
Showing papers in "Journal of Cybersecurity in 2017"


Journal Article
TL;DR: It is found that following DDoS attacks on Mt. Gox, the number of large trades on the exchange fell sharply, and the distribution of the daily trading volume becomes less skewed (fewer big trades) and had smaller kurtosis on days following DDoS attacks.
Abstract: We investigate how distributed denial-of-service (DDoS) attacks and other disruptions affect the Bitcoin ecosystem. In particular, we investigate the impact of shocks on trading activity at the leading Mt. Gox exchange between April 2011 and November 2013. We find that following DDoS attacks on Mt. Gox, the number of large trades on the exchange fell sharply. In particular, the distribution of the daily trading volume becomes less skewed (fewer big trades) and had smaller kurtosis on days following DDoS attacks. The results are robust to alternative specifications, as well as to restricting the data to activity prior to March 2013, i.e., the period before the first large appreciation in the price of and attention paid to Bitcoin.

70 citations


Journal Article
TL;DR: The first measurement study of JoinMarket, a growing marketplace for more anonymous transfers in the Bitcoin ecosystem, reveals that this market is funded with multiple thousand bitcoins and generated a turnover of almost 29.5 million USD over the course of 13 months.
Abstract: We present the first measurement study of JoinMarket, a growing marketplace for more anonymous transfers in the Bitcoin ecosystem. Our study reveals that this market is funded with multiple thousand bitcoins and generated a turnover of almost 29.5 million USD over the course of 13 months. Assessing the resilience of the market against a well-funded attacker, we discover that in a typical scenario, a selective attack with a 90% success rate requires an investment of 14 000–54 000 USD (which is recoverable after the attack). We present economic arguments to explain the existence of this novel market for anonymity and underpin the hypothesis of heterogeneous time preference with empirical data.

36 citations


Journal Article
TL;DR: Maillart et al. investigated the strategic interactions among the managers and participants of bug bounty programs, as well as the intermediation by bug bounty platforms, and found that for a given bug bounty program, each security researcher can only expect to discover a bounded number of bugs.
Abstract: Author(s): Maillart, Thomas; Zhao, Mingyi; Grossklags, Jens; Chuang, John | Abstract: Bug bounty programs offer a modern way for organizations to crowdsource their software security, and for security researchers to be fairly rewarded for the vulnerabilities they find. However, little is known on the incentives set by bug bounty programs – how they drive engagement and new bug discoveries. This article provides an empirical investigation of the strategic interactions among the managers and participants of bug bounty programs, as well as the intermediation by bug bounty platforms. We find that for a given bug bounty program, each security researcher can only expect to discover a bounded number of bugs. This result offers a validation step to a theory brought forth early on by Brady et al. This theory proposes that each security researcher inspecting a piece of software offers a unique environment of skills and mindset, which is amenable to the discovery of bugs that others may not be able to uncover. Bug bounty programs indeed benefit from the engagement of large crowds of researchers. Conversely, security researchers benefit greatly from searching for bugs in multiple bug bounty programs. However, we find that following a strong front-loading effect, newly launched programs attract researchers at the expense of older programs: the probability of finding bugs decays as ∼1/t^0.4 after the launch of a program, even though bugs found later yield on average higher rewards. Our results lead us to formulate three recommendations for organizing bug bounty programs and platforms: (i) organize enrollment, mobility, and renewal of security researchers across bounty programs, (ii) highlight and organize programs for front-loading, and (iii) organize fluid market transactions to reduce uncertainty and thus reduce incentives for security researchers to sell on the black market.

