Xconomist of the Week: Stefan Savage on Computer Security

manipulate social media sites?

SS: I think fake identities are part and parcel of undercover investigations and so I’m not fundamentally concerned that this capability exists. It’s a bit more interesting when you consider that this capability might be scaled to create millions of fake identities that interact automatically, i.e., social-bots. This potential for scale, combined with our increasing trust in online identities does create interesting new security issues.

X: Where do you think the biggest opportunities are for improving security?

SS: I think in order to best address cyber-attacks we really need to understand the attacker’s world better. While we’re used to thinking about cyber-attacks as technical endeavors, that’s only part of the picture.

For example, most large-scale attacks today are commercial in nature—the attacker is profit-seeking. While we invest a great deal of money and effort (rightly so) in trying to technically harden our systems against attack, it is rare for us to consider how these defenses actually impact the attacker’s bottom line. In most cases, the underlying business model has already “priced in” the impact of defenses, and the end-system is not in fact the most critical part of the attacker’s value chain. In fact, compromised U.S. hosts are available in bulk for $100 per thousand, Asian hosts for a tenth less.

When you invest the time to understand how the attacker’s value chain works, this provides pointers to where their true weak points are. In our examination of the spam ecosystem it became clear that there was just no way that spam filtering, blacklistings, or takedowns were ever going to cause enough financial drag to undermine the spam advertising channel. However, it turns out that the payment systems by which advertised goods and services accept consumer credit cards are a huge weak link that has no cheap substitute. That is going to be a far more effective place to intervene. This kind of analysis is appropriate for a wide variety of security situations, but it’s rarely undertaken because it requires considerable time and effort, and it doesn’t necessarily lend itself to selling a product.

Author: Bruce V. Bigelow