Online suicide games: a form of digital self-harm or a myth?

By Maria Bada & Richard Clayton

October is ‘Cyber Security Month’, and you will see lots of warnings and advice about how to keep yourself safe online. Unfortunately, not every warning is entirely accurate and particularly egregious examples are warnings about ‘suicide games’ which are said to involve an escalating series of challenges ending in suicide.

Here at the Cambridge Cybercrime Centre, we’ve been looking into suicide games by interviewing teachers, child protection experts and NGOs; and by tracking mentions of games such as the ‘Blue Whale Challenge’ and ‘Momo’ in news stories and on UK Police and related websites.

We found that the stories about online suicide games have no discernable basis in fact and are linked to misperceptions about actual suicides. A key finding of our work is that media, social media and well-meaning (but baseless) warning releases by authorities are spreading the challenge culture and exaggerating fears.

To clarify, virally spreading challenges are real and some are unexpectedly dangerous such as the salt and ice challenge, the cinnamon challenge and more recently skin embroidery. Very sadly of course suicides are also real – but we are convinced that the combination has no basis in fact.

We’re not alone in our belief. Snopes investigated Blue Whale in 2017 and deemed the story ‘unproven’, while in 2019 the BBC posted a detailed history of Blue Whale showing there was no record of such a game prior to a single Russian media article of dubious accuracy. The UK Safer Internet Centre calls the claims around Momo ‘fake news’, while YouTube has found no evidence to support the claim that there are videos showing or promoting Momo on its platform.

Regardless of whether a challenge is dangerous or not, youngsters are especially motivated to take part, presumably because of a desire for attention and curiosity. The ‘challenge culture’ is a deeply rooted online phenomenon. Young people are constantly receiving media messages and new norms which not only inform their thinking, but also their values and beliefs. 

Although there is no evidence that the suicide games are ‘real’, authorities around the world have reacted by releasing warnings and creating information campaigns to warn youngsters and parents about the risks. However, a key concern when discussing, or warning of, suicide games is that this drives children towards the very content of concern and raises the risk of ‘suicide contagion’, which could turn stories into a tragic self-fulfilling prophecy for a small number of vulnerable youths.

Understanding what media content really means, what its source is and why a certain message has been constructed, is crucial for quality understanding and recognition of media mediated messages and their meaning. Adequate answers to all these questions can only be acquired by media literacy. However, in most countries media education is still a secondary activity that teachers or media educators deal with without training or proper material. 

Our research recommends that policy measures are taken such as: a) awareness and education to ensure that young people can handle risks online and offline; b) development of national and international strategies and guidelines for suicide prevention and how the news related to suicides is shown in media and social media; c) development of social media and media literacy; d) collaborative efforts of media, legal systems and education to prevent suicides; e) guidance for quality control of warning releases by authorities.

Maria Bada presented this work on 24-26th June 2019, at the 24th Annual CyberPsychology, CyberTherapy & Social Networking Conference (CYPSY24) in Norfolk, Virginia, USA. Click here  to access the abstract of this paper – the full version of the paper is currently in peer review and should be available soon.

Usability of Cybercrime Datasets

By Ildiko Pete and Yi Ting Chua

The availability of publicly accessible datasets plays an essential role in the advancement of cybercrime and cybersecurity as a field. There has been increasing effort to understand how datasets are created, classified, shared, and used by scholars. However, there has been very few studies that address the usability of datasets. 

As part of an ongoing project to improve the accessibility of cybersecurity and cybercrime datasets, we conducted a case study that examined and assessed the datasets offered by the Cambridge Cybercrime Centre (CCC). We examined two stages of the data sharing process: dataset sharing and dataset usage. Dataset sharing refers to three steps: (1) informing potential users of available datasets, (2) providing instructions on application process, and (3) granting access to users. Dataset usage refers to the process of querying, manipulation and extracting data from the dataset. We were interested in assessing users’ experiences with the data sharing process and discovering challenges and difficulties when using any of the offered datasets. 

To this end, we reached out to 65 individuals who applied for access to the CCC’s datasets and are potentially actively using the datasets. The survey questionnaire was administered via Qualtrics. We received sixteen responses, nine of which were fully completed. The responses to open-ended questions were transcribed, and then we performed thematic analysis.

As a result, we discovered two main themes. The first theme is users’ level of technological competence, and the second one is users’ experiences. The findings revealed generally positive user experiences with the CCC’s data sharing process and users reported no major obstacles with regards to the dataset sharing stage. Most participants have accessed and used the CrimeBB dataset, which contains more than 48 million posts. Users also expressed that they are likely to recommend the dataset to other researchers. During the dataset usage phase, users reported some technical difficulties. Interestingly, these technical issues were specific, such as version conflicts. This highlights that users with a higher level of technical skills also experience technical difficulties, however these are of different nature in contrast to generic technical challenges. Nonetheless, the survey shown the CCC’s success in sharing their datasets to a sub-set of cybercrime and cybersecurity researchers approached in the current study. 

Ildiko Pete presented the preliminary findings on 12thAugust at CSET’19. Click here to access the full paper. 

Hiring for the Cambridge Cybercrime Centre

We have just re-advertised a “post-doc” position in the Cambridge Cybercrime Centre: The vacancy arises because Daniel is off to become a Chancellor’s Fellow at Strathclyde), the re-advertisement is because of a technical flaw in the previous advertising process (which is now addressed).

We are looking for an enthusiastic researcher to join us to work on our datasets of cybercrime activity, collecting new types of data, maintaining existing datasets and doing innovative research using our data. The person we appoint will define their own goals and objectives and pursue them independently, or as part of a team.

An ideal candidate would identify cybercrime datasets that can be collected, build the collection systems and then do cutting edge research on this data — whilst encouraging other academics to take our data and make their own contributions to the field.

