Person | TU Delft Repository

FÇ

F.O. Çetin

View Pure Profile

Authored

9 records found

Cleaning Up the Internet of Evil Things

Real-World Evidence on ISP and Consumer Efforts to Remove Mirai

Conference paper - F.O. Çetin, C. Hernandez Ganan, E.M. Altena, Takahiro Kasama, Daisuke Inoue, Kazuki Tamiya, Ying Tie, Katsunari Yoshioka, M.J.G. van Eeten

With the rise of IoT botnets, the remediation of infected devices has become a critical task. As over 87% of these devices reside in broadband networks, this task will fall primarily to consumers and the Internet Service Providers. We present the first empirical study of IoT malware cleanup in the wild -- more specifically, of removing Mirai infections in the network of a medium-sized ISP. To measure remediation rates, we combine data from an observational study and a randomized controlled trial involving 220 consumers who suffered a Mirai infection together with data from honeypots and darknets. We find that quarantining and notifying infected customers via a walled garden, a best practice from ISP botnet mitigation for conventional malware, remediates 92% of the infections within 14 days. Email-only notifications have no observable impact compared to a control group where no notifications were sent. We also measure surprisingly high natural remediation rates of 58-74% for this control group and for two reference networks where users were also not notified. Even more surprising, reinfection rates are low. Only 5% of the customers who remediated suffered another infection in the five months after our first study. This stands in contrast to our lab tests, which observed reinfection of real IoT devices within minutes -- a discrepancy for which we explore various different possible explanations, but find no satisfactory answer. We gather data on customer experiences and actions via 76 phone interviews and the communications logs of the ISP. Remediation succeeds even though many users are operating from the wrong mental model -- e.g., they run anti-virus software on their PC to solve the infection of an IoT device. While quarantining infected devices is clearly highly effective, future work will have to resolve several remaining mysteries. Furthermore, it will be hard to scale up the walled garden solution because of the weak incentives of the ISPs.@en

Tell me you fixed it

Evaluating vulnerability notifications via quarantine networks

Conference paper - F.O. Çetin, C. Hernandez Ganan, Lisette Altena, S. Tajalizadehkhoob, M.J.G. van Eeten

Mechanisms for large-scale vulnerability notifications have been confronted with disappointing remediation rates. It has proven difficult to reach the relevant party and, once reached, to incentivize them to act. We present the first empirical study of a potentially more effectiv ...

Understanding the role of sender reputation in abuse reporting and cleanup

Journal article - F.O. Çetin, Mohammad Hanif Jhaveri, C. Hernandez Ganan, M.J.G. van Eeten, Tyler Moore

Motivation: Participants on the front lines of abuse reporting have a variety of options to notify intermediaries and resource owners about abuse of their systems and services. These can include emails to personal messages to blacklists to machine-generated feeds. Recipients of t ...

Increasing the Impact of Voluntary Action Against Cybercrime

Doctoral thesis - F.O. Çetin

Resources on the Internet allow constant communication and data sharing between Internet users. While these resources keep vital information flowing, cybercriminals can easily compromise and abuse them, using them as a platform for fraud and misuse. Every day, we observe millions ...

Make notifications great again: learning how to notify in the age of large-scale vulnerability scanning

Conference paper - F.O. Çetin, C. Hernandez Ganan, M.T. Korczynski, M.J.G. van Eeten

As large-scale vulnerability detection becomes more feasible, it also increases the urgency to find effective largescale notification mechanisms to inform the affected parties. Researchers, CERTs, security companies and other organizations with vulnerability data have a variety of options to identify, contact and communicate with the actors responsible for the affected system or service. A lot of things can – and do – go wrong. It might be impossible to identify the appropriate recipient of the notification, the message might not be trusted by the recipient, it might be overlooked or ignored or misunderstood. Such problems multiply as the volume of notifications increases. In this paper, we undertake several large-scale notification campaigns for a vulnerable configuration of authoritative nameservers. We investigate three issues: What is the most effective way to reach the affected parties? What communication path mobilizes the strongest incentive for remediation? And finally, what is the impact of providing recipients a mechanism to actively demonstrate the vulnerability for their own system, rather than sending them the standard static notification message. We find that retrieving contact information at scale is highly problematic, though there are different degrees of failure for different mechanisms. For those parties who are reached, notification significantly increases remediation rates. Reaching out to nameserver operators directly had better results than going via their customers, the domain owners. While the latter, in principle, have a stronger incentive to care and their request for remediation would trigger the commercial incentive of the operator to keep its customers happy, this communication path turned out to have slightly worse remediation rates. Finally, we find no evidence that vulnerability demonstrations did better than static messages. In fact, few recipients engaged with the demonstration website. @en