34 citations



Journal Article
TL;DR: It is argued that the framing of the public goods provision problem in context presents difficult choices regarding the use of coercive power to supply public goods, and the level of coercion that public policy will have to grapple with for cybersecurity goals is higher than generally understood.
Abstract: Insights from public health theory and practice have been put forward as elements of doctrine to inform theory and policy frameworks for cybersecurity. Analogies between public health and cybersecurity are superficially appealing but fail on closer examination in two distinct ways: the “publicness” of the goods in question, and the readiness of the relevant actors and institutions to exert and accept coercive authority. This article assesses the analogy in depth, starting with a review of foundational arguments from public goods theory. I demonstrate how policy choices not technological ground truths have configured many cybersecurity “goods” or goals as public goods. I then assess the public goods provision problem in context by examining the history of important public health challenges and responses. I argue that this framing presents difficult choices regarding the use of coercive power to supply public goods. These are choices that public health officials have largely settled, but that internet society and the technology community have not because the requirements are counter-cultural to basic mindsets in those communities. Pushing past cultural resistance around the idea of “coercion in the interests of security” does not fully determine any specific cybersecurity policy outcome, but it does force a more straightforward assessment of what tradeoffs are at stake. The level of coercion that public policy will have to grapple with for cybersecurity goals is higher than generally understood.

17 citations


Journal Article
TL;DR: Two established modeling methods from disparate fields are integrated: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature to demonstrate that model accuracy can be improved by incorporating methods from philosophy of science.
Abstract: We integrate two established modeling methods from disparate fields: mechanisms from the philosophy of science literature and intrusion kill chain modeling from the computer security literature. The result demonstrates that model accuracy can be improved by incorporating methods from philosophy of science. Modeling security accurately is a key function in the science of security. Mechanistic modeling of computer security incidents clarifies the existing model and points toward areas for substantive improvement for computer security professionals. Additional models of computer security incidents are translated mechanistically to compare results and to demonstrate such modeling can be applied in multiple situations. This integration of philosophy of science and computer security is sensible only by integrating new adaptations to mechanistic modeling, specifically conceived to enable better modeling of engineered systems such as computers. The results indicate continued integration of the fields of philosophy of science and information security will be fruitful.

16 citations


Journal Article
TL;DR: In this article, the authors examine the technical requirements and policy implications of targeted cyber attacks and examine direct and indirect effects of such attacks, and what variables affect precise targeting, including whether the attack is autonomous or manually directed and what level of situation specific information is required for the attack.
Abstract: Can cyber weapons be precisely targeted or are they inherently indiscriminate and what are the implications for compliance with international law? This paper hopes to start a public discussion of the question by showing how they should be designed. We begin by considering what should be done technically and what policy issues should be part of the considerations in the design and deployment of cyber weapons. The fact that cyber weapons can be narrowly targeted is crucial to their use, especially, although not only, outside of a war scenario. In this paper we examine the technical requirements and policy implications of targeted cyber attacks. Contrary to public perception (as well as statements from some political and military leaders), cyber weapons not only can be targeted, a number of successful ones have already been so. By examining previous attacks so as to discern what technical attributes enable attacks to be targeted, we show that variables include whether the attack is autonomous or manually directed and what level of situation specific information is required for the attack. We next consider technical and policy constraints on cyber weapons that would enable them to be targetable. We examine direct and indirect effects of such weapons, and what variables affect precise targeting. If "imprecise targeting" includes "other damage traceable to the initial use of a cyberweapon", proliferation becomes an issue. By this definition, if one country's use leads to another country using the same attack or tools, that is itself imprecise targeting. We consider two different types of proliferation: immediate proliferation and a somewhat time-delayed proliferation that could occur through repurposing of the weapon or the weapon's techniques. The nonproliferation objective has a broad meaning, for it includes not only preventing others from using code snippets and information on zero days, but also using profitable attack techniques and new classes of attack. Thus preventing opponents from repurposing cyber weapons is not solely through technical means, such as code obfuscation, but also through such policy measures as disclosure so that those who might be harmed by proliferation will not be. We observe that as a result, while some of the nonproliferation effort falls to the attacker, some must be handled by potential victims, a rather interesting turn of events.

