MIT course "Computer Systems Security". Lecture 23: "The Economics of Security", part 2

Original author: Nikolai Zeldovich, James Mykens
  • Transfer
  • Tutorial

Massachusetts Institute of Technology. Lecture course # 6.858. "Security of computer systems." Nikolai Zeldovich, James Mykens. year 2014

Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.

Lecture 1: “Introduction: threat models” Part 1 / Part 2 / Part 3
Lecture 2: “Control of hacker attacks” Part 1 / Part 2 / Part 3
Lecture 3: “Buffer overflow: exploits and protection” Part 1 /Part 2 / Part 3
Lecture 4: “Privilege Separation” Part 1 / Part 2 / Part 3
Lecture 5: “Where Security System Errors Come From” Part 1 / Part 2
Lecture 6: “Capabilities” Part 1 / Part 2 / Part 3
Lecture 7: “Native Client Sandbox” Part 1 / Part 2 / Part 3
Lecture 8: “Network Security Model” Part 1 / Part 2 / Part 3
Lecture 9: “Web Application Security” Part 1 / Part 2/ Part 3
Lecture 10: “Symbolic execution” Part 1 / Part 2 / Part 3
Lecture 11: “Ur / Web programming language” Part 1 / Part 2 / Part 3
Lecture 12: “Network security” Part 1 / Part 2 / Part 3
Lecture 13: “Network Protocols” Part 1 / Part 2 / Part 3
Lecture 14: “SSL and HTTPS” Part 1 / Part 2 / Part 3
Lecture 15: “Medical Software” Part 1 / Part 2/ Part 3
Lecture 16: “Attacks through a side channel” Part 1 / Part 2 / Part 3
Lecture 17: “User authentication” Part 1 / Part 2 / Part 3
Lecture 18: “Private Internet viewing” Part 1 / Part 2 / Part 3
Lecture 19: “Anonymous Networks” Part 1 / Part 2 / Part 3
Lecture 20: “Mobile Phone Security” Part 1 / Part 2 / Part 3
Lecture 21: “Data Tracking” Part 1 /Part 2 / Part 3
Lecture 22: “MIT information security” Part 1 / Part 2 / Part 3
Lecture 23: “Security Economics” Part 1 / Part 2

Audience: how do spammers work with mailing lists, especially with huge lists?

Professor: There are problems with aggregation of mailing lists, as it is very difficult to provide mass mailing. Perhaps spammers need to use heuristics, with which they scale the payment according to the size of the list. For example, it would be heuristically more reasonable to send letters to 1000, and not to 350 million people or something like that. But you are right that there are practical limitations to mailing lists.
So, what can a spammer do to circumvent the spam protection methods mentioned above? Attackers have three workarounds.

The first is a network botnet with a lot of IP addresses that a spammer can use. Even if someone tries to create a “black list” of IP addresses, an attacker can search through a bunch of IP addresses on the network using a botnet and bypass the “black list” filtering.

The second is the use of hacked email accounts to send spam. This is a very profitable way, because due to the high popularity of the mail services Gmail, Yahoo or Hotmail can not be placed in the "black list". If you list all the services in this list, it means that you have closed it for tens of millions of people.

Of course, these individual services can put your mailbox on the “black list” if they use heuristic analysis, showing that you are sending letters to a lot of people with whom you have not copied, and the like. On the web server side of the postal service, there are technologies that allow you to detect your suspicious activity.

However, hacked accounts still represent great value for spammers, because even if your compromised account is not suitable for mass mailing, it can be used to send emails to people you know from your contact list. This makes it easier for an attacker to phish, since people are more willing to click on links sent to them by a familiar person. This is a very powerful tool for spamming attacks.

The third workaround is to capture the IP address from the rightful owner. As Mark mentioned in a previous lecture, there is a network protocol called BGP, which is used to control routing on the Internet. Thus, there are attacks in which the hacker claims that he is the owner of IP addresses, although in fact he does not own them. Because of this, all traffic associated with these addresses will be sent to the attacker, and he will be able to use these IP addresses to send spam. As soon as a spammer is detected, it will stop using BGP for one autonomous system and switch to another.

