
The Death of the Internet

ISBN: 978-1-118-06241-8
386 pages
July 2012, Wiley-IEEE Computer Society Press
Fraud poses a significant threat to the Internet. 1.5% of all online advertisements attempt to spread malware. This erodes users' willingness to view or click on advertisements, which will severely affect the structure of the web and its economic viability, and may also destabilize online commerce. In addition, the Internet is increasingly being used as a weapon against political targets by malicious organizations and governments. This book examines these and related topics, such as smartphone-based web security. It describes the basic threats to the Internet (loss of trust, loss of advertising revenue, loss of security) and how they are related, and discusses the primary countermeasures and how to implement them.
Foreword xv

Preface xvii

Is the Title of this Book a Joke? xix

Acknowledgments xxi

Contributors xxiii

Part I The Problem

1 What Could Kill the Internet? And so What? 3

2 It is About People 7

2.1 Human and Social Issues 7
Markus Jakobsson

2.1.1 Nigerian Scams 8

2.1.2 Password Reuse 9

2.1.3 Phishing 11

2.2 Who are the Criminals? 13
Igor Bulavko

2.2.1 Who are they? 13

2.2.2 Where are they? 14

2.2.3 Deep-Dive: Taking a Look at Ex-Soviet Hackers 14

2.2.4 Let’s try to Find Parallels in the World we Live in 16

2.2.5 Crime and Punishment? 16

3 How Criminals Profit 19

3.1 Online Advertising Fraud 20
Nevena Vratonjic, Mohammad Hossein Manshaei, and Jean-Pierre Hubaux

3.1.1 Advertising on the Internet 20

3.1.2 Exploits of Online Advertising Systems 23

3.1.3 Click Fraud 25

3.1.4 Malvertising: Spreading Malware via Ads 31

3.1.5 Inflight Modification of Ad Traffic 32

3.1.6 Adware: Unsolicited Software Ads 34

3.1.7 Conclusion 35

3.2 Toeing the Line: Legal but Deceptive Service Offers 35
Markus Jakobsson and Ruilin Zhu

3.2.1 How Does it Work? 36

3.2.2 What do they Earn? 36

3.3 Phishing and Some Related Attacks 38
Markus Jakobsson and William Leddy

3.3.1 The Problem is the User 38

3.3.2 Phishing 38

3.3.3 Man-in-the-Middle 39

3.3.4 Man-in-the-Browser 40

3.3.5 New Attack: Man-in-the-Screen 41

3.4 Malware: Current Outlook 42
Members of the BITS Security Working Group and staff leads Greg Rattray and Andrew Kennedy