11 citations


Book Chapter
TL;DR: The relative value of information security was found to be predictive of self-reported online security behaviors and offer valuable implications for the design of a more usable information security system.
Abstract: In most cyber security contexts, users need to make trade-offs for information security. This research examined this issue by quantifying the relative value of information security within a value system that comprises of multiple conflicting objectives. Using this quantification as a platform, this research also examined the effect of different usage contexts on information security concern. Users were asked to indicate how much loss in productivity and time, and how much more money they were willing to incur to acquire an effective phishing filter. The results indicated that users prioritize productivity and time over information security while there was much more heterogeneity in the concern about cost. The value of information security was insignificantly different across different usage contexts. The relative value of information security was found to be predictive of self-reported online security behaviors. These results offer valuable implications for the design of a more usable information security system.

11 citations


Journal Article
TL;DR: It is shown that disparate forms of surveillance have a common structure and can be unified by abstract mathematical concepts and a formal model is developed that theorizes identity as abstract data that is called identifiers.
Abstract: Surveillance is recognised as a social phenomenon that is commonplace, employed by governments, companies and communities for a wide variety of reasons. Surveillance is fundamental in cybersecurity as it provides tools for prevention and detection; it is also a source of controversies related to privacy and freedom. Building on general studies of surveillance, we identify and analyse certain concepts that are central to surveillance. To do this we employ formal methods based on elementary algebra. First, we show that disparate forms of surveillance have a common structure and can be unified by abstract mathematical concepts. The model shows that (i) finding identities and (ii) sorting identities into categories are fundamental in conceptualising surveillance. Secondly, we develop a formal model that theorizes identity as abstract data that we call identifiers. The model views identity through the computational lens of the theory of abstract data types. We examine the ways identifiers depend upon each other; and show that the provenance of identifiers depends upon translations between systems of identifiers.

11 citations



Journal Article
TL;DR: Investigation of how customers comprehend bank terms and conditions finds there are strong regional variations: Germans find their T&Cs particularly hard to understand, but Americans assume harsher T&Cs than they actually are, and tend to be reassured when they actually read them.
Abstract: The study presented in this article investigated to what extent bank customers understand the terms and conditions (T&Cs) they have signed up to. If many customers are not able to understand T&Cs and the behaviours they are expected to comply with, they risk not being compensated when their accounts are breached. An expert analysis of 30 bank contracts across 25 countries found that most contract terms were too vague for customers to infer required behaviour. In some cases the rules vary for different products, meaning the advice can be contradictory at worst. While many banks allow customers to write Personal identification numbers (PINs) down (as long as they are disguised and not kept with the card), 20% of banks categorically forbid writing PINs down, and a handful stipulate that the customer have a unique PIN for each account. We tested our findings in a survey with 151 participants in Germany, the USA and UK. They mostly agree: only 35% fully understand the T&Cs, and 28% find important sections are unclear. There are strong regional variations: Germans found their T&Cs particularly hard to understand, and USA bank customers assumed some of their behaviours contravened the T&Cs, but were reassured when they actually read them.

Journal Article
TL;DR: The article’s conclusion is that a paucity of similar experience with cyber operations will hamper the formulation of ROEs for cyber weapons unless special efforts are taken to impart such experience to civilian leaders and military commanders.
Abstract: Cyber weapons provide US forces with operational choices that were previously unavailable. To use these weapons with greatest effect, the US military seeks to integrate them into its operational toolkit within a common framework of principles that apply to all weapons. While the US military has had decades of operational experience formulating rules of engagement (ROEs) for kinetic weapons, several characteristics of operations in cyberspace complicate the formulation of cyber-specific ROEs. Sensitive issues related to command and control and escalation of force play important roles in shaping cyber-specific ROEs. The article’s conclusion is that a paucity of similar experience with cyber operations will hamper the formulation of ROEs for cyber weapons unless special efforts are taken to impart such experience to civilian leaders and military commanders.

