Presentation by Professor Hartel, Dialogues House, 28 March 2012
  • Cyber crime has a bright future because the engineers responsible for the technology of the Internet have largely ignored the human element. We will review the history of the Internet briefly to see why we have ended up in the present situation. We will look at a number of case studies into cyber crime, such as the DigiNotar case, but also more mundane offences like laptop theft. To conclude, we suggest how the principles of situational crime prevention that have been shown to be successful in the prevention of “traditional” crime could be applied to cyber crime.
  • Queensland, 2000, 46 times!
  • 2011
  • I will make more precise later what I mean by the human element. To understand how we got into this, let’s review the history of the Internet. Life is easy for the cyber criminal; you can commit a cyber crime yourself. Examples from our research and from others. Gloss over many important issues. Once upon a time...
  • Researchers trying to do better research with the help of the Internet
  • There were issues, but they could all be dealt with by the family using the rules of net etiquette.
  • Many innovative services thanks to the design philosophy. Still no security.
  • Self management by netiquette broke down
  • Retrofitting security technology afterwards is costly. But there is a bigger problem.
  • The offender does not follow the rules: a rational person maximizing his profits and minimizing his efforts. This is the human element!
  • Back to the human element. So Internet security will remain an oxymoron for as long as network and security engineers focus on the technology and ignore the human element.
  • Forthcoming thesis of Trajce Dimkov
  • James Heckman Nobel prize Economics 2000
  • A motivated offender meets a suitable target in the absence of capable guardians; the motivated offender acts rationally but has limited time and knowledge to make optimal decisions.
  • http://www.gartner.com/it/page.jsp?id=936913 http://community.seattletimes.nwsource.com/mobile/?type=story&id=2016301512&

Presentation Transcript

  • On the future of Cyber-crime. Pieter Hartel, University of Twente 1
  • Queensland hacker jailed for revenge sewage attacks 2
  • Russian hacker jailed for porn on video billboard 3
  • DigiNotar: Hackers suspected of spying on Iranian Gmail http://www.youtube.com/user/foxitsoc?feature=watch 4
  • Online banking fraud: 2010: € 9,8 M; 2011: € 35 M; 2012: € 125 M?
  • Engineers ignored the human element 6
  • Once a happy family dedicated to universal packet carriage 7
  • Keeping honest people honest with the netiquette 8
  • Explosive growth of the Internet from 1995 to 2005 (chart: millions of users per year) 9
  • Everyone invited to the party and crime was here to stay 10
  • Uptake of security technology slow 11
  • The offender simply skirts around your defenses.. 12
  • The human element: People are the weakest link. Two examples... 13
  • Example 1 : Simulated laptop theft experiment 14
  • 62 simulated offences of which 31 succeeded 15
    Step                Succeeded   Failed   Note
    Enter building      61          1        locked door
    Enter office        47          14       1× cleaner
    Unlock Kensington   31          16       5× bolt cutter
    Leave building      62          0        1× emergency exit
  • Results 16
    - Social engineering works
    - 30 out of 47 attempts with social engineering succeeded
    - 1 out of 15 attempts without social engineering succeeded
    - Managers more likely to prevent the attack than the target
    - Offender masquerading as ICT staff twice as likely to be successful
    [Dim12] T. Dimkov. Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente. http://dx.doi.org/10.3990/1.9789036533317
  • Example 2 : The failure of DigiNotar 17
  • Certificate: the binding of a public key and an identity, signed by a certification authority 18
  • What went wrong? 19
    - No anti-virus and weak passwords
    - Offenders hacked the system and issued rogue certificates
    - DigiNotar had been hacked before (2009)
    - No backup certificates
    - False certificates still accepted by browsers that have not been patched...
    - DigiNotar now bankrupt.
  • How to deal with the human element? 20
    - Focus on the offender
    - Focus on the offence
    [Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070
  • [Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1038/428598a 21
  • Situational crime prevention focuses on the offence 22
    1. A theoretical foundation.
    2. A standard methodology based on action research.
    3. A set of opportunity-reducing techniques.
    4. A body of evaluated practice including studies of displacement.
  • 1. Routine Activity Approach (diagram: motivated offender, suitable target, capable guardian, crime) 23
  • 2. Methodology: Action Research 24
    1. collection of data about the nature of the problem
    2. analysis of the situational conditions
    3. systematic study of means of blocking opportunities
    4. implementation of the most promising means
    5. monitoring of results and dissemination of experience.
    (chart: number of vehicles stolen over the years, annotated with steps 1-5 and the publication of the first car theft index)
  • 3. A set of opportunity-reducing techniques. http://www.popcenter.org/25techniques/ 25
  • 4. A body of evaluated practice. Example: Phishing case study 27
  • How can we use the 25 techniques to fight Phishing? 28
    Increase the effort
    1. Target hardening: train users to be vigilant
    2. Control access to facilities: control inbox & account
    3. Control weapons and tools: keep your PC up to date
    Reduce rewards
    1. Conceal targets: conceal the email address
    2. Disrupt markets: control mule recruitment
    Remove excuses
    1. Post instructions: “No phishing”
  • 1. Target Hardening. Training: Anti-phishing Phil http://cups.cs.cmu.edu/antiphishing_phil/new/ 29
  • The message of the training 30
    1. Ignore email asking to update personal info
    2. Ignore threatening email
    3. Ignore email from a bank that is not yours
    4. Ignore email/url with spelling errors
    5. Ignore a url with an ip address
    6. Check a url using Google
    7. Type a url yourself, don’t click on it
    [Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
  • How well does training work? 31
    - 515 volunteers out of 21,351 CMU staff + students
    - 172 in the control group, no training
    - 172 single training, day 0 training
    - 171 double training, day 0 and day 14 training
    - 3 legitimate + 7 spear-phishing emails in 28 days
    - No real harvesting of IDs
    [Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536
  • Good but could be better 32
    - On day 0 about 50% of participants fell for the phish
    - Constant across demographics
    - Control group remains constant
    - Single training reduces clicks
    - Multiple training reduces clicks more
    Unfortunately:
    - Participants were self selected...
    - No indication that this reduces crime...
  • 5. Control weapons and tools. Is it a good idea to:
    On the Internet                                                   On the road
    Let people surf the Internet without a license?                   Let people drive on the road without a license?
    Allow manufacturers to sell the anti-virus of a PC as an optional extra?   Allow manufacturers to sell the brakes of a car as an optional extra?
    Expect people to maintain their own anti-virus, firewall, OS?     Expect people to maintain their own car?
  • An idea that we would like to test
    1. User pays the ISP an “Insurance” premium
    2. Security vendor serves the user with updates
    3. Security vendor notifies the ISP when the user does not update
    4. ISP ensures that a non-compliant user does not endanger others
    5. ISP remunerates the vendor
    6. Government controls ISPs and vendors
  • Conclusions 36
    Crime Science approach:
    - Gives a human perspective on all things technical
    - Might have come up with new ideas
    - Avoids experimental flaws
    - An ounce of prevention is worth a pound of cure
    [Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/