Presentation is loading. Please wait.

Presentation is loading. Please wait.

Where Do All the Attacks Go? Dinei Florencio and Cormac Herley Microsoft Research, Redmond.

Published bySkylar Virgo Modified over 10 years ago

Similar presentations

Presentation on theme: "Where Do All the Attacks Go? Dinei Florencio and Cormac Herley Microsoft Research, Redmond."— Presentation transcript:

1 Where Do All the Attacks Go? Dinei Florencio and Cormac Herley Microsoft Research, Redmond

2 Why isn’t everyone hacked every day? Webroot Survey: – 90% share passwords across accounts – 41% share passwords with others – 20% use pet’s name as password Endless stream of new attacks every year – E.g. read LCD screens from reflections etc If things are so bad, how come they’re so good?

3 Traditional Threat Model Alice is a user Charles attacks – Phishing, keyloggers, guessing, password-reuse – Malware, rootkits, – Physical side-channels, ………… Security as good as weakest link Charles Alice Attacks Charles

4 Problems with the threat model 8.It is numerically impossible (2 billion users) At 1000:1 ratio (i.e. 2 million attackers) Attackers = 1/3 as many as sw developers US undergrad gets 50x more attention from Profs than Alice gets from Charles. Idea that someone identifies/exploits weakest-link does not scale. 9.Fails to explain the observations 20% choose dog’s name as password Avoiding Harm ≠ Security

5 A Threat Model that Scales Population of users Population of attackers Attacker doesn’t know you from a honeypot Attack when Expected{Gain} > Expected{Cost} Attacks Internet Users Alice(i) Attackers Charles(j)

6 Attacks Alice(i) exerts effort e i (k) against Attack(k) Probability she succumbs: Pr{e i (k)} – Pr{e i (k)} monotonically decreasing with effort Gain to Charles(j) from Alice(i): G i Cost for Attack(k), N users: C j (N,k) Pr{e i (k)} e i (k) # Users Cost

7 Charles(j) Expected Return U j (k) Prob. Alice(i) succumbs Gain from Alice(i) Cost of Attack(k) For N users Charles(j) selects Attack(k) that maximizes U j (k) Prob. fraud detected U j (k) =

8 Sum-of-efforts Defense (1-Pr{SP}) Σ i Pr{e i (k)} G i - C j (N,k) Sum over all attacked users of weighted efforts against Attack(k) Recall as e i (k) increases Pr{e i (k)} decreases Increasing effort from users decreases return

9 Followed by Best-Shot Defense (1-Pr{SP}) Σ i Pr{e i (k)} G i - C j (N,k) Fraud detection at Service Provider: Charles(j) must evade all detection measures

10 So, where do all the attacks go?

11 Average Success Rate Too Low Attack unprofitable if: (1-Pr{SP}) Σ i Pr{e i (k)} G i < C j (N,k) If average success = 1/N Σ i Pr{e i (k)} is too low then whole attack unprofitable. Even if many profitable targets exist Similarly, if average value too low – i.e. G i small

12 Attackers Collide Too Often Recall attackers compete for vulnerable users Suppose Attack(k) has deterministic outcome 1 if e i (k) < ε 0 otherwise Example: brute-force using 10 popular pwds – abcdef, password, 123456, password1, etc Every attacker who tries succeeds in same places If e i (k) < ε Alice(i) ends up with M attackers in acct – In general share Gi with MPr{e i (k)} other attackers Alice(i) Charles(j) Pr{e i (k)} =

13 Attack(k) too expensive (relative to alternatives) Attack(k’) is cheaper U j (k) < U j (k’) for all attackers Example: real-time MITM vs. pwd stealing

14 Fraud Detection Too High (1-Pr{SP}) Σ i Pr{e i (k)} G i - C j (N,k) Pr{SP}  1 then return  0 Example: – Alice(i)’s bank detects 99% of attempted fraud – True protection is not Alice(i)’s effort

15 The Free-Rider Effect Suppose brute-forcing is a profitable attack All-but-one Internet users (finally) decide to get serious and choose strong passwords – Alice(i 0 ) continues with “abcdef” Profitability of brute-forcing plummets – Alice(i 0 )’s risk of harm  0 (w\o action on her part)