Journal Article
TL;DR: In this article, the planning, targeting, and command and control aspects of offensive cyber operations in the U.S. context are examined, providing a starting point for a more fruitful assessment of offensive cyber.
Abstract: Most discussion to date about offensive cyber operations has focused on the theoretical and strategic rather than operational level of analysis. This mirrors the nuclear age, where critical operational questions were neglected in public discussion until very late in the Cold War. Yet these questions are critical for both nuclear and cyber operations so analysis that neglects them has little bearing on policy questions. An examination of the planning, targeting, and command and control aspects of offensive cyber operations in the U.S. context provides a starting point for a more fruitful assessment of offensive cyber.

Journal Article
TL;DR: In this paper, a multi-stage process is proposed to understand how adversaries are likely to react to the first wave of cyberattacks. But it is not clear how to make them learn slowly, incompletely, or better yet, incorrectly.
Abstract: Cyberattacks depend, to a large extent, on surprise. Because they do, the efficacy of their attacks may well fall sharply after the outset of an extended campaign – although that is not entirely bad news if some of the adjustments made to minimize future damage are themselves damaging (e.g., not trusting information that was once corrupted). Nevertheless, if cyberwarriors wish to maintain their relevance over the course of some future military campaign they need to understand how adversaries are likely to react to the first wave of cyberattacks. Furthermore, if cyberwarriors are to fulfill their defensive roles, it may help to understand how their own non-cyber colleagues are apt to react, the better to prioritize the assistance they provide in using lessons from attacks to secure their own systems. To understand how the target may adjust it helps to think of it as a multi-stage process: (1) recognizing a system is not performing as it should, (2) identifying the nature of the malfunction, (3) determining the weaknesses in the target system that allowed the cyberattack, (4) engineering a fix, and (5) promulgating the fix throughout the organization. This, in turn, would suggest why some organizations adjust faster than others. One reason is organizational culture. Does it take cybersecurity seriously? Are its people allowed to find faults and tell the truth about them? Is responsibility for fixing faults clear? Does the organization tell others? Another reason arises from the nature of the attacked systems – can their owners afford to take it down and change it without creating new faults or without having to retrain users? A third reason stems from whether the organization has access to outside vendors of software and cybersecurity – yielding a pronounced advantage for those that do. All this suggests strategies for confounding the target’s adjustment strategy. Choose targets carefully, concentrating on targets that react slowly. Keep up the military pressure in ways that inhibit withdrawing systems for repair. Limit the size and scope of cyberattacks so that the effects are less obvious, hence less likely to be attended to. Exploit a vulnerability that is particular to the target rather than one that is more widespread. Use penetration methods that are difficult to find (perhaps by using entry points that are difficult to trace). Use deception and distraction. Last, persuade third parties to hold off helping. Putting these concepts into practice is not trivial. A first guess on how others may react may come from gauging how one’s own forces would. Modeling a logical decision process – one that reflects known pathologies of potential adversaries – may provide another perspective. Historical analogies may provide an insight or two. In any case, USCYBERCOM needs to develop a body of research and exploration that acknowledges the potential of others to learn. Thus can it figure out how to make them learn slowly, incompletely, or, better yet, incorrectly.

Journal Article
TL;DR: A nation can also conduct cyberattacks against other nations as deliberate instruments of policy, and many nations around the world are also exploring the use of offensive cyber operations in such a manner.
Abstract: Nations around the world recognize cybersecurity as a critical issue for public policy. They are concerned that their adversaries could conduct cyberattacks against their interests—damaging their military forces, their economies, and their political processes. Thus, their cybersecurity efforts have been devoted largely to protecting important information technology systems and networks against such attacks. Recognizing this point, the Oxford Dictionaries added in 2013 a new word to its lexicon—it defined cybersecurity as “the state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this.” But a nation can also conduct cyberattacks against other nations as deliberate instruments of policy, and many nations around the world are also exploring the use of offensive cyber operations in such a manner. In the USA, such operations have become increasingly prominent in US policy. For example: