Where Do All the Attacks Go?
Dinei Florencio and Cormac Herley, Microsoft Research, Redmond
Why isn’t everyone hacked every day?
• Webroot Survey:
  – 90% share passwords across accounts
  – 41% share passwords with others
  – 20% use pet’s name as password
• Endless stream of new attacks every year
  – E.g. read LCD screens from reflections etc.
• If things are so bad, how come they’re so good?
Traditional Threat Model
• Alice is a user
• Charles attacks
  – Phishing, keyloggers, guessing, password-reuse
  – Malware, rootkits,
  – Physical side-channels, …
• Security as good as weakest link
[Figure: Charles → Attacks → Alice]
Problems with the threat model
8. It is numerically impossible (2 billion users)
  • At 1000:1 ratio (i.e. 2 million attackers)
  • Attackers = 1/3 as many as sw developers
  • US undergrad gets 50x more attention from Profs than Alice gets from Charles.
  • Idea that someone identifies/exploits weakest-link does not scale.
9. Fails to explain the observations
  • 20% choose dog’s name as password
  • Avoiding Harm ≠ Security
A Threat Model that Scales
• Population of users
• Population of attackers
• Attacker doesn’t know you from a honeypot
• Attack when Expected{Gain} > Expected{Cost}
[Figure: a population of attackers Charles(j) launching attacks against a population of Internet users Alice(i)]
• Alice(i) exerts effort e_i(k) against Attack(k)
• Probability she succumbs: Pr{e_i(k)}
  – Pr{e_i(k)} monotonically decreasing with effort
• Gain to Charles(j) from Alice(i): G_i
• Cost for Attack(k), N users: C_j(N,k)
[Figure: Pr{e_i(k)} decreasing in effort e_i(k); cost of Attack(k) increasing with the number of users N]
Charles(j) Expected Return U_j(k)
So, Charles(j) gain:

U_j(k) = (1 - Pr{SP}) Σ_i Pr{e_i(k)} G_i - C_j(N,k)

where Pr{SP} is the probability the fraud is detected (by the Service Provider), Pr{e_i(k)} the probability Alice(i) succumbs, G_i the gain from Alice(i), and C_j(N,k) the cost of Attack(k) for N users.
• Charles(j) selects Attack(k) that maximizes U_j(k)
Sum-of-efforts Defense
U_j(k) = (1 - Pr{SP}) Σ_i Pr{e_i(k)} G_i - C_j(N,k)
The sum runs over all attacked users: it is the sum of their weighted efforts against Attack(k).
• Recall as e_i(k) increases Pr{e_i(k)} decreases
• Increasing effort from users decreases return
Followed by Best-Shot Defense
U_j(k) = (1 - Pr{SP}) Σ_i Pr{e_i(k)} G_i - C_j(N,k)
• Fraud detection at Service Provider: Charles(j) must evade all detection measures
So, where do all the attacks go?
Average Success Rate Too Low
• Attack unprofitable if:
  (1 - Pr{SP}) Σ_i Pr{e_i(k)} G_i < C_j(N,k)
• If average success = (1/N) Σ_i Pr{e_i(k)} is too low then the whole attack is unprofitable
• Even if many profitable targets exist
• Similarly, if average value too low
  – i.e. G_i small
Attackers Collide Too Often
• Recall attackers compete for vulnerable users
• Suppose Attack(k) has deterministic outcome:
  Pr{e_i(k)} = 1 if e_i(k) < ε, 0 otherwise
• Example: brute-force using 10 popular pwds
  – abcdef, password, 123456, password1, etc.
• Every attacker who tries succeeds in same places
• If e_i(k) < ε Alice(i) ends up with M attackers in acct
  – In general share G_i with M·Pr{e_i(k)} other attackers
[Figure: several Charles(j) colliding on the same Alice(i)]
Attack(k) too expensive (relative to alternatives)
• Attack(k’) is cheaper: U_j(k) < U_j(k’) for all attackers
• Example: real-time MITM vs. pwd stealing
Fraud Detection Too High
U_j(k) = (1 - Pr{SP}) Σ_i Pr{e_i(k)} G_i - C_j(N,k)
• Pr{SP} → 1, then return → 0
• Example:
  – Alice(i)’s bank detects 99% of attempted fraud
  – True protection is not Alice(i)’s effort
The Free-Rider Effect
• Suppose brute-forcing is a profitable attack
• All-but-one Internet users (finally) decide to get serious and choose strong passwords
  – Alice(i0) continues with “abcdef”
• Profitability of brute-forcing plummets
  – Alice(i0)’s risk of harm → 0 (w/o action on her part)
Choosing Your Dog’s Name as Password
• User chooses bank password = dog’s name
• Easy money, right?
• How many users have…
  – Bank password = dog’s name? Say, 1%
  – Auto discover dog’s name? Say, 1%
  – Auto discover userID? Say, 1%
• How many other Charles(j) use strategy? Say, 100
• Return is reduced by 10^8
Dog’s Name as Password
• Suppose instead:
  – 10 mins to discover dog’s name
  – 10 mins to discover userID
• Thus 20 mins on average to get 1% of accts.
  – Compete with 10 other attackers
  – Bank catches 90% of attempted fraud
• At $7.25/hour acct should be worth G_i > (10 x 10 x 100/3) x 7.25 = $24200
• Suppose he makes (US min wage)/10
  – Needs: G_i > $2420/acct
• Exercise: find profitable assumptions
Domino Effect of Acct. Escalation
• Leveraging low-value accts to high
• Password re-use across accts, etc.
“One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.” Ives et al. 2004
Leverage Low-Value Account To High?
• Is this profitable on average?
• Given N webmails…
  – X% are contact email for bank
  – Y% userID can be determined automatically
  – Z% of banks email pwd reset link
  – W% the Secret Questions auto determined
• Return dramatically reduced. For example:
  – 0.1 x 0.01 x 0.1 x 0.05 = 0.000005 (1 in 200,000)
  – So 5 bank accts for every million webmails
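To make the arithmetic of the dog’s-name slides and the account-escalation slide reproducible, here is an added Python model of U_j(k) (an illustration written for this page, not the authors’ code). The function names, the linear per-user cost in free_rider(), and the sample values not taken from the slides are assumptions.

```python
# Economic attacker model from the slides (added illustration, not the authors' code):
#   U_j(k) = (1 - Pr{SP}) * sum_i Pr{e_i(k)} * G_i  -  C_j(N, k)
# Charles(j) runs Attack(k) only when U_j(k) > 0. Function names and the
# per-user cost model in free_rider() are assumptions made for this example.

def attack_return(p_sp, succumb, gains, cost, competitors=1):
    """U_j(k) for Charles(j) over N users.
    p_sp        = Pr{SP}, probability the service provider detects the fraud
    succumb[i]  = Pr{e_i(k)}, probability Alice(i) succumbs
    gains[i]    = G_i, gain from Alice(i)
    cost        = C_j(N,k), already evaluated for this N
    competitors = M attackers colliding on the same users, so G_i is shared M ways
    """
    gross = sum(p * g for p, g in zip(succumb, gains)) / competitors
    return (1.0 - p_sp) * gross - cost

def free_rider(n_users, gain, cost_per_user, weak_users=1):
    """Free-rider slide: all but `weak_users` choose strong passwords
    (Pr{e_i(k)} = 0); the rest keep 'abcdef' (Pr = 1). Cost is assumed
    linear in N (constructed, not from the slides)."""
    succumb = [1.0] * weak_users + [0.0] * (n_users - weak_users)
    return attack_return(0.0, succumb, [gain] * n_users, cost_per_user * n_users)

def breakeven_gain(hours_per_attempt, success_rate, competitors, p_sp, wage):
    """Dog's-name slide: minimum G_i per compromised account for the attack to
    pay `wage` per hour, after sharing with competitors and losing a fraction
    p_sp of attempts to the bank's fraud detection."""
    hours_per_account = hours_per_attempt / success_rate * competitors / (1.0 - p_sp)
    return hours_per_account * wage

def escalation_yield(n_webmails, hop_rates):
    """Domino-effect slide: expected bank accounts reached from N webmails when
    each escalation step succeeds with the given fraction (X%, Y%, Z%, W%)."""
    p = 1.0
    for r in hop_rates:
        p *= r
    return n_webmails * p

if __name__ == "__main__":
    # Slide values: 20 min/attempt, 1% success, 10 competitors, 90% caught, $7.25/h
    print(f"break-even G_i at min wage:      ${breakeven_gain(1/3, 0.01, 10, 0.9, 7.25):,.0f}")
    print(f"break-even G_i at min wage/10:   ${breakeven_gain(1/3, 0.01, 10, 0.9, 0.725):,.0f}")
    # Slide values: 0.1 x 0.01 x 0.1 x 0.05 per webmail, one million webmails
    print(f"bank accts per million webmails: {escalation_yield(1_000_000, [0.1, 0.01, 0.1, 0.05]):.1f}")
    # Constructed: 1000 users, G_i = $100, cost $0.50 per user attacked
    print(f"U_j with one weak user:  {free_rider(1000, 100.0, 0.5):.0f}")
    print(f"U_j with ten weak users: {free_rider(1000, 100.0, 0.5, weak_users=10):.0f}")
```

Changing the assumed rates in the calls is the “find profitable assumptions” exercise: the attack is only worth running once U_j(k) turns positive.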
Diversity is more Important than Strength
• Password is …
  – Dog’s name, cat’s name
  – Significant date, sports team
  – Written under keyboard
• How common a strategy is matters more than how secure it is
Conclusions
• Avoiding Harm ≠ Security
• Internet attackers face sum-of-effort defense
• Avoiding harm is much less expensive than being secure
• “Thinking like an attacker” doesn’t end when an attack is found.
“And then what?”