Chapter 1 What Could Kill the Internet? And so What? 3
Chapter 2 It is About People 7
2.1 Human and Social Issues (Markus Jakobsson) 7
2.1.1 Nigerian Scams 8
2.1.2 Password Reuse 9
2.1.3 Phishing 11
2.2 Who are the Criminals? (Igor Bulavko) 13
2.2.1 Who are they? 14
2.2.2 Where are they? 14
2.2.3 Deep-Dive: Taking a Look at Ex-Soviet Hackers 14
2.2.4 Let's try to Find Parallels in the World we Live in 16
2.2.5 Crime and Punishment? 17
Chapter 3 How Criminals Profit 19
3.1 Online Advertising Fraud (Nevena Vratonjic, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux) 20
3.1.1 Advertising on the Internet 20
3.1.2 Exploits of Online Advertising Systems 24
3.1.3 Click Fraud 25
3.1.4 Malvertising: Spreading Malware via Ads 31
3.1.5 Inflight Modification of Ad Traffic 33
3.1.6 Adware: Unsolicited Software Ads 35
3.1.7 Conclusion 36
3.2 Toeing the Line: Legal but Deceptive Service Offers (Markus Jakobsson and Ruilin Zhu) 36
3.2.1 How Does it Work? 37
3.2.2 What do they Earn? 37
3.3 Phishing and Some Related Attacks (Markus Jakobsson and William Leddy) 39
3.3.1 The Problem is the User 39
3.3.2 Phishing 39
3.3.3 Man-in-the-Middle 40
3.3.4 Man-in-the-Browser 41
3.3.5 New Attack: Man-in-the-Screen 42
3.4 Malware: Current Outlook (Members of the BITS Security Working Group and staff leads Greg Rattray and Andrew Kennedy) 43
3.4.1 Malware Evolution 43
3.4.2 Malware Supply and Demand 49
3.5 Monetization (Markus Jakobsson) 54
Chapter 4 How Things Work and Fail 59
4.1 Online Advertising: With Secret Security (Markus Jakobsson) 60
4.1.1 What is a Click? 60
4.1.2 How Secret Filters are Evaluated 63
4.1.3 What do Fraudsters Know? 64
4.2 Web Security Remediation Efforts (Jeff Hodges and Andy Steingruebl) 65
4.2.1 Introduction 65
4.2.2 The Multitude of Web Browser Security Mechanisms 66
4.2.3 Where do we go from Here? 78
4.3 Content-Sniffing XSS Attacks: XSS with Non-HTML Content (Juan Caballero, Adam Barth, and Dawn Song) 78
4.3.1 Introduction 78
4.3.2 Content-Sniffing XSS Attacks 80
4.3.3 Defenses 88
4.3.4 Conclusion 93
4.4 Our Internet Infrastructure at Risk (Garth Bruen) 93
4.4.1 Introduction 93
4.4.2 The Political Structure 94
4.4.3 The Domain 96
4.4.4 WHOIS: Ownership and Technical Records 98
4.4.5 Registrars: Sponsors of Domain Names 100
4.4.6 Registries: Sponsors of Domain Extensions 101
4.4.7 CCTLDs: The Sovereign Domain Extensions 103
4.4.8 ICANN: The Main Internet Policy Body 104
4.4.9 Conclusion 106
4.5 Social Spam (Dimitar Nikolov and Filippo Menczer) 108
4.5.1 Introduction 108
4.5.2 Motivations for Spammers 110
4.5.3 Case Study: Spam in the GiveALink Bookmarking System 113
4.5.4 Web Pollution 120
4.5.5 The Changing Nature of Social Spam: Content Farms 121
4.5.6 Conclusion 122
4.6 Understanding CAPTCHAs and Their Weaknesses (Elie Bursztein) 122
4.6.1 What is a Captcha? 123
4.6.2 Types of Captchas 123
4.6.3 Evaluating Captcha Attack Effectiveness 124
4.6.4 Design of Captchas 124
4.6.5 Automated Attacks 129
4.6.6 Crowd-Sourcing: Using Humans to Break Captchas 134
4.7 Security Questions (Ariel Rabkin) 136
4.7.1 Overview 137
4.7.2 Vulnerabilities 139
4.7.3 Variants and Possible Defenses 143
4.7.4 Conclusion 145
4.8 Folk Models of Home Computer Security (Rick Wash and Emilee Rader) 146
4.8.1 The Relationship Between Folk Models and Security 146
4.8.2 Folk Models of Viruses and Other Malware 148
4.8.3 Folk Models of Hackers and Break-Ins 152
4.8.4 Following Security Advice 156
4.8.5 Lessons Learned 159
4.9 Detecting and Defeating Interception Attacks Against SSL (Christopher Soghoian and Sid Stamm) 160
4.9.1 Introduction 160
4.9.2 Certificate Authorities and the Browser Vendors 161
4.9.3 Big Brother in the Browser 164
4.9.4 Compelled Assistance 165
4.9.5 Surveillance Appliances 166
4.9.6 Protecting Users 166
4.9.7 Threat Model Analysis 170
4.9.8 Related Work 173
4.9.9 Conclusion 175
Chapter 5 The Mobile Problem 177
5.1 Phishing on Mobile Devices (Adrienne Porter Felt and David Wagner) 177
5.1.1 The Mobile Phishing Threat 178
5.1.2 Common Control Transfers 181
5.1.3 Phishing Attacks 186
5.1.4 Web Sender → Mobile Target 190
5.1.5 Web Sender → Web Target 192
5.1.6 Attack Prevention 193
5.2 Why Mobile Malware will Explode (Markus Jakobsson and Mark Grandcolas) 193
5.2.1 Nineteen Eighty-Six: When it all Started 194
5.2.2 A Glimpse of Users 194
5.2.3 Why Market Size Matters 194
