Upload
nelson-white
View
218
Download
0
Embed Size (px)
Citation preview
DIMVA 2014
The Economics and Psychology of Botnets
Ross AndersonCambridge
July 10th 2014
DIMVA 2014
Traditional systems engineering
• Build systems for scalability – choose efficient algorithms and data structures
• Once you start to distribute stuff, pay attention to consistency (file locking, fault tolerance etc)
• See security as ‘keeping the bad guys out’ by adding crypto, authentication, filtering
• React to malware by hardening platforms, writing scanners, talking about safe computing …
• But … about 2000, some of us started to realize that this is not enough!
July 10th 2014
DIMVA 2014
Economics also vital• Since 2000, we have started to apply economic
analysis to security and dependability• Systems often fail because the folks who guard them,
or who could fix them, have insufficient incentives– If electricity generation companies don’t have an incentive
to provide reserve capacity, there will be blackouts– Where banks can dump fraud risk on customers or
merchants, fraud increases– What about taking an insecure computer online?
• Insecurity and fragility are often an ‘externality’
July 10th 2014
DIMVA 2014
Information security economics
• In the last 12 years, it’s grown from zero to over 100 active researchers, working on many topics!
• Models of what’s likely to go wrong – perverse incentives, asymmetric information
• Measurements of what is going wrong – patching cycle, malware, fraud
• Recommendations – what actors can likely do what• Policy recommendations now being adopted in both
the USA and Europe (but often twisted by lobbyists)• Now growing into behavioral economics, psychology
July 10th 2014
DIMVA 2014
Security economics 101
• High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
• So time-to-market is critical• Microsoft philosophy of ‘we’ll ship it Tuesday and get
it right by version 3’ was quite rational• This is why platforms have so many bugs!• Bad guys who are motivated by economics write
malware for the dominant platforms• So buggy dominant platforms get exploited
July 10th 2014
DIMVA 2014
Who’ll catch the bad guys?• Suppose you’re the Commissioner of the
Metropolitan police• A bad guy in Moscow sends out 106 phish• London’s 1% of the Internet, so you see 104
• Do you say– (a) “right, let’s spend £500k trying to identify this
villain and extradite him”; or– (b) “the FBI will have seen 200,000 of these; let
them do the heavy lifting!”
July 10th 2014
DIMVA 2014
Tragedy of the commons
• Are we heading for a world with global systems and distributed harm, where law enforcement doesn’t give local incremental benefits?
• Who benefits from the systems we are compelled to trust, and who maintains them?
• As for emergent globalised phenomena – who can deal with them, or cares enough to try?
• What sort of institutions are eventually needed? A new feudalism? Reinvention of the state?
• Meantime, how can we minimise losses?July 10th 2014
DIMVA 2014
Security economics and policy
• Theory’s all very well, but what about data?• 2008: ‘Security Economics and the Single
Market’ report looked at cybercrime and what governments could do about it
• 2011: ‘Resilience of the Internet Interconnection Ecosystem’ examined critical infrastructure and made recommendations
• 2012 ‘Measuring the Cost of Cybercrime’ sets out to debunk myths and scaremongering
July 10th 2014
DIMVA 2014
‘Measuring the Cost of Cybercrime’
• Undertaken at request of Sir Mark Welland, then chief scientific adviser at the MoD
• Coauthors: Chris Barton, Rainer Böhme, Richard Clayton, Michel van Eeten, Michael Levi, Tyler Moore, Stefan Savage
• We set out to estimate cybercrime losses from publicly available data
• We use EU definition of cybercrime as– Traditional frauds now done by electronic means– Uniquely electronic crimes such as DDoS, hacking
July 10th 2014
DIMVA 2014
Decomposing the cost of cybercrime
• Many existing studies conflate different things. We broke up costs as– Criminal revenue (gross crime receipts)– Direct losses (losses, damage, suffering)– Defence costs– Indirect losses (costs in anticipation such as defence;
costs in consequence such as opportunity costs)• We ran a separate account of the costs of
common crime infrastructure such as botnets
July 10th 2014
DIMVA 2014
Cybercrimes we considered
• Online banking fraud• ‘Stranded traveler’ scams• Fake antivirus• Advanced fee fraud• IP-infringing pharmaceuticals• IP-infringing music, software• Bank card fraud and forgery• PABX fraud• Cyber-espionage and extortion• Tax and welfare fraudJuly 10th 2014
DIMVA 2014
Cybercrimes we considered
• Online banking fraud• ‘Stranded traveler’ scams• Fake antivirus• Advanced fee fraud Pure cybercrime• IP-infringing pharmaceuticals• IP-infringing music, software• Bank card fraud and forgery• PABX fraud Transitional crime• Cyber-espionage and extortion• Tax and welfare fraud Traditional crime
July 10th 2014
DIMVA 2014
Proceeds of pure cybercrimeType UK Global Period
• Online bank fraud– phishing $16m $320m 2007– Malware $10m $370m 2010– Bank defences $50m $1000m 2010
• Fake AV $5m $97m 2010• Infringing software $1m $22m 2010• Infringing music etc $7m $150m 2011• Infringing pharma $14m $288m 2010• Stranded traveler $1m $20m 2011• Fake escrow $10m $200m 2010• Advance fee fraud $50m $200m 2011
July 10th 2014
DIMVA 2014
Costs of transitional cybercrimeType UK Global Period
• Online card fraud $210m $4200m 2010• Offline card fraud– domestic $106m $2100m
2010– International $147m $2940m
2010– Bank / merch defences $120m $2400m 2010
• Indirect costs of payment fraud– confidence (consumer) $700m $10000m 2010– confidence (merchant) $1600m $20000m 2009
• PABX fraud $185m $4960m 2011July 10th 2014
DIMVA 2014
Cost of traditional crime becoming cyber
Type UKGlobal Period
• Welfare fraud $1900m$20000m 2011
• Tax fraud $12000m $125000m2011
• Corruption? …
July 10th 2014
DIMVA 2014
The infrastructure supporting cybercrime
• Much of the infrastructure is common to many scams (spam, botnets, …)
• Indirect losses and defence costs are also affected by many scams (loss of trust, antivirus software …)
• To save double counting we measured these separately
July 10th 2014
DIMVA 2014
Cost of cybercriminal infrastructure
Type UK GlobalPeriod
• Antivirus $170m $3400m 2011• Patching cost $50m $1000m 2010• Clean-up (ISPs) $2m $40m 2010• Clean-up (users) $500m $10000m 2011• Defence (firms) $500m $10000m 2010• Policing $15m $400m 2010[NB: most of this is extra IT industry turnover!]
