The Death of the Internet (E-Book)

Description

Fraud poses a significant threat to the Internet. 1.5% of all online advertisements attempt to spread malware. This lowers the willingness to view or handle advertisements, which will severely affect the structure of the web and its viability. It may also destabilize online commerce. In addition, the Internet is increasingly becoming a weapon for political targets by malicious organizations and governments. This book will examine these and related topics, such as smart phone based web security. This book describes the basic threats to the Internet (loss of trust, loss of advertising revenue, loss of security) and how they are related. It also discusses the primary countermeasures and how to implement them.

Page count: 874

Year of publication: 2012




Contents

Cover

Title Page

Copyright

Dedication

Foreword

Preface

Is the Title of this Book a Joke?

Acknowledgments

Contributors

Part I: The Problem

Chapter 1: What Could Kill the Internet? And so What?

Chapter 2: It is About People

2.1 Human and Social Issues

2.2 Who are the Criminals?

Chapter 3: How Criminals Profit

3.1 Online Advertising Fraud

3.2 Toeing the Line: Legal but Deceptive Service Offers

3.3 Phishing and Some Related Attacks

3.4 Malware: Current Outlook

3.5 Monetization

Chapter 4: How Things Work and Fail

4.1 Online Advertising: With Secret Security

4.2 Web Security Remediation Efforts

4.3 Content-Sniffing XSS Attacks: XSS with Non-HTML Content

4.4 Our Internet Infrastructure at Risk

4.5 Social Spam

Acknowledgment

4.6 Understanding CAPTCHAs and Their Weaknesses

4.7 Security Questions

4.8 Folk Models of Home Computer Security

4.9 Detecting and Defeating Interception Attacks Against SSL

Acknowledgments

Chapter 5: The Mobile Problem

5.1 Phishing on Mobile Devices

5.2 Why Mobile Malware will Explode

5.3 Tapjacking: Stealing Clicks on Mobile Devices

Acknowledgment

Chapter 6: The Internet and the Physical World

6.1 Malware-Enabled Wireless Tracking Networks

6.2 Social Networking Leaks

6.3 Abuse of Social Media and Political Manipulation

Acknowledgments

Part II: Thinking About Solutions

Chapter 7: Solutions to the Problem

7.1 When and How to Authenticate

7.2 Fastwords: Adapting Passwords to Constrained Keyboards

Acknowledgments

7.3 Deriving PINs from Passwords

7.4 Visual Preference Authentication

7.5 The Deadly Sins of Security User Interfaces

7.6 SpoofKiller—Let's Kiss Spoofing Goodbye!

7.7 Device Identification and Intelligence

7.8 How can we Determine if a Device is Infected or not?

Further Reading

Chapter 8: The Future

8.1 Security Needs the Best User Experience

8.2 Fraud and the Future

References

Index

Copyright © 2012 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Jakobsson, Markus.

The death of the Internet / by Markus Jakobsson.

pages cm

Includes bibliographical references.

ISBN 978-1-118-06241-8 (pbk.)

1. Internet–Security measures. 2. Electronic commerce–Security measures.

3. Data protection. 4. Computer crimes. I. Title.

TK5105.875.I57.J34 2012

005.8–dc23

2011047198

For A and Art.

Foreword

It is tempting to believe that Internet security is somebody else's problem, or that it is a problem that eventually will vanish, as technology improves. This is a dangerous belief; burglary has not vanished because of improvements in door and window locks, and Internet security is similarly unlikely to change as technology gets better. In considering the recent past, I think it is easy to say that increased awareness of Internet security has not had much impact on the rate of victimization of consumers. Given how many Internet users there now are—significantly over 1 billion people, and as high as 2 billion by some counts—consciously improving the rate of awareness of populations at this scale is incredibly difficult and time consuming. And technology leaps often make things worse, quite as much as they make things better.

This is not a Chicken Little situation of “the sky is falling, the sky is falling,” but we will find ourselves in an increasingly difficult situation soon, unless we start to pay more attention to Internet problems than we have done in the last few years. To begin with, we need to ensure that we not only understand the problem—and not just its manifestation—but also its underlying reasons for being. Then, we need to start designing new technology to save ourselves—and our users—from greed and crime, from the very things that have made the Internet so successful: how efforts scale, how everybody can participate, and from the low costs of entry. We also need to consider possible regulation, as it is unlikely that the technology industry's call for self-regulation will be heeded any more than that of the road or aviation industries in the 1910s and 1920s.

