SLIDE 1
The Imitation Game: The New Frontline of Security Fighting Robots - - PowerPoint PPT Presentation
The Imitation Game: The New Frontline of Security Fighting Robots - - PowerPoint PPT Presentation
The Imitation Game: The New Frontline of Security Fighting Robots Weve been warned for a long time Many robots are good Some robots are creepy but still good Some robots replicate rapidly Robots can overwhelm our best defenses Robots can
SLIDE 2
SLIDE 3
Fighting Robots
SLIDE 4
We’ve been warned for a long time
SLIDE 5
Many robots are good
SLIDE 6
Some robots are creepy but still good
SLIDE 7
Some robots replicate rapidly
SLIDE 8
Robots can overwhelm our best defenses
SLIDE 9
Robots can be difficult to spot
SLIDE 10
Most human-like robots are incomplete simulations
SLIDE 11
But that’s enough to fool many humans
(Ex Machina Tinder marketing campaign)
SLIDE 12
How do you identify a robot?
SLIDE 13
Alan Turing
SLIDE 14
Alan Turing
SLIDE 15
The Imitation Game as described in Computing Machinery and Intelligence (Turing, 1950)
SLIDE 16
The Imitation Game as described in Computing Machinery and Intelligence (Turing, 1950)
SLIDE 17
“Are there imaginable digital computers which would do well [in the imitation game]?”
SLIDE 18
The Turing Test
SLIDE 19
“Artificial Stupidity” (The Economist, 1992)
“Turing’s prediction may well come true. But it will be a dreadful anticlimax. The most obvious problem with Turing’s challenge is that there is no practical reason to create machine intelligences indistinguishable from human ones. People are in plentiful supply. Should a shortage arise, there are proven and popular methods for making more of them”
SLIDE 20
The only point of passing the Turing Test is to fool humans. But there is a market for that.
SLIDE 21
But computers have already passed “restricted” “Turing Tests”.
“Human nature” is part of the key: entropy in every task we perform, e.g., typos.
SLIDE 22
“We used to be pretty confident we knew the relative strengths and weaknesses of computers vis-a-vis humans. But computers have started making inroads in some unexpected areas.”
SLIDE 23
Bots and Security
SLIDE 24
OWASP Top 10
SLIDE 25
OWASP Automated Threats to Web Applications
SLIDE 26
From bots to botnets (from imitating people to imitating populations)
- Collection of malicious bots
- Large-scale threat from many IPs
- Hard to take down entirely
- Single application running malicious
automated tasks
- Easy to block based on IP or device
fingerprint
SLIDE 27
Botnets aren’t what you think they are
SLIDE 28
Botnets are the building blocks
- f beating IP-based defenses
- Passing a large-scale Turing Test: rather than imitating one user, they
imitate a crowd
- Assumption that IP address is a scarce resource is wrong
- IP blacklisting and rate throttling are ineffective
- Especially untrue in an IPv6 world
SLIDE 29
What are bad guys doing with botnets?
SLIDE 30
Financial Losses Caused by botnets
$110 Billion
Approximately 500 million computers are infected globally each year, translating into 18 victims per second
FBI estimate, 2014
https://www.fbi.gov/news/testimony/taking-down-botnets
SLIDE 31
- Pay-per-click model
- $23B in annual revenue
- >$100K per minute
- One main incentive
- Many methods
Click fraud
SLIDE 32
Click bots
SLIDE 33
Many bots target login forms
SLIDE 34
Account checking bots
SLIDE 35
Credential Stuffing at Sony (2011)
15 million credentials leaked 93,000 matches on Sony site = 93,000 user accounts breached
SLIDE 36
Botnets defeat all IP-based defenses
15 million credentials leaked 93,000 matches on Sony site = 93,000 user accounts breached Botnet tests for password reuse
SLIDE 37
Tax Fraud
Step 1: Gather “fullz” credentials from black market Step 3: Use tax transcripts to file fraud return in tax software Step 4: Receive fraudulent return Step 2: Download tax transcripts from IRS
SLIDE 38
Online Banking Fraud
SLIDE 39
Poker bots
SLIDE 40
Ticketing bots
SLIDE 41
Why is automation so easy?
SLIDE 42
All websites present an API
SLIDE 43
How can we stop bots?
SLIDE 44
Make life harder for robots with
- ur own robotic defenses
SLIDE 45
CAPTCHA
Wasting the world’s time for 15+ years and counting
SLIDE 46
Every day, the world spends 17 person years solving CAPTCHAs (CMU Estimate)
SLIDE 47
Metal CAPTCHA
SLIDE 48
reCAPTCHA
SLIDE 49
CAPTCHA beating tools
SLIDE 50
But CAPTCHAs had a good idea: Can’t make successful attacks impossible, but you can make them more difficult and expensive
SLIDE 51
To successfully imitate a crowd, there’s a lot more than IP addresses that attackers need to vary
Screen resolution Timezone Browser version Language Fonts Browser Plugins Type of Pointing Device Many other browser features
SLIDE 52
Prevention Real-Time Detection Batch Detection & Investigation Reactive Investigation
Generalized Attack Mitigation Framework
SLIDE 53
Removing Attack Incentives Reducing Attack Surface Disrupting & Deflecting Attacks Real-Time Detection Near Real-Time Detection Batch Detection Rules Data Feeds Proactive Manual Investigation Reactive Manual Investigation
Generalized Attack Mitigation Framework
SLIDE 54
Need “robots” to fight robots
SLIDE 55
Source: io9, “Yes, Deckard’s A Replicant” (03-23-09)
Need “robots” to fight robots
SLIDE 56