5.2.4 Financial Trends 195
5.2.5 Mobile Malware Outlook 195
5.3 Tapjacking: Stealing Clicks on Mobile Devices (Gustav Rydstedt, Baptiste Gourdin, Elie Bursztein, and Dan Boneh) 197
5.3.1 Framing Attacks 197
5.3.2 Phone Tapjacking 199
5.3.3 Framing Facebook 202
5.3.4 Summary and Recommendations 203
Chapter 6 The Internet and the Physical World 205
6.1 Malware-Enabled Wireless Tracking Networks (Nathaniel Husted and Steven Myers) 205
6.1.1 Introduction 206
6.1.2 The Anatomy of a Modern Smartphone 208
6.1.3 Mobile Tracking Networks: A Threat to Smartphones 209
6.1.4 Conclusion 228
6.2 Social Networking Leaks (Mayank Dhiman and Markus Jakobsson) 228
6.2.1 Introduction 229
6.2.2 Motivations for Using Social Networking Sites 229
6.2.3 Trust and Privacy 230
6.2.4 Known Issues 231
6.2.5 Case Study: Social Networking Leaks in the Physical World 234
6.3 Abuse of Social Media and Political Manipulation (Bruno Goncalves, Michael Conover, and Filippo Menczer) 241
6.3.1 The Rise of Online Grassroots Political Movements 241
6.3.2 Spam and Astroturfing 242
6.3.3 Deceptive Tactics 243
6.3.4 The Truthy System for Astroturf Detection 246
6.3.5 Discussion 250
Part II Thinking About Solutions 255
Chapter 7 Solutions to the Problem 255
7.1 When and How to Authenticate (Richard Chow, Elaine Shi, Markus Jakobsson, Philippe Golle, Ryusuke Masuoka, Jesus Molina, Yuan Niu, and Jeff Song) 256
7.1.1 Problem Description 256
7.1.2 Use Cases 257
7.1.3 System Architecture 258
7.1.4 User Privacy 260
7.1.5 Machine Learning/Algorithms 260
7.1.6 User Study 262
7.2 Fastwords: Adapting Passwords to Constrained Keyboards (Markus Jakobsson and Ruj Akavipat) 265
7.2.1 The Principles Behind Fastwords 266
7.2.2 Basic Feature Set 268
7.2.3 Extended Feature Set 270
7.2.4 Sample Stories and Frequencies 272
7.2.5 Recall Rates 273
7.2.6 Security Analysis 274
7.2.7 The Security of Passwords 275
7.2.8 Entry Speed 279
7.2.9 Implementation of Fastword Entry 281
7.2.10 Conclusion 282
7.3 Deriving PINs from Passwords (Markus Jakobsson and Debin Liu) 283
7.3.1 Introduction 283
7.3.2 A Brief Discussion of Passwords 285
7.3.3 How to Derive PINs from Passwords 285
7.3.4 Analysis of Passwords and Derived PINs 287
7.3.5 Security Analysis 290
7.3.6 Usability Experiments 292
7.4 Visual Preference Authentication (Yuan Niu, Markus Jakobsson, Gustav Rydstedt, and Dahn Tamir) 293
7.4.1 Password Resets 294
7.4.2 Security Questions Aren't so Secure 294
7.4.3 What is Visual Preference-Based Authentication 295
7.4.4 Evaluating Visual Preference-Based Authentication 297
7.4.5 Case Study: Visual Blue Moon Authentication 298
7.4.6 Conclusion 301
7.5 The Deadly Sins of Security User Interfaces (Nathan Good) 302
7.5.1 Security Applications with Frustrating User Interfaces 302
7.5.2 The Four Sins of Security Application User Interfaces 304
7.5.3 Consumer Choice: A Security Bugbear 305
7.5.4 Security by Verbosity 311
7.5.5 Walls of Checkboxes 312
7.5.6 All or Nothing Switch 314
7.5.7 Conclusion 316
7.6 SpoofKiller: Let's Kiss Spoofing Goodbye! (Markus Jakobsson and William Leddy) 316
7.6.1 A Key to the Solution: Interrupts 317
7.6.2 Why can the User Log in to Good Sites, but not Bad Ones? 317
7.6.3 What About Sites that are Good ... but not Certified Good? 320
7.6.4 SpoofKiller: Under the Hood 321
7.6.5 Say we Implement SpoofKiller then What? 324
7.7 Device Identification and Intelligence (Ori Eisen) 324
7.7.1 1995—2001: The Early Years of Device Identification 325
7.7.2 2001—2008: Tagless Device Identification Begins 327
7.7.3 2008—Present: Private Browsing and Beyond 332
7.8 How can we Determine if a Device is Infected or not? (Aurelien Francillon, Markus Jakobsson, and Adrian Perrig) 335
7.8.1 Why Detection is Difficult 335
7.8.2 Setting up an Isolated Environment 337
7.8.3 What Could go Wrong? 339
7.8.4 Brief Comparison with TrustZone 340
7.8.5 Summary 341
Chapter 8 The Future 343
8.1 Security Needs the Best User Experience (Hampus Jakobsson) 344
8.1.1 How the User Won Over Features 344
8.1.2 So How Come the iPhone Became so Successful? 345
8.1.3 A World of Information Anywhere 346
8.1.4 Midas' Touch Screens 346
8.1.5 New Input, New Opportunities 347
8.1.6 Zero-Click and Real-Life User Interfaces 348
8.1.7 Privacy and User Interfaces 348
8.1.8 It all Comes Together 349
8.2 Fraud and the Future (Markus Jakobsson) 349
References 353
Index 373