Looking at Security through an Empirical Socio-economic lens Stefan Savage University of California, San Diego
Transcript
Page 1: Stefan Savage Cyber Cafe

Looking at Security through an Empirical Socio-economic lens

Stefan Savage, University of California, San Diego

Page 2: Stefan Savage Cyber Cafe

Motivation

Security is often seen as a technical problem

There is a broader socio-economic view

Key hypothesis: These extrinsic factors will provide a more effective basis for designing security interventions

Actors
▪ Adversaries
▪ Victims
▪ Defenders

Incentives/Costs

Capabilities

Relationships

Page 3: Stefan Savage Cyber Cafe

Arguing for an empirical focus

Security is poised to become a big data field

But defenses/policies need good models; good models need to be informed by good data

Very poor ground truth data in security field today

For validating hypotheses, e.g., monetary payments are a structural bottleneck in all advertising-based e-crime

For deriving hypotheses, e.g., how important is trust establishment for online criminals?

Page 4: Stefan Savage Cyber Cafe

Economics of e-crime

[Diagram labels: Advertising, Theft; Goods, Spam, Bank Cred Theft, FakeAV, Click Fraud; Infrastructure; BP hosting, Banking Trojans, Exploit kits, Spamming botnets, Phishing kits; Markets; VPNs, PPI service, Crypters, Traffic sales, SEO kits]

Today, the largest driver for threats is $$$

Page 5: Stefan Savage Cyber Cafe

Economics of e-crime

Today, the largest driver for threats is $$$

Scale allows commodity monetization

Complex value chain relationships

Page 6: Stefan Savage Cyber Cafe

Click Trajectory study of spam “value chain”

• Aug 1 -- Oct 31 2010
• 7 URL/Spam feeds + 5 botnet feeds
• 968M URLs
• 17M domains
• Crawled domains for 98% of URLs in
• 1000s of Firefox instances
• Large IP address diversity
• Multiple purchases from all major programs
• Identify bottlenecks in process

Page 7: Stefan Savage Cyber Cafe

Finding: Merchant banks are the fragile resource

• Low diversity
• 3 banks covered 95% of spam
• Fewer banks willing to handle “high-risk” merchants
• High switching cost

• In-person account creation, due diligence, multi-day process

• Upfront capital, holdback forfeiture

[Figure labels: AGBank, St. Kitts & Nevis, DnB NORD]

Page 8: Stefan Savage Cyber Cafe

Example: payment intervention

Major initiative underway

Undercover purchases

Drive merchant takedown

Appears highly successful

“Right now most affiliate programs have a mass of declines, cancels and pendings, and it doesn't depend much on the program imho, there is a general sad picture, fucking Visa is burning us with napalm (for problematic countries, it's totally fucked, on a couple of programs you're lucky if you get 50% through).”


Page 9: Stefan Savage Cyber Cafe

Summary

Security interventions should be understood in their larger socio-economic context

Don’t just plug holes; figure out which holes matter and why

Empiricism and fieldwork are necessary parts of the solution here

The lab setting is great, but it's not a substitute for studying the real world