Rainer Böhme

Measuring the Cost of Cybercrime

This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around

Can we trust digital image forensics

2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.

Revisiting weighted stego-image steganalysis

Compared to the prominent role digital images play in nowadays multimedia society, research in the field of image authenticity is still in its infancy. Only recently, research on digital image forensics has gained attention by addressing tamper detection and image source identification. However, most publications in this emerging field still lack rigorous discussions of robustness against strategic counterfeiters, who anticipate the existence of forensic techniques. As a result, the question of trustworthiness of digital image forensics arises. This work will take a closer look at two state-of-the-art forensic methods and proposes two counter-techniques; one to perform resampling operations undetectably and another one to forge traces of image origin. Implications for future image forensic systems will be discussed.

Hiding Traces of Resampling in Digital Images

This paper revisits the steganalysis method involving a Weighted Stego-Image (WS) for estimating LSB replacement payload sizes in digital images. It suggests new WS estimators, upgrading the methods three components: cover pixel prediction, least-squares weighting, and bias correction. Wide-ranging experimental results (over two million total attacks) based on images from multiple sources and pre-processing histories show that the new methods produce greatly improved accuracy, to the extent that they outperform even the best of the structural detectors, while avoiding their high complexity. Furthermore, specialised WS estimators can be derived for detection of sequentially-placed payload: they offer levels of accuracy orders of magnitude better than their competitors.

Counter-Forensics: Attacking Image Forensics

Resampling detection has become a standard tool for forensic analyses of digital images. This paper presents new variants of image transformation operations which are undetectable by resampling detectors based on periodic variations in the residual signal of local linear predictors in the spatial domain. The effectiveness of the proposed method is supported with evidence from experiments on a large image database for various parameter settings. We benchmark detectability as well as the resulting image quality against conventional linear and bicubic interpolation and interpolation with a sinc kernel. These early findings on ldquocounter-forensicrdquo techniques put into question the reliability of known forensic tools against smart counterfeiters in general, and might serve as benchmarks and motivation for the development of much improved forensic techniques.

The Dresden Image Database for Benchmarking Digital Image Forensics

This chapter discusses counter-forensics, the art and science of impeding or misleading forensic analyses of digital images. Research on counter-forensics is motivated by the need to assess and improve the reliability of forensic methods in situations where intelligent adversaries make efforts to induce a certain outcome of forensic analyses. Counter-forensics is first defined in a formal decision-theoretic framework. This framework is then interpreted and extended to encompass the requirements to forensic analyses in practice, including a discussion of the notion of authenticity in the presence of legitimate processing, and the role of image models with regard to the epistemic underpinning of the forensic decision problem. A terminology is developed that distinguishes security from robustness properties, integrated from post-processing attacks, and targeted from universal attacks. This terminology is directly applied in a self-contained technical survey of counter-forensics against image forensics, notably techniques that suppress traces of image processing and techniques that synthesize traces of authenticity, including examples and brief evaluations. A discussion of relations to other domains of multimedia security and an overview of open research questions concludes the chapter.

Breaking Cauchy Model-Based JPEG Steganography with First Order Statistics

ABSTRACT This article introduces and documents a novel image database specifically built for the purpose of development and benchmarking of camera-based digital forensic techniques. More than 14,000 images of various indoor and outdoor scenes have been acquired under controlled and thus widely comparable conditions from altogether 73 digital cameras. The cameras were drawn from only 25 different models to ensure that device-specific and model-specific characteristics can be disentangled and studied separately, as validated with results in this article. In addition, auxiliary images for the estimation of device-specific sensor noise pattern were collected for each camera. Another subset of images to study model-specific JPEG compression algorithms has been compiled for each model. The Dresden Image Database is freely available for scientific purposes. The database is intended to become a useful resource for researchers and forensic investigators. Using a standard database as a benchmark makes results more ...

Trained to accept?: a field experiment on consent dialogs

The recent approach of a model-based framework for steganography fruitfully contributes to the discussion on the security of steganography. In addition, the first proposal for an embedding algorithm constructed under the model-based paradigm reached remarkable performance in terms of capacity and security. In this paper, we review the emerging of model-based steganography in the context of decent steganalysis as well as from theoretical considerations, before we present a method to attack the above-mentioned scheme on the basis of first order statistics. Experimental results show a good detection ratio for a large test set of typical JPEG images. The attack is successful because of weaknesses in the model and does not put into question the generalised theoretical framework of model-based steganography. So we discuss possible implications for improved embedding functions.

The Effect of Stock Spam on Financial Markets

A typical consent dialog was shown in 2 x 2 x 3 experimental variations to 80,000 users of an online privacy tool. We find that polite requests and button texts pointing to a voluntary decision decrease the probability of consent---in contrast to findings in social psychology. Our data suggests that subtle positive effects of polite requests indeed exist, but stronger negative effects of heuristic processing dominate the aggregated results. Participants seem to be habituated to coercive interception dialogs---presumably due to ubiquitous EULAs---and blindly accept terms the more their presentation resembles a EULA. Response latency and consultation of online help were taken as indicators to distinguish more systematic from heuristic responses.

Countering counter-forensics: the case of JPEG compression

Spam messages are ubiquitous and extensive interdisciplinary research has tried to come up with effective countermeasures. However, little is known about the response to unsolicited e-mail, partly because spammers do not disclose sales figures. This paper correlates incoming spam messages that promote the investment in particular equity securities with financial market data. We use multivariate regression models to measure the impact of stock spam on traded volume and conduct an event study to find effects on market valuation. In both cases we have found evidence for significant reactions to spam campaigns in the short run. Theoretical and practical implications of the findings are addressed.