MIT course "Computer Systems Security". Lecture 23: Security Economics, Part 1
Massachusetts Institute of Technology. Lecture course # 6.858. "Security of computer systems." Nikolai Zeldovich, James Mykens. year 2014
Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.
Lecture 1: “Introduction: threat models” Part 1 / Part 2 / Part 3
Lecture 2: “Control of hacker attacks” Part 1 / Part 2 / Part 3
Lecture 3: “Buffer overflow: exploits and protection” Part 1 /Part 2 / Part 3
Lecture 4: “Privilege Separation” Part 1 / Part 2 / Part 3
Lecture 5: “Where Security System Errors Come From” Part 1 / Part 2
Lecture 6: “Capabilities” Part 1 / Part 2 / Part 3
Lecture 7: “Native Client Sandbox” Part 1 / Part 2 / Part 3
Lecture 8: “Network Security Model” Part 1 / Part 2 / Part 3
Lecture 9: “Web Application Security” Part 1 / Part 2/ Part 3
Lecture 10: “Symbolic execution” Part 1 / Part 2 / Part 3
Lecture 11: “Ur / Web programming language” Part 1 / Part 2 / Part 3
Lecture 12: “Network security” Part 1 / Part 2 / Part 3
Lecture 13: “Network Protocols” Part 1 / Part 2 / Part 3
Lecture 14: “SSL and HTTPS” Part 1 / Part 2 / Part 3
Lecture 15: “Medical Software” Part 1 / Part 2/ Part 3
Lecture 16: “Attacks through a side channel” Part 1 / Part 2 / Part 3
Lecture 17: “User authentication” Part 1 / Part 2 / Part 3
Lecture 18: “Private Internet viewing” Part 1 / Part 2 / Part 3
Lecture 19: “Anonymous Networks” Part 1 / Part 2 / Part 3
Lecture 20: “Mobile Phone Security” Part 1 / Part 2 / Part 3
Lecture 21: “Data Tracking” Part 1 /Part 2 / Part 3
Lecture 22: “MIT Information Security” Part 1 / Part 2 / Part 3
Lecture 23: “Security Economics” Part 1 / Part 2
James Mycens: today we will talk about spam economics. Before that, we discussed technical aspects of security at lectures. We looked at things like buffer overflow, the principle of the same source, Tor, and the like. The context for the discussion was that we considered how an adversary could compromise a system. We tried to develop a threat model that describes the things we want to prevent, and then thought about how to design systems that would help us defend against this threat model.
So, today we will look at an alternative perspective, which is the question of why the attacker is trying to hack the system? Why is he trying to hurt us? There are many reasons why intruders try to do these terrible things. Some of these attacks are made for ideological reasons by people who consider themselves to be political activists, or the like. We can recall the Stuxnet computer worm, which shows that governments sometimes attack other governments. Therefore, for these types of attacks, money, the economy, are not the main motivation for the attack. Interestingly, it is actually difficult to prevent these attacks by simply making computers more secure. And there is no financial leverage to redirect these intruders to other activities.
However, there are some types of attacks that include a strong economic component, and these are some of the things that we will consider today. Interestingly, if the attacks are not based on the financial interest of hackers, we cannot use any rules to prevent them. Sometimes it is difficult to understand how to stop such an attack, so, as I said, we are just trying to make computers more secure.
For example, Stuxnet is a great idea. This virus attacked industrial software related to nuclear research in Iran. So we all know where Stuxnet came from, mostly Americans and Israelis. But can we prove it in court? For example, who can we sue by saying that he connected Stuxnet to our car?
Thus, in such attacks it is not clear who can be sued - the Federal Reserve, or Israel, or anyone else. In addition, no one officially declared that they were the ones. So when you think how to prevent such attacks, there are very interesting legal and financial issues.
There are many types of computer crimes that are motivated by economic reasons. For example, industrial espionage, sponsored by the state, is one of the things discussed in the previous lecture. Sometimes governments try to hack other governments or other industries to steal intellectual property, or something like that.
Interestingly, when organizing spam attacks, you must first invest some money in order to earn some money later. Spammers really need to invest in infrastructure infrastructure before they can send their messages.
If you have attacks of this kind, you can figure out what the financial chain of hacking tools looks like, and then perhaps you can think of applying financial pressure on the upper links of the chain to prevent malicious attacks or security problems on the lower links.
