The document discusses how security is often viewed too narrowly as a technical problem and that a broader socio-economic view is needed. It emphasizes considering the relationships between actors like adversaries, victims, and defenders as well as incentives, costs, and capabilities. A key hypothesis is that extrinsic factors provide a more effective basis for designing security interventions. It also notes the need for good models informed by better ground truth data in security.

2.  Security is often seen as a technical problem
 There is a broader socio-economic view
 Actors
▪ Adversaries
▪ Victims
▪ Defenders
 Incentives/Costs
 Capabilities
 Key hypothesis:  Relationships
 These extrinsic factors will provide a more
effective basis for designing security interventions 2

3.  Security is poised to become a big data field
 But defenses/policies need good models; good
models need to be informed by good data
 Very poor ground truth data in security field today
 For validating hypotheses
 e.g., monetary payments are a structural
bottleneck in all advertising-based e-crime
 For deriving hypotheses
 e.g., how important is trust establishment for
online criminals? 3

4.  Today, the largest driver for threats is $$$
Goods Click Bank
Spam FakeAV Fraud Cred Theft
Advertising Theft
Banking
Spamming Trojans
botnets h
PPI service Phishing kits
Crypters Traffic
Exploit kits
sales
SEO
kits Markets VPNs
BP hosting
Infrastructure

5.  Today, the largest driver for threats is $$$
 Scale allows commodity monetization
 Complex value chain relationships
5

6. Click Trajectory study of
spam “value chain”
• Aug 1 -- Oct 31 2010
• 7 URL/Spam feeds + 5 botnet
feeds
• 968M URLs
• 17M domains
• Crawled domains for 98%
of URLs in
• 1000s of Firefox instances
• Large IP address diversity
• Multiple purchases from all
major programs
• Identify bottlenecks in process

7. St. Kitts & Nevis
AGBank
• Low diversity DnB NORD
• 3 banks covered 95% of spam
• Fewer banks willing handle “high-risk” merchants
• High switching cost
• In-person account creation, due diligence, multi-day
process
• Upfront capital, holdback forfeiture
7

8.  Major initiative underway
 Undercover purchases
 Drive merchant takedown
 Appears highly
successful
“Right now most affiliate programs have a mass of declines, cancels and pendings, and it doesn't depend
much on the program imho, there is a general sad picture, fucking Visa is burning us with napalm (for
problematic countries, it's totally fucked, on a couple of programs you're lucky if you get 50% through).”
8

9.  Security interventions should be understood
in their larger socio-economic context
 Don’t just plug holes; figure out which holes
matter and why
 Empiricism and fieldwork are necessary parts
of the solution here
 The lab setting is great, but its not a substitute for
studying the real world
9