
Why isn't everyone hacked every day?

Trouble befalls only a fraction of all who ply the Internet. Why is that? Michael Kassner explores the answer with a security researcher.

From my bully pulpit, I have boldly proclaimed: Like a chain, IT security is no stronger than its weakest link.

I may have to amend that decree.

Why? I just read, "Where Do All the Attacks Go?", a paper written by friend and Microsoft Principal Researcher, Cormac Herley, along with Dinei Florencio, also a Microsoft Researcher. The paper's introduction offers this hint:

"Internet security has a puzzling fact at its core. If security is only as strong as the weakest link; then all who choose weak passwords, reuse credentials across accounts, fail to heed security warnings or neglect patches and updates, should be hacked -- regularly and repeatedly.

Clearly this fails to happen."

Alrighty then. It's obvious: I have some catching up to do. Here's what Cormac had to say.

Kassner: Through our past collaborations on security research (my favorite: "Are users right in rejecting security advice?"), I've come to expect -- cherish actually -- your "outside the box" thinking. This paper appears to be more of the same, starting with you asking:

"Why isn't everyone hacked every day?"

Definitely "outside the box." What prompted you to look at this subject?

Herley: Thanks Michael, flattery will get you everywhere! I'm always interested when there's a mismatch between what we think should happen and what we observe. And the mismatch between conventional security wisdom and what is actually occurring is a perfect example.

We're told to plug every security hole if we want to protect our digital stuff. Yet, we don't. We are careless about software updates and running anti-virus. We ignore OS and browser warnings and click on links with abandon.

Let's not forget about password habits. We choose weak passwords, use common names, write them on Post-its for everyone to see, and re-use the same three or four passwords across multiple accounts.

Yet, of the two-billion people using the Internet, only 5% suffer significant harm each year. So how do 95% of us escape scot-free?

Kassner: The paper suggests the reason for the disparity is that attackers need to use a sum-of-effort approach instead of going after the weakest link. What does that mean?

Herley: Sum-of-effort means attackers need the exploit to be profitable on average across all attempts, not just in particular situations. Every attack has a cost, and no attack works 100% of the time.

To be profitable on average, you have to make enough when you succeed to cover the cost of all the times when you fail.

For example, suppose Alice uses her dog's name as the password for her bank portal. According to what we are told, her password is weak, making it an easy mark for an attacker. But, an attacker only succeeds:

  • If the username is known.
  • If he or she can figure out the dog's name.
  • The bank doesn't catch the transfer.
  • Another cyber-thief doesn't get there first.

So what percent of the time can the attacker expect to succeed? Let's say the attacker spends an hour per user, and:

  • 5% of all users choose their dog's name as the password.
  • 5% of the time, the password is determined.
  • 5% of the time, the username is figured out.

Based on that, the attacker gets into one account for every 20 × 20 × 20 = 8000 accounts attacked.

Let's say the attacker is willing to work for $7.25/hour. He needs the average compromised account to yield $7.25 × 8000 = $58,000 to meet payroll.

What if the bank catches 75% of the attacker's attempts? That means the attacker needs to get $232,000 per compromised account to meet payroll. And, we have not discussed competition from other attackers.

Even if an attacker is willing to work for 1/10th of the US minimum wage and spends 10 minutes (instead of an hour) per user, an average of $3,866 per compromised account will be needed to make payroll. So what started out looking like easy money has turned into a very difficult way to make a living.

Now consider this. If the attack is unprofitable, therefore not used, the 5% with weak passwords escape unscathed. The axiom that they're only as safe as their system's weakest link turns out to be false, because it's hard to build a profitable attack for exploiting weak passwords.

Kassner: The paper claims:

"Many attacks, while they succeed in particular scenarios, are not profitable when averaged over a large population. This is true even when many profitable targets exist and explains why so many attacks types end up causing so little actually observed harm."

I get the logic, until the next sentence:

"Thus, how common a security strategy is, matters at least as much as how weak it is."

Now, I'm lost. Help.

Herley: Sure. Let's revisit the dog's name as a password example. Suppose 50% instead of 5% choose their dog's name as a password. Now (keeping the other assumptions unchanged) the attacker succeeds one time in 800 rather than one time in 8000. The return is 10 times better, just because more people use this strategy.

So if a strategy is common and predictable, it becomes very dangerous because it becomes easier for an attacker to exploit. Leaving the house key under a flower pot is risky, mostly, because a lot of people leave the key under the flower pot. If you were the only person in the world to do so, it becomes less risky because checking under the flower pot is a waste of time for a thief since it almost never succeeds.

Basically, attackers are playing a numbers game. The more people who use 'password' as their password, the better an attacker's return for trying that.

Kassner: I tried to get through the math -- failed miserably. I'll let math geeks check out your work. Is it possible for you to briefly explain your conclusions?

Herley: Stealing is like any other economic activity. Things have to succeed on average, not just when circumstances are favorable. Meaning, the attacker pays a price for every attempt, but gets a return only when the attack succeeds. If each attempt costs $1, but succeeds only 0.1% of the time, then each success will have to bring in $1000 just to break even. Attacks that have low success rates can have challenging economics.

Kassner: Am I correct: You are concerned that security pundits are "crying wolf", because they are using the wrong modeling approach?

Herley: I'm not sure I'd characterize it as "crying wolf", which makes it sound like there's a desire to deceive. Security people are trained to look for weaknesses, and see what can happen when things go wrong. So it's natural to want to warn people. At the same time, I think we have to acknowledge that two billion people are using the Internet, and in spite of poor security practices, most have positive Internet experiences.

"Think like an attacker" is an oft-repeated mantra among security pundits. But to my mind, it is seldom followed all the way through. Thinking like an attacker doesn't end when you find an attack or an exploit, unless you're only interested in it as an intellectual exercise.

If you're interested in the total effect an attack will have, you must continue, just as an attacker would continue, and figure out how the exploit can be used to turn a profit. That means not just looking for vulnerabilities and spotting when things can go wrong, but figuring out how much an attack costs and how often it can succeed. An attacker certainly has to think that through, and it's lazy of us to skip that part of the analysis.

Kassner: Now the tough question. Do you have advice for us users when it comes to security advice?

Herley: I want to be clear. Our goal in this paper is to explain the mismatch between prediction and observation. While I use it as an example, I definitely do not recommend people use their dog's name as a password!

You do not want to be part of a group having vulnerabilities that are easy to predict and exploit. What advice to give is a tough question. My answer isn't that different from what others have offered. One thing I might add -- definitely avoid being predictable.
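The arithmetic Herley walks through above (one success in 8000, $58,000 break-even, $232,000 once the bank catches 75% of transfers, $3,866 at a tenth of minimum wage and ten minutes per user, and the 10× swing when 50% rather than 5% of users pick the dog's name) is easy to lose track of when done by hand. The following Python is an added worked example; it is not code from the article or from the Herley and Florencio paper. It generalizes the interview's illustration to any list of independent hurdles an attacker has to clear: the hurdle probabilities and wages are the interview's assumed figures, and the $1,000 average haul in the demo is a constructed value, not measured data.

```python
"""Sum-of-effort attacker economics: what one success must pay for all the failures.

Added worked example, not from the article or the Herley/Florencio paper.
Hurdle probabilities and wages are the interview's assumed figures; the
$1,000 haul used in main() is a constructed illustration.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass
class AttackScenario:
    """One mass attack strategy, costed per attempt."""
    name: str
    hurdles: Dict[str, float]   # hurdle -> probability the attacker clears it
    hourly_wage: float          # what the attacker's time costs, in dollars
    minutes_per_attempt: float  # time spent per targeted user

    def success_rate(self) -> float:
        # Hurdles are assumed independent, so they multiply: every extra hurdle
        # (bank detection, competition, ...) shrinks the average return.
        rate = 1.0
        for p in self.hurdles.values():
            rate *= p
        return rate

    def cost_per_attempt(self) -> float:
        return self.hourly_wage * self.minutes_per_attempt / 60.0

    def attempts_per_success(self) -> float:
        return 1.0 / self.success_rate()

    def break_even_yield(self) -> float:
        """Average haul one success must deliver to cover every failed attempt."""
        return self.cost_per_attempt() * self.attempts_per_success()

    def expected_profit_per_attempt(self, haul_per_success: float) -> float:
        """Positive means the strategy is worth running at that average haul."""
        return self.success_rate() * haul_per_success - self.cost_per_attempt()


# The interview's dog's-name example: three independent 5% hurdles.
DOGNAME_HURDLES = {
    "user chose dog's name": 0.05,
    "attacker guesses the dog's name": 0.05,
    "attacker learns the username": 0.05,
}

BASELINE = AttackScenario("dog's name, $7.25/h, 1 h per user", DOGNAME_HURDLES, 7.25, 60)
WITH_BANK_DETECTION = AttackScenario(
    "... plus bank catches 75% of transfers",
    {**DOGNAME_HURDLES, "bank misses the transfer": 0.25}, 7.25, 60)
CHEAP_LABOUR = AttackScenario(
    "... at 1/10 minimum wage, 10 min per user",
    {**DOGNAME_HURDLES, "bank misses the transfer": 0.25}, 0.725, 10)
COMMON_STRATEGY = AttackScenario(
    "50% of users choose the dog's name",
    {**DOGNAME_HURDLES, "user chose dog's name": 0.50}, 7.25, 60)
# The "$1 per attempt, 0.1% success" example: $60/h for one minute is $1 a try.
DOLLAR_A_TRY = AttackScenario("$1 per attempt, 0.1% success", {"attack succeeds": 0.001}, 60.0, 1)


def prevalence_multiplier(rare: AttackScenario, common: AttackScenario) -> float:
    """How much better the return gets purely because more people use the weak strategy."""
    return common.success_rate() / rare.success_rate()


def main() -> None:
    haul = 1000.0  # constructed average haul per compromised account
    for s in (BASELINE, WITH_BANK_DETECTION, CHEAP_LABOUR, COMMON_STRATEGY, DOLLAR_A_TRY):
        print(f"{s.name:45s} 1 in {s.attempts_per_success():>8,.0f}  "
              f"break-even ${s.break_even_yield():>12,.2f}  "
              f"profit/attempt at ${haul:,.0f}: ${s.expected_profit_per_attempt(haul):+.4f}")
    print(f"50% vs 5% prevalence: return x{prevalence_multiplier(BASELINE, COMMON_STRATEGY):.0f}")


if __name__ == "__main__":
    main()
```

Run it as a script to see the table; the break-even column reproduces the $58,000, $232,000 and $3,866.67 figures from the interview, and the last line shows the prevalence effect: the common strategy is ten times more rewarding to try with nothing else changed. The sign of `expected_profit_per_attempt` is the defender's lever: raising any hurdle's failure rate (detection, rate limiting, not being predictable) pushes it negative for a whole class of attack, which is the paper's explanation for why weak-but-uncommon habits go unexploited.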

Final thoughts

I guess we should consider ourselves fortunate. Most Internet bad guys are all about turning a profit. If other motives were involved, I think we'd be in trouble. Or, to put it another way, we may be low-hanging fruit, but we are not worth the effort.

A big thanks to Dr. Cormac Herley for his insightful answers.


119 comments
Dethpod

Hackers really don't care about people like me. I mean we don't even have enough money to buy an OS for farks sake.

HAL 9000

There simply are not enough Crackers to go around and hit everyone every time they open their unprotected systems. From what I read there are numerous reasons why the Cracking Community does what it does. Only some of those are for Financial Gain, some are for Bragging Rights and most seem to be to get even with the companies that people feel have hurt them. Cracking Sony wasn't mainly done for Financial Gain but to Hit Sony for what it's done to its customers if the reports are to be believed. Some believe that people have to be protected from themselves so if the Sony Crack/Attack is anything to go by far more people were Hit by a Cracker than most accept, even if all that data came from Sony who has proved their complete inability to do what they say they will. ;) Col

PReinie

I temporarily hooked a computer directly to the cable modem (bypassing any security the router provided) and monitored the traffic for a while with Ethereal (back when it was called that), just to see what was going on (because the "activity" LED on the modem kept flashing even when all the computers were off). By far the most amount of traffic was from the cable company sending out "are you there" packages for all sorts of IP addresses that weren't mine. Granted, attackers just may not have been personally on-line, but there didn't even seem to be any bots out there - at the time. On a separate note - try this for the flower pot key. It's a deception. Go to the hardware store and ask for a discarded key (or a miss-cut) that matches the key "blank" you use. (Blanks are what you cut a working key from.) Make sure it goes into the lock but won't turn. (Don't use a blank - it's too obvious.) Put that key under the flower pot. (If you want, put a proper duplicate key that does open the door somewhere else.) The bad key will keep the attacker busy and they'll likely leave - just like the hacker that can't get in with a simple access. It just isn't worth it. For burglars, the more time they spend the more likely they'll get caught. (A problem with this idea is if the burglar turns the fake key so hard it breaks off in the lock.) (A second or third lock would also help.) For passwords, like the above, use something that the checkers say is strong, something you can remember - but a deception. You can use the dog's name to remember the password, but you have to modify it a bit - or a lot. Use caps in different places other than the initial capital. Make it long - give the dog a first and middle name or a phrase ("stupid.hereStupidxYz098 - Steve Martin). Use other names you call the dog and append them. Put numbers in some positions. Have fun with it!

Slayer_

Somehow they managed to delete every EXE file on my C drive (left the D and E drives alone) that did not have a publisher listed as Microsoft, essentially, every non Microsoft exe got deleted. The system still booted but that was a pain, I still ran it for several more years before I finally got around to reinstalling the OS. There was never any trace of a virus on it, and it never happened again. This was about 5 years ago now.

RobertFL

I have to admit, like many here I am sure, I manage networks. I do it for a living and am Self Employed. The idea of being hacked makes my stomach turn as I take pride in my work so I try to stay on top of things and I am one that actually looks at the log files. However, with the recent hacks at will and even with notice of these high profile networks, it does make me wonder. These high profile networks have, in comparison to my own, unlimited IT budgets. They have all the bells and whistles when it comes to protection and these hackers are walking all over them as if they already had domain admin access. It worries me as I have my own set of security tricks, but I am also on a tight budget and have to protect my own networks with minimal investment. If these hackers can walk all over these high profile networks like they do, then really what is stopping them from walking all over the ones I take care of? I do not have the high end security measures in place, but somehow I have managed to keep the networks I take care of out of the spotlight. Aside from the Hershey's chocolate recipe change it seems none of these high profile networks were for profit although it did cost the companies money as in the case with the so many Sony hacks. This topic does need to be looked at better to understand why more are not hacked, but from what I have read I am not sure we are on the right track. Sorry to say however, I do not know what the right track is. What I do know is high profile networks are being walked all over. I also know there are way too many systems that do not stay current with updates and they are not hacked. Sure, many will be click happy and have spyware from heck on their systems but that is user fault and not actually being hacked. Claim to fame hacking is still very strong today even though we are taught only script kiddies do this while they strengthen their skills to become full time hackers where it's done for profit.
I'm not seeing a lot of for profit, but do see the claim to fame hacks. We should be seeing more hacks. A lot more based on how easy it has been to walk all over the high profile networks with huge IT budgets. I think the question of why aren't we seeing more is still very good and unanswered. I doubt we would get the true answer, but it seems only those doing the hacking could answer. Anyone have any contacts at Lulzsec or Anonymous? - A valid unanswered question needs to be answered with accuracy. Otherwise, I feel we are all sitting ducks no matter how high we attempt to be on the fruit tree. Rob

sbarsanescu

Managing security (from an end-user perspective) only for a stand-alone is challenging for most people. Even techies don't understand the vast amount of processes working at a given time on the average PC. Sure, a virus scanner, a FW and malware scanner could help. But would they, really? For 0-day, all of these are largely useless (some help might come from heuristics). A firewall is really a patch to protect lousy apps. Most attacks nowadays base themselves (as the article points out) on predictable behavior - Facebook, net surfing, downloads. These can't really be protected with a FW. And once a system is rooted (with a clever rootkit) the inherent complexity as well as obscurity of the OS and apps prevent even savvy users from restoring without a re-image. Why fingerprinting is not implemented in major OS as a standard feature is beyond me. MS is getting better at it - signing a lot of services but it is cumbersome to ensure that one is only running signed apps and services. And then... remember, we're only talking about client software here. Do we really know how safe the online information we are now eagerly uploading is safe? I guess the main change we should contemplate here is - in the past, the real worry was the system, and its safety. In today's world, we should strive to ensure that data is adequately protected, ideally remaining protected even if the system is compromised. Just my 2 cents...

Brian.Buydens

One factor left out of the discussion, and perhaps why sysadmins are more concerned about good passwords than users are, is that the numbers game goes against them. If weak passwords cause a 1% chance of a compromised machine but the sysadmin is administering 1000 machines they can expect 10 of them on average to be compromised. These 10 give a hacker a good chance to sniff around the network to see if there is anything interesting.

Timbo Zimbabwe

"Stealing is like any other economic activity. Things have to succeed on average, not just when circumstances are favorable. Meaning, the attacker pays a price for every attempt, but gets a return only when the attack succeeds." Bingo, the law of averages! This is such a simple concept that it often gets overlooked. This is why something as mundane, yet annoying, is changing your password. This increases the odds in your favor. Add any other options to your security to increase the odds. Security is not absolute and it's ALWAYS a moving target; keep yours moving and you make yourself a hard target. As always, Michael, you provide information that is in-depth in the concept, easy to understand and not merely a "security by the numbers" story. Thanks again!

lshanahan

Unless I miss my guess, it appears the research is pointing towards an evolution of the hacking paradigm. There's a lot of talk about ROI for hacking, but what that "return" is could vary quite a bit. The most obvious case being the difference between criminal hacking - to actually obtain or possibly destroy something of value belonging to someone else whether it be money or intellectual property or someone else's secrets - and the somewhat stereotypical "mountain climber" hacker - they do it because it is there and they want to prove themselves. Feel free to add your own motivations but I think ultimately they're going to fall on the continuum between those two. Those motivations are going to greatly influence how much and what type of "investment" - monetary or otherwise - a hacker is going to put toward a given effort and therefore the type and amount of a "return" they are willing to accept (or maybe it's the other way around, but in the end the effect is the same). Also factor in the differences between finding a new, unknown vulnerability, making use of existing exploits for well-known vulnerabilities and finding new ways to exploit known vulnerabilities. So for purely criminal hacking, an economic (read: dollars-and-cents) investment vs return model makes sense, but I wonder how the non-economic motivations play into the analysis?

Polly333

I work from home using my Laptop and in the past have unfortunately been a target of on line scams. In the process of finding out who and where these people operate, I have never seen any females mentioned in the perpetration of these crimes.

rafamd

Everybody isn't hacked every day for the same reason thieves don't break into our homes daily. Our homes aren't fortresses either, and we aren't regularly robbed because thieves are a minority and know that they can be caught anytime. It doesn't mean that we don't need to care about security, but that there are far more people vulnerable than people hacking or burgling. We may be a victim someday, so we'd better be careful. But hardly will our weaknesses be explored every day.

fvazquez

One thing that makes getting other people's info easy is ghost sites, where people think that registering is going to get them something or somewhere, let's say an email account: the user fills in the registration form and leaves precious data because almost certainly this user is going to use the same data in other accounts. I think that if one hasn't been hacked it doesn't mean one isn't going to be in the (near) future, it's just a matter of time... What I'm saying is that hackers don't just hack passwords, first there's gotta be a user name, and user lists help with getting both. Try registering less and obviously the chance of you getting hacked is going to be considerably less...

smankinson

Isn't 5 percent still a lot of people or companies? I agree the attacks are random in a user-oriented sense, but I always thought a certain amount were pre-determined targets? Most Hacking stuff I have read seemed to have little to do with money. I guess this reflects what the article is saying. If money was to be made, there would be a lot more hacking. Good article.

bornbyforce

More than anything else! I was all the article thinking this "business" view only works if it works as a business which it doesn't necessarily. Look at the recent Google hacks in certain countries. The hundreds of thousands of security breaches none had anything to do with money. And the attack was far more sophisticated than to just exploit the low hanging fruit. I would rather change your sentence to "When other motives are involved, I think we'll be in trouble." That day will certainly come in my view.

Mr. Fix

The analogy is valid only if you can make the assumption, not true here, that the said chain will only fail when stressed in one direction and basically ON ITS OWN, with no other external forces involved. Include an army of attackers, all armed with sledgehammers, axes, acetylene torches, and every other imaginable tool of destruction, each competing against time and one another to either chance upon OR CREATE vulnerabilities if they have to in the chain and exploit them before being caught at it and you may have a truer analogy.

Papa_Bill

HoHoHoHo... why am i laffing? Tain't funny. Tain't funny at all. dammit.

JCitizen

You don't blue-tooth it with Android. Since open source mobile platforms have become popular, many of the experts in Linux varieties have been admitting they are taking a new look at their own favorite distros. The new low hanging fruit will probably be the newbie Linux user on Ubuntu, with an Android device practically tethered to the PC. It is already a fact that iPhones and their Mac users are already getting pwned. There is a new banking Trojan that works with Macs, and iPhones are a favorite vector.

Michael Kassner

But, research points to financial motivation as the overwhelming favorite reason for compromising computers.

apotheon

With your key blank example, you're basically advocating for security through obscurity. Unfortunately, that's not real security. Let's say you go to the trouble of doing exactly what you describe. Now let's say you haven't done anything else to secure the door -- no deadbolt, no steel-core door, no alarms, and so on. The hinges are even basically just screwed into drywall. A would-be burglar shows up. Hopefully, he'll find the key under the flower pot and waste time on that, then give up. Right? Unfortunately, this burglar doesn't even bother looking for the key under the flower pot. He raises his foot and kicks the door. It comes off its hinges due to poor construction. No alarm sounds, the door flies open, and he walks right in. When you come home, $2K of stereo equipment is gone.

seanferd

No, I'm not joking, either. I had 95 once rename every file in system32 by pre-pending extended characters to the file names. No internet connection, no unknown disks inserted into the machine.

Michael Kassner

I think ROI is the point, whether it be trade secrets, money, to discredit, or whatever reason. If the attacker believes the ROI is there, the attack will happen. I also am not so sure the networks are being walked over all that easily. They have security in place, but attackers have the upper hand. They only need to find one weakness, the defense team has to protect everything. And, the bigger the network, the more to defend.

Michael Kassner

As for what to worry about, systems or data, I sense that the industry is agreeing with you. And it is particularly important with cloud services now being "The buzz."

Michael Kassner

Your comments are appreciated. The "Law of Averages" is a good way to describe it.

jana.squires

If hackers are doing it just for the thrill, and getting away with it more often, then this will attract more of those who hack for monetary gain. I think if people are more informed about how best to secure their data, then the thrill seeking would be successful less of the time; and perhaps more discouraging for those who need to make a buck from the whole process. Either that, or the focus for the hacking cons would be high-profile targets alone where a large success would outweigh the failures.

Timbo Zimbabwe

I would think that these motivations would be applied by one of two types of people; One would be the experienced operator who is "showing off" his "gifts" to others or otherwise maintaining some form of dominance within his circle of peers. His intent is not to steal or *permanently* destroy anything, but simply to show that he or she could if they decided to do so. The other is the up-and-coming operator. They just started to learn all of this really cool stuff and want to see what they can do. This is usually meant to satisfy their own curiosity and to test their newly-acquired skill set. They aren't in it for fame, money, etc. This is their real-world test to see if they are grasping the concepts of their education. As for any ratio between "economic investment" or "non-economic motivations", I couldn't begin to guess.....

JCitizen

in articles about large spamming operations. They are out there, but not so much on the bank heist side, as far as I can tell.

Michael Kassner

As I mentioned in the lead, I am concerned that writers -- including me -- may have been misleading people as to the dynamics behind digital attacks. To that end, I wanted to offer some possible explanations as to why. And, what we as users can do to stay safe. As for individual attackers, I do not have any current data. If my memory serves me, back in the day, Kevin Mitnick's gang, Cyberpunk, included Susan Headley (Susy Thunder); his equal when it came to social engineering.

Michael Kassner

Physical attacks are hard to automate, digital ones aren't. Also, digital attackers are quite a bit harder to catch. Finally, I think digitally, our perimeters are being probed constantly.

Michael Kassner

That amounts to phishing, and I believe, part of what Dr. Herley considered.

Michael Kassner

It is. I suspect that Dr. Herley was pointing out the fact that we are using inaccurate measurements. You also have to differentiate general shot-gun attacks from severely-focused attacks aimed at single entities.

Michael Kassner

The older I get, the more I am surprised as to what motivates people.

koen.bossaert

In my opinion the weak chain analogy is not invalidated by Mr Herley's findings. The dog name password is indeed the weak link in the chain for that environment. It's just that attackers will look for other chains to break that will yield a better (effort+risk)/result ratio. That means that in the example that weak link is still strong enough -until the environment changes in such a way that the chain becomes more interesting...

Michael Kassner

Do you agree that there are significant numbers of computing devices exhibiting weak links in IT security? If so, then why aren't more devices attacked? That is the dilemma Dr. Herley is exploring.

Wunderbarb

When we use this motto, it is to highlight that it is useless to build complex solutions if you did not first cope with the low-hanging vulnerabilities. The assumption is double: 1- the hacker is intelligent and will analyze the complete chain 2- the hacker will use the least effort possible to break the system, thus the attacker will attack the weakest link. Indeed, the weakest link motto explains that the attacker is driven towards the best ROI. Which is also what the Microsoft paper seems to explain (at least when I read Michael's article. I did not yet have the time to read the paper, but will do). This is at least what I teach when I explain law 7 (see the 9 others at http://eric-diehl.com/index.php?lang=En&page=lois)

AnsuGisalas

...provided that you take into account the many aspects of low-hanging fruitness. For example, visibility is one aspect - more detectable systems (through lack of stealthing or unsound habits, both combined with plain bad luck) will be more likely targets. But just because a system is visible, doesn't mean it will also be detected - that's where luck comes in.

apotheon

Even Ubuntu is not quite as easy to crack as MS Windows, due at least to the fact that the OS still has decent architectural privilege separation and is not natively prone to autorun behavior. Of course, Canonical is doing everything it can to overcome these hurdles to maximum compatibility (with malware) for the Ubuntu OS, but it still has a ways to go to catch up with MS Windows.

Papa_Bill

As any respectable non - hacking computer user would know, it's Lunix that does the damage. Look at what happened to *me*! Brain fried and rusty on the bottom. I don't us a Compak any more, cause Microsoft and AOL block all hacking..And please note: It's Linyos Travolta, cousin to John and Alex Andertra Volta. The program was written for the Federal Radio Shack as a way to decode those secret police codes (like 10-1 means "victim dead now"). Incidentally, the link you provided has some erronious information, but the correct information is property of Wewill Spankum Technical and Correctional High School, and I signed a non - disclosure agreement in order to get my Dapplomah.

apotheon

That thing is obvious satire -- but there are probably a lot of people for whom it is not obvious at all.

HAL 9000

Would those who don't know that they have been hit understand what the Crackers are actually attempting? Most would immediately think that if they have been Infected someone is after their money. I doubt many would think that they are part of a BotNet used by people like Anonymous. Way too many people are paranoid about their financial position and think that everyone is out to get what they can. This isn't always the case but the majority seem to think it is mainly because that is what scares them the most. ;) Besides Michael I work for a Big Financial Organization and getting the truth out of them about any breach is impossible; they are not going to admit to anything that makes them look bad. And to be perfectly honest the Biggest Breach that I know of there was an internal one where it was cheaper to leave in place than try to stop. Someone who wrote a Big bit of their software diverted every .3 of a cent or lower from Interest Transactions into their own account and forwarded it on from there along with Logic Bombs. After accidentally triggering the first and taking down the entire country they didn't want to bother with it any more, but to be perfectly honest the money was probably going to the Board's Slush Fund to buy them Drinkies for their Christmas Party that lasts all year. After all several truck loads of Dom cost a decent amount of money so there were millions being diverted somewhere else other than the Bank. :D Col

Papa_Bill

That's the most common method used around here. On a car it can be even easier...small screwdriver used to pry the vent window latch. You're in like Flint. Take four SLRs, 11 lenses, 18 microphones, 14 boom stands, 2 - 400 Watt/channel power amps, 3 packed - to - the - rim toolboxes with test equipment, *crowbar* the factory radio out of the dash, get the battery, leave hood and doors wide open as a message to me...*If I want it, I'll get it*. Insurance gave me $3800 bucks on a good $6000 worth. Theft took place 30 - 40 feet from my snoring head, guessing around 3 AM. Nothing recovered. Clearly I needed better locks on my '72 Dodge Omni, and an alarm system.

AnsuGisalas

...that the crackers are already using. Depending on what you mean by a "thrill seeker". Many people like to poke around software just for kicks; that doesn't mean they break into other people's servers (although there may be those that do both). Remember that the crackers are doing it for a living. Some of them might not have to do other work. If the overall environment was more secure, it would affect profitability. Affecting profitability will affect the number of active criminals.

apotheon

To the extent that people protect their security, the specific set of exploits that would otherwise be used successfully on such people gets less attention overall, because the percentage of vulnerable targets in that space shrinks -- thus reducing the average return on investment. In short, those of us who care about our own security are, by way of throwing off the curve, actually providing greater security in effect for those who do not take any care in their own security.

Michael Kassner

I think it might be the opposite now. Those seeking monetary gain may not be as many in number, but their presence is felt more. I wish informing people would help. I have spent many years trying, but there is a contest between convenience and security. I'll bet you know which one wins.

AnsuGisalas

Does the cracker work bottom-up or top-down? If it's top-down, they start with a promising piece of code (trusted, good enough saturation), then they examine that for a money-making weakness. After that, they don't care if Company X has other, bigger weaknesses in their systems - they care only that Company X has the weakness they're fishing for. This is where ROI comes in; they're casting their nets wide... can they be bothered investigating 200000 weakened systems end to end? No. If they work bottom-up, they case a target, map out its systems, *find the weakest link* (actually, that's probably an optimization; they'll find the weakest link that's good enough - why do an exhaustive survey of the entire set of entrances to a building if you find an open side entrance after five minutes?), and then they make their attack to fit. Security professionals have to deal with this paradox: most attackers work top-down, but their client sees themselves more in line with the bottom-up model; the client doesn't see themselves as a loosely tied together set of mikado sticks, each one of which can potentially be lifted by a cracker. And probably the security guy has to safeguard against both, since a company also has to worry about getting specifically singled out (for example by a competitor).

Michael Kassner

Thank you for sharing your list. Each point is well worth knowing. I like, "Si vis pacem, para bellum".

Michael Kassner

Microsoft publicizes reports regularly on how many vulnerable computers they know about and the number is significant -- much more than the 5% attacked. Dr. Herley -- if I understand correctly -- is offering a possible reason why.

apotheon

Even given the featuritis-infected bloat of HTML5, I still think that would be a tremendous improvement.

JCitizen

browsers using in Linux, maybe the flash/java problems will disappear. (i.e. cease to exist)

apotheon

Things like Flash and Java certainly provide security issues, especially as browser plugins. They actually fall under the heading of different problems than I meant to identify, though. For instance, a file that is misnamed to appear to be something it isn't -- e.g. a Word document by appearance, but actually an executable -- will just execute or open in the appropriate application all too often in MS Windows. That sort of behavior has to be kludged together as a layer of extra frippery on Unix-like systems, though, and such coverage is far from complete, in contrast to the ubiquitously operating feature on MS Windows. The result is that very thinly veiled malware executes flawlessly on MS Windows so easily and often that it has become one of the most popular means of getting people to run malware, but it actually takes real effort in many cases to do the same on a Unix-like system, often requiring conscious complicity from a local user. That same set of conditions also fosters greater ability to serve the user on Unix-like systems, where one can open even a binary file in vi and start poking around in it; on MS Windows, Notepad refuses to open a binary executable, and double-clicking just executes it. Another autorun disaster area on MS Windows is the case where things execute without even the aid of a double-click from a user. Consider the case described in my article No Autorun Can Help Protect Microsoft Windows From Malware, involving a USB mass storage device that automatically executes malware just by plugging the damned thing into the computer. Sure, there are work-arounds to prevent this sort of thing, but they are non-default and kind of a pain in the butt to apply, to say nothing of the fact that the interface to the filesystem on MS Windows can make it sort of a pain to find the contents of your USB mass storage device "manually" to execute things you may want to open.
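
The misnamed-file problem described in the comment above (an executable wearing a document's name, or a double extension such as "report.doc.exe" that a shell hiding known extensions displays as "report.doc") can be checked from the defender's side by comparing what a file name claims against the file's leading bytes. The script below is an added example, not the commenter's code or any project's code; the signature table, the extension map, the decoy-extension list and the sample files are all constructed for illustration.

```python
"""Flag files whose name claims one type while their leading bytes say another.

Added example (not the commenter's code or any project's code): a defender-side
check for the 'misnamed executable' problem. The signature table, extension
map and sample files below are constructed for illustration.
"""
from __future__ import annotations

import os

# Leading bytes ("magic numbers") of a few common formats.
# OLE2 covers legacy .doc/.xls; OOXML (.docx/.xlsx) is a ZIP container.
MAGIC = [
    (b"MZ", "pe-executable"),                                # Windows PE
    (b"\x7fELF", "elf-executable"),                          # Unix ELF
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),  # legacy Office
    (b"PK\x03\x04", "zip-container"),                        # OOXML, JAR, ZIP
    (b"%PDF-", "pdf"),
]

# Content kinds each visible extension is expected to carry (constructed map).
EXPECTED = {
    ".exe": {"pe-executable"}, ".dll": {"pe-executable"}, ".scr": {"pe-executable"},
    ".doc": {"ole2-document"}, ".xls": {"ole2-document"},
    ".docx": {"zip-container"}, ".xlsx": {"zip-container"},
    ".zip": {"zip-container"}, ".jar": {"zip-container"},
    ".pdf": {"pdf"},
}

EXECUTABLE_KINDS = {"pe-executable", "elf-executable"}

# Extensions that, as the second-to-last suffix on an executable, suggest a
# 'report.doc.exe' style masquerade (shown as 'report.doc' when the shell
# hides known extensions). Constructed list; extend as needed.
DECOY_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


def detect_kind(data: bytes) -> str:
    """Return the content kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def check_file(filename: str, data: bytes) -> dict:
    """Classify one file as 'ok', 'mismatch' or 'masquerade'.

    mismatch   - the visible extension promises a type the bytes contradict
                 (e.g. 'invoice.doc' whose bytes start with an MZ header)
    masquerade - the bytes are executable and the name carries a decoy
                 document extension before the real one ('photo.jpg.exe')
    """
    kind = detect_kind(data)
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()
    decoy = os.path.splitext(stem)[1].lower()   # second-to-last suffix, if any
    expected = EXPECTED.get(ext)

    if expected is not None and kind not in expected:
        verdict = "mismatch"
    elif kind in EXECUTABLE_KINDS and decoy in DECOY_EXTS:
        verdict = "masquerade"
    else:
        verdict = "ok"
    return {"name": filename, "kind": kind, "extension": ext, "verdict": verdict}


def scan(files: dict[str, bytes]) -> list[dict]:
    """Check every (name, bytes) pair and return only the flagged results."""
    results = (check_file(name, data) for name, data in files.items())
    return [r for r in results if r["verdict"] != "ok"]


# Constructed sample files: a few header bytes padded to look like content.
PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56
SAMPLES = {
    "quarterly_report.doc": OLE_HEADER,    # genuine legacy Word file
    "invoice.doc": PE_HEADER,              # executable wearing a .doc name
    "vacation_photo.jpg.exe": PE_HEADER,   # double-extension decoy
    "setup.exe": PE_HEADER,                # honest executable
    "notes.txt": b"just some text\n",      # no signature, no claim
}

if __name__ == "__main__":
    for r in scan(SAMPLES):
        print(f"{r['verdict']:10} {r['name']:25} ({r['kind']})")
```

Run against the constructed samples it flags only "invoice.doc" (mismatch) and "vacation_photo.jpg.exe" (masquerade). The same two checks are what a mail gateway or download scanner applies before the user ever sees the icon: a magic-number test is cheap, and a double extension ending in an executable suffix is a strong signal on its own, whatever the shell chooses to display.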

JCitizen

to get flash and java and such stuff on their brand new linux installations.

Michael Kassner

I haven't looked at it that way. I see it as people or SMBs seeing unusual activity with their financial accounts as triggering a response. You are right about bots and other than malware. The bad guys are going to want to keep a low profile. I still say that whatever the unknown infected amount is, it is a long ways from 5 percent to 100 percent of 2 billion users.

apotheon

> That's the most common method used around here. I don't have any statistics on that. It's just how I'd do it if I saw such a poorly secured door. I think like a security guy, basically -- which means I see in things not just how they are meant to be used, but how they can be misused as well. People who think inside the box, who look at a tool and see only how it was meant to be used, tend to overlook the most direct approaches to cracking security. A crowbar is often much more effective than lockpicks, and a boot can sometimes be even more effective than that.

Michael Kassner

Cormac is a great source. I follow his work very closely.

Wunderbarb

Generalizing is always dangerous (especially in security). The methodology of an attack is totally different depending on whether it is a targeted one, i.e. built for a given target, often a company/administration (have a look at what happened to Lockheed Martin), or a blind attack, i.e. not with a precise target in mind. In the first case, we can expect the attacker to prepare it by some exploratory work beforehand; then the attacker will look for the easiest dedicated attack. In the second case, it may be more opportunistic, i.e. choosing one attack and looking randomly for a vulnerable target.

Michael Kassner

The attacker has to only find one weakness. The defender has to protect all of them.

AnsuGisalas

To err is human, but to really mess things up, you need a computer. or Facebook - like a facepalm, but with a Notebook... *crunch*

hippiekarl

Can you believe it?! I got five and the bonus in the Pick6! Here's Spot and me in the new Vette...well, off to Cozumel for a week of sun and daiquiris. 'Like' this if you wish you were me!!!

AnsuGisalas

"Here's me with Spot in my new Corvette" Can you hear the saliva starting to flow around the internet?

hippiekarl

I thought of 'low-hanging fruit' here as social media enthusiasts whose dog's name not only IS their password, but is posted on their 'wall' or pix ("Here's me with Spot!"). Juicy bank account hack? Maybe, but I bet a low-hanging fruit picker would have to pick a LOT of fruit to find something really juicy.

Michael Kassner

I have read where that is factored in by some. It is an interesting concept.

AnsuGisalas

The image of fruit hanging low also nudges an image of someone really lazy. How high can they be bothered to reach, how long can they be bothered to look around for the best lowest candidate...? If there's a fruit hanging low, which is also being loud about how juicy it is, odds are it will be taken before others, right?