The key point is that if you look at the context of spam, you will understand that spammers stop sending spam only when it becomes unprofitable for them. One of the sad truths in the world is that we continue to receive spam, because it costs the spammers too cheap because they only have enough profit from 2% - 3% of people who will click on the links and view the spam. As long as their costs of sending these messages are so low, spammers can still make money from such things even with minimal activity of the victims.
Therefore, today we will consider attacks that contain a significant economic component. Let me give you one interesting example that I just read about, this is happening in China. They have a problem called “text messaging machines”. The idea here is that people drive cars with antennas pointing in the direction, acting according to the “man-in-the-middle” scheme between mobile phones and cell phone towers. Driving around in these machines, they collect mobile phone numbers, which then send spam from them in the form of text messages.
Working in this way, these Text-messaging cars can send up to 200,000 messages per day, which is a huge number, while the cost of labor is very low. It is very cheap to hire a driver, drive along the route, spying on the traffic of people, and send them spam.
Let's look at the economics of this process. What is the cost of the antenna, which allows to monitor the traffic of mobile communication? Roughly speaking, it is somewhere in the region of plus or minus $ 1600. How much profit can these people get per day? With a successful scenario, too, about 1600 dollars. So it is very interesting. This means that you recoup your costs in one day and then you will receive a net profit.
You can say that the police can catch you, and then you may be imprisoned or you will have to pay a fine, but it is less than 5 thousand dollars, besides, these people rarely come across. We must pay attention to such calculations when thinking about how to economically restrain these spammers. Therefore, if spammers are caught a couple of times a year and they return their equipment costs in one day, it is very difficult to figure out how to financially prevent them from doing such a thing.
Interestingly, in China, it is understood that mobile operators also participate in this scheme, because every time you send spam, you send a small amount of money to a mobile operator, just a couple of cents. In Europe, many mobile operators have decided that they do not need angry customers who report that they constantly receive spam. But many Chinese mobile operators, at least the three largest, consider these spam messages as a source of their income. They really think that this is a good way to get some extra money.
I don’t know if you heard about this, but the Telcos network came up with the prefix 106- for telephone numbers. The original purpose of this prefix is to use the phone number for non-commercial purposes. Imagine you are running a company and want to send a bunch of text messages to all your employees. You can use one of these 106 numbers to send all messages “in bulk” and avoid some of the built-in speed limit mechanisms in the cellular network.
This can be used by spammers, and I think that 55% of mobile spam sent in China comes from one of these 106 numbers. This is an interesting example of the work of the financial scheme, when certain perverse incentives incline cellular operators to engage in a common cause with fraudsters. In the lecture notes there is a link to an interesting article in the Economist magazine.
It is interesting that there are many companies engaged in cyber weapons. They sell malware, exploits, and similar software. One example is Endgame. For example, for one and a half million dollars, this company will provide you with the IP addresses and physical location of millions of unprotected computers. They have a lot of points all over the Internet, where they collect all kinds of interesting information about computers that you can attack or vice versa, protect, if, for example, you are the government, or another agency, or something like that.
For about $ 2.5 million, they will give you what is simply terrific - “zero-day package subscription.” If you subscribe to this, you will receive 25 exploits per year and will be able to do whatever you want with their help. Most interestingly, many people who collaborate with these cyber-weapon traders are former members of the security services, such as the CIA or the NSA.
It is interesting to think about who the actual customers of these cyber traders are. Some customers are governments, for example, the US government. They use these things to attack other countries. But most often such products are bought by companies. At the end of the lecture, we will talk about how companies sometimes take cybersecurity issues into their own hands and organize what is called hackback, or internal hacking. Companies that are being attacked by cybercriminals do not involve government official structures in this matter, but try to deal with those who tried to steal their intellectual property. However, they quite successfully use very inventive legal arguments to justify their actions. So this is an interesting aspect of cyber war.
Lecture hall:is it legal?
Professor: we know that “information wants to be free, man,” right? Speaking of such things, you should not use the terminology "legally or illegally," just something works "in the shadow." For example, if I tell you that somewhere there is a house in which the door lock does not work, and ask for it for 20 bucks, it will not necessarily be illegal. As it turned out, these companies have crowds of lawyers who study such things. But in many cases, if you think about how to do dirty tricks, you can search for it on the Internet and visit sites that tell you how to make bombs. Placing such information is not illegal because it is merely educational from the point of view of education. What if I, for example, a chemist? Therefore, to provide someone with knowledge is not necessarily illegal.