Let me tell you a little bit about myself first, to give you some perspective on my viewpoint. I have been a technology strategist for nearly three decades, honing my craft first within the confines of a corporate environment, but in recent years increasingly looking outside that mothership. In the early 2000s, I spent quite a bit of time in the identity space—I was President of the Liberty Alliance, which was an open standards consortium that developed the first meaningful identity federation protocol, SAML 2.0. Since 2006, I have been CISO at PayPal. Given PayPal's global reach, the size of our user base (in mid-2011, over 100 million active customers) and the nature of our systems, which move money from any arbitrary point A to point B on the planet, we tend to find ourselves at the leading edge of new classes of criminal attacks. Willy nilly, we find ourselves having to craft solutions to problems that the rest of the industry barely recognizes as problems, let alone admits there are solutions for.

Here is what I believe we must do. We must begin by understanding our vulnerabilities, whether they are social or technical. We must then instrument our systems, both technical and societal, to collect metrics about everything relevant. After all, how can we argue about reality objectively without having hard data about it? And then we must take the next step, and measure what is not yet reality—trying to predict behaviors and vulnerabilities, in other words. With these hard won insights, we must then create plans for the future. You cannot design a system—especially not a security system—without understanding what affects security and everything that affects security.

That is what this book is about. It describes the Internet, and the mobile Internet, in a crisp and convincing manner. It is infused with the anticipation of trends and describes how these will affect us, for good and bad. And it gives examples of novel approaches that we can take to change the course of the future, and avoid what otherwise may become what the title of the book states—The Death of the Internet.

I encourage anyone with an interest in the Internet; in technology; in online commerce, or indeed in a fair and open society to read this book. These are important topics and this book does an excellent job in provoking alternative ways of thinking about them.

Michael Barrett

San Jose, CA

May 2012

Chief Information Security Officer, PayPal

Preface

Imagine life without electricity. Although most of humankind has managed just fine without electricity, its loss would certainly impact society most profoundly. Now imagine that hundreds of thousands of criminals all over the world could make a quick profit by doing something that—little by little—killed the electric infrastructure. And that politically adversarial individuals and governments could speed up this looming catastrophe if they wanted to. It is terrible to imagine. And yet, it is a very real threat—although to the Internet.

Criminals have an array of ways to abuse the Internet, most commonly in order to make money: Internet crime is both profitable and safe for criminals to engage in. Online crime scales exceptionally well, and is fast to perpetrate. It is often difficult to identify abuse, and almost always difficult to track down the criminals. And most of the time, offenders who are detected and blocked simply vanish, only to resurface with a new pseudonym shortly thereafter. While financial abuses are difficult to block and track, politically motivated abuse is yet harder to control. This is because politically motivated attacks do not involve taking money out of the system—which is often the hardest and riskiest part of online crime.

Any disruptions to the Internet would send shock waves through society. It would affect telephony; banking; how corporations do business; how the energy grid is controlled; and how many of us make a living. It would disrupt government, media, and military. It would impact our entire infrastructure—including our trust infrastructure.

Like a bridge that may tolerate increasing strains until it comes crashing down, the Internet may hold up well until the tipping point is reached. We must not wait for that moment. We must understand the problems, and defend against them—before they develop, if possible. We must understand how things can go wrong, and how we can engineer things better.

This book describes the problems the Internet is facing, and gives examples of some possible solutions. You do not need a deep technical background to understand the general nature of these. At the same time, each chapter has in-depth material for readers who do not want to stop at understanding the general concepts, but who want to know exactly how things work.

I hope that the insights that you will gain by reading this book will help you make decisions or designs—depending on who you are—that will help rescue the Internet from the assault it is under.

Markus Jakobsson, PHD

Mountain View, CA

May 2012

Principal Scientist of Consumer Security, PayPal

Is the Title of this Book a Joke?

Maybe you thought the title of this book was simply chosen to demand attention, or a silly joke, and that the Internet cannot realistically be killed. If that is so, I want to start off by convincing you that it just is not so. Killed sounds drastic. Let us for a moment say “rendered useless” or “more or less abandoned.” Is that possible?

You may ask: What would render the Internet useless? And what would make people abandon it? Let me start off my explanation with an analogy.

