I read this article for university and found it very interesting. It addresses the fact that even though the majority of internet users ignore even the basic security “best practices” (remember them? Keep your antivirus and programs up to date, do not click on links you do not know, do not execute JavaScript from unknown sources), the internet is still usable: it is still safe enough that you can buy on eBay, use internet banking and so on.
Why?
They argue that there are two kinds of attacks: scalable and non-scalable (later they briefly introduce a third, a hybrid of the two). In a scalable attack there is a fixed cost, and the total cost grows less than linearly as the number of potential victims increases, so it is easy to scale and the more attempts, the better. In a non-scalable attack the cost increases at least linearly with the number of attempts: if one attack costs x, two attacks cost at least 2x.
Examples of the first type are easy to find: spam, phishing and so on. The second type is a little less common: it is when the attacker has to gather extra information about the victim in order to personalise the attack, for instance answering the secret question to get access to an email account.
Once they have divided attacks into these two groups, they show some calculations and use market rules to show that the scalable attack (they call this attacker Carl) is much cheaper, so it does not need a big gain from each victim; its goal is to reach as many victims as possible (to spread the cost) and collect a reasonable amount of money. Klara, the attacker using non-scalable attacks, is in a different situation: her attacks do not scale, so the cost cannot be spread across victims, and the return she needs from each one is much higher than Carl's. Which makes sense: imagine two companies producing the same product, one in large quantities and the other by hand. The first is scalable and makes its money on quantity, not on the price of the product, while the second has to make its money on price, not quantity.
Regarding scalable attacks, they claim these are very easy to avoid, because they are simple. Regarding Klara's attacks, we have a problem. With computers as they are today, it is just not possible to be 100% secure from attacks, so if Klara wants to attack you, she will succeed (and she is a girl, and girls always get what they want). But the thing is: you have to be worth her effort. You have to have some value for Klara. You have to be very rich, someone important, or an ex-boyfriend she is not very happy with. You can't be just anyone; for some reason, you have to be special to her. They arrive at results indicating that less than 1% of internet users are special, so attacking the other 99% will only hurt Klara instead of helping her.
With this information, they conclude that if you are in this less-than-1% group of users (which changes from attacker to attacker, because each has their own personal reasons and “enemy circle”), you are in trouble: the attacker will be able to attack you and there is nothing you can do about it. But if you are not in this group, you can be happy because nobody cares about you: if you do not leave your wallet on the table, nobody is going to steal it. So they say you only have to defend against the simple attacks; trying to defend against the complex attacks will cost time/money/effort and you are probably not going to be a victim of them, and if you are, it will be useless anyway. So they recommend: “Do the minimum and hope for the best”.
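To make the cost argument concrete, here is a small model I put together while reading; it is an added illustration, not code or figures from the paper. The cost functions, the numbers for Carl and Klara, and the population values are all constructed assumptions chosen only to show the shape of the argument: for a scalable attacker the cost per target falls as the campaign grows and a tiny gain per victim is enough, while for a non-scalable attacker the cost per target is flat, so each victim must individually be worth more than the cost of going after them.

```python
"""Toy economic model of scalable (Carl) vs non-scalable (Klara) attacks.

Added illustration for the review above; not code from the paper. Every
number below is a constructed assumption, not a figure from the paper.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Attacker:
    """Cost structure of one attacker type (constructed parameters)."""

    name: str
    fixed_cost: float       # one-off setup cost, paid whatever the number of targets
    per_target_cost: float  # marginal cost of adding one more target
    success_rate: float     # fraction of targeted users who fall for the attack

    def cost(self, targets: int) -> float:
        """Total campaign cost for a given number of targets."""
        return self.fixed_cost + self.per_target_cost * targets

    def cost_per_target(self, targets: int) -> float:
        return self.cost(targets) / targets

    def breakeven_gain(self, targets: int) -> float:
        """Smallest gain per successful victim at which the campaign is not a loss."""
        return self.cost(targets) / (self.success_rate * targets)

    def profit(self, targets: int, gain_per_victim: float) -> float:
        return self.success_rate * targets * gain_per_victim - self.cost(targets)


# Carl: scalable attack (think of a spam run). Sizeable setup cost, almost no
# cost per extra target, tiny success rate. Constructed numbers.
CARL = Attacker("Carl", fixed_cost=1000.0, per_target_cost=0.001, success_rate=0.001)

# Klara: non-scalable attack (she has to research each victim, e.g. to answer
# a secret question). No setup cost, a real cost per target, high success rate.
KLARA = Attacker("Klara", fixed_cost=0.0, per_target_cost=500.0, success_rate=0.9)


def is_scalable(attacker: Attacker, small: int = 1_000, large: int = 1_000_000) -> bool:
    """Scalable in the paper's sense: cost per target falls as the campaign grows."""
    return attacker.cost_per_target(large) < attacker.cost_per_target(small)


def worth_attacking(attacker: Attacker, victim_value: float) -> bool:
    """Would a single targeted attack on a user worth `victim_value` pay off?"""
    return attacker.profit(1, victim_value) > 0


def fraction_worth_targeting(attacker: Attacker, population_values: list[float]) -> float:
    """Share of a population that is individually worth a targeted attack."""
    hits = sum(1 for value in population_values if worth_attacking(attacker, value))
    return hits / len(population_values)


# Constructed population: most users would yield little, a handful a lot.
POPULATION = [20.0] * 992 + [5000.0] * 8

if __name__ == "__main__":
    print(f"Carl scalable: {is_scalable(CARL)}, Klara scalable: {is_scalable(KLARA)}")
    print(f"Carl needs {CARL.breakeven_gain(1_000_000):.2f} per victim at 1M targets")
    print(f"Klara needs {KLARA.breakeven_gain(1):.2f} per victim")
    print(f"Carl's profit on 1M low-value users: {CARL.profit(1_000_000, 20.0):.0f}")
    print(f"Share of population worth Klara's effort: {fraction_worth_targeting(KLARA, POPULATION):.1%}")
```

With these made-up parameters Carl breaks even at a couple of currency units per victim once the campaign is large, and still profits on a population of low-value users, whereas Klara needs hundreds per victim and only a fraction of a percent of the constructed population clears that bar. Changing the numbers moves the threshold but not the shape: the non-scalable attacker's per-target cost is exactly the "you have to be worth her effort" condition in the text.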
I found the article very interesting, both in the way they reach their results and in the logic they use to get there. The problem I have is with their conclusions, which to me are a little extreme: doing the minimum and hoping that someone “smart” will never want to attack you is not enough for me. Also, not all attackers are highly skilled; some may be beginners using simple hacking programs (imagine a co-worker who for some reason does not like you). These attacks can also be prevented. So I think it may indeed be useful to invest time in some security improvements and knowledge.
Almost forgot: the paper is from Microsoft Research ;).