Web App Security - PowerPoint PPT Presentation
Transcript and Presenter's Notes
1
Web App Security: The Good, the Bad and the Ugly
  • Ross Anderson
  • Cambridge University

2
Is Web 2.0 Reinventing the Whole World?
3
So what's changed?
  • A cynic might say that IT just goes in cycles!
  • Back in the 60s and 70s, we had mainframe bureau
    services
  • Then we had minis, then PCs
  • The pendulum seems to be swinging back: server
    farms do what mainframes used to
  • And we get a wide range of terminals: phones,
    netbooks, PCs, ...
  • How should we make sense of all this?

4
Economics and Security
  • About 2000, we realised that engineering analysis
    alone didn't explain all that goes wrong
  • Economic analysis often explains failure better!
  • Electronic banking: UK banks were less liable for
    fraud, so became careless and ended up suffering
    more internal fraud and errors
  • Distributed denial of service: viruses now don't
    attack the infected machine so much as use it to
    attack others
  • Why is Microsoft software so insecure, despite
    market dominance?

5
New View of Infosec
  • Systems are often insecure because the people who
    guard them, or who could fix them, have
    insufficient incentives
  • Medical record systems: bought by research or
    finance directors, not patients, so failed to
    protect privacy
  • Casino websites suffer when infected PCs run DDoS
    attacks on them
  • Insecurity is often what economists call an
    externality: a side-effect, like environmental
    pollution

6
IT Economics (1)
  • The first distinguishing characteristic of many
    IT product and service markets is network effects
  • Metcalfe's law: the value of a network is the
    square of the number of users
  • Real networks: phones, fax, email
  • Virtual networks: PC architecture versus Mac, or
    Symbian versus WinCE
  • Network effects tend to lead to dominant-firm
    markets where the winner takes all

7
IT Economics (2)
  • Second common feature of IT product and service
    markets is high fixed costs and low marginal
    costs
  • Competition can drive down prices to marginal
    cost of production
  • This can make it hard to recover capital
    investment, unless stopped by patent, brand,
    compatibility
  • These effects can also lead to dominant-firm
    market structures

8
IT Economics (3)
  • Third common feature of IT markets is that
    switching from one product or service to another
    is expensive
  • E.g. switching from Windows to Linux means
    retraining staff, rewriting apps
  • Shapiro-Varian theorem: the net present value of
    a software company is the total switching costs
  • So major effort goes into managing switching
    costs: once you have £3000 worth of songs on a
    £300 iPod, you're locked into iPods

9
IT Economics and Security
  • High fixed/low marginal costs, network effects
    and switching costs all tend to lead to
    dominant-firm markets with big first-mover
    advantage
  • So time-to-market is critical
  • Microsoft philosophy of "we'll ship it Tuesday
    and get it right by version 3" was quite rational
  • Whichever company had won in the PC OS business
    would have done the same
  • "Growth is primary, revenue is secondary" (Mark
    Zuckerberg)

10
IT Economics and Security (2)
  • When building a network monopoly, you must appeal
    to vendors of complementary products
  • That's application software developers in the
    case of PC versus Apple, then of Symbian versus
    Windows/Palm, now Facebook
  • Lack of security in early Windows / Symbian /
    Facebook made life easier for them
  • So did the choice of security technologies that
    dump costs on the user (SSL, not SET)
  • Once you've a monopoly, lock it all down!

11
Security Economics and Web Applications
  • The big security economics problem is aligning
    incentives
  • The big system engineering problem is managing
    complexity. You want architecture, i.e.
    interfaces, to divide up systems sensibly
  • Consider a travel agent, buying services from
    airlines, hotels etc. It pretty much all lines up
  • Open interfaces, defined by contract
  • Competition drives costs down, usability up

12
Security Economics and Web Applications (2)
  • However, some web apps are platforms, so operate
    under the same forces as Windows or Symbian or
    S/360
  • E.g. Facebook: huge network effects
  • Incentives on its developers:
      • grab the market now, fix privacy later
      • appeal to complementers (app writers)
  • But does social context change anything?

13
How Fraud Adapts to SNS
  • The old scams are still there: 419, spam,
    phishing, XSS, malware, click fraud, ...
  • Social context makes phishing more effective (72%
    in a controlled study by Jagatic), not to mention
    targeted attacks / scams
  • Facebook is now the 7th biggest phishing target
    (after PayPal, top banks, eBay)
  • Frequent genuine emails with login links
  • Some incentive on operator to fight it (spam
    caused decline of MySpace, Friendster)

14
Privacy
  • Most people say they value privacy, but act
    otherwise. Most privacy ventures failed. Why?
  • Odlyzko: technology makes price discrimination
    both easier and more attractive
  • Acquisti: people care about privacy when buying
    clothes, but not cameras
  • Loewenstein: privacy is heavily context
    sensitive. People only really worry if salient
  • Facebook viruses worse than PC viruses (as more
    personal) or not (as less salient)?

