Web App Security – The Good, the Bad and the Ugly
Ross Anderson, Cambridge University
Krakow, May 13th 2009
Is Web 2.0 Reinventing the Whole World?
- html, javascript → FBML
- SQL → FBQL
- SMTP → FB Mail
- Usenet → FB Groups
- Open ID → FB Connect
- Blogger → FB Notes
- Twitter → FB Status Updates
- craigslist → FB Marketplace

So what's changed?
- A cynic might say that IT just goes in cycles!
- Back in the 60s and 70s, we had mainframe bureau services
- Then we had minis, then PCs
- The pendulum seems to be swinging back – server farms do what mainframes used to
- And we get a wide range of terminals – phones, netbooks, PCs, …
- How should we make sense of all this?

Economics and Security
- About 2000, we realised that engineering analysis alone didn't explain all that goes wrong
- Economic analysis often explains failure better!
- Electronic banking: UK banks were less liable for fraud, so became careless and ended up suffering more internal fraud and errors
- Distributed denial of service: viruses now don't attack the infected machine so much as use it to attack others
- Why is Microsoft software so insecure, despite market dominance?

New View of Infosec
- Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives
- Medical record systems bought by research or finance directors, not patients – so failed to protect privacy
- Casino websites suffer when infected PCs run DDoS attacks on them
- Insecurity is often what economists call an 'externality' – a side-effect, like environmental pollution

IT Economics (1)
- The first distinguishing characteristic of many IT product and service markets is network effects
- Metcalfe's law – the value of a network is the square of the number of users
- Real networks – phones, fax, email
- Virtual networks – PC architecture versus MAC, or Symbian versus WinCE
- Network effects tend to lead to dominant-firm markets where the winner takes all

IT Economics (2)
- Second common feature of IT product and service markets is high fixed costs and low marginal costs
- Competition can drive down prices to marginal cost of production
- This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
- These effects can also lead to dominant-firm market structures

IT Economics (3)
- Third common feature of IT markets is that switching from one product or service to another is expensive
- E.g. switching from Windows to Linux means retraining staff, rewriting apps
- Shapiro-Varian theorem: the net present value of a software company is the total switching costs
- So major effort goes into managing switching costs – once you have $3000 worth of songs on a $300 iPod, you're locked into iPods

IT Economics and Security
- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of 'we'll ship it Tuesday and get it right by version 3' was quite rational
- Whichever company had won in the PC OS business would have done the same
- "Growth is primary, revenue is secondary" – Mark Zuckerberg

IT Economics and Security (2)
- When building a network monopoly, you must appeal to vendors of complementary products
- That's application software developers in the case of PC versus Apple, then of Symbian versus Windows/Palm, now Facebook
- Lack of security in early Windows / Symbian / Facebook made life easier for them
- So did the choice of security technologies that dump costs on the user (SSL, not SET)
- Once you've a monopoly, lock it all down!

Security Economics and Web Applications
- The big security economics problem is aligning incentives
- The big system engineering problem is managing complexity. You want architecture, i.e. interfaces, to divide up systems sensibly
- Consider a travel agent, buying services from airlines, hotels etc. It pretty much all lines up
- Open interfaces, defined by contract
- Competition drives costs down, usability up

Security Economics and Web Applications (2)
- However, some web apps are platforms, so operate under the same forces as Windows or Symbian or S/360
- E.g. Facebook – huge network effects
- Incentives on its developers: grab the market now, fix privacy later; appeal to complementers (app writers)
- But does social context change anything?
How Fraud Adapts to SNS
- The old scams are still there – 419, spam, phishing, XSS, malware, click fraud, …
- Social context makes phishing more effective (72% in controlled study – Jagatic), not to mention targeted attacks / scams
- Facebook now 7th biggest phishing target (after PayPal, top banks, eBay)
- Frequent genuine emails with login links
- Some incentive on operator to fight it (spam caused decline of MySpace, Friendster)

Privacy
- Most people say they value privacy, but act otherwise. Most privacy ventures failed. Why?
- Odlyzko – technology makes price discrimination both easier and more attractive
- Acquisti – people care about privacy when buying clothes, but not cameras
- Loewenstein – privacy is heavily context sensitive. People only really worry if salient
- Facebook viruses 'worse' than PC viruses (as more personal) or not (as less salient)?

Privacy and SNS
- Conflict of interest: Facebook wants to sell user data; users want feeling of intimacy, small group, social control
- Very complex access controls – over 60 settings on 7 pages
- Over 90% of users never change defaults
- The complexity lets Facebook blame the customer when things go wrong

Privacy and SNS (2)

Privacy and SNS (3)
- See our paper 'Eight friends are enough'
- Given the eight published friends, an outsider can run all the usual network analysis
- Including covert community detection as used by the spooks

Security Economics and Web Applications (3)
- As you'd expect from the incentives, Facebook provides the appearance of security, not reality – 'security theatre'
- And it deals with the occasional outrage using 'democracy theatre' (see our blog, www.lightbluetouchpaper.org, for more)
- Is this sustainable? Long-term problem: European regulators

Security Economics and Web Applications (4)
- Sometimes the monopoly doesn't come from platform dynamics but exogenously
- Example: UK attempt to centralize all medical records, children's records
- Records at GPs, hospitals being moved to 'hosted' systems
- Sales pitch: benefits of research
- Driver: bureaucratic centralization
- Gotcha: I v Finland

Security Economics and Web Applications (5)
- Thankfully the UK TG programme is failing; see our report "Database State" for more
- But might Google or Microsoft make a health-record web service work?
- There are similar incentives on private and public sectors to collect data in order to price discriminate between clients / citizens
- Are there any technical limits (systems complexity, microeconomics) or must we rely on our legislators and courts?

The Gladman Principle
"You can have security, or functionality, or scale. With good engineering you can have any two of these. But there's no way you can get all three."
– Brian Gladman (formerly of UK Defence Science Advisory Board)

Compartmentation
- It's OK to have 20 doctors and nurses having access to 10,000 patients' records in a medical practice
- With some care, it's just about OK to have 2000 doctors and nurses having access to 1,000,000 patients' records in a hospital
- It's not OK to have 580,000 health service staff having access to 50,000,000 citizens' records on a national database
- … as our Prime Minister has learned …

Attack Trends
- One aspect of security economics is building models that explain how things go wrong
- Another is the econometrics – measuring what actually does go wrong
- We have a research project on collecting statistics on spam, phishing, malware (see my Google tech talk, for example)
- Recent trends in malware are getting worrying! If an attack can be industrialized, it will be …

Case study – the Dalai Lama
- Simple attacks reported on the Office of His Holiness the Dalai Lama (OHHDL) since 2007
- From directed spam to simple targeted attacks
- Compromise became obvious in July 2008 – foreign diplomats about to meet the Dalai Lama were warned off
- We got asked to investigate

Modus Operandi
- A sends email to B on topic X, archived publicly
- C sends email to A pretending to be B, on topic X, with toxic attachment
- C pretending to be A takes over mail server
- Internal mail attachments thereafter toxic
- PCs then accessed remotely …
- We call this 'Social Malware'
- The typical company has no defence at all!

A low grade sample

Malware Equilibrium?
- Big change in 2004: black market led to specialisation
- Malware now professionally written; most exploits are for money, not bragging rights
- Most companies just don't know how to block social malware (even Deloittes was among the victims of the Chinese)
- What will the world be like if 1%, or 5%, of machines are 0wned, and exploited?

Open versus Closed?
- Are open systems more dependable?
- It's easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- This debate goes back to the 17th century!
- Theorem (2002): openness helps both equally if bugs are random and standard dependability model assumptions apply
- So whether open is better than closed will depend on whether / how your system differs from the ideal

The Good, the Bad and the Ugly
- Travel agent: not a big deal if the bad guys occasionally go on holiday (the bank pays)
- Facebook: there will be all sorts of platform exploits, and social exploits, with which they'll have to cope. As for compromised user machines, my daughter's view …
- Government databases: you can't make everyone's medical records available to 500,000 doctors and nurses and still have privacy
- The insider (malware) threat sets limits here!

An Opportunity
- If 1% of end-user machines will always be infected with malware, what can we do?
- Web services can offer a haven
- But they need to assume some corrupt insiders
- Experience from defence – compartmentation
- And from accounting – dual control, audit, backup, …
- How do you build these ideas into other apps?
- What other limits on security, functionality and scale are there – and what's the social angle?

The Research Agenda
- The online world and the physical world are merging – many years of turbulence ahead!
- If Web 2.0 is going to reinvent the world, expect it to reinvent the problems too
- The security world is changing, though
- The old paradigm was what might go wrong …
- Security economics gives us tools to think about what people might want to go wrong, and metrics to measure what's actually going wrong

More …
- See www.ross-anderson.com for survey articles, our ENISA and Tibet reports, and my security economics resource page
- WEIS – Workshop on Economics and Information Security – UCL, June 24–5
- Workshop on Security and Human Behaviour – in Cambridge in 2010
- 'Security Engineering – A Guide to Building Dependable Distributed Systems'
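The social-malware pattern on the Modus Operandi slide (C writes to A under B's name, on a thread already seen, with a toxic attachment) is one a mail gateway can at least flag by checking the sender's display name against the addresses that correspondent has actually used before. This is an added example, not code from the talk or its authors; the contact list, addresses and both messages are constructed for illustration.

```python
"""Flag mail that borrows a known correspondent's display name but comes
from an address that correspondent has never used, especially when it
carries an attachment.  Added example; all names, addresses and messages
below are constructed, not real data."""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: lower-cased display name -> addresses we have
# genuinely exchanged mail with (the "B" in the slide's pattern).
KNOWN_CONTACTS = {
    "tenzin dorje": {"tenzin@example.org"},
}


def risk_flags(raw, known=KNOWN_CONTACTS):
    """Return the warning flags raised for one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.strip().lower()
    flags = []
    # Known name, unknown address: "C pretending to be B".
    if name in known and addr not in known[name]:
        flags.append("sender-name-spoof")
    # A Reply-To elsewhere keeps the thread with the impostor on reply.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr:
        flags.append("reply-to-mismatch")
    # The attachment is the delivery vehicle; only escalate when the
    # sender already looked wrong, to keep false positives down.
    has_attachment = any(p.get_content_disposition() == "attachment"
                         for p in msg.walk())
    if has_attachment and flags:
        flags.append("attachment-on-suspicious-sender")
    return flags


# Constructed impostor message on a previously public subject.
SPOOFED = """From: Tenzin Dorje <tenzin.dorje@mail-example.net>
Subject: Re: Schedule for the delegation visit
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the updated schedule attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="schedule.doc"

ZmFrZQ==
--b1--
"""
```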