MIT course "Computer Systems Security". Lecture 23: "The Economics of Security", part 1

Massachusetts Institute of Technology. Lecture course # 6.858. "Security of computer systems". Nikolai Zeldovich, James Mykens. year 2014

Computer Systems Security is a course on the development and implementation of secure computer systems. Lectures cover threat models, attacks that compromise security, and security methods based on the latest scientific work. Topics include operating system (OS) security, capabilities, information flow control, language security, network protocols, hardware protection and security in web applications.

Lecture 1: "Introduction: threat models" Part 1 / Part 2 / Part 3
Lecture 2: "Control of hacker attacks" Part 1 / Part 2 / Part 3
Lecture 3: "Buffer overflow: exploits and protection" Part 1 / Part 2 / Part 3
Lecture 4: "Separation of privileges" Part 1 / Part 2 / Part 3
Lecture 5: "Where Security Errors Come From" Part 1 / Part 2
Lecture 6: "Opportunities" Part 1 / Part 2 / Part 3
Lecture 7: "Sandbox Native Client" Part 1 / Part 2 / Part 3
Lecture 8: "Model of network security" Part 1 / Part 2 / Part 3
Lecture 9: "Web Application Security" Part 1 / Part 2 / Part 3
Lecture 10: "Symbolic execution" Part 1 / Part 2 / Part 3
Lecture 11: "Ur / Web programming language" Part 1 / Part 2 / Part 3
Lecture 12: "Network Security" Part 1 / Part 2 / Part 3
Lecture 13: "Network Protocols" Part 1 / Part 2 / Part 3
Lecture 14: "SSL and HTTPS" Part 1 / Part 2 / Part 3
Lecture 15: "Medical Software" Part 1 / Part 2 / Part 3
Lecture 16: "Attacks through the side channel" Part 1 / Part 2 / Part 3
Lecture 17: "User Authentication" Part 1 / Part 2 / Part 3
Lecture 18: "Private Internet browsing" Part 1 / Part 2 / Part 3
Lecture 19: "Anonymous Networks" Part 1 / Part 2 / Part 3
Lecture 20: “Mobile Phone Security” Part 1 / Part 2 / Part 3
Lecture 21: “Data Tracking” Part 1 / Part 2 / Part 3
Lecture 22: MIT Information Security Part 1 / Part 2 / Part 3
Lecture 23: "Security Economics" Part 1 / Part 2

James Mycens: Today we will talk about spam economics. Before that, we discussed technical aspects of security at lectures. We looked at things like buffer overflow, the principle of the same source, Tor, and the like. The context for the discussion was that we considered how an adversary could compromise a system. We tried to develop a threat model that describes the things we want to prevent, and then we thought about how to design systems that would help us defend against this threat model.
')


So, today we will look at an alternative perspective, which is the question of why an attacker is trying to hack the system? Why is he trying to hurt us? There are many reasons why intruders try to do these terrible things. Some of these attacks are made for ideological reasons by people who consider themselves to be political activists, or the like. You can recall the Stuxnet computer worm, which shows that governments sometimes attack other governments. Therefore, for these types of attacks, money, the economy, are not the main motivation for the attack. Interestingly, it is actually difficult to prevent these attacks by simply making computers more secure. And there is no financial leverage to redirect these intruders to other activities.

However, there are some types of attacks that include a strong economic component, and these are some of the things that we will consider today. Interestingly, if the attacks are not based on the financial interest of hackers, we cannot use any rules to prevent them. Sometimes it is difficult to understand how to stop such an attack, so, as I said, we are just trying to make computers more secure.

For example, Stuxnet is a great idea. This virus attacked industrial software related to nuclear research in Iran. So, we all know where Stuxnet came from, mostly Americans and Israelis. But can we prove it in court? For example, who can we sue by saying that he connected Stuxnet to our car?

Thus, in such attacks it is not clear who can be sued - the Federal Reserve, or Israel, or anyone else. In addition, no one officially declared that it was they. So when you think how to prevent such attacks, there are very interesting legal and financial issues.



There are many types of computer crimes that are motivated by economic reasons. For example, industrial espionage, sponsored by the state, is one of the things discussed in the previous lecture. Sometimes governments try to hack other governments or other industries to steal intellectual property, or something like that.

Interestingly, when organizing spam attacks, you must first invest some money in order to earn some money later. Spammers really need to invest in infrastructure infrastructure before they can send their messages.

If you have attacks of this kind, you can figure out what the financial chain of hacking tools looks like, and then perhaps you can think of applying financial pressure on the upper links of the chain to prevent malicious attacks or security problems on the lower links.

