Where Do All the Attacks Go? Dinei Florencio and Cormac Herley Microsoft Research, Redmond.
Where Do All the Attacks Go?
Dinei Florencio and Cormac Herley, Microsoft Research, Redmond
Why isn’t everyone hacked every day?
• Webroot Survey:
  – 90% share passwords across accounts
  – 41% share passwords with others
  – 20% use pet’s name as password
• Endless stream of new attacks every year
  – E.g. read LCD screens from reflections, etc.
• If things are so bad, how come they’re so good?
Traditional Threat Model
• Alice is a user
• Charles attacks
  – Phishing, keyloggers, guessing, password-reuse
  – Malware, rootkits
  – Physical side-channels, …
• Security as good as weakest link
[Figure: Charles → Attacks → Alice]
Problems with the threat model
• It is numerically impossible (2 billion users)
• At 1000:1 ratio (i.e. 2 million attackers)
• Attackers = 1/3 as many as sw developers
• US undergrad gets 50x more attention from Profs than Alice gets from Charles
• Idea that someone identifies/exploits weakest link does not scale
• Fails to explain the observations
• 20% choose dog’s name as password
• Avoiding Harm ≠ Security
A Threat Model that Scales
• Population of users
• Population of attackers
• Attacker doesn’t know you from a honeypot
• Attack when Expected{Gain} > Expected{Cost}
[Figure: Attackers Charles(j) → Attacks → Internet Users Alice(i)]
Attacks
• Alice(i) exerts effort ei(k) against Attack(k)
• Probability she succumbs: Pr{ei(k)}
  – Pr{ei(k)} monotonically decreasing with effort
• Gain to Charles(j) from Alice(i): Gi
• Cost for Attack(k), N users: Cj(N,k)
[Figure: Pr{ei(k)} decreasing in ei(k); Cost Cj(N,k) vs. # Users]
Charles(j) Expected Return Uj(k)
• So, Charles(j) gain:
  Uj(k) = (1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
  – Pr{SP}: prob. fraud detected
  – Pr{ei(k)}: prob. Alice(i) succumbs
  – Gi: gain from Alice(i)
  – Cj(N,k): cost of Attack(k) for N users
• Charles(j) selects Attack(k) that maximizes Uj(k)
Sum-of-efforts Defense
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
Sum over all attacked users of weighted efforts against Attack(k)
• Recall as ei(k) increases Pr{ei(k)} decreases
• Increasing effort from users decreases return
Followed by Best-Shot Defense
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
• Fraud detection at Service Provider: Charles(j) must evade all detection measures
So, where do all the attacks go?
Average Success Rate Too Low
• Attack unprofitable if:
(1-Pr{SP}) Σi Pr{ei(k)} Gi < Cj(N,k)
• If average success = 1/N Σi Pr{ei(k)} is too low then whole attack unprofitable.
• Even if many profitable targets exist
• Similarly, if average value too low
  – i.e. Gi small
Attackers Collide Too Often
• Recall attackers compete for vulnerable users
• Suppose Attack(k) has deterministic outcome:
  Pr{ei(k)} = 1 if ei(k) < ε
              0 otherwise
• Example: brute-force using 10 popular pwds
  – abcdef, password, 123456, password1, etc.
• Every attacker who tries succeeds in same places
• If ei(k) < ε Alice(i) ends up with M attackers in acct
  – In general share Gi with M·Pr{ei(k)} other attackers
[Figure: Alice(i) and Charles(j)]
Attack(k) too expensive (relative to alternatives)
• Attack(k’) is cheaper: Uj(k) < Uj(k’) for all attackers
• Example: real-time MITM vs. pwd stealing
Fraud Detection Too High
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
• Pr{SP} → 1 then return → 0
• Example:
  – Alice(i)’s bank detects 99% of attempted fraud
  – True protection is not Alice(i)’s effort
The Free-Rider Effect
• Suppose brute-forcing is a profitable attack
• All-but-one Internet users (finally) decide to get serious and choose strong passwords
  – Alice(i0) continues with “abcdef”
• Profitability of brute-forcing plummets
  – Alice(i0)’s risk of harm → 0 (w/o action on her part)
Choosing Your Dog’s Name as Password
• User chooses bank password = dog’s name
• Easy money, right?
• How many users have…
  – Bank password = dog’s name? Say, 1%
  – Auto discover dog’s name? Say, 1%
  – Auto discover userID? Say, 1%
• How many other Charles(j) use strategy? Say, 100
• Return is reduced by 10^8
Dog’s Name as Password
• Suppose instead:
  – 10 mins to discover dog’s name
  – 10 mins to discover userID
• Thus 20 mins on average to get 1% of accts.
  – Compete with 10 other attackers
  – Bank catches 90% of attempted fraud
• At $7.25/hour acct should be worth Gi > (10x10x100/3)x7.25 = $24200
• Suppose he makes (US min wage)/10
  – Needs: Gi > $2420/acct
• Exercise: find profitable assumptions
Domino Effect of Acct. Escalation
• Leveraging low-value accts to high
• Password re-use across accts, etc.
“One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.” Ives et al. 2004
Leverage Low-Value Account To High?
• Is this profitable on average?
• Given N webmails…
  – X% are contact email for bank
  – Y% userID can be determined automatically
  – Z% of banks email pwd reset link
  – W% the Secret Questions auto determined
• Return dramatically reduced. For example
  – 0.1 x 0.01 x 0.1 x 0.05 = 0.000005 (1 in 200,000)
  – So 5 bank accts for every million webmails
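The expected-return model Uj(k) from the slides above (sum-of-efforts over users, gain shared among colliding attackers, then the service provider's detection), the dog's-name break-even figures, and the account-escalation chain, carried through in code. This is an added example, not the authors' code: the shape of Pr{ei(k)} (exp(-effort)) and the 1000-user population are constructed assumptions; the scenario parameters are the slides' own.

```python
import math

def pr_succumb(effort):
    # Constructed Pr{e_i(k)}: monotonically decreasing, effort 0 means certain compromise.
    return math.exp(-effort)

def expected_return(efforts, gains, p_detect, cost, competitors=1):
    """U_j(k) = (1 - Pr{SP}) * sum_i Pr{e_i(k)} * G_i - C_j(N,k).
    Each user's gain is split among `competitors` colliding attackers
    (the 'Attackers Collide Too Often' slide); competitors=1 is the plain formula."""
    total = sum(pr_succumb(e) * g for e, g in zip(efforts, gains))
    return (1.0 - p_detect) * total / competitors - cost

def break_even_gain(minutes_per_attempt, success_rate, competitors, p_detect, wage):
    """Smallest per-account gain G_i at which the attack pays `wage` per hour:
    hours of effort per compromised account, priced at the wage, then scaled
    up for sharing with competitors and for the fraction of fraud the bank stops."""
    hours_per_success = minutes_per_attempt / 60.0 / success_rate
    return hours_per_success * wage * competitors / (1.0 - p_detect)

def escalation_yield(stage_rates, population):
    """Expected high-value accounts reached by chaining low-value ones:
    the starting population times the product of the per-stage fractions."""
    reached = float(population)
    for rate in stage_rates:
        reached *= rate
    return reached

if __name__ == "__main__":
    # Constructed population: 10 users exert zero effort (Pr = 1), 990 exert some.
    efforts = [0.0] * 10 + [5.0] * 990
    gains = [100.0] * 1000
    # Profitable targets exist, yet the whole attack loses money once the
    # service provider stops 90% of fraud (sum-of-efforts, then best-shot).
    print(expected_return(efforts, gains, p_detect=0.0, cost=500.0))  # positive
    print(expected_return(efforts, gains, p_detect=0.9, cost=500.0))  # negative
    # Dog's-name slide: 20 min/attempt, 1% success, 10 competitors, 90% caught.
    print(break_even_gain(20, 0.01, 10, 0.9, 7.25))       # 24166.67 (slide: ~$24200)
    print(break_even_gain(20, 0.01, 10, 0.9, 7.25 / 10))  # 2416.67 (slide: ~$2420)
    # Escalation slide: X=10%, Y=1%, Z=10%, W=5% of a million webmails.
    print(escalation_yield([0.1, 0.01, 0.1, 0.05], 1_000_000))  # 5.0
```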
Diversity is more Important than Strength
• Password is …
  – Dog’s name, cat’s name
  – Significant date, sports team
  – Written under keyboard
• How common a strategy is matters more than how secure it is
Conclusions
• Avoiding Harm ≠ Security
• Internet attackers face sum-of-effort defense
• Avoiding harm is much less expensive than being secure
• “Thinking like an attacker” doesn’t end when an attack is found.
[Figure: Alice(i) and Charles(j)]
“And then what?”