But you are right that there are some “gray areas” here, for example, these hackback, which we will talk about later. Suppose I am a bank, I am not a government, but a bank, and they hacked me. I do not always have the legal authority to cover a botnet or something like that. Companies do such things, but the law is behind the times. Therefore, if the intruders do this, we will use the copyright infringement law, as they sell our products. If they use a botnet, we will use the law on violations in the use of IP addresses.
This is probably not what Thomas Jefferson was thinking about, suggesting how the laws really should work, this is in some way a cat-and-mouse game, later we will discuss it.
In principle, all this means that there is a market for all types of computing resources that could be used by those who want to organize attacks. For example, there is a market for hacked systems. You can go to the "dark area" of the Internet and buy all the compromised computers that can be part of a botnet. You can buy access to infected sites and use such a website to post spam or links to malware.
For money, you can access hacked email accounts, such as Gmail or Yahoo, these things are of great value to attackers. You can also just buy something like a subscription to a botnet and, if necessary, use it, for example, to organize a DDoS attack. So there is a market where all this can be bought.
There is also a hacking tools market, where you, as an attacker, can buy ready-made sets of malicious programs, or use the services of cyber-weapon traders, you can get access to zero-day exploits, and so on and so forth.
There is also a large market of stolen user information. These are things like social security numbers, credit card numbers, email addresses, and so on. So all this is on the Internet, if you are ready to search.
So, the lecture article that we are going to discuss today is mainly focused on one aspect - the spam ecosystem. In particular, the authors are considering the sale of pharmaceuticals, counterfeit goods and software. In doing so, they divide the spam ecosystem into three parts.
The first part is advertising. This process somehow makes the user click on the spamming link. As soon as the user does this, the second part arises - the need to support clicks. This implies that there must be some type of web server, DNS infrastructure, and so on, which represent the spamming site the user is going to. The final part of the spam ecosystem is the implementation, what actually allows the user to make a purchase on the site. He sends money to spammers, hoping to get a certain product, and this is the place where the money comes from.
Therefore, many of these things are outsourced to affiliate programs. Most of the time, these programs are engaged in servicing the sale and purchase, working with banks, payment systems Visa, MasterCard, and so on. However, often spammers do not intend to deal with such difficulties, they just want to create links, so spammers can be perceived as an advertising component. At the same time, the spammers themselves work for commission percent of the transaction, receiving from 30% to 50% of the sale value of the goods.
In this lecture, we will look at every component of the spam ecosystem, see how it works, and then think about how we can get rid of spammers at each of these levels.
The first thing we will notice is the advertising component. As I already mentioned, the main idea of advertising is to force the user to follow the link. This is the main question that will worry us. As you know, the first spam is sent in e-mails as a text message. However, spammers are beginning to actively use other forms of communication, including social networks. Now, when you go to Facebook, you are not only “infected” with the content of your real friends, but also with spam messages.
Our discussion is about economics, so the interesting issue is the cost of actually sending these spam messages. It turns out that it is not very expensive - for about 60 bucks you can send a million spam emails, so this is a super low price. And it will be even lower if you immediately connect to this botnet, since it is possible to refuse the services of an intermediary. But even if you rent one of the botnet systems on the market, it is still very cheap.
Audience: which part of these messages is really effective? That is, how many of them are not filtered by the mail client?
Professor:This is a good question that brings me to the next point. For example, you send a million spam messages, but they are discarded at different points in your path, getting into spam filters. People will notice them and delete them immediately, knowing that an email that, for example, is marked with a “$ 18” badge, contains spam.
Therefore, if you look at the conversion rate, you will see that due to such things as spam filters and user awareness, click-through rates are actually very low. Therefore, spamming should be super, super cheap, because otherwise you will not get great benefits. For example, empirical studies were conducted that determined clickthrough rates. It turned out that when viewing 350 million spam messages, only about 10,000 clicks were made, that is, there was a massive “drop” of messages. Moreover, these 10,000 clicks accounted for only 28 attempts to purchase the proposed product. These are very, very low rates, so it’s extremely important for a spammer that the cost of a spam ecosystem be very cheap.