The key point is that if you look at the context of spam, you will understand - spammers stop sending spam only when it becomes unprofitable for them. One of the sad truths in the world is that we continue to receive spam, because it costs the spammers too cheap because they only have enough profit from 2% - 3% of people who will click on the links and view the spam. As long as their costs of sending these messages are so low, spammers can still make money from such things even with minimal activity of the victims.

Therefore, today we will consider attacks that contain a significant economic component. Let me give you one interesting example I just read about, this is happening in China. They have a problem called “text messaging machines”. The idea here is that people drive cars with directional antennas, acting according to the “man-in-the-middle” scheme between mobile phones and cell towers. Driving around in these machines, they collect mobile phone numbers, which then send spam as text messages from the same machines.

Working in this way, these Text-messaging cars can send up to 200,000 messages per day, which is a huge number, while the cost of labor is very low. It is very cheap to hire a driver, drive along the route, spying on the traffic of people, and send them spam.
Let's look at the economics of this process. What is the cost of the antenna, which allows to monitor the mobile traffic? Roughly speaking, it is somewhere in the region of plus or minus $ 1600. How much profit can these people get per day? With a successful scenario, too, about 1600 dollars. So it is very interesting. This means that you recoup your costs in one day and continue to receive a net profit.

You can say that the police can catch you, and then you may be imprisoned or you will have to pay a fine, but it is less than 5 thousand dollars, besides, these people rarely come across. We must pay attention to such calculations when thinking about how to economically restrain these spammers. Therefore, if spammers are caught a couple of times a year and they return their equipment costs in one day, it is very difficult to figure out how you can financially prevent them from doing such a thing.

Interestingly, in China, it is understood that mobile operators also participate in this scheme, because every time you send spam, you send a small amount of money to a mobile operator, just a couple of cents. In Europe, many mobile operators have decided that they do not need angry customers who report that they constantly receive spam. But many Chinese mobile operators, at least the three largest, consider these spam messages as a source of their income. They really think that this is a good way to get some extra money.



I don’t know if you heard about this, but the Telcos network came up with the prefix 106- for telephone numbers. The initial purpose of this prefix is ​​to use the phone number for non-commercial purposes. Imagine you are running a company and want to send a bunch of text messages to all your employees. You can use one of these 106 numbers to "send in bulk" all messages and avoid some of the built-in speed limit mechanisms in the cellular network.

This can be used by spammers, and I think that 55% of mobile spam sent in China comes from one of these 106 numbers. This is an interesting example of the work of the financial scheme, when certain perverse incentives incline cellular operators to engage in a common cause with fraudsters. In the lecture notes there is a link to an interesting article in the Economist magazine.



It is interesting that there are many companies engaged in cyber weapons. They sell malware, exploits, and similar software. One example is Endgame. For example, for one and a half million dollars, this company will provide you with the IP addresses and physical location of millions of unprotected computers. They have a lot of points all over the Internet, where they collect all kinds of interesting information about computers that you can attack or vice versa, protect, if, for example, you are the government, or another agency, or something like that.

For about $ 2.5 million, they will give you what is called just amazing - a “zero-day package subscription.” If you subscribe to this, you will receive 25 exploits per year and will be able to do whatever you want with their help. Most interestingly, many of the people who work with these cyber-weapon traders are former members of the security services, such as the CIA or the NSA.

It is interesting to think about who the actual customers of these cyber traders are. Some customers are governments, for example, the US government. They use these things to attack other countries. But most often such products are bought by companies. At the end of the lecture, we will talk about how companies sometimes take cybersecurity issues into their own hands and organize what is called hackback, or internal hacking. Companies that are being attacked by cybercriminals do not involve government official structures in this matter, but try to deal with those who tried to steal their intellectual property. However, they quite successfully use very inventive legal arguments to justify their actions. So this is an interesting aspect of cyber war.

Audience: Is it legal?

Professor: we know that “information wants to be free, man,” right? Speaking of such things, you should not use the terminology "legally or illegally," just something works "in the shadow." For example, if I tell you that somewhere there is a house in which the door lock does not work, and ask for it 20 bucks, it will not necessarily be illegal. As it turned out, these companies have crowds of lawyers who study such things. But in many cases, if you think about how to do dirty tricks, you can search for it on the Internet and visit sites that tell you how to make bombs. Placing such information is not illegal, because it is simply informative in terms of learning. What if I, for example, a chemist? Therefore, to provide someone with knowledge is not necessarily illegal.

But you are right that there are some “gray areas” here, for example, these hackback, which we will talk about later. Suppose I am a bank, I am not a government, but a bank, and they hacked me. I don't always have the legal authority to cover up a botnet or something like that. Companies do such things, but the law is behind the times. Therefore, if attackers do this, we will use copyright infringement law, as they sell our products. If they use a botnet, we will use the law on violations in the use of IP addresses.

