Lecture 7 – Psychology, Scams etc continued Security Computer Science Tripos part 2 Ross Anderson.

Lecture 7 – Psychology,
Scams etc continued
Security
Computer Science Tripos part 2
Ross Anderson
Relevant Seminar
• Tomorrow, Tuesday Nov 17: security
seminar, 1615, LT2
• Frank Stajano (joint work with Paul Wilson
of “the Real Hustle”)
• Talk title: ‘Understanding scam victims:
Seven principles for systems security’
• See our blog, www.lightbluetouchpaper.org,
for more details and a link to the paper
Marketing Psychology
• See, for example, Cialdini’s “Influence – Science
and Practice”
• People make buying decisions with the emotions
and rationalise afterwards
• Mostly we’re too busy to research each purchase –
and in the ancestral evolutionary environment we
had to make flight-or-fight decisions quickly
• The older parts of the brain kept us alive for
millions of years before we became sentient
• We still use them more than we care to admit!
Marketing Psychology (2)
• Mental shortcuts include quality = price and
quality = scarcity
• Reciprocation can be used to draw people in
• Then get a commitment and follow through
• Cognitive dissonance: people want to be
consistent (or at least think that they are)
• Social proof: like to do what others do
• People also like to defer to authority
• They want to deal with people they can relate to
Prospect theory
• Kahneman & Tversky, 1970s: people value gains and
losses differently
• Evolutionary logic of risk aversion, status quo bias
• Can drive fear marketing, ‘savings’, and (some of the)
irrational behaviour of financial markets
Context and Framing
• Framing effects include ‘Was £8.99 now £6.99’
and the estate agent who shows you a crummy
house first
• Take along an ugly friend on a double date …
• Typical phishing attack: user is fixated on task
completion (e.g. finding why new payee on
PayPal account)
• Advance fee frauds take this to extreme lengths!
• Risk salience is hugely dependent on context! E.g.
CMU experiment on privacy
Risk Misperception
• Why do we overreact to terrorism?
– Risk aversion / status quo bias
– ‘Availability heuristic’ – easily-recalled data used to
frame assessments
– Our behaviour evolved in small social groups, and we
react against the out-group
– Mortality salience greatly amplifies this
– We are also sensitive to agency, hostile intentions
• See book chapters 2, 24
CAPTCHAs
• ‘Completely Automated Public Turing test to tell
Computers and Humans Apart’, Blum et al
• Idea: stop bots by finding things that humans do better
• Constant arms race
• Relay attacks always possible
Biometrics
• Evolution: faces
• But: Uni of
Westminster study
• John Daugman’s idea:
irises
• Work fine in some
apps – equal error rate
very low
• Unattended operation?
Manuscript Signatures
• Used for centuries! (14c – replaced seals)
• Equal error rate for document examiners 6%; for
educated lay people 38%.
• Possible high-tech improvements: signature tablets
also measure velocity, pen contact
• University of Kent study
• But: commercial products withdrawn mid-90s
• Manuscript signatures still work, and are good for
the customer – thanks to the Bills of Exchange Act
Fingerprints
• UK police use for forensics, US for identifying
arrested persons
• Automatic recognition has equal error rate of 12%
• Widely used in 1990s in welfare / pensions
• Banking: India, other LDCs
• Since 9/11: US-VISIT
• Forensic use: 16-point match taken as gospel until
the McKie case
The McKie Case
• Identifying people
from ‘16 points’
thought infallible
• Error rate “2.5 × 10^-10”
• Sylvie McKie
prosecuted; won
• Police panic
• www.sylviemckie.com
Actual McKie Case Photos
• Even harder, isn’t it?
• And what about the odds now we have computers?
Phone Phreaking
• Phone system under attack since 1960s!
– Cap’n Crunch
– 2k resistor
• 1970s – systematic attacks on signalling
– Blue boxes
– DoS on bookmakers’ comms
• 1980s/90s – attacks on switching, configuration
– Poulsen, Mitnick
Phone System Security (90s)
• Deregulation, premium-rate services upped the
stakes! You could get real cash out
• Mobile cloning becomes a big deal
• Move to GSM shifts modus operandi to buying
phones with stolen cards, then street robbery
• PBX hacking; cordless phones; clip-on
• Feature interaction: Clallam Bay, ringback
• Phone companies rip off users: cramming,
slamming, short termination
Phone System Lessons
• It’s so like the history of Internet crime!
• Hacks invented for fun get used by crooks
• Vulns are found at all sorts of levels
• A weak foundation, such as the phone company
payment system, grows until it’s too big to change,
then gets targeted
• Things take off once money extraction can be
industrialised
• Then stakeholders dump risk and run for cover
Malware
• Trojans known in 1960s: login programs
• 1974: Paul Karger, Roger Schell: compiler Trojan
• 1983: Fred Cohen’s thesis
• 1984: Ken Thompson ‘On Trusting Trust’
• 1987: First viruses in the wild
• 1988: Morris worm. NB, on terminology:
– Worm: program that replicates itself
– Virus: … by copying itself in a host program
– Trojan: … by tricking people into running it
Malware (2)
• Arms race ensued between virus writers and AV
companies!
– Check file sizes (so: hide in middle)
– Search for telltale string (so: polymorphic)
– Checksum all executables (so: hide elsewhere)
– …
• Theory is gloomy: virus detection is undecidable!
• In practice, AV firms kept up until about 2007
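An added example, not part of the lecture slides, of the three detection checks on the previous slide and the evasion each one provoked. The three 32-byte “executable images”, the telltale byte sequence and the Fletcher-16 checksum are all constructed for this example; no real malware or AV product is involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check 1: has the file grown since it was last seen? Cheap, but defeated
 * by code that overwrites bytes in the middle of the image rather than
 * appending to it, which is the 'hide in middle' response on the slide. */
int size_changed(size_t recorded_size, size_t current_size)
{
    return recorded_size != current_size;
}

/* Check 2: does the image contain a known telltale byte string? Defeated by
 * polymorphic code that rewrites itself so no fixed string survives. */
int contains_signature(const uint8_t *buf, size_t n,
                       const uint8_t *sig, size_t siglen)
{
    if (siglen == 0 || siglen > n)
        return 0;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0)
            return 1;
    return 0;
}

/* Check 3: Fletcher-16 checksum over the whole image, to be compared with a
 * value recorded when the file was known to be clean. Any change to the
 * covered bytes shows up, so the attacker's answer is to hide somewhere the
 * checksum does not cover, or to tamper with the stored record. */
uint16_t fletcher16(const uint8_t *buf, size_t n)
{
    uint16_t s1 = 0, s2 = 0;
    for (size_t i = 0; i < n; i++) {
        s1 = (uint16_t)((s1 + buf[i]) % 255);
        s2 = (uint16_t)((s2 + s1) % 255);
    }
    return (uint16_t)((s2 << 8) | s1);
}

/* Constructed 32-byte 'executable images' (not real code): a clean one, one
 * with four bytes overwritten in place by a known telltale sequence, and a
 * 'polymorphic' variant where the same four bytes have been rearranged. */
const uint8_t telltale[4] = { 0xde, 0xad, 0xbe, 0xef };

const uint8_t clean_image[32] = {
    0x7f, 0x45, 0x4c, 0x46, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0,    0,    0,    0,    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

const uint8_t infected_image[32] = {
    0x7f, 0x45, 0x4c, 0x46, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

const uint8_t polymorphic_image[32] = {
    0x7f, 0x45, 0x4c, 0x46, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0xef, 0xbe, 0xad, 0xde, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Run all three checks against one image and print which of them fire. */
static void report(const char *name, const uint8_t *img, size_t n,
                   uint16_t known_good)
{
    printf("%-12s size-changed=%d signature=%d checksum-mismatch=%d\n", name,
           size_changed(sizeof clean_image, n),
           contains_signature(img, n, telltale, sizeof telltale),
           fletcher16(img, n) != known_good);
}

int main(void)
{
    uint16_t known_good = fletcher16(clean_image, sizeof clean_image);
    report("clean", clean_image, sizeof clean_image, known_good);
    report("infected", infected_image, sizeof infected_image, known_good);
    report("polymorphic", polymorphic_image, sizeof polymorphic_image, known_good);
    return 0;
}
```

The size check fires on none of the three images, because the modification overwrote bytes in place; the signature check catches the infected image but not the rearranged polymorphic one; only the checksum catches both, which is why the next evasion on the slide is to hide where the checksum is not looking.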
Malware (3)
• Big change 2003/4 – crooks started to specialise
and trade
• Malware writers now work for profit not fun
• Have R&D and testing depts
• Worms and viruses have almost disappeared: now
it’s Trojans and rootkits
• AV products now find only 20-30% of new
badware
• Perhaps 1% of Windows machines are 0wned
• Botnets were millions of machines, now less
Exploits
• Internet worm: stack overflow in fingerd
• Over-long input (> 255 bytes) got executed – seen
in 1b
• Professional developers: static testing tools,
canaries, fuzzing …
• So it’s getting harder to do this on Windows,
Office …
• But similar tricks still work against many apps!
• Bad guys use Google to find vulnerable machines
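An added example, not from the lecture, of the input-handling defect behind the fingerd overflow and its checked replacement. The 255-byte limit, the buffer sizes and the inputs are constructed for the example and are not taken from the original daemon; the unchecked copy is kept only to show the contrast and is only ever called on a short constant.

```c
#include <stdio.h>
#include <string.h>

/* Constructed limit: the longest request the daemon is prepared to accept. */
#define REQUEST_MAX 255

/* Unsafe pattern, kept only for contrast: copies until the NUL terminator
 * with no regard for the size of dst, so input longer than dst overruns
 * the stack frame. Never call this on data you did not construct yourself. */
static void copy_request_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: the length is established before anything is copied, and
 * over-long input is rejected outright rather than silently truncated
 * (truncation can itself change the meaning of a request).
 * Returns 0 on success, -1 if the input would not fit in dst or exceeds
 * REQUEST_MAX. dst is NUL-terminated on success. */
int copy_request_checked(char *dst, size_t dstlen, const char *src)
{
    size_t n = 0;
    if (dstlen == 0)
        return -1;
    /* Scan no further than the destination could possibly hold. */
    while (n < dstlen && src[n] != '\0')
        n++;
    if (n >= dstlen || n > REQUEST_MAX)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[REQUEST_MAX + 1];
    char oversized[600];

    /* Constructed inputs: one ordinary username, one far over the limit. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    copy_request_unchecked(buf, "alice");   /* safe only because the input is a short constant */
    printf("unchecked copy of short constant: %s\n", buf);

    printf("checked copy of short input:    %d\n",
           copy_request_checked(buf, sizeof buf, "alice"));
    printf("checked copy of 599-byte input: %d\n",
           copy_request_checked(buf, sizeof buf, oversized));
    return 0;
}
```

The checked version refuses the 599-byte request instead of writing past the end of `buf`; the canaries, static tools and fuzzing mentioned on the slide are there to catch the cases where a developer wrote the unchecked version anyway.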
Exploits (2)
• Many other ‘type-safety’ vulnerabilities:
– Format string vulnerability – e.g. %n in printf()
allowing string’s author to write to the stack
– SQL insertion – careless web developer passes user
input to database which interprets it as SQL
– General attack: input stuff in language A, interpret it as
language B
– Defences: safe libraries for I/O, string handling etc;
tools to manage APIs; ‘language lawyer’ to nitpick; …
• Next there’s the concurrency stuff – see Robert
Watson’s guest lecture
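An added example, not from the lecture, of the format-string defect on the slide beside its fix, plus a crude illustration of the general defence against “input in language A interpreted as language B”. The allowlist of permitted characters is a hypothetical policy chosen for the example, and the hostile input is constructed; the vulnerable call is shown only in a comment.

```c
#include <stdio.h>
#include <string.h>

/* The vulnerable pattern the slide describes, kept as a comment so it cannot
 * be compiled by accident: the untrusted string *is* the format string, so
 * any %n it contains makes the printf family write to memory.
 *
 *     snprintf(out, outlen, untrusted);
 */

/* Hardened form: the format string is a compile-time constant and the
 * untrusted text only ever travels through a %s conversion, so its
 * contents are copied into the output and never interpreted.
 * Returns the number of characters that would have been written. */
int log_line(char *out, size_t outlen, const char *user, const char *untrusted)
{
    return snprintf(out, outlen, "user=%s msg=%s", user, untrusted);
}

/* Illustration of the general defence: when text must later reach any
 * interpreter (a shell, a query engine, a format parser), admit only
 * characters from a fixed allowlist and reject everything else. The
 * allowlist here is a hypothetical policy chosen for this example.
 * Returns 1 if the token is acceptable, 0 otherwise. */
int is_plain_token(const char *s)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789_-.";
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (strchr(allowed, *s) == NULL)
            return 0;
    return 1;
}

int main(void)
{
    char out[128];
    /* Constructed untrusted input containing format directives. */
    const char *hostile = "hello %n%n%s";

    log_line(out, sizeof out, "alice", hostile);
    printf("%s\n", out);   /* the directives appear literally, nothing is interpreted */
    printf("token 'alice_01': %d\n", is_plain_token("alice_01"));
    printf("token with quote and spaces: %d\n", is_plain_token("x' OR 1=1 --"));
    return 0;
}
```

An allowlist is the crudest of the “safe libraries for I/O, string handling” family on the slide; it is enough for identifiers and usernames, while free text headed for a database is better kept out of the query language altogether by passing it as a bound parameter.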
Filtering
• A number of security systems filter stuff
– Firewalls try to stop bad stuff getting in
– Intrusion detection tries to detect attacks in progress
against machines in your network
– Extrusion detection: look for people leaking classified
stuff, or even just infected machines sending spam
– Surveillance tries to detect suspicious communications
between principals
– Censorship, whether government or corporate
• They suffer from common design trade-offs
Filtering (2)
• The higher up the stack the filters live, the more
they can parse but the more they will cost
• Policy is hard! Are you doing BLP, Biba, what?
• Data volumes now are enormous. Do you do the
filtering locally, or on a backbone?
• Maintaining blacklists, whitelists is expensive
• Understanding new applications is expensive
• The ROC curve matters
• The opponents may be active or passive
• Collateral damage can be a big issue
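An added example, not from the lecture, serving both the “equal error rate” figures on the Biometrics and Signatures slides and “the ROC curve matters” on this one: it sweeps a decision threshold over two constructed sets of match scores (genuine and impostor comparisons, not real biometric data) and reports the false accept and false reject rates at each point, then locates the threshold where they cross. The same sweep applies unchanged to a filter scoring traffic as benign or hostile.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample scores (not real data): similarity between a probe and
 * the enrolled template on a 0..100 scale. 'Genuine' comparisons are the
 * right person; 'impostor' comparisons are somebody else. */
const double genuine_scores[]  = { 92, 88, 85, 81, 77, 70, 64, 55 };
const double impostor_scores[] = { 12, 20, 27, 35, 41, 50, 58, 66 };
#define N_GENUINE  (sizeof genuine_scores / sizeof genuine_scores[0])
#define N_IMPOSTOR (sizeof impostor_scores / sizeof impostor_scores[0])

typedef struct {
    int threshold;   /* accept if score >= threshold */
    double far;      /* false accept rate: impostors let through */
    double frr;      /* false reject rate: genuine users turned away */
} roc_point;

/* One point on the ROC curve for a given threshold. */
roc_point roc_at(int threshold)
{
    size_t fa = 0, fr = 0;
    for (size_t i = 0; i < N_IMPOSTOR; i++)
        if (impostor_scores[i] >= threshold)
            fa++;
    for (size_t i = 0; i < N_GENUINE; i++)
        if (genuine_scores[i] < threshold)
            fr++;
    roc_point p = { threshold, (double)fa / N_IMPOSTOR, (double)fr / N_GENUINE };
    return p;
}

/* Sweep every threshold and return the equal error rate: the value of FAR
 * and FRR at the threshold where they are closest. The first threshold
 * that achieves it is written to *threshold_out when non-NULL. */
double equal_error_rate(int *threshold_out)
{
    roc_point best = roc_at(0);
    double best_gap = best.far > best.frr ? best.far - best.frr : best.frr - best.far;
    for (int t = 1; t <= 100; t++) {
        roc_point p = roc_at(t);
        double gap = p.far > p.frr ? p.far - p.frr : p.frr - p.far;
        if (gap < best_gap) {
            best = p;
            best_gap = gap;
        }
    }
    if (threshold_out)
        *threshold_out = best.threshold;
    return (best.far + best.frr) / 2.0;
}

int main(void)
{
    int t;
    double eer;
    printf("threshold  FAR    FRR\n");
    for (int th = 40; th <= 80; th += 10) {
        roc_point p = roc_at(th);
        printf("%9d  %.3f  %.3f\n", p.threshold, p.far, p.frr);
    }
    eer = equal_error_rate(&t);
    printf("EER %.3f at threshold %d\n", eer, t);
    return 0;
}
```

Raising the threshold drives FAR towards zero and FRR upwards, and vice versa; a single figure such as the 6% or 38% quoted for document examiners only says where the two curves cross, and the operating point a real system runs at is a policy choice about which error is costlier, which is exactly the collateral-damage question on the filtering slide.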