We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus. However, we are looking for strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.

Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply — and please pay attention to our request that in the covering letter you create as part of the application you should explain which particular aspects of cybercrime research are of particular interest to you.

The lifetime of an Android API vulnerability

By Daniel Carter, Daniel Thomas, and Alastair Beresford

Security updates are an important mechanism for protecting users and their devices from attack, and therefore it’s important vendors produce security updates, and that users apply them. Producing security updates is particularly difficult when more than one vendor needs to make changes in order to secure a system.

We studied one such example in previous research (open access). The specific vulnerability (CVE-2012-6636) affected Android devices and allowed JavaScript running inside a WebView of an app (e.g. an advert) to run arbitrary code inside the app itself, with all the permissions of app. The vulnerability could be exploited remotely by an attacker who bought ads which supported JavaScript. In addition, since most ads at the time were served over HTTP, the vulnerability could also be exploited if an attacker controlled a network used by the Android device (e.g. WiFi in a coffee shop). The fix required both the Android operating system, and all apps installed on the handset, to support at least Android API Level 17. Thus, the deployment of an effective solution for users was especially challenging.

When we published our paper in 2015, we predicted that this vulnerability would not be patched on 95% of devices in the Android ecosystem until January 2018 (plus or minus a standard deviation of 1.23 years). Since this date has now passed, we decided to check whether our prediction was correct.

To perform our analysis we used data on deployed API versions taken from (almost) monthly snapshots of Google’s Android Distribution Dashboard which we have been tracking. The good news is that we found the operating system update requirements crossed the 95% threshold in May 2017, seven months earlier than our best estimate, and within one standard deviation of our prediction. The most recent data for May 2019 shows deployment has reached 98.2% of devices in use. Nevertheless, fixing this aspect of the vulnerability took well over 4 years to reach 95% of devices.

Proportion of devices safe from the JavaScript-to-Java vulnerability. For details how this is calculated, see our previous paper.
Proportion of devices safe from the JavaScript-to-Java vulnerability. For details how this is calculated, see our previous paper.

Google delivered a further fix in Android 4.4.3 that blocked access to the getClass method from JavaScript, considerably reducing the risk of exploitation even from apps which were not updated. A conservative estimate of the deployment of this further fix is shown on the graph, reaching 95% adoption in April 2019. On the app side of things, Google has also been encouraging app developers to update. From 1st November 2018, updates to apps on Google Play must target API level 26 or higher and from November 1st 2019 updates to apps must target API level 28 or higher. This change forces the app-side changes necessary to fix this vulnerability. Unfortunately we don’t have good data on the distribution of apps installed on handsets, but we expect that most Android devices are now secure against this vulnerability.

Our work is not done however, and we are still looking into the security of mobile devices. This summer we are extending the work from our other 2015 paper Security Metrics for the Android Ecosystem where we analysed the composition of Android vulnerabilities. Last time we used distributions of deployed Android versions on devices from Device Analyzer (an Android measurement app we deployed to Google Play), the device management system of a FTSE 100 company, and User-Agent string data from an ISP in Rwanda. If you might be able to share similar data with us to support our latest research work then please get in touch:

Fourth Annual Cybercrime Conference

The Cambridge Cybercrime Centre is organising another one day conference on cybercrime on Thursday, 11th July 2019.

We have a stellar group of invited speakers who are at the forefront of their fields:

They will present various aspects of cybercrime from the point of view of criminology, policy, security economics and policing.

This one day event, to be held in the Faculty of Law, University of Cambridge will follow immediately after (and will be in the same venue as) the “12th International Conference on Evidence Based Policing” organised by the Institute of Criminology which runs on the 9th and 10th July 2018.

Full details (and information about booking) is here.

SHB 2019 – Liveblog

I’ll be trying to liveblog the twelfth workshop on security and human behaviour at Harvard. I’m doing this remotely because of US visa issues, as I did for WEIS 2019 over the last couple of days. Ben Collier is attending as my proxy and we’re trying to build on the experience of telepresence reported here and here. My summaries of the workshop sessions will appear as followups to this post.

WEIS 2019 – Liveblog

I’ll be trying to liveblog the seventeenth workshop on the economics of information security at Harvard. I’m not in Cambridge, Massachussetts, but in Cambridge, England, because of a visa held in ‘administrative processing’ (a fate that has befallen several other cryptographers). My postdoc Ben Collier is attending as my proxy (inspired by this and this).

The Changing Cost of Cybercrime

In 2012 we presented the first systematic study of the costs of cybercrime. We have now repeated our study, to work out what’s changed in the seven years since then.

Measuring the Changing Cost of Cybercrime will appear on Monday at WEIS. The period has seen huge changes, with the smartphone replacing as PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and many services moving to the cloud. Yet the overall pattern of cybercrime is much the same.

We know a lot more than we did then. Back in 2012, we guessed that cybercrime was about half of all crime, by volume and value; we now know from surveys in several countries that this is the case. Payment fraud has doubled, but fallen slightly as a proportion of payment value; the payment system has got larger, and slightly more efficient.

So what’s changed? New cybercrimes include ransomware and other offences related to cryptocurrencies; travel fraud has also grown. Business email compromise and its cousin, authorised push payment fraud, are also growth areas. We’ve also seen serious collateral damage from cyber-weapons such as the NotPetya worm. The good news is that crimes that infringe intellectual property – from patent-infringing pharmaceuticals to copyright-infringing software, music and video – are down.

Our conclusions are much the same as in 2012. Most cyber-criminals operate with impunity, and we have to fix this. We need to put a lot more effort into catching and punishing the perpetrators.

Our new paper is here. For comparison the 2012 paper is here, while a separate study on the emotional cost of cybercrime is here.