How to deal with emergencies better

Academic papers, Legal issues, News coverage, Politics, Security psychology

Britain has just been hit by a storm; two people have been killed by falling trees, and one swept out to sea. The rail network is in chaos and over 100,000 homes lost electric power. What can security engineering teach about such events?

Risk communication could be very much better. The storm had been forecast for several days but the instructions and advice from authority have almost all been framed in vague and general terms. Our research on browser warnings shows that people mostly ignore vague warnings (“Warning – visiting this web site may harm your computer!”) but pay much more attention to concrete ones (such as “The site you are about to visit has been confirmed to contain software that poses a significant risk to you, with no tangible benefit. It would try to infect your computer with malware designed to steal your bank account and credit card details in order to defraud you”). In fact, making warnings more concrete is the only thing that works here – nudge favourites such as appealing to social norms, or authority, or even putting a cartoon face on the page to activate social cognition, don’t seem to have a significant effect in this context.

So how should the Met Office and the emergency services deal with the next storm?

Continue reading How to deal with emergencies better

We're hiring again

Security economics, Security engineering, Security psychology, Spam, Web security

We have a vacancy for a postdoc to work on the economics of cybercrime for two years from January. It might suit someone with a PhD in economics or criminology and an interest in online crime; or a PhD in computer science with an interest in security and economics.

Security economics has grown rapidly in the last decade; security in global systems is usually an equilibrium that emerges from the selfish actions of many independent actors, and security failures often follow from perverse incentives. To understand better what works and what doesn’t, we need both theoretical models and empirical data. We have access to various large-scale sources of data relating to cybercrime – email spam, malware samples, DNS traffic, phishing URL feeds – and some or all of this data could be used in this research. We’re very open-minded about what work might be done on this project; possible topics include victim analysis, malware analysis, spam data mining, data visualisation, measuring attacks, how security scales (or fails to), and how cybercrime data could be shared better.

This is an international project involving colleagues at CMU, SMU and the NCFTA.

A Study of Whois Privacy and Proxy Service Abuse

Academic papers, Security economics, Web security

ICANN have now published a draft for public comment of “A Study of Whois Privacy and Proxy Service Abuse“. I am the primary author of this report — the work being done whilst I was collaborating with the National Physical Laboratory (NPL) under EPSRC Grant EP/H018298/1.

This particular study was originally proposed by ICANN in 2010, one of several that were to examine the impact of domain registrants using privacy services (where the name of a domain registrant is published, but contact details are kept private) and proxy services (where even the domain licensee’s name is not made available on the public database).

ICANN wanted to know if a significant percentage of the domain names used to conduct illegal or harmful Internet activities are registered via privacy or proxy services to obscure the perpetrator’s identity? No surprises in our results: they are!

However, it’s more interesting to ask whether this percentage is somewhat higher than the usage of privacy or proxy services for entirely lawful and harmless Internet activities? This turned out NOT to be the case — for example banks use privacy and proxy services almost as often as the registrants of domains used in the hosting of child sexual abuse images; and the registrants of domains used to host (legal) adult pornography use privacy and proxy services more often than most (but not all) of the different types of malicious activity that we studied.

It’s also relevant to consider what other methods might be chosen by those involved in criminal activity to obscure their identities, because in the event of changes to privacy and proxy services, it is likely that they will turn to these alternatives.

Accordingly, we determined experimentally whether a significant percentage of the domain names we examined have been registered with incorrect Whois contact information – and specifically whether or not we could reach the domain registrant using a phone number from the Whois information. We asked them a single question in their native language “did you register this domain”?

We got somewhat variable results from our phone survey — but the pattern becomes clear if we consider whether there is any a priori hope at all of ringing up the domain registrant?

If we sum up the likelihoods:

  • uses privacy or proxy service
  • no (apparently valid) phone number in whois
  • number is apparently valid, but fails to connect
  • number reaches someone other than the registrant

then we find that for legal and harmless activities the probability of a phone call not being possible ranges between 24% (legal pharmacies on the Legitscript list) and 62% (owners of lawful websites that someone has broken into and installed phishing pages). For malicious activities the probability of failure is 88% or more, with typosquatting (which is a civil matter, rather than a criminal one) sitting at 68% (some of the typosquatters want to hide, some do not).

There’s lots of detail and supporting statistics in the report… and an executive summary for the time-challenged. It will provide real data, rather than just speculative anecdotes, to inform the debate around reforming Whois — and the difficulties of doing so.

Google funding of open-source security projects

Open-source security, Operating systems, Security engineering

I was pleased to contribute to a recent blog article by Ben Laurie, a frequent collaborator with the Cambridge security group, on the Google Open Source Programs Office blog. We describe open-source security work OSPO has sponsored over the last couple of years, including our joint work on Capsicum, and its followup projects funded jointly by Google and the FreeBSD Foundation. He also talks about Google support for Certificate Transparency, OpenSSL, Tor, and Libpurple — projects focussed not just on communications security, but also communications privacy on the Internet.

Capsicum

Over the last decade or so, it has become increasingly (and painfully) apparent that ACLs and MAC, which were originally designed to protect expensive mainframes from their users, and the users from each other, are failing to secure modern cheap machines with single users who need protecting from the software they run.

Instead, we need fine-grained access control and strong sandboxing.
Continue reading Google funding of open-source security projects

Offender tagging

Hardware & signals, Legal issues, News coverage, Politics, Usability

August was a slow month, but we got a legal case where our client was accused of tampering with a curfew tag, and I was asked for an expert report on the evidence presented by Serco, the curfew tagging contractor. Many offenders in the UK are released early (or escape prison altogether) on condition that they stay at home from 8pm to 8am and wear an ankle bracelet so their compliance can be monitored. These curfew tags have been used for fourteen years now but are controversial for various reasons; but with the prisons full and 17,500 people on tag at any one time, the objective of policy is to improve the system rather than abolish it.