Abuse reporting and the fight against cybercrime

Journal article - Mohammad Hanif Jhaveri, F.O. Çetin, C. Hernandez Ganan, Tyler Moore, M.J.G. van Eeten

Cybercriminal activity has exploded in the past decade, with diverse threats ranging from phishing attacks to botnets and drive-by-downloads afflicting millions of computers worldwide. In response, a volunteer defense has emerged, led by security companies, infrastructure operato ...

Abuse reporting and the fight against cybercrime

Journal article - Mohammad Hanif Jhaveri, F.O. Çetin, C. Hernandez Ganan, Tyler Moore, M.J.G. van Eeten

Let Me Out! Evaluating the Effectiveness of Quarantining Compromised Users in Walled Gardens

Conference paper - F.O. Çetin, E.M. Altena, C. Hernandez Ganan, M.J.G. van Eeten

An empirical analysis of ZeuS CC lifetime

Conference paper - C. Hernandez Ganan, F.O. Çetin, M.J.G. van Eeten

Contributed

2 records found

Private and public information disclosure to improve cybersecurity

A field experiment to incentivise compliance with anti-spoofing best practices

Master thesis - L. Tuttobene, M.J.G. van Eeten, C. Hernandez Ganan, Mark de Reuver, F.O. Çetin

Exploring effective notification mechanisms for infected IoT devices

Master thesis - E.M. Altena, M.J.G. van Eeten, C. Hernandez Ganan, Mark de Reuver, F.O. Çetin

Many Internet of Things (IoT) devices that are currently on the market lack security and therefore many of them got infected with malware to launch powerful distributed denial of service (DDoS) attacks. Notifications from Internet Service Providers (ISPs) to their customers play a crucial role in the fight to clean up the malware infected IoT devices. It is, however, difficult for the employees of abuse departments to explain how to cleanup an IoT malware infection to a non-technical customer and provide usable action steps to clean up the infection. In particular, because there is no “one size fits all” cleanup solution, due to the heterogeneous nature of the IoT devices. The abuse department of the Dutch ISP KPN would like to know how to notify customers with IoT malware infections and how to explain the cleanup of infected IoT devices to the customers. Therefore, the objective of this research is to make a recommendation to KPN on what notification mechanism to adopt by providing insight into: (1) how to increase the effectiveness of IoT malware notifications from an ISP to its customers in terms of IoT malware cleanup; and (2) how users perceive an IoT malware notification from their ISP. To this end, an experiment has been conducted with 190 retail customers with infected IoT devices to measure the difference in cleanup among IoT malware notifications sent via different channels and with different messages. To explore the reactions of the customers to the different notification mechanisms, telephone interviews have been conducted and the communication logs between KPN and the customers in the experiment have been analysed. We have compared the influence of the notification channel on cleanup and the reactions of customers by comparing customers that received: (1) email notifications; and (2) a combination of walled garden and email notifications. The different notification messages that have been compared in this study include: (1) the walled garden notification content that KPN’s abuse department uses to notify its customers with an IoT malware infection; and (2) a newly composed more actionable walled garden notification message which clearly defines the steps that need to be taken while avoiding technical terms. It is found that a combination of a walled garden and email notification with an actionable content is the most effective in terms of IoT malware cleanup. Furthermore, the walled garden notification is most effective in getting customers to read and react to the IoT malware notification, yet it sometimes results in customers having a low satisfaction with the service they receive. The more actionable notification content results in better understanding and trust from the customer compared to a less actionable content of the notification. However, customers’ understanding of the notification content and the satisfaction with the quarantine event remain a challenge.