Pay attention to the filtering rate of spam - it reduces the initial number of mailings by several orders of magnitude. Therefore, it is hoped that, at least theoretically, we could “scroll” this newsletter for only $ 10, but this could have a disastrous effect on its effectiveness. So for spammers it is very important that everything is as cheap as possible.
Audience: about these 10,000 clicks - how many of these 350 million emails were filtered from the incoming email? I'm just trying to get an idea of how many emails users clicked on to see how effective spam filtering is and how stupid people are in the US.
Professor: I'm not sure I can answer, but this is a very good question.
Nikolai Zeldovich:on Friday, I listened to Jeff Walker's speech on this topic, and he said that from 20% to 40% of the clicks leading to one of the spamming sites actually come from the Spam folder in the user's mailbox. It turns out that people go to the Spam folder, search for these things and click on the links.
That is, there is a whole class of users who are consciously searching for adventures for themselves by entering a spam folder. So filtering statistics do not reflect the real state of things, because filtered messages can also be used by some users.
James Mycens:Yes, I also heard anecdotal reports about this. Some people mark even legal e-mails as spam so that, for example, they hide from their work colleagues that they enter their Gmail account and they don’t find out, for example, what you are following. Then these people go to the spam folder and view the messages they need. In fact, this is a very interesting point. There is a psychology of those who actually click on these links. One of the articles I linked to the lecture notes tells why these Nigerian scams are still working. After all, one might think that any sane person would never press on the messages of one of these Nigerian postal scammers. But it turns out that the “Nigerian meme” is actually useful for spammers to filter out idiots. In other words,
This is one of the key things that spammers need, they need people who are so trusting or idealistic that they click on such a link. There is a whole psychology behind it, so it’s very interesting.
Audience: What is the cost of things that spammers offer to buy?
Professor: this is a good question. It all depends on what you are looking for. Many of these purchases are not very expensive, such as Viagra tablets or a hacked copy of Windows. In most cases, people are tempted to buy fake products, because their price is lower than the official stores offer, otherwise you would just go to a local mall and buy what you want. So basically these are purchases of things that cost up to $ 1,000, often a lot less.
So, as I said, the key question that a spam defender should ask is how to make spam more expensive for the spammer himself. There are several ways to do this.
One of them is blacklists of IP addresses. It is possible that Internet providers or someone else is collecting a list of IP addresses from which spam is being sent, and then we simply will not allow these people to send traffic. For a while this method worked, but now it is much easier for an attacker to use methods such as DNS redirection and so on, which we will talk about a little later. Now spammers have a much larger set of addresses from which you can send spam, as well as dynamically reassign host names and web servers, so that the “black lists” of IP addresses are no longer effective.
Another idea that has been used for a long time is to charge for sending e-mails. Every time you send an email, you make a micropayment in the most different currencies. For example, if I wanted to send you an email, I would have to pay a tenth of a tenth of a penny. For me, it doesn’t matter, since I don’t send a lot of emails every day, but if you’re a spammer trying to send a bunch of emails, it’s going to be a good deal. Thus, it undermines the chain of creating spam profits.
Another idea that people had was to use computing as a payment for sending messages. That is, in order for my mail server to accept an outgoing letter, I need to solve some puzzles, I have to do some kind of mathematical trick, or something like that. It also increases the cost of mass spamming, as it takes a lot of time.
In addition, we are all familiar with the captcha. For example, you need to look at a picture of 9 animals and find a cat instead of a dog, or enter some strange wavy number causing a headache, or something like that.
These are ways to charge for sending e-mail to prevent mass spamming. The classic problem in this case is who will deal with the implementation of these schemes first.
If all email providers do not implement such protection at the same time, then of course, spammers will simply go to those email providers that have not yet implemented these methods. This is where the problem arises, how to make all providers simultaneously upgrade. Also, what happens if the user device is compromised? For example, someone hacks into my Gmail account and forces me to pay 350 million micropayments that can bankrupt me.
Therefore, it is not entirely clear how some of these schemes are ready for implementation. However, they represent an interesting thought experiment on the topic of how one could limit the malicious activity of senders.
Course MIT "Computer Systems Security". Lecture 23: "The Economics of Security", part 2
Full version of the course is available here .
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr's users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until January for free if you pay for a period of six months, you can order here .
Dell R730xd 2 times cheaper? Only here2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?