Think about traveling by air. We all know that some flights get delayed. But most are not, and those that are delayed are only reasonably delayed. A few hours at most, but most often, they are delayed much less than that. We also know that people die in airplane accidents most every year. But most travelers arrive safe.
Imagine that most flights arrived late, and often quite drastically delayed. Maybe a week, maybe two. And imagine further that airplane accidents became dramatically more common. Maybe half of all flights would not arrive at all, but everybody on the flight would end up on the bottom of the ocean.
Nobody in their right mind would fly if this were so. It would render air travel useless from a practical perspective, and people would abandon it and take the train, or even walk rather than setting foot in an airplane. In other words, these increases of inconveniences and risks would kill aviation.

Now, let us talk about the Internet. The first commercial spam message was sent on March 5, 1994 by an Arizona-based law firm. In the years to follow, spam became more and more prevalent. Still, it shocked a lot of people when the amount of spam overtook that of legitimate emails. Many did not think that it could ever become that bad. In spite of impressive advancements in spam blocking technologies, less than 5% of email is legitimate at the time of writing, and most of us receive one or two spam messages every day. But a spam message that manages to sneak by the filters typically only wastes a few seconds of our time, with no further consequences to the typical recipient. Things could be worse.

What would happen if, in spite of our best efforts to keep the Internet secure, less than 5% of websites were secure, and the rest were hosting malware? Defenses may improve, but what if our normal activities still resulted in malware slipping through once or twice a day? What would be the consequences to online commerce if only 5% of advertisements were honest, and the rest attempted to defraud buyers? Looking from the other side, what would advertisers do if 95% of users had infected computers that constantly were committing clickfraud? How would we be affected if less than 5% of the information we find was correct?
The likely answer is that there would be a drastic change in how we use the Internet, and what we dare to use it for. Following our aviation analogy, these increases of inconveniences and risks could and would kill the Internet.

That is what this book is about. This book explains what might kill the Internet by making it useless and dangerous. And how we are inching toward a tipping point where the result would be the death of the Internet. Where is that point? Nobody knows.

This book also investigates what can be done to stop that from happening, given a thorough understanding of what the problem is. It does not contain an exhaustive list of all the dangers, and certainly not a complete list of meaningful solutions. But it does explain how to think about the problems and the solutions in a way that helps you—and others like you—start thinking about how we can prevent the death of the Internet. We depend too much on it to let it go.

So, no, the title of the book is not a cheap attention grabber or a joke. I am serious when I say that the situation is too serious.

Acknowledgments

Internet security—and insecurity—is both a compelling and terrifying topic to write about. Even more than other aspects of the Internet, it is amorphous and under constant evolution—fueled by both the introduction of new features and services and the criminal realization that these offer new opportunities. It is a vast topic. It is technical, legal, and social. It requires an understanding of the markets, computing, and psychology. You may feel that reading this book is much like drinking from a fire hose. This is also how writing it has been.

We would like to thank BITS and the BITS Security Steering Committee for permitting the reuse of portions of the BITS Malware Risks and Remediation Report. The full report, developed by members of the BITS Security Working Group, is publicly available at www.bits.org. BITS addresses issues at the intersection of financial services, technology, and public policy, where industry cooperation serves the public good, such as critical infrastructure protection, fraud prevention, and the safety of financial services. BITS is the technology policy division of the Financial Services Roundtable, which represents 100 of the largest integrated financial services companies providing banking, insurance, and investment products and services to the American consumer.

I could not have pulled this off on my own, and I am indebted to my many contributors, all of whom have invested their time and passion in making this book fantastic. In particular, I want to thank Ruj Akavipat, Adam Barth, Dan Boneh, Garth Bruen, Igor Bulavko, Elie Bursztein, Juan Caballero, Richard Chow, Michael Conover, Mayank Dhiman, Ori Eisen, Bruno Gonçalves, Baptiste Gourdin, Mark Grandcolas, Jeff Hodges, Mohammad Hossein Manshaei, Jean-Pierre Hubaux, Nathaniel Husted, Hampus Jakobsson, William Leddy, Debin Liu, Filippo Menczer, Steven Myers, Dimitar Nikolov, Yuan Niu, Adrienne Porter Felt, Ariel Rabkin, Emilee Rader, Gustav Rydstedt, Elaine Shi, Christopher Soghoian, Dawn Song, Sid Stamm, Andy Steingruebl, Nevena Vratonjic, David Wagner, Rick Wash, Ruilin Zhu, and Members of the BITS Security Working Group and staff leads Greg Rattray and Andrew Kennedy.

