Do Malware Reports Expedite Cleanup? An Experimental Study
Web-based malware is pervasive. Miscreants compromise insecure hosts or even set up dedicated servers to distribute malware to unsuspecting users. This scourge is mainly fought by the voluntary action of private actors who detect and report infections to affected site owners, hosting providers and registrars. In this paper we describe an experiment to assess whether sending reports to affected parties makes a measurable difference in cleaning up malware. Using community reports of malware submitted to StopBadware over two months in Fall 2011, we find evidence that detailed notices are immediately effective: 32% of malware-distributing websites are cleaned within one day of sending a notice, compared to just 13% of sites not receiving a notice. The improved cleanup rate holds for longer periods, too – 62% of websites receiving a detailed notice were cleaned up after 16 days, compared to 45% of websites not receiving a notice. It turns out that including details describing the compromise is essential for the notice to work – sending reports with minimal descriptions of the malware was found to be roughly as effective as not sending reports at all. Furthermore, we present evidence that sending multiple notices from two sources is not helpful. Instead, only the first transmitted notice makes a difference.
Poster: How to best inform website owners about vulnerabilities on their websites
Background. Content management systems (CMS) provide default features that make it easy even for laypersons to create and maintain sophisticated websites [3]. But a CMS also poses a security risk. Not only can the CMS's framework itself contain vulnerabilities; there is also a vast number of plugins and templates that may introduce vulnerabilities [3, 5]. We are looking for websites that are vulnerable to search engine spam (SEO spam) or Pharma Hacks, where an attacker deploys code on a website to redirect to fake web shops [11, 12]. The manipulation is not visible on the genuine website, but the sites appear in the search engine results as shops selling illegal or banned drugs / medicines, luxury brand-name clothing, or expensive appliances for cheap. Often, the malicious code is hidden within the CSS files of a website and cannot be easily found – even by skilled developers [11].
Aim. Since the problem is not easy to detect and is only visible in a website's search results, most website owners have to rely on vulnerability notifications from the security community to be informed about the manipulation. To create suitable vulnerability notifications with which we could inform website owners about the security issues, we conducted 25 semi-structured interviews with affected website owners and discussed their perception of vulnerability notifications with them. To our knowledge, none of the experimental studies on vulnerability notifications [1, 4, 6–9, 13–21] has conducted qualitative interviews with affected website owners to identify common themes and trust-promoting factors for a vulnerability notification. Our work was motivated by the following research questions: (1) How did website owners perceive previous web vulnerability notifications? (2) What are suitable senders and communication channels that website owners deem trustworthy? (3) What aspects should we consider in future notifications to be deemed trustworthy? Finally, by answering these questions, we aimed to design a vulnerability notification that is suitable to inform website owners about the security issue on their website.
Herding Vulnerable Cats: A Statistical Approach to Disentangle Joint Responsibility for Web Security in Shared Hosting
Hosting providers play a key role in fighting web compromise, but their ability to prevent abuse is constrained by the security practices of their own customers. Shared hosting offers a unique perspective, since customers operate under restricted privileges and providers retain more control over configurations. We present the first empirical analysis of the distribution of web security features and software patching practices in shared hosting providers, the influence of providers on these security practices, and their impact on web compromise rates. We construct provider-level features on the global market for shared hosting – containing 1,259 providers – by gathering indicators from 442,684 domains. Exploratory factor analysis of 15 indicators identifies four main latent factors that capture security efforts: content security, webmaster security, web infrastructure security and web application security. We confirm, via a fixed-effect regression model, that providers exert significant influence over the latter two factors, which are both related to the software stack in their hosting environment. Finally, by means of GLM regression analysis of these factors on phishing and malware abuse, we show that the four security and software patching factors explain between 10% and 19% of the variance in abuse at providers, after controlling for size. For web-application security, for instance, we found that when a provider moves from the bottom 10% to the best-performing 10%, it would experience 4 times fewer phishing incidents. We show that providers have influence over patch levels – even higher in the stack, where CMSes can run as client-side software – and that this influence is tied to a substantial reduction in abuse levels.
Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure
Cybersecurity Information Sharing: Analysing an Email Corpus of Coordinated Vulnerability Disclosure. K Sridhar, A Householder, JM Spring, DW Woods. The 20th Workshop on the Economics of Information Security (WEIS 2021).
Best Practices for Notification Studies for Security and Privacy Issues on the Internet
Researchers help operators of vulnerable and non-compliant internet services by individually notifying them about security and privacy issues uncovered in their research. To improve the efficiency and effectiveness of such efforts, dedicated notification studies are imperative. As of today, there is no comprehensive documentation of pitfalls and best practices for conducting such notification studies, which limits the validity of results and impedes reproducibility. Drawing on our experience with such studies and guidance from related work, we present a set of guidelines and practical recommendations, covering initial data collection, sending of notifications, interacting with the recipients, and publishing the results. We note that future studies can especially benefit from extensive planning and automation of crucial processes, i.e., activities that take place well before the first notifications are sent.
