Where Do All the Attacks Go?

Dinei Florencio and Cormac Herley
Microsoft Research, Redmond
Why isn’t everyone hacked every day?
• Webroot Survey:
– 90% share passwords across accounts
– 41% share passwords with others
– 20% use pet’s name as password
• Endless stream of new attacks every year
– e.g. reading LCD screens from reflections, etc.
• If things are so bad, how come they’re so good?
Traditional Threat Model
[Figure: Charles attacks Alice]
• Alice is a user
• Charles attacks
– Phishing, keyloggers, guessing, password-reuse
– Malware, rootkits
– Physical side-channels, …
• Security as good as weakest link
Problems with the threat model
8. It is numerically impossible (2 billion users)
• At 1000:1 ratio (i.e. 2 million attackers)
• Attackers = 1/3 as many as sw developers
• US undergrad gets 50x more attention from Profs than Alice gets from Charles.
• Idea that someone identifies/exploits weakest-link does not scale.
9. Fails to explain the observations
• 20% choose dog’s name as password
• Avoiding Harm ≠ Security
A Threat Model that Scales
[Figure: a population of attackers Charles(j) attacking a population of Internet users Alice(i)]
• Population of users
• Population of attackers
• Attacker doesn’t know you from a honeypot
• Attack when Expected{Gain} > Expected{Cost}
Attacks
• Alice(i) exerts effort ei(k) against Attack(k)
• Probability she succumbs: Pr{ei(k)}
– Pr{ei(k)} monotonically decreasing with effort
• Gain to Charles(j) from Alice(i): Gi
• Cost for Attack(k), N users: Cj(N,k)
[Plots: Pr{ei(k)} against effort ei(k); Cost Cj(N,k) against # Users N]
Charles(j) Expected Return Uj(k)
So, Charles(j) gain:
Uj(k) = (1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
– Pr{SP}: prob. fraud detected (by the service provider)
– Pr{ei(k)}: prob. Alice(i) succumbs
– Gi: gain from Alice(i)
– Cj(N,k): cost of Attack(k) for N users
• Charles(j) selects Attack(k) that maximizes Uj(k)
Sum-of-efforts Defense
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
– Σi Pr{ei(k)} Gi: sum over all attacked users of weighted efforts against Attack(k)
• Recall as ei(k) increases Pr{ei(k)} decreases
• Increasing effort from users decreases return
Followed by Best-Shot Defense
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
– (1-Pr{SP}): fraud detection at Service Provider; Charles(j) must evade all detection measures
So, where do all the attacks go?
Average Success Rate Too Low
• Attack unprofitable if:
(1-Pr{SP}) Σi Pr{ei(k)} Gi < Cj(N,k)
• If average success = 1/N Σi Pr{ei(k)} is too low then whole attack unprofitable.
• Even if many profitable targets exist
• Similarly, if average value too low
– i.e. Gi small
Attackers Collide Too Often
• Recall attackers compete for vulnerable users
• Suppose Attack(k) has deterministic outcome:
Pr{ei(k)} = 1 if ei(k) < ε, 0 otherwise
• Example: brute-force using 10 popular pwds
– abcdef, password, 123456, password1, etc
• Every attacker who tries succeeds in same places
• If ei(k) < ε Alice(i) ends up with M attackers in acct
– In general share Gi with MPr{ei(k)} other attackers
Attack(k) too expensive (relative to alternatives)
• Attack(k’) is cheaper: Uj(k) < Uj(k’) for all attackers
• Example: real-time MITM vs. pwd stealing
Fraud Detection Too High
(1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)
• Pr{SP} → 1 then return → 0
• Example:
– Alice(i)’s bank detects 99% of attempted fraud
– True protection is not Alice(i)’s effort
The Free-Rider Effect
• Suppose brute-forcing is a profitable attack
• All-but-one Internet users (finally) decide to get serious and choose strong passwords
– Alice(i0) continues with “abcdef”
• Profitability of brute-forcing plummets
– Alice(i0)’s risk of harm → 0 (w/o action on her part)
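The expected-return model from the earlier slides (Uj(k) = (1-Pr{SP}) Σi Pr{ei(k)} Gi - Cj(N,k)), the deterministic threshold case from the "attackers collide" slide, and the free-rider scenario above, worked as an added example that is not part of the talk or the authors' material. The population size, per-user gain, attack cost and the exp(-e) shape of Pr{ei(k)} are assumptions chosen for illustration; the slides only require Pr{ei(k)} to be monotonically decreasing in effort.

```python
"""Toy implementation of the talk's expected-return model (added example).

Assumed: Pr{e_i(k)} = exp(-e) (any monotonically decreasing function would
do), N = 1000 users, G_i = 100 per user, C_j(N,k) = 2000, Pr{SP} = 0.5.
"""
import math


def pr_succumb(effort, threshold=None):
    """Probability that a user exerting `effort` succumbs to Attack(k).

    Default shape (assumption): exp(-effort), decreasing in effort.
    With `threshold` set, use the deterministic step function from the
    'attackers collide' slide: 1 if effort < epsilon, else 0.
    """
    if threshold is not None:
        return 1.0 if effort < threshold else 0.0
    return math.exp(-effort)


def sum_of_efforts(efforts, gains, threshold=None):
    """The Σ_i Pr{e_i(k)} G_i term: every attacked user's effort counts."""
    return sum(pr_succumb(e, threshold) * g for e, g in zip(efforts, gains))


def expected_return(efforts, gains, pr_sp, cost, threshold=None):
    """U_j(k) = (1 - Pr{SP}) * Σ_i Pr{e_i(k)} G_i - C_j(N,k).

    (1 - Pr{SP}) is the best-shot layer: as the provider's fraud
    detection Pr{SP} -> 1 the gain term vanishes and only the cost remains.
    """
    return (1.0 - pr_sp) * sum_of_efforts(efforts, gains, threshold) - cost


def average_success(efforts, threshold=None):
    """1/N * Σ_i Pr{e_i(k)}: the average success rate of the attack."""
    return sum(pr_succumb(e, threshold) for e in efforts) / len(efforts)


def is_profitable(efforts, gains, pr_sp, cost, threshold=None):
    """Attack is worth running only if U_j(k) > 0."""
    return expected_return(efforts, gains, pr_sp, cost, threshold) > 0


def free_rider_demo(n_users=1000, gain=100.0, cost=2000.0, pr_sp=0.5):
    """All-but-one users raise their effort; Alice(i0) keeps her weak password.

    Returns (return_before, return_after, alice0_pr). Alice(i0)'s own
    Pr{e} is identical in both cases; only the population changed.
    """
    gains = [gain] * n_users
    lazy = [0.1] * n_users                      # everyone weak (assumed effort)
    diligent = [5.0] * (n_users - 1) + [0.1]    # everyone strong except Alice(i0)
    before = expected_return(lazy, gains, pr_sp, cost)
    after = expected_return(diligent, gains, pr_sp, cost)
    return before, after, pr_succumb(0.1)


if __name__ == "__main__":
    before, after, alice0 = free_rider_demo()
    print(f"U_j(k) with everyone weak:        {before:10.2f}")
    print(f"U_j(k) with all-but-one strong:   {after:10.2f}")
    print(f"Alice(i0) Pr{{e}} in both cases:   {alice0:10.4f}")
```

Running it shows the attack flipping from profitable to unprofitable while Alice(i0)'s own probability of succumbing never moves: her exposure fell because the sum over the population fell, which is the point of the sum-of-efforts defense.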
Choosing Your Dog’s Name as Password
• User chooses bank password = dog’s name
• Easy money, right?
• How many users have…
– Bank password = dog’s name? Say, 1%
– Auto discover dog’s name? Say, 1%
– Auto discover userID? Say, 1%
• How many other Charles(j) use strategy? Say, 100
• Return is reduced by 10^8
Dog’s Name as Password
• Suppose instead:
– 10 mins to discover dog’s name
– 10 mins to discover userID
• Thus 20 mins on average to get 1% of accts.
– Compete with 10 other attackers
– Bank catches 90% of attempted fraud
• At $7.25/hour acct should be worth Gi > (10x10x100/3)x7.25 = $24200
• Suppose he makes (US min wage)/10
– Needs: Gi > $2420/acct
• Exercise: find profitable assumptions
Domino Effect of Acct. Escalation
• Leveraging low-value accts to high
• Password re-use across accts, etc.
“One weak spot is all it takes to open secured digital doors and online accounts causing untold damage and consequences.” Ives et al. 2004
Leverage Low-Value Account To High?
• Is this profitable on average?
• Given N webmails…
– X% are contact email for bank
– Y% userID can be determined automatically
– Z% of banks email pwd reset link
– W% the Secret Questions auto determined
• Return dramatically reduced. For example
– 0.1 x 0.01 x 0.1 x 0.05 = 0.000005 (1 in 200,000)
– So 5 bank accts for every million webmails
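The dog's-name calculations from the two slides above and the webmail-to-bank escalation chain, worked as one added example (not the authors' code). The chain model, in which each step has a pass fraction and a per-attempt time cost, is a generalization of the slides' arithmetic; the step names are mine, and every number is either a stated assumption from the slides or a constructed value labelled as such.

```python
"""Attack-chain profitability calculator (added example, not from the talk).

A chain is a list of steps; each step passes a fraction of targets and
costs the attacker some minutes per attempt. Gains are shared with the
other attackers who run the same strategy and cut by the provider's fraud
detection, as in the slides' arithmetic.
"""
from dataclasses import dataclass
from functools import reduce


@dataclass
class Step:
    name: str
    fraction: float        # fraction of attempts that pass this step
    minutes: float = 0.0   # attacker time per attempt spent on this step


def chain_yield(steps):
    """Fraction of starting targets that survive every step (the product)."""
    return reduce(lambda acc, s: acc * s.fraction, steps, 1.0)


def minutes_per_attempt(steps):
    return sum(s.minutes for s in steps)


def return_reduction(steps, competitors):
    """Factor by which the naive 'easy money' return shrinks.

    Yield of the chain, then divided by the number of attackers sharing
    each compromised account (the 'how many other Charles(j)' line).
    """
    return chain_yield(steps) / competitors


def accounts_per_hour(steps, competitors, fraud_catch_rate):
    """Accounts the attacker actually keeps per hour of effort."""
    attempts = 60.0 / minutes_per_attempt(steps)
    return attempts * chain_yield(steps) / competitors * (1.0 - fraud_catch_rate)


def breakeven_account_value(steps, competitors, fraud_catch_rate, hourly_wage):
    """Smallest G_i per account at which the attacker earns `hourly_wage`."""
    return hourly_wage / accounts_per_hour(steps, competitors, fraud_catch_rate)


def earnings_per_hour(steps, competitors, fraud_catch_rate, account_value):
    """The 'find profitable assumptions' exercise: plug in and compare to a wage."""
    return account_value * accounts_per_hour(steps, competitors, fraud_catch_rate)


# Slide 1: three 1% filters, 100 competing attackers (slide's assumptions).
DOGS_NAME_FILTERS = [
    Step("bank password is the dog's name", 0.01),
    Step("dog's name discoverable automatically", 0.01),
    Step("userID discoverable automatically", 0.01),
]

# Slide 2: 10 min per discovery, 1% of accounts, 10 competitors, 90% caught.
DOGS_NAME_TIMED = [
    Step("discover dog's name", 1.0, minutes=10),
    Step("discover userID", 1.0, minutes=10),
    Step("bank password is the dog's name", 0.01),
]

# Webmail-to-bank escalation: X, Y, Z, W as on the slide.
ESCALATION = [
    Step("webmail is contact address for a bank (X)", 0.10),
    Step("bank userID determinable automatically (Y)", 0.01),
    Step("bank emails a password-reset link (Z)", 0.10),
    Step("secret questions determinable automatically (W)", 0.05),
]

US_MIN_WAGE = 7.25  # $/hour, as used on the slide


if __name__ == "__main__":
    print("return reduction, dog's name:", return_reduction(DOGS_NAME_FILTERS, 100))
    print("breakeven G_i at min wage:   $%.0f" % breakeven_account_value(DOGS_NAME_TIMED, 10, 0.9, US_MIN_WAGE))
    print("breakeven G_i at wage/10:    $%.0f" % breakeven_account_value(DOGS_NAME_TIMED, 10, 0.9, US_MIN_WAGE / 10))
    print("escalation yield:            %g (%.0f bank accts per million webmails)"
          % (chain_yield(ESCALATION), chain_yield(ESCALATION) * 1e6))
```

Changing one assumption at a time in `earnings_per_hour` is the quickest way to do the slide's exercise: the attacker's return scales with the product of the step fractions, so the step that filters hardest dominates, and a fraud-detection rate near 1 wipes out any gain regardless of how cheap the chain is.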
Diversity is more Important than Strength
• Password is …
– Dog’s name, cat’s name
– Significant date, sports team
– Written under keyboard
• How common a strategy is matters more than how secure it is
Conclusions
• Avoiding Harm ≠ Security
• Internet attackers face sum-of-effort defense
• Avoiding harm is much less expensive than being secure
• “Thinking like an attacker” doesn’t end when an attack is found.
[Figure: Alice(i) and Charles(j)]
“And then what?”