Death of the Internet
Paperback, English, 2012
1 289 kr
Product information
- Publication date: 2012-08-10
- Dimensions: 188 x 236 x 20 mm
- Weight: 689 g
- Format: Paperback
- Language: English
- Series: IEEE Press
- Number of pages: 386
- Publisher: John Wiley & Sons Inc
- ISBN: 9781118062418
MARKUS JAKOBSSON, PhD, is Principal Scientist for Consumer Security at PayPal. He is the founder of the security startups RavenWhite and FatSkunk and has held positions at Palo Alto Research Center, RSA Laboratories, and Bell Labs. The editor of RSA's technical newsletter CryptoBytes, Dr. Jakobsson holds numerous U.S. patents, has published more than 100 articles, and authored and edited several books, including Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (Wiley). He has been interviewed on the subjects of phishing and crimeware on NPR, BBC, and other high-profile media outlets.
Table of contents (authors in parentheses, followed by the page number):
- Foreword xv
- Preface xvii
- Is the Title of this Book a Joke? xix
- Acknowledgments xxi
- Contributors xxiii
- Part I: The Problem
- 1 What Could Kill the Internet? And so What? 3
- 2 It is About People 7
  - 2.1 Human and Social Issues (Markus Jakobsson) 7
    - 2.1.1 Nigerian Scams 8
    - 2.1.2 Password Reuse 9
    - 2.1.3 Phishing 11
  - 2.2 Who are the Criminals? (Igor Bulavko) 13
    - 2.2.1 Who are they? 13
    - 2.2.2 Where are they? 14
    - 2.2.3 Deep-Dive: Taking a Look at Ex-Soviet Hackers 14
    - 2.2.4 Let's try to Find Parallels in the World we Live in 16
    - 2.2.5 Crime and Punishment? 16
- 3 How Criminals Profit 19
  - 3.1 Online Advertising Fraud (Nevena Vratonjic, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux) 20
    - 3.1.1 Advertising on the Internet 20
    - 3.1.2 Exploits of Online Advertising Systems 23
    - 3.1.3 Click Fraud 25
    - 3.1.4 Malvertising: Spreading Malware via Ads 31
    - 3.1.5 Inflight Modification of Ad Traffic 32
    - 3.1.6 Adware: Unsolicited Software Ads 34
    - 3.1.7 Conclusion 35
  - 3.2 Toeing the Line: Legal but Deceptive Service Offers (Markus Jakobsson and Ruilin Zhu) 35
    - 3.2.1 How Does it Work? 36
    - 3.2.2 What do they Earn? 36
  - 3.3 Phishing and Some Related Attacks (Markus Jakobsson and William Leddy) 38
    - 3.3.1 The Problem is the User 38
    - 3.3.2 Phishing 38
    - 3.3.3 Man-in-the-Middle 39
    - 3.3.4 Man-in-the-Browser 40
    - 3.3.5 New Attack: Man-in-the-Screen 41
  - 3.4 Malware: Current Outlook (Members of the BITS Security Working Group and staff leads Greg Rattray and Andrew Kennedy) 42
    - 3.4.1 Malware Evolution 42
    - 3.4.2 Malware Supply and Demand 48
  - 3.5 Monetization (Markus Jakobsson) 53
    - 3.5.1 There is Money Everywhere 53
- 4 How Things Work and Fail 57
  - 4.1 Online Advertising: With Secret Security (Markus Jakobsson) 58
    - 4.1.1 What is a Click? 58
    - 4.1.2 How Secret Filters are Evaluated 60
    - 4.1.3 What do Fraudsters Know? 62
  - 4.2 Web Security Remediation Efforts (Jeff Hodges and Andy Steingruebl) 63
    - 4.2.1 Introduction 63
    - 4.2.2 The Multitude of Web Browser Security Mechanisms 64
    - 4.2.3 Where do we go from Here? 75
  - 4.3 Content-Sniffing XSS Attacks: XSS with Non-HTML Content (Juan Caballero, Adam Barth, and Dawn Song) 75
    - 4.3.1 Introduction 75
    - 4.3.2 Content-Sniffing XSS Attacks 77
    - 4.3.3 Defenses 84
    - 4.3.4 Conclusion 89
  - 4.4 Our Internet Infrastructure at Risk (Garth Bruen) 89
    - 4.4.1 Introduction 89
    - 4.4.2 The Political Structure 90
    - 4.4.3 The Domain 92
    - 4.4.4 WHOIS: Ownership and Technical Records 94
    - 4.4.5 Registrars: Sponsors of Domain Names 96
    - 4.4.6 Registries: Sponsors of Domain Extensions 97
    - 4.4.7 CCTLDs: The Sovereign Domain Extensions 99
    - 4.4.8 ICANN: The Main Internet Policy Body 100
    - 4.4.9 Conclusion 102
  - 4.5 Social Spam (Dimitar Nikolov and Filippo Menczer) 103
    - 4.5.1 Introduction 103
    - 4.5.2 Motivations for Spammers 105
    - 4.5.3 Case Study: Spam in the GiveALink Bookmarking System 108
    - 4.5.4 Web Pollution 114
    - 4.5.5 The Changing Nature of Social Spam: Content Farms 116
    - 4.5.6 Conclusion 117
  - 4.6 Understanding CAPTCHAs and Their Weaknesses (Elie Bursztein) 117
    - 4.6.1 What is a Captcha? 117
    - 4.6.2 Types of Captchas 118
    - 4.6.3 Evaluating Captcha Attack Effectiveness 118
    - 4.6.4 Design of Captchas 119
    - 4.6.5 Automated Attacks 124
    - 4.6.6 Crowd-Sourcing: Using Humans to Break Captchas 127
  - 4.7 Security Questions (Ariel Rabkin) 131
    - 4.7.1 Overview 131
    - 4.7.2 Vulnerabilities 134
    - 4.7.3 Variants and Possible Defenses 138
    - 4.7.4 Conclusion 139
  - 4.8 Folk Models of Home Computer Security (Rick Wash and Emilee Rader) 140
    - 4.8.1 The Relationship Between Folk Models and Security 140
    - 4.8.2 Folk Models of Viruses and Other Malware 142
    - 4.8.3 Folk Models of Hackers and Break-Ins 146
    - 4.8.4 Following Security Advice 149
    - 4.8.5 Lessons Learned 153
  - 4.9 Detecting and Defeating Interception Attacks Against SSL (Christopher Soghoian and Sid Stamm) 154
    - 4.9.1 Introduction 154
    - 4.9.2 Certificate Authorities and the Browser Vendors 155
    - 4.9.3 Big Brother in the Browser 157
    - 4.9.4 Compelled Assistance 158
    - 4.9.5 Surveillance Appliances 159
    - 4.9.6 Protecting Users 160
    - 4.9.7 Threat Model Analysis 163
    - 4.9.8 Related Work 166
    - 4.9.9 Conclusion 168
- 5 The Mobile Problem 169
  - 5.1 Phishing on Mobile Devices (Adrienne Porter Felt and David Wagner) 169
    - 5.1.1 The Mobile Phishing Threat 170
    - 5.1.2 Common Control Transfers 172
    - 5.1.3 Phishing Attacks 178
    - 5.1.4 Web Sender ⇒ Mobile Target 182
    - 5.1.5 Web Sender ⇒ Web Target 184
    - 5.1.6 Attack Prevention 185
  - 5.2 Why Mobile Malware will Explode (Markus Jakobsson and Mark Grandcolas) 185
    - 5.2.1 Nineteen Eighty-Six: When it all Started 186
    - 5.2.2 A Glimpse of Users 186
    - 5.2.3 Why Market Size Matters 186
    - 5.2.4 Financial Trends 187
    - 5.2.5 Mobile Malware Outlook 187
  - 5.3 Tapjacking: Stealing Clicks on Mobile Devices (Gustav Rydstedt, Baptiste Gourdin, Elie Bursztein, and Dan Boneh) 189
    - 5.3.1 Framing Attacks 189
    - 5.3.2 Phone Tapjacking 191
    - 5.3.3 Framing Facebook 194
    - 5.3.4 Summary and Recommendations 195
- 6 The Internet and the Physical World 197
  - 6.1 Malware-Enabled Wireless Tracking Networks (Nathaniel Husted and Steven Myers) 197
    - 6.1.1 Introduction 198
    - 6.1.2 The Anatomy of a Modern Smartphone 199
    - 6.1.3 Mobile Tracking Networks: A Threat to Smartphones 200
    - 6.1.4 Conclusion 219
  - 6.2 Social Networking Leaks (Mayank Dhiman and Markus Jakobsson) 219
    - 6.2.1 Introduction 220
    - 6.2.2 Motivations for Using Social Networking Sites 220
    - 6.2.3 Trust and Privacy 221
    - 6.2.4 Known Issues 222
    - 6.2.5 Case Study: Social Networking Leaks in the Physical World 225
  - 6.3 Abuse of Social Media and Political Manipulation (Bruno Gonçalves, Michael Conover, and Filippo Menczer) 231
    - 6.3.1 The Rise of Online Grassroots Political Movements 231
    - 6.3.2 Spam and Astroturfing 232
    - 6.3.3 Deceptive Tactics 233
    - 6.3.4 The Truthy System for Astroturf Detection 236
    - 6.3.5 Discussion 240
- Part II: Thinking About Solutions
- 7 Solutions to the Problem 245
  - 7.1 When and How to Authenticate (Richard Chow, Elaine Shi, Markus Jakobsson, Philippe Golle, Ryusuke Masuoka, Jesus Molina, Yuan Niu, and Jeff Song) 245
