Targeted attacks do have a different ROI set point. And as you say, whether they are considered successful or not is evaluated differently.
That's usually why criminals commit crimes.
Hackers hack to hack it. Hack hack.
The terms hacker, cracker, cyber criminal, and so on are interpreted differently. And, the differences will determine what information to review.
The analogy is valid only if you can make the assumption, not true here, that the said chain will only fail when stressed in one direction and basically ON ITS OWN, with no other external forces involved. Include an army of attackers, all armed with sledgehammers, axes, acetylene torches, and every other imaginable tool of destruction, each competing against time and one another to either chance upon OR CREATE vulnerabilities if they have to in the chain and exploit them before being caught at it and you may have a truer analogy.
...provided that you take into account the many aspects of low-hanging fruitness.
For example, visibility is one aspect - more detectable systems (through lack of stealthing or unsound habits, both combined with plain bad luck) will be more likely targets. But just because a system is visible, doesn't mean it will also be detected - that's where luck comes in.
Microsoft publicizes reports regularly on how many vulnerable computers they know about and the number is significant -- much more than the 5% attacked. Dr. Herley -- if I understand correctly -- is offering a possible reason why.
The image of fruit hanging low also nudges an image of someone really lazy. How high can they be bothered to reach, how long can they be bothered to look around for the best lowest candidate...?
If there's a fruit hanging low, which is also being loud about how juicy it is, odds are it will be taken before others, right?
I have read where that is factored in by some. It is an interesting concept.
I thought of 'low-hanging fruit' here as social media enthusiasts whose dog's name not only IS their password, but is posted on their 'wall' or pix ("Here's me with Spot!"). Juicy bank account hack? Maybe, but I bet a low-hanging fruit picker would have to pick a LOT of fruit to find something really juicy.
"Here's me with Spot in my new Corvette"
Can you hear the saliva starting to flow around the internet?
Can you believe it?! I got five and the bonus in the Pick6! Here's Spot and me in the new Vette...well, off to Cozumel for a week of sun and daiquiris. 'Like' this if you wish you were me!!!
To err is human, but to really mess things up, you need a computer.
or
Facebook - like a facepalm, but with a Notebook... *crunch*
When we use this motto, it is to highlight that it is useless to build complex solutions if you did not first cope with the low-hanging vulnerabilities. The assumption is double:
1- the hacker is intelligent and will analyze the complete chain
2- the hacker will use the least effort possible to break the system, thus the attacker will attack the weakest link.
Indeed, the weakest link motto explains that the attacker is driven towards the best ROI. Which is also what the Microsoft paper seems to explain (at least when I read Michael's article; I did not yet have the time to read the paper, but will do).
This is at least what I teach when I explain law 7 (see the 9 others at http://eric-diehl.com/index.php?lang=En&page=lois)
Thank you for sharing your list. Each point is well worth knowing. I like, "Si vis pacem, para bellum".
Does the cracker work bottom-up or top-down?
If it's top-down, they start with a promising piece of code (trusted, good enough saturation) then they examine that for a money-making weakness.
After that, they don't care if Company X has other, bigger weaknesses in their systems - they care only that Company X has the weakness they're fishing for.
This is where ROI comes in, they're casting their nets wide... can they be bothered investigating 200000 weakened systems end to end? No.
If they work bottom-up, they case a target, map out its systems, find the weakest link (actually, that's probably an optimization, they'll find the weakest link that's good enough - why do an exhaustive survey of the entire set of entrances to a building if you find an open side entrance after five minutes?), and then they make their attack to fit.
Security professionals have to deal with this paradox: Most attackers work top-down, but their client sees themselves more in line with the bottom-up model; the client doesn't see themselves as a loosely tied together set of mikado sticks, each one of which can potentially be lifted by a cracker. And probably the security guy has to safeguard against both, since a company also has to worry about getting specifically singled out (for example by a competitor).
The attacker has to only find one weakness. The defender has to protect all of them.