Comment: Accepted to the 3rd International Workshop on Information Security Methodology and Replication Studies (IWSMR '21), colocated with ARES '2
Evidence-based Cybersecurity: Data-driven and Abstract Models
Achieving computer security requires both rigorous empirical measurement and models to understand cybersecurity phenomena and the effectiveness of defenses and interventions. To address the growing scale of cyber-insecurity, my approach to protecting users employs principled and rigorous measurements and models. In this dissertation, I examine four cybersecurity phenomena. I show that data-driven and abstract modeling can reveal surprising conclusions about long-term, persistent problems, like spam and malware, and growing threats like data breaches and cyber conflict. I present two data-driven statistical models and two abstract models. Both of the data-driven models show that the presence of heavy-tailed distributions can make naive analysis of trends and interventions misleading. First, I examine ten years of publicly reported data breaches and find that there has been no increase in size or frequency. I also find that reported and perceived increases can be explained by the heavy-tailed nature of breaches. In the second data-driven model, I examine a large spam dataset, analyzing spam concentrations across Internet Service Providers. Again, I find that the heavy-tailed nature of spam concentrations complicates analysis. Using appropriate statistical methods, I identify unique risk factors with significant impact on local spam levels. I then use the model to estimate the effect of historical botnet takedowns and find they are frequently ineffective at reducing global spam concentrations and have highly variable local effects. Abstract models are an important tool when data are unavailable. Even without data, I evaluate both known and hypothesized interventions used by search providers to protect users from malicious websites. I present a Markov model of malware spread and study the effect of two potential interventions: blacklisting and depreferencing. I find that heavy-tailed traffic distributions obscure the effects of interventions, but with my abstract model I show that lowering search rankings is a viable alternative to blacklisting infected pages. Finally, I study how game-theoretic models can help clarify strategic decisions in cyber conflict. I find that, in some circumstances, improving the attribution ability of adversaries may decrease the likelihood of escalating cyber conflict.
Does the online card payment system unwittingly facilitate fraud?
PhD Thesis
The research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are the transactions that include payments performed with a card over the Internet on websites, and over the phone. Our detailed analysis of hundreds of websites and of multiple CNP payment protocols shows that the current security architecture of the CNP payment system is not adequate to protect itself from fraud. Unintentionally, the payment system itself allows an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the latest payment protocols, such as 3D Secure 2.0.
We follow a structured analysis methodology that identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises UML diagrams and reference tables that describe the CNP payment protocol sequences, software tools that implement the protocols, and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of the vulnerability in the payment specifications.
We use practical demonstrations to show that these vulnerabilities can be exploited in the real world with ease. This presents a stronger impact message when presenting our research results to a non-technical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T
Remedying Security Concerns at an Internet Scale
The state of security across the Internet is poor, and it has been so since the advent of the modern Internet. While the research community has made tremendous progress over the years in learning how to design and build secure computer systems, network protocols, and algorithms, we are far from a world where we can truly trust the security of deployed Internet systems. In reality, we may never reach such a world. Security concerns continue to be identified at scale throughout the software ecosystem, with thousands of vulnerabilities discovered each year. Meanwhile, attacks have become ever more frequent and consequential. As Internet systems will inevitably continue to be affected by newly found security concerns, the research community must develop more effective ways to remedy these issues. To that end, in this dissertation, we conduct extensive empirical measurements to understand how remediation occurs in practice for Internet systems, and explore methods for spurring improved remediation behavior. This dissertation provides a treatment of the complete remediation life cycle, investigating the creation, dissemination, and deployment of remedies. We start by focusing on security patches that address vulnerabilities, and analyze at scale their creation process, the characteristics of the resulting fixes, and how these impact vulnerability remediation. We then investigate and systematize how administrators of Internet systems deploy software updates that patch vulnerabilities across the many machines they manage on behalf of organizations. Finally, we conduct the first systematic exploration of Internet-scale outreach efforts to disseminate information about security concerns and their remedies to system administrators, with the aim of driving their remediation decisions. Our results show that such outreach campaigns can effectively galvanize positive reactions.
Improving remediation, particularly at scale, is challenging, as the problem space exhibits many dimensions beyond traditional technical considerations, including human, social, organizational, economic, and policy facets. To make meaningful progress, this work uses a diversity of empirical methods, from software data mining to user studies to Internet-wide network measurements, to systematically collect and evaluate large-scale datasets. Ultimately, this dissertation establishes broad empirical grounding on security remediation in practice today, as well as new approaches for improved remediation at an Internet scale.