3.4.1 Malware Evolution 42

3.4.2 Malware Supply and Demand 48

3.5 Monetization 53
Markus Jakobsson

3.5.1 There is Money Everywhere 53

4 How Things Work and Fail 57

4.1 Online Advertising: With Secret Security 58
Markus Jakobsson

4.1.1 What is a Click? 58

4.1.2 How Secret Filters are Evaluated 60

4.1.3 What do Fraudsters Know? 62

4.2 Web Security Remediation Efforts 63
Jeff Hodges and Andy Steingruebl

4.2.1 Introduction 63

4.2.2 The Multitude of Web Browser Security Mechanisms 64

4.2.3 Where do we go from Here? 75

4.3 Content-Sniffing XSS Attacks: XSS with Non-HTML Content 75
Juan Caballero, Adam Barth, and Dawn Song

4.3.1 Introduction 75

4.3.2 Content-Sniffing XSS Attacks 77

4.3.3 Defenses 84

4.3.4 Conclusion 89

4.4 Our Internet Infrastructure at Risk 89
Garth Bruen

4.4.1 Introduction 89

4.4.2 The Political Structure 90

4.4.3 The Domain 92

4.4.4 WHOIS: Ownership and Technical Records 94

4.4.5 Registrars: Sponsors of Domain Names 96

4.4.6 Registries: Sponsors of Domain Extensions 97

4.4.7 CCTLDs: The Sovereign Domain Extensions 99

4.4.8 ICANN: The Main Internet Policy Body 100

4.4.9 Conclusion 102

4.5 Social Spam 103
Dimitar Nikolov and Filippo Menczer

4.5.1 Introduction 103

4.5.2 Motivations for Spammers 105

4.5.3 Case Study: Spam in the GiveALink Bookmarking System 108

4.5.4 Web Pollution 114

4.5.5 The Changing Nature of Social Spam: Content Farms 116

4.5.6 Conclusion 117

4.6 Understanding CAPTCHAs and Their Weaknesses 117
Elie Bursztein

4.6.1 What is a Captcha? 117

4.6.2 Types of Captchas 118

4.6.3 Evaluating Captcha Attack Effectiveness 118

4.6.4 Design of Captchas 119

4.6.5 Automated Attacks 124

4.6.6 Crowd-Sourcing: Using Humans to Break Captchas 127

4.7 Security Questions 131
Ariel Rabkin

4.7.1 Overview 131

4.7.2 Vulnerabilities 134

4.7.3 Variants and Possible Defenses 138

4.7.4 Conclusion 139

4.8 Folk Models of Home Computer Security 140
Rick Wash and Emilee Rader

4.8.1 The Relationship Between Folk Models and Security 140

4.8.2 Folk Models of Viruses and Other Malware 142

4.8.3 Folk Models of Hackers and Break-Ins 146

4.8.4 Following Security Advice 149

4.8.5 Lessons Learned 153

4.9 Detecting and Defeating Interception Attacks Against SSL 154
Christopher Soghoian and Sid Stamm

4.9.1 Introduction 154

4.9.2 Certificate Authorities and the Browser Vendors 155

4.9.3 Big Brother in the Browser 157

4.9.4 Compelled Assistance 158

4.9.5 Surveillance Appliances 159

4.9.6 Protecting Users 160

4.9.7 Threat Model Analysis 163

4.9.8 Related Work 166

4.9.9 Conclusion 168

5 The Mobile Problem 169

5.1 Phishing on Mobile Devices 169
Adrienne Porter Felt and David Wagner

5.1.1 The Mobile Phishing Threat 170

5.1.2 Common Control Transfers 172

5.1.3 Phishing Attacks 178

5.1.4 Web Sender⇒Mobile Target 182

5.1.5 Web Sender⇒Web Target 184

5.1.6 Attack Prevention 185

5.2 Why Mobile Malware will Explode 185
Markus Jakobsson and Mark Grandcolas

5.2.1 Nineteen Eighty-Six: When it all Started 186

5.2.2 A Glimpse of Users 186

5.2.3 Why Market Size Matters 186

5.2.4 Financial Trends 187

5.2.5 Mobile Malware Outlook 187

5.3 Tapjacking: Stealing Clicks on Mobile Devices 189
Gustav Rydstedt, Baptiste Gourdin, Elie Bursztein, and Dan Boneh

5.3.1 Framing Attacks 189

5.3.2 Phone Tapjacking 191

5.3.3 Framing Facebook 194

5.3.4 Summary and Recommendations 195

6 The Internet and the Physical World 197

6.1 Malware-Enabled Wireless Tracking Networks 197
Nathaniel Husted and Steven Myers

6.1.1 Introduction 198

6.1.2 The Anatomy of a Modern Smartphone 199

6.1.3 Mobile Tracking Networks: A Threat to Smartphones 200

6.1.4 Conclusion 219

6.2 Social Networking Leaks 219
Mayank Dhiman and Markus Jakobsson

6.2.1 Introduction 220

6.2.2 Motivations for Using Social Networking Sites 220

6.2.3 Trust and Privacy 221

6.2.4 Known Issues 222

6.2.5 Case Study: Social Networking Leaks in the Physical World 225

6.3 Abuse of Social Media and Political Manipulation 231
Bruno Gonçalves, Michael Conover, and Filippo Menczer

6.3.1 The Rise of Online Grassroots Political Movements 231

6.3.2 Spam and Astroturfing 232

6.3.3 Deceptive Tactics 233

6.3.4 The Truthy System for Astroturf Detection 236

6.3.5 Discussion 240

Part II Thinking About Solutions

7 Solutions to the Problem 245

7.1 When and How to Authenticate 245
Richard Chow, Elaine Shi, Markus Jakobsson, Philippe Golle, Ryusuke Masuoka, Jesus Molina, Yuan Niu, and Jeff Song