I know few people as hardworking and dedicated as Liu Yang, and I owe my sanity to him for helping me with all practical issues surrounding conversions to LaTeX, hacking the template to make things look nice, and ensuring that everything was complete.

I am also thankful for the administrative help I have received from Wiley and HEP. Finally, thanks to all my wonderful colleagues, many of whom also contributed to this book.

Contributors

Ruj Akavipat, Department of Computer Engineering, Mahidol University, Bangkok, Thailand

Adam Barth, IMDEA Software Institute, Google, Inc., University of California, Berkeley, San Francisco, CA, USA

Dan Boneh, Department of Computer Science and Electrical Engineering, Stanford University, Stanford, CA, USA

Garth Bruen, KnujOn.com LLC, Brookline, MA, USA

Igor Bulavko, PayPal, Inc., San Jose, CA, USA

Elie Bursztein, Security Laboratory, Computer Science Department, Stanford University, Stanford, CA, USA

Juan Caballero, IMDEA Software Institute, Madrid, Spain

Richard Chow, Palo Alto Research Center (PARC), Palo Alto, CA, USA

Michael Conover, School of Informatics and Computing, Indiana University, Bloomington, IN, USA

Mayank Dhiman, PEC University of Technology, Ambala, Chandigarh, India

Ori Eisen, The 41st Parameter, Inc., Scottsdale, AZ, USA

Adrienne Porter Felt, Computer Science Division, University of California, Berkeley, CA, USA

Aurélien Francillon, EURECOM, Sophia Antipolis, France

Philippe Golle, Google, Inc., Mountain View, CA, USA

Bruno Gonçalves, Northeastern University, Boston, MA, USA

Nathan Good, Principal Good Research LLC, Berkeley, CA USA

Baptiste Gourdin, LSV, INRIA & ENS-Cachan, Paris, France

Mark Grandcolas, FatSkunk, Inc., Mountain View, CA, USA

Jeff Hodges, PayPal, Inc., San Jose, CA, USA

Jean-Pierre Hubaux, School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland

Nathaniel Husted, School of Informatics and Computing, Indiana University, Bloomington, IN, USA

Hampus Jakobsson, Independent Researcher, Limhamn, Sweden

Markus Jakobsson, PayPal, Inc., San Jose, CA, USA

Andrew Kennedy, BITS/The Financial Services Roundtable, Washington, DC, USA

William Leddy, PayPal, Inc., Georgetown, Washington, DC, USA

Debin Liu, Information Risk Management, PayPal, Inc., Austin, TX, USA

Mohammad Hossein Manshaei, Department of Electrical and Computer Engineering, Isfahan University of Technology, Isfahan, Iran

Ryusuke Masuoka, Fujitsu, Sunnyvale, CA, USA

Filippo Menczer, School of Informatics and Computing, Indiana University, Bloomington, IN, USA

Jesus Molina, Fujitsu, Sunnyvale, CA, USA

Steven Myers, School of Informatics and Computing, Indiana University, Bloomington, IN, USA

Dimitar Nikolov, School of Informatics and Computing, Indiana University, Bloomington, IN, USA

Yuan Niu, Yahoo!, Sunnyvale; University of California, Davis, CA, USA

Adrian Perrig, Cybersecurity Laboratory (CyLab), Department of Electrical and Computer Engineering, Department of Engineering and Public Policy, and School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, USA

Ariel Rabkin, Electrical Engineering and Computer Science Department, University of California, Berkeley, CA, USA

Emilee Rader, Department of Telecommunication, Information Studies and Media, College of Communication Arts and Sciences, Michigan State University, East Lansing, MI, USA

Greg Rattray, Delta Risk LLC, Washington, DC, USA

Gustav Rydstedt, Blizzard Entertainment, Huntington Beach, CA, USA

Elaine Shi, Palo Alto Research Center (PARC), University of California, Berkeley, CA, USA

Christopher Soghoian, Center for Applied Cybersecurity Research, Indiana University, Bloomington, IN, USA

Dawn Song, IMDEA Software Institute, Google, Inc., Computer Science Department, University of California, Berkeley, CA, USA

Jeff Song, Fujitsu, Sunnyvale, CA, USA

Sid Stamm, Independent Security and Privacy Researcher, Santa Clara, CA, USA

Andy Steingruebl, Information Risk Management, PayPal, Inc., San Jose, CA, USA

Dahn Tamir, Entropy Management Services, Techlist, Las Vegas, NV, USA

Nevena Vratonjic, School of Computer and Communication Sciences, EPFL, Lausanne, Switzerland

David Wagner, Computer Science Division, University of California, Berkeley, CA, USA

Rick Wash, School of Journalism, and Department of Telecommunication, Information Studies and Media, Michigan State University, East Lansing, MI, USA

Ruilin Zhu, Peking University, Beijing, China

Part I

The Problem

If you only know half the rules of a game, do you think you can win?

We need to understand what is wrong before we can fix it. But the problem is not always simple. When we deal with the Internet, it almost never is. We need to understand the technical aspects of the problem. What is computed, what is stored, how can what we want to do go wrong? And the social—how people think, how do they make mistakes? These people—that includes both the potential victims and their attackers—why do they do what they do? Then we need to understand the structural aspects of the problem. Who knows what? Who can detect abuse? Who can stop it?

We will begin the book by describing the problem. We will explain some commonly exploited vulnerabilities—and some that are just emerging. We will talk about how taking advantage of these will enable an attacker to reach his goals. That, of course, forces us to also have to understand exactly what motivates the adversary. And, of course, we have to try to understand the capabilities and limitations of the attacker. Then we can start thinking about how to address the problems we perceive.

This book is not about the particular vulnerabilities or solutions we will describe. It is about connecting the dots. The Internet is changing, and so are the threats that are posed to it. Once we recognize this, it becomes natural that we also need to be able to anticipate trends. Security trends are driven by both markets (such as an increase of vulnerable devices) and opportunities (such as the ability to easily monetize stolen information). We will look at existing problems through the lens of what caused them. This will give us practice to anticipate what comes next, and be proactive.

Chapter 1

What Could Kill the Internet? And so What?

Anything that makes the Internet either dangerous or meaningless could kill it.

The dangers may be to your machine, to proprietary information, to your financial situation, or even to you.

Malware can corrupt your machine. It can destroy data and software. It can even destroy hardware—for example, by rewriting your computer's EEPROM or flash memories so many times that they burn out. That takes only a few seconds per block, and if strategically chosen blocks are damaged, the hardware is rendered useless. Malware can also affect external equipment or processes, as the Stuxnet worm exemplified in 2010. It can be used to turn on the microphone of your phone, turning you into a walking eavesdropping bot—and you would not even know it! Malware is believed to commonly be used to steal corporate and national secrets.

Most of the time, though, malware will only attempt to steal your money. That is the same goal as phishers have. And it is the same goal as scam artists have, attempting to convince their victims to send them money or merchandise. Often referred to as Nigerian scammers, these are certainly not all in Nigeria, although a surprisingly high number are.

The Internet—as well as wireless networks—can also be used to spy on people, to determine their location, for example. This can have direct physical consequences, whether the attack is mounted by a crazed ex-partner, political enemies, or common criminals. While this type of tracking is not commonly heard about today, it does not mean that it does not happen. And it certainly does not mean that it cannot happen. In fact, and as we describe in Section 6.1, it can be done on a grand scale without any significant investment.

Those are just a few examples of dangers that did not exist just a few years ago, and which soon may take up first-page newspaper space. There are also plenty of ways in which the Internet may become meaningless.

When we speak of spam, almost everybody thinks of unwanted email. A similar type of spam affects mobile communications—SMS spam. Voice spam is closely related to telemarketing. Instant messaging and online game messaging are also vulnerable to spam. But not all spam is about selling counterfeit Viagra or Rolexes. The term is also used to refer to other junk material, such as material intended to fool search engines into ranking particular pages higher than they otherwise would. It can be used to manipulate reputations of sites and services—typically to make them look more attractive than they are, but sometimes the other way, to stab competitors. Spam is also used to mean polluted peer-to-peer material—material that claims to be things it is not.

Spam is not the only source of pollution of information, though. Criminals can deceive news organizations to broadcast untruthful information. Given the increased competition to be first in online media, it is sometimes hard for journalists to balance the need to validate information—and to be first. Malware and spoofing can be used to make information appear to have originated with trusted sources. Criminals may benefit from the pollution of information in many ways. Politically, by sowing doubts and causing fear and confusion. Financially, by manipulating the markets.

The Internet could also become meaningless by becoming so dangerous that typical users restrain their activities and only dare to engage in a minimal manner.

But “meaningless” is in the eye of the beholder. Typical users would have one view of what could make the Internet meaningless. Service providers have a very different view. To online merchants, the Internet would be meaningless if nobody buys their products using it, or if it cannot be used to advertise products that are sold off-line. If this were to happen, advertising would plummet. Since many free services depend on advertisements, that type of development would affect them, and they would scale back or vanish. A lot of services we have come to take for granted fall into this category, starting with search engines, but also including online news services, many content distribution sites, email service providers (do you remember—we used to pay for email …) and other services, such as translation services, recommendation services, navigation services, consumer advice services … you name it, it is probably on the list.

So what happens if people do not dare to watch advertisements? Or if click-fraud runs rampant? It is the same end result. No advertisements … no services.

Severe attacks on the Internet will send shockwaves through society.

If your livelihood depends on the Internet—like mine does—then you are surely aware of what the impact would be to you of any severe problems with it. You know that you would not be happy if the Internet were crippled by fraud. But if that does not describe you, you might shrug, thinking that this is not such a big deal. After all, you may think, you can live just fine without reading the news online, and you can drive to the store instead of shopping online. Right? Wrong.

“My phone will still work.” Well, maybe not. You may not use VoIP services, but most phone calls are still routed over the Internet. If the Internet goes down, your phone goes dead. And so will the phone of your local 911 dispatcher.

“My lights and heat will still work.” Maybe. Maybe not. Our electricity infrastructure is almost as complex as the Internet. Power is routed to where it is needed. The production is ramped up and down to meet the demand. The failure of one part of the system can cause failures in other parts of the system. And since the coordination of this complex system is done using the Internet, even electricity delivery may suffer from severe attacks on the Internet.

“I can still walk down to the grocery store and get what I need.” Yes, you can. But what if their ordering system or delivery system depends on the Internet, or on companies who depend on the Internet? Will the shelves still be full? Maybe not.

“I still have money in the bank.” You may not lose your password to phishing or malware, but what if your bank clerk loses it—or accidentally leaks your mother's maiden name? It may take a while for you to get your money back. And what if the financial system is hampered by a lack of trust; by invalid trades; by general abuse?

Even if the Internet is not taken down by attacks, we may all be affected by rising levels of fraud.

You and I may have bulletproof antivirus software on our computers—and phones—and still be affected. For example, if people passing you in town have infected phones, these phones may render your phone useless simply by making phone calls or web accesses in dramatic quantities. It would be hard for you to get a connection when you want one.

If you use a Bluetooth enabled headset and let your phone be discoverable, then your phone can be tracked by infected phones in your neighborhood. In fact, it may not matter whether your phone is discoverable or not if nearby devices can eavesdrop on signals: your phone will send its Bluetooth device identifier in the clear.

But it is not all about phones. Do you use social networking? Many services will detect if you are online or not. Your online/offline patterns may say a lot about you. Who you are, what you do.

Internet terrorism is easy, and we are weak.

So far, I have argued that online attacks may result in problems in society. In lack of trust, degradation of our infrastructure, increases of costs to do business. But the consequences of online attacks could also be what invites abuse. If a hostile country or organization wants to hurt us, they may find that the easiest way of doing it is by attacking the Internet. Our dependence on the Internet will invite attacks. We have already seen instances of massive cyber attacks, such as those on Estonia in 2007. We are not safe from such attacks. If anything, we may be more vulnerable to them, as our dependence on the Internet is greater—and increasing by the day.

Since 2001, we are all aware of terrorism. What makes it terrifying is not only its arbitrariness, but its asymmetric nature. A small number of dedicated aggressors can inflict massive damage and suffering to large numbers of victims. The terrorists, of course, do not attack us because it is fun—they do it to further their political agendas. From their point of view, what they do is justified by the needs.

Of course, every society does what they think is justified by their needs—if they think they can get away with it, at least. Now, imagine that you belonged to an organization that needed to send a strong signal to a society or organization you disagree with. You may not have a powerful army to engage to pressure your enemy with. But you have other, and simpler, ways. You can degrade their infrastructure—with the click of a mouse. You can cause severe interruptions, degrade their economy, spread fear and confusion. Would you be tempted to click? Of course you would. And if you would not, then somebody else in your organization surely would.

That is also what we are up against. It is not only about fraudsters trying to make a profit.