• No results found

Takedown Times.

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Takedown Times."

Copied!
10
0
0

Loading.... (view fulltext now)

Download now ( 10 Page )

Full text

(1)

Child Sexual Abuse

Child Sexual Abuse

Image Website

Image Website

Takedown Times

Richard Clayton

Richard Clayton

[email protected] j i t k ith T l M joint work with Tyler Moore

IWF Meeting London IWF Meeting, London 23 September 2008

(2)

Website take-down measurements

• Studying phishing website removal for almost 2 years • Four major academic papers more in the pipeline

• Four major academic papers, more in the pipeline

ƒ Best Paper award at APWG meeting 2007

• Comparing performance gives key insightsp g p g y g

ƒ Some banks faster than others

ƒ Some hosting mechanisms more long-lived than others

• Web logging data yields visitor counts and hence lo$$ statistics • Multiple feeds of suspect URLs gives us one of the best views of

the problem in the world (better than any individual company) the problem in the world (better than any individual company)

ƒ We can show if company/bank unaware of sites they stay up longer

• Specialist companies faster than “community efforts” etc. etc.

(3)

Comparing website removal times

Phishing (where owner aware) Sites Mean Median F b h ti J 2008 240 4 3 0 0 Free web-hosting Jan 2008 240 4.3 0.0 Compromised machines Jan 2008 105 3.5 0.0 Rock-phish domains Jan 2008 821 70.3 33.0 Fast-flux domains Jan 2008 314 96.1 25.5 Fraudulent websites Sites Mean Median Escrow Agents Oct-Dec 2007 696 222.2 24.5 Escrow Agents Oct Dec 2007 696 222.2 24.5 Mule recruitment Mar 07-Feb 08 67 308.2 188.0

h 8

(4)

Child sexual abuse image websites

• IWF provided anonymised list of Jan-Dec 2007 websites

• Excluded 8 domains with >100 reports (likely free webhosting) • Excluded 8 domains with >100 reports (likely free webhosting)

ƒ 2585 domains, 54 sites still “up” on 3 Apr 2008 (dataset time)

• Calculated time from first appearance to first removalpp

• Unable to distinguish type of site or measure reappearances • Median removal time = 264 hours (11.0 DAYS)( )

• Mean removal time = 562 hours (23.4 DAYS)

• If include the sites not yet removed (which makes figures y ( g comparable with previous slide)

ƒ Median removal time = 12 DAYS

ƒ Mean removal time = 30 DAYS (and growing) ƒ Mean removal time = 30 DAYS (and growing)

(5)

Removal process for CSAI websites

• If in UK, check with CEOP (a few hours delay) then tell ISP • If not in UK, report via CEOP

ƒ CEOP passes to Law Enforcement in foreign countryp g y

ƒ May need to passed to local officials from central contact point ƒ Issue may not be a priority, and/or properly understood

• ALSO if not in UK, pass to country’s INHOPE member (if any)

ƒ In US this is NCMEC who only pass on reports to “members” ƒ In US, this is NCMEC, who only pass on reports to members ƒ Elsewhere, few hotlines have formal arrangements with ISPs

(6)

Removal process for other content

• Phishing websites

ƒ Bank usually uses specialist company (local language, 24 hour ops)y p p y ( g g , p ) ƒ Removal company emails ISP

ƒ If no response within minutes/hours, company telephones ISP ƒ If no response involvement of CERTs local police etc etc

ƒ If no response, involvement of CERTs, local police etc etc

• Mule recruitment (and other “volunteer” efforts)

ƒ Tend to use English and operate in spare time

ƒ Email sent to ISP

ƒ Follow up emails, phone calls etc if no reaction

ƒ Involvement of CERTs local helpers translation services etc as may Involvement of CERTs, local helpers, translation services etc as may

thereafter may be needed

ƒ Much of the effort can involve explaining the scam

d ff l ( d d) h

(7)

Why is CSAI done this way?

• “No authority” to tell Polish ISPs what to do

ƒ Nor has anyone else!y

ƒ And no formal “authority” within the UK either!

• Might interfere with a police operation

ƒ Unusual for ISP not to be aware of such an operation ƒ There may well be direct reporting anyway

• Some confusion of aims is apparent: • Some confusion of aims is apparent:

ƒ Is main aim to remove sites ? ƒ or to catch the criminals ?

• Note that failure to make timely removal is incurring significant costs to ISPs in deployment of blocking solutions

(8)

Risks of more effective removal

• Faster removal of phishing websites has driven technology

improvements by hosters (rock-phish proxies, fast-flux botnet p y ( p p , hosting etc)

• But these developments are likely for CSAI sites anyway

• Note that many of these changes imply need to move to domain removal rather than website removal

ƒ Remarks by IWF about reappearance of websites (which we were ƒ Remarks by IWF about reappearance of websites (which we were

unable to assess from the dataset we were provided with) suggest that domain removal should be being done anyway

(9)

Summary

• Phishing websites removed in hours

• Part time volunteers remove scam websites in 1 7 days • Part time volunteers remove scam websites in 1-7 days • Child Sexual Abuse Image websites removed in weeks • Only thing removed slower is fake pharmacy websites • Only thing removed slower is fake pharmacy websites

ƒ and they are not tackled by any group we can locate

• We were amazed to discover this, and consider it a scandal, • Main reason appears to be lack of prompt contact with ISPs • IWF needs to decide if main policy aim is timely removal p y y

websites or to catch the criminals running them?

• If removal is important then need to revise procedures and perhaps seek donations “in kind” from take-down companies

(10)

Child Sexual Abuse

Child Sexual Abuse

Image Website

Image Website

Takedown Times

Paper: http://www.cl.cam.ac.uk/~rnc1/takedown.pdf

Paper: http://www.cl.cam.ac.uk/ rnc1/takedown.pdf

References

Download now ( PDF - 10 Page - 40.63 KB )

Related documents

Introduction to Cray Data Virtualization Service S

DVS can project multiple file systems in serial mode by assigning a new or an existing DVS server to each additional file system in serial access mode and entering the appropriate

The measurement of adult pathological demand avoidance traits

The current research describes the adaptation of an informant-rating instrument (the Extreme Demand Avoid- ance Questionnaire; O’Nions et al. 2014b ; EDA-Q) for use as a

(3) At the expiry of his term of office, a member referred to in paragraph (1)(a) and (e) to (h) shall be eligible for reappointment.

(1) Any person holding a valid hotel certificate shall, on payment of a processing fee of 1,000 rupees, make an application in writing to the Committee for a star rating certificate

Impact of Mobility on Communication Latency and Reliability in Dense HetNets

To investigate how upcoming 5G-NR (New Radio) would be integrated with LTE in such a way that data interruption during handover would be avoided while providing high data rates

AIAI-TR-193 AIAI. October1993

Based on the knowledge elicited during the interviews with the expert, the interpretation model for hierarchical design tasks was chosen as the most suitable model for the task

Mortgage loan portfolio optimization using multi-stage stochastic programming

The results presented in this section are in agreement with the financial arguments used in the Danish mortgage market. Even though the original problem is hard to solve we have

Adaptive Case Management - comparing document-centric and customer-centric approaches

Recent developments have introduced the concept of dynamic or adaptive case management within ECM systems, able to manage the case-process workflow in a flexible way, and able to