On the future of Cyber-crime
Pieter Hartel
University of Twente
Queensland hacker jailed for revenge sewage attacks
Russian hacker jailed for porn on video billboard
DigiNotar Hackers suspected of spying on Iranian gmail
http://www.youtube.com/user/foxitsoc?feature=watch
Online banking fraud
2010: € 9.8 M
2011: € 35 M
2012: € 125 M (projected)
Engineers ignored the human element
Once a happy family dedicated to universal packet carriage
Keeping honest people honest with the netiquette
Explosive growth of the Internet from 1995 to 2005
[Figure: millions of Internet users per year, 1995 to 2005]
Everyone invited to the party and crime was here to stay
Uptake of security technology slow
The offender simply skirts around your defenses..
The human element: people are the weakest link
Two examples...
Example 1: Simulated laptop theft experiment
62 simulated offences, of which 31 succeeded

Step               Succeeded                Failed
Enter building     61                       1 (locked door)
Enter office       47 (1× via cleaner)      14
Unlock Kensington  31 (5× bolt cutter)      16
Leave building     62 (1× emergency exit)   0
Results
Social engineering works
30 out of 47 attempts with social engineering succeeded
1 out of 15 attempts without social engineering succeeded
Managers more likely to prevent attack than the target
Offender masquerading as ICT staff twice as likely to be successful
[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317
Example 2 : The failure of DigiNotar
Certificate: the binding of a public key and an identity, signed by a certification authority
What went wrong?
No anti-virus and weak passwords
Offenders hacked the system and issued rogue certificates
DigiNotar had been hacked before (2009)
No backup certificates
False certificates are still accepted by browsers that have not been patched...
DigiNotar is now bankrupt.
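What the certificate binds, and why the only remedy once a CA's signing key is abused is to patch clients so they no longer trust that CA, as an added Go example (not code from the slides or from DigiNotar; the two CA names and the host name mail.example.com are hypothetical). A rogue certificate for a host is accepted by a client that still trusts the compromised CA and rejected by one whose trust store has been patched:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl, signed with signer's key. When parent is nil
// the certificate is self-signed, which is how a root CA certificate is made.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA returns a self-signed root certificate and key for a hypothetical CA called name.
func NewCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := sign(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// IssueLeaf makes ca bind hostname to a freshly generated key. This is the certificate a
// web server presents; a rogue one is exactly what an attacker holding the CA key issues.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1000),
		Subject:      pkix.Name{CommonName: hostname},
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// Accepted reports whether a client that trusts exactly roots would accept leaf for host.
// Like a browser, it only checks the signature chain and the name, not whether the CA
// had any business issuing a certificate for that name.
func Accepted(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// RogueCertDemo returns (accepted by an unpatched client, accepted by a patched client)
// for a rogue certificate issued by a compromised CA (hypothetical names throughout).
func RogueCertDemo() (bool, bool, error) {
	compromised, compromisedKey, err := NewCA("Hypothetical Compromised CA", 1)
	if err != nil {
		return false, false, err
	}
	other, _, err := NewCA("Hypothetical Other CA", 2)
	if err != nil {
		return false, false, err
	}
	// The attacker, holding the compromised CA's key, issues a certificate for a site
	// that CA never had a relationship with.
	rogue, err := IssueLeaf(compromised, compromisedKey, "mail.example.com")
	if err != nil {
		return false, false, err
	}
	before := Accepted(rogue, []*x509.Certificate{compromised, other}, "mail.example.com")
	after := Accepted(rogue, []*x509.Certificate{other}, "mail.example.com") // CA removed by the patch
	return before, after, nil
}

func main() {
	before, after, err := RogueCertDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("rogue certificate accepted: unpatched=%v patched=%v\n", before, after)
}
```

Nothing in the verification step distinguishes a rogue certificate from a legitimate one: both carry a valid signature from a trusted root. That is why an unpatched browser keeps accepting the false certificates, and why the fix had to be a change to the trust store rather than to the certificate checking code.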
How to deal with the human element?
Focus on the offender
Focus on the offence
[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070
[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a
Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
1. Routine Activity Approach
[Figure: the crime triangle of the routine activity approach. Crime occurs when a motivated offender meets a suitable target in the absence of a capable guardian.]
2. Methodology: Action Research
1. collection of data about the nature of problem
2. analysis of the situational conditions
3. systematic study of means of blocking opportunities
4. implementation of the most promising means
5. monitoring of results and dissemination of experience.
[Figure: number of vehicles stolen per year, annotated with action research steps 1 to 5 and the point at which the first car theft index was published]
3. A set of opportunity-reducing techniques.
http://www.popcenter.org/25techniques/
4. A body of evaluated practice
Example: Phishing case study
How can we use the 25 techniques to fight phishing?
Increase the effort
1. Target hardening: train users to be vigilant
2. Control access to facilities: control inbox and account
5. Control weapons and tools: keep your PC up to date
Reduce rewards
11. Conceal targets: conceal the email address
14. Disrupt markets: control mule recruitment
Remove excuses
22. Post instructions: "No phishing"
1. Target Hardening
Training: Anti-phishing Phil
http://cups.cs.cmu.edu/antiphishing_phil/new/
The message of the training
1. Ignore email asking you to update personal information
2. Ignore threatening email
3. Ignore email from a bank that is not yours
4. Ignore email or URLs with spelling errors
5. Ignore a URL that contains an IP address
6. Check a URL using Google
7. Type a URL yourself, don't click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
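Three of the seven rules (4, 5 and 7) are mechanical enough to automate, which is what a mail filter or browser extension does on the user's behalf. The following Go program is an added example, not code from the slides or from the Anti-Phishing Phil material; the trusted bank domain examplebank.com and the sample links are constructed. It flags a link whose target is a raw IP address, a target domain within two edits of a trusted one (a near-misspelling), and visible link text that names a different site than the real target:

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// registeredDomain reduces a host name to its last two labels
// ("www.examplebank.com" -> "examplebank.com"). Simplification: multi-label public
// suffixes such as "co.uk" are not handled; IP addresses are returned unchanged.
func registeredDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if net.ParseIP(host) != nil {
		return host
	}
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// levenshtein is the edit distance between a and b (insert, delete and substitute cost 1).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func minInt(a, b, c int) int {
	m := a
	if b < m {
		m = b
	}
	if c < m {
		m = c
	}
	return m
}

// CheckLink applies three rules of the training message to one e-mail link and returns
// the reasons it looks like a phish (empty when none fire):
//   rule 5: the target host is a raw IP address;
//   rule 4: the target domain is a near-misspelling of a trusted domain;
//   rule 7: the visible link text names a different site than the real target.
func CheckLink(visibleText, href string, trusted []string) []string {
	var reasons []string
	u, err := url.Parse(href)
	if err != nil || u.Host == "" {
		return []string{"link target is not an absolute URL"}
	}
	target := registeredDomain(u.Hostname())
	if net.ParseIP(u.Hostname()) != nil {
		reasons = append(reasons, "target host is a raw IP address")
	}
	for _, t := range trusted {
		t = strings.ToLower(t)
		if target != t && levenshtein(target, t) <= 2 {
			reasons = append(reasons, fmt.Sprintf("target %q is a near-misspelling of %q", target, t))
		}
	}
	// Only when the visible text is itself a URL can it be compared with the real target.
	if tu, err := url.Parse(strings.TrimSpace(visibleText)); err == nil && tu.Host != "" {
		if shown := registeredDomain(tu.Hostname()); shown != target {
			reasons = append(reasons, fmt.Sprintf("link text shows %q but points to %q", shown, target))
		}
	}
	return reasons
}

func main() {
	trusted := []string{"examplebank.com"} // constructed: the user's own bank
	samples := []struct{ text, href string }{ // constructed sample links from e-mails
		{"https://www.examplebank.com/login", "http://192.0.2.10/login"},
		{"Click here to verify your account", "https://www.exarnplebank.com/"},
		{"https://www.examplebank.com/", "https://www.examplebank.com/"},
	}
	for _, s := range samples {
		fmt.Printf("%-32s -> %v\n", s.href, CheckLink(s.text, s.href, trusted))
	}
}
```

The first sample trips two rules (IP address target, text and target disagree), the second one (exarnplebank is two edits from examplebank) and the third none. Rules 1 to 3 and 6 need the message body or an outside lookup and are left to the human reader, which is the point of the training: the filter narrows the decision, it does not remove it.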
How well does training work?
515 volunteers out of 21,351 CMU staff and students:
172 in the control group, no training
172 single training, on day 0
171 double training, on day 0 and day 14
3 legitimate + 7 spear-phishing emails over 28 days
No credentials were actually harvested
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-word evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
Good, but could be better
On day 0 about 50% of participants fell for the phish
Constant across demographics
Control group remains constant
Single training reduces clicks
Multiple training reduces clicks more
Unfortunately:
Participants were self-selected...
No indication that this reduces crime...
5. Control weapons and tools
Is it a good idea to:
Let people surf the Internet without a license?
Allow manufacturers to sell the anti-virus of a PC as an optional extra?
Expect people to maintain their own anti-virus, firewall and OS?
Compare: is it a good idea to:
Let people drive on the road without a license?
Allow manufacturers to sell the brakes of a car as an optional extra?
Expect people to maintain their own car?
An idea that we would like to test
1. User pays the ISP an “Insurance” premium
2. Security vendor serves the user with updates
3. Security vendor notifies an ISP when user does not update
4. ISP ensures that non-compliant user does not endanger others
5. ISP remunerates vendor
6. Government controls ISPs and vendors
Conclusions
Crime Science approach:
Gives a human perspective on all things technical
Might have come up with new ideas
Avoids experimental flaws
An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/