15
Privacy and SNS
  • Conflict of interest
  • Facebook wants to sell user data
  • Users want feeling of intimacy, small group,
    social control
  • Very complex access controls: over 60 settings
    on 7 pages
  • Over 90% of users never change defaults
  • The complexity lets Facebook blame the customer
    when things go wrong

16
Privacy and SNS (2)
17
Privacy and SNS (3)
  • See our paper "Eight friends are enough"
  • Given the eight published friends, an outsider
    can run all the usual network analysis
  • Including covert community detection as used by
    the spooks

18
Security Economics and Web Applications (3)
  • As you'd expect from the incentives, Facebook
    provides the appearance of security, not the
    reality: security theatre
  • And it deals with the occasional outrage using
    democracy theatre (see our blog,
    www.lightbluetouchpaper.org, for more)
  • Is this sustainable?
  • Long-term problem: European regulators

19
Security Economics and Web Applications (4)
  • Sometimes the monopoly doesn't come from platform
    dynamics but exogenously
  • Example: UK attempt to centralize all medical
    records, children's records
  • Records at GPs, hospitals being moved to hosted
    systems
  • Sales pitch: benefits of research
  • Driver: bureaucratic centralization
  • Gotcha: I v Finland

20
Security Economics and Web Applications (5)
  • Thankfully the UK TG programme is failing; see
    our report "Database State" for more
  • But might Google or Microsoft make a
    health-record web service work?
  • There are similar incentives on private and
    public sectors to collect data in order to price
    discriminate between clients / citizens
  • Are there any technical limits (systems
    complexity, microeconomics) or must we rely on
    our legislators and courts?

21
The Gladman Principle
  • "You can have security, or functionality, or
    scale. With good engineering you can have any two
    of these. But there's no way you can get all
    three."
  • Brian Gladman (formerly of UK Defence Science
    Advisory Board)

22
Compartmentation
  • It's OK to have 20 doctors and nurses having
    access to 10,000 patients' records in a medical
    practice
  • With some care, it's just about OK to have 2000
    doctors and nurses having access to 1,000,000
    patients' records in a hospital
  • It's not OK to have 580,000 health service staff
    having access to 50,000,000 citizens' records on
    a national database
  • ... as our Prime Minister has learned

23
Attack Trends
  • One aspect of security economics is building
    models that explain how things go wrong
  • Another is the econometrics: measuring what
    actually does go wrong
  • We have a research project on collecting
    statistics on spam, phishing, malware (see my
    Google tech talk, for example)
  • Recent trends in malware are getting worrying!
  • If an attack can be industrialized, it will be

24
Case study: the Dalai Lama
  • Simple attacks reported on the Office of His
    Holiness the Dalai Lama (OHHDL) since 2007
  • From directed spam to simple targeted attacks
  • Compromise became obvious in July 2008: foreign
    diplomats about to meet the Dalai Lama were
    warned off
  • We got asked to investigate

25
Modus Operandi
  • A sends email to B on topic X, archived publicly
  • C sends email to A pretending to be B, on topic
    X, with toxic attachment
  • C pretending to be A takes over mail server
  • Internal mail attachments thereafter toxic
  • PCs then accessed remotely
  • We call this Social Malware
  • The typical company has no defence at all!

26
A low grade sample
27
Malware Equilibrium?
  • Big change in 2004: the black market led to
    specialisation
  • Malware is now professionally written: most
    exploits are for money, not bragging rights
  • Most companies just don't know how to block
    social malware (even Deloitte's was among the
    victims of the Chinese)
  • What will the world be like if 1%, or 5%, or ...
    of machines are 0wned, and exploited?

28
Open versus Closed?
  • Are open systems more dependable? It's easier for
    the attackers to find vulnerabilities, but also
    easier for the defenders to find and fix them
  • This debate goes back to the 17th century!
  • Theorem (2002): openness helps both equally if
    bugs are random and standard dependability model
    assumptions apply
  • So whether open is better than closed will depend
    on whether / how your system differs from the
    ideal

29
The Good, the Bad and the Ugly
  • Travel agent: not a big deal if the bad guys
    occasionally go on holiday (the bank pays)
  • Facebook: there will be all sorts of platform
    exploits, and social exploits, with which they'll
    have to cope. As for compromised user machines,
    my daughter's view ...
  • Government databases: you can't make everyone's
    medical records available to 500,000 doctors and
    nurses and still have privacy
  • The insider (malware) threat sets limits here!

30
An Opportunity
  • If 1% of end-user machines will always be
    infected with malware, what can we do?
  • Web services can offer a haven
  • But they need to assume some corrupt insiders
  • Experience from defence: compartmentation
  • And from accounting: dual control, audit,
    backup, ...
  • How do you build these ideas into other apps?
  • What other limits on security, functionality and
    scale are there, and what's the social angle?

31
The Research Agenda
  • The online world and the physical world are
    merging: many years of turbulence ahead!
  • If Web 2.0 is going to reinvent the world, expect
    it to reinvent the problems too
  • The security world is changing, though
  • The old paradigm was "what might go wrong"
  • Security economics gives us tools to think about
    which people might want things to go wrong, and
    metrics to measure what's actually going wrong

32
More
  • See www.ross-anderson.com for survey articles,
    our ENISA and Tibet reports, and my security
    economics resource page
  • WEIS, Workshop on Economics and Information
    Security: UCL, June 24–25
  • Workshop on Security and Human Behaviour in
    Cambridge in 2010
  • Security Engineering: A Guide to Building
    Dependable Distributed Systems

33
(No Transcript)