A graduate seminar: current topics in computer security

Archive for the ‘Real world security’ Category


Understanding the economy of Online Affiliate Programs key to fight against them

November 28th, 2012 by kb20

A USENIX Security 2012 paper and talk, PharmaLeaks [1], provides a rare glimpse into how online pharmaceutical affiliate programs work, and understanding their economics may be the key to controlling them. The authors analyze leaked data from three online affiliate programs, covering US$185M in gross revenue, more than 1M customers, more than 1.5M purchases, and more than 2,600 affiliates. First, I will give a brief introduction to online affiliate programs. Next, I will present the findings of the paper, followed by a discussion of how a government could control these programs or get rid of them altogether.

Most of us have come across unsolicited emails advertising different types of drugs. What we may not all know is that this is part of a full-fledged underground economy, with businesses that function much like normal businesses: they keep track of financial records, revenue, costs, and so on. The first player in this economy is the customer, the recipient of the spam email, who may turn around and buy drugs online. The next player is the affiliate marketer, who sent the spam email in the first place. Once the customer clicks on the link, the affiliate marketer is out of the picture, and the transaction is handled from that point on by the affiliate program (the supplier), which has its own customer-service staff. The affiliate program in turn relies on yet another entity, a payment service provider, for payment processing. In general, these affiliate programs want to retain customers, so they try to keep them happy by promptly addressing any concerns.

The customers are usually people trying to save money by buying cheaper drugs online. The affiliate marketers are mostly spammers who own botnets; they work purely on commission, earning a share of each sale that the traffic they generate brings to the site. Some affiliate programs screen applicants to recruit the best marketers, while others let anybody join, since it costs the program nothing: affiliates are paid on commission only. The payment service providers (PSPs) charge a fee on each transaction, roughly 10% of its value. Shipping and handling is around 11.5% of the transaction, and the cost of the actual item is only around 7%. After the 30% commission paid to the marketing affiliate and the other costs of operating the business, the average actual profit margin is around 16%, or 30% in a highly optimistic case.

From the analysis of the data, the authors found that 95% of the customers are from the US, Canada, Australia and Europe. Erectile dysfunction drugs make up 75% of the orders and generate 80% of the revenue. An interesting finding is that between 2010 and 2011 one of the affiliate programs, RX Promotion, fell out with its PSP. This resulted in a sharp decline in its profit, to the point where it was about to close: without payment processing it can neither take on new customers nor keep the affiliate spammers. Another point to note is that three PSPs processed 84% of the transactions for all three affiliate programs. The next important insight is that 10% of the affiliates accounted for 80% of the revenue of these programs. Most affiliates failed, with a median revenue of US$350 per year. However, the top earners did well: the operators of Rustock earned US$1.9M, and Scorrp2 earned US$3M. The affiliate with the largest revenue, webplanet, earned US$4.6M through web-based advertising.

To summarize: if we have any hope of fighting these affiliate programs that sell counterfeit or unauthorized drugs online, we first have to cut their lifeline, which is their connection to PSPs. Since only a handful of PSPs do the majority of the processing, this is a cost-effective move. Likewise, since a handful of affiliates generate most of the revenue, the most cost-effective way to curb this industry is to direct operations against these "big player" affiliates.


References:

[1] D. McCoy et al., "PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs," USENIX Security 2012. https://www.usenix.org/conference/usenixsecurity12/pharmaleaks-understanding-business-online-pharmaceutical-affiliate

Full disclosure in the real world

November 27th, 2012 by bss4

If full disclosure of lock picking aroused the ire of locksmiths in the past, it still does. Andy Greenberg, who covers security for Forbes, reported on (1) a Black Hat presentation by Cody Brocious on exploiting a certain brand of hotel locks, dated 23rd July 2012, and (2) on 26th November 2012, a recent robbery at a famous hotel in, yes, Houston. What is the connection, you might ask? Investigators suspect the alleged thief used the techniques from (1) to break into multiple rooms in the hotel.

The Black Hat presentation discloses the technical details of hacking the locks by plugging an active probe into a small hole under the digital lock (meant for DC power supply and for inserting the portable programmer that programs the lock) and reading the key out. Bear in mind that the PP (portable programming) slot is openly accessible, not hidden under the lock panel. An attacker simply needs to walk up to the victim's door, plug an Arduino board (imitating the portable programmer that hotel staff use) into the PP slot, and start talking to the lock, specifically getting the lock to hand over the key that opens it. It turns out that this brand of lock stores its keys in memory and requires no authentication for the read-memory command. So, if one knows where the keys are stored, it is not difficult for an attacker to read the key and simply replay it to open the lock.
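To make the design flaw concrete, here is a toy model of such a lock's programming-port command handler, added here as an example: it is not Brocious's code and not the real lock's firmware or protocol, and the memory layout, the command set and the 32-bit key size are all assumptions. The vulnerable variant answers a read-memory request with no authentication, so an attacker who knows the key's offset reads it out and presents it to the open command; the hardened variant refuses any read that overlaps the key region. Both variants count every PP-port command, standing in for the audit trail the post mentions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an electronic lock's programming-port (PP) command handler.
 * Constructed for illustration only: NOT the real lock's protocol or firmware.
 * Memory size, key offset, key length and command semantics are assumptions. */

#define MEM_SIZE 64
#define KEY_OFF  16   /* assumed offset of the 32-bit site key in lock memory */
#define KEY_LEN  4

struct lock {
    uint8_t mem[MEM_SIZE];   /* lock memory; the key is stored in the clear   */
    bool    key_unreadable;  /* hardened variant: PP port may not read the key */
    int     opens;           /* successful open commands                       */
    int     pp_events;       /* audit trail: every command seen on the PP port */
};

void lock_init(struct lock *l, const uint8_t key[KEY_LEN], bool hardened) {
    memset(l, 0, sizeof *l);
    memcpy(l->mem + KEY_OFF, key, KEY_LEN);
    l->key_unreadable = hardened;
}

/* READ_MEM: in the vulnerable design there is no authentication at all.
 * Returns the number of bytes copied into out, or 0 if the read is refused. */
size_t lock_read_mem(struct lock *l, uint8_t addr, uint8_t len, uint8_t *out) {
    l->pp_events++;
    if ((size_t)addr + len > MEM_SIZE)
        return 0;
    /* Hardened: refuse any read window that overlaps the key region */
    if (l->key_unreadable && addr < KEY_OFF + KEY_LEN && addr + len > KEY_OFF)
        return 0;
    memcpy(out, l->mem + addr, len);
    return len;
}

/* OPEN: the only "authentication" the lock has is possession of the site key */
bool lock_open(struct lock *l, const uint8_t key[KEY_LEN]) {
    l->pp_events++;
    if (memcmp(l->mem + KEY_OFF, key, KEY_LEN) != 0)
        return false;
    l->opens++;
    return true;
}

/* Attacker with a probe in the PP slot: read the key out of memory (this
 * needs knowledge of where it lives), then replay it to the open command. */
bool attacker_open(struct lock *l) {
    uint8_t key[KEY_LEN];
    if (lock_read_mem(l, KEY_OFF, KEY_LEN, key) != KEY_LEN)
        return false;   /* read refused: nothing to replay */
    return lock_open(l, key);
}

/* Run the attack against a fresh lock. Returns 1 if the door opened, else 0;
 * the number of PP-port commands the lock logged is reported via *events. */
int run_attack(bool hardened, int *events) {
    static const uint8_t site_key[KEY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed */
    struct lock l;
    lock_init(&l, site_key, hardened);
    bool opened = attacker_open(&l);
    if (events)
        *events = l.pp_events;
    return opened ? 1 : 0;
}

/* The legitimate programmer, which knows the site key, still opens the
 * hardened lock: the fix only removes the unauthenticated key read. */
int staff_open_hardened(void) {
    static const uint8_t site_key[KEY_LEN] = {0xDE, 0xAD, 0xBE, 0xEF};
    struct lock l;
    lock_init(&l, site_key, true);
    return lock_open(&l, site_key) ? 1 : 0;
}

int main(void) {
    int events;
    int opened = run_attack(false, &events);
    printf("vulnerable lock: attacker opened=%d, PP-port events logged=%d\n", opened, events);
    opened = run_attack(true, &events);
    printf("hardened lock:   attacker opened=%d, PP-port events logged=%d\n", opened, events);
    printf("staff key on hardened lock: opened=%d\n", staff_open_hardened());
    return 0;
}
```

The hardened check is deliberately the smallest change that stops this particular attack. The stronger fix is to require the programmer to authenticate before the lock honours any memory command at all, and never to export the key over the port in the first place; note also that even the hardened toy still logs the refused read, which is exactly the kind of trace the post says investigators relied on.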

It is suspected that the robbery was carried out using this type of intrusion; apparently, opening the door via the PP slot leaves a trace (thanks to good old auditing mechanisms), which is what let the investigators link the theft to the material in the Black Hat talk. The incident raises the question of who is right and who is wrong. It is evident that full (not responsible) disclosure led to a robbery in which a woman lost her laptop. Why didn't Cody Brocious, the Black Hat researcher, disclose the flaw to the lock-making firm first? Let's suppose that he had. Do you think the firm would have gone about upgrading the millions of installed locks in hotels around the world, or would they simply have felt that "no harm is going to happen if nobody knows", the basis of security by obscurity? Now that the firm has a fix, they are charging customers for the hardware upgrade. Isn't it their obligation to fix it for free? This is not a feature upgrade we are talking about; it is simply about making the locks do what locks are supposed to do.

What can the affected hotels do, you ask? Either pay up for the "upgrade" or go low-tech: plug the PP slot with a cap or some of the gooey concoction they use to fill holes in walls.