Security

Why isn't everyone hacked every day?

Trouble befalls only a fraction of all who ply the Internet. Why is that? Michael Kassner explores the answer with a security researcher.

From my bully pulpit, I have boldly proclaimed: Like a chain, IT security is no stronger than its weakest link.

I may have to amend that decree.

Why? I just read, "Where Do All the Attacks Go?", a paper written by friend and Microsoft Principal Researcher, Cormac Herley, along with Dinei Florencio, also a Microsoft Researcher. The paper's introduction offers this hint:

"Internet security has a puzzling fact at its core. If security is only as strong as the weakest link; then all who choose weak passwords, reuse credentials across accounts, fail to heed security warnings or neglect patches and updates, should be hacked -- regularly and repeatedly.

Clearly this fails to happen."

Alrighty then. It's obvious: I have some catching up to do. Here's what Cormac had to say.

Kassner: Through our past collaborations on security research (my favorite: "Are users right in rejecting security advice?"), I've come to expect -- cherish actually -- your "outside the box" thinking. This paper appears to be more of the same, starting with you asking:

"Why isn't everyone hacked every day?"

Definitely "outside the box." What prompted you to look at this subject?

Herley: Thanks Michael, flattery will get you everywhere! I'm always interested when there's a mismatch between what we think should happen and what we observe. And the mismatch between conventional security wisdom and what is actually occurring is a perfect example.

We're told to plug every security hole if we want to protect our digital stuff. Yet, we don't. We are careless about software updates and running anti-virus. We ignore OS and browser warnings and click on links with abandon.

Let's not forget about password habits. We choose weak passwords, use common names, write them on Post-its for everyone to see, and re-use the same three or four passwords across multiple accounts.

Yet, of the two-billion people using the Internet, only 5% suffer significant harm each year. So how do 95% of us escape scot-free?

Kassner: The paper suggests the reason for the disparity is because attackers need to use a sum-of-effort approach instead of going after the weakest link. What does that mean?

Herley: Sum-of-effort means attackers need the exploit to be profitable on average across all attempts, not just in particular situations. Every attack has a cost, and no attack works 100% of the time.

To be profitable on average, you have to make enough when you succeed to cover the cost of all the times when you fail.

For example, suppose Alice uses her dog's name as the password for her bank portal. According to what we are told, her password is weak, making it an easy mark for an attacker. But, an attacker only succeeds:

  • If the username is known.
  • If he or she can figure out the dog's name.
  • The bank doesn't catch the transfer.
  • Another cyber-thief doesn't get there first.

So what percent of the time can the attacker expect to succeed? Let's say the attacker spends an hour per user, and:

  • 5% of all users choose their dog's name as the password.
  • 5% of the time, the password is determined.
  • 5% of the time, the username is figured out.

Based on that, the attacker gets into one account for every 20 x 20 x 20 = 8000 accounts attacked.

Let's say the attacker is willing to work for $7.25/hour. He needs the average compromised account to yield $7.25 x 8000 = $58,000 to meet payroll.

What if the bank catches 75% of the attacker's attempts? That means the attacker needs to get $232,000 per compromised account to meet payroll. And, we have not discussed competition from other attackers.

Even if an attacker is willing to work for 1/10th of the US minimum wage and spends 10 minutes (instead of an hour) per user, an average of $3,866 per compromised account will be needed to make payroll. So what started out looking like easy money has turned into a very difficult way to make a living.

Now consider this. If the attack is unprofitable, therefore not used, the 5% with weak passwords escape unscathed. The axiom that they're only as safe as their system's weakest link turns out to be false, because it's hard to build a profitable attack for exploiting weak passwords.

Kassner: The paper claims:

"Many attacks, while they succeed in particular scenarios, are not profitable when averaged over a large population. This is true even when many profitable targets exist and explains why so many attacks types end up causing so little actually observed harm."

I get the logic, until the next sentence:

"Thus, how common a security strategy is, matters at least as much as how weak it is."

Now, I'm lost. Help.

Herley: Sure. Let's revisit the dog's name as a password example. Suppose 50% instead of 5% choose their dog's name as a password. Now (keeping the other assumptions unchanged) the attacker succeeds one time in 800 rather than one time in 8000. The return is 10 times better, just because more people use this strategy.

So if a strategy is common and predictable, it becomes very dangerous because it becomes easier for an attacker to exploit. Leaving the house key under a flower pot is risky, mostly, because a lot of people leave the key under the flower pot. If you were the only person in the world to do so, it becomes less risky because checking under the flower pot is a waste of time for a thief since it almost never succeeds.

Basically, attackers are playing a numbers game. The more people who use "password" as their password, the better an attacker's return for trying that.
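A small Python model of the sum-of-effort arithmetic Herley walks through above (the $58,000, $232,000 and $3,866 break-even figures, and the 1-in-800 case when the dog's-name habit is ten times as common). This is an added illustration, not code from Herley's paper or from this article; the $500-per-account yield used in `main()` is a constructed value, not a measurement.

```python
"""Sum-of-effort attack economics from the interview above.

Added illustration, not code from Herley's paper or this article.
All inputs are the figures quoted in the interview; the $500 yield
used in main() is a constructed value, not a measurement.
"""
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Attack:
    hourly_wage: float          # what the attacker needs to earn per hour
    minutes_per_attempt: float  # effort spent on each target
    success_factors: tuple      # conditions that must all hold, as probabilities
    catch_rate: float = 0.0     # share of successful logins the bank catches

    @property
    def cost_per_attempt(self) -> float:
        # every attempt costs labour, whether or not it succeeds
        return self.hourly_wage * self.minutes_per_attempt / 60.0

    @property
    def p_entry(self) -> float:
        # all conditions must hold at once, so the probabilities multiply
        return prod(self.success_factors)

    @property
    def attempts_per_entry(self) -> float:
        return 1.0 / self.p_entry

    @property
    def p_paid(self) -> float:
        # getting in only pays if the bank does not reverse the transfer
        return self.p_entry * (1.0 - self.catch_rate)

    def breakeven_yield(self) -> float:
        """Dollars each paid-out compromise must return to cover all attempts."""
        return self.cost_per_attempt / self.p_paid

    def expected_profit(self, yield_per_compromise: float) -> float:
        """Expected profit per attempt for a given yield per paid-out compromise."""
        return self.p_paid * yield_per_compromise - self.cost_per_attempt


def scenarios() -> dict:
    """The four situations Herley describes, using his numbers."""
    base = (0.05, 0.05, 0.05)  # dog's-name rate, guess the name, guess the username
    return {
        "base": Attack(7.25, 60, base),
        "bank_catches_75pct": Attack(7.25, 60, base, catch_rate=0.75),
        "cheap_labor": Attack(0.725, 10, base, catch_rate=0.75),
        # same attack, but half of all users pick the dog's name
        "common_password": Attack(7.25, 60, (0.50, 0.05, 0.05)),
    }


def main() -> None:
    for name, atk in scenarios().items():
        print(f"{name:20s} 1 in {atk.attempts_per_entry:8.0f}  "
              f"break-even ${atk.breakeven_yield():12,.2f}/account  "
              f"E[profit] at $500/account: ${atk.expected_profit(500):8.2f}")


if __name__ == "__main__":
    main()
```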

Kassner: I tried to get through the math -- failed miserably. I'll let math geeks check out your work. Is it possible for you to briefly explain your conclusions?

Herley: Stealing is like any other economic activity. Things have to succeed on average, not just when circumstances are favorable. Meaning, the attacker pays a price for every attempt, but gets a return only when the attack succeeds. If each attempt costs $1, but succeeds only 0.1% of the time, then each success will have to bring in $1000 just to break even. Attacks that have low success rates can have challenging economics.

Kassner: Am I correct: You are concerned that security pundits are "crying wolf", because they are using the wrong modeling approach?

Herley: I'm not sure I'd characterize it as "crying wolf", which makes it sound like there's a desire to deceive. Security people are trained to look for weaknesses, and see what can happen when things go wrong. So it's natural to want to warn people. At the same time, I think we have to acknowledge that two billion people are using the Internet, and in spite of poor security practices, most have positive Internet experiences.

"Think like an attacker" is an oft-repeated mantra among security pundits. But to my mind, it is seldom followed all the way through. Thinking like an attacker doesn't end when you find an attack or an exploit, unless you're only interested in it as an intellectual exercise.

If you're interested in the total effect an attack will have, you must continue, just as an attacker would continue, and figure out how the exploit can be used to turn a profit. That means not just looking for vulnerabilities and spotting when things can go wrong, but figuring out how much an attack costs and how often it can succeed. An attacker certainly has to think that through, and it's lazy of us to skip that part of the analysis.

Kassner: Now the tough question. Do you have advice for us users when it comes to security advice?

Herley: I want to be clear. Our goal in this paper is to explain the mismatch between prediction and observation. While I use it as an example, I definitely do not recommend people use their dog's name as a password!

You do not want to be part of a group having vulnerabilities that are easy to predict and exploit. What advice to give is a tough question. My answer isn't that different from what others have offered. One thing I might add -- definitely avoid being predictable.

Final thoughts

I guess we should consider ourselves fortunate. Most Internet bad guys are all about turning a profit. If other motives were involved, I think we'd be in trouble. Or, to put it another way, we may be low-hanging fruit, but we are not worth the effort.

A big thanks to Dr. Cormac Herley for his insightful answers.


121 comments
Dethpod

Hackers really don't care about people like me. I mean we don't even have enough money to buy an OS for farks sake.

HAL 9000

There simply are not enough Crackers to go around and hit everyone every time they open their unprotected systems. From what I read there are numerous reasons why the Cracking Community does what it does. Only some of those are for Financial Gain, some are for Bragging Rights, and most seem to be to get even with the companies that people feel have hurt them. Cracking Sony wasn't mainly done for Financial Gain but to Hit Sony for what it's done to its customers, if the reports are to be believed. Some believe that people have to be protected from themselves, so if the Sony Crack/Attack is anything to go by, far more people were Hit by a Cracker than most accept, even if all that data came from Sony, who has proved their complete inability to do what they say they will. ;) Col

PReinie

I temporarily hooked a computer directly to the cable modem (bypassing any security the router provided) and monitored the traffic for a while with Ethereal (back when it was called that), just to see what was going on (because the "activity" LED on the modem kept flashing even when all the computers were off). By far the most traffic was from the cable company sending out "are you there" packets for all sorts of IP addresses that weren't mine. Granted, attackers just may not have been personally on-line, but there didn't even seem to be any bots out there - at the time. On a separate note - try this for the flower pot key. It's a deception. Go to the hardware store and ask for a discarded key (or a mis-cut) that matches the key "blank" you use. (Blanks are what you cut a working key from.) Make sure it goes into the lock but won't turn. (Don't use a blank - it's too obvious.) Put that key under the flower pot. (If you want, put a proper duplicate key that does open the door somewhere else.) The bad key will keep the attacker busy and they'll likely leave - just like the hacker that can't get in with simple access. It just isn't worth it. For burglars, the more time they spend the more likely they'll get caught. (A problem with this idea is if the burglar turns the fake key so hard it breaks off in the lock.) (A second or third lock would also help.) For passwords, like the above, use something that the checkers say is strong, something you can remember - but a deception. You can use the dog's name to remember the password, but you have to modify it a bit - or a lot. Use caps in different places other than the initial capital. Make it long - give the dog a first and middle name or a phrase ("stupid.hereStupidxYz098" - Steve Martin). Use other names you call the dog and append them. Put numbers in some positions. Have fun with it!

Slayer_

Somehow they managed to delete every EXE file on my C drive (left the D and E drives alone) that did not have a publisher listed as Microsoft; essentially, every non-Microsoft exe got deleted. The system still booted, but that was a pain. I still ran it for several more years before I finally got around to reinstalling the OS. There was never any trace of a virus on it, and it never happened again. This was about 5 years ago now.

RobertFL

I have to admit, like many here I am sure, I manage networks. I do it for a living and am Self Employed. The idea of being hacked makes my stomach turn, as I take pride in my work, so I try to stay on top of things and I am one that actually looks at the log files. However, with the recent hacks at will, and even with notice, of these high profile networks, it does make me wonder. These high profile networks have, by comparison to my own, unlimited IT budgets. They have all the bells and whistles when it comes to protection and these hackers are walking all over them as if they already had domain admin access. It worries me, as I have my own set of security tricks, but I am also on a tight budget and have to protect my own networks with minimal investment. If these hackers can walk all over these high profile networks like they do, then really what is stopping them from walking all over the ones I take care of??? I do not have the high end security measures in place, but somehow I have managed to keep the networks I take care of out of the spotlight. Aside from the Hershey's chocolate recipe change, it seems none of these high profile networks were for profit, although it did cost the companies money, as in the case with the so many Sony hacks. This topic does need to be looked at better to understand why more are not hacked, but from what I have read I am not sure we are on the right track. Sorry to say, however, I do not know what the right track is. What I do know is high profile networks are being walked all over. I also know there are way too many systems that do not stay current with updates and they are not hacked. Sure, many will be click happy and have spyware from heck on their systems, but that is user fault and not actually being hacked. Claim to fame hacking is still very strong today, even though we are taught only script kiddies do this while they strengthen their skills to become full time hackers where it's done for profit.
I'm not seeing a lot of for profit, but do see the claim to fame hacks. We should be seeing more hacks. A lot more, based on how easy it has been to walk all over the high profile networks with huge IT budgets. I think the question of why aren't we seeing more is still very good and unanswered. I doubt we would get the true answer, but it seems only those doing the hacking could answer. Anyone have any contacts at Lulzsec or Anonymous? - A valid unanswered question needs to be answered with accuracy. Otherwise, I feel we are all sitting ducks no matter how high we attempt to be on the fruit tree. Rob

sbarsanescu

Managing security (from an end-user perspective) only for a stand-alone is challenging for most people. Even techies don't understand the vast amount of processes working at a given time on the average PC. Sure, a virus scanner, a FW and malware scanner could help. But would they, really? For 0-day, all of these are largely useless (some help might come from heuristics). A firewall is really a patch to protect lousy apps. Most attacks nowadays base themselves (as the article points out) on predictable behavior - Facebook, net surfing, downloads. These can't really be protected with a FW. And once a system is rooted (with a clever rootkit) the inherent complexity as well as obscurity of the OS and apps prevent even savvy users from restoring without a re-image. Why fingerprinting is not implemented in major OS as a standard feature is beyond me. MS is getting better at it - signing a lot of services - but it is cumbersome to ensure that one is only running signed apps and services. And then... remember, we're only talking about client software here. Do we really know how safe the online information we are now eagerly uploading is? I guess the main change we should contemplate here is - in the past, the real worry was the system, and its safety. In today's world, we should strive to ensure that data is adequately protected, ideally remaining protected even if the system is compromised. Just my 2 cents...

Brian.Buydens

One factor left out of the discussion, and perhaps why sysadmins are more concerned about good passwords than users are, is that the numbers game goes against them. If weak passwords cause a 1% chance of a compromised machine but the sysadmin is administering 1000 machines, they can expect 10 of them on average to be compromised. These 10 give a hacker a good chance to sniff around the network to see if there is anything interesting.

Timbo Zimbabwe

"Stealing is like any other economic activity. Things have to succeed on average, not just when circumstances are favorable. Meaning, the attacker pays a price for every attempt, but gets a return only when the attack succeeds." Bingo, the law of averages! This is such a simple concept that it often gets overlooked. This is why something as mundane, yet annoying, as changing your password matters. This increases the odds in your favor. Add any other options to your security to increase the odds. Security is not absolute and it's ALWAYS a moving target; keep yours moving and you make yourself a hard target. As always, Michael, you provide information that is in-depth in the concept, easy to understand and not merely a "security by the numbers" story. Thanks again!

lshanahan

Unless I miss my guess, it appears the research is pointing towards an evolution of the hacking paradigm. There's a lot of talk about ROI for hacking, but what that "return" is could vary quite a bit. The most obvious case being the difference between criminal hacking - to actually obtain or possibly destroy something of value belonging to someone else whether it be money or intellectual property or someone else's secrets - and the somewhat stereotypical "mountain climber" hacker - they do it because it is there and they want to prove themselves. Feel free to add your own motivations but I think ultimately they're going to fall on the continuum between those two. Those motivations are going to greatly influence how much and what type of "investment" - monetary or otherwise - a hacker is going to put toward a given effort and therefore the type and amount of a "return" they are willing to accept (or maybe it's the other way around, but in the end the effect is the same). Also factor in the differences between finding a new, unknown vulnerability, making use of existing exploits for well-known vulnerabilities and finding new ways to exploit known vulnerabilities. So for purely criminal hacking, an economic (read: dollars-and-cents) investment vs return model makes sense, but I wonder how the non-economic motivations play into the analysis?

Polly333

I work from home using my Laptop and in the past have unfortunately been a target of online scams. In the process of finding out who and where these people operate, I have never seen any females mentioned in the perpetration of these crimes.

rafamd

Everybody isn't hacked every day for the same reason thieves don't break into our homes daily. Our homes aren't fortresses either, and we aren't regularly robbed because thieves are a minority and know that they can be caught anytime. It doesn't mean that we don't need to care about security, but that there are far more people vulnerable than people hacking or burgling. We may be a victim someday, so we'd better be careful. But our weaknesses will hardly be explored every day.

fvazquez

One thing that makes getting other people's info possible is ghost sites, where people think that registering is going to get them something or somewhere, let's say an email account: the user fills in the registration form and leaves precious data, because almost certainly this user is going to use the same data in other accounts. I think that if one hasn't been hacked it doesn't mean one isn't going to be in the (near) future; it's just a matter of time... What I'm saying is that hackers don't just hack passwords, first there's gotta be a user name, and user lists help getting both. Try registering less and obviously the chance of you getting hacked is going to be considerably less...

smankinson

Isn't 5 percent still a lot of people or companies? I agree the attacks are random in a user-oriented sense, but I always thought a certain amount were pre-determined targets? Most hacking stuff I have read seemed to have little to do with money. I guess this reflects what the article is saying. If money was to be made, there would be a lot more hacking. Good article.

bornbyforce

More than anything else! All through the article I was thinking this "business" view only works if it works as a business, which it doesn't necessarily. Look at the recent Google hacks in certain countries. Of the hundreds of thousands of security breaches, none had anything to do with money. And the attack was far more sophisticated than just exploiting the low hanging fruit. I would rather change your sentence to "When other motives are involved, I think we'll be in trouble." That day will certainly come in my view.

Mr. Fix

The analogy is valid only if you can make the assumption, not true here, that the said chain will only fail when stressed in one direction and basically ON ITS OWN, with no other external forces involved. Include an army of attackers, all armed with sledgehammers, axes, acetylene torches, and every other imaginable tool of destruction, each competing against time and one another to either chance upon OR CREATE vulnerabilities in the chain if they have to, and exploit them before being caught at it, and you may have a truer analogy.

caandal

Has anyone done a study on Hackers and why they hack?

caandal

I think that there is another thing that is overlooked in the hacking scenario, and that is that large corporates like the Microsofts, Chryslers and the like of this world are a target because of who they are; they are a challenge to the hacker who does not care about money but rather the esteem of his/her peers. They are also potentially targeted for IP that can be sold for a lot of money. I would say that because they would make up the bulk of the small minority that gets hacked, the average Joe/Small to medium sized business has even less chance of being hacked.

JonathanJ2

There's just so much FUD from everyone who works in the security space. This explanation makes sense to me: it's not as easy as it looks to turn a vulnerability into cash.

Shadeburst

When wireless first came out I made a fair living installing wireless in home PCs. To demonstrate why I was worth my fee I would hack into nearby wireless networks using tools freely downloadable from the Net. The first place to go would be the neighbor's Pictures folders, which often contained compromising pix of his wife! But if I was clever (and evil) enough I would have written a bot hacker which searched millions of accounts daily, looking for someone with money. Why would a hacker think in terms of hourly rate when you can employ tools which work while you're sleeping? The success of the Nigerian 416 scams shows that the very rich are just as vulnerable as the rest of us.

AnsuGisalas

That one really puts that aspect of it into perspective. This is an interesting angle. Not that it means I'd feel comfortable counting on not being singled out... Also, it doesn't cover the botnet business... the botmasters have a definite gain from every single successful infection, and even if other attacks prove unprofitable, they can always sell the botpower for SEO purposes... like spamming TR.

Spitfire_Sysop

How would anyone know that you exist on the internet? You would have to visit a compromised website or post something publicly. I would imagine that entering in banking information would be the most likely way that someone would want to intercept your data. This is why you don't want to do your banking from a public wifi. If, for example, I only used the internet to read this website (Techrepublic) then this website would have to be itself compromised to expose more information than I give out about myself. But then what? I think that "hacking" is more difficult than most realize. I install programs on my computer occasionally and have trouble getting them to work. Conflicts with my other hardware and software are pretty common. It would be even more difficult to get something to work remotely on a system where you cannot be sure of all of the software and hardware that they are running.