July 10th 2014
DIMVA 2014
Lessons learned – costs by category
• Traditional frauds such as tax and welfare fraud cost each citizen a few hundred pounds/euros/dollars a year
• Transitional frauds such as bank and payment fraud cost each citizen a few tens pounds/euros/dollars a year
• New cyber frauds such as fake antivirus: a few tens pounds/euros/dollars a year, but almost all of these are indirect and defence costs
July 10th 2014
DIMVA 2014
Direct versus indirect costs
• Traditional crimes like tax fraud: the losses are most of it
• Genuine cybercrimes earn criminals little (tens of cents per citizen per category) but impose huge indirect defence and opportunity costs
• E.g. in 2010 the Rustock botnet earned its operators $3.5m via fake pharma, but sent a third of all spam – which cost about $1bn to deal with
July 10th 2014
DIMVA 2014
Policy lessons
• One conclusion is that we don’t spend anything like the optimal amount on policing!
• The USA does most of the heavy lifting:– $100m Federally (FBI, secret service, NCFTA)– $100m at state and local level
• Other countries largely free-ride • Some firms spend lots (Google, MS maybe
$100m each) but it’s targeted on their concerns; some vendors are net beneficiaries!
July 10th 2014
DIMVA 2014
Policy lessons (2)
• A second lesson is that infection rates vary hugely across ISPs (two orders of magnitude)
• Big ISPs are generally worse (small ISPs’ peering is at risk if they emit too much spam)
• But still there are large variations within each category of ISP
• The crucial factor is the cost of cleanup• In Europe, it’s hard to bully users as they just
switch. We need better ways to persuade …July 10th 2014
DIMVA 2014
Browser warnings
• Browsers throw up warnings we ignore, e.g. if a web page contains malware, or is a phishing site, or has an invalid certificate
• How can we get users to pay attention, for the cases where it actually matters?
• Can we use words, or do we need a face?• Big experiment at Google (Adrienne Porter-
Felt): faces in this context don’t seem to help!
July 10th 2014
DIMVA 2014
Browser warnings (2)
• With David Modic, tested response to– Appeal to authority– Social compliance– Concrete vs vague threats
• Based on much research on psychology of persuasion, and on scam compliance
• We’re also investigating who turned off their browser phishing warnings (or would have had they known how)
July 10th 2014
DIMVA 2014
Who turns off the warnings?• Of 496 mTurkers, 17 (3%) turned warnings off,
and a further 34 would have if they could• Reasons given (descending order) – False positives – Prefers to make own decisions – Don’t like the hassle – Don’t understand them
• Same rank ordering between those who did turn them off, and those who would have
July 10th 2014
DIMVA 2014
Who turns off the warnings (2)?
• Some interesting correlations turned up which explain most of the tendency to turn off warnings: – Desire for autonomy– Trust (in real-world and Facebook friends)– Confidence in IT competence– Lack of trust on authority (companies too)– Not using Windows– Gender
• These explain over 80% of the effect!
July 10th 2014
DIMVA 2014
What stops people clicking?
• The most significant effect was giving concrete warnings as opposed to vague ones
• Some way behind was appeal to authority• Factors other than our treatments: trust in the
browser vendor was strongest, then mistrust of authority
• All factors together explain 60% of the effect• A strong status quo bias emerged …
July 10th 2014
DIMVA 2014
Why this might be useful
• Almost all warnings are designed to benefit the warner, not the recipient
• The lawyers will game anything they can• Then people will learn to screen it out• Highly specific warnings are the exception, as
they are intrinsically hard to game!• Compare: Google search ads work much
better than general display ads
July 10th 2014
DIMVA 2014
Conclusions
• Malware matters! Cyber-criminal infrastructure is a serious global public-goods problem
• Rather like environmental degradation…• While some players have incentives to do some
work on the problem (some vendors, ISPs, AV firms, the FBI, academics …), all our efforts combined are less than socially optimal
• Economics & psychology can help understand why, and help us find better ways to cope
July 10th 2014