
Web App Security – The Good, the Bad and the Ugly

Ross Anderson
Cambridge University

Krakow, May 13th 2009

Is Web 2.0 Reinventing the Whole World?

html, javascript  →  FBML
SQL               →  FBQL
SMTP              →  FB Mail
Usenet            →  FB Groups
OpenID            →  FB Connect
Blogger           →  FB Notes
Twitter           →  FB Status Updates
craigslist        →  FB Marketplace

So what's changed?

- A cynic might say that IT just goes in cycles!
- Back in the 60s and 70s, we had mainframe bureau services
- Then we had minis, then PCs
- The pendulum seems to be swinging back – server farms do what mainframes used to
- And we get a wide range of terminals – phones, netbooks, PCs, …
- How should we make sense of all this?

Economics and Security

- About 2000, we realised that engineering analysis alone didn't explain all that goes wrong
- Economic analysis often explains failure better!
- Electronic banking: UK banks were less liable for fraud, so became careless and ended up suffering more internal fraud and errors
- Distributed denial of service: viruses now don't attack the infected machine so much as use it to attack others
- Why is Microsoft software so insecure, despite market dominance?

New View of Infosec

- Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives
- Medical record systems bought by research or finance directors, not patients – so failed to protect privacy
- Casino websites suffer when infected PCs run DDoS attacks on them
- Insecurity is often what economists call an 'externality' – a side-effect, like environmental pollution

IT Economics (1)

- The first distinguishing characteristic of many IT product and service markets is network effects
- Metcalfe's law – the value of a network grows as the square of the number of users
- Real networks – phones, fax, email
- Virtual networks – PC architecture versus Mac, or Symbian versus WinCE
- Network effects tend to lead to dominant-firm markets where the winner takes all

IT Economics (2)

- Second common feature of IT product and service markets is high fixed costs and low marginal costs
- Competition can drive down prices to the marginal cost of production
- This can make it hard to recover capital investment, unless stopped by patent, brand, compatibility …
- These effects can also lead to dominant-firm market structures

IT Economics (3)

- Third common feature of IT markets is that switching from one product or service to another is expensive
- E.g. switching from Windows to Linux means retraining staff, rewriting apps
- Shapiro-Varian theorem: the net present value of a software company is the total switching costs
- So major effort goes into managing switching costs – once you have $3000 worth of songs on a $300 iPod, you're locked into iPods

IT Economics and Security

- High fixed/low marginal costs, network effects and switching costs all tend to lead to dominant-firm markets with big first-mover advantage
- So time-to-market is critical
- Microsoft philosophy of 'we'll ship it Tuesday and get it right by version 3' was quite rational
- Whichever company had won in the PC OS business would have done the same
- "Growth is primary, revenue is secondary" – Mark Zuckerberg

IT Economics and Security (2)

- When building a network monopoly, you must appeal to vendors of complementary products
- That's application software developers in the case of PC versus Apple, then of Symbian versus Windows/Palm, now Facebook
- Lack of security in early Windows / Symbian / Facebook made life easier for them
- So did the choice of security technologies that dump costs on the user (SSL, not SET)
- Once you've a monopoly, lock it all down!

Security Economics and Web Applications

- The big security economics problem is aligning incentives
- The big system engineering problem is managing complexity. You want architecture, i.e. interfaces, to divide up systems sensibly
- Consider a travel agent, buying services from airlines, hotels etc. It pretty much all lines up
- Open interfaces, defined by contract
- Competition drives costs down, usability up

Security Economics and Web Applications (2)

- However, some web apps are platforms, so operate under the same forces as Windows or Symbian or S/360
- E.g. Facebook – huge network effects
- Incentives on its developers: grab the market now, fix privacy later; appeal to complementers (app writers)
- But does social context change anything?

How Fraud Adapts to SNS

- The old scams are still there – 419, spam, phishing, XSS, malware, click fraud, …
- Social context makes phishing more effective (72% in a controlled study – Jagatic), not to mention targeted attacks / scams
- Facebook now 7th biggest phishing target (after PayPal, top banks, eBay)
- Frequent genuine emails with login links
- Some incentive on the operator to fight it (spam caused the decline of MySpace, Friendster)

Privacy

- Most people say they value privacy, but act otherwise. Most privacy ventures failed. Why?
- Odlyzko – technology makes price discrimination both easier and more attractive
- Acquisti – people care about privacy when buying clothes, but not cameras
- Loewenstein – privacy is heavily context sensitive. People only really worry if salient
- Facebook viruses 'worse' than PC viruses (as more personal) or not (as less salient)?

Privacy and SNS

- Conflict of interest
- Facebook wants to sell user data
- Users want feeling of intimacy, small group, social control
- Very complex access controls – over 60 settings on 7 pages
- Over 90% of users never change defaults
- The complexity lets Facebook blame the customer when things go wrong

Privacy and SNS (2)

(no text transcribed for this slide)

Privacy and SNS (3)

- See our paper 'Eight friends are enough'
- Given the eight published friends, an outsider can run all the usual network analysis
- Including covert community detection as used by the spooks
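To make the 'eight friends are enough' point concrete, here is an added example (written for this page, not code from the paper or the talk): each user's page shows only eight friends, yet the union of those short lists hands an outsider most of the friendship graph, on which community detection then runs. The graph is constructed (two groups of ten joined by one bridge edge), and "publish the eight lowest-numbered friends" is an assumed stand-in for whatever selection a real site makes.

```python
"""Reconstructing a friendship graph from eight-friend lists and running a
crude community detector on the result. Constructed data throughout."""
from itertools import combinations


def two_groups(size=10):
    """Constructed ground truth: two cliques plus a single bridge edge."""
    edges = set()
    for base in (0, size):
        edges.update(combinations(range(base, base + size), 2))
    edges.add((size - 1, size))  # the one tie between the groups
    return edges


def adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def published_lists(edges, k=8):
    """What an outsider sees: k friends per user (assumed: the k lowest ids)."""
    return {u: sorted(f)[:k] for u, f in adjacency(edges).items()}


def reconstruct(public):
    """Outsider's graph: an edge is known if either endpoint lists it."""
    return {(min(u, v), max(u, v)) for u, fs in public.items() for v in fs}


def recovered_fraction(edges, k=8):
    """Fraction of true edges recovered from k-friend lists."""
    return len(reconstruct(published_lists(edges, k))) / len(edges)


def communities(edges):
    """Crude community detection: cut every edge that closes no triangle
    (friends inside a group share friends, a bridge does not) and return
    the connected components that remain, lowest id first."""
    adj = adjacency(edges)
    inner = adjacency({(u, v) for u, v in edges if adj[u] & adj[v]})
    seen, groups = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(inner.get(n, ()))
        seen |= comp
        groups.append(comp)
    return groups


if __name__ == "__main__":
    truth = two_groups()
    seen = reconstruct(published_lists(truth))
    print(f"{len(seen)} of {len(truth)} edges recovered from 8-friend lists")
    print("groups found:", [sorted(g) for g in communities(seen)])
```

On the constructed graph the outsider recovers 89 of 91 edges (only the two highest-numbered pairs inside each group are listed by neither endpoint), and the triangle-based cut separates the two groups exactly; the point is that the per-user limit of eight does very little to hide the structure once lists are unioned across users.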

Security Economics and Web Applications (3)

- As you'd expect from the incentives, Facebook provides the appearance of security, not the reality – 'security theatre'
- And it deals with the occasional outrage using 'democracy theatre' (see our blog, www.lightbluetouchpaper.org, for more)
- Is this sustainable?
- Long-term problem: European regulators

Security Economics and Web Applications (4)

- Sometimes the monopoly doesn't come from platform dynamics but exogenously
- Example: UK attempt to centralize all medical records, children's records
- Records at GPs, hospitals being moved to 'hosted' systems
- Sales pitch: benefits of research
- Driver: bureaucratic centralization
- Gotcha: I v Finland

Security Economics and Web Applications (5)

- Thankfully the UK TG programme is failing; see our report "Database State" for more
- But might Google or Microsoft make a health-record web service work?
- There are similar incentives on private and public sectors to collect data in order to price discriminate between clients / citizens
- Are there any technical limits (systems complexity, microeconomics) or must we rely on our legislators and courts?

The Gladman Principle

"You can have security, or functionality, or scale. With good engineering you can have any two of these. But there's no way you can get all three."

Brian Gladman (formerly of UK Defence Science Advisory Board)

Compartmentation

- It's OK to have 20 doctors and nurses having access to 10,000 patients' records in a medical practice
- With some care, it's just about OK to have 2000 doctors and nurses having access to 1,000,000 patients' records in a hospital
- It's not OK to have 580,000 health service staff having access to 50,000,000 citizens' records on a national database
- … as our Prime Minister has learned …

Attack Trends

- One aspect of security economics is building models that explain how things go wrong
- Another is the econometrics – measuring what actually does go wrong
- We have a research project on collecting statistics on spam, phishing, malware (see my Google tech talk, for example)
- Recent trends in malware are getting worrying!
- If an attack can be industrialized, it will be …

Case study – the Dalai Lama

- Simple attacks reported on the Office of His Holiness the Dalai Lama (OHHDL) since 2007
- From directed spam to simple targeted attacks
- Compromise became obvious in July 2008 – foreign diplomats about to meet the Dalai Lama were warned off
- We got asked to investigate

Modus Operandi

- A sends email to B on topic X, archived publicly
- C sends email to A pretending to be B, on topic X, with toxic attachment
- C pretending to be A takes over mail server
- Internal mail attachments thereafter toxic
- PCs then accessed remotely …
- We call this 'Social Malware'
- The typical company has no defence at all!
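The pattern on the slide above has a cheap, if partial, check that most mail gateways did not make at the time: the impersonated message borrows a known correspondent's display name and a subject lifted from a public archive, but arrives from an address that correspondent has never used (or asks for replies to go elsewhere) and carries a document or executable attachment. The following is an added example written for this page, not code from the talk or the Tibet report; the address book, the three sample messages and the list of risky file types are constructed assumptions.

```python
"""Heuristic for the 'social malware' pattern: a spoofed sender plus an
exploit-carrying attachment. Address book and messages are constructed."""
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed address book: display name -> addresses that correspondent has
# actually used in past, genuine traffic.
KNOWN_CONTACTS = {
    "Bob Partner": {"bob@partner.example"},
}

# Assumed list of attachment types used as exploit carriers in targeted attacks.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".doc", ".xls", ".ppt", ".pdf")


def sender_anomalies(raw):
    """Reasons to doubt that the From: line is who it claims to be."""
    msg = message_from_string(raw)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = KNOWN_CONTACTS.get(name)
    if known is not None and addr not in known:
        reasons.append(f"display name {name!r} with unknown address {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    return reasons


def risky_attachments(raw):
    """Filenames of attached parts whose type is on the risky list."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if n.lower().endswith(RISKY_EXTENSIONS)]


def is_social_malware(raw):
    """Flag only when both signals are present: an impersonated sender AND an
    attachment that could carry an exploit. A genuine colleague sending a
    .doc, or a stranger sending plain text, is not flagged."""
    return bool(sender_anomalies(raw)) and bool(risky_attachments(raw))


def build_message(from_header, subject, attachment_name, reply_to=None):
    """Construct a sample message (test data, not a captured attack)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "alice@office.example"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content("Following up on the thread in the public archive.")
    m.add_attachment(b"\x00constructed payload\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: a genuine note from Bob, then two impersonations of him
# on the same archived subject (one from a free-mail address, one with a
# convincing From: but a Reply-To pointing elsewhere).
GENUINE = build_message("Bob Partner <bob@partner.example>",
                        "Re: [list] Meeting agenda", "agenda.pdf")
SPOOFED_FROM = build_message("Bob Partner <bob.partner@freemail.example>",
                             "Re: [list] Meeting agenda", "agenda.doc")
SPOOFED_REPLY_TO = build_message("Bob Partner <bob@partner.example>",
                                 "Re: [list] Meeting agenda", "agenda.scr",
                                 reply_to="bob.partner@freemail.example")

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("spoofed From", SPOOFED_FROM),
                       ("spoofed Reply-To", SPOOFED_REPLY_TO)]:
        print(f"{label}: social malware = {is_social_malware(raw)}")
```

The check is deliberately conjunctive: either signal alone produces too many false positives in real mail, and the attack needs both. It does nothing against the later stage on the slide, where C has already taken over A's mail server and sends from genuine internal addresses; by then only attachment handling (sandboxing, stripping, or blocking executable content) is left.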

A low grade sample

(no text transcribed for this slide)

Malware Equilibrium?

- Big change in 2004: the black market led to specialisation
- Malware now professionally written; most exploits are for money, not bragging rights
- Most companies just don't know how to block social malware (even Deloittes was among the victims of the Chinese)
- What will the world be like if 1%, or 5%, or more of machines are 0wned, and exploited?

Open versus Closed?

- Are open systems more dependable? It's easier for the attackers to find vulnerabilities, but also easier for the defenders to find and fix them
- This debate goes back to the 17th century!
- Theorem (2002): openness helps both equally if bugs are random and standard dependability model assumptions apply
- So whether open is better than closed will depend on whether / how your system differs from the ideal

The Good, the Bad and the Ugly

- Travel agent: not a big deal if the bad guys occasionally go on holiday (the bank pays)
- Facebook: there will be all sorts of platform exploits, and social exploits, with which they'll have to cope. As for compromised user machines, my daughter's view …
- Government databases: you can't make everyone's medical records available to 500,000 doctors and nurses and still have privacy
- The insider (malware) threat sets limits here!

An Opportunity

- If 1% of end-user machines will always be infected with malware, what can we do?
- Web services can offer a haven
- But they need to assume some corrupt insiders
- Experience from defence – compartmentation
- And from accounting – dual control, audit, backup, …
- How do you build these ideas into other apps?
- What other limits on security, functionality and scale are there – and what's the social angle?
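The 'Compartmentation' slide gives the numbers and the 'An Opportunity' slide asks how to build the defence and accounting ideas into ordinary apps. Here is one way those ideas look in the access-control layer of a record-keeping web service, as an added example written for this page (not from the talk or any real health system). The practices, staff and patients are constructed, and the policy is an assumed illustration: a clinician reads only records held by the practice they work in, a bulk export needs two different people from that practice, and every decision is logged whether allowed or denied.

```python
"""Compartmentation, dual control and audit in a record service.
Constructed data; policy is illustrative, not a description of any system."""
from dataclasses import dataclass, field


@dataclass
class RecordService:
    practices: dict          # compartment name -> set of patient ids (constructed)
    staff: dict              # staff id -> compartment they work in (constructed)
    audit: list = field(default_factory=list)

    def _log(self, who, action, target, ok):
        self.audit.append((who, action, target, "allowed" if ok else "denied"))

    def read(self, who, patient):
        """Reads are allowed only inside the caller's own compartment."""
        comp = self.staff.get(who)
        ok = comp is not None and patient in self.practices.get(comp, set())
        self._log(who, "read", patient, ok)
        return ok

    def exposure(self, who):
        """Records reachable from one account: the blast radius if that
        account's PC is among the '1% always infected'."""
        return len(self.practices.get(self.staff.get(who), set()))

    def bulk_export(self, requester, approver, compartment):
        """Dual control: a different person from the same compartment must
        approve, so no single insider or single compromised account can pull
        a whole compartment on their own."""
        ok = (requester != approver
              and self.staff.get(requester) == compartment
              and self.staff.get(approver) == compartment)
        self._log(requester, "bulk_export", compartment, ok)
        return sorted(self.practices[compartment]) if ok else None


def demo_service():
    """Two small practices (constructed)."""
    return RecordService(
        practices={"practice_a": {"p1", "p2"}, "practice_b": {"p3"}},
        staff={"dr_ali": "practice_a", "nurse_bo": "practice_a",
               "dr_cy": "practice_b"},
    )


def national_service(records):
    """Same code with one compartment: the 580,000-staff / 50,000,000-record
    shape the slide warns against. Any one account then reaches everything."""
    return RecordService(practices={"national": set(records)},
                         staff={"anyone": "national"})


def run_demo():
    """Exercise the policy and return (decisions, audit trail)."""
    s = demo_service()
    decisions = {
        "own_patient": s.read("dr_ali", "p1"),
        "other_practice": s.read("dr_ali", "p3"),
        "unknown_user": s.read("stranger", "p1"),
        "self_approved": s.bulk_export("dr_ali", "dr_ali", "practice_a"),
        "outside_approver": s.bulk_export("dr_ali", "dr_cy", "practice_a"),
        "two_person": s.bulk_export("dr_ali", "nurse_bo", "practice_a"),
    }
    return decisions, s.audit


if __name__ == "__main__":
    decisions, audit = run_demo()
    for k, v in decisions.items():
        print(f"{k}: {v}")
    for entry in audit:
        print("audit:", entry)
    print("exposure, one practice account:", demo_service().exposure("dr_ali"))
    print("exposure, national account:", national_service(range(1000)).exposure("anyone"))
```

The interesting measure is `exposure`: with compartments, a compromised clinician's machine (the malware insider the slides keep returning to) leaks one practice's records; with a single national compartment the same code leaks everything, which is the Gladman trade-off between security and scale in miniature. Dual control does not stop a determined pair of insiders, but it turns a one-person, one-click breach into a conspiracy that the audit trail records by name.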

The Research Agenda

- The online world and the physical world are merging – many years of turbulence ahead!
- If Web 2.0 is going to reinvent the world, expect it to reinvent the problems too
- The security world is changing, though
- The old paradigm was what might go wrong …
- Security economics gives us tools to think about why people might want things to go wrong, and metrics to measure what's actually going wrong

More …

- See www.ross-anderson.com for survey articles, our ENISA and Tibet reports, and my security economics resource page
- WEIS – Workshop on Economics and Information Security – UCL, June 24–5
- Workshop on Security and Human Behaviour – in Cambridge in 2010
- 'Security Engineering – A Guide to Building Dependable Distributed Systems'