Cyber crime has a bright future because the engineers responsible for the technology of the Internet have largely ignored the human element. We will review the history of the Internet briefly to see why we have ended up in the present situation. We will look at a number of case studies of cyber crime, such as the DigiNotar case, but also more mundane offences like laptop theft. To conclude, we suggest how the principles of situational crime prevention, which have been shown to be successful in the prevention of "traditional" crime, could be applied to cyber crime.
Queensland, 2000, 46 times!
I will make more precise later what I mean by the human element.
To understand how we got into this, let's review the history of the Internet.
Life is easy for the cyber criminal: you can commit a cyber crime yourself.
Examples from our research and from other
Gloss over many important issues.
Once upon a time...
Researchers trying to do better research with the help of the Internet
Issues, but they could all be dealt with by the "family" using the rules of netiquette.
Many innovative services, thanks to the design philosophy. Still no security.
Self management by netiquette broke down
Retrofitting security technology is costly. But there is a bigger problem.
The offender does not follow the rules: a rational person maximizing his profits and minimizing his efforts. This is the human element!
Back to the human element. So Internet security will remain an oxymoron for as long as network and security engineers focus on the technology and ignore the human element.
Forthcoming thesis of Trajce Dimkov
James Heckman, Nobel prize in Economics, 2000.
A motivated offender meets a suitable target in the absence of capable guardians. The motivated offender acts rationally, but has limited time and knowledge to make optimal decisions.
The offender simply skirts around your defenses.
The human element: people are the weakest link. Two examples...
Example 1: Simulated laptop theft experiment
62 simulated offences, of which 31 succeeded.

Step                Succeeded   Failed   Note
Enter building      61          1        locked door
Enter office        47          14       1× cleaner
Unlock Kensington   31          16       5× bolt cutter
Leave building      62          0        1× emergency exit

Results
Social engineering works: 30 out of 47 attempts with social engineering succeeded; 1 out of 15 attempts without social engineering succeeded.
Managers were more likely to prevent the attack than the target.
An offender masquerading as ICT staff was twice as likely to be successful.
[Dim12] T. Dimkov. Alignment of Organizational Security Policies -- Theory and Practice. PhD thesis, University of Twente, 2012. http://dx.doi.org/10.3990/1.9789036533317
Certificate: the binding of a public key and an identity, signed by a certification authority.
What went wrong?
No anti-virus and weak passwords.
Offenders hacked the system and issued rogue certificates.
DigiNotar had been hacked before (2009).
No backup certificates.
False certificates were still accepted by browsers that had not been patched...
DigiNotar is now bankrupt.
How to deal with the human element?
Focus on the offender [Hec06].
Focus on the offence [Fel10a].
[Fel10a] M. Felson. What every mathematician should know about modelling crime. European J. of Applied Mathematics, 21(Special Double Issue 4-5):275-281, 2010. http://dx.doi.org/10.1017/S0956792510000070
[Hec06] J. J. Heckman. Skill formation and the economics of investing in disadvantaged children. Science, 312(5782):1900-1902, 2006. http://dx.doi.org/10.1126/science.1128898
Situational crime prevention focuses on the offence:
1. A theoretical foundation.
2. A standard methodology based on action research.
3. A set of opportunity-reducing techniques.
4. A body of evaluated practice, including studies of displacement.

2. Methodology: Action Research
1. Collection of data about the nature of the problem.
2. Analysis of the situational conditions.
3. Systematic study of means of blocking opportunities.
4. Implementation of the most promising means.
5. Monitoring of results and dissemination of experience.
[Figure: number of vehicles stolen per year, annotated with steps 1-5 of the methodology and the point at which the first car theft index was published]

3. A set of opportunity-reducing techniques. http://www.popcenter.org/25techniques/

4. A body of evaluated practice. Example: Phishing case study
How can we use the 25 techniques to fight phishing?
Increase the effort:
1. Target hardening: train users to be vigilant.
2. Control access to facilities: control inbox and account.
3. Control weapons and tools: keep your PC up to date.
Reduce the rewards:
1. Conceal targets: conceal the email address.
2. Disrupt markets: control mule recruitment.
Remove excuses:
1. Post instructions: "No phishing".

The message of the training
1. Ignore email asking you to update personal information.
2. Ignore threatening email.
3. Ignore email from a bank that is not yours.
4. Ignore email or URLs with spelling errors.
5. Ignore a URL with an IP address.
6. Check a URL using Google.
7. Type a URL yourself, don't click on it.
[Dow06] J. S. Downs, M. B. Holbrook, and L. F. Cranor. Decision strategies and susceptibility to phishing. In 2nd Symp. on Usable Privacy and Security (SOUPS), pages 79-90, Pittsburgh, Pennsylvania, Jul 2006. ACM. http://dx.doi.org/10.1145/1143120.1143131
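Three of the seven rules above (3: not your bank, 5: IP address in the URL, 7: the text you see is not where the link goes) are mechanical enough to check in code, which is what a mail client or gateway would do rather than leave it to a trained user. The Go program below is an added example written for this page; it is not from the slides or from [Dow06]. It assumes a hypothetical Link type (visible text plus href), approximates the "registered domain" by the last two labels of the host name, and uses constructed sample links on reserved example domains. Rules 1, 2, 4 and 6 need content or an outside lookup and are left out.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Link is an anchor as a mail client shows it: the text the user sees and the href it opens.
// This type is an assumption for the example, not part of any library.
type Link struct{ Text, Href string }

// registeredDomain approximates the owner's domain by the last two labels of the host.
// Real code would consult the public suffix list (co.uk, com.au, ...); this is a simplification.
func registeredDomain(host string) string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(host, ".")), ".")
	if len(labels) < 2 {
		return strings.ToLower(host)
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// hostInText returns a host name if the visible link text itself looks like a URL, else "".
func hostInText(text string) string {
	text = strings.TrimSpace(text)
	if !strings.Contains(text, "://") {
		text = "http://" + text
	}
	u, err := url.Parse(text)
	if err != nil || !strings.Contains(u.Hostname(), ".") {
		return ""
	}
	return u.Hostname()
}

// Check applies rules 3, 5 and 7 of the training message to one link and returns the reasons
// not to click it. myBanks lists the domains the user actually banks with; empty skips rule 3.
func Check(l Link, myBanks []string) []string {
	var reasons []string
	u, err := url.Parse(strings.TrimSpace(l.Href))
	if err != nil || u.Host == "" {
		return []string{"href is not an absolute URL"}
	}
	host := u.Hostname()
	// Rule 5: a URL with an IP address instead of a name.
	if net.ParseIP(host) != nil {
		reasons = append(reasons, "host is an IP address: "+host)
	}
	// Bank-name-before-@ trick: everything before '@' is userinfo, the real host comes after it.
	if u.User != nil {
		reasons = append(reasons, "text before '@' is not the host; the real host is "+host)
	}
	// Rule 7: the text shows one address, the href goes to another (so type the URL yourself).
	if shown := hostInText(l.Text); shown != "" && registeredDomain(shown) != registeredDomain(host) {
		reasons = append(reasons, fmt.Sprintf("link text shows %s but href goes to %s", shown, host))
	}
	// Rule 3: mail from a bank that is not yours.
	if len(myBanks) > 0 {
		mine := false
		for _, b := range myBanks {
			if registeredDomain(host) == registeredDomain(b) {
				mine = true
			}
		}
		if !mine {
			reasons = append(reasons, registeredDomain(host)+" is not one of your banks")
		}
	}
	return reasons
}

// SampleLinks are constructed for this example on reserved example names and a documentation IP.
var SampleLinks = []Link{
	{Text: "https://www.bank.example/login", Href: "http://203.0.113.5/login"},
	{Text: "Log in", Href: "https://www.bank.example@203.0.113.5/"},
	{Text: "www.bank.example", Href: "https://www.bank.example.secure-login.net/"},
	{Text: "Log in", Href: "https://www.bank.example/login"},
}

func main() {
	for _, l := range SampleLinks {
		fmt.Printf("%-45s -> %v\n", l.Href, Check(l, []string{"bank.example"}))
	}
}
```

The third sample link is the case training usually misses: the bank's name is present in the host name, spelled correctly, yet the registered domain is someone else's. Only the last link, whose registered domain is one of the user's own banks and whose text makes no competing claim, passes clean.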
How well does training work?
515 volunteers out of 21,351 CMU staff and students.
172 in the control group: no training.
172 single training: training on day 0.
171 double training: training on day 0 and day 14.
3 legitimate + 7 spear-phishing emails in 28 days.
No real harvesting of IDs.
[Kum09] P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. Blair, and T. Pham. School of phish: a real-world evaluation of anti-phishing training. In 5th Symp. on Usable Privacy and Security (SOUPS), Article 3, Mountain View, California, Jul 2009. ACM. http://dx.doi.org/10.1145/1572532.1572536

Good, but could be better
On day 0 about 50% of participants fell for the phish.
Constant across demographics.
The control group remains constant.
Single training reduces clicks.
Multiple training reduces clicks more.
Unfortunately: participants were self-selected...
No indication that this reduces crime...
5. Control weapons and tools
Is it a good idea to:
Let people surf the Internet without a license?  vs.  Let people drive on the road without a license?
Allow manufacturers to sell the anti-virus of a PC as an optional extra?  vs.  Allow manufacturers to sell the brakes of a car as an optional extra?
Expect people to maintain their own anti-virus, firewall, OS?  vs.  Expect people to maintain their own car?

An idea that we would like to test
1. User pays the ISP an "insurance" premium.
2. Security vendor serves the user with updates.
3. Security vendor notifies the ISP when the user does not update.
4. ISP ensures that a non-compliant user does not endanger others.
5. ISP remunerates the vendor.
6. Government controls ISPs and vendors.

Conclusions
Crime Science approach:
Gives a human perspective on all things technical.
Might come up with new ideas.
Avoids experimental flaws.
An ounce of prevention is worth a pound of cure.
[Har10] P. H. Hartel, M. Junger, and R. J. Wieringa. Cyber-crime science = crime science + information security. Technical Report TR-CTIT-10-34, CTIT, University of Twente, Oct 2010. http://eprints.eemcs.utwente.nl/18500/