On the future of Cyber-crime

Pieter Hartel
University of Twente

Queensland hacker jailed for revenge sewage attacks

Russian hacker jailed for porn on video billboard

DigiNotar Hackers suspected of spying on Iranian gmail
http://www.youtube.com/user/foxitsoc?feature=watch
Online banking fraud

• 2010: € 9,8 M
• 2011: € 35 M
• 2012: € 125M?

Engineers ignored the human element

Once a happy family dedicated to universal packet carriage

Keeping honest people honest with the netiquette
Explosive growth of the Internet from 1995 .. 2005

(chart: Millions of Users by Year)

Everyone invited to the party and crime was here to stay

Uptake of security technology slow

The offender simply skirts around your defenses...

The human element: People are the weakest link
Two examples...
Example 1: Simulated laptop theft experiment

62 simulated offences of which 31 succeeded

Steps               Succeeded                 Failed
Enter building      61                        1 (locked door)
Enter office        47 (1×cleaner)            14
Unlock Kensington   31 (5×bolt cutter)        16
Leave building      62 (1×emergency exit)     0

Results

• Social engineering works
  • 30 out of 47 attempts with social engineering succeeded
  • 1 out of 15 attempts without social engineering succeeded
• Managers more likely to prevent attack than the target
• Offender masquerading as ICT staff twice as likely to be successful

[Dim12] T. Dimkov, Alignment of Organizational Security Policies -- Theory and Practice.
PhD thesis, University of Twente, http://dx.doi.org/10.3990/1.9789036533317
Example 2: The failure of DigiNotar

Certificate

The binding of a public key and an identity, signed by a certification authority

What went wrong?

• No anti-virus and weak passwords
• Offenders hacked the system and issued rogue certificates
• DigiNotar had been hacked before (2009)
• No backup certificates
• False certificates still accepted by browsers that have not been patched...
• DigiNotar now bankrupt.
How to deal with the human element?

• Focus on the offender
• Focus on the offence

[Fel10a] M. Felson. What every mathematician should know about modelling crime.
European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010.
http://dx.doi.org/10.1017/S0956792510000070

[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged
children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a

Situational crime prevention focuses on the offence

1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice including studies of displacement.
1. Routine Activity Approach

(diagram: the crime triangle, with Motivated Offender, Capable Guardian and Suitable Target around "crime")

2. Methodology: Action Research

1. collection of data about the nature of the problem
2. analysis of the situational conditions
3. systematic study of means of blocking opportunities
4. implementation of the most promising means
5. monitoring of results and dissemination of experience.

(chart: # of Vehicles Stolen against Years, annotated with steps 1 to 5 and the point where the first car theft index was published)

3. A set of opportunity-reducing techniques.

• http://www.popcenter.org/25techniques/
4. A body of evaluated practice
Example: Phishing case study

How can we use the 25 techniques to fight Phishing?

• Increase the effort
  1. Target Hardening: Train users to be vigilant
  2. Control access to facilities: Control inbox & account
  3. Control weapons and tools: Keep your PC up to date
• Reduce Rewards
  1. Conceal targets: Conceal the email address
  2. Disrupt markets: Control Mule recruitment
• Remove Excuses
  1. Post Instructions: “No phishing”
1. Target Hardening

• Training: Anti-phishing Phil
• http://cups.cs.cmu.edu/antiphishing_phil/new/

The message of the training

1. Ignore email asking to update personal info
2. Ignore threatening email
3. Ignore email from a bank that is not yours
4. Ignore email/URL with spelling errors
5. Ignore a URL with an IP address
6. Check a URL using Google
7. Type a URL yourself, don’t click on it

[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and
susceptibility to phishing. In 2nd Symp. on Usable privacy and security (SOUPS),
pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM.
http://dx.doi.org/10.1145/1143120.1143131
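Rules 1 to 5 of the training message above are mechanical enough to check automatically, which is how a mail filter or a mail-client warning can back the training up instead of leaving everything to the user. The Go program below is an added example, not part of the slides or of the Anti-phishing Phil material: it scores constructed sample messages against those five rules and returns one flag per rule that fires. The domains (mybank.example, mybanc.example, otherbank.example), the address 192.0.2.10, the keyword lists and the two-edit look-alike threshold are assumptions made for the example; rules 6 and 7 describe what the user should do and cannot be judged from the mail itself.

```go
package main

import (
	"fmt"
	"net"
	"net/mail"
	"net/url"
	"strings"
)

// Message is a simplified e-mail: sender, body text and the URLs it links to.
type Message struct {
	From  string
	Body  string
	Links []string
}

// Profile is what the recipient knows: the bank domains they actually use and
// the bank domains that exist at all (for look-alike detection).
type Profile struct {
	MyBanks  map[string]bool
	AllBanks map[string]bool
}

// domainOf lowercases an address or host, keeps the part after "@" and drops a
// leading "www." so that www.mybank.example matches mybank.example.
func domainOf(s string) string {
	if i := strings.LastIndex(s, "@"); i >= 0 {
		s = s[i+1:]
	}
	return strings.TrimPrefix(strings.ToLower(s), "www.")
}

// editDistance is the Levenshtein distance between a and b.
func editDistance(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			best := prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				best++
			}
			if prev[j]+1 < best { // deletion
				best = prev[j] + 1
			}
			if cur[j-1]+1 < best { // insertion
				best = cur[j-1] + 1
			}
			cur[j] = best
		}
		prev = cur
	}
	return prev[len(b)]
}

// lookAlike reports a known domain that host imitates: not identical, but
// within two character edits (mybanc.example versus mybank.example).
func lookAlike(host string, known map[string]bool) (string, bool) {
	for k := range known {
		if host != k && editDistance(host, k) <= 2 {
			return k, true
		}
	}
	return "", false
}

// Assess applies rules 1 to 5 of the training message and returns one flag
// per rule that fires; an empty result means none of the rules matched.
func Assess(m Message, p Profile) []string {
	var flags []string
	body := strings.ToLower(m.Body)
	if strings.Contains(body, "update your") && (strings.Contains(body, "personal") || strings.Contains(body, "account")) {
		flags = append(flags, "rule 1: asks to update personal/account information")
	}
	for _, kw := range []string{"suspended", "will be closed", "within 24 hours", "legal action"} {
		if strings.Contains(body, kw) {
			flags = append(flags, "rule 2: threatening e-mail ("+kw+")")
			break
		}
	}
	sender := ""
	if addr, err := mail.ParseAddress(m.From); err == nil {
		sender = domainOf(addr.Address)
	}
	if p.AllBanks[sender] && !p.MyBanks[sender] {
		flags = append(flags, "rule 3: from a bank that is not yours ("+sender+")")
	}
	hosts := []string{sender}
	for _, raw := range m.Links {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		hosts = append(hosts, domainOf(u.Hostname()))
		if net.ParseIP(u.Hostname()) != nil {
			flags = append(flags, "rule 5: link uses an IP address ("+u.Hostname()+")")
		}
	}
	for _, h := range hosts {
		if k, ok := lookAlike(h, p.AllBanks); ok {
			flags = append(flags, "rule 4: "+h+" looks like a misspelling of "+k)
			break
		}
	}
	return flags
}

// Constructed sample profile and messages; the domains and the IP address are
// reserved example values, not real organisations.
var (
	profile = Profile{
		MyBanks:  map[string]bool{"mybank.example": true},
		AllBanks: map[string]bool{"mybank.example": true, "otherbank.example": true},
	}
	legit = Message{
		From:  "Customer Service <service@mybank.example>",
		Body:  "Your monthly statement is ready. Log in as usual to view it.",
		Links: []string{"https://www.mybank.example/statements"},
	}
	phish = Message{
		From:  "Security Team <alerts@mybanc.example>",
		Body:  "Your account will be suspended within 24 hours unless you update your personal information.",
		Links: []string{"http://192.0.2.10/login"},
	}
	wrongBank = Message{
		From:  "notice@otherbank.example",
		Body:  "A new message is waiting for you in your secure inbox.",
		Links: []string{"https://otherbank.example/inbox"},
	}
)

func main() {
	for _, m := range []Message{legit, phish, wrongBank} {
		fmt.Printf("%-45s %v\n", m.From, Assess(m, profile))
	}
}
```

Run as is, the legitimate statement mail produces no flags, the look-alike mail trips rules 1, 2, 4 and 5 at once, and the mail from a bank the user does not use trips only rule 3. The look-alike check is the part worth tuning in practice: a two-edit threshold catches mybanc.example but will also flag unrelated short domains, so a real filter would restrict it to the registrable domain and to a curated list of brands the organisation actually deals with.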
How well does training work?

• 515 volunteers out of 21,351 CMU staff+students.
  • 172 in the control group, no training
  • 172 single training, day 0 training
  • 171 double training, day 0 and day 14 training
• 3 legitimate + 7 spearphish emails in 28 days
• No real harvest of ID

[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T.
Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on
Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009.
ACM. http://dx.doi.org/10.1145/1572532.1572536

Good but could be better

• On day 0 about 50% of participants fell for it
  • Constant across demographics
  • Control group remains constant
  • Single training reduces clicks
  • Multiple training reduces clicks more
• Unfortunately:
  • Participants were self selected...
  • No indication that this reduces crime...
5. Control weapons and tools

Is it a good idea to:                                   Is it a good idea to:
• Let people surf the Internet without a license?       • Let people drive on the road without a license?
• Allow manufacturers to sell the anti-virus of a PC    • Allow manufacturers to sell the brakes of a car
  as an optional extra?                                   as an optional extra?
• Expect people to maintain their own anti-virus,       • Expect people to maintain their own car?
  firewall, OS?

An idea that we would like to test

1. User pays the ISP an “Insurance” premium
2. Security vendor serves the user with updates
3. Security vendor notifies an ISP when user does not update
4. ISP ensures that non-compliant user does not endanger others
5. ISP remunerates vendor
6. Government controls ISPs and vendors
Conclusions

• Crime Science approach:
  • Gives a human perspective on all things technical
  • Might have come up with new ideas
  • Avoids experimental flaws
• An ounce of prevention is worth a pound of cure

[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science
+ information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct
2010. http://eprints.eemcs.utwente.nl/18500/

Presentation by professor Hartel, Dialogues House, 28 March 2012


Editor's notes

  1. Cyber crime has a bright future because the engineers responsible for the technology of the Internet have largely ignored the human element. We will review the history of the Internet briefly to see why we have ended up in the present situation. We will look at a number of case studies into cyber crime, such as the DigiNotar case, but also more mundane offences like laptop theft. To conclude we suggest how the principles of situational crime prevention that have been shown to be successful in the prevention of “traditional” crime could be applied to cyber crime.
  2. Queensland, 2000, 46 times!
  3. 2011
  4. I will make more precise later what I mean by the human element. To understand how we got into this, let’s review the history of the Internet. Life is easy for the cyber criminal. You can commit a cyber crime yourself. Examples from our research and from others. Gloss over many important issues. Once upon a time...
  5. Researchers trying to do better research with the help of the Internet
  6. Issues but they could all be dealt with by the family using the rules of the net etiquette
  7. Many innovative services thanks to the design philosophy. Still no security.
  8. Self management by netiquette broke down
  9. Backstitching security technology is costly. But there is a bigger problem.
  10. Offender does not follow the rules. Rational person maximizing his profits and minimizing his efforts. This is the human element!
  11. Back to the human element. So Internet security will remain an oxymoron for as long as network and security engineers focus on the technology, and ignore the human element.
  12. Forthcoming thesis of Trajce Dimkov
  13. James Heckman, Nobel prize in Economics 2000
  14. A motivated offender meets a suitable target in the absence of capable guardians. The motivated offender acts rationally but has limited time and knowledge to make optimal decisions.
  15. http://www.gartner.com/it/page.jsp?id=936913 http://community.seattletimes.nwsource.com/mobile/?type=story&id=2016301512&