16 Choosing Your Dog’s Name as Password User chooses bank password = dog’s name Easy money, right? How many users have……… – Bank password = dog’s name? Say, 1% – Auto discover dog’s name? Say, 1% – Auto discover userID? Say, 1% How many other Charles(j) use strategy? Say, 100 Return is reduced by 10 8

17 Dog’s Name as Password Suppose instead: – 10 mins to discover dog’s name – 10 mins to discover userID Thus 20 mins on average to get 1% of accts. – Compete with 10 other attackers – Bank catches 90% of attempted fraud At $7.25/hour acct should be worth G i > (10x10x100/3)x7.25 = $24200 Suppose he makes (US min wage)/10 – Needs: Gi > $2420/acct Exercise: find profitable assumptions

18 Domino Effect of Acct. Escalation Leveraging low-value accts to high Password re-use across accts, etc. “One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.” Ives etal 2004

19 Leverage Low-Value Account To High? Is this profitable on average Given N webmails… – X% are contact email for bank – Y% userID can be determined automatically – Z% of banks email pwd reset link – W% the Secret Questions auto determined Return dramatically reduced. For example – 0.1 x 0.01 x 0.1 x 0.05 = 0.00005 (1 in 200,000) – So 5 bank accts for every million webmails

20 Diversity is more Important than Strength Password is ………… – Dog’s name, cat’s name – Significant date, sports team – Written under keyboard How common a strategy is matters more than how secure it is

21 Conclusions Avoiding Harm ≠ Security Internet attackers face sum-of-effort defense Avoiding harm is much less expensive than being secure “Thinking like an attacker” doesn’t end when an attack is found. Alice(i) Charles(j)

22 “And then what?”

Download ppt "Where Do All the Attacks Go? Dinei Florencio and Cormac Herley Microsoft Research, Redmond."

Similar presentations

MANAGED SECURITY: Protecting your data and your business Insert reseller logo.

MANAGED SECURITY: Protecting your data and your business Insert reseller logo.
A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.

A Local Mean Field Analysis of Security Investments in Networks Marc Lelarge (INRIA-ENS) Jean Bolot (SPRINT) NetEcon 2008.
Part I: Making Good Online Choices

Part I: Making Good Online Choices
Victoria ISD Common Sense Media Grade 6: Scams and schemes

Victoria ISD Common Sense Media Grade 6: Scams and schemes
INTERNET SAFETY FOR EVERYONE A QUICK AND EASY CRASH COURSE.

INTERNET SAFETY FOR EVERYONE A QUICK AND EASY CRASH COURSE.
What is identity theft, and how can you protect yourself from it?

What is identity theft, and how can you protect yourself from it?
Identity Security Time to Share Nicolas Popp VeriSign MM/DD/YY - Session Code: 22 pt Arial.

Identity Security Time to Share Nicolas Popp VeriSign MM/DD/YY - Session Code: 22 pt Arial.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
16th WATCH: Security, Cybercrime and Scale Cormac Herley Microsoft Research THURSDAY March 21 st, Noon, Room 110 W ashington A rea T rustworthy C omputing.

16th WATCH: Security, Cybercrime and Scale Cormac Herley Microsoft Research THURSDAY March 21 st, Noon, Room 110 W ashington A rea T rustworthy C omputing.
Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.

Presented by: Luke Speed Computer Security. Why is computer security important! Intruders hack into computers to steal personal information that the user.
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. –Email, Websites,

Homework #4 Comments. Passwords: What are they good for? Today passwords are the #1 means of authenticating users on a day-to-day basis. – , Websites,
Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.

Scams and Schemes. Today’s Objective I can understand what identity theft is and why it is important to guard against it, I can recognize strategies that.
Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.

Why Cryptosystems Fail Ross Anderson Presented by Su Zhang 1.
Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.

Economics of Malware: Epidemic Risk Model, Network Externalities and Incentives. Marc Lelarge (INRIA-ENS) WEIS, University College London, June 2009.
BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 

BTT12OI.  Do you know someone who has been scammed? What happened?  Been tricked into sending someone else money (not who they thought they were) 
DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?

DIGITAL CITIZENSHIP 6 TH – 8 TH UNIT 1 LESSON 3 SCAMS & SCHEMES What is identity theft, and how can you protect yourself from it?
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Similar presentations

Ads by Google