Generalizing is always dangerous (especially in security). The methodology of an attack is totally different depending on whether it is a targeted one, i.e. built for a given target, often a company/administration (have a look at what happened to Lockheed Martin), or a blind attack, i.e. not with a precise target in mind. In the first case, we can expect the attacker to prepare it by some exploratory work before, then the attacker will look for the easiest dedicated attack. In the second case, it may be more opportunistic, i.e. choosing one attack and looking randomly for a vulnerable target.
Do you agree that there are significant numbers of computing devices exhibiting weak links in IT security? If so, then why aren't more devices attacked? That is the dilemma Dr. Herley is exploring.
In my opinion the weak chain analogy is not invalidated by Mr Herley's findings. The dog name password is indeed the weak link in the chain for that environment. It's just that attackers will look for other chains to break that will yield a better (effort+risk)/result ratio. That means that in the example that weak link is still strong enough - until the environment changes in such a way that the chain becomes more interesting...
More than anything else!
Throughout the article I was thinking this "business" view only works if it works as a business, which it doesn't necessarily.
Look at the recent Google hacks in certain countries. Of the hundreds of thousands of security breaches, none had anything to do with money. And the attack was far more sophisticated than just exploiting the low hanging fruit.
I would rather change your sentence to "When other motives are involved, I think we'll be in trouble." That day will certainly come in my view.
The older I get, the more I am surprised as to what motivates people.
Isn't 5 percent still a lot of people or companies?
I agree the attacks are random in a user-oriented sense, but I always thought a certain amount were pre-determined targets?
Most Hacking stuff I have read seemed to have little to do with money. I guess this reflects what the article is saying. If money was to be made, there would be a lot more hacking.
Good article.
It is. I suspect that Dr. Herley was pointing out the fact that we are using inaccurate measurements. You also have to differentiate general shot-gun attacks from severely-focused attacks aimed at single entities.
One thing that helps in getting other people's info is ghost sites, where people think that registering is going to get them something or somewhere, let's say an email account: the user fills in the registration form and leaves precious data, because almost certainly this user is going to use the same data in other accounts. I think that if one hasn't been hacked it doesn't mean one isn't going to be in the (near) future; it's just a matter of time... What I'm saying is that hackers don't just hack passwords; first there's gotta be a user name, and user lists help in getting both. Try registering less and obviously the chance of you getting hacked is going to be considerably less...
That amounts to phishing, and I believe, part of what Dr. Herley considered.
Everybody isn't hacked every day for the same reason thieves don't break into our homes daily. Our homes aren't fortresses either, and we aren't regularly robbed because thieves are a minority and know that they can be caught at any time.
It doesn't mean that we don't need to care about security, but that there are far more people vulnerable than people hacking or burgling. We may be a victim someday, so we'd better be careful. But our weaknesses will hardly be explored every day.
Physical attacks are hard to automate, digital ones aren't. Also, digital attackers are quite a bit harder to catch. Finally, I think digitally, our perimeters are being probed constantly.
I work from home using my laptop and in the past have unfortunately been a target of online scams. In the process of finding out who and where these people operate, I have never seen any females mentioned in the perpetration of these crimes.
As I mentioned in the lead, I am concerned that writers -- including me -- may have been misleading people as to the dynamics behind digital attacks. To that end, I wanted to offer some possible explanations as to why. And, what we as users can do to stay safe.
As for individual attackers, I do not have any current data.
If my memory serves me, back in the day, Kevin Mitnick's gang, Cyberpunk, included Susan Headley (Susy Thunder), his equal when it came to social engineering.
in articles about large spamming operations. They are out there, but not so much on the bank heist side, as far as I can tell.
Unless I miss my guess, it appears the research is pointing towards an evolution of the hacking paradigm.
