Tyler Moore

Measuring the Cost of Cybercrime

This chapter documents what we believe to be the first systematic study of the costs of cybercrime. The initial workshop paper was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs – both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now “cyber” because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/euros/dollars a year; transitional frauds cost a few pounds/euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around

So near and yet so far: distance-bounding attacks in wireless networks

2.7 million, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cyber-crooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society. Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response – that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail.

Beware the Middleman: Empirical Analysis of Bitcoin-Exchange Risk

Distance-bounding protocols aim to prevent an adversary from pretending that two parties are physically closer than they really are. We show that proposed distance-bounding protocols of Hu, Perrig and Johnson (2003), Sastry, Shankar and Wagner (2003), and Capkun and Hubaux (2005, 2006) are vulnerable to a guessing attack where the malicious prover preemptively transmits guessed values for a number of response bits. We also show that communication channels not optimized for minimal latency imperil the security of distance-bounding protocols. The attacker can exploit this to appear closer himself or to perform a relaying attack against other nodes. We describe attack strategies to achieve this, including optimizing the communication protocol stack, taking early decisions as to the value of received bits and modifying the waveform of transmitted bits. We consider applying distance-bounding protocols to constrained devices and evaluate existing proposals for distance bounding in ad hoc networks.

Measuring the perpetrators and funders of typosquatting

Bitcoin has enjoyed wider adoption than any previous crypto- currency; yet its success has also attracted the attention of fraudsters who have taken advantage of operational insecurity and transaction irreversibility. We study the risk investors face from Bitcoin exchanges, which convert between Bitcoins and hard currency. We examine the track record of 40 Bitcoin exchanges established over the past three years, and find that 18 have since closed, with customer account balances often wiped out. Fraudsters are sometimes to blame, but not always. Using a proportional hazards model, we find that an exchange’s transaction volume indicates whether or not it is likely to close. Less popular exchanges are more likely to be shut than popular ones. We also present a logistic regression showing that popular exchanges are more likely to suffer a security breach.

Suicide for the common good: a new strategy for credential revocation in self-organizing systems

We describe a method for identifying “typosquatting”, the intentional registration of misspellings of popular website addresses. We estimate that at least 938 000 typosquatting domains target the top 3 264 .com sites, and we crawl more than 285 000 of these domains to analyze their revenue sources. We find that 80% are supported by pay-per-click ads, often advertising the correctly spelled domain and its competitors. Another 20% include static redirection to other sites. We present an automated technique that uncovered 75 otherwise legitimate websites which benefited from direct links from thousands of misspellings of competing websites. Using regression analysis, we find that websites in categories with higher pay-per-click ad prices face more typosquatting registrations, indicating that ad platforms such as Google AdWords exacerbate typosquatting. However, our investigations also confirm the feasibility of significantly reducing typosquatting. We find that typosquatting is highly concentrated: Of typo domains showing Google ads, 63% use one of five advertising IDs, and some large name servers host typosquatting domains as much as four times as often as the web as a whole.

Information security: where computer science, economics and psychology meet

We consider the problem of credential revocation in self-organizing systems. In the absence of a common trusted authority, reaching a decision is slow, expensive and prone to manipulation. We propose a radical, new strategy---suicide for the common good---which drastically simplifies the decision-making process and revocation orders. Our mechanism is fully decentralized, incurs low communication and storage overhead, enables fast removal of misbehaving nodes, and is ideally suited to highly mobile networks.

The economics of cybersecurity: Principles and policy options

Until ca. 2000, information security was seen as a technological discipline, based on computer science but with mathematics helping in the design of ciphers and protocols. That perspective started to change as researchers and practitioners realized the importance of economics. As distributed systems are increasingly composed of machines that belong to principals with divergent interests, incentives are becoming as important to dependability as technical design. A thriving new field of information security economics provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam and phishing, but into more general areas of system dependability and policy. This research programme has recently started to interact with psychology. One thread is in response to phishing, the most rapidly growing form of online crime, in which fraudsters trick people into giving their credentials to bogus websites; a second is through the increasing importance of security usability; and a third comes through the psychology-and-economics tradition. The promise of this multidisciplinary research programme is a novel framework for analysing information security problems—one that is both principled and effective.

Game-Theoretic Analysis of DDoS Attacks Against Bitcoin Mining Pools

Economics puts the challenges facing cybersecurity into perspective better than a purely technical approach does. Systems often fail because the organizations that defend them do not bear the full costs of failure. For instance, companies operating critical infrastructures have integrated control systems with the Internet to reduce near-term, measurable costs while raising the risk of catastrophic failure, whose losses will be primarily borne by society. As long as anti-virus software is left to individuals to purchase and install, there may be a less than optimal level of protection when infected machines cause trouble for other machines rather than their owners. In order to solve the problems of growing vulnerability and increasing crime, policy and legislation must coherently allocate responsibilities and liabilities so that the parties in a position to fix problems have an incentive to do so. In this paper, we outline the various economic challenges plaguing cybersecurity in greater detail: misaligned incentives, information asymmetries and externalities. We then discuss the regulatory options that are available to overcome these barriers in the cybersecurity context: ex ante safety regulation, ex post liability, information disclosure, and indirect intermediary liability. Finally, we make several recommendations for policy changes to improve cybersecurity: mitigating malware infections via ISPs by subsidized cleanup, mandatory disclosure of fraud losses and security incidents, mandatory disclosure of control system incidents and intrusions, and aggregating reports of cyber espionage and reporting to the World Trade Organization (WTO).

The consequence of non-cooperation in the fight against phishing

One of the unique features of the digital currency Bitcoin is that new cash is introduced by so-called miners carrying out resource-intensive proof-of-work operations. To increase their chances of obtaining freshly minted bitcoins, miners typically join pools to collaborate on the computations. However, intense competition among mining pools has recently manifested in two ways. Miners may invest in additional computing resources to increase the likelihood of winning the next mining race. But, at times, a more sinister tactic is also employed: a mining pool may trigger a costly distributed denial-of-service (DDoS) attack to lower the expected success outlook of a competing mining pool. We explore the trade-off between these strategies with a series of game-theoretical models of competition between two pools of varying sizes. We consider differences in costs of investment and attack, as well as uncertainty over whether a DDoS attack will succeed. By characterizing the game’s equilibria, we can draw a number of conclusions. In particular, we find that pools have a greater incentive to attack large pools than small ones. We also observe that larger mining pools have a greater incentive to attack than smaller ones.

The Impact of Incentives on Notice and Take-down

A key way in which banks mitigate the effects of phishing is to have fraudulent websites removed or abusive domain names suspended. This dasiatake-downpsila is often subcontracted to specialist companies. We analyse six months of dasiafeedspsila of phishing Website URLs from multiple sources, including two such companies. We demonstrate that in each case huge numbers of Websites may be known to others, but the company with the take-down contract remains unaware of them, or only belatedly learns that they exist. We monitored all of the Websites to determine when they were removed and calculate the resultant increase in lifetimes from the take-down company not knowing that they should act. The results categorically demonstrate that significant amounts of money are being put at risk by the failure to share proprietary feeds of URLs. We analyse the incentives that prevent data sharing by take-down companies, contrasting this with the anti-virus industry - where sharing prevails - and with schemes for purchasing vulnerability information, where information about attacks is kept proprietary. We conclude by recommending that the defenders of phishing attacks start cooperatively sharing all of their data about phishing URLs with each other.