There are many studies on how to implement BGP authentication to prevent IP address capture, and a bunch of different security methods that attackers can try to work around. But all these workarounds are not free, because the attacker must somehow pay for the botnet or for getting into email accounts. So any of the protective measures will increase the cost of spam generation. Therefore, these protective measures are useful, although not perfect.

So what does a botnet network look like? In general, we have a cloud in which the Command & Control infrastructure is located, giving commands to all slave bots. So, the spammer calls C & C and says: “here are my new spam messages that I want to send”, after which the bots start acting on behalf of the command and control infrastructure and send messages to a group of people.

How are bots useful? As I already mentioned, they have IP addresses, they have bandwidth, perform computational cycles, sometimes these bots are used as a web server themselves. So these things are very, very useful for the spammer, besides they serve as a kind of indirect addressing. Indirect addressing is very useful for intruders. This means that if law enforcement or someone else disconnects this layer without affecting the infrastructure of the C & C itself, the spammer can simply attach the command and control infrastructure to another set of bots and continue his work.

This is one of the reasons for the usefulness of bots. A botnet can scale to millions of IP addresses, so people will click on random links, all the while using malicious software. So these things can get very, very big. Since whole companies are involved in a botnet network, millions and millions of computers can be present in them, so these networks are quite complex technically.

So how much does it cost to install malware for all these bots? It must be remembered that, as a rule, these are ordinary end-user computers. The cost of placing malware on one of the computers, or the price per host, is about 10 cents for American hosts and about one cent for Asian hosts. There are several reasons why the price is so different. Perhaps people tend to think that the connection established from the United States deserves more confidence. At the same time, Asian computers mostly use pirated software, which is not updated by security packages, so organizing a botnet network in Asia is much cheaper.

You will see some very interesting statistics on how these costs can fluctuate because companies like Microsoft are trying to eradicate piracy. But in any case, this is a rough estimate. Suffice to say that it is not too expensive.

What makes this C & C center and how does it look? In its simplest form, this is a centralized computer system of one or more machines. The attacker simply works on these machines, sending commands from there for the network botnet. Since this is a centralized system, it will be very useful for an attacker to have what is known as “bulletproof hosting”. His idea is that you place the Command & Control infrastructure on the servers of Internet providers that ignore requests from financial or law enforcement agencies to shut down such servers. "Bulletproof servers" really exist.

They are more expensive because there are risks in this case, but if you can place your C & C center there, it will be a great success. Because when the US government or Goldman Sachs bank says to such a provider: “hey, turn off this guy who is sending spam!”, He answers: “how can you get me to do this? I work in another jurisdiction and am not obliged to comply with intellectual property laws. ” As I said, these types of hosts actually charge a premium for the risk of launching such services on their servers.

Another alternative to running the C & C infrastructure is the P2P peer network, which is a mini-botnet. Here, the entire management infrastructure is distributed across different computers, and at any given time there is another computer that takes on the role of C & C, giving commands to all these work nodes. This is good because it does not require access to one of these "bullet-proof hosts." You can build a C & C infrastructure using regular bots. P2P makes it difficult to guarantee the availability of hosts located in this cloud, but it has other advantages. In general, these are two approaches that attackers can use to send spam.

So what happens if the hosting is closed? There are a couple of things that a spammer can do in this case. For example, it can use DNS to redirect requests. Suppose someone starts shutting down servers by counteracting the spammer. But while the servers are still alive, the attacker creates lists of server IP addresses, which can contain hundreds or thousands of these addresses. After that, it will begin to bind each address to the host name for a very short period of time, say, 300 seconds. This allows an attacker to deal with the consequences of shutting down servers that are considered to be spam messages distributors based on heuristics. In fact, every 300 seconds it changes the spamming location. So indirect addressing is a great prospect for a spammer. As I already said,

One may wonder what will happen if we just destroy the spammer’s DNS server? How difficult is it to do? The lecture article states that there are several levels at which you can counterattack a spammer. For example, you can try to remove the attacker's domain registration. For example, you say: “hey, if you are looking for, then go here to this DNS server and communicate through it!”. That is, as soon as someone tries to get to the spammer’s DNS server, you redirect it to the top-level domain. However, the difficulty is that an attacker can use fast flow switching methods at another level. For example, it can “scroll” the servers that are used as spam DNS servers, that is, switch between the servers that it uses to send spam, and so on and so forth. Thus, we see how these people can use several machines to try to avoid detection.