There's a lot of talk about ROI for hacking, but what that "return" is could vary quite a bit. The most obvious case being the difference between criminal hacking - to actually obtain or possibly destroy something of value belonging to someone else whether it be money or intellectual property or someone else's secrets - and the somewhat stereotypical "mountain climber" hacker - they do it because it is there and they want to prove themselves. Feel free to add your own motivations but I think ultimately they're going to fall on the continuum between those two.
Those motivations are going to greatly influence how much and what type of "investment" - monetary or otherwise - a hacker is going to put toward a given effort and therefore the type and amount of a "return" they are willing to accept (or maybe it's the other way around, but in the end the effect is the same). Also factor in the differences between finding a new, unknown vulnerability, making use of existing exploits for well-known vulnerabilities and finding new ways to exploit known vulnerabilities.
So for purely criminal hacking, an economic (read: dollars-and-cents) investment vs return model makes sense, but I wonder how the non-economic motivations play into the analysis?
I would think that these motivations would be applied by one of two types of people: one would be the experienced operator who is "showing off" his "gifts" to others or otherwise maintaining some form of dominance within his circle of peers. His intent is not to steal or *permanently* destroy anything, but simply to show that he or she could if they decided to do so. The other is the up-and-coming operator. They just started to learn all of this really cool stuff and want to see what they can do. This is usually meant to satisfy their own curiosity and to test their newly-acquired skill set. They aren't in it for fame, money, etc. This is their real-world test to see if they are grasping the concepts of their education.
As for any ratio between "economic investment" or "non-economic motivations", I couldn't begin to guess.....
If hackers are doing it just for the thrill, and getting away with it more often, then this will attract more of those who hack for monetary gain.
I think if people are more informed about how best to secure their data, then the thrill seeking would be successful less of the time; and perhaps more discouraging for those who need to make a buck from the whole process.
Either that, or the focus for the hacking cons would be high-profile targets alone where a large success would outweigh the failures.
I think it might be the opposite now. Those seeking monetary gain may not be as many in number, but their presence is felt more.
I wish informing people would help. I have spent many years trying, but there is a contest between convenience and security. I'll bet you know which one wins.
To the extent that people protect their security, the specific set of exploits that would otherwise be used successfully on such people gets less attention overall, because the percentage of vulnerable targets in that space shrinks -- thus reducing the average return on investment. In short, those of us who care about our own security are, by way of throwing off the curve, actually providing greater security in effect for those who do not take any care in their own security.
...that the crackers are already using. Depending on what you mean by a "thrill seeker". Many people like to poke around software just for kicks; that doesn't mean they break into other people's servers (although there may be those that do both).
Remember that the crackers are doing it for a living. Some of them might not have to do other work.
If the overall environment was more secure, it would affect profitability. Affecting profitability will affect the number of active criminals.
"Stealing is like any other economic activity. Things have to succeed on average, not just when circumstances are favorable. Meaning, the attacker pays a price for every attempt, but gets a return only when the attack succeeds."
Bingo, the law of averages! This is such a simple concept that it often gets overlooked. This is why something as mundane, yet annoying, as changing your password matters. This increases the odds in your favor. Add any other options to your security to increase the odds. Security is not absolute and it's ALWAYS a moving target; keep yours moving and you make yourself a hard target.
As always, Michael, you provide information that is in-depth in the concept, easy to understand and not merely a "security by the numbers" story. Thanks again!
Your comments are appreciated. The "Law of Averages" is a good way to describe it.
One factor left out of the discussion, and perhaps why sysadmins are more concerned about good passwords than users are, is that the numbers game goes against them. If weak passwords cause a 1% chance of a compromised machine but the sysadmin is administering 1000 machines, they can expect 10 of them on average to be compromised. These 10 give a hacker a good chance to sniff around the network to see if there is anything interesting.
You might be interested in another article I wrote with Dr. Herley:
http://www.techrepublic.com/blog/security/are-users-right-in-rejecting-security-advice/3275
Managing security (from an end-user perspective) only for a stand-alone is challenging for most people. Even techies don't understand the vast amount of processes working at a given time on the average PC.
