Embed Size (px)
Citation preview
Lecture 7 – Psychology,Scams etc continued
Security
Computer Science Tripos part 2
Ross Anderson
Relevant Seminar
• Tomorrow, Tuesday Nov 17: security seminar, 1615, LT2
• Frank Stajano (joint work with Paul Wilson of “the Real Hustle”)
• Talk title: ‘Understanding scam victims: Seven principles for systems security’
• See our blog, www.lightbluetouchpaper.org, for more details and a link to the paper
Marketing Psychology
• See, for example, Cialdini’s “Influence – Science and Practice”
• People make buying decisions with the emotions and rationalise afterwards
• Mostly we’re too busy to research each purchase – and in the ancestral evolutionary environment we had to make flight-or-fight decisions quickly
• The older parts of the brain kept us alive for millions of years before we became sentient
• We still use them more than we care to admit!
Marketing Psychology (2)
• Mental shortcuts include quality = price and quality = scarcity
• Reciprocation can be used to draw people in• Then get a commitment and follow through• Cognitive dissonance: people want to be
consistent (or at least think that they are)• Social proof: like to do what others do• People also like to defer to authority• They want to deal with people they can relate to
Prospect theory
• Kahneman & Tversky, 1970s: people value gains and losses differently
• Evolutionary logic of risk aversion, status quo bias• Can drive fear marketing, ‘savings’, and (some of the)
irrational behaviour of financial markets
Context and Framing• Framing effects include ‘Was £8.99 now £6.99’
and the estate agent who shows you a crummy house first
• Take along an ugly friend on a double date …• Typical phishing attack: user is fixated on task
completion (e.g. finding why new payee on PayPal account)
• Advance fee frauds take this to extreme lengths!• Risk salience is hugely dependent on context! E.g.
CMU experiment on privacy
Risk Misperception
• Why do we overreact to terrorism?– Risk aversion / status quo bias
– ‘Availability heuristic’ – easily-recalled data used to frame assessments
– Our behaviour evolved in small social groups, and we react against the out-group
– Mortality salience greatly amplifies this
– We are also sensitive to agency, hostile intentions
• See book chapters 2, 24
CAPTCHAs
• ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, Blum et al
• Idea: stop bots by finding things that humans do better
• Constant arms race
• Relay attacks always possible
Biometrics
• Evolution: faces • But: Uni of
Westminster study• John Daugman’s idea:
irises• Work fine in some
apps – equal error rate very low
• Unattended operation?
Manuscript Signatures
• Used for centuries! (14c – replaced seals)• Equal error rate for document examiners 6%; for
educated lay people 38%. • Possible high-tech improvements: signature
tablets also measure velocity, pen contact• University of Kent study• But: commercial products withdrawn mid-90s• Manuscript signatures still work, and are good for
the customer – thanks to the Bills of Exchange Act
Fingerprints
• UK police uses for forensics, US for identifying arrested persons
• Automatic recognition has equal error rate of 1-2%
• Widely used in 1990s in welfare / pensions• Banking: India, other LDCs• Since 9/11: US-VISIT• Forensic use: 16-point match taken as gospel until
the McKie case
The McKie Case
• Identifying people from ‘16 points’ thought infallible
• Error rate “2.5x10-10” • Sylvie McKie
prosecuted; won• Police panic• www.sylviemckie.com
Actual McKie Case Photos
• Even harder, isn’t it?• And what about the odds now we have computers?
Phone Phreaking
• Phone system under attack since 1960s!– Cap’n Crunch
– 2k resistor
• 1970s – systematic attacks on signalling– Blue boxes
– DoS on bookmakers’ comms
• 1980s/90s – attacks on switching, configuration– Poulsen, Mitnick
Phone System Security (90s)
• Deregulation, premium-rate services upped the stakes! You could get real cash out
• Mobile cloning becomes a big deal• Move to GSM shifts modus operandi to buying
phones with stolen cards, then street robbery• PBX hacking; cordless phones; clip-on• Feature interaction: Clallam Bay, ringback• Phone companies rip off users: cramming,
slamming, short termination
Phone System Lessons
• It’s so like the history of Internet crime!• Hacks invented for fun get used by crooks• Vulns are found at all sorts of levels• A weak foundation, such as the phone company
payment system, grows until it’s too big to change, then gets targeted
• Things take off once money extraction can be industrialised
• Then stakeholders dump risk and run for cover
Malware
• Trojans known in 1960s: login programs• 1974: Paul Karger, Roger Schell: compiler Trojan• 1983: Fred Cohen’s thesis• 1984: Ken Thompson ‘On Trusting Trust’• 1987: First viruses in the wild• 1988: Morris worm. NB, on terminology:
– Worm: program that replicates itself – Virus: … by copying itself in a host program– Trojan: … by tricking people into running it
Malware (2)
• Arms race ensued between virus writers and AV companies!– Check file sizes (so: hide in middle)
– Search for telltale string (so: polymorphic)
– Checksum all executables (so: hide elsewhere)
– …
• Theory is gloomy: virus detection is undecidable!• In practice, AV firms kept up until about 2007
Malware (3)• Big change 2003/4 – crooks started to specialise
and trade• Malware writers now work for profit not fun• Have R&D and testing depts• Worms and viruses have almost disappeared: now
it’s Trojans and rootkits• AV products now find only 20-30% of new
badware• Perhaps 1% of Windows machines are 0wned• Botnets were millions of machines, now less
Exploits
• Internet worm: stack overflow in fingerd• Over-long input ( > 255 bytes) got executed – seen
in 1b• Professional developers: static testing tools,
canaries, fuzzing …• So it’s getting harder to do this on Windows,
Office …• But similar tricks still work against many apps!• Bad guys use Google to find vulnerable machines
Exploits (2)• Many other ‘type-safety’ vulnerabilities:
– Format string vulnerability – e.g. %n in printf() allowing string’s author to write to the stack
– SQL insertion – careless web developer passes user input to database which interprets it as SQL
– General attack: input stuff in language A, interpret it as language B
– Defences: safe libraries for I/O, string handling etc; tools to manage APIs; ‘language lawyer’ to nitpick; …
• Next there’s the concurrency stuff – see Robert Watson’s guest lecture
Filtering
• A number of security systems filter stuff– Firewalls try to stop bad stuff getting in– Intrusion detection tries to detect attacks in progress
against machines in your network – Extrusion detection: look for people leaking classified
stuff, or even just infected machines sending spam– Surveillance tries to detect suspicious communications
between principals – Censorship, whether government or coporate
• They suffer from common design trade-offs
Filtering (2)• The higher up the stack the filters live, the more
they can parse but the more they will cost• Policy is hard! Are you doing BLP, Biba, what?• Data volumes now are enormous. Do you do the
filtering locally, or on a backbone?• Maintaining blacklists, whitelists is expensive• Understanding new applications is expensive• The ROC curve matters• The opponents may be active or passive• Collateral damage can be a big issue