In this spirit I offer a redacted version of my expert report which may give some insight into the frailty of the system. The logs relating to my defendant’s case showed large numbers of false alarms; some of these had good explanations (such as power cuts) but many didn’t. The overall impression is of an unreliable technology surrounded by chaotic procedures. Of policy concern too is that the tagging contractor not only supplies the tags and the back-end systems, but the call centre and the interface to the court system. What’s more, if you break your curfew, it isn’t the Crown Prosecution Service that takes you before the magistrates, but the contractor – relying on expert evidence from one of its subcontractors. Such closed systems are notoriously vulnerable to groupthink. Anyway, we asked the court for access not just to the tag in the case, but a complete set of tagging equipment for testing, plus system specifications, false alarm statistics and audit reports. The contractor promptly replied that “although we continue to feel that the defendant is in breach of the order, our attention has been drawn to a number of factors that would allow me to properly discontinue proceedings in the public interest.”

The report is published with the consent of my client and her solicitor. Long-time readers of this blog may recall similarities with the case of Jane Badger. If you’re designing systems on whose output someone may have to rely in court, you’d better think hard about how they’ll stand up to hostile review.

NSA Award for Best Scientific Cybersecurity Paper

Academic papers, Authentication, Awards

Yesterday I received the NSA award for the Best Scientific Cybersecurity Paper of 2012 for my IEEE Oakland paper “The science of guessing.” I’m honored to have been recognised by the distinguished academic panel assembled by the NSA. I’d like to again thank Henry Watts, Elizabeth Zwicky, and everybody else at Yahoo! who helped me with this research while I interned there, as well as Richard Clayton and Ross Anderson for their support and supervision throughout.

On a personal note, I’d be remiss not to mention my conflicted feelings about winning the award given what we know about the NSA’s widespread collection of private communications and what remains unknown about oversight over the agency’s operations. Like many in the community of cryptographers and security engineers, I’m sad that we haven’t better informed the public about the inherent dangers and questionable utility of mass surveillance. And like many American citizens I’m ashamed we’ve let our politicians sneak the country down this path.

In accepting the award I don’t condone the NSA’s surveillance. Simply put, I don’t think a free society is compatible with an organisation like the NSA in its current form. Yet I’m glad I got the rare opportunity to visit with the NSA and I’m grateful for my hosts’ genuine hospitality. A large group of engineers turned up to hear my presentation, asked sharp questions, understood and cared about the privacy implications of studying password data. It affirmed my feeling that America’s core problems are in Washington and not in Fort Meade. Our focus must remain on winning the public debate around surveillance and developing privacy-enhancing technology. But I hope that this award program, established to increase engagement with academic researchers, can be a small but positive step.

We're hiring

Security economics, Security psychology, Social networks

We have a vacancy for a postdoc to work on the psychology of cybercrime and deception for two years from October. It might suit someone with a PhD in psychology or behavioural economics with a specialisation in deception, fraud or online crime; or a PhD in computer science with a strong interest in psychology, usability and security.

This is part of a cross-disciplinary project involving colleagues at Portsmouth, Newcastle and UCL. It will build on work we’ve been doing in the psychology of security over the past few years.

Why privacy regulators are ineffective: an anthropologist's view

Academic papers, Legal issues, Politics, Security economics, Security psychology

Privacy activists have complained for years that the Information Commissioner is useless, and compared him with captured regulators like the FSA and the Financial Ombudsman. However I’ve come across a paper by a well-known anthropologist that gives a different take on the problem.

Alan Fiske did fieldwork among a tribe in northern Nigeria that has different boundaries for which activities are regulated by communal sharing, authority, tit-for-tat or monetary exchange. For example,labour within the village is always communal; you expect your neighbours to help you fix your house, and you later help them fix theirs. (This exasperated colonialists who couldn’t get the locals to work for cash; the locals for their part imagined that Europeans must present their children with an itemised bill for child-rearing when they reached adulthood.) He has since written several papers on how many of the tensions in human society arise on the boundaries of these domains of sharing, authority, tit-for-tat and the market. The boundaries can vary by culture, by generation and by politics; libertarians are happy to buy and sell organs for transplant, where many people prefer communal sharing, while radical socialists object to some routine market transactions. Indeed regulatory preferences may drive political views.

So far so good. Where it gets interesting is his extensive discussion of taboo transactions across a variety of cultures, and the institutions created to mitigate the discomfort that people feel when something affects more than one sphere of regulation: from extreme cases such as selling a child into slavery so you can feed your other children, through bride-price and blood money, to such everyday things as alimony and deconsecrating a cemetery for development. It turns out there’s a hierarchy of spheres, with sharing generally taking precedence over authority and authority over tit-for-tat, and market pricing following along last. This ordering makes “downhill” transactions easier. Alimony works (you once loved me, so pay me money!) but buying love doesn’t. Continue reading Why privacy regulators are ineffective: an anthropologist's view

Eavesdropping a fax machine

Hardware & signals, News coverage

I was intrigued this morning to see on the front page of the Guardian newspaper a new revelation by NSA whistleblower Edward Snowden: a US eavesdropping technique “DROPMIRE implanted on the Cryptofax at the EU embassy [Washington] D.C.”. I was even more intrigued by an image that accompanied the report (click for higher resolution):

The Guardian, 1 July 2013, page 1

Having done many experiments to eavesdrop on office equipment myself, the noisy image at the bottom third of the picture above looked instantly familiar: it is what you might get from listening with a radio receiver on the compromising emanations of a video signal of a page of text. Continue reading Eavesdropping a fax machine