Understanding humans as well as maths

The largest global cyber-attack in history, using malware known as WannaCry or Wanna Decryptor, infected Windows computers in a network. It exploited a vulnerability in the Windows operating system that allowed it to jump from computer to computer on an internal network.

It appears to have been halted, largely by chance, by a British 22-year-old cyber expert when he discovered a failsafe that, when triggered, made the malware essentially ‘self-destruct’. Once a particular web address was registered, the computer virus that had held organisations and individuals to ransom in over 150 countries and had halted large parts of the NHS in Britain terminated itself. The 22-year-old admits that this was an accidental discovery, as he tweeted:

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental”

The attack was, in terms of computing technology, simple and even naive. For example, no sophisticated password-breaking software was used.

But the developers of the malware had a deep understanding of the behavioural biases which are frequently encountered in organisations.

The attackers simply hoped that at least one user on a network would click on a malicious link in an email or download a malicious attachment, for example a PDF file seemingly sent by your boss with the software hidden inside. The virus could then get to work with minimal sophistication. One of the ways the Bletchley Park team cracked the German Enigma code was that some of the lazier enemy operators began their first messages of the day in a similar fashion day after day. In the same way, the WannaCry developers simply relied upon human inertia.

But even so, how could this happen? Microsoft had released a patch for its operating system long before the virus became operational at scale. The NHS in Britain was notified by Microsoft two months ago about a security patch that could have prevented the spread of the virus within the organisation. But nearly all NHS trusts use a version of the Windows operating system for which Microsoft stopped providing security updates as long as three years ago.

A long-standing reluctance by large organisations to roll out system updates before substantial internal testing clearly contributed to the crisis. In effect, paranoia about system security was a cause of this system vulnerability.

This problem is not new. The illusion that elaborate rule-based systems can eliminate systemic risk was prevalent amongst regulators in the run-up to the financial crisis, and still persists to this day. The apparent security provided by having lots of boxes ticked and the paperwork passed through endless committees before an update could be approved proved to be completely false.

This state of affairs calls into question the complicated security procedures in place within organisations. For example, what is the point of spamming staff with emails forcing them to update their passwords as often as once every two or three months when this large-scale cyber-attack took place without breaking even a single password?

A study published in the Proceedings of the 17th ACM Conference on Computer and Communications Security, aptly titled The security of modern password expiration: an algorithmic framework and empirical analysis, attempted to assess the security advantages of password expiration policies. It has long been thought that frequent password updates make it much harder for hackers to guess correct passwords. However, this assumption is now rightly being questioned.

The study points out that users asked to update their passwords will often apply mental shortcuts and heuristics (due to what we would term cognitive overload) on all but the first password. For example, they change a character to a symbol or number, such as ‘s’ to ‘$’ or ‘A’ to ‘4’, remove or add a special character (for example changing ‘!!!’ to ‘!!’), or simply increment a number.

Such mental shortcuts introduce patterns and biases into your password that make it much easier to guess your updated password for anyone with at least partial access to your password history. Hence, once a hacker knows at least one of your past passwords, he or she can easily guess your current password using state-of-the-art password-breaking software, often in a matter of seconds (more specifically, the researchers in this study could break the current password of approximately 41% of the accounts in less than three seconds if they knew the previous password).
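As an added illustration, not taken from the post or the study it cites, here is the kind of check a password-change form could run on the defender's side: it rejects a new password that differs from the old one only by the shortcuts described above (symbol substitution, a trailing special character added or removed, a counter incremented). The substitution table and the edit-distance threshold are assumptions chosen for the example.

```python
import re

# Assumed table of the common letter-to-symbol swaps the study describes
# ('s' -> '$', 'A' -> '4'); mapping them back lets "pa$$word" and "password"
# reduce to the same stem.
LEET_TO_LETTER = str.maketrans({"$": "s", "@": "a", "4": "a", "3": "e",
                                "1": "i", "!": "i", "0": "o", "5": "s", "7": "t"})


def stem(password: str) -> str:
    """Strip the cosmetic variation users typically add when forced to rotate."""
    s = password.lower()
    s = re.sub(r"[^a-z0-9]+$", "", s)   # trailing punctuation: '!!!' vs '!!'
    s = re.sub(r"[0-9]+$", "", s)       # trailing counter: 'Summer2017' vs 'Summer2018'
    s = s.translate(LEET_TO_LETTER)     # undo symbol substitutions: '$' -> 's'
    s = re.sub(r"[^a-z0-9]", "", s)     # any punctuation left in the middle
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches single-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_update(old: str, new: str, max_distance: int = 2) -> bool:
    """True if `new` is `old` with only the rotation shortcuts applied.

    Two tests are combined: equal stems (same password once the cosmetic
    layer is removed) or a small raw edit distance (one or two characters
    changed, added or removed). Empty stems are ignored so that two unrelated
    all-digit passwords are not mistaken for each other.
    """
    if old == new:
        return True
    old_stem, new_stem = stem(old), stem(new)
    if old_stem and new_stem and old_stem == new_stem:
        return True
    return edit_distance(old.lower(), new.lower()) <= max_distance
```

A change-password handler would call `is_trivial_update` against each entry in the stored history, not just the most recent one, since the study's point is that any one past password leaks the pattern.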

The situation might be even more disconcerting as reported in a technical report by Carnegie Mellon University[1]. In a study, several personal characteristics and traits were correlated with password strengths among CMU students, faculty and staff. They found a strong correlation indicating that individuals who reported annoyance with university password policies also tend to choose weaker passwords. It is not difficult to imagine the causal argument.

Like an organisation’s reluctance to roll out system updates before substantial testing by its IT department, the obsession with frequent password updates may in fact reduce overall system security rather than enhance it.

Perhaps do us all a favour and stop filling our inboxes with password-update requests.

[1] https://www.cylab.cmu.edu/research/techreports/2013/tr_cylab13013.html

Rickard Nyman

Image: Data Security Breach by Blogtrepreneur is licensed under CC by 2.0