Looking at Security through an Empirical Socio-economic lens
Stefan Savage, University of California, San Diego
Jun 20, 2015
Motivation
Security is often seen as a technical problem
There is a broader socio-economic view
Key hypothesis: these extrinsic factors will provide a more effective basis for designing security interventions
Actors: adversaries, victims, defenders
Incentives/costs, capabilities, relationships
Arguing for an empirical focus
Security is poised to become a big data field. But defenses/policies need good models; good models need to be informed by good data.
Very poor ground truth data in the security field today
For validating hypotheses, e.g., monetary payments are a structural bottleneck in all advertising-based e-crime
For deriving hypotheses, e.g., how important is trust establishment for online criminals?
Economics of e-crime
[Diagram: e-crime value chain. Labels: Advertising (Goods Spam, FakeAV, Click Fraud); Theft (Bank Cred Theft); Infrastructure (BP hosting, Banking Trojans, Exploit kits, Spamming botnets, Phishing kits, VPNs, PPI service, Crypters, Traffic sales, SEO kits); Markets]
Today, the largest driver for threats is $$$
Scale allows commodity monetization
Complex value chain relationships
Click Trajectory: study of the spam “value chain”
• Aug 1 - Oct 31, 2010
• 7 URL/spam feeds + 5 botnet feeds
• 968M URLs
• 17M domains
• Crawled domains for 98% of URLs in
• 1000s of Firefox instances
• Large IP address diversity
• Multiple purchases from all major programs
• Identify bottlenecks in the process
Finding: Merchant banks are the fragile resource
• Low diversity
  • 3 banks covered 95% of spam
  • Fewer banks willing to handle “high-risk” merchants
• High switching cost
  • In-person account creation, due diligence, multi-day process
  • Upfront capital, holdback forfeiture
[Figure: bank logos: AGBank, St. Kitts & Nevis, DnB NORD]
Example: payment intervention
Major initiative underway
Undercover purchases
Drive merchant takedown
Appears highly successful
“Right now most affiliate programs have a mass of declines, cancels and pendings, and it doesn't depend much on the program imho, there is a general sad picture, fucking Visa is burning us with napalm (for problematic countries, it's totally fucked, on a couple of programs you're lucky if you get 50% through).”
Summary
Security interventions should be understood in their larger socio-economic context
Don’t just plug holes; figure out which holes matter and why
Empiricism and fieldwork are necessary parts of the solution here
The lab setting is great, but it’s not a substitute for studying the real world