Sure, a virus scanner, a FW and malware scanner could help. But would they, really? For 0-day, all of these are largely useless (some help might come from heuristics). A firewall is really a patch to protect lousy apps.
Most attacks nowadays base themselves (as the article points out) on predictable behavior - Facebook, net surfing, downloads. These can't really be protected with a FW.
And once a system is rooted (with a clever rootkit) the inherent complexity as well as obscurity of the OS and apps prevent even savvy users from restoring without a re-image.
Why fingerprinting is not implemented in major OS as a standard feature is beyond me. MS is getting better at it - signing a lot of services but it is cumbersome to ensure that one is only running signed apps and services.
And then... remember, we're only talking about client software here. Do we really know how safe the online information we are now eagerly uploading is?
I guess the main change we should contemplate here is - in the past, the real worry was the system, and its safety. In today's world, we should strive to ensure that data is adequately protected, ideally remaining protected even if the system is compromised.
Just my 2 cents...
As for what to worry about, systems or data, I sense that the industry is agreeing with you. And it is particularly important with cloud services now being "The buzz."
I have to admit, like many here I am sure, I manage networks. I do it for a living and am self-employed. The idea of being hacked makes my stomach turn, as I take pride in my work, so I try to stay on top of things and I am one that actually looks at the log files. However, with the recent hacks at will, and even with notice, of these high profile networks, it does make me wonder. These high profile networks have, by comparison to my own, unlimited IT budgets. They have all the bells and whistles when it comes to protection and these hackers are walking all over them as if they already had domain admin access. It worries me as I have my own set of security tricks, but I am also on a tight budget and have to protect my own networks with minimal investment. If these hackers can walk all over these high profile networks like they do, then really what is stopping them from walking all over the ones I take care of?
I do not have the high end security measures in place, but somehow I have managed to keep the networks I take care of out of the spotlight. Aside from the Hershey's chocolate recipe change it seems none of these high profile networks were for profit although it did cost the companies money as in the case with the so many Sony hacks.
This topic does need to be looked at better to understand why more are not hacked, but from what I have read I am not sure we are on the right track. Sorry to say however, I do not know what the right track is. What I do know is high profile networks are being walked all over. I also know there are way too many systems that do not stay current with updates and they are not hacked. Sure, many will be click happy and have spyware from heck on their systems but that is user fault and not actually being hacked.
Claim to fame hacking is still very strong today even though we are taught only script kiddies do this while they strengthen their skills to become full time hackers where it's done for profit. I'm not seeing a lot of for profit, but do see the claim to fame hacks.
We should be seeing more hacks. A lot more based on how easy it has been to walk all over the high profile networks with huge IT budgets. I think the question of why aren't we seeing more is still very good and unanswered. I doubt we would get the true answer, but it seems only those doing the hacking could answer. Anyone have any contacts at Lulzsec or Anonymous? - A valid unanswered question needs to be answered with accuracy. Otherwise, I feel we are all sitting ducks no matter how high we attempt to be on the fruit tree.
Rob
I think ROI is the point, whether it be trade secrets, money, to discredit, or whatever reason. If the attacker believes the ROI is there, the attack will happen.
I also am not so sure the networks are being walked over all that easily. They have security in place, but attackers have the upper hand. They only need to find one weakness, the defense team has to protect everything. And, the bigger the network, the more to defend.
Somehow they managed to delete every EXE file on my C drive (left the D and E drives alone) that did not have a publisher listed as Microsoft, essentially, every non Microsoft exe got deleted.
The system still booted but that was a pain, I still ran it for several more years before I finally got around to reinstalling the OS.
There was never any trace of a virus on it, and it never happened again.
This was about 5 years ago now.
No, I'm not joking, either.
I had 95 once rename every file in system32 by pre-pending extended characters to the file names. No internet connection, no unknown disks inserted into the machine.