As I mentioned earlier, you can use hacked email accounts to send spam. If you can access someone's account, then you do not even need to install malware on the user's computer. You can access someone else's account from your own computer, wherever you are. This method is optimal for carrying out phishing attacks, because you send spam on behalf of a person who is trusted by his friends.

Therefore, postal service providers are extremely interested in preventing this, because if they do not do this, they risk falling into the “black list”. In addition, the provider needs to somehow monetize its service. They really need real users who will click on the legal advertisements that appear on their email page. But the higher the proportion of users who spam, the less likely that advertisers will decide to use the services of such a mail service. Therefore, webmail providers are very interested in preventing spam infiltrations.

They use heuristics to detect this type of spam. They may try to use captcha. If they suspect that you have sent 5 spam messages in a row, they may ask you to enter numbers from one of these blurry images or something similar.
However, many of these methods do not work very well. If you look at the price of a hacked account, then you, as a spammer, it will seem quite cheap - from one to 5 cents per account for Yahoo, Gmail or Hotmail. It is very very cheap. So such protection is not capable of forcing spammers to refuse to purchase hacked accounts. This is a bit disappointing, because it seems that wherever we go, we have to solve a captcha if we want to buy something or send mail. So what happened to the captcha, because she had to prevent harmful things?

As it turns out, an attacker can create services to solve a captcha, and the captcha input process can be automated, like everything else. As it turned out, the cost of solving a single captcha is about $ 0.001, and this can be done with a very low latency. Therefore, captcha is not a serious barrier against spam. You might think that captchas are solved by computers, software. But in reality, this is not the case; in most cases, real people decide captchas, and an attacker can outsource this case in two ways.

First of all, a hacker can simply find a labor market with a very cheap work force and use people as captcha solvers. For example, the spammer is concerned about the Gmail captcha, in which case he sends it to where the person is sitting, he decides to send it to the spammer for a small amount of money, and then the spammer sends the answer to the legal site. You can also do this with the help of the “Mechanical Turk” Mechanical Turk. Have you heard about the "mechanical turk"?

It is rather elegant, I mean "elegant" as a way to do evil. You can post these tasks on the Mechanical Turk website and say, “Hey, I’m just playing solving problems with pictures,” or something like that. Or you can openly state that you have captcha to be solved. You publish the price, after which the market brings you together with people who are ready to perform this task, they give answers and you publish them. So you can automate the work of the spammer, but you need to consider that Amazon, which owns Mechanical Turk, charges for its use.

The second way of outsourcing is that the spammer takes a captcha from the site he needs and copies it on the legal site to which the user is being redirected. He decides to captcha in fact for the attacker, who then enters the correct answer on his website, taking advantage of the work of an unsuspecting user. In addition, if the spammer does not trust his users, he can duplicate the work using crowdsourcing.

For example, you send a captcha to solve for two or three people, and then use a majority vote and choose what is accepted by the majority of votes as a response to your captcha.

For the above reasons, captcha does not work as well as you might think. Therefore, Gmail or Yahoo providers try to use captchas as often as possible to make life difficult for spammers. However, the problem is that the frequent use of a captcha in the first place annoys respectable users.

A good example of the complexity of the spam generation process is Gmail’s two-factor authentication. Actually, this is a very good idea. If Gmail determines that you are trying to sign in to a Gmail account from a computer that it doesn’t know, it will send you a text message to your phone saying “enter this verification code before continuing to use our service”.

It's funny that this is a great idea, but at least it really annoys me. I understand that this is done for my own safety, but I am still angry. If I do not often use different computers, I agree to such conditions, otherwise it becomes very inconvenient.

