I’ll be trying to liveblog the seventeenth workshop on the economics of information security at Harvard. I’m not in Cambridge, Massachussetts, but in Cambridge, England, because of a visa held in ‘administrative processing’ (a fate that has befallen several other cryptographers). My postdoc Ben Collier is attending as my proxy (inspired by this and this).
Category Archives: Cybercrime
The Changing Cost of Cybercrime
In 2012 we presented the first systematic study of the costs of cybercrime. We have now repeated our study, to work out what’s changed in the seven years since then.
Measuring the Changing Cost of Cybercrime will appear on Monday at WEIS. The period has seen huge changes, with the smartphone replacing as PC and laptop as the consumer terminal of choice, with Android replacing Windows as the most popular operating system, and many services moving to the cloud. Yet the overall pattern of cybercrime is much the same.
We know a lot more than we did then. Back in 2012, we guessed that cybercrime was about half of all crime, by volume and value; we now know from surveys in several countries that this is the case. Payment fraud has doubled, but fallen slightly as a proportion of payment value; the payment system has got larger, and slightly more efficient.
So what’s changed? New cybercrimes include ransomware and other offences related to cryptocurrencies; travel fraud has also grown. Business email compromise and its cousin, authorised push payment fraud, are also growth areas. We’ve also seen serious collateral damage from cyber-weapons such as the NotPetya worm. The good news is that crimes that infringe intellectual property – from patent-infringing pharmaceuticals to copyright-infringing software, music and video – are down.
Our conclusions are much the same as in 2012. Most cyber-criminals operate with impunity, and we have to fix this. We need to put a lot more effort into catching and punishing the perpetrators.
Our new paper is here. For comparison the 2012 paper is here, while a separate study on the emotional cost of cybercrime is here.
Security Engineering: Third Edition
I’m writing a third edition of my best-selling book Security Engineering. The chapters will be available online for review and feedback as I write them.
Today I put online a chapter on Who is the Opponent, which draws together what we learned from Snowden and others about the capabilities of state actors, together with what we’ve learned about cybercrime actors as a result of running the Cambridge Cybercrime Centre. Isn’t it odd that almost six years after Snowden, nobody’s tried to pull together what we learned into a coherent summary?
There’s also a chapter on Surveillance or Privacy which looks at policy. What’s the privacy landscape now, and what might we expect from the tussles over data retention, government backdoors and censorship more generally?
There’s also a preface to the third edition.
As the chapters come out for review, they will appear on my book page, so you can give me comment and feedback as I write them. This collaborative authorship approach is inspired by the late David MacKay. I’d suggest you bookmark my book page and come back every couple of weeks for the latest instalment!
Hiring for the Cambridge Cybercrime Centre
We have yet another “post-doc” position in the Cambridge Cybercrime Centre: https://www.cambridgecybercrime.uk (for the happy reason that Daniel is off to become a Chancellor’s Fellow at Strathclyde).
We are looking for an enthusiastic researcher to join us to work on our datasets of cybercrime activity, collecting new types of data, maintaining existing datasets and doing innovative research using our data. The person we appoint will define their own goals and objectives and pursue them independently, or as part of a team.
An ideal candidate would identify cybercrime datasets that can be collected, build the collection systems and then do cutting edge research on this data — whilst encouraging other academics to take our data and make their own contributions to the field.
We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus. However, we are looking for strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.
Please follow this link to the advert to read the formal advertisement for the details about exactly who and what we’re looking for and how to apply — and please pay attention to our request that in the covering letter you create as part of the application you should explain which particular aspects of cybercrime research are of particular interest to you.
Does security advice discriminate against women?
Security systems are often designed by geeks who assume that the users will also be geeks, and the same goes for the advice that users are given when things start to go wrong. For example, banks reacted to the growth of phishing in 2006 by advising their customers to parse URLs. That’s fine for geeks but most people don’t do that, and in particular most women don’t do that. So in the second edition of my Security Engineering book, I asked (in chapter 2, section 2.3.4, pp 27-28): “Is it unlawful sex discrimination for a bank to expect its customers to detect phishing attacks by parsing URLs?”
Tyler Moore and I then ran the experiment, and Tyler presented the results at the first Workshop on Security and Human Behaviour that June. We recruited 132 volunteers between the ages of 18 and 30 (77 female, 55 male) and tested them to see whether they could spot phishing websites, as well as for systematising quotient (SQ) and empathising quotient (EQ). These measures were developed by Simon Baron-Cohen in his work on Asperger’s; most men have SQ > EQ while for most women EQ > SQ. The ability to parse URLs is correlated with SQ-EQ and independently with gender. A significant minority of women did badly at URL parsing. We didn’t get round to publishing the full paper at the time, but we’ve mentioned the results in various talks and lectures.
We have now uploaded the original paper, How brain type influences online safety. Given the growing interest in gender HCI, we hope that our study might spur people to do research in the gender aspects of security as well. It certainly seems like an open goal!
Security Protocols 2019
I’m in the Security Protocols Workshop, whose theme this year is “security protocols for humans”. I’ll try to liveblog the talks in followups to this post.
Future ID
I’m in the FutureID3 workshop in Jesus College, Cambridge, and will try to liveblog the talks in followups to this post.
Financial Cryptography 2019
I’m at Financial Crypto 2019 and will try to liveblog some of the sessions in followups to this post.
Visualizing Diffusion of Stolen Bitcoins
In previous work we have shown how stolen bitcoins can be traced if we simply apply existing law. If bitcoins are “mixed”, that is to say if multiple actors pool together their coins in one transaction to obfuscate which coins belong to whom, then the precedent in Clayton’s Case says that FIFO ordering must be used to track which fragments of coin are tainted. If the first input satoshi (atomic unit of Bitcoin) was stolen then the first output satoshi should be marked stolen, and so on.
This led us to design Taintchain, a system for tracing stolen coins through the Bitcoin network. However, we quickly discovered a problem: while it was now possible to trace coins, it was harder to spot patterns. A decent way of visualizing the data is important to make sense of the patterns of splits and joins that are used to obfuscate bitcoin transactions. We therefore designed a visualization tool that interactively expands the taint graph based on user input. We first came up with a way to represent transactions and their associated taints in a temporal graph. After realizing the sheer number of hops that some satoshis go through and the high outdegree of some transactions, we came up with a way to do graph generation on-the-fly while assuming some restrictions on maximum hop length and outdegree.
Using this tool, we were able to spot many of the common tricks used by bitcoin launderers. A summary of our findings can be found in the short paper here.
Hiring for the Cambridge Cybercrime Centre (again!)
As recently posted, we currently advertising a post (details here) where “we expect that the best candidate will be someone from a sociology or criminology background who already has some experience analysing large datasets relating to cybercrime” — and now we have a second post for someone with a more technical background.
We seek an enthusiastic researcher to join us in collecting new types of cybercrime data, maintaining existing datasets and doing innovative research using our data. The person we appoint will define their own goals and objectives and pursue them independently, or as part of a team.
An ideal candidate would identify cybercrime datasets that can be collected, build the collection systems and then do cutting edge research on this data – whilst encouraging other academics to take our data and make their own contributions to the field.
We are not necessarily looking for existing experience in researching cybercrime, although this would be a bonus as would a solid technical background in networking and/or malware analysis. We do seek a candidate with strong programming skills — and experience with scripting languages and databases would be much preferred. Good knowledge of English and communication skills are important.
Details of this second post, and what we’re looking for are in the job advert here: http://www.jobs.cam.ac.uk/job/19543/.