    - 7.1.1 Problem Description 246
    - 7.1.2 Use Cases 247
    - 7.1.3 System Architecture 248
    - 7.1.4 User Privacy 250
    - 7.1.5 Machine Learning/Algorithms 250
    - 7.1.6 User Study 252
  - 7.2 Fastwords: Adapting Passwords to Constrained Keyboards (Markus Jakobsson and Ruj Akavipat) 255
    - 7.2.1 The Principles Behind Fastwords 256
    - 7.2.2 Basic Feature Set 258
    - 7.2.3 Extended Feature Set 260
    - 7.2.4 Sample Stories and Frequencies 261
    - 7.2.5 Recall Rates 262
    - 7.2.6 Security Analysis 264
    - 7.2.7 The Security of Passwords 264
    - 7.2.8 Entry Speed 268
    - 7.2.9 Implementation of Fastword Entry 270
    - 7.2.10 Conclusion 271
  - 7.3 Deriving PINs from Passwords (Markus Jakobsson and Debin Liu) 271
    - 7.3.1 Introduction 272
    - 7.3.2 A Brief Discussion of Passwords 273
    - 7.3.3 How to Derive PINs from Passwords 274
    - 7.3.4 Analysis of Passwords and Derived PINs 275
    - 7.3.5 Security Analysis 278
    - 7.3.6 Usability Experiments 280
  - 7.4 Visual Preference Authentication (Yuan Niu, Markus Jakobsson, Gustav Rydstedt, and Dahn Tamir) 282
    - 7.4.1 Password Resets 282
    - 7.4.2 Security Questions Aren't so Secure 283
    - 7.4.3 What is Visual Preference-Based Authentication 283
    - 7.4.4 Evaluating Visual Preference-Based Authentication 285
    - 7.4.5 Case Study: Visual Blue Moon Authentication 286
    - 7.4.6 Conclusion 290
  - 7.5 The Deadly Sins of Security User Interfaces (Nathan Good) 290
    - 7.5.1 Security Applications with Frustrating User Interfaces 291
    - 7.5.2 The Four Sins of Security Application User Interfaces 293
    - 7.5.3 Consumer Choice: A Security Bugbear 293
    - 7.5.4 Security by Verbosity 299
    - 7.5.5 Walls of Checkboxes 300
    - 7.5.6 All or Nothing Switch 302
    - 7.5.7 Conclusion 304
  - 7.6 SpoofKiller—Let's Kiss Spoofing Goodbye! (Markus Jakobsson and William Leddy) 304
    - 7.6.1 A Key to the Solution: Interrupts 305
    - 7.6.2 Why can the User Log in to Good Sites, but not Bad Ones? 305
    - 7.6.3 What About Sites that are Good . . . but not Certified Good? 308
    - 7.6.4 SpoofKiller: Under the Hood 309
    - 7.6.5 Say we Implement SpoofKiller—then What? 311
  - 7.7 Device Identification and Intelligence (Ori Eisen) 312
    - 7.7.1 1995–2001: The Early Years of Device Identification 313
    - 7.7.2 2001–2008: Tagless Device Identification Begins 314
    - 7.7.3 2008–Present: Private Browsing and Beyond 319
  - 7.8 How can we Determine if a Device is Infected or not? (Aurélien Francillon, Markus Jakobsson, and Adrian Perrig) 323
    - 7.8.1 Why Detection is Difficult 323
    - 7.8.2 Setting up an Isolated Environment 324
    - 7.8.3 What Could go Wrong? 326
    - 7.8.4 Brief Comparison with TrustZone 328
    - 7.8.5 Summary 328
- 8 The Future 331
  - 8.1 Security Needs the Best User Experience (Hampus Jakobsson) 332
    - 8.1.1 How the User Won Over Features 332
    - 8.1.2 So How Come the iPhone Became so Successful? 332
    - 8.1.3 A World of Information Anywhere 333
    - 8.1.4 Midas' Touch Screens 334
    - 8.1.5 New Input, New Opportunities 335
    - 8.1.6 Zero-Click and Real-Life User Interfaces 335
    - 8.1.7 Privacy and User Interfaces 336
    - 8.1.8 It all Comes Together 336
  - 8.2 Fraud and the Future (Markus Jakobsson) 336
- References 339
- Index 359
Reviews
- "For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet." (Word Virus, 17 April 2013)
- "For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet." (Slashdot, 15 April 2013)
- "The book includes possible solutions to some of the problems, but the overwhelming appeal of this text is the awareness it provides. Summing Up: Highly recommended. Students of all levels, general readers, and professionals/practitioners." (Choice, 1 January 2012)