Thus, there is a very interesting compromise between the security that people talk about and those security measures with which they are willing to put up. As a result, postal service providers find it very difficult to find the optimal balance between the frequency of using captcha and the convenience of customers. Do you have any questions before I proceed to review support for clicks?

Lecture hall:It turns out that one of the reasons why encrypted emails are not widely accepted is the large role of spam filters?

Professor: do you mean that then the filters will not be able to view the contents of the letter and will not understand what is happening? This is a good question. In fact, it is difficult to answer it, this as an eternal problem, what was before - an egg or a chicken.

Since there is no huge amount of encrypted e-mail, it is unclear whether spammers could benefit from this. But I do not see that this can be a problem. I mean, people have learned how to perform calculations using encrypted data. So, probably, it would not stop spammers. For example, there are spam filters based on the Markov model. So what did the spammers come up with? They began to create images that are not responding to text scanners, and post spam content inside them. So this is always an arms race.

So let's move on to click support. What does this mean? If a publicity stunt succeeds and a link is given to the user, then after clicking on it, the user is associated with a certain DNS server that translates the host name contained in this link into an IP address. After that, the user must contact some web server that has this IP address. For all this to work, the spammer must register the domain name, start the DNS server and the web server. It turns out that the spammer has a lot to do in order for this click support to work.

You might ask, why would a spammer simply not use “raw” IP addresses, such as in these spam URLs? Does anyone have any thoughts on this? Why don't you just use something like 183.4.4 ... instead of

Lecture hall:because it looks more understandable and meaningful.

Professor:correct, because if the user looks at this thing, which is just a bunch of numbers, it will seem strange to him. As it turns out, this eliminates only a few users, but you are absolutely right. There is a group of people that a spammer could lose due to the fact that they would not want to click on a link from a pile of incomprehensible numbers. Another reason is that this kind of DNS infrastructure provides the attacker with a different level of indirection. If law enforcers closed down the domain of the lower level of the DNS infrastructure, without affecting the main web server, then the attacker could use the higher level domain name with the old server. This is one of the reasons why attackers usually do not use a “raw” IP address as a spam address.

An example of how indirect addressing comes into play is that these spam URLs often point to redirect sites, such as In addition, the role of the redirect page is often played by a hacked site. It is enough for an attacker to install the corresponding HTML or JavaScript there so that when entering this site, the browser redirects the user to some other site. This is also useful because it provides some level of indirection. In fact, the redirect acts as a spam multiplier because, having one spamming web server in the rear, you can put several different spamming websites in the foreground.

It is possible that this will allow the spammer to confuse the filters that will be blacklisted 10% of your URLs, leaving the remaining 90% to be working. Therefore, redirect technology is used by spammers quite often.

Sometimes spammers can use a botnet or a proxy as a DNS server as a web server, and so on. We mentioned this before, but this is another example of the fact that the more attacking computers there are, the more protected it is, because it can hide its malicious stuffing inside them.

The lecture article talks about affiliate programs, about partner providers.

Affiliate providers act as malicious clearing centers. They help the spammer to automate the processes of interaction with banks and payment systems.

You can ask why law enforcement officers will not cover the affiliated providers? The thing is, these providers are sort of like organizing SPECTER from the James Bond movies. By themselves, they are very decentralized, so it is rather difficult to point out an affiliate provider on a specific computer and simply turn off this computer. Often, partner providers themselves distribute their services, because, for example, it is difficult for the FBI to simply come to such a provider and demand that it refuse such activities. The article also notes that intellectual property laws are different in many countries, so the FBI cannot protect our intellectual property rights outside the United States.

In many spamming forums, spammers openly declare that they provide useful and legitimate services to users from Western countries. They argue that the prices for licensed software are too high, so people often have to click on links in order to purchase a pirated copy of Windows at a lower price, which may contain viruses. In many cases, spammers do not realize that they are doing something bad. Later we will discuss what often spammers really give you things that are worth their price. For me personally, this was one of the most unexpected results of their activities.

52:00 min

Full version of the course is available here .

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until January for free if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only here2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?

Also popular now: