Presentation by Professor Hartel, Dialogues House, 28 March 2012

Uploaded by: thesocialreporters

Posted on 17-Jan-2015

Category: Technology

TRANSCRIPT

Page 1

On the future of Cyber-crime

Pieter Hartel

University of Twente

Page 2

Queensland hacker jailed for revenge sewage attacks

Page 3

Russian hacker jailed for porn on video billboard

Page 4

DigiNotar Hackers suspected of spying on Iranian gmail

http://www.youtube.com/user/foxitsoc?feature=watch

Page 5

Online banking fraud

2010: € 9,8 M

2011: € 35 M

2012: € 125M?

Page 6

Engineers ignored the human element

Page 7

Once a happy family dedicated to universal packet carriage

Page 8

Keeping honest people honest with the netiquette

Page 9

Explosive growth of the Internet from 1995 .. 2005

[Chart: millions of Internet users per year]

Page 10

Everyone invited to the party and crime was here to stay

Page 11

Uptake of security technology slow

Page 12

The offender simply skirts around your defenses...

Page 13

The human element: People are the weakest link. Two examples...

Page 14

Example 1: Simulated laptop theft experiment

Page 15

62 simulated offences of which 31 succeeded

Steps               Succeeded                 Failed
Enter building      61                        1 (locked door)
Enter office        47 (1× cleaner)           14
Unlock Kensington   31 (5× bolt cutter)       16
Leave building      62 (1× emergency exit)    0

Page 16

Results

Social engineering works

30 out of 47 attempts with social engineering succeeded

1 out of 15 attempts without social engineering succeeded

Managers more likely to prevent attack than the target

Offender masquerading as ICT staff twice as likely to be successful


[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317

Page 17

Example 2: The failure of DigiNotar

Page 18

Certificate: the binding of a public key and an identity, signed by a certification authority

Page 19

What went wrong?

No anti-virus and weak passwords

Offenders hacked the system and issued rogue certificates

DigiNotar had been hacked before (2009)

No backup certificates

False certificates still accepted by browsers that have not been patched...

DigiNotar now bankrupt.

Page 20

How to deal with the human element?

Focus on the offender

Focus on the offence

[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070

Page 21

[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a

Page 22

Situational crime prevention focuses on the offence

1. A theoretical foundation.

2. A standard methodology based on action research.

3. A set of opportunity-reducing techniques.

4. A body of evaluated practice including studies of displacement.

Page 23

1. Routine Activity Approach

[Diagram: "crime" at the centre of three elements: Capable Guardian, Motivated Offender, Suitable Target]

Page 24

2. Methodology: Action Research

1. collection of data about the nature of the problem

2. analysis of the situational conditions

3. systematic study of means of blocking opportunities

4. implementation of the most promising means

5. monitoring of results and dissemination of experience.

[Chart: number of vehicles stolen per year, annotated with steps 1, 2,3, 4 and 5 and the point where the first car theft index was published]

Page 25

3. A set of opportunity-reducing techniques.

http://www.popcenter.org/25techniques/

Page 26

Page 27

4. A body of evaluated practice. Example: Phishing case study

Page 28

How can we use the 25 techniques to fight Phishing?

Increase the effort

1. Target hardening: Train users to be vigilant

2. Control access to facilities: Control inbox & account

5. Control weapons and tools: Keep your PC up to date

Reduce Rewards

11. Conceal targets: Conceal the email address

14. Disrupt markets: Control mule recruitment

Remove Excuses

22. Post instructions: “No phishing”

Page 29

1. Target Hardening

Training: Anti-phishing Phil

http://cups.cs.cmu.edu/antiphishing_phil/new/

Page 30

The message of the training

1. Ignore email asking to update personal info

2. Ignore threatening email

3. Ignore email from a bank that is not yours

4. Ignore email/URL with spelling errors

5. Ignore a URL with an IP address

6. Check a URL using Google

7. Type a URL yourself, don’t click on it

[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131

Page 31

How well does training work?

515 volunteers out of 21,351 CMU staff + students.

172 in the control group, no training

172 single training, day 0 training

171 double training, day 0 and day 14 training

3 legitimate + 7 spear-phish emails in 28 days

No real harvesting of IDs

[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

Page 32

Good but could be better

On day 0 about 50% of participants fell for the phishing email

Constant across demographics

Control group remains constant

Single training reduces clicks

Multiple training reduces clicks more

Unfortunately:

Participants were self-selected...

No indication that this reduces crime...

Page 33

5. Control weapons and tools

Is it a good idea to:

Let people surf the Internet without a license?

Allow manufacturers to sell the anti-virus of a PC as an optional extra?

Expect people to maintain their own anti-virus, firewall, OS?

Is it a good idea to:

Let people drive on the road without a license?

Allow manufacturers to sell the brakes of a car as an optional extra?

Expect people to maintain their own car?

Page 34

An idea that we would like to test

1. User pays the ISP an “Insurance” premium

2. Security vendor serves the user with updates

3. Security vendor notifies an ISP when user does not update

4. ISP ensures that non-compliant user does not endanger others

5. ISP remunerates vendor

6. Government controls ISPs and vendors

Page 35

?

Page 36

Conclusions

Crime Science approach:

Gives a human perspective on all things technical

Might have come up with new ideas

Avoids experimental flaws

An ounce of prevention is worth a pound of cure

[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/