Popular in Course
Popular in ComputerScienence
This 34 page Class Notes was uploaded by Vito Kilback on Wednesday September 23, 2015. The Class Notes belongs to CS475 at Drexel University taught by RachelGreenstadt in Fall. Since its upload, it has received 26 views. For similar materials see /class/212433/cs475-drexel-university in ComputerScienence at Drexel University.
Reviews for ComputerandNetworkSecurity
Report this Material
What is Karma?
Karma is the currency of StudySoup.
You can buy or earn more Karma at anytime and redeem it for class notes, study guides, flashcards, and more!
Date Created: 09/23/15
Reinterpreting the Disclosure Debate for Web Infections Oliver Day Brandon Palmen Rachel Greenstadt Harvard University Drexel University 1 stopwareorg Overview 0 Background 0 Actors 0 Methodology 0 Statistics 0 Possible Solutions 0 Conclusions 2 stopwareorg Background Driveby Downloads Internet users can be infected simply by viewing a compromised website DONATE Tc 1 FquotgtKI39K 39 CAL39ANDRA TVquot W 39 q mm In mn num SENIORS 1M MVINGSW hrJKIV te n39rargln lopmalgm quot matglnwndtw v n argmherght 0quot r z 5 r w w r J w Iable wtdthquot99quot harden I allgnquotcenter cellpadumgf39 cellspacmg hardercotot 00l D30 stop BAD waregorg Background Google s Interstitial Warnings Google Mona m We Llarl39 Puma aw May 2i JJJS u U Jb ta comw ert L 2 am HI P3 F s httgnmvmlw39 7 Wanting vlsltlng lhls web all may harm your computer 5mquot stopwareorg Background StopBadware Review Process 0 We provide independent transparent and manual website testing 0 We receive urls from partners 0 We assume the majority of sites are victims stopwareorg Attack Trends 0 The longtail approach Attacking well defended sites takes a long time infections are detected quickly Attacking poorly defended sites is quick infections can remain hidden for long periods of time o Facilitated by Weaponized exploit packs Google hacking Infected advertising networks 6 stopwareorg Consumer Webmasters o Are not tech geeks Just want things to work Use offthe shelf software Do not believe they are infected Can not identify or remove badware 0 Security is an unobservable attribute 0 Budget constraints make them choose between features and security 7 stopwareorg Web Hosting vs CoIocation 0 Web Hosting provides both the physical machine and the administration of the operating system 0 CoIocation provides neither 39Value39 Web Hosting Providers 0 Technical properties Feature bloat Offthe shelf control panels Nonuniform security patching 100s1000s ofwebsites per server 0 Economic properties Both hidden actions and hidden characteristics exist in the market Consumers cannot monitor hosting providers security practices Hosting providers may fall into moral hazard 9 stopwareorg Economics of Security in brief 0 Markets work when people have incentives to do the right thing 0 But Externalities Asymmetric Information Hidden characteristics gt Adverse Selection 0 Hidden actions gt Moral Hazard o All present in web security market 1 stopwareorg Externalities o Occurwhen decisions cause external costs or benefits to stakeholders who did not directly affect the transaction 1 stqprwareors Externalized Costs of Web Insecurity 0 Web infections typically affect the end users browsers of websites Often don39t know that they are infected Ifthey do they don39t know why Some evidence to suggest overt security measures actually reduce customer confidence Revealing infections can only harm companies brands and reputations 0 Most harm is even further removed Attacks carried out phishing sites hosted SPAM sent from infected machines 1 stopwareorg Akerlof39s Market for Lemons o Comes from analysis of Used Car market 0 Hidden characteristics Buyer doesn39t know if the carthey are buying is good or a 39lemon39 0 Seller does have this information 0 Given uncertainty buyer will not pay much 0 Result Adverse Selection sellers won39t sell good cars can39t get a good price only lemons 0 Solution Reduce customer uncertainty 0 Independent Inspections Guarantees etc 1 stopwareorg 3 Hidden Characteristics in Web Insecurity 0 End user doesn39t know if site they visit is safe or attacking them 0 Adverse selection Takes resources