7.1.1 Problem Description 246

7.1.2 Use Cases 247

7.1.3 System Architecture 248

7.1.4 User Privacy 250

7.1.5 Machine Learning/Algorithms 250

7.1.6 User Study 252

7.2 Fastwords: Adapting Passwords to Constrained Keyboards 255
Markus Jakobsson and Ruj Akavipat

7.2.1 The Principles Behind Fastwords 256

7.2.2 Basic Feature Set 258

7.2.3 Extended Feature Set 260

7.2.4 Sample Stories and Frequencies 261

7.2.5 Recall Rates 262

7.2.6 Security Analysis 264

7.2.7 The Security of Passwords 264

7.2.8 Entry Speed 268

7.2.9 Implementation of Fastword Entry 270

7.2.10 Conclusion 271

7.3 Deriving PINs from Passwords 271
Markus Jakobsson and Debin Liu

7.3.1 Introduction 272

7.3.2 A Brief Discussion of Passwords 273

7.3.3 How to Derive PINs from Passwords 274

7.3.4 Analysis of Passwords and Derived PINs 275

7.3.5 Security Analysis 278

7.3.6 Usability Experiments 280

7.4 Visual Preference Authentication 282
Yuan Niu, Markus Jakobsson, Gustav Rydstedt, and Dahn Tamir

7.4.1 Password Resets 282

7.4.2 Security Questions Aren’t so Secure 283

7.4.3 What is Visual Preference-Based Authentication 283

7.4.4 Evaluating Visual Preference-Based Authentication 285

7.4.5 Case Study: Visual Blue Moon Authentication 286

7.4.6 Conclusion 290

7.5 The Deadly Sins of Security User Interfaces 290
Nathan Good

7.5.1 Security Applications with Frustrating User Interfaces 291

7.5.2 The Four Sins of Security Application User Interfaces 293

7.5.3 Consumer Choice: A Security Bugbear 293

7.5.4 Security by Verbosity 299

7.5.5 Walls of Checkboxes 300

7.5.6 All or Nothing Switch 302

7.5.7 Conclusion 304

7.6 SpoofKiller—Let’s Kiss Spoofing Goodbye! 304
Markus Jakobsson and William Leddy

7.6.1 A Key to the Solution: Interrupts 305

7.6.2 Why can the User Log in to Good Sites, but not Bad Ones? 305

7.6.3 What About Sites that are Good . . . but not Certified Good? 308

7.6.4 SpoofKiller: Under the Hood 309

7.6.5 Say we Implement SpoofKiller—then What? 311

7.7 Device Identification and Intelligence 312
Ori Eisen

7.7.1 1995–2001: The Early Years of Device Identification 313

7.7.2 2001–2008 Tagless Device Identification Begins 314

7.7.3 2008—Present: Private Browsing and Beyond 319

7.8 How can we Determine if a Device is Infected or not? 323
Aurélien Francillon, Markus Jakobsson, and Adrian Perrig

7.8.1 Why Detection is Difficult 323

7.8.2 Setting up an Isolated Environment 324

7.8.3 What Could go Wrong? 326

7.8.4 Brief Comparison with TrustZone 328

7.8.5 Summary 328

8 The Future 331

8.1 Security Needs the Best User Experience 332
Hampus Jakobsson

8.1.1 How the User Won Over Features 332

8.1.2 So How Come the iPhone Became so Successful? 332

8.1.3 A World of Information Anywhere 333

8.1.4 Midas’ Touch Screens 334

8.1.5 New Input, New Opportunities 335

8.1.6 Zero-Click and Real-Life User Interfaces 335

8.1.7 Privacy and User Interfaces 336

8.1.8 It all Comes Together 336

8.2 Fraud and the Future 336
Markus Jakobsson

References 339

Index 359


MARKUS JAKOBSSON, PhD, is Principal Scientist for Consumer Security at PayPal. He is the founder of the security startups RavenWhite and FatSkunk and has held positions at Palo Alto Research Center, RSA Laboratories, and Bell Labs. The editor of RSA's technical newsletter CryptoBytes, Dr. Jakobsson holds numerous U.S. patents, has published more than 100 articles, and authored and edited several books, including Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft (Wiley). He has been interviewed on the subjects of phishing and crimeware on NPR, BBC, and other high-profile media outlets.


“For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.”  (Word Virus, 17 April 2013)

“For those looking for a book to gain situation awareness about the dangers of the Internet, one is hard pressed to find a better title than The Death of the Internet.”  (Slashdot, 15 April 2013)

“The book includes possible solutions to some of the problems, but the overwhelming appeal of this text is the awareness it provides.  Summing Up: Highly recommended.  Students of all levels, general readers, and professionals/practitioners.”  (Choice, 1 January 2012)