This is probably not what Thomas Jefferson was thinking about, suggesting how the laws really should work, this is in some way a cat-and-mouse game, later we will discuss it.
In principle, all this means that there is a market for all types of computing resources that could be used by those who want to organize attacks. For example, there is a market for hacked systems. You can go to the "dark area" of the Internet and buy all the compromised computers that can be part of a botnet. You can buy access to infected sites and use such a website to post spam or links to malware.



For money, you can access hacked email accounts, such as Gmail or Yahoo, these things are of great value to attackers. You can also just buy something like a subscription to a botnet and, if necessary, use it, for example, to organize a DDoS attack. So there is a market where all this can be bought.
There is also a market for hacker tools, where you, as an attacker, can buy ready-made sets of malicious programs, or use the services of cyber-weapon traders, you can get access to zero-day exploits, and so on and so forth.

There is also a large market of stolen user information. These are things like social security numbers, credit card numbers, email addresses, and so on. So all this is on the Internet, if you are ready to search.

So, the lecture article that we are going to discuss today is mainly focused on one aspect - the spam ecosystem. In particular, the authors are considering the sale of pharmaceuticals, counterfeit goods and software. In doing so, they divide the spam ecosystem into three parts.

The first part is advertising. This process somehow causes the user to click on the spamming link. As soon as the user does this, the second part arises - the need to support clicks. This implies that there must be some type of web server, DNS infrastructure, and so on, which represent the spamming site the user is going to. The final part of the spam ecosystem is the implementation, what actually allows the user to make a purchase on the site. He sends money to spammers, hoping to get a certain product, and this is the place where the money comes from.



Therefore, many of these things are outsourced to affiliate programs. Most of the time, these programs are engaged in servicing the sale and purchase, working with banks, payment systems Visa, MasterCard, and so on. However, often spammers do not intend to deal with such difficulties, they just want to create links, so spammers can be perceived as an advertising component. At the same time, the spammers themselves work for commission percent of the transaction, receiving from 30% to 50% of the sale value of the goods.

In this lecture, we will look at every component of the spam ecosystem, see how it works, and then think about how we can get rid of spammers at each of these levels.
The first thing we will notice is the advertising component. As I already mentioned, the main idea of ​​advertising is to force the user to follow the link. This is the main question that will worry us. As you know, the first spam is sent in e-mails as a text message. However, spammers are beginning to actively use other forms of communication, including social networks. Now, when you go to Facebook, you are not only “infected” with the content of your real friends, but also with spam messages.

Our discussion is about economics, so the interesting issue is the cost of actually sending these spam messages. It turns out that this is not very expensive - for about 60 bucks you can send a million spam emails, so this is a super low price. And it will be even lower if you immediately connect to this botnet, since it is possible to refuse the services of an intermediary. But even if you rent one of the botnet systems on the market, it is still very cheap.

Audience: which part of these messages is really effective? That is, how many of them are not filtered by the mail client?

Professor: This is a good question that brings me to the next point. For example, you send a million spam messages, but they are discarded at different points in your path, getting into spam filters. People will notice them and delete them immediately, knowing that the email, which, for example, is marked with a “$ 18” badge, contains spam.

Therefore, if you look at the conversion rate, you will see that due to such things as spam filters and user awareness, click-through rates are actually very low. Therefore, spamming should be super, super cheap, because otherwise you will not get great benefits. , , . , 350 - 10 000 , «» . 10 000 28 . , , .



– . , , , , «» 10 , . , .

: 10000 – 350 ? , , , .

: , , .

: , , 20% 40% , , «» . , «», .



, , . , .

: , . , , , , Gmail , , . . . , . , , , . , . , « » , . , , , , .

, , , , . , .



: , ?

: . , . , , Viagra Windows. , , , , . 1000 , .

, , , – . .

— IP-. , - - IP-, , . - , , DNS , . , , -, « » IP- .

, — . , , . , , . , , , , . , .

, , . , , , - , - . , .

, . , 9 , - , , - .

, . , .



, , , . , . , , ? , - Gmail 350 , .

Therefore, it is not entirely clear how some of these schemes are ready for implementation. However, they are an interesting thought experiment on how to limit the malicious activity of senders.

26:10 min

MIT course "Computer Systems Security". Lecture 23: Security Economics, Part 2


Full version of the course is available here .

Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending to friends, 30% discount for Habr users on a unique analogue of the entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to share the server? (Options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps until January free of charge if you pay for a period of six months, you can order here .

Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to build an infrastructure building. class c using servers Dell R730xd E5-2650 v4 worth 9000 euros for a penny?