14
How does a certificate work?
Server
1. Generates key pair and keeps private key secret
2. Sends public key to CA
7. Encrypt message with private key
CA
3. CA signs & publishes public key
User
4. Obtain certificate
5. Check CA signature
6. Check revocation list
8. Decrypt message with public key
9. User “knows” that it is talking to the server.
http://www.youtube.com/watch?v=wZsWoSxxwVY
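The nine steps above, worked through as an added Go example that is not part of the original slides: a constructed CA and server (the CA name and the host www.bob.example are placeholders), the CA's signature over the server's public key plus a CRL it also signs, and the user's checks of steps 4-6. It assumes only Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Build runs steps 1-3 with constructed names; the CRL lists the server's serial if revokeServer is set.
func Build(revokeServer bool) (ca, srv *x509.Certificate, crl *x509.RevocationList) {
	now := time.Now()
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader) // step 1: only srvPub is ever sent to the CA (step 2)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		NotBefore: now, NotAfter: now.Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, caPub, caKey) // self-signed root
	ca, _ = x509.ParseCertificate(caDER)
	srvTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.bob.example"},
		DNSNames: []string{"www.bob.example"}, NotBefore: now, NotAfter: now.Add(time.Hour)}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTpl, ca, srvPub, caKey) // step 3: CA signs srvPub
	srv, _ = x509.ParseCertificate(srvDER)
	crlTpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	if revokeServer {
		crlTpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: srv.SerialNumber, RevocationTime: now}}
	}
	crlDER, _ := x509.CreateRevocationList(rand.Reader, crlTpl, ca, caKey) // the CA also signs the CRL
	crl, _ = x509.ParseRevocationList(crlDER)
	return ca, srv, crl
}

// Verify is the user's side (steps 4-6); requiring host to match also rejects a look-alike name.
func Verify(ca, srv *x509.Certificate, crl *x509.RevocationList, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // step 5, validity and name
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // a CRL the CA did not sign is not evidence of anything
	}
	for _, r := range crl.RevokedCertificates { // step 6
		if err == nil && r.SerialNumber.Cmp(srv.SerialNumber) == 0 {
			err = errors.New("certificate revoked")
		}
	}
	return err
}
```

A rogue certificate issued by a CA that is still trusted, as in the DigiNotar case on the next slide, passes step 5; only step 6 or removing the CA from the root set catches it.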
15
What went wrong?
2001 Verisign
Offender claimed to be from Microsoft
Social engineering
2 rogue certificates
Discovered by Verisign internal audit
2011 DigiNotar
Offender(s) hacked the server
No anti-virus and weak passwords
Hundreds of rogue certificates issued
Discovered by Iranian Gmail user
16
Additional issues
DigiNotar had been hacked before (2009)
Microsoft delayed patches for NL by a week to prevent a blackout
No backup certificates
There are hundreds of companies like DigiNotar (GlobalSign?)
False certificates still accepted by browsers that have not been patched...
DigiNotar now bankrupt.
17
How to deal with the human element?
Focus on the offender
Focus on the offence
[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070
18
[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a
19
Situational crime prevention focuses on the offence
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
20
1. Theoretical foundation
Routine Activity Approach
crime is likely to occur when a potential offender meets with a suitable
target in the absence of a capable guardian.
Crime Pattern theory
crime is concentrated at particular places (hot spots), targets the same
victims repeatedly (repeat victimisation), and selects hot products.
Rational choice perspective
criminals make a bounded rational choice judging risks and benefits.
[Diagram: the three theories placed on a scale from specific event, through everyday life, to society]
21
2. Methodology: Action Research
1. collection of data about the nature of the problem
2. analysis of the situational conditions
3. systematic study of means of blocking opportunities
4. implementation of the most promising means
5. monitoring of results and dissemination of experience.
22
3. A set of opportunity-reducing techniques.
http://www.popcenter.org/25techniques/
24
Increase effort
1. Harden targets
User training; Steering column locks and immobilizers
2. Access control
Two factor authentication; Electronic card access
3. Screen exits
Audit logs; Ticket needed for exit
4. Deflect offenders
Honey pots; Segregate offenders
5. Control tools & weapons
Delete account of ex-employee; Smart guns
26
Increase risks
6. Extend guardianship
RFID tags; Neighbourhood watch
7. Assist natural surveillance
Show where laptops are; Improve street lighting
8. Reduce anonymity
Caller ID for Internet; School uniforms
9. Utilise place managers
Intrusion detection; CCTV on buses
10. Strengthen formal surveillance
Lawful interception; Burglar alarms
28
Reduce rewards
11. Conceal targets
Use pseudonyms; Gender-neutral phone directories
12. Remove targets
Turn Bluetooth off when not in use; Removable car radio
13. Identify property
Protective chip coatings; Property marking
14. Disrupt markets
Find money mules; Monitor pawn shops
15. Deny benefits
Blacklist stolen mobiles; Speed humps
30
Reduce provocation
16. Reduce frustrations and stress
Good helpdesk; Efficient queues and polite service
17. Avoid disputes
Chat site moderation; Fixed taxi fares
18. Reduce emotional arousal
???; Controls on violent pornography
19. Neutralise peer pressure
Declare hacking illegal; “Idiots drink and drive”
20. Discourage imitation
Repair websites immediately; Censor details of modus operandi
32
Remove excuses
21. Set rules
Ask users to sign security policy; Rental agreements
22. Post instructions
Warn against unauthorized use; “No parking”
23. Alert conscience
License expiry notice; Roadside speed display boards
24. Assist compliance
Free games if license is valid; Public lavatories
25. Control disinhibitors (drugs, alcohol)
User education; Alcohol-free events
34
4. A body of evaluated practice: Phishing...
Phishing is cheap and easy to automate
Gartner group estimates losses rose by 40% in 2008
Phishers are hard to catch
Victims are gullible
35
Characters
1. Bob’s bank has website www.BOB.com
2. Customer Charlie has email address [email protected]
3. Phisher Phil buys www.B0B.com + bulk email addresses
4. Money Mule Mary works for Phil as “Administrative Sales Support - Virtual Office”
5. Rob is a “business relation” of Phil
36
Scenario
1. Phil sends Charlie a more or less credible email:
From: [email protected]
Dear customer, please renew your online banking
subscription by entering your account details at
www.B0B.com/renewal/
2. Charlie believes it’s from his bank, clicks on the link provided and enters his credentials
3. Phil uses Charlie's credentials to log in to Charlie’s account and sends Charlie’s money to Mary
4. Mary transfers the money, untraceably and irreversibly, to Rob
37
How can we use the 25 techniques to fight phishing?
Increase the effort
1. Target hardening: Train users to be vigilant
2. Control access to facilities: Control inbox & account
Reduce rewards
11. Conceal targets: Conceal the email address
14. Disrupt markets: Control mule recruitment
Remove excuses
22. Post instructions: “No phishing”
38
1. Target Hardening
Training: Anti-phishing Phil
http://cups.cs.cmu.edu/antiphishing_phil/new/
39
The message of the training
1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from bank that is not yours
4. Ignore email/URL with spelling errors
5. Ignore a URL with an IP address
6. Check a URL using Google
7. Type a URL yourself, don’t click on it
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
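The training rules above applied to the link from the phishing scenario (www.B0B.com standing in for www.BOB.com), as an added Go example that is not part of the original slides: it flags a host that is an IP address (rule 5) and a host that imitates one of the user's bank domains by digit substitution or a single changed character (rule 4). The bank list and links are constructed, the registrable-domain logic is a stated simplification, and only the rules named are covered.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// lookalike reports whether domain imitates known: identical once digits that stand in for letters
// are folded (B0B.com for BOB.com), or the same length with one differing character (rule 4).
func lookalike(domain, known string) bool {
	d := strings.NewReplacer("0", "o", "1", "l", "3", "e", "5", "s").Replace(domain)
	if domain == known || len(d) != len(known) {
		return false
	}
	diff := 0
	for i := range d {
		if d[i] != known[i] {
			diff++
		}
	}
	return diff <= 1
}

// Warnings lists the training rules that a link in a message claiming to come from one of the
// user's banks violates; myBanks holds the banks' registrable domains in lower case.
func Warnings(link string, myBanks []string) []string {
	u, err := url.Parse(link)
	if err != nil || u.Host == "" {
		return []string{"malformed link: ignore it and type the bank's address yourself (rule 7)"}
	}
	host := strings.ToLower(u.Hostname())
	if net.ParseIP(host) != nil {
		return []string{"rule 5: the host is an IP address, not a name"}
	}
	// Keep the last two labels ("www.b0b.com" -> "b0b.com"); ignoring suffixes such as co.uk is a
	// simplification assumed by this example.
	labels := strings.Split(host, ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	reg := strings.Join(labels, ".")
	var w []string
	for _, b := range myBanks {
		if host != b && !strings.HasSuffix(host, "."+b) && lookalike(reg, b) {
			w = append(w, "rule 4: "+host+" imitates "+b+" but is not it")
		}
	}
	return w
}
```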
40
How well does training work?
515 volunteers out of 21,351 CMU staff and students
172 in the control group, no training
172 single training, day 0 training
171 double training, day 0 and day 14 training
3 legitimate + 7 spearphish emails in 28 days
No real harvesting of IDs
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
41
Good but could be better
On day 0 about 50% of participants fell for the spearphish
Constant across demographics
Control group remains constant
Single training reduces clicks
Multiple training reduces clicks more
People click within 8 hours of receiving the email(!)
Unfortunately:
Participants were self-selected...
No indication that this reduces crime...
42
2. Control access to facilities (1)
1. The email addresses:
Few $ per million email addresses – too late
2. The mail service:
Client puzzles – different devices
3. The target’s inbox:
Spam filter – False positives & negatives
Signed email – Phisher will use this too
Reputation based filtering – Whose reputation?
Caller-id – Major changes in the Internet
[Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-Wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages 312-319, Montréal, Canada, Oct 2008. IEEE. http://dx.doi.org/10.1109/LCN.2008.4664185
43
2. Control access to facilities (2)
4. The target’s online banking site
Two factor authentication (TAN via SMS, gadget)
[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-Middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6
44
11. Conceal targets
1. The victim’s email address
Use a disposable email address – clumsy
2. The victim’s credentials
Fill the database of the phishers with traceable data
[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/ 11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume IFIP Int. Federation for Information Processing 262, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2
45
14. Disrupt Markets
1. Money mule = target = victim
Credentials sell for pennies to the dollar
US Regulation E of Federal Reserve board
Only backend detection will protect against fraud
[Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE. http://dx.doi.org/10.1109/WIFS.2010.5711465
Who        Before    After
Target      -$100       $0
Bank           $0       $0
Mule         +$10     -$90
Offender     +$90     +$90
46
20. Post Instructions
1. The bank’s website
Post notice that active anti-phishing measures are being taken... – Do banks do this?
Phishers will be prosecuted
[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971
48
Conclusions
Crime Science approach:
Gives a human perspective on all things technical
Might have come up with new ideas
Avoids experimental flaws
An ounce of prevention is worth a pound of cure
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/