1

Introduction

Pieter Hartel

2

Queensland hacker jailed for revenge sewage attacks

3

Russian hacker jailed for porn on video billboard

4

Engineers ignored the human element

5

Once a happy family dedicated to universal packet carriage

6

Keeping honest people honest with the netiquette

7

Explosive growth of the Internet from 1995 .. 2005

[Chart: millions of Internet users per year, 1995 to 2005]

8

Everyone invited to the party and crime was here to stay

9

Uptake of security technology slow

10

The offender simply skirts around your defenses...

11

The human element: People are the weakest link

12

Example: The failure of DigiNotar

13

Certificate: the binding of a public key and an identity, signed by a certification authority.

14

How does a certificate work?

Server

1. Generates key pair and keeps private key secret

2. Sends public key to CA

7. Encrypt message with private key

CA

3. CA signs & publishes public key

User

4. Obtain certificate

5. Check CA signature

6. Check revocation list

8. Decrypt message with public key

9. User “knows” that it is talking to the server.

http://www.youtube.com/watch?v=wZsWoSxxwVY

15

What went wrong?

2001 Verisign

Offender claimed to be from Microsoft

Social engineering

2 rogue certificates

Discovered by Verisign internal audit

2011 DigiNotar

Offender(s) hacked the server

No anti-virus software and weak passwords

Hundreds of rogue certificates issued

Discovered by Iranian Gmail user

16

Additional issues

DigiNotar had been hacked before (2009)

Microsoft delayed patches for NL by a week to prevent a blackout

No backup certificates

There are hundreds of companies like DigiNotar (GlobalSign?)

False certificates are still accepted by browsers that have not been patched...

DigiNotar now bankrupt.
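An added worked illustration, not from the slides, of verification steps 4 to 6 on slide 14 and of why the rogue certificates on slides 15 and 16 were accepted by unpatched browsers. The CA signature is a deliberately small textbook RSA signature over the name/key binding, using fixed well-known primes and no padding; the CA names, the trust store, the serial numbers and the revocation list are all constructed.

```python
import hashlib

# Toy textbook RSA (fixed, well-known primes, no padding): constructed for illustration
# only. Real CAs use 2048-bit keys and padded signature schemes, not this.
def _keypair(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

# Two CAs with constructed names after slide 15: one honest, one that gets hacked.
CA_KEYS = {"HonestCA": _keypair(1000000007, 998244353),
           "DigiNotar": _keypair(1000000009, 2147483647)}

def _digest(body: str, n: int) -> int:
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(ca: str, subject: str, server_pubkey: str, serial: int) -> dict:
    """Step 3: the CA signs the binding of a name (subject) to a public key."""
    key = CA_KEYS[ca]
    h = _digest(f"{ca}|{serial}|{subject}|{server_pubkey}", key["n"])
    return {"issuer": ca, "serial": serial, "subject": subject,
            "pubkey": server_pubkey, "sig": pow(h, key["d"], key["n"])}

def verify(cert: dict, host: str, trust_store: dict, crl: set) -> str:
    """Steps 4 to 6: trusted issuer, valid CA signature, not revoked, right name."""
    key = trust_store.get(cert["issuer"])          # public part only: n and e
    if key is None:
        return "reject: issuer not trusted"
    h = _digest(f"{cert['issuer']}|{cert['serial']}|{cert['subject']}|{cert['pubkey']}", key["n"])
    if pow(cert["sig"], key["e"], key["n"]) != h:
        return "reject: bad CA signature"
    if (cert["issuer"], cert["serial"]) in crl:
        return "reject: revoked"
    if cert["subject"] != host:
        return "reject: name mismatch"
    return "accept"

def diginotar_scenario() -> dict:
    """Replays slides 15 and 16: the rogue cert passes every check until the CA is distrusted."""
    host = "mail.google.com"                        # the Gmail case on slide 15
    public = {ca: {"n": k["n"], "e": k["e"]} for ca, k in CA_KEYS.items()}
    genuine = issue("HonestCA", host, "genuine-server-key", serial=1)
    rogue = issue("DigiNotar", host, "rogue-key", serial=999)   # minted on the hacked CA
    tampered = {**genuine, "pubkey": "swapped-key"}             # edited after signing
    patched = {ca: k for ca, k in public.items() if ca != "DigiNotar"}  # browser update
    return {"genuine": verify(genuine, host, public, set()),
            "tampered": verify(tampered, host, public, set()),
            "rogue_unpatched": verify(rogue, host, public, set()),
            "rogue_on_crl": verify(rogue, host, public, {("DigiNotar", 999)}),
            "rogue_patched": verify(rogue, host, patched, set())}
```

The signature check alone cannot tell a rogue certificate from a genuine one; only distrusting the compromised issuer (the browser patch) or revoking the serial does.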

17

How to deal with the human element?

Focus on the offender

Focus on the offence

[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070

18

[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a

19

Situational crime prevention focuses on the offence

1. A theoretical foundation.

2. A standard methodology based on action research.

3. A set of opportunity-reducing techniques.

4. A body of evaluated practice including studies of displacement.

20

1. Theoretical foundation

Routine Activity Approach

crime is likely to occur when a potential offender meets with a suitable

target in the absence of a capable guardian.

Crime Pattern theory

crime is concentrated at particular places (hot spots), targets the same

victims repeatedly (repeat victimisation), and selects hot products.

Rational choice perspective

criminals make a bounded rational choice judging risks and benefits.

[Diagram: specific event, everyday life, society]

21

2. Methodology: Action Research

1. collection of data about the nature of problem

2. analysis of the situational conditions

3. systematic study of means of blocking opportunities

4. implementation of the most promising means

5. monitoring of results and dissemination of experience.

[Diagram: the action research cycle, steps 1 to 5]

22

3. A set of opportunity-reducing techniques.

http://www.popcenter.org/25techniques/

23

24

Increase effort

1. Harden targets

User training; Steering column locks and immobilizers

2. Access control

Two factor authentication; Electronic card access

3. Screen exits

Audit logs; Ticket needed for exit

4. Deflect offenders

Honey pots; Segregate offenders

5. Control tools & weapons

Delete account of ex-employee; Smart guns

25

Increase effort

26

Increase risks

6. Extend guardianship

RFID tags; Neighbourhood watch

7. Assist natural surveillance

Show where laptops are; Improve street lighting

8. Reduce anonymity

Caller ID for Internet; School uniforms

9. Utilise place managers

Intrusion detection; CCTV on buses

10. Strengthen formal surveillance

Lawful interception; Burglar alarms

27

Increase risks

28

Reduce rewards

11. Conceal targets

Use pseudonyms; Gender-neutral phone directories

12. Remove targets

Turn Bluetooth off when not in use; Removable car radio

13. Identify property

Protective chip coatings; Property marking

14. Disrupt markets

Find money mules; Monitor pawn shops

15. Deny benefits

Blacklist stolen mobiles; Speed humps

29

Reduce rewards

30

Reduce provocation

16. Reduce frustrations and stress

Good helpdesk; Efficient queues and polite service

17. Avoid disputes

Chat site moderation; Fixed taxi fares

18. Reduce emotional arousal

???; Controls on violent pornography

19. Neutralise peer pressure

Declare hacking illegal; “Idiots drink and drive”

20. Discourage imitation

Repair websites immediately; Censor details of modus operandi

31

Reduce provocation

32

Remove excuses

21. Set rules

Ask users to sign security policy; Rental agreements

22. Post instructions

Warn against unauthorized use; “No parking”

23. Alert conscience

License expiry notice; Roadside speed display boards

24. Assist compliance

Free games if license is valid; Public lavatories

25. Control disinhibitors (drugs, alcohol)

User education; Alcohol-free events

33

Remove excuses

http://www.homeoffice.gov.uk/

34

4. A body of evaluated practice: Phishing...

Phishing is cheap and easy to automate

Gartner group estimates losses rose by 40% in 2008

Phishers are hard to catch

Victims are gullible

35

Characters

1. Bob’s bank has website www.BOB.com

2. Customer Charlie has email address [email protected]

3. Phisher Phil buys www.B0B.com + bulk email addresses

4. Money Mule Mary works for Phil as “Administrative Sales Support - Virtual Office”

5. Rob is a “business relation” of Phil

36

Scenario

1. Phil sends Charlie a more or less credible email:

From: [email protected]

“Dear customer, please renew your online banking subscription by entering your account details at www.B0B.com/renewal/”

2. Charlie believes it’s from his bank, clicks on the link provided and enters his credentials

3. Phil uses Charlie's credentials to log in to Charlie’s account and sends Charlie’s money to Mary

4. Mary transfers the money, untraceably and irreversibly, to Rob

37

How can we use the 25 techniques to fight Phishing?

Increase the effort

1. Target hardening: Train users to be vigilant

2. Control access to facilities: Control inbox & account

Reduce rewards

11. Conceal targets: Conceal the email address

14. Disrupt markets: Control mule recruitment

Remove excuses

22. Post instructions: “No phishing”

38

1. Target Hardening

Training: Anti-phishing Phil

http://cups.cs.cmu.edu/antiphishing_phil/new/

39

The message of the training

1. Ignore email asking to update personal info

2. Ignore threatening email

3. Ignore email from bank that is not yours

4. Ignore email/url with spelling errors

5. Ignore a url with an ip address

6. Check a url using Google

7. Type a url yourself, don’t click on it

[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131

40

How well does training work?

515 volunteers out of 21,351 CMU staff and students

172 in the control group, no training

172 single training, day 0 training

171 double training, day 0 and day 14 training

3 legitimate + 7 spearphish emails in 28 days

No real harvest of ID

[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-word evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

41

Good but could be better

On day 0 about 50% of participants fell for it

Constant across demographic

Control group remains constant

Single training reduces clicks

Multiple training reduces clicks more

People click within 8 hours of receiving the email(!)

Unfortunately:

Participants were self-selected...

No indication that this reduces crime...

42

2. Control access to facilities (1)

1. The email addresses:

Few $ per million email addresses – too late

2. The mail service:

Client puzzles – different devices

3. The target’s inbox:

Spam filter – False positives & negatives

Signed email – Phisher will use this too

Reputation based filtering – Whose reputation?

Caller-id – Major changes in the Internet

[Wid08] H. Widiger, S. Kubisch, P. Danielis, J. Schulz, D. Timmermann, T. Bahls, and D. Duchow. IPclip: An architecture to restore trust-by-Wire in packet-switched networks. In 33rd IEEE Conf. on Local Computer Networks (LCN), pages 312-319, Montréal, Canada, Oct 2008. IEEE. http://dx.doi.org/10.1109/LCN.2008.4664185

43

2. Control access to facilities (2)

4. The target’s online banking site

Two factor authentication (TAN via SMS, gadget)

[Wei08] T. Weigold, T. Kramp, R. Hermann, F. Höring, P. Buhler, and M. Baentsch. The Zürich trusted information channel - an efficient defence against man-in-the-Middle and malicious software attacks. In P. Lipp, A.-R. Sadeghi, and K.-M. Koch, editors, 1st Int. Conf. on Trusted Computing and Trust in Information Technologies (TRUST), volume 4968 of LNCS, pages 75-91, Villach, Austria, Mar 2008. Springer. http://dx.doi.org/10.1007/978-3-540-68979-9_6

44

11. Conceal targets

1. The victim’s email address

Use disposable email addresses – clumsy

2. The victim’s credentials

Fill the database of the phishers with traceable data

[Gaj08] S. Gajek and A.-R. Sadeghi. A forensic framework for tracing phishers. In 3rd IFIP WG 9.2, 9.6/ 11.6, 11.7/FIDIS Int. Summer School on The Future of Identity in the Information Society, volume IFIP Int. Federation for Information Processing 262, pages 23-35, Karlstad, Sweden, Aug 2007. Springer, Boston. http://dx.doi.org/10.1007/978-0-387-79026-8_2

45

14. Disrupt Markets

1. Money mule = target = victim

Credentials sell for pennies on the dollar

US Regulation E of Federal Reserve board

Only backend detection will protect against fraud

[Flo10] D. Florêncio and C. Herley. Phishing and money mules. In IEEE Int. Workshop on Information Forensics and Security (WIFS), Article 31, Seattle, Washington, Dec 2010. IEEE. http://dx.doi.org/10.1109/WIFS.2010.5711465

            Before    After
Target      -$100     $0
Bank        $0        $0
Mule        +$10      -$90
Offender    +$90      +$90

46

22. Post instructions

1. The bank’s website

Post notice that active anti-phishing measures are being taken... – Do banks do this?

Phishers will be prosecuted

[Sog08] C. Soghoian. Legal risks for phishing researchers. In 3rd annual eCrime Researchers Summit (eCrime), Article 7, Atlanta, Georgia, Oct 2008. IEEE. http://dx.doi.org/10.1109/ECRIME.2008.4696971

47

?

48

Conclusions

Crime Science approach:

Gives a human perspective on all things technical

Might have come up with new ideas

Avoids experimental flaws

An ounce of prevention is worth a pound of cure

[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/