14. How does a certificate work?
  • Server: generates a key pair and keeps the private key secret; sends the public key to the CA; encrypts a message with the private key
  • CA: signs & publishes the public key
  • User: obtains the certificate; checks the CA signature; checks the revocation list; decrypts the message with the public key
  • The user "knows" that it is talking to the server.
  http://www.youtube.com/watch?v=wZsWoSxxwVY

  15. What went wrong?
  • 2001 Verisign
    • Offender claimed to be from Microsoft
    • Social engineering
    • 2 rogue certificates
    • Discovered by Verisign internal audit
  • 2011 DigiNotar
    • Offender(s) hacked the server
    • No anti-virus and weak passwords
    • Hundreds of rogue certificates issued
    • Discovered by Iranian Gmail user

  16. Additional issues
  • DigiNotar had been hacked before (2009)
  • Microsoft delayed patches for NL by a week to prevent a blackout
  • No backup certificates
  • There are hundreds of companies like DigiNotar (GlobalSign?)
  • False certificates still accepted by browsers that have not been patched...
  • DigiNotar now bankrupt.

  17. How to deal with the human element?
  • Focus on the offender
  • Focus on the offence
  [Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070

  18. [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a

  19. Situational crime prevention focuses on the offence
  • A theoretical foundation.
  • A standard methodology based on action research.
  • A set of opportunity-reducing techniques.
  • A body of evaluated practice, including studies of displacement.

  20. 1. Theoretical foundation
  • Routine Activity Approach
    • crime is likely to occur when a potential offender meets with a suitable target in the absence of a capable guardian.
  • Crime Pattern theory
    • crime is concentrated at particular places (hot spots), targets the same victims repeatedly (repeat victimisation), and selects hot products.
  • Rational choice perspective
    • criminals make a bounded rational choice judging risks and benefits.
  (diagram levels: specific event; everyday life; society)

  21. 2. Methodology: Action Research
  • collection of data about the nature of the problem
  • analysis of the situational conditions
  • systematic study of means of blocking opportunities
  • implementation of the most promising means
  • monitoring of results and dissemination of experience.

  22. 3. A set of opportunity-reducing techniques. • http://www.popcenter.org/25techniques/

  23. Increase effort (security example; everyday example)
  • Harden targets: user training; steering column locks and immobilizers
  • Access control: two-factor authentication; electronic card access
  • Screen exits: audit logs; ticket needed for exit
  • Deflect offenders: honey pots; segregate offenders
  • Control tools & weapons: delete account of ex-employee; smart guns

  24. Increase effort

  25. Increase risks (security example; everyday example)
  • Extend guardianship: RFID tags; neighbourhood watch
  • Assist natural surveillance: show where laptops are; improve street lighting
  • Reduce anonymity: caller ID for the Internet; school uniforms
  • Utilise place managers: intrusion detection; CCTV on buses
  • Strengthen formal surveillance: lawful interception; burglar alarms

  26. Increase risks

  27. Reduce rewards (security example; everyday example)
  • Conceal targets: use pseudonyms; gender-neutral phone directories
  • Remove targets: turn Bluetooth off when not in use; removable car radio
  • Identify property: protective chip coatings; property marking
  • Disrupt markets: find money mules; monitor pawn shops
  • Deny benefits: blacklist stolen mobiles; speed humps

  28. Reduce rewards

  29. Reduce provocation (security example; everyday example)
  • Reduce frustrations and stress: good helpdesk; efficient queues and polite service
  • Avoid disputes: chat site moderation; fixed taxi fares
  • Reduce emotional arousal: ???; controls on violent pornography
  • Neutralise peer pressure: declare hacking illegal; "Idiots drink and drive"
  • Discourage imitation: repair websites immediately; censor details of modus operandi

  30. Reduce provocation

  31. Remove excuses (security example; everyday example)
  • Set rules: ask users to sign security policy; rental agreements
  • Post instructions: warn against unauthorized use; "No parking"
  • Alert conscience: license expiry notice; roadside speed display boards
  • Assist compliance: free games if license is valid; public lavatories
  • Control disinhibitors (drugs, alcohol): user education; alcohol-free events

  32. Remove excuses
  http://www.homeoffice.gov.uk/

  33. 4. A body of evaluated practice: Phishing...
  • Phishing is cheap and easy to automate
  • Gartner Group estimates losses rose by 40% in 2008
  • Phishers are hard to catch
  • Victims are gullible

  34. Characters
  • Bob's bank has website www.BOB.com
  • Customer Charlie has email address charlie@gmail.com
  • Phisher Phil buys www.B0B.com + bulk email addresses
  • Money Mule Mary works for Phil as "Administrative Sales Support - Virtual Office"
  • Rob is a "business relation" of Phil

  35. Scenario
  • Phil sends Charlie a more or less credible email:
    From: helpdesk@BOB.com
    Dear customer, please renew your online banking subscription by entering your account details at www.B0B.com/renewal/
  • Charlie believes it's from his bank, clicks on the link provided and enters his credentials
  • Phil uses Charlie's credentials to log in to Charlie's account and sends Charlie's money to Mary
  • Mary transfers the money, untraceably and irreversibly, to Rob

  36. How can we use the 25 techniques to fight Phishing?
  • Increase the effort
    • Target hardening: train users to be vigilant
    • Control access to facilities: control inbox & account
  • Reduce rewards
    • Conceal targets: conceal the email address
    • Disrupt markets: control mule recruitment
  • Remove excuses
    • Post instructions: "No phishing"

  37. 1. Target Hardening
  • Training: Anti-Phishing Phil
  • http://cups.cs.cmu.edu/antiphishing_phil/new/

  38. The message of the training
  • Ignore email asking to update personal info
  • Ignore threatening email
  • Ignore email from a bank that is not yours
  • Ignore email/URL with spelling errors
  • Ignore a URL with an IP address
  • Check a URL using Google
  • Type a URL yourself, don't click on it
  [Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
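  The training rules above, together with the www.B0B.com scenario from slide 35, can be turned into a small mail-side check that flags the same red flags a trained user is taught to spot. The code below is an added example written for this transcript; it is not from the slides, from Anti-Phishing Phil, or from any of the cited papers. The bank domain bob.com and the lookalike B0B.com come from the slides; the digit-for-letter substitution table and the keyword lists are assumptions chosen for illustration, not a published heuristic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: the only bank domain the user actually has an account with
# (from the slides' scenario; a real deployment would hold a per-user list).
TRUSTED_DOMAIN = "bob.com"

# Assumed substitution table: digits phishers swap for look-alike letters,
# so that "B0B.com" normalises back to "bob.com" for comparison.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Assumed keyword lists behind "asks to update personal info" and "threatening".
_REQUEST_WORDS = ("update", "renew", "verify", "confirm")
_DATA_WORDS = ("account", "password", "details", "credentials")
_THREAT_PHRASES = ("suspend", "locked", "within 24 hours", "legal action")


def _host(url):
    """Lower-case host part of a URL; tolerate links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(host, trusted):
    """Exact match or a subdomain of the trusted domain (www.bob.com -> bob.com)."""
    return host == trusted or host.endswith("." + trusted)


def assess_message(sender, url, body, trusted=TRUSTED_DOMAIN):
    """Apply the training rules to one message and return the list of red flags.

    An empty list means none of the checks fired; it does not prove the message
    is genuine (a forged From: header passes the sender check, as in slide 35).
    """
    flags = []
    host = _host(url)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    text = body.lower()

    # "Ignore a URL with an IP address"
    if _is_ip_literal(host):
        flags.append("url-uses-ip-address")
    elif not _same_site(host, trusted):
        # Normalise digit-for-letter swaps and compare again: www.b0b.com -> www.bob.com
        if _same_site(host.translate(_HOMOGLYPHS), trusted):
            flags.append("lookalike-domain")
        else:
            flags.append("unknown-domain")

    # "Ignore email from a bank that is not yours"
    if not _same_site(sender_domain, trusted):
        flags.append("sender-not-bank")

    # "Ignore email asking to update personal info"
    if any(re.search(r"\b%s\b" % w, text) for w in _REQUEST_WORDS) and any(
        w in text for w in _DATA_WORDS
    ):
        flags.append("asks-for-personal-info")

    # "Ignore threatening email"
    if any(p in text for p in _THREAT_PHRASES):
        flags.append("threatening-language")

    return flags


if __name__ == "__main__":
    # Constructed sample: the slide-35 phish and a benign statement notice.
    phish = assess_message(
        "helpdesk@BOB.com",
        "www.B0B.com/renewal/",
        "Dear customer, please renew your online banking subscription by "
        "entering your account details",
    )
    benign = assess_message("alerts@bob.com", "https://www.bob.com/", "Your statement is ready")
    print("phish  :", phish)
    print("benign :", benign)
```

  Note what the sender check does and does not catch: Phil's forged From: helpdesk@BOB.com passes it, which is why the slide's advice rests on the URL and the request itself rather than on the sender line. The lookalike check only covers digit-for-letter swaps; it is a demonstration of the rule, not a substitute for the "type the URL yourself" advice.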

  39. How well does training work?
  • 515 volunteers out of 21,351 CMU staff + students
  • 172 in the control group, no training
  • 172 single training: day 0 training
  • 171 double training: day 0 and day 14 training
  • 3 legitimate + 7 spear-phish emails in 28 days
  • No real harvest of IDs
  [Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

  40. Good but could be better
  • On day 0 about 50% of participants fell for it
  • Constant across demographics
  • Control group remains constant
  • Single training reduces clicks
  • Multiple training reduces clicks more
  • People click within 8 hours of receiving the email (!)
  • Unfortunately:
    • Participants were self-selected...
    • No indication that this reduces crime...

  41. 2. Control access to facilities (1)
  • The email addresses:
    • Few $ per million email addresses – too late
  • The mail service:
    • Client puzzles – different devices
  • The target's inbox:
    • Spam filter – false positives & negatives
    • Signed email – phisher will use this too
    • Reputation-based filtering – whose reputation?
    • Caller ID – major changes in the Internet
  [Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages 312-319, Montréal, Canada, Oct 2008. IEEE. http://dx.doi.org/10.1109/LCN.2008.4664185

  42. 2. Control access to facilities (2)
  • The target's online banking site
    • Two-factor authentication (TAN via SMS, gadget)
  [Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6

  43. 11. Conceal targets
  • The victim's email address
    • Use a disposable email address – clumsy
  • The victim's credentials
    • Fill the phishers' database with traceable data
  [Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume 262 of IFIP Int. Federation for Information Processing, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2

  44. 14. Disrupt Markets
  • Money mule = target = victim
  • Credentials sell for pennies on the dollar
  • US Regulation E of the Federal Reserve Board
  • Only back-end detection will protect against fraud
  [Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE. http://dx.doi.org/10.1109/WIFS.2010.5711465

  45. 20. Post Instructions
  • The bank's website
    • Post a notice that active anti-phishing measures are being taken... – Do banks do this?
    • "Phishers will be prosecuted"
  [Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd Annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971

  46. ?

  47. Conclusions
  • Crime Science approach:
    • Gives a human perspective on all things technical
    • Might have come up with new ideas
    • Avoids experimental flaws
  • An ounce of prevention is worth a pound of cure
  [Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/
