
Mike Hearn at RIPE 64: Abuse At Scale

Duo Security

June 12, 2012

Transcript

  1. Abuse at scale
    [email protected]

  2. Agenda

  3. Agenda
    1.  Stories from [email protected]
    2.  Abuse in 2012
    3.  Abuse report handling
    a.  Why it's hard
    b.  What we could do about it

  4. Stories from the abyss

  5. Gmail then
    Launched 2004, invite only. 2006, open invites.
    •  Gmail does not provide sender IP for web sends
    •  Open signups make abuse fighting much harder
    •  CAPTCHA solving teams became available, $1 per
    thousand CAPTCHAs.
    •  Result: >50% of all outbound mail is spam within months
    Gmail abuse team split out from inbound spam and grown

  6. Gmail now
    •  No major outbound campaigns using spammy accounts
    •  Disclaimer: still send 5,000 (legit) mails/sec
    o  you may sometimes get mail from @gmail.com
    accounts that you don't want
    How?
    •  Mail send risk analysis with hundreds of features, ML
    •  Phone verification on suspect spamming accounts
    •  Tactical operations against account sellers
    •  Account signup protected by risk analysis/ML/encrypted
    JavaScript, dedicated team that monitors bulk signup

  7. Account sellers still exist. Normal price is $120-$150 per
    thousand (phone verified)
    This price level makes bulk spam uneconomic.

  8. Problem areas
    •  Spammers who pay for the ability to spam
    •  Spammers who claim they will pay but don't
    •  10,000+ engineers/product managers who are not used
    to thinking adversarially
    •  Highly motivated spammers who find exploits
    o  Students love Gmail. Let's make it available to
    universities!
    o  Spammer discovers he can make fake universities:
    *.edu.tk is treated as valid (now fixed)
    o  CAPTCHAs that are open to replay attacks
    o  ... etc.

  9. Google abuse in 2012

  10. Recent trends
    April 2010 - the world changed
    •  Bulk signup era is over
    •  Account hijacking begins
    o  Over 1 million sets of credentials tried per day
    o  Successfully authenticating to >100,000 accounts
    per day
    WTF?
    The age of the password is over and never coming back

  12. Abuse team becomes anti-hijacking team
    Solution
    Online login risk analysis
    o  Classifies 60-100k logins per second (2-3k/sec web)
    o  <100msec
    o  0.1% false positive rate
    2 years later, web hijacking on Gmail is largely wiped out.

  13. Abuse report handling
    Nobody expects the Spanish Inquisition!

  14. Some unhappy truths:
    •  Receives >40 reports/second
    •  Reports grouped into "feeds"
    •  Automatically reviewed in almost all cases
    •  Abuse report handling is a hard problem
    [email protected]

  15. Why is processing hard?
    •  Finding trusted feeds is tricky
    o  Individual reports have wildly varying quality, useful
    only in aggregate
    o  "Trusted partners" are incentivized to become
    untrusted partners
    o  Abuse reporting mechanisms frequently gamed
    •  Trustworthiness is not enough. You have to add
    coverage too.
    o  If you have <100 users it makes no difference.
    o  Abuse feed agreements exist between most major
    players, hard to avoid spamming them

  16. Why is sending hard?
    •  Abuse reports contain verbatim/lightly redacted copies
    of mails
    •  Users have an expectation of privacy
    •  People click "report spam" on mails which are not spam
    •  Receivers should be processing abuse reports from us
    automatically and with reasonably good privacy
    controls:
    o  Manual review for sanity checking: OK
    o  Manual review of most abuse reports: NOT OK

  17. What works best?
    •  Feeds that aggregate large numbers of users
    •  Feeds that have active anti-abuse teams behind them
    o  Otherwise spammers will game the system
    •  Feeds that use standard formats like ARF
    •  Feeds which are automated

  18. Ideas for moving forward
    •  Upgrades to ARF:
    o  Could distinguish "this is spam" from "this is from a
    friend but doesn't seem like them".
    Easy extension to Feedback-Type.
    o  URL abuse (goo.gl)
    •  Self-service tool for @google abuse feeds?
    •  Neutral / non profit aggregators that enforce basic
    ground rules?
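Slides 16 through 18 turn on what an abuse feed actually carries: an ARF message (RFC 5965) with a machine-readable Feedback-Type, a copy of the reported mail that may be trimmed for privacy, and the possibility of extending Feedback-Type with new values. The Python below is an added example written for this transcript; it is not code from the talk, from Google or from Duo Security. It builds a report with the standard library's email package, attaches either just the original headers or the verbatim message, and parses the result back, flagging rather than rejecting an unregistered Feedback-Type. All addresses, IPs, domains and the "hijacked-sender" type name are constructed.

```python
"""Build and parse an ARF abuse report (RFC 5965).

Added example, not code from the talk, Google or Duo Security. Every
address, IP, domain and message body below is constructed.
"""
from email import message_from_bytes, policy
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.mime.text import MIMEText
from email.utils import formatdate

# Feedback-Type values in the IANA registry (RFC 5965 / RFC 6430). Other
# values, such as the hypothetical "hijacked-sender" used in demo() for the
# talk's "from a friend but doesn't seem like them" idea, are passed through
# and flagged, not rejected.
REGISTERED_FEEDBACK_TYPES = {"abuse", "fraud", "virus", "other", "not-spam"}

# Constructed message that a user clicked "report spam" on.
ORIGINAL_MAIL = b"""From: promo@example.net
To: victim@example.com
Subject: You have won
Message-ID: <abc123@example.net>
Date: Tue, 12 Jun 2012 10:00:00 +0000

Click http://example.net/win to claim your prize.
"""


def build_arf_report(original, feedback_type, source_ip, reported_domain,
                     reporter, headers_only=True):
    """Wrap an original message in a multipart/report ARF message.

    headers_only=True attaches only the original headers (text/rfc822-headers),
    the less privacy-exposing form the RFC permits; the verbatim
    message/rfc822 copy is attached only when asked for.
    """
    original_msg = message_from_bytes(original)

    report = MIMEMultipart("report", report_type="feedback-report")
    report["From"] = reporter
    report["To"] = "abuse@" + reported_domain
    report["Subject"] = "FW: " + (original_msg["Subject"] or "(no subject)")

    # Part 1: human-readable summary.
    report.attach(MIMEText(
        "This is an email abuse report for a message received from IP "
        + source_ip + ". The reporting recipient has been withheld.\n", "plain"))

    # Part 2: machine-readable fields. Original-Rcpt-To is left out on
    # purpose: it is optional and would identify the user who reported.
    # Original-Mail-From should be the envelope sender; the From header
    # stands in for it here (assumption of this example).
    fields = [
        "Feedback-Type: " + feedback_type,
        "User-Agent: ExampleReporter/0.1",
        "Version: 1",
        "Original-Mail-From: " + str(original_msg["From"]),
        "Arrival-Date: " + formatdate(usegmt=True),
        "Source-IP: " + source_ip,
        "Reported-Domain: " + reported_domain,
    ]
    fb = MIMENonMultipart("message", "feedback-report")
    fb.set_payload("\n".join(fields) + "\n\n")
    report.attach(fb)

    # Part 3: the reported message, headers only or verbatim.
    if headers_only:
        header_block = "".join(k + ": " + v + "\n" for k, v in original_msg.items())
        report.attach(MIMEText(header_block, "rfc822-headers"))
    else:
        report.attach(MIMEMessage(original_msg))
    return report.as_bytes()


def parse_arf_report(raw):
    """Return the feedback-report fields as a dict with lower-cased keys.

    Raises ValueError when the structure is not an ARF report. Unknown
    Feedback-Type values are kept and marked registered=False so a feed
    can forward them to consumers that understand the extension.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not multipart/report; report-type=feedback-report")
    parts = list(msg.iter_parts())
    fb_part = next((p for p in parts
                    if p.get_content_type() == "message/feedback-report"), None)
    if fb_part is None or not fb_part.is_multipart():
        raise ValueError("missing message/feedback-report part")
    # The parser treats a message/* body as a nested message, so the ARF
    # fields surface as the headers of that nested message.
    fields = {k.lower(): str(v).strip() for k, v in fb_part.get_payload(0).items()}
    if "feedback-type" not in fields:
        raise ValueError("Feedback-Type is required")
    fields["feedback-type"] = fields["feedback-type"].lower()
    fields["registered"] = fields["feedback-type"] in REGISTERED_FEEDBACK_TYPES
    attached = next((p.get_content_type() for p in parts[2:]), None)
    fields["original"] = {"message/rfc822": "full",
                          "text/rfc822-headers": "headers"}.get(attached, "none")
    return fields


def demo(feedback_type="abuse", headers_only=True):
    """Round-trip a constructed report through build and parse."""
    raw = build_arf_report(ORIGINAL_MAIL, feedback_type, "192.0.2.7",
                           "example.net", "arf-feed@example.com", headers_only)
    return parse_arf_report(raw)
```

The headers-only default is the design choice that answers slide 16: a receiver can still key on Source-IP, Reported-Domain and the Message-ID without the feed carrying the body of someone's private mail, and it can switch to the verbatim copy for feeds whose partners have agreed to handle it automatically. Passing unknown Feedback-Type values through with a flag is what lets the extension on slide 18 be deployed incrementally without older consumers dropping the report.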

  19. The end!
    Thanks for listening