to be secure so why bother if no one can notice 0 Hosting provider doesn39t know if webmaster is incompetent or malicious o Webmasters don39t know if hosting provider is secure or not 1 stopwareorg 4 Adverse Selection in Web Privacy 0 End users don39t know privacy policies of websites 0 Bad sites endeavorto make signaling hard coopt signals 0 Example privacy seals like Truste Do little or no audit Edelman 2006 Sites with seals more likely to be bad 1 stopwareorg Hidden Actions and Moral Hazard o Webmasters unable to monitor hosting providers39 security practices 0 Maintaining secure sewers is expensive tendency to skimp o Moral hazard when contracted to efforts are costly and unobservable economic entities are likely to not make those efforts 1 stopwareorg Market Failures in Web Security Infected web users do not know howwhere they became infected 0 Consumer webmasters do not know iftheir hosting providers have poor security 0 Both web hosts and webmasters are incented to keep infection points hidden to protect their brands and revenues 1 stopwareorg Disclosure Theory 0 Browsers portals incentivized to protect web users from attack 0 Publicize andor block infected website Users more protected Webmasters incentivized to x sites or go away Webmasters incentivized to nd secure hosting 1 stopwareorg Disclosure for Software Vulnerabilities 0 Similar economic theory holds for software vulnerabilities 0 Without vulnerability disclosure software vendors have no incentive to disclose or fix security holes 0 lfno exploit exists and no patch disclosure poses risk of more attacked users before hole xed 0 Accepted practice Delayed disclosure tell the vendor wait speci ed period then tell world 0 Vendor can deploy patch during delay 0 Arora Telang Xu Optimal delay 1 stopwareorg Vulnerability Disclosure Debate Website owners want similar notice 0 Hosting provider also want similar notice 0 Web infections are attacks not vulnerabilities 0 Delay only optimal if no exploit oothenNise increases harm o Mandatory immediate disclosure of web infections helps to optimize social welfare 2 stopwareorg 0 Methodology 0 Query clearinghouse for all bad urls 0 Translate domain name to IP address 0 Team Cymru IP gt ASN translation 0 Group by ASN and by IP address 0 Process repeated at least weekly z stopwareorg Global Infection Share 2008 2 4 2 A 39U39 W C May 2008 2 stopwareorg Global Infection Share 2009 I ON I US I KR I RU I DE I ROW Jan 2009 stopwareorg US Web Infections 2008 The Planet IPower Aquot M MW n March 2007 January 2008 z stopwareorg 5mm S E a 2 1lWIHIHIHIHUUHIHHN ll llllmlll T hePlanet 2009397 4 208 109 stopwareorg Endurance 2009 I nnnnnn nsl 208 109 7 130m wane 7 12m mane 7 soon 7 mm mu 7 stopwareorg McCoIo Infections 208 1108 2 s waremg Intercage Infections I 908 208 stop BAD wareorg Webhost Disclosure Example 3mm threal of disclosure 25W mceole depeered mm 7 V iconfcall 7 mmm mu m 208 109 2 stopwareorg Possible Solutions 0 Broader Disclosure Gatekeepers Baidu gt China ISPs and hosting providers Notification of mass infections Browsers Firefox 3 Google amp SBW Opera 95 HauteSecure 3 stopwareorg Possible Solutions 0 Community CastIeCops retired Badware Busters Disclosure This is a SBW project 3 stopwareorg Possible Solutions Market 0 Consumer screening Educating consumer webmasters to screen hosting providers for security information o Hosting provider signaling Vulnerability scanning Patching policy 3 stopwareorg Conclusions 0 Information asymmetry exists between consumer webmasters and hosting providers 0 Webmasters and hosting providers have little economic incentive to disclose infections publicly 0 Immediate disclosure bluntly protects Internet users and applies economic pressure to webmasters and hosting providers who othenNise would not clean their sites 3 stopwareorg Questions 0 Oliver Day odaycyberlawharvardedu 0 Brandon Palmen bpalmencvberlawharvardedu 0 Rachel Greenstadt qreeniecsdrexeledu U
Are you sure you want to buy this material for
You're already Subscribed!
Looks like you've already subscribed to StudySoup, you won't need to purchase another subscription to get this material. To access this material simply click 'View Full Document'