
# Where Do All the Attacks Go?

Dinei Florencio and Cormac Herley, Microsoft Research, Redmond



### Why isn't everyone hacked every day?

Webroot survey:

- 90% share passwords across accounts
- 41% share passwords with others
- 20% use a pet's name as password

Endless stream of new attacks every year, e.g. reading LCD screens from reflections, etc.

If things are so bad, how come they're so good?

### Traditional Threat Model

Alice is a user. Charles attacks:

- Phishing, keyloggers, guessing, password re-use
- Malware, rootkits
- Physical side-channels, ...

Security is only as good as the weakest link.

[Figure: Charles directs attacks at Alice]

### Problems with the threat model

- It is numerically impossible (2 billion users). At a 1000:1 ratio (i.e. 2 million attackers), attackers would be 1/3 as numerous as software developers. A US undergrad gets 50x more attention from professors than Alice gets from Charles. The idea that someone identifies and exploits the weakest link does not scale.
- It fails to explain the observations: 20% choose their dog's name as password.

Avoiding Harm ≠ Security

### A Threat Model that Scales

- Population of users
- Population of attackers
- Attacker doesn't know you from a honeypot
- Attack when Expected{Gain} > Expected{Cost}

[Figure: attackers Charles(j) launch attacks at Internet users Alice(i)]

### Attacks

- Alice(i) exerts effort $e_i(k)$ against Attack(k)
- Probability she succumbs: $\Pr\{e_i(k)\}$, monotonically decreasing with effort
- Gain to Charles(j) from Alice(i): $G_i$
- Cost for Attack(k) across N users: $C_j(N,k)$

[Figure: $\Pr\{e_i(k)\}$ decreasing in $e_i(k)$; cost as a function of the number of users]

### Charles(j) Expected Return

$$U_j(k) = (1 - \Pr\{SP\}) \sum_i \Pr\{e_i(k)\}\, G_i - C_j(N,k)$$

where $\Pr\{SP\}$ is the probability the fraud is detected, $\Pr\{e_i(k)\}$ the probability Alice(i) succumbs, $G_i$ the gain from Alice(i), and $C_j(N,k)$ the cost of Attack(k) for N users. Charles(j) selects the Attack(k) that maximizes $U_j(k)$.

### Sum-of-efforts Defense

$$(1 - \Pr\{SP\}) \sum_i \Pr\{e_i(k)\}\, G_i - C_j(N,k)$$

The sum runs over all attacked users' weighted efforts against Attack(k). Recall that as $e_i(k)$ increases, $\Pr\{e_i(k)\}$ decreases: increasing effort from users decreases the attacker's return.

### Followed by Best-Shot Defense

$$(1 - \Pr\{SP\}) \sum_i \Pr\{e_i(k)\}\, G_i - C_j(N,k)$$

Fraud detection at the Service Provider: Charles(j) must evade all detection measures.

### So, where do all the attacks go?

### Average Success Rate Too Low

Attack unprofitable if:

$$(1 - \Pr\{SP\}) \sum_i \Pr\{e_i(k)\}\, G_i < C_j(N,k)$$

If the average success rate $\frac{1}{N}\sum_i \Pr\{e_i(k)\}$ is too low, then the whole attack is unprofitable, even if many profitable targets exist. Similarly if the average value is too low, i.e. $G_i$ small.

### Attackers Collide Too Often

Recall that attackers compete for vulnerable users. Suppose Attack(k) has a deterministic outcome:

$$\Pr\{e_i(k)\} = \begin{cases} 1 & \text{if } e_i(k) < \varepsilon \\ 0 & \text{otherwise} \end{cases}$$

Example: brute-force using 10 popular passwords (abcdef, password, 123456, password1, etc.). Every attacker who tries succeeds in the same places. If $e_i(k) < \varepsilon$, Alice(i) ends up with M attackers in her account; in general she shares $G_i$ with $M \Pr\{e_i(k)\}$ other attackers.

### Attack(k) too expensive (relative to alternatives)

Attack(k') is cheaper: $U_j(k) < U_j(k')$ for all attackers. Example: real-time MITM vs. password stealing.

### Fraud Detection Too High

$$(1 - \Pr\{SP\}) \sum_i \Pr\{e_i(k)\}\, G_i - C_j(N,k)$$

As $\Pr\{SP\} \to 1$, the return $\to 0$. Example:

- Alice(i)'s bank detects 99% of attempted fraud
- The true protection is not Alice(i)'s effort

### The Free-Rider Effect

Suppose brute-forcing is a profitable attack. All-but-one Internet users (finally) decide to get serious and choose strong passwords; Alice($i_0$) continues with "abcdef". The profitability of brute-forcing plummets, and Alice($i_0$)'s risk of harm $\to 0$ (without any action on her part).
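The expected-return model $U_j(k)$ from the slides above, the collision effect of the deterministic threshold attack, and the free-rider effect, worked through as an added example (my code, not the slides' or the authors'); the population size, gains, costs, threshold and function names are constructed assumptions:

```python
"""Added example: the attackers' expected-return model
U_j(k) = (1 - Pr{SP}) * sum_i Pr{e_i(k)} * G_i - C_j(N,k)
for the deterministic threshold attack from the "Attackers Collide" slide.
All population sizes, gains, costs and thresholds are constructed sample values."""


def succumb_prob(effort: float, threshold: float) -> float:
    """Pr{e_i(k)} for a threshold attack: Alice(i) succumbs iff e_i(k) < epsilon."""
    return 1.0 if effort < threshold else 0.0


def average_success(efforts, threshold: float) -> float:
    """(1/N) * sum_i Pr{e_i(k)}: the attack-wide average success rate."""
    return sum(succumb_prob(e, threshold) for e in efforts) / len(efforts)


def expected_return(efforts, gains, threshold, fraud_detect, cost, competitors=1):
    """U_j(k) for one attacker. With M attackers running the same deterministic
    attack, all of them land in the same accounts, so the gain from each
    victim is shared M ways (the collision effect)."""
    gross = sum(succumb_prob(e, threshold) * g for e, g in zip(efforts, gains))
    return (1.0 - fraud_detect) * gross / competitors - cost


def free_rider_demo(n_users, gain, threshold, fraud_detect, cost, competitors):
    """Before: every user puts in zero effort. After: all but Alice(i0) harden.
    Returns (U before, U after, Alice(i0) harm before, Alice(i0) harm after).
    Charles(j) only runs the attack when U_j(k) > 0, so Alice(i0)'s harm is
    Pr{e_i0(k)} if the attack is run and 0 otherwise."""
    gains = [gain] * n_users
    weak = [0.0] * n_users
    hardened = [threshold + 1.0] * n_users
    hardened[0] = 0.0  # Alice(i0) still uses "abcdef"
    before = expected_return(weak, gains, threshold, fraud_detect, cost, competitors)
    after = expected_return(hardened, gains, threshold, fraud_detect, cost, competitors)
    harm_before = succumb_prob(0.0, threshold) if before > 0 else 0.0
    harm_after = succumb_prob(0.0, threshold) if after > 0 else 0.0
    return before, after, harm_before, harm_after


if __name__ == "__main__":
    # Constructed sample: 1M users each worth $10, 10 competing attackers,
    # the bank catches 90% of fraud, and running the attack costs $50,000.
    print(free_rider_demo(1_000_000, 10.0, 0.5, 0.9, 50_000.0, 10))
```

With the sample values the attack clears $50,000 per attacker while everyone is weak, but drops below zero once only Alice($i_0$) is left vulnerable, so her harm goes to zero without her changing anything.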

### Choosing Your Dog's Name as Password

User chooses bank password = dog's name. Easy money, right? How many users have...

- Bank password = dog's name? Say, 1%
- Dog's name that can be discovered automatically? Say, 1%
- UserID that can be discovered automatically? Say, 1%

How many other Charles(j) use this strategy? Say, 100. Return is reduced by $10^8$.

### Dog's Name as Password

Suppose instead:

- 10 mins to discover dog's name
- 10 mins to discover userID

Thus 20 mins on average per attempt to get 1% of accounts.

- Compete with 10 other attackers
- Bank catches 90% of attempted fraud

At \$7.25/hour the account should be worth $G_i > (10 \times 10 \times 100/3) \times 7.25 = \$24200$. Suppose he makes (US min wage)/10: needs $G_i > \$2420$/acct.

Exercise: find profitable assumptions.

### Domino Effect of Acct. Escalation

Leveraging low-value accounts to high-value ones: password re-use across accounts, etc.

"One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences." Ives et al. 2004

### Leverage Low-Value Account To High?

Is this profitable on average? Given N webmails...

- X% are the contact email for a bank
- Y% have a userID that can be determined automatically
- Z% of banks email a password reset link
- W% have Secret Questions that can be determined automatically

Return is dramatically reduced. For example:

- 0.1 x 0.01 x 0.1 x 0.05 = 0.000005 (1 in 200,000)
- So 5 bank accounts for every million webmails
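The break-even arithmetic from the two "Dog's Name as Password" slides and the webmail-to-bank conversion chain above, as an added example (my code, not the authors'); the parameter and function names are mine, the defaults are the slides' stated assumptions, and the inverted form answers the slide's exercise:

```python
"""Added example: the "Dog's Name as Password" break-even arithmetic and the
webmail-to-bank conversion chain from the slides, as reusable functions.
Defaults are the slides' stated assumptions; the function names are mine."""

from math import prod


def hours_per_kept_account(minutes_per_attempt=20.0, success_rate=0.01,
                           competitors=10, fraud_detect=0.9):
    """Attacker hours per account he compromises, keeps through the bank's fraud
    detection, and does not have to share: (attempts needed * minutes) / 60,
    scaled up by the competitor count and by 1 / (1 - fraud detection rate)."""
    attempt_hours = minutes_per_attempt / success_rate / 60.0
    return attempt_hours * competitors / (1.0 - fraud_detect)


def required_account_value(hourly_wage=7.25, **assumptions):
    """Smallest G_i at which the attack beats working for hourly_wage.
    With the slides' defaults this is (10 x 10 x 100/3) x 7.25, about $24,167."""
    return hours_per_kept_account(**assumptions) * hourly_wage


def required_success_rate(account_value, minutes_per_attempt=20.0,
                          competitors=10, fraud_detect=0.9, hourly_wage=7.25):
    """The slide's exercise inverted: the per-attempt success rate that would
    make an account worth account_value pay at least hourly_wage."""
    cost_per_attempt = minutes_per_attempt / 60.0 * hourly_wage
    return cost_per_attempt * competitors / ((1.0 - fraud_detect) * account_value)


def conversion_chain(*fractions):
    """Fraction of webmails that leverage into a bank account: the product of
    the per-step fractions (X%, Y%, Z%, W% on the slide)."""
    return prod(fractions)


if __name__ == "__main__":
    print(f"break-even G_i at min wage:     ${required_account_value():,.0f}")
    print(f"break-even G_i at min wage/10:  ${required_account_value(0.725):,.0f}")
    print(f"success rate needed for $1000:  {required_success_rate(1000.0):.1%}")
    print(f"webmails -> bank accounts:      {conversion_chain(0.1, 0.01, 0.1, 0.05):.6f}")
```

Under the slides' assumptions an account must be worth roughly $24,167 to beat minimum wage (the slide rounds to $24,200), and a $1,000 account would need about 24% of attempts to succeed, which is the kind of assumption the exercise asks you to find.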

### Diversity is more Important than Strength

Password is...

- Dog's name, cat's name
- Significant date, sports team
- Written under keyboard

How common a strategy is matters more than how secure it is.

### Conclusions

- Avoiding Harm ≠ Security
- Internet attackers face a sum-of-effort defense
- Avoiding harm is much less expensive than being secure
- "Thinking like an attacker" doesn't